-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Debian Security Advisory DSA-2133-1 secur...@debian.org
http://www.debian.org/security/ Raphael Geissert
December 13, 2010
OK, wrap up, are we talking about Domain Admins having local admin privs? Of
course they do - that's the joy of having a domain, centralized management...
OR
Are we talking about local admins having domain admin privs?
The local admin would only have "temporary" domain admin privs if said lo
www.eVuln.com advisory:
"url" BBCode XSS in slickMsg
Summary: http://evuln.com/vulns/160/summary.html
Details: http://evuln.com/vulns/160/description.html
---Summary---
eVuln ID: EV0160
Software: slickMsg
Vendor: n/a
Version: 0.7-alpha
Critical Level: low
Type: Cross Site Scripti
"Andrea Lee" wrote:
> I hope I'm not just feeding the troll...
No. You just made a complete fool of yourself. :-P
Read the initial post again.
CAREFULLY.
Especially that part about unplugging from the network.
> A local admin is an admin on one system. The domain admin is an admin
> on all system
On 12/13/2010 11:19 AM, Michael Bauer wrote:
> An administrator is very different; there are many levels of
> administrative control in Windows. To say an admin is an admin is
> absurd.
I disagree. There's only one level of pwned.
> There is a big difference between a local admin and a domain
> adm
Again, considering there was no nasty code in there, it was safe enough to
run.
Give it a break dude, you ain't going to get an argument out of me lol :)
On Mon, Dec 13, 2010 at 9:21 PM, Benji wrote:
> I know in your perfect world nothing could ever break out of a sandbox, but
> this just isn't
Hey Dan,
Freaking THANK YOU first and foremost. I've been waiting for someone to say
that for days now, and was just about to myself.
Just because everyone and their brother wants to show off that they can
compile & run some software (herp a derp, good job) DOESN'T mean they should
immediate
It doesn't contribute to testing, I can assure you there's been enough
'tests' of this exploit.
On Mon, Dec 13, 2010 at 9:32 PM, Cal Leeming [Simplicity Media Ltd] <
cal.leem...@simplicitymedialtd.co.uk> wrote:
> Actually Ryan, I'll think you'll find a lot of people just wanted to
> contribute tow
Actually Ryan, I'll think you'll find a lot of people just wanted to
contribute towards testing, as most authors will appreciate the masses
testing on as many systems as possible.
It's not a case of anyone "showing off", it's simply that a lot of people
simply don't have time to read the "small pr
Admitting you will not feed the trolls shows that you have fed the trolls
at some point in time and have fallen for a troll.
There is no way to properly "damage control" this statement.
YHBT YHL HAND
On 12/13/2010 04:19 PM, Cal Leeming [Simplicity Media Ltd] wrote:
>
> No more troll feed for you!
wait wait wait.
You don't have time to read header notes, but do have time to run code you
don't really know what it does on your system?
can I send you some code? it's a linux 2.6.* 0day, remote root.
On Mon, Dec 13, 2010 at 9:14 PM, Cal Leeming [Simplicity Media Ltd] <
cal.leem...@simplicitymedi
I know in your perfect world nothing could ever break out of a sandbox, but
this just isn't true.
No more coco-pops for you, maybe some brain food!
On Mon, Dec 13, 2010 at 9:19 PM, Cal Leeming [Simplicity Media Ltd] <
cal.leem...@simplicitymedialtd.co.uk> wrote:
>
>1. It ran on a one-time ser
1. It ran on a one-time server which gets re-generated every time it's
restarted (which is every time a testing session has finished)
2. I did a *very* brief look in the code for shell code etc, and based on
the noise already on the board, there wasn't any risk.
3. Even if there was do
Sorry Dan, I did a very quick copy and paste job, without reading the
headers. I simply don't have time to read the code notes of every single
exploit released.
I would say that, if you are fed up with being inundated with emails, then
perhaps you should mark these notes very clearly in big red wr
Please don't inundate me with e-mail because none of you bothered to read the
exploit header.
The exploit so far has a 100% success rate on the systems it was designed to
work on.
I don't think this is rocket science. If your distribution does not compile
Econet, then the exploit obviously wo
On Mon, Dec 13, 2010 at 12:40 PM, Cal Leeming [Simplicity Media Ltd]
wrote:
> I've seen far too many people just sending back "Failed to open file
> descriptors" without giving any indication as to what could have happened.
> ...
> Anyways, the code failed on our sandbox.. see below:
> ...
