[Full-disclosure] Secunia Research: SHOUTcast DNAS Relay Server Buffer Overflow

2009-02-26 Thread Secunia Research
== 

 Secunia Research 25/02/2009

  - SHOUTcast DNAS Relay Server Buffer Overflow -

== 
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

== 
1) Affected Software 

* SHOUTcast 1.9.8

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Less critical
Impact: System access
Where:  From remote

== 
3) Vendor's Description of Software 

The SHOUTcast Radio Distributed Network Audio Software (DNAS)
is a software application that runs on your server attached to the
Internet or an IP network and is responsible for receiving audio
from a broadcaster such as your Winamp media player running the
SHOUTcast Radio DSP plug-in.

Product Link:
http://www.shoutcast.com/download

== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in SHOUTcast DNAS,
which can be exploited by malicious people to compromise a vulnerable
system.

The vulnerability is caused due to a boundary error when receiving
data from a relay master server. This can be exploited to overflow
a static buffer by tricking a SHOUTcast admin into setting up a
server to act as relay for a malicious server.

Successful exploitation allows, e.g., overwriting the password of the
web administration interface.

== 
5) Solution 

Relay trusted servers only.

== 
6) Time Table 

09/01/2009 - Vendor notified.
04/02/2009 - Requested status update from vendor.
25/02/2009 - Public disclosure.

== 
7) Credits 

Discovered by Stefan Cornelius, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has not yet
assigned a CVE for the vulnerability.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2008-62/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Secunia Research: ksquirrel-libs Radiance RGBE Buffer Overflows

2009-02-26 Thread Secunia Research
== 

 Secunia Research 25/02/2009

 - ksquirrel-libs Radiance RGBE Buffer Overflows -

== 
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About Secunia
10) Verification

== 
1) Affected Software 

* ksquirrel-libs 0.8.0.

NOTE: Other versions may also be affected.

== 
2) Severity 

Rating: Moderately critical
Impact: System access
Where:  From remote

== 
3) Vendor's Description of Software 

ksquirrel-libs is a set of image codecs for KSquirrel. It is written
in pure C++, so you can simply use it in any other project. At this
time ksquirrel-libs supports 57 image formats.

Product Link:
http://ksquirrel.sourceforge.net/subprojects.php

== 
4) Description of Vulnerability

Secunia Research has discovered some buffer overflows in ksquirrel-libs,
which can be exploited by malicious people to compromise an
application using the library.

The vulnerabilities are caused due to boundary errors within the
mt_codec::getHdrHead() function in kernel/kls_hdr/fmt_codec_hdr.cpp,
which can be exploited to cause stack-based buffer overflows by e.g.
tricking a user into opening a specially crafted Radiance RGBE 
(*.hdr) file.

== 
5) Solution 

Do not open untrusted Radiance RGBE images in an application using
ksquirrel-libs.

== 
6) Time Table 

09/01/2009 - Vendor notified.
04/02/2009 - Requested status update from vendor.
25/02/2009 - Public disclosure.

== 
7) Credits 

Discovered by Stefan Cornelius, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2008-5263 for the vulnerability.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2008-63/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==

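The advisory above describes boundary errors while reading the header of a Radiance RGBE file. The Python below is added here as an illustration of what a header reader has to bound before it copies anything; it is not ksquirrel-libs code. The file layout (magic line, KEY=VALUE lines, a blank line, then the resolution string) follows the Radiance .hdr format; the byte limits, the sample files and the probe() helper are this example's own choices.

```python
import re

# Limits are this example's own choices; a C reader with fixed stack buffers
# has equivalents that it must enforce before copying into them.
MAX_LINE_BYTES = 256
MAX_HEADER_LINES = 64
MAX_DIMENSION = 1 << 15


class HdrError(ValueError):
    """Any reason to refuse the file; callers must not fall through to pixel decoding."""


_RES_RE = re.compile(rb"([-+])Y (\d{1,5}) ([-+])X (\d{1,5})\Z")


def parse_rgbe_header(data: bytes) -> dict:
    """Parse the text header of a Radiance RGBE (.hdr) file.

    Layout: a magic line (#?RADIANCE or #?RGBE), KEY=VALUE lines and '#'
    comments, an empty line, then a resolution string such as '-Y 480 +X 640'.
    Returns the header fields, the validated image size and the offset at
    which pixel data begins.
    """
    pos = 0

    def next_line() -> bytes:
        nonlocal pos
        # Search for the terminator only within the bound, so an overlong
        # line is rejected instead of being copied.
        end = data.find(b"\n", pos, pos + MAX_LINE_BYTES + 1)
        if end < 0:
            raise HdrError("header line longer than %d bytes or unterminated" % MAX_LINE_BYTES)
        line, pos = data[pos:end], end + 1
        return line

    if next_line() not in (b"#?RADIANCE", b"#?RGBE"):
        raise HdrError("not a Radiance RGBE file")

    fields = {}
    for _ in range(MAX_HEADER_LINES):
        line = next_line()
        if line == b"":
            break                                   # end of the KEY=VALUE block
        if line.startswith(b"#"):
            continue                                # comment line
        key, sep, value = line.partition(b"=")
        if not sep or not key:
            raise HdrError("malformed header line %r" % line)
        try:
            fields[key.decode("ascii")] = value.decode("ascii")
        except UnicodeDecodeError:
            raise HdrError("non-ASCII header line") from None
    else:
        raise HdrError("more than %d header lines" % MAX_HEADER_LINES)

    if fields.get("FORMAT") not in ("32-bit_rle_rgbe", "32-bit_rle_xyze"):
        raise HdrError("unsupported or missing FORMAT")

    m = _RES_RE.match(next_line())
    if m is None:
        raise HdrError("unsupported resolution string")
    height, width = int(m.group(2)), int(m.group(4))
    if not (0 < height <= MAX_DIMENSION and 0 < width <= MAX_DIMENSION):
        raise HdrError("image dimensions out of range")
    # Any allocation downstream is sized from validated numbers only.
    return {"fields": fields, "width": width, "height": height,
            "pixel_bytes": width * height * 4, "data_offset": pos}


# Constructed sample inputs (not real files from the advisory).
GOOD_HDR = (b"#?RADIANCE\nFORMAT=32-bit_rle_rgbe\nEXPOSURE=1.0\n# made by hand\n\n"
            b"-Y 2 +X 3\n" + b"\x00" * 24)
OVERLONG_HDR = (b"#?RADIANCE\nFORMAT=32-bit_rle_rgbe\nSOFTWARE=" + b"A" * 4096
                + b"\n\n-Y 2 +X 3\n")
HUGE_HDR = b"#?RADIANCE\nFORMAT=32-bit_rle_rgbe\n\n-Y 99999 +X 99999\n"


def probe(data: bytes):
    """Return the parsed header, or the HdrError message for rejected input."""
    try:
        return parse_rgbe_header(data)
    except HdrError as exc:
        return str(exc)
```

The essential move is in next_line(): the terminator is searched for only inside the bound, so the length check happens before any copy rather than after it.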


[Full-disclosure] [SECURITY] [DSA 1727-1] New proftpd-dfsg packages fix SQL injection vulnerabilities

2009-02-26 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 1727-1secur...@debian.org
http://www.debian.org/security/ Steffen Joeris
February 26th, 2009 http://www.debian.org/security/faq
- --

Package: proftpd-dfsg
Vulnerability  : SQL injection vulnerabilities
Problem type   : remote
Debian-specific: no
CVE Ids: CVE-2009-0542 CVE-2009-0543

Two SQL injection vulnerabilities have been found in proftpd, a
virtual-hosting FTP daemon.  The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2009-0542

Shino discovered that proftpd is prone to an SQL injection
vulnerability via the use of certain characters in the username.

CVE-2009-0543

TJ Saunders discovered that proftpd is prone to an SQL injection
vulnerability due to insufficient escaping mechanisms, when
multibyte character encodings are used.

For the stable distribution (lenny), these problems have been fixed in
version 1.3.1-17lenny1.

For the oldstable distribution (etch), these problems will be fixed
soon.

For the testing distribution (squeeze), these problems will be fixed
soon.

For the unstable distribution (sid), these problems have been fixed in
version 1.3.2-1.

We recommend that you upgrade your proftpd-dfsg package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

  Source archives:


http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-17lenny1.dsc
  Size/MD5 checksum: 1348 bb4118976a78b6eef4356123b4e322da

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-17lenny1.diff.gz
  Size/MD5 checksum:   102388 7873fdab33c5e044dce721300d496d7e

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1.orig.tar.gz
  Size/MD5 checksum:  2662056 da40b14c5b8ec5467505c98b4ee4b7b9

  Architecture independent components:


http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-doc_1.3.1-17lenny1_all.deb
  Size/MD5 checksum:  1256300 f0e73bd54793839c802b3c3ce85bb123

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.1-17lenny1_all.deb
  Size/MD5 checksum:   194896 cda6edb78e4a5ab9c8a90cfdaeb19b32

  AMD64 architecture:


http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_amd64.deb
  Size/MD5 checksum:   744914 4c09f5af5f825f0c068f3dce4a1c7a84

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_amd64.deb
  Size/MD5 checksum:   214334 eb8f6f56afda836f85f6d808a6086c6a

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_amd64.deb
  Size/MD5 checksum:   203878 8d13ce2c0d2c15eec496d3e014aa1ea3

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny1_amd64.deb
  Size/MD5 checksum:   203902 ce74fcf7e0f082fcf4454120e984a0c3

  ARM architecture:


http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_arm.deb
  Size/MD5 checksum:   696884 cab353aa755852b2c07916f234268e39

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_arm.deb
  Size/MD5 checksum:   213832 faad0df7dab14fdca108c6370ae3edf0

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_arm.deb
  Size/MD5 checksum:   203260 3940f22df22db3ce6a3644a22b68e82b

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny1_arm.deb
  Size/MD5 checksum:   203448 35f6cb99d5f9886d74a8a1e72df36a2d

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_i386.deb
  Size/MD5 checksum:   688540 bdcbe2b33ed58bf474824c4639dcfb99

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_i386.deb
  Size/MD5 checksum:   212208 bcb4bce6c950fe4fd416fcf9e97b79f6

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_i386.deb
  Size/MD5 checksum:   203074 55e8334da716aeb8efe43803c8f71d00
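Both ProFTPD issues above are instances of building SQL from the FTP username. The following Python sketch is added here as an illustration and is not ProFTPD or Debian code. Part (a) shows why splicing the username into the query text fails and what the parameterised form looks like, using an in-memory sqlite3 table with constructed rows; part (b) shows why byte-wise backslash escaping that does not know the connection charset can be defeated under a multibyte encoding such as GBK, where a lead byte absorbs the inserted backslash. The table layout, the probe strings and the function names are this example's assumptions.

```python
import sqlite3

# --- (a) query construction: the class of bug behind CVE-2009-0542 ----------

def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for a mod_sql backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable: the username becomes part of the SQL text, so quote
    # characters inside it change the meaning of the statement.
    sql = f"SELECT userid, passwd FROM users WHERE userid = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Fixed: the driver carries the value separately from the statement,
    # so no character of the username is ever parsed as SQL.
    sql = "SELECT userid, passwd FROM users WHERE userid = ?"
    return conn.execute(sql, (username,)).fetchall()


# --- (b) escaping without charset awareness: the class behind CVE-2009-0543 --

def escape_naive(raw: bytes) -> bytes:
    """Byte-wise backslash escaping that ignores the connection charset."""
    return raw.replace(b"\\", b"\\\\").replace(b"'", b"\\'")


def escape_charset_aware(raw: bytes, charset: str) -> bytes:
    """Decode strictly first, escape at the character level, re-encode.
    An invalid sequence (a GBK lead byte followed by a bare 0x27) is
    rejected instead of being passed through."""
    text = raw.decode(charset)           # UnicodeDecodeError on 0xBF 0x27
    return text.replace("\\", "\\\\").replace("'", "\\'").encode(charset)


# Constructed probe: a GBK lead byte (0xBF) immediately followed by a quote.
GBK_PROBE = b"\xbf' OR 1=1 -- "


def multibyte_bypass(charset: str = "gbk") -> tuple:
    """Return (what the server sees after naive escaping,
               whether the charset-aware escaper rejected the input)."""
    naive = escape_naive(GBK_PROBE)      # bytes 0xBF 0x5C 0x27 ...
    seen = naive.decode(charset)         # 0xBF 0x5C is one two-byte character;
                                         # the backslash is gone and the quote is bare
    try:
        escape_charset_aware(GBK_PROBE, charset)
        rejected = False
    except UnicodeDecodeError:
        rejected = True
    return seen, rejected
```

Parameterised statements remove the problem in (a) entirely; for (b) the practical rule is that escaping, if it must happen at all, has to be done by a routine that knows the charset the server will decode the bytes with, which is why database client libraries expose such a function on the connection object.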


Re: [Full-disclosure] Weird traffic

2009-02-26 Thread srl
Don't open the pcap file in Wireshark! It is exploiting a hole in
Wireshark, you will be pwned!!!

On Wed, Feb 25, 2009 at 9:56 PM, julio sanchez pete.sanc...@gmail.com wrote:

 Here's the cap file
 10.240 is the A-V server.
 You can see various ARP loop scan


 Regards Pete




[Full-disclosure] [USN-724-1] Squid vulnerability

2009-02-26 Thread Jamie Strandboge
===
Ubuntu Security Notice USN-724-1  February 25, 2009
squid vulnerability
CVE-2009-0478
===

A security issue affects the following Ubuntu releases:

Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.10:
  squid   2.7.STABLE3-1ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Joshua Morin, Mikko Varpiola and Jukka Taimisto discovered that Squid did
not properly validate the HTTP version when processing requests. A remote
attacker could exploit this to cause a denial of service (assertion failure).


Updated packages for Ubuntu 8.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.7.STABLE3-1ubuntu2.1.diff.gz
  Size/MD5:   303042 9132293f589a71ae3f771e1ae6de30f1

http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.7.STABLE3-1ubuntu2.1.dsc
  Size/MD5: 1252 6953f88d6f4825daabd9e77bd0fa1a88

http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.7.STABLE3.orig.tar.gz
  Size/MD5:  1782040 a4d7608696e2b617aa5853c7d23e25b0

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid-common_2.7.STABLE3-1ubuntu2.1_all.deb
  Size/MD5:   495876 b6d1e76b140c792297c14382a06ed3e3

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.7.STABLE3-1ubuntu2.1_amd64.deb
  Size/MD5:   771610 7f2ca95b0497cc23f0bf26b7a6503cc7

http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.7.STABLE3-1ubuntu2.1_amd64.deb
  Size/MD5:   119880 27ff06a902debe143acb7b3959fb1c52

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.7.STABLE3-1ubuntu2.1_i386.deb
  Size/MD5:   695708 312c710ebdb46e3017b02cb672d14524

http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.7.STABLE3-1ubuntu2.1_i386.deb
  Size/MD5:   118638 f2f2f698523d49d8971c7a22faebc427

  lpia architecture (Low Power Intel Architecture):


http://ports.ubuntu.com/pool/main/s/squid/squid_2.7.STABLE3-1ubuntu2.1_lpia.deb
  Size/MD5:   694080 6720b3aca93aabb7600a1a2c2f699af5

http://ports.ubuntu.com/pool/universe/s/squid/squid-cgi_2.7.STABLE3-1ubuntu2.1_lpia.deb
  Size/MD5:   118550 7484981bd7c4c8b6361362e98d5d1631

  powerpc architecture (Apple Macintosh G3/G4/G5):


http://ports.ubuntu.com/pool/main/s/squid/squid_2.7.STABLE3-1ubuntu2.1_powerpc.deb
  Size/MD5:   777958 b9d530e92ad4638fb8d169ef55eb33f4

http://ports.ubuntu.com/pool/universe/s/squid/squid-cgi_2.7.STABLE3-1ubuntu2.1_powerpc.deb
  Size/MD5:   120446 9899cd403bbca3e0e6f5a936cd2d9955

  sparc architecture (Sun SPARC/UltraSPARC):


http://ports.ubuntu.com/pool/main/s/squid/squid_2.7.STABLE3-1ubuntu2.1_sparc.deb
  Size/MD5:   719088 2781d6fd1c7adc0b76aa12670ac1abb5

http://ports.ubuntu.com/pool/universe/s/squid/squid-cgi_2.7.STABLE3-1ubuntu2.1_sparc.deb
  Size/MD5:   119398 8a26b4da728c31d7bd11191575b2




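The notice above says Squid did not properly validate the HTTP version of a request and could be made to fail an assertion. The Python below is added as an example and is not Squid code: it parses a request line against the RFC 2616 grammar (HTTP-Version = "HTTP" "/" 1*DIGIT "." 1*DIGIT) and turns every malformed version into a 400 response rather than an abort. The digit cap, the line-length limit, the method-token check and the sample request lines are this example's assumptions.

```python
import re

# RFC 2616 section 3.1 grammar for the version token. The 1-3 digit cap is
# this example's own bound: it keeps int() from producing values that no
# code path expects, while still being far above any real client's version.
_VERSION_RE = re.compile(r"HTTP/(\d{1,3})\.(\d{1,3})\Z")
# Method token characters (tchar) as in RFC 7230; the example's choice.
_METHOD_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")
_MAX_LINE = 8192            # assumed request-line limit for the example


class BadRequest(ValueError):
    """Any request line the parser refuses; the caller answers 400."""


def parse_request_line(line: bytes) -> tuple:
    """Parse 'Method SP Request-URI SP HTTP-Version CRLF' into
    (method, target, (major, minor)). Every malformed input raises
    BadRequest; nothing here asserts or aborts the process."""
    if len(line) > _MAX_LINE:
        raise BadRequest("request line too long")
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        raise BadRequest("request line is not ASCII") from None
    if not text.endswith("\r\n"):
        raise BadRequest("request line not CRLF-terminated")
    parts = text[:-2].split(" ")
    if len(parts) != 3 or not all(parts):
        raise BadRequest("expected 'METHOD SP URI SP VERSION'")
    method, target, version = parts
    if _METHOD_RE.match(method) is None:
        raise BadRequest("invalid method token")
    m = _VERSION_RE.match(version)
    if m is None:
        # Rejects "HTTP/-1.0", "HTTP/1", "HTTP/1.1.1", "HTTP/1.a", oversize
        # numbers and a lower-case "http/" prefix alike.
        raise BadRequest(f"malformed HTTP-Version {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    return method, target, (major, minor)


def status_for(line: bytes) -> int:
    """What the server should answer: 400 for anything the parser refuses,
    otherwise 200 (standing in for normal processing)."""
    try:
        parse_request_line(line)
    except BadRequest:
        return 400
    return 200
```

The point of the split between parse_request_line() and status_for() is that input validation failures are ordinary control flow with a response code; assertions are for invariants the program itself maintains, never for properties of bytes received from a peer.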

[Full-disclosure] ANNOUNCE: RFIDIOt-0.1x release - February 2009

2009-02-26 Thread Adam Laurie
Hi All,

Well, it's been a busy month... thanks to pytey, I came across TikiTags, 
which proved to be rather more interesting than they at first seemed...

http://hackerati.com/post/57314994/rfid-on-the-cheap-hacking-tikitag

These devices contain an NXP PN532 reader chip, which, it turns out, is 
also capable of running in emulator mode (it is the chip used in a lot 
of NFC mobile phones), and, after looking at documentation from NXP, I 
was able to get this functionality working, and I'm delighted that NXP 
have also agreed to allow me to release the code despite it being based 
on information that was provided under NDA, so massive props to NXP for 
supporting the open source security research community! :)

As a result, I'm able to release two new tools:

   pn532emulate.py - sets up the emulator and processes one command.

   pn532mitm.py - 'pn532 man-in-the-middle', which will drive two 
readers: one as an emulator and one as a reader, and will log all 
traffic that flows between them. Additionally, you can separate the 
reader and emulator onto two different machines, and relay the traffic 
via TCP.

As always, this is very much a work in progress, and I know the error 
handling is not perfect and needs tweaking. Low level command processing 
is also slightly wacky, and will probably be re-written now I understand 
what's going on a bit more... :)

I've also added a tool for reading HID ProxCard IDs - 'hidprox.py'

and I finally got around to writing some more detailed documentation, 
which you can find here:

   http://www.rfidiot.org/documentation.html

Homepage and download instructions etc. can be found here:

   http://www.rfidiot.org/

Enjoy!
Adam
-- 
Adam Laurie Tel: +44 (0) 20 7993 2690
Suite 117   Fax: +44 (0) 1308 867 949
61 Victoria Road
Surbiton
Surrey  mailto:a...@algroup.co.uk
KT6 4JX http://rfidiot.org



[Full-disclosure] Drupal Viewfield Module XSS Vulnerability

2009-02-26 Thread Justin C. Klein Keane
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Yes, it's yet another CCK related module with XSS vulnerabilities.  It's
lame, but it should be reported since the Drupal security team has
already made an announcement about the issue in these modules.  Drupal
security and module maintainer have been notified.  Details can also be
found at http://www.lampsecurity.org/node/20.

The Drupal Viewfield module (http://drupal.org/project/viewfield) is
designed to allow the creation of nodes that display views and is
vulnerable to cross site scripting attacks.  Version 5.x-1.5 was tested
and found vulnerable, but other versions may be affected.  This problem
is related to SA-CORE-2009-002 (http://drupal.org/node/372836).  The
problem occurs when an administrator creates a new content type using
CCK and then adds or edits a view field for the new content type.  Users
authorized to administer content types can configure this field with
malicious code in the Help text: area.  Input to this field is not
properly sanitized and JavaScript can be executed while attempting to
create new content that includes the link field, or while configuring
the link field.

Here are the steps involved in reproducing this issue:


1.  Log in as a user with 'Administer content types' privilege
2.  Click Administer -> Content Types
3.  Click 'Add content type'
4.  Fill in required text in the Identification, Submission and other
fieldsets
5.  Click 'Save content type' button
6.  Click 'edit' under the Operations column on the 'Administer' ->
'Content management' screen for the new content type
7.  Click 'Add field'
8.  Fill in the 'Name' text box in the 'Create new field' fieldset and
select the 'View' radio button
9.  Click the 'Create field' button
10.  In the next screen (assuming the new field was named 'test' and the
new type was named 'test' this will be in Home > Administer > Content
management > Content types > test) find the 'Widget settings' fieldset
11.  Under Help text: enter <script>alert(xss);</script>
12.  Click 'Save field settings' button
13.  Click 'configure' under the Operations column for the View field OR
click Create content and then choose the content type you  created in
the previous steps to trigger the JavaScript.

- --
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQD1AwUBSaaxipEpbGy7DdYAAQL38Qb/UdUjLby/IgNk8RUwF2d63uYfwfy1G6rn
vyuiGvpcOOz0y/iBmSs64UUSAPS55kYe4VQm9WXXMSQVfeBPuPnVACS8aGFmmCuX
ZZXSE+wRYq1NlXw2L2tOw2br/rszm+DK4TREPkVYiBDpKbfMAuiGjBP9RQQunhqD
+itxAvhspCjECOTfmE6s0PUXclC9Ypc2w9ow7a4yua5tmT2MntPjM1ByvXbldeNl
O9S8O0D8DauoCxieKRMQWusdnh1yG7zMmSGUXOtkIAdGaRkTQ8JHKdQqKt8923hN
3fbz9oU7bV8=
=wH4k
-END PGP SIGNATURE-



[Full-disclosure] [ MDVSA-2009:057 ] valgrind

2009-02-26 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2009:057
 http://www.mandriva.com/security/
 ___

 Package : valgrind
 Date: February 26, 2009
 Affected: 2008.0, 2008.1, 2009.0
 ___

 Problem Description:

 A vulnerability has been identified and corrected in valgrind:
 
 Untrusted search path vulnerability in valgrind before 3.4.0
 allows local users to execute arbitrary programs via a Trojan horse
 .valgrindrc file in the current working directory, as demonstrated
 using a malicious --db-command option. NOTE: the severity of this
 issue has been disputed, but CVE is including this issue because
 execution of a program from an untrusted directory is a common
 scenario. (CVE-2008-4865)
 
 The updated packages have been patched to prevent this.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4865
 ___

 Updated Packages:

 Mandriva Linux 2008.0:
 7d2fdce148a8c9883262ff3d6b2cf843  
2008.0/i586/valgrind-3.2.3-2.2mdv2008.0.i586.rpm 
 a204fd31df3f302c19b8e6c74bd58eb1  
2008.0/SRPMS/valgrind-3.2.3-2.2mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 dfe5025371c9dc804b71e84081a62743  
2008.0/x86_64/valgrind-3.2.3-2.2mdv2008.0.x86_64.rpm 
 a204fd31df3f302c19b8e6c74bd58eb1  
2008.0/SRPMS/valgrind-3.2.3-2.2mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 c8df0a495d0d70b8dd61900037e2  
2008.1/i586/valgrind-3.3.0-3.1mdv2008.1.i586.rpm 
 391e202fc7f592ba63280a34245bb255  
2008.1/SRPMS/valgrind-3.3.0-3.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 2e16854eec6bc05f5a6d39e1fef120be  
2008.1/x86_64/valgrind-3.3.0-3.1mdv2008.1.x86_64.rpm 
 391e202fc7f592ba63280a34245bb255  
2008.1/SRPMS/valgrind-3.3.0-3.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 c61e803ffafdcfbf889b604dec79fa4e  
2009.0/i586/valgrind-3.3.1-2.1mdv2009.0.i586.rpm 
 49a62badfb184864bd5764f1d3b8280b  
2009.0/SRPMS/valgrind-3.3.1-2.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 b0b4fecae9ffd5613c4ebfcb369ba23f  
2009.0/x86_64/valgrind-3.3.1-2.1mdv2009.0.x86_64.rpm 
 49a62badfb184864bd5764f1d3b8280b  
2009.0/SRPMS/valgrind-3.3.1-2.1mdv2009.0.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJpos8mqjQ0CJFipgRArW7AKCD5t24AcyIloyEvYt2XIdj84BnSACg6y47
jVLQtGJ6WmVL1iMqQEPQ8lA=
=9zCC
-END PGP SIGNATURE-

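The point of the advisory above is that a configuration file picked up from the current working directory is attacker-controlled whenever that directory is. The Python below is added as an illustration and is not valgrind's code: it shows one policy a tool can apply before honouring a per-directory rc file (regular file, owned by the invoking user, not writable by group or others) and, on top of that, refusing options from such a file that name a program to run. The option deny-list, the file names and the demo() scenario are this example's assumptions; the scenario builds its files in temporary directories.

```python
import os
import stat
import tempfile

# Options an rc file from the working directory must never be allowed to set,
# because they name a program to execute. The list is this example's own,
# seeded from the option the advisory mentions.
DANGEROUS_RC_OPTIONS = ("--db-command",)


def rc_file_is_trusted(path: str, uid: int) -> bool:
    """True only if path is a regular file (lstat: a symlink does not pass),
    owned by uid, and not writable by group or others."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != uid:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def read_rc_options(path: str) -> list:
    """One option per line; blank lines and '#' comments are ignored."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        stripped = (ln.strip() for ln in fh)
        return [ln for ln in stripped if ln and not ln.startswith("#")]


def collect_options(home: str, cwd: str, uid: int) -> dict:
    """Gather options from ~/.valgrindrc and then ./.valgrindrc.

    The home copy is read as-is. The cwd copy is read only when it passes
    rc_file_is_trusted(), and even then any DANGEROUS_RC_OPTIONS in it are
    dropped. Returns {'options': [...], 'skipped_cwd_rc': bool, 'dropped': [...]}.
    """
    result = {"options": [], "skipped_cwd_rc": False, "dropped": []}
    home_rc = os.path.join(home, ".valgrindrc")
    if os.path.isfile(home_rc):
        result["options"].extend(read_rc_options(home_rc))
    cwd_rc = os.path.join(cwd, ".valgrindrc")
    if os.path.lexists(cwd_rc):
        if not rc_file_is_trusted(cwd_rc, uid):
            result["skipped_cwd_rc"] = True
        else:
            for opt in read_rc_options(cwd_rc):
                if opt.split("=", 1)[0] in DANGEROUS_RC_OPTIONS:
                    result["dropped"].append(opt)
                else:
                    result["options"].append(opt)
    return result


def demo() -> dict:
    """Constructed scenario: a home rc, then a cwd rc that is world-writable
    (as a planted file in a shared directory would be), then the same cwd rc
    with private permissions but carrying a --db-command line."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as home, tempfile.TemporaryDirectory() as cwd:
        with open(os.path.join(home, ".valgrindrc"), "w") as fh:
            fh.write("--leak-check=full\n# comment\n")
        cwd_rc = os.path.join(cwd, ".valgrindrc")
        with open(cwd_rc, "w") as fh:
            fh.write("--db-command=/tmp/evil %f %p\n--num-callers=20\n")
        os.chmod(cwd_rc, 0o666)
        world_writable = collect_options(home, cwd, uid)
        os.chmod(cwd_rc, 0o644)
        owned = collect_options(home, cwd, uid)
    return {"world_writable": world_writable, "owned": owned}
```

The ownership and mode checks close the "shared or attacker-writable directory" case; the deny-list covers the case the advisory's NOTE alludes to, where the user legitimately owns a directory they received from someone else (an unpacked archive, a checked-out tree) and the rc file came with it.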


Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread Thierry Zoller

 Just because a bug class can crash an application
 doesn't make it a security issue.
A remotely triggerable DoS condition is a security issue per se; my
opinion about the trend to remove the A in CIA for statistical reasons
can be read here:
http://blog.zoller.lu/2009/01/open-letter-remove-a-in-cia-or-venting.html


-- 
http://secdev.zoller.lu
Thierry Zoller



Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread jf
also keep in mind that null ptr deref's can sometimes be exploitable--
especially on certain processors that store important things at 0x0;
of which, from what i recall, the iphone is one.



On Thu, 26 Feb 2009, Thierry Zoller wrote:

 Date: Thu, 26 Feb 2009 16:21:18 +0100
 From: Thierry Zoller thie...@zoller.lu
 To: full-disclosure full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer
 Dereference Denial of Service Vulnerability


  Just because a bug class can crash an application
  doesn't make it a security issue.
 A remotely triggerable DoS condition is a security issue per se; my
 opinion about the trend to remove the A in CIA for statistical reasons
 can be read here:
 http://blog.zoller.lu/2009/01/open-letter-remove-a-in-cia-or-venting.html






Re: [Full-disclosure] Apple Safari ... DoS Vulnerability

2009-02-26 Thread Michael Krymson
The fun times of security semantics! I'd have to argue that DoS conditions
have the potential to be security issues. Then again, I'd also prefer not to
remove A from CIA, but this is not from the standpoint of a developer or
software vendor. I understand how that opinion changes based on
perspective...  Maybe someone will be interested in some non-technical
discussion! =)

Three examples:
A- A DoS condition is discovered in Apache. I can trigger it by sending a
specially crafted packet to Apache. Apache crashes. I can do this many times
until you stop me or Apache fixes it.

B- A DoS condition is discovered in Safari. I can trigger it by getting you
to go to my web page www.youhavenobusinessreasontobehere.com/goats.blah. You
hit my site, you decide not to come back after your browser bombs.

C- A DoS condition is discovered in Safari, the same as before. I can
trigger it by editing your intranet portal and inserting my lovely code. All
of your internal users need to use your intranet portal, but they all keep
crashing, crashing, crashing. Yikes!

I would suggest that DoS conditions are not a priori security issues, but it
certainly depends on the context and whether security has or could have an
*interest* in them.

I would suggest A is a security issue because more power is in the hands of
the attacker than the user. (Yeah, what a horrible definition that will be
once someone tears it up!)

I would suggest B is simply a bug and not something that really affects the
world too much.

I would suggest C is a security bug in the intranet portal, but the browser
crash is of a concern to security as well. It might not specifically be a
security issue in the browser, but the effect of it is a concern to
security.





On Thu, Feb 26, 2009 at 9:21 AM, Thierry Zoller thie...@zoller.lu wrote:


  Just because a bug class can crash an application
  doesn't make it a security issue.
 A remotely triggerable DoS condition is a security issue per se; my
 opinion about the trend to remove the A in CIA for statistical reasons
 can be read here:
 http://blog.zoller.lu/2009/01/open-letter-remove-a-in-cia-or-venting.html


 --
 http://secdev.zoller.lu
 Thierry Zoller

Re: [Full-disclosure] Apple Safari ... DoS Vulnerability

2009-02-26 Thread Thierry Zoller


Dear Michael,
I understand your point, however consider that
your examples are showing the different *impacts* of a DoS condition.

A bug becomes a security problem once it violates at least one of the three
letters C or I or A. That's the point. The impact and risk assessment
is to be done later on and can only be done partially by a vendor since
the use of the affected products sometimes heavily depends on the
implementation or use case.

MK I would suggest that DoS conditions are not a priori security issues, but it
MK certainly depends on the context and whether security has or could have an
MK *interest* in them.

This is not to be measured or estimated completely by a vendor
but by the client/user/integrator of said products in their specific
environment and use and abuse cases. For example, Internet kiosk vendors.

-- 
http://secdev.zoller.lu
Thierry Zoller



Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread Trancer
iPhone is not affected by this issue.

jf wrote:
 also keep in mind that null ptr deref's can sometimes be exploitable--
 especially on certain processors that store important things at 0x0;
 of which, from what i recall, the iphone is one.



 On Thu, 26 Feb 2009, Thierry Zoller wrote:

   
 Date: Thu, 26 Feb 2009 16:21:18 +0100
 From: Thierry Zoller thie...@zoller.lu
 To: full-disclosure full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer
 Dereference Denial of Service Vulnerability


 
 Just because a bug class can crash an application
 doesn't make it a security issue.
   
 A remotely triggerable DoS condition is a security issue per se; my
 opinion about the trend to remove the A in CIA for statistical reasons
 can be read here:
 http://blog.zoller.lu/2009/01/open-letter-remove-a-in-cia-or-venting.html



 


   


-- 
Moshe :: Trancer
0nly Human.



Re: [Full-disclosure] Apple Safari ... DoS Vulnerability

2009-02-26 Thread Michal Zalewski
 The fun times of security semantics!

Old debates never die...

Vulnerabilities are a subset of software engineering bugs. As the name
implies, they are defined strictly by the impact they have; if a bug
does not render the victim appreciably susceptible to anything that
would be of value to external attackers, it is not a security problem.
Now, there are two points to be made:

1) Value to the attacker is a broad and fuzzy term that also covers
emotional gratification (by just causing hardship to a disliked party)
- so loss of availability should be often treated as a security glitch
(well, you could also say a reliability glitch and start another
argument); but the important thing is, not all bugs that cause a crash
will cause noticeable loss of availability - i.e., no service is
denied or deferred to third parties. For example, crashing a sshd or
ftpd child handling my own connection is not interesting by itself,
unless events leading to the crash, or the crash itself, impose a
significant and repeatable resource strain. Crashing a keep-alive
httpd child might be marginally more expensive, and hence maybe a
limited security concern.

2) Appreciably susceptible is just as hard to quantify when dealing
with high loss, but low probability scenarios; there were quite a few
bugs that likely affected very few or no users (e.g., many of the
publicly reported command-line overflows in non-suid programs), but a
hypothetical scenario where it would matter could be constructed (in
the aforementioned case, say, really bad PHP / CGI scripting). Most
people dismiss such vulnerability reports, but it's difficult to draw
the line.

Anyway... bottom line is, any attempts to formalize the criteria are
bound to fail (and have mostly failed in the past), and common sense
is the best tool we have.

/mz



[Full-disclosure] Drupal Taxonomy Theme Module XSS Vulnerability

2009-02-26 Thread Justin C. Klein Keane
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Version Tested:
Taxonomy Theme 5.x-1.1 (http://drupal.org/project/taxonomy_theme)
Drupal 5.15 (http://drupal.org)

Module maintainer and Drupal security team notified

The taxonomy_theme module allows you to change the theme of a given
node based on the taxonomy term, vocabulary or nodetype of that node.
You can also theme your forums and map themes to Drupal paths or path
aliases directly.  The module contains a Cross Site Scripting (XSS)
vulnerability that can allow users with 'administer taxonomy' privileges
to expose users of the Taxonomy Theme module to XSS attacks.  Details
are also available at http://www.lampsecurity.org/node/21

Executing the Attack:

1.  Enable the Drupal core Taxonomy module
2.  Create a new vocabulary by clicking Administer -> Content Management
-> Categories.
3.  Click the 'Add Vocabulary' link
4.  For the 'Vocabulary name' enter <script>alert('xss');</script>, fill
in arbitrary values for all other fields
5.  Click on Administer -> Site configuration -> Taxonomy Theme, then
click the 'Taxonomy' link to trigger the JavaScript.

Technical Details:

This flaw exists due to a lack of output checking in the
taxonomy_theme_admin_table_builder() function.  Specifically, line
388 of taxonomy_theme_admin.inc, which reads:

$form['table'][$item->$data['key']]['title'] = array('#value' =>
$item->name);

should use check_plain() or a similar sanitization function on the
$item->name value, like so:

$form['table'][$item->$data['key']]['title'] = array('#value' =>
check_plain($item->name));

--
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQD1AwUBSacCnZEpbGy7DdYAAQJYPQb/YnDXlQPm5RBW/p9nnx0ER/LJQ2KbFUUR
KTY9L+JsCiClV8PmLxjH8kSUsD5ITIMNmiVoA7OtsOGPD2oiaIuxqrjEKiXkThTb
ugkdrxMsu0dxITI837vt2nJfiHThCuk293Dzf6mGbrMJ77DDeybvyKKP/YxZGqNv
XOI87vedSjqJnREFLjGcyFfmczVTY+CkOaDkgKvWxrqoeOlUvbu7zO52UJm1ZSm0
vJ8gz176zl9R5O/Ar28f7ddlksFmWANgqBSmRCRQLoNBdPcNz4bjmuLc7YFVlYDi
yP1P/e/PNYw=
=laaL
-END PGP SIGNATURE-

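Added example (editor's addition, not code from the taxonomy_theme module or from Drupal): the unsanitized and sanitized forms of the '#value' assignment above, run against a constructed vocabulary name carrying the payload from the advisory. check_plain() is Drupal's own function; check_plain_local() here is an assumed stand-in with the same behaviour (htmlspecialchars with ENT_QUOTES and UTF-8) so the script runs outside Drupal, render_title() is an assumed minimal renderer standing in for Drupal's theme layer, and contains_raw_tag() is an assumed regression check a maintainer could keep in a test.

```php
<?php
// Added example, not code from the taxonomy_theme module or Drupal.
// Shows why the raw $item->name must be escaped before it becomes the
// '#value' of a form element that the theme layer prints as markup.

// Assumed stand-in for Drupal's check_plain(): HTML-encode the special
// characters so the string is rendered as text, never as tags.
function check_plain_local($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Assumed minimal renderer standing in for the theme layer: a '#value'
// element is emitted verbatim, which is why escaping must happen first.
function render_title(array $element) {
    return '<td>' . $element['#value'] . '</td>';
}

// Assumed regression check: does the rendered cell still carry an
// unescaped <script tag from the vocabulary name?
function contains_raw_tag($html) {
    return (bool) preg_match('/<script\b/i', $html);
}

// Constructed vocabulary object in place of the $item the module reads
// from the taxonomy API; the name is the payload from the advisory.
$item       = new stdClass();
$item->vid  = 3;
$item->name = "<script>alert('xss');</script>";
$data       = array('key' => 'vid');

// Vulnerable form (line 388 of taxonomy_theme_admin.inc): the name goes in raw.
// $item->{$data['key']} is the unambiguous spelling of $item->$data['key'].
$vulnerable = array();
$vulnerable['table'][$item->{$data['key']}]['title'] =
    array('#value' => $item->name);

// Hardened form: the name is escaped with the check_plain()-style helper.
$hardened = array();
$hardened['table'][$item->{$data['key']}]['title'] =
    array('#value' => check_plain_local($item->name));

$vuln_html = render_title($vulnerable['table'][3]['title']);
$hard_html = render_title($hardened['table'][3]['title']);

echo "vulnerable: " . $vuln_html . "\n";
echo "  raw tag present: " . (contains_raw_tag($vuln_html) ? 'yes' : 'no') . "\n";
echo "hardened:   " . $hard_html . "\n";
echo "  raw tag present: " . (contains_raw_tag($hard_html) ? 'yes' : 'no') . "\n";
```

The escaped cell renders the vocabulary name as literal text in the admin table, so a user with 'administer taxonomy' can no longer plant script that runs in the browser of whoever opens the Taxonomy Theme configuration page.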


Re: [Full-disclosure] Cambium Group, LLC. CAMAS Advisory

2009-02-26 Thread Smoking Gun
On Wed, Feb 25, 2009 at 11:57 AM, Adriel T. Desautels
ad_li...@netragard.com wrote:
 I'm not sure if its appropriate for this list but it is related to
 penetration testing and vulnerability disclosure (moderators decide).


The irony of Kevin (don't make fun of my complexion) Finisterre disclosing
he has a full time job outside of security followed by his foray into the realm
of security with advisories is puzzling. So Kevin isn't working in the
industry as he disclosed in his previous email which means he obviously
isn't working for Netragard which leads me to believe that Netragard is
merely a fictitious company formed on an IRC channel amongst friends.
Now this is not to say there is anything wrong with this however, to trust
a bunch of IRC kids on an infrastructure would amount to career suicide.
For starters outside of a modded Pentium, they'd have little experience in
the real world. Themes like DoDAF, DIACAP, Information Security
Architecture would be beyond the scope of their understanding.

Without further ado, I'll now speculate on the intent of this current
Critical advisory Netragard was gracious enough to bless the community
with.

 - 
 -
 Contact : Adriel T. Desautels
 Researcher  : Kevin Finisterre
 Vendor Notified : 08/22/2007


 [Proof Of Concept]
 - 
 -
 Proof of concept code exists but is not provided as to not increase
 CAMAS
 users overall risk levels. Any website that reads Powered by the
 Cambium
 Group, LLC. is a CAMAS powered website.

Snake oil at its finest. You may recall Netragard has a pay for play
scheme working where they never disclose any code. This works
to anyone's advantage as a trump card when you think about it on
a psychological warfare like scale. We found a tumor somewhere
in your body however, we're choosing not to tell you about how we
found it, nor where it is.

Imagine if you will those words coming out of a doctor's mouth.
You have to take into account that a doctor is a professional as
should someone in this industry be - a professional. The entire
absurdity of finding a tumor and not revealing that tumor is
quite shady. Wouldn't you agree? You may choose to disagree
but offer some supportive argument should you choose to say
so.

 [Vendor Status and Chronology]
 - 
 -
 08/06/2007 07:11:57 PM EDT - Vulnerabilities Discovered
 08/24/2007 09:38:41 AM EDT - Cambium Group, LLC. Notified in full detail
 08/24/2007 10:54:01 AM EDT - Cambium Group, LLC. Responds to
 Notification
 08/27/2007 10:31:30 AM EDT - Conference Call Scheduled
 08/29/2007 03:00:00 PM EDT - Held Conference call - Presented Solution
 08/29/2007 03:00:00 PM EDT - Communication with the Cambium Group Faded
 09/26/2008 11:17:35 PM EDT - Issues remain unfixed
 02/09/2009 09:00:00 PM EDT - Issues remain unfixed
 02/11/2009 03:44:19 PM EST - Whistle Blower FD Posting (No affiliation
 to Netragard)
 02/11/2009 04:55:20 PM EST - Netragard Prepares Advisory for Release

During the initial discovery by the self-imposed experts at Netragard, it
seems that Cambium performed some form of diligence in the sense
they took the time to listen to Netragard however, much can be gleaned
from Netragard's own choice of wording:

 08/29/2007 03:00:00 PM EDT - Held Conference call - Presented Solution
 08/29/2007 03:00:00 PM EDT - Communication with the Cambium Group Faded

At the onset of a conference call - dot dot dot - there was an immediate
breakdown. Not one day later, not one week later - according to Netragard
it occurred the minute Netragard got on call with them. This is a rather
peculiar scenario if you think about it logically. What could have been
the potential breakdown; after all, Cambium took the time out of their
schedules to do something. Could it have been the pitch offered by
Netragard? Were you guys trying to extort them, Adriel? How could that
conference have played out?

http://www.copyright.gov/1201/2003/comments/019.pdf

It has been brought to my attention that, on July 18, 2002, a buffer overflow
exploit of Tru64 UNIX was posted on securityfocus.com under the alias
pha...@webtribe.net (a/k/a phased, pha...@mail.ru and James Green).
Based on information provided by Gil Novak to HP concerning aliases utilized
by SnoSoft, we understand that this action was taken by an agent of SnoSoft
despite SnoSoft's representations that it intended to comply with the industry
standard practice of reporting its findings to CERT and despite the ongoing
discussions between Gil Novak and Rich Boren on this issue.

Snosoft and its agents are nothing more than wanna be security experts
without having the capacity to keep out of the big boys club of penetration
testing. The purpose 

Re: [Full-disclosure] Cambium Group, LLC. CAMAS Advisory

2009-02-26 Thread Jason Starks
I guess these days it isn't so amazing that people can type, and even hit
send, rarely sharing their views face to face. Hiding in your grandmother's
closet with your indestructible, glow-in-the-dark keyboard from Best Buy is
sooo in. Anyways, free Kev.. speech!

On Thu, Feb 26, 2009 at 5:22 PM, Smoking Gun pentesterk...@gmail.com wrote:

 On Wed, Feb 25, 2009 at 11:57 AM, Adriel T. Desautels
 ad_li...@netragard.com wrote:
  I'm not sure if its appropriate for this list but it is related to
  penetration testing and vulnerability disclosure (moderators decide).
 

 The irony of Kevin (don't make fun of my complexion) Finisterre disclosing
 he has a full time job outside of security followed by his foray into the
 realm
 of security with advisories is puzzling. So Kevin isn't working in the
 industry as he disclosed in his previous email which means he obviously
 isn't working for Netragard which leads me to believe that Netragard is
 merely a fictitious company formed on an IRC channel amongst friends.
 Now this is not to say there is anything wrong with this however, to trust
 a bunch of IRC kids on an infrastructure would amount to career suicide.
 For starters outside of a modded Pentium, they'd have little experience in
 the real world. Themes like DoDAF, DIACAP, Information Security
 Architecture would be beyond the scope of their understanding.

 Without further ado, I'll now speculate on the intent of this current
 Critical advisory Netragard was gracious enough to bless the community
 with.

  -
 -
  Contact : Adriel T. Desautels
  Researcher  : Kevin Finisterre
  Vendor Notified : 08/22/2007
 

  [Proof Of Concept]
  -
 -
  Proof of concept code exists but is not provided as to not increase
  CAMAS
  users overall risk levels. Any website that reads Powered by the
  Cambium
  Group, LLC. is a CAMAS powered website.

 Snake oil at its finest. You may recall Netragard has a pay for play
 scheme working where they never disclose any code. This works
 to anyone's advantage as a trump card when you think about it on
 a psychological warfare like scale. We found a tumor somewhere
 in your body however, we're choosing not to tell you about how we
 found it, nor where it is.

 Imagine if you will those words coming out of a doctor's mouth.
 You have to take into account that a doctor is a professional as
 should someone in this industry be - a professional. The entire
 absurdity of finding a tumor and not revealing that tumor is
 quite shady. Wouldn't you agree? You may choose to disagree
 but offer some supportive argument should you choose to say
 so.

  [Vendor Status and Chronology]
  -
 -
  08/06/2007 07:11:57 PM EDT - Vulnerabilities Discovered
  08/24/2007 09:38:41 AM EDT - Cambium Group, LLC. Notified in full detail
  08/24/2007 10:54:01 AM EDT - Cambium Group, LLC. Responds to
  Notification
  08/27/2007 10:31:30 AM EDT - Conference Call Scheduled
  08/29/2007 03:00:00 PM EDT - Held Conference call - Presented Solution
  08/29/2007 03:00:00 PM EDT - Communication with the Cambium Group Faded
  09/26/2008 11:17:35 PM EDT - Issues remain unfixed
  02/09/2009 09:00:00 PM EDT - Issues remain unfixed
  02/11/2009 03:44:19 PM EST - Whistle Blower FD Posting (No affiliation
  to Netragard)
  02/11/2009 04:55:20 PM EST - Netragard Prepares Advisory for Release

 During the initial discovery by the self-imposed experts at Netragard, it
 seems that Cambium performed some form of diligence in the sense
 they took the time to listen to Netragard however, much can be gleaned
 from Netragard's own choice of wording:

  08/29/2007 03:00:00 PM EDT - Held Conference call - Presented Solution
  08/29/2007 03:00:00 PM EDT - Communication with the Cambium Group Faded

 At the onset of a conference call - dot dot dot - there was an immediate
 breakdown. Not one day later, not one week later - according to Netragard
 it occurred the minute Netragard got on call with them. This is a rather
 peculiar scenario if you think about it logically. What could have been
 the potential breakdown; after all, Cambium took the time out of their
 schedules to do something. Could it have been the pitch offered by
 Netragard? Were you guys trying to extort them, Adriel? How could that
 conference have played out?

 http://www.copyright.gov/1201/2003/comments/019.pdf

 It has been brought to my attention that, on July 18, 2002, a buffer
 overflow
 exploit of Tru64 UNIX was posted on securityfocus.com under the alias
 pha...@webtribe.net (a/k/a phased, pha...@mail.ru and James Green).
 Based on information provided by Gil Novak to HP concerning aliases
 utilized
 by SnoSoft, we understand that this action 

Re: [Full-disclosure] Weird traffic

2009-02-26 Thread julio sanchez
No virus in there, it's a normal cap file...


2009/2/26 srl security.research.l...@gmail.com

 Don't open the pcap file in Wireshark ! It is exploiting a hole in
 Wireshark, you will be pwned !!!

 On Wed, Feb 25, 2009 at 9:56 PM, julio sanchez pete.sanc...@gmail.com wrote:

 Here's the cap file
 10.240 is the A-V server.
 You can see various ARP loop scan


 Regards Pete







Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of, Service Vulnerability

2009-02-26 Thread Jubei Trippataka
On Fri, Feb 27, 2009 at 10:54 AM, jf j...@danglingpointers.net wrote:

 also keep in mind that null ptr deref's can sometimes be exploitable--
 especially on certain processors that store important things at 0x0;
 of which, from what i recall, the iphone is one.


Can you please give one example of a NULL deref that was exploitable?

-- 
ciao

JT

Re: [Full-disclosure] PDP Architect and your great book

2009-02-26 Thread Petko D. Petkov
Hi Bob,

Thank you for your concerns. The truth is that I've been incredibly
busy lately both in my personal and professional life and therefore I
am not so active at the moment. I am also taking the time to think
about new ideas and wrap up some old projects.

In fact, the Agile Hacking project is one of them. I still believe in
the idea and I am very excited about it.

This project gathered quite a lot of interest but we do not have any
deadlines to meet. Just because I am not talking about it, it does not
mean that I am not silently working on it. The quality of the final
product is very important to me. The way I see it right now, the book
should take no more than a year and a half to be fully completed.

I just want to remind you that this is entirely a community project
and it depends on the contributions of everyone and I do not
financially benefit from it.

All the best,
pdp

On Thu, Feb 26, 2009 at 5:41 AM, bob jones bhold...@gmail.com wrote:
 I was wondering when your book about how to become a real hacker
 and write programs through alt codes will be coming out. I read on your blog
 long ago about this book you envisioned but I have not seen announcements or
 preordering on Amazon. I also have not seen you posting much on the mailing
 lists. Did some event in your life make you less talkative? I hope this
 is not true and look forward to your great book. Maybe it will rival the
 great hacker Kevin Mitnick's books about hacking stories he could never
 accomplish in real life since they did not revolve around social
 engineering.

 Thanks,
 BB Gun Holder




-- 

Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters

gnucitizen.org | hakiri.org | spinhunters.org



Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of, Service Vulnerability

2009-02-26 Thread Jeremy Brown
Not all are practically exploitable, but exploitation seems to be
possible at least on ARM, XScale, and possibly PowerPC as
www.juniper.net/solutions/literature/white_papers/Vector-Rewrite-Attack.pdf
points out. As for examples.. doesn't look like they are public.

On Thu, Feb 26, 2009 at 6:52 PM, Jubei Trippataka
vpn.1.fana...@gmail.com wrote:


 On Fri, Feb 27, 2009 at 10:54 AM, jf j...@danglingpointers.net wrote:

 also keep in mind that null ptr deref's can sometimes be exploitable--
 especially on certain processors that store important things at 0x0;
 of which, from what i recall, the iphone is one.


 Can you please give one example of a NULL deref that was exploitable?

 --
 ciao

 JT





Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of, Service Vulnerability

2009-02-26 Thread jf
  Can you please give one example of a NULL deref that was exploitable?

http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf

http://www.ruxcon.org.au/files/2006/unusual_bugs.pdf



[Full-disclosure] Windows 7 or KDE4?

2009-02-26 Thread Ivan .
http://olylug.org/read.php?73,13757



Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of, Service Vulnerability

2009-02-26 Thread M.B.Jr.
Dear JT


On Wed, Feb 25, 2009 at 9:09 PM, Jubei Trippataka
vpn.1.fana...@gmail.com wrote:
 Why
 are these bugs even published to a security mailing list and not privately
 dealt with by the vendor?


What's this list's name again?




-- 
Marcio Barbado, Jr.



Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of, Service Vulnerability

2009-02-26 Thread bob jones
lol you must work for selinux

On Thu, Feb 26, 2009 at 5:52 PM, Jubei Trippataka
vpn.1.fana...@gmail.com wrote:



 On Fri, Feb 27, 2009 at 10:54 AM, jf j...@danglingpointers.net wrote:

 also keep in mind that null ptr deref's can sometimes be exploitable--
 especially on certain processors that store important things at 0x0;
 of which, from what i recall, the iphone is one.


 Can you please give one example of a NULL deref that was exploitable?

 --
 ciao

 JT



Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of, Service Vulnerability

2009-02-26 Thread neeko
IBM_X-Force_WP_final.pdf is called Application-Specific Attacks: 
Leveraging the ActionScript Virtual Machine and if you haven't read it, 
you should. It'll make you smile.

On Fri, Feb 27, 2009 at 08:10:10AM +, jf wrote:
   Can you please give one example of a NULL deref that was exploitable?
 
 http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf
 
 http://www.ruxcon.org.au/files/2006/unusual_bugs.pdf
 



[Full-disclosure] [ MDVSA-2009:058 ] wireshark

2009-02-26 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2009:058
 http://www.mandriva.com/security/
 ___

 Package : wireshark
 Date: February 26, 2009
 Affected: 2008.1, 2009.0, Corporate 4.0
 ___

 Problem Description:

 Buffer overflow in wiretap/netscreen.c in Wireshark 0.99.7 through
 1.0.5 allows user-assisted remote attackers to cause a denial
 of service (application crash) via a malformed NetScreen snoop
 file. (CVE-2009-0599)
 
 Wireshark 0.99.6 through 1.0.5 allows user-assisted remote attackers to
 cause a denial of service (application crash) via a crafted Tektronix
 K12 text capture file, as demonstrated by a file with exactly one
 frame. (CVE-2009-0600)
 
 Format string vulnerability in Wireshark 0.99.8 through 1.0.5
 on non-Windows platforms allows local users to cause a denial of
 service (application crash) via format string specifiers in the HOME
 environment variable. (CVE-2009-0601)
 
 This update provides Wireshark 1.0.6, which is not vulnerable to
 these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0599
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0600
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0601
 http://www.wireshark.org/security/wnpa-sec-2009-01.html
 ___

 Updated Packages:

 Mandriva Linux 2008.1:
 2d591a5772317d3587434424b8dc4a1d  
2008.1/i586/dumpcap-1.0.6-0.1mdv2008.1.i586.rpm
 bf65e163112b4dc5db4041c552823bcb  
2008.1/i586/libwireshark0-1.0.6-0.1mdv2008.1.i586.rpm
 80056b13d9146428645d6e67cb2ed8ea  
2008.1/i586/libwireshark-devel-1.0.6-0.1mdv2008.1.i586.rpm
 7923294ad925674ef116b6273835d8ef  
2008.1/i586/rawshark-1.0.6-0.1mdv2008.1.i586.rpm
 bd5a15d402a367058d61fd8dd6a2dcf9  
2008.1/i586/tshark-1.0.6-0.1mdv2008.1.i586.rpm
 5c7b0422b12d2eade1ce997de3766c6c  
2008.1/i586/wireshark-1.0.6-0.1mdv2008.1.i586.rpm
 d116f95d212119516dbca4bf1d353cf5  
2008.1/i586/wireshark-tools-1.0.6-0.1mdv2008.1.i586.rpm 
 2a31aab490fe670da93830f464154a48  
2008.1/SRPMS/wireshark-1.0.6-0.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 b7213fd4bf53ad0cb41b5cc5ab1057df  
2008.1/x86_64/dumpcap-1.0.6-0.1mdv2008.1.x86_64.rpm
 4e3f14a549d66f199171d6f91aa28c68  
2008.1/x86_64/lib64wireshark0-1.0.6-0.1mdv2008.1.x86_64.rpm
 aa39e29909ed34d5df2f0c85ac560c8f  
2008.1/x86_64/lib64wireshark-devel-1.0.6-0.1mdv2008.1.x86_64.rpm
 ef92c97f74a2811daf7d874755dd  
2008.1/x86_64/rawshark-1.0.6-0.1mdv2008.1.x86_64.rpm
 ea555917cd20aba1f0b4114730ad9924  
2008.1/x86_64/tshark-1.0.6-0.1mdv2008.1.x86_64.rpm
 c74402d6323f6a72188f214d2d002ef2  
2008.1/x86_64/wireshark-1.0.6-0.1mdv2008.1.x86_64.rpm
 fa5e55f0a5934c2bae263e9151a40b16  
2008.1/x86_64/wireshark-tools-1.0.6-0.1mdv2008.1.x86_64.rpm 
 2a31aab490fe670da93830f464154a48  
2008.1/SRPMS/wireshark-1.0.6-0.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 c661639631224e605d41a2985af43c93  
2009.0/i586/dumpcap-1.0.6-0.1mdv2009.0.i586.rpm
 bb633c409ddb95d2e6f6826b6fd2be3d  
2009.0/i586/libwireshark0-1.0.6-0.1mdv2009.0.i586.rpm
 5d2f7434a1dd322259907d14caf90e11  
2009.0/i586/libwireshark-devel-1.0.6-0.1mdv2009.0.i586.rpm
 d32a3de9e13b83d991a2d6c8577f50c2  
2009.0/i586/rawshark-1.0.6-0.1mdv2009.0.i586.rpm
 bcdf64d0e05d0bb964c946c83bdd5353  
2009.0/i586/tshark-1.0.6-0.1mdv2009.0.i586.rpm
 3537cea11294e8d1dff87c15b933c622  
2009.0/i586/wireshark-1.0.6-0.1mdv2009.0.i586.rpm
 c5ef95f5eb5255e10ccc12bcb0c6d77a  
2009.0/i586/wireshark-tools-1.0.6-0.1mdv2009.0.i586.rpm 
 3efca295d42d9e1686b46ca1c020f8a2  
2009.0/SRPMS/wireshark-1.0.6-0.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 90cffab44fe29d55f527ab4b76b0a0d6  
2009.0/x86_64/dumpcap-1.0.6-0.1mdv2009.0.x86_64.rpm
 838159ecdc95655df014d17d04434297  
2009.0/x86_64/lib64wireshark0-1.0.6-0.1mdv2009.0.x86_64.rpm
 d3dba0b501696a634627540517693b62  
2009.0/x86_64/lib64wireshark-devel-1.0.6-0.1mdv2009.0.x86_64.rpm
 bf51f59064d3ce3dd2dafd6889df  
2009.0/x86_64/rawshark-1.0.6-0.1mdv2009.0.x86_64.rpm
 3e33480b37b90293e1fd77c33934b9d2  
2009.0/x86_64/tshark-1.0.6-0.1mdv2009.0.x86_64.rpm
 6a22be605ea9e2357c8c5f38a1d6cc78  
2009.0/x86_64/wireshark-1.0.6-0.1mdv2009.0.x86_64.rpm
 a73dd1ee57fee0b886beb0542bdd3baa  
2009.0/x86_64/wireshark-tools-1.0.6-0.1mdv2009.0.x86_64.rpm 
 3efca295d42d9e1686b46ca1c020f8a2  
2009.0/SRPMS/wireshark-1.0.6-0.1mdv2009.0.src.rpm

 Corporate 4.0:
 cd40c4762bd0c4b5ffafc5023809ac04  
corporate/4.0/i586/dumpcap-1.0.6-0.1.20060mlcs4.i586.rpm
 629aa56a60730449858656e1ea062b84  
corporate/4.0/i586/libwireshark0-1.0.6-0.1.20060mlcs4.i586.rpm
 e7674da06cff0db774a65d40c8407ce1  
corporate/4.0/i586/libwireshark-devel-1.0.6-0.1.20060mlcs4.i586.rpm
 

Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of, Service Vulnerability

2009-02-26 Thread Jubei Trippataka
On Fri, Feb 27, 2009 at 12:26 PM, ne...@feelingsinister.net wrote:

 IBM_X-Force_WP_final.pdf is called Application-Specific Attacks:
 Leveraging the ActionScript Virtual Machine and if you haven't read it,
 you should. It'll make you smile.



OK, and what about this vulnerability makes use of a NULL pointer? This goes
to show the shallow exploitation knowledge of this community. If you
actually understood the paper it's (NULL + offset). This is NOT the same as
a plain NULL deref bug. Also, you need to be able to map the NULL address,
so I ask again, in examples such as this, in user-space apps name one
exploitable condition.


-- 
ciao

JT

Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of, Service Vulnerability

2009-02-26 Thread Jason Starks
Better yet, name two.

On Thu, Feb 26, 2009 at 9:22 PM, Jubei Trippataka
vpn.1.fana...@gmail.com wrote:



 On Fri, Feb 27, 2009 at 12:26 PM, ne...@feelingsinister.net wrote:

 IBM_X-Force_WP_final.pdf is called Application-Specific Attacks:
 Leveraging the ActionScript Virtual Machine and if you haven't read it,
 you should. It'll make you smile.



 OK, and what about this vulnerability makes use of a NULL pointer? This
 goes to show the shallow exploitation knowledge of this community. If you
 actually understood the paper it's (NULL + offset). This is NOT the same as
 a plain NULL deref bug. Also, you need to be able to map the NULL address,
 so I ask again, in examples such as this, in user-space apps name one
 exploitable condition.


 --
 ciao

 JT



Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of, Service Vulnerability

2009-02-26 Thread neeko

On Fri, Feb 27, 2009 at 01:22:36PM +1100, Jubei Trippataka wrote:
 On Fri, Feb 27, 2009 at 12:26 PM, ne...@feelingsinister.net wrote:
 
  IBM_X-Force_WP_final.pdf is called Application-Specific Attacks:
  Leveraging the ActionScript Virtual Machine and if you haven't read it,
  you should. It'll make you smile.
 
 
 
 OK, and what about this vulnerability makes use of a NULL pointer? This goes

See this --^

 to show the shallow exploitation knowledge of this community. If you
 actually understood the paper it's (NULL + offset). This is NOT the same as

and then this -^

 a plain NULL deref bug. Also, you need to be able to map the NULL address,
 so I ask again, in examples such as this, in user-space apps name one
 exploitable condition.
 
 
 -- 
 ciao
 
 JT

I'll clarify for everyone since you seem lost.
EVERYONE, THE NULL POINTER DOES NOT GET DEREFERENCED. It only 
gets referenced. And Jubei isn't even sure a null pointer is involved 
at all =)

With that out of the way, I'd just like to say that I only meant to 
encourage people to check out an excellent paper. I didn't mean to say 
anything related to your argument other than to say that that 
paper is a must-read. If you can't appreciate that, why the fuck are you 
on F-D? Think about it.



Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of, Service Vulnerability

2009-02-26 Thread Jubei Trippataka


 I'll clarify for everyone since you seem lost.
 EVERYONE, THE NULL POINTER DOES NOT GET DEREFERENCED. It only
 gets referenced. And Jubei isn't even sure a null pointer is involved
 at all =)

 With that out of the way, I'd just like to say that I only meant to
 encourage people to check out an excellent paper. I didn't mean to say
 anything related to your argument other than to say that that
 paper is a must-read. If you can't appreciate that, why the fuck are you
 on F-D? Think about it.



I didn't even comment on Mark's paper, it is definitely a great piece of
research, there is no doubt. It's just that some people have read this paper
and thought, wow, all those NULL bugs are now exploitable. It's important to
separate these bug classes.

I'd even go so far as to say that while this paper is a must-read, please also spend
some time understanding it, otherwise don't bother.

-- 
ciao

JT

[Full-disclosure] VMSA-2009-0003 ESX 2.5.5 patch 12 updates service console package ed

2009-02-26 Thread VMware Security team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
   VMware Security Advisory

Advisory ID:   VMSA-2009-0003
Synopsis:  ESX 2.5.5 patch 12 updates service console package ed
Issue date:2009-01-26
Updated on:2009-01-26 (initial release of advisory)
CVE numbers:   CVE-2008-3916
- 

1. Summary

   ESX 2.5.5 patch 12 Build 142708 updates service console package ed

2. Relevant releases

   VMware ESX 2.5.5 before patch 12

   Extended support for ESX 2.5.5 ends on 2010-06-15.  Users should plan
   to upgrade to ESX 3.0.3 and preferably to the newest release
   available.

3. Problem Description

 a. Updated ESX patch updates Service Console package ed

ed is a line-oriented text editor, used to create, display, and
modify text files (both interactively and via shell scripts).

A heap-based buffer overflow was discovered in the way ed, the GNU
line editor, processed long file names. An attacker could create a
file with a specially-crafted name that could possibly execute an
arbitrary code when opened in the ed editor.

The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2008-3916 to this issue.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware Product   Running  Replace with/
ProductVersion   on   Apply Patch
=    ===  =
VirtualCenter  any   Windows  not affected

hosted *   any   any  not affected

ESXi   3.5   ESXi not affected

ESX3.5   ESX  not affected
ESX3.0.3 ESX  not affected
ESX3.0.2 ESX  not affected
ESX2.5.5 ESX  Upgrade Patch 12

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum of your downloaded file.

   ESX 2.5.5 Upgrade Patch 12 Build 142709
   www.vmware.com/support/esx25/doc/esx-255-142709-patch.html
   http://download3.vmware.com/software/esx/esx-2.5.5-142709-upgrade.tar.gz
   md5sum: 2a0bd5cc3591b1f6b04616fa2c97f78c

5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3916

- 
6. Change log

2009-02-20  VMSA-2009-0003
Initial security advisory after release of patch 12 for ESX 2.5.5
on 2009-02-20.

- ---
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2009 VMware Inc.  All rights reserved.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread neeko
On Fri, Feb 27, 2009 at 03:19:29PM +1100, Jubei Trippataka wrote:
 I'd even go to say that while this paper is a must-read, please also spend
 some time understanding it, otherwise don't bother.
 
 -- 
 ciao
 
 JT

Does having the last word make you feel better?

Neeko



[Full-disclosure] SHOUTcast XSS Vulnerability

2009-02-26 Thread Stephen Komal
--

Description:

There exists a vulnerability in SHOUTcast which can be exploited via
script insertion attacks.  Input passed to the incoming SHOUTcast web
interface (default is port 8000) is not properly sanitized.
The input can therefore contain arbitrary HTML and script code, which
is written to the log file without being sanitized.  When the log
file is viewed in the browser via the administrator panel, the
malicious code is executed in the administrator's browser.

--

Affected Versions:

The vulnerability is confirmed in version 1.9.8.  Other versions may
also be affected.

--

Method:

Construct a basic HTTP GET request destined to the victim's SHOUTcast
web interface.  Insert the malicious code in the User Agent field of
the packet.

--

Solution:

Filter malicious characters and character sequences before logging the
input to the log file, and also before displaying the contents of the
log file in the browser.
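A sketch of the two filtering points the solution names, added here as an example and not SHOUTcast's own code: control characters are stripped before a header value is logged, and every entry is HTML-escaped before the admin panel renders it. The log line format, the 256-byte field cap and the User-Agent values are assumptions constructed for the example.

```python
import html
import re

# Control characters, including CR and LF, are removed before a header value is logged,
# so a client cannot inject a forged log line. The 256-byte cap is an assumption for the
# example; the page does not give SHOUTcast's own limit.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
MAX_FIELD_LEN = 256

# Constructed User-Agent values for the example, not captured from a real server.
CONSTRUCTED_USER_AGENTS = [
    "WinampMPEG/5.0",
    '<script>alert("xss")</script>',
    "Foo/1.0\r\n[forged] second log line",
]


def sanitize_for_log(value: str) -> str:
    """First filter point: neutralise a request header value before it is written to the log."""
    return _CONTROL_CHARS.sub("", value)[:MAX_FIELD_LEN]


def build_log(user_agents) -> list:
    """Write one log entry per request; the line format is assumed, not SHOUTcast's."""
    return [f"[dest: 192.0.2.{i}] User-Agent: {sanitize_for_log(ua)}"
            for i, ua in enumerate(user_agents, start=1)]


def render_log_html(lines) -> str:
    """Second filter point: HTML-escape every entry before the admin panel displays it."""
    escaped = (html.escape(line, quote=True) for line in lines)
    return "<pre>\n" + "\n".join(escaped) + "\n</pre>"


def contains_active_markup(rendered: str) -> bool:
    """True if anything other than the <pre> wrapper survived as a live tag."""
    return re.search(r"<(?!/?pre>)", rendered) is not None
```

Escaping at display time is the control that matters for the browser; stripping at log time additionally keeps a client from forging whole log lines.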

--

Discovered on:

December 15, 2008

--

Discovered by:

Stephen Komal, Ronald Gutierrez, Joseph Puran

--

Special thanks to our elite instructors:

Dan Guido, Mike Zusman, Erik Cabetas, Dean De Beer, Dino Dai Zovi,
Stephen A. Ridley

--



[Full-disclosure] POP Peeper 3.4.0.0 UIDL Remote Buffer Overflow Vulnerability

2009-02-26 Thread Krakow Labs
KL0209ADV-poppeeper_uidl-bof.txt
02.27.2009

Krakow Labs Research [www.krakowlabs.com]
POP Peeper 3.4.0.0 UIDL Remote Buffer Overflow Vulnerability

-

==
BACKGROUND INFORMATION
==

POP Peeper is an email notifier that runs in your Windows task bar and
alerts you when you have new email on your POP3, IMAP (with IDLE
support), Hotmail\MSN\LiveMail, Yahoo, GMail, Mail.com, MyWay, Excite,
iWon, Lycos.com, RediffMail, Juno and NetZero accounts. IMAP support
allows you to access AOL, AIM, Netscape and other services. Send mail
directly from POP Peeper and use the address book to email your
frequently used contacts. POP Peeper allows you to view messages using
HTML or you can choose to safely view all messages in rich or plain
text. Several options are available that will decrease or eliminate
the risks of reading your email (viruses, javascript, webbugs, etc).
POP Peeper can be run from a portable device and can be password
protected. Many notification options are available to indicate when
new mail has arrived, such as sound alerts (configurable for each
account), flashing scroll lock, skinnable popup notifier, customized
screensaver and more.

Source: http://www.poppeeper.org

-

=
VULNERABILITY DESCRIPTION
=

POP Peeper is vulnerable to a remote buffer overflow. The vulnerability
is exploitable on the client side: a vulnerable POP Peeper user must
connect to an exploitation server and attempt to retrieve mail in
order to be affected.

-

=
TECHNICAL DETAILS
=

To trigger this vulnerability, POP Peeper has to connect to an
exploitation server acting as a POP3 daemon. POP Peeper then uses the
UIDL command to get unique IDs for each email it later plans on
retrieving. The exploitation server can send an oversized ID (1040
bytes), overflowing a buffer on the stack, giving the attacker
complete control over the process.
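The client-side fix for this class of bug is to validate the UIDL reply against the protocol grammar before copying anything into a fixed buffer. The parser below is an added example, not POP Peeper's code: it enforces the RFC 1939 bound of 1 to 70 printable characters per unique-id, so the 1040-byte ID the advisory describes is rejected. The responses are constructed, and the overall read cap is an assumption.

```python
import re

# RFC 1939 section 7: a POP3 unique-id is 1 to 70 characters in the range 0x21..0x7E.
# A client that enforces this bound while parsing cannot be handed a 1040-byte ID.
UIDL_MAX_LEN = 70
_UIDL_LINE = re.compile(r"^([1-9][0-9]*) ([\x21-\x7e]{1,%d})$" % UIDL_MAX_LEN)
MAX_RESPONSE_BYTES = 64 * 1024  # assumed overall read cap for the example


class Pop3ProtocolError(ValueError):
    """Raised when a server response violates the protocol grammar."""


def parse_uidl_response(raw: bytes) -> dict:
    """Parse a multi-line UIDL reply into {message_number: unique_id}.

    Every line is checked against the RFC grammar before its ID is stored, so an
    oversized or non-printable ID is rejected instead of being copied into a buffer.
    """
    if len(raw) > MAX_RESPONSE_BYTES:
        raise Pop3ProtocolError("UIDL response exceeds read cap")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise Pop3ProtocolError("non-ASCII byte in UIDL response") from exc
    lines = text.split("\r\n")
    if not lines[0].startswith("+OK"):
        raise Pop3ProtocolError("UIDL did not return +OK")
    if len(lines) < 3 or lines[-1] != "" or lines[-2] != ".":
        raise Pop3ProtocolError("response not terminated by CRLF . CRLF")
    ids = {}
    for line in lines[1:-2]:
        match = _UIDL_LINE.match(line)
        if match is None:
            raise Pop3ProtocolError("malformed or oversized UIDL line (%d bytes)" % len(line))
        ids[int(match.group(1))] = match.group(2)
    return ids


def uidl_response_is_safe(raw: bytes) -> bool:
    """True if the reply parses cleanly, False if the parser rejects it."""
    try:
        parse_uidl_response(raw)
    except Pop3ProtocolError:
        return False
    return True


# Constructed replies, not captured traffic. The IDs in GOOD_RESPONSE are the sample
# values from RFC 1939; OVERSIZED_RESPONSE mirrors the 1040-byte ID the advisory describes.
GOOD_RESPONSE = b"+OK\r\n1 whqtswO00WBw418f9t5JxYwZ\r\n2 QhdPYR:00WBw1Ph7x7\r\n.\r\n"
OVERSIZED_RESPONSE = b"+OK\r\n1 " + b"A" * 1040 + b"\r\n.\r\n"
```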

-

=
PRODUCTS AFFECTED
=

POP Peeper 3.4.0.0 was confirmed vulnerable. All versions below
3.4.0.0 are suspected vulnerable as well.

-


==
EXPLOITATION
==

An exploit has been made public to trigger this vulnerability.

http://www.krakowlabs.com/dev/exp/KL0209EXP-poppeeper_uidl-bof.pl.txt

The exploit code has been tested in the following environment(s):

Windows XP Professional with Service Pack 3 on x86 Architecture

Result: SUCCESS

-

===
WORKAROUNDS
===

The vendor has fixed this vulnerability but has not issued an updated
version at the time of this advisory. We suggest POP Peeper users do
not connect to untrusted POP3 servers until a new release is available
that remedies this vulnerability.



===
CREDITS
===

r...@kl (Jeremy Brown) [r...@krakowlabs.com] is credited with the
discovery and research of this vulnerability.
r...@kl (Jeremy Brown) [r...@krakowlabs.com] and Jayji (James Burton)
[jayji...@gmail.com] are both credited with the development of exploit
code for this vulnerability.

-

==
DISCLAIMER
==

Krakow Labs assumes no liability for the use or misuse of any or all
information contained in this document or information available at or
referring to this document. Any or all information contained in this
document or available at or referring to this document is not
misleading and all information provided by Krakow Labs in this
document is accurate to the best knowledge of Krakow Labs. This
document can be published and/or reproduced as long as the document's
data is left unchanged. Krakow Labs may be accessed via krakowlabs.com
for more information, personal reference, or other agendas supporting
Krakow Labs.

Associated Files & Information:
http://www.krakowlabs.com/res/adv/KL0209ADV-poppeeper_uidl-bof.txt
http://www.krakowlabs.com/dev/exp/KL0209EXP-poppeeper_uidl-bof.pl.txt
http://www.krakowlabs.com/dev/exp/KL0209EXP-poppeeper_uidl-bof.jpg
KL0209ADV-poppeeper_uidl-bof.txt


Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread bob jones
http://uninformed.org/?v=4&a=5&t=sumry

On Thu, Feb 26, 2009 at 10:19 PM, Jubei Trippataka
vpn.1.fana...@gmail.com wrote:




 I'll clarify for everyone since you seem lost.
 EVERYONE, THE NULL POINTER DOES NOT GET DEREFERENCED. It only
 gets referenced. And Jubei isn't even sure a null pointer is involved
 at all =)

 With that out of the way, I'd just like to say that I only meant to
 encourage people to check out an excellent paper. I didn't mean to say
 anything related to your argument other than to say that that
 paper is a must-read. If you can't appreciate that, why the fuck are you
 on F-D? Think about it.



 I didn't even comment on Mark's paper, it is definitely a great piece of
 research, there is no doubt. It's just that some people have read this paper
 and thought, wow, all those NULL bugs are now exploitable. It's important to
 separate these bug classes.

 I'd even go to say that while this paper is a must-read, please also spend
 some time understanding it, otherwise don't bother.

 --
 ciao

 JT



Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread jf
 I didn't even comment on Mark's paper, it is definitely a great piece of
 research, there is no doubt. It's just that some people have read this paper
 and thought, wow, all those NULL bugs are now exploitable. It's important to
 separate these bug classes.

sorry to interrupt your self-aggrandizing tirade, however you're the only
one who took the implication that *all* null ptr related bugs are
exploitable-- I never implied or said that, just said in some instances
they can be. Furthermore, I think you're taking the word 'dereference' a
little too seriously and you should perhaps take up a hobby such as baseball
cards or miniature collectibles to quench your apparent need to
sub-categorize into nothing. If you want to insist that null+x/etc bugs be
in an entirely separate category than dereferences, that's cool, just don't
go all ape-shit on people who don't share your same narrow view at
some feeble attempt at elitism via syntactic pedantry.



Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread Jubei Trippataka
On Fri, Feb 27, 2009 at 5:04 PM, bob jones bhold...@gmail.com wrote:

 http://uninformed.org/?v=4&a=5&t=sumry


This exploitation relies on the ability to have the top-level UEF point to
an arbitrary address which hopefully you have the ability to control. The
NULL pointer is only used as a mechanism to trigger the exception necessary
to execute code where the handler now points. This doesn't need to be a NULL
deref, it can be any unhandled exception. I guess you could compare the NULL
pointer in this situation to a memory leak necessary to exploit another
condition. The memory leak itself wouldn't be called a vulnerability, it's
just used instrumentally to assist in exploitation. In this paper the NULL
pointer is used to assist in the exploitation of a hijacked UEF by
triggering the unhandled exception.

My original point stands: the NULL pointer dereference can be used to assist
in another exploitation, but in itself is not a vulnerability.

Do you disagree?

-- 
ciao

JT

[Full-disclosure] User-mode keylogging technique?

2009-02-26 Thread Joshua Russel
Hi Friends,

Can someone give me some pointers on an effective and new user-mode
keyboard logging and system-call interception techniques?

Thanks.
