Re: [Full-Disclosure] Vulnerability in sourceforge.net
> Does OpenBSD do that?

Yes. By default OpenBSD does not even start the httpd, so it is more secure.

-aditya

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] SUSE Security Announcement: samba (SUSE-SA:2004:022)
SUSE Security Announcement

Package:                samba
Announcement-ID:        SUSE-SA:2004:022
Date:                   Friday, Jul 23rd 2004 12:30 MEST
Affected products:      8.1, 8.2, 9.0, 9.1
                        SUSE Linux Database Server
                        SUSE eMail Server III, 3.1
                        SUSE Linux Enterprise Server 7, 8
                        SUSE Linux Firewall on CD/Admin host
                        SUSE Linux Connectivity Server
                        SUSE Linux Office Server
Vulnerability Type:     remote root compromise
Severity (1-10):        7
SUSE default package:   no
Cross References:       CAN-2004-0600
                        CAN-2004-0686

Content of this advisory:
1) security vulnerability resolved:
     - buffer overflow in base64 code
     - buffer overflow in mangling method hash code
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
     - cadaver
     - kopete
     - wv
     - gnats
     - OpenOffice_org
     - mod_ssl
     - lha
3) standard appendix (further information)

1) problem description, brief discussion, solution, upgrade information

The Samba Web Administration Tool (SWAT) was found vulnerable to a buffer overflow in its base64 code. This buffer overflow can possibly be exploited remotely, before any authentication has taken place, to execute arbitrary code. The same piece of vulnerable code was also used in ldapsam passdb and in the ntlm_auth tool. This vulnerability only exists in Samba 3.0.2 to 3.0.4.

Another buffer overflow was found in Samba 3.0.0 and later, as well as in Samba 2.2.x. This overflow exists in the hash code of the mangling method (smb.conf: mangling method = hash); the default uses hash2, which is not vulnerable.

There is no temporary workaround known. The first proof-of-concept exploits have been seen on public mailing lists.

After the installation has completed successfully, please restart the samba daemon:

  /usr/sbin/rcsmb restart

SWAT is called by inetd/xinetd. Therefore it is sufficient to kill all running instances of SWAT only.
Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command

  rpm -Fhv file.rpm

to apply the update.

Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web. Note that SLES8 packages will be delivered with a short delay.

x86 Platform:

SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/samba-3.0.4-1.27.i586.rpm
eb8a66582bfa5749457ac18d518321ef
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/samba-client-3.0.4-1.27.i586.rpm
d38d71df7e69ede72ae70f1e763ee688
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/samba-pdb-3.0.4-1.27.i586.rpm
9d95db6023323752e1705147c3a0609a
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/samba-python-3.0.4-1.27.i586.rpm
dfd2c9883cfdbefc27d8a6d555d483df
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/samba-vscan-0.3.4-83.30.i586.rpm
117af75e8fb9d8a941a88680f813f7ba
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/samba-winbind-3.0.4-1.27.i586.rpm
a589036769807de0fc0aa5bab67010f4
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/samba-doc-3.0.4-1.12.i586.rpm
c5ef1760451cc548082ad6dad990e971
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/libsmbclient-3.0.4-1.27.i586.rpm
2ea69766d732ca3393a3a49256550315
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/libsmbclient-devel-3.0.4-1.27.i586.rpm
6c03f36007f9172ec2c51b18796b7fed

patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/samba-3.0.4-1.27.i586.patch.rpm
1d4b5402e5c4d86c6da563176e4c08fb
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/samba-client-3.0.4-1.27.i586.patch.rpm
71a324e5651388fc8386abd3ac7390e8
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/samba-pdb-3.0.4-1.27.i586.patch.rpm
37bb872de17d6553cd4b3953339fff57
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/samba-python-3.0.4-1.27.i586.patch.rpm
7e3f654697615788d6ec4a8b7befb409
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/samba-vscan-0.3.4-83.30.i586.patch.rpm
4fe8afef0d7a6423e9d75059f5c3a39c
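The advisory asks you to verify each downloaded package before running rpm -Fhv, and publishes an MD5 sum under every URL for that purpose (its section 3, which describes the verification methods, is not reproduced on this page). The following is an added example, not SUSE's or Samba's code: it pulls the "URL checksum" pairs out of advisory text in exactly the layout above, hashes the corresponding files in a download directory and reports which ones may be installed. The advisory excerpt, the ftp.example.test host and the file contents in demo() are constructed so the block runs offline; the real sums are the ones printed above. Two caveats a practitioner should keep in mind: MD5 is no longer collision-resistant, and a checksum fetched over the same channel as the package only protects against download corruption, not against a mirror an attacker controls, which is why the advisory's PGP signature over the text is what actually binds the sums to the vendor.

```python
"""Verify downloaded update packages against the checksums printed in an
advisory.

Added example, not part of the SUSE announcement or the Samba project: it
parses the "URL checksum" pairs as they appear in the advisory text, computes
the MD5 of the corresponding local file (the advisory publishes MD5 sums) and
reports mismatches. SAMPLE_ADVISORY and the file contents written by demo()
are constructed for the demonstration; ftp.example.test is a placeholder.
"""
import hashlib
import os
import re
import tempfile
from urllib.parse import urlparse

# A package URL followed (after whitespace or a newline) by a 32-hex-digit MD5.
_PAIR_RE = re.compile(r"(ftp://\S+?\.rpm)\s+([0-9a-fA-F]{32})")


def parse_checksums(advisory_text):
    """Return {package filename: md5 hex digest} for every pair in the text."""
    sums = {}
    for url, digest in _PAIR_RE.findall(advisory_text):
        name = os.path.basename(urlparse(url).path)
        sums[name] = digest.lower()
    return sums


def md5_of_file(path, chunk_size=1 << 16):
    """Hash the file in chunks so large RPMs need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(advisory_text, download_dir):
    """Check every package the advisory names against what is in download_dir.

    Returns {filename: status} with status "ok", "MISMATCH" or "missing".
    Only files reported "ok" should be handed to rpm -Fhv.
    """
    results = {}
    for name, digest in parse_checksums(advisory_text).items():
        path = os.path.join(download_dir, name)
        if not os.path.exists(path):
            results[name] = "missing"
        elif md5_of_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


# Constructed advisory excerpt (not the real sums): the first digest is the
# MD5 of the bytes b"hello" that demo() writes, the second can match nothing.
SAMPLE_ADVISORY = """
SUSE Linux 9.1:
ftp://ftp.example.test/update/9.1/rpm/i586/samba-3.0.4-1.27.i586.rpm
5d41402abc4b2a76b9719d911017c592
ftp://ftp.example.test/update/9.1/rpm/i586/samba-client-3.0.4-1.27.i586.rpm
00000000000000000000000000000000
"""


def demo():
    """Write one intact and one tampered download, then verify both."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "samba-3.0.4-1.27.i586.rpm"), "wb") as fh:
            fh.write(b"hello")          # matches the first published digest
        with open(os.path.join(d, "samba-client-3.0.4-1.27.i586.rpm"), "wb") as fh:
            fh.write(b"tampered")       # cannot match the all-zero digest
        return verify_downloads(SAMPLE_ADVISORY, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8s} {name}")
```

Run it against a directory holding the real downloads by passing the full advisory text to verify_downloads(); a "MISMATCH" means the file was corrupted or replaced in transit and must not be installed.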
RE: [Full-Disclosure] Affordable Network Behavior Analysis alternatives
Unfortunately they closed the beta program. Too bad, I was interested in it.

-----Original Message-----
From: Steven Rakick [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 22, 2004 12:48 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Affordable Network Behavior Analysis alternatives

> Jeff,
>
> You may want to take a look at the nSight behavior analysis product from Intrusense (http://www.intrusense.com). We were actually in a similar bind a while back and came across their beta program. We've been using it ever since and will be buying it as soon as their release version comes out. It has both standalone and distributed installation types and is dead simple to install and configure. Overall it has less functionality than QRadar, but it made up for that in cost. While we haven't *officially* purchased it yet, we were quoted under $10,000 for the distributed version with support for 3 collector agents.
>
> Still too much? You may also want to take a look at Snort and Ntop then.
>
> Feel free to email me if you want more details.
>
> Steve
>
> --- Thu, 22 Jul 2004 13:33:15 -0400 Jeff Gillian [EMAIL PROTECTED] wrote:
>
>> Hi list,
>>
>> Since it appears the SecurityFocus Sectools and IDS lists are dead, I thought I'd repost this here.
>>
>> I recently saw a posting on FocusIDS regarding the high cost of most commercial solutions. The one mentioned was the QRadar product from Q1Labs. Don't get me wrong, we have a budget, we just don't have a Fortune 500 budget. :)
>>
>> My question is simple: are there any other commercial out-of-the-box alternatives to QRadar? Something that isn't going to cost me $40,000 to deploy?
>>
>> Any input would be appreciated.
>>
>> Regards,
>> Jeff G.
[Full-Disclosure] Progress and Challenges
Due to the lag time in posts appearing to the list, this may have already been mentioned, and if so, I apologize. Also, if you could care less what this report has to say, I apologize as well.

Dept of Homeland Security has released an audit of security within the dept. In his report 'Progress and Challenges in Securing the Nation's Cyberspace', the department's inspector general Clark Kent Ervin points to the human factor as the weak plate of armor.

(pdf) http://www.dhs.gov/interweb/assetlibrary/OIG_CyberspaceRpt_Jul04.pdf

Some may find this interesting.

/jd
[Full-Disclosure] Crash IE with 11 bytes ;)
Hey,

I thought you guys might want to know that it only takes 11 bytes to crash IE 5.x, 6.x SP1. CSS memory corruption vulnerability. All you need to do is

  <style>;@/*

;) simple as that.

More details @ http://www.ecqurity.com/adv/IEstyle.html

Phuong
[Full-Disclosure] Question for DNS pros
Can this be done?

Conditions:
1) You know an IP address that is running a DNS server. (IOW, it responds to digs.)
2) You do not know the hostname or domain of the host.
3) The DNS server does not allow zone transfers.

You want to find out *all* the domains that that DNS server is authoritative for. (Essentially you're trying to find out what's in the named.conf file rather than zone file info.)

Has anyone written a tool that can do this? I thought about the possibility of parsing all the registration sites for the Primary and Backup NS, but that would take forever. I imagine you could write a perl script that would access the web interfaces, do the queries and return the results, but it would run for days...

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
[Full-Disclosure] Enumerating a DNS servers authoritative zones (was Question for DNS pros)
[ enumerate domains for which a nameserver publishes authoritative data ]

Even if the nameserver _did_ allow zone transfers, you _still_ couldn't enumerate its zones. Even if you parsed all registration sites you'd still be nowhere near there. Any subdomain at any depth can be delegated, by any nameserver. And a server can offer authoritative data even if nobody delegates it at 'em; this is sometimes a very useful technique, e.g. declaring SOA for a classfully-aligned superset of your real classless delegation in in-addr.arpa. And one of the more popular top-level zones, .com, is jealously guarded as a secret by the lucky bastards who stole it from the public domain, to prevent other folks from stepping in and doing a more responsible job of managing registry for the domain.

The place where this question rises routinely is in DNS server sets. It's quite common within organizations to want to maintain sets of domains across some collection of more or less independent nameservers. DNS has a protocol within it, zone transfer, for replicating the contents of a zone; not the best-designed protocol, but occasionally useful. But as it has no mechanism for enumerating the zones that would need to be transferred, some out-of-band mechanism needs to be used to maintain the zone list; and once that's in place, many folks note that using common off-the-shelf components for replication works better than zone xfer even for the zone data. The one place zone xfer is handy is as a rendezvous point; nameservers with different native zone data formats can share zone xfer as a way to convert zones from one format to another.

-Bennett
Re: [Full-Disclosure] Crash IE with 11 bytes ;)
Oh, I actually didn't know about that! Coolio ;) !!

Phuong

At 12:47 AM 7/24/2004, Marcel Krause wrote:

> Hi!
>
> There is a similar Bug using about:input%20type%20crash . Well i think that's old news to you :)
>
> Yours,
> Marcel
[Full-Disclosure] Re: Enumerating a DNS servers authoritative zones (was Question for DNS pros)
I'll take that as a No. :-) Thanks for the info, Todd.

--On Friday, July 23, 2004 06:01:42 PM Bennett Todd [EMAIL PROTECTED] wrote:

> [Bennett Todd's message, quoted in full; see above]

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
RE: [Full-Disclosure] Crash IE with 11 bytes ;)
Just to be a bugger I personally hit the page about 40 times and told IE to send the error report. How long till you think they fix this one?

Michael R. Schmidt

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phuong Nguyen
Sent: Friday, July 23, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Crash IE with 11 bytes ;)

> [Phuong Nguyen's original message, quoted in full; see above]
RE: [Full-Disclosure] Crash IE with 11 bytes ;)
Well I guess that we all have to wait and find out :). But honestly, I don't even think MS would take this seriously. I just think this bug is cool in that it takes only 11 bytes to crash a ~25-megabyte program :P hehe.

Phuong

At 01:31 AM 7/24/2004, Schmidt, Michael R. wrote:

> Just to be a bugger I personally hit the page about 40 times and told IE to send the error report. How long till you think they fix this one?
>
> Michael R. Schmidt
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phuong Nguyen
> Sent: Friday, July 23, 2004 10:18 AM
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Crash IE with 11 bytes ;)
>
>> [Phuong Nguyen's original message, quoted in full; see above]
[Full-Disclosure] Worm_RBOT.EI
Has anyone else seen any infections of this? So far 13 servers and 200 workstations here; luckily we closed down a lot of it before it became too big.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.EI

Matt
Re: [Full-Disclosure] Question for DNS pros
Paul,

Public-facing .Com and .Net zone authority could be derived in part from the appropriate TLD zone files:

  http://www.verisign.com/nds/naming/tld/

The .Org TLD zone file is available through PIR:

  http://www.pir.org/registrars/zone_file_access

As Bennett described, though, this won't necessarily provide a complete picture.

-Dennis

On Fri, 23 Jul 2004, Paul Schmehl wrote:

> [Paul Schmehl's question, quoted in full; see above]
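Dennis's suggestion, worked through as an added example (not code from the thread, from VeriSign or from PIR): a TLD zone file in standard master-file format carries the NS records for every delegated second-level domain plus glue A records for nameservers named inside the TLD, so the question "which domains in this TLD point at IP X" becomes a join of the two. The block parses such a file, maps glue addresses back to the domains delegated to them and returns the domains for a given IP. The zone excerpt, the example.test names and the 192.0.2.x / 198.51.100.x addresses are constructed placeholders. Bennett's objection is visible in the code as well: a nameserver named under a different TLD has no glue in this file, so its delegations cannot be found from this file alone, and zones nobody delegates never appear.

```python
"""Find the domains a TLD zone file delegates to a nameserver known only by IP.

Added example, not from the thread or from any registry: reads master-file
format (owner [TTL] [class] type rdata, the format the .com/.net/.org zone
files are distributed in), collects NS records and in-zone glue A records,
and maps each glue address back to the delegated domains that use it.
SAMPLE_ZONE is a constructed excerpt; all names and addresses are placeholders.
"""
import re
from collections import defaultdict

SAMPLE_ZONE = """\
; constructed TLD zone excerpt (not real registry data)
$ORIGIN test.
$TTL 172800
example.test.        IN NS ns1.example.test.
example.test.        IN NS ns2.example.test.
another.test.        IN NS ns1.example.test.
unrelated.test.      IN NS dns.elsewhere.test.
offsite.test.        IN NS ns.other-tld.example.
ns1.example.test.    IN A  192.0.2.53
ns2.example.test.    IN A  192.0.2.54
dns.elsewhere.test.  IN A  198.51.100.7
"""

_TTL_RE = re.compile(r"^\d+$")


def parse_zone(text):
    """Yield (owner, rtype, rdata) for every NS and A record in the zone text.

    Tolerates the optional TTL and class fields, skips $-directives, comments
    and the record types a registry zone also carries (SOA, DS, AAAA, ...).
    """
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        owner, rest = fields[0].lower(), fields[1:]
        if rest and _TTL_RE.match(rest[0]):                # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):  # optional class
            rest = rest[1:]
        if len(rest) < 2:
            continue
        rtype = rest[0].upper()
        if rtype in ("NS", "A"):
            yield owner, rtype, rest[1].lower()


def delegations_by_address(text):
    """Return {glue IP: sorted list of domains delegated to a server at that IP}."""
    ns_by_domain = defaultdict(set)   # delegated domain -> nameserver names
    addr_by_ns = defaultdict(set)     # nameserver name -> glue addresses
    for owner, rtype, rdata in parse_zone(text):
        if rtype == "NS":
            ns_by_domain[owner].add(rdata)
        else:
            addr_by_ns[owner].add(rdata)
    by_ip = defaultdict(set)
    for domain, names in ns_by_domain.items():
        for ns in names:
            # Nameservers without glue here (named under another TLD) are
            # simply absent: this is the gap Bennett describes.
            for ip in addr_by_ns.get(ns, ()):
                by_ip[ip].add(domain)
    return {ip: sorted(domains) for ip, domains in by_ip.items()}


def domains_served_by(text, ip):
    """Domains in this zone whose delegation points, via glue, at the given IP."""
    return delegations_by_address(text).get(ip, [])


if __name__ == "__main__":
    for ip in ("192.0.2.53", "192.0.2.54", "203.0.113.1"):
        print(ip, domains_served_by(SAMPLE_ZONE, ip))
```

Against a real .com zone file the same two passes work, but the file is large enough that you would stream it rather than read it into a string; the parsing per line is unchanged.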
Re: [Full-Disclosure] Question for DNS pros
named exploits are useful for finding out what's inside a named.conf even in chroot jails.

- 2 cents

--- Paul Schmehl [EMAIL PROTECTED] wrote:

> [Paul Schmehl's question, quoted in full; see above]
Re: [Full-Disclosure] Question for DNS pros
VX Dude wrote:

> named exploits are useful for finding out what's inside a named.conf even in chroot jails.
>
> - 2 cents
>
> --- Paul Schmehl [EMAIL PROTECTED] wrote:
>
>> [Paul Schmehl's question, quoted in full; see above]

hm... you could also try reverse lookups for all existing IP addresses in the world :)
Re: [Full-Disclosure] Worm_RBOT.EI
see what happens when you leave systems unpatched and with open insecure windows ports to the internet;

Description:
This worm spreads via network shares, and takes advantage of the following Windows vulnerabilities to propagate across networks:
  * Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
  * LSASS Vulnerability

Thanks,

Ron DuFresne

On Fri, 23 Jul 2004, Matt Carlson wrote:

> [Matt Carlson's message, quoted in full; see above]

~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
Re: [Full-Disclosure] Question for DNS pros
--On Friday, July 23, 2004 09:50:44 PM +0200 [EMAIL PROTECTED] wrote:

> hm... you could also try reverse lookups for all existing IP addresses in the world :)

Well, no, because that wouldn't solve the problem. A host on our network is being queried quite regularly on udp/53 by other hosts. A review of the packets reveals that these other hosts believe that our host is a DNS server. (AAMOF the IP address isn't even in use at the present time.) Now, if you do a reverse lookup for that IP, *our* DNS servers, which are authoritative for our network, will tell you what the hostname is. But that isn't what I want to know. Obviously, a simple dig -x IP will tell me that.

What I want to know is *why* do these foreign hosts think an IP on my network is serving DNS when there's not even a host at that address. I can think of two possibilities:

1) At some time in the past, a host *was* serving DNS at that address and some foreign hosts have cached the address.
2) Someone somewhere has registered a domain and used our IP address for one of their nameservers in the registration.

(If anyone can think of other explanations, please let me know.)

Now how is a reverse lookup going to help you with that? It would be trivial to write a perl script that did reverse lookups for every IP on the Internet and wrote the responses to a comma delimited file, but the resulting file would be useless to solve the problem that I'm trying to solve.

And for those who were thinking "just do a tcpdump", here's what *that* looks like - no domain info there:

17:01:44.646943 x.x.x.x.17388 > xx.utdallas.edu.domain: 48072 NS? . (17)
17:01:45.386919 x.x.x.x.17388 > xx.utdallas.edu.domain: 48073 NS? . (17)
17:01:46.153402 x.x.x.x.17388 > xx.utdallas.edu.domain: 48074 NS? . (17)
17:01:47.657898 x.x.x.x.17388 > xx.utdallas.edu.domain: 1084 PTR? 63.37.110.129.in-addr.arpa. (44)
17:01:48.399150 x.x.x.x.17388 > xx.utdallas.edu.domain: 1085 PTR? 63.37.110.129.in-addr.arpa. (44)
17:01:49.144398 x.x.x.x.17388 > xx.utdallas.edu.domain: 1086 PTR? 63.37.110.129.in-addr.arpa. (44)

The best suggestion yet has been to set up a name server at that address with verbose logging. That's probably what I will do next week.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
[Full-Disclosure] iDEFENSE VCP Party 2004
To celebrate the success and two-year anniversary of iDEFENSE's Vulnerability Contributor Program (VCP), we will again be hosting a VCP party on Friday, July 30th, 2004, at the Hard Rock Hotel Casino in Las Vegas, Nevada:

  http://www.hardrockhotel.com

The party will begin at the Sports Deluxe Bar on the ground floor of the hotel with an open bar from 7pm to 9pm:

  http://www.hardrockhotel.com/party_drink_sportsdeluxe.php

The party continues from 9pm until midnight in our executive suite for extended drinking, food and debauchery. If you are interested in attending please RSVP as soon as possible, letting us know how many will be in your party.

For those of you attending the conferences, two of our researchers, Richard Johnson and Peter Silberman, will be presenting their analysis of various buffer overflow prevention software at both Black Hat and Defcon:

  Black Hat: Thursday, July 29th 3:15 in Zero Day Defense
  Defcon:    Friday, July 30th 1:00 in Apollo

We are proud to announce the start of three separate award programs:

  - VCP Retention Program
  - VCP Incentive Program
  - VCP Referral Program

The purpose of which is to incentivize and reward both current and future contributors. The details of these programs are attached.

The iDEFENSE Labs Staff

--[ iDEFENSE VCP RETENTION PROGRAM ]--

In an effort to reward long term VCP contributors, iDEFENSE is launching a VCP Retention Program. This program will provide additional incentives to top contributors above and beyond the base compensation received for their submissions.

Details:

At the end of each quarter, the top five contributors over the past year will share a US $15,000 bonus pool. The bonus pool will be divided among the top five contributors as such:

  1 - $5,000
  2 - $4,000
  3 - $3,000
  4 - $2,000
  5 - $1,000

The top five contributors are determined by iDEFENSE based on their total payout* over the past year. The first payout will cover the period from July 1st, 2004 through June 30th, 2005. Eligible submissions must be received no later than 12am EST on June 30th 2005. The following table outlines the first six pay periods and payout date.

  Time Start          Time End              Payment Date**
  July 1st 2004       June 30th 2005        August 1st 2005
  October 1st 2004    September 30th 2005   November 1st 2005
  January 1st 2005    December 31st 2005    February 1st 2006
  April 1st 2005      March 31st 2006       May 1st 2006
  July 1st 2005       June 30th 2006        August 1st 2006
  October 1st 2005    September 30th 2006   November 1st 2006

 * Total payout includes payments per submission and referral rewards but does not include rewards received through the retention or incentive programs.
** Payment date is an approximate date.

--[ iDEFENSE VCP INCENTIVE PROGRAM ]--

In an effort to reward new VCP contributors, iDEFENSE is launching a VCP Incentive Program. This program will provide additional incentives to top contributors above and beyond the base compensation received for their submissions.

Details:

At the end of each quarter, the top three contributors over the past quarter will share a US $6,000 bonus pool. The bonus pool will be divided among the top three contributors as such:

  1 - $3,000
  2 - $2,000
  3 - $1,000

The top three contributors are determined by iDEFENSE based on their total payout* over the past quarter. The first payout will cover the shortened period from August 1st, 2004 to September 30th, 2004. Eligible submissions must be received no later than 12am EST on September 30th 2004. The following table outlines the first six pay periods and the payout date.

  Time Start          Time End              Payment Date**
  August 1st 2004     September 30th 2004   November 1st 2004
  October 1st 2004    December 31st 2004    February 1st 2005
  January 1st 2005    March 31st 2005       May 1st 2005
  April 1st 2005      June 30th 2005        August 1st 2005
  July 1st 2005       September 30th 2005   November 1st 2005
  October 1st 2005    December 31st 2005    February 1st 2006

 * Total payout includes payments per submission and referral rewards but does not include rewards received through the retention or incentive programs.
** Payment date is an approximate date.

--[ iDEFENSE VCP REFERRAL PROGRAM ]--

In
Re: [Full-Disclosure] Question for DNS pros
If you find the 8443 tcp port is open, try to ask the PTR record for its own public IP. Plesk is fun. Just visit http://www.sw-soft.com/en/partners/current/ and look for your nearest ip range 0=]

Roberto a.k.a. Logan

"Everything you like is bad for you" -- Murphy's Food Laws n°1
---
Roberto Navarro [EMAIL PROTECTED]
Registered Linux User #212565
LPIC2 Certified
My PGP public key on: ldap://europe.keys.pgp.com:11370/
---
RE: [Full-Disclosure] Crash IE with 11 bytes ;)
Stephen,

I believe that is something new right there. So the style;@/* partially DoSes Mozilla too? Were you able to reproduce the situation, or did it just happen once? As far as I know, it doesn't have any effect on Firefox on XP SP2 though. I wonder if anyone here experiences the same thing with Mozilla?

Phuong

At 02:50 AM 7/24/2004, Stephen Taylor wrote:

> I don't understand the effect it has on Mozilla. It certainly crashed my IE, but for Mozilla, the URL window displayed a diamond shape with a red X through it. Mozilla was unresponsive afterwards. I had to close the window to recover. I am a W2K user at work.
>
> ST
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phuong Nguyen
> Sent: Friday, July 23, 2004 1:49 PM
> To: Marcel Krause
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Crash IE with 11 bytes ;)
>
>> [Phuong Nguyen's reply to Marcel Krause, quoted in full; see above]
[Full-Disclosure] Re: Comcast(tm) Email Manager allows arbitrary java and activex code execution
Hi Michael, do ya mean Java (comes in class/jar files) or Javascript (simple text) ? If Java, which I doubt, how does it execute ? Which version (JPI/MSJVM?), please provide stackdumps ... Marc On Thu, 22 Jul 2004, Michael Scheidell wrote: Date: Thu, 22 Jul 2004 11:36:07 -0400 From: Michael Scheidell [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Comcast(tm) Email Manager allows arbitrary java and activex code execution Vulnerability in Comcast Webmail Manager allows arbitrary java and activex code execution Systems: Comcast Webmail email system. www.comcast.net Vulnerable: X-Mailer: ATT Message Center Version 1 (Mar 22 2004) Not Vulnerable: Unknown Severity: Serious / Low (Fixed now) Category: Arbitrary Execution of Code of Hackers Choice Classification: Input Validation Error BugTraq-ID: TBA CVE-Number: TBA Remote Exploit: yes Local Exploit: no Vendor URL: www.comcast.net Author: Michael S. Scheidell, SECNAP Network Security Original Release date: April 7, 2004 Notifications: Comcast notified April 7, 2004 Public Release date: July 22, 2004 Discussion: from www.comcast.com High-Speed Internet. This is the fastest way to travel the Web! It's cable-powered, so it's always connected and you won't tie up your phone lines. It's a faster, more powerful and more convenient Internet experience. Note: This is not so much a warning to Comcast or their users, since Comcast has fixed this problem, but more of a warning to every developer or CSIO to make sure that web based email, blogs, information, memos must check their code to make sure it is safe. 
See additional notifications of similar problems with GoldMine(tm) http://www.secnap.com/security/gm001.html, and sprintmail picture mail at http://www.secnap.com/security/030711.html Problem: There was a potential for hackers to use this vulnerability to specially craft emails that will run random code of their choice on users' computers - including remote Trojans, irc zombies, spyware, malware, and remote key loggers. This program would run inside the corporate network, behind the firewall and access anything the infected user has access to. The Comcast Webmail did not run the html email in the 'security zone' as does Microsoft(tm) Outlook, but passed anything that looks like HTML to be executed unrestricted directly to the default Browser (usually IE). Linux/or Unix users with Netscape may have the javascript, page redirection and popup email run, however, the activeX component will not run. Comcast users have the option of using Comcast Webmail or Outlook Express. Because of the inability to disable html/java/or active-x in Comcast Webmail, those using Webmail had an increased chance of their computers' becoming infected in the event of a potential hacker either a) referencing active-x controls or b) including javascript within an HTML e-mail message. The above has been tested on a Windows(tm) 2000 system with service pack 4, all Internet Explorer patches and default (factory) Internet zone security settings. Also tested were two Windows XP(tm) systems with service pack 1 and all patches as well as Netscape 7.1 on Linux. The security community first became aware of the potential for this kind of threat about two years ago. Software companies that produce Web-based email, blog or input system must check for arbitrary java and html code. Note: the original Web Mail system was written by ATT and was inherited by Comcast during their purchase of ATT's broadband business. 
Exploit: No exploit is necessary, as there are already examples in viruses and trojans that were designed to attack Microsoft Outlook and Outlook Express. Microsoft fixed these by patching both readers and allowing the user to set the security zone for reading HTML email in the 'insecure' settings. To see an exhaustive list of what can happen when email is passed to IE, see http://www.guninski.com/browsers.html

Vendor Response: April 7, 2004. A Comcast representative called our office immediately. Comcast worked quickly on fixing this bug and rolling it out to their servers, with a solution in place by April 13, 2004. Release of this notification was held back waiting for Comcast to decide how and when to self-release.

Solution: Comcast is now filtering out various forms of scripting.

Credit: Michael Scheidell, SECNAP Network Security, www.secnap.com

The original problem with IE, Microsoft Outlook and Outlook Express was found by Georgi Guninski and involved insecure default reading of malformed HTML in Outlook and OE and insecure running of HTML (see http://www.guninski.com/browsers.html). And thanks to Johannes B. Ullrich, CTO SANS Internet Storm Center, for assistance.

Original copy of this report can be found here
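The advisory's point is that the webmail front end handed untrusted HTML straight to the browser, and that the fix was to filter scripting before rendering. The following is an added example of what such a filter looks like; it is not Comcast's, ATT's or SECNAP's code, and the tag and attribute allowlists, the `safe_url` scheme check and the sample message are this example's own choices. It takes the allowlist approach (keep only known-harmless markup) rather than trying to blacklist `<script>`, because the things the advisory lists (ActiveX via `<object classid>`, `javascript:` URLs, `onerror` handlers, `<meta refresh>` redirection, IE conditional comments) arrive through several different syntactic channels and a blacklist always misses one.

```python
"""Allowlist-based HTML sanitizer for rendering untrusted mail in a browser.

Added example, not code from the advisory or from Comcast. The tag and
attribute allowlists are this example's own choices.
"""
import re
from html import escape
from html.parser import HTMLParser

# Presentation tags a mail reader needs; everything else is stripped.
ALLOWED_TAGS = {"a", "b", "i", "u", "em", "strong", "p", "br", "div", "span",
                "ul", "ol", "li", "blockquote", "table", "tr", "td", "th",
                "img", "font", "h1", "h2", "h3", "pre", "hr"}
# No on* handlers, no style, no classid: an attribute not listed is dropped.
ALLOWED_ATTRS = {"href", "src", "alt", "title", "width", "height", "align",
                 "color", "size", "face"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", "cid"}
VOID_TAGS = {"br", "img", "hr"}
# Active content: the element and everything inside it is discarded.
DROP_SUBTREE_TAGS = {"script", "style", "object", "applet", "iframe", "noscript"}


def safe_url(value):
    """Reject javascript:, vbscript:, data: and any other unlisted scheme.
    Control characters and whitespace are removed first because browsers
    ignore them inside a scheme ("java\\nscript:" still executes)."""
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    if cleaned.startswith("//"):
        return False                      # protocol-relative: page picks scheme
    m = re.match(r"([a-zA-Z][a-zA-Z0-9+.\-]*):", cleaned)
    if m is None:
        return True                       # no scheme at all: relative URL
    return m.group(1).lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output fragments
        self.open_tags = []    # allowed elements currently open, for closing
        self.drop_stack = []   # DROP_SUBTREE_TAGS currently open; drop all content

    def handle_starttag(self, tag, attrs):
        if self.drop_stack:
            if tag in DROP_SUBTREE_TAGS:
                self.drop_stack.append(tag)
            return
        if tag in DROP_SUBTREE_TAGS:
            self.drop_stack.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            return                        # e.g. <meta>, <embed>, <form>: tag dropped, text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS:
                continue                  # drops onmouseover, onerror, style, classid, ...
            if name in URL_ATTRS and not safe_url(value or ""):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.drop_stack:
            if tag in self.drop_stack:
                while self.drop_stack.pop() != tag:
                    pass
            return
        if tag in self.open_tags:
            # Close anything left open inside it so the output stays well-formed.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.drop_stack:
            self.out.append(escape(data, quote=False))

    # Comments (including IE conditional comments that carry <script>),
    # doctype/declarations and processing instructions are all discarded.
    def handle_comment(self, data): pass
    def handle_decl(self, decl): pass
    def unknown_decl(self, data): pass
    def handle_pi(self, data): pass


def sanitize(untrusted_html):
    """Return HTML safe to hand to the browser: allowed markup only."""
    p = Sanitizer()
    p.feed(untrusted_html)
    p.close()
    while p.open_tags:                    # close tags the message left open
        p.out.append(f"</{p.open_tags.pop()}>")
    return "".join(p.out)


# Constructed sample message exercising the vectors the advisory names.
MALICIOUS_MAIL = (
    '<p onmouseover="alert(1)">Hi <b>there</b></p>'
    '<script>window.open("http://evil.example/")</script>'
    '<object classid="clsid:00000000-0000-0000-0000-000000000000">'
    '<param name="x" value="y"></object>'
    '<meta http-equiv="refresh" content="0;url=http://evil.example/">'
    '<img src="javascript:alert(2)" onerror="alert(3)" alt="pic">'
    '<a href="java\nscript:alert(4)">click</a>'
    '<a href="https://example.com/">ok</a>'
    '<!--[if IE]><script>alert(5)</script><![endif]-->'
)

if __name__ == "__main__":
    print(sanitize(MALICIOUS_MAIL))
```

Running this on the constructed message leaves `<p>Hi <b>there</b></p><img alt="pic"><a>click</a><a href="https://example.com/">ok</a>`: the popup script, the ActiveX object, the meta refresh redirection, both event handlers, both `javascript:` URLs and the conditional comment are gone, while the legitimate link survives. Note that this is still only the rendering side; a real deployment would also serve the sanitized body from its own origin so that whatever slips past the filter cannot read the webmail session.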
Re: [Full-Disclosure] Question for DNS pros
Paul Schmehl [EMAIL PROTECTED] writes:

> What I want to know is *why* do these foreign hosts think an IP on my network is serving DNS when there's not even a host at that address. I can think of two possibilities:
> 1) At some time in the past, a host *was* serving DNS at that address and some foreign hosts have cached the address.
> 2) Someone somewhere has registered a domain and used our IP address for one of their nameservers in the registration.
> (If anyone can think of other explanations, please let me know.)

Some bogus resolver, or forwarder, setup.

> Now how is a reverse lookup going to help you with that? It won't.
> The best suggestion yet has been to set up a name server at that address with verbose logging. That's probably what I will do next week.

Yes, just put no zone at all and log queries. After a while, you should be able to figure out why you receive these queries.

Cheers.

___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Question for DNS pros
> I can think of two possibilities:
> 1) At some time in the past, a host *was* serving DNS at that address and some foreign hosts have cached the address.

i think your ISP should have this info

> 2) Someone somewhere has registered a domain and used our IP address for one of their nameservers in the registration.

then his domain is toast anyway as there is no DNS server, so effectively his domain is offline; this will be corrected soon if this is the case.

> (If anyone can think of other explanations, please let me know.)
> The best suggestion yet has been to set up a name server at that address with verbose logging. That's probably what I will do next week.

1. just block off port 53/udp for that address at the firewall
2. run a DNS server that replies to all the queries with localhost or 127.0.0.1 after you have found what is causing this
3. set the refresh time, TTL and other values to -1

this should solve most of the problems as the clients would simply stop querying

-aditya
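Both replies above converge on the same step: put something on port 53 at that address that answers nothing useful but logs who is asking and what for. The following is an added example of that listener, written for this thread and not code from either poster. It decodes the DNS header and question section (including name compression, with a loop guard), formats a log line with the source address, QNAME, QTYPE and the RD flag, and answers REFUSED with no records, which is what a server with no zones and recursion disabled would do. The sample packet is constructed with the block's own `build_query` helper; the `serve()` function and the `#port` log format are this example's choices.

```python
"""Minimal DNS query logger for a "no zones, just log" listener.

Added example for the thread above, not code from either poster.
"""
import struct

QTYPES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT",
          28: "AAAA", 33: "SRV", 255: "ANY"}
RCODE_REFUSED = 5


def read_name(packet, offset):
    """Decode a domain name at offset, following RFC 1035 compression
    pointers. Returns (name, offset just after the name in the packet)."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(packet):
            raise ValueError("truncated name")
        length = packet[offset]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if end is None:
                end = offset + 2                     # name ends after the pointer
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                            # malicious pointer loop
                raise ValueError("compression loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels) or ".", end if end is not None else offset


def parse_query(packet):
    """Return the header id, flags of interest and the single question."""
    if len(packet) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        raise ValueError("not a query (QR bit set)")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = read_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"id": txid, "qname": qname, "qtype": qtype, "qclass": qclass,
            "rd": bool(flags & 0x0100), "question_end": off + 4}


def refused_response(packet):
    """Echo the question back with QR=1, RD copied, RCODE=REFUSED, no records."""
    q = parse_query(packet)
    flags = 0x8000 | (0x0100 if q["rd"] else 0) | RCODE_REFUSED
    header = struct.pack("!HHHHHH", q["id"], flags, 1, 0, 0, 0)
    return header + packet[12:q["question_end"]]


def log_line(src_ip, src_port, packet):
    """One verbose-log line per query: who asked, for what, and whether they
    asked for recursion (RD=1 means a stub or forwarder, not a resolver
    chasing a delegation)."""
    q = parse_query(packet)
    qtype = QTYPES.get(q["qtype"], str(q["qtype"]))
    return f"query from {src_ip}#{src_port}: {q['qname']} {qtype} rd={int(q['rd'])}"


def build_query(txid, name, qtype=1):
    """Build a standard recursive query; used here to construct sample input."""
    out = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + struct.pack("!HH", qtype, 1)


# Constructed sample: a recursive A query for www.example.com.
SAMPLE_QUERY = build_query(0xBEEF, "www.example.com", 1)


def serve(bind_addr="0.0.0.0", port=53):
    """Listen on UDP/53, log every query and answer REFUSED (needs root)."""
    import socket
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (ip, sport) = sock.recvfrom(512)
        try:
            print(log_line(ip, sport, data), flush=True)
            sock.sendto(refused_response(data), (ip, sport))
        except ValueError as exc:
            print(f"unparseable packet from {ip}#{sport}: {exc}", flush=True)


if __name__ == "__main__":
    print(log_line("192.0.2.10", 4242, SAMPLE_QUERY))
```

The RD flag in the log line is the quickest way to tell Paul's two hypotheses apart: hosts that were configured (or cached) to use the address as their resolver send RD=1, whereas a recursive server that was told by a delegation that this address is authoritative for someone's zone will typically query with RD=0, and the QNAMEs will all sit under that one domain.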