Re: [Full-disclosure] usb shorting to ground

2007-12-30 Thread Dave "No, not that one" Korn
Todd Troxell wrote:
> I discovered rather inadvertently that laptops do not enjoy having
> their USB VCC shorted to GND one bit. It is a sure DoS, in fact if
> the machine has a stupid power supply, it could result in permanent
> damage. It is kind of scary for kiosk machines like the those
> ubiquitous Kodak photo centers.
>
> I give you, the usb pwner. It could even hide inside a legitimate
> stick:
>
> USB Pwner schematic
>
> VCC 
> D+  ---(nc)|
> D   ---(nc)|
> GND 

  See also ...
http://www.hackerslab.org/images/geek/2005/may/etherkiller.jpg

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Local police hacking,now?

2007-05-09 Thread Dave "No, not that one" Korn
scott wrote:
> Just read an article about local police being able(by law)to hack a
> suspects box from the net.

  Hey, did you hear there are countries other than ... wherever the hell you 
live?  Some of them even have internet access, too!

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] Chinese Professor Cracks Fifth Data Security Algorithm (SHA-1)

2007-03-22 Thread Dave "No, not that one" Korn
Tim wrote:
> Hello,
>
> On Wed, Mar 21, 2007 at 06:45:19PM +0300, 3APA3A wrote:
>> Dear Michael Silk,
>>
>> First,  by  reading  'crack'  I thought lady can recover full
>> message by it's signature. After careful reading she can bruteforce
>> collisions 2000 times faster.
>
> Both of you guys are confused.
>
> First off Michael: this is old news.  It doesn't seem to indicate that
> finding collisions is any faster than 2^63, which was reported quite
> some time ago[1].

  It's not just old news, but old old news, since we already had this 
discussion about how it was old news back in january when the piece was 
published...

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] code release: cryptographic attack tool

2007-01-08 Thread Dave "No, not that one" Korn
"Slythers Bro" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]

> this is a mathematic tool where all bits of a double word have 3 states :
> one , zero and unknown
> i implemented the addition , multiplication (with an integer), a new
> concept "fusion" (equivalent to = ) , and all basic boolean functions
> (binary version of xor, or, no , and)
> there are some utilities like error detection, error depth etc ...

  What axioms did you define?  There is more than one way of describing 
notions analogous to addition, multiplication etc. with three-valued logic. 
Does your system form a ring or group?

> i used this lib for coding fuckmd5.cpp

  You did?  I can't see any sign of tri-state logic in the final source 
code.

> if you want to use multithreading the code need modification
> i think this tool is good for easy recomputation and error detection in
> the case of a cryptographic attack

  How?  In what way?

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] Perforce client: security hole by design

2007-01-08 Thread Dave "No, not that one" Korn
Ben Bucksch wrote:
> Anders B Jansson wrote:
>> I'd say that it's a design decition, not sure that it's a design
>> flaw.
>> It's all down to what you try to protect.
>> ... connecting any device not 100% controlled by the company to a
>> company network is strictly forbidden, doing so would be regarded as
>> intended sabotage.
>>
>
> OK, so this bug is not a problem in your company or some Perforce
> setups. That's fine. However, I hope it was clear from my description
> that it's *not* fine in other cases:

  I think it's a bad enough design flaw to call a bug, or at any rate a 
wide-open security hole.  The client should not alter anything that is not 
*below* the current working directory where it's invoked from.  This is 
exactly the same bug as path traversal on webservers or in (un)archiving 
programs, all of which have been fixed to prevent "../.." and absolute paths 
from being allowed; exactly the same reasoning applies to p4.

> I understand the reasoning of Perforce's design, and I understand that
> most companies think that their *own* servers are fine and never pose
> a problem to *anybody*, why *would* they, but that's just not a valid
> assumption for the rest of the world.

  This is always an *assumption*, and for that reason it's bad. 
Defense-in-depth says neither end should "just trust" the other.

  I don't use p4 myself, but wouldn't running the client in a chroot'd 
sandbox be the quickest way to use it safely in these circumstances?

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 
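The containment rule argued for above (refuse absolute paths and any "../" that climbs out of the directory the client was invoked in), written out as an added Python example; this is not Perforce's code or the p4 client's own logic, and the workspace root and file names in it are constructed.

```python
"""Workspace path-containment check: accept only paths that stay below the
directory the client was run in, rejecting absolute paths and '..' escapes.

Added illustration, not the p4 client's code.  Root and file names are
constructed; the check is purely lexical (see the note on symlinks below).
"""
import posixpath
import re

# A drive-letter prefix such as "C:" (checked after backslashes are turned
# into slashes, so "C:\\" and "C:/" are caught the same way).
_DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")


class UnsafePathError(ValueError):
    """A server-supplied path would write outside the workspace root."""


def normalise(path: str) -> str:
    """Turn backslashes into slashes and collapse '.' and '..' segments.

    Normalising first means a Windows-style '..\\..\\' cannot slip past a
    check that only looks for '../'.
    """
    return posixpath.normpath(path.replace("\\", "/"))


def contained_relative_path(path: str) -> str:
    """Return the normalised path if it stays below the root, else raise."""
    if not path or "\x00" in path:
        raise UnsafePathError(f"empty or NUL-containing path: {path!r}")
    norm = normalise(path)
    # posixpath.normpath keeps a leading slash (and a leading '//'), so any
    # absolute form survives normalisation and is caught here.
    if norm.startswith("/") or _DRIVE_PREFIX.match(norm):
        raise UnsafePathError(f"absolute path rejected: {path!r}")
    # normpath resolves every '..' that has a segment before it to climb
    # over; a '..' that is still at the front is one that escapes the root.
    if norm == ".." or norm.startswith("../"):
        raise UnsafePathError(f"path escapes the workspace: {path!r}")
    if norm == ".":
        raise UnsafePathError(f"path names the root itself: {path!r}")
    return norm


def safe_join(root: str, path: str) -> str:
    """Join a server-supplied path onto the workspace root, or raise."""
    return posixpath.join(root, contained_relative_path(path))


def rejects(path: str) -> bool:
    """True if the check refuses this path (convenience for tests)."""
    try:
        contained_relative_path(path)
    except UnsafePathError:
        return True
    return False


def partition_sync_list(root: str, paths):
    """Split a server-supplied file list into writable targets and refusals."""
    accepted, rejected = [], []
    for p in paths:
        try:
            accepted.append(safe_join(root, p))
        except UnsafePathError as exc:
            rejected.append((p, str(exc)))
    return accepted, rejected


# Constructed stand-in for the list of paths an untrusted server could send.
SAMPLE_SYNC_LIST = [
    "src/main.c",                       # fine
    "src/../lib/./util.h",              # '..' that stays inside: fine
    "docs//README",                     # doubled slash: fine
    "../../.bashrc",                    # classic traversal
    "/etc/hosts",                       # absolute POSIX path
    "..\\..\\Windows\\system.ini",      # backslash traversal
    "C:\\boot.ini",                     # drive-letter absolute path
    "\\\\share\\host\\x",               # UNC path
]

# Note: a lexical check cannot see a symlink inside the workspace that points
# outside it; at write time os.path.realpath() of the target must also be
# compared against the root.

if __name__ == "__main__":
    ok, bad = partition_sync_list("/home/dev/ws", SAMPLE_SYNC_LIST)
    for target in ok:
        print("write  ", target)
    for path, why in bad:
        print("REFUSE ", path, "->", why)
```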





Re: [Full-disclosure] [Fwd: MOST URGENT]

2006-12-14 Thread Dave "No, not that one" Korn
[EMAIL PROTECTED] wrote:
>What a frikking idiot.  That's "the former chief executive officer who
> recently died of Colonium-210 poisoning under mysterious circumstances".

  Colonium my arse!

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] Financial firms warned of Qaeda cyber attack

2006-12-12 Thread Dave "No, not that one" Korn
TheGesus wrote:

> I was only quoting (with a little creative editing) the late(?),
> great(?) Paul Milne of Y2K disaster fame.

  Fair enough, in that case, Paul Milne is MAKING IT HAPPEN!

  You're kinda-helping by propagating his sewage without a proper health 
warning though; your argument is a bit like the line of thinking that says 
"I know that all those email virus warnings are always hoaxes, but I'll send 
this one on to all my friends just in case this is the one time that it 
isn't".

> There's a goldmine in there...

  Wow, a whole new world of  net.kookery that I've never explored... thanks 
for the amusing reading material.

>
> http://groups.google.com/groups/search?lr=&safe=off&num=10&q=bank+panic+author%3Apaul+milne&safe=off&qt_s=Search
>
> "If you live within 5 miles of a 7-11, you're toast"

  Heh, I couldn't resist sorting by date... seems the last time he ever 
poasted to usenut was 5th december 2000; only took him 12 months to get 
how wrong he was, but he did at least disappear in shame!


cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] Financial firms warned of Qaeda cyber attack

2006-12-03 Thread Dave "No, not that one" Korn
TheGesus wrote:

> More and more people are hearing the recommendation to "withdraw a
> little extra cash out of the banks" to prepare for cyber attacks. If
> as many as 1.32% of bank depositors take their advice and withdraw all
> their money, the banks will close their doors.
>
> Al Qaeda threatens to disrupt the electronic bank payments system.

  And YOU'RE MAKING IT HAPPEN!  DUH!

> This system contributes about 90% of the US money supply. Without it,
> 10% of the money supply (the cash & coin) must take over the work of
> the other 90%.
>
> Conclusion: Withdraw and stockpile some cash now. Shoot for at least
> three months' cash requirements. Don't wait. Start now.

  AQ don't intend to "attack the banking system".  They plan to get 
paranoids, suckers, and conspiracy-theorists like you to do their dirty work 
for them.  They just need to spread a rumour and then sit back and watch as 
all you "loyal patriots" trash your own country out of fear and cowardice.

  ObTopic:  Sounds like a social engineering attack to me; attempting to 
manipulate the users of a service into acting as an implicit ddos against 
it.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] Anonymizing RFI Attacks Through Google

2006-11-23 Thread Dave "No, not that one" Korn
Gadi Evron wrote:
> Noam Rathaus on using Google to anonymize attacks on websites:
> http://blogs.securiteam.com/index.php/archives/746

> By placing a URL on any web page, Google will find it, visit it and
> then index it. With this mechanism, it is possible to anonymize
> attacks on third party web sites through Google by the use of its
> crawler.

  This technique was described by Michal Zalewski in Phrack years ago.

http://www.phrack.org/archives/57/p57-0x13

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] Vulnerabilities in Client Service for NetWare

2006-11-19 Thread Dave "No, not that one" Korn
[EMAIL PROTECTED] wrote:

> Per charter, please take politics off list.

  What does that suggest to you?

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] Vulnerabilities in Client Service for NetWare

2006-11-17 Thread Dave "No, not that one" Korn
[EMAIL PROTECTED] wrote:

> Please take disagreements, flames, and arguments off the list if
> possible.

  Reposting the entire thing makes you a hypocrite.  Why is it ok for YOU to 
post that message but not ok for the OP to post it?  Answer: it isn't.

  How about getting the bloody tree trunk out of your eye before you go 
criticising the splinter in anybody else's, eh?  You are a spammer, you 
contribute zero content, your postings are BI>20, you repost entire 
off-topic postings to add one bloody line.

  Plus it's pretty damn sad that your greatest ambition in life is to be 
'hall monitor'.  Whoop-de-doo, you've achieved the same level of 
accomplishment as an unconscious automaton.  Congratulations.  Let us know 
if you ever move up the scale of existence from 'inert inorganic matter' to 
something more advanced, like slime mould, ok?

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] Vulnerabilities in Client Service for NetWare

2006-11-17 Thread Dave "No, not that one" Korn
Cyrus Grissom wrote:

> and what the hell is this, "Dave Marcus, B.A., CCNA, MCSE"?  are
> you letting everyone know that you have a bachelor's of arts
> degree? a "Security Research and Communications Manager" who
> advertises that he has a ba, a ccna and a mcse...you're such a
> schmuck... how about a high school diploma, do you want to let us
> know about that too?  go play with your blog or something..

  The BSc stands for "Bronze Swimming Certificate" :)


cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





[Full-disclosure] Patch tuesday debris

2006-11-17 Thread Dave "No, not that one" Korn

  Last tuesday's updates (which I deferred installing until yesterday) left 
a folder on my HD, called "C:\c0772dab3463959f7c", containing a log file, 
msxml6-KB927977-enu-x86.log, which contains install logging details for the 
msxml patch.

  Did everyone get this (or perhaps a similarly-named folder with a 
different hex number)?  If absolutely everyone ended up with this it's 
probably just M$ being careless, but if not it might mean something failed 
during install and that's why it didn't clean up properly.


cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] 18th anniversary of Internet worm a.k.a. Morris worm

2006-11-13 Thread Dave "No, not that one" Korn
[EMAIL PROTECTED] wrote:
> On Sun, 12 Nov 2006 18:21:16 GMT, "Dave \"No, not that one\" Korn" said:
> > Georgi Guninski wrote:
> > > my question was:
> > >
> > > when was the first provable *public* (as in common sense)
> > > announcement of the exploitability of buffer overflows.
> >
> >   The use of smashing the stack to seize control of the program flow was in
> > everyday usage on the Commodore PET from around 1979-1980ish.  It was our
> > standard technique for making programs autorun after loading!
>
> Was that a "classic" smash-the-stack, where an overly long parameter is used
> to over-write the return pointer, or were you guys just intercepting the
> return pointer directly?

  Well, it wasn't a parameter, but it was overwriting the return pointer. 
Everything lived at absolute addresses on that machine, there being no 
dynamic allocation or memory management.  The stack lived a short distance 
in memory below the area reserved for program code.  By setting the 
(absolute) load address of your program a couple of pages lower than usual, 
the first thing that got loaded was your stack, then your program area, so 
you could overwrite the stack with an address in the code region and as soon 
as the kernel's tape load routine returned you seized control.

> If the latter, I'm pretty sure there was software
> that would overlay return pointers in order to redirect program flow as far
> back as IBM's OS/360 in the 1967-75 timeframe.

  Indeed, and there's also the age-old technique of implementing a computed 
goto by pushing the address on the stack and executing a ret (rts for you 
old 6502 heads out there) instruction.

  This is all kind of tangential to Georgi's question about when the first 
public announcement was made, but the point I'm getting at is that the 
general principles of stack manipulation to control program flow either 
deliberately or unexpectedly had been in the air for some time; so no matter 
when the first public announcement of *a* stack-smashing buffer overflow 
vulnerability was made, it would already have been common knowledge that 
buffer overflows *in general* could be used to manipulate the stack; I don't 
suppose there was one initial announcement and then suddenly everyone 
realised the stack could be smashed, I reckon lots of people were gradually 
putting two and two together independently.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] retiring from public security stuff

2006-11-13 Thread Dave "No, not that one" Korn
Georgi Guninski wrote:

> bye bye and all the best :)

  So long, and thanks for all the 'sploits!

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] Keylogger

2006-11-13 Thread Dave "No, not that one" Korn
"0 0" <[EMAIL PROTECTED]> wrote in message
> Yesterday I finished programming a keylogger,

> After receiving the program, it really is as simple as sending it to
> someone, telling them to run it, and watching the logs appear in your
> email account!

  Oh great.  So now I can spy on morons.  That's going to be reeeaal 
interesting.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today





Re: [Full-disclosure] 18th anniversary of Internet worm a.k.a. Morris worm

2006-11-12 Thread Dave "No, not that one" Korn
Georgi Guninski wrote:
> my question was:
>
> when was the first provable *public* (as in common sense)
> announcement of the exploitability of buffer overflows.

  The use of smashing the stack to seize control of the program flow was in 
everyday usage on the Commodore PET from around 1979-1980ish.  It was our 
standard technique for making programs autorun after loading!

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] unreliable vulnerability reports en masse [was: Re: vulnerability in Symantec products]

2006-10-31 Thread Dave "No, not that one" Korn
Gadi Evron wrote:

> Nothing really surprises me anymore. The quality of advisories and QA
> people do seems to be dropping, especially when it comes to File
> Inclusions. The level of false positives posted in the last couple of
> weeks is staggering.
>
> Folks use Google Code Search to find vulns, and don't notice they are
> fixed 3 lines above the "bug" and that three lines below, there is
> another one.
>
> Last week, one of these File Inclusion vulns worked only if you
> disabled two security functions that work by default...

> Up to this day, vulnerabilities and exploits would be researched to a
> level, and released AS-IS. This is fast becoming impractical.

> If the S/N ratio of ADVISORIES rather than ML traffic becomes even lower
> due to unreliable submissions, our jobs will indeed become much, much
> harder.

  :)  Perhaps the antisec/bantown crew have developed a new strategy to try 
and shut down FD by flooding it with useless-but-valid-seeming information? 
Just as spammers have moved on from random hashbuster strings to including 
chunks of real English text from news reports and books, so the antisec 
posters have moved on from furry pr0n and gay lames to real-yet-wrong bug 
reports.  Subtle, you'll never get even a really good bayesian filter to 
discriminate between valid and bogus bug reports!

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] Putty Proxy login/password disclosure....

2006-10-25 Thread Dave "No, not that one" Korn
"Antoine SANTO" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]

> Hi,
>
> I come to report a little strange disclosure discovered by my
> co-worker Fx0day.
>
> When you save session information under putty and you need proxy
> for a session, we can find in plain clear text the login and password
> proxy auth in the windows database register.
>
> Strange to see a good ssh client storing plain clear text « hot »
> information !!

  The HKCU key is protected by an ACL; it is only accessible to the
user, or to someone with admin rights.  So it's not best practice,
agreed, but it isn't a major vulnerability.


cheers,
  DaveK
-- 
Can't think of a witty .sigline today





Re: [Full-disclosure] Windows Command Processor CMD.EXE Buffer Overflow

2006-10-25 Thread Dave "No, not that one" Korn
Peter Ferrie wrote:
>>> file://
>>> ?
>>
>> OK, I'll bite.  Why are file:// URLs relevant to the discussion?
>
> It allows arbitrary data to be passed to CMD.EXE, without first
> owning the system.

  No it doesn't.  It passes arbitrary data to the windows gui shell exec 
function.  It doesn't invoke cmd.exe.  Unless you have an actual working 
example?

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] Genetic method to detect the presence of any virtual machine

2006-10-19 Thread Dave "No, not that one" Korn
Bipin Gautam wrote:
> Microsoft Virtual Machine & VMWARE information disclosure
> Vulnerability
>
> Note: Though not limited to these two products, this trick can be used
> as  an genetic method to detect the presence of any virtual machine

  Gene*R*ic.  The word you're looking for is "generic".  Genetic means to do 
with DNA and stuff.  Generic means universal, widespread, non-branded.

> (Query Output inside Microsoft Virtual Machine)

> Motherboard:
> Company Brnad Name: Vmware, Inc VMware
>
> Video Chipset & Video Memory information
>
> System Manufacturer : VMware, Inc
> Product Name: VMware Virtual Platform

> ( Output inside VMWARE )

> Company Brnad Name: Microsoft Corporation Virtual Machine

> Motherboard Modal: Microsoft Corporation Virtual Machine

  I think you got the two sets of query outputs mixed up as well.

> Querying just a few of the above mentioned information from inside the
> virtual machine can IMMEDIATELY PROVE the presence of virtual machine,
> not the actual system.

  True.  Is it possible to change them, short of binary patching the vm 
executable?

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] pacsec hype security advisory: seven words of warning about Flash player nine.

2006-10-11 Thread Dave "No, not that one" Korn
Dragos Ruiu wrote:

> "The new Flash player adds network functions!"

  Hey, I can do it in three words!

  Flash.  Must.  Die.

> and thus there are many ways to bypass the only-connect-back-upstream
> and port < 1024 limitations on the SWF applet Socket() class. A

  Limiting ports to less than 1024 hasn't been any kind of security measure 
since.. I dunno, forever really.  Since there were more than two machines 
connected to the internet.  How can anyone in the 21st century think that 
this is meaningful?

> The potential for network misuse possible in Flash just went up
> several orders of magnitude, and as the Adobe site triumphantly
> proclaims it's apparently in use at 97.3% of networked computers.
> I'll avoid some of the more exotic scenarios, lest they give
> anyone some bad ideas -

  Distributed port scanning from a malicious webserver that gives every 
client a slightly modified .swf with a different range of ip addresses to 
scan?

  Seriously, thanks for the warning.  Once more, feeping creatureitis wins 
out over sanity and security.  Oh well.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] Googling: Google Meta Bugs

2006-10-11 Thread Dave "No, not that one" Korn
Aditya Sood wrote:

> This post deals with the googling effects that google provide with its
> search engine.

  You just invented a new phrase that does not exist in any dictionary. 
What are "googling effects"?  And how did you expect everyone else in the 
world to know a private phrase you just made up in your own head?

> Since in searching algorithms the metacharacters are
> handled with proper filtering techniques which we have not seen it in
> google.Already explanation given to google but i think they are
> getting googled not to handled these unexceptional searches.What we
> call it.

  That was just plain gibberish.

> Explanation:

  No, those aren't explanations, they are *examples*.  You completely forgot 
to say anything at all about what is supposed to happen.

> Well Only GOOGLE can give the answer.

  No, only YOU can tell us what on earth you're talking about.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] moooooooore fun with Google search

2006-10-07 Thread Dave "No, not that one" Korn
Gadi Evron wrote:
> I cover everything that I found so far on how Google Code Search can
> be used to find vulnerabilities and backdoors in code.. and even
> harvest valid email addresses or perform static analysis.
>
> http://blogs.securiteam.com/index.php/archives/663
>
> What's your new fav Google hack?

http://www.google.com/codesearch?q=kill+me+now&btnG=Search+Code

  See also http://thedailywtf.com/forums/thread/94630.aspx for some less 
serious-minded searches...

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] Stealing Search Engine Queries with JavaScript

2006-09-29 Thread Dave "No, not that one" Korn
"Billy Hoffman" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]

> Proof of Concept: http://www.spidynamics.com/spilabs/js-search/index.html

  Hmm, doesn't work for me in FF1.0.6.  Haven't tested with 1.5.x series. 
Can send more information or do further testing if you want.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today





Re: [Full-disclosure] Security as an Enabler - Virtual Trust: An Open Challenge to All InfoSec Professionals

2006-09-28 Thread Dave "No, not that one" Korn
Kenneth F. Belva wrote:
> I've been defending Virtual Trust as an enabler for the past three
> days on the full-disclosure list. So far, fairly successfully.

  An enabler *of* anything in particular?  Or just some kind of magic 
enabling pixie dust, good for all purposes?

> Here's the challenge: How creative are you *for* VT, *against* VT and
> determining the *impact* of VT?

  What does "being creative *for*" something even mean?

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] Windows Automatic Gringo ZaW!

2006-09-24 Thread Dave "No, not that one" Korn
? wrote:
>> So, WTF#1 is: what the hell makes them think my utterly clean
>> machine could possibly be infected? What kind of pseudo "detection"
>> technique are they using? So WTF#2 is: why the hell are they trying
>> to push obsolete old garbage on me?
>> I'm going to leave my workstation unplugged over the weekend, in
>> case this is some kind of DRM or WGA update being forced on us under
>> false pretences,
>
> OK. So you have choice but choose Windows and then come to
> full-disclosure to whine about basically nothing?
> What can I say. You are retarded.
>
> Nyoro~n

Ok, then, one more time.  This time with subtitles for the hard of 
thinking:

>> So, WTF#1 is: what the hell makes them think my utterly clean
>> machine could possibly be infected? What kind of pseudo "detection"
>> technique are they using? So WTF#2 is: why the hell are they trying
>> to push obsolete old garbage on me?

  "I have observed some kind of bug or glitch in a piece of security-related 
software."

  This is the full-disclosure list, a place for discussing bugs and glitches 
in security-related software.  So I said that I had observed some kind of 
bug or glitch in some security-related software.

  You, on the other hand, appear to think that this list is just another 
version of slashdot.  That makes you the retard.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





[Full-disclosure] Windows Automatic Updates WTF?

2006-09-22 Thread Dave "No, not that one" Korn
Is anyone else seeing this?

  I just noticed the 'updates waiting to be installed' shield icon in my
systray. Popped it up, chose manual install to see what M$ was trying to
shove down my throat this time. It was offering me the "Mydoom, Zindos, and
Doomjuice Worm Removal Tool (KB836528). The text reads:-

" Size: 119 KB

This tool helps remove the Mydoom.A, Mydoom.B, Mydoom.E, Mydoom.F, Mydoom.J,
Mydoom.L, Mydoom.O, Zindos.A, Doomjuice.A, and Doomjuice.B worms from
infected systems. The appearance of this update means that your machine is
likely infected with one or more of these worms. For more information on
protecting your PC, visit the Microsoft Protect Your PC Web site at
www.microsoft.com/protect.

More information for this update can be found at
http://support.microsoft.com/default.aspx?kbid=836528 "

  So, WTF#1 is: what the hell makes them think my utterly clean machine
could possibly be infected? What kind of pseudo "detection" technique are they
using?

  And on going to check the KB article, what do I see?

" Article ID : 836528

Last Review : March 8, 2005

This tool is no longer available. It has been replaced by the Microsoft
Windows Malicious Software Removal Tool."

  So WTF#2 is: why the hell are they trying to push obsolete old garbage on
me?

  I'm going to leave my workstation unplugged over the weekend, in case this
is some kind of DRM or WGA update being forced on us under false pretences,
and in case they decide to use their "Sod-what-settings-the-user-chose,
make-them-install-the-update-and-forcibly-reboot-their-machine-losing-any-unsaved-work-in-the-progress"
remote control feature again.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





Re: [Full-disclosure] the world of botnets article and wrong numbers

2006-09-14 Thread Dave "No, not that one" Korn
Gadi Evron wrote:

> Numbers...
> I can't speak for others, but I can try to answer better than I did
> on the botnets mailing list on whitestar.
>
> On individual honey nets, even rather large ones, the number of unique
> samples often assembled can be somewhere between 200 and 800
> a month.. depending on how wide it is spread and the networks it sits
> on. Which is why many of us cooperate.
>
> From cumulative honey nets monitoring of such smaller (yet very
> effective) nets, and some larger nets, we get to a number of about
> 15K new bot samples every month (Alan Solomon and myself wrote 12K,
> so we underplayed it a bit due to statistics being a bit shaky). So
> the real avg number is somewhere around 15K new unique samples a
> month.

  Can you go into detail about the methodology you're using here?  How do 
you "get to a number" of 15,000 from a number "between 200 and 800"?  Is 
this a statistical extrapolation, or are you saying that your honeynet gets 
200 to 800 unique samples a month, and so does that one over there, and that 
one, and that one and they all add up to 15000?  Do you attempt to 
correct for variants that are simply re-packed using a different compressor, 
or other trivial changes?  Do you attempt to correct for complex polymorphic 
variants?

> Further, the anti virus world sees about the same numbers.
>
> The Microsoft anti malware team (and Ziv Mador specifically) spoke of
> 15K avg bot samples a month, as well.

  Got a link/quote/reference to that?  Does Ziv explain the methodology that 
they are using?

> I don't know what others may be seeing, but this is our best estimate
> as to what's going on with the number of unique samples released
> every month.
>
> Jose Nazarijo from Arbor replied on the botnets list that he sees
> similar numbers.
>
> I hope this helps... what are you looking to hear?

  Some kind of explanation for the huge disjunction between these numbers 
and our instinctive ideas about what's possible.  Of course, being 
un-worked-out intuitive estimates, such ideas are of course entirely likely 
to be off the mark, but off the mark by two orders of magnitude?  Hence the 
request for more methodological details.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





[Full-disclosure] Re: OT - Check this out - Full disclosure is aptfor this

2006-09-13 Thread Dave "No, not that one" Korn
[EMAIL PROTECTED] wrote:
> Contex -
> 
>
> 
>> If you consider that America are
>> able to lie about the weapons of mass
>> destruction and then admit it,
> 
> "America" never lied about WMD.
> America is not in a position to prove that any WMD stockpiles
> existed past December of 1998, when Saddam kicked out the UN; but
> at worst that makes them wrong, not liars.

  All the stuff about VX nerve gas *HAS* to be conscious, knowing,
deliberate lies.

  Why?  Because the stuff has a shelf-life of twelve weeks, and anyone who's
claiming a decade later that there's a ton and a half of the stuff
unaccounted for KNOWS for a fact that even if it did still exist in any
recognizable form it would be less harmful than dirty dishwater.

  I'm sorry, but the *publicly known* facts were so blatantly in opposition
to the conclusions promulgated by the warmongers that I'm not willing to
accept 'mistaken' as a plausible explanation.


cheers,
  DaveK
-- 
Can't think of a witty .sigline today






[Full-disclosure] HP execs phone hack - SSNs *still* not secure for authentication

2006-09-08 Thread Dave "No, not that one" Korn

  Haven't seen this mentioned before, but it's part of AT&T's explanation of 
how a PI was able to falsely obtain the phone records of Thomas J. Perkins, 
the board member who resigned over the illegal investigation:

http://www.thesmokinggun.com/archive/0905061hp3.html

[transcribed by me from the jpg, any typos are my fault]

"  First, with respect to your "local" residential telephone account with 
the former SBC (now AT&T), an online account was established on January 30, 
2006. [ ... ]  The person registering the online account did so through the 
Internet and provided your telephone number and the last four digits of your 
Social Security Number to identify himself/herself as the authorized account 
holder.  We have no way of determining how the person obtained this Social 
Security Number information.  "

  How many more times are we going to see this exact same mistake over and 
over again?  SSNs are not secure and they are not proof of authority or 
identity.  AT&T have now locked the online account facility for Mr. Perkins. 
That leaves ..  let me see...  every single customer except one still 
vulnerable to having their accounts stolen in this way.

  AT&T should disable this facility at once and not bring it back online 
until it is secured.


cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





[Full-disclosure] Re: Browzar Footprints

2006-09-05 Thread Dave "No, not that one" Korn
lsi wrote:
> If the user uses Browzar's default search page, it's obvious as hell:
>
> 2xx.206.1x6.1x5 - - [01/Sep/2006:20:49:19 +0100] "GET
> /parvati/ici_bse.htm HTTP/1.1" 200 18754
> "http://www.browzar.com/search/browzar.asp?q=david%20brown%20prion";
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Why don't you set your server to automatically 302 any client with 
a browzar.com referer header to one of the pages about how useless browzar 
is ?

cheers,
  DaveK

n.b. closing /evil tag omitted on purpose.  i plan to stay this way. 
muahahahah!
-- 
Can't think of a witty .sigline today 





[Full-disclosure] Re: Buffer overflow vulnerability in dsocks

2006-09-05 Thread Dave "No, not that one" Korn
Michael Adams wrote:
> A buffer overflow in variable 'buf' exists due to insufficient
> validation of variable 'name' in function tor_resolve line 218 of
> software at http://www.monkey.org/~dugsong/dsocks/

  At a quick glance, this looks like it could indeed be overflowed quite
trivially by passing an overlong name to any of the host lookup functions
proxied by dsocks.  It therefore seems that it could quite easily be
triggered remotely by, for example, a web page with an include/iframe using
an overlong URL.

  I would advise anyone currently using dsocks to click here:

http://foo.12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.veryverylongname.com.invalid/

and if they crash their dsocks-enabled web-browser, to stop using it very
quickly indeed.


cheers,
  DaveK
-- 
Can't think of a witty .sigline today
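The failure mode Michael and Dave describe, as an added illustration that is not dsocks's own code: a SOCKS4a-style RESOLVE request builder that checks the hostname against both the DNS name limit and the size of its fixed buffer before copying, so an overlong name arriving from a URL makes the lookup fail instead of overrunning `buf`. The request layout, buffer size and function names are my assumptions for the demo, not taken from dsocks.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Added example, not code from dsocks: build a SOCKS4a-style RESOLVE
 * request into a fixed-size buffer, refusing any hostname that would
 * not fit instead of writing past the end of the buffer.
 *
 * Assumed layout (SOCKS4a with the Tor RESOLVE command byte 0xF0):
 *   VN=4 | CD=0xF0 | DSTPORT (2 bytes) | DSTIP=0.0.0.1 | USERID "\0" | HOSTNAME "\0"
 * The buffer size and the 255-byte DNS name limit are assumptions for the demo.
 */

#define REQ_BUF_LEN   64    /* small on purpose so the demo can hit the limit */
#define MAX_HOSTNAME 255    /* longest name a DNS resolver will accept */
#define REQ_HDR_LEN    9    /* 8 header bytes plus the empty USERID terminator */

/* Length of s, counting at most limit+1 bytes so an unterminated or
 * very long input cannot make us scan forever. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n <= limit && s[n] != '\0')
        n++;
    return n;
}

/* Writes the request into buf. Returns the request length, or -1 when the
 * name is empty, longer than MAX_HOSTNAME, or too long for buflen. */
int build_resolve_request(const char *name, unsigned char *buf, size_t buflen)
{
    size_t n;

    if (name == NULL || buf == NULL)
        return -1;
    n = bounded_len(name, MAX_HOSTNAME);
    if (n == 0 || n > MAX_HOSTNAME)
        return -1;                          /* reject empty or overlong names */
    if (buflen < REQ_HDR_LEN + n + 1)
        return -1;                          /* would overrun buf: fail closed */

    buf[0] = 4;                             /* SOCKS version 4 */
    buf[1] = 0xF0;                          /* RESOLVE (Tor extension) */
    buf[2] = 0; buf[3] = 0;                 /* port: unused for RESOLVE */
    buf[4] = 0; buf[5] = 0; buf[6] = 0; buf[7] = 1;   /* 0.0.0.1: SOCKS4a, name follows */
    buf[8] = '\0';                          /* empty USERID */
    memcpy(buf + REQ_HDR_LEN, name, n);
    buf[REQ_HDR_LEN + n] = '\0';
    return (int)(REQ_HDR_LEN + n + 1);
}

/* Convenience wrapper: result of building a request for name into a
 * REQ_BUF_LEN buffer. */
int resolve_request_len(const char *name)
{
    unsigned char buf[REQ_BUF_LEN];
    return build_resolve_request(name, buf, sizeof buf);
}

/* Constructed input: a single label of len 'a' characters, in the spirit
 * of the overlong hostname in the test URL above. */
int overlong_label_len(size_t len)
{
    static char name[600];
    if (len >= sizeof name)
        len = sizeof name - 1;
    memset(name, 'a', len);
    name[len] = '\0';
    return resolve_request_len(name);
}

int main(void)
{
    printf("normal name   -> %d\n", resolve_request_len("www.example.invalid"));
    printf("60-byte label -> %d (within DNS limit, too big for our buffer)\n",
           overlong_label_len(60));
    printf("300-byte label-> %d (over the DNS limit)\n", overlong_label_len(300));
    return 0;
}
```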






[Full-disclosure] Re: [Advisory] % +Thu Mar 16 21:07:15 EST 2006+ %Local Privilege Escalation Vulnerability in Microsoft Windows XP

2006-08-29 Thread Dave "No, not that one" Korn
Christoph Gruber wrote:
> On Friday 17 March 2006 03:07 Christoph Gruber wrote:
>
> I want to straighten out that this posting does NOT come from me!
>
> A look at the header clarifies that:

  you're almost six months too late?

  Seriously, there's not a lot of need to do this.  It should be blatantly 
obvious to anyone coming across it that nobody flooding a mailing list would 
use their real name to do so.  If you notice, it's part of a huge flood of 
identical posts all with different names harvested from the group.  How daft 
would anyone need to be who looked at that and thought that all those 
different people really had decided to suddenly post the exact same bit of 
crap?  Don't worry, nobody was taken in!

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





[Full-disclosure] Re: MS06-034 lies? IIS 6 can still be owned?

2006-07-26 Thread Dave "No, not that one" Korn
[EMAIL PROTECTED] wrote:

> please note that self-promotion is forbidden on the list.

  That's 'gratuitous' self-promotion that is forbidden.  Non-gratuitous 
self-promotion, which is allowed, would be where the post is almost entirely 
worthwhile security-related content with a brief plug for whatever the 
poster's currently up to thrown in.

  Since *you* have never posted anything with any security-related content 
whatsoever, you're clearly not interested in anything except seeing your own 
name 'in print'.  That makes every single post you've ever posted gratuitous 
self-promotion.  I call PKB on you, hypocrite.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





[Full-disclosure] Re: MS Word Unchecked Boundary ConditionVulnerability - POC

2006-07-08 Thread Dave "No, not that one" Korn
"naveed" <[EMAIL PROTECTED]> wrote in message
> void dummy(unsigned char* ptr,int sz)
> {
> for(int i=0;i<sz;i++) fwrite(&ptr[i],1,1,fptr);
> }


  :) Bit odd way of doing things!

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





[Full-disclosure] Re: The truth about Rob Levin aka Liloofirc.freenode.net

2006-07-06 Thread Dave "No, not that one" Korn
Eliah Kagan wrote:
> On 7/6/06, Edward Pearson wrote:
>> Yes, shame on you.
>> If Rob took you to court, you'd be in big fucking trouble.
>
> Wow, feel the hate.
>
> evilrabbi pointed it out, but maybe you didn't catch it...court
> records are public...
>
> Benjamin Krueger spoke of, "SSN, birthdate, and other personal data,"
> but see, nobody posted any of that...Andrew A posted some information
> from PUBLIC COURT RECORDS...
>
> -Eliah

  You appear to have come in part way through this thread and missed the 
first post that started it, which had Rob Levin's SSN, birthdate and 
personal data.

  What makes you look even dafter is that the post by Andrew A, which you 
clearly *have* seen, re-quoted the entire thing beneath the top-post, 
including Rob Levin's SSN, birthdate and personal data.

  If you can't see things such as an SSN, birthdate, and personal data, when 
they're right there in front of you, please don't try and help anyone else 
by discussing the absence of SSN, birthdate, and personal data, from posts 
that you clearly didn't pay the slightest attention to when you read them.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





[Full-disclosure] Re: Google and Yahoo search engine zero-day code

2006-07-05 Thread Dave "No, not that one" Korn
Denis Jedig wrote:
> n3td3v wrote:
>
>> Today's disclosure involves Google and Yahoo search engines:
>>
>> All you need to do is put in the code to a web page, when Google and
>> Yahoo visit it, then the code exploits the software they use and
>> makes them start caching 'other' pages. Including 'no index' pages,
>> where sites have setup a robot text file on their server to protect
>> corporate and consumer interests.
>
> I think you missed the concept here. Whatever is on the webservers and
> is available to the public is... well... available to the public.
>
> It does not help security matters to introduce a robots.txt - the
> purpose of this directives file is not to secure something but to
> reduce traffic and keep irrelevant content out of search engines.
>
> If you need security, you introduce some kind of authentication
> *before* access is allowed to sensitive data. You will find that a
> sign reading "Do not enter and do not steal any gold" will not help
> much at the Fort Knox entrance if it is the only security measure.


  Also, Google and Yahoo *do* respect the robots.txt file and do check it
for every server they fetch files from, and the whole thing is garbage.  His
so-called 'example' is a fraud because it shows yahoo caching a page from
the site mtf.news.yahoo.com, which DOES NOT HAVE A ROBOTS.TXT FILE.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today







[Full-disclosure] Re: Write Your Own Perspective Alongside BBC FOX CNNWSJ and New York Times

2006-06-29 Thread Dave "No, not that one" Korn
Robert Kim Wireless Internet Advisor wrote:
> http://www.frustratedcities.com/bush-foreign-policy-iran.html
>
> compares the same stories from BBC FOX CNN WSJ and New York Times to
> show you how EACH source is biased...

  No it doesn't.  It just puts up an rss feed from each of those sites next 
to each other and lets whatever randomly happens to turn up in whatever 
order lie next to each other.  Right now, it is "comparing" (according to 
you)

 Summers Looks Back at Harvard Presidency

 Freed foreign prisoner has killed

 Justices Uphold Most Remapping in Texas by G.O.P.

 Bush Welcomes Japanese Prime Minister to White House

 Mexican Watershed

 India - Muslims welcome revised PM's programme for minority welfare


... any resemblance between the topics of these stories is purely 
coincidental.

  (And as far as "show you how each is biased", the graph at the bottom 
right makes it pretty clear that some are far less biased than others - 
unless of course you think that "accuracy" is some kind of unfair bias and 
equal weight should be given to lies and bullshit.)

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





[Full-disclosure] Re: Forensics help - Outgoing email

2006-06-18 Thread Dave "No, not that one" Korn
[EMAIL PROTECTED] wrote:

> Recently, I was introduced to the torrent network
> (primarily because I wanted to download some Linux
> distros).  My curiosity made me download other audio
> torrents to see the efficiency of the torrent network.
>  One thing I have noticed on my system is that there
> is an email being sent out periodically to some system
> (247.16.delicado.com.uy).  When the email is being
> sent out, the AVG Anti Virus is scanning the email,
> which
> is how I found out about the delicado.com.uy system.
> I do not know what is being sent out.  Can the torrent
> files compromise security on your system?  Has my
> system been compromised and become part of a bot
> network?  How do I find out what is causing this email
> to go out?  How do I fix this problem?

  One possible explanation is that one of the music files you downloaded 
wasn't actually an mp3 but a virus-infected exe, with a name like 
'foo.mp3.exe' or 'foo.mp3 
.exe' that can easily slip past your notice if you aren't paying full 
attention.  I suggest you run a full scan with AVG, and perhaps try out one 
or two of the on-line virus scanners as well.

  On the other hand, some versions of the torrent software are known to have 
been bundled with ad/spyware, so perhaps you should run AdAware or SpyBot 
S'n'D as well?

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





[Full-disclosure] Re: Backdoor in RelevantKnowledge adware (What are wefighting for?)

2006-05-30 Thread Dave "No, not that one" Korn
3APA3A wrote:

> RelevantKnowledge   was   found  to  contain  backdoor  proxy
> component
> rlvknlg.exe   (Marketscore  OSSProxy),  which  is  configured  to
> allow
> incoming  network  connections  on TCP/8254, probably acts as open
> proxy
> and  also performs keylogging and monitoring for active windows
> content.
> Component can not be disabled by user.
>
> Details (by YAG KOHHA, Lame):

Good analysis, but you're not the first:

http://www.cit.cornell.edu/computer/security/marketscore/technical.html

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





[Full-disclosure] Re: I'm ready to tell the police

2006-05-22 Thread Dave "No, not that one" Korn
n3td3v wrote:

>  i'm not having a major breakdown...

  Methinks the lady doth protest too much.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





[Full-disclosure] Re: **LosseChange::Debunk it??**

2006-05-17 Thread Dave "No, not that one" Korn
Pete Simpson wrote:

> This demonstrates that if the model were valid the minimum possible
> duration of complete collapse would be 87.9 seconds.

  Well then, this demonstrates that your model is not valid.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





[Full-disclosure] Re: RealVNC 4.1.1 Remote Compromise

2006-05-16 Thread Dave "No, not that one" Korn
James Evans wrote:

> And now a very important message...
>
> RealVNC is distributed under the GNU General Public License. As such,
> the complete source code of RealVNC *must* be freely distributed. When
> RealVNC (the company) received notice of this flaw in their software,
> they were quite prompt in patching it. Such action is normally worthy
> of praise. Yet, in this case, RealVNC immediately took down the source
> code to their software. While this was probably done out of fear
> rather than malice, I believe it violates both the spirit and law of
> the GNU GPL

  It's there now.  Perhaps it just took them a little longer to roll the 
release packages but they rushed the binaries out ASAP so people could get 
patched?

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





[Full-disclosure] Re: MSIE (mshtml.dll) OBJECT tag vulnerability

2006-04-25 Thread Dave "No, not that one" Korn
Sol Invictus wrote:
> "I also remember LSD pesters Microsoft and they were rapidly sold
> out."
> I knew those guys were on something when they created Windows!!!  They
> had Dealers sell out of LSD  ROFLMAO
>

  Don't talk crazy.  Everyone knows what operating system you get if you do 
way too much acid Berkeley![*]

  Windows must have been written on a fatal mogadon downer IMO.

cheers,
  DaveK

[*] - Two things came out of Berkeley.  And they both can be globbed by 
'?sd'.
-- 
Can't think of a witty .sigline today 





[Full-disclosure] Re: security at .edus

2006-04-23 Thread Dave "No, not that one" Korn
Fixer wrote:
> Brian Eaton wrote:

>> than a secure network.  Plus a university network has fewer secrets
>> to protect than a business.
>
>
> Depending on the University, I might or might not agree with that.  I
> know of several that have DoD funded research projects going on that
> require Top Secret clearances just to work on.  Add to that all of the
> student data and you've got a pretty good trove of data.  When you
> combine that with the notoriously lax security at most of them you've
> got real problems waiting to happen.

s/waiting to happen/been going on for years/

  .edus have always been among the most widely-hacked targets since back in 
mitnick-days.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





[Full-disclosure] Re: Who Do I Contact?

2006-04-23 Thread Dave "No, not that one" Korn
CrYpTiC MauleR wrote:

> students attending. So everyone please don't waste your time trying to
> play 'who can guess what school it is or where it is?' because I
> really will not verify if you are correct or not and plain do not
> want to play that game. I just asked FD on advice of what to do
> considering the implications, and that is all it will be kept at.

  :)  It was just a game, and I'm not actually interested in guessing where 
it is.  See my other recent post in this thread for my actual serious advice 
about what might work the best.  Good luck, it is important and it does need 
fixing.

  Incidentally, since presumably this bug has been there for some time, and 
if it's accessible from the web, then it's already too late; the data might 
have been leaked and without going through server logs with a fine-tooth 
comb it may be impossible to tell (and perhaps even with).  I don't know if 
SarbOx applies to an edu, but if the data may already have leaked then they 
really ought to be obliged to warn everyone whose data is on that database 
that they need to take precautions to protect themselves against identity 
theft.  They shouldn't be allowed to cover it up or sweep it under the 
carpet.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





[Full-disclosure] Re: Who Do I Contact?

2006-04-23 Thread Dave "No, not that one" Korn
[EMAIL PROTECTED] wrote:

> The number of US universities big enough to have 7,000 incoming students
> is extremely limited.  *that* little tidbit probably tells us more than
> the fact his traceroute ends in Kansas.

  Plus he just gave away that his parents work there, so we can cut it down 
to those where we can automatically find surname matches between the staff 
directory and the pupils list 

  CM, my suggestion would be to phone up the Dean/Principal while he's in 
the middle of his sunday lunch and read out his SSN to him and tell him how 
he can go to his computer and see it for himself.  Do it from a phonebox, 
tell him he really needs to bang heads together in the IT department *now*, 
tell him you haven't messed or tampered with it in any way and you just want 
it fixed because your own data is in there too (don't mention the parents!) 
then say you're sorry but you hope he'll understand why you don't want to 
identify yourself and ring off.

  Then when you go to school on Monday you can enjoy the looks of pain on 
the faces of the IT staff who've been up all night fixing the hole because 
the Dean's torn them all a second one ... ;-D


cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





[Full-disclosure] Re: Re: Who Do I Contact?

2006-04-23 Thread Dave "No, not that one" Korn
john kalergis wrote:

>>   So, let's see Washington... Virginia Ohio Illinois
>> Missouri
>>
>>   You're in Kansas, right?


> wow, everybody here is more than impressed
>

  Well, I don't suppose *everybody* has had a sense of humour bypass.  And 
there's a valid point I was making about how information can leak in 
unexpected ways; the guy doesn't want to give away anything that could 
reveal the .edu in question, but the combination of his geo location from 
his posting IP and the fact that he's revealed that his own ssn is on the 
list and hence it's his own school and hence can be assumed to be 
geographically local to him allow us to deduce something that we couldn't 
have known from his words alone and allow any potential attacker to 
massively reduce the search space.

  IOW I was illustrating the point that if you want to discuss something 
openly but really, really, *really* want to keep the lid on any information 
that could identify it, you need to post through a proxy.  And how's that - 
a legitimate use for posting through anonymous proxies!

  So there :-P~~~


cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





[Full-disclosure] Re: Who Do I Contact?

2006-04-22 Thread Dave "No, not that one" Korn
CrYpTiC MauleR wrote:
> I am sorry I am not going to say who the school is.

  You've already told us enough:

> X-Originating-Ip: 70.129.230.224

04/22/06 22:06:09 Fast traceroute 70.129.230.224
Trace 70.129.230.224 ...
 1 10.128.196.1210ms   10ms   10ms  TTL:  0  (No rDNS)
 2 80.1.202.77  10ms   10ms0ms  TTL:  0
(cmbg-t2cam1-a-ge913.inet.ntl.com ok)
 3 80.1.201.37 260ms   10ms   11ms  TTL:  0
(cmbg-t2core-a-ge-wan62.inet.ntl.com ok)
 4 62.253.188.193   10ms   10ms   10ms  TTL:  0
(pop-bb-a-so-132-0.inet.ntl.com ok)
 5 195.50.91.69 40ms   10ms   30ms  TTL:  0  (No rDNS)
 6 4.68.116.34  10ms   10ms   10ms  TTL:  0
(ae-0-52.bbr2.london1.level3.net ok)
 7 4.68.128.210  * 80ms   80ms  TTL:  0
(ae-0-0.bbr2.washington1.level3.net ok)
 8 4.68.121.145110ms   90ms  110ms  TTL:  0
(ae-14-55.car4.washington1.level3.net ok)
 9 4.68.111.186 90ms   80ms   80ms  TTL:  0
(asn3356-level3.eqabva.sbcglobal.net bogus rDNS: host not found
[authoritative])
10 151.164.191.137  90ms   80ms   80ms  TTL:  0
(bb2-p2-0.hrndva.sbcglobal.net ok)
11 151.164.243.137  90ms   81ms   80ms  TTL:  0
(core2-p5-0.chrnva.sbcglobal.net bogus rDNS: host not found [authoritative])
12 151.164.188.21   80ms   80ms   90ms  TTL:  0
(core1-p8-0.crhnva.sbcglobal.net ok)
13 151.164.41.205  100ms   90ms   90ms  TTL:  0
(core1-p9-0.crcloh.sbcglobal.net ok)
14 151.164.188.181 130ms  100ms  100ms  TTL:  0
(core1-p3-0.crchil.sbcglobal.net ok)
15 151.164.188.41  100ms  100ms  120ms  TTL:  0
(core2-p8-0.crchil.sbcglobal.net ok)
16 151.164.240.117 141ms  120ms  121ms  TTL:  0
(core1-p11-0.crkcmo.sbcglobal.net ok)
17 151.164.241.109 110ms  120ms  120ms  TTL:  0
(bb1-p5-1.ksc2mo.sbcglobal.net ok)
18 151.164.190.51  130ms  121ms  130ms  TTL:  0  (No rDNS)
19 151.164.172.247 120ms  120ms  120ms  TTL:  0
(dist1-vlan40.tpkaks.sbcglobal.net ok)
20 151.164.172.135 130ms  120ms  120ms  TTL:  0
(rback4-fa2-0.tpkaks.sbcglobal.net ok)

  So, let's see Washington... Virginia Ohio Illinois
Missouri

  You're in Kansas, right?

cheers,
  DaveK
-- 
Can't think of a witty .sigline today






[Full-disclosure] Re: Secunia illegal spam and advisory republication

2006-04-22 Thread Dave "No, not that one" Korn
n3td3v wrote:

> Remove the URL, no one wants it there.

  How dare you presume to speak for everyone in the world, you arrogant 
tosser?  You haven't done a survey.  You haven't asked anyone else's 
opinion.  About anything, ever.  You just think you're better than everyone 
else and must be automatically right about everything because you're a smug 
self-satisfied complacent hebephrenic.

> Also: I'd like my xploitable_at_gmail account back.

  I guess Google terminate accounts for abusing mailing lists, so tough 
shit.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 





[Full-disclosure] Re: Google Groups e-mail disclosure in plain text

2006-04-22 Thread Dave "No, not that one" Korn
n3td3v wrote:

> I'm not anti corporate. I'm anti people working within them making bad
> security choices, like Yahoo do.  I'm anti Secunia, as they host FD,
> only because of the footer URL. If there was no footer URL, they
> wouldn't even have thought about hosting FD.

  Try and get causality the right way round in time.  If they hadn't thought
about hosting FD, there would be no footer URL.  Because there would be no
FD.

>> You're slighting Secunia.  At least Secunia does SOME original
>> research.
>
> Show me their original research. The list on their website is claimed
> to be, but isn't.

  Secunia original advisories: taken from
http://secunia.com/secunia_research/, and not from the main advisory list,
where they are intermingled with all the non-secunia advisories that they
archive.

 Secunia Research - 2006
  2006-22 Blazix Web Server JSP Source Code Disclosure Vulnerability
  2006-21 AN HTTPD Script Source Disclosure Vulnerability
  2006-20 Northern Solutions - RESERVED - Pending Disclosure
  2006-19 Quick 'n Easy/Baby Web Server ASP Code Disclosure
Vulnerability
  2006-18 New Atlanta Communications - RESERVED - Pending Disclosure
  2006-17 NOD32 Scheduled Scan Privilege Escalation Vulnerability
  2006-16 unalz Filename Handling Directory Traversal Vulnerability
  2006-15 RaidenHTTPD Script Source Disclosure Vulnerability
  2006-14 Deerfield.com - RESERVED - Pending Disclosure
  2006-13 Dwarf HTTP Server Source Disclosure and Cross-Site Scripting
  2006-12 IceWarp - RESERVED - Pending Disclosure
  2006-11 Orion Application Server JSP Source Disclosure Vulnerability
  2006-10 NetworkActiv Web Server Script Source Disclosure Vulnerability
  2006-9 Lighttpd Script Source Disclosure Vulnerability
  2006-8 America Online - RESERVED - Pending Disclosure
  2006-7 Microsoft Internet Explorer "createTextRange()" Code Execution
  2006-6 ArGoSoft Mail Server Pro viewheaders Script Insertion
  2006-5 NJStar Word Processor Font Name Buffer Overflow
  2006-4 Macallan Mail Solution IMAP Commands Directory Traversal
  2006-3 NeoMail neomail-prefs.pl Missing Session ID Validation
  2006-2 @Mail Webmail Attachment Upload Directory Traversal
  2006-1 E-Post Mail Server Products Multiple Vulnerabilities


Secunia Research - 2005
  2005-68 Adobe Document Server for Reader Extensions Multiple
Vulnerabilities
  2005-67 WinACE ARJ Archive Handling Buffer Overflow
  2005-66 Verity Keyview SDK Multiple Vulnerabilities
  2005-65 Visnetic AntiVirus Plug-in for MailServer Privilege Escalation
  2005-64 ADOdb Insecure Test Scripts Security Issues
  2005-63 TUGZip ARJ Archive Handling Buffer Overflow Vulnerability
  2005-62 IceWarp Web Mail Multiple File Inclusion Vulnerabilities
  2005-61 Pegasus Mail Buffer Overflow and Off-by-One Vulnerabilities
  2005-60 SpeedProject Products ZIP/UUE File Extraction Buffer Overflow
  2005-59 MailEnable Buffer Overflow and Directory Traversal
Vulnerabilities
  2005-58 Winmail Server Multiple Vulnerabilities
  2005-57 Opera Command Line URL Shell Command Injection
  2005-56 cPanel Entropy Chat Script Insertion Vulnerability
  2005-55 ATutor Multiple Vulnerabilities
  2005-54 ZipGenius Multiple Archive Handling Buffer Overflow
  2005-53 WinRAR Format String and Buffer Overflow Vulnerabilities
  2005-52 PHP-Fusion Two SQL Injection Vulnerabilities
  2005-51 MySource Cross-Site Scripting and File Inclusion
Vulnerabilities
  2005-50 PowerArchiver ACE/ARJ Archive Handling Buffer Overflow
  2005-49 ALZip Multiple Archive Handling Buffer Overflow
  2005-48 AhnLab V3 Antivirus ALZ/UUE/XXE Archive Handling Buffer
Overflow
  2005-47 HAURI Anti-Virus ALZ Archive Handling Buffer Overflow
  2005-46 Mantis "t_core_path" File Inclusion Vulnerability
  2005-45 7-Zip ARJ Archive Handling Buffer Overflow
  2005-44 SqWebMail Conditional Comments Script Insertion Vulnerability
  2005-43 AVIRA Antivirus ACE Archive Handling Buffer Overflow
  2005-42 Opera Mail Client Attachment Spoofing and Script Insertion
  2005-41 ALZip ACE Archive Handling Buffer Overflow
  2005-40 NOD32 Anti-Virus ARJ Archive Handling Buffer Overflow
  2005-39 SqWebMail HTML Emails Script Insertion Vulnerability
  2005-38 IBM Lotus Domino iNotes Client Script Insertion Vulnerabilities
  2005-37 Lotus Notes ZIP File Handling Buffer Overflow
  2005-36 Lotus Notes UUE File Handling Buffer Overflow
  2005-35 SqWebMail Attached File Script Insertion Vulnerability
  2005-34 Lotus Notes TAR Reader File Extraction Buffer Overflow
  2005-33 HAURI Anti-Virus ACE Archive Handling Buffer Overflow
  2005-32 Lotus Notes HTML Speed Reader Link Buffer Overflows
  2005-31 NetworkActiv Web Server Cross-Site Scripting Vulnerability
  2005-30 Lotus Notes Multiple Archive Handling Directory Traversal
  2005-29 IBM 

[Full-disclosure] Re: [Argeniss] Alert - Yahoo! Webmail XSS

2006-04-18 Thread Dave "No, not that one" Korn
Morning Wood wrote:
> reflecting on this...
>
> the offending url you give is http://w00tynetwork.com/x/
> which contains a fake yahoo login ( for webmail )
> (( and other exploits embedded within the site ))
>
>
> you state this is a Yahoo Email vulnerability.
>
> stop me if I'm wrong...
> why would anyone be vulnerable to a Yahoo login redirect phish, if in
> fact they are already logged in to read the mail in the first place.

  Dunno about anyone else, but I have occasionally found that Yahoo has a 
bad habit of forgetting I'm authenticated and continually requiring me to 
relogin even in one continuous session.

> I can appreciate the possibility of XSS within the Yahoo webmail
> interface, just not with this particular redirect code ( or site url )
> you provide.
>
> XSS could be more effectively used to leverage a browser exploit,
> rather than ( trying to ) steal your credentials ala phishing

  Well, maybe they were hoping to be able to read his mail stealthily later 
on, while he wasn't logged in?  If you want to steal the entire contents of 
someone's mailbox, you don't really want to use an XSS to automatically 
forward all the mail to somewhere you can get it, since that amount of 
scripting would likely take a noticeable amount of time and transactions 
with Yahoo's servers to run, and the slow responsiveness of the browser might 
give a clue that something was going on; a better way is just to get their 
password and then log in sometime when they're not online, or perhaps use the 
pw with POP/IMAP to snarf down the entire lot.

  Or perhaps they were hoping that he uses the same pw in lots of places?


cheers,
  DaveK
-- 
Can't think of a witty .sigline today 
