[Full-disclosure] BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload

2011-04-01 Thread Tavis Ormandy
BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload
---

Gruezi, this document describes CVE-2011-1547.

RFC3173 ip payload compression, henceforth ipcomp, is a protocol intended to
provide compression of ip datagrams, and is commonly used alongside IPSec
(although there is no requirement to do so).

An ipcomp datagram consists of an ip header with ip->ip_p set to 108, followed
by a 32 bit ipcomp header, described in C syntax below.

struct ipcomp {
    uint8_t     comp_nxt;       // Next Header
    uint8_t     comp_flags;     // Reserved
    uint16_t    comp_cpi;       // Compression Parameter Index
};

The Compression Parameter Index indicates which compression algorithm was used
to compress the ipcomp payload, which is expanded and then routed as requested.
Although the CPI field is 16 bits wide, in reality only 1 algorithm is widely
implemented, RFC1951 DEFLATE (cpi=2).

It's well documented that ipcomp can be used to traverse perimeter filtering,
however this document discusses potential implementation flaws observed in
popular stacks.

The IPComp implementation originating from NetBSD/KAME implements injection of
unpacked payloads like so:

    algo = ipcomp_algorithm_lookup(cpi);

    /* ... */

    error = (*algo->decompress)(m, m->m_next, newlen);

    /* ... */

    if (nxt != IPPROTO_DONE) {
        if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
            ipsec4_in_reject(m, NULL)) {
            IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
            goto fail;
        }
        /* hand the unpacked payload to the next protocol's input routine;
           when nxt is again IPComp this re-enters the ipcomp handler with
           no bound on the nesting depth */
        (*inetsw[ip_protox[nxt]].pr_input)(m, off, nxt);
    } else
        m_freem(m);

/* ... */

Where inetsw[] contains definitions for supported protocols, and nxt is a
protocol number, usually associated with ip->ip_p (see
http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml), but in
this case from ipcomp->comp_nxt. m is the mbuf structure adjusted to point to
the unpacked payload.

The unpacked packet is dispatched to the appropriate protocol handler
directly from the ipcomp protocol handler. This recursive implementation fails
to check for stack overflow, and is therefore vulnerable to a remote
pre-authentication kernel memory corruption vulnerability.

The NetBSD/KAME network stack is used as the basis for various other
operating systems, such as Xnu, FTOS, various embedded devices and
network appliances, and earlier versions of FreeBSD/OpenBSD (the code
has since been refactored, but see the NOTES section regarding IPComp
quines, which still permit remote, pre-authentication, single-packet,
spoofed-source DoS in the latest versions).

The Xnu port of this code is close to the original, where the decompressed
payload is recursively injected back into the toplevel ip dispatcher. The
implementation is otherwise similar, and some alterations to the testcase
provided for NetBSD should make it work. This is left as an exercise for the
interested reader.


Affected Software
---

Any NetBSD derived IPComp/IPSec stack may be vulnerable (Xnu, FTOS, etc.).

NetBSD is not distributed with IPSec support enabled by default, however Apple
OSX and various other derivatives are. There are so many NetBSD derived network
stacks that it is infeasible to check them all, concerned administrators are
advised to check with their vendor if there is any doubt.

Major vendors known to use network stacks derived from NetBSD were pre-notified
about this vulnerability. If I missed you, it is either not well known that you
use the BSD stack, you did not respond to security@ mail, or could not use pgp
properly.

Additionally, administrators of critical or major deployments of NetBSD (e.g.
dns root servers) were given advance notice in order to deploy appropriate
filter rules.

Exploitability of kernel stack overflows will vary by platform (n.b. a stack
overflow is not a stack buffer overflow, for a concise definition see
TAOCP3,V1,S2.2.2). Also note that a kernel stack overflow is very different
from a userland stack overflow.

For further discussion, including attacks on other operating systems,
see the notes section on ipcomp quines below.


Consequences
---

While exploitation of kernel stack overflows is a somewhat under-researched
topic, the author feels a skilled attacker would be able to leverage this for
remote code execution. However, this is not a trivial task, and is highly
platform dependent.

I have verified kernel stack overflows on NetBSD are exploitable, I have looked
at the source code for xnu and do not see any obvious obstacles to prevent
exploitation (kernel stack segment limits, guard pages, etc. which would cause
the worst impact to be limited to remote denial of service), so have no reason
to believe it is different.

Thoughts on this topic from fellow researchers would be welcome.

Source code for a sample Linux program to 
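
The missing check, as an added example that is not code from the advisory or from any BSD source: an iterative IPComp unwrapper that parses the IPv4 and IPComp headers and rejects datagrams nested deeper than a fixed limit, so kernel stack use no longer grows with nesting. The limit (IPCOMP_MAX_NESTING), the identity decompressor on a private-use CPI and the sample datagram builder are constructed assumptions so that it runs without zlib.

```c
/* Added example, not code from Tavis Ormandy's advisory or any BSD kernel: a bounded,
 * iterative IPComp (RFC3173) unwrapper. It validates the IPv4 header, walks nested
 * IPComp headers (protocol 108) and refuses to go deeper than IPCOMP_MAX_NESTING, the
 * check the recursive KAME dispatch above lacks. Decompression is a constructed identity
 * stand-in on a private-use CPI so it runs without zlib; a real stack calls DEFLATE. */
#include <stdint.h>
#include <string.h>

#define IPPROTO_IPCOMP     108
#define IPCOMP_MAX_NESTING 4       /* assumed policy limit, not an RFC value */
#define CPI_IDENTITY_STUB  0xF000  /* constructed; RFC3173 private-use CPIs are 61440-65535 */
#define MAX_PAYLOAD        1500

enum { IPC_TRUNCATED = -1, IPC_BAD_CPI = -2, IPC_TOO_DEEP = -3 };

/* Validate the IPv4 header; return its protocol number (or -1), payload offset and length. */
static int ipv4_payload(const uint8_t *pkt, size_t len, size_t *off, size_t *plen)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || tot < ihl || tot > len) return -1;
    *off = ihl; *plen = tot - ihl;
    return pkt[9];
}

/* Stand-in for the per-CPI decompressor: identity copy for the stub CPI, anything else is unsupported. */
static int ipcomp_decompress(uint16_t cpi, const uint8_t *in, size_t inlen,
                             uint8_t *out, size_t outcap)
{
    if (cpi != CPI_IDENTITY_STUB || inlen > outcap) return -1;
    memcpy(out, in, inlen);
    return (int)inlen;
}

/* Unwrap IPComp layers in a loop over two ping-pong buffers instead of re-entering the
 * protocol dispatcher, so stack use stays constant however deep the nesting. Returns the
 * innermost next-header protocol or a negative IPC_* code; *depth = layers removed. */
static int ipcomp_unwrap(uint8_t proto, const uint8_t *pkt, size_t len, int *depth)
{
    uint8_t buf[2][MAX_PAYLOAD];
    int d = 0;
    while (proto == IPPROTO_IPCOMP) {
        if (d >= IPCOMP_MAX_NESTING) return IPC_TOO_DEEP;
        if (len < 4) return IPC_TRUNCATED;                       /* struct ipcomp is 4 bytes */
        uint8_t  comp_nxt = pkt[0];                              /* pkt[1] is comp_flags: reserved, ignored */
        uint16_t comp_cpi = (uint16_t)((pkt[2] << 8) | pkt[3]);  /* big-endian on the wire */
        int n = ipcomp_decompress(comp_cpi, pkt + 4, len - 4, buf[d & 1], MAX_PAYLOAD);
        if (n < 0) return IPC_BAD_CPI;
        pkt   = buf[d & 1];                                      /* next pass reads what this one wrote */
        len   = (size_t)n;
        proto = comp_nxt;
        d++;
    }
    *depth = d;
    return proto;
}

/* Raw IPv4 datagram in, innermost protocol number (or IPC_* code) out. */
static int ipcomp_innermost_proto(const uint8_t *pkt, size_t len, int *depth)
{
    size_t off, plen;
    int proto = ipv4_payload(pkt, len, &off, &plen);
    if (proto < 0) return IPC_TRUNCATED;
    return ipcomp_unwrap((uint8_t)proto, pkt + off, plen, depth);
}

/* Constructed input: an IPv4 datagram carrying `layers` nested IPComp headers on the
 * stub CPI around an 8-byte UDP (17) stand-in payload; the IPv4 checksum stays zero
 * because nothing above verifies it. Returns the datagram length or -1. */
static int build_nested_sample(int layers, uint8_t *out, size_t cap)
{
    size_t tot = 20 + (size_t)layers * 4 + 8;
    if (layers < 1 || tot > cap || tot > 0xffff) return -1;
    memset(out, 0, tot);
    out[0] = 0x45;                                   /* version 4, IHL 5 */
    out[2] = (uint8_t)(tot >> 8);
    out[3] = (uint8_t)tot;
    out[9] = IPPROTO_IPCOMP;
    uint8_t *p = out + 20;
    for (int i = 0; i < layers; i++, p += 4) {
        p[0] = (i + 1 < layers) ? IPPROTO_IPCOMP : 17; /* comp_nxt: another IPComp layer or UDP */
        p[2] = (uint8_t)(CPI_IDENTITY_STUB >> 8);
        p[3] = (uint8_t)(CPI_IDENTITY_STUB & 0xff);
    }
    memcpy(p, "udp-data", 8);
    return (int)tot;
}

/* Exercise the parser on a `layers`-deep sample: innermost protocol (or IPC_* code),
 * and the number of layers unwrapped (-1 when the datagram is rejected). */
static int run_sample(int layers, int *depth)
{
    uint8_t pkt[256];
    int n = build_nested_sample(layers, pkt, sizeof pkt);
    return n < 0 ? IPC_TRUNCATED : ipcomp_innermost_proto(pkt, (size_t)n, depth);
}
static int sample_innermost(int layers) { int d = 0; return run_sample(layers, &d); }
static int sample_depth(int layers) { int d = 0; return run_sample(layers, &d) < 0 ? -1 : d; }
```

A four-layer sample is accepted and reports UDP as the innermost protocol; a five-layer one is refused with IPC_TOO_DEEP before any further unpacking.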

Re: [Full-disclosure] itunes.apple.com owned by webapp malicious host

2011-04-01 Thread matador matador
Seems that Websense agree with me...

http://community.websense.com/blogs/securitylabs/archive/2011/03/29/lizamoon-mass-injection-28000-urls-including-itunes.aspx

... or better they copy and paste my trivial link ... LOL! :)))

2011/3/29 Cal Leeming <c...@foxwhisper.co.uk>

> Unconfirmed, seems to escape fine for me.
>
> On Tue, Mar 29, 2011 at 3:22 PM, matador matador <m4t4d...@gmail.com> wrote:
>
> Enjoy! :)
>
> http://www.google.com/search?q=lizamoon.com+site%3Aapple.com
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] itunes.apple.com owned by webapp malicious host

2011-04-01 Thread Benji
No they don't. All your link implies is that either a) someone
compromised the itunes account associated with that band and added the
script, or b) it was injected into place.

However at no point is the javascript executed.

Sigh, do you have a CSSIP as well?



Re: [Full-disclosure] itunes.apple.com owned by webapp malicious host

2011-04-01 Thread matador matador
I am 15 years old :)


Re: [Full-disclosure] itunes.apple.com owned by webapp malicious host

2011-04-01 Thread Benji
Is that a yes or a no?



Re: [Full-disclosure] itunes.apple.com owned by webapp malicious host

2011-04-01 Thread matador matador
Anyway, the main point I was wondering about before is:

What happens if the sql inj bot was smarter? (For example: using an
obfuscation technique)

Probably nothing, because iTunes sanitized the input.


Re: [Full-disclosure] BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload

2011-04-01 Thread Jeffrey Walton
Isn't this OK as long as the evil bit (RFC 3514) is not set?



Re: [Full-disclosure] Vulnerabilities in MaxSite Anti Spam Image for WordPress

2011-04-01 Thread John Belushae
Hello Mueslix !

I want to warm you about Insufficient Content Filtering on FD.


Timeline:


2005.12.24 - Mueslix got a computer
2005.12.31 - His friends didn't want to go out with him, so he read owasp
instead
2006.01.02 - Found his first FDP
2011.03.29 - Still spamming this list with FDP, and a horribly broken En.


On Thu, Mar 31, 2011 at 11:22 PM, MustLive <mustl...@websecurity.com.ua> wrote:

> Hello list!
>
> I want to warn you about an Insufficient Anti-automation vulnerability in
> the MaxSite Anti Spam Image plugin for WordPress.
>
> This is a modified version of the original plugin Anti Spam Image, about
> a vulnerability in which I wrote in 2007 in my project Month of Bugs in
> Captchas. This captcha is vulnerable to session reusing with the constant
> captcha bypass method, like the original Anti Spam Image, on which this
> plugin is based.
>
> -
> Affected products:
> -
>
> Vulnerable are MaxSite Anti Spam Image 0.6 and potentially all other
> versions of this plugin.
>
> --
> Details:
> --
>
> Insufficient Anti-automation (WASC-21):
>
> Exploit:
>
> http://websecurity.com.ua/uploads/2011/MaxSite%20Anti%20Spam%20Image%20CAPTCHA%20bypass.html
>
> The vulnerability is present in old versions of PHP. It shows only in PHP
> 4.4.7, which has a bug that leads to an error in the web application's
> algorithm, which leads to the possibility of captcha bypass.
>
> 
> Timeline:
> 
>
> 2007.12.01 - found vulnerability.
> 2007.12.01 - informed developer.
> 2011.03.29 - disclosed at my site.
>
> I mentioned this vulnerability at my site
> (http://websecurity.com.ua/5045/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua


Re: [Full-disclosure] I got hacked

2011-04-01 Thread McGhee, Eddie
Nah, You really are a lemming.

From: Cal Leeming [mailto:c...@foxwhisper.co.uk]
Sent: 31 March 2011 13:03
To: McGhee, Eddie
Subject: Re: [Full-disclosure] I got hacked

Wow, and you're the 7th retarded person who can't spell my relatively easy last 
name.. congrats!

2011/3/31 McGhee, Eddie <eddie.mcg...@ncr.com>
Says Mr Cal 7 Emails in a row Lemming


From: full-disclosure-boun...@lists.grok.org.uk
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Cal Leeming
Sent: 31 March 2011 12:40
To: Rémon Schopmeijer
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] I got hacked

Spam?

On Wed, Mar 30, 2011 at 3:52 PM, Rémon Schopmeijer <re...@anthraxmedia.com> wrote:
http://www.n-it.ro/


[TBO] Security...  (The best of Security Team)
by tbo_pablo & Marian
wWw.Tbo-S.com


They hacked three of my websites.

What can you guys do for me?


Anthrax.


Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-04-01 Thread Cal Leeming
+1.

I've come across countless companies who had idiotic technical directors who
didn't even want you speaking up in meetings about how bad their network
was, let alone in public.

A lot of it comes down to pride/image, if someone starts questioning their
job worth, they get all pissy about it, plus a lot of people find it
*extremely* difficult to take constructive criticism and/or advice
within their own remit.

Personally, I'm completely honest and open when I fuck something up. If a
client's network goes down cos I accidentally plugged a 12v cable tester into
core switch gear causing a site wide telecoms outage for 20 minutes (lol),
I'll come right out and say "Yeah, I did bad". Whereas most people try and
cover it up.

Different scenario, but same principle.

On Thu, Mar 31, 2011 at 1:13 PM, BlackHawk <hawkgot...@gmail.com> wrote:

> Nothing new under the sun.. I have done some security testing on _open
> source_ webapps, and most of the time
> if you alert the publisher of your findings (most of the time remote
> code executions, not boring XSS) the answer is typically "F*** off,
> we do not need your help / you are lying / you are a criminal /
> etc. etc.", showing that bug finding is still looked at with diffidence
> by many people;
>
> on the other side admins are so proud of themselves that they do not
> want other people to know they have badly coded something, look at
> this:
> http://forums.pligg.com/questions-comments/23065-pligg-1-1-3-security-vulnerabilities.html#post103328
>
> to close with a semi-serious joke: put all this together and you will
> know why the black market for selling exploits is increasing in size: at
> least someone will appreciate your work and eventually recompense
> you for it..
>
> On Wed, Mar 30, 2011 at 9:33 PM, Cal Leeming <c...@foxwhisper.co.uk> wrote:
>>
>> Like with most laws, the key point is intent. If your intention was
>> clearly not malicious, then you are safe.
>
> --
> BlackHawk - hawkgot...@gmail.com
>
> Sent with Gmail

 Sent with Gmail


Re: [Full-disclosure] INSECT Pro 2.5 Release - Web scanner tool

2011-04-01 Thread Esteban Cañizal
Come on guys!! I think they are not trying to reinvent the wheel here!

As far as I can remember they never said they created a new product
better than msf (or the other tools you mentioned); they packed a bunch
of really good tools and made it easier for those who don't like using
the console, or complicated things...  they also have some native
exploits of their own.

BTW, do you guys always use your time for replying to all the threads
you don't like?? What a waste of time!

I tried it and I think it is really useful, thumbs up for INSECT Pro!!

Cheers :D



[Full-disclosure] password.incleartext.com

2011-04-01 Thread Inc leartext
Hi FD,

Just launched a new website to keep a list of websites storing passwords in
clear text, so far the database is small but feel free to add some:
http://password.incleartext.com/

Cheers,
Inc Leartext

Re: [Full-disclosure] INSECT Pro 2.5 Release - Web scanner tool

2011-04-01 Thread rdsears
Well correct me if I'm wrong, but the whole premise of an un-regulated forum is 
for people to collaborate on opinions, even if they don't necessarily agree. 

You clearly didn't like the comments directed toward the INSECT devs, so aren't 
you 'wasting your time' by replying to them yourself? 


Re: [Full-disclosure] I got hacked

2011-04-01 Thread Valery Marchuk
Hi!
Are your websites commercial? If not, I can help you identify the 
vulnerabilities and fix them.


BR,
Valery Marchuk
www.SecurityLab.ru





[Full-disclosure] Vulnerabilities in MyBB

2011-04-01 Thread MustLive
Hello list!

I want to warn you about Cross-Site Scripting and SQL DB Structure
Extraction vulnerabilities in MyBB.

-
Affected products:
-

Vulnerable are MyBB 1.6 and previous versions. In MyBB 1.6.1 these four
vulnerabilities were fixed (by turning SQL error messages off).

--
Details:
--

The vulnerabilities are in the scripts search.php and private.php.

XSS (WASC-08):

http://websecurity.com.ua/uploads/2011/MyBB%20XSS.html

http://websecurity.com.ua/uploads/2011/MyBB%20XSS-2.html

SQL DB Structure Extraction (WASC-13):

http://websecurity.com.ua/uploads/2011/MyBB%20SQL%20DB%20Structure%20Extraction.html

http://websecurity.com.ua/uploads/2011/MyBB%20SQL%20DB%20Structure%20Extraction-2.html


Timeline:


2011.02.10 - announced at my site.
2011.02.11 - informed developers.
2011.03.30 - disclosed at my site.

I mentioned these vulnerabilities at my site
(http://websecurity.com.ua/4919/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua




Re: [Full-disclosure] Vulnerabilities in MaxSite Anti Spam Image for WordPress

2011-04-01 Thread Valdis . Kletnieks
On Thu, 31 Mar 2011 23:35:50 +1100, John Belushae said:

> I want to warm you about Insufficient Content Filtering on FD.

Dude, you missed by 24 minutes and 10 seconds...



[Full-disclosure] [ MDVSA-2011:058 ] quagga

2011-04-01 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2011:058
 http://www.mandriva.com/security/
 ___

 Package : quagga
 Date: April 1, 2011
 Affected: Corporate 4.0
 ___

 Problem Description:

 Multiple vulnerabilities have been identified and fixed in quagga:
 
 The extended-community parser in bgpd in Quagga before 0.99.18 allows
 remote attackers to cause a denial of service (NULL pointer dereference
 and application crash) via a malformed Extended Communities attribute
 (CVE-2010-1674).
 
 bgpd in Quagga before 0.99.18 allows remote attackers to cause a denial
 of service (session reset) via a malformed AS_PATHLIMIT path attribute
 (CVE-2010-1675).
 
 Updated packages are available that bring Quagga to version 0.99.18
 which provides numerous bugfixes over the previous 0.99.17 version,
 and also corrects these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1674
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1675
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com


[Full-disclosure] ZDI-11-041: (0day) Multiple Browser Node Processing Stack Overflow Vulnerability

2011-04-01 Thread ZDI Disclosures
ZDI-11-041: (0day) Multiple Browser Node Processing Stack Overflow Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-911

April 1, 2011

-- CVE ID:
CVE-C000-00FD

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Microsoft
Google
Mikul
Apple
ISC

-- Affected Products:
Microsoft Internet Explorer
Google Chrome
Mikul Links
Apple Safari
ISC Lynx

-- Vulnerability Details:
Multiple vulnerabilities allow remote attackers to remotely terminate
mission critical web applications on vulnerable installations of Apple
Safari, Microsoft Internet Explorer, Google Chrome, Mikul Links, and ISC
Lynx. User interaction is required to exploit this vulnerability in that
the target must visit a malicious page or open a malicious file.

The flaws exist within the handling of node attributes, specifically
nodes with large quantities of attributes or large values within such
nodes. When handling these objects, several functions are called
recursively for each value defined within. The functions use a
shared memory region referred to internally as the stack. The size of
the stack is not properly verified during processing, which can result in
the consumption of all of its available address space. This process is
extremely exhausting for the application and it cannot continue
functioning. A remote attacker can exploit this vulnerability to
terminate web applications under the context of the Internet.

-- Vendor Response:
Vendors claimed to be unable to respond due to unexpected browser termination 
upon accessing web form.

-- Disclosure Timeline:
2011-04-01 - Vulnerability reported to vendor
2011-04-01 - Public release of advisory

-- Credit:
This vulnerability was discovered by:
* Spencer Pratt

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] The US Government Officially Confirms the Existence of Extraterrestrial Civilizations

2011-04-01 Thread McGhee, Eddie
Worst April fools troll evar? 

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Valery Marchuk
Sent: 01 April 2011 12:20
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] The US Government Officially Confirms the Existence 
of Extraterrestrial Civilizations

Hi!
Tremendous news has recently been published on the official websites of NASA 
and NATO. President of the USA Barack Obama revealed to all mankind that the 
government of the USA, along with the governments of many other countries, has been 
cooperating with extraterrestrial civilizations for almost 40 years. Owing to 
this cooperation, the people of Earth were granted access to new 
technologies, cures for many diseases and the means to reach outer space.

Right now, the US government possesses 5 cruisers that can travel in subspace 
and reach other galaxies millions of light-years away. Barack Obama himself assures 
that there is no danger coming from the extraterrestrial civilizations.

More information with prooflinks on SecurityLab.ru:

Russian: http://www.securitylab.ru/news/405274.php

English: http://www.securitylab.ru/news/405276.php



BR,

Valery Marchuk

www.SecurityLab.ru





Re: [Full-disclosure] The US Government Officially Confirms the Existence of Extraterrestrial Civilizations

2011-04-01 Thread McGhee, Eddie
...And surely you meant President Martinez, not this Obama character =)


Eddie McGhee
Retail TSS GB114/GB115/GB116 
eddie.mcg...@ncr.com | www.ncr.com 


Re: [Full-disclosure] The US Government Officially Confirms the Existence of Extraterrestrial Civilizations

2011-04-01 Thread Maksim . Filenko
Happy All fools' day? ;-)


Re: [Full-disclosure] The US Government Officially Confirms the Existence of Extraterrestrial Civilizations

2011-04-01 Thread Cal Leeming
F, I fell for it.


[Full-disclosure] Plumber Injection Attack in Bowser's Castle

2011-04-01 Thread Nelson Elhage
Advisory Name: Plumber Injection Attack in Bowser's Castle
 Release Date: 2011-04-01
  Application: Bowser's Castle
     Versions: Super Mario Bros., Super Mario Bros.: The Lost Levels
   Identifier: SMB-1985-0001
     Advisory: http://blog.ksplice.com/2011/04/smb-1985-0001-advisory/

---

Vulnerability Overview
----------------------

  Multiple versions of Bowser's Castle are vulnerable to a plumber injection
  attack. An Italian plumber could exploit this bug to bypass security measures
  (walk through walls) in order to rescue Peach, to defeat Bowser, or for
  unspecified other impact.

Exploit
-------

  http://www.youtube.com/watch?v=rGshxZ1dYjA

  This vulnerability is demonstrated by
  happylee-supermariobros,warped.fm2 [1]. Attacks using this
  exploit have been observed in the wild, and multiple other exploits
  are publicly available.

Affected Versions
-----------------

  Versions of Bowser's Castle as shipped in Super Mario Bros. [2] and Super
  Mario Bros.: The Lost Levels [3] are affected.

Solution
--------

  http://www.youtube.com/watch?v=nacFU7ozeZA

  An independently developed patch [4] is available.

  A binary hot patch [5] to apply the update to an existing version is also
  available.

  All users are advised to upgrade.

Mitigations
-----------

  For users unable to apply the recommended fix, a number of
  mitigations are possible to reduce the impact of the vulnerability.

  NOTE THAT NO MITIGATION IS BELIEVED TO BE COMPLETELY EFFECTIVE.

  Potential mitigations include:

  - Employing standard defense-in-depth strategies incorporating
multiple layers of defense, including Goombas [6], Koopa Troopas [7],
Bullet Bills [8], and others.
  - Installing poison mushrooms outside your castle [9].
  - Installing a firewall to limit access to affected systems. [10]
  - Frequently moving your princess between different castles [11].

Credit
------

  The vulnerability was originally discovered by Mario and Luigi, of Mario
  Bros. Security Research.

  The provided patch and this advisory were prepared by Lakitu Cloud
  Security, Inc. The hot patch was developed in collaboration with
  Ksplice, Inc. [12]

Product Overview
----------------

  Bowser's Castle is King Bowser's home and the base of operations
  for the Koopa Troop. Bowser's Castle is the final defense against
  assaults by Mario to kidnap Princess Peach, and is guarded by
  Bowser's most powerful minions. [13]

References
----------

 [1] http://tasvideos.org/1715M.html
 [2] http://en.wikipedia.org/wiki/Super_Mario_Bros.
 [3] http://en.wikipedia.org/wiki/Super_Mario_Bros.:_The_Lost_Levels
 [4] http://blog.ksplice.com/wp-content/uploads/2011/04/smb-1985-0001.patch
 [5] http://blog.ksplice.com/wp-content/uploads/2011/04/patch-smb-1985-0001.sh
 [6] http://www.mariowiki.com/Goomba
 [7] http://www.mariowiki.com/Koopa_Troopa
 [8] http://www.mariowiki.com/Bullet_Bill
 [9] http://www.mariowiki.com/Firebar
 [10] http://tvtropes.org/pmwiki/pmwiki.php/Main/YourPrincessIsInAnotherCastle
 [11] http://www.mariowiki.com/Poison_Mushrooms
 [12] http://www.ksplice.com/
 [13] http://www.mariowiki.com/Bowser%27s_Castle



[Full-disclosure] Whitepaper: Assessing Cloud Node Security

2011-04-01 Thread Context IS - Disclosure
Context Information Security have released a whitepaper on Assessing Cloud Node 
Security.

Synopsis:
Some major Cloud providers currently expose their clients’ data to the risk of 
compromise as a result of serious flaws in the implementation of their 
technologies. This is the key finding of a major new survey of the security of 
Cloud nodes completed by Context Information Security.

The growing trend in migrating systems to use Cloud infrastructure to take 
advantage of the cost savings and flexibility that this form of IT provision 
can offer has caused concern within the security community, because this 
virtual and dynamic environment creates a new threat landscape.

This whitepaper is the result of research undertaken by Context into the 
technical risks associated with Cloud computing infrastructure nodes. Context 
rented a range of Cloud nodes currently offered by the major providers and 
performed a review of their security, including the limitations imposed by 
providers on the types of technical security testing allowed to be performed.

The methodology, results, challenges and recommended mitigations are detailed 
in this whitepaper, which sets out best practices for securing Cloud nodes as 
an end user and will help end users to assess and reduce any associated risk to 
their systems. Information about the general security issues discovered in 
actual Cloud nodes has also been fed back to the providers to enable them to 
resolve these issues. 

Read the whitepaper in full at:
http://www.contextis.co.uk/resources/white-papers/assessing-cloud-node-security/


[Full-disclosure] WWWroot spring cleaning of neglected files

2011-04-01 Thread TOR

[ Tl;dr: do a cleanup, help create a web-scan jackpot DB ]


Ever temporarily uploaded/moved/created files in a directory accessible from 
the web? How many times have you left them there? Have you ever used a wwwroot 
to transfer DB's (even if through https) from one place to another? Ever used 
short filenames that you thought were kind-of-random for anyone to scan for? 
Read on.

I realize there are many 'web vulnerability scanners' out there with thousands 
of different variations of possibly interesting web queries and such. The 
reason I'm asking you all to contribute with ideas is that...

1) In practice, I found less usable results - especially in a plaintext dump - 
than I expected (including dozens of weblogs).
2) Many of these 'lists' contain too much obsolete junk that makes it 
unrealistic to use in a mass-scan on a larger local network (or the internet, 
which is not my aim by the way).
3) I hope to compile a list of neat locations that do not yet appear in any web 
scanner databases, but are still worth mentioning and looking for.

The best way to contribute would be - after anything valid that comes to mind - 
to go and check out your wwwroots, do a spring cleaning and share whatever file 
or directory name you found and removed that is likely used on other servers 
and could be of interest to an 'attacker'.

Mainly looking for:
- test, backup scripts
- DB/www backups
- source code in general
- temporary dirs for file sharing

Leave out obvious and application-specific stuff (already out there in all 
scanners)
- /admin
- /phpmyadmin
- /robots.txt
- /cgi-bin
- /scripts

Leave out generic ones (that will generate 'false positives' too often)
- /help
- /info
- /stat
- /doc
- /list
- /upload

A few ideas off the top of my head (I expect better from you guys :))
- /intranet
- /backup
- /backup(s).asp/php/py
- /database, /dbase, /dbs, /db, /_db, /save
- /backup.tgz, /backup.tar.gz, /backup.zip, /backup.rar
- /www.tgz, /www.tar.gz, /www.zip, /www.rar
- /db.tgz, /db.tar.gz, /db.zip, /db.rar
- /sql.tgz, /sql.tar.gz, /sql.zip, /sql.rar
- /user.sql, /users.sql, /customer.sql, /db.sql, /data.sql, /dump.sql
- /dump, /dump.tgz, /dump.tar.gz, /dump.rar
- [hostname].tgz, [hostname].tar.gz, [hostname].zip, [hostname].rar
- /sql, /sqlbackup
- /inc, /include, /includes
- /a, /b, /c etc...
- /1, /2, /3, /4 etc...
- /2000, /2001, /2002, /2003, etc...
- /log.txt, /log, /logs, /weblog, /weblogs
- /zip, /zipfiles
- /htaccess.txt, /htpasswd.txt
- /manage
- /tmp
- /uploads
- /beta
- /test
- /excel, /xls
- /xml
- /www-sql
- /prv, /priv, /privat, /private
- /config, /configs
- /accounts
- /config.inc
- /index.phps
- /moderator, /moderators
- /useradmin, /dbadmin
- /dynamic
- /api
- /employees
- /fileadmin
- /hidden, /secret
- /shadow, /master.passwd, /pwd.db
- /.bash_history, /.history, /.mc, /.ssh
- /work
- /billing
- /auth.txt, /login.txt

After a few good replies and ideas, I would like to see anyone with access to a 
larger network with many webservers to do a scan (legally, of course) and 
provide statistics on success and false positives. I will do the same (unless 
this ends in a big FAIL / trollfest / flamewar - which is no doubt a 
possibility). I am also interested to hear what programs (out of the many) you 
use to scan webservers and why.

My apologies if such a thread has been posted here already or if I'm missing 
something obvious (in any case, links and resources are welcome of course).

Kind regards,
http://tor.hu



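The scan the post asks readers to run, together with the false-positive check it asks for statistics on, as an added example. This is hypothetical code written for this thread, not a tool from the post or from tor.hu. It expands a subset of the names listed above (including the [hostname].tgz style entries), probes each one, and then separates real hits from "soft-404" servers that answer 200 to everything by comparing each body against the body served for a random path that cannot exist. The target URL, the User-Agent string, the response bodies used in the offline fake fetchers, and all function names are assumptions; the fetch function is injectable so the sorting logic can be exercised without touching a network, and the default urllib fetcher is only for hosts you are authorised to scan.

```python
import hashlib
import secrets
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

# Hypothetical scanner written for this thread; not a tool from the post.
ARCHIVE_EXTS = (".tgz", ".tar.gz", ".zip", ".rar")

Response = Tuple[int, bytes]          # (HTTP status, body prefix)
Fetcher = Callable[[str], Response]   # url -> Response


def build_wordlist(base_url: str) -> List[str]:
    """Expand a subset of the thread's candidate names for one target,
    including the [hostname].tgz style entries that depend on the host."""
    host = urlsplit(base_url).hostname or ""
    paths = {"/backup", "/database", "/dump", "/sql", "/tmp", "/test",
             "/.ssh", "/.bash_history", "/htpasswd.txt", "/config.inc",
             "/index.phps"}
    for stem in ("backup", "www", "db", "sql", "dump", host):
        if stem:
            paths.update(f"/{stem}{ext}" for ext in ARCHIVE_EXTS)
    paths.update(f"/{name}.sql" for name in ("user", "users", "db", "data", "dump"))
    return sorted(paths)


def default_fetch(url: str) -> Response:
    """Plain GET that reports 4xx/5xx as ordinary (status, body) pairs."""
    req = urllib.request.Request(url, headers={"User-Agent": "leftover-scan/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(65536)
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536)


def scan(base_url: str, paths: List[str],
         fetch: Fetcher = default_fetch) -> Dict[str, List[str]]:
    """Probe each path and sort 200 responses into real hits and soft-404s.

    Soft-404 detection: first request a random path that cannot exist. If
    the server answers 200 to it, any wordlist entry whose body hashes the
    same as that baseline is a catch-all page, not a leftover file.
    """
    probe = urljoin(base_url, "/" + secrets.token_hex(8))
    baseline_status, baseline_body = fetch(probe)
    baseline_digest = hashlib.sha256(baseline_body).hexdigest()

    hits: List[str] = []
    soft404: List[str] = []
    for path in paths:
        status, body = fetch(urljoin(base_url, path))
        if status != 200:
            continue                      # 401/403/404 etc. are not finds
        if baseline_status == 200 and hashlib.sha256(body).hexdigest() == baseline_digest:
            soft404.append(path)
        else:
            hits.append(path)
    return {"hits": hits, "soft404": soft404}


if __name__ == "__main__":
    import sys
    target = sys.argv[1]                  # e.g. http://intranet.example (authorised targets only)
    result = scan(target, build_wordlist(target))
    for path in result["hits"]:
        print("candidate leftover:", path)
    print(f"{len(result['soft404'])} entries matched the soft-404 baseline")
```

The exact-hash comparison is deliberately strict: a catch-all page that echoes the requested path into its body will differ from the baseline and still show up as a hit, so on such servers a length or similarity threshold is the next refinement. Anything returning 401 or 403 is skipped here, although a 403 on /backup.tgz is itself worth noting, since it tells you the file exists.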


Re: [Full-disclosure] INSECT Pro 2.5 Release - Web scanner tool

2011-04-01 Thread Esteban Cañizal
Yes, I do agree with you! Everybody can comment and disagree as much as
they wish. What I am trying to say is that there is a bunch of
people that always complain about the same things that have
already been answered; if you decided you don't like the tool, just don't
use it and find a better one, at least that is what I usually do. I
read the same people saying the same things that were said when
the tool was released (1.0).

-- 
Esteban Cañizal



Re: [Full-disclosure] ZDI-11-041: (0day) Multiple Browser Node Processing Stack Overflow Vulnerability

2011-04-01 Thread Christian Sciberras
Hahahah.

Re: [Full-disclosure] Vulnerabilities in MaxSite Anti Spam Image for WordPress

2011-04-01 Thread MustLive
Hello Valdis!

The one thing which John didn't miss, for sure, is getting into my
blacklist, as I already informed him earlier today.

Because that's what I always do with e-mails from non-serious people. I drew
attention to it many times last year, but maybe John missed it or just
forgot :-). But from today he'll certainly know it.

On the other hand, it's possible that he's celebrating April Fools' Day all
year long ;-). In any case, we wish him good luck in celebrating the 1st
of April - his favorite and professional holiday.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

- Original Message - 
From: valdis.kletni...@vt.edu
To: John Belushae john.belus...@gmail.com
Cc: MustLive mustl...@websecurity.com.ua;
full-disclosure@lists.grok.org.uk
Sent: Friday, April 01, 2011 4:04 PM
Subject: Re: [Full-disclosure] Vulnerabilities in MaxSite Anti Spam Image
for WordPress


On Thu, 31 Mar 2011 23:35:50 +1100, John Belushae said:

 I want to warm you about Insufficient Content Filtering on FD.

Dude, you missed by 24 minutes and 10 seconds...




Re: [Full-disclosure] The US Government Officially Confirms the Existence of Extraterrestrial Civilizations

2011-04-01 Thread Cal Leeming
Yeah, but I still fell for it.. April Fools' was one of those things that I
kinda grew out of, lol, yet the rest of the world still seems to do it..  :S


Re: [Full-disclosure] BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload

2011-04-01 Thread Tavis Ormandy
On Fri, Apr 01, 2011 at 05:34:18AM -0400, Jeffrey Walton wrote:
 On Fri, Apr 1, 2011 at 4:00 AM, Tavis Ormandy tav...@cmpxchg8b.com wrote:
  BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested 
  payload
  ---
 
 Isn't this OK as long as the evil bit (RFC 3514) is not set?

I get the joke, but to be clear, this is not an April Fools' prank :-)

Tavis.

-- 
-
tav...@cmpxchg8b.com | pgp encrypted mail preferred
---



Re: [Full-disclosure] Vulnerabilities in MaxSite Anti Spam Image for WordPress

2011-04-01 Thread Thor (Hammer of God)
MustLive - just for the record, no one cares about who you blacklist or not.
No one cares who anyone blacklists. If you blacklist someone, but then go out
of your way to publicly tell everyone else that you've blacklisted them, you
sound like a 12-year-old yelling last words at someone from behind their
mommy's door before they slam it.

Just add them and be done with it...



Re: [Full-disclosure] Plumber Injection Attack in Bowser's Castle

2011-04-01 Thread Dan Kaminsky
Super Mario Brothers 2 is not vulnerable to this exploit, as it does not
ship with a Bowser.

It is possible to use the Plumber to inject Wart, but only during sleep(3).


Re: [Full-disclosure] Vulnerabilities in MaxSite Anti Spam Image for WordPress

2011-04-01 Thread Григорий Братислава
  Is hello full disclosure!!

  Is you see ! is call explanation mark is mean that I is mean
business!! I is like to warn you about blacklisting. Blacklisting is
really racialist!! In is early America, we is make fun of is people
like Snoop Dogg. Is was talk down to them: nigger go is clean up that
shit and is American paint face to mimic this and is call is this
Blackface. (http://en.wikipedia.org/wiki/Blackface) Is blacklist
originally is start from list of blackies in is written down. Meaning,
whities is say: is you see that nigger Nobama right there. Blacklist
is his ass and make is him clean the toilets. Then is go paint your
face and is act like him. Just is make sure is that is blacklisted.

  Is no polite to blacklist. Apologies to Thor, Valdis and others is
for Must Live. Must Live: Not an asshole must live


Re: [Full-disclosure] Plumber Injection Attack in Bowser's Castle

2011-04-01 Thread Zach C.
Lakitu Cloud Security, Inc. Heh. That is an awesome company name actually.

On Apr 1, 2011 8:46 AM, Nelson Elhage nelh...@ksplice.com wrote:
 Advisory Name: Plumber Injection Attack in Bowser's Castle
 Release Date: 2011-04-01
 Application: Bowser's Castle
 Versions: Super Mario Bros., Super Mario Bros.: The Lost Levels
 Identifier: SMB-1985-0001
 Advisory: http://blog.ksplice.com/2011/04/smb-1985-0001-advisory/

 ---

 Vulnerability Overview
 --

 Multiple versions of Bowser's Castle are vulnerable to a plumber injection
 attack. An Italian plumber could exploit this bug to bypass security
measures
 (walk through walls) in order to rescue Peach, to defeat Bowser, or for
 unspecified other impact.

 Exploit
 ---

 http://www.youtube.com/watch?v=rGshxZ1dYjA

 This vulnerability is demonstrated by
 happylee-supermariobros,warped.fm2 [1]. Attacks using this
 exploit have been observed in the wild, and multiple other exploits
 are publicly available.

 Affected Versions
 -

 Versions of Bowser's Castle as shipped in Super Mario Bros. [2] and Super
 Mario Bros.: The Lost Levels [3] are affected.

 Solution
 

 http://www.youtube.com/watch?v=nacFU7ozeZA

 An independently developed patch [4] is available.

 A binary hot patch [5] to apply the update to an existing version is also
 available.

 All users are advised to upgrade.

 Mitigations
 ---

 For users unable to apply the recommended fix, a number of
 mitigations are possible to reduce the impact of the vulnerability.

 NOTE THAT NO MITIGATION IS BELIEVED TO BE COMPLETELY EFFECTIVE.

 Potential mitigations include:

 - Employing standard defense-in-depth strategies incorporating
 multiple layers of defense, including Goombas [6], Koopa Troopas [7],
 Bullet Bills [8], and others.
 - Installing poison mushrooms outside your castle [9].
 - Installing a firewall to limit access to affected systems. [10]
 - Frequently moving your princess between different castles [11].

 Credit
 --

 The vulnerability was originally discovered by Mario and Luigi, of Mario
 Bros. Security Research.

 The provided patch and this advisory were prepared by Lakitu Cloud
 Security, Inc. The hot patch was developed in collaboration with
 Ksplice, Inc. [12]

 Product Overview
 

 Bowser's Castle is King Bowser's home and the base of operations
 for the Koopa Troop. Bowser's Castle is the final defense against
 assaults by Mario to kidnap Princess Peach, and is guarded by
 Bowser's most powerful minions. [13]

 References
 --

 [1] http://tasvideos.org/1715M.html
 [2] http://en.wikipedia.org/wiki/Super_Mario_Bros.
 [3] http://en.wikipedia.org/wiki/Super_Mario_Bros.:_The_Lost_Levels
 [4] http://blog.ksplice.com/wp-content/uploads/2011/04/smb-1985-0001.patch
 [5] http://blog.ksplice.com/wp-content/uploads/2011/04/patch-smb-1985-0001.sh
 [6] http://www.mariowiki.com/Goomba
 [7] http://www.mariowiki.com/Koopa_Troopa
 [8] http://www.mariowiki.com/Bullet_Bill
 [9] http://www.mariowiki.com/Firebar
 [10] http://tvtropes.org/pmwiki/pmwiki.php/Main/YourPrincessIsInAnotherCastle
 [11] http://www.mariowiki.com/Poison_Mushrooms
 [12] http://www.ksplice.com/
 [13] http://www.mariowiki.com/Bowser%27s_Castle


Re: [Full-disclosure] INSECT Pro 2.5 Release - Web scanner tool

2011-04-01 Thread Mario Vilas
Actually, when the tool was originally released it wasn't free (strings
attached or not), but they tried to charge $500 per license as a closed
source product.

http://seclists.org/fulldisclosure/2010/Sep/283

So at any rate some people have been complaining over and over about the use
of the word free since version 2.0.

http://seclists.org/fulldisclosure/2011/Jan/504

BTW I do not mind people making yet another UI for Metasploit, but this
free but not free thing creates a dishonest image that could have easily
been avoided by following the same practice every other donationware
follows: let users download it freely and decide whether to donate or not
based on their experience with the software.

On Fri, Apr 1, 2011 at 12:36 PM, Esteban Cañizal este...@canizal.com.ar wrote:

 Yes I do agree with you! Everybody can comment and disagree as much as
 they wish. What I am trying to say is that there is a bunch of
 people that always complain about the same things that have been
 already answered. If you decided you don't like the tool just don't
 use it and find a better one; at least that is what I usually do. I
 read the same people saying the same things that have been said when
 the tool was released (1.0).

 --
 Esteban Cañizal





-- 
“My daughter was asked by a little old lady in a London hotel restaurant
what her daddy did - she answered, ‘He’s a pirate.’ I was very proud of that
answer.”
- *Johnny Depp*

[Full-disclosure] Microsoft VISTA TCP/IP heap buffer underflow

2011-04-01 Thread J. Oquendo

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
Microsoft VISTA TCP/IP heap buffer underflow

Summary
- -
Microsoft Device IO Control wrapped by an API shipping with Windows
Vista 32 bit and 64 bit contains a possibly exploitable, buffer
underflow corrupting kernel memory.


Affected Systems
- -

Using the sample proof of concept, it was possible to verify this
issue on the following operating systems and configurations:

* Microsoft Windows Vista Ultimate 32 bit

It is very likely that other versions of Windows Vista are affected by
this issue.

This issue did not occur on Windows XP, Windows 2003 Advanced Server,
Windows 2008 Server nor Windows Millennium Edition.

Re-installation of Service Pack 1 and/or upgrading to SP2 had any
effect in regard to resolving the random crashes.

To execute either the sample program or any other system command, the
user has to be either the admin, in the admin group or the
Administrators group.

Since this buffer underflow never makes it to kernel memory, it could
be possible that propping up the underflow will make it overflow and
take control over the operating system without any restriction.

Remedy
- 
No remedy available at this time.

Reported
- 
This vulnerability is being reported now


Relevant
- 
934b7a5c 85aa6fe4  934b7ac4 837100ee tcpip!IppCreateUnicastRoute+0xf0
934b7ae8 85a5d121 0001 858b6278 84d74ce8 tcpip!IppValidateSetAllRouteParameters+0x217
934b7b64 85a18a29 836c134c  92a84a70 tcpip!Ipv4SetAllRouteParameters+0x1d1
934b7ba4 8a844551 0001 92a326b4  NETIO!NsiSetAllParametersEx+0xbd
934b7bf0 8a844eb8  836c1330 836c1378 nsiproxy!NsippSetAllParameters+0x1b1
934b7c14 8a844f91 92a32601  8371d290 nsiproxy!NsippDispatchDeviceControl+0x88
934b7c2c 818f0053 8590b448 92a32698 92a32698 nsiproxy!NsippDispatch+0x33
934b7c44 81a80515 8371d290 92a32698 92a32708 nt!IofCallDriver+0x63
934b7c64 81a80cba 8590b448 8371d290 0027f700 nt!IopSynchronousServiceTail+0x1d9
934b7d00 81a6a98e 8590b448 92a32698  nt!IopXxxControlFile+0x6b7
934b7d34 8188ba7a 0044 0048  nt!NtDeviceIoControlFile+0x2a
934b7d34 77529a94 0044 0048  nt!KiFastCallEntry+0x12a
0027f68c 77528444 777214b9 0044 0048 ntdll!KiFastSystemCallRet
0027f690 777214b9 0044 0048  ntdll!ZwDeviceIoControlFile+0xc

 Disassembly with commands 

mov edi,edi
push ebp
mov ebp,esp
push edi
mov edi,dword ptr [ebp+8]
lea eax,[ebp+8]
push eax
push dword ptr [edi+4]
push 18h
call NOMNOM!RtlULongAdd (85a1675d)
test eax,eax
jl OMNOM!PtpCreateNOM+0x1b
push esi
push 74704D4Eh
push dword ptr [ebp+8] ; = 0x0020
push 0
call ExAllocatePoolWithTag ; eax = ExAllocatePoolWithTag(0, 0x20, 0x74704D4E, esi);
mov esi,eax ; = 0x83716380 allocated buffer address
test esi,esi
je NOM!CreateOMNOM+0x6d
push dword ptr [ebp+8] ; = 0x0020
push 0
push esi ; 0x83716380 allocated buffer address
call NOM!memset (85a10543) ; memset((char*)0x83716380, 0, 0x20)
mov eax,dword ptr [ebp+14h]
mov dword ptr [esi],eax
mov eax,dword ptr [ebp+18h]
mov dword ptr [esi+0Ch],eax
mov dword ptr [eax],esi
mov eax,dword ptr [ebp+0Ch]
and word ptr [esi+14h],0
add esp,0Ch
push eax ; = 0x837100ee
lea eax,[esi+18h] ; esi unchanged, holds the alloc. buffer address (=0x83716380)
push eax ; = 0x83716398 add offset of 0x18 bytes to the allocated buffer
inc dword ptr [edi+8]
mov eax,esi
pop esi
pop edi
pop ebp
ret 14h
nop
nop
nop
om
nom
nom


- -- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP

It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently. - Warren Buffett

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x2BF7D83F210A95AF
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 
iD8DBQFNlhDEK/fYPyEKla8RAnWXAJ0XaB/D0Cd0eYt+6Vd00Tx6RYsRmQCfWwGk
QGt6mpCUiDKXxhCdg5xpi7M=
=pjws
-END PGP SIGNATURE-



Re: [Full-disclosure] Microsoft VISTA TCP/IP heap buffer underflow

2011-04-01 Thread Thor (Hammer of God)
Just so that I understand correctly, are you reporting that if one is logged on 
as the administrator, it may be possible to execute this exploit in order to 
take over the machine?

t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of J. Oquendo
Sent: Friday, April 01, 2011 10:52 AM
To: bugt...@securityfocus.com
Cc: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Microsoft VISTA TCP/IP heap buffer underflow



[Full-disclosure] [ MDVSA-2011:059 ] ffmpeg

2011-04-01 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2011:059
 http://www.mandriva.com/security/
 ___

 Package : ffmpeg
 Date: April 1, 2011
 Affected: Corporate 4.0
 ___

 Problem Description:

 Multiple vulnerabilities have been identified and fixed in ffmpeg:
 
 Multiple integer underflows in FFmpeg 0.5 allow remote attackers to
 cause a denial of service and possibly execute arbitrary code via a
 crafted file that (1) bypasses a validation check in vorbis_dec.c
 and triggers a wraparound of the stack pointer, or (2) access a
 pointer from out-of-bounds memory in mov.c, related to an elst tag
 that appears before a tag that creates a stream. (CVE-2009-4634)
 
 FFmpeg 0.5 allows remote attackers to cause a denial of service and
 possibly execute arbitrary code via a crafted MOV container with
 improperly ordered tags that cause (1) mov.c and (2) utils.c to use
 inconsistent codec types and identifiers, which causes the mp3 decoder
 to process a pointer for a video structure, leading to a stack-based
 buffer overflow. (CVE-2009-4635)
 
 The av_rescale_rnd function in the AVI demuxer in FFmpeg 0.5 allows
 remote attackers to cause a denial of service (crash) via a crafted
 AVI file that triggers a divide-by-zero error. (CVE-2009-4639)
 
 And several additional vulnerabilities originally discovered by Google
 Chrome developers were also fixed with this advisory.
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4634
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4635
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4639
 ___

 Updated Packages:

 Corporate 4.0:
 91862db1638f9bf513cba7b9896255f7  
corporate/4.0/i586/ffmpeg-0.4.9-0.pre1.5.5.20060mlcs4.i586.rpm
 db9ae743d2044534563de66c42f78682  
corporate/4.0/i586/libffmpeg0-0.4.9-0.pre1.5.5.20060mlcs4.i586.rpm
 22c09e614168dc4f18ca7bfc2a47a01d  
corporate/4.0/i586/libffmpeg0-devel-0.4.9-0.pre1.5.5.20060mlcs4.i586.rpm 
 9a07a4bbf39f8d290bf3b3525fc6c3a5  
corporate/4.0/SRPMS/ffmpeg-0.4.9-0.pre1.5.5.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 0446e21fde8d89c0da889306c462908a  
corporate/4.0/x86_64/ffmpeg-0.4.9-0.pre1.5.5.20060mlcs4.x86_64.rpm
 56242d230f030635f231d25f74ee8e10  
corporate/4.0/x86_64/lib64ffmpeg0-0.4.9-0.pre1.5.5.20060mlcs4.x86_64.rpm
 baf11eccdec3db1aab931626d4bf1ef8  
corporate/4.0/x86_64/lib64ffmpeg0-devel-0.4.9-0.pre1.5.5.20060mlcs4.x86_64.rpm 
 9a07a4bbf39f8d290bf3b3525fc6c3a5  
corporate/4.0/SRPMS/ffmpeg-0.4.9-0.pre1.5.5.20060mlcs4.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFNlfE7mqjQ0CJFipgRAjShAJ9+WFp0MtozRAP8nICGyv0wIwlrxwCgtHtq
uF+AD+fmE89UMwnzAiWiSkE=
=pNTn
-END PGP SIGNATURE-

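The advisory's upgrade instructions rely on the md5 list above being checked against what was actually downloaded before anything is installed. The script below is an added example, not Mandriva's own tooling: it assumes md5sum(1) is on the path and takes a manifest written in the advisory's own "md5  path" line format, checks each listed file in a local download directory, and reports OK, MISMATCH or MISSING per entry, returning non-zero if any entry failed.

```shell
#!/bin/sh
# Added example (not Mandriva's tooling): verify downloaded update packages
# against the md5 list published in an advisory before installing them.
# Assumes md5sum(1) is available. The manifest is the advisory's
# "md5  path" lines pasted into a file, e.g.:
#  91862db1638f9bf513cba7b9896255f7  corporate/4.0/i586/ffmpeg-....i586.rpm

# verify_manifest MANIFEST DIR
# Prints one line per manifest entry (OK / MISMATCH / MISSING) and returns
# 1 if any entry is not OK, 0 otherwise. Only the basename of the advisory
# path is used, since the mirror layout is not reproduced locally.
verify_manifest() {
    manifest=$1
    dir=$2
    status=0
    # read(1) splits on whitespace, so the leading space and the double
    # space between hash and path in the advisory format are harmless.
    while read -r expected path; do
        [ -n "$expected" ] || continue        # skip blank lines
        file="$dir/$(basename "$path")"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (got $actual)"
            status=1
        fi
    done < "$manifest"
    return $status
}

# usage: verify_manifest advisory-md5.txt ./downloads && urpmi ./downloads/*.rpm
```

The md5 comparison only catches corruption or a swapped file on the mirror; it is the GPG signature check the advisory also mentions (rpm --checksig against the 0x22458A98 key fetched with the gpg command above) that establishes the package was produced by Mandriva, so the two checks are complementary, not alternatives.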


Re: [Full-disclosure] ZDI-11-041: (0day) Multiple Browser Node Processing Stack Overflow Vulnerability

2011-04-01 Thread McGhee, Eddie
I bet heidi did all the LEG work.. heh
Eddie McGhee
Retail TSS GB114/GB115/GB116
NCR Corporation
phone: +44 (0) 1698 838068
eddie.mcg...@ncr.com | www.ncr.com



From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Christian 
Sciberras
Sent: 01 April 2011 16:43
To: ZDI Disclosures
Cc: full-disclosure@lists.grok.org.uk; bugt...@securityfocus.com
Subject: Re: [Full-disclosure] ZDI-11-041: (0day) Multiple Browser Node 
Processing Stack Overflow Vulnerability

Hahahah.





On Fri, Apr 1, 2011 at 5:28 PM, ZDI Disclosures zdi-disclosu...@tippingpoint.com wrote:
ZDI-11-041: (0day) Multiple Browser Node Processing Stack Overflow Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-911

April 1, 2011

-- CVE ID:
CVE-C000-00FD

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Microsoft
Google
Mikul
Apple
ISC

-- Affected Products:
Microsoft Internet Explorer
Google Chrome
Mikul Links
Apple Safari
ISC Lynx

-- Vulnerability Details:
Multiple vulnerabilities allow remote attackers to remotely terminate
mission critical web applications on vulnerable installations of Apple
Safari, Microsoft Internet Explorer, Google Chrome, Mikul Links, and ISC
Lynx. User interaction is required to exploit this vulnerability in that
the target must visit a malicious page or open a malicious file.

The flaws exist within the handling of node attributes, specifically
nodes with large quantities of attributes or large values within such
nodes. When handling these objects, several functions are called
recursively for each value defined within. The functions use a
shared memory region referred to internally as the stack. The size of
the stack is not properly verified during processing, which can result in
the consumption of all of its available address space. This process is
extremely exhausting for the application and it cannot continue
functioning. A remote attacker can exploit this vulnerability to
terminate web applications under the context of the Internet.

-- Vendor Response:
Vendors claimed to be unable to respond due to unexpected browser termination 
upon accessing web form.

-- Disclosure Timeline:
2011-04-01 - Vulnerability reported to vendor
2011-04-01 - Public release of advisory

-- Credit:
This vulnerability was discovered by:
   * Spencer Pratt

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

   http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

   http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

   http://twitter.com/thezdi


Re: [Full-disclosure] The US Government Officially Confirms the Existence of Extraterrestrial Civilizations

2011-04-01 Thread Dan Becker
Talk about food for the birthers

- Message from teckl...@securitylab.ru -
 Date: Fri, 1 Apr 2011 13:50:13 +0300
 From: Valery Marchuk teckl...@securitylab.ru
  Subject: [Full-disclosure] The US Government Officially Confirms the  
Existence of Extraterrestrial Civilizations
   To: full-disclosure@lists.grok.org.uk


 Hi!
 Tremendous news has recently been published on the official websites of
 NASA and NATO. President of the USA Barack Obama revealed to all mankind that
 the government of the USA along with governments of many other countries
 have been cooperating with extraterrestrial civilizations for almost 40
 years. Owing to this cooperation, the people on Earth were granted
 access to new technologies, cures for many diseases and the means to reach
 outer space.

 Right now, the US government possesses 5 cruisers that can travel in
 subspace and reach other galaxies millions of light-years away. Barack Obama
 himself assures that there is no danger coming from the
 extraterrestrial civilizations.

 More information with prooflinks on SecurityLab.ru:

 Russian: http://www.securitylab.ru/news/405274.php

 English: http://www.securitylab.ru/news/405276.php



 BR,

 Valery Marchuk

 www.SecurityLab.ru






- End message from teckl...@securitylab.ru -



--Dan



[Full-disclosure] [ MDVSA-2011:060 ] ffmpeg

2011-04-01 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2011:060
 http://www.mandriva.com/security/
 ___

 Package : ffmpeg
 Date: April 1, 2011
 Affected: 2009.0, Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities have been identified and fixed in ffmpeg:
 
 oggparsevorbis.c in FFmpeg 0.5 does not properly perform certain
 pointer arithmetic, which might allow remote attackers to obtain
 sensitive memory contents and cause a denial of service via a crafted
 file that triggers an out-of-bounds read. (CVE-2009-4632)
 
 vorbis_dec.c in FFmpeg 0.5 uses an assignment operator when a
 comparison operator was intended, which might allow remote attackers
 to cause a denial of service and possibly execute arbitrary code via
 a crafted file that modifies a loop counter and triggers a heap-based
 buffer overflow. (CVE-2009-4633)
 
 Multiple integer underflows in FFmpeg 0.5 allow remote attackers to
 cause a denial of service and possibly execute arbitrary code via a
 crafted file that (1) bypasses a validation check in vorbis_dec.c
 and triggers a wraparound of the stack pointer, or (2) access a
 pointer from out-of-bounds memory in mov.c, related to an elst tag
 that appears before a tag that creates a stream. (CVE-2009-4634)
 
 FFmpeg 0.5 allows remote attackers to cause a denial of service and
 possibly execute arbitrary code via a crafted MOV container with
 improperly ordered tags that cause (1) mov.c and (2) utils.c to use
 inconsistent codec types and identifiers, which causes the mp3 decoder
 to process a pointer for a video structure, leading to a stack-based
 buffer overflow. (CVE-2009-4635)
 
 The av_rescale_rnd function in the AVI demuxer in FFmpeg 0.5 allows
 remote attackers to cause a denial of service (crash) via a crafted
 AVI file that triggers a divide-by-zero error. (CVE-2009-4639)
 
 Array index error in vorbis_dec.c in FFmpeg 0.5 allows remote
 attackers to cause a denial of service and possibly execute arbitrary
 code via a crafted Vorbis file that triggers an out-of-bounds
 read. (CVE-2009-4640)
 
 flicvideo.c in libavcodec 0.6 and earlier in FFmpeg, as used in MPlayer
 and other products, allows remote attackers to execute arbitrary code
 via a crafted flic file, related to an arbitrary offset dereference
 vulnerability. (CVE-2010-3429)
 
 libavcodec/vorbis_dec.c in the Vorbis decoder in FFmpeg 0.6.1
 and earlier allows remote attackers to cause a denial of service
 (application crash) via a crafted .ogg file, related to the
 vorbis_floor0_decode function. (CVE-2010-4704)
 
 And several additional vulnerabilities originally discovered by Google
 Chrome developers were also fixed with this advisory.
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4632
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4633
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4634
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4635
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4639
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4640
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3429
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4704
 ___

 Updated Packages:

 Mandriva Linux 2009.0:
 35b8598a8ba305854c81884350072070  
2009.0/i586/ffmpeg-0.4.9-3.pre1.14161.1.4mdv2009.0.i586.rpm
 537c6ed300c14bd4c6dac8b9ea98349a  
2009.0/i586/libavformats52-0.4.9-3.pre1.14161.1.4mdv2009.0.i586.rpm
 847b11c0bb86959f9712cb2beced7648  
2009.0/i586/libavutil49-0.4.9-3.pre1.14161.1.4mdv2009.0.i586.rpm
 6bad47923019bdd3e17209956955919e  
2009.0/i586/libffmpeg51-0.4.9-3.pre1.14161.1.4mdv2009.0.i586.rpm
 c49eeeda4be62fdcc57b0b42eff2005b  
2009.0/i586/libffmpeg-devel-0.4.9-3.pre1.14161.1.4mdv2009.0.i586.rpm
 c06661882ab8613b23712898751856af  
2009.0/i586/libffmpeg-static-devel-0.4.9-3.pre1.14161.1.4mdv2009.0.i586.rpm
 a9ef39faaa7a3054c846471ed95510a1  
2009.0/i586/libswscaler0-0.4.9-3.pre1.14161.1.4mdv2009.0.i586.rpm 
 c8cf3cef711e1a6d51bcb666030e1f42  
2009.0/SRPMS/ffmpeg-0.4.9-3.pre1.14161.1.4mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 03d2549605505e1c22ebb95d83b2657b  
2009.0/x86_64/ffmpeg-0.4.9-3.pre1.14161.1.4mdv2009.0.x86_64.rpm
 b4e51f531b91947b68224adb0b7da78b  
2009.0/x86_64/lib64avformats52-0.4.9-3.pre1.14161.1.4mdv2009.0.x86_64.rpm
 304a2ba3024d20e6c61d499d9d77daa0  

[Full-disclosure] [ MDVSA-2011:061 ] ffmpeg

2011-04-01 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2011:061
 http://www.mandriva.com/security/
 ___

 Package : ffmpeg
 Date: April 1, 2011
 Affected: 2010.0
 ___

 Problem Description:

 Multiple vulnerabilities have been identified and fixed in ffmpeg:
 
 oggparsevorbis.c in FFmpeg 0.5 does not properly perform certain
 pointer arithmetic, which might allow remote attackers to obtain
 sensitive memory contents and cause a denial of service via a crafted
 file that triggers an out-of-bounds read. (CVE-2009-4632)
 
 vorbis_dec.c in FFmpeg 0.5 uses an assignment operator when a
 comparison operator was intended, which might allow remote attackers
 to cause a denial of service and possibly execute arbitrary code via
 a crafted file that modifies a loop counter and triggers a heap-based
 buffer overflow. (CVE-2009-4633)
 
 Multiple integer underflows in FFmpeg 0.5 allow remote attackers to
 cause a denial of service and possibly execute arbitrary code via a
 crafted file that (1) bypasses a validation check in vorbis_dec.c
 and triggers a wraparound of the stack pointer, or (2) access a
 pointer from out-of-bounds memory in mov.c, related to an elst tag
 that appears before a tag that creates a stream. (CVE-2009-4634)
 
 FFmpeg 0.5 allows remote attackers to cause a denial of service and
 possibly execute arbitrary code via a crafted MOV container with
 improperly ordered tags that cause (1) mov.c and (2) utils.c to use
 inconsistent codec types and identifiers, which causes the mp3 decoder
 to process a pointer for a video structure, leading to a stack-based
 buffer overflow. (CVE-2009-4635)
 
 FFmpeg 0.5 allows remote attackers to cause a denial of service (hang)
 via a crafted file that triggers an infinite loop. (CVE-2009-4636)
 
 The av_rescale_rnd function in the AVI demuxer in FFmpeg 0.5 allows
 remote attackers to cause a denial of service (crash) via a crafted
 AVI file that triggers a divide-by-zero error. (CVE-2009-4639)
 
 Array index error in vorbis_dec.c in FFmpeg 0.5 allows remote
 attackers to cause a denial of service and possibly execute arbitrary
 code via a crafted Vorbis file that triggers an out-of-bounds
 read. (CVE-2009-4640)
 
 flicvideo.c in libavcodec 0.6 and earlier in FFmpeg, as used in MPlayer
 and other products, allows remote attackers to execute arbitrary code
 via a crafted flic file, related to an arbitrary offset dereference
 vulnerability. (CVE-2010-3429)
 
 Fix memory corruption in WMV parsing (CVE-2010-3908)
 
 libavcodec/vorbis_dec.c in the Vorbis decoder in FFmpeg 0.6.1
 and earlier allows remote attackers to cause a denial of service
 (application crash) via a crafted .ogg file, related to the
 vorbis_floor0_decode function. (CVE-2010-4704)
 
 Multiple buffer overflows in vorbis_dec.c in the Vorbis decoder
 in FFmpeg, as used in Google Chrome before 8.0.552.237 and Chrome
 OS before 8.0.552.344, allow remote attackers to cause a denial of
 service (memory corruption and application crash) or possibly have
 unspecified other impact via a crafted WebM file, related to buffers
 for (1) the channel floor and (2) the channel residue. (CVE-2011-0480)
 
 Fix heap corruption crashes (CVE-2011-0722)
 
 Fix invalid reads in VC-1 decoding (CVE-2011-0723)
 
 And several additional vulnerabilities originally discovered by Google
 Chrome developers were also fixed with this advisory.
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4632
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4633
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4634
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4635
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4636
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4639
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4640
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3429
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3908
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4704
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0480
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0722
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0723
 ___

 Updated Packages:

 Mandriva Linux 2010.0:
 6b1e936c3c14b4ecdfb8760cfde7ce11  2010.0/i586/ffmpeg-0.5.4-0.1mdv2010.0.i586.rpm
 92fd61671352949e0cb90931fa8addd8  2010.0/i586/libavformats52-0.5.4-0.1mdv2010.0.i586.rpm
 aa5eff0402855d3702e3fda5f0c38d13  2010.0/i586/libavutil49-0.5.4-0.1mdv2010.0.i586.rpm
 

[Full-disclosure] [ MDVSA-2011:062 ] ffmpeg

2011-04-01 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2011:062
 http://www.mandriva.com/security/
 ___

 Package : ffmpeg
 Date: April 1, 2011
 Affected: 2010.1
 ___

 Problem Description:

 Multiple vulnerabilities have been identified and fixed in ffmpeg:
 
 FFmpeg 0.5 allows remote attackers to cause a denial of service (hang)
 via a crafted file that triggers an infinite loop. (CVE-2009-4636)
 
 flicvideo.c in libavcodec 0.6 and earlier in FFmpeg, as used in MPlayer
 and other products, allows remote attackers to execute arbitrary code
 via a crafted flic file, related to an arbitrary offset dereference
 vulnerability. (CVE-2010-3429)
 
 libavcodec/vorbis_dec.c in the Vorbis decoder in FFmpeg 0.6.1
 and earlier allows remote attackers to cause a denial of service
 (application crash) via a crafted .ogg file, related to the
 vorbis_floor0_decode function. (CVE-2010-4704)
 
 Fix heap corruption crashes (CVE-2011-0722)
 
 Fix invalid reads in VC-1 decoding (CVE-2011-0723)
 
 And several additional vulnerabilities originally discovered by Google
 Chrome developers were also fixed with this advisory.
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4636
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3429
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4704
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0722
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0723
 ___

 Updated Packages:

 Mandriva Linux 2010.1:
 b4db9e819fe581e61ad59225fe630a25  2010.1/i586/ffmpeg-0.6-0.22960.5.1mdv2010.2.i586.rpm
 b2ba7998b8549d1a0434d51ff76ddfed  2010.1/i586/libavformats52-0.6-0.22960.5.1mdv2010.2.i586.rpm
 ce8964529073304413e3591f8d0de20b  2010.1/i586/libavutil50-0.6-0.22960.5.1mdv2010.2.i586.rpm
 da9b5200a498933bd3a1e5e000937a90  2010.1/i586/libffmpeg52-0.6-0.22960.5.1mdv2010.2.i586.rpm
 64a5a0c59fba081b54f7538fd658f66f  2010.1/i586/libffmpeg-devel-0.6-0.22960.5.1mdv2010.2.i586.rpm
 e6fa096ebf765e1258a13bd578a8de68  2010.1/i586/libffmpeg-static-devel-0.6-0.22960.5.1mdv2010.2.i586.rpm
 4cc7830f9684161826518db3077ca207  2010.1/i586/libpostproc51-0.6-0.22960.5.1mdv2010.2.i586.rpm
 be1e63a9da0a1b48308390ce48dc30cb  2010.1/i586/libswscaler0-0.6-0.22960.5.1mdv2010.2.i586.rpm
 87155585e9ad3413d3210489a539a62f  2010.1/SRPMS/ffmpeg-0.6-0.22960.5.1mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 f26e9389ab90769c9d41379063b44052  2010.1/x86_64/ffmpeg-0.6-0.22960.5.1mdv2010.2.x86_64.rpm
 c1f7175cad48f46cfdd2b0d57c5f1d82  2010.1/x86_64/lib64avformats52-0.6-0.22960.5.1mdv2010.2.x86_64.rpm
 da8802f10ae716e344a85d27061716e2  2010.1/x86_64/lib64avutil50-0.6-0.22960.5.1mdv2010.2.x86_64.rpm
 abe637a5f54bf30b8738bc77d3a505cd  2010.1/x86_64/lib64ffmpeg52-0.6-0.22960.5.1mdv2010.2.x86_64.rpm
 528f1d86498f7c6d975aaa58c30715d6  2010.1/x86_64/lib64ffmpeg-devel-0.6-0.22960.5.1mdv2010.2.x86_64.rpm
 c77efb105b06ee700d1094e0f468bc6d  2010.1/x86_64/lib64ffmpeg-static-devel-0.6-0.22960.5.1mdv2010.2.x86_64.rpm
 2b46dcebe1a563aed2e9949f5869be8b  2010.1/x86_64/lib64postproc51-0.6-0.22960.5.1mdv2010.2.x86_64.rpm
 e1f77931ce1aa23bbc8f1b8f607548ff  2010.1/x86_64/lib64swscaler0-0.6-0.22960.5.1mdv2010.2.x86_64.rpm
 87155585e9ad3413d3210489a539a62f  2010.1/SRPMS/ffmpeg-0.6-0.22960.5.1mdv2010.2.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFNlhb3mqjQ0CJFipgRAn9IAJ9Yxk/y7oQNkzbAf0CXuET3XPRYYwCdF7V6
mAdlwouwYl64jARlHgI/M2w=
=AyKF
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] ZDI-11-114: RealNetworks Helix Server x-wap-profile Format String Remote Code Execution Vulnerability

2011-04-01 Thread Fly, Kate
ZDI-11-114: RealNetworks Helix Server x-wap-profile Format String Remote Code 
Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-114

April 1, 2011

-- CVE ID:
CVE-2010-4235

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
RealNetworks

-- Affected Products:
RealNetworks Helix Server

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10863. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Helix Server products. Authentication is not
required to exploit this vulnerability.

The specific flaw exists within the rmserver.exe process. This process
is active by default on all Helix Server installations. Due to a failure
to properly sanitize the contents of the 'x-wap-profile' header, it is
possible to provide malicious data that is passed directly to a format
string function. Remote attackers could leverage this vulnerability to
execute arbitrary code under the context of the SYSTEM user.

-- Vendor Response:
RealNetworks has issued an update to correct this vulnerability. More
details can be found at:

http://www.realnetworks.com/helix-support/security-updates.aspx

-- Disclosure Timeline:
2010-10-02 - Vulnerability reported to vendor
2011-04-01 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* defrost

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi

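The advisory above says the 'x-wap-profile' header value reaches a format string function unsanitized. The following is an added example written for this page, not RealNetworks or Helix Server code, that shows the hardening a defender applies to that class of bug: the header is always an argument to a fixed format string, never the format itself, and a small triage check flags header values carrying conversion directives. The function names `log_wap_profile` and `count_format_directives`, the 16-byte-free buffer layout and the sample header values are all constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hardened logging of a request header (added example, not Helix Server
 * code). The vulnerable pattern the advisory describes is the one-argument
 * form, roughly  snprintf(out, outlen, hdr);  with `hdr` taken straight
 * from the request, so any '%' directives in it are interpreted by the
 * formatter. Passing the header as an argument to a fixed format string
 * copies it verbatim instead. */
static int log_wap_profile(char *out, size_t outlen, const char *hdr)
{
    return snprintf(out, outlen, "x-wap-profile: %s", hdr);
}

/* Detection aid: count '%' sequences that printf would treat as a
 * conversion directive. A genuine x-wap-profile value is a URL to a UAProf
 * document. "%%" is a literal percent and is skipped; percent-encoded
 * URL bytes such as "%20" are still counted, so treat the result as a
 * triage signal, not a verdict. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" -> literal '%' */
            p++;
            continue;
        }
        if (p[1] != '\0')       /* lone trailing '%' is not a directive */
            n++;
    }
    return n;
}

/* Returns 1 when the safe logger leaves a directive-laden header
 * uninterpreted (constructed hostile sample). */
static int safe_logger_preserves_input(void)
{
    char buf[128];
    const char *hostile = "http://example.invalid/%s%s%n";
    log_wap_profile(buf, sizeof buf, hostile);
    return strcmp(buf, "x-wap-profile: http://example.invalid/%s%s%n") == 0;
}

int main(void)
{
    char buf[128];
    log_wap_profile(buf, sizeof buf, "http://example.invalid/profile.xml");
    printf("%s\n", buf);
    printf("directives in constructed hostile sample: %d\n",
           count_format_directives("AAAA%s%s%n"));
    printf("safe logger preserves input: %d\n", safe_logger_preserves_input());
    return 0;
}
```

Compilers flag the one-argument form with `-Wformat-security`; building with `-Werror=format-security` turns that warning into a hard error, which is the cheapest way to keep this pattern out of a code base.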


[Full-disclosure] ZDI-11-115: IBM solidDB solid.exe Authentication Bypass Remote Code Execution Vulnerability

2011-04-01 Thread ZDI Disclosures
ZDI-11-115: IBM solidDB solid.exe Authentication Bypass Remote Code Execution 
Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-115

April 1, 2011

-- CVSS:
9.3, (AV:N/AC:M/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
IBM

-- Affected Products:
IBM solidDB

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10984. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of IBM solidDB. Authentication is not required
to exploit this vulnerability. 

The specific flaw exists within the solid.exe process which listens by
default on TCP ports 1315, 1964 and 2315. The authentication protocol
allows a remote attacker to specify the length of a password hash. By
specifying a minimum length the attacker can force the process to
validate only the first several bytes of the password hash. This can be
abused to bypass authentication to the database.

-- Vendor Response:
IBM has issued an update to correct this vulnerability. More
details can be found at:

https://www-304.ibm.com/support/docview.wss?uid=swg21474552

-- Disclosure Timeline:
2010-09-29 - Vulnerability reported to vendor
2011-04-01 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Tenable Network Security


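The solidDB advisory describes a server that lets the client choose how many bytes of the password hash are compared. The block below is an added example written for this page, not IBM or solidDB code, that puts that pattern beside its hardened form: the expected length is a server-side constant, any other declared length is rejected before a single byte is compared, and the comparison is constant-time over the whole digest. The wire format (one length byte followed by the hash), the 16-byte digest size, the stored hash bytes and the function names are all assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed message layout: msg[0] = declared hash length, msg[1..] = hash. */
#define HASH_LEN 16

/* Constructed sample of the hash the server holds for the account. */
static const uint8_t STORED_HASH[HASH_LEN] = {
    0x5a, 0x13, 0xc7, 0x08, 0xee, 0x42, 0x91, 0x3f,
    0xa0, 0x77, 0x6b, 0xd9, 0x20, 0x1e, 0xb4, 0x55
};

/* Pattern the advisory describes: the server trusts the client's length
 * field and compares only that many bytes, so a message declaring a
 * length of 1 is accepted as soon as the first byte matches. */
static bool verify_trusting_client_length(const uint8_t *msg, size_t msglen)
{
    if (msglen < 1)
        return false;
    size_t declared = msg[0];
    if (declared > HASH_LEN || 1 + declared > msglen)
        return false;                       /* malformed; bounds still checked */
    return memcmp(STORED_HASH, msg + 1, declared) == 0;  /* BUG: client-chosen length */
}

/* Hardened form: the expected length is fixed by the server. Any other
 * declared length is rejected outright, and the comparison covers the
 * whole digest without early exit so timing does not reveal how many
 * leading bytes matched. */
static bool verify_fixed_length(const uint8_t *msg, size_t msglen)
{
    if (msglen != 1 + HASH_LEN || msg[0] != HASH_LEN)
        return false;
    uint8_t diff = 0;
    for (size_t i = 0; i < HASH_LEN; i++)
        diff |= (uint8_t)(STORED_HASH[i] ^ msg[1 + i]);
    return diff == 0;
}

/* Builds an authentication message into `out` (capacity >= 1 + len) from
 * `len` bytes of `hash`; returns the message length. */
static size_t build_auth_message(uint8_t *out, const uint8_t *hash, size_t len)
{
    out[0] = (uint8_t)len;
    memcpy(out + 1, hash, len);
    return 1 + len;
}

typedef bool (*verify_fn)(const uint8_t *, size_t);

/* A message that declares length 1 and carries only the first hash byte. */
static bool truncated_message_accepted(verify_fn verify)
{
    uint8_t msg[1 + HASH_LEN];
    size_t n = build_auth_message(msg, STORED_HASH, 1);
    return verify(msg, n);
}

/* The complete, correct hash. */
static bool full_message_accepted(verify_fn verify)
{
    uint8_t msg[1 + HASH_LEN];
    size_t n = build_auth_message(msg, STORED_HASH, HASH_LEN);
    return verify(msg, n);
}

/* The complete hash with its last byte wrong. */
static bool corrupted_message_accepted(verify_fn verify)
{
    uint8_t bad[HASH_LEN];
    memcpy(bad, STORED_HASH, HASH_LEN);
    bad[HASH_LEN - 1] ^= 0x01;
    uint8_t msg[1 + HASH_LEN];
    size_t n = build_auth_message(msg, bad, HASH_LEN);
    return verify(msg, n);
}

int main(void)
{
    printf("truncated message, trusting server: %d\n",
           truncated_message_accepted(verify_trusting_client_length));
    printf("truncated message, hardened server: %d\n",
           truncated_message_accepted(verify_fixed_length));
    printf("full hash, hardened server:         %d\n",
           full_message_accepted(verify_fixed_length));
    printf("corrupted hash, hardened server:    %d\n",
           corrupted_message_accepted(verify_fixed_length));
    return 0;
}
```

The general rule the hardened form applies is that the verifier, not the peer, decides how much of a credential must match; a length field in the message may describe the payload for parsing, but it never shortens the comparison.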