Re: [Full-disclosure] Google Maps XSS (currently unpatched)

2010-02-03 Thread wac
> First of all, "security" is a myth. One can presume they're "secure"
> (or secluded) from danger sitting behind a firewall, but to do so is
> just foolish.

Something is better than nothing ;).

> People in power love to say "if you have nothing to hide then nothing to
> worry about" when it comes to tracking, keeping data, searching data etc
> etc 1984 et al...but this is wrong. I'm not doing anything wrong in my
> eyes, but that may mean toppling the overbearing government that
> wants us all chipped, so my privacy is worth a lot. Once it's too late,
> it will be very difficult to get privacy back.

Yet worse than being chipped is that somebody is looking forward to harming
you, even if they don't know you and even if you don't know them either. Never
forget about that.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs

2010-02-03 Thread wac
In any case I wonder how much Google is going to respect corporate or industry
secrets, or all that stuff you don't want them to know, with Google Wave. The best
thing to do is not to use it. I really doubt that it is an improvement and
I think I will hardly ever need it. It's just more fanboi food. (Knowing Gmail
the way I know it, and having left it for public stuff only the way I left it.)

On Thu, Jan 21, 2010 at 5:28 AM, dramacrat  wrote:

> inb4 front page news
>
> 2010/1/21 
>
>> > Well, that's exactly what I'm saying.  Pretending that this is some kind
>> > new exploit class simply because Google Wave is used is stupid.  This is
>> > the logical extension of e-mail and instant message and social network
>> > attacks to the next potential platform.
>>
>> Following in the history of the security community, we should coin a
>> buzzword on this old issue with a new spin.
>> WaveJacking sounds like a perfect fit.
>>
>> > On Tue, Jan 19, 2010 at 8:10 PM,  wrote:
>> >
>> > > On Tue, 19 Jan 2010 19:01:36 CST, Rohit Patnaik said:
>> > > > Yeah, no kidding.  Surprise! Untrusted files can be malicious.  If
>> > > > you accept files from those whom you do not trust, whether it's via
>> > > > e-mail, instant message, Google Wave, or physical media, you well and
>> > > > truly deserve the virus that'll eventually infect your machine.
>> > >
>> > > Let's see.. *HOW* many years ago did we first see e-mail based viruses
>> > > that depended on people opening them because they came from people they
>> > > already knew?  'CHRISTMA EXEC' in 1984 comes to mind.
>> > >
>> > > The problem here is that Google Wave is for *collaboration* - which
>> > > means that you're communicating with people you already know, and
>> > > presumably trust to some degree or other. "Hey Joe, look at this PDF
>> > > and tell me what you think" is something reasonable when the request
>> > > comes from somebody who Joe knows and who has sent Joe PDF's in the
>> > > past.
>> > >
>> > > I guarantee that if every time you receive a document that appears to
>> > > be from your boss, you call back and ask if they really intended to
>> > > send a document or if it's a virus, your boss will get very cranky
>> > > with you very fast.
>> > >
>> > > Let's look at that original advisory again:
>> > >
>> > > >> An attacker could upload his malware to a wave and share it to his
>> > > >> Google Wave contacts.
>> > >
>> > > Now change that to "An attacker could trick/pwn some poor victim into
>> > > uploading the malware to a wave"  Hilarity ensues.
>> > >
>> >

[Full-disclosure] Hackito Ergo Sum 2010 - Call For Paper - HES2010 CFP

2010-02-03 Thread endrazine
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Hackito Ergo Sum 2010 - Call For Paper - HES2010 CFP
http://hackitoergosum.org

The Hackito Ergo Sum conference will be held from April 8th to 10th, 2010 in
Paris, France.
It is part of the "Hacker Space Fest" series of conferences, held since 2008
in France and all over Europe.

HES2010 will focus on hardcore computer security, insecurity,
vulnerability analysis, reverse engineering, research and hacking.

INTRO
The goal of this conference is to promote security research, broaden
public awareness and create an open forum so that communication between
the researcher, the security industry, the experts and the public can
happen.

A recent court decision in France convicted a security researcher for
disclosing vulnerabilities and exploits. Such laws (similar to the one in
Germany), descended from the USA's DMCA, are steering freedom of research
and knowledge into a situation where "illegal knowledge" can exist,
restricted to the few blessed by the government's silent approval and the
military. Scientific research and public information cannot be made into
another state monopoly, where "some" can study and publish and "some
others" cannot.
Such an approach just shows how misinformed some politicians are and how
little they understand the struggle they are acting in.

Not understanding that the best way to improve security is to attack it
shows the lack of maturity of some stakeholders, cut off as they are from
independent information sources.
This is where our ethics and responsibility are to say "No, we have a
right to free information and true independence in research", and this
responsibility belongs to everybody, not just to academically blessed
scientists.

This conference will try to take all voices into account in order to reach
a balanced position regarding research and security, inviting businesses,
governmental actors, researchers, professionals and the general public to
share concerns, approaches and interests.
During three days, research talks, solution presentations, panels and
debates will aim at finding synthetic and balanced solutions to the current
situation.


CONTENT

> Research Track:
We expect submissions in English or French, English preferred.
The format will be a 45-minute presentation + 10 minutes of Q&A.

For the research track, preference will be given to offensive, innovative
and highly technical proposals covering (but not restricted to) the topics
below:

Attacking Software
* Vulnerability discovery (and automating it!)
* Non-x86 exploitation
* Fuzzing with SMT and its limits
* New classes of software vulnerabilities and new methods to detect
software bugs (source or binary based)
* Reverse Engineering tools and techniques
* Static analysis (source or binary, Lattices to blind analysis, new
languages and targets strongly encouraged)
* Unpacking
* Current exploitation on Gnu/Linux WITH GRsecurity / SElinux / OpenWall
/ SSP and other current protection methods
* Kernel land exploits (new architectures or remote only)
* New advances in Attack frameworks and automation

Attacking Infrastructures
* Exotic Network Attacks
* Telecom (from VoIP to SS7 to GSM & 3G RF hacks)
* Financial and Banking institutions
* SCADA and the industrial world, applied.
* Governmental firewalls and their limits (Australia, France's HADOPI,
China, Iran, Denmark, Germany, ...)
* Satellites, Military, Intelligence data collection backbones ("I
hacked Echelon and I would like to share")
* Non-IP (SNA, ISO, make us dream...)
* Red-light and other public utilities control networks
* M2M

Attacking Hardware
* Hardware reverse engineering (and exploitation + backdooring)
* Femto-cell hacking (3G, LTE, ...)
* Microchip grinding, opening, imaging and reverse engineering
* BIOS and otherwise low-level exploitation vectors
* Real-world SMM usage! We know it's vulnerable, now let's do something
* WiFi drivers and System on Chip (SoC) overflow, exploitation and
backdooring.
* Gnu Radio hacking applied to new domains
* Toll-booth and fast-lane payment systems

Attacking Crypto
* Practical crypto attacks from the hacker's perspective (RCE,
bruteforce, ...)
* SAT-solver applied to cryptanalysis
* Algorithm strength modeling and evaluation metrics
* Hashing functions pre-image attacks
* Crypto where you wouldn't think there is

We highly encourage any other presentation topic that we may not even
imagine.

Required information:
* Presenter's name
* Bio
* Presentation Title
* Description
* Demo?
* Needs: Internet? Others?
* Company (name) or Independent?
* Address
* Phone
* Email

Send your submission to:
hes2010-cfp __AT__ lists.hackitoergosum.org


> Business & Society Track:
Format:
20-minute slots to present a tool, an innovative product, a solution
(commercial, open source, free); a customer experience or open research
domain; a societal issue or a subject of public interest.

Demos are mandatory for tool, product or solutions presentations.

Re: [Full-disclosure] win7x64 Direct General

2010-02-03 Thread Rohit Patnaik
Poetry?  Or a security advisory?  You decide!

-- Rohit Patnaik

2010/2/3 yuange 

> win7x64 Direct General
> 2010-02-03 23:38
>
> Spent a whole day getting win7x64 installed on this lousy machine, and the
> result is that it is still universal and works against everything; I am
> speechless at myself.
> If Microsoft doesn't headhunt me with a ten-million salary, it would simply
> be an injustice to the universality of this program of mine.
>
> http://translate.googleusercontent.com/translate_c?hl=zh-CN&sl=zh-CN&tl=en&u=http://hi.baidu.com/yuange1975/blog/item/022dec59443c4d212834f041.html&rurl=translate.google.cn&usg=ALkJrhg-C-arlz2AxJEkRSQznuAAoSqdNg#comment
>

[Full-disclosure] Google apps letter

2010-02-03 Thread Philippe Ouellet

Dear Google Apps admin,

In order to continue to improve our products and deliver more  
sophisticated features and performance, we are harnessing some of the  
latest improvements in web browser technology.  This includes faster  
JavaScript processing and new standards like HTML5.  As a result, over  
the course of 2010, we will be phasing out support for Microsoft  
Internet Explorer 6.0 as well as other older browsers that are not  
supported by their own manufacturers.


We plan to begin phasing out support of these older browsers on the  
Google Docs suite and the Google Sites editor on March 1, 2010.  After  
that point, certain functionality within these applications may have  
higher latency and may not work correctly in these older browsers.  
Later in 2010, we will start to phase out support for these browsers  
for Google Mail and Google Calendar.


Google Apps will continue to support Internet Explorer 7.0 and above,  
Firefox 3.0 and above, Google Chrome 4.0 and above, and Safari 3.0 and  
above.


Starting this week, users on these older browsers will see a message  
in Google Docs and the Google Sites editor explaining this change and  
asking them to upgrade their browser.  We will also alert you again  
closer to March 1 to remind you of this change.


In 2009, the Google Apps team delivered more than 100 improvements to  
enhance your product experience.  We are aiming to beat that in 2010  
and continue to deliver the best and most innovative collaboration  
products for businesses.


Thank you for your continued support!

Sincerely,

The Google Apps team


Email preferences: You have received this mandatory email service  
announcement to update you about important changes to your Google Apps  
product or account.


Google Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043



IE six should have been phased out long ago.

[Full-disclosure] Creating An IP Input File for WinScanX

2010-02-03 Thread Reed Arvin
For those of you that are using WinScanX Pro, you may find the need to
create an IP input file at some point so you can cover a large range
of hosts very quickly. The following script can help you to do just
that.

http://windowsaudit.com/downloads/CreateIPInputFile.zip

Usage:

- Unzip the contents of CreateIPInputFile.zip to a folder and run the
CreateIPInputFile.vbs script.

- Enter an IP range (i.e. 192.168.1.1-192.168.10.254) and click OK.

- A new file named iprange.txt will appear in the same folder as the
CreateIPInputFile.vbs script.

- In WinScanX Pro click the Browse button to locate the iprange.txt
file, select your scan options and click Start Scan to scan all of the
hosts in the iprange.txt file.
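The post ships the range expansion as a VBScript inside a zip. As an added example (not the CreateIPInputFile.vbs script from the post, and not WinScanX code), here is the same job in Python: it takes a start-end range in the form the post gives, validates both ends, and writes one address per line to iprange.txt. The function names and the one-address-per-line layout are assumptions; the file name follows the post.

```python
"""Expand an IPv4 range written as start-end (the form the post gives,
192.168.1.1-192.168.10.254) into one address per line for a scanner's
input file. Added example, not the CreateIPInputFile.vbs script from the
post; function names and the one-address-per-line layout are assumptions."""
import ipaddress
from typing import Iterator, Tuple


def parse_range(spec: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Parse 'a.b.c.d-e.f.g.h' (or a single address) into (start, end).
    Malformed addresses and a reversed range raise ValueError, so a typo
    fails loudly instead of silently producing an empty or huge list."""
    spec = spec.strip()
    if "-" in spec:
        start_s, end_s = (part.strip() for part in spec.split("-", 1))
    else:
        start_s = end_s = spec
    start = ipaddress.IPv4Address(start_s)
    end = ipaddress.IPv4Address(end_s)
    if end < start:
        raise ValueError(f"range end {end} precedes start {start}")
    return start, end


def count_hosts(spec: str) -> int:
    """Number of addresses the range expands to, without materialising it."""
    start, end = parse_range(spec)
    return int(end) - int(start) + 1


def expand_range(spec: str) -> Iterator[str]:
    """Yield every address from start to end inclusive, in address order.
    The range is expanded literally, .0 and .255 addresses included, just
    as a start-end specification states it."""
    start, end = parse_range(spec)
    for value in range(int(start), int(end) + 1):
        yield str(ipaddress.IPv4Address(value))


def write_input_file(spec: str, path: str = "iprange.txt") -> int:
    """Write the expanded range to `path`, one address per line; returns the
    number of lines written. Streams, so a large range never sits in memory."""
    written = 0
    with open(path, "w", encoding="ascii") as fh:
        for addr in expand_range(spec):
            fh.write(addr + "\n")
            written += 1
    return written


if __name__ == "__main__":
    import sys
    spec = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1-192.168.10.254"
    print(f"{write_input_file(spec)} addresses written to iprange.txt")
```

Run it with the range as the only argument; the range from the post expands to 2558 lines. Counting before writing is useful when a typo in the third octet would otherwise turn a subnet into a few million lines.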



Get WinScanX Pro for just $10 this month (regularly $250)!

http://www.windowsaudit.com/



Re: [Full-disclosure] anybody know good service for cracking md5?

2010-02-03 Thread Christian Sciberras
Actually dictionary attacks seem to work quite well, especially for common
users who typically use dictionary and/or well known passwords (such as
the infamous "password").
Another idea which seems to be cropping up is the use of hash tables with a
list of known passwords rather than the dictionary approach.
Personally, I find the hash table one quite successful, considering that it
targets password groups rather than a load of wild guesses.

Cheers.




On Wed, Feb 3, 2010 at 10:26 PM,  wrote:

> On Wed, 03 Feb 2010 23:42:07 +0300, Alex said:
>
> > i find some sites which says that they can brute md5 hashes and WPA dumps
> > for 1 or 2 days.
>
> Given enough hardware and a specified md5 hash, one could at least
> hypothetically find an input text that generated that hash.  However, that
> may or may not be as useful as one thinks, as you wouldn't have control over
> what the text actually *was*.  It would suck if you were trying to crack
> a password, and got the one that was only 14 binary bytes long rather than
> the one that was 45 printable characters long. ;)
>
> Having said that, it would take one heck of a botnet to brute-force an MD5
> hash in 1 or 2 days. Given 1 billion keys/second, a true brute force of MD5
> would take on the order of 10**22 years.  If all 140 million zombied
> computers on the internet were trying 1 billion keys per second, that drops
> it down to 10**16 years or so - or about 10,000 times the universe has been
> around already.
>
> I suspect they're actually doing a dictionary attack, which has a good
> chance of succeeding in a day or two.
>

[Full-disclosure] [SECURITY] [DSA-1990-1] New trac-git packages fix code execution

2010-02-03 Thread Florian Weimer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1990-1  secur...@debian.org
http://www.debian.org/security/   Florian Weimer
February 03, 2010 http://www.debian.org/security/faq
- 

Package: trac-git
Vulnerability  : shell command injection
Problem type   : remote
Debian-specific: yes
CVE Id(s)  : CVE-2010-0394
Debian Bug : 567039

Stefan Goebel discovered that the Debian version of trac-git, the Git
add-on for the Trac issue tracking system, contains a flaw which
enables attackers to execute code on the web server running trac-git
by sending crafted HTTP queries.

The old stable distribution (etch) does not contain a trac-git package.

For the stable distribution (lenny), this problem has been fixed in
version 0.0.20080710-3+lenny1.

For the unstable distribution (sid) and the testing distribution
(squeeze), this problem has been fixed in version 0.0.20090320-1.

We recommend that you upgrade your trac-git package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Source archives:

  
http://security.debian.org/pool/updates/main/t/trac-git/trac-git_0.0.20080710-3+lenny1.dsc
Size/MD5 checksum: 1312 4357cd66c8df3ac03273f9f858d14928
  
http://security.debian.org/pool/updates/main/t/trac-git/trac-git_0.0.20080710-3+lenny1.diff.gz
Size/MD5 checksum: 4262 af5bbdd092dfe8d953bcb2183c1228c4
  
http://security.debian.org/pool/updates/main/t/trac-git/trac-git_0.0.20080710.orig.tar.gz
Size/MD5 checksum:28505 c8220478c501b7ab3e6df97cea6d2e26

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/t/trac-git/trac-git_0.0.20080710-3+lenny1_all.deb
Size/MD5 checksum:16920 d91bf3dc4b15e1c999f7dc5e65e0de65


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJLafM5AAoJEL97/wQC1SS+ChkH/i8B9Iij86LWyp7vd8QI+XJb
bgVkrtty7VjM/zjDGaPm3M6L6TeQLVVDzbVVPcZ3GkZO3sP5S+hqc5tc6der9soy
fVtV44BIIydu8u0bDQIZD44k/mC6YzwATy7rxDLz0VAblUYmgMvlPWWbRE5TIR/e
i+8bdqc7dEab0aBLNy3TwnytsVIpWZfaBOK7M49P131FV3j5W15GjYtlzP1PmyVn
0DhLrPB3KQ0l8XwdW3iSjMsWDcl3TlO7i1X6H9Ef7CXuWVYx7NDwbBnGRwx77sJB
y6PI+cXRwWLHI89Dj8LUnS4KVZ+7Kgd5ALleJvhLy6W+WswanKjotafIeLB8Ems=
=TLBg
-END PGP SIGNATURE-

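The advisory names the class (shell command injection reachable through crafted HTTP queries) without describing where in trac-git the flaw was. As an added illustration of that class, not trac-git's code and not the Debian patch, here is the generic bug pattern beside its hardened form: a request parameter spliced into a command string that a shell parses, versus allow-list validation plus an argv list with no shell involved. The handler shape, the `rev` parameter name and the `git log` command are assumptions.

```python
"""Shell command injection through an HTTP parameter, the class DSA-1990-1
assigns to trac-git, shown as a generic pattern beside its hardened form.
Added example, not trac-git's code: the 'rev' parameter and the git command
are assumptions; the advisory does not say where trac-git's flaw was."""
import re
import subprocess
from typing import List

# A git object name as hex; a revision viewer needs nothing beyond this, so
# anything else is rejected before it can reach a shell or git.
_REV_RE = re.compile(r"^[0-9a-fA-F]{4,40}$")
_SHELL_META_RE = re.compile(r"[;&|`$<>(){}\n'\"\\]")


def vulnerable_command(rev: str) -> str:
    """The bug pattern: the untrusted value is spliced into a string that a
    shell will parse (shell=True / os.system). 'abc1234; id' becomes two
    commands. Returned here, never executed."""
    return "git log -1 %s" % rev


def contains_shell_metachars(value: str) -> bool:
    """Detection-side view: does a request value carry shell metacharacters?
    Useful as a log/WAF signal, not as the fix (the fix is below)."""
    return _SHELL_META_RE.search(value) is not None


def validated_rev(rev: str) -> str:
    """Allow-list validation: fail closed on anything that is not plain hex."""
    if not _REV_RE.match(rev):
        raise ValueError("invalid revision: %r" % rev)
    return rev


def safe_argv(rev: str) -> List[str]:
    """Hardened form: validate, then build an argv list. With no shell in the
    path, metacharacters are just bytes inside one argument. The trailing
    '--' tells git the value is a revision and not a path."""
    return ["git", "log", "-1", validated_rev(rev), "--"]


def run_argv(argv: List[str]) -> subprocess.CompletedProcess:
    """Execute without a shell (shell=False is the default; stated for emphasis)."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    hostile = "abc1234; id"
    print("vulnerable string :", vulnerable_command(hostile))
    print("metachars present :", contains_shell_metachars(hostile))
    try:
        safe_argv(hostile)
    except ValueError as exc:
        print("hardened form     : rejected,", exc)
    print("hardened argv     :", safe_argv("abc1234"))
```

Both halves of the fix matter: the argv list removes the shell, and the allow-list keeps values like `--output=...` from being interpreted by git itself as options.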


Re: [Full-disclosure] anybody know good service for cracking md5?

2010-02-03 Thread Valdis . Kletnieks
On Wed, 03 Feb 2010 23:42:07 +0300, Alex said:

> i find some sites which says that they can brute md5 hashes and WPA dumps
> for 1 or 2 days.

Given enough hardware and a specified md5 hash, one could at least
hypothetically find an input text that generated that hash.  However, that
may or may not be as useful as one thinks, as you wouldn't have control over
what the text actually *was*.  It would suck if you were trying to crack
a password, and got the one that was only 14 binary bytes long rather than
the one that was 45 printable characters long. ;)

Having said that, it would take one heck of a botnet to brute-force an MD5 hash
in 1 or 2 days. Given 1 billion keys/second, a true brute force of MD5 would
take on the order of 10**22 years.  If all 140 million zombied computers on the
internet were trying 1 billion keys per second, that drops it down to 10**16
years or so - or about 10,000 times the universe has been around already.

I suspect they're actually doing a dictionary attack, which has a good chance
of succeeding in a day or two.



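To put numbers on the two replies above (Valdis's point that an exhaustive preimage search of MD5 is hopeless, and Christian's that dictionary and precomputed hash-table attacks are what actually succeed), here is an added example that is not code from either post. It computes search times at an assumed rate, builds a small hash-to-password table from a constructed wordlist, and shows why a per-user salt makes such a table useless. `WORDLIST`, the salt bytes and the rate figures are constructed; `UNIVERSE_AGE_YEARS` is the commonly cited value.

```python
"""Search-time estimates and a hash-table lookup for unsalted MD5 password
hashes, with the salted case alongside. Added example; the wordlist, salt
and rate figures are constructed inputs, not data from the thread."""
import hashlib
from typing import Dict, Iterable, Optional

SECONDS_PER_YEAR = 365.25 * 24 * 3600
UNIVERSE_AGE_YEARS = 1.38e10  # commonly cited age of the universe, in years


def search_years(keyspace: int, keys_per_second: float) -> float:
    """Years needed to try every candidate in `keyspace` at the given rate."""
    return keyspace / keys_per_second / SECONDS_PER_YEAR


def universe_ages(keyspace: int, keys_per_second: float) -> float:
    """The same search expressed in multiples of the universe's age."""
    return search_years(keyspace, keys_per_second) / UNIVERSE_AGE_YEARS


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed stand-in for a 'known passwords' list.
WORDLIST = ["password", "letmein", "qwerty", "123456", "hunter2", "correcthorse"]


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Hash every word once; the table then answers any unsalted MD5 in O(1).
    This is the 'hash table of known passwords' approach from the thread."""
    return {md5_hex(w.encode()): w for w in words}


def lookup(table: Dict[str, str], digest_hex: str) -> Optional[str]:
    """No hashing at lookup time: the work was all done when building the table."""
    return table.get(digest_hex.lower())


def salted_md5_hex(salt: bytes, password: str) -> str:
    return md5_hex(salt + password.encode())


def recover_salted(words: Iterable[str], salt: bytes, digest_hex: str) -> Optional[str]:
    """With a per-user salt the precomputed table is worthless: every candidate
    must be rehashed for this salt, and that work cannot be reused for the
    next user. (A slow KDF on top of the salt is what makes each try costly.)"""
    for w in words:
        if salted_md5_hex(salt, w) == digest_hex:
            return w
    return None


if __name__ == "__main__":
    rate = 1e9  # keys per second, the figure used in the thread
    print(f"full 128-bit preimage search: {search_years(2**128, rate):.1e} years "
          f"({universe_ages(2**128, rate):.1e} universe ages)")
    print(f"8 lowercase letters: {search_years(26**8, rate) * SECONDS_PER_YEAR:.0f} seconds")
    table = build_lookup_table(WORDLIST)
    salt = b"\x9a\x07\x51\x3c"  # constructed per-user salt
    print("unsalted lookup:", lookup(table, md5_hex(b"password")))
    print("salted lookup:  ", lookup(table, salted_md5_hex(salt, "password")))
    print("salted search:  ", recover_salted(WORDLIST, salt, salted_md5_hex(salt, "password")))
```

The contrast is the point: 2^128 candidates at 10^9 per second is on the order of 10^22 years, while a table of common passwords answers an unsalted hash instantly, and a salt only forces the table to be rebuilt per user rather than per password list.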

[Full-disclosure] CORE-2009-0625: Internet Explorer Dynamic OBJECT tag and URLMON sniffing vulnerabilities

2010-02-03 Thread Core Security Technologies Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/


Internet Explorer Dynamic OBJECT tag and URLMON sniffing vulnerabilities


1. *Advisory Information*

Title: Internet Explorer Dynamic OBJECT tag and URLMON sniffing
vulnerabilities

Advisory Id: CORE-2009-0625
Advisory URL:
http://www.coresecurity.com/content/internet-explorer-dynamic-object-tag
Date published: 2010-02-03
Date of last update: 2010-02-03
Vendors contacted: Microsoft
Release mode: User release

2. *Vulnerability Information*

Class:  [CWE-497],  [CWE-501],  [CWE-612]
Impact: Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 38055, 38056
CVE Name: N/A, CVE-2010-0255

3. *Vulnerability Description*

This advisory describes two vulnerabilities that provide access to any
file stored on a user's desktop system if it is running a vulnerable
version of Internet Explorer. These vulnerabilities can be used in
attacks combined with a number of insecure features of Internet Explorer
to provide remote access to locally stored files without the need for
any further action from the victim after visiting a website controlled by
the attacker. The vulnerabilities are simple variations of bugs
disclosed previously in CoreLabs Security Advisories CORE-2008-0103 [1]
and CORE-2008-0826 [2]. Exploitation of these vulnerabilities requires
enticing users to click on URLs or otherwise visit a malicious website
controlled by the attacker, but no further user interaction is needed. As
a result an attacker would gain the ability to read any file stored on
the user's desktop system but will not be able to fully compromise it to
execute arbitrary code without restrictions.

4. *Vulnerable packages*

   . Internet Explorer 5.01 SP4 on Windows 2000 sp4
   . Internet Explorer 6sp1 on Windows 2000 sp4
   . Internet Explorer 6sp2 on Windows XP sp2
   . Internet Explorer 6sp2 on Windows XP sp3
   . Internet Explorer 7 on Windows XP sp2
   . Internet Explorer 7 on Windows XP sp3
   . Internet Explorer 7 on Windows Vista sp1
   . Internet Explorer 7 on Windows Vista sp2
   . Internet Explorer 7 on Windows Server 2003 sp2 if
 Protected Mode is OFF and not using Enhanced Security Configuration
   . Internet Explorer 7 on Windows Server 2008
 if Protected Mode is OFF and
 not using Enhanced Security Configuration
   . Internet Explorer 8 on Windows XP sp2
   . Internet Explorer 8 on Windows XP sp3
   . Internet Explorer 8 on Windows Vista sp1
 if Protected Mode is OFF
   . Internet Explorer 8 on Windows Vista sp2
 if Protected Mode is OFF
   . Internet Explorer 8 on Windows 7 if Protected Mode is OFF
   . Internet Explorer 8 on Windows Server 2003 sp2
 if Protected Mode is OFF and
 not using Enhanced Security Configuration
   . Internet Explorer 8 on Windows Server 2008 R2
 if Protected Mode is OFF and
 not using Enhanced Security Configuration

5. *Non-vulnerable packages*

   . Internet Explorer 7 on Windows Vista/Windows Server 2003/Windows 7
 if Protected Mode is ON
   . Internet Explorer 8 on Windows Vista/Windows Server 2003
 if Protected Mode is ON
   . Internet Explorer 8 on Windows Server 2003
 if Protected Mode is ON
   . Internet Explorer 8 on Windows 7/Windows Server 2008 R2
 if Protected Mode is ON

6. *Vendor Information, Solutions and Workarounds*

The vendor has guidance on how to address these vulnerabilities in
Microsoft Security Advisory (980088):
http://www.microsoft.com/technet/security/advisory/980088.mspx

To prevent exploitation of these vulnerabilities the following
mitigations are possible:

   . Run Internet Explorer with Protected Mode [3] turned ON if it is
supported by the operating system. This is the default setting for the
Internet security zone on Windows Vista, Windows 7 and Windows Server
2008. Note that there may be specific scenarios where Protected Mode may
need to be turned off [4].
   . Use Internet Explorer's *Network Protocol Lockdown* feature control
to restrict the 'file:' protocol to prevent HTML content from UNC paths
from running scripting or ActiveX controls. Note that Network Protocol
Lockdown may affect the functionality of Web applications that rely on
relaxed security configurations of IE.
   . Set the Security Level setting to High for the Internet and Local
Intranet security zones to prevent IE from running scripts or ActiveX
controls.
   . Disable Active Scripting for the Internet and Local Intranet zones
manually with a custom security setting.
   . Use a different web browser to navigate untrusted web sites.

Additionally, disabling file sharing if it is not necessary and
filtering outbound SMB connections at the endpoint or network perimeter
are good security measures to prevent disclosure of sensitive
information such as valid user, system and domain names that could be
used to perform attacks that abuse the
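Three of the workarounds in section 6 (Protected Mode ON, Active Scripting disabled, ActiveX disabled) are per-zone settings that IE keeps under the user's `Internet Settings\Zones` key, so whether they are actually in place on a fleet can be checked rather than assumed. The following is an added example, not part of the CORE advisory or of Microsoft's guidance: it assesses a snapshot of those zone values and reports each mitigation that is missing. The zone numbers and policy codes are IE's documented ones (`Zones\1` = Local intranet, `Zones\3` = Internet; `2500` = Protected Mode, `1400` = Active scripting, `1200` = Run ActiveX controls and plug-ins; 0 = enable, 1 = prompt, 3 = disable); `SAMPLE_ZONES` is a constructed snapshot so the assessment runs anywhere, and `read_zone_from_registry()` is the Windows-only live reader.

```python
"""Audit the per-zone IE settings behind three of the advisory's mitigations.
Added example, not part of the CORE advisory or Microsoft's guidance. Zone
numbers and policy codes are IE's documented ones; SAMPLE_ZONES is a
constructed snapshot; read_zone_from_registry() needs Windows."""
from typing import Dict, List

ZONE_NAMES = {1: "Local intranet", 3: "Internet"}
PROTECTED_MODE, ACTIVE_SCRIPTING, RUN_ACTIVEX = "2500", "1400", "1200"
ENABLE, PROMPT, DISABLE = 0, 1, 3

# Constructed snapshot: intranet zone left permissive, Internet zone hardened
# the way the advisory recommends.
SAMPLE_ZONES: Dict[int, Dict[str, int]] = {
    1: {PROTECTED_MODE: DISABLE, ACTIVE_SCRIPTING: ENABLE, RUN_ACTIVEX: ENABLE},
    3: {PROTECTED_MODE: ENABLE, ACTIVE_SCRIPTING: DISABLE, RUN_ACTIVEX: DISABLE},
}


def assess_zone(zone: int, values: Dict[str, int]) -> List[str]:
    """One finding per mitigation that is NOT in place for this zone.
    An absent value is treated as the permissive setting, so a zone that
    has never been hardened is reported rather than assumed safe."""
    name = ZONE_NAMES.get(zone, f"zone {zone}")
    findings: List[str] = []
    if values.get(PROTECTED_MODE, DISABLE) != ENABLE:
        findings.append(f"{name}: Protected Mode is OFF (2500 != 0)")
    if values.get(ACTIVE_SCRIPTING, ENABLE) != DISABLE:
        findings.append(f"{name}: Active Scripting not disabled (1400 != 3)")
    if values.get(RUN_ACTIVEX, ENABLE) != DISABLE:
        findings.append(f"{name}: ActiveX controls not disabled (1200 != 3)")
    return findings


def assess_all(zones: Dict[int, Dict[str, int]]) -> List[str]:
    """Findings across every zone in the snapshot, lowest zone number first."""
    findings: List[str] = []
    for zone in sorted(zones):
        findings.extend(assess_zone(zone, zones[zone]))
    return findings


def read_zone_from_registry(zone: int) -> Dict[str, int]:
    """Live read of the current user's zone key on Windows; elsewhere the
    winreg import fails, which is why assess_zone() takes a plain dict."""
    import winreg  # Windows only
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" + "\\" + str(zone)
    values: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for code in (PROTECTED_MODE, ACTIVE_SCRIPTING, RUN_ACTIVEX):
            try:
                values[code] = int(winreg.QueryValueEx(key, code)[0])
            except FileNotFoundError:
                pass  # value not set: assess_zone() treats it as permissive
    return values


if __name__ == "__main__":
    try:
        zones = {z: read_zone_from_registry(z) for z in ZONE_NAMES}
    except ImportError:
        zones = SAMPLE_ZONES  # not on Windows: use the constructed snapshot
    for line in assess_all(zones) or ["all three mitigations in place for all zones"]:
        print(line)
```

Protected Mode only exists on Vista and later, so on XP and Server 2003 the `2500` finding is expected and the remaining two (plus the advisory's other workarounds) are what can be enforced; HKCU reflects the current user, so a per-machine policy pushed through HKLM should be checked there as well.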

[Full-disclosure] anybody know good service for cracking md5?

2010-02-03 Thread Alex
i find some sites which says that they can brute md5 hashes and WPA dumps
for 1 or 2 days.
is it true?

Re: [Full-disclosure] win7x64 Direct General

2010-02-03 Thread Larry Seltzer
Wow, that’s a searing indictment if I’ve ever heard one, I think.

Larry Seltzer
Contributing Editor, PC Magazine

larry_selt...@ziffdavis.com

http://blogs.pcmag.com/securitywatch/

From: full-disclosure-boun...@lists.grok.org.uk
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of yuange
Sent: Wednesday, February 03, 2010 11:16 AM
To: full-disclosure
Subject: [Full-disclosure] win7x64 Direct General

win7x64 Direct General

2010-02-03 23:38

Spent a whole day getting win7x64 installed on this lousy machine, and the
result is that it is still universal and works against everything; I am
speechless at myself.
If Microsoft doesn't headhunt me with a ten-million salary, it would simply
be an injustice to the universality of this program of mine.

http://translate.googleusercontent.com/translate_c?hl=zh-CN&sl=zh-CN&tl=en&u=http://hi.baidu.com/yuange1975/blog/item/022dec59443c4d212834f041.html&rurl=translate.google.cn&usg=ALkJrhg-C-arlz2AxJEkRSQznuAAoSqdNg#comment


[Full-disclosure] win7x64 Direct General

2010-02-03 Thread yuange

 

win7x64 Direct General

2010-02-03 23:38

Spent a whole day getting win7x64 installed on this lousy machine, and the
result is that it is still universal and works against everything; I am
speechless at myself.

If Microsoft doesn't headhunt me with a ten-million salary, it would simply
be an injustice to the universality of this program of mine.

http://translate.googleusercontent.com/translate_c?hl=zh-CN&sl=zh-CN&tl=en&u=http://hi.baidu.com/yuange1975/blog/item/022dec59443c4d212834f041.html&rurl=translate.google.cn&usg=ALkJrhg-C-arlz2AxJEkRSQznuAAoSqdNg#comment

[Full-disclosure] Private cloud security is no security at all

2010-02-03 Thread Sam Johnston
Private cloud security is no security at
all

It's ironic that the purveyors of "Private Cloud" sell their wares on the
premise of enhanced privacy and security - a totally unjustified claim which
is too often accepted without question - and that they are quick to dismiss
the huge benefit of the armies of security boffins employed by "public"
cloud vendors (whose future is largely dependent on keeping customer data
safe). It's also very convenient for them that the term itself is
disparaging of "public" cloud in the same way that "Blog With
Integrity"
badges imply that the rest of us are somehow unethical (one of the main
reasons I personally have and will always dislike[d] it).

It is with that in mind that I was intrigued by Reuven
Cohen
's announcement
today
 regarding Enomaly, Inc.  having recently joined
the Intel Cloud Builder Program
 (whatever
that is). It was these two quotes that I found particularly questionable
regarding their Enomaly ECP product:

   1. *Intel was among the first to full(sic) understand the opportunity in
   enabling a truly secure virtualized cloud computing environments(sic) for
   service providers and Telco's.*
   2. *Our work with the Intel Cloud Builder Program will help to accelerate
   our efforts to deliver a massively-scalable, highly-available,
   high-security cloud platform to our customers.*

The reason I'm naturally suspicious of such claims is that I've already
discovered a handful of critical security vulnerabilities in this product
(and that's without even having to look beyond the startup script - a
secure-by-default turbogears component that was made insecure through
inexplicable modifications):

   1. CVE-2008-4990 Enomaly ECP/Enomalism: Insecure temporary file creation
   
vulnerabilities
   2. CVE-2009-0390: Argument injection vulnerability in Enomaly Elastic
   Computing Platform
(ECP)
   3. Enomaly ECP/Enomalism: Multiple vulnerabilities in enomalism2.sh
   (redux) 

I had to dig a little (but not much) deeper for the silent update remote
command execution vulnerability. I also inadvertently discovered another
serious security vulnerability (sending corporate BestBuy credentials in the
clear over the Internet to a 3rd party service), which as it turns out was
also developed by Enomaly, Inc. It's only natural that I would be suspicious
of any future security claims made by this company.

It doesn't help my sentiment either that every last trace of the Open
Source ECP Community Edition was recently scrubbed from the Internet without
notice, leaving angry customers high and dry, purportedly pending the
"rejigging [of their] OSS strategy". While my previous attempts to fork the
product as Freenomalism failed when we were unable to get the daemon to
start, having the code in any condition is better than not having it at
all. In my opinion this is little more than blatantly (and successfully I
might add) taking advantage of the Open Source community for as long as
necessary to get the product into the limelight. Had they not filled this
void others would certainly have done so, and the Open Cloud would be better
off today as a result.

As part of cloud standards work I was interested in taking a look at the
"secure" mechanism they developed for distributing virtual machines:

*VMcasting is an automatic virtual machine deployment mechanism based on
RSS2.0 whereby virtual machine images are transferred from a server to a
client which securely delivers files containing a technical specification
and virtual disk image.*

Another bold claim that initially appeared justified by a simple but
relatively sensible embedding of cryptographically strong checksums into
descriptor and manifest files that were in turn digitally signed using GPG.
Unfortunately no consideration was given to the 

[Full-disclosure] [ISecAuditors Security Advisories] Facebook HTML and Script code injection vulnerability

2010-02-03 Thread ISecAuditors Security Advisories
=
INTERNET SECURITY AUDITORS ALERT 2010-001
- Original release date: January 8th, 2010
- Last revised: February 3rd, 2010
- Discovered by: Juan Galiana Lara
- Severity: 6.3/10 (CVSS Base Score)
=

I. VULNERABILITY
-
Facebook HTML and Script code injection vulnerability

II. BACKGROUND
-
Facebook is a social networking website that is operated and privately
owned by Facebook, Inc. Users can add friends and send them messages,
and update their personal profiles to notify friends about themselves.
Additionally, users can join networks organized by city, workplace,
school, and region. The website's name stems from the colloquial name
of books given at the start of the academic year by university
administrations with the intention of helping students to get to know
each other better.

III. DESCRIPTION
-
The mobile interface of the Facebook social network is affected by a
Cross-Site Scripting vulnerability because the variable "q" is not properly
sanitized in http://m.facebook.com/friends.php.

An attacker can inject HTML or script code in the context of the victim's
browser, and so can perform XSS attacks and steal the cookies of a targeted
user.

IV. PROOF OF CONCEPT
-
http://m.facebook.com/friends.php?q=%3Cscript%3Ealert(%22XSS%22)%3B%3C%2Fscript%3E

V. BUSINESS IMPACT
-
An attacker can execute arbitrary HTML or script code in a targeted user's
browser; this can be leveraged to steal the targeted user's cookies.

VI. SYSTEMS AFFECTED
-
Facebook

VII. SOLUTION
-
Corrected

VIII. REFERENCES
-
http://www.facebook.com
http://www.isecauditors.com
http://juangaliana.blogspot.com

IX. CREDITS
-
This vulnerability has been discovered
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).

X. REVISION HISTORY
-
January    8, 2010: Initial release.
February   3, 2010: Last revision.

XI. DISCLOSURE TIMELINE
-
January    2, 2010: Discovered by Internet Security Auditors.
January    9, 2010: Vendor contacted including PoC. No response.
January   11, 2010: Second contact. No response.
January   19, 2010: Third contact. No response.
January   20, 2010: Vulnerability corrected without any kind of contact.
January   31, 2010: Response from Facebook Security member requiring info.
February   3, 2010: Sent to lists for public interest.

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

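One way to close a reflected XSS of this kind is context-aware output encoding of the reflected q parameter. The handler below is an added example, not code from the advisory or from Facebook: it shows the unsanitized reflection beside an encoded version, using the advisory's PoC URL only as test input; the template and function names are assumptions.

```python
"""Reflected XSS in a query parameter: unsanitized vs. context-aware encoded output.
Added example (not the advisory's or Facebook's code); TEMPLATE and the handler
names are assumptions, POC_URL is the advisory's proof-of-concept URL."""
import html
from urllib.parse import parse_qs, quote, urlsplit

POC_URL = ("http://m.facebook.com/friends.php"
           "?q=%3Cscript%3Ealert(%22XSS%22)%3B%3C%2Fscript%3E")

# Two sinks for the same value: an HTML text context and a URL in an href attribute.
TEMPLATE = ('<h1>Friends matching "{q}"</h1>'
            '<a href="/friends.php?q={q_url}">more</a>')


def query_param(url: str, name: str) -> str:
    """Return the decoded value of one query parameter, as the server would see it."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(q: str) -> str:
    # The defect described in section III: the decoded value is dropped straight
    # into the page, so markup inside q becomes markup in the victim's browser.
    return TEMPLATE.format(q=q, q_url=q)


def render_fixed(q: str) -> str:
    # Each sink gets the encoder for its own context: HTML-escape (including
    # quotes) for the text/attribute context, percent-encode for the URL parameter.
    return TEMPLATE.format(q=html.escape(q, quote=True), q_url=quote(q, safe=""))


def contains_raw_markup(page: str, fragment: str) -> bool:
    """Detection helper: is an attacker-controlled fragment reflected verbatim?"""
    return fragment in page
```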


[Full-disclosure] [SECURITY] [DSA-1989-1] New fuse packages fix denial of service

2010-02-03 Thread Giuseppe Iuculano

- 
Debian Security Advisory DSA-1989-1  secur...@debian.org
http://www.debian.org/security/Giuseppe Iuculano
February 02, 2010 http://www.debian.org/security/faq
- 

Packages   : fuse
Vulnerability  : denial of service
Problem type   : local
Debian-specific: no
CVE Id : CVE-2009-3297
Debian Bug : 567633

Dan Rosenberg discovered a race condition in FUSE, a Filesystem in USErspace.
A local attacker, with access to use FUSE, could unmount arbitrary
locations, leading to a denial of service.


For the oldstable distribution (etch), this problem has been fixed in
version 2.5.3-4.4+etch1.

For the stable distribution (lenny), this problem has been fixed in
version 2.7.4-1.1+lenny1.

For the unstable distribution (sid), this problem has been fixed in
version 2.8.1-1.2, and will migrate to the testing distribution (squeeze)
shortly.

We recommend that you upgrade your fuse packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/f/fuse/fuse_2.5.3-4.4+etch1.dsc
Size/MD5 checksum:  627 5886da280cc253c8ec2c04f5423238ee
  http://security.debian.org/pool/updates/main/f/fuse/fuse_2.5.3.orig.tar.gz
Size/MD5 checksum:   409443 9c7e8b6606b9f158ae20b8521ba2867c
  
http://security.debian.org/pool/updates/main/f/fuse/fuse_2.5.3-4.4+etch1.diff.gz
Size/MD5 checksum:11785 884b1f0d8646b121d133bb62a42e23c3


[Full-disclosure] [SECURITY] [DSA 1986-1] New moodle packages fix several vulnerabilities

2010-02-03 Thread Steffen Joeris

- 
Debian Security Advisory DSA-1986-1  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
February 02, 2010 http://www.debian.org/security/faq
- 

Package: moodle 
Vulnerability  : several vulnerabilities
Problem type   : remote 
Debian-specific: no 
CVE IDs: CVE-2009-4297 CVE-2009-4298 CVE-2009-4299 CVE-2009-4301
 CVE-2009-4302 CVE-2009-4303 CVE-2009-4305  
Debian Bugs: 559531 


Several vulnerabilities have been discovered in Moodle, an online
course management system. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2009-4297

Multiple cross-site request forgery (CSRF) vulnerabilities have been
discovered. 

CVE-2009-4298

It has been discovered that the LAMS module is prone to the disclosure
of user account information.  

CVE-2009-4299

The Glossary module has an insufficient access control mechanism.

CVE-2009-4301

Moodle does not properly check permissions when the MNET service is
enabled, which allows remote authenticated servers to execute arbitrary
MNET functions.

CVE-2009-4302

The login/index_form.html page links to an HTTP page instead of using an
SSL secured connection.

CVE-2009-4303

Moodle stores sensitive data in backup files, which might make it
possible for attackers to obtain them.

CVE-2009-4305

It has been discovered that the SCORM module is prone to an SQL
injection.

Additionally, an SQL injection in the update_record function, a problem
with symbolic links and a verification problem with Glossary, database
and forum ratings have been fixed.


For the stable distribution (lenny), these problems have been fixed in
version 1.8.2.dfsg-3+lenny3.

For the oldstable distribution (etch), there are no fixed packages
available and it is too hard to backport many of the fixes. Therefore,
we recommend upgrading to the lenny version.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 1.8.2.dfsg-6.


We recommend that you upgrade your moodle packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/m/moodle/moodle_1.8.2.dfsg-3+lenny3.dsc
Size/MD5 checksum: 1332 e6692ee05c7eda37d36ef9a0d24ce2ae
  
http://security.debian.org/pool/updates/main/m/moodle/moodle_1.8.2.dfsg.orig.tar.gz
Size/MD5 checksum: 10162497 d116f83641c70216a94168aa2c303004
  
http://security.debian.org/pool/updates/main/m/moodle/moodle_1.8.2.dfsg-3+lenny3.diff.gz
Size/MD5 checksum:67070 e8843f3e443495842705c040c0d98779

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/m/moodle/moodle_1.8.2.dfsg-3+lenny3_all.deb
Size/MD5 checksum:  8628382 1985ebd60f8f9f2fb03a25e9b0c58c50


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

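A version check against the fixed versions stated in this advisory and in DSA-1989-1 above, as an added example that is not Debian's code nor part of either advisory: it reimplements the dpkg version ordering in Python so an installed version string can be compared with the advisory's fixed version, which matters for revisions such as 2.7.4-1.1+lenny1 where a plain string comparison gives the wrong answer.

```python
"""dpkg-style version comparison against the fixed versions in DSA-1989-1 / DSA-1986-1.
Added example, not Debian's or the advisories' code; it mirrors dpkg's ordering
rules ('~' sorts before everything, letters before other symbols, numeric runs by value)."""
import itertools
import re

def _order(c: str) -> int:
    # dpkg weighting of non-digit characters: '~' < end-of-string < letters < other symbols
    if c in ("~", ""):
        return -1 if c == "~" else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    """Compare upstream or revision strings as alternating non-digit and digit runs."""
    while a or b:
        ra, rb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        for x, y in itertools.zip_longest(ra, rb, fillvalue=""):
            if _order(x) != _order(y):
                return _order(x) - _order(y)
        a, b = a[len(ra):], b[len(rb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if int(da or 0) != int(db or 0):  # numeric compare, leading zeros ignored
            return int(da or 0) - int(db or 0)
        a, b = a[len(da):], b[len(db):]
    return 0

def parse_version(v: str):
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to ''."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b (dpkg semantics)."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

FIXED = {("fuse", "etch"): "2.5.3-4.4+etch1", ("fuse", "lenny"): "2.7.4-1.1+lenny1",
         ("fuse", "sid"): "2.8.1-1.2", ("moodle", "lenny"): "1.8.2.dfsg-3+lenny3",
         ("moodle", "sid"): "1.8.2.dfsg-6"}  # fixed versions as the advisories state them

def is_fixed(package: str, suite: str, installed: str) -> bool:
    """True when the installed version is at or above the advisory's fixed version."""
    return compare_versions(installed, FIXED[(package, suite)]) >= 0
```

The installed version to feed in is what `dpkg-query -W -f '${Version}' fuse` reports on the host.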