[Full-disclosure] Funniest thing at DefCon this year...

2008-08-14 Thread Exibar
 
Was certainly the roll of 1000 stickers that was found near the (then
closed) registration window, just sitting there inviting all to take a bunch
of them

The stickers were 4 inches round, black with white lettering, and said...

 N3TD3V
 SUCKS!


   I nearly fell on my ass I was laughing so hard!  Of course I grabbed a
crapload of them too :-)


  Exibar

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [funsec] Estonia similarities begin to manifest (fwd)

2008-08-14 Thread Gadi Evron
It seems like the online Russian population is getting mobilized. Like a
meme spreading on the blogosphere, the mob is forming and starting to
riot, attacking Georgia.

This seems very similar to the Estonian incident, only my current guess is
natural evolution rather than grass-roots implanted--but I am getting more
and more convinced of the similarities as more information becomes
available. Determining exactly when the use of scripts by regular users
started is key to this determination.

So, this may possibly be in copy-cat fashion, filling in for the missing
coordination that existed in Estonia's case, or a duplicate after all. It
is still too early to come to conclusions.

This information was received from Shadowserver, which posted a reduced
public report on this subject on their wiki:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080813

Great work from Shadowserver!

My colleague Randy Vaughn came up with the following theory, which
contradicts my own:
I would say more like the result of past training.  That is, the
.ee attacks served to set a behavioral response that will
automatically trigger during any real or perceived conflict.

Gadi.



[Full-disclosure] CORE-2008-0103: Internet Explorer Zone Elevation Restrictions Bypass and Security Zone Restrictions Bypass

2008-08-14 Thread CORE Security Technologies Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

   Core Security Technologies - CoreLabs Advisory
   http://www.coresecurity.com/corelabs/

Internet Explorer Zone Elevation Restrictions Bypass and Security Zone
Restrictions Bypass


*Advisory Information*

Title: Internet Explorer Zone Elevation Restrictions Bypass and Security
Zone Restrictions Bypass
Advisory ID: CORE-2008-0103
Advisory URL:
http://www.coresecurity.com/content/internet-explorer-zone-elevation
Date published: 2008-08-13
Date of last update: 2008-08-13
Vendors contacted: Microsoft
Release mode: Coordinated release


*Vulnerability Information*

Class: Zone Elevation Restrictions Bypass and Security Zone Restrictions
Bypass
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 30585   
CVE Name: CVE-2008-1448 


*Vulnerability Description*

Internet Explorer introduces the concept of URL Security Zones, which
basically define a set of privileges for web applications (such as, for
example, accessing and/or modifying the local computer files) depending
on their level of trustworthiness.

Issues have been found in the way that security policies are applied
when a URI is specified in the UNC form:
'\\MACHINE_NAME_OR_IP\PATH_TO_RESOURCE'

* When a remote site attempts to access a local resource, Internet
Explorer will fail to enforce the Zone Elevation restrictions.

* When browsing a remote site, Internet Explorer will not apply the
right Security Zone permissions, allowing a site belonging to a less
secure zone to be treated as one belonging to a more privileged zone.


*Vulnerable Packages*

. Internet Explorer 5 under Windows 2000/2003/XP
. Internet Explorer 6 under Windows 2000/2003/XP
. Internet Explorer 7 under Windows 2000/2003/XP
. Internet Explorer 7 under Windows Vista (when protected mode is turned
off)


*Non-vulnerable Packages*

. This vulnerability is addressed by Microsoft Security Bulletin
MS08-048 [1]


*Vendor Information, Solutions and Workarounds*

Microsoft has issued Security Bulletin MS08-048 to address this
vulnerability. The bulletin includes workarounds and mitigating factors.
For more information refer to the bulletin:
http://www.microsoft.com/technet/security/bulletin/ms08-048.mspx

Workarounds communicated by the vendor include:

* Locking down the MHTML protocol handler. Below are the required
registry changes.

/---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
explorer.exe=dword:0001
iexplore.exe=dword:0001
*=dword:0001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\RestrictedProtocols]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\RestrictedProtocols\1]
mhtml=mhtml

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\RestrictedProtocols\2]
mhtml=mhtml

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\RestrictedProtocols\3]
mhtml=mhtml

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\RestrictedProtocols\4]
mhtml=mhtml

---/

* Disabling the MHTML protocol handler. To disable the protocol handler,
follow these steps:

1. Click Start and then click Run. Enter regedit.exe in the text box and
click OK.
2. Navigate to
HKEY_CLASSES_ROOT\CLSID\{05300401-BCBC-11d0-85E3-00C04FD85AB4}.
3. Right click {05300401-BCBC-11d0-85E3-00C04FD85AB4} and select
Permissions.
4. Click Advanced.
5. Deselect "Allow inheritable permissions from the parent to propagate".
6. Click Remove, and then click OK. Click Yes and OK on subsequent screens.
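An audit script for the first workaround above, added here as an example (it is not code from the advisory, Core, or Microsoft). The key paths and values are those quoted in the workaround; the reader-callback design and the simplified listing parser are assumptions so the check can run on Windows against the live registry or anywhere against an exported listing.

```python
"""Audit the MS08-048 MHTML protocol lockdown workaround.

Added example; not code from the advisory, Core, or Microsoft. The key paths
and values are the ones quoted in the workaround. The reader-callback design
and the simplified listing parser are assumptions so the check can run on
Windows against the live registry or anywhere against an exported listing.
"""
import sys

LOCKDOWN_KEY = (r"SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl"
                r"\FEATURE_PROTOCOL_LOCKDOWN")
RESTRICTED_KEY = (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"
                  r"\RestrictedProtocols")

# Every (subkey under HKLM, value name, expected data) the workaround sets.
# Zones 1-4 are the IE URL security zones (Intranet, Trusted, Internet, Restricted).
EXPECTED = [(LOCKDOWN_KEY, name, 1) for name in ("explorer.exe", "iexplore.exe", "*")]
EXPECTED += [(RESTRICTED_KEY + "\\%d" % zone, "mhtml", "mhtml") for zone in (1, 2, 3, 4)]

# Constructed sample listing in the same shape as the workaround text, with each
# key header on a single line (mailing-list line wrapping must be undone first).
# Zones 3 and 4 are deliberately left out so the audit has something to report.
SAMPLE_LISTING = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
explorer.exe=dword:0001
iexplore.exe=dword:0001
*=dword:0001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\1]
mhtml=mhtml

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\2]
mhtml=mhtml
"""


def parse_listing(text):
    """Turn '[HKEY_LOCAL_MACHINE\\...]' headers with 'name=dword:0001' or
    'name=value' lines into a {(subkey, name): data} snapshot.
    Quotes, as found in real .reg exports, are stripped from names and values."""
    snapshot, subkey = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            subkey = line[1:-1].split("\\", 1)[1]  # drop the HKEY_LOCAL_MACHINE prefix
        elif subkey is not None and "=" in line:
            name, data = (p.strip().strip('"') for p in line.split("=", 1))
            if data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            snapshot[(subkey, name)] = data
    return snapshot


def snapshot_reader(snapshot):
    """Reader over an in-memory snapshot; None for values that are absent."""
    return lambda subkey, name: snapshot.get((subkey, name))


def winreg_reader(subkey, name):
    """Reader over the live HKLM hive (Windows only); None for absent keys or values."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None


def missing_lockdown_values(read_value):
    """Return the (subkey, name, expected) triples that are absent or carry other data."""
    return [(k, n, v) for k, n, v in EXPECTED if read_value(k, n) != v]


if __name__ == "__main__":
    if sys.platform == "win32":
        reader = winreg_reader
    else:
        reader = snapshot_reader(parse_listing(SAMPLE_LISTING))
    for subkey, name, expected in missing_lockdown_values(reader):
        print("missing: HKLM\\%s [%s] should be %r" % (subkey, name, expected))
```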


*Credits*

This vulnerability was discovered and researched by Jorge Luis Alvarez
Medina from Core Security Technologies.


*Technical Description / Proof of Concept Code*

Internet Explorer is the most popular Internet browser in the world as
it is an integrated component of every Windows installation. It
introduces the concept of URL Security Zones, as explained in [2], which
basically define a set of privileges for web applications (such as
accessing and modifying the local computer files) depending on their
level of trustworthiness, namely:

* Local Intranet Zone: for content located on an organization's
intranet. Because the servers and information are within an
organization's firewall, it is reasonable to assign a higher level of
trust to content on the intranet.

* Trusted Sites Zone: for content located on Web sites that are
considered more reputable or trustworthy than other sites on the
Internet. Assigning a higher level of trust to these sites minimizes the
number of related authentication requests. The user adds the URLs of
trusted Web sites to this zone.

* Internet Zone: for Web sites on the Internet that do not belong to
another zone. This default setting causes Internet Explorer to prompt
the user whenever potentially unsafe content is about to be downloaded.
Web sites that are not mapped into other zones 

[Full-disclosure] Coordinated Russia vs Georgia cyber attack in progress

2008-08-14 Thread Dancho Danchev
Hello,

The following factual analysis is a complete account of the events
that took place during the weekend in regard to Russia's
self-mobilization of Internet users in an attempt to coordinate and
launch a cyber attack against Georgia's Internet infrastructure, and
limit the Georgian government's ability to disseminate information on
the events taking place inside the country.  The attacks are ongoing
despite the ceasefire.

http://blogs.zdnet.com/security/?p=1670

Regards
-- 
Dancho Danchev
Cyber Threats Analyst/Blogger
http://ddanchev.blogspot.com
http://blogs.zdnet.com/security
http://windowsecurity.com/Dancho_Danchev



[Full-disclosure] ISOI 5 (Tallinn) agenda is now online

2008-08-14 Thread Gadi Evron
Greetings!

The agenda for the ISOI conference (held on the 11th and 12th of September
2008, in Tallinn, Estonia) has just been made public.

You can find it here:
http://www.isotf.org/isoi5.html

Suggested hotel is the Viru:
http://www.viru.ee/

Our kind host is the Estonian CERT (Hillar) who is also planning a
special after-hours event for us to enjoy.

We have the option of moving to a bigger room if necessary, so you can RSVP
when you like (although we'd appreciate notice, and our confirmation is
required).

Best regards,

Randy Vaughn and Gadi Evron.



[Full-disclosure] SECOBJADV-2008-03: PartyGaming PartyPoker Malicious Update Vulnerability

2008-08-14 Thread advisories
==
= Security Objectives Advisory (SECOBJADV-2008-03)   =
==

PartyGaming PartyPoker Malicious Update Vulnerability

http://www.security-objectives.com/advisories/SECOBJADV-2008-03.txt

AFFECTED: PartyPoker Client (Build Number 121/120, Build Date Mar 18 2008)
  Other versions may also be affected

PLATFORM: Intel / Windows

CLASSIFICATION: Origin Validation Error (CWE-346)

RESEARCHER: Derek Callaway

IMPACT: Client-side code execution

SEVERITY: Medium

DIFFICULTY: Moderate

REFERENCES: CVE-2008-3324


BACKGROUND

PartyPoker.com (www.PartyPoker.com) is the world's largest online poker brand
in terms of number of players and revenues. You'll find a great variety of 
poker games and tournaments, plus blackjack. 

SUMMARY

The PartyGaming PartyPoker client program can be forced into downloading a
malicious update. This is a result of the PartyPoker client not properly 
confirming the authenticity of the network update server or the 
executable update files themselves. When downloading an update, first  
the client program resolves the DNS address of the update host. Next, it 
establishes a TCP connection on port 80 of the previously resolved IP  
address. Then, it sends an HTTP request for an EXE file under the web 
server's Downloads directory. Upon receiving the HTTP response, the 
requested portable executable is written to disk and executed.

ANALYSIS

To successfully exploit this vulnerability an attacker must be able to
position themselves such that they can impersonate the update server.
This can be accomplished through DNS cache poisoning, ARP redirection,
TCP hijacking, impersonation of a Wi-Fi Access Point, etc. The attacker
would also have configured a rogue web server to push out update code of
their choosing.

Before PartyPoker downloads the update it communicates with another 
PartyGaming server in the 88.81.154.0/24 subnetwork via SSL to determine 
if a new client update is available; if so, an HTTP GET request is sent 
to www1.partypoker.com for an EXE file in the /Downloads/en/vcc 
directory and is stored on the local filesystem under 
C:\Programs\PartyGaming\tmpUpgrade and executed. Afterwards, the user 
may login and operate the PartyPoker client as usual.

Since the update itself is downloaded from a separate server, the client 
can contact the legitimate PartyGaming server during exploitation to 
determine if an update is available as normal. The attacker only needs 
to masquerade as www1.partypoker.com.
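The two-channel flow described in the SUMMARY and ANALYSIS, modelled as an added example (not PartyGaming code). The fix it shows is an assumption about how the client could be changed: the SSL reply also carries the file's length and SHA-256 digest, and the client refuses to store or run an HTTP download that does not match; this only holds if the SSL leg validates the server certificate.

```python
"""Tie the HTTP update download to the authenticated availability check.

Added example; not PartyGaming code. The advisory describes a client that
asks a PartyGaming server over SSL whether an update exists, then fetches an
EXE over plain HTTP from www1.partypoker.com and executes it, so whoever can
impersonate that one host controls what runs. The fix modelled here is an
assumption: the SSL reply also carries the file's length and SHA-256 digest,
and the client refuses to store or run a download that does not match. It
relies on the SSL leg validating the server certificate; otherwise the
manifest can be replaced just as easily as the file.
"""
import hashlib
import hmac

# Constructed stand-ins, both 98 bytes: the genuine update and the file a
# rogue www1.partypoker.com would serve instead. Same size, so that only the
# digest tells them apart.
GENUINE_UPDATE = b"MZ" + b"\x00" * 62 + b"constructed GENUINE update payload"
ROGUE_UPDATE = b"MZ" + b"\x00" * 62 + b"constructed ROGUE!! update payload"


class UntrustedUpdate(Exception):
    """The HTTP download does not match what the authenticated channel announced."""


def announce_update(update_bytes, version="121"):
    """Assumed shape of the SSL-protected reply: version plus a binding to the file."""
    return {"version": version,
            "size": len(update_bytes),
            "sha256": hashlib.sha256(update_bytes).hexdigest()}


def vulnerable_accept(fetched):
    """The behaviour the advisory describes: whatever came back over HTTP is used."""
    return fetched


def verified_accept(manifest, fetched):
    """Accept the HTTP download only if it matches the manifest from the SSL leg."""
    if len(fetched) != manifest["size"]:
        raise UntrustedUpdate("size mismatch")
    if not fetched.startswith(b"MZ"):
        raise UntrustedUpdate("not a PE image")
    digest = hashlib.sha256(fetched).hexdigest()
    # compare_digest is the standard constant-time comparison for digests.
    if not hmac.compare_digest(digest, manifest["sha256"]):
        raise UntrustedUpdate("digest mismatch")
    return fetched


def update_would_run(manifest, served, verify=True):
    """True if the client would write and execute `served`, with or without the check."""
    if not verify:
        vulnerable_accept(served)
        return True
    try:
        verified_accept(manifest, served)
    except UntrustedUpdate:
        return False
    return True


if __name__ == "__main__":
    manifest = announce_update(GENUINE_UPDATE)
    for label, served in (("genuine", GENUINE_UPDATE), ("rogue", ROGUE_UPDATE)):
        print("%-7s  unverified client runs it: %-5s  verified client runs it: %s"
              % (label, update_would_run(manifest, served, verify=False),
                 update_would_run(manifest, served)))
```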

WORKAROUND

Do not use the PartyPoker client program.

VENDOR RESPONSE

The vendor was contacted initially and was fully aware of the vulnerability. 
However, after unsuccessfully attempting multiple times to re-establish dialogue,
with limited responsiveness over a period of several months, Security 
Objectives proceeded with the advisory.

DISCLOSURE TIMELINE

20-Feb-2008 Discovery of Vulnerability
22-Feb-2008 Developed Proof-of-Concept
25-Feb-2008 Reported to Vendor
15-Aug-2008 Published Advisory

ABOUT SECURITY OBJECTIVES

Security Objectives is a security centric consultancy and software development 
corporation which operates in the area of application assurance software. 
Security Objectives employs methods that are centered on software 
comprehension, therefore a more in-depth contextual understanding of the 
application is developed.

http://security-objectives.com/

LEGAL

Permission is granted for electronic distribution of this advisory.
It may not be edited without the written consent of Security Objectives.

The information contained in this advisory is believed to be accurate based on 
currently available information and is provided as is without warranty of 
any kind, either expressed or implied, including, but not limited to, the 
implied warranties of merchantability and fitness for a particular purpose. 
The entire risk as to the quality and performance of the information is with 
you.
 



[Full-disclosure] SUSE Security Announcement: postfix (SUSE-SA:2008:040)

2008-08-14 Thread Thomas Biege

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:postfix
Announcement ID:SUSE-SA:2008:040
Date:   Thu, 14 Aug 2008 14:00:00 +
Affected Products:  openSUSE 10.2
openSUSE 10.3
openSUSE 11.0
SuSE Linux Enterprise Server 8
SUSE SLES 9
Novell Linux Desktop 9
Open Enterprise Server
Novell Linux POS 9
SUSE Linux Enterprise Desktop 10 SP1
SUSE Linux Enterprise Server 10 SP1
SUSE Linux Enterprise Desktop 10 SP2
SUSE Linux Enterprise Server 10 SP2
Vulnerability Type: local privilege escalation
Severity (1-10):6
SUSE Default Package:   yes
Cross-References:   CVE-2008-2936
CVE-2008-2937


Content of This Advisory:
1) Security Vulnerability Resolved:
 local privilege escalation and mbox ownership problem
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   Postfix is a well known MTA.
   During a source code audit the SuSE Security-Team discovered a local
   privilege escalation bug (CVE-2008-2936) as well as a mailbox ownership
   problem (CVE-2008-2937) in postfix. 
   The first bug allowed local users to execute arbitrary commands as root
   while the second one allowed local users to read other users' mail.
   

2) Solution or Work-Around

   Please install the update package.

3) Special Instructions and Notes

   After successfully installing the postfix update, execute the command
   /etc/init.d/postfix restart
   as root to restart the postfix system.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.

   
   x86 Platform:

   openSUSE 11.0:
   http://download.opensuse.org/pub/opensuse/update-debug/11.0/rpm/i586/postfix-debuginfo-2.5.1-28.3.i586.rpm
   http://download.opensuse.org/pub/opensuse/update-debug/11.0/rpm/i586/postfix-debugsource-2.5.1-28.3.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/postfix-2.5.1-28.3.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/postfix-devel-2.5.1-28.3.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/postfix-mysql-2.5.1-28.3.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/postfix-postgresql-2.5.1-28.3.i586.rpm

   openSUSE 10.3:
   http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/postfix-2.4.5-20.4.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/postfix-devel-2.4.5-20.4.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/postfix-mysql-2.4.5-20.4.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/postfix-postgresql-2.4.5-20.4.i586.rpm

   openSUSE 10.2:
   ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/postfix-2.3.2-32.i586.rpm
   ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/postfix-devel-2.3.2-32.i586.rpm
   ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/postfix-mysql-2.3.2-32.i586.rpm
   ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/postfix-postgresql-2.3.2-32.i586.rpm

   Sources:

   openSUSE 11.0:
   http://download.opensuse.org/pub/opensuse/update/11.0/rpm/src/postfix-2.5.1-28.3.src.rpm

   openSUSE 10.3:
   http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/postfix-2.4.5-20.4.src.rpm

   openSUSE 10.2:
   ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/postfix-2.3.2-32.src.rpm
   
   Our maintenance customers are notified individually. The packages are
   offered for installation from the maintenance web:
   
   Open Enterprise Server
 

Re: [Full-disclosure] Internet attacks against Georgian web sites

2008-08-14 Thread Pavel Labushev
n3td3v wrote:

 Watch this video by Marcus Sachs at Black Hat 2008
 http://www.youtube.com/watch?v=FSUPTZVlkyU, he talks about, how are we
 going to get the next president's attention in the transition period
 in the first 100 days of Obama or McCain getting into the White House
 and to take cyber seriously?

I'm afraid all that cyberterrorism nonsense is proposed (solely or not)
for the purpose of gaining more control over the Internet.
Today we hear: there is terrorism, so we need to eavesdrop on your
communications.
Tomorrow we may hear: there is terrorism *and* cyberterrorism.
Cyberterrorists use techniques that make eavesdropping ineffective
today, so to save Democracy and Peace we need to *control* your
communications.
Yeah, to control like this: ban everything and allow only what *we*
explicitly allow.
North Korea is coming.




Re: [Full-disclosure] DNS forward only: why does it help?

2008-08-14 Thread Florian Weimer
* Paul Szabo:

 As a workaround, it is recommended to set DNS servers to forward only.
 Can someone explain why that helps?

It helps if the network between recursor and forwarder is trusted.  If
it's not, the attacker must still obtain the IP addresses involved and
the forwarder source port, which doesn't immediately leak to the
attacker.  So automated attacks are somewhat less likely.



Re: [Full-disclosure] Internet attacks against Georgian web sites

2008-08-14 Thread n3td3v
On Thu, Aug 14, 2008 at 1:53 PM, Pavel Labushev [EMAIL PROTECTED] wrote:
 n3td3v wrote:

 Watch this video by Marcus Sachs at Black Hat 2008
 http://www.youtube.com/watch?v=FSUPTZVlkyU, he talks about, how are we
 going to get the next president's attention in the transition period
 in the first 100 days of Obama or McCain getting into the White House
 and to take cyber seriously?

 I'm afraid all that cyberterrorism nonsense is proposed (solely or not)
 for the purpose of gaining more control over the Internet.
 Today we hear: there is terrorism, so we need to eavesdrop on your
 communications.
 Tomorrow we may hear: there is terrorism *and* cyberterrorism.
 Cyberterrorists use techniques that make eavesdropping ineffective
 today, so to save Democracy and Peace we need to *control* your
 communications.
 Yeah, to control like this: ban everything and allow only what *we*
 explicitly allow.
 North Korea is coming.


Yes, once Marcus Sachs and friends have done the false flag cyber 9/11
after Obama or McCain get in, cyber will finally be on top of the
Agenda.

Right now that video doesn't seem like much, but as soon as the cyber
9/11 false flag happens then it will be key evidence in the
investigation into who in the U.S government under world was involved
in the planning, execution and cover up.

By the way, ignore Gadi Evron and Dancho Danchev, they are secret
intelligence service operatives who want you to believe there is a
Russia and/or Estonia link.

Also, the U.S cyber command isn't suspended, that was just propaganda
to make sure the U.S cyber command was in the media at the same time
as the Georgia cyber attacks.

They might say it is suspended at the end of the month, but they know
it will be restarted after the false flag cyber 9/11 happens, so it
was well worth it just to get mentioned at the same time as the
Georgia cyber attacks.

However, Air Force leaders insisted Wednesday that they were not
torpedoing plans to establish the new Cyberspace Command. Rather,
leaders have decided to pause on making any further plans in order
to give leaders time to get more information and set a proper course
of action concerning the new command and other Air Force initiatives.

The Air Force remains committed to providing full-spectrum cyber
capabilities to include global command and control, electronic warfare
and network defense, Air Force spokesman Ed Gulick said in a prepared
statement.

http://www.bizjournals.com/sanjose/stories/2008/08/11/daily67.html

leaders have decided to pause on making any further plans in order
to give leaders time to get more information and set a proper course
of action concerning the new command and other Air Force initiatives.

They are putting it on hold because they are waiting for the cyber
9/11 false flag, that Marcus Sachs talks about in the video.

Because if the cyber command is built before the influence of the
false flag then it won't be as big and powerful as it wants to be.
However if they wait for the cyber 9/11 false flag, then the cyber
command will be bigger, better with better funding.

So according to bizjournals.com there is going to be a pause. Is
this pause to allow the U.S government under world cyber 9/11 false
flag to happen, so that all folks in the U.S government's cyber can
become even more powerful than ever before?

The cyber 9/11 false flag will give the cyber leaders in the U.S
government all the money and power they want, that they are currently
frustrated about not having, because main land terrorism is currently
distracting what the power hungry cyber guys in the U.S government
are wanting. (See the Marcus Sachs video).

Don't allow Marcus Sachs and company to carry out a cyber 9/11 false
flag, this is ultimately what all this is leading up to when Obama,
McCain get in to the White House.

Gadi Evron and Dancho Danchev are the secret service operatives doing
the ground work at the moment, so that the public have known people to
blame, and other things the public can connect with for after the
false flag cyber 9/11 happens.

It's likely the cyber 9/11 false flag will be blamed on Russia, China
or Al-Qaeda.

Die Hard 4.0 was also put into the public domain on the lead up to the
Obama and McCain election by the Marcus Sachs's of the world to get
the idea of cyber terrorism into the hearts and minds of the public.

If they didn't have a lead up and all the background work put in
first, the false flag wouldn't be as good, they've got to make sure
the public know everything about cyber attacks and cyber terrorism
first and have known enemies the public and the media can blame
afterwards.

By the way, I suggest folks mirror the Youtube video as soon as
possible, as I predict its going to mysteriously disappear.

There are power hungry cyber folks in Washington who are currently
frustrated they don't have the power and money they want and they will
do anything in their power to get it. If it means a cyber 9/11 false
flag, they will do it, to 

Re: [Full-disclosure] Funniest thing at DefCon this year...

2008-08-14 Thread North, Quinn
Is n3td3v the new stile ??

 http://img142.imageshack.us/my.php?image=n3td3vsuxft5.jpg 

--=Q =--

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Exibar
Sent: Thursday, August 14, 2008 1:04 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Funniest thing at DefCon this year...

 
Was certainly the roll of 1000 stickers that was found near the (then
closed) registration window, just sitting there inviting all to take a
bunch
of them

The stickers were 4 inches round, black with white lettering, and
said...

 N3TD3V
 SUCKS!


   I nearly fell on my ass I was laughing so hard!  Of course I grabbed
a
crapload of them too :-)


  Exibar



Re: [Full-disclosure] Internet attacks against Georgian web sites

2008-08-14 Thread Ureleet
On Wed, Aug 13, 2008 at 12:49 PM, n3td3v [EMAIL PROTECTED] wrote:
 On Wed, Aug 13, 2008 at 6:43 AM, Viktor Larionov
 [EMAIL PROTECTED] wrote:
 Hi all,

 As a comment to Gadi's story: it's not nice to accuse anyone if it's still
 not clear who's behind all this and what is really happening.


 It would be great for the U.S to take down the .ge sites while Russia
 is attacking Georgia in a ground conflict, as it ramps up U.S's
 ambitions for an offensive cyber command.

 They already cyber false flagged Estonia to get money support
 politically and public acceptance for the big U.S cyber command to get
 built in the first place.

 Now that the big U.S cyber command has been given the go ahead because
 of the Estonia cyber false flag, they've got to keep reasons in the
 media that the U.S cyber command is still a good idea.

u mean the cyber command that was just cancelled and told to stop?


 Russia gets all the blame for the .ge cyber attacks and U.S get to
 keep the politicians and the public sweet about the ongoing need for
 the big U.S cyber command and legitimate reasons for its existence.

 I couldn't think of a better time for U.S to do a bit of cyber false
 flagging than when another country is invading another, while keeping
 U.S cyber ambitions afloat politically and publicly.

 Remember, U.S need to keep the idea of ground conflict and cyber
 attacks as the same thing in the eyes of the public and the
 politicians or the idea of the U.S cyber command doesn't float.

 In reality, proper government-led cyber attacks wouldn't target web
 sites, this is purely an attention seeking exercise to highlight the
 ongoing need for the U.S cyber command.

 In reality, proper government-led cyber attacks are invisible to the
 public, as they are targeting specific government and military stuff
 that the public and politicians don't get a chance to know about. It's
 a classic media whoring exercise to take out web sites, as taking out
 websites has no real cyber operational value apart from a bit of media
 whoring.

 I don't think it was Russia, but Russia have been framed by the U.S.
 who need to keep the ideology of a U.S offensive cyber command afloat
 and OK'd as the next president and its administration take over, so
 that cyber gets full funding and the attention of Obama or McCain.

 Watch this video by Marcus Sachs at Black Hat 2008
 http://www.youtube.com/watch?v=FSUPTZVlkyU, he talks about, how are we
 going to get the next president's attention in the transition period
 in the first 100 days of Obama or McCain getting into the White House
 and to take cyber seriously?

 Now by this video it seems that Marcus Sachs
 http://en.wikipedia.org/wiki/Marcus_Sachs is trying to say we need a
 cyber false flag attack in the first 100 days that Obama or McCain get
 into the White House to make sure cyber is fully funded and that
 cyber offensive operations are fully OK'd for the next four to eight
 years.

 We want to get the attention of the next administration as they are
 coming in --Marcus Sachs.

marcus sachs is a media wh0reing bloehard.  he seems he is in the
right place at the right time.  what has he done besides run his
mouth?


 He talks about the first two months or 100 days of the next presidency
 is crucial in getting the attention of the president and its
 administration.

 Is this a hidden message here by Marcus Sachs about a Die Hard 4.0
 scenario false flag attack being planned?

he wouldnt know if it bit him in the ass.


 He said also in the video, when Bush was coming in, the powers that be
 got their attention with 9/11 and that cyber got distracted, and now
 he is basically saying when Obama or McCain come in that the U.S
 government under world are planning a cyber 9/11.

he said something about the first 100 days and shit before bush got
elected too.  u could say the same thing every 4 yrs.


 It seems that Marcus Sachs is frustrated that 9/11 got all the
 attention last time, and now the powers that be are going to make sure
 cyber takes up the main agenda this time around.

 How are they going to get the attention of the next presidency to get
 cyber fully funded and taken seriously is anyone's guess, but I fear
 the worst and that we must keep our eyes and ears open for any false
 flagging and other suspicious looking cyber security incidents, so we
 are better prepared to call out false flag at the earliest
 opportunity.

marcus is trying to get a government appt to lead the us cyber
command.  this is called 'dick sucking'



Re: [Full-disclosure] Funniest thing at DefCon this year...

2008-08-14 Thread Ureleet
and i missed em.  fuck.

On Thu, Aug 14, 2008 at 1:04 AM, Exibar [EMAIL PROTECTED] wrote:

 Was certainly the roll of 1000 stickers that was found near the (then
 closed) registration window, just sitting there inviting all to take a bunch
 of them

 The stickers were 4 inches round, black with white lettering, and said...

  N3TD3V
  SUCKS!


   I nearly fell on my ass I was laughing so hard!  Of course I grabbed a
 crapload of them too :-)


  Exibar





Re: [Full-disclosure] (no subject)

2008-08-14 Thread Ureleet
dear ff,

u suck.  die.

that is all.

On Wed, Aug 13, 2008 at 6:18 AM,  [EMAIL PROTECTED] wrote:
 [EMAIL PROTECTED] has sent you a secure email using Hushmail. To read it,
 please visit the following web page:

 https://www.hushmail.com/express/4JS7VCHT

 Frequently Asked Questions:

 Why did I receive this email?

 You have received this email because you have been sent a secure email
 through Hushmail. To read your secure email, you must follow the link
 provided and correctly answer a secret question chosen by the sender.

 What is a secure email?

 Sending a regular email is like sending a postcard - it may be read by any
 number of people before reaching its recipient(s). A secure email is like
 sending a letter in a sealed envelope - it can only be read by the sender
 and intended recipient(s).

 Is it safe to follow the link in this email?

 Yes, it is safe to visit the Hushmail web site by following the link
 provided in this email. However, you should never open an email attachment
 unless you know the person who sent it, were expecting to receive the file
 from them, and have scanned the file for viruses.

 When you arrive at the Hushmail web site, be sure to check the following:

 The address bar of your web browser shows: https://www.hushmail.com/express/
 A small picture of a padlock appears in the bottom right corner of your web
 browser

 If you would prefer to access your message by entering its message code,
 please visit the following web page: https://www.hushmail.com/express. You
 will be asked to enter the following message code: 4JS7 VCHT

 What is Hushmail?

 Hushmail is a web-based email service that lets you send and receive email
 in total security using OpenPGP standard algorithms. These algorithms,
 combined with Hushmail's unique key management system, provide unrivalled
 levels of security. Hushmail's encryption is automatic, transparent, and
 seamless - no special computer skills are required.

 How do I create a free Hushmail account?

 You can create a free Hushmail account by clicking on the following link:
 https://www.hushmail.com/




Re: [Full-disclosure] Great Council of Internet Superheros

2008-08-14 Thread Ureleet
r u jealous because they are stealing ur troll thunder?

On Fri, Aug 8, 2008 at 2:31 PM, n3td3v [EMAIL PROTECTED] wrote:
 Stop spamming Full-Disclosure or i'll get your Hushmail account
 terminated and your parents informed.

 All the best,

 n3td3v





Re: [Full-disclosure] Internet justice delivered [UPDATE ON M. ROTHMAN AND ALAN]

2008-08-14 Thread Ureleet
sic.

On Sun, Aug 10, 2008 at 11:07 AM, Squadron of Justice
[EMAIL PROTECTED] wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 We missed some relevant updates.

 Mike Rothman's phone number:
 +1 678-449-7183

 And some neat insight into Alan Shimel's income, his IRS forms
 scanned:

 http://bayimg.com/image/cakkdaabc.jpg
 SSN: 088-54-4202

 This guy earns 16k US dollars monthly. In the meanwhile, people
 are struggling in Africa to fight starvation, walking a few miles
 to bring non-edible water to their people.

 If Alan spared some dollars from paying abortions for his
 extramarital
 relationships and burgers at McDonalds, a few dozen families could
 realize there's a better world for them out there.

 This Great Council disapproves of these abuses against humankind. An
 overweight man makes 16k-plus bucks a month just for blogging,
 taking phone calls, meeting other obese executives, and a child has
 to walk 4 miles in Africa to avoid dying dehydrated.

 Alan Shimel goes to Disneyworld with his family (we won't release
 information on minors, or relatives unless they are associated
 with business or activities in the industry, superheroes have strict
 ethical codes and creeds) while other kids are brutally abused
 in Thailand by midget executives from Europe and the USA.

 See his reservation (if someone dares to do anything with his
 family information we will lay acts of Great Justice upon them,
 kids aren't to blame for their parents' sins):

 http://vacation.disneyworld.com/T0RH02575A0A79374DCC3A15AFDA40

 These people, who claim to protect Internet infrastructure, who
 claim hacking does not mean breaking into systems. The same people
 who have never experienced breaking into a system with PaX, mprotect
 restrictions, 16 bit ASLR, and RBAC policies configured, the same
 people who have never backdoored a PHP extension on runtime, the
 same people who have never broken into Fortune 100 C-level
 executives
 mailboxes.

 On Sun, 10 Aug 2008 16:03:37 +0200 Night Ninja [EMAIL PROTECTED]
 wrote:
May great justice be had!  Whitehats enter my oven.

 Zeroday can happen to anyone. Especially if it's openssl flavored.

 Love,
 the Great Council of Internet Superheros.
 To protect exposure and serve ruin.
 -BEGIN PGP SIGNATURE-
 Charset: UTF8
 Note: This signature can be verified at https://www.hushtools.com/verify
 Version: Hush 3.0

 wpwEAQMCAAYFAkifBDQACgkQ5g5u/REitpZ0FQP/TGutvRBVnLG6+2X17fHbffC3jbK4
 SRc9NDvI3/QCmDbSc8JbEpUfGkTfgtQBbfPHQJj+69ujN9iF6/PypIoJGwczIQYR+BVd
 HfufQn3yzBwaFxvtO78ugngRDsQN1n5ppiio+YtVIlBrTNR/KYtryon+kfCiRO1KABbE
 xdz+25E=
 =LEBw
 -END PGP SIGNATURE-






[Full-disclosure] Cisco IOS Shellcodes

2008-08-14 Thread Gyan Chawdhary
Following our Cisco IOS shell code presentation at Blackhat Vegas 2008,
IRM has decided to release three variants of the IOS shell codes
discussed in the presentation. Following are the payloads that can be
used as both code execution based payloads and runtime memory resident
backdoors within IOS:

*   Password protected bind shell -
    http://www.irmplc.com/downloads/presentations/IOS_Bindshell_v.1.0.txt

*   Connect Back Shell -
    http://www.irmplc.com/downloads/presentations/IOS_Connectback_v.1.0.txt

*   Two byte overwrite bind shell -
    http://www.irmplc.com/downloads/presentations/IOS_tiny_v.1.0.txt

Regards,

Gyan Chawdhary

Gyan Chawdhary | Senior Consultant
Information Risk Management Plc
8th Floor | Kings Buildings | Smith Square | London SW1P 3JJ
Tel: +44 (0)20 7808 6420
Fax: +44 (0)20 7808 6421
http://www.irmplc.com/


Re: [Full-disclosure] (no subject)

2008-08-14 Thread Valdis . Kletnieks
On Wed, 13 Aug 2008 10:18:13 -, [EMAIL PROTECTED] said:

 Is it safe to follow the link in this email?
 
 Yes, it is safe to visit the Hushmail web site by following the link
 provided.

Which is, of course, what any miscreant who wanted you to visit a site that
will drop malware into your browser would say.

The risk is mitigated quite a bit for *this* e-mail because the link is in
a text/plain, so you're either cut-n-pasting the link and can see where you're
going, or your MUA has linkified it but you still can see the actual target.

Unfortunately, most users can't tell the difference between a link in a
text/plain and <a href="http://127.0.0.1">http://www.goodstuff.com/</a> (and
you probably should double-check what your MUA did with the above line :)



[Full-disclosure] SUSE Security Announcement: openwsman (SUSE-SA:2008:041)

2008-08-14 Thread Thomas Biege

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

__

SUSE Security Announcement

Package:openwsman
Announcement ID:SUSE-SA:2008:041
Date:   Thu, 14 Aug 2008 18:00:00 +
Affected Products:  openSUSE 10.3
openSUSE 11.0
Vulnerability Type: remote code execution
Severity (1-10):7
SUSE Default Package:   no
Cross-References:   CVE-2008-2233
CVE-2008-2234

Content of This Advisory:
1) Security Vulnerability Resolved:
 remote code execution, SSL session replay
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
- pdns
- dnsmasq
- gnome-screensaver
- mysql
- rdesktop
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   The openwsman project provides an implementation of the Web Service
   Management specification.
   The SuSE Security-Team has found two critical issues in the code: 
   - two remote buffer overflows while decoding the HTTP basic authentication
 header (CVE-2008-2234) 
   - a possible SSL session replay attack affecting the client (depending on
 the configuration) (CVE-2008-2233)
   Both issues were fixed.


2) Solution or Work-Around

   Please install the fixed package.


3) Special Instructions and Notes

   Please restart the openwsman daemon.


4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

 rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.

   
   x86 Platform:

   openSUSE 11.0:
   http://download.opensuse.org/pub/opensuse/debug/update/11.0/rpm/i586/openwsman-debuginfo-2.0.0-3.3.i586.rpm
   http://download.opensuse.org/pub/opensuse/debug/update/11.0/rpm/i586/openwsman-debugsource-2.0.0-3.3.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/libwsman-devel-2.0.0-3.3.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/libwsman1-2.0.0-3.3.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/openwsman-client-2.0.0-3.3.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/openwsman-python-2.0.0-3.3.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/openwsman-ruby-2.0.0-3.3.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/openwsman-server-2.0.0-3.3.i586.rpm

   openSUSE 10.3:
   http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/openwsman-1.2.0-14.4.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/openwsman-client-1.2.0-14.4.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/openwsman-devel-1.2.0-14.4.i586.rpm
   http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/openwsman-server-1.2.0-14.4.i586.rpm

   Sources:

   openSUSE 10.3:
   http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/openwsman-1.2.0-14.4.src.rpm

__

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

   - pdns
 This update of pdns offers better spoofing resistance by not
 ignoring invalid queries. (CVE-2008-3337)
 
   - dnsmasq
 This update of dnsmasq uses random UDP source ports and a random
 TRXID now. (CVE-2008-1447)
 
   - gnome-screensaver
 This update of gnome-screensaver disallows local users to read
 the contents of the clipboard for a locked screen using ctrl-v.
 (CVE-2007-6389)
 
   - mysql
 The database server MySQL was updated to fix two security problems.
 (CVE-2008-2079, CVE-2006-7232)
 
   - rdesktop
 Multiple problems have been fixed in rdesktop.
 (CVE-2008-1801, CVE-2008-1802, CVE-2008-1803)

__

6) Authenticity Verification and Additional Information

  - Announcement authenticity verification:

SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and 

Re: [Full-disclosure] Funniest thing at DefCon this year...

2008-08-14 Thread ff0000
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

beware, he's got superpower!

On Thu, 14 Aug 2008 07:04:19 +0200 Exibar [EMAIL PROTECTED]
wrote:
Was certainly the roll of 1000 stickers that was found near the (then
closed) registration window, just sitting there inviting all to take a bunch
of them

The stickers were 4 inches round, black with white lettering, and said...

 N3TD3V
 SUCKS!


   I nearly fell on my ass I was laughing so hard!  Of course I grabbed a
crapload of them too :-)


  Exibar

-BEGIN PGP SIGNATURE-
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkikUTEACgkQFDPTJDb6CsnFYQQAiyyeq5a5K3E2ygGjnbxINs8dNGpg
PxMFv4lWoRZWms13G9tJbY/2XD1F1eRLTSz2Rfyaasl4sN2JyBwF0y3FpQd6fQtUBviP
c3o4SUbhabMap1raqz0mL0rBRjm/oPf8Vox6RYyOCoa6kTTVAiPYed4z9LQlGKXMWzho
l7TjL5k=
=d0AA
-END PGP SIGNATURE-




[Full-disclosure] ZDI-08-052: OpenLDAP BER Decoding Remote DoS Vulnerability

2008-08-14 Thread zdi-disclosures
ZDI-08-052: OpenLDAP BER Decoding Remote DoS Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-052
August 14, 2008

-- CVE ID:
CVE-2008-2952

-- Affected Vendors:
OpenLDAP Foundation

-- Affected Products:
OpenLDAP Foundation OpenLDAP

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6237. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to deny services on
vulnerable installations of OpenLDAP. Authentication is not required to
exploit this vulnerability. 

The specific flaw exists in the decoding of ASN.1 BER network datagrams.
When the size of a BerElement is specified incorrectly, the application
will trigger an assert(), leading to abnormal program termination.

-- Vendor Response:
OpenLDAP Foundation has issued an update to correct this vulnerability. More
details can be found at:

http://www.openldap.org/software/release/changes.html

-- Disclosure Timeline:
2008-06-26 - Vulnerability reported to vendor
2008-08-14 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Oscar Mira-Sanchez

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is being sent by 3Com for the sole use of the intended recipient(s) and
may contain confidential, proprietary and/or privileged information.
Any unauthorized review, use, disclosure and/or distribution by any 
recipient is prohibited.  If you are not the intended recipient, please
delete and/or destroy all copies of this message regardless of form and
any included attachments and notify 3Com immediately by contacting the
sender via reply e-mail or forwarding to 3Com at [EMAIL PROTECTED] 
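The failure mode the advisory describes, a BER length field that does not agree with the data actually present, is exactly the input a decoder has to reject up front rather than let reach an assert(). Added example, not OpenLDAP's code: a minimal definite-length BER decoder in Python that bounds every length against the bytes available (and against the enclosing element for nested children) and raises a catchable error on anything malformed. The sample PDUs are constructed; the nesting limit MAX_DEPTH is an assumed value.

```python
"""Bounds-checked ASN.1 BER (definite length) decoder. Added example, not
OpenLDAP's code; sample messages below are constructed."""


class BerError(ValueError):
    """Raised for any malformed element; the caller drops the message."""


MAX_DEPTH = 32   # assumed nesting bound; LDAP PDUs are shallow


def decode_length(buf, pos, limit):
    """Return (length, new_pos) for the length octets at buf[pos].
    Every read is checked against 'limit', the end of the enclosing data."""
    if pos >= limit:
        raise BerError("truncated before length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: one octet
        return first, pos
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0:
        raise BerError("indefinite length not permitted")
    if n > 4:
        raise BerError("length field too wide (%d octets)" % n)
    if pos + n > limit:
        raise BerError("truncated length field")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def decode_element(buf, pos=0, limit=None, depth=0):
    """Return ((tag, value), new_pos). value is bytes for a primitive element
    and a list of decoded children for a constructed one."""
    if limit is None:
        limit = len(buf)
    if depth > MAX_DEPTH:
        raise BerError("nesting too deep")
    if pos >= limit:
        raise BerError("truncated before tag")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise BerError("multi-octet tags not supported")
    pos += 1
    length, pos = decode_length(buf, pos, limit)
    # The check that matters: a claimed length larger than what is actually
    # available is rejected here instead of being trusted downstream.
    if length > limit - pos:
        raise BerError("length %d exceeds the %d bytes available"
                       % (length, limit - pos))
    end = pos + length
    if tag & 0x20:                        # constructed: decode children
        children = []
        while pos < end:                  # children are bounded by 'end'
            child, pos = decode_element(buf, pos, end, depth + 1)
            children.append(child)
        return (tag, children), end
    return (tag, bytes(buf[pos:end])), end


def decode_message(buf):
    """Decode exactly one top-level element; trailing bytes are an error."""
    elem, end = decode_element(buf)
    if end != len(buf):
        raise BerError("%d trailing bytes after element" % (len(buf) - end))
    return elem


def is_rejected(buf):
    """True if the decoder refuses the message (used for the samples below)."""
    try:
        decode_message(buf)
    except BerError:
        return True
    return False


# Constructed samples: a SEQUENCE { INTEGER 1, OCTET STRING "cn=admin" } and
# several malformed variants of the kind a robust decoder must refuse.
GOOD = bytes.fromhex("300d0201010408636e3d61646d696e")
BAD_OVERSIZED = bytes.fromhex("3084ffffffff020101")        # 4 GiB claimed
BAD_TRUNCATED = bytes.fromhex("3005020101")                # says 5, has 3
BAD_INDEFINITE = bytes.fromhex("0480")                     # 0x80 length
BAD_CHILD_OVERRUN = bytes.fromhex("300b0201010409636e3d61646d696e")
LONG_FORM_OK = bytes.fromhex("04810568656c6c6f")            # 81 05 "hello"

if __name__ == "__main__":
    print(decode_message(GOOD))
    for sample in (BAD_OVERSIZED, BAD_TRUNCATED, BAD_INDEFINITE, BAD_CHILD_OVERRUN):
        print(sample.hex(), "rejected:", is_rejected(sample))
```

Passing the parent's end offset down as the limit for children is what turns "length exceeds buffer" into "length exceeds enclosing element", which is the stricter check; a child that is internally consistent but longer than its parent is still refused.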


[Full-disclosure] Security Assessment of the Internet Protocol

2008-08-14 Thread Fernando Gont
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hello, folks,

The United Kingdom's Centre for the Protection of National Infrastructure
has just released the document Security Assessment of the Internet
Protocol, on which I have had the pleasure to work during the last year or
so.

The motivation to produce this document is explained in the Preface of the
document as follows:

-  cut here 
The TCP/IP protocols were conceived during a time that was quite different
from the hostile environment they operate in now. Yet a direct result of
their effectiveness and widespread early adoption is that much of today's
global economy remains dependent upon them.

While many textbooks and articles have created the myth that the Internet
Protocols (IP) were designed for warfare environments, the top level goal
for the DARPA Internet Program was the sharing of large service machines on
the ARPANET. As a result, many protocol specifications focus only on the
operational aspects of the protocols they specify and overlook their
security implications.

Though Internet technology has evolved, the building blocks are basically
the same core protocols adopted by the ARPANET more than two decades ago.
During the last twenty years many vulnerabilities have been identified in
the TCP/IP stacks of a number of systems. Some were flaws in protocol
implementations which affect only a reduced number of systems. Others were
flaws in the protocols themselves affecting virtually every existing
implementation. Even in the last couple of years researchers were still
working on security problems in the core protocols.

The discovery of vulnerabilities in the TCP/IP protocols led to reports
being published by a number of CSIRTs (Computer Security Incident Response
Teams) and vendors, which helped to raise awareness about the threats as
well as the best mitigations known at the time the reports were published.

Much of the effort of the security community on the Internet protocols did
not result in official documents (RFCs) being issued by the IETF (Internet
Engineering Task Force) leading to a situation in which known
security problems have not always been addressed by all vendors. In many
cases vendors have implemented quick fixes to protocol flaws without
a careful analysis of their effectiveness and their impact on
interoperability.

As a result, any system built in the future according to the official
TCP/IP specifications might reincarnate security flaws that have already
hit our communication systems in the past.

Producing a secure TCP/IP implementation nowadays is a very difficult task,
partly because there is no single document that can serve as a security
roadmap for the protocols.

There is clearly a need for a companion document to the IETF specifications
that discusses the security aspects and implications of the protocols,
identifies the possible threats, proposes possible counter-measures, and
analyses their respective effectiveness.

This document is the result of an assessment of the IETF specifications of
the Internet Protocol from a security point of view. Possible threats were
identified and, where possible, counter-measures were proposed.
Additionally, many implementation flaws that have led to security
vulnerabilities have been referenced in the hope that future
implementations will not incur the same problems. This document does not
limit itself to performing a security assessment of the relevant IETF
specification but also offers an assessment of common implementation
strategies.

Whilst not aiming to be the final word on the security of the IP, this
document aims to raise awareness about the many security threats based on
the IP protocol that have been faced in the past, those that we are
currently facing, and those we may still have to deal with in the future.
It provides advice for the secure implementation of the IP, and also
insights about the security aspects of the IP that may be of help to the
Internet operations community.

Feedback from the community is more than encouraged to help this document
be as accurate as possible and to keep it updated as new threats are
discovered.
-  cut here 

The document is available at CPNI's web site:
http://www.cpni.gov.uk/Products/technicalnotes/3677.aspx

Any comments will be more than welcome.

Kind regards,
Fernando Gont





-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.5.3 (Build 5003) - not licensed for commercial 
use: www.pgp.com

wsBVAwUBSKSBzGl+Jnd3SMmAAQhJPAgAq4SY+PG0ONFUsJDMWmadjKnG+LUSbyg6
Fnr/Up7HF59Z61r6/NXUG2TiUccu8u/ZE2ew7aUteAvbRM4sUWuQBlGXTRwgtv6S
PKxOCQ5luLJjxDN9cKCN5KfpMmkCazoUXgno1PblKQH9CSxmZJxipsDWDLTMJHfU
sGIwtX0bpgj4kWw+S3ycAwTRiwBApVYAZbzC58HwxhFbxZdLohGNdaAv8yuKskFP
hzsEOfKSvcmoqLVE3kvm/8prjZhfocBcc/7Pr5RFugbP0dhUkLxye6GOiyY/tEzL
XL3sDKc9lygfr/l1hk5ZDFpZcp0Rjw6REMo8MlojiM4+3qR1L2Ib8g==
=xJ/e
-END PGP SIGNATURE-


--
Fernando Gont
e-mail: [EMAIL PROTECTED] || [EMAIL PROTECTED]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 

[Full-disclosure] ZDI-08-053: Symantec Veritas Storage Foundation Scheduler Service NULL Session Authentication Bypass Vulnerability

2008-08-14 Thread zdi-disclosures
ZDI-08-053: Symantec Veritas Storage Foundation Scheduler Service NULL Session Authentication Bypass Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-053
August 14, 2008

-- Affected Vendors:
Symantec

-- Affected Products:
Symantec Veritas Storage Foundation

-- Vulnerability Details:
This vulnerability allows an attacker to execute arbitrary code on
vulnerable installations of Symantec Veritas Storage Foundation. User
interaction is not required to exploit this vulnerability.
Authentication is not required to exploit this vulnerability.

The specific flaw exists in the functionality exposed by the Storage
Foundation for Windows Scheduler Service, VxSchedService.exe, which
listens by default on TCP port 4888. The management console allows NULL
NTLMSSP authentication thereby enabling a remote attacker to add,
modify, or delete snapshot schedules and consequently run arbitrary
code under the context of the SYSTEM user. 

-- Vendor Response:
Symantec has issued an update to correct this vulnerability. More
details can be found at:

http://www.symantec.com/avcenter/security/Content/2008.08.14a.html

-- Disclosure Timeline:
2008-06-26 - Vulnerability reported to vendor
2008-08-14 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Tenable Network Security



[Full-disclosure] [ GLSA 200808-12 ] Postfix: Local privilege escalation vulnerability

2008-08-14 Thread Raphael Marichez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200808-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: Postfix: Local privilege escalation vulnerability
  Date: August 14, 2008
  Bugs: #232642
ID: 200808-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Postfix incorrectly checks the ownership of a mailbox, allowing, in
certain circumstances, to append data to arbitrary files on a local
system with root privileges.

Background
==

Postfix is Wietse Venema's mailer that attempts to be fast, easy to
administer, and secure, as an alternative to the widely-used Sendmail
program.

Affected packages
=

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  mail-mta/postfix         < 2.5.3-r1               *>= 2.4.7-r1
                                                        >= 2.5.3-r1

Description
===

Sebastian Krahmer of SuSE has found that Postfix allows to deliver mail
to root-owned symlinks in an insecure manner under certain conditions.
Normally, Postfix does not deliver mail to symlinks, except to
root-owned symlinks, for compatibility with the systems using symlinks
in /dev like Solaris. Furthermore, some systems like Linux allow to
hardlink a symlink, while the POSIX.1-2001 standard requires that the
symlink is followed. Depending on the write permissions and the
delivery agent being used, this can lead to an arbitrary local file
overwriting vulnerability (CVE-2008-2936). Furthermore, the Postfix
delivery agent does not properly verify the ownership of a mailbox
before delivering mail (CVE-2008-2937).

Impact
==

The combination of these features allows a local attacker to hardlink a
root-owned symlink such that the newly created symlink would be
root-owned and would point to a regular file (or another symlink) that
would be written by the Postfix built-in local(8) or virtual(8)
delivery agents, regardless of the ownership of the final destination
regular file. Depending on the write permissions of the spool mail
directory, the delivery style, and the existence of a root mailbox,
this could allow a local attacker to append a mail to an arbitrary file
like /etc/passwd in order to gain root privileges.

The default configuration of Gentoo Linux does not permit any kind of
user privilege escalation.

The second vulnerability (CVE-2008-2937) allows a local attacker,
already having write permissions to the mail spool directory which is
not the case on Gentoo by default, to create a previously nonexistent
mailbox before Postfix creates it, allowing to read the mail of another
user on the system.

Workaround
==

The following conditions should be met in order to be vulnerable to
local privilege escalation.

* The mail delivery style is mailbox, with the Postfix built-in
  local(8) or virtual(8) delivery agents.

* The mail spool directory (/var/spool/mail) is user-writeable.

* The user can create hardlinks pointing to root-owned symlinks
  located in other directories.

Consequently, each one of the following workarounds is efficient.

* Verify that your /var/spool/mail directory is not writeable by a
  user. Normally on Gentoo, only the mail group has write access, and
  no end-user should be granted the mail group ownership.

* Prevent the local users from being able to create hardlinks
  pointing outside of the /var/spool/mail directory, e.g. with a
  dedicated partition.

* Use a non-builtin Postfix delivery agent, like procmail or
  maildrop.

* Use the maildir delivery style of Postfix (home_mailbox=Maildir/
  for example).

Concerning the second vulnerability, check the write permissions of
/var/spool/mail, or check that every Unix account already has a
mailbox, by using Wietse Venema's Perl script available in the official
advisory.

Resolution
==

All Postfix users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =mail-mta/postfix-2.5.3-r1

References
==

  [ 1 ] CVE-2008-2936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2936
  [ 2 ] CVE-2008-2937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2937
  [ 3 ] Official Advisory
http://article.gmane.org/gmane.mail.postfix.announce/110

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200808-12.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality 
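
The workaround section of the advisory above amounts to a handful of filesystem checks on the mailbox spool. Added example, not Gentoo's or Postfix's code (and not the Wietse Venema script the advisory refers to): a Python audit of a mailbox-style spool directory that flags a world-writable spool, mailboxes that are symlinks or carry extra hard links, and mailboxes whose owner does not match the account they are named after. The demo builds a throwaway spool in a temporary directory; the account names in it are constructed, and the uid mapping is injected so the demo does not depend on real accounts.

```python
"""Audit a mailbox-style spool directory for the conditions the GLSA lists.
Added example, not Gentoo's or Postfix's code; it works on any directory so
it can be run against a constructed temporary spool."""
import os
import pwd
import stat
import tempfile

CURRENT_UID = os.getuid()


def spool_dir_findings(spool, uid_of=None):
    """Return a list of findings (empty means nothing flagged).

    uid_of maps a mailbox name to the uid expected to own it; the default is
    the password database, which is what a real deployment would use."""
    if uid_of is None:
        uid_of = lambda name: pwd.getpwnam(name).pw_uid
    findings = []
    st = os.lstat(spool)
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % spool]
    # World write access is what lets any local user plant a hard link to a
    # root-owned symlink, or pre-create another user's mailbox. The sticky
    # bit does not help: it restricts deletion, not creation of new links.
    if st.st_mode & stat.S_IWOTH:
        findings.append("%s is world-writable" % spool)
    for name in sorted(os.listdir(spool)):
        path = os.path.join(spool, name)
        mst = os.lstat(path)              # lstat: never follow a symlink here
        if stat.S_ISLNK(mst.st_mode):
            findings.append("%s is a symlink" % path)
            continue
        if not stat.S_ISREG(mst.st_mode):
            findings.append("%s is not a regular file" % path)
            continue
        if mst.st_nlink > 1:
            findings.append("%s has %d hard links" % (path, mst.st_nlink))
        try:
            expected = uid_of(name)
        except KeyError:
            findings.append("%s has no matching account" % path)
            continue
        if mst.st_uid != expected:
            findings.append("%s owned by uid %d, expected uid %d"
                            % (path, mst.st_uid, expected))
    return findings


def build_constructed_spool():
    """Create a throwaway spool showing each condition (constructed sample)."""
    spool = tempfile.mkdtemp(prefix="spool-demo-")
    os.chmod(spool, 0o777)                                   # world-writable
    open(os.path.join(spool, "alice"), "w").close()          # clean mailbox
    os.symlink("/etc/passwd", os.path.join(spool, "bob"))    # symlink
    open(os.path.join(spool, "carol"), "w").close()
    os.link(os.path.join(spool, "carol"),
            os.path.join(spool, "dave"))                     # hard-linked pair
    return spool


def demo():
    """Run the audit on the constructed spool, treating every mailbox name as
    belonging to the current user. Returns (spool_path, findings)."""
    spool = build_constructed_spool()
    return spool, spool_dir_findings(spool, uid_of=lambda name: CURRENT_UID)


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

On a real system run it as `spool_dir_findings("/var/spool/mail")` with the default uid lookup; group write access for the mail group is expected there and is deliberately not flagged, matching what the advisory describes as normal on Gentoo.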

[Full-disclosure] [PLSA 2008-24] Amarok: Privilege escalation

2008-08-14 Thread Pınar Yanardağ

Pardus Linux Security Advisory 2008-24[EMAIL PROTECTED]

   Date: 2008-08-15
   Severity: 2
   Type: Local


Summary
===

A security issue has been reported in Amarok, which can be exploited by
malicious,  local users  to  perform  certain  actions  with  escalated
privileges.


Description
===

The security issue is caused due to the
MagnatuneBrowser::listDownloadComplete() function handling temporary
files in an insecure manner. This can be exploited via symlink attacks
in combination with a race condition to overwrite arbitrary files with
the privileges of the user running the application.


Affected packages:

   Pardus 2008:
 amarok, all before 1.4.9.1-52-4
 amarok-docs, all before 1.4.9.1-52-4

   Pardus 2007:
 amarok, all before 1.4.9.1-50-37
 amarok-docs, all before 1.4.9.1-50-38


Resolution
==

There are update(s) for amarok, amarok-docs. You can  update  them  via
Package Manager or with a single command from console:

   Pardus 2008:
 pisi up amarok amarok-docs

   Pardus 2007:
 pisi up amarok amarok-docs


References
==

   * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3699
   * http://secunia.com/advisories/31418
   * http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494765
   * http://websvn.kde.org/?view=rev&revision=846626



-- 
Pardus Security Team
http://security.pardus.org.tr


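The Amarok issue above is the classic temporary-file symlink race: a predictable name in a shared directory is opened without regard to what already sits at that path. Added example, not Amarok's code: a Python demonstration of the insecure open beside two safe variants (O_CREAT|O_EXCL|O_NOFOLLOW on a fixed name, and tempfile.mkstemp for an unpredictable one), run against a constructed scenario in a temporary directory. The directory, file names and contents are all constructed.

```python
"""Insecure vs. safe temporary-file creation (the pattern behind the Amarok
issue). Added example, not Amarok's code; directory and file names below are
constructed for the demonstration."""
import errno
import os
import tempfile


def insecure_write(shared_dir, name, data):
    """Pattern to avoid: predictable path, plain open(), which follows a
    symlink that someone else may have planted at that path."""
    path = os.path.join(shared_dir, name)
    with open(path, "wb") as f:          # writes wherever 'path' resolves to
        f.write(data)
    return path


def safe_write(shared_dir, name, data):
    """Fixed name, but refuse to reuse an existing path or follow a symlink:
    O_EXCL fails with EEXIST if anything (a symlink included) is already
    there, and O_NOFOLLOW guards the open itself where the OS supports it."""
    path = os.path.join(shared_dir, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def safe_write_unpredictable(shared_dir, data):
    """Preferred: mkstemp picks a random name and opens it with O_EXCL."""
    fd, path = tempfile.mkstemp(dir=shared_dir, prefix="list-")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    """Constructed scenario: a symlink is planted in the shared directory
    under the name the application is expected to use, pointing at another
    file. Returns what happened under each strategy."""
    shared = tempfile.mkdtemp(prefix="shared-")
    victim = os.path.join(shared, "victim.txt")
    with open(victim, "wb") as f:
        f.write(b"original contents\n")
    expected_name = "download.xml"
    os.symlink(victim, os.path.join(shared, expected_name))

    insecure_write(shared, expected_name, b"downloaded list\n")
    with open(victim, "rb") as f:
        clobbered = f.read() == b"downloaded list\n"   # the write went through

    refused = False
    try:
        safe_write(shared, expected_name, b"downloaded list\n")
    except OSError as e:
        refused = e.errno in (errno.EEXIST, errno.ELOOP)

    random_path = safe_write_unpredictable(shared, b"downloaded list\n")
    return {
        "insecure_followed_symlink": clobbered,
        "safe_open_refused": refused,
        "random_name_is_regular_file": (os.path.isfile(random_path)
                                        and not os.path.islink(random_path)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The difference between the second and third variants is worth keeping in mind: O_EXCL on a fixed name turns the race into a denial of service (the application cannot create its file while the planted entry exists), whereas an unpredictable name created by mkstemp sidesteps the planted entry entirely.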


[Full-disclosure] Cisco Security Advisory: Vulnerability in Cisco WebEx Meeting Manager ActiveX Control

2008-08-14 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Vulnerability in Cisco WebEx Meeting Manager
 ActiveX Control

Advisory ID: cisco-sa-20080814-webex

Revision 1.0

For Public Release 2008 August 14 2230 UTC (GMT)

+-

Summary
===

An ActiveX control (atucfobj.dll) that is used by the Cisco WebEx
Meeting Manager contains a buffer overflow vulnerability that may
result in a denial of service or remote code execution. The WebEx
Meeting Manager is a client-side program that is provided by the
Cisco WebEx meeting service. The Cisco WebEx meeting service
automatically downloads, installs, and configures Meeting Manager the
first time a user begins or joins a meeting.

When users connect to the WebEx meeting service, the WebEx Meeting
Manager is automatically upgraded to the latest version. There is a
manual workaround available for users who are not able to connect to
the WebEx meeting service.

Cisco WebEx is in the process of upgrading the meeting service
infrastructure with fixed versions of the affected file.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml

Affected Products
=================

Vulnerable Products
+------------------

The WebEx Meeting Manager downloads several components to meeting
participants before they join a WebEx meeting. The vulnerability in
this Security Advisory affects the atucfobj.dll library.

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by this
vulnerability.

Details
=======

The WebEx meeting service is a hosted multimedia conferencing
solution that is managed and maintained by Cisco WebEx. When a
meeting participant connects to the WebEx meeting service through a
web browser, the WebEx meeting service installs several components of
the WebEx Meeting Manager browser plugin on the meeting participant's
system.

WebEx Meeting Manager includes atucfobj.dll, a DLL that allows
meeting participants to view Unicode fonts. This library contains a
buffer overflow vulnerability that could allow an attacker to execute
arbitrary code.

The WebEx meeting service currently maintains three different
versions of software. WebEx meeting service servers run one of the
following versions: WBS 23, WBS 25, or WBS 26.

This vulnerability is documented in WebEx Bug IDs 292551 for WBS 26
and 306639 for WBS 25. This vulnerability has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2008-2737.

Identifying WebEx Meeting Service Version
+----------------------------------------

The following procedure allows meeting participants to identify the
version of client software that is provided by a WebEx server. The
procedure varies slightly depending on the version of the WebEx
server software. The URL in all the following examples is provided to
meeting participants as part of the WebEx meeting invite.

Client build numbers adhere to the format of XX.YY.ZZ.. The first
number indicates the major version number of the software build. For
example, a client build number of 26.49.9.2838 indicates a WBS
26-based software version.

For the WBS 26 version:

 1. Browse to the WebEx meeting server at
https://servername.webex.com/.
 2. Select Support from the left side of the web page.
 3. Select Downloads from the left side of the web page.
 4. The version of the client software that is provided by the server
is listed next to Client build.

For WebEx servers that are running WBS 26, the first fixed version is
26.49.9.2838. Client build versions prior to 26.49.9.2838 are
vulnerable.

For the WBS 25 version:

 1. Browse to the WebEx meeting server at
https://servername.webex.com/.
 2. Select Assistant on the left side of the page.
 3. Select the Support link.
 4. Select the Version link, which is displayed on the right side of
the top of the page.
 5. The Client Build version is displayed in a pop-up window.

There is currently no fixed version for the WBS 25-based WebEx
meeting service. This section of the Security Advisory will be
updated when fixed version information is available.

For the WBS 23 version:

Servers that run WBS 23-based WebEx meeting service display version
information using the following URL format:

https://servername.webex.com/version/wbxversionlist.do?siteurl=servername

On the redisplayed page the Client versions in files field will
indicate the Client Build.

For example: The 'T23' in WBXclient-T23L10NSP33EP13-1092.txt
indicates a WBS 23-based system.

Cisco WebEx is not planning to repair WBS 23-based software. Affected
WBS 23-based servers will be upgraded to fixed WBS 25 or WBS 26-based
software.

Attack Vector Details
+--------------------

This Security Advisory addresses a vulnerable ActiveX control
(atucfobj.dll). If atucfobj.dll is present on a client's computer, it
may be possible
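
A check that encodes the version rules from the advisory's "Identifying WebEx Meeting Service Version" section, as an added example rather than anything Cisco ships: it parses a client build such as 26.49.9.2838, or the T23 token from a WBS 23 client file name, and reports whether that client is at or above the first fixed build. The function name and the cut-off table are mine; the rules are only those stated in revision 1.0 (WBS 26 fixed at 26.49.9.2838, no fixed build for WBS 25, WBS 23 not to be repaired), so the table must be re-derived when the advisory is updated.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* First fixed client build for WBS 26, from the advisory. WBS 25 had no
 * fixed build at revision 1.0 and WBS 23 is not being repaired. */
static const unsigned long FIRST_FIXED_WBS26[4] = { 26, 49, 9, 2838 };

/* Parse "XX.YY.ZZ.BBBB" into out[]; returns the number of numeric
 * components (1 to 4), or 0 if the string is not a dotted build number. */
static int parse_build(const char *s, unsigned long out[4])
{
    int n = 0;
    while (n < 4) {
        char *end;
        if (!isdigit((unsigned char)*s))
            return 0;
        out[n++] = strtoul(s, &end, 10);
        s = end;
        if (*s == '\0')
            return n;
        if (*s != '.')
            return 0;
        s++;
    }
    return 0;   /* a fifth component: not a build number we understand */
}

/* 1 = vulnerable, 0 = at or above the first fixed build, -1 = cannot say
 * (a WBS train the advisory does not describe, or an incomplete build).
 * ident is either a client build such as "26.49.9.2838" or a WBS 23
 * client file name such as "WBXclient-T23L10NSP33EP13-1092.txt". */
int webex_client_vulnerable(const char *ident)
{
    unsigned long v[4] = { 0, 0, 0, 0 };
    int n;
    const char *t = strstr(ident, "WBXclient-T");

    if (t != NULL) {
        t += strlen("WBXclient-T");
        if (!isdigit((unsigned char)*t))
            return -1;
        v[0] = strtoul(t, NULL, 10);   /* the train number after 'T' */
        n = 1;
    } else {
        n = parse_build(ident, v);
        if (n == 0)
            return -1;
    }

    switch (v[0]) {
    case 23:
        return 1;   /* not to be repaired; the server is to be upgraded */
    case 25:
        return 1;   /* no fixed build published in this revision */
    case 26:
        if (n < 4)
            return -1;   /* need the full build to compare */
        for (int i = 0; i < 4; i++) {
            if (v[i] < FIRST_FIXED_WBS26[i])
                return 1;
            if (v[i] > FIRST_FIXED_WBS26[i])
                return 0;
        }
        return 0;   /* exactly the first fixed build */
    default:
        return -1;  /* a train the advisory does not describe */
    }
}

int main(int argc, char **argv)
{
    static const char *verdict[] = { "FIXED", "VULNERABLE" };
    for (int i = 1; i < argc; i++) {
        int r = webex_client_vulnerable(argv[i]);
        printf("%-40s %s\n", argv[i], r < 0 ? "unknown" : verdict[r]);
    }
    return 0;
}
```

Pass the build strings read from the Support/Downloads or Version pages as arguments, one per site; anything the table cannot place prints "unknown" rather than a guess.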

[Full-disclosure] UPDATE!! Funniest thing at DefCon this year...

2008-08-14 Thread Exibar
 I'll bet n3td3v himself (themselves) put that n3td3v sux! sticker roll there
themselves.

  They're pretty decent stickers too. Funny as heck!

  Exibar

-Original Message-
From: Ureleet [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 14, 2008 11:25 AM
To: Exibar
Cc: full-disclosure@lists.grok.org.uk
Subject: [inbox] Re: [Full-disclosure] Funniest thing at DefCon this year...

and I missed 'em. Fuck.

On Thu, Aug 14, 2008 at 1:04 AM, Exibar [EMAIL PROTECTED] wrote:

> Was certainly the roll of 1000 stickers that was found near the (then
> closed) registration window, just sitting there inviting all to take a bunch
> of them
>
> The stickers were 4 inches round, black with white lettering, and said...
>
>  N3TD3V
>  SUCKS!
>
>
>    I nearly fell on my ass I was laughing so hard!  Of course I grabbed a
> crapload of them too :-)
>
>
>  Exibar



[Full-disclosure] weev, baby

2008-08-14 Thread Tea Baggins
what did I tell you? you've been naughty. you need to stop being such a bad
boy. only bad boys write such shitty C code. the hallcats are on to you, my
love.