[Full-disclosure] [SECURITY] [DSA-2156-1] pcscd security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Debian Security Advisory DSA-2156-1                   secur...@debian.org
http://www.debian.org/security/                                 Steve Kemp
January 31, 2011                            http://www.debian.org/security/faq

Package        : pcscd
Vulnerability  : buffer overflow
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2010-4531

MWR InfoSecurity identified a buffer overflow in pcscd, middleware to access a smart card via PC/SC, which could lead to the execution of arbitrary code.

For the stable distribution (lenny), this problem has been fixed in version 1.4.102-1+lenny4.

For the testing distribution (squeeze), this problem has been fixed in version 1.5.5-4.

For the unstable distribution (sid), this problem has been fixed in version 1.5.5-4.

We recommend that you upgrade your pcscd packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAk1GmzEACgkQwM/Gs81MDZ16QACgtj//ggRf90v63iYv0M3NChBH
Qo4An2eHPeNMFlNqPcK2OAe5EzQ+6tRo
=CaqX
-----END PGP SIGNATURE-----

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2153-1] linux-2.6 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Debian Security Advisory DSA-2153-1                   secur...@debian.org
http://www.debian.org/security/                               dann frazier
January 30, 2011                            http://www.debian.org/security/faq

Package        : linux-2.6
Vulnerability  : privilege escalation/denial of service/information leak
Problem type   : local/remote
Debian-specific: no
CVE Id(s)      : CVE-2010-0435 CVE-2010-3699 CVE-2010-4158 CVE-2010-4162 CVE-2010-4163 CVE-2010-4242 CVE-2010-4243 CVE-2010-4248 CVE-2010-4249 CVE-2010-4258 CVE-2010-4342 CVE-2010-4346 CVE-2010-4526 CVE-2010-4527 CVE-2010-4529 CVE-2010-4565 CVE-2010-4649 CVE-2010-4656 CVE-2010-4668 CVE-2011-0521

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leak. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2010-0435
    Gleb Napatov reported an issue in the KVM subsystem that allows virtual machines to cause a denial of service of the host machine by executing mov to/from DR instructions.

CVE-2010-3699
    Keir Fraser provided a fix for an issue in the Xen subsystem. A guest can cause a denial of service on the host by retaining a leaked reference to a device. This can result in a zombie domain, xenwatch process hangs, and xm command failures.

CVE-2010-4158
    Dan Rosenberg discovered an issue in the socket filters subsystem, allowing local unprivileged users to obtain the contents of sensitive kernel memory.

CVE-2010-4162
    Dan Rosenberg discovered an overflow issue in the block I/O subsystem that allows local users to map large numbers of pages, resulting in a denial of service due to invocation of the out of memory killer.

CVE-2010-4163
    Dan Rosenberg discovered an issue in the block I/O subsystem. Due to improper validation of iov segments, local users can trigger a kernel panic resulting in a denial of service.

CVE-2010-4242
    Alan Cox reported an issue in the Bluetooth subsystem. Local users with sufficient permission to access HCI UART devices can cause a denial of service (NULL pointer dereference) due to a missing check for an existing tty write operation.

CVE-2010-4243
    Brad Spengler reported a denial-of-service issue in the kernel memory accounting system. By passing large argv/envp values to exec, local users can cause the out of memory killer to kill processes owned by other users.

CVE-2010-4248
    Oleg Nesterov reported an issue in the POSIX CPU timers subsystem. Local users can cause a denial of service (Oops) due to incorrect assumptions about thread group leader behavior.

CVE-2010-4249
    Vegard Nossum reported an issue with the UNIX socket garbage collector. Local users can consume all of LOWMEM and decrease system performance by overloading the system with inflight sockets.

CVE-2010-4258
    Nelson Elhage reported an issue in Linux oops handling. Local users may be able to obtain elevated privileges if they are able to trigger an oops with a process' fs set to KERNEL_DS.

CVE-2010-4342
    Nelson Elhage reported an issue in the econet protocol. Remote attackers can cause a denial of service by sending an Acorn Universal Networking packet over UDP.

CVE-2010-4346
    Tavis Ormandy discovered an issue in the install_special_mapping routine which allows local users to bypass the mmap_min_addr security restriction. Combined with an otherwise low severity local denial of service vulnerability (NULL pointer dereference), a local user could obtain elevated privileges.

CVE-2010-4526
    Eugene Teo reported a race condition in the Linux SCTP implementation. Remote users can cause a denial of service (kernel memory corruption) by transmitting an ICMP unreachable message to a locked socket.

CVE-2010-4527
    Dan Rosenberg reported two issues in the OSS soundcard driver. Local users with access to the device (members of group 'audio' on default Debian installations) may obtain access to sensitive kernel memory or cause a buffer overflow, potentially leading to an escalation of privileges.

CVE-2010-4529
    Dan Rosenberg reported an issue in the Linux kernel IrDA socket implementation on non-x86 architectures. Local users may be able to gain access to sensitive kernel memory via a specially crafted IRLMP_ENUMDEVICES getsockopt call.

CVE-2010-4565
    Dan Rosenberg reported an issue in the Linux CAN protocol implementation. Local users can obtain the address of a kernel heap object which might help facilitate system exploitation.

CVE-2010-4649
    Dan
[Full-disclosure] Google Caching For Fun And Profit
With the latest autocomplete google search feature filtering torrent keywords, what happens when illegal data is split into many pieces and Google caches them? If the site hosting the illegal data is forced to remove it, what about google? The original file can still be reassembled from the cached pieces.

For example:

http://webcache.googleusercontent.com/search?q=cache:rWWxuilWeYUJ...
http://webcache.googleusercontent.com/search?q=cache:rWWxuilWeYUJ...
http://webcache.googleusercontent.com/search?q=cache:rWWxuilWeYUJ...
...
...
...

Is Google now liable because it's hosting illegal files on their servers?

Thanks.
[Full-disclosure] TELUS Security Labs VR - Symantec Alert Management System HNDLRSVC Arbitrary Command Execution
Symantec Alert Management System HNDLRSVC Arbitrary Command Execution

TSL ID: FSC20100727-01

1. Affected Software

Symantec Antivirus Corporate Edition 10.1.8.8000 and possibly prior
Symantec System Center 10.1.8.8000 and possibly prior

Reference: http://www.symantec.com/business/antivirus-corporate-edition

2. Vulnerability Summary

An arbitrary program execution vulnerability exists in Symantec Alert Management System (AMS) service shipped with multiple Symantec products. The vulnerability could be exploited by remote unauthenticated attackers to execute arbitrary code with SYSTEM privileges.

3. Vulnerability Analysis

The Alert Management System (AMS) component of Symantec Antivirus Corporate Edition installs an alert handler service, HNDLRSVC, that listens for commands from the AMS server. This service does not perform proper authentication checks before executing such commands. Remote unauthenticated attackers could exploit this vulnerability by sending a crafted packet via the MSGSYS.EXE service on port 38292/TCP. The Run Program command would allow executing arbitrary programs from a remote SMB share with SYSTEM privileges on the vulnerable system.

4. Vulnerability Detection

TELUS Security Labs has confirmed the vulnerability in:

Symantec Antivirus Corporate Edition 10.1.8.8000
Symantec System Center 10.1.8.8000

5. Workaround

Disable the AMS service, or update to the non-vulnerable version of Symantec Antivirus 11.x series which does not include the vulnerable AMS component.

6. Vendor Response

Patches have been made available by the vendor to eliminate this vulnerability:

http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00

7. Disclosure Timeline

2009-07-31  Reported to the vendor
2009-08-03  Vendor response
2011-01-26  Coordinated public disclosure

8. Credits

Junaid Bohio of Vulnerability Research Team, TELUS Security Labs

9. References

CVE: CVE-2010-0110
Vendor: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00
http://telussecuritylabs.com/threats/show/FSC20100727-01

10. About TELUS Security Labs

TELUS Security Labs, formerly Assurent Secure Technologies is the leading provider of security research. Our research services include:

* Vulnerability Research
* Malware Research
* Signature Development
* Shellcode Exploit Development
* Application Protocols
* Product Security Testing
* Security Content Development (parsers, reports, alerts)

TELUS Security Labs provides a specialized portfolio of services to assist security product vendors with newly discovered commercial product vulnerabilities and malware attacks. Many of our services are provided on a subscription basis to reduce research costs for our customers. Over 50 of the world's leading security product vendors rely on TELUS Security Labs research.

http://telussecuritylabs.com
[Full-disclosure] TELUS Security Labs VR - Novell ZENworks Handheld Management ZfHIPCND.exe Buffer Overflow
Novell ZENworks Handheld Management ZfHIPCND.exe Buffer Overflow

TSL ID: FSC20110125-06

1. Affected Software

Novell ZENworks Handheld Management 7.0

Reference: http://www.novell.com/products/zenworks/handhelds

2. Vulnerability Summary

A buffer overflow vulnerability exists in Novell ZENworks Handheld Management that could be exploited by remote unauthenticated attackers to execute arbitrary code with SYSTEM privileges on a vulnerable server.

3. Vulnerability Analysis

The vulnerability is due to a boundary error in the IP Conduit Service, ZfHIPCND.exe. If a crafted packet is sent to the service on port 2400/TCP, it allocates a fixed size heap buffer and copies the client device information into it without validating the string size. This could be exploited by attackers to overflow the buffer and possibly execute arbitrary code with the privileges of the ZfHIPCND.exe service, by default SYSTEM.

4. Vulnerability Detection

TELUS Security Labs has confirmed the vulnerability in:

ZENworks Handheld Management 7.0 (ZfHIPCND.exe version 7.0.2.1029 Build 10/29/10)

5. Workaround

Do not allow untrusted hosts to access the vulnerable service.

6. Vendor Response

Patches have been made available by the vendor to eliminate this vulnerability:

http://www.novell.com/support/viewContent.do?externalId=7007663
http://download.novell.com/Download?buildid=x_x4cdA5yT8~

7. Disclosure Timeline

2010-12-21  Reported to the vendor
2010-12-21  Vendor response
2011-01-25  Vendor released patches and advisory
2011-01-26  Published TSL advisory

8. Credits

Junaid Bohio of Vulnerability Research Team, TELUS Security Labs

9. References

CVE: Not available
Vendor: http://www.novell.com/support/viewContent.do?externalId=7007663
http://telussecuritylabs.com/threats/show/FSC20110125-06

10. About TELUS Security Labs

http://telussecuritylabs.com
[Full-disclosure] TELUS Security Labs VR - Symantec Antivirus Intel Alert Handler Service Denial of Service
Symantec Antivirus Intel Alert Handler Service Denial of Service

TSL ID: FSC20101213-06

1. Affected Software

Symantec Antivirus Corporate Edition 10.1.8.8000 and possibly prior
Symantec System Center 10.1.8.8000 and possibly prior

Reference: http://www.symantec.com/business/antivirus-corporate-edition

2. Vulnerability Summary

A denial of service vulnerability exists in Symantec Antivirus Intel Alert Handler service. Remote unauthenticated attackers can exploit this vulnerability by sending a malicious packet to the target service.

3. Vulnerability Analysis

The Alert Management System (AMS) component of Symantec Antivirus Corporate Edition installs an alert handler service, HNDLRSVC, that listens for commands from the AMS server. This service does not perform proper input validation of the command arguments while parsing parameters in the AMSGetPastParamList function. Remote unauthenticated attackers could exploit this vulnerability by sending a crafted packet, with overly long parameter size values, via the MSGSYS.EXE service on port 38292/TCP.

4. Vulnerability Detection

TELUS Security Labs has confirmed the vulnerability in:

Symantec Antivirus Corporate Edition 10.1.8.8000
Symantec System Center 10.1.8.8000

5. Workaround

Disable the AMS service, or update to the non-vulnerable version of Symantec Antivirus 11.x series which does not include the vulnerable AMS component.

6. Vendor Response

Patches have been made available by the vendor to eliminate this vulnerability:

http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_01

7. Disclosure Timeline

2009-10-01  Reported to the vendor
2009-10-20  Vendor response
2011-01-26  Coordinated public disclosure

8. Credits

Junaid Bohio of Vulnerability Research Team, TELUS Security Labs

9. References

CVE: CVE-2010-0111
Vendor: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_01
http://telussecuritylabs.com/threats/show/FSC20101213-06

10. About TELUS Security Labs

http://telussecuritylabs.com
[Full-disclosure] CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue
CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache CouchDB 0.8.0 to 1.0.1

Description: Apache CouchDB versions prior to version 1.0.2 are vulnerable to cross site scripting (XSS) attacks.

Mitigation: All users should upgrade to CouchDB 1.0.2. Upgrades from the 0.11.x and 0.10.x series should be seamless. Users on earlier versions should consult http://wiki.apache.org/couchdb/Breaking_changes

Example: Due to inadequate validation of request parameters and cookie data in Futon, CouchDB's web-based administration UI, a malicious site can execute arbitrary code in the context of a user's browsing session.

Credit: This XSS issue was discovered by a source that wishes to stay anonymous.

References:
http://couchdb.apache.org/downloads.html
http://wiki.apache.org/couchdb/Breaking_changes
http://en.wikipedia.org/wiki/Cross-site_scripting

Jan Lehnardt
--
Re: [Full-disclosure] sourceforge entry point seems still active.
Yeah I got a mail from them stating the DBs have been compromised, they're doing password resets.

Sal Rinder

> Date: Fri, 28 Jan 2011 10:23:25 +0100
> From: extraexpl...@gmail.com
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] sourceforge entry point seems still active.
>
> Another update from HN and official response from sourceforge team:
>
> the sourceforge entry point seems still active
> http://extraexploit.blogspot.com/2011/01/sourceforge-entry-point-seems-still.html
>
> Sourceforge servers compromised
> http://news.ycombinator.com/item?id=2150639
>
> SourceForge.net Attack Update
> http://sourceforge.net/apps/wordpress/sourceforge/2011/01/27/sourceforge-net-attack-update/
>
> Regards
> --
> http://extraexploit.blogspot.com
[Full-disclosure] [SECURITY] [DSA-2154-1] exim4 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Debian Security Advisory DSA-2154-1                   secur...@debian.org
http://www.debian.org/security/                             Stefan Fritsch
January 30, 2011                            http://www.debian.org/security/faq

Package          : exim4
Vulnerability    : privilege escalation
Problem type     : local
CVE Id(s)        : CVE-2010-4345 CVE-2011-0017
Behaviour change : yes

A design flaw (CVE-2010-4345) in exim4 allowed the local Debian-exim user to obtain root privileges by specifying an alternate configuration file using the -C option or by using the macro override facility (-D option). Unfortunately, fixing this vulnerability is not possible without some changes in exim4's behaviour. If you use the -C or -D options or use the system filter facility, you should evaluate the changes carefully and adjust your configuration accordingly. The Debian default configuration is not affected by the changes.

The detailed list of changes is described in the NEWS.Debian file in the packages. The relevant sections are also reproduced below.

In addition to that, missing error handling for the setuid/setgid system calls allowed the Debian-exim user to cause root to append log data to arbitrary files (CVE-2011-0017).

For the stable distribution (lenny), these problems have been fixed in version 4.69-9+lenny3.

For the testing distribution (squeeze) and the unstable distribution (sid), these problems have been fixed in version 4.72-4.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Excerpt from the NEWS.Debian file from the packages exim4-daemon-light and exim4-daemon-heavy:

  Exim versions up to and including 4.72 are vulnerable to CVE-2010-4345. This is a privilege escalation issue that allows the exim user to gain root privileges by specifying an alternate configuration file using the -C option. The macro override facility (-D) might also be misused for this purpose.

  In reaction to this security vulnerability upstream has made a number of user visible changes. This package includes these changes.

  If exim is invoked with the -C or -D option the daemon will not regain root privileges through re-execution. This is usually necessary for local delivery, though. Therefore it is generally not possible anymore to run an exim daemon with -D or -C options.

  However this version of exim has been built with TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. TRUSTED_CONFIG_LIST defines a list of configuration files which are trusted; if a config file is owned by root and matches a pathname in the list, then it may be invoked by the Exim build-time user without Exim relinquishing root privileges.

  As a hotfix to not break existing installations of mailscanner we have also set WHITELIST_D_MACROS=OUTGOING, i.e. it is still possible to start exim with -DOUTGOING while being able to do local deliveries.

  If you previously were using -D switches you will need to change your setup to use a separate configuration file. The .include mechanism makes this easy.

  The system filter is run as exim_user instead of root by default. If your setup requires root privileges when running the system filter you will need to set the system_filter_user exim main configuration option.

Mailing list: debian-security-annou...@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFNRUAWbxelr8HyTqQRAnoKAJ9yvfLsBBM+zDddAF0Bg1PRknw1vQCgoL4q
GRsuFBCpLRszeIrSYf6rIjk=
=6Cy/
-----END PGP SIGNATURE-----
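The privilege policy the NEWS excerpt describes (a -C file keeps root only if it is root-owned and listed in TRUSTED_CONFIG_LIST; -D keeps root only for macro names in WHITELIST_D_MACROS; anything else forces the daemon to stay unprivileged) can be written down as a small decision function. The block below is an added illustration, not code from Exim or from the Debian package. The two constants are the Debian build settings quoted above; the command-line parsing is a simplified assumption (only `-C <file>`, `-C<file>` and `-D<MACRO>[=value]` are understood), and the `owner_uid` parameter exists so the check can be exercised on pathnames that do not exist on the machine running it.

```python
"""Model of the Exim privilege policy described in DSA-2154-1.

Added illustration, not Exim's or Debian's code. The constants mirror the
Debian build settings quoted in the advisory; argument parsing is a
simplified assumption (only -C <file>, -C<file> and -D<MACRO>[=value]).
"""
from __future__ import annotations

import os
from typing import Iterable, Optional

TRUSTED_CONFIG_LIST = "/etc/exim4/trusted_configs"  # Debian build-time setting
WHITELIST_D_MACROS = frozenset({"OUTGOING"})        # Debian hotfix for mailscanner


def parse_trusted_list(text: str) -> set[str]:
    """One absolute pathname per line; blank lines and '#' comments are skipped
    (comment handling is an assumption of this model, not documented Exim syntax)."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def config_is_trusted(config_path: str, trusted: set[str], owner_uid: int) -> bool:
    """A -C file keeps root only if it is root-owned AND its pathname is listed."""
    return owner_uid == 0 and config_path in trusted


def parse_exim_args(argv: list[str]) -> tuple[Optional[str], list[str]]:
    """Extract the -C file and the -D macro names from an exim command line."""
    config_path: Optional[str] = None
    macros: list[str] = []
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "-C" and i + 1 < len(argv):      # -C <file>
            config_path = argv[i + 1]
            i += 1
        elif arg.startswith("-C"):                  # -C<file>
            config_path = arg[2:]
        elif arg.startswith("-D"):                  # -DMACRO or -DMACRO=value
            macros.append(arg[2:].split("=", 1)[0])
        i += 1
    return config_path, macros


def must_drop_root(config_path: Optional[str] = None,
                   d_macros: Iterable[str] = (),
                   trusted: Iterable[str] = (),
                   owner_uid: Optional[int] = None) -> bool:
    """True when exim must NOT regain root on re-exec for this invocation.

    No -C and no -D: the default configuration, privileges unaffected.
    -C <file>: root is kept only when config_is_trusted() holds.
    -D<MACRO>: root is kept only when every macro is in WHITELIST_D_MACROS.
    owner_uid overrides the stat() lookup for files that do not exist here.
    """
    if config_path is not None:
        uid = owner_uid if owner_uid is not None else os.stat(config_path).st_uid
        if not config_is_trusted(config_path, set(trusted), uid):
            return True
    return any(name not in WHITELIST_D_MACROS for name in d_macros)


def must_drop_root_for_argv(argv: list[str], trusted: Iterable[str] = (),
                            owner_uid: Optional[int] = None) -> bool:
    """Decide straight from an argv list such as ['exim4', '-DOUTGOING', '-bd']."""
    config_path, macros = parse_exim_args(argv)
    return must_drop_root(config_path, macros, trusted, owner_uid)
```

The root-ownership test is what makes the list safe to ship: the Debian-exim user can create a file at any pathname it can write to, but it cannot make that file owned by root, so simply listing a path is not enough to reopen the hole.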
[Full-disclosure] [SECURITY] [DSA-2154-2] exim4 regression fix
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Debian Security Advisory DSA-2154-2                   secur...@debian.org
http://www.debian.org/security/                             Stefan Fritsch
January 30, 2011                            http://www.debian.org/security/faq

Package          : exim4
Vulnerability    : privilege escalation / regression
Problem type     : local
CVE Id(s)        : CVE-2010-4345 CVE-2011-0017
Debian bug       : 611572
Behaviour change : yes

The updated packages from DSA-2154-1 introduced a regression which prevented unprivileged users from using 'exim4 -bf' to test filter configurations. This update fixes this problem. Please also read the information provided in DSA-2154-1 if you have not done so already.

For the stable distribution (lenny), this problem has been fixed in version 4.69-9+lenny4.

For the testing distribution (squeeze) and the unstable distribution (sid), this problem will be fixed soon.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFNRd8Tbxelr8HyTqQRAo1jAJwIKvN6wJcNQMCS8TdTD9/rSrVjbwCeKCG6
dpsHKoU001vpAedZse3H9JM=
=RjQY
-----END PGP SIGNATURE-----
[Full-disclosure] Harvard.edu LFI
Hey, I've tried reporting issues to Harvard University tons of times in the past but they rarely respond and even more rarely commend researchers for finding vulnerabilities so I decided that full-disclosure was the way to get Harvard off of their crimson asses and patch this vulnerability.

PoC link:
http://www.hcs.harvard.edu/~chtnasp/index.php?page=../../../../../../../../../../../../../../../../../../../../../etc/passwd

Enjoy,

Luis Santana - Security+
Administrator - http://hacktalk.net
HackTalk Security - Security From The Underground
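The PoC above is the classic local file inclusion pattern: a `page=` parameter joined to an include path with no validation, so enough `../` segments walk out of the web root to `/etc/passwd`. The block below is an added illustration and is not code from the hcs.harvard.edu site (its source is not on the list). It shows the unchecked resolution the PoC depends on beside a hardened version (allow-list plus canonical-path containment), and a small scan that flags traversal attempts in access-log lines, including double-encoded ones. `PAGES_DIR`, `ALLOWED_PAGES`, the log lines and the client addresses are constructed for the example.

```python
"""Added illustration of the page=../.. local file inclusion pattern in the PoC.

Not code from the hcs.harvard.edu site; PAGES_DIR, ALLOWED_PAGES, the log
lines and the client addresses are constructed for this example.
"""
from __future__ import annotations

import os
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

PAGES_DIR = "/var/www/site/pages"                        # assumed include directory
ALLOWED_PAGES = frozenset({"home", "about", "contact"})  # assumed page names

# The page= value from the PoC link.
POC_PAGE = "../../../../../../../../../../../../../../../../../../../../../etc/passwd"


def vulnerable_resolve(page: str, pages_dir: str = PAGES_DIR) -> str:
    """The bug the PoC relies on: the parameter is joined to the include path
    unchecked. normpath collapses the '..' segments lexically (no filesystem
    access), which is enough to show where the include would land."""
    return os.path.normpath(os.path.join(pages_dir, page))


def is_within(base_dir: str, candidate: str) -> bool:
    """Canonicalise both sides (symlinks, '..', '.') and require that the
    candidate still lives under base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, candidate))
    return os.path.commonpath([base, target]) == base


def safe_resolve(page: str, pages_dir: str = PAGES_DIR) -> Optional[str]:
    """Allow-list first, containment check second (defence in depth)."""
    if page not in ALLOWED_PAGES:
        return None
    rel = page + ".php"
    if not is_within(pages_dir, rel):
        return None
    return os.path.realpath(os.path.join(pages_dir, rel))


# A '..' path segment, with either separator, anywhere in the value.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed access-log lines (common log format, documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [31/Jan/2011:00:22:10 +0000] "GET /~chtnasp/index.php?page=../../../../etc/passwd HTTP/1.1" 200 1814
192.0.2.44 - - [31/Jan/2011:00:22:11 +0000] "GET /~chtnasp/index.php?page=about HTTP/1.1" 200 5120
198.51.100.23 - - [31/Jan/2011:00:22:12 +0000] "GET /~chtnasp/index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1814
"""

LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/\d\.\d"')


def traversal_requests(access_log: str) -> list[tuple[str, str]]:
    """Return (client, request) for lines whose query string carries a '..'
    segment. parse_qs already decodes one layer of %-encoding; the extra
    unquote() catches double-encoded payloads such as %252e%252e%252f."""
    hits: list[tuple[str, str]] = []
    for line in access_log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, url = m.groups()
        params = parse_qs(urlsplit(url).query, keep_blank_values=True)
        if any(TRAVERSAL.search(unquote(v)) for vals in params.values() for v in vals):
            hits.append((client, url))
    return hits
```

The allow-list is the real fix; the containment check only guards against someone later loosening the allow-list to accept arbitrary names. Note that the PoC has no trailing `.php`, so whatever the target script does, it is not appending a fixed extension (or that extension is being defeated), which is why the hardened version builds the filename itself from a known page name.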
[Full-disclosure] Vulnerability discloses PIN used in Microsoft Excel secure printing
Hello list,

Stumbled across this today. It appears Excel spreadsheets store printer information including the PIN you might use when trying to do a secure print.

http://insecureprinting.com/Microsoft_Excel_Spreadsheets_Expose_User_PIN_Used_for_Confidential_Secure_Printing.pdf

The paper is quite thorough and shows that in most cases the PIN is stored in clear text in the spreadsheet, though some printer vendors try to obfuscate the PIN (though not very successfully).

Thanks,
Ed
Re: [Full-disclosure] Harvard.edu LFI
*claps*

On Mon, Jan 31, 2011 at 12:22 AM, Hack Talk hacktalkb...@gmail.com wrote:
> Hey, I've tried reporting issues to Harvard University tons of times in the past but they rarely respond and even more rarely commend researchers for finding vulnerabilities so I decided that full-disclosure was the way to get Harvard off of their crimson asses and patch this vulnerability.
> [...]
[Full-disclosure] world's worst hacker?
I know there's been posts in the past about honeypot related issues. I just wanted to share one of the more fun sessions I've had until today.

http://george.hedfors.com/content/worlds-worst-hacker

--
George Hedfors
http://www.linkedin.com/in/georgehedfors
PGP: 0xE2AE9749/66C3 1A01 240F 3AF4 C0C8 80BC 0347 6C5D E2AE 9749
[Full-disclosure] Travel letter from Craig S. Wright
This is so funny, almost laughed my ass off :) Enjoy! Hello all, I am sitting on a plane as I type this in flight some place between SFO (San Francisco) and JFK (New York). I am not flying economy as this is a work trip and I have laptops and other things sprawled all over the place in my mobile office structure. Having power in business and first was always a turn on for me and a justification as I can generally pay for the cost of the flight in billable hours as well as arriving relaxed. This is not of course an advertisement for premium service flights, but rather a post about the other aspects of flight with laptops these days. That is Internet access. I have another 4 hours before I have to turn my laptop off. I love the wireless internet access you can get in flight right now as I am sitting here at 30,000 feet. I mean this is really marvellous when you think of it. I have 4 companies, 2 of which are in the stages where they are in need of constant attention and I can be there 24x7 even as I fly now. I only have the small sections for take-off and landing where I have to be internet deprived. As a work-a-holic, the ability to stay connected from 3G on the parts of my travel and manage and monitor client needs and staff is absolutely tremendous. I have Netstumbler on my laptop, just collecting passively. I do not have the Kismet one running now. There is another laptop here and I see a paper on the security of inflight services - the GOGO service is unsecured. Not even WEP. So for the work critical things I use the Citrix gateway and allow those who want to see my browsing to unsecured sites to collect away. The shame I see in all this is that these wireless hotspots on planes are even less secure than the ones on the ground. With more and more executives starting to use these services, this is going to be more of an issue as time passes. I see C-level staff using this now and in time more and more use from high-level employees will occur. 
Think of all that leaked data. For the right people, it would almost seem profitable to hop a plane and extrude data in flight. Lots to add to the list of things to secure… God I love technology! ...

Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, ...
Information Defense Pty Ltd
Mobile: 0417 683 914
Re: [Full-disclosure] Vulnerability discloses PIN used in Microsoft Excel secure printing
Wtf, I've never heard of a 'secure' print :S

On Mon, Jan 31, 2011 at 8:01 AM, Ed Murphy ed.b.mur...@gmail.com wrote:
> Hello list,
>
> Stumbled across this today. It appears Excel spreadsheets store printer information including the PIN you might use when trying to do a secure print.
> [...]
Re: [Full-disclosure] Travel letter from Craig S. Wright
from http://www.gogoinflight.com/gogo/content/FAQ_Service.do

also noteworthy that the privacy policy link is broken: http://www.gogoinflight.com/gbp/privacy.do

<snip>
Is it safe to use Wi-Fi in flight?

Passenger security and safety is of utmost importance to Gogo. Before allowing our service to be used onboard, all aspects of its use were rigorously tested by Gogo and our airline partners, and certified by the Federal Aviation Administration (FAA).
</snip>

Cheers,
--scm

On Sun, Jan 30, 2011 at 13:56, mad@hushmail.com wrote:
> This is so funny, almost laughed my ass off :) Enjoy!
> [...]
Re: [Full-disclosure] world's worst hacker?
HAHA that made my day. Thanks for sharing...

On Sat, Jan 29, 2011 at 8:03 AM, George Hedfors george.hedf...@gmail.com wrote:
I know there's been posts in the past about honeypot related issues. I just wanted to share one of the more fun sessions I've had until today.
http://george.hedfors.com/content/worlds-worst-hacker

-- George Hedfors
http://www.linkedin.com/in/georgehedfors
PGP: 0xE2AE9749/66C3 1A01 240F 3AF4 C0C8 80BC 0347 6C5D E2AE 9749
Re: [Full-disclosure] Travel letter from Craig S. Wright
I am truly amazed. He was actually HIRED by someone who is paying travel expenses? Wonders never cease. He's probably trying to merge his Vulnerability Prediction System with Getting Off the Patch. You know, I wouldn't be surprised.

t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of mad@hushmail.com
Sent: Sunday, January 30, 2011 10:56 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Travel letter from Craig S. Wright

This is so funny, almost laughed my ass off :) Enjoy!

[...]
Re: [Full-disclosure] In Pro Domo
How about you fuck off and go listen to more Bright Eyes? You little emo faggot. I'll send you some razor blades.

Sincerely,
storm (gonullyourself.org)

From: HI-TECH . isowarez.isowarez.isowarez () googlemail com
Date: Thu, 27 Jan 2011 05:22:49 +0100

Phrack and the blackhats. You are an army I am one. The only lasting. I am your conscience. I am always behind you, every day from morning to late, I am near you no matter where you go I'm the bad feeling that you get the one or the other day. And you without difficulty Simply push aside On your last day I'll get you, - i'll Take you tight in my grip - Then you're not getting past me - I'll show you your true self - The thousand lies from you i'll put you down to account - All the tricks and gimmicks - I am your conscience I will not let you alone more I am the tick sitting in your neck - i will not leave you whether you like it or not - Your sleep is still deep and strong - Because you think you come out without me - But believe me even you wake up at some point On your last day I'll get you, - i'll Take you tight in my grip - Then you're not getting past me - I'll show you your true self - The thousand lies from you i'll put you down to account - All the tricks and gimmicks - I am your conscience I will not let you alone more
http://www.youtube.com/watch?v=cZIGDPzad1M

See you in zero for owned.

Sincerely,
Kingcope
Re: [Full-disclosure] Andrew trelane Kirch EXPOSED
What's your real name? Since goatsec is a reputable security firm, certainly you have no issue if we pull up your info?

Aerojam

--- On Fri, 1/28/11, Leon Kaiser litera...@gmail.com wrote:
From: Leon Kaiser litera...@gmail.com
Subject: [Full-disclosure] Andrew trelane Kirch EXPOSED
To: full-disclosure@lists.grok.org.uk
Date: Friday, January 28, 2011, 2:25 PM

http://www.dailytech.com/Goatse+Security+Defaced+Perpetrators+Alleged+Identity+Revealed+/article20776.htm

Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr
http://gnaa.eu || http://security.goatse.fr
7BEECD8D FCBED526 F7960173 459111CE F01F9923
The mask of anonymity is not intensely constructive. -- Andrew weev Auernheimer
[Full-disclosure] Input not sanitized in Emerson network power
Found this search box last month which is not sanitizing any input:
http://www.emersonnetworkpower.com/en-US/SearchCenter/Pages/AllResults.aspx?k=%3Cscript%3Ealert(document.cookie)%3C/script%3Es=Network%20Power%20Content_en-US_en-US

Have contacted the owner but there isn't any response. Maybe the vulnerability isn't serious enough to exploit.

-- Madhur
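An added illustration of the bug class Madhur reports (example code written for this page, not Emerson's search page and not from the post): the `k` parameter is decoded the way the server sees it, echoed once without encoding and once with HTML output encoding, and a tester's canary check shows which of the two reflects markup. The host in SAMPLE_URL is hypothetical; the payload is the one from the URL above.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Same request shape as the report, against a hypothetical host (constructed, not Emerson's).
SAMPLE_URL = ("http://search.example.test/SearchCenter/Pages/AllResults.aspx"
              "?k=%3Cscript%3Ealert(document.cookie)%3C/script%3E"
              "&s=Network%20Power%20Content_en-US_en-US")


def search_term(url):
    """Return the percent-decoded `k` parameter exactly as server-side code receives it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get("k", [""])[0]


def render_vulnerable(k):
    """Echo the term into an attribute and into body text with no encoding: reflected XSS."""
    return f'<input name="k" value="{k}"><h2>Results for {k}</h2>'


def render_fixed(k):
    """Encode for both contexts; quote=True also neutralises the attribute break-out."""
    safe = html.escape(k, quote=True)
    return f'<input name="k" value="{safe}"><h2>Results for {safe}</h2>'


# A tester's confirmation step: send a canary that would break out of an attribute
# and open a tag, then check whether it comes back byte-for-byte.
CANARY = '"><zz1>'


def reflects_unencoded(render):
    """True if the renderer puts the canary into the page without encoding it."""
    return CANARY in render(CANARY)


if __name__ == "__main__":
    k = search_term(SAMPLE_URL)
    print("decoded k:", k)
    print("vulnerable:", render_vulnerable(k))
    print("fixed:     ", render_fixed(k))
    print("vulnerable reflects canary:", reflects_unencoded(render_vulnerable))
    print("fixed reflects canary:     ", reflects_unencoded(render_fixed))
```

The canary is deliberately not a `<script>` tag: it shows that the attribute context breaks out just as easily as the text context, and it is short enough to survive length limits that would swallow the original payload.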
Re: [Full-disclosure] In Pro Domo
When in doubt, unleash internet-tough-guy on your adversaries.

On Fri, Jan 28, 2011 at 1:18 AM, Jack Ryan c0xforb...@hotmail.com wrote:
[...]
Re: [Full-disclosure] Travel letter from Craig S. Wright
Thor, he's on your paycheck...taxes...

On Mon, Jan 31, 2011 at 4:25 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
I am truly amazed. He was actually HIRED by someone who is paying travel expenses? Wonders never cease. He's probably trying to merge his Vulnerability Prediction System with Getting Off the Patch. You know, I wouldn't be surprised.

t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of mad@hushmail.com
Sent: Sunday, January 30, 2011 10:56 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Travel letter from Craig S. Wright

[...]
Re: [Full-disclosure] Travel letter from Craig S. Wright
OK, Now it's not that funny.

From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Monday, January 31, 2011 7:32 AM
To: Thor (Hammer of God)
Cc: mad@hushmail.com; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Travel letter from Craig S. Wright

Thor, he's on your paycheck...taxes...

On Mon, Jan 31, 2011 at 4:25 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
[...]
Re: [Full-disclosure] Andrew trelane Kirch EXPOSED
Troy,

Since when were goats jumping on keyboards reputable hackers?

Cheerio

On Sat, Jan 29, 2011 at 6:40 PM, Troy Aerojam taero.secli...@yahoo.com wrote:
What's your real name? Since goatsec is a reputable security firm, certainly you have no issue if we pull up your info?

Aerojam

--- On Fri, 1/28/11, Leon Kaiser litera...@gmail.com wrote:
[...]
Re: [Full-disclosure] Vulnerability discloses PIN used in Microsoft Excel secure printing
Yes, it comes in very handy for those who need to ensure that the documents they placed on open shares be held at the printer for security. I love this part:

"The adversary can then either print two copies of the victim's file and leave one on the printer for the victim, or print one copy of the victim's file and photocopy it before leaving the original on the printer for the victim, or print one copy of the victim's file and take it resulting in the victim thinking that perhaps they didn't click the print icon after all."

They forgot to add "Or, the attacker could open the spreadsheet from the share." LOL

t

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Cal Leeming [Simplicity Media Ltd]
Sent: Monday, January 31, 2011 6:19 AM
To: Ed Murphy
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Vulnerability discloses PIN used in Microsoft Excel secure printing

Wtf, I've never heard of a 'secure' print :S

On Mon, Jan 31, 2011 at 8:01 AM, Ed Murphy ed.b.mur...@gmail.com wrote:
Hello list,

Stumbled across this today. It appears Excel spreadsheets store printer information including the PIN you might use when trying to do a secure print.
http://insecureprinting.com/Microsoft_Excel_Spreadsheets_Expose_User_PIN_Used_for_Confidential_Secure_Printing.pdf

The paper is quite thorough and shows that in most cases the PIN is stored in clear text in the spreadsheet, though some printer vendors try to obfuscate the PIN (though not very successfully).

Thanks,
Ed
Re: [Full-disclosure] Input not sanitized in Emerson network power
xssed.com

On Mon, Jan 31, 2011 at 3:04 PM, Madhur Ahuja ahuja.mad...@gmail.com wrote:
[...]
Re: [Full-disclosure] Andrew trelane Kirch EXPOSED
It depends on whether they are wearing Wellies on their hind legs.

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Christian Sciberras
Sent: Monday, January 31, 2011 7:35 AM
To: Troy Aerojam
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Andrew trelane Kirch EXPOSED

Troy, Since when were goats jumping on keyboards reputable hackers?

Cheerio

On Sat, Jan 29, 2011 at 6:40 PM, Troy Aerojam taero.secli...@yahoo.com wrote:
[...]
Re: [Full-disclosure] Vulnerability discloses PIN used in Microsoft Excel secure printing
Thor, how about creating a fake copy of the office with a fake printer? The attacker gets as much original/restricted copies as he wants to!(!)

On Mon, Jan 31, 2011 at 4:36 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
[...]
Re: [Full-disclosure] Google Caching For Fun And Profit
On Fri, 28 Jan 2011 18:24:50 GMT, cyber flash said:
Is Google now liable because it's hosting illegal files on their servers.

At least in the US, this qualifies for the various Safe Harbor exemptions in 17 USC 512, where they're not liable as long as they respond to takedown notices. If you've ever seen a Google search return "one or more entries have been removed due to DMCA requests, go visit chillingeffects.org", that's a Google response to a takedown notice.

http://www.law.cornell.edu/uscode/html/uscode17/usc_sec_17_0512000-.html

You're interested in 17 USC 512 (b) regarding "cached information" and 17 USC 512 (d) regarding "information location tools".

Note that it's still an undecided question whether merely having a link to infringing materials is itself infringing - there's a very messy area having to do with "facilitating" infringement. You stick a "Hey warez puppez, check this out" comment on it, you're probably facilitating. You keep a whole list of links to nothing but infringing stuff, you're likely facilitating. You have a lot of links to stuff that you comment on, and some are infringing but most aren't, that's probably not facilitating.
Re: [Full-disclosure] Vulnerability discloses PIN used in Microsoft Excel secure printing
Wtf, I've never heard of a 'secure' print :S

Most large multifunction devices do this .. it's not secure in the traditional (crypto) sense of the word, it's just a part of the job sent via the postscript driver. Look at the PSD files for any large multifunction and you'll find the options for it.

How it works is instead of printing the job immediately, it queues and holds until the operator goes and enters the code on the console .. so that you have time to walk over to the printer and grab it, versus having it sit there while you walk down the hall.

What's interesting is that Excel is embedding the PIN (part of the printer driver) in the default printer settings it saves in the document metadata. The PIN itself isn't particularly private (it's sent in the clear when printing) but embedding it is dumb.

Cheers,
Michael Holstein
Cleveland State University
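An added example (not from the paper, the thread, or any vendor) of auditing a workbook for what Holstein describes. An .xlsx is a zip, and Excel keeps the saved printer settings as a Windows DEVMODE blob under xl/printerSettings/; the driver-private area that follows the public DEVMODE fields (dmSize bytes in, dmDriverExtra bytes long) is where a vendor driver keeps job options such as a hold PIN. The script parses only the leading DEVMODEW fields it needs, carves out the driver-private bytes and lists 4-8 digit strings in them as PIN candidates. The sample workbook, the device name "Constructed MFP" and the JobPIN=4711 encoding are constructed for the example; where a given vendor puts the PIN, and whether it is obfuscated, is vendor-specific, so a hit is a candidate to verify rather than proof, and the older binary .xls container is not handled here.

```python
import io
import re
import struct
import zipfile

# Leading fields of DEVMODEW as print drivers write it: dmDeviceName (32 WCHARs),
# dmSpecVersion, dmDriverVersion, dmSize (length of the public structure) and
# dmDriverExtra (length of the driver-private block that follows the public part).
_DEVMODE_HEAD = struct.Struct("<64sHHHH")

PRINTER_PART = re.compile(r"^xl/printerSettings/printerSettings\d+\.bin$")
ASCII_DIGITS = re.compile(rb"(?<![0-9])[0-9]{4,8}(?![0-9])")
UTF16_DIGITS = re.compile(rb"(?:[0-9]\x00){4,8}")


def split_devmode(blob):
    """Return (device name, driver-private bytes) from a DEVMODEW blob."""
    name, _spec, _drv, size, extra = _DEVMODE_HEAD.unpack_from(blob, 0)
    device = name.decode("utf-16-le", "ignore").split("\x00", 1)[0]
    return device, blob[size:size + extra]


def pin_candidates(private):
    """Digit runs of PIN length inside the driver-private area, ASCII or UTF-16LE."""
    found = {m.group().decode() for m in ASCII_DIGITS.finditer(private)}
    found |= {m.group().decode("utf-16-le") for m in UTF16_DIGITS.finditer(private)}
    return sorted(found)


def audit_xlsx(data):
    """List (part name, printer, PIN candidates) for every saved printer setting in a workbook."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if PRINTER_PART.match(name):
                device, private = split_devmode(z.read(name))
                findings.append((name, device, pin_candidates(private)))
    return findings


# --- constructed sample: a minimal workbook whose saved printer settings carry a hold-job PIN ---

def build_devmode(device, private):
    """Assemble a DEVMODEW-shaped blob; 20 zero bytes stand in for the public fields we skip."""
    public_len = _DEVMODE_HEAD.size + 20
    head = _DEVMODE_HEAD.pack(device.encode("utf-16-le").ljust(64, b"\x00"),
                              0x0401, 0x0600, public_len, len(private))
    return head + b"\x00" * 20 + private


def build_sample_xlsx():
    # Hypothetical vendor encoding: a tagged, null-terminated PIN string in the private area.
    private = b"\x00\x01JobPIN=4711\x00" + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # stub; enough for the audit
        z.writestr("xl/printerSettings/printerSettings1.bin",
                   build_devmode("Constructed MFP", private))
    return buf.getvalue()


if __name__ == "__main__":
    for part, printer, pins in audit_xlsx(build_sample_xlsx()):
        print(f"{part}: printer={printer!r} pin_candidates={pins}")
```

Run it against real workbooks by passing the file bytes to audit_xlsx; a document with several printer-settings parts (one per sheet with its own page setup) yields one finding per part. The fix on the user side is the one the thread implies: clear the saved printer settings, or re-save through a driver that does not persist the PIN, before the file goes anywhere shared.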
Re: [Full-disclosure] Harvard.edu LFI
On Sun, 30 Jan 2011 19:22:45 -0500 Hack Talk hacktalkb...@gmail.com wrote:
Hey,

I've tried reporting issues to Harvard University tons of times in the past but they rarely respond and even more rarely commend researchers for finding vulnerabilities so I decided that full-disclosure was the way to get Harvard off of their crimson asses and patch this vulnerability.

PoC link: http://www.hcs.harvard.edu/~chtnasp/index.php?page=../../../../../../../../../../../../../../../../../../../../../etc/passwd

Looks like it was fixed.
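An added example (not Harvard's code and not from the post) of the two halves of the report above: how an include driven by `page=` walks out of its root when the value is joined straight onto the path, what the allow-list plus realpath containment fix looks like, and a check that flags traversal attempts in access-log lines, including the double-encoded form. The include root and the log lines are constructed; the vulnerable script on hcs.harvard.edu is not on the page, so include_path_vulnerable only models the behaviour the PoC URL demonstrates.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical include root, standing in for the directory index.php includes pages from.
PAGES_DIR = "/srv/www/pages"
ALLOWED_PAGES = {"home", "about", "contact"}


def include_path_vulnerable(page):
    """What include($_GET['page']) ends up opening when the value is joined onto the root."""
    # os.path.join drops PAGES_DIR entirely if `page` is absolute, and normpath folds the
    # ../ segments away, so page=/etc/passwd and the long ../ chain in the PoC both escape.
    return os.path.normpath(os.path.join(PAGES_DIR, page))


def resolve_page_fixed(page):
    """Allow-list the identifier, then prove the resolved path is still under the root."""
    if not re.fullmatch(r"[a-z0-9_-]{1,32}", page) or page not in ALLOWED_PAGES:
        return None
    root = os.path.realpath(PAGES_DIR)
    path = os.path.realpath(os.path.join(root, page + ".php"))
    if os.path.commonpath([root, path]) != root:   # belt and braces: symlinks, odd names
        return None
    return path


# Detection side: parent-dir segments, null bytes and absolute paths in the `page` value.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|\x00|^/|^[a-zA-Z]:\\)")


def is_traversal_attempt(url):
    """True if the `page` parameter tries to leave the include root, after double-decoding."""
    raw = parse_qs(urlsplit(url).query, keep_blank_values=True).get("page", [""])[0]
    decoded = unquote(unquote(raw))   # parse_qs decoded once; catch %252e%252e too
    return bool(TRAVERSAL.search(decoded))


# Constructed access-log lines (not from the Harvard server), combined log format.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jan/2011:19:20:01 -0500] "GET /~user/index.php?page=home HTTP/1.1" 200 512
203.0.113.7 - - [30/Jan/2011:19:22:45 -0500] "GET /~user/index.php?page=../../../../../../etc/passwd HTTP/1.1" 200 1983
198.51.100.9 - - [30/Jan/2011:19:23:10 -0500] "GET /~user/index.php?page=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1983
"""

LOG_RE = re.compile(r'"GET (\S+) HTTP/')


def suspicious_requests(log_text):
    """Request targets in the log whose page parameter looks like a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and is_traversal_attempt(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    print(include_path_vulnerable("../../../../../../../../etc/passwd"))
    print(resolve_page_fixed("home"), resolve_page_fixed("../../etc/passwd"))
    for target in suspicious_requests(SAMPLE_LOG):
        print("traversal attempt:", target)
```

The allow-list is the actual fix; the realpath check only guards against the allow-list being fed something it should not contain later. Note the 200 status on the constructed traversal lines: a successful LFI does not look like an error in the log, which is why the detection keys on the parameter and not on the response code.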
Re: [Full-disclosure] Harvard.edu LFI
On 1/31/2011 12:39 PM, peter wrote:
/../../../../../../../../../../../etc/passwd Looks like it was fixed.

fixed here too, check your browser cache
Re: [Full-disclosure] Harvard.edu LFI
Yup fixed. Can confirm that it was showing as vuln earlier tho.

On Mon, Jan 31, 2011 at 5:51 PM, Andrew Kirch trel...@trelane.net wrote:
On 1/31/2011 12:39 PM, peter wrote:
/../../../../../../../../../../../etc/passwd Looks like it was fixed.

fixed here too, check your browser cache
Re: [Full-disclosure] Harvard.edu LFI
Well that was fast,

As some proof here's a screenshot of the /etc/passwd file: http://i.imgur.com/HKA51.png

Luis Santana - Security+ Administrator - http://hacktalk.net
HackTalk Security - Security From The Underground
[Full-disclosure] ZDI-11-034: HP OpenView Performance Insight Server Backdoor Account Code Execution Vulnerability
ZDI-11-034: HP OpenView Performance Insight Server Backdoor Account Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-034
January 31, 2011

-- CVE ID:
CVE-2011-0276

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard OpenView Performance Insight

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 9256. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard OpenView Performance Insight Server. Authentication is not required to exploit this vulnerability.

The specific vulnerability is due to a hidden account present within the com.trinagy.security.XMLUserManager Java class. Using this account a malicious user can access the com.trinagy.servlet.HelpManagerServlet class. This is defined within the piweb.jar file installed with Performance Insight. This class exposes a doPost() method which an attacker can use to upload malicious files to the server. Accessing these files can then lead to arbitrary code execution under the context of the SYSTEM user.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at: http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02695453

-- Disclosure Timeline:
2009-10-27 - Vulnerability reported to vendor
2011-01-31 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Stephen Fewer of Harmony Security (www.harmonysecurity.com)

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter: http://twitter.com/thezdi
[Full-disclosure] ZDI-11-034: HP OpenView Performance Insight Server Backdoor Account Code Execution Vulnerability
ZDI-11-034: HP OpenView Performance Insight Server Backdoor Account Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-034
January 31, 2011

-- CVE ID:
CVE-2011-0276

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard OpenView Performance Insight

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 9256. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard OpenView Performance Insight Server. Authentication is not required to exploit this vulnerability.

The specific vulnerability is due to a hidden account present within the com.trinagy.security.XMLUserManager Java class. Using this account a malicious user can access the com.trinagy.servlet.HelpManagerServlet class. This is defined within the piweb.jar file installed with Performance Insight. This class exposes a doPost() method which an attacker can use to upload malicious files to the server. Accessing these files can then lead to arbitrary code execution under the context of the SYSTEM user.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at:
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02695453

-- Disclosure Timeline:
2009-10-27 - Vulnerability reported to vendor
2011-01-31 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Stephen Fewer of Harmony Security (www.harmonysecurity.com)

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter: http://twitter.com/thezdi
[Full-disclosure] ZDI-11-035: IBM DB2 db2dasrrm validateUser Remote Code Execution Vulnerability
ZDI-11-035: IBM DB2 db2dasrrm validateUser Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-035
January 31, 2011

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
IBM

-- Affected Products:
IBM DB2 Universal Database

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM DB2. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the db2dasrrm process responsible for handling queries to the com.ibm.db2.das.core.DasSysCmd function. While processing a request, the username supplied is copied into a fixed-length stack buffer. By providing a large enough string the copy operation can overflow leading to remote code execution.

-- Vendor Response:
IBM states:
v9.1 fp10 IC69986 https://www-304.ibm.com/support/entdocview.wss?uid=swg1IC66811
v9.5 fp6 IC70538 https://www-304.ibm.com/support/entdocview.wss?uid=swg1IC70538
v9.7 fp3 IC70539 https://www-304.ibm.com/support/entdocview.wss?uid=swg1IC70539

-- Disclosure Timeline:
2010-06-30 - Vulnerability reported to vendor
2011-01-31 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Intevydis http://intevydis.com

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter: http://twitter.com/thezdi
[Full-disclosure] ZDI-11-036: IBM DB2 db2dasrrm receiveDASMessage Remote Code Execution Vulnerability
ZDI-11-036: IBM DB2 db2dasrrm receiveDASMessage Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-036
January 31, 2011

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
IBM

-- Affected Products:
IBM DB2 Universal Database

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM DB2. Authentication is not required to exploit this vulnerability.

The flaw exists within the db2dasrrm component which listens by default on TCP port 524. When allocating a buffer within receiveDASMessage a user supplied length is used as a parameter to malloc(). This buffer is later copied into without any bounds checking and can be made to overflow. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the das user.

-- Vendor Response:
IBM states:
v9.1 fp10 IC71203 https://www-304.ibm.com/support/entdocview.wss?uid=swg1IC71203
v9.5 fp7 IC72028 https://www-304.ibm.com/support/entdocview.wss?uid=swg1IC72028
v9.7 fp4 IC72029 https://www-304.ibm.com/support/entdocview.wss?uid=swg1IC72029

-- Disclosure Timeline:
2010-08-25 - Vulnerability reported to vendor
2011-01-31 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter: http://twitter.com/thezdi
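The two DB2 advisories above (ZDI-11-035 and ZDI-11-036) describe the same family of defect from two angles: a username copied into a fixed-length stack buffer, and a sender-chosen length handed to malloc() and then copied into without checking it against the data actually received. As an added example, not IBM's code and not taken from either advisory, the C below shows how a length-prefixed message reader and a bounded username copy are written so that neither pattern can overflow. The wire format (4-byte big-endian body length followed by the body), the 32-byte username limit and the 4096-byte message cap are constructed assumptions for illustration; the real DAS protocol is not modelled.

```c
/* Added example: hardened message reader and bounded username copy.
 * Wire format, sizes and sample packets are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define USERNAME_MAX 32     /* assumed fixed buffer size for a username */
#define MSG_MAX      4096   /* assumed upper bound for one message body */

struct msg {
    uint32_t body_len;
    uint8_t *body;          /* heap-allocated, exactly body_len bytes */
};

/* The unsafe shape described in ZDI-11-036, kept as a comment only:
 *     body = malloc(hdr_len);              // size chosen by the sender
 *     memcpy(body, pkt + 4, pkt_len - 4);  // copy size chosen separately
 * The allocation and the copy are sized from two different sources, so a
 * small hdr_len with a larger packet writes past the end of body. */

/* Parse one packet. Returns 0 on success (caller frees out->body), -1 on
 * any inconsistency between the claimed length and the bytes received. */
int read_message(const uint8_t *pkt, size_t pkt_len, struct msg *out)
{
    if (pkt == NULL || out == NULL || pkt_len < 4)
        return -1;
    uint32_t hdr_len = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16)
                     | ((uint32_t)pkt[2] << 8)  |  (uint32_t)pkt[3];
    /* Bound the claim and require it to match what actually arrived. */
    if (hdr_len > MSG_MAX || hdr_len != pkt_len - 4)
        return -1;
    uint8_t *body = malloc(hdr_len ? hdr_len : 1);
    if (body == NULL)
        return -1;
    memcpy(body, pkt + 4, hdr_len);     /* copy exactly the validated length */
    out->body_len = hdr_len;
    out->body = body;
    return 0;
}

/* Bounded copy into a fixed-size buffer (the ZDI-11-035 shape). Over-long
 * input is rejected rather than truncated, so it can neither overflow nor
 * silently turn into a different, shorter name. Returns 0 or -1. */
int copy_username(char dst[USERNAME_MAX], const char *src)
{
    size_t n = 0;
    while (n < USERNAME_MAX && src[n] != '\0')
        n++;
    if (n == USERNAME_MAX)              /* no terminator within the limit */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Helper for the constructed demonstrations below. */
static int check_packet(const uint8_t *pkt, size_t n)
{
    struct msg m;
    int rc = read_message(pkt, n, &m);
    if (rc == 0)
        free(m.body);
    return rc;
}

int demo_consistent(void)               /* header 5, body "hello" -> 0 */
{
    static const uint8_t pkt[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
    return check_packet(pkt, sizeof pkt);
}

int demo_claims_less_than_sent(void)    /* header 1, 3 bytes sent -> -1 */
{
    static const uint8_t pkt[] = { 0, 0, 0, 1, 'a', 'b', 'c' };
    return check_packet(pkt, sizeof pkt);
}

int demo_claims_more_than_sent(void)    /* header 16, 2 bytes sent -> -1 */
{
    static const uint8_t pkt[] = { 0, 0, 0, 16, 'a', 'b' };
    return check_packet(pkt, sizeof pkt);
}

int demo_huge_claim(void)               /* header 0xFFFFFFFF -> -1 */
{
    static const uint8_t pkt[] = { 0xFF, 0xFF, 0xFF, 0xFF };
    return check_packet(pkt, sizeof pkt);
}

int demo_username_ok(void)              /* short name -> 0 */
{
    char buf[USERNAME_MAX];
    return copy_username(buf, "db2admin");
}

int demo_username_too_long(void)        /* 39 x 'A' -> -1 */
{
    char buf[USERNAME_MAX];
    char name[USERNAME_MAX + 8];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return copy_username(buf, name);
}

int main(void)
{
    printf("consistent packet      : %d\n", demo_consistent());
    printf("claims less than sent  : %d\n", demo_claims_less_than_sent());
    printf("claims more than sent  : %d\n", demo_claims_more_than_sent());
    printf("huge claim             : %d\n", demo_huge_claim());
    printf("username ok            : %d\n", demo_username_ok());
    printf("username too long      : %d\n", demo_username_too_long());
    return 0;
}
```

The design point is that the number used for the allocation and the number used for the copy come from one validated value, and that a fixed-size destination decides the outcome, not the attacker-supplied source length. The "claims less than sent" case is the one the receiveDASMessage description corresponds to: a small advertised length with a larger payload behind it.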
[Full-disclosure] ZDI-11-037: Symantec IM Manager Administrative Interface IMAdminSchedTask.asp Eval Code Injection Remote Code Execution Vulnerability
ZDI-11-037: Symantec IM Manager Administrative Interface IMAdminSchedTask.asp Eval Code Injection Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-037
January 31, 2011

-- CVE ID:
CVE-2010-3719

-- CVSS:
8.5, (AV:N/AC:M/Au:S/C:C/I:C/A:C)

-- Affected Vendors:
Symantec

-- Affected Products:
Symantec IM Manager

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10776. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Symantec IM Manager. Authentication is required to exploit this vulnerability in that a logged in user must be coerced into visiting a malicious link.

The specific flaw exists within the ScheduleTask method exposed by the IMAdminSchedTask.asp page hosted on the web interface. This function does not properly sanitize user input from a POST variable before passing it to an eval call. An attacker can abuse this to inject and execute arbitrary ASP under the context of the user visiting the malicious link.

-- Vendor Response:
Symantec has issued an update to correct this vulnerability. More details can be found at:
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110131_00

-- Disclosure Timeline:
2010-10-12 - Vulnerability reported to vendor
2011-01-31 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Andrea Micalizzi aka rgod

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter: http://twitter.com/thezdi
Re: [Full-disclosure] Vulnerability discloses PIN used in Microsoft Excel secure printing
I assume it is embedded so that cancelled or queued jobs can still require a PIN. You can't have one job pause all other jobs in the queue, so it would need some way of continuing from bypass.

The whole vulnerability angle is pretty lame. How it works on our Xerox printers is you hit a button to pull up the jobs and the secure ones are held (in memory, on the printer) until the user enters the same code embedded in the job. The primary purpose is to target the resistance against departmental printers under the privacy angle. Jobs that don't have this tag print FIFO (secure jobs are a separate queue internally). The PIN is just an attribute sent by the postscript driver and embedded in the job.

I have seen print drivers and hardware that do operate in a secure manner (we have ID printers that do this), but IMHO that's more for license compliance than actual security of the information.

The fact that Excel stores it as a printing default is interesting, but hardly a vulnerability. If you have access to the document to see the printing PIN in metadata, you obviously can read the document itself... It'd be like saying OMG! Excel remembers what size paper I like to use.

One could argue the whole creatures of habit aspect around the PIN (dammit, now I need to change my luggage), but the whole secure print thing is sort of a misnomer and more of a marketing trick (internally and externally) than anything else.

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] [CORE-2010-1001] Cisco WebEx .atp and .wrf Overflow Vulnerabilities
Gotta love the team name ;)

http://www.goear.com/listen/570f6b5/debede-sumo

On Mon, Jan 31, 2011 at 10:17 PM, CORE Security Technologies Advisories advisor...@coresecurity.com wrote:
> 7. *Credits*
> These vulnerabilities were discovered and researched by Federico Muttis, Sebastian Tello and Manuel Muradas from Core Security Technologies during Bugweek 2010 as part of the Cisco Baby Cisco! team [2]. The publication of this advisory was coordinated by Pedro Varangot.

--
“My daughter was asked by a little old lady in a London hotel restaurant what her daddy did - she answered, ‘He’s a pirate.’ I was very proud of that answer.” - Johnny Depp
[Full-disclosure] Drupal Panels 5.x-1.2 XSS Vulnerability
Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Panels module (http://drupal.org/project/panels) allows a site administrator to create customized layouts for multiple uses. At its core it is a drag and drop content manager that lets you visually design a layout and place content within that layout. Unfortunately the Panels module contains an arbitrary HTML injection vulnerability (also known as cross site scripting, or XSS) due to the fact that it fails to sanitize div classes and id specifications for panels before display.

Systems affected:
Drupal 5.21 with Panels 5.x-1.2 was tested and shown to be vulnerable.

Impact:
User could inject arbitrary scripts into pages affecting site users. This could result in administrative account compromise leading to web server process compromise. A more likely scenario would be for an attacker to inject hidden content (such as iframes, applets, or embedded objects) that would attack client browsers in an attempt to compromise site users' machines. This vulnerability could also be used to launch cross site request forgery (XSRF) attacks against the site that could have other unexpected consequences.

Mitigating factors:
In order to exploit this vulnerability the attacker must have credentials to an authorized account that has been assigned the 'use page manager' and 'administer advanced pane settings' permissions. This could be accomplished via social engineering, brute force password guessing, or abuse of legitimate credentials.

Proof of concept:
1. Install Drupal 5, Panels 5.x-1.2 and Ctools module (a prerequisite)
2. Enable the Panels module and the page manager in Ctools from ?q=/admin/build/modules
3. Administer panels from ?q=/admin/build/panels and click on the 'Panel page' link on the left
4. Check 'Make this your site home page' and fill in arbitrary values for the rest
5. In the resulting screen (?q=admin/build/pages/add/page-[page_name]/next) select 'Flexible' and 'Builders' from the Category drop down
6. Click continue
7. Enter arbitrary values in the resulting form
8. Click finish then 'Update and save'
9. In the Panel Content designer (?q=admin/build/pages/nojs/operation/page-[page_name]/handlers/page_[page_name]_panel_context/content) click the gear in the 'Center' region
10. Select 'Add content'
11. Select 'Existing node' and enter the nid of an existing node.
12. Click the gear to the right of the header in the new box preview of the node
13. Select 'CSS Properties'
14. In the shadow box that pops up enter '<script>alert('xss1');</script><div id=' for the 'CSS ID'
15. Enter '<script>alert('xss1');</script><div id=' for the 'CSS class'
16. Click 'Update and preview' to observe the Javascript alerts
17. Click 'Save' to store these values so they are displayed on the home page

Patch:
Applying the following patch mitigates this issue in version 5.x-1.2

- --- modules/panels/content_types/custom.inc 2007-03-15 19:13:41.0 -0400 +++ modules/panels/content_types/custom.inc 2011-01-14 12:04:23.371814132 -0500
@@ -16,8 +16,8 @@ function panels_custom_panels_content_ty */ function panels_content_custom($conf) { $title = filter_xss_admin($conf['title']); - - $css_id = filter_xss_admin($conf['css_id']); - - $css_class = filter_xss_admin($conf['css_class']); + $css_id = str_replace('', '', filter_xss_admin($conf['css_id'])); + $css_class = str_replace('', '', filter_xss_admin($conf['css_class'])); $body = check_markup($conf['body'], $conf['format'], FALSE); return theme('panels_content_custom', $title, $body, $css_id, $css_class); }

Vendor Response:
Drupal security team no longer supports resolution of vulnerabilities in Drupal 5. Module maintainer notified in public forums.

Details of this vulnerability are also posted at http://www.madirish.net/?article=478

--
Justin Klein Keane
http://www.MadIrish.net

The digital signature on this e-mail may be confirmed using the PGP key located at: http://www.madirish.net/gpgkey
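Review bot: the two `+` lines replace the raw `filter_xss_admin()` result with `str_replace('', '', filter_xss_admin(...))`, but as printed the search string is empty, and PHP's str_replace with an empty needle returns the subject unchanged, so the patch shown here is a no-op; the character it was meant to strip appears to have been lost in transit (the PoC payloads on this page lost their angle brackets the same way), so the patch should be checked against the original before anyone applies it as printed. Independently of that, stripping one character from a CSS id or class is a blacklist that only defeats the payload shape in the PoC; since a valid id or class here needs nothing beyond letters, digits, hyphen and underscore, a whitelist check on input (or `check_plain()` at the point of output in the theme function) closes the whole class of injection rather than one variant.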
[Full-disclosure] Drupal Custom Pagers Module XSS
Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Custom Pagers module (http://drupal.org/project/custom_pagers) allows administrators to define context-sensitive previous/next pagers for any node type. The Custom Pagers module contains an arbitrary HTML injection vulnerability (also known as cross site scripting, or XSS) due to the fact that it fails to sanitize Custom Pagers names before display in the administrative back end interface.

Systems affected:
Drupal 5.21 with Custom Pagers 5.x-1.9, and Drupal 6.19 with Custom Pagers 6.x-1.0-beta2 were tested and shown to be vulnerable.

Impact:
User could inject arbitrary scripts into pages affecting site users. This could result in administrative account compromise leading to web server process compromise. A more likely scenario would be for an attacker to inject hidden content (such as iframes, applets, or embedded objects) that would attack client browsers in an attempt to compromise site users' machines. This vulnerability could also be used to launch cross site request forgery (XSRF) attacks against the site that could have other unexpected consequences.

Mitigating factors:
In order to exploit this vulnerability the attacker must have credentials to an authorized account that has been assigned the 'administer custom pagers' permission. This could be accomplished via social engineering, brute force password guessing, or abuse of legitimate credentials.

Proof of concept:
1. Install Drupal, and the Custom Pager module
2. Navigate to the Custom pagers administration page at ?q=admin/build/custom_pagers
3. Click the 'Add a new custom pager' link or go to ?q=admin/build/custom_pagers/add
4. For the 'Title' of the new page enter <script>alert('xss');</script>
5. Enter arbitrary values for the rest of the form and click the 'Submit' button
6. Observe the persistent XSS at ?q=admin/build/custom_pagers

Patch:
Applying the following patch mitigates this issue in version 5.x-1.9

- --- custom_pagers/custom_pagers.module2007-08-16 09:49:33.0 -0400 +++ custom_pagers/custom_pagers.module 2011-01-31 16:33:08.657233745 -0500 @@ -132,7 +132,7 @@ function custom_pagers_page() { $rows = array(); foreach ($pagers as $pager) { $row = array(); - -$row[] = $pager-title; +$row[] = check_plain($pager-title); $row[] = !empty($pager-list_php) ? t('PHP snippet') : $pager-view . t(' view'); $row[] = !empty($pager-visibility_php) ? t('PHP snippet') : $pager-node_type . t(' nodes'); $row[] = l(t('edit'), 'admin/build/custom_pagers/edit/' . $pager-pid);

Applying the following patch mitigates this issue in version 6.x-1.0-beta2

- --- custom_pagers/custom_pagers.admin.inc 2010-01-17 17:57:39.0 - -0500 +++ custom_pagers/custom_pagers.admin.inc 2011-01-31 16:36:10.967026063 - -0500
@@ -15,7 +15,7 @@ function custom_pagers_page() { $rows = array(); foreach ($pagers as $pager) { $row = array(); - -$row[] = $pager-title; +$row[] = check_plain($pager-title); $row[] = !empty($pager-list_php) ? t('PHP snippet') : t('%view_name view', array('%view_name' = $pager-view)); $row[] = !empty($pager-visibility_php) ? t('PHP snippet') : t('%node_type nodes', array('%node_type' = $pager-node_type)); $row[] = l(t('edit'), 'admin/build/custom_pagers/edit/' . $pager-pid);

Vendor Response:
Drupal security team no longer supports vulnerabilities in Drupal 5 and explicitly does not support resolution of vulnerabilities in modules designated alpha, beta, dev, or other testing release. Module maintainer notified in public forums.

Disclosure also posted at http://www.madirish.net/?article=479

--
Justin Klein Keane
http://www.MadIrish.net

The digital signature on this e-mail may be confirmed using the PGP key located at: http://www.madirish.net/gpgkey
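Review bot: in the 5.x hunk (custom_pagers.module, `@@ -132,7 +132,7 @@`), wrapping the title in `check_plain()` is the right fix for a value echoed into a table cell, but the unchanged context lines in the same hunk still concatenate `$pager-view . t(' view')` and `$pager-node_type . t(' nodes')` without escaping; if a view name or node type name can be set by anyone holding the same 'administer custom pagers' role, those columns need the same treatment, so either wrap them as well or record why they are trusted. Also, `$pager-title` as printed lacks the object operator and would parse as a subtraction; this looks like extraction damage rather than the author's code, and the `->` should be confirmed against the module source before the hunk is applied.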
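Review bot: in the 6.x hunk (custom_pagers.admin.inc, `@@ -15,7 +15,7 @@`) only the title column changes, which is consistent with the surrounding lines: the view and node type columns pass their values as `%view_name` and `%node_type` placeholders to t(), and Drupal 6 runs %-placeholders through its escaping helper, so the raw concatenation present in the 5.x branch is already gone here. Two things to check before merging: the same missing `->` in `$pager-title` appears in this hunk, and the change covers the listing page only, so the edit form and any other template that renders the pager title should be reviewed for the same omission rather than assumed fixed.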