Re: [Full-disclosure] Florida Power & Light Company (FPL) Fort Sumner Wind turbine Control SCADA was HACKED

2011-04-19 Thread satyam pujari
Some more on "hoax or real?":

http://www.theregister.co.uk/2011/04/18/wind_turbine_hack/
http://www.isssource.com/fpl-wind-turbine-hack-a-hoax/
http://forums.theregister.co.uk/forum/1/2011/04/18/wind_turbine_hack/
http://www.scmagazineus.com/wind-power-company-disputes-alleged-scada-hack/article/200961/

@Bgr dude, you're in the news! :)

Regards,
Satyamhax
http://esploit.blogspot.com/

On Tue, Apr 19, 2011 at 12:48 PM, Bgr R  wrote:
>
> > try cisco:cisco on
> >
> > 1) 161.154.232.2 (external FLP IP)
> > 2) 65.14.117.30 (ISP alias)
> >
> > interface Vlan1578
> >  ip address 65.14.117.30 255.255.255.252
> >  load-interval 30
> >  no clns route-cache
>
> IT IS REAL, for how FLP wants to hide the incident and make it fake.
>
> --- On Mon, 4/18/11, satyam pujari  wrote:
>
> From: satyam pujari 
> Subject: Re: [Full-disclosure] Florida Power & Light Company (FPL) Fort 
> Sumner Wind turbine Control SCADA was HACKED
> To: full-disclosure@lists.grok.org.uk
> Date: Monday, April 18, 2011, 12:31 PM
>
> Anyone checked this ?
>
> http://reversemode.com/index.php?option=com_content&task=view&id=74&Itemid=1
>
> Regards,
> Satyamhax
> http://esploit.blogspot.com/
>
> On Mon, Apr 18, 2011 at 1:24 AM, Patrick R  wrote:
> >
> > He is crazy. BTW I checked, the BUG in FLP is real. Check it out:
> >
> > try cisco:cisco on
> >
> > 1) 161.154.232.2 (external FLP IP)
> > 2) 65.14.117.30 (ISP alias)
> >
> > interface Vlan1578
> >  ip address 65.14.117.30 255.255.255.252
> >  load-interval 30
> >  no clns route-cache
> >
> > It seems that after that he targeted SCADA objects in internal networks
> > ...
> > ___
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>



[Full-disclosure] Windows Synchronization Object Vulnerabilities in Antivirus Suites

2011-04-19 Thread Lists
Abstract

In 2009 we examined the effects of manipulating synchronization
objects in security software suites frequently found on personal
computers running Windows XP and Vista. The synchronization objects
were mutexes and events, and the security software included products
from AVG, Avast, Avira, BitDefender, BullGuard, CheckPoint, Eset,
F-Prot, F-Secure, Kaspersky, McAfee, Microsoft (Security Essentials),
Norman, Norton, Panda, PC Tools, Quick Heal, Symantec, and Trend
Micro.

The examinations revealed that nearly all suites suffered non-trivial
faults originating from both standard and administrator accounts. The
faults ranged from simple denial of service affecting the UI console
and definition update service to scanner crashes and surreptitious
suite shutdown.

http://www.softwareintegrity.com/documents/Old-Dogs-and-New-Tricks.pdf





[Full-disclosure] MS mhtml patch bypass

2011-04-19 Thread sec yun
Hi

Someone reported a case of bypassing the MHTML patch:

http://www.wooyun.org/bugs/wooyun-2010-01929

http://trusteddomain.com/wooyun.jpg!wooyun.swf"; allowNetworking=all
AllowScriptAccess=samedomain width=500 height=500>

Some vulnerabilities like http://www.wooyun.org/bugs/wooyun-2010-01474 (Gmail hack) will
still be exploitable.

credits: http://www.wooyun.org/whitehats/latentwind

:)

Re: [Full-disclosure] Florida Power & Light Company (FPL) Fort Sumner Wind turbine Control SCADA was HACKED

2011-04-19 Thread Cal Leeming
lmfao.

On Tue, Apr 19, 2011 at 9:52 AM, satyam pujari  wrote:


Re: [Full-disclosure] Florida Power & Light Company (FPL) Fort Sumner Wind turbine Control SCADA was HACKED

2011-04-19 Thread Paul Schmehl
ngasiyalyfao

--On April 19, 2011 10:45:18 AM +0100 Cal Leeming wrote:




-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
***
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell


[Full-disclosure] [Annoucement] ClubHack Magazine - Call for Articles

2011-04-19 Thread Abhijeet Patil
ClubHack Magazine is seeking submissions for the next issue, i.e. the May 2011
issue. If you have something interesting and would like to share, please
send in your articles to abhij...@clubhack.com

The topic/theme for the May issue is Browser Security.

It has 6 sections:

1. Tech Gyan - Main article of the magazine. Covers various technical aspects
in security, latest hacking trends and techniques.
2. Tool Gyan - Covers various hacking and security tools.
3. Mom's Guide - Dedicated to the common man. Covers basics of hacking and
security.
4. Legal Gyan - IT law with respect to hacking explained in simple language.
5. Command Line - Explains command line alternatives for various tasks.
6. Matriux Vibhag - Articles on the Matriux security distro.

No hard and fast rules as such, just a few guidelines:
1) Keep the language as easy as possible.
2) It should be related to our sections mentioned above. (Except for Matriux
Vibhag, articles can be submitted for all other sections)
3) Article submissions to be done on or before 25th of the month.

--
Abhijeet Patil
Team ClubHack
Url: http://chmag.in, http://clubhack.com

[Full-disclosure] [SECURITY] [DSA 2220-1] Request Tracker security update

2011-04-19 Thread Florian Weimer
--------------------------------------------------------------------------
Debian Security Advisory DSA-2220-1                   secur...@debian.org
http://www.debian.org/security/                            Florian Weimer
April 19, 2011                         http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: request-tracker3.6, request-tracker3.8
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2011-1685 CVE-2011-1686 CVE-2011-1687 CVE-2011-1688 
 CVE-2011-1689 CVE-2011-1690

Several vulnerabilities were discovered in Request Tracker, an issue tracking
system.

CVE-2011-1685
If the external custom field feature is enabled, Request Tracker
allows authenticated users to execute arbitrary code with the
permissions of the web server, possibly triggered by a cross-site
request forgery attack.  (External custom fields are disabled by
default.)

CVE-2011-1686
Multiple SQL injection attacks allow authenticated users to obtain
data from the database in an unauthorized way.

CVE-2011-1687
An information leak allows an authenticated privileged user to
obtain sensitive information, such as encrypted passwords, via the
search interface.

CVE-2011-1688
When running under certain web servers (such as Lighttpd), Request
Tracker is vulnerable to a directory traversal attack, allowing
attackers to read any files accessible to the web server.  Request
Tracker instances running under Apache or Nginx are not affected.

CVE-2011-1689
Request Tracker contains multiple cross-site scripting
vulnerabilities.

CVE-2011-1690
Request Tracker enables attackers to redirect authentication
credentials supplied by legitimate users to third-party servers.


For the oldstable distribution (lenny), these problems have been fixed
in version 3.6.7-5+lenny6 of the request-tracker3.6 package.

For the stable distribution (squeeze), these problems have been fixed
in version 3.8.8-7+squeeze1 of the request-tracker3.8 package.

For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have been fixed in version 3.8.10-1 of the
request-tracker3.8 package.

We recommend that you upgrade your Request Tracker packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[Full-disclosure] [USN-1115-1] language-selector vulnerability

2011-04-19 Thread Kees Cook
==
Ubuntu Security Notice USN-1115-1
April 19, 2011

language-selector vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.10

Summary:

Local users could gain root access via the language-selector.

Software Description:
- language-selector: Language selector for Ubuntu Linux

Details:

Romain Perier discovered that the language-selector D-Bus backend did not
correctly check for Policy Kit authorizations. A local attacker could exploit
this to inject shell commands into the system-wide locale configuration file,
leading to root privilege escalation.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.10:
  language-selector-common        0.6.7

In general, a standard system update will make all the necessary changes.

References:
  CVE-2011-0729

Package Information:
  https://launchpad.net/ubuntu/+source/language-selector/0.6.7




[Full-disclosure] Insect Pro - Looking for partners

2011-04-19 Thread runlvl
Insect Pro is actively looking for partners to expand the frontiers of
Insect Pro and grow our penetration testing tool at a competitive
level worldwide.

We are located in Argentina and we are currently two developers with
low-level knowledge and desire to make a profitable business.

We need a company to be our economic support so we can work full time
to the development of the tool.

Please contact us to jsa...@insecurityresearch.com with the proposal.

By phone at +541144334778 or 549111534303024

More info about Insect Pro: http://www.insecurityresearch.com

About Insect Pro: INSECT Pro is the ultimate resource to demonstrate
the security—or vulnerability—of your network. INSECT goes beyond
simply detecting vulnerabilities to safely exploiting them. The first
integrated vulnerability and penetration testing tool, INSECT Pro is
part of the complete solution Insecurity Research offers to evaluate
the vulnerabilities on your network.


[Full-disclosure] [USN-1108-2] DHCP vulnerability

2011-04-19 Thread Marc Deslauriers
==
Ubuntu Security Notice USN-1108-2
April 19, 2011

dhcp3 vulnerability
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 9.10

Summary:

An attacker's DHCP server could send crafted responses to your computer and
cause it to run programs as root.

Software Description:
- dhcp3: DHCP Client

Details:

USN-1108-1 fixed vulnerabilities in DHCP. Due to an error, the patch to fix
the vulnerability was not properly applied on Ubuntu 9.10 and higher. This
update fixes the problem.

Original advisory details:

 Sebastian Krahmer discovered that the dhclient utility incorrectly filtered
 crafted responses. An attacker could use this flaw with a malicious DHCP
 server to execute arbitrary code, resulting in root privilege escalation.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.10:
  dhcp3-client                    3.1.3-2ubuntu6.2

Ubuntu 10.04 LTS:
  dhcp3-client                    3.1.3-2ubuntu3.2

Ubuntu 9.10:
  dhcp3-client                    3.1.2-1ubuntu7.3

In general, a standard system update will make all the necessary changes.

References:
  CVE-2011-0997

Package Information:
  https://launchpad.net/ubuntu/+source/dhcp3/3.1.3-2ubuntu6.2
  https://launchpad.net/ubuntu/+source/dhcp3/3.1.3-2ubuntu3.2
  https://launchpad.net/ubuntu/+source/dhcp3/3.1.2-1ubuntu7.3
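DSA-2220-1, USN-1115-1 and USN-1108-2 above each name the exact package version that carries the fix, so the practical check is "is the installed version at or above it?", which needs dpkg's version ordering rather than a string compare. The following is an added example, not code from Debian, Ubuntu or any of the advisories: it ports dpkg's comparison algorithm to Python and checks a constructed `dpkg-query` style listing against the fixed versions quoted in the three advisories; the release/package table layout and the sample listings are this example's own assumptions.

```python
"""Check installed Debian/Ubuntu package versions against the fixed versions
in DSA-2220-1, USN-1115-1 and USN-1108-2. Ports dpkg's version ordering so the
check runs without dpkg. Added example, not code from any of the advisories."""

# (release, package) -> fixed version, copied from the advisories' text.
FIXED_VERSIONS = {
    ("lenny", "request-tracker3.6"): "3.6.7-5+lenny6",
    ("squeeze", "request-tracker3.8"): "3.8.8-7+squeeze1",
    ("wheezy", "request-tracker3.8"): "3.8.10-1",
    ("sid", "request-tracker3.8"): "3.8.10-1",
    ("10.10", "language-selector-common"): "0.6.7",
    ("10.10", "dhcp3-client"): "3.1.3-2ubuntu6.2",
    ("10.04", "dhcp3-client"): "3.1.3-2ubuntu3.2",
    ("9.10", "dhcp3-client"): "3.1.2-1ubuntu7.3",
}


def _order(c: str) -> int:
    """dpkg weight: end/digit 0, '~' -1, letters code point, others +256."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _at(s: str, i: int) -> str:
    return s[i] if i < len(s) else ""


def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternate non-digit runs and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights one by one ('~' < end).
        while (_at(a, i) and not _at(a, i).isdigit()) or (
            _at(b, j) and not _at(b, j).isdigit()
        ):
            ac, bc = _order(_at(a, i)), _order(_at(b, j))
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: strip leading zeros; longer run wins, else first difference.
        while _at(a, i) == "0":
            i += 1
        while _at(b, j) == "0":
            j += 1
        while _at(a, i).isdigit() and _at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if _at(a, i).isdigit():
            return 1
        if _at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str):
    """Split '[epoch:]upstream[-revision]' as dpkg does (last '-' wins)."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1, ordering a against b like dpkg --compare-versions."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_vulnerable(release: str, package: str, installed: str):
    """True if below the fix, False if at/above, None if not covered."""
    fixed = FIXED_VERSIONS.get((release, package))
    return None if fixed is None else compare_versions(installed, fixed) < 0


def check_listing(release: str, listing: str):
    """Scan 'dpkg-query -W' style 'name version' lines; return (package,
    installed, fixed) for every package still below its fixed version."""
    findings = []
    for line in listing.split("\n"):
        if line.strip():
            package, installed = line.split(None, 1)
            if is_vulnerable(release, package, installed.strip()):
                findings.append((package, installed.strip(), FIXED_VERSIONS[(release, package)]))
    return findings


# Constructed sample listings; not taken from any real system.
SAMPLE_SQUEEZE = "request-tracker3.8 3.8.8-7\nrequest-tracker3.6 3.6.7-5+lenny6\n"
SAMPLE_UBUNTU_1010 = "dhcp3-client 3.1.3-2ubuntu6.2\nlanguage-selector-common 0.6.6\n"

if __name__ == "__main__":
    print(check_listing("squeeze", SAMPLE_SQUEEZE))
    print(check_listing("10.10", SAMPLE_UBUNTU_1010))
```

On a real host, feed it the output of `dpkg-query -W -f='${Package} ${Version}\n'` together with the release the box actually runs.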





Re: [Full-disclosure] Insect Pro - Looking for partners

2011-04-19 Thread John Jacobs

> Insect Pro is actively looking for partners to expand the frontiers of
> Insect Pro and grow our penetration testing tool at a competitive
> level worldwide.

Dear Sir, I would very much like to be a partner and I think this is an 
exceptional product that not only offers more than what is already available in 
the open source community but it is also very well marketed.

Would you be willing to waive the initial "Donations Appreciated" hurdle to
becoming a partner?  Also, some time ago I ordered your product (I think back 
when it was "free" but it wasn't, or something, yawn) and I never did get a 
nifty box like the one depicted in your image.

Kind Regards,
John "I see what you did there" Jacobs

  


Re: [Full-disclosure] Insect Pro - Looking for partners

2011-04-19 Thread Oscar Marques
Try ekoparty list, there are good guys there.
See ya!

2011/4/19 runlvl 





-- 
Oscar Marques
osca...@gmail.com
http://www.dunkelheit.com.br
Twitter: @f117usbr
+55 21 9293-9343


Take part in the first Hack'n Rio


Re: [Full-disclosure] Insect Pro - Looking for partners

2011-04-19 Thread Manichattan at gotham.us
Yes - I know an investor who recently contacted me.

Mr.John Bali first son of Mr.Abrahim Bali, who was recently murdered in the
land dispute in Zimbabwe would like to invest.
You can reach him at  johnbali060 at gmail.com
You can go into partnership with him for proper profitable investment of the
money in your country.

-Manic H.


On Tue, Apr 19, 2011 at 2:48 PM, runlvl  wrote:


[Full-disclosure] ZDI-11-137: Oracle Application Server Authentication Bypass Remote Code Execution Vulnerability

2011-04-19 Thread ZDI Disclosures
ZDI-11-137: Oracle Application Server Authentication Bypass Remote Code 
Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-137

April 19, 2011

-- CVE ID:
CVE-2011-0807

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Oracle

-- Affected Products:
Oracle Application Server

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10882. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Oracle GlassFish Application Server and
Oracle Java Application Server. Authentication is not required to
exploit this vulnerability. 

The flaw exists within the Web Administration component which listens by
default on TCP port 4848. When handling a malformed GET request to the
administrative interface, the application does not properly handle an
exception allowing the request to proceed without authentication. A
remote attacker can exploit this vulnerability to execute arbitrary code
under the context of the application.

-- Vendor Response:
Oracle has issued an update to correct this vulnerability. More
details can be found at:

http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html

-- Disclosure Timeline:
2010-09-23 - Vulnerability reported to vendor
2011-04-19 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Jason Bowes

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi



[Full-disclosure] ZDI-11-138: Webkit Undefined DOM Prototype Attach Remote Code Execution Vulnerability

2011-04-19 Thread ZDI Disclosures
ZDI-11-138: Webkit Undefined DOM Prototype Attach Remote Code Execution 
Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-138

April 19, 2011

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
WebKit

-- Affected Products:
WebKit WebKit

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11100. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple Safari Webkit. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the application's implementation of a
Frame element. When attaching this element to a document, the
application will duplicate a reference of an anonymous block. When
freeing the container holding the Frame element, the reference will
still be available. If an attacker can perform an explicit type change
of the contents of the element, this can then be leveraged to gain code
execution under the context of the application.

-- Vendor Response:
Webkit fix:
http://trac.webkit.org/changeset/67182

-- Disclosure Timeline:
2011-03-31 - Vulnerability reported to vendor
2011-04-19 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* wushi of team509



[Full-disclosure] ZDI-11-139: Webkit Anonymous Frame Remote Code Execution Vulnerability

2011-04-19 Thread ZDI Disclosures
ZDI-11-139 (formerly ZDI-CAN-1035): Webkit Anonymous Frame Remote Code 
Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-139

April 19, 2011

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
WebKit

-- Affected Products:
WebKit WebKit

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11101. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple Safari Webkit. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the library's implementation of a frame
element. When parsing a malformed document embedded inside an SVG
document, the library will create an anonymous block around a frame
element in the block's contents. When freeing this anonymous block via
an assignment to the read-only .textContent attribute, a reference to
one of the child elements will still exist. Accessing this child element
can then lead to code execution under the context of the application.

-- Vendor Response:
Webkit fix:
http://trac.webkit.org/changeset/81611

-- Disclosure Timeline:
2011-03-31 - Vulnerability reported to vendor
2011-04-19 - Public release of advisory

-- Credit:
This vulnerability was discovered by:
* wushi of team509



[Full-disclosure] ZDI-11-140: Webkit Detached Body Element Remote Code Execution Vulnerability

2011-04-19 Thread ZDI Disclosures
ZDI-11-140 (formerly ZDI-CAN-1026): Webkit Detached Body Element Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-140

April 19, 2011

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
WebKit

-- Affected Products:
WebKit WebKit

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11102. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple Safari WebKit. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within how the application manages a reference
to an anonymous block located near a particular element within the
document. When cloning this element, the application will duplicate a
reference to the block and then later re-attach this element to the
rendering tree. During this process the library will free the original
rendering element. Subsequent access to the same element will then cause
the library to use the freed object. This can be utilized to achieve
code execution under the context of the application.

-- Vendor Response:
Webkit fix:
http://trac.webkit.org/changeset/67182

-- Disclosure Timeline:
2011-03-31 - Vulnerability reported to vendor
2011-04-19 - Public release of advisory

-- Credit:
This vulnerability was discovered by:
* Rob King jk...@deadpixi.com



Re: [Full-disclosure] Insect Pro - Looking for partners

2011-04-19 Thread phil
Quoting runlvl :

>
> We need a company to be our economic support so we can work full time
> to the development of the tool.
>

Hi,

As I see it, it's only a GUI with another product behind it. When the GUI
is finished, there's nothing left to code.

Better to support the product behind the tool, as it's the only way your
tool will get updated?

phil


[Full-disclosure] [SECURITY] [DSA 2221-1] Mojolicious security update

2011-04-19 Thread Moritz Muehlenhoff
-------------------------------------------------------------------------
Debian Security Advisory DSA-2221-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
April 19, 2011                         http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: libmojolicious-perl
Vulnerability  : directory traversal
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2011-1589
Debian Bug : 622952

Viacheslav Tykhanovskyi discovered a directory traversal vulnerability in 
Mojolicious, a Perl Web Application Framework.

The oldstable distribution (lenny) doesn't contain libmojolicious-perl.

For the stable distribution (squeeze), this problem has been fixed in
version 0.26-1+squeeze1.

For the unstable distribution (sid), this problem has been fixed in
version 1.16-1.

We recommend that you upgrade your libmojolicious-perl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] [USN-1116-1] Kerberos vulnerability

2011-04-19 Thread Kees Cook
===========================================================================
Ubuntu Security Notice USN-1116-1
April 19, 2011

krb5 vulnerability
===========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 9.10

Summary:

An unauthenticated remote user could crash the Kerberos service.

Software Description:
- krb5: MIT Kerberos services

Details:

Felipe Ortega discovered that kadmind did not correctly handle password
changing error conditions. An unauthenticated remote attacker could exploit
this to crash kadmind, leading to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.10:
  krb5-admin-server   1.8.1+dfsg-5ubuntu0.7

Ubuntu 10.04 LTS:
  krb5-admin-server   1.8.1+dfsg-2ubuntu0.9

Ubuntu 9.10:
  krb5-admin-server   1.7dfsg~beta3-1ubuntu0.13

In general, a standard system update will make all the necessary changes.

References:
  CVE-2011-0285

Package Information:
  https://launchpad.net/ubuntu/+source/krb5/1.8.1+dfsg-5ubuntu0.7
  https://launchpad.net/ubuntu/+source/krb5/1.8.1+dfsg-2ubuntu0.9
  https://launchpad.net/ubuntu/+source/krb5/1.7dfsg~beta3-1ubuntu0.13


Re: [Full-disclosure] New vulnerabilities in eSitesBuilder

2011-04-19 Thread MustLive
Hello security curmudgeon!

> How many times are you going to disclose this?

Be attentive - I wrote about different holes.

In June (http://seclists.org/bugtraq/2010/Jun/189) I wrote about XSS in the
public forget.php (for users):

http://site/forget.php?e_mail=%3Cscript%3Ealert(document.cookie)%3C/script%3E&seenform=y

In August (http://seclists.org/fulldisclosure/2010/Aug/306) I wrote about
multiple holes in eSitesBuilder and in particular wrote about holes in the
public forget.php. I wrote about Insufficient Anti-automation and mentioned
for the company :-) the earlier-mentioned XSS (so both holes in this script
would be in one place). It was also possible to mention the Abuse of
Functionality hole in this script (to write about three holes in it in one
advisory), but only later I decided to write about this hole - in the hidden
forget.php script - which I did in the next advisory (and people could easily
understand that both forget.php scripts have an AoF hole which allows one to
enumerate logins).

In December (http://seclists.org/fulldisclosure/2010/Dec/465) I wrote about
XSS in the hidden (there are no public links to it) forget.php (for admins):

http://site/console/forget.php?e_mail=%3Cscript%3Ealert(document.cookie)%3C/script%3E&seenform=y

Plus I added information about the Insufficient Anti-automation and Abuse of
Functionality holes in this script. So these are two different forget.php
scripts, which both have three similar holes (it's quite expected that the
developers used the same code for the forgot-password functionality for users
and for admins).

> The June disclosure has a timeline indicating you had "announced" it
> almost two years prior to that:

My dear, in that timeline I showed that I first found these holes a long
time ago - at two e-commerce sites (99% of all holes I'm finding are at web
sites on the Internet). And I informed the admins of those sites (who lamerly
ignored fixing the holes) and they could have informed the developer of this
commercial CMS (but most of the holes weren't fixed at the demo site of the
CMS developer, which showed that the developer also didn't care about security
for a long time, regardless of whether he was informed by the owners of these
sites or not, because they ignored it even after my informing them).

This information in the timeline must show the long-time ignorance of security
by owners of e-commerce sites (online shops) and developers of e-commerce
engines. And there must not be any questions (because everything must be
clear). But if there is some incomprehensibility, then I'll make it clear.

Those sites didn't show what engine they were using (it's common for
commercial engines and sites on such engines, online shops in particular).
Only in summer 2010 did I find (when I decided to do it) at one of these
online shops, and then checked at another, the hidden admin panel with the
mentioned name of the engine. As I wrote in the Timeline:

> 18.06.2010 - disclosed at my site about vulnerabilities in eSitesBuilder
> (after I found that they concerned with eSitesBuilder).

And after I found that it's eSitesBuilder, I wrote a series of advisories
about holes in this engine (both those holes which I found in 2007-2008 and
those found in 2010).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

- Original Message - 
From: "security curmudgeon" 
To: "MustLive" 
Cc: 
Sent: Sunday, April 17, 2011 3:56 AM
Subject: Re: [Full-disclosure] New vulnerabilities in eSitesBuilder


>
> : SecurityVulns ID: 11310.
>
> : XSS (WASC-08):
> :
> :
> http://site/console/forget.php?e_mail=%3Cscript%3Ealert(document.cookie)%3C/script%3E&seenform=y
>
> How many times are you going to disclose this?
>
> http://seclists.org/bugtraq/2010/Jun/189
>
> http://seclists.org/fulldisclosure/2010/Aug/306
>
> http://seclists.org/fulldisclosure/2010/Dec/465
>
> The June disclosure has a timeline indicating you had "announced" it
> almost two years prior to that:
>
> 21.11.2007 - found some of these vulnerabilities.
> 11.08.2008 - announced at my site.
> 11.08.2008 - informed admins of web site.
> 11.08.2008 - found others of these vulnerabilities.
> 11.02.2009 - disclosed at my site about first vulnerabilities.
> 05.05.2009 - disclosed at my site about other vulnerabilities.
> 06.05.2009 - informed admins of web site about other vulnerabilities.
> 18.06.2010 - disclosed at my site about vulnerabilities in eSitesBuilder
> (after I found that they concerned with eSitesBuilder).
> 19.06.2010 - informed developers (in case if owners of vulnerable site
> didn't informed them in previous years).
>
> Seriously, how long can you milk a single XSS here?
>
> : 2010.10.08 - announced at my site.
> : 2010.10.08 - informed developers.
> : 2010.12.16 - disclosed at my site.
> :
> : I mentioned about these vulnerabilities at my site
> : (http://websecurity.com.ua/4588/).
>
> http://websecurity.com.ua/4300/
>
> Several times, yes you did.


[Full-disclosure] [USN-1117-1] PolicyKit vulnerability

2011-04-19 Thread Kees Cook
===========================================================================
Ubuntu Security Notice USN-1117-1
April 19, 2011

policykit-1 vulnerability
===========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 9.10

Summary:

Local users could gain root access by using the pkexec tool in PolicyKit.

Software Description:
- policykit-1: framework for managing administrative policies and privileges

Details:

Neel Mehta discovered that PolicyKit did not correctly verify the user
making authorization requests. A local attacker could exploit this to
trick pkexec into running applications with root privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.10:
  libpolkit-backend-1-0   0.96-2ubuntu1.1

Ubuntu 10.04 LTS:
  libpolkit-backend-1-0   0.96-2ubuntu0.1

Ubuntu 9.10:
  libpolkit-backend-1-0   0.94-1ubuntu1.1

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
  CVE-2011-1485

Package Information:
  https://launchpad.net/ubuntu/+source/policykit-1/0.96-2ubuntu1.1
  https://launchpad.net/ubuntu/+source/policykit-1/0.96-2ubuntu0.1
  https://launchpad.net/ubuntu/+source/policykit-1/0.94-1ubuntu1.1



[Full-disclosure] Insecure Defaults In PPLiveAV Client

2011-04-19 Thread dink

Insecure Defaults In PPLiveAV Client


The Great Firewall is full of holes.

From http://www.synacast.com/en/ ...

"PPLive has more than 200 million user installations and its active
monthly user base (as of Dec 2010) is 104 million, i.e, PPLive has a 43%
penetration of Chinese internet users. With its innovative user
experiences, such as live chatting, and SNS, average viewing time per
person per day has reach over 2 hours and 30 minutes, the highest
stickiness among all China websites."

The Intro
=========
Anyone who has followed public proxy lists in the past year has noticed
there are thousands of new open proxies listening on port 9415 listed
every day.  In the past year I have documented over 394,000 port 9415
proxies from these public lists.  Geolocation of the IP addresses
indicates they are widespread mostly in China but also in Taiwan, Macau,
Hong Kong, and pockets of the US where Chinese is likely to be spoken.

I initially suspected some kind of malware.  Finding nothing in Google
(searching for 9415 will get you a lot of proxy lists), I eventually
started searching Baidu.  The results were immediate.

These proxies are built into the PPLiveAV client to retrieve an internal
PAC (proxy auto-configuration) file from the following URL:

http://localhost:9415/tudouva.pac

Replacing "localhost" with the IP of an active port 9415 proxy (if you
can find one) will get you the PAC file, shown below:

function FindProxyForURL(url, host) {
    // Local, non-HTTP and loopback requests never go through the proxy.
    if (isPlainHostName(host) || url.substring(0, 5) != "http:" ||
        shExpMatch(url, "http://localhost:*") ||
        shExpMatch(url, "http://127.0.0.1:*"))
        return "DIRECT";

    // Video URLs are sent to the local PPLive listener on port 9415,
    // except those served from hzplayer0.tudou.com.
    if (shExpMatch(url, "*.flv*") || shExpMatch(url, "*.mp4*") ||
        shExpMatch(url, "*.m4v*") || shExpMatch(url, "*.f4v*")) {
        if (shExpMatch(url, "*hzplayer0.tudou.com*"))
            return "DIRECT";
        else
            return "PROXY 127.0.0.1:9415";
    }
    else
        return "DIRECT";
}

Obviously, the proxy should be listening on 127.0.0.1 only, but in
practice it listens on all interfaces.
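As an added example (not part of dink's post or the PPLive software), the PAC rules above re-typed in JavaScript together with the two PAC helper functions they rely on, so the routing decision can be run offline in Node against constructed sample URLs; it makes visible that every plain-HTTP .flv/.mp4/.m4v/.f4v request not served by hzplayer0.tudou.com is handed to the port 9415 listener, which is exactly why that listener must be bound to 127.0.0.1 only.

```javascript
// Added example, not from the original post: the PPLiveAV PAC logic with
// the PAC helpers isPlainHostName/shExpMatch reimplemented, evaluated
// against constructed sample URLs (no real traffic involved).

// PAC helper: a host with no dots (e.g. "intranet") is a plain host name.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// PAC helper: shell-style glob match ("*" any run, "?" one character);
// every other regex metacharacter in the pattern is escaped first.
function shExpMatch(str, shexp) {
  const re = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                  .replace(/\*/g, ".*")
                  .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// The quoted FindProxyForURL, unchanged in logic.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || url.substring(0, 5) !== "http:" ||
      shExpMatch(url, "http://localhost:*") ||
      shExpMatch(url, "http://127.0.0.1:*")) {
    return "DIRECT";
  }
  if (shExpMatch(url, "*.flv*") || shExpMatch(url, "*.mp4*") ||
      shExpMatch(url, "*.m4v*") || shExpMatch(url, "*.f4v*")) {
    return shExpMatch(url, "*hzplayer0.tudou.com*") ? "DIRECT"
                                                     : "PROXY 127.0.0.1:9415";
  }
  return "DIRECT";
}

// Derive the host argument the way a browser does before calling the PAC.
function routeFor(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}

// Constructed sample requests with the route each should get: only plain-HTTP
// video URLs outside hzplayer0.tudou.com are sent to the local 9415 listener.
const SAMPLES = {
  "http://video.example.com/clip.flv?token=1": "PROXY 127.0.0.1:9415",
  "http://hzplayer0.tudou.com/a.mp4": "DIRECT",
  "https://video.example.com/clip.mp4": "DIRECT", // not "http:"
  "http://localhost:9415/tudouva.pac": "DIRECT",
  "http://intranet/movie.m4v": "DIRECT",          // plain host name
  "http://cdn.example.com/page.html": "DIRECT",   // not a video extension
};

// Returns the sample URLs whose computed route differs from the expectation
// (an empty list means the transcription behaves as the PAC file describes).
function mismatches() {
  return Object.keys(SAMPLES).filter((u) => routeFor(u) !== SAMPLES[u]);
}
```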


The Outro
=========
It looks like there are 200 million open proxies in China, thanks to
this software.  Pick a Chinese IP address, scan for port 9415.  You'll
get one sooner or later.  I don't consider this a 0day, since it's been
going on for over a year.  Responsible disclosure?  meh.  A little late
for that.

The fact is, they're pretty crappy proxies.


More Info
=========
http://proxyobsession.net/?p=1534


More Proxies
============
http://www.mrhinkydink.com/proxies.htm

