[Full-disclosure] iDefense Security Advisory 03.09.10: Microsoft Excel FNGROUPNAME Record Uninitialized Memory Vulnerability

2010-03-09 Thread iDefense Labs
iDefense Security Advisory 03.09.10
http://labs.idefense.com/intelligence/vulnerabilities/
Mar 09, 2010

I. BACKGROUND

Excel is the spreadsheet application included with Microsoft Corp.'s
Office productivity software suite. More information is available at
the following website:

http://office.microsoft.com/excel/

II. DESCRIPTION

Remote exploitation of an uninitialized memory vulnerability in
Microsoft Corp.'s Excel could allow an attacker to execute arbitrary
code with the privileges of the current user.

The vulnerability occurs due to Excel using a local function variable
without properly initializing it. This error occurs when parsing
several related records inside of an Excel worksheet. When Excel parses
certain records in a particular order, a stack variable may not be
initialized properly. If an attacker can control the area of memory
used for this variable, then it is possible to execute arbitrary code
on the targeted host.
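As an added illustration (not iDefense's or Microsoft's code) of the ordering hazard described above, here is a small C record parser over a constructed two-record layout: one record establishes how many groups exist, a second names a group by index. The record tags, lengths and limits are assumptions made for this example and are not Excel's FNGROUPNAME encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record tags; NOT Excel's real FNGROUPNAME encoding. Each
 * record is: 1 tag byte, 1 length byte, then 'length' payload bytes. */
#define REC_GROUP_COUNT 0x01  /* payload: number of function groups */
#define REC_GROUP_NAME  0x02  /* payload: group index, then the name */

#define MAX_GROUPS 16
#define MAX_NAME   32

struct parse_state {
    int     have_count;             /* 1 once REC_GROUP_COUNT was parsed */
    uint8_t group_count;
    char    names[MAX_GROUPS][MAX_NAME];
};

/* Parses a record stream; returns the number of names stored or -1 for a
 * malformed stream.
 *
 * The advisory's bug class: group_count is only assigned while handling
 * REC_GROUP_COUNT.  If the state lives on the stack uninitialised and a
 * file places REC_GROUP_NAME first, the bounds check on 'idx' compares
 * against whatever the previous call left in that slot, and the memcpy
 * can land outside 'names'.  Two fixes below: zero the state up front and
 * refuse dependent records until their prerequisite record was seen. */
int parse_records(const uint8_t *buf, size_t len)
{
    struct parse_state st;
    size_t pos = 0;
    int stored = 0;
    uint8_t idx;

    memset(&st, 0, sizeof st);                 /* fix 1: no stack garbage */

    while (pos + 2 <= len) {
        uint8_t tag  = buf[pos];
        uint8_t rlen = buf[pos + 1];
        const uint8_t *payload = buf + pos + 2;

        if (pos + 2 + rlen > len)
            return -1;                         /* record runs past the end */

        switch (tag) {
        case REC_GROUP_COUNT:
            if (rlen != 1 || payload[0] > MAX_GROUPS)
                return -1;
            st.group_count = payload[0];
            st.have_count  = 1;
            break;

        case REC_GROUP_NAME:
            if (!st.have_count)
                return -1;                     /* fix 2: enforce record order */
            if (rlen < 1 || rlen - 1 >= MAX_NAME)
                return -1;
            idx = payload[0];
            if (idx >= st.group_count)         /* only meaningful after fix 2 */
                return -1;
            memcpy(st.names[idx], payload + 1, rlen - 1);
            st.names[idx][rlen - 1] = '\0';
            stored++;
            break;

        default:
            break;                             /* unrelated records: skip */
        }
        pos += 2 + rlen;
    }
    return stored;
}
```

Compiling the same parser without the memset and the have_count gate is what tools such as MemorySanitizer or a compiler's automatic variable initialisation flag are meant to catch.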

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user opening the file. To exploit this
vulnerability, an attacker needs to convince a user to open a malicious
file. Attackers typically accomplish this by emailing a targeted user
the file, or hosting the file on a web page.

Successful exploitation of this vulnerability depends upon an attacker
being able to control the area of uninitialized memory prior to the
vulnerable code execution. Since the data stored is a constant, this
type of vulnerability can typically be difficult to exploit.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Excel
versions 2003 SP3, 2007 SP0, SP1, and SP3. Previous versions do not
appear to be affected. A full list of vulnerable Microsoft products can
be found in Microsoft Security Bulletin MS10-017.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue since
the vulnerability occurs in the core parsing code, making it impossible
to disable the affected area of code.

VI. VENDOR RESPONSE

Microsoft Corp. has released a patch which addresses this issue.
Information about downloadable vendor updates can be found by clicking
on the URLs shown.
http://www.microsoft.com/technet/security/bulletin/MS10-017.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2010-0262 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/25/2009  Initial Vendor Notification
09/25/2009  Initial Vendor Reply
03/09/2010  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was discovered by Sean Larsson, iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2010 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerserv...@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] iDefense Security Advisory 03.09.10: Microsoft Excel Sheet Object Type Confusion Vulnerability

2010-03-09 Thread iDefense Labs
iDefense Security Advisory 03.09.10
http://labs.idefense.com/intelligence/vulnerabilities/
Mar 09, 2010

I. BACKGROUND

Excel is the spreadsheet application included with Microsoft Corp.'s
Office productivity software suite. More information is available at
the following website:

http://office.microsoft.com/excel/

II. DESCRIPTION

Remote exploitation of a type confusion vulnerability in Microsoft
Corp.'s Excel could allow an attacker to execute arbitrary code with
the privileges of the current user.

This vulnerability is a type confusion vulnerability that occurs when
parsing several related Excel record types. In this case, the type
confusion is due to multiple records containing fields that identify
the type of an object shared between them.

By controlling memory outside of the bounds of the allocated heap chunk,
an attacker can control a C++ object pointer used in a virtual function
call. This can result in an area of memory being treated as a different
type of object than it actually is, resulting in access outside of the
bounds of the allocated object.
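An added example, not iDefense's or Microsoft's code, modelling in C the shared-object type field described above: a constructed DEFINE record allocates an object according to its type, and a constructed USE record carries its own type field and dispatches through a per-type function table standing in for a C++ vtable. The record kinds, struct layouts and handler table are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum obj_type { OBJ_NONE = 0, OBJ_CHART = 1, OBJ_PICTURE = 2 };

/* Two layouts of very different size sharing one "type" prefix (constructed). */
struct chart   { uint8_t type; uint16_t series_count; };
struct picture { uint8_t type; uint16_t width; uint16_t height; uint32_t pixels[64]; };

/* Per-type handler table standing in for a C++ vtable; each handler is only
 * correct for the layout its own type names. */
typedef int (*measure_fn)(const void *obj);
static int chart_measure(const void *o)   { return ((const struct chart *)o)->series_count; }
static int picture_measure(const void *o) {
    const struct picture *p = o;
    return p->width * p->height;
}
static const measure_fn handlers[] = { NULL, chart_measure, picture_measure };

struct shared_obj { void *mem; uint8_t bound_type; };

/* DEFINE record: allocate the object by its declared type and remember that
 * type as the single source of truth.  Returns 0, or -1 if malformed. */
int define_object(struct shared_obj *s, uint8_t type, uint16_t a, uint16_t b)
{
    if (s->mem) return -1;                   /* defined twice: malformed file */
    if (type == OBJ_CHART) {
        struct chart *c = calloc(1, sizeof *c);
        if (!c) return -1;
        c->type = type; c->series_count = a;
        s->mem = c;
    } else if (type == OBJ_PICTURE) {
        struct picture *p = calloc(1, sizeof *p);
        if (!p) return -1;
        p->type = type; p->width = a; p->height = b;
        s->mem = p;
    } else {
        return -1;                           /* unknown type tag */
    }
    s->bound_type = type;
    return 0;
}

/* USE record: carries its own type field.  The confusion in the advisory is
 * dispatching on this second field: if it says PICTURE while the allocation
 * is a 4-byte chart, picture_measure() reads far beyond the object.  The
 * fix is to require the field to match the type bound at definition time
 * and dispatch only on the bound type.  Returns the handler result or -1. */
int use_object(struct shared_obj *s, uint8_t claimed_type)
{
    if (!s->mem || claimed_type != s->bound_type)
        return -1;                           /* mismatched type fields: reject */
    return handlers[s->bound_type](s->mem);
}

void free_object(struct shared_obj *s)
{
    free(s->mem);
    s->mem = NULL;
    s->bound_type = OBJ_NONE;
}
```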

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user opening the file. To exploit this
vulnerability, an attacker needs to convince a user to open a malicious
file. This is typically accomplished by emailing the targeted user a
malicious file, or providing a link to one on a webpage.

iDefense testing has demonstrated that this vulnerability is highly
exploitable, which is consistent with most type confusion
vulnerabilities.

As with most memory corruption vulnerabilities, exploitation mitigation
technologies like DEP and ASLR substantially increase the difficulty of
exploiting this vulnerability.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in all
currently supported versions of Excel (2007 SP1/SP2, 2003 SP3, XP SP3),
and also the currently unsupported Excel 2000 SP3. A full list of
vulnerable Microsoft products can be found in Microsoft Security
Bulletin MS10-017.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue. Since
the vulnerability occurs in the core parsing code it is impossible to
disable the affected module.

VI. VENDOR RESPONSE

Microsoft Corp. has released a patch which addresses this issue.
Information about downloadable vendor updates can be found by clicking
on the URLs shown.
http://www.microsoft.com/technet/security/bulletin/MS10-017.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2010-0258 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/10/2009  Initial Vendor Notification
09/11/2009  Initial Vendor Reply
03/09/2010  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was discovered by Sean Larsson, iDefense Labs.



Re: [Full-disclosure] Ubisoft DDoS

2010-03-09 Thread Rohit Patnaik
Well, we don't know exactly how the servers were configured.  There might
have been some kind of issue with the coding or the configuration of the DRM
servers that wasn't noticed during testing.  After all, these sorts of
big-budget games sell millions of copies in the opening weekend.  Even
simulating that kind of load is an expensive proposition.  There might have
been some issue with the server that only became visible when there were
millions of simultaneous clients all trying to authenticate themselves
simultaneously.  Remember what happened with AT&T's iPhone activation
fiasco?  Who's to say that something similar didn't happen here?

-- Rohit Patnaik

On Tue, Mar 9, 2010 at 3:59 PM, Jan Schejbal <
jan.mailinglis...@googlemail.com> wrote:

> Am 09.03.2010 21:11, schrieb James Matthews:
> > I don't see why they didn't just block the attack. It must be more than
> > this.
>
> If the attack behaved like LOTS of legitimate clients, it might have
> been hard to lock out the bots while not locking out players.
>
> The option that the attack is just made up as an excuse for too few
> resources to support all the players should also not be forgotten,
> although I consider that improbable.
>
> Sincerely,
> Jan
>

Re: [Full-disclosure] Ubisoft DDoS

2010-03-09 Thread Jan Schejbal
Am 09.03.2010 21:11, schrieb James Matthews:
> I don't see why they didn't just block the attack. It must be more than
> this.

If the attack behaved like LOTS of legitimate clients, it might have 
been hard to lock out the bots while not locking out players.

The option that the attack is just made up as an excuse for too few 
resources to support all the players should also not be forgotten, 
although I consider that improbable.

Sincerely,
Jan



[Full-disclosure] CORE-2009-1103: Microsoft Office Excel DbOrParamQry Record Parsing Vulnerability

2010-03-09 Thread CORE Security Technologies Advisories

  Core Security Technologies - CoreLabs Advisory
   http://www.coresecurity.com/corelabs/

Microsoft Office Excel DbOrParamQry Record Parsing Vulnerability



1. *Advisory Information*

Title: Microsoft Office Excel DbOrParamQry Record Parsing Vulnerability
Advisory Id: CORE-2009-1103
Advisory URL: http://www.coresecurity.com/content/CORE-2009-1103
Date published: 2010-03-09
Date of last update: 2010-03-09
Vendors contacted: Microsoft
Release mode: Coordinated release



2. *Vulnerability Information*

Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2010-0264



3. *Vulnerability Description*

A memory corruption occurs in Microsoft Office Excel 2002 when parsing a
.XLS file with a malformed DbOrParamQry record. This vulnerability could
be used by a remote attacker to execute arbitrary code in the context of
the currently logged on user, by enticing the user to open a specially
crafted file.


4. *Vulnerable packages*

   . Microsoft Excel 2002 (Office XP SP3)


5. *Non-vulnerable packages*

   . Microsoft Office 2003
   . Microsoft Office 2007


6. *Vendor Information, Solutions and Workarounds*

Microsoft has addressed this vulnerability by issuing an update located
at http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx


7. *Credits*

This vulnerability was discovered and researched by Damian Frizza from
Core Security Technologies.


8. *Technical Description / Proof of Concept Code*

A memory corruption occurs in Microsoft Office Excel 2002 when parsing a
.XLS file with a malformed DbOrParamQry record. The precise affected
executable versions that we tested are:

   . EXCEL.exe version 10.0.6501
   . EXCEL.exe version 10.0.6854
   . EXCEL.exe version 10.0.6856

The vulnerable version is Microsoft Office Excel XP SP3.

According to the MSDN documentation [2], the DbOrParamQry record
specifies either a DbQuery or a ParamQry record, depending on the
preceding record. The Query Parameters record (ParamQry), offset DCh,
contains information about ODBC parameterized queries and has the
following format:


/-
Offset  Name      Size  Contents
4       wTypeSql  2     Used for ODBC queries; the parameter SQL type
6       flags     2     Option flags
- -/

By modifying this record an exploitable condition can be triggered. An
excerpt of the vulnerable code follows:


/-
EXCEL!Ordinal41+2c20ce:
302c20ce 8b461c    mov     eax,[esi+0x1c]          ds:0023:0180aa98=0197013c
302c20d1 85c0      test    eax,eax
302c20d3 0f84e100  je      EXCEL!Ordinal41+0x2c21ba (302c21ba)   [br=0]
302c20d9 8b08      mov     ecx,[eax]               ds:0023:0197013c=00010001
302c20db 50        push    eax
302c20dc ff5108    call    dword ptr [ecx+0x8]     ds:0023:00010009=5c003a00

Access violation - code c005 (first chance)
eax=0197013c ebx=0001 ecx=00010001 edx=014c esi=0180aa7c edi=
eip=5c003a00 esp=001363ec ebp=00136400 iopl=0 nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=
efl=0206
5c003a00 ??   ???
- -/


9. *Report Timeline*

. 2009-11-04:
Core Security Technologies notifies the Microsoft team of the
vulnerability and sends a Proof of Concept malformed file. Planned
publication date is set to February 9th 2010.

. 2009-11-04:
Microsoft acknowledges receipt of the report, and opens case 9564 to
track this issue.

. 2009-11-19:
Microsoft confirms that the reported bug is exploitable on Office 2002,
and that it is a bulletin class issue. Microsoft analysis indicates that
Office 2003 and Office 2007 are not affected by this vulnerability.
Microsoft estimates that its projected release date will be later than
February.

. 2009-11-19:
Core replies that it needs additional information about Microsoft fix
development and testing process, in particular a concrete estimated date
for the release of fixes, before rescheduling publication.

. 2009-12-18:
Microsoft communicates that the Office Excel Team has scheduled a fix
for this issue for March 9th 2010, and requests that Core reschedules
publication of its advisory to that date.

. 2009-12-21:
Core agrees to reschedule publication to March 9th 2010, and tells
Microsoft that it's still waiting for their technical analysis of the bug.

. 2010-01-28:
Microsoft informs Core that it is still on track to release the patch
for this vulnerability in March 2009.

. 2010-02-18:
Microsoft informs Core that unexpected issues will force them to
postpone the bulletin release from March, and that they will try to
release it in April 2010.

. 2010-03-02:
Microsoft tells Core that finally the patch for this issue will be
released on March 9th 2010.

. 2010-03-08:
Core acknowledges receipt of the previous mail, and requests the URL of
Microsoft's security bulletin to include in the vendor information
section of its advisory.

. 2010-03-09:
The a

[Full-disclosure] CORE-2009-0813: Windows Movie Maker and Microsoft Producer IsValidWMToolsStream() Heap Overflow

2010-03-09 Thread CORE Security Technologies Advisories

  Core Security Technologies - CoreLabs Advisory
   http://www.coresecurity.com/corelabs/

Windows Movie Maker and Microsoft Producer IsValidWMToolsStream() Heap
Overflow



1. *Advisory Information*

Title: Windows Movie Maker and Microsoft Producer IsValidWMToolsStream()
Heap Overflow
Advisory Id: CORE-2009-0813
Advisory URL: http://www.coresecurity.com/content/movie-maker-heap-overflow
Date published: 2010-03-09
Date of last update: 2010-03-09
Vendors contacted: Microsoft
Release mode: User release



2. *Vulnerability Information*

Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2010-0265



3. *Vulnerability Description*

Windows Movie Maker is video creation and editing software that is
included by default in Windows Vista and XP. Microsoft Producer is an
add-in for PowerPoint to create rich-media presentations.

A vulnerability was found in Windows Movie Maker and Microsoft Producer,
which can be triggered by a remote attacker by sending a specially
crafted file and enticing the user to open it. This vulnerability
results in a write access violation and can lead to remote code execution.


4. *Vulnerable packages*

   . Windows Movie Maker
     The following Windows versions ship with a vulnerable version of
     Windows Movie Maker by default:
       . Windows Vista.
       . Windows Vista Service Pack 1.
       . Windows Vista Service Pack 2.
       . Windows XP Professional x64 Edition.
       . Windows XP Service Pack 2.
       . Windows XP Service Pack 3.
   . Microsoft Producer for PowerPoint.


5. *Non-vulnerable packages*

   . Windows Live Movie Maker (downloadable component for Windows 7).


6. *Vendor Information, Solutions and Workarounds*

Microsoft has addressed the vulnerability in Movie Maker by issuing an
update located at
http://www.microsoft.com/technet/security/Bulletin/MS10-016.mspx

The security update for Microsoft Producer 2003 is unavailable at this
time.

The workarounds and mitigations are:

   . Avoid opening .MSWMM Movie Maker files or .MSProducer Microsoft
Producer files from untrusted sources.
   . Remove the Movie Maker .MSWMM file association and/or remove the
Microsoft Producer 2003 .MSProducer, .MSProducerZ, and .MSProducerBF
file associations.
   . Replace Microsoft Producer with a new version when it comes out or
with the current Beta version.

Refer to the Microsoft Security Bulletin MS10-016 [2] for more
information.


7. *Credits*

This vulnerability was discovered and researched by Damian Frizza from
Core Security Technologies during Bugweek 2009 [1].


8. *Technical Description / Proof of Concept Code*

An exploitable vulnerability was found in Windows Movie Maker, which can
be triggered by a remote attacker by sending a specially crafted .MSWMM
file and enticing the user to open it. This vulnerability results in a
write access violation and can lead to remote code execution.

The root cause is the function IsValidWMToolsStream(), in which
*pbuffer is used twice with two different sizes. The second time, the
data is read from the MSWMM file, and pbuffer is not re-allocated before
it is re-used. If the size read from the file is larger than the initial
internal value, the result is a buffer overrun.
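An added example (not Core's or Microsoft's code) that models the pattern just described under a constructed stream layout: a fixed-size first block, then a 4-byte little-endian length and that many bytes. extract_data() stands in for CDocManager::ExtractData(), and INITIAL_SIZE and MAX_BLOCK are assumed values. validate_stream() is the hardened form that grows the buffer before reusing it, and declares_oversized_block() is a triage check that flags a stream whose second length exceeds the buffer the unpatched code reused.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define INITIAL_SIZE 16          /* constructed stand-in for the internal value */
#define MAX_BLOCK    (1u << 20)  /* constructed hard upper bound on a block  */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Copies n bytes from the stream at *pos into dst.  Like the real
 * ExtractData() it trusts the caller about dst's capacity; it only checks
 * that the stream itself has n bytes left.  Returns n or -1. */
static int extract_data(const uint8_t *stream, size_t len, size_t *pos,
                        void *dst, size_t n)
{
    if (n > len - *pos)
        return -1;
    memcpy(dst, stream + *pos, n);
    *pos += n;
    return (int)n;
}

/* The vulnerable pattern: allocate INITIAL_SIZE bytes, extract the first
 * block, then read value_from_file and extract that many bytes into the
 * SAME buffer without reallocating.  Any value_from_file > INITIAL_SIZE
 * writes past the heap chunk.  This version bounds the size and grows the
 * buffer before the second use.  Returns bytes accepted for the second
 * block, or -1 for a malformed stream. */
int validate_stream(const uint8_t *stream, size_t len)
{
    size_t pos = 0, cap = INITIAL_SIZE;
    uint8_t *pbuffer = malloc(cap);
    if (!pbuffer)
        return -1;

    /* first use: fixed internal size */
    if (extract_data(stream, len, &pos, pbuffer, INITIAL_SIZE) < 0) {
        free(pbuffer);
        return -1;
    }

    /* second use: size comes from the file */
    if (len - pos < 4) {
        free(pbuffer);
        return -1;
    }
    uint32_t value_from_file = rd32(stream + pos);
    pos += 4;

    if (value_from_file > MAX_BLOCK) {        /* fix 1: refuse absurd sizes */
        free(pbuffer);
        return -1;
    }
    if (value_from_file > cap) {              /* fix 2: grow before reuse   */
        uint8_t *grown = realloc(pbuffer, value_from_file);
        if (!grown) {
            free(pbuffer);
            return -1;
        }
        pbuffer = grown;
        cap = value_from_file;
    }

    int got = extract_data(stream, len, &pos, pbuffer, value_from_file);
    free(pbuffer);
    return got;
}

/* Triage helper for this constructed layout: does the stream declare a
 * second block larger than the buffer the unpatched code reused?
 * 1 = yes, 0 = no, -1 = stream too short to carry the length field. */
int declares_oversized_block(const uint8_t *stream, size_t len)
{
    if (len < INITIAL_SIZE + 4)
        return -1;
    return rd32(stream + INITIAL_SIZE) > INITIAL_SIZE;
}
```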

The following is an excerpt of the vulnerable code:

/-
CDocManager::IsValidWMToolsStream(bool *)+EB   push    dword ptr [valueFromFile] ; 0x
CDocManager::IsValidWMToolsStream(bool *)+EE   call    ?...@yapaxi@Z ; operator new(uint)
CDocManager::IsValidWMToolsStream(bool *)+F3   pop     ecx
CDocManager::IsValidWMToolsStream(bool *)+F4   mov     [pBuffer], eax
CDocManager::IsValidWMToolsStream(bool *)+F7   mov     [ebp-40h], eax
CDocManager::IsValidWMToolsStream(bool *)+FA   mov     byte ptr [ebp-4], 2
CDocManager::IsValidWMToolsStream(bool *)+FE   push    dword ptr [ebp-2Ch] ; int
CDocManager::IsValidWMToolsStream(bool *)+101  mov     ecx, esi
CDocManager::IsValidWMToolsStream(bool *)+103  push    ebx ; int
CDocManager::IsValidWMToolsStream(bool *)+104  push    edi ; wchar_t *
CDocManager::IsValidWMToolsStream(bool *)+105  call    ?extractd...@cdocmanager@@qaejpbgp...@z ; CDocManager::ExtractData(ushort const *,void *,long)
CDocManager::IsValidWMToolsStream(bool *)+10A  mov     esi, eax
CDocManager::IsValidWMToolsStream(bool *)+10C  test    esi, esi
CDocManager::IsValidWMToolsStream(bool *)+10E  jge     short loc_118158A

CDocManager::IsValidWMToolsStream(bool *)+110  mov     byte ptr [ebp-4], 1
CDocManager::IsValidWMToolsStream(bool *)+114  cmp     dword ptr [pBuffer], 0
CDocManager::IsValidWMToolsStream(bool *)+118  jz      short loc_1181578

CDocManager::IsValidWMToolsStream(bool *)+29E  push    [pBuffer] ; void *
CDocManager::IsValidWMToolsStream(bool *)+2A1  call    ?...@yaxpax@Z ; operator delete(void *)
CDocManager::IsValidWMToolsStream(bool *)+2A6  pop     ecx

- -

Re: [Full-disclosure] Ubisoft DDoS

2010-03-09 Thread Christian Sciberras
Perhaps Cisco xt 5650a?

Also, 6500 series are actually switches, not routers. ;-)

Cheers.

On Tue, Mar 9, 2010 at 4:24 PM, Michal  wrote:

> On 09/03/2010 15:12, valdis.kletni...@vt.edu wrote:
> > On Tue, 09 Mar 2010 15:27:02 +0100, Adrenalin said:
> >> I'm just wondering, even if it's under DDoS, isn't it as easy to block
> >> as to collect the list of IP that send too much data, and just block
> >> them on the upper level ISP ?
> >
> > You *do* realize that a *small* botnet these days is 75,000 machines, and
> > there's an estimated 140 million compromised zombie boxes out there?
> > There's very few boxes that can handle an inbound ACL of 75K entries
> > sanely - usually what ends up happening is the upstream drops all traffic
> > *to* the target node just so all the *other* boxes at the site still get
> > some bandwidth.
> >
> > And "sending too much data" is hard to quantify - if you have enough
> > bots, you can thoroughly DDoS a site using far *less* bandwidth per host
> > than a normal user does.  If the site was designed to handle 10,000
> > clients each sending 5 packets per second for 10 seconds during a login
> > at game start, it will likely fall over if you throw 100,000 bots at it,
> > each sending 4 packets a second continuously...
> >
>
>
> I've worked at huge online better company and they had network devices
> that worked to stop DDoS as we got hit quite a bit. I have to say they
> managed quite well, often we would only notice because we regularly
> checked the graphs over 24 hours periods. Other times the attacks had
> some successes but they worked well. Can't remember what they were
> called...think it was a company that ended up being bought by Cisco,
> though we did have cards in the 6500 routers to also help out with DDOS.
>

Re: [Full-disclosure] Ubisoft DDoS

2010-03-09 Thread James Matthews
I don't see why they didn't just block the attack. It must be more than
this.

On Tue, Mar 9, 2010 at 8:21 AM, Dobbins, Roland  wrote:

>
> On Mar 9, 2010, at 11:01 PM,  wrote:
>
> > Oh, I didn't say they didn't exist.
>
> A good way to get started w/scalable DDoS mitigation is to implement S/RTBH
> on one's hardware-based edge routers, and then make use of open-source
> NetFlow tools for visibility.
>
> There are commercial solutions as well - in the interests of full
> disclosure (pardon the pun, heh), I work for a vendor of such intelligent
> DDoS mitigation (IDMS) solutions.
>
> These slides may be of interest in hardening/leveraging one's network
> infrastructure and gaining the ability to
>  detect/classify/traceback/mitigate DDoS:
>
> There was also a relevant talk at the latest NANOG (a synopsis of
> discussions on nanog-l and cisco-nsp):
>
> <
> http://www.nanog.org/meetings/nanog48/presentations/Monday/Kaeo_FilterTrend_ISPSec_N48.pdf
> >
>
> and other relevant presentations at various NANOGs in the past.
>
> To answer the previous respondent's question, Cisco acquired Riverhead and
> its Guard in early 2004:
>
> <
> http://www.cisco.com/en/US/prod/collateral/modules/ps2706/end_of_life_c51-573493.html
> >
>
> I also highly recommend this book by Dave Smith and Gregg Schudel of Cisco
> - it's the best (and only!) book on real-world opsec out there, available in
> dead-tree, Kindle, and Adobe Reader formats:
>
> <
> http://www.amazon.com/Router-Security-Strategies-Securing-Network/dp/1587053365/ref=sr_1_1?ie=UTF8&s=books&qid=1262667257&sr=8-1
> >
>
> [Full disclosure again; I'm cited in the book, but received and continue to
> receive no remuneration of any kind due to same.]
>
> But before going the commercial route, folks should work on hardening their
> hosts/OSes/apps and leveraging their existing infrastructure and open-source
> as noted in the presentations above - in many cases, this is all that's
> needed, as outlined here:
>
> 
>
> ---
> Roland Dobbins  // 
>
>Injustice is relatively easy to bear; what stings is justice.
>
>-- H.L. Mencken
>
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
http://www.miami-criminallaw.com/practice-areas/cyber-crimes


[Full-disclosure] ZDI-10-026: Hewlett-Packard OVPI helpmanager Servlet Remote Code Execution Vulnerability

2010-03-09 Thread ZDI Disclosures
ZDI-10-026: Hewlett-Packard OVPI helpmanager Servlet Remote Code Execution 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-026
March 9, 2010

-- CVE ID:
CVE-2010-0447

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard OpenView Performance Insight

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 9509. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary commands
on vulnerable installations of Hewlett-Packard Performance Insight.
Authentication is not required to exploit this vulnerability.

The specific flaw exists in the handling of requests to the helpmanager
servlet running on the Performance Insight web server. Insufficient
input validation and authentication allows for arbitrary JSP pages to be
uploaded which can be leveraged to execute arbitrary OS commands.
Exploitation of this vulnerability allows an attacker to gain control of
the affected system under SYSTEM credentials.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More
details can be found at:

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02033170

-- Disclosure Timeline:
2009-04-15 - Vulnerability reported to vendor
2010-03-09 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi


[Full-disclosure] ZDI-10-025: Microsoft Office Excel XLSX File Parsing Remote Code Execution Vulnerability

2010-03-09 Thread ZDI Disclosures
ZDI-10-025: Microsoft Office Excel XLSX File Parsing Remote Code Execution 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-025
March 9, 2010

-- CVE ID:
CVE-2010-0263

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Office Excel

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Office Excel. User interaction is
required to exploit this vulnerability in that the target must open a
malicious file.

The specific flaw exists in the decompression of XLSX files. The XLSX
file is a ZIP archive of the associated content making up the new Open
XML Document. Due to the lack of validation on the ZIP header when
decompressing certain XML elements it is possible to execute
uninitialized memory. Successful exploitation can lead to remote code
execution under the credentials of the currently logged in user.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx

-- Disclosure Timeline:
2009-07-14 - Vulnerability reported to vendor
2010-03-09 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous



Re: [Full-disclosure] Mozilla Firefox 3.6 plenitude String Crash(0day) Exploit

2010-03-09 Thread Kaddeh
I wouldn't call this a bug in the least bit.
I would call it a lack of hardware issue than anything, similar to "minimal
requirements" on software, etc.
This issue only happens on 32-bit with the configuration that you yourself
are running, there is no issue with Firefox itself, mainly because it has
been confirmed multiple times to work on multiple machines (myself
included).
I chalk this one up to single-user issue and move on.

Cheers

Kad

On Tue, Mar 9, 2010 at 9:03 AM, information security <
informationhacke...@gmail.com> wrote:

> The testcase crashes in Mozilla because
> the reason for this is that these are stack exhaustion crashes and are not
> exploitable. Stack exhaustion occurs when there is no more room on the
> program stack to push any more data. This is not a stack-based buffer
> overflow, but it is definitely a bug.
>
> Asheesh
>
>
> 
>
> On Mon, Mar 8, 2010 at 7:16 AM, Rohit Patnaik  wrote:
>
>> You checked this code on a 64-bit computer?  I just tested it on Ubuntu
>> 9.10 amd-64 edition (running from a LiveCD, no less).  The result was the
>> same as the one described above - Firefox chugged for a few seconds and then
>> displayed a very wide web page.
>>
>> -- Rohit Patnaik
>>
>> On Thu, Mar 4, 2010 at 4:15 AM, information security <
>> informationhacke...@gmail.com> wrote:
>>
>>> I had checked this code on a 64-bit computer; it works.
>>> But why does this code only work in the Mozilla browser and not in Internet Explorer?
>>> And also, thanks Jeff for all your comments :)
>>> In India a famous poet, Kabir, says "keep your critic next to you; he is
>>> your best friend!" :)
>>>
>>> Asheesh kumar Mani Tripathi
>>>
>>> On Wed, Mar 3, 2010 at 4:19 PM, Jeff Williams wrote:
>>>
 Sure;

 Mozilla by default recovers any "lost" tabs by itself, so no worry for
 your "users" considerations.

 Now sparky, who will be stupid enough to launch a botnet that sets a web
 page containing a document.write "A" * 200 on those
 compromised hosts?

 You tell me.

 2010/3/3 information security 

> Thanks Valdis, Jeff for all your comments.
> Yes, my small-penis machine is running out of RAM and swap space ... :)
> and I believe that Mozilla crashes ... :(
> Can you tell me how to fix it so that people don't become victims of this
> attack, people having 34-bit computers?
> Or people having small-penis machines change into big-penis machines :)
>
> On Wed, Mar 3, 2010 at 12:37 AM,  wrote:
>
>> On Tue, 02 Mar 2010 20:02:37 PST, information security said:
>>
>> > open in Mozilla Firefox and wait for 15 sec .. :) and say Good Bye
>>
>> Sorry, your exploit doesn't do squat on a 64-bit Firefox 3.7a3 with plenty of
>> RAM. It chugs for about 7-8 seconds and displays a *very* wide page. It must
>> be your small-penis machine running out of RAM and swap space. :)
>>
>> Hint - this issue was well understood back in 1964. Literally. IBM's OS/360 had
>> a GETMAIN macro that allocated storage that could encounter this same basic
>> "out of memory" issue.  So not only is this a non-bug that was known when you
>> were still being toilet-trained, this may be the first recorded case of
>> somebody reporting a non-bug that was known when their *parents* were still
>> being toilet-trained.
>>
>

>>>
>>>
>>
>>
>
>

[Full-disclosure] List Charter

2010-03-09 Thread John Cartwright

[Full-Disclosure] Mailing List Charter
John Cartwright 
 

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing 
list hosted at lists.grok.org.uk.

The list was created on 9th July 2002 by Len Rose, and is primarily 
concerned with security issues and their discussion.  The list is 
administered by John Cartwright.

The Full-Disclosure list is hosted and sponsored by Secunia.


- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface 
located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to 
full-disclosure-requ...@lists.grok.org.uk, send the word 'help' in 
either the message subject or body for details.

 
- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be
restricted to members only, however the administrators may choose to 
accept submissions from non-members based on individual merit and 
relevance.

It is expected that the list will be largely self-policing; however, in
special circumstances (e.g. spamming, misappropriation) offending 
members may be removed from the list by the management.

An archive of postings is available at 
http://lists.grok.org.uk/pipermail/full-disclosure/.
 

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for 
instance announcement and discussion thereof, exploit techniques and 
code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is 
forbidden.  Disagreements, flames, arguments, and off-topic discussion 
should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. 
Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they 
should use discretion in executing any tools or code distributed via
this list.
 

- Posting Guidelines -

The primary language of this list is English. Members are expected to 
maintain a reasonable standard of netiquette when posting to the list. 

Quoting should not exceed that which is necessary to convey context, 
this is especially relevant to members subscribed to the digested 
version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will 
preferably be short and to the point, and those containing 
'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or 
S/MIME signatures, proof-of-concept code, etc) but must not be active 
(in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to 
list postings. Offenders will be excluded from the mailing list until 
the problem is corrected.

Members may post to the list by emailing 
full-disclos...@lists.grok.org.uk. Do not send subscription/
unsubscription mails to this address, use the -request address 
mentioned above.


- Charter Additions/Changes -

The list charter will be published at 
http://lists.grok.org.uk/full-disclosure-charter.html.

In addition, the charter will be posted monthly to the list by the 
management.

Alterations will be made after consultation with list members and a 
consensus has been reached.



Re: [Full-disclosure] Mozilla Firefox 3.6 plenitude String Crash(0day) Exploit

2010-03-09 Thread information security
The testcase crashes in Mozilla because
the reason for this is that these are stack exhaustion crashes and are not
exploitable. Stack exhaustion occurs when there is no more room on the
program stack to push any more data. This is not a stack-based buffer
overflow, but it is definitely a bug.

Asheesh


On Mon, Mar 8, 2010 at 7:16 AM, Rohit Patnaik  wrote:

> You checked this code on a 64-bit computer?  I just tested it on Ubuntu
> 9.10 amd-64 edition (running from a LiveCD, no less).  The result was the
> same as the one described above - Firefox chugged for a few seconds and then
> displayed a very wide web page.
>
> -- Rohit Patnaik
>
> On Thu, Mar 4, 2010 at 4:15 AM, information security <
> informationhacke...@gmail.com> wrote:
>
>> I had checked this code on a 64-bit computer; it works.
>> But why does this code only work in the Mozilla browser and not in Internet Explorer?
>> And also, thanks Jeff for all your comments :)
>> In India a famous poet, Kabir, says "keep your critic next to you; he is
>> your best friend!" :)
>>
>> Asheesh kumar Mani Tripathi
>>
>> On Wed, Mar 3, 2010 at 4:19 PM, Jeff Williams wrote:
>>
>>> Sure;
>>>
>>> Mozilla by default recovers any "lost" tabs by itself, so no worry for
>>> your "users" considerations.
>>>
>>> Now sparky, who will be stupid enough to launch a botnet that sets a web
>>> page containing a document.write "A" * 200 on those
>>> compromised hosts?
>>>
>>> You tell me.
>>>
>>> 2010/3/3 information security 
>>>
 Thanks Valdis, Jeff for all your comments.
 Yes, my small-penis machine is running out of RAM and swap space ... :)
 and I believe that Mozilla crashes ... :(
 Can you tell me how to fix it so that people don't become victims of this
 attack, people having 34-bit computers?
 Or people having small-penis machines change into big-penis machines :)

 On Wed, Mar 3, 2010 at 12:37 AM,  wrote:

> On Tue, 02 Mar 2010 20:02:37 PST, information security said:
>
> > open in Mozilla Firefox and wait for 15 sec .. :) and say Good Bye
>
> Sorry, your exploit doesn't do squat on a 64-bit Firefox 3.7a3 with plenty of
> RAM. It chugs for about 7-8 seconds and displays a *very* wide page. It must
> be your small-penis machine running out of RAM and swap space. :)
>
> Hint - this issue was well understood back in 1964. Literally. IBM's OS/360 had
> a GETMAIN macro that allocated storage that could encounter this same basic
> "out of memory" issue.  So not only is this a non-bug that was known when you
> were still being toilet-trained, this may be the first recorded case of
> somebody reporting a non-bug that was known when their *parents* were still
> being toilet-trained.
>

>>>
>>
>>
>
>

Re: [Full-disclosure] Ubisoft DDoS

2010-03-09 Thread Dobbins, Roland

On Mar 9, 2010, at 11:01 PM,  wrote:

> Oh, I didn't say they didn't exist. 

A good way to get started w/scalable DDoS mitigation is to implement S/RTBH on 
one's hardware-based edge routers, and then make use of open-source NetFlow 
tools for visibility.

There are commercial solutions as well - in the interests of full disclosure 
(pardon the pun, heh), I work for a vendor of such intelligent DDoS mitigation 
(IDMS) solutions.

These slides may be of interest in hardening/leveraging one's network 
infrastructure and gaining the ability to detect/classify/traceback/mitigate 
DDoS:

There was also a relevant talk at the latest NANOG (a synopsis of discussions 
on nanog-l and cisco-nsp):



and other relevant presentations at various NANOGs in the past.

To answer the previous respondent's question, Cisco acquired Riverhead and its 
Guard in early 2004:



I also highly recommend this book by Dave Smith and Gregg Schudel of Cisco - 
it's the best (and only!) book on real-world opsec out there, available in 
dead-tree, Kindle, and Adobe Reader formats:



[Full disclosure again; I'm cited in the book, but received and continue to 
receive no remuneration of any kind due to same.]

But before going the commercial route, folks should work on hardening their 
hosts/OSes/apps and leveraging their existing infrastructure and open-source as 
noted in the presentations above - in many cases, this is all that's needed, as 
outlined here:



---
Roland Dobbins  // 

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken





Re: [Full-disclosure] Ubisoft DDoS

2010-03-09 Thread Valdis . Kletnieks
On Tue, 09 Mar 2010 15:24:44 GMT, Michal said:

> I've worked at a huge online betting company and they had network devices
> that worked to stop DDoS, as we got hit quite a bit. I have to say they
> managed quite well; often we would only notice because we regularly
> checked the graphs over 24-hour periods. Other times the attacks had
> some success, but they worked well. Can't remember what they were
> called... think it was a company that ended up being bought by Cisco,
> though we did have cards in the 6500 routers to also help out with DDoS.

Oh, I didn't say they didn't exist.  There's some *really* nice gear for
DDoS mitigation available, if your budget is in the high 6 digits to 7 digits
range per year. Your average 6509 router is going to need some expensive
help surviving. ;)



[Full-disclosure] SQL injection vulnerability in wILD CMS

2010-03-09 Thread Maciej Gojny

 { Ariko-Security - Advisory #4/3/2010 } =

   SQL injection vulnerability in wILD CMS 



Vendor's Description of Software:
# http://www.wildcms.com/ 
Vulnerable DEMO
# http://www.wildcms.com/page.php?page_id=139

Dork:
# N/A

Application Info:
# Name: wILD CMS
Vulnerability Info:
# Type: SQL injection Vulnerability
# Risk: medium

Fix: 
# N/A

Time Table:
# 01/03/2010 - Vendor notified.

Input passed via the "page_id" parameter to page.php is not properly sanitised 
before being used in a SQL query.

Solution:
# Input validation of "page_id" parameter should be corrected.

Vulnerabilities:
# http://[site]/page.php?page_id=139[SQLi]



Credit:
# Discovered By: MG
# Advisory: http://www.ariko-security.com/mar2010/ad526.html
# Contacts: support[-at-]ariko-security.com


Ariko-Security
Maciej Gojny
v...@ariko-security.com
tel.: +48512946012 (Mo-Fr 10.00-20.00 CET)






Re: [Full-disclosure] Ubisoft DDoS

2010-03-09 Thread Adrenalin
I'm just wondering, even if it's under DDoS, isn't it as easy to block as
collecting the list of IPs that send too much data, and just blocking them at the
upper-level ISP?

On Tue, Mar 9, 2010 at 2:10 PM, Jan Schejbal <
jan.mailinglis...@googlemail.com> wrote:

> Hi there,
> Ubisoft apparently got a DDoS on their DRM servers [1], causing
> legitimate players of Assassin's Creed II etc. to be unable to play their
> games (as the new DRM system requires a constant connection to the
> servers). I assume pirated copies ran fine, of course...
>
> Is there any information who was behind that attack? Some people angry
> about the DRM wanting to make a point, or criminal botherders trying to
> extort money from Ubisoft?
>
> What are the best strategies to defend against such an attack, except of
> course not creating such a stupid thing that has a large sign reading
> "DDoS ME!" built into it and pisses off a lot of people at the same time?
>
> Some people claim that attacks were announced "on IRC, in Usenet and on
> the Steam forums" - can anyone confirm this and/or provide message IDs?
>
> Sincerely
> Jan
>
> [1] http://twitter.com/Ubisoft/status/10184920360
>
>

Re: [Full-disclosure] Ubisoft DDoS

2010-03-09 Thread Michal
On 09/03/2010 15:12, valdis.kletni...@vt.edu wrote:
> On Tue, 09 Mar 2010 15:27:02 +0100, Adrenalin said:
>> I'm just wondering, even if it's under DDoS, isn't it as easy to block as
>> collecting the list of IPs that send too much data, and just blocking them at the
>> upper-level ISP?
> 
> You *do* realize that a *small* botnet these days is 75,000 machines, and
> there's an estimated 140 million compromised zombie boxes out there? There's
> very few boxes that can handle an inbound ACL of 75K entries sanely - usually
> what ends up happening is the upstream drops all traffic *to* the target node
> just so all the *other* boxes at the site still get some bandwidth.
> 
> And "sending too much data" is hard to quantify - if you have enough bots,
> you can thoroughly DDoS a site using far *less* bandwidth per host than a
> normal user does.  If the site was designed to handle 10,000 clients each
> sending 5 packets per second for 10 seconds during a login at game start,
> it will likely fall over if you throw 100,000 bots at it, each sending
> 4 packets a second continuously...
> 


I've worked at a huge online betting company and they had network devices
that worked to stop DDoS, as we got hit quite a bit. I have to say they
managed quite well; often we would only notice because we regularly
checked the graphs over 24-hour periods. Other times the attacks had
some success, but they worked well. Can't remember what they were
called... think it was a company that ended up being bought by Cisco,
though we did have cards in the 6500 routers to also help out with DDoS.



Re: [Full-disclosure] Ubisoft DDoS

2010-03-09 Thread Valdis . Kletnieks
On Tue, 09 Mar 2010 15:27:02 +0100, Adrenalin said:
> I'm just wondering, even if it's under DDoS, isn't it as easy to block as
> collecting the list of IPs that send too much data, and just blocking them at the
> upper-level ISP?

You *do* realize that a *small* botnet these days is 75,000 machines, and
there's an estimated 140 million compromised zombie boxes out there? There's
very few boxes that can handle an inbound ACL of 75K entries sanely - usually
what ends up happening is the upstream drops all traffic *to* the target node
just so all the *other* boxes at the site still get some bandwidth.

And "sending too much data" is hard to quantify - if you have enough bots,
you can thoroughly DDoS a site using far *less* bandwidth per host than a
normal user does.  If the site was designed to handle 10,000 clients each
sending 5 packets per second for 10 seconds during a login at game start,
it will likely fall over if you throw 100,000 bots at it, each sending
4 packets a second continuously...


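Valdis' point above (each bot sends less than a normal client, yet the aggregate is far beyond what the service was sized for, and a per-source block list would not even fit on the box) as an added example; this is not code from the thread. The flow records, the login server address (an RFC 5737 documentation address) and the per-source threshold are constructed assumptions; the capacity, botnet size and packet rates are the figures from his post.

```python
"""Added example (not from the thread): why a per-source "sends too much
data" threshold misses a low-and-slow botnet flood, while a per-destination
aggregate measured against provisioned capacity does not.  Flow records are
constructed here, not real NetFlow exports; the numbers come from the post."""
from __future__ import annotations

from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src: int      # source host id (stands in for a source IP)
    dst: str      # destination service address (constructed)
    pkts: int     # packets seen in the flow
    secs: int     # flow duration in seconds


# Capacity the login service was sized for: 10,000 clients x 5 pkt/s.
PROVISIONED_PPS = 10_000 * 5
# A normal client sends 5 pkt/s at login; a per-source threshold has to sit
# above that or it blocks the paying customers as well (assumed: 2x normal).
LEGIT_CLIENT_PPS = 5
PER_SOURCE_LIMIT_PPS = 2 * LEGIT_CLIENT_PPS
# Rough size of an inbound ACL an edge box can still handle sanely (post).
ACL_ENTRY_LIMIT = 75_000
LOGIN_SERVER = "203.0.113.10"  # constructed, RFC 5737 documentation range


def synth_flows(n_src: int, pps: int, secs: int, dst: str = LOGIN_SERVER,
                first_id: int = 0) -> list[Flow]:
    """Constructed flows: n_src hosts each sending pps pkt/s for secs seconds."""
    return [Flow(first_id + i, dst, pps * secs, secs) for i in range(n_src)]


def per_source_offenders(flows: list[Flow],
                         limit_pps: float = PER_SOURCE_LIMIT_PPS) -> set[int]:
    """Sources whose *own* rate exceeds the limit: the 'block the loud IPs' plan."""
    return {f.src for f in flows if f.pkts / f.secs > limit_pps}


def per_destination_pps(flows: list[Flow]) -> dict[str, float]:
    """Aggregate pkt/s toward each destination: what the target actually sees."""
    load: dict[str, float] = defaultdict(float)
    for f in flows:
        load[f.dst] += f.pkts / f.secs
    return dict(load)


def overloaded(flows: list[Flow],
               capacity_pps: float = PROVISIONED_PPS) -> dict[str, float]:
    """Destinations receiving more than they were provisioned for."""
    return {d: pps for d, pps in per_destination_pps(flows).items()
            if pps > capacity_pps}


def distinct_sources(flows: list[Flow]) -> int:
    """How many ACL entries a per-source block list would need."""
    return len({f.src for f in flows})


if __name__ == "__main__":
    legit = synth_flows(10_000, LEGIT_CLIENT_PPS, 10)     # launch-time logins
    bots = synth_flows(100_000, 4, 60, first_id=10_000)   # each below a normal user
    print("legit overloaded:", overloaded(legit))         # {} : within capacity
    print("bots flagged per-source:", len(per_source_offenders(bots)))  # 0
    print("bots overloaded:", overloaded(bots))           # 400,000 pkt/s vs 50,000
    print("ACL entries needed:", distinct_sources(bots), "limit:", ACL_ENTRY_LIMIT)
```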

[Full-disclosure] GeoIPgen version 0.4 released - country-to-IPs generator

2010-03-09 Thread Andrew Horton
I've just released a new version of GeoIPgen

Description: GeoIPgen is a country-to-IPs generator. It's a geographic IP generator for IPv4
networks that uses the MaxMind GeoLite Country database. Geoipgen is the first published use of a
geographic IP database in reverse to translate from country-to-IPs instead of the usual use of
IP-to-country. Features: Random or sorted order, unique or repeating IPs, skips broadcast addresses,
one, many or all countries.

Changes: Much faster than version 0.3; for example, generating all IPs for Papua
New Guinea took a couple of minutes with version 0.3. Now it takes a few seconds.

Homepage: http://www.morningstarsecurity.com/research/geoipgen

P.S. Please tell me about your projects or nationwide scanning efforts that use
geoipgen, e.g. the Australian Web Enumeration Project http://www.auenumerate.net

-- 
Cheers,

Andrew Horton

MorningStar Security
Mobile +64 (0) 272 646 959
Web www.morningstarsecurity.com



[Full-disclosure] Ubisoft DDoS

2010-03-09 Thread Jan Schejbal
Hi there,
Ubisoft apparently got a DDoS on their DRM servers [1], causing 
legitimate players of Assassin's Creed II etc. to be unable to play their 
games (as the new DRM system requires a constant connection to the 
servers). I assume pirated copies ran fine, of course...

Is there any information who was behind that attack? Some people angry 
about the DRM wanting to make a point, or criminal botherders trying to 
extort money from Ubisoft?

What are the best strategies to defend against such an attack, except of 
course not creating such a stupid thing that has a large sign reading 
"DDoS ME!" built into it and pisses off a lot of people at the same time?

Some people claim that attacks were announced "on IRC, in Usenet and on 
the Steam forums" - can anyone confirm this and/or provide message IDs?

Sincerely
Jan

[1] http://twitter.com/Ubisoft/status/10184920360
