GreyMagic Security [EMAIL PROTECTED] kindly made an online decoder
available at
http://www.greymagic.com/security/tools/decoder/
On occasions it may be more useful to have a local decoder: I often
use the following perl script.
Cheers,
Paul Szabo - [EMAIL PROTECTED] http
generated with the cracked version of Sound Forge 4.5.
Cheers,
Paul Szabo - [EMAIL PROTECTED] http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Some cases remain un-fixed, as Eudora developers know and admit privately.
One such example below.
#!/usr/bin/perl --
use MIME::Base64;
Is this a known bug or feature?
If so, does anyone know a workaround? Otherwise, does this have security
implications?
Not so. Harmless demo below.
#!/usr/bin/perl --
use MIME::Base64;
print "From: me\n";
print "To: you\n";
print "Subject: Eudora 6.2.0.7
Is this related to
IconHandler, and is it exploitable?
warning in
http://www.kb.cert.org/vuls/id/323070 but it was toned down after the
release of MS04-013.)
I do not read that as advice on product choice, just a statement of the
technical inadequacy of IE.
Eudora 6.1.2 for Windows was released on 21 June 2004. The release notes
http://www.eudora.com/download/eudora/windows/6.1.2/RelNotes.txt
say:
SECURITY
Fixed case where attachments could be spoofed via base64 encoded
(plain-text, inline) MIME parts.
Not so. Harmless demo below.
with LaunchProtect (the X - X.exe dichotomy issue) is not
fixed either (rather it seems un-fixed).
Please see
http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx
for more details and history.
Harmless demo below.
will crash Eudora.\n\n";
print "The following plain-text converted by Eudora into a clickable URL\n";
print "http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx\n";
print "is for comparison: the user can hardly tell them apart.\n\n";
this is
fixed in W2kSP4; or maybe that KB article refers to a different problem: it
says the error should be Access Violation, I got Program Error.
=41414141 iopl=0 nv up ei ng nz ac pe cy
# cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs= efl=00010293
# 41414141 ?? ???
print "Attachment Converted\r: ", "A"x300, "\n\n";
---
Eudora 6.0.3 for Windows will crash if sent a MIME message nested more than
2000 levels deep. Due to the presence of the [EudoraDir]\spool\*.RCV file,
users may find it difficult to recover from this DoS situation. Demo below.
Eudora 6.0.3 for Windows was released recently. Though known for years, the
spoofing of attachments is still not fixed; the problem with LaunchProtect
is not fixed either.
Spoofing demo (essentially identical to 6.0.1 version) below.
at the end of
September 1998, maybe it would be useful to look in the archives?)
: uuencoded blocks, or those
within incomplete Content-type: message/partial bits.
Within those limitations, it is a great idea to keep an organization
free from common attacks.
environments.
use something like
that to chown or chmod the pty they just allocated. Turning the suid bit
off prevents your pty from being owned by you so you cannot set safe
permissions, and are vulnerable to echo badcommand yourpty.
want some traditional AV on your desktops;
any reasonably well supported product should do.
For some more blurb/details please see
http://www.maths.usyd.edu.au:8000/u/psz/pc/virus.html
, about 10 hours ago.
The EXE seems dated 23 Nov, so this is a new virus; no wonder the AV
vendors do not yet know about it; you may wish to send your sample to
them for analysis. (Each new virus is an example where traditional
AV fails to protect...)
warning.
Harmless demo below.
---
#!/usr/bin/perl --
use MIME::Base64;
print "From: me\n";
print "To: you\n";
print "Subject: Eudora 6.0.1
Eudora 6.0.1 for Windows was released recently. The buffer overflow (and
code execution) with long spoofed attachment names seems to be fixed; the
spoofing itself is not, though it was known for years.
Spoofing demo (essentially identical to 6.0 version) below.
or some joke?)
(or the desktop or C:\) be patched also?
Avenues of exploitation, not using Flash, will be found. Fix IE, or else.
will
just choose a different mechanism.
... I doubt we will see any malicious use of the
local file redirection variation you found.
My favourite store-arbitrary-local-file application is Eudora: it
pre-extracts attachments into files in a known location.
2003.
---
#!/usr/bin/perl --
use MIME::Base64;
print "From: me\n";
print "To: you\n";
print "Subject: Eudora 6.0 on Windows exploit\n";
print
://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx
all might be a
good thing; beware of those you let through.
is a perversion.
the HTML file it contains, that may be the
result of some configuration option. By default, F-PROT only lists
infected files ...
But ... I did use the -LIST option, and normally (for innocent ZIP
archives) I get the files listed, see below (and in my earlier post).
://www.securityfocus.com/archive/1/330886
been
fixed.
unpack?).
---
$ f-prot virus/mimail -ai -archive -packed -list
Virus scanning report - 4 August 2003 @ 7:26
F-PROT ANTIVIRUS
Program
install) be exploited?
Maybe the CON: driver where we have some control over the output?
I apologize if these are stupid questions.
has not been specified. Do you want to
configure Weblink Prefrences? I set the browser to mozilla and had
no luck with the overflow... just a mozilla mail with a HUGE mail to: line.
Set your browser to Netscape, not Mozilla.
: Exception.log says
Exception code: c005 ACCESS_VIOLATION
Fault address: 77e873bc 01:63bc C:\WINNT\system32\KERNEL32.DLL
Registers:
EAX:
EBX:
ECX:00412e35
..
(only ECX seems controllable).
(Tested with Eudora 5.2.1 on Windows 2000.)
+ rmdir /tmp/F$$
exec $target
but Sqpe would still be open to races as it repeatedly open()s and
unlink()s that file. A proper fix will have to come from the vendor.
/$$a
! EVAL_ASSIGNS=$EVAL_ASSIGNS$lhs=''$rhs';'
;;
*.c) # c source file.
cfiles='1'
be undone
by a Web page or email. Just as exploitable after the patch.
Is this what Microsoft calls responsible disclosure?
PS: The above
what MIME boundary we use,
a bare spoofed attachment line is NOT prefixed with #?
Attachment Converted: c:\winnt\system32\calc.exe
Never mind that the text comes out all funny...
Any other tricks we can play?