[Full-disclosure] Exploiting Chrome and Opera's inbuilt ATOM/RSS reader with Script Execution and more

2009-09-15 Thread Inferno
Exploiting Chrome and Opera’s inbuilt ATOM/RSS reader with Script Execution
and more

-
For the complete post (with images), please visit:
http://securethoughts.com/2009/09/exploiting-chrome-and-operas-inbuilt-atomrss-reader-with-script-execution-and-more/

=
SECURETHOUGHTS.COM ADVISORY
- CVE-ID: CVE-2009- (Chrome) {Pending}
- Release Date  : September 15, 2009
- Severity  : Medium to High
- Discovered by : Inferno
=

I. TITLE
-
Exploiting Chrome and Opera’s inbuilt ATOM/RSS reader with Script Execution
and more

II. VULNERABLE
-
Chrome 2.x and 3.x (all versions before 3.0.195.21)
Opera 9.x and 10.x (all versions)

III. BACKGROUND
-
Back in 2006, James Holderness [1] and James M. Snell [2] published research
that uncovered a variety of XSS issues in feed readers and aggregator
services (e.g. FeedDemon). The vulnerability arises because feed readers are
not expected to render scripted content, yet some of them hand feed markup to
an HTML renderer unsanitized. I want to extend that research with a threat
analysis of the inbuilt feed readers offered by most modern browsers. I found
Google Chrome (v2, v3) and Opera (v9, v10) to be vulnerable, while Internet
Explorer (v7, v8), Firefox 3.5 and Safari 4 are resilient to the exploits
described below.

IV. DESCRIPTION
-
The inbuilt RSS/Atom readers in Google Chrome and Opera render feed content
as HTML without sanitizing it, so JavaScript carried in an untrusted feed
executes in the victim's browser.
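The following is an added example and not one of the advisory's PoC files. It builds a small constructed Atom feed that carries script in each place a reader is likely to hand to an HTML renderer (a type="html" feed title and entry summary, a type="xhtml" content block, and a javascript: link href), then runs a scanner over it that reports exactly those fields. That scan is the check a feed consumer, or a site that republishes user-supplied feeds, should make before rendering; a second function shows the reader-side fix of downgrading every HTML construct to literal text. Element names and type semantics follow RFC 4287; the payloads, URLs and function names are the example's own.

```python
import re
import xml.etree.ElementTree as ET

ATOM_NS = "http://www.w3.org/2005/Atom"
XHTML_NS = "http://www.w3.org/1999/xhtml"

# Atom text constructs (RFC 4287 s.3.1); RSS <description> is HTML by convention.
TEXT_CONSTRUCTS = {"title", "subtitle", "summary", "content", "rights"}
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
ACTIVE_TAG_RE = re.compile(r"<\s*(script|iframe|object|embed)\b", re.I)
EVENT_ATTR_RE = re.compile(r"\bon[a-z]+\s*=", re.I)
JS_URL_RE = re.compile(r"^\s*javascript:", re.I)


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _xhtml_active_markup(element):
    """Inline XHTML is real XML: walk it and return the first active node name."""
    for node in element.iter():
        if _local(node.tag) in ACTIVE_TAGS:
            return _local(node.tag)
        if any(name.lower().startswith("on") for name in node.attrib):
            return _local(node.tag) + "@on*"
    return None


def find_active_content(feed_xml):
    """List every field of an Atom/RSS feed that a renderer treating it as
    HTML would execute script from.  type="text" fields are never flagged:
    a correct reader shows them literally."""
    root = ET.fromstring(feed_xml)
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name in TEXT_CONSTRUCTS or name == "description":
            kind = "html" if name == "description" else el.attrib.get("type", "text")
            if kind == "html":
                # ElementTree has already unescaped &lt;script&gt; into <script>
                text = el.text or ""
                if ACTIVE_TAG_RE.search(text) or EVENT_ATTR_RE.search(text):
                    findings.append(f"{name}[type=html]")
            elif kind == "xhtml":
                hit = _xhtml_active_markup(el)
                if hit:
                    findings.append(f"{name}[type=xhtml]/{hit}")
        elif name == "link" and JS_URL_RE.match(el.attrib.get("href", "")):
            findings.append("link[href=javascript:]")
    return findings


def neutralize(feed_xml):
    """Reader-side fix: turn every html/xhtml construct into type="text" and
    drop script URLs, so nothing in the feed is interpreted as markup."""
    root = ET.fromstring(feed_xml)
    for el in root.iter():
        name = _local(el.tag)
        if name in TEXT_CONSTRUCTS and el.attrib.get("type") in ("html", "xhtml"):
            plain = "".join(el.itertext()) if el.attrib["type"] == "xhtml" else (el.text or "")
            for child in list(el):
                el.remove(child)
            el.text = plain
            el.attrib["type"] = "text"
        elif name == "link" and JS_URL_RE.match(el.attrib.get("href", "")):
            el.attrib["href"] = "about:blank"
    return ET.tostring(root, encoding="unicode")


# Constructed test feed (not the advisory's PoC): one payload per render path.
CONSTRUCTED_FEED = f"""<feed xmlns="{ATOM_NS}">
  <title type="html">Planet &lt;script&gt;alert('feed title')&lt;/script&gt;</title>
  <id>urn:example:feed</id>
  <updated>2009-09-15T00:00:00Z</updated>
  <entry>
    <id>urn:example:entry-1</id>
    <title type="text">&lt;script&gt;shown literally, never executed&lt;/script&gt;</title>
    <link href="javascript:alert('link')"/>
    <updated>2009-09-15T00:00:00Z</updated>
    <summary type="html">&lt;img src="x" onerror="alert('summary')"&gt;</summary>
    <content type="xhtml">
      <div xmlns="{XHTML_NS}"><p>Hello</p><script>alert('xhtml content')</script></div>
    </content>
  </entry>
</feed>
"""

# Constructed benign feed: HTML formatting without script, and escaped script as plain text.
SAFE_FEED = f"""<feed xmlns="{ATOM_NS}">
  <title>Plain title</title>
  <entry>
    <title type="html">Bold &lt;b&gt;text&lt;/b&gt; only</title>
    <link href="http://example.invalid/post/1"/>
    <summary type="text">&lt;script&gt;literal&lt;/script&gt;</summary>
  </entry>
</feed>
"""

if __name__ == "__main__":
    print(find_active_content(CONSTRUCTED_FEED))
    print(find_active_content(neutralize(CONSTRUCTED_FEED)))
```

The scanner is deliberately conservative: it flags a handful of element names and attribute patterns rather than trying to fully parse HTML, so a reader that wants to keep rich formatting should run a real HTML sanitizer on the html/xhtml constructs instead, while a reader that does not need formatting can simply do what neutralize does (which is also the effect of Chrome's fix of serving feeds as text/plain).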

Exploit Scenarios

Scenario 1 -
  1. The attacker social-engineers the victim into opening an RSS/Atom feed
     link that points at the attacker's site.
  2. The victim opens the feed in Google Chrome or Opera.
  3. The malicious JavaScript executes in the victim's browser. Examples:
     a. It rewrites the page into a phishing form that asks for the user's
        credentials to subscribe the feed in Google Reader / My.Opera.com.
     b. It searches the user's browser history for visited URLs [3].
     c. It scans the user's internal network, with or without JavaScript [4].

Scenario 2 -
  1. Both the attacker and the victim have an account on a trusted website.
  2. Either the trusted website lets the attacker inject JavaScript into
     some section of its RSS or Atom feed, or:
     a. The trusted website relies on a blacklist of known scriptable file
        types (e.g. .html, .jsp) to reject uploads.
     b. The attacker uploads a file whose name ends in .rss or .atom, or in
        .rss/.atom followed by an arbitrary extra extension (e.g. .atom.tx).
        Apache, the most widely used web server, serves all three with
        Content-Type application/atom+xml or application/rss+xml in its
        default configuration, because mod_mime maps every extension in the
        name rather than only the last one.
     c. The attacker convinces the victim to visit the direct link to the
        uploaded file.
     d. The feed's script runs in the trusted site's origin, and the victim's
        cookies and other sensitive data are sent to the attacker's site.
  3. Note: with Internet Explorer 7 and 8 this is easier still, because IE
     sniffs the content to determine the MIME type, so script in a file with
     any extension executes (e.g.
     http://securethoughts.com/security/rssatomxss/anyfile.tx). Firefox 3.5,
     Safari 4, Opera 10 and Chrome 3 do not sniff this way (presumably for
     security reasons), so the .rss/.atom-based extensions above are the
     workaround for script execution in Opera and Chrome.

Scenario 3 -
  Similar to Scenario 1, but the exploit yields complete control over feeds
  in the Opera browser.
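An added illustration of the upload side of Scenario 2 (example code, not from the advisory or from Apache): a model of Apache mod_mime's multiple-extension rule, the last-extension blacklist that the .atom.tx trick defeats, and the allowlist-plus-renaming check that closes it. The extension map is a constructed subset of Apache's stock mime.types; the blacklist, allowlist and function names are the example's own assumptions, and the model deliberately ignores mod_mime's separate handling of language and encoding extensions.

```python
import secrets

# Constructed subset of Apache's mime.types (extension -> Content-Type).
APACHE_TYPES = {
    "html": "text/html", "htm": "text/html",
    "atom": "application/atom+xml",
    "rss": "application/rss+xml",
    "xml": "application/xml",
    "txt": "text/plain",
    "jpg": "image/jpeg", "png": "image/png",
}


def apache_content_type(filename, types=APACHE_TYPES, default=None):
    """Model of mod_mime's multiple-extension rule: every dot-separated part
    after the base name is looked up, unknown parts (such as .tx) are skipped,
    and when several parts map to a type the rightmost one wins.  `default`
    stands in for the server's DefaultType / no Content-Type at all."""
    content_type = default
    for ext in filename.split(".")[1:]:
        mapped = types.get(ext.lower())
        if mapped is not None:
            content_type = mapped
    return content_type


# --- the weak check from Scenario 2: a blacklist on the last extension ------
BLACKLIST = {"html", "htm", "jsp", "php", "js", "svg"}


def blacklist_accepts(filename):
    """Only the final extension is inspected, so 'evil.atom.tx' passes even
    though the server will serve it as application/atom+xml."""
    return filename.rsplit(".", 1)[-1].lower() not in BLACKLIST


# --- the hardened check: allowlist, and the server picks the stored name ---
ALLOWLIST = {"txt", "jpg", "png"}


def stored_name(original_name, token=None):
    """Return the name to store an upload under, or None to reject it.

    The stored name has exactly one extension, taken from an allowlist, so
    no inner extension survives for mod_mime to act on, and the base name is
    server-generated so the client controls no part of the path.  Validating
    that the bytes really are a .jpg/.png/.txt is a separate step."""
    parts = original_name.lower().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in ALLOWLIST:
        return None
    token = token or secrets.token_hex(16)
    return f"{token}.{ext}"


if __name__ == "__main__":
    for name in ("feed.atom", "evil.atom.tx", "evil.rss.tm", "evil.atom.txt"):
        print(f"{name:14} -> {apache_content_type(name)}  "
              f"blacklist accepts: {blacklist_accepts(name)}  "
              f"stored as: {stored_name(name, 'u1')}")
```

Treat the model as a guide only: confirm the real server's behaviour with a request such as `curl -sI http://host/uploads/test.atom.tx` and read the Content-Type header, since administrators may have added or removed types, and note that renaming to an allowlisted extension fixes the Content-Type but not the content, which still needs its own validation.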

V. PROOF OF CONCEPT
-
  1. Exploit Scenario 1 [test cases: 18 XSS vectors for Chrome, 38 for Opera]
     Chrome: http://securethoughts.com/security/rssatomxss/googlechromexss.atom [or .rss]
     Opera:  http://securethoughts.com/security/rssatomxss/opera10xss.atom [or .rss]
  2. Exploit Scenario 2
     All of the Scenario 1 PoCs, plus the same feeds served under an
     arbitrary trailing extension (e.g. .tx, .tm):
     Opera:  http://securethoughts.com/security/rssatomxss/opera10xss.atom.tx
     Chrome: http://securethoughts.com/security/rssatomxss/googlechromexss.atom.tx
  3. Exploit Scenario 3
     Details and PoC will be released after the Opera Security Team ships a
     patch in the next minor release.

For research purposes, you can try the PoCs against virtualized (and
vulnerable) versions of the browsers without installing anything on your
computer [5].

VI. FIX DESCRIPTION
-
Chrome: ATOM/RSS feed rendering is disabled entirely; the browser now forces
a text/plain MIME type for feeds, so their markup is displayed rather than
interpreted [6]. If you need feed rendering, a good alternative is FeedBurner,
which protects against script execution by rejecting scripted content when
the feed is registered.

Opera: Scenarios (1) and (2) 

Re: [Full-disclosure] Andrew Aurenheimer aka weev gets tree'd

2009-09-15 Thread Ronny Lawson
No, it is a domain name you registered for a web design client.


On Sep 15, 2009, at 10:54 PM, Ronny Lawson wrote:

> I guess you're a junior and this is your dad: http://www.sealpacusa.com/
>
>
> On Sep 15, 2009, at 9:52 PM, Andrew A wrote:
>
>> Okay. You've been in contact with Hep? She's handed over her logs? Oh
>> man, the FBI now has hundreds of megs of me scrolling ansi on IRC,
>> telling her she's a sickly withered ghoul, calling her fat, and  
>> making
>> fun of her Springeresque living situation of having 3 different kids
>> by 3 different dads (seriously hep is basically the hip web2.0  
>> version
>> of used up trailer trash whore).
>>
>> Oclet's handed over his logs? Wow, the FBI now has records of all the
>> times I've told him to stop doing cocaine and drinking and clean up
>> his act.
>>
>> Sherrod DeGrippo was indeed a fed. If she's turned against me, the  
>> FBI
>> now has all the records of me posting the information of people with
>> autism to Encyclopedia Dramatica! I'm goin' down!
>>
>> Tehdely, the gay San Francisco Jew who works for blogging house Six
>> Apart will be able to tell a jury that I, in the haze of a 5-balloon
>> dose of nitrous oxide, did a "sieg heil" salute and shouted "heil
>> hitler" while giggling hysterically. I, clearly, will be screwed by
>> this revelation of SECRET KNOWLEDGE in the grand jury proceedings.
>>
>> And actually, you can make your living off of advertising and selling
>> t-shirts. I made high sfigs off of direct marketing alone for several
>> years.
>>
>> You antis are pathetic. You think you got one up on me by pasting  
>> some
>> fuckin info I put in my fuckin LIVEJOURNAL? Is this what hackin is
>> these days? Are you gonna start syndicating emo rants from 14 year  
>> old
>> girls into f-d posts with ascii banners at the top, acting like you
>> owned people?
>>
>> See, for a doxdrop to be proper, you have to do info that is not
>> already public, and you have to tie it together in a way that reveals
>> something about their lives that they did not want people to know.
>>
>> For example, when some clever soul revealed that Rob Levin of  
>> freenode
>> didn't actually live in a trailer, had all sorts of welfare and was
>> still using people's donations to supplement his income, that was a
>> pretty sweet doxdrop:
>> http://antisec.wordpress.com/2006/06/27/eyeballing-rob-levin/
>>
>> Or when somebody pieced together Kathy Sierra's sordid history of  
>> dick
>> sucking, that was pretty fuckin' awesome:
>> http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2007-03/msg00507.html
>>
>> You, sir, are a fucking amateur. You haven't uncovered anything new
>> (the most well funded law enforcement organization in the world had  
>> to
>> do that for you in their organized campaign, and you copied it from  
>> my
>> livejournal), and it is certainly not anything I tried to hide, as I
>> put it in my fucking blog. No secrets uncovered, no dark past
>> revealed, just shit you copied from my livejournal to full- 
>> disclosure.
>> Doxdrop is not copy and paste. You are the failure here, and your
>> hilarious attempt to poorly emulate a sacred tradition of the
>> hackscene in a D- fashion is regrettable.
>>
>> If you want to be impressive, figure out the name (Hint hint:  
>> France!)
>> i actually do business under. Find out what fucking country I
>> emigrated to. Find out SOMETHING yourself.
>>
>> My world ain't spinnin, I've been playing lolling it up for ages
>> buddy, and I ain't gonna stop anytime soon.
>>
>> On Mon, Sep 14, 2009 at 11:39 PM, GOBBLES > mail.net> wrote:
>>> *grins like Cheshire cat*
>>> *spins you around*
>>>
>>> Oh weev, you try too hard.
>>>
>>> You hold on to vanity like a 13 year old girl. That's what your
>>> friends say. Or at least people who think are your friend.
>>>
>>> I've been in contact with hep, sherrod degrippo, oclet and
>>> tehdely about what a flatout nutter you are. And btw, last I
>>> heard your vehicles bugged for sound and GPS. Those dudes
>>> handed over your logs. You got a mountain of people ready
>>> to testify against you. Most will play buddy with you until
>>> you get the iron cuffs slapped on. They gone el mariachi
>>> on you bud. You think you can make a living off ads and
>>> selling t-shirts? Use your fucking brain. Idiot.
>>>
>>> You know your worlds spinning before you why don't you just give up.
>>>
>>> Enjoy ^_^
>>>
>>> Presents
>>> =
>>> Sorry about that. The JDL/GOBBLES team takes mispellings very
>>> seriously.
>>>
>>> Meet the exposed Andrew Auernheimer. Former bantown member and a
>>> sysop at encyclopediadramatica.
>>>
>>> Aliases:
>>> - weev
>>> - weevlar
>>> - weevlos
>>> - the iprophet
>>> - wbeelsoi
>>>
>>> He is a failed man. Loyalty to him shall bring you no benefit. See  
>>> for yourself:
>>>
>>> Law enforcement authorities reportedly have identified a 21-year-
>>> old Vancouver man as the individual who made two threatening
>>> telephone calls to Congregation Beth Isra

Re: [Full-disclosure] Andrew Aurenheimer aka weev gets tree'd

2009-09-15 Thread Ronny Lawson
I guess you're a junior and this is your dad: http://www.sealpacusa.com/



Re: [Full-disclosure] Andrew Aurenheimer aka weev gets tree'd

2009-09-15 Thread Valdis . Kletnieks
On Tue, 15 Sep 2009 00:39:38 EDT, GOBBLES said:
> on you bud. You think you can make a living off ads and
> selling t-shirts? Use your fucking brain. Idiot.

You know all those rich rock stars?  They don't get that way selling records
and CDs - they usually *lose* money to the record companies.  They get rich
touring (often with corporate sponsorship) and selling the t-shirts at the
concert.

So yes, you *can* make quite a good living off ads and tshirts.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Andrew Aurenheimer aka weev gets tree'd

2009-09-15 Thread Ronny Lawson
Australia is the country you emigrated to.


Re: [Full-disclosure] Andrew Aurenheimer aka weev gets tree'd

2009-09-15 Thread Andrew A
Okay. You've been in contact with Hep? She's handed over her logs? Oh
man, the FBI now has hundreds of megs of me scrolling ansi on IRC,
telling her she's a sickly withered ghoul, calling her fat, and making
fun of her Springeresque living situation of having 3 different kids
by 3 different dads (seriously hep is basically the hip web2.0 version
of used up trailer trash whore).

Oclet's handed over his logs? Wow, the FBI now has records of all the
times I've told him to stop doing cocaine and drinking and clean up
his act.

Sherrod DeGrippo was indeed a fed. If she's turned against me, the FBI
now has all the records of me posting the information of people with
autism to Encyclopedia Dramatica! I'm goin' down!

Tehdely, the gay San Francisco Jew who works for blogging house Six
Apart will be able to tell a jury that I, in the haze of a 5-balloon
dose of nitrous oxide, did a "sieg heil" salute and shouted "heil
hitler" while giggling hysterically. I, clearly, will be screwed by
this revelation of SECRET KNOWLEDGE in the grand jury proceedings.

And actually, you can make your living off of advertising and selling
t-shirts. I made high sfigs off of direct marketing alone for several
years.

You antis are pathetic. You think you got one up on me by pasting some
fuckin info I put in my fuckin LIVEJOURNAL? Is this what hackin is
these days? Are you gonna start syndicating emo rants from 14 year old
girls into f-d posts with ascii banners at the top, acting like you
owned people?

See, for a doxdrop to be proper, you have to do info that is not
already public, and you have to tie it together in a way that reveals
something about their lives that they did not want people to know.

For example, when some clever soul revealed that Rob Levin of freenode
didn't actually live in a trailer, had all sorts of welfare and was
still using people's donations to supplement his income, that was a
pretty sweet doxdrop:
http://antisec.wordpress.com/2006/06/27/eyeballing-rob-levin/

Or when somebody pieced together Kathy Sierra's sordid history of dick
sucking, that was pretty fuckin' awesome:
http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2007-03/msg00507.html

You, sir, are a fucking amateur. You haven't uncovered anything new
(the most well funded law enforcement organization in the world had to
do that for you in their organized campaign, and you copied it from my
livejournal), and it is certainly not anything I tried to hide, as I
put it in my fucking blog. No secrets uncovered, no dark past
revealed, just shit you copied from my livejournal to full-disclosure.
Doxdrop is not copy and paste. You are the failure here, and your
hilarious attempt to poorly emulate a sacred tradition of the
hackscene in a D- fashion is regrettable.

If you want to be impressive, figure out the name (Hint hint: France!)
i actually do business under. Find out what fucking country I
emigrated to. Find out SOMETHING yourself.

My world ain't spinnin, I've been playing lolling it up for ages
buddy, and I ain't gonna stop anytime soon.

On Mon, Sep 14, 2009 at 11:39 PM, GOBBLES  wrote:
> *grins like Cheshire cat*
> *spins you around*
>
> Oh weev, you try too hard.
>
> You hold on to vanity like a 13 year old girl. That's what your
> friends say. Or at least people who think are your friend.
>
> I've been in contact with hep, sherrod degrippo, oclet and
> tehdely about what a flatout nutter you are. And btw, last I
> heard your vehicles bugged for sound and GPS. Those dudes
> handed over your logs. You got a mountain of people ready
> to testify against you. Most will play buddy with you until
> you get the iron cuffs slapped on. They gone el mariachi
> on you bud. You think you can make a living off ads and
> selling t-shirts? Use your fucking brain. Idiot.
>
> You know your worlds spinning before you why don't you just give up.
>
> Enjoy ^_^
>
> Presents
> =
> Sorry about that. The JDL/GOBBLES team takes mispellings very
> seriously.
>
> Meet the exposed Andrew Auernheimer. Former bantown member and a
> sysop at encyclopediadramatica.
>
> Aliases:
>  - weev
>  - weevlar
>  - weevlos
>  - the iprophet
>  - wbeelsoi
>
> He is a failed man. Loyalty to him shall bring you no benefit. See for 
> yourself:
>
> Law enforcement authorities reportedly have identified a 21-year-
> old Vancouver man as the individual who made two threatening
> telephone calls to Congregation Beth Israel on the night of June 16.
>
> Jewish Federation of Greater Portland Community Relations Director
> Robert Horenstein said the suspect, whose name was not made public,
> “admitted making the calls and the FBI is now working with the U.S.
> Attorney’s office to determine if a crime has been committed.”
>
> The alleged caller, whom authorities described to Horenstein as
> having “low intelligence and no means to carry out any threats,”
> reportedly said over the phone, “The Nazis are coming to get you;
> there will be another Holocaust” and “You killed my Lord. Y

Re: [Full-disclosure] PakBugs.Com Report

2009-09-15 Thread Lane Christiansen
On Tuesday 15 September 2009 09:09:41 am Jan G.B. wrote:
> 2009/9/14 Rohit Patnaik 
> 
> > We know that the FBI and the CIA can't even catch Osama bin Laden in
> > Pakistan.  Do you really think they're going to bother with small-time
> > credit card skimmers?
> >
> > --Rohit Patnaik
> 
> Rohit, we all know that the FBI was never interested in catching Osama bin
> Laden. Neither in Afghanistan, nor in Iraq.
> There is not a single proof that he has smth. to do with 9/11. You might
> want to verify that by looking onto the Website of the FBI.
> 

What? I'll admit that I know very little about this, but I do know that Osama 
Bin Laden is the founder of al-Qaeda, and al-Qaeda is definitely responsible 
for the 9/11 attacks. He's also still on the FBI's top ten most wanted list 
(http://www.fbi.gov/wanted/topten/fugitives/fugitives.htm), which I think 
means that they are interested in catching him.



Re: [Full-disclosure] Hack-Mail.net or similar site

2009-09-15 Thread Zach Riggle
[First, sorry for spawning a new thread -- I just joined the list to  
post this]


About 2 weeks ago, I decided to have them "hack" my account.  I just  
got a not-too-poorly-done spoof email for an email login portal/ 
greeting card mashup.  Granted, GMail would never actually do  
something like this, but it's enough to fool the layperson.


http://www.123greetingsecards.com/greet_view/YOURACCOUNTNAME=gmail.html

Tried msn.html and yahoo.html -- no go.


[Full-disclosure] ANNOUNCE: RFIDIOt release - v0.z - 16th September, 2009

2009-09-15 Thread Adam Laurie
Hi,

Since I seem to have missed a version, here are the CHANGES for .y & .z:

   v0.y
   fix support for ACS PCSC-2 devices (e.g. ACR 122U)
   add writelfx.py - test write LF devices
   fix 3DES key setting for ID cards in mrpkey.py
   allow missing files to be skipped if running in files mode in mrpkey.py

   v0.z
   add xorcheck.py - search for valid final byte of rolling LRC [input 
from Henryk Plötz]
   add transit.py - program Q5 with FDI Matalec 'TRANSIT 500' or 
'TRANSIT 999' standard UID [input from Proxmark Community]

Download here:

   http://www.rfidiot.org/

cheers,
Adam
-- 
Adam Laurie Tel: +44 (0) 20 7993 2690
Suite 117   Fax: +44 (0) 1308 867 949
61 Victoria Road
Surbiton
Surrey  mailto:a...@algroup.co.uk
KT6 4JX http://rfidiot.org



Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

2009-09-15 Thread Susan Bradley
It's not that they aren't supported per se; it's that Microsoft has deemed 
the impact of the DoS to be low and the ability to patch that platform 
impossible/difficult, and thus has made a risk calculation accordingly.

Sometimes the architecture is what it is.

Jeffrey Walton wrote:
> Hi Susan,
>
>> Read the bulletin.  There's no patch.  It is deemed by Microsoft to be of
>> low impact and thus no patch has been built.
>
> I don't know how I missed that XP/SP2 and above were not being
> patched. It appears that my two references are worthless... I used to
> use them in position papers!
> * http://support.microsoft.com/gp/lifepolicy
> * http://support.microsoft.com/gp/lifeselect
>
> Jeff
>
> On Tue, Sep 15, 2009 at 5:24 PM, Susan Bradley wrote:
>> Read the bulletin.  There's no patch.  It is deemed by Microsoft to be of
>> low impact and thus no patch has been built.
>>
>> Jeffrey Walton wrote:
>>> Hi Aras,
>>>
>>>> Given that M$ has officially shot-down all current Windows XP users by
>>>> not issuing a patch for a DoS level issue,
>>>
>>> Can you cite a reference?
>>>
>>> Unless Microsoft has changed their end of life policy [1], XP should
>>> be patched for security vulnerabilities until about 2014. Both XP Home
>>> and XP Pro's mainstream support ended in 4/2009, but extended support
>>> ends in 4/2014 [2]. Given that we know the end of extended support,
>>> take a look at bullet 17 of [1]:
>>>
>>>    17. What is the Security Update policy?
>>>
>>>    Security updates will be available through the end of the Extended
>>>    Support phase (five years of Mainstream Support plus five years of
>>>    the Extended Support) at no additional cost for most products.
>>>    Security updates will be posted on the Microsoft Update Web site
>>>    during both the Mainstream and the Extended Support phase.
>>>
>>>> I realize some of you might be tempted to relay the M$ BS about "not
>>>> being feasible because it's a lot of work" rhetoric...
>>>
>>> Not at all.
>>>
>>> Jeff
>>>
>>> [1] http://support.microsoft.com/gp/lifepolicy
>>> [2] http://support.microsoft.com/gp/lifeselect
>>>
>>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici wrote:
>>>
>>>> Hello All:
>>>>
>>>> Given that M$ has officially shot-down all current Windows XP users by
>>>> not issuing a patch for a DoS level issue, I'm now curious to find out
>>>> whether or not any brave souls out there are already working or willing
>>>> to work on an open-source patch to remediate the issue within XP.
>>>>
>>>> I realize some of you might be tempted to relay the M$ BS about "not
>>>> being feasible because it's a lot of work" rhetoric... I would just like
>>>> to hear the thoughts of the true experts subscribed to these lists :)
>>>>
>>>> No harm in that is there?
>>>>
>>>> Aras "Russ" Memisyazici
>>>> Systems Administrator
>>>> Virginia Tech



[Full-disclosure] [SECURITY] [DSA 1888-1] New openssl packages deprecate MD2 hash signatures

2009-09-15 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1888-1  secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
September 15, 2009                      http://www.debian.org/security/faq
- 

Package: openssl, openssl097
Vulnerability  : cryptographic weakness
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2009-2409

Certificates with MD2 hash signatures are no longer accepted by OpenSSL,
since they're no longer considered cryptographically secure.

For the stable distribution (lenny), this problem has been fixed in
version 0.9.8g-15+lenny5.

For the old stable distribution (etch), this problem has been fixed in
version 0.9.8c-4etch9 for openssl and version 0.9.7k-3.1etch5 for
openssl097.
The OpenSSL 0.9.8 update for oldstable (etch) also provides updated
packages for multiple denial of service vulnerabilities in the
Datagram Transport Layer Security implementation. These fixes were
already provided for Debian stable (Lenny) in a previous point
update. The OpenSSL 0.9.7 package from oldstable (Etch) is not
affected. (CVE-2009-1377, CVE-2009-1378, CVE-2009-1379,
CVE-2009-1386 and CVE-2009-1387)

For the unstable distribution (sid), this problem has been fixed in
version 0.9.8k-5.

We recommend that you upgrade your openssl packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k-3.1etch5.dsc
Size/MD5 checksum: 1417 cfeda0aa5b691a5745475692c5d95023
  
http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k-3.1etch5.diff.gz
Size/MD5 checksum:35983 d36ced1a9b6bc9fb473142df040a06d6
  
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch9.dsc
Size/MD5 checksum: 1455 853078a1ba61d986d0862b7052e6a47b
  
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c.orig.tar.gz
Size/MD5 checksum:  3313857 78454bec556bcb4c45129428a766c886
  
http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k.orig.tar.gz
Size/MD5 checksum:  3292692 be6bba1d67b26eabb48cf1774925416f
  
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch9.diff.gz
Size/MD5 checksum:59037 1d168f6505755d3d5b2cc5c8dfc4a314

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch9_alpha.deb
Size/MD5 checksum:  2623244 6d978b3c3271793c8e7af4805335186c
  
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch5_alpha.deb
Size/MD5 checksum:  2209790 7b1bd54453a93ae2b20d25abf8e0187a
  
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch9_alpha.deb
Size/MD5 checksum:  2556932 aff297a5754a34193d35e1e7bb1de5e5
  
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch5_alpha.deb
Size/MD5 checksum:  3822402 2d51057194c55709f258303f9eb5634d
  
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch9_alpha.deb
Size/MD5 checksum:  1015184 1a7ee5f6d57cc91aaee2df7efbed7e03
  
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch9_alpha.deb
Size/MD5 checksum:  4561710 6e24f6d818c1c6e791f3b457e9d025cd
  
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch9_alpha.udeb
Size/MD5 checksum:   677314 840e921e5eb158208331c1eb4e546453

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch9_amd64.deb
Size/MD5 checksum:  2188696 730e51554bee77b38922ab4968f7bd8f
  
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch9_amd64.deb
Size/MD5 checksum:   891856 373b14c8d5d44eba8e2a704d29621e4e
  
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch5_amd64.deb
Size/MD5 checksum:  1328748 32e707b77f010c26690d0d170b3b8c71
  
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch9_amd64.deb
Size/MD5 checksum:  1655940 94723e6134595ff2a407ab3cb99c24c9
  
http://security.debian.org/pool/updates/main/o/op
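
The advisory above states the policy change (OpenSSL now refuses certificates signed with MD2) but not how to find MD2-signed certificates already sitting in your own trust stores and service chains before the upgrade starts rejecting them. The Python below is an added example, not code from the Debian advisory or from OpenSSL: with the standard library only, a minimal DER walker reads the outer signatureAlgorithm OID of a certificate (RFC 5280: SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }) and flags the MD2 (and MD4/MD5) PKCS#1 OIDs. The inputs it checks are constructed Certificate-shaped DER shells built in the block itself, not real certificates; the OID-to-name table is the standard PKCS#1 assignment.

```python
"""Flag certificates whose outer signature algorithm is MD2-based.

Added example, not code from the Debian advisory or from OpenSSL; standard
library only. A minimal DER walker reads the signatureAlgorithm of a
Certificate (RFC 5280: SEQUENCE { tbsCertificate, signatureAlgorithm,
signatureValue }). The inputs at the bottom are constructed
Certificate-shaped DER shells, not real certificates.
"""
import base64

# PKCS#1 signature OIDs; the MD2/MD4/MD5 variants are the ones to reject.
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
                 "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
                 "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}
KNOWN_SIG_OIDS = dict(WEAK_SIG_OIDS,
                      **{"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                         "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"})

def load_der(data):
    """Accept DER bytes or a PEM-armoured certificate; return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(ln for ln in data.splitlines() if ln and not ln.startswith(b"-----"))
        return base64.b64decode(body)
    return data

def _read_tlv(buf, pos):
    """(tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(raw):
    """OID content octets (base-128 arcs) to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert):
    """Dotted OID of the outer signatureAlgorithm of a certificate."""
    der = load_der(cert)
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)         # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, tbs_end)   # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("algorithm is not an OBJECT IDENTIFIER")
    return _decode_oid(der[oid_start:oid_end])

def classify(cert):
    """('reject' | 'accept', algorithm name or raw OID) for one certificate."""
    oid = signature_algorithm_oid(cert)
    return ("reject" if oid in WEAK_SIG_OIDS else "accept"), KNOWN_SIG_OIDS.get(oid, oid)

# --- constructed samples (not real certificates) ---------------------------
def _der(tag, content):
    """Encode one DER TLV with a definite length below 65536."""
    n = len(content)
    header = (bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n]) if n < 0x100
              else bytes([tag, 0x82]) + n.to_bytes(2, "big"))
    return header + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def make_cert_shell(sig_oid):
    """Certificate-shaped DER with a dummy TBS body: enough for the check."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                       # SEQUENCE { INTEGER 1 }
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\xAA" * 128)                   # BIT STRING, 0 unused bits
    return _der(0x30, tbs + alg + sig)

def to_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

SAMPLES = {"md2": make_cert_shell("1.2.840.113549.1.1.2"),
           "sha256_pem": to_pem(make_cert_shell("1.2.840.113549.1.1.11"))}

if __name__ == "__main__":
    for label, cert in SAMPLES.items():
        print(label, classify(cert))
```

Run classify() over every certificate in a CA bundle and over every certificate each internal service presents. The check reads the outer signature of a certificate, that is the algorithm its issuer signed with, so it has to be applied to each certificate in a chain, not only to the leaf.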

Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

2009-09-15 Thread Susan Bradley
Microsoft Security Bulletin MS09-048 - Critical: Vulnerabilities in 
Windows TCP/IP Could Allow Remote Code Execution (967723):
http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx

If Windows XP is listed as an affected product, why is Microsoft 
not issuing an update for it?

By default, Windows XP Service Pack 
2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition 
Service Pack 2 do not have a listening service configured in the client 
firewall and are therefore not affected by this vulnerability. Windows 
XP Service Pack 2 and later operating systems include a stateful host 
firewall that provides protection for computers against incoming traffic 
from the Internet or from neighboring network devices on a private 
network. The impact of a denial of service attack is that a system would 
become unresponsive due to memory consumption. However, a successful 
attack requires a sustained flood of specially crafted TCP packets, and 
the system will recover once the flood ceases. This makes the severity 
rating Low for Windows XP. Windows XP is not affected by CVE-2009-1925. 
Customers running Windows XP are at reduced risk, and Microsoft 
recommends they use the firewall included with the operating system, or 
a network firewall, to block access to the affected ports and limit the 
attack surface from untrusted networks.

Susan Bradley wrote:
> Read the bulletin.  There's no patch.  It is deemed by Microsoft to be 
> of low impact and thus no patch has been built.
>
> Jeffrey Walton wrote:
>> Hi Aras,
>>
>>  
>>> Given that M$ has officially shot-down all current Windows XP users 
>>> by not
>>> issuing a patch for a DoS level issue,
>>> 
>> Can you cite a reference?
>>
>> Unless Microsoft has changed their end of life policy [1], XP should
>> be patched for security vulnerabilities until about 2014. Both XP Home
>> and XP Pro's mainstream support ended in 4/2009, but extended support
>> ends in 4/2014 [2]. Given that we know the end of extended support,
>> take a look at bullet 17 of [1]:
>>
>> 17. What is the Security Update policy?
>>
>> Security updates will be available through the end of the Extended
>> Support phase (five years of Mainstream Support plus five years of
>> the Extended Support) at no additional cost for most products.
>> Security updates will be posted on the Microsoft Update Web site
>> during both the Mainstream and the Extended Support phase.
>>
>>  
>>> I realize some of you might be tempted to relay the M$ BS about "not 
>>> being
>>> feasible because it's a lot of work" rhetoric...
>>> 
>> Not at all.
>>
>> Jeff
>>
>> [1] http://support.microsoft.com/gp/lifepolicy
>> [2] http://support.microsoft.com/gp/lifeselect
>>
>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>>  wrote:
>>  
>>> Hello All:
>>>
>>> Given that M$ has officially shot-down all current Windows XP users 
>>> by not
>>> issuing a patch for a DoS level issue, I'm now curious to find out 
>>> whether
>>> or not any brave souls out there are already working or willing to 
>>> work on
>>> an open-source patch to remediate the issue within XP.
>>>
>>> I realize some of you might be tempted to relay the M$ BS about "not 
>>> being
>>> feasible because it's a lot of work" rhetoric... I would just like 
>>> to hear
>>> the thoughts of the true experts subscribed to these lists :)
>>>
>>> No harm in that is there?
>>>
>>> Aras "Russ" Memisyazici
>>> Systems Administrator
>>> Virginia Tech
>>>
>>>


Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

2009-09-15 Thread Susan Bradley
Read the bulletin.  There's no patch.  It is deemed by Microsoft to be 
of low impact and thus no patch has been built.

Jeffrey Walton wrote:
> Hi Aras,
>
>   
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue,
>> 
> Can you cite a reference?
>
> Unless Microsoft has changed their end of life policy [1], XP should
> be patched for security vulnerabilities until about 2014. Both XP Home
> and XP Pro's mainstream support ended in 4/2009, but extended support
> ends in 4/2014 [2]. Given that we know the end of extended support,
> take a look at bullet 17 of [1]:
>
> 17. What is the Security Update policy?
>
> Security updates will be available through the end of the Extended
> Support phase (five years of Mainstream Support plus five years of
> the Extended Support) at no additional cost for most products.
> Security updates will be posted on the Microsoft Update Web site
> during both the Mainstream and the Extended Support phase.
>
>   
>> I realize some of you might be tempted to relay the M$ BS about "not being
>> feasible because it's a lot of work" rhetoric...
>> 
> Not at all.
>
> Jeff
>
> [1] http://support.microsoft.com/gp/lifepolicy
> [2] http://support.microsoft.com/gp/lifeselect
>
> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>  wrote:
>   
>> Hello All:
>>
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue, I'm now curious to find out whether
>> or not any brave souls out there are already working or willing to work on
>> an open-source patch to remediate the issue within XP.
>>
>> I realize some of you might be tempted to relay the M$ BS about "not being
>> feasible because it's a lot of work" rhetoric... I would just like to hear
>> the thoughts of the true experts subscribed to these lists :)
>>
>> No harm in that is there?
>>
>> Aras "Russ" Memisyazici
>> Systems Administrator
>> Virginia Tech
>>
>>


Re: [Full-disclosure] Hack-Mail.net or similar site

2009-09-15 Thread maxigas
From: Augusto Pereyra 
Subject: Re: [Full-disclosure] Hack-Mail.net or similar site
Date: Tue, 15 Sep 2009 02:11:59 -0300

> I think this service is fake.
> 
> To make a portal like this you only need a PHP form with the
> following fields: Account to Hack, Account to send password
> 
> Some client fills in this form and three days later the server sends a
> spoofed mail acting as if they have the password of the account
> requested in the previous form. When the client puts his faith in this kind
> of cheat, he pays the cash and maybe some kind of trash is sent to his
> account.
> 
> When the client is cheated it is too late. Now the owners of the site
> have his 20 bucks.
> 
> I tested it and the mail doesn't come from a Yahoo server. The
> mail comes from bebobox.com
> 
> My English sucks! Sorry

Thank you for taking the time to test the service and sharing your experiences,
and don't worry about your English! :)

maxigas

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
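
Augusto's test above (the mail did not come from a Yahoo server but from bebobox.com) is worth doing systematically. Each relay prepends its own Received: header, so the header nearest the bottom of the chain is the hop closest to the origin, and that is the host to compare against the domain of the claimed From: address. The Python below is an added example, not code from the thread: standard library only, run on a constructed message whose hostnames and addresses are made up to resemble what Augusto describes. Its two-label domain reduction is a stated simplification (no public-suffix list).

```python
"""Compare where a mail claims to come from with where it actually came from.

Added example, not code from the thread. Walks the Received: chain of a
message (the last Received: header is the hop nearest the origin) and
compares the originating host's domain with the From: address domain.
The sample message is constructed; its hosts and addresses are made up.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: claims to be Yahoo, but the first hop our MX saw
# was a host in bebobox.com (a domain name taken from the thread).
SAMPLE_MESSAGE = """\
Return-Path: <bounce@bebobox.com>
Received: from mail.bebobox.com (mail.bebobox.com [203.0.113.5])
\tby mx.example.net (Postfix) with ESMTP id 4F2A1C0
\tfor <victim@example.net>; Tue, 15 Sep 2009 01:10:00 -0300
Received: from webapp (localhost [127.0.0.1])
\tby mail.bebobox.com (Postfix) with SMTP id 12AB3
\tfor <victim@example.net>; Tue, 15 Sep 2009 01:09:58 -0300
From: "Yahoo! Mail" <account-services@yahoo.com>
To: victim@example.net
Subject: Password for the account you requested

Pay 20 USD and we send you the password.
"""

# "from <host>" at the start of a Received: value; stop at space, '(' or ';'
_FROM_HOST = re.compile(r"^\s*from\s+([^\s(;]+)", re.IGNORECASE)

def received_hosts(raw_message):
    """'from <host>' tokens of all Received: headers, origin-side hop first."""
    msg = message_from_string(raw_message)
    hosts = []
    for value in msg.get_all("Received", []):
        match = _FROM_HOST.match(value)
        hosts.append(match.group(1) if match else None)
    hosts.reverse()                     # headers are newest-first on the wire
    return hosts

def registrable_domain(hostname):
    """Last two labels of a hostname (simplification: no public-suffix list)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()

def first_external_hop(raw_message):
    """First origin-side hop that is a qualified, non-loopback hostname."""
    for host in received_hosts(raw_message):
        if host and "." in host and host.lower() != "localhost":
            return host
    return None

def sender_domain(raw_message):
    """Domain part of the From: address, lower-cased ('' if absent)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def origin_matches_sender(raw_message):
    """(match, claimed_domain, actual_domain) for an analyst to look at."""
    hop = first_external_hop(raw_message)
    claimed = sender_domain(raw_message)
    actual = registrable_domain(hop) if hop else ""
    return actual == claimed, claimed, actual

if __name__ == "__main__":
    ok, claimed, actual = origin_matches_sender(SAMPLE_MESSAGE)
    print("claimed:", claimed, "| first external hop:", actual, "| match:", ok)
```

Only the Received: line added by your own MX is trustworthy; every header below it was supplied by the sending side and can be forged. Treat a mismatch as an indicator for an analyst, not as authentication of the sender.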


[Full-disclosure] [SECURITY] [DSA 1887-1] New rails packages fix cross-site scripting

2009-09-15 Thread Steffen Joeris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1887-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
September 15, 2009                      http://www.debian.org/security/faq
- 

Package: rails
Vulnerability  : missing input sanitising
Problem type   : remote
Debian-specific: no
CVE Id : CVE-2009-3009
Debian Bug : 545063


Brian Mastenbrook discovered that rails, the MVC ruby based framework
geared for web application development, is prone to cross-site scripting
attacks via malformed strings in the form helper.


For the stable distribution (lenny), this problem has been fixed in
version 2.1.0-7.

For the oldstable distribution (etch) security support has been
discontinued. It has been reported that rails in oldstable is unusable
and several features that are affected by security issues are broken due
to programming issues. It is highly recommended to upgrade to the
version in stable (lenny).

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 2.2.3-1.


We recommend that you upgrade your rails packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/r/rails/rails_2.1.0-7.diff.gz
Size/MD5 checksum:17520 866f4225a0496c3a2fbeae5da52b36a9
  http://security.debian.org/pool/updates/main/r/rails/rails_2.1.0-7.dsc
Size/MD5 checksum: 1203 60d2bd20b3dae00c2675ed1d45ee99af
  http://security.debian.org/pool/updates/main/r/rails/rails_2.1.0.orig.tar.gz
Size/MD5 checksum:  195 edcc03e7177e1557653fcb92c90db0d1

Architecture independent packages:

  http://security.debian.org/pool/updates/main/r/rails/rails_2.1.0-7_all.deb
Size/MD5 checksum:  2374598 0a1648b6ff0105c4969f54f8c8bed8af


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkqvxQUACgkQ62zWxYk/rQepTACeMylU2PMJePwDfaGAAGFLLP6s
Rz0AoLvIQHNfBsLVmXXG8xF9b5gsA+23
=tRi9
-END PGP SIGNATURE-


[Full-disclosure] [ MDVSA-2009:235 ] silc-toolkit

2009-09-15 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2009:235
 http://www.mandriva.com/security/
 ___

 Package : silc-toolkit
 Date: September 15, 2009
 Affected: 2009.1
 ___

 Problem Description:

 Multiple vulnerabilities were discovered and corrected in silc-toolkit:
 
 Multiple format string vulnerabilities in lib/silcclient/client_entry.c
 in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and
 SILC Client before 1.1.8, allow remote attackers to execute arbitrary
 code via format string specifiers in a nickname field, related to the
 (1) silc_client_add_client, (2) silc_client_update_client, and (3)
 silc_client_nickname_format functions (CVE-2009-3051).
 
 Multiple format string vulnerabilities in lib/silcclient/command.c
 in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10,
 and SILC Client 1.1.8 and earlier, allow remote attackers to execute
 arbitrary code via format string specifiers in a channel name, related
 to (1) silc_client_command_topic, (2) silc_client_command_kick,
 (3) silc_client_command_leave, and (4) silc_client_command_users
 (CVE-2009-3163).
 
 This update provides a solution to these vulnerabilities.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3051
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3163
 ___

 Updated Packages:

 Mandriva Linux 2009.1:
 963ef781398e914559c75514220c875d  
2009.1/i586/libsilc1.1_2-1.1.9-1.1mdv2009.1.i586.rpm
 18bb9a7ad80a3ea48e0456163b46e94e  
2009.1/i586/libsilcclient1.1_3-1.1.9-1.1mdv2009.1.i586.rpm
 816a0b7d2fceed7bac2af77d7a2cba09  
2009.1/i586/silc-toolkit-1.1.9-1.1mdv2009.1.i586.rpm
 7c712d1cf8aa7a588cf99a86b2ae886d  
2009.1/i586/silc-toolkit-devel-1.1.9-1.1mdv2009.1.i586.rpm 
 55583cad550b01bbcd64fe6d2055e32c  
2009.1/SRPMS/silc-toolkit-1.1.9-1.1mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 9fd16b8e6d20347ec944a652c78f3e93  
2009.1/x86_64/lib64silc1.1_2-1.1.9-1.1mdv2009.1.x86_64.rpm
 00aab2d7e5776d8ab6dfdf629249331e  
2009.1/x86_64/lib64silcclient1.1_3-1.1.9-1.1mdv2009.1.x86_64.rpm
 188699f87467e9b41d0acb74b6e3fe8c  
2009.1/x86_64/silc-toolkit-1.1.9-1.1mdv2009.1.x86_64.rpm
 c10e9b7b1e405f26c91e2b7b20c29985  
2009.1/x86_64/silc-toolkit-devel-1.1.9-1.1mdv2009.1.x86_64.rpm 
 55583cad550b01bbcd64fe6d2055e32c  
2009.1/SRPMS/silc-toolkit-1.1.9-1.1mdv2009.1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKr5c1mqjQ0CJFipgRArEfAJ0W115AG93WHQAdwvXDuGyts268sACdEB87
jhz23pZCPnHR9brkaxMLcmI=
=+T/O
-END PGP SIGNATURE-


[Full-disclosure] [ MDVSA-2009:234-1 ] silc-toolkit

2009-09-15 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory   MDVSA-2009:234-1
 http://www.mandriva.com/security/
 ___

 Package : silc-toolkit
 Date: September 15, 2009
 Affected: Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities were discovered and corrected in silc-toolkit:
 
 Multiple format string vulnerabilities in lib/silcclient/client_entry.c
 in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and
 SILC Client before 1.1.8, allow remote attackers to execute arbitrary
 code via format string specifiers in a nickname field, related to the
 (1) silc_client_add_client, (2) silc_client_update_client, and (3)
 silc_client_nickname_format functions (CVE-2009-3051).
 
 The silc_asn1_encoder function in lib/silcasn1/silcasn1_encode.c in
 Secure Internet Live Conferencing (SILC) Toolkit before 1.1.8 allows
 remote attackers to overwrite a stack location and possibly execute
 arbitrary code via a crafted OID value, related to incorrect use of
 a %lu format string (CVE-2008-7159).
 
 The silc_http_server_parse function in lib/silchttp/silchttpserver.c in
 the internal HTTP server in silcd in Secure Internet Live Conferencing
 (SILC) Toolkit before 1.1.9 allows remote attackers to overwrite
 a stack location and possibly execute arbitrary code via a crafted
 Content-Length header, related to incorrect use of a %lu format string
 (CVE-2008-7160).
 
 Multiple format string vulnerabilities in lib/silcclient/command.c
 in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10,
 and SILC Client 1.1.8 and earlier, allow remote attackers to execute
 arbitrary code via format string specifiers in a channel name, related
 to (1) silc_client_command_topic, (2) silc_client_command_kick,
 (3) silc_client_command_leave, and (4) silc_client_command_users
 (CVE-2009-3163).
 
 This update provides a solution to these vulnerabilities.

 Update:

 Packages for MES5 were not provided previously; this update addresses
 this problem.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3051
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7159
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7160
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3163
 ___

 Updated Packages:

 Mandriva Enterprise Server 5:
 a800a8c69a356ca40c50b04d7322c9ee  
mes5/i586/libsilc1.1_2-1.1.7-4.1mdvmes5.i586.rpm
 317fdb3af9d4d65540756f5737159e20  
mes5/i586/libsilcclient1.1_2-1.1.7-4.1mdvmes5.i586.rpm
 1e4df0e247b1b607d1a6382e45ce8f4b  
mes5/i586/silc-toolkit-1.1.7-4.1mdvmes5.i586.rpm
 a677c19630f8102c9ab33c0e59b97f89  
mes5/i586/silc-toolkit-devel-1.1.7-4.1mdvmes5.i586.rpm 
 b7e35b6e6252ab194db2b8ff2a0d2f92  
mes5/SRPMS/silc-toolkit-1.1.7-4.1mdvmes5.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 38705859cd40b455bf1d4e48e2cd5791  
mes5/x86_64/lib64silc1.1_2-1.1.7-4.1mdvmes5.x86_64.rpm
 097e9e1258f2f350547aca8b20d1f442  
mes5/x86_64/lib64silcclient1.1_2-1.1.7-4.1mdvmes5.x86_64.rpm
 b4fa6915dd6053d7883ca7052fc46bca  
mes5/x86_64/silc-toolkit-1.1.7-4.1mdvmes5.x86_64.rpm
 b410774b1e725efaac52bad52136f134  
mes5/x86_64/silc-toolkit-devel-1.1.7-4.1mdvmes5.x86_64.rpm 
 b7e35b6e6252ab194db2b8ff2a0d2f92  
mes5/SRPMS/silc-toolkit-1.1.7-4.1mdvmes5.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKr5W/mqjQ0CJFipgRArrdAJsFtuI3Wv8EsCCtWZaQlg2ALyes8wCgrsSh
Qx2iLo8GNFSm7AhvhoVzIhA=
=vgFV
-END PGP SIGNATURE-


[Full-disclosure] [ MDVSA-2009:234 ] silc-toolkit

2009-09-15 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2009:234
 http://www.mandriva.com/security/
 ___

 Package : silc-toolkit
 Date: September 15, 2009
 Affected: 2008.1, 2009.0
 ___

 Problem Description:

 Multiple vulnerabilities were discovered and corrected in silc-toolkit:
 
 Multiple format string vulnerabilities in lib/silcclient/client_entry.c
 in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and
 SILC Client before 1.1.8, allow remote attackers to execute arbitrary
 code via format string specifiers in a nickname field, related to the
 (1) silc_client_add_client, (2) silc_client_update_client, and (3)
 silc_client_nickname_format functions (CVE-2009-3051).
 
 The silc_asn1_encoder function in lib/silcasn1/silcasn1_encode.c in
 Secure Internet Live Conferencing (SILC) Toolkit before 1.1.8 allows
 remote attackers to overwrite a stack location and possibly execute
 arbitrary code via a crafted OID value, related to incorrect use of
 a %lu format string (CVE-2008-7159).
 
 The silc_http_server_parse function in lib/silchttp/silchttpserver.c in
 the internal HTTP server in silcd in Secure Internet Live Conferencing
 (SILC) Toolkit before 1.1.9 allows remote attackers to overwrite
 a stack location and possibly execute arbitrary code via a crafted
 Content-Length header, related to incorrect use of a %lu format string
 (CVE-2008-7160).
 
 Multiple format string vulnerabilities in lib/silcclient/command.c
 in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10,
 and SILC Client 1.1.8 and earlier, allow remote attackers to execute
 arbitrary code via format string specifiers in a channel name, related
 to (1) silc_client_command_topic, (2) silc_client_command_kick,
 (3) silc_client_command_leave, and (4) silc_client_command_users
 (CVE-2009-3163).
 
 This update provides a solution to these vulnerabilities.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3051
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7159
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7160
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3163
 ___

 Updated Packages:

 Mandriva Linux 2008.1:
 3b8a40541dbec2f0740103179d14b7de  
2008.1/i586/libsilc1.1_2-1.1.7-2.2mdv2008.1.i586.rpm
 6f43e4ebe0d928e48212378211a30b9b  
2008.1/i586/libsilcclient1.1_2-1.1.7-2.2mdv2008.1.i586.rpm
 7213023ef107419e014d316680595268  
2008.1/i586/silc-toolkit-1.1.7-2.2mdv2008.1.i586.rpm
 552759cd69938394b85bd8860f19d26b  
2008.1/i586/silc-toolkit-devel-1.1.7-2.2mdv2008.1.i586.rpm 
 4b63bf7ecedbf2741f562200c3a0721b  
2008.1/SRPMS/silc-toolkit-1.1.7-2.2mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 fd0ea04815c2f90f50fa61ad56a38602  
2008.1/x86_64/lib64silc1.1_2-1.1.7-2.2mdv2008.1.x86_64.rpm
 44c2c3af3eb96b76828f48af6efde8f8  
2008.1/x86_64/lib64silcclient1.1_2-1.1.7-2.2mdv2008.1.x86_64.rpm
 3934e4b2b0cd45957c3fb4ee7c70  
2008.1/x86_64/silc-toolkit-1.1.7-2.2mdv2008.1.x86_64.rpm
 d95db7e0ac6ff5e48b5861e0c29ab486  
2008.1/x86_64/silc-toolkit-devel-1.1.7-2.2mdv2008.1.x86_64.rpm 
 4b63bf7ecedbf2741f562200c3a0721b  
2008.1/SRPMS/silc-toolkit-1.1.7-2.2mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 064f9c8a43887f645a57402a66fe6b35  
2009.0/i586/libsilc1.1_2-1.1.7-4.1mdv2009.0.i586.rpm
 ff861bb97055cccbf102925c1b06fb45  
2009.0/i586/libsilcclient1.1_2-1.1.7-4.1mdv2009.0.i586.rpm
 f4220d91c0ab2579e2cd0c80691a9cec  
2009.0/i586/silc-toolkit-1.1.7-4.1mdv2009.0.i586.rpm
 6442114abe267e2704ff5392c019ddb4  
2009.0/i586/silc-toolkit-devel-1.1.7-4.1mdv2009.0.i586.rpm 
 240bb82b87ea0a1f0006d9e3c4cae160  
2009.0/SRPMS/silc-toolkit-1.1.7-4.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 73263068f0eb8d4037034567db5ff43d  
2009.0/x86_64/lib64silc1.1_2-1.1.7-4.1mdv2009.0.x86_64.rpm
 7ce3e4a79ea9faec5ec86e89ec5f4f15  
2009.0/x86_64/lib64silcclient1.1_2-1.1.7-4.1mdv2009.0.x86_64.rpm
 4add52e5db6d96857c30e1fd63ce762e  
2009.0/x86_64/silc-toolkit-1.1.7-4.1mdv2009.0.x86_64.rpm
 0f2ca05679394a15a60446ffb8940e96  
2009.0/x86_64/silc-toolkit-devel-1.1.7-4.1mdv2009.0.x86_64.rpm 
 240bb82b87ea0a1f0006d9e3c4cae160  
2009.0/SRPMS/silc-toolkit-1.1.7-4.1mdv2009.0.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories

Re: [Full-disclosure] Andrew Aurenheimer aka weev gets tree'd

2009-09-15 Thread Valdis . Kletnieks
On Mon, 14 Sep 2009 23:37:00 CDT, "Valdis' Mustache" said:
> That said, your attempted Internet volleys have touched on a key
> conundrum that has puzzled this mustache for some time wrt. the varied
> and sundry security-centric cyber-Vasićka of the first decade of this
> millennium's latter half.

So you're a time traveler from the year 2510?  What's computer security
like 500 years from now?  Does IE still leak like a sieve? ;)



Re: [Full-disclosure] PakBugs.Com Report

2009-09-15 Thread Jan G.B.
2009/9/14 Rohit Patnaik 

> We know that the FBI and the CIA can't even catch Osama bin Laden in
> Pakistan.  Do you really think they're going to bother with small-time
> credit card skimmers?
>
> --Rohit Patnaik
>
>
Rohit, we all know that the FBI was never interested in catching Osama bin
Laden. Neither in Afghanistan, nor in Iraq.
There is not a single piece of proof that he has something to do with 9/11. You might
want to verify that by looking at the website of the FBI.

> TheLearner wrote:
> > I wanna be the very best
> > Like no one ever was
> > To catch them is my real test
> > My criminal justice training is my cause
> >
> > I will travel across the lands
> > searching far and wide
> > with pokemon to understand
> > THE POWER THAT'S INSIDE
> >
> > POKEMON gotta catch em all (it's you and me)
> > YOU KNOW ITS MY TEST IN ME
> > Ohh I have no friends
> > In a world I must defend
> >
> > tips.fbi.gov <= Send the tip and make stuff happen!
> >
> > Send it in ASCII style yo
> >
> > And take a bite out of cybercrime
> >
> > On Sat, 12 Sep 2009 16:30:12 + Catch Them 
> > wrote:
> >
> >> As you may know these are mostly based in Pakistan involved in
> >> illegal activities which include carding, hacking, cracking etc.
> >>
> >> I am including this list of their users for law enforcement
> >> agencies to investigate and take action where necessary.
> >> Currently their site is hosted in pacificrack.com's server.
> >>
> >> WAR Against Cyber Crime
> >> Catch Them If you can.
> >>

[Full-disclosure] CVE-2009-2958

2009-09-15 Thread srujan
Hi all,

A NULL pointer dereference flaw was discovered in dnsmasq when the TFTP
service is enabled. This flaw could allow a malicious TFTP client to crash
the dnsmasq service. (CVE-2009-2958)

Is this a local exploit or a remote exploit? I mean, is there any chance of
detecting this in network traffic?

If any PoC is available to exploit this, please provide it to me.

Thanks in advance
Srujan
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
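
The advisory text quoted in the question says a malicious TFTP client can crash dnsmasq's TFTP service, so the trigger arrives over the network (TFTP listens on UDP port 69 by default) and a sensor in front of the server sees it. Which request field triggers the crash is not stated on this page, so the Python below, an added example and not code from the thread or from dnsmasq, does the general thing a detection rule can do: decode TFTP read/write requests per RFC 1350 and the option extension (RFC 2347, with blksize from RFC 2348 and timeout from RFC 2349) and report any request that falls outside that grammar, such as an empty or out-of-range blksize. The packets it checks are constructed inside the block.

```python
"""Decode TFTP RRQ/WRQ payloads and flag requests outside the RFC grammar.

Added example, not from the thread or from dnsmasq. The page does not say
which malformed field crashes dnsmasq, so this enforces what RFC 1350 /
2347 / 2348 / 2349 allow and reports anything else. Sample packets are
constructed below.
"""
import struct

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR", 6: "OACK"}
MODES = (b"netascii", b"octet", b"mail")
# RFC 2348: blksize is a decimal string in 8..65464; RFC 2349: timeout 1..255
OPTION_RANGES = {"blksize": (8, 65464), "timeout": (1, 255)}

class MalformedTftp(ValueError):
    """Raised for any request that does not follow the RFC grammar."""

def parse_request(payload):
    """Parse an RRQ/WRQ into (opcode_name, filename, mode, options)."""
    if len(payload) < 4:
        raise MalformedTftp("too short for a TFTP request")
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (1, 2):
        raise MalformedTftp("not a read/write request (opcode %d)" % opcode)
    fields = payload[2:].split(b"\x00")
    if fields[-1] != b"":
        raise MalformedTftp("request not NUL-terminated")
    fields = fields[:-1]
    if len(fields) < 2:
        raise MalformedTftp("missing filename or mode")
    filename, mode = fields[0], fields[1].lower()
    if mode not in MODES:
        raise MalformedTftp("unknown mode %r" % mode)
    rest = fields[2:]                       # RFC 2347: name/value pairs follow
    if len(rest) % 2:
        raise MalformedTftp("option without a value")
    options = {}
    for name, value in zip(rest[::2], rest[1::2]):
        key = name.lower().decode("ascii", "replace")
        options[key] = value
        if key in OPTION_RANGES:            # unknown options are passed through
            lo, hi = OPTION_RANGES[key]
            if not value.isdigit() or not lo <= int(value) <= hi:
                raise MalformedTftp("%s=%r outside %d..%d" % (key, value, lo, hi))
    return OPCODES[opcode], filename.decode("latin-1"), mode.decode("ascii"), options

def classify_request(payload):
    """'ok' or 'malformed: <reason>', the verdict an IDS rule would emit."""
    try:
        parse_request(payload)
        return "ok"
    except MalformedTftp as exc:
        return "malformed: %s" % exc

def build_request(opcode, filename, mode=b"octet", **options):
    """Build a constructed RRQ/WRQ payload for the samples below."""
    out = struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"
    for name, value in options.items():
        out += name.encode() + b"\x00" + value + b"\x00"
    return out

# Constructed sample packets (UDP/69 payloads), not captured traffic.
SAMPLES = {
    "plain": build_request(1, b"pxelinux.0"),
    "good_blksize": build_request(1, b"pxelinux.0", blksize=b"1468"),
    "empty_blksize": build_request(1, b"pxelinux.0", blksize=b""),
    "huge_blksize": build_request(1, b"pxelinux.0", blksize=b"99999999"),
    "no_mode": struct.pack("!H", 1) + b"pxelinux.0\x00",
}

if __name__ == "__main__":
    for label, packet in SAMPLES.items():
        print(label, "->", classify_request(packet))
```

Feed it the UDP/69 payloads from a capture and alert on "malformed" verdicts as a baseline. Only the RFC-specified options are range-checked; option names the decoder does not know are accepted, so clients that send vendor options are not flagged for that alone.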

Re: [Full-disclosure] Distribution of passwords between man and women

2009-09-15 Thread Tõnu Samuel
On Tue, 2009-09-15 at 14:24 +0200, Anıl Kurmuş wrote:
> 99% confidence interval
> for men: 1.65 to 1.73% (use lastname as a password, granted)
> women : 1.36 to 1.52%
> 
> seems like there is a difference, but not very significant  imo :)

But 123456 usage was different enough. Of course my results are
disputable. Just found it interesting and now also waiting for someone
else to confirm this or come out with competing theory or database
stats.

  Tõnu


Re: [Full-disclosure] Distribution of passwords between man and women

2009-09-15 Thread Anıl Kurmuş
99% confidence interval
for men: 1.65 to 1.73% (use lastname as a password, granted)
women : 1.36 to 1.52%

seems like there is a difference, but not very significant imo :)

Anıl Kurmuş
---
GPG Key :
http://perso.telecom-paristech.fr/~kurmus/key



On Mon, Sep 14, 2009 at 19:02, Tõnu Samuel  wrote:
> Hi all kind of bad people in this list.
>
> Want to share a weird thing I discovered today: Men have MUCH worse
> passwords than females. There is a user database where the men to women
> ratio is 5.2:1, but men use their last name more often as a password. The ratio
> is 6.2:1. When it comes to a bad password like "123456", men used it at a
> 9.3:1 ratio. More details I put on this page:
>
> http://no.spam.ee/~tonu/passwords.html
>
> If you want me run more queries on this DB, mail me in private back and
> publish them too on same page.
>
>  Tõnu
>

Re: [Full-disclosure] Plain Text Password Disclosure vulnerability in rediff mail

2009-09-15 Thread D-vice
Now now, don't ban people for getting owned
We don't discriminate against retards

On Mon, Sep 14, 2009 at 10:22 PM,  wrote:

> D-vice  wrote:
> > To Dan, being well known is now the same as having your ass
> handed to ya by
> > the like of me
>
> now that we banned n3td3v can we ban dan kaminsky as well? ;)
>
>

Re: [Full-disclosure] PakBugs.Com Report

2009-09-15 Thread Haris Pilton
*So* you're saying *we need to invade Iran?*

On Mon, Sep 14, 2009 at 4:34 PM, Rohit Patnaik  wrote:

> We know that the FBI and the CIA can't even catch Osama bin Laden in
> Pakistan.  Do you really think they're going to bother with small-time
> credit card skimmers?
>
> --Rohit Patnaik
>
> TheLearner wrote:
> > I wanna be the very best
> > Like no one ever was
> > To catch them is my real test
> > My criminal justice training is my cause
> >
> > I will travel across the lands
> > searching far and wide
> > with pokemon to understand
> > THE POWER THAT'S INSIDE
> >
> > POKEMON gotta catch em all (it's you and me)
> > YOU KNOW ITS MY TEST IN ME
> > Ohh I have no friends
> > In a world I must defend
> >
> > tips.fbi.gov <= Send the tip and make stuff happen!
> >
> > Send it in ASCII style yo
> >
> > And take a bite out of cybercrime
> >
> > On Sat, 12 Sep 2009 16:30:12 + Catch Them 
> > wrote:
> >
> >> As you may know these are mostly based in Pakistan involved in
> >> illegal activities which include carding, hacking, cracking etc.
> >>
> >> I am including this list of their users for law enforcement
> >> agencies to investigate and take action where necessary.
> >> Currently their site is hosted in pacificrack.com's server.
> >>
> >> WAR Against Cyber Crime
> >> Catch Them If you can.
> >>
> >>
> >
> >
>
>