Re: [Full-disclosure] 0day: PDF pwns Windows
pdp (architect) wrote:

> http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
>
> I am closing the season with the following HIGH Risk vulnerability: Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one.
>
> The issue is quite critical given the fact that PDF documents are in the core of today's modern business. This, and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available. Adobe's representatives can contact me from the usual place.
>
> My advice for you is not to open any PDF files (locally or remotely). Other PDF viewers might be vulnerable too.
>
> The issue was verified on Windows XP SP2 with the latest Adobe Reader 8.1, although previous versions and other setups are also affected.
>
> A formal summary and conclusion of the GNUCITIZEN bug hunt is to be expected soon.
>
> cheers

Hi

Your point is right. But there are a number of factors other than this in exploiting PDF in another sense. My latest research is working on the exploitation of PDF. Even if you look at the core, there are no restrictions on READ in PDF in most of the versions. Only outbound data is filtered to some extent. You can even read the /etc/passwd file from inside a PDF. Other infection vectors include infection through Local Area Networks through sharing and printing PDF docs and all. My upcoming research features everything regarding this and the issue you have already discussed.

Regards
Aks
http://ww.secniche.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] A Request To Everyone
Hi

After looking at the mail wars, I want to say only two lines. I don't know who Meta Info is, Lamer Buster is, LSNN is and all. I don't know how they are generating mails and putting my name everywhere. That's it.

Thanks to all.

Regards
Aks
[Full-disclosure] [Mlabs] Scrutinising SIP Payloads : Traversing Attack Vectors in VOIP and IM
Hi

I have released a core research paper on SIP comprising payload problems and attack vectors. This research paper lays stress on the potential weaknesses present in SIP which make it vulnerable to stringent attacks. The point of discussion is to understand the weak spots in the protocol. The payloads constitute the request vectors. The protocol inherits well defined security procedures and implementation objects. The security model is hierarchical and is diverged in every working layer of SIP from top to bottom. SIP features can be exploited easily if a definitive attack base is subjugated. We will discuss inherited flaws and methods to combat predefined attacks. The payloads have to be scrutinized at the network level. It is critical because payloads are considered as infection bases to infect networks. The pros and cons will be enumerated from a security perspective.

You can download the paper at:
http://mlabs.secniche.org

Regards
Aks aka 0kn0ck
[Full-disclosure] SecNiche : Microsoft Internet Explorer Pop up Blocker Bypassing and Dos Vulnerability
Advisory : Microsoft Internet Explorer Pop up Blocker Bypassing and Dos Vulnerability
Dated : 15 August 2007
Severity : Critical

Explanation :
The vulnerability persists in the popup blocker functioning that allows specific websites to execute popups in the running instance of Internet Explorer. An attacker can easily exploit it by enabling a browser to run a malicious script in the context of Internet Explorer. The script manipulates the registry entries for specific websites through JavaScript. It adds fake or malicious websites as allowed websites in the pop up blocker. The cause: the user visiting an untrusted website, or any other malicious cause.

Detail Advisory :
http://www.secniche.org/advisory/Internet_Pop_Phish_Dos_Adv.pdf
http://www.secniche.org/adv.html

Proof of Concept : Level 1 Infection Test
http://www.secniche.org/misc/ie_pop_by_level1_test.zip

The test runs fine locally as well as with a web server [IIS] with automated server object calling. Infection through an ActiveX Object.

Regards
AKS aka 0kn0ck
http://www.secniche.org
Re: [Full-disclosure] SecNiche : Microsoft Internet Explorer Pop up Blocker Bypassing and Dos Vulnerability
Debasis Mohanty wrote:

> No offence intended, but if you take a little more effort to validate your work before posting publicly then you can save yourself from embarrassment.
>
> I don't see anything in the script that can bypass zone security and run successfully from the internet zone. I am sure you have tested it locally and drawn the conclusion that the script can execute from the internet zone. To test the script from the internet zone, you need to upload it to a webserver and try accessing it via the browser. Any VB/Java script will run from local security with a charm, but if you can make it run from the internet zone (without a prompt) then you have found a holy grail. However, I don't see anything in the script which can defeat zone security and access the registry, hence no vulnerability.
>
> The best way to validate your work before posting publicly is to run it through the vendor or third party security sites like Secunia or iDefense. This would certainly save you from public embarrassment.
>
> -d
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aditya K Sood
> Sent: 17 August 2007 09:07
> To: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]; [EMAIL PROTECTED]; Steven M. Christey
> Subject: [Full-disclosure] SecNiche : Microsoft Internet Explorer Pop up Blocker Bypassing and Dos Vulnerability

Hi

> Any VB/Java script will run from local security with a charm but if you can make it run from internet zone (without a prompt) then you found a holy grail. However I don't see anything in the script which can defeat zone security and access registry, hence no vulnerability.

No problem. I think every script that runs from the Internet zone prompts, Mr. Debasish. Most of the time locally it prompts too. I hope you can find any method by which an ActiveX control does not prompt. You are good at bypassing things.

> I don't see anything in the script that can bypass zone security and run successfully from internet zone. I am sure you have tested it locally and drawn conclusion that the script can execute from internet zone. To test the script from internet zone, you need to upload it to a webserver and try accessing via browser.

I think I have told the practical citation clearly. The automation object is required.

> The best way to validate your work before posting publicly is, run it through the vendor or third party security sites like secunia or idefence. This would certainly save you from public embarrassment.

Embarrassment. Nothing lies beneath it. Critically, you are too much at your own in deciding.

Regards
AKS
[Full-disclosure] [Whitepaper SecNiche] Insecurities in Implementing Serialization in BISON
Hi

A specific white paper has been released comprising specific application problems related to Bison. You can look into it.
http://www.secniche.org/papers/Ser_Insec_Bison.pdf

Regards
AKS
http://www.secniche.org
[Full-disclosure] [Whitepaper SecNiche] Insecurities in Implementing Serialization in BISON
Hi Joey

Thanks. No problem.

Regards
AKS
[Full-disclosure] [SecNiche Security] WAZ (v 1.0) : Windows Anti Zomb Killer Released
Hi

WAZ is an Anti Zombie Healer written specifically for the Windows platform. WAZ crafts UDP and ICMP packets based on the IDs and signature checks of various Zombie Agents.

WAZ consists of :
1. waz_tester.exe : A level 1 infection tester for zombie ports.
2. waz_killer.exe : Win Anti Zomb Killer.

The tool works very generically on the Windows platform. It provides an easy implementation layout.

Project Page :
http://www.secniche.org/projects/waz
http://www.secniche.org/project.html

Regards
Zknk
[Full-disclosure] [CVE 2007-3816] [Advisory] Vulnerability Facts Related JWIG Advisory
Hi all

JWIG has got very good functionalities. But vulnerability finding never states that a technology should not be used, but that it should be carefully used. The vulnerability points should be taken into account while implementing the technology. The growth counts. That's it.

Regards
Aditya K Sood
SecNiche Security.
[Full-disclosure] [CVE-2007-3816][Advisory] JWIG Context-Dependent Template Calling Dos
Advisory : JWIG Context-Dependent Template Calling Dos
CVE-2007-3816
Dated : 12 July 2007
Vulnerable Software : BRICS, JWIG
Severity : Intermediate

Explanation:
JWIG might allow context-dependent attackers to cause a denial of service (service degradation) via loops of references to external templates.

For more details :
http://www.secniche.org/papers/HackAnnotationsInJWIG.pdf

Links:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3816
http://nvd.nist.gov/cpe.cfm?cvename=CVE-2007-3816

Regards
Aditya K Sood
SecNiche Security
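The advisory above names the mechanism (loops of references between templates) but not a check for it. The following is an added example written for this page; it is not JWIG's code, and the `<[name]>` include marker, the in-memory template store and the MAX_DEPTH cap are assumptions made for the illustration, not JWIG's real template syntax. It shows the two defences a template engine wants against that class of degradation: a graph walk that reports a reference loop before any expansion happens, and an expander that carries the chain of templates being expanded so it rejects a loop (or excessive nesting) instead of recursing until the server runs out of stack or CPU.

```python
import re

# Hypothetical include marker "<[name]>" (not JWIG's syntax).
INCLUDE = re.compile(r"<\[([A-Za-z0-9_]+)\]>")
MAX_DEPTH = 32  # assumed hard cap on nesting, a second line of defence

# Constructed sample template store. "header" includes "nav", which includes
# "header" again: a loop of references of the kind the advisory describes.
TEMPLATES = {
    "page":    "<html><[header]><body><[content]></body></html>",
    "header":  "<head><title>demo</title></head><[nav]>",
    "nav":     "<ul><li>home</li></ul><[header]>",
    "content": "<p>hello</p>",
    "safe":    "<div><[content]><[content]></div>",
}


class TemplateError(Exception):
    """Raised for a reference loop, a missing template or excessive nesting."""


def references(store):
    """Map each template name to the names it includes, in order."""
    return {name: INCLUDE.findall(body) for name, body in store.items()}


def find_loop(store):
    """Return one reference loop as a list of names (first == last), or None.

    Depth-first search that keeps the current path; meeting a template that
    is already on the path is a loop, and the slice from that point is it."""
    graph = references(store)
    path, position, done = [], {}, set()

    def visit(name):
        if name in position:
            return path[position[name]:] + [name]
        if name in done or name not in graph:   # finished, or not in the store
            return None
        position[name] = len(path)
        path.append(name)
        for child in graph[name]:
            loop = visit(child)
            if loop:
                return loop
        path.pop()
        del position[name]
        done.add(name)
        return None

    for start in graph:
        loop = visit(start)
        if loop:
            return loop
    return None


def expand(name, store=TEMPLATES, _chain=()):
    """Expand `name` recursively, refusing loops and over-deep nesting instead
    of recursing until the server's stack or CPU is exhausted."""
    if name in _chain:
        raise TemplateError("reference loop: " + " -> ".join(_chain + (name,)))
    if len(_chain) >= MAX_DEPTH:
        raise TemplateError("nesting deeper than %d at %r" % (MAX_DEPTH, name))
    if name not in store:
        raise TemplateError("unknown template %r" % name)
    chain = _chain + (name,)
    return INCLUDE.sub(lambda m: expand(m.group(1), store, chain), store[name])


def check(name, store=TEMPLATES):
    """Return (True, expansion) or (False, error message)."""
    try:
        return True, expand(name, store)
    except TemplateError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("loop:", find_loop(TEMPLATES))
    for name in ("safe", "page", "missing"):
        print(name, "->", check(name))
```

Running it reports the loop `header -> nav -> header`, expands `safe` normally, and refuses `page` with the full chain in the error. The static check is the cheap one to run when templates are loaded or deployed; the depth cap in `expand` guards the case where templates are fetched from elsewhere at request time and the loop could not be seen up front.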
[Full-disclosure] [Advisory] Phishing Vulnerability in Verisign Network
Advisory : Phishing Vulnerability in Verisign Network
Dated : 5 July 2007
Severity : Critical

Explanation:
The Verisign Secured Network and Verisign Weblogs network are vulnerable to phishing. The problem persists in the redirection links present, which allow third party redirection.

The cause :
1. Redirection of traffic directly without visiting the website.
2. The website won't check the link that is being called by the phisher.
3. Third party linking is possible.
4. A looping attack is also possible.

The vulnerable links are:
1. http://www.verisignsecured.com/Redirect.aspx?[ website name ]
2. http://www.weblogs.com/clickthru?url=[website name]

It is considered vulnerable because the clickthru parameter can be initialised to any website not related to the main website links respectively.

Examples:
1] http://www.weblogs.com/clickthru?url=http://www.unep.org/Documents.Multilingual/Default.asp?DocumentID='
2] http://www.weblogs.com/clickthru?url=http://www.weblogs.com/clickthru?url=http://www.pewinternet.org/report_display.asp?r=');--
3] http://www.verisignsecured.com/Redirect.aspx?http://www.unep.org/Documents.Multilingual/Default.asp?DocumentID='
4] http://www.verisignsecured.com/Redirect.aspx?http://www.weblogs.com/clickthru?url=http://www.weblogs.com/clickthru?url=http://www.pewinternet.org/report_display.asp?r=');--
5] http://www.verisignsecured.com/Redirect.aspx?http://www.weblogs.com/clickthru?url=http://www.weblogs.com/clickthru?url=http://www.weblogs.com/clickthru?url=http://www.google.com

Vendor Status : Reported.

Regards
Aditya K Sood
http://www.secniche.org
[Full-disclosure] [Advisory] Phishing Vulnerability in Yahoo Search Engine and Yahoo Network. [Multiple]
Hi all

[Advisory 1] Phishing and Redirection Vulnerability in Yahoo Network
Severity : Critical
Dated : 19 June 2007

Explanation:
A severe redirection and phishing vulnerability has been found in the Yahoo Network. The specific URL linked to any further yahoo website can be manipulated by the attacker to redirect the traffic and used for phishing. The critical point is that the URL can be called by a third party for phishing.

Example : [Persistent Links]
https://us.ard.yahoo.com/SIG=12gb00bbf/M=341232.9804850.11489914.6055752/D=regst/S=150001465:R2/Y=YAHOO/EXP=1182284104/A=4651436/R=0/SIG=1255of0p5/*http://help.yahoo.com/l/us/yahoo/mail/yahoomail/tools/tools-08.html
http://us.ard.yahoo.com/SIG=12l25b5lf/M=289534.9533254.10260072.9228191/D=sec_cntr/S=56502:FOOT/Y=YAHOO/EXP=1182284340/A=4080514/R=0/SIG=11lp7krrc/*http://docs.yahoo.com/info/copyright/copyright.html
http://us.ard.yahoo.com/SIG=12l25b5lf/M=289534.9533254.10260072.9228191/D=sec_cntr/S=56502:FOOT/Y=YAHOO/EXP=1182284340/A=4080514/R=1/SIG=1136qnvkg/*http://docs.yahoo.com/info/terms/
http://us.ard.yahoo.com/SIG=12l25b5lf/M=289534.9533254.10260072.9228191/D=sec_cntr/S=56502:FOOT/Y=YAHOO/EXP=1182284340/A=4080514/R=3/SIG=134av65kc/*http://feedback.help.yahoo.com/feedback.php?.src=YSEC.done=http://security.yahoo.com.form=footer

The network is us.ard.yahoo.com. The vulnerability persists in the internal redirection, directly from the website or from a third party.

The attacker manipulates it as :
https://us.ard.yahoo.com/SIG=12gb00bbf/M=341232.9804850.11489914.6055752/D=regst/S=150001465:R2/Y=YAHOO/EXP=1182284104/A=4651436/R=0/SIG=1255of0p5/ Rogue WebsiteName
https://us.ard.yahoo.com/SIG=12gb00bbf/M=341232.9804850.11489914.6055752/D=regst/S=150001465:R2/Y=YAHOO/EXP=1182284104/A=4651436/R=0/SIG=1255of0p5/*http://www.google.com
https://us.ard.yahoo.com/SIG=12gb00bbf/M=341232.9804850.11489914.6055752/D=regst/S=150001465:R2/Y=YAHOO/EXP=1182284104/A=4651436/R=0/SIG=1255of0p5/*http://www.hushmail.com

The whole network is vulnerable to this. It is virtually manipulated.

Status: Reported and Patched in 24 hours.

[Advisory 2] Yahoo Search Engine Phishing Vulnerability At Core
Severity : Critical
Dated : 19 June 2007

Explanation:
A severe redirection and phishing vulnerability has been found in the Yahoo Search Network. The links provided by the search for the next page can be manipulated by phishers to redirect traffic and use the yahoo search engine for phishing. The vulnerability affects the yahoo search engine in full.

Example: [Persistent Links]
http://rds.yahoo.com/_ylt=A0geu4qjI3hGYOEAIjJXNyoA/SIG=14oi6m38j/EXP=1182364963/**http%3a//search.yahoo.com/search%3fp=Hacking%26y=Search%26rd=r1%26meta=vc%253Din%26fr=yfp-t-501%26fp_ip=IN%26xargs=0%26pstart=1%26b=11
http://rds.yahoo.com/_ylt=A0geu4qjI3hGYOEAIzJXNyoA/SIG=14o91b3v5/EXP=1182364963/**http%3a//search.yahoo.com/search%3fp=Hacking%26y=Search%26rd=r1%26meta=vc%253Din%26fr=yfp-t-501%26fp_ip=IN%26xargs=0%26pstart=1%26b=21
http://rds.yahoo.com/_ylt=A0geu4qjI3hGYOEAJDJXNyoA/SIG=14ods48an/EXP=1182364963/**http%3a//search.yahoo.com/search%3fp=Hacking%26y=Search%26rd=r1%26meta=vc%253Din%26fr=yfp-t-501%26fp_ip=IN%26xargs=0%26pstart=1%26b=31

The above stated URLs are taken from the next page of the query set as Hacking. The network used is rds.yahoo.com. The phisher exploits it by stripping off the full yahoo search and appending the rogue website.

[Original URL]
http://rds.yahoo.com/_ylt=A0geu4qjI3hGYOEAIjJXNyoA/SIG=14oi6m38j/EXP=1182364963/**http%3a//search.yahoo.com/search%3fp=Hacking%26y=Search%26rd=r1%26meta=vc%253Din%26fr=yfp-t-501%26fp_ip=IN%26xargs=0%26pstart=1%26b=11

[Phishing URL]
http://rds.yahoo.com/_ylt=A0geu4qjI3hGYOEAIjJXNyoA/SIG=14oi6m38j/EXP=1182364963/**http%3a//[PhishingWebsite]
http://rds.yahoo.com/_ylt=A0geu4qjI3hGYOEAIjJXNyoA/SIG=14oi6m38j/EXP=1182364963/**http%3a//www.google.com

The whole yahoo search engine is vulnerable to this. The problem persists in the internal linking.

Status : Reported To Yahoo Security. Accepted. Patch is in progress with robust stature as explained by yahoo security.

Regards
Aditya K Sood aka Zeroknock
http://www.secniche.org
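The Verisign advisory (clickthru?url= and Redirect.aspx?) and the two Yahoo advisories (the us.ard and rds redirectors, which carry the target after a `/*` or `**` in the path) describe the same defect: the redirector forwards to whatever target the request names. The block below is an added example for this page, not code from any of those sites or from SecNiche. It models the weak endpoint next to a hardened one. The allow-list, the `/clickthru` path and the example.com hosts are assumptions for the illustration; the advisories do not say what the real redirectors were meant to permit. Beyond the plain rogue-host case it also handles the "looping" form from the Verisign examples (clickthru?url=clickthru?url=<rogue>), where the outer target is on the allowed host and only the inner one is hostile, plus the usual host-check evasions (`//host`, `///host`, userinfo `@`, non-http schemes, header injection).

```python
from urllib.parse import urlsplit, parse_qs

# Assumed policy for a hypothetical site; the advisories do not state what
# Verisign's or Yahoo's redirectors were meant to allow.
ALLOWED_HOSTS = {"www.example.com", "help.example.com"}
REDIRECTOR_PATH = "/clickthru"   # the endpoint's own path, for the looping case
MAX_NESTING = 3                  # redirector-in-redirector hops to tolerate
FALLBACK = "/"                   # where the browser goes when the target is refused


def extract_target(request_url, param="url"):
    """Pull the raw target out of a redirector request such as
    http://www.example.com/clickthru?url=http://somewhere/ (None if absent)."""
    query = urlsplit(request_url).query
    return parse_qs(query, keep_blank_values=True).get(param, [None])[0]


def vulnerable_redirect(request_url):
    """Model the weak endpoint in the advisories: whatever url= names is
    handed back as the Location to send the browser to, unchecked."""
    return extract_target(request_url)


def safe_target(target, _depth=0):
    """Return `target` if it is acceptable to redirect to, else FALLBACK.

    Acceptable means: http(s) or a site-relative path, no control characters
    or backslashes, host on the allow-list (compared via .hostname so userinfo
    and port tricks such as http://www.example.com@rogue/ do not pass), and,
    when the target is this redirector again, its own inner target passes the
    same test within MAX_NESTING hops."""
    if not target or _depth > MAX_NESTING:
        return FALLBACK
    candidate = target.strip()
    if any(ord(c) < 0x20 for c in candidate) or "\\" in candidate:
        return FALLBACK                      # header injection / browser quirks
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return FALLBACK                      # javascript:, data:, mailto: ...
    if parts.netloc:
        host = (parts.hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            return FALLBACK
    elif not candidate.startswith("/") or candidate.startswith("//"):
        return FALLBACK                      # "http:rogue", "rogue/x", "///rogue"
    # Looping case: an allowed target that is itself the redirector. Validate
    # what it would forward to, so clickthru?url=clickthru?url=<rogue> fails.
    if parts.path == REDIRECTOR_PATH:
        inner = parse_qs(parts.query, keep_blank_values=True).get("url", [None])[0]
        if safe_target(inner, _depth + 1) == FALLBACK:
            return FALLBACK
    return candidate


def hardened_redirect(request_url):
    """The same endpoint with the target validated before it is used."""
    return safe_target(extract_target(request_url))


if __name__ == "__main__":
    # Constructed requests modelled on the advisory's patterns.
    for req in (
        "http://www.example.com/clickthru?url=http://www.unep.org/Documents",
        "http://www.example.com/clickthru?url=/account/settings",
        "http://www.example.com/clickthru?url="
        "http://www.example.com/clickthru?url=http://rogue.test/",
    ):
        print(req)
        print("   vulnerable ->", vulnerable_redirect(req))
        print("   hardened   ->", hardened_redirect(req))
```

The same validation applies however the target arrives (query parameter, or path suffix as in the Yahoo URLs); only `extract_target` changes. Comparing `parts.hostname` rather than the raw string is what defeats the `user@host` and `host:port` variants, and the recursion into the redirector's own query is what closes the nested form that a plain host allow-list lets through.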
Re: [Full-disclosure] SECNICHE : Dwelling Security is On the Run
Pranay Kanwar wrote:

> Hi,
>
> Aditya Sood is no longer part of metaeye, he was thrown out because of this kind of behaviour, as MZ describes it.
>
> warl0ck // MSG
> http://www.metaeye.org
>
> Michal Zalewski wrote:
>
>> On Tue, 12 Jun 2007 [EMAIL PROTECTED] wrote:
>>
>>> In an admittedly brief review of this page, I saw nothing useful or informative to my career in information assurance.
>>
>> Aditya has a history of using security mailing lists to advertise his various security consulting projects (metaeye.org, etc) under the guise of fairly bogus whitepapers and vulnerability reports:
>>
>> http://portal.spidynamics.com/blogs/jeff/archive/2007/04/16/ASP.NET-encoding-shortcomings-_2800_review-of-MetaEye-analysis_2900_.aspx
>> http://www.webappsec.org/lists/websecurity/archive/2007-03/msg00079.html
>> http://www.webappsec.org/lists/websecurity/archive/2007-03/msg00115.html
>>
>> As a rule, these claim to discuss cutting-edge attack techniques whilst in fact describing something remarkably mundane (register_globals as Global Space Exploitation, form-based XSS as Double Trap Attacks). I would advise WEBSECURITY moderators to exercise... well, moderation in approving his non-advisory posts:
>>
>> http://www.webappsec.org/lists/websecurity/archive/2007-06/msg00010.html
>> http://www.webappsec.org/lists/websecurity/archive/2007-06/msg00019.html
>>
>> /mz

Hi

People are taking things very personally. No use. Giving rogue comments here is of no use. It has already been described in:
http://zeroknock.blogspot.com/2007/06/i-have-left-metaeye-security-group.html

Reoriginating the same things and trying to disrupt the normal stature is all bad. Don't stretch it. Do your work.

Regards
Zeroknock
Re: [Full-disclosure] SECNICHE : Dwelling Security is On the Run
Pranay Kanwar wrote:

>> dont stretch it. do your work.
>
> Threat?? Whoa! What then, are you going to double trap us? Or exploit us in the global space?
>
> Stop vandalizing the lists and shitting on the security community.
>
> warl0ck // MSG
> http://www.metaeye.org

Hi

No further talk. That's it.

Regards
Zeroknock
Re: [Full-disclosure] SECNICHE : Dwelling Security is On the Run
Michal Zalewski wrote:

> Aditya has a history of using security mailing lists to advertise his various security consulting projects (metaeye.org, etc) under the guise of fairly bogus whitepapers and vulnerability reports:
>
> [...]
>
> /mz

Hi all

I don't know why Mr. Michael, such a good professional, is taking things in this way. Upbringing to a new domain and releasing is a positive process. Rest, I never use the list for something awful. That's it. I respect Michael for the work he has done. I have only one thing to say: it's not necessary to have similar views and a one sided perception of looking at things. The use of these words, aggrandizing and bogus, should not be done. That's it.

Regards
Zeroknock
Re: [Full-disclosure] [WEB SECURITY] Re: SECNICHE : Dwelling Security is On the Run
[EMAIL PROTECTED] wrote:

> In an admittedly brief review of this page, I saw nothing useful or informative to my career in information assurance. Congratulations on posting your personal website.
>
> Regards,
> Dave Druitt
> --
> CSO
> InfoSec Group
> 703-626-6516
>
> -------------- Original message from Aditya K Sood [EMAIL PROTECTED]: --------------
>
>> Hi all
>>
>> The Sec Niche : Dwelling Security portal is up fully. It's a personal working arena and consultancy domain of mine. You can check it:
>> http://www.secniche.org
>>
>> A number of papers have been transformed to secniche and many more will be added as soon as they are ready. So run a bit.
>>
>> Aditya K Sood aka Zeroknock
>> http://www.secniche.org

Well, it's all about work. It's all security perspective. Well, assurance. I don't cover information assurance in it. I don't know how you are looking at it; better if you are in the security field :-P

No prob. Take care
[Full-disclosure] SECNICHE : Dwelling Security is On the Run
Hi all

The Sec Niche : Dwelling Security portal is up fully. It's a personal working arena and consultancy domain of mine. You can check it:
http://www.secniche.org

A number of papers have been transformed to secniche and many more will be added as soon as they are ready. So run a bit.

Aditya K Sood aka Zeroknock
http://www.secniche.org
[Full-disclosure] SecNiche : MLabs Shifted Fully
Hi all

Due to some previous complexities, there is a bit of delay in work. The mlabs have been shifted to SecNiche fully.
http://mlabs.secniche.org

You can see the things directly on this sub domain.

Regards
Aditya K Sood aka Zeroknock
http://secniche.org
[Full-disclosure] SecNiche - CERA Project is Reoriginated
Hi all

This is zeroknock. I feel pleased to announce that project CERA is up again. Some subtle problems occurred previously.

CERA : Cutting Edge Research Analysis is a project of SecNiche : Dwelling Security. The Sec Niche, which will be up very soon, holds my work.

The CERA :
http://cera.secniche.org
http://zeroknock.blogspot.com

I am not associated with my previous group. Lots of other projects are coming. All to serve the community. I am concerned about the previous delay. But now it's all ready. I have left my shared research work back to the singular group.

Thanks
Regards
Aditya K Sood a.k.a Zeroknock
http://www.secniche.org
http://zeroknock.blogspot.com
[Full-disclosure] Adverse Vectors of Coding in Wordpress : Post Modifications
Hi all

This analysis directly or indirectly revolves around the coding of WordPress. In this the stress is laid on the modification of .php pages present in WordPress. This issue becomes relevant when the user changes some of the content of base pages to render it according to their own needs.

You can find it at :
http://cera.metaeye.org/wpana.xhtml
http://zeroknock.blogspot.com/2007/06/adverse-vectors-of-coding-in-wordpress.html

Regards
Aditya K Sood
Zerkn0ck
http://www.metaeye.org
[Full-disclosure] Project CERA : Cutting Edge Research Arena
Hi all

Project CERA : Cutting Edge Research Arena is undertaken. The project provides detailed analysis of untamed issues related to Web exploitation, Web penetration and Web security. Due to its wide acceptance it is projected as the prime base.
http://cera.metaeye.org

Regards
Aditya K Sood
Zeroknock
http://www.metaeye.org
[Full-disclosure] URL Encoding/Decoding Flaw Mechanism In ASP.net[1.0-2.0] Based Web Applications.
Hi all

The penetration of the web leads to the origin of some new artifacts. This in turn helps in understanding the weaknesses and flaws persisting in web applications that lead to the origin of exceptions. An ASP.net issue has been analyzed.

Links:
http://zeroknock.metaeye.org/analysis
http://zeroknock.blogspot.com/2007/04/url-encodingdecoding-flaw-mechanism-in.html

Regards
Zknk
[Full-disclosure] Vulnerable Vectors in PHP Based Redirection Pages[redirect.php4/redirect.php5]
Hi

PHP based redirection pages inherit a design flaw in websites. This makes them vulnerable to phishing attacks. Look into the desired issue at:
http://zeroknock.blogspot.com/2007/04/vulnerable-vectors-in-php-based.html
http://zeroknock.metaeye.org/analysis/

Regards
Zeroknock
[Full-disclosure] Global Space Exploitation In PHP Based Web Applications
Hi all

The PHP based applications are severely vulnerable to global space exploitation. This gives rise to XSS. A very generic analysis has been undertaken. Cutting edge research is on its way. Look at the issue at:
http://zeroknock.blogspot.com/2007/03/global-space-exploitation-in-php-based.html
http://zeroknock.metaeye.org/analysis/gspace.xhtml

Regards
Adi
Re: [Full-disclosure] [WEB SECURITY] Re: Global Space Exploitation In PHP Based Web Applications
Michal Zalewski wrote:

On Sat, 31 Mar 2007, Aditya K Sood wrote:
http://zeroknock.metaeye.org/analysis/gspace.xhtml

Just like your previous double trap XSS advisory, I fail to see the novelty or significance of this report. You seem to discuss an ages-old issue that had been used to exploit a countless number of web applications, and is remediated by disabling register_globals (ain't that off by default since PHP 4.2.0?).

/mz

Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/
Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Well, nothing seems to be old. If it is still persisting with a different layout, then the attack vector is still persisting. It depends upon the individual to look at the significance. There are a number of people who find it significant. I don't want to point it out, but it came in my way and I thought it needs attention again. Even after the specifier is off, the vector is still there, maybe due to any reason. The rest depends on one's thinking. It needs attention again.

Regards
Adi
Re: [Full-disclosure] NewOrder.box.sk Inherits Severe Redirection Vulnerability
Nikolay Kichukov wrote:

Hello there,

I've read the article, but I still do not see where the severe redirection vulnerability is. Is this not a feature of the neworder.box.sk web site to allow anyone to be redirected to any page they submit to redirect.php?

Thanks,
-Nikolay Kichukov

----- Original Message -----
From: Aditya K Sood [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Wednesday, March 28, 2007 8:49 PM
Subject: [Full-disclosure] NewOrder.box.sk Inherits Severe Redirection Vulnerability

Hi

The previous Rootkit.com vulnerability has been patched. neworder.box.sk is a famous security website. It inherits very specific redirection attacks. Domain forwarding or URL forwarding is not only directly possible through the website but can be called from a third party directly. A very generic analysis has been undertaken based on the search engine specification. Look into the issues at:
http://zeroknock.blogspot.com/2007/03/neworderboxsk-inherits-severe.html
http://zeroknock.metaeye.org/analysis/neworder_red.xhtml

Regards
Zeroknock
http://zeroknock.metaeye.org/mlabs

Hi Nikolay

That's where the thinking is a bit off side. Remember there is a lot of difference between a redirection that occurs from the main website through a generated event and a redirection that occurs from a third party. It would be okay in the feature context if the redirection were supported only from the website. More precisely, a search engine check is performed at the top to show that the page is not subjected as a standard page for redirection. If it's a feature, then it must not be redirected from a third party. That's all.

Regards
Adi
Re: [Full-disclosure] NewOrder.box.sk Inherits Severe
[EMAIL PROTECTED] wrote:

Referer checking will not stop open redirects; you must create a whitelist. Consider the following:
http://site/script?u=http://site/script?u=http://cnn.com
It will hit the script, redirect back to itself, set the referer header, then continue.

- Robert
http://www.cgisecurity.com/ Application security news and more.
http://www.cgisecurity.com/index.rss [RSS Feed]

Hello Aditya,

I see your point there. Hope they get it fixed. Should the patch involve some referrer checking?

Regards,
-Nikolay Kichukov

----- Original Message -----
From: Aditya K Sood [EMAIL PROTECTED]
To: Nikolay Kichukov [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Sent: Thursday, March 29, 2007 7:40 PM
Subject: Re: [Full-disclosure] NewOrder.box.sk Inherits Severe Redirection Vulnerability

Nikolay Kichukov wrote:

Hello there,

I've read the article, but I still do not see where the severe redirection vulnerability is. Is this not a feature of the neworder.box.sk web site to allow anyone to be redirected to any page they submit to redirect.php?

Thanks,
-Nikolay Kichukov

----- Original Message -----
From: Aditya K Sood [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Wednesday, March 28, 2007 8:49 PM
Subject: [Full-disclosure] NewOrder.box.sk Inherits Severe Redirection Vulnerability

Hi

The previous Rootkit.com vulnerability has been patched. neworder.box.sk is a famous security website. It inherits very specific redirection attacks. Domain forwarding or URL forwarding is not only directly possible through the website but can be called from a third party directly. A very generic analysis has been undertaken based on the search engine specification. Look into the issues at:
http://zeroknock.blogspot.com/2007/03/neworderboxsk-inherits-severe.html
http://zeroknock.metaeye.org/analysis/neworder_red.xhtml

Regards
Zeroknock
http://zeroknock.metaeye.org/mlabs

Hi Nikolay

That's where the thinking is a bit off side. Remember there is a lot of difference between a redirection that occurs from the main website through a generated event and a redirection that occurs from a third party. It would be okay in the feature context if the redirection were supported only from the website. More precisely, a search engine check is performed at the top to show that the page is not subjected as a standard page for redirection. If it's a feature, then it must not be redirected from a third party. That's all.

Regards
Adi

Hi

Robert is quite clear in his view and he is right. I think there must be some event generation with respect to the redirection handler. This makes the redirection occur mainly from the site and not from a third party. Designing a list will be a good solution.

Regards
Adi
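The thread above ends with Robert's point that a Referer check does not stop an open redirect and that an allow-list is needed. The following Python is an added example, not code from any poster or from neworder.box.sk: it models both controls and replays Robert's chained URL against each. The host `site`, the path `/script` and the `u` parameter follow his example URL; `partner.example`, `attacker.example`, the allow-list contents and the assumed shape of the Referer check (same-site targets always allowed, off-site targets only when the Referer names the site itself) are assumptions made for the demonstration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed setting: the redirect script lives at http://site/script and reads
# its destination from the "u" parameter, as in Robert's example URL.
OWN_HOST = "site"
SCRIPT_PATH = "/script"
DEFAULT_TARGET = "http://site/"
# Assumed allow-list of hosts the site is willing to forward to.
ALLOWED_HOSTS = frozenset({"site", "partner.example"})


def redirect_param(request_url):
    """Return the value of the `u` parameter of a request to the redirect script."""
    return parse_qs(urlsplit(request_url).query).get("u", [None])[0]


def allow_by_referer(target, referer):
    """Weak control (assumed shape of a 'referer check'): same-site targets are
    always allowed, off-site targets only when the Referer names our own host."""
    if urlsplit(target).hostname == OWN_HOST:
        return True
    return referer is not None and urlsplit(referer).hostname == OWN_HOST


def allow_by_allowlist(target, referer=None):
    """Allow-list control: the Referer is ignored; the destination host decides."""
    if "\\" in target:                 # browsers treat "\" as "/", so "/\x" becomes "//x"
        return False
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):   # rejects "//host", "javascript:", "data:"
        return False
    return (parts.hostname or "").lower() in ALLOWED_HOSTS


def resolve(target, referer, policy):
    """Destination the script answers with under the given policy."""
    return target if policy(target, referer) else DEFAULT_TARGET


def follow(request_url, policy, initial_referer="http://attacker.example/lure", max_hops=5):
    """Simulate a browser that reached request_url from initial_referer and follows
    redirects; each hop sets Referer to the URL it is leaving. Returns the first
    URL that is not another request to our redirect script."""
    referer, current = initial_referer, request_url
    for _ in range(max_hops):
        parts = urlsplit(current)
        if parts.hostname != OWN_HOST or parts.path != SCRIPT_PATH:
            return current
        target = redirect_param(current)
        if target is None:
            return current
        referer, current = current, resolve(target, referer, policy)
    return current


CHAIN = "http://site/script?u=http://site/script?u=http://cnn.com"  # Robert's URL
DIRECT = "http://site/script?u=http://cnn.com"                      # constructed

if __name__ == "__main__":
    for name, policy in (("referer check", allow_by_referer), ("allow-list", allow_by_allowlist)):
        print(f"{name:14} direct: {follow(DIRECT, policy)}   chained: {follow(CHAIN, policy)}")
```

Run as is, the Referer check stops the direct off-site link (the Referer is the attacker's page) but lets the chained URL through: the first hop is same-site, so it is allowed, and the second hop arrives with the site's own script as Referer. The allow-list sends both to the default page because the final destination host is not listed, and it also rejects scheme-relative targets, backslash variants, `user@host` forms and look-alike subdomains, none of which a Referer check even looks at.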
[Full-disclosure] NewOrder.box.sk Inherits Severe Redirection Vulnerability
Hi

The previous Rootkit.com vulnerability has been patched. neworder.box.sk is a famous security website. It inherits very specific redirection attacks. Domain forwarding or URL forwarding is not only directly possible through the website but can be called from a third party directly. A very generic analysis has been undertaken based on the search engine specification. Look into the issues at:
http://zeroknock.blogspot.com/2007/03/neworderboxsk-inherits-severe.html
http://zeroknock.metaeye.org/analysis/neworder_red.xhtml

Regards
Zeroknock
http://zeroknock.metaeye.org/mlabs
[Full-disclosure] Rootkit.com Redirection Looping Attack Analysis
Hi all

Due to some server problems, the website remained down for one day. Now it's up. You can look into the desired issue at:
http://zeroknock.blogspot.com/2007/03/rootlitcom-prone-to-redirection-and.html
http://zeroknock.metaeye.org/analysis/rootkit_red.xhtml

Regards
Zeroknock
[Full-disclosure] Rootkit.com : Prone To Redirection and Looping Attacks
Hi

The famous rootkit.com website is prone to redirection looping attacks. The domain context can be manipulated. The full analysis with the concept has been explained. You can look at the desired issue:
http://zeroknock.blogspot.com/2007/03/rootlitcom-prone-to-redirection-and.html
http://zeroknock.metaeye.org/analysis/rootkit_red.xhtml

Regards
Zeroknock
http://zeroknock.metaeye.org/mlabs
[Full-disclosure] IntraProgrammed Search Engines Are XSS Driven
Hi all

The intra programmed search engines are XSS driven. You can look into the desired issue.
http://zeroknock.blogspot.com/2007/03/intraprogrammed-search-engines-prone-to.html

Regards
Zeroknock
http://zeroknock.metaeye.org/mlabs
[Full-disclosure] Double Trap XSS Injection : An Analysis
Hi all

This analysis will take you to a different realm of XSS injection attacks. No XSS cheatsheet is used in this. I am presenting the full analysis of it. The demonstration target is the SecTheory security consultation website. This process goes both ways. This will throw light on the trodden basics of security companies and is also helpful in determining a new class of exploitation.
http://zeroknock.blogspot.com/2007/03/double-trap-xss-injection-analysis.html

The issue has been taken up by ha.ckers.org and replied to as:
http://zeroknock.blogspot.com/2007/03/hackersorg-view-over-double-trap-xss.html

Regards
Zknk
[Full-disclosure] MLabs Is Up
Hi all

The security mlabs is on the way. The link:
http://zeroknock.metaeye.org/mlabs

Regards
Aditya K Sood
http://www.metaeye.org
http://zeroknock.blogspot.com