_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Hacking into private files, my credit card purchases, personal correspondence or anything that is mine is trespassing and criminal.
From: Jesse Valentin (jessevalentin@yahoo.com)
Date: Mon Oct 11 2004 - 18:33:07 CDT
Hey Barry,
Thanks for the info. (You're right it is odd.. :-)
The "sophisticated" legal system never ceases to amuse me. You made me laugh with your statement - "they're fraudulently using something they know they should be paying for".
See in my eyes, this is stealing... plain and simple regardless of whether or not you're talking bits and bytes and regardless of how many Harvard Law Graduates disagree with me.
To illustrate my point check out this website: http://www.goerie.com/nie_civilrights/civil_rights_timeline__1619_-_.html
One law in particular is the following passed in 1735:
“South Carolina passes laws requiring slaves to wear clothing identifying them as slaves; newly freed slaves must leave the state within six months or risk re-enslavement.”
Now to us today living in the modern world, this law is recognized as being barbaric and foolish, and yet educated legislators of that time viewed this as a valid law and “civilized behavior”.
My point is that just because something isn’t recognized as incorrect by a “legal entity” this doesn’t necessarily indicate that the conclusion is sound…
Thanks again though Barry, I do appreciate you submitting that information and I totally understand where you're coming from.
Best Regards,
Jesse Valentin
Barry Fitzgerald <bkfsec@sdf.lonestar.org> wrote:
Hey there Jesse,
From a legal perspective (IANAL, but this was explained to me by a
copyright attorney) Vince is correct.
Stealing, or theft, both legally and philosophically is the act of
depriving the rightful owner of an item of use of that item. Your
argument below is using the loose association of terms found in common
language. The misuse of those terms wandered into common language
through poor attribution and through emotional manipulation.
Distributing copyrighted works is a tort violation and not theft. It's a
civil matter that is handled by laws centered around business and
scientific regulation, not a criminal matter (though that may change
soon, and that change would be catastrophic. Legislation like the INDUCE
act would have a chilling effect on the world of science and free
enterprise.).
The act of descrambling a cable signal is an act of fraud, not of theft.
The person using the service isn't "stealing" anything - they're
fraudulently using something they know they should be paying for. Note
that the rules for this are different for services than they are for
products. That's why people who "steal cable" can go to jail. It's not
because they're actually stealing anything. It's just hard for people to
understand how fraud works and much easier for them to understand the
concept of "stealing".
It is illegal, but it's not actually theft. Odd that way.
-Barry
Jesse Valentin wrote:
> Hey Vince,
>
> With all due respect, while I find your argument interesting I think
> it’s a case of “mental gymnastics”.
>
> You mention that descrambling is “copyright violation”. According to
> the Merriam Webster dictionary the term Copyright is defined as:
>
> the EXCLUSIVE legal right to reproduce, publish, and sell the matter
> and form (as of a literary, musical, or artistic work).
>
> If we are talking about the “exclusive right” to sell cable television
> as a service, then anyone who “violates” this right would be
> committing … ah what is that term, - piracy?
>
> The Merriam Webster dictionary goes on to define the word “piracy” as:
>
> “an act of robbery on the high seas; /also/ *:* an act resembling such
> robbery”
>
> As we know “robbery” is…. yes you guessed it… stealing.
>
> Interesting how that term “stealing” keeps popping up, huh? :-)
>
> Jesse
>
_______________________________________________
Re: [Full-Disclosure] Hacking into private files, my credit card purchases, personal correspondence or anything that is mine is trespassing and criminal.
From: VeNoMouS (venom@gen-x.co.nz)
Date: Mon Oct 11 2004 - 20:57:45 CDT
Is it just me, or are these conversations a waste of time for this mailing list, almost makes you want to unsubscribe.
Aren't these type of convos better for irc where you can all have a group hug?? No this isn't a flame, I'm just wondering wtf has happened to the list is all, it started out good, now it's full of talkative bitches that don't know what personal email is for.
EOF
----- Original Message -----
From: Jesse Valentin
To: full-disclosure@lists.netsys.com
Sent: Tuesday, October 12, 2004 12:33 PM
Subject: Re: [Full-Disclosure] Hacking into private files, my credit card purchases, personal correspondence or anything that is mine is trespassing and criminal.
Hey Barry,
Thanks for the info. (You're right it is odd.. :-)
The "sophisticated" legal system never ceases to amuse me. You made me laugh with your statement - "they're fraudulently using something they know they should be paying for".
See in my eyes, this is stealing... plain and simple regardless of whether or not you're talking bits and bytes and regardless of how many Harvard Law Graduates disagree with me.
To illustrate my point check out this website: http://www.goerie.com/nie_civilrights/civil_rights_timeline__1619_-_.html
One law in particular is the following passed in 1735:
"South Carolina passes laws requiring slaves to wear clothing identifying them as slaves; newly freed slaves must leave the state within six months or risk re-enslavement."
Now to us today living in the modern world, this law is recognized as being barbaric and foolish, and yet educated legislators of that time viewed this as a valid law and "civilized behavior".
My point is that just because something isn't recognized as incorrect by a "legal entity" this doesn't necessarily indicate that the conclusion is sound.
Thanks again though Barry, I do appreciate you submitting that information and I totally understand where you're coming from.
Best Regards,
Jesse Valentin
Barry Fitzgerald <bkfsec@sdf.lonestar.org> wrote:
Hey there Jesse,
From a legal perspective (IANAL, but this was explained to me by a
copyright attorney) Vince is correct.
Stealing, or theft, both legally and philosophically is the act of
depriving the rightful owner of an item of use of that item. Your
argument below is using the loose association of terms found in common
language. The misuse of those terms wandered into common language
through poor attribution and through emotional manipulation.
Distributing copyrighted works is a tort violation and not theft. It's a
civil matter that is handled by laws centered around business and
scientific regulation, not a criminal matter (though that may change
soon, and that change would be catastrophic. Legislation like the INDUCE
act would have a chilling effect on the world of science and free
enterprise.).
The act of descrambling a cable signal is an act of fraud, not of theft.
The person using the service isn't "stealing" anything - they're
fraudulently using something they know they should be paying for. Note
that the rules for this are different for services than they are for
products. That's why people who "steal cable" can go to jail. It's not
because they're actually stealing anything. It's just hard for people to
understand how fraud works and much easier for them to understand the
concept of "stealing".
It is illegal, but it's not actually theft. Odd that way.
-Barry
Jesse Valentin wrote:
> Hey Vince,
>
> With all due respect, while I find your argument interesting I think
> it's a case of "mental gymnastics".
>
> You mention that descrambling is "copyright violation". According to
> the Merriam Webster dictionary the term Copyright is defined as:
>
> the EXCLUSIVE legal right to reproduce, publish, and sell the matter
> and form (as of a literary, musical, or artistic work).
>
> If we are talking about the "exclusive right" to sell cable television
> as a service, then anyone who "violates" this right would be
> committing ... ah what is that term, - piracy?
>
> The Merriam Webster dictionary goes on to define the word "piracy" as:
>
> "an act of robbery on the high seas; /also/ *:* an act resembling such
> robbery"
>
> As we know "robbery" is.... yes you guessed it... stealing.
>
> Interesting how that term "stealing" keeps popping up, huh? :-)
>
> Jesse
>
_______________________________________________
Re: [Full-Disclosure] Hacking into private files, my credit card purchases, personal correspondence or anything that is mine is trespassing and criminal.
From: Giselbert Hinkelmann (giselbert@web.de)
Date: Mon Oct 11 2004 - 19:24:29 CDT
On 12.10.2004 at 01:33, Jesse Valentin wrote:
> My point is that just because something isn’t recognized as incorrect
> by a
> “legal entity” this doesn’t necessarily indicate that the conclusion
> is sound…
Which means that future generations may see not giving free/cheap access
of all published information to everyone as soon as it was technically
possible
as one of the worst crimes of the 21st century...
_______________________________________________
Re: [Full-Disclosure] unarj dir-transversal bug (../../../..)
From: Chris Umphress (umphress@gmail.com)
Date: Mon Oct 11 2004 - 22:30:00 CDT
> evil@sheep:~$ unarj x test.arj
> ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [27 Jun 2004]
>
> Processing archive: test.arj
> Archive created: 2004-10-12 01:15:49, modified: 2004-10-12 01:15:49
> usr/bin/namei, Create this directory? Yes
> Extracting ../usr/bin/namei to usr/bin/namei OK
> 1 file(s)
>
> so it's not taking all the ../ into account and also an .arj created with
> full path is created in $PWD. arj + unarj are both v3.10.
Good point. I tried extracting again with 3.10, and it only leaves the
one "../" on the front.
> ...somehow i don't expect programs to mess with /usr. not as a user and
> not as root.
I just picked /usr, it could have been /etc, /var or any other
standard directory that every *nix distribution has. Regardless, if I
try to make unarj write to a directory that I don't have the
necessary permissions for, it asks me to pick an alternate location
to extract to.
> /me wonders about which version of arj/unarj "doubles" is talking about....
I don't see a problem, but it would be interesting to see which
version "doubles" is referring to.
--
Chris Umphres <http://daga.dyndns.org/>
_______________________________________________
[Full-Disclosure] DHCP Flood on inside network. HELP!!
From: Eddie (EddieS@softhome.net)
Date: Tue Oct 12 2004 - 00:00:07 CDT
I don't have much information on this yet, I am driving down to the office now to pull an all nighter. I figured I would toss this out to the list and see if anyone has any idea. This is just info from what I can get from talking to people and what little time I can get on the network before it goes down.
Starting 2 days ago, I discovered the PIX 515 was locked hard. It seems to be random, but around every 15-30 minutes something floods the network hard for a few minutes. Broadcast flood too. This is a small network with 30 workstations and 5 servers (Linux and SCO, no Wins). It overloads the Extreme switches and I see pdu (or something like that, not udp tho) errors on about every port.
The Pix 515 overloads and is having issues, but I did see it say something about ARP problems when I could get to the syslog for more info. I looked up the error number and it said it could be ARP poisoning. Not sure what would do that.
In the syslog of the DHCP server, I see thousands of DHCP DISCOVER requests (and the REPLAY request from the server, a Linux box). It looks like one client on the network (I have seen this both from XP and Win98) will send 100+ DISCOVER requests a second, swamping the network. Not always DISCOVER too.
That will go on for a few minutes, then all is well. Then another computer will do the same thing.
This is quickly overloading things and I am getting IRQ busy and overload errors on some of the servers.
What should I look for? I have never seen something like this before.
Thanks
-Eddie
_______________________________________________
Re: [Full-Disclosure] DHCP Flood on inside network. HELP!!
From: J.A. Terranson (measl@mfn.org)
Date: Tue Oct 12 2004 - 00:53:36 CDT
On Mon, 11 Oct 2004, Eddie wrote:
<snip vague description that could be almost anything>
tcpdump would help here. Even if you can't read it, someone here could
;-)
--
Yours,
J.A. Terranson
sysadmin@mfn.org
0xBD4A95BF
"An ill wind is stalking
while evil stars whir
and all the gold apples
go bad to the core"
S. Plath, Temper of Time
_______________________________________________
Re: [Full-Disclosure] DHCP Flood on inside network. HELP!!
From: Gregory Gilliss (ggilliss@netpublishing.com)
Date: Tue Oct 12 2004 - 01:53:18 CDT
Sounds like someone discovered the DHCP discover flood trick and set it
to work on you. A little packet filtering kung fu on your part ought to be
sufficient to prevent it happening again.
-- Greg
On or about 2004.10.11 22:00:07 +0000, Eddie (EddieS@softhome.net) said:
> I don't have much information on this yet, I am driving down to the office now to pull an all nighter. I figured I would toss this out to the list and see if anyone has any
> idea. This is just info from what I can get from talking to people and what little time I can get on the network before it goes down.
>
> Starting 2 days ago, I discovered the PIX 515 was locked hard. It seems to be random, but around every 15-30 minutes something floods the network hard for a few
> minutes. Broadcast flood too. This is a small network with 30 workstations and 5 servers (Linux and SCO, no Wins). It overloads the Extreme switches and I see pdu (or
> something like that, not udp tho) errors on about every port.
> The Pix 515 overloads and is having issues, but I did see it say something about ARP problems when I could get to the syslog for more info. I looked up the error
> number and it said it could be ARP poisoning. Not sure what would do that.
>
> In the syslog of the DHCP server, I see thousands of DHCP DISCOVER request(and the REPLAY request from the server, a Linux box). It looks like one client on the
> network (I have seen this both from XP and Win98) will send 100+ DISCOVER request a second swamping the network. Not always DISCOVER too.
> That will go on for a few minutes, then all is well. Then another computer will do the same thing.
>
> This is quickly overloading things and I am getting IRQ busy and overload errors on some of the servers.
>
> What should I look for. I have never seen something like this before.
>
> Thanks
> -Eddie
--
Gregory A. Gilliss, CISSP E-mail: greg@gilliss.com
Computer Security WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
_______________________________________________
Re: [Full-Disclosure] unarj dir-transversal bug (../../../..)
From: doubles@hush.com
Date: Tue Oct 12 2004 - 02:57:50 CDT
On Mon, 11 Oct 2004 16:29:40 -0700 evilninja <evilninja@gmx.net> wrote:
>evil@sheep:~$ unarj x test.arj
>ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [27
>Jun 2004]
arj != unarj! debian is stubido dist nd it pakage ''arj'' as ''unarj''!
real unarj 2.* inkl 2.65 latest are vunerabble!
doubles
_______________________________________________
Re: [Full-Disclosure] Hacking into private files, my credit card purchases, personal correspondence or anything that is mine is trespassing and criminal.
From: Vincent Archer (var@deny-all.com)
Date: Tue Oct 12 2004 - 02:40:06 CDT
On Mon, Oct 11, 2004 at 11:43:22AM -0500, Ron DuFresne wrote:
> Vincent, I think you lost track in your reply, he was not talking about
> broadband cable access to the internet, he was talking about cable TV
> services being stolen in this case, and the theft of the 'service'.
...
> On Mon, 11 Oct 2004, Vincent Archer wrote:
>
> > On Fri, Oct 08, 2004 at 11:41:49AM -0700, Jesse Valentin wrote:
> > > How about using a digital de-scrambler for cable service? You're getting something you're not paying for... isn't that stealing? True, it's not a vital service, but isn't this still plain 'ol stealing?
> >
The initial post was about de-scramblers, i.e. watching TV programs you
haven't paid a subscription for. It's not stealing. The TV programs you
"stole" are still there, and every single subscriber had access to them.
Hence, no theft has occurred. Fraud, however, has occurred in that case.
I know habit still puts theft to use where nothing is ever stolen. You
still talk about "stealing secrets" in espionage, for example. Nothing
is stolen in that case either. In general, you cannot steal, in the
real sense of the word, information. But theft is much shorter and conveys
better the sense of badness than "illegal duplication and access".
--
Vincent ARCHER
varcher@denyall.com
Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 5, rue Scribe - 75009 Paris - France
www.denyall.com
_______________________________________________
Re: [Full-Disclosure] unarj dir-transversal bug (../../../..)
From: doubles@hush.com
Date: Tue Oct 12 2004 - 02:49:53 CDT
On Mon, 11 Oct 2004 12:50:20 -0700 Chris Umphress <umphress@gmail.com> wrote:
> chris@chris:~/test$ arj a test.arj ../../../usr/local/bin/test.txt
ya have ''.'' in yar PATH! bwahahahah!
>Apart from it removing one "../" from the filename I gave it, it
>worked exactly as I expected.
dis is powerfull security whole! im writting a exploit for it right now
in visual cobol!
czech this out::
http://www.security.nnov.ru/search/news.asp?binid=1320
http://www.securityfocus.com/bid/5835/info/
http://www.securityfocus.com/bid/7550/info/
http://rhn.redhat.com/errata/RHSA-2002-096.html
http://www.debian.org/security/2003/dsa-344
http://www.2600.com
doubles
_______________________________________________
Re: [Full-Disclosure] Denial of service in KitchenAid blenders
From: Michael Simpson (Michael.Simpson@inveresk.com)
Date: Tue Oct 12 2004 - 03:59:23 CDT
presumably because you're denied the service but the blender isn't pwned
even though there is physical axs to the device.
full-disclosure-admin@lists.netsys.com wrote on 11/10/2004 16:56:44:
> --On Sunday, October 10, 2004 08:12:35 PM +0200 "Jedi/Sector One"
> <j@pureftpd.org> wrote:
>
> >
> > Product : KitchenAid blenders
> > Date : 10/10/2004
> > Author : Frank Denis <j@pureftpd.org>
>
> > ------------------------[ Vulnerability ]------------------------
> >
> > There's a race condition in KitchenAid blenders that can trigger a
> > denial of service.
> >
> > The device will require a physical shutdown in order to work again.
> >
> You left out - "But still better than Windows". (TM Georgi)
>
> Paul Schmehl (pauls@utdallas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
_______________________________________________
[Full-Disclosure] RE: ASP.NET cannonicalization issue
From: Cassidy Macfarlane (cmacfarlane@Drummond-Miller.co.uk)
Date: Tue Oct 12 2004 - 06:44:21 CDT
I've seen this on the lists, 'cause you've posted it about five times.
Unless you have new information or links regarding this issue, please
refrain from repeat postings - we get enough noise on this list as it
is.
Thanks
Cassidy
-----Original Message-----
From: Evans, Arian [mailto:Arian.Evans@fishnetsecurity.com]
Sent: 07 October 2004 20:32
To: bugtraq@securityfocus.com; full-disclosure@lists.netsys.com
Subject: ASP.NET cannonicalization issue
Hadn't seen this on the lists yet:
Cannonicalization issue in ASP.NET
<snip>
Microsoft is currently investigating a reported
vulnerability in Microsoft ASP.NET.
/snip!
_______________________________________________
Re: [Full-Disclosure] unarj dir-transversal bug (../../../..)
From: evilninja (evilninja@gmx.net)
Date: Tue Oct 12 2004 - 06:48:30 CDT
doubles@hush.com wrote:
> On Mon, 11 Oct 2004 16:29:40 -0700 evilninja <evilninja@gmx.net> wrote:
>
>>evil@sheep:~$ unarj x test.arj
>>ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [27
>>Jun 2004]
>
> arj != unarj! debian is stubido dist nd it pakage ''arj'' as ''unarj''!
um, actually i had to install a package called "unarj", obviously it's
from the same source package. i wonder why this is the case at all. when i
have "gzip", i don't _install_ "ungzip" too. but this is another discussion...
> real unarj 2.* inkl 2.65 latest are vunerabble!
how nice i have stubido gnu/linux running, not having such an "original"
version of unarj ;-)
- --
BOFH excuse #290:
The CPU has shifted, and become decentralized.
_______________________________________________
Re: [Full-Disclosure] unarj dir-transversal bug (../../../..)
From: evilninja (evilninja@gmx.net)
Date: Tue Oct 12 2004 - 06:53:41 CDT
Chris Umphress wrote:
>>...somehow i don't expect programs to mess with /usr. not as a user and
>>not as root.
>
> I just picked /usr, it could have been /etc, /var or any other
> standard directory that every *nix distribution has. Regardless, if I
> try to make unarj write to a directory that I don't have the
> neccessary permissions for, it asks me to pick an alternate location
> to extract to.
yes, but this is the point! when i happen to unarj a package with the
unarj version you have as user "root", then unarj *will* have the
permission to overwrite /etc or whatever. it won't kindly ask but just
overwrite, or does it? (you've shown unarj in action with sudo when
test.txt was non-existent).
- --
BOFH excuse #290:
The CPU has shifted, and become decentralized.
_______________________________________________
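The unarj thread above turns on whether an extractor honours "../" in stored member names. As an added example (not code from arj, unarj, or any poster), this C sketch contrasts a sanitizer that drops only one leading "../" with a per-component check; `strip_one_dotdot` and `member_name_is_safe` are hypothetical names, and the single-strip behaviour is an assumed model, not the tools' source.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical weak sanitizer: drops a single leading "../" and nothing
 * else. It models a partial fix for illustration only; it is not taken
 * from arj or unarj source. */
const char *strip_one_dotdot(const char *name)
{
    return strncmp(name, "../", 3) == 0 ? name + 3 : name;
}

static bool is_sep(char c)
{
    return c == '/' || c == '\\';   /* ARJ archives may come from DOS */
}

/* Accept a member name only if it is relative and no component is "..".
 * Conservative: also refuses DOS drive prefixes such as "C:". */
bool member_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (is_sep(name[0]) || name[1] == ':')
        return false;

    const char *p = name;
    while (*p != '\0') {
        const char *start = p;
        while (*p != '\0' && !is_sep(*p))
            p++;
        if (p - start == 2 && start[0] == '.' && start[1] == '.')
            return false;           /* a ".." component anywhere */
        if (*p != '\0')
            p++;                    /* step over the separator */
    }
    return true;
}

int main(void)
{
    /* Sample member names: the first three appear in the thread's
     * transcripts, the rest are constructed for this example. */
    const char *samples[] = {
        "usr/bin/namei",
        "../usr/bin/namei",
        "../../../usr/local/bin/test.txt",
        "docs/../../etc/passwd",
        "/etc/passwd",
        "..\\..\\autoexec.bat",
        "notes..txt",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *s = samples[i];
        printf("%-34s stripped=%-30s safe=%s\n", s, strip_one_dotdot(s),
               member_name_is_safe(s) ? "yes" : "no");
    }
    return 0;
}
```

An extractor that refuses any name failing this check never writes outside its target directory, whatever privileges it runs with, which is the concern raised about running the tool as root.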
[Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a Virus ??!
From: Sowhat . (smaillist@gmail.com)
Date: Tue Oct 12 2004 - 07:51:18 CDT
hi, list
I have installed Norton AntiVirus 2005, and when I open my F:\
directory, Norton pops up and shows that "Norton AntiVirus has detected
a virus on your computer" "Object Name F:\radmin.exe" "Virus Name
Hacktool".
Is RemoteAdministrator a commercial remote control software or a Hacktool?
The following information is copied from the Radmin's site:
(http://www.radmin.com/)
"This fast, reliable, easy-to-use pc remote control software saves you
hours of running up and down stairs between computers. Radmin allows
you to take control of another PC on a LAN, WAN or dial-up connection
so you see the remote computer's screen on your monitor and all your
mouse movements and keystrokes are directly transferred to the remote
machine. Radmin provides fast secure access to remote PC's on Windows
platforms. "
_______________________________________________
[Full-Disclosure] [SECURITY] [DSA 563-1] New cyrus-sasl packages fix arbitrary code execution
From: debian-security-announce@lists.debian.org
Date: Tue Oct 12 2004 - 07:52:50 CDT
--------------------------------------------------------------------------
Debian Security Advisory DSA 563-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 12th, 2004                      http://www.debian.org/security/faq
--------------------------------------------------------------------------
Package : cyrus-sasl
Vulnerability : unsanitised input
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2004-0884
Debian Bug : 275498
A vulnerability has been discovered in the Cyrus implementation of the
SASL library, the Simple Authentication and Security Layer, a method
for adding authentication support to connection-based protocols. The
library honors the environment variable SASL_PATH blindly, which
allows a local user to link against a malicious library to run
arbitrary code with the privileges of a setuid or setgid application.
For the stable distribution (woody) this problem has been fixed in
version 1.5.27-3woody2.
For the unstable distribution (sid) this problem has been fixed in
version 1.5.28-6.2 of cyrus-sasl and in version 2.1.19-1.3 of
cyrus-sasl2.
We recommend that you upgrade your libsasl packages.
Upgrade Instructions
--------------------
wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
--------------------------------
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce
lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBa9OiW5ql+IAeqTIRAklFAKC0/1+zky3QV38uwrhtk6GqXx+vMACfTW36
oRDIX6kH6GM/cd/tamVbsI0=
=bc+L
-----END PGP SIGNATURE-----
_______________________________________________
Re: [Full-Disclosure] unarj dir-transversal bug (../../../..)
From: Cedric Blancher (blancher
cartel-securite.fr)
Date: Tue Oct 12 2004 - 08:16:33 CDT
On Tue 12/10/2004 at 13:48, evilninja wrote:
> > arj != unarj! debian is stubido dist nd it pakage ''arj'' as ''unarj''!
> um, actually i had to install a package called "unarj", obviously it's
> from the same source package. i wonder why this is the case at all. when i
> have "gzip", i don't _install_ "ungzip" too. but this is another discussion...
Debian stable :
~$ dpkg -l *arj*
Souhait=inconnU/Installé/suppRimé/Purgé/H=à garder
| État=Non/Installé/fichier-Config/dépaqUeté/échec-conFig/H=semi-installé
|/ Err?=(aucune)/H=à garder/besoin Réinstallation/X=les deux (État,Err: majuscule=mauvais)
||/ Nom            Version        Description
+++-==============-==============-============================================
ii  unarj          2.43-3         arj unarchive utility
Debian unstable :
~$ dpkg -l *arj*
Souhait=inconnU/Installé/suppRimé/Purgé/H=à garder
| État=Non/Installé/fichier-Config/dépaqUeté/échec-conFig/H=semi-installé
|/ Err?=(aucune)/H=à garder/besoin Réinstallation/X=les deux (État,Err: majuscule=mauvais)
||/ Nom            Version        Description
+++-==============-==============-============================================
ii  arj            3.10.21-1      archiver for .arj files
ii  unarj          3.10.21-1      transitional dummy package
There was a time when arj archiver was not available under Debian, for
licensing/distribution problems, and only unarj package was available.
As you can see, stable has only unarj 2.43 in non-free section :
http://packages.debian.org/stable/utils/unarj
Now, they have both arj and unarj 3.10.21, unarj being transitional for
people to upgrade smoothly from old unarj 2 only package to full-featured
arj 3 package when moving to upper distro. So expect unarj to disappear
sooner or later and have one arj package (probably when sarge will be
flagged as stable).
By the way, unarj depends on arj, arj package allows dearchiving (see
man page) exactly as unarj does and they share the same source as you
noticed.
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
_______________________________________________
[Full-Disclosure] Writing Trojans that bypass Windows XP Service Pack 2 Firewall
americanidiot
hushmail.com
Date: Tue Oct 12 2004 - 00:10:38 CDT
Writing Trojans that bypass Windows XP Service Pack 2 Firewall
Windows XP Service Pack 2 incorporates many enhancements to try to better
protect systems from malware and other forms of attacks. One of those
layers of protection is the Windows XP SP2 Firewall. One of the features
of this firewall is the ability to allow users to decide what applications
can listen on the network. By allowing users to control what applications
can communicate on the network, Microsoft believes that systems will
be protected against threats such as trojans. Like so many things Microsoft
says, this is inaccurate and in fact it is very easy for locally executing
code to bypass the Windows firewall. So don't worry you aspiring Trojan
developers, you're still going to be able to Trojan consumer and corporate
systems to your heart's content.
Attached to this email is proof of concept code that demonstrates how
a Trojan could bind to a port and accept connections by piggybacking
on the inherent trust of sessmgr.exe. Simply compile this program and
run it as any local user. To test if the firewall has been bypassed (it
is!) telnet from another machine to the target machine on port 333 and
if you're connected, then you've successfully bypassed the Windows XP Service
Pack 2 Firewall.
It is amazing to watch how the release of Windows XP Service Pack 2 has
affected the computing industry. It is as if people are yearning for
a cure so badly that they will happily drink the Kool-Aid and believe
Microsoft's mantra. If for no other reason than the hope of security.
In this belief though few are left standing to question the motivations
and misguided nature of Windows XP Service Pack 2 and security in general
from Microsoft.
The security enhancements of Service Pack 2 are not targeted at helping
corporations solve their Microsoft related security problems. Even in
the case of security for home users Microsoft has failed to provide any
real value. Instead they have provided confusion, and misguided trust.
One of the first security enhancements of Service Pack 2 is the fact
that Microsoft conducted a large scale source code audit to flush out
any outstanding bugs that might exist within the XP and 2003 codebase.
Through the use of source code analysis tools (PREfast and PREfix) and
outside consultants, Microsoft has hoped to fix the majority of buffer
overflows, and other commonly discovered vulnerabilities. This is probably
the only valid security effort on Microsoft's part for Service Pack 2.
Indeed many bugs have been identified and silently fixed within Service
Pack 2. In fact so many security bugs have been fixed by Microsoft's
source code audit that if you're running a Windows XP system without
SP2 then you're leaving yourself at great risk to being compromised.
It is easy to understand why some people would want to pat Microsoft
on the back for this effort. But for those of you who have invested millions
of dollars in Windows 2000, it is easy to understand why you might feel
that Microsoft has wronged you. In fact you might feel more than wronged
when Microsoft tells you that their answer for better security is to
buy their new operating system. You might feel like Microsoft is the
company selling you their sickness, and the next year, their cure.
You also have to understand that there is a lot of shared code between
Windows 2000 and Windows XP. What is the significance you ask? Microsoft
has found and fixed numerous vulnerabilities in Windows XP with the release
of Windows XP SP2. These vulnerabilities also exist within Windows 2000.
However, there is no current plan for Microsoft to release a Security
Service Pack for Windows 2000, nor do anything to fix the now known vulnerabilities
(hundreds of them) that exist in Windows 2000. Again you are left with
a choice, upgrade for a price, or be vulnerable. Is this not gross negligence
and extortion? This goes beyond any analogies of car tires exploding
and the liability of car manufacturers. It is a fact that right now Microsoft
knows of insecurities within the Windows 2000 operating system and they
have no plan to do anything about it. The United States government, Department
of Homeland Security, foreign governments, large financial institutions,
you are at the mercy of a company drunk on ego. You ask for security
but like Microsoft, it is not a real priority to you. If it was then
you would not let yourselves be so easily bullied by a software company
who is powerless against you, if you chose to take a stand and not only
demand better by your words, but by your actions.
Another security enhancement of Service Pack 2 is better protection around
executable code, to help prevent the propagation of virus and malware
programs. One of the ways that Microsoft has tried to help fight off
malware and virus programs is by adding an extra layer into the decision
making process of a user trying to run a virus or malware program. This
added layer uses code signing to attempt to verify trusted content. If
a program is not signed by a trusted source then a user is notified of
this and that user can allow or deny the program. This is another short
sighted feature on Microsoft's part as it does not add any real benefit
to corporations or home users. The way that this is going to work in
the real world is that now instead of a user running a program, or saying
yes to an ActiveX control, they are going to be prompted a second time
and told "This code has not been signed, are you sure you want to execute
it?" or in more realistic terms "Hello, this is your computer speaking.
Are you sure you want to perform the action that you already told me
you want to perform?" You can not expect a home user or your average
corporate user to understand what code signing is or to know if executable
content is coming from a trusted source or not. This is another exercise
on Microsoft's part in creating the illusion of safety, much like airport
guards carrying M-16 rifles. There is no real security value in this,
and if there was, then why not provide this "needed" security functionality
to older operating systems which Microsoft still "supports". Even in
the case of web browser security enhancements, such as the Internet Explorer
enhancements that Microsoft has added to XP SP2, Microsoft will not provide
those security enhancements for the Windows 2000 platform.... You can
always pay to upgrade your corporate user desktop licenses to this supposedly
more secure operating system. If Microsoft really believed these security
enhancements were beneficial and needed then why not provide them to
their users of other "supported" operating systems?
The single most misunderstood security enhancement of Windows XP Service
Pack 2 is the new and improved firewalling capabilities. It is amazing
to see people talking about the Windows XP SP2 firewall as if it actually
adds protection to corporations/organizations using Microsoft Windows.
In truth the Service Pack 2 firewall does more harm than good because
too many people have fallen under the mistaken idea that the firewall
is going to protect them from attack. This false belief will cause companies
to depend too much on a technology that cannot live up to their expectations.
This notion of the Service Pack 2 firewall protecting you from attack
is not something that IT people have dreamed up themselves, this is something
that Microsoft reinforces in all of their messaging about XP SP2. In
reality the XP SP2 firewall does nothing in the way of helping corporations
stay protected against the latest worm threat. The way in which this
firewall attempts to keep a system secure is by filtering/firewalling
the various protocols and ports which are potentially vulnerable to worms.
For example if you were to block ports: 135,137,139,445, etc... You would
have been "safe" against two of the biggest worms this year, Sasser and
Blaster. In this example the Windows XP Service Pack 2 firewall would
have protected your system against infection. The only problem is that
this scenario does not work "in the real world". The reason being that
these ports are the same ports that Microsoft Windows uses for File Sharing,
System and Domain management, and various other functionality that is
required by IT professionals to manage Windows based systems. So in an
effort to protect your organization you would in turn create a denial
of service and cripple your ability to manage your environment. Microsoft
does make recommendations to only allow things like File Sharing and
Windows Management available to other systems on your local subnet however
for a lot of organizations your domain controller, file servers, IT management
systems, are not going to exist on the same 255 host subnet. Therefore
you have to open these ports to the rest of your network, which
means you are now back to square one and wide open to attack. Beyond
all of these usability and false sense of security problems the Windows
XP SP2 firewall is simply flawed as a program as illustrated in the beginning
of this email by the bypass attack.
When all the dust has settled around Windows XP SP2 people will see that
there have continued to be vulnerabilities discovered, systems compromised,
and worms released. The only difference is that you will have the appearance
of security because Microsoft will be able to show pretty graphs and
charts about how Windows XP SP2 and Windows 2003 have had fewer vulnerabilities
than other OS's like Windows 2000. This is also largely in part because
of monthly patching schedules and bundling of multiple vulnerabilities
within a single patch, all to show downward trends in vulnerabilities.
It is like they are trying to rub in the fact that they have so much
power over you that they can knowingly leave you vulnerable, force you
to pay them money to upgrade to security, and then tell the whole world
they made you do it, and if the rest of you don’t, then your systems
are going to be compromised next. Compound that with the fact that the
systems they are forcing you to upgrade to are not that much more secure,
and ask yourselves how you have let such a monopoly gain so much control
over HOW YOU DO BUSINESS, HOW YOU MANAGE YOUR LIFE.
We can all do better, this is not how technology has to be.
_______________________________________________
- application/octet-stream attachment: sessmgr.c
[Full-Disclosure] Adobe acrobat / Adobe Reader 6 can read local files
From: Jelmer (jkuperus
planet.nl)
Date: Tue Oct 12 2004 - 08:56:32 CDT
Adobe acrobat / Adobe Reader 6 can read local files
Description
Acrobat / Acrobat Reader is software for viewing and printing Adobe Portable
Document Format (PDF) files. Adobe PDF files can be viewed on most major
operating systems.
Version 6 of this program has an issue with the way it handles embedding
Macromedia Flash files directly into a PDF. This allows a malicious website
operator to steal local files from a user's hard drive, including cookie
files.
Technical Details:
Version 6 of the PDF format introduced a new way to embed movies directly
into the PDF file. In previous versions one could only link to media in
external files.
Adobe Reader extracts this SWF file from the PDF and saves it under a random
name to your temp dir. On Windows XP and 2000 this dir is usually located at
C:\Documents and Settings\<username>\Local Settings\Temp
It then appears to "link" directly to this saved file, in effect making your
local hard disk the codebase for this SWF file and allowing it read access
to all of the files on your hard drive.
Systems affected:
Adobe reader 6
Adobe acrobat 6
Demonstration:
Create a text file called c:\jelmer.txt then proceed to click on
http://62.131.86.111/security/acrobat/demo.pdf
Risk: medium
_______________________________________________
[Full-Disclosure] Microsoft cabarc directory traversal
From: Jelmer (jkuperus
planet.nl)
Date: Tue Oct 12 2004 - 08:56:35 CDT
Description:
Cabarc is a command line tool to create and extract cabinet files (.cab). It
is included in the Windows Support Tools package.
It is subject to a directory traversal bug similar to those found in unzip,
unarj etc.
Technical Details:
..\file fails
../file defeats the protection
Demonstration:
http://62.131.86.111/security/cabarc/demo.cab
Risk : low
_______________________________________________
Re: [Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a Virus ??!
list
nolog.org
Date: Tue Oct 12 2004 - 09:09:18 CDT
Hello,
Sowhat . wrote:
> [ NAV 2k5 detected radmin.exe as virus ]
>
> Is RemoteAdministrator a commercial remote control software or a
> Hacktool ?
since you're posting this to full-disclosure, I assume you have already
contacted Norton. What did they say?
GTi
_______________________________________________
Re: [Full-Disclosure] unarj dir-transversal bug (../../../..)
From: Christian Kujau (evil
g-house.de)
Date: Tue Oct 12 2004 - 06:53:14 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Chris Umphress wrote:
>>...somehow i don't expect programs to mess with /usr. not as a user and
>>not as root.
>
> I just picked /usr, it could have been /etc, /var or any other
> standard directory that every *nix distribution has. Regardless, if I
> try to make unarj write to a directory that I don't have the
> necessary permissions for, it asks me to pick an alternate location
> to extract to.
yes, but this is the point! when i happen to unarj a package with the
unarj version you have as user "root", then unarj *will* have the
permission to overwrite /etc or whatever. it won't kindly ask but just
overwrite, or does it? (you've shown unarj in action with sudo when
test.txt was non-existent).
- --
BOFH excuse #290:
The CPU has shifted, and become decentralized.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBa8Wq+A7rjkF8z0wRAvOIAKDDIeYg5kMmda/6vR1sfgXORSGW7wCg2Fwg
jkJFk76Fgb7nDCDvAk+HrkY=
=v0l8
-----END PGP SIGNATURE-----
_______________________________________________
Re: [Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a Virus ??!
From: Rob Bochan (robochan
twcny.rr.com)
Date: Tue Oct 12 2004 - 09:32:52 CDT
On Tuesday 12 October 2004 08:51 am, Sowhat . wrote:
> hi ,list
>
> I have installed Norton AntiVirus 2005 ,and when i open my F:\
> directory ,Norton pops up and show that,"Norton AntiVirus has detected
> a virus on your computer" "Object Name F:\radmin.exe" "Virus Name
> Hacktool".
Symantec labels a competitor's product
(http://sea.symantec.com/content/product.cfm?productid=16)
as malware?
I am SHOCKED! SHOCKED I tell you! SHOCKED!
Who would expect such dastardly behavior from a corporate entity?
Did you install radmin or was it installed without your knowledge?
...Rob
--
"Stealing", as defined by (insert favorite industry group/misguided
Congressman here) is WRONG WRONG WRONG! Got that? It is WRONG! But
intimidation, lying, cheating, and misrepresenting facts and relevant law is
entirely okay so long as you're doing it to preserve and protect your cash
flow.
_______________________________________________
Re: [Full-Disclosure] unarj dir-transversal bug (../../../..)
From: Chris Umphress (umphress
gmail.com)
Date: Tue Oct 12 2004 - 08:49:18 CDT
> yes, but this is the point! when i happen to unarj a package with the
> unarj version you have as user "root", then unarj *will* have the
> permission to overwrite /etc or whatever. it won't kindly ask but just
> overwrite, or does it? (you've shown unarj in action with sudo when
> test.txt was non-existent).
arj does ask if you want to overwrite an existing file.
--------------- snip ----------------
chris@chris:/home$ ls -l /usr/local/bin/test.txt
/usr/bin/ls: /usr/local/bin/test.txt: No such file or directory
chris@chris:/home$ ./chris/test/arj x chris/test/test.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [11 Oct 2004]
Processing archive: chris/test/test.arj
Archive created: 2004-10-11 12:22:42, modified: 2004-10-11 12:22:42
Error (13): Permission denied
Can't open ../usr/local/bin/test.txt
OK to extract to a new filename?
Break signaled!
chris@chris:/home$ sudo ./chris/test/arj x chris/test/test.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [11 Oct 2004]
Processing archive: chris/test/test.arj
Archive created: 2004-10-11 12:22:42, modified: 2004-10-11 12:22:42
Extracting ../../usr/local/bin/test.txt to ../usr/local/bin/test.txt OK
1 file(s)
chris@chris:/home$ sudo ./chris/test/arj x chris/test/test.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [11 Oct 2004]
Processing archive: chris/test/test.arj
Archive created: 2004-10-11 12:22:42, modified: 2004-10-11 12:22:42
ARJ 13 04-10-11 12:21:48, DISK 13 04-10-11 12:21:48
../usr/local/bin/test.txt is same or newer, Overwrite?
Break signaled!
chris@chris:/home$ ls -l /usr/local/bin/test.txt
-rw-r--r-- 1 root root 13 2004-10-11 12:21 /usr/local/bin/test.txt
--------------------------------------
I found a copy of unarj [2.63] and repeated the same test (using
unarj). It tried to extract with "../../" where arj had only used
"../". "unarj" had one other difference from "arj" that I noticed.
When it encountered a file that already existed, it automatically
skipped extraction of that file.
On a side-note, ARJ is more of a dos/windows archiving format. I had
assumed that no one in their right mind would run this tool as root on
an archive that they had not created. Every *nix package format that I
can find is based off of tar/gzip or the RPM file format. I guess
there is always a possibility that someone will run unarj as root,
though.
--
Chris Umphres <http://daga.dyndns.org/>
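
The two traversal behaviours reported in this thread (cabarc refusing "..\file" but accepting "../file", and the arj run above extracting "../../usr/local/bin/test.txt" to "../usr/local/bin/test.txt") set beside a stricter member-name check that an extractor could apply before writing. This is an added example, not part of any post and not code from cabarc, arj or unarj; the function names, the /home extraction root and the sample member names are constructed, and the two weak checks are only models of the reported behaviour.

```python
import posixpath

# Member names as they might appear in an archive listing (constructed samples).
SAMPLE_MEMBERS = [
    "docs/readme.txt",
    "..\\file",
    "../file",
    "../../usr/local/bin/test.txt",
    "/etc/passwd",
    "a/../../b",
]


def backslash_only_check(member):
    """Model of the reported cabarc behaviour (hypothetical, not cabarc's code):
    only the backslash spelling of a parent reference is refused."""
    return "..\\" not in member


def strip_one_parent(member):
    """Model of the arj transcript (hypothetical, not arj's code): a single
    leading '../' is dropped and whatever follows is used as the target."""
    return member[3:] if member.startswith("../") else member


def escapes(root, member):
    """True if writing root/member would land outside root.
    Both separators are treated alike, as Windows file APIs do."""
    unified = member.replace("\\", "/")
    target = posixpath.normpath(posixpath.join(root, unified))
    base = posixpath.normpath(root)
    return not (target == base or target.startswith(base + "/"))


def safe_destination(root, member):
    """Return the destination for member under root, or raise ValueError.
    Policy: unify separators first, then refuse absolute paths, drive
    letters and any '..' component instead of trying to repair the name.
    Symlinks already present under root are outside this check."""
    unified = member.replace("\\", "/")
    if unified.startswith("/") or unified[1:2] == ":":
        raise ValueError("absolute member path: %r" % member)
    parts = [p for p in unified.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("unsafe member path: %r" % member)
    return posixpath.join(root, *parts)


def audit(root, members):
    """Compare the two weak models with the hardened check for each member."""
    rows = []
    for name in members:
        try:
            safe_destination(root, name)
            hardened = "accept"
        except ValueError:
            hardened = "reject"
        rows.append({
            "member": name,
            "escapes_root": escapes(root, name),
            "backslash_only_passes": backslash_only_check(name),
            "escapes_after_strip_one": escapes(root, strip_one_parent(name)),
            "hardened": hardened,
        })
    return rows


if __name__ == "__main__":
    for row in audit("/home", SAMPLE_MEMBERS):
        print(row)
```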
_______________________________________________
Re: [Full-Disclosure] Hacking into private files, my credit card purchases, personal correspondence or anything that is mine is trespassing and criminal.
From: Barry Fitzgerald (bkfsec
sdf.lonestar.org)
Date: Tue Oct 12 2004 - 09:07:48 CDT
Giselbert Hinkelmann wrote:
>
> On 12.10.2004 at 01:33, Jesse Valentin wrote:
>
>> My point is that just because something isn’t recognized as incorrect
>> by a
>> “legal entity” this doesn’t necessarily indicate that the conclusion
>> is sound…
>
>
> Which means that future generations may see not giving free/cheap access
> of all published information to everyone as soon as it was technically
> possible
> as one of the worst crimes of the 21st century...
>
Actually, that state would guarantee the death of democracy. We're not
just talking about free movies here. We're talking about who controls
the dissemination of information. This can't be thought of as just a
petty criminal matter. It has much wider implications.
-Barry
_______________________________________________
Re: [Full-Disclosure] Hacking into private files, my credit card purchases, personal correspondence or anything that is mine is trespassing and criminal.
From: Barry Fitzgerald (bkfsec
sdf.lonestar.org)
Date: Tue Oct 12 2004 - 09:06:16 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Jesse Valentin wrote:
>
> My point is that just because something isn’t recognized as incorrect
> by a “legal entity” this doesn’t necessarily indicate that the
> conclusion is sound…
>
>
I agree with your point here, but you missed one of the nuances of my
argument. The definition of theft isn't just a legal definition that
occurs at one point in time. It's a *long*-standing legal concept that
is grounded in millennia of philosophical interpretation.
Stealing is unauthorized possession, not unauthorized use. It's not just a
legal contextual definition, it's a very set in stone and time tested
legal definition.
It doesn't matter what someone's opinion of the misuse of the word is.
The sky is not blood red no matter how many people say that it is.
And those who try to redefine theft with the intention of affecting an
emotional reaction should receive copious amounts of opposition because
they're trying to affect the legal infrastructure by manipulating the
language and, by extension, changing people's opinions when standard
methods of changing their opinions simply don't work.
In other words: the drive is manipulative and it's being carried out by
people who are malicious to society as a whole. Unfortunately, they've
had great success in this and the average person misuses the terms
without even knowing that they're doing harm.
-Barry

RE: [Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a Virus ??!
From: Todd Towles (toddtowles@brookshires.com)
Date: Tue Oct 12 2004 - 09:15:22 CDT
That is a widely used tool that is dropped by various malware programs. I think even one of the JPEG exploits was dropping radmin.exe.
It would be better to assume you have an infection and prove yourself wrong than the other way around. Look into it pretty deep, I would suggest.
> -----Original Message-----
> From: full-disclosure-admin@lists.netsys.com
> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Sowhat .
> Sent: Tuesday, October 12, 2004 7:51 AM
> To: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] Norton AntiVirus 2005 treats
> Radmin as a Virus ??!
>
> hi ,list
>
> I have installed Norton AntiVirus 2005 ,and when i open my
> F:\ directory ,Norton pops up and show that,"Norton AntiVirus
> has detected a virus on your computer" "Boject Name
> F:\radmin.exe" "Virus Name Hacktool".
>
> Is RemoteAdministrator a commercial remote control software
> or a Hacktool ?
>
> the following information is copied from the Radmin's site:
> (http://www.radmin.com/)
>
> "This fast, reliable, easy-to-use pc remote control software
> saves you hours of running up and down stairs between
> computers. Radmin allows you to take control of another PC on
> a LAN, WAN or dial-up connection so you see the remote
> computer's screen on your monitor and all your mouse
> movements and keystrokes are directly transferred to the
> remote machine. Radmin provides fast secure access to remote
> PC's on Windows platforms. "
>

Re: [Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a Virus ??!
From: Sowhat . (smaillist@gmail.com)
Date: Tue Oct 12 2004 - 09:08:35 CDT
No, no one installed Radmin on my computer; it's a new clean box. The
radmin.exe is the client of the Radmin.
As I remember, Norton AntiVirus 2004 marked Radmin as potential malware,
and in 2005 it was marked as Hacktool.
I have googled for it; Trend Micro also marks it as a hacktool, HKTL_RADMIN.A
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=HKTL_RADMIN.A
"This hacking tool is actually a commercial software used for network
administration.
It can control the client system and desktop. It can also monitor all
events of the target machine.
This software contains the following features:
Control over multiple users
File transfer
User log on and log off
Multilanguage support
NT security
Telnet
It runs on Windows 95, 98, ME, NT, 2000, and XP.
"
On Tue, 12 Oct 2004 15:54:31 +0200, Mordread Wallas
<mordread.wallas@gmail.com> wrote:
> On Tue, 12 Oct 2004 20:51:18 +0800, Sowhat . <smaillist@gmail.com> wrote:
> > Is RemoteAdministrator a commercial remote control software or a Hacktool ?
>
> Hi,
>
> Imagine that someone has installed Remote Administrator (or,
> PCAnyWhere, VNC, DMWare, etc...) on your computer, without your
> permission (it can be do now with some GDI+ faked jpeg for example).
> What should your antivirus software do?
>
> For many years, antivirus softwares had never alert users about such
> tools, so I think it's a good news!
>
> See you,
> --
> Mordread Wallas
>

RE: [Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a Virus ??!
From: Stephen Agar (Stephen.Agar@bmhcc.org)
Date: Tue Oct 12 2004 - 09:56:13 CDT
http://securityresponse.symantec.com/avcenter/venc/data/remacc.radmin.html
Maybe there is some info for you there?
--stephen
> -----Original Message-----
> From: full-disclosure-admin@lists.netsys.com
> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Sowhat .
> Sent: Tuesday, October 12, 2004 7:51 AM
> To: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] Norton AntiVirus 2005 treats
> Radmin as a Virus ??!
>
> hi ,list
>
> I have installed Norton AntiVirus 2005 ,and when i open my
> F:\ directory ,Norton pops up and show that,"Norton AntiVirus
> has detected a virus on your computer" "Boject Name
> F:\radmin.exe" "Virus Name Hacktool".
>
> Is RemoteAdministrator a commercial remote control software
> or a Hacktool ?
>
> the following information is copied from the Radmin's site:
> (http://www.radmin.com/)
>
> "This fast, reliable, easy-to-use pc remote control software
> saves you hours of running up and down stairs between
> computers. Radmin allows you to take control of another PC on
> a LAN, WAN or dial-up connection so you see the remote
> computer's screen on your monitor and all your mouse
> movements and keystrokes are directly transferred to the
> remote machine. Radmin provides fast secure access to remote
> PC's on Windows platforms. "
>

Re: [Full-Disclosure] Hacking into private files, my credit card purchases, personal correspondence or anything that is mine is trespassing and criminal.
From: Stormwalker (bruen@coldrain.net)
Date: Tue Oct 12 2004 - 09:53:58 CDT
Hi Vincent,
The theft is theft of services, not the TV show.
cheers, bob
On Tue, 12 Oct 2004, Vincent Archer wrote:
> On Mon, Oct 11, 2004 at 11:43:22AM -0500, Ron DuFresne wrote:
> > Vincent, I think you lost track in your reply, he was not talking about
> > braondband cable access to the internet, he was talking about cable TV
> > services being stolen in this case, and the teft of the 'service'.
> ...
> > On Mon, 11 Oct 2004, Vincent Archer wrote:
> >
> > > On Fri, Oct 08, 2004 at 11:41:49AM -0700, Jesse Valentin wrote:
> > > > How about using a digital de-scrambler for cable service? You're getting something you're not paying for? isn't that stealing? True, its not a vital service, but isn't this still plain 'ol stealing?
> > >
>
> The initial post was about de-cramblers, i.e. watching TV programs you
> haven't paid a subscription for. It's not stealing. The TV programs you
> "stole" are still there, and every single subscriber had access to them.
> Hence, no theft has occured. Fraud, however, has occured in that case.
>
> I know habit still puts theft to use where nothing is ever stolen. You
> still talk about "stealing secrets" in espionage, for example. Nothing
> is stolen in that case either. In general, you cannot steal, in the
> real sense of the word, information. But theft is much shorter and convey
> better the sense of badness than "illegal duplication and access".
>
>

Re: [Full-Disclosure] Hacking into private files, my credit card purchases, personal correspondence or anything that is mine is trespassing and criminal.
From: Jesse Valentin (jessevalentin@yahoo.com)
Date: Tue Oct 12 2004 - 09:44:44 CDT
OK Barry,
I understand the point you're trying to make but regardless of the technical definition you are still using something that you should be paying for - correct? Fraud, stealing, cookie baking, whatever you want to call it - isn't it a breach of security and isn't it still wrong?
These are some of the limitations of the law that I'm talking about. Every issue gets so diluted that the simple decision of what is right and what is wrong gets lost.
This results in months and months of debates and legal wrangling that in the end gets nowhere. Everyone is still divided - great moneymaker but unfortunately no justice.
Having to define every nuance of crime creates loopholes and large issues out of small potatoes. Take for example Sarbanes Oxley. This whole god awful thing was created to prevent issues like the Enron scandal from happening all over again. And what was that whole issue about? Yep, that's right.. stealing. Or was it fraud? Or was it unauthorized use? Or was it unauthorized possession? ... :-)
Jesse
Barry Fitzgerald <bkfsec@sdf.lonestar.org> wrote:
Jesse Valentin wrote:
>
> My point is that just because something isn’t recognized as incorrect
> by a “legal entity” this doesn’t necessarily indicate that the
> conclusion is sound…
>
>
I agree with your point here, but you missed one of the nuances of my
argument. The definition of theft isn't just a legal definition that
occurs at one point in time. It's a *long*-standing legal concept that
is grounded in millennia of philosophical interpretation.
Stealing is unauthorized possession, not unauthorized use. It's not just a
legal contextual definition, it's a very set in stone and time tested
legal definition.
It doesn't matter what someone's opinion of the misuse of the word is.
The sky is not blood red no matter how many people say that it is.
And those who try to redefine theft with the intention of affecting an
emotional reaction should receive copious amounts of opposition because
they're trying to affect the legal infrastructure by manipulating the
language and, by extension, changing people's opinions when standard
methods of changing their opinions simply don't work.
In other words: the drive is manipulative and it's being carried out by
people who are malicious to society as a whole. Unfortunately, they've
had great success in this and the average person misuses the terms
without even knowing that they're doing harm.
-Barry

Re: [Full-Disclosure] Hacking into private files, my credit card purchases, personal correspondence or anything that is mine is trespassing and criminal.
From: Vincent Archer (var@deny-all.com)
Date: Tue Oct 12 2004 - 10:13:59 CDT
On Tue, Oct 12, 2004 at 10:53:58AM -0400, Stormwalker wrote:
> Hi Vincent,
>
> The theft is theft of services, not the TV show.
Actually, as I said somewhat in passing in my original message, the
cable companies can sue you for theft of signal, not theft of service
(you can't steal a service) or theft of the TV show (which is still
there, unchanged).
I.e. they contend that you stole the actual electrons (or photons, if
you have an optic fiber cable) delivered to your home that you didn't
pay for.
This is somewhat ridiculous, of course... but, hey, it's what you get
when you start looking into legalese. Common sense has no place in
there.
--
Vincent ARCHER
varcher@denyall.com
Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 5, rue Scribe - 75009 Paris - France
www.denyall.com

Re: [Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a Virus ??!
From: Ken S (ken.securitylist@gmail.com)
Date: Tue Oct 12 2004 - 11:02:24 CDT
This is part of Symantec's support for "expanded threats", which
includes adware & spyware. It is an option in Symantec AntiVirus
Corporate Edition version 9 as well. We have it set to "log only", so
we're not automatically deleting these programs. With SAV 9, it only
flags expanded threats during a scheduled scan, not in real-time. I'd
like to see more capabilities, including the ability to fully
uninstall these programs, but because of questionable catches like
this one, we're going to have to rely on human intervention to make
some of the uninstall decisions. I must say that it has been very
interesting (and a bit disconcerting) to see all the adware/spyware
that's on people's machines!
Ken
On Tue, 12 Oct 2004 09:56:13 -0500, Stephen Agar <stephen.agar@bmhcc.org> wrote:
> http://securityresponse.symantec.com/avcenter/venc/data/remacc.radmin.html
>
> Maybe there is some info for you there?
>
> --stephen
>
> > -----Original Message-----
> > From: full-disclosure-admin@lists.netsys.com
> > [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Sowhat .
> > Sent: Tuesday, October 12, 2004 7:51 AM
> > To: full-disclosure@lists.netsys.com
> > Subject: [Full-Disclosure] Norton AntiVirus 2005 treats
> > Radmin as a Virus ??!
> >
> > hi ,list
> >
> > I have installed Norton AntiVirus 2005 ,and when i open my
> > F:\ directory ,Norton pops up and show that,"Norton AntiVirus
> > has detected a virus on your computer" "Boject Name
> > F:\radmin.exe" "Virus Name Hacktool".
> >
> > Is RemoteAdministrator a commercial remote control software
> > or a Hacktool ?
> >
> > the following information is copied from the Radmin's site:
> > (http://www.radmin.com/)
> >
> > "This fast, reliable, easy-to-use pc remote control software
> > saves you hours of running up and down stairs between
> > computers. Radmin allows you to take control of another PC on
> > a LAN, WAN or dial-up connection so you see the remote
> > computer's screen on your monitor and all your mouse
> > movements and keystrokes are directly transferred to the
> > remote machine. Radmin provides fast secure access to remote
> > PC's on Windows platforms. "
> >

Re: [Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a Virus ??!
From: Sowhat . (smaillist@gmail.com)
Date: Tue Oct 12 2004 - 10:15:18 CDT
I am sorry, I didn't contact Norton
because I found that many AV marked it as HACKTOOL, not only Norton.
As someone has said, AV vendors need a lawyer :)
On Tue, 12 Oct 2004 16:09:18 +0200, list@nolog.org <list@nolog.org> wrote:
> Hello,
>
> Sowhat . wrote:
> > [ NAV 2k5 detected radmin.exe as virus ]
> >
> > Is RemoteAdministrator a commercial remote control software or a
> > Hacktool ?
>
> since you're posting this to full-disclosure, I assume you have already
> contacted Norton. What did they say?
>
> GTi
>
>
>

RE: [Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a Virus ??!
From: Peadro, Jeff (AIS) (jpeaa@allstate.com)
Date: Tue Oct 12 2004 - 11:03:46 CDT
Correct. RA was used in the JPEG exploit from easynews.
quoted from GDI sploit itself
"
UPDATE: We have packet logs at http://easynews.com/virus/ THIS VIRUS IS NASTY!
If you don't know what a jpeg virus is, check out:
http://news.google.com/news?q=jpeg+virus
Swany and I wrote a quick and nasty script to scan every jpeg that comes into Easynews.com.. It paged
my cell phone at 6:47pm PDT on 9/26/2004 for the first hit, and 7:52pm PDT on 9/26/2004 for
the second hit.
Once this JPEG overflowed GDI+, it phoned home, connected to an ftp site and downloaded
almost 2megs of stuff. It installs a trojan that installs itself as a service.
It also installs radmin (radmin.com) running as 'r_server'. From the radmin.com site, "With Radmin you
can work on a remote computer exactly as if you were right there at its keyboard."
It phones home to the same IP that is in the usenet post headers. Then it seems
to connect to ftp://209.171.43.27/www/system/ u/p bawz/pagdba (last time I checked, 93 users where logged in!)
"
jEff
-----Original Message-----
From: full-disclosure-admin@lists.netsys.com
[mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Todd Towles
Sent: Tuesday, October 12, 2004 9:15 AM
To: Sowhat .; full-disclosure@lists.netsys.com
Subject: RE: [Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a
Virus ??!
That is a widely used tool that is dropped by various malware programs. I think even one of the JPEG exploits was dropping radmin.exe
It be better to assume you have a infection and prove yourself wrong than the other way around. Look into it pretty deep, I would suggest.
> -----Original Message-----
> From: full-disclosure-admin@lists.netsys.com
> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Sowhat .
> Sent: Tuesday, October 12, 2004 7:51 AM
> To: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] Norton AntiVirus 2005 treats
> Radmin as a Virus ??!
>
> hi ,list
>
> I have installed Norton AntiVirus 2005 ,and when i open my
> F:\ directory ,Norton pops up and show that,"Norton AntiVirus
> has detected a virus on your computer" "Boject Name
> F:\radmin.exe" "Virus Name Hacktool".
>
> Is RemoteAdministrator a commercial remote control software
> or a Hacktool ?
>
> the following information is copied from the Radmin's site:
> (http://www.radmin.com/)
>
> "This fast, reliable, easy-to-use pc remote control software
> saves you hours of running up and down stairs between
> computers. Radmin allows you to take control of another PC on
> a LAN, WAN or dial-up connection so you see the remote
> computer's screen on your monitor and all your mouse
> movements and keystrokes are directly transferred to the
> remote machine. Radmin provides fast secure access to remote
> PC's on Windows platforms. "
>

[Full-Disclosure] RE: x-posting--was--> ASP.NET cannonicalization issue
From: Evans, Arian (Arian.Evans@fishnetsecurity.com)
Date: Tue Oct 12 2004 - 10:02:45 CDT
> -----Original Message-----
> From: Cassidy Macfarlane
> Sent: Tuesday, October 12, 2004 6:44 AM
>
> Ive seen this on the lists, cause You've posted it about five times.
> Unless you have new information or links regarding this issue, please
> refrain from repeat postings - we get enough noise on this list as it
I made one post to BT and one here (FD).
I fully expected the normal BT-mod drop so I got lazy; my fault.
It was a timely post about a very real issue; relevant, and covering
mitigation steps.
Others have followed up with the missing details since then;
good info to be found last week on webappsec list archives:
http://www.securityfocus.com/archive/107/2004-10-02/2004-10-08/0
Arian

SV: [Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a Virus ??!
From: Peter Kruse (kruse@krusesecurity.dk)
Date: Tue Oct 12 2004 - 10:40:32 CDT
Hi,
Keep in mind that there's a client and a server part in the Radmin installation. During installation of this commercial software you'll have the option to choose whether you want to install the server or only the client.
If the client software is detected as malicious this would indeed be a bad call. However, if Symantec labels the server as a backdoor risk, it's likely because it was distributed as part of a malware package not so long ago (a few weeks back). Still, this doesn't justify labeling the Radmin Client as a security risk. The Radmin software is widely used for remote administration in the same manner as VNC, Terminal Services or "Netbus" ;-)
Regards
Peter Kruse
>-----Original Message-----
>From: full-disclosure-admin@lists.netsys.com
>[mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Todd Towles
>Sent: 12 October 2004 16:15
>To: Sowhat .; full-disclosure@lists.netsys.com
>Subject: RE: [Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a
>Virus ??!
>
>
>That is a widely used tool that is dropped by various malware
>programs. I think even one of the JPEG exploits was dropping radmin.exe
>
>It be better to assume you have a infection and prove yourself
>wrong than the other way around. Look into it pretty deep, I would
>suggest.
>
>> -----Original Message-----
>> From: full-disclosure-admin@lists.netsys.com
>> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Sowhat .
>> Sent: Tuesday, October 12, 2004 7:51 AM
>> To: full-disclosure@lists.netsys.com
>> Subject: [Full-Disclosure] Norton AntiVirus 2005 treats
>> Radmin as a Virus ??!
>>
>> hi ,list
>>
>> I have installed Norton AntiVirus 2005 ,and when i open my
>> F:\ directory ,Norton pops up and show that,"Norton AntiVirus
>> has detected a virus on your computer" "Boject Name
>> F:\radmin.exe" "Virus Name Hacktool".
>>
>> Is RemoteAdministrator a commercial remote control software
>> or a Hacktool ?
>>
>> the following information is copied from the Radmin's site:
>> (http://www.radmin.com/)
>>
>> "This fast, reliable, easy-to-use pc remote control software
>> saves you hours of running up and down stairs between
>> computers. Radmin allows you to take control of another PC on
>> a LAN, WAN or dial-up connection so you see the remote
>> computer's screen on your monitor and all your mouse
>> movements and keystrokes are directly transferred to the
>> remote machine. Radmin provides fast secure access to remote
>> PC's on Windows platforms. "
>>

Re: [Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a Virus ??!
From: Harlan Carvey (keydet89@yahoo.com)
Date: Tue Oct 12 2004 - 12:40:07 CDT
> because i found that many AV marked it as HACKTOOL
> ,not only norton
> as someone has said ,AV vendors need a lawyer :)
I don't get it...AV vendors each have their own naming
scheme, and decide what and how to detect malware.
You purchase the product, and then decide that the AV
vendors need a lawyer...based on what?
How about doing a better job of troubleshooting the
issue? How long have malware authors been changing
the names of files? However long it's been, those
admining the machines don't seem to be catching on...
=====
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://groups.yahoo.com/group/windowsir/
"Meddle not in the affairs of dragons, for
you are crunchy, and good with ketchup."
"The simplicity of this game amuses me.
Bring me your finest meats and cheeses."
------------------------------------------

Re: [Full-Disclosure] [OT] unarj dir-transversal bug (../../../..)
From: evilninja (evilninja@gmx.net)
Date: Tue Oct 12 2004 - 10:42:58 CDT
Cedric Blancher wrote:
> There was a time when arj archiver was not available under Debian, for
> licensing/distribution problems, and only unarj package was available.
> As you can see, stable has only unarj 2.43 in non-free section :
ah! i *thought* it was in non-free once, but only checked the unstable
version where it's in main.
> Now, they have both arj and unarj 3.10.21, unarj being transitional for
> people to upgrade smoothly to old unarj 2 only package to full-featured
> arj 3 package when moving to upper distro. So expect unarj to disappear
makes sense, yes. thanks for clarification.
--
BOFH excuse #225:
It's those computer people in X {city of world}. They keep stuffing
things up.

[Full-Disclosure] Microsoft Security Bulletin Summary for October, 2004
From: d31337 (d31337@gmail.com)
Date: Tue Oct 12 2004 - 13:43:44 CDT
Interesting that XP SP2 doesn't seem to be impacted by any of these
vulnerabilities. Kinda gives you the impression MS knew about these
for some time...
http://www.microsoft.com/technet/security/bulletin/ms04-oct.mspx

[Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a Virus ??!
From: Ken S (ken.securitylist@gmail.com)
Date: Tue Oct 12 2004 - 11:17:09 CDT
This is part of Symantec's support for "expanded threats", which
includes adware & spyware. It is an option in Symantec AntiVirus
Corporate Edition version 9 as well. We have it set to "log only", so
we're not automatically deleting these programs. With SAV 9, it only
flags expanded threats during a scheduled scan, not in real-time. I'd
like to see more capabilities, including the ability to fully
uninstall these programs, but because of questionable catches like
this one, we're going to have to rely on human intervention to make
some of the uninstall decisions. I must say that it has been very
interesting (and a bit disconcerting) to see all the adware/spyware
that's on people's machines!
Ken
On Tue, 12 Oct 2004 09:15:22 -0500, Todd Towles
<toddtowles@brookshires.com> wrote:
> That is a widely used tool that is dropped by various malware programs. I think even one of the JPEG exploits was dropping radmin.exe
>
> It be better to assume you have a infection and prove yourself wrong than the other way around. Look into it pretty deep, I would suggest.
>
>
>
> > -----Original Message-----
> > From: full-disclosure-admin@lists.netsys.com
> > [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Sowhat .
> > Sent: Tuesday, October 12, 2004 7:51 AM
> > To: full-disclosure@lists.netsys.com
> > Subject: [Full-Disclosure] Norton AntiVirus 2005 treats
> > Radmin as a Virus ??!
> >
> > hi ,list
> >
> > I have installed Norton AntiVirus 2005 ,and when i open my
> > F:\ directory ,Norton pops up and show that,"Norton AntiVirus
> > has detected a virus on your computer" "Boject Name
> > F:\radmin.exe" "Virus Name Hacktool".
> >
> > Is RemoteAdministrator a commercial remote control software
> > or a Hacktool ?
> >
> > the following information is copied from the Radmin's site:
> > (http://www.radmin.com/)
> >
> > "This fast, reliable, easy-to-use pc remote control software
> > saves you hours of running up and down stairs between
> > computers. Radmin allows you to take control of another PC on
> > a LAN, WAN or dial-up connection so you see the remote
> > computer's screen on your monitor and all your mouse
> > movements and keystrokes are directly transferred to the
> > remote machine. Radmin provides fast secure access to remote
> > PC's on Windows platforms. "
> >
RE: [Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a Virus ??!
From: Todd Towles (toddtowles brookshires.com)
Date: Tue Oct 12 2004 - 13:34:04 CDT
I do agree with you, Peter, about the server and client part. I truly believe that Norton is detecting it as such only because it is being used in exploits. There are many exploits that drop this client onto the workstation. If you know it is there then the detection shouldn't surprise you. But if you are e-mailing a list asking about it and what it is, you most likely didn't install it.
> -----Original Message-----
> From: full-disclosure-admin lists.netsys.com
> [mailto:full-disclosure-admin lists.netsys.com] On Behalf Of
> Peter Kruse
> Sent: Tuesday, October 12, 2004 10:41 AM
> To: Todd Towles; Sowhat .; full-disclosure lists.netsys.com
> Subject: SV: [Full-Disclosure] Norton AntiVirus 2005 treats
> Radmin as a Virus ??!
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Hi,
>
> Keep in mind that there's a client and a server part in the
> Radmin installation. During installation of this commercial
> software you'll have the option to choose whether you want to
> install the server or only the client.
>
> If the client software is detected as malicious this would
> indeed be a bad call. However, if Symantec labels the server
> as a backdoor risk, it's likely because it was distributed as
> part of a malware package not so long ago (a few weeks back).
> Still, this doesn't justify to label the Radmin Client as a
> security risk. The Radmin software is widely used for remote
> administration in the same manner as VNC, Terminal Services
> or "Netbus" ;-)
>
> Regards
> Peter Kruse
>
> >-----Original message-----
> >From: full-disclosure-admin lists.netsys.com
> >[mailto:full-disclosure-admin lists.netsys.com] On behalf of Todd Towles
> >Sent: 12 October 2004 16:15
> >To: Sowhat .; full-disclosure lists.netsys.com
> >Subject: RE: [Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a
> >Virus ??!
> >
> >
> >That is a widely used tool that is dropped by various malware programs.
> >I think even one of the JPEG exploits was dropping radmin.exe
> >
> >It would be better to assume you have an infection and prove yourself wrong
> >than the other way around. Look into it pretty deep, I would suggest.
> >
> >> -----Original Message-----
> >> From: full-disclosure-admin lists.netsys.com
> >> [mailto:full-disclosure-admin lists.netsys.com] On Behalf Of Sowhat .
> >> Sent: Tuesday, October 12, 2004 7:51 AM
> >> To: full-disclosure lists.netsys.com
> >> Subject: [Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a
> >> Virus ??!
> >>
> >> hi, list
> >>
> >> I have installed Norton AntiVirus 2005, and when I open my F:\
> >> directory, Norton pops up and shows that "Norton AntiVirus has
> >> detected a virus on your computer" "Object Name F:\radmin.exe" "Virus
> >> Name Hacktool".
> >>
> >> Is RemoteAdministrator a commercial remote control software or a
> >> Hacktool?
> >>
> >> the following information is copied from the Radmin's site:
> >> (http://www.radmin.com/)
> >>
> >> "This fast, reliable, easy-to-use pc remote control software saves
> >> you hours of running up and down stairs between computers. Radmin
> >> allows you to take control of another PC on a LAN, WAN or dial-up
> >> connection so you see the remote computer's screen on your monitor
> >> and all your mouse movements and keystrokes are directly transferred
> >> to the remote machine. Radmin provides fast secure access to remote
> >> PC's on Windows platforms. "
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.1
>
> iQA/AwUBQWv68HxYZNa+g/pgEQKOiwCePgzmaczX3p55JZXV4DvZcxox/GcAn3Kc
> q+lT8pAgWbC+ESuAaZRQNkYo
> =bmBO
> -----END PGP SIGNATURE-----
>
>
Re: [Full-Disclosure] Microsoft Security Bulletin Summary for October, 2004
From: Danny (nocmonkey gmail.com)
Date: Tue Oct 12 2004 - 14:14:14 CDT
On Tue, 12 Oct 2004 14:43:44 -0400, d31337 <d31337 gmail.com> wrote:
> Interesting that XP SP2 doesn't seem to be impacted by any of these
> vulnerabilities. Kinda gives you the impression MS knew about these
> for some time...
>
> http://www.microsoft.com/technet/security/bulletin/ms04-oct.mspx
Not according to the security bulletins I read:
http://www.microsoft.com/technet/security/bulletin/MS04-038.mspx
"Affected Software:
• Microsoft Windows NT Server 4.0 Service Pack 6a
• Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
• Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
• Microsoft Windows XP, Microsoft Windows XP Service Pack 1, and Microsoft Windows XP Service Pack 2"
...D
Re: [Full-Disclosure] unarj dir-transversal bug (../../../..)
From: Harry de Grote (rik.bobbaers cc.kuleuven.ac.be)
Date: Tue Oct 12 2004 - 04:17:12 CDT
doubles hush.com wrote:
> dis is powerfull security whole! im writting a exploit for it right now
> in visual cobol!
>
> czech this out::
>
> http://www.security.nnov.ru/search/news.asp?binid=1320
> http://www.securityfocus.com/bid/5835/info/
> http://www.securityfocus.com/bid/7550/info/
> http://rhn.redhat.com/errata/RHSA-2002-096.html
> http://www.debian.org/security/2003/dsa-344
> http://www.2600.com
it's over 1 year old! and it's your own fault if you fall for it,
normally, you dry-run it first, then you see something fishy is going on.
btw... what's there to exploit??? just take a modified bash (sh) that
opens a rootshell, and overwrite it!
djies... you skidds never seem to learn ;)
you really didn't invent the light, you know...
--
harry
aka Rik Bobbaers
K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
Rik.Bobbaers cc.kuleuven.ac.be -=- http://harry.ulyssis.org
"\x41\x20\x63\x6f\x6d\x70\x75\x74\x65\x72\x20\x77\x69\x74\x68\x6f\x75\x74\x20"
"\x57\x69\x6e\x64\x6f\x77\x73\x20\x69\x73\x20\x6c\x69\x6b\x65\x20\x61\x20\x66"
"\x69\x73\x68\x20\x77\x69\x74\x68\x6f\x75\x74\x20\x61\x20\x62\x69\x63\x79\x63"
"\x6c\x65\x0a\x00"
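The dry run the reply above recommends can be automated: this added example (not code from the post or from unarj) takes the member names an archive listing reports and rejects any that would land outside the extraction directory. The sample names and the destination `/tmp/extract` are constructed for illustration.

```python
import posixpath
import re

# Constructed member names, as a listing ("dry run") of an untrusted archive
# might print them. None of these come from a real archive.
SAMPLE_LISTING = [
    "docs/readme.txt",
    "../../../../bin/sh",
    "/etc/passwd",
    "src/../../outside.c",
    "C:\\WINDOWS\\system32\\evil.dll",
    "..\\..\\autoexec.bat",
    "src/./lib/../main.c",
]

_DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")


def unsafe_reason(member, dest="/tmp/extract"):
    """Return None when `member` stays under `dest`, else why it is rejected.

    The check is purely lexical: it does not follow symlinks that already
    exist under `dest`, which a real extractor must also refuse to write
    through.
    """
    # ARJ archives originate on DOS, so treat '\' as a path separator too.
    name = member.replace("\\", "/")
    if not name or "\x00" in name:
        return "empty name or embedded NUL"
    if name.startswith("/") or _DRIVE_PREFIX.match(name):
        return "absolute path"
    root = posixpath.normpath(dest)
    resolved = posixpath.normpath(posixpath.join(root, name))
    if resolved == root:
        return "resolves to the destination directory itself"
    if not resolved.startswith(root + "/"):
        return "escapes destination via '..'"
    return None


def audit_listing(members, dest="/tmp/extract"):
    """Split a listing into (safe members, {rejected member: reason})."""
    safe, rejected = [], {}
    for member in members:
        reason = unsafe_reason(member, dest)
        if reason is None:
            safe.append(member)
        else:
            rejected[member] = reason
    return safe, rejected


if __name__ == "__main__":
    ok, bad = audit_listing(SAMPLE_LISTING)
    for member in ok:
        print("extract ", member)
    for member, reason in bad.items():
        print("REFUSE  ", member, "->", reason)
```
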
[Full-Disclosure] Quicky Analysis of a Proxy/Zombie Network
From: Steele (lists lowkeysoft.com)
Date: Tue Oct 12 2004 - 14:41:16 CDT
For your consideration:
http://lowkeysoft.com/proxy/
screenshots included :)
be gentle,
-steele out
----------------------
LowKeysoft.com
-Tricking the tricksters
steele.lowkey[at]gmail.com
SV: [Full-Disclosure] Microsoft Security Bulletin Summary for October, 2004
From: Peter Kruse (kruse krusesecurity.dk)
Date: Tue Oct 12 2004 - 14:26:06 CDT
Re: [Full-Disclosure] Writing Trojans that bypass Windows XP Service Pack 2 Firewall
From: Georgi Guninski (guninski guninski.com)
Date: Tue Oct 12 2004 - 14:55:03 CDT
very good rant.
the m$ puppets are as quiet as if wiliam has put something in their gaping
apertures.
--
georgi
On Mon, Oct 11, 2004 at 10:10:38PM -0700, americanidiot hushmail.com wrote:
> Writing Trojans that bypass Windows XP Service Pack 2 Firewall
>
> Windows XP Service Pack 2 incorporates many enhancements to try to better
> protect systems from malware and other forms of attacks. One of those
[Full-Disclosure] Possibly a stupid question RPC over HTTP
From: Daniel Sichel (daniels Ponderosatel.com)
Date: Tue Oct 12 2004 - 14:41:56 CDT
This may just reflect my ignorance, but I read (and found hard to
believe) that Microsoft has implemented RPC over HTTP. Is this not a
HUGE security hole? If I understand it correctly it means that good old
HTML or XML can invoke a process using standard web traffic (port 80)?
Is there any permission checking done? What things can be invoked by RPC
over HTTP? Jeeze, to me it looks like the barn door is now wide open. Am
I right, and if so, how can I detect RPCs in web traffic to block this
junk? Can ANY stateful packet filter see this stuff or is the pattern
too broad in allowed RPCs?
Again, I hope this is not a stupid question or inappropriate format for
this, as somebody else recently said, there is already enough noise on
this list. I would hate to see this list degenerate, it has been REALLY
valuable to me as a network engineer on occasion.
Thanks all,
Dan Sichel
Ponderosa telephone
daniels ponderosatel.com
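On the detection question in the post, an added example that is not part of the original message: Microsoft's RPC over HTTP proxy is reached with the HTTP methods `RPC_IN_DATA` and `RPC_OUT_DATA` at `/rpc/rpcproxy.dll`, so web or proxy logs can be searched for exactly those requests. The log lines, client addresses and the backend name `mail01:6001` are constructed.

```python
import re
from collections import defaultdict

# Request methods and proxy path used by Microsoft's RPC over HTTP proxy.
RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}
RPC_PROXY_PATH = "/rpc/rpcproxy.dll"

# Constructed access-log lines in Common Log Format; all values are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Oct/2004:14:40:01 -0500] "GET /index.html HTTP/1.1" 200 5120
192.0.2.44 - - [12/Oct/2004:14:40:07 -0500] "RPC_IN_DATA /rpc/rpcproxy.dll?mail01:6001 HTTP/1.1" 200 0
192.0.2.44 - - [12/Oct/2004:14:40:07 -0500] "RPC_OUT_DATA /rpc/rpcproxy.dll?mail01:6001 HTTP/1.1" 200 0
192.0.2.10 - - [12/Oct/2004:14:41:13 -0500] "POST /cgi-bin/form.pl HTTP/1.1" 200 312
192.0.2.77 - - [12/Oct/2004:14:42:30 -0500] "GET /Rpc/RpcProxy.dll HTTP/1.1" 401 0
this line is not a log record
"""

_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$'
)


def classify(line):
    """Parse one log line; return a record dict, or None if it does not parse."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    client, when, method, target, status = m.groups()
    path, _, query = target.partition("?")
    reasons = []
    if method.upper() in RPC_METHODS:
        reasons.append("rpc-method")
    if path.lower() == RPC_PROXY_PATH:      # IIS paths are case-insensitive
        reasons.append("rpc-proxy-path")
    return {
        "client": client,
        "when": when,
        "method": method.upper(),
        "backend": query or None,           # "server:port" the proxy is asked for
        "status": int(status),
        "reasons": reasons,
    }


def find_rpc_over_http(log_text):
    """Return (records that look like RPC over HTTP, count of unparsable lines)."""
    hits, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = classify(line)
        if record is None:
            unparsed += 1                   # count rather than silently skip
        elif record["reasons"]:
            hits.append(record)
    return hits, unparsed


def complete_tunnels(hits):
    """Clients for which both channels were accepted (2xx) to the same backend."""
    channels = defaultdict(set)
    for h in hits:
        if h["method"] in RPC_METHODS and 200 <= h["status"] < 300:
            channels[(h["client"], h["backend"])].add(h["method"])
    return sorted(key for key, seen in channels.items() if seen == RPC_METHODS)


if __name__ == "__main__":
    found, skipped = find_rpc_over_http(SAMPLE_LOG)
    for rec in found:
        print(rec["client"], rec["method"], rec["status"], rec["reasons"])
    print("established tunnels:", complete_tunnels(found))
    print("unparsed lines:", skipped)
```

When the tunnel runs over HTTPS a packet filter never sees the request line, so this check belongs on the proxy's or web server's own logs.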
[Full-Disclosure] MS Security Bulletins
From: Jesse Valentin (jessevalentin yahoo.com)
Date: Tue Oct 12 2004 - 14:36:42 CDT
As per www.Incidents.org
Looks like more fun and excitement...
October Microsoft Security Bulletins
October Microsoft Security Bulletins. Ten bulletins (seven critical, three important) were released by Microsoft today at http://www.microsoft.com/security/bulletins/200410_windows.mspx and http://www.microsoft.com/security/bulletins/200410_office.mspx
Here is a brief synopsis:
MS04-029 IMPORTANT Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service (873350)
An information disclosure and denial of service vulnerability exists that could cause the affected system to stop responding or could potentially read portions of active memory content.
MS04-030 IMPORTANT Vulnerability in WebDav XML Message Handler Could Lead to a Denial of Service (824151)
A Denial of Service vulnerability exists that could cause the affected system to stop responding to requests.
MS04-031 IMPORTANT Vulnerability in NetDDE Could Allow Remote Code Execution (841533)
A remote code execution vulnerability exists in the NetDDE services because of an unchecked buffer.
MS04-032 CRITICAL Security Update for Microsoft Windows (840987)
A remote code execution vulnerability, two elevation of privilege vulnerabilities, and a denial of service vulnerability exist in Windows. The most severe vulnerability could allow remote code execution on an affected system.
MS04-033 CRITICAL Vulnerability in Microsoft Excel Could Allow Remote Code Execution (886836)
A vulnerability exists in Microsoft Excel that could allow remote code execution on an affected system.
MS04-034 CRITICAL Vulnerability in Compressed (zipped) Folders Could Allow Remote Code Execution (873376)
A vulnerability exists in the way that Windows processes compressed (zipped) folders that could allow remote code execution on an affected system.
MS04-035 CRITICAL Vulnerability in SMTP Could Allow Remote Code Execution (885881)
A vulnerability exists in the Windows SMTP component and Exchange Server Routing Engine component that could allow remote code execution on an affected system.
MS04-036 CRITICAL Vulnerability in NNTP Could Allow Remote Code Execution (883935)
A vulnerability exists in the Windows NNTP Component that could allow remote code execution on an affected system.
MS04-037 CRITICAL Vulnerability in Windows Shell Could Allow Remote Code Execution (841356)
A vulnerability exists in the way that the Windows Shell launches applications. A vulnerability exists in Program Group Converter because of the way that it handles specially crafted requests. Both could allow remote code execution on an affected system.
MS04-038 CRITICAL Cumulative Security Update for Internet Explorer (834707)
Five remote code execution and three information disclosure vulnerabilities exist in Internet Explorer.
[Full-Disclosure] Re: Adobe acrobat / Adobe Reader 6 can read local files
From: Jay Libove (libove felines.org)
Date: Tue Oct 12 2004 - 12:00:36 CDT
I have Acrobat Reader configured to NOT run Javascript. The demo did not
work on my system (XP, SP2, Acrobat Reader v6.0.2 dated 5/18/2004).
So, is having JavaScript enabled also a requirement in order for this
embedded SWF exploit to work?
-Jay Libove, CISSP
> Message: 20
> Date: Tue, 12 Oct 2004 15:56:32 +0200
> From: Jelmer <jkuperus planet.nl>
> To: bugtraq securityfocus.com, full-disclosure lists.netsys.com
> Subject: [Full-Disclosure] Adobe acrobat / Adobe Reader 6 can read local files
>
> Adobe acrobat / Adobe Reader 6 can read local files
>
> Description
>
> Acrobat/ Acrobat reader is software for viewing and printing Adobe Portable
> Document Format (PDF) files. Adobe PDF files can be viewed on most major
> operating systems.
>
> Version 6 of this program has an issue with the way it handles embedding
> macromedia flash files directly into a pdf. This allows a malicious website
> operator to steal local files from a user's hard drive including cookie
> files
>
> Technical Details:
>
> Version 6 of the pdf format introduced a new way to embed movies directly
> into the pdf file. In previous versions one could only link to media in
> external files
>
> Adobe reader extracts this swf file from the pdf and saves it under a random
> name to your temp dir, on windows XP and 2000 this dir is usually located at
>
> C:\Documents and Settings\<username>\Local Settings\Temp
>
> It then appears to "link" directly to this saved file in effect making your
> local hard disk the codebase for this swf file and allowing it read access
> to all of the files on your hard drive
>
> Systems affected:
>
> Adobe reader 6
> Adobe acrobat 6
>
> Demonstration:
>
> Create a text file called c:\jelmer.txt then proceed to click on
>
> http://62.131.86.111/security/acrobat/demo.pdf
>
> Risk: medium
Re: [Full-Disclosure] Microsoft Security Bulletin Summary for October, 2004
From: James Riden (j.riden massey.ac.nz)
Date: Tue Oct 12 2004 - 15:31:53 CDT
Danny <nocmonkey gmail.com> writes:
> On Tue, 12 Oct 2004 14:43:44 -0400, d31337 <d31337 gmail.com> wrote:
>> Interesting that XP SP2 doesn't seem to be impacted by any of these
>> vulnerabilities. Kinda gives you the impression MS knew about these
>> for some time...
>>
>> http://www.microsoft.com/technet/security/bulletin/ms04-oct.mspx
>
> Not according to the security bulletins I read:
>
> http://www.microsoft.com/technet/security/bulletin/MS04-038.mspx
Yep, the IE roll-up, MS04-038 / 834707 does apply to XP SP2.
cheers,
Jamie
--
James Riden / j.riden massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
[Full-Disclosure] Stealing DHCP Leases
From: Ian Holm (macaddict ourholm.com)
Date: Tue Oct 12 2004 - 14:08:07 CDT
I was noticing that the number of DHCP addresses in the DHCP cache was running
low so I decided to check which computers were assigned to each address. To
my horror I saw that there were 81 addresses assigned at exactly the same
time and all expired at exactly the same time. I'm assuming that these were
all assigned to the same machine. How is this possible? Where could I learn
about this and how to prevent it?
[Full-Disclosure] UnixWare 7.1.3up UnixWare 7.1.4 : CUPS before 1.1.21 allows remote attackers to cause a denial of service
please_reply_to_security sco.com
Date: Tue Oct 12 2004 - 12:30:24 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: UnixWare 7.1.3up UnixWare 7.1.4 : CUPS before 1.1.21 allows remote attackers to cause a denial of service
Advisory number: SCOSA-2004.15
Issue date: 2004 October 07
Cross reference: sr891400 fz530153 erg712688 CAN-2004-0558
______________________________________________________________________________
1. Problem Description
The Internet Printing Protocol (IPP) implementation in
CUPS before 1.1.21 allows remote attackers to cause a
denial of service via a certain UDP packet to the IPP port.
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the following name
CAN-2004-0558 to this issue.
2. Vulnerable Supported Versions
System              Binaries
----------------------------------------------------------------------
UnixWare 7.1.3up    cups distribution
UnixWare 7.1.4      cups distribution
3. Solution
The proper solution is to install the latest packages.
4. UnixWare 7.1.4 / UnixWare 7.1.3up
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.15
4.2 Verification
MD5 (erg712688.pkg) = b5b4183052dd91adf878bd256a943e51
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download erg712688.pkg to the /var/spool/pkg directory
# pkgadd -d /var/spool/pkg/erg712688.pkg
5. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0558
http://xforce.iss.net/xforce/xfdb/17389
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html
This security fix closes SCO incidents sr891400 fz530153
erg712688.
6. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
7. Acknowledgments
SCO would like to thank Alvaro Martinez Echevarria.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)
iD8DBQFBZdGXaqoBO7ipriERAsiCAJ9kdQB2Jvdh0PYYdoxTbQvqEimDXgCeK6cf
r6zSuovmtyzJdJcdqRhpzdQ=
=iUVV
-----END PGP SIGNATURE-----
[Full-Disclosure] UnixWare 7.1.4 : Multiple Vulnerabilities in libpng
please_reply_to_security sco.com
Date: Tue Oct 12 2004 - 12:30:37 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: UnixWare 7.1.4 : Multiple Vulnerabilities in libpng
Advisory number: SCOSA-2004.16
Issue date: 2004 October 07
Cross reference: sr891394 fz530149 erg712684 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599 CAN-2004-0768 VU#388984 VU#236656 VU#160448 VU#477512 VU#817368 VU#286464 TA04-217A
______________________________________________________________________________
1. Problem Description
Several vulnerabilities exist in the libpng library, the
most serious of which could allow a remote attacker to
execute arbitrary code on an affected system.
CERT Technical Cyber Security Alert TA04-217A
VU#388984 - libpng fails to properly check length of
transparency chunk (tRNS) data. The
Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the following name
CAN-2004-0597 to this issue.
VU#236656 - libpng png_handle_iCCP() NULL pointer dereference
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the following name
CAN-2004-0598 to this issue.
VU#160448 - libpng integer overflow in image height processing
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the following name
CAN-2004-0599 to this issue.
VU#477512 - libpng png_handle_sPLT() integer overflow
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the following name
CAN-2004-0599 to this issue.
VU#817368 - libpng png_handle_sBIT() performs insufficient
bounds checking. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned
the following name CAN-2004-0597 to this issue.
VU#286464 - libpng contains integer overflows in progressive display
image reading. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the following name
CAN-2004-0599 to this issue.
2. Vulnerable Supported Versions
System              Files
----------------------------------------------------------------------
UnixWare 7.1.4      /usr/include/png.h
                    /usr/include/pngconf.h
                    /usr/lib/libpng.a
                    /usr/lib/libpng.so.3.1.2.7
                    /usr/man/man.3/libpng.3
                    /usr/man/man.3/libpngpf.3
                    /usr/man/man.5/png.5
3. Solution
The proper solution is to install the latest packages.
4. UnixWare 7.1.4
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.16
4.2 Verification
MD5 (erg712684.pkg) = 78920b002aaeb097149084dc7451ce83
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download erg712684.pkg to the /var/spool/pkg directory
# pkgadd -d /var/spool/pkg/erg712684.pkg
5. References
Specific references for this advisory:
http://libpng.sourceforge.net
http://www.libpng.org/pub/png
http://scary.beasts.org/security/CESA-2004-001.txt
http://www.us-cert.gov/cas/techalerts/TA04-217A.html
http://www.kb.cert.org/vuls/id/388984
http://www.kb.cert.org/vuls/id/817368
http://www.kb.cert.org/vuls/id/286484
http://www.kb.cert.org/vuls/id/477512
http://www.kb.cert.org/vuls/id/160448
http://www.kb.cert.org/vuls/id/236656
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html
This security fix closes SCO incidents sr891394 fz530149
erg712684 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599
CAN-2004-0768 VU#388984 VU#236656 VU#160448 VU#477512
VU#817368 VU#286464.
6. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
7. Acknowledgments
SCO would like to thank Chris Evans for researching and
reporting these vulnerabilities.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)
iD8DBQFBZdG0aqoBO7ipriERAo4yAJ9Jq0kJcbjQ7Pi/aeRbTWk9zsk/owCffQxQ
wl3Jg/u6CafJ0Pqm4OzB3cM=
=y7cQ
-----END PGP SIGNATURE-----
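Step 4.2 of SCOSA-2004.15 and SCOSA-2004.16 publishes an MD5 for each package; this added example (not SCO's tooling) parses those `MD5 (file) = digest` lines and refuses a package whose digest is missing or different before `pkgadd` is run. The file contents in `demo()` are constructed, so the expected result there is a mismatch.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Checksum lines as printed in section 4.2 of the two advisories above.
ADVISORY_TEXT = """\
4.2 Verification
MD5 (erg712688.pkg) = b5b4183052dd91adf878bd256a943e51
MD5 (erg712684.pkg) = 78920b002aaeb097149084dc7451ce83
"""

# File names containing a path separator or parentheses are not accepted.
_MD5_LINE = re.compile(
    r"^\s*MD5 \(([^()/\\]+)\) = ([0-9a-fA-F]{32})\s*$", re.MULTILINE
)


def parse_md5_lines(text):
    """Map file name -> lowercase MD5 hex digest for every checksum line."""
    return {name: digest.lower() for name, digest in _MD5_LINE.findall(text)}


def file_md5(path, chunk_size=65536):
    """Hash the file in chunks so large packages need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def check_package(path, published):
    """Return 'ok', 'mismatch', 'missing' or 'not-listed' for one package.

    The digest is only as trustworthy as the advisory it was read from:
    verify the advisory's PGP signature first, since MD5 by itself only
    shows that the download matches what the advisory names.
    """
    expected = published.get(os.path.basename(path))
    if expected is None:
        return "not-listed"
    if not os.path.isfile(path):
        return "missing"
    return "ok" if hmac.compare_digest(file_md5(path), expected) else "mismatch"


def demo():
    """Check a constructed stand-in file and an unlisted name."""
    published = parse_md5_lines(ADVISORY_TEXT)
    with tempfile.TemporaryDirectory() as workdir:
        stand_in = os.path.join(workdir, "erg712688.pkg")
        with open(stand_in, "wb") as handle:
            handle.write(b"constructed bytes, not the real package\n")
        unlisted = os.path.join(workdir, "unrelated.pkg")
        return check_package(stand_in, published), check_package(unlisted, published)


if __name__ == "__main__":
    for result in demo():
        print(result)
```
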
Re: [Full-Disclosure] Quicky Analysis of a Proxy/Zombie Network
From: Gregory Gilliss (ggilliss netpublishing.com)
Date: Tue Oct 12 2004 - 17:08:21 CDT
Bravo! Excellent work!
-- Greg
On or about 2004.10.12 15:41:16 +0000, Steele (lists lowkeysoft.com) said:
> For your consideration:
> http://lowkeysoft.com/proxy/
>
> screenshots included :)
>
> be gentle,
--
Gregory A. Gilliss, CISSP E-mail: greg gilliss.com
Computer Security WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
[Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
From: Gregh (chows ozemail.com.au)
Date: Tue Oct 12 2004 - 17:29:42 CDT
Just noticed this one by accident.
I had downloaded, some days back, a file to install a program that I hadn't gotten around to setting up. The file was named "setup.exe" and sat on my desktop. I had been getting errors with another already installed program so decided to uninstall it and install it again to cure that. When I attempted to install the other program which I had named "this.exe", by simply double clicking on it, the program named "setup.exe" (which is an innocent program, BTW) started.
This doesn't happen on every occasion but it occurred to me if "setup.exe" was invisible on my desktop and deleted itself after it had been run and had been put there by someone wanting to install something else on my machine, that I could have just clicked "next" repeatedly and ended up installing the wrong program.
As most of you know, clicking "next" and installing without reading is about what most normal users do.
Is this thing of "setup.exe" sometimes taking over a NORMAL thing from MS?
Note that I tried it with several other programs and it seems dependent on the way the individual program setup is configured as to whether the file "setup.exe" takes over where it shouldn't be or not.
Whatever, it seems a great way to install things on XPSP2 machines that shouldn't be there.
Greg.
[Full-Disclosure] [SECURITY] [DSA 563-2] New cyrus-sasl packages really fix arbitrary code execution
debian-security-announce lists.debian.org
Date: Tue Oct 12 2004 - 11:54:23 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA 563-2 security debian.org
http://www.debian.org/security/ Martin Schulze
October 12th, 2004 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : cyrus-sasl
Vulnerability : unsanitised input
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2004-0884
Debian Bug : 275498
This advisory corrects DSA 563-1 which contained a library that caused
other programs to fail unindented.
For the stable distribution (woody) this problem has been fixed in
version 1.5.27-3woody3.
For reference the advisory text follows:
A vulnerability has been discovered in the Cyrus implementation of
the SASL library, the Simple Authentication and Security Layer, a
method for adding authentication support to connection-based
protocols. The library honors the environment variable SASL_PATH
blindly, which allows a local user to link against a malicious
library to run arbitrary code with the privileges of a setuid or
setgid application.
For the unstable distribution (sid) this problem has been fixed in
version 1.5.28-6.2 of cyrus-sasl and in version 2.1.19-1.3 of
cyrus-sasl2.
We recommend that you upgrade your libsasl packages.
Upgrade Instructions
- --------------------
wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------
These files will probably be moved into the stable distribution on
its next update.
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
Re: [Full-Disclosure] Microsoft Security Bulletin Summary for October, 2004
From: d31337 (d31337 gmail.com)
Date: Tue Oct 12 2004 - 18:27:42 CDT
I should have been more specific to eliminate confusion for those who
consider IE part of the OS.
Revised comment:
Interesting that XP SP2 doesn't seem to be impacted by any of the
*Windows* (not IE) vulnerabilities...
On Wed, 13 Oct 2004 09:31:53 +1300, James Riden <j.riden
massey.ac.nz> wrote:
> Danny <nocmonkey
gmail.com> writes:
>
> > On Tue, 12 Oct 2004 14:43:44 -0400, d31337 <d31337
gmail.com> wrote:
> >> Interesting that XP SP2 doesn't seem to be impacted by any of these
> >> vulnerabilities. Kinda gives you the impression MS knew about these
> >> for some time...
> >>
> >> http://www.microsoft.com/technet/security/bulletin/ms04-oct.mspx
> >
> > Not according the security bulletins I read:
> >
> > http://www.microsoft.com/technet/security/bulletin/MS04-038.mspx
>
> Yep, the IE roll-up, MS04-038 / 834707 does apply to XP SP2.
>
> cheers,
> Jamie
> --
> James Riden / j.riden
massey.ac.nz / Systems Security Engineer
> Information Technology Services, Massey University, NZ.
> GPG public key available at: http://www.massey.ac.nz/~jriden/
>
Re: [Full-Disclosure] Microsoft Security Bulletin Summary for October, 2004
From: Eric Paynter (eric arcticbears.com)
Date: Tue Oct 12 2004 - 18:53:44 CDT
On Tue, October 12, 2004 4:27 pm, d31337 said:
> I should have been more specific to eliminate confusion for those who
> consider IE part of the OS.
Like, for example, Microsoft.
-Eric
--
arctic bears - email and dns services
http://www.arcticbears.com
Re: [Full-Disclosure] Microsoft Security Bulletin Summary for October, 2004
From: Danny (nocmonkey gmail.com)
Date: Tue Oct 12 2004 - 19:15:59 CDT
On Tue, 12 Oct 2004 19:27:42 -0400, d31337 <d31337
gmail.com> wrote:
> I should have been more specific to eliminate confusion for those who
> consider IE part of the OS.
>
> Revised comment:
> Interesting that XP SP2 doesn't seem to be impacted by any of the
> *Windows* (not IE) vulnerabilities...
I see your point, however, I would say IE is more a part of Windows
than any other component.
Now, back to your theme, yes, I also agree that Windows XP SP2 was
less affected by these vulns than any other version of Windows. I
would like to tell Microsoft, this is the way it *should* be!
...D
Re: SV: [Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a Virus ??!
From: Ron DuFresne (dufresne winternet.com)
Date: Tue Oct 12 2004 - 19:18:27 CDT
>
> If the client software is detected as malicious this would indeed be a bad call. However, if Symantec labels the server as a backdoor risk, it's likely because it was distributed as part of a malware package not so long ago (a few weeks back). Still, this doesn't justify to label the Radmin Client as a security risk. The Radmin software is widely used for remote administration in the same manner as VNC, Terminal Services or "Netbus" ;-)
And at least VNC documents it should be run under a protocol that
encrypts the connections, one would hope. Suspect then Radmin and
the other 'tools' would as well document and make plain that fact as
well?
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
Re: [Full-Disclosure] Quicky Analysis of a Proxy/Zombie Network
From: VeNoMouS (venom gen-x.co.nz)
Date: Tue Oct 12 2004 - 19:19:00 CDT
Getting the russian translated for you, isnt it fun to have lackys from
another countrys under your control >:P
----- Original Message -----
From: "Gregory Gilliss" <ggilliss
netpublishing.com>
To: "Steele" <lists
lowkeysoft.com>
Cc: <full-disclosure
lists.netsys.com>
Sent: Wednesday, October 13, 2004 11:08 AM
Subject: Re: [Full-Disclosure] Quicky Analysis of a Proxy/Zombie Network
> Bravo! Excellent work!
>
> -- Greg
>
> On or about 2004.10.12 15:41:16 +0000, Steele (lists
lowkeysoft.com) said:
>
>> For your consideration:
>> http://lowkeysoft.com/proxy/
>>
>> screenshots included :)
>>
>> be gentle,
>
> --
> Gregory A. Gilliss, CISSP E-mail:
> greg
gilliss.com
> Computer Security WWW:
> http://www.gilliss.com/greg/
> PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E
> 8C A3
>
Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
From: VeNoMouS (venom gen-x.co.nz)
Date: Tue Oct 12 2004 - 19:10:50 CDT
Im surprised you manged to work out how an email client works after reading
that dribble.
This mailing list is really starting to bug me, to many newbs signing up and
talking about the most retarded shit.
sorry "gregh" but i think you need to get alot more experince computer wise.
The angus VeNoMouS has spoken!!
----- Original Message -----
From: "Gregh" <chows
ozemail.com.au>
To: "Disclosure Full" <full-disclosure
lists.netsys.com>
Sent: Wednesday, October 13, 2004 11:29 AM
Subject: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
> Just noticed this one by accident.
>
> I had downloaded, some days back, a file to install a program that I
> hadn't gotten around to setting up. The file was named "setup.exe" and sat
> on my desktop. I had been getting errors with another already installed
> program so decided to uninstall it and install it again to cure that. When
> I attempted to install the other program which I had named "this.exe", by
> simply double clicking on it, the program named "setup.exe" (which is an
> innocent program, BTW) started.
> This doesn't happen on every occasion but it occurred to me if "setup.exe"
> was invisible on my desktop and deleted itself after it had been run and
> had been put there by someone wanting to install something else on my
> machine, that I could have just clicked "next" repeatedly and ended up
> installing the wrong program.
>
> As most of you know, clicking "next" and installing without reading is
> about what most normal users do.
>
> Is this thing of "setup.exe" sometimes taking over a NORMAL thing from MS?
>
> Note that I tried it with several other programs and it seems dependant on
> the way the individual program setup is configured as to whether the file
> "setup.exe" takes over where it shouldn't be or not.
>
> Whatever, it seems a great way to install things on XPSP2 machines that
> shouldn't be there.
>
> Greg.
>
Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
From: VeNoMouS (venom gen-x.co.nz)
Date: Tue Oct 12 2004 - 19:39:42 CDT
Understand what it was a fucking retarded question! we are not your help
desk EOF
----- Original Message -----
From: "Gregh" <chows
ozemail.com.au>
To: "VeNoMouS" <venom
gen-x.co.nz>; "Disclosure Full"
<full-disclosure
lists.netsys.com>
Sent: Wednesday, October 13, 2004 1:23 PM
Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
----- Original Message -----
From: "VeNoMouS" <venom
gen-x.co.nz>
To: "Gregh" <chows
ozemail.com.au>; "Disclosure Full"
<full-disclosure
lists.netsys.com>
Sent: Wednesday, October 13, 2004 10:10 AM
Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
> Im surprised you manged to work out how an email client works after
> reading
> that dribble.
>
If you dont understand a cincept, take the opportunity to shut the hell up.
Just because YOU dont understand what was said doesnt mean others dont!
> This mailing list is really starting to bug me, to many newbs signing up
> and
> talking about the most retarded shit.
>
> sorry "gregh" but i think you need to get alot more experince computer
> wise.
>
1) You need to get a spell checker with that complete crap!
2) You need a little more experience yourself, in more than just computer
handling, obviously.
Please - take this opportunity to grow up.
Greg.
RE: [Full-Disclosure] Re: Adobe acrobat / Adobe Reader 6 can read local files
From: Jelmer (jkuperus planet.nl)
Date: Tue Oct 12 2004 - 19:28:39 CDT
The demo uses script behind the scenes to start the movie, so the demo would
fail if you disabled scripting.
I don't believe there's a way to start the movie with scripting
disabled. So you should be safe. But I'll admit to being anything but an
expert on pdf.. Yet anyway so I might be overlooking something
--jelmer
-----Original Message-----
From: full-disclosure-admin
lists.netsys.com
[mailto:full-disclosure-admin
lists.netsys.com] On Behalf Of Jay Libove
Sent: Tuesday 12 October 2004 19:01
To: full-disclosure
lists.netsys.com
Subject: [Full-Disclosure] Re: Adobe acrobat / Adobe Reader 6 can read local
files
I have Acrobat Reader configured to NOT run Javascript. The demo did not
work on my system (XP, SP2, Acrobat Reader v6.0.2 dated 5/18/2004).
So, is having JavaScript enabled also a requirement in order for this
embedded SWF exploit to work?
-Jay Libove, CISSP
> Message: 20
> Date: Tue, 12 Oct 2004 15:56:32 +0200
> From: Jelmer <jkuperus
planet.nl>
> To: bugtraq
securityfocus.com, full-disclosure
lists.netsys.com
> Subject: [Full-Disclosure] Adobe acrobat / Adobe Reader 6 can read local
files
>
> Adobe acrobat / Adobe Reader 6 can read local files
>
> Description
>
> Acrobat/ Acrobat reader is software for viewing and printing Adobe
Portable
> Document Format (PDF) files. Adobe PDF files can be viewed on most major
> operating systems.
>
> Version 6 of this program has an issue with the way it handles embedding
> macromedia flash files directly into a pdf. This allows a malicious
website
> operator to steal local files from a user's hard drive including cookie
> files
>
> Technical Details:
>
> Version 6 of the pdf format introduced a new way to embed movies directly
> into the pdf file. In previous versions one could only link to media in
> external files
>
> Adobe reader extracts this swf file from the pdf and saves it under a
random
> name to your temp dir, on windows XP and 2000 this dir is usually located
at
>
> C:\Documents and Settings\<username>\Local Settings\Temp
>
> It then appears to "link" directly to this saved file in effect making
your
> local hard disk the codebase for this swf file and allowing it read access
> to all of the files on your hard drive
>
> Systems affected:
>
> Adobe reader 6
> Adobe acrobat 6
>
> Demonstration:
>
> Create a text file called c:\jelmer.txt then proceed to click on
>
> http://62.131.86.111/security/acrobat/demo.pdf
>
> Risk: medium
Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
From: Gregh (chows ozemail.com.au)
Date: Tue Oct 12 2004 - 19:23:44 CDT
----- Original Message -----
From: "VeNoMouS" <venom
gen-x.co.nz>
To: "Gregh" <chows
ozemail.com.au>; "Disclosure Full" <full-disclosure
lists.netsys.com>
Sent: Wednesday, October 13, 2004 10:10 AM
Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
> Im surprised you manged to work out how an email client works after reading
> that dribble.
>
If you dont understand a cincept, take the opportunity to shut the hell up. Just because YOU dont understand what was said doesnt mean others dont!
> This mailing list is really starting to bug me, to many newbs signing up and
> talking about the most retarded shit.
>
> sorry "gregh" but i think you need to get alot more experince computer wise.
>
1) You need to get a spell checker with that complete crap!
2) You need a little more experience yourself, in more than just computer handling, obviously.
Please - take this opportunity to grow up.
Greg.
[Full-Disclosure] I detecting error in Outlook Express
From: Eliurkis (eliurkis.diaz facinf.uho.edu.cu)
Date: Tue Oct 12 2004 - 19:53:55 CDT
Hi people...
A few days ago I was working on my PC and by mistake changed the permissions on the folder where Outlook saves all the messages...
Well, when I tried to open Outlook, the program said
"This program do a invalid operation and it will close..." (so so)
Is this a problem with my Windows (2000), or does Windows 2000 have this problem...?
Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
From: Gregh (chows ozemail.com.au)
Date: Tue Oct 12 2004 - 20:09:20 CDT
Understand it yourself. You didn't understand what you read so you went on like a right twit!
If you had a clue, you would have said what it was. As you don't, you opened your mouth and simply made a fool of yourself.
Tsk....what a twit!
----- Original Message -----
From: "VeNoMouS" <venom
gen-x.co.nz>
To: "Gregh" <chows
ozemail.com.au>; "Disclosure Full" <full-disclosure
lists.netsys.com>
Sent: Wednesday, October 13, 2004 10:39 AM
Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
> Understand what it was a fucking retarded question! we are not your help
> desk EOF
>
> ----- Original Message -----
> From: "Gregh" <chows
ozemail.com.au>
> To: "VeNoMouS" <venom
gen-x.co.nz>; "Disclosure Full"
> <full-disclosure
lists.netsys.com>
> Sent: Wednesday, October 13, 2004 1:23 PM
> Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
>
>
>
> ----- Original Message -----
> From: "VeNoMouS" <venom
gen-x.co.nz>
> To: "Gregh" <chows
ozemail.com.au>; "Disclosure Full"
> <full-disclosure
lists.netsys.com>
> Sent: Wednesday, October 13, 2004 10:10 AM
> Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
>
>
>> Im surprised you manged to work out how an email client works after
>> reading
>> that dribble.
>>
>
> If you dont understand a cincept, take the opportunity to shut the hell up.
> Just because YOU dont understand what was said doesnt mean others dont!
>
>> This mailing list is really starting to bug me, to many newbs signing up
>> and
>> talking about the most retarded shit.
>>
>> sorry "gregh" but i think you need to get alot more experince computer
>> wise.
>>
>
> 1) You need to get a spell checker with that complete crap!
>
> 2) You need a little more experience yourself, in more than just computer
> handling, obviously.
>
> Please - take this opportunity to grow up.
>
> Greg.
>
Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
From: kf_lists (kf_lists secnetops.com)
Date: Wed Oct 13 2004 - 00:54:03 CDT
http://www.fortliberty.org/patriotic-humor/patriotic-pictures/how-about-a-nice-cup-of-shut-the-fuck-up.jpg
-KF
Gregh wrote:
>----- Original Message -----
>From: "VeNoMouS" <venom
gen-x.co.nz>
>To: "Gregh" <chows
ozemail.com.au>; "Disclosure Full" <full-disclosure
lists.netsys.com>
>Sent: Wednesday, October 13, 2004 10:10 AM
>Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
>
>
>
>
>>Im surprised you manged to work out how an email client works after reading
>>that dribble.
>>
>>
>>
>
>If you dont understand a cincept, take the opportunity to shut the hell up. Just because YOU dont understand what was said doesnt mean others dont!
>
>
>
>>This mailing list is really starting to bug me, to many newbs signing up and
>>talking about the most retarded shit.
>>
>>sorry "gregh" but i think you need to get alot more experince computer wise.
>>
>>
>>
>
>1) You need to get a spell checker with that complete crap!
>
>2) You need a little more experience yourself, in more than just computer handling, obviously.
>
>Please - take this opportunity to grow up.
>
>Greg.
>
Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
From: VeNoMouS (venom gen-x.co.nz)
Date: Tue Oct 12 2004 - 20:15:44 CDT
I think you need to re-read your post son cause it reads more like you have
just rung microsoft helpdesk.
And btw this does not need to continue in the mailing list, it turns into
spam other wise if you have a issue with my post keep it private.
----- Original Message -----
From: "Gregh" <chows
ozemail.com.au>
To: "VeNoMouS" <venom
gen-x.co.nz>; "Disclosure Full"
<full-disclosure
lists.netsys.com>
Sent: Wednesday, October 13, 2004 2:09 PM
Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
Understand it yourself. You didn't understand what you read so you went on
like a right twit!
If you had a clue, you would have said what it was. As you don't, you opened
your mouth and simply made a fool of yourself.
Tsk....what a twit!
----- Original Message -----
From: "VeNoMouS" <venom
gen-x.co.nz>
To: "Gregh" <chows
ozemail.com.au>; "Disclosure Full"
<full-disclosure
lists.netsys.com>
Sent: Wednesday, October 13, 2004 10:39 AM
Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
> Understand what it was a fucking retarded question! we are not your help
> desk EOF
>
> ----- Original Message -----
> From: "Gregh" <chows
ozemail.com.au>
> To: "VeNoMouS" <venom
gen-x.co.nz>; "Disclosure Full"
> <full-disclosure
lists.netsys.com>
> Sent: Wednesday, October 13, 2004 1:23 PM
> Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
>
>
>
> ----- Original Message -----
> From: "VeNoMouS" <venom
gen-x.co.nz>
> To: "Gregh" <chows
ozemail.com.au>; "Disclosure Full"
> <full-disclosure
lists.netsys.com>
> Sent: Wednesday, October 13, 2004 10:10 AM
> Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
>
>
>> Im surprised you manged to work out how an email client works after
>> reading
>> that dribble.
>>
>
> If you dont understand a cincept, take the opportunity to shut the hell
> up.
> Just because YOU dont understand what was said doesnt mean others dont!
>
>> This mailing list is really starting to bug me, to many newbs signing up
>> and
>> talking about the most retarded shit.
>>
>> sorry "gregh" but i think you need to get alot more experince computer
>> wise.
>>
>
> 1) You need to get a spell checker with that complete crap!
>
> 2) You need a little more experience yourself, in more than just computer
> handling, obviously.
>
> Please - take this opportunity to grow up.
>
> Greg.
>
Re: SV: [Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a Virus ??!
From: Ill will (xillwillx gmail.com)
Date: Tue Oct 12 2004 - 20:08:42 CDT
oops...
http://www.illmob.org/0day/ghostradmin.zip
On Tue, 12 Oct 2004 17:40:32 +0200, Peter Kruse <kruse
krusesecurity.dk> wrote:
>
> Hi,
>
> Keep in mind that there's a client and a server part in the Radmin installation. During installation of this commercial software you'll have the option to choose whether you want to install the server or only the client.
>
> If the client software is detected as malicious this would indeed be a bad call. However, if Symantec labels the server as a backdoor risk, it's likely because it was distributed as part of a malware package not so long ago (a few weeks back). Still, this doesn't justify labeling the Radmin Client as a security risk. The Radmin software is widely used for remote administration in the same manner as VNC, Terminal Services or "Netbus" ;-)
>
> Regards
> Peter Kruse
>
> >-----Original Message-----
> >From: full-disclosure-admin
lists.netsys.com
> >[mailto:full-disclosure-admin
lists.netsys.com] On Behalf Of Todd Towles
> >Sent: October 12, 2004 16:15
> >To: Sowhat .; full-disclosure
lists.netsys.com
> >Subject: RE: [Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a
> >Virus ??!
> >
> >
> >That is a widely used tool that is dropped by various malware
> >programs. I think even one of the JPEG exploits was dropping radmin.exe
> >
> >It would be better to assume you have an infection and prove yourself
> >wrong than the other way around. Look into it pretty deep, I would
> >suggest.
> >
> >> -----Original Message-----
> >> From: full-disclosure-admin
lists.netsys.com
> >> [mailto:full-disclosure-admin
lists.netsys.com] On Behalf Of Sowhat .
> >> Sent: Tuesday, October 12, 2004 7:51 AM
> >> To: full-disclosure
lists.netsys.com
> >> Subject: [Full-Disclosure] Norton AntiVirus 2005 treats
> >> Radmin as a Virus ??!
> >>
> >> hi ,list
> >>
> >> I have installed Norton AntiVirus 2005 ,and when i open my
> >> F:\ directory ,Norton pops up and show that,"Norton AntiVirus
> >> has detected a virus on your computer" "Object Name
> >> F:\radmin.exe" "Virus Name Hacktool".
> >>
> >> Is RemoteAdministrator a commercial remote control software
> >> or a Hacktool ?
> >>
> >> the following information is copied from the Radmin's site:
> >> (http://www.radmin.com/)
> >>
> >> "This fast, reliable, easy-to-use pc remote control software
> >> saves you hours of running up and down stairs between
> >> computers. Radmin allows you to take control of another PC on
> >> a LAN, WAN or dial-up connection so you see the remote
> >> computer's screen on your monitor and all your mouse
> >> movements and keystrokes are directly transferred to the
> >> remote machine. Radmin provides fast secure access to remote
> >> PC's on Windows platforms. "
> >>
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.netsys.com/full-disclosure-charter.html
> >>
> >
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
--
- illwill
http://illmob.org
_______________________________________________
Re: [Full-Disclosure] Stealing DHCP Leases
From: TheGesus (TheGesus
gmail.com)
Date: Tue Oct 12 2004 - 20:52:12 CDT
Perhaps someone running a RAS server on an NT box?
They like to suck up DHCP addresses on startup.
On Tue, 12 Oct 2004 12:08:07 -0700, Ian Holm <macaddict
ourholm.com> wrote:
> I was noticing that the number of DHCP address in the DHCP cache was running
> low so I decided to check which computers were assigned to each address. To
> my horror I saw that there were 81 addresses assigned at exactly the same
> time and all expired at exactly the same time. I'm assuming that these were
> all assigned to the same machine. How is this possible? Where could I learn
> about this and how to prevent it?
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
_______________________________________________
Re: [Full-Disclosure] Quicky Analysis of a Proxy/Zombie Network
From: GuidoZ (uberguidoz
gmail.com)
Date: Tue Oct 12 2004 - 22:11:21 CDT
Interesting read indeed. Thx for the translation Venomous. ;)
FYI: I started getting 403 Forbidden errors upon trying to view the
last few pics. Not really sure what was up - was able to see most of
them. (?)
--
Peace. ~G
On Wed, 13 Oct 2004 13:19:00 +1300, VeNoMouS <venom
gen-x.co.nz> wrote:
> Getting the russian translated for you, isnt it fun to have lackys from
> another countrys under your control >:P
>
>
>
>
> ----- Original Message -----
> From: "Gregory Gilliss" <ggilliss
netpublishing.com>
> To: "Steele" <lists
lowkeysoft.com>
> Cc: <full-disclosure
lists.netsys.com>
> Sent: Wednesday, October 13, 2004 11:08 AM
> Subject: Re: [Full-Disclosure] Quicky Analysis of a Proxy/Zombie Network
>
> > Bravo! Excellent work!
> >
> > -- Greg
> >
> > On or about 2004.10.12 15:41:16 +0000, Steele (lists
lowkeysoft.com) said:
> >
> >> For your consideration:
> >> http://lowkeysoft.com/proxy/
> >>
> >> screenshots included :)
> >>
> >> be gentle,
> >
> > --
> > Gregory A. Gilliss, CISSP E-mail:
> > greg
gilliss.com
> > Computer Security WWW:
> > http://www.gilliss.com/greg/
> > PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E
> > 8C A3
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
_______________________________________________
Re: [Full-Disclosure] I detecting error in Outlook Express
From: GuidoZ (uberguidoz
gmail.com)
Date: Tue Oct 12 2004 - 22:35:54 CDT
Eliurkis, this isn't a tech support forum. You're quite likely to
start a flame war with a post like that. ;) I'd recommend checking out
the "Security Basics" list instead, as they welcome simple/common
technical questions.
You can get more info on that list here:
- http://www.securityfocus.com/archive/
To answer your question, make sure all files have write permission
(none are read-only). That's the most common problem I've seen when
you know something is up with the Outlook storage files. (Happens when
you restore from a CD by copy/paste, for example.)
Feel free to email me directly (or the Security Basics list) for more
assistance. Oh, go easy on him guys.. =)
--
Peace. ~G
On Tue, 12 Oct 2004 20:53:55 -0400, Eliurkis
<eliurkis.diaz
facinf.uho.edu.cu> wrote:
>
> Hi people...
> In a few days ago I was working in my pc, and changing for erroneous the
> permission in the folder where Outlook save all the messages...
> Well, when I was trying enter at my Outlook this program say
> "This program do a invalid operation and it will close..." (so so)
> This is a problem of my windows (2000) or windows 2000 have this problem...?
>
>
_______________________________________________
Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
From: Gregh (chows
ozemail.com.au)
Date: Tue Oct 12 2004 - 23:03:06 CDT
As you have stated voluminously in this thread, you don't understand, you don't have a clue and you don't have anything to add.
Take the time to shut up. Honest!
----- Original Message -----
From: "VeNoMouS" <venom
gen-x.co.nz>
To: "Gregh" <chows
ozemail.com.au>; "Disclosure Full" <full-disclosure
lists.netsys.com>
Sent: Wednesday, October 13, 2004 11:15 AM
Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
>I think you need to re-read your post son cause it reads more like you have
> just rung microsoft helpdesk.
>
> And btw this does not need to continue in the mailing list, it turns into
> spam other wise if you have a issue with my post keep it private.
>
>
> ----- Original Message -----
> From: "Gregh" <chows
ozemail.com.au>
> To: "VeNoMouS" <venom
gen-x.co.nz>; "Disclosure Full"
> <full-disclosure
lists.netsys.com>
> Sent: Wednesday, October 13, 2004 2:09 PM
> Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
>
>
> Understand it yourself. You didn't understand what you read so you went on
> like a right twit!
>
> If you had a clue, you would have said what it was. As you don't, you opened
> your mouth and simply made a fool of yourself.
>
> Tsk....what a twit!
>
>
> ----- Original Message -----
> From: "VeNoMouS" <venom
gen-x.co.nz>
> To: "Gregh" <chows
ozemail.com.au>; "Disclosure Full"
> <full-disclosure
lists.netsys.com>
> Sent: Wednesday, October 13, 2004 10:39 AM
> Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
>
>
>> Understand what it was a fucking retarded question! we are not your help
>> desk EOF
>>
>> ----- Original Message -----
>> From: "Gregh" <chows
ozemail.com.au>
>> To: "VeNoMouS" <venom
gen-x.co.nz>; "Disclosure Full"
>> <full-disclosure
lists.netsys.com>
>> Sent: Wednesday, October 13, 2004 1:23 PM
>> Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
>>
>>
>>
>> ----- Original Message -----
>> From: "VeNoMouS" <venom
gen-x.co.nz>
>> To: "Gregh" <chows
ozemail.com.au>; "Disclosure Full"
>> <full-disclosure
lists.netsys.com>
>> Sent: Wednesday, October 13, 2004 10:10 AM
>> Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
>>
>>
>>> Im surprised you manged to work out how an email client works after
>>> reading
>>> that dribble.
>>>
>>
>> If you dont understand a cincept, take the opportunity to shut the hell
>> up.
>> Just because YOU dont understand what was said doesnt mean others dont!
>>
>>> This mailing list is really starting to bug me, to many newbs signing up
>>> and
>>> talking about the most retarded shit.
>>>
>>> sorry "gregh" but i think you need to get alot more experince computer
>>> wise.
>>>
>>
>> 1) You need to get a spell checker with that complete crap!
>>
>> 2) You need a little more experience yourself, in more than just computer
>> handling, obviously.
>>
>> Please - take this opportunity to grow up.
>>
>> Greg.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
[Full-Disclosure] [HV-HIGH] RIM Blackberry buffer overflow, DoS, data loss
vuln
hexview.com
Date: Tue Oct 12 2004 - 23:40:43 CDT
RIM Blackberry buffer overflow, DoS, data loss
Classification:
===============
Level: low-med-[HIGH]-crit
ID: HEXVIEW*2004*10*12*1
Overview:
=========
RIM Blackberry is a Java-based wireless connectivity solution providing
phone, e-mail, and other services on a variety of handheld devices.
Affected products:
==================
All tests were performed on a RIM Blackberry 7230 with RIM Blackberry
Operating System software version 3.7.1.41. The Blackberry was synchronized
with Microsoft Exchange server using Blackberry Enterprise Server for
Microsoft Exchange.
Cause and Effect:
=================
Insufficient data validation for incoming calendar data makes it possible
to cause a buffer overflow condition leading to stack corruption. As a result,
it is possible to reboot the device (all stored messages will be lost since
RAM storage will be reinitialized). It is also possible to execute code
embedded by the attacker. It should be mentioned that Blackberry developer
tools are freely available.
Demonstration:
==============
The issue can easily be reproduced by sending a standard Microsoft Outlook
meeting request message with a very long string (over 128K) in the "Location:"
field. To force immediate user notification, set the meeting date/time to the
past. The Blackberry reboots when it tries to notify the user. No user action
is required. It is possible to render a Blackberry device completely useless by
queuing a number of such messages into the user's mailbox.
Vendor Status:
==============
At the time of release the vendor was not aware of the vulnerability.
HexView does not notify vendors unless there is a prior agreement to do so.
Vendors interested in receiving notifications prior to public disclosure
or more detailed analysis may obtain more information by writing to the
e-mail address provided at the end of the document.
About HexView:
==============
HexView has contributed to online security-related lists for almost a decade.
The scope of our expertise spreads over Windows, Linux, Sun, MacOS platforms,
network applications, and embedded devices. The chances are you have read our
advisories or disclosures. For more information visit http://www.hexview.com
Distribution:
=============
This document may be freely distributed through any channels as long as the
contents are kept unmodified. Commercial use of the information in the document
is not allowed without written permission from HexView signed by our pgp key.
Feedback and comments:
======================
Feedback and questions about this disclosure are welcome at vtalk@hexview.com
_______________________________________________
Re: [Full-Disclosure] Stealing DHCP Leases
From: Garth Stone (garth.stone
gmail.com)
Date: Tue Oct 12 2004 - 23:51:15 CDT
On Tue, 12 Oct 2004 12:08:07 -0700, Ian Holm <macaddict
ourholm.com> wrote:
> I was noticing that the number of DHCP address in the DHCP cache was running
> low so I decided to check which computers were assigned to each address. To
> my horror I saw that there were 81 addresses assigned at exactly the same
> time and all expired at exactly the same time. I'm assuming that these were
> all assigned to the same machine. How is this possible? Where could I learn
> about this and how to prevent it?
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
I've actually seen the same thing happen with a faulty network card..
We replaced it with an identical card and the problem was resolved..
Stick the faulty one back in.. Same problem.
_______________________________________________
[Full-Disclosure] EEYE: Windows Shell ZIP File Decompression DUNZIP32.DLL Buffer Overflow Vulnerability
From: Derek Soeder (dsoeder
eeye.com)
Date: Tue Oct 12 2004 - 23:49:04 CDT
Windows Shell ZIP File Decompression DUNZIP32.DLL Buffer Overflow
Vulnerability
Release Date:
October 12, 2004
Date Reported:
August 2, 2004
Severity:
High (Code Execution)
Vendor:
Microsoft
Systems Affected:
Windows XP (SP1 and earlier)
Windows Me
Overview:
eEye Digital Security has discovered a buffer overflow in DUNZIP32.DLL,
a module that offers support for ZIP compressed folders in the Windows
shell. An exploitable buffer overflow occurs when a user opens a ZIP
folder that contains a long file name.
Technical Details:
This buffer overflow is triggered by an integer overflow. When a ZIP
file containing a long file name (greater than around 0x8000 bytes) is
opened in the Windows shell as a ZIP compressed folder, a stack-based
buffer overflow occurs, allowing an exception handler to be overwritten
and EIP to be hijacked.
Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS04-034.mspx
Credit:
Discovery: Yuji Ukai
Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/Products/Retina/download.html
Greetings:
R.Kanai, Y.Watanabe - Welcome to eEye Japan Team, All Black Hat Japan
2004 attendees, and AV2K4 attendees.
Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.
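A defender-side check for the condition the advisory above describes, as an added example that is not eEye's or Microsoft's code: it walks a ZIP's central directory and local file headers and reports entries whose declared file name length reaches the advisory's "around 0x8000" figure, or whose two length fields disagree. The function names, the exact 0x8000 cut-off and the sample archive are assumptions made for this illustration.

```python
import struct
from typing import List, NamedTuple, Optional, Tuple

EOCD_SIG, CDH_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"
NAME_LIMIT = 0x8000  # length cited in the advisory; pass e.g. 260 for a stricter policy


class Finding(NamedTuple):
    index: int        # entry position in the central directory
    central_len: int  # name length declared in the central directory
    local_len: int    # name length declared in the local file header
    reason: str


def find_eocd(data: bytes) -> int:
    """Locate the end-of-central-directory record whose comment ends the file."""
    pos = data.rfind(EOCD_SIG)
    while pos >= 0:
        if pos + 22 <= len(data):
            (comment_len,) = struct.unpack_from("<H", data, pos + 20)
            if pos + 22 + comment_len == len(data):
                return pos
        pos = data.rfind(EOCD_SIG, 0, pos)  # signature may also occur inside a comment
    raise ValueError("no end-of-central-directory record")


def scan_zip(data: bytes, limit: int = NAME_LIMIT) -> List[Finding]:
    """Report entries whose declared name length is >= limit or inconsistent."""
    eocd = find_eocd(data)
    total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    findings = []
    for index in range(total):
        if pos + 46 > len(data) or data[pos:pos + 4] != CDH_SIG:
            raise ValueError(f"bad central directory header at offset {pos}")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (lfh,) = struct.unpack_from("<I", data, pos + 42)
        if lfh + 30 > len(data) or data[lfh:lfh + 4] != LFH_SIG:
            raise ValueError(f"bad local file header at offset {lfh}")
        (local_len,) = struct.unpack_from("<H", data, lfh + 26)
        if max(name_len, local_len) >= limit:
            findings.append(Finding(index, name_len, local_len, "name too long"))
        elif name_len != local_len:
            # A reader may trust either field, so a disagreement is suspicious too.
            findings.append(Finding(index, name_len, local_len, "length mismatch"))
        pos += 46 + name_len + extra_len + comment_len
    return findings


def build_sample_zip(entries: List[Tuple[bytes, Optional[int]]]) -> bytes:
    """Constructed test input: empty stored entries as (name, central_len or None)."""
    out, central = bytearray(), bytearray()
    for name, central_len in entries:
        central_len = len(name) if central_len is None else central_len
        offset = len(out)
        out += struct.pack("<4sHHHHHIIIHH", LFH_SIG, 20, 0, 0, 0, 0, 0, 0, 0,
                           len(name), 0) + name
        central += struct.pack("<4sHHHHHHIIIHHHHHII", CDH_SIG, 20, 20, 0, 0, 0, 0,
                               0, 0, 0, central_len, 0, 0, 0, 0, 0, offset)
        central += name[:central_len]
    eocd = struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(out), 0)
    return bytes(out + central + eocd)


# Constructed sample (not taken from the advisory): one ordinary entry, one name
# over the limit, one entry whose central directory understates the name length.
SAMPLE = build_sample_zip([
    (b"readme.txt", None),
    (b"A" * 0x8001, None),
    (b"report-2004.doc", 6),
])

if __name__ == "__main__":
    for finding in scan_zip(SAMPLE):
        print(finding)
```

Because only header fields are read and nothing is extracted, the check can run at a mail or web gateway before an archive reaches a host that has not applied MS04-034.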
_______________________________________________
Re: [Full-Disclosure] DHCP Flood on inside network. STP the problem?
From: Eddie (EddieS
softhome.net)
Date: Wed Oct 13 2004 - 00:03:55 CDT
Let me say thanks to all those that have replied both on and off the list. All your suggestions are very helpful.
I was able to figure out what was going on when I noticed that instead of a DHCP packet like I was seeing before, tcpdump captured a netbios browser packet from one of the computers, flooding the network. It looks like it is a Spanning Tree breaking down and playing hot potato. It's the same random packet swamping the network just like when you loop two switches together without STP turned on. Seems to like broadcast packets tho.
Nothing has changed in the switches in 3 months, so a switch could be one failing, a computer sending out weird packet screwing up STP, or a virus doing the same.
I removed all the redundant links and that seems to have fixed or slowed down the problem, I still see "<WARN:EDP> Checksum failed for pdu on port 18" errors and I see one report of a lost connection in Big Sister, so I am not sure.
I am turning off STP for now. This weekend I will mess around with it since nobody will be in. Maybe with a little unplugging and general troubleshooting will show what is going on. I don't know much about STP.
I can't find any virus that messes with STP and I don't think any of the servers got rooted since no servers can be accessed from the outside and the firewall is closed tight both in and out.
I think one of the Summit switches going out is the problem. Tracking down what one out of the 3 is going to be fun since I can cause the problem to happen.
Thank you again.
-Eddie
On Mon, 11 Oct 2004 22:00:07 -0700, Eddie wrote:
>I don't have much information on this yet, I am driving down to the office now to pull an all nighter. I figured I would toss this out to the list and see if anyone has any idea. This is just info from what I can get from talking to people and what little time I can get on the network before it goes down.
>
>Starting 2 days ago, I discovered the PIX 515 was locked hard. It seems to be random, but around every 15-30 minutes something floods the network hard for a few minutes. Broadcast flood too. This is a small network with 30 workstations and 5 servers (Linux and SCO, no Wins). It overloads the Extreme switches and I see pdu (or something like that, not udp tho) errors on about every port.
>The Pix 515 overloads and is having issues, but I did see it say something about ARP problems when I could get to the syslog for more info. I looked up the error number and it said it could be ARP poisoning. Not sure what would do that.
>
>In the syslog of the DHCP server, I see thousands of DHCP DISCOVER request (and the REPLAY request from the server, a Linux box). It looks like one client on the network (I have seen this both from XP and Win98) will send 100+ DISCOVER request a second swamping the network. Not always DISCOVER too.
>That will go on for a few minutes, then all is well. Then another computer will do the same thing.
>
>This is quickly overloading things and I am getting IRQ busy and overload errors on some of the servers.
>
>What should I look for. I have never seen something like this before.
>
>Thanks
>-Eddie
>
>
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
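The symptom described in the quoted post (one client sending 100+ DISCOVERs a second for a while, then another client doing the same) can be pulled out of the DHCP server's syslog with a short script. This is an added example, not part of the original messages; it assumes ISC dhcpd-style log lines, which the post does not specify, and the sample lines, MAC addresses and host name are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Client-originated message types only; the post notes the flood is
# "not always DISCOVER", so REQUEST/INFORM and friends are counted too.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: "
    r"(?P<type>DHCP(?:DISCOVER|REQUEST|INFORM|DECLINE|RELEASE))\b.*?"
    r"from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse(lines, year=2004):
    """Yield (timestamp, client MAC, message type) for each client packet logged."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # server replies (DHCPOFFER, DHCPACK) and unrelated lines are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["mac"].lower(), m["type"].upper()


def find_floods(lines, per_second=100, max_gap=timedelta(seconds=1)):
    """Return bursts in which one client logged >= per_second packets per second.

    Consecutive hot seconds from the same client are merged into one burst so
    the output reads as 'client X flooded from start to end with N packets'.
    """
    per_bucket = Counter()
    for ts, mac, _msg_type in parse(lines):
        per_bucket[(mac, ts)] += 1  # syslog timestamps have 1-second resolution

    hot = sorted(key for key, count in per_bucket.items() if count >= per_second)
    bursts = []
    for mac, ts in hot:
        last = bursts[-1] if bursts else None
        if last and last["mac"] == mac and ts - last["end"] <= max_gap:
            last["end"] = ts
            last["packets"] += per_bucket[(mac, ts)]
        else:
            bursts.append({"mac": mac, "start": ts, "end": ts,
                           "packets": per_bucket[(mac, ts)]})
    return sorted(bursts, key=lambda b: b["start"])


def constructed_sample():
    """Constructed log lines (not from the post): two flooding clients, one normal."""
    a, b, c = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    prefix = "Oct 11 {} dhcp1 dhcpd: "
    lines = [prefix.format("21:14:03") + f"DHCPDISCOVER from {a} via eth0"] * 120
    lines += [prefix.format("21:14:04")
              + f"DHCPREQUEST for 192.0.2.50 from {a} (WS-07) via eth0"] * 110
    lines += [prefix.format("21:14:04") + f"DHCPDISCOVER from {b} via eth0",
              prefix.format("21:14:04") + f"DHCPOFFER on 192.0.2.51 to {b} via eth0"]
    lines += [prefix.format("21:30:10") + f"DHCPDISCOVER from {c} via eth0"] * 150
    return lines


SAMPLE = constructed_sample()

if __name__ == "__main__":
    for burst in find_floods(SAMPLE):
        print(burst["mac"], burst["start"], burst["end"], burst["packets"])
```

Several different clients each showing up as a short burst, one after another, fits a forwarding loop replaying broadcasts better than a single misbehaving host, which is where the thread ends up.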
_______________________________________________
[Full-Disclosure] EEYE: Windows VDM #UD Local Privilege Escalation
From: Derek Soeder (dsoeder
eeye.com)
Date: Tue Oct 12 2004 - 23:45:51 CDT
Windows VDM #UD Local Privilege Escalation
Release Date:
October 12, 2004
Date Reported:
March 18, 2004
Severity:
Medium (Local Privilege Escalation to Kernel)
Systems Affected:
Windows NT 4.0
Windows 2000
Windows XP (SP1 and earlier)
Windows Server 2003
Description:
eEye Digital Security has discovered a third local privilege escalation
vulnerability in the Windows kernel that would allow any code running on
an affected system to elevate itself to the highest possible local
privilege level (kernel), regardless of the privileges with which the
code executes initially. For instance, a malicious user with legitimate
access to a machine, or a remote attacker or worm payload able to gain
unprivileged access through an unrelated exploit, could leverage this
vulnerability to fully compromise a Windows NT 4.0, Windows 2000,
Windows XP, or Windows Server 2003 system.
This vulnerability is located in a portion of the Windows kernel that
handles some low-level aspects of executing 16-bit code inside a Virtual
DOS Machine (VDM). A certain invalid opcode byte sequence is used in
the 16-bit DOS emulation code to pass requests (referred to as "bops")
to the 32-bit VDM "host" code, and the invalid opcode fault handler
within the Windows kernel gives these sequences special treatment when
relaying them to the 32-bit host code executing in user space (normally
an NTVDM.EXE process). The kernel does not validate the address to
which execution is transferred after one of these invalid instructions
is encountered, and because the memory containing the address is fully
accessible to user-mode code, it is possible to redirect execution to an
arbitrary location with kernel privileges still in effect.
[NOTE: This vulnerability was silently fixed by Microsoft in June,
approximately 90 days after it was reported, with the release of Windows
XP SP2 Release Candidate 2. All other versions of Windows remained
unpatched for over 120 additional days.]
Technical Description:
The interrupt 06h (#UD) handler in NTOSKRNL.EXE contains a branch of
code for quickly handling C4h/C4h machine code byte sequences according
to the control word specified in the two bytes that follow, when the
sequence occurs in Virtual-8086 mode (bit 17 of EFLAGS is set). If a
control word value other than 4250h or 4350h (both used for fast file
I/O) is given, the "bop" is passed off to another section of code in the
process hosting the VDM. In NTVDM.EXE, this transition normally
corresponds to returning from a call to NtVdmControl(0)
(VdmpStartExecution), but in actuality, execution can be redirected
anywhere, since the switch is just accomplished by swapping out context
structures. The VDM TIB (arrived at by way of
[[[[FFDFF124h]+44h]+1DCh]+98h] on Windows 2000, FS:[F18h] on Windows NT
4.0, Windows XP, and Windows Server 2003) is used to hold a copy of the
V86-mode context in effect at the time the fault occurred (at offset
+CD0h on NT4 and 2000, +2D8h for XP and 2003), then the context for
resuming execution of the host code is retrieved (from offset +A04h on
NT4 and 2000, +0Ch on XP and 2003) and loaded into the appropriate
registers.
As mentioned above, this context is contained in user memory but is not
sanitized in any way by the #UD handler, so any process with or without
a formally-initialized VDM can place arbitrary values in the host
execution context and get the handler to IRETD to any CS:EIP, allowing
kernel privileges to be retained while user-supplied code is executed.
On any version of Windows, it is sufficient to modify the VDM TIB in a
process with a properly initialized VDM (most easily done by code
executing in a .COM file). For Windows NT 4.0, XP, and 2003, it is only
necessary to set the pointer at offset F18h in the user-land TIB to
reference a fake VDM TIB, then execute V86-mode code using NtContinue().
Since this advisory is really dry and jargony, we have to throw in
something a little off-beat. We leave you with this:
T: Hey man, what're you reading?
N: Listen to this -- it's an advisory written by eEye in the
first-person. I am Jack's LDT; without me, Jack could not emulate his
legacy DOS applications like Doom on NT.
N: There's a whole series of these: I am Jill's null pointer. I am
Jack's kernel--
T: Yeah, I get exploited, I completely compromise Jack in such a way
that necessitates a total system reinstallation.
Hope that clears things up. (With apologies to Chuck Palahniuk.)
Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS04-032.mspx
Credit:
Derek Soeder
Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/Products/Retina/index.html
Greetings:
Dedicated to
R. B. G.
1913 - 2004
An honest, humble, pious man, who worked hard for all he had, and who
dearly loved and was loved dearly by his family and community. A great
man, for whom Heaven must surely be.
Once we've run out of tears and learned to live again, forever, we will
miss you.
Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please e-mail
alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.
_______________________________________________
RE: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
From: winter (mail_winter
hotpop.com)
Date: Tue Oct 12 2004 - 23:54:14 CDT
Im guessing they are self extracting exe's (bein setups)
Could it be that your 'setup.exe' cached some shit somewhere, which happens
to be the same place 'this.exe' picks its shit from?
Check all your temp area's for stuff....
BTW - am I the only one bored with flaming l0sers?
> -----Original Message-----
> From: full-disclosure-admin
lists.netsys.com
> [mailto:full-disclosure-admin
lists.netsys.com] On Behalf Of Gregh
> Sent: Wednesday, 13 October 2004 2:03 PM
> To: VeNoMouS; Disclosure Full
> Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible
> way to hack?
>
>
> As you have stated voluminously in this thread, you don't
> understand, you don't have a clue and you don't have anything to add.
>
> Take the time to shut up. Honest!
>
>
> ----- Original Message -----
> From: "VeNoMouS" <venom
gen-x.co.nz>
> To: "Gregh" <chows
ozemail.com.au>; "Disclosure Full"
> <full-disclosure
lists.netsys.com>
> Sent: Wednesday, October 13, 2004 11:15 AM
> Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible
> way to hack?
>
>
> >I think you need to re-read your post son cause it reads
> more like you have
> > just rung microsoft helpdesk.
> >
> > And btw this does not need to continue in the mailing list,
> it turns into
> > spam other wise if you have a issue with my post keep it private.
> >
> >
> > ----- Original Message -----
> > From: "Gregh" <chows
ozemail.com.au>
> > To: "VeNoMouS" <venom
gen-x.co.nz>; "Disclosure Full"
> > <full-disclosure
lists.netsys.com>
> > Sent: Wednesday, October 13, 2004 2:09 PM
> > Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a
> possible way to hack?
> >
> >
> > Understand it yourself. You didn't understand what you read
> so you went on
> > like a right twit!
> >
> > If you had a clue, you would have said what it was. As you
> don't, you opened
> > your mouth and simply made a fool of yourself.
> >
> > Tsk....what a twit!
> >
> >
> > ----- Original Message -----
> > From: "VeNoMouS" <venom
gen-x.co.nz>
> > To: "Gregh" <chows
ozemail.com.au>; "Disclosure Full"
> > <full-disclosure
lists.netsys.com>
> > Sent: Wednesday, October 13, 2004 10:39 AM
> > Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a
> possible way to hack?
> >
> >
> >> Understand what it was a fucking retarded question! we are
> not your help
> >> desk EOF
> >>
> >> ----- Original Message -----
> >> From: "Gregh" <chows
ozemail.com.au>
> >> To: "VeNoMouS" <venom
gen-x.co.nz>; "Disclosure Full"
> >> <full-disclosure
lists.netsys.com>
> >> Sent: Wednesday, October 13, 2004 1:23 PM
> >> Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a
> possible way to hack?
> >>
> >>
> >>
> >> ----- Original Message -----
> >> From: "VeNoMouS" <venom
gen-x.co.nz>
> >> To: "Gregh" <chows
ozemail.com.au>; "Disclosure Full"
> >> <full-disclosure
lists.netsys.com>
> >> Sent: Wednesday, October 13, 2004 10:10 AM
> >> Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
> >>
> >>
> >>> Im surprised you manged to work out how an email client works after reading
> >>> that dribble.
> >>>
> >>
> >> If you dont understand a cincept, take the opportunity to shut the hell up.
> >> Just because YOU dont understand what was said doesnt mean others dont!
> >>
> >>> This mailing list is really starting to bug me, to many newbs signing up and
> >>> talking about the most retarded shit.
> >>>
> >>> sorry "gregh" but i think you need to get alot more experince computer wise.
> >>>
> >>
> >> 1) You need to get a spell checker with that complete crap!
> >>
> >> 2) You need a little more experience yourself, in more than just computer
> >> handling, obviously.
> >>
> >> Please - take this opportunity to grow up.
> >>
> >> Greg.
> >>
Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
From: VeNoMouS (venom
gen-x.co.nz)
Date: Wed Oct 13 2004 - 00:37:46 CDT
lol kid ure funny
----- Original Message -----
From: "Gregh" <chows
ozemail.com.au>
To: "VeNoMouS" <venom
gen-x.co.nz>; "Disclosure Full"
<full-disclosure
lists.netsys.com>
Sent: Wednesday, October 13, 2004 5:03 PM
Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
> As you have stated voluminously in this thread, you don't understand, you
> don't have a clue and you don't have anything to add.
>
> Take the time to shut up. Honest!
>
>
> ----- Original Message -----
> From: "VeNoMouS" <venom
gen-x.co.nz>
> To: "Gregh" <chows
ozemail.com.au>; "Disclosure Full"
> <full-disclosure
lists.netsys.com>
> Sent: Wednesday, October 13, 2004 11:15 AM
> Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to hack?
>
>
>>I think you need to re-read your post son cause it reads more like you
>>have
>> just rung microsoft helpdesk.
>>
>> And btw this does not need to continue in the mailing list, it turns into
>> spam other wise if you have a issue with my post keep it private.
>>
>>
>> ----- Original Message -----
>> From: "Gregh" <chows
ozemail.com.au>
>> To: "VeNoMouS" <venom
gen-x.co.nz>; "Disclosure Full"
>> <full-disclosure
lists.netsys.com>
>> Sent: Wednesday, October 13, 2004 2:09 PM
>> Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to
>> hack?
>>
>>
>> Understand it yourself. You didn't understand what you read so you went
>> on
>> like a right twit!
>>
>> If you had a clue, you would have said what it was. As you don't, you
>> opened
>> your mouth and simply made a fool of yourself.
>>
>> Tsk....what a twit!
>>
>>
>> ----- Original Message -----
>> From: "VeNoMouS" <venom
gen-x.co.nz>
>> To: "Gregh" <chows
ozemail.com.au>; "Disclosure Full"
>> <full-disclosure
lists.netsys.com>
>> Sent: Wednesday, October 13, 2004 10:39 AM
>> Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to
>> hack?
>>
>>
>>> Understand what it was a fucking retarded question! we are not your help
>>> desk EOF
>>>
>>> ----- Original Message -----
>>> From: "Gregh" <chows
ozemail.com.au>
>>> To: "VeNoMouS" <venom
gen-x.co.nz>; "Disclosure Full"
>>> <full-disclosure
lists.netsys.com>
>>> Sent: Wednesday, October 13, 2004 1:23 PM
>>> Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to
>>> hack?
>>>
>>>
>>>
>>> ----- Original Message -----
>>> From: "VeNoMouS" <venom
gen-x.co.nz>
>>> To: "Gregh" <chows
ozemail.com.au>; "Disclosure Full"
>>> <full-disclosure
lists.netsys.com>
>>> Sent: Wednesday, October 13, 2004 10:10 AM
>>> Subject: Re: [Full-Disclosure] WIN XPSP2 - is this a possible way to
>>> hack?
>>>
>>>
>>>> Im surprised you manged to work out how an email client works after
>>>> reading
>>>> that dribble.
>>>>
>>>
>>> If you dont understand a cincept, take the opportunity to shut the hell
>>> up.
>>> Just because YOU dont understand what was said doesnt mean others dont!
>>>
>>>> This mailing list is really starting to bug me, to many newbs signing
>>>> up
>>>> and
>>>> talking about the most retarded shit.
>>>>
>>>> sorry "gregh" but i think you need to get alot more experince computer
>>>> wise.
>>>>
>>>
>>> 1) You need to get a spell checker with that complete crap!
>>>
>>> 2) You need a little more experience yourself, in more than just
>>> computer
>>> handling, obviously.
>>>
>>> Please - take this opportunity to grow up.
>>>
>>> Greg.
>>>
Re: [SPAM] [Full-Disclosure] Stealing DHCP Leases
From: Hugo van der Kooij (hvdkooij