[Full-disclosure] 0-day vulnerability
Sorry to rant, but I have seen this term used once too many times to sit idly by. And used today by what I once thought was a respectable infosec publication (that will remain nameless) while referring to the current Firefox vulnerability (that did, by the way, once have a 0-day sploit). Also, by definition, a 0-day no longer exists the moment it is announced ;)

For once and for all: There is no such thing as a "zero-day vulnerability", only a 0-day exploit...

Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] 0-day vulnerability
OK, good points. And since my Mac dictionary widget doesn't have the term yet, I vote for "0day dis". It has a nice ring to it ;)

Curt

On Thu, Oct 28, 2010 at 12:24 PM, w0lfd...@gmail.com wrote:

> Yep. Totally agree. Vulnerability exists in the system since it has been developed. It is just a matter of when it has been disclosed or is being exploited. I would suggest "0 day disclosure" instead of "0 day vulnerability" :)
>
> Sent from BlackBerry® on Airtel
Re: [Full-disclosure] 0-day vulnerability
Right as usual t-man, but while we are doing FWs' job for them, Remote code execution is: any program you can run on a machine you can't touch (for further explanation, man touch).

Curt

On Thu, Oct 28, 2010 at 12:35 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:

> None of this really matters. People will call it whatever they want to. Generally, all software has some sort of vulnerability. If they want to call the process of that vulnerability being communicated for the first time a "0 day vulnerability", then so what. The industry can't (and won't) even come up with what "Remote Code Execution" really means, so trying to standardize disclosure nomenclature is a waste of time IMO.
>
> t
Re: [Full-disclosure] 0-day vulnerability
Along the same lines, from DHS to Symantec, the threat level is always "Elevated". So yellow is now the new green. I think ISS (IBM now) is one of the few that leave their alert level at 1 until there is really a 2-4 situation to deal with. I don't need more stress in my day than the crackers already provide...

Of course, I know keeping things in perspective is hard these days, i.e. I was reading the Washington Post on the Metro this morning, looking at a map of the four stations that al-Qaeda planned to bomb, as I passed all four of them. I would say my PTL (Personal Threat Level) is red.

BTW Hammer, I think "of" is an OK middle name, but I think your last name is a little presumptuous ;)

Curt

On Thu, Oct 28, 2010 at 1:14 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:

> I would further define it as code that can be run on a machine remotely without any human interaction.
>
> What I think would be ultimately effective is if researchers and those who make disclosure announcements quit trying to make their discoveries or processes "cool" and just stick to the facts. Vendors want to downplay vulnerabilities; disclosers want it to sound as bad as it can be. That's why we have people describing a user following a link in an email to download something from their site to be subsequently executed as "Remote Code Execution" that is "Moderately Critical", as if there are actually varying degrees of "Critical". The same holds true for quantifying likelihood of exploitation as "high" based on what researchers call "extremely common deployment environments in many businesses" when they are actually inferring what they THINK is common based on what two of their 5-10 workstation clients are doing with XP peer-to-peer configurations. I think that the only people really paying any attention to this are other researchers, who basically ignore what other people call something - this doesn't really benefit the user.
>
> People want the vulnerability they discover to be awesome and cool and critical because it substantiates their egos. For now, preceding anything with "0-day" is a way of invoking fear and urgency as if it represents some imminent disaster, but soon people will become desensitized to that as well.
>
> t
Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?
The answer is obviously, of course!!! Don't know what planet you're from, but the reason God put nmap here was to save us from the Blue Pill aka M$.

Sent from my iPhone

On Jul 10, 2010, at 3:11 AM, Dobbins, Roland rdobb...@arbor.net wrote:

> On Jul 9, 2010, at 10:49 PM, Dario Ciccarone (dciccaro) wrote:
>
>> Cisco Security Advisory: Vulnerabilities in SNMP Message Processing - which can be found at http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml . The bug ID on our bug database being CSCed68575.
>
> This is a good reminder that it's always a good idea to go through the relevant security advisories of the relevant vendors, ensuring that any vendor-supplied fixes have been applied, before reporting a possible vulnerability - especially in a public forum.
>
> The assumption is generally that OPs have taken the opportunity to do so prior to posting; it's also a good reminder that this isn't necessarily the case, and that due diligence is something to which everyone can contribute.
>
> ---
> Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
>
> Injustice is relatively easy to bear; what stings is justice.
> -- H.L. Mencken
Re: [Full-disclosure] [Dailydave] Hacking software is lame -- try medical research...
I notice that you didn't mention any rare disease that none of your friends or relatives have. Why is it that all of these altruistic people seem to never give a crap until it happens to them? Did Michael J. Fox give one thin dime to Parkinson's until he had it? How about Christopher Reeve and spinal injury/stem cell? I'd much rather make my money and donate to non-profit orgs that do things that I am interested in.

--Curt

On 9/21/07, Kristian Erik Hermansen [EMAIL PROTECTED] wrote:

> Some interesting discussion came up on some security lists this week and it got me to thinking. Yes, hacking software is lame. Cool, so you found some vulnerabilities in some widely distributed application, service, or OS and it is patched just as quickly. Why don't we spend our time and valuable energy researching cures for rare or popular diseases instead?
>
> For instance, my brother (Jon Hermansen) has a very rare disease called Langerhans Cell Histiocytosis. It is also better known as LCH. It can be identified as causing such further diseases as Diabetes Insipidus, which is also uncommon (not sugar diabetes). Have you heard of these diseases before? Let me educate you...
>
> General Information:
> http://en.wikipedia.org/wiki/Langerhans_cell_histiocytosis
> http://en.wikipedia.org/wiki/Diabetes_insipidus
>
> Seven Part Video Series:
> http://youtube.com/watch?v=KkBRqZS8nfM
> http://youtube.com/watch?v=w1h6ZjxF-To
> http://youtube.com/watch?v=0ojbJpERlt8
> http://youtube.com/watch?v=dzUqdYofMCQ
> http://youtube.com/watch?v=lNhzwNYhi0M
> http://youtube.com/watch?v=nY9DDEhShcE
> http://youtube.com/watch?v=5_8SEYyEZGI
>
> And even worse than this, a friend of mine who is a PhD student in Math at Berkeley has an even rarer disease known as Gaucher's Disease. This costs $550,000 / year to treat. That's a hefty bill every year (you make that much doing security vulns?), and some insurance companies might refuse to accept you due to pre-existing conditions. So guess what, my friend does not have health insurance and has not been treated for two years. A genius might die. That's ludicrous.
>
> http://en.wikipedia.org/wiki/Gaucher's_disease
> http://youtube.com/watch?v=0nX6QM5iVaU
>
> If we consider ourselves decent hackers, why don't we put our efforts toward helping cure this and other diseases rather than some very simple programming vulnerability? Is it because then we would have to reinvent a whole new slew of tools and re-orient/re-educate ourselves to be successful? Think about it...
>
> --
> Kristian Erik Hermansen
>
> ___
> Dailydave mailing list
> [EMAIL PROTECTED]
> http://lists.immunitysec.com/mailman/listinfo/dailydave
RE: [lists] Re: [Full-disclosure] F-Secure to release XSS potential dangers
[EMAIL PROTECTED] wrote:

> n3td3v said:
>
>> This is highly irresponsible of F-Secure and they should be held legally responsible if the information they release in relation to their Netscape hacked blog entry is used maliciously.
>
> You might want to review what you've posted to lists regarding vulnerabilities, and ask yourself - if F-Secure gets held to some legal standard of liability, where do you end up yourself? I don't know who's going to end up the test case/poster child for vulnerability liability - but it's much more likely to be an individual that posts to this list and can't afford a lawyer than a corporation with deep pockets like F-Secure :)

n3td3v's mouth is going to get her in trouble one of these days.

Curt Purdy CISSP, GSNA, GSEC, CNE, MCSE+I, CCDA
Information Security Officer
Information Systems Security
infosysec.net
443.846.4231
-
If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke
RE: [lists] [Full-disclosure] Firefox fun
Very interesting HD. FYI, it produces "OS not supported", only attempting a crash dialogue on 64-bit XP. IMHO MetaSploit Rocks!

Curt Purdy CISSP, GSNA, GSEC, CNE, MCSE+I, CCDA
Information Security Officer
Information Systems Security
infosysec.net
443.846.4231
-
If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of H D Moore
Sent: Friday, July 28, 2006 2:48 PM
To: full-disclosure@lists.grok.org.uk
Subject: [lists] [Full-disclosure] Firefox fun

The demonstration exploit now works on Windows, Linux, and both architectures of Mac OS X. A friend of mine reported that it also works on the Camino browser:

http://browserfun.blogspot.com/2006/07/mobb-28-mozilla-navigator-object.html

Enjoy,
-HD
RE: [lists] [Full-disclosure] cloning PC / run in VMware
[EMAIL PROTECTED] wrote:

> For circumvention of a certificate-based authentication I thought about cloning a Windows PC into an image and letting it run in a VMware- or qemu-like environment. Cloning from notebook to another notebook works, the certificate is accepted. Has anybody experience with cloning into an image and letting it run in a virtualization engine? Any hints welcome.

I backup my VMware hosts to a file image less than half the size of the virtual disk and then can restore or move to a clone or another VMware Server.

Curt Purdy CISSP, GSNA, GSEC, CNE, MCSE+I, CCDA
Information Security Officer
Information Systems Security
infosysec.net
-
If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke
[Full-disclosure] Re: Publishing exploit code - what is it good for
Interesting, because this just hit me the other day. Wearing my sysadmin hat, I woke up one morning to find that the NetBSD package converters/xlreader had a vulnerability. Nobody seemed to have a patch for it, but looking at it, even with my rather limited level of C coding skill, I reckoned I could fix it. (Standard buffer overflow: replace sprintf with snprintf kinda thing.) So I did.

Or at least, I think I did. I can't get my hands on a working exploit, so I don't feel truly comfortable that I did indeed fix the problem. Maybe to someone more familiar with C it would be proved fixed by inspection, but I don't feel that comfortable with it myself.

I didn't really use to think that exploits were so useful until this.

cjs
--
Curt Sampson [EMAIL PROTECTED] +81 90 7737 2974 http://www.NetBSD.org
Make up enjoying your city life...produced by BIC CAMERA
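The sprintf-to-snprintf swap described in the post above, with a way to gain some confidence in the fix without a working exploit. This is an added example, not the xlreader code or the poster's patch: the buffer size NAME_MAX, the "cell %s" format, the function names and the guard-byte test are all constructed here. The safe version also returns whether the input was truncated, since silently truncated output is the usual thing a bare snprintf swap hides.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define NAME_MAX 32   /* hypothetical fixed-size output buffer */

/* "Before" (hypothetical shape of the bug): sprintf() writes as many bytes as
 * the format produces, so a cell_name longer than the buffer overruns it.
 * Kept only for comparison; main() calls it with an input that fits. */
static void describe_unsafe(char out[NAME_MAX], const char *cell_name)
{
    sprintf(out, "cell %s", cell_name);
}

/* "After": snprintf() never writes more than NAME_MAX bytes (NUL included)
 * and returns the length it *wanted* to write. A return value >= NAME_MAX
 * means the text was cut, so report that instead of hiding it. */
static bool describe_safe(char out[NAME_MAX], const char *cell_name)
{
    int n = snprintf(out, NAME_MAX, "cell %s", cell_name);
    return n >= 0 && n < NAME_MAX;
}

/* Verification without an exploit: put guard bytes on both sides of the
 * target buffer and check that an over-long input leaves them untouched and
 * still yields a NUL-terminated string inside the buffer. */
struct guarded {
    char before[8];
    char buf[NAME_MAX];
    char after[8];
};

static bool fix_holds(const char *input)
{
    struct guarded g;
    memset(&g, 0xAA, sizeof g);          /* fill guards with a known pattern */
    (void)describe_safe(g.buf, input);
    for (size_t i = 0; i < sizeof g.before; i++) {
        if ((unsigned char)g.before[i] != 0xAA) return false;  /* underflow */
        if ((unsigned char)g.after[i]  != 0xAA) return false;  /* overflow */
    }
    return memchr(g.buf, '\0', NAME_MAX) != NULL;  /* terminated in-bounds */
}

/* A short name fits and the text is exactly what was asked for. */
static bool short_name_ok(void)
{
    char out[NAME_MAX];
    return describe_safe(out, "A1") && strcmp(out, "cell A1") == 0;
}

/* An over-long name (constructed: 127 'X's) is reported as truncated, the
 * result is NAME_MAX-1 characters plus NUL, and the guard bytes survive. */
static bool long_name_truncated(void)
{
    char long_name[4 * NAME_MAX];
    memset(long_name, 'X', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';
    char out[NAME_MAX];
    return !describe_safe(out, long_name)
        && strlen(out) == NAME_MAX - 1
        && fix_holds(long_name);
}

int main(void)
{
    char tmp[NAME_MAX];
    describe_unsafe(tmp, "A1");   /* fits, so harmless here; shown for contrast */
    printf("short name fits:        %s\n", short_name_ok() ? "yes" : "no");
    printf("long name truncated:    %s\n", long_name_truncated() ? "yes" : "no");
    printf("guards intact on 'A1':  %s\n", fix_holds("A1") ? "yes" : "no");
    return 0;
}
```

The guard-byte check is a cheap stand-in for running the code under a memory checker; it catches a write past either end of the buffer for the inputs you try, which is enough to confirm the specific sprintf call was the problem. It does not prove there are no other unchecked writes in the package, which is why the poster's instinct to want a real test case is sound.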