Re: [Full-disclosure] Facebook seems to think my Arch Linux box has malware on it
It may either be simple trickery or, and I guess I am being optimistic here, an overly aggressive / erroneous attempt by FB to deal with an ongoing problem. http://searchsecurity.techtarget.com/news/2240114125/-Facebook-users-targeted-by-transformed-Carberp-Trojan On Jan 19, 2012, at 11:10 PM, xD 0x41 wrote: > +1 > > this was the first and biggest hack ever done on myspace, wich simply, > pretended you needed the 'java flash' plugin, to view the 'wall' of > your friend..now, they killed it but by then, it was suicide...and, > they had no idea for many months... this, is known, and also that FB > has added new features, but, not being a user of it, i guess, id > rather not learn and, all im thinking is, the virus i will endup > having to remove from my sisters PC in the next day or so :) > cheers... but, yea, i agree, i think it is a simple page trickery, FB, > theyre own security, would be used against them, it is that new :P,. > so, everything new...well...lets say, has teething probs eh...well, > many of major sites did...and, this worm for myspace, was simple, it > prentended to be the actual, legit page, but, it was just simply > hiding a vuln in myspace wich let you still, eceute a 'plugin' wich, > was your url to malware, but, you had to use the actual 'plugfin' to > succeed, so, not the official one ofc, but, it seemed VERY > offcial...and, took solong to detect, i think thats what killed > MSpace..forsure...and will be same, for Fb, if they dont keep up with > the times...as, people , even as big as cisco, now see... that, it is > very very important, to update code :) > have a great day. > > > On 20 January 2012 14:57, Byron Sonne wrote: >> Hello, >> >>> “Your computer has malware!” Facebook says to me. >> >> I am really curious to know, assuming that everything you've said is >> accurate, how they determine you've got malware. This is rather curious. 
>> >> The more I think about it, the more I wonder if something's come between >> you and facebook pretending to be official, hoping to trick you into >> downloading something. >> >> Cheers >> >> -- >> freebyron.org >> >> ___ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Facebook seems to think my Arch Linux box has malware on it
+1 this was the first and biggest hack ever done on myspace, wich simply, pretended you needed the 'java flash' plugin, to view the 'wall' of your friend..now, they killed it but by then, it was suicide...and, they had no idea for many months... this, is known, and also that FB has added new features, but, not being a user of it, i guess, id rather not learn and, all im thinking is, the virus i will endup having to remove from my sisters PC in the next day or so :) cheers... but, yea, i agree, i think it is a simple page trickery, FB, theyre own security, would be used against them, it is that new :P,. so, everything new...well...lets say, has teething probs eh...well, many of major sites did...and, this worm for myspace, was simple, it prentended to be the actual, legit page, but, it was just simply hiding a vuln in myspace wich let you still, eceute a 'plugin' wich, was your url to malware, but, you had to use the actual 'plugfin' to succeed, so, not the official one ofc, but, it seemed VERY offcial...and, took solong to detect, i think thats what killed MSpace..forsure...and will be same, for Fb, if they dont keep up with the times...as, people , even as big as cisco, now see... that, it is very very important, to update code :) have a great day. On 20 January 2012 14:57, Byron Sonne wrote: > Hello, > >> “Your computer has malware!” Facebook says to me. > > I am really curious to know, assuming that everything you've said is > accurate, how they determine you've got malware. This is rather curious. > > The more I think about it, the more I wonder if something's come between > you and facebook pretending to be official, hoping to trick you into > downloading something. > > Cheers > > -- > freebyron.org > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. 
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Facebook seems to think my Arch Linux box has malware on it
Hello,

> “Your computer has malware!” Facebook says to me.

I am really curious to know, assuming that everything you've said is accurate, how they determine you've got malware. This is rather curious.

The more I think about it, the more I wonder if something's come between you and facebook pretending to be official, hoping to trick you into downloading something.

Cheers

--
freebyron.org
[Full-disclosure] Facebook seems to think my Arch Linux box has malware on it
So there I was, innocently posting anti-SOPA links on my wall. I close my facebook tab temporarily, open a new one a few minutes later, and I’m logged out of my account. “Well that’s odd” I think. So I log back in. “Your computer has malware!” Facebook says to me.

They tell me that my computer has malware, okay, well I am very skeptical of that since I run Arch Linux, my kernel and all of my software is up-to-date, and I don’t remember running any strange shell scripts as root. They then proceed to force me to certify that I’ve run Anti-Virus software, and link to several Windows and OS-X programs. “Well that’s offensive to me, both as a Linux user and a Programmer” I think. Why would they not even bother to check my user-agent to see what OS I am running? Why does Facebook even have an algorithm to try and detect if someone has malware on their computer? How do you even say “You have malware on your computer” with any confidence when the only interface between you and the user is HTTP? Facebook doesn’t have access to my computer’s hard disk. They have no right to tell me if I do or do not have any malware.

So now I am completely locked out of making any changes to my account or posting on my wall, or anyone else’s. All because Facebook was too lazy to check for false positives. This will supposedly last for around two days. I ended up sending a bug report that will most likely be ignored, and not even looked at. I will most likely end up waiting the two days for my account to be reinstated because I don’t know anyone who personally works for facebook that can fix the issue.

The message here for Facebook is that they shouldn’t implement systems that they can’t support when they fail. Apparently (this is according to people who I’ve talked to) there is a virus program going around in the Windows world called the “Carberp” Trojan. The lesson here is also that even if you refuse to use Windows, you can still be affected by the mediocrity of Windows. You are not 100% safe even on Linux, BSD, or Haiku.

Good job Facebook! You just impeded someone who was trying to help you stay around!
Re: [Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service
BTW your bug is a division by zero and it's here, in Linux/net/ipv4/igmp.c (lines 178-185):

    static void igmp_start_timer(struct ip_mc_list *im, int max_delay)
    {
        int tv = net_random() % max_delay;    /* <--- max_delay == 0 */

        im->tm_running = 1;
        if (!mod_timer(&im->timer, jiffies+tv+2))
            atomic_inc(&im->refcnt);
    }

On 01/19/2012 08:49 PM, root wrote:
> Hi,
>
> You already have a good reputation as a bug-finder.
> IMHO, releasing additional research in a hurry like this can only
> tarnish that reputation and feed the trolls.
> Providing a kernel stack trace ( http://imgur.com/klC4k ) or a more
> reliable PoC can't take more than an hour, and it will greatly enhance
> the quality of the report.
>
> If you are worried several people have found a particular bug and
> publication is imminent, then maybe it was not such a great find to begin
> with :)
>
> On 01/19/2012 02:32 PM, HI-TECH . wrote:
>> Hi XD,
>>
>> On 19 January 2012 15:27, xD 0x41 wrote:
>>> Oh and btw, that coding style, just aint you dude... you know,
>>> everyone has theyre own fingerprint, i find it really hard to think
>>> that, you just made this mistakes in cksum area,wich was area wich
>>> actually does the exploiting :P , so why release crap ? why not make
>>
>> I release it because it worked for me INSIDE TWO VM's, I had no clue about
>> the
>> checksum error. I didnt cripple it. It worked in my tests because I
>> bet the vmware
>> did adjust the checksums to be correct.
>> Why release that crap? Because I wanted to be the first to release an
>> exploit for it
>> for fame and glory and it was coded in a hurry, I was thinking it
>> actually works (I am doing
>> more tests now on real hardware so I can be sure)
>>
>>> it half decent, and as i said, it was not even your coding style so im
>>> finding this really hard to believe it wwas yours, maybe was modified
>>> , from many many similars, but, i guess thats normal...
you tend to >> >> It is modified code from other coders as stated in the header. >> >>> use perl, and bash alot, within your bash, is the .c, and that is your >>> style... like zx2c has, like dan rosenberg and JO, all kep the same >>> style, because it is habit for any coder.. you dont just change styles >>> this fast, or did you get some reay good ebooks coz, show me where >>> you found so i can catch up to it :P) >> >> I didnt change my coding style, it was just done in a hurry so Dan or >> Jon wouldnt beat me on that BWHAHAHA. >> >>> Love you long time pal, but, find this one abit shitty, and, i do like >>> everything in past, your codes going back to you know when, but this >>> is bs, and if you were gonna rls it, you shulda fucked with the >>> numbers maybe, but, let it fkn run, it was made as poc for lan test >>> right, so why cripple it, thats just silly... thats why i attack it, >>> and, i dont really care a shit who coded it, but, i doubt it was >>> anyone in that code. >> >> You can attack it its your opinion and thats totally fine. I didnt >> cripple the code >> actually. >> >>> have a good day and, no offence over this but, it just shits me when >>> people, who know better, go out of theyre way and release publically, >>> shit wich is fucked up and, in this case, would waste a persons time, >>> and, you even put tested on, and, now, how would it be tested with >>> that cksum, please explain that then, your saying you dont have time >>> but stop bullshit man, you crippled it, just fkn admit it, it could >>> NOT work setup, without the damn cksum, as it was part of sento! how >>> could this, be any use, even with the settings back to old, without my >>> edit you show me one fucking real test, i mean, compile the code, >>> infront of people, then go make your fYT vids, seriously, I have told >>> Jon Oberheldie this, and others, str8 up, if you release crippled >>> shit, your as shit as what you cripple mate. 
>> >> You forget about all the codes I rlsed before. As I said this was done >> in a hurry. You had a look at roaring beast ? How can you tell me I send >> crippled codes out? Buddy I m human too and do mistakes. >> >>> thats just my point of view and really, this is d0s, wich, i dont care >>> for..im saying, you dont see AB release some fucked up exploit every >> >> AB? whos that ? >> >>> 2months, and makeSURE it dont work , you dont see anyone release shit >>> like this anymore with such blatant errors, its just shitty, luckily i >>> nano'd it, yea, i like nano ok, or i would have wasted time >> >> wtf ? come on.. nano.. this is getting silly >> >>> kcope...its just that simple, and no offences atall, i was able to >>> spot this, but, do not sit there, telling me and everyone else, that >>> it was working, tested... coz, we both know that was NOT the same code >>> released, you cannot deny the code simple. >>> you screwed this one up. go back to exploiting :P itsd better and your >>> better at it! :P >> >> As I said I tested it with
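As an added illustration that is not code from this thread or from the kernel, the C model below ties together the two things the thread argues about: a query whose IGMP checksum is wrong is dropped before it reaches the timer code (which is why a PoC with a non-functional in_cksum() could only "work" where, as kcope suspects, the hypervisor repaired checksums), and a query that does reach the timer arithmetic with max_delay == 0 hits the modulo root points at. The HZ and IGMP_TIMER_SCALE values, the three sample queries and the clamp-to-one-jiffy fix are constructed assumptions for the model; the kernel's version dispatch that decides which queries reach this arithmetic is not reproduced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-space model; these constants are assumptions standing
 * in for the kernel's definitions, not copied from igmp.c. */
#define HZ 100
#define IGMP_TIMER_SCALE 10
#define IGMP_HOST_MEMBERSHIP_QUERY 0x11

/* RFC 1071 ones' complement checksum over the whole IGMP message.
 * Sender: compute with the checksum field zeroed and store the result.
 * Receiver: compute over the message as received; a valid message gives 0. */
uint16_t igmp_checksum(const uint8_t *buf, size_t len) {
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((buf[i] << 8) | buf[i + 1]);
    if (i < len)                          /* odd trailing byte, padded with zero */
        sum += (uint32_t)buf[i] << 8;
    while (sum >> 16)                     /* fold carries back into 16 bits */
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Sender-side step: zero the field, compute, store big-endian; returns the value. */
uint16_t igmp_fill_checksum(uint8_t *buf, size_t len) {
    uint16_t c;
    if (len < 4)
        return 0;
    buf[2] = buf[3] = 0;
    c = igmp_checksum(buf, len);
    buf[2] = (uint8_t)(c >> 8);
    buf[3] = (uint8_t)(c & 0xff);
    return c;
}

/* Max Resp Code is in tenths of a second; the kernel converts it to jiffies
 * as code * (HZ / IGMP_TIMER_SCALE), so a code of 0 yields max_delay 0. */
int max_delay_from_code(uint8_t max_resp_code) {
    return (int)max_resp_code * (HZ / IGMP_TIMER_SCALE);
}

/* Receiver-side model of the checks applied before a query reaches the timer
 * code: short message, bad checksum or non-query is dropped (returns -1),
 * otherwise the derived max_delay is returned. */
int igmp_query_max_delay(const uint8_t *buf, size_t len) {
    if (len < 8 || igmp_checksum(buf, len) != 0 || buf[0] != IGMP_HOST_MEMBERSHIP_QUERY)
        return -1;
    return max_delay_from_code(buf[1]);
}

/* The arithmetic of igmp_start_timer() as quoted in the thread:
 * net_random() % max_delay, with nothing stopping max_delay from being 0.
 * Dividing by zero would trap (SIGFPE here, a panic in the kernel), so the
 * model reports that path as -1 instead of executing it. */
int timer_offset_unguarded(unsigned rnd, int max_delay) {
    if (max_delay == 0)
        return -1;                        /* the kernel had no check here and trapped */
    return (int)(rnd % (unsigned)max_delay);
}

/* Hardened form: clamp the divisor to at least one jiffy before the modulo.
 * This clamp is the example's illustrative fix, not a quote of the kernel patch. */
int timer_offset_guarded(unsigned rnd, int max_delay) {
    if (max_delay < 1)
        max_delay = 1;
    return (int)(rnd % (unsigned)max_delay);
}

/* Constructed 8-byte IGMPv2-format General Queries: type, Max Resp Code,
 * checksum (big-endian), group 0.0.0.0. Checksums were produced with igmp_fill_checksum(). */
const uint8_t kQueryOk[8]     = {0x11, 0x64, 0xee, 0x9b, 0, 0, 0, 0}; /* code 100 = 10 s */
const uint8_t kQueryZero[8]   = {0x11, 0x00, 0xee, 0xff, 0, 0, 0, 0}; /* code 0 */
const uint8_t kQueryBadSum[8] = {0x11, 0x00, 0x00, 0x00, 0, 0, 0, 0}; /* checksum never filled in */

int main(void) {
    const uint8_t *pkts[3] = {kQueryOk, kQueryZero, kQueryBadSum};
    const char *names[3] = {"ok", "zero-code", "bad-checksum"};
    uint8_t built[8] = {0x11, 0x64, 0, 0, 0, 0, 0, 0};
    printf("sender fills checksum: 0x%04x\n", igmp_fill_checksum(built, 8));
    for (int i = 0; i < 3; i++) {
        int md = igmp_query_max_delay(pkts[i], 8);
        if (md < 0) {
            printf("%-13s dropped before the timer code\n", names[i]);
            continue;
        }
        printf("%-13s max_delay=%d unguarded=%d guarded=%d\n", names[i], md,
               timer_offset_unguarded(7, md), timer_offset_guarded(7, md));
    }
    return 0;
}
```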
Re: [Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service
Hi,

You already have a good reputation as a bug-finder.
IMHO, releasing additional research in a hurry like this can only tarnish that reputation and feed the trolls.
Providing a kernel stack trace ( http://imgur.com/klC4k ) or a more reliable PoC can't take more than an hour, and it will greatly enhance the quality of the report.

If you are worried several people have found a particular bug and publication is imminent, then maybe it was not such a great find to begin with :)

On 01/19/2012 02:32 PM, HI-TECH . wrote:
> Hi XD,
>
> On 19 January 2012 15:27, xD 0x41 wrote:
>> Oh and btw, that coding style, just aint you dude... you know,
>> everyone has theyre own fingerprint, i find it really hard to think
>> that, you just made this mistakes in cksum area,wich was area wich
>> actually does the exploiting :P , so why release crap ? why not make
>
> I release it because it worked for me INSIDE TWO VM's, I had no clue about the
> checksum error. I didnt cripple it. It worked in my tests because I
> bet the vmware
> did adjust the checksums to be correct.
> Why release that crap? Because I wanted to be the first to release an
> exploit for it
> for fame and glory and it was coded in a hurry, I was thinking it
> actually works (I am doing
> more tests now on real hardware so I can be sure)
>
>> it half decent, and as i said, it was not even your coding style so im
>> finding this really hard to believe it wwas yours, maybe was modified
>> , from many many similars, but, i guess thats normal... you tend to
>
> It is modified code from other coders as stated in the header.
>
>> use perl, and bash alot, within your bash, is the .c, and that is your
>> style... like zx2c has, like dan rosenberg and JO, all kep the same
>> style, because it is habit for any coder..
you dont just change styles >> this fast, or did you get some reay good ebooks coz, show me where >> you found so i can catch up to it :P) > > I didnt change my coding style, it was just done in a hurry so Dan or > Jon wouldnt beat me on that BWHAHAHA. > >> Love you long time pal, but, find this one abit shitty, and, i do like >> everything in past, your codes going back to you know when, but this >> is bs, and if you were gonna rls it, you shulda fucked with the >> numbers maybe, but, let it fkn run, it was made as poc for lan test >> right, so why cripple it, thats just silly... thats why i attack it, >> and, i dont really care a shit who coded it, but, i doubt it was >> anyone in that code. > > You can attack it its your opinion and thats totally fine. I didnt > cripple the code > actually. > >> have a good day and, no offence over this but, it just shits me when >> people, who know better, go out of theyre way and release publically, >> shit wich is fucked up and, in this case, would waste a persons time, >> and, you even put tested on, and, now, how would it be tested with >> that cksum, please explain that then, your saying you dont have time >> but stop bullshit man, you crippled it, just fkn admit it, it could >> NOT work setup, without the damn cksum, as it was part of sento! how >> could this, be any use, even with the settings back to old, without my >> edit you show me one fucking real test, i mean, compile the code, >> infront of people, then go make your fYT vids, seriously, I have told >> Jon Oberheldie this, and others, str8 up, if you release crippled >> shit, your as shit as what you cripple mate. > > You forget about all the codes I rlsed before. As I said this was done > in a hurry. You had a look at roaring beast ? How can you tell me I send > crippled codes out? Buddy I m human too and do mistakes. 
> >> thats just my point of view and really, this is d0s, wich, i dont care >> for..im saying, you dont see AB release some fucked up exploit every > > AB? whos that ? > >> 2months, and makeSURE it dont work , you dont see anyone release shit >> like this anymore with such blatant errors, its just shitty, luckily i >> nano'd it, yea, i like nano ok, or i would have wasted time > > wtf ? come on.. nano.. this is getting silly > >> kcope...its just that simple, and no offences atall, i was able to >> spot this, but, do not sit there, telling me and everyone else, that >> it was working, tested... coz, we both know that was NOT the same code >> released, you cannot deny the code simple. >> you screwed this one up. go back to exploiting :P itsd better and your >> better at it! :P > > As I said I tested it with two VMS in a testbed and both Ubuntu and > OpenSUSE crashed > instantly. > >> I like your shit, but, i really prefer, when kxcope, is thinking >> of b0f and new methods etc, like i know the one from 2009 did, and >> found the biggest remote hole ever,and you even released this , and >> people can hate you and whatever but there is no denying it, your damn >> skilled, so im just saying, i dont like crippled work, nowdays, and >> when it is released with a mark of approval, from someone i trust. > >
Re: [Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service
I release it because it worked for me INSIDE TWO VM's, I had no clue about the checksum error. I didnt cripple it. It worked in my tests because I bet the vmware please... dude, it does not work without it, so, there is one person thats already come forward, howmany more, before you just admit that, you released it, knowing that bug was there, or, you simply got setup maybe ? by not being the actual coder ? who knows, i did not read what you just sent me, as, really that was private, you put it up there...but, your not in the right this time dude, i mean, i still love ya work and all but, you cannot tell me this crap, worked, as is, i think maybe, you werre gioven perhaps a binary to use and used it, and then maybe, did not bother to fix the codeor, you knew, and ignored it. you cannot bullshit, a bullshitter :P drew ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service
Try fixing the in_cksum() function, it has been intionally crippled,also,look at both of the 'ips' both should really be argvs,as theyre set in saddr/daddr;) this should be easy to fix, or read the pasted one i think is in one of my posts in reply to it, it will show where i had to adjust it, as the sendto, will never work with the in_cksum not functional, lan, or no lan... anyhow, you could ignore me, but in the end, read the code... later dude. drew On 19 January 2012 09:43, Morgus Magnificent wrote: > Thanks again for re-enforcing my paranoia with another one of your exploits. > The apache killer one was particularly disturbing and at the same time, > another great eye-opener, much respect to you. > > I tested this on a custom compiled kernel for PXE booting, version > 2.6.37.6-x86_64, running Debian Squeeze, and I can't seem to get it to work. > Root is mounted read-only over NFS. > > I don't recall any special config options I did for networking or IGMP > requests, other then building my NIC drivers and NFS into the kernel. > Did I just get lucky? > > Thanks, > > Morgus > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Avast Antivirus
Here is your post taken from the forum, it was not really taken to wellbut, nomatter, im just stating the facts as i see them, and hope you understand this, but, i also giving you the chance to please try a real sandboxie, then load some bot.exe into it, and watch what it does... would maybe explain abit better what a sandbox is about. [..] Then I just wondered: What is that SafeZone and how does it work? I opened Process Explorer and noticed, that the processes run under the same user account o.O I tried some simple dll-injection into the browser and the first attempt worked. This really made me laugh. <--- this is standard for a sandbox, try SandBoxie,it is abit neater for a sandbox, and maybe what your after When I tried to save some screenshots I noticed that the file is created but empty afterwards, when I place it on the system drive. But saving to another drive was no problem at all. Could you please tell me what this feature is supposed to prevent? Re: Safezone vs DllInjection >From what I read and already used, SAFEZONE BROWSER is a Google browser without toolbars that can access your info. Nothing else. Nothing goes from out into but you can go from in to out,so that's why they call it safezone. What's a dll injection and how do you do it? Yes, dude they wont bother todo anything because thats actually what you 'can' do in the safezone, is inject a dll, and then yes, it should showup virtually tho, not actually running on your main box right... coz, it is injection INTO the sandboxwhen you use say, SandBoxie for example, you would load the app up and, simply right-click on any file and open within sandboxie, then, you can watch it drop and dump a million exes, thats exactly what it is supposed to be doing, is not letting this oout. 
now, if your saying you injected, into the AV dll itself, wich, i see nothing here of, then there would be a vuln, wich would eed attending, but, your injecting into this safezone, wich is, what nearly every AV nowdays comes with,simply a processkiller/sandbox, so in some cases, it can be of use to you in making sure your safe,... anyhow, seems like, normal functioning sandbox to me, you should have this powers to inject anything into it, and, then trace that ll you injected. Cheers dude..hope you have a good time playing with sandbox, dirtying them is definately fun :) drew On 19 January 2012 22:04, Juergen Schmidt wrote: > On Tue, 17 Jan 2012, Floste wrote: > >> Hello, >> >> Avast Antivirus also comes with sandbox and a "SafeZone". But both can >> be circumvented using simple dll-injection and they seem to do nothing >> about it: http://forum.avast.com/index.php?topic=82291.0 >> >> Maybe this post here will encourage them to fix it. > > In my understanding a sandbox is not supposed to prevent you from getting > in from the outside but from escaping from the inside. So if a sandboxed > process injects a DLL in say a running IE process outside -- then we are > talking about vulns > > > bye, ju > > > > -- > Juergen Schmidt Chefredakteur heise Security www.heisec.de > Heise Zeitschriften Verlag, Karl-Wiechert-Allee 10 , D-30625 Hannover > Tel. +49 511 5352 300 FAX +49 511 5352 417 EMail j...@heisec.de > GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970 > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service
Hi XD, Am 19. Januar 2012 15:27 schrieb xD 0x41 : > Oh and btw, that coding style, just aint you dude... you know, > everyone has theyre own fingerprint, i find it really hard to think > that, you just made this mistakes in cksum area,wich was area wich > actually does the exploiting :P , so why release crap ? why not make I release it because it worked for me INSIDE TWO VM's, I had no clue about the checksum error. I didnt cripple it. It worked in my tests because I bet the vmware did adjust the checksums to be correct. Why release that crap? Because I wanted to be the first to release an exploit for it for fame and glory and it was coded in a hurry, I was thinking it actually works (I am doing more tests now on real hardware so I can be sure) > it half decent, and as i said, it was not even your coding style so im > finding this really hard to believe it wwas yours, maybe was modified > , from many many similars, but, i guess thats normal... you tend to It is modified code from other coders as stated in the header. > use perl, and bash alot, within your bash, is the .c, and that is your > style... like zx2c has, like dan rosenberg and JO, all kep the same > style, because it is habit for any coder.. you dont just change styles > this fast, or did you get some reay good ebooks coz, show me where > you found so i can catch up to it :P) I didnt change my coding style, it was just done in a hurry so Dan or Jon wouldnt beat me on that BWHAHAHA. > Love you long time pal, but, find this one abit shitty, and, i do like > everything in past, your codes going back to you know when, but this > is bs, and if you were gonna rls it, you shulda fucked with the > numbers maybe, but, let it fkn run, it was made as poc for lan test > right, so why cripple it, thats just silly... thats why i attack it, > and, i dont really care a shit who coded it, but, i doubt it was > anyone in that code. You can attack it its your opinion and thats totally fine. 
I didnt cripple the code actually. > have a good day and, no offence over this but, it just shits me when > people, who know better, go out of theyre way and release publically, > shit wich is fucked up and, in this case, would waste a persons time, > and, you even put tested on, and, now, how would it be tested with > that cksum, please explain that then, your saying you dont have time > but stop bullshit man, you crippled it, just fkn admit it, it could > NOT work setup, without the damn cksum, as it was part of sento! how > could this, be any use, even with the settings back to old, without my > edit you show me one fucking real test, i mean, compile the code, > infront of people, then go make your fYT vids, seriously, I have told > Jon Oberheldie this, and others, str8 up, if you release crippled > shit, your as shit as what you cripple mate. You forget about all the codes I rlsed before. As I said this was done in a hurry. You had a look at roaring beast ? How can you tell me I send crippled codes out? Buddy I m human too and do mistakes. > thats just my point of view and really, this is d0s, wich, i dont care > for..im saying, you dont see AB release some fucked up exploit every AB? whos that ? > 2months, and makeSURE it dont work , you dont see anyone release shit > like this anymore with such blatant errors, its just shitty, luckily i > nano'd it, yea, i like nano ok, or i would have wasted time wtf ? come on.. nano.. this is getting silly > kcope...its just that simple, and no offences atall, i was able to > spot this, but, do not sit there, telling me and everyone else, that > it was working, tested... coz, we both know that was NOT the same code > released, you cannot deny the code simple. > you screwed this one up. go back to exploiting :P itsd better and your > better at it! :P As I said I tested it with two VMS in a testbed and both Ubuntu and OpenSUSE crashed instantly. 
> I like your shit, but, i really prefer, when kxcope, is thinking > of b0f and new methods etc, like i know the one from 2009 did, and > found the biggest remote hole ever,and you even released this , and > people can hate you and whatever but there is no denying it, your damn > skilled, so im just saying, i dont like crippled work, nowdays, and > when it is released with a mark of approval, from someone i trust. Its 2011 and I found a bug in FreeBSD ftpd. Which is better than ProFTPD coz it rocks, have you ever seen a bug in FreeBSD ftpd since ~10 years ? > this is private, and, stays here but, this is why i attacked you dude, > and, nothing bad about it, it stays here, and, thats it... i wont say > shit, i have said what i wanted, your a nice guy, i like you, so, > thats all, i just dont want to see you ending up like them other fags, > they have 0 respect UG... you do atleast have that... fuck fd lists > respect... but still, you just had to leave out that line 'tested' ;) I like the public scene more than the dark one. > ok, sorry for any confusion etc but,
[Full-disclosure] usb_modeswitch/pppd -detach
morrn,

Impact
======
Low

Summary
=======
When using usb_modeswitch and invoking pppd from wvdial in -detach mode, a /tmp/debug file is created. A local attacker could overwrite arbitrary files.

Example
=======
    ,file /tmp/debug
    debug: broken symbolic link to `/etc/nologin'

Insert stick and connect:

    ,su
    Password:
    ,sh connect >/dev/null
    ,file debug
    debug: symbolic link to `/etc/nologin'
    ,cd /etc && cat nologin
    symlink-name: /devices/pci:00/:00:1a.7/usb1/1-3/1-3:1.0/ttyUSB0/tty
    ,ls -l nologin
    -rw-r--r-- 1 root root 84 Jan 19 01:11 nologin

Software
========
archlinux: community/usb_modeswitch 1.2.1-1c
archlinux: core/ppp 2.4.5-3 (base)

Please verify. YMMV.

Greetings
srm
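As an added example that is not from the report above nor from usb_modeswitch or pppd, this C program reproduces the bug class inside a private temporary directory: a writer that opens a fixed path with fopen("w") follows a planted symlink and overwrites the link's target (the /tmp/debug -> /etc/nologin case), while an open with O_CREAT|O_EXCL|O_NOFOLLOW refuses the same planted link. The directory prefix, the "nologin"/"debug" stand-in names and the log message are constructed for the demo; nothing under /etc is touched.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Unsafe pattern (what the report describes): write a debug log to a fixed,
 * predictable path. fopen("w") follows symlinks and truncates, so a link
 * planted at that path by any local user redirects the write to the link's
 * target. Returns 0 on success, -1 if the open failed. */
int unsafe_debug_write(const char *path, const char *msg) {
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    fputs(msg, f);
    fclose(f);
    return 0;
}

/* Safe pattern: O_EXCL refuses anything already present at the path (a
 * symlink included) and O_NOFOLLOW refuses to traverse a link, so a planted
 * link makes the open fail (errno EEXIST or ELOOP) instead of writing through
 * it. A per-process mkstemp() name is the other half of the fix; the fixed
 * name is kept here only to show the refusal. Returns the fd or -1. */
int safe_debug_open(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Reads the first line of a file into buf; returns 0 on success. */
static int read_first_line(const char *path, char *buf, size_t len) {
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    if (!fgets(buf, (int)len, f))
        buf[0] = '\0';
    fclose(f);
    return 0;
}

/* Demo in a private directory: "nologin" plays the protected file, "debug"
 * is the link a local user planted. Returns 1 if the unsafe writer clobbered
 * the target AND the safe open refused, 0 if either half did not behave as
 * described, -1 on setup failure. */
int demo_symlink_clobber(void) {
    char dir[] = "/tmp/modeswitch-demo-XXXXXX";   /* constructed scratch dir */
    char target[300], link[300], buf[64];
    FILE *t;
    int clobbered, refused, fd, rc = -1;

    if (!mkdtemp(dir))
        return -1;
    snprintf(target, sizeof target, "%s/nologin", dir);
    snprintf(link, sizeof link, "%s/debug", dir);

    t = fopen(target, "w");
    if (!t)
        goto out;
    fputs("original contents\n", t);
    fclose(t);
    if (symlink(target, link) != 0)
        goto out;

    /* the vulnerable writer opens "debug" but actually rewrites "nologin" */
    unsafe_debug_write(link, "pppd debug output\n");
    if (read_first_line(target, buf, sizeof buf) != 0)
        goto out;
    clobbered = strcmp(buf, "pppd debug output\n") == 0;

    /* the hardened open against the same planted link */
    fd = safe_debug_open(link);
    refused = (fd < 0) && (errno == EEXIST || errno == ELOOP);
    if (fd >= 0)
        close(fd);

    rc = clobbered && refused;
out:
    unlink(link);
    unlink(target);
    rmdir(dir);
    return rc;
}

int main(void) {
    int r = demo_symlink_clobber();
    printf("fopen(\"w\") followed the planted link and the O_EXCL|O_NOFOLLOW open refused: %s\n",
           r == 1 ? "yes" : (r == 0 ? "no" : "setup failed"));
    return r == 1 ? 0 : 1;
}
```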
Re: [Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service
Thanks again for reinforcing my paranoia with another one of your exploits. The apache killer one was particularly disturbing and at the same time, another great eye-opener, much respect to you.

I tested this on a custom compiled kernel for PXE booting, version 2.6.37.6-x86_64, running Debian Squeeze, and I can't seem to get it to work. Root is mounted read-only over NFS.

I don't recall any special config options I did for networking or IGMP requests, other than building my NIC drivers and NFS into the kernel. Did I just get lucky?

Thanks,

Morgus
Re: [Full-disclosure] Avast Antivirus
On Tue, 17 Jan 2012, Floste wrote:
> Hello,
>
> Avast Antivirus also comes with sandbox and a "SafeZone". But both can
> be circumvented using simple dll-injection and they seem to do nothing
> about it: http://forum.avast.com/index.php?topic=82291.0
>
> Maybe this post here will encourage them to fix it.

In my understanding a sandbox is not supposed to prevent you from getting in from the outside but from escaping from the inside. So if a sandboxed process injects a DLL in say a running IE process outside -- then we are talking about vulns

bye, ju

--
Juergen Schmidt Chefredakteur heise Security www.heisec.de
Heise Zeitschriften Verlag, Karl-Wiechert-Allee 10 , D-30625 Hannover
Tel. +49 511 5352 300 FAX +49 511 5352 417 EMail j...@heisec.de
GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970
Re: [Full-disclosure] Reflection Scan: an Off-Path Attack on TCP
Frickin k1dz1es

On Thu, Jan 19, 2012 at 01:22:35PM +1100, xD 0x41 wrote:
> On 18 January 2012 09:45, Jan Wrobel wrote:
> > Hi,
> >
> > This TCP session hijacking technique might be of interest to some of you.
> >
> > Abstract:
> > The paper demonstrates how traffic load of a shared packet queue can
> > be exploited as a side channel through which protected information
> > leaks to an off-path attacker. The attacker sends to a victim a
> > sequence of identical spoofed segments. The victim responds to each
> > segment in the sequence (the sequence is reflected by the victim) if
> > the segments satisfy a certain condition tested by the attacker. The
> > responses do not reach the attacker directly, but induce extra load on
> > a routing queue shared between the victim and the attacker. Increased
> > processing time of packets traversing the queue reveals that the tested
> > condition was true. The paper concentrates on TCP, but the
> > approach is generic and can be effective against other protocols that
> > allow constructing requests which are conditionally answered by the
> > victim. A proof of concept was created to assess applicability of the
> > method in real-life scenarios.
> >
> > The paper in ps and pdf is available at http://mixedbit.org and
> > http://arxiv.org/abs/1201.2074
> >
> > Proof of concept: https://github.com/wrr/reflection_scan
> >
> > Thanks,
> > Jan
>
> Very cool :)
> Thanks for showing this as a 'type' ofsequencing,id love to test this
> with winBITS and see what makes a difference in there...but yea, nice
> stuff from the snippets i have read and could comprehend without
> making a packetting app :P hehe..great work, and great paper for ANY
> hat to wear.
> Might have to try it oneday and see if it is as effective as it seems!
> great stuff tho, anything todo with bugs within TCP-IP stacks, should > be al;ways encouraged... thanks for the encouragement :-) > Cheers,and Ill maybe add more on this and another persons pi3.com.pl ) > tcp ip session hijacking, wich people have even said, is impossible... > i guess they should find and watch that video, or just ask the author > of the blog, to explain it more...nmaybe would have them something to > actually see as a 'p0c' anyhow, many thanks in your input and, > again any futher addons and appendices to the papers just, let the > list know, and ill makesure the topic maybe gets a better coverage, > as, this is also a topic many ppl called me a wanker on...or maybe one > of them :s megh, i dont count now,. i just read the msgs from 3 ppl > and delete the rest :) > best way to use fd, is to take what your iven, and stfu... i dont > know why somany ppl seem to call me this, whebn, i am only interested, > in bugs i can actually exploit...yet, somuch bullsh1t on this forum, > they have forgotten what a bug is, and,. what a poc is./and now, > these are 'design flaws' lolanyhow, pease keep up the ressearch, > we like it! Oh thats, the ppl like, 3 of ypou (maybe) who actually, > seem cool ;) > You also do, and your on a great topic, dont let idiots pick out any > flaws in anything on this subject, coz believe me, behind every > trolling ive been thru, that was the worst when i spoke about, methods > of hijacking tcp ip stackand did not give out the poc...well, now, > the poc is available to see on video for those who are not idiots and > abuse, but actually, want to see it working :) > Ok, thats my 2bob, dont expect any answers, unless your a VERY well > known person, i will auto delete it, so, i hope to see you in my > channel, anytime online... 
and there, we could discuss ANYTHING :) > Why some of you are there, and see what i do, i guess are not the > haters on this list but, also, they get what 'theyre given' ,wich is > ALO in the cases where people are coolso, i guess the moral of > the story is, dont smash the stack t hard > enjoy budddy, im probably one of few who would even understand it but > anyghow :P Thanks!I > Drew. > > PS: > NOT a top poster anymore, omg, whats this, not using Glow XD , what is > this, madness!! omg! > Seriously folks, you should all read more of people like this's work, > and then maybe, contribute some of your own frigging srcs, instead of > relying on ppl like kcope to fist fuck you, wich is fine bvy me :> i > hope he fucks this list over, nonstop till your arses bleed, but hey, > thats JUST me! love you all long fucking time arseholes, goto hell, > and dont even try taklkin to me, ever, if your not already in the addy > book, you will fkn known about it and oh, i CAN ddos you, and i WILL, > so, anytime you like to shit me, in private, and wish to test your > fwall, go hard, i dun care, i should say, we...but,. it really doesnt > matter, coz, i dont ev
[Full-disclosure] Advisory 01/2012: Suhosin PHP Extension Transparent Cookie Encryption Stack Buffer Overflow
SektionEins GmbH
www.sektioneins.de

-= Security Advisory =-

Advisory: Suhosin PHP Extension Transparent Cookie Encryption Stack Buffer Overflow
Release Date: 2012/01/19
Last Modified: 2012/01/19
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Suhosin Extension <= 0.9.32.1
Severity: A possible stack buffer overflow in the Suhosin extension's transparent cookie encryption, which can only be triggered in an uncommon and weakened Suhosin configuration, can lead to arbitrary remote code execution if the FORTIFY_SOURCE compile option was not used when Suhosin was compiled.
Risk: Medium
Vendor Status: Suhosin Extension 0.9.33 was released, which fixes this vulnerability
Reference: http://www.suhosin.org/
           https://github.com/stefanesser/suhosin

Overview:

Quote from http://www.suhosin.org

"Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against buffer overflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections."

During an internal audit of the Suhosin PHP extension (which is often confused with the Suhosin PHP patch, although they are not the same), a possible stack based buffer overflow inside the transparent cookie encryption feature was discovered. If successfully exploited, this vulnerability can lead to arbitrary remote code execution. However, further investigation into the vulnerability revealed that it can only be triggered if the admin has not only activated transparent cookie encryption, but also explicitly disabled several other security features of Suhosin.

In addition to that, remote exploitation requires a PHP application that puts unfiltered user input into a call to the header() function that sends a Set-Cookie header. Furthermore, most modern Unix systems compile the Suhosin extension with the FORTIFY_SOURCE flag, which will detect the possible buffer overflow and abort execution before something bad can happen.

Details:

The transparent cookie encryption of Suhosin is disabled by default because it stops applications that use JavaScript to access cookies, which would break these applications. In order to activate it, an admin has to enable this feature in the configuration file:

    suhosin.cookie.encrypt = On

Once activated, all incoming cookies will be decrypted and all outgoing Set-Cookie HTTP headers will be rewritten to only contain encrypted data. When this happens, the following code of the Suhosin extension will be triggered.

    char *suhosin_encrypt_single_cookie(char *name, int name_len, char *value, int value_len, char *key TSRMLS_DC)
    {
        char buffer[4096];
        char buffer2[4096];
        char *buf = buffer, *buf2 = buffer2, *d, *d_url;
        int l;

        /* name: the guard and the copy both use name_len */
        if (name_len > sizeof(buffer)-2) {
            buf = estrndup(name, name_len);
        } else {
            memcpy(buf, name, name_len);
            buf[name_len] = 0;
        }

        ...

        /* value: the guard uses strlen(), the copy uses value_len */
        if (strlen(value) <= sizeof(buffer2)-2) {
            memcpy(buf2, value, value_len);
            buf2[value_len] = 0;
        } else {
            buf2 = estrndup(value, value_len);
        }

The problem with this code is that the second call to memcpy() uses strlen() to check whether there is enough buffer space, but uses the variable value_len to determine the number of bytes to copy. If there is a NUL byte inside the value of the cookie, strlen() stops at that byte while value_len counts past it, which will result in a stack based buffer overflow. While the same code can also be found inside the suhosin_decrypt_single_cookie() function, the problem cannot be exploited there, because in that case there cannot be a NUL byte.
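The guard/copy mismatch above, as an added example that is not Suhosin's code: the advisory's strlen()-based guard and a consistent value_len-based guard are written as predicates, an embedded-NUL detector mirrors what the multiheader protection rejects, and a constructed 5000-byte cookie value with a NUL at offset 9 is evaluated under both guards without ever writing into a fixed buffer. COOKIE_BUF mirrors the 4096-byte buffer2 from the snippet; all function names and the sample value are this example's own.

```c
/* Added example, not Suhosin's code: the guard/copy mismatch from the
 * advisory as predicates beside a consistent guard, so the embedded-NUL
 * case can be examined without ever writing into a fixed buffer. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define COOKIE_BUF 4096   /* sizeof(buffer2) in the advisory's snippet */
#define SAMPLE_LEN 5000   /* explicit length of the constructed sample */

/* Mirrors the advisory's guard: strlen() decides whether value_len bytes
 * may be copied into the stack buffer. value_len is never consulted. */
bool vulnerable_guard_admits(const char *value, size_t value_len, size_t bufsz)
{
    (void)value_len;
    return strlen(value) <= bufsz - 2;
}

/* Consistent guard: the length that will be copied is the one checked. */
bool fixed_guard_admits(const char *value, size_t value_len, size_t bufsz)
{
    (void)value;
    return value_len <= bufsz - 2;
}

/* True when strlen() and value_len can disagree (an embedded NUL).
 * Suhosin's default multiheader protection rejects such values upstream. */
bool has_embedded_nul(const char *value, size_t value_len)
{
    return memchr(value, '\0', value_len) != NULL;
}

/* Would "memcpy(buf2, value, value_len); buf2[value_len] = 0;" run past a
 * bufsz-byte buffer when the given guard lets the copy proceed? */
bool copy_would_overflow(const char *value, size_t value_len, size_t bufsz,
                         bool (*guard)(const char *, size_t, size_t))
{
    return guard(value, value_len, bufsz) && value_len + 1 > bufsz;
}

/* Constructed (hypothetical) cookie value: a 9-byte prefix, its NUL, then
 * padding up to SAMPLE_LEN bytes; out must hold SAMPLE_LEN + 1 bytes. */
size_t build_sample(char *out, size_t cap)
{
    static const char head[] = "sessid=ok";   /* sizeof counts the NUL */
    if (cap < SAMPLE_LEN + 1)
        return 0;
    memcpy(out, head, sizeof head);
    memset(out + sizeof head, 'A', SAMPLE_LEN - sizeof head);
    out[SAMPLE_LEN] = '\0';                    /* keeps strlen() bounded */
    return SAMPLE_LEN;
}

/* Evaluates the sample under one guard: true means the guard admitted a
 * copy that would overflow COOKIE_BUF. strlen(sample) is 9, so the
 * advisory's guard says yes; the consistent guard says no. */
bool sample_overflows_under(bool (*guard)(const char *, size_t, size_t))
{
    char v[SAMPLE_LEN + 1];
    size_t n = build_sample(v, sizeof v);
    return n == SAMPLE_LEN && has_embedded_nul(v, n)
        && copy_would_overflow(v, n, COOKIE_BUF, guard);
}
```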
To understand the limited impact of this vulnerability it is important to know that NUL bytes are not allowed inside HTTP headers in a default Suhosin installation. In order to be vulnerable, it is therefore required that the admin explicitly weakened security by disabling the HTTP response splitting protection of Suhosin with the following configuration:

    suhosin.multiheader=On

The next thing to know is that PHP applications normally use the functions setcookie() and setrawcookie() to set cookies. Both functions are however not affected by the problem, because both will eliminate a possible NUL byte when constructing the Set-Cookie header. Therefore the only wa
Re: [Full-disclosure] Reflection Scan: an Off-Path Attack on TCP
On 01/17/2012 04:45 PM, Jan Wrobel wrote:
>
> Abstract:
> The paper demonstrates how traffic load of a shared packet queue can
> be exploited as a side channel through which protected information
> leaks to an off-path attacker.

C.f. The Thing
http://en.wikipedia.org/wiki/Thing_%28listening_device%29

- Marsh
[Full-disclosure] Drupal Panels Module XSS Vulnerability
Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Panels module (http://drupal.org/project/panels) "allows a site administrator to create customized layouts for multiple uses. At its core it is a drag and drop content manager that lets you visually design a layout and place content within that layout."

Unfortunately the Panels module contains a persistent arbitrary HTML injection vulnerability (also known as cross site scripting, or XSS) because it fails to filter user-supplied input before display.

Systems affected:
-----------------
Drupal 6.22 with Panels 6.x-3.9 was tested and shown to be vulnerable.

Impact:
-------
The Panels module is deployed on over 100,000 Drupal sites according to the module project page. Users could inject arbitrary scripts into pages affecting site users. This could result in administrative account compromise leading to web server process compromise. A more likely scenario would be for an attacker to inject hidden content (such as iframes, applets, or embedded objects) that would attack client browsers in an attempt to compromise site users' machines. This vulnerability could also be used to launch cross site request forgery (XSRF) attacks against the site that could have other unexpected consequences.

Mitigating factors:
-------------------
In order to exploit this vulnerability the attacker must have credentials to an authorized account that has been assigned the 'use page manager' and 'administer advanced pane settings' permissions. This could be accomplished via social engineering, brute force password guessing, or abuse of legitimate credentials.

Proof of concept:
-----------------
1. Install Drupal 6.22, Panels 6.x-3.9 and the Ctools module 6.x-1.8 (a prerequisite)
2. Enable the Panels module and the page manager in Ctools from ?q=/admin/build/modules
3. Go to ?q=admin/build/panels/layouts/add
4. Click 'Add flexible layout' beneath the 'Layouts' tab at the top
5. Enter an arbitrary title, name and description
6. Click the 'Row' link and select 'Add region to right'
7. Enter '">alert("xss1");

plugins['layout']['panels'][$region_id] . ""; +$output .= "" . check_plain($this->plugins['layout']['panels'][$region_id]) . ""; $output .= $content; $output .= "";

Vendor Response:
----------------
Update to the latest version of Panels (ref: SA-CONTRIB-2012-011 https://drupal.org/node/1409436).

The text of this advisory is also published at http://www.madirish.net/content/drupal-panels-6x-39-xss-vulnerability

--
Justin Klein Keane
http://www.MadIrish.net
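Review bot: the `+` line escapes only the region identifier with check_plain(); the `$output .= $content;` that follows still appends the pane body unescaped, so the review should confirm that $content has already passed Drupal's input filtering (check_plain() or filter_xss()) before this point, otherwise the title injection is closed while pane markup remains unfiltered. As extracted, the hunk also lacks its `-` line and the surrounding markup, so it cannot be applied as shown; the full diff should be taken from SA-CONTRIB-2012-011.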
Re: [Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service
lol no, I just like to make sure things work when I use them. Thanks, no offence taken :)

On 20 January 2012 00:28, HI-TECH . wrote:
> Hello xD,
> sorry I don't understand a word you are talking about.
> To put everything together about what you were ranting would take too
> much time for me.
> Did I offend you in any way?
> It's just a PoC for people to test their systems, nothing else...
> I cannot check each and every system if it works, I just checked two boxes
> and that's enough for me.
>
> Regards,
>
> Kc
>
> On 19 January 2012 04:56, xD 0x41 wrote:
>> Now, here's the one which works, without the in_chksum bug ;)
>>
>> http://pastebin.com/x1ShKAUT
>>
>> now, sorry but, had to try it remotely, sheesh, and, you don't
>> cripple code of old bugs and, half of this code is from an old bug
>> anyhow, so why the heck not leave it... I guess now you're starting to
>> look like Jon Oberheldie the king of fucked up cripples... lol...
>> enjoy folks. this version may even work! omg isn't this amazing!!
>> XD says to FD a BIG FUCKS YOU, well cept kcope and few other decent
>> guys like me :P, and nme, and tropic and well, #Haxnet :)
>> now go fucking shoot yourselves away with your newbie working
>> undeadattack.. don't know why someone did not inform me they would
>> cripple it, and maybe forward a copy to me but, now this file goes
>> where the rest go, to the shame files...
>>
>> On 18 January 2012 08:11, HI-TECH . wrote:
>>> Demonstration of the Exploit:
>>> http://www.youtube.com/watch?v=78nAxh70yZE (thanks ClsHack)
>>>
>>> see attached content
>>>
>>> /Kingcope
Re: [Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service
Hello xD,
sorry I don't understand a word you are talking about.
To put everything together about what you were ranting would take too
much time for me.
Did I offend you in any way?
It's just a PoC for people to test their systems, nothing else...
I cannot check each and every system if it works, I just checked two boxes
and that's enough for me.

Regards,

Kc

On 19 January 2012 04:56, xD 0x41 wrote:
> Now, here's the one which works, without the in_chksum bug ;)
>
> http://pastebin.com/x1ShKAUT
>
> now, sorry but, had to try it remotely, sheesh, and, you don't
> cripple code of old bugs and, half of this code is from an old bug
> anyhow, so why the heck not leave it... I guess now you're starting to
> look like Jon Oberheldie the king of fucked up cripples... lol...
> enjoy folks. this version may even work! omg isn't this amazing!!
> XD says to FD a BIG FUCKS YOU, well cept kcope and few other decent
> guys like me :P, and nme, and tropic and well, #Haxnet :)
> now go fucking shoot yourselves away with your newbie working
> undeadattack.. don't know why someone did not inform me they would
> cripple it, and maybe forward a copy to me but, now this file goes
> where the rest go, to the shame files...
>
> On 18 January 2012 08:11, HI-TECH . wrote:
>> Demonstration of the Exploit:
>> http://www.youtube.com/watch?v=78nAxh70yZE (thanks ClsHack)
>>
>> see attached content
>>
>> /Kingcope
Re: [Full-disclosure] Exploit Pack - New release
So anyhow... came across this... for anyone interested in it... this is seemingly a bit old but I will actually check it out and then make my judgement, although I see msf2 and recall there were problems, specially with the whole smb session setup and nt session stuff, and a couple of other areas; dcerpc in any form seemed a bit tricky in those days of msf2 when it was crossing, from I think .py or .rb to customised rb with a really GREAT Dcerpc FPhost application, so I see that is there but is msf2/, so, if he ripped them off, well, I guess this is not a payback at all but, finally, I'm going to fucking end this topic ok, so this guy is decent, or not decent, can be for once maybe put to bloody rest, I mean, the guy is trying, albeit he sucks atm... but maybe this will show more, who knows, I have seen miracles happen.

http://hotfile.com/dl/142661738/73422d5/INSECTProFull.zip.html -- 122meg, unchecked, untested... probably others of it around but this seems workable... enjoy but, please, rate it at least afterwards... as I will delete it after people have given the 'complete' exploitpack.com works, which this is also part of, so I would assume that exploitpack files should work on insectpro, or not... this is what we can now ask and, well, he can try sell it and scream Copyright all he likes, then I will just move it to my website and make sure it is updated... so I guess it is, leave it till I say, or it'll be online, free, forever, with updates :) ok. have a lovely fucking FD wank day arseholes.

On 19 January 2012 06:26, wrote:
> Exploit Pack is a Security Tool that will assist you while you test
> the security of your workstations or networks. With a friendly and easy
> to use interface, it has an update manager to keep you up to date and an
> IDE to develop or modify its modules. Also we provide you with
> technical support if you need it. Try it out and purchase a subscription
> now. Make your computer safe using Exploit Pack.
>
> Make your workstation safe by testing its security before hackers,
> virus or malware do. Mitigate, monitor and manage the latest security
> threats and vulnerabilities and implement active security policies by
> performing penetration tests across your infrastructure and
> applications.
>
> Visit us: http://exploitpack.com
>
> Exploit Pack Team
> Juan Sacco
> Dev Lead
Re: [Full-disclosure] Exploit Pack - Happy new year!
logon counter I wonder... you bring something interesting though to something which that guy said... yeah, I wonder how he is counting and, I know that shit, don't have 20k, more like 20 if lucky... it has what, 10 ftp bsitty 10ftp in the world b0f, all from the same kid too... he's happy to do it but... they know it goes in the pack, so I guess if there was 20k ever of them, I'd not pity a single one :) have a nice day.

On 19 January 2012 21:42, Mario Vilas wrote:
> Just out of curiosity, exactly how do you measure that?
>
> On Wed, Jan 18, 2012 at 8:25 PM, wrote:
>> +20k active users
>
> --
> “There's a reason we separate military and the police: one fights the
> enemy of the state, the other serves and protects the people. When the
> military becomes both, then the enemies of the state tend to become
> the people.”
Re: [Full-disclosure] Exploit Pack - Happy new year!
Just out of curiosity, exactly how do you measure that?

On Wed, Jan 18, 2012 at 8:25 PM, wrote:
> +20k active users

--
“There's a reason we separate military and the police: one fights the
enemy of the state, the other serves and protects the people. When the
military becomes both, then the enemies of the state tend to become
the people.”