[Full-disclosure] pytbull, IDS/IPS Testing Framework

2011-04-29 Thread Sebastien Damaye
Hi guys,

I would like to share this new tool I have developed with you: pytbull,
available here: http://code.google.com/p/pytbull/

pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing
Framework for Snort and Suricata. It can be used to test the detection and
blocking capabilities of an IDS/IPS, to compare IDS/IPS, to compare
configuration modifications and to check/validate configurations.

The framework is shipped with about 300 tests grouped in 8 testing modules:

   - *clientSideAttacks*: this module uses a reverse shell to provide the
   server with instructions to download remote malicious files. This module
   tests the ability of the IDS/IPS to protect against client-side attacks.
   - *testRules*: basic rules testing. These attacks are supposed to be
   detected by the rules sets shipped with the IDS/IPS.
   - *badTraffic*: Non RFC compliant packets are sent to the server to test
   how packets are processed.
   - *fragmentedPackets*: various fragmented payloads are sent to server to
   test its ability to recompose them and detect the attacks.
   - *multipleFailedLogins*: tests the ability of the server to track
   multiple failed logins (e.g. FTP). Makes use of custom rules on Snort and
   Suricata.
   - *evasionTechniques*: various evasion techniques are used to check if
   the IDS/IPS can detect them.
   - *shellCodes*: sends various shellcodes to the server on port 21/tcp to
   test the ability of the server to detect/reject shellcodes.
   - *denialOfService*: tests the ability of the IDS/IPS to protect against
   DoS attempts.

It is easily configurable and could integrate new modules in the future.
There are basically 5 types of tests:

   - *socket*: open a socket on a given port and send the payloads to the
   remote target on that port.
   - *command*: send a command to the remote target with the subprocess.call()
   Python function.
   - *scapy*: send specially crafted payloads based on the Scapy syntax.
   - *multiple failed logins*: open a socket on port 21/tcp (FTP) and
   attempt to login 5 times with bad credentials.
   - *client side attacks*: use a reverse shell on the remote target and
   send commands to it to have them processed by the server (typically wget
   commands).

More information here: http://www.aldeid.com/index.php/Pytbull.

-- 
Cordialement/Regards,

Sébastien Damaye
http://www.aldeid.com
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
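As an added example (not pytbull's own code) of the detection side of the multipleFailedLogins module described above: a sliding-window counter that flags a source once it produces five FTP 530 replies within 60 seconds, run over constructed sample log lines. The log format, the threshold and the constructed addresses are assumptions.

```python
"""Sliding-window tracker for repeated failed FTP logins (added example).

Not pytbull's code: it models the detection a custom Snort/Suricata rule does
for the multipleFailedLogins module, which opens 21/tcp and tries five logins
with bad credentials. The rule-language analogue is the option
    detection_filter: track by_src, count 4, seconds 60;
which fires once the count is exceeded inside the window (this tracker resets
after each alert instead of alerting on every further match).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of server replies as a sensor on 21/tcp would see them:
# "<ISO timestamp> <client address> <FTP reply code> <reply text>".
# 192.0.2.10 fails five times in five seconds; 192.0.2.20 fails three times
# spread over more than a minute, so it must not alert at the default.
SAMPLE_LOG = """\
2011-04-29T10:00:00 192.0.2.10 530 Login incorrect.
2011-04-29T10:00:01 192.0.2.10 530 Login incorrect.
2011-04-29T10:00:02 192.0.2.10 530 Login incorrect.
2011-04-29T10:00:03 192.0.2.10 530 Login incorrect.
2011-04-29T10:00:04 192.0.2.10 530 Login incorrect.
2011-04-29T10:00:05 192.0.2.20 230 User logged in, proceed.
2011-04-29T10:00:06 192.0.2.20 530 Login incorrect.
2011-04-29T10:03:00 192.0.2.20 530 Login incorrect.
2011-04-29T10:03:01 192.0.2.20 530 Login incorrect.
"""

FTP_LOGIN_FAILED = 530


class FailedLoginTracker:
    """Per-source counter of 530 replies inside a sliding time window."""

    def __init__(self, count=5, seconds=60):
        self.count = count
        self.window = timedelta(seconds=seconds)
        self.failures = defaultdict(deque)  # source address -> recent timestamps

    def observe(self, ts, src, code):
        """Record one reply; return True when src reaches `count` failures."""
        if code != FTP_LOGIN_FAILED:
            return False
        recent = self.failures[src]
        recent.append(ts)
        # Drop failures that fell out of the window relative to this one.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.count:
            recent.clear()  # alert once per burst, then start counting again
            return True
        return False


def parse_line(line):
    """Split one constructed log line into (datetime, source, reply code)."""
    ts, src, code, _text = line.split(" ", 3)
    return datetime.fromisoformat(ts), src, int(code)


def run_detection(log_text, count=5, seconds=60):
    """Return [(iso timestamp, source)] for every time the threshold is hit."""
    tracker = FailedLoginTracker(count, seconds)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, code = parse_line(line)
        if tracker.observe(ts, src, code):
            alerts.append((ts.isoformat(), src))
    return alerts


if __name__ == "__main__":
    for when, src in run_detection(SAMPLE_LOG):
        print("ALERT %s: %s exceeded failed-login threshold" % (when, src))
```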

Re: [Full-disclosure] Computer name should match with your real identity?

2011-04-29 Thread lists
On Fri, Apr 29, 2011 at 12:56:04PM +0530, taneja.secur...@gmail.com wrote:
> So need any ref./case study/security policy referencing not to have real
> name .

RFC 1178



[Full-disclosure] Stress Testing / DoS Tools comparison

2011-04-29 Thread Sec Tools
First of all, thanks for all the feedback! 

I have done a lot of extensive lab and real world (worldwide) testing
the last weeks and I've found that many of the pretentious/experimental
tools do nothing more than annoy you and make you lose your time (i.e.
'dark ddoser' and 't50' are jokes with unnecessary fake 37337ness and
kiddie videos added). 

Huzeyfe, Gaurang, Glowing, Shinnok, Aaron and Xavier - I have followed
your savvy advice and now I'm having the best results with these 3
tools:

Ddossim, Mausezahn and Tcpreplay

peace out, 

John James

http://sectools.org/ 



Re: [Full-disclosure] psnhack - playstation network hack

2011-04-29 Thread satyam pujari
Yep man, this is unfortunate , I like PS too

http://www.theregister.co.uk/2011/04/26/sony_playstation_network_security_breach/
http://www.darknet.org.uk/2011/04/sony-playstation-network-hack-resulted-in-stolen-user-data-lawsuit/
http://www.informationweek.com/news/security/attacks/229402362
http://latimesblogs.latimes.com/technology/2011/04/sony-playstation-hack.html
http://in.playstation.com/home/news/articles/detail/item369508/PSN-Qriocity-Service-Update/

Regards,
Satyamhax
http://esploit.blogspot.com/

On Sat, Apr 30, 2011 at 6:06 AM, Benji  wrote:
> wowa when did this happen? what're all these links?
> I'm glad you sent this email as I wouldn't have heard about this without it.
>
> On Sat, Apr 30, 2011 at 1:30 AM, satyam pujari  wrote:
>>
>> Hello List,
>>
>> quick update on the recent psnhack
>>
>>
>> IRC chat logs are for Feb 16th (they do not disclose the real “usernames”
>> and are incomplete)
>>
>>
>> ==
>>
>>
>> http://www.psx-sense.nl/46022/chatlog-hackers-credit-card-gegevens-niet-voldoende-encrypted/
>>
>> http://pastie.org/pastes/1570691/text?key=97oth9v5tspkiztwwdmnga
>>
>> http://pastebin.com/m0ZxsjAb
>>
>>
>> ==
>>
>> Below the full IRC logs for Feb 16th  with “real user names” and “time
>> stamp”
>>
>> ==
>>
>> http://173.255.232.215/logs/efnet/ps3dev/2011-02-16
>>
>>
>>
>> ===
>>
>> *Related* IRC LOGS OF PSN HACKS (Logs are being updated here)
>>
>> 
>>
>>
>> “Log system created and maintained by tpw_rules and his bot,
>> DoctorBot. Stats are generated approximately every 20 minutes.”
>>
>>
>> http://173.255.232.215/logs/efnet/ps3dev/ (Full IRC log from
>> 01-12-2011 to 04-29-2011 as of yet )
>>
>> http://173.255.232.215/logs/efnet/ps3dev/stats (#ps3dev @ EFNet stats
>> by tpw_rules)
>>
>>
>> DHS & FBI involvement !
>> 
>>
>>
>> http://www.industrygamers.com/news/psn-data-breach-investigation-getting-help-from-homeland-security/
>>
>>
>> http://www.gamasutra.com/view/news/34364/Homeland_Security_Department_Helping_Investigate_PSN_Data_Breach.php
>>
>>
>>
>> Did Anonops hack it?
>> =
>>
>> anon "We didn't do it"
>>
>> http://twitpic.com/4r6dpo
>>
>> ==
>> Kevin Stevens, security analyst with Trend Micro, who informed about
>> it initially (recent tweets):
>>
>>
>> ===
>>
>> killercube Kevin Stevens
>>
>> This #PSNHack is turning into a bunch of FUD, it really is. I posted
>> up what I saw to warn people, not to incite the masses to create FUD.
>>
>> 9 hours ago
>>
>>
>> killercube Kevin Stevens
>>
>> @
>>
>> @KingNYC1 This is not BS. It is called seeing a post on a forum and
>> tweeting about it. I already clearly stated that I had not seen the DB
>>
>> 9 hours ago
>>
>>
>> killercube Kevin Stevens
>>
>> @
>>
>> @speekmeister It is not a rumor, it was a conversation on a criminal
>> forum. I never saw the DB so I can't verify if it is real.
>>
>> 29 Apr
>>
>>
>> =
>>
>>
>> The question is “Does the DB really exist ? looks like no one saw the DB
>> yet !”
>>
>> Thoughts?
>>
>> Regards,
>> Satyamhax
>> http://esploit.blogspot.com/
>
>



[Full-disclosure] [USN-1121-1] firefox vulnerabilities

2011-04-29 Thread Micah Gersten
==
Ubuntu Security Notice USN-1121-1
April 30, 2011

firefox vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.04

Summary:

Multiple firefox vulnerabilities

Software Description:
- firefox: Safe and easy web browser from Mozilla

Details:

Boris Zbarsky, Gary Kwong, Jesse Ruderman, Michael Wu, and Ted Mielczarek
discovered multiple memory vulnerabilities. An attacker could exploit these
to possibly run arbitrary code as the user running Firefox. (CVE-2011-0079)

It was discovered that there was a vulnerability in the memory handling of
certain types of content. An attacker could exploit this to possibly run
arbitrary code as the user running Firefox. (CVE-2011-0081)

It was discovered that Firefox incorrectly handled certain JavaScript
requests. An attacker could exploit this to possibly run arbitrary code as
the user running Firefox. (CVE-2011-0069)

Ian Beer discovered a vulnerability in the memory handling of certain
types of documents. An attacker could exploit this to possibly run
arbitrary code as the user running Firefox. (CVE-2011-0070)

Chris Evans discovered a vulnerability in Firefox's XSLT generate-id()
function. An attacker could possibly use this vulnerability to make other
attacks more reliable. (CVE-2011-1202)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.04:
  firefox 4.0.1+build1+nobinonly-0ubuntu0.11.04.1

After a standard system update you need to restart Firefox to make all the
necessary changes.

References:
  CVE-2011-0079 CVE-2011-0081 CVE-2011-0069 CVE-2011-0070 CVE-2011-1202

Package Information:
  https://launchpad.net/ubuntu/+source/firefox/4.0.1+build1+nobinonly-0ubuntu0.11.04.1






Re: [Full-disclosure] psnhack - playstation network hack

2011-04-29 Thread Benji
wowa when did this happen? what're all these links?

I'm glad you sent this email as I wouldn't have heard about this without it.

On Sat, Apr 30, 2011 at 1:30 AM, satyam pujari  wrote:

> Hello List,
>
> quick update on the recent psnhack
>
>
> IRC chat logs are for Feb 16th (they do not disclose the real “usernames”
> and are incomplete)
>
>
> ==
>
>
> http://www.psx-sense.nl/46022/chatlog-hackers-credit-card-gegevens-niet-voldoende-encrypted/
>
> http://pastie.org/pastes/1570691/text?key=97oth9v5tspkiztwwdmnga
>
> http://pastebin.com/m0ZxsjAb
>
>
> ==
>
> Below the full IRC logs for Feb 16th  with “real user names” and “time
> stamp”
>
> ==
>
> http://173.255.232.215/logs/efnet/ps3dev/2011-02-16
>
>
>
> ===
>
> *Related* IRC LOGS OF PSN HACKS (Logs are being updated here)
>
> 
>
>
> “Log system created and maintained by tpw_rules and his bot,
> DoctorBot. Stats are generated approximately every 20 minutes.”
>
>
> http://173.255.232.215/logs/efnet/ps3dev/ (Full IRC log from
> 01-12-2011 to 04-29-2011 as of yet )
>
> http://173.255.232.215/logs/efnet/ps3dev/stats (#ps3dev @ EFNet stats
> by tpw_rules)
>
>
> DHS & FBI involvement !
> 
>
>
> http://www.industrygamers.com/news/psn-data-breach-investigation-getting-help-from-homeland-security/
>
>
> http://www.gamasutra.com/view/news/34364/Homeland_Security_Department_Helping_Investigate_PSN_Data_Breach.php
>
>
>
> Did Anonops hack it?
> =
>
> anon "We didn't do it"
>
> http://twitpic.com/4r6dpo
>
> ==
> Kevin Stevens, security analyst with Trend Micro, who informed about
> it initially (recent tweets):
>
>
> ===
>
> killercube Kevin Stevens
>
> This #PSNHack is turning into a bunch of FUD, it really is. I posted
> up what I saw to warn people, not to incite the masses to create FUD.
>
> 9 hours ago
>
>
> killercube Kevin Stevens
>
> @
>
> @KingNYC1 This is not BS. It is called seeing a post on a forum and
> tweeting about it. I already clearly stated that I had not seen the DB
>
> 9 hours ago
>
>
> killercube Kevin Stevens
>
> @
>
> @speekmeister It is not a rumor, it was a conversation on a criminal
> forum. I never saw the DB so I can't verify if it is real.
>
> 29 Apr
>
>
> =
>
>
> The question is “Does the DB really exist ? looks like no one saw the DB
> yet !”
>
> Thoughts?
>
> Regards,
> Satyamhax
> http://esploit.blogspot.com/
>

[Full-disclosure] psnhack - playstation network hack

2011-04-29 Thread satyam pujari
Hello List,

quick update on the recent psnhack


IRC chat logs are for Feb 16th (they do not disclose the real “usernames”
and are incomplete)

==

http://www.psx-sense.nl/46022/chatlog-hackers-credit-card-gegevens-niet-voldoende-encrypted/

http://pastie.org/pastes/1570691/text?key=97oth9v5tspkiztwwdmnga

http://pastebin.com/m0ZxsjAb


==

Below the full IRC logs for Feb 16th  with “real user names” and “time stamp”

==

http://173.255.232.215/logs/efnet/ps3dev/2011-02-16



===

*Related* IRC LOGS OF PSN HACKS (Logs are being updated here)




“Log system created and maintained by tpw_rules and his bot,
DoctorBot. Stats are generated approximately every 20 minutes.”


http://173.255.232.215/logs/efnet/ps3dev/ (Full IRC log from
01-12-2011 to 04-29-2011 as of yet )

http://173.255.232.215/logs/efnet/ps3dev/stats (#ps3dev @ EFNet stats
by tpw_rules)


DHS & FBI involvement !


http://www.industrygamers.com/news/psn-data-breach-investigation-getting-help-from-homeland-security/

http://www.gamasutra.com/view/news/34364/Homeland_Security_Department_Helping_Investigate_PSN_Data_Breach.php



Did Anonops hack it?
=

anon "We didn't do it"

http://twitpic.com/4r6dpo

==
Kevin Stevens, security analyst with Trend Micro, who informed about
it initially (recent tweets):

===

killercube Kevin Stevens

This #PSNHack is turning into a bunch of FUD, it really is. I posted
up what I saw to warn people, not to incite the masses to create FUD.

9 hours ago


killercube Kevin Stevens

@

@KingNYC1 This is not BS. It is called seeing a post on a forum and
tweeting about it. I already clearly stated that I had not seen the DB

9 hours ago


killercube Kevin Stevens

@

@speekmeister It is not a rumor, it was a conversation on a criminal
forum. I never saw the DB so I can't verify if it is real.

29 Apr

=


The question is “Does the DB really exist ? looks like no one saw the DB yet !”

Thoughts?

Regards,
Satyamhax
http://esploit.blogspot.com/


Re: [Full-disclosure] Barracuda backdoor

2011-04-29 Thread Benji
The real question is why is this guy using a fish to protect his network? is
it dead?

On Fri, Apr 29, 2011 at 4:38 PM,  wrote:

> On Fri, 29 Apr 2011 08:13:31 PDT, bk said:
>
> (Agreeing with most of what you said)
>
> > Anyone with a reasonable level of technical competence who has ever
> > implemented one of these appliances from any vendor in this space would
> > already be well aware of these facts.
>
> On the other hand, remember that Barracuda gear is targeted at those
> sites who *don't* roll their own...
>
>

[Full-disclosure] [USN-1123-1] xulrunner-1.9.1 vulnerabilities

2011-04-29 Thread Micah Gersten
==
Ubuntu Security Notice USN-1123-1
April 30, 2011

xulrunner-1.9.1 vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 9.10

Summary:

Multiple xulrunner-1.9.1 vulnerabilities

Software Description:
- xulrunner-1.9.1: XUL + XPCOM application runner

Details:

A large number of security issues were discovered in the Gecko rendering
engine. If a user were tricked into viewing a malicious website, a remote
attacker could exploit a variety of issues related to web browser security,
including cross-site scripting attacks, denial of service attacks, and
arbitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 9.10:
  xulrunner-1.9.1 1.9.1.19+build2+nobinonly-0ubuntu0.9.10.1

After a standard system update you need to restart any applications which
use Xulrunner to make all the necessary changes.

References:
  CVE-2010-3776 CVE-2010-3778 CVE-2011-0053 CVE-2011-0062 CVE-2011-0051 
CVE-2011-0055 CVE-2011-0054 CVE-2011-0056 CVE-2011-0057 CVE-2011-0058 
CVE-2010-1585 CVE-2011-0059 CVE-2011-0069 CVE-2011-0070 CVE-2011-0080 
CVE-2011-0074 CVE-2011-0075 CVE-2011-0077 CVE-2011-0078 CVE-2011-0072 
CVE-2011-0065 CVE-2011-0066 CVE-2011-0073 CVE-2011-0067 CVE-2011-0071 
CVE-2011-1202

Package Information:
  https://launchpad.net/ubuntu/+source/xulrunner-1.9.1/1.9.1.19+build2+nobinonly-0ubuntu0.9.10.1






[Full-disclosure] [USN-1112-1] Firefox and Xulrunner vulnerabilities

2011-04-29 Thread Micah Gersten
==
Ubuntu Security Notice USN-1112-1
April 29, 2011

firefox, firefox-3.0, firefox-3.5, xulrunner-1.9.2 vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 9.10
- Ubuntu 8.04 LTS

Summary:

Multiple vulnerabilities in Firefox and Xulrunner

Software Description:
- firefox: safe and easy web browser from Mozilla
- xulrunner-1.9.2: XUL + XPCOM application runner
- firefox-3.5: safe and easy web browser from Mozilla
- firefox-3.0: safe and easy web browser from Mozilla

Details:

It was discovered that there was a vulnerability in the memory handling of
certain types of content. An attacker could exploit this to possibly run
arbitrary code as the user running Firefox. (CVE-2011-0081)

It was discovered that Firefox incorrectly handled certain JavaScript
requests. An attacker could exploit this to possibly run arbitrary code as
the user running Firefox. (CVE-2011-0069)

Ian Beer discovered a vulnerability in the memory handling of certain
types of documents. An attacker could exploit this to possibly run
arbitrary code as the user running Firefox. (CVE-2011-0070)

Bob Clary, Henri Sivonen, Marco Bonardo, Mats Palmgren and Jesse Ruderman
discovered several memory vulnerabilities. An attacker could exploit these
to possibly run arbitrary code as the user running Firefox. (CVE-2011-0080)

Aki Helin discovered multiple vulnerabilities in the HTML rendering code.
An attacker could exploit these to possibly run arbitrary code as the user
running Firefox. (CVE-2011-0074, CVE-2011-0075)

Ian Beer discovered multiple overflow vulnerabilities. An attacker could
exploit these to possibly run arbitrary code as the user running Firefox.
(CVE-2011-0077, CVE-2011-0078)

Martin Barbella discovered a memory vulnerability in the handling of
certain DOM elements. An attacker could exploit this to possibly run
arbitrary code as the user running Firefox. (CVE-2011-0072)

It was discovered that there were use-after-free vulnerabilities in
Firefox's mChannel and mObserverList objects. An attacker could exploit
these to possibly run arbitrary code as the user running Firefox.
(CVE-2011-0065, CVE-2011-0066)

It was discovered that there was a vulnerability in the handling of the
nsTreeSelection element. An attacker serving malicious content could
exploit this to possibly run arbitrary code as the user running Firefox.
(CVE-2011-0073)

Paul Stone discovered a vulnerability in the handling of Java applets. An
attacker could use this to mimic interaction with form autocomplete
controls and steal entries from the form history. (CVE-2011-0067)

Soroush Dalili discovered a vulnerability in the resource: protocol. This
could potentially allow an attacker to load arbitrary files that were
accessible to the user running Firefox. (CVE-2011-0071)

Chris Evans discovered a vulnerability in Firefox's XSLT generate-id()
function. An attacker could possibly use this vulnerability to make other
attacks more reliable. (CVE-2011-1202)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.10:
  firefox 3.6.17+build3+nobinonly-0ubuntu0.10.10.1
  xulrunner-1.9.2 1.9.2.17+build3+nobinonly-0ubuntu0.10.10.1

Ubuntu 10.04 LTS:
  firefox 3.6.17+build3+nobinonly-0ubuntu0.10.04.1
  xulrunner-1.9.2 1.9.2.17+build3+nobinonly-0ubuntu0.10.04.1

Ubuntu 9.10:
  firefox 3.6.17+build3+nobinonly-0ubuntu0.9.10.1
  xulrunner-1.9.2 1.9.2.17+build3+nobinonly-0ubuntu0.9.10.1

Ubuntu 8.04 LTS:
  firefox 3.6.17+build3+nobinonly-0ubuntu0.8.04.1
  xulrunner-1.9.2 1.9.2.17+build3+nobinonly-0ubuntu0.8.04.1

After a standard system update you need to restart Firefox and any
applications which use Xulrunner to make all the necessary changes.

References:
  CVE-2011-0081 CVE-2011-0069 CVE-2011-0070 CVE-2011-0080 CVE-2011-0074 
CVE-2011-0075 CVE-2011-0077 CVE-2011-0078 CVE-2011-0072 CVE-2011-0065 
CVE-2011-0066 CVE-2011-0073 CVE-2011-0067 CVE-2011-0071 CVE-2011-1202

Package Information:
  https://launchpad.net/ubuntu/+source/firefox/3.6.17+build3+nobinonly-0ubuntu0.10.10.1
  https://launchpad.net/ubuntu/+source/xulrunner-1.9.2/1.9.2.17+build3+nobinonly-0ubuntu0.10.10.1
  https://launchpad.net/ubuntu/+source/firefox/3.6.17+build3+nobinonly-0ubuntu0.10.04.1
  https://launchpad.net/ubuntu/+source/xulrunner-1.9.2/1.9.2.17+build3+nobinonly-0ubuntu0.10.04.1
  https://launchpad.net/ubuntu/+source/firefox-3.5/3.6.17+build3+nobinonly-0ubuntu0.9.10.1
  https://launchpad.net/ubuntu/+source/xulrunner-1.9.2/1.9.2.17+build3+nobinonly-0ubuntu0.9.10.1
  https://launchpad.net/ubuntu/+source/firefox-3.0/3.6.17+build3+nobinonly-0ubuntu0.8.04.1
  h

Re: [Full-disclosure] Code Execution vulnerability в WordPress

2011-04-29 Thread -= Glowing Doom =-
Agreed,
   I run WP and, unless the admin is malignant towards your server, this is
nothing but simple template editing which can be done.. normally, as admin
with perms.. ofc, if you have a bad apple in the bunch, it will eventually
show up in some way.. this is just a level of trust given to WP-Admins, which
Could or could-NOT be compromised, depends on your admins... I know on my
site, that's not a possible scenario to attack this and exploit, simply don't
have admins :>
xd


On 30 April 2011 07:53, Christian Sciberras  wrote:

> Just for your (and everyone else's) information, Wordpress allows
> Administrators to Edit Template code, which, as you may or may not know, is nothing
> but plain PHP code.
> Besides, Wordpress can be made to upload rogue addons (under this same
> role), among many other things malicious Administrators might want to do.
>
> At this point I don't think it makes the least sense to call such a feature
> a vulnerability, not because it's not exploitable, but because of the simple
> reason that when you're dead you should call it quits and stop fcking
> pretending nothing happened to you. If that didn't hit, let me state it
> plain and simple, if your server is compromised, there are ZERO reasons you
> would want the attacker to not be able to install plugins simply because it
> can't be done.
>
> Yes, I'm in a mode and simply can't student clueless idiots trying to make
> headlines with fancy irrelevant titles.
>
> While at it, MustLive, here's a clue, PHP is one huge exploit; it can run
> code(oh noes)!!
>
>
>
>
> On Fri, Apr 29, 2011 at 7:13 PM, MustLive wrote:
>
>> Hello list!
>>
>> I want to warn you about Code Execution vulnerability in WordPress.
>>
>> SecurityVulns ID: 11622.
>>
>> -
>> Affected products:
>> -
>>
>> Vulnerable are WordPress versions 2.5 - 3.1.1. The new version 3.1.2, which
>> was released on the 26th of April, just after my disclosure, must also be
>> vulnerable.
>> The attack via double extension will work on Apache with the appropriate
>> configuration.
>>
>> --
>> Details:
>> --
>>
>> Code Execution (WASC-31) attack is possible in WordPress via uploader. The
>> attack can be conducted by users with roles Author, Editor and
>> Administrator.
>>
>> In WordPress 2.5 - 2.8.4 it's possible to upload php scripts (1.php) in
>> the Media Library. In 2.5 - 2.7.1 the attack is possible only for
>> Administrator.
>> For Author and Editor it's not possible to upload 1.php, nor will the attack
>> work via double extensions.
>>
>> In version 2.8.5 it was prohibited for Administrator as well. And even in
>> 2.8 - 2.8.5, for Author and Editor (and for Administrator in 2.8.5) it's
>> impossible to upload 1.php, but it's possible to upload 1.php.txt.
>>
>> Also, in WP 2.0 - 2.0.11 (where there was no Media Library) all roles
>> were prohibited from uploading files with the php extension (and the
>> bypassing method didn't work), as in versions 2.1.x, 2.2.x and 2.3.x. Only
>> in WordPress 2.2 (http://websecurity.com.ua/1276/) Alexander Concha found a
>> vulnerability which allowed uploading files with the php extension.
>>
>> In version 2.8.6 and higher it's already prohibited. The attack via double
>> extensions (1.php.txt and 1.asp;.txt) will not work, but it's possible to
>> use 1.phtml.txt (for all three roles) to execute code.
>>
>> 
>> Timeline:
>> 
>>
>> 2011.04.26 - disclosed at my site. As I already wrote many times to
>> security mailing lists (http://www.securityfocus.com/archive/1/510274),
>> since 2008 I no longer inform WP developers about vulnerabilities in
>> WordPress.
>>
>> I mentioned these vulnerabilities at my site
>> (http://websecurity.com.ua/5108/).
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua
>>
>>
>>
>
>
>
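Added example, not WordPress's or MustLive's code: the three upload-name checks the quoted advisory describes, side by side, applied to the filenames it names (1.php.txt, 1.asp;.txt, 1.phtml.txt), plus the rename-on-storage fix. The allow and deny extension sets and the `token` parameter are constructed for illustration.

```python
"""Upload-name checks modelled on the WordPress double-extension report (added
example, not WordPress or MustLive's code).

Three checks side by side: the last-extension-only check that "1.php.txt" got
past in 2.8 - 2.8.5, the narrow segment denylist that still let "1.phtml.txt"
through in 2.8.6+, and a hardened check. The Apache side of the bypass: when
PHP is attached with
    AddHandler application/x-httpd-php .php
mod_mime treats every dot-separated part of a filename as an extension, so a
name ending in ".txt" can still be routed to the PHP handler.
"""
import re

# Extensions an upload endpoint may accept (constructed for illustration).
ALLOWED = {"jpg", "jpeg", "png", "gif", "txt", "pdf"}

# The limited set the 2.8.6-era check is described as catching.
NARROW_DENYLIST = {"php", "asp"}

# Anything a hardened check should refuse in *any* position of the name.
EXECUTABLE = {"php", "php3", "php4", "php5", "phtml", "phps", "phar",
              "asp", "aspx", "jsp", "cgi", "pl", "py", "sh", "htaccess"}


def segments(filename):
    """Split the way mod_mime (dots) and IIS-era parsers (semicolons) would."""
    return [s.lower() for s in re.split(r"[.;]", filename)]


def check_last_extension_only(filename):
    """2.8 - 2.8.5 behaviour: only the final extension is examined."""
    return segments(filename)[-1] in ALLOWED


def check_narrow_denylist(filename):
    """2.8.6+ behaviour as reported: php/asp segments refused, phtml missed."""
    segs = segments(filename)
    return segs[-1] in ALLOWED and not any(s in NARROW_DENYLIST for s in segs[:-1])


def check_hardened(filename):
    """Allowlist the final extension and refuse executable or empty inner segments."""
    segs = segments(filename)
    if len(segs) < 2 or any(not s for s in segs):  # no extension, ".x" or ";" tricks
        return False
    if segs[-1] not in ALLOWED:
        return False
    return not any(s in EXECUTABLE for s in segs[1:-1])


def safe_storage_name(filename, token):
    """Store under a server-chosen name carrying exactly one allowlisted extension.

    `token` is a caller-supplied random identifier (assumed); the original
    basename never reaches the filesystem, so no inner segment can be handled.
    """
    if not check_hardened(filename):
        raise ValueError("rejected upload name: %r" % filename)
    return "%s.%s" % (token, segments(filename)[-1])


if __name__ == "__main__":
    for name in ("1.php.txt", "1.asp;.txt", "1.phtml.txt", "photo.JPG"):
        print(name, check_last_extension_only(name),
              check_narrow_denylist(name), check_hardened(name))
```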

Re: [Full-disclosure] Computer name should match with your real identity?

2011-04-29 Thread Csirt, Star
Same here as well, for an organization-wide global naming convention.

W/S/L-workstation, server, laptop
P/T/I-Prod/Test/Integration
BOS/HQ/FIN-Location or department
www/sql/orc/fp-web, db, file and print etc
lb01/hdn005-Load balanced, Help Desk North and numbers

ETC


-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Michael Holstein
Sent: Friday, April 29, 2011 3:17 PM
To: taneja.secur...@gmail.com
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Computer name should match with your real 
identity?


> I am not doing it 

You are free to reject corporate policy as you see fit.
Your personal effects will be at the security desk on Friday. We will
mail your last check.

> it could be case of "information leakage"
>   

Internal NETBIOS/DNS names are generally helpful for identification of
machines, and most places follow some sort of template of
location+type+model+serial .. just so the IT department doesn't have to
figure out some UNIX admin's scheme-de-jour of colors/gods/planets/whatever.

Really .. what's easier to find the location/function of .. the machine
named CORPHQWWWDEV1 or the one named "Aristotle".

Michael Holstein
Cleveland State University




Re: [Full-disclosure] Barracuda backdoor

2011-04-29 Thread Cal Leeming
On Fri, Apr 29, 2011 at 4:13 PM, bk  wrote:

> On Apr 29, 2011, at 6:11 AM, Cal Leeming wrote:
>
>
> On Fri, Apr 29, 2011 at 3:30 AM, bk  wrote:
>
>>
>> On Fri, Apr 29, 2011 at 3:17 AM, bk  wrote:
>>
>>> On Apr 28, 2011, at 3:09 AM, Tõnu Samuel wrote:
>>>
>>> > One day their Barracuda product stopped working.
>>> >
>>> > After investigating problem it came out that Barracuda reseller and
>>> > Barracuda itself have some misunderstandings and because of this
>>> > Barracuda not only disabled all kind of subscription services
>>>
>>> Your unsubstantiated claims don't bear repeating.  I will however point
>>> out that many vendors disable some portion of functionality when
>>> subscription or support payments lapse.  This is widely done in the industry
>>> and a surprise to no one.
>>>
>>> --
>>> chort
>>> ___
>>>
>> On Apr 28, 2011, at 7:20 PM, Cal Leeming wrote:
>>
>> Name ten.
>>
>>
>> For starters, every anti-spam company ever.  I should know, I've worked
>> for half of them.  At the very least you cannot get upgrades or patches of
>> any kind.  Most of them disable anti-spam updates, all of them disable
>> anti-virus updates, and some even disable anti-spam scanning entirely.  The
>> anti-spam SaaS vendors I know of will disable accepting your mail after a
>> grace period if you haven't moved your MX records.
>>
>> Hmm, let's see.  Firewall vendors won't let you apply updates, some of
>> them cripple VPN functionality when your license has expired... really, do
>> we need to go on?  There's a long precedent for products going into a
>> degraded mode if your subscription or license expires.
>>
>> --
>> chort
>>
>>
>> Everything you have mentioned there is for when you have 'leased' a product,
>> so if the license runs out, of course it's going to terminate those 'leased'
>> services.
>
>
> Actually, no.  I'm really starting to doubt you have any experience whatsoever
> with enterprise products.  Every appliance I've ever heard of or sold
> personally is sold, as in ownership is transferred.  The physical unit
> belongs to the party who purchased it.  The continuing fees or subscriptions
> cover:
> 1.  Support
> 2.  Product updates and patches
> 3.  Updates to anti-spam and anti-virus definitions
> 4.  Other product features that either require infrastructure on the
> vendor's part, or capabilities that are OEM'd from another vendor and
> require recurring royalty fees.
>

Are you referring to hardware or virtual appliances? Almost everything I
have used in an enterprise deployment, has been where the unit was owned
outright by the customer, with the license simply being for support.

Take Zeus products (ZXTM) for example.


>
> In all those cases the hardware unit doesn't just stop working, but certain
> aspects of the software functionality that require money & effort from the
> vendor to support do cease to operate.
>


>
> I believe OP is wildly exaggerating the extent to which functionality was
> impaired.  I also really doubt that Barracuda, with thousands of units
> deployed in the field, would assign a human being to individually login
> remotely and disable them.  They probably do it like most other vendors,
> where the units do periodic phone-home functions to a set of license
> servers.  If there isn't an updated license present for the unit to
> download, functionality automatically turns off when the original license on
> the box expires.
>
> Lastly, to touch on the other "shocking" subject, yes security appliance
> vendors have ssh access to the units in the field, either directly or via
> reverse tunnel.  Every vendor I have experience with calls this out in their
> documentation and the customer either has to allow it explicitly through their
> firewall, or they're given the option to block it (in the case of reverse
> tunnel).
>

I can understand why this feature would be in there, but I am strongly
against the practise of it being on an opt-out basis, not opt-in.


>
> Anyone with a reasonable level of technical competence who has ever
> implemented one of these appliances from any vendor in this space would
> already be well aware of these facts.  You'd probably all be stunned to
> learn that your phones, which can position you with accuracy of a few
> hundred feet, are storing information about locations of beaconing objects
> around them.  Yes, I'll give you a few minutes to get over that shock.
>

You can stop with the smart ass comments.


>
> --
> chort
>
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Stress Testing Tools

2011-04-29 Thread Teófilo Couto
In some scenarios (HTTP/s protocols), SIEGE might be a nice tool! 


Best regards, 

Teófilo Couto 
AnubisNetworks 
Av. Quinta Grande, 53 
Edifício Prime, 5ºA 
Alfragide 
2610-156 AMADORA 
Portugal 

Tel. : +351 217 252 110 
Mobile: + 351 91 486 99 02 
Fax : +351 217 252 119 
teofilo.co...@anubisnetworks.com 
http://www.anubisnetworks.com 

Join our community at http://world.anubisnetworks.com 
Follow Us on Twitter http://twitter.com/anubisnetworks 



- Original Message - 
From: "-= Glowing Doom =-"  
To: "Gaurang Pandya"  
Cc: full-disclosure@lists.grok.org.uk 
Sent: Friday, April 29, 2011 4:30:02 AM 
Subject: Re: [Full-disclosure] Stress Testing Tools 

Try t50 packet injector... (much much faster checksum) even t49... now open src 
I believe.. well, this is the hardest known packet flooder :)... at least, that I 
know of.. also, oping is 'not bad' and for stress, borrow a ddos army for the 
day... 
xd 



On 29 April 2011 13:14, Gaurang Pandya < gaub...@yahoo.com > wrote: 





I have generated around 4G of attack using Hping from 6 servers, and I could 
have still increased it but that was all I needed. So I think hping does good 
job.. 

Gaurang. 




From: Oscar < shyamsecurity...@gmail.com > 
To: Sec Tools < secto...@wildmail.com > 
Cc: full-disclosure@lists.grok.org.uk 
Sent: Wed, April 27, 2011 5:44:14 PM 
Subject: Re: [Full-disclosure] Stress Testing Tools 

Hi, 

I am also on the verge of testing firewall/IDS/IPS; currently I am looking at 
some DoS/DDoS/stress testing tools.. Please help me with that.. 

Thanks in Advance 
Oscar 


On Wed, Apr 27, 2011 at 11:17 AM, Sec Tools < secto...@wildmail.com > wrote: 



I've been using a combination of Mausezahn ( 
http://www.perihel.at/sec/mz/index.html ), Tcpreplay ( 
http://tcpreplay.synfin.net ) and some times Scapy ( 
http://www.secdev.org/projects/scapy/ ) for our 1G/10G network stress testing 
needs ( mostly for probing and checking the resilience of new network 
appliances ). 

I noted that these tools were not updated recently (for approx. one year). Do you 
guys have any suggestions on better approaches / really good new tools to do 
this? ( note that currently our budget does not allow the use of hardware based 
solutions ). 

Best Regards, 

John James 
http://sectools.org/ 




Re: [Full-disclosure] Barracuda backdoor

2011-04-29 Thread Cal Leeming
Name ten.

On Fri, Apr 29, 2011 at 3:17 AM, bk  wrote:

> On Apr 28, 2011, at 3:09 AM, Tõnu Samuel wrote:
>
> > One day their Barracuda product stopped working.
> >
> > After investigating problem it came out that Barracuda reseller and
> > Barracuda itself have some misunderstandings and because of this
> > Barracuda not only disabled all kind of subscription services
>
> Your unsubstantiated claims don't bear repeating.  I will however point
> out that many vendors disable some portion of functionality when
> subscription or support payments lapse.  This is widely done in the industry
> and a surprise to no one.
>
> --
> chort

Re: [Full-disclosure] Code Execution vulnerability в WordPress

2011-04-29 Thread Christian Sciberras
Just for your (and everyone else's) information, Wordpress allows
Administrators to edit template code, which, as you may or may not know, is
nothing but plain PHP code.
Besides, Wordpress can be made to upload rogue addons (under this same
role), among many other things malicious Administrators might want to do.

At this point I don't think it makes the least sense to call such a feature
a vulnerability, not because it's not exploitable, but because of the simple
reason that when you're dead you should call it quits and stop fcking
pretending nothing happened to you. If that didn't hit, let me state it
plain and simple: if your server is compromised, there are ZERO reasons you
would want the attacker to not be able to install plugins simply because it
can't be done.

Yes, I'm in a mood and simply can't stand clueless idiots trying to make
headlines with fancy irrelevant titles.

While at it, MustLive, here's a clue, PHP is one huge exploit; it can run
code (oh noes)!!




On Fri, Apr 29, 2011 at 7:13 PM, MustLive wrote:

> Hello list!
>
> I want to warn you about Code Execution vulnerability in WordPress.
>
> SecurityVulns ID: 11622.
>
> -
> Affected products:
> -
>
> Vulnerable are versions WordPress 2.5 - 3.1.1. The new version 3.1.2, which
> was released on the 26th of April just after my disclosure, must also be
> vulnerable. The attack via double extension will work on Apache with an
> appropriate configuration.
>
> --
> Details:
> --
>
> Code Execution (WASC-31) attack is possible in WordPress via uploader. The
> attack can be conducted by users with roles Author, Editor and
> Administrator.
>
> In WordPress 2.5 - 2.8.4 it's possible to upload php scripts (1.php) to the
> Media Library. In 2.5 - 2.7.1 the attack is possible only for
> Administrator.
> For Author and Editor it's not possible to upload 1.php, nor will the attack
> work via double extensions.
>
> In version 2.8.5 it was prohibited also for Administrator. And even in 2.8 -
> 2.8.5 for Author and Editor (and for Administrator in 2.8.5) it's impossible
> to upload 1.php, but it's possible to upload 1.php.txt.
>
> Moreover, in WP 2.0 - 2.0.11 (where there was no Media Library) all roles
> were prohibited from uploading files with the php extension (and the bypass
> method didn't work), as in versions 2.1.x, 2.2.x and 2.3.x. Only in WordPress
> 2.2 (http://websecurity.com.ua/1276/) did Alexander Concha find a
> vulnerability which allowed uploading files with the php extension.
>
> In version 2.8.6 and higher it's already prohibited. The attack via double
> extensions (1.php.txt and 1.asp;.txt) will not work, but it's possible to
> use 1.phtml.txt (for all three roles) to execute code.
>
> 
> Timeline:
> 
>
> 2011.04.26 - disclosed at my site. As I have already written many times to
> security mailing lists (http://www.securityfocus.com/archive/1/510274),
> since 2008 I no longer inform WP developers about vulnerabilities in WordPress.
>
> I mentioned these vulnerabilities at my site
> (http://websecurity.com.ua/5108/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
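A defender-side check for the upload bypasses MustLive lists above (1.php, 1.php.txt, 1.asp;.txt, 1.phtml.txt), written here as an added Python example that is neither WordPress code nor the poster's. It assumes the classic Apache behaviour behind double-extension bypasses (mod_mime treating every dotted segment as an extension when PHP is bound with AddHandler); the extension sets and the sanitising policy are assumptions for the example.

```python
import re
from typing import List, Optional

# Extensions a typical Apache + PHP install may hand to an interpreter.  The
# post names php, phtml and "asp;" as working bypasses; the rest of this set
# is an assumption for the example, not a list taken from WordPress.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "phtml", "phps", "phar",
    "asp", "aspx", "cgi", "pl", "py", "sh",
}

# Final extensions the (hypothetical) media library is willing to store.
ALLOWED_FINAL_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "txt", "pdf"}


def extension_segments(name: str) -> List[str]:
    """Return every extension-like segment of a filename, lower-cased.

    Apache's mod_mime treats every dotted segment as an extension when PHP is
    bound with AddHandler, so 'a.php.txt' yields ['php', 'txt'].  A ';' ends a
    segment because some servers truncate the name there, which is why the
    post lists 'a.asp;.txt' as a bypass ('asp;' yields 'asp').
    """
    return [seg.split(";", 1)[0].lower() for seg in name.split(".")[1:]]


def upload_name_problems(name: str) -> List[str]:
    """List every reason an upload filename must be rejected (empty = clean).

    The checks mirror the bypasses in the thread: a null byte in the name
    (the CVE-2006-7243 trick from the USN on this page), path separators and
    traversal names, an executable extension anywhere in the name, more than
    one extension, and a final extension outside the allow-list.  Anything
    with two extensions (archive.tar.gz included) is deliberately refused.
    """
    problems: List[str] = []
    if "\0" in name:
        problems.append("null byte in name")
        name = name.split("\0", 1)[0]  # what a C-based filesystem API would see
    if "/" in name or "\\" in name:
        problems.append("path separator in name")
    if name.strip() in ("", ".", ".."):
        problems.append("empty or traversal name")
    segments = extension_segments(name)
    if not segments:
        problems.append("no extension")
        return problems
    for seg in segments:
        if seg in EXECUTABLE_EXTENSIONS:
            problems.append(f"executable extension '{seg}'")
    if len(segments) > 1:
        problems.append("multiple extensions")
    if segments[-1] not in ALLOWED_FINAL_EXTENSIONS:
        problems.append(f"final extension '{segments[-1]}' not allowed")
    return problems


def sanitize_upload_name(name: str) -> Optional[str]:
    """Return a name safe to store, or None when the upload must be refused.

    Directory components and anything after a null byte are dropped, and only
    the final extension survives as an extension: every other dot in the stem
    becomes '_', so '1.phtml.txt' is stored as '1_phtml.txt' and no
    multi-extension handler rule can ever match it.
    """
    name = name.split("\0", 1)[0].replace("\\", "/").rsplit("/", 1)[-1]
    segments = extension_segments(name)
    if not segments or segments[-1] not in ALLOWED_FINAL_EXTENSIONS:
        return None
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", name.rsplit(".", 1)[0]) or "upload"
    return f"{stem}.{segments[-1]}"


if __name__ == "__main__":
    # Constructed sample names, built from the bypasses quoted in the post.
    for candidate in ("1.php", "1.php.txt", "1.asp;.txt", "1.phtml.txt",
                      "shell.php\0.jpg", "../../etc/passwd.txt", "photo.jpg"):
        print(repr(candidate), upload_name_problems(candidate),
              "->", sanitize_upload_name(candidate))
```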

Re: [Full-disclosure] Computer name should match with your real identity?

2011-04-29 Thread phil

>
> Recently got a policy from admin to change your PC name with your "name" +
> organisation name.
>

The funnier thing about that thread is that if you tell us that as a normal  
user, then that means you are a local admin, and most users must be local  
admins if they sent that policy to everyone. Kind of a security issue right  
there; the computer name is just not important. Who cares about your computer  
name when NetBIOS traffic stays local on your LAN? (e.g. your co-workers must  
already know your name, I hope so)


-phil



[Full-disclosure] [USN-1126-1] PHP vulnerabilities

2011-04-29 Thread Steve Beattie
==
Ubuntu Security Notice USN-1126-1
April 29, 2011

php5 vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 9.10
- Ubuntu 8.04 LTS
- Ubuntu 6.06 LTS

Summary:

Multiple vulnerabilities in PHP.

Software Description:
- php5: HTML-embedded scripting language interpreter

Details:

Stephane Chazelas discovered that the /etc/cron.d/php5 cron job for
PHP 5.3.5 allows local users to delete arbitrary files via a symlink
attack on a directory under /var/lib/php5/. (CVE-2011-0441)

Raphael Geisert and Dan Rosenberg discovered that the PEAR installer
allows local users to overwrite arbitrary files via a symlink attack on
the package.xml file, related to the (1) download_dir, (2) cache_dir,
(3) tmp_dir, and (4) pear-build-download directories. (CVE-2011-1072,
CVE-2011-1144)

Ben Schmidt discovered that a use-after-free vulnerability in the PHP
Zend engine could allow an attacker to cause a denial of service (heap
memory corruption) or possibly execute arbitrary code. (CVE-2010-4697)

Martin Barbella discovered a buffer overflow in the PHP GD extension
that allows an attacker to cause a denial of service (application crash)
via a large number of anti-aliasing steps in an argument to the
imagepstext function. (CVE-2010-4698)

It was discovered that PHP accepts the \0 character in a pathname,
which might allow an attacker to bypass intended access restrictions
by placing a safe file extension after this character. This issue
is addressed in Ubuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu 11.04.
(CVE-2006-7243)

Maksymilian Arciemowicz discovered that the grapheme_extract function
in the PHP Internationalization extension (Intl) for ICU allows
an attacker to cause a denial of service (crash) via an invalid
size argument, which triggers a NULL pointer dereference. This
issue affected Ubuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu
11.04. (CVE-2011-0420)

Maksymilian Arciemowicz discovered that the _zip_name_locate
function in the PHP Zip extension does not properly handle a
ZIPARCHIVE::FL_UNCHANGED argument, which might allow an attacker to
cause a denial of service (NULL pointer dereference) via an empty
ZIP archive. This issue affected Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu
10.04 LTS, Ubuntu 10.10, and Ubuntu 11.04. (CVE-2011-0421)

Luca Carettoni discovered that the PHP Exif extension performs an
incorrect cast on 64bit platforms, which allows a remote attacker
to cause a denial of service (application crash) via an image with
a crafted Image File Directory (IFD). (CVE-2011-0708)

Jose Carlos Norte discovered that an integer overflow in the PHP
shmop extension could allow an attacker to cause a denial of service
(crash) and possibly read sensitive memory function. (CVE-2011-1092)

Felipe Pena discovered that a use-after-free vulnerability in the
substr_replace function allows an attacker to cause a denial of
service (memory corruption) or possibly execute arbitrary code.
(CVE-2011-1148)

Felipe Pena discovered multiple format string vulnerabilities in the
PHP phar extension. These could allow an attacker to obtain sensitive
information from process memory, cause a denial of service (memory
corruption), or possibly execute arbitrary code. This issue affected
Ubuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu 11.04. (CVE-2011-1153)

It was discovered that a buffer overflow occurs in the strval function
when the precision configuration option has a large value. The default
compiler options for Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS,
Ubuntu 10.10, and Ubuntu 11.04 should reduce the vulnerability to a
denial of service. (CVE-2011-1464)

It was discovered that an integer overflow in the SdnToJulian function
in the PHP Calendar extension could allow an attacker to cause a
denial of service (application crash). (CVE-2011-1466)

Tomas Hoger discovered that an integer overflow in the
NumberFormatter::setSymbol function in the PHP Intl extension
could allow an attacker to cause a denial of service (application
crash). This issue affected Ubuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu
11.04. (CVE-2011-1467)

It was discovered that multiple memory leaks in the PHP OpenSSL
extension might allow a remote attacker to cause a denial of service
(memory consumption). This issue affected Ubuntu 10.04 LTS, Ubuntu
10.10, and Ubuntu 11.04. (CVE-2011-1468)

Daniel Buschke discovered that the PHP Streams component in PHP
handled types improperly, possibly allowing an attacker to cause a
denial of service (application crash). (CVE-2011-1469)

It was discovered that the PHP Zip extension could allow an attacker to
cause a denial of service (application crash) via a ziparchive stream
that is not properly handled by the stream_get_contents function. This
issue affected Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS, Ubuntu
1

Re: [Full-disclosure] Computer name should match with your real identity?

2011-04-29 Thread Michael Holstein

> I am not doing it 

You are free to reject corporate policy as you see fit.
Your personal effects will be at the security desk on Friday. We will
mail your last check.

> it could be case of "information leakage"
>   

Internal NETBIOS/DNS names are generally helpful for identification of
machines, and most places follow some sort of template of
location+type+model+serial .. just so the IT department doesn't have to
figure out some UNIX admin's scheme-du-jour of colors/gods/planets/whatever.

Really .. what's easier to find the location/function of .. the machine
named CORPHQWWWDEV1 or the one named "Aristotle"?

Michael Holstein
Cleveland State University



[Full-disclosure] ZDI-11-153: Embarcadero Interbase connect Request Parsing Remote Code Execution Vulnerability

2011-04-29 Thread ZDI Disclosures
ZDI-11-153: Embarcadero Interbase connect Request Parsing Remote Code Execution 
Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-153

April 29, 2011

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Embarcadero

-- Affected Products:
Embarcadero Interbase

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 5626. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Borland Interbase. Authentication is not
required to exploit this vulnerability.

The specific flaw exists within the database service, ibserver.exe,
which binds to TCP port 3050. When a specially crafted "connect" (opcode
0x01) message is sent a stack-based buffer overflow can occur. If
properly exploited this can lead to remote compromise of the system with
SYSTEM credentials.

-- Vendor Response:

Embarcadero states:
This issue is now resolved in InterBase XE update 2. This update is
available from http://cc.embarcadero.com/reg/interbase. On that page,
there are multiple downloads which contain this fix. Below are the
descriptions of all the downloads that have this fix. Note that each
description has two downloads, one for English and one for Japanese.

InterBase XE 64-bit Update 2 (10.0.2.474) for Windows

InterBase XE Update 2 (10.0.2.467) for Linux

InterBase XE 32-bit Update 2 (10.0.2.474) for Windows


The readme document in the download has a list of defects resolved.

-- Disclosure Timeline:
2011-02-04 - Vulnerability reported to vendor
2011-04-29 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi



[Full-disclosure] ZDI-11-152: HP Data Protector Backup Client Service GET_FILE Directory Traversal Vulnerability

2011-04-29 Thread ZDI Disclosures
ZDI-11-152: HP Data Protector Backup Client Service GET_FILE Directory 
Traversal Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-152

April 29, 2011

-- CVE ID:
CVE-2011-1736

-- CVSS:
7.8, (AV:N/AC:L/Au:N/C:C/I:N/A:N)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard Data Protector

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11136. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to perform directory traversal on
vulnerable installations of HP OpenView Data Protector. Authentication
is not required to exploit this vulnerability.

This specific flaw exists in the Backup Client Service (OmniInet.exe).
The Backup Client Service listens on TCP port  for communications
between systems in the cell. The process has insufficient sanitization
on user-supplied data when handling certain messages. Remote,
unauthenticated attackers can exploit this vulnerability by sending
crafted filename strings to the target, which would allow attackers to
view or download arbitrary files on the target system.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More
details can be found at:

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02810240

-- Disclosure Timeline:
2011-04-04 - Vulnerability reported to vendor
2011-04-29 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Aniway (aniway.any...@gmail.com)



[Full-disclosure] ZDI-11-151: HP Data Protector Backup Client Service bm Message Processing Remote Code Execution Vulnerability

2011-04-29 Thread ZDI Disclosures
ZDI-11-151: HP Data Protector Backup Client Service bm Message Processing 
Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-151

April 29, 2011

-- CVE ID:
CVE-2011-1735

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard Data Protector

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11135. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of HP OpenView Data Protector. Authentication
is not required to exploit this vulnerability. 

This specific flaw exists in the Backup Client Service (OmniInet.exe).
The Backup Client Service listens on TCP port  for communications
between systems in the cell. The process has insufficient bounds
checking on user-supplied data in a fixed-length buffer on the stack.
Remote, unauthenticated attackers can exploit this vulnerability by
sending malformed bm message packets to the target, which could
ultimately lead to arbitrary code execution under the context of the
SYSTEM user.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More
details can be found at:

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02810240

-- Disclosure Timeline:
2011-04-04 - Vulnerability reported to vendor
2011-04-29 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Aniway (aniway.any...@gmail.com)



[Full-disclosure] ZDI-11-150: HP Data Protector Backup Client Service omniiaputil Message Processing Remote Code Execution Vulnerability

2011-04-29 Thread ZDI Disclosures
ZDI-11-150: HP Data Protector Backup Client Service omniiaputil Message 
Processing Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-150

April 29, 2011

-- CVE ID:
CVE-2011-1734

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard Data Protector

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11129. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of HP OpenView Data Protector. Authentication
is not required to exploit this vulnerability. 

This specific flaw exists in the Backup Client Service (OmniInet.exe).
The Backup Client Service listens on TCP port  for communications
between systems in the cell. The process has insufficient bounds
checking on user-supplied data in a fixed-length buffer on the stack.
Remote, unauthenticated attackers can exploit this vulnerability by
sending malformed omniiaputil message packets to the target, which could
ultimately lead to arbitrary code execution under the context of the
SYSTEM user.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More
details can be found at:

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02810240

-- Disclosure Timeline:
2011-04-04 - Vulnerability reported to vendor
2011-04-29 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Aniway (aniway.any...@gmail.com)



[Full-disclosure] ZDI-11-149: HP Data Protector Backup Client Service HPFGConfig Remote Code Execution Vulnerability

2011-04-29 Thread ZDI Disclosures
ZDI-11-149: HP Data Protector Backup Client Service HPFGConfig Remote Code 
Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-149

April 29, 2011

-- CVE ID:
CVE-2011-1733

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard Data Protector 

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11130. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of HP OpenView Data Protector. Authentication
is not required to exploit this vulnerability. 

This specific flaw exists in the Backup Client Service (OmniInet.exe).
The Backup Client Service listens on TCP port  for communications
between systems in the cell. The process has insufficient bounds
checking on user-supplied data in a fixed-length buffer on the stack.
Remote, unauthenticated attackers can exploit this vulnerability by
sending malformed HPFGConfig message packets to the target, which could
ultimately lead to arbitrary code execution under the context of the
SYSTEM user.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More
details can be found at:

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02810240

-- Disclosure Timeline:
2011-04-04 - Vulnerability reported to vendor
2011-04-29 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Aniway (aniway.any...@gmail.com)



[Full-disclosure] ZDI-11-148: HP Data Protector Backup Client Service stutil Message Processing Remote Code Execution Vulnerability

2011-04-29 Thread ZDI Disclosures
ZDI-11-148: HP Data Protector Backup Client Service stutil Message Processing 
Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-148

April 29, 2011

-- CVE ID:
CVE-2011-1732

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard Data Protector 

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11131. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of HP OpenView Data Protector. Authentication
is not required to exploit this vulnerability. 

This specific flaw exists in the Backup Client Service (OmniInet.exe).
The Backup Client Service listens on TCP port  for communications
between systems in the cell. The process has insufficient bounds
checking on user-supplied data in a fixed-length buffer on the stack.
Remote, unauthenticated attackers can exploit this vulnerability by
sending malformed stutil message packets to the target, which could
ultimately lead to arbitrary code execution under the context of the
SYSTEM user.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More
details can be found at:

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02810240

-- Disclosure Timeline:
2011-04-04 - Vulnerability reported to vendor
2011-04-29 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Aniway (aniway.any...@gmail.com)


Re: [Full-disclosure] Cisco Linksys WRT54G XSS Vulnerability

2011-04-29 Thread Nick Boyce
On Thu, Apr 28, 2011 at 5:12 PM, Justin Klein Keane  wrote:

> Systems affected:
> - -
> Cisco Linksys Wireless G Broadband Router WRT54G with firmware version
> 4.21.1 was tested and found to be vulnerable.

FWIW, exact same weakness confirmed in Linksys AG241v1 with firmware
1.00.23 (the AG241 is the same animal as the WRT54G but without the
WiFi).

I don't suppose Cisco will ever release updates to address
vulnerabilities in these products, simple (and cost-effective for
customer goodwill) though it would be.

Cheers
Nick
--
Handy Fact: Miles per Gallon and Furlongs per Pint are equivalent.



[Full-disclosure] ZDI-11-146: HP Data Protector Backup Client Service EXEC_SCRIPT Remote Code Execution Vulnerability

2011-04-29 Thread ZDI Disclosures
ZDI-11-146: HP Data Protector Backup Client Service EXEC_SCRIPT Remote Code 
Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-146

April 29, 2011

-- CVE ID:
CVE-2011-1730

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard Data Protector

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11133. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of HP OpenView Data Protector. Authentication
is not required to exploit this vulnerability. 

This specific flaw exists in the Backup Client Service (OmniInet.exe).
The Backup Client Service listens on TCP port  for communications
between systems in the cell. The process has insufficient bounds
checking on user-supplied data in a fixed-length buffer on the stack.
Remote, unauthenticated attackers can exploit this vulnerability by
sending malformed EXEC_SCRIPT message packets to the target, which could
ultimately lead to arbitrary code execution under the context of the
SYSTEM user.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More
details can be found at:

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02810240

-- Disclosure Timeline:
2011-04-04 - Vulnerability reported to vendor
2011-04-29 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Aniway (aniway.any...@gmail.com)


[Full-disclosure] ZDI-11-147: HP Data Protector Backup Client Service EXEC_INTEGUTIL Remote Code Execution Vulnerability

2011-04-29 Thread ZDI Disclosures
ZDI-11-147: HP Data Protector Backup Client Service EXEC_INTEGUTIL Remote Code 
Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-147

April 29, 2011

-- CVE ID:
CVE-2011-1731

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard Data Protector

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11132. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of HP OpenView Data Protector. Authentication
is not required to exploit this vulnerability. 

This specific flaw exists in the Backup Client Service (OmniInet.exe).
The Backup Client Service listens on TCP port  for communications
between systems in the cell. The process has insufficient bounds
checking on user-supplied data in a fixed-length buffer on the stack.
Remote, unauthenticated attackers can exploit this vulnerability by
sending malformed EXEC_INTEGUTIL message packets to the target, which
could ultimately lead to arbitrary code execution under the context of
the SYSTEM user.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More
details can be found at:

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02810240

-- Disclosure Timeline:
2011-04-04 - Vulnerability reported to vendor
2011-04-29 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Aniway (aniway.any...@gmail.com)


[Full-disclosure] ZDI-11-145: HP Data Protector Backup Client Service GET_FILE Remote Code Execution Vulnerability

2011-04-29 Thread ZDI Disclosures
ZDI-11-145: HP Data Protector Backup Client Service GET_FILE Remote Code 
Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-145

April 29, 2011

-- CVE ID:
CVE-2011-1729

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard Data Protector

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11134. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of HP OpenView Data Protector. Authentication
is not required to exploit this vulnerability. 

This specific flaw exists in the Backup Client Service (OmniInet.exe).
The Backup Client Service listens on TCP port  for communications
between systems in the cell. The process has insufficient bounds
checking on user-supplied data in a fixed-length buffer on the stack.
Remote, unauthenticated attackers can exploit this vulnerability by
sending malformed GET_FILE message packets to the target, which could
ultimately lead to arbitrary code execution under the context of the
SYSTEM user.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More
details can be found at:

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02810240

-- Disclosure Timeline:
2011-04-04 - Vulnerability reported to vendor
2011-04-29 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Aniway (aniway.any...@gmail.com)


[Full-disclosure] ZDI-11-144: HP Data Protector Backup Client Service EXEC_BAR Remote Code Execution Vulnerability

2011-04-29 Thread ZDI Disclosures
ZDI-11-144: HP Data Protector Backup Client Service EXEC_BAR Remote Code 
Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-144

April 29, 2011

-- CVE ID:
CVE-2011-1728

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard Data Protector

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11128. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of HP OpenView Data Protector. Authentication
is not required to exploit this vulnerability. 

This specific flaw exists in the Backup Client Service (OmniInet.exe).
The Backup Client Service listens on TCP port  for communications
between systems in the cell. The process has insufficient bounds
checking on user-supplied data in a fixed-length buffer on the stack.
Remote, unauthenticated attackers can exploit this vulnerability by
sending malformed EXEC_BAR message packets to the target, which could
ultimately lead to arbitrary code execution under the context of the
SYSTEM user.

-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More
details can be found at:

http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02810240

-- Disclosure Timeline:
2011-04-04 - Vulnerability reported to vendor
2011-04-29 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Aniway (aniway.any...@gmail.com)


[Full-disclosure] Code Execution vulnerability in WordPress

2011-04-29 Thread MustLive
Hello list!

I want to warn you about Code Execution vulnerability in WordPress.

SecurityVulns ID: 11622.

-
Affected products:
-

WordPress versions 2.5 - 3.1.1 are vulnerable. The new version 3.1.2, which
was released on the 26th of April just after my disclosure, must also be
vulnerable. The attack via double extension will work on Apache with an
appropriate configuration.

--
Details:
--

A Code Execution (WASC-31) attack is possible in WordPress via the uploader.
The attack can be conducted by users with the roles Author, Editor and
Administrator.

In WordPress 2.5 - 2.8.4 it's possible to upload php scripts (1.php) to the
Media Library. In 2.5 - 2.7.1 the attack is possible only for Administrator.
For Author and Editor it's not possible to upload 1.php, nor will the attack
work via double extensions.

In version 2.8.5 it was prohibited for Administrator as well. And even in
2.8 - 2.8.5, for Author and Editor (and for Administrator in 2.8.5), it's
impossible to upload 1.php, but it's possible to upload 1.php.txt.

Note that in WP 2.0 - 2.0.11 (where there was no Media Library) all roles were
prohibited from uploading files with the php extension (and the bypassing
method didn't work), as in versions 2.1.x, 2.2.x and 2.3.x. Only in WordPress
2.2 (http://websecurity.com.ua/1276/) did Alexander Concha find a
vulnerability which allowed uploading files with the php extension.

In version 2.8.6 and higher it's already prohibited. The attack via double
extensions (1.php.txt and 1.asp;.txt) will not work, but it's possible to
use 1.phtml.txt (for all three roles) to execute code.

-
Timeline:
-

2011.04.26 - disclosed at my site. As I have already written many times to
security mailing lists (http://www.securityfocus.com/archive/1/510274), since
2008 I no longer inform WP developers about vulnerabilities in WordPress.

I mentioned these vulnerabilities at my site
(http://websecurity.com.ua/5108/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


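The double-extension bypass in the post above turns on how the web server maps extensions, not only on what the uploader checks: Apache's mod_mime treats every dot-separated part of a filename as a potential extension, so with a handler bound to .php or .phtml a file named 1.phtml.txt can still reach the PHP interpreter even though its last extension is harmless. As an added illustration (example code written for this page, not WordPress's own upload code), here is the weak check that inspects only the final extension beside a hardened check that inspects every segment the way mod_mime does. The executable-extension list and the allow-list are assumptions for the example; a real deployment would derive them from the server's actual handler configuration.

```python
"""Upload filename validation: last-extension-only (weak) beside a check
over every dot-separated segment (hardened).

Added example, not WordPress code.  The extension lists below are
assumptions for the example, not a statement of any server's config.
"""
import re

# Extensions a handler may map to server-side execution (assumed list).
EXECUTABLE_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "phtml", "phps", "phar",
    "asp", "aspx", "cgi", "pl", "py", "jsp", "shtml",
})

# Extensions the uploader is meant to accept (assumed allow-list).
ALLOWED_EXTENSIONS = frozenset({"txt", "jpg", "jpeg", "png", "gif", "pdf"})


def weak_is_allowed(filename: str) -> bool:
    """The weak form: look only at the text after the last dot.

    1.php.txt and 1.phtml.txt pass, because their last extension is txt,
    yet mod_mime may still hand them to the PHP handler.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED_EXTENSIONS


def hardened_is_allowed(filename: str) -> bool:
    """The hardened form: every dot-separated segment is an extension
    candidate, as mod_mime sees it, and ';' is treated as a separator too
    (covers names of the 1.asp;.txt shape).  Reject if any segment maps to
    execution, require the final extension to be allow-listed, and require
    a non-empty stem with no path separators.
    """
    if not filename or "/" in filename or "\\" in filename:
        return False
    parts = re.split(r"[.;]", filename)
    stem, exts = parts[0], [p.lower() for p in parts[1:] if p]
    if not stem or not exts:
        return False
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False
    return exts[-1] in ALLOWED_EXTENSIONS


def sanitized_name(filename: str) -> str:
    """Alternative that never trusts the client-supplied name: keep a safe
    stem plus the single allow-listed final extension, so a multi-extension
    name is normalized to one extension rather than stored as given.
    Raises ValueError when no acceptable extension is present."""
    parts = re.split(r"[.;]", filename)
    exts = [p.lower() for p in parts[1:] if p]
    if not exts or exts[-1] not in ALLOWED_EXTENSIONS:
        raise ValueError("no acceptable extension")
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", parts[0]) or "upload"
    return f"{stem}.{exts[-1]}"


if __name__ == "__main__":
    for name in ("notes.txt", "1.php", "1.php.txt", "1.phtml.txt", "1.asp;.txt"):
        print(f"{name:<14} weak={weak_is_allowed(name)!s:<5} hardened={hardened_is_allowed(name)}")
```

The application-side check is only half of the fix: on Apache the matching server-side measure is to bind the PHP handler with a `<FilesMatch "\.php$">` block and `SetHandler` rather than `AddHandler`, so that only a trailing .php is ever executed regardless of what the uploader lets through.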


Re: [Full-disclosure] Barracuda backdoor

2011-04-29 Thread bk

On Apr 29, 2011, at 9:22 AM, Cal Leeming wrote:
> On Fri, Apr 29, 2011 at 4:13 PM, bk  wrote:
> On Apr 29, 2011, at 6:11 AM, Cal Leeming wrote:
>> 
>> On Fri, Apr 29, 2011 at 3:30 AM, bk  wrote:
>> Everything you have mentioned there are when you have 'leased' a product, so 
>> if the license runs out, of course it's going to terminate those 'leased' 
>> services.
> 
> 
> Actually, no.  I'm really starting to doubt you have any experience whatsoever 
> with enterprise products.  Every appliance I've ever heard of or sold 
> personally is sold, as in ownership is transferred.  The physical unit 
> belongs to the party who purchased it.  The continuing fees or subscriptions 
> cover:
> 1.  Support
> 2.  Product updates and patches
> 3.  Updates to anti-spam and anti-virus definitions
> 4.  Other product features that either require infrastructure on the vendor's 
> part, or capabilities that are OEM'd from another vendor and require 
> recurring royalty fees.
> 
> Are you referring to hardware or virtual appliances? Almost everything I have 
> used in an enterprise deployment, has been where the unit was owned outright 
> by the customer, with the license simply being for support.

Either/both.  In the case of VM, customer generally pays a one-time license for 
the right to run a VM (in perpetuity).  A few were sold based on size of the 
pre-configured VM (disk space, vCPUs, etc), but my understanding is most of 
those are transitioning to a perpetual VM license scheme (due to the obvious 
fact that customers can change the virtual hardware).

If you don't like remote support from vendor, ask them how to disable it.  If 
you don't believe them, block all the egress traffic and look at the firewall 
logs to see where it's sending SYNs.  Almost any product these days needs to 
download updates, but you should be able to tell the difference between 
downloading updates and opening reverse shells.  I don't know of any vendors 
yet who do their shell over HTTPS (although it would make sense if you want it 
to be covert, ssh really stands out).

--
chort



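The egress check described in the reply above, as an added example (written for this page, not the poster's code nor any vendor's): a small summarizer for iptables LOG output that groups one appliance's outbound TCP SYNs by destination and port and separates update-like destinations (80/443) from interactive-channel candidates (22/23). The log lines, the appliance address 10.0.5.20 and the EGRESS-DROP log prefix are all constructed for the example.

```python
"""Summarize an appliance's outbound SYNs from iptables LOG lines and
separate update-like destinations from interactive-channel candidates.

Added example.  All log lines are constructed; the appliance address
10.0.5.20 and the EGRESS-DROP prefix are assumptions for the example.
"""
import re
from collections import defaultdict

# Constructed iptables LOG output from a temporary "drop and log all
# egress" rule.  10.0.5.20 is the appliance; 10.0.5.99 is an unrelated host.
SAMPLE_LOG = """\
Apr 29 10:00:01 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.5.20 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=443 WINDOW=29200 SYN URGP=0
Apr 29 10:00:03 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.5.20 DST=203.0.113.10 PROTO=TCP SPT=40002 DPT=443 WINDOW=29200 SYN URGP=0
Apr 29 10:00:05 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.5.20 DST=198.51.100.7 PROTO=TCP SPT=40003 DPT=22 WINDOW=29200 SYN URGP=0
Apr 29 10:00:35 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.5.20 DST=198.51.100.7 PROTO=TCP SPT=40004 DPT=22 WINDOW=29200 SYN URGP=0
Apr 29 10:01:05 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.5.20 DST=198.51.100.7 PROTO=TCP SPT=40005 DPT=22 WINDOW=29200 SYN URGP=0
Apr 29 10:01:06 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.5.20 DST=198.51.100.7 PROTO=TCP SPT=40005 DPT=22 WINDOW=29200 ACK URGP=0
Apr 29 10:01:07 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.5.20 DST=192.0.2.53 PROTO=UDP SPT=40006 DPT=53 LEN=40
Apr 29 10:01:09 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.5.99 DST=198.51.100.7 PROTO=TCP SPT=50001 DPT=22 WINDOW=29200 SYN URGP=0
"""

# Timestamp, SRC/DST, then PROTO/SPT/DPT; ".*?" skips the LEN/TOS/TTL
# fields that real iptables lines carry between DST and PROTO.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" .*?PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)

UPDATE_PORTS = {80, 443}        # where signature/patch downloads normally go
INTERACTIVE_PORTS = {22, 23}    # ssh/telnet: a shell channel stands out here


def classify_port(port: int) -> str:
    """Coarse label by destination port.  A shell carried over 443 would
    land in 'update-like'; that is the limit of SYN-only evidence."""
    if port in INTERACTIVE_PORTS:
        return "interactive-channel"
    if port in UPDATE_PORTS:
        return "update-like"
    return "other"


def summarize_egress(log_text: str, appliance_ip: str) -> dict:
    """Group outbound TCP SYNs from appliance_ip by (dst, dport).

    Only SYN packets (new connections) are counted; ACK lines and UDP are
    ignored so one long session is not mistaken for many connections.
    """
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["src"] != appliance_ip or m["proto"] != "TCP":
            continue
        if " SYN " not in line:
            continue
        key = (m["dst"], int(m["dpt"]))
        entry = summary[key]
        entry["count"] += 1
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
        entry["class"] = classify_port(key[1])
    return dict(summary)


def destinations_to_review(summary: dict) -> list:
    """Destinations to ask the vendor about: anything not plainly
    update-like, ordered by number of connection attempts."""
    flagged = [(k, v) for k, v in summary.items() if v["class"] != "update-like"]
    return [k for k, _ in sorted(flagged, key=lambda kv: -kv[1]["count"])]


if __name__ == "__main__":
    s = summarize_egress(SAMPLE_LOG, "10.0.5.20")
    for (dst, port), v in sorted(s.items()):
        print(f"{dst}:{port:<5} {v['class']:<20} syn={v['count']} {v['first']} .. {v['last']}")
    print("review:", destinations_to_review(s))
```

Only SYNs are counted, so a persistent reverse tunnel appears as one attempt per reconnect rather than as volume, which is exactly the pattern the 198.51.100.7:22 entry shows in the constructed data. As the reply itself notes, a channel carried over 443 looks the same as an update fetch at this level, so the "update-like" destinations still deserve a comparison against the vendor's documented update hosts and a look at connection duration in the firewall's connection-tracking state.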

Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient

2011-04-29 Thread R0me0 ***
insect's are a big joke
m* f*

2011/4/29 -= Glowing Doom =- 

> Well... I am only saying, this place is NOT a place where 'web fuzzing'
> should be the main topic of interest, especially when it is related to
> software which costs money and does not even have any trial..
> It also produced a false, on many occasions.
> Acunetix consultant would do this, and guess what, get a cracked copy, and
> they STILL let ya be a consultant!!
> neat huh??
> Now with this and Insect... you cannot do any ill.. your hard working
> product doesn't even scan right, and there is no free version... there is
> only 'email' ones as I've seen, so what kinda shit is that, posting to grok
> ??? eh ???
> I'm with the others... the tests show the truth, truth is, the product
> stinks, even when given the second glance.
> Your peers vote, I think, against this app... and, unless you maybe fix it,
> and even use some open src to do so (maybe learn something about 'opening')
> the product, and more people will be happy to debug for you.. but alone,
> you're, yes.. an insect waiting to be squashed :P lol... pardon my français
> .
> xd
>
>
> On 29 April 2011 13:43, Mario Vilas  wrote:
>
>> Precisely. The poc triggers the bug by passing a very long command line
>> argument, so it's assumed the attacker already has executed code. The only
>> way this is exploitable is if the binary has suid (then the attacker can
>> elevate privileges) or the command can be executed remotely (and the
>> attacker additionally cannot execute any other commands, but can mysteriously
>> control the arguments). Unless either scenario is researched (and nothing in
>> the advisory tells me so) I call bullshit.
>>
>> On Thu, Apr 28, 2011 at 6:09 PM,  wrote:
>>
>>> On Thu, 28 Apr 2011 14:40:22 -0300, Mario Vilas said:
>>>
>>> > Is the suid bit set on that binary? Otherwise, unless I'm missing
>>> something
>>> > it doesn't seem to be exploitable by an attacker...
>>>
>>> Who cares?  You got code executed on the remote box, that's the *hard*
>>> part.
>>> Use that to inject a callback shell or something, use *that* to get
>>> yourself a shell
>>> prompt.  At that point, download something else that exploits you to root
>>> - if
>>> you even *need* to, as quite often the Good Stuff is readable by non-root
>>> users.
>>>
>>
>>
>>
>> --
>> “There's a reason we separate military and the police: one fights
>> the enemy of the state, the other serves and protects the people. When
>> the military becomes both, then the enemies of the state tend to become the
>> people.”
>>
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Re: [Full-disclosure] Barracuda backdoor

2011-04-29 Thread Valdis . Kletnieks
On Fri, 29 Apr 2011 08:13:31 PDT, bk said:

(Agreeing with most of what you said)

> Anyone with a reasonable level of technical competence who has ever
> implemented one of these appliances from any vendor in this space would
> already be well aware of these facts.

On the other hand, remember that Barracuda gear is targeted at those
sites who *don't* roll their own...



Re: [Full-disclosure] Pangolin spam

2011-04-29 Thread Peter Osterberg
Thank me, I saved you the seconds it took to Google the link; now all you have 
to do for yourself is click it and read...

http://www.nosec-inc.com/en/products/pangolin/



- Original message -
> Is it nicer / better than sqlmap or have any extra features?
> 
> On Fri, Apr 29, 2011 at 1:52 PM, TOR  wrote:
> 
> > Did you just harvest emails from Full Disclosure and spam them
> > off-list?
> > 
> > That's kind of low.
> > 
> > --
> > 
> > Pangolin is on sale on Labor Day
> > 
> > Our distinguished customers,
> > Pangolin is on sale now for celebration of Labor Day.
> > This discount is available from Apr 30, 2011 to May 5, 2011.
> > 
> > Fast Action Bonus:
> > 1. 10% off
> > 2. Free charge for one-year update service valued up to $300
> > 3. Latest version of Pangolin: Pangolin 3.2.5
> > 
> > Order Now
> > 
> > 
> > No risks!
> > Full 15 days trial with full function,
> > 30 days money back guarantee!
> > 
> > What is Pangolin?
> > Pangolin is an automatic SQL injection penetration testing
> > (pen-testing) tool for website administrator or IT security analyst.
> > Now with Pangolin Injection Digger of pangolin 3.2.5, all SQL Injection
> > Vulnerabilities that may be exploited by hackers will be shown to you,
> > isn't it cool?
> > Know more or take action now:
> > 
> > ___
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> > 


Re: [Full-disclosure] Barracuda backdoor

2011-04-29 Thread bk
On Apr 29, 2011, at 6:11 AM, Cal Leeming wrote:
> 
> On Fri, Apr 29, 2011 at 3:30 AM, bk  wrote:
> 
>> On Fri, Apr 29, 2011 at 3:17 AM, bk  wrote:
>> On Apr 28, 2011, at 3:09 AM, Tõnu Samuel wrote:
>> 
>> > One day their Barracuda product stopped working.
>> >
>> > After investigating problem it came out that Barracuda reseller and
>> > Barracuda itself have some misunderstandings and because of this
>> > Barracuda not only disabled all kind of subscription services
>> 
>> Your unsubstantiated claims don't bear repeating.  I will however point 
>> out that many vendors disable some portion of functionality when 
>> subscription or support payments lapse.  This is widely done in the industry 
>> and a surprise to no one.
>> 
>> --
>> chort
>> ___
> 
> On Apr 28, 2011, at 7:20 PM, Cal Leeming wrote:
> 
>> Name ten.
> 
> For starters, every anti-spam company ever.  I should know, I've worked for 
> half of them.  At the very least you cannot get upgrades or patches of any 
> kind.  Most of them disable anti-spam updates, all of them disable anti-virus 
> updates, and some even disable anti-spam scanning entirely.  The anti-spam 
> SaaS vendors I know of will disable accepting your mail after a grace period 
> if you haven't moved your MX records.
> 
> Hmm, let's see.  Firewall vendors won't let you apply updates, some of them 
> cripple VPN functionality when your license has expired... really, do we need 
> to go on?  There's a long precedent for products going into a degraded mode 
> if your subscription or license expires.
> 
> --
> chort
> 
> 
> Everything you have mentioned there are when you have 'leased' a product, so 
> if the license runs out, of course it's going to terminate those 'leased' 
> services.


Actually, no.  I'm really starting to doubt you have any experience whatsoever 
with enterprise products.  Every appliance I've ever heard of or sold 
personally is sold, as in ownership is transferred.  The physical unit belongs 
to the party who purchased it.  The continuing fees or subscriptions cover:
1.  Support
2.  Product updates and patches
3.  Updates to anti-spam and anti-virus definitions
4.  Other product features that either require infrastructure on the vendor's 
part, or capabilities that are OEM'd from another vendor and require recurring 
royalty fees.

In all those cases the hardware unit doesn't just stop working, but certain 
aspects of the software functionality that require money & effort from the 
vendor to support do cease to operate.

I believe OP is wildly exaggerating the extent to which functionality was 
impaired.  I also really doubt that Barracuda, with thousands of units deployed 
in the field, would assign a human being to individually login remotely and 
disable them.  They probably do it like most other vendors, where the units do 
periodic phone-home functions to a set of license servers.  If there isn't an 
updated license present for the unit to download, functionality automatically 
turns off when the original license on the box expires.

Lastly, to touch on the other "shocking" subject, yes security appliance 
vendors have ssh access to the units in the field, either directly or via 
reverse tunnel.  Every vendor I have experience with calls this out in their 
documentation and the customer either has to allow it explicitly through their 
firewall, or they're given the option to block it (in the case of reverse 
tunnel).

Anyone with a reasonable level of technical competence who has ever implemented 
one of these appliances from any vendor in this space would already be well 
aware of these facts.  You'd probably all be stunned to learn that your phones, 
which can position you with accuracy of a few hundred feet, are storing 
information about locations of beaconing objects around them.  Yes, I'll give 
you a few minutes to get over that shock.

--
chort


Re: [Full-disclosure] Computer name should match with your real identity?

2011-04-29 Thread Brian Anderson
On 4/29/2011 9:17 AM, Cal Leeming wrote:
> Personally, I'd tell the admin to go and  himself, and refuse outright.
> Although I do have a tendency to use 'girls names' as server names, I never
> *ever* use my real name as the server/pc/user name. Hell no.
>
> On Fri, Apr 29, 2011 at 8:26 AM,  wrote:
>
>

Yes, be sure the machine name describes in full detail its function. 
My machines are public, confidential, secret, and top_secret.

http://dilbert.com/strips/comic/2008-02-11/



Re: [Full-disclosure] Computer name should match with your real identity?

2011-04-29 Thread Cal Leeming
Personally, I'd tell the admin to go and fuck himself, and refuse outright.
Although I do have a tendency to use 'girls names' as server names, I never
*ever* use my real name as the server/pc/user name. Hell no.

On Fri, Apr 29, 2011 at 8:26 AM,  wrote:

> Hi,
>
> Recently got a policy from admin to change your PC name with your "name" +
> organisation name.
>
> I am not doing it for a long time as I feel it could be case of
> "information leakage" .
>
> So need any ref./case study/security policy referencing not to have real
> name .
>
>
> -Avii
>
>
>

Re: [Full-disclosure] Barracuda backdoor

2011-04-29 Thread Cal Leeming
Everything you have mentioned there are when you have 'leased' a product, so
if the license runs out, of course it's going to terminate those 'leased'
services.

However, I was under the assumption that the OP had purchased the Barracuda
outright from a reseller, and the license was just a piracy check? Am I
mistaken OP??

On Fri, Apr 29, 2011 at 3:30 AM, bk  wrote:

>
> On Fri, Apr 29, 2011 at 3:17 AM, bk  wrote:
>
>> On Apr 28, 2011, at 3:09 AM, Tõnu Samuel wrote:
>>
>> > One day their Barracuda product stopped working.
>> >
>> > After investigating problem it came out that Barracuda reseller and
>> > Barracuda itself have some misunderstandings and because of this
>> > Barracuda not only disabled all kind of subscription services
>>
>> Your unsubstantiated claims don't bear repeating.  I will however point
>> out that many vendors disable some portion of functionality when
>> subscription or support payments lapse.  This is widely done in the industry
>> and a surprise to no one.
>>
>> --
>> chort
>>
> On Apr 28, 2011, at 7:20 PM, Cal Leeming wrote:
>
> Name ten.
>
>
> For starters, every anti-spam company ever.  I should know, I've worked for
> half of them.  At the very least you cannot get upgrades or patches of any
> kind.  Most of them disable anti-spam updates, all of them disable
> anti-virus updates, and some even disable anti-spam scanning entirely.  The
> anti-spam SaaS vendors I know of will disable accepting your mail after a
> grace period if you haven't moved your MX records.
>
> Hmm, let's see.  Firewall vendors won't let you apply updates, some of them
> cripple VPN functionality when your license has expired... really, do we
> need to go on?  There's a long precedent for products going into a degraded
> mode if your subscription or license expires.
>
> --
> chort
>
>
>

Re: [Full-disclosure] Pangolin spam

2011-04-29 Thread Cal Leeming
Is it nicer / better than sqlmap or have any extra features?

On Fri, Apr 29, 2011 at 1:52 PM, TOR  wrote:

> Did you just harvest emails from Full Disclosure and spam them off-list?
>
> That's kind of low.
>
> --
>
> Pangolin is on sale on Labor Day
>
> Our distinguished customers,
> Pangolin is on sale now for celebration of Labor Day.
> This discount is available from Apr 30, 2011 to May 5, 2011.
>
> Fast Action Bonus:
> 1. 10% off
> 2. Free charge for one-year update service valued up to $300
> 3. Latest version of Pangolin: Pangolin 3.2.5
>
>   Order Now
>
>
> No risks!
> Full 15 days trial with full function,
> 30 days money back guarantee!
>
> What is Pangolin?
> Pangolin is an automatic SQL injection penetration testing (pen-testing)
> tool for website administrators or IT security analysts.
> Now with Pangolin Injection Digger of pangolin 3.2.5, all SQL Injection
> Vulnerabilities that may be exploited by hackers will be shown to you, isn't
> it cool?
> Know more or take action now:
>
>

Re: [Full-disclosure] Stress Testing Tools

2011-04-29 Thread Shinnok
You might find Nping useful too for that matter. It is pretty recent and
updated and is part of the Nmap suite:

http://nmap.org/nping/



On Fri, Apr 29, 2011 at 6:14 AM, Gaurang Pandya  wrote:

> I have generated around 4G of attack using Hping from 6 servers, and I
> could have still increased it but that was all I needed. So I think hping
> does good job..
>
> Gaurang.
>
> --
> *From:* Oscar 
> *To:* Sec Tools 
> *Cc:* full-disclosure@lists.grok.org.uk
> *Sent:* Wed, April 27, 2011 5:44:14 PM
> *Subject:* Re: [Full-disclosure] Stress Testing Tools
>
> Hi,
>
> I am also on the verge of testing firewall/IDS/IPS currently i am looking at
> some DOS/DDOS/stress testing tools.. Please help me on that..
>
> Thanks in Advance
> Oscar
>
> On Wed, Apr 27, 2011 at 11:17 AM, Sec Tools  wrote:
>
>>  I've been using a combination of Mausezahn (
>> http://www.perihel.at/sec/mz/index.html ), Tcpreplay (
>> http://tcpreplay.synfin.net ) and sometimes Scapy (
>> http://www.secdev.org/projects/scapy/ ) for our 1G/10G network stress
>> testing needs ( mostly for probing and checking the resilience of new
>> network appliances ).
>>
>> I noted that these tools were not updated recently (for one year approx.).
>> Do you guys have any suggestions on better approaches / really good new
>> tools to do this? ( note that currently our budget does not allow the use of
>> hardware based solutions ).
>>
>> Best Regards,
>>
>> John James
>> http://sectools.org/
>>
>>
>
>
>



-- 

Shinnok 

Re: [Full-disclosure] Computer name should match with your real identity?

2011-04-29 Thread -= Glowing Doom =-
this is maybe to access their database, or belong to it, so they can
basically track every pc, and possibly install pcAnywhere as i know many
corps want done, you do need to have proper name of pc for some of this
stuff.. might be administrative procedure, i would not stress on this too much
I'd just ask more about it...
cheers!
xd


On 29 April 2011 17:26,  wrote:

> Hi,
>
> Recently got a policy from admin to change your PC name with your "name" +
> organisation name.
>
> I am not doing it for a long time as I feel it could be case of
> "information leakage" .
>
> So need any ref./case study/security policy referencing not to have real
> name .
>
>
> -Avii
>
>
>

Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient

2011-04-29 Thread -= Glowing Doom =-
Well... I am only saying, this place is NOT a place where 'web fuzzing'
should be the main topic of interest, especially when it is related to
software which costs money and does not even have any trial..
It also produced a false, on many occasions.
Acunetix consultant would do this, and guess what, get a cracked copy, and
they STILL let ya be a consultant!!
neat huh??
Now with this and Insect... you cannot do any ill.. your hard working
product doesn't even scan right, and there is no free version... there is
only 'email' ones as I've seen, so what kinda shit is that, posting to grok
??? eh ???
I'm with the others... the tests show the truth, truth is, the product
stinks, even when given the second glance.
Your peers vote i think, against this app... and, unless you maybe fix it,
and even use some open src to do so (maybe learn something about 'opening')
the product, more people will be happy to debug for you.. but alone,
you're, yes.. an insect waiting to be squashed :P lol... pardon my fracoise'
.
xd


On 29 April 2011 13:43, Mario Vilas  wrote:

> Precisely. The poc triggers the bug by passing a very long command line
> argument, so it's assumed the attacker already has executed code. The only
> way this is exploitable is if the binary has suid (then the attacker can
> elevate privileges) or the command can be executed remotely (and the
> attacker additionally cannot execute any other commands, but can mysteriously
> control the arguments). Unless either scenario is researched (and nothing in
> the advisory tells me so) I call bullshit.
>
> On Thu, Apr 28, 2011 at 6:09 PM,  wrote:
>
>> On Thu, 28 Apr 2011 14:40:22 -0300, Mario Vilas said:
>>
>> > Is the suid bit set on that binary? Otherwise, unless I'm missing
>> something
>> > it doesn't seem to be exploitable by an attacker...
>>
>> Who cares?  You got code executed on the remote box, that's the *hard*
>> part.
>> Use that to inject a callback shell or something, use *that* to get
>> yourself a shell
>> prompt.  At that point, download something else that exploits you to root
>> - if
>> you even *need* to, as quite often the Good Stuff is readable by non-root
>> users.
>>
>
>
>
> --
> “There's a reason we separate military and the police: one fights the enemy
> of the state, the other serves and protects the people. When the military
> becomes both, then the enemies of the state tend to become the people.”
>
>
>

Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient

2011-04-29 Thread -= Glowing Doom =-
I'm with ya there, Insect is a joke... i mean, open src tools, sure, we can
use those... but, a non open src, non free tool, being posted AT ALL
surprises me.. so, why beat up on him ? your lame app missed shit, simple..
even if you're a good coder, does not mean YOUR product will 'rule'.
Sorry but, ichib0d, is in the right, he should -not- be flamed for his
willingness to participate, in something which most listers agree with..
you're the minority here sherlock.. trying to sell an app, on FD... what's
next!
xd


On 29 April 2011 08:22, ichib0d crane  wrote:

> Any reason for the hostility? The nigerian thing was ages ago and out
> of curiosity, and I don't see how my choice of school is relevant in
> the situation. Where's this six month deal coming from and when did I
> ever say I even counted myself as a hacker?
>
> All I'm saying is InsectPro did poor documentation and poor
> investigation into the "vulnerability".
>
> On Thu, Apr 28, 2011 at 3:11 PM, ghost  wrote:
> > So in 6 short months you've become a master hacker huh Gage ? All that
> > reporting "nigerian scammers" really put you to the top of the hacker
> > echelon ?  or is it cause you finally got a piece of paper as
> > "recognition" from your little school ?
> >
> > In short; Shut the fuck up and go play in traffic, kid.
> >
> >
> > On Thu, Apr 28, 2011 at 2:39 PM, ichib0d crane 
> wrote:
> >> This isn't a zero day. This is a vulnerability. Being able to crash
> >> the system is nothing compared to the effort needed to actually write
> >> the exploit. What function is the heap overflow in? Did you guys even
> >> bother to find out? How do I know this is even a heap overflow? Heck
> >> you couldn't even overwrite a single register! How effective are
> >> standard mitigations on the target? Are there even any? (if there isn't
> >> and you couldn't overwrite a single reg there's something wrong with
> >> you).
> >>
> >> Cool fuzz story bro, tell it again, but a quick fuzz doesn't drop zero
> >> days. A smart exploit WRITER drops zero days.
> >>
> >> Come back once you stop being an amateur.
> >>
> >>
> >
>
>

Re: [Full-disclosure] Stress Testing Tools

2011-04-29 Thread -= Glowing Doom =-
Try t50 packet injector... (much much faster checksum) even t49... now open
src i believe.. well, this is the hardest known packet flooder :)... at least,
that i know of.. also, oping is 'not bad' and for stress, borrow a ddos army
for the day...
xd


On 29 April 2011 13:14, Gaurang Pandya  wrote:

> I have generated around 4G of attack using Hping from 6 servers, and I
> could have still increased it but that was all I needed. So I think hping
> does good job..
>
> Gaurang.
>
> --
> *From:* Oscar 
> *To:* Sec Tools 
> *Cc:* full-disclosure@lists.grok.org.uk
> *Sent:* Wed, April 27, 2011 5:44:14 PM
> *Subject:* Re: [Full-disclosure] Stress Testing Tools
>
> Hi,
>
> I am also on the verge of testing firewall/IDS/IPS currently i am looking at
> some DOS/DDOS/stress testing tools.. Please help me on that..
>
> Thanks in Advance
> Oscar
>
> On Wed, Apr 27, 2011 at 11:17 AM, Sec Tools  wrote:
>
>>  I've been using a combination of Mausezahn (
>> http://www.perihel.at/sec/mz/index.html ), Tcpreplay (
>> http://tcpreplay.synfin.net ) and sometimes Scapy (
>> http://www.secdev.org/projects/scapy/ ) for our 1G/10G network stress
>> testing needs ( mostly for probing and checking the resilience of new
>> network appliances ).
>>
>> I noted that these tools were not updated recently (for one year approx.).
>> Do you guys have any suggestions on better approaches / really good new
>> tools to do this? ( note that currently our budget does not allow the use of
>> hardware based solutions ).
>>
>> Best Regards,
>>
>> John James
>> http://sectools.org/
>>
>>
>
>
>

Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient

2011-04-29 Thread Cal Leeming
GROUP HUG.

On Thu, Apr 28, 2011 at 11:11 PM, ghost  wrote:

> So in 6 short months you've become a master hacker huh Gage ? All that
> reporting "nigerian scammers" really put you to the top of the hacker
> echelon ?  or is it cause you finally got a piece of paper as
> "recognition" from your little school ?
>
> In short; Shut the fuck up and go play in traffic, kid.
>
>
> On Thu, Apr 28, 2011 at 2:39 PM, ichib0d crane 
> wrote:
> > This isn't a zero day. This is a vulnerability. Being able to crash
> > the system is nothing compared to the effort needed to actually write
> > the exploit. What function is the heap overflow in? Did you guys even
> > bother to find out? How do I know this is even a heap overflow? Heck
> > you couldn't even overwrite a single register! How effective are
> > standard mitigations on the target? Are there even any? (if there isn't
> > and you couldn't overwrite a single reg there's something wrong with
> > you).
> >
> > Cool fuzz story bro, tell it again, but a quick fuzz doesn't drop zero
> > days. A smart exploit WRITER drops zero days.
> >
> > Come back once you stop being an amateur.
> >
> >
>
>

Re: [Full-disclosure] Barracuda backdoor

2011-04-29 Thread Hartley, Christopher J.
fwiw, I've run into a Barracuda instance that had an ssh connection (reverse
shell) open to an address in XO address space.  The user (owner of the Barracuda)
indicated that it was expected, as it was how they were getting support through
the company.  Not sure I'd permit that without a real demonstration of value and
assurances of limits on that access.

As to what changes they can make when or why, I have no idea.  No matter what
the case, it's always hard for me to trust a vendor when it comes down to
production services.


On Apr 28, 2011, at 12:09 PM,  wrote:

> On Thu, 28 Apr 2011 13:09:14 +0300, Tõnu Samuel said:
> 
>> One day their Barracuda product stopped working.
> 
> OK... That's hardly surprising, given the high-quality software engineering
> that Barracuda is known for.. ;)
> 
>> Barracuda not only disabled all kind of subscription services but also
>> used some kind of backdoor in their products to disable product customer
>> had paid long time ago.
> 
> And I should believe this claim, why?
> 
>> Message was shown "Error: Activation has not been completed. Please
>> activate your Barracuda Spam & Virus Firewall to enable functionality.
>> (Click here to activate)". Customer was blocked to make any changes in
>> admin interface of product. Even more irritating was fact that admin
>> wanted to see why some e-mails were lost and was denied even to see logs!
> 
> Strong claims require strong evidence.  It's well-known that Barracuda turns
> off subscription services if you don't pay - and even charges you back 
> coverage
> for years you skipped.  See the thread starting here:
> 
> http://mailman.nanog.org/pipermail/nanog/2011-April/035067.html
> 
> Now the question is - given that *that* Barracuda was at least semi-functional
> even when off support, do we have any indication that your unit was in fact
> intentionally disabled?  It could very well be the symptoms you are seeing are
> the unit being just plain *broken*.



Re: [Full-disclosure] Barracuda backdoor

2011-04-29 Thread Tõnu Samuel
> Let's be careful though: just because your system stopped working 
> doesn't mean it has a backdoor. It could have been implemented as simply 
> a periodic "phone home for updates" which received some type of 
> "license expired" message. A remote kill switch, for sure, but not 
> necessarily the same as a back door.

For now I have reports from people who do not want to expose themselves but
claim that Barracuda people can freely log in to their systems but
never asked for a password etc.

This time I have no proof etc. I just get a lot of different pieces of
feedback in private.

  Tõnu


Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient

2011-04-29 Thread Cal Leeming
On a side note, anyone here ever used any of the xmatters engines?? Care to
give a small review??

On Thu, Apr 28, 2011 at 4:03 PM, Juan Sacco
wrote:

>  Information
>  
>  Name : Heap Buffer Overflow in xMatters AlarmPoint APClient
>  Version: APClient 3.2.0 (native)
>  Software : xMatters AlarmPoint
>  Vendor Homepage : http://www.xmatters.com
>  Vulnerability Type : Heap Buffer Overflow
>  Md5: 283d98063323f35deb7afbd1db93d859  APClient.bin
>  Severity : High
>  Researcher : Juan Sacco 
>
>  Description
>  --
>  The AlarmPoint Java Server consists of a collection of software
>  components and software APIs designed to provide a flexible and
>  powerful set of tools for integrating various applications to
>  AlarmPoint.
>
>  Details
>  ---
>  AlarmPoint APClient is affected by a Heap Overflow vulnerability in
>  version APClient 3.2.0 (native)
>
>  A heap overflow condition is a buffer overflow, where the buffer that
>  can be overwritten is allocated in the heap portion of memory, generally
>  meaning that the buffer was allocated using a routine such as the POSIX
>  malloc() call.
>  https://www.owasp.org/index.php/Heap_overflow
>
>
>  Exploit as follow:
>  Submit a malicious file containing the exploit
>  root@ea-gateway:/opt/alarmpointsystems/integrationagent/bin$
>  ./APClient.bin --submit-file maliciousfile.hex
>  or
>  (gdb) run `python -c 'print "\x90"*16287'`
>  Starting program:
>  /opt/alarmpointsystems/integrationagent/bin/APClient.bin `python -c
>  'print "\x90"*16287'`
>
>  Program received signal SIGSEGV, Segmentation fault.
>  0x0804be8a in free ()
>  (gdb) i r
>  eax            0xa303924    170932516
>  ecx            0xbfb8       49080
>  edx            0xa303924    170932516
>  ebx            0x8059438    134583352
>  esp            0xbfff3620   0xbfff3620
>  ebp            0xbfff3638   0xbfff3638
>  esi            0x8059440    134583360
>  edi            0x80653f0    134632432
>  eip            0x804be8a    0x804be8a
>  eflags 0x210206 [ PF IF RF ID ]
>  cs 0x73 115
>  ss 0x7b 123
>  ds 0x7b 123
>  es 0x7b 123
>  fs 0x0  0
>  gs 0x33 51
>  (gdb)
>
>
>  Solution
>  ---
>  No patch is available at this time.
>
>  Credits
>  ---
>  Manually discovered by Insecurity Research Labs
>  Juan Sacco - http://www.insecurityresearch.com
>
> --
>  --
>  _
>  Insecurity Research - Security auditing and testing software
>  Web: http://www.insecurityresearch.com
>  Insect Pro 2.5 was released, stay tuned
>
>

Re: [Full-disclosure] Barracuda backdoor

2011-04-29 Thread Cal Leeming
OP, I suggest you possibly take this story to "The Register" and see if they
will run it.. they'll take care of getting an official answer and public
statement from Barracuda, which might get you some answers..?

On Thu, Apr 28, 2011 at 5:09 PM,  wrote:

> On Thu, 28 Apr 2011 13:09:14 +0300, Tõnu Samuel said:
>
> > One day their Barracuda product stopped working.
>
> OK... That's hardly surprising, given the high-quality software engineering
> that Barracuda is known for.. ;)
>
> > Barracuda not only disabled all kind of subscription services but also
> > used some kind of backdoor in their products to disable product customer
> > had paid long time ago.
>
> And I should believe this claim, why?
>
> > Message was shown "Error: Activation has not been completed. Please
> > activate your Barracuda Spam & Virus Firewall to enable functionality.
> > (Click here to activate)". Customer was blocked to make any changes in
> > admin interface of product. Even more irritating was fact that admin
> > wanted to see why some e-mails were lost and was denied even to see logs!
>
> Strong claims require strong evidence.  It's well-known that Barracuda
> turns
> off subscription services if you don't pay - and even charges you back
> coverage
> for years you skipped.  See the thread starting here:
>
> http://mailman.nanog.org/pipermail/nanog/2011-April/035067.html
>
> Now the question is - given that *that* Barracuda was at least
> semi-functional
> even when off support, do we have any indication that your unit was in fact
> intentionally disabled?  It could very well be the symptoms you are seeing
> are
> the unit being just plain *broken*.
>
>

Re: [Full-disclosure] Barracuda backdoor

2011-04-29 Thread Tõnu Samuel
On Thu, 2011-04-28 at 17:05 +0100, corpus.defero wrote:
> On Thu, 2011-04-28 at 08:29 -0700, ichib0d crane wrote:
> (snipped)
> > but that doesn't
> > change the fact that Barracuda has done something likely bad here. A
> > vendor should make it explicitly clear when they have the capability
> > to disable remote products that have already been purchased. Maybe
> > their ToS allows it, maybe not. Either way it is highly unethical.
> > 
> They can't. All they can do is disable updating of the virus and spam
> definitions. It will still work without a subscription to 'energize
> updates'.

Reread the topic again. This is exactly what they did - they disabled
essentially needed features of customer property, unrelated to the annual
subscription. Also, this is less important in my opinion, but actually all
bills were paid, which removes even the last option to make the customer guilty
here. 

I would really be angry if BMW remotely disabled my car because they
have some civil disagreement with a local service center, for example. 

   Tõnu


Re: [Full-disclosure] Barracuda backdoor

2011-04-29 Thread Tõnu Samuel
On Thu, 2011-04-28 at 12:09 -0400, valdis.kletni...@vt.edu wrote:
> On Thu, 28 Apr 2011 13:09:14 +0300, Tõnu Samuel said:
> 
> > One day their Barracuda product stopped working.
> 
> OK... That's hardly surprising, given the high-quality software engineering
> that Barracuda is known for.. ;)
> 
> > Barracuda not only disabled all kind of subscription services but also
> > used some kind of backdoor in their products to disable product customer
> > had paid long time ago.
> 
> And I should believe this claim, why?
> 

Sue me. Sometimes such a claim is good enough because they will not sue me.
And if they do, this makes me happy. I got sued multiple times for what
I say in public and I never lost a case yet.

> Now the question is - given that *that* Barracuda was at least semi-functional
> even when off support, do we have any indication that your unit was in fact
> intentionally disabled?  It could very well be the symptoms you are seeing are
> the unit being just plain *broken*.

Yes I do have proof, including Barracuda mails confirming it. There are
multiple of them, including this one:

From: Chelsi Newland [mailto:cnewl...@barracuda.com] 
Sent: Wednesday, April 27, 2011 5:51 PM
Subject: FW: Current (Expires 2011-11-21)
Importance: High


Please note we have proof of payment to you from the end user.  Either
reimburse this customer, or send payment for this order.

Please advise payment on your account so we can enable their unit. 

Sincerely,

Chelsi Newland| Barracuda Networks | Credit/Collections Manager

  Tõnu


Re: [Full-disclosure] Pangolin spam

2011-04-29 Thread Raj Mathur (राज माथुर)
On Friday 29 Apr 2011, TOR wrote:
> Did you just harvest emails from Full Disclosure and spam them
> off-list?
> 
> That's kind of low.

  echo 'blacklist_from mattmad...@gmail.com' >> /etc/spamassassin/local.cf
  /etc/init.d/spamassassin reload

Done on all mail servers I manage.

-- Raj
-- 
Raj Mathurr...@kandalaya.org  http://kandalaya.org/
   GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
PsyTrance & Chill: http://schizoid.in/   ||   It is the mind that moves



Re: [Full-disclosure] Pangolin spam

2011-04-29 Thread TOR
Did you just harvest emails from Full Disclosure and spam them off-list?

That's kind of low.

--

Pangolin is on sale on Labor Day

Our distinguished customers,
Pangolin is on sale now for celebration of Labor Day.
This discount is available from Apr 30, 2011 to May 5, 2011.

Fast Action Bonus:
1. 10% off
2. Free charge for one-year update service valued up to $300
3. Latest version of Pangolin: Pangolin 3.2.5

   Order Now


No risks!
Full 15 days trial with full function,
30 days money back guarantee!

What is Pangolin?
Pangolin is an automatic SQL injection penetration testing (pen-testing) tool 
for website administrators or IT security analysts.
Now with Pangolin Injection Digger of pangolin 3.2.5, all SQL Injection 
Vulnerabilities that may be exploited by hackers will be shown to you, isn't it 
cool?
Know more or take action now:



Re: [Full-disclosure] Computer name should match with your real identity?

2011-04-29 Thread Guy
On Fri, Apr 29, 2011 at 3:26 AM,   wrote:
> Recently got a policy from admin to change your PC name with your "name" +
> organisation name.
>

System admins typically aren't responsible for policy creation
depending on the size of the organization. Was the request made due to
an organization policy change, a new guideline, or just "because"?

Was the admin given the appropriate authority to request such a change?

> I am not doing it for a long time as I feel it could be case of
> "information leakage" .
>

While that's a valid point worth considering, orders are orders, which
is why it's important to know under whose authority did the admin
request the change.

> So need any ref./case study/security policy referencing not to have real
> name .
>

For starters, a computer isn't a person. A more appropriate location
to store equipment assignment data is in an asset management/tracking
system. This way there's an audit trail and accountability. The
equipment becomes the users responsibility, so when/if it's
transferred to another user, there's motivation for them to make sure
their asset manager is informed. Otherwise, they risk being charged or
held responsible if the equipment goes "missing."

Also, an environment with roaming profiles or multi-user systems will
make the computer name irrelevant/invalid once another user or users
logs in. There are probably dozens of other reasons that just aren't
worth mentioning. Think most would agree the admin's request is a
terrible idea.

Perhaps you could recommend an alternative naming convention that will
provide more benefit to the organization in the long run.

A couple of examples:

BIT02DWS9966 - Bureau of IT, Building #02, Desktop Workstation,
Property/Asset Tag 9966.
BFS07LWS9211 - Bureau of Financial Service, Building #07, Laptop
(mobile) Workstation, Tag #9211.
PDC01SVWB012 - Primary Data Center #01, Server, Virtual Machine, Web/HTTP, #012
DDC02SPEX022 - Disaster Recovery Data Center #02, Server, Physical,
Exchange #022.

,<3 char type class code>,

Can apply this convention to any type of device on the network: SDB
for databases, MFP for multi-function printers, HFW for hardware
firewalls, etc.

To distinguish between dev/test, use a higher number in the suffix,
999, 998, etc. Prod will use 000, 001, 002, etc.

Just an initial thought, others may have better suggestions. Would
like to know how other organizations address this issue, though.

I personally hate seeing devices on a network with ridiculous names as
though the IT infrastructure is some kind of kiddy cartoon world.
Gonzo, Nemo, Simba, and the like are not appropriate and provide
absolutely no benefit to anyone. If users need to access a resource
using "simba", create a DNS alias/entry...

"Uh-oh, Sponge-Bob is out of ink, can you reprint the report on the
Chim-Chim!!?!on1e??!"

Yea, didn't make that up...

And just to be clear, the proposed naming convention above isn't
something to distribute to end users or folks using the services on a
host.

Have had developers ask me to audit their web applications and provide
a url like
"http://PDC01SVWB996.int.the-domain.org/some-lame-app/MyAwesomeTool.aspx".

No. Create a DNS entry, don't distribute the actual host name... Good luck.

Regards,

Guy
www.nullamatix.com
Key: 0x353DA923

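Guy's convention packs site, building, device class and asset tag into one fixed-width name. As an added example (not from the post, nor from any tool it mentions), here is a Python parser and inventory check that decodes names written that way and flags hosts that do not follow it, which is the kind of check an asset inventory or DNS audit would run. Everything about the layout is inferred from the four example names above and is an assumption: the 12-character width, the 3-letter site code, the 2-digit building number, a 3- or 4-letter type class, and a dev/test boundary taken as the top ten tag values for the tag's width (999, 998, ... for 3-digit tags). The type-class table is likewise a hypothetical one built from the codes the post lists.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Field layout inferred from the examples in the post (an assumption, not a
# documented spec): 3-letter bureau/site code, 2-digit building or data-center
# number, 3- or 4-letter type class code, numeric asset tag; 12 characters total.
HOST_RE = re.compile(r"^([A-Z]{3})(\d{2})([A-Z]{3,4})(\d{3,4})$")
NAME_LENGTH = 12

# Type class codes collected from the post's examples and suggestions
# (hypothetical table; extend it with the codes your organisation defines).
TYPE_CLASSES = {
    "DWS": "desktop workstation",
    "LWS": "laptop (mobile) workstation",
    "SVWB": "server, virtual machine, web/HTTP",
    "SPEX": "server, physical, Exchange",
    "SDB": "database server",
    "MFP": "multi-function printer",
    "HFW": "hardware firewall",
}

# Assumption: dev/test hosts take the top ten tag values for their tag width
# (999, 998, ... for 3-digit tags); the post gives no exact boundary.
DEV_TEST_RANGE = 10


@dataclass
class HostName:
    site: str
    building: int
    type_class: str
    tag: int
    tag_width: int

    @property
    def description(self) -> str:
        return TYPE_CLASSES.get(self.type_class, "unknown type class")

    @property
    def environment(self) -> str:
        threshold = 10 ** self.tag_width - DEV_TEST_RANGE
        return "dev/test" if self.tag >= threshold else "prod"


def parse_hostname(name: str) -> Optional[HostName]:
    """Decode a name that follows the convention; return None otherwise."""
    name = name.strip().upper()
    m = HOST_RE.match(name)
    if m is None or len(name) != NAME_LENGTH:
        return None
    site, building, type_class, tag = m.groups()
    return HostName(site, int(building), type_class, int(tag), len(tag))


def noncompliant(names: List[str]) -> List[str]:
    """Names from an inventory export that do not follow the convention
    (the 'gonzo'/'simba' style names), in the order they were seen."""
    return [n for n in names if parse_hostname(n) is None]


def known_type_class(name: str) -> bool:
    """True when the name parses and its type class is in the table."""
    parsed = parse_hostname(name)
    return parsed is not None and parsed.type_class in TYPE_CLASSES


if __name__ == "__main__":
    # Constructed sample inventory mixing convention names with "cartoon" names.
    sample = ["BIT02DWS9966", "PDC01SVWB012", "PDC01SVWB999", "gonzo", "Simba"]
    for n in sample:
        h = parse_hostname(n)
        if h is None:
            print(f"{n}: does not follow the convention")
        else:
            print(f"{n}: {h.site} bldg {h.building:02d} {h.description} "
                  f"tag {h.tag} ({h.environment})")
```

Feeding the output of a DNS zone dump or CMDB export into `noncompliant()` gives the list of hosts that need renaming or a DNS alias; `known_type_class()` catches names that have the right shape but use a class code nobody registered, which is how a convention quietly decays.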


Re: [Full-disclosure] iPhone Geolocation storage

2011-04-29 Thread Christian Sciberras
>
> The *real* problem is if you're in a jurisdiction like Michigan, which
> seems to
> think it's OK to hoover all the data out of electronic devices at a traffic
> stop.
>

Regardless of whether they are given access or not, the major concern isn't
that, but rather whether they *can* or *can't*. Subpoena or not, they *can*
get to the server - and everyone knows this.
On the other hand, having a browser, device or anything keep logs away from
prying eyes is a completely different problem altogether.
Personally, I'd rather everyone that keeps a log also warns people about it
(like how CCTV should be), than hassling over whether police should be given
personal info or not (not saying the latter is unimportant).

As they say, knowledge is power. Knowing what someone knows / could know
about you doubles the points.

Re: [Full-disclosure] iPhone Geolocation storage

2011-04-29 Thread Valdis . Kletnieks
On Fri, 29 Apr 2011 08:25:04 +0200, Christian Sciberras said:
> Besides of which, the police already can be granted (upon request) access to
> servers (where your data is already stored in plain text), so I don't see
> the big deal.

This is one of those places where details count.  In some jurisdictions, LEO's
get access upon request.  In other places, LEO's get access upon subpoena
signed by a judge.  And in some places with wishy-washy spineless providers,
LEO's legally need a subpoena, but get access upon request anyhow. We'll just
skip over the whole US "National Security Letter" thing and pretend it's just a
hallucination. ;)

The *real* problem is if you're in a jurisdiction like Michigan, which seems to
think it's OK to hoover all the data out of electronic devices at a traffic 
stop.


[Full-disclosure] Computer name should match with your real identity?

2011-04-29 Thread taneja . security
Hi,

Recently got a policy from admin to change your PC name to your "name" +
organisation name.

I am not doing it for a long time as I feel it could be a case of
"information leakage".

So I need any ref./case study/security policy referencing not having a real
name.


-Avii