> socke
I've seen far too many people just sending back "Failed to open file
descriptors" without giving any indication as to what could have happened.
:| Can people *please* remember to send the author as much debug as possible
(at the very least, an strace), so they can at least see what's going on.
Can
>The attack has some academically interesting details about how cached
>credentials work, but I agree with Stefan. If you own the machine, you own
>the machine. What's to stop you from, say, simply installing a rootkit?
Exactly. More importantly, even if you must make users local admins, there is
On Mon, Dec 13, 2010 at 2:13 PM, David Gillett wrote:
> If our users hadn't been local admins (not my choice), they would not have
> been able to eject Domain Admins from the Local Admins group in the first
> place
Ouch! But at least it keeps the help desk calls down ;)
> -Original Messag
There is no "local admin" on a DC.
t
From: Peter Setlak [mailto:peterset...@me.com]
Sent: Monday, December 13, 2010 12:06 PM
To: Andrea Lee
Cc: Thor (Hammer of God); George Carlson; bugt...@securityfocus.com;
full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Flaw in Microsoft Doma
You knew where I was going with that, and I know that YOU know all this, so
I'll just leave that one alone :)
t
>-Original Message-
>From: David Gillett [mailto:gillettda...@fhda.edu]
>Sent: Monday, December 13, 2010 11:14 AM
>To: Thor (Hammer of God); 'George Carlson'; bugt...@securityf
You don't use block number as a key; you use it as part of the computation
to select one. Actual encryption needs to use a strong algorithm but
you want to make sure the key differs for every cipher block. If nothing
else, there tend to be many places in a disk filestructure that contain
all zeroes
Everyone.
Please read my original post. I never claimed to gain access to
networked resources using the masqueraded account. My method merely
shows that you can modify the SAM and SECURITY hives without using DLL
injection or any other advanced technique that security Admins are
currently lookin
Maybe what some of us need to learn from this is that we should never think in
absolutes such as local VS domain users. There are numerous account types and
the overrides to take into account with any OS and they change.
This is more of a wakeup call to brush up on our understanding of permissi
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Kurt Dillard said the following on 13/12/10 20:09:
> So far I agree with Thor. Did I miss something? Has anyone demonstrated
> using the locally cached credentials to access resources across the network?
> So far I haven't seen anything new or interest
So far I agree with Thor. Did I miss something? Has anyone demonstrated
using the locally cached credentials to access resources across the network?
So far I haven't seen anything new or interesting in this thread:
1. StenoPlasma claims that a local admin can access and reuse the cached
credential
If our users hadn't been local admins (not my choice), they would not have
been able to eject Domain Admins from the Local Admins group in the first
place
David Gillett
-Original Message-
From: Thor (Hammer of God) [mailto:t...@hammerofgod.com]
Sent: Monday, December 13, 2010 10:49
To
Since when do local admins become domain admins!?!?!?!?!
Domain Admins are added to the Local Admins group when a computer joins a
network. How do Local Admins on a computer become Domain Admins!?!?!!?!?
-Original Message-
From: jco...@winwholesale.com [mailto:jco...@winwholesale.com]
"StenoPlasma @ ExploitDevelopment" wrote:
Your MUA is defective, it strips the "References:" header!
> Stefan,
>
> For your information:
>
> Cached domain accounts on a local system are not stored in the SAM. They
> are stored in the SECURITY registry hive. When a cached domain user logs
>
> If I take the domain admin out of my local administrators, they can't do
anything. Done.
Back when I did AD/domain support, all domain user accounts got a profile
that included a trivial script to re-add Domain Admins to the Local Admins
group. So this kind of local removal shenanigans laste
But he said that RedHat (and thus CentOS) doesn't have Econet enabled by
default.
--Ariel
fireb...@backtrack.com.br wrote:
> I tested it on a VM with CentOS 5.5 i386 updated and did not work.
>
> Last login: Tue Dec 13 12:48:54 2010
> [r...@localhost~]#nano full-nelson.c
> [r...@localhost~]#gcc-o
On 13/12/2010 12:05 PM, highteck wrote:
> Posted by Benji on Dec 13
>
> I heard rumors it's backdoored and sends your /etc/passwd and uname to
> Dan
> Rosenberg.
>
> Just sayin'
>
>
> ^^^
>
> 1. where's the shell code to hide such a process?
> 2. do you see /etc/passwd anywhere in there?
