Re: [Full-disclosure] Linux kernel 2011 local root does it exist

2011-05-18 Thread Kevin Wilcox
On Wed, May 18, 2011 at 13:59, root  wrote:

> You can only jailbreak FreeBSD devices.

FreeBSD is dead. Netcraft confirms it.

kmw

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Voting for bans

2010-03-23 Thread Kevin Wilcox
On 23 March 2010 11:18, Jan G.B.  wrote:

> We all know that the email address he used to use is banned.

Yep

> We also know that our inboxes are filled with crap since he returned some 
> weeks ago.

Yep, with a large amount of that being from narcissists that just
*have* to get their jokes or jibes in and can't either ignore him or,
better yet, just hit delete.

> What can we do?

Kill-file.

> Not much. He showed us several times, that "talking" to him makes no sense.

Kill-file or ignore. It works, and it works for *anyone* you don't
want to deal with. It's great.

> He is struggling for reactions on his topics, and he will always get some
> reactions (Yes, even if I don't respond). The noise in the last days was
> terrible.

Yes it has been. Again, though, it's been mostly from folks that want
to get in their snide comments or make themselves look good with their
jabs and pokes; the signal level would again go up if they'd let it
rest and just hit delete.

> We have the freedom to ban him from your inboxes. Let's do it!

Like I said, kill-file. It really does work.

Seriously, Jan, I do understand where you're coming from but banning
account after account does no good in a world of unlimited email
accounts. What *does* work is to let someone post at will and simply
ignoring what you don't want to reply to. The problem isn't that we
have one person that posts a ton of crud, it's that we have one person
that posts and fifty that insist on commenting about how it's crud -
and then continue to harp about how that single poster needs to go
away when he replies to each of them.

kmw

-- 
A: Maybe because some people are too annoyed by top-posting.
Q: Why do I not get an answer to my question(s)?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



Re: [Full-disclosure] The Cyber War Conspiracy

2009-12-07 Thread Kevin Wilcox
2009/12/5 Paul Schmehl :

> --On December 4, 2009 10:44:20 PM -0600 valdis.kletni...@vt.edu wrote:

>> On the other hand, nobody's ever seen me and Paul Schmehl at the same
>> place
>> at the same time... I wonder why... :)

> Because we have no travel money.  :-)

BSDCAN 2010 has been announced and I believe they start accepting
presentation proposals in two weeks; travel money wouldn't be
necessary and I'd even bring a camera to document that you are,
indeed, two different people :)

kmw

-- 
Beware the leader who bangs the drums of war in order to whip the
citizenry into a patriotic fervor, for patriotism is indeed a
double-edged sword. It both emboldens the blood, just as it narrows
the mind. And when the drums of war have reached a fever pitch and the
blood boils with hate and the mind has closed, the leader will have no
need in seizing the rights of the citizenry. Rather, the citizenry,
infused with fear and blinded by patriotism, will offer up all of
their rights unto the leader and gladly so - Unattributed, post 9/11


Re: [Full-disclosure] Microsoft: ‘Piracy no longer poses a threat to us’

2009-12-03 Thread Kevin Wilcox
2009/12/3 dramacrat :

> How many legit copies of Windows 7 Ultimate have they sold? Three? Or was it
> four?
> I guess this is their way of competing with free software... making
> their software free (yes, yes, money-free vs freedom-free, i know) except to
> those thick enough (or lawsuit vulnerable enough, ie governments
> and corporations) to pay.

Or to those who feel software developers should be compensated for
their time and efforts. It's why some of us buy new copies of OpenBSD
when they make a release, or why some of us have a purchased copy for
each production device we deploy. It's the reason we have a valid,
purchased license of Windows [XP Pro | 7 Ultimate | whatever previous
version] for each machine that's running it. If we're using and
benefiting from the code, why shouldn't the developers get
compensated?

Not everyone has the same feeling of entitlement and greed that you
just displayed and I daresay that neither makes us "lawsuit
vulnerable" nor "thick".

kmw

-- 
Beware the leader who bangs the drums of war in order to whip the
citizenry into a patriotic fervor, for patriotism is indeed a
double-edged sword. It both emboldens the blood, just as it narrows
the mind. And when the drums of war have reached a fever pitch and the
blood boils with hate and the mind has closed, the leader will have no
need in seizing the rights of the citizenry. Rather, the citizenry,
infused with fear and blinded by patriotism, will offer up all of
their rights unto the leader and gladly so - Unattributed, post 9/11


Re: [Full-disclosure] [Rumor] SSH 0-day

2009-07-09 Thread Kevin Wilcox
2009/7/9 Charles Majola :

> From the LWN article (OpenSSH maintainer Damien Miller), it's probably
> not real, we'll just have to wait and see

Agreed.

Even if you *do* believe the secer site, look at the particulars. It's
a brute force. Properly configure your ssh servers (including
rate-limiting, key based authentication and u...@host allow
statements) and file this under a non-issue.

Of course this is all theoretical so far so I suppose everyone is free
to wring their hands and gnash their teeth as much as they wish over
this.

kmw

-- 
To take from one, because it is thought that his own industry and that
of his fathers has acquired too much, in order to spare to others,
who, or whose fathers have not exercised equal industry and skill, is
to violate arbitrarily the first principle of association, ‘the
guarantee to every one of a free exercise of his industry, & the
fruits acquired by it.'


[Full-disclosure] [Rumor] SSH 0-day

2009-07-09 Thread Kevin Wilcox
2009/7/9 Charles Majola :

> From the LWN article (OpenSSH maintainer Damien Miller), it's probably
> not real, we'll just have to wait and see

Agreed.

Even if you *do* believe the secer site, look at the particulars. It's
a brute force. Properly configure your ssh servers (including
rate-limiting, possibly port knocking, key based authentication and
u...@host allow statements) and file this under a non-issue.

Of course this is all theoretical so far so I suppose everyone is free
to wring their hands and gnash their teeth as much as they wish over
this.

Original CC recipients cut  because I'm the guy that can't remember
which addresses are subscribed to which lists.

kmw

--
To take from one, because it is thought that his own industry and that
of his fathers has acquired too much, in order to spare to others,
who, or whose fathers have not exercised equal industry and skill, is
to violate arbitrarily the first principle of association, ‘the
guarantee to every one of a free exercise of his industry, & the
fruits acquired by it.'
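
[Added example, not part of the original post and not OpenSSH project code: a small auditor for the sshd-side items the message lists (key based authentication, user@host allow statements, rate-limiting). The sample configurations are constructed; the thresholds, the finding names, and the use of MaxAuthTries/MaxStartups as the rate-limiting check are assumptions.]

```python
# OpenSSH defaults for the audited keywords, per sshd_config(5).
DEFAULTS = {
    "passwordauthentication": "yes",
    "maxauthtries": "6",
    "maxstartups": "10:30:100",
}


def parse_global_section(text):
    """Return {keyword: [argument lists]} for lines above the first Match."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":              # conditional blocks are out of scope
            break
        settings.setdefault(key, []).append(parts[1:])
    return settings


def first_value(settings, key):
    """sshd keeps the first value it reads for a keyword, else the default."""
    occurrences = settings.get(key, [])
    if occurrences and occurrences[0]:
        return occurrences[0][0].lower()
    return DEFAULTS[key]


def audit(text):
    """Return a list of finding codes; an empty list means all checks pass."""
    s = parse_global_section(text)
    findings = []
    # Key-based authentication only: passwords must be switched off.
    if first_value(s, "passwordauthentication") != "no":
        findings.append("password-auth-enabled")
    # user@host allow statements: AllowUsers may repeat, and the lists add up.
    patterns = [p for args in s.get("allowusers", []) for p in args]
    if not patterns:
        findings.append("no-allowusers")
    elif any(p.partition("@")[2] in ("", "*") for p in patterns):
        findings.append("allowusers-without-host")
    # Rate limiting, sshd side only (firewall limits are not visible here).
    # Thresholds of 3 and 5 are assumptions chosen for this example.
    if int(first_value(s, "maxauthtries")) > 3:
        findings.append("maxauthtries-high")
    if int(first_value(s, "maxstartups").split(":")[0]) > 5:
        findings.append("maxstartups-high")
    return findings


# Constructed sample configurations (not taken from any real host).
WEAK = """
Port 22
PasswordAuthentication yes
AllowUsers alice bob@192.0.2.10
"""

HARDENED = """
PasswordAuthentication no
# A later duplicate is ignored because the first value wins.
PasswordAuthentication yes
AllowUsers alice@192.0.2.10
AllowUsers deploy@*.example.org
MaxAuthTries 3
MaxStartups 3:50:10
"""

if __name__ == "__main__":
    print("weak:    ", audit(WEAK))
    print("hardened:", audit(HARDENED))
```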


Re: [Full-disclosure] (no subject)

2009-07-01 Thread Kevin Wilcox
2009/7/1 Inbox (Main) :
>
> Why not just ask michelle?
>
> Hope you don't mind: I forwarded your mail to michelle.nash2...@yahoo.com

I'm guessing this could have something to do with it:

http://www.nrtoday.com/article/20090619/LOGS/906199976/1051/NONE&parentprofile=1055

In particular, the section that says,

"Mitchell Dale Nash, 45, of Myrtle Creek, on suspicion of violation of
a restraining order, interfering with making a report, harassment and
unlawful entry into a motor vehicle."

I only mention that because the original email came in from
74.32.173.24...which gives us

u...@host ~ $ nslookup 74.32.173.24
Server:         152.10.248.1
Address:        152.10.248.1#53

Non-authoritative answer:
24.173.32.74.in-addr.arpa       name = 74-32-173-24.dr01.myck.or.frontiernet.net.

My favourite part is the "myck.or.frontiernet.net" section. Sounds
like Myrtle Creek, Oregon, to me.

Of course, I could be *completely* wrong...

kmw

-- 
To take from one, because it is thought that his own industry and that
of his fathers has acquired too much, in order to spare to others,
who, or whose fathers have not exercised equal industry and skill, is
to violate arbitrarily the first principle of association, ‘the
guarantee to every one of a free exercise of his industry, & the
fruits acquired by it.'


Re: [Full-disclosure] apache and squid dos

2009-06-22 Thread Kevin Wilcox
2009/6/22 Mark Sec :
> $php -f dos.php 1 localhost
> PHP Fatal error:  Call to undefined function pcntl_fork() in
> C:\Users\Administrador\Desktop\dos.php on line 68
>
> Mmm it not works! :-/

http://www.php.net/manual/en/ref.pcntl.php

kmw

-- 
To take from one, because it is thought that his own industry and that
of his fathers has acquired too much, in order to spare to others,
who, or whose fathers have not exercised equal industry and skill, is
to violate arbitrarily the first principle of association, ‘the
guarantee to every one of a free exercise of his industry, & the
fruits acquired by it.'


Re: [Full-disclosure] Windows 7 UAC compromised

2009-02-06 Thread Kevin Wilcox
2009/2/6 Yudi Rosen :

> But Joe the Plumber doesn't want to have to click on endless 'confirm'
> dialogs every time he tries to use the computer. Simply having him run as a
> non-admin user only fixes half the problem.

No, it doesn't fix anywhere *near* half of the problem; it doesn't
address that we have millions of people that use their computers
without knowing anything about them.

"But not every car driver needs to be a mechanic!" Yes, I know this,
but every driver needs to know that there are laws and rules
concerning how they drive and what happens when a 1200 kilogramme car
hits a 100 kilogramme pedestrian at 70 kilometres/hour. Every driver
needs to know they need to have their tyres rotated and their oil
changed. There are things you must know beyond, "accelerator,
decelerator and steering wheel".

"But a computer isn't going to kill anyone if someone gets infected by
a virus or trojan!" Yes, I know this, too, but if you're mixing
questionable software and surfing habits with online banking and
shopping, it's a recipe for destruction. Welcome to identity theft and
empty bank accounts.

We can either continue to pretend like it's *only* really crappy
software or we can realise that it's a combination of easily
exploitable software, user ignorance and user apathy. You can give
them an operating system that has been vetted and been through
multiple code reviews by people that really do know secure OS design
but they wouldn't be able to accomplish anything at all. So what do we
do? We give them operating systems that are less secure, hope they
don't shoot their feet off and turn them loose with it - but we don't
shoulder the burden of training them. Some of us do but we, as a
collective, do not. Until we can properly educate our users, all we
are doing is trying to mitigate risk in the best ways we can while
still providing them a service. I maintain that by not educating our
users we are failing in that goal.

kmw

-- 
Far better is it to dare mighty things, to win glorious triumphs, even
if chequered by failure, than to take rank with those poor spirits who
neither enjoy much nor suffer much, because they live in the grey
twilight that knows not victory or defeat.



Re: [Full-disclosure] Windows 7 UAC compromised

2009-02-05 Thread Kevin Wilcox
2009/2/5 Miller Grey :
> No, it doesn't make sense...I don't think Redmond missed the point at all,
> they're trying to introduce a concept totally new to the everyday user who,
> like Valdis said, only "...wants his dancing hamster screensaver.", and will
> blindly click any OK button that pops up.  Ultimately, Valdis is right,
> Redmond cares about profit, and creating an OS that is irritating to the
> everyday jackass does not help their profits.

Wait, so is he right when he said all they care about is profit, was
he right when he said they intentionally missed it or both?

Microsoft market share has absolutely nothing to do with how
irritating the computing experience is and has everything to do with
product availability and familiarity; basically, it's carried along by
inertia. Kind of like the whole, "no one was ever fired for buying
[IBM|Cisco|]" deal. Most products that most
companies have are MS-centric; if the products are there, and it's
what people are used to, no one really gives a flying penny about how
irritating the OS is to the average person unless it's completely
intolerable. On a level playing field I would say yes, the quality of
the computing experience would help dictate the winner in the OS game
but this is *not* a level playing field and it's quite easy to just
roll along simply because you already have 90%+ of the market with no
serious contenders in sight.

My previous post was made because rather than attempt to refute
anything stated by M.B., you just replied with a "blank-stare" style
"what?". I neither support nor refute his statements, I was simply
rewording them.

kmw

-- 
Far better is it to dare mighty things, to win glorious triumphs, even
if chequered by failure, than to take rank with those poor spirits who
neither enjoy much nor suffer much, because they live in the grey
twilight that knows not victory or defeat.



Re: [Full-disclosure] Windows 7 UAC compromised

2009-02-05 Thread Kevin Wilcox
2009/2/5 Miller Grey :

> On Tue, Feb 3, 2009 at 3:40 PM, M.B.Jr.  wrote:

>> Windows says: Hello world! Check this out, world, this is really cool.
>> Now I have, uh, something like, uh, "privileges management"!

>> "UAC" is no more than a new commercial designation for something with
>> about 40 years.
>> And they (Redmond) are still missing the concept's point.

> ...what?

He's saying Microsoft has embraced and extended "privilege management"
and "introduced" it as something new, "UAC".

He then says Microsoft is daft and missing the entire point of
privilege management, even though it's been around for decades and
their "UAC" is nothing new.

Make sense?

kmw

-- 
Far better is it to dare mighty things, to win glorious triumphs, even
if chequered by failure, than to take rank with those poor spirits who
neither enjoy much nor suffer much, because they live in the grey
twilight that knows not victory or defeat.



Re: [Full-disclosure] HTTP cache poisoning via Host header injection

2008-06-12 Thread Kevin Wilcox
2008/6/12 M. Shirk <[EMAIL PROTECTED]>:

> But PHPNuke is not vulnerable right?

I suppose there's a first time for everything



Re: [Full-disclosure] Wiretapping

2007-11-12 Thread Kevin Wilcox

Joel R. Helgeson wrote:
> If your company is a criminal enterprise, then yes.  If you fund or
> support terrorism, you stand a pretty good chance. If you are like the
> 99.999% of the companies out there that do their thing, trying to make
> an honest buck, you have nothing to fear.

Kelly - you should always ignore anyone that falls back to the "if
you've nothing to hide then you've nothing to fear" argument. It's
complete bollocks.

Yes, you should be concerned with wiretapping. The one thing that we've
seen throughout history is that once power is given, it is abused. Given
the number of abuses of the powers granted by the Patriot Act over the
last few years, I see no evidence to suggest that any American entity
(company or private individual) should not be concerned with
wiretapping. Non-US companies are always fair game so at least they have
the comfort of knowing they are probably being listened in on. Domestic
companies are supposedly "protected" but, again, the documented abuses
of the Patriot Act suggest otherwise.

There are two things to remember. What is considered legal and just
today may be considered illegal and treasonous tomorrow and once we
accept that it's ok to listen in on phone calls at the corporate level,
how long until that extends to private life? There is a reason we have
the "slippery slope" argument being made.

Besides, would you want someone listening in on your scientists and
engineers discussing trade secrets?

kmw

--

Quis custodiet ipsos custodes




Re: [Full-disclosure] Critical SQL Injection PHPNuke

2006-07-07 Thread Kevin Wilcox

DaRk14 wrote:
> pls .. i want a script who creates an admin account in php-nuke site`s
> ... www.site.com/admin.php 
> exemple...understand ? pls if you know what i speak, and have that
> script in your PC, plss mail`me :) thx

I think you've missed an essential. It's one thing to disclose product
vulnerabilities for the greater good of the community. It's an entirely
different thing to go searching for cracks to gain unauthorized access
to a system.

kw


[Full-disclosure] [ADVISORY] # =Thu Mar 16 14:12:28 EST 2006= # Integer Overflow in Microsoft PowerPoint

2006-03-16 Thread Kevin Wilcox



[ADVISORY] # =Thu Mar 16 14:12:28 EST 2006= # Integer Overflow in Microsoft 
PowerPoint




==
[+] Description
==
Microsoft PowerPoint incorrectly parses integer data, and this can be used to 
execute arbitrary code.

==
Appendix A Vendor Information
==
http://www.microsoft.com

==
Appendix B References
==
RFC 6818



[Full-disclosure] Security Advisory: SQL injection in PhpWebSite <= 0.10.1

2005-10-12 Thread Kevin Wilcox


phpWebSite Security Advisory        [EMAIL PROTECTED]
http://phpwebsite.appstate.edu      Kevin Wilcox
12 October 2005


Type:  SQL Injection
Versions Affected: <= 0.10.1

Description:
phpWebSite is an open source Content Management System released by
Electronic Student Services at Appalachian State University.

At 930 EST the phpWebSite development team was made aware that, using a
flaw in the Search module, an attacker was able to gain access to
approximately ten user names and hashed passwords using URLs formatted
in the following fashion:

http://SITE_NAME/index.php?module='+UNION+select+username,username+from+mod_users+where+user_id='1'/*
http://SITE_NAME/index.php?module='+UNION+select+username,password+from+mod_users+where+user_id='1'/*

Only versions 0.10.1 and earlier are affected. The current stable
release, 0.10.2, and the latest development release, fallout, are not
susceptible.

Patch Status:
A patch was released approximately 90 minutes after the development team
was made aware of the flaw. The patch is available from sourceforge:

http://osdn.dl.sourceforge.net/sourceforge/phpwebsite/phpwebsite_security_patch_20051202.tgz

and on the phpwebsite main page:

http://phpwebsite.appstate.edu
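
[Added example, not part of the advisory and not phpWebSite code: a log check an administrator of an affected site could run to find requests shaped like the URLs above. The log lines are constructed, and the rule that a legitimate module value is a plain identifier is an assumption.]

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Request part of an access-log line in common/combined log format.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# Assumption: legitimate module names are plain identifiers.
MODULE_OK = re.compile(r"[A-Za-z0-9_]+")
UNION_SELECT = re.compile(r"\bunion\b.+?\bselect\b", re.IGNORECASE | re.DOTALL)


def classify_module(value):
    """Return None for a well-formed module name, else a verdict string."""
    if MODULE_OK.fullmatch(value):
        return None
    if UNION_SELECT.search(value):
        return "union-select"
    return "invalid-module"


def scan(lines):
    """Return (line_number, client_ip, verdict) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.match(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        # parse_qsl percent-decodes and turns '+' into a space, so encoded
        # and plain forms of the same payload classify identically.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name == "module":
                verdict = classify_module(value)
                if verdict:
                    hits.append((number, match.group("ip"), verdict))
    return hits


# Constructed log lines; client addresses are documentation ranges.
SAMPLE_LOG = r"""
198.51.100.4 - - [12/Oct/2005:09:10:01 -0400] "GET /index.php?module=search&query=union+select+committee HTTP/1.1" 200 4312
192.0.2.7 - - [12/Oct/2005:09:12:44 -0400] "GET /index.php?module='+UNION+select+username,password+from+mod_users+where+user_id='1'/* HTTP/1.1" 200 5120
192.0.2.7 - - [12/Oct/2005:09:12:51 -0400] "GET /index.php?module=%27%20uNiOn%20SeLeCt%20username,username%20from%20mod_users%20where%20user_id=%271%27/* HTTP/1.1" 200 5098
203.0.113.9 - - [12/Oct/2005:09:15:02 -0400] "GET /index.php?module=search%27 HTTP/1.1" 200 1201
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

[Only the module parameter is inspected, so the first sample line, which carries the words "union select" in a different parameter, is not reported.]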




Re: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?

2005-10-06 Thread Kevin Wilcox

Michael Holstein wrote:
>> attacker sends packets -> packets are dropped by firewall -> packets
>> properties are captured in logs  -> backdoor reads logs and finds
>> encoded commands -> commands are executed
> 
> 
> As a covert channel? .. no, it's a waste. Once you have the access to
> set that up, you could establish any number of more efficient schemes.
> 
> As a way to do a "remote wake-up" though .. it might have some promise
> .. but it still depends on too many other variables.

SAdoor uses this general idea.

device in promiscuous mode sits and listens, iptables can have all ports
filtered and no services running on the machine, a particular sequence
of events happens, a command gets executed.

http://cmn.listprojects.darklab.org/

kw


Re: [Full-disclosure] phpWebSite 0.10.1 Full SQL Injection

2005-08-17 Thread Kevin Wilcox

h4cky0u wrote:



> VENDOR STATUS:
> ===
> The vendors were contacted but no response received.

As one of the core developers I would like to say two things.

First - thank you for finding and reporting this bug. We have yet to be
able to do anything useful with it, i.e., select from or insert into any
db tables, but it is definitely a bug that needs patching and that you
were able to find it and report it is the beauty of OSS.

Secondly - this bug was *never* reported directly to the phpWebsite
development team. It was posted (publicly) to the bug list on
sourceforge but, despite phone/fax numbers, mailing addresses and email
addresses being readily available (one click away on
http://phpwebsite.appstate.edu, the homepage of the project), no direct
contact was ever attempted with the core development team.

A minor release, 0.10.2, is to be released today which incorporates this
and other bug fixes.

Kevin Wilcox