Re: [Full-disclosure] iDefense Q-1 2007 Challenge

All people black hat, I agree with you KF I Defense low pay s0x! - mark On 16/01/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: I agree with you KF , that's why I do not recommand iDEFENSE in my forum's footer since some times now. They are just playing on the fact they are alone , or t

Re: [Full-disclosure] iDefense Q-1 2007 Challenge

I agree with you KF , that's why I do not recommand iDEFENSE in my forum's footer since some times now. They are just playing on the fact they are alone , or they were alone for a long time on this market, and they do not wish to do any effort, making loads of dollars with us , to say clean , th

[Full-disclosure] ADTool.exe Updated

Hi, thanks to all people who help me to improve this tool. ADTool.exe updated to version 1.5 Bugs fixed since 1.0: + if no output file, app crashes. + If there no server browse found, bad output. + improved speed. + It seems to work ok by now, enjoy it. DOWNLOAD URL:

[Full-disclosure] ZDI-07-005: Sun Microsystems Java GIF File Parsing Memory Corruption Vulnerability

ZDI-07-005: Sun Microsystems Java GIF File Parsing Memory Corruption Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-07-005.html January 16, 2007 -- CVE ID: CVE-2007-0243 -- Affected Vendor: Sun Microsystems -- Affected Products: JDK and JRE 5.0 Update 9 and earlier (al

[Full-disclosure] [ GLSA 200701-12 ] Mono: Information disclosure

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200701-12 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - -

[Full-disclosure] [ GLSA 200701-11 ] Kronolith: Local file inclusion

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200701-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - -

Re: [Full-disclosure] iDefense Q-1 2007 Challenge

[EMAIL PROTECTED] wrote: > I agree with you KF , that's why I do not recommand iDEFENSE in my > forum's footer since some times now. > They are just playing on the fact they are alone , or they were alone > for a long time on this market, and they do > not wish to do any effort, making loads of d

[Full-disclosure] link to site rumored to have "viruses"

i was sent this link...i've heard rumors that there are viruses on this site from YouTube people...the article itself appears to be about a YouTube personalityreal threat?...or sour grapes? http://www.encyclopediadramatica.com/index.php/Greg_Solomon - H

Re: [Full-disclosure] Grab a myspace credential

http://www.ninjahype.org/mov/ nameHREFTrack -KF wac wrote: > > > On 1/16/07, *Deepan* <[EMAIL PROTECTED] > > wrote: > > On Mon, 2007-01-15 at 23:05 -0500, Peter Dawson wrote: > > "but at some point all this abuse will likely start sending > users off >

Re: [Full-disclosure] iDefense Q-1 2007 Challenge

Well, I guess that miscommunication sums it up and I apologize (publicly) for being such a snappy brat. For the record though, this isn't something that the company markets at all. We've been doing this for a while and are very selective about who we work with. Hence, why there is no real mark

Re: [Full-disclosure] Grab a myspace credential

On 1/16/07, Deepan <[EMAIL PROTECTED]> wrote: On Mon, 2007-01-15 at 23:05 -0500, Peter Dawson wrote: > "but at some point all this abuse will likely start sending users off > to another service. " > > thats only --if the know if they are being abused.. most of them are > not coherent about any s

Re: [Full-disclosure] iDefense Q-1 2007 Challenge

Simon Smith wrote: > Blue Boar, > Simply put, and with all due respect, you're wrong. About? I see basically two assertions in my note; 1) that I would sell to iDefense or TippingPoint. Surely you're not going to tell me what I would do? And 2) That iDefense isn't doing the same thing that Bl

Re: [Full-disclosure] iDefense Q-1 2007 Challenge

Blue Boar, Simply put, and with all due respect, you're wrong. Furthermore I don't appreciate you directly or indirectly suggesting that these exploits are being sold on the black market, that will never happen on my watch, ever! More importantly, the company that I am working with is no

Re: [Full-disclosure] Grab a myspace credential

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 HAHA! Yeah, I had just updated to firefox 2 before I went to the phishing page and got the warning. It kinda threw me for a moment when that happened :) but I think it's a great feature for protecting the innocent and stupid alike. Steven Scheffler w

Re: [Full-disclosure] iDefense Q-1 2007 Challenge

K F (lists) wrote: > We all know black hats are selling these sploits for <=$25k so why > should the legit folks settle for anything less? As an example the guys > at MOAB kicked around selling a Quicktime bug to iDefense but in the end > we decided it was not worth it due to low pay... > > Low

Re: [Full-disclosure] iDefense Q-1 2007 Challenge

This is very true... and in some cases rather than do either you chose to sit on the bug. Its almost a cache 22... some folks invest time upfront putting work into various vulnerabilities and have no way to get back that investment. That in essence amounts to free QA for vendor X,Y or Z and not

