Re: [Full-Disclosure] iDEFENSE Security Advisory 08.18.04: Courier-IMAP Remote Format String Vulnerability
A lot of people have been making fun of us for releasing bugs in rarely used configurations of software (Squid/NTLM), and now DEBUG message related vulnerabilities. On behalf of my cracker group, I would like to take a moment to publicly explain how this is actually a serious issue and is nothing to be laughed at.

Many people use Courier-IMAP. We aren't sure how many, but part of our team predicts that it is enough to merit a HIGH ranking (as will my upcoming XSS related vulnerabilities in Courier-IMAP). I don't see any of you critics releasing any better security advisories than we buy from drunk college students, so shut your mouths until you read the PaX[1] documentation at a Blackhat speech.

The easiest way to exploit debugging-related vulnerabilities, such as this one, is to launch a disruption of service attack[2] of some sort to trick the admin into enabling the debug mode to figure out what is going wrong. While you are launching the disruption of service attack, loop attack probe until exploitation succeeds. So, as you can see, the threat here is HIGH!

Further, a reasonably competent exploit coder might be able to bypass STACK PROTECTION MECHANISMS such as PaX, ExecShield, that kilt-wearing PhD guy's stuff. It could probably be exploited on obscure win32 STACK PROTECTION MECHANISMS also that attempt to emulate PaX. However, since there is no public testsuite to adequately deduce those results, and we aren't really sure what we're doing when we slightly modify code for public release, we'll have to have the ins1der do that sort of stuff for us. I guess this makes the threat BIG HIGH instead of simply just HIGH.

We hope this clarification has done our genius the proper justice that we demand and deserve[3].

When I started GOBBLES, we made fun of people by releasing format string bugs in software and making a big deal out of it, because even idiots like ourselves could find them and claim they were exploitable. We even got away with our claims that we could bypass PaX/OpenWall/Cowan's Kilt. Now that I'm a respected member of the security community, I have to pretend to take myself seriously and let everyone know that I'm doing my part to fight terrorism by doing that same thing. I might not make a lot of sense, but my ego is perfect.

[1] http://pax.grsecurity.net - a more complete copy of our presentation is online here. If you have any questions about it, please contact the PaX-Team. Hey I think this is called a footnote!
[2] disruption of service attack - a term I pioneered in 1992 AD.
[3] Using less than three footnotes is bad form.

On Wed, Aug 18, 2004 at 12:32:55PM -0400, [EMAIL PROTECTED] wrote:

Courier-IMAP Remote Format String Vulnerability

iDEFENSE Security Advisory 08.18.04
www.idefense.com/application/poi/display?id=131&type=vulnerabilities
August 18, 2004

I. BACKGROUND

Courier-IMAP is an IMAP/POP3 mail server popular on sites utilizing Qmail/Exim/Postfix. More information is available here:

    http://www.courier-mta.org/imap/

II. DESCRIPTION

Remote exploitation of a format string vulnerability in Double Precision Inc.'s Courier-IMAP daemon allows attackers to execute arbitrary code.

The vulnerability specifically exists within the auth_debug() function defined in authlib/debug.c:

    #include <ctype.h>
    #include <stdarg.h>
    #include <stdio.h>
    #include <string.h>

    void auth_debug( const char *fmt, va_list ap )
    {
        char buf[DEBUG_MESSAGE_SIZE];
        int i;
        int len;

        // print into buffer to be able to replace control and other
        // unwanted chars.
        vsnprintf( buf, DEBUG_MESSAGE_SIZE, fmt, ap );
        len = strlen( buf );

        // replace nonprintable chars by dot
        for( i=0 ; i<len ; i++ )
            if( !isprint(buf[i]) )
                buf[i] = '.';

        // emit it
        fprintf( stderr, buf );   // <-- Format String Vulnerability
        fprintf( stderr, "\n" );
    }

The 'buf' variable utilized in the fprintf() call is attacker-controlled and can contain format string modifiers allowing an attacker to manipulate the stack and eventually execute arbitrary code.

III. ANALYSIS

Successful exploitation does not require authentication, thereby allowing any remote attacker to execute arbitrary code under the privileges of the user that the IMAP daemon runs as. The vulnerable function auth_debug() is only called if login debugging is enabled, requiring that 'DEBUG_LOGIN' be set to either '1' or '2' in the imapd configuration file.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Courier-IMAP v2.2.1. It is reported that all versions of Courier-IMAP from 1.6.0 to 2.2.1 inclusive are vulnerable.

V. WORKAROUND

Disable the login debugging option of Courier-IMAP. This can be accomplished by setting 'DEBUG_LOGIN' to '0' in the configuration file usually located at /usr/lib/courier-imap/etc/imapd.

VI. VENDOR RESPONSE

This issue has been resolved in the latest version of Courier IMAP (v3.0.7). As
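For readers wanting to see the one-line fix next to the sanitizing step the advisory shows, here is an added example (not Courier-IMAP's own code and not part of the iDEFENSE advisory). It keeps the same vsnprintf-then-dot-out-nonprintables logic as auth_debug(), but emits the buffer as data with fputs() instead of handing it to fprintf() as the format string, so '%' sequences in a client-supplied login name stay literal text. DEBUG_LINE_SIZE, the function names and the sample login name are assumptions made for this example.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Courier-IMAP's DEBUG_MESSAGE_SIZE; the advisory does not
 * give the real value, so 256 is an assumption for this example. */
#define DEBUG_LINE_SIZE 256

/* Step 1 (same idea as the advisory's auth_debug): render the message into
 * a fixed buffer and replace every non-printable byte with '.'.
 * Returns the length of the sanitized string. */
size_t format_debug_line(char *out, size_t outsz, const char *fmt, va_list ap)
{
    size_t i, len;

    vsnprintf(out, outsz, fmt, ap);          /* always NUL-terminates */
    len = strlen(out);
    for (i = 0; i < len; i++)
        if (!isprint((unsigned char)out[i]))
            out[i] = '.';
    return len;
}

/* Variadic front end so ordinary callers can pass arguments directly. */
size_t format_debug_line_v(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    size_t len;

    va_start(ap, fmt);
    len = format_debug_line(out, outsz, fmt, ap);
    va_end(ap);
    return len;
}

/* Step 2, hardened: emit the sanitized buffer as DATA. The vulnerable
 * version did fprintf(stderr, buf), which makes the buffer (including any
 * '%x' or '%n' a client put in its login name) the format string. Writing
 * it with fputs(), or fprintf(stderr, "%s", buf), keeps it literal. */
void auth_debug_fixed(const char *fmt, ...)
{
    char buf[DEBUG_LINE_SIZE];
    va_list ap;

    va_start(ap, fmt);
    format_debug_line(buf, sizeof buf, fmt, ap);
    va_end(ap);

    fputs(buf, stderr);
    fputc('\n', stderr);
}

/* Mirrors how a login handler would call the debug routine: the format
 * string is the programmer's constant, the login name is untrusted input.
 * Returns the line that would be logged so it can be inspected. */
size_t debug_line_for_login(char *out, size_t outsz, const char *login)
{
    return format_debug_line_v(out, outsz, "login attempt for user: %s", login);
}

/* Convenience check: does the logged line for 'login' equal 'expected'? */
int login_line_equals(const char *login, const char *expected)
{
    char line[DEBUG_LINE_SIZE];

    debug_line_for_login(line, sizeof line, login);
    return strcmp(line, expected) == 0;
}

int main(void)
{
    /* Constructed hostile login name: format directives plus control bytes.
     * With the fixed emitter it is printed verbatim (control bytes dotted). */
    const char *login = "bob%x%n\x01\x7f";

    auth_debug_fixed("login attempt for user: %s", login);
    return 0;
}
```

The sanitizing loop was never the problem; it only rewrites bytes that isprint() rejects, and '%' is printable, so it passes straight through to the emit step. That is why the fix belongs at the fprintf() call and not in the loop.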
Re: [Full-Disclosure] driver for display goes to a infinite loop by viewing a html!
Windows 2000 SP4, IE 6 (all fully updated) with an old/integrated Matrox Mystique (drivers included with Win2000) showed no problems. Took it an extra sec to display the page (like 6-8 seconds), but it was only a dual-PII system. After loading was able to scroll around.

Knoppix Live Linux CD, Mozilla 1.6 with a nVidia GF4 ti4800 SE 128MB AGP also no problems at all. Loaded quickly, was able to scroll around and such. I've loaded the nVidia display drivers from the Live Installer and restarted X. Not sure if that would have anything to do with it.

No trouble on FireFox 0.9 or IE 6 (all updates) on Windows XP Corp w/SP1 either (Same nVidia GF4 ti4800 SE 128MB AGP card as above.) *shrugs* Was able to scroll around and it loaded fast too. (Like 1-2 seconds)

--- Peace. ~G

On Wed, 18 Aug 2004 21:21:31 -0700, Glenn Hamblin [EMAIL PROTECTED] wrote:

Loaded fine in Opera 7.53 on XP-SP1, NVIDIA RIVA TNT2 64, MS Drivers

On Mon, 16 Aug 2004 09:30:47 +1000, Casey Ellis [EMAIL PROTECTED] wrote:

Moderator: I am not subscribed, but this is probably useful info...

I've tested the link on a WinXP SP2 box (P3 500mhz w/ 256MB) and she froze pretty much instantly (no scrolling or user interaction at all) and after about 20 seconds the machine rebooted. No BSOD, no warning, just a reboot and a "Windows Recovered from a Serious Error" message on restart.

Card: ATI Technologies Inc 3D Rage Pro AGP 2X
Driver: 5.1.2001.0

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Farinic
Sent: Wednesday, 11 August 2004 6:18 PM
To: Andrei Zlate-Podani; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] driver for display goes to a infinite loop by viewing a html!

Confirmed Sys. Crash. Got BSOD on XPSp1 (IE+OS latest patches)
Intel 82845G/GL/GE/PE/GV Graphic Controller
Driver version: 6.14.10.3619

Image itself is not big; the html resizing of it is big.

    <img width=999 height=999 src=crazy.jpg>
    </html>

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrei Zlate-Podani
Sent: Wednesday, August 11, 2004 9:25 AM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] driver for display goes to a infinite loop by viewing a html!

It's just a VERY large image... Apparently, the browser doesn't handle well the memory allocation. It hangs the system for some seconds. Once you switch the task it's all working OK.

bipin gautam wrote:

hello everybody, please view this page: http://www.geocities.com/visitbipin/crazy.html [tested with firefox and IE browser...] Try scrolling the picture for few seconds...[ don't kill the process] I have tested it on several machines [p3 p4], with intel vga. it reboots winxp because "The driver for the display device got stuck in an infinite loop." please test it with winxp sp1 or sp2!

regards,
bipin

__
Do you Yahoo!? Yahoo! Mail - 50x more storage than other providers! http://promotions.yahoo.com/new_mail

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

--
This message was scanned for spam and viruses by BitDefender. For more information please visit http://www.bitdefender.com/

This mail was checked for malicious code and viruses by GFI MailSecurity. GFI MailSecurity provides email content checking, exploit detection, threats analysis and anti-virus for Exchange SMTP servers. Viruses, Trojans, dangerous attachments and offensive content are removed automatically. Key features include: multiple virus engines; email content and attachment checking; an exploit shield; an HTML threats engine; a Trojan Executable Scanner; and more. In addition to GFI MailSecurity, GFI also produces the GFI MailEssentials anti-spam software, the GFI FAXmaker fax server and the GFI LANguard network security product ranges. For more information on our products, please visit http://www.gfi.com. This disclaimer was sent by GFI MailEssentials for Exchange/SMTP.
Re: [Full-Disclosure] What A Drag II XP SP2
Works on fully patched XP SP 1 as well.

--Pera

Quoting [EMAIL PROTECTED] [EMAIL PROTECTED]:

Internet Explorer supports a fantastic variety of styles and behaviors amongst other 'unique capabilities'. A lovely demonstration of that can be found here: http://www.malware.com/wottapoop.html

-- http://www.malware.com
RE: !SPAM! RE: [OT] Re: [Full-Disclosure] lame bitching about xpsp2
The hardware is warranted, which was the requirement - there was no mention of supporting the OS as well.

YY

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Esler, Joel - Contractor
Sent: Wednesday, August 18, 2004 20:42
To: [EMAIL PROTECTED]
Subject: !SPAM! RE: [OT] Re: [Full-Disclosure] lame bitching about xpsp2

Actually the website says: "Dell does not officially support running Linux on Dell laptops, Although, as there are relatively fewer gotchas associated with Linux running on desktops as compared to laptops, installing Linux should be a fairly straight-forward task."

If you quote, quote the whole thought.

J

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Barry Fitzgerald
Sent: Wednesday, August 18, 2004 1:28 PM
To: KF_lists
Cc: joe; [EMAIL PROTECTED]
Subject: Re: [OT] Re: [Full-Disclosure] lame bitching about xpsp2

KF_lists wrote:

OK - put your money where your mouth is. Pretend I'm a consumer. I have 2000 USD to spend and want a good PC with a good warranty with GNU/Linux on it. Find me a link to a major OEM that will ship me a PC within those specs with decent hardware and a generally recognized name (Dell, Gateway, HP, IBM...). The PC must be listed as a desktop system and must be easy to find. That's your assignment. That's the way that you can prove your point, and it's the only way. If the situation is as you claim it is, that should take you no less than 3 minutes. The clock is ticking...

Took me all of about 30 seconds... http://linux.dell.com/desktops.shtml

-KF

From the site: "Dell does not officially support running Linux on Dell desktops."

Try again -- this didn't meet my criteria and thus would not be available for an average user. No warranty and no support turns this into a no-go for Ma and Pa Kettle.

-Barry
RE: !SPAM! Re: [OT] Re: [Full-Disclosure] lame bitching about xpsp2
Important: From which direction is the wind coming? ;-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of KF_lists
Sent: Thursday, August 19, 2004 01:53
To: Invicticide X
Cc: [EMAIL PROTECTED]
Subject: !SPAM! Re: [OT] Re: [Full-Disclosure] lame bitching about xpsp2

/me Pees again and goes away... enjoy the rest of the thread fellas.. the pissing match is in full effect.

-KF

Invicticide X wrote:

Apparently that 30 seconds did not include reading the page you linked to.

Sure it did. I read it just fine... I believe you are the one that missed the paragraph stating: "Currently, all Dell N-Series Precision Workstation desktops are available and supported with Red Hat Linux." You are correct though that it is NOT supported on "Desktops and Laptops".

And you're the one who missed the original line in Barry's spec which stated: "The PC must be listed as a desktop system and must be easy to find." Desktops are not supported. He also said "as a consumer", which I would imagine to be an individual, who most likely wouldn't be going for a corporate workstation, or buying 50+ machines (with regard to your linked article).
[Full-Disclosure] Re: IpSwitch IMail Server = ver 8.1 User Password Decryption
On Mon, 16 Aug 2004, Adik wrote:

IpSwitch IMail Server version up to 8.1 uses weak encryption algorithm to encrypt its user passwords. Have a look at attached proof of concept tool, which will decrypt user password from local machine instantly.

Heck, this isn't even news. It was posted to Bugtraq a while back. Like 1999. This URL details Imail's password scheme for Imail 5.0: http://seclists.org/bugtraq/1999/Dec/0255.html

About a year ago, I found that article, and used it to decrypt a few lost email passwords on my Imail 7.15 installation. Given the fact that Imail tries to do just about everything (it does POP3, SMTP, IMAP, LDAP, includes a Web server and makes crispy French fries), this sort of thing is probably bound to stay around for a while.

One of the neat things about Imail (other than that it does practically everything) is that it's backwards-compatible. If my Imail 8.1x installation does something weird, I can roll it back to Imail 7.x with maybe fifteen minutes' work. This level of backwards compatibility does lead to weird problems and security issues (q.v. every version of DOS and Windows for about fifteen years).

...dave
RE: [Full-Disclosure] Electronic Voting Machines - WinVote by Adv anced Voting Solutions
Next question - is the traffic encrypted between the counting station and the booth itself? If it's not, I'm filing a paper vote in my community from now on. (Grand Prairie, TX BTW)

Brandon Fetch
817-871-4036
-- carpe ductum -- "Grab the tape"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 18, 2004 4:41 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Electronic Voting Machines - WinVote by Advanced Voting Solutions

Our county has approved the purchase of these machines for the upcoming election. I looked them up on the www and found that the Windows-based voting machines use WEP to ensure the security of the wireless transmissions of the machines to a central site. Without even commenting on the security of WEP, it seems to me that a massive DDOS attack against the voting machines could prevent vote tallies from being counted in a timely manner. Has there been any discussion of the security of this type of voting machine architecture? The machine in particular is WinVote by Advanced Voting Solutions (http://clients.enfocom.com/avs/home.html).

-Randy Marchany

This message is intended only for the person(s) to which it is addressed and may contain privileged, confidential and/or insider information. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Any disclosure, copying, distribution, or the taking of any action concerning the contents of this message and any attachment(s) by anyone other than the named recipient(s) is strictly prohibited.
[Full-Disclosure] Microsoft Windows XP SP2
Let's commence by giving credit where credit is due. The thinking is that the manufacturer of Windows XP has done a splendid job in patching their little operating system with 300 million dollars' worth of fixes. This is not exactly 'pocket change'. But this is:

1. trivial scripting in the local zone
2. notepad icon regardless of file in XP's little zip thing

http://www.malware.com/malware.sp2.zip

many other 'bits and pieces' to be had but overall a splendid effort on the manufacturer's part [for now]. Not quite sure where all that money went though.

End Call

-- http://www.malware.com
Re: [OT] Re: [Full-Disclosure] lame bitching about xpsp2
On Wednesday 18 August 2004 23:51, KF_lists wrote:

Apparently that 30 seconds did not include reading the page you linked to.

Sure it did. I read it just fine... I believe you are the one that missed the paragraph stating: "Currently, all Dell N-Series Precision Workstation desktops are available and supported with Red Hat Linux." You are correct though that it is NOT supported on "Desktops and Laptops".

Old news, no longer valid. Check out HP (URL wrapped):
http://h10010.www1.hp.com/wwpc/us/en/sm/ WF05a/321957-64295-89315-321838-f33-395654.html

Linux (Novell/SuSE) preinstalled on HP nx5000 laptop...

Maarten

-- Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER
Re: [ok] [Full-Disclosure] RE: [Full-Disclosure]MS should re-write code with security in mind
First of all, almost all Windows users demand backward compatibility. While MS's software is not open source, MSDN indexes a huge number of libraries and almost all of these would have to be wrapped up to work under a newly written OS if backward compatibility is to be maintained. Programmers of 3rd party Windows software also have a long history of not doing things the way they should (are told to) and this will lead to further problems if the quirks of the OS are removed. This is an issue which MS will face for years to come, and they are trying to re-write major portions of the OS in Longhorn. SP2 was a step in the right direction, protecting most of the buffers in the OS.

A drastic but potentially good option they have is actually to release their old legacy operating systems free of charge. Source release for MS is probably not a good idea, as a lot of the source does not change, and it is likely that many new exploits would be theorised in a very short space of time. At least if the legacy OSs were available, consumers with legacy applications would not have so much to complain about, in terms of lack of support and patching. There are a great deal of old DOS based applications in the world which have yet to be rebuilt on any more modern systems; and yet to re-install these systems it is nearly impossible these days. To find a fresh copy of DOS is very hard now. More importantly it is even more difficult to find a boot disk formatted with the correct generation of boot loader.

Built in encryption is available in NT and this can be hardened with security upgrades available on MS's site. There are laws which govern MS in this regard and restrict them from exporting high encryption OSs from the US, the specifics of which I do not know, but google would be able to tell you.

NT is a multi-user OS; it has a client server hierarchy to it also. The process scheduling system in NT is a proper process scheduler and a lot of work went into changing this in Windows XP. In fact certain details were changed in SP1 and it is not unlikely that they changed again in SP2, although I have not heard as such.

I am sure you are probably aware of the issues of attempting to secure and authenticate all mail transfer. Authentication unfortunately directly conflicts with privacy, in that if a user is to prove who they are, then you know who they are. Server side authentication can be useful, although this still requires some kind of centralisation in order to properly authenticate. Backwards compatibility issues are obvious, and more importantly you will note that holes in the system will appear any time traditional plain text SMTP is allowed. Deep packet inspection ISP side to stop SPAM and viruses is possible, however as you should be aware, being a firewall consultant, this is neither fast nor cheap. The best recent solution being the regexp system in Checkpoint FW1 NG+AI.

Finally, it is not impossible for you to implement what you want without MS's involvement. Theoretically there is nothing to stop the community from writing an application which simply redirects all IP traffic through encrypted and fully authenticated channels. This kind of solution could work very effectively in a LAN scenario where all machines speak the same language. On the Internet the game changes, but of course, it was the Internet we were worried about in the first place.

It is true to say that closing all holes in MS software would reduce the volume of SPAM and viruses on the Internet. Of course this would take some time however, as many places which remain infected (which contribute to most of the volume) simply would not update for a long time anyway (and it is this lack of updates and security which puts them there in the first place). If administrators and users of MS software are simply made more aware of the issues which face the Internet and the professionals who support it, we will slowly see a big improvement. SP2, good or bad, was a step in this direction; at the very least the security center will encourage users to buy / upgrade their anti virus solutions, and the recompilation of major portions of the OS with buffer checking will reduce the number of exploits possible in the OS.

Software is unfortunately imperfect, and will rarely be perfect. It is likely that as most systems become more secure, the viewed need for vigilance on security will be lost among non IT-pros. When that time comes, it will be the rare exploits which will cause major damage, not the near daily patches we see now.

"there are no problems, only income opportunities!" -Tony Lawrence.

my 2c.

On Wed, 18 Aug 2004 16:00:05 -0500, Curt Purdy [EMAIL PROTECTED] wrote:

Clairmont, Jan M wrote:

M$ should just bite the bullet and re-write windows with security in mind, give it a true process scheduler, multi-user with windows as a client server processes.

<snip>

It ain't gonna happen. There is so much legacy code, dating all the way back to NT 3.5
[Full-Disclosure] mail.yahoo.com issue
When visiting http://mail.yahoo.com, occasionally the server will serve up a strange page saying only "do you yahoo?". With a few refreshes (which likely pulls the content from other servers), you will get to the yahoo mail login page. It looks like some of their servers are not returning correct results. I'm not sure whether it's malicious, but it's worth noting.

Source of strange page:

    <html><head><title>do you yahoo?</title></head>
    <body>
    <h1>do you yahoo?</h1>
    </body></html>
    <!-- l27.login.scd.yahoo.com compressed/chunked Thu Aug 19 07:38:10 PDT 2004 -->

Dallas LaRose

=== Notice ===
You may have noticed the increased number of notices for you to notice. We notice that some of our notices have been noticed. On the other hand, some of our notices have not been noticed. This is very noticeable. It is noticed that the responses to the notices have been noticeably unnoticeable. This notice is to remind you to notice the notices and respond to the Notices because we do not want the noticed to go unnoticed.
[Full-Disclosure] SUSE Security Announcement: qt3 (SUSE-SA:2004:027)
-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SUSE Security Announcement

        Package:                qt3/qt3-non-mt/qt3-32bit/qt3-static
        Announcement-ID:        SUSE-SA:2004:027
        Date:                   Thursday, Aug 19th 2004 15:00 MEST
        Affected products:      8.1, 8.2, 9.0, 9.1
                                SUSE Linux Database Server,
                                SUSE eMail Server III, 3.1
                                SUSE Linux Enterprise Server 8, 9
                                SUSE Linux Firewall on CD/Admin host
                                SUSE Linux Connectivity Server
                                SUSE Linux Office Server
        Vulnerability Type:     remote system compromise
        Severity (1-10):        7
        SUSE default package:   yes
        Cross References:       CAN-2004-0691
                                CAN-2004-0692
                                CAN-2004-0693

    Content of this advisory:
        1) security vulnerability resolved:
             - buffer overflow in image handling code
           problem description
        2) solution/workaround
        3) special instructions and notes
        4) package location and checksums
        5) pending vulnerabilities, solutions, workarounds:
            - opera
            - acroread
        6) standard appendix (further information)

______________________________________________________________________________

1)  problem description, brief discussion

    The QT-library is an environment for GUI-programming and is used in
    various well-known projects, like KDE.

    Chris Evans found a heap overflow in the BMP image format parser
    (CAN-2004-0691) which can probably be abused by remote attackers to
    execute arbitrary code with the privileges of the user using a
    malformed image as input for a vulnerable QT-based application.

    Additionally a NULL dereference in the GIF parser (CAN-2004-0693) was
    found. This led to more research by other people and revealed another
    NULL dereference in the XPM parser (CAN-2004-0692) found by Marcus
    Meissner, SuSE Security-Team.

    The last two bugs can be used to trigger a remote denial-of-service
    attack against QT-based applications.

2)  solution/workaround

    A temporary workaround for this issue is not known.

3)  special instructions and notes

    After applying the update make sure all QT-based applications are
    restarted. It would be best to re-login if you use KDE.

4)  package location and checksums

    Please download the update package for your distribution and verify its
    integrity by the methods listed in section 3) of this announcement.
    Then, install the package using the command "rpm -Fhv file.rpm" to apply
    the update.

    Our maintenance customers are being notified individually. The packages
    are being offered to install from the maintenance web.

    x86 Platform:

    SUSE Linux 9.1:
    ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/qt3-3.3.1-36.16.i586.rpm
      ee1026d5b6a4a554d95ce9d3626d6bf7
    ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/qt3-non-mt-3.3.1-41.14.i586.rpm
      ea6c27890eb69d47b54786a727cb782f
    ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/qt3-static-3.3.1-41.14.i586.rpm
      b965364531163627f34b9a66e6d0b07e

    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/qt3-3.3.1-36.16.i586.patch.rpm
      e698670506097dff0f9e61b594bcfeb9
    ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/qt3-non-mt-3.3.1-41.14.i586.patch.rpm
      e64be5421ff6f1451c2b2dc926f8f081
    ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/qt3-static-3.3.1-41.14.i586.patch.rpm
      b891c79e3a96538b69417e1aba6e85c4

    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/qt3-3.3.1-36.16.src.rpm
      7d3b4859cca3548004d4dc0e2cb431a8
    ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/qt3-non-mt-3.3.1-41.14.src.rpm
      1ebff5e543d7d36cd13670189fe50443
    ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/qt3-static-3.3.1-41.14.src.rpm
      a14a20c83eedde899af40a88cf60a14a

    SUSE Linux 9.0:
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/qt3-3.2.1-68.i586.rpm
      975f35315d69a283355a9734edb323b1
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/qt3-non-mt-3.2.1-70.i586.rpm
      2256aa7e05a0d6f3a055dc915c6823a9
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/qt3-static-3.2.1-70.i586.rpm
      df61777b0ce9dc097c794bcf3d236981

    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/qt3-3.2.1-68.i586.patch.rpm
      26cb661048adf99b3633d633347043a7
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/qt3-non-mt-3.2.1-70.i586.patch.rpm
      f36dcd428c96ff5126817d0dfb130816
RE: [Full-Disclosure] Electronic Voting Machines - WinVote by Adv anced Voting Solutions
Using 802.11 for anything remotely critical is outright STUPID. FCC regulations are such that these part 15 devices (802.11, cordless phones, baby monitors) have no legal protection from interference from licensed services (amateur radio, TV stations, etc). If I'm running a high powered (10-100 watt) maybe signal at 2.4 GHz for amateur radio TV and happen to be living across the street from an election center, they're basically screwed. As a matter of fact, if their 802.11 is interfering with my licensed operation, it is they who must shut down.

-Michael

Without even commenting on the security of WEP, it seems to me that a massive DDOS attack against the voting machines could prevent vote tallies from being counted in a timely manner.
Re: RE: [Full-Disclosure] Electronic Voting Machines - WinVote by Adv anced Voting Solutions
On Thu, 19 Aug 2004 10:21:49 -0500, Michael Williamson [EMAIL PROTECTED] wrote:

Using 802.11 for anything remotely critical is outright STUPID. FCC regulations are such that these part 15 devices (802.11, cordless phones, baby monitors) have no legal protection from interference from licensed services (amateur radio, TV stations, etc). If I'm running a high powered (10-100 watt) maybe signal at 2.4 GHz for amateur radio TV and happen to be living across the street from an election center, they're basically screwed. As a matter of fact, if their 802.11 is interfering with my licensed operation, it is they who must shut down.

-Michael

Without even commenting on the security of WEP, it seems to me that a massive DDOS attack against the voting machines could prevent vote tallies from being counted in a timely manner.

Perhaps they need to invest in some of this...

http://www.theregister.co.uk/2004/08/12/wifi_wallpaper/

"British boffins have developed wallpaper that blocks Wi-Fi traffic but still allows other wireless transmissions to pass through in a bid to prevent unauthorised access to sensitive data via the WLAN. Developed by UK defence company BAE Systems, the wallpaper uses Frequency Selective Surface (FSS) sheeting, a material more commonly found slapped on military aircraft, naval vessels and radar antennae, New Scientist reports."

--
Tremaine
IT Security Consultant
Re: [Full-Disclosure] Electronic Voting Machines - WinVote by Adv anced Voting Solutions
On 19 Aug 2004, at 07:09, Fetch, Brandon wrote:

Next question - is the traffic encrypted between the counting station and the booth itself? If it's not, I'm filing a paper vote in my community from now on.

Then again, you should anyway :-)
Re: [Full-Disclosure] mail.yahoo.com issue
What you may be seeing is a typical implementation on large networks where load balancing is performed on the front end connections. In the event that the service is not available from the pool of primary servers, a secondary pool can be made available that returns something along the lines of "line busy, please try again later". Refreshing may or may not reproduce the page since the condition that caused the session to be directed to the lower priority pool may no longer exist at the time the refresh is performed. Basically, for large sites like Yahoo, it's a nicer way of responding than "404 - Page Not Found".

-- Greg

On or about 2004.08.19 09:49:43 +, LaRose, Dallas ([EMAIL PROTECTED]) said:

When visiting http://mail.yahoo.com, occasionally the server will serve up a strange page saying only "do you yahoo?". With a few refreshes (which likely pulls the content from other servers), you will get to the yahoo mail login page. It looks like some of their servers are not returning correct results. I'm not sure whether it's malicious, but it's worth noting.

Source of strange page:

    <html><head><title>do you yahoo?</title></head>
    <body>
    <h1>do you yahoo?</h1>
    </body></html>
    <!-- l27.login.scd.yahoo.com compressed/chunked Thu Aug 19 07:38:10 PDT 2004 -->

--
Gregory A. Gilliss, CISSP                              E-mail: [EMAIL PROTECTED]
Computer Security                             WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
Re: [Full-Disclosure] mail.yahoo.com issue
OT - Graham Cluley - great name.

G

On or about 2004.08.19 16:47:38 +, raize ([EMAIL PROTECTED]) said:

> Load balancing.
> http://news.zdnet.co.uk/internet/security/0,39020375,39162570,00.htm
>
> This is working as intended. Quit refreshing Yahoo pages and causing them more trouble.

--
Gregory A. Gilliss, CISSP                        E-mail: [EMAIL PROTECTED]
Computer Security                                WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
Re: [Full-Disclosure] Electronic Voting Machines - WinVote by Advanced Voting Solutions
On 19 Aug 2004, at 10:08, Tremaine wrote:

> On Thu, 19 Aug 2004 10:21:49 -0500, Michael Williamson [EMAIL PROTECTED] wrote:
>
> Without even commenting on the security of WEP, it seems to me that a massive DDOS attack against the voting machines could prevent vote tallies from being counted in a timely manner.
>
>> Using 802.11 for anything remotely critical is outright STUPID. FCC regulations are such that these part 15 devices (802.11, cordless phones, baby monitors) have no legal protection from interference from licensed services (amateur radio, TV stations, etc). If I'm running a high powered (10-100 watt) maybe signal at 2.4 ghz for amateur radio TV and happen to be living across the street from an election center, they're basically screwed. As a matter of fact, if their 802.11 is interfering with my licensed operation, it is they who must shut down.
>
> Perhaps they need to invest in some of this...
> http://www.theregister.co.uk/2004/08/12/wifi_wallpaper/

Perhaps they need to invest in some of this...
http://www.amazon.com/exec/obidos/tg/detail/-/B0J1V3
Re: [Full-Disclosure] Electronic Voting Machines - WinVote by Advanced Voting Solutions
On Thu, 19 Aug 2004 11:18:55 -0700, Andrew Farmer [EMAIL PROTECTED] wrote:

> On 19 Aug 2004, at 10:08, Tremaine wrote:
>
>> On Thu, 19 Aug 2004 10:21:49 -0500, Michael Williamson [EMAIL PROTECTED] wrote:
>>
>> Without even commenting on the security of WEP, it seems to me that a massive DDOS attack against the voting machines could prevent vote tallies from being counted in a timely manner.
>>
>>> Using 802.11 for anything remotely critical is outright STUPID. FCC regulations are such that these part 15 devices (802.11, cordless phones, baby monitors) have no legal protection from interference from licensed services (amateur radio, TV stations, etc). If I'm running a high powered (10-100 watt) maybe signal at 2.4 ghz for amateur radio TV and happen to be living across the street from an election center, they're basically screwed. As a matter of fact, if their 802.11 is interfering with my licensed operation, it is they who must shut down.
>>
>> Perhaps they need to invest in some of this...
>> http://www.theregister.co.uk/2004/08/12/wifi_wallpaper/
>
> Perhaps they need to invest in some of this...
> http://www.amazon.com/exec/obidos/tg/detail/-/B0J1V3

Definitely a better solution ;)

--
Tremaine
IT Security Consultant
Re: [Full-Disclosure] mail.yahoo.com issue
Load balancing. http://news.zdnet.co.uk/internet/security/0,39020375,39162570,00.htm This is working as intended. Quit refreshing Yahoo pages and causing them more trouble.
RE: [Full-Disclosure] Microsoft Windows XP SP2
Confirmed icon vulnerability as working on SP1 and SP2. I found that regedit.exe, winhelp.exe, and explorer.exe are also vulnerable and display their corresponding icon. I am unsure as to how useful this is as a vulnerability, but it shouldn't be present nonetheless.

Michael Young
IT Consultant
Miles Technologies
(856)439-0999

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 19, 2004 11:35 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Microsoft Windows XP SP2

Let's commence by giving credit where credit is due. The thinking is that the manufacturer of Windows XP has done a splendid job in patching their little operating system with 300 million dollars' worth of fixes. This is not exactly 'pocket change'.

But this is:

1. trivial scripting in the local zone
2. notepad icon regardless of file in XP's little zip thing

http://www.malware.com/malware.sp2.zip

many other 'bits and pieces' to be had but overall a splendid effort on the manufacturer's part [for now]. Not quite sure where all that money went though.

End Call

--
http://www.malware.com
Re: [Full-Disclosure] Electronic Voting Machines - WinVote by Advanced Voting Solutions
>>> Perhaps they need to invest in some of this...
>>> http://www.theregister.co.uk/2004/08/12/wifi_wallpaper/
>>
>> Perhaps they need to invest in some of this...
>> http://www.amazon.com/exec/obidos/tg/detail/-/B0J1V3
>
> Definitely a better solution ;)

Or even better, one of these
http://sprott.physics.wisc.edu/neural/BRAIN.GIF
RE: [Full-Disclosure] Microsoft Windows XP SP2
I believe the $300 million figure being quoted has the marketing of SP2 in there. They want to get the word out globally to get patched and are supposed to do a lot to help out the folks in areas that can't get it off the NET. Also I believe they are supposed to pull the current retail boxed copies of XPs in stores and replace with XP2 versions. Also many security pros have petitioned Microsoft to release SP2 CDs like AOL CDs - have them for free in computer stores and magazines, etc. Whether that will happen or not remains to be seen. But MS is pretty adamant about trying to get as many machines patched as possible.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 19, 2004 11:35 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Microsoft Windows XP SP2

Let's commence by giving credit where credit is due. The thinking is that the manufacturer of Windows XP has done a splendid job in patching their little operating system with 300 million dollars' worth of fixes. This is not exactly 'pocket change'.

But this is:

1. trivial scripting in the local zone
2. notepad icon regardless of file in XP's little zip thing

http://www.malware.com/malware.sp2.zip

many other 'bits and pieces' to be had but overall a splendid effort on the manufacturer's part [for now]. Not quite sure where all that money went though.

End Call

--
http://www.malware.com
RE: [Full-Disclosure] Microsoft Windows XP SP2
I personally think that Microsoft should turn the hiding of file types off by default. We all turn it off and it doesn't help basic users learn file types. They go by the icons and therefore the icon issue is a better security threat.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Young
Sent: Thursday, August 19, 2004 2:23 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Microsoft Windows XP SP2

Confirmed icon vulnerability as working on SP1 and SP2. I found that regedit.exe, winhelp.exe, and explorer.exe are also vulnerable and display their corresponding icon. I am unsure as to how useful this is as a vulnerability, but it shouldn't be present nonetheless.

Michael Young
IT Consultant
Miles Technologies
(856)439-0999

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 19, 2004 11:35 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Microsoft Windows XP SP2

Let's commence by giving credit where credit is due. The thinking is that the manufacturer of Windows XP has done a splendid job in patching their little operating system with 300 million dollars' worth of fixes. This is not exactly 'pocket change'.

But this is:

1. trivial scripting in the local zone
2. notepad icon regardless of file in XP's little zip thing

http://www.malware.com/malware.sp2.zip

many other 'bits and pieces' to be had but overall a splendid effort on the manufacturer's part [for now]. Not quite sure where all that money went though.

End Call

--
http://www.malware.com
[Full-Disclosure] Security aspects of time synchronization infrastructure
Hello bugtraq,

I published a whitepaper called "Security aspects of time synchronization infrastructure". It describes some observations on very common security flaws in time synchronization infrastructure design, including (but not limited to) MS Windows Active Directory.

http://www.security.nnov.ru/advisories/timesync.asp

Any comments are very appreciated.

--
/3APA3A
Re: Re: [Full-Disclosure] Electronic Voting Machines - WinVote by Advanced Voting Solutions
On Thu, 19 Aug 2004 15:27:59 -0500, Michael Williamson [EMAIL PROTECTED] wrote:

>>>> Perhaps they need to invest in some of this...
>>>> http://www.theregister.co.uk/2004/08/12/wifi_wallpaper/
>>>
>>> Perhaps they need to invest in some of this...
>>> http://www.amazon.com/exec/obidos/tg/detail/-/B0J1V3
>>
>> Definitely a better solution ;)
>
> Or even better, one of these
> http://sprott.physics.wisc.edu/neural/BRAIN.GIF

*Now* you're dreamin' ;)

--
Tremaine
IT Security Consultant
RE: [Full-Disclosure] Security aspects of time synchronization infrastructure
Interesting paper. I am curious about this statement though as you seemingly don't give supporting information.

> If network is configured in accordance to these recommendations it's possible to bring whole Windows 2003 forest down with a single UDP packet.

What is your line of reasoning here? In a properly configured forest, all machines will take their time from their default time source and not from a preconfigured machine as you outlined. If the time on the PDC emulator of the forest is spanked into a new value, either the other machines will be unable to sync with it due to not being able to authenticate with it or the forest time will change and authentication will continue on. It could impact kerberos certs in that they may need to be reissued sooner, but I fail to see an issue where the entire forest could be brought down.

I could see this having adverse effects on MIT trusts and non-MS kerberos clients unless they have the Vintela or Centrify *nix/Win integration software (or other software configured to do the same) that forces a timesync with the Forest.

If you would prefer to discuss offline, that is fine as well.

Thanks,
joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 3APA3A
Sent: Thursday, August 19, 2004 5:26 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Security aspects of time synchronization infrastructure

Hello bugtraq,

I published a whitepaper called "Security aspects of time synchronization infrastructure". It describes some observations on very common security flaws in time synchronization infrastructure design, including (but not limited to) MS Windows Active Directory.

http://www.security.nnov.ru/advisories/timesync.asp

Any comments are very appreciated.

--
/3APA3A
[Full-Disclosure] [ GLSA 200408-19 ] courier-imap: Remote Format String Vulnerability
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory           GLSA 200408-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: courier-imap: Remote Format String Vulnerability
      Date: August 19, 2004
      Bugs: #60865
        ID: 200408-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

There is a format string vulnerability in non-standard configurations of courier-imapd which may be exploited remotely. An attacker may be able to execute arbitrary code as the user running courier-imapd (oftentimes root).

Background
==========

Courier-IMAP is an IMAP server which is part of the Courier mail system. It provides access only to maildirs.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /              Unaffected
    -------------------------------------------------------------------
  1  net-mail/courier-imap         <= 3.0.2-r1                 >= 3.0.5

Description
===========

There is a format string vulnerability in the auth_debug() function which can be exploited remotely, potentially leading to arbitrary code execution as the user running the IMAP daemon (oftentimes root). A remote attacker may send username or password information containing printf() format tokens (such as "%s"), which will crash the server or cause it to execute arbitrary code. This vulnerability can only be exploited if DEBUG_LOGIN is set to something other than 0 in the imapd config file.

Impact
======

If DEBUG_LOGIN is enabled in the imapd configuration, a remote attacker may execute arbitrary code as the root user.

Workaround
==========

Set the DEBUG_LOGIN option in /etc/courier-imap/imapd to 0. (This is the default value.)

Resolution
==========

All courier-imap users should upgrade to the latest version:

    # emerge sync
    # emerge -pv ">=net-mail/courier-imap-3.0.5"
    # emerge ">=net-mail/courier-imap-3.0.5"

References
==========

  [ 1 ] iDEFENSE Advisory
        http://www.idefense.com/application/poi/display?id=131&type=vulnerabilities&flashstatus=true

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200408-19.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
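The auth_debug() flaw the GLSA describes, as an added example in C that is not Courier-IMAP's source: a varargs debug logger of the shape such helpers usually have (the real helper's name and signature are an assumption here), the vulnerable call site that hands the client-supplied login string to it as the format, the hardened call site that passes the same string through a fixed "%s", and a small counter of printf conversion directives that can be run over IMAP LOGIN fields as a detection check. The login strings are constructed for the demonstration; the hostile one is only ever sent through the hardened path, since passing it to the vulnerable path is undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Courier-IMAP code. debug_logf() stands in for a debug
 * logging helper of the kind the advisory's auth_debug() is (assumption: the
 * real helper differs). It writes into a caller-supplied buffer so the result
 * can be inspected instead of going to syslog. */
static int debug_logf(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE call site: the client-supplied login string becomes the format.
 * A string such as "%s%s%s" makes vsnprintf read pointers off the stack
 * (crash); "%n" makes it write through them, which is what turns the bug
 * from a crash into code execution. */
static int log_login_vulnerable(char *out, size_t outlen, const char *client_login)
{
    return debug_logf(out, outlen, client_login);   /* BUG: attacker controls fmt */
}

/* HARDENED call site: fixed format, untrusted data only ever as an argument. */
static int log_login_safe(char *out, size_t outlen, const char *client_login)
{
    return debug_logf(out, outlen, "auth_debug: login=%s", client_login);
}

/* Count printf conversion directives in an untrusted string, treating "%%"
 * as a literal percent sign. A non-zero count in an IMAP username or
 * password is a cheap signal that someone is probing for this class of bug. */
static int count_format_directives(const char *s)
{
    int n = 0;
    const char *p;

    for (p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char line[256];
    /* Constructed sample inputs. */
    const char *benign  = "alice";
    const char *hostile = "%08x.%08x.%08x.%s%n";

    log_login_vulnerable(line, sizeof line, benign);
    printf("vulnerable path, benign input : %s\n", line);

    /* The hostile string goes only through the hardened path: it is logged
     * literally and its directives are never interpreted. */
    log_login_safe(line, sizeof line, hostile);
    printf("hardened path, hostile input  : %s\n", line);

    printf("directives in \"%s\": %d\n", hostile, count_format_directives(hostile));
    printf("directives in \"%s\": %d\n", "100%% sure", count_format_directives("100%% sure"));
    return 0;
}
```

Giving debug_logf() a `__attribute__((format(printf, 3, 4)))` and compiling with -Wformat -Wformat-security makes the compiler flag the vulnerable call site ("format not a string literal and no format arguments") while the hardened one stays quiet; that is the cheapest audit for this bug class in a code base with many logging wrappers.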
Re: [ok] [Full-Disclosure] RE: [Full-Disclosure]MS should re-write code with security in mind
Well said...

-ASB

On Thu, 19 Aug 2004 11:18:00 -0300, James Tucker [EMAIL PROTECTED] wrote:

> First of all, almost all Windows users demand backward compatibility. While MS's software is not open source, MSDN indexes a huge number of libraries and most all of these would have to be wrapped up to work under a newly written OS if backward compatibility is to be maintained. Programmers of 3rd party windows software also have a long history of not doing things the way they should (are told to) and this will lead to further problems if the quirks of the OS are removed. This is an issue which MS will face for years to come, and they are trying to re-write major portions of the OS in Longhorn. SP2 was a step in the right direction protecting most of the buffers in the OS.
>
> A drastic but potentially good option they have is actually to release their old legacy operating systems free of charge. Source release for MS is probably not a good idea, as a lot of the source does not change, and it is likely that many new exploits would be theorised in a very short space of time. At least if the legacy OS's were available consumers with legacy applications would not have so much to complain about, in terms of lack of support and patching. There are a great deal of old DOS based applications in the world which have yet to be rebuilt on any more modern systems; and yet to re-install these systems it is nearly impossible these days. To find a fresh copy of DOS is very hard now. More importantly it is even more difficult to find a boot disk formatted with the correct generation of boot loader.
>
> Built in encryption is available in NT and this can be hardened with security upgrades available on MS's site. There are laws which govern MS in this regard and restrict them from exporting high encryption OS's from the US, the specifics of which I do not know, but google would be able to tell you.
>
> NT is a multi-user OS, it has a client server hierarchy to it also.
>
> The process scheduling system in NT is a proper process scheduler and a lot of work went into changing this in Windows XP. In fact certain details were changed in SP1 and it is not unlikely that they changed again in SP2, although I have not heard as such.
>
> I am sure you are probably aware of the issues of attempting to secure and authenticate all mail transfer. Authentication unfortunately directly conflicts with privacy, in that if a user is to prove who they are, then you know who they are. Server side authentication can be useful, although this still requires some kind of centralisation in order to properly authenticate. Backwards compatibility issues are obvious, and more importantly you will note that holes in the system will appear any time traditional plain text SMTP is allowed. Deep packet inspection ISP side to stop SPAM and viruses is possible, however as you should be aware, being a firewall consultant, this is neither fast nor cheap. The best recent solution being the regexp system in Checkpoint FW1 NG+AI.
>
> Finally, it is not impossible for you to implement what you want without MS's involvement. Theoretically there is nothing to stop the community from writing an application which simply redirects all IP traffic through encrypted and fully authenticated channels. This kind of solution could work very effectively in a LAN scenario where all machines speak the same language. On the Internet the game changes, but of course, it was the Internet we were worried about in the first place.
>
> It is true to say that closing all holes in MS software would reduce the volume of SPAM and viruses on the Internet. Of course this would take some time however, as many places which remain infected (which contribute to most of the volume) simply would not update for a long time anyway (and it is this lack of updates and security which puts them there in the first place).
>
> If administrators and users of MS software are simply made more aware of the issues which face the Internet and the professionals who support it, we will slowly see a big improvement. SP2, good or bad, was a step in this direction, at the very least the security center will encourage users to buy / upgrade their anti virus solutions, and the recompilation of major portions of the OS with buffer checking will reduce the number of exploits possible in the OS.
>
> Software is unfortunately imperfect, and will rarely be perfect. It is likely that as most systems become more secure, the viewed need for vigilance on security will be lost among non-IT pros. When that time comes, it will be the rare exploits which will cause major damage, not the near daily patches we see now.
>
> "there are no problems, only income opportunities!" -Tony Lawrence.
>
> my 2c.
>
> On Wed, 18 Aug 2004 16:00:05 -0500, Curt Purdy [EMAIL PROTECTED] wrote:
>
>> Clairmont, Jan M wrote:
>>
>>> M$ should just bite the bullet and re-write windows with security in mind,
[Full-Disclosure] Insecure file permission of ZoneAlarm Pro.
Hello list,

ZoneAlarm stores its config files in %windir%\Internet Logs\* . But strangely, ZoneAlarm sets the folder/file permission (NTFS) of %windir%\Internet Logs\* to

  EVERYONE: Full

after it's first started. Even if you try to change the permission to...

  Administrator(s): full
  system: full
  users: read and execute

[these are the default permissions]

Strangely, the permission again changes back to...

  EVERYONE: Full

each time ZoneAlarm Pro (ZAP) is started. I've tested these in ZAP 4.x and 5.x.

This could prove harmful if we have a malicious program/user running even with user privilege on the system. Well, a malicious program could modify those config files in a way ZAP will stop functioning.

This is what ZoneLabs had to say...

---snip---
anyone could open any ZoneAlarm file (assuming it isn't locked), edit it with a hexeditor and cause it to stop functioning. This type of modification wouldn't be classified as an attack, as you have simply modified the file and caused it to not function as expected. This is true of any executable or other binary.
---/snip---

yap, true... but shouldn't ZAP have some protection against such attacks? instead of leaving the permission to EVERYONE: Full

I wonder if a program could bypass ZAP filters using safePrograms*.xml [...experimenting]

anyone wanna take this thing to a new level, please go on...

Regards,
Bipin Gautam
http://www.geocities.com/visitbipin/