Re: [Full-disclosure] Drupal core XSS vulnerability
Thanks to Justin for identifying and describing this issue. With a little more detail inline.

On Wed, Aug 14, 2013 at 7:33 AM, Justin C. Klein Keane wrote:
> Mitigating factors:
> ---
> In order to inject arbitrary script malicious attackers must have the
> ability to manipulate module .info files on a site filesystem, perhaps
> via permissions misconfiguration,

It feels unclear to me if the permissions mentioned here are Drupal permissions or others. So, to be clear, this would require server file permission misconfiguration. The info files are placed in the same directories as php code. For this vulnerability to be significant it would require permissions like:

-rw-rw-rw- 1 deployuser deployuser  243 Jan  7  2013 machine_name.info
-rw-rw-r-- 1 deployuser deployuser  434 Jan  7  2013 machine_name.install
-rw-rw-r-- 1 deployuser deployuser 3802 Jan  7  2013 machine_name.module

Or maybe:

-rw-rw-r-- 1 deployuser somegroup   243 Jan  7  2013 machine_name.info
-rw-r--r-- 1 deployuser somegroup   434 Jan  7  2013 machine_name.install
-rw-r--r-- 1 deployuser somegroup  3802 Jan  7  2013 machine_name.module

In the first scenario the attacker would just need a shell on the server. In the second scenario the attacker would need a shell on the server and membership in somegroup.

> feels this issue is already public (https://drupal.org/node/637538),
> however the public discussion only concerns the development of the
> next major release of Drupal - Drupal 8. There is no mention in the
> public discussion, of the fact that this issue faces both current
> supported release versions (Drupal 7 and Drupal 6) and likely previous
> releases.

I updated that issue to include Drupal 7 and Drupal 6 mentions. It's true this affects previous releases, but previous releases are explicitly EOL and full of holes that are not documented.

* Drupal 5 EOL Announcement: https://drupal.org/node/1027214
* Drupal 4.7 EOL Announcement: https://drupal.org/node/225729

Regards,
Greg

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
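A defender-side check for the precondition Greg describes, added here as an example (it is not code from the post or from Drupal): it walks a module directory and reports every .info or PHP file that is writable beyond its owner, mapping each finding to the two scenarios in the listings above. The module directory, file names and modes it builds are constructed samples; machine_name is the placeholder from the listing.

```python
"""Audit a Drupal module/theme directory for .info and PHP files that
someone other than the owning deploy user can write.  Constructed example;
not part of the original post."""
import grp
import os
import stat
import tempfile

# Files Drupal reads from a module directory.  The .info file sits next to
# the PHP code, so it should be no more writable than the .module file is.
DRUPAL_CODE_EXTENSIONS = {".info", ".module", ".install", ".inc", ".php"}


def group_name(gid):
    """Best-effort group name for a gid; falls back to the number."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def what_attacker_needs(mode, gid):
    """Map the write bits of an st_mode to the two scenarios in the post:
    world-writable -> any shell on the server is enough,
    group-writable -> a shell plus membership in the file's group,
    owner-only     -> None (not a finding)."""
    if mode & stat.S_IWOTH:
        return "any shell on the server"
    if mode & stat.S_IWGRP:
        return "a shell on the server and membership in group " + group_name(gid)
    return None


def audit_module_dir(root):
    """Return sorted (relative path, ls-style mode, requirement) tuples for
    every regular Drupal code or .info file writable beyond its owner."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1] not in DRUPAL_CODE_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: never follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            need = what_attacker_needs(st.st_mode, st.st_gid)
            if need is not None:
                findings.append((os.path.relpath(full, root),
                                 stat.filemode(st.st_mode), need))
    return sorted(findings)


def build_module(root, modes):
    """Write a constructed machine_name module with the given file modes."""
    for name, mode in modes.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("; constructed sample\n" if name.endswith(".info") else "<?php\n")
        os.chmod(path, mode)


def demo_scenarios():
    """Recreate the two listings from the post in temp dirs and audit them.
    Returns {scenario_label: findings}."""
    scenarios = {
        # -rw-rw-rw- .info, -rw-rw-r-- .install and .module
        "world_writable_info": {"machine_name.info": 0o666,
                                "machine_name.install": 0o664,
                                "machine_name.module": 0o664},
        # -rw-rw-r-- .info, -rw-r--r-- .install and .module
        "group_writable_info": {"machine_name.info": 0o664,
                                "machine_name.install": 0o644,
                                "machine_name.module": 0o644},
    }
    results = {}
    for label, modes in scenarios.items():
        root = tempfile.mkdtemp(prefix="drupal_info_audit_")
        build_module(root, modes)
        results[label] = audit_module_dir(root)
    return results


if __name__ == "__main__":
    for label, findings in demo_scenarios().items():
        print(label)
        for rel, perms, need in findings:
            print("  %s %s -> attacker needs %s" % (perms, rel, need))
```

Run it against a real sites/all/modules tree by calling audit_module_dir() on that path; anything it reports is a file the deploy user is not the only writer of.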
Re: [Full-disclosure] WordPress Authenticated File Upload Authorisation Bypass
On Wed, Jun 20, 2012 at 8:04 PM, Denis Andzakovic <denis.andzako...@security-assessment.com> wrote:
> Exploitation of this vulnerability requires a malicious user with
> access to the admin panel to use the
> "/wp-admin/plugin-install.php?tab=upload" page to upload a malicious
> file.

That tool is meant to allow an admin to upload arbitrary php plugins. You can argue that this feature is insecure by design, but there are two solutions from the WordPress perspective:

1) "Don't grant malicious users the permission to install plugins."
2) If you don't want this feature on your site at all, this feature can be disabled in the config:

define( 'DISALLOW_FILE_MODS', TRUE);

By the way, two more "vulnerabilities": the theme installer has this same issue and the upgrade tool could also be abused if you can poison the DNS of the server.

Regards,
Greg
Re: [Full-disclosure] [Security-news] SA-CONTRIB-2012-051 - Activity - Multiple Vulnerabilities
I should note that Justin was a reporter of the issue to the Drupal Security Team. When writing the advisory he was mistakenly excluded. That's been corrected in the html version of this advisory http://drupal.org/node/1506562

On Wed, Mar 28, 2012 at 4:40 PM, Justin C. Klein Keane wrote:
> Exploit for bespoke:
>
> Patch:

Note that Justin's POC and patch below only address the XSS issue and not the CSRF issue.

Regards,
Greg

--
Director Security Services | +1-720-310-5623
Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com
Re: [Full-disclosure] [Security-news] SA-CONTRIB-2012-040 - CKEditor and FCKeditor - multiple XSS, arbitrary code execution
Hi MaXe,

Thanks for the response. You raise a good point that our advisories are not as educational as they could be as a result of not fully detailing the attacks. I recognize I'm writing this on the full-disclosure list, but many members of our community prefer a long waiting period after the vulnerability is announced to share details or POC so our "vendor" stance matches that desire.

However, members of the Drupal community often give presentations about secure coding at community events like user group meetings, regional and national events (we call them Drupalcamps and Drupalcons). They often use previous security advisories to demonstrate 1) how to exploit the attack and 2) how to fix the attack. It probably wouldn't be as useful for you personally, but for anyone else interested here are some videos:

One example video where I demonstrate a few kinds of attacks and how to prevent them in Drupal: http://www.archive.org/details/drupal_security_for_coders

A search for "drupal security" finds tons of other videos, most of which should have similar demonstrations: http://www.archive.org/search.php?query=drupal%20security%20AND%20mediatype%3Amovies

Regards,
Greg

On Fri, Mar 16, 2012 at 3:53 PM, InterN0T Advisories wrote:
> Hello Greg,
>
> Thank you for your response.
>
> After re-reading the advisory a couple of times, and after a few
> communication attempts from Ustima who seems to have personal issues with
> me, I realized that I was wrong, and that it wasn't the same bug that I
> made an advisory for.
>
> I am glad however, that you pointed out the difference, and also how your
> advisories are designed (e.g., without PoC's limiting both attacks but also
> free knowledge. Of course I could just research this bug discovered by you
> or your team and release a working exploit), but the confusing part is also
> the time-frame, as the CKEditor developers have recently fixed the bug I
> discovered.
>
> Thanks again for clarifying the difference, but also responding to this
> public mailing list.
>
> Best regards,
> MaXe
>
> On Thu, 15 Mar 2012 07:57:17 -0600, Greg Knaddison wrote:
>> Hello MaXe,
>>
>> Thanks for the feedback.
>>
>> Our security advisories are meant to be a little opaque and do not
>> include a POC, so I can understand how these two issues could be
>> confusing: they both include XSS in something named (F)CKEditor.
>>
>> However this issue is quite different from the one you identified.
>>
>> Your advisory was about Javascript execution in html attributes inside
>> the Javascript/CKEditor tool itself. This vulnerability is about a
>> feature of the Drupal module written in PHP which responds to Ajax
>> requests and sends back text filtered using one of Drupal's Input
>> Formats.
>>
>> Users of Drupal who upgraded (F)CKEditor Javascript previously to
>> address the issue you identified in that code need to update their
>> Drupal module as well to fix the issue described in the advisory
>> SA-CONTRIB-2012-040.
>>
>> Regards,
>> Greg
>>
>> On Wed, Mar 14, 2012 at 2:42 PM, InterN0T Advisories wrote:
>>> FYI, this bug was recently fixed by the CKEditor Developers, as the bug
>>> itself was in the CKEditor module, not Drupal. (They just use it like
>>> everyone else.)
>>>
>>> Cartoon of the day: http://i.imgur.com/IbRbx.jpg
>>>
>>> References:
>>> https://dev.ckeditor.com/ticket/8630#comment:23
>>> http://seclists.org/fulldisclosure/2012/Jan/279
>>> http://forum.intern0t.org/intern0t-advisories/4102-drupal-ckeditor-3-0-3-6-2-persistent-eventhandler-cross-site-scripting.html
>>> http://i.imgur.com/IbRbx.jpg
>>>
>>> Best regards,
>>> MaXe
>>>
>>> PS: Sorry for the previous HTML e-mail.
>>>
>>> On Wed, 14 Mar 2012 19:03:36 +0000 (UTC), security-n...@drupal.org wrote:
>>>> * Advisory ID: DRUPAL-SA-CONTRIB-2012-040
>>>> * Project: CKEditor [1], FCKeditor [2] - WYSIWYG HTML editor (third-party module)
>>>> * Version: 6.x, 7.x
>>>> * Date: 2012-March-14
>>>> * Security risk: Highly critical [3]
>>>> * Exploitable from: Remote
>>>> * Vulnerability: Cross Site Scripting, Cross Site Request Forgery, Arbitrary PHP code execution
>>>>
>>>> DESCRIPTION
>>>> -----------
>>>>
>>>> CKEditor and its predecessor FCKeditor
Re: [Full-disclosure] [Security-news] SA-CONTRIB-2012-040 - CKEditor and FCKeditor - multiple XSS, arbitrary code execution
Hello MaXe,

Thanks for the feedback.

Our security advisories are meant to be a little opaque and do not include a POC, so I can understand how these two issues could be confusing: they both include XSS in something named (F)CKEditor.

However this issue is quite different from the one you identified.

Your advisory was about Javascript execution in html attributes inside the Javascript/CKEditor tool itself. This vulnerability is about a feature of the Drupal module written in PHP which responds to Ajax requests and sends back text filtered using one of Drupal's Input Formats.

Users of Drupal who upgraded (F)CKEditor Javascript previously to address the issue you identified in that code need to update their Drupal module as well to fix the issue described in the advisory SA-CONTRIB-2012-040.

Regards,
Greg

On Wed, Mar 14, 2012 at 2:42 PM, InterN0T Advisories wrote:
> FYI, this bug was recently fixed by the CKEditor Developers, as the bug
> itself was in the CKEditor module, not Drupal. (They just use it like
> everyone else.)
>
> Cartoon of the day: http://i.imgur.com/IbRbx.jpg
>
> References:
> https://dev.ckeditor.com/ticket/8630#comment:23
> http://seclists.org/fulldisclosure/2012/Jan/279
> http://forum.intern0t.org/intern0t-advisories/4102-drupal-ckeditor-3-0-3-6-2-persistent-eventhandler-cross-site-scripting.html
> http://i.imgur.com/IbRbx.jpg
>
> Best regards,
> MaXe
>
> PS: Sorry for the previous HTML e-mail.
>
> On Wed, 14 Mar 2012 19:03:36 +0000 (UTC), security-n...@drupal.org wrote:
>> * Advisory ID: DRUPAL-SA-CONTRIB-2012-040
>> * Project: CKEditor [1], FCKeditor [2] - WYSIWYG HTML editor (third-party module)
>> * Version: 6.x, 7.x
>> * Date: 2012-March-14
>> * Security risk: Highly critical [3]
>> * Exploitable from: Remote
>> * Vulnerability: Cross Site Scripting, Cross Site Request Forgery, Arbitrary PHP code execution
>>
>> DESCRIPTION
>> -----------
>>
>> CKEditor and its predecessor FCKeditor allow Drupal to replace textarea
>> fields with the (F)CKEditor - a visual HTML WYSIWYG editor.
>>
>> The modules have an AJAX callback that filters text to prevent Cross site
>> scripting attacks on content edits. This AJAX callback function contains a
>> number of bugs which allow attackers to choose which filter to execute on
>> chosen text or bypass the filter entirely.
>>
>> The vulnerability can be used to conduct Cross site scripting (XSS) attacks
>> on privileged users. Attackers can also execute arbitrary PHP code if the
>> core PHP module is enabled. This can happen either directly or by enticing a
>> privileged user to visit a page.
>>
>> Direct execution of PHP code requires that the attacker has the following
>> privileges:
>>
>> "access fckeditor" for FCKeditor 6.x
>> "access ckeditor" for CKEditor 6.x
>>
>> No additional permissions are required to directly exploit the PHP code
>> execution flaw on CKEditor 7.x.
>>
>> VERSIONS AFFECTED
>> -----------------
>>
>> * FCKeditor 6.x-2.x versions prior to 6.x-2.3.
>> * CKEditor 6.x-1.x versions prior to 6.x-1.9.
>> * CKEditor 7.x-1.x versions prior to 7.x-1.7.
>>
>> Drupal core is not affected. If you do not use the contributed CKEditor -
>> WYSIWYG HTML editor [4] module, there is nothing you need to do.
>>
>> SOLUTION
>> --------
>>
>> Install the latest version:
>>
>> * If you use the FCKeditor module for Drupal 6.x, upgrade to FCKeditor
>>   6.x-2.3 [5].
>> * If you use the CKEditor module for Drupal 6.x, upgrade to CKEditor
>>   6.x-1.9 [6].
>> * If you use the CKEditor module for Drupal 7.x, upgrade to CKEditor
>>   7.x-1.7 [7].
>>
>> See also the CKEditor - WYSIWYG HTML editor [8] project page.
>>
>> REPORTED BY
>> -----------
>>
>> * Heine Deelstra [9] of the Drupal Security Team
>>
>> FIXED BY
>> --------
>>
>> * Wiktor Walc [10] the module maintainer
>>
>> CONTACT AND MORE INFORMATION
>> ----------------------------
>>
>> The Drupal security team can be reached at security at drupal.org or via the
>> contact form at http://drupal.org/contact [11].
>>
>> Learn
Re: [Full-disclosure] posting xss notifications in sites vs software packages
On Tue, Feb 7, 2012 at 4:18 PM, b wrote:
> What is the point of posting notifications of XSS vulnerabilities in
> specific web sites instead of alerts of xss vulns in specific software
> packages?

I think there are at least 2 reasons:

1. We have pretty good data about bugs in published software packages because those vendors will usually disclose the issues and we can track it and know what's going on. But we don't have good data for security bugs in completely custom code. I think it's helpful to prove the point that custom code has security bugs too, even if we don't see CVE numbers for it.

2. If you are a customer of one of those sites you can use the knowledge of a bug in the site to take proactive measures like disabling javascript/flash/java/etc. when visiting that site if you know it has xss. Or simply not logging in until a CSRF issue is fixed.

Regards,
Greg

--
Director Security Services | +1-720-310-5623
Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com
Re: [Full-disclosure] Vulnerability in multiple themes for Drupal
/* Pardon my failure to thread this properly. I just subscribed so future responses can be threaded properly. */

http://seclists.org/fulldisclosure/2011/Oct/22 reports vulnerabilities in several themes based on the cumulus.swf file. That file is not present in those themes in the format distributed from drupal.org.

For example, http://drupalcode.org/project/danland.git/tree/refs/heads/6.x-3.x shows there is no cumulus.swf in the danland theme which was one of the themes listed as vulnerable by mustlive.

Since there is no vulnerability in these themes the Drupal Security Team will not be making an announcement about them.

Regards,
Greg Knaddison, a member of the Drupal Security Team speaking on my own behalf

--
Director Security Services
Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com
Re: [Full-disclosure] OpenBSD Paradox
he has some cool root exploits. but you have to run them as root.

On Dec 15, 2010, at 5:00 PM, BMF wrote:
> 2010/12/15 musnt live :
>> What is this time to stop the press!
>
> This fake broken English schtick is really stupid and annoying. Knock
> it off. In the meantime you are kill filed. I suggest everyone else do
> the same as nothing useful has ever come of this person.
>
> BMF
[Full-disclosure] RHEL Linux Kernel Exploit
funny...

1. you were root when you ran the code! epic elite.
2. he said "red hat" NOT redhat based. Redhat has no control over what others do to "redhat based" efforts.

you need more coffee! 8)

-g

musnt live spewed:

[musntl...@pizda ~]# awk '/rel/' /etc/issue
Scientific Linux SL release 5.5 (Boron)
[musntl...@pizda ~]# uname -a
Linux allotropos 2.6.18-194.3.1.el5 #1 SMP Fri May 7 01:52:57 EDT 2010 i686 athlon i386 GNU/Linux
[musntl...@pizda ~]# md5sum fullnullson.c
b16e2a647bc8de1f72f25ab29aa916da  fullnullson.c
[musntl...@pizda ~]# gcc -o hakaruski fullnullson.c && ./hakaruski
[*] Failed to open file descriptors.
[musntl...@pizda ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),1337(hakaruskis)
[musntl...@pizda ~]# whoami
musntlive

Is this exploit work and is my Linux is RedHat based. Thank you Dan and Ryan Seacrest!
[Full-disclosure] Symark PowerBroker: Local Privilege Escalation vulnerability
Michael Ligh (of MNIN.org) and Greg Sinclair (of NNL-Labs) have identified a vulnerability in Symark's PowerBroker suite that allows an attacker with local access to gain root access.

For complete details, please refer to the full advisory located at http://www.mnin.org/advisories/2008_symarkpb.pdf

Michael Ligh, Greg Sinclair
Re: [Full-disclosure] SecNiche : Microsoft Internet Explorer Pop up Blocker Bypassing and Dos Vulnerability
> Advisory : Microsoft Internet Explorer Pop up Blocker Bypassing and Dos
> Vulnerability

In fact, it isn't just "malicious" doing this. I wanted to read an article on a well known Australian I.T. mag and it had, with it, the usual advertisements. In the middle of reading it using IE7, a pop up started to come up. I noted that the GOOGLE pop up blocker installed on this IE7 turned to "Popups Okay" and when the popup came up, it bounced right back to "# blocked" where "#" equals the number recorded as blocked.

This happened to me yesterday while using an Internet Explorer 7 on a Vista machine with no third party firewall installed and Google Toolbar installed.

So it led me to wonder - is Google actually allowing popups for paid advertisers or is someone fooling with the Google popup blockers for the same reason?

No, I haven't investigated it. I haven't had the time and though this has potential most likely, it didn't seem malicious right now. Perhaps someone else can. Too much on my plate to get near it right now. I would love to hear anything if anyone looks into it.

Apologies if this has already been posted. I am way behind on my list reading.

Greg.
[Full-disclosure] NNL-Labs & MNIN - F5 FirePass Security Advisory
Michael Ligh from MNIN (http://www.mnin.org) and Greg Sinclair from NNL-Labs (http://nnl-labs.com) have released on 5 January 2007 an advisory regarding multiple vulnerabilities in the F5 Firepass product. The F5 Firepass is vulnerable to multiple filter bypasses, information disclosure and cross-site scripting attacks. For more information, please visit http://www.mnin.org/advisories/2007_firepass.pdf.

Thanks,
Michael Ligh and Greg Sinclair
Re: [Full-disclosure] Nmap Online
> -----Original Message-----
> From: Christian "Khark" Lauf [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 7 December 2006 5:22 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Nmap Online
>
> Hi,
>
> Greg wrote:
>
>> I don't wish to upset anyone but that answer has to be the craziest
>> FIRST "port of call" approach I have seen used. I get plenty of those
>> sorts of calls. I take about 30 seconds time on the phone for almost
>> all of them. I say "Pull the power plug out of the router. Wait 10
>> seconds, plug it back in and wait another 10 seconds. OK, try now" and
>> almost all of them report it works well.
>
> What about the people whose router configuration (which was
> done by a friend months/years ago) you just reset? Better
> prepare for some house visits to restore SOHO router
> configurations :-)

I am fairly certain that the NV in NV-ram doesn't mean "New Victim" but "Non Volatile". Eg, even if nothing else works so you pull the plug and put it back in, the settings you have changed remain intact. So, in most cases, no you do not need to worry when pulling the plug.

> And I think that the more you know about a certain topic, the
> more you are able to find nice & half-decent solutions.
> Resetting the whole device just because of what is a maybe
> temporary problem doesn't seem clever to me.

That wasn't what I said of course. The whole point was that if the user is complaining about not getting email from their ISP via whatever method they decide to use and/or cannot get onto the web, then pulling the power plug is a viable answer that is normally correct in most situations. Sure, there are some where it isn't the answer but if you find out it is still as bad as it ever was after pulling the plug and putting it back in, then you need to go there, physically, in any case.

> But I understand your point.. At some point in time first
> level support gets boring.

It wasn't even that which I said. My point was always that there are better ways of doing things. You could drive 30 miles just to pull the plug yourself leaving the current job unfinished or unable to get to that next problem in a suitable response time or you could just tell the person on the phone to do that while you wait and see the result. In most cases, it has been the answer. It has never ALWAYS been the case. In the cases where it works, it is just a more efficient way for YOU to work. No "online" answer is going to fix a router that just lost its cool and is locked up unless you have installed a remote power down and power up (yeah, they exist but I haven't used one and can't remember the name).

The end result of working this way is a happy customer who is now able to work, a contact who feels superior because they worked with you to fix the problem and is more likely to help you out in future when you want something done that they are capable of doing and you can get to your next appointment on time.

Call me crazy but I reckon trying it first is always the best approach.

Greg.
Re: [Full-disclosure] Nmap Online
> -----Original Message-----
> From: Ed Carp [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 6 December 2006 2:06 PM
> To: full-disclosure@lists.grok.org.uk
> Cc: David Matousek
> Subject: Re: [Full-disclosure] Nmap Online
>
> On 12/5/06, Simon Smith <[EMAIL PROTECTED]> wrote:
>
>> Why would you do this?
>
> Well, for one, sometimes you need to do a port scan when
> you're not in front of a system that has nmap installed on
> it. I get a call about once every couple of months, "why
> can't I get into my email server" that's sitting behind a
> hardware router with a hole poked in it for port 110. Doing
> a port scan on the client's IP address ensures that either
> yes, the port is open or no, it's not. If it's open then I
> can proceed with my troubleshooting - if not, I know where to
> look for the problem.

I don't wish to upset anyone but that answer has to be the craziest FIRST "port of call" approach I have seen used. I get plenty of those sorts of calls. I take about 30 seconds time on the phone for almost all of them. I say "Pull the power plug out of the router. Wait 10 seconds, plug it back in and wait another 10 seconds. OK, try now" and almost all of them report it works well. So why would I need and how could I use Nmap online to tell me the router went crazy and locked up? Besides, wouldn't it be just as easy to use the Nmap sitting on my computer if I decided I needed to use it?

Greg.
Re: [Full-disclosure] Removing the NIC cable = EoP?
I don't really understand the fuss to be honest. Eg, to do that you would have to be so lax in security that anyone who could take an Ethernet cable out and put it in another computer would be able to do that. This means that someone is bending over, unplugging, moving it the required distance to another machine and plugging it in.

Hell, the well known and still existing Windows problem would be much easier... you know the one yes? You have a networked machine that has a password at keyboard level and a screen saver set to take it back to the logon screen when inactive for "X" minutes. To get back in at keyboard level for a non-hacker means knowing at least the password or possibly the username and password depending on how it is set up. However, if the keyboard user has already logged on then, say, gone to lunch and the machine has defaulted to wanting you to logon, it retains its network capability. Much easier for a pissed off employee to use that method to gain access than being seen moving to that computer and back again.

I have always maintained, which some disagree with, that if the machine requires local user logon in those circumstances, it also should be forced off the network. After all, the machine that I discovered that had that problem was a payroll one and of course anyone able to get in via the network could while normal users who didn't know the password couldn't.

If anyone is interested, yes I sent that one in to MS quite some time back just around when they released SP2 for XP. They said it would be an option (you decide which way it behaves) next SP and/or Windows (eg, Vista). Don't hold your breath on it happening.

> -----Original Message-----
> From: Jessica Hope [mailto:[EMAIL PROTECTED]
> Sent: Friday, 6 October 2006 11:20 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Removing the NIC cable = EoP?
>
> Lee Turner is correct, a default RM machine running Windows 98 (or
> 95...) will allow local admin if it can't reach the network.
> Since such machines would be deployed in schools and
> sometimes by people who do not know anything about what they
> are doing, this attack can work rather well.
>
> However, RM's defaults are worse than that, as all
> restrictions are stored in the registry, so you can just as
> quickly unrestrict yourself with modification of a few keys...
>
> Jessica
Re: [Full-disclosure] Removing the NIC cable = EoP?
-----Original Message-----
From: Pink Hat [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 4 October 2006 2:45 AM
To: Tonnerre Lombard
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Removing the NIC cable = EoP?

> Wrong.
> It is about getting local admin rights in this case as the so called attack scenario requires it.
> List -- this is so easy to disprove yet we have all kinds of so called security professionals and in this case a (wow, I am almost pissing
> myself) BSD Kernel hacker, stating that they feel its a possible attack.
> Go grab VMWare and various windows versions from your favorite warez site and spend the time to actually try things and understand how
> the technology works before you comment.
> The bottom line is that what was posted on that site about "hacking high school computers" is false.

I have been reading this thread on FD because there was something nagging at my memory and I was hoping one of you might prod it to life. Unfortunately you didn't but apparently the "My Documents" in my head defragged itself and spit out the old answer.

This idea is a fake and I believe I know from whence it may have come. Back in the 80s when having Internet to a home was about as cheap as buying a 747SP (not 747B, you couldn't afford that one with an Internet yearly payment), there used to exist the old BBS scene. That is, Bulletin Boards that you rang directly to using your 2400BPS modem (or even earlier for those of you who remember the old 300/300 days). Some BBSs used to be correctly written and upon loss of carrier would cancel the session and reset to the start of the program, awaiting a new call. Some would not. Some would sit there and time out before resetting while some would just sit there endlessly. The result of the latter 2 was that someone ringing in after the person who just cut the carrier would end up logged on under that person's access and do whatever that person was capable of doing on that BBS.

This sounds like what this whole discussion has been based upon though updated to today's standards. There was a case in the early 90s where you could pull the networking cable out and put it into another computer and assume the network rights of the computer that had it before. Heck, there were some of us who used to do that to check that whatever the whinger was having a whinge about was right or not.

The point is, those days of "I am not hacking, I am helping" in the case of the network cable or "Shit! Look at what this idiot has done!" in the case of the modem dropper has not existed, to my meagre knowledge, in a very long time. I do know the early days of the 90s in some ISPs when they were learning their craft of security, you might actually logon and find yourself with someone else's accounts, too. Happened quite accidentally to me once. Rang in on dial up and found I was logged on as someone I didn't know before I could do a thing. THOSE problems are long gone as well.

So, I believe that unless there is something I am sadly missing - and let's be honest here, I admit I could be missing something - this seems all to be a load of bullshit. I honest-to-God (Allah, Buddha, whomever) don't really know of any program for communication purposes in serious use these days that is so damned stupid unless it is at least 15 years old.

Therefore - PLEASE, someone correct me, point out the error of my ways by either providing the relevant info directly or the link if you are bone lazy like me - or in the absence of such proof, may we now decide this is a load of "politician truth" (that being the same stuff you get from the arse end of a bull)??

Thank you,
Signed - Don't-know-nuffin.
Re: [Full-disclosure] Backdooring PDF Files
On 9/14/06, fit happy <[EMAIL PROTECTED]> wrote:
> It really takes effect in my virtual machine: xp sp2+pdf reader version 7.0.1.2005030700

Using the evince reader on Linux, the link opens within evince itself rather than launching a new browser.
[Full-disclosure] Responsibility
Large motel/hotel chain I recently acquired wants to sue previous company who did their I.T. work for them as a customer's wifi connected machine infected their network and caused loss of booking data thus money.

My question then is - if you have done the utmost to lock down your customer but someone connects an infected machine and somehow it gets in, is the customer right in suing you? Eg, like a car mechanic, you do the best but you cannot be 100% sure that something else that was never a problem will now cause a problem (such as a new exploit in our case that wasn't known generally until 24 hours ago). Should you be sued at that point?

Wondering whether to dump the guy at this point.

Thanks.
[Full-disclosure] Bluetooth Activesync - requesting test
OK this sounds screwy but if someone has the equipment, can you test and let us all know please?

A PDA I was working on that had to be Activesync'd to one computer had the PDA name "John" rather than the standard name that comes with the PDA. Another PDA was already working with Activesync. Both were over encrypted bluetooth. The other one was named "Cheryl" just for info's sake.

Anyway, "John" was a new PDA of exactly the same make and model as "Cheryl" (Mortein syndrome) but what I didn't know and didn't look for, initially, was that the computer had been set up by someone else to ONLY allow connections from "Cheryl" and no other device, and it was set in "non discovery" mode, that is, no other bluetooth device was supposed to be able to find it. When I set John up, it autosync'd for 24 hours and then stopped syncing again. I went back and did a thorough look and found that "Cheryl" was the only one allowed to connect over bluetooth to the computer but "John" had, anyway.

So this makes me wonder - and this is what I am asking help with - is it possible that bluetooth pairing, connection in total and autosync are all at risk if the same model PDA is used, even though they are set up with different PDA names and even if settings are correct and are NOT supposed to allow connection from anything else? If it is, this is a worry. Of course, the alternative is that I stuffed something up, I know, but for the life of me, I can't see what it is. If data is encrypted and only paired devices that are NAMED are allowed to connect, I would have thought that meant I shouldn't have been able to set the other PDA up, but I did.

Thanks for any info/help.
Greg.
RE: [Full-disclosure] Re: According to Ivan, the secret ZA phone-homeserver is located at 127.0.0.1 [was Re: Re:Re: ZoneAlarm phones home]
I say "TAKE THE SECRET SERVER DOWN"!! I incite mass ping flooding of that ip 127.0.0.1 NOW! Would that stop it, Ivan? Get right on it and let us know the results of your tests.

> -----Original Message-----
> From: Ivan . [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 7 February 2006 9:15 AM
> To: Dave Korn
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Re: According to Ivan, the secret ZA phone-homeserver is located at 127.0.0.1 [was Re: Re:Re: ZoneAlarm phones home]
>
> You're quite a piece of work Dave. The "secret" server is actually zonelabs.com, hence the workaround to edit the hosts file and map that domain to the loopback address. Do you know how the windows hosts file works? No? Here is a link that may help you: Blocking Unwanted Parasites with a Hosts File http://www.mvps.org/winhelp2002/hosts.htm
>
> The work around issued by zonealarm and their response to this list is proof enough for me that there was an issue, and probably for quite a few other people. But not you Dave, eh?
>
> On 2/7/06, Dave Korn <[EMAIL PROTECTED]> wrote:
> > Frank Knobbe wrote:
> > > On Mon, 2006-02-06 at 14:06 +, Dave Korn wrote:
> > > > > > The company says it will fix the "bug" soon. In the meantime you can work around it by adding:
> > > > > > # Block access to ZoneLabs Server
> > > > > > 127.0.0.1 zonelabs.com
> > > > > > to your Windows host file.
> > > >
> > > > 2) You aren't the first person in the world to mistake the loopback interface for a routable address, but you do look just as dumb as everyone else who's ever done it down the annals of history.
> > >
> > > You might want to remove your foot from your own mouth. The loopback thing is a workaround
> >
> > I'm perfectly aware of that, but if you had actually read this thread you would realise that's not the issue under discussion.
> >
> > I claimed that Cringely was spreading FUD, because he hadn't so much as shown us a packet trace or an IP address. Ivan told me to "read the article again Dave, you'll find that he did provide the ip address of the destination servers to Zonealarm". When I point out to Ivan that a) the article was not by Cringely but a second-hand report of Cringely's original article, and that b) 127.0.0.1 is not the ip address of the destination servers, I am correct, and the fact that redirecting a hostname lookup to the loopback address is an effective method of blocking an adbanner does not in any way contradict anything I've said nor confirm anything Ivan said.
> >
> > Maybe that taste of shoe leather you've noticed is coming from your own mouth?
> >
> > > You might want to think yourself before assailing other posters verbally. But frankly, I don't care since your email just qualified you for my plonker list.
> >
> > That's your choice; if you're happier reading FUD-spreading mis-reported nonsense from people who don't even know the loopback address when they see it rather than well-informed posts from people who have done their background research and know the field, you're going the right way about it.
> >
> > Of course, you're the ever-so-reasonable guy whose posts are full of emotive and pejorative terms like "presume we're all lusers", "wild assumptions", "must be an idiot", "piece of shit", "satisfy the ego", "stop sucking", so I call PKB on you, troll.
> >
> > > Cheers,
> > > Frank
> > >
> > > PS: zonelabs.com resolves to 208.185.174.44 in case you're still wondering about an IP address.
> >
> > Your adroitness with nslookup hardly compensates for your not having paid any attention to the actual *content* of the discussion you wish to contribute to.
> >
> > > PPS: Of course that's not proof of anything. Packet traces would be preferred, but I'd think anyone with Zone Alarm could probably gather those easily.
> >
> > If you'd care to actually look at this thread, you would have seen that that is the main point of my original post.
> >
> > > (...Why do I even care...)
> >
> > You clearly don't care enough to read the thread and try and follow the argument you're responding to. I suggest that if you don't care that much, you really shouldn't bother writing a half-baked response that utterly misses the point.
> >
> > cheers,
> > DaveK
> > --
> > Can't think of a witty .sigline today
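The point the thread keeps circling is what a hosts-file line like "127.0.0.1 zonelabs.com" actually does: it is a local override consulted before DNS, so the name resolves to the loopback interface and the connection never leaves the machine; 127.0.0.1 is the sink, not a server. The script below is an added example, not code from this thread or from ZoneLabs or Microsoft. It parses a constructed hosts file (the sample contents and the .invalid hostnames are made up for the example), resolves names the way the resolver does (first match, exact name, no wildcards) and reports where traffic to the result would go.

```python
"""Resolve a hostname the way the hosts file does, and classify the result.

Added example (not code from the thread): simulates the hosts-file lookup
that precedes DNS so that an entry such as "127.0.0.1 zonelabs.com" is seen
for what it is: a local override that points the name at the loopback
interface, not a destination server on the Internet.
"""
import ipaddress

# Constructed sample hosts file: the ZoneLabs workaround quoted in the
# thread plus a normal localhost line, a comment, and two extra entries
# (the .invalid names are made up for this example).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Block access to ZoneLabs Server
127.0.0.1       zonelabs.com
0.0.0.0         ads.example.invalid   # constructed: unspecified-address sink
10.0.0.5        intranet.example.invalid www.intranet.example.invalid
"""


def parse_hosts(text):
    """Return an ordered list of (ip, [names]) tuples.

    Comment and blank lines are skipped and inline comments after '#' are
    dropped, which is how the OS resolver reads the file.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no hostname has no effect
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: the resolver ignores the line
        entries.append((ip, [n.lower() for n in fields[1:]]))
    return entries


def resolve(name, entries):
    """First-match lookup of a hostname against parsed hosts entries.

    Returns the address as a string, or None when the name is not in the
    file (and would therefore go out to DNS). Matching is on the exact
    name: an entry for zonelabs.com says nothing about www.zonelabs.com.
    """
    name = name.lower()
    for ip, names in entries:
        if name in names:
            return str(ip)
    return None


def classify(ip_text):
    """Say where traffic to this address would actually go."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:
        return "loopback: never leaves this host (blocked)"
    if ip.is_unspecified:
        return "unspecified: not a reachable destination (blocked)"
    if ip.is_private:
        return "private: redirected to a LAN address"
    return "public: redirected to a routable Internet address"


def audit(text):
    """Map every hostname in the file to its classification (first match wins)."""
    result = {}
    for ip, names in parse_hosts(text):
        for n in names:
            result.setdefault(n, classify(str(ip)))
    return result


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    for host in ("zonelabs.com", "www.zonelabs.com", "ads.example.invalid"):
        addr = resolve(host, entries)
        print(host, "->", addr, "" if addr is None else classify(addr))
```

Two things the run makes visible that the thread only argues about: the zonelabs.com entry lands on the loopback interface, so no packet for it ever reaches 208.185.174.44 or anywhere else, and a lookup for www.zonelabs.com returns None, because hosts entries match exact names only, a caveat for anyone relying on a single line to block a whole domain. The same `audit` pass over a real hosts file is the routine check for tampering during incident handling, since a hosts entry can just as easily point a legitimate name at an address the machine's owner never chose.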
RE: [Full-disclosure] Re: Re: PC Firewall Choices
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nancy Kramer
> Sent: Friday, 20 January 2006 2:30 PM
> To: Stan Bubrouski; full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Re: Re: PC Firewall Choices
>
> I admit I know nothing about firewalls but with ZA I have had to shut it down sometimes to go onto the internet. I have no idea why. I just can't get on and when I shut it down I can.

That'd be a well known and never fixed bug I reported to Zonelabs some years back now. It has a feature to automatically lock the internet connection after so many minutes of inactivity. The length of time can be changed by the user. What it REALLY did was cut off access to the internet and any LAN you were on, isolating you entirely, and never actually let go of it when the user was back at the keyboard. Exiting ZA let that go and internet and LAN were restored.

You have the option to turn that feature OFF but even that didn't stop the whole thing happening. So, about the only thing you could do was to set the auto lock as high as it could go and turn the feature off. It would still go off after that many minutes had passed (which I believe is 999 in the PRO version and 99 in the free version) and lock you out again, but it was delayed by that much, at least.

You CAN set certain programs to pass by its lock, however. So, if you have some computers almost always chattering away on a distributed project but otherwise not touched, you could allow those programs to pass on even though, should you attempt to get out with a simple web browser (where it wasn't allowed to pass the lock), you can't. Saves some stuffing about on such machines and let's face it - the more "free" some company execs see, the more likely they are to use it. Surprising how many Windows based companies use free ZA.
RE: [Full-disclosure] Re: Re: PC Firewall Choices
> -----Original Message-----
> From: Stan Bubrouski [mailto:[EMAIL PROTECTED]
> Sent: Friday, 20 January 2006 8:37 AM
> To: Greg
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Re: Re: PC Firewall Choices
>
> On 1/19/06, Greg <[EMAIL PROTECTED]> wrote:
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stan Bubrouski
> > > Sent: Friday, 20 January 2006 7:51 AM
> > > To: full-disclosure@lists.grok.org.uk
> > > Subject: Re: [Full-disclosure] Re: Re: PC Firewall Choices
> > >
> > > On 1/19/06, Dave Korn <[EMAIL PROTECTED]> wrote:
> > > > Stan Bubrouski wrote in news:[EMAIL PROTECTED]
> > > > > As cruel as that last message was I'm sick of the ZA pros here saying it's perfect, it's not, far from it.
> > > >
> > > > Since nobody has ever claimed that ZA is perfect, in saying this you prove
> > >
> > > Yeah I didn't literally mean perfect, only that certain people seem to argue that everyone's complaints about ZA aren't real because they don't experience them. What proof
> >
> > Actually, seeing no-one actually said that, I suppose that is a pointer towards you REALLY meaning that YOU can't make the prog do something therefore no-one can.
>
> I said it slowed down IE on machines here and some apps wouldn't start. Where did I claim that everyone had this problem? Again just because something doesn't affect you doesn't mean ZA isn't at fault... unless you are sitting at the exact same computer as me I don't see how you can know this...
>
> > > could I proffer here? Some flawed benchmark? A video? Why would I bother, you assume I'm lying anyways.
> > >
> > > > that your claims are either lies or hyperbole. If you can't argue with what
> > >
> > > So because you think that one sentence is misleading (in retrospect 'perfect' was not a good word choice), everything else I said must be untrue. Sigh.
> > >
> > > > people actually said, making up things that they didn't say is fatuously dishonest.
> > >
> > > You are the one being dishonest and the one exaggerating here. You take something too literally, and call people
> >
> > Actually, I would have to agree with him that it was you doing that. You either lied or exaggerated above as I pointed out. Deal with it.
>
> How selectively we read. He accused me of lying about using the word perfect (I didn't mean it literally) and then said my claims that ZA slowed down IE and caused some apps not to load here are either lies or exaggerated because he says so. And now because you say so... you've convinced me! Is there some benchmark you'd like me to run to prove it to you?

I don't think any more needs be said. Your mistakes, above, are enough to condemn you by your own word so for the sake of not making this any worse, we'll leave it here.
RE: [Full-disclosure] Re: Re: PC Firewall Choices
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stan Bubrouski
> Sent: Friday, 20 January 2006 7:51 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Re: Re: PC Firewall Choices
>
> On 1/19/06, Dave Korn <[EMAIL PROTECTED]> wrote:
> > Stan Bubrouski wrote in news:[EMAIL PROTECTED]
> > > As cruel as that last message was I'm sick of the ZA pros here saying it's perfect, it's not, far from it.
> >
> > Since nobody has ever claimed that ZA is perfect, in saying this you prove
>
> Yeah I didn't literally mean perfect, only that certain people seem to argue that everyone's complaints about ZA aren't real because they don't experience them. What proof

Actually, seeing no-one actually said that, I suppose that is a pointer towards you REALLY meaning that YOU can't make the prog do something therefore no-one can.

IMHO, ZA has some good points in it. As I said before, it is easy as buggery to set up and has ways to fix stuff that make life easier. One such example: in a wi-fi network that would get internet through the router but not connect to shares, a mate of mine, needing to get out quickly, simply installed ZA on each Windows machine, attempted to access shares from one machine to the next, then went to that other machine and added each manually set IP to the trusted list. That got the workers through OK until he had the time (after a few days skiing) to get back and fix it all properly. Bloody XP Pro and Home mix for some reason.

I like its ability to show "I KNOW hardware firewalls are better than software ones and WON'T be told anything else because *I* know - don't you?" types the logs that ZA free edition, behind their hardware firewall, picks up of whatever comes its way through the router without even upsetting a thing there. That doesn't mean that ZA stopped everything but there are SOME things stopped and logged so it is a cause for worry for them. They think they are safe. Clearly they aren't safe behind their hardware firewall and once more I say "For every so-called security professional who THINKS a hardware firewall is all you need, there is a blackhat laughing behind your back". OK that was slightly altered but it gets the point across.

> could I proffer here? Some flawed benchmark? A video? Why would I bother, you assume I'm lying anyways.
>
> > that your claims are either lies or hyperbole. If you can't argue with what
>
> So because you think that one sentence is misleading (in retrospect 'perfect' was not a good word choice), everything else I said must be untrue. Sigh.
>
> > people actually said, making up things that they didn't say is fatuously dishonest.
>
> You are the one being dishonest and the one exaggerating here. You take something too literally, and call people

Actually, I would have to agree with him that it was you doing that. You either lied or exaggerated above as I pointed out. Deal with it.
RE: [Full-disclosure] PC Firewall Choices
> -----Original Message-----
> From: Nic Werner [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 18 January 2006 10:42 AM
> To: Greg
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] PC Firewall Choices
>
> On 1/17/06, Greg <[EMAIL PROTECTED]> wrote:
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nic Werner
> > > Sent: Wednesday, 18 January 2006 10:05 AM
> > > To: Steven
> > > Cc: full-disclosure@lists.grok.org.uk
> > > Subject: Re: [Full-disclosure] PC Firewall Choices
> > > Importance: High
> > >
> > > ZoneAlarm - gets in the way, and hard to diagnose problems. You end up turning it off because it never remembers your settings and you can't trust it.
> >
> > Rubbish. Sure it gets in the way. It is MEANT to get in the way. If you close it down, it is likely because you don't know how to drive it. The prog CAN be a little hard for newbies to understand if you want to go internet banking etc but people on this list ought to know how to handle it.
>
> Getting in your way as opposed to letting you get work done are two different things. Kerio does a great job of popping up and explaining what is happening while I've seen more people confused by ZA and its dialogs
>
> No, we've turned ZA off as web sites or programs won't load (Ciscoworks, nGenius, etc) and even though we've checked the logs of ZA, nothing shows as being blocked. Turn it off and everything magically works. I will never run the bloat that is ZA.

As I said - if you don't know how to drive it, that will happen. It is variable enough, if you want to use it that is, to allow you to work at any web site the way you want. Either Pro or Free versions, BTW.

> Talk about trust, I don't trust the logging capability of ZA at all due to examples like the above. While I enjoy your rant to the choir about not trusting programs, my point is that ZA doesn't show everything while it is actively blocking something.

Did I say I trusted it? I said I loved it as it does a good job of that at least. It also shows so-called security professionals at installations that their belief in hardware based protection is just ridiculous. There was no rant from me, no preaching to the choir. I guess maybe I stated the bleedingly obvious but then it isn't so obvious to everyone no doubt.

> To each their own! As you can see Steven, you should just download each one and spend about a week fussing around.
>
> - Nic.

I agree with that but I would also like to point out that whatever you choose, if you don't feel your knowledge is up to it, then you need to read, read and read some more all over the place. Find out every little droplet of info you can about what people have done, found etc with the program of your choice. You may find the program you like because it is so user friendly is not up to scratch, while the one that "gets in the way" may suit you better depending on what you want it for once you learn how to drive the damned thing.
RE: [Full-disclosure] PC Firewall Choices
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nic Werner
> Sent: Wednesday, 18 January 2006 10:05 AM
> To: Steven
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] PC Firewall Choices
> Importance: High
>
> ZoneAlarm - gets in the way, and hard to diagnose problems. You end up turning it off because it never remembers your settings and you can't trust it.

Rubbish. Sure it gets in the way. It is MEANT to get in the way. If you close it down, it is likely because you don't know how to drive it. The prog CAN be a little hard for newbies to understand if you want to go internet banking etc but people on this list ought to know how to handle it.

As to trust, you have to be joking if you trust any firewall, software or hardware, to keep you safe. About the only way to keep your computer out of the reach of someone with the knowledge, initiative and will is to pull the power plug out of the wall BEFORE they get to it. For every "I know what I am doing" security professional, there is someone without credentials who doesn't mind that professional thinking that at ALL.

> Kerio - I liked the best, but the GUI would crash when trying

Keep track of what is going on with it. Personally I prefer vintage cheese to Swiss Cheese.

> to display all your packets. This is a known bug. Allows you to create rules, and to see how they are applied in comparison to the system-generated rules. Definitely try.
>
> 8Signs - Said it had stateful packet inspection, but didn't. I gave up trying to poke a hole for TFTP.

Haven't tried that one.

> I haven't tried Tiny, it's next on my list. The toughest part

Not worth even downloading. I did download it and I regret that. If someone wants to supplement the Windows XP firewall and doesn't really know what they are doing, I always say to get the free ZA to start with and learn from there, THEN decide what they want to do.

One thing that ZA does very well is log things you want logged. I love that bit on it at least. I use it to test hardware firewalls and installations in other ways behind routers. You'd be amused at how many hardware/router "I'm SAFE" types go bug eyed when I show them a simple log from ZA of innocuous and not-so-innocuous things that have come right by their router/hardware firewall without touching the sides and bounced off ZA.

Note - I am not spruiking FOR Zonelabs. I just like the logs bit and also like to tell newbies to start there and build up their knowledge.
[Full-disclosure] New virus?
Just a question: Recently had a rash of machines all turn off USB support. I am unsure what turned it off but was easily able to turn all back on of course. All machines are not from the one place either, nor are they all from the same company, so I am wondering if this is something new. Anybody know?

Symptoms: No USB anywhere, rest of machine OK to passable. All machines had Zone Alarm of one sort or another and on every machine Zone Alarm, whether connected to the Internet or not, ramped up to 100% use of CPU. When USB was set back to working, some machines showed known viruses that had nothing to do with this sort of action and Zone Alarm didn't cause a problem. Some machines had been hijacked or were otherwise open to being used over the Internet and some were not.

If anyone can point me towards what may be causing this, I would appreciate it. I used McAfee and AVG to search for viruses but nothing known to have made this occur was found. Quite a lot of the machines ran Nortons of one sort or another and it was working and up to date, but still one machine had 1035 infected files, none of which Nortons mentioned in any way.

Thanks for any help.
Greg.
Re: [Full-disclosure] Window's O/S
----- Original Message -----
From: "Cassidy Macfarlane" <[EMAIL PROTECTED]>
To: "pagvac" <[EMAIL PROTECTED]>;
Sent: Thursday, November 24, 2005 10:45 PM
Subject: RE: [Full-disclosure] Window's O/S

> This seems to be a 'nearest path' issue - iexplore would use notepad.exe to 'view source' by default, so when you choose to 'view source', Windows looks to the PATH variable to find notepad.

I thought of similar, so went on a hunt for all occurrences of "notepad.exe" and renamed them all to "nnotepad.exe" and then added the "notepad" folder to the desktop. In C:\windows\ the file "nnotepad.exe" remained as I had changed it and a brand new (from the same date as the renamed exe) "notepad.exe" appeared, and the same under c:\windows\system32 and c:\windows\dllcache as well.

So my question next is "If I have renamed the whole lot that I could find, where did this replacement notepad.exe come from?" and I can't really answer that one excepting to say that because notepad is the default html editor in IE6, perhaps IE6 has notepad somehow protected? BTW, my changed default is Word for the HTML editor in the options and yet Notepad kept coming up and all those changed exes kept reappearing.

I suppose this is a "class for idiots" type of question that I am failing. I admit it!

Greg.
Re: [Full-disclosure] the "Sony/BMG" virus
----- Original Message -----
From: "Kenneth Ng" <[EMAIL PROTECTED]>
To: "Todd Towles" <[EMAIL PROTECTED]>
Cc:
Sent: Saturday, November 12, 2005 3:46 AM
Subject: Re: [Full-disclosure] the "Sony/BMG" virus

> Right now the program phones home with info every time you play a song. How long before it phones home when you play competitors' songs?

Question - would a SIMPLE firewall prog that checks outbound connections properly (eg, not the Win XP firewall) pick up an odd attempt to connect to the net? Eg, even if it is hiding and cloaked, how did it connect to the net? Port 80 for example (anyone remember the original Realplayer "phone home" controversy years back?)?

Greg.
Re: [Full-disclosure] the "Sony/BMG" virus
----- Original Message -----
From: "Todd Towles" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc:
Sent: Saturday, November 12, 2005 6:07 AM
Subject: RE: [Full-disclosure] the "Sony/BMG" virus

> Are you quoting Sony's legal position from a policy somewhere? ;) They went down the wrong road. Adware and spyware vendors will start to

Pardon? "START" to? Seeing this has been an issue for a long time - cloaking of software for various reasons - someone correct me, please, if I am wrong, but I thought this cloaking was new to the public but old news on this list. Am I mistaking some rootkits here? I distinctly remember a rootkit remover which won't be named (simply because I forgot the name! ;-}) which actually installed a rootkit, backdoor open, Bob's your uncle, and it wasn't until said person actually admitted to it that it was found... or do I remember THAT wrong as well?

Greg.
Re: [Full-disclosure] Meeting Room Names
----- Original Message -----
From: "Martin Stricker" <[EMAIL PROTECTED]>
To:
Sent: Thursday, November 10, 2005 7:01 AM
Subject: Re: [Full-disclosure] Meeting Room Names

> "Native.Code" wrote:
> > We work in the IT security area like you. A room with which name will you like to have your meeting in?
>
> Not as good as some of the other suggestions, but... I would call the largest meeting room "maddog Hall".

May I also suggest a room that you have, to which all hawkers, canvassers and street salesmen can go and answer the phones from phone sales people? Call the room "Spam".

Greg.
Re: [Full-disclosure] Re: new IE bug (confirmed on ALL windows)
----- Original Message -----
From: "Dave Korn" <[EMAIL PROTECTED]>
To:
Sent: Friday, November 04, 2005 6:14 AM
Subject: [Full-disclosure] Re: new IE bug (confirmed on ALL windows)

> Greg wrote in news:[EMAIL PROTECTED]
> > ----- Original Message -----
> > From: "bkfsec" [EMAIL PROTECTED]
> > > To be honest, anyone who doesn't understand the previous paragraph, needs to shut the fuck up, report their results, and let the rest of us who have a clue sort the shit out.
> >
> > It isn't hard to prove he is wrong.
>
> Tragic. You clearly didn't understand that previous paragraph, after all. If only you had stopped, while you were behind. If only you had taken bkfsec's sage advice. Now I'm just going to _have_ to publicly humiliate you. So let's start with the first point:

Sigh, the above sort of posting is just what gets me here. We have people who know so much more than those who have posted on this thread who rarely comment due to comments like that. Whatever happened to civility in posting, here? I would rather them not be frightened away.

To answer your unfortunate comments though - the crash does not occur on the WIN98SE *ENGLISH* IE6SP2 edition when employed by me from a P2 400MHz which is running wired to this machine, which then routes it wireless to my router. This machine is behind ZA Pro for the heck of it. That was what I posted and remains true. I did *NOT* try any other language version which may or may not crash. As I explained, and you seem not to want to grasp, it doesn't crash as I have described. Now as I said in my post, *WHY* it doesn't crash I leave to those who are interested in the differences. I also noted it does crash on XPSP2 using IE6SP2 behind exactly the same conditions as the 98SE machine, and it crashes IE6SP2 on this XPSP2 machine. Now why you see that as a problem more than something that should be investigated I don't know, but they remain the irrefutable facts.

Greg.
Re: [Full-disclosure] new IE bug (confirmed on ALL windows)
----- Original Message -----
From: "bkfsec" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc:
Sent: Thursday, November 03, 2005 4:43 AM
Subject: Re: [Full-disclosure] new IE bug (confirmed on ALL windows)

> [EMAIL PROTECTED] wrote:
> > I just don't like such insisted contradiction when proof is here that's all... have been able to test it on 9 windows + 1 98SE and there is always someone to put the doubt on it ... my reaction maybe suck but I thought it was clear...
>
> To be honest, anyone who doesn't understand the previous paragraph, needs to shut the fuck up, report their results, and let the rest of us who have a clue sort the shit out.

It isn't hard to prove he is wrong. Takes about 30 seconds, if that. I can understand someone misses something, which is why I reported that person was wrong. That was all I did. I don't honestly care THAT much about it. However, if the fool can't take being wrong, that proves his worth, which is why I don't care what he says in future. No honest-to-goodness proper researcher cares about being corrected when it is that easy to prove they made a mistake. I have seen the real ones thank people on this list and others when this has happened. They are the researchers I read. I know this is FULL disclosure but do we need to expose being incapable of being wrong?

Such is life. My last post on the subject. Seems pointless going any further. You either accept you are wrong or thrash about like a 6 year old. I accept the differences between French and English version but didn't see that till after my last post. Perhaps if the original poster could do the same and realise that the majority of Windows users are English speaking, we could leave it at that. It explains my mistake. Hopefully he accepts it explains his instead of coming up with more of the same.

Greg.
Re: [Full-disclosure] new IE bug (confirmed on ALL windows)
I think this ends your usefulness by your own words. No use replying to someone, in future, who cannot take being wrong. You can safely be ignored by all, now. Anyone who cares will find that reported mistake doesn't affect IESP2 on 98SE.

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "'Greg'" <[EMAIL PROTECTED]>
Cc:
Sent: Wednesday, November 02, 2005 7:23 PM
Subject: RE: [Full-disclosure] new IE bug (confirmed on ALL windows)

> Well please shut the fuck , I have win98se FR here on an old CD, and I have reinstalled it only for you tonight, conclusion: it DOES CRASH ALSO on win98. Happy now to look idiot?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg
> Sent: Wednesday 2 November 2005 09:19
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] new IE bug (confirmed on ALL windows)
>
> No play on words. You said it worked on all Windows and it doesn't, simple as that. WHY it works on XP and not on 98SE is for anyone interested in that difference to check out. If it were a play on words, it wouldn't be a correction of an obvious mistake.
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: "'Greg'" <[EMAIL PROTECTED]>
> Cc:
> Sent: Wednesday, November 02, 2005 10:06 AM
> Subject: RE: [Full-disclosure] new IE bug (confirmed on ALL windows)
>
> > Rofl... there is always someone to play with words...
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg
> > Sent: Tuesday 1 November 2005 21:32
> > To: full-disclosure@lists.grok.org.uk
> > Subject: Re: [Full-disclosure] new IE bug (confirmed on ALL windows)
> >
> > > ----- Original Message -----
> > > From: <[EMAIL PROTECTED]>
> > > To:
> > > Sent: Wednesday, November 02, 2005 4:00 AM
> > > Subject: [Full-disclosure] new IE bug (confirmed on ALL windows)
> > >
> > > > I think I have found by chance this weekend a security bug, while browsing the website news, within iexplorer on all windows versions.
> > >
> > > Sorry to be the "Negative Nark" here but yes, the crash works on IESP2 with XPSP2 but NO it does NOT crash WIN98SE with IESP2. The 98SE box was networked through ICS (wired to this XP box then wi-fi to a router) and has no firewall of its own. This XP box through which the 98SE box gets its internet is in the router's DMZ and uses only Zone Alarm Pro, just for clarity. So, in essence the "confirmed on all windows" is wrong.
> > >
> > > Greg.
Re: [Full-disclosure] new IE bug (confirmed on ALL windows)
No play on words. You said it worked on all Windows and it doesn't, simple as that. WHY it works on XP and not on 98SE is for anyone interested in that difference to check out. If it were a play on words, it wouldn't be a correction of an obvious mistake.

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "'Greg'" <[EMAIL PROTECTED]>
Cc:
Sent: Wednesday, November 02, 2005 10:06 AM
Subject: RE: [Full-disclosure] new IE bug (confirmed on ALL windows)

> Rofl... there is always someone to play with words...
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg
> Sent: Tuesday, 1 November 2005 21:32
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] new IE bug (confirmed on ALL windows)
>
>> ----- Original Message -----
>> From: <[EMAIL PROTECTED]>
>> To:
>> Sent: Wednesday, November 02, 2005 4:00 AM
>> Subject: [Full-disclosure] new IE bug (confirmed on ALL windows)
>>
>>> I think I have found by chance this weekend a security bug, while browsing the website news, within iexplorer on all windows versions.
>>
>> Sorry to be the "Negative Nark" here but yes, the crash works on IESP2 with XPSP2 but NO it does NOT crash WIN98SE with IESP2. The 98SE box was networked through ICS (wired to this XP box then wi-fi to a router) and has no firewall of its own. This XP box through which the 98SE box gets its internet is in the router's DMZ and uses only Zone Alarm Pro, just for clarity. So, in essence the "confirmed on all windows" is wrong.
>>
>> Greg.
Re: [Full-disclosure] new IE bug (confirmed on ALL windows)
----- Original Message -----
From: "Greg" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 02, 2005 7:31 AM
Subject: Re: [Full-disclosure] new IE bug (confirmed on ALL windows)

> Sorry to be the "Negative Nark" here but yes, the crash works on IESP2 with XPSP2 but NO it does NOT crash WIN98SE with IESP2. The 98SE box was networked through ICS (wired to this XP box then wi-fi to a router) and has no firewall of its own. This XP box through which the 98SE box gets its internet is in the router's DMZ and uses only Zone Alarm Pro, just for clarity. So, in essence the "confirmed on all windows" is wrong.

Sorry about the typo. Of course I meant IE6SP2 above where I typed IESP2. Lesson learned - don't go typing things like that after about 6 hours sleep in the last 48! Never work for yourself. The boss is a &*^%!!

Greg.
Re: [Full-disclosure] new IE bug (confirmed on ALL windows)
----- Original Message -----
From: <[EMAIL PROTECTED]>
To:
Sent: Wednesday, November 02, 2005 4:00 AM
Subject: [Full-disclosure] new IE bug (confirmed on ALL windows)

> I think I have found by chance this weekend a security bug, while browsing the website news, within iexplorer on all windows versions.

Sorry to be the "Negative Nark" here but yes, the crash works on IESP2 with XPSP2 but NO it does NOT crash WIN98SE with IESP2. The 98SE box was networked through ICS (wired to this XP box then wi-fi to a router) and has no firewall of its own. This XP box through which the 98SE box gets its internet is in the router's DMZ and uses only Zone Alarm Pro, just for clarity. So, in essence the "confirmed on all windows" is wrong.

Greg.
Re: [Full-disclosure] for IE researchers, found a link crashing IE
----- Original Message -----
From: <[EMAIL PROTECTED]>
To:
Sent: Sunday, October 30, 2005 11:55 PM
Subject: [Full-disclosure] for IE researchers, found a link crashing IE

> This link crashes my fully patched IE on

Unsure if this was a real bug-crash report or not but for the heck of it, tested it from 2 Windows boxes.

1) Win XPSP2 with IE6SP2 all fully patched and running, because I was too lazy to stop it running, Zone Alarm Pro (yes, I know but I like to do this for other reasons). No crash.

2) Networked (runs wired through the XP box as above and out of that, wireless to a router) 98SE machine with IE6SP2 fully patched on it. No crash.

Was this one an honest report or just someone having a laugh?
Re: [Full-disclosure] Careless Law Enforcement Computer Forensics Lacking InfoSec Expertise Causes Suicides
----- Original Message -----
From: "Lane Weast" <[EMAIL PROTECTED]>
To:
Sent: Monday, October 03, 2005 11:38 PM
Subject: RE: [Full-disclosure] Careless Law Enforcement Computer Forensics Lacking InfoSec Expertise Causes Suicides

> In theory, what you say is incorrect. They may take you in but, in court, they have to prove it was yours. It is not your responsibility to prove your innocence. It is their responsibility to prove your guilt.

In theory YOU are correct also, but that implies a belief that the court system:

1) Never gets it wrong.
2) Is not compromised.
3) Is not overwhelmed by political ambitions attempting to make "an arrest" in order to make headlines.

If none of that is the case, you are still left with the old case of "throw shit and it sticks". E.g., if you are accused, you are always suspect even if the case is never proven. Try to get a good job in a sensitive area thereafter.

Greg.
Re: [Full-disclosure] Help put a stop to incompetent computer forensics
----- Original Message -----
From: <[EMAIL PROTECTED]>
To:
Sent: Wednesday, August 10, 2005 10:50 PM
Subject: Re: [Full-disclosure] Help put a stop to incompetent computer forensics

> Quoting Jason Coombs <[EMAIL PROTECTED]>:
>
>> Somehow we need to fix this broken system and insist that all
>> computer forensics be performed with the help of a competent
>> information security professional, at the very least.
>>
>> Any other suggestions?
>
> Maybe we should start a certification program. And we'll charge $5000 a year to be certified so only serious players will get certified. And we'll have roving "seminars" in all major cities taught only by our certified instructors. Yeah, that's it. And we'll rig the test so people have to take our useless classes to pass our useless tests. Then we'll dump press releases on every ZD rag out there and maybe pay a few CIOs and industry shills to comment on how, "hiring a 'certified computer corpse analyst' is the only way to determine competency".
>
> Yeah. That'll fix it. tc

What bothers me the most is that a lot of what I know - and I don't claim to know as much as most people here - isn't available as a "text" anywhere. You are interested enough, you work it out for yourself. So, yeah, I could charge someone $5000 to be taught by me that which I know. However, compared to some it isn't worth $5000 while to others it is priceless. Pick your target.

An incompetent investigator is one who doesn't care, not a newbie. A newbie is potentially incompetent and potentially the best thing ever to happen to this trade. Don't stamp out newbies in the rush to stamp out knowledgeable lazy sods.
Re: [Full-disclosure] Plaxo?
----- Original Message -----
From: "Aditya Deshmukh" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>;
Sent: Wednesday, August 10, 2005 1:06 PM
Subject: RE: [Full-disclosure] Plaxo?

>> Aditya Deshmukh wrote:
>>
>>> I need some advice about allowing plaxo running on my internal network.
>>>
>>> Should I allow it or ban it?
>>
>> Default deny.
>
> Yes that's my kind of thinking!
>
>> If you need to ask, there is clearly _no_ need to ask...
>>
>> And a hint to clueful thinking about all such services -- how can you (or your users) assure the confidentiality of your/their address books if they are being stored and managed offsite?
>>
>> That is not to say that such is not possible -- depending on the standards you wish or need to maintain -- but do any of these quasi-anonymous web-based address book managers even start to take the kinds of steps necessary to assure you to the level you require? And, how can you be sure that they actually do meet those requirements? Is their "terms of service" document really a sufficient basis on which to form such a relationship?
>
> Certainly not!
>
> Why should I trust anyone with my users' email address books?
>
> And I would have to deal with the extra spam that will be generated

One small problem that may not have been noticed with Plaxo. If the Plaxo-using person decides to do so, you can be a non-Plaxo-using person on that externally managed address book, with your full email address also in there, added by the Plaxo user. I have received "I have updated my Plaxo" for whatever was updated, by several customers, at my help line email address and have checked it out when at their premises. Sure enough, there is my email address, externally managed.

So, whether you allow Plaxo or not, if some user outside of your company has all your email addresses within your company on their computer, it has also likely been added to Plaxo by them whether you like it or not.

Greg.
Re: [Full-disclosure] Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:[Full-dicklosure] Weird URL
----- Original Message -----
From: <[EMAIL PROTECTED]>
To:
Sent: Monday, August 08, 2005 11:02 PM
Subject: [Full-disclosure] Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: [Full-dicklosure] Weird URL

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Oh, oh, me, me,
>
> If you type an address in IE like, "www.yourdumb." IE will magically append .com, .net, .gov, .etc... I just know this redirection could be used by dumb people for something?

No that wouldn't happen. You'd need to spell it correctly. ;-}