[Full-disclosure] [x0n3-h4ck] SMe FileMailer 1.21 Remote Sql Injection Exploit

-=[ADVISORY---]=- SmE FileMailer 1.21 Author: CorryL[EMAIL PROTECTED] -=[---]=- -=[+] Applicati

Re: [Full-disclosure] iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE

Amen! KF is 100% on the money. I can arrange the legitimate purchase of most working exploits for significantly more money than iDefense, In some cases over $75,000.00 per purchase. The company that I am working with has a relationship with a legitimate buyer, all transactions are legal. If you

Re: [Full-disclosure] Major gcc 4.1.1 and up security issue

On Mon, 15 Jan 2007 21:07:40 +0100, Felix von Leitner said: > So, in my gnupg diff, I used code like this: > > assert(a+100 > a); Note that if 'a' is a macro with side effects (the ++ and -- operators are particularly famous for this), you may just have seriously buggered the program while tryi

Re: [Full-disclosure] iDefense Q-1 2007 Challenge

No offense to iDefense as I have used their services in the past... but MY Q1 2007 Challenge to YOU is to start offering your researchers more money in general! I've sold remotely exploitable bugs in random 3rd party products for more $$ than you are offering for these Vista items (see the h0n0

Re: [Full-disclosure] iDefense Q-1 2007 Challenge

I know someone who will pay significantly more per vulnerability against the same targets. On 1/10/07 12:27 PM, "contributor" <[EMAIL PROTECTED]> wrote: > -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Also available at: > http://labs.idefense.com/vcp/challenge.php#more_q1+2007%3A+vulnerabil

Re: [Full-disclosure] Grab a myspace credential

This “Suspected Web Forgery” alert by Firefox 2.0.0.1 was generated very soon after the disclosure process. It appears that team(s) behind this technology are reading FD list regularly. - Juha-Matti Steven Scheffler <[EMAIL PROTECTED]> wrote: > > If you dig into google's cache you will see th

Re: [Full-disclosure] Grab a myspace credential

If you dig into google's cache you will see that http://www.marcolano.com/login/ has a spoofed myspace.com login screen where ppl enter their credentials. These are saved in a plain text file myspace.txt. Firefox2 warned me about marcolano.com is a phishing site. S -Original Message- Fr

Re: [Full-disclosure] Major gcc 4.1.1 and up security issue

Hi, this looks strange. I have made a test with gcc 4.03. The assertation was thrown correctly. So, is this only with gcc > 4.1? It seems that the interpretation of the standard was in gcc 4.03 "better". ~$ ./a.out 200 100 a.out: test.c:5: foo: Assertion `(int)(a+100) > 0' failed. Aborted [EMAIL

Re: [Full-disclosure] marc's list getting bigger, grab while you can

PEBKAC, as usual. There was a spoofed login page at http://www.marcolano.com/login/ (Googlecache vers: http://64.233.183.104/search?q=cache:u2RtwlpBqFcJ:www.marcolano.com/logi n/+inurl:marcolano&hl=en&gl=uk&ct=clnk&cd=2) that was identical to the myspace login page. My guess is that he's bounced

Re: [Full-disclosure] marc's list getting bigger, grab while you can

On Mon, 2007-01-15 at 12:49 +, Emma Perdue wrote: > 56000+ myspace accounts (hotmail, yahoo, gmail credentials are bonus) > > http://www.marcolano.com/login/myspace.txt Can you give details about the bugs in myspace that you used to hijack the credentails ? Thanks Deepan __

Re: [Full-disclosure] Grab a myspace credential

On 1/16/07, Deepan <[EMAIL PROTECTED]> wrote: > It is not quiet easy to fool 56000+ users using phishing sites. I wonder > how Mark is doing it. Yeah... in the interests of *ahem* full disclosure I would have thought the _how_ of the stunt would be more important information to communicate than a

Re: [Full-disclosure] Remedy Action Request System 5.01.02 - UserEnumeration

I regularly used to use Remedy in my previous duties. And okay, the authentication process does output a message specifying whether the user exists or not, and that is not a desirable aspect of any system. I would like to say however, that Remedy was the most efficient system that I was aware o

[Full-disclosure] Rixstep still aren't as leet as they thought they were

It seems Rixstep thought they could fix their stupidity: http://www.rixstep.com/1/1/20070115,02.shtml Silent security updates aren't cool. Unfortunately their bug fix was useless, maybe they forgot to actually do any QA on it in their rush to say how fast they are at fixing exploits. Or maybe th