Re: [Full-disclosure] Free Tibet..

2008-03-26 Thread Eduardo Tongson
Not just Tibet. PRC wants to own every land around them [1].

[1] 

On Wed, Mar 26, 2008 at 11:35 PM, Robert Smits <[EMAIL PROTECTED]> wrote:
> On March 24, 2008 10:31:55 pm Jerome Jar wrote:
>  > Please, I humbly think that you know possibly nothing about Tibet, the
>  > province of China.
>  >
>  > A lot of Chinese people, who used to take western medias as the
>  > representation of good will and perhaps democracy, do feel sick of the
>  > misleading news article pieces produced by such medias on this very
>  > topic of Tibet. If all of your knowledge about the Tibet event comes
>  > from such sources, just ignore them.
>
>  China, by force, may have the power to enforce its will in Tibet, but that
>  does not make it a "province" of China.
>
>  Tibet is an invaded country, and China has no right to be there at all.
>
>
>  --
>  Bob Smits [EMAIL PROTECTED]
>
>
>
>  ___
>  Full-Disclosure - We believe in it.
>  Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>  Hosted and sponsored by Secunia - http://secunia.com/
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

2008-01-22 Thread Eduardo Tongson
Should have made it a bit tricky. So the ensuing base64 and shar
slugging could have been avoided.

\x31\xc0\xbb\x01\x00\x00\x00\x50\x68\x70\x61\x6e\x79\x68\x20\x63\x6f\x6d\x68
\x79\x6f\x75\x72\x68\x6f\x72\x65\x20\x68\x6f\x20\x77\x68\x68\x75\x73\x20\x74
\x68\x70\x61\x79\x20\x68\x63\x61\x6e\x20\x68\x79\x6f\x75\x20\x54\x59\xba\x25
\x00\x00\x00\xb0\x04\xcd\x80\xb0\x01\x89\xc3\xcd\x80

  Ed

On Jan 22, 2008 2:04 AM, J. Oquendo <[EMAIL PROTECTED]> wrote:
> SecReview wrote:
> > Nate,
> > Your email was constructive and much appreciated. We'll go over
> > the review a second time and incorporate some of your suggestions.
> > Thank you for taking the time to provide so much good feedback.
> >
>
> Hey all, I'd like to get into reviewing security companies as well.
> Before I do though I'd appreciate it if someone could provide me
> with information on the differences betweens statistical sampling
> over judgmental sampling. I wouldn't want to write a review that
> could affect someone's livelihood without knowing what the differences
> are between say change management and mitigation management.
>
> And to the older security folks on the list keeping quiet (not those
> between the ages of tenteen and 19):
>
> eW91IGNhbiBwYXkgdXMgdG8gd2hvcmUgeW91ciBjb21wYW55Cg==
>
> Cheap too!
>
>
>
> --
> 
> J. Oquendo
>
> SGFA #579 (FW+VPN v4.1)
> SGFE #574 (FW+VPN v4.1)
>
> wget -qO - www.infiltrated.net/sig|perl
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
>
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
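Decoded statically, the hex above is a push-string write/exit stub: each `push imm32` drops four characters of the same sentence the base64 hides, `push esp; pop ecx` points ecx at it, and the two `int 0x80`s do write(1, ecx, 0x25) and exit. The decoder below is an added example, not code from the post; it covers only the opcodes this fragment uses, models eax..edx and the stack just far enough to recover the string and the syscalls, and its syscall-number table (Linux i386) is the example's own.

```python
"""Static decoder for the push-string x86-32 shellcode quoted above.

Added example, not from the original post.  It handles only the opcodes
that fragment uses (xor eax,eax / mov r32,imm32 / mov al,imm8 / push /
pop ecx / mov ebx,eax / int 0x80) and models eax..edx and the stack well
enough to recover the pushed string and the syscalls made with it.
"""
import struct

# The bytes exactly as posted (the \xNN escapes joined, line breaks dropped).
POSTED_SHELLCODE = (
    b"\x31\xc0\xbb\x01\x00\x00\x00\x50\x68\x70\x61\x6e\x79\x68\x20\x63\x6f\x6d\x68"
    b"\x79\x6f\x75\x72\x68\x6f\x72\x65\x20\x68\x6f\x20\x77\x68\x68\x75\x73\x20\x74"
    b"\x68\x70\x61\x79\x20\x68\x63\x61\x6e\x20\x68\x79\x6f\x75\x20\x54\x59\xba\x25"
    b"\x00\x00\x00\xb0\x04\xcd\x80\xb0\x01\x89\xc3\xcd\x80"
)

# Linux i386 syscall numbers worth recognising in shellcode (example's own table).
SYSCALLS = {1: "exit", 4: "write", 11: "execve", 23: "setuid", 70: "setreuid"}
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode(code):
    """Return (listing, pushed_bytes, syscalls).

    listing      -- [(offset, mnemonic), ...] for every instruction decoded
    pushed_bytes -- what the push chain left on the stack, in memory order
    syscalls     -- [(name, eax, ebx, ecx, edx), ...] at each int 0x80
    """
    regs = {"eax": 0, "ebx": 0, "ecx": 0, "edx": 0}
    stack = []                      # pushed 4-byte values, newest last
    listing, calls = [], []
    i = 0
    while i < len(code):
        op = code[i]
        if code[i:i + 2] == b"\x31\xc0":                 # xor eax, eax
            regs["eax"] = 0
            listing.append((i, "xor eax, eax"))
            i += 2
        elif 0xB8 <= op <= 0xBF:                        # mov r32, imm32
            reg = REG32[op - 0xB8]
            regs[reg] = struct.unpack_from("<I", code, i + 1)[0]
            listing.append((i, "mov %s, %#x" % (reg, regs[reg])))
            i += 5
        elif op == 0xB0:                                # mov al, imm8
            regs["eax"] = (regs["eax"] & ~0xFF) | code[i + 1]
            listing.append((i, "mov al, %#x" % code[i + 1]))
            i += 2
        elif op == 0x50:                                # push eax (the NUL terminator here)
            stack.append(struct.pack("<I", regs["eax"]))
            listing.append((i, "push eax"))
            i += 1
        elif op == 0x68:                                # push imm32 (four string bytes)
            stack.append(code[i + 1:i + 5])
            listing.append((i, "push %r" % code[i + 1:i + 5]))
            i += 5
        elif code[i:i + 2] == b"\x54\x59":               # push esp / pop ecx: ecx = &string
            regs["ecx"] = "esp"
            listing.append((i, "push esp"))
            listing.append((i + 1, "pop ecx"))
            i += 2
        elif code[i:i + 2] == b"\x89\xc3":               # mov ebx, eax
            regs["ebx"] = regs["eax"]
            listing.append((i, "mov ebx, eax"))
            i += 2
        elif code[i:i + 2] == b"\xcd\x80":               # int 0x80: syscall number in eax
            name = SYSCALLS.get(regs["eax"], "sys_%d" % regs["eax"])
            calls.append((name, regs["eax"], regs["ebx"], regs["ecx"], regs["edx"]))
            listing.append((i, "int 0x80 ; %s" % name))
            i += 2
        else:
            raise ValueError("unhandled opcode %#x at offset %d" % (op, i))
    # The stack grows down, so the last value pushed sits at the lowest address:
    # reading memory upward means walking the pushes in reverse.
    return listing, b"".join(reversed(stack)), calls


def pushed_string(code):
    """The NUL-terminated string the shellcode assembles, as text."""
    return decode(code)[1].split(b"\x00", 1)[0].decode("ascii", "replace")


if __name__ == "__main__":
    listing, _, calls = decode(POSTED_SHELLCODE)
    for off, mnem in listing:
        print("%02x  %s" % (off, mnem))
    print("string :", pushed_string(POSTED_SHELLCODE))
    print("calls  :", calls)
```

The same table is what you look for when reading a setuid-restoring payload of the kind asked about further down this page: a `mov al` or `mov eax` loading 23 or 70 before an `int 0x80`, ahead of the execve (11).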


Re: [Full-disclosure] Load balancer ?

2008-01-15 Thread Eduardo Tongson
Hello seb,

Yes, it is probably an f5-BigIP. Thanks.
Has anybody else seen this with their BigIPs? Shouldn't this be considered a bug?

   Ed 

On Jan 15, 2008 6:47 PM,  <[EMAIL PROTECTED]> wrote:
> > Hello folks,
> >
> > Does anyone know what load balancer has this behavior?. Apparently
> > requesting over HTTP 1.0 without a trailing slash reveals the internal
> > IP addresses of the web servers.
> >
>
> I've encountered this with some F5-BigIP some months ago. But I've encountered
> it on IIS and ISA Server too.
>
>
>



[Full-disclosure] Load balancer ?

2008-01-15 Thread Eduardo Tongson
Hello folks,

Does anyone know what load balancer has this behavior? Apparently
requesting over HTTP 1.0 without a trailing slash reveals the internal
IP addresses of the web servers.


--> HEAD /docs HTTP/1.0
HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Jan 2008 09:59:57 GMT
Server: Apache
Location: http://192.168.1.2/docs/
Connection: close
Content-Type: text/html; charset=iso-8859-1

--> HEAD /docs HTTP/1.0
HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Jan 2008 09:59:57 GMT
Server: Apache
Location: http://192.168.1.4/docs/
Connection: close
Content-Type: text/html; charset=iso-8859-1

--> HEAD /docs HTTP/1.0
HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Jan 2008 09:59:57 GMT
Server: Apache
Location: http://192.168.1.3/docs/
Connection: close
Content-Type: text/html; charset=iso-8859-1


--> HEAD /docs/ HTTP/1.0
HTTP/1.1 200 OK
Date: Tue, 15 Jan 2008 10:00:14 GMT
Server: Apache
Connection: close
Content-Type: text/html


--> HEAD /docs HTTP/1.1
--> HOST: example.com
HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Jan 2008 10:00:43 GMT
Server: Apache
Location: http://example.com/docs/
Connection: close
Content-Type: text/html; charset=iso-8859-1


--> HEAD /docs/ HTTP/1.1
--> HOST: example.com
HTTP/1.1 200 OK
Date: Tue, 15 Jan 2008 10:01:00 GMT
Server: Apache
Connection: close
Content-Type: text/html


Ed 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
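A small probe and detector for the behaviour shown in this thread (and in the reply above it), as an added example that is not part of either post. An HTTP/1.0 request carries no Host header, so the backend Apache builds its trailing-slash redirect from its own address and the Location header exposes the internal IP. The sample responses below are constructed from the ones in the post; `example.com` and the 192.168.1.x addresses are the post's own placeholders.

```python
"""Probe and detector for the load-balancer address leak shown above.

Added example, not from the original post.  A HTTP/1.0 request with no Host
header reaches the backend Apache, which builds its trailing-slash redirect
from its own address, so Location points at the internal IP.  The sample
responses are constructed from the ones in the post; example.com and
192.168.1.x are the post's own placeholders.
"""
import ipaddress
import socket
from typing import Iterable, Optional, Set
from urllib.parse import urlsplit


def probe_request(path="/docs", host=None):
    """The two requests from the post: HTTP/1.0 with no Host (leaks) and the
    HTTP/1.1 control with a Host header (does not)."""
    if host is None:
        return ("HEAD %s HTTP/1.0\r\n\r\n" % path).encode()
    return ("HEAD %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % (path, host)).encode()


def location_of(response: bytes) -> Optional[str]:
    """Location header value from a raw response head, or None."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def leaked_internal_host(response: bytes) -> Optional[str]:
    """Redirect target if it is a private, loopback or link-local IP, else None."""
    loc = location_of(response)
    host = urlsplit(loc).hostname if loc else None
    if not host:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None                               # a hostname: nothing leaked
    return host if (ip.is_private or ip.is_loopback or ip.is_link_local) else None


def backend_pool(responses: Iterable[bytes]) -> Set[str]:
    """Distinct internal addresses seen over repeated probes (the balancer rotates)."""
    return {h for h in map(leaked_internal_host, responses) if h}


def probe_live(host, port=80, path="/docs", timeout=5.0):
    """Send the HTTP/1.0 probe to a real server; returns the raw response head."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(probe_request(path))
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return data


# Constructed samples modelled on the responses in the post.
SAMPLE_LEAKS = [
    b"HTTP/1.1 301 Moved Permanently\r\nServer: Apache\r\n"
    b"Location: http://192.168.1.%d/docs/\r\nConnection: close\r\n\r\n" % n
    for n in (2, 4, 3)
]
SAMPLE_CONTROL = (
    b"HTTP/1.1 301 Moved Permanently\r\nServer: Apache\r\n"
    b"Location: http://example.com/docs/\r\nConnection: close\r\n\r\n"
)

if __name__ == "__main__":
    print("leaked backends:", sorted(backend_pool(SAMPLE_LEAKS)))
    print("control leaks  :", leaked_internal_host(SAMPLE_CONTROL))
```

`probe_live()` is the only part that touches the network; run it a handful of times to enumerate the pool, as the three different addresses in the post show. On the backend side the usual fix is a `ServerName` matching the public name (with `UseCanonicalName On`) so Apache's self-referential redirects never use its own address; on the balancer, rewriting the Location header of backend responses covers every backend at once.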


Re: [Full-disclosure] Wordpress Cookie Authentication Vulnerability

2007-11-20 Thread Eduardo Tongson
Hello folks,

I wonder why we don't see web applications use secure cookie recipes
like [1] and [2]. There are also existing secure password hashing
frameworks such as Solar's [3]. Are developers just unaware of these
secure schemes?

Amusingly, a proprietary web application I audited used static tokens.
Even if you change your password, cookies are still valid. Even
passwords are stored as raw MD5 hashes in the database. I think
programmers should be taught secure practices from the start.

[1] <http://cookies.lcs.mit.edu/pubs/webauth:tr.pdf>
[2] <http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf>
[3] <http://www.openwall.com/phpass/>

Eduardo Tongson  NCCS

On 11/21/07, James Matthews <[EMAIL PROTECTED]> wrote:
> Wordpress never knew how to deal with cookies!
>
>
> On Nov 20, 2007 9:23 PM, Steven Adair <[EMAIL PROTECTED]> wrote:
> > Right this problem has existed for a long time, but it's not the end of
> > the world for someone to point it out again I suppose.
> >
> > I think it's obvious that there's another main issue here and that's the
> > way WordPress handles its cookies in general.  They are not temporary
> > sessions that expire or are only valid upon successful authentication.
> > The cookies work forever, or at least until the password changes.  If
> > someone uses an XSS attack to obtain the cookies or sniffs them (most
> > blogs are just HTTP) they can essentially permanently authenticate.  The
> > same result occurs with being able to read the database.
> >
> > Furthermore, one could in theory conduct a bruteforce attack against the
> > WordPress password by just making normal requests to the blog but changing
> > the cookie that does the double MD5 of the password.  You could in theory
> > emulate normal continued browsing of the website while sending
> > MD5(MD5(password)) over and over with each request via the cookie.  Other
> > than perhaps a large increase in browsing of the blog, this could possibly
> > go unnoticed as an attack -- as it would not be logged anywhere (in most
> > instances) that the cookies were being presented.  Once authenticated into
> > WordPress, the normal blog pages look different, so it would not require
> > an attacker to access the Admin area to verify.
> >
> > Anyway, good to see the CVE is already there.  Maybe better session
> > management will find its way into WordPress.
> >
> > Steven
> > http://www.securityzone.org
> > (..runs on WordPress.. oh noes!)
> >
> >
> >
> >
> > > This is CVE-2007-6013 since 19th Nov including WordPress ticket #5367:
> > >
> > >
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6013
> > >
> > > - Juha-Matti
> > >
> > > "Steven J. Murdoch"
> <[EMAIL PROTECTED]> kirjoitti:
> > >>
> > >>On Tue, Nov 20, 2007 at 07:08:36PM +0100, Stefan Esser wrote:
> > >>Could you elaborate why you consider this news? Most public SQL
> > >>injection exploits for Wordpress use this cookie trick.
> > >>
> > >>I couldn't find it on the Wordpress bug tracker and when I mentioned
> > >>it to the Wordpress security address, they did not mention having
> > >>heard of it before. I also couldn't find a detailed explanation of the
> > >>problem online, nor in the usual vulnerability databases. Blog
> > >>administrators, like me, therefore risk sites being compromised
> > >>because they didn't realize the problem.
> > >>
> > >>It seemed intuitive to me that restoring the database to a known good
> > >>state would be adequate to recover from a Wordpress compromise
> > >>(excluding guessable passwords). This is the case with the UNIX
> > >>password database and any similarly implemented system. Because of the
> > >>vulnerability I mentioned, this is not the case for Wordpress.
> > >>
> > >>So I also thought it important to describe the workarounds, and fixes.
> > >>If these were obvious, Wordpress would have already applied them. Some
> > >>commenters did not think that the current password scheme needs to be,
> > >>or can be improved, despite techniques to do so being industry
> > >>standard for decades. Clearly this misconception needs to be
> > >>corrected.
> > >>
> > >>I did mention that this was being exploited, so obviously some people
> > >>already know about the problem, but not the right ones. Before I sent
> > >>the disclosure, there was
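
The thread contrasts a static cookie (a fixed function of the password hash) with signed, expiring cookies such as the Fu et al. recipe cited as [1]. Both are shown below as an added example; it is not code from WordPress or from any poster. The server secret, the PBKDF2 parameters and the user names are this example's own assumptions, and deriving the cookie key from the stored password hash (so that a password change voids old cookies, the complaint Eduardo raises) is likewise the example's addition to the recipe, not the paper's.

```python
"""Static-token cookie versus a signed, expiring cookie.

Added example, not code from the thread or from WordPress.  static_cookie
is the scheme the thread complains about: a fixed function of the password
hash, valid until the password changes.  issue_cookie/verify_cookie follow
the Fu et al. recipe cited as [1], user|expiry|MAC_k(user|expiry), and
additionally derive k from the user's current password hash so that a
password change voids every outstanding cookie.  The server secret, the
PBKDF2 parameters and the user names are this example's own assumptions.
"""
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = b"example-only-server-secret"   # assumption: lives in config, not the database


def static_cookie(password: str) -> str:
    """The double-MD5 token described in the thread: same value every session."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5(inner.encode()).hexdigest()


class UserStore:
    """Minimal user table: name -> (salt, PBKDF2-SHA256 hash)."""

    def __init__(self):
        self.users = {}

    def set_password(self, user: str, password: str) -> None:
        if "|" in user:
            raise ValueError("user name may not contain the cookie separator")
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def password_hash(self, user: str) -> bytes:
        return self.users[user][1]


def _cookie_key(store: UserStore, user: str) -> bytes:
    # Key = MAC(server secret, stored hash): it changes whenever the password does.
    return hmac.new(SERVER_SECRET, b"cookie-key|" + store.password_hash(user), "sha256").digest()


def issue_cookie(store, user, lifetime=3600, now=None) -> str:
    """user|expiry|hex(HMAC-SHA256(k, user|expiry)) with k bound to the password."""
    exp = int(time.time() if now is None else now) + lifetime
    payload = "%s|%d" % (user, exp)
    mac = hmac.new(_cookie_key(store, user), payload.encode(), "sha256").hexdigest()
    return "%s|%s" % (payload, mac)


def verify_cookie(store, cookie, now=None):
    """The user name if the cookie is intact, unexpired and issued under the
    user's current password; otherwise None."""
    try:
        user, exp_s, mac = cookie.split("|")
        exp = int(exp_s)
    except ValueError:
        return None
    if user not in store.users or exp < int(time.time() if now is None else now):
        return None
    expected = hmac.new(_cookie_key(store, user), ("%s|%d" % (user, exp)).encode(),
                        "sha256").hexdigest()
    return user if hmac.compare_digest(mac, expected) else None
```

With the static token, a value captured once by XSS, sniffing or a database read is a permanent credential and can also be brute-forced offline; with the signed cookie, a stolen value dies at its expiry or at the next password change, and the database alone (no server secret) cannot mint one. Reference [2] goes one step further and ties the MAC to the TLS session key, which this example leaves out.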

Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-22 Thread Eduardo Tongson
That exploits the JavaScript [1] and open URI [2] features through the
Acrobat WebLink plug-in. Adobe put JavaScript into the PDF 1.3
specification for forms interaction. Opening up the calculator should
not be a feature [3].

[1] /JS ({app.alert\("evil javascript active!"\);}\r{app.alert\("Oh
wait! We aren\'t finished with you yet.."\);}\r)

[2] /URI (www.nthelp.com/evil_browse.htm)

[3] 

On 9/23/07, silky <[EMAIL PROTECTED]> wrote:
> On 9/22/07, Geo. <[EMAIL PROTECTED]> wrote:
> > > pa> http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
> > > Is this the way responsible disclosure works these days ?
> > > "Adobe?s representatives can contact me from the usual place."
> > >
> > > Wow, now that's coordinated release. Knowing the bugs that you found
> > > previously it should take 10 minutes to rediscover this one. Which
> > > makes this even worse.
> >
> > I just saw his video showing the exploit fireing up calculator, it looks
> > like the same stuff (feature/exploit call it what you want) that's been
> > around for years. See www.nthelp.com/test.pdf (warning, it won't damage
> > anything but it may scare you)
>
> ps, if anyone cares, this exploit does not work on foxit pdf reader v1.3.
>
> foxit rocks.
>
> so lets not call it a 'pdf' vuln, but a 'adobe acrobat' vuln.
>
>
>
>
> > Geo.
> >
>
>
> --
> mike
> http://lets.coozi.com.au/
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
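A triage scanner for the PDF features named in this thread, as an added example that is not from the posts. It inflates FlateDecode streams and undoes `#xx` name escapes before looking for action names, because both hide `/JS` and `/URI` from a plain grep. The two sample documents are constructed here; the `/JS` and `/URI` values in the first are the ones quoted above.

```python
"""Triage scanner for the PDF features discussed above (/JS, /URI, ...).

Added example, not from the original post.  It lists the action-related
names in a PDF after inflating FlateDecode streams and undoing the #xx
name escapes that hide /JS or /JavaScript from a naive grep.  The sample
documents are constructed here; the /JS and /URI values in the first are
the ones quoted in the post.
"""
import re
import zlib

# Names that let a document run code, fetch a URI or launch a program.
RISKY = {"JS", "JavaScript", "OpenAction", "AA", "Launch", "URI",
         "SubmitForm", "GoToR", "EmbeddedFile", "RichMedia"}
NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def decode_name(raw: bytes) -> str:
    """Undo PDF name escapes: /#4A#53 is the same name as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def expanded(data: bytes):
    """Yield the non-stream text plus the inflated body of every stream."""
    pos = 0
    for m in STREAM_RE.finditer(data):
        yield data[pos:m.start()]
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            yield m.group(1)           # not Flate (or damaged): scan as-is
        pos = m.end()
    yield data[pos:]


def scan_pdf(data: bytes):
    """Count occurrences of each risky name; an empty dict means nothing found."""
    counts = {}
    for blob in expanded(data):
        for m in NAME_RE.finditer(blob):
            name = decode_name(m.group(1))
            if name in RISKY:
                counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample: an OpenAction that runs the JavaScript quoted in the post,
# plus the URI action.  Only the objects that matter are present.
SAMPLE_PDF = (
    b"%PDF-1.3\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Type /Action /S /JavaScript "
    b"/JS ({app.alert\\(\"evil javascript active!\"\\);}) >>\nendobj\n"
    b"4 0 obj\n<< /Type /Action /S /URI /URI (www.nthelp.com/evil_browse.htm) >>\nendobj\n"
)

# Constructed evasion sample: hex-escaped names and a Launch action hidden in a
# compressed stream.
_hidden = zlib.compress(b"<< /S /Launch /F (cmd.exe) >>")
OBFUSCATED_PDF = (
    b"%PDF-1.3\n5 0 obj\n<< /S /#4A#61#76#61#53#63#72#69#70#74 "
    b"/#4A#53 (app.launchURL\\(\"http://example.invalid/\"\\)) >>\nendobj\n"
    b"6 0 obj\n<< /Length " + str(len(_hidden)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _hidden + b"\nendstream\nendobj\n"
)

if __name__ == "__main__":
    print("sample    :", scan_pdf(SAMPLE_PDF))
    print("obfuscated:", scan_pdf(OBFUSCATED_PDF))
```

The scanner is deliberately naive about string contents (the `/URI` count of 2 in the first sample includes the `/S /URI` action type as well as the key), so treat the output as a list of objects to open in a hex editor, not a verdict. A document that scores nothing here can still carry a malformed object that attacks the parser rather than a feature; this only finds the feature abuse the thread is about.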


Re: [Full-disclosure] [ GLSA 200708-14 ] NVIDIA drivers: Denial of Service

2007-08-19 Thread Eduardo Tongson
On 8/20/07, Raphael Marichez <[EMAIL PROTECTED]> wrote:
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Gentoo Linux Security Advisory   GLSA 200708-14
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> http://security.gentoo.org/
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
>   Severity: Normal
>  Title: NVIDIA drivers: Denial of Service
>   Date: August 19, 2007
>   Bugs: #183567
> ID: 200708-14
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> Synopsis
> 
>
> A vulnerability has been discovered in the NVIDIA graphic drivers,
> allowing for a Denial of Service.
>
> Background
> ==
>
> The NVIDIA drivers provide support for NVIDIA graphic boards.
>
> Affected packages
> =
>
> ---
>  Package /   Vulnerable   / Unaffected
> ---
>   1  x11-drivers/nvidia-drivers  < 100.14.09  >= 100.14.09
>   *>= 1.0.9639
>   *>= 1.0.7185
>
> Description
> ===
>
> Gregory Shikhman discovered that the default Gentoo setup of NVIDIA
> drivers creates the /dev/nvidia* with insecure file permissions.
>
> Impact
> ==
>
> A local attacker could send arbitrary values into the devices, possibly
> resulting in hardware damage on the graphic board or a Denial of
> Service.
>
> Workaround
> ==
>
> There is no known workaround at this time.
>
> Resolution
> ==
>
> All NVIDIA drivers users should upgrade to the latest version:
>
> # emerge --sync
> # emerge --ask --oneshot --verbose "x11-drivers/nvidia-drivers"
>
> References
> ==
>
>   [ 1 ] CVE-2007-3532
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3532
>
> Availability
> 
>
> This GLSA and any updates to it are available for viewing at
> the Gentoo Security Website:
>
>   http://security.gentoo.org/glsa/glsa-200708-14.xml
>
> Concerns?
> =
>
> Security is a primary focus of Gentoo Linux and ensuring the
> confidentiality and security of our users machines is of utmost
> importance to us. Any security concerns should be addressed to
> [EMAIL PROTECTED] or alternatively, you may file a bug at
> http://bugs.gentoo.org.
>
> License
> ===
>
> Copyright 2007 Gentoo Foundation, Inc; referenced text
> belongs to its owner(s).
>
> The contents of this document are licensed under the
> Creative Commons - Attribution / Share Alike license.
>
> http://creativecommons.org/licenses/by-sa/2.5
>


-- 
pǝ

Re: [Full-disclosure] Retrieving "deleted" sms/mms from Nokia phone (Symbian S60)

2007-05-20 Thread Eduardo Tongson
gd,
You can also recover SMS from the flash memory cards used in these Nokia
phones. The phones have a feature wherein you can archive or back up SMS
to the cards. So even if they delete the backup you could just
undelete the .dat files using something like TestDisk to recover the
messages.

On 5/16/07, Davide Del Vecchio <[EMAIL PROTECTED]> wrote:
> Hello list,
>
> During some research, I found an interesting "feature"
> on my Nokia mobile phone; I was able to retrieve any
> apparently deleted sms/mms.
> Leaving aside some paranoid thoughts about WHY these
> sms are not deleted, I think that, while this represents
> a high risk for our privacy, this discovery could give some
> hints in the mobile phone forensics and anti-forensics field.
>
> First, I would like to tell you that I tested this on
> my Nokia N-gage and on a Nokia 6600 but I am quite sure
> that this procedure works on every Nokia Symbian S60
> (maybe other vendors). So I strongly encourage you to test
> it on your mobile phone and share the results.
>
>
> Tested products:
>
> Nokia N-gage, firmware version: V 4.03 26-11-2003 NEM-4
>
> Nokia 6600
>
> Maybe the whole S60 series.
>
>
> Procedure:
>
> Download the Nokia PC Suite for your mobile phone and make
> a backup on your local hd.
> I used PC Suite for Nokia N-Gage Version 1.0.0
> http://www.nokia.com/pcsuite
>
> It will create a huge number of ".dat" files in a specified
> directory.
>
> Download, install and start Cygwin. This is not required but
> suggested; you could use a hexadecimal editor and a bit of
> patience, but using Cygwin is surely faster.
> http://www.cygwin.com
>
>
> Move into the backup directory.
>
>
> $ ls -al | less
>
> total 6016
> drwx--+ 2 Administrator Nessuno  0 Feb  6 01:35 .
> drwx--+ 7 Administrator Nessuno  0 Feb  5 23:00 ..
> -rwx--+ 1 Administrator Nessuno   2972 Nov 27  2003 1.dat
> -rwx--+ 1 Administrator Nessuno  22913 Nov 27  2003 10.dat
> -rwx--+ 1 Administrator Nessuno   1062 Feb 16  2005 100.dat
> -rwx--+ 1 Administrator Nessuno   3912 Aug  9  2005 1000.dat
> -rwx--+ 1 Administrator Nessuno   2750 Aug 25  2005 1001.dat
> -rwx--+ 1 Administrator Nessuno   8741 Dec 15  2005 1002.dat
> -rwx--+ 1 Administrator Nessuno   9926 Dec 20  2005 1003.dat
> -rwx--+ 1 Administrator Nessuno 63 Dec 30  2005 1004.dat
> -rwx--+ 1 Administrator Nessuno  23988 Jan 13  2006 1005.dat
> -rwx--+ 1 Administrator Nessuno 18 Jan 23  2006 1006.dat
> ...
> ...
> etc etc (files created by the nokia pc suite).
>
>
> Choose a file to examine.
>
> $ ls -al 3102.dat
> -rwx--+ 1 Administrator Nessuno 666569 Feb  5 23:59 3102.dat
>
> Use the command "strings" to find printable characters.
>
> $ strings 3102.dat | less
>
> Ciao! Auguro a te ed alla tua [EMAIL PROTECTED] Farlonesi
> ...
> ...
> etc etc
>
>
>
> This is part of an sms I deleted and that I don't see on my phone.
> So, just grep every file in the directory to find the complete sms:
>
> $ grep -i "Auguro a te ed alla" *
>
> Binary file 1770.dat matches
> Binary file 3102.dat matches
>
> The sms has been found in 1770.dat file, let's see what's inside it:
>
> $ strings 1770.dat
>
> Ciao! Auguro a te ed alla tua famiglia un felice anno nuovo! E.
> 4+393915253350
> 4+393922378986
>
> Got it! The complete sms, with the phone number of the sender (phone
> numbers have been changed).
> In earlier versions of Nokia PC Suite it just creates a ".nbu" file and
> you can just edit it with an hexadecimal editor.
>
> I mailed the Nokia support and they told me they didn't know about this
> bug and would like to know more information about impacted models, but
> they don't have any intention to release some kind of patch.
> I contacted Symbian too; they told me that Symbian sources are
> distributed to mobile phone vendors and so they cannot release any
> end-user patch.
>
> This description is also available here:
> http://www.alighieri.org/advisories/retrieving_deleted_sms.txt (ENG)
> http://www.alighieri.org/advisories/recuperare_sms_cancellati.txt (ITA)
>
> Regards,
>
> Davide Del Vecchio.
>
> --
> http://www.alighieri.org
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
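The procedure above works through the .dat files with `strings` and `grep`; the script below does the same carving in one pass, as an added example that is not from the post or from Nokia. It also extracts UTF-16LE runs, since Symbian keeps text in 16-bit descriptors and a plain `strings` misses those, and it pulls E.164-style numbers out of whatever it finds. `SAMPLE_DAT` is a constructed blob built around the message and the already-altered numbers quoted in the post; `search_backup()` is the only function that reads real files.

```python
"""Carve message text and phone numbers out of a Nokia PC Suite .dat backup.

Added example, not from the original post.  It does what the post does with
strings and grep, but in one pass: printable ASCII runs and UTF-16LE runs
(Symbian stores text as 16-bit descriptors) are extracted with their
offsets, and E.164-style numbers are pulled from the results.  SAMPLE_DAT
is a constructed blob around the message and (already altered) numbers
quoted in the post; no real backup is read.
"""
import os
import re
from typing import List, Tuple

PHONE = re.compile(r"\+\d{8,15}")


def carve_strings(data: bytes, min_len: int = 8) -> List[Tuple[int, str, str]]:
    """(offset, encoding, text) for every printable run of at least min_len chars."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def phone_numbers(strings) -> List[str]:
    """Distinct +country-code numbers, in order of first appearance."""
    seen = []
    for _, _, text in strings:
        for num in PHONE.findall(text):
            if num not in seen:
                seen.append(num)
    return seen


def search_backup(directory: str, needle: str, min_len: int = 8):
    """Walk a PC Suite backup directory (the post's *.dat files) and report
    every file, offset and encoding where needle occurs in a carved string."""
    hits = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".dat"):
            continue
        with open(os.path.join(directory, name), "rb") as f:
            data = f.read()
        for off, enc, text in carve_strings(data, min_len):
            if needle.lower() in text.lower():
                hits.append((name, off, enc, text))
    return hits


SAMPLE_DAT = (
    b"\x00\x10\x00\x00\xff\xfe\x01\x02"                                   # constructed header junk
    + b"Ciao! Auguro a te ed alla tua famiglia un felice anno nuovo! E."  # text quoted in the post
    + b"\x00\x00\x03"
    + b"4+393915253350\x00\x00" + b"4+393922378986\x00\x00"              # numbers as in the post
    + "Risposta: grazie, anche a te!".encode("utf-16-le")                # constructed UTF-16 entry
    + b"\x00\x00\x7f\x80"
)

if __name__ == "__main__":
    for off, enc, text in carve_strings(SAMPLE_DAT):
        print("%6d %-8s %s" % (off, enc, text))
    print("numbers:", phone_numbers(carve_strings(SAMPLE_DAT)))
```

Run over a real backup as `search_backup("C:/backup", "Auguro a te")` to get the same two hits the post found with grep, plus the encoding and offset for each; from the offset it is a short step to carving the surrounding record with a hex editor. Undeleted .dat files recovered from a memory card, as Eduardo suggests, go through the same function unchanged.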


Re: [Full-disclosure] [Full-Disclosure] (Psexec on *NIX)

2007-02-01 Thread Eduardo Tongson
On 2/2/07, Xavier Beaudouin <[EMAIL PROTECTED]> wrote:
<>
>
> Allowing direct root login even with SSH is IMHO stupid...
>

Please elaborate why it is IYHO stupid.

- ed



Re: [Full-disclosure] http://prdelka.blackart.org.uk/paperz/VAstacksmash.txt

2005-10-11 Thread Eduardo Tongson
On 10/11/05, none none <[EMAIL PROTECTED]> wrote:
> Can you point out where in the kernel tree this
> randomization has been done? I havent seen anything on
> LKML explaining this.

in >=2.6.12
# sysctl kernel.randomize_va_space
# cat /proc/self/maps



-ed
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
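The two commands in the reply tell you the setting and show one process's layout; to see the randomisation you have to compare two processes. The script below does that as an added example (not from the post): it parses `/proc/self/maps` text, reports which regions moved, and on Linux reads the sysctl and runs the comparison live. `RUN_A` and `RUN_B` are constructed i386 listings illustrating `randomize_va_space=1`, where the stack and mmap-based libraries move while the heap (brk) and a non-PIE executable keep their addresses; later kernels add brk randomisation as value 2.

```python
"""Check whether mappings move between runs, as the reply above suggests.

Added example, not from the original post.  region_bases() parses
/proc/self/maps text, compare_runs() reports which regions changed base
between two processes, and live_check() does it for real on a Linux box
and reads kernel.randomize_va_space the way the post's sysctl does.
RUN_A/RUN_B are constructed i386 map listings for randomize_va_space=1.
"""
import re
import subprocess

MAP_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")


def region_bases(maps_text: str):
    """Lowest start address per region name: '[stack]', '[heap]', or a file's basename."""
    bases = {}
    for line in maps_text.splitlines():
        m = MAP_LINE.match(line.strip())
        if not m:
            continue
        start, name = int(m.group(1), 16), m.group(4).strip()
        if not name:
            continue                                   # anonymous mapping
        key = name if name.startswith("[") else name.rsplit("/", 1)[-1]
        bases.setdefault(key, start)                   # maps are address-sorted
    return bases


def compare_runs(maps_a: str, maps_b: str):
    """(moved, fixed): region names whose base differs / is identical between runs."""
    a, b = region_bases(maps_a), region_bases(maps_b)
    common = a.keys() & b.keys()
    moved = {k for k in common if a[k] != b[k]}
    return moved, common - moved


def live_check():
    """Run two fresh processes and compare their maps (Linux only); None elsewhere."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            setting = int(f.read().strip())
        runs = [subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                               text=True, check=True).stdout for _ in range(2)]
    except (OSError, ValueError, subprocess.SubprocessError):
        return None
    return setting, compare_runs(*runs)


RUN_A = """\
08048000-08049000 r-xp 00000000 08:01 1234       /tmp/helloworld.bin
08049000-0804a000 rw-p 00000000 08:01 1234       /tmp/helloworld.bin
0804a000-0806b000 rw-p 00000000 00:00 0          [heap]
b7e3c000-b7f7c000 r-xp 00000000 08:01 5678       /lib/libc.so.6
b7f8a000-b7fa6000 r-xp 00000000 08:01 91011      /lib/ld-linux.so.2
bfc10000-bfc25000 rw-p 00000000 00:00 0          [stack]
"""
RUN_B = """\
08048000-08049000 r-xp 00000000 08:01 1234       /tmp/helloworld.bin
08049000-0804a000 rw-p 00000000 08:01 1234       /tmp/helloworld.bin
0804a000-0806b000 rw-p 00000000 00:00 0          [heap]
b7dd1000-b7f11000 r-xp 00000000 08:01 5678       /lib/libc.so.6
b7f1f000-b7f3b000 r-xp 00000000 08:01 91011      /lib/ld-linux.so.2
bfa50000-bfa65000 rw-p 00000000 00:00 0          [stack]
"""

if __name__ == "__main__":
    print("constructed:", compare_runs(RUN_A, RUN_B))
    print("live       :", live_check())
```

The point the constructed listings make is the one that matters for the stack-smashing paper in the subject line: with the setting at 1 the stack and libc move, so a hard-coded return address stops working, but a non-PIE binary's own text and PLT stay where the linker put them and remain usable as a jump target.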

Re: [Full-disclosure] Local suid files and buffer overflows

2005-10-09 Thread Eduardo Tongson
> Hi,
>
> first of all apologies for asking such a newbie question but I am trying
> to learn how to exploit buffer overflows and therefore wrote a little
> program to exploit. This little program has the following permissions:
>
> $ ls -la test1
> -rwsr-sr-x  1 root root 17164 Oct  8 01:25 test1
>
> Now I exploited it using Aleph One's shellcode (see
> http://shellcode.org/shellcode/linux/null-free/) but I won't get a SUID
> shell afterwards (I know the exploit did work but I still have my normal
> user privileges). Why? I have tried a different shellcode to write a file
> and this file was root:root. Any ideas, hints, rtfm?
>
> Thank you.
>

Use a setreuid/setuid shellcode 

-ed

[Full-disclosure] HT vulnerability & vendors

2005-07-23 Thread Eduardo Tongson
Most of you may have heard about the HT vulnerability [1][2][3];
here's an interview with the researcher.  

An interesting bit there was his vendor experience.

[1] 
[2] 
[3] 

--ed


Re: [Full-disclosure] TCP/IP Stack Vulnerability

2005-04-18 Thread Eduardo Tongson
Compiles and runs ok on *BSD and Linux.
No effect on Windows XP SP2 Home/Pro, Linux 2.4/2.6, NetBSD 2.0.2, DragonFly 1.2.
No sign of DoS on either side of the connection.
No wonder the people you sent the advisory to didn't bother to respond.


-- 
    Eduardo Tongson 



Re: [Full-disclosure] linux bugs (survival stories)?

2005-04-13 Thread Eduardo Tongson
> Like I said, this one was closed with Ulrich Drepper's patch applied in 2.6.0,
> which was released on Dec 17, 2003.  So it's only been fixed for some 15 months
> or so in the current stable kernel.

get my modified helloworld binary
http://pornadmin.net/~tongson/linux/helloworld.bin
and run that from a noexec mount
works on 2.6.12-rc2-mm3

-- 
            Eduardo Tongson 



Re: [Full-disclosure] linux bugs (survival stories)?

2005-04-12 Thread Eduardo Tongson
#include <stdio.h>
int main(int argc, char *argv[])
{
  printf("Hello world!\n");
  return 0;
}

> "like for example" is always a bad way to discuss things, because it's
> unclear what exactly you're talking about. ;)
ok ;)
 
> Now, going with specifics...  The last really big "trivial" issue with
> bypassing noexec on mounted filesystems was closed by a patch from Ulrich
> Drepper in 2.6.0 - basically forcing you to mmap() the binary in and then
> mprotect() it to add the exec flag.  And at *that* point, it gets ugly, because
> even if you stop them from calling mprotect() to get it executable, they can
> still use some variant of "unexec()" (see the Emacs/XEmacs source tree) to dump
> it out, twiddle the headers, and then exec() it off some other file system.
>
> So what specific issue with noexec are *you* thinking of, and what is your
> proposed fix for it?

'hello world' can bypass noexec:
just remove the executable flags from the program headers.
The compiled binary doesn't even need to have executable permissions.

#include <stdio.h>
int main(int argc, char *argv[])
{
  printf("Hello world!\n");
  return 0;
}


% sudo mount -o remount,noexec /tmp
% wget http://pornadmin.net/~tongson/linux/helloworld.bin -O /tmp/helloworld.bin
% /lib/ld-linux.so.2 /tmp/helloworld.bin
Hello world!

-- 
Eduardo Tongson 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
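What the message above describes in one line, clearing the executable flag in the program headers, is done below as an added example (not code from the thread). It walks the program header table of an ELF32 or ELF64 image in either byte order and drops `PF_X` from every `PT_LOAD` segment, touching nothing else. `build_sample_elf64()` constructs a header-only image so the transformation can be checked without a real binary; it contains no runnable code.

```python
"""Clear the PF_X bit on every PT_LOAD segment of an ELF image.

Added example, not code from the thread.  It implements what the post
describes ("remove the executable flags from the program headers"): walk
the program header table (ELF32 and ELF64, either byte order) and drop
PF_X from each loadable segment, leaving everything else byte-for-byte
intact.  build_sample_elf64() constructs a header-only image for checking
the transformation; it is not a runnable program.
"""
import struct
import sys

PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4


def program_headers(data: bytes):
    """List of dicts: type, flags, and the file offset of each p_flags field."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = {1: "<", 2: ">"}[data[5]]                  # EI_DATA: LSB / MSB
    if data[4] == 1:                                  # ELFCLASS32
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        flags_at = 24                                 # p_flags is the 7th field of Elf32_Phdr
    elif data[4] == 2:                                # ELFCLASS64
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        flags_at = 4                                  # p_flags follows p_type in Elf64_Phdr
    else:
        raise ValueError("unknown ELF class %d" % data[4])
    headers = []
    for i in range(phnum):
        base = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", data, base)
        (p_flags,) = struct.unpack_from(end + "I", data, base + flags_at)
        headers.append({"type": p_type, "flags": p_flags,
                        "flags_at": base + flags_at, "end": end})
    return headers


def load_segment_flags(data: bytes):
    """p_flags of the PT_LOAD segments, in table order."""
    return [h["flags"] for h in program_headers(data) if h["type"] == PT_LOAD]


def clear_exec_flags(data: bytes) -> bytes:
    """Copy of the image with PF_X removed from every PT_LOAD segment."""
    out = bytearray(data)
    for h in program_headers(data):
        if h["type"] == PT_LOAD and h["flags"] & PF_X:
            struct.pack_into(h["end"] + "I", out, h["flags_at"], h["flags"] & ~PF_X)
    return bytes(out)


def build_sample_elf64() -> bytes:
    """Constructed x86-64 header with a text (R+X) and a data (R+W) segment."""
    ehdr = struct.pack("<16sHHIQQQIHHHHHH",
                       b"\x7fELF\x02\x01\x01" + b"\x00" * 9,   # 64-bit, LSB, SysV ABI
                       2, 0x3E, 1, 0x400078, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    text = struct.pack("<IIQQQQQQ", PT_LOAD, PF_R | PF_X,
                       0, 0x400000, 0x400000, 0xB0, 0xB0, 0x1000)
    data = struct.pack("<IIQQQQQQ", PT_LOAD, PF_R | PF_W,
                       0xB0, 0x600000, 0x600000, 0x10, 0x10, 0x1000)
    return ehdr + text + data + b"\x00" * 0x20


if __name__ == "__main__":
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf64()
    print("before:", [hex(f) for f in load_segment_flags(src)])
    stripped = clear_exec_flags(src)
    print("after :", [hex(f) for f in load_segment_flags(stripped)])
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(stripped)
```

Saved as, say, clear_exec.py, `python3 clear_exec.py helloworld.bin /tmp/helloworld.bin` writes the stripped copy, after which `/lib/ld-linux.so.2 /tmp/helloworld.bin` runs it from the noexec mount exactly as the post shows. The trick works because the dynamic loader maps each segment with the protection its flags ask for: with PF_X gone it asks for PROT_READ only, which the noexec mount check (which refuses PROT_EXEC mappings) lets through, and on an i386 without NX a readable page is executable anyway. Where NX is enforced the same mapping faults on the first instruction fetch, which is why the bypass belongs to the 2005 kernels and hardware the thread is discussing.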


Re: [Full-disclosure] linux bugs (survival stories)?

2005-04-12 Thread Eduardo Tongson
> >>BUT i was woundering, to what extent adding these extra security
> >>measures are effective against the real attacks & bugs discovered in
> >>the kernel.
> >
> > They do almost nothing to guard against bugs discovered *in the kernel*,
> > because all of them are addressing *userspace* bugs.

Stuff like, for example, circumventing noexec flags on mounted filesystems
is still trivial even with the latest and development versions of the
Linux kernel.
I don't know if you could even consider it that sad.

-- 
        Eduardo Tongson 



Re: [Full-disclosure] openbsd 3.8 under GPL?

2005-04-01 Thread Eduardo Tongson
> I heard that Theo is actually hired by Red Hat and that the whole
> OpenBSD project is gonna be bought by Red Hat.

It's April 1, or Theo and RMS are actually brothers. 

-- 
        Eduardo Tongson 
