Re: [Full-disclosure] Facebook URL redirection issue

2011-04-04 Thread Chris Evans
On Sun, Apr 3, 2011 at 4:26 PM, Javier Bassi javierba...@gmail.com wrote:

  Reported this issue to Facebook team on 03/22/11 and Facebook team
 acknowledged this issue on 03/29/11 and fixed this vulnerability.

 They still have redirects on apps made by their users, and they don't care
 http://apps.facebook.com/truthsaboutu/track.php?r=http://www.google.com
 and if someone falls in basic phishing with facebook domain, he will
 fall with apps.facebook subdomain too.

 Btw, linkedin has open redirect too and they couldn't care less about it
 http://www.linkedin.com/redirect?url=www.google.com


Probably because it's not a big deal?

What next, an advisory about how massive quantities of open redirectors
have been found on bit.ly, goo.gl and tinyurl.com ?


Cheers
Chris



 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
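
A server-side allow-list check for a redirect parameter such as the r= and url= ones in the URLs quoted above, added here as an example; it is not code from the thread, from Facebook or from LinkedIn. The host names in ALLOWED_HOSTS are placeholders. The check rejects absolute and protocol-relative URLs to other hosts, scheme-less host names such as www.google.com (which become an off-site hop if the application prefixes http://), the "/\host" form that browsers treat like "//host", and non-HTTP schemes, and falls back to a fixed local path.

```python
# Added example: validate a user-supplied redirect target against an
# allow-list before sending a 302. Not code from the thread or the sites
# discussed; host names below are placeholders.
from urllib.parse import urlsplit, urlunsplit

# Hosts this application may redirect to (assumption for the example).
ALLOWED_HOSTS = {"apps.example.com", "www.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return `target` if it is a same-site path or an allow-listed URL,
    otherwise `default`.

    Rejected: absolute URLs to other hosts, protocol-relative "//host"
    forms, scheme-less host names such as "www.google.com" (which turn into
    an off-site hop if the application prefixes "http://"), "/\\host"
    (treated like "//host" by browsers) and non-HTTP schemes.
    """
    if not target:
        return default
    # Drop control characters and surrounding whitespace; some URL parsers
    # ignore them, which lets "java\tscript:" style values slip through.
    cleaned = "".join(ch for ch in target if ch.isprintable()).strip()
    parts = urlsplit(cleaned)

    if parts.scheme and parts.scheme.lower() not in ALLOWED_SCHEMES:
        return default                      # javascript:, data:, ...

    if parts.netloc:
        # Absolute or protocol-relative URL: the host decides. hostname
        # strips userinfo and port, so "apps.example.com@evil.example" is
        # judged by "evil.example".
        if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
            return default
        return urlunsplit(parts)

    # No host: only a site-relative path starting with a single "/" is ok.
    path = parts.path
    if not path.startswith("/") or path[1:2] in ("/", "\\"):
        return default
    return urlunsplit(("", "", path, parts.query, parts.fragment))


if __name__ == "__main__":
    for candidate in ("http://www.google.com", "//www.google.com",
                      "www.google.com", "/home?tab=1",
                      "https://apps.example.com/app?x=1"):
        print(f"{candidate!r:40} -> {safe_redirect_target(candidate)!r}")
```

Returning a fixed default instead of an error keeps the login or tracking flow working while removing the off-site hop; the allow-list is the only part an operator needs to maintain.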

Re: [Full-disclosure] Facebook URL redirection issue

2011-04-04 Thread Christian Sciberras
Chris,

If it's social and it's Facebook, it must be good :)

Cheers,
Chris.



On Mon, Apr 4, 2011 at 8:22 AM, Chris Evans scarybea...@gmail.com wrote:



[Full-disclosure] [ MDVSA-2011:063 ] xmlsec1

2011-04-04 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2011:063
 http://www.mandriva.com/security/
 ___

 Package : xmlsec1
 Date: April 4, 2011
 Affected: 2009.0, 2010.0, Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability was discovered and corrected in xmlsec1:
 
 xslt.c in XML Security Library (aka xmlsec) before 1.2.17, as
 used in WebKit and other products, when XSLT is enabled, allows
 remote attackers to create or overwrite arbitrary files via vectors
 involving the libxslt output extension and a ds:Transform element
 during signature verification (CVE-2011-1425).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1425
 ___

 Updated Packages:

 Mandriva Linux 2009.0:
 ab2caef2b723f8a627f4682e9b9b295c  
2009.0/i586/libxmlsec1-1-1.2.10-7.3mdv2009.0.i586.rpm
 a82fe9a2eb07213a40d5b062d0c5a230  
2009.0/i586/libxmlsec1-devel-1.2.10-7.3mdv2009.0.i586.rpm
 2cec5cb556b742bcc87d10a14ded022c  
2009.0/i586/libxmlsec1-gnutls1-1.2.10-7.3mdv2009.0.i586.rpm
 7169d872a13bb5da168cad113ca3c9cb  
2009.0/i586/libxmlsec1-gnutls-devel-1.2.10-7.3mdv2009.0.i586.rpm
 d9c9fe192a991bb7937fce742acac213  
2009.0/i586/libxmlsec1-nss1-1.2.10-7.3mdv2009.0.i586.rpm
 c412b1cf110d47b6c9848a2718394e83  
2009.0/i586/libxmlsec1-nss-devel-1.2.10-7.3mdv2009.0.i586.rpm
 fb3fcd72027a0c4707d185c03d7e6ffe  
2009.0/i586/libxmlsec1-openssl1-1.2.10-7.3mdv2009.0.i586.rpm
 ee2375b5ce6b80fb0a37f8a298df8ffc  
2009.0/i586/libxmlsec1-openssl-devel-1.2.10-7.3mdv2009.0.i586.rpm
 45ec8c67b589d6874c265c316f0ef715  
2009.0/i586/xmlsec1-1.2.10-7.3mdv2009.0.i586.rpm 
 00a18a237c5aee09d3de790df4ee8d0b  
2009.0/SRPMS/xmlsec1-1.2.10-7.3mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 ab200f5369469e19e89743b23a097764  
2009.0/x86_64/lib64xmlsec1-1-1.2.10-7.3mdv2009.0.x86_64.rpm
 15eb2c4424a6d91b68f5caef8db2fdff  
2009.0/x86_64/lib64xmlsec1-devel-1.2.10-7.3mdv2009.0.x86_64.rpm
 ad73f2e06650f4b76b482a1bf7532eac  
2009.0/x86_64/lib64xmlsec1-gnutls1-1.2.10-7.3mdv2009.0.x86_64.rpm
 7c60997091a4214148c77d2d14c01a94  
2009.0/x86_64/lib64xmlsec1-gnutls-devel-1.2.10-7.3mdv2009.0.x86_64.rpm
 22ac198274c38732b3f0a65e5814ffc7  
2009.0/x86_64/lib64xmlsec1-nss1-1.2.10-7.3mdv2009.0.x86_64.rpm
 ddb61026f298b57254192f25398498d6  
2009.0/x86_64/lib64xmlsec1-nss-devel-1.2.10-7.3mdv2009.0.x86_64.rpm
 a965cb539117930426efb7b6dbf8553d  
2009.0/x86_64/lib64xmlsec1-openssl1-1.2.10-7.3mdv2009.0.x86_64.rpm
 a2853268d49f512f660b0c85f32f3b98  
2009.0/x86_64/lib64xmlsec1-openssl-devel-1.2.10-7.3mdv2009.0.x86_64.rpm
 cfcb56269c2b2e79ea2701839fa93090  
2009.0/x86_64/xmlsec1-1.2.10-7.3mdv2009.0.x86_64.rpm 
 00a18a237c5aee09d3de790df4ee8d0b  
2009.0/SRPMS/xmlsec1-1.2.10-7.3mdv2009.0.src.rpm

 Mandriva Linux 2010.0:
 bdc91e075985a73525da8a27c50f3e4d  
2010.0/i586/libxmlsec1-1-1.2.13-1.2mdv2010.0.i586.rpm
 a8cf6ac42e0ae7df962f3b6e1abd0a27  
2010.0/i586/libxmlsec1-devel-1.2.13-1.2mdv2010.0.i586.rpm
 50e1f9b8c2b36781b5597c37756f0a27  
2010.0/i586/libxmlsec1-gnutls1-1.2.13-1.2mdv2010.0.i586.rpm
 94b518a20f8d6a99033be5c7fa9a561c  
2010.0/i586/libxmlsec1-gnutls-devel-1.2.13-1.2mdv2010.0.i586.rpm
 b5e93f5674d8b2065e64f2e53ba05605  
2010.0/i586/libxmlsec1-nss1-1.2.13-1.2mdv2010.0.i586.rpm
 880fe166f23413733c3c3c118d816387  
2010.0/i586/libxmlsec1-nss-devel-1.2.13-1.2mdv2010.0.i586.rpm
 21b46e66c6b78df3fbcd86064cf30e7c  
2010.0/i586/libxmlsec1-openssl1-1.2.13-1.2mdv2010.0.i586.rpm
 6620368f5cc3bcbb857b4a23eac3c8ca  
2010.0/i586/libxmlsec1-openssl-devel-1.2.13-1.2mdv2010.0.i586.rpm
 c2ea73966298d29fdfdc34c7c2a2f1c2  
2010.0/i586/xmlsec1-1.2.13-1.2mdv2010.0.i586.rpm 
 877a15d6552bedb5763df240f4d82d84  
2010.0/SRPMS/xmlsec1-1.2.13-1.2mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 a62d421d4fd1899fbba01309dbaf1896  
2010.0/x86_64/lib64xmlsec1-1-1.2.13-1.2mdv2010.0.x86_64.rpm
 2f537e7a96421519da35174c233ce595  
2010.0/x86_64/lib64xmlsec1-devel-1.2.13-1.2mdv2010.0.x86_64.rpm
 7a8b160fe2e6034be36f6eae79085ace  
2010.0/x86_64/lib64xmlsec1-gnutls1-1.2.13-1.2mdv2010.0.x86_64.rpm
 0a6294fd609fc0852648a497a88483c0  
2010.0/x86_64/lib64xmlsec1-gnutls-devel-1.2.13-1.2mdv2010.0.x86_64.rpm
 29db3a07e7ad181397aad0cc8d0d  
2010.0/x86_64/lib64xmlsec1-nss1-1.2.13-1.2mdv2010.0.x86_64.rpm
 fbbf15dc907548874aa56a0a60288c44  
2010.0/x86_64/lib64xmlsec1-nss-devel-1.2.13-1.2mdv2010.0.x86_64.rpm
 91cde9b85b74ee50ca22063395776ad5  

[Full-disclosure] [HITB-Announce] HITBSecConf2011 - Malaysia Call for Papers Now Open

2011-04-04 Thread Hafez Kamal
The Call for Papers for the 9th annual HITBSecConf in Malaysia is now
open! The event takes place from the 10th - 13th of October at the new
Intercontinental Kuala Lumpur.

As always the first two days will be dedicated to hands-on technical
training sessions followed by a 2-day quad track conference featuring
keynote speaker Kenneth Geers (CCD CoE) and Jennifer Granick (Attorney,
Zwilinger Genetski LLP).

This year's conference will also feature a brand new attack-only Capture
The Flag - Tower of Hackf00 Madness, an updated lock picking village set
up and run by members from TOOOL US (now includes impressioning!), an
industry exhibition and technology showcase and last but not least the
HITB Labs and SIGINT sessions.

==

As always, talks that are more technical or that discuss new and never
before seen attack methods are of more interest than a subject that has
been covered several times before.

Submissions are due _no later than 15th July 2011_
HITB CFP: http://cfp.hackinthebox.org/

===

Topics of interest include, but are not limited to the following:

# Cloud Security
# 3G/4G/WIMAX Security
# File System Security
# SS7/GSM/VoIP Security
# Smart Card and Physical Security
# Network Protocols, Analysis and Attacks
# Applications of Cryptographic Techniques
# Side Channel Analysis of Hardware Devices
# Data Recovery, Forensics and Incident Response
# Analysis of Malicious Code / Viruses / Malware
# Windows / Linux / OS X / *NIX Security Vulnerabilities
# Next Generation Exploit and Exploit Mitigation Techniques
# WLAN, GPS, HAM Radio, Satellite, RFID and Bluetooth Security

Each non-resident speaker will receive accommodation for 3 nights / 4
days and travel reimbursement up to EUR1200.00.

Your submission will be reviewed by The HITB CFP Review Committee which
includes:

Charlie Miller         (Principal Analyst, Independent Security Evaluators)
Jeremiah Grossman      (Founder, Whitehat Security)
Red Dragon Thanh       (THC, VNSECURITY, Intel Corp)
Mark Curphey           (Director, Microsoft Corp)
Cesar Cerrudo          (Founder / CEO ArgenISS)
Saumil Shah            (Founder CEO Net-Square)
Shreeraj Shah          (Founder, BlueInfy)
Fredric Raynal         (Sogeti/Cap Gemini)
Robert Hansen (rsnake) (SecTheory)
Alexander Kornburst    (Red Database)
Emmanuel Gadaix        (Founder, TSTF)
Andrea Barisani        (Inverse Path)
Ed Skoudis             (InGuardians)
Haroon Meer            (Thinkst)
Chris Evans            (Google)
Philippe Langlois      (TSTF)
Skyper                 (THC)


NOTE: We do not accept product or vendor related pitches. If you would
like to showcase your company's products or technology, please contact
us for further participation opportunities.

===

Event Website:
http://conference.hackinthebox.org/hitbsecconf2011kul/

We look forward to receiving your submissions and to seeing you in
Malaysia in October (or in May at HITB2011AMS!)

- The HITB.my Team


---
Hafez Kamal
HITB Crew
Hack in The Box (M) Sdn. Bhd.
Suite 26.3, Level 26, Menara IMC,
No. 8 Jalan Sultan Ismail,
50250 Kuala Lumpur,
Malaysia

Tel: +603-20394724
Fax: +603-20318359



[Full-disclosure] DC4420 - London DEFCON - April meet - Wednesday 22nd April 2011

2011-04-04 Thread Major Malfunction
I know it's 3 weeks out, but there's a lot going on that week so I 
wanted to make sure you've got this in your calendars!

You wanted technical, you got it. In March we quantum'd your minds 
then keylogged you with 13 lines of code: Thanks to Gregoire of IDQ for 
the drinks and the great talk. Thanks to Krunch for the Systemtap 
walkthrough and entertaining delivery!

... and now to April - it's the INFOSEC edition! Every year on Infosec 
Wednesday we pull a rabbit out of the hat and wake up people's brains
- Providing some relief from the product focused marketing in that big 
hall. This year we've also got BSides London in town, so you've got 
twice the reason to make the trip!

Where:

DOWNSTAIRS! @ The Phoenix, Cavendish Square

http://www.phoenixcavendishsquare.co.uk/

Oxford Circus nearest tube

When:

   Wednesday April 20th

Venue ours from 17:30, talks start 19:30

Notice: currently talking to people who want to buy you drinks, early in 
the evening. This is traditional for infosec.

We have 2 excellent speakers & talks - don't miss this.

   Technical Talk: Evading Defences - Steve Lord.

   Fun Talk: cccamd, spartacus, and the largest sat-card sharing ring 
in the world - Neil 'mu-b' Kettle

Administrativa:

   BE EARLY. We have a max capacity and every year for the last 3 years 
we have filled whatever venue we have been at on this night! You have 
been warned!

   http://www.dc4420.org/

See you in 17 days!

cheers,
MM/Alien
-- 
In DEFCON, we have no names... errr... well, we do... but silly ones...



Re: [Full-disclosure] DC4420 - London DEFCON - April meet - Wednesday 20th April 2011

2011-04-04 Thread Major Malfunction
Doh!! Subject should of course have read Wednesday 20th, not 22nd!



-- 
In DEFCON, we have no names... errr... well, we do... but silly ones...



[Full-disclosure] SLAAC Attack - 0day Windows Network Interception Configuration Vulnerability

2011-04-04 Thread Adam Behnke
Hi full disclosure dudes, 

 

InfoSec Institute security researcher Alec Waters has just released a new
article on SLAAC Attacks. The basic premise is to use the default network
configuration found on all Windows 7 (as well as Server 2008, Vista)
installations to intercept and hijack all network traffic without any user
knowledge or interaction. 

 

The testing in our lab shows that this attack requires no interaction on the
user's part, and is totally transparent. It is hard to detect even in
enterprise computing environments with significant security gear in place.
It works on wired and wireless networks. Even though we are exploiting the
IPv6 to IPv4 translation process, it does not require an existing IPv6
network to be set up or functional. It only requires the operating system to
have IPv6 enabled by default. Mac OS-X is also likely vulnerable, but we
have not tested it yet. 

 

We detail the vulnerability, the effect, as well as provide scripts and some
tools for setting up the attack here:

 

http://resources.infosecinstitute.com/slaac-attack---0day-windows-network-interception-configuration-vulnerability/

 

We contacted Microsoft over the weekend, but, because this is a default
installation configuration vulnerability, Microsoft is not able to release a
patch and states "While you are correct that this may not be something that
is easily/quickly corrected (at least with regards to just pushing out a
patch to change the default configuration if needed) this would be something
that we want to review and explore our options to mitigate against any
potential attacks."

 

The fix right now is for Microsoft to default disable IPv6, but this cannot
be done retroactively to production desktops and servers because customers
may be using IPv6 for legitimate reasons. We believe the public needs to
know about the possibility of this attack, because other bad guys could have
figured it out before us and be exploiting unsuspecting companies right now.


 

 

 


[Full-disclosure] [ MDVSA-2011:064 ] libtiff

2011-04-04 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2011:064
 http://www.mandriva.com/security/
 ___

 Package : libtiff
 Date: April 4, 2011
 Affected: 2009.0, 2010.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities were discovered and corrected in libtiff:
 
 Buffer overflow in LibTIFF allows remote attackers to execute arbitrary
 code or cause a denial of service (application crash) via a crafted
 TIFF image with JPEG encoding (CVE-2011-0191).
 
 Heap-based buffer overflow in the thunder (aka ThunderScan) decoder
 in tif_thunder.c in LibTIFF 3.9.4 and earlier allows remote attackers
 to execute arbitrary code via crafted THUNDER_2BITDELTAS data in a
 .tiff file that has an unexpected BitsPerSample value (CVE-2011-1167).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0191
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1167
 ___

 Updated Packages:

 Mandriva Linux 2009.0:
 469f83f325486ac28efade864c4c04dd  
2009.0/i586/libtiff3-3.8.2-12.5mdv2009.0.i586.rpm
 60ed02c79ace2efc9d360c6a254484d8  
2009.0/i586/libtiff3-devel-3.8.2-12.5mdv2009.0.i586.rpm
 9eec6c7a71319a0dbe42043e3ce0143c  
2009.0/i586/libtiff3-static-devel-3.8.2-12.5mdv2009.0.i586.rpm
 c83359e62f148232dbf4716c3db1da27  
2009.0/i586/libtiff-progs-3.8.2-12.5mdv2009.0.i586.rpm 
 394324226f6347b8adde7d5a3b94e616  
2009.0/SRPMS/libtiff-3.8.2-12.5mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 12d1c6b013d1001804dcff1607ba0cbf  
2009.0/x86_64/lib64tiff3-3.8.2-12.5mdv2009.0.x86_64.rpm
 7160228a5f9eb015f7c39b034e4168fe  
2009.0/x86_64/lib64tiff3-devel-3.8.2-12.5mdv2009.0.x86_64.rpm
 dd60de9c42e6e6db115866b0729d11a6  
2009.0/x86_64/lib64tiff3-static-devel-3.8.2-12.5mdv2009.0.x86_64.rpm
 019b6c2c67897e9e15b61c5bd5290d7c  
2009.0/x86_64/libtiff-progs-3.8.2-12.5mdv2009.0.x86_64.rpm 
 394324226f6347b8adde7d5a3b94e616  
2009.0/SRPMS/libtiff-3.8.2-12.5mdv2009.0.src.rpm

 Mandriva Linux 2010.0:
 516da8a4ac19bd931ec94c948e2202b3  
2010.0/i586/libtiff3-3.9.1-4.4mdv2010.0.i586.rpm
 bb474b98be4cee2d5ce83b18a97e0b0a  
2010.0/i586/libtiff-devel-3.9.1-4.4mdv2010.0.i586.rpm
 91bbafe5b93099fa6bc91a4ae2c792c5  
2010.0/i586/libtiff-progs-3.9.1-4.4mdv2010.0.i586.rpm
 cfe592e3c30c76e9e814c828f4e9c850  
2010.0/i586/libtiff-static-devel-3.9.1-4.4mdv2010.0.i586.rpm 
 82734445474583997f82f61a6bca5477  
2010.0/SRPMS/libtiff-3.9.1-4.4mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 89d02f64104cdeefcfff27251ac493e3  
2010.0/x86_64/lib64tiff3-3.9.1-4.4mdv2010.0.x86_64.rpm
 184361a7a031fd0040ef210289e659ad  
2010.0/x86_64/lib64tiff-devel-3.9.1-4.4mdv2010.0.x86_64.rpm
 ea63a95bea50aa8c6173b7e018b52c16  
2010.0/x86_64/lib64tiff-static-devel-3.9.1-4.4mdv2010.0.x86_64.rpm
 b683c3de7768e3be291f3cd0810f29f7  
2010.0/x86_64/libtiff-progs-3.9.1-4.4mdv2010.0.x86_64.rpm 
 82734445474583997f82f61a6bca5477  
2010.0/SRPMS/libtiff-3.9.1-4.4mdv2010.0.src.rpm

 Mandriva Linux 2010.1:
 6cae776a3869cba91324d4db8c3e445b  
2010.1/i586/libtiff3-3.9.2-2.4mdv2010.2.i586.rpm
 9eb7c8e16bdccb2a08bbd51b842d6b8a  
2010.1/i586/libtiff-devel-3.9.2-2.4mdv2010.2.i586.rpm
 b22f03fcab8549799bd989a1ac5b9505  
2010.1/i586/libtiff-progs-3.9.2-2.4mdv2010.2.i586.rpm
 5207df22c3ce3a1dc5487e5a9f1386f5  
2010.1/i586/libtiff-static-devel-3.9.2-2.4mdv2010.2.i586.rpm 
 edc5ff22e092f6c0c761ea064beec57e  
2010.1/SRPMS/libtiff-3.9.2-2.4mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 fead69647d8429a2e0f3bde99440a81e  
2010.1/x86_64/lib64tiff3-3.9.2-2.4mdv2010.2.x86_64.rpm
 f8eefcab2c69e31dc9e59b7c5fd1370a  
2010.1/x86_64/lib64tiff-devel-3.9.2-2.4mdv2010.2.x86_64.rpm
 a14aa71d4721718fc2312f04b76163db  
2010.1/x86_64/lib64tiff-static-devel-3.9.2-2.4mdv2010.2.x86_64.rpm
 cd214410be00ea40859776ac4f95f1da  
2010.1/x86_64/libtiff-progs-3.9.2-2.4mdv2010.2.x86_64.rpm 
 edc5ff22e092f6c0c761ea064beec57e  
2010.1/SRPMS/libtiff-3.9.2-2.4mdv2010.2.src.rpm

 Corporate 4.0:
 26f8d583111883193418679358070dac  
corporate/4.0/i586/libtiff3-3.6.1-12.11.20060mlcs4.i586.rpm
 6cc27c218fc154873d80b9f20d0026a0  
corporate/4.0/i586/libtiff3-devel-3.6.1-12.11.20060mlcs4.i586.rpm
 d2cc27f255b5c06ac0270501742d075a  
corporate/4.0/i586/libtiff3-static-devel-3.6.1-12.11.20060mlcs4.i586.rpm
 1dce21141558e525afac04376ee88b0e  
corporate/4.0/i586/libtiff-progs-3.6.1-12.11.20060mlcs4.i586.rpm 
 

Re: [Full-disclosure] DC4420 - London DEFCON - April meet - Wednesday 20th April 2011

2011-04-04 Thread Adam Laurie
Doh!!! 20th, not 22nd!!!



-- 
Adam Laurie Tel: +44 (0) 20 7993 2690
Suite 117   Fax: +44 (0) 1308 867 949
61 Victoria Road
Surbiton
Surrey  mailto:a...@algroup.co.uk
KT6 4JX http://rfidiot.org



Re: [Full-disclosure] SLAAC Attack - 0day Windows Network Interception Configuration Vulnerability

2011-04-04 Thread ascii
On 04/04/2011 05:34 PM, Adam Behnke wrote:
 http://resources.infosecinstitute.com/slaac-attack-
 http://resources.infosecinstitute.com/slaac-attack---0day-windows-network-i
 nterception-configuration-vulnerability/
 --0day-windows-network-interception-configuration-vulnerability/

worst URL ever seen :)

-%E2%80%93-

argh.
ascii



Re: [Full-disclosure] SLAAC Attack - 0day Windows Network Interception Configuration Vulnerability

2011-04-04 Thread Valdis . Kletnieks
On Mon, 04 Apr 2011 10:34:51 CDT, Adam Behnke said:

 InfoSec Institute security researcher Alec Waters has just released a new
 article on SLAAC Attacks. The basic premise is to use the default network
 configuration found on all Windows 7 (as well as Server 2008, Vista)
 installations to intercept and hijack all network traffic without any user
 knowledge or interaction. 

Please read RFC4862, section 6, Security Considerations.  Nothing
actually new here, unless you've found issues above and beyond the
ones mentioned in that RFC.


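
An added example that serves both the announcement above and this reply; it is not code from either message or from the InfoSec Institute article. It parses ICMPv6 Router Advertisements, the message type that drives SLAAC (RFC 4861), and flags advertisements from routers an operator has not listed, which is the unauthenticated-RA exposure that RFC 4862 section 6 describes. The known-router table, the MAC and prefix values and the packet builder are constructed for the example; ICMPv6 checksums are not verified, since a monitor would take that from the capture layer.

```python
# Added example: decode ICMPv6 Router Advertisements and flag ones from
# routers that are not on an operator-maintained list. Not code from the
# thread or from the InfoSec Institute article; all addresses are constructed.
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER_ADDR = 1
OPT_PREFIX_INFORMATION = 3


def parse_router_advertisement(payload: bytes) -> dict:
    """Decode the ICMPv6 RA body (RFC 4861 s4.2) and its options.

    Raises ValueError on malformed input so a monitor can count it instead
    of crashing on a bad packet.
    """
    if len(payload) < 16:
        raise ValueError("RA too short")
    (icmp_type, code, _checksum, hop_limit, flags,
     router_lifetime, _reachable, _retrans) = struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a router advertisement")
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "other_config": bool(flags & 0x40), "router_lifetime": router_lifetime,
          "source_mac": None, "prefixes": []}
    pos = 16
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[pos], payload[pos + 1]
        size = opt_len * 8                         # length is in 8-octet units
        if opt_len == 0 or pos + size > len(payload):
            raise ValueError("bad option length")  # zero length is invalid (s4.6)
        body = payload[pos + 2:pos + size]
        if opt_type == OPT_SOURCE_LINK_LAYER_ADDR and opt_len == 1:
            ra["source_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            plen, pflags, valid, preferred, _reserved, prefix = struct.unpack("!BBIII16s", body)
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(prefix)}/{plen}",
                "on_link": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40),  # A flag: hosts self-configure from it
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        pos += size
    return ra


def check_router_advertisement(src_ip: str, payload: bytes, known_routers: dict) -> list:
    """Return alert strings for an RA seen from link-local `src_ip`.

    `known_routers` maps each authorised router's link-local address to its
    MAC (assumption: the operator maintains this list). An empty result
    means the RA is consistent with the list.
    """
    ra = parse_router_advertisement(payload)
    alerts = []
    expected_mac = known_routers.get(src_ip)
    if expected_mac is None:
        alerts.append(f"RA from unlisted router {src_ip} (mac {ra['source_mac']})")
        for p in ra["prefixes"]:
            if p["autonomous"]:
                alerts.append(f"unlisted router offers autonomous prefix {p['prefix']}")
    elif ra["source_mac"] and ra["source_mac"] != expected_mac:
        alerts.append(f"RA from {src_ip} carries MAC {ra['source_mac']}, expected {expected_mac}")
    return alerts


def build_sample_ra(mac: bytes, prefix: bytes) -> bytes:
    """Construct an RA body for offline testing (checksum left as zero)."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    sll = struct.pack("!BB6s", OPT_SOURCE_LINK_LAYER_ADDR, 1, mac)
    pio = struct.pack("!BBBBIII16s", OPT_PREFIX_INFORMATION, 4, 64, 0xC0,
                      2592000, 604800, 0, prefix)
    return header + sll + pio


# Constructed sample data: one authorised router and one that is not listed.
KNOWN_ROUTERS = {"fe80::1": "00:11:22:33:44:55"}
LEGIT_RA = build_sample_ra(bytes.fromhex("001122334455"),
                           ipaddress.IPv6Address("2001:db8:1::").packed)
ROGUE_RA = build_sample_ra(bytes.fromhex("deadbeef0001"),
                           ipaddress.IPv6Address("2001:db8:bad::").packed)

if __name__ == "__main__":
    print(check_router_advertisement("fe80::1", LEGIT_RA, KNOWN_ROUTERS))
    print(check_router_advertisement("fe80::bad", ROGUE_RA, KNOWN_ROUTERS))
```

Feeding the check from a capture of ff02::1 traffic on the segment gives an alert the moment any unlisted host starts advertising itself as a router, whether or not the segment otherwise runs IPv6; on a v4-only segment any RA at all is worth an alert.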

[Full-disclosure] ZDI-11-116: Novell File Reporter Agent XML Parsing Remote Code Execution Vulnerability

2011-04-04 Thread ZDI Disclosures
ZDI-11-116: Novell File Reporter Agent XML Parsing Remote Code Execution 
Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-116

April 4, 2011

-- CVE ID:
CVE-2011-0994

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Novell

-- Affected Products:
Novell File Reporter

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10783. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell File Reporter Agent. Authentication
is not required to exploit this vulnerability. 

The flaw exists within the NFRAgent.exe component which listens by
default on TCP port 3037. When handling the contents of an XML tag the
process blindly copies user supplied data into a fixed-length buffer on
the stack. A remote attacker can exploit this vulnerability to execute
arbitrary code under the context of the SYSTEM user.

-- Vendor Response:
Novell has issued an update to correct this vulnerability. More
details can be found at:

http://download.novell.com/Download?buildid=rCAgCcbPH9s~

-- Disclosure Timeline:
2010-10-06 - Vulnerability reported to vendor
2011-04-04 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Stephen Fewer of Harmony Security (www.harmonysecurity.com)

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi



[Full-disclosure] Microsoft Windows shmedia.dll Division By Zero, Explore.exe DOS exploit .

2011-04-04 Thread fb1h2s Hack 2 Secure
Title     : Microsoft Windows shmedia.dll Division By Zero,
            Explore.exe DOS exploit.
Version   : (Checked on XP SP All Versions)
Discovery : http://Garage4Hackers.com, http://www.fb1h2s.com
Author    : FB1H2S aka Rahul Sasi [ Garage4Hackers.com ]
Twitter   : @fb1h2s


Bug Information:

Class           : Division By Zero
Impact          : Could crash explorer.exe when the file is viewed or listed
                  using Windows Explorer.
Vendor          : http://www.microsoft.com
Security Impact : Nil
DOS Impact      : High
Remotely        : Yes [Webdev]
Locally         : Yes
Crash File      : Attached

Bug Details:

The shmedia.dll module serves as the shell media extension for Windows, which
provides statistics and thumbnails for media files. The DLL also has the
ability to act as the media file property extractor of the Windows
shell (explorer.exe), extracting custom attribute information from audio,
video, MIDI and video thumbnail files including MPEG, MPE, MPG, ASF, ASX,
AVI and WMV.

The shmedia.dll application calculates the bit-rate of the file and creates
a thumbnail preview for the Properties. So when a user opens a folder
containing files with AVI or MPEG extensions, the shmedia.dll loaded with
explorer.exe will automatically calculate the file details and make a preview
of the properties.

A div-by-zero bug is found when shmedia.dll handles a malformed AVI file which,
when viewed or explored, produces a crash. No user triggering is required
except dragging the mouse pointer on top of the files. Currently it is just (a
fun bug) which causes just a DOS condition. The only issue would be that, as all
applications use the Windows file explorer to open a file (File + Open), all
applications would crash when attempting to open this file.

Technical Details:
GetAviInfo is responsible for reading the file information; a
preliminary check is done to verify the AVI file headers to ensure the
presence of the right AVI headers. If it returns true, it will move on to the
file size and bit rate calculation and all.

###
shmedia!GetAviInfo:
5cad6f8e 8bff            mov     edi,edi
5cad6f90 55              push    ebp
5cad6f91 8bec            mov     ebp,esp
5cad6f93 53              push    ebx
5cad6f94 56              push    esi
5cad6f95 57              push    edi
5cad6f96 ff7508          push    dword ptr [ebp+8]
5cad6f99 bb0080          mov     ebx,8000h
5cad6f9e e803f5          call    shmedia!_ValidAviHeaderInfo (5cad64a6)
5cad6fa3 85c0            test    eax,eax


The GetAviInfo function is responsible for calculating the file size and the
AVI file's bit rate
##
5cad6fa5 7463            je      shmedia!GetAviInfo+0x7c (5cad700a)
5cad6fa7 33ff            xor     edi,edi
5cad6fa9 57              push    edi
5cad6faa 688000          push    offset Unloaded_hext.dll+0x7f (0080)
5cad6faf 6a03            push    3
5cad6fb1 57              push    edi
5cad6fb2 6a01            push    1
5cad6fb4 680080          push    8000h
5cad6fb9 ff7508          push    dword ptr [ebp+8]
5cad6fbc ff154c10ad5c    call    dword ptr [shmedia!_imp__CreateFileW (5cad104c)]
5cad6fc2 8bf0            mov     esi,eax
5cad6fc4 83feff          cmp     esi,0h
5cad6fc7 7518            jne     shmedia!GetAviInfo+0x53 (5cad6fe1)
5cad6fc9 ff157810ad5c    call    dword ptr [shmedia!_imp__GetLastError (5cad1078)]
5cad6fcf 3bc7            cmp     eax,edi
5cad6fd1 7437            je      shmedia!GetAviInfo+0x7c (5cad700a)
5cad6fd3 7e37            jle     shmedia!GetAviInfo+0x7e (5cad700c)
5cad6fd5 25              and     eax,offset Unloaded_hext.dll+0xfffe ()
5cad6fda 0d0780          or      eax,8007h
5cad6fdf eb2b            jmp     shmedia!GetAviInfo+0x7e (5cad700c)
5cad6fe1 57              push    edi
5cad6fe2 56              push    esi
5cad6fe3 ff15ac10ad5c    call    dword ptr [shmedia!_imp__GetFileSize (5cad10ac)]
5cad6fe9 56              push    esi

Once AVI file size is determined the function will move on and read the AVI
data streams
#
5cad6fd5 25              and     eax,offset Unloaded_hext.dll+0xfffe ()
5cad6fda 0d0780          or      eax,8007h
5cad6fdf eb2b            jmp     shmedia!GetAviInfo+0x7e (5cad700c)
5cad6fe1 57              push    edi
5cad6fe2 56              push    esi
5cad6fe3 ff15ac10ad5c    call    dword ptr [shmedia!_imp__GetFileSize (5cad10ac)]
5cad6fe9 56              push    esi

#
5cad6ffb ff7508          push    dword ptr [ebp+8]                    #
5cad6ffe e8cffb          call    shmedia!ReadAviStreams (5cad6bd2)    #
Our crash file contains null bytes which would be fetched.
5cad7003 8bd8            mov     ebx,eax
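As an added illustration (not Microsoft's code and not from the post above), here is a defensive RIFF/AVI header check of the kind the post describes _ValidAviHeaderInfo as performing before GetFileSize and ReadAviStreams run: every length field is bounds-checked against the file length, so a truncated or null-filled file like the crash file is rejected before any stream is read. The function names are hypothetical, the field layout follows the public RIFF/AVI container format, and the sample header is constructed inline.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* little-endian 32-bit read/write, no alignment assumptions */
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns 1 if buf[0..len) starts with a plausible RIFF/AVI header, else 0.
   Every field is bounds-checked against len before it is trusted, so a
   truncated or zero-filled file (like the crash file in the post) is rejected
   here instead of reaching the stream reader. Hypothetical name, not Microsoft's. */
int valid_avi_header_info(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < 32) return 0;
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "AVI ", 4) != 0) return 0;
    uint32_t riff_size = rd32le(buf + 4);            /* bytes following this field */
    if (riff_size < 4 || riff_size > len - 8) return 0;   /* no wrap: len >= 32 */
    if (memcmp(buf + 12, "LIST", 4) != 0 || memcmp(buf + 20, "hdrl", 4) != 0) return 0;
    uint32_t list_size = rd32le(buf + 16);
    /* hdrl must hold its type tag, the avih chunk header and a 56-byte MainAVIHeader */
    if (list_size < 4 + 8 + 56 || list_size > len - 20) return 0;
    if (memcmp(buf + 24, "avih", 4) != 0 || rd32le(buf + 28) < 56) return 0;
    return 1;
}

/* Constructed sample: the smallest (88-byte) header the check above accepts. */
size_t build_sample_avi(uint8_t *out, size_t cap) {
    if (cap < 88) return 0;
    memset(out, 0, 88);
    memcpy(out, "RIFF", 4);      wr32le(out + 4, 80);  memcpy(out + 8, "AVI ", 4);
    memcpy(out + 12, "LIST", 4); wr32le(out + 16, 68); memcpy(out + 20, "hdrl", 4);
    memcpy(out + 24, "avih", 4); wr32le(out + 28, 56); /* MainAVIHeader left zeroed */
    return 88;
}

int main(void) {
    uint8_t good[88], zeros[88] = {0};
    size_t n = build_sample_avi(good, sizeof good);
    printf("well-formed header: %d\n", valid_avi_header_info(good, n));   /* 1 */
    printf("all-null file:      %d\n", valid_avi_header_info(zeros, 88)); /* 0 */
    printf("truncated header:   %d\n", valid_avi_header_info(good, 40));  /* 0 */
    return 0;
}
```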

[Full-disclosure] [USN-1102-1] tiff vulnerability

2011-04-04 Thread Marc Deslauriers
===
Ubuntu Security Notice USN-1102-1                           April 04, 2011
tiff vulnerability
CVE-2011-1167
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libtiff4                        3.7.4-1ubuntu3.11

Ubuntu 8.04 LTS:
  libtiff4                        3.8.2-7ubuntu3.9

Ubuntu 9.10:
  libtiff4                        3.8.2-13ubuntu0.6

Ubuntu 10.04 LTS:
  libtiff4                        3.9.2-2ubuntu0.6

Ubuntu 10.10:
  libtiff4                        3.9.4-2ubuntu0.3

After a standard system update you need to restart your session to make
all the necessary changes.

Details follow:

Martin Barbella discovered that the thunder (aka ThunderScan) decoder in
the TIFF library incorrectly handled an unexpected BitsPerSample value. If
a user or automated system were tricked into opening a specially crafted
TIFF image, a remote attacker could execute arbitrary code with user
privileges, or crash the application, leading to a denial of service.


Updated packages for Ubuntu 6.06 LTS:


[Full-disclosure] [USN-1103-1] tex-common vulnerability

2011-04-04 Thread Marc Deslauriers
===
Ubuntu Security Notice USN-1103-1                           April 04, 2011
tex-common vulnerability
CVE-2011-1400
===

A security issue affects the following Ubuntu releases:

Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 10.04 LTS:
  tex-common  2.06ubuntu0.1

Ubuntu 10.10:
  tex-common  2.08ubuntu0.1

In general, a standard system update will make all the necessary changes.

Details follow:

Mathias Svensson discovered that the tex-common package contains an
insecure shell_escape_commands configuration item. If a user or automated
system were tricked into opening a specially crafted TeX file, a remote
attacker could execute arbitrary code with user privileges.


Updated packages for Ubuntu 10.04 LTS:

Updated packages for Ubuntu 10.10:

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/