Re: [Full-Disclosure] Odd Behavior - Windows Messenger Service

2003-07-17 Thread Neil McKellar
Please be patient with me while I work through this a bit.  I want to be
sure I understand.

In morning_wood's original post, he said:

> Windows® networking ( TCP) and messenger service are both initialized
> before any user/admin login has taken place, and are remotely
> accessible

He went on to describe getting some Messenger spam before he's even
logged in.  It's true that Messenger is a dog.  And in another message,
morning_wood says:

> my post is in regard of Windows Messenger being accessible without
> any interactive login to take place

Given what Messenger typically gets used for, I don't think that's a bad
question.

But then we get this, and morning_wood isn't the only one suggesting this:

> imho it is irresponsible default behavior for a workstation OS to
> allow remote resources / services / enumeration before any
> interactive user or administrative login.

So suppose.  You're on a local network with a central authentication
service of some kind.  Maybe it's a Windows domain controller, maybe
it's NIS+, maybe it's Kerberos.  Whatever.

Now, we've decided to follow your advice and *not* enable any remote
resources/services/enumeration before login.  Just to be clear, is there
a TCP stack yet or is this a 'resource' or 'service'?  How do I actually
*do* the login against the remote authentication service without
activating some kind of service before the login?

I'm also curious about what exactly we mean by 'workstation'?  If
'workstation' is a stand-alone computer and necessary peripherals (ie.
hard drive, monitor, etc.), then maybe for some value of "no services"
we can successfully get the user logged in.

If we also include diskless workstations or thin-clients that boot off
the network or terminal clients (X-terminals/Windows Terminal Server),
this becomes much harder.  These machines *need* to be running services
and network connected just to get booted up and display a login prompt.

I'm asking because I want to be clear about what morning_wood and others
are suggesting should be the default.  If I've misunderstood, please
explain yourselves.  I'm just going on what I see here.

If we're actually nitpicking about *which* services should be running,
then I think you're preaching to the choir here. :-)  Yes, a lot of
stuff gets turned on by default that *nobody* needs and certainly not on
a workstation.  True of a lot of Linuxes, Unixes, and Windows boxes.
--
Neil ([EMAIL PROTECTED])
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] RAV Antivirus : Buffer Overflow in Online Scanning ActiveX

2003-07-17 Thread Tri Huynh
RAV Online Scanning ActiveX Buffer Overflow
=

PROGRAM: RAV ONLINE SCANNING ACTIVEX
HOMEPAGE:  www.ravantivirus.com
VULNERABLE VERSIONS: Online Version Only


DESCRIPTION
=

RAV Online Scanning is a free antivirus scanner for internet users. It is
run in the user's browser as an ActiveX.

DETAILS
=

The ActiveX file called ravonline.dll has a function named browseForFolder()
that can be overflowed by passing a very long string as an argument. Since
the function browseForFolder() is imported from Shell32.dll, it looks like
the problem may lie in Shell32.dll and not in the ActiveX itself (I am
still working on that); however, users that use RAV Online Scanning are still
vulnerable to the overflow.

WORKAROUND
=

Delete the old ActiveX (ravonline.dll) in the "Downloaded Program Files" in
your Windows Directory. The vendor has already been notified, but there has
been no response yet.

CREDITS
=

Discovered by Tri Huynh from Sentry Union


DISCLAIMER
=

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.


FEEDBACK
=

Please send suggestions, updates, and comments to: [EMAIL PROTECTED]



[Full-Disclosure] Re: [0day] W-Nikto PHP FrontEnd

2003-07-17 Thread morning_wood
the satire is appreciated, the truest form of flattery.. thanks b0iler

donnie

- Original Message - 
From: "morning_wood Weinerzucker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, July 17, 2003 6:22 PM
Subject: [0day] W-Nikto PHP FrontEnd



Re: [Full-Disclosure] W-Nikto PHP FrontEnd [twice, YAY!!!]

2003-07-17 Thread morning_wood
b0iler... go away and find someone to pick on on IRC, as that is what you
enjoy most..

Donnie

- Original Message - 
From: "morning_wood Weinerzucker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 17, 2003 6:44 PM
Subject: [Full-Disclosure] W-Nikto PHP FrontEnd [twice, YAY!!!]



Re: [Full-Disclosure] W-Nikto PHP FrontEnd

2003-07-17 Thread morning_wood
the satire is appreciated, the truest form of flattery.. thanks b0iler

donnie

- Original Message - 
From: "morning_wood Weinerzucker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, July 17, 2003 6:22 PM
Subject: [Full-Disclosure] W-Nikto PHP FrontEnd



Re: [Full-Disclosure] Credit card numbers

2003-07-17 Thread Jeremiah Cornelius
On Thursday 17 July 2003 03:51 pm, gml wrote:
> My point being was that at a certain point regardless you realize hopefully
> as you grow up that carding is REALLY INCREDIBLY STUPID and often results
> in a serious prison sentence.

Not to mention the fact that it generally causes serious financial damage and 
distress to innocents.  This isn't page-defacement or software-license 
evasion.  Someone is actually harmed by these actions.

-- 
Jeremiah Cornelius, CISSP, CCNA, MCSE
Information Security Technology - farm9.com
email: [EMAIL PROTECTED] - mobile: 415.235.7689

"What would be the use of immortality to a person who cannot use well a half 
hour?"
--Ralph Waldo Emerson



[Full-Disclosure] W-Nikto PHP FrontEnd [twice, YAY!!!]

2003-07-17 Thread morning_wood Weinerzucker
I go start new mail list where we can all frolick with fake exploit and XSS! who wanna 
join?!! Now 0d4y


--
  - EXPL-A-2003-015 exploitlabs.com Advisory 016 [i dunno what these number 
mean]
--
 -= w-nikto phpFE =-


Donnie Weinerzucker
July 17, 2003
I release advisory of my own scripts! thats how l33t I am


Vunerability(s):

1. Remote Commands Execution
2. XSS Vulnerability
3. File PERmission issues
4. Bad Code & Credit Stealing


Product:

Wnikto32 PHP Remote Frontend 


http://exploitlabs.com/files/woods/wnikto32-phpfe.zip



Comments:
---
No Blame Me Because I Make Script. I not make nikto
not my fault, i just code bad frontend, blame nikto for
do nothing to protect againt my bad coding. 


almost like inf-scan.  no blame me for working on code 
and putting it out as mine then exploiting it, not my 
fault i can not code



Description of product:
---
"Wnikto32(vuln scanner i compiled, i l33t) with php remote frontend avail at
http://exploitlabs.com/files/woods/wnikto32-phpfe.zip
 Author: Donnie Werner

Requirements:
Webspace with PHP support.
have been developed over a Apache + PHP
platform running in Windows XP[me never used unix] and have not been fully tested
because I don't knwo how to code

ummm.. ok  hint: it runs on most anything with php installed



VUNERABILITY / EXPLOIT
==
Another very lame "scanner" frontend type of php script with many flaws...


1. REMOTE COMMAND EXECUTION in the execution of the w-nikto.exe, 
   the frontend passes all input unfiltered.

2. XSS Vunerabilities lay in everything that give output

"alert(document.domain);alert(document.cookie
);"

the JS code is rendered / executed in the the users browser.

3. No authentication at all done giving anyone remote command access

4. I can't code and only know XSS

5. I suck and should die



EXPLOIT CODE:
---
input | or ; surrounding most input

see, I know exploit is. you tell me i no know exploit, hah


Local:
--
everything remote is local!!!

Remote:
---
yup we got XSS and stuff via remote


Vendor Fix:
---
There is no fix on 0day because I don't know how to code(look
at what I call advisories, me code?! HAH)



Vendor Contact:
---
Yep, and he got mad and pissed his pants while crying for his mother


Credits:


Donnie Werner ([EMAIL PROTECTED])
5685 Eagle Pky #2
Ferndale, Wa 98248
360-312-8011 ~ call me if you want to talk about XSS

visit my sites!
exploitlabs.com (maybe some day i learn more than xss)
nothackers.org (the XSS 0y34r ph34r, "Freedom of voice" till you say something i no 
like)
and other lame sites that have nothing! 

Original advisory may be found at
http://exploitlabs.com/files/advisories/EXPL-A-2003-015-phpfe.txt



Goodbyes;

I only know XSS, thats why you can look at every script i review and find
alot more holes in them. I can scroll on IRC! I never seen a unix, i think it's
some kinda blackhat thing. I got exploit code! but only fake and exploit for my
own scripts I make. Maybe someone can e-mail me and tell me how to do dns because
I dont know how people can visit my site with www.! lately I complain because
nobody see that im "special"(i lub u mommy!) and servers should never start, I also 
release programs but I dont know how to code. Just call me the unpatched xp kid! 
I got hacked but i dont know yet... i got lots of porn e-mail me for trade. I got my 
chan all logged, ask for logs and you can see how i know nothing.


If anyone saw my post in the "Invaded by morons"  discussion, just ignore that
my comments of "And I think most of you may be in for a big supprise sometime 
in a few weeks from me im so incompitent.. sheesh", I also thought my lame
Zope information disclosure/xss was going to make me famous! Because I want to
speak at defcon on how im so elite at XSS that i release it 0d4y! WOOHOO FOR ME



Greets;

Project cOd,  Donnie Weiner, w00w00[u know aim technique, teech aim xss?]
badpack3t(i'm almost as lame as you! nice sploitz!), the cisco kyd, moot bailey,



0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 
   0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y
0d4y thinking caps on!

0D4Y EXPLOIT ON FULL DISCLOSURE ~ THEY MAIL YOU PASSWORD BACK IN CLEARTEXT
HAHAHAH HOW LAME THAT [EMAIL PROTECTED]@ HAHAHAHHA-ROFLMFAOHAHAHAHHAA


XSS THE PLANET!!  YEAHHH!!! LUCY!

   THE END

___
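
The post above lists three flaws in a PHP scanner front end: request input passed unfiltered to w-nikto.exe, output echoed without encoding, and no authentication. The PHP below is an added illustration of the hardened counterpart of each; it is not the wnikto32-phpfe source, which this page does not show. The scanner path, the "-h" target option, the token check and all function names are assumptions, and the sample inputs are constructed.

```php
<?php
// Added illustration, NOT the wnikto32-phpfe source. The scanner path,
// the "-h" option and every function name here are assumptions.
declare(strict_types=1);

const SCANNER = 'C:\\tools\\w-nikto.exe';   // hypothetical install path

// The flaw as the post describes it: request input is concatenated into a
// shell command line, so a metacharacter such as "|" or ";" ends the
// scanner's arguments and starts a second command.
function build_command_unsafe(string $host): string
{
    return SCANNER . ' -h ' . $host;
}

// Allow-list validation: RFC 1123 host name or dotted IPv4 address only.
// Whitespace, quotes and shell metacharacters fail, and so does a value
// that starts with "-" (which the scanner would read as an option).
function validate_host(string $host): ?string
{
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    $re = '/^(?=.{1,253}\z)' . $label . '(?:\.' . $label . ')*\z/i';
    return preg_match($re, $host) === 1 ? strtolower($host) : null;
}

// Build an argument vector rather than a command string.
function build_argv(string $host): ?array
{
    $valid = validate_host($host);
    return $valid === null ? null : [SCANNER, '-h', $valid];
}

// proc_open() with an array command (PHP >= 7.4) starts the program
// directly, with no shell to interpret the arguments.
function run_scan(array $argv): string
{
    $spec = [1 => ['pipe', 'w'], 2 => ['redirect', 1]];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start scanner');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out === false ? '' : $out;
}

// Constant-time comparison of a caller-supplied token against the
// configured one; an empty configured token never authorizes anyone.
function is_authorized(string $supplied, string $expected): bool
{
    return $expected !== '' && hash_equals($expected, $supplied);
}

// Everything that reaches the page is HTML-encoded, including the
// scanner's own output, which can carry markup sent by the scanned server.
function render_report(string $host, string $scanOutput): string
{
    $e = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h1>Scan of ' . $e($host) . "</h1>\n<pre>" . $e($scanOutput) . '</pre>';
}

// --- Demonstration on constructed inputs (the scanner is not executed) ---
$samples = [
    'www.example.com',
    '192.0.2.10',
    'example.com | dir',      // shell metacharacter
    '-output=x',              // option injection
    "example.com\n",          // trailing newline
];
foreach ($samples as $s) {
    $argv = build_argv($s);
    printf(
        "%-24s unsafe: %-44s safe: %s\n",
        json_encode($s),
        json_encode(build_command_unsafe($s)),
        $argv === null ? 'rejected' : json_encode($argv)
    );
}

var_dump(is_authorized('guess', 'constructed-demo-token'));   // wrong token
var_dump(is_authorized('', ''));                              // unset token

// Constructed scanner output containing markup from a scanned server.
echo render_report(
    'www.example.com',
    "+ Server: <script>alert(document.domain);</script>\n"
), "\n";
```

In a real handler, `run_scan()` would only be reached after `is_authorized()` and `build_argv()` have both succeeded, and its return value would go through `render_report()` before being sent.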

Re: [Full-Disclosure] Invaded by morons..

2003-07-17 Thread DStark

- Original Message -
From: "Dortmunder Lethman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 17, 2003 6:33 PM
Subject: [Full-Disclosure] Invaded by morons..

> Ever since Donnie Werner showed up all we see
> is Windows crap, and stupid xss tricks.
>
> We don't need 50 millions me-too posts about
> lame ie crashing.
>
> We don't need 50 millions slash-dot lamers
> flooding this list with crap.
>
> We don't need 50 millions whiners complaining
> about standart services that are in inherently
> insekure which is an oxymoronic position since
> windows is inherently insekure, and none of it
> is news to anyone with .01% kluon.


Not to mention the countless Millions that have taken the time to learn to
at least write in proper English. some of whom use windows and can throw out
moronic insults with less grammar mistakes than you apparently. =P

And just in case this isn't some joke, nazi n1x leetism is on the same level
as an aoler that knows l33t sp34k.

Anyways, back to lurking and seeing what's on slashdot this hour.

- d.






[Full-Disclosure] W-Nikto PHP FrontEnd

2003-07-17 Thread morning_wood Weinerzucker
I go start new mail list where we can all frolick with fake exploit and XSS! who wanna 
join?!! Now 0d4y


--
  - EXPL-A-2003-015 exploitlabs.com Advisory 016 [i dunno what these number 
mean]
--
 -= w-nikto phpFE =-


Donnie Weinerzucker
July 17, 2003
I release advisory of my own scripts! thats how l33t I am


Vunerability(s):

1. Remote Commands Execution
2. XSS Vulnerability
3. File PERmission issues
4. Bad Code & Credit Stealing


Product:

Wnikto32 PHP Remote Frontend 


http://exploitlabs.com/files/woods/wnikto32-phpfe.zip



Comments:
---
No Blame Me Because I Make Script. I not make nikto
not my fault, i just code bad frontend, blame nikto for
do nothing to protect againt my bad coding. 


almost like inf-scan.  no blame me for working on code 
and putting it out as mine then exploiting it, not my 
fault i can not code



Description of product:
---
"Wnikto32(vuln scanner i compiled, i l33t) with php remote frontend avail at
http://exploitlabs.com/files/woods/wnikto32-phpfe.zip
 Author: Donnie Werner

Requirements:
Webspace with PHP support.
have been developed over a Apache + PHP
platform running in Windows XP[me never used unix] and have not been fully tested
because I don't knwo how to code

ummm.. ok  hint: it runs on most anything with php installed



VUNERABILITY / EXPLOIT
==
Another very lame "scanner" frontend type of php script with many flaws...


1. REMOTE COMMAND EXECUTION in the execution of the w-nikto.exe, 
   the frontend passes all input unfiltered.

2. XSS Vunerabilities lay in everything that give output

"alert(document.domain);alert(document.cookie
);"

the JS code is rendered / executed in the the users browser.

3. No authentication at all done giving anyone remote command access

4. I can't code and only know XSS

5. I suck and should die



EXPLOIT CODE:
---
input | or ; surrounding most input

see, I know exploit is. you tell me i no know exploit, hah


Local:
--
everything remote is local!!!

Remote:
---
yup we got XSS and stuff via remote


Vendor Fix:
---
There is no fix on 0day because I don't know how to code(look
at what I call advisories, me code?! HAH)



Vendor Contact:
---
Yep, and he got mad and pissed his pants while crying for his mother


Credits:


Donnie Werner ([EMAIL PROTECTED])
5685 Eagle Pky #2
Ferndale, Wa 98248
360-312-8011 ~ call me if you want to talk about XSS

visit my sites!
exploitlabs.com (maybe some day i learn more than xss)
nothackers.org (the XSS 0y34r ph34r, "Freedom of voice" till you say something i no 
like)
and other lame sites that have nothing! 

Original advisory may be found at
http://exploitlabs.com/files/advisories/EXPL-A-2003-015-phpfe.txt



Goodbyes;

I only know XSS, thats why you can look at every script i review and find
alot more holes in them. I can scroll on IRC! I never seen a unix, i think it's
some kinda blackhat thing. I got exploit code! but only fake and exploit for my
own scripts I make. Maybe someone can e-mail me and tell me how to do dns because
I dont know how people can visit my site with www.! lately I complain because
nobody see that im "special"(i lub u mommy!) and servers should never start, I also 
release programs but I dont know how to code. Just call me the unpatched xp kid! 
I got hacked but i dont know yet... i got lots of porn e-mail me for trade. I got my 
chan all logged, ask for logs and you can see how i know nothing.


If anyone saw my post in the "Invaded by morons"  discussion, just ignore that
my comments of "And I think most of you may be in for a big supprise sometime 
in a few weeks from me im so incompitent.. sheesh", I also thought my lame
Zope information disclosure/xss was going to make me famous! Because I want to
speak at defcon on how im so elite at XSS that i release it 0d4y! WOOHOO FOR ME



Greets;

Project cOd,  Donnie Weiner, w00w00[u know aim technique, teech aim xss?]
badpack3t(i'm almost as lame as you! nice sploitz!), the cisco kyd, moot bailey,



0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 
   0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y 0D4Y
0d4y thinking caps on!

0D4Y EXPLOIT ON FULL DISCLOSURE ~ THEY MAIL YOU PASSWORD BACK IN CLEARTEXT
HAHAHAH HOW LAME THAT [EMAIL PROTECTED]@ HAHAHAHHA-ROFLMFAOHAHAHAHHAA


XSS THE PLANET!!  YEAHHH!!! LUCY!

   THE END

___

RE: [Full-Disclosure] Credit card numbers

2003-07-17 Thread gml
My point being was that at a certain point regardless you realize hopefully
as you grow up that carding is REALLY INCREDIBLY STUPID and often results in
a serious prison sentence.

-Original Message-
From: micah mcnelly [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 17, 2003 6:47 PM
To: gml; 'northern snowfall'; 'Nick Jacobsen'
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Credit card numbers

i used to card during high school all the time.

/m

- Original Message -
From: "gml" <[EMAIL PROTECTED]>
To: "'northern snowfall'" <[EMAIL PROTECTED]>; "'Nick Jacobsen'"
<[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, July 17, 2003 3:18 PM
Subject: RE: [Full-Disclosure] Credit card numbers


> Carding is for "hackers" who enjoy prison.  If you are considering illegal
> activity that involves theft or the possible involvement of the secret
> service, I suggest you first ask yourself whether or not you enjoyed high
> school cafeteria food and then imagine eating that for the next 20-30
> years.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of northern
> snowfall
> Sent: Thursday, July 17, 2003 6:59 PM
> To: Nick Jacobsen
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Credit card numbers
>
> >
> >
> >This is a professional list - would you go up to someone at a computer
> >security conference and tell em "oh yeah, I used to card during
> >highschool all the time"?
> >
> Oh grow up
>
> Don
>
> http://www.7f.no-ip.com/~north_
>
>




Re: [Full-Disclosure] Credit card numbers

2003-07-17 Thread Chris Watson
Good lord. Trashing 101. This is so 30 years ago. Why is this even on 
the list?

Chris Watson
Bestor G. Brown #433
Wichita, KS USA
M.M
AIM: BSDUNIX44



RE: [Full-Disclosure] Credit card numbers

2003-07-17 Thread gml
Well butt sex is one thing but I mean could you eat high school cafeteria
food every day for 20-30 years.  I know I can't.  Although I would certainly
enjoy the time alone in my cell far away from computing, security and
infosec mailing lists.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Phelps /
Dreamwright Studios
Sent: Thursday, July 17, 2003 7:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Credit card numbers

 

I would have mentioned the butt sex, but I guess the food is pretty bad too.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of gml
Sent: Thursday, July 17, 2003 6:18 PM
To: 'northern snowfall'; 'Nick Jacobsen'
Cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Credit card numbers

Carding is for "hackers" who enjoy prison.  If you are considering illegal
activity that involves theft or the possible involvement of the secret
service, I suggest you first ask yourself whether or not you enjoyed high
school cafeteria food and then imagine eating that for the next 20-30 years.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] credit card numbers

2003-07-17 Thread Justin Shin
carding is still very much the same as it was 10 years ago, before online shopping 
kicked off. basically it's a ring of losers who dig in the trash cans, use deceptive 
web pages (ie fake logins for paypal, ebay, etc.), steal numbers from cc vendors' 
databases, and then trade them off because they are too much of pussies to actually 
try to use any of them...

for example if you ever visit an irc carding room or a carding newsgroup it's all the 
same:

Thrash1: i have 10 gazillion ccs w/cvv2 and full info, selling for $25 each
Thrash2: huh, i dont understand. how do u use these credit cards online
Thrash3: newbie, get out, go screw yourself
Thrash2: whats cvv2

Although it can be a serious problem, carding remains largely the same deal as before. 
The best thing online vendors can do is to encrypt cc information as well as any 
accounts tied to those numbers (ie user/pass) in case another one of those 0day 
shopping cart sploits comes out. Another thing they can do is to delete cc info after 
"x" days or just not store it at all ... after all, doesn't that eliminate the problem 
altogether?

Also, sorry about the stupid vacation message. I got about 20 million emails that said 
something along the lines of:

>Its July, dipshit.

:)

-- Justin Shin

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Invaded by morons..

2003-07-17 Thread gml
Does Mac OS X count?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of northern
snowfall
Sent: Thursday, July 17, 2003 8:25 PM
To: Dortmunder Lethman
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Invaded by morons..

>
>
>I won't respond to anyone who didn't use unix
>to send mail to me.
>
Um, is amoeba or plan9 ok? :P

Don

http://www.7f.no-ip.com/~north_


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



Re: [Full-Disclosure] Invaded by morons..

2003-07-17 Thread micah mcnelly
c:\aux\aux.  

owned!

/m

- Original Message - 
From: "Dortmunder Lethman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 17, 2003 3:33 PM
Subject: [Full-Disclosure] Invaded by morons..


> 
> Ever since Donnie Werner showed up all we see
> is Windows crap, and stupid xss tricks.
> 
> We don't need 50 millions me-too posts about 
> lame ie crashing.
> 
> We don't need 50 millions slash-dot lamers
> flooding this list with crap.
> 
> We don't need 50 millions whiners complaining
> about standart services that are in inherently
> insekure which is an oxymoronic position since
> windows is inherently insekure, and none of it
> is news to anyone with .01% kluon.
> 
> For instance, no one even responded to *Hobbit*
> points about secure practices, and I bet not
> even 10% of you windows lamers even know who
> he is.
> 
> All you windows lamers join Werner's 0-day
> lamers list and the rest of us will be here,
> agreed?
> 
> I won't respond to anyone who didn't use unix
> to send mail to me.
> 
> Lethman returns, phear me.
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] OT: Ldreamer looking for old IRC friends

2003-07-17 Thread ldreamer
Hello, sorry to waste bandwidth but if anyone used to hang out on dalnet
during mid to late 90's who knew ldreamer please respond.
flames -> /dev/null

LDreamer


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Invaded by morons..

2003-07-17 Thread morning_wood
> For instance, no one even responded to *Hobbit*
> points about secure practices, and I bet not
> even 10% of you windows lamers even know who
> he is.
umm, you're quite obtuse, and his info didn't lead to questioning did it? It
was a statement that looked quite sound and logical and outside my scope at
the moment by choice. and if you mean..
"CIFS: Common Insecurities Fail Scrutiny" by Hobbit,
the original SMB hacker's technical reference

then yes I'm quite familiar with his work.

as for responding with *nix, sorry my son is home and i had to give him
back his ram for his 98se box, but would be more than happy to on monday,
wtdf do you just want to see everyone's mail daemon version or what, gimme a
break with the only thing i contribute are xss and other crap posts, sure i
haven't released any root compromises or a breaking of anyone's biggest OS
but at least i contribute with factual and relevant info, have you? And I
think most of you may be in for a big surprise sometime in a few weeks from
me im so incompetent.. sheesh

buh-bye,

w00d


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Odd Behavior - Windows Messenger Service

2003-07-17 Thread morning_wood

>I don't believe you will install RedHat 6.2 on the machine, go away for a
>coffee while letting it sit on a login screen and return and find it like
>it was :)
>
>Just my 2 euro cents ..
>
>Bojan Zdrnja

funny... my slackware box sits and sits until i actually log in.. no weird
crap when logging to find a remote access effect on any cli or WM... im
still not getting the point from 99.9% of the respondees here..  what is
your point again??

wood


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Invaded by morons..

2003-07-17 Thread northern snowfall


> I won't respond to anyone who didn't use unix
> to send mail to me.
Um, is amoeba or plan9 ok? :P

Don

http://www.7f.no-ip.com/~north_

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Credit card numbers

2003-07-17 Thread slugbait
On a related note, how do you get web vendors not to store your credit
card # on their hard disks longer than absolutely necessary?  I trust
(ssl data entry * number of orders) a lot more than a merchant's ability
to stay up to date on patches until my card expires.


Check out http://www.mbna.com and look for their "Shopsafe" service.  In 
short, you can generate temporary CC numbers that are linked to your 
real CC.  You can put limits on the temp numbers like a low limit, one 
time use and one-vendor use.  The last one rocks for "subscriptions" to 
websites ;)

It's not perfect, but it's better than nothing.

slugbait

(They should be paying me :P)

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Odd Behavior - Windows Messenger Service

2003-07-17 Thread Bojan Zdrnja
Well,

I don't actually see a point in this.
If a service like that starts before login that's fine - it's the design and
you have to live with it.
If the service bothers you, disable it.

As far as I know, safe practice should make you disable absolutely
everything you don't want or need *before* connecting the machine to the
Internet.

I don't believe you will install RedHat 6.2 on the machine, go away for a
coffee while letting it sit on a login screen and return and find it like it
was :)

Just my 2 euro cents ..

Bojan Zdrnja

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> morning_wood
> Sent: Thursday, 17 July 2003 3:53 p.m.
> To: Jay Sulzberger; [EMAIL PROTECTED]
> Cc: Jay Sulzberger
> Subject: Re: [Full-Disclosure] Odd Behavior - Windows 
> Messenger Service
> 
> 
> >
> > > The service starts before you login.
> > > This is normal behaviour.
> >
> > Perhaps.  But this behavior is not sane.
> >
> > > If this behavior is incorrigible by an ordinary sysadmin using the
> > > standard tools, then that alone disqualifies the OS for serious use,
> > > even were the code free.
> >
> > oo--JS.
> >
> >
> 
> omg.. thank you, thank you, thank you
> 
> 
> Donnie Werner
> http://nothackers.org
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Credit card numbers

2003-07-17 Thread Scott Phelps / Dreamwright Studios
 

I would have mentioned the butt sex, but I guess the food is pretty bad too.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of gml
Sent: Thursday, July 17, 2003 6:18 PM
To: 'northern snowfall'; 'Nick Jacobsen'
Cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Credit card numbers

Carding is for "hackers" who enjoy prison.  If you are considering illegal
activity that involves theft or the possible involvement of the secret
service, I suggest you first ask yourself whether or not you enjoyed high
school cafeteria food and then imagine eating that for the next 20-30 years.




Re: [Full-Disclosure] Invaded by morons..

2003-07-17 Thread bscabl


hmm 
windoze

- Original Message - 
From: "Dortmunder Lethman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 17, 2003 6:33 PM
Subject: [Full-Disclosure] Invaded by morons..


> 
> Ever since Donnie Werner showed up all we see
> is Windows crap, and stupid xss tricks.
> 
> We don't need 50 millions me-too posts about 
> lame ie crashing.
> 
> We don't need 50 millions slash-dot lamers
> flooding this list with crap.
> 
> We don't need 50 millions whiners complaining
> about standart services that are in inherently
> insekure which is an oxymoronic position since
> windows is inherently insekure, and none of it
> is news to anyone with .01% kluon.
> 
> For instance, no one even responded to *Hobbit*
> points about secure practices, and I bet not
> even 10% of you windows lamers even know who
> he is.
> 
> All you windows lamers join Werner's 0-day
> lamers list and the rest of us will be here,
> agreed?
> 
> I won't respond to anyone who didn't use unix
> to send mail to me.
> 
> Lethman returns, phear me.
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Credit card numbers

2003-07-17 Thread micah mcnelly
PRAISE THE LORD!

/m

robertson is a nutjob.

- Original Message -
From: "Knud Erik Højgaard" <[EMAIL PROTECTED]>
To: "Nick Jacobsen" <[EMAIL PROTECTED]>; "Kristian Hermansen"
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, July 17, 2003 3:15 PM
Subject: Re: [Full-Disclosure] Credit card numbers


> Nick Jacobsen wrote:
> > Perhaps it is just my imagination here, and I do realize this is an
> > unmoderated list, but this seems to be a more than unacceptable email.
> > This is a professional list - would you go up to someone at a computer
> > security conference and tell em "oh yeah, I used to card during
> > highschool all the time"?  My favorite phase is the "I don't exploit
> > this *ANYMORE*" (emphasis added)
>
> Bah, I used to shoplift for a living, I don't do it anymore.
> I believe god forgives sinners as long as they admit it.
> Occasionally I actually break in to other peoples computers.
> Boo-fucking-hoo.
> This list isn't
> corporate-whores-trying-to-gather-enough-strings-to-get-a-clue.
>
> --
> kokanin, speaker of truth, friend of jesus, son of God.
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Thanks for all the stupid windows tricks

2003-07-17 Thread Matthew Kent
And if I get much more of this uninteresting crap I'm going to
unsubscribe!

- matt (no relation :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matthew
McGehrin
Sent: Thursday, July 17, 2003 2:09 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Thanks for all the stupid windows tricks

I just wanted to thank everyone for all the stupid windows tricks I
learned today. Gee. I never thought Microsoft was so buggy.
 
If I hear another stupid windows bug I think I'm going to lose it.
 
-- Matthew
 


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Credit card numbers

2003-07-17 Thread micah mcnelly
i used to card during high school all the time.

/m

- Original Message -
From: "gml" <[EMAIL PROTECTED]>
To: "'northern snowfall'" <[EMAIL PROTECTED]>; "'Nick Jacobsen'"
<[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, July 17, 2003 3:18 PM
Subject: RE: [Full-Disclosure] Credit card numbers


> Carding is for "hackers" who enjoy prison.  If you are considering illegal
> activity that involves theft or the possible involvement of the secret
> service, I suggest you first ask yourself whether or not you enjoyed high
> school cafeteria food and then imagine eating that for the next 20-30
> years.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of northern
> snowfall
> Sent: Thursday, July 17, 2003 6:59 PM
> To: Nick Jacobsen
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Credit card numbers
>
> >
> >
> >This is a professional list - would you go up to someone at a computer
> >security conference and tell em "oh yeah, I used to card during
> >highschool all the time"?
> >
> Oh grow up
>
> Don
>
> http://www.7f.no-ip.com/~north_
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet

2003-07-17 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet

Revision 1.3


Last Updated 2003 July 17 at 23:00 UTC (GMT)

For Public Release 2003 July 17 at 6:10 UTC (GMT)
=

- --

Contents


Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: INTERIM
Distribution
Revision History
Cisco Security Procedures

- --

Summary
===

Cisco routers and switches running Cisco IOS® software and configured
to process Internet Protocol version 4 (IPv4) packets are vulnerable to
a Denial of Service (DoS) attack. A rare sequence of crafted IPv4
packets with specific protocol fields sent directly to the device may
cause the input interface to stop processing traffic once the input
queue is full. No authentication is required to process the inbound
packet. Processing of IPv4 packets is enabled by default. Devices
running only IP version 6 (IPv6) are not affected. A workaround is
available.

Cisco has made software available, free of charge, to correct the
problem.

This advisory is available at 
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml.

Affected Products
=

This issue affects all Cisco devices running Cisco IOS software and
configured to process Internet Protocol version 4 (IPv4) packets. Cisco
devices which do not run Cisco IOS software are not affected. Devices
which run only Internet Protocol version 6 (IPv6) are not affected.

Details
===

Cisco routers are configured to process and accept Internet Protocol
version 4 (IPv4) packets by default. A rare, specially crafted sequence
of IPv4 packets with protocol type 53 (SWIPE), 55 (IP Mobility), 77
(Sun ND), or 103 (Protocol Independent Multicast - PIM) which is
handled by the processor on a Cisco IOS device may force the device to
incorrectly flag the input queue on an interface as full, which will
cause the router to stop processing inbound traffic on that interface.
This can cause routing protocols to drop due to dead timers.

Interfaces which are explicitly configured to run PIM will not be
affected by traffic with protocol type 103. An interface with PIM
enabled will have one of the following three commands in the interface
configuration: ip pim dense-mode, ip pim sparse-mode, or ip pim
sparse-dense-mode.

On Ethernet interfaces, Address Resolution Protocol (ARP) times out
after a default time of four hours, and no traffic can be processed.
The device must be rebooted to clear the input queue on the interface,
and will not reload without user intervention. The attack may be
repeated on all interfaces causing the router to be remotely
inaccessible. A workaround is available, and is documented in the 
Workarounds section.

The following two Cisco vulnerabilities are documented in DDTS:
CSCea02355 (registered customers only) affects all Cisco routers
running Cisco IOS software. This documents the flaw with protocols 53,
55, and 77. CSCdz71127 (registered customers only) was introduced by
an earlier code revision, and documents an input queue vulnerability to
protocol 103 with a device which is not configured for PIM. Any version
of software which has the fix for CSCdx02283 (registered customers
only) is vulnerable.

Registered customers can find more details using the Bug Toolkit at
http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl
(registered customers only).

To identify a blocked input interface, use the show interfaces command
and look for the Input Queue line. If the current size (in this case,
76) is larger than the maximum size (75), the input queue is blocked.

Use the show buffers command and look for the prot field. Below are two
examples:

Router#show interface ethernet 0/0
Ethernet0/0 is up, line protocol is up  
  Hardware is AmdP2, address is 0050.500e.f1e0 (bia 0050.500e.f1e0)   
  Internet address is 172.16.1.9/24
  MTU 1500 bytes, BW 1 Kbit, DLY 1000 usec, rely 255/255, load 1/255
  Encapsulation ARPA, loopback not set, keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00  
  Last input 00:00:41, output 00:00:07, output hang never
  Last clearing of "show interface" counters 00:07:18
  Input queue: 76/75/1091/0 (size/max/drops/flushes); Total output drops: 0  
!--- The 76/75 shows that this is blocked

   

Router#show buffers input-interface serial 0/0
 Buffer information for Small buffer at 0x612EAF3C
 data_area 0x7896E84, refcount 1, next 0x0, flags 0x0
 linktype 7 (IP),
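
The input-queue check the advisory describes (current size larger than max on the Input queue line of show interfaces), as an added example that is not part of Cisco's advisory. The sample output is constructed from the excerpt above; the two Serial interfaces and the function names are assumptions made for illustration.

```python
import re

# Interface header, e.g. "Ethernet0/0 is up, line protocol is up".
# Detail lines are indented, so they never match at column 0.
IFACE_RE = re.compile(r"^(\S+) is .*line protocol is ")

# "Input queue: 76/75/1091/0 (size/max/drops/flushes)". The fourth
# counter is optional so a three-field size/max/drops line also parses.
QUEUE_RE = re.compile(r"Input queue:\s*(\d+)/(\d+)/(\d+)(?:/(\d+))?")

# Constructed sample: Ethernet0/0 mirrors the advisory's excerpt, the
# Serial interfaces are made up to show a healthy and a merely full queue.
SAMPLE = """\
Router#show interfaces
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0050.500e.f1e0 (bia 0050.500e.f1e0)
  Internet address is 172.16.1.9/24
  ARP type: ARPA, ARP Timeout 04:00:00
  Input queue: 76/75/1091/0 (size/max/drops/flushes); Total output drops: 0
Serial0/0 is up, line protocol is up
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Serial0/1 is administratively down, line protocol is down
  Input queue: 75/75/12/0 (size/max/drops/flushes); Total output drops: 0
"""


def parse_input_queues(text):
    """Return one record per interface that reports an input queue line."""
    queues = []
    iface = None
    for line in text.splitlines():
        header = IFACE_RE.match(line)
        if header:
            iface = header.group(1)
            continue
        counters = QUEUE_RE.search(line)
        if counters and iface is not None:
            size, maximum, drops = (int(counters.group(i)) for i in (1, 2, 3))
            queues.append({
                "interface": iface,
                "size": size,
                "max": maximum,
                "drops": drops,
                # Advisory's criterion: size strictly larger than max.
                "blocked": size > maximum,
            })
            iface = None  # only one input-queue line belongs to each interface
    return queues


def blocked_interfaces(text):
    """Names of interfaces whose input queue meets the blocked criterion."""
    return [q["interface"] for q in parse_input_queues(text) if q["blocked"]]


if __name__ == "__main__":
    for q in parse_input_queues(SAMPLE):
        state = "BLOCKED" if q["blocked"] else "ok"
        print(f'{q["interface"]:<12} {q["size"]}/{q["max"]} drops={q["drops"]} {state}')
```

A queue that is exactly full (75/75) is reported as ok here, because the advisory's stated condition is a size larger than the maximum.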

RE: [Full-Disclosure] Credit card numbers

2003-07-17 Thread gml
Also I'm really not entirely sure what's so professional about this list.
What deems a professional anyway?  I mean seriously, you stopped hacking and
got a job instead so now you're a professional?  You avoided prison until
the age of 18 and someone was foolish enough to pay you for your
"intellectual property" so now you are a professional?  Or maybe you have a
CISSP and you know absolutely everything and that makes you a professional.
Come on please.  Nothing is even remotely as black and white as it's made
out to be.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of gml
Sent: Thursday, July 17, 2003 6:18 PM
To: 'northern snowfall'; 'Nick Jacobsen'
Cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Credit card numbers

Carding is for "hackers" who enjoy prison.  If you are considering illegal
activity that involves theft or the possible involvement of the secret
service, I suggest you first ask yourself whether or not you enjoyed high
school cafeteria food and then imagine eating that for the next 20-30 years.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of northern
snowfall
Sent: Thursday, July 17, 2003 6:59 PM
To: Nick Jacobsen
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Credit card numbers

>
>
>This is a professional list - would you go up to someone at a computer
>security conference and tell em "oh yeah, I used to card during
>highschool all the time"?
>
Oh grow up

Don

http://www.7f.no-ip.com/~north_


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



[Full-Disclosure] Invaded by morons..

2003-07-17 Thread Dortmunder Lethman

Ever since Donnie Werner showed up all we see
is Windows crap, and stupid xss tricks.

We don't need 50 millions me-too posts about 
lame ie crashing.

We don't need 50 millions slash-dot lamers
flooding this list with crap.

We don't need 50 millions whiners complaining
about standart services that are in inherently
insekure which is an oxymoronic position since
windows is inherently insekure, and none of it
is news to anyone with .01% kluon.

For instance, no one even responded to *Hobbit*
points about secure practices, and I bet not
even 10% of you windows lamers even know who
he is.

All you windows lamers join Werner's 0-day
lamers list and the rest of us will be here,
agreed?

I won't respond to anyone who didn't use unix
to send mail to me.

Lethman returns, phear me.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Credit card numbers

2003-07-17 Thread gml
Carding is for "hackers" who enjoy prison.  If you are considering illegal
activity that involves theft or the possible involvement of the secret
service, I suggest you first ask yourself whether or not you enjoyed high
school cafeteria food and then imagine eating that for the next 20-30 years.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of northern
snowfall
Sent: Thursday, July 17, 2003 6:59 PM
To: Nick Jacobsen
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Credit card numbers

>
>
>This is a professional list - would you go up to someone at a computer
>security conference and tell em "oh yeah, I used to card during
>highschool all the time"?
>
Oh grow up

Don

http://www.7f.no-ip.com/~north_


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



Re: [Full-Disclosure] Credit card numbers

2003-07-17 Thread northern snowfall


> Carding is for "hackers" who enjoy prison.  If you are considering illegal
> activity that involves theft or the possible involvement of the secret
> service, I suggest you first ask yourself whether or not you enjoyed high
> school cafeteria food and then imagine eating that for the next 20-30 years.
The issue isn't about what people are about to do, but what people have 
done.
Everyone has made mistakes, that's just an inherent part of life. Learning
from the problems is the main issue. I've never carded, nor plan to, but
I'm not so foolish to think that I couldn't learn something about security
from someone who has had experience in that area. So, yes, grow up and
realize everyone has something to offer.

Don

http://www.7f.no-ip.com/~north_



___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Credit card numbers

2003-07-17 Thread northern snowfall


> This is a professional list - would you go up to someone at a computer
> security conference and tell em "oh yeah, I used to card during
> highschool all the time"?
Oh grow up

Don

http://www.7f.no-ip.com/~north_

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Odd Behavior - Windows Messenger Service

2003-07-17 Thread gregh

> - Original Message - 
> From: morning_wood 
> To: Jay Sulzberger ; Neil McKellar 
> Cc: [EMAIL PROTECTED] ; Jay Sulzberger 
> Sent: Friday, July 18, 2003 7:08 AM
> Subject: Re: [Full-Disclosure] Odd Behavior - Windows Messenger Service


> once again Jay, Bravo Bravo Bravo
> damn, you just may be the only one who gets the point of my post
> or do we need to wade through 20 more ppl telling me how to secure a system
> or how services act or initialize.
> ( and at that they have no concept of my particular topology..  and
> furthermore can only see fit to blast away completly missing the target and
> shooting themselves in the foot thats squarley stuck in thier mouths..
> hint: take off the white hat so you can see 2 feet beyond your certs and
> books)


Don't forget my post of last week. Microsoft don't quite AGREE that it should or 
shouldn't happen that the machine has contact with the network before the human is 
ready to do so but they DID agree to put in an option in the next SP/full Windows, 
that network connections do NOT happen until logon. In other words, this whole issue 
may become a moot point when that release happens.

Without assaulting people reading this - or even attempting to do so - with why I 
think they are wrong when they disagree this is a bad thing, I just have to remind the 
readers, here, that they restrict access to certain ports for certain users, watch out 
for trojans and spyware, worry about things such as keyloggers running through their 
work and home lans that may be watching the important and necessarily protected data 
on their lan clients. Why bother securing ANY data at all when a machine that may 
already be infected and attempting to mass infect the lan clients and/or contact 
internet before the user can properly use it may be completely stuffing your site 
and/or reporting sensitive data through the middle of your firewall? 

Greg.
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Credit card numbers

2003-07-17 Thread Knud Erik Højgaard
Nick Jacobsen wrote:
> Perhaps it is just my imagination here, and I do realize this is an
> unmoderated list, but this seems to be a more than unacceptable email.
> This is a professional list - would you go up to someone at a computer
> security conference and tell em "oh yeah, I used to card during
> highschool all the time"?  My favorite phase is the "I don't exploit
> this *ANYMORE*" (emphasis added)

Bah, I used to shoplift for a living, I don't do it anymore.
I believe god forgives sinners as long as they admit it.
Occasionally I actually break in to other peoples computers.
Boo-fucking-hoo.
This list isn't
corporate-whores-trying-to-gather-enough-strings-to-get-a-clue.

--
kokanin, speaker of truth, friend of jesus, son of God.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Odd Behavior - Windows Messenger Service

2003-07-17 Thread morning_wood
Dos 6.2 running win 3.1



- Original Message - 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 17, 2003 12:51 PM
Subject: RE: [Full-Disclosure] Odd Behavior - Windows Messenger Service


> Clearly, this thread is more odd than the behavior of the Windows
> Messenger service.
> 
> Jay, please let us know which OS's are qualified for "serious use"
> according to your standards. List some of these operating systems that
> don't run any network-enabled service in a default install.
> 
> -Jason
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jay
> Sulzberger
> Sent: Wednesday, July 16, 2003 5:34 PM
> To: [EMAIL PROTECTED]
> Cc: Jay Sulzberger
> Subject: Re: [Full-Disclosure] Odd Behavior - Windows Messenger Service
> 
> 
> 
> 
> On Wed, 16 Jul 2003, dos cerveza wrote:
> 
> > The service starts before you login.
> > This is normal behaviour.
> 
> Perhaps.  But this behavior is not sane.
> 
> If this behavior is incorrigible by an ordinary sysadmin using the
> standard tools, then that alone disqualifies the OS for serious use,
> even were the code free.
> 
> oo--JS.
> 
> 
> > Please read the previous replies you have recieved.
> >
> >
> > - Original Message -
> > From: "morning_wood" <[EMAIL PROTECTED]>
> > Date: Wed, 16 Jul 2003 13:11:46 -0700
> > To: "Martin" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> > Subject: Re: [Full-Disclosure] Odd Behavior - Windows Messenger
> Service
> >
> > > > I can confirm this behavior. This service is enabled on Windows
> 2000
> > > > and XP by default.
> > > > I noticed it on my sister's PC after she clicked away 3
> advertisement
> > > >pop-ups and growling at the PC. I think that the average user does
> > > >not know how to disable it.
> > > > (And btw: NO, the average MS-Windows user is NOT USING any
> firewalls.)
> > > >
> > >
> > >
> > > more to the point... THERE WAS NO LOGIN PERIOD
> > > this was a fresh install.. waiting at the login prompt.. the pop up
> was
> > > there before any user ( admin ) settings initialized or login took
> place.
> > > once again.. this is out of  the box install following all prompts,
> no
> > > sharing etc. ( only setting computer name and workgroup )reboot..
> sit at
> > > login prompt.. login.. pop up was waiting on an uninitialized
> desktop..
> > > this is my question / issue...   NOT my personal security or lack of
> > > knowlege about basic networking / security.
> > > disabling the service is easy, im reporting on default out of the
> box
> > > behavior, not how to get rid of it or protect myself.
> > > please all.. re-read my scenario...
> > >
> > > donnie
> > >
> > >
> > > ___
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> >
> > ___
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Odd Behavior - Windows Messenger Service

2003-07-17 Thread Jay Sulzberger


On Thu, 17 Jul 2003, morning_wood wrote:

> once again Jay, Bravo Bravo Bravo

Thanks, and I blush ;)

oo--JS.


> damn, you just may be the only one who gets the point of my post
> or do we need to wade through 20 more ppl telling me how to secure a system
> or how services act or initialize.
> ( and at that they have no concept of my particular topology..  and
> furthermore can only see fit to blast away completely missing the target and
> shooting themselves in the foot that's squarely stuck in their mouths..
> hint: take off the white hat so you can see 2 feet beyond your certs and
> books)
>
> > Out of the box, the default should be that no network services are started
> > at boot without human command transmitted via local hardware.  This may be
> > seen from even the first, even the most crude and blunt, cost benefit
> > analysis.
> >
> > oo--JS.
>
> Donnie Werner
> http://exploitlabs.com
>


[Full-Disclosure] Thanks for all the stupid windows tricks

2003-07-17 Thread Matthew McGehrin



I just wanted to thank every one for all the stupid windows tricks I
learned today. Gee. I never thought Microsoft was so buggy.

If I hear another stupid windows bug I think I'm going to lose it.
 
-- Matthew
 


Re: [Full-Disclosure] Odd Behavior - Windows Messenger Service

2003-07-17 Thread morning_wood
once again Jay, Bravo Bravo Bravo
damn, you just may be the only one who gets the point of my post
or do we need to wade through 20 more ppl telling me how to secure a system
or how services act or initialize.
( and at that they have no concept of my particular topology..  and
furthermore can only see fit to blast away completely missing the target and
shooting themselves in the foot that's squarely stuck in their mouths..
hint: take off the white hat so you can see 2 feet beyond your certs and
books)

> Out of the box, the default should be that no network services are started
> at boot without human command transmitted via local hardware.  This may be
> seen from even the first, even the most crude and blunt, cost benefit
> analysis.
>
> oo--JS.

Donnie Werner
http://exploitlabs.com


Re: [Full-Disclosure] Does your IE6 crash with these "URLs"?

2003-07-17 Thread morning_wood
nop, but this dont look good http://62.131.200.99/BadLittleGirl/index.php

> Both local and remote.
> Remote tests:
> http://62.131.200.99/eastwood/browser/crashing.htm (body onload)
> http://62.131.200.99/eastwood/browser/crashed.htm(meta refresh)
> 



Re: [Full-Disclosure] Does your IE6 crash with these "URLs"?

2003-07-17 Thread Oliver Beck
On 17 Jul 2003 17:57:16 +0200
Martin <[EMAIL PROTECTED]> wrote:

> I have a question. I would like to know, if you can also crash 
> IE6, when typing the following "URL":
> 
> ftp*://?
> 
> I have also tried from HTML like this:
> 
> [snipped]

confirmed under Windows2000 Build 2195 and IE 6.0.2600. running in
VMWare 4.


MfG Oliver Beck

-- 
 /"\  -ASCII-Ribbon-Campaign-  |
 \ /  Against HTML Mail        | -Linux on an VIA EPIA-M9000-
  X   Against nontext          | http://epia.std-err.de
 / \  attachments              | (german only)


Re: [Full-Disclosure] Does your IE6 crash with these "URLs"?

2003-07-17 Thread Spiro Trikaliotis
Hello,

On Thu, Jul 17, 2003 at 11:39:39AM -0500, Nik Reiman wrote:
> -Not- confirmed with IE Version 6.0.2800.1106.xpsp2.030422-1633 on XP 
> build 2600.xpsp2.030422-1633, Service Pack 1.  Throws the error message 
> "Server Name or Address can't be resolved."

Well, it depends... ;-)

-Not- confirmed if logged in as "main user". IE6 tells me that it is not 
possible to access this folder, and I'd have to check that the file name 
(sic!) is correct and I have the needed rights.

Furthermore, the URL is rewritten to ftp://ftp*/

I have the same build number for IE and XP as you, together with 
  SP1; Q324929; Q810847; Q813951; Q813489; Q330994; Q818529


Anyway, if I'm logged in as administrator, IE6 crashes (doesn't respond 
anymore).

Spiro.


RE: [Full-Disclosure] Credit card numbers

2003-07-17 Thread Nick Jacobsen
Perhaps it is just my imagination here, and I do realize this is an
unmoderated list, but this seems to be a more than unacceptable email.
This is a professional list - would you go up to someone at a computer
security conference and tell em "oh yeah, I used to card during
high school all the time"?  My favorite phrase is the "I don't exploit
this *ANYMORE*" (emphasis added)
 
Nick Jacobsen
[EMAIL PROTECTED]  
 

-Original Message- 
From: Kristian Hermansen 
Sent: Thu 7/17/2003 12:43 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: Re: [Full-Disclosure] Credit card numbers


There are many companies that still leave the full numbers on
their receipts.  I am going to give away a pretty big secret right now.
If you have ever eaten at the "99 Restaurant" you will notice that they
have the MOST sensitive information out of any company I have ever used
my credit card at.  Here's a list of what is on the receipt:
 
1) Full CC# - nothing blanked out
2) Full Name - just as it appears on the card
3) Expiration date
4) Customer signature (if they signed their copy)
 
Now here's how to easily get them.  When I was in high school I
used to go there late on Friday and Saturday nights and snag all the
receipts out of the "conveniently placed" trash receptacle right outside
the front door.  Friday and Saturday nights are the best because they
usually have the most customers (at the bar, drunk people, etc...)
Anyway, I have kept this pretty much a secret for a long time now and
since we are on the topic and I don't exploit this anymore I figured I
should make it public.  There is even a way to get the CVV2 numbers from
the back of the cards, but I will NOT tell you how to do that!  If you
check out the restaurant, I'm sure you will figure out how I got the
CVV2 numbers as well.  AND DON'T F**KING EMAIL ASKING HOW TO DO IT!!!
 
Peace out...
 
Kris

Re: [Full-Disclosure] Credit card numbers

2003-07-17 Thread Knud Erik Højgaard
Myers, Marvin wrote:
> Maybe it is only me, but does anyone else notice a big jump in the
> number of merchants that are printing the entire credit card number
> and expiration date on receipts?

In Denmark they  out 4 ciphers, but sadly the position of them
alternate(jeez).
No expiry date on the receipt, but VISA has limited lifetime, so <50 tries
should do it.

--
kokanin



RE: [Full-Disclosure] Odd Behavior - Windows Messenger Service

2003-07-17 Thread ops-lists
Clearly, this thread is more odd than the behavior of the Windows
Messenger service.

Jay, please let us know which OS's are qualified for "serious use"
according to your standards. List some of these operating systems that
don't run any network-enabled service in a default install.

-Jason

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jay
Sulzberger
Sent: Wednesday, July 16, 2003 5:34 PM
To: [EMAIL PROTECTED]
Cc: Jay Sulzberger
Subject: Re: [Full-Disclosure] Odd Behavior - Windows Messenger Service




On Wed, 16 Jul 2003, dos cerveza wrote:

> The service starts before you login.
> This is normal behaviour.

Perhaps.  But this behavior is not sane.

If this behavior is incorrigible by an ordinary sysadmin using the standard
tools, then that alone disqualifies the OS for serious use, even were the
code free.

oo--JS.


> Please read the previous replies you have received.
>
>
> - Original Message -
> From: "morning_wood" <[EMAIL PROTECTED]>
> Date: Wed, 16 Jul 2003 13:11:46 -0700
> To: "Martin" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> Subject: Re: [Full-Disclosure] Odd Behavior - Windows Messenger Service
>
> > > I can confirm this behavior. This service is enabled on Windows 2000
> > > and XP by default.
> > > I noticed it on my sister's PC after she clicked away 3 advertisement
> > > pop-ups and growling at the PC. I think that the average user does
> > > not know how to disable it.
> > > (And btw: NO, the average MS-Windows user is NOT USING any firewalls.)
> > >
> >
> >
> > more to the point... THERE WAS NO LOGIN PERIOD
> > this was a fresh install.. waiting at the login prompt.. the pop up was
> > there before any user ( admin ) settings initialized or login took place.
> > once again.. this is out of  the box install following all prompts, no
> > sharing etc. ( only setting computer name and workgroup )reboot.. sit at
> > login prompt.. login.. pop up was waiting on an uninitialized desktop..
> > this is my question / issue...   NOT my personal security or lack of
> > knowledge about basic networking / security.
> > disabling the service is easy, I'm reporting on default out of the box
> > behavior, not how to get rid of it or protect myself.
> > please all.. re-read my scenario...
> >
> > donnie
> >
> >


Re: [Full-Disclosure] Credit card numbers

2003-07-17 Thread christopher neitzert
On Thu, 2003-07-17 at 14:57, Dan Stromberg wrote:
> On Thu, 2003-07-17 at 10:49, Myers, Marvin wrote:
> > Maybe it is only me, but does anyone else notice a big jump in the
> > number of merchants that are printing the entire credit card number
> > and expiration date on receipts?
> Shredders are your friends.  But don't let that stop you from
> complaining to the merchant in question.  Don't behead the person behind
> the counter - but maybe ask them to relay a message to their manager.

I've seen this quite a bit up here in Reno. Yet up here we have no
anti-identity theft, let alone other information security legislation.
 
My solution is to cross out with a pen all but the last 4 digits and the
expiry date on BOTH copies of the receipt. This has infuriated a few
local vendors, though it seems that most are easily educated on the
liability it poses.

chris

-- 
Christopher Neitzert http://www.neitzert.com/~chris
chris(at)neitzertcom - GPG Key ID: 7DCC491B





Re: [Full-Disclosure] Does your IE6 crash with these "URLs"?

2003-07-17 Thread dos cerveza
The first confirmed.
The html does not crash my IE.
The META REFRESH did.
And also a body onload= crashed it.
Both local and remote.
Remote tests:
http://62.131.200.99/eastwood/browser/crashing.htm (body onload)
http://62.131.200.99/eastwood/browser/crashed.htm(meta refresh)

IE version: 6.0.2800.1106
Win2K SP4 
 > I have a question. I would like to know, if you can also crash 
 > IE6, when typing the following "URL":
 > 
 > ftp*://?
 > 
 > I have also tried from HTML like this:
 > 
 > 
 > 
 > 
 > window.open("ftp://ftp*://?";);
 > 
 > 
 > 
 > 
 > I could crash IE about a year ago with the first "URL" above 



Re: [Full-Disclosure] Odd Behavior - Windows Messenger Service

2003-07-17 Thread Jay Sulzberger


On Thu, 17 Jul 2003, Neil McKellar wrote:

> Schmehl, Paul L wrote:
> > But, back to your original complaint, which was that remote services
> > should not be available until you login to the console.  I'm willing
> > to bet that *many* people who use *nix as a workstation, *even at home*,
> > allow *at least* ssh sessions remotely.  And there are KaZaA lovers
> > worldwide who are offering remote access to files, on numerous OSes,
> > even when they're not at home and logged in.
>
> I was wondering about this as well.  Even if you don't run a local FTP,
> HTTP, NFS, SMB, SSH, or other service on your local Linux workstation,
> you're guaranteed to be bringing up parts of the system to talk to the
> network during the boot process.  Chances are you're broadcasting for
> DHCP.  If you're a thin-client, you may be asking for tftp or bootp even
> before that.  If you're running a virus scanner, it may be starting in
> the background, downloading updates automatically from a central server
> and scanning files.  If you've got NIS, ADS, or Kerberos or something
> running, you may be hooking into local authentication systems.  These
> things are all true for Windows workstations and Mac workstations, too.
>
> All these things require network connectivity, imply levels of trust
> with services inside the local network, and may be vulnerable to
> spoofing locally.  Even the order in which these things become available
> may result in greater or lesser exposure.
>
> You don't want your workstations talking to the network or running local
> services with network connectivity before the user logs in?  Well, when
> is it renewing the DHCP lease?  How are you remotely pushing software
> updates or virus updates to those 1,000+ users?  How are you remotely
> administering the workstation at all?  How are you running backups over
> the network, if you need to do such things?
>
> If you need complete lockdown on all these things, then this is no
> normal workstation and shouldn't be treated as such.  Don't be surprised
> if the default install isn't fulfilling your needs.
> --
> Neil ([EMAIL PROTECTED])

Out of the box, the default should be that no network services are started
at boot without human command transmitted via local hardware.  This may be
seen from even the first, even the most crude and blunt, cost benefit
analysis.

oo--JS.


Re: [Full-Disclosure] Does your IE6 crash with these "URLs"?

2003-07-17 Thread Magnus Bodin
On Thu, Jul 17, 2003 at 11:06:30AM -0700, Troy wrote:
> 
> ftp://ftp*://?";>
> 
> 
> Fortunately, OE isn't stupid enough to launch the URL automatically if I
> open an HTML message with that source, but I wonder about other
> HTML-capable news readers.

My guess: Put it in an  and you'll see.

/magnus

-- 
http://x42.com


Re: [Full-Disclosure] Odd Behavior - Windows Messenger Service

2003-07-17 Thread Ron DuFresne

[SNIP]

>
> I was wondering about this as well.  Even if you don't run a local FTP,
> HTTP, NFS, SMB, SSH, or other service on your local Linux workstation,
> you're guaranteed to be bringing up parts of the system to talk to the
> network during the boot process.  Chances are you're broadcasting for
> DHCP.  If you're a thin-client, you may be asking for tftp or bootp even
> before that.  If you're running a virus scanner, it may be starting in
> the background, downloading updates automatically from a central server
> and scanning files.  If you've got NIS, ADS, or Kerberos or something
> running, you may be hooking into local authentication systems.  These
> things are all true for Windows workstations and Mac workstations, too.
>

All the more reason to configure such protocols properly and securely;

bind them to the proper NIC:ports, and do not allow them to bind
to all NICs

for those nasty protocols and such that defy configuration
directly, make sure they are secured by other means, say a
firewall or personal desktop firewall at the least, to limit
exposure to something other than the open internet.

Enforcing parameters upon the less than nice protocols merely requires a
tool outside the specific protocol itself.  Many home users, being on
dialups still, do not have as much 'startup' exposure, and those with
DSL/cable modem access, would do well to firewall those 'NICS', as well as
rotate them to start after such services as the firewall/IDS etc...

But, it seems this will be rehashed for another week since we're stating
nothing that has not been stated by at least 20 others already and some
refuse to ingest.

Thanks,

Ron DuFresne
~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
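
The advice in the message above (bind each service to a specific NIC:port, firewall what cannot be configured) starts with knowing which listeners are bound to every interface. The following is an added example, not part of the original post: it audits a `netstat -an` capture in the Windows column layout. The sample capture is constructed, and the function names and the empty allowlist are assumptions.

```python
"""Flag listening sockets that are bound to every interface (added example)."""
import ipaddress
from typing import NamedTuple

# Constructed sample in the Windows `netstat -an` layout; not from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1040      10.0.0.5:80            ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:135            *:*
  UDP    192.168.1.10:137       *:*
"""


class Listener(NamedTuple):
    proto: str
    address: str
    port: int


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port'; ValueError if not numeric."""
    addr, _, port = endpoint.rpartition(":")
    addr = addr.strip("[]")
    ipaddress.ip_address(addr)  # rejects host names and garbage
    return addr, int(port)


def parse_listeners(netstat_text):
    """Return the sockets that accept unsolicited traffic.

    TCP rows count only in state LISTENING. UDP rows have no state column,
    so a UDP row with the wildcard peer '*:*' is treated as a listener.
    """
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # title, column header or blank line
        proto, local, foreign = fields[0], fields[1], fields[2]
        state = fields[3] if len(fields) > 3 else ""
        if proto == "TCP" and state != "LISTENING":
            continue
        if proto == "UDP" and foreign != "*:*":
            continue
        try:
            addr, port = split_endpoint(local)
        except ValueError:
            continue  # malformed row: skip rather than guess
        listeners.append(Listener(proto, addr, port))
    return listeners


def scope(listener):
    """Classify the bind address as 'all', 'loopback' or 'single'."""
    ip = ipaddress.ip_address(listener.address)
    if ip.is_unspecified:  # 0.0.0.0 or ::, i.e. every interface
        return "all"
    if ip.is_loopback:
        return "loopback"
    return "single"


def audit(netstat_text, allowed_everywhere):
    """Listeners bound to all interfaces that the allowlist does not cover."""
    return [
        item for item in parse_listeners(netstat_text)
        if scope(item) == "all"
        and (item.proto, item.port) not in allowed_everywhere
    ]


if __name__ == "__main__":
    # Hypothetical policy: nothing may listen on every interface.
    for finding in audit(SAMPLE_NETSTAT, allowed_everywhere=set()):
        print(f"{finding.proto}/{finding.port} bound to all interfaces "
              f"({finding.address}): bind it to one NIC or firewall it")
```

Each finding is a candidate for rebinding to one interface or for a host firewall rule; listeners bound to loopback or to a single address are left out of the report.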



[Full-Disclosure] RE: Does your IE6 crash with these "URLs"?

2003-07-17 Thread Bryan Loveless

Nope, my machine just says that it is unavailable.
--bryan

"Using Microsoft products is like holding a wolf by its ears,
we don't like it, but we don't dare let go."   -BL
-
Bryan Loveless
Microsoft Certified Systems Administrator
Northern Arizona University

_-original message-
Message: 20
From: Martin <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: 17 Jul 2003 17:57:16 +0200
Subject: [Full-Disclosure] Does your IE6 crash with these "URLs"?

Hi,

I have a question. I would like to know, if you can also crash 
IE6, when typing the following "URL":

ftp*://?

I have also tried from HTML like this:




window.open("ftp://ftp*://?";);




I could crash IE about a year ago with the first "URL" above 
and I've sent already various crash reports to Microsoft a 
long time ago. There was no reaction.

That's why I just want to ask if someone can check this for me. 
Maybe only my 3 PCs are weird.

Thanks,
Martin






Re: [Full-Disclosure] Does your IE6 crash with these "URLs"?

2003-07-17 Thread Doug Stewart
Happens on Win98 se and IE 5.50.4807.2300

-- 
Doug Stewart





Quoting Martin <[EMAIL PROTECTED]>:

 
 OK, thank you all. It looks like only W2k is affected. I could
 swear I found it on XP.
 
 I know it's not a security issue. It's only that noone answered to
 me in other forums.
 
 Btw, it was a kind of game. "How many attempts do I need to crash
 IE?". I needed about 50-100 (don't remember the exact number, it was
 really a year ago). You should try it, too. ;)
 
 Martin
 
 


Re: [Full-Disclosure] Credit card numbers

2003-07-17 Thread Kristian Hermansen



There are many companies that still leave the full 
numbers on their receipts.  I am going to give away a pretty big secret 
right now.  If you have ever eaten at the "99 Restaurant" you will notice 
that they have the MOST sensitive information out of any company I have ever 
used my credit card at.  Here's a list of what is on the 
receipt:
 
1) Full CC# - nothing blanked out
2) Full Name - just as it appears on the card
3) Expiration date
4) Customer signature (if they signed their copy)
 
Now here's how to easily get them.  When I was 
in high school I used to go there late on Friday and Saturday nights and snag 
all the receipts out of the "conveniently placed" trash receptacle right outside 
the front door.  Friday and Saturday nights are the best because they 
usually have the most customers (at the bar, drunk people, etc...)  Anyway, 
I have kept this pretty much a secret for a long time now and since we are on 
the topic and I don't exploit this anymore I figured I should make it 
public.  There is even a way to get the CVV2 numbers from the back of the 
cards, but I will NOT tell you how to do that!  If you check out the 
restaurant, I'm sure you will figure out how I got the CVV2 numbers as 
well.  AND DON'T F**KING EMAIL ASKING HOW TO DO IT!!!
 
Peace out...
 
Kris


Re: [Full-Disclosure] Does your IE6 crash with these "URLs"?

2003-07-17 Thread morning_wood
> I have a question. I would like to know, if you can also crash 
> IE6, when typing the following "URL":
> 
> ftp*://?
> 
> I have also tried from HTML like this:
> 
> 
> 
> 
> window.open("ftp://ftp*://?";);
> 
> 
> 
> 
> I could crash IE about a year ago with the first "URL" above 


unconfirmed XPpro / Ie 6 ( 6.0.2600..xpclient.010817-1148 )

morning_wood
http://exploitlabs.com 




RE: [Full-Disclosure] Credit card numbers

2003-07-17 Thread Michele Chubirka



This is or will soon be illegal in California. Part of the anti-identity
theft legislation movement there. They will also be requiring the ability
to attach PINs to credit reports. They will be requiring that all merchants
use credit card systems which do NOT print the full credit card number and/or
expiration date.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myers, Marvin
Sent: Thursday, July 17, 2003 1:49 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Credit card numbers

Maybe it is only me, but does anyone else notice a big jump in the number of
merchants that are printing the entire credit card number and expiration date
on receipts?

Over the past 6 months I have had to educate about a dozen local merchants
about the possible abuse scenarios that exist with this type of information
leakage. If there is not already some sort of law governing this policy,
there should be.

Marvin R. Myers


Re: [Full-Disclosure] Odd Behavior - Windows Messenger Service

2003-07-17 Thread Neil McKellar
Schmehl, Paul L wrote:
> But, back to your original complaint, which was that remote services
> should not be available until you login to the console.  I'm willing
> to bet that *many* people who use *nix as a workstation, *even at home*,
> allow *at least* ssh sessions remotely.  And there are KaZaA lovers
> worldwide who are offering remote access to files, on numerous OSes,
> even when they're not at home and logged in.

I was wondering about this as well.  Even if you don't run a local FTP, 
HTTP, NFS, SMB, SSH, or other service on your local Linux workstation, 
you're guaranteed to be bringing up parts of the system to talk to the 
network during the boot process.  Chances are you're broadcasting for 
DHCP.  If you're a thin-client, you may be asking for tftp or bootp even 
before that.  If you're running a virus scanner, it may be starting in 
the background, downloading updates automatically from a central server 
and scanning files.  If you've got NIS, ADS, or Kerberos or something 
running, you may be hooking into local authentication systems.  These 
things are all true for Windows workstations and Mac workstations, too.

All these things require network connectivity, imply levels of trust 
with services inside the local network, and may be vulnerable to 
spoofing locally.  Even the order in which these things become available 
may result in greater or lesser exposure.

You don't want your workstations talking to the network or running local 
services with network connectivity before the user logs in?  Well, when 
is it renewing the DHCP lease?  How are you remotely pushing software 
updates or virus updates to those 1,000+ users?  How are you remotely 
administering the workstation at all?  How are you running backups over 
the network, if you need to do such things?

If you need complete lockdown on all these things, then this is no 
normal workstation and shouldn't be treated as such.  Don't be surprised 
if the default install isn't fulfilling your needs.
--
Neil ([EMAIL PROTECTED])



Re: [Full-Disclosure] Credit card numbers

2003-07-17 Thread Dan Stromberg
On Thu, 2003-07-17 at 10:49, Myers, Marvin wrote:
> Maybe it is only me, but does anyone else notice a big jump in the
> number of merchants that are printing the entire credit card number
> and expiration date on receipts?
> 
> Over the past 6 months I have had to educate about a dozen local
> merchants about the possible abuse scenarios that exist with this type
> of information leakage. If there
> 
> Is not already some sort of law governing this policy, there should
> be.
> 

I believe there's a patent on the idea of only listing four digits of a
credit card.  So yes, there's an actual financial incentive to do the
wrong thing.

A local grocery store was doing 8 digits for a while - before they went
out of business.  Another shows all of them - they seem to be doing
well.

Shredders are your friends.  But don't let that stop you from
complaining to the merchant in question.  Don't behead the person behind
the counter - but maybe ask them to relay a message to their manager.

On a related note, how do you get web vendors not to store your credit
card # on their hard disks longer than absolutely necessary?  I trust
(ssl data entry * number of orders) a lot more than a merchant's ability
to stay up to date on patches until my card expires.

-- 
Dan Stromberg DCS/NACS/UCI <[EMAIL PROTECTED]>





Re: [Full-Disclosure] Does your IE6 crash with these "URLs"?

2003-07-17 Thread madsaxon
At 07:15 PM 7/17/03 +0200, Martin wrote:

> OK, thank you all. It looks like only W2k is affected. I could
> swear I found it on XP.

No, I was running Win 98 SE.

m5x



RE: [Full-Disclosure] Does your IE6 crash with these "URLs"?

2003-07-17 Thread Nick Jacobsen
Odd...  it DOES crash on mine...
Windows 2000 SP4
IE 6.0.2800.1106, SP1, all updates

-Original Message- 
From: Martin 
Sent: Thu 7/17/2003 8:57 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [Full-Disclosure] Does your IE6 crash with these
"URLs"?



Hi,

I have a question. I would like to know, if you can also crash
IE6, when typing the following "URL":

ftp*://?

I have also tried from HTML like this:




window.open(" ftp://ftp*://?";);




I could crash IE about a year ago with the first "URL" above
and I've sent already various crash reports to Microsoft a
long time ago. There was no reaction.

That's why I just want to ask if someone can check this for me.
Maybe only my 3 PCs are weird.

Thanks,
Martin



[Full-Disclosure] Credit card numbers

2003-07-17 Thread Myers, Marvin








Maybe it is only me, but does anyone else notice a big jump
in the number of merchants that are printing the entire credit card number and
expiration date on receipts?

Over the past 6 months I have had to educate about a dozen
local merchants about the possible abuse scenarios that exist with this type of
information leakage. If there is not already some sort of law governing this
policy, there should be.

 

 

Marvin R. Myers








Re: [Full-Disclosure] Does your IE6 crash with these "URLs"?

2003-07-17 Thread Troy
On 17 Jul 2003 17:57:16 +0200, Martin <[EMAIL PROTECTED]> wrote:

> Hi,
> 
> I have a question. I would like to know, if you can also crash 
> IE6, when typing the following "URL":
> 
> ftp*://?

Neat. Windows 2000, IE build 6.0.2800.1106 reproduces this. I *just*
went to Windows Update. All patches are installed. The only things left
to install at WU are the .NET framework, DX9, and Media Player 9.

I tried the sample code and made a simpler, non-Java version using a
redirect.


ftp://ftp*://?";>


Fortunately, OE isn't stupid enough to launch the URL automatically if I
open an HTML message with that source, but I wonder about other
HTML-capable news readers.

-- 
Troy



Re: [Full-Disclosure] Does your IE6 crash with these "URLs"?

2003-07-17 Thread Blue Boar
Securesdotcoms wrote:
> Crashes me:
>
> AppName: iexplore.exe AppVer: 6.0.2800.1106 ModName: msieftp.dll
>
> ModVer: 5.50.4807.2300 Offset: b8bc

It does not crash my IE on WinXPPro.  IE version 
6.0.2800.1106.xpsp2.030422-1633

My msieftp.dll version says:
6.0.2800.1106
Strange that the people who do crash seem to have the IE 5.5 dll.  I see a 
copy of the new file in c:\Windows\ServicePackFiles\i386.  It's dated 
8/29/2002.  So, I'm guessing I picked it up with service pack 1?

	BB



RES: [Full-Disclosure] Does your IE6 crash with these "URLs"?

2003-07-17 Thread Armando Rogerio Brandao Guimaraes Junior






Don't crash my WinXP IE ver 6.0.2800.1106xpsp2.030422-1633 with: SP1; Q810847; Q813489; Q818529; Q330994; Q820223


see image below


Armando Junior
Consultor - amadeus C/S
* - attps Informática S/A - Vitória

Re: [Full-Disclosure] Does your IE6 crash with these "URLs"?

2003-07-17 Thread Byron Copeland
Crashed here as well:

AppName: explore.exe   AppVer: 6.0.2800.1106  ModName: msieftp.dll

ModVer: 5.50.4807.2300  Offset: b8bc


l8r,
-b

On Thu, 2003-07-17 at 12:37, Securesdotcoms wrote:
> Crashes me:
> 
> AppName: iexplore.exe AppVer: 6.0.2800.1106 ModName: msieftp.dll
> 
> ModVer: 5.50.4807.2300 Offset: b8bc
> 
> - Original Message - 
> From: "Martin" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, July 17, 2003 8:57 AM
> Subject: [Full-Disclosure] Does your IE6 crash with these "URLs"?
> 
> 
> > Hi,
> > 
> > I have a question. I would like to know, if you can also crash 
> > IE6, when typing the following "URL":
> > 
> > ftp*://?
> > 
> > I have also tried from HTML like this:
> > 
> > 
> > 
> > 
> > window.open("ftp://ftp*://?";);
> > 
> > 
> > 
> > 
> > I could crash IE about a year ago with the first "URL" above 
> > and I've sent already various crash reports to Microsoft a 
> > long time ago. There was no reaction.
> > 
> > That's why I just want to ask if someone can check this for me. 
> > Maybe only my 3 PCs are weird.
> > 
> > Thanks,
> > Martin
> > 
> > 


Re: [Full-Disclosure] Does your IE6 crash with these "URLs"?

2003-07-17 Thread Martin

OK, thank you all. It looks like only W2k is affected. I could
swear I found it on XP.

I know it's not a security issue. It's only that no one answered to
me in other forums.

Btw, it was a kind of game. "How many attempts do I need to crash
IE?". I needed about 50-100 (don't remember the exact number, it was
really a year ago). You should try it, too. ;)

Martin




RE: [Full-Disclosure] Does your IE6 crash with these "URLs"?

2003-07-17 Thread Jim Laverty
Not sure this is leading to anything useful or why it is on this list,
but...

Same here:

AppName: iexplore.exe   AppVer: 6.0.2800.1106   ModName: msieftp.dll
ModVer: 5.50.4807.2300   Offset: b8bc

The thread 'Win32 Thread' (0xc90) has exited with code 0 (0x0).
Unhandled exception at 0x039cb8bc in IEXPLORE.EXE: 0xC005: Access
violation reading location 0x.

Call Stack:
>   msieftp.dll!039cb8bc()  
msieftp.dll!039cba4a()  
msieftp.dll!039cc02b()  
SHDOCVW.DLL!71743f4e()  
SHDOCVW.DLL!7170dfe3()  
SHDOCVW.DLL!7170e18d()  
SHDOCVW.DLL!7171ce8c()  
browseui.dll!71174c93() 
SHDOCVW.DLL!717209a5()  
SHDOCVW.DLL!7176e276()  
SHDOCVW.DLL!7173f80a()  
browseui.dll!711ca25a() 
browseui.dll!711ca2c8() 
browseui.dll!7119cfd4() 
browseui.dll!711765b7() 
browseui.dll!711764fe() 
browseui.dll!711764b1() 
browseui.dll!711684e6() 
USER32.DLL!77e3a244()   
USER32.DLL!77e16b21()   
USER32.DLL!77e24f4a()   
browseui.dll!71168a74() 
USER32.DLL!77e3a244()   
USER32.DLL!77e145e5()   
USER32.DLL!77e1a792()   

ASM Code:

039CB84E C2 0C 00             ret   0Ch
039CB851 56                   push  esi
039CB852 33 F6                xor   esi,esi
039CB854 E8 AE 03 00 00       call  039CBC07
039CB859 85 C0                test  eax,eax
039CB85B 75 13                jne   039CB870
039CB85D FF 74 24 08          push  dword ptr [esp+8]
039CB861 E8 41 D5 00 00       call  039D8DA7
039CB866 83 F8 01             cmp   eax,1
039CB869 75 05                jne   039CB870
039CB86B BE 05 40 00 80       mov   esi,80004005h
039CB870 85 F6                test  esi,esi
039CB872 7D 11                jge   039CB885
039CB874 8B 44 24 0C          mov   eax,dword ptr [esp+0Ch]
039CB878 83 38 00             cmp   dword ptr [eax],0
039CB87B 74 08                je    039CB885
039CB87D 6A 00                push  0
039CB87F 50                   push  eax
039CB880 E8 BA D4 00 00       call  039D8D3F
039CB885 8B C6                mov   eax,esi
039CB887 5E                   pop   esi
039CB888 C2 08 00             ret   8
039CB88B 55                   push  ebp
039CB88C 8B EC                mov   ebp,esp
039CB88E 51                   push  ecx
039CB88F 8B 45 18             mov   eax,dword ptr [ebp+18h]
039CB892 56                   push  esi
039CB893 8B 75 08             mov   esi,dword ptr [ebp+8]
039CB896 57                   push  edi
039CB897 83 20 00             and   dword ptr [eax],0
039CB89A 89 4D FC             mov   dword ptr [ebp-4],ecx
039CB89D 85 F6                test  esi,esi
039CB89F BF 05 40 00 80       mov   edi,80004005h
039CB8A4 74 74                je    039CB91A
039CB8A6 8B 46 14             mov   eax,dword ptr [esi+14h]
039CB8A9 85 C0                test  eax,eax
039CB8AB 74 6D                je    039CB91A
039CB8AD 66 83 38 00          cmp   word ptr [eax],0
039CB8B1 74 67                je    039CB91A
039CB8B3 FF 75 14             push  dword ptr [ebp+14h]
039CB8B6 FF 15 D8 12 9C 03    call  dword ptr ds:[39C12D8h]
039CB8BC 80 38 00             cmp   byte ptr [eax],0 <= Breaks here

Registers:

eax 0x  unsigned long
ebp 0x00125b34  unsigned long
esi 0x0021ef08  unsigned long
edi 0x80004005  unsigned long
ds  0x0023  unsigned short
ecx 0x001c5bf0  unsigned long
bx  0x5bf0  unsigned short
cx  0x5bf0  unsigned short
dx  0x001c  unsigned short
ds  0x0023  unsigned short
cs  0x001b  unsigned short

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Securesdotcoms
Sent: Thursday, July 17, 2003 12:38 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Does your IE6 crash with these "URLs"?


Crashes me:

AppName: iexplore.exe AppVer: 6.0.2800.1106 ModName: msieftp.dll

ModVer: 5.50.4807.2300 Offset: b8bc

- Original Message - 
From: "Martin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 17, 2003 8:57 AM
Subject: [Full-Disclosure] Does your IE6 crash with these "URLs"?


> Hi,
> 
> I have a question. I would like to know, if you can also crash
> IE6, when typing the following "URL":
> 
> ftp*://?
> 
> I have also tried from HTML like this:
> 
> 
> 
> 
> window.open("ftp://ftp*://?";);
> 
> 
> 
> 
> I could crash IE about a year ago with the first "URL" above
> and I've sent already various crash reports to Microsoft a 
> long time ago. There was no reaction.
> 
> That's why I just want to ask if someone can check this for me.
> Maybe only my 3 PCs are weird.
> 
> T
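
The problem signatures and debugger output posted in this thread can be triaged the way a crash-bucketing pipeline would. This is an added example, not part of any poster's message: the function names are this example's own, the report values are the ones quoted in the thread, and the fused or line-wrapped spacing variants are constructed input that exercises the parser.

```python
import re
from collections import defaultdict

_LABELS = "AppName|AppVer|ModName|ModVer|Offset"
# A value is a run of non-space characters; the lookahead also splits fused
# text such as "iexplore.exeAppVer:" where a separator was lost in transit.
_FIELD_RE = re.compile(rf"({_LABELS}):\s*([^\s:]+?)(?=\s|$|(?:{_LABELS}):)")
# Debugger frame of the form "module!address()".
_FRAME_RE = re.compile(r"([\w.]+)!([0-9A-Fa-f]+)\(\)")

# Windows maps modules on 64 KiB boundaries (the allocation granularity),
# so fault_address - offset must come out 64 KiB aligned.
ALLOCATION_GRANULARITY = 0x10000


def parse_signature(text):
    """Parse one 'problem signature' into a dict; Offset becomes an int."""
    sig = dict(_FIELD_RE.findall(text))
    missing = [f for f in _LABELS.split("|") if f not in sig]
    if missing:
        raise ValueError(f"signature lacks fields: {missing}")
    sig["Offset"] = int(sig["Offset"], 16)
    return sig


def bucket_reports(reports):
    """Group reporters by (faulting module, module version, offset)."""
    buckets = defaultdict(list)
    for reporter, text in reports:
        sig = parse_signature(text)
        key = (sig["ModName"].lower(), sig["ModVer"], sig["Offset"])
        buckets[key].append(reporter)
    return dict(buckets)


def module_base(fault_address, offset):
    """Recover the module load base and sanity-check its alignment."""
    base = fault_address - offset
    if base < 0 or base % ALLOCATION_GRANULARITY:
        raise ValueError("offset does not match this fault address")
    return base


def frame_offsets(stack_lines, module, base):
    """Turn absolute frame addresses of one module into module offsets,
    which stay comparable when the DLL loads at a different base."""
    offsets = []
    for line in stack_lines:
        m = _FRAME_RE.search(line)
        if m and m.group(1).lower() == module.lower():
            offsets.append(int(m.group(2), 16) - base)
    return offsets


# Values quoted in the thread; spacing variants are constructed.
THREAD_REPORTS = [
    ("Securesdotcoms",
     "AppName: iexplore.exe AppVer: 6.0.2800.1106 ModName: msieftp.dll\n\n"
     "ModVer: 5.50.4807.2300 Offset: b8bc"),
    ("Jim Laverty",
     "AppName: iexplore.exeAppVer: 6.0.2800.1106   ModName: msieftp.dll\n"
     "ModVer: 5.50.4807.2300   Offset: b8bc"),
    ("Michael Renzmann",
     "AppName: iexplore.exeAppVer: 6.0.2800.1106   ModName: msieftp.dll\n"
     "ModVer: 5.50.4807.2300   Offset: b8bc\nOS is Win2k SP2."),
    ("madsaxon",
     "AppName: iexplore.exe    AppVer:\n6.0.2600.0  ModName: msieftp.dll\n"
     "ModVer: 5.0.2614.3500    Offset:\nc672"),
]

# First frames of the call stack posted with the debugger output.
POSTED_STACK = [
    ">   msieftp.dll!039cb8bc()",
    "msieftp.dll!039cba4a()",
    "msieftp.dll!039cc02b()",
    "SHDOCVW.DLL!71743f4e()",
    "SHDOCVW.DLL!7170dfe3()",
]

if __name__ == "__main__":
    for (mod, ver, off), who in bucket_reports(THREAD_REPORTS).items():
        print(f"{mod} {ver} +0x{off:x}: {len(who)} report(s): {', '.join(who)}")
    base = module_base(0x039CB8BC, 0xB8BC)
    print(f"msieftp.dll load base: 0x{base:08x}")
    offs = frame_offsets(POSTED_STACK, "msieftp.dll", base)
    print("msieftp.dll frames:", ", ".join(f"+0x{o:x}" for o in offs))
```

Two buckets come out: the 5.50.4807.2300 build faulting at offset b8bc and the 5.0.2614.3500 build faulting at c672, and the posted fault address 0x039cb8bc is consistent with the b8bc offset in the signature.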

Re: [Full-Disclosure] Does your IE6 crash with these "URLs"?

2003-07-17 Thread Nik Reiman
-Not- confirmed with IE Version 6.0.2800.1106.xpsp2.030422-1633 on XP 
build 2600.xpsp2.030422-1633, Service Pack 1.  Throws the error message 
"Server Name or Address can't be resolved."

-Nik

On Thursday, July 17, 2003, at 10:57  AM, Martin wrote:
> Hi,
>
> I have a question. I would like to know, if you can also crash
> IE6, when typing the following "URL":
>
> ftp*://?
>
> I have also tried from HTML like this:
>
> window.open("ftp://ftp*://?";);
>
> I could crash IE about a year ago with the first "URL" above
> and I've sent already various crash reports to Microsoft a
> long time ago. There was no reaction.
>
> That's why I just want to ask if someone can check this for me.
> Maybe only my 3 PCs are weird.
>
> Thanks,
> Martin


Re: [Full-Disclosure] Does your IE6 crash with these "URLs"?

2003-07-17 Thread Michael Starr

Martin;

It seems to crash my browser as well.  Running IE6, fairly new install.

Ciao!

On 17 Jul 2003, Martin tickled us all to no end by saying:

> Date: 17 Jul 2003 17:57:16 +0200
> From: Martin <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Does your IE6 crash with these "URLs"?
> 
> Hi,
> 
> I have a question. I would like to know, if you can also crash 
> IE6, when typing the following "URL":
> 
> ftp*://?
> 
> I have also tried from HTML like this:
> 
> 
> 
> 
> window.open("ftp://ftp*://?";);
> 
> 
> 
> 
> I could crash IE about a year ago with the first "URL" above 
> and I've sent already various crash reports to Microsoft a 
> long time ago. There was no reaction.
> 
> That's why I just want to ask if someone can check this for me. 
> Maybe only my 3 PCs are weird.
> 
> Thanks,
> Martin
> 
> 


Re: [Full-Disclosure] Does your IE6 crash with these "URLs"?

2003-07-17 Thread Securesdotcoms
Crashes me:

AppName: iexplore.exe AppVer: 6.0.2800.1106 ModName: msieftp.dll

ModVer: 5.50.4807.2300 Offset: b8bc

- Original Message - 
From: "Martin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 17, 2003 8:57 AM
Subject: [Full-Disclosure] Does your IE6 crash with these "URLs"?


> Hi,
> 
> I have a question. I would like to know, if you can also crash 
> IE6, when typing the following "URL":
> 
> ftp*://?
> 
> I have also tried from HTML like this:
> 
> 
> 
> 
> window.open("ftp://ftp*://?";);
> 
> 
> 
> 
> I could crash IE about a year ago with the first "URL" above 
> and I've sent already various crash reports to Microsoft a 
> long time ago. There was no reaction.
> 
> That's why I just want to ask if someone can check this for me. 
> Maybe only my 3 PCs are weird.
> 
> Thanks,
> Martin
> 
> 


Re: [Full-Disclosure] Does your IE6 crash with these "URLs"?

2003-07-17 Thread Cesar

It crashed my Win2K IE ver 6.0.2800.1106

Cesar.
--- Martin <[EMAIL PROTECTED]> wrote:
> Hi,
> 
> I have a question. I would like to know, if you can
> also crash 
> IE6, when typing the following "URL":
> 
> ftp*://?
> 
> I have also tried from HTML like this:
> 
> 
> 
> 
> window.open("ftp://ftp*://?";);
> 
> 
> 
> 
> I could crash IE about a year ago with the first
> "URL" above 
> and I've sent already various crash reports to
> Microsoft a 
> long time ago. There was no reaction.
> 
> That's why I just want to ask if someone can check
> this for me. 
> Maybe only my 3 PCs are weird.
> 
> Thanks,
> Martin
> 
> 


Re: [Full-Disclosure] Does your IE6 crash with these "URLs"?

2003-07-17 Thread madsaxon

At 05:57 PM 7/17/03 +0200, you wrote:

> I have a question. I would like to know, if you can also crash
> IE6, when typing the following "URL":
>
> ftp*://?

Yep, crashes my IE6 with this error message:

AppName: iexplore.exe    AppVer: 6.0.2600.0    ModName: msieftp.dll
ModVer: 5.0.2614.3500    Offset: c672

m5x



RE: [Full-Disclosure] Odd Behavior - Windows Messenger Service

2003-07-17 Thread Schmehl, Paul L
> -Original Message-
> From: morning_wood [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, July 17, 2003 10:49 AM
> To: Schmehl, Paul L; dos cerveza; [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Odd Behavior - Windows 
> Messenger Service
> 
> > It'll be a sad day when someone has to login to the console before a
> > server can start doing its work. :-)
>
> whoever said it was a server? This is a workstation product.
>
(I guess I'm going to have to use more specificity in my posts.  I
*thought* people in this group would understand some basics, but such is
apparently not the case.)

You misunderstand my use of the word "server".  I'm not referring to a
big expensive box with multiple processors, lots of memory and RAID
arrays.  A server is the complement of a client.  And I'm hard pressed
to think of a modern OS that isn't a server but simply and only a
workstation.  Even those who use Windows at home are sharing files,
which is a server/client process.

But, back to your original complaint, which was that remote services
should not be available until you login to the console.  I'm willing
to bet that *many* people who use *nix as a workstation, *even at home*,
allow *at least* ssh sessions remotely.  And there are KaZaA lovers
worldwide who are offering remote access to files, on numerous OSes,
even when they're not at home and logged in.

So, how does your complaint about Windows offering remote services
without login not apply to *nix (and other OS for that matter) as well?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/


Re: [Full-Disclosure] Does your IE6 crash with these "URLs"?

2003-07-17 Thread Michael Renzmann
Hi.

Martin wrote:
> I have a question. I would like to know, if you can also crash
> IE6, when typing the following "URL":
>
> ftp*://?

I can confirm that problem. When opening the mentioned URL, IE6
(6.0.2800.1106) reports the following "problem signature":

AppName: iexplore.exe   AppVer: 6.0.2800.1106   ModName: msieftp.dll
ModVer: 5.50.4807.2300   Offset: b8bc

OS is Win2k SP2.

Bye, Mike



[Full-Disclosure] Does your IE6 crash with these "URLs"?

2003-07-17 Thread Martin
Hi,

I have a question. I would like to know, if you can also crash 
IE6, when typing the following "URL":

ftp*://?

I have also tried from HTML like this:




window.open("ftp://ftp*://?";);




I could crash IE about a year ago with the first "URL" above 
and I've sent already various crash reports to Microsoft a 
long time ago. There was no reaction.

That's why I just want to ask if someone can check this for me. 
Maybe only my 3 PCs are weird.

Thanks,
Martin




Re: [Full-Disclosure] Odd Behavior - Windows Messenger Service

2003-07-17 Thread morning_wood
> > 
> I guess you'd better dump Unix then.  Have you ever watched the screen
> on a Unix box while it's booting?  Have you not noticed things like
> sendmail, sshd, crond, etc. starting up?
> 
yes i have, from 1992 until today.. your point?

> It'll be a sad day when someone has to login to the console before a
> server can start doing its work. :-)

whoever said it was a server? This is a workstation product.

bleh,

wood


RE: [Full-Disclosure] Odd Behavior - Windows Messenger Service

2003-07-17 Thread Schmehl, Paul L
> -Original Message-
> From: morning_wood [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, July 16, 2003 5:17 PM
> To: dos cerveza; [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Odd Behavior - Windows 
> Messenger Service
> 
> imho it is irresponsible default behavior for a workstation OS 
> to allow remote resources / services / enumeration before any 
> interactive user or administrative login.
> 
I guess you'd better dump Unix then.  Have you ever watched the screen
on a Unix box while it's booting?  Have you not noticed things like
sendmail, sshd, crond, etc. starting up?

It'll be a sad day when someone has to login to the console before a
server can start doing its work. :-)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/



RE: [Full-Disclosure] Participation in System Administrator Survey

2003-07-17 Thread Curt Purdy
Well put Ron.  Stamatis actually did more work than most having dug my name
out of the SANS cert list a few weeks ago, which is why I took the time to
fill it out.  The more young minds we bring into this field, especially from
true academic research, the more we will all learn.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ron DuFresne
Sent: Wednesday, July 16, 2003 3:39 PM
To: Stamatis Bolakis
Cc: Schmehl, Paul L; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Participation in System Administrator
Survey



Stamatis' survey request has appeared in a number of lists, some with more
restrictive participation than this unmoderated forum.  I've seen a number
of such and participated in many over the years.  It's a fairly standard
avenue for students to join and read lists in areas of their choice of
study, as well as on occasion actually participating or requesting help in
gathering information for their studies.  We could well see more of these
kind of requests over time.  Some will respond to the requestor and help
them out, some will hit the delete key and move on.  Hopefully few will be
put off enough that the list floods for a few days of 'complaints and
counter complaints and claims of spamming', that we can tolerate another's
quest for knowledge and learning.

Thanks,

Ron DuFresne

On Wed, 16 Jul 2003, Stamatis Bolakis wrote:

>
> You are absolutely right... I couldn’t imagine or predict the impacts of
> my action. It was under my effort to reach some responses for my Survey...
> Of course I regret about that...
>
> I feel this way to distribute a Survey also can run the risk of alienating
> people (e.g. being perceived as spamming), but I will never know what kind
> of success can be had without trying...
>
> Regards,
> Stamatis
>
>
> Stamatis Bolakis
> MSc Network Systems Engineering
> University of Plymouth, UK.
>
>
>
>
>

~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.



AW: [Full-Disclosure] Microsoft wins Homeland Security Bid ( Reuters)

2003-07-17 Thread vogt
> NSA already did their own open source distro 
> http://www.nsa.gov/selinux/

Not true. SELinux is a prototype implementation of a security concept. It
very much is _not_ a distro. (which is its greatest strength - SELinux
packages are available for Debian, Suse, Redhat and Gentoo)

Plus, while I'm a big fan of (and sometimes contributor to) SELinux, I
wouldn't yet hang my job on a 140k workstation rollout.


Tom Vogt


Re: [Full-Disclosure] cisco

2003-07-17 Thread Carl Livitt

>workaround would be to firewall the router's own IP address(es).  This
>would still allow the router to perform its routing function for other
> IPs
>
> Y'mean this *still* isn't done as standard best practice?
>
> *sigh*  ... well, perhaps not, because of speed considerations, real
> or perceived, from slapping an ACL on an interface.  Can't accept a minor
> slowdown in the interest of security, now can we?


Or, in the case of business users with a Cisco ADSL router that is remotely 
managed, it's not possible for a customer to firewall the interface - it's 
plugged directly into the ADSL line.

In our case, our provider simply asked 'What Cisco advisory?' when I called 
them about it this morning. I had to forward the advisory to them myself and 
am still waiting

Sheeesh.



[Full-Disclosure] CERT Advisory CA-2003-15 Cisco IOS Interface Blocked by IPv4 Packet (fwd)

2003-07-17 Thread Muhammad Faisal Rauf Danka


Regards

Muhammad Faisal Rauf Danka


*** There is an attachment in this mail. ***

_
---
[ATTITUDEX.COM]
http://www.attitudex.com/
---

--- Begin Message ---


-BEGIN PGP SIGNED MESSAGE-

CERT Advisory CA-2003-15 Cisco IOS Interface Blocked by IPv4 Packet

   Original release date: July 16, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

 * All  Cisco  devices  running  Cisco IOS software and configured to
   process Internet Protocol version 4 (IPv4) packets

Overview

   A  vulnerability in many versions of Cisco IOS could allow an intruder
   to execute a denial-of-service attack against a vulnerable device.

I. Description

   Cisco  IOS  is  a  very  widely  deployed  network operating system. A
   vulnerability   in   IOS   could   allow  an  intruder  to  execute  a
   denial-of-service   attack  against  an  affected  device.  Cisco  has
   published an advisory on this topic, available at
   http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
   We  strongly  encourage sites using IOS to read this document and take
   appropriate action.

   The CERT/CC is tracking this issue as VU#411332. This reference number
   corresponds to CVE candidate CAN-2003-0567.

II. Impact

   By  sending  specially  crafted  IPv4  packets  to  an  interface on a
   vulnerable device, an intruder can cause the device to stop processing
   packets destined to that interface. Quoting from Cisco's advisory:

   "A device receiving these specifically crafted IPv4 packets will force
   the  inbound interface to stop processing traffic. The device may stop
   processing  packets destined to the router, including routing protocol
   packets  and  ARP  packets.  No alarms will be triggered, nor will the
   router  reload  to  correct  itself.  This  issue can affect all Cisco
   devices   running  Cisco  IOS  software.  This  vulnerability  may  be
   exercised  repeatedly  resulting  in  loss  of  availability  until  a
   workaround has been applied or the device has been upgraded to a fixed
   version of code."

III. Solution

Apply a patch from Cisco

   Apply a patch as described in Cisco's Advisory.

   Until  a patch can be applied, you can mitigate the risks presented by
   this  vulnerability  by  judicious use of access control lists (ACLs).
   The   correct   use   of   ACLs  depends  on  your  network  topology.
   Additionally,  ACLs  may  degrade  performance  on  some  systems.  We
   recommend reviewing the following before applying ACLs

   http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml#workarounds
   http://www.cisco.com/warp/public/707/racl.html
   http://www.cisco.com/warp/public/707/iacl.html
_

   The  CERT Coordination Center thanks Cisco Systems for notifying us
   about this problem and for helping us to construct this advisory.
_

   Feedback  about  this  advisory  may  be directed to the author, Shawn
   Hernan
   __

   This document is available from:
   http://www.cert.org/advisories/CA-2003-15.html
   __

CERT/CC Contact Information

   Email: [EMAIL PROTECTED]
  Phone: +1 412-268-7090 (24-hour hotline)
  Fax: +1 412-268-6989
  Postal address:
  CERT Coordination Center
  Software Engineering Institute
  Carnegie Mellon University
  Pittsburgh PA 15213-3890
  U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

Getting security information

   CERT  publications  and  other security information are available from
   our web site
   http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to [EMAIL PROTECTED] Please include in the body of your
   message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registere

[Full-Disclosure] Re: Re: Participation in System Administrator Survey

2003-07-17 Thread martin f krafft
also sprach Nils Ketelsen <[EMAIL PROTECTED]> [2003.07.17.0858 +0200]:
> He's asking for customers, that's all. Writing to millions of
> emailaddresses just seems like an easy way to reach a lot of
> people,

I surely distinguish between spam and mails that

  - are of an uncommercial nature
  - that clearly identify the poster
  - that are not used to verify and pass on your address
  - that are polite
  - on-topic

Now go and play outside.

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
 
why didn't noah swat those two mosquitoes?




[Full-Disclosure] [RHSA-2003:196-02] Updated Xpdf packages fix security vulnerability.

2003-07-17 Thread bugzilla
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
   Red Hat Security Advisory

Synopsis:          Updated Xpdf packages fix security vulnerability.
Advisory ID:       RHSA-2003:196-02
Issue date:        2003-06-18
Updated on:        2003-07-17
Product:           Red Hat Linux
Keywords:
Cross references:
Obsoletes:         RHSA-2003:137
CVE Names:         CAN-2003-0434
- -

1. Topic:

Updated Xpdf packages are available that fix a vulnerability where a
malicious PDF document could run arbitrary code.

[Updated 16 July 2003]
Updated packages are now available, as the original errata packages did not
fix all possible ways of exploiting this vulnerability.

2. Relevant releases/architectures:

Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386
Red Hat Linux 9 - i386

3. Problem description:

Xpdf is an X Window System based viewer for Portable Document Format
(PDF) files.

Martyn Gilmore discovered a flaw in various PDF viewers and readers. An
attacker can embed malicious external-type hyperlinks that, if activated or
followed by a victim, can execute arbitrary shell commands.   The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0434 to this issue.

All users of Xpdf are advised to upgrade to these errata packages, which
contain a backported security patch that corrects this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

79680 - xpdf packaging issues

6. RPMs required:

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/xpdf-0.92-4.71.2.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/xpdf-0.92-4.71.2.i386.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/xpdf-0.92-10.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/xpdf-0.92-10.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/xpdf-0.92-10.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/xpdf-1.00-7.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/xpdf-1.00-7.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/xpdf-chinese-simplified-1.00-7.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/xpdf-chinese-traditional-1.00-7.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/xpdf-japanese-1.00-7.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/xpdf-korean-1.00-7.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/xpdf-1.01-12.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/xpdf-1.01-12.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/xpdf-chinese-simplified-1.01-12.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/xpdf-chinese-traditional-1.01-12.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/xpdf-japanese-1.01-12.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/xpdf-korean-1.01-12.i386.rpm

Red Hat Linux 9:

SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/xpdf-2.01-11.src.rpm

i386:
ftp://updates.redhat.com/9/en/os/i386/xpdf-2.01-11.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/xpdf-chinese-simplified-2.01-11.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/xpdf-chinese-traditional-2.01-11.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/xpdf-japanese-2.01-11.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/xpdf-korean-2.01-11.i386.rpm



7. Verification:

MD5 sum  Package Name
- --
dfdc27db65d2706554a3a35a1e4c7e0a 7.1/en/os/SRPMS/xpdf-0.92-4.71.2.src.rpm
56083c770c865432ee611c64cffa42f6 7.1/en/os/i386/xpdf-0.92-4.71.2.i386.rpm
936f5aad703113ac64b3ebd608c21f48 7.2/en/os/SRPMS/xpdf-0.92-10.src.rpm
3b37ceb7ac361a02b60dddf011a5f58d 7.2/en/os/i386/xpdf-0.92-10.i386.rpm
ef4ed48238c8d9bfb7125311aea1d000 7.2/en/os/ia64/xpdf-0.92-10.ia64.rpm
bbbca3b1e966cfbfbf4d05934f289a11 7.3/en/os/SRPMS/xpdf-1.00-7.src.rpm
5120b76b6af8c48a3311f3d69a3cdaa0 7.3/en/os/i386/xpdf-1.00-7.i386.rpm
ddd9c3f4413e16dac99787715d735c44 7.3/en/os/i386/xpdf-chines

Re: [Full-Disclosure] Cisco Code Train matrix (mystery IOS vulnerability)

2003-07-17 Thread Jeremiah Cornelius



> Hi.. merely reporting what information we had available,
> and as far as I know it was the ONLY source of information
> at the time. Perhaps Cisco could post something sooner next
> time.
>

Here is CERT:
http://www.cert.org/advisories/CA-2003-15.html

CERT® Advisory CA-2003-15 Cisco IOS Interface Blocked by IPv4 Packet

Original release date: July 16, 2003
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

All Cisco devices running Cisco IOS software and configured to process
Internet Protocol version 4 (IPv4) packets

Overview

A vulnerability in many versions of Cisco IOS could allow an intruder to
execute a denial-of-service attack against a vulnerable device.

I. Description

Cisco IOS is a very widely deployed network operating system. A
vulnerability in IOS could allow an intruder to execute a denial-of-service
attack against an affected device. Cisco has published an advisory on this
topic, available at
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
We strongly encourage sites using IOS to read this document and take
appropriate action.

The CERT/CC is tracking this issue as VU#411332. This reference number
corresponds to CVE candidate CAN-2003-0567.

II. Impact

By sending specially crafted IPv4 packets to an interface on a vulnerable
device, an intruder can cause the device to stop processing packets destined
to that interface. Quoting from Cisco's advisory:

"A device receiving these specifically crafted IPv4 packets will force the
inbound interface to stop processing traffic. The device may stop processing
packets destined to the router, including routing protocol packets and ARP
packets. No alarms will be triggered, nor will the router reload to correct
itself. This issue can affect all Cisco devices running Cisco IOS software.
This vulnerability may be exercised repeatedly resulting in loss of
availability until a workaround has been applied or the device has been
upgraded to a fixed version of code."

III. Solution

Apply a patch from Cisco

Apply a patch as described in Cisco's Advisory.

Until a patch can be applied, you can mitigate the risks presented by this
vulnerability by judicious use of access control lists (ACLs). The correct
use of ACLs depends on your network topology. Additionally, ACLs may degrade
performance on some systems. We recommend reviewing the following before
applying ACLs

http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml#workarounds
http://www.cisco.com/warp/public/707/racl.html
http://www.cisco.com/warp/public/707/iacl.html

The CERT Coordination Center thanks Cisco Systems for notifying us about
this problem and for helping us to construct this advisory.

Feedback about this advisory may be directed to the author, Shawn Hernan

This document is available from:
http://www.cert.org/advisories/CA-2003-15.html

CERT/CC Contact Information

Email: [EMAIL PROTECTED]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other hours,
on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our
public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web
site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send
email to [EMAIL PROTECTED]. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent
and Trademark Office.

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
University makes no warranties of any kind, either expressed or implied as
to any matter including, but not limited to, warranty of fitness for a
particular purpose or merchantability, exclusivity or results obtained from
use of the material. Carnegie Mellon University does not make any warranty
of any kind with respect to freedom from patent, trademark, or copyright
infringement.

Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.

Revision History

July 16, 2003:  Initial release


Re: [Full-Disclosure] Odd Behavior - Windows Messenger Service

2003-07-17 Thread marco
> . I was simply pointing out something in a default behavior that IMHO
> should not be able to occur... is this too hard to grasp? 

yes,
system tuning after installation is a needful thing to never forget...

I know YOU know this... then.. why still surprised by MS defaults?


m1
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: Participation in System Administrator Survey

2003-07-17 Thread Nils Ketelsen
At 21:44 16.07.2003 +0200, martin f krafft wrote:

> Come down, dude. Nobody asks you to take this personal, so don't.
> He's asking for help, that's all. Writing to mailing lists just
> seems like an easy way to reach a lot of people, and surveys just
> don't work without a lot of participants, just like darwinism
> doesn't make sense without enough dead bodies.

And for Spammers that is:

Come down, dude. Nobody asks you to take this personal, so don't.
He's asking for customers, that's all. Writing to millions of email addresses just
seems like an easy way to reach a lot of people, and business just
don't work without a lot of customers, just like darwinism
doesn't make sense without enough dead bodies.



Nils 



[Full-Disclosure] [contact@lsd-pl.net: Critical security vulnerability in Microsoft operating systems]

2003-07-17 Thread John Cartwright
- Forwarded message from Last Stage of Delirium <[EMAIL PROTECTED]> -

Critical security vulnerability in Microsoft operating systems

Hello,

We have discovered a critical security vulnerability in all recent versions of 
Microsoft operating systems. The vulnerability affects default installations 
of Windows NT 4.0, Windows 2000, Windows XP as well as Windows 2003 Server. 

This is a buffer overflow vulnerability that exists in an integral component of 
any Windows operating system, the RPC interface implementing Distributed Component 
Object Model services (DCOM). As a result of an implementation error in a function 
responsible for instantiation of DCOM objects, remote attackers can obtain 
unauthorized access to vulnerable systems.

The existence of the vulnerability has been confirmed by Microsoft Corporation. 
The appropriate security bulletin as well as fixes for all affected platforms 
are available for download from http://www.microsoft.com/security/ (MS03-026).

It should be emphasized that this vulnerability poses an enormous threat and  
appropriate patches provided by Microsoft should be immediately applied. 

We have decided not to publish codes or any technical details with regard to
this vulnerability at the moment.

With best regards,
Members of
The Last Stage of Delirium
Research Group

http://lsd-pl.net

- End forwarded message -