> 3. dan r
On 13/12/2010 12:03 PM, highteck wrote:
> r...@bt:~# su test
> sh-3.2$ cd /tmp
> sh-3.2$ id;uname -a
> uid=1000(test) gid=1000(test) groups=1000(test)
> Linux bt 2.6.34 #1 SMP Wed Jul 21 09:51:09 EDT 2010 i686 GNU/Linux
> sh-3.2$ ls
> full-nelson.c
> sh-3.2$ gcc full-nelson.c -o full-nelson
> sh-3.
An administrator is very different; there are many levels of administrative
control in Windows. To say an admin is an admin is absurd. There is a big
difference between a local admin and a domain admin. There are many types of
admin in Windows and all of them have different levels of permission. I
I hope I'm not just feeding the troll...
A local admin is an admin on one system. The domain admin is an admin
on all systems in the domain, including mission critical Windows
servers. With temporary domain admin privs, the local admin could log
into the AD and change permissions / passwords for a
> From: Stefan Kanthak [mailto:stefan.kant...@nexgo.de]
> Sent: Friday, 10 December, 2010 17:12
>
> "George Carlson" wrote:
>
> > Your objections are mostly true in a normal sense.
> > However, it is not true when Group Policy is taken into account.
>
> Group Policies need an AD. Cached credent
Disclaimer: I'm not a cryptographer. I don't even play one on TV.
> I'm now worried that if an attacker knows, or "guesses" that you are
> using, say, CentOS Linux 5.5, (or at least some mutation of Red Hat),
> he might use this knowledge of "known artefacts" to his advantage, by
> starting out f
>-Original Message-
>From: katt...@gmail.com [mailto:katt...@gmail.com] On Behalf Of Andrea
>Lee
>Sent: Monday, December 13, 2010 9:12 AM
>To: Thor (Hammer of God)
>Cc: George Carlson; bugt...@securityfocus.com; full-
>disclos...@lists.grok.org.uk
>Subject: Re: [Full-disclosure] Flaw in Mic
You made all domain users local admin? Or did you do some sort of RUNAS in the
logon script?
>-Original Message-
>From: David Gillett [mailto:gillettda...@fhda.edu]
>Sent: Monday, December 13, 2010 10:16 AM
>To: Thor (Hammer of God); 'George Carlson'; bugt...@securityfocus.com;
>full-dis
ProCheckUp Research
PR10-09 Multiple XSS and Cross Domain redirect within Mura CMS
Advisory publicly released: Monday, 13 December 2010
Vulnerability found: Monday, 19 April 2010
Vendor informed: Tuesday, 20 April 2010
Severity level: Medium
Credits
Richard Brain of ProCheckUp Ltd (www.prochecku
ZDI-10-285: Novell ZENworks Desktop Management Linux TFTPD Remote Code
Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-285
December 13, 2010
-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
-- Affected Vendors:
Novell
-- Affected Products:
Novell Zenworks
-- TippingPoint(T
ZDI-10-284: Novell ZENWorks Remote Management Agent DN Name Remote Code
Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-284
December 13, 2010
-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
-- Affected Vendors:
Novell
-- Affected Products:
Novell Zenworks
-- TippingPoint
ZDI-10-283: Novell ZENWorks Remote Management Agent Uninitialized Pointer
Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-283
December 13, 2010
-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
-- Affected Vendors:
Novell
-- Affected Products:
Novell Zenworks
Has a large 11mb .avi file in it, a text file with what looks like
phished Facebook credentials and looks like a copy of a Facebook
phishing site.
I haven't looked at the HTML nor the avi.
On 12/13/2010 08:23 AM, Martin Aberastegue wrote:
> It would be nice if you provide additional information
On Mon, Dec 13, 2010 at 11:40 AM, Everhart, Glenn
wrote:
> If you are making an encrypted disk, you must be able to start decrypting
> any parts you like. This makes use of common encryption modes other than ECB
> harder.
CTR (and CTS) or XTS comes to mind. CTR should be considered since its
seeka
If you are making an encrypted disk, you must be able to start decrypting
any parts you like. This makes use of common encryption modes other than ECB
harder.
However you have the block number of the disk available. If it is used as part
of the encryption calculation you can have what amounts to a
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://corelabs.coresecurity.com/
Symantec Intel Handler Service Remote DoS
1. *Advisory Information*
Title: Symantec Intel Handler Service Remote DoS
Advisory Id: CORE-2010-0728
Advi
Stefan,
For your information:
Cached domain accounts on a local system are not stored in the SAM. They
are stored in the SECURITY registry hive. When a cached domain user logs
in to the system, they do not authenticate against the SAM (As you can see
in my article, I am not editing the SAM).
