a sneaking suspicion that this can be
further extended/modified to affect some firewalls that were not
vulnerable to the first incarnation, so now is a very good time to get
a handle on those protocols in your networks.
Take care, all
/Mikael Olsson
PS. No proof of concept exploit. It's cu
From
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security
- Forwarded message from Edwin Groothuis <[EMAIL PROTECTED]> -
Date: Thu, 1 Aug 2002 16:55:51 +1000
From: Edwin Groothuis <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: openssh-3.4p1.tar.gz trojaned
lution is probably educating all your users to
always verify host fingerprints (hahahaha) or forcing public key auth
instead of password auth (usually more viable) in your servers. People
are more likely to notice "public key auth failed" rather than the old
"new host key" messag
r needs is that first connection. :/
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
, in the case of *nix servers, it's even easier for an attacker
to run the fake gopher server on a high port; this way, he won't even
need root privileges.)
Take care,
/Mikael Olsson
re
on bugtraq a couple of months ago.)
So, the only approach that really works is a white-list approach.
And add to that, a white-list that ONLY lets through extensions
that you KNOW that the vast majority of the installed user base
has associated handlers for. Removing the handler for ".zip
erent X servers.
Mozilla is what is causing the vulnerability (gimp isn't). Indeed, XFS
should be fixed, but from an overall vulnerability perspective, I'm
quite convinced mozilla should be fixed too. People upgrade mozilla
a _lot_ more often than they upgrade their X font servers.
s TCP segments without data, there's
nothing to be done about it, and you should let fragmentation occur.
The fingerprinting point is sort of valid, I guess. However, since
there are already BSD boxes out there doing this, the fingerprint
value would be even greater (the fingerprint match
Darren Reed wrote:
>
> In some mail from Mikael Olsson, sie said:
> >
> > * RealAudio/Video (secondary UDP channel)
>
> This can't be exploited in even close to the same way, if the proxy is
> properly implemented. You might be able to write a java class to
Extending the FTP "ALG" vulnerability to any FTP client
Author: Mikael Olsson, EnterNet Sweden <[EMAIL PROTECTED]>
Original Date: 2000-03-10
Originally posted to: Bugtraq, Vuln-dev (BID 1045)
Vendor contacted: Nope, sorry, too many.
Updated: 2000-03-14
- Added exploit by
t depends on your firewall. I'd say that
chances are fairly high that your browser of choice won't really
make a difference in 95% of the cases; the firewall is the key.
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
Extending the FTP "ALG" vulnerability to any FTP client
Author: Mikael Olsson, EnterNet Sweden
E-mail: [EMAIL PROTECTED]
Date: 2000-03-10
Synopsis
--
For those of you that followed the discussion about the
"Multiple Firewalls FTP PASV ALG Vulnerability", h
(don't
> know which version - it's not my pix :).
>
> jacek
hat way, even if just one single bit is wrong, you won't be
able to decode the secret :-P
> Since everyone's voice is unique, there shouldn't be any worry as to security.
Ehm. Right.
into
> conflict with the quota system.
Not "just" a cluster-size filling issue. The idea of quotas is preventing
people from using all available hard disk space, as that is a VERY effective
DoS. This bug means that W2K basically does not have any quotas, since it does
not provide
ETE SECRETS ON
THE LOCAL COMPUTER IF THE LOCAL COMPUTER CANNOT BE TRUSTED.
Solution: Don't write apps that store passwords on the local computer
without using another password to encrypt them.
Workaround: Disable all "remember this password for me" checkboxes
completely reassemble the TCP stream and not make "educated"
guesses about what packet data belongs on what line and in
which order and state of the FTP protocol.
It doesn't have to be a "proxy" in order to do this, I think.
You DO need to reassemble the stream completely
ion
firewalls protecting servers.
It might also be possible to cause "proxy" like firewalls to
open arbitrary ports to protected servers.
In the extreme case, albeit a tad unlikely, it may be possible
to cause any type of firewall to open arbitrary ports against
FTP clien
r?
>
According to
http://www.securiteam.com/securitynews/DHTML_makes_HTTP_REFERER_an_unreliable_sanity_check.html
it is possible for DHTML to lie about the referer.
(I believe this was originally a post here on Bugtraq, but I might
be wrong; could be some other mailing list I'm on too..)
/M
is why companies invest in security. Which is why issues
like this one sometimes (too seldom IMHO) get treated like security
issues.
'nuff rambling for one night =P
/Mike
the same file that you
actually opened (I hope!).
Oh, and the freopen() call opens you up to
another race situation (I think).
AFAIK, freopen() is just a shorthand for
fclose() followed by fopen(), so that leaves
room for a race situation.
(I might be talking out of my arse here tho)
If it were me
d one (for version 4.X) which I released an advisory
> about many months ago.
>
> -steven
>
ing of
> "file://" specification. This overflow occurs when we are logging on to
> the Microsoft Network, this overflow can be verified if the long name is
> specified to the "file://". For example,
>
's an
established standard.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 11 October 1999 13:39
To: [EMAIL PROTECTED]
Subject: VIRTUAL NETWORK COMPUTER
this is a little off topic but still it relates to security and
firewall in a sense.
H
ted by this.
>
> --------
> Sacha Faust [EMAIL PROTECTED]
> "He who despairs of the human condition is a coward, but he who has hope for
> it is a fool. " - Albert Camus
e routing table from the console, or polling
it via SNMP. I've noticed on some brands that the console
only displays static and RIPped routes, but that SNMP
displays all; keep that in mind.
You should be able to amend this problem by adding static
routes without destination for IP spans known