[Full-disclosure] thc-ipv6 v2.0

2012-10-10 Thread Marc Heuse
Hi guys,

I released thc-ipv6 v2.0 yesterday.

Includes a new tool for alive scanning IPv6 networks (also see
https://conference.hitb.org/hitbsecconf2012kul/materials/D1T2%20-%20Marc%20Heuse%20-%20IPv6%20Insecurity%20Revolutions.pdf),
new tools for local network denial of service against Windows and BSD
based systems (not patched yet as it seems), inject into PPPoE and 6to4
tunnels and a lot more! Have fun :-)

available at www.thc.org/thc-ipv6

Greets,
Marc

--
Marc Heuse
www.mh-sec.de

PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Last reminder for ClubHack 2012 : Call for Papers

2012-10-10 Thread Abhijeet Patil
Hello Everyone,

This is a Last Reminder for ClubHack 2012 Call for Papers.
CFP closes on 15th Oct, 2012. Send in your submission as soon as possible.

Call For Participation
======================

See http://clubhack.com/2012
for details

In 2012, as ClubHack is focusing toward innovation & leadership, we invite
papers from enthusiast & seasoned professionals for ClubHack2012 with
emphasis on entrepreneurship in infosec and security innovation.

These presentations are expected to be of 40 minutes each. The scheduled
time for each presenter would be 50 minutes, of which 40 minutes are for
the presentation & 10 for the question-answer session. We would request
you to submit the papers keeping the time constraint in mind.

:::Topics:::
Innovation knows no boundaries. Just to spark your thought process, here's
a hint of topics which you may refer to:
* Entrepreneurship in infosec product development
* Research work in infosec
* Innovation in attack vectors
* Attacks on Cloud
* Mobile computing
* Malware & Botnets
* Privacy with social networks
* Telecom Security (3G/4G, SS7, GSM/CDMA, VoIP) and Phone Phreaking
* Hardware, Embedded Systems and other Electronic Devices Hacking
* War of handhelds & BYOD
* Cyber warfare & your role
* Open Source Intelligence (OSINT)
* Signal Intelligence (SIGINT) : COMINT, ELINT, etc
* Critical Infrastructure Protection
* Security aspects in SCADA and industrial environments and obscure networks
* & the general other infosec domains like web, network, tools & exploits
etc.

If you want to deliver a workshop at ClubHack2012, please write to us
separately and we will help in the same.

:::Submission Deadline:::
October 15, 2012

:::How to Submit:::
Please send us your entries to c...@clubhack.com

For more information regarding CFP please visit
http://clubhack.com/2012/cfp/


For conference related information please visit the conference web site -
http://clubhack.com/2012

OR
contact us via email - i...@clubhack.com

Hope to see your contribution and support for ClubHack2012.

--
Abhijeet Patil
ClubHack
http://clubhack.com

[Full-disclosure] FileBound - Privilege Escalation Vulnerability - Security Advisory - SOS-12-010

2012-10-10 Thread Lists
Sense of Security - Security Advisory - SOS-12-010

Release Date.              10-Oct-2012
Last Update.               -
Vendor Notification Date.  14-Aug-2012
Product.                   FileBound On-Site
Platform.                  Windows
Affected versions.         All versions prior to 6.2
Severity Rating.           High
Impact.                    Privilege escalation
Attack Vector.             From remote with authentication
Solution Status.           Vendor patch
CVE reference.             CVE - not yet assigned

Details.
The FileBound On-Site document management application is
vulnerable to privilege escalation: an authenticated user can
send a modified password-reset request to the FileBound web
service and, by changing the UserID value, reset the password
of any local user in the application without holding
administrative privileges.

Proof of Concept.
Authenticate to FileBound via the following web service
method and SOAP request (the SOAP element names did not
survive extraction; only the submitted values remain):

http://www.company.com/Filebound.asmx?op=Login
  sosuser
  daisyp0p

After authentication a request can be sent to the following
administrator's password reset web service method and
SOAP request:

http://www.company.com/Filebound.asmx?op=SetPassword2
  32
  lightsouthern
  0

By modifying the UserID value the password can be reset for
any existing user in the system. A response code of -1
confirms the password reset was successful.
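The authorization gap the advisory describes, as an added example that is not FileBound's code: a small Python model of a SetPassword2-style reset method, once trusting the request's UserID as the advisory reports, and once deciding from the server-side session identity (own account or administrator role) before acting. The -1 success code is the advisory's; the user records, role names, DENIED code and hash helper are constructed.

```python
"""Model of the FileBound SetPassword2 authorization flaw (SOS-12-010).

Constructed example, not FileBound's code. It models a password-reset web
method that receives a UserID from the client: first as the advisory
describes it (any authenticated user can reset any UserID), then with the
server-side check such a method needs. The -1 success code comes from the
advisory; users, roles, the DENIED code and the hash helper are made up.
"""
import hashlib
import hmac
import os

SUCCESS = -1   # response code the advisory reports for a completed reset
DENIED = 403   # constructed: code returned when the reset is refused


def _hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; a constructed stand-in for the real storage format."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return salt, digest


def make_users():
    """Constructed user table keyed by UserID; the role names are assumptions."""
    users = {
        1: {"name": "admin", "role": "administrator"},
        7: {"name": "sosuser", "role": "user"},
        32: {"name": "alice", "role": "user"},
    }
    for rec in users.values():
        rec["salt"], rec["pw"] = _hash_password("initial-" + rec["name"])
    return users


def verify_password(users, user_id, password):
    """Constant-time comparison of a candidate password against the stored hash."""
    rec = users[user_id]
    _, digest = _hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["pw"])


def set_password2_vulnerable(users, session_user_id, target_user_id, new_password):
    """As the advisory describes: the client-supplied UserID is trusted, so any
    authenticated session can reset any existing user's password."""
    if session_user_id not in users or target_user_id not in users:
        return DENIED
    users[target_user_id]["salt"], users[target_user_id]["pw"] = _hash_password(new_password)
    return SUCCESS


def set_password2_fixed(users, session_user_id, target_user_id, new_password):
    """Hardened form: the decision is made from the server-side session identity.
    A caller may reset only their own password unless they hold the
    administrator role; the UserID in the request is never trusted on its own."""
    caller = users.get(session_user_id)
    if caller is None or target_user_id not in users:
        return DENIED
    is_self = session_user_id == target_user_id
    is_admin = caller["role"] == "administrator"
    if not (is_self or is_admin):
        return DENIED
    users[target_user_id]["salt"], users[target_user_id]["pw"] = _hash_password(new_password)
    return SUCCESS


if __name__ == "__main__":
    # sosuser (UserID 7, a plain user) targets UserID 32, as in the PoC above.
    users = make_users()
    print("vulnerable:", set_password2_vulnerable(users, 7, 32, "lightsouthern"))  # -1
    users = make_users()
    print("fixed:", set_password2_fixed(users, 7, 32, "lightsouthern"))  # 403
```

The same check belongs on every method that acts on a client-supplied identifier, not only on password reset.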

Solution.
Install the latest vendor patch.

Discovered by.
Nathaniel Carew from Sense of Security Labs.

About us.
Sense of Security is a leading provider of information security and
risk management solutions. Our team has expert skills in assessment 
and assurance, strategy and architecture, and deployment through to
ongoing management. We are Australia's premier application penetration
testing firm and trusted IT security advisor to many of the country's
largest organisations.


Sense of Security Pty Ltd 
Level 8, 66 King St
Sydney NSW 2000
AUSTRALIA

T: +61 (0)2 9290 
F: +61 (0)2 9290 4455
W: http://www.senseofsecurity.com.au/consulting/penetration-testing
E: i...@senseofsecurity.com.au
Twitter: @ITsecurityAU

The latest version of this advisory can be found at:
http://www.senseofsecurity.com.au/advisories/SOS-12-010.pdf

Other Sense of Security advisories can be found at:
http://www.senseofsecurity.com.au/research/it-security-advisories.php



Re: [Full-disclosure] Multiple 0-days in Dark Comet RAT

2012-10-10 Thread Thor (Hammer of God)
It's InfoSec. Nothing has any meaning anymore.  Or, better stated, things mean 
whatever people want them to mean in order to forward their agenda.  When we 
talked about full disclosure a while back, somebody said I was "jaded" as if it 
meant I had "clouded judgement."  They were actually right though, as "jaded" 
means "negative by way of experience."  

I remember when people started using metrics like "moderately critical" to 
describe their [what they called] 0-day XSS vulnerability for some ancient CRM 
package. That way they get to say they published 14,000 0-days on their 
marketing material. 

Some dude recently posted on a professional list how he routinely cracks the 
NTLMv2 hashes for 10,000 users in 36 hours with rainbow tables.  Of course 
every single part of the statement is complete BS but no one (except me) even 
blinked. 

People talk about how stupid users are, but I think the people in the industry 
are far worse. 

Sent from whatever device will keep us from debating which one is better.

On Oct 9, 2012, at 9:59 AM, Philip Whitehouse  wrote:

> Does 0-day have any meaning any more? It used to mean there were exploits in 
> the wild used to cause damage before the vendor patched it not merely that a 
> security researcher found it and disclosed it to the public before the vendor 
> did.
> 
> If a 0 day is everything found by a security team before a vendor then the 
> term will lose all purpose and meaning because almost all work done by such 
> researchers is finding vulns. before the vendor.
> 
> End rant.
> 
> Philip Whitehouse
> 
> On 8 Oct 2012, at 21:33, "Hertz, Jesse"  wrote:
> 
>> SQL Injection and Arbitrary File Access present in Command and Control 
>> server of DarkComet RAT
>> 
>> for more info see:
>> http://matasano.com/research/PEST-CONTROL.pdf

[Full-disclosure] binfmt_script kernel stack data disclosure during exec

2012-10-10 Thread halfdog
Linux kernel binfmt_script handling in combination with CONFIG_MODULES
can lead to disclosure of kernel stack data during execve via copy of
data from dangling pointer to stack to growing argv list. Apart from
that, the BINPRM_MAX_RECURSION can be exceeded: the maximum of 4
recursions is ignored, instead a maximum of roughly 2^6 recursions is
in place.

A patch draft is available, but not accepted by upstream and might not
have been checked thoroughly enough for production use. Since the issue
is somehow public anyway, but upstream fixing may still take longer, I'm
putting it here so that anyone with need can evaluate or optimize the
patch by himself.

See [1] for extended description and POC.

hd

[1]
http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/

-- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee



[Full-disclosure] [Security-news] SA-CONTRIB-2012-155 - ShareThis - Cross Site Scripting (XSS)

2012-10-10 Thread security-news
View online: http://drupal.org/node/1808856

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-155
  * Project: ShareThis [1] (third-party module)
  * Version: 7.x
  * Date: 2012-October-10
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION
 -----------

This module enables integration with the ShareThis [3] web service to allow
social bookmarking amongst your users.
The module doesn't sufficiently filter JavaScript settings before outputting
them.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer sharethis".

CVE: Requested

 VERSIONS AFFECTED
 -----------------

  * ShareThis 7.x-2.x versions prior to 7.x-2.5.

Drupal core is not affected. If you do not use the contributed ShareThis [4]
module, there is nothing you need to do.

 SOLUTION
 --------

Install the latest version:

  * If you use the ShareThis module for Drupal 7.x, upgrade to ShareThis
7.x-2.5 [5]

Also see the ShareThis [6] project page.

 REPORTED BY
 -----------

  * Jake Bell [7]

 FIXED BY
 --------

  * Rob Loach [8], the module maintainer

 COORDINATED BY
 --------------

  * David Stoline [9] provisional member of the Drupal Security Team
  * Ben Jeavons [10] of the Drupal Security Team
  * Greg Knaddison [11] of the Drupal Security Team

 CONTACT AND MORE INFORMATION
 ----------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] http://drupal.org/project/sharethis
[2] http://drupal.org/security-team/risk-levels
[3] http://sharethis.com/
[4] http://drupal.org/project/sharethis
[5] http://drupal.org/node/1808760
[6] http://drupal.org/project/sharethis
[7] http://drupal.org/user/71548
[8] http://drupal.org/user/61114
[9] http://drupal.org/user/329570
[10] http://drupal.org/user/91990
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration

___
Security-news mailing list
security-n...@drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news



[Full-disclosure] [Security-news] SA-CONTRIB-2012-154 - Basic webmail - Multiple vulnerabilities

2012-10-10 Thread security-news
View online: http://drupal.org/node/1808852

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-154
  * Project: Basic webmail [1] (third-party module)
  * Version: 6.x
  * Date: 2012-October-10
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting, Information Disclosure, Multiple
vulnerabilities

 DESCRIPTION
 -----------

This module allows site users to read and write e-mail through an IMAP mail
server.

There are four issues being addressed by this security advisory:

  * The module doesn't sufficiently sanitize data when setting the page title.
  * The module may store Drupal login IDs and passwords in plain text in the
data column of the users table.
  * The module doesn't sufficiently sanitize data displayed from email
messages.
  * The module allows users who have the 'access basic_webmail' permission to
view the e-mail addresses of other site users.

CVE: Requested

 VERSIONS AFFECTED
 -----------------

  * Basic webmail 6.x-1.x versions prior to 6.x-1.2.

Drupal core is not affected. If you do not use the contributed Basic webmail
[3] module, there is nothing you need to do.

 SOLUTION
 --------

Install the latest version:

  * If you use the Basic webmail module for Drupal 6.x, upgrade to Basic
webmail 6.x-1.2 [4]

Also see the Basic webmail [5] project page.

 REPORTED BY
 -----------

  * Hunter Fox [6] provisional member of the Drupal Security Team

 FIXED BY
 --------

  * Jason Flatt [7] the module maintainer
  * Hunter Fox [8] provisional member of the Drupal Security Team

 COORDINATED BY
 --------------

  * Hunter Fox [9] provisional member of the Drupal Security Team
  * Ben Jeavons [10] of the Drupal Security Team
  * Greg Knaddison [11] of the Drupal Security Team

 CONTACT AND MORE INFORMATION
 ----------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] http://drupal.org/project/basic_webmail
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/basic_webmail
[4] https://drupal.org/node/1808616
[5] http://drupal.org/project/basic_webmail
[6] http://drupal.org/user/426416
[7] http://drupal.org/user/4649
[8] http://drupal.org/user/426416
[9] http://drupal.org/user/426416
[10] http://drupal.org/user/91990
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration




[Full-disclosure] [Security-news] SA-CONTRIB-2012-153 - Mandrill - Information Disclosure

2012-10-10 Thread security-news
View online: http://drupal.org/node/1808846

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-153
  * Project: Mandrill [1] (third-party module)
  * Version: 7.x
  * Date: 2012-October-10
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Information Disclosure

 DESCRIPTION
 -----------

This module enables you to send emails using an external gateway and by
default logs the contents of the messages. An attacker who gains access to
the Mandrill dashboard can trigger password reset emails from the Drupal
site, get the reset links from the Mandrill logs, and take over an account.

CVE: Requested

 VERSIONS AFFECTED
 -----------------

  * Mandrill 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Mandrill [3]
module, there is nothing you need to do.

 SOLUTION
 --------

Install the latest version:

  * If you use the Mandrill module for Drupal 7.x, upgrade to Mandrill 7.x-1.2
[4]

Also see the Mandrill [5] project page.

 REPORTED BY
 -----------

  * Patrick Dawkins [6]

 FIXED BY
 --------

  * Lev Tsypin [7] the module maintainer
  * Ned McClain [8] provisional member of the Drupal Security Team

 COORDINATED BY
 --------------

  * Ned McClain [9] provisional member of the Drupal Security Team
  * Ben Jeavons [10] of the Drupal Security Team
  * Greg Knaddison [11] of the Drupal Security Team

 CONTACT AND MORE INFORMATION
 ----------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] http://drupal.org/project/mandrill
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/mandrill
[4] http://drupal.org/node/1807894
[5] http://drupal.org/project/mandrill
[6] http://drupal.org/user/1025236
[7] http://drupal.org/user/54135
[8] http://drupal.org/user/798324
[9] http://drupal.org/user/798324
[10] http://drupal.org/user/91990
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration




[Full-disclosure] [Security-news] SA-CONTRIB-2012-152 - Feeds - Access bypass

2012-10-10 Thread security-news
View online: https://drupal.org/node/1808832

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-152
  * Project: Feeds [1] (third-party module)
  * Version: 7.x
  * Date: 2012-October-10
  * Security risk: Not critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION
 -----------

The feeds module enables you to import or aggregate data as nodes, users,
taxonomy terms or simple database records.
The module doesn't sufficiently check permissions when creating nodes on
behalf of a user.
This vulnerability is mitigated by the fact that an attacker must have
control over the source feed, and the Feeds importer must have a field from
that feed mapped to the node's author.

/Note: the Feeds module doesn't have a stable release and therefore a
Security Advisory would not normally be issued, per the Drupal Security Team
policy [3]. However, this issue affects the Mailhandler [4] module, which
does have a stable release. For modules with dependencies, maintainers are
encouraged to create stable releases only for those modules dependent on
stable releases./

CVE: Requested

 VERSIONS AFFECTED
 -----------------

  * Feeds 7.x-2.x versions prior to 7.x-2.0-alpha6.

Drupal core is not affected. If you do not use the contributed Feeds [5]
module, there is nothing you need to do.

 SOLUTION
 --------

Install the latest version:

  * If you use the Feeds module for Drupal 7.x, upgrade to Feeds
7.x-2.0-alpha6 [6].

Also see the Feeds [7] project page.

 REPORTED BY
 -----------

  * Iñaki Lopez [8]

 FIXED BY
 --------

  * Chris Leppanen [9] the module maintainer
  * Lee Rowlands [10] provisional member of the Drupal Security Team

 CONTACT AND MORE INFORMATION
 ----------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/feeds
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/security-advisory-policy
[4] http://drupal.org/project/mailhandler
[5] http://drupal.org/project/feeds
[6] https://drupal.org/node/1808282
[7] http://drupal.org/project/feeds
[8] http://drupal.org/user/118449
[9] http://drupal.org/user/473738
[10] http://drupal.org/user/395439
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration


[Full-disclosure] List Charter

2012-10-10 Thread John Cartwright

[Full-Disclosure] Mailing List Charter
John Cartwright 
 

- Introduction & Purpose -

This document serves as a charter for the [Full-Disclosure] mailing 
list hosted at lists.grok.org.uk.

The list was created on 9th July 2002 by Len Rose, and is primarily 
concerned with security issues and their discussion.  The list is 
administered by John Cartwright.

The Full-Disclosure list is hosted and sponsored by Secunia.


- Subscription Information -

Subscription/unsubscription may be performed via the HTTP interface 
located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to 
full-disclosure-requ...@lists.grok.org.uk, send the word 'help' in 
either the message subject or body for details.

 
- Moderation & Management -

The [Full-Disclosure] list is unmoderated. Typically posting will be
restricted to members only, however the administrators may choose to 
accept submissions from non-members based on individual merit and 
relevance.

It is expected that the list will be largely self-policing, however in
special circumstances (eg spamming, misappropriation) then offending 
members may be removed from the list by the management.

An archive of postings is available at 
http://lists.grok.org.uk/pipermail/full-disclosure/.
 

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for 
instance announcement and discussion thereof, exploit techniques and 
code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is 
forbidden.  Disagreements, flames, arguments, and off-topic discussion 
should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. 
Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they 
should use discretion in executing any tools or code distributed via
this list.
 

- Posting Guidelines -

The primary language of this list is English. Members are expected to 
maintain a reasonable standard of netiquette when posting to the list. 

Quoting should not exceed that which is necessary to convey context, 
this is especially relevant to members subscribed to the digested 
version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will 
preferably be short and to the point, and those containing 
'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or 
S/MIME signatures, proof-of-concept code, etc) but must not be active 
(in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to 
list postings. Offenders will be excluded from the mailing list until 
the problem is corrected.

Members may post to the list by emailing 
full-disclosure@lists.grok.org.uk. Do not send subscription/
unsubscription mails to this address, use the -request address 
mentioned above.


- Charter Additions/Changes -

The list charter will be published at 
http://lists.grok.org.uk/full-disclosure-charter.html.

In addition, the charter will be posted monthly to the list by the 
management.

Alterations will be made after consultation with list members and a 
consensus has been reached.



[Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in the Cisco WebEx Recording Format Player

2012-10-10 Thread Cisco Systems Product Security Incident Response Team

Multiple Vulnerabilities in the Cisco WebEx Recording Format Player

Advisory ID: cisco-sa-20121010-webex

Revision 1.0

For Public Release 2012 October 10 16:00  UTC (GMT)
--

Summary
===

The Cisco WebEx Recording Format (WRF) player contains six buffer
overflow vulnerabilities. In some cases, exploitation of the
vulnerabilities could allow a remote attacker to execute arbitrary
code on the system with the privileges of a targeted user. 

The Cisco WebEx WRF Player is an application used to play back WRF
WebEx meeting recordings that have been recorded on a WebEx meeting
site or on the computer of an online meeting attendee. The Cisco WebEx
WRF Player can be automatically installed when the user accesses a
recording file that is hosted on a WebEx meeting site. The Cisco WebEx
WRF Player can also be manually installed for offline playback after
downloading the application from:
http://www.webex.com/play-webex-recording.html.

If the Cisco WebEx WRF Player was automatically installed, it will be
automatically upgraded to the latest, nonvulnerable version when users
access a recording file that is hosted on a WebEx meeting site. If the
Cisco WebEx WRF Player was manually installed, users will need to
manually install a new version of the Cisco WebEx WRF Player after
downloading the latest version from:
http://www.webex.com/play-webex-recording.html.

Cisco has updated affected versions of the WebEx meeting sites and
Cisco WebEx WRF Player to address these vulnerabilities. 

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-webex




[Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall Services Module

2012-10-10 Thread Cisco Systems Product Security Incident Response Team

Multiple Vulnerabilities in Cisco Firewall Services Module

Advisory ID: cisco-sa-20121010-fwsm

Revision 1.0

For Public Release 2012 October 10 16:00  UTC (GMT)
--

Summary
===

The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500
Series Switches and Cisco 7600 Series Routers is affected by the
following vulnerabilities:

DCERPC Inspection Buffer Overflow Vulnerability
DCERPC Inspection Denial Of Service Vulnerabilities

These vulnerabilities are not interdependent; a release that is
affected by one vulnerability is not necessarily affected by the other.

Exploitation of these vulnerabilities could allow an unauthenticated,
remote attacker to trigger a reload of the affected device, or to
execute arbitrary commands.  Repeated exploitation could result in a
denial of service (DoS) condition.

Cisco has released free software updates that address these
vulnerabilities. There are no workarounds that mitigate these
vulnerabilities.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-fwsm

Note: The Cisco Catalyst 6500 Series ASA Services Module, and the
Cisco ASA 5500 Series Adaptive Security Appliance may also be affected
by these vulnerabilities.

The vulnerabilities affecting the Cisco Catalyst 6500 Series ASA
Services Module and Cisco ASA 5500 Series Adaptive Security Appliance
have been disclosed in a separate Cisco Security Advisory. The
Advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-asa



[Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module

2012-10-10 Thread Cisco Systems Product Security Incident Response Team

Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security
Appliances and Cisco Catalyst 6500 Series ASA Services Module

Advisory ID: cisco-sa-20121010-asa

Revision 1.0

For Public Release 2012 October 10 16:00  UTC (GMT)
--

Summary
===

Cisco ASA 5500 Series Adaptive Security Appliances (ASA) and Cisco
Catalyst 6500 Series ASA Services Module (ASASM) may be affected by
the following vulnerabilities:

DHCP Memory Allocation Denial of Service Vulnerability
SSL VPN Authentication Denial of Service Vulnerability
SIP Inspection Media Update Denial of Service Vulnerability
DCERPC Inspection Buffer Overflow Vulnerability
Two DCERPC Inspection Denial Of Service Vulnerabilities

These vulnerabilities are independent of each other; a release that is
affected by one of the vulnerabilities may not be affected by the
others.

Successful exploitation of any of these vulnerabilities could allow an
unauthenticated remote attacker to trigger a reload of the affected
device. Exploitation of the DCERPC Inspection Buffer Overflow
Vulnerability could additionally cause a stack overflow and possibly
the execution of arbitrary commands.

Cisco has released free software updates that address these
vulnerabilities. Workarounds are available for some of these
vulnerabilities. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-asa

Note: The Cisco Firewall Services Module for Cisco Catalyst 6500 and
Cisco 7600 Series (FWSM) may be affected by some of the
vulnerabilities listed above. A separate Cisco Security Advisory has
been published to disclose the vulnerabilities that affect the Cisco
FWSM. This advisory is available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-fwsm

The Cisco ASA 1000V Cloud Firewall and Cisco ASA-CX Context-Aware
Security are not affected by any of these vulnerabilities.



[Full-disclosure] [ MDVSA-2012:162 ] bind

2012-10-10 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2012:162
 http://www.mandriva.com/security/
 ___

 Package : bind
 Date: October 10, 2012
 Affected: 2011., Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability was discovered and corrected in bind:
 
 A certain combination of records in the RBT could cause named to hang
 while populating the additional section of a response. [RT #31090]
 (CVE-2012-5166).
 
 The updated packages have been upgraded to bind 9.7.6-P4 and 9.8.3-P4,
 which are not vulnerable to this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5166
 https://kb.isc.org/article/AA-00801
 ftp://ftp.isc.org/isc/bind9/9.7.6-P4/CHANGES
 ftp://ftp.isc.org/isc/bind9/9.8.3-P4/CHANGES
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFQdULemqjQ0CJFipgRAqmHAKDZVAV8OmU7wk0ieb0RhgXhjp1/hQCgwfW7
zf2hK/iuE08rZtMXpzK6bIs=
=JF6q
-----END PGP SIGNATURE-----


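The MDVSA-2012:162 advisory above says urpmi verifies the md5 checksums and GPG signatures for you. For the case where the bind packages were fetched by hand from a mirror, the following is an added example (not Mandriva tooling) that parses the advisory's "Updated Packages" list, in both the one-line form and the wrapped form seen in archived copies of the mail, and compares the listed digests with files on disk. The function names and the on-disk fixture in demo() are constructed for illustration.

```python
"""Check hand-downloaded RPMs against the checksum list of a Mandriva advisory.

Added example, not Mandriva's tooling: urpmi/MandrivaUpdate do this for you,
as the advisory says. This covers the case where the packages were fetched by
hand from a mirror and the advisory text is the only reference at hand.
"""
import hashlib
import os
import re
import tempfile

# Copied from the MDVSA-2012:162 "Updated Packages" section above. In archived
# copies of the mail the path often wraps onto the line after its checksum, so
# the parser accepts both the one-line and the wrapped form.
ADVISORY_BLOCK = """\
 Mandriva Linux 2011:
 674904bbe6055bbce6addee9df404492
2011/i586/bind-9.8.3-0.0.P4.0.1-mdv2011.0.i586.rpm
 c614ce64e6fbf4610ca67ff37bc57d28  2011/SRPMS/bind-9.8.3-0.0.P4.0.1.src.rpm
"""

# 32 hex digits, optionally followed by the package path on the same line.
CHECKSUM_LINE = re.compile(r"^\s*([0-9a-f]{32})\s*(\S+)?\s*$")


def parse_checksums(text):
    """Return {relative_path: md5_hex} for every package the advisory lists."""
    expected = {}
    pending = None  # checksum whose path is still to come on the next line
    for line in text.splitlines():
        m = CHECKSUM_LINE.match(line)
        if m:
            digest, path = m.groups()
            if path:
                expected[path] = digest
                pending = None
            else:
                pending = digest
        elif pending and line.strip():
            expected[line.strip()] = pending
            pending = None
    return expected


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_packages(expected, base_dir):
    """Map each listed path to 'ok', 'mismatch' or 'missing' relative to base_dir.

    MD5 only catches a corrupted or swapped download; it is not a trust anchor
    (collisions are practical). Trust comes from the package signature, checked
    with rpm --checksig against the Mandriva key the advisory names (0x22458A98).
    """
    results = {}
    for rel, digest in expected.items():
        full = os.path.join(base_dir, rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
        elif md5_of_file(full) == digest:
            results[rel] = "ok"
        else:
            results[rel] = "mismatch"
    return results


def demo():
    """Constructed fixture (not real packages): one intact file, one tampered
    file and one never downloaded, listed in the advisory's wrapped format."""
    base = tempfile.mkdtemp()
    pkgdir = os.path.join(base, "2011", "i586")
    os.makedirs(pkgdir)
    with open(os.path.join(pkgdir, "good.rpm"), "wb") as f:
        f.write(b"intact package bytes")
    with open(os.path.join(pkgdir, "tampered.rpm"), "wb") as f:
        f.write(b"modified package bytes")
    block = " Mandriva Linux 2011:\n"
    block += " %s\n2011/i586/good.rpm\n" % hashlib.md5(b"intact package bytes").hexdigest()
    block += " %s  2011/i586/tampered.rpm\n" % hashlib.md5(b"original package bytes").hexdigest()
    block += " %s  2011/i586/absent.rpm\n" % hashlib.md5(b"never fetched").hexdigest()
    return verify_packages(parse_checksums(block), base)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(status.ljust(8), path)
```

Paste the whole "Updated Packages" section into parse_checksums() and point verify_packages() at the mirror download directory; anything reported as mismatch should be discarded, and even an "ok" file still needs its GPG signature checked before installation.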

Re: [Full-disclosure] Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2

2012-10-10 Thread Malte Müller
Hi Scott,

thanks, we always appreciate notes about unfixed issues. We did fix the actual 
issue reported in the function printPublishIconLink() last time:
> Sanitize the $_GET super global on lines 1637 through 1641 in
> zenpage-admin-functions.php file
We also fixed a few other similar finds in 1.4.3.3. This one is the same issue 
type indeed but a different find actually we probably somehow missed searching.

Please try the current trunk nightly build and let us know if you find any more 
issues. The actual official fix will probably have to wait until the next 
bugfix release beginning November. Note that our chief developer Stephen - I 
copied him on this mail - is currently unavailable until some time next week.

Best regards,
Malte Müller (acrylian)

Zenphoto team
www.zenphoto.org

Am 08.10.2012 um 21:52 schrieb Scott Herbert:

> Well, chalk this one up to another learning experience for a novice bug
> hunter: I took the vendor's word that it was fixed and didn't check myself.
> 
> I've BCC'ed in my contact with zenphoto, so they are aware.
> 
> And to my knowledge this issue doesn't currently have a CVE.
> 
> Bugger!
> 
>> -Original Message-
>> From: Henri Salo [mailto:he...@nerv.fi]
>> Sent: 08 October 2012 15:42
>> To: Scott Herbert; secur...@zenphoto.org
>> Cc: full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] Cookie stealing and XSS vulnerable in
>> Zenphoto version 1.4.3.2
>> 
>> On Tue, Oct 02, 2012 at 07:16:11AM +0100, Scott Herbert wrote:
>>> -
>>> Affected products:
>>> -
>>> 
>>> Product :   Zenphoto 1.4.3.2 (and maybe older) fixed in 1.4.3.3
>>> Affected function:  printPublishIconLink
>>> 
>>> --
>>> Details:
>>> --
>>> 
>>> The file admin-news-articles.php calls the function printPublishIconLink,
>>> which generates HTML from data stored in the $_GET super global. This can
>>> be used to generate an XSS attack or, more seriously, since an admin user
>>> needs to be logged in to access the page admin-news-articles.php, a cookie
>>> stealing script.
>>> 
>>> Example code:
>>> http://127.0.0.1/zenphoto/zp-core/zp-extensions/zenpage/admin-news-articles.php?date=%22%3E%3Cscript%3Ealert%28%27Cookie%20sealing%20Javascript%27%29;%3C/script%3E%3C>
>>> 
>>> 
>>> Suggested fix:
>>> 
>>> 
>>> Sanitize the $_GET super global on lines 1637 through 1641 in
>>> zenpage-admin-functions.php file
>>> 
>>> 
>>> Timeline:
>>> 
>>> 
>>> 12-Sept-2012  Zenphoto and UK-CERT informed
>>> 18-Sept-2012 Zenphoto confirmed and fixed (see
>>> http://www.zenphoto.org/trac/changeset/10836).
>>> 1-Oct-2012 Zenphoto 1.4.3.3 released fixing hole.
>>> 
>>> --
>>> Scott Herbert Cert Web Apps (Open)
>>> http://blog.scott-herbert.com/
>>> Twitter @Scott_Herbert
>> 
>> Hello list,
>> 
>> Zenphoto 1.4.3.3 (tar.gz 3fe44951e33e726d2bba229880885075) is still
>> affected by this vulnerability. Please notice "OSVDB is not aware of a
>> solution for this vulnerability. The original disclosure states that the
>> vendor claimed to have fixed this issue in version 1.4.3.3, but Secunia
>> has confirmed it to still be vulnerable." from http://osvdb.org/85899,
>> and I verified this manually. Does this vulnerability have a CVE identifier?
>> 
>> - Henri Salo
> 
> 


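The Zenphoto thread above describes a GET parameter echoed into link markup without escaping, a vendor fix that covered the reported sink but not a second one of the same type, and Henri Salo re-testing the "fixed" release with the original payload. The following is an added example in Python, not Zenphoto's code (the real printPublishIconLink is PHP): it models the unsafe pattern beside a hardened form and the regression check a tester would run against every sink. The function names are illustrative, and PAYLOAD is the URL-decoded date parameter from the example URL in Scott Herbert's post.

```python
"""Reflected XSS of the printPublishIconLink kind: unsafe pattern, hardened
form, and the re-test Henri Salo ran against the release that claimed a fix.

Added example in Python, not Zenphoto code (the real function is PHP). It
models what the thread describes: a GET parameter echoed into link markup
without escaping. Function names here are illustrative, not Zenphoto's.
"""
import html
import re
from urllib.parse import quote

# The date parameter from the example URL in Scott Herbert's post, URL-decoded.
PAYLOAD = '"><script>alert(\'Cookie sealing Javascript\');</script><'


def publish_link_vulnerable(date):
    """Pre-fix pattern: $_GET['date'] concatenated straight into the href.
    A double quote in the value closes the attribute; the rest becomes markup."""
    return '<a href="admin-news-articles.php?date=' + date + '">publish</a>'


def publish_link_fixed(date):
    """Hardened form: percent-encode the value for the query string, then
    HTML-escape the finished attribute value for the attribute context."""
    href = 'admin-news-articles.php?date=' + quote(date, safe='')
    return '<a href="' + html.escape(href, quote=True) + '">publish</a>'


SCRIPT_TAG = re.compile(r'<\s*script\b', re.IGNORECASE)


def reflects_script(rendered):
    """Regression check: an injected <script> element survived into the page.
    Run it with the original payload against every release that claims a fix;
    the thread shows 1.4.3.3 still failed on a second, missed sink."""
    return bool(SCRIPT_TAG.search(rendered))


def audit(render_fns, payload=PAYLOAD):
    """Feed the payload to every sink (each function that renders a GET value)
    and report which ones still reflect it. Testing only the sink named in the
    report is how the second instance in the thread was missed."""
    return {name: reflects_script(fn(payload)) for name, fn in render_fns.items()}


if __name__ == "__main__":
    print(publish_link_vulnerable(PAYLOAD))
    print(publish_link_fixed(PAYLOAD))
    print(audit({"vulnerable": publish_link_vulnerable, "fixed": publish_link_fixed}))
```

The escaping has to match the output context: quote() handles the query-string value and html.escape(quote=True) the attribute it lands in; a value written into a text node or a script block needs different treatment, which is why a grep for every $_GET read, followed by audit() over each rendering function, is more reliable than patching the one call site a report names.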

Re: [Full-disclosure] Multiple 0-days in Dark Comet RAT

2012-10-10 Thread Philip Whitehouse
Does 0-day have any meaning any more? It used to mean there were exploits in 
the wild used to cause damage before the vendor patched it, not merely that a 
security researcher found it and disclosed it to the public before the vendor 
did.

If a 0-day is everything found by a security team before a vendor, then the term 
will lose all purpose and meaning, because almost all work done by such 
researchers is finding vulns before the vendor.

End rant.

Philip Whitehouse

On 8 Oct 2012, at 21:33, "Hertz, Jesse"  wrote:

> SQL Injection and Arbitrary File Access present in Command and Control server 
> of DarkComet RAT
> 
> for more info see:
> http://matasano.com/research/PEST-CONTROL.pdf