RE: [Full-Disclosure] driver for display goes to a infinite loop by viewing a html!

2004-08-11 Thread Stuart Fox \(DSL AK\)
> 
> hello,
> 
> Please note the fact, I've just tested it with IE and Firefox 
> .9.3 on Windows XP with Intel VGA and the system reboots with 
> a fatal error.
> 
> There have been reports the exploit doesn't trigger via an 
> Opera browser.
> 

Doesn't work on Firefox 0.93 on Windows XP SP2 with ATI Radeon IGP 320M.
Just hung the browser (and effectively the machine), but killing the
task brought everything back to life.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] XP SP2 - Still Buggy

2004-08-11 Thread Stuart Fox \(DSL AK\)



Haven't seen that behaviour on any of the SP2 boxes I've 
been involved with.  You haven't got some application running in the 
background that's "stealing" focus have you - maybe some AV software or 
something like that that loads at startup?

  
  
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Staves, Steve
> Sent: Thursday, 12 August 2004 6:41 a.m.
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] XP SP2 - Still Buggy
> 
> Unfortunately, the notorious Microsoft Mammoth is still holding on to its
> ever persistent image of wreaking havoc on O/S's!  With the latest update
> from our esteemed "Rulers", XP now has an added "Undocumented feature" of
> losing focus on applications - even on logging in.
> 
> e.g.  Press CTRL-ALT-DEL to bring up the logon dialog box - the text will
> flash three times and then lose focus.  Open up a copy of IE, same thing -
> three flashes and then poof, lost focus, and not only that, but if you
> happen to minimize your currently active screen, you cannot click on the
> toolbar to bring up any previous windows until you minimize the 'new'
> active screen??
> 
> But ... We need not worry though,
> For Microsoft keep on raking in the dough.


RE: [Full-Disclosure] Viral infection via Serial Cable

2004-08-30 Thread Stuart Fox \(DSL AK\)
 

> 
> So the question is, is a pc / machine connected to another pc 
> via serial cable only using specialised windows software to 
> move data to the machine at all vulnerable to viruses?  Can 
> they transmit themselves across a serial cable?
> 

It all really depends on how transport independent the virus/worm is.
If it uses only TCP/IP to transmit itself, and the serial link is using
some other protocol, then the answer is of course no.  If the worm
simply expects to see "a network transport" then the answer would be
yes. 



RE: [Full-Disclosure] Re: Microsoft Security, baby steps ?

2004-03-16 Thread Stuart Fox (DSL AK)
> 
> Come on Microsoft. How about putting together a single file 
> that contains all the "critical" security updates since the 
> last service pack for a given OS? 

How about every time they release a fix, they also release a rollup, so you
can either download the individual fix, or all the fixes up to that point?


> Who knows, perhaps then we'd get sensible 
> results out of MBSA?

Is it just me, or does the idea of having to have the Remote Registry
Service running to use the MBSA really annoy everyone else as well?

> 
> I use kickstart and the genhdlist package with Red Hat to 
> ensure that any installed system has all the updates 
> installed on the first boot after installation. Why then does 
> Windows have to lag so far behind?

A combination of SMS & SUS can provide almost the same thing, but having to
put SMS in isn't really desirable.

Cheers

Stu



RE: [Full-Disclosure] Re: [OFF TOPIC] winxp home expusure

2004-03-22 Thread Stuart Fox (DSL AK)
I assume that there's detailed analysis somewhere of the information that it
sends back?  I'd be interested to see it.

Cheers

Stu

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Tobias Weisserth
> Sent: Tuesday, 23 March 2004 11:48 a.m.
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Re: [OFF TOPIC] winxp home expusure
> 
> Hi there,
> 
> On Mon, 22.03.2004, Richard Maudsley wrote at 20:40:
> ...
> > You are suggesting that Windows lies about the state of its network 
> > interfaces?
> 
> Well, at least it's no secret that Microsoft uses Windows XP 
> to send back information about the customer's machine without 
> notifying him about this. I'd call this a lie about the state 
> of the network. 
> 
> This is reason enough for me not to trust MS with any version 
> of Windows more recent than Windows 2000.
> 
> regards,
> Tobias W.
> 
> 
> --
> Tobias Weisserth
> [EMAIL PROTECTED]|com|net|org]
> http://www.weisserth.org
> 
> Encrypted mail is welcome.
> Key and fingerprint: http://imprint.weisserth.org
> 



RE: [Full-Disclosure] viruses being sent to this list

2004-03-22 Thread Stuart Fox (DSL AK)
 
> 
> | I vote to take you off this list.  Talk about S/N ratios.
> 
> Lucky for me then, that this is FD. Anybody can talk here and 
> say whatever they like.
> 
> This is what it states in the list charter.
> 
> Just like any Microsoft sucks rant, or "die b*tch" flame, my 
> emails are acceptable content. As people filter the noise, 
> they can filter my emails.

Why don't you substitute the word "viruses" for "my emails" in the sentence
above?
  
It would seem that the weight of opinion might be against you on this one,
I'd give up while you're still only marginally behind...



RE: [Full-Disclosure] viruses being sent to this list

2004-03-22 Thread Stuart Fox (DSL AK)
 

> -Original Message-
> From: Gadi Evron [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, 23 March 2004 4:27 p.m.
> To: Stuart Fox (DSL AK)
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] viruses being sent to this list
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> | It would seem that the weight of opinion might be against you on this 
> | one, I'd give up while you're still only marginally behind...
> 
> I will defend my opinion here, as I unwisely committed to 
> this discussion, a while longer. As I am permitted to by the 
> list charter, which I am defending, as it has been breached.

Trouble is, the charter applies to humans.  Viruses don't read the charter
before they send their messages.  Basically, I read the charter to say
"don't deliberately send viruses/worms to the list".  The charter doesn't
say anything about what will happen to automated attacks.

Given that AV vendors tend to charge per user for their mail scanning
products, it probably wouldn't be too financially viable for the list owners
(who graciously host the list for free) to implement scanning anyway. 

Cheers

Stu



RE: [Full-Disclosure] Re: Microsoft Coding / National Security Ri sk

2004-03-24 Thread Stuart Fox (DSL AK)
 
> thus spoke Richard Hatch <[EMAIL PROTECTED]> 
> [2004.03.24.1110 +0100]:
> > Take a team of really really good C/C++ coders with excellent security 
> > vulnerability knowledge and have them go through the source code for 
> > windows (starting with the core functionality and internet facing 
> > functionality maybe).  Find these bugs (including methodical black-box 
> > testing against the binaries) and fix them.
> 
> You will have a hard time, given the patched OS that Windoze is.
> Where design is flawed you can't add security.

Seems to me that common consensus is that the Windows design is actually
relatively good - it is the implementation that is the problem.



RE: [Full-Disclosure] Top 15 Reasons Why Admins Use Security Scan ners

2004-04-28 Thread Stuart Fox (DSL AK)
 
And some more things for you to think about
> 
> Just some things to think about...
> 
> > Top 15 Reasons Why Admins Use Security Scanners
> 
> Question: Should admins be using security scanners?

Someone should be.  Admins should be to confirm that their environment is in
the state that they believe it to be.

> 
> > This list has been compiled by emailing various Security/Admin 
> > lists...
> > Anyone care to offer their input - add to the list?
> > 
> > -Am I sure that I have found all vulnerabilities in my network?
> > -Have I configured my network properly?
> 
> What's your policy say?  If you're relying on a security 
> scanner to define proper network configuration, maybe you're 
> in the wrong line of work.

How do you know your policy has been implemented properly?  A security scan
is a useful tool to help you determine this.  How do you know that your
policy is still relevant - are there new security best practices that are
relevant that a security scan could help you find?

> 
> > -Am I finding and closing security holes fast enough?
> 
> With proper policies and procedures in place, it's not a 
> matter of finding and closing holes fast enough. 
> Some Microsoft guys (Dave LeBlanc included) set up an IIS 4.0 
> web server on NT a full year before Code Red came out, and 
> from the time it went live, it was immune to Code Red.  Why?  
> The ida/idq script mappings were unnecessary functionality 
> and therefore disabled.

Again, have new types of vulnerabilities been discovered, are there new best
practices?  The reason Code Red hit so hard was because people didn't know
about removing script mappings - it wasn't a common best practice.  It
became one pretty quickly after Code Red.

> 
> > -How do I know which machines have a missing patch?
> 
> What is your patch management process?

Is my patch management process working?  A security scan may well be part of
your patch management process, but you need to confirm that what your
process says and what is actually happening are the same.

> 
> > -Are we resistant enough to network-savvy viruses that spread via 
> > known exploits?
> 
> What is "resistant enough"?  You can roll out Norton on your 
> email server (and other servers) as well as on your desktops, 
> and manage them all from a central location, pushing out 
> updates as they become available?  Do you?  A security 
> scanner won't tell you if you do or not.

How do you confirm that updates are actually being rolled out, as opposed to
trusting that they are?
> 
> > -Are we in compliance with HIPAA, Sarbanes-Oxley and other 
> > regulations?
> 
> The only way a security scanner will tell you this is if it's 
> compliant, as well.
> 
> > -What have I missed in locking down a server or environment?
> 
> What do your policies and procedures say?

Have my policies and procedures been implemented properly?  How do I know -
by running a security scan?

> 
> > -Do I have my network perimeter and interior sufficiently protected?
> > -Have I identified and protected my network resources from external 
> > threats?
> > -Do I know which systems are now well protected?
> > -How vulnerable are we from the inside?
> 
> From what threat?  Are you referring to users, or to admins?

Probably both.  They're a different class of threat obviously, but both need
to be considered.

> 
> > -How will I ever pass my IT Security Audits?
> 
> Don't worry about it...most audits don't seem to have an IT 
> background, and even when they do, they don't take the time 
> to understand your business processes or your network infrastructure.
> 
> > -How do I locate computers on my network, that are not within 
> > compliance?
> > -How do I report to Management that we have done all we 
> could to lock 
> > down?
> 
> Very carefully.  IT guys and management don't speak the same language.
> 
> > -How do I detect unknown and/or rogue
> > devices/connections?
> 
> By understanding your infrastructure.  If you know what IP 
> address ranges are assigned and to where, then you'll know 
> that whatever device is on 10.2.1.52 shouldn't be responding 
> to ICMP...

And how did you detect that it **was** responding to ICMP - it wasn't by
running a security scan was it?

You've offered a lot of thoughts that seem to involve a degree of faith in
policies and procedures.  Policies and procedures can only do so much, but
you have to confirm that they are actually implemented correctly.  A
security scan is one way to develop improvements to your policies and
procedures, or to spot ways where their implementation could be improved.



RE: [Full-Disclosure] Top 15 Reasons Why Admins Use Security Scan ners

2004-04-28 Thread Stuart Fox (DSL AK)
 
I think you're oversimplifying things a little.  Comments inline.

> 
> But there's also another way to look at the original 
> comment...security is a process.  Running a vulnerability 
> scanner isn't a process...it's a point-in-time check, a 
> snapshot.

But running a security scanner could well be part of that process.  Part of
the security management process is assessing what you have and why it's like
it is.  A security scan could well indicate areas where your process and
policies could be improved.  Sure, a vulnerability scanner is a point in
time check, but it's one way to help you identify what your current state
is.  If you don't know that your process is faulty, you don't stand a
chance.

> A good IT security auditor won't focus on the fact 
> that certain systems have vulnerabilities...he or she will 
> focus on *why* they have the vulnerabilities.

That's a really good point, and does need to be considered.  However, if the
auditor doesn't know that there *are* vulnerabilities, how will they know to
look for the *why*?



RE: [Full-Disclosure] Top 15 Reasons Why Admins Use Security Scan ners

2004-04-28 Thread Stuart Fox (DSL AK)
 
 
> > > Question: Should admins be using security scanners?
> > 
> > Someone should be.  Admins should be to confirm that their environment 
> > is in the state that they believe it to be.
> 
> I guess we'll have to agree to disagree.  In my experience, 
> the guy who set a system up shouldn't be the one to inspect 
> it, or verify it.  

Well in some environments that's not an option.  In others, you might
delegate setting up a system to junior techs and you need to confirm that
they've been following correct procedures.  It might also indicate that your
procedures are useless.

> 
> Also, I'm sort of thinking that if someone doesn't know how 
> to set up and maintain a system, what good is it for that 
> same person to run a scanner on it?

Well, it might indicate to them that there are issues with the way they do
things.  Sure, if they're not paying attention or are not switched on, they
might not get anything from running a scanner.  However, if they are
learning, they'll say "Hey, I could improve my process here and make things
better".  The answer to your question is, it depends, and the good will
range from nothing to a  lot.

>  
> > Again, have new types of vulnerabilities been discovered, are there 
> > new best practices.  The reason Code Red hit so hard was because 
> > people didn't know about removing script mappings - it 
> wasn't a common 
> > best practice.  It became one pretty quickly after Code Red.
> 
> Actually, the best practice of removing unnecessary 
> functionality has long been in place, well before Code Red 
> reared its head.  
> The same is true with the best practice of 
> removing unnecessary script mappings...this was documented by 
> Microsoft and available for free from their site well before 
> Code Red came out.

Removing unnecessary functionality has indeed been in place for a long time.
Code Red indicated that whether Microsoft documented it or not, the best
practice wasn't common.  In fact, before Code Red, it wasn't exactly obvious
that this was a recommended best practice, and the documentation wasn't
really clear.  It's very clear now.

>  
> With regards to the rest of your comments, I think you're 
> missing the point.  I'm not saying that a security scanner 
> shouldn't be run...I just don't think that admins should be 
> the ones to run the scanner.

That's not how it read.  Admins is a pretty blanket statement.  In an ideal
world, security admins should run the scan while others do their work.
However, in a lot of environments, there isn't a dedicated security admin -
it's just a normal admin who has to manage security along with the other 10
million things he has to do.  Is that bad? - yep, it sucks.  However, an
admin running the scanner is better than no one running the scanner. 



RE: [Full-Disclosure] LSASS exploit win32 binary

2004-04-29 Thread Stuart Fox (DSL AK)
For those servers that break when you apply MS04-011, there's a KB article
that describes what to do to work around it.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;841382
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Chris Scott
> Sent: Thursday, 29 April 2004 4:22 p.m.
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] LSASS exploit win32 binary
> 
> Does anyone have snort sigs or any means of defending against 
> the worms that are exploiting this? Several acquaintances of 
> mine which work for edu's are reporting their networks being 
> affected by this in a big way. They have 2k machines which 
> apparently broke when applied with the MS04-011 patch.



RE: [Full-Disclosure] Learn from history?

2004-05-05 Thread Stuart Fox (DSL AK)
> 
> > > 2. If a patch cannot be installed, find workarounds
> >
> > That does not work with the workarounds customers need to facilitate 
> > life (security <> ease of use, remember)
> 
> In the particular case of Sasser, workarounds indicated in KB 
> 835732 and/or making sure TCP 445 is closed to the outside 
> world was enough and not difficult to achieve.
> 
No, it wasn't enough.  It would be until someone dialled to the Internet, or
even to some other third party network that had the virus.  The only thing
that was enough was to patch.  The only people who have the luxury of not
patching are those who have no connectivity from their LAN to any other
network.



RE: [Full-Disclosure] Learn from history?

2004-05-05 Thread Stuart Fox (DSL AK)
 
> 
> > 3. If it is a port-related threat, find out if such ports 
> are in use, 
> > and if not, make sure they are closed. (Of course there would
> 
> Once the virus is on the LAN it can do whatever it wants.
> 
Not quite.  Anyone here using IPSEC filter group policies to block the ports
that Sasser uses to propagate?  Obviously you can't block 445 without
causing significant issues, but you can block the ports Sasser uses to
transfer itself (5554 & 9996).

Anyone here using IPSEC Filter Group Policies at all?

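As an added example (not from the list post), here is the local equivalent of the IPSEC filter policy described above, built with `netsh ipsec static`. It assumes an elevated shell on Windows Server 2003 or XP SP2, where that netsh context exists, and it blocks TCP 5554 and 9996, the two ports the post names for Sasser's transfer, in both directions while leaving 445 alone as the post says. The policy, filter list and action names are arbitrary choices of mine; rolling the same filters out domain-wide would be done through the IP Security Policies node of a Group Policy object instead, which this script does not cover.

```powershell
# Added example: local IPsec filters blocking the Sasser transfer ports
# (TCP 5554 and 9996, as named in the post). Assumes an elevated shell on
# Windows Server 2003 / XP SP2, where "netsh ipsec static" is available.
# Policy, filter-list and action names below are arbitrary choices.
$policy     = 'SasserTransferBlock'
$filterList = 'SasserTransferPorts'
$action     = 'SasserBlock'
$ports      = 5554, 9996

# One policy holds one rule, which pairs a filter list with a block action.
netsh ipsec static add policy name=$policy description=BlockSasserTransferPorts
netsh ipsec static add filterlist name=$filterList
netsh ipsec static add filteraction name=$action action=block

foreach ($port in $ports) {
    # Inbound: anyone connecting to this host on the port. mirrored=yes adds
    # the matching return traffic, so the TCP handshake cannot complete.
    netsh ipsec static add filter filterlist=$filterList srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=$port mirrored=yes
    # Outbound: this host connecting to the port on a remote machine, e.g. an
    # already infected peer offering the worm for download over 5554.
    netsh ipsec static add filter filterlist=$filterList srcaddr=me dstaddr=any protocol=tcp srcport=0 dstport=$port mirrored=yes
}

netsh ipsec static add rule name="${filterList}Rule" policy=$policy filterlist=$filterList filteraction=$action

# Only one local IPsec policy can be assigned at a time; assigning this one
# unassigns any other, so check "show all" first on a host that already has one.
netsh ipsec static set policy name=$policy assign=y

# Read back what was created.
netsh ipsec static show policy name=$policy
```

Port 445 is deliberately not in `$ports`: as the post notes, blocking it breaks file and printer sharing, so these filters only cut the worm's download and remote-shell channels, and patching remains the actual fix.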


RE: [Full-Disclosure] Support the Sasser-author fund started

2004-05-16 Thread Stuart Fox (DSL AK)
 
> All the features required of mature operating systems were 
> added as an afterthought and not designed in. Such things as 
> memory management and file access control 

They've been designed into the Windows NT based OS from the start.

> on a single user/single process/non-network OS. To maintain 
> backward compatibility with DOS and Windows 95, key OS data 
> structures have many assumptions about things like buffer 
> size that lead to buffer overflows. Witness the assumption 
> about machine names that led to Slammer.

Which is an implementation issue, not a design issue.


> The whole Microsoft 
> OS effort has been to grow from a system designed for minimal 
> size machines such as the 640K PC to something that can be 
> used as a system for commerce. Features have been bolted on 
> as they are deemed sellable to make a profit. It wasn't until 
> NT that the file system even had the concept of access 
> control 

So since around 1993 then?

> and backward compatibility has meant that the default 
> ACL is give everyone full control.

Which has now changed (and a good thing too)

>   Unix, by contrast, has always been designed as a 
> multi-user/multi-process system so things like file security 
> and separation of processes are inherent.

That's a bit of a stretch.  Unix has had security bolted on after the fact
as well - it's just got about ten years head start on Windows.

Your mail seemed to switch between issues relating to design and issues
relating to implementation - from what I can gather the design of the NT OS
is a good one (Things like ActiveX excluded), but the implementation has
been full of holes.  



RE: [Full-Disclosure] M$ - so what should they do?

2004-06-21 Thread Stuart Fox \(DSL AK\)
 

> 
> How about changing the ".exe" convention?  Making a file 
> executable by its "extension" probably causes a lot of 
> opportunities for problems, doesn't it?
> 
> Also, the magic file names, like "CON" and "AUX" should go away.
> 

No way!  Am I the only person who still uses "copy con filename.txt" to
create scripts and such at the command line?  Please tell me I'm not?



RE: [Full-Disclosure] M$ - so what should they do?

2004-06-21 Thread Stuart Fox \(DSL AK\)
> > 
> > [SNIP]
> > 
> > >
> > > The second one, I concur completely, get the App stuff out of the 
> > > Windows folders.
> > >
> > 
> > Which includes IE.
> 
> Actually, just doing that one *alone* (splitting it out so it 
> isn't entwined into the OS) would probably do more than 
> anything else.  But we're not likely to see that happen, not 
> since the Microsoft witnesses swore on a Bible that IE was an 
> integral part of the OS

But then of course if you look at it, it's just a set of com components
in a few dll's and iexplore.exe is just the glue that binds them all
together.  It actually probably wouldn't be that hard to remove IE from
the Windows folders - just move those dll's.  Of course, since there are
now so many MS applications that use those components for presentation,
you could argue they are an integral part of the OS (that just means
they should go into C:\program files\common files or somewhere like
that).



RE: [Full-Disclosure] M$ - so what should they do?

2004-06-21 Thread Stuart Fox (DSL AK)
 

> 
> 
> Having all the configs as text files in /etc works fine for 
> Unix-like systems. You can use any editor to look at the 
> config - no need for some proprietary editor (regedit). 
> Automating config changes is as easy as writing a simple 
> shell script. Each config is named after its application, so 
> it's easy to know which is which, and if you need to restore 
> an application, just install the app then copy your backup 
> config file into place. As a matter of fact, an entire system 
> can be restored by re-installing the apps and only restoring 
> /etc (configs) and /home (user
> data) from backup. Try that on Windows. Have you ever had a 
> successful Windows restore without a full system backup or 
> without re-configuring everything from scratch? It is 
> extremely difficult. Why? Because of the registry...
> 
> The "config file mess" is an excuse made up by MS to sell the 
> registry concept. The registry does not make it easier to 
> manage application configuration. Instead, it makes it 
> considerably more complex.
> 
> The real reason for the registry is to make it difficult to 
> copy an application from one machine to another. In other 
> words, it's a copy protection scheme. Remember in the days 
> of Win 3.1, you could do that? It all broke in Win95 with the 
> registry.

You've got some valid points but there is one thing that you've overlooked -
auditing.  One of the (few) advantages that the registry does have is that
you can configure auditing on individual keys, so that if you want to you
can track who made changes and when.  With text files, you simply don't have
that option (of course you can audit changes to the entire file).  Having
said that, I've never actually met anyone who uses the registry auditing,
but I'm sure they're out there.

Some of your points are also a bit dubious - registry mods are mostly
scriptable (except binary data - one of my big gripes with the registry),
and I'm not sure that it makes application configuration any more or less
complex - they each have their advantages and disadvantages.  As for copying
applications, the issues are a bit deeper than the registry - if it was just
the registry it would be easy enough to export & import the relevant keys
(they are well structured).  It tends to be more related to issues such as
dll's needing to be registered etc.

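As an added example (not from the post), this is what the per-key registry auditing mentioned above looks like in practice: it attaches an audit entry (a SACL) to one key so that every write to it, successful or denied, is recorded with the account that made it. It assumes an elevated PowerShell session (writing a SACL needs SeSecurityPrivilege), Windows Vista or later for the `auditpol` subcategory and the event IDs, and a hypothetical application key under HKLM\SOFTWARE\AuditDemo that the script creates for the demonstration; the function name is my own.

```powershell
# Added example (not from the post): put an audit entry (SACL) on a registry
# key so that changes to it are logged with the account that made them.
# Assumes an elevated shell (a SACL write needs SeSecurityPrivilege) and
# Windows Vista or later for auditpol and the event IDs quoted below.
# The key path is a hypothetical application key created just for the demo.
$keyPath = 'HKLM:\SOFTWARE\AuditDemo\Config'

function Enable-RegistryWriteAudit {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }

    # -Audit reads the SACL along with the DACL; without it the object handed
    # back to Set-Acl would carry no audit entries at all.
    $security = Get-Acl -Path $Path -Audit

    # Audit successful *and* failed attempts by anyone to write values, create
    # subkeys or delete the key. Reads are deliberately not audited, which
    # keeps the Security log readable.
    $rights = [System.Security.AccessControl.RegistryRights]'WriteKey, Delete'
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone',
        $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure'
    )

    $security.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $security

    # Return the audit entries now on the key so the caller can verify them.
    return (Get-Acl -Path $Path -Audit).Audit
}

# Audit entries only produce events when the matching audit policy is on;
# this turns on the Registry subcategory of Object Access auditing.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

Enable-RegistryWriteAudit -Path $keyPath |
    Format-Table IdentityReference, RegistryRights, AuditFlags -AutoSize

# Make a change and look for it: value writes appear in the Security log as
# event 4657 (registry value modified), other audited accesses as 4663, each
# naming the subject account, process and the key that was touched.
Set-ItemProperty -Path $keyPath -Name 'Setting' -Value 'changed'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657, 4663 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The audit rule is scoped to writes and to one key with `ContainerInherit`, so subkeys created later pick it up; auditing reads, or the whole hive, is what makes people abandon registry auditing, since the Security log fills within minutes.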


RE: [Full-Disclosure] Web sites compromised by IIS attack

2004-06-30 Thread Stuart Fox \(DSL AK\)
> 
> 
> Paul,
> 
> If I'm understanding you correctly you don't understand 
> Linux/Redhat. Or you're just being silly to make a point. 
> sendmail, wftp, php, etc.. are not owned by Redhat. Each of 
> these applications is owned by someone else and Redhat is 
> allowed to re-distribute them. 

Yeah, but Redhat are the vendor, whether or not they actually wrote the
software, they distributed it to you.  Their product is Redhat Linux
(the distribution), if that has a flaw in it they shouldn't get exempted
just because they didn't write it.  Could Microsoft then pass off
support for ftp.exe for instance?

> 
> And using the number of fixes/patches to an application as an 
> indication of how good it is, is a bad thing. Using this logic 
> you would have to say M$ is a good product.

I believe you haven't looked at http://support.microsoft.com for a
while?

And besides, it was pretty clear that he wasn't using it as an
indication of relative quality, just as an indicator of the fact that
no one writes perfect software.



RE: [Full-Disclosure] Microsoft hides certain types of files from your eyes + some filename parsing bug

2004-07-07 Thread Stuart Fox \(DSL AK\)



The CLSID one doesn't work at all under XP SP2 Beta RC2.  The CLSID is registered on my machine as an HTA.  File extension is shown regardless of whether you have 
view file extensions turned on or off.
 
Cheers
 
Stu


  
  
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Good One
> Sent: Thursday, 8 July 2004 11:37 a.m.
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Microsoft hides certain types of files from your eyes + some filename parsing bug
> 
> Microsoft HIDES certain types of files from your eyes:
> 
> This one is old unpatched "behaviour" ...
> 
> If you create in Windows Explorer the file:
> 
> test.txt
> 
> with content:
> 
> a=new ActiveXObject("WSCript.Shell");
> a.run("CMD.EXE");
> alert("Hello, I'm Silly Billy !");
> 
> It will be executed if you add a CLSID to its name and the user double clicks it:
> 
> test.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}
> 
> Note: the CLSID will remain hidden (Explorer will not show it by any means). The file name for the user will remain: test.txt
> 
> This adds numerous possibilities for viruses to fool the end user with seemingly safe content.
> 
> Another filename parsing bug (the system even cannot access it): by some techniques Windows still allows writing a file to the hard disk with a funny name like:
> 
> test [good one :] .avi
> 
> The end user will experience certain difficulties removing it from the system afterwards. Its name will change to "test [good one", it will have no extension, will show up as 0 bytes etc, etc...
> 
> Of course .url and .lnk are hidden as well, being "shortcuts" in the M$ way. The contents of those files are up to you ... :-)
> 
> For example: file "test.url" with this content will open your browser with an alert.
> 
> [DEFAULT]
> BASEURL=_javascript_:alert('hello mama !')
> [InternetShortcut]
> URL="" mama !')
> Modified=00027F010505010100
> 
> M$ is good for gaming, not for serious work..
> 
> - SomeMan.
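As an added example (not from either poster), here is a defender-side check for the CLSID naming trick discussed in this thread: it walks a directory tree, finds files whose real name ends in a `.{CLSID}` component, reports the name Explorer would display instead, and looks the CLSID up under HKEY_CLASSES_ROOT\CLSID to show whether a handler is registered for it. The demo folder, its file names and the all-zero GUID it uses are constructed placeholders (the null GUID is not a registered class, so the sample file is inert); the function name is my own.

```powershell
# Added example (not from the thread): list files whose name carries a trailing
# CLSID component, which Explorer hides so the user sees only the part before it.
# The sample file is constructed with the all-zero GUID, which is not a registered
# class, so it is inert; the HTA CLSID from the post appears only in a comment.
$clsidSuffix = '\.\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Find-ClsidDisguisedFiles {
    param([Parameter(Mandatory)][string]$Path)

    # -Force includes hidden files; the PSIsContainer filter skips directories,
    # which also keeps this working on PowerShell 2 (no -File switch there).
    Get-ChildItem -Path $Path -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $m = [regex]::Match($_.Name, $clsidSuffix)
            if (-not $m.Success) { return }

            $clsid = $m.Value.Substring(1)             # drop the leading dot
            $shown = $_.Name.Substring(0, $m.Index)    # what Explorer displays

            # A registered CLSID means the shell has a handler that opens the file
            # as that class, e.g. {3050F4D8-98B5-11CF-BB82-00AA00BDCE0B} from the
            # post, which the reply says was registered as an HTA on that machine.
            $classKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $class     = Get-ItemProperty -Path $classKey -ErrorAction SilentlyContinue
            $className = $null
            if ($class) { $className = $class.'(default)' }

            [pscustomobject]@{
                FullName    = $_.FullName
                DisplayedAs = $shown
                Clsid       = $clsid
                Registered  = [bool]$class
                ClassName   = $className
            }
        }
}

# Constructed demo: a temp folder with one ordinary file and one CLSID-suffixed one.
$demo = Join-Path $env:TEMP 'clsid-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'notes.txt') -Value 'plain file'
Set-Content -Path (Join-Path $demo 'report.txt.{00000000-0000-0000-0000-000000000000}') -Value 'shown as report.txt'

Find-ClsidDisguisedFiles -Path $demo |
    Format-Table DisplayedAs, Clsid, Registered, ClassName -AutoSize

Remove-Item -Path $demo -Recurse -Force
```

Run against a user profile or a mail attachment folder, a row with `Registered` set to true is the case worth examining, since the `ClassName` tells you what the shell would actually launch when the apparently harmless name is double-clicked.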

RE: [Full-Disclosure] Moox firefox/thunderbird builds. Anyone looked at these yet?

2004-11-10 Thread Stuart Fox \(DSL AK\)
> 
> I wonder why somebody would branch just to do performance 
> improvements?

Because people want their browser to perform quickly?

> Why not just work with the mozilla team and apply the changes 
> to the source tree? It's not like he's adding features and 
> the team didn't want them because they would add to bloat. 
> Makes me wonder if there is a hidden agenda in these custom builds...

Because it doesn't look like he's actually making changes to the code,
he's just compiling with specific support for certain processor features
which aren't included in a general (unoptimised) build.  Basically,
Mozilla distribute a vanilla build that will run on everything, and this
guy is compiling with support for specific processor optimisations that
won't run on processors that don't support those features.

> 
> Or maybe I'm just a super paranoid security professional.

You probably are being a little paranoid, although I prefer to run the
binaries as distributed by the supplier (I of course trust that they
haven't included backdoors, and they have compiled it sensibly.  For me,
any open source application I run is essentially closed source
anyway...).

If you were being super paranoid, you could generate your own optimised
build - once you'd read through all the source code looking for security
holes of course...

Stu



RE: [Full-Disclosure] IE is just as safe as FireFox

2004-11-15 Thread Stuart Fox \(DSL AK\)
> > Can the Firefox settings be controlled centrally?
> 
> Yes, and more flexibly than the zoo of IE versions at user computers. Download
> a Firefox ZIP (not Firefox_Setup_1.0.exe but Firefox 1.0.zip), unpack it
> to an R/O share on a file server, edit the JS configuration files in
> .\defaults\pref and .\greprefs, then create a shortcut to firefox.exe on
> user desktops. To change FF settings, edit the JS configs again. Voila!

Can the executable reside on the workstation with the settings stored on the
network?  In an ideal world, you'd be able to control the settings via Group
Policy (which is how you do it with IE).  I'm not sure your method is any more
flexible than using Group Policy to be honest.




RE: [Full-Disclosure] IE is just as safe as FireFox

2004-11-16 Thread Stuart Fox \(DSL AK\)
> Unfortunately, MS group policy does not handle Mac, Solaris, Linux, ...
> only MS toys can be configured using this. I also think it is somewhat
> new and will probably be old (why don't you use this miracle MS tool
> named: sorry, this falls under some NDA) in a year or so.

It's not somewhat new - it's four years old, and the technology in use was in use in NT 4 systems.  It's the standard method of configuring Windows clients that are members of an Active Directory - and will probably continue to be so.  A year or so won't even see the release of Longhorn, so it certainly won't be "old".

>This mail doesn't mean firefox/mozilla is the greatest tool of the
>world. It lacks (or my knowledge is too limited) good ldap support (I
>tryed keeping my netscape config on my ldap directory, mozilla do not
>seems  to have this feature).

So that's the answer to my question there: No.

>Other browsers&mail readers are using a
>dedicated central config server (I forgot the  name) in order to make
>them more corporate aware.

People underestimate the importance of the browser being "corporate aware" - being able to centrally control and configure the browser is important.


RE: [Full-Disclosure] MS Windows Screensaver Privilege Escalation

2004-11-25 Thread Stuart Fox \(DSL AK\)

> 
> On Windows XP all releases, when you replace, or change the 
> screensaver displayed on the login screen with a specially 
> crafted version designed to execute programs, those programs 
> are launched under the SYSTEM SID, i.e. they are given 
> automatically the highest access level available to Windows.  
> This level is not accessible even to administrators.
> 
> This flaw is important because while one would need Power 
> User privileges or above to change the Login Screensaver, by 
> default, any user with the exception of guest can replace the 
> login screensaver file with a modified version.  In theory, 
> any determined user could execute ANYTHING with SYSTEM 
> privileges.  A similar flaw exists in Win2K, but Microsoft 
> has ignored it.
> 

Interesting when read in the context of this:

http://support.microsoft.com/default.aspx?scid=kb;en-us;221991&sd=tech 



RE: [Full-Disclosure] TCP Port 42 port scans? What the heck over ...

2004-12-14 Thread Stuart Fox (DSL AK)
There's an outstanding security issue with WINS on Windows servers - TCP
port 42 is the WINS port.

Cheers

Stu 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf 
> Of James Lay
> Sent: Tuesday, 14 December 2004 2:47 a.m.
> To: Full-Disclosure (E-mail)
> Subject: [Full-Disclosure] TCP Port 42 port scans? What the 
> heck over...
> 
> Here they be.  ODD.  Anyone else seeing this?
> 
> Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0
> PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.1 
> LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP 
> SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0 Dec 13 
> 06:41:49 gateway kernel: Web1 drops:IN=br0 OUT=br0 
> PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.18.1 
> LEN=40 TOS=0x00 PREC=0x00
> TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 
> RES=0x00 SYN URGP=0 Dec 13 06:41:49 gateway kernel: Web 
> netrecall drops:IN=br0 OUT=br0
> PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.4 
> LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP 
> SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0 Dec 13 
> 06:41:49 workbox kernel: IN=eth0 OUT= 
> MAC=00:60:97:a5:76:36:00:10:7b:90:bc:30:08:00 
> SRC=131.252.116.141 DST=10.1.200.10 LEN=40 TOS=0x00 PREC=0x00 
> TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 
> RES=0x00 SYN URGP=0 Dec 13 06:41:49 gateway kernel: Web 
> netrecall drops:IN=br0 OUT=br0
> PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.7 
> LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP 
> SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0 Dec 13 
> 06:41:49 gateway kernel: X12 drops:IN=br0 OUT=br0 PHYSIN=eth1 
> PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.14 LEN=40 
> TOS=0x00 PREC=0x00
> TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 
> RES=0x00 SYN URGP=0 Dec 13 06:41:49 gateway kernel: Web 
> netrecall drops:IN=br0 OUT=br0
> PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.2 
> LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP 
> SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0 Dec 13 
> 06:41:49 gateway kernel: Htpedi drops:IN=br0 OUT=br0 
> PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.17 
> LEN=40 TOS=0x00 PREC=0x00
> TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 
> RES=0x00 SYN URGP=0 Dec 13 06:41:49 gateway kernel: Edirecall 
> drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 
> SRC=131.252.116.141 DST=10.1.20.12 LEN=40 TOS=0x00 PREC=0x00
> TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 
> RES=0x00 SYN URGP=0 
> 
> 
> 
> James Lay
> Network Manager/Security Officer
> AmeriBen Solutions/IEC Group
> Deo Gloria!!!
> 
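As an added detection example (not code from James Lay's post or from Stuart's reply), the Python below parses netfilter LOG lines of the kind quoted above, groups bare TCP SYNs to port 42 by source address, and raises an alert for any source that has probed several distinct hosts. The nine log lines embedded in the block are the ones from the post; the tenth is a constructed benign entry (an internal host making a single connection) to show the negative case, and the three-target threshold is an assumption. The checker also records whether every probe from a source carried one fixed IP ID and one fixed source port, as the sampled packets do (ID=57370, SPT=6000), which is characteristic of crafted rather than stack-generated packets and worth keeping next to the port-42 alert.

```python
import re
from collections import defaultdict

# Netfilter LOG lines, one packet per line.  The first nine are the lines
# quoted in James Lay's post; the last is a constructed benign entry (an
# internal host making one connection to port 42) to show the negative case.
SAMPLE_LOG = """\
Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.1 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 13 06:41:49 gateway kernel: Web1 drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.18.1 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.4 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 13 06:41:49 workbox kernel: IN=eth0 OUT= MAC=00:60:97:a5:76:36:00:10:7b:90:bc:30:08:00 SRC=131.252.116.141 DST=10.1.200.10 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.7 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 13 06:41:49 gateway kernel: X12 drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.14 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.2 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 13 06:41:49 gateway kernel: Htpedi drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.17 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 13 06:41:49 gateway kernel: Edirecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.12 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 13 06:42:03 gateway kernel: Web drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=10.1.5.20 DST=10.1.19.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=1023 DF PROTO=TCP SPT=1045 DPT=42 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# KEY=VALUE fields (OUT= may legitimately be empty); TCP flags and the IP DF
# bit appear as bare upper-case tokens and are collected separately.
FIELD_RE = re.compile(r'\b([A-Z]+)=(\S*)')
FLAG_RE = re.compile(r'(?<![=\w])(SYN|ACK|RST|FIN|PSH|URG|DF)(?![\w=])')


def parse_netfilter_line(line):
    """Turn one netfilter LOG line into a dict of fields plus a FLAGS set."""
    fields = dict(FIELD_RE.findall(line))
    fields['FLAGS'] = set(FLAG_RE.findall(line))
    return fields


def summarise_scans(log_text, port=42, min_targets=3):
    """Group inbound bare SYNs to `port` by source and flag any source that
    probed at least `min_targets` distinct hosts (a horizontal scan).  Also
    note whether the source reused one IP ID and one source port throughout,
    which a normal TCP stack does not do across separate connections."""
    per_src = defaultdict(lambda: {'dsts': set(), 'ids': set(),
                                   'spts': set(), 'packets': 0})
    for line in log_text.splitlines():
        f = parse_netfilter_line(line)
        if f.get('PROTO') != 'TCP' or f.get('DPT') != str(port):
            continue
        if 'SYN' not in f['FLAGS'] or 'ACK' in f['FLAGS']:
            continue  # only bare SYNs count as probes; SYN/ACK is a reply
        rec = per_src[f.get('SRC', '?')]
        rec['packets'] += 1
        rec['dsts'].add(f.get('DST'))
        rec['ids'].add(f.get('ID'))
        rec['spts'].add(f.get('SPT'))

    alerts = {}
    for src, rec in per_src.items():
        if len(rec['dsts']) >= min_targets:
            alerts[src] = {
                'targets': len(rec['dsts']),
                'packets': rec['packets'],
                'fixed_ip_id': len(rec['ids']) == 1,
                'fixed_src_port': len(rec['spts']) == 1,
            }
    return alerts


if __name__ == '__main__':
    for src, info in summarise_scans(SAMPLE_LOG).items():
        print(f'{src}: {info}')
```

Run against the sample, the only alert is for 131.252.116.141 (nine targets, fixed IP ID and source port); the internal host's single connection to port 42 stays below the threshold.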


RE: [Full-Disclosure] TCP Port 42 port scans? What the heck over...

2004-12-16 Thread Stuart Fox \(DSL AK\)
This is potentially the patch:
http://www.microsoft.com/technet/security/bulletin/MS04-045.mspx 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf 
> Of Florian Weimer
> Sent: Tuesday, 14 December 2004 9:54 a.m.
> To: James Lay
> Cc: Full-Disclosure (E-mail)
> Subject: Re: [Full-Disclosure] TCP Port 42 port scans? What 
> the heck over...
> 
> * James Lay:
> 
> > Here they be.  ODD.  Anyone else seeing this?
> 
> Probably yes. 8-) 42/TCP is used by Microsoft's WINS 
> replication, and this service has got a security hole for 
> which Microsoft has yet to release a patch.


RE: [Full-Disclosure] Terminal Server vulnerabilities

2005-01-27 Thread Stuart Fox \(DSL AK\)
>> But I would point out something much more important : there are many
>> more local exploits than remote (on Windows just like any other OS).
>>
>> Local exploits : about 1-2 a month
>> * POSIX - OS/2 subsystem exploitation
>> * Debugging subsystem exploitation (DebPloit)
>> * 16-bit subsystem exploitation (NTVDM)
>> * Shatter Attacks
>> * Etc.
>>
>> Remote exploits : about once a year
>> * RPC/DCOM (blaster)
>> * LSASS (sasser)
>>
>> Basically, if you are logged in as an unprivileged user on a Terminal
>> Server, you can easily become SYSTEM. If this Terminal Server is also a
>> Domain Controller, game over.
>
> You forgot one important factor - the use of IE and Outlook for the fast
> direct-to-customer delivery of local exploits.  Which *also* results in
> a Game Over.

Assuming that the IE/Outlook bugs are privilege escalation bugs.  There
seem to be relatively few of those - all of the recent ones have given
you credentials of the local user, not localsystem (or even admin).



RE: [Full-Disclosure] Multiple AV Vendors ignoring tar.gz archives

2005-02-07 Thread Stuart Fox \(DSL AK\)
> For lack of a better name -- after all, this is a technology 
> that has hardly been investigated -- I refer to this as 
> integrity management.  
> Basically you turn known virus scanning on its head to have 
> the on-access scanner only allow known good code to run, 
> rather than trying to do the impossible of finding all 
> possible permutations of all possible (known) "bad" code.  
> This can easily be done using the existing technology, but 
> instead of depending on a vendor to find new bad things, add 
> detection of them and ship that update _finally_ giving the 
> user protection, the user supplies their own list of 
> _allowable_ code and new code can be run once the 
> administrator updates their own database of allowable code.  
> (There are other clever things such a re-purposing of this 
> technology neatly allows too -- for example, such technology 
> could easily be configured to block access to all files of a 
> given type; it can be easily used to track software usage for 
> auditing and licensing checking; etc, etc...)   

Isn't this similar to what MS do in Windows 2003/XP SP2 with Software
Restriction Policies?  Executables are only allowed to run provided they
fit a prespecified pattern i.e. name (not very useful), signed or not,
hash of the executable.

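As an added illustration (not code from the post, and not Microsoft's Software Restriction Policies implementation), the Python below is a toy default-deny execution allow-list that shows the difference between two of the rule kinds Stuart lists: a path rule (match on the name) and a hash rule (match on the bytes). The files it checks are constructed in a temporary directory; the SHA-256 digest and the rule names are this example's own choices, not SRP's, and certificate rules are left out because checking Authenticode signatures needs Windows APIs. The point it makes is the one in Stuart's aside: a hash rule survives a rename and refuses a modified copy, while a name rule keeps allowing whatever is written to that path.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Digest used for hash rules (the algorithm is this example's choice, not SRP's)."""
    h = hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


class AllowList:
    """Default-deny execution policy with two rule kinds: hash rules (trust
    these exact bytes wherever they live) and path rules (trust whatever sits
    at this name).  Anything matching neither rule is refused."""

    def __init__(self):
        self.hashes = set()
        self.paths = set()

    def trust_file(self, path):
        self.hashes.add(sha256_file(path))

    def trust_path(self, path):
        self.paths.add(os.path.normcase(os.path.abspath(path)))

    def decision(self, path):
        """Return (allowed, matched_rule) for the file at `path`."""
        if sha256_file(path) in self.hashes:
            return True, 'hash'
        if os.path.normcase(os.path.abspath(path)) in self.paths:
            return True, 'path'
        return False, 'default-deny'


def _write(path, data):
    with open(path, 'wb') as fh:
        fh.write(data)


def demo():
    """Constructed sample files in a temp dir; returns {label: (allowed, rule)}."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, 'good.exe')
        _write(good, b'MZ constructed sample binary v1')
        # Same bytes under a new name, and a tampered copy of the same binary.
        _write(os.path.join(d, 'renamed.exe'), b'MZ constructed sample binary v1')
        _write(os.path.join(d, 'patched.exe'), b'MZ constructed sample binary v1 + trojan')
        tool = os.path.join(d, 'tool.exe')
        _write(tool, b'MZ another constructed binary')

        policy = AllowList()
        policy.trust_file(good)   # hash rule
        policy.trust_path(tool)   # path (name) rule

        results = {name: policy.decision(os.path.join(d, name))
                   for name in ('good.exe', 'renamed.exe', 'patched.exe', 'tool.exe')}
        # Overwrite tool.exe in place: the path rule keeps allowing it, which is
        # why a name-based rule is weak unless the location is write-protected.
        _write(tool, b'MZ replaced contents')
        results['tool.exe (overwritten)'] = policy.decision(tool)
        return results


if __name__ == '__main__':
    for label, (allowed, rule) in demo().items():
        print(f'{label:24} {"ALLOW" if allowed else "DENY":5} ({rule})')
```

The hash rule allows good.exe and its renamed twin and refuses the patched copy; the path rule allows tool.exe both before and after its contents are swapped, so a path rule is only as strong as the ACL on the directory it points at.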