Re: [Full-disclosure] Avast Antivirus

2012-01-19 Thread Juergen Schmidt
On Tue, 17 Jan 2012, Floste wrote:

> Hello,
>
> Avast Antivirus also comes with sandbox and a "SafeZone". But both can
> be circumvented using simple dll-injection and they seem to do nothing
> about it: http://forum.avast.com/index.php?topic=82291.0
>
> Maybe this post here will encourage them to fix it.

In my understanding a sandbox is not supposed to prevent you from getting 
in from the outside but from escaping from the inside. So if a sandboxed 
process injects a DLL in say a running IE process outside -- then we are 
talking about vulns.


bye, ju



--
Juergen Schmidt   Chefredakteur  heise Security www.heisec.de
Heise Zeitschriften Verlag, Karl-Wiechert-Allee 10 ,   D-30625 Hannover
Tel. +49 511 5352 300  FAX +49 511 5352 417   EMail j...@heisec.de
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Holes in the firewall of Mac OS X Leopard

2007-10-29 Thread Juergen Schmidt
Hello,

We did some functional testing on the firewall of Mac OS X Leopard. 
Short summary:

- the firewall is not activated by default but there are services running 
even if you don't activate any sharing (as shown by netstat or lsof)

- if you set it to "Block all incoming connections" it still allows access 
to certain system services. We could access the ntp daemon that is running 
per default over the internet. In a LAN based scenario, we were able to 
query the Netbios naming service even with full blocking enabled.

- if you set it to "Set access to specific services and programs" the 
firewall permits access to listening processes started by the user, 
regardless of whether they are in the list of shared services. We were able to 
access a service like "nc -l 1414" over the internet.


ntpd is labeled 4.2.2, the latest version is 4.2.4. It is unknown if any 
of the bugs fixed in the meantime are relevant in this scenario or if 
fixes have been backported. 

The same applies to the Samba package (3.0.25b-apple), of which releases 
3.0.25c and 3.0.26a contained numerous bug fixes.


For more information see:

 A second look at the Mac OS X Leopard firewall
http://www.heise-security.co.uk/articles/98120


bye, ju

-- 
Juergen Schmidt, editor-in-chief heise Security www.heise-security.co.uk
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970



Re: [Full-disclosure] Holes in the firewall of Mac OS X Leopard

2007-10-29 Thread Juergen Schmidt
On Mon, 29 Oct 2007, Brandon S. Allbery KF8NH wrote:

> On Oct 29, 2007, at 17:49 , Juergen Schmidt wrote:
> 
> >- if you set it to "Block all incoming connections" it still allows access
> >to certain system services. We could access the ntp daemon that is running
> >per default over the internet. In a LAN based scenario, we were able to
> >query the Netbios naming service even with full blocking enabled.
> 
> The firewall in Tiger, and presumably Leopard, only affects TCP services by
> default (you can enable UDP filtering in the Advanced settings).  So no change
> here from the status quo.

Nope -- the behaviour we observed did not depend on the protocol in any 
way. For example, we were able to connect to a netcat server listening on 
a TCP port despite "Set access to specific services and programs" and 
an empty list of allowed services.

There is no way to "enable UDP filtering" in Leopard either -- at least I 
have not found any. In fact the firewall does not use ipfw rules at all. 

bye, ju



-- 
Juergen Schmidt, editor-in-chief heise Security www.heise-security.co.uk
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970



[Full-disclosure] Leopard's firewall damages Skype and WoW

2007-11-05 Thread Juergen Schmidt
Hi,

some further research on the firewall of Mac OS X Leopard proved that the 
firewall alters binaries on the disk -- in some cases they refuse to 
work after that.

In contrast to Tiger, the firewall in Leopard no longer operates at the 
packet level but rather it works with applications, to which it permits 
or denies specific network activities. 
In order to unambiguously identify applications, Apple uses code 
signatures. Certain applications signed by Apple are automatically permitted 
to communicate with the network past the firewall without showing that in 
the user interface -- even if the firewall is set to "Block all incoming 
connections". (see: http://www.heise-security.co.uk/articles/98120).

By contrast, if an application which does not have a valid signature opens 
a network port, the firewall swings into action.
In restricted mode, simply trying to start a service brings up a window 
asking the user for permission. The system records this choice and enters 
it into the firewall's exceptions list. Hitherto Apple furnishes unsigned 
programs with a digital signature in the process.
If changes are made to the program subsequently, the permission is withdrawn.

Code signing becomes a problem when an application performs its own 
self-integrity check and determines that the file on the hard disk has 
been changed. The firewall's code signature changes the checksum of 
Skype's binary on the disc:

MD5 (Skype) = 9d7fa7f77b8dc2a3c2ae61737a373c11
MD5 (Skype-org) = 4245cb201a94c76ddcb54b1cc1e58cfa

after which, if the user attempts to start Skype from the command line it 
displays the following message:

Main starting
Check 1 failed. Can't run Skype

Similar behaviour has been observed by World of Warcraft users.

For more see:

http://www.heise-security.co.uk/news/98492

Code Signing is documented in:

http://developer.apple.com/releasenotes/Security/RN-CodeSigning/
http://developer.apple.com/documentation/Security/Conceptual/CodeSigningGuide/Introduction/chapter_1_section_1.html

bye, ju

--
Juergen Schmidt, editor-in-chief heise Security www.heise-security.co.uk
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970

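As an added example, not code from the post or from Apple: a small Python parser that walks a Mach-O file's load commands (handling universal binaries and both byte orders) and reports whether an LC_CODE_SIGNATURE command is present, which is one way to find out which binaries on disk now carry a signature such as the one the firewall adds; the sample headers it checks are constructed inline. On Leopard itself, `codesign -dv <path>` reports the same thing.

```python
import struct
import sys

# Mach-O constants from Apple's <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit header, big/little-endian
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit header, big/little-endian
FAT_MAGIC = 0xCAFEBABE                             # universal (multi-arch) wrapper
LC_UUID, LC_CODE_SIGNATURE = 0x1B, 0x1D
HEADER_LEN = {MH_MAGIC: 28, MH_CIGAM: 28, MH_MAGIC_64: 32, MH_CIGAM_64: 32}

def load_commands(data, base=0):
    """Return the load-command ids of the thin Mach-O image starting at `base`."""
    magic = struct.unpack_from(">I", data, base)[0]
    if magic not in HEADER_LEN:
        raise ValueError("no Mach-O header at offset %d" % base)
    end = "<" if magic in (MH_CIGAM, MH_CIGAM_64) else ">"   # CIGAM = byte-swapped file
    ncmds, sizeofcmds = struct.unpack_from(end + "II", data, base + 16)
    cmds, off, limit = [], base + HEADER_LEN[magic], base + HEADER_LEN[magic] + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "II", data, off)
        if cmdsize < 8 or off + cmdsize > limit:   # refuse to walk past sizeofcmds
            raise ValueError("malformed load command at offset %d" % off)
        cmds.append(cmd)
        off += cmdsize
    return cmds

def has_code_signature(data):
    """True if any architecture in `data` carries an LC_CODE_SIGNATURE command."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:   # fat header is big-endian
        nfat = struct.unpack_from(">I", data, 4)[0]
        # fat_arch entries (cputype, cpusubtype, offset, size, align) follow the header
        offsets = [struct.unpack_from(">5I", data, 8 + 20 * i)[2] for i in range(nfat)]
        return any(LC_CODE_SIGNATURE in load_commands(data, off) for off in offsets)
    return LC_CODE_SIGNATURE in load_commands(data)

def build_sample(signed):
    """Constructed test input: little-endian x86_64 header, LC_UUID, optional signature."""
    cmds = struct.pack("<II", LC_UUID, 24) + b"\0" * 16
    if signed:   # linkedit_data_command: cmd, cmdsize, dataoff, datasize
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0)
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 2 if signed else 1, len(cmds), 0, 0)
    return hdr + cmds

def build_fat_sample(thin):
    """Constructed universal wrapper (big-endian fat header) around one thin image."""
    return struct.pack(">II", FAT_MAGIC, 1) + struct.pack(">5I", 0x01000007, 3, 28, len(thin), 0) + thin

if __name__ == "__main__":   # usage: python machosig.py /Applications/Skype.app/Contents/MacOS/Skype
    for path in sys.argv[1:]:
        print(path, "signed" if has_code_signature(open(path, "rb").read()) else "unsigned")
```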


Re: [Full-disclosure] [ Suresec Advisories ] - Linux kernel ia32 compatibility (ia64/x86-64) race condition

2005-07-11 Thread Juergen Schmidt
On Mon, 11 Jul 2005, Suresec Advisories wrote:

> Suresec Security Advisory  - #4
> 10/07/05
>
> Linux kernel ia32 compatibility race condition
> Advisory: http://www.suresec.org/advisories/adv4.pdf 
> <http://www.suresec.org/advisories/adv3.pdf>
>
> Description:
>
> A race condition vulnerability has been found in the ia32 compatibility
> execve() systemcall. The race condition may lead to heap corruption.
>
> Risk:
>
> Exploitation of this vulnerability may result in panics, oopses or
> in the worst case code execution at ring 0.
>
> Credit:
>
> The vulnerability was discovered by Ilja van Sprundel.

FYI:

While there is no official patch for 2.4 there is one from Andi Kleen in
the HF kernel series:

http://linux.exosec.net/kernel/2.4-hf/2.4.31/LATEST/CHANGELOG

---
Changelog From 2.4.31 to 2.4.31-hf1 (semi-automated)
---
'+' = added ; '-' = removed

...
+ 2.4.31-x86_64-ia64-32bit-execve-overflow-1   (Andi Kleen)

  [PATCH] Fix buffer overflow in x86-64/ia64 32bit execve
  Fix buffer overflow in x86-64/ia64 32bit execve. Originally noted
  by Ilja van Sprundel. I fixed it for both x86-64 and IA64. Other
  architectures are not affected.


The HF series presents hotfixes for kernels 2.4.[29-31]. See:

http://linux.exosec.net/kernel/2.4-hf/

bye, ju

-- 
Juergen Schmidt   Chefredakteur  heise Security www.heisec.de
Heise Zeitschriften Verlag,Helstorferstr. 7,   D-30625 Hannover
Tel. +49 511 5352 300  FAX +49 511 5352 417   EMail [EMAIL PROTECTED]
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970




[Full-disclosure] heise Security: Password exposure in Lotus Notes

2007-07-19 Thread Juergen Schmidt


Excerpt from: http://www.heise-security.co.uk/news/92958

--
Password exposure in Lotus Notes

A debug function in version 5 and up of Lotus Notes can be used to write a 
file containing the new password in plain text when a user password is 
changed. This function has been designed to bring more transparency into 
password quality verification. If two additional lines are entered in the 
Notes.INI configuration file, Notes will log the evaluation.


Since the Notes.INI file on a user’s hard disk must be manipulated, 
physical access to the system is required to exploit this flaw. But there 
are various possibilities within Notes to manipulate this file, which can, 
in turn, also be used to protect systems from this vulnerability.


Assessment:

Notes uses the password to protect the certificate storage Notes.ID used 
by every user for authentication. This file is encrypted or decrypted with 
the user password. Together with the Notes certificates, Notes.ID also 
stores the user's private key and X.509 certificates, where required. For 
this reason, it is of utmost importance to ensure that nobody can create a 
copy of the password and Notes.ID at the same time. If somebody gains 
concurrent access to both the log file and the Notes.ID, this person can 
authenticate himself to Notes at any time.


Even though administrators can eliminate exploitation of this debug 
function in most cases, a Notes administrator with appropriate privileges 
is able to discover all user passwords. Some Notes customers have 
implemented complex solutions to allow for the central storage of password 
changes, while resetting passwords is only possible based on the four-eye 
principle, i.e. administration and revision must work together to do so. 
The debug function makes it possible to bypass this security policy.

(Volker Weber)
--


For a more detailed analysis, please see the original article on: 
http://www.heise-security.co.uk/news/92958




bye, ju


--
Juergen Schmidt, editor-in-chief heise Security www.heise-security.co.uk
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970

Re: [Full-disclosure] Firefox 2.0.0.5 flaw allows to steal the user's passwords

2007-07-21 Thread Juergen Schmidt
On Sat, 21 Jul 2007, Guasconi Vincent wrote:

> On 7/21/07, carl hardwick <[EMAIL PROTECTED]> wrote:
> > Firefox 2.0.0.5 flaw allows to steal the user's passwords
> >
> > PoC here: 
> > http://www.heise-security.co.uk/services/browsercheck/demos/moz/pass1.shtml
> 
> And without js
> http://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050845.html


Yes, but this is fixed in recent Firefox versions. see:

https://bugzilla.mozilla.org/show_bug.cgi?id=360493

The heise demo with JavaScript still works with Firefox 2.0.05 and 
Safari.

On the other hand, if you can place JavaScript on a server, there are 
other means of stealing passwords. So don't be too fast with blaming 
Firefox. For more details read:  Holes in Firefox password manager

http://www.heise-security.co.uk/news/93018

bye, ju


-- 
Juergen Schmidt  editor-in-chief  heise Security www.heise-security.co.uk
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970



[Full-disclosure] Major UK Bank Web Sites With Serious Security Flaws

2006-09-27 Thread Juergen Schmidt
Major UK Bank Web Sites With Serious Security Flaws

Tests conducted by heise Security show that the online
banking web sites of eight major UK Banks are
vulnerable to long known security issues.

NatWest, Cahoot, Bank of Scotland, Bank of Ireland,
First Direct and Link use frames on their web
sites. This means that customers of those banks using
Internet Explorer, in the default configuration, are
vulnerable to frame spoofing attacks. This issue has
been known since 1998.  Incidentally, the same kind of
attack works (mis)using the site of 'The Dedicated
Cheque and Plastic Crime Unit', a bank sponsored police
force.

UBS and the Bank of England are vulnerable to very
simple cross site scripting attacks.

All vulnerabilities could be used by attackers to mount
advanced phishing attacks, using the context of the
original banking site. The user still sees a valid
certificate and the correct address in the address bar.

heise Security has informed all eight banks and has set
up demos that illustrate these problems. Three banks
have already reacted and changed their sites. NatWest
removed the name of the frame, so that simple attacks
no longer work. However the frame can still be
addressed and modified using JavaScript. Bank of
England updated their vulnerable application to filter
user input. UBS changed their online banking
application twice, but is still not filtering user
input sufficiently.

You can find more details and concrete, working
demonstrations of the security problems in the article
"You can't bank on security" on
http://www.heise-security.co.uk/articles/76590

bye, ju

--
Juergen Schmidt
editor-in-chief
heise Security





Re: [Full-disclosure] trojan horse to intercept voip calls

2006-10-09 Thread Juergen Schmidt
On Mon, 9 Oct 2006, karsten beldner wrote:

> seems like switzerland's arming itself with new cutting edge hacking
> technology to hunt down criminals as reported on sunday on heise
> http://www.heise.de/newsticker/meldung/79172  (german it news portal.
> unfortunately they didn't post it on their english web site.).

They did -- it just took a little ;-)

see:  Superintendent Trojan

http://www.heise-security.co.uk/news/79212



bye, ju

-- 
Juergen Schmidt   Chefredakteur  heise Security www.heisec.de
Heise Zeitschriften Verlag,Helstorferstr. 7,   D-30625 Hannover
Tel. +49 511 5352 300  FAX +49 511 5352 417   EMail [EMAIL PROTECTED]
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970
