[Full-disclosure] [Bkis-07-2009] 010 Editor Multiple Buffer Overflow Vulnerabilities

2009-04-21 Thread Bkis
010 Editor Multiple Buffer Overflow Vulnerabilities

1. General Information

010 Editor is a text editor and hex editor with many functions, such as 
viewing and editing binary files, analyzing and editing binary data, and 
importing and exporting binary data in many different formats.

Bkis has just found many vulnerabilities in the software, related to the 
processing of 010 Editor Binary Template files (“.bt”) and 010 Editor 
Script Files (“.1sc”). These vulnerabilities are very dangerous due to 
the fact that they allow hackers to execute malicious code on users’ 
systems.

We have reported the errors to the vendor and they have released a 
fixed version. All related information can be reached at: 
http://www.sweetscape.com/010editor/release_notes.html

Details : http://security.bkis.vn/?p=580
Bkis Advisory : Bkis-07-2009
Initial vendor notification : 03/04/2009
Release Date : 04/22/2009
Update Date : 04/22/2009
Discovered by : Le Duc Anh - Bkis
Attack Type : Buffer Overflow
Security Rating : Critical
Impact : Code Execution
Affected Software : 010 Editor Version <= 3.0.4
PoC : 
http://security.bkis.vn/wp-content/uploads/2009/04/010editor_v304_poc.zip

2. Technical Description

Binary Template and Script files are advertised as highlighted features 
of 010 Editor. Binary Template files help users parse and edit many 
types of binary files, and Script files let users perform automatic 
tasks. The software has not handled these file formats well enough, 
resulting in a lot of serious vulnerabilities.

Many fields in those two file formats might create buffer overflow 
errors when set with an overly long value. More precisely, errors can 
occur in the handling of the following fields and elements:
• Struct name in “.bt” files
• Custom attributes in “.bt” files
• Number format (a number prefixed by “0x”, or something else) in both 
“.bt” and “.1sc” files
• Mathematics operators in both “.bt” and “.1sc” files
• Function name in “.1sc” files
• Function parameters in “.1sc” files

To exploit these, a hacker might create a specially crafted “.bt” or 
“.1sc” file and trick users into using it. If successful, hackers can 
perform local attacks, inject viruses, steal sensitive information and 
even take control of the victim’s system.

3. Solution

The producer has fixed the vulnerability in 010 Editor Version 3.0.5. 
Rating this vulnerability as high severity, Bkis recommends that users 
update their software to the latest version.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] CORE-2009-0114 - HTTP Response Splitting vulnerability in Sun Delegated Administrator

2009-04-21 Thread CORE Security Technologies Advisories
  Core Security Technologies - CoreLabs Advisory
   http://www.coresecurity.com/corelabs/

HTTP Response Splitting vulnerability in Sun Delegated Administrator



1. *Advisory Information*

Title: HTTP Response Splitting vulnerability in Sun Delegated Administrator
Advisory ID: CORE-2009-0114
Advisory URL:
http://www.coresecurity.com/content/sun-delegated-administrator
Date published: 2009-04-21
Date of last update: 2009-04-21
Vendors contacted: Sun Microsystems
Release mode: Coordinated release


2. *Vulnerability Information*

Class: HTTP response splitting
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 34643
CVE Name: CVE-2009-1357


3. *Vulnerability Description*

An HTTP Response Splitting vulnerability [1][2] has been discovered in
Sun Java System Delegated Administrator. HTTP Response Splitting occurs
when an attacker has the possibility of injecting a carriage return
(0x0D) or a line feed (0x0A) character sequence into the HTTP headers of
the web server's response. This allows proxy cache-poisoning attacks
that affect the proxy's user base when requesting a web page that belongs
to the affected domain, redirection attacks or other kinds of Cross-Site
Scripting attacks.


4. *Vulnerable packages*

4.1. *Sparc Platform*

   . Sun Java System Delegated Administrator 6.2.
   . Sun Java System Delegated Administrator 6.3.
   . Sun Java System Delegated Administrator 6.4 without patch 121581-20.


4.2. *x86 Platform*

   . Sun Java System Delegated Administrator 6.2.
   . Sun Java System Delegated Administrator 6.3.
   . Sun Java System Delegated Administrator 6.4 without patch 121582-20.


4.3. *Linux Platform*

   . Sun Java System Delegated Administrator 6.2.
   . Sun Java System Delegated Administrator 6.3.
   . Sun Java System Delegated Administrator 6.4 without patch 121583-20.


5. *Non-vulnerable packages*

   . Sun Java System Delegated Administrator 6.4 with patch 121581-20
(Sparc) or later.
   . Sun Java System Delegated Administrator 6.4 with patch 121582-20
(x86) or later.
   . Sun Java System Delegated Administrator 6.4 with patch 121583-20
(Linux) or later.


6. *Vendor Information, Solutions and Workarounds*

Sun Microsystems has published a Sun Alert for this issue. It has been
assigned the ID 255928 and is available at the following URL
http://sunsolve.sun.com/search/document.do?assetkey=1-26-255928-1.


7. *Credits*

This vulnerability was discovered by the SCS team [3] from Core Security
Technologies.


8. *Technical Description / Proof of Concept Code*

The parameter 'HELP_PAGE' of the web application located at
https:///da/DA/Login is vulnerable to a response splitting
vulnerability.

/---

$ openssl s_client -connect :443

GET
/da/DA/Login?Login.HelpHREF=http://www.vulnerable-site.com/&com_sun_web_ui_popup=false&HELP_PAGE=/help/%0AX-Tag:%20Core%20Security%20Technologies%0A%0D&jato.pageSession=
HTTP/1.1
Host: 

HTTP/1.1 302 Moved Temporarily
Server: Sun-Java-System-Web-Server/7.0
Date: Mon, 20 Apr 2009 18:21:48 GMT
Cache-control: private
Location: 
X-Tag: Core Security Technologies
Content-length: 0
Content-type: text/html

---/


9. *Report Timeline*

. 2009-01-14: Core Security Technologies notifies Sun Delegated
Administrator Team of the vulnerability and sends technical details.
Core asks the vendor for an estimated date for the release of patches and
fixes.
. 2009-01-14: Sun Delegated Administrator Team responds they will
investigate this issue and provide the expected timeframe for a fix as
soon as possible.
. 2009-01-21: Core asks the vendor for an estimated date for the release of
patches and fixes.
. 2009-01-21: Sun engineering team responds they are working on other
vulnerabilities reported by Core [4] and they are attempting to engage
the proper engineering team for the DA server.
. 2009-02-06: Sun engineering team has been investigating this issue and
is able to confirm that it is indeed a valid vulnerability.
. 2009-02-16: Sun engineering team informs that they are still working
on other flaws reported by Core [4], and they hope to have a more
detailed update regarding the progress on the DA vulnerability shortly.
. 2009-02-16: Core acknowledges previous email.
. 2009-03-23: Vendor informs that the fix for Delegated Administrator
Server is still ongoing, and will likely not be ready by the end of March.
. 2009-04-08: Vendor confirms that a fix for the Delegated Administrator
is available. This fix is currently undergoing Sun standard testing.
Vendor expects to be ready to publish the patch and the Sun Alert on
Monday 20th April 2009.
. 2009-04-17: Core asks Sun engineering team for a URL for the Sun Alert
and the DA affected versions for this vulnerability.
. 2009-04-20: Sun kindly sends Core the requested information.
. 2009-04-21: The advisory CORE-2009-0114 is published.


10. *References*

[1]
http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf.
[2]
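
Added example (Python; not from the advisory, from Core or from Sun): the advisory's HELP_PAGE value fed to a Location-header builder that mirrors the flaw class and to a hardened one, plus the lenient header split that makes the injected line take effect and a query-string check a defender can run over access logs. The response layout, the lenient line splitting and the "local absolute path" policy are assumptions; the header names are the ones in the advisory's response.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed from the request in the advisory above: the HELP_PAGE value as it
# travels on the wire, before the server URL-decodes it.
ADVISORY_HELP_PAGE = "/help/%0AX-Tag:%20Core%20Security%20Technologies%0A%0D"

STATUS_LINE = "HTTP/1.1 302 Moved Temporarily\r\n"


def build_redirect_unsafe(help_page):
    """The flaw class: the decoded parameter is copied verbatim into Location,
    so a CR or LF inside it terminates that header and starts a new one."""
    target = unquote(help_page)
    return STATUS_LINE + "Location: " + target + "\r\nContent-length: 0\r\n\r\n"


_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def build_redirect_safe(help_page):
    """Hardened form (assumed policy). The check runs on the *decoded* value,
    because a framework that decodes for you would otherwise hand the raw
    CR/LF straight to the header. Every control character is refused, not
    just CR and LF, and only a same-site absolute path is accepted, which
    also closes the open redirect."""
    target = unquote(help_page)
    if _CONTROL.search(target):
        raise ValueError("control character in redirect target")
    if not target.startswith("/") or target[1:2] in ("/", "\\"):
        raise ValueError("redirect target must be a local absolute path")
    return STATUS_LINE + "Location: " + target + "\r\nContent-length: 0\r\n\r\n"


def redirect_is_rejected(help_page):
    """True when the hardened builder refuses the value."""
    try:
        build_redirect_safe(help_page)
    except ValueError:
        return True
    return False


def header_names(response):
    """Header names up to the first empty line, split the lenient way many
    proxies and browsers do (a bare LF or CR also ends a line); that
    leniency is what turns the injected text into a header the client
    honours."""
    lines = re.split(r"\r\n|\n|\r", response)[1:]  # drop the status line
    names = []
    for line in lines:
        if line == "":
            break
        names.append(line.split(":", 1)[0].strip())
    return names


def looks_like_splitting_attempt(query_string):
    """Log or WAF check over a request's query string: a CR or LF in any
    parameter value, whether sent raw or %-encoded (%0A, %0D, either case).
    A second layer of encoding (%250A) is deliberately not decoded; the
    server would not decode it twice either."""
    for values in parse_qs(query_string, keep_blank_values=True).values():
        if any("\r" in v or "\n" in v for v in values):
            return True
    return False


if __name__ == "__main__":
    print("unsafe builder emits:", header_names(build_redirect_unsafe(ADVISORY_HELP_PAGE)))
    print("hardened builder rejects payload:", redirect_is_rejected(ADVISORY_HELP_PAGE))
```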

Re: [Full-disclosure] THC releases video and tool to create fakeePassports

2009-04-21 Thread M.B.Jr.
US government began with those brilliant ideas in 2005:
http://www.eweek.com/c/a/Mobile-and-Wireless/Infineon-Announces-Deal-for-US-Passport-RFID-Chips/

Last year, THC proved they were in the wrong way:
http://freeworld.thc.org/thc-epassport/

Bruce Schneier proved that CAs would not exactly "help":
http://www.schneier.com/blog/archives/2008/09/how_to_clone_an.html

Incredibly, last week, after performing a series of security tests on
the passport application process and discovering some failures, the US
GAO still states they don't know much about the fraudulent methods:
http://www.gao.gov/new.items/d09583r.pdf





On Wed, Oct 1, 2008 at 6:49 PM, Pruett, Mike  wrote:
>
> I about peed my pants laughing at the mere thoughts of this... We could
> all be like the bad guy from Lethal Weapon 2!! xD
>
> -Original Message-
> From: full-disclosure-boun...@lists.grok.org.uk
> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Ed Carp
> Sent: Tuesday, September 30, 2008 4:18 PM
> To: r...@segfault.net
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] THC releases video and tool to create
> fakeePassports
>
> And obvious (and interesting) use would be to generate an ePassport that
> would flag the bearer as having diplomatic immunity.



-- 
Marcio Barbado, Jr.



[Full-disclosure] Python winappdbg module v1.0 is out!

2009-04-21 Thread Mario Alejandro Vilas Jerez
What is winappdbg?
==================

The winappdbg python module allows developers to quickly code
instrumentation scripts in Python under a Windows environment.

It uses ctypes to wrap many Win32 API calls related to debugging, and
provides an object-oriented abstraction layer to manipulate threads,
libraries and processes, attach your script as a debugger, trace
execution, hook API calls, handle events in your debugee and set
breakpoints of different kinds (code, hardware and memory).
Additionally it has no native code at all, making it easier to
maintain or modify than other debuggers on Windows.

The intended audience is QA engineers and software security auditors
wishing to test / fuzz Windows applications with quickly coded Python
scripts. Several ready-to-use utilities are shipped and can be used
for these purposes.

Current features also include disassembling x86 native code (using the
open source diStorm project, see http://ragestorm.net/distorm/),
debugging multiple processes simultaneously and producing a detailed log
of application crashes, useful for fuzzing and automated testing.


Where can I find winappdbg?
===========================

The winappdbg project is currently hosted at Sourceforge, and can be found at:

    http://winappdbg.sourceforge.net/



Re: [Full-disclosure] Obfuscated patches

2009-04-21 Thread Pedro Hugo
Hello,

If it's a patch, why do you need to obfuscate? Patch the binary and bindiff
it :)

If you are talking about starting to obfuscate the resulting binaries,
that's a dark way to go... Waste of CPU cycles, compatibility problems, etc
etc etc...

Pedro

On 4/21/09 11:08, "Dennis Yurichev"  wrote:

> 
> Hi.
> 
> Just curious: will we see one day obfuscated patches
> (in a manner of obfuscated code) to make reverse engineers'
> (who would like to create exploits after security patches are out)
> work harder?
> 




[Full-disclosure] [SECURITY] [DSA 1776-1] New slurm-llnl packages fix privilege escalation

2009-04-21 Thread Thijs Kinkhorst
------------------------------------------------------------------------
Debian Security Advisory DSA-1776-1                   secur...@debian.org
http://www.debian.org/security/                         Thijs Kinkhorst
April 21, 2009                      http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: slurm-llnl
Vulnerability  : programming error
Problem type   : local
Debian-specific: no
Debian Bug : 524980

It was discovered that the Simple Linux Utility for Resource Management
(SLURM), a cluster job management and scheduling system, did not drop
the supplemental groups. These groups may be system groups with elevated
privileges, which may allow a valid SLURM user to gain elevated privileges.

The old stable distribution (etch) does not contain a slurm-llnl package.

For the stable distribution (lenny), this problem has been fixed in
version 1.3.6-1lenny3.

For the unstable distribution (sid), this problem has been fixed in
version 1.3.15-1.

We recommend that you upgrade your slurm-llnl package.

Upgrade instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
--------------------------------

Source archives:

  

[Full-disclosure] [SECURITY] [DSA 1777-1] New git-core packages fix privilege escalation

2009-04-21 Thread Thijs Kinkhorst
------------------------------------------------------------------------
Debian Security Advisory DSA-1777-1                   secur...@debian.org
http://www.debian.org/security/                         Thijs Kinkhorst
April 21, 2009                      http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: git-core
Vulnerability  : file permission error
Problem type   : local
Debian-specific: yes
Debian Bug : 516669

Peter Palfrader discovered that in the Git revision control system,
on some architectures files under /usr/share/git-core/templates/ were
owned by a non-root user. This allows a user with that uid on the local
system to write to these files and possibly escalate their privileges.

This issue only affects the DEC Alpha and MIPS (big and little endian)
architectures.

For the old stable distribution (etch), this problem has been fixed in
version 1.4.4.4-4+etch2.

For the stable distribution (lenny), this problem has been fixed in
version 1.5.6.5-3+lenny1.

For the unstable distribution (sid), this problem has been fixed in
version 1.6.2.1-1.

We recommend that you upgrade your git-core package.

Upgrade instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Source archives:

  

[Full-disclosure] Windows Update (re-)installs outdated Flash ActiveX on Windows XP

2009-04-21 Thread Stefan Kanthak
Windows Update (as well as Microsoft Update and the Automatic Update)
installs an outdated (and from its manufacturer unsupported) Flash
Player ActiveX control on Windows XP.


Although this fact is nothing really new, it does show the lack of care
for security problems and, in general, the chutzpah of many software
"producers" who ship their "products" with outdated and often vulnerable
components.


The overture:

* Windows XP RTM (i.e. the original release version without any service
  packs) installs a Flash Player ActiveX control SWFLASH.OCX v5.0r42

* Windows XP Service Pack 1 updates the SWFLASH.OCX to v5.0r44

* Windows XP Service Pack 2 (released in August 2004) replaces the
  SWFLASH.OCX with FLASH.OCX v6.0r79

* security update KB913433 (see 
  and )
  updates FLASH.OCX to 6.0r84

* security update KB923789 (see 
  and )
  updates FLASH.OCX to 6.0r88

* Windows XP Service Pack 3 (released in April 2008) contains the same
  FLASH.OCX v6.0r79 as Service Pack 2, i.e. none of the security updates
  published after Service Pack 2 were incorporated!
  The MSKB article KB948460, however, STILL wrongly states that KB913433
  (sic!) is included in Service Pack 3.

To my knowledge, Adobe stopped direct support for Flash Player 6 in late
2005; the newest version of Flash Player ActiveX 6.0 available on their
web site is 6.0r79 from 2005-11-11.
Later versions of Flash Player ActiveX 6.0 were available from Microsoft
only: 
and 

I doubt that these outdated Flash Player ActiveX controls are safe and
not vulnerable to current exploits, so Microsoft clearly puts its
customers at risk.


The unhappy end:

* Start with a fully patched Windows XP with Service Pack 3 AND the
  current Adobe Flash Player ActiveX v10.0r22.87 installed.

  Since recent Flash Player installers remove any older versions of the
  ActiveX control this means that neither FLASH.OCX nor SWFLASH.OCX are
  present in %SystemRoot%\System32\Macromed\ or
  %SystemRoot%\System32\Macromed\Flash\

* Install an arbitrary software product that installs a Flash Player
  ActiveX prior to 6.0r88 (there are MANY software products that do so).

  For example, get the current MSN CD-ROM "MSN 9.6-PROD", part no.
  X14-85160-02 DE from Microsoft; this CD-ROM contains the product
  "Digital Image Standard Edition 2006" v11.1 from 2007-01-29, which
  installs an outdated and VULNERABLE FLASH.OCX v6.0r29 to
  %SystemRoot%\System32\Macromed\!

  Note that the installer was created AFTER KB923789, which however was
  not incorporated. Does Microsoft really care about security?

  If you don't want to order the MSN CD-ROM, a trial version of "Digital
  Image Starter Edition 2006" is available from
  


  If you don't want to install such a big product either, get the
  Windows Update KB913433 from
  

  extract the Flash Player ActiveX installer INSTALL_FP6_WU.EXE from
  the package and run the installer.

  The attempt to install a Flash Player ActiveX prior to 6.0r88 over a
  later version does not YET do any harm, since starting with 6.0r88 Adobe
  sets deny ACLs on the %SystemRoot%\System32\Macromed\Flash\FLASH*.OCX
  as well as on all the registry entries, which prevent earlier Flash
  Player ActiveX installers from overwriting them, so any Flash Player
  ActiveX 6.0r88 and later is preserved.

  Any of the above-mentioned products, however, installs the previously
  non-existent file %SystemRoot%\System32\Macromed\Flash\FLASH*.OCX

* Visit  (or wait till the daily
  run of the Automatic Update) and install the Windows Update KB923789.

  This, however, DOES harm: since the Flash Player ActiveX installer
  wrapped in KB923789 (re-)sets the ACLs, it overwrites the registry
  entries of the newer/recent Flash Player ActiveX. DAMAGE DONE!


Over the last two years I informed Microsoft several times about this
problem and discussed it with various members of their Microsoft Security
Response Center, but the problem persists.


Stefan Kanthak



Re: [Full-disclosure] Obfuscated patches

2009-04-21 Thread Valdis . Kletnieks
On Tue, 21 Apr 2009 13:08:50 +0300, Dennis Yurichev said:

> Just curious: will we see one day obfuscated patches
> (in a manner of obfuscated code) to make reverse engineers'
> (who would like to create exploits after security patches are out)
> work harder?

HMASPZAP.  You're about a quarter century late. ;)




[Full-disclosure] Obfuscated patches

2009-04-21 Thread Dennis Yurichev
Hi.

Just curious: will we see one day obfuscated patches
(in a manner of obfuscated code) to make reverse engineers'
(who would like to create exploits after security patches are out)
work harder?

--
My PGP public key: http://yurichev.com/dennis.yurichev.asc
