[Full-disclosure] XSSer v1.5 -beta- aka "Swarm Edition!" released.

2011-02-23 Thread psy
Hi,

I am very happy to present a new version of *XSSer* (v1.5-beta-) - the
cross-site scripter framework.

Take a look at the XSSer website to see the new features implemented,
screenshots, documentation, etc...

http://xsser.sf.net

You can download the new code directly from here:

http://sourceforge.net/projects/xsser/files/xsser_1.5-1.tar.gz/download

There is one package pre-compiled for Ubuntu/Debian here:

http://xsser.sourceforge.net/xsser/xsser_1.5-1_all.deb.tar.gz

And here you have a video demonstration:

http://blip.tv/file/4806587/

"Remember, now mosquitos... are swarm!"

Happy cross hacking.

psy.



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Other recommended lists?

2011-02-23 Thread Pete Smith
Valdis, you're a troll... ;)

On 22 February 2011 09:25,  wrote:

> On Mon, 21 Feb 2011 16:21:47 -0300, Pablo Ximenes said:
>
> > I ask: Might calling someone a troll in an unsubstantiated fashion be
> > considered trolling?
>
> counter-trolling.  But it's been a while since we've seen a totally
> baseless
> accusation of trolling. ;)
>

[Full-disclosure] ZDI-11-093: CA Internet Security Suite HIPS XML Security Database Parser Class Remote Code Execution Vulnerability

2011-02-23 Thread ZDI Disclosures
ZDI-11-093: CA Internet Security Suite HIPS XML Security Database Parser Class 
Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-093

February 23, 2011

-- CVE ID:
CVE-2011-1036

-- CVSS:
9.3, (AV:N/AC:M/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
CA

-- Affected Products:
CA Internet Security Suite

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10848. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of CA Internet Security Suite 2010. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious page or open a malicious file.

The flaw exists within the XMLSecDB ActiveX control, which is installed
with the HIPSEngine component. The SetXml and Save methods are implemented
insecurely and can allow creation of an arbitrary file on the victim's
system. A remote attacker can exploit this vulnerability to execute
arbitrary code under the context of the user.

-- Vendor Response:
CA has issued an update to correct this vulnerability. More
details can be found at:

https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={53A608DF-BFDB-4AB3-A98F-E4BB6BC7A2F4}

-- Disclosure Timeline:
2010-08-25 - Vulnerability reported to vendor
2011-02-23 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Andrea Micalizzi aka rgod

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi



[Full-disclosure] ZDI-11-092: (0day) Cisco Secure Desktop CSDWebInstaller ActiveX Control Cleaner.cab Remote Code Execution Vulnerability

2011-02-23 Thread ZDI Disclosures
ZDI-11-092: (0day) Cisco Secure Desktop CSDWebInstaller ActiveX Control 
Cleaner.cab Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-092

February 23, 2011

-- CVE ID:
CVE-2011-0925

-- CVSS:
8.3, (AV:N/AC:M/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Cisco

-- Affected Products:
Cisco Secure Desktop

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8247. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Cisco Secure Desktop. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within CSDWebInstaller.ocx. The
CSDWebInstallerCtrl ActiveX control allows downloading and executing any
Cisco-signed executable files. By renaming a Cisco-signed executable
file to inst.exe and putting it on a webserver, an attacker can
subsequently exploit vulnerabilities in the Cisco-signed executable file
remotely.

-- Vendor Response:
February 23, 2011 - This vulnerability is being disclosed publicly without a
patch in accordance with the ZDI 180 day deadline.

-- Mitigations:
Cisco states that they will have a patch for this issue on March 31st, 2011. In
the meantime, we suggest users implement the mitigations below.

The killbit can be set on this control to disable scripting within Internet
Explorer by modifying the data value of the Compatibility Flags DWORD within the
following location in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\705EC6D4-B138-4079-A307-EF13E4889A82

If the Compatibility Flags value is set to 0x0400 the control can no longer
be instantiated inside the browser. For more information, please see:
http://support.microsoft.com/kb/240797

-- Disclosure Timeline:
2010-08-25 - Vulnerability reported to vendor
2011-02-23 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous



[Full-disclosure] ZDI-11-091: (0day) Cisco Secure Desktop CSDWebInstaller Remote Code Execution Vulnerability

2011-02-23 Thread ZDI Disclosures
ZDI-11-091: (0day) Cisco Secure Desktop CSDWebInstaller Remote Code Execution 
Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-091

February 23, 2011

-- CVE ID:
CVE-2011-0926

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Cisco

-- Affected Products:
Cisco Secure Desktop

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8247. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Cisco Secure Desktop. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the CSDWebInstaller.ocx ActiveX control. The
vulnerable Cisco-signed ActiveX control verifies the signing authority
names in the certificate chain but fails to properly verify the digital
signature of an executable file that is downloaded and executed by the
Cisco Secure Desktop installation process. A remote attacker can exploit
this vulnerability to execute arbitrary code under the context of the
browser.

-- Vendor Response:
February 23, 2011 - This vulnerability is being disclosed publicly without a
patch in accordance with the ZDI 180 day deadline.

-- Mitigations:
Cisco states that they will have a patch for this issue on March 31st, 2011. In
the meantime, we suggest users implement the mitigations below.

The killbit can be set on this control to disable scripting within Internet
Explorer by modifying the data value of the Compatibility Flags DWORD within the
following location in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\705EC6D4-B138-4079-A307-EF13E4889A82

If the Compatibility Flags value is set to 0x0400 the control can no longer
be instantiated inside the browser. For more information, please see:
http://support.microsoft.com/kb/240797

-- Disclosure Timeline:
2010-09-14 - Vulnerability reported to vendor
2011-02-23 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous



Re: [Full-disclosure] What the f*** is going on?

2011-02-23 Thread Michele Orru

Chris Evans
February 23, 2011 1:35 AM

> On Tue, Feb 22, 2011 at 2:42 PM, Michal Zalewski wrote:
>
> > > Also, I would say that even though randomly prodding exec arguments
> > > with As isn't so elite, the space of "the non-web" is much more deep
> > > and much more complex than the space of "the web"..
> >
> > I think that sentiment made sense 8-10 years ago, but today, it's
> > increasingly difficult to defend. I mean, we are at a point where
> > casual users can do without any "real" applications, beyond just
> > having a browser. And in terms of complexity, the browser itself is
> > approaching the kernel, and is growing more rapidly.
> >
> > Yes, web app vulnerabilities are easier to discover.
>
> Web app security is beginners' security -- surely everyone knows that?
>
> Those with talent graduate on to low-level vulns (mem corruptions,
> kernel vulns, etc).

Well even if I agree with you, I don't think guys like rsnake, grossman,
.mario, vela, etc. are not talented just because they mainly focus on
web app/client side security.

I'm the first one among many who want to learn RE and low level things,
but I think both of the sides are complex enough.

Isn't your colleague Michal more focused on web app security nowadays?

Cheers
antisnatchor

> Cheers
> Chris
>
> > That's partly because of horrible design decisions back in the 1990s,
> > and partly because we're dealing with greater diversity, more complex
> > interactions, and a much younger codebase. Plus, we had much less time
> > to develop systemic defenses.
> >
> > /mz

Charles Morris
February 22, 2011 10:44 PM

> Michal, your blog writeup does cut to the disheartening core of the
> issue, but as we all know large non-savvy organizations just eat that
> bravado and mystery up.
>
> Also, I would say that even though randomly prodding exec arguments
> with As isn't so elite, the space of "the non-web" is much more deep
> and much more complex than the space of "the web".. and the
> vulnerabilities are generally more interesting, generally more
> difficult to find, and generally more difficult to exploit. If we
> examine the speciali

[Full-disclosure] ZDI-11-090: Novell Netware RPC XNFS xdrDecodeString Remote Code Execution Vulnerability

2011-02-23 Thread ZDI Disclosures
ZDI-11-090: Novell Netware RPC XNFS xdrDecodeString Remote Code Execution 
Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-090

February 18, 2011

-- CVE ID:
CVE-2010-4227

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Novell

-- Affected Products:
Novell Netware

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10874. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell Netware. Authentication is not
required to exploit this vulnerability. 

The flaw exists within the XNFS.NLM component, which listens by default
on UDP port 1234. When handling an NFS RPC request, the
xdrDecodeString function uses a user-supplied length value to
null-terminate a string. This value can be signed, allowing the NULL byte
to be written at an arbitrary address. A remote attacker can exploit this
vulnerability to execute arbitrary code under the context of the system.

-- Vendor Response:
Novell has issued an update to correct this vulnerability. More
details can be found at:

http://download.novell.com/Download?buildid=1z3z-OsVCiE~

-- Disclosure Timeline:
2010-08-25 - Vulnerability reported to vendor
2011-02-18 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Francis Provencher for Protek Research Lab's

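The length-handling flaw described in this advisory, as an added illustration that is constructed example code and not Novell's XNFS.NLM source: a decoder that holds the XDR length in a signed int and checks only the upper bound accepts a negative length, while the hardened version keeps the length unsigned and bounds it by both the destination buffer and the payload actually present. The sample messages are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of the bug class in ZDI-11-090 (not the
 * XNFS.NLM source). An XDR string is a 4-byte big-endian length followed
 * by the bytes, padded to a multiple of 4. A decoder that holds the length
 * in a signed int and checks only the upper bound lets a negative length
 * through, so "out[len] = '\0'" lands far outside the buffer.
 */

/* Read a big-endian 32-bit value from the XDR stream. */
static uint32_t xdr_get_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * The flawed check: length treated as signed and compared only against the
 * destination capacity. Returns 1 when such a decoder would proceed to
 * write the terminator at out[len]. No write is performed here.
 */
int legacy_length_accepted(const uint8_t *msg, size_t msg_len, size_t out_cap)
{
    if (msg_len < 4)
        return 0;
    int32_t len = (int32_t)xdr_get_u32(msg);  /* 0xFFFFFFF0 becomes -16 */
    if (len >= (int32_t)out_cap)              /* negative values pass */
        return 0;
    return 1;
}

/*
 * Hardened decoder: the length stays unsigned, must leave room for the
 * terminator in out[], and must not exceed the payload actually present
 * (after XDR's 4-byte alignment). Returns the string length, or -1 if the
 * message is malformed.
 */
long xdr_decode_string(const uint8_t *msg, size_t msg_len,
                       char *out, size_t out_cap)
{
    if (msg_len < 4 || out_cap == 0)
        return -1;
    uint32_t len = xdr_get_u32(msg);

    if (len >= out_cap)                        /* no room for the NUL */
        return -1;
    size_t padded = ((size_t)len + 3) & ~(size_t)3;
    if (padded > msg_len - 4)                  /* claims bytes it lacks */
        return -1;

    memcpy(out, msg + 4, len);
    out[len] = '\0';                           /* index now provably < out_cap */
    return (long)len;
}

/* Constructed sample messages, not captured traffic. */
static const uint8_t good_msg[]  = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o', 0, 0, 0 };
static const uint8_t neg_msg[]   = { 0xFF, 0xFF, 0xFF, 0xF0, 'A', 'A', 'A', 'A' };
static const uint8_t big_msg[]   = { 0, 0, 0x10, 0x00, 'A', 'A', 'A', 'A' };
static const uint8_t short_msg[] = { 0, 0, 0, 8, 'h', 'i' };

int main(void)
{
    char out[64];
    long n = xdr_decode_string(good_msg, sizeof good_msg, out, sizeof out);
    printf("well-formed:      hardened=%ld (\"%s\")\n", n, out);
    printf("negative length:  legacy accepts=%d, hardened=%ld\n",
           legacy_length_accepted(neg_msg, sizeof neg_msg, sizeof out),
           xdr_decode_string(neg_msg, sizeof neg_msg, out, sizeof out));
    printf("oversized length: legacy accepts=%d, hardened=%ld\n",
           legacy_length_accepted(big_msg, sizeof big_msg, sizeof out),
           xdr_decode_string(big_msg, sizeof big_msg, out, sizeof out));
    printf("truncated body:   legacy accepts=%d, hardened=%ld\n",
           legacy_length_accepted(short_msg, sizeof short_msg, sizeof out),
           xdr_decode_string(short_msg, sizeof short_msg, out, sizeof out));
    return 0;
}
```

The legacy check rejects the obviously oversized length but accepts both the negative length and the truncated message, which is exactly the gap the signed comparison leaves open.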


Re: [Full-disclosure] Announcing NVD CVE parser for Ruby on Rails

2011-02-23 Thread Serkan Özkan
Hi,
If you don't want to maintain your own CVE database you can use
http://www.cvedetails.com/, someone (me) already maintains it for you. If
you also want to view full details of related OVAL definitions you can use
http://www.itsecdb.com/oval/

Regards
Serkan


On Tue, Feb 22, 2011 at 7:27 PM, Dominik Elsbroek <
dominik.elsbr...@gmail.com> wrote:

>  Hello list!
>
> I'd like to announce the public release of the FreeBSD licensed FIDIUS
> CVE-DB RubyGem.
>
> The FIDIUS CVE-DB gem is used to create and run your own vulnerability
> database. It uses the National Vulnerability Database to gather
> vulnerability entries which are based on the Common Vulnerabilities
> and Exposures (CVE) identifiers.
>
> Therefore it includes rake tasks to download and parse XML files provided
> by the NVD, to store and update them in your personal database.
> Furthermore it includes ActiveRecord models, migrations and example
> database configuration to store vulnerabilities easily.
>
> This gem is developed in the context of the students' project "FIDIUS"
> at the Universitaet Bremen, and is available here:
>
>https://rubygems.org/gems/fidius-cvedb
>https://github.com/fidius/cvedb
>
> For more information about FIDIUS visit
>
>http://fidius.me/en/news/release-fidius-cvedb
>
> Cheers
>

[Full-disclosure] Announcing NVD CVE parser for Ruby on Rails

2011-02-23 Thread Dominik Elsbroek
Hello list!

I'd like to announce the public release of the FreeBSD licensed FIDIUS
CVE-DB RubyGem.

The FIDIUS CVE-DB gem is used to create and run your own vulnerability
database. It uses the National Vulnerability Database to gather
vulnerability entries which are based on the Common Vulnerabilities
and Exposures (CVE) identifiers.

Therefore it includes rake tasks to download and parse XML files provided
by the NVD, to store and update them in your personal database.
Furthermore it includes ActiveRecord models, migrations and example
database configuration to store vulnerabilities easily.

This gem is developed in the context of the students' project "FIDIUS"
at the Universitaet Bremen, and is available here:

   https://rubygems.org/gems/fidius-cvedb
   https://github.com/fidius/cvedb

For more information about FIDIUS visit

   http://fidius.me/en/news/release-fidius-cvedb

Cheers



[Full-disclosure] [PRE-SA-2011-01] Multiple Linux kernel vulnerabilities in partition handling code of LDM and MAC partition tables

2011-02-23 Thread Timo Warns
# PRE-CERT Security Advisory #

* Advisory: PRE-SA-2011-01
* Released on: 23 Feb 2011
* Last updated on: 23 Feb 2011
* Affected product: Linux Kernel 2.4 and 2.6
* Impact: - privilege escalation
  - denial-of-service
  - disclosure of sensitive information
* Origin: storage devices
* CVE Identifier: - CVE-2011-1010

## Summary ##

Timo Warns (PRESENSE Technologies GmbH) reported some vulnerabilities in
the Linux kernel that may lead to privilege escalation,
denial-of-service, or information leakage via corrupted partition
tables. Exploiting these vulnerabilities has been demonstrated by a "USB
Stick of Death" that crashes the Linux kernel upon connecting the stick.

The kernel automatically evaluates partition tables of storage devices.
Note that this happens independently of whether auto-mounting is enabled
or not. The code for evaluating MAC and LDM partition tables contains the
following vulnerabilities:

* CVE-2011-1010
  A buffer overflow bug in mac_partition in fs/partitions/mac.c (for MAC
  partition tables) can be used to cause a denial-of-service (kernel panic)
  via a corrupted MAC partition table.

  For a patch, see
  http://git.kernel.org/linus/fa7ea87a057958a8b7926c1a60a3ca6d696328ed

* A division-by-zero bug in ldm_get_vblks in fs/partitions/ldm.c (for
  LDM partition tables) can be used to cause a denial-of-service (kernel
  oops) via a corrupted LDM partition table.

  For a patch, see
  http://www.spinics.net/lists/mm-commits/msg82429.html

* A buffer overflow bug in ldm_frag_add in fs/partitions/ldm.c (for LDM
  partition tables) may make it possible to escalate privileges or to
  disclose sensitive information via a corrupted LDM partition table.

## Workaround ##

Compile and use a kernel that does not evaluate MAC and LDM partition
tables. The corresponding configuration keys are CONFIG_MAC_PARTITION
and CONFIG_LDM_PARTITION.

## References ##

https://bugzilla.redhat.com/show_bug.cgi?id=679282

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2011-01.txt

## Contact ##

PRE-CERT can be reached under prec...@pre-secure.de. For PGP
key information, refer to http://www.pre-cert.de



Re: [Full-disclosure] Pen-Testing Companies in Quebec

2011-02-23 Thread Pierre-Guy Lavoie
> just make sure you dont hire my good friends @sekcore :PpPp
>
> our local media whore pierre-guy lavoie ...
>
> http://www.cbc.ca/news/story/2000/03/01/hacker000301.html
>
> "A 22-year-old Quebec City man has been convicted in a computer
> hacker case.
> Pierre-Guy Lavoie was sentenced to a year of community service and
> a year of probation for using computer passwords to commit computer
> crimes.
> Lavoie and two friends discovered passwords to hundreds of Internet
> sites, including the Pentagon, the FBI and such companies as Bell
> Canada and the National Bank of Canada.
> They then posted the passwords and access codes on a site called
> Corruption Addicts, and invited people to use them."
>
> and his "ethical hacker" buddy marek roy ...
>
> http://google.com/support/forum/p/gmail/thread?tid=00c1d20479653e47
>
> "Yesterday I wasn't able to access to my email. I emailed google
> and requested to retrieve my password.
> Today I gain back my access to my email, after Log in I checked my
> email details and found that there were several IP addresses from
> Canada which log in to my account , the IPs are as the following :
> Canada (96.21.193.207)
> Canada (24.37.115.136)
> From my inbox I can see that the hacker attempt to access one's
> Skype account and I found he is using the following email address
> mroy at sekcore.com
> From google I can see this Hacker known as Marek Roy from Canada
> and work at www.sekcore.com"
>
> lulz :D
>
> old habits die hard, heh.

Dear “Bob” aka corruption.addicts () hushmail com,

I am sure you are full of good intentions. Feel free to use our contact
details for any inquiries. It would be a pleasure for us to invite you
somewhere for dinner.

And if you need more clarification on the current matter, we will be glad to
help you understand why we put REAL NAMES while performing black box
penetration testing. I am sure you might have missed this part during one of
our training sessions.

Have a nice day.

Regards,

Pierre-Guy

-

Pierre-Guy Lavoie

Information security consultant

pglav...@sekcore.com

(418)265-4225



Re: [Full-disclosure] What the f*** is going on?

2011-02-23 Thread Pietro de Medici
Michal hit the nail on its head. The news isn't what some script kiddie
ring did to some supposedly infosec website as much as what the whole
industry is leading to.

So the public thinks the bad guys go around in suits and neckties with the
intent of "breaking the net" when the truth is there's a huge broken mess
out there.

Even worse, those paid to fix it do not give a hoot and often times make it
worse (re: HBGary).

The media of course follows the more sensational news, some supposed
vigilantes (correction: vandals) attacking some sites.

Well, we've been saying the net's broken for how long, 10, 30 years? News is
kinda getting old. And where are we now?

Salute,
Pietro DeMedici




On Tue, Feb 22, 2011 at 11:42 PM, Michal Zalewski wrote:

> > Also, I would say that even though randomly prodding exec arguments
> > with As isn't so elite, the space of "the non-web" is much more deep
> > and much more complex than the space of "the web"..
>
> I think that sentiment made sense 8-10 years ago, but today, it's
> increasingly difficult to defend. I mean, we are at a point where
> casual users can do without any "real" applications, beyond just
> having a browser. And in terms of complexity, the browser itself is
> approaching the kernel, and is growing more rapidly.
>
> Yes, web app vulnerabilities are easier to discover. That's partly
> because of horrible design decisions back in the 1990s, and partly
> because we're dealing with greater diversity, more complex
> interactions, and a much younger codebase. Plus, we had much less time
> to develop systemic defenses.
>
> /mz
>

Re: [Full-disclosure] what to buy?

2011-02-23 Thread Brandon McGinty
Something about that sounds wrong.
Anyone posting from your company's connection will be sending out their
IP addresses with each web request, be it to a proxy or a third party.
If you wanted, for whatever reason, to route your traffic through a web
proxy, so that your company's main address isn't shown, something like
Squid on an entirely different IP range might be useful.
As for MAC addresses, anyone sniffing your LAN or WLAN can find those
out. If this happens, you've got more than just a small problem, however.
I'm still not sure what your aim is here, though.
To stop general data leakage, you could look into OpenDLP, though this
would only work for your Windows workstations.
If you wanted to add a Mac component, you could code it, if you have
experience in programming.
http://code.google.com/p/opendlp
List, please correct me if I'm off base with any of this.

Sincerely,
Brandon McGinty


On 2/21/2011 11:47 PM, Just1n T1mberlake wrote:
> 
> How's it going security gurus.
>  
> My job is now taking on the security responsibilities for my network. We
> have nearly 250 PCs on the network and there's about 30 Macs too (ugh). I
> was just doing the network before this but the security guy got fired on
> the weekend after getting caught with drugs.
>  
> My boss wants to stop people being able to post their IP number on the
> internet. I was telling him that you have to worry about the MAC numbers
> getting posted too, otherwise you can get hacked using them if the
> hackers get those numbers. Most people don't really know that's how you
> can get hacked on facebook or some of the forums (especially php forums).
>  
> If I wanted to buy something to block these getting posted, what would
> be the best? Or should I look into doing it myself with linux?? Any good
> books you think I should read about this?
>  
> Thanks in advance,
> Justin
> 
> 
> 


[Full-disclosure] Released New Software - Mail Password Decryptor

2011-02-23 Thread Nagareshwar Talekar
Hey guys,

MailPasswordDecryptor is FREE software to instantly recover mail
account passwords from popular email clients and other associated
applications. You can recover your lost password for email accounts
like Gmail, Yahoo Mail, Hotmail or Windows Mail from email
applications such as Microsoft Outlook, Thunderbird, GTalk etc.

MailPasswordDecryptor supports recovery of mail account passwords from
the following email clients and other associated applications:

* Microsoft Outlook Express
* Microsoft Outlook 2002/XP/2003/2007/2010
* Mozilla Thunderbird
* Windows Live Messenger (including latest version 2011)
* MSN Messenger
* GTalk
* GMail Notifier
* PaltalkScene IM
* Pidgin (Formerly Gaim) Messenger
* Miranda Messenger

It will be useful for penetration testers as well as forensics folks!

Check it out -  http://passwordforensics.com/mail-password-decryptor.php


Cheers
Nagareshwar
http://securityxploded.com
http://passwordforensics.com



[Full-disclosure] [USN-1070-1] Bind vulnerability

2011-02-23 Thread Marc Deslauriers
===
Ubuntu Security Notice USN-1070-1 February 23, 2011
bind9 vulnerability
CVE-2011-0414
===

A security issue affects the following Ubuntu releases:

Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 10.10:
  libdns66                        1:9.7.1.dfsg.P2-2ubuntu0.2

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that Bind incorrectly handled IXFR transfers and dynamic
updates while under heavy load when used as an authoritative server. A
remote attacker could use this flaw to cause Bind to stop responding,
resulting in a denial of service.


Updated packages for Ubuntu 10.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9_9.7.1.dfsg.P2-2ubuntu0.2.debian.tar.gz
  Size/MD5:   633590 e359965f4d7402e02408085af4a4cd32

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9_9.7.1.dfsg.P2-2ubuntu0.2.dsc
  Size/MD5: 2292 423f576862de791b97edf37e95750309

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9_9.7.1.dfsg.P2.orig.tar.gz
  Size/MD5:  6104039 a09aab2a215166e37b741d78d776dfbc

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9-doc_9.7.1.dfsg.P2-2ubuntu0.2_all.deb
  Size/MD5:   330324 8286b192fe1a5df9988c972c93ceb026

http://security.ubuntu.com/ubuntu/pool/universe/b/bind9/host_9.7.1.dfsg.P2-2ubuntu0.2_all.deb
  Size/MD5:17476 1792e7eaad32245086d117c710439e44

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9-host_9.7.1.dfsg.P2-2ubuntu0.2_amd64.deb
  Size/MD5:69730 1c8a0a8b98b217eb83310d1821b1cc1c

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9_9.7.1.dfsg.P2-2ubuntu0.2_amd64.deb
  Size/MD5:   349738 9037f4a622bb56df6a32d6fadce4a73e

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9utils_9.7.1.dfsg.P2-2ubuntu0.2_amd64.deb
  Size/MD5:   120940 ef17428138445b9369d12d2fef74eba7

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/dnsutils_9.7.1.dfsg.P2-2ubuntu0.2_amd64.deb
  Size/MD5:   161304 f7840374de1936fdca7056c0d20449b1

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libbind-dev_9.7.1.dfsg.P2-2ubuntu0.2_amd64.deb
  Size/MD5:  1493092 5eab9a20c300e9e6ac98ab1a99de51f9

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libbind9-60_9.7.1.dfsg.P2-2ubuntu0.2_amd64.deb
  Size/MD5:37084 e0017c6639f8909bfe7e9b77c5c050d7

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libdns66_9.7.1.dfsg.P2-2ubuntu0.2_amd64.deb
  Size/MD5:   696296 ea1473ba2cad636caaed3a3b65360469

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libisc60_9.7.1.dfsg.P2-2ubuntu0.2_amd64.deb
  Size/MD5:   169634 4a98361ade04085c3de155b52ac8481d

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libisccc60_9.7.1.dfsg.P2-2ubuntu0.2_amd64.deb
  Size/MD5:31444 12c3dcc49f830df8c120f2b6ae61f827

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libisccfg60_9.7.1.dfsg.P2-2ubuntu0.2_amd64.deb
  Size/MD5:54622 49e4a44091a9e4358f8e6d6e8a3ab8cc

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/liblwres60_9.7.1.dfsg.P2-2ubuntu0.2_amd64.deb
  Size/MD5:50068 0ec154c84f2ac697534443cae6525865

http://security.ubuntu.com/ubuntu/pool/universe/b/bind9/lwresd_9.7.1.dfsg.P2-2ubuntu0.2_amd64.deb
  Size/MD5:   234890 45bbf3f44f097404731d6ae9f391dc30

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9-host_9.7.1.dfsg.P2-2ubuntu0.2_i386.deb
  Size/MD5:66282 7729872a7cc4d6a447dc13b7f6563609

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9_9.7.1.dfsg.P2-2ubuntu0.2_i386.deb
  Size/MD5:   321106 56d1249fd1957643a45ceba86f40d8e4

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/bind9utils_9.7.1.dfsg.P2-2ubuntu0.2_i386.deb
  Size/MD5:   111704 31cce7e333e0a7872b4d5d12d69bcf72

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/dnsutils_9.7.1.dfsg.P2-2ubuntu0.2_i386.deb
  Size/MD5:   150772 09938abe28594324b475749255eb4ea8

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libbind-dev_9.7.1.dfsg.P2-2ubuntu0.2_i386.deb
  Size/MD5:  1417262 dbf1cd20c2b4b10208d7eb9c751c1f1e

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libbind9-60_9.7.1.dfsg.P2-2ubuntu0.2_i386.deb
  Size/MD5:37320 7b2e67dcec38c8af0d57a114562b7144

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libdns66_9.7.1.dfsg.P2-2ubuntu0.2_i386.deb
  Size/MD5:   654184 0729856ebed628cfbe7cc5d338552bba

http://security.ubuntu.com/ubuntu/pool/main/b/bind9/libisc60_9.7.1.dfsg.P2-2ubuntu0.2_i386.deb

[Full-disclosure] [ MDVSA-2011:036 ] mailman

2011-02-23 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2011:036
 http://www.mandriva.com/security/
 ___

 Package : mailman
 Date: February 23, 2011
 Affected: 2009.0, 2010.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been found and corrected in mailman:
 
 Multiple cross-site scripting (XSS) vulnerabilities in Cgi/confirm.py
 in GNU Mailman 2.1.14 and earlier allow remote attackers to inject
 arbitrary web script or HTML via the (1) full name or (2) username
 field in a confirmation message (CVE-2011-0707).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct this issue.
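The bug class described here, a user-supplied full name or username interpolated into a confirmation page without HTML escaping, is easiest to see side by side. The following Python is an added illustration and is not Mailman's Cgi/confirm.py or its fix: the template, field names and probe strings are constructed, and the audit routine pushes a text-context probe and an attribute-breaking probe through both fields to report which come back unescaped.

```python
"""Illustration of the bug class in MDVSA-2011:036 (CVE-2011-0707): a
user-controlled name reflected into a confirmation page without escaping.
Added example with a constructed template; not Mailman's code. Field names
and probes are assumptions."""
import html

# Constructed stand-in for a subscription confirmation page. The full name
# appears in two contexts: element text and a double-quoted attribute value.
TEMPLATE = (
    "<p>Confirm subscription for <b>{fullname}</b>.</p>\n"
    '<input type="hidden" name="fullname" value="{fullname}">\n'
    '<input type="hidden" name="user" value="{username}">\n'
)

# Constructed probes: one aimed at a text context, one that breaks out of an attribute.
TEXT_PROBE = "<script>alert(1)</script>"
ATTR_PROBE = '" autofocus onfocus="alert(1)'


def render_unsafe(fullname, username):
    """Interpolates the fields verbatim, so attacker-supplied markup becomes part of the page."""
    return TEMPLATE.format(fullname=fullname, username=username)


def render_safe(fullname, username):
    """Escapes each field for HTML before interpolation; quote=True also
    converts the quote characters that would end an attribute value."""
    return TEMPLATE.format(fullname=html.escape(fullname, quote=True),
                           username=html.escape(username, quote=True))


def reflected_unescaped(page, probe):
    """True when the probe survives verbatim, i.e. none of its special characters was escaped."""
    return probe in page


def audit(renderer):
    """Feed both probes through both fields; return (field, probe) pairs that reflect unescaped."""
    hits = []
    for field in ("fullname", "username"):
        for probe in (TEXT_PROBE, ATTR_PROBE):
            args = {"fullname": "Alice", "username": "alice"}
            args[field] = probe
            if reflected_unescaped(renderer(**args), probe):
                hits.append((field, probe))
    return hits


if __name__ == "__main__":
    print("unsafe:", audit(render_unsafe))
    print("safe:  ", audit(render_safe))
```

The attribute probe is the reason escaping must cover quotes as well as angle brackets: a fix that only handles < and > leaves the value="..." reflection exploitable.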
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0707
 ___

 Updated Packages:

 Mandriva Linux 2009.0:
 47a36cb8bb5464358047e119a573f0fb  2009.0/i586/mailman-2.1.11-1.3mdv2009.0.i586.rpm
 79afe7d6091352e440e02107ab466efe  2009.0/SRPMS/mailman-2.1.11-1.3mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 3a07afa82cf9334e9d2cbd88208c578a  2009.0/x86_64/mailman-2.1.11-1.3mdv2009.0.x86_64.rpm
 79afe7d6091352e440e02107ab466efe  2009.0/SRPMS/mailman-2.1.11-1.3mdv2009.0.src.rpm

 Mandriva Linux 2010.0:
 20c696c21b949cb810f055d3b3803a12  2010.0/i586/mailman-2.1.12-3.3mdv2010.0.i586.rpm
 4e461a2eb191aa9665ae4c8723ac1b17  2010.0/SRPMS/mailman-2.1.12-3.3mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 9997c9ffed7a9672c92282c73f187aa1  2010.0/x86_64/mailman-2.1.12-3.3mdv2010.0.x86_64.rpm
 4e461a2eb191aa9665ae4c8723ac1b17  2010.0/SRPMS/mailman-2.1.12-3.3mdv2010.0.src.rpm

 Mandriva Linux 2010.1:
 3c4ec4ef441084a5011d9c10b441df56  2010.1/i586/mailman-2.1.13-1.3mdv2010.2.i586.rpm
 2376bf5d3a1669352dfd8f11840bea55  2010.1/SRPMS/mailman-2.1.13-1.3mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 3d6740a45395643aea20eaa55c584668  2010.1/x86_64/mailman-2.1.13-1.3mdv2010.2.x86_64.rpm
 2376bf5d3a1669352dfd8f11840bea55  2010.1/SRPMS/mailman-2.1.13-1.3mdv2010.2.src.rpm

 Corporate 4.0:
 1ba9ef634bf145c569009dbc7f717f65  corporate/4.0/i586/mailman-2.1.6-6.5.20060mlcs4.i586.rpm
 d9e1706712003f86bcb18dcc0fbb9307  corporate/4.0/SRPMS/mailman-2.1.6-6.5.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 f151b2121b079b4821c2d88e276c1a19  corporate/4.0/x86_64/mailman-2.1.6-6.5.20060mlcs4.x86_64.rpm
 d9e1706712003f86bcb18dcc0fbb9307  corporate/4.0/SRPMS/mailman-2.1.6-6.5.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 ecfdebbe4501d6d2ff60834f9050d9f7  mes5/i586/mailman-2.1.11-1.3mdvmes5.1.i586.rpm
 c828514e473947b0b21d90db6d5c56eb  mes5/SRPMS/mailman-2.1.11-1.3mdvmes5.1.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 b6d9bfdaf7e2f33f942d1f3408eebb02  mes5/x86_64/mailman-2.1.11-1.3mdvmes5.1.x86_64.rpm
 c828514e473947b0b21d90db6d5c56eb  mes5/SRPMS/mailman-2.1.11-1.3mdvmes5.1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFNZRSimqjQ0CJFipgRAgoHAKCFFWAwwIJOKZQ7LLy2Ys1vBKmJngCg3w7/
0VY4v73uqXZ5zl5CMiIKH0o=
=irx9
-END PGP SIGNATURE-



[Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Manager

2011-02-23 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Cisco Security Advisory: Multiple Vulnerabilities in Cisco
TelePresence Manager

Advisory ID: cisco-sa-20110223-telepresence-ctsman

Revision 1.0

For Public Release 2011 February 23
+-

Summary
===

Multiple vulnerabilities exist in the Cisco TelePresence Manager.
This security advisory outlines the details of the following
vulnerabilities:

  * Simple Object Access Protocol (SOAP) Authentication Bypass
  * Java Remote Method Invocation (RMI) Command Injection
  * Cisco Discovery Protocol Remote Code Execution

Duplicate Issue Identification in Other Cisco TelePresence Advisories
+

The Cisco Discovery Protocol remote code execution vulnerability
affects Cisco TelePresence endpoints, Manager, Multipoint Switch, and
Recording Server. The details about how the defect relates to each
component are covered in each associated advisory. The Cisco bug IDs
for these defects are as follows:

  * Cisco TelePresence endpoint devices - CSCtd75754
  * Cisco TelePresence Manager - CSCtd75761
  * Cisco TelePresence Multipoint Switch - CSCtd75766
  * Cisco TelePresence Recording Server - CSCtd75769

This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110223-telepresence-ctsman.shtml

Affected Products
=

These vulnerabilities affect the Cisco TelePresence Manager. Releases
of Cisco TelePresence Manager software prior to 1.7.0 may be affected
by one or more of the vulnerabilities listed in this advisory.

The following table provides information pertaining to affected
software releases:

+------------------------------------------------+--------------+-----------------------------------+
| Description                                    | Cisco Bug ID | Affected Software Releases        |
+------------------------------------------------+--------------+-----------------------------------+
| SOAP Authentication Bypass                     | CSCtc59562   | 1.2.x, 1.3.x, 1.4.x, 1.5.x, 1.6.x |
| Java RMI Command Injection                     | CSCtf9085    | 1.2.x, 1.3.x, 1.4.x, 1.5.x, 1.6.x |
| Cisco Discovery Protocol Remote Code Execution | CSCtd75761   | 1.2.x, 1.3.x, 1.4.x, 1.5.x, 1.6.2 |
+------------------------------------------------+--------------+-----------------------------------+

Vulnerable Products
+--

Cisco TelePresence Manager devices that are running an affected
version of software are affected.

To determine the current version of software that is running on the
Cisco TelePresence Manager, establish an SSH connection to the device
and issue the show version active and the show version inactive
commands. The output should resemble the following example:

admin: show version active
Active Master Version: 1.7.0.0-471

Active Version Installed Software Options:
No Installed Software Options Found.

admin: show version inactive
Inactive Master Version: 1.6.0.0-342

Inactive Version Installed Software Options:
No Installed Software Options Found.

In the preceding example, the system has versions 1.6.0 and 1.7.0
loaded on the device, and version 1.7.0 is currently active. A device
is affected only by vulnerabilities that are in the active software
version.

Products Confirmed Not Vulnerable
+

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
===

The Cisco TelePresence solution allows for immersive, in-person
communication and collaboration over the network with colleagues,
prospects, and partners, even when they are located in opposite
hemispheres.

This security advisory describes multiple, distinct vulnerabilities
in the Cisco TelePresence Manager. These vulnerabilities are
independent of each other.

SOAP Authentication Bypass
+-

An authentication bypass vulnerability exists that could allow a
remote, unauthenticated attacker to invoke arbitrary methods that are
available via the SOAP interface on the Cisco TelePresence Manager.
The attacker would need the ability to submit a malformed SOAP
request that is designed to trigger the vulnerability to the affected
device on TCP port 8080 or 8443.

An attacker must perform a three-way TCP handshake and establish a
valid session to exploit this vulnerability.

  * Cisco TelePresence Manager: CSCtc59562 ( registered customers
only) has been assigned the Common Vulnerabilities and Exposures
(CVE) identifier CVE-2011-0380.

Java RMI Command Injection
+-

A command injection vulnerability exists in the Java

[Full-disclosure] Cisco Security Advisory: Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability

2011-02-23 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Cisco Security Advisory: Cisco Firewall Services Module Skinny Client
Control Protocol Inspection Denial of Service Vulnerability

Document ID: 112893

Advisory ID: cisco-sa-20110223-fwsm

Revision 1.0

For Public Release 2011 February 23 1600 UTC (GMT)

+-

Summary
===

A vulnerability exists in the Cisco Firewall Services Module (FWSM)
for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
that may cause the Cisco FWSM to reload after processing a malformed
Skinny Client Control Protocol (SCCP) message. Devices are affected
when SCCP inspection is enabled.

Cisco has released free software updates that address this
vulnerability.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110223-fwsm.shtml.

Note: Cisco ASA 5500 Series Adaptive Security Appliances are
affected by the vulnerability described in this advisory. A
separate Cisco Security Advisory has been published to disclose
this and other vulnerabilities that affect the Cisco ASA 5500
Series Adaptive Security Appliances. The advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20110223-asa.shtml.

Affected Products
=

Vulnerable Products
+--

Versions 3.1.x, 3.2.x, 4.0.x, and 4.1.x of Cisco FWSM software are
affected by this vulnerability if SCCP inspection is enabled. SCCP
inspection is enabled by default.

To determine whether SCCP inspection is enabled, issue the "show
service-policy | include skinny" command and confirm that the command
returns output. Example output follows:

fwsm#show service-policy | include skinny
  Inspect: skinny , packet 0, drop 0, reset-drop 0

Alternatively, a device that has SCCP inspection enabled has a
configuration similar to the following:

class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  ...
  inspect skinny
  ...
!
service-policy global_policy global

Note: The service policy could also be applied to a specific
interface. (Global application is shown in the previous example.)

To determine the version of Cisco FWSM software that is running, issue
the "show module" command from Cisco IOS Software or Cisco Catalyst
Operating System Software to identify what modules and submodules are
installed on the system.

The following example shows a system with a Cisco FWSM (WS-SVC-FWM-1)
installed in slot 2:

switch>show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   16  SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL06334NS9
  2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485
  3    8  Intrusion Detection System             WS-SVC-IDSM-2      SAD0932089Z
  4    4  SLB Application Processor Complex      WS-X6066-SLB-APC   SAD093004BD
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL0934888E

Mod MAC addresses                       Hw    Fw           Sw           Status
--- --------------------------------- ------ ------------ ------------ -------
  1  0009.11e3.ade8 to 0009.11e3.adf7   5.1   6.3(1)       8.5(0.46)RFW Ok
  2  0018.ba41.5092 to 0018.ba41.5099   4.0   7.2(1)       3.2(2)10     Ok
  3  0014.a90c.9956 to 0014.a90c.995d   5.0   7.2(1)       5.1(6)E1     Ok
  4  0014.a90c.66e6 to 0014.a90c.66ed   1.7   4.2(3)                    Ok
  5  0013.c42e.7fe0 to 0013.c42e.7fe3   4.4   8.1(3)       12.2(18)SXF1 Ok

[...]

After locating the correct slot, issue the "show module <slot>" command
to identify the software version that is running, as shown in the
following example:

switch>show module 2
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485

Mod MAC addresses                       Hw    Fw           Sw           Status
--- --------------------------------- ------ ------------ ------------ -------
  2  0018.ba41.5092 to 0018.ba41.5099   4.0   7.2(1)       3.2(2)10     Ok

[...]

The preceding example shows that the FWSM is running software version
3.2(2)10 as indicated by the Sw column.

Note: Recent versions of Cisco IOS Software will show the software
version of each module in the output from the "show module" command;
therefore, executing the "show module <slot>" command is not
necessary.

If a Virtual Switching System (VSS) is used to allow two physical Cisco
Catalyst 6500 Series Switches to operate as a single logical virtual
switch, the "show module swit

[Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

2011-02-23 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500
Series Adaptive Security Appliances

Advisory ID: cisco-sa-20110223-asa

Revision 1.0

For Public Release 2011 February 23 1600 UTC (GMT)

+-

Summary
===

Cisco ASA 5500 Series Adaptive Security Appliances are affected by the
following vulnerabilities:

  * Transparent Firewall Packet Buffer Exhaustion Vulnerability
  * Skinny Client Control Protocol (SCCP) Inspection Denial of
Service Vulnerability
  * Routing Information Protocol (RIP) Denial of Service
Vulnerability
  * Unauthorized File System Access Vulnerability

These vulnerabilities are independent; a release that is affected by
one vulnerability is not necessarily affected by the others.

Cisco has released free software updates that address these
vulnerabilities.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110223-asa.shtml.

Note: The Cisco Firewall Services Module (FWSM) is affected
by one of these vulnerabilities. A separate Cisco Security
Advisory has been published to disclose the vulnerability
that affects the Cisco FWSM. That advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20110223-fwsm.shtml.

Affected Products
=

Cisco ASA 5500 Series Adaptive Security Appliances are affected by
multiple vulnerabilities. Affected versions of Cisco ASA Software
vary depending on the specific vulnerability.

Vulnerable Products
+--

For specific version information, refer to the Software Versions and
Fixes section of this advisory.

Transparent Firewall Packet Buffer Exhaustion Vulnerability
+--

A packet buffer exhaustion vulnerability affects multiple versions of
Cisco ASA Software when a security appliance is configured to operate in
the transparent firewall mode. Transparent firewall mode is enabled on
the appliance if the command "firewall transparent" is present in the
configuration. The default firewall mode is routed, not transparent.
The "show firewall" command can also be used to determine the firewall
operation mode:

ciscoasa# show firewall
Firewall mode: Transparent

SCCP Inspection Denial of Service Vulnerability
+--

A denial of service vulnerability affects the SCCP inspection feature
of Cisco ASA 5500 Series Adaptive Security Appliances.

Administrators can determine if SCCP inspection is enabled by issuing
the "show service-policy | include skinny" command and confirming that
output, such as what is displayed in the following example, is returned.

ciscoasa# show service-policy | include skinny
  Inspect: skinny, packet 0, drop 0, reset-drop 0

Alternatively, a device that has SCCP inspection enabled has a
configuration similar to the following:

class-map inspection_default
 match default-inspection-traffic

!

policy-map global_policy
 class inspection_default
  ...
  inspect skinny
  ...

!

service-policy global_policy global

Note: The service policy could also be applied to a specific
interface instead of globally, which is displayed in the previous
example.

SCCP inspection is enabled by default.

RIP Denial of Service Vulnerability
+--

A denial of service vulnerability affects the RIP implementation in
Cisco ASA 5500 Series Adaptive Security Appliances when both RIP and
the Cisco Phone Proxy feature are enabled on the same device. The
following example displays an affected configuration (Cisco ASA
Software version 8.0 and 8.1):

router rip
 ...

!

phone-proxy <name>
  media-termination address <ip-address>
  ...


Or (Cisco ASA Software version 8.2 and later):

router rip
 ...

!

media-termination <name>
 address <ip-address>

!



A security appliance is vulnerable if it is processing RIP messages
("router rip") and if a global media termination address is configured
for the Cisco Phone Proxy feature (refer to previous example). Note
that Cisco ASA Software versions 8.0 and 8.1 only allow a global
media termination address. However, in Cisco ASA Software version 8.2
and later, it is possible to tie a media termination address to an
interface. This configuration, which is accomplished by issuing the
command "address <ip-address> interface <interface-name>" in media
termination configuration mode, is not affected.

Neither RIP nor the Cisco Phone Proxy feature is enabled by default.
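A practitioner who cannot run "show service-policy" and "show firewall" on every device can apply the same tests to saved running-configs. The following Python is an added example, not Cisco's code. It serves both the FWSM advisory above, where only the SCCP condition applies, and the three ASA conditions described in this advisory: SCCP inspection counts only when a policy-map containing "inspect skinny" is actually applied via "service-policy" (global or per interface), transparent mode is the presence of "firewall transparent", and the RIP condition requires "router rip" together with a media-termination address that is not bound to an interface, in either the 8.0/8.1 phone-proxy syntax or the 8.2+ media-termination syntax. The two sample configurations and the finding names are constructed for the illustration.

```python
"""Offline audit of a saved Cisco ASA/FWSM running-config for the exposure
conditions named in cisco-sa-20110223-fwsm and cisco-sa-20110223-asa.
Added example, not Cisco's code; the sample configs and finding names are
constructed for the illustration."""
import re

# Constructed sample: all three ASA conditions present (8.2+ media-termination syntax).
VULNERABLE_CONFIG = """\
firewall transparent
policy-map global_policy
 class inspection_default
  inspect skinny
service-policy global_policy global
router rip
 network 10.0.0.0
media-termination MT
 address 192.0.2.10
"""

# Constructed sample: routed mode, 'inspect skinny' only in a policy-map that is
# never applied, and the media-termination address bound to an interface.
HARDENED_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect sip
policy-map voice_policy
 class inspection_default
  inspect skinny
service-policy global_policy global
router rip
 network 10.0.0.0
media-termination MT
 address 192.0.2.10 interface inside
"""


def parse_blocks(config):
    """Group the config into (top-level command, [indented sub-commands]) pairs.
    '!' and ':' comment lines are dropped; deeper nesting is flattened."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip()[0] in "!:":
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def transparent_mode(blocks):
    """ASA only: 'firewall transparent' is present (the default mode is routed)."""
    return any(cmd == "firewall transparent" for cmd, _ in blocks)


def sccp_inspection_enabled(blocks):
    """ASA and FWSM: 'inspect skinny' sits in a policy-map that 'service-policy'
    applies globally or to an interface. This is the offline equivalent of
    'show service-policy | include skinny' returning output."""
    skinny_maps = {cmd.split()[1] for cmd, kids in blocks
                   if cmd.startswith("policy-map ") and cmd.split()[1] != "type"
                   and "inspect skinny" in kids}
    applied = set()
    for cmd, _ in blocks:
        m = re.fullmatch(r"service-policy (\S+) (?:global|interface \S+)", cmd)
        if m:
            applied.add(m.group(1))
    return bool(skinny_maps & applied)


def rip_with_global_media_termination(blocks):
    """ASA only: 'router rip' plus a media-termination address not tied to an interface."""
    if not any(cmd == "router rip" for cmd, _ in blocks):
        return False
    for cmd, kids in blocks:
        # 8.0/8.1 syntax: 'media-termination address <ip>' under 'phone-proxy <name>'
        if cmd.startswith("phone-proxy ") and any(
                re.fullmatch(r"media-termination address \S+", k) for k in kids):
            return True
        # 8.2+ syntax: 'address <ip>' under 'media-termination <name>';
        # 'address <ip> interface <name>' is interface-bound and not affected
        if cmd.startswith("media-termination ") and any(
                re.fullmatch(r"address \S+", k) for k in kids):
            return True
    return False


def audit_config(config):
    """Return the exposure conditions found, in a fixed order."""
    blocks = parse_blocks(config)
    checks = (("transparent-firewall-mode", transparent_mode),
              ("sccp-inspection-enabled", sccp_inspection_enabled),
              ("rip-with-global-media-termination", rip_with_global_media_termination))
    return [name for name, check in checks if check(blocks)]


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg) or "no findings")
```

The unapplied voice_policy in the hardened sample is the case that trips naive grep-based checks: the string "inspect skinny" is present, but no traffic is inspected until a "service-policy" line references that policy-map.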

Unauthorized File System Access Vulnerability
+

An unauthorized file system access vulnerability affects Cisco ASA
5500 Series Adaptive Security Appliances when a security appliance is
configured as a local Certificate Authority (CA). An affected
configuration consists of the following minimum

[Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Recording Server

2011-02-23 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Cisco Security Advisory: Multiple Vulnerabilities in Cisco
TelePresence Recording Server

Advisory ID: cisco-sa-20110223-telepresence-ctrs

Revision 1.0

For Public Release 2011 February 23 1600 UTC (GMT)

+-

Summary
===

Multiple vulnerabilities exist within the Cisco TelePresence
Recording Server. This security advisory outlines details of the
following vulnerabilities:

  * Unauthenticated Java Servlet Access

  * Common Gateway Interface (CGI) Command Injection

  * Unauthenticated Arbitrary File Upload

  * XML-Remote Procedure Call (RPC) Arbitrary File Overwrite

  * Cisco Discovery Protocol Remote Code Execution

  * Ad Hoc Recording Denial of Service

  * Java Remote Method Invocation (RMI) Denial of Service

  * Unauthenticated XML-RPC Interface

Duplicate Issue Identification in Other Cisco TelePresence Advisories
+

The Unauthenticated Java Servlet Access vulnerability affects the
Cisco TelePresence Multipoint Switch and Recording Server. The defect
that is related to each component is covered in each associated
advisory. The Cisco Bug IDs for these defects are as follows:

  * Cisco TelePresence Multipoint Switch - CSCtf42008
  * Cisco TelePresence Recording Server - CSCtf42005

The Unauthenticated Arbitrary File Upload vulnerability affects the
Cisco TelePresence Multipoint Switch and Recording server. The defect
that is related to each component is covered in each associated
advisory. The Cisco Bug IDs for these defects are as follows:

  * Cisco TelePresence Multipoint Switch - CSCth61065
  * Cisco TelePresence Recording Server - CSCth85786

The Cisco Discovery Protocol Remote Code Execution vulnerability
affects Cisco TelePresence endpoints, Manager, Multipoint Switch, and
Recording Server. The defect that is related to each component is
covered in each associated advisory. The Cisco Bug IDs for these
defects are as follows:

  * Cisco TelePresence endpoint devices - CSCtd75754
  * Cisco TelePresence Manager - CSCtd75761
  * Cisco TelePresence Multipoint Switch - CSCtd75766
  * Cisco TelePresence Recording Server - CSCtd75769

The Java RMI Denial of Service vulnerability affects the Cisco
TelePresence Multipoint Switch and Recording Server. The defect that
is related to each component is covered in each associated advisory.
The Cisco Bug IDs for these defects are as follows:

  * Cisco TelePresence Multipoint Switch - CSCtg35825
  * Cisco TelePresence Recording Server - CSCtg35830

This advisory is posted at: 
http://www.cisco.com/warp/public/707/cisco-sa-20110223-telepresence-ctrs.shtml

Affected Products
=

These vulnerabilities affect the Cisco TelePresence Recording Server.
All releases of Cisco TelePresence software prior to 1.7.1 are
affected by one or more of the vulnerabilities listed in this
advisory.

The following table provides information that pertains to affected
software releases:

+------------------------------------------------+--------------+----------------------------+
| Description                                    | Cisco Bug ID | Affected Software Releases |
+------------------------------------------------+--------------+----------------------------+
| Unauthenticated Java Servlet Access            | CSCtf42005   | 1.6.x                      |
| CGI Command Injection                          | CSCtf97221   | 1.6.x                      |
| Unauthenticated Arbitrary File Upload          | CSCth85786   | 1.6.x                      |
| XML-RPC Arbitrary File Overwrite               | CSCti50739   | 1.6.x, 1.7.0               |
| Cisco Discovery Protocol Remote Code Execution | CSCtd75769   | 1.6.x                      |
| Ad Hoc Recording Denial of Service             | CSCtf97205   | 1.6.x                      |
| Java RMI Denial of Service                     | CSCtg35830   | 1.6.x                      |
| Unauthenticated XML-RPC Interface              | CSCtg35833   | 1.6.x                      |
+------------------------------------------------+--------------+----------------------------+

Vulnerable Products
+--

Cisco TelePresence Recording Server devices that are running an
affected version of software are affected.

To determine the current version of software that is running on the
Cisco TelePresence Recording Server, SSH into the device and issue the
show version active and the show version inactive

[Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch

2011-02-23 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Cisco Security Advisory: Multiple Vulnerabilities in Cisco
TelePresence Multipoint Switch

Advisory ID: cisco-sa-20110223-telepresence-ctms

Revision 1.0

For Public Release 2011 February 23 
+-

Summary
===

Multiple vulnerabilities exist within the Cisco TelePresence
Multipoint Switch. This security advisory outlines details of the
following vulnerabilities:

  * Unauthenticated Java Servlet Access
  * Unauthenticated Arbitrary File Upload
  * Cisco Discovery Protocol Remote Code Execution
  * Unauthorized Servlet Access
  * Java RMI Denial of Service
  * Real-Time Transport Control Protocol Denial of Service
  * XML-Remote Procedure Call (RPC) Denial of Service

Duplicate Issue Identification in Other Cisco TelePresence Advisories

The Unauthenticated Java Servlet Access vulnerability affects the
Cisco TelePresence Multipoint Switch and Recording Server. The defect
as related to each component is covered in each associated advisory.
The Cisco bug IDs for these defects are as follows:

  * Cisco TelePresence Multipoint Switch - CSCtf42008
  * Cisco TelePresence Recording Server - CSCtf42005

The Unauthenticated Arbitrary File Upload vulnerability affects the
Cisco TelePresence Multipoint Switch and Recording Server. The defect
as related to each component is covered in each associated advisory.
The Cisco bug IDs for these defects are as follows:

  * Cisco TelePresence Multipoint Switch - CSCth61065
  * Cisco TelePresence Recording Server - CSCth85786

The Cisco Discovery Protocol Remote Code Execution vulnerability
affects Cisco TelePresence endpoint devices, Manager, Multipoint
Switch, and Recording Server. The defect as related to each component
is covered in each associated advisory. The Cisco bug IDs for these
defects are as follows:

  * Cisco TelePresence endpoint devices - CSCtd75754
  * Cisco TelePresence Manager - CSCtd75761
  * Cisco TelePresence Multipoint Switch - CSCtd75766
  * Cisco TelePresence Recording Server - CSCtd75769

The Java RMI Denial of Service vulnerability affects the Cisco
TelePresence Multipoint Switch and Recording Server. The defect as
related to each component is covered in each associated advisory. The
Cisco bug IDs for these defects are as follows:

  * Cisco TelePresence Multipoint Switch - CSCtg35825
  * Cisco TelePresence Recording Server - CSCtg35830

This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110223-telepresence-ctms.shtml.

Affected Products
=

These vulnerabilities affect the Cisco TelePresence Multipoint
Switch. All releases of Cisco TelePresence System Software prior to
1.7.1 are affected by one or more of the vulnerabilities listed in
this advisory.

The following table provides information pertaining to affected
software releases:

+--------------------------------------------------------+--------------+-----------------------------------+
| Description                                            | Cisco Bug ID | Affected Software Releases        |
+--------------------------------------------------------+--------------+-----------------------------------+
| Unauthenticated Java Servlet Access                    | CSCtf01253   | 1.0.x, 1.1.x, 1.5.x, 1.6.x        |
| Unauthenticated Java Servlet Access                    | CSCtf42008   | 1.0.x, 1.1.x, 1.5.x, 1.6.x        |
| Unauthenticated Arbitrary File Upload                  | CSCth61065   | 1.0.x, 1.1.x, 1.5.x, 1.6.x        |
| Cisco Discovery Protocol Remote Code Execution         | CSCtd75766   | 1.0.x, 1.1.x, 1.5.x, 1.6.x        |
| Unauthorized Servlet Access                            | CSCtf97164   | 1.0.x, 1.1.x, 1.5.x, 1.6.x        |
| Java RMI Denial of Service                             | CSCtg35825   | 1.0.x, 1.1.x, 1.5.x, 1.6.x        |
| Real-Time Transport Control Protocol Denial of Service | CSCth60993   | 1.0.x, 1.1.x, 1.5.x, 1.6.x        |
| XML-RPC Denial of Service                              | CSCtj44534   | 1.0.x, 1.1.x, 1.5.x, 1.6.x, 1.7.0 |
+--------------------------------------------------------+--------------+-----------------------------------+

Vulnerable Products

[Full-disclosure] Qualys Launches Open Source Web App Firewall Project

2011-02-23 Thread sergio
http://www.itjungle.com/fhs/fhs022211-story04.html

Qualys last week unveiled IronBee, a new open source Web application
firewall (WAF) project. The goal of the project is to leverage the open
source community to build a high performance WAF that can protect users
against the latest security threats to Web applications. The software will
feature a liberal license, and will be free to anybody.

In its introductory white paper Qualys says its goal with IronBee is to
create a "universal application security sensor." In other words, it wants
a flexible WAF framework upon which users can customize their specific
rules and restrictions, and upon which software vendors can build
commercial open source products.
