Re: [Full-disclosure] Month of Random Hashes: DAY THREE
M.B.Jr. wrote:
> but only one string can produce that md5 hash signature, that sha1 hash
> signature, fucking that sha256 hash signature, fucking that any_other hash
> signature, etc...

False. If you specify multiple hash algorithms for a string it's conceptually equivalent to making up a new hash function that is defined as having the output that is the concatenated outputs of md5, sha1, sha256, and whatever else our crapflooder is posting. But this new composite-hash function still has an infinite number of inputs and a finite number of outputs, just like any other hash function. And thus for any one particular output value there are still an infinite number of corresponding inputs. They may be harder to find and they may be orders of magnitude larger, but they still exist at the mathematical level.

Brian

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Month of Random Hashes: DAY THREE
Dëêþàñ Çhäkrãvârthÿ wrote:
> I am not sure what exactly people do with random hashes. Do you people try
> to decrypt using rainbow table or anything similar to that ? Guys I am in
> the dark, please help me.

The original intent was that someone discovering a vuln would post the hash of the POC to the list so that later, when it was widely released, they could prove the point in time at which they found it.

Hashing is not encryption, so flush the notion of decrypting a hash from your brain. For any given hash there are an infinite number of inputs that would result in that same output, though most of them are meaningless strings of garbage of astronomical length. In the case of passwords, since it is known that they are typically short in length and have a limited set of characters, it's sometimes possible to come up with an input that is sensible, but for something like a POC of a vulnerability it would be quite naive to think that you could ever recover it in any reasonable amount of time. That was never the intent anyway; it was about proving who was first to discover something.

But seeing as this is FD and there has been a rash of Month of Foo nonsense, I think someone is just taking the piss and further degrading the already minuscule SNR of this list. Unless a posted hash is correlated to the release of some POC or other item of interest, it's noise.
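The two replies above make a pair of points that are easy to check in code: a "composite" digest built from md5, sha1 and sha256 is still a fixed-size output (so it still has infinitely many preimages in principle), and a digest published to the list can later be verified against the released POC to prove what was committed to at that time. The following Python is an added example, not code from any list post; the algorithm order, the `make_commitment`/`verify_commitment` names and the secret nonce (an addition to the scheme described in the thread, so that a short or guessable POC cannot be matched against the published digest by trying candidates) are all this example's own choices.

```python
"""Composite hashes and hash-based time commitments for a POC (added example).

Not code from the Full-Disclosure posts. Demonstrates:
  * composite_digest(): md5 || sha1 || sha256 is still a fixed-length digest,
    whatever the size of the input;
  * make_commitment()/verify_commitment(): publish a digest now, release the
    POC (and the nonce) later, and let anyone check the two match.
"""
import hashlib
import hmac
import secrets

# Algorithms in the order the composite digest concatenates them (assumption).
ALGORITHMS = ("md5", "sha1", "sha256")


def composite_digest(data, algorithms=ALGORITHMS):
    """Concatenate the hex digests of each algorithm over the same input."""
    return "".join(hashlib.new(name, data).hexdigest() for name in algorithms)


def composite_digest_length(algorithms=ALGORITHMS):
    """Hex length of the composite output; independent of the input size."""
    return sum(hashlib.new(name).digest_size * 2 for name in algorithms)


def make_commitment(poc, nonce=None):
    """Return (digest_to_publish, nonce).

    The nonce is this example's addition: a 16-byte random value prefixed to
    the POC before hashing, kept secret until the POC is released, so that a
    short POC cannot be recovered by hashing candidate inputs.
    """
    if nonce is None:
        nonce = secrets.token_bytes(16)
    return composite_digest(nonce + poc), nonce


def verify_commitment(published, poc, nonce):
    """True if the revealed (nonce, poc) pair matches the published digest."""
    expected = composite_digest(nonce + poc)
    # Constant-time comparison; the digest is public, but it is good habit.
    return hmac.compare_digest(expected, published)


if __name__ == "__main__":
    # Constructed sample standing in for a POC text.
    poc_text = b"constructed sample POC text for the example"
    published, nonce = make_commitment(poc_text)
    print("publish now :", published)
    print("digest length is always", composite_digest_length(), "hex chars")
    # Later the author releases poc_text and nonce; anyone can check them.
    print("verifies    :", verify_commitment(published, poc_text, nonce))
    print("tampered    :", verify_commitment(published, poc_text + b"!", nonce))
```

Run stand-alone it prints a 136-character digest for any input; with `composite_digest(b"x" * 100000)` the length is the same as for `composite_digest(b"")`, which is the pigeonhole argument from the first reply in one line.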
Re: [Full-disclosure] DNS mining ?
Aaron Gray wrote:
> Is there not a tool that runs on *nux that does this ?

I doubt it. If such a tool existed, it would just be querying some third party service like domaintools.com, not doing anything itself. In order to do this lookup yourself requires access to the TLD zone files, which requires signing a contract with Verisign (for .net .com) or PIR (for .org) that says you won't use it to spam or whatever.

http://www.verisign.com/information-services/naming-services/com-net-registry/page_001052.html
http://www.pir.org/RegistrarResources/ZoneFileAccess.aspx

Without that you'd have to brute-force the TLD nameservers with all possible domain names, and that is obviously impractical (and stupid.)

Brian
Re: [Full-disclosure] Putty Proxy login/password disclosure....
[EMAIL PROTECTED] wrote:
> For bonus points, figure out how to reboot the machine without being
> detected. For starters, there's that pesky 'uptime' ;)

1. Pull power plug on target machine.
2. Open case, disconnect data cable from target hard drive.
3. Use PATA/SATA-to-USB cable to connect target hard drive to attacker's laptop.
4. Re-energise target machine (it won't boot, this is only to supply power to target hard drive.)
5. Using laptop, mount target hard drive and insert malfeasance here.
6. When done, install rootkit on filesystem of target hard drive.
7. Power down, unplug USB adapter cable, reattach target hard drive's controller, close case, boot target.
8. Using rootkit installed in 6, get privilege and manipulate log files, utmp, kernel state, et al. to cover any traces of a shutdown.
9. Profit.

Brian
Re: [Full-disclosure] tcpdump logfile viewer
Paul Schmehl wrote:
> Ethereal

s/Ethereal/Wireshark/ig

http://trends.newsforge.com/article.pl?sid=06/06/09/1349255
http://lwn.net/Articles/186925/
Re: [Full-disclosure] Filtering Latest Spam Run (radio.toad.com)
Matthew Murphy wrote:
> attack also appears isolated to one host (radio.toad.com) that can be
> successfully filtered until the admin can make the necessary rule change.

Good luck with that. toad.com is John Gilmore's infamous open relay that he's been running out of protest since... forever.

http://www.google.com/search?q=john+gilmore+open+relay
Re: [Full-disclosure] strange domain name in phishing email
Jianqiang Xin wrote:
> I received several phishing emails. One interesting thing is the link to
> phishing website has the link:
> http://1406379699/dbweb/ws/ebay/index.htm

This is a very old technique. Most people think that dotted-quad decimal is the only way to express an IP address, but they can in fact be written in a variety of formats - octal, hexadecimal, and/or combined as a single 32 bit word. Read http://www.pc-help.org/obscure.htm for more.

Brian
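The reply lists the address forms (single 32-bit decimal, octal, hexadecimal, and mixtures of them) but does not show how to turn one back into a dotted quad. The Python below is an added example, not code from the post or from the pc-help.org page: it parses a host the way the C library's inet_aton accepts it (0x-prefixed hex, leading-0 octal, otherwise decimal, in one to four dotted parts) and returns the canonical address, so a mail filter or log scanner can compare obscured hosts against a blocklist and flag the obscuring itself. The function names and the sample URLs (other than the one quoted in the post) are this example's own.

```python
"""Normalise obscured IPv4 hosts in URLs (added example, not from the post).

The host 1406379699 in the quoted phishing URL is the address as one 32-bit
decimal number. to_ipv4() accepts the inet_aton-style forms the reply names
and returns the canonical dotted quad, or None for anything else.
"""
import re
from urllib.parse import urlsplit

_HEX = re.compile(r"0[xX]([0-9a-fA-F]+)$")   # 0x53d3a6b3
_OCT = re.compile(r"0([0-7]+)$")             # 0123 (leading zero = octal)
_DEC = re.compile(r"(0|[1-9][0-9]*)$")       # 1406379699

# Upper bound (exclusive) for the last part, by number of dotted parts: the
# last part fills every remaining byte (a.b.c.d -> 1 byte, a -> all 4 bytes).
_LAST_PART_LIMIT = {4: 1 << 8, 3: 1 << 16, 2: 1 << 24, 1: 1 << 32}


def _parse_part(text):
    """Parse one part as inet_aton does; None if it is not a number at all."""
    m = _HEX.match(text)
    if m:
        return int(m.group(1), 16)
    m = _OCT.match(text)
    if m:
        return int(m.group(1), 8)
    m = _DEC.match(text)
    if m:
        return int(m.group(1), 10)
    return None  # e.g. "example", or "08" (not valid octal)


def to_ipv4(host):
    """Return the canonical dotted quad for any accepted form, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    *head, last = values
    if any(v > 0xFF for v in head) or last >= _LAST_PART_LIMIT[len(parts)]:
        return None
    # Leading parts occupy the high bytes; the last part fills what is left.
    addr = last
    for index, value in enumerate(head):
        addr |= value << (8 * (3 - index))
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def inspect_url(url):
    """Return (hostname, canonical_ip_or_None, obscured) for a URL's host.

    obscured is True when the host is an IP address written in any form other
    than the plain dotted quad, which is the signal a phishing filter wants.
    """
    hostname = urlsplit(url).hostname or ""
    canonical = to_ipv4(hostname)
    obscured = canonical is not None and canonical != hostname
    return hostname, canonical, obscured


# Constructed sample URLs; only the first one is quoted in the post.
SAMPLE_URLS = [
    "http://1406379699/dbweb/ws/ebay/index.htm",   # single 32-bit decimal
    "http://0x53D3A6B3/login",                     # single 32-bit hex
    "http://0123.0323.0246.0263/login",            # four octal parts
    "http://83.211.42675/login",                   # three parts, last is 16 bits
    "http://83.211.166.179/login",                 # plain dotted quad
    "http://www.example.com/login",                # not an IP at all
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(inspect_url(url), url)
```

All of the IP-form sample URLs normalise to 83.211.166.179; the plain dotted quad is reported with `obscured` False, and a hostname is reported with no canonical address, so the same routine also tells plain IP-literal links apart from domain names.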
Re: [Full-disclosure] Improper Character Handling In PHP Based Scripts like PhpBB, IPB etc.
Edward Pearson wrote:
> Anybody know a good prog to discover what ASCII chars are?

Jesus, what has the world come to when people on a security list can't even seem to work a hex editor? Do you realize how pathetic that sounds?

The character in question is U+00AD aka SOFT HYPHEN. http://www.cs.tut.fi/~jkorpela/shy.html

Brian
Re: [Full-disclosure] Packet sniffing help needed
Mark Knowles wrote:
> Comp1(victim1) = Windows xp box, Connected via dial up to a free ISP
> Comp2(attacker) = windows/*nix, connected via broadband to different ISP than comp1
> Comp3(webserver/victim2)
>
> C1 - C3
> C2---¦

Are you asking what's possible or what's easiest? I think that many readers of this list could come up with dozens of various plans, ranging from relatively straightforward (compromise the target's computer through a browser vulnerability then install tcpdump/dns redirection/keylogger/etc) to the absurd (gain 'enable' access to C1's ISP's core routers through vulnerabilities or social engineering). Without more specifics or information it's kind of an open-ended question.

As far as warnings go.. That also depends on the details of the application. For example if you accessed a standard POP3 or FTP server over an insecure connection (i.e. any connection) then your username and password are flying out in plain sight in cleartext. The attacker doesn't really have to do anything special to obtain them once he has the packets.

On the other hand if a (non-https) web page has a login that uses password hashing with proper salting, implemented on the client-side (i.e. using javascript in the browser) then even if the attacker captured the entire conversation it would not give him enough information to be able to steal the credentials. I think that yahoo does this sort of thing for its logins, but most sites do not go this far, and just send username and password completely in the clear as form fields.

Of course with SSL/TLS it doesn't matter what the application layer does, as the entire conversation is protected from many forms of attack (simple snooping, replay, etc.) But here again the world is not perfect, because an attacker can still proxy the entire conversation, inserting his own certificate in place of the one that the remote server presents. This certificate will not be valid since it won't have a trusted CA signature (or if it did it would not match the domain of the site) and any browser will pop up a warning about this certificate before continuing. But if the user dismisses this warning without reading it then the attacker essentially has everything, and the session is no more secure than the non-encrypted http session. In this example the warning was critical, and ignoring it breaks the entire security model.

Brian
Re: [Full-disclosure] Google Talk cleartext credentials in process memory
Kurt Grutzmacher wrote:
> Just stop keeping our secrets laying around in the open. That's all we ask.

In my opinion this is not a very effective thing to rally against. The operating system already presents a means to protect against one process snooping on the other, as has already been pointed out elsewhere in this thread. If this sort of attack is a concern then you should be urging the user to not run as administrator. There are a number of resources on how to do this, it is far from impossible: http://nonadmin.editme.com/ and http://blogs.msdn.com/aaron%5Fmargosis/ are two.

The fact is that if you get to the point where you A) can run code on the target's computer and B) that code has sufficient privileges to read another process's memory, then you've already lost, it's too late. Trying to mitigate things at that point is just re-arranging deckchairs. Even if the target program scrambles the password in memory, it by definition has to use the password in cleartext at some point (otherwise it would have no need for it in the first place) and so the attacking program could use a number of methods (like dicking around with process or thread priorities to create a race condition, using the debug API, using the hooks API, intercepting window messages, etc) to read the process's memory at the moment that it had the password in cleartext.

As you yourself point out, there are a very large number of programs that don't bother to try to obfuscate cleartext secrets in their own process memory, because they realize it's just not their problem to deal with. Fixing all of them would be nearly impossible. From a cost/benefit analysis, which is more effective: Using the operating system's built-in protection which works for all processes, or trying to convince every Tom, Dick, and Harry that has ever written a throwaway shareware app that they need to make some change? It's whack-a-mole.

Brian
Re: [Full-disclosure] Window's O/S
Cassidy Macfarlane wrote:
> This seems to be a 'nearest path' issue - iexplore would use notepad.exe
> to 'view source' by default, so when you choose to 'view source', Windows
> looks to the PATH variable to find notepad.

IE first looks for the key

HKLM\SOFTWARE\Microsoft\Internet Explorer\View Source Editor\Editor Name

If present, it uses its value as the name of the editor to launch. If absent it seems to use a hardcoded default of just notepad without any qualifying path. It then searches starting on the desktop (and then presumably on the path) to find notepad.*. The first hit that it finds, it uses the standard shell launch method based on the class. In this case that turns out to be HKCR\Folder\shell\open, which launches explorer.

If you change the above Editor Name key to something with a qualified path such as c:\winxp\system32\notepad.exe you get notepad despite a folder on the desktop named notepad. Similarly, if you set the above key to an unqualified foobar and have a folder named foobar on the desktop, it gets opened. There's nothing special about notepad other than that's IE's built-in default.

Brian
Re: [Full-disclosure] Window's O/S
Greg wrote:
> In C:\windows\ the file nnotepad.exe remained as I had changed it and a
> brand new (from the same date as the renamed exe) notepad.exe appeared and
> same under c:\windows\system32 and c:\windows\dllcache as well.

http://www.microsoft.com/whdc/winlogo/drvsign/wfp.mspx

> So my question next is If I have renamed the whole lot that I could find,
> where did this replacement notepad.exe come from? and I cant really answer

The WFP thread watches for file changes and replaces files deemed system files whenever they are modified or replaced. This is not unique to notepad. I don't know how this daemon works but I'd assume it keeps a private cached copy of all files so that it can replace them when changed. I think this is what dllcache is. This means there are always two copies of the file at any given time, and since it's impossible to atomically delete two files simultaneously, the WFP thread can always use one copy of the file to replace the other. If not it could probably grab it from the .cab file that's usually tucked away in %WINDIR% somewhere.

> that one excepting to say that because notepad is the default html editor
> in IE6, perhaps IE6 has notepad somehow protected? BTW, my changed default

No, it has nothing to do with IE or the original subject of this thread. Notepad.exe just happens to be one of a large number of files that WFP has on its list.

Brian
Re: [Full-disclosure] RE: Full-Disclosure Digest, Vol 9, Issue 3
Robert Kim Wireless Internet Advisor wrote:
> Nick, hi... why would you want to filter out the digests? will this
> eliminate digests from my subscription?

It would have nothing to do with *sending* the digests, and everything to do with stopping tards that hit reply to a 70kb digest containing 20 messages, add a single word reply without trimming anything, and spew it all back to the list. It also breaks threading when someone replies to a digest using a mail client that's too dumb to reply to individual mails in a digest. Don't security professionals know how to use email for god's sake?
Re: [Full-disclosure] So how does THIS work?
James Lay wrote:
> So ok...I'm scopin out my apache logs, when I see this:

http://httpd.apache.org/docs/1.3/misc/FAQ.html#proxyscan
Re: [Full-disclosure] phpBB 2.0.17 remote avatar size bug
SmOk3 wrote:
> I don't want to criticize the phpBB coders, but why is it difficult to
> check out the size of a image and telling the user that that size of
> image it's not possible, or even block the size on the viewtopic table,
> something like that.

Having phpbb check the image size would add no security whatsoever. The malicious user could place the image on a server that uses mod_rewrite or PHP (or whatever...) to send a nice 100 x 75 image of a kitty cat when the phpbb server requests the image, and a 4000x3000 gaping goatse to everyone else. There is absolutely no way for phpbb to be able to enforce the size of images hosted on remote machines. All it can do is specify the width and height attributes of the IMG tag when it displays the image.

Brian
Re: [Full-disclosure] talk.google.com
Geo. wrote:
> I don't understand the big fuss over google talk. ICQ has had both talk
> and video chat features since 2000. It started as plugins but it's been
> part of icq for a while now
> http://www.icq.com/img/download/tutorial/tutorial.html

It's become terribly trendy these days for people that want to seem cool to obsess about every single thing that Google does -- even if it's as mundane as setting up a Jabber server.

Brian