I tested it on a VM with CentOS 5.5 i386 updated and did not work.
Last login: Tue Dec 13 12:48:54 2010
[r...@localhost~]#nano full-nelson.c
[r...@localhost~]#gcc-o full-nelson.c full-nelson
[r...@localhost~]#./full-nelson
[*] Failed to open file descriptors.
[r...@localhost~]# uname-a
Linux local
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
It has come to the attention of The Exim Maintainers that there is
an exploit circulating in the wild which affects Exim
versions 4.69 and below -- Exim 4.70 was released in November 2009.
The flaw permits remote code execution over SMTP an
"Jeremy SAINTOT" wrote:
> Correct me if I'm wrong, but here is what I think of that:
You are wrong!
> A Domain user that is a Local admin of his workstation is different than
> a Domain user which is Domain Admin.
A local administrator has all the powers on his computer, while a domain
admi
On Mon, Dec 13, 2010 at 9:16 AM, Levente Peres wrote:
> Dear All,
>
> Yesterday I had a very interesting conversation with Anthony G. Basile,
> Ph. D. of D'Youville College about filesystem security. We thought that
> we should continue this discussion here, so we could all contemplate on
> the po
I heard rumors it's backdoored and sends your /etc/passwd and uname to Dan
Rosenberg.
Just sayin'
On Mon, Dec 13, 2010 at 3:27 PM, wrote:
> I tested it on a VM with CentOS 5.5 i386 updated and did not work.
>
> Last login: Tue Dec 13 12:48:54 2010
> [r...@localhost~]#nano full-nelson.c
> [r...@
I am not an expert either, but I think this is known as watermarking
attacks. That's why I mentioned CBC in my previous mail, because it is
vulnerable to IV guessing.
However there are other methods which are not vulnerable.
Read:
http://en.wikipedia.org/wiki/Disk_encryption_theory
If you
If a bad guy got the local admin password, then the computer is in its
control at 100%. No need to run a script as a domain user, as the local
admin can already format the drive, or remove all security measures.
The cached credential is a hash of a hash. (kinda long to crack)
Any good network admin
On Sun, Dec 12, 2010 at 2:47 PM, Jeffrey Walton wrote:
> On Sun, Dec 12, 2010 at 12:02 PM, Jeffrey Walton wrote:
>> The company was started by a fellow named Al Huger. I believe he also
>> started Bugtraq. When Bugtraq was commercialized by Symantec, Huger
>> moved on to Immunet.
> >From Kurt S
Dear All,
Yesterday I had a very interesting conversation with Anthony G. Basile,
Ph. D. of D'Youville College about filesystem security. We thought that
we should continue this discussion here, so we could all contemplate on
the possibility of such a thing being possible.
After reading Anthon
sp...@alucard ~ $ uname -a
Linux alucard 2.6.35-zen2-knight #1 ZEN SMP PREEMPT Wed Dec 1 12:34:54 BRST
2010 x86_64 Intel(R) Core(TM)2 Duo CPU T6400 @ 2.00GHz GenuineIntel
GNU/Linux
sp...@alucard ~ $ gcc -o nerso full-nelson.c
sp...@alucard ~ $ ./nerso
[*] Failed to open file descriptors.
2010/12/
h...@darkstar:~$ cat /etc/slackware-version
Slackware 13.1.0
h...@darkstar:~$ uname -a
Linux darkstar 2.6.33.4-smp #2 SMP Wed May 12 22:47:36 CDT 2010 i686
Intel(R) Core(TM)2 CPU T5600 @ 1.83GHz GenuineIntel GNU/Linux
h...@darkstar:~$ cc full-nelson.c -o full-nelson
h...@darkstar:~$ ./ful
It would be nice if you provide additional information about this
instead of just a link.
--
Martín Aberastegue
http://www.martinaberastegue.com/
On Sun, Dec 12, 2010 at 7:08 PM, Jbyte Security wrote:
> hi, I found a bug in Facebook, here is the POC
>
> http://www.mediafire.com/?2mfvk2emjfk1m
Correct me if I'm wrong, but here is what I think of that:
A Domain user that is a Local admin of his workstation is different than
a Domain user which is Domain Admin.
Then, a local admin whose account is an AD account can run scripts *on
his local machine* in the name of the domain admin.
T
hi, I found a bug in Facebook, here is the POC
http://www.mediafire.com/?2mfvk2emjfk1mpq
Regards, Jbyte
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hoste