[Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs

2010-01-19 Thread NSO Research
_
Security Advisory NSOADV-2010-002
_
_


  Title:  Google Wave Design Bugs
  Severity:   Low
  Advisory ID:NSOADV-2010-002
  Found Date: 16.11.2009
  Date Reported:  18.11.2009
  Release Date:   19.01.2010
  Author: Nikolas Sotiriu (lofi)
  Mail:   nso-research at sotiriu.de
  URL:http://sotiriu.de/adv/NSOADV-2010-002.txt
  Vendor: Google (http://www.google.com/)
  Affected Products:  Google Wave Preview (Date: <= 14.01.2010)
  Not Affected Component: Google Wave Preview (Date: >= 14.01.2010)
  Remote Exploitable: Yes
  Local Exploitable:  No
  Patch Status:   partially patched
  Discovered by:  Nikolas Sotiriu
  Disclosure Policy:  http://sotiriu.de/policy.html
  Thanks to:  Thierry Zoller: For the permission to use his
  Policy



Background:
===

Google Wave is an online tool for real-time communication and
collaboration. A wave can be both a conversation and a document where
people can discuss and work together using richly formatted text,
photos, videos, maps, and more.

(Product description from Google Website)



Description:


All these possible attacks are the result of playing 4 hours with Google
Wave. I didn't check all the funny stuff which is possible with Wave.



1. Gadget phishing attack:
--

The Google Wave Gadget API can be used for phishing attacks.

An attacker can build his own phishing Gadget, share it with his Google
Wave contacts and hopefully get the login credentials from a user.

This behavior is normal. The problem is that this bug makes it easier
to steal logins.


2. Virus spreading attack:
--

Uploaded files are not scanned for malicious code.

An attacker could upload his malware to a wave and share it with his
Google Wave contacts.



Proof of Concept :
==

A proof of concept gadget can be found here:
http://sotiriu.de/demos/phgadget.xml



Solution:
=

1. No changes made here.
   Workaround: Don't trust Waves.

2. Google builds in AV scanning.



Disclosure Timeline (YYYY/MM/DD):
=

2009.11.16: Vulnerability found
2009.11.17: Sent PoC, Advisory, Disclosure policy and planned disclosure
date (2009.12.03) to Vendor
2009.11.23: Vendor response
2009.12.01: Ask for a status update, because the planned release date is
2009.12.03.
2009.12.03: Google Security Team asks for 2 more weeks to patch.
2009.12.03: Changed release date to 2009.12.17.
2009.12.15: Ask for a status update, because the planned release date is
2009.12.17. => No Response
2009.12.21: Ask for a status update.
2009.12.29: Google Security Team informs me that there are no changes
made before 2010.01.03.
2010.01.14: Google Security Team informs me that uploaded files will
now be scanned for malware. Google Gadgets will not be updated.
2010.01.19: Release of this Advisory












___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] iiscan results - a closer look

2010-01-19 Thread Gregor Schneider
Hm, wondering if I should allow a China based company to scan any of my
servers

just my 2 cents...
-- 
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/
skype:rc46fi



Re: [Full-disclosure] iiscan results - a closer look

2010-01-19 Thread The Security Community
What's your problem?  All the cool kids are doing it!

On Tue, Jan 19, 2010 at 7:00 AM, Gregor Schneider rc4...@googlemail.com wrote:
 Hm, wondering if I should allow a China based company to scan any of my
 servers

 just my 2 cents...
 --
 just because you're paranoid, doesn't mean they're not after you...



Re: [Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs

2010-01-19 Thread dramacrat
This is the stupidest advisory I have read on this list in at least two
months.


Re: [Full-disclosure] All China, All The Time

2010-01-19 Thread omg wtf
Jokes aside, has anyone seen this?

http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js

On Mon, Jan 18, 2010 at 1:44 PM, Christian Sciberras uuf6...@gmail.com wrote:

 Bipin,

 I'm not wise either, at least not when it comes to security, I'm just
 still discovering this world.
 Other than that, I didn't understand a thing of what you said.

 Regards,
 Christian Sciberras.




 On Mon, Jan 18, 2010 at 8:42 PM, Bipin Gautam bipin.gau...@gmail.com wrote:

 Christian!

 I may not be as wise as you all, but I left FD long back --- still I
 happen to stumble into security bugs every now and then. No, I didn't
 sit on a chair to look for it! It JUST followed me like a shadow.

 I hate it...

 At one point in time I got so sick of it all, I stopped counting
 my number of advisories.. but that doesn't help either.

 BOTTOM LINE: IT'S A PROBLEM BY ARCHITECTURE! A direction where infinite
 things can go wrong because your teeth are stronger if your roots are
 stronger?

 With due respect, I don't want to waste a life working on something
 like that for my whole life. Nothing meaningful @end!

 Just business and politics that is fueling this ecosystem and we are
 like the soldiers fighting for virtue?

 f*** it  

 THINK ABOUT IT.





[Full-disclosure] [ MDVSA-2010:015 ] roundcubemail

2010-01-19 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:015
 http://www.mandriva.com/security/
 ___

 Package : roundcubemail
 Date: January 19, 2010
 Affected: Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities have been found and corrected in transmission:
 
 A number of dependency problems were discovered and have been corrected
 with this release (#56006).
 
 Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail
 0.2.2 and earlier allows remote attackers to hijack the authentication
 of unspecified users for requests that modify user information via
 unspecified vectors, a different vulnerability than CVE-2009-4077
 (CVE-2009-4076).
 
 Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail
 0.2.2 and earlier allows remote attackers to hijack the authentication
 of unspecified users for requests that send arbitrary emails via
 unspecified vectors, a different vulnerability than CVE-2009-4076
 (CVE-2009-4077).
 
 The updated packages have been patched to correct these
 issues. Additionally roundcubemail has been upgraded to 0.2.2 that
 also fixes a number of upstream bugs.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4076
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4077
 https://qa.mandriva.com/56006
 ___

 Updated Packages:

 Mandriva Enterprise Server 5:
 a1f0123588ceb9641dcf271095c32a0c  
mes5/i586/roundcubemail-0.2.2-0.1mdvmes5.noarch.rpm 
 9957258d449a99eea2065481183cb412  
mes5/SRPMS/roundcubemail-0.2.2-0.1mdvmes5.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 bb7c6fb4c4d6c26fd352ef148e7dc099  
mes5/x86_64/roundcubemail-0.2.2-0.1mdvmes5.noarch.rpm 
 9957258d449a99eea2065481183cb412  
mes5/SRPMS/roundcubemail-0.2.2-0.1mdvmes5.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLVbYZmqjQ0CJFipgRAoAJAKC19oqyR48prrDvZ3Ldb5mQaWF8rwCgyral
mTsXVBxXg9nXw/qZ2zU0bpk=
=gpX8
-END PGP SIGNATURE-



[Full-disclosure] [ MDVSA-2010:017 ] ruby

2010-01-19 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:017
 http://www.mandriva.com/security/
 ___

 Package : ruby
 Date: January 19, 2010
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0,
   Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been found and corrected in ruby:
 
 WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through
 patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev
 writes data to a log file without sanitizing non-printable characters,
 which might allow remote attackers to modify a window's title,
 or possibly execute arbitrary commands or overwrite files, via an
 HTTP request containing an escape sequence for a terminal emulator
 (CVE-2009-4492).
 
 Packages for 2008.0 are provided for Corporate Desktop 2008.0
 customers.
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4492
 ___

 Updated Packages:

 Mandriva Linux 2008.0:
 81ffde889fff5e736c7fc8ff4caed3af  2008.0/i586/ruby-1.8.6-5.5mdv2008.0.i586.rpm
 5cc1e869a22fc16936eedfd34005a683  
2008.0/i586/ruby-devel-1.8.6-5.5mdv2008.0.i586.rpm
 6d1f7748edeb1aba0051cc11560a071b  
2008.0/i586/ruby-doc-1.8.6-5.5mdv2008.0.i586.rpm
 39bc1acbe49a9453acab67b49b084b80  
2008.0/i586/ruby-tk-1.8.6-5.5mdv2008.0.i586.rpm 
 744a650335e29123f403d35cf366e5b6  2008.0/SRPMS/ruby-1.8.6-5.5mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 f02c68cceb01dc048f5b056d61672346  
2008.0/x86_64/ruby-1.8.6-5.5mdv2008.0.x86_64.rpm
 2c1242265445600bd8ee386766f4bd22  
2008.0/x86_64/ruby-devel-1.8.6-5.5mdv2008.0.x86_64.rpm
 0f70cc7a2b8ec3c4d7b56ff4ce21e703  
2008.0/x86_64/ruby-doc-1.8.6-5.5mdv2008.0.x86_64.rpm
 2c8c2aad4db092fa7afc86ab6081862b  
2008.0/x86_64/ruby-tk-1.8.6-5.5mdv2008.0.x86_64.rpm 
 744a650335e29123f403d35cf366e5b6  2008.0/SRPMS/ruby-1.8.6-5.5mdv2008.0.src.rpm

 Mandriva Linux 2009.0:
 b2fd3ee6542e4cd9631b91acf9dea020  
2009.0/i586/ruby-1.8.7-7p72.3mdv2009.0.i586.rpm
 dbdd2531cc1fa4e0b7f36231da1ff758  
2009.0/i586/ruby-devel-1.8.7-7p72.3mdv2009.0.i586.rpm
 cacf5f1c157efdb1d34c487c5981c743  
2009.0/i586/ruby-doc-1.8.7-7p72.3mdv2009.0.i586.rpm
 21e92249cbfd8be58fb0f4e7fb179b8f  
2009.0/i586/ruby-tk-1.8.7-7p72.3mdv2009.0.i586.rpm 
 4d73e6540dd45a75948aae15c227180c  
2009.0/SRPMS/ruby-1.8.7-7p72.3mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 5fcb69fd1908cf385712fe8f0c7197ad  
2009.0/x86_64/ruby-1.8.7-7p72.3mdv2009.0.x86_64.rpm
 24e163680c8ab0c33599954482d66c8a  
2009.0/x86_64/ruby-devel-1.8.7-7p72.3mdv2009.0.x86_64.rpm
 a7ca58b52fe54fc71b84a5bf13db878c  
2009.0/x86_64/ruby-doc-1.8.7-7p72.3mdv2009.0.x86_64.rpm
 f59a9ebd06d9447729f86816849f2829  
2009.0/x86_64/ruby-tk-1.8.7-7p72.3mdv2009.0.x86_64.rpm 
 4d73e6540dd45a75948aae15c227180c  
2009.0/SRPMS/ruby-1.8.7-7p72.3mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 88cfd59b0e447ce2fc3e555bd8cc8c05  
2009.1/i586/ruby-1.8.7-9p72.3mdv2009.1.i586.rpm
 b26875792b8dd1450acf22e1cd5e7125  
2009.1/i586/ruby-devel-1.8.7-9p72.3mdv2009.1.i586.rpm
 ae27cb9ea848800dd24eed2622c863a5  
2009.1/i586/ruby-doc-1.8.7-9p72.3mdv2009.1.i586.rpm
 80d7ae68c8318b4544c3c15605baf376  
2009.1/i586/ruby-tk-1.8.7-9p72.3mdv2009.1.i586.rpm 
 158e9c9ea053a470c964e0bc3ce03a00  
2009.1/SRPMS/ruby-1.8.7-9p72.3mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 dacfa4833a9dfd882c93bf87b671fe90  
2009.1/x86_64/ruby-1.8.7-9p72.3mdv2009.1.x86_64.rpm
 8409d1abd0192d2bfa7426049ffaaf8b  
2009.1/x86_64/ruby-devel-1.8.7-9p72.3mdv2009.1.x86_64.rpm
 0cc95c768f986b0bb168ae821b04c370  
2009.1/x86_64/ruby-doc-1.8.7-9p72.3mdv2009.1.x86_64.rpm
 1088ecc3fa689f1d41346880f7a71427  
2009.1/x86_64/ruby-tk-1.8.7-9p72.3mdv2009.1.x86_64.rpm 
 158e9c9ea053a470c964e0bc3ce03a00  
2009.1/SRPMS/ruby-1.8.7-9p72.3mdv2009.1.src.rpm

 Mandriva Linux 2010.0:
 2c0a2f50cb64ce9c8db446c7c43a3ad5  
2010.0/i586/ruby-1.8.7-9p174.1mdv2010.0.i586.rpm
 1d3b0284cefce641ae3a9e0acad3eb31  
2010.0/i586/ruby-devel-1.8.7-9p174.1mdv2010.0.i586.rpm
 a5889305c1e1efe0306e87e0e0584905  
2010.0/i586/ruby-doc-1.8.7-9p174.1mdv2010.0.i586.rpm
 e04504a888df5b80242b430253d01ebe  
2010.0/i586/ruby-tk-1.8.7-9p174.1mdv2010.0.i586.rpm 
 bb56bb35355c556f4be4e11bcf53cc93  
2010.0/SRPMS/ruby-1.8.7-9p174.1mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 75230d955e7f28d6fbbe0efb5069b2d2  
2010.0/x86_64/ruby-1.8.7-9p174.1mdv2010.0.x86_64.rpm
 085cb4af83feef546a9cf6a3929c5c51  
2010.0/x86_64/ruby-devel-1.8.7-9p174.1mdv2010.0.x86_64.rpm
 9e35d282e30588fa843b4edc36808068  
2010.0/x86_64/ruby-doc-1.8.7-9p174.1mdv2010.0.x86_64.rpm
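The bug class behind CVE-2009-4492 is a log writer that copies raw request bytes into a file that an administrator later views on a terminal. The following is an added example, not WEBrick's or Mandriva's code: a C routine that rewrites every non-printable byte (and the backslash, so the escaped form is unambiguous) as \xNN before the line is logged, plus a check that confirms nothing a terminal would act on survives. The sample request line is constructed for this example and carries the xterm "set window title" sequence (ESC ] 0 ; ... BEL), the effect the advisory describes.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Rewrite a raw request line for logging. Every byte outside printable ASCII
 * (0x20..0x7e), plus the backslash itself, is emitted as \xNN, so an ESC
 * (0x1b) sequence or a bare CR/LF inside the request reaches the log as
 * plain text instead of as a live control sequence. Returns the number of
 * bytes written (excluding the terminating NUL), or -1 if out is too small. */
int sanitize_for_log(const char *in, size_t in_len, char *out, size_t out_cap)
{
    size_t o = 0;
    if (out_cap == 0)
        return -1;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c >= 0x20 && c <= 0x7e && c != '\\') {
            if (o + 1 >= out_cap)              /* room for the byte and a NUL */
                return -1;
            out[o++] = (char)c;
        } else {
            if (o + 4 >= out_cap)              /* room for \xNN and a NUL */
                return -1;
            o += (size_t)snprintf(out + o, out_cap - o, "\\x%02x", c);
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Returns 1 if the buffer still carries a byte a terminal would treat as
 * control data (C0 controls or DEL). Use it to check sanitize_for_log's output. */
int has_control_bytes(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < 0x20 || c == 0x7f)
            return 1;
    }
    return 0;
}

/* Constructed sample (not a captured request): the xterm title-setting
 * sequence ESC ] 0 ; pwned BEL embedded in the request path. */
static const char SAMPLE_REQUEST[] = "GET /\x1b]0;pwned\x07 HTTP/1.1";

int main(void)
{
    char line[128];
    size_t raw_len = sizeof SAMPLE_REQUEST - 1;
    int n = sanitize_for_log(SAMPLE_REQUEST, raw_len, line, sizeof line);

    printf("raw request carries control bytes: %d\n",
           has_control_bytes(SAMPLE_REQUEST, raw_len));
    printf("logged form (%d bytes): %s\n", n, line);
    printf("logged form carries control bytes: %d\n",
           n < 0 ? -1 : has_control_bytes(line, (size_t)n));
    return 0;
}
```

The caller-supplied buffer and the -1 return are deliberate: a logger that silently truncates an over-long escaped line can itself be steered into dropping the bytes that would have shown the attack.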
 

[Full-disclosure] Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack

2010-01-19 Thread Tavis Ormandy
Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack
-

CVE-2010-0232

In order to support BIOS service routines in legacy 16bit applications, the
Windows NT Kernel supports the concept of BIOS calls in the Virtual-8086 mode
monitor code. These are implemented in two stages, the kernel transitions to
the second stage when the #GP trap handler (nt!KiTrap0D) detects that the
faulting cs:eip matches specific magic values.

Transitioning to the second stage involves restoring execution context and
call stack (which had been previously saved) from the faulting trap frame once
authenticity has been verified.

This verification relies on the following incorrect assumptions:

  - Setting up a VDM context requires SeTcbPrivilege.
  - ring3 code cannot install arbitrary code segment selectors.
  - ring3 code cannot forge a trap frame.

This is believed to affect every release of the Windows NT kernel, from
Windows NT 3.1 (1993) up to and including Windows 7 (2009).

Working out the details of the attack is left as an exercise for the reader.

Just kidding, that was an homage to Derek Soeder :-)

- Assumption 0: Setting up a VDM context requires SeTcbPrivilege.

Creating a VDM context requires EPROCESS->Flags.VdmAllowed to be set in order
to access the authenticated system service, NtVdmControl(). VdmAllowed can
only be set using NtSetInformationProcess(), which verifies the caller has
SeTcbPrivilege. If this is true, the caller is very privileged and can
certainly be trusted.

This restriction can be subverted by requesting the NTVDM subsystem, and then
using CreateRemoteThread() to execute in the context of the subsystem process,
which will already have this flag set.

- Assumption 1: ring3 code cannot install arbitrary code segment selectors.

Cpl is usually equal to the two least significant bits of cs and ss, and is
a simple way to calculate the privilege of a task. However, there is an
exception, Virtual-8086 mode.

Real mode uses a segmented addressing scheme in order to allow 16-bit
addresses to access the 20-bit address space. This is achieved by forming
physical addresses from a calculation like (cs << 4) + (eip & 0xffff). The
same calculation is used to map the segmented real address space onto the
protected linear address space in Virtual-8086 mode. Therefore, I must be
permitted to set cs to any value, and checks for disallowed or privileged
selectors can be bypassed (PsSetLdtEntries will reject any selector where any
of the three lower bits are unset, as is the case with the required cs pair).

- Assumption 2: ring3 code cannot forge a trap frame.

Returning to usermode with iret is a complicated operation, the pseudocode for
the iret instruction alone spans several pages of Intel's Software Developers
Manual. The operation occurs in two stages, a pre-commit stage and a
post-commit stage. Using the VdmContext installed using NtVdmControl(), an
invalid context can be created that causes iret to fail pre-commit, thus
forging a trap frame.

The final requirement involves predicting the address of the second-stage BIOS
call handler. The address is static in Windows 2003, XP and earlier operating
systems, however, Microsoft introduced kernel base randomisation in Windows
Vista. Unfortunately, this potentially useful exploit mitigation is trivial
to defeat locally as unprivileged users can simply query the loaded module list
via NtQuerySystemInformation().


Affected Software


All 32bit x86 versions of Windows NT released since 27-Jul-1993 are believed to
be affected, including but not limited to the following actively supported
versions:

- Windows 2000
- Windows XP
- Windows Server 2003
- Windows Vista
- Windows Server 2008
- Windows 7


Consequences
---

Upon successful exploitation, the kernel stack is switched to an attacker
specified address.

An attacker would trigger the vulnerability by setting up a specially
formed VDM_TIB in their TEB, using a code sequence like this:

/* ... */
// Magic CS required for exploitation
Tib.VdmContext.SegCs = 0x0B;
// Pointer to fake kernel stack
Tib.VdmContext.Esi = KernelStack;
// Magic IP required for exploitation
Tib.VdmContext.Eip = Ki386BiosCallReturnAddress;

NtCurrentTeb()->Reserved4[0] = &Tib;
/* ... */

Followed by

/* ... */
NtVdmControl(VdmStartExecution, NULL);
/* ... */

Which will reach the following code sequence via the #GP trap handler,
nt!KiTrap0D. Please note how the stack pointer is restored from the saved
(untrusted) trap frame at 43C3E6, undoubtedly resulting in the condition
described above.

/* ... */
.text:0043C3CE Ki386BiosCallReturnAddress proc near
.text:0043C3CE mov eax, large fs:KPCR.SelfPcr
.text:0043C3D4 mov edi, [ebp+KTRAP_FRAME.Esi]
.text:0043C3D7 mov edi, [edi]
.text:0043C3D9 mov
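Assumption 1 turns on one 16-bit value being read two different ways. As an added example (not code from the advisory), the following C decodes the magic cs value 0x0B from the snippet above both as a protected-mode selector and as a Virtual-8086 segment base. The selector rule is a model of what the advisory says PsSetLdtEntries enforces (reject any selector with one of the three low bits unset), not the kernel's code; the real-mode address formula is the one the advisory gives.

```c
#include <stdint.h>
#include <stdio.h>

/* Protected-mode reading of a 16-bit segment register value: bits 15..3 index
 * a descriptor table, bit 2 (TI) selects GDT (0) or LDT (1), bits 1..0 are
 * the requested privilege level. */
typedef struct {
    unsigned index;
    unsigned ti;
    unsigned rpl;
} selector_fields;

selector_fields decode_selector(uint16_t sel)
{
    selector_fields f;
    f.index = sel >> 3;
    f.ti    = (sel >> 2) & 1u;
    f.rpl   = sel & 3u;
    return f;
}

/* Model of the acceptance rule the advisory attributes to PsSetLdtEntries:
 * a selector is rejected when any of its three low bits is unset, so only
 * RPL-3 LDT selectors can be installed from user mode. Model only. */
int ldt_selector_rejected(uint16_t sel)
{
    return (sel & 0x7u) != 0x7u;
}

/* Virtual-8086 reading of the same 16 bits: a real-mode segment base. The
 * linear address is (cs << 4) + (eip & 0xffff). No descriptor is consulted,
 * so no selector check applies and any value is usable. */
uint32_t v86_linear_address(uint16_t cs, uint32_t eip)
{
    return ((uint32_t)cs << 4) + (eip & 0xffffu);
}

int main(void)
{
    uint16_t magic_cs = 0x0B;            /* value from the advisory's snippet */
    uint16_t user_ldt = 0x0F;            /* index 1, TI=1, RPL=3: what user mode may install */
    selector_fields f = decode_selector(magic_cs);

    printf("cs=0x%04x as selector: index=%u TI=%u RPL=%u -> %s\n",
           magic_cs, f.index, f.ti, f.rpl,
           ldt_selector_rejected(magic_cs) ? "rejected (TI bit unset)" : "accepted");
    printf("cs=0x%04x as selector: %s\n", user_ldt,
           ldt_selector_rejected(user_ldt) ? "rejected" : "accepted");
    printf("cs=0x%04x in V86 mode: base=0x%05x, cs:eip=%04x:%04x -> linear 0x%05x\n",
           magic_cs, (unsigned)magic_cs << 4, magic_cs, 0x1234u,
           (unsigned)v86_linear_address(magic_cs, 0x1234u));
    return 0;
}
```

Run it and the point of the advisory's second assumption is visible in two lines: 0x0B is a GDT selector with RPL 3 that the LDT path refuses, yet in Virtual-8086 mode it is simply the segment base 0xB0 and nothing checks it.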

Re: [Full-disclosure] All China, All The Time

2010-01-19 Thread Densmore, Todd
Mark, Dan, Smasher, etc. Thanks for the feedback.

I saw the thread this weekend, but I had to wait until today to respond. My 
main motivation was to point out that there is no free lunch, and often even 
security professionals forget to think critically. It was not meant to be a 
thorough assessment of the actual 0-day. However I appreciate the correction, 
the details of the exploit, and the observation that its sophistication was 
probably exaggerated in the media.

I have changed some implicit wording in the article about China and added an 
addendum to the blog to clarify the exploit and thank sources.

~todd

Todd Densmore
HP Software - Application Security Center
todd.densm...@hp.com
770.343.7054 Office



[Full-disclosure] [ MDVSA-2010:018 ] phpMyAdmin

2010-01-19 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:018
 http://www.mandriva.com/security/
 ___

 Package : phpMyAdmin
 Date: January 19, 2010
 Affected: Corporate 4.0
 ___

 Problem Description:

 Multiple vulnerabilities have been found and corrected in phpMyAdmin:
 
 libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 creates
 a temporary directory with 0777 permissions, which has unknown impact
 and attack vectors (CVE-2008-7251).
 
 libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 uses
 predictable filenames for temporary files, which has unknown impact
 and attack vectors (CVE-2008-7252).
 
 scripts/setup.php (aka the setup script) in phpMyAdmin 2.11.x before
 2.11.10 calls the unserialize function on the values of the (1)
 configuration and (2) v[0] parameters, which might allow remote
 attackers to conduct cross-site request forgery (CSRF) attacks via
 unspecified vectors (CVE-2009-4605).
 
 This update provides phpMyAdmin 2.11.10, which is not vulnerable to
 these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7251
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7252
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4605
 http://www.phpmyadmin.net/home_page/security/PMASA-2010-1.php
 http://www.phpmyadmin.net/home_page/security/PMASA-2010-2.php
 http://www.phpmyadmin.net/home_page/security/PMASA-2010-3.php
 ___

 Updated Packages:

 Corporate 4.0:
 e03dbf68c5d28f28c6937d81a4e8c9aa  
corporate/4.0/i586/phpMyAdmin-2.11.10-0.1.20060mlcs4.noarch.rpm 
 6ccf82f206cf5bf67073055a1954668f  
corporate/4.0/SRPMS/phpMyAdmin-2.11.10-0.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 c1b99fd5d52f53f1bbd5fc56a99654de  
corporate/4.0/x86_64/phpMyAdmin-2.11.10-0.1.20060mlcs4.noarch.rpm 
 6ccf82f206cf5bf67073055a1954668f  
corporate/4.0/SRPMS/phpMyAdmin-2.11.10-0.1.20060mlcs4.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLVeaemqjQ0CJFipgRAh6qAKCsqDZhji1dmY2d0s4meXin5VQYiQCgirsS
wR0MMOPv9tCsrLdQfteLphE=
=N7cm
-END PGP SIGNATURE-



Re: [Full-disclosure] MouseOverJacking attacks

2010-01-19 Thread T Biehn
Hello MustLive!
Thanking you for taking a personal approach to all of your list admirers!

Prosperous futures abound!

A missive granted in thy honor sweet prince of XSS.

On Sun, Jan 17, 2010 at 4:33 PM, MustLive mustl...@websecurity.com.ua wrote:
 Hello Travis!

 Thanks for your attention to my article about MouseOverJacking attacks.

 If you read the HTML specification you can find all sorts of XSS
 attack vectors that people just assumed would be redundant to write
 entire articles on!

 Yes, I'm familiar with the HTML specification (as a web developer since the
 beginning of 1999) and I know about the different events in HTML. And as a
 web security professional I know a lot of XSS vectors.

 Many of the events in HTML are not widespread enough (or not usable enough)
 for XSS attacks to write entire articles about them, but such ones as onclick
 and onmouseover are worth entire articles. A lot was said about attacks via
 onclick in 2008, so I decided to speak about onmouseover in 2009 (because it
 is worth it).

 P.S.

 Because Jeff is already in my blacklist, as I mentioned to the list, there is
 no need to send me his letters in the future. If you decide to answer me,
 then write me directly.

 Best wishes & regards,
 MustLive
 Administrator of Websecurity web site
 http://websecurity.com.ua

 - Original Message - From: T Biehn tbi...@gmail.com
 To: Jeff Williams jeffwilli...@gmail.com
 Cc: MustLive mustl...@websecurity.com.ua;
 full-disclosure@lists.grok.org.uk
 Sent: Tuesday, January 05, 2010 4:53 PM
 Subject: Re: [Full-disclosure] MouseOverJacking attacks


 Hey MustLive!
 If you read the HTML specification you can find all sorts of XSS
 attack vectors that people just assumed would be redundant to write
 entire articles on!

 Here!
 http://www.w3.org/TR/REC-html40/interact/scripts.html

 -Travis

 On Sun, Jan 3, 2010 at 10:29 PM, Jeff Williams jeffwilli...@gmail.com
 wrote:

 Thanks for your wishes MustDie;

 Do you consider yourself as an oz XSS ninja ?

 Did your C.V. end in the OWASP trash bin?

 And how the fuck did you come up with a nickname like that?



 Let us know, we truly give a shit about your life, and xss.






 --
 FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
 http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
 http://pastebin.com/f6fd606da





-- 
FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da



Re: [Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs

2010-01-19 Thread omg wtf
Apparently not. Read Google's Response:

2010.01.14: Google Security Team informs me, that uploaded files will be
   now scanned for malware. Google Gadgets will be not updated.

On Tue, Jan 19, 2010 at 7:11 AM, dramacrat yirim...@gmail.com wrote:

 This is the stupidest advisory I have read on this list in at least two
 months.


[Full-disclosure] [CORELAN-10-006] BOF Vulnerability in S.O.M.P.L. Player

2010-01-19 Thread Security

|--|
|  |
|   http://www.corelan.be:8800 |
|  secur...@corelan.be |
|  |
|-[ EIP Hunters ]--|
|  |
| Vulnerability Disclosure Report  |
|  |
|--|

Advisory: CORELAN-10-006
Disclosure date : 20 January 2010
http://www.corelan.be:8800/index.php/forum/security-advisories/


0x00 : Vulnerability information


[*] Product : S.O.M.P.L player
[*] Version : 1.0
[*] Vendor : George Fesalides
[*] URL : http://sourceforge.net/projects/somplmp3/files/
[*] URL2 : http://www.softpedia.com/progDownload/SOMPL-Download-144999.html
[*] Platform : Windows
[*] Type of vulnerability : Buffer Overflow 
[*] Risk rating : Medium 
[*] Issue fixed in version : ???
[*] Vulnerability discovered by : Rick2600 
[*] Greetings to : corelanc0d3r, EdiStrosar, mr_me, ekse, MarkoT, sinn3r


0x01 : Vendor description of software
-
S.O.M.P.L. is a Simple Open Music Player that plays mp3 files. This player loads
mp3 files and stores them in a playlist. It includes features such as random
track selection, track repetition, loading playlists, and saving playlists.



0x02 : Vulnerability details

The discovered vulnerability allows an attacker to send a crafted malicious
playlist (M3U) whereby the user could be tricked into executing unauthorized
commands. In order for the vulnerability to be triggered, an end user must be
tricked into loading a malicious playlist (M3U) in SOMPL.

Crash information :

(dc.e4): Access violation - code c005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=41414141 ecx= edx= esi=0012eb48 edi=
eip=40004ae4 esp=0012eb18 ebp=0012fb4c iopl=0 nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs= efl=0246
VCL50!SystemLStrClr$qqrr17SystemAnsiString:
40004ae4 8b10mov edx,dword ptr [eax]  ds:0023:41414141=
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:000 !exchain
0012eb2c: VCL50!StdctrlsTRadioButtonCNCommand$qqrr19MessagesTWMCommand+e6 
(40048762)
0012fb7c: 41414141
Invalid exception stack at 41414141


!pvefindaddr findmsp :

Log data
0BADF00D   
-
0BADF00D   Searching for metasploit pattern references
0BADF00D   
-
0BADF00D   [1] Checking register addresses and contents
0BADF00D   
0BADF00D   Register EDI points to Metasploit pattern at position 0
0BADF00D   Register EAX is overwritten with Metasploit pattern at position 4096
0BADF00D   Register EBP points to Metasploit pattern at position 4100
0BADF00D   Register EDX points to Metasploit pattern at position 0
0BADF00D   Register EBX is overwritten with Metasploit pattern at position 4096
0BADF00D   Register ESI points to Metasploit pattern at position 0
0BADF00D   [2] Checking seh chain
0BADF00D   ==
0BADF00D- Checking seh chain entry at 0x0012eb2c, value 40048762
0BADF00D- Checking seh chain entry at 0x0012fb7c, value 46346946
0BADF00D  = record is overwritten with Metasploit pattern at position 4152
0BADF00D   
-





0x03 : Vendor communication
---
[*] 28 dec 2009 : Vendor contacted - no reply
[*] 09 jan 2010 : Vendor contacted again - still no reply
[*] 20 jan 2010 : Public disclosure


0x04 : Exploit/PoC
--

# Exploit Title : SOMPL Player Buffer Overflow
# Date  : 20 January 2010
# Author: Rick2600 (ricks2600[at]gmail{dot}com)
# Bug found by  : Rick2600 (ricks2600[at]gmail{dot}com)
# Software Link : 
http://www.softpedia.com/progDownload/SOMPL-Download-144999.html
# Version   : 1.0
# Issue fixed in: ???
# OS: Windows
# 

[Full-disclosure] [Onapsis Security Advisory 2010-001] SAP WebAS Integrated ITS Remote Command Execution

2010-01-19 Thread Onapsis Research Labs

Onapsis Security Advisory 2010-001: SAP WebAS Integrated ITS Remote Command 
Execution

This advisory can be downloaded from http://www.onapsis.com/research.html.
By downloading this advisory from the Onapsis Resource Center, you will gain 
access to beforehand information on upcoming advisories, presentations
and new research projects from the Onapsis Research Labs.


1. Impact on Business
=

By exploiting this vulnerability, an internal or external attacker would be
able to execute arbitrary remote commands on vulnerable SAP Web Application
Servers, taking complete control of the SAP system.

With these privileges, he would be able to obtain, create, modify and/or delete 
any business related information stored in the vulnerable SAP system.

- Risk Level: High


2. Advisory Information
===

- Release Date: 2010-01-19

- Last Revised: 2010-01-19

- Security Advisory ID: ONAPSIS-2010-001

- Onapsis SVS ID: ONAPSIS-06

- Researcher: Mariano Nuñez Di Croce


3. Vulnerability Information


- Vendor: SAP

- Affected Components:

. SAP Kernel 6.40 Patch Level  312
. SAP Kernel 7.00 Patch Level  235
. SAP Kernel 7.01 Patch Level  72

- Vulnerability Class: Buffer Overflow

- Remotely Exploitable: Yes

- Locally Exploitable: Yes

- Authentication Required: Yes


4. Affected Components Description
==

The SAP Web Application Server (WebAS) is the application platform of the SAP 
NetWeaver, which is the basis for the other NetWeaver components. With
the SAP Web Application Server you can implement both server-based and 
client-based Web applications.

As of SAP NetWeaver 04, the ITS is now integrated into the SAP NetWeaver 
component SAP Web Application Server as an Internet Communication Framework
(ICF) service, which can, like other services, be accessed through the Internet 
Communication Manager (ICM). With the SAP Web Application Server with
integrated ITS functionality, the Web browser communicates directly with the 
SAP system.

The integrated ITS is widely used among SAP implementations, the Webgui
service being one of the most common services. This service provides access to
the SAP system through a SAPGUI HTML interface, enabling end-users to access
the server through a regular Internet browser.


5. Vulnerability Details


Due to the significant risk of this vulnerability to critical business 
solutions, Onapsis is not distributing technical details about it to the
general public at this moment in order to provide enough time to affected 
customers to patch their systems and protect against the exploitation of the
described vulnerability.


6. Solution
===

SAP has released SAP Note 1414112, which provides a patched version of the 
affected components.

This patch can be downloaded from 
https://service.sap.com/sap/support/notes/1414112.

Onapsis highly recommends that SAP customers download the related security fix
and apply it to the affected components in order to reduce business risks.


7. Report Timeline
==

. 2009-11-24: Onapsis provides vulnerability information to SAP.
. 2009-11-24: SAP confirms reception of vulnerability submission.
. 2009-12-12: SAP releases security patch.
. 2010-01-14: Onapsis coordinates release of security advisory with SAP.
. 2010-01-19: Onapsis releases security advisory.


8. About Onapsis Research Labs
==

Onapsis is continuously investing resources in the research of the security of 
business critical systems and applications.

With that objective in mind, a special unit – the Onapsis Research Labs – has 
been developed since the creation of the company. The experts involved
in this special team lead the public research trends in this matter, having 
discovered and published many of the public security vulnerabilities in
these platforms.

The outcome of this advanced and cutting-edge research is continuously provided 
to the Onapsis Consulting and Development teams, improving the quality
of our solutions and enabling our customers to be protected from the latest 
risks to their critical business information.

Furthermore, the results of these research projects are usually shared with the
general security and professional community, encouraging the sharing of
information and increasing the common knowledge in this field.


9. About Onapsis


Onapsis is the leading provider of solutions for the security of 
business-critical systems and applications.

Through different innovative products and services, Onapsis helps its global 
customers to effectively increase the security level of their core
business platforms, protecting their information and decreasing financial fraud 
risks.

Onapsis is built upon a team of world-renowned experts in the 

Re: [Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs

2010-01-19 Thread Rohit Patnaik
Yeah, no kidding.  Surprise! Untrusted files can be malicious.  If you
accept files from those whom you do not trust, whether it's via e-mail,
instant message, Google Wave, or physical media, you well and truly deserve
the virus that'll eventually infect your machine.

-- Rohit Patnaik

On Tue, Jan 19, 2010 at 7:11 AM, dramacrat yirim...@gmail.com wrote:

 This is the stupidest advisory I have read on this list in at least two
 months.

 2010/1/19 NSO Research nso-resea...@sotiriu.de


Re: [Full-disclosure] All China, All The Time

2010-01-19 Thread Ivan .
Now, by analyzing the software used in the break-ins against Google
and dozens of other companies, Joe Stewart, a malware specialist with
SecureWorks, a computer security company based in Atlanta, said he
determined the main program used in the attack contained a module
based on an unusual algorithm from a Chinese-authored technical paper
that has been published exclusively on Chinese-language Web sites.

http://news.cnet.com/Evidence-found-of-Chinese-attack-on-Google/2100-7349_3-6250413.html?tag=newsEditorsPicksArea.0

On Wed, Jan 20, 2010 at 6:51 AM, Densmore, Todd todd.densm...@hp.com wrote:
 Mark, Dan, Smasher, etc. Thanks for the feedback.

 I saw the thread this weekend, but I had to wait until today to respond. My 
 main motivation was to point out that there is no free lunch, and often even 
 security professionals forget to think critically. It was not meant to be a 
 thorough assessment of the actual 0-day. However I appreciate the correction, 
 the details of the exploit, and the observation that its sophistication was 
 probably exaggerated in the media.

 I have changed some implicit wording in the article about China and added an 
 addendum to the blog to clarify the exploit and thank sources.

 ~todd

 Todd Densmore
 HP Software - Application Security Center
 todd.densm...@hp.com
 770.343.7054 Office



Re: [Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs

2010-01-19 Thread Valdis . Kletnieks
On Tue, 19 Jan 2010 19:01:36 CST, Rohit Patnaik said:
 Yeah, no kidding.  Surprise! Untrusted files can be malicious.  If you
 accept files from those whom you do not trust, whether its via e-mail,
 instant message, Google Wave, or physical media, you well and truly deserve
 the virus that'll eventually infect your machine.

Let's see.. *HOW* many years ago did we first see e-mail based viruses that
depended on people opening them because they came from people they already
knew?  'CHRISTMA EXEC' in 1984 comes to mind.

The problem here is that Google Wave is for *collaboration* - which means
that you're communicating with people you already know, and presumably
trust to some degree or other. "Hey Joe, look at this PDF and tell me
what you think" is something reasonable when the request comes from somebody
who Joe knows and who has sent Joe PDFs in the past.

I guarantee that if every time you receive a document that appears to be from
your boss, you call back and ask if they really intended to send a document or
if it's a virus, your boss will get very cranky with you very fast.

Let's look at that original advisory again:

 An attacker could upload his malware to a wave and share it to his
 Google Wave contacts.

Now change that to "An attacker could trick/pwn some poor victim into uploading
the malware to a wave". Hilarity ensues.




