[Full-disclosure] FD subject line/name of org suggestion...

2008-12-10 Thread - o z -
Hi everyone!

Is it just me, or is it normal for everyone else *not* to usually see
the entire exploit notification, e.g., the subject line in the client:

[Full-disclosure] [ GL** #-0* ] Critical Squirrel Meat Timer v. 371117a Threat to Earth and All Inhabitants

'(cut off right about @Meat Timer) [date]'

What has happened over time (10+ years) is that while average desktop
space has grown, font real-estate has shrunk. Way more stuff is on-screen.
We're bombarded with even more info, some of it critical, and yeah, maybe
some of us like to keep current 'cause we live & breathe infosec and have
to "kill -s netdev 666" just to make sense of it all sometimes. Belay that,
nothing, nothing makes sense there...makes my orange run like clockwork.
That's it!

Using an informal survey method, most of my peers display FD the same
way; critical version info is usually obfuscated (or it's something else
dearly important...say what you want...the community is creative with names).

It would be easier on the eyes and achieve a better productivity metric
for my capitalist oppressors if the sub. line read:

[Full-disclosure] Warning goes here .xxx [good job, now put your name/date thingy here, right here!]

When my FD mailbox has 1000+ messages, many of them pertaining to software
I'm responsible for, it would make it easier if the subject line devoted as
much space as possible to the 'sploit...first, followed by the author's
naming convention.

Credit will be remembered no matter what, since if it affects you, it will
be opened. If it's been a long night or day, whoa, it's easy to overlook
something I shouldn't. Right now it's like, "Wow, that was some exploit I
saw by 'insert name here and date' -- sure wish I could have read it at one
glance, damn..."

Somebody might be screaming, "Dude, change your settings" -- and they're
right. I should and do...but still have the same issue, on a variety of
clients -- increasing available subject line space helps, regardless. Some
org. ID's rent *16!* characters in the subj. line, and the last five can be
a real bitch, i.e., "v.371117" -- etc.

Maybe some of 'ya think this is persnickety, and hell, it might be, it's
just the 'best job, least amount of time thing.' It just makes more sense
to me is all, quite unlike my apparent deteriorating cognitive & grammatical
abilities.

-oz

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Black Hat: New Webinar, Japan audio now on-line.

2008-12-10 Thread jmoss
Full Disclosure peeps, some new content to consume.

NEW FREE WEBCAST - Oracle Database Forensics

Black Hat's webcast series continues with another powerful presentation from
a popular Black Hat speaker. This month's presenter is David Litchfield of
NGS software, speaking on Oracle database forensics, and he will be
releasing a new tool called orablock which he describes this way:

"Orablock allows a forensic investigator to dump data from a "cold" Oracle
data file - i.e. there's no need to load up the data file in the database
which would cause the data file to be modified, so using orablock preserves
the evidence. Orablock can also be used to locate "stale" data - i.e. data
that has been deleted or updated. It can also be used to dump SCNs for data
blocks which can be useful during the examination of a compromised Oracle
box."

Please join us to learn about Oracle DB forensics from one of the innovators
of the field, as well as learn about his new tool and to get your questions
answered. The webcast will be held on December 18 at 1pm PST. The URL for
registration is:
http://w.on24.com/r.htm?e=122240&s=1&k=57F93C9128D5D1BBC64B8AE7177FB981

For more information about Black Hat's webcast series, including an archive
of our previous webcasts in audio format:
https://www.blackhat.com/webinars/webinars-index.html

BLACK HAT JAPAN audio is now online!
Encoded in .m4b format these audio files are tiny, as well as being
bookmarkable and iTunes friendly.
https://www.blackhat.com/html/bh-japan-08/brief-bh-jp-08-archives.html

UPCOMING BLACK HAT EVENTS

The next big Black Hat event is Black Hat DC, scheduled for February 16-19
at the Hyatt Regency Crystal City in Arlington, Virginia. The event is divided
into two sections, with two days of intense, hands-on Training Sessions
followed by a two-day, four-track Briefings portion with a wide variety of
exciting speakers and presentations. Black Hat DC is a unique information
security event that places a special emphasis on the needs of security
professionals who work in government service and infrastructure. And we
think this one will be our best DC event yet. Even though the Black Hat DC
Call for Papers doesn't close until January 1, we've already confirmed
some exciting Briefings presentations.

- Crowd favorite Adam Laurie will return with a satellite-hacking
presentation that is sure to be popular.
- Database guru David Litchfield will present a powerful new database
forensics tool.
- Andrew Lindell's contribution is entitled  "Making Privacy-Preserving data
Mining Practical with Smartcards."
- In the hardware hacking area we have a very interesting presentation from
Travis Goodspeed on reverse engineering and exploiting wireless sensors.

Our lineup of brand new training sessions includes a physical security
training by Zac Franken and Adam Laurie entitled "RFID, Access Control and
Biometric Systems", a Metasploit course called "Tactical Exploitation" by
Metasploit creator HD Moore and a course on "Understanding and Deploying
DNSSEC" by Paul Wouters and Patrick Nauber.

As always, it's best to register early for the training of your choice to
make sure there's a place for you - seats are limited. To learn more about
all of our training courses, follow this link:
https://www.blackhat.com/html/bh-dc-09/train-bh-dc-09-index.html

REGISTER NOW
Please keep in mind that the early bird rate that's in effect for the
Briefings and the Training classes will end on January 1. To take advantage
of those significant savings, please consider registering soon.  The Black
Hat Europe early bird rate ends February 1 - we'll have more details about
that event in our next mailing.

CFP OPEN FOR BLACK HAT DC AND EUROPE
Another reminder is that Black Hat is still considering Briefings speaker
applications for both Black Hat DC and Black Hat Europe, so if you have a
strong, compelling and technical presentation to share, please let us know!
To be considered for Black Hat DC, you'll need to have your work in our
system by January 1. The deadline is February 1 for the Black Hat Europe
CFP, the details for potential presenters are available online:
https://cfp.blackhat.com/

GET INVOLVED WITH BLACK HAT!

- Join the Black Hat LinkedIn group and participate in discussions and
comment on news.
http://www.linkedin.com/groups?gid=37658&trk=hb_side_g

- Share your pictures of past events, or just check out ours:
Yes it is just getting started, but please post your Black Hat pics.
http://www.flickr.com/photos/[EMAIL PROTECTED]/

-Follow us on Twitter:
https://twitter.com/blackhatusa2008

-Subscribe to our main RSS feed to get timely announcements that won't be in
monthly newsletters:
https://www.blackhat.com/BlackHatRSS.xml

Thank you,
Jeff Moss
Director of Black Hat, CMP Media LLC



Re: [Full-disclosure] [FULL DISCLOSURE] Facebook Non-Persistent XSS

2008-12-10 Thread Chris Evans
On Tue, Dec 9, 2008 at 2:41 PM, Facebook IsBuggy
<[EMAIL PROTECTED]> wrote:
> Found in August, I tried to alert facebook as quickly as was possible
> - however I received no further correspondence to my communications.
> At time of writing, it was possible to exploit both Firefox 3 and IE 7
> - by simply using an IFRAME or even an object tag. (Dependent on the
> browser target)
>
> This allows you to overwrite the whole page with your choice of script/embed.

Although the domain is 2.channel15.facebook.com, all the significant
Facebook cookies appear to be .facebook.com domain cookies so wouldn't
the more significant attack involve those, rather than some elaborate
phishing scheme?

>
> Vulnerability was found by accident when I was routing my web traffic
> via WebScarab with an advanced list of strings to use with the
> in-built XSS/CSRF tool.
>
> 
>
> http://2.channel15.facebook.com/iframe/7/?pv=49&rev=";>Google src="http://www.google.com/"; type="text/html" width="100%"
> height="100%">
>
> Naturally that rather obvious URL could be encoded, or cut down to
> prevent the obvious anomaly. However, I feel the facebook domain name
> itself would be enough to fool most users.

This is not a significant aspect of this vulnerability.
You could go and register http://www.facebook-secure.com/ (or similar)
and that would leave users more than happy to believe & trust it is
Facebook.
Things can be different if the XSS is on an https-supporting login
domain, but that does not seem to be the case here.

Cheers
Chris

>
> http://2.channel15.facebook.com/iframe/7/?pv=49&rev=%22%3E%3C/script%3E%3Ctitle%3EGoogle%3C/title%3E%3C/head%3E%3C/body%3E%3CIFRAME%20src%3D%22http%3A//www.google.com/%22%20type%3D%22text/html%22%20width%3D%22100%25%22%20height%3D%22100%25%22%3E%3C/IFRAME%3E
>
> 
>
> *Similar vulnerabilities had been spoken about on a credit card fraud
> (carding) forum prior to my discovery of this. Possibly for the use of
> phishing.*
>
>
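The cookie-scope point Chris raises above, as an added C illustration (not code from the thread, from the reporter, or from Facebook): a browser attaches a cookie whose Domain attribute is .facebook.com to requests for every host beneath it, so script running on 2.channel15.facebook.com is in scope for those cookies unless they carry HttpOnly, while a lookalike registration such as www.facebook-secure.com never is. The cookie record, its name and the host list are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive cookie "domain-match": host is inside cookie domain
 * `domain` if it equals the domain or ends with "." + domain. A leading dot
 * on the domain attribute is ignored, as browsers do. */
int cookie_domain_matches(const char *domain, const char *host)
{
    if (*domain == '.') domain++;
    size_t dlen = strlen(domain), hlen = strlen(host);
    if (dlen == 0 || hlen < dlen) return 0;
    const char *tail = host + (hlen - dlen);
    for (size_t i = 0; i < dlen; i++) {
        if (tolower((unsigned char)tail[i]) != tolower((unsigned char)domain[i]))
            return 0;
    }
    /* exact match, or the suffix starts at a label boundary ("notfacebook.com" must not match) */
    return hlen == dlen || tail[-1] == '.';
}

/* Minimal cookie record, constructed for the example. */
struct cookie { const char *name; const char *domain; int http_only; };

/* Can script injected on `host` read this cookie through document.cookie?
 * It must be in scope for the host and must not be HttpOnly, which is the
 * mitigation that keeps a subdomain XSS from reading a session cookie. */
int cookie_readable_by_script_on(const struct cookie *c, const char *host)
{
    return cookie_domain_matches(c->domain, host) && !c->http_only;
}

int main(void)
{
    /* constructed sample: a parent-domain session cookie without HttpOnly */
    const struct cookie session = { "session", ".facebook.com", 0 };
    const char *hosts[] = { "2.channel15.facebook.com",
                            "www.facebook-secure.com",
                            "notfacebook.com" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        printf("%-26s in scope: %d  readable by script: %d\n", hosts[i],
               cookie_domain_matches(session.domain, hosts[i]),
               cookie_readable_by_script_on(&session, hosts[i]));
    }
    return 0;
}
```

The label-boundary check is the part people get wrong: a plain suffix test would put notfacebook.com inside the cookie's scope. Marking the session cookie HttpOnly changes the last column to 0 for every host without changing which hosts receive it.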



[Full-disclosure] AST-2008-012: Remote crash vulnerability in IAX2

2008-12-10 Thread Asterisk Security Team
   Asterisk Project Security Advisory - AST-2008-012

   +----------------------+--------------------------------------+
   | Product              | Asterisk                             |
   +----------------------+--------------------------------------+
   | Summary              | Remote crash vulnerability in IAX2   |
   +----------------------+--------------------------------------+
   | Nature of Advisory   | Remote Crash                         |
   +----------------------+--------------------------------------+
   | Susceptibility       | Remote Unauthenticated Sessions      |
   +----------------------+--------------------------------------+
   | Severity             | Major                                |
   +----------------------+--------------------------------------+
   | Exploits Known       | No                                   |
   +----------------------+--------------------------------------+
   | Reported On          | November 22, 2008                    |
   +----------------------+--------------------------------------+
   | Reported By          | Jon Leren Scho/pzinsky               |
   +----------------------+--------------------------------------+
   | Posted On            |                                      |
   +----------------------+--------------------------------------+
   | Last Updated On      | December 9, 2008                     |
   +----------------------+--------------------------------------+
   | Advisory Contact     | Mark Michelson                       |
   +----------------------+--------------------------------------+
   | CVE Name             |                                      |
   +----------------------+--------------------------------------+

   +-------------+----------------------------------------------------------+
   | Description | There is a possibility to remotely crash an Asterisk     |
   |             | server if the server is configured to use realtime IAX2  |
   |             | users. The issue occurs if either an unknown user        |
   |             | attempts to authenticate or if a user that uses hostname |
   |             | matching attempts to authenticate.                       |
   |             |                                                          |
   |             | The problem was due to a broken function call to         |
   |             | Asterisk's realtime configuration API.                   |
   +-------------+----------------------------------------------------------+

   +-------------+----------------------------------------------------------+
   | Resolution  | The function calls in question have been fixed.          |
   +-------------+----------------------------------------------------------+

   +----------------------------------------------------------------------+
   | Affected Versions                                                    |
   +-----------------------------+----------------+-----------------------+
   | Product                     | Release Series |                       |
   +-----------------------------+----------------+-----------------------+
   | Asterisk Open Source        | 1.2.x          | 1.2.26-1.2.30.3       |
   +-----------------------------+----------------+-----------------------+
   | Asterisk Open Source        | 1.4.x          | Unaffected            |
   +-----------------------------+----------------+-----------------------+
   | Asterisk Open Source        | 1.6.x          | Unaffected            |
   +-----------------------------+----------------+-----------------------+
   | Asterisk Addons             | 1.2.x          | Unaffected            |
   +-----------------------------+----------------+-----------------------+
   | Asterisk Addons             | 1.4.x          | Unaffected            |
   +-----------------------------+----------------+-----------------------+
   | Asterisk Addons             | 1.6.x          | Unaffected            |
   +-----------------------------+----------------+-----------------------+
   | Asterisk Business Edition   | A.x.x          | Unaffected            |
   +-----------------------------+----------------+-----------------------+
   | Asterisk Business Edition   | B.x.x          | B.2.3.5-B.2.5.5       |
   +-----------------------------+----------------+-----------------------+
   | Asterisk Business Edition   | C.x.x          | Unaffected            |
   +-----------------------------+----------------+-----------------------+
   | AsteriskNOW                 | 1.5            | Unaffected            |
   +-----------------------------+----------------+-----------------------+
   |   s800i (Asterisk Appliance)| 1.2

[Full-disclosure] Browser Security Handbook

2008-12-10 Thread Michal Zalewski
Hi all,

I am happy to announce the availability of our "Browser Security Handbook" 
- a comprehensive, 60-page document meant to provide web application 
developers and information security researchers with a one-stop reference 
to several hundred key security properties and sometimes counterintuitive 
quirks in contemporary web browsers:

   http://code.google.com/p/browsersec/wiki/Main

Having a clear picture of these characteristics appears to be of 
significance to building secure web applications, and to auditing existing 
designs for potential weaknesses. For this reason, I am hoping that the 
document is a valuable contribution to the information security community.

BSH currently covers recent releases of Microsoft Internet Explorer 
(versions 6 and 7), Mozilla Firefox (versions 2 and 3), Apple Safari, 
Opera, Google Chrome, Android embedded browser, and a handful of browser 
plugins.

Please note that due to the sheer number of characteristics covered, I 
fully expect some kinks to show up here and there; feedback from vendors 
and security researchers is greatly appreciated.

Cheers,
/mz



[Full-disclosure] [ GLSA 200812-11 ] CUPS: Multiple vulnerabilities

2008-12-10 Thread Pierre-Yves Rofes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200812-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   Severity: High
  Title: CUPS: Multiple vulnerabilities
   Date: December 10, 2008
   Bugs: #238976, #249727
 ID: 200812-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Several remotely exploitable bugs have been found in CUPS, which allow
remote execution of arbitrary code.

Background
==========

CUPS is the Common Unix Printing System.

Affected packages
=================

    -------------------------------------------------------------------
     Package                         /  Vulnerable  /      Unaffected
    -------------------------------------------------------------------
  1  net-print/cups                       < 1.3.9-r1          >= 1.3.9-r1

Description
===========

Several buffer overflows were found in:

* The read_rle16 function in imagetops (CVE-2008-3639, found by
   regenrecht, reported via ZDI)

* The WriteProlog function in texttops (CVE-2008-3640, found by
   regenrecht, reported via ZDI)

* The Hewlett-Packard Graphics Language (HPGL) filter (CVE-2008-3641,
   found by regenrecht, reported via iDefense)

* The _cupsImageReadPNG function (CVE-2008-5286, reported by iljavs)

Impact
======

A remote attacker could send specially crafted input to a vulnerable
server, resulting in the remote execution of arbitrary code with the
privileges of the user running the server.

Workaround
==========

None this time.

Resolution
==========

All CUPS users should upgrade to the latest version.

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-print/cups-1.3.9-r1"

References
==========

   [ 1 ] CVE-2008-3639
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3639
   [ 2 ] CVE-2008-3640
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3640
   [ 3 ] CVE-2008-3641
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3641
   [ 4 ] CVE-2008-5286
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5286

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

   http://security.gentoo.org/glsa/glsa-200812-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

[Full-disclosure] CA ARCserve Backup LDBserver Vulnerability

2008-12-10 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Title: CA ARCserve Backup LDBserver Vulnerability


CA Advisory Date: 2008-12-10


Reported By:
Dyon Balding of Secunia Research


Impact: A remote attacker can cause a denial of service or execute 
arbitrary code.


Summary: CA ARCserve Backup contains a vulnerability that can 
allow a remote attacker to cause a denial of service or execute 
arbitrary code. CA has issued patches to address the 
vulnerability. The vulnerability, CVE-2008-5415, is due to 
insufficient verification of client data. A remote attacker can 
crash the LDBserver service or execute arbitrary code in the 
context of the service. Note: The client installation is not 
affected.


Mitigating Factors: The client installation is not affected.


Severity: CA has given this vulnerability a High risk rating.


Affected Products:
CA ARCserve Backup r12.0 Windows
CA ARCserve Backup r11.5 Windows*
CA ARCserve Backup r11.1 Windows*
CA Server Protection Suite r2
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business Server 
   Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server 
   Premium Edition r2

*Formerly known as BrightStor ARCserve Backup.


Non-Affected Products
CA ARCserve Backup r12.0 Windows SP1


Affected Platforms:
Windows


Status and Recommendation:
CA has issued the following patches to address the vulnerability.

CA ARCserve Backup r12.0 Windows:
Apply Service Pack 1 (RO01340)

CA ARCserve Backup r11.5 Windows:
RO04383

CA ARCserve Backup r11.1 Windows:
RO04382

CA Protection Suites r2:
RO04383


How to determine if you are affected:

CA ARCserve Backup r12.0 Windows,
CA ARCserve Backup r11.5 Windows:

1. Run the ARCserve Patch Management utility. From the Windows 
   Start menu, it can be found under:
   Programs > CA > ARCserve Patch Management > Patch Status

2. The main patch status screen will indicate if the respective 
   patch in the below table is currently applied. If the patch is 
   not applied, the installation is vulnerable.

Product                              Patch
CA ARCserve Backup r12.0 Windows     RO01340
CA ARCserve Backup r11.5 Windows*    RO04383

For more information on the ARCserve Patch Management utility, 
read document TEC446265.

Alternatively, use the file information below to determine if the 
product installation is vulnerable.

CA ARCserve Backup r11.1 Windows:

1. Using Windows Explorer, locate the file "DBserver.dll". By 
   default, the file is located in the 
   "C:\Program Files\CA\BrightStor ARCserve Backup" directory.

2. Right click on the file and select Properties.

3. Select the General tab.

4. If the file timestamp is earlier than indicated in the table 
   below, the installation is vulnerable.

Product version:  CA ARCserve Backup r11.1 Windows
File Name:  DBserver.dll
File Size:  675840 bytes
Timestamp:  11/25/2008 09:32:21

*CA Protection Suites r2 includes CA ARCserve Backup 11.5


Workaround: None


References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for CA ARCserve Backup LDBserver
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=194293
Solution Document Reference APARs:
RO01340, RO04383, RO04382
CA Security Response Blog posting:
CA ARCserve Backup LDBserver Vulnerability
community.ca.com/blogs/casecurityresponseblog/archive/2008/12/10.aspx
Reported By: 
Dyon Balding of Secunia Research
CVE References:
CVE-2008-5415 - LDBserver code execution
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5415
OSVDB References: Pending
http://osvdb.org/


Changelog for this advisory:
v1.0 - Initial Release


Customers who require additional information should contact CA
Technical Support at http://support.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your 
findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team


CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2008 CA. All rights reserved.

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.9.0 (Build 397)
Charset: utf-8

wj8DBQFJQC8NeSWR3+KUGYURAgM3AJ0Y07s2AHILwcEFx6TnBquybQMfbACgkbwX
ZVMX5nrB//gqq9wcOpUXlgY=
=dBR8
-END PGP SIGNATURE-



[Full-disclosure] [ MDVSA-2008:240 ] vinagre

2008-12-10 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2008:240
 http://www.mandriva.com/security/
 ___

 Package : vinagre
 Date: December 10, 2008
 Affected: 2008.1, 2009.0
 ___

 Problem Description:

 Alfredo Ortega found a flaw in how Vinagre uses format strings.
 A remote attacker could exploit this vulnerability if they were able to
 trick a user into connecting to a malicious VNC server, or opening a
 specially crafted URI with Vinagre.  With older versions of Vinagre,
 it was possible to execute arbitrary code with user privileges.
 In later versions, Vinagre would abort, leading to a denial of service.
 
 The updated packages have been patched to prevent this issue.
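The defect class the description names, shown as an added C illustration that is not Vinagre's code and makes no claim about where in Vinagre the flaw sat: a remote string used as the format argument itself, beside the hardened form that passes the same string through a literal "%s" format, plus a small scanner that flags incoming text carrying printf directives. The hostile sample string and all function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample standing in for text a hostile VNC server could send
 * (assumption: such text reaches a printf-style call, as the advisory says). */
static const char HOSTILE_MSG[] = "connection refused %x %x %n";

/* Vulnerable pattern: the remote text is used AS the format string, so every
 * %-directive in it is interpreted: %x reads from the argument area and %n
 * writes to memory. gcc -Wformat-security flags this call; the pragma only
 * silences that warning so the file builds for demonstration. Nothing here
 * calls it with hostile input. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
void report_error_vulnerable(char *out, size_t n, const char *remote_text)
{
    snprintf(out, n, remote_text);
}
#pragma GCC diagnostic pop

/* Hardened pattern: the format is a literal and the remote text is only ever
 * a %s argument, so its %-sequences are copied verbatim, never interpreted. */
void report_error_safe(char *out, size_t n, const char *remote_text)
{
    snprintf(out, n, "Error from server: %s", remote_text);
}

/* 1 if text carries any printf directive ("%%" is a literal percent sign and
 * does not count). Benign VNC reason strings have no need for directives, so
 * this makes a cheap log/alert condition when auditing what a server sent. */
int has_format_directive(const char *text)
{
    const char *p = text;
    while ((p = strchr(p, '%')) != NULL) {
        if (p[1] != '%') return 1;
        p += 2;                     /* skip the escaped "%%" pair */
    }
    return 0;
}

/* 1 if the hardened path reproduced remote_text byte for byte in its output. */
int safe_path_preserves_text(const char *remote_text)
{
    char buf[256];
    const char *prefix = "Error from server: ";
    report_error_safe(buf, sizeof buf, remote_text);
    return strncmp(buf, prefix, strlen(prefix)) == 0 &&
           strcmp(buf + strlen(prefix), remote_text) == 0;
}

int main(void)
{
    char buf[256];
    report_error_safe(buf, sizeof buf, HOSTILE_MSG);
    printf("%s\n", buf);
    printf("directive present: %d\n", has_format_directive(HOSTILE_MSG));
    return 0;
}
```

Building with gcc -Wall -Wformat-security (and -Werror=format-security in release builds) is the cheapest way to find the vulnerable shape across a codebase, since the compiler itself reports a non-literal format with no arguments; that is also why the pragma is needed for the vulnerable function to compile here.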
 ___

 Updated Packages:

 Mandriva Linux 2008.1:
 a8a6ada09391c2e6a84b21e9df02be0a  2008.1/i586/vinagre-0.5.0-1.1mdv2008.1.i586.rpm
 eb08aeb2f86562c079477bf0c478c546  2008.1/SRPMS/vinagre-0.5.0-1.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 edeeac6c489b5d1f3863f292c030318f  2008.1/x86_64/vinagre-0.5.0-1.1mdv2008.1.x86_64.rpm
 eb08aeb2f86562c079477bf0c478c546  2008.1/SRPMS/vinagre-0.5.0-1.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 b09a10bb652f5d9afa23e076e139d87c  2009.0/i586/vinagre-2.24.0-1.1mdv2009.0.i586.rpm
 a22e09709e3c947737a2eefa29983175  2009.0/SRPMS/vinagre-2.24.0-1.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 5e6214867963cc0d8c3776b05212567a  2009.0/x86_64/vinagre-2.24.0-1.1mdv2009.0.x86_64.rpm
 a22e09709e3c947737a2eefa29983175  2009.0/SRPMS/vinagre-2.24.0-1.1mdv2009.0.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJQAIdmqjQ0CJFipgRAlQ0AJ4hS6N/kMl+qoEFXgeuvtX88t7JDwCg0wfX
5HuiWdeJVkEsonVh7+XKfA0=
=TpM8
-END PGP SIGNATURE-



[Full-disclosure] iDefense Security Advisory 12.10.08: Microsoft Excel Malformed Object Memory Corruption Vulnerability

2008-12-10 Thread iDefense Labs
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

iDefense Security Advisory 12.09.08
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 09, 2008

I. BACKGROUND

Excel is the spreadsheet application included with Microsoft Corp.'s
Office productivity software suite. More information is available at
the following website:

http://office.microsoft.com/excel/

II. DESCRIPTION

Remote exploitation of a memory corruption vulnerability in Microsoft
Corp.'s Excel spreadsheet could allow attackers to execute arbitrary
code with the privileges of the current user.

This issue exists in the handling of certain malformed object records
within an Excel spreadsheet (XLS), allowing memory corruption to occur.
This could lead to an exploitable situation.

iDefense's proof of concept code can redirect the program execution flow
to a user controllable address on Excel 2000 SP3, and crash on other
versions of Excel, including Excel XP SP3, Excel 2003 SP3 and Excel
2007 SP1.

III. ANALYSIS

Exploitation allows an attacker to execute arbitrary code in the context
of the currently logged-on user. To exploit this vulnerability, the
attacker must persuade a user to open a specially crafted Excel (XLS)
document.

Likely attack vectors include sending the file as an e-mail attachment
or linking to the file on a website. By default, systems with Office
2000 installed will open Office documents, including Excel spreadsheet
files, from websites without prompting the user. This allows attackers
to exploit this vulnerability without user interaction. Later versions
of Office do not open these documents automatically unless the user has
chosen this behavior.

Using the Office Document Open Confirmation Tool for Office 2000 can
prevent Office files from opening automatically from web sites. Use of
this tool is highly recommended for users still using Office 2000.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability with Office
2000 SP3 fully patched as of July 2008.

V. WORKAROUND

iDefense is currently unaware of any effective workaround for this
issue, since the vulnerability exists in the core component of Excel.

VI. VENDOR RESPONSE

Microsoft Corp. has released a patch which addresses this issue. For
more information, consult their advisory at the following URL.

http://www.microsoft.com/technet/security/bulletin/ms08-074.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-4265 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

07/21/2008  Initial Vendor Notification
07/22/2008  Initial Vendor Reply
07/24/2008  Additional Vendor Feedback
12/09/2008  Coordinated Public Disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJQB6ebjs6HoxIfBkRAjKTAKD3meNs6BwgFJhQDoUlNy6qqa09ZQCdFLST
XWdAq1pjchUyhLQ94ZfT2uE=
=atK5
-END PGP SIGNATURE-



Re: [Full-disclosure] 21 Million German bank accounts stolen

2008-12-10 Thread James Matthews
Also money transfers are traceable I am guessing that they also have EC
card data.

On Wed, Dec 10, 2008 at 2:06 PM, Jost Krieger <[EMAIL PROTECTED]> wrote:

> On Tue, Dec 09, 2008 at 04:11:48PM +0200, James Matthews wrote:
> > German banks are some of the oldest in the world. This is pretty scary;
> > however, it is also the reality of Germany's new laws... I hope they find
> > it soon and protect the people that need to be protected.
> > http://it.slashdot.org/it/08/12/09/0125201.shtml
>
> What Slashdot doesn't say:
>
> What was disclosed were 1.2 million account numbers plus additional
> information, but not means of access. This is bad enough of course.
>
> The 21 million were claimed to be available by the perps, which is
> believable, as they tried to sell them to a newspaper.
>
> The trail seems to lead to small call centers, where someone collects
> these data and sells them on the side. The banks seem not to be
> involved at all.
>
> If you find this all weird, payments in Germany work totally differently
> from the US. No one uses checks for private payments; either you use a
> money transfer or you have the money directly pulled from your account
> (and you can call it back for at least 6 weeks). So a lot of people know
> your account number.
>
> Jost
> --
> | Help eradicate spam!              HTML in mail is impolite.          |
> | Postmaster, JAPH, sometimes fortune-teller    at the RZ of the RUB   |
> | True words are not pleasing; pleasing words are not true.            |
> |                                            Lao Tse, Tao Te King 81   |
>
>



-- 
http://www.goldwatches.com/

http://www.jewelerslounge.com/

Re: [Full-disclosure] U.S. Is Losing Global Cyberwar, Commission Says

2008-12-10 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

"You should revisit this opinion after you're out of school and in
the workforce for 5 years. :)"

6 years and counting; a little cynicism never hurt anyone. On a side
note, I am well aware of the impact that PCI has had on the industry
(currently involved in a project which falls in the realm of PCI
compliance); those on the council as well as those in the field pushing
and advocating the standards have done some great work. Unfortunately
(and it is not their fault), it's not enough...

On Wed, 10 Dec 2008 11:27:19 -0500 Michael Krymson
<[EMAIL PROTECTED]> wrote:
>Like tiny Link holding the almighty Triforce braced overhead
>glinting in the
>sunlight, so too shall we raise up PCI to the heavens as our
>shining,
>guiding light of all things good; it will save us from all evils,
>so shall
>it be...
>
>You should revisit this opinion after you're out of school and in
>the
>workforce for 5 years. :)
>
>On Tue, Dec 9, 2008 at 1:53 PM, Luke Scharf <[EMAIL PROTECTED]>
>wrote:
>
>> Elazar Broad wrote:
>> > Neither, because ultimately no one cares, and that is why the
>> > financial industry foots the 60 billion identity theft bill.
>My
>> > rant was a little bit of wishful thinking and a shred of
>belief in
>> > the human race...
>> >
>>
>> Having been a student in a computer-security training class
>taught by
>> one of the people who helps banks deal with these problems, I'd
>say
>> you're wrong.  This is a hard set of problems.  Smart people are
>working
>> on it -- not everywhere, but in enough places to make a
>difference.
>>
>> Read the PCI and learn its role in the financial industry.  Then
>this
>> conversation will become interesting.  Here's a link to get you
>started:
>>http://en.wikipedia.org/wiki/PCI_DSS
>>
>> -Luke
>>




Re: [Full-disclosure] U.S. Is Losing Global Cyberwar, Commission Says

2008-12-10 Thread Elazar Broad

Financial IT has much competence, the problem is the red tape and
politics that many face when trying to get the job done, but then
again, you have that everywhere, I am just venting/lamenting over
it...

On Wed, 10 Dec 2008 12:23:38 -0500 Luke Scharf
<[EMAIL PROTECTED]> wrote:
>Michael Krymson wrote:
>> Like tiny Link holding the almighty Triforce braced overhead
>glinting in the
>> sunlight, so too shall we raise up PCI to the heavens as our
>shining,
>> guiding light of all things good; it will save us from all
>evils, so shall
>> it be...
>>
>> You should revisit this opinion after you're out of school and
>in the
>> workforce for 5 years. :)
>>
>
>The OP seemed to think that there was no competence in financial
>IT.  I
>know firsthand that there are some smart people, but, like everywhere
>else,
>there must be more than enough morons too -- especially given what
>I've
>been hearing in the news, lately.
>
>But, hey, I work in academia, not the financial industry and I
>should
>know better than to post to FD -- so, whatever.  *shrug*
>
>-Luke
>
>




Re: [Full-disclosure] U.S. Is Losing Global Cyberwar, Commission Says

2008-12-10 Thread Luke Scharf
Michael Krymson wrote:
> Like tiny Link holding the almighty Triforce braced overhead glinting in the
> sunlight, so too shall we raise up PCI to the heavens as our shining,
> guiding light of all things good; it will save us from all evils, so shall
> it be...
>
> You should revisit this opinion after you're out of school and in the
> workforce for 5 years. :)
>   

The OP seemed to think that there was no competence in financial IT.  I
know firsthand that there are some smart people, but, like everywhere else,
there must be more than enough morons too -- especially given what I've
been hearing in the news, lately.

But, hey, I work in academia, not the financial industry and I should
know better than to post to FD -- so, whatever.  *shrug*

-Luke




[Full-disclosure] [ GLSA 200812-10 ] Archive::Tar: Directory traversal vulnerability

2008-12-10 Thread Robert Buchholz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200812-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Archive::Tar: Directory traversal vulnerability
      Date: December 10, 2008
      Bugs: #192989
        ID: 200812-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A directory traversal vulnerability has been discovered in
Archive::Tar.

Background
==

Archive::Tar is a Perl module for creation and manipulation of tar
files.

Affected packages
=

    -------------------------------------------------------------------
     # Package                     /  Vulnerable  /        Unaffected
    -------------------------------------------------------------------
      1  perl-core/Archive-Tar           < 1.40                 >= 1.40

Description
===

Jonathan Smith of rPath reported that Archive::Tar does not check for
".." in file names.

Impact
==

A remote attacker could entice a user or automated system to extract a
specially crafted tar archive, overwriting files at arbitrary locations
outside of the specified directory.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Archive::Tar users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=perl-core/Archive-Tar-1.40"

References
==

  [ 1 ] CVE-2007-4829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4829

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200812-10.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


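The check the advisory says Archive::Tar lacked, written here as an added Python example (it is not the advisory's or the Archive::Tar project's own code): every entry name is refused if it contains a ".." component or is absolute, and, going a step beyond the advisory, hard- and symbolic-link targets are checked as well. The archive is constructed in memory as test data.

```python
import io
import posixpath
import tarfile


def is_safe_member_name(name: str) -> bool:
    """Return True if a tar entry name cannot escape the extraction directory.

    This is the check the advisory describes as missing: any '..' component
    is rejected, and so is an absolute path. It is deliberately strict:
    'pkg/../x' would normalise to a path inside the target, but a '..'
    component in a packaged archive is never legitimate, so it is refused too.
    """
    if not name or name.startswith("/"):
        return False
    parts = [p for p in name.split("/") if p not in ("", ".")]
    return all(p != ".." for p in parts)


def unsafe_members(tar: tarfile.TarFile) -> list[str]:
    """List every entry that would write or point outside the extraction
    directory: traversal in the name, or a link whose target resolves outside."""
    bad = []
    for m in tar.getmembers():
        if not is_safe_member_name(m.name):
            bad.append(m.name)
            continue
        if m.issym():
            # A symlink target is resolved relative to the link's own directory;
            # normalise first, since 'lib/x -> ../lib64/x' style links are legitimate.
            target = posixpath.normpath(
                posixpath.join(posixpath.dirname(m.name), m.linkname))
            if not is_safe_member_name(target):
                bad.append(m.name)
        elif m.islnk():
            # A hard link target is given relative to the archive root.
            if not is_safe_member_name(posixpath.normpath(m.linkname)):
                bad.append(m.name)
    return bad


def check_archive(data: bytes) -> list[str]:
    """Parse a tar archive held in memory and return its unsafe entry names."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return unsafe_members(tar)


def safe_extract(data: bytes, dest: str) -> None:
    """Extract only after every entry has passed the check; refuse otherwise."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        bad = unsafe_members(tar)
        if bad:
            raise ValueError(f"refusing to extract, unsafe entries: {bad}")
        tar.extractall(dest)


def build_sample_archive() -> bytes:
    """Constructed test data (not a real package): one benign file, two entries
    with '..' in the name, and a symlink whose target escapes the tree."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (
            ("pkg/README", b"benign content\n"),
            ("../../outside/file", b"would land two levels above dest\n"),
            ("pkg/../../outside", b"traversal hidden after a real directory\n"),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("pkg/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../.."
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for entry in check_archive(build_sample_archive()):
        print("unsafe entry:", entry)
```

Python 3.12 and later ship an equivalent policy as `extractall(filter="data")`; the explicit check above shows what that policy has to reject.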

[Full-disclosure] [ GLSA 200812-09 ] OpenSC: Insufficient protection of smart card PIN

2008-12-10 Thread Robert Buchholz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200812-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: OpenSC: Insufficient protection of smart card PIN
      Date: December 10, 2008
      Bugs: #233543
        ID: 200812-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Smart cards formatted using OpenSC do not sufficiently protect the PIN,
allowing attackers to reset it.

Background
==

OpenSC is a smart card application that allows reading and writing via
PKCS#11.

Affected packages
=

    -------------------------------------------------------------------
     # Package                     /  Vulnerable  /        Unaffected
    -------------------------------------------------------------------
      1  dev-libs/opensc                 < 0.11.6             >= 0.11.6

Description
===

Chaskiel M Grundman reported that OpenSC uses weak permissions (ADMIN
file control information of 00) for the 5015 directory on smart cards
and USB crypto tokens running Siemens CardOS M4.

Impact
==

A physically proximate attacker can exploit this vulnerability to
change the PIN on a smart card and use it for authentication, leading
to privilege escalation.

Workaround
==

There is no known workaround at this time.

Resolution
==

All OpenSC users should upgrade to the latest version, and then check
and update their smart cards:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/opensc-0.11.6"
# pkcs15-tool --test-update
# pkcs15-tool --test-update --update

References
==

  [ 1 ] CVE-2008-2235
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2235

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200812-09.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



Re: [Full-disclosure] [IVIZ-08-016] F-Secure f-prot Antivirus for Linux corrupted ELF header Security Bypass

2008-12-10 Thread Toni Koivunen
Hrm,
Are you talking about Linux AV by F-Secure or Linux AV by F-Prot?

These are different companies. Also, a short glance at both company
websites tells pretty much that neither has a 4.X strain as the latest.

Usually when posting vulns on software it's recommended to use the latest
and greatest versions.

my 0.02 euros.

--Toni



Re: [Full-disclosure] U.S. Is Losing Global Cyberwar, Commission Says

2008-12-10 Thread Michael Krymson
Like tiny Link holding the almighty Triforce braced overhead glinting in the
sunlight, so too shall we raise up PCI to the heavens as our shining,
guiding light of all things good; it will save us from all evils, so shall
it be...

You should revisit this opinion after you're out of school and in the
workforce for 5 years. :)

On Tue, Dec 9, 2008 at 1:53 PM, Luke Scharf <[EMAIL PROTECTED]> wrote:

> Elazar Broad wrote:
> > Neither, because ultimately no one cares, and that is why the
> > financial industry foots the 60 billion identity theft bill. My
> > rant was a little bit of wishful thinking and a shred of belief in
> > the human race...
> >
>
> Having been a student in a computer-security training class taught by
> one of the people who helps banks deal with these problems, I'd say
> you're wrong.  This is a hard set of problems.  Smart people are working
> on it -- not everywhere, but in enough places to make a difference.
>
> Read the PCI and learn its role in the financial industry.  Then this
> conversation will become interesting.  Here's a link to get you started:
>http://en.wikipedia.org/wiki/PCI_DSS
>
> -Luke
>

[Full-disclosure] [IVIZ-08-011] ClamAV lzh unpacking segmentation fault

2008-12-10 Thread iViZ Security Advisories
---
[ iViZ Security Advisory 08-011                          10/12/2008 ]
---
iViZ Techno Solutions Pvt. Ltd.
http://www.ivizsecurity.com
---

* Title: ClamAV lzh unpacking segmentation fault
* Date:  10/12/2008
* Software:  ClamAV 0.93.3 and prior

--[ Synopsis:

ClamAV uses an external unpacker which can be deterministically crashed
when processing corrupted LZH files.

--[ Affected Software:

  * ClamAV 0.93.3 and prior

--[ Non Affected Software:

  * ClamAV 0.94 and newer

--[ Impact:

Remote DoS, possibly remote code execution.

--[ Vendor response:

  * "Support for external unpackers has been dropped in 0.94 for
security issues".

--[ Credits:

This vulnerability was discovered by Security Researcher
Jonathan Brossard from iViZ Techno Solutions Pvt. Ltd.

--[ Disclosure timeline:

  * First private disclosure to vendor on October 14th 2008
  * First vendor reply on October 15th 2008 : issue fixed.

--[ Reference:

http://www.ivizsecurity.com/security-advisory.html



[Full-disclosure] [IVIZ-08-014] AVG antivirus for Linux vulnerability

2008-12-10 Thread iViZ Security Advisories
---
[ iViZ Security Advisory 08-014                          10/12/2008 ]
---
iViZ Techno Solutions Pvt. Ltd.
http://www.ivizsecurity.com
---

* Title: AVG antivirus for Linux vulnerability
* Date:  10/12/2008
* Software:  AVG version 7.5.51

--[ Synopsis:

AVG antivirus can be deterministically forced to crash
(segmentation fault) when analyzing corrupted UPX files.


--[ Affected Software:

  * AVG for Linux version 7.5.51 (current), possibly others.

--[ Impact:

Remote DoS, possibly remote code execution.

--[ Vendor response:

  * None.

--[ Credits:

This vulnerability was discovered by Security Researcher
Jonathan Brossard from iViZ Techno Solutions Pvt. Ltd.

--[ Disclosure timeline:

  * First attempt to contact the vendor on September 18th 2008.
  * Received an automated reply on September 18th 2008.
  * No actual response from vendor in spite of our multiple emails.

--[ Reference:

http://www.ivizsecurity.com/security-advisory.html



[Full-disclosure] [IVIZ-08-012] Bitdefender antivirus for Linux multiple vulnerabilities

2008-12-10 Thread iViZ Security Advisories
---
[ iViZ Security Advisory 08-012                          10/12/2008 ]
---
iViZ Techno Solutions Pvt. Ltd.
http://www.ivizsecurity.com
---

* Title: Bitdefender antivirus for Linux multiple vulnerabilities.
* Date:  10/12/2008
* Software:  Bitdefender v7 for Linux

--[ Synopsis:

Multiple integer overflows were discovered in the GNU/Linux
version of Bitdefender when analyzing corrupted PE binaries
packed with neolite and asprotect packers.

--[ Affected Software:

  * Bitdefender for GNU/Linux version 7.60825 and earlier.

--[ Non Affected Software:

  * Bitdefender for GNU/Linux version after v7.60825 and newer.

--[ Impact:

Remote DoS, possibly remote code execution.

--[ Final vendor response:

  * The vendor acknowledged the problems and fixed them
in the latest versions of the product.

--[ Credits:

This vulnerability was discovered by Security Researcher
Jonathan Brossard from iViZ Techno Solutions Pvt. Ltd.

--[ Disclosure timeline:

  * First private disclosure to vendor on September 19th 2008.
  * First vendor reply on September 19th 2008: without asking for any PoC,
    the BitDefender Support Team states that "This has been fixed in
    latest version".
  * September 19th 2008: We manage to repeat the crash with the updated
    version of the scanner.
  * September 19th 2008: We send a PoC to the vendor.
  * September 23rd 2008: Vendor states "Yes, the issue was reproduced
    in the lab and it seems that was an engine problem."
  * September 24th 2008: Problem fixed in latest version.

--[ Reference:

http://www.ivizsecurity.com/security-advisory.html



[Full-disclosure] [IVIZ-08-015] Sophos Antivirus for Linux vulnerability

2008-12-10 Thread iViZ Security Advisories
---
[ iViZ Security Advisory 08-015                          10/12/2008 ]
---
iViZ Techno Solutions Pvt. Ltd.
http://www.ivizsecurity.com
---

* Title: Sophos Antivirus for Linux vulnerability
* Date:  10/12/2008
* Software:  Sophos SAVScan 4.33.0 for Linux

--[ Synopsis:

Sophos Antivirus deterministically crashes (segmentation fault)
when analyzing corrupted files produced by multiple packers:
armadillo, asprotect, asprotectSKE. The same behavior has also
been observed when analyzing corrupted CAB files.


--[ Affected Software:

  * Sophos SAVScan 4.33.0 for Linux, possibly others

--[ Impact:

Remote DoS, possibly remote code execution.

--[ Vendor response:

  * Vendor acknowledged the problems and will "fix the issues" in the
next release.

--[ Credits:

This vulnerability was discovered by Security Researcher
Jonathan Brossard from iViZ Techno Solutions Pvt. Ltd.

--[ Disclosure timeline:


--[ Reference:

http://www.ivizsecurity.com/security-advisory.html



[Full-disclosure] [IVIZ-08-016] F-Secure f-prot Antivirus for Linux corrupted ELF header Security Bypass

2008-12-10 Thread iViZ Security Advisories
---
[ iViZ Security Advisory 08-016                          10/12/2008 ]
---
iViZ Techno Solutions Pvt. Ltd.
http://www.ivizsecurity.com
---

* Title: F-Secure f-prot Antivirus for Linux corrupted ELF header
 Security Bypass.
* Date:  10/12/2008
* Software:  f-prot version 4.6.8 for GNU/Linux

--[ Synopsis:

It is possible to protect an ELF binary against
f-prot by corrupting its ELF header while leaving
the binary completely functional. F-prot will crash
when analyzing the file, leaving the possible malware
undetected.

--[ Affected Software:

   * f-prot version 4.6.8 for GNU/Linux

--[ Impact:

Remote DoS, possibly remote code execution.

--[ Vendor response:

   * No vendor response

--[ Credits:

This vulnerability was discovered by Security Researcher
Jonathan Brossard from iViZ Techno Solutions Pvt. Ltd.

--[ Disclosure timeline:

  * First private disclosure to vendor on September 1st 2008.

--[ Reference:

http://www.ivizsecurity.com/security-advisory.html



[Full-disclosure] [IVIZ-08-013] Avast antivirus for Linux multiple vulnerabilities

2008-12-10 Thread iViZ Security Advisories
---
[ iViZ Security Advisory 08-013                          10/12/2008 ]
---
iViZ Techno Solutions Pvt. Ltd.
http://www.ivizsecurity.com
---

* Title: Avast antivirus for Linux multiple vulnerabilities.
* Date:  10/12/2008
* Software:  Avast for Workstations v1.0.8

--[ Synopsis:

Multiple buffer overflows were discovered in the GNU/Linux
version of Avast when analyzing corrupted ISO and RPM files.

--[ Affected Software:

  * Avast for Workstations v1.0.8 Trial versions, possibly others.

--[ Impact:

Remote DoS, possibly remote code execution.

--[ Vendor response:

  * On September 24th 2008, the vendor stated :
"With (the) mentioned version of avast4workstation 1.0.8_2, indeed,
this bug existed. It was a stack-overflow, caused by cycling over
intertwined directories on corrupted ISO files. All versions built
since 22.1.2008 have this fixed. Thanks for your report."

--[ Credits:

This vulnerability was discovered by Security Researcher
Jonathan Brossard from iViZ Techno Solutions Pvt. Ltd.

--[ Disclosure timeline:

  * First private disclosure to vendor on September 18th 2008.
  * First vendor reply on September 19th 2008.
  * On September 23rd 2008, the vendor claims to have fixed the problem :
"my colleague identified the problem few minutes ago as a bug which was
fixed 22. Jan 2008."
  * On October 15th 2008, the vulnerable trial version link hasn't been updated:
http://download664.avast.com/files/linux/avast4workstation_1.0.8-2_i386.deb

--[ Reference:

http://www.ivizsecurity.com/security-advisory.html



[Full-disclosure] CORE-2008-0228: Microsoft Word Malformed FIB Arbitrary Free Vulnerability

2008-12-10 Thread CORE Security Technologies Advisories

  Core Security Technologies - CoreLabs Advisory
   http://www.coresecurity.com/corelabs/

  Microsoft Word Malformed FIB Arbitrary Free Vulnerability



1. *Advisory Information*

Title: Microsoft Word Malformed FIB Arbitrary Free Vulnerability
Advisory ID: CORE-2008-0228
Advisory URL: http://www.coresecurity.com/content/word-arbitrary-free
Date published: 2008-12-10
Date of last update: 2008-12-10
Vendors contacted: Microsoft
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Arbitrary free
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: 29633
CVE Name: CVE-2008-4024


3. *Vulnerability Description*

A vulnerability has been found in the way that Microsoft Word handles
specially crafted Word files. The vulnerability could allow remote code
execution if a user opens a specially crafted Word file that includes a
malformed record value. An attacker who successfully exploited this
vulnerability could execute arbitrary code with the privileges of the
user running the MS Word application.

More specifically, a Word file with a specially crafted 'lcbPlcfBkfSdt'
field value (offset '0x4f0') inside the File Information Block (FIB) can
corrupt the heap structure on vulnerable Word versions and enable an
arbitrary free with controlled values.


4. *Vulnerable packages*

   . Microsoft Word 2000 Service Pack 3
   . Microsoft Word 2002 Service Pack 3


5. *Non-vulnerable packages*

   . Microsoft Word 2003 Service Pack 3
   . Microsoft Word 2007


6. *Vendor Information, Solutions and Workarounds*

Microsoft has released patches for this vulnerability. For more
information refer to the Microsoft Security Bulletin MS08-072 released
on December 9th, 2008, available at
http://www.microsoft.com/technet/security/Bulletin/ms08-072.mspx

Microsoft recommends that customers apply the update immediately.


7. *Credits*

This vulnerability was discovered and researched by Ricardo Narvaja,
from CORE IMPACT's Exploit Writing Team (EWT), Core Security Technologies.


8. *Technical Description / Proof of Concept Code*

A vulnerability has been found in the way that Microsoft Word handles
specially crafted Word files. A Word file with a specially crafted
'lcbPlcfBkfSdt' field value (offset '0x4f0') inside the File Information
Block (FIB) can corrupt the heap structure on vulnerable Word versions,
and enable an arbitrary free with controlled values. If successfully
exploited, this vulnerability could allow an attacker to execute
arbitrary code on vulnerable systems with the privileges of the user
running the MS Word application.

To construct a PoC file that demonstrates this bug it is sufficient to
use Microsoft Word 2007 to generate a Word 97-2003 compatible '.doc'
file, and then change the byte at offset 0x4f0, which is the
'lcbPlcfBkfSdt' field value located inside the File Information Block
(FIB). By simply changing this byte from 0 to 1, we obtain a file that
will make vulnerable Word versions crash when closing the file. This can
be improved to make Word crash when opening the file by changing some
other values. This fact was detected using automated fuzzing.

In location 0x2b80, there is an arbitrary pointer that can be controlled
to choose the address that will be used as parameter of a call to the
free function '__MsoPvFree'. If the 'lcbPlcfBkfSdt' value is 0,
modifying this pointer has no effect. But if this value is 1, then
modifying this arbitrary pointer will cause the free function to close
the program.

The execution of '__MsoPvFree' is reached with two controlled values:
the pointer that was directly changed in the .doc file and the contents
of the memory position that it points to. That is, both of them are
controlled, one directly and the other indirectly, so the effect of the
free function is fully under the attacker's control.

The exploitation of this bug depends on the construction of a file such
that different arbitrary blocks are allocated when closing the file
before 'free' is called. However this scenario is complex due to the
limitations of the '__MsoPvFree' API, including checks that make the
exploitation difficult.

The vendor's analysis indicates that the root cause of this
vulnerability is the processing of a 'PlfLfo' structure that is read in
from the file. It contains an array of 'Lfo' objects. If any of those
'Lfo' objects has a 'clfolvl' value of 0 and a 'plfolvl' (the previous 4
bytes) value that is non-zero, Word will attempt to free memory at
'plfolvl'. This is because 'plfolvl' is supposed to be overwritten with
a valid pointer to allocated memory, but if 'clfolvl' is 0 this
initialization step is skipped. Later on cleanup code will check if
'plfolvl' has a non-zero value and if so, attempt to free the memory
chunk it points to.

A Proof of Concept '.doc' file which makes Word 2000 and Word 2002 crash
('WINWORD.EXE', main thread, module 'MS09') is available at [2]. An
illustrated explanati

[Full-disclosure] CYBSEC News - New sapyto release (v0.98)

2008-12-10 Thread Mariano Nuñez Di Croce
Hello list,

I'm glad to let you know that a new version of sapyto, the SAP Penetration 
Testing Framework, is available.

You can download it by accessing the following link: 
http://www.cybsec.com/EN/research/sapyto.php

News in this version:
-

This version is mainly a complete re-design of sapyto's core and architecture 
to support future releases. Some of the new features now available are:

. Target configuration is now based on "connectors", which represent different 
ways to communicate with SAP services and components. This makes the
framework extensible to handle new types of connections to SAP platforms.

. Plugins are now divided into three categories:
. Discovery: Try to discover new targets from the 
configured/already-discovered ones.
. Audit: Perform some kind of vulnerability check over configured 
targets.
. Exploit: Are used as proofs of concept for discovered vulnerabilities.

. Exploit plugins now generate shells and/or sapytoAgent objects.

. New plugins!: User account bruteforcing, client enumeration, SAProuter 
assessment, and more...

. Plugin-developer interface drastically simplified and improved.

. New command switches to allow the configuration of targets/scripts/output 
independently.

. Installation process and general documentation improved.

. Many (*many*) bugs fixed. :P


Enjoy!
Cheers,

-- 
-
Mariano Nuñez Di Croce

CYBSEC S.A. Security Systems
Email: [EMAIL PROTECTED]
Tel/Fax: (54-11) 4371-
Web: http://www.cybsec.com
PGP: http://www.cybsec.com/pgp/mnunez.txt
-




Re: [Full-disclosure] List Charter

2008-12-10 Thread Stuart Dunkeld
On Wed, Dec 10, 2008 at 1:44 PM, Ureleet <[EMAIL PROTECTED]> wrote:
> now, what is the point in sending this out to the list, if no1 ever
> enforces any part of it?
>
> On Wed, Dec 10, 2008 at 5:13 AM, John Cartwright <[EMAIL PROTECTED]> wrote:
>>
>> [Full-Disclosure] Mailing List Charter

Because it's up to individual list members to abide by the charter:
most do, some don't, as I'm sure you've noticed.

--stuart



Re: [Full-disclosure] We're letting the bad guys win

2008-12-10 Thread infolookup
Care to share a few with the rest of us :).
Sent from my Verizon Wireless BlackBerry

-Original Message-
From: Ureleet <[EMAIL PROTECTED]>

Date: Wed, 10 Dec 2008 08:42:22 
To: n3td3v<[EMAIL PROTECTED]>
Cc: 
Subject: Re: [Full-disclosure] We're letting the bad guys win


this is not a serious mailing list.  this is an announcement nd a
bitching list.  there r serious mailing lists, and im on sum.  this
aint 1.

On Wed, Dec 10, 2008 at 3:51 AM, n3td3v <[EMAIL PROTECTED]> wrote:
> On Tue, Dec 9, 2008 at 9:50 PM, Some Guy Posting To Full Disclosure
> <[EMAIL PROTECTED]> wrote:
>> a stupid fat kid attempting to be funny with his freinds
>
> This is a serious mailing list not one where there are kids fooling
> around, they would be too scared to post here because of the military,
> government and intelligence services who are HUMINT subscribed.
>


Re: [Full-disclosure] List Charter

2008-12-10 Thread Ureleet
now, what is the point in sending this out to the list, if no1 ever
enforces any part of it?

On Wed, Dec 10, 2008 at 5:13 AM, John Cartwright <[EMAIL PROTECTED]> wrote:
>
> [Full-Disclosure] Mailing List Charter
> John Cartwright <[EMAIL PROTECTED]>
>
>
> - Introduction & Purpose -
>
> This document serves as a charter for the [Full-Disclosure] mailing
> list hosted at lists.grok.org.uk.
>
> The list was created on 9th July 2002 by Len Rose, and is primarily
> concerned with security issues and their discussion.  The list is
> administered by John Cartwright.
>
> The Full-Disclosure list is hosted and sponsored by Secunia.
>
>
> - Subscription Information -
>
> Subscription/unsubscription may be performed via the HTTP interface
> located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.
>
> Alternatively, commands may be emailed to
> [EMAIL PROTECTED], send the word 'help' in
> either the message subject or body for details.
>
>
> - Moderation & Management -
>
> The [Full-Disclosure] list is unmoderated. Typically posting will be
> restricted to members only, however the administrators may choose to
> accept submissions from non-members based on individual merit and
> relevance.
>
> It is expected that the list will be largely self-policing, however in
> special circumstances (eg spamming, misappropriation) then offending
> members may be removed from the list by the management.
>
> An archive of postings is available at
> http://lists.grok.org.uk/pipermail/full-disclosure/.
>
>
> - Acceptable Content -
>
> Any information pertaining to vulnerabilities is acceptable, for
> instance announcement and discussion thereof, exploit techniques and
> code, related tools and papers, and other useful information.
>
> Gratuitous advertisement, product placement, or self-promotion is
> forbidden.  Disagreements, flames, arguments, and off-topic discussion
> should be taken off-list wherever possible.
>
> Humour is acceptable in moderation, providing it is inoffensive.
> Politics should be avoided at all costs.
>
> Members are reminded that due to the open nature of the list, they
> should use discretion in executing any tools or code distributed via
> this list.
>
>
> - Posting Guidelines -
>
> The primary language of this list is English. Members are expected to
> maintain a reasonable standard of netiquette when posting to the list.
>
> Quoting should not exceed that which is necessary to convey context,
> this is especially relevant to members subscribed to the digested
> version of the list.
>
> The use of HTML is discouraged, but not forbidden. Signatures will
> preferably be short and to the point, and those containing
> 'disclaimers' should be avoided where possible.
>
> Attachments may be included if relevant or necessary (e.g. PGP or
> S/MIME signatures, proof-of-concept code, etc) but must not be active
> (in the case of a worm, for example) or malicious to the recipient.
>
> Vacation messages should be carefully configured to avoid replying to
> list postings. Offenders will be excluded from the mailing list until
> the problem is corrected.
>
> Members may post to the list by emailing
> [EMAIL PROTECTED] Do not send subscription/
> unsubscription mails to this address, use the -request address
> mentioned above.
>
>
> - Charter Additions/Changes -
>
> The list charter will be published at
> http://lists.grok.org.uk/full-disclosure-charter.html.
>
> In addition, the charter will be posted monthly to the list by the
> management.
>
> Alterations will be made after consultation with list members and a
> consensus has been reached.
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] We're letting the bad guys win

2008-12-10 Thread Ureleet
no, n3tdev, u r wrong.  again.

if we email u in private, u forward the email 2 the list?  u do the
same thing, 2 every1!  do we need to pull up the archives 2 prove it?
dont be hypocritical.

im not trying 2 get u down 2 my level.  i really am trying 2 get u 2
leave.  pretty simple.

On Tue, Dec 9, 2008 at 8:23 PM, n3td3v <[EMAIL PROTECTED]> wrote:
> On Tue, Dec 9, 2008 at 9:50 PM, Some Guy Posting To Full Disclosure
> <[EMAIL PROTECTED]> wrote:
>> ok this is what this whole thing looks like to me:
>
> They (Ureleet) try to get my attention, they don't care if I stop or
> not, they flame me. If I email them in private, then they forward the
> message to the list and keep the noise going.
>
> They aren't interested in me leaving the list, they are interested in
> being troublemakers and bring me down to their level.
>
> You like me are gullible and naive to respond to them, I have stopped
> responding to them and so should you, pretend you don't see their
> posts.
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] We're letting the bad guys win

2008-12-10 Thread Ureleet
this is not a serious mailing list.  this is an announcement nd a
bitching list.  there r serious mailing lists, and im on sum.  this
aint 1.

On Wed, Dec 10, 2008 at 3:51 AM, n3td3v <[EMAIL PROTECTED]> wrote:
> On Tue, Dec 9, 2008 at 9:50 PM, Some Guy Posting To Full Disclosure
> <[EMAIL PROTECTED]> wrote:
>> a stupid fat kid attempting to be funny with his friends
>
> This is a serious mailing list not one where there are kids fooling
> around, they would be too scared to post here because of the military,
> government and intelligence services who are HUMINT subscribed.
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] We're letting the bad guys win

2008-12-10 Thread Ureleet
i like ur email.  will note it.

On Tue, Dec 9, 2008 at 4:50 PM, Some Guy Posting To Full Disclosure
<[EMAIL PROTECTED]> wrote:
> ok this is what this whole thing looks like to me:
>
> To n3td3v:
> You often post ideas and express your opinion to this list. Some
> (often the more liberal) of us often disagree with you and others mock
> you for your adventurousness. Actually sometimes it looks childish,
> almost as if you're desperately trying to propose the big new thing
> that changes the world.
> The thing is you're posting to a list where really, all that happens is
> people (mostly sec companies) post information on vulnerabilities in
> software and news in the sec field.
> You say you came here for information, then LEECH like the rest of us
> - just shut up. If you want a mailing list for proposed security
> project ideas then make one.
> You're enthusiastic and a dreamer who's obviously very forward and
> ambitious with that excellence. Just think before you talk, and maybe
> do something, like sit down and think:
> I want to be $A (as in what you're going to do with your LIFE!). To be
> that I need to get $B done. To do that I have to do $C[] /*<-that's a
> list(:s)*/.
>
> To all that oppose n3td3v:
> Some of you (UreLeet + others) get a little too excited and flame. If
> you don't like how someone acts, what they have to say, who they are:
> then shut up! You don't need to bully something into submission just
> because you don't like it. If you get some angry rush feeling when you
> see some stupid fat kid majorly embarrass himself by attempting to
> be funny with his friends and just looking like that annoying retard
> kid then don't bully him! Be gentle and point out the problem
> (privately) (of course first think: are you really of a knowledge and
> responsibility to instruct this child how to change his life) OR, much
> better: shut up, and go take your (own) anger out somewhere else, PC
> games do it for me, -
> even that's good enough.
> btw n3td3v - I don't think you're a retarded fat child (ur not right?).
>
> Come to think about it: We're being listened to by a bunch of other
> people, mostly geeks who think FD is the shitz where all the l33t sec
> companies go for their patches and sec news (it isn't!). But are we
> all just doing this crap for the benefit of our audience? I mean I
> could have written these things to the individuals they were intended
> for. Hell I could have taken my own advice and shut up, blocked the
> troublesome email addresses, and carried on with my life (I'm a
> hobbyist). Are You All Just Doing This For The Benefit Of The Sec Gods
> We Wish We Were?  THINK ABOUT IT
>
> Oh also I don't care about me - I'm a leech, I should probably not
> post on this list unless I have something decent to say too.
>
> On 12/9/08, Ureleet <[EMAIL PROTECTED]> wrote:
>> thats all he does is deflect, weve established that he never gives a
>> real answer.
>>
>> On Tue, Dec 9, 2008 at 12:25 PM, Elazar Broad <[EMAIL PROTECTED]> wrote:
>>> -BEGIN PGP SIGNED MESSAGE-
>>> Hash: SHA1
>>>
>>> Brilliant use of deflection, keep it up, you might end up as some
>>> loser serial rapist on Law and Order, oh wait, they want actor's,
>>> not the real thing...
>>>
>>> On Tue, 09 Dec 2008 11:55:08 -0500 n3td3v <[EMAIL PROTECTED]>
>>> wrote:
>>>> On Tue, Dec 9, 2008 at 3:08 PM, Paul Schmehl
>>>> <[EMAIL PROTECTED]> wrote:
>>>>> --On Tuesday, December 09, 2008 00:25:18 -0600
>>>>> [EMAIL PROTECTED] wrote:
>>>>>
>>>>>>
>>>>>> On Tue, 09 Dec 2008 04:03:57 GMT, n3td3v said:
>>>>>>> We need to stop this back and forth fighting its making
>>>>>>> infosec look
>>>>>>> bad, this isn't what infosec should be about.
>>>>>>
>>>>>> It's making one very small insignificant corner of infosec look
>>>>>> bad.
>>>>>>
>>>>>> Let's keep a sense of perspective, guys.
>>>>>
>>>>> Or, to look at it another way, it's tying up all the idiots in
>>>>> one place and
>>>>> keeping the rest of infosec unsullied.  :-)
>>>>>
>>>>
>>>> I agree,
>>>> But full-disclosure shouldn't be full of idiots so why do we let
>>>> it be
>>>> that way. It's because we reply to them that it happens. I was
>>>> gullible and naive to reply to them, i'm not replying to them
>>>> anymore.
>>>>
>>>> ___
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>> -BEGIN PGP SIGNATURE-
>>> Charset: UTF8
>>> Note: This signature can be verified at https://www.hushtools.com/verify
>>> Version: Hush 3.0
>>>
>>> wpwEAQECAAYFAkk+qhEACgkQi04xwClgpZg3kQP9GEBAH9byz3/fJKvWHN9IFX0ycf17
>>> 0LS0fUg/5BRHXck+a2uEZsNujlKoMYyl1XshW+HWH0rwmDTw/1S88vCqULiqiMI7yXD0
>>> G01L1MDkA+dM9ntF0IHSPUz3r2a4qVfP4D8o6KB45oDizZOLiCB5zGQdV5g1hwlHEBsL
>>> KMecN/o=
>>> =dDzW
>>> -END PGP SIGNATURE-
>>>

[Full-disclosure] Microsoft SQL Server 2005 sp_replwritetovarbin memory overwrite (update to SEC Consult SA-20081209)

2008-12-10 Thread Bernhard Mueller
Update to SEC Consult Security Advisory 20081210-0
(Microsoft SQL Server sp_replwritetovarbin limited memory overwrite
vulnerability)
===

Summary:


By calling the extended stored procedure sp_replwritetovarbin, an
attacker can write limited values to arbitrary locations in process
memory. This vulnerability has been described in a prior security
advisory for MS SQL Server 2000:

http://www.securityfocus.com/archive/1/499042

Moreno Zilli of Swisscom has reported that MS SQL Server 2005 is
vulnerable to the same attack. This has been confirmed in a lab test
conducted by SEC Consult.
Our public security advisory has been updated accordingly:

http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt



Workaround:
---

Remove the sp_replwritetovarbin extended stored procedure. Run the
following as an administrator:

execute dbo.sp_dropextendedproc 'sp_replwritetovarbin'

See also:

"Removing an Extended Stored Procedure from SQL Server"
http://msdn.microsoft.com/en-us/library/aa215995(SQL.80).aspx


Patch:
--

According to an email received from Microsoft in September, a fix for
this vulnerability has been completed.
The release schedule for this fix is currently unknown.


Vendor timeline:
---
Vendor notified: 2008-04-17
Vendor response: 2008-04-17
Last response from Microsoft: 2008-09-29
Request for update status 1: 2008-10-14
Request for update status 2: 2008-10-29
Request for update status 3: 2008-11-12
Request for update status 4
and prenotification about advisory release date: 2008-11-28
Public release: 2008-12-09
Update (added MS-SQL 2005): 2008-12-10


SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF Bernhard Mueller / @2008

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] 21 Million German bank accounts stolen

2008-12-10 Thread Jost Krieger
On Tue, Dec 09, 2008 at 04:11:48PM +0200, James Matthews wrote:
> German banks are some of the oldest in the world. This is pretty scary,
> however it is also the reality of Germany's new laws... I hope they find it
> soon and protect the people that need to be protected
> http://it.slashdot.org/it/08/12/09/0125201.shtml

What Slashdot doesn't say:

What was disclosed were 1.2 million account numbers plus additional
information, but not means of access. This is bad enough of course.

The 21 million were claimed to be available by the perps, which is
believable, as they tried to sell them to a newspaper.

The trail seems to lead to small call centers, where someone collects
these data and sells them on the side. The banks seem not to be
involved at all.

If you find this all weird, payments in Germany work totally differently
from the US. No one uses checks for private payments, either you use
money transfer or you have the money directly pulled from your account
(and you can call it back for at least 6 weeks). So a lot of people know
your account number.

Jost
-- 
| Help eradicate spam!      HTML in mail is impolite.              |
| Postmaster, JAPH, sometimes soothsayer     at the RZ of the RUB  |
| True words are not pleasing, pleasing words are not true.        |
|                                     Lao Tse, Tao Te King 81      |


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] List Charter

2008-12-10 Thread John Cartwright

[Full-Disclosure] Mailing List Charter
John Cartwright <[EMAIL PROTECTED]>
 

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing 
list hosted at lists.grok.org.uk.

The list was created on 9th July 2002 by Len Rose, and is primarily 
concerned with security issues and their discussion.  The list is 
administered by John Cartwright.

The Full-Disclosure list is hosted and sponsored by Secunia.


- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface 
located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to 
[EMAIL PROTECTED], send the word 'help' in 
either the message subject or body for details.

 
- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be
restricted to members only, however the administrators may choose to 
accept submissions from non-members based on individual merit and 
relevance.

It is expected that the list will be largely self-policing, however in
special circumstances (eg spamming, misappropriation) then offending 
members may be removed from the list by the management.

An archive of postings is available at 
http://lists.grok.org.uk/pipermail/full-disclosure/.
 

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for 
instance announcement and discussion thereof, exploit techniques and 
code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is 
forbidden.  Disagreements, flames, arguments, and off-topic discussion 
should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. 
Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they 
should use discretion in executing any tools or code distributed via
this list.
 

- Posting Guidelines -

The primary language of this list is English. Members are expected to 
maintain a reasonable standard of netiquette when posting to the list. 

Quoting should not exceed that which is necessary to convey context, 
this is especially relevant to members subscribed to the digested 
version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will 
preferably be short and to the point, and those containing 
'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or 
S/MIME signatures, proof-of-concept code, etc) but must not be active 
(in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to 
list postings. Offenders will be excluded from the mailing list until 
the problem is corrected.

Members may post to the list by emailing 
[EMAIL PROTECTED] Do not send subscription/
unsubscription mails to this address, use the -request address 
mentioned above.


- Charter Additions/Changes -

The list charter will be published at 
http://lists.grok.org.uk/full-disclosure-charter.html.

In addition, the charter will be posted monthly to the list by the 
management.

Alterations will be made after consultation with list members and a 
consensus has been reached.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] [DSA 1684-1] New lcms packages fix multiple vulnerabilities

2008-12-10 Thread Devin Carraway
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1684[EMAIL PROTECTED]
http://www.debian.org/security/   Devin Carraway
December 10, 2008 http://www.debian.org/security/faq
- 

Package: lcms
Vulnerability  : multiple vulnerabilities
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)  : CVE-2008-5316 CVE-2008-5317

Two vulnerabilities have been found in lcms, a library and set of
commandline utilities for image color management.  The Common
Vulnerabilities and Exposures project identifies the following
problems:

CVE-2008-5316

Inadequate enforcement of fixed-length buffer limits allows an
attacker to overflow a buffer on the stack, potentially enabling
the execution of arbitrary code when a maliciously-crafted
image is opened.

CVE-2008-5317

An integer sign error in reading image gamma data could allow an
attacker to cause an under-sized buffer to be allocated for
subsequent image data, with unknown consequences potentially
including the execution of arbitrary code if a maliciously-crafted
image is opened.

For the stable distribution (etch), these problems have been fixed in
version 1.15-1.1+etch1 (the package version carried by the source and
binary files listed below).

For the upcoming stable distribution (lenny), and the unstable
distribution (sid), these problems are fixed in version 1.17.dfsg-1.

We recommend that you upgrade your lcms packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/l/lcms/lcms_1.15-1.1+etch1.diff.gz
Size/MD5 checksum: 2000 10fb445280ea38542701017292ffb1ca
  http://security.debian.org/pool/updates/main/l/lcms/lcms_1.15.orig.tar.gz
Size/MD5 checksum:   791543 95a710dc757504f6b02677c1fab68e73
  http://security.debian.org/pool/updates/main/l/lcms/lcms_1.15-1.1+etch1.dsc
Size/MD5 checksum:  636 188344016765736e5690a669a6dce88b

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch1_alpha.deb
Size/MD5 checksum:   179622 a64aa233ae03aa942c34e28af411f5fe
  
http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch1_alpha.deb
Size/MD5 checksum:   153452 12b7bbd297ef50a85f19da90d1c4f30f
  
http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch1_alpha.deb
Size/MD5 checksum:61580 a821798d40f1d0990a053b825db129a8

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch1_amd64.deb
Size/MD5 checksum:53284 7eb60db022f80565251a0e4d9cadd8b2
  
http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch1_amd64.deb
Size/MD5 checksum:   140288 2b3fa89b3757f0431e2ab3e44f7d1c08
  
http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch1_amd64.deb
Size/MD5 checksum:   147692 e8be34ecb4af9f7cfe1e51c759fc2c27

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch1_arm.deb
Size/MD5 checksum:   135546 523110a99549778b3a5a9ddf38b381e5
  
http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch1_arm.deb
Size/MD5 checksum:   135376 0e4f0fabbc9a04bc593f1887a1bcf35f
  
http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch1_arm.deb
Size/MD5 checksum:50962 7f38a7371ca57f25080f227a3a3b373a

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/l/lcms/liblcms1-dev_1.15-1.1+etch1_hppa.deb
Size/MD5 checksum:   168420 e5aab4f34d88b9f8aefd43fed5f2fe78
  
http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch1_hppa.deb
Size/MD5 checksum:59120 88bf9add52df55b353d0d26508486a96
  
http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch1_hppa.deb
Size/MD5 checksum:   157652 30f8396d4f78363befd2e0d72b9e56a8

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch1_i386.deb
Size/MD5 checksum:   137296 46695836065eb7b734e02706191872f7
  
http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch
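The upgrade instructions in the advisory above fetch a .deb by URL and hand it straight to dpkg -i. Added example, not part of the Debian advisory or Debian's tooling: a small Python script that parses the advisory's own "URL / Size/MD5 checksum" pairs and refuses to install a file whose size or digest does not match the listed entry. The advisory excerpt embedded in it is copied from the lines above (including the collapsed whitespace the archived copy shows); the example.invalid entry used in the usage note is constructed.

```python
"""Added example, not part of DSA-1684: check a downloaded package against the
Size/MD5 lines printed in the advisory before running dpkg -i on it.

parse_advisory() reads the advisory's own "URL / Size/MD5 checksum" pairs;
verify_package() hashes a local file and compares size and digest against the
entry for that file name. This is assumed tooling, not Debian's; the excerpt
below is copied from the advisory text above.
"""
import hashlib
import os
import re

ADVISORY_EXCERPT = """
  http://security.debian.org/pool/updates/main/l/lcms/liblcms1_1.15-1.1+etch1_i386.deb
Size/MD5 checksum:   137296 46695836065eb7b734e02706191872f7
  http://security.debian.org/pool/updates/main/l/lcms/liblcms-utils_1.15-1.1+etch1_amd64.deb
Size/MD5 checksum:53284 7eb60db022f80565251a0e4d9cadd8b2
"""

# A URL line followed by its "Size/MD5 checksum:" line. Whitespace between the
# colon and the size is optional because the archived copy sometimes drops it.
_ENTRY_RE = re.compile(
    r"^\s*(?P<url>https?://\S+)\s*\n"
    r"\s*Size/MD5 checksum:\s*(?P<size>\d+)\s+(?P<md5>[0-9a-f]{32})\s*$",
    re.MULTILINE,
)


def parse_advisory(text):
    """Map package file name -> (size, md5) for every entry in the advisory."""
    entries = {}
    for m in _ENTRY_RE.finditer(text):
        name = m.group("url").rsplit("/", 1)[-1]
        entries[name] = (int(m.group("size")), m.group("md5"))
    return entries


def md5_of_file(path):
    """Stream the file through MD5 so large .debs do not need to fit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(path, advisory_text=ADVISORY_EXCERPT):
    """Return (ok, reason). ok is True only when both size and MD5 match the
    advisory entry for this file name; a missing entry is a failure, not a
    pass, so an unlisted file is never installed by mistake."""
    entries = parse_advisory(advisory_text)
    name = os.path.basename(path)
    if name not in entries:
        return False, "no advisory entry for %s" % name
    want_size, want_md5 = entries[name]
    have_size = os.path.getsize(path)
    if have_size != want_size:
        return False, "size %d != advisory %d" % (have_size, want_size)
    have_md5 = md5_of_file(path)
    if have_md5 != want_md5:
        return False, "md5 %s != advisory %s" % (have_md5, want_md5)
    return True, "size and MD5 match advisory"


if __name__ == "__main__":
    # Usage: python verify_dsa.py liblcms1_1.15-1.1+etch1_i386.deb
    import subprocess
    import sys
    for deb in sys.argv[1:]:
        ok, why = verify_package(deb)
        print("%s: %s" % (deb, why))
        if not ok:
            sys.exit(1)
        subprocess.check_call(["dpkg", "-i", deb])
```

The digest check only catches a corrupt or swapped download; it is only as trustworthy as the advisory text it was read from, so verify the DSA's PGP signature first. MD5 is also collision-prone, which is one more reason to prefer the apt-get path, where the archive's signed Release files cover the package hashes.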

[Full-disclosure] ISOI 6, Dallas, TX - January 29, 30

2008-12-10 Thread Gadi Evron
Hi all. ISOI is once again happening, and back to the States.

Almost final agenda: http://isotf.org/isoi6.html

As usual, while attendance is limited to the folks who are busy "saving the 
Internet"/"fighting crime", it is free of charge.

Once again we offer the public at-large the opportunity to attend without such 
membership. The process is: you submit a relevant talk, get vetted and get 
accepted. We have two slots reserved for such a purpose.

Subjects of interest: case studies, attacks, botnets, fraud, ...
To submit email your talk idea to [EMAIL PROTECTED]

Is it time to say merry Xmas yet?

Gadi.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [FULL DISCLOSURE] Facebook Non Persistant XSS

2008-12-10 Thread Facebook IsBuggy
Found in August, I tried to alert facebook as quickly as was possible
- however I received no further correspondence to my communications.
At time of writing, it was possible to exploit both Firefox 3 and IE 7
- by simply using an IFRAME or even an object tag. (Dependent on the
browser target)

This allows you to overwrite the whole page with your choice of script/embed.

Vulnerability was found by accident when I was routing my web traffic
via WebScarab with an advanced list of strings to use with the
in-built XSS/CSRF tool.



http://2.channel15.facebook.com/iframe/7/?pv=49&rev="></script><title>Google</title></head></body><IFRAME src="http://www.google.com/" type="text/html" width="100%" height="100%"></IFRAME>

Naturally that rather obvious URL could be encoded, or cut down to
prevent the obvious anomaly. However, I feel the facebook domain name
itself would be enough to fool most users.

http://2.channel15.facebook.com/iframe/7/?pv=49&rev=%22%3E%3C/script%3E%3Ctitle%3EGoogle%3C/title%3E%3C/head%3E%3C/body%3E%3CIFRAME%20src%3D%22http%3A//www.google.com/%22%20type%3D%22text/html%22%20width%3D%22100%25%22%20height%3D%22100%25%22%3E%3C/IFRAME%3E



*Similar vulnerabilities had been spoken about on a credit card fraud
(carding) forum prior to my discovery of this. Possibly for the use of
phishing.*

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
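The payload in the post above closes the JavaScript string and the script block with `"></script>` and then supplies its own HTML, so the browser renders an attacker-chosen IFRAME under the site's own hostname. As an added example (not code from the post, and not Facebook's), here is that reflection pattern next to a hardened encoder that emits the value as a JS string literal with `<`, `>` and `&` escaped, plus a check showing that the injected IFRAME survives in one rendering and not the other. The percent-encoded `rev` value is copied from the post; the page template and the function names are hypothetical stand-ins.

```python
"""Added example, not code from the original post: why a query parameter
reflected into an inline <script> string is broken out of with "></script>,
and an encoder that keeps the same value but never lets the HTML parser see a
tag. ENCODED_REV is copied from the post; TEMPLATE and the render functions
are hypothetical stand-ins, not Facebook's code.
"""
import json
import re
from urllib.parse import unquote

ENCODED_REV = (
    "%22%3E%3C/script%3E%3Ctitle%3EGoogle%3C/title%3E%3C/head%3E%3C/body%3E"
    "%3CIFRAME%20src%3D%22http%3A//www.google.com/%22%20type%3D%22text/html%22"
    "%20width%3D%22100%25%22%20height%3D%22100%25%22%3E%3C/IFRAME%3E"
)

# The browser sends the percent-encoded form; the server works with this one.
PAYLOAD = unquote(ENCODED_REV)

# Hypothetical page: the parameter is handed to an inline script as a string.
TEMPLATE = '<html><head><script>var rev=%s;</script></head><body></body></html>'


def render_vulnerable(rev):
    """Concatenates the raw value into a JS string. The leading '"' closes the
    string and '></script>' closes the script block, so the rest of the value
    is parsed as HTML: a full-page IFRAME served from the site's hostname."""
    return TEMPLATE % ('"' + rev + '"')


def js_string_literal(value):
    """JSON-encode the value, then replace the characters that can terminate a
    script block or open a tag with JS unicode escapes. The JS engine turns
    \\u003c back into '<', so the script still receives the original value."""
    literal = json.dumps(str(value))
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        literal = literal.replace(ch, esc)
    return literal


def render_safe(rev):
    """Same page, with the value emitted as an escaped JS string literal."""
    return TEMPLATE % js_string_literal(rev)


def markup_escaped(html):
    """True when the parameter broke out of its string: the template emits no
    <iframe> and exactly one </script>, so any extra of either is injected."""
    closers = len(re.findall(r"</script>", html, re.IGNORECASE))
    return bool(re.search(r"<iframe\b", html, re.IGNORECASE)) or closers != 1


def value_seen_by_script(html):
    """Decode the literal the page hands to its script. Returns None when it
    is not one well-formed string literal, which is itself a sign that the
    value escaped the string."""
    m = re.search(r"var rev=(.*?);</script>", html, re.DOTALL)
    if not m:
        return None
    try:
        return json.loads(m.group(1))
    except ValueError:
        return None
```

The hardened form is still a JS-context encoding, not an HTML one: it is only correct when the value lands inside a JavaScript string literal that the page itself quotes. A value reflected into an HTML attribute or text node needs HTML entity encoding instead, and a value reflected into a URL needs percent-encoding; using the wrong encoder for the context is how fixes like this get bypassed.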


[Full-disclosure] Insomnia : ISVA-081209.1 - IE Webdav Request Parsing Heap Corruption Vulnerability

2008-12-10 Thread Brett Moore
__

 Insomnia Security Vulnerability Advisory: ISVA-081209.1
___

 Name: IE Webdav Request Parsing Heap Corruption Vulnerability 
 Released: 09 December 2008
  
 Vendor Link: 
http://www.microsoft.com/
  
 Affected Products:
Microsoft Internet Explorer 7 Running On Vista
Requires Office 2007
 
 Original Advisory: 
http://www.insomniasec.com/advisories/ISVA-081209.1.htm
 
 Researcher: 
Brett Moore, Insomnia Security
http://www.insomniasec.com
___

___

 Description
___

A vulnerability was found in the way that webdav requests are
cached and then later retrieved by Internet Explorer. This results
in the use of uninitialized memory which under the right situation 
can lead to command execution.

___

 Details
___

When Internet Explorer loads a file from a webdav share, a copy of
the file is stored in

\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV

This copy is used as the cached version of the file, and is loaded 
if a page refresh is done.

If the size of the requested file is larger than 190 characters then
the webdav handling service will not save it correctly.

Internet Explorer assumes that the file was stored, and is cached, so
when a refresh is done it attempts to load the file information from
the cached data.

This leads to a heap corruption with various values read that lead 
to exploitable conditions.

___

 Solution
___

Microsoft have released a security update to address this issue;
http://www.microsoft.com/technet/security/bulletin/ms08-073.mspx

___

 Legals
___

The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
information.

___
 
Insomnia Security Vulnerability Advisory: ISVA-081209.1
___

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Secunia Research: Microsoft Hierarchical FlexGrid Control Integer Overflows

2008-12-10 Thread Secunia Research
== 

 Secunia Research 09/12/2008

 - Microsoft Hierarchical FlexGrid Control Integer Overflows -

== 
Table of Contents

Affected Software1
Severity.2
Description of Vulnerability.3
Solution.4
Time Table...5
Credits..6
References...7
About Secunia8
Verification.9

== 
1) Affected Software 

* Microsoft Hierarchical FlexGrid Control 6.0.88.4

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Highly critical
Impact: System compromise
Where:  Remote

== 
3) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in Microsoft
Hierarchical FlexGrid Control bundled with various products, which can
be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to integer overflow errors in the 
ActiveX control (mshflxgd.ocx) when handling the "Rows" and "Cols" 
properties and the "ExpandAll()" and "CollapseAll()" methods. These
can be exploited to corrupt memory.

Successful exploitation allows execution of arbitrary code.

== 
4) Solution 

Apply patches from MS08-070.

== 
5) Time Table 

28/08/2007 - Vendor notified.
28/08/2007 - Vendor response.
26/09/2007 - Additional information provided and status update 
 requested.
26/09/2007 - Vendor informs that status update will be provided soon.
10/10/2007 - Vendor provides status update.
23/11/2007 - Status update requested.
24/11/2007 - Vendor provides status update.
15/08/2008 - Status update requested.
09/09/2008 - Status update requested.
26/09/2008 - Status update requested and vendor informed that 
 advisory will be published in a week if no status update
 is provided.
29/09/2008 - Vendor provides status update.
31/10/2008 - Vendor provides status update (targeted for November).
07/11/2008 - Vendor provides status update (targeted for December).
05/12/2008 - Vendor provides status update (on track for December).
09/12/2008 - Vendor acknowledges that fix will be issued today.
09/12/2008 - Vendor publishes security bulletin.
09/12/2008 - Public disclosure.

== 
6) Credits 

Discovered by Carsten Eiram, Secunia Research.

== 
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2008-4254 for the vulnerability.

MS08-070 (KB932349):
http://www.microsoft.com/technet/security/Bulletin/MS08-070.mspx

== 
8) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

== 
9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2007-72/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-

Re: [Full-disclosure] We're letting the bad guys win

2008-12-10 Thread n3td3v
On Tue, Dec 9, 2008 at 9:50 PM, Some Guy Posting To Full Disclosure
<[EMAIL PROTECTED]> wrote:
> a stupid fat kid attempting to be funny with his friends

This is a serious mailing list not one where there are kids fooling
around, they would be too scared to post here because of the military,
government and intelligence services who are HUMINT subscribed.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/