Re: [Full-disclosure] Windows XP cmd.exe crash

2013-06-30 Thread Joshua Thomas
long file name exploit existing since 2001-2002


On Fri, Jun 28, 2013 at 6:47 PM, Pedro Laguna wrote:

> Ey list! Just a quick and funny crash I found a long time ago; it may give
> some of you something to check this weekend.
>
> Windows XP cmd.exe crash when trying to copy files with a very long name.
> The following BATCH file can crash the cmd.exe process:
>
> --- crash.bat --
> @echo off
> REM create a small file to copy
> echo test > data.txt
> REM copying to a device-prefixed path crashes cmd.exe
> copy "%CD%"\data.txt \\.\C:\A.txt
> REM the \\?\ prefix triggers the same crash
> REM copy "%CD%"\data.txt \\?\C:\A.txt
> -- / crash.bat
>
>
> It only happens with the "copy" command, not with "move", and with both \\.\
> and \\?\ prefixes. I'm not an expert in these fields so I don't know if it
> will be possible to exploit it; maybe some of you with crazy kung fu skills
> can do it. If not, it's just a weird behaviour of cmd.exe and, given that it
> is less than a year to the end of life of Windows XP, I cannot see any harm
> in sharing it.
>
> Ta!
>
> --
> Pedro Laguna
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Re: [Full-disclosure] Multiple vulnerabilities found in NSA website

2013-06-30 Thread Kingcope
The US is spying on us... Huh? Why didn't you tell us before!

http://www.youtube.com/watch?v=8JCVucx5HzI

Greetz: jimjones, matt, scut of teso:))

Kcrookie

On 29.06.2013 at 23:05, macf...@chronicle.su wrote:

> RUSTLE LEAGUE WHITE HAT SECURITY RESEARCH TEAM REVEALS HOLE IN NSA WEBSITE;
> CONTACTS VENDOR, HOLE PATCHED.



[Full-disclosure] Content Spoofing vulnerabilities in TinyMCE and WordPress

2013-06-30 Thread MustLive

Hello list!

These are Content Spoofing vulnerabilities in TinyMCE and WordPress, which
I disclosed on Wednesday.

In 2011 I already wrote about Content Spoofing in Moxieplayer, when I wrote
about multiple vulnerabilities in TinyMCE
(http://securityvulns.ru/docs27349.html); Moxieplayer is a component of the
Media plugin for TinyMCE (which is part of the core of TinyMCE). This visual
editor is bundled with hundreds of web applications, particularly with
WordPress. This flash file has been bundled with WP since version 3.3.

-
Affected products:
-

TinyMCE versions 3.4b2 - 4.0b3 are vulnerable.

For the first vulnerability, WordPress versions 3.3 - 3.4.2 are vulnerable.
For the second vulnerability, WordPress versions 3.3 - 3.5.1 are vulnerable.
This hole was fixed in WordPress 3.5.2 (note that the WP developers
incorrectly called this CS hole an XSS in the announcement at their site,
while in the codex they wrote it correctly).

--
Details:
--

Content Spoofing (WASC-12):

Whereas the previous vulnerability, which I found in 2011, looked like the
following (present since TinyMCE 3.4b2 and fixed in version 3.4.7):

http://site/moxieplayer.swf?url=http://site2/1.flv

recently a new vulnerability was found (by Wan Ikram) which allows bypassing
the protection and conducting a CS attack:

http://site/moxieplayer.swf#?url=http://site2/1.flv

In June this vulnerability was fixed. The updated version of Moxieplayer is
present in TinyMCE 4.0.

In WordPress the attack using this flash file looks like the following.

The first variant (WP 3.3 - 3.4.2):

http://site/wp-includes/js/tinymce/plugins/media/moxieplayer.swf?url=http://site2/1.flv

The second variant (WP 3.3 - 3.5.1):

http://site/wp-includes/js/tinymce/plugins/media/moxieplayer.swf#?url=http://site2/1.flv

-
Timeline:
-

2013.06.21 - WP 3.5.2 released with the updated version of Moxieplayer.
2013.06.26 - disclosed at my site (http://websecurity.com.ua/6604/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

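As an added illustration of why the `#?url=` variant above gets past a filter that the plain `?url=` variant does not (example code written for this digest, not MustLive's, TinyMCE's or WordPress's code): a browser never sends the fragment to the server, so any server-side check on the query string sees nothing, while a player that parses the complete URL it was loaded from, fragment included, still finds the parameter. The lenient parser below is an assumed model of that behaviour, not the real Moxieplayer code; the allowed host `site` is a placeholder taken from the advisory's own example URLs.

```python
from urllib.parse import urlsplit, parse_qs

# Placeholder: the origin that legitimately serves the player (taken from the
# advisory's example URLs, not a real host).
ALLOWED_MEDIA_HOSTS = {"site"}


def server_side_query(player_url):
    """Return the query string an HTTP server actually receives.

    The fragment (everything after '#') is consumed by the client and never
    sent on the wire, so a server-side filter on the query cannot see it.
    """
    return urlsplit(player_url).query


def lenient_client_params(player_url):
    """Assumed model of a client-side component that scans the whole URL it was
    loaded from, query and fragment alike, for '?key=value' pairs.
    (An illustration of the bypass mechanism, not Moxieplayer's code.)"""
    parts = urlsplit(player_url)
    params = {}
    for chunk in (parts.query, parts.fragment):
        chunk = chunk.lstrip("?")
        for key, values in parse_qs(chunk).items():
            params[key] = values[0]
    return params


def strict_media_url(player_url, allowed_hosts=ALLOWED_MEDIA_HOSTS):
    """Hardened resolver: consult only the real query string, require an
    http(s) URL, and accept only hosts on the allowlist. Returns None when
    the media request should be refused."""
    params = parse_qs(urlsplit(player_url).query)
    target = params.get("url", [None])[0]
    if target is None:
        return None
    t = urlsplit(target)
    if t.scheme not in ("http", "https"):
        return None
    host = (t.hostname or "").lower()
    if host not in allowed_hosts:
        return None
    return target


if __name__ == "__main__":
    # Constructed inputs: the two URL shapes from the advisory plus a local one.
    for u in (
        "http://site/moxieplayer.swf?url=http://site2/1.flv",
        "http://site/moxieplayer.swf#?url=http://site2/1.flv",
        "http://site/moxieplayer.swf?url=http://site/local.flv",
    ):
        print(u)
        print("  server sees query :", repr(server_side_query(u)))
        print("  lenient client    :", lenient_client_params(u))
        print("  strict resolver   :", strict_media_url(u))
```

The point for defenders is that a component which fetches a URL it was handed has to validate that URL itself, where the complete string is visible; a filter placed in front of it on the server only ever sees the part of the URL the browser chooses to send.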



Re: [Full-disclosure] Abusing Windows 7 Recovery Process

2013-06-30 Thread Cool Hand Luke

On 06/29, Grandma Eubanks wrote:
> However, I think this is still interesting. It's been a while since I've
> played with Windows boxes and won't have access to one for a couple days,
> but isn't this triggering off of vendor supplied recovery partitions? This
> is a regular Windows 7 sole partition box you tried this one?

from a first look, i don't think a vendor-supplied recovery partition is
necessary. it appears that it would also be possible if the "system
restore" setting was enabled (but don't quote me on that).

i'm not sure how likely that is in your average large, corporate
environment. the ones i've seen have system restore disabled and opt to
reimage systems instead when issues occur. i'm sure there are some
environments where this could be useful, however.

-chl

--
cool hand luke





Re: [Full-disclosure] Denial of Service in WordPress

2013-06-30 Thread Cool Hand Luke

On 06/28, Julius Kivimäki wrote:
> If one wants to conduct such attacks, would it not be a million times
> easier for them to use infected hosts to do thousands of requests per
> second? (Per computer). Can you come up with a scenario where this "attack"
> would actually be useful?

no, he can't. there isn't such a scenario. this is one of those
situations where in theory he is correct but in reality this is simply
not an issue.

there are a thousand other attacks one could do that would be more
efficient and more effective (which others have been trying to explain
to him) but he refuses to listen and insists this is a major problem.

this is *not* an issue -- which is why everyone has been ignoring it for
5.5 years.

-chl

--
cool hand luke




[Full-disclosure] Multiple vulnerabilities found in NSA website

2013-06-30 Thread macfags

RUSTLE LEAGUE WHITE HAT SECURITY RESEARCH TEAM REVEALS HOLE IN NSA WEBSITE;
CONTACTS VENDOR, HOLE PATCHED.

RUSTLE RESEARCH ETHICAL R&D WHITEHAT RED TEAM
VULNERABILITY ALERT AND ASSESSMENT
RED TEAM ALERT LEVEL AT MAGENTA

ETHICAL DISCLOSURE NOTICE: Press release withheld until holes were patched.

Breaking: NSA Website Vulnerable To Attack via Third Party Software,
Illustrate Dangers of Security Outsourcing
Ethical Hackers Exploit XSS Vulnerabilities in NSA Software Made by 
third party.


Field researchers curiously perusing nsa.gov stumbled upon XSS 
vulnerabilities on the main NSA forward facing webserver. Both 
vulnerabilities were found in shoddily outsourced third party software 
written in Coldfusion--which we all know is the world's greatest mark-up 
language.


"Anyone with an internet connection can use the XSS vulnerability to 
impersonate NSA personnel and web traffic," says Horace Grant, a 
researcher with Rustle Research. "Why are unreliable third parties 
creating the software that guards our national secrets?"


These exploits are ironic given the multiple, recently revealed NSA 
security faux pas. The obvious Booz Allen Hamilton/NSA partnership 
allowed CIA operative and possible Communist spy, Edward Snowden, to 
infiltrate the NSA and leak the PRISM slides. Hilarious outsourcing of 
basic webapps to ma'n'pa crapshoot ColdFusion developers has now given 
an even graver look at the egregious outsourcing of even the most minute 
government projects.


Why the focus on ColdFusion? The Adobe product is made by a company well 
known for holding a monopoly on online media. A simple google query, 
such as "michael hastings adobe" yields many results, all requiring 
Adobe products to view. Recently deceased, journalist Michael Hastings 
was researching government secrets. Many say he was investigating not 
only the NSA, but Wikileaks FBI informant Sigurdur Thordarson, who has 
close ties with the Democratic People's Republic of Korea. Rumors say 
Hastings' car was hacked by a 0day ColdFusion exploit, sending him to 
his fiery grave. Anyone in the know realizes that Siggi was the one who 
sent FBI assassins after Hastings, who was also researching Adrian Lamo 
and th3j35t3r.


One of the NSA vulnerabilities exploited by ethical white hat hackers 
this week exists in the "Careers" section of the nsa.gov website. 
Internet users who enter data into the "Feedback" fields now are treated 
to a jovial visual representation of their data pooped back at them, in 
such elegant fashion as: http://i.imgur.com/1cyISex.png


The other, more insidious, yet still trivial bug in nsa.gov, is an XSS 
attack that allows URL redirection. When the "Mail to a Friend" notice 
is queried and nsa.gov is appended at the end of the address, it is 
then exempted and allowed to redirect to the provided address. For 
example: 
http://www.nsa.gov/applications/links/notices.cfm?address=http://wikipaste.eu/nsa.gov


Other possible uses of these exploits include dropping a malicious 
website into the url by using simple disguising methods, redirect, and 
executing arbitrary code. An attacker could also pretend to be an NSA 
employee and send a malicious payload via email to real NSA employees, 
unbeknownst to them -- or simply trick more people into seeing goatse 
because that shit's funny as fuck.


The holes have since been patched.

http://rustleleague.com/advisory.html

greetz: adobe, YAN, jimjones, chippy, zeekilled
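
The "Mail to a Friend" redirect described above fails in a textbook way: the target is accepted because the trusted domain appears at the end of the address string, which `http://wikipaste.eu/nsa.gov` satisfies without pointing at nsa.gov at all. What follows is an added example, not Rustle League's code nor the site's, that models that string check as an assumption about the bug and contrasts it with the hostname-based check a defender would deploy; the sample addresses other than the advisory's own URL are constructed.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "nsa.gov"  # domain the redirect is supposed to stay within


def naive_is_trusted(address):
    """Assumed model of the broken check: the address counts as internal if
    the trusted domain appears at the end of the raw string. A path component
    such as '/nsa.gov' on any other host satisfies this."""
    return address.endswith(TRUSTED_DOMAIN)


def strict_is_trusted(address, trusted_domain=TRUSTED_DOMAIN):
    """Hardened check: parse the URL, require an absolute http(s) URL, and
    compare the parsed hostname (exact or subdomain match) rather than the
    raw string. Scheme-relative URLs and non-web schemes are rejected."""
    parts = urlsplit(address)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host == trusted_domain or host.endswith("." + trusted_domain)


def redirect_target(address, fallback="/"):
    """Return the address a redirect handler may send the browser to; anything
    failing the strict check falls back to a local landing page."""
    return address if strict_is_trusted(address) else fallback


if __name__ == "__main__":
    # Constructed inputs: the advisory's bypass URL plus a few edge cases.
    samples = [
        "http://wikipaste.eu/nsa.gov",      # bypass from the advisory
        "http://www.nsa.gov/careers/",      # legitimate subdomain with a path
        "http://nsa.gov",                   # legitimate apex domain
        "http://nsa.gov.example.net/",      # lookalike host
        "//wikipaste.eu/nsa.gov",           # scheme-relative
    ]
    for s in samples:
        print(f"{s:32} naive={naive_is_trusted(s)!s:5} strict={strict_is_trusted(s)}")
```

Note that the naive check fails in both directions: it lets the advisory's URL through and rejects a legitimate `www.nsa.gov` address that happens to carry a path, which is usually the sign that a suffix or substring test has been substituted for proper URL parsing.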



[Full-disclosure] GreHack 2013 - CFP EXTENDED TO JULY, 16 - Conf: Nov. 15, Grenoble, France

2013-06-30 Thread F. Duchene
If you have security research to submit, please note that the CFP
Submission deadline for GreHack'13 has been EXTENDED to *JULY 16*.

---
*GreHack 2013* — Call For Papers - EXTENDED SUBMISSION DEADLINE: JULY 16
Event: November 15, Grenoble, France
http://grehack.org — Twitter: @grehack
---
*Topics*
The 2nd International Symposium on Grey-Hat Hacking — aka GreHack 2013
— will gather researchers and practitioners from academia, industry,
and government to discuss new advances in computer and information
security research.

All topics related to vulnerability discovery are within scope. In
addition, topics of interest also include but are not limited to:

 - Reverse Engineering and Obfuscation
 - Vulnerability Discovery, Analysis and Exploit Automation
 - Embedded Systems Security, including Smartphone Security
 - Hardware Vulnerabilities
 - Malware Creation, Analysis and Prevention
 - Web Application Security
 - Network Exfiltration
 - Intrusion Detection and Prevention
 - Security and Privacy in Cloud, P2P Networks
 - Penetration Testing
 - Disclosure and Ethics
 - Digital Forensics
 - Applied Cryptography and Cryptanalysis

We encourage original and groundbreaking submissions, demonstrations,
release of a new open source/non-commercial tool, and interaction with
the audience.
Each submission will be reviewed by at least three members of the
Program Committee.

---
*Important Dates*
 - *SUBMISSION DEADLINE*: JULY 16, 2013 11PM59 HONOLULU, HAWAII TIME *EXTENDED*
 - Reviews due: August 25, 2013 11pm59 Honolulu, Hawaii Time
 - Decision notification: September 4, 2013
 - Final paper camera-ready: September 30, 2013 11pm59 Honolulu, Hawaii Time
 - Symposium: November 15, 2013

---
*Submissions Types*
GreHack 2013 will consider the following types of submissions:
*Full research papers* presenting mature and novel research
results. Their total length should range from 10 to 16 pages.
*Short Papers/Extended Abstracts* describing novel ideas of
potential interest to the security research community. Their total
length should range from 4 to 8 pages.

Papers accepted by the Program Committee will be presented at
GreHack 2013. Each paper must include an abstract and a list of
keywords, be formatted in a single-column format, use at least
11-point fonts, and have reasonable margins. Templates are available
on the website (Latex and Word). Total length includes the
bibliography and any appendices.
GreHack does not require anonymized submissions, thus authors and
affiliations must be mentioned. For accepted papers, at least one of
the authors must attend the conference and present the paper. Papers
must neither have been previously accepted for publication nor
submitted in another conference or journal with formal proceedings.
Industry conferences such as BlackHat do not have formal proceedings.

Further questions on the submission process may be sent to the program
chairs at pc-chairs-2...@grehack.org.

---
*Best Paper Award*
The Program Committee members will select the best paper to be
announced and awarded at the last session of the symposium.

---
*Publishing: Springer JCVHT*
The best papers will be selected from submissions, carefully reviewed,
and published in the prestigious Springer Journal in Computer Virology
and Hacking Techniques (JCVHT).
JCVHT is an open journal: access to the papers is free of charge
for the reader.
 http://www.springer.com/computer/journal/11416
 http://academic.research.microsoft.com/Journal/890/journal-in-computer-virology

---
*Program Committee*
 - Dan Alloun (Intel, Israel)
 - Ruo Ando (NICT, Japan)
 - Jean-Philippe Aumasson (Kudelski Security, Switzerland)
 - Sofia Bekrar (VUPEN Security, France)
 - Elie Bursztein (Google, US)
 - Fabrice Desclaux aka Serpilliere (France)
 - Adam Doupe (UCSB, US)
 - Fabien Duchene (LIG, France)
 - Chris Eng (Veracode, US)
 - Peter Van Eeckhoutte aka corelanc0d3r (Corelan, Belgium)
 - Manuel Egele (CMU, US)
 - Philippe Elbaz-Vincent (UJF, France)
 - Eric Filiol (ESIEA, France)
 - The Grugq (Thailand)
 - Mario Heiderich (Ruhr University Bochum, Germany)
 - Pascal Lafourcade (VERIMAG, France)
 - Cedric Lauradoux (INRIA, France)
 - Pascal Malterre (CEA-DAM, France)
 - Laurent Mounier (VERIMAG, France)
 - Stefano Di Paola (Minded Security, Italia)
 - Marie-Laure Potet (VERIMAG, France)
 - Paul Rascagneres aka r00tBSD (Malware.Lu, Luxembourg)
 - Sanjay Rawat (India)
 - Raphael Rigo (ANSSI, France)
 - Nicolas Ruff (EADS Innovation Works, France)
 - Steven Seeley aka Mr_Me (Immunity, US)
 - Fermin J. Serna (Google, US)
 - Nikita Tarakanov (Russia)

---
*Accepted Author Benefits* (1 author per accepted paper)
 - One free entry to the conference
 - Limited financial participation to author expenses (accomm