Re: [Full-Disclosure] Vulnerability in sourceforge.net

2004-07-23 Thread a
 Does OpenBSD do that?

Yes, by default OpenBSD does not even start the httpd, so it is more secure.
-aditya 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] SUSE Security Announcement: samba (SUSE-SA:2004:022)

2004-07-23 Thread Thomas Biege


__

SUSE Security Announcement

Package:samba
Announcement-ID:SUSE-SA:2004:022
Date:   Friday, Jul 23rd 2004 12:30 MEST
Affected products:  8.1, 8.2, 9.0, 9.1
SUSE Linux Database Server,
SUSE eMail Server III, 3.1
SUSE Linux Enterprise Server 7, 8
SUSE Linux Firewall on CD/Admin host
SUSE Linux Connectivity Server
SUSE Linux Office Server
Vulnerability Type: remote root compromise
Severity (1-10):7
SUSE default package:   no
Cross References:   CAN-2004-0600
CAN-2004-0686

Content of this advisory:
1) security vulnerability resolved:
- buffer overflow in base64 code
- buffer overflow in mangling method hash code
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
- cadaver
- kopete
- wv
- gnats
- OpenOffice_org
- mod_ssl
- lha
3) standard appendix (further information)

__

1)  problem description, brief discussion, solution, upgrade information

The Samba Web Administration Tool (SWAT) was found vulnerable to
a buffer overflow in its base64 code. This buffer overflow can possibly
be exploited remotely, before any authentication has taken place, to
execute arbitrary code.
The same piece of vulnerable code is also used in the ldapsam passdb
backend and in the ntlm_auth tool.
This vulnerability only exists in Samba 3.0.2 to 3.0.4.

Another buffer overflow was found in Samba 3.0.0 and later, as well as
in Samba 2.2.x. This overflow exists in the hash code of the mangling
method (smb.conf: mangling method = hash); the default, hash2, is not
vulnerable.

There is no temporary workaround known. The first proof-of-concept
exploits were seen on public mailing lists.

After the installation was successfully completed please restart the
samba daemon.
/usr/sbin/rcsmb restart

SWAT is called by inetd/xinetd. Therefore it is sufficient to kill all
running instances of SWAT only.

Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command rpm -Fhv file.rpm to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.

Note that SLES8 packages will be delivered with a short delay.


x86 Platform:

SUSE Linux 9.1:
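As an added example (not SUSE's or the Samba project's code), the following Python checks one host against the two conditions the advisory gives: the upstream version range for the base64 overflow, and the `mangling method = hash` setting for the mangling overflow. The version banner and the smb.conf text are constructed samples.

```python
"""Check a Samba host against the two conditions in SUSE-SA:2004:022.

Added example, not SUSE's or the Samba project's code.  The version
banner and the smb.conf text below are constructed samples.

  CAN-2004-0600: base64 overflow (SWAT, ldapsam, ntlm_auth), Samba 3.0.2-3.0.4
  CAN-2004-0686: mangling hash overflow, Samba 2.2.x and 3.0.0 or later,
                 only when smb.conf sets "mangling method = hash"
                 (the default, hash2, is not affected)
"""
import re

# Constructed sample: what `smbd -V` prints on the host being checked.
SAMPLE_VERSION = "Version 3.0.4"

# Constructed sample smb.conf carrying the weak setting.
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   ; legacy 8.3 name mangling kept for an old DOS client
   mangling method = hash
   server string = file server

[share]
   path = /srv/share
"""


def parse_version(text):
    """Return (major, minor, patch) from strings such as 'Version 3.0.4' or '2.2.8a'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(p) for p in m.groups())


def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}.

    Samba ignores case and whitespace in parameter names, so the key is
    normalised: 'Mangling Method' and 'manglingmethod' are the same.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # parameter outside any section
        key, value = line.split("=", 1)
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def base64_overflow_affected(version):
    """CAN-2004-0600 exists only in Samba 3.0.2 through 3.0.4."""
    return (3, 0, 2) <= version <= (3, 0, 4)


def mangling_overflow_affected(version, conf):
    """CAN-2004-0686: 2.2.x or 3.0.0+, and only with 'mangling method = hash'."""
    in_range = version[:2] == (2, 2) or version >= (3, 0, 0)
    # hash2 is Samba's default when the parameter is absent, per the advisory.
    method = conf.get("global", {}).get("manglingmethod", "hash2")
    return in_range and method.lower() == "hash"


def assess(version_text, smb_conf_text):
    """Return the findings for one host as a dict.

    Caveat: vendor updates keep the upstream version number (the fixed SUSE
    package is still samba-3.0.4), so a True result means "verify the
    package release", not "definitely vulnerable".
    """
    version = parse_version(version_text)
    conf = parse_smb_conf(smb_conf_text)
    return {
        "version": version,
        "CAN-2004-0600_base64": base64_overflow_affected(version),
        "CAN-2004-0686_mangling": mangling_overflow_affected(version, conf),
    }


if __name__ == "__main__":
    for name, value in assess(SAMPLE_VERSION, SAMPLE_SMB_CONF).items():
        print("%-24s %s" % (name, value))
```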


RE: [Full-Disclosure] Affordable Network Behavior Analysis alternatives

2004-07-23 Thread Heather M. Guse Bryan
Unfortunately they closed the beta program.

Too bad, I was interested in it.

-Original Message-
From: Steven Rakick [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 12:48 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Affordable Network Behavior Analysis
alternatives


Jeff,

You may want to take a look at the nSight behavior
analysis product from Intrusense
(http://www.intrusense.com). 

We were actually in a similar bind a while back and
came across their beta program. We've been using it
ever since and will be buying it as soon as their
release version comes out. 

It has both standalone and distributed installation
types and is dead simple to install and configure.
Overall it has less functionality than QRadar but it
made up for that in cost. While we haven't
*officially* purchased it yet, we were quoted under
$10,000 for the distributed version with support for 3
collector agents.

Still too much? You may also want to take a look at
Snort and Ntop then.

Feel free to email me if you want more details.


Steve


---
Thu, 22 Jul 2004 13:33:15 -0400
Jeff Gillian  [EMAIL PROTECTED] wrote:

Hi list,

Since it appears the SecurityFocus Sectools and IDS
lists are dead, I
thought I'd repost this here.

I recently saw a posting on FocusIDS regarding the
high cost of the
most commercial solutions. The one mentioned was the
QRadar product
from Q1Labs. Don't get me wrong, we have a budget, we
just don't have
a Fortune 500 budget. :)

My question is simple, are there any other commercial
out-of-the-box
alternatives to QRadar? Something that isn't going to
cost me $40,000
to deploy?

Any input would be appreciated.

Regards,

Jeff G.








[Full-Disclosure] Progress and Challenges

2004-07-23 Thread John Dowling
Due to the lag time in posts appearing to the list,
this may have already been mentioned, and if so, I
apologize. Also, if you could care less what this
report has to say, I apologize as well.

Dept of Homeland Security has released an audit of
security within the dept. In his report 'Progress and
Challenges in Securing the Nation’s Cyberspace', the
department's inspector general Clark Kent Ervin points
to the human factor as the weak plate of armor.

(pdf)
http://www.dhs.gov/interweb/assetlibrary/OIG_CyberspaceRpt_Jul04.pdf

Some may find this interesting.

/jd





[Full-Disclosure] Crash IE with 11 bytes ;)

2004-07-23 Thread Phuong Nguyen
Hey,
I thought you guys might want to know that it only takes 11 bytes to crash 
IE 5.x , 6.x SP1. CSS memory corruption vulnerability. All you need to do 
is style;@/* ;) simple as that. More details@ 
http://www.ecqurity.com/adv/IEstyle.html

Phuong


[Full-Disclosure] Question for DNS pros

2004-07-23 Thread Paul Schmehl
Can this be done?
Conditions:
1) You know an IP address that is running a DNS server.  (IOW, it responds 
to digs.)
2) You do not know the hostname or domain of the host.
3) The DNS server does not allow zone transfers.

You want to find out *all* the domains that that DNS server is 
authoritative for.  (Essentially you're trying to find out what's in the 
named.conf file rather than zone file info.)

Has anyone written a tool that can do this?  I thought about the 
possibility of parsing all the registration sites for the Primary and 
Backup NS, but that would take forever.  I imagine you could write a perl 
script that would access the web interfaces, do the queries and return the 
results, but it would run for days...

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


[Full-Disclosure] Enumerating a DNS servers authoritative zones (was Question for DNS pros)

2004-07-23 Thread Bennett Todd
[ enumerate domains for which a nameserver publishes authoritative
  data ]

Even if the nameserver _did_ allow zone transfers, you _still_
couldn't enumerate its zones.

Even if you parsed all registration sites you'd still be nowhere
near there. Any subdomain at any depth can be delegated, by any
nameserver. And a server can offer authoritative data even if nobody
delegates it at 'em, this is sometimes a very useful technique, e.g.
declaring SOA for a classfully-aligned superset of your real
classless delegation in in-addr.arpa. And one of the more popular
top-level zones, .com, is jealously guarded as a secret by the lucky
bastards who stole it from the public domain, to prevent other folks
from stepping in and doing a more responsible job of managing
registry for the domain.

The place where this question rises routinely is in DNS server sets.
It's quite common within organizations to want to maintain sets of
domains across some collection of more or less independent
nameservers. DNS has a protocol within it, zone transfer, for
replicating the contents of a zone; not the best-designed protocol,
but occasionally useful. But as it has no mechanism for enumerating
the zones that would need to be transferred, some out-of-band
mechanism needs to be used to maintain the zone list; and once
that's in place, many folks note that using common off-the-shelf
components for replication works better than zone xfer even for the
zone data.

The one place zone xfer is handy is as a rendezvous point;
nameservers with different native zone data formats can share zone
xfer as a way to convert zones from one format to another.

-Bennett




Re: [Full-Disclosure] Crash IE with 11 bytes ;)

2004-07-23 Thread Phuong Nguyen
Oh, I actually didn't know about that! Coolio ;) !!
Phuong
At 12:47 AM 7/24/2004, Marcel Krause wrote:
Hi!
There is a similar Bug using about:input%20type%20crash .
Well i think that's old news to you :)
Yours, Marcel



[Full-Disclosure] Re: Enumerating a DNS servers authoritative zones (was Question for DNS pros)

2004-07-23 Thread Paul Schmehl
I'll take that as a No.  :-)
Thanks for the info, Todd.
--On Friday, July 23, 2004 06:01:42 PM + Bennett Todd [EMAIL PROTECTED] 
wrote:

[ enumerate domains for which a nameserver publishes authoritative
  data ]
Even if the nameserver _did_ allow zone transfers, you _still_
couldn't enumerate its zones.
Even if you parsed all registration sites you'd still be nowhere
near there. Any subdomain at any depth can be delegated, by any
nameserver. And a server can offer authoritative data even if nobody
delegates it at 'em, this is sometimes a very useful technique, e.g.
declaring SOA for a classfully-aligned superset of your real
classless delegation in in-addr.arpa. And one of the more popular
top-level zones, .com, is jealously guarded as a secret by the lucky
bastards who stole it from the public domain, to prevent other folks
from stepping in and doing a more responsible job of managing
registry for the domain.
The place where this question rises routinely is in DNS server sets.
It's quite common within organizations to want to maintain sets of
domains across some collection of more or less independent
nameservers. DNS has a protocol within it, zone transfer, for
replicating the contents of a zone; not the best-designed protocol,
but occasionally useful. But as it has no mechanism for enumerating
the zones that would need to be transferred, some out-of-band
mechanism needs to be used to maintain the zone list; and once
that's in place, many folks note that using common off-the-shelf
components for replication works better than zone xfer even for the
zone data.
The one place zone xfer is handy is as a rendezvous point;
nameservers with different native zone data formats can share zone
xfer as a way to convert zones from one format to another.
-Bennett

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


RE: [Full-Disclosure] Crash IE with 11 bytes ;)

2004-07-23 Thread Schmidt, Michael R.
Just to be a bugger I personally hit the page about 40 times and told IE to send the 
error report.

How long till you think they fix this one?

Michael R. Schmidt


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Phuong Nguyen
Sent: Friday, July 23, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Crash IE with 11 bytes ;)

Hey,

I thought you guys might want to know that it only takes 11 bytes to crash
IE 5.x , 6.x SP1. CSS memory corruption vulnerability. All you need to do
is style;@/* ;) simple as that. More details@
http://www.ecqurity.com/adv/IEstyle.html

Phuong




RE: [Full-Disclosure] Crash IE with 11 bytes ;)

2004-07-23 Thread Phuong Nguyen
Well I guess that we all have to wait and find out :). But honestly, I 
don't even think MS would take this seriously. I just think this bug is 
cool in which it takes only 11 bytes to crash a ~25 megabytes program :P hehe.

Phuong
At 01:31 AM 7/24/2004, Schmidt, Michael R. wrote:
Just to be a bugger I personally hit the page about 40 times and told IE 
to send the error report.

How long till you think they fix this one?
Michael R. Schmidt
-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] Behalf Of Phuong Nguyen
Sent: Friday, July 23, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Crash IE with 11 bytes ;)

Hey,
I thought you guys might want to know that it only takes 11 bytes to crash
IE 5.x , 6.x SP1. CSS memory corruption vulnerability. All you need to do
is style;@/* ;) simple as that. More details@
http://www.ecqurity.com/adv/IEstyle.html
Phuong


[Full-Disclosure] Worm_RBOT.EI

2004-07-23 Thread Matt Carlson
Has anyone else seen any infections of this?

So far 13 servers, and 200 workstations here; luckily we closed down a lot
of it before it became too big.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.EI


Matt



Re: [Full-Disclosure] Question for DNS pros

2004-07-23 Thread Dennis Opacki

Paul,

Public-facing .Com and .Net zone authority could be derived in-part from
the appropriate TLD zone files:

http://www.verisign.com/nds/naming/tld/

The .Org TLD zone file is available through PIR:

http://www.pir.org/registrars/zone_file_access

As Bennett described, though, this won't necessarily provide a complete
picture.

-Dennis

On Fri, 23 Jul 2004, Paul Schmehl wrote:

 Can this be done?

 Conditions:
 1) You know an IP address that is running a DNS server.  (IOW, it responds
 to digs.)
 2) You do not know the hostname or domain of the host.
 3) The DNS server does not allow zone transfers.

 You want to find out *all* the domains that that DNS server is
 authoritative for.  (Essentially you're trying to find out what's in the
 named.conf file rather than zone file info.)

 Has anyone written a tool that can do this?  I thought about the
 possibility of parsing all the registration sites for the Primary and
 Backup NS, but that would take forever.  I imagine you could write a perl
 script that would access the web interfaces, do the queries and return the
 results, but it would run for days...

 Paul Schmehl ([EMAIL PROTECTED])
 Adjunct Information Security Officer
 The University of Texas at Dallas
 AVIEN Founding Member
 http://www.utdallas.edu/ir/security/



Re: [Full-Disclosure] Question for DNS pros

2004-07-23 Thread VX Dude
named exploits are useful for finding out what's
inside a named.conf even in chroot jails.

- 2 cents

--- Paul Schmehl [EMAIL PROTECTED] wrote:
 Can this be done?
 
 Conditions:
 1) You know an IP address that is running a DNS
 server.  (IOW, it responds 
 to digs.)
 2) You do not know the hostname or domain of the
 host.
 3) The DNS server does not allow zone transfers.
 
 You want to find out *all* the domains that that DNS
 server is 
 authoritative for.  (Essentially you're trying to
 find out what's in the 
 named.conf file rather than zone file info.)
 
 Has anyone written a tool that can do this?  I
 thought about the 
 possibility of parsing all the registration sites
 for the Primary and 
 Backup NS, but that would take forever.  I imagine
 you could write a perl 
 script that would access the web interfaces, do the
 queries and return the 
 results, but it would run for days...
 
 Paul Schmehl ([EMAIL PROTECTED])
 Adjunct Information Security Officer
 The University of Texas at Dallas
 AVIEN Founding Member
 http://www.utdallas.edu/ir/security/
 


Re: [Full-Disclosure] Question for DNS pros

2004-07-23 Thread [EMAIL PROTECTED]
VX Dude wrote:
named exploits are useful for finding out what's
inside a named.conf even in chroot jails.
- 2 cents
--- Paul Schmehl [EMAIL PROTECTED] wrote:
 

Can this be done?
Conditions:
1) You know an IP address that is running a DNS
server.  (IOW, it responds 
to digs.)
2) You do not know the hostname or domain of the
host.
3) The DNS server does not allow zone transfers.

You want to find out *all* the domains that that DNS
server is 
authoritative for.  (Essentially you're trying to
find out what's in the 
named.conf file rather than zone file info.)

Has anyone written a tool that can do this?  I
thought about the 
possibility of parsing all the registration sites
for the Primary and 
Backup NS, but that would take forever.  I imagine
you could write a perl 
script that would access the web interfaces, do the
queries and return the 
results, but it would run for days...

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/

hm... you could also try reverse lookups for all existing IP addresses in
the world :)



Re: [Full-Disclosure] Worm_RBOT.EI

2004-07-23 Thread Ron DuFresne

see what happens when you leave systems unpatched and with open insecure
windows ports to the internet;

   Description:

   This worm spreads via network shares, and takes advantage of the
   following Windows vulnerabilities to propagate across networks:
 * Remote Procedure Call (RPC) Distributed Component Object Model
   (DCOM) vulnerability
 * LSASS Vulnerability


Thanks,

Ron DuFresne


On Fri, 23 Jul 2004, Matt Carlson wrote:

 Has anyone else seen any infections of this?

 So far 13 servers, and 200 workstations here; luckily we closed down a lot
 of it before it became too big.

 http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.EI


 Matt



~~
Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation. -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.



Re: [Full-Disclosure] Question for DNS pros

2004-07-23 Thread Paul Schmehl
--On Friday, July 23, 2004 09:50:44 PM +0200 [EMAIL PROTECTED] wrote:
hm... you could also try reverse lookups for all existing IP addresses in
the world :)
Well, no, because that wouldn't solve the problem.
A host on our network is being queried quite regularly on udp/53 by other 
hosts. A review of the packets reveals that these other hosts believe that 
our host is a dns server.  (AAMOF the IP address isn't even in use at the 
present time.)

Now, if you do a reverse lookup for that IP, *our* DNS servers, which are 
authoritative for our network will tell you what the hostname is.  But that 
isn't what I want to know.  Obviously, a simple dig -x IP will tell me that.

What I want to know is *why* do these foreign hosts think an IP on my 
network is serving DNS when there's not even a host at that address.

I can think of two possibilities:
1) At some time in the past, a host *was* serving DNS at that address and 
some foreign hosts have cached the address.
2) Someone somewhere has registered a domain and used our IP address for 
one of their nameservers in the registration.

(If anyone can think of other explanations, please let me know.)
Now how is a reverse lookup going to help you with that?  It would be 
trivial to write a perl script that did reverse lookups for every IP on the 
Internet and wrote the responses to a comma delimited file, but the 
resulting file would be useless to solve the problem that I'm trying to 
solve.

And for those who were thinking just do a tcpdump, here's what *that* 
looks like - no domain info there -

17:01:44.646943 x.x.x.x.17388 > xx.utdallas.edu.domain:  48072 NS? . (17)
17:01:45.386919 x.x.x.x.17388 > xx.utdallas.edu.domain:  48073 NS? . (17)
17:01:46.153402 x.x.x.x.17388 > xx.utdallas.edu.domain:  48074 NS? . (17)
17:01:47.657898 x.x.x.x.17388 > xx.utdallas.edu.domain:  1084 PTR? 63.37.110.129.in-addr.arpa. (44)
17:01:48.399150 x.x.x.x.17388 > xx.utdallas.edu.domain:  1085 PTR? 63.37.110.129.in-addr.arpa. (44)
17:01:49.144398 x.x.x.x.17388 > xx.utdallas.edu.domain:  1086 PTR? 63.37.110.129.in-addr.arpa. (44)

The best suggestion yet has been to set up a name server at that address 
with verbose logging.  That's probably what I will do next week.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
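An added example, not part of Paul's post: a small Python parser that turns tcpdump's one-line DNS summaries (the shape of the excerpt above) into a per-source tally of query types and names, so the hosts sending root NS queries can be separated from ordinary lookups before a logging nameserver is in place. The sample lines are constructed in the shape of the excerpt, with the same anonymised addresses; the `>` tcpdump prints between source and destination is assumed.

```python
"""Tally udp/53 queries from tcpdump output per source host.

Added example, not from the original post.  The lines below are constructed
in the shape of the tcpdump excerpt in the thread (anonymised the same way);
the '>' between source and destination, which tcpdump prints, is assumed.
"""
import re
from collections import Counter, defaultdict

SAMPLE_TCPDUMP = """\
17:01:44.646943 x.x.x.x.17388 > xx.utdallas.edu.domain:  48072 NS? . (17)
17:01:45.386919 x.x.x.x.17388 > xx.utdallas.edu.domain:  48073 NS? . (17)
17:01:46.153402 x.x.x.x.17388 > xx.utdallas.edu.domain:  48074 NS? . (17)
17:01:47.657898 x.x.x.x.17388 > xx.utdallas.edu.domain:  1084 PTR? 63.37.110.129.in-addr.arpa. (44)
17:01:48.399150 x.x.x.x.17388 > xx.utdallas.edu.domain:  1085 PTR? 63.37.110.129.in-addr.arpa. (44)
17:01:49.144398 x.x.x.x.17388 > xx.utdallas.edu.domain:  1086 PTR? 63.37.110.129.in-addr.arpa. (44)
17:02:03.001000 y.y.y.y.53 > xx.utdallas.edu.domain:  7+ A? www.example.com. (33)
not a dns line at all
"""

# tcpdump's one-line DNS summary:  TIME SRC.PORT > DST.PORT: ID[+] QTYPE? QNAME (LEN)
# The trailing '+' after the id marks a query with recursion desired.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+?)\.(?P<sport>\d+|domain)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>\d+|domain):\s+"
    r"(?P<id>\d+)(?P<rd>\+?)\s+(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+)\s+\((?P<len>\d+)\)$"
)


def parse_line(line):
    """Return the fields of one tcpdump DNS query line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["rd"] = fields["rd"] == "+"
    return fields


def summarise(text):
    """Group parsed queries by source host.

    For each source: a Counter of query types, the set of names asked for,
    and how many root NS queries ('NS? .') it sent.  That query is the one
    a recursive nameserver sends to the servers it is configured to start
    from, so a source sending it is treating this address as a nameserver,
    not just resolving one name.
    """
    per_src = defaultdict(lambda: {"types": Counter(), "names": set(), "root_ns": 0})
    for line in text.splitlines():
        q = parse_line(line)
        if q is None:
            continue                      # not a DNS query line, skip it
        entry = per_src[q["src"]]
        entry["types"][q["qtype"]] += 1
        entry["names"].add(q["qname"])
        if q["qtype"] == "NS" and q["qname"] == ".":
            entry["root_ns"] += 1
    return dict(per_src)


def sources_using_us_as_nameserver(summary):
    """Sources whose traffic includes the root NS query; sorted for stable output."""
    return sorted(src for src, e in summary.items() if e["root_ns"] > 0)


if __name__ == "__main__":
    summary = summarise(SAMPLE_TCPDUMP)
    for src, e in sorted(summary.items()):
        print(src, dict(e["types"]), sorted(e["names"]))
    print("treating us as a nameserver:", sources_using_us_as_nameserver(summary))
```

The same tally can be fed from `tcpdump -n -l udp port 53` on a live capture, one line at a time.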


[Full-Disclosure] iDEFENSE VCP Party 2004

2004-07-23 Thread Richard Johnson


To celebrate the success and two-year anniversary of iDEFENSE's
Vulnerability Contributor Program (VCP), we will again be hosting a
VCP party on Friday, July 30th, 2004, at the Hard Rock Hotel & Casino
in Las Vegas, Nevada: 

http://www.hardrockhotel.com

The party will begin at the Sports Deluxe Bar on the ground floor of
the hotel with an open bar from 7pm to 9pm:

http://www.hardrockhotel.com/party_drink_sportsdeluxe.php

The party continues from 9pm until midnight in our executive suite
for extended drinking, food and debauchery. If you are interested in
attending please RSVP as soon as possible, letting us know how many
will be in your party.

For those of you attending the conferences, two of our researchers,
Richard Johnson and Peter Silberman will be presenting their analysis
on various buffer overflow prevention software at both Black Hat and
Defcon:

Black Hat: Thursday, July 29th 3:15 in Zero Day Defense
Defcon:Friday,   July 30th 1:00 in Apollo

We are proud to announce the start of three separate award programs:

- VCP Retention Program
- VCP Incentive Program
- VCP Referral Program

The purpose of which is to incentivize and reward both current and
future contributors. The details of these programs are attached.

The iDEFENSE Labs Staff

Content-Description: VCP Reward Programs.txt
--[ iDEFENSE VCP RETENTION PROGRAM ]

In an effort to reward long term VCP contributors, iDEFENSE is
launching a VCP Retention Program. This program will provide additional
incentives to top contributors above and beyond the base compensation
received for their submissions.

Details:

At the end of each quarter, the top five contributors over the past
year will share a US $15,000 bonus pool. The bonus pool will be divided
among the top five contributors as such:

1 - $5,000
2 - $4,000
3 - $3,000
4 - $2,000
5 - $1,000

The top five contributors are determined by iDEFENSE based on their
total payout* over the past year. The first payout will cover the period
from July 1st, 2004 through June 30th, 2005. Eligible submissions must
be received no later than 12am EST on June 30th 2005. The following
table outlines the first six pay periods and payout date.

  Time Start          Time End              Payment Date**
  July     1st 2004   June      30th 2005   August   1st 2005
  October  1st 2004   September 30th 2005   November 1st 2005
  January  1st 2005   December  31st 2005   February 1st 2006
  April    1st 2005   March     31st 2006   May      1st 2006
  July     1st 2005   June      30th 2006   August   1st 2006
  October  1st 2005   September 30th 2006   November 1st 2006

*  Total payout includes payments per submission and referral rewards
   but does not include rewards received through the retention or
   incentive programs.
** Payment date is an approximate date.


--[ iDEFENSE VCP INCENTIVE PROGRAM ]

In an effort to reward new VCP contributors, iDEFENSE is launching
a VCP Incentive Program. This program will provide additional incentives
to top contributors above and beyond the base compensation received for
their submissions.

Details:

At the end of each quarter, the top three contributors over the past
quarter will share a US $6,000 bonus pool. The bonus pool will be
divided among the top three contributors as such:

1 - $3,000
2 - $2,000
3 - $1,000

The top three contributors are determined by iDEFENSE based on their
total payout* over the past quarter. The first payout will cover the
shortened period from August 1st, 2004 to September 30th, 2004. Eligible
submissions must be received no later than 12am EST on September 30th
2004. The following table outlines the first six pay periods and the
payout date.

  Time Start          Time End              Payment Date**
  August   1st 2004   September 30th 2004   November 1st 2004
  October  1st 2004   December  31st 2004   February 1st 2005
  January  1st 2005   March     31st 2005   May      1st 2005
  April    1st 2005   June      30th 2005   August   1st 2005
  July     1st 2005   September 30th 2005   November 1st 2005
  October  1st 2005   December  31st 2005   February 1st 2006

*  Total payout includes payments per submission and referral rewards
   but does not include rewards received through the retention or
   incentive programs.
** Payment date is an approximate date.


--[ iDEFENSE VCP REFERRAL PROGRAM ]-

In 

Re: [Full-Disclosure] Question for DNS pros

2004-07-23 Thread Roberto Navarro


If you find that tcp port 8443 is open, try asking it for the PTR record
of its own public IP.

Plesk is fun. Just visit http://www.sw-soft.com/en/partners/current/
and look for your nearest ip range 0=]

Roberto a.k.a. Logan


Everything you like is bad for you
-- Murphy's Food Laws n°1

- ---
Roberto Navarro
[EMAIL PROTECTED]
Registered Linux User #212565
LPIC2 Certified
My PGP public key on: ldap://europe.keys.pgp.com:11370/
- ---



RE: [Full-Disclosure] Crash IE with 11 bytes ;)

2004-07-23 Thread Phuong Nguyen
Stephen,
I believe that is something new right there. So the style;@/* partially 
DoS Mozilla too? Were you able to reproduce the situation? or it just 
happened once? As far as I know, it doesn't have any effect on Firefox on 
XP SP2 though. I wonder if anyone here experiences the same thing about 
Mozilla?

Phuong
At 02:50 AM 7/24/2004, Stephen Taylor wrote:
I don't understand the effect it has on Mozilla.  It certainly crashed my IE
but for Mozilla, the URL window displayed a diamond shape with a red X
through it. Mozilla was unresponsive afterwards. I had to close the window
to recover.  I am a W2K user at work.
ST
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Phuong
Nguyen
Sent: Friday, July 23, 2004 1:49 PM
To: Marcel Krause
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Crash IE with 11 bytes ;)
Oh, I actually didn't know about that! Coolio ;) !!
Phuong
At 12:47 AM 7/24/2004, Marcel Krause wrote:
Hi!

There is a similar Bug using about:input%20type%20crash .
Well i think that's old news to you :)

Yours, Marcel



[Full-Disclosure] Re: Comcast(tm) Email Manager allows arbitrary java and activex code execution

2004-07-23 Thread Marc Schoenefeld
Hi Michael,

 do ya mean Java (comes in class/jar files) or Javascript (simple text) ? If
 Java, which I doubt, how does it execute ? Which version (JPI/MSJVM?),
 please provide stackdumps ...

Marc


On Thu, 22 Jul 2004, Michael Scheidell wrote:

 Date: Thu, 22 Jul 2004 11:36:07 -0400
 From: Michael Scheidell [EMAIL PROTECTED]
 To: [EMAIL PROTECTED], [EMAIL PROTECTED],
  [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
 Subject: Comcast(tm) Email Manager allows arbitrary java and activex code
 execution

 Vulnerability in Comcast Webmail Manager allows arbitrary java and activex code 
 execution
 Systems: Comcast Webmail email system. www.comcast.net
 Vulnerable: X-Mailer: ATT Message Center Version 1 (Mar 22 2004)
 Not Vulnerable: Unknown
 Severity: Serious / Low (Fixed now)
 Category: Arbitrary Execution of Code of Hacker's Choice
 Classification: Input Validation Error
 BugTraq-ID: TBA
 CVE-Number: TBA
 Remote Exploit: yes
 Local Exploit: no
 Vendor URL: www.comcast.net
 Author: Michael S. Scheidell, SECNAP Network Security
 Original Release date: April 7, 2004
 Notifications: Comcast notified April 7, 2004
 Public Release date: July 22, 2004

 Discussion: from www.comcast.com
 High-Speed Internet. This is the fastest way to travel the Web! It's cable-powered, 
 so it's always connected and you won't tie up your phone lines. It's a faster, more 
 powerful and more convenient Internet experience.

 Note: This is not so much a warning to Comcast or their users, since Comcast has 
 fixed this problem, but more of a warning to every developer or CISO to make sure 
 that web-based email, blog, information and memo systems check their code to make sure 
 it is safe. See additional notifications of similar problems with GoldMine(tm) 
 http://www.secnap.com/security/gm001.html, and sprintmail picture mail at 
 http://www.secnap.com/security/030711.html

 Problem: There was a potential for hackers to use this vulnerability to specially 
 craft emails that will run random code of their choice on users' computers - 
 including remote Trojans, irc zombies, spyware, malware, and remote key loggers. 
 This program would run inside the corporate network, behind the firewall and access 
 anything the infected user has access to.

 The Comcast Webmail did not run the html email in the 'security zone' as does 
 Microsoft(tm) Outlook, but passed anything that looks like HTML to be executed 
 unrestricted directly to the default Browser (usually IE). Linux/or Unix users with 
 Netscape may have the javascript, page redirection and popup email run, however, the 
 activeX component will not run.

 Comcast users have the option of using Comcast Webmail or Outlook Express.  Because 
 of the inability to disable HTML, Java or ActiveX in Comcast Webmail, those using 
 Webmail had an increased chance of their computers becoming infected in the event 
 of a potential hacker either a) referencing ActiveX controls or b) including 
 JavaScript within an HTML e-mail message.

 The above has been tested on a Windows(tm) 2000 system with service pack 4, all 
 Internet Explorer patches and default (factory) Internet zone security settings. 
 Also tested were two Windows XP(tm) systems with service pack 1 and all patches as 
 well as Netscape 7.1 on Linux.

 The security community first became aware of the potential for this kind of threat 
 about two years ago.  Software companies that produce Web-based email, blog or input 
 systems must check for arbitrary Java and HTML code.  Note: the original Web Mail 
 system was written by ATT and was inherited by Comcast during their purchase of 
 ATT's broadband business.

 Exploit: No exploit is necessary, as there are already examples in viruses and 
 trojans that were designed to attack Microsoft Outlook and Outlook Express.

 Microsoft fixed these by patching both readers and allowing the user to set the 
 security zone for reading HTML email in the 'insecure' settings.

 To see an exhaustive list of what can happen when email is passed to IE, see 
 http://www.guninski.com/browsers.html

 Vendor Response: April 7, 2004. A Comcast representative called our office 
 immediately.  Comcast worked quickly on fixing this bug and rolling it out to their 
 servers, with a solution in place by April 13, 2004.  Release of this notification 
 was held back waiting for Comcast to decide how and when to self-release.

 Solution:
 Comcast is now filtering out various forms of scripting.

 Credit:
 Michael Scheidell, SECNAP Network Security, www.secnap.com
 The original problem with IE, Microsoft Outlook and Outlook Express was found by 
 Georgi Guninski and involved insecure default reading of malformed HTML in Outlook 
 and OE and insecure running of HTML (see http://www.guninski.com/browsers.html). 
 And thanks to Johannes B. Ullrich, CTO SANS Internet Storm Center, for assistance.

 Original copy of this report can be found here
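The kind of filtering the advisory says Comcast adopted, as an added example that is not Comcast's or SECNAP's code: an allowlist HTML pass that removes script, the ActiveX/plugin containers (object, embed, applet, iframe), meta refresh redirects, on* event handlers and javascript: URLs before the message body is handed to the browser. The tag and attribute allowlists and the accepted URL schemes are assumptions chosen for illustration.

```python
from html.parser import HTMLParser
from html import escape

# Assumed allowlists: anything not listed is dropped before the body reaches the browser.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "table", "tr", "td", "th", "div", "span", "blockquote", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
DROP_WITH_CONTENT = {"script", "style", "object", "embed", "applet", "iframe"}
SAFE_SCHEMES = ("http:", "https:", "mailto:", "cid:")

def _safe_url(value):
    """Relative URLs pass; absolute ones must use an allowlisted scheme."""
    v = value.strip().lower().replace("\x00", "")
    return ":" not in v.split("/", 1)[0] or v.startswith(SAFE_SCHEMES)

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # nesting depth inside a container dropped with its content

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown tag (meta, form, ...) removed; its text is kept
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # event handlers and unlisted attributes go
            if value is None or not _safe_url(value):
                continue  # javascript:, data:, vbscript: and friends go
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # re-escape text so it stays text

def sanitize_mail_html(html):
    """Return a copy of an HTML mail body with active content removed."""
    p = MailSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```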
 

Re: [Full-Disclosure] Question for DNS pros

2004-07-23 Thread Cyril Guibourg
Paul Schmehl [EMAIL PROTECTED] writes:

 What I want to know is *why* do these foreign hosts think an IP on
 my network is serving DNS when there's not even a host at that address.

 I can think of two possibilities:

 1) At some time in the past, a host *was* serving DNS at that address
 and some foreign hosts have cached the address.
 2) Someone somewhere has registered a domain and used our IP address
 for one of their nameservers in the registration.

 (If anyone can think of other explanations, please let me know.)

Some bogus resolver, or forwarder, setup.

 Now how is a reverse lookup going to help you with that?

It won't.

 The best suggestion yet has been to set up a name server at that
 address with verbose logging.  That's probably what I will do next
 week.

Yes, just put no zone at all and log queries. After a while, you should be
able to figure out why you receive these queries.

Cheers.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
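The "no zone at all, log queries" approach from the thread, as an added example that is not part of the original posts: a UDP listener on port 53 that decodes the question section of each incoming query and prints the source address, transaction id, record type and name, while answering nothing. The bind address argument and the small QTYPE table are assumptions; binding port 53 needs the appropriate privilege.

```python
import socket
import struct
import sys

# Assumed subset of record types for readable output; others print as a number.
QTYPES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}

def parse_query(pkt):
    """Return (txid, qname, qtype) from the first question of a DNS query,
    or None if the packet is a response or is malformed."""
    if len(pkt) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set: a response, not a query
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            return None
        n = pkt[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0 or pos + n > len(pkt):  # no compression pointers in a question name
            return None
        labels.append(pkt[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(pkt):  # QTYPE and QCLASS must follow the name
        return None
    qtype = struct.unpack("!H", pkt[pos:pos + 2])[0]
    return txid, ".".join(labels) or ".", QTYPES.get(qtype, str(qtype))

def log_queries(bind_addr, port=53):
    """Bind UDP/port on the unused address and print one line per query."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        pkt, (src, sport) = sock.recvfrom(512)
        q = parse_query(pkt)
        if q is not None:
            print(f"{src}:{sport} id={q[0]} {q[2]} {q[1]}", flush=True)

if __name__ == "__main__":
    log_queries(sys.argv[1] if len(sys.argv) > 1 else "0.0.0.0")
```

After a few days the log shows which sources keep asking and for which names, which is what the thread wants to know before deciding whether stale caches or a bad NS registration is the cause.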


Re: [Full-Disclosure] Question for DNS pros

2004-07-23 Thread ALD, [ Aditya Lalit Deshmukh ]
 I can think of two possibilities:
 1) At some time in the past, a host *was* serving DNS at that address and 
 some foreign hosts have cached the address.

I think your ISP should have this info.

 2) Someone somewhere has registered a domain and used our IP address for 
 one of their nameservers in the registration.

then his domain is toast anyway, as there is no DNS server, so effectively his domain 
is offline; 
this will be corrected soon if this is the case.
 
 (If anyone can think of other explanations, please let me know.)
 
 The best suggestion yet has been to set up a name server at that address 
 with verbose logging.  That's probably what I will do next week.

1. Just block off port 53/udp for that address at the firewall.
2. Run a DNS server that replies to all the queries with localhost or 127.0.0.1 after 
you have found what is causing this.
3. Set the refresh time, TTL and other values to -1; this should solve most of the 
problems as the clients would simply stop querying.

-aditya


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html