Re: [Full-disclosure] Iran is doing ip-and-port filtering of SSL

2012-02-12 Thread Derek
maybe it's time to get the old school substitution code books out.

http://www.forbes.com/sites/andygreenberg/2012/02/10/as-iran-cracks-down-online-tor-tests-undetectable-encrypted-connections/


Thanks
Derek

On 12/02/2012, at 4:23, Sai  wrote:

> See my post @ 
> https://plus.google.com/u/0/103112149634414554669/posts/PT3eEF4u415
> to stay updated. Copying over update:
> 
> -
> 
> Further testing done. Conclusions:
> 
> 1. IP-and-port filtering for some IPs
> 2. SSL protocol filtering on standard ports for targeted IPs / sites
> 3. No request header filtering
> 4. Some IPs / sites NOT SSL protocol or port filtered!
> 5. All Tor filtered, even unpublished proxies
> 
> I'm not going to openly publish what went through to prevent it
> getting blacklisted and useless for testing, but it was a full normal
> https://something:443 connection, green lock w/ verified serial # and
> all.
> 
> The government proxy is http://bgp.he.net/AS12880
> Still to test, will update post:
> * obfs2 tor
> * ssh on standard & nonstandard ports
> * nonstandard ssl ports
> 
> More info:
> https://blog.torproject.org/blog/iran-partially-blocks-encrypted-network-traffic
> (based in part on my info)
> http://news.ycombinator.com/item?id=3575029
> 
> On Wed, Feb 8, 2012 at 19:54, Sai  wrote:
>> I have pretty definitive proof that Iran is doing ip-and-port based
>> filtering of SSL.
>> 
>> Filtering is being done by 217.218.154.250 after a hop through
>> 217.219.96.120 / 217.219.96.132. This hop is after my source's ISP,
>> and all three IPs are owned by ITC, Iran's central telco.
>> 
>> Filtering targets all google.com IPs, some but not all torproject.org
>> IPs, probably more. Haven't attempted a broad scan. It's a simple
>> connection drop; filtered connections just time out.
>> 
>> It is not based on SSL handshake signature; testing SSL on nonstandard
>> ports worked successfully, and testing non-SSL on :443 of target IPs
>> was blocked.
>> 
>> I'm not sharing screencaps in order to protect my source, but tests
>> included TCP traceroutes on different IP/port combinations and some
>> simple use of curl.
>> 
>> Cheers,
>> Sai
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

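The probe logic behind the test Sai describes (TLS on a nonstandard port versus plain TCP on :443 of a targeted IP), as an added example that is not code from the thread. The target host, the alternate port and the sample result sets are assumptions for illustration; run_probes() needs network access, classify() does not.

```python
"""Added example, not code from the thread: probes that separate
IP-and-port filtering from filtering on the TLS handshake, following
the test Sai describes. Host, alternate port and sample results are
assumptions; run_probes() needs the network, classify() does not."""
import socket
import ssl

TIMEOUT = 5.0  # seconds; filtered connections in the post "just time out"


def tcp_probe(host, port, timeout=TIMEOUT):
    """TCP-only probe. 'timeout' is what a silent drop looks like; 'refused'
    means an RST came back, so the path is open and nothing listens there."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"


def tls_probe(host, port, timeout=TIMEOUT):
    """TCP connect followed by a TLS handshake. A certificate mismatch still
    proves the ClientHello/ServerHello exchange got through, so it is
    reported as 'reached' rather than as filtering."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls_ok"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except ssl.SSLCertVerificationError:  # subclass of SSLError, test first
        return "reached"
    except ssl.SSLError:
        return "tls_error"
    except OSError:
        return "error"


def run_probes(host, alt_port=8443):
    """Collect the three observations classify() needs (alt_port is an
    assumed nonstandard port where a TLS listener is known to exist)."""
    return {
        "tcp:443": tcp_probe(host, 443),
        "tls:443": tls_probe(host, 443),
        "tls:alt": tls_probe(host, alt_port),
    }


def classify(results):
    """Infer the filtering model from the three observations.

    ip-and-port  : anything to :443 is dropped regardless of protocol,
                   while TLS on another port of the same IP completes
    tls-protocol : plain TCP to :443 gets through, but TLS is dropped on
                   every port, i.e. the handshake itself is matched
    unfiltered   : TLS on :443 completes
    """
    tcp443 = results.get("tcp:443")
    tls443 = results.get("tls:443")
    tls_alt = results.get("tls:alt")
    if tls443 in ("tls_ok", "reached"):
        return "unfiltered"
    if tcp443 == "timeout" and tls_alt in ("tls_ok", "reached"):
        return "ip-and-port"
    if tcp443 in ("open", "refused") and tls443 == "timeout" and tls_alt == "timeout":
        return "tls-protocol"
    return "inconclusive"
```

The nonstandard-port probe needs a TLS listener that actually exists there; one you control is best, because its server log then also shows whether the ClientHello arrived, which separates a dropped ClientHello from a dropped ServerHello (both look like a timeout from the client). Locating the hop that drops the packets is what the TCP traceroutes in the post do; this script only establishes which model fits.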


Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-12 Thread Derek
They should at least consider providing an option to disable the static PIN 
only, or disable it after an hour if the feature is activated by the user.

Seems to be something that could be included in a future firmware update.

For a vendor to provide another mechanism for a user to get remotely hacked 
(within wireless TX/RX range) and not address it in a reasonable amount of 
time exposes the less technical user, who it was intended to help in the first 
place.

It would be interesting to see if this feature went through a technical 
security risk assessment and if so, how the static pin was rationalised for 
public release.

I set up an isolated vulnerable device and had attack traffic within 2 days of 
it being activated. I did make the SSID very attractive, but the war drivers 
are certainly getting out of the house again. 


Thanks
Derek


On 13/02/2012, at 1:47, Rob Fuller  wrote:

> I've tested 6 models of Linksys, all of them appear to disable WPS
> completely as soon as a single wireless setting is set. I assume this
> would be the reason Cisco/Linksys aren't putting much stock in
> 'fixing' it further. If anyone has any experience to contradict this
> or have a modification to current tools to circumvent what I've
> perceived as disabled, I, as I'm sure Craig, would be very interested.
> 
> --
> Rob Fuller | Mubix
> Certified Checkbox Unchecker
> Room362.com | Hak5.org
> 
> 
> 
> On Sat, Feb 11, 2012 at 4:23 PM,   wrote:
>> _
>> "Use Tomato-USB OS on them."
>> _
>> 
>> Besides you void warranty...
>> list of DD-WRT Supported routers:
>> 
>>  E1000          supported
>>  E1000 v2       supported
>>  E1000 v2.1     supported
>>  E1200 v1       ???
>>  E1200 v2       ???
>>  E1500          ???
>>  E1550          ???
>>  E2000          supported
>>  E2100L         supported
>>  E2500          not supported
>>  E3000          supported
>>  E3200          supported
>>  E4200 v1       not supported yet
>>  E4200 v2       not supported
>>  M10
>>  M20
>>  M20 v2
>>  RE1000
>>  WAG120N        not supported
>>  WAG160N        not supported
>>  WAG160N v2     not supported
>>  WAG310G        not supported
>>  WAG320N        not supported
>>  WAG54G2        not supported
>>  WAP610N        not supported
>>  WRT110         not supported
>>  WRT120N        not supported
>>  WRT160N v1     supported
>>  WRT160N v2     not supported
>>  WRT160N v3     supported
>>  WRT160NL       supported
>>  WRT310N v1     supported
>>  WRT310N v2     not supported yet
>>  WRT320N        supported
>>  WRT400N        supported
>>  WRT54G2 v1     supported
>>  WRT54G2 v1.3   supported
>>  WRT54G2 v1.5   not supported
>>  WRT54GS2 v1    supported
>>  WRT610N v1     supported
>>  WRT610N v2     supported
>>  X2000          not supported
>>  X2000 v2       not supported
>>  X3000          not supported.
>> 
>> _
>> 
>> "Fixing?  Heh.
>> 
>> Aside from rate limiting WPS, there isn't much of a fix, and you can't turn 
>> it off either."
>> _
>> 
>> What about removing WuPS entirely?
>> 
>> WuPS is a total failure because:
>> 
>> 1. Even if everything is fine, 8 digits is very weak, because once you 
>> have got the PIN (after 7 months to 2 years, for example) you are completely pwned.
>> 
>> 2. The PIN is fixed; you can't change it to a longer number or maybe a 
>> string like "omgponnies".
>> 
>> 3. Setting up a WPA2 password manually is a piece of cake (even with 
>> keypad-only cell phones); if some people are lazy, you don't have to 
>> weaken the security of a strong protocol.
>> 
>> Farth Vader
>> 
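Why "8 digits" is a much smaller search than it sounds, as an added example that is not code from any of the posts: the AP rejects a wrong first half after M4 and a wrong second half after M6, and the last digit is a checksum, so an online attacker needs at most 10^4 + 10^3 = 11,000 attempts. The fake registrar below models only that split verification; the PIN 12345670 is the specification's example PIN, used here as constructed test data.

```python
"""Added example, not from the list posts: the split verification that
makes an 8-digit WPS PIN an 11,000-guess search. FakeRegistrar models
only the M4/M6 rejection behaviour; nothing here talks to a real AP."""


def wps_checksum(first_seven: int) -> int:
    """Checksum digit over the first seven digits (weights 3,1,3,1,...
    counted from the least significant digit), as hostapd computes it."""
    acc = 0
    n = first_seven
    while n:
        acc += 3 * (n % 10)
        n //= 10
        acc += n % 10
        n //= 10
    return (10 - acc % 10) % 10


def wps_pin_valid(pin: int) -> bool:
    """True if the 8-digit PIN's last digit is the checksum of the first seven."""
    return 0 <= pin <= 99999999 and pin % 10 == wps_checksum(pin // 10)


class FakeRegistrar:
    """Stand-in for an AP's registrar: a wrong first half is refused at M4,
    a wrong second half at M6, which leaks which half was wrong."""

    def __init__(self, pin: int):
        assert wps_pin_valid(pin)
        self._first = pin // 10000           # digits 1-4
        self._second = (pin % 10000) // 10   # digits 5-7
        self.attempts = 0

    def try_pin(self, pin: int) -> str:
        self.attempts += 1
        if pin // 10000 != self._first:
            return "nack_m4"
        if (pin % 10000) // 10 != self._second:
            return "nack_m6"
        return "ok"


def recover_pin(reg: FakeRegistrar):
    """Online brute force that exploits the split: settle the first half,
    then the second half, and compute the checksum instead of guessing it."""
    first = None
    for f in range(10000):
        probe = f * 10000 + wps_checksum(f * 1000)   # second half 000
        if reg.try_pin(probe) != "nack_m4":
            first = f
            break
    if first is None:
        return None
    for s in range(1000):
        seven = first * 1000 + s
        pin = seven * 10 + wps_checksum(seven)
        if reg.try_pin(pin) == "ok":
            return pin
    return None


MAX_ATTEMPTS = 10**4 + 10**3   # 11,000: the bound the split verification gives
```

With no rate limiting, the bound is reached in hours at typical WPS exchange rates; this is why the thread's "aside from rate limiting WPS, there isn't much of a fix" and the suggestion to time out the static PIN are the only firmware-side options short of removing the external-registrar PIN path.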


Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-13 Thread Derek
secure_CC_POS


Thanks
Derek


On 13/02/2012, at 22:17, Alex Buie  wrote:

> Just morbidly curious, what did you use for the SSID?
> 
> On Feb 12, 2012 5:31 PM, "Derek"  wrote:
> They should at least consider providing an option to disable the static PIN 
> only, or disable it after an hour if the feature is activated by the user.
> 
> Seems to be something that could be included in a future firmware update.
> 
> For a vendor to provide another mechanism for a user to get remotely hacked 
> (within wireless TX/RX range) and not address it in a reasonable amount of 
> time exposes the less technical user, who it was intended to help in the 
> first place.
> 
> It would be interesting to see if this feature went through a technical 
> security risk assessment and if so, how the static pin was rationalised for 
> public release.
> 
> I set up an isolated vulnerable device and had attack traffic within 2 days of 
> it being activated. I did make the SSID very attractive, but the war drivers 
> are certainly getting out of the house again.
> 
> 
> Thanks
> Derek
> 
> 
> On 13/02/2012, at 1:47, Rob Fuller  wrote:
> 
> > I've tested 6 models of Linksys, all of them appear to disable WPS
> > completely as soon as a single wireless setting is set. I assume this
> > would be the reason Cisco/Linksys aren't putting much stock in
> > 'fixing' it further. If anyone has any experience to contradict this
> > or have a modification to current tools to circumvent what I've
> > perceived as disabled, I, as I'm sure Craig, would be very interested.
> >
> > --
> > Rob Fuller | Mubix
> > Certified Checkbox Unchecker
> > Room362.com | Hak5.org
> >
> >
> >
> > On Sat, Feb 11, 2012 at 4:23 PM,   wrote:
> >> _
> >> "Use Tomato-USB OS on them."
> >> _
> >>
> >> Besides you void warranty...
> >> list of DD-WRT Supported routers:
> >>
> >>  E1000          supported
> >>  E1000 v2       supported
> >>  E1000 v2.1     supported
> >>  E1200 v1       ???
> >>  E1200 v2       ???
> >>  E1500          ???
> >>  E1550          ???
> >>  E2000          supported
> >>  E2100L         supported
> >>  E2500          not supported
> >>  E3000          supported
> >>  E3200          supported
> >>  E4200 v1       not supported yet
> >>  E4200 v2       not supported
> >>  M10
> >>  M20
> >>  M20 v2
> >>  RE1000
> >>  WAG120N        not supported
> >>  WAG160N        not supported
> >>  WAG160N v2     not supported
> >>  WAG310G        not supported
> >>  WAG320N        not supported
> >>  WAG54G2        not supported
> >>  WAP610N        not supported
> >>  WRT110         not supported
> >>  WRT120N        not supported
> >>  WRT160N v1     supported
> >>  WRT160N v2     not supported
> >>  WRT160N v3     supported
> >>  WRT160NL       supported
> >>  WRT310N v1     supported
> >>  WRT310N v2     not supported yet
> >>  WRT320N        supported
> >>  WRT400N        supported
> >>  WRT54G2 v1     supported
> >>  WRT54G2 v1.3   supported
> >>  WRT54G2 v1.5   not supported
> >>  WRT54GS2 v1    supported
> >>  WRT610N v1     supported
> >>  WRT610N v2     supported
> >>  X2000          not supported
> >>  X2000 v2       not supported
> >>  X3000          not supported.
> >>
> >> _
> >>
> >> "Fixing?  Heh.
> >>
> >> Aside from rate limiting WPS, there isn't much of a fix, and you can't 
> >> turn it off either."
> >> _
> >>
> >> What about removing WuPS entirely?
> >>
> >> WuPS is a total failure because:
> >>
> >> 1. Even if everything is fine, 8 digits is very weak, because once you 
> >> have got the PIN (after 7 months to 2 years, for example) you are completely pwned.
> >>
> >> 2. The PIN is fixed; you can't change it to a longer number or maybe a 
> >> string like "omgponnies".
> >>
> >> 3. Setting up a WPA2 password manually is a piece of cake (even with 
> >> keypad-only cell phones); if some p

Re: [Full-disclosure] Reverse dns

2005-03-10 Thread derek

Reverse DNS lookups are entirely optional; this option exists at the
sole discretion of the DNS operators.  Reference RFC1035, section 6.4
for specifics.

In spite of numerous updates to this RFC since its release in 1987
(including an update that obsoleted the original protocol for inverse
lookups), there does not seem to be a change that makes reverse lookups
a requirement for DNS.  My look through the documentation was cursory
though; you may want to browse the RFC index compiled at
http://rfc.net/rfc-index.html to see if any of the updates to 1035 have
in fact mandated reverse lookups.

All things considered, I would not disable it because of the two reasons
you mentioned previously.  In addition, spam blacklisting and any of
the new antispam technology that may be implemented on the ISP level
require reverse lookups in order to be utilized.

If you believe reverse DNS is a security or performance issue for your
DNS machines, perhaps a whitelist/blacklist could be implemented to
filter out problem hosts.  In many situations (even outside of
computing), an accurate list of authorized personnel (or hosts) can
alleviate 90% of the original problem while introducing a fraction of
the issues caused by completely banning or disabling a particular
function.

That said, it may be advisable to disable reverse DNS lookups on your
own servers and/or remove reverse DNS entries for some hosts on your
network from the published DNS registry if there is no valuable reason
for someone to obtain that information.  This, of course, depends on
the purpose of the machines; it would probably be extremely unwise to
do this for email or secure web servers since those cases generally
require reverse lookups.

I didn't think reverse lookups were a problem with TCPdump.  If this is
the underlying problem that prompted the question about reverse DNS,
you could either (a) patch TCPdump, or (b) configure your DNS machines
to spit back dummy results when the actual response from your upstream
DNS indicates there is no record.  The dummy results should solve that
particular problem (in addition to being easy to locate in the logfiles
in case you're concerned with these unreversible hosts for some
reason).

-
Derek Durski
[EMAIL PROTECTED]
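The forward-confirmed reverse DNS (FCrDNS) check that mail receivers and several blacklists apply, which is the reason the post gives for keeping PTR records on mail hosts, as an added example that is not from the post. Lookups are injected as functions so the logic runs offline against the constructed zone data below; live_ptr()/live_addr() are the socket-based equivalents for real use. Names and addresses (TEST-NET-1 range) are placeholders.

```python
"""Added example, not from the list post: FCrDNS check with injectable
resolvers. FAKE_PTR/FAKE_ADDR are constructed zone data; live_ptr and
live_addr do the same lookups through the socket module."""
import ipaddress
import socket


def reverse_name(ip):
    """PTR owner name for an address, e.g. 10.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


# Constructed PTR and A data, keyed the way a resolver would see them.
FAKE_PTR = {
    reverse_name("192.0.2.10"): ["mail.example.test"],
    reverse_name("192.0.2.20"): ["spoof.example.test"],
    # a synthetic PTR of the kind the post suggests answering with for
    # hosts that have no real record; it has no forward entry at all
    reverse_name("192.0.2.40"): ["unknown-192-0-2-40.dummy.test"],
}
FAKE_ADDR = {
    "mail.example.test": ["192.0.2.10"],
    "spoof.example.test": ["192.0.2.99"],
}


def fake_ptr(ip):
    return list(FAKE_PTR.get(reverse_name(ip), []))


def fake_addr(name):
    return list(FAKE_ADDR.get(name.lower(), []))


def live_ptr(ip):
    """PTR names for ip via the system resolver; [] when there is none."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + list(aliases)
    except (socket.herror, socket.gaierror):
        return []


def live_addr(name):
    """A/AAAA addresses for name via the system resolver; [] on NXDOMAIN."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def fcrdns(ip, ptr_lookup, addr_lookup):
    """Return (status, ptr_names).

    confirmed : some PTR name resolves forward to the same address
    mismatch  : PTR names exist but none resolves back to ip
    no_ptr    : no PTR record at all
    """
    names = ptr_lookup(ip)
    if not names:
        return ("no_ptr", [])
    for name in names:
        if ip in addr_lookup(name):
            return ("confirmed", names)
    return ("mismatch", names)
```

Note what the "dummy result" idea from the post does under this check: a synthesised PTR with no forward record moves a host from no_ptr to mismatch, which receivers treat the same way, so it helps log readability but not deliverability. A mail host needs the real pair (PTR plus a matching A/AAAA), and that pair is what should never be removed.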


Re: [Full-disclosure] Reuters: Microsoft to give holes info

2005-03-13 Thread derek

On Sat, 12 Mar 2005 16:33:46 CST, "[EMAIL PROTECTED]" said:

> Critical infrastructure:  If it dies, things start breaking *very*
> badly, very quickly.
>
> If a PC directly related to managing calls in an E911 center dies, then
> emergency calls don't get routed.  That's critical infrastructure.
>
> -===snip a few example cases===-
>
> Now tell me - what percent of government systems, if they were suddenly
> and unexpectedly unplugged from the network, would result in a partial
> or complete loss of network functionality?  Things like routers, mail
> servers, Active Directory servers, and so on - *those* are "critical
> infrastructure".


I believe the argument here is over one simple factor, and I disagree
with you on this point.

Critical infrastructure refers to anything that takes down a lot of
other things when it collapses--you said this, and I agree completely.

However, in your argument you focus upon critical network infrastructure
as if it is the only critical infrastructure.  It is not.  There are
network components that are critical parts of judicial, private, or
corporate infrastructure.  These devices and their status may be of
little concern to the *network*, but they may be of great concern to
the *society* in which they are deployed.

For instance, if the entire IRS database (and all backups) went up in a
puff of smoke, the internet as a whole would likely experience only a
small disturbance.

This does not, however, mean that the IRS machines are not critical
infrastructure; it merely means that the IRS machines are not critical
*network* infrastructure.  If the IRS or the GAO collapsed, there would
be a pronounced disruption in governmental services (and hopefully
someone would find a way to keep things operating without funding until
a new accounting system could be deployed because things could get
quite messy... imagine the economic impact of thousands of federal
employees receiving no pay for weeks, and remember that this is just
one aspect of American activity that is directly affected by federal
financing).

To sum it all up, you narrowed the scope of critical infrastructure to
include only critical network infrastructure, and I do not see that
sufficient justification was given for doing so.

---
Derek Durski
[EMAIL PROTECTED]


[Full-disclosure] Re: unknown windows rootkit

2005-11-21 Thread Derek
Your notes indicate you had trouble removing some registry entries.  I'd 
suggest running PSExec from Sysinternals.  It's free and comes with 
source from www.sysinternals.com, and the command would be something like:


psexec /s /i /d c:\path\to\regedt32.exe

If you can't edit or delete those keys this way, I don't know of another 
tool that will let you without resorting to an offline registry editor.



> We found what seems to be an unknown rootkit on a
> customer system which was windows 2000 sp4.
> It is a kernel resident infector as it installs itself as
> hidden device driver operating in kernel level to hide
> its directories and programs as well as network connections.
> For our research we named it Win32/McSport-A.
>
> More detailed information as well as removal instructions
> can be found here: http://www.groundzero-security.com/mcsport.html




[Full-disclosure] McKesson Horizon Clinical Infrastructure (HCI) version 7.6/7.8/10.0/10.1 hardcoded passwords

2009-10-19 Thread Derek Lewis
Subject: McKesson Horizon Clinical Infrastructure (HCI) version
7.6/7.8/10.0/10.1 hardcoded passwords

McKesson Horizon Clinical Infrastructure, also known as McKesson HCI,
utilizes hardcoded passwords for Oracle database access. HCI serves as
the patient record datastore for the majority of McKesson applications.
There are two components to an HCI implementation: the Infrastructure
(or Master) server and the database back-end. The HCI Infrastructure
Server has an Oracle client installed that initializes OCI/sqlplus
connections to the Oracle database back-end. A file on each HCI
Infrastructure server, /usr/local/bin/password, contains the database
account usernames and their respective passwords. Its content is shown
below:

# cat /usr/local/bin/password
AMBU:hacschema
QUEUE_USER:qmanager
SYS:alLp0ver2
SYSTEM:urA7mvP
CHANGEMGR:datacontrol
CCDEV:ccdev
CCDBA:ccnulls*HAS ORACLE SYSDBA PRIVS*
CCDATA:ccdata
CCFORMS:ccforms
CCINTERFACE:ccinterface
MCKHEO:mckheo
CCREL:ccrel
CCQUERY:ccquery
CDXWEB:winplu5
DRUG1:fdb3schema
DRUG2:fdb3schema
enc_ent:encent
ENT:entpazz
ENT_CONFIG:ent_configpazz
ADF:adfpazz
INF:infpazz
INF_CONFIG:inf_configpazz
SDM:sdmpazz
STRMADM:pazzw0rd
ENT_AUD:pazzw0rd
ENT_ARCH:pazzw0rd
POC_ARCH:pazzw0rd
POC_AQ:qmanager
INF_AQ:qmanager
DATAMGR:datamgr
CCUSER:bueno
ALERTS:monitorhca
HCALERTS:alertsuser
AM:ampazz
AM_AUD:pazzw0rd
AUD:audpazz
TMF:tmfpazz
MN:mnpazz
EH:ehpazz
NG:ngpazz
DM:dmpazz
DMTOOL:dmtoolpazz
STG_DMT:stg_dmtpazz
WRL:wrlpazz
NOTES:notespazz
REPORTS:reportspazz
ICONS:iconspazz
BS:bspazz
QZ:qzpazz
RM:rmpazz
RM_AUD:pazzw0rd
COMMGR:commgrpazz
OPSERVICE:opservicepazz
SEC_CONFIG:sec_configpazz
CTXSYS:ctxsyspazz
OLOGY:ologypazz
OLOGY_CONFIG:ology_configpazz
DOC:docpazz
DOC_CONFIG:doc_configpazz
PORTAL:portal
PORTAL_INSTALL:portal_install
EBIDBADMIN:ebidbadmin
DESIGN_OWNER:owb
OWB_RUNTIME_REPOSITORY:owb
RUNTIME_A_USER:owb

Despite there being a "central" password file that contains the credential
information, many of the credentials are also hardcoded throughout binaries
and scripts that are shipped as part of the HCI Infrastructure server.

# cd /u/live
# find . -type f -print | xargs grep ccnull | wc -l
85

Here is some context of how the credentials are used throughout the HCI
code:

# find . -type f -print | xargs grep ccnull
./RUN_dmArchive:remote_db=`sqlplus -s ccdba/ccnulls$DB_SPEC_IF_REMOTE << EOF
./all_ord:LOGIN=ccdba/ccnulls
./bin/BatchDischarge:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE"
./bin/CheckDischargeRpts:ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE"
./bin/Make_iv_template:sqlldr ccdba/ccnulls iv_bottle >> $LOG
./bin/Make_iv_template:ORD_SEQ=`sqlplus -S ccdba/ccnulls$DB_SPEC_IF_REMOTE
<<- ENDSQL

McKesson supports HCI on AIX, HP-UX, and Linux. The nature of hardcoded
passwords implies that for every customer that has purchased HCI, the
credentials for all of these role accounts are the same across
installations.

According to the following press release,
http://www.oracle.com/corporate/press/2008_mar/em-mckesson.html, McKesson
software is installed in 70% of hospitals within the US. HCI serves as the
core infrastructure component of other McKesson applications such as
Horizon Lab, Horizon Patient Folder, Horizon CareLink, Horizon Expert
Documentation, etc.
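An audit that generalises the single `find | xargs grep ccnull` from the advisory to every entry in the password file, as an added example that is not part of the advisory or of McKesson's code. It separates high-confidence `user/password` connect strings (the form sqlplus takes on its command line) from noisy bare-password hits, which matters for dictionary-word passwords such as those in the list. The file names, paths and script contents in demo() are constructed.

```python
"""Added example, not McKesson code: scan a script tree for every
credential in a USER:password file. SAMPLE_PASSWORD_FILE and the files
written by demo() are constructed test data."""
import os
import re
import shutil
import tempfile

# Constructed excerpt in the USER:password format shown in the advisory;
# the *...* annotation glued onto one value is copied from the post.
SAMPLE_PASSWORD_FILE = """\
AMBU:hacschema
CCDBA:ccnulls*HAS ORACLE SYSDBA PRIVS*
STRMADM:pazzw0rd
ENT_AUD:pazzw0rd
"""


def parse_password_file(text):
    """Map USER -> password, dropping any *annotation* after the value."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, _, pw = line.partition(":")
        pw = re.sub(r"\*[^*]*\*\s*$", "", pw).strip()
        if pw:
            creds[user.strip().upper()] = pw
    return creds


def build_patterns(creds):
    """connect: (user, regex) for user/password connect strings.
    bare: password -> (owning users, regex) for the password on its own."""
    connect = []
    bare = {}
    for user, pw in creds.items():
        connect.append((user, re.compile(
            r"(?<![\w./])" + re.escape(user) + "/" + re.escape(pw) + r"(?!\w)",
            re.IGNORECASE)))
        if pw not in bare:
            bare[pw] = ([], re.compile(r"(?<!\w)" + re.escape(pw) + r"(?!\w)"))
        bare[pw][0].append(user)
    return connect, bare


def scan_tree(root, creds):
    """Return sorted (relpath, lineno, users, confidence) findings."""
    connect, bare = build_patterns(creds)
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    lines = fh.readlines()
            except OSError:
                continue
            for lineno, line in enumerate(lines, 1):
                hit = False
                for user, rx in connect:
                    if rx.search(line):
                        findings.append((rel, lineno, (user,), "high"))
                        hit = True
                if hit:
                    continue  # do not double-report the same line as a bare hit
                for pw, (owners, rx) in bare.items():
                    if rx.search(line):
                        findings.append((rel, lineno, tuple(sorted(owners)), "low"))
    return sorted(findings)


def demo():
    """Build a constructed tree in the shape of the advisory's grep output
    and scan it; returns the findings."""
    root = tempfile.mkdtemp()
    try:
        live = os.path.join(root, "live")
        os.makedirs(os.path.join(live, "bin"))
        samples = {
            "RUN_dmArchive": "remote_db=`sqlplus -s ccdba/ccnulls$DB_SPEC_IF_REMOTE << EOF\n",
            "bin/BatchDischarge": 'ora_user="ccdba/ccnulls$DB_SPEC_IF_REMOTE"\n',
            "bin/report.sh": "echo pazzw0rd | sqlplus strmadm\n",
            "README": "no credentials here\n",
        }
        for rel, body in samples.items():
            with open(os.path.join(live, *rel.split("/")), "w") as fh:
                fh.write(body)
        return scan_tree(live, parse_password_file(SAMPLE_PASSWORD_FILE))
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Run it against /u/live with the real password file before and after rotating the passwords: every high-confidence hit is a script that has to be moved to a wallet or secret store rather than re-edited, and a low-confidence hit on a shared password like pazzw0rd lists all the accounts it could belong to, since the file cannot tell them apart.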

Re: [Full-disclosure] [Professional IT Security Providers -Exposed] PlanNetGroup ( F )

2008-01-21 Thread Derek Buelna
I'm not a stack smasher, but I typed "base64 ascii converter" into Google
and found the string within a few minutes: "you can pay us to whore your
company".



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, January 21, 2008 1:12 PM
To: J. Oquendo
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] [Professional IT Security Providers
-Exposed] PlanNetGroup ( F )

On Mon, 21 Jan 2008 13:04:52 EST, "J. Oquendo" said:

> eW91IGNhbiBwYXkgdXMgdG8gd2hvcmUgeW91ciBjb21wYW55Cg==

Cute, but probably lost on the half of the list that couldn't
figure out what it was. :)



Re: [Full-disclosure] Southwest Airlines Ticket Silliness

2008-02-04 Thread Derek Buelna
It's been hard to fill all those positions in Oregon since we have
manned gas stations.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of North,
Quinn
Sent: Monday, February 04, 2008 7:33 AM
To: coderman; Adam Chesnutt
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Southwest Airlines Ticket Silliness

I thought TSA stood for Thousands Standing Around. 

Yet another super informative TLA (Three Letter Acronym). 

--=Q=--


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of coderman
Sent: Friday, February 01, 2008 4:37 AM
To: Adam Chesnutt
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Southwest Airlines Ticket Silliness

HELLO INDIAN

On Jan 31, 2008 6:38 PM, Adam Chesnutt <[EMAIL PROTECTED]>
wrote:
> Not sure if anyone posted this before; But I figured this would
interest
> you guys...

TSA == FULL OF FUCKING IGNORANT FUCKS

so this is a known vulnerability.

what was the question again?

coderman, pwnder by nbusmillls whiskey




[Full-disclosure] ZDI-11-320 : GE Proficy iFix HMI/SCADA ihDataArchiver.exe Trusted Header Size Remote Code Execution Vulnerability

2011-11-08 Thread Derek Brown
ZDI-11-320 : GE Proficy iFix HMI/SCADA ihDataArchiver.exe Trusted Header
Size Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-320
November  7, 2011

-- CVE ID:


-- CVSS:
10, AV:N/AC:L/Au:N/C:C/I:C/A:C

-- Affected Vendors:

GE



-- Affected Products:

GE Proficy Historian ihDataArchiver



-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11646.
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of GE Proficy iFix HMI/SCADA. Authentication is
not required to exploit this vulnerability.

The specific flaw exists within the ihDataArchiver.exe process which
listens by default on TCP port 14000. The code within this module trusts
a value supplied over the network and uses it as a length when copying
user-supplied data to a stack buffer. By providing a large enough value,
this buffer can be overflowed leading to arbitrary code execution under
the context of the user running the service.

-- Vendor Response:

GE has issued an update to correct this vulnerability. More details can
be found at:

http://support.ge-ip.com/support/index?page=kbchannel&id=S:KB14493



-- Disclosure Timeline:
2011-06-02 - Vulnerability reported to vendor
2011-11-07 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:

* Luigi Auriemma



-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi



Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-13 Thread Derek Grocke
That's definitely not a good thing if it's found to be the case across more
of the vendors.
Is it the intent of the of the column on the google docs spreadsheet (WPS
can be disabled and it stays off), to include confirmation of the retest
after the WPS setting has been disabled?

I wonder if everyone retested after the option was turned off? I hope so.

Thanks
Derek


On 14/02/2012, at 9:40 AM, chris nelson  wrote:

i believe that disabling wps on router still leaves some routers vulnerable
was reported on before.
from
http://arstechnica.com/business/news/2012/01/hands-on-hacking-wifi-protected-setup-with-reaver.ars
"Having demonstrated the insecurity of WPS, I went into the Linksys'
administrative interface and turned WPS off. Then, I relaunched Reaver,
figuring that surely setting the router to manual configuration would block
the attacks at the door. But apparently Reaver didn't get the memo, and the
Linksys' WPS interface still responded to its queries—once again coughing
up the password and SSID. "

the testing i did was in early-mid jan, ill verify my findings again. at
work now, but will let you know about config methods.

On Mon, Feb 13, 2012 at 2:57 PM, Dan Kaminsky  wrote:

> That's a fairly significant finding.  Can anyone else confirm the
> existence of devices that still fall to Reaver even when WPS is disabled?
>
> Chris, when you run:
>
> iw scan wlan0 | grep “Config methods”
>
> Do you see a difference in advertised methods?
>
>
> On Mon, Feb 13, 2012 at 3:58 PM, chris nelson 
> wrote:
>
>> i have tested reaver on a netgear and linksys (dont have model nos. with
>> me) with wps disabled and enabled. the wps setting did not matter and both
>> were vulnerable. was able to recover wpa2 passphrase in ~4 hrs on both.
>>
>>
>>
>>
>> On Mon, Feb 13, 2012 at 8:32 AM, Dan Kaminsky  wrote:
>>
>>> Steve while he's often derided goes into this very well.  Many cisco's
>>>> only stop advertising wps when it is "off" but wps actually still
>>>> exists...which means they are still easily hackable.
>>>>
>>>
>>> Have you directly confirmed a WPS exchange can occur even on devices
>>> that aren't advertising support?  That would indeed be a quick and dirty
>>> way to "turn the feature off".
>>>
>>>
>>>
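A parser for `iw` scan output that reports, per BSS, whether a WPS information element is advertised and which config methods it lists, automating the `grep "Config methods"` check suggested in the thread across every AP in range. This is an added example, not code from the thread; SAMPLE_SCAN is constructed (placeholder BSSIDs and SSIDs) in the layout iw uses to print the WPS IE. The result only says what the AP advertises: as the thread reports, an AP that stops advertising WPS may still complete a WPS exchange, so "not advertised" is a first check, and a real WPS transaction (what Reaver performs) is the confirmation.

```python
"""Added example, not from the thread: parse `iw` scan output for the WPS
IE and list which BSSs still advertise WPS. SAMPLE_SCAN is constructed."""
import re

SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
    freq: 2437
    SSID: secure_CC_POS
    WPS:     * Version: 1.0
         * Wi-Fi Protected Setup State: 2 (Configured)
         * Response Type: 3 (AP)
         * Config methods: Label, PBC
    RSN:     * Version: 1
BSS 02:00:00:00:00:02(on wlan0)
    freq: 2412
    SSID: office-ap
    WPS:     * Version: 1.0
         * Wi-Fi Protected Setup State: 2 (Configured)
         * AP setup locked: 0x01
         * Selected Registrar Config methods: PBC
         * Config methods: PBC
BSS 02:00:00:00:00:03(on wlan0)
    freq: 2462
    SSID: no-wps-here
    RSN:     * Version: 1
"""

BSS_RE = re.compile(r"^BSS ([0-9a-fA-F:]{17})")
SSID_RE = re.compile(r"^\s*SSID: (.*)$")
WPS_RE = re.compile(r"^\s*WPS:")
STATE_RE = re.compile(r"Wi-Fi Protected Setup State: (\d)")
LOCKED_RE = re.compile(r"AP setup locked: 0x([0-9a-fA-F]{2})")
# the "Selected Registrar Config methods" line is a different attribute
METHODS_RE = re.compile(r"(?<!Registrar )Config methods: (.*)$")


def parse_scan(text):
    """Split the scan into BSS records and pull the WPS fields from each."""
    records = []
    cur = None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            cur = {"bssid": m.group(1).lower(), "ssid": "", "wps": False,
                   "wps_state": None, "ap_locked": False, "config_methods": []}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = SSID_RE.match(line)
        if m:
            cur["ssid"] = m.group(1)
            continue
        if WPS_RE.match(line):
            cur["wps"] = True
        m = STATE_RE.search(line)
        if m:
            cur["wps_state"] = int(m.group(1))
        m = LOCKED_RE.search(line)
        if m:
            cur["ap_locked"] = m.group(1) != "00"
        m = METHODS_RE.search(line)
        if m:
            cur["config_methods"] = [x.strip() for x in m.group(1).split(",") if x.strip()]
    return records


def wps_advertisers(records):
    """BSSIDs whose beacon/probe response still carries a WPS IE."""
    return [r["bssid"] for r in records if r["wps"]]


def report(records):
    """One line per BSS, suitable for diffing before/after 'disabling' WPS."""
    out = []
    for r in records:
        if r["wps"]:
            out.append("%s %-16s WPS advertised state=%s locked=%s methods=%s" % (
                r["bssid"], r["ssid"], r["wps_state"], r["ap_locked"],
                ",".join(r["config_methods"]) or "-"))
        else:
            out.append("%s %-16s no WPS IE" % (r["bssid"], r["ssid"]))
    return out
```

Pipe `iw dev wlan0 scan` into parse_scan() and diff report() output before and after turning WPS off in the admin interface; a BSS that drops out of wps_advertisers() has changed what it claims, which is exactly the point Dan's question is probing, and only a Reaver run against it settles whether the registrar actually stopped answering.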

Re: [Full-disclosure] Botnet Traffic

2012-02-23 Thread Derek Grocke
Hi James,

I've found that using the Shadow Server network/ASN reports is very useful,
depending on what analysis you are trying to do.

http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork

I.e.
 - Detected Botnet Command and Control servers
 - Infected systems (drones)
 - DDoS attacks (source and victim)
 - Scans
 - Clickfraud
 - Compromised hosts
 - Proxies
 - Spam relays
 - Malicious software droppers and other related information.

You could always create your own honeypot and/or partner with one of the
carriers/ISP's to get live data.


Thanks
Derek

On 24/02/2012, at 8:51 AM, James Smith  wrote:

 Hello,

Can anyone on this list provide botnet network traffic for analysis, or
IPs which have been infected?
-- 
Sincerely;


James Smith
CEO, CEH, Security Analyst
Email: ja...@smithwaysecurity.com
Phone: 1877-760-1953
Website: www.SmithwaySecurity.com



Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 11: ] How much time is appropriate for fixing

2012-07-11 Thread Derek Belrose
This is truly a very strange discussion, indeed.

On Tue, Jul 10, 2012 at 3:48 PM, valdis.kletni...@vt.edu
 wrote:
> On Tue, 10 Jul 2012 15:16:39 -0400, Григорий Братислава said:
>> I reply to you is back "on-list." Information is for meant to be free.
>> And so you know, is no, your English is improper:
>
> The longer this thread goes on, the more I become convinced that
> one of these guys actually lives in Nebraska and the other in Arizona. ;)


[Full-disclosure] rssh: root privilege escalation flaw

2005-12-30 Thread Derek Martin
Affected Software:  rssh - all versions prior to 2.3.0
Vulnerability:  local user privilege escalation
Severity:   *CRITICAL*
Impact: local users can gain root access  
Solution:   Please upgrade to v2.3.1

Summary
---

rssh is a restricted shell which allows a system administrator to
limit users' access to a system via SSH to scp, sftp, rsync, rdist,
and cvs.  It also allows the system administrator the ability to
chroot users to a configurable location.

* PLEASE NOTE *
This problem was fixed in 2.3.0, but there is another small bug (not
security-related) in that version which prompted me to release 2.3.1
today.  I will announce that separately in appropriate channels.
Please upgrade to the 2.3.1 release, not the 2.3.0 release.

Max Vozeler reported a flaw in the design of rssh_chroot_helper
whereby it can be exploited to chroot to arbitrary directories and
thereby gain root access.  If rssh is installed on a system, and
non-trusted users on that system have access which is not protected by
rssh (i.e. they have full shell access), then they can use
rssh_chroot_helper to chroot to arbitrary locations in the file system,
and thereby gain root access.  

Workaround
--

By careful configuration of file system mounts, it is possible to
avoid this problem; but doing so requires a fair amount of contortion
which will be difficult to re-engineer after an existing installation
has already been configured.  The exploit requires the user to be able
to write executables in the directory they are chrooting to, and
create hard links to SUID binaries within that directory structure, so
by preventing either of these two things, the exploit will be foiled.
System administrators can accomplish this by careful configuration of
filesystem permissions, mount points, and mount options (such as
no_exec, no_suid, etc.).  I will not go into details since the far
better solution is to upgrade.

Fix
---

The 2.3.0 release of rssh fixes this problem by forcing the chroot
helper program to re-parse the config file instead of allowing the
chroot home to be specified on the command line.  Thus users not
listed can not use it to chroot (or will chroot to the default
location specified by the sysadmin), and users who are listed will be
chrooted to the directories where they are supposed to go only.

This version also fixes an unrelated bug which causes
rssh_chroot_helper to crash on the ia64 architecture (and possibly
others).  Numerous people reported a problem with the way 
va_start/va_end was used in log.c, which causes a segfault on 64-bit
Linux platforms.  It is believed that this bug is not exploitable,
since no code in this module is ever executed with root privileges.
However this is also fixed in this release.

Thanks


-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D



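The advisory above describes two changes in rssh 2.3.0: the chroot helper now looks its target up in the config file instead of trusting a directory passed on its command line, and log.c no longer reuses a va_list in a way that crashes on 64-bit platforms. The program below is an added illustration of both patterns, written for this page rather than taken from rssh; its config syntax (`user=<name>:<dir>`, `chrootpath=<dir>`), the sample entries and the function names are constructed for the example. A setuid helper must derive the caller's identity from the kernel (the real uid) and the privileged decision from a file only root can write, which is what `resolve_chroot` does; `log_msg` shows the `va_copy` idiom that makes a two-pass vsnprintf safe where the 64-bit va_list is an array type consumed by the first pass.

```c
#include <pwd.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Added example (not rssh's code): the two fixes from the advisory in
 * miniature. The chroot target comes from a config lookup keyed by the
 * caller's real uid, never from argv, and the variadic logger uses
 * va_copy so a va_list is never consumed twice (the 64-bit crash).
 * Config syntax and sample entries are constructed for this example:
 *   user=<name>:<absolute dir>      chrootpath=<absolute default dir> */
static const char SAMPLE_CONFIG[] =
    "user=alice:/chroot/alice\n"
    "user=bob:/chroot/bob\n"
    "chrootpath=/chroot/default\n";

/* Absolute path with no ".." component; anything else is rejected. */
static int safe_path(const char *p)
{
    if (p[0] != '/') return 0;
    for (const char *s = p; ; ) {
        const char *e = strchr(s, '/');
        size_t n = e ? (size_t)(e - s) : strlen(s);
        if (n == 2 && s[0] == '.' && s[1] == '.') return 0;
        if (!e) return 1;
        s = e + 1;
    }
}

/* Resolve the chroot directory for `user` from `config`. Returns 1 and
 * fills `out` (listed user, or the sysadmin's default), 0 if there is
 * no usable entry. A user-supplied directory is never consulted. */
int resolve_chroot(const char *config, const char *user, char *out, size_t outlen)
{
    char def[256] = "", name[64], dir[256], line[512];
    for (const char *p = config; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) return 0;          /* oversized line: refuse */
        memcpy(line, p, len);
        line[len] = '\0';
        if (sscanf(line, "user=%63[^:]:%255s", name, dir) == 2) {
            if (strcmp(name, user) == 0) {
                if (!safe_path(dir)) return 0;     /* bad entry: refuse, do not fall back */
                snprintf(out, outlen, "%s", dir);
                return 1;
            }
        } else if (sscanf(line, "chrootpath=%255s", dir) == 1 && safe_path(dir)) {
            snprintf(def, sizeof def, "%s", dir);
        }
        if (!nl) break;
        p = nl + 1;
    }
    if (!def[0]) return 0;
    snprintf(out, outlen, "%s", def);
    return 1;
}

/* Format into a heap buffer sized exactly for the output (caller frees).
 * vsnprintf consumes a va_list, so the sizing pass works on a va_copy;
 * reusing `ap` directly is undefined and crashes on x86-64. */
char *log_msg(const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int needed = vsnprintf(NULL, 0, fmt, ap2);
    va_end(ap2);
    char *buf = needed < 0 ? NULL : malloc((size_t)needed + 1);
    if (buf) vsnprintf(buf, (size_t)needed + 1, fmt, ap);
    va_end(ap);
    return buf;
}

int main(void)
{
    struct passwd *pw = getpwuid(getuid());      /* identity from the kernel, not argv */
    const char *user = pw ? pw->pw_name : "?";
    char target[256];
    char *msg;
    if (resolve_chroot(SAMPLE_CONFIG, user, target, sizeof target))
        msg = log_msg("user %s -> chroot %s", user, target);
    else
        msg = log_msg("user %s: no chroot configured, refusing", user);
    puts(msg ? msg : "(log formatting failed)");
    free(msg);
    return 0;
}
```

Run as an ordinary user it prints either the default directory or a refusal; the point is that nothing the invoking user controls (arguments, environment) reaches the chroot decision. The `safe_path` check is an extra guard on the config itself so a mistyped entry cannot point the helper at a parent directory.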

[Full-disclosure] Tool: PorkBind v1.3 Nameserver Security Scanner (New Version)

2008-08-15 Thread Derek Callaway
This program retrieves version information for the nameservers of a domain
and produces a report that describes possible vulnerabilities of each.
Vulnerability information is configurable through a configuration
file; the default is porkbind.conf. Each nameserver is tested for 
recursive queries and zone transfers. The code is parallelized with 
libpthread.

http://www.innu.org/~super/tools/porkbind-1.3.tar.gz

ChangeLog for this version:

porkbind-1.3

Wrote in-a-bind shell script that scans random domain names from DMOZ
Implemented recursive query testing
Changed porkbind.conf to use CVE numbers in addition to CERT alerts
Modified text displayed on stdout to make it more parsable
Licensed with GNU Lesser General Public License
Fixed timeout/concurrency/memory corruption bugs
Fixed improper comparison of alpha/beta version numbering bug
Added typecasts to silence compiler warnings


- Derek

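The announcement says PorkBind retrieves each nameserver's version and tests it for recursive queries. The following C program is an added example for auditing one's own nameservers in the same way; it is not PorkBind's code, and the function names, the `dns_result` struct and the reply bytes in `SAMPLE_REPLY` are constructed for this page. It encodes the CHAOS-class `version.bind` TXT query, then parses a reply to read the RA flag (the server advertises recursion) and the disclosed version string, handling name compression and truncated packets.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not PorkBind's code: the two probes a nameserver audit
 * needs for the "version" and "recursion" checks the tool describes.
 * build_version_query() encodes the CHAOS-class TXT query for
 * version.bind; parse_version_reply() reads the reply header for the RA
 * flag (server offers recursion) and pulls the disclosed version string.
 * SAMPLE_REPLY is a constructed reply, not captured from a real server. */

struct dns_result {
    int rcode;            /* 0 = NOERROR */
    int recursion_avail;  /* RA flag: the server answers recursive queries */
    char version[64];     /* first TXT string in the answer, "" if none */
};

/* Encode "version.bind TXT CH" with RD set; returns packet length, 0 if cap too small. */
size_t build_version_query(unsigned char *pkt, size_t cap, uint16_t id)
{
    static const unsigned char qname[] = "\7version\4bind";   /* label-encoded, NUL-terminated */
    size_t need = 12 + sizeof qname + 4;
    if (cap < need) return 0;
    memset(pkt, 0, 12);
    pkt[0] = (unsigned char)(id >> 8);
    pkt[1] = (unsigned char)id;
    pkt[2] = 0x01;                       /* RD = 1, so RA in the reply is meaningful */
    pkt[5] = 0x01;                       /* QDCOUNT = 1 */
    memcpy(pkt + 12, qname, sizeof qname);
    unsigned char *q = pkt + 12 + sizeof qname;
    q[0] = 0; q[1] = 16;                 /* QTYPE = TXT */
    q[2] = 0; q[3] = 3;                  /* QCLASS = CH */
    return need;
}

/* Step past a (possibly compressed) name; returns the next offset, 0 if malformed. */
static size_t skip_name(const unsigned char *pkt, size_t len, size_t off)
{
    while (off < len) {
        unsigned char c = pkt[off];
        if (c == 0) return off + 1;
        if ((c & 0xC0) == 0xC0) return off + 2 <= len ? off + 2 : 0;   /* pointer */
        off += 1 + c;
    }
    return 0;
}

/* Fill `r` from a reply; returns 0 on success, -1 on a truncated/malformed packet. */
int parse_version_reply(const unsigned char *pkt, size_t len, struct dns_result *r)
{
    memset(r, 0, sizeof *r);
    if (len < 12) return -1;
    r->rcode = pkt[3] & 0x0F;
    r->recursion_avail = (pkt[3] & 0x80) != 0;
    unsigned qd = (pkt[4] << 8) | pkt[5], an = (pkt[6] << 8) | pkt[7];
    size_t off = 12;
    for (unsigned i = 0; i < qd; i++) {              /* skip the echoed question */
        off = skip_name(pkt, len, off);
        if (!off || off + 4 > len) return -1;
        off += 4;
    }
    for (unsigned i = 0; i < an; i++) {
        off = skip_name(pkt, len, off);
        if (!off || off + 10 > len) return -1;
        unsigned type = (pkt[off] << 8) | pkt[off + 1];
        unsigned rdlen = (pkt[off + 8] << 8) | pkt[off + 9];
        off += 10;
        if (off + rdlen > len) return -1;            /* RDATA runs past the packet */
        if (type == 16 && rdlen > 0) {
            size_t slen = pkt[off];
            if (slen + 1 > rdlen || slen >= sizeof r->version) return -1;
            memcpy(r->version, pkt + off + 1, slen);
            r->version[slen] = '\0';
            return 0;
        }
        off += rdlen;
    }
    return 0;
}

/* Constructed reply: id 0x1234, flags 0x8180 (QR, RD, RA), one TXT answer "9.8.1". */
static const unsigned char SAMPLE_REPLY[] = {
    0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,
    7, 'v', 'e', 'r', 's', 'i', 'o', 'n', 4, 'b', 'i', 'n', 'd', 0, 0, 16, 0, 3,
    0xC0, 0x0C, 0, 16, 0, 3, 0, 0, 0, 0, 0, 6, 5, '9', '.', '8', '.', '1'
};

int main(void)
{
    unsigned char q[64];
    struct dns_result r;
    size_t n = build_version_query(q, sizeof q, 0x1234);
    printf("query: %zu bytes\n", n);
    if (parse_version_reply(SAMPLE_REPLY, sizeof SAMPLE_REPLY, &r) == 0)
        printf("rcode=%d recursion=%s version=\"%s\"\n",
               r.rcode, r.recursion_avail ? "offered" : "refused", r.version);
    return 0;
}
```

Sending the query over UDP port 53 and feeding the reply to `parse_version_reply` is left to the caller. For an authoritative-only server, RA set in the reply means recursion is open to whoever can reach it and should be restricted to the intended clients; a version string in the answer can be suppressed in BIND with the `version` option in named.conf.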


[Full-disclosure] RE: Full-Disclosure Digest, Vol 8, Issue 31

2005-10-14 Thread Pearcy, Derek

Mary Landesman wrote:

> I can't speak to the IMLogic figures, but these are a few Yahoo IM 
> worms of which I am aware.
>
> Guap.a
> Gunsan
> Lile.a
> Oscabot.k
> StarGames
> Velkbot.a
> Yimp.a

It's worth noting that none of the worms listed above are unique to the
Yahoo! Instant Messenger client. They take advantage of most IM apps (some
use YIM and AIM only) in addition to a few P2P services.

Derek Pearcy
Securify, Inc.



Re: [Full-disclosure] Linux big bang theory....

2007-05-10 Thread Derek Buelna
So many people aren't real UNIX sysadmins. Those that are, care about
security and do an adequate job of protecting their systems. Give Linux to
others and it may be more risky than giving them Windows. With Windows, root
kits may be easier for an average user to detect, given the availability of
numerous tools. I would assume the novice Linux users are less prone to
deploying some sort of protection besides maybe updating it and having a
firewall running.

If I was going to have an army of hosts I'd hopefully have a bunch of
different kinds, using different kinds of root kits, in order to minimize
losses if one kind of setup was discovered.

-Derek

http://www.syrex.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of J. Oquendo
Sent: Thursday, May 10, 2007 12:12 PM
To: KJKHyperion; full-disclosure
Subject: Re: [Full-disclosure] Linux big bang theory

KJKHyperion wrote:
>
>
> why, Windows machines of course, I'm an attacker, not a fool! If you 
> were a terrorist, what would you rather do?
>
> Crash the Twin Towers
> Crash the dollar
>
> There is no such thing as an "attacker". All actions, even such an 
> individual's, are driven by economical considerations.
With this said, if I were an attacker with economics in mind why would I
want to target a machine which has X amount of vendors sifting through the
muck of malware and viruses when I could spawn off a semi-undetectable
program and KEEP IT THERE without having to wait for the next best thing.

I don't know about your logics on economics, but if I were the attacker and
I was looking for a constant steady stream of revenue, I would go the Linux
route. And if you think for a second that "Boohoo Linux users are more
inclined to be security conscious" then you are the fool here. Of the couple
of thousand brute force bots I see, none are on Windows.

Whatever though, to each their own mechanisms of thought.
If you truly believe it's all fine and dandy and things won't get
progressively worse by giving Linux to inexperienced users, you are in for a
rude awakening. If you haven't stopped to read the facts that malware, *ware
creators are getting more savvy, then you seem to be stuck somewhere in a
world of fantasy.



--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 

"Wise men talk because they have something to say; fools, because they have
to say something." -- Plato





Re: [Full-disclosure] Signal to Noise Ratio

2007-07-24 Thread Derek Buelna
There is quite a bit of noise. Focus on security. Whenever someone says
anything, someone else has to say something and it goes on. And I'm not
talking about security stuff.

I'm sure someone will follow up this email and call me a dick or something.

Damn list is nearly a DOS. Whatever I'll weed through all the remarks from
guys with hardons or other guys that are just pissed off at the world. Lol a
closed list has its benefits.

-Derek

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of trains
Sent: Tuesday, July 24, 2007 8:18 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Signal to Noise Ratio

One person's noise is another person's signal.

Except maybe for n3td3v.  :))

t.r.

-
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact:[EMAIL PROTECTED]




[Full-disclosure] RE: Full-Disclosure Digest, Vol 2, Issue 6

2005-04-03 Thread Andre Derek Protas
FBI was the reason for the intelligence break in Iraq?  Hmm...must have just
been a recent switch in jurisdictions b/c I always thought that would be
CIA/DoD territory.  Wait...yea, it still is.

You're 1337 man, real 1337.  no thnx for the blog either, i'd rather keep 
going to packetstorm for some real info.

keep hacking, or whatever it is you do.
   ::Andre Derek Protas::
If ignorant both of your enemy and yourself, you are certain to be in peril. 
-Sun Tzu


From: [EMAIL PROTECTED]
Reply-To: full-disclosure@lists.grok.org.uk
To: full-disclosure@lists.grok.org.uk
Subject: Full-Disclosure Digest, Vol 2, Issue 6
Date: Sun,  3 Apr 2005 12:00:09 +0100 (BST)

Today's Topics:
   1. RE: Metasploit Framework v3.0 Alpha (Randall M)
   2. RE: Re: Internet Going Down For Maintenance (Randall M)
   3. FBI declares war on hackers (Randall M)
   4. Anyone have more info on this (Randall M)
   5. Re: FBI declares war on hackers (Andrew Smith)
   6. RE: FBI declares war on hackers (Debasis Mohanty)
   7. Re: FBI declares war on hackers (Travis Good)
   8. RE: Microsoft Windows Server 2003 "Shell Folders"   Directory
  Traversal Vulnerability (Eiji James Yoshida)
   9. Re: FBI declares war on hackers (n3td3v)
  10. Re: FBI declares war on hackers (Niccolò Roselli Cecconi)
  11. Re: FBI declares war on hackers (Jeff Workman)
  12. Re: FBI declares war on hackers (Milan 't4c' Berger)
--
Message: 1
Date: Sat, 2 Apr 2005 07:38:08 -0600
From: "Randall M" <[EMAIL PROTECTED]>
Subject: RE: [Full-disclosure] Metasploit Framework v3.0 Alpha
To: 'Hernán M. Racciatti' <[EMAIL PROTECTED]>,

Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain;   charset="iso-8859-1"
Dam. And I got all excited about "face recognition" via web cam.
thank you
Randall M
"If we ever forget that we're one nation under God, then we will be a 
nation
gone under."
- Ronald Reagan


:-Original Message-
:From: [EMAIL PROTECTED]
:[mailto:[EMAIL PROTECTED] On Behalf
:Of Hernán M. Racciatti
:Sent: Friday, April 01, 2005 12:10 PM
:To: Full-Disclosure@lists.grok.org.uk
:Subject: Re: [Full-disclosure] Metasploit Framework v3.0 Alpha
:
:This pretends to be an amused and funny joke :D
:
:P.D: But... is true... python is cool :)
:
:On Apr 1, 2005 2:58 PM, Rudra Kamal Sinha Roy <[EMAIL PROTECTED]> wrote:
:> The Alpha release couldn't be found anywhere in the site..Even a
:> search reveals nothing..!!
:
:--
:Hernán Marcelo Racciatti
:
:Core Team Member ISECOM (Institute for Security and Open
:Methodologies) Coordinator OISSG, Argentina (Open Information
:System Security Group)
:
:[mailto:[EMAIL PROTECTED]
:[http://www.hernanracciatti.com.ar]
:

--
Message: 2
Date: Sat, 2 Apr 2005 07:45:13 -0600
From: "Randall M" <[EMAIL PROTECTED]>
Subject: RE:

Re: [Full-disclosure] The best hacker ever !

2005-05-02 Thread Andre Derek Protas
I thought that was your IP so I used the same program he had and just 
killed my box!  Whoops!
;)

PS - Works in M$
Gregory Boyce wrote:
> On Mon, 2 May 2005, Zuxy Haiduc wrote:
>> While most people know better than attacking 127.0.0.1, it's important
>> to note that in some operating systems (Windows, and a few others, but
>> normally not *nix), anything in 127.* is loopback.
>> It's a lot easier to trick someone into attacking, say, 127.36.120.67,
>> than 127.0.0.1.
>> Just a thought.
>
> 127.36.120.67 works under Linux as well (tested on Ubuntu, Debian,
> Redhat and Gentoo with 2.2-2.6 kernels).
