[Full-disclosure] Internet attacks against Georgian web sites

2008-08-11 Thread Gadi Evron
In the last few days, news and government web sites in Georgia suffered DDoS 
attacks. While these attacks seem to affect the Georgian Internet, it is still 
there.


Facts:
1. There are botnet attacks against .ge websites.
2. These attacks affect the .ge Internet infrastructure, but it's reachable.
3. It doesn't seem Internet infrastructure is directly attacked.
4. Every other political tension in the past 10 years, from a comic of the 
Prophet Muhammad to the war in Iraq, was followed by online supporters 
attacking targets which seem affiliated with the opposing side, and vice versa.


Up to the Estonian war, such attacks would be called hacker enthusiast 
attacks or cyber terrorism (of the weak sort). Nowadays any attack with a 
political nature seems to get the information warfare tag. When 300 
Lithuanian web sites were defaced last month, cyber war was the buzzword.


When I ran security for the Israeli government Internet operation and later the 
Israeli government CERT, such attacks were routine, and just by speaking on them 
in the local news outlets I started bigger so-called wars, when enthusiasts 
responded in the story comments and then attacked the other side.


Not all fighting is warfare. While Georgia is obviously under DDoS attacks 
and they are political in nature, it doesn't so far seem different from any other 
online aftermath by fans. Political tensions are always followed by online 
attacks by sympathizers.


Could this somehow be indirect Russian action? Yes, but considering Russia is 
past playing nice and uses real bombs, they could have attacked more strategic 
targets or eliminated the infrastructure kinetically.


Coulda, shoulda… the nature of what's going on isn't clear, but until we are 
certain anything state-sponsored is happening on the Internet it is my official 
opinion this is not warfare, but just some unaffiliated attacks by Russian 
hackers and/or some rioting by enthusiastic Russian supporters.


It is too early to say for sure what this is and who is behind it.

The RBN blog (following the Russian Business Network) is of a different 
opinion:

http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare.html
and:
http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare-2-sat-16-00.html

Also, Renesys has been following the situation and provides some data:
http://www.renesys.com/blog/2008/08/georgia_clings_to_the_net.shtml

(Thanks to Paul Ferguson for the URLs)

DDoS attacks harm the Internet itself rather than just this or that web site, 
so soon this may require some of us in the Internet security operations 
community getting involved in mitigating the attacks, if they don't just drop 
on their own.


Gadi Evron.

--
You don't need your firewalls! Gadi is Israel's firewall.
-- Itzik (Isaac) Cohen, Computers czar, Senior Deputy to the Accountant 
General,
   Israel's Ministry of Finance, at the government's CIO conference, 2005.

(after two very funny self-deprecating quotes, time to even things up!)

My profile and resume:
http://www.linkedin.com/in/gadievron
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] [funsec] Internet attacks against Georgian web sites

2008-08-11 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -- Paul Ferguson [EMAIL PROTECTED] wrote:

-- Gadi Evron [EMAIL PROTECTED] wrote:

In the last days news and government web sites in Georgia suffered DDoS
attacks. While these attacks seem to affect the Georgian Internet,  it is
still there. 


One more thing, TTNet has seemingly been a harbor for malicious
Russian and Ukrainian criminal activity for a couple of years now.

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFIn+Zrq1pz9mNUZTMRAiPqAJwJlo12Rj9zkVVfIrWJ5vXiZCgrcACgrQBy
DCCmJaWULlvfvP7fAeJKxho=
=ARWR
-END PGP SIGNATURE-


--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: [Full-disclosure] [funsec] Internet attacks against Georgian web sites

2008-08-11 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -- Gadi Evron [EMAIL PROTECTED] wrote:

In the last days news and government web sites in Georgia suffered DDoS 
attacks. While these attacks seem to affect the Georgian Internet, it is
still 
there.


Also, I wish to say:

It is clear that there are anti-Georgian forces at work on the
Internet.

Who they are, and what their motivations are (at this point),
remains to be seen.

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFIn+HCq1pz9mNUZTMRAg5bAKC14z8wNBom1TASstp9D6n3fL4bLwCfSzxU
cQcPfvWSi7j3Bwpgy1hPZJM=
=5lFT
-END PGP SIGNATURE-


--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



[Full-disclosure] Inguma version 0.0.9 released

2008-08-11 Thread Joxean Koret
Hi,

A new release of Inguma is available for download. This release fixes a
bunch of bugs in about all parts of Inguma. In this version 6 new
modules were added: dnsspoof, fakearp, dtspc, jsfuzz, ikescan and
unicornscan.

In the exploits section you will notice a bunch of new exploits. Just
DOS exploits for various vulnerabilities recently fixed in Oracle and
SUN software. In future releases I'm planning to add more interesting
exploits (not just DOS exploits) but, well, the vulnerabilities must
be fixed by vendors prior to public announcement. ;)

The complete ChangeLog is the following:

* Library libTNS updated (enhancements).
* Fixed bugs in the SMTP, POP3 and IMAP brute forcers.
* Module isnated enhanced (Thank you Sp0oKeR!).
* Added module dnsspoof.
* Added module fakearp, a fake ARP server.
* Added various changes to make Inguma Debian friendly.
* Added module dtspc to gather information from dtspcd.
* Many changes and enhancements to PyShellCodeLib.
* Added libdisassemble from Immunity Sec to the toolkit.
* Added a JavaScript object's fuzzer. Connect with your browser to
the spawned web server and follow the instructions.
* Help command now shows output summarized by category (discover,
gather, etc...).
* Upgraded Scapy to version 1.2.0.2 to avoid problems with IKE.
* Added module ikescan, a tool like the well-known ike-scan.
* Added module unicornscan, a wrapper for the popular tool. Thank
you Hugo!
* Added to the public version of Inguma various DOS exploits for
recently fixed vulnerabilities in Oracle TimesTen, Oracle Internet
Directory and Sun Java Web Proxy Server.

Download Version 0.0.9
http://sourceforge.net/project/showfiles.php?group_id=188246&package_id=220086&release_id=619127

Sourceforge.net Project's Page
http://sourceforge.net/projects/inguma/

Thanks & Regards,
Joxean Koret





Re: [Full-disclosure] Internet justice delivered, criminals panic and run in despair

2008-08-11 Thread Valdis . Kletnieks
On Sun, 10 Aug 2008 08:30:07 PDT, alan shimel said:

 These people, who claim to protect Internet infrastructure, who
 claim hacking does not mean breaking into systems. The same people
 who have never experienced breaking into a system with PaX, mprotect
 restrictions, 16 bit ASLR, and RBAC policies configured, the same
 people who have never backdoored a PHP extension on runtime, the
 same people who have never broken into Fortune 100 C-level
 executives
 mailboxes.

So in your world, only murderers can be policemen, and only arsonists can be
firemen, only pitchers can contend for the batting title, and only linebackers
can be quarterbacks?

A quarterback is trying to throw the pass - the linebacker doesn't need
to be able to throw well. He needs to be able to intercept or break up the play.

Similarly, the needed skill sets for white and black hats differ.



[Full-disclosure] anyone developing a secure telephony application for GSM CSD?

2008-08-11 Thread Fabio Pietrosanti (naif)
I would like to get in contact with all the guys here that 
worked/developed on encrypted/secure telephony apps.

Would like to start a community based platform for who worked/is working 
on this kind of technology in order to establish a standardization and 
interoperability path.

No, I am not talking about VoIP clients but encrypted voice clients that 
leverage legacy telephony networks (GSM, SATCOM, PSTN, ISDN, etc).

Fabio/naif



[Full-disclosure] Surf Jack - HTTPS will not save you

2008-08-11 Thread Sandro Gauci
Say hello to a new security tool called Surf Jack which demonstrates
a security flaw found in various public sites. The proof of concept
tool allows testers to steal session cookies on HTTP and HTTPS sites
that do not set the Cookie secure flag.

Tool: http://surfjack.googlecode.com/
Short paper: http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf
Screencast: http://www.vimeo.com/1507697

This research was done independently from Mike Perry's[1], but it
appears to be effectively the same thing.


[1] https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Perry


--
Sandro Gauci
EnableSecurity
Web: http://enablesecurity.com/



Re: [Full-disclosure] Internet attacks against Georgian web sites

2008-08-11 Thread n3td3v
On Saturday Gadi Evron to Paul Ferguson said:

http://linuxbox.org/pipermail/funsec/2008-August/018032.html

I don't believe this is cyber warfare. Political tensions lead to cyber
fans. I doubt RBN.

let's not make this a story.

Thanks for sharing! Interesting,

Gadi.

Big U-turn from your original comment, is it not, Mr. Evron?

1) Nobody takes you seriously anymore.
2) You're not a leader in the internet security industry.
3) The ISP community is sick of you as well. Read:
http://mailman.nanog.org/pipermail/nanog/2008-August/002735.html

Adding your Linkedin http://www.linkedin.com/in/gadievron profile to
the bottom of your posts isn't going to make anyone take you more
seriously.

You make it up as you go along, hence your U-turn; anything that's
going to get you a reason to do a big multiple mailing list cross post
with your name on it, you pick up on.

On Saturday it was a non-issue, by Monday it's worthy of a multiple
mailing list cross post with your name on it, what gives Gadi?

Did Mossad phone you up after your original comment on Funsec and tell
you to start beating the hell out of this to make it a story?

Something fishy about your U-turn Gadi, perhaps you can explain to the
security community why on Saturday this was a non-issue that didn't
need to be made into a story by news journalists, yet has suddenly turned
into a multiple mailing list cross post.

All the best,

n3td3v



[Full-disclosure] George Ledin virus material training Request.

2008-08-11 Thread Jun...
Hi, I'm interested in George Ledin's training material.
http://www.newsweek.com/id/150465

Can someone send me any mail contact or direct link to download?

Thanks.



Re: [Full-disclosure] [funsec] Internet attacks against Georgian web sites

2008-08-11 Thread John C. A. Bambenek, GCIH, CISSP
I haven't looked terribly closely but the cyber attacks don't seem to match
up with what I would consider military objectives... there are plenty of
nationalists that come crawling out of the woodwork during events like
this.  If the attacks are targeted more at military objectives then I'd say
you're starting to see real information warfare.  While I'm sure Russia
knows it goes on and is more than content to allow the harassment, that's
not the same as sponsorship.

On Mon, Aug 11, 2008 at 1:52 AM, Paul Ferguson [EMAIL PROTECTED] wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 - -- Gadi Evron [EMAIL PROTECTED] wrote:

 In the last days news and government web sites in Georgia suffered DDoS
 attacks. While these attacks seem to affect the Georgian Internet, it is
 still
 there.
 

 Also, I wish to say:

 It is clear that there are anti-Georgian forces at work on the
 Internet.

 Who they are, and what their motivations are (at this point),
 remains to be seen.

 - - ferg

 -BEGIN PGP SIGNATURE-
 Version: PGP Desktop 9.6.3 (Build 3017)

 wj8DBQFIn+HCq1pz9mNUZTMRAg5bAKC14z8wNBom1TASstp9D6n3fL4bLwCfSzxU
 cQcPfvWSi7j3Bwpgy1hPZJM=
 =5lFT
 -END PGP SIGNATURE-


 --
 Fergie, a.k.a. Paul Ferguson
  Engineering Architecture for the Internet
  fergdawg(at)netzero.net
  ferg's tech blog: http://fergdawg.blogspot.com/


 ___
 Fun and Misc security discussion for OT posts.
 https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
 Note: funsec is a public and open mailing list.


Re: [Full-disclosure] [funsec] Internet attacks against Georgian web sites

2008-08-11 Thread n3td3v
Gadi Evron has connections with the Israeli government and probably
Mossad, how do we know it's not the Israeli government behind these
attacks? Think about the sudden U-turn I was talking about that Gadi
Evron did on this particular security incident, one minute he was
downplaying it, the next he was doing a multiple mailing list cross
post. Remember Gadi Evron is good at information warfare, and he is
probably being directed to do this by Mossad.

1) Full-Disclosure is run by MI5/6.
2) Securityfocus Bugtraq is run by FBI/CIA.
3) Funsec is run by Mossad.

Gadi Evron shouldn't be coming on a British mailing list with his
propaganda just because Mossad told him to, the intelligence
analysts can see straight through it.

All the best,

n3td3v

On Mon, Aug 11, 2008 at 6:32 PM, John C. A. Bambenek, GCIH, CISSP
[EMAIL PROTECTED] wrote:
 I haven't looked terribly closely but the cyber attacks don't seem to match
 up with what I would consider military objectives... there are plenty of
 nationalists that come crawling out of the woodwork during events like
 this.  If the attacks are targeted more at military objectives then I'd say
 you're starting to see real information warfare.  While I'm sure Russia
 knows it goes on and is more than content to allow the harassment, that's
 not the same as sponsorship.




Re: [Full-disclosure] [funsec] Internet attacks against Georgian web sites

2008-08-11 Thread Valdis . Kletnieks
On Mon, 11 Aug 2008 18:58:11 BST, n3td3v said:

 1) Full-Disclosure is run by MI5/6.
 2) Securityfocus Bugtraq is run by FBI/CIA.
 3) Funsec is run by Mossad.

No, that's just what THEY want you to believe.  I'd tell you what is
really going on, but this is an insecure channel and there's been this
black helicopter patrolling the area all morning...



[Full-disclosure] [ GLSA 200808-11 ] UUDeview: Insecure temporary file creation

2008-08-11 Thread Pierre-Yves Rofes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200808-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   Severity: Normal
  Title: UUDeview: Insecure temporary file creation
   Date: August 11, 2008
   Bugs: #75, #224193
 ID: 200808-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in UUDeview may allow local attackers to conduct
symlink attacks.

Background
==========

UUDeview is an encoder and decoder supporting various binary formats.
NZBGet is a command-line based binary newsgrabber supporting .nzb
files.

Affected packages
=================

    -------------------------------------------------------------------
     Package                   /  Vulnerable  /              Unaffected
    -------------------------------------------------------------------
  1  app-text/uudeview           < 0.5.20-r1                >= 0.5.20-r1
  2  news-nntp/nzbget              < 0.4.0                      >= 0.4.0
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

UUDeview makes insecure use of the tempnam() function when creating
temporary files. NZBGet includes a copy of the vulnerable code.

Impact
======

A local attacker could exploit this vulnerability to overwrite
arbitrary files on the system.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All UUDeview users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/uudeview-0.5.20-r1"

All NZBGet users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=news-nntp/nzbget-0.4.0"

References
==========

  [ 1 ] CVE-2008-2266
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2266

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200808-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5






Re: [Full-disclosure] [funsec] Internet attacks against Georgian web sites

2008-08-11 Thread Robert Marquardt
On Aug 11, 2008, at 8:54 PM, [EMAIL PROTECTED] wrote:

 On Mon, 11 Aug 2008 18:58:11 BST, n3td3v said:

 1) Full-Disclosure is run by MI5/6.
 2) Securityfocus Bugtraq is run by FBI/CIA.
 3) Funsec is run by Mossad.

 No, that's just what THEY want you to believe.  I'd tell you what is
 really going on, but this is an insecure channel and there's been this
 black helicopter patrolling the area all morning...

What's with the BND and the FSB? :-P



[Full-disclosure] [ MDVSA-2008:165 ] perl

2008-08-11 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2008:165
 http://www.mandriva.com/security/
 ___

 Package : perl
 Date: August 11, 2008
 Affected: 2008.1
 ___

 Problem Description:

 The rmtree function in lib/File/Path.pm in Perl 5.10 does not properly
 check permissions before performing a chmod, which allows local users
 to modify the permissions of arbitrary files via a symlink attack.
 
 The updated packages have been patched to fix this.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2827
 ___

 Updated Packages:

 Mandriva Linux 2008.1:
 a94542e9e9504a4d11be4acb0977cbca  2008.1/i586/perl-5.10.0-13.1mdv2008.1.i586.rpm
 95515e6c74da5d6b28e954d68a3c06f2  2008.1/i586/perl-base-5.10.0-13.1mdv2008.1.i586.rpm
 b39451214d71c3cc151ce1c2c2e6969c  2008.1/i586/perl-devel-5.10.0-13.1mdv2008.1.i586.rpm
 0ed618fc4dda3f804bd051af35d1073e  2008.1/i586/perl-doc-5.10.0-13.1mdv2008.1.i586.rpm
 5c8292c188b1cfbd9509013060a8832e  2008.1/i586/perl-suid-5.10.0-13.1mdv2008.1.i586.rpm
 894e08eab70f76a470e5faaccd35c684  2008.1/SRPMS/perl-5.10.0-13.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 9cbac47b99f5619c99c0bf127036728f  2008.1/x86_64/perl-5.10.0-13.1mdv2008.1.x86_64.rpm
 28affc527b9b3fa016a15a8b334c12ad  2008.1/x86_64/perl-base-5.10.0-13.1mdv2008.1.x86_64.rpm
 8a1015ddbf192d5d288c27eb887c2ea0  2008.1/x86_64/perl-devel-5.10.0-13.1mdv2008.1.x86_64.rpm
 9e42182860712bed39366687feaebfa7  2008.1/x86_64/perl-doc-5.10.0-13.1mdv2008.1.x86_64.rpm
 89f28b330583f90b4655f77e9740cc88  2008.1/x86_64/perl-suid-5.10.0-13.1mdv2008.1.x86_64.rpm
 894e08eab70f76a470e5faaccd35c684  2008.1/SRPMS/perl-5.10.0-13.1mdv2008.1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIoGdPmqjQ0CJFipgRAp4mAJoCpHxauxYDW1nbfmVX8a2JUl21vgCg5k8H
HGMbkEpJ/3sCupxLk6GCiBg=
=2DHh
-END PGP SIGNATURE-
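The UUDeview advisory (tempnam() temporary files) and the Perl advisory (rmtree chmod) above describe the same class of bug: a path in a directory the attacker can also write to is trusted after it has been named, so a planted symlink redirects the operation to a file the attacker chose. As an added example (not code from UUDeview, NZBGet, Perl, Gentoo or Mandriva), the Python script below reproduces each pattern inside a scratch directory it creates for itself and shows why the standard fixes hold: an unpredictable name created with O_EXCL for temporary files, and O_NOFOLLOW plus fchmod() for permission changes. It assumes a POSIX system (os.O_NOFOLLOW); the "uudeview.tmp" name and the victim file are constructed for the demonstration.

```python
# Added example: symlink-attack patterns from the advisories, each beside a hardened form.
import errno
import os
import stat
import tempfile


def insecure_tmp_write(path: str, data: bytes) -> None:
    """tempnam()-style: trust a predictable path and open it without O_EXCL.
    If a symlink was planted at `path`, the write lands on the link's target."""
    with open(path, "wb") as fh:
        fh.write(data)


def secure_tmp_write(directory: str, data: bytes) -> str:
    """mkstemp-style: the name is unpredictable and O_EXCL fails if any entry
    (including a symlink) already exists, so the write cannot be redirected."""
    fd, path = tempfile.mkstemp(dir=directory)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def insecure_chmod(path: str, mode: int) -> None:
    """rmtree-style: chmod by name follows symlinks, so a link planted in the
    tree being processed changes the mode of whatever it points at."""
    os.chmod(path, mode)


def secure_chmod(path: str, mode: int) -> bool:
    """Open with O_NOFOLLOW and chmod through the descriptor; a symlink is refused.
    Returns False when the path was a symlink and nothing was changed."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):  # Linux / BSD codes for O_NOFOLLOW
            return False
        raise
    try:
        os.fchmod(fd, mode)
    finally:
        os.close(fd)
    return True


def demonstrate() -> dict:
    """Run both patterns against a planted symlink in a private scratch directory."""
    sandbox = tempfile.mkdtemp()
    victim = os.path.join(sandbox, "victim")  # constructed stand-in for a sensitive file
    with open(victim, "wb") as fh:
        fh.write(b"original")
    os.chmod(victim, 0o600)

    # Constructed precondition: a symlink sitting at the predictable temporary name.
    predictable = os.path.join(sandbox, "uudeview.tmp")
    os.symlink(victim, predictable)

    insecure_tmp_write(predictable, b"clobbered")
    with open(victim, "rb") as fh:
        victim_after_insecure = fh.read()

    secure_path = secure_tmp_write(sandbox, b"safe")
    with open(secure_path, "rb") as fh:
        secure_content = fh.read()

    os.chmod(victim, 0o600)
    insecure_chmod(predictable, 0o666)
    mode_after_insecure = stat.S_IMODE(os.stat(victim).st_mode)

    os.chmod(victim, 0o600)
    refused = not secure_chmod(predictable, 0o666)
    mode_after_secure = stat.S_IMODE(os.stat(victim).st_mode)

    return {
        "victim_after_insecure_write": victim_after_insecure,
        "secure_tmp_left_victim_alone": secure_path != victim and secure_content == b"safe",
        "mode_after_insecure_chmod": mode_after_insecure,
        "secure_chmod_refused_symlink": refused,
        "mode_after_secure_chmod": mode_after_secure,
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value!r}")
```

The two hardened helpers are the shape of the upstream fixes: mkstemp() replaces tempnam(), and a descriptor-based fchmod() after an O_NOFOLLOW open replaces a path-based chmod().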



Re: [Full-disclosure] [funsec] Internet attacks against Georgian web sites

2008-08-11 Thread n3td3v
On Mon, Aug 11, 2008 at 7:54 PM,  [EMAIL PROTECTED] wrote:
 I'd tell you what is really going on, but this is an insecure channel

I'll tell you what's really going on, Gadi Evron is partaking in
information warfare via the mailing lists on behalf of the Israeli
government.

Note: This thread isn't on Bugtraq yet even though its been post to
it, maybe the moderator *cough* CIA didn't want Gadi Evron's output
going on their mailing list this time because they know something the
public don't.

Its strange for Gadi Evron posts to be denied from Bugtraq isn't it?
They usually let all his posts go through, not this one though.

All the best,

n3td3v



[Full-disclosure] rPSA-2008-0249-1 openldap openldap-clients openldap-servers

2008-08-11 Thread rPath Update Announcements
rPath Security Advisory: 2008-0249-1
Published: 2008-08-11
Products:
rPath Appliance Platform Linux Service 2
rPath Linux 2

Rating: Severe
Exposure Level Classification:
Remote Deterministic Denial of Service
Updated Versions:
[EMAIL PROTECTED]:2/2.4.11-1-0.1
[EMAIL PROTECTED]:2/2.4.11-1-0.1
[EMAIL PROTECTED]:2/2.4.11-1-0.1

rPath Issue Tracking System:
https://issues.rpath.com/browse/RPL-2645

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2952

Description:
Previous versions of the openldap package are vulnerable to a Denial of
Service attack in which a remote attacker may use maliciously crafted
network packets to cause an assertion in the slapd server.

http://wiki.rpath.com/Advisories:rPSA-2008-0249

Copyright 2008 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html



[Full-disclosure] rPSA-2008-0247-1 gvim vim vim-minimal

2008-08-11 Thread rPath Update Announcements
rPath Security Advisory: 2008-0247-1
Published: 2008-08-11
Products:
rPath Appliance Platform Linux Service 2
rPath Linux 2

Rating: Minor
Exposure Level Classification:
Indirect Deterministic Unauthorized Access
Updated Versions:
[EMAIL PROTECTED]:2/7.1.326-0.2-1
[EMAIL PROTECTED]:2/7.1.326-0.2-1
[EMAIL PROTECTED]:2/7.1.326-0.2-1

rPath Issue Tracking System:
https://issues.rpath.com/browse/RPL-2622

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2712

Description:
Previous versions of the vim package are vulnerable to an Arbitrary Code
Execution attack in which a user-assisted attacker may execute arbitrary
commands by using a maliciously crafted file to exploit weaknesses in
vim's internal scripting language.

http://wiki.rpath.com/Advisories:rPSA-2008-0247

Copyright 2008 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html



Re: [Full-disclosure] Team SHATTER Security Advisory: SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN)

2008-08-11 Thread Team SHATTER
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

The DBA role in Oracle Database is not the same as SYSDBA privilege,
which is granted to SYS. There are many things that a user granted the
DBA role can't do - the most important being the ability to alter SYS
owned objects. This is true on databases where
O7_DICTIONARY_ACCESSIBILITY=FALSE (default value).

This vulnerability allows any user with execute privileges on the
affected package (by default users granted the DBA role) to impersonate
the SYS user.
This is an especially high-risk vulnerability in databases where strict
separation-of-duty is implemented as required by some regulations. This
may also be the case, for instance, where Oracle Database Vault is
deployed. Exploiting this vulnerability may allow a DBA to bypass
Database Vault protections and access protected data that should be
restricted by Database Vault. In other words, a DBA may escalate to
DV_OWNER (Database Vault Owner) privileges.

Also, the default privileges required to execute the affected package
could have been changed to include non-trusted users. In this case,
these non-trusted users may exploit the vulnerability to escalate
privileges and own the database.

Team SHATTER,
Application Security Inc. (www.appsecinc.com)
Memisyazici, Aras wrote:
| Umm...
|
| By default, users granted DBA have the required privilege. 
|
| So... You are saying, people should beware of DBAs (Database
Administrators... AKA DB Gods) having the possibility to do SQL
injection? Riighhtt... And why should they go through the trouble of
exploiting a webapp to manipulate data in the DB? They're DBAs... As in
they already CAN manipulate the data in the database since they sort of
ADMINISTER it!
|
| Aras Russ Memisyazici
| Systems Administrator
| Office of Vice President for Research
| Virginia Tech
|
| -Original Message-
| From: Team SHATTER [mailto:[EMAIL PROTECTED]
| Sent: Monday, August 04, 2008 12:42 PM
| To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
| Subject: Team SHATTER Security Advisory: SQL Injection in Oracle
Database (DBMS_DEFER_SYS.DELETE_TRAN)
|
| Team SHATTER Security Advisory
|
| SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN)
|
| August 4, 2008
|
| Risk Level:
| Medium
|
| Affected versions:
| Oracle Database Server versions 9iR1, 9iR2, 10gR1, 10gR2 and 11gR1
|
| Remote exploitable:
| Yes (Authentication to Database Server is needed)
|
| Credits:
| This vulnerability was discovered and researched by Esteban Martínez
Fayó of Application Security Inc.
|
| Details:
| The PL/SQL package DBMS_DEFER_SYS owned by SYS has an instance of SQL
Injection in the DELETE_TRAN procedure. A malicious user can call the
vulnerable procedure of this package with specially crafted parameters
and execute SQL statements with the elevated privileges of SYS user.
|
| Impact:
| Any Oracle database user with EXECUTE privilege on the package
SYS.DBMS_DEFER_SYS can exploit this vulnerability. By default, users
granted DBA have the required privilege. Exploitation of this
vulnerability allows an attacker to execute SQL commands with SYS
privileges.
|
| Vendor Status:
| Vendor was contacted and a patch was released.
|
| Workaround:
| Restrict access to the SYS.DBMS_DEFER_SYS package.
|
| Fix:
| Apply Oracle Critical Patch Update July 2008 available at Oracle Metalink.
|
| Links:
|
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2592
|
| Timeline:
| Vendor Notification - 9/24/2007
| Vendor Response - 9/28/2007
| Fix - 7/15/2008
| Public Disclosure - 7/23/2008
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkigrysACgkQ9EOAcmTuFN3trACfajJ17O9b/1efhlM0QAljCedp
if4AoJ6+dqDggI41lsxePQ9PKfIjDkg+
=k+BC
-END PGP SIGNATURE-



Re: [Full-disclosure] what happened to fd??.. even eff cant save it??.

2008-08-11 Thread coderman
On Sun, Aug 10, 2008 at 3:45 AM, Joel Jose [EMAIL PROTECTED] wrote:
 if fd is outlawed..

you idiot.

fd is not announcing existence of your sploit to the world, scant on
detail, in some kind of white hat tease days, weeks, even months ahead
of disclosure.

fd is dropping the bomb out of the blue on the unsuspecting.

you can't get an injunction against the unknown...

(the many factors supporting the decline of fd is a long political
discourse for another day. the optimist would say this represents an
improved vendor security awareness and increased responsibility of
security researchers.  the pessimist would say this underscores the
filthy lucre to be claimed by selective disclosure to those lining the
many pockets of researchers the world over.  only n3td3v knows the
truth... *cough*)



Re: [Full-disclosure] Surf Jack - HTTPS will not save you

2008-08-11 Thread coderman
On Mon, Aug 11, 2008 at 4:03 AM, Sandro Gauci [EMAIL PROTECTED] wrote:
 Say hello to a new security tool called Surf Jack which demonstrates
 a security flaw found in various public sites. The proof of concept
 tool allows testers to steal session cookies on HTTP and HTTPS sites
 that do not set the Cookie secure flag.

note: Gmail now supports an account option to enforce the secure only
bit on session cookies and keeps your entire gmail session on SSL.
this makes attacks like this and Mike Perry's active side jacking
impossible, as the session cookie is no longer sent in the clear when
http:// non-SSL links are injected into browser content.

to enable this feature:
- at top of page select Settings
- scroll to bottom of section for Browser connection: preference
- select Always use https

this will pass the Secure / secureonly option when setting the GX=...
session cookie used to identify your authenticated session.  this
cookie will then never be sent over plain-text connections, protecting
you from passive / active side jacking attacks.

be sure to use a somewhat modern browser that supports secure only
cookies.  you can also verify correct operation with the Live HTTP
Headers plugin for Firefox.

hopefully ongoing attention and improved tools demonstrating the need
for continuous SSL / secureonly session management will be adopted by
all web developers and sites.  (i'm not holding my breath...)

best regards,

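An added example, not code from the original post or from the Surf Jack tool: a small Python check that parses Set-Cookie headers from a constructed response, reports session-looking cookies that lack the Secure attribute, and models the one browser rule the post relies on, that a Secure cookie is never attached to a plain http:// request. The sample headers and the name heuristic are assumptions, not values from any real site.

```python
import re
from urllib.parse import urlparse

# Constructed sample response headers (not captured from any real site).
# GX is modelled on the cookie name the post mentions; SID shows the hardened form.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: GX=abc123; Domain=.example.test; Path=/; HttpOnly",
    "Set-Cookie: PREF=lang-en; Domain=.example.test; Path=/",
    "Set-Cookie: SID=xyz789; Domain=.example.test; Path=/; Secure; HttpOnly",
]

# Assumed heuristic for "looks like a session cookie"; tune per site.
SESSION_NAME_HINT = re.compile(r"(sess|sid|token|auth|gx)", re.IGNORECASE)


def parse_set_cookie(header_value):
    """Return (name, value, attrs); attrs maps lowercased attribute names to values."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value.strip(), attrs


def cookie_sent_over(attrs, url):
    """Browser rule modelled here: a cookie carrying Secure is only sent on https."""
    if "secure" in attrs and urlparse(url).scheme != "https":
        return False
    return True


def audit(headers):
    """List session-looking cookies that would leak over plain HTTP (no Secure flag)."""
    findings = []
    for h in headers:
        if not h.lower().startswith("set-cookie:"):
            continue
        name, _value, attrs = parse_set_cookie(h.split(":", 1)[1])
        if SESSION_NAME_HINT.search(name) and "secure" not in attrs:
            findings.append(name)
    return findings


if __name__ == "__main__":
    print("cookies missing Secure:", audit(SAMPLE_HEADERS))
```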


[Full-disclosure] [PLSA 2008-21] Ruby: Multiple Vulnerabilities

2008-08-11 Thread Pınar Yanardağ

Pardus Linux Security Advisory 2008-21    [EMAIL PROTECTED]

   Date: 2008-08-12
   Severity: 3
   Type: Remote


Summary
===

Multiple vulnerabilities have been discovered in Ruby: several
vulnerabilities in safe level, DoS vulnerability in WEBrick, lack of
taintness check in dl and DNS spoofing vulnerability in resolv.rb.


Description
===

== Several vulnerabilities in safe level ==

Multiple errors in the implementation of safe level restrictions can be
exploited to call untrace_var(), perform syslog operations, and modify
$PROGRAM_NAME at safe level 4, or call insecure methods at safe levels
1 through 3.

(These vulnerabilities were reported by Keita Yamaguchi.)


== DoS vulnerability in WEBrick ==

An error exists in the usage of regular expressions in
WEBrick::HTTPUtils.split_header_value(). This can be exploited to
consume large amounts of CPU via a specially crafted HTTP request.

(This vulnerability was reported by Christian Neukirchen.)


== Lack of taintness check in dl ==

An error in DL can be exploited to bypass security restrictions and
call potentially dangerous functions.

(This vulnerability was reported by sheepman.)


== DNS spoofing vulnerability in resolv.rb ==

The vulnerability is caused due to resolv.rb not sufficiently
randomising the DNS query port number, which can be exploited to poison
the DNS cache.

(This vulnerability was reported by Tanaka Akira.)


Affected packages:

   Pardus 2008:
 ruby, all before 1.8.7_p72-16-4
 ruby-mode, all before 1.8.7_p72-16-4

   Pardus 2007:
 ruby, all before 1.8.7_p72-16-13
 ruby-mode, all before 1.8.7_p72-16-4



Resolution
==

There are update(s) for ruby, ruby-mode. You can update them via Package
Manager or with a single command from console:

   Pardus 2008:
 pisi up ruby ruby-mode

   Pardus 2007:
 pisi up ruby ruby-mode


References
==

   * http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby
   * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
   * http://secunia.com/advisories/31430/



-- 
Pınar Yanardağ
http://pinguar.org



[Full-disclosure] [PLSA 2008-22] Php: Multiple Overflows

2008-08-11 Thread Pınar Yanardağ

Pardus Linux Security Advisory 2008-22    [EMAIL PROTECTED]

   Date: 2008-08-12
   Severity: 2
   Type: Remote


Summary
===

Two overflow issues were discovered in Php which might possibly allow
for arbitrary code execution.


Description
===

Two overflow issues were discovered in Php:

- Overflow in ext/gd's imageloadfont() function

- Overflow in php's internal memnstr() function which is exposed to
userspace as explode()


Affected packages:

   Pardus 2008:
 php-common, all before 5.2.6-65-3
 php-cli, all before 5.2.6-65-3
 mod_php, all before 5.2.6-65-3

   Pardus 2007:
 php-common, all before 5.2.6-58-27
 php-cli, all before 5.2.6-58-36
 mod_php, all before 5.2.6-58-59


Resolution
==

There are update(s) for php-common, php-cli, mod_php. You can update
them via Package Manager or with a single command from console:

   Pardus 2008:
 pisi up php-common php-cli mod_php

   Pardus 2007:
 pisi up php-common php-cli mod_php


References
==

   * http://www.php.net/archive/2008.php#id2008-08-07-1
   * http://news.php.net/php.cvs/51219
   * http://news.php.net/php.cvs/52039
   * http://news.php.net/php.cvs/52002



-- 
Pınar Yanardağ
http://pinguar.org



[Full-disclosure] Ukraine?

2008-08-11 Thread Drop Drop
Hello.

Are there any security research companies in Ukraine?