Re: [Full-disclosure] Alphanumeric Shellcode Encoding and Detection

2008-08-06 Thread Avraham Schneider
While my post awaits moderator approval (over 100KB) - I thought I'd
share with you a fix:

Basically what I do now is this:
ebx needs to point to address of the decoder+1 and edx and ecx need to
point to the address of the decoder

Since we added 2 bytes to the head of the decoder, I need to increment
ebx, ecx, and edx by 2 to reserve the same functionality.

I do this by utilizing one of the unused push instructions to the
stack (for an unused register) and replace it with an inc ecx just
before ecx is pushed to the stack, for setting the ebx register on a
popad - ecx at that point holds the address of the decoder + 2

So now I don't need to increment ebx before the start of the decoder
loop - and I can use that instruction to increment edx or ecx
And since I don't need the inc edi either, I can also use it to inc ecx or edx.

I can also push ecx (containing the address of the decoder) to the
stack before the push for setting the ecx register on the popad -
since ecx was not a needed register before (I set it within the
decoder head from edx), I randomized the corresponding push register
instruction, not anymore - now I push ecx, and it holds the address of
the decoder, which would increment by 2 as described above.

So to summarize:
I have 4 instructions in the decoder head I can play with (as I don't
need to push ecx;pop eax;inc ebx;inc edi) - I use them to increment
ecx and edx by 2

I replace one of the push instructions for the popad (this affects
eax, it will now contain the first 4 bytes of the decoder head, which
we don't care about) - with an inc ecx - this is used to increment ebx
once (by incrementing ecx before the push for setting the ebx
register).


Here's the code:


Add this to the if(p_state[3]){} block - after all the previous
checks... (i.e. at the end of the block) - make sure to change
p_state[] allocation to support the extra states - i.e. change to
UCHAR *p_state[9]; and memset(p_state, 0, sizeof(UCHAR*)*9);

if(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE)==esp)
{//.*[8A].*[8A].*[56].*[56]
p_state[5] = memchr(p_state[0], 5,
11-(p_state[0]-random_states));
p_state[6] = memchr(p_state[0], 6,
11-(p_state[0]-random_states));
p_state[7] = memchr(p_state[0], 8,
11-(p_state[0]-random_states));
p_state[8] = memchr(p_state[0], 10,
11-(p_state[0]-random_states));
if(p_state[5] < p_state[7] ||
   p_state[5] < p_state[8] ||
   p_state[6] < p_state[7] ||
   p_state[6] < p_state[8]
)
p_state[4] = 0;
}

Change to the following:
instructions[7][0] =
Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE)==esp?'\x41':'\x52';
//R
instructions[8][0] =
Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE)==esp?'\x42':'\x59';
//Y
instructions[9][0] =
Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE)==esp?'\x41':'\x47';
//G
instructions[10][0] =
Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE)==esp?'\x42':'\x43';//C
strcat(instruction_comments[7],
Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE)==esp?"inc ecx":"push edx");
strcat(instruction_comments[8],
Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE)==esp?"inc edx":"pop ecx");
strcat(instruction_comments[9],
Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE)==esp?"inc ecx":"inc edi");
strcat(instruction_comments[10],
Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE)==esp?"inc edx":"inc ebx");

Place the following before printing the decoder to stdout (instead of
the previous fix):
//bugfix: handle case of esp pointing to shellcode
if (!strcmp(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE), "esp"))
{
/*_asm
{
push esp
pop ecx
push ecx
push ecx
inc ecx   //since the stack is messed up here, eax results in
push ecx  //being equal to the first 4 bytes of the decoder
}
and we also 'fix' the decoder head accordingly
*/
p_alnum_shellcode = malloc(strlen(alnum_shellcode)+1+2);
memset(p_alnum_shellcode, 0, strlen(alnum_shellcode)+1+2);
memcpy(p_alnum_shellcode+2, alnum_shellcode, strlen(alnum_shellcode)+1);
p_alnum_shellcode[0] = 'T';
p_alnum_shellcode[1] = 'Y';
p_alnum_shellcode[2] = 'Q';
p_alnum_shellcode[3] = get_push_register_instruction(ecx);
p_alnum_shellcode[4] = 'A';
p_alnum_shellcode[5] = get_push_register_instruction(ecx);

}


On Wed, Aug 6, 2008 at 2:36 AM, Avraham Schneider
[EMAIL PROTECTED] wrote:
 On Tue, Aug 5, 2008 at 11:31 PM, Avraham Schneider
 [EMAIL PROTECTED] wrote:
 Oops - that is not correct - it will only work when the second and
 third bits of ESP are 0

 :-) I was too quick on the send button.

 EAX is basically XOR'd with the length of the string, and instead I
 need to increment it by the length of the 

[Full-disclosure] McAfee + FUD ?

2008-08-06 Thread r0tten c0re
Hi all,

Seems like McAfee chose to counter FUD by more FUD, which triggered this:
http://www.nruns.com/_downloads/PR-08-02_Reaction_to_McAfee_statement.pdf

I have been aware of the ongoing AV insecurity catastrophe but not
read about this mcafee-nruns discussion. Anyways a good read.

n.runs welcomes the AV-Industry SDL (Secure Development Lifecycle)
effort spearheaded by McAfee. While we greatly support the
introduction of an SDL, it will not entirely extinguish flaws with
security relevance. Although it has the potential of greatly reducing
their number and impact, it will not lead to invulnerable software. In
order to reach this goal, we consider it necessary to reduce the
amount of trusted code to an absolute minimum, reduce the attack
surface to an absolute minimum and place all untrusted code into a
strictly confined environment. This way no matter how badly the code
behaves, and no matter how many vulnerabilities it has, it cannot
violate the security requirements.

Regards,
David

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Check this out

2008-08-06 Thread Manu Chao
http://www.openbsd.org/cgi-bin/cvsweb/src/?sortby=%22%3E%3Ch1%20style=%22position:absolute;top:10px;font-size:72pt%22%3E%3Cblink%3EOnly%202%20Remote%20bugs%3C/blink%3E%3C/h1%3E

Chau!

[Full-disclosure] rPSA-2008-0245-1 cups

2008-08-06 Thread rPath Update Announcements
rPath Security Advisory: 2008-0245-1
Published: 2008-08-05
Products:
rPath Linux 1

Rating: Severe
Exposure Level Classification:
Remote Root Deterministic Unauthorized Access
Updated Versions:
[EMAIL PROTECTED]:1/1.1.23-14.8-1

rPath Issue Tracking System:
https://issues.rpath.com/browse/RPL-2390

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1374

Description:
Previous versions of the cups package are vulnerable to an
Arbitrary Code Execution attack in which an attacker may use
a maliciously crafted PDF file to trigger an integer overflow
on 64-bit platforms.

http://wiki.rpath.com/Advisories:rPSA-2008-0245

Copyright 2008 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html



[Full-disclosure] rPSA-2008-0246-1 gaim

2008-08-06 Thread rPath Update Announcements
rPath Security Advisory: 2008-0246-1
Published: 2008-08-05
Products:
rPath Linux 1

Rating: Minor
Exposure Level Classification:
Indirect User Deterministic Unauthorized Access
Updated Versions:
[EMAIL PROTECTED]:1/1.5.0-4.3-1

rPath Issue Tracking System:
https://issues.rpath.com/browse/RPL-2647

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2927
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2956

Description:
Previous versions of the gaim package are vulnerable to multiple
attacks, the most serious of which may allow a remote attacker to
exploit the MSN protocol handler and thus execute arbitrary code
as the user running gaim.

http://wiki.rpath.com/Advisories:rPSA-2008-0246

Copyright 2008 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html



Re: [Full-disclosure] Kaminsky's Law

2008-08-06 Thread TJ
Again, irony abounds ... pushing for a Responsible Disclosure Act on a
forum named Full Disclosure ... makes me smile.
(Not saying either side is right/wrong, just throwing that out there)


Nits:
* Said laws would only apply within a given jurisdiction 
... so disclosures would simply come, or appear to come, from
outside said jurisdiction.

* Who gets to decide how many machines were compromised?
Some sources never divulge, some drastically over-inflate.

* Who defines what responsible is?  
Some argue that telling the vendor as hitting send/post counts, some
say 1 week, etc.
In some cases, maybe a month isn't enough for patch deployment ...
is that still responsible?

* I think the big guys you reference could come up with answers, but
prefer things the way they are now.
 just supposition on my part there ...
... and given the govt's previous track record of cyber issues,
let's pause and reflect if we want them trying again.


/TJ

 - Original Message -
 From: n3td3v [EMAIL PROTECTED]
 To: full-disclosure@lists.grok.org.uk
 Sent: Friday, July 25, 2008 6:56 AM
 Subject: [Full-disclosure] Kaminsky's Law


 So what you're saying is HD Moore and |)ruid are exploiting a loop
 hole in the law to do what they do... looks like we need to get the
 law tightened.

 I say a Responsible Disclosure Act is drawn up, and anyone who
 breaks it goes to jail.

 That will mean:

 - People will think twice before hitting send on blog entries,

 - People will think twice about releasing code early,

 - That the decided time line for disclosure can be enforced,

 - That the people who release information and/or code early, they get
 fined for every computer system compromised because of the
 vulnerability information and/or code disclosure, on top of the jail
 sentence.

 So instead for the future it's not just a verbal contract for
 responsible disclosure, it's a legally binding contract as well
 meaning if the Responsible Disclosure Act has been signed by the
 security researcher and its affected vendors, then ass hats like HD
 Moore and
 |)ruid are breaking the law.

 The details are a bit fuzzy right now, but i'm sure the big guys in
 the industry can draw up proper rules for a Responsible Disclosure
 Act.

 Its likely the Responsible Disclosure Act would only be used in
 exceptional circumstances like this DNS caching vulnerability, and
 the approval of the act per vulnerability case has to be decided on
 by a judge in a court of law, so that the Responsible Disclosure Act
 can't be over used and abused, to keep the use of the act fair and
 proportional in relation to the level of the threat.

 That means, Full-Disclosure of vulnerability information and/or
 wouldn't be illegal all the time, just in exceptional circumstances
 that has to be OK'd by a judge.

 This safe guards the deployment of a patch or patches while telling
 what the importance of patching is to the public, while disallowing
 security researchers to release information and/or code before the
 time line for responsible disclosure.

 So the scenario would be,

 jake: hey did you hear about the patches being deployed and the news
 reports about the flaw and why the patch is critical?

 joe: yes, but the responsible disclosure act has been signed so we
 need to wait until it expires before we can share info.

 jake: no way, what's the assigned disclosure date?

 joe: the standard 4 weeks, although with the responsible disclosure
 act, after the 4 weeks, the security researcher and vendors can go
 back to the judge to ask for an extra 4 week extension onto that, so
 it could be eight weeks bro before we can become famous for five
 minutes by releasing attack code.

 jake: ah, sucks for us, but yeah if the judge has approved the
 signing there isn't a lot we can do unless we want to be labeled
 criminals, and hunted down by interpol.

 What has to be told to the community under the act:

 - The community must be told the Responsible Disclosure Act has been
 signed and OK'd by a judge.

 - The community must be told the date the Responsible Disclosure Act
 expires and disclosure can be made.

 - The community must be told that security researcher and vendor can
 go back to the judge after 4 weeks and ask for extension of the act
 if extra time is needed, this must be announced to the community
 again with notice.

 All members of the community who break the Responsible Disclosure Act
 are breaking the law and face charges.

 Obviously this is just an email I rattled up in five minutes during a
 water machine break, so the big guys in the industry can take these
 ideas and throw them into a properly put together act.

 I think Dan Kaminsky should lobby the industry and the government to
 get something like this drawn up, since he is the one who has
 inspired me to come up with the Responsible Disclosure Act.

 I kind of feel sorry for Dan Kaminsky, and that HD Moore and |)ruid
 had to be dick heads 

Re: [Full-disclosure] Media backlash begins against HD Moore and I)ruid

2008-08-06 Thread jf
 And even if they *got* attacked, it's quite possible that the upsides of not
 bothering to do something outweighed the risks.  If you estimate that the
 cost (including things you could have spent your time doing) is more than
 the losses, why bother?  Even if we *got* whacked, we'd lose maybe $500. But
 in the time I'd waste dealing with the issue, I could generate something that
 will get us $2,000 in revenue.  So if I fix it, I lose $1500, and if I ignore
 it, I come out $1,500 ahead if we get hit, and $2,000 if we don't.

so as a student worker, that's what, like a month of your time?



Re: [Full-disclosure] Media backlash begins against HD Moore and I)ruid

2008-08-06 Thread n3td3v
On Wed, Aug 6, 2008 at 8:15 PM, jf [EMAIL PROTECTED] wrote:
 And even if they *got* attacked, it's quite possible that the upsides of not
 bothering to do something outweighed the risks.  If you estimate that the
 cost (including things you could have spent your time doing) is more than
 the losses, why bother?  Even if we *got* whacked, we'd lose maybe $500. But
 in the time I'd waste dealing with the issue, I could generate something that
 will get us $2,000 in revenue.  So if I fix it, I lose $1500, and if I ignore
 it, I come out $1,500 ahead if we get hit, and $2,000 if we don't.

 so as a student worker, that's what, like a month of your time?


The guy definitely needs wire tapped and perhaps a psychologist.
Especially when he started ranting about money and the value of human
life in relation to security. I just hope Virginia Tech and the F.B.I
get involved in monitoring him for his comments, especially after the
Virginia Tech massacre and the likes. We could have a fruit ball
member of staff at the institute considering something criminal to cut
corners in cyber security... or even something murderous in real life
depending on what type of mental condition he has actually acquired to
make him talk like this.

On Tue, Aug 5, 2008 at 9:57 PM,  [EMAIL PROTECTED] wrote:
 They calculate a value of a life, and use it to evaluate things like
 environmental and safety regulations:  If a life is worth $5M, and the
 regulation is projected to save 500 lives (via lower risk of cancer, fewer car
 crashes, whatever), the regulation has to cost less than $2.5B to implement to
 be worth it.  If it costs $2B, but only saves 50 lives, that's $40M per life
 and not worth it.


All the best,

n3td3v



[Full-disclosure] Google Notebook and Google Bookmarks Cross Site Scripting Vulnerabilities

2008-08-06 Thread Alfredo Melloni
Google Notebook and Google Bookmarks Cross Site Scripting Vulnerabilities

I. Background:

Google Notebook is a service where it's possible to add text, images, and
links from web pages without leaving your browser window.
Google Bookmarks is a service where it's possible to save bookmarks.

II. Description:
Three cross site scripting vulnerabilities were identified inside Google
Notebook. A remote attacker can make a malformed notebook and invite,
through the sharing option inside Google Notebook, other users to see it to
obtain their cookie. User interaction is required to exploit all three
vulnerabilities.

Browser affected: Firefox 3.
Browser not affected: Internet Explorer 7, Opera 9.5, Safari 3.

One cross site scripting vulnerability was identified inside Google
Bookmarks. A remote attacker can make a malformed bookmark inside his
account and then share it with other users to obtain their cookie. User
interaction is required to exploit this vulnerability.

Browser affected: Mozilla Firefox 3, Internet Explorer 7, Opera 9.5, Safari
3


III. Vendor Response:
Google acknowledged 4 vulnerabilities and has deployed a fix for them.


IV. Disclosure timeline:
23/07/08 - First vulnerability discovered
23/07/08 - Google informed
24/07/08 - Google confirmed first bug
31/07/08 - Google fixed the first vulnerability
31/07/08 - Three new vulnerabilities discovered
31/07/08 - Google informed
31/07/08 - Google confirmed these three new bugs
01/08/08 - Google fixed all vulnerabilities submitted

Regards
Alfredo Melloni

[Full-disclosure] CA Products That Embed Ingres Multiple Vulnerabilities

2008-08-06 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Title: CA Products That Embed Ingres Multiple Vulnerabilities


CA Advisory Date: 2008-08-01


Reported By: iDefense Labs


Impact: A remote attacker can execute arbitrary code, gain 
privileges, or cause a denial of service condition. 


Summary: CA products that embed Ingres contain multiple 
vulnerabilities that can allow a remote attacker to execute 
arbitrary code, gain privileges, or cause a denial of service 
condition. These vulnerabilities exist in the products and on the 
platforms listed below. These vulnerabilities do not impact any 
Windows-based Ingres installation. The first vulnerability, 
CVE-2008-3356, allows an unauthenticated attacker to potentially 
set the user and/or group ownership of a verifydb log file to be 
Ingres allowing read/write permissions to both. The second 
vulnerability, CVE-2008-3357, allows an unauthenticated attacker 
to exploit a pointer overwrite vulnerability to execute arbitrary 
code within the context of the database server process. The third 
vulnerability, CVE-2008-3389, allows an unauthenticated attacker 
to obtain ingres user privileges. However, when combined with the 
unsecured directory privileges vulnerability (CVE-2008-3357), root 
privileges can be obtained.


Mitigating Factors: These vulnerabilities do not impact any 
Windows-based Ingres installation.


Severity: CA has given these vulnerabilities a High risk rating.


Affected Products:
Admin r8.1 SP2
Advantage Data Transformer r2.2
Allfusion Harvest Change Manager r7.1
CA ARCserve Backup for Unix r11.1, r11.5 GA/SP1/SP2/SP3
CA ARCserve Backup for Linux r11.1, r11.5 GA/SP1/SP2/SP3
CA Directory r8.1
CA Job Management Option R11.0
CA Single Sign-On r8.1
CleverPath Aion BPM r10.1, r10.2
EEM 8.1, 8.2, 8.2.1
eTrust Audit/SCC 8.0 sp2
Identity Manager r12
NSM 3.0 0305, 3.1 0403, r3.1 SP1 0703, r11
Unicenter Asset Management r11.1, r11.2
Unicenter Remote Control r11.2
Unicenter Service Catalog r2.2, r11.1
Unicenter Service Metric Analysis r11.1
Unicenter ServicePlus Service Desk 6.0, r11, r11.1, r11.2
Unicenter Software Delivery r11.1, r11.2
Unicenter Workload Control Center r11


Affected Platforms:
1. Ingres verifydb file create permission override (CVE-2008-3356)
   This vulnerability impacts all platforms except Windows.
2. Ingres un-secure directory privileges with utility ingvalidpw 
   (CVE-2008-3357)
   This vulnerability impacts only Linux and HP platforms.
3. Ingres verifydb, iimerge, csreport buffer overflow 
   (CVE-2008-3389)
   This vulnerability impacts only Linux and HP platforms.


Status and Recommendation:
The most prudent course of action for affected customers is to 
download and apply the corrective maintenance. However, updates 
are provided only for the following releases: 2.6 and r3

Important: Customers using products that embed an earlier version 
of Ingres r3 should upgrade Ingres to the release that is 
currently supported (3.0.3/103 on Linux and 3.0.3/211 on UNIX 
platforms) before applying the maintenance updates. Please contact 
your product's Technical Support team for more information.

For these products:
Admin r8.1 SP2
CA ARCserve Backup for Linux r11.5 SP2/SP3
CA Directory r8.1
CA Job Management Option R11.0
CA Single Sign-On r8.1
EEM 8.2
EEM 8.2.1
Identity Manager r12
NSM r11
Unicenter Asset Management r11.1
Unicenter Asset Management r11.2
Unicenter Remote Control r11.2
Unicenter Service Catalog r11.1
Unicenter Service Metric Analysis r11.1
Unicenter ServicePlus Service Desk r11
Unicenter ServicePlus Service Desk r11.1
Unicenter ServicePlus Service Desk r11.2
Unicenter Software Delivery r11.1
Unicenter Software Delivery r11.2
Unicenter Workload Control Center r11

Apply the update below that is listed for your platform (note that 
URLs may wrap):

AIX [3.0.3 (r64.us5/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12833-r64-us5.tar.z

HP-UX Itanium [3.0.3 (i64.hpu/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12831-i64-hpu.tar.z

HP-UX RISC [3.0.3 (hp2.us5/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12830-hp2-us5.tar.z

Linux AMD [3.0.3 (a64.lnx/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12835-a64-lnx.tar.z

Linux Intel 32bit [3.0.3 (int.lnx/103)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.103.12836-int-lnx.tar.z

Linux Itanium [3.0.3 (i64.lnx/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12838-i64-lnx.tar.z

Solaris SPARC [3.0.3 (su9.us5/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12834-su9-us5.tar.z

Solaris x64/x86 [3.0.3 (a64.sol/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12832-a64-sol.tar.z

Ingres r3 Vulnerability Updates Install Steps (August 1, 2008)

Unix/Linux:
1. Log on to your system using the 

[Full-disclosure] Webex atucfobj Module ActiveX Control Buffer Overflow Vulnerability

2008-08-06 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Who:
Webex
http://www.webex.com/

What:
Webex Meeting Manager
http://support.webex.com/support/downloads.html

How:
The Webex Meeting Manager utilizes several ActiveX controls, one of
which is vulnerable to a stack based buffer overflow. The atucfobj
Module contains a single method called NewObject() whose only
parameter is vulnerable to this issue.

This issue has been confirmed in version 20.2008.2601.4928, prior
versions are believed to be vulnerable as well.

atucfobj.dll version 20.2008.2601.4928
{32E26FD9-F435-4A20-A561-35D4B987CFDC}

Fix:
The vendor has released version 20.2008.2606.4919 of this control,
which fixes this issue. The control should be updated when the user
joins a meeting.

Workaround:
Set the killbit for the affected control. See
http://support.microsoft.com/kb/240797

Credit:
When I reported this issue to the vendor, they had stated that they
were aware of it, but would not say whether it was the result of an
internal audit or an independent researcher.

Timeline:
06/20/2008 - Issue reported to the vendor
06/21/2008 - Vendor responds asking for further details
06/22/2008 - Details sent with PoC
06/25/2008 - Vendor responds stating that they are aware of this
issue
08/06/2008 - Disclosure

Elazar

-BEGIN PGP SIGNATURE-
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQECAAYFAkiZ3PAACgkQi04xwClgpZiyOgP8CM9oC+m3tr5TBU6ZbvacAcq/SqXu
zIUjqfGWz/GNaRRXISzPLrp7aYwepxXL/uxp+zmHR+h0phGOf2FoLmuBY1g3WULmaFu1
oQbGbVfNuS21qH/YvC9mWuOFSeoYOogsyKDGX1Iha6jNDsj5+JlbAIsqk9xwyb021eTm
BpGN3W8=
=tQOJ
-END PGP SIGNATURE-




Re: [Full-disclosure] Media backlash begins against HD Moore and I)ruid

2008-08-06 Thread TJ
Note that the costs being discussed were purely financial, and you rushed
headlong into adding human lives.
That is, to be polite (if blunt) - wrong.

The cost conversation is actually how real decisions are made, in the real
world.



/TJ


-Original Message-
From: [EMAIL PROTECTED] [mailto:full-disclosure-
[EMAIL PROTECTED] On Behalf Of n3td3v
Sent: Tuesday, August 05, 2008 3:36 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Media backlash begins against HD Moore and
I)ruid

On Tue, Aug 5, 2008 at 7:57 PM,  [EMAIL PROTECTED] wrote:
 On Tue, 05 Aug 2008 18:40:32 BST, n3td3v said:

 Are you suggesting HD Moore had prior knowledge that the Austin Texas
 ATT servers were vulnerable?

 No - simply saying that either they were vulnerable, or they weren't.
 If they weren't vulnerable, HD didn't have to do anything.  And even
 if they *were*, somebody would still have to actually *attack* them.

 And even if they *got* attacked, it's quite possible that the upsides
 of not bothering to do something outweighed the risks.  If you
 estimate that the cost (including things you could have spent your
 time doing) is more than the losses, why bother?  Even if we *got*
 whacked, we'd lose maybe $500. But in the time I'd waste dealing with
 the issue, I could generate something that will get us $2,000 in
 revenue.  So if I fix it, I lose $1500, and if I ignore it, I come out
$1,500 ahead if we get hit, and $2,000 if we don't.


Is what you're describing not against the law Valdis, it sure sounds like
it
to me. Some kind of gross negligence...

http://legal-dictionary.thefreedictionary.com/Gross+negligence
http://legal-dictionary.thefreedictionary.com/negligence

Is this what goes on at Virginia Tech on a regular basis? Maybe the
authorities should be looking into you a lot more while they are looking
into HD Moore. ;)

I wonder if the the intelligence services thought like you before 9/11 and
7/7 eh...I get the feeling they did.

For sure people like you who support this kind of activity should be
investigated. It sounds criminal.

Have you ever carried out this kind of activity Valdis where you put
security and people at risk to make and/or save money?

If cyber-terrorism is going to become a real threat, we don't need people
like Valdis around and we should sure keep track of him.

Would you allow a cyber-9-11 to happen Valdis if there was money involved?
I'm starting to become worried about you dude, maybe I should be e-mailing
the folks at Virginia Tech this thread, and perhaps, just perhaps the F.B.I
and see what they think about what you've just told me.

You seem to be normalizing what you've just described to me as normal run-
of-the-mill legal activity, when it clearly isn't.

To me what you've just described is illegal, criminal and wrong.

All the best,

n3td3v




[Full-disclosure] [USN-635-1] xine-lib vulnerabilities

2008-08-06 Thread Jamie Strandboge
=== 
Ubuntu Security Notice USN-635-1                         August 06, 2008
xine-lib vulnerabilities
CVE-2008-0073, CVE-2008-0225, CVE-2008-0238, CVE-2008-0486,
CVE-2008-1110, CVE-2008-1161, CVE-2008-1482, CVE-2008-1686,
CVE-2008-1878
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libxine-main1                   1.1.1+ubuntu2-7.9

Ubuntu 7.04:
  libxine-main1                   1.1.4-2ubuntu3.1

Ubuntu 7.10:
  libxine1                        1.1.7-1ubuntu1.3

Ubuntu 8.04 LTS:
  libxine1                        1.1.11.1-1ubuntu3.1

After a standard system upgrade you need to restart applications
linked against xine-lib to effect the necessary changes.

Details follow:

Alin Rad Pop discovered an array index vulnerability in the SDP
parser. If a user or automated system were tricked into opening a
malicious RTSP stream, a remote attacker may be able to execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2008-0073)

Luigi Auriemma discovered that xine-lib did not properly check
buffer sizes in the RTSP header-handling code. If xine-lib opened an
RTSP stream with crafted SDP attributes, a remote attacker may be
able to execute arbitrary code with the privileges of the user
invoking the program. (CVE-2008-0225, CVE-2008-0238)

Damian Frizza and Alfredo Ortega discovered that xine-lib did not
properly validate FLAC tags. If a user or automated system were
tricked into opening a crafted FLAC file, a remote attacker may be
able to execute arbitrary code with the privileges of the user
invoking the program. (CVE-2008-0486)

It was discovered that the ASF demuxer in xine-lib did not properly
check the length of the ASF header. If a user or automated system
were tricked into opening a crafted ASF file, a remote attacker
could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2008-1110)

It was discovered that the Matroska demuxer in xine-lib did not
properly verify frame sizes. If xine-lib opened a crafted ASF file,
a remote attacker could cause a denial of service or possibly
execute arbitrary code with the privileges of the user invoking
the program. (CVE-2008-1161)

Luigi Auriemma discovered multiple integer overflows in xine-lib. If
a user or automated system were tricked into opening a crafted FLV,
MOV, RM, MVE, MKV or CAK file, a remote attacker may be able to
execute arbitrary code with the privileges of the user invoking the
program. (CVE-2008-1482)

It was discovered that xine-lib did not properly validate its input
when processing Speex file headers. If a user or automated system
were tricked into opening a specially crafted Speex file, an
attacker could create a denial of service or possibly execute
arbitrary code as the user invoking the program. (CVE-2008-1686)

Guido Landi discovered a stack-based buffer overflow in xine-lib
when processing NSF files. If xine-lib opened a specially crafted
NSF file with a long NSF title, an attacker could create a denial of
service or possibly execute arbitrary code as the user invoking the
program. (CVE-2008-1878)


Updated packages for Ubuntu 6.06 LTS:


[Full-disclosure] offering 0day

2008-08-06 Thread Jeffrey Starck
Hi,

I am offering Microsoft 0days : Windows, Office and also about some
applications and services.

Please contact me by email if interested.

Jeffrey --
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [ GLSA 200808-05 ] ISC DHCP: Denial of Service

2008-08-06 Thread Tobias Heinlein
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200808-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: ISC DHCP: Denial of Service
  Date: August 06, 2008
  Bugs: #227135
ID: 200808-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A Denial of Service vulnerability was discovered in ISC DHCP.

Background
==

ISC DHCP is ISC's reference implementation of all aspects of the
Dynamic Host Configuration Protocol.

Affected packages
=

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  net-misc/dhcp               < 3.1.1                       >= 3.1.1

Description
===

A buffer overflow error was found in ISC DHCP server, that can only be
exploited under unusual server configurations where the DHCP server is
configured to provide clients with a large set of DHCP options.

Impact
==

A remote attacker could exploit this vulnerability to cause a Denial of
Service.

Workaround
==

There is no known workaround at this time.

Resolution
==

All ISC DHCP users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =net-misc/dhcp-3.1.1

References
==

  [ 1 ] CVE-2007-0062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0062

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200808-05.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




[Full-disclosure] [ GLSA 200808-06 ] libxslt: Execution of arbitrary code

2008-08-06 Thread Tobias Heinlein
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200808-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: libxslt: Execution of arbitrary code
  Date: August 06, 2008
  Bugs: #232172
ID: 200808-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

libxslt is affected by a heap-based buffer overflow, possibly leading
to the execution of arbitrary code.

Background
==

libxslt is the XSLT C library developed for the GNOME project. XSLT is
an XML language to define transformations for XML.

Affected packages
=

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  dev-libs/libxslt        < 1.1.24-r1                    >= 1.1.24-r1
1.1.8

Description
===

Chris Evans (Google Security) reported that the libexslt library that
is part of libxslt is affected by a heap-based buffer overflow in the
RC4 encryption/decryption functions.

Impact
==

A remote attacker could entice a user to process an XML file using a
specially crafted XSLT stylesheet in an application linked against
libxslt, possibly leading to the execution of arbitrary code with the
privileges of the user running the application.

Workaround
==

There is no known workaround at this time.

Resolution
==

All libxslt users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =dev-libs/libxslt-1.1.24-r1

References
==

  [ 1 ] CVE-2008-2935
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2935

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200808-06.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




Re: [Full-disclosure] [funsec] facebook messages worm

2008-08-06 Thread John C. A. Bambenek, GCIH, CISSP
What's the infection vector?  URL Link?  Rogue Facebook app?

On Wed, Aug 6, 2008 at 4:44 PM, Gadi Evron [EMAIL PROTECTED] wrote:

 Hi all.

 There's a facebook (possibly worm) something malicious sending fake
 messages from real users (friends).

 The sample also has a remote drop site (verified by someone who shall
 remain nameless).

 This is possibly zlob, not verified. Thanks Nick Bilogorskiy for his help.

 Infection sites seen so far are on .pl domains.

 The AV industry will soon add detection.
 Facebook's security folks are very capable, so I am not worried on that
 front.

 It's not that we didn't expect this for a long time now, but...
 Be careful. Some users know to be careful in email.. but not on facebook.

 Note: unlike 2003 when we called everything a worm and the 90s when
 everything was a virus--this is a bot which also spreads/infects on
 facebook.

Gadi.


 --
 You don't need your firewalls! Gadi is Israel's firewall.
 -- Itzik (Isaac) Cohen, Computers czar, Senior Deputy to the
 Accountant General,
Israel's Ministry of Finance, at the government's CIO conference,
 2005.

 (after two very funny self-deprecation quotes, time to even things up!)

 My profile and resume:
 http://www.linkedin.com/in/gadievron
 ___
 Fun and Misc security discussion for OT posts.
 https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
 Note: funsec is a public and open mailing list.


[Full-disclosure] Endless loop and resources consumption in Halo 1.0.7.0615

2008-08-06 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Halo: Combat Evolved
  http://www.microsoft.com/games/pc/halo.aspx
Versions: <= 1.0.7.0615 (before 30 Jul 2008)
Platforms:Windows
Bugs: A] endless loop
  B] resources consumption
Exploitation: remote, versus server
Date: 06 Aug 2008
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Halo is the great FPS game developed by Bungie Studios and ported to PC
by Gearbox Software (http://www.gearboxsoftware.com).
Although it was released at the end of 2003, it's still one of the
most played games, with hundreds of internet servers.


###

===
2) Bugs
===

---
A] endless loop
---

The Halo server is affected by a problem in the handling of a type of
packet which can cause the bypassing of a check used to avoid the
reading of data outside the packet.
The result is an endless loop which freezes the application with CPU at
100%.



---
B] resources consumption
---

When a client occupies the player's slot after joining the match, the
Halo server continues to send packets to it forever, because it stops
only if an ICMP destination unreachable or a disconnection packet is
received (there is no timeout, which is the cause of the problem).
I have tested this personally, and after a week I was still receiving
these packets, because many servers have firewalls which block ICMP and
so there is no way to stop this problem except restarting the server.

If the player has not occupied the slot yet (so before the handshake
performed by the Gamespy SDK), the server sends packets for only 60
seconds.

So if an attacker has disabled outgoing ICMP packets, which is the
default on any Windows with the firewall activated, he can consume part
of the network bandwidth of the server and mainly its memory, with the
consequent possible crash or hanging of the application.
Note that, as already said, a handshake is required for occupying the
slot, so it is not possible to spoof the packets, which instead is
possible for the second method of the 60 seconds.


###

===
3) The Code
===


A] http://aluigi.org/poc/haloloop3.zip

B] http://aluigi.org/poc/halonso.zip


###

==
4) Fix
==


The hotfix released on 30 July 2008 solves these problems.
Note that this hotfix has the same version number as the previous one
released a month before for the haloloop2 bug: 1.0.7.0615.


###


--- 
Luigi Auriemma
http://aluigi.org
http://backup.aluigi.org
http://mirror.aluigi.org

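The resource-consumption bug above comes down to a missing liveness check: the server keeps sending to a slot until an ICMP error or a disconnect arrives, so a peer whose firewall drops ICMP holds the slot indefinitely. As an added example (not Halo's code and not from the advisory), here is a constructed model of a player-slot table that reclaims a slot after an idle timeout or after a bounded number of unanswered sends; the 60 s idle limit and the 64-packet budget are assumed values, and the wrap-safe time comparison is a detail a real millisecond tick counter needs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of a game server's player-slot table (not Halo's code).
 * A slot is reclaimed when the peer has been silent for IDLE_TIMEOUT_MS or
 * when MAX_UNACKED updates have gone out without any reply, so a peer whose
 * host silently drops packets (and whose firewall eats ICMP errors) cannot
 * hold the slot, and its share of the send budget, forever.
 */
#define MAX_SLOTS        16
#define IDLE_TIMEOUT_MS  60000u   /* assumed value: 60 s without inbound traffic */
#define MAX_UNACKED      64u      /* assumed value: sends tolerated with no reply */

typedef struct {
    bool     in_use;
    uint32_t last_rx_ms;   /* server clock when the peer's last packet arrived */
    uint32_t unacked;      /* updates sent since last_rx_ms */
} slot_t;

/* Admit a peer: the slot starts out "alive" as of now_ms. */
void slot_open(slot_t *s, uint32_t now_ms)
{
    s->in_use = true;
    s->last_rx_ms = now_ms;
    s->unacked = 0;
}

/* Any datagram from the peer proves liveness and resets the send budget. */
void slot_on_receive(slot_t *s, uint32_t now_ms)
{
    if (!s->in_use)
        return;
    s->last_rx_ms = now_ms;
    s->unacked = 0;
}

/*
 * Gate every outbound update through this.  Returns true if the update may
 * be sent; returns false and frees the slot once the peer has timed out.
 * The subtraction is done in uint32_t so a wrapped millisecond clock still
 * yields the correct elapsed time.
 */
bool slot_should_send(slot_t *s, uint32_t now_ms)
{
    if (!s->in_use)
        return false;
    uint32_t idle_ms = now_ms - s->last_rx_ms;
    if (idle_ms > IDLE_TIMEOUT_MS || s->unacked >= MAX_UNACKED) {
        s->in_use = false;        /* reclaim without waiting for an ICMP error */
        return false;
    }
    s->unacked++;
    return true;
}

/* One server tick: send to live peers, drop dead ones; returns the live count. */
size_t server_tick(slot_t *slots, size_t n, uint32_t now_ms)
{
    size_t live = 0;
    for (size_t i = 0; i < n; i++) {
        if (slot_should_send(&slots[i], now_ms)) {
            live++;
            /* a real server would sendto() the update here */
        }
    }
    return live;
}

int main(void)
{
    slot_t slots[MAX_SLOTS] = {0};
    slot_open(&slots[0], 0);   /* constructed: peer that keeps talking */
    slot_open(&slots[1], 0);   /* constructed: peer that goes silent after joining */
    for (uint32_t t = 0; t <= 120000u; t += 1000u) {
        slot_on_receive(&slots[0], t);          /* only slot 0 ever replies */
        size_t live = server_tick(slots, MAX_SLOTS, t);
        if (t % 30000u == 0)
            printf("t=%3us live=%zu\n", (unsigned)(t / 1000u), live);
    }
    return 0;
}
```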


Re: [Full-disclosure] Media backlash begins against HD Moore and I)ruid

2008-08-06 Thread Paul Schmehl
Insanity == doing the same thing repeatedly and expecting a different result.

If this is true, then

Insane == responding to n3td3v.

So how many on this list meet the definition of insane?

--On Wednesday, August 06, 2008 15:43:39 -0400 TJ [EMAIL PROTECTED] wrote:

 Note that the costs being discussed were purely financial, and you rushed
 headlong into adding human lives.
 That is, to be polite (if blunt) - wrong.

 The cost conversation is actually how real decisions are made, in the real
 world.



 /TJ


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:full-disclosure-
 [EMAIL PROTECTED] On Behalf Of n3td3v
 Sent: Tuesday, August 05, 2008 3:36 PM
 To: full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] Media backlash begins against HD Moore and
 I)ruid

 On Tue, Aug 5, 2008 at 7:57 PM,  [EMAIL PROTECTED] wrote:
 On Tue, 05 Aug 2008 18:40:32 BST, n3td3v said:

 Are you suggesting HD Moore had prior knowledge that the Austin Texas
 AT&T servers were vulnerable?

 No - simply saying that either they were vulnerable, or they weren't.
 If they weren't vulnerable, HD didn't have to do anything.  And even
 if they *were*, somebody would still have to actually *attack* them.

 And even if they *got* attacked, it's quite possible that the upsides
 of not bothering to do something outweighed the risks.  If you
 estimate that the cost (including things you could have spent your
 time doing) is more than the losses, why bother?  Even if we *got*
 whacked, we'd lose maybe $500. But in the time I'd waste dealing with
 the issue, I could generate something that will get us $2,000 in
 revenue.  So if I fix it, I lose $1500, and if I ignore it, I come out
 $1,500 ahead if we get hit, and $2,000 if we don't.


 Is what you're describing not against the law Valdis, it sure sounds like
 it
 to me. Some kind of gross negligence...

 http://legal-dictionary.thefreedictionary.com/Gross+negligence
 http://legal-dictionary.thefreedictionary.com/negligence

 Is this what goes on at Virginia Tech on a regular basis? Maybe the
 authorities should be looking into you a lot more while they are looking
 into HD Moore. ;)

 I wonder if the intelligence services thought like you before 9/11 and
 7/7 eh...I get the feeling they did.

 For sure people like you who support this kind of activity should be
 investigated. It sounds criminal.

 Have you ever carried out this kind of activity Valdis where you put
 security and people at risk to make and/or save money?

 If cyber-terrorism is going to become a real threat, we don't need people
 like Valdis around and we should sure keep track of him.

 Would you allow a cyber-9-11 to happen Valdis if there was money involved?
 I'm starting to become worried about you dude, maybe I should be e-mailing
 the folks at Virginia Tech this thread, and perhaps, just perhaps the F.B.I
 and see what they think about what you've just told me.

 You seem to be normalizing what you've just described to me as normal run-
 of-the-mill legal activity, when it clearly isn't.

 To me what you've just described is illegal, criminal and wrong.

 All the best,

 n3td3v





-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
***
Check the headers before clicking on Reply.



Re: [Full-disclosure] Media backlash ... insane?

2008-08-06 Thread TJ
I'd take offense, except for that annoying ring of truth ... 
Anyway, I like to think of it more as trying to add value to an ongoing
conversation (vs anything insane).


/TJ


-Original Message-
From: [EMAIL PROTECTED] [mailto:full-disclosure-
[EMAIL PROTECTED] On Behalf Of Paul Schmehl
Sent: Wednesday, August 06, 2008 6:14 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Media backlash begins against HD Moore and
I)ruid

Insanity == doing the same thing repeatedly and expecting a different
result.

If this is true, then

Insane == responding to n3td3v.

So how many on this list meet the definition of insane?

--On Wednesday, August 06, 2008 15:43:39 -0400 TJ [EMAIL PROTECTED]
wrote:

 Note that the costs being discussed were purely financial, and you
 rushed headlong into adding human lives.
 That is, to be polite (if blunt) - wrong.

 The cost conversation is actually how real decisions are made, in
 the real world.



 /TJ


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:full-disclosure- [EMAIL PROTECTED] On Behalf Of
 n3td3v
 Sent: Tuesday, August 05, 2008 3:36 PM
 To: full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] Media backlash begins against HD Moore
 and I)ruid

 On Tue, Aug 5, 2008 at 7:57 PM,  [EMAIL PROTECTED] wrote:
 On Tue, 05 Aug 2008 18:40:32 BST, n3td3v said:

 Are you suggesting HD Moore had prior knowledge that the Austin
 Texas AT&T servers were vulnerable?

 No - simply saying that either they were vulnerable, or they weren't.
 If they weren't vulnerable, HD didn't have to do anything.  And even
 if they *were*, somebody would still have to actually *attack* them.

 And even if they *got* attacked, it's quite possible that the
 upsides of not bothering to do something outweighed the risks.  If
 you estimate that the cost (including things you could have spent
 your time doing) is more than the losses, why bother?  Even if we
 *got* whacked, we'd lose maybe $500. But in the time I'd waste
 dealing with the issue, I could generate something that will get us
 $2,000 in revenue.  So if I fix it, I lose $1500, and if I ignore
 it, I come out
 $1,500 ahead if we get hit, and $2,000 if we don't.


 Is what you're describing not against the law Valdis, it sure sounds
 like
 it
 to me. Some kind of gross negligence...

 http://legal-dictionary.thefreedictionary.com/Gross+negligence
 http://legal-dictionary.thefreedictionary.com/negligence

 Is this what goes on at Virginia Tech on a regular basis? Maybe the
 authorities should be looking into you a lot more while they are
 looking into HD Moore. ;)

 I wonder if the intelligence services thought like you before
 9/11 and
 7/7 eh...I get the feeling they did.

 For sure people like you who support this kind of activity should be
 investigated. It sounds criminal.

 Have you ever carried out this kind of activity Valdis where you put
 security and people at risk to make and/or save money?

 If cyber-terrorism is going to become a real threat, we don't need
 people like Valdis around and we should sure keep track of him.

 Would you allow a cyber-9-11 to happen Valdis if there was money
involved?
 I'm starting to become worried about you dude, maybe I should be
 e-mailing the folks at Virginia Tech this thread, and perhaps, just
 perhaps the F.B.I and see what they think about what you've just told
me.

 You seem to be normalizing what you've just described to me as normal
 run- of-the-mill legal activity, when it clearly isn't.

 To me what you've just described is illegal, criminal and wrong.

 All the best,

 n3td3v





--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my
employer.
***
Check the headers before clicking on Reply.



Re: [Full-disclosure] Media backlash begins against HD Moore and I)ruid

2008-08-06 Thread Anders B Jansson
Paul Schmehl wrote:

 Insane == responding to n3td3v.
 
 So how many on this list meet the definition of insane?


Everyone.


-- 
// hdw



[Full-disclosure] [PLSA 2008-18] Pidgin: Spoofing Vulnerability

2008-08-06 Thread Pınar Yanardağ

Pardus Linux Security Advisory 2008-18[EMAIL PROTECTED]

   Date: 2008-08-07
   Severity: 2
   Type: Remote


Summary
===

A security issue has been reported in Pidgin, which can be exploited by
malicious people to conduct spoofing attacks.


Description
===

The problem is that the certificate presented by e.g. a Jabber server at
the beginning of an SSL session is not verified. This can be exploited
to spoof valid servers via a man-in-the-middle attack.



Successful exploitation requires that Pidgin is configured to use the
NSS plugin.


Affected packages:

   Pardus 2008:
 pidgin, all before 2.4.3-21-3

   Pardus 2007:
 pidgin, all before 2.4.3-21-14


Resolution
==

There are update(s) for pidgin. You can update them via Package Manager
or with a single command from console:

   Pardus 2008:
 pisi up pidgin

   Pardus 2007:
 pisi up pidgin


References
==

   * http://secunia.com/advisories/31390/
   * http://developer.pidgin.im/ticket/6500



-- 
Pınar Yanardağ
http://pinguar.org



[Full-disclosure] [PLSA 2008-19] Git: Multiple Buffer Overflows

2008-08-06 Thread Pınar Yanardağ

Pardus Linux Security Advisory 2008-19[EMAIL PROTECTED]

   Date: 2008-08-07
   Severity: 2
   Type: Remote


Summary
===

Some vulnerabilities have been reported in GIT, which can potentially be
exploited by malicious people to compromise a user's system.


Description
===

The vulnerabilities are caused due to boundary errors in various
functions when processing overly long repository pathnames. These can be
exploited to cause stack-based buffer overflows by tricking a user into
running e.g. git-diff or git-grep against a repository containing
pathnames that are larger than the PATH_MAX value on the user's
system.



Successful exploitation may allow execution of arbitrary code.


Affected packages:

   Pardus 2008:
 git, all before 1.5.6.4-66-3
 git-emacs, all before 1.5.6.4-66-3
 gitweb, all before 1.5.6.4-66-3

   Pardus 2007:
 git, all before 1.5.6.4-66-51
 git-emacs, all before 1.5.6.4-66-25
 gitweb, all before 1.5.6.4-66-27



Resolution
==

There are update(s) for git, git-emacs, gitweb. You can update them via
Package Manager or with a single command from console:

   Pardus 2008:
 pisi up git git-emacs gitweb

   Pardus 2007:
 pisi up git git-emacs gitweb


References
==

   * http://www.kernel.org/pub/software/scm/git/docs/RelNotes-1.5.6.4.txt
   * http://kerneltrap.org/mailarchive/git/2008/7/16/2529284
   * http://secunia.com/advisories/31347/



-- 
Pınar Yanardağ
http://pinguar.org


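The advisory above describes a classic shape of bug: a pathname longer than PATH_MAX copied into a fixed-size stack buffer. As an added example (not git's code and not from the advisory), here is a C path-join routine in the hardened form such a fix takes: the length of the joined pathname is checked against the destination buffer before anything is copied, so an over-long component is rejected instead of overflowing the buffer. The PATH_MAX fallback value and the constructed inputs in main() are assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* assumed fallback when <limits.h> does not define it */
#endif

/* Return codes for join_path(). */
enum { PATH_OK = 0, PATH_TOO_LONG = -1, PATH_BAD_ARG = -2 };

/*
 * Write "dir/name" into out[], a buffer of outsz bytes.
 *
 * Hardened form of the pattern the advisory describes: a fixed-size
 * on-stack buffer (typically char buf[PATH_MAX]) filled by strcpy()/strcat()
 * from pathnames whose length nobody checked.  Here the required size is
 * computed and compared with outsz before a single byte is copied, so an
 * over-long repository pathname yields PATH_TOO_LONG (with out[] left as an
 * empty string) rather than a write past the end of the buffer.
 */
int join_path(char *out, size_t outsz, const char *dir, const char *name)
{
    if (out == NULL || outsz == 0 || dir == NULL || name == NULL)
        return PATH_BAD_ARG;
    out[0] = '\0';

    size_t dlen = strlen(dir);
    size_t nlen = strlen(name);

    /* Early rejection keeps the size arithmetic below far from SIZE_MAX. */
    if (dlen > outsz || nlen > outsz)
        return PATH_TOO_LONG;

    /* Collapse trailing slashes on dir so the result is never "dir//name";
     * a separator is still emitted unless dir was completely empty. */
    size_t sep = (dlen > 0) ? 1 : 0;
    while (dlen > 0 && dir[dlen - 1] == '/')
        dlen--;

    size_t need = dlen + sep + nlen + 1;   /* +1 for the NUL terminator */
    if (need > outsz)
        return PATH_TOO_LONG;

    memcpy(out, dir, dlen);
    if (sep)
        out[dlen] = '/';
    memcpy(out + dlen + sep, name, nlen + 1);   /* copies the NUL as well */
    return PATH_OK;
}

int main(void)
{
    char buf[PATH_MAX];

    /* Constructed inputs: an ordinary path, then a component longer than PATH_MAX. */
    int rc = join_path(buf, sizeof buf, "repo/src", "main.c");
    printf("rc=%d path=%s\n", rc, buf);

    char huge[PATH_MAX + 16];
    memset(huge, 'A', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';
    rc = join_path(buf, sizeof buf, "repo", huge);
    printf("rc=%d (%s)\n", rc, rc == PATH_TOO_LONG ? "rejected" : "accepted");
    return 0;
}
```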

[Full-disclosure] Petko D. Petkov files unleashed, guilty by Internet council

2008-08-06 Thread internetsuperheros

bl4qh4t l1b3r4t10n 4rmy presents: the pdp files
===

The Great Council of Internet Superheros, with help of bl4qh4t l1b3r4t10n 4rmy
commandos, has condemned Petko D. Petkov to public exposure, continuous siege
and compromise of his electronic and networked assets.

Petko D. Petkov has been accused and declared guilty of several crimes against
God, Humankind, Honor, the Queen and his Mother (wherever her grave is located
in Poland):

01. Extreme media and press whoring.
02. Flagrant behavior and lack of discretion and respect for the spirit and
    tradition of hacking.
03. Claiming hacker status.
04. Pretending to be ethical while conducting illegal and morally questionable
    behavior.
05. Cheating on his anorexic, sex-starved girlfriend.
06. Excessive mailbox usage and size (Note: we are superheros but we don't like
    to archive 2GB mailbox files. Next time make it easier and help us by
    cleaning up a bit).
07. Animal cruelty (killing bugs and selling them to ZDI and iDEFENSE).
08. Waste of public and Internet resources.
09. Using the hacker word for self-promotion and advertisement with commercial
    intent.
10. Attacking and mis-using the meaning of 0-day.
11. Exceeding the limit of mailing-list subscibrals and monthly post quotas set
    by the Government of the Internet Chamber of Commerce and Etcetera.


The Great Council of Internet Superheros is now actively researching and
investigating several security industry personalities for other suspected
crimes. In the weeks and months to come, other individuals might be judged and
accused of these despicable activities.

We will strike with great vengeance and furious anger those who attempt to
attack, discredit and offend our brothers. Using our amassed amounts of
awesomeness, super powers and truly useful 0day, there will be no single
networked machine capable of withstanding our acts of justice. Oh we say.
Now get the mailbox files and mirror them, son.





what you have all been waiting patiently for:
=


web version for mirroring and browsing (please mirror! ;)
==



With love,
the Great Council of Internet Superheros.
To protect exposure and serve ruin


[Full-disclosure] GNUCITIZEN Stumbleupon account revised

2008-08-06 Thread Great Council of Internet Superheros

The Chamber of Internet Justice has released the necessary changes
to the Stumbleupon account used by Petko D. Petkov. Thanks to
Kentucky Fried Chicken sponsoring, the account is now legal
according to the Internet Law and Code of Misconduct.

You can find pdp's updated page at:
http://pdp.stumbleupon.com/

Kentucky Fried Chicken has sponsored this e-mail. Thank you.

Love,
the Great Council of Internet Superheros.
To protect exposure and serve ruin.


[Full-disclosure] Kaminsky Quittinq? Coffee Shop Inevitable?

2008-08-06 Thread InfoSec DramaReport
8/6/2008
An Information Security Drama Report Exclusive


It was BlackHat Vegas 2008 at the Prestigious Pwnie Awards and
tensions were running high. The audience had been waiting in
anticipation for the announcement of the winner of the Most Overhyped
Bug category. Nominees included pagvac's BT Home Hub authentication
bypass, Symantec's Adobe Flash Player non-0day remote code
execution, and Dan Kaminsky's Unspecified DNS cache poisoning
vulnerability.

However, while the competition was fierce, there was one obvious crowd
favorite, as the presenters pointed out by saying, "sixty percent of
the nominations in this category were for Dan Kaminsky's bug." After a
light-hearted description of the nominated bugs and an impromptu drum
roll the winner was announced... "Dan Kaminsky!" The crowd applauded.

Somewhat to the surprise of the audience, Dan approached the podium,
accepted the award, and for his speech he was paraphrased as saying,
"There are the kind of people who fix bugs and there are the kind of
people who find bugs. I'm glad to be both." Dan then proceeded to slam
the microphone down on the podium before going briefly back to his
seat, after which, as one attendee put it, "[Dan] strode out of the
room with his head held up high, Pawnie in hand, and a smirk on his
face." Dan's wife followed closely behind with their bags.

Further eyewitness reports say that Dan Kaminsky was seen immediately
after the awards ceremony repeating the following phrase several
times, "I'm done, I'm just done," to his wife, who appeared to be
consoling him in the wake of his acceptance speech.

Here at ISDR we can only speculate that this means the inevitable loss
of yet another valued Information Security professional to the honest
ranks of coffee shop or bar owners. Our editors and staff would like
to let Dan Kaminsky know that he will be missed and, if this year is
any portent, a nominee and winner for a Pawnie Lifetime Achievement
Award in 2009. Good luck and Godspeed everyone in their
unspecified DNS cache poisoning attacks.


Re: [Full-disclosure] [funsec] facebook messages worm

2008-08-06 Thread Juha-Matti Laurio
It has the following mechanism according to McAfee:
http://vil.nai.com/vil/content/v_148955.htm

They use the name W32/Koobface.worm, and Kaspersky (Kaspersky Labs originally
discovered this threat) uses the name Net-Worm.Win32.Koobface.b.

More information here too:
http://www.pcmag.com/article2/0,2817,2327272,00.asp

Juha-Matti

John C. A. Bambenek, GCIH, CISSP [EMAIL PROTECTED] wrote:
 What's the infection vector?  URL link?  Rogue Facebook app?
 
 On Wed, Aug 6, 2008 at 4:44 PM, Gadi Evron [EMAIL PROTECTED] wrote:
 
  Hi all.
 
  There's a facebook (possibly worm) something malicious sending fake
  messages from real users (friends).
 
  The sample also has a remote drop site (verified by someone who shall
  remain nameless).
 
  This is possibly zlob, not verified. Thanks Nick Bilogorskiy for his help.
 
  Infection sites seen so far are on .pl domains.
 
  The AV industry will soon add detection.
  Facebook's security folks are very capable, so I am not worried on that
  front.
 
  It's not that we didn't expect this for a long time now, but...
  Be careful. Some users know to be careful in email.. but not on facebook.
 
  Note: unlike 2003 when we called everything a worm and the 90s when
  everything was a virus--this is a bot which also spreads/infects on
  facebook.
 
 Gadi.
 
 
  --
  You don't need your firewalls! Gadi is Israel's firewall.
  -- Itzik (Isaac) Cohen, Computers czar, Senior Deputy to the
  Accountant General,
 Israel's Ministry of Finance, at the government's CIO conference,
  2005.
 
  (after two very funny self-deprecation quotes, time to even things up!)
 
  My profile and resume:
  http://www.linkedin.com/in/gadievron
