Re: [Full-disclosure] Nokia N95 cellphone remote DoS using the SIP Stack

2007-12-05 Thread reepex
On Dec 5, 2007 11:05 AM, Radu State [EMAIL PROTECTED] wrote:

 # Humberto J. Abdelnur (Ph.D Student) #

 # Radu State (Ph.D) #

 # Olivier Festor (Ph.D) #

lol..

wow is all i can say to this..

let me enlighten you on the basics of Perl


 $text = '';


http://perldoc.perl.org/functions/my.html

if you understood perl you would see that this line shows your complete
lack of ability, as $text could be declared where it's used in the loop

to demonstrate such amazing techniques such as declaring variables properly
i will demonstrate this code

die($!) unless open my $file, '<', '/etc/passwd';
my @b = <$file>;

while (my $a = shift @b) {   # $a is lexically scoped to the loop body
    print $a;
}

notice the my $a ... please take a few minutes to reflect on this code as
your fragile phd minds can only handle so much but soon it will come to you


 while (not $text =~ /^SIP\/2.0 100(.\r\n)*/ ){

from perlretut ( http://perldoc.perl.org/perlretut.html )

The sense of the match can be reversed by using the !~ operator:

print "It doesn't match\n" if "Hello World" !~ /World/;

Understanding that you do not know how to code i will make it easier for
you:

 while ($text !~ /^SIP\/2.0 100(.\r\n)*/ ){
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Nokia N95 cellphone remote DoS using the SIP Stack

2007-12-05 Thread reepex
http://hal.inria.fr/index.php?view_this_doc=inria-00172056extended_view=1version=halsid=5561bd637e62791f1744a158d907343a

Could you please send me this document so i can learn from you how to nmap?
I would very much appreciate reading this paper so I can learn the basics of
a high level pen test.

http://hal.inria.fr/inria-00168415/fr/

I would also love this paper. Based on the number of times you mention the words
'model' and 'proven', it seems your product must be better than selinux
itself.

The rest of your papers were modeled around mobile ad-hoc networks and key
management in blah blah which are areas generally reserved for academics who
cannot publish anything useful so it seems appropriate that the bulk of your
publications are in this field.




On Dec 5, 2007 1:57 PM, [EMAIL PROTECTED] wrote:

 hi Reepex,

 I do not understand why you are frustrated about a computer science degree.
 Maybe someone got dropped out of a degree program and some psychological trauma
 gets activated when seeing a Ph.D?

 If you like it or not, in order to get a computer science degree, you will
 have
 to take classes, and  most classes are taught by Ph.Ds.

 I will not argue with you on why I use the Ph.D in my signature, but if you
 really want to know, look at our research papers published in academic
 journals/conferences. (If you do not find them, I can send them to you).
 If you will ever understand the contents, then you will understand what our
 credentials are..:) This will probably never happen.

 At least, I use a signature and a real name and do not hide behind a gmail
 account.

 Meanwhile try yourself to find at least one vulnerability and enjoy Perl
 programming, it seems your computer science skills are somehow in this
 area :)


 Greetings




 RS


 Selon reepex [EMAIL PROTECTED]:

  So almighty Phd what is your thesis exactly?
 
  To me it seems to be  'how to run a fuzzer then write crappy perl
  scripts
  to exploit DoS conditions'
 
  does this properly summarize your phd credentials?
 
  I guess  you could tack on 'after writing the crappy scripts, flood
 mailing
  lists with our crap, and get made fun of'
 
  I am sure you will serve the academic community great one day when you teach
  hacking classes revolving around the latest editions of hacking
  exposed
 
 
 
  On Dec 5, 2007 11:05 AM, Radu State [EMAIL PROTECTED] wrote:
 
Nokia N95 cellphone remote DoS using the SIP Stack
  
  
  
   Severity:
  
   High – Denial of Service
  
  
  
   Hardware:
  
   Nokia N95
  
  
  
   Firmware:
  
   Tested version: Nokia RM-159 V 12.0.013
  
  
  
   Notification:
  
   Vulnerability found: 11 September 2007
  
   Contact Nokia Support: 12 September 2007 / No reply
   Contact Nokia Security Support: 19 September 2007 / No reply
  
  
  
   Vulnerability Synopsis:
  
   If the device has the SIP Phone client activated, a sequence of SIP
   messages turns the device into an inconsistent state where the user is not
   able to operate it anymore until it reboots.
  
  
  
   The sequence of messages consists of 2 different SIP Dialogs, where the
   first initiates an INVITE transaction but immediately closes it (in an
   anticipated manner), while the second initiates a normal INVITE
   transaction that triggers the vulnerability of the target.
  
  
  
   The sequence of messages is illustrated below.
  
  
  
   X ----- INVITE -----> Nokiav12

   X <---- 100 Trying --- Nokiav12

   X ----- CANCEL -----> Nokiav12

   X <---- OK (to the Cancel) --- Nokiav12

   X <---- 487 Request Terminated --- Nokiav12



   New Dialog



   X ----- INVITE -----> Nokiav12

   X <---- 100 Trying --- Nokiav12

   X <---- 180 Trying --- Nokiav12
  
  
  
    The device does not work properly anymore 
  
  
  
   Impact:
  
   A remote entity can take down all the services of the cell phone
  
  
  
   Resolution:
  
   As we did not get any proper reply from Nokia about the subject, the
 best
   way will be to disable the SIP Client
  
  
  
   Credits:
  
   Humberto J. Abdelnur (Ph.D Student)
  
   Radu State (Ph.D)
  
   Olivier Festor (Ph.D)
  
  
  
   This vulnerability was identified by the Madynes research team at
 INRIA
   Lorraine, using KiF the Madynes VoIP fuzzer.
  
   http://madynes.loria.fr/
  
  
  
  
  
   Proof of Concept:
  
  
  
   A perl script (nokiav12.pl) is attached to this mail. Before launching
   it, the SIP phone has to be initialized in the target device
  
  
  
   Command:
  
   perl nokiav12.pl dst_IP username SourceIp SourceUsername
  
  
  
   Eg. perl nokiav12.pl 192.168.1.119 lupilu 192.168.1.2 tucu
  
  
  
  
  
   #!/usr/bin/perl

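The two-dialog sequence quoted in the advisory above (INVITE, CANCEL, 487, then a fresh INVITE) as a detection check, added here as an example; it is not the Madynes team's nokiav12.pl, whose body is not on this page, nor any other code from the thread. It assumes signalling captured one message at a time with the sender known from the capture. The hosts x.example and n95.example, the Call-IDs and every message below are constructed sample data, and find_cancel_then_reinvite is a hypothetical helper name.

```python
"""Dialog-state check for the INVITE / CANCEL / INVITE sequence in the advisory.

Added example (not the Madynes team's nokiav12.pl): a minimal SIP start-line
and header parser plus a per-Call-ID dialog tracker of the kind a SIP proxy,
SBC or IDS could run over captured signalling to flag the two-dialog pattern
the advisory describes. All hosts, Call-IDs and messages are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")


@dataclass
class SipMessage:
    method: Optional[str]   # request method, None for a response
    status: Optional[int]   # status code, None for a request
    call_id: str
    cseq_method: str        # method named in the CSeq header
    src: str                # sender, taken from the capture, not from headers


def parse_sip(raw: str, src: str) -> SipMessage:
    """Parse the start line plus the Call-ID and CSeq headers of one message."""
    head = raw.split("\r\n\r\n", 1)[0]
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cseq_method = headers["cseq"].split()[1]
    m = REQUEST_LINE.match(start)
    if m:
        return SipMessage(m.group(1), None, headers["call-id"], cseq_method, src)
    m = STATUS_LINE.match(start)
    if not m:
        raise ValueError(f"not a SIP start line: {start!r}")
    return SipMessage(None, int(m.group(1)), headers["call-id"], cseq_method, src)


@dataclass
class Dialog:
    caller: str
    cancelled: bool = False


def find_cancel_then_reinvite(messages: List[SipMessage]) -> List[str]:
    """Flag a caller who aborts an INVITE (CANCEL answered by 487) and then
    immediately opens a fresh INVITE dialog towards the same device."""
    dialogs: Dict[str, Dialog] = {}
    aborted_callers: Set[str] = set()
    alerts: List[str] = []
    for msg in messages:
        d = dialogs.get(msg.call_id)
        if msg.method == "INVITE" and d is None:
            if msg.src in aborted_callers:
                alerts.append(f"{msg.src}: new INVITE (Call-ID {msg.call_id}) "
                              "directly after an aborted INVITE dialog")
                aborted_callers.discard(msg.src)
            dialogs[msg.call_id] = Dialog(caller=msg.src)
        elif msg.method == "CANCEL" and d is not None:
            d.cancelled = True
        elif msg.status == 487 and d is not None and d.cancelled:
            aborted_callers.add(d.caller)          # dialog closed early
        elif (msg.status is not None and msg.status >= 200
              and msg.cseq_method == "INVITE" and d is not None):
            aborted_callers.discard(d.caller)      # normal final answer
    return alerts


def _req(method: str, call_id: str, cseq: str, src: str, dst: str) -> SipMessage:
    return parse_sip(f"{method} sip:phone@{dst} SIP/2.0\r\nCall-ID: {call_id}\r\n"
                     f"CSeq: {cseq}\r\n\r\n", src)


def _resp(code: int, reason: str, call_id: str, cseq: str, src: str) -> SipMessage:
    return parse_sip(f"SIP/2.0 {code} {reason}\r\nCall-ID: {call_id}\r\n"
                     f"CSeq: {cseq}\r\n\r\n", src)


X, N95 = "x.example", "n95.example"          # placeholder hosts (constructed)


def advisory_capture() -> List[SipMessage]:
    """The advisory's sequence: aborted dialog c1, then fresh dialog c2."""
    return [
        _req("INVITE", "c1", "1 INVITE", X, N95),
        _resp(100, "Trying", "c1", "1 INVITE", N95),
        _req("CANCEL", "c1", "1 CANCEL", X, N95),
        _resp(200, "OK", "c1", "1 CANCEL", N95),
        _resp(487, "Request Terminated", "c1", "1 INVITE", N95),
        _req("INVITE", "c2", "1 INVITE", X, N95),
        _resp(100, "Trying", "c2", "1 INVITE", N95),
        _resp(180, "Ringing", "c2", "1 INVITE", N95),
    ]


def benign_capture() -> List[SipMessage]:
    """A completed call followed by a second call: no alert expected."""
    return [
        _req("INVITE", "c3", "1 INVITE", X, N95),
        _resp(180, "Ringing", "c3", "1 INVITE", N95),
        _resp(200, "OK", "c3", "1 INVITE", N95),
        _req("ACK", "c3", "1 ACK", X, N95),
        _req("BYE", "c3", "2 BYE", X, N95),
        _resp(200, "OK", "c3", "2 BYE", N95),
        _req("INVITE", "c4", "1 INVITE", X, N95),
    ]


if __name__ == "__main__":
    for line in find_cancel_then_reinvite(advisory_capture()):
        print(line)
```

The check keys on the 487 answered to a cancelled INVITE rather than on the CANCEL alone, because a CANCEL followed by a normal 2xx to the INVITE is an ordinary glare case, not the pattern the advisory describes. Since the advisory's only resolution is to disable the handset's SIP client, a check like this belongs on the proxy or SBC in front of the phones, where the second INVITE can be held or logged before it is forwarded.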
Re: [Full-disclosure] High Value Target Selection

2007-12-03 Thread reepex
you should destroy myspace.com

after the downfall of and removal of myspace, many emo kids and future
teenage moms will commit suicide saving the world from future jerry springer
episodes and adding to the list of an heroes

On 11/30/07, gmaggro [EMAIL PROTECTED] wrote:

 I think it'd be interesting if we started a discussion on the selection
 of high value targets to be used in the staging of attacks that damage
 significant infrastructure. The end goals, ranked equal in importance,
 would be as follows:

 1. To bring like minded people together while operating under the
 strategy of 'leaderless resistance'
 (http://en.wikipedia.org/wiki/Leaderless_resistance)

 2. To be the 'aboveground' partner to the 'underground' scene, or at
 least serve to distract authorities from the activities of underground
 groups

 3. To see exactly what can be accomplished, and accomplish it

 4. To capture the imagination of the public

 The 'leaderless resistance' aspect of organization is going to be key.
 Plenty of technology exists for encryption and anonymity but that
 doesn't apply to people. We have to be like the Internet itself here, as
 originally intended: able to take the largest of blows and route around
 the damage automatically. We also have to be like good encryption: able
 to expose everything about our mechanism without leading to compromise.

 Capturing the imagination of the public sounds like bizspeek bullshit,
 but it's a very powerful tool - it only takes one cow to start a
 stampede. Furthermore it serves as a useful discriminator in selecting
 targets. Bringing down Facebook or Amazon might annoy people... but it
 really gets driven home when they can't pay their bills, buy food from
 supermarkets, or take the train to work.

 So, types of infrastructure to attack:

 1. Transportation
 2. Financial
 3. Telecommunications
 4. Petrochemical
 5. Manufacturing
 6. Health care
 7. Education
 8. Civilian Law Enforcement
 9. Government (Judicial, Executive, Legislative)
 10. Military

 This is just what I've thought of to date. One thing we'll need to do is
 prioritize that list and flesh it out. For instance, for 'Financial' I'd
 be inclined to break up something like this: banks, credit card
 companies, credit processing companies, ATM companies, credit bureaus,
 collection agencies, investment firms, etc.

 I guess we should pick some kind of a nation-state to narrow the scope.
 I'm going to propose the USA for several reasons:

 1. A lot of folks got it in for them. This makes it easier to blend into
 the background. There's also the potential for assistance via
 enemy-of-my-enemy-is-my-friend co-operation among like minded
 individuals and groups. Also, in security, the advantage always goes to
 the attacker; he only needs to be successful once but the defender has
 to succeed every time. And since they're no doubt getting assaulted left
 right and centre they've probably been tenderized pretty good. These
 factors, I believe, combine to nullify any advantage they might have
 from being well practiced at having to withstand assaults.

 2. They're weak right now. In many ways. Given the issues in the
 sub-prime market and its cascade effects, profits are down everywhere.
 When businesses lose money, what's the first thing that suffers?
 Customer service. What's the second thing? Security. Not trying to slant
 politically one way or the other here, but the American implementation
 of capitalism is not renowned for having led to people making quality
 goods or loving their jobs. Sloppiness abounds whether it's ACLs on the
 router or easy-to-social-engineer employees. The effects of more people
 losing their jobs and increased sociocultural turmoil will only
 exacerbate this. A lot of talented people will be out a job for reason of
 economics or colour, and if engaged properly, can add to the ranks.

 3. They're easy to penetrate. If you can't walk right into the states
 over the Mexican or Canadian border, then there's a million lines of
 fibre and copper running straight in. It is an incredibly well connected
 place with a widely geographically dispersed populace. And a lot of
 coffee shops near open wifi. Entire cities blanketed in connectivity
 accessible from back alleys, washrooms in malls, or remote corners of
 public parks with a 12db Yagi. Miles upon miles of SCADA wiring.


Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability

2007-11-28 Thread reepex
so... what fuzzer that you didn't code did you use to find these amazing
vulns?

Also nice 'payload'  in your exploits meaning 'nice long lists of as'. You
should not claim code execution when your code does not perform it.

Well I guess it has been good talking until your fuzzer crashes another
application and you copy and paste the results


On 11/28/07, Rajesh Sethumadhavan [EMAIL PROTECTED] wrote:

 Microsoft FTP Client Multiple Bufferoverflow
 Vulnerability

 #

 XDisclose Advisory  : XD100096
 Vulnerability Discovered: November 20th 2007
 Advisory Reported   : November 28th 2007
 Credit  : Rajesh Sethumadhavan

 Class   : Buffer Overflow
  Denial Of Service
 Solution Status : Unpatched
 Vendor  : Microsoft Corporation
 Affected applications   : Microsoft FTP Client
 Affected Platform   : Windows 2000 server
  Windows 2000 Professional
  Windows XP
  (Other versions may also be affected)

 #


 Overview:
 Bufferoverflow vulnerability is discovered in
 microsoft ftp client. Attackers can crash the ftp
 client of the victim user by tricking the user.


 Description:
 A remote attacker can craft a packet with a payload in the
 mget, ls, dir, username and password
 commands as demonstrated below. When the victim executes the
 POC or specially crafted packets, the ftp client will
 crash, with possible arbitrary code execution in the context of
 the logged-in user. This vulnerability is hard to exploit
 since it requires social engineering and shellcode has
 to be injected as an argument to the vulnerable commands.

 The vulnerability is caused due to an error in the
 Windows FTP client in validating commands like mget,
 dir, user, password and ls

 Exploitation method:

 Method 1:
 -Send POC with payload to user.
 -Social engineer victim to open it.

 Method 2:
 -Attacker creates a directory with long folder or
 filename in his FTP server (should be other than IIS
 server)
 -Persuade victim to run the command mget, ls or
 dir  on specially crafted folder using microsoft ftp
 client
 -FTP client will crash and payload will get executed


 Proof Of Concept:
 http://www.xdisclose.com/poc/mget.bat.txt
 http://www.xdisclose.com/poc/username.bat.txt
 http://www.xdisclose.com/poc/directory.bat.txt
 http://www.xdisclose.com/poc/list.bat.txt

 Note: Modify POC to connect to lab FTP Server
  (As of now it will connect to
 ftp://xdisclose.com)

 Demonstration:
 Note: Demonstration leads to crashing of Microsoft FTP
 Client

 Download the POC, rename it to a .bat file and execute any one of
 the batch files
 http://www.xdisclose.com/poc/mget.bat.txt
 http://www.xdisclose.com/poc/username.bat.txt
 http://www.xdisclose.com/poc/directory.bat.txt
 http://www.xdisclose.com/poc/list.bat.txt


 Solution:
 No Solution

 Screenshot:
 http://www.xdisclose.com/images/msftpbof.jpg


 Impact:
 Successful exploitation may allow execution of
 arbitrary code with the privilege of the currently logged in
 user.

 Impact of the vulnerability is system level.


 Original Advisory:
 http://www.xdisclose.com/advisory/XD100096.html

 Credits:
 Rajesh Sethumadhavan has been credited with the
 discovery of this vulnerability


 Disclaimer:
 This entire document is strictly for educational,
 testing and demonstrating purpose only. Modification
 use and/or publishing this information is entirely on
 your own risk. The exploit code/Proof Of Concept is to
 be used on test environment only. I am not liable for
 any direct or indirect damages caused as a result of
 using the information or demonstrations provided in
 any part of this advisory.




 

Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability

2007-11-28 Thread reepex
woah woah watch your words

many people on fd make their career based on 1) and 2) so dont diss them
unless you want to start an e-war

On 11/28/07, Peter Dawson [EMAIL PROTECTED] wrote:

 Yeah ..

 a) Social engineer victim to open it.
 b) Persuade victim to run the command 

 is kind funky..

 On Nov 28, 2007 5:21 PM, Stan Bubrouski  [EMAIL PROTECTED] wrote:

  Not to mention the obvious fact that if you have to trick someone into
  running a batch file then you could probably just tell the genius to
  execute a special EXE you crafted for them.
 
  -sb
 
  On Nov 28, 2007 4:43 PM, dev code  [EMAIL PROTECTED] wrote:
  
lolerowned, kinda like the 20 other non exploitable stack overflow
   exceptions that someone else has been reporting on full disclosure
   

Re: [Full-disclosure] [Argeniss] Data0: Next generation malware for stealing databases (Paper)

2007-11-24 Thread reepex
so you can .. read login details to databases, login to them, steal their
records, and then send them out? .. thanks for this ... groundbreaking
research

we hope that your next pdf will contain how to sniff telnet sessions and
then automatically hack something something something

anyway um .. great job

On Nov 22, 2007 5:57 AM, Cesar [EMAIL PROTECTED] wrote:

 Hey, I'm releasing this new paper, not a big deal but
 interesting.
 http://www.argeniss.com/research/Data0.pdf

 Abstract:
 This paper is about Data0, a fictitious (or not)
 simple PoC of new malware that after it's
 deployed on a computer in an internal network it will
 automatically hack database servers and
 steal their data. Several techniques used by Data0
 will be detailed. Data0 will be targeting
 Microsoft SQL Server and Oracle Database Server two of
 the most used database servers.
 While Data0 could be used by the bad guys for evil
 purposes, it could also be used by security
 professionals and organizations to determine how
 strong networks, workstations, database
 servers, etc. are against this kind of attack.
 This paper is not intended to be a cook book for cyber
 criminals, it's intended to show people
 that by implementing simple techniques malware can
 become smarter and cause a lot more
 damage in a very near future.


 Cesar.



  
 

Re: [Full-disclosure] RIPA powers being used

2007-11-21 Thread reepex
lol its always the lamest people that make responses like these

are you scared they will steal your latest post auth dos in a ftpd that no
one uses?

On Nov 21, 2007 11:51 AM, Morning Wood [EMAIL PROTECTED] wrote:

 - Original Message -
 From: James Rankin [EMAIL PROTECTED]
 To: full-disclosure@lists.grok.org.uk
 Sent: Tuesday, November 20, 2007 3:46 AM
 Subject: [Full-disclosure] RIPA powers being used


  RIPA is finally being used to force people to hand over encryption
 keys...
 
  http://news.bbc.co.uk/1/hi/technology/7102180.stm
 
 omg wtf...

 In the event that there was doubt that a suspect did not possess a key,
 he
 said, it was up to the prosecution to demonstrate beyond a reasonable
 doubt
 that they could know the passphrase



 ever fat finger a password? ever forgotten a password? ( I got a zip archive
 I protected and can't unlock due to the fact I forgot the passphrase )

 looks like prosecutors and judges will now be ASSUMING guilt or innocence
 based on what they THINK MIGHT be true. ( if you created the passphrase
 you must know it )


Re: [Full-disclosure] save gary mckinnon or lock away dan egerstad

2007-11-15 Thread reepex
gary mckinnon should be burned alive on charges of script kiddie douche bag


On 11/14/07, worried security [EMAIL PROTECTED] wrote:

 if this guy [1] gets away with this then i want gary mckinnon [2]
 taken off charges as well.

 [1] http://www.theage.com.au/articles/2007/11/12/1194766589522.html

 [2] http://en.wikipedia.org/wiki/Gary_McKinnon

 n3td3v


Re: [Full-disclosure] 300$ is more than 0$

2007-11-10 Thread reepex
does badly recorded videos on random OSes like plan9 count?

On Nov 10, 2007 3:49 PM, don bailey [EMAIL PROTECTED] wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Ok, so the first person to disclose a Linux kernel
 zero day exploit in the next week will get 300$ from
 me direct into their favorite (legitimate) charity's
 bank account.

 Ok, fuck it, let's make it 500$. I'm serious.
 Ok, fuck it again. ANY kernel exploit for:
Windows
OpenBSD
or
Linux

 released publicly in the next week gets 500$
 of my personal money into their favorite
 charity's bank account. That's right, YOU
 get to pick the charity. As long as it's
 legit and the exploit is released before
 midnight of November 16th, 2007.

 Make your favorite (or least favorite) kernel
 look bad while making your charity feel good!

 500$ isn't a lot of money, sure. It's better than
 making SNOsoft and iDefense look slightly more
 elite, isn't it? I think so!

 Don B.

 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.6 (GNU/Linux)

 iD8DBQFHNidMyWX0NBMJYAcRArIIAJ9nJ17T09fcSNU0xffeIG3PmVvdwwCdG4ex
 Y1Nje/C4XsVabyF52QBSl/g=
 =uKW3
 -END PGP SIGNATURE-


Re: [Full-disclosure] stop cross posting

2007-11-04 Thread reepex
actually no one cares about your posts so it would be better if you stopped
posting completely

when you learn to install gcc you can come back

On Nov 3, 2007 6:39 PM, Dude VanWinkle [EMAIL PROTECTED] wrote:

 On 11/3/07, worried security [EMAIL PROTECTED] wrote:
  hi,
 
  can everyone stop cross posting?
 
  its the same people on all the mailing lists, there is absolutely no
  reason for cross posting.

 Sorry about that n3td3v, won't happen again.

 I would hate to annoy you like that.

 -JP


Re: [Full-disclosure] breaking SIP for fun and toll fraud

2007-11-04 Thread reepex
On Nov 4, 2007 8:45 AM, Radu State [EMAIL PROTECTED] wrote:

  P is the proxy located at URL: proxy.org

  X is the attacker located at URL: attacker.lan.org

  V is the victim located at URL:   victim.lan.org

  V is also registered with P under the username [EMAIL PROTECTED]

  .

 Step 3) The accomplice Y steps in and invites victim V, and then
 the victim decides

  to put X on hold


to make this exploit work you need more conditions present than in The
Malloc Maleficarum.

If Alice sits in Bob's lap and Bob looks over Alice's shoulder and sees her
type her password and Alice does not notice Bob then Bob has broken the
security of the windows login.

 POC code:



  Available ONLY to legitimate VoIP device manufacturers.



 Will you step down to them and send them more of your expert perl? or
will you send them iterative loops in lisp



  Humberto Abdelnur, Ph.D student, the Madynes team at INRIA

  Radu State, Ph.D, the Madynes team at INRIA

  Olivier Festor, Ph.D the Madynes team at INRIA



phd is the new cissp!

[Full-disclosure] on xss and its technical merit

2007-11-04 Thread reepex
Pdp architect and I have been emailing back and forth about whether xss has
a place in fd, bugtraq, or the security research area at all.  He decided
that we should start a discussion about it on here and get people's
unmoderated opinion.  This discussion should not concern whether it's
important due to stealing bank info, paypal, whatever; it should only stick
to xss as a pure research area.  Or as pdp described it:

we are talking about whether XSS is as technical as other security
disciplines. We are also talking about whether it should have a deserved and
recognized place among FD readers and contributors. however, the topic won't
cover only whether you can detect or inject XSS, this is lame. it will
cover the whole 9 yards... pretty much all the topics covered inside the XSS
book.

My ideas on the topic are

1) XSS isn't technical no matter how it's used
2) people who use xss on pentests/real hacking/anything but phishing are
lame and only use it because they cannot write real exploits (non-web) or
couldn't find any other web bugs (sql injection, cmd exec, file include,
whatever)
3) XSS does not have a place on this list or any other security list and i
remember when the idea of making a separate bugtraq for xss was proposed and
i still think it should be done.
4) if you go into a pentest/audit and all you get out is xss then it's a
failed pentest and the customer should get a refund.
5) publishing xss shows your weakness and that you don't have the ability to
find actual bugs ( b/c xss isn't a vuln it's crap )

i think pdp is going to respond first. should be fun ;)

Re: [Full-disclosure] on xss and its technical merit

2007-11-04 Thread reepex
 investigated enough to see whether and how your findings can
 be exploited.


we agree!!



 reepex, I am sorry but all your statements are groundless. I was
 expecting something more from you, especially after we exchanged a few
 private emails. sometimes, I get the feeling that you actually know
 what you are talking about. you definitely know a few things but
 c'mon, really... give me something juicy...


Yea after reading my original thing i admit it was pretty weak. i hope i
fixed it up here.

Re: [Full-disclosure] on xss and its technical merit

2007-11-04 Thread reepex
i seemed to reply to nexxus as you were writing your original reply which
i've since replied to. about this email though...

On Nov 4, 2007 3:13 PM, pdp (architect) [EMAIL PROTECTED]
wrote:

 XSS today is where buffer overflows were 10-15 years ago. Moreover, did
 you miss when I said that 99% of all sites are vulnerable to XSS?
 Given the percentage of available XSS vulnerabilities, what chance do you
 think you have of finding one? simple math! of course it is easy. It is
 easy for most XSS issues. However, those that really matter are not
 easy at all. DOM based XSS is a debug hell, mainly because every time
 you want to do something you have to deal with the remote server. This
 is not very offline.


yes buffer overflows were everywhere then and yes xss is everywhere now. but
to say that xss is the buffer overflow of 15 years ago is not a good
comparison. Even if xss evolves for 15 years, which it may, would the result
be as damaging as even simple stack based overflows have been? Could you
have such mass damage worms as overflows have caused? I know there has been
myspace worms (which you mention), but xss cannot have the same effect as
overflows to a server.

let's say 1 servers are running a vuln ftpd and another 1 are running
the same open source web app. Which would you rather have the exploit for?
also which would be more practical to attack? assuming you have the same
system and a good exploit you could get all the 1 ftpds, while the xss
on 1 msg boards would require 1 users to view the page you attacked.

xss just does not have the same potential as overflows do unless browsers
develop some new technology or extend an old one to let client side
scripting have much more control over the system.



 if you want to do it right, then it is harder to get a successful XSS
 attack. do you know why? cuz XSS involves a bit of strategy as well.
 because it is an indirect type of attack. A single XSS attack
 sometimes may involve several sub XSS each one of which calls the next
 one in an exponential manner. By the time you reach level 5 your head
 is so screwed up that you need to start all over again because your
 code breaks in 50 places. JavaScript in particular is not an easy
 language. You may think that you know it but you don't know 90% of it.
 When it comes to scoping you get into a mess of things. Have you ever
 done XSS on GMail? Try it! See how far you will go. Unless you have
 some solid understanding of AJAX debugging and some nifty tools that
 can put Google's mess back into order, you have no chance. Today
 software hackers rely on tools such as IDA Pro or Soft Ice, which is
 discontinued but still. Check this out: there are no tools like that
 for XSS and in particular AJAX, therefore I have to start from zero.
 Where is my JavaScript deobfuscator? I don't have one... I have to
 write it myself. Where is my debugger? I am stuck with Firebug for
 Firefox... Great! How about dynamic tracing, tracking, stepping and
 all other things on a complete BlackBox application where you can only
 see the incoming and outgoing requests. At least when you have a
 binary you know what it is. You can do it offline and you have all of
 the parts.

 XSS can be very complicated. Don't be fooled by what people post on FD.



the problem is that if you are going to xss 5 times deep why cant you just
find a client side browser bug?  you are researching how to basically steal
credentials/force requests/steal accounts when one browser or client side
bug would make all of that unnecessary. People like the ones i mention in the
other email will put this much time into xss because they are incapable of
doing the client side bugs, because they require much more skill that the ppl
simply do not have.

Re: [Full-disclosure] on xss and its technical merit

2007-11-04 Thread reepex
wow you are an idiot. could you please stay off this discussion. we wanted
valid (professional) opinions not your retarded comments.

On Nov 4, 2007 5:07 PM, Dude VanWinkle [EMAIL PROTECTED] wrote:

 On 11/4/07, reepex [EMAIL PROTECTED] wrote:
 
  On Nov 4, 2007 3:13 PM, pdp (architect)  [EMAIL PROTECTED]
  wrote:
   This
   is not very offline.


 So you are taking peoples offline conversations and posting them
 against their wishes?

 Are you trying to make a name for yourself by saying look this guy
 actually talks to me?

 What a joke.

 -JP


Re: [Full-disclosure] on xss and its technical merit

2007-11-04 Thread reepex
On Nov 4, 2007 4:43 PM, pdp (architect) [EMAIL PROTECTED]
wrote:

 
  lets say 1 servers are running a vuln ftpd and another 1 are
 running
  the same open source web app. Which would you rather have the explot
 for?
  also which would be more practical to attack? assuming you have the same
  system and a good exploit you could get all the 1 ftpds, while the
 xss
  on 1 msg boards would require 1 users to view the page you
 attacked.
 

 well I will go for the 1 ftpds in general. However, it really
 depends on what I am doing. As I said, these FTPDs may give you access
 to the system but probably not access to the data which to me is a lot
 more interesting. In this case 1 XSS sounds a lot more valuable.


Which 'data' are you talking about? the server's info (in this case the
server running the ftpd daemon) or the data/personal machines of the users
of the ftpd?

I would rather have control of the ftpd then simply backdoor the daemon to
work on individual users, just as I would rather have control of the web
server itself than any pre-existing xss bugs.

again the whole point is that you do not need xss ever if you have client
side exploits or access to the server itself.



 There are XSS script kiddies as well Buffer Overflow script kiddies.
 Just because you can find XSS does not mean that you've done something
 amazing and extraordinary. It takes skills and a lot of effort to make
 something out of it. But as I said before, open your mind. There are
 endless potentials when it comes to XSS.


yes and i guess bad for you is that the only xss you really see posted (fd,
milw0rm, security focus) is people posting <script>alert('hi')</script>




 BTW, it does look like an achievement when you find a XSS inside an
 application that 1000 more people play with (look for similar bugs) on
 a daily basis. XSS in some small apps are stupid. XSS on the default
 Google Search Interface is as valuable as remotely exploitable buffer
 overflow for Linux 2.6.x kernels (distribution independent).


Again i think if you are attacking the users of a site instead of the site
itself this is acceptable but your attacks could become much more hazardous
if you owned the google server itself (maybe a stretch in the case of
google) and added whatever code you wanted to the front page, or embedded
your nice browser exploit in the page. either of these ways seems much more
valuable than xssing people who are signed in and visited your page.

also (unless im missing something) in another email you mentioned like 15
different kinds of xss which I am sure are all interesting in their own way
but the most you can get out of them is simple browser games.

Re: [Full-disclosure] on xss and its technical merit

2007-11-04 Thread reepex
you see i do not agree with this because you are relying on other bugs to
make xss useful and again you are relying on interaction from the user.

any bug that requires another (form of) bug to be useful or that requires
user interaction is inherently weaker than other any-time bugs like
bof/sql injection/whatever

On Nov 4, 2007 5:16 PM, pdp (architect) [EMAIL PROTECTED]
wrote:

 well valid point. XSS can always be used as a carrier for whatever kind
 of attack you have in there. Just imagine the MySpace XSS worm
 combined with the IE VML or one of these ActiveX bugs that allow you
 to write into arbitrary files on the file system (so that it is not a
 software bug). Hmmm?

 On Nov 4, 2007 11:51 PM,  [EMAIL PROTECTED] wrote:
  What about when xss leads to stack overflows and command injections?
  See http://xs-sniper.com.  It would seem that if you subscribe to the
 thought that only attacks that take over a victim's computer are valid, then
 you would have to now admit xss as valid as well.
 
  Nate
  Sent via BlackBerry from T-Mobile
 
 
  -Original Message-
  From: reepex [EMAIL PROTECTED]
 
  Date: Sun, 4 Nov 2007 13:26:17
  To:full-disclosure@lists.grok.org.uk, pdp (architect) 
 [EMAIL PROTECTED]
  Subject: [Full-disclosure] on xss and its technical merit
 
 
  Pdp architect and I have been emailing back and forth about whether xss
 has a place in fd, bugtraq, or the security research area at all. He decided
 that we should start a discussion about it on here and get people's
 unmoderated opinion. This discussion should not concern whether its
 important due to stealing bank info, paypal, whatever; it should only stick
 to xss as a pure research area. Or as pdp described it:
 
  we are talking about whether XSS is as technical as other security
 disciplines. We are also talking about whether it should have a deserved and
 recognized place among FD readers and contributors. however, the topic wont
 cover only whether you can detect or inject XSS, this is lame. it will cover
 the whole 9 yards... pretty much all the topics covered inside the XSS
 book.
 
  My ideas on the topic are
 
  1) XSS isnt technical no matter how its used
  2) people who use xss on pentests/real hacking/anything but phishing are
 lame and only use it because they cannot write real exploits (non-web) or
 couldnt find any other web bugs (sql injection, cmd exec, file include,
 whatever)
  3) XSS does not have a place on this list or any other security list and
 i remember when the idea of making a separate bugtraq for xss was proposed
 and i still think it should be done.
  4) if you go into a pentest/audit and all you get out is xss then its a
 failed pentest and the customer should get a refund.
  5) publishing xss shows your weakness and that you dont have the ability
 to find actual bugs ( b/c xss isnt a vuln its crap )
 
  i think pdp is going to respond first. should be fun ;)
 
 



 --
 pdp (architect) | petko d. petkov
 http://www.gnucitizen.org


[Full-disclosure] Matasano on the mac trojan

2007-11-02 Thread reepex
Matasano's latest post has addressed the FUD post by gadi evron now [1]. I
would ask gadi to comment on why he made such an outlandish post with no
technical analysis but we all know
1) Gadi has no technical skills
2) He is too busy putting on makeup for his next random tech magazine
interview and story

[1] http://www.matasano.com/log/985/the-silly-new-mac-os-x-trojan-or-hohuma/

Re: [Full-disclosure] mac trojan in-the-wild

2007-11-02 Thread reepex
I guess you never heard of full disk encryption, finger print readers, or
caged machines.


On Nov 2, 2007 3:51 PM, Dude VanWinkle [EMAIL PROTECTED] wrote:

 On 11/2/07, J. Oquendo [EMAIL PROTECTED] wrote:
  Dude VanWinkle wrote:
 
   A program installed under false pretenses that will give the
   author/distributer remote access to the victim machines.
 
  Right... Guess those local are not a threat.

 ?? Local to the machine??

 all prevention methods fail if physical security is compromised.

 There is nothing short of hooking a claymore to the inside of your
 case that will stop someone knowledgeable who has physical access to
 your machine from doing whatever they want



  Vranisaprick is that you


 ?


   -JP



Re: [Full-disclosure] Full-Disclosure Digest, Vol 33, Issue 1

2007-11-01 Thread reepex
On Nov 1, 2007 9:36 AM, Joxean Koret [EMAIL PROTECTED] wrote:

 First of all, yes, is a preauth sql injection in an admin
 console but, if you have privileges to connect to the Oracle Financials
 instance,


So as I said its 'post auth' sql injection but thanks for clarifying.


 And second, there are many ways to bypass authentication in Oracle
 E-Business Suite, at least in version 11i, I'm not sure if the same
 problems applies to R12. I can't release more details right now.


hasn't this list been over people who 'have bugs' but 'cant release them
for fear/fame/drama purposes'?

Do you *really* *want* *to* *be* in the same category as pdp and drraid. (
Notice how I sound smart by using a lot of  like the great valdis )

Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread reepex
It is funny that gadi does not post to this list anymore.. maybe its because
he knows people here can actually express their opinion against his retarded
posts without being moderated?

anyway of course gadi is going to jump over stuff like this because it takes
no technical knowledge to write about. If you want another example of this
try sun's /8 in google and you will find gadi's low level technical
research about the solaris telnet vulnerability or look up his crap about
the no auth vnc bugs.  These are the only bugs known to date that gadi evron
could comprehend so he has to make many posts about them to keep his name
high on google rankings for when he searches for his name daily [1].

[1] http://seclists.org/fulldisclosure/2007/Sep/0058.html

On Nov 1, 2007 3:10 PM, nnp [EMAIL PROTECTED] wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Oh don't be so bloody sensationalist. You're worse than the
 journalists because you should know better.

 - -nnp
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.7 (Darwin)
 Comment: http://firegpg.tuxfamily.org

 iD8DBQFHKpQRbP10WPHfgnQRAtZ9AKDIydXWUjKGq4OboanGyxHXFMYdWACfUGvX
 hky9nDk4BKs4MdK+htgIGv0=
 =k7Xe
 -END PGP SIGNATURE-

 On 10/31/07, Gadi Evron [EMAIL PROTECTED] wrote:
  For whoever didn't hear, there is a Macintosh trojan in-the-wild being
  dropped, infecting mac users.
  Yes, it is being done by a regular online gang--itw--it is not yet
 another
  proof of concept. The same gang infects Windows machines as well, just
  that now they also target macs.
 
 
 http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html
 
 http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html
 
  This means one thing: Apple's day has finally come and Apple users are
  going to get hit hard. All those unpatched vulnerabilities from years
 past
  are going to bite them in the behind.
 
  I can sum it up in one sentence: OS X is the new Windows 98. Investing
 in
  security ONLY as a last resort losses money, but everyone has to learn
 it
  for themselves.
 
  Gadi Evron.
 


 --
 http://www.smashthestack.org
 http://www.unprotectedhex.com



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread reepex
On Nov 1, 2007 4:34 PM, Nick FitzGerald [EMAIL PROTECTED] wrote:

 Yes, today, the average level of clue among Mac users is probably a
 shade higher than amongst Windows users,


Is this a joke? The reason people switch to macs is because they cannot
handle simple tasks. Isnt the main thing said by new mac users 'it just
works', meaning 'I couldnt figure out windows'? The main users of macs are
liberal arts students and hippies .. and we all know the technical level of
these people.



 think we may agree about the advisability (or otherwise) of making such
 predictions as loudly and publicly as Gadi did,


this page [1] has been dedicated to gadi evron because of events like these

[1] http://www.encyclopediadramatica.com/index.php/Attention_whore

Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread reepex
I will take that pepsi challenge... what is at stake ;)


On Nov 1, 2007 4:50 PM, Paul Schmehl [EMAIL PROTECTED] wrote:

 --On Thursday, November 01, 2007 16:42:51 -0500 reepex [EMAIL PROTECTED]
 wrote:

  On Nov 1, 2007 4:34 PM, Nick FitzGerald [EMAIL PROTECTED]
 wrote:
 
 
  Yes, today, the average level of clue among Mac users is probably a
  shade higher than amongst Windows users,
 
 
 
Is this a joke? The reason people switch to macs is because they
 cannot
  handle simple tasks. Isnt the main thing said by new mac users is 'it
  just works' meaning 'I couldnt figure out windows' . The main users of
  macs are liberal arts students and hippies .. and we all know the
  technical level of these people.
 
 You apparently haven't been around Macs recently.  *Many* technical
 people,
 *especially* Unix and security admins, have started using Macs because
 they
 provide all the functionality of Unix with a beautiful GUI on top.

 Besides, I'll put the technical prowess of a liberal arts major up against
 the technical prowess of a computer science major *any* day, and spot them
 two full months to study.  CS majors can code like monkeys, but they don't
 have a clue how a computer works.  :-)

 --
 Paul Schmehl ([EMAIL PROTECTED])
 Senior Information Security Analyst
 The University of Texas at Dallas
 http://www.utdallas.edu/ir/security/



Re: [Full-disclosure] XSS - www.howtoforge.com

2007-11-01 Thread reepex
lol pdp

On Nov 1, 2007 4:58 PM, Emmanouil Gavriil [EMAIL PROTECTED]
wrote:

  Cross Site Scripting at howtoforge..


 http://www.howtoforge.com/trip_search?keys=<script>alert('XSS-Test')</script>
 

 Emmanouil Gavriil



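The probe string in the report above is the standard reflected-XSS test, and what it actually demonstrates is a missing output-encoding step. As an added defender-side example (not code from the post, the list or howtoforge; the search-page template, handler names and parameter handling below are invented), here is the unsafe reflection beside context-aware encoding, which is the fix for this class of finding:

```python
"""Reflected parameter rendered unsafely, then with context-aware output
encoding. Added example: the search page template and handlers are
invented, not howtoforge's code; only the probe string comes from the report.
"""
import json
from html import escape
from urllib.parse import quote

# The probe string from the report (decoded form of the reported URL).
PAYLOAD = "<script>alert('XSS-Test')</script>"


def render_search_page_unsafe(keys: str) -> str:
    """The vulnerable pattern: the query parameter is pasted into HTML verbatim."""
    return f"<p>Results for {keys}</p>\n"


def encode_for_html_body(s: str) -> str:
    """Text between tags: escape &, < and >."""
    return escape(s, quote=False)


def encode_for_html_attr(s: str) -> str:
    """Inside a quoted attribute value: also escape the quote characters."""
    return escape(s, quote=True)


def encode_for_js_string(s: str) -> str:
    """Inside a <script> block: JSON-encode, then hex-escape < and > so that
    a value containing </script> cannot terminate the block early."""
    return json.dumps(s).replace("<", "\\u003c").replace(">", "\\u003e")


def encode_for_url_param(s: str) -> str:
    """Inside a query string: percent-encode everything but unreserved chars."""
    return quote(s, safe="")


def render_search_page(keys: str) -> str:
    """Each output location gets the encoder for its own context."""
    return (
        f"<p>Results for {encode_for_html_body(keys)}</p>\n"
        f'<input name="keys" value="{encode_for_html_attr(keys)}">\n'
        f"<script>var lastQuery = {encode_for_js_string(keys)};</script>\n"
        f'<a href="/trip_search?keys={encode_for_url_param(keys)}">search again</a>\n'
    )


def reflects_payload(html: str, payload: str = PAYLOAD) -> bool:
    """True if the probe appears in the page as live markup."""
    return payload in html


if __name__ == "__main__":
    print("unsafe:\n" + render_search_page_unsafe(PAYLOAD))
    print("encoded:\n" + render_search_page(PAYLOAD))
```

The point of the four encoders is that one escaping routine is not enough: the same value lands in element text, an attribute, a script literal and a URL, and each of those contexts has its own set of characters that break out of it.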
Re: [Full-disclosure] [botnets] re MAC trojan (fwd)

2007-11-01 Thread reepex
seriously dude wtf ... have you even put any research or thought into this
topic? All you have done is paste other peoples sayings, links, and research
and spam them to mailing lists to get your name on this topic just like the
sendmail, solaris ftp, vnc, and every other bug that comes out.

Get a fucking life and learn how to do your own research. Why do you even
partake in the lists - we could easily replace you with a bot that forwards
mails between lists and then we would have to read your (stolen) crap all
the time.

On Nov 1, 2007 7:55 PM, Gadi Evron [EMAIL PROTECTED] wrote:

 There have been many threads on this subject, but I believe this post
 below covers what some of us are trying to say on why this issue is
 significant.

 Obviously some people are far more articulate than me.


 -- Forwarded message --
 Date: Thu, 1 Nov 2007 16:47:17 -0400
 From: PinkFreud [EMAIL PROTECTED]
 To: Gary Flynn [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: [botnets] re MAC trojan

 To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
 --
 [My apologies if this has already been covered - I started this email a
 few hours ago, and haven't had a chance to finish it until now.]


 I think the point Gadi (and Alex of Sunbelt Software, in his original
 blog entry) is trying to make is that professional malware authors have
 begun to take notice of Apple.  As a piece of malware goes, this trojan
 is nothing remarkable in itself, other than the fact that it's aimed at
 Mac users.

 As Gadi mentioned, there are a number of known issues that Apple has
 yet to address.  If the professional malware authors are now taking aim
 at Mac users, Apple appears to be making it easy for them.

 There are a few comments that I've seen in this thread that are rather
 worrisome:

 ::: Interspace System Department
  Relax. MAC users are not that stupid as MS users...

 Are you a Mac user?  If so, you just proved yourself wrong with that
 statement.  :)</flame>

 Users are users, and their knowledge of computers varies greatly from
 one to the next.  I've supported a number of Mac users who tend to be
 clueless when it comes to computers, and I've supported Mac users who
 know quite a bit about the machines they use.  Like any Windows or *nix
 user, Mac users can - and will - fall prey to this kind of scheme.

 Again, the trojan is not what's important here.  The fact that it was
 written for Macs is particularly noteworthy, however.


 ::: Jeremy Chatfield
  InfoSec is there to make sure that I can run my business, not as an end
 in
  itself. It *prevents* profit making activity by having effort expended
 on
  internal needs. So if the Mac hasn't *needed* higher level of security
  hoops, previously, that's good. So long as weaknesses are fixed *when
  needed*, I'm a happy bunny. If there's a Day Zero attack that hits a
 Mac,
  I'll be disappointed, but it's not a uniquely Mac situation to be in...
 If
  the failure was an obvious weakness, I'm actually still pretty sanguine,
  because it hasn't yet been exploited, despite being well known.

 Security issues should be fixed as soon as feasible, not 'when needed'.
 If all security vulnerabilities were fixed 'when needed', the malware
 authors would be having a field day (which, of course, implies they're
 not already... h.).

 Apple has a history of badly-written software.  As far as recent
 examples go, take a look at tar and rsync on Tiger (10.4) - they've
 been modified to support extended attributes like ACLs and resource
 forks, and they're quite broken - extended attribute support introduces
 a serious memory leak.

 If that doesn't quite hit home, you can get a further idea of how their
 software is written by taking a look at the man page for sharing(1), on
 OS X Server (for those of you without access to OS X Server, take a
 look at

 http://developer.apple.com/DOCUMENTATION/Darwin/Reference/ManPages/man1/sharing.1.html
 ).  Pay particular attention to the description for the -s, -g, and -i
 options - do their developers (or tech writers) know the difference
 between AND and OR?  :)



 On Thu, Nov 01, 2007 at 08:56:22AM -0400, Gary Flynn babbled thus:
  This is nothing more than simple downloadable malware exacerbated
  somewhat by permissive configuration settings. It exploits no
  security defects.
 
  As I understand it, the operator is given multiple opportunities
  to refuse the program:
 
  http://www.jmu.edu/computing/security/#macmalware
 
  (I'm only subscribed to the archive so I apologize if this
has been already pointed out or already proven incorrect
today)
 
  --
  Gary Flynn
  Security Engineer
  James Madison University
  www.jmu.edu/computing/security

 --
 PinkFreud
 Chief of Security, Nightstar IRC network
 irc.nightstar.net | www.nightstar.net
 Server Administrator - Blargh.CA.US.Nightstar.Net
 Unsolicited advertisements sent to this address are NOT welcome.
Re: [Full-disclosure] N3TD3V INTERNET SECURITY THREAT CENTER

2007-11-01 Thread reepex
thanks for your document design.. i would have chosen a more blue font over
grey though

On Nov 1, 2007 5:34 PM, worried security [EMAIL PROTECTED]
wrote:

 CYBER TERRORISM

 Talk about the current threat level.

 Discuss the internet terror threat

 SOFTWARE FLAWS

 Post your own research or talk about other peoples.

 Discuss technical vulnerabilities

 SECURITY NEWS

 Talk about news hitting the tv, radio and internet.

 Discuss whats making the news

 SECURITY HELP

 Are you looking to tighten your security? Ask here.
 Discuss security related questions

 http://groups.google.com/group/n3td3v



Re: [Full-disclosure] Flash that simulates virus scan

2007-10-31 Thread reepex
resorting to se in a pen test cuz you cant break any of the actual machines?

lulz

On 10/31/07, Joshua Tagnore [EMAIL PROTECTED] wrote:
 List,

 Some time ago I remember that someone posted a PoC of a small site that
 had a really nice looking flash animation that performed a virus scan and
 after the virus scan was finished, the user was prompted for a Download
 virus fix? question. After that, of course, a file is sent to the user and
 he got infected with some malware. Right now I'm performing a penetration
 test, and I would like to target some of the users of the corporate LAN, so
 I think this approach is the best in order to penetrate to the LAN.

 I searched google but failed to find the URL, could someone send it to
 me ? Thanks!

 Cheers,
 --
 Joshua Tagnore




Re: [Full-disclosure] Flash that simulates virus scan

2007-10-31 Thread reepex
dont you listen to pdp ever? the government uses xss and bruteforces
remote desktop logins

http://seclists.org/fulldisclosure/2007/Oct/0417.html

pdp: military grade exploits? :) dude, I am sorry man.. but you are living
in some kind of a dream world. get real, most of the military hacks
are as simple as bruteforcing the login prompt.. or trying something
as simple as XSS.

--

pdp is an hero and a computer security expert and based on his fans
from the list he is the greatest researcher since lcamtuf. his word =
gold



On 11/1/07, jf [EMAIL PROTECTED] wrote:
 must be on one of the .gov red teams ;]





Re: [Full-disclosure] ZDI-07-063: RealPlayer RA Field Size File Processing Heap Oveflow Vulnerability

2007-10-31 Thread reepex
user interaction on a random file format? haven't we been over these
types of bugs?

This pool of zdi bugs is almost more laughable than idefense's aix spam flood

On 10/31/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 This vulnerability allows remote attackers to execute code on vulnerable
 installations of RealPlayer.  User interaction is required in that a
 user must open a malicious .ra/.ram file or visit a malicious web
 site.



Re: [Full-disclosure] ZDI-07-058: Oracle E-Business Suite SQL Injection Vulnerability

2007-10-31 Thread reepex
post auth sql injection in random admin console - lulz

On 10/31/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 The specific flaw exists in the okxLOV.jsp page in the Administration
 console.



Re: [Full-disclosure] SAXON version 5.4 Multiple Path Disclosure Vulnerabilities

2007-10-29 Thread reepex
dot dot dot

first an sql injection post that requires magic quotes off, then a
post about xss, and now a post about path disclosure?

Why waste cve entries and people's time with crap like this? Couldnt
you at least find post-auth ftp dos bugs like morning wood?

On 10/29/07, SecurityResearch [EMAIL PROTECTED] wrote:
 netVigilance Security Advisory #53
 SAXON version 5.4 Multiple Path Disclosure Vulnerabilities
 Description:
 SAXON is a simple accessible online news publishing system for personal and 
 small corporate site owners. Publish news, using configurable templates, on 
 any .php page on your site. Publish news on a 'per author' basis. Edit and/or 
 delete existing news items. Create multiple RSS news feeds automatically (RSS 
 0.9, RSS 2.0 and Atom). Post date news items for later public release. 
 Multiple authors allowed. Ability to configure users as Standard or 
 Administrators. Ability to add/delete users (Administrators only). Option to 
 change any user password (Administrators only). Template 
 creation/deletion/amendment interface. Online setup and configuration.
 External References:
 Mitre CVE: CVE-2007-4861
 NVD NIST: CVE-2007-4861
 OSVDB: Unassigned
 Summary:
 SAXON is a simple accessible online news publishing system for personal and 
 small corporate site owners.
 Security problems in the product allow attackers to gather the true path of 
 the server-side script.
 Advisory URL:
 http://www.netvigilance.com/advisory0053
 Release Date:
 10/29/2007

 CVSS Version 2 Metrics:
 Base Metrics:
 Exploitability Metrics:
 Access Vector: Network
 Access Complexity: Low
 Authentication: None
 Impact Metrics:
 Confidentiality Impact: Partial
 Integrity Impact: None
 Availability Impact: None
 Temporal Metrics:
 Exploitability: Functional
 Remediation Level: Official Fix
 Report Confidence: Confirmed
 CVSS Version 2 Vectors:
 Base Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
 Temporal Vector: E:F/RL:OF/RC:C
 CVSS Version 2 Scores:
 Base Score: 5
 Impact Subscore: 2.9
 Exploitability Subscore: 10
 Temporal Score: 4.1
 SecureScout Testcase ID: TC 17990
 Vulnerable Systems:
 SAXON version 5.4
 Vulnerability Type:
 Program flaws - The product scripts have flaws which lead to Warnings or even 
 Fatal Errors.
 Vendor:
 Quirm
 Vendor Status:
 The Vendor has confirmed the problem and has released new version 5.41 that 
 addresses the problem. The new version of the product was tested and we can confirm 
 that all vulnerabilities were solved.  For more information see the vendor 
 announcement. To download the latest version go to the vendor's product download 
 area.
 Workaround:
 From netVigilance:
 Disable warning messages: modify in the php.ini file following line: 
 display_errors = Off.
 From vendor:
 Modify .htaccess file to include 'php_flag register_globals off' (this will 
 work only for the Apache servers). Amend admin/config.php to include 
 'error_reporting(0);'
 Update critical files in the /admin, /rss and root directory of the 
 installation (all MySQL error reporting removed)
 Example:
 Path Disclosure Vulnerability 1:
 REQUEST:
 http://[TARGET]/[PRODUCT DIRECTORY]/news.php
 REPLY:
 <b>Fatal error</b>:  Call to undefined function:  quotesmart() in 
 <b>[DISCLOSED PATH][PRODUCT DIRECTORY]\news.php</b> on line <b>15</b><br />
 Path Disclosure Vulnerability 2:
 REQUEST:
 http://[TARGET]/[SAXON-DIRECTORY]/admin/edit-item.php?newsid[]=1
 REPLY:
 bWarning/b:  mysql_real_escape_string() expects parameter 1 to be string, 
 array given in b[DISCLOSED PATH][PRODUCT DIRECTORY]\admin\functions.php/b 
 on line b48/bbr /
 Credits:
 Jesper Jurcenoks
 Co-founder netVigilance, Inc
 www.netvigilance.com

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/


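An added illustration of the request pattern behind Path Disclosure Vulnerability 2 in the quoted advisory, and of the two workarounds it lists; this is not SAXON's or netVigilance's code, and the function names, the PDO connection and the news table are assumptions.

```php
<?php
// Added example (not SAXON's or netVigilance's code): the request pattern
// behind "Path Disclosure Vulnerability 2" and one way to harden it.
// Function names, the PDO connection and the news table are hypothetical.
//
// Original shape: a request such as edit-item.php?newsid[]=1 makes PHP hand
// an array to mysql_real_escape_string(), which raises a Warning. With
// display_errors on, that Warning, absolute path included, is written into
// the HTTP response, as the advisory's REPLY shows:
//
//   $safe = mysql_real_escape_string($_GET['newsid']);   // warns on arrays
//
// Hardening has two independent parts: validate the type of every parameter
// before it reaches a library call, and keep PHP diagnostics off the wire.

// 1) Type- and range-check the parameter. Returns an int or null and never
//    emits a diagnostic, whatever shape the query string has.
function parse_newsid(array $query): ?int
{
    if (!array_key_exists('newsid', $query) || !is_string($query['newsid'])) {
        return null;                  // absent, or newsid[]=1 (an array)
    }
    // Positive integer only: no sign, leading zeros, whitespace or SQL.
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $query['newsid'])) {
        return null;
    }
    return (int) $query['newsid'];
}

// 2) Error policy, applied before any other code runs. It keeps
//    netVigilance's display_errors = Off workaround but, unlike the vendor's
//    error_reporting(0), still records the warning for the operator.
function apply_error_policy(): void
{
    ini_set('display_errors', '0');   // nothing reaches the HTTP response
    ini_set('log_errors', '1');       // ... but it does reach the error log
    error_reporting(E_ALL);
}

// 3) Handler shape: the validated id is bound as a query parameter, so no
//    escaping function ever sees an unexpected type.
function load_item(PDO $pdo, array $query): ?array
{
    $id = parse_newsid($query);
    if ($id === null) {
        http_response_code(400);      // generic client error, no internals
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, title FROM news WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: the advisory's request shape next to a normal one.
if (PHP_SAPI === 'cli') {
    apply_error_policy();
    var_dump(parse_newsid(['newsid' => ['1']]));    // NULL   (newsid[]=1)
    var_dump(parse_newsid(['newsid' => '1']));      // int(1)
    var_dump(parse_newsid(['newsid' => '1 OR 1'])); // NULL
}
```

The point of keeping log_errors on is that the operator still sees the warning the advisory triggers; only the client stops seeing the path.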


Re: [Full-disclosure] pdp is leaving us

2007-10-28 Thread reepex
Since everyone who really understood the post did not reply, this
thread will serve as a monument to all the people whose technical skills
hit a roadblock at xss and javascript

On 10/28/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 reepex wrote:
  It seems our good friend and fellow poster pdp|architect is leaving
  our scene for something else.
  http://www.gnucitizen.org/about/pdp#comment-61753
 
  pdp took a lot of heat after his home router bug that affected millions
  of people and maybe it was too much for him to handle. We hope he
  comes back soon with more 0day advisories and technical reports.
 


 Well, good luck, and thanks for all your efforts.

 ~Florian
 ---
 And thanks for all the phish
 http://www.blackopscode.com
 http://www.gokickrocks.us
 ---





Re: [Full-disclosure] MySpace URL redirection

2007-10-28 Thread reepex
CRIPEEE FIGHTT!!

On 10/28/07, Morning Wood [EMAIL PROTECTED] wrote:
 you're an ignorant little twat
 if you had a clue you would see the OP stated the link will crash IE

 now go away kthnx


 - Original Message -
 From: worried security [EMAIL PROTECTED]
 To: full-disclosure@lists.grok.org.uk
 Sent: Saturday, October 27, 2007 11:46 AM
 Subject: Re: [Full-disclosure] MySpace URL redirection


  On 10/27/07, Morning Wood [EMAIL PROTECTED] wrote:
 
  
  redirection yes, crash no ( IE7 ) crash yes ( IE6 )
 
 
  morning wood, why would you want to crash IE6? is this because you're part
  of the whole zone-h agenda? yeah crashing IE6 is something you script
  kiddies do.
 
  if this was someone else mentioning IE6 crashes I wouldn't be worried, but
   it's the fact you're connected to the biggest malicious hacker website in
  the
  world that it really concerns me.
 
  check out his website everyone, http://www.zone-h.org they tell script
  kids
  to submit defacements to their website and morning wood is part of the
  team,
  his picture is even in the staff section.
 
  everyone keep an eye on morning wood and I urge you to not associate
  yourself with him on the mailing lists, he is constantly being
  investigated
  because of his links with the zone-h agenda.
 
  n3td3v
 


 







Re: [Full-disclosure] MySpace URL redirection

2007-10-27 Thread reepex
lol n3td3v and morning_wood fighting

http://youtube.com/watch?v=V_Y_fUhj6Bs
http://en.wikipedia.org/wiki/Cripple_Fight

thank you both for the entertainment that is your careers/lives/fd posts


On 10/27/07, worried security [EMAIL PROTECTED] wrote:
 On 10/27/07, Morning Wood [EMAIL PROTECTED] wrote:
  
  redirection yes, crash no ( IE7 ) crash yes ( IE6 )


 morning wood, why would you want to crash IE6? is this because you're part
 of the whole zone-h agenda? yeah crashing IE6 is something you script
 kiddies do.

 if this was someone else mentioning IE6 crashes I wouldn't be worried, but
 it's the fact you're connected to the biggest malicious hacker website in the
 world that it really concerns me.

 check out his website everyone, http://www.zone-h.org they tell script kids
 to submit defacements to their website and morning wood is part of the team,
 his picture is even in the staff section.

 everyone keep an eye on morning wood and I urge you to not associate
 yourself with him on the mailing lists, he is constantly being investigated
 because of his links with the zone-h agenda.

 n3td3v




Re: [Full-disclosure] Google Sacure

2007-10-27 Thread reepex
please stop trying to ruin a noname company - all you are doing is
giving n3td3v more things to talk about so that people click his link
and his terrorist cell can be funded by adsense.

If you want a company to laugh at, you should instead try IRM and
their cisco xss.

On 10/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 God, this is just more proof that they have no idea what they are
 doing. How long does it take to fix errors on a website? I mean, I
 know that they are using Godaddy.com and don't host their own
 stuff...

 wait... that can't be right!

 How can a leader in Managed Security Services not have the
 ability to host their own web server?  Something's fishy...



 On Fri, 26 Oct 2007 11:54:22 -0400 webby devil [EMAIL PROTECTED]
 wrote:
 ole:
 your site itself has problems! how are you going to solve others
 problems?
   Welcome ole! Your request has been directed to the Customer
 Service department. Please wait for our operator to answer your
 call.
   Call accepted by operator JC. Currently in room: JC. ole:
 any answers?
 JC:
 Hello Ole
 JC:
 Do you have a question?
 ole:
 your site itself has problems! how are you going to solve others
 problems?
 JC:
 What problems are you speaking of
 JC:
 We're currently working to fix some of our pages if that is what
 you're
 referring to
 ole:
 Access denied for user:
 '[EMAIL PROTECTED]'[EMAIL PROTECTED](Using
 password: YES)
 ole:
 /home/content/s/a/c/sacure/html/news/snews.php
 JC:
 Yes, I understand the concern with our News and Events page
 JC:
 We're working to fix that, my apologies
 ole:
 You're being discussed on FullDisclosure
 ole:
 do you know what that is?
 JC:
 No
 JC:
 Can you explain to me what that is
 ole:
 are you in any way related to information security testing?
 JC:
 Yes we are
 JC:
 Can you please explain to me what Full Disclosure is and what the
 discussion
 is
 ole:
 well you should be asking one of your penetration testers there
 what FD is





[Full-disclosure] pdp is leaving us

2007-10-27 Thread reepex
It seems our good friend and fellow poster pdp|architect is leaving
our scene for something else.
http://www.gnucitizen.org/about/pdp#comment-61753

pdp took a lot of heat after his home router bug that affected millions
of people and maybe it was too much for him to handle. We hope he
comes back soon with more 0day advisories and technical reports.



Re: [Full-disclosure] lol @ you

2007-10-27 Thread reepex
stop you from what.. spamming us? I believe we have that handled.

Also don't annoy us because you can not get a job in the security
field like we have.

On 10/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 hahahahaha you can't stop us, silly whitehats

 there are more of us, and we are smarter

 -EAT A DIK





Re: [Full-disclosure] TCP Hijacking (aka Man-in-the-Middle)

2007-10-26 Thread reepex
seriously. enough with the irc ass kissing.

On 10/26/07, don bailey [EMAIL PROTECTED] wrote:
  Thank you, Captain Obvious - I specifically *said* that only one of them
  needs to be blind spoofing.
 
  only possible if sequence number is 100% (or close to 100%) predictable.
 
  And Michael Zalewski's work showed that even on many boxes that *claim*
  to have RFC1948 randomization, you can do pretty well on the predicting.
 

 Seriously. Enough with the asterisks.





Re: [Full-disclosure] TCP Hijacking (aka Man-in-the-Middle)

2007-10-25 Thread reepex
Hi I am sorry to hear you just woke from your coma. It is now 2007 not 1995.

On 10/25/07, Oliver [EMAIL PROTECTED] wrote:


 Hello,

 I have been searching all over the place to find an answer to this question,
 but Google has made me feel unlucky these last few days. I hope I could find
 more expertise here. The burning question I have been pondering over is -
 could TCP connections be hijacked both ways? I know there are tools ( e.g.
 Hunt) that sniff traffic and could arbitrarily reset a connection by
 spoofing the IP and MAC address. But could there be more than just that? Is
 it theoretically possible to not reset the connection with the server or the
 client, but play the man-in-the-middle attack?

 An example network scenario of this that I could come up with is that the
 hacker is within the same network as the victim (client), who is connected
 to a server through a persistent TCP connection. Now the hacker could
 pretend to be the server and send a TCP message (not reset/fin) to the
 client and change the seq/ack numbers on the client side, and the hacker
 could pretend to be the client and send a TCP message (not reset/fin) to the
 server and change the seq/ack there. Thus, the seq/ack numbers are
 completely out of sync for the client and server and thus would not
 recognize each other's messages. At this point, the hacker could relay ( i.e.
 be man-in-the-middle) the messages from the client to the server and vice
 versa, using the seq/ack numbers that they would accept. While this seems
 pretty pointless so far, the hacker could inject messages at will to either
 side of the connection, and still make the server and client believe that
 they are in sync with each other ( i.e. this would not work if the hacker
 does not relay the messages with the seq/ack numbers the server and client
 would accept). That means the hacker goes undetected and could do whatever
 he chooses, as he has hijacked the connection.

 Is this possible? Assuming there is no hardware limitation (e.g.
 router/switch blocking MAC/IP addresses from certain ports). Would the TCP
 protocol definition and implementation in Windows and *nixes these days
 interpret this behaviour correctly (correctly for the hacker,
 incorrectly for themselves)? I imagine it would be quite a bit of work
 proving this theory and perhaps some of you could enlighten me or dismiss
 this concept.

 Regards,
 Oliver





Re: [Full-disclosure] Airscanner Mobile Security Advisory #07101401: Mobile-spy Victim/User Phone/SMS/URL Log Spoofing and Persistent XSS Injection

2007-10-23 Thread reepex
On 10/23/07, Seth Fogie [EMAIL PROTECTED] wrote:

 * Risk Level:*
 High - Spoofed log records / Injected JavaScript can lead to malware
 attacks


Risk level high and javascript do not belong together

Re: [Full-disclosure] IRM Discover More Vulnerabilities in Cisco IOS

2007-10-23 Thread reepex

Bug 1:
The Line Printer Daemon, which provides print server functionality in
Cisco IOS is vulnerable to a software flaw whereby the length of the
hostname of the router is not checked before being copied into a fixed
size memory buffer. [...] However, the attacker must be able to
control the hostname of the router, which could be achieved via SNMP.

Ok... so for this remote attack the victim would need a badly
configured snmp listening public... ok pdp architect

---
Bug 2:
Cisco say it's cross-site scripting

Ok you are still stealing pdp architect's research
---

Bug 3-7,10-15
Local attacks on a cisco - lulz

Not even pdp would go this low
---

Bug 8,9: no info - I'm sure it's elite though

Having a bug but releasing no info - sounds like drraid and pdp architect to me

-

so basically you found a bunch of local bugs in ciscos and a bug if
you can control snmp - way to go - your grep -r strcpy * skills are
quite strong. eEye and iDefense would gladly hire you.

Do you wonder why you found 12 bugs and get no press but michael lynn
finds a couple and cisco is throwing lawyers and lawsuits at him? ---
it's probably because his mattered and yours are a joke - just like you
and your company.


On 10/23/07, Andy Davis [EMAIL PROTECTED] wrote:
 In the last three months IRM has discovered a total of 13 new security
 vulnerabilities in Cisco IOS. These vulnerabilities were reported to
 Cisco and have all been allocated PSIRT reference numbers while the root
 cause and potential impact of each is investigated. Cisco has taken all
 the vulnerability reports extremely seriously and has already started
 releasing patches and workarounds to mitigate them (e.g.
 http://www.cisco.com/warp/public/707/cisco-sr-20071010-lpd.shtml). As
 the remaining patches or workarounds are developed, IRM will release
 security advisories, which will include full technical details of each
 vulnerability and links to patch download information.

 More information about the new vulnerabilities discovered is available
 here:

 http://www.irmplc.com/index.php/111-Vendor-Alerts






Re: [Full-disclosure] ifnet.it WEBIF XSS Vulnerability

2007-10-22 Thread reepex
SHUT UP PDP

SEND XSS TO SECURITY BASICS

On 10/22/07, SkyOut [EMAIL PROTECTED] wrote:

 -
 || WWW.SMASH-THE-STACK.NET ||
 -

 || ADVISORY: IFNET.IT WEBIF XSS VULNERABILITY

 _
 || 0x00: ABOUT ME
 || 0x01: DATELINE
 || 0x02: INFORMATION
 || 0x03: EXPLOITATION
 || 0x04: GOOGLE DORK
 || 0x05: RISK LEVEL
 
 

 _
 || 0x00: ABOUT ME

 Author: SkyOut
 Date: October 2007
 Contact: skyout[-at-]smash-the-stack[-dot-]net
 Website: www.smash-the-stack.net

 _
 || 0x01: DATELINE

 2007-10-15: Bug found
 2007-10-15: Email with notification sent to ifnet.it
 2007-10-21: Still no reaction from ifnet.it
 2007-10-22: Advisory released

 
 || 0x02: INFORMATION

 In the WEBIF product by the Italian company ifnet, an error
 occurs due to the fact of an unfiltered variable (cmd) in the
 webif.exe program. It is possible to execute any JavaScript code
 by manipulating the parameter.

 _
 || 0x03: EXPLOITATION

 To exploit this bug no exploit is needed, all can be done through
 manipulation of the given URL:

 STEP 1:
 Go to the standard page of the WEBIF product, normally existing
 at /cgi-bin/webif.exe. You will recognize some further parameters,
 being cmd, config and outconfig.

 STEP 2:
 Don't change any parameter except the cmd one. Change its value
 to any JavaScript code you like. For our demo we will use the default
 one, being <script>alert('XSS');</script>.

 STEP 3:
 Click ENTER and execute the code. A successful demonstration will
 pop up a window.

 EXAMPLE:
 http://example.com/webif/cgi-bin/webif.exe?cmd=<script>alert('XSS');</script>&config=[ * ]&outconfig=[ * ]

 [ * ] = Depends on the server. Don't change this!

 
 || 0x04: GOOGLE DORK

 inurl:/cgi-bin/webif/ intitle:WEBIF

 ___
 || 0x05: RISK LEVEL

 - LOW - (1/3) -

 ! Happy Hacking !

 
 

 THE END



Re: [Full-disclosure] Redirecting 404 error pages?

2007-10-21 Thread reepex
what's the point of blocking the url when it's in google cache?

http://64.233.169.104/search?q=cache:Y4hf4gOOAc8J:www.newskicks.com/avatars/user_uploaded//ts-audiotomidi-full-crack.html+muonline+huck+1+hit+panasonic+gd+68+acid+5+mp3&hl=en&ct=clnk&cd=2&gl=us&client=firefox-a

also you are lucky some spammers hacked your site instead of people who had
more interesting ideas

On 10/21/07, crazy frog crazy frog [EMAIL PROTECTED] wrote:

 Hi All,

 Recently on one of my domains I found some strange PHP scripts with
 random numeric names like 3578.php etc., and there was one
 .htaccess file which contained the Apache directive to redirect the
 404 pages to this script. And then on searching on Google I found that
 my sites were displaying porn, cracks etc. I think it's an automated
 bot/worm.
 Any ideas on this?
 I have written about it here:

 http://www.secgeeks.com/ever_checked_that_your_apache_404_page_is_displaying_porn_or_cracks.html

 --
 ---
 http://www.secgeeks.com
 http://www.newskicks.com

 ---


