Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-25 Thread cocoruder .
Yes, I believe the vulns will mostly come from the JS feature, and we (Fortinet 
Security Research Team) have finished our security review of Adobe 
Reader/Acrobat; following the vendor's process, we will release advisories in some 
months too. Expect it!



welcome to my blog:
http://ruder.cdut.net






From: Eduardo Tongson [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] 0day: PDF pwns Windows
Date: Sun, 23 Sep 2007 10:59:33 +0800

That exploits the JavaScript [1] and open-URI [2] features through the
Acrobat WebLink plug-in. Adobe put JavaScript into the PDF 1.3
specification for forms interaction. Opening up the calculator should
not be a feature [3].

[1] /JS ({app.alert\(evil javascript active!\);}\r{app.alert\(Oh
wait! We aren\'t finished with you yet..\);}\r)

[2] /URI (www.nthelp.com/evil_browse.htm)

[3] http://projects.info-pull.com/moab/MOAB-06-01-2007.html

On 9/23/07, silky [EMAIL PROTECTED] wrote:
 On 9/22/07, Geo. [EMAIL PROTECTED] wrote:
   pa http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
   Is this the way responsible disclosure works these days ?
   Adobe's representatives can contact me from the usual place.
   
   Wow, now that's coordinated release. Knowing the bugs that you found
   previously it should take 10 minutes to rediscover this one. Which
   makes this even worse.
  
  I just saw his video showing the exploit firing up calculator, it looks
  like the same stuff (feature/exploit call it what you want) that's been
  around for years. See www.nthelp.com/test.pdf (warning, it won't damage
  anything but it may scare you)

 ps, if anyone cares, this exploit does not work on foxit pdf reader v1.3.

 foxit rocks.

 so let's not call it a 'pdf' vuln, but an 'adobe acrobat' vuln.




  Geo.
 
  ___
  Full-Disclosure - We believe in it.
  Charter: http://lists.grok.org.uk/full-disclosure-charter.html
  Hosted and sponsored by Secunia - http://secunia.com/
 


 --
 mike
 http://lets.coozi.com.au/





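Tongson's point above is that the reader acts on dictionary entries such as /JS and /URI as soon as the file is opened, so the cheapest triage check on an incoming PDF is to look for those action keys. The scanner below is an added example written for this page, not code from the thread or from any poster; it also resolves #xx hex escapes in names (/J#53 is /JS) and inflates FlateDecode streams, two spellings that a plain grep for /JS misses. The key list and both sample files are constructed for illustration.

```python
import re
import zlib

# Dictionary keys that make a reader run script or reach out to a URI/program
# when the file is opened.  The list is this example's assumption, not a
# definition from the thread.
SUSPICIOUS_KEYS = ("/JavaScript", "/JS", "/OpenAction", "/AA",
                   "/URI", "/Launch", "/SubmitForm", "/GoToR")

NAME_RE = re.compile(rb"/[A-Za-z0-9#]+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_name(raw: bytes) -> str:
    """Resolve #xx hex escapes so that /J#53 compares equal to /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  raw).decode("latin-1")


def expand_streams(data: bytes) -> bytes:
    """Swap each stream body for its inflated form; bodies that are not
    FlateDecode are dropped so raw compressed bytes cannot match a name."""
    def repl(m):
        try:
            return b"stream\n" + zlib.decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return b"stream\n\nendstream"
    return STREAM_RE.sub(repl, data)


def scan_pdf(data: bytes) -> dict:
    """Return {key: occurrences} for every suspicious name in the file."""
    counts = {}
    for m in NAME_RE.finditer(expand_streams(data)):
        name = normalize_name(m.group(0))
        if name in SUSPICIOUS_KEYS:
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample: a catalog whose /OpenAction is a JavaScript action and a
# link annotation with a /URI action, modelled on the entries quoted above.
SAMPLE_PDF = (
    b"%PDF-1.3\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (app.alert\\(evil javascript active!\\);) >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (www.nthelp.com/evil_browse.htm) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def build_obfuscated_sample() -> bytes:
    """Constructed sample that hides the same action inside a FlateDecode
    stream and spells the names with hex escapes (/J#61vaScript, /J#53)."""
    body = zlib.compress(b"<< /S /J#61vaScript /J#53 (app.alert\\(hidden\\);) >>")
    return (b"%PDF-1.5\n6 0 obj << /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body
            + b"\nendstream\nendobj\n")


if __name__ == "__main__":
    for label, blob in (("plain", SAMPLE_PDF),
                        ("obfuscated", build_obfuscated_sample())):
        print(label, scan_pdf(blob))
```

A hit is a reason to open the file in a sandboxed viewer or with JavaScript disabled, not proof of malice: form-heavy PDFs legitimately carry /AA and /JavaScript actions. A production scanner would also walk object streams (/ObjStm) and the other filters, which this example skips.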

Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-25 Thread Chad Perrin
On Sat, Sep 22, 2007 at 10:34:07PM -0700, Crispin Cowan wrote:
 
 A private 0day exploit (the case I was concerned with) would be where
 someone develops an exploit, but does not deploy or publish it, holding
 it in reserve to attack others at the time of their choosing. Presumably
 if such a person wanted to keep it for very long, they would have to
 base it on a vulnerability that they themselves discovered, and did not
 publish.
 
 I continue to dismiss the requirement that an 0day be found maliciously
 exploiting machines, because that requires inferring intent. IMHO, a POC
 exploit first posted to Bugtraq ahead of the patch counts as an 0day
 exploit, unless it has been so thoroughly obfuscated that the proof
 part of proof of concept is itself BS.

In the case of that private zero day exploit, then, nobody will ever
know about it except the person that has it waiting in reserve -- and if
someone else discovers and patches the vulnerability before the exploit
is ever used, it never becomes a public zero day exploit.  In other
words, you can always posit that there's sort of a Heisenbergian state of
potential private zero day exploitedness, but in real, practical terms
there's no zero day anything unless it's public.

The moment you have an opportunity to measure it, the waveforms collapse.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Amazon.com interview candidate: When C++ is your hammer, everything starts
to look like your thumb.



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-25 Thread Crispin Cowan
Chad Perrin wrote:
 On Sat, Sep 22, 2007 at 10:34:07PM -0700, Crispin Cowan wrote:
   
 A private 0day exploit (the case I was concerned with) would be where
 someone develops an exploit, but does not deploy or publish it, holding
 it in reserve to attack others at the time of their choosing. Presumably
 if such a person wanted to keep it for very long, they would have to
 base it on a vulnerability that they themselves discovered, and did not
 publish.
 
 In the case of that private zero day exploit, then, nobody will ever
 know about it except the person that has it waiting in reserve -- and if
 someone else discovers and patches the vulnerability before the exploit
 is ever used, it never becomes a public zero day exploit.  In other
 words, you can always posit that there's sort of a Heisenbergian state of
 potential private zero day exploitedness, but in real, practical terms
 there's no zero day anything unless it's public.

 The moment you have an opportunity to measure it, the waveforms collapse.
   
It's a little less abstract than that. Consider that the United States
government might want to worry about whether some foreign nation is
banking a large pool of private 0day exploits in preparation for war.
Such a nation might farm these private 0day exploits by employing a pool
of vulnerability researchers and exploit developers, and just not
publishing the results.

This is a perfectly viable way to produce what amounts to Internet
munitions. The recent incident of Estonia Under *Russian Cyber Attack*?
http://www.internetnews.com/security/article.php/3678606 is an example
of such a network brush war in which possession of such an arsenal would
be very useful.

Crispin

-- 
Crispin Cowan, Ph.D.   http://crispincowan.com/~crispin/
Director of Software Engineering   http://novell.com
AppArmor Chat: irc.oftc.net/#apparmor



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-25 Thread Lamont Granquist


On Sun, 23 Sep 2007, Chad Perrin wrote:
 In the case of that private zero day exploit, then, nobody will ever
 know about it except the person that has it waiting in reserve -- and if
 someone else discovers and patches the vulnerability before the exploit
 is ever used, it never becomes a public zero day exploit.  In other
 words, you can always posit that there's sort of a Heisenbergian state of
 potential private zero day exploitedness, but in real, practical terms
 there's no zero day anything unless it's public.

 The moment you have an opportunity to measure it, the waveforms collapse.

The exploit is not made public by its use.  The exploit is not even made 
public by (back-channel) sharing amongst the hacker/cracker community. 
The exploit is only made public if detected or the vulnerability is 
disclosed.  Until detected/disclosed the hacker/cracker can use their 
31337 0day spl01tz to break into whichever vulnerable machines they like. 
0day exploits are valuable because the opposition is ignorant of them.

Posting exploits to BUGTRAQ, however, inherently makes them not 0day...



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-25 Thread Glenn.Everhart
Minor point:

No need to limit such accumulations to nation-states though. People interested
in fiddling with other peoples' computers have come up with attacks that don't
get instantly published at least since the 1970s, and have had more-or-less
private channels to communicate them. The motives these days, if you believe
the press, may be more around money than simple mischief, but the practice of
not disclosing bugs and exploits to the world has been with us a long time.
Such exploits are 0day exploits until someone gets wind of them who will do
something to defend against them. This can be a vendor, someone who publishes
workarounds for admins, or whatnot, the key point being that the 0day issue is
one that pretty much all systems of the target type will be vulnerable to.

Once an exploit is widely used, it is likely to be noticed and cease to be
effective everywhere too. The recent stories about targeted attacks are I
expect partly devised to keep exploits working longer by avoiding this.

BTW the older use for 0day to refer to warez that were newly cracked is
similar in that again the term refers to the fact that the vendor has not yet
had time to do anything to react to the crack or disallow use of the software.

Glenn Everhart


-Original Message-
From: Crispin Cowan [mailto:[EMAIL PROTECTED]
Sent: Monday, September 24, 2007 5:59 PM
To: Chad Perrin
Cc: [EMAIL PROTECTED]; Gadi Evron; pdp (architect);
[EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Subject: Re: 0day: PDF pwns Windows




Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-25 Thread J. Oquendo
Crispin Cowan wrote:


 This is a perfectly viable way to produce what amounts to Internet
 munitions. The recent incident of Estonia Under *Russian Cyber Attack*?
 http://www.internetnews.com/security/article.php/3678606 is an example
 of such a network brush war in which possession of such an arsenal would
 be very useful.

 Crispin

One would presume that governments across the world would have their
shares of unpublished exploits but with all the incidents of government
networks being compromised, I don't believe this to be the case. What
happened in Estonia though was nothing more than a botnet attack on
their infrastructure
(http://www.informationweek.com/showArticle.jhtml?articleID=199602023)
not an 0day attack.

0days, defined as unpublished exploits, wouldn't do much in a
cyberwarfare theater of country against country, as the purpose of such
warfare would LIKELY be to disconnect/disrupt communications. In the
cases of industrial/country vs. country espionage it might (likely will)
be more effective for the long haul but in the short term, 0days will
be useless in this type of cyberfight. Think about it logically, you
want to disrupt country X's communications, not tap them. You'd want
to make sure their physical army had no mechanism to communicate. You'd
want to make sure financially you would cripple them. Not worry about
injecting some crapware onto a machine for the sake of seeing what they're
doing.

Reconnaissance is usually something done beforehand to mitigate your
strategy. Not mitigate what's happening after you possibly sent 1Gb of
traffic down a 100Mb pipe.



-- 

J. Oquendo
Excusatio non petita, accusatio manifesta

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net




Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-25 Thread Jason


J. Oquendo wrote:
 Crispin Cowan wrote:
 
 This is a perfectly viable way to produce what amounts to Internet
 munitions. The recent incident of Estonia Under *Russian Cyber Attack*?
 http://www.internetnews.com/security/article.php/3678606 is an example
 of such a network brush war in which possession of such an arsenal would
 be very useful.

 Crispin
 
 One would presume that governments across the world would have their
 shares of unpublished exploits but with all the incidents of government
 networks being compromised, I don't believe this to be the case. What
 happened in Estonia though was nothing more than a botnet attack on
 their infrastructure
 (http://www.informationweek.com/showArticle.jhtml?articleID=199602023)
 not an 0day attack.
 
 0days, defined as unpublished exploits, wouldn't do much in a
 cyberwarfare theater of country against country, as the purpose of such
 warfare would LIKELY be to disconnect/disrupt communications. In the
 cases of industrial/country vs. country espionage it might (likely will)
 be more effective for the long haul but in the short term, 0days will
 be useless in this type of cyberfight. Think about it logically, you
 want to disrupt country X's communications, not tap them. You'd want
 to make sure their physical army had no mechanism to communicate. You'd
 want to make sure financially you would cripple them. Not worry about
 injecting some crapware onto a machine for the sake of seeing what they're
 doing.
 
 Reconnaissance is usually something done beforehand to mitigate your
 strategy. Not mitigate what's happening after you possibly sent 1Gb of
 traffic down a 100Mb pipe.
 
 

You present a valid position but fall short of seeing the whole picture.

As an attacker, nation state or otherwise, my goal being to cripple
communications, 0day is the way to go. Resource exhaustion takes
resources, something the 0day can deprive the enemy of.

Knocking out infrastructure with attacks is a far more effective
strategy. You can control its timing, launch it with minimal resources,
from anywhere, coordinate it, and be gone before it can be thwarted. The
botnet would only serve as cover while the real attack happens.

I am more inclined to believe that botnets in use today really only
serve as cover, thuggish retribution, and extortion tools, not as
effective tools of warfare. No real warfare threat would risk exposing
themselves through the use of or construction of a botnet.



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-25 Thread J. Oquendo
Jason wrote:

 You present a valid position but fall short of seeing the whole picture.

 As an attacker, nation state or otherwise, my goal being to cripple
 communications, 0day is the way to go. Resource exhaustion takes
 resources, something the 0day can deprive the enemy of.

Counterpoint... You're trying to shoot me down with 0day crap:

You -- 0day attack -- My Infrastructure

Me -- Botnet -- Your infrastructure

Never having to consume any resources other than a point and click shoot
em up attack, I necessarily won't even have to use my own resources. So
shoot away as your network becomes saturated.

 Knocking out infrastructure with attacks is a far more effective
 strategy. You can control its timing, launch it with minimal resources,
 from anywhere, coordinate it, and be gone before it can be thwarted. The
 botnet would only serve as cover while the real attack happens.

In a strategic war, most countries aim to eliminate supply points and
mission critical infrastructure as quickly as possible. In a
cyberwarfare situation me personally, I would aim to 1) disrupt/stop via
a coordinated attack whether its via a botnet or something perhaps along
the lines of a physical cut to a nation's fiber lines.

0day would only serve me afterwards to perhaps maintain covert states of
communication. Maybe inject disinformation through crapaganda. Imagine
an enemy's entire website infrastructure showing tailored news... Would
truly serve a purpose AFTER the attack not during.

 I am more inclined to believe that botnets in use today really only
 serve as cover, thuggish retribution, and extortion tools, not as
 effective tools of warfare. No real warfare threat would risk exposing
 themselves through the use of or construction of a botnet.
 

Luckily for most companies and government, botnets aren't being used for
their full potential. And I don't mean potential as in they're a good
thing. I could think up a dozen cyberwar scenarios in minutes that
would cripple countries and businesses. I believe countries, providers
and governments should at some point get the picture and perhaps create
guidelines to curtail the potential for havoc - imagine hospitals being
attacked and mission critical life saving technologies taken offline.



J. Oquendo
Excusatio non petita, accusatio manifesta

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net




Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-25 Thread Valdis . Kletnieks
On Tue, 25 Sep 2007 10:48:22 EDT, J. Oquendo said:

 Counterpoint... You're trying to shoot me down with 0day crap:
 
 You -- 0day attack -- My Infrastructure
 
 Me -- Botnet -- Your infrastructure
 
 Never having to consume any resources other than a point and click shoot
 em up attack, I necessarily won't even have to use my own resources. So
 shoot away as your network becomes saturated.

The point you're missing is that in an actual war, more than just infantry and
artillery shooting happens.  Espionage happens, scouting happens, snipers
happen.  And remember that your forward artillery observers are *always*
high-value targets for the opponent, so you want those to be stealthy.

Plus, there's blended attacks - how about using a 0day to drop botnet drones
onto the targeted network, so you DDoS it *from within* (quite interesting
if there's DDoS mitigation hardware on the external face of the network,
but none inside).

I'd fully expect that any cyber-warfare team worth the name would be attacking
with DDoS, 0days, social engineering, and every other tool they can think of.




Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-25 Thread Gadi Evron
On Tue, 25 Sep 2007, Jason wrote:
 You present a valid position but fall short of seeing the whole picture.

 As an attacker, nation state or otherwise, my goal being to cripple
 communications, 0day is the way to go. Resource exhaustion takes
 resources, something the 0day can deprive the enemy of.

 Knocking out infrastructure with attacks is a far more effective
 strategy. You can control its timing, launch it with minimal resources,
 from anywhere, coordinate it, and be gone before it can be thwarted. The
 botnet would only serve as cover while the real attack happens.

 I am more inclined to believe that botnets in use today really only
 serve as cover, thuggish retribution, and extortion tools, not as
 effective tools of warfare. No real warfare threat would risk exposing
 themselves through the use of or construction of a botnet.


There is a difference between Sun Tzu-like stealth and civil war-like 
throw bodies at it.

I quite agree 0days would be important tools, but not necessarily the only 
tool. Then, it would only be a facilitating technology. A known 
vulnerability is also useful in many cases.

About botnets, they are at the very heart of the matter--not necessarily 
for being used in this fashion, but rather because the Internet is perfect 
for plausible deniability, and then, of course, there is the matter of a 
/fifth column/, inside your network.

Gadi.




Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-25 Thread Gadi Evron
On Tue, 25 Sep 2007, J. Oquendo wrote:
 In a strategic war, most countries aim to eliminate supply points and
 mission critical infrastructure as quickly as possible. In a
 cyberwarfare situation me personally, I would aim to 1) disrupt/stop via
 a coordinated attack whether its via a botnet or something perhaps along
 the lines of a physical cut to a nation's fiber lines.

Just go watch Die Hard 4.
:)

Gadi.



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-25 Thread Iggy E

Hi Crispin,

I agree with almost everything you say until here:
I continue to dismiss the requirement that an 0day be found
maliciously exploiting machines, because that requires inferring
intent.

IMO, everybody in this thread is taking this from an
inside-to-outside approach, whereas a '0day' is the opposite.

If I'm on a CERT team for a corporation then I don't give a flying F
if somebody's concocted a cool exploit for a vulnerability that
hasn't been patched; and moreover, I don't know about it.

I only care if there's malicious code running around in the real
world doing damage that has no patch for the vulnerability. That's
when I have to take some action or be completely helpless and in my
mind that's the only time I consider a '0day' to have any relevance.

Let me repeat: if it's a theoretical exploit, or even if it's hit
100,000 machines but has not been reported and is not being seen in the
wild, then it has no relevance to me BECAUSE I DON'T KNOW THAT IT
EXISTS and therefore to me it is not 0day.

Only through normal channels doing my daily CERT work (dCERT, FrSIRT,
Secunia, etc.) if I see an exploit on an unpatched vulnerability
doing real damage is when I would ever consider the term '0day'.

Very respectfully,
Ignacio



--- Crispin Cowan [EMAIL PROTECTED] wrote:

 [EMAIL PROTECTED] wrote:
  But then there is the important concept of the private 0day, a new
  vulnerability that a malicious person has but has not used yet.
  
  But the point is there is no such thing as a 0day *vulnerability; there's
  a 0day exploit, an exploit in the wild before the vulnerability is
  discovered.

 An excellent point. Sorry I overlooked that. Exploit development today
 is so fast that I tend to equate knowledge of a vulnerability with ...
 and can have an exploit by tomorrow afternoon.
 
  Rather, I just treat 0day as a synonym for new vulnerability and
  don't give a hoot about the alleged intentions of whoever discovered it.
  What makes it an 0 day is that whoever is announcing it is first to
  announce it in public. You could only invalidate the 0day claim by
  showing that the same vulnerability had previously been disclosed by
  someone else.
  
  The point is that it is not supposed to be a moniker for vulnerabilities;
  it's a moniker for exploits.  In any other context it does not make sense.
 
  Specifically considering that 0-day exploit is the only definition which
  holds meaning with respect to a particular exploit over time.  An exploit
  which existed before the vulnerability was publicly known.

 Yes, you are right. So 0day is a class of exploits. Specifically, it
 is the class of exploits that are developed before the first available
 patch for the vulnerability in question.
 
 But that race condition of whether the patch or the exploit is partially
 ordered, because they could be developed independently. There is the
 special case where the person who first discovered the vulnerability
 also develops either a patch or an exploit, in which case it is totally
 ordered. But in the general case where one person discovers the
 vulnerability, and two other people independently develop an exploit and
 a patch, you can't tell who finished first. All you can do is detect who
 published first.
 
 So fair enough, an 0day exploit is one that appears in public before
 the associated patch is published.
 
 A private 0day exploit (the case I was concerned with) would be where
 someone develops an exploit, but does not deploy or publish it, holding
 it in reserve to attack others at the time of their choosing. Presumably
 if such a person wanted to keep it for very long, they would have to
 base it on a vulnerability that they themselves discovered, and did not
 publish.
 
 I continue to dismiss the requirement that an 0day be found maliciously
 exploiting machines, because that requires inferring intent. IMHO, a POC
 exploit first posted to Bugtraq ahead of the patch counts as an 0day
 exploit, unless it has been so thoroughly obfuscated that the proof
 part of proof of concept is itself BS.
 
 Crispin
 
 -- 
 Crispin Cowan, Ph.D.   http://crispincowan.com/~crispin/
 Director of Software Engineering   http://novell.com
   AppArmor Chat: irc.oftc.net/#apparmor



  



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-25 Thread Jason


J. Oquendo wrote:
 Jason wrote:
 
 You present a valid position but fall short of seeing the whole picture.
 
 As an attacker, nation state or otherwise, my goal being to cripple
 communications, 0day is the way to go. Resource exhaustion takes
 resources, something the 0day can deprive the enemy of.
 
 Counterpoint... You're trying to shoot me down with 0day crap:
 
 You -- 0day attack -- My Infrastructure
 
 Me -- Botnet -- Your infrastructure

Perhaps, if you can catch me everywhere I can be. The problem is that my
attacks, using my 0day, are run from your infrastructure by my forward
teams, long entrenched in your society.

If I want to knock out your infrastructure to render it unusable I'm
going to do it in a way that I can either

- control when and how it goes down and makes it resistant to restore
efforts (Exploiting vulns to gain control )

- destroy it entirely causing you to expend massive resources to rebuild it

 
 Never having to consume any resources other than a point and click shoot
 em up attack, I necessarily won't even have to use my own resources. So
 shoot away as your network becomes saturated.
 
 Knocking out infrastructure with attacks is a far more effective
 strategy. You can control its timing, launch it with minimal resources,
 from anywhere, coordinate it, and be gone before it can be thwarted. The
 botnet would only serve as cover while the real attack happens.
 
 In a strategic war, most countries aim to eliminate supply points and
 mission critical infrastructure as quickly as possible. In a
 cyberwarfare situation me personally, I would aim to 1) disrupt/stop via
 a coordinated attack whether its via a botnet or something perhaps along
 the lines of a physical cut to a nation's fiber lines.
 
 0day would only serve me afterwards to perhaps maintain covert states of
 communication. Maybe inject disinformation through crapaganda. Imagine
 an enemy's entire website infrastructure showing tailored news... Would
 truly serve a purpose AFTER the attack not during.

You don't start that after the fact, you start it before, maintain it
during, and follow through to victory.

 
 I am more inclined to believe that botnets in use today really only
 serve as cover, thuggish retribution, and extortion tools, not as
 effective tools of warfare. No real warfare threat would risk exposing
 themselves through the use of or construction of a botnet.

 
 Luckily for most companies and government, botnets aren't being used for
 their full potential. And I don't mean potential as in they're a good
 thing. I could think up a dozen cyberwar scenarios in minutes that
 would cripple countries and businesses. I believe countries, providers
 and governments should at some point get the picture and perhaps create
 guidelines to curtail the potential for havoc - imagine hospitals being
 attacked and mission critical life saving technologies taken offline.
 
 

The botnet still only serves as cover for this activity. It is a tool,
like the rest, but not a primary weapon for use in active wide-scale
infrastructure DoS. Taking out infrastructure on a wide scale using
resource exhaustion requires too much resource.



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-25 Thread North, Quinn

http://en.wikipedia.org/wiki/0day


/thread

--=Q=--
 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason
Sent: Tuesday, September 25, 2007 11:55 AM
To: J. Oquendo
Cc: Chad Perrin; pdp (architect); Gadi Evron; [EMAIL PROTECTED]; 
full-disclosure@lists.grok.org.uk; Crispin Cowan
Subject: Re: [Full-disclosure] 0day: PDF pwns Windows



J. Oquendo wrote:
 Jason wrote:
 
 You present a valid position but fall short of seeing the whole picture.
 
 As an attacker, nation state or otherwise, my goal being to cripple
 communications, 0day is the way to go. Resource exhaustion takes
 resources, something the 0day can deprive the enemy of.
 
 Counterpoint... You're trying to shoot me down with 0day crap:
 
 You -- 0day attack -- My Infrastructure
 
 Me -- Botnet -- Your infrastructure

Perhaps, if you can catch me everywhere I can be. The problem is that my
attacks, using my 0day, are run from your infrastructure by my forward
teams, long entrenched in your society.

If I want to knock out your infrastructure to render it unusable I'm
going to do it in a way that I can either

- control when and how it goes down and make it resistant to restore
efforts (Exploiting vulns to gain control)

- destroy it entirely causing you to expend massive resources to rebuild it

 
 Never having to consume any resources other than a point and click shoot
 em up attack, I necessarily won't even have to use my own resources. So
 shoot away as your network becomes saturated.
 
 Knocking out infrastructure with attacks is a far more effective
 strategy. You can control its timing, launch it with minimal resources,
 from anywhere, coordinate it, and be gone before it can be thwarted. The
 botnet would only serve as cover while the real attack happens.
 
 In a strategic war, most countries aim to eliminate supply points and
 mission critical infrastructure as quickly as possible. In a
 cyberwarfare situation me personally, I would aim to 1) disrupt/stop via
 a coordinated attack whether it's via a botnet or something perhaps along
 the lines of a physical cut to a nation's fiber lines.
 
 0day would only serve me afterwards to perhaps maintain covert states of
 communication. Maybe inject disinformation through crapaganda. Imagine
 an enemy's entire website infrastructure showing tailored news... Would
 truly serve a purpose AFTER the attack not during.

You don't start that after the fact, you start it before, maintain it
during, and follow through to victory.

 
 I am more inclined to believe that botnets in use today really only
 serve as cover, thuggish retribution, and extortion tools, not as
 effective tools of warfare. No real warfare threat would risk exposing
 themselves through the use of or construction of a botnet.

 
 Luckily for most companies and government, botnets aren't being used for
 their full potential. And I don't mean potential as in they're a good
 thing. I could think up a dozen cyberwarfare scenarios in minutes that
 would cripple countries and businesses. I believe countries, providers
 and governments should at some point get the picture and perhaps create
 guidelines to curtail the potential for havoc - imagine hospitals being
 attacked and mission critical life saving technologies taken offline.
 
 

The botnet still only serves as cover for this activity. It is a tool,
like the rest, but not a primary weapon for use in active wide scale
infrastructure dos. Taking out infrastructure on a wide scale using
resource exhaustion requires too much resource.



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-25 Thread Steven Adair
Nice, sounds almost exactly like what I said a few days ago.  Good to see
the bullet-proof wikipedia has my back.

Steven
www.securityzone.org



 http://en.wikipedia.org/wiki/0day


 /thread

 --=Q=--



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Jason
 Sent: Tuesday, September 25, 2007 11:55 AM
 To: J. Oquendo
 Cc: Chad Perrin; pdp (architect); Gadi Evron; [EMAIL PROTECTED];
 full-disclosure@lists.grok.org.uk; Crispin Cowan
 Subject: Re: [Full-disclosure] 0day: PDF pwns Windows



 J. Oquendo wrote:
 Jason wrote:

 You present a valid position but fall short of seeing the whole
 picture.

 As an attacker, nation state or otherwise, my goal being to cripple
 communications, 0day is the way to go. Resource exhaustion takes
 resources, something the 0day can deprive the enemy of.

 Counterpoint... You're trying to shoot me down with 0day crap:

 You -- 0day attack -- My Infrastructure

 Me -- Botnet -- Your infrastructure

 Perhaps, if you can catch me everywhere I can be. The problem is that my
 attacks, using my 0day, are run from your infrastructure by my forward
 teams, long entrenched in your society.

 If I want to knock out your infrastructure to render it unusable I'm
 going to do it in a way that I can either

 - control when and how it goes down and make it resistant to restore
 efforts (Exploiting vulns to gain control)

 - destroy it entirely causing you to expend massive resources to rebuild
 it


 Never having to consume any resources other than a point and click shoot
 em up attack, I necessarily won't even have to use my own resources. So
 shoot away as your network becomes saturated.

 Knocking out infrastructure with attacks is a far more effective
 strategy. You can control its timing, launch it with minimal
 resources,
 from anywhere, coordinate it, and be gone before it can be thwarted.
 The
 botnet would only serve as cover while the real attack happens.

 In a strategic war, most countries aim to eliminate supply points and
 mission critical infrastructure as quickly as possible. In a
 cyberwarfare situation me personally, I would aim to 1) disrupt/stop via
 a coordinated attack whether it's via a botnet or something perhaps along
 the lines of a physical cut to a nation's fiber lines.

 0day would only serve me afterwards to perhaps maintain covert states of
 communication. Maybe inject disinformation through crapaganda. Imagine
 an enemy's entire website infrastructure showing tailored news... Would
 truly serve a purpose AFTER the attack not during.

 You don't start that after the fact, you start it before, maintain it
 during, and follow through to victory.


 I am more inclined to believe that botnets in use today really only
 serve as cover, thuggish retribution, and extortion tools, not as
 effective tools of warfare. No real warfare threat would risk exposing
 themselves through the use of or construction of a botnet.


 Luckily for most companies and government, botnets aren't being used for
 their full potential. And I don't mean potential as in they're a good
 thing. I could think up a dozen cyberwarfare scenarios in minutes that
 would cripple countries and businesses. I believe countries, providers
 and governments should at some point get the picture and perhaps create
 guidelines to curtail the potential for havoc - imagine hospitals being
 attacked and mission critical life saving technologies taken offline.



 The botnet still only serves as cover for this activity. It is a tool,
 like the rest, but not a primary weapon for use in active wide scale
 infrastructure dos. Taking out infrastructure on a wide scale using
 resource exhaustion requires too much resource.



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-25 Thread Thor (Hammer of God)
For the record, the original term O-Day was coined by a dyslexic
security engineer who listened to too much Harry Belafonte while working
all night on a drink of rum.  It's true.  Really.
 
t

 -Original Message-
 From: Roland Kuhn [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, September 25, 2007 10:58 AM
 To: Lamont Granquist
 Cc: Chad Perrin; Crispin Cowan; [EMAIL PROTECTED]; Gadi Evron; pdp
 (architect); [EMAIL PROTECTED]; full-
 [EMAIL PROTECTED]
 Subject: Re: 0day: PDF pwns Windows
 
 On 25 Sep 2007, at 00:57, Lamont Granquist wrote:
 
  The exploit is not made public by its use.  The exploit is not even
  made public by (back-channel) sharing amongst the hacker/cracker
  community. The exploit is only made public if detected or the
  vulnerability is disclosed.  Until detected/disclosed the hacker/
  cracker can use their 31337 0day spl01tz to break into whichever
  vulnerable machines they like. 0day exploits are valuable because
the
  opposition is ignorant of them.
 
  Posting exploits to BUGTRAQ, however, inherently makes them not
  0day...
 
 And my ignorant self thought until this thread that the 0 in the term
 referred to the number of days of head start granted to the vendor.
 Silly me. Because that would make all vulnerabilities published without
 prior warning to the vendor a 0day...
 
 Roland (who seems to remember that this was once the meaning of this
 term)



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-25 Thread Joey Mengele
That was a dumb fucking joke. Please end this thread.

J

On Tue, 25 Sep 2007 14:39:24 -0400 Thor (Hammer of God) 
[EMAIL PROTECTED] wrote:
For the record, the original term O-Day was coined by a dyslexic
security engineer who listened to too much Harry Belafonte while working
all night on a drink of rum.  It's true.  Really.
 
t

 -Original Message-
 From: Roland Kuhn [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, September 25, 2007 10:58 AM
 To: Lamont Granquist
 Cc: Chad Perrin; Crispin Cowan; [EMAIL PROTECTED]; Gadi Evron; pdp
 (architect); [EMAIL PROTECTED]; full-
 [EMAIL PROTECTED]
 Subject: Re: 0day: PDF pwns Windows
 
 On 25 Sep 2007, at 00:57, Lamont Granquist wrote:
 
  The exploit is not made public by its use.  The exploit is not even
  made public by (back-channel) sharing amongst the hacker/cracker
  community. The exploit is only made public if detected or the
  vulnerability is disclosed.  Until detected/disclosed the hacker/
  cracker can use their 31337 0day spl01tz to break into whichever
  vulnerable machines they like. 0day exploits are valuable because the
  opposition is ignorant of them.
 
  Posting exploits to BUGTRAQ, however, inherently makes them not
  0day...
 
 And my ignorant self thought until this thread that the 0 in the term
 referred to the number of days of head start granted to the vendor.
 Silly me. Because that would make all vulnerabilities published without
 prior warning to the vendor a 0day...
 
 Roland (who seems to remember that this was once the meaning of this
 term)



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-25 Thread Lawrence Paul MacIntyre
Daylight come and me wanna go home...

This one time, at band camp, Thor (Hammer of God) wrote:
 For the record, the original term O-Day was coined by a dyslexic
 security engineer who listened to too much Harry Belafonte while working
 all night on a drink of rum.  It's true.  Really.
  
 t

  -Original Message-
  From: Roland Kuhn [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, September 25, 2007 10:58 AM
  To: Lamont Granquist
  Cc: Chad Perrin; Crispin Cowan; [EMAIL PROTECTED]; Gadi Evron; pdp
  (architect); [EMAIL PROTECTED]; full-
  [EMAIL PROTECTED]
  Subject: Re: 0day: PDF pwns Windows

  On 25 Sep 2007, at 00:57, Lamont Granquist wrote:

   The exploit is not made public by its use.  The exploit is not even
   made public by (back-channel) sharing amongst the hacker/cracker
   community. The exploit is only made public if detected or the
   vulnerability is disclosed.  Until detected/disclosed the hacker/
   cracker can use their 31337 0day spl01tz to break into whichever
   vulnerable machines they like. 0day exploits are valuable because the
   opposition is ignorant of them.

   Posting exploits to BUGTRAQ, however, inherently makes them not
   0day...

  And my ignorant self thought until this thread that the 0 in the term
  referred to the number of days of head start granted to the vendor.
  Silly me. Because that would make all vulnerabilities published without
  prior warning to the vendor a 0day...

  Roland (who seems to remember that this was once the meaning of this
  term)


-- 
  Lawrence MacIntyre   865.574.8696   [EMAIL PROTECTED]
Oak Ridge National Laboratory
Cyber Security and Information Infrastructure Research Group

Protect your digital freedom and privacy, eliminate DRM.
Learn more at http://www.defectivebydesign.org/what_is_drm



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-23 Thread Crispin Cowan
[EMAIL PROTECTED] wrote:
 But then there is the important concept of the private 0day, a new
 vulnerability that a malicious person has but has not used yet.
 
 But the point is there is no such thing as a 0day *vulnerability; there's
 a 0day exploit, an exploit in the wild before the vulnerability is
 discovered.
   
An excellent point. Sorry I overlooked that. Exploit development today
is so fast that I tend to equate knowledge of a vulnerability with ...
and can have an exploit by tomorrow afternoon.

 Rather, I just treat 0day as a synonym for new vulnerability and
 don't give a hoot about the alleged intentions of whoever discovered it.
 What makes it an 0 day is that whoever is announcing it is first to
 announce it in public. You could only invalidate the 0day claim by
 showing that the same vulnerability had previously been disclosed by
 someone else.
 
 The point is that it is not supposed to be a moniker for vulnerabilities;
 it's a moniker for exploits.  In any other context it does not make sense.

 Specifically considering that 0-day exploit is the only definition which
 holds meaning with respect to a particular exploit over time.  An exploit
 which existed before the vulnerability was publicly known.
   
Yes, you are right. So 0day is a class of exploits. Specifically, it
is the class of exploits that are developed before the first available
patch for the vulnerability in question.

But that race condition of whether the patch or the exploit is partially
ordered, because they could be developed independently. There is the
special case where the person who first discovered the vulnerability
also develops either a patch or an exploit, in which case it is totally
ordered. But in the general case where one person discovers the
vulnerability, and two other people independently develop an exploit and
a patch, you can't tell who finished first. All you can do is detect who
published first.

So fair enough, an 0day exploit is one that appears in public before
the associated patch is published.

A private 0day exploit (the case I was concerned with) would be where
someone develops an exploit, but does not deploy or publish it, holding
it in reserve to attack others at the time of their choosing. Presumably
if such a person wanted to keep it for very long, they would have to
base it on a vulnerability that they themselves discovered, and did not
publish.

I continue to dismiss the requirement that an 0day be found maliciously
exploiting machines, because that requires inferring intent. IMHO, a POC
exploit first posted to Bugtraq ahead of the patch counts as an 0day
exploit, unless it has been so thoroughly obfuscated that the proof
part of proof of concept is itself BS.

Crispin

-- 
Crispin Cowan, Ph.D.   http://crispincowan.com/~crispin/
Director of Software Engineering   http://novell.com
AppArmor Chat: irc.oftc.net/#apparmor



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread pdp (architect)
back online - too many users ..

On 9/21/07, Rohit Srivastwa [EMAIL PROTECTED] wrote:
 And your website is down at this moment

 http://www.gnucitizen.org/   403
 http://www.gnucitizen.org/blog/   403
 http://www.gnucitizen.org/blog/0day-pdf-pwns-windows 404

 Is it a reverse attack by someone hurt :)

 --Through the Firewall,Out the Router,Down the T1,Across the Backbone,Bounced 
 from Satellite  Nothing but the Internet

 - Original Message 
 From: pdp (architect) [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
 Sent: Thursday, September 20, 2007 6:51:33 PM
 Subject: [Full-disclosure] 0day: PDF pwns Windows

 http://www.gnucitizen.org/blog/0day-pdf-pwns-windows

 I am closing the season with the following HIGH Risk vulnerability:
 Adobe Acrobat/Reader PDF documents can be used to compromise your
 Windows box. Completely!!! Invisibly and unwillingly!!! All it takes
 is to open a PDF document or stumble across a page which embeds one.

 The issue is quite critical given the fact that PDF documents are at
 the core of today's modern business. This, and the fact that it may
 take a while for Adobe to fix their closed source product, are the
 reasons why I am not going to publish any POCs. You have to take my
 word for it. The POCs will be released when an update is available.

 Adobe's representatives can contact me from the usual place. My advice
 for you is not to open any PDF files (locally or remotely). Other PDF
 viewers might be vulnerable too. The issue was verified on Windows XP
 SP2 with the latest Adobe Reader 8.1, although previous versions and
 other setups are also affected.

 A formal summary and conclusion of the GNUCITIZEN bug hunt to be expected 
 soon.

 cheers

 --
 pdp (architect) | petko d. petkov
 http://www.gnucitizen.org







 



-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Antivirus Taneja
Hi,

Too interesting and dangerous. Over the last couple of months there was PDF
spamming (stock information) all over the internet. I analyzed those PDFs and
didn't find any such thing. Did you check them? Are they related to any
vulnerability?

Regards,
Taneja Vikas
http://annysoft.wordpress.com


On 9/20/07, pdp (architect) [EMAIL PROTECTED] wrote:

  My upcoming research features everything regarding this and the issue you
  have
  already discussed.

 really :).. which one... the one from last year?

 On 9/20/07, Aditya K Sood [EMAIL PROTECTED] wrote:
  pdp (architect) wrote:
   http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
  
   I am closing the season with the following HIGH Risk vulnerability:
   Adobe Acrobat/Reader PDF documents can be used to compromise your
   Windows box. Completely!!! Invisibly and unwillingly!!! All it takes
   is to open a PDF document or stumble across a page which embeds one.
  
   The issue is quite critical given the fact that PDF documents are at
   the core of today's modern business. This, and the fact that it may
   take a while for Adobe to fix their closed source product, are the
   reasons why I am not going to publish any POCs. You have to take my
   word for it. The POCs will be released when an update is available.
  
   Adobe's representatives can contact me from the usual place. My advice
   for you is not to open any PDF files (locally or remotely). Other PDF
   viewers might be vulnerable too. The issue was verified on Windows XP
   SP2 with the latest Adobe Reader 8.1, although previous versions and
   other setups are also affected.
  
   A formal summary and conclusion of the GNUCITIZEN bug hunt to be
 expected soon.
  
   cheers
  
  
  Hi
 
  Your point is right. But there are a number of factors other than this
  in exploiting PDF, in another sense. My latest research is working on the
  exploitation of PDF.
 
  Even if you look at the core, there are no restrictions on READ in PDF
  in most of the versions. Only outbound data is filtered to some extent. You
  can even read the /etc/passwd file from inside a PDF.
 
  Other infection vectors include infection through Local Area Networks
  through sharing and printing PDF docs and all.
 
  My upcoming research features everything regarding this and the issue you
  have already discussed.
 
  Regards
  Aks
  http://ww.secniche.org
 
 
 


 --
 pdp (architect) | petko d. petkov
 http://www.gnucitizen.org


Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Steven Adair
Not in my book.  I guess the people on this list are working off too many
different definitions of 0day.  0day to me is something for which there is
no patch/update at the time of the exploit being coded/used.  So if I code
an exploit for IE right now and they don't patch it until April September
2008, it's a 0day exploit for a year.  It's not necessarily new and it
doesn't have to be used maliciously.

If I code an exploit (for which there is no patch) and use it on my own
servers, does that mean it's not 0day?  I don't think so.  If my WordPress
blog gets owned by pwnpress, that's not 0day.. there are patches/updates for
everything on there.  It just makes me an idiot for not upgrading.  Now if
I get hit with some WP exploit that's not patched, then that's another
[0-day] story.

Steven
securityzone.org

 Gadi Evron wrote:
 Impressive vulnerability, new. Not a 0day.

 Not to start an argument again, but fact is, people stop calling
 everything a 0day unless it is, say WMF, ANI, etc. exploited in the
 wild without being known.

 I don't like the mis-use of this buzzword.
 I respectfully disagree. By your definition, we have:

 * new vulnerability is just what it sounds like
 * 0day is a new vulnerability that comes to public attention
   because someone used it maliciously

 But then there is the important concept of the private 0day, a new
 vulnerability that a malicious person has but has not used yet.

 Does it really matter how the new vulnerability came to light? Do you
 really want to get into arguments about whether the person who
 discovered it was malicious? Especially for private 0days where the
 discoverer may be sitting on his discovery for some time, waiting for
 the highest bidder to buy his result. If he sells it to criminals, then
 it becomes an 0day, and if he sells it to a vulnerability marketing
 company, then it is something else.

 I don't like this chain of logic. Whether a new vulnerability is an 0day
 or not depends entirely too much on the disclosure process, with funky
 race conditions in there.

 Rather, I just treat 0day as a synonym for new vulnerability and
 don't give a hoot about the alleged intentions of whoever discovered it.
 What makes it an 0 day is that whoever is announcing it is first to
 announce it in public. You could only invalidate the 0day claim by
 showing that the same vulnerability had previously been disclosed by
 someone else.

 Crispin

 --
 Crispin Cowan, Ph.D.   http://crispincowan.com/~crispin/
 Director of Software Engineering   http://novell.com
   AppArmor Chat: irc.oftc.net/#apparmor




Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Casper . Dik

But then there is the important concept of the private 0day, a new
vulnerability that a malicious person has but has not used yet.

But the point is there is no such thing as a 0day *vulnerability; there's
a 0day exploit, an exploit in the wild before the vulnerability is
discovered.

By claiming all new vulnerabilities are 0day the term becomes completely
meaningless; by your reasoning there is no such thing as a non-0day
vulnerability; well, the next day it's no longer a 0day vulnerability but
the funny thing is that everybody keeps calling it that.

When a vulnerability is discovered you cannot be sure no-one found it
before; the only thing you can ever be sure of is whether at that point
an exploit was detected in the wild.


I don't like this chain of logic. Whether a new vulnerability is an 0day
or not depends entirely too much on the disclosure process, with funky
race conditions in there.

But by your reasoning *all* vulnerabilities are 0day at some point; or
is the only exception those found by the vendor itself?

Rather, I just treat 0day as a synonym for new vulnerability and
don't give a hoot about the alleged intentions of whoever discovered it.
What makes it an 0 day is that whoever is announcing it is first to
announce it in public. You could only invalidate the 0day claim by
showing that the same vulnerability had previously been disclosed by
someone else.


The point is that it is not supposed to be a moniker for vulnerabilities;
it's a moniker for exploits.  In any other context it does not make sense.

Specifically considering that 0-day exploit is the only definition which
holds meaning with respect to a particular exploit over time.  An exploit
which existed before the vulnerability was publicly known.

But a 0 day vulnerability is meaningless as a definition; it applies to
a vulnerability for exactly 24 hours and then is meaningless.  ALL 
vulnerabilities were discovered at some point and had their 24 hours of
0 day fame by your definition.  It just does not make sense.

Casper



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread J. Oquendo
[EMAIL PROTECTED] wrote:

 But a 0 day vulnerability is meaningless as a definition; it applies to
 a vulnerability for exactly 24 hours and then is meaningless.  ALL 
 vulnerabilities were discovered at some point and had their 24 hours of
 0 day fame by your definition.  It just does not make sense.
 
 Casper
 

Should we now create a new term for the industry, +0day or 1day? How
about nowaday?

-- 

J. Oquendo
Excusatio non petita, accusatio manifesta

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net




Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Thierry Zoller
Dear All,

pa http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
Is this the way responsible disclosure works these days ?
Adobe’s representatives can contact me from the usual place.

Wow, now that's coordinated release. Knowing the bugs that you found
previously it should take 10 minutes to rediscover this one. Which
makes this even worse.

-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Geo.
 pa http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
 Is this the way responsible disclosure works these days ?
 Adobe's representatives can contact me from the usual place.

 Wow, now that's coordinated release. Knowing the bugs that you found
 previously it should take 10 minutes to rediscover this one. Which
 makes this even worse.

I just saw his video showing the exploit firing up calculator, it looks
like the same stuff (feature/exploit call it what you want) that's been
around for years. See www.nthelp.com/test.pdf (warning, it won't damage
anything but it may scare you)

Geo.



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread h4h
Jeez, what a bunch of whiny pussies.

Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Tremaine Lea

That's been disclosed already, but thanks for your $0.02 USD ($0.02 CDN)

Cheers,

- ---
Tremaine Lea
Network Security Consultant
Intrepid ACL
Paranoia for hire



On 21-Sep-07, at 5:40 PM, h4h wrote:

 Jeez, what a bunch of whiny pussies.



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-20 Thread Aditya K Sood
pdp (architect) wrote:
 http://www.gnucitizen.org/blog/0day-pdf-pwns-windows

 I am closing the season with the following HIGH Risk vulnerability:
 Adobe Acrobat/Reader PDF documents can be used to compromise your
 Windows box. Completely!!! Invisibly and unwillingly!!! All it takes
 is to open a PDF document or stumble across a page which embeds one.

 The issue is quite critical given the fact that PDF documents are at
 the core of today's modern business. This, and the fact that it may
 take a while for Adobe to fix their closed source product, are the
 reasons why I am not going to publish any POCs. You have to take my
 word for it. The POCs will be released when an update is available.

 Adobe's representatives can contact me from the usual place. My advice
 for you is not to open any PDF files (locally or remotely). Other PDF
 viewers might be vulnerable too. The issue was verified on Windows XP
 SP2 with the latest Adobe Reader 8.1, although previous versions and
 other setups are also affected.

 A formal summary and conclusion of the GNUCITIZEN bug hunt to be expected 
 soon.

 cheers

   
Hi

Your point is right. But there are a number of factors other than this
in exploiting PDF, in another sense. My latest research is working on the
exploitation of PDF.

Even if you look at the core, there are no restrictions on READ in PDF
in most of the versions. Only outbound data is filtered to some extent. You
can even read the /etc/passwd file from inside a PDF.

Other infection vectors include infection through Local Area Networks
through sharing and printing PDF docs and all.

My upcoming research features everything regarding this and the issue you
have already discussed.

Regards
Aks
http://ww.secniche.org

 



[Full-disclosure] 0day: PDF pwns Windows

2007-09-20 Thread pdp (architect)
http://www.gnucitizen.org/blog/0day-pdf-pwns-windows

I am closing the season with the following HIGH Risk vulnerability:
Adobe Acrobat/Reader PDF documents can be used to compromise your
Windows box. Completely!!! Invisibly and unwillingly!!! All it takes
is to open a PDF document or stumble across a page which embeds one.

The issue is quite critical given the fact that PDF documents are in
the core of today's modern business. This and the fact that it may
take a while for Adobe to fix their closed source product, are the
reasons why I am not going to publish any POCs. You have to take my
word for it. The POCs will be released when an update is available.

Adobe's representatives can contact me from the usual place. My advice
for you is not to open any PDF files (locally or remotely). Other PDF
viewers might be vulnerable too. The issue was verified on Windows XP
SP2 with the latest Adobe Reader 8.1, although previous versions and
other setups are also affected.

A formal summary and conclusion of the GNUCITIZEN bug hunt is to be expected soon.

cheers

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

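The advice above is not to open any PDF at all. As an added example (not code from the thread, from GNUCITIZEN or from Adobe), here is a triage scanner in Python that reports whether a PDF carries active content before anyone opens it: it looks for the name tokens that introduce scripts and external actions, resolves the #xx hex escapes that PDF allows inside names (so /J#53 is seen as /JS), and inflates FlateDecode streams so keys kept inside compressed object streams are found as well. The key list is an illustrative selection and the three sample PDFs are constructed inline; a hit means the file has active content worth inspecting, not that it is malicious, since plenty of legitimate forms use JavaScript.

```python
import re
import zlib

# PDF name tokens that introduce scripting or an action reaching outside the
# document. /JS and /JavaScript carry scripts; /URI, /Launch, /GoToR and
# /SubmitForm open URLs, programs, other files or post form data; /OpenAction
# and /AA (additional actions) fire automatically on open, page view or form
# events. Illustrative selection, not an exhaustive list.
SUSPICIOUS_KEYS = (
    b"/JS", b"/JavaScript", b"/URI", b"/Launch", b"/GoToR",
    b"/SubmitForm", b"/OpenAction", b"/AA",
)

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _unescape_names(data: bytes) -> bytes:
    """Resolve #xx escapes so /J#53 reads as /JS. PDF lets any byte of a name
    be written this way, which defeats a naive grep for the literal '/JS'."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def _inflated_streams(data: bytes) -> bytes:
    """Concatenate the inflated body of every stream that is a complete zlib
    stream. Objects kept inside FlateDecode object streams never appear in the
    raw file bytes, so without this step their keys would go unseen."""
    parts = []
    for m in _STREAM.finditer(data):
        d = zlib.decompressobj()
        try:
            out = d.decompress(m.group(1))
        except zlib.error:
            continue  # not deflate data: image streams, other filters, ...
        if d.eof:  # complete stream; the EOL before 'endstream' is ignored
            parts.append(out)
    return b"\n".join(parts)


def scan_pdf(data: bytes) -> dict:
    """Return {name: count} for each suspicious name found in the raw bytes or
    in inflated streams. Empty means no active-content keys were seen; non-empty
    means the file deserves a look, not that it is malicious."""
    view = _unescape_names(data) + b"\n" + _unescape_names(_inflated_streams(data))
    hits = {}
    for key in SUSPICIOUS_KEYS:
        # Whole-token match, so /JS does not also match names such as /JSX.
        count = len(re.findall(re.escape(key) + rb"(?![A-Za-z0-9_])", view))
        if count:
            hits[key.decode()] = count
    return hits


# Constructed samples (not real exploit files). CLEAN_PDF is a one-page
# document with no actions. ACTIVE_PDF adds an /OpenAction that runs
# JavaScript, with the /JS key written as /J#53, and a link annotation with a
# /URI action; the script is a harmless app.alert().
CLEAN_PDF = (
    b"%PDF-1.3\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

ACTIVE_PDF = (
    b"%PDF-1.3\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
    b"4 0 obj << /S /JavaScript /J#53 (app.alert\\(\"hello\"\\);) >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link"
    b" /A << /S /URI /URI (http://example.invalid/) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def build_hidden_pdf() -> bytes:
    """Constructed sample in which the JavaScript action object exists only
    inside a FlateDecode stream, so the raw bytes never contain '/JS'."""
    action = b"<< /S /JavaScript /JS (app.alert(1);) >>"
    body = zlib.compress(action)
    return (
        CLEAN_PDF
        + b"4 0 obj << /Filter /FlateDecode /Length %d >>\nstream\n" % len(body)
        + body
        + b"\nendstream\nendobj\n"
    )


if __name__ == "__main__":
    for label, pdf in (("clean", CLEAN_PDF), ("active", ACTIVE_PDF),
                       ("hidden", build_hidden_pdf())):
        print(label, scan_pdf(pdf) or "no active-content keys")
```

Run it on a real file with scan_pdf(open(path, "rb").read()). It is a byte-level heuristic: it does not parse the object structure, sees through no filter other than FlateDecode, and does nothing for encrypted documents, so read a clean result as "nothing obvious" rather than "safe".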


Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-20 Thread Gadi Evron
Impressive vulnerability, new. Not a 0day.

Not to start an argument again, but the fact is, people, stop calling
everything a 0day unless it is, say, WMF, ANI, etc., exploited in the wild
without being known.

I don't like the misuse of this buzzword.

Gadi.


On Thu, 20 Sep 2007, pdp (architect) wrote:

> http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
>
> I am closing the season with the following HIGH Risk vulnerability:
> Adobe Acrobat/Reader PDF documents can be used to compromise your
> Windows box. Completely!!! Invisibly and unwillingly!!! All it takes
> is to open a PDF document or stumble across a page which embeds one.
>
> The issue is quite critical given the fact that PDF documents are in
> the core of today's modern business. This and the fact that it may
> take a while for Adobe to fix their closed source product, are the
> reasons why I am not going to publish any POCs. You have to take my
> word for it. The POCs will be released when an update is available.
>
> Adobe's representatives can contact me from the usual place. My advice
> for you is not to open any PDF files (locally or remotely). Other PDF
> viewers might be vulnerable too. The issue was verified on Windows XP
> SP2 with the latest Adobe Reader 8.1, although previous versions and
> other setups are also affected.
>
> A formal summary and conclusion of the GNUCITIZEN bug hunt is to be expected
> soon.
>
> cheers
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org




Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-20 Thread pdp (architect)
> My upcoming research features everything regarding this and the issue you
> have already discussed.

really :).. which one... the one from last year?

On 9/20/07, Aditya K Sood [EMAIL PROTECTED] wrote:
> pdp (architect) wrote:
>> http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
>>
>> I am closing the season with the following HIGH Risk vulnerability:
>> Adobe Acrobat/Reader PDF documents can be used to compromise your
>> Windows box. Completely!!! Invisibly and unwillingly!!! All it takes
>> is to open a PDF document or stumble across a page which embeds one.
>>
>> The issue is quite critical given the fact that PDF documents are in
>> the core of today's modern business. This and the fact that it may
>> take a while for Adobe to fix their closed source product, are the
>> reasons why I am not going to publish any POCs. You have to take my
>> word for it. The POCs will be released when an update is available.
>>
>> Adobe's representatives can contact me from the usual place. My advice
>> for you is not to open any PDF files (locally or remotely). Other PDF
>> viewers might be vulnerable too. The issue was verified on Windows XP
>> SP2 with the latest Adobe Reader 8.1, although previous versions and
>> other setups are also affected.
>>
>> A formal summary and conclusion of the GNUCITIZEN bug hunt is to be expected
>> soon.
>>
>> cheers
>
> Hi
>
> Your point is right. But there are a number of factors other than this
> in exploiting PDF in another sense. My latest research is working on the
> exploitation of PDF.
>
> Even if you look at the core, there are no restrictions on READ in PDF
> in most of the versions. Only outbound data is filtered to some extent. You
> can even read the /etc/passwd file from inside a PDF.
>
> Other infection vectors include infection through Local Area Networks
> through sharing and printing PDF docs and all.
>
> My upcoming research features everything regarding this and the issue you
> have already discussed.
>
> Regards
> Aks
> http://ww.secniche.org

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-20 Thread Joey Mengele
Dear Fatboy,

Let's put aside for a minute the fact that you have no idea what 
you are talking about and let's also, for the benefit of this very 
valuable debate, assume your definition is correct. First, please 
prove this bug was never used in the wild. After that, please prove 
your credibility in the realm of defining words related to illegal 
computer hacking. Thanks.

J

P.S. Talking about botnets doesn't count to satisfy part 1 OR part 2

___
If today I stand here as a revolutionary, it is as a revolutionary 
against the Revolution. 


On Thu, 20 Sep 2007 11:29:22 -0400 Gadi Evron [EMAIL PROTECTED] wrote:
> Impressive vulnerability, new. Not a 0day.
>
> Not to start an argument again, but the fact is, people, stop calling
> everything a 0day unless it is, say, WMF, ANI, etc., exploited in the wild
> without being known.
>
> I don't like the misuse of this buzzword.
>
> Gadi.
>
>
> On Thu, 20 Sep 2007, pdp (architect) wrote:
>
>> http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
>>
>> I am closing the season with the following HIGH Risk vulnerability:
>> Adobe Acrobat/Reader PDF documents can be used to compromise your
>> Windows box. Completely!!! Invisibly and unwillingly!!! All it takes
>> is to open a PDF document or stumble across a page which embeds one.
>>
>> The issue is quite critical given the fact that PDF documents are in
>> the core of today's modern business. This and the fact that it may
>> take a while for Adobe to fix their closed source product, are the
>> reasons why I am not going to publish any POCs. You have to take my
>> word for it. The POCs will be released when an update is available.
>>
>> Adobe's representatives can contact me from the usual place. My advice
>> for you is not to open any PDF files (locally or remotely). Other PDF
>> viewers might be vulnerable too. The issue was verified on Windows XP
>> SP2 with the latest Adobe Reader 8.1, although previous versions and
>> other setups are also affected.
>>
>> A formal summary and conclusion of the GNUCITIZEN bug hunt is to be
>> expected soon.
>>
>> cheers
>>
>> --
>> pdp (architect) | petko d. petkov
>> http://www.gnucitizen.org




Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-20 Thread Gadi Evron
On Thu, 20 Sep 2007, Joey Mengele wrote:
> Dear Fatboy,
>
> Let's put aside for a minute the fact that you have no idea what

You like people on the heavy side? Psst... call me.


> you are talking about and let's also, for the benefit of this very
> valuable debate, assume your definition is correct. First, please
> prove this bug was never used in the wild. After that, please prove
> your credibility in the realm of defining words related to illegal
> computer hacking. Thanks.
>
> J
>
> P.S. Talking about botnets doesn't count to satisfy part 1 OR part 2
>
> ___
> If today I stand here as a revolutionary, it is as a revolutionary
> against the Revolution.
>
>
> On Thu, 20 Sep 2007 11:29:22 -0400 Gadi Evron [EMAIL PROTECTED] wrote:
>> Impressive vulnerability, new. Not a 0day.
>>
>> Not to start an argument again, but the fact is, people, stop calling
>> everything a 0day unless it is, say, WMF, ANI, etc., exploited in the wild
>> without being known.
>>
>> I don't like the misuse of this buzzword.
>>
>> Gadi.
>>
>>
>> On Thu, 20 Sep 2007, pdp (architect) wrote:
>>
>>> http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
>>>
>>> I am closing the season with the following HIGH Risk vulnerability:
>>> Adobe Acrobat/Reader PDF documents can be used to compromise your
>>> Windows box. Completely!!! Invisibly and unwillingly!!! All it takes
>>> is to open a PDF document or stumble across a page which embeds one.
>>>
>>> The issue is quite critical given the fact that PDF documents are in
>>> the core of today's modern business. This and the fact that it may
>>> take a while for Adobe to fix their closed source product, are the
>>> reasons why I am not going to publish any POCs. You have to take my
>>> word for it. The POCs will be released when an update is available.
>>>
>>> Adobe's representatives can contact me from the usual place. My advice
>>> for you is not to open any PDF files (locally or remotely). Other PDF
>>> viewers might be vulnerable too. The issue was verified on Windows XP
>>> SP2 with the latest Adobe Reader 8.1, although previous versions and
>>> other setups are also affected.
>>>
>>> A formal summary and conclusion of the GNUCITIZEN bug hunt is to be
>>> expected soon.
>>>
>>> cheers
>>>
>>> --
>>> pdp (architect) | petko d. petkov
>>> http://www.gnucitizen.org



Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-20 Thread Crispin Cowan
Gadi Evron wrote:
> Impressive vulnerability, new. Not a 0day.
>
> Not to start an argument again, but the fact is, people, stop calling
> everything a 0day unless it is, say, WMF, ANI, etc., exploited in the
> wild without being known.
>
> I don't like the misuse of this buzzword.

I respectfully disagree. By your definition, we have:

* "new vulnerability" is just what it sounds like
* "0day" is a new vulnerability that comes to public attention
  because someone used it maliciously

But then there is the important concept of the "private 0day", a new
vulnerability that a malicious person has but has not used yet.

Does it really matter how the new vulnerability came to light? Do you
really want to get into arguments about whether the person who
discovered it was malicious? Especially for private 0days, where the
discoverer may be sitting on his discovery for some time, waiting for
the highest bidder to buy his result. If he sells it to criminals, then
it becomes an 0day, and if he sells it to a vulnerability marketing
company, then it is something else.

I don't like this chain of logic. Whether a new vulnerability is an 0day
or not depends entirely too much on the disclosure process, with funky
race conditions in there.

Rather, I just treat "0day" as a synonym for "new vulnerability" and
don't give a hoot about the alleged intentions of whoever discovered it.
What makes it an 0day is that whoever is announcing it is first to
announce it in public. You could only invalidate the 0day claim by
showing that the same vulnerability had previously been disclosed by
someone else.

Crispin

-- 
Crispin Cowan, Ph.D.   http://crispincowan.com/~crispin/
Director of Software Engineering   http://novell.com
AppArmor Chat: irc.oftc.net/#apparmor




Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-20 Thread coderman
On 9/20/07, Crispin Cowan [EMAIL PROTECTED] wrote:
> ...
> Rather, I just treat "0day" as a synonym for "new vulnerability"

0day is a perspective; if it came out of nowhere and pwnd your ass it is 0day.


[that is, where you are on that clunky chain of disclosure process you
describe...]
