[Full-disclosure] Windows Command Processor Vulnerabilities

2008-03-03 Thread saied hackeriran

In The Name of God

Discovered by: SaiedHacker

Tested on:
Windows XP Service Pack 2 (all versions)
Windows XP Service Pack 1 (all versions)

Visual Basic code / exe dump file:
http://saiedhacker.persiangig.com/Code.zip

Thanks to my best friends:
Arsham Hacker, SiaHacker

HackeranShiraz Security Team
www.SaiedHackerPro.PersianBlog.IR


HackeranShiraz Security Team
[EMAIL PROTECTED]
www.SaiedHackerPro.PersianBlog.IR
www.SaiedHackerPro.MyPersianBlog.Com
   
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] [DailyDave] ants and rants

2008-03-03 Thread Michael Krymson
Too many drugs or is this not you? I really tried to dog barking read this
and make crumpled paper sense of it pontificating.

If it is you, sleep it off and try again tomorrow...

On Mon, Mar 3, 2008 at 1:39 AM, Dave Aitel [EMAIL PROTECTED] wrote:

 [Forwarded from DailyDave]

 This is a natural capitalist effect that I think most of the very
 magical skill that would compensate for losing a good kernel local, or
 anything on debian.org worth owning that would have enabled it to work
 in the community to steal other people's bugs and report them
 (although it does happen).
 Part of it is stupidity and lazyness, since it takes time to change my
 behavior.

 The devil is in the details though

Re: [Full-disclosure] Hammers and nails

2008-03-03 Thread John Doe
On Sun, Mar 02, 2008 at 05:34:42AM -0800, Andrew A wrote:
 http://groups.google.com/group/alt.sex.stories/msg/6329ff9861c2c0b8?q=birth+of+a+gay+sluthl=enlr=ie=UTF-8oe=UTF-8rnum=1
 
 i want more posts like this, dave

That might really be appreciated.



[Full-disclosure] IE/Windows blocking Firefox downloads?

2008-03-03 Thread Joshua Russel
This is weird. I am sitting on my dad's computer running freshly
installed Windows XP (no service pack- vanilla version) and whenever I
try to open a site related to Firefox with IE, it fails to open.
However, all other sites are working fine.



Re: [Full-disclosure] IE/Windows blocking Firefox downloads?

2008-03-03 Thread Jan Clairmont
I have a worse problem. After unloading Symantec Anti-Virus and installing
Comcast's version of McAfee, the damn systems won't allow
IE or Firefox thru, they have annihilated the ieframe.dll and whatever other
critical dlls..  A denial of service core war btwn IE and Firefox apparently.
My VMware tcp stack still works though, UBUNTU Konqueror or for any other
VMware player browser.  This is such garbage.  Of course the new Vista PC I
have was pre-loaded with Vista, no restore disk.

What kind of a world do we live in when M$ and Firefox can get away with this
insanity?  Should be a class action lawsuit and of course I get
no help from the offending parties.

Luckily I have other systems running Linux, Win 2000 and other versions of
OS's that like to work, like my N800.

Never had a problem with those.   Anyone know a quick fix other than
re-loading a sane OS?

Warm regards,
KnightOfMalta
Paladin of Insecurity Security

Joshua Russel [EMAIL PROTECTED] wrote:
  This is weird. I am sitting on my dad's computer running freshly
installed Windows XP (no service pack- vanilla version) and whenever I
try to open a site related to Firefox with IE, it fails to open.
However, all other sites are working fine.


Re: [Full-disclosure] IE/Windows blocking Firefox downloads?

2008-03-03 Thread Colin Copley
This is weird. I am sitting on my dad's computer running freshly
installed Windows XP (no service pack- vanilla version) and whenever I
try to open a site related to Firefox with IE, it fails to open.
However, all other sites are working fine.

I think it's more likely some malware you've picked up (or that's picked you up).
Check your hosts file, or try visiting some antivirus sites and see if they open.

Colin 



Re: [Full-disclosure] IE/Windows blocking Firefox downloads?

2008-03-03 Thread J. Oquendo

Jan Clairmont wrote:

Never had a problem with those.   Anyone know a quick fix other than 
re-loading a sane OS?


Try sfc /scannow from a command prompt

--

J. Oquendo

SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xF684C42E




[Full-disclosure] Heap overflow in Borland VisiBroker Smart Agent 08.00.00.C1.03

2008-03-03 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Borland VisiBroker Smart Agent
  http://www.borland.com/visibroker/
Versions:     <= 08.00.00.C1.03
Platforms:Windows
Bug:  heap overflow
Exploitation: remote
Date: 03 Mar 2008
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


From vendor's website:
Borland® VisiBroker® is the most widely deployed CORBA ORB
infrastructure product on the market, with more than 30 million
licenses in use. Its robust CORBA-based environment makes it ideal for
developing and deploying distributed computing applications.

Smart Agent (osagent.exe) is a program which provides ORB object
location and failure detection services, it's an essential component
for allowing remote and local administrators (Borland VisiBroker
Console) to manage and locate the servers in the domain.


###

==
2) Bug
==


Smart Agent binds the UDP port 14000 and an UDP and TCP port which
changes at every launch (the first free ports to bind found by the
program).

The protocol used on these three ports (so all of them are exploitable)
includes the handling of strings that are composed of a 32 bit number
which tells how long the string is and a subsequent 32 bit number which
specifies the size in the packet padded to 8.

It's enough to set 0xffffffff as the first number to cause the allocation
of 0 bytes of memory (0xffffffff + 1) and the subsequent usage of
strncpy(allocated_memory, our_string, our_padded_size), which can allow
an attacker to crash the service or possibly execute malicious code.

There is also a secondary minor vulnerability: the server is
automatically terminated if the amount of memory specified by the
client can't be allocated.


###

===
3) The Code
===


http://aluigi.org/poc/visibroken.zip


###

==
4) Fix
==


No fix


###


--- 
Luigi Auriemma
http://aluigi.org



[Full-disclosure] Multiple integer overflows in Borland StarTeam server 10.0.0.57

2008-03-03 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Borland StarTeam server 2008
  http://www.borland.com/starteam/
Versions:     <= 10.0.0.57
Platforms:Windows
Bugs: multiple integer overflows
Exploitation: remote
Date: 02 Mar 2008
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


From vendor's website:
Borland® StarTeam® is a fully integrated, cost-effective software
change and configuration management tool, designed for both centralized
and geographically distributed software development environments.


###

===
2) Bugs
===


The server is affected by multiple integer overflow vulnerabilities
caused by the calculation of the amount of memory it needs to allocate
for some arrays received from the clients.

The main ways I have found for exploiting these vulnerabilities are
through the PROJECT_LOGIN and SET_SERVER_ACL commands, where the 32 bit
number received from the client which specifies the amount of entries
in the packet is multiplied respectively by 8 (or 4, depending on
the folder names or specifications) and 12; the result is then used for
allocating the memory without considering the 32 bit limit.

The effect of this operation is a heap overflow which allows an
attacker to control some registers, and there could be a possibility of
executing malicious code.

Both ways require a valid account; privileges are not necessary, so
the least privileged one is good too.


###

===
3) The Code
===


http://aluigi.org/poc/starteamz.zip


###

==
4) Fix
==


No fix


###


--- 
Luigi Auriemma
http://aluigi.org
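
One defensive validator covering both Borland advisories above: the Smart Agent string header whose length + 1 wraps to a zero-byte allocation, and the StarTeam entry count multiplied by 8, 4 or 12 past the 32-bit limit. This is an added example, not Luigi's proof-of-concept and not Borland's code; the exact field layout, the little-endian byte order and the sample packets are assumptions of the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { LEN_OK = 0, LEN_OVERFLOW, LEN_TRUNCATED, LEN_MISMATCH }; /* validator results */

/* Overflow-checked 32-bit add and multiply: store the result and return 0,
 * or return 1 when the true result does not fit in 32 bits. */
static int add_u32(uint32_t a, uint32_t b, uint32_t *out) {
    if (a > UINT32_MAX - b) return 1;
    *out = a + b;
    return 0;
}
static int mul_u32(uint32_t a, uint32_t b, uint32_t *out) {
    if (b != 0 && a > UINT32_MAX / b) return 1;
    *out = a * b;
    return 0;
}

/* Read a little-endian u32 (the byte order is an assumption of this demo). */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Smart Agent style string field: u32 string length, u32 size in the packet
 * padded to 8, then the bytes.  Every quantity is checked against the bytes
 * actually received before anything is allocated or copied.  On success *need
 * is the buffer to allocate (len + 1) and *consumed the field's packet bytes. */
int check_string_field(const uint8_t *pkt, size_t avail,
                       uint32_t *need, size_t *consumed) {
    if (avail < 8) return LEN_TRUNCATED;
    uint32_t len = rd32(pkt), padded = rd32(pkt + 4);
    /* The advisory's bug: len = 0xffffffff makes len + 1 wrap to 0, so a
     * zero-byte buffer is allocated and `padded` bytes are copied into it. */
    if (add_u32(len, 1, need)) return LEN_OVERFLOW;
    /* The padded size must be a multiple of 8, must hold the string, and
     * must lie entirely inside the bytes received. */
    if (padded % 8 != 0 || padded < len) return LEN_MISMATCH;
    if ((size_t)padded > avail - 8) return LEN_TRUNCATED;
    *consumed = 8 + (size_t)padded;
    return LEN_OK;
}

/* StarTeam style array field: u32 entry count followed by count entries of
 * entry_size bytes (8, 4 and 12 in the advisory).  count * entry_size is
 * computed with overflow detection and then bounded by the packet. */
int check_array_field(const uint8_t *pkt, size_t avail,
                      uint32_t entry_size, uint32_t *alloc_bytes) {
    if (avail < 4) return LEN_TRUNCATED;
    uint32_t count = rd32(pkt);
    if (mul_u32(count, entry_size, alloc_bytes)) return LEN_OVERFLOW;
    if ((size_t)*alloc_bytes > avail - 4) return LEN_TRUNCATED;
    return LEN_OK;
}

/* Constructed sample fields; they are not captures from either product. */
static const uint8_t good_str[] = { 5, 0, 0, 0, 8, 0, 0, 0,
                                    'h', 'e', 'l', 'l', 'o', 0, 0, 0 };
static const uint8_t wrap_str[] = { 0xff, 0xff, 0xff, 0xff, 8, 0, 0, 0,
                                    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A' };
static const uint8_t good_arr[] = { 3, 0, 0, 0,            /* 3 entries x 4 bytes */
                                    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
static const uint8_t wrap_arr[] = { 0x56, 0x55, 0x55, 0x55 };  /* 0x55555556 * 12 */

/* Buffer size the well-formed string needs ("hello" + NUL = 6), 0 on error. */
uint32_t sample_good_string_need(void) {
    uint32_t need = 0; size_t used = 0;
    int rc = check_string_field(good_str, sizeof good_str, &need, &used);
    return rc == LEN_OK ? need : 0;
}
/* Length field 0xffffffff: rejected instead of wrapping to a 0-byte buffer. */
int sample_wrapping_string(void) {
    uint32_t need; size_t used;
    return check_string_field(wrap_str, sizeof wrap_str, &need, &used);
}
/* Header promises 8 padded bytes but only 4 of them arrived. */
int sample_short_string(void) {
    uint32_t need; size_t used;
    return check_string_field(good_str, 12, &need, &used);
}
/* Allocation size for 3 entries of 4 bytes (12), 0 on error. */
uint32_t sample_good_array_bytes(void) {
    uint32_t bytes = 0;
    int rc = check_array_field(good_arr, sizeof good_arr, 4, &bytes);
    return rc == LEN_OK ? bytes : 0;
}
/* 0x55555556 * 12 does not fit in 32 bits: rejected before any allocation. */
int sample_wrapping_array(void) {
    uint32_t bytes;
    return check_array_field(wrap_arr, sizeof wrap_arr, 12, &bytes);
}

int main(void) {
    printf("needs %u and %u bytes; codes %d %d %d\n", sample_good_string_need(),
           sample_good_array_bytes(), sample_wrapping_string(),
           sample_short_string(), sample_wrapping_array());
    return 0;
}
```

The point of the two validators is the order of operations: the arithmetic is checked for wrap-around first, and the result is then compared with the bytes that really arrived, so no allocation size is ever derived from an unchecked client-supplied number.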





[Full-disclosure] Airscanner Mobile Security Advisory #07122001: Eye-Fi Multiple Vulnerabilities

2008-03-03 Thread Seth Fogie
Airscanner Mobile Security Advisory #07122001:
Eye-Fi Solution Multiple Vulnerabilities

Product:
Eye-Fi 1.1.2

Platform:
NA

Requirements:
NA

Credits:
Seth Fogie
Airscanner Mobile Security
http://www.airscanner.com
December 20, 2007

Risk Level:
Medium - Spoofed image injection, redirection of uploaded content, 
remote DoS of Eye-Fi service.

Summary:
The Eye-Fi is an instant solution to add wireless upload capability to 
any digital camera that supports an SD card. In the version of software 
tested, the solution has numerous vulnerabilities that can allow 
unauthorized image uploads to a PC, remotely altering the destination 
folder, remote crashing of the Eye-Fi service, and more.

Details:
Details on this program and the vulnerabilities are located at:

http://www.informit.com/articles/article.aspx?p=1174944
http://www.informit.com/articles/article.aspx?p=1177111

Vendor Response:
Vendor has released updated software for both the Eye-Fi software 
package and the SD card (firmware update).

Copyright (c) 2008 Airscanner Corp.

Permission is granted for the redistribution of this alert 
electronically. It may not be edited in any way without the express 
written consent of Airscanner Corp. If you wish to reprint the whole or 
any part of this alert in any other medium other than electronically, 
please contact Airscanner Corp. for permission.

Disclaimer: The information in the advisory is believed to be accurate 
at the time of publishing based on currently available information. Use 
of the information constitutes acceptance for use on an AS IS condition. 
There are no warranties with regard to this information. Neither the 
author nor the publisher accepts any liability for any direct, indirect, 
or consequential loss or damage arising from use of, or reliance on, 
this information.






[Full-disclosure] [ GLSA 200803-05 ] SplitVT: Privilege escalation

2008-03-03 Thread Pierre-Yves Rofes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200803-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: SplitVT: Privilege escalation
  Date: March 03, 2008
  Bugs: #211240
ID: 200803-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


A vulnerability in SplitVT may allow local users to gain escalated
privileges.

Background
==

SplitVT is a program for splitting terminals into two shells.

Affected packages
=

    -------------------------------------------------------------------
     Package                      /  Vulnerable  /         Unaffected
    -------------------------------------------------------------------
  1  app-misc/splitvt                 < 1.6.6-r1              >= 1.6.6-r1

Description
===

Mike Ashton reported that SplitVT does not drop group privileges before
executing the xprop utility.

Impact
==

A local attacker could exploit this vulnerability to gain the utmp
group privileges.

Workaround
==

There is no known workaround at this time.

Resolution
==

All SplitVT users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =app-misc/splitvt-1.6.6-r1

References
==

  [ 1 ] CVE-2008-0162
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0162

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200803-05.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[Full-disclosure] [ GLSA 200803-06 ] SWORD: Shell command injection

2008-03-03 Thread Pierre-Yves Rofes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200803-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
 Title: SWORD: Shell command injection
  Date: March 03, 2008
  Bugs: #210754
ID: 200803-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Insufficient input checking in SWORD may allow shell command injection.

Background
==

SWORD is a library for Bible study software.

Affected packages
=

    -------------------------------------------------------------------
     Package                      /  Vulnerable  /         Unaffected
    -------------------------------------------------------------------
  1  app-text/sword                   < 1.5.8-r2              >= 1.5.8-r2

Description
===

Dan Dennison reported that the diatheke.pl script used in SWORD does
not properly sanitize shell meta-characters in the range parameter
before processing it.

Impact
==

A remote attacker could provide specially crafted input to a vulnerable
application, possibly resulting in the remote execution of arbitrary
shell commands with the privileges of the user running SWORD (generally
the web server account).

Workaround
==

There is no known workaround at this time.

Resolution
==

All SWORD users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =app-text/sword-1.5.8-r2

References
==

  [ 1 ] CVE-2008-0932
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0932

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200803-06.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[Full-disclosure] [SECURITY] [DSA 1511-1] New libicu packages fix multiple problems

2008-03-03 Thread Steve Kemp

--------------------------------------------------------------------------
Debian Security Advisory DSA-1511-1                      [EMAIL PROTECTED]
http://www.debian.org/security/                               Steve Kemp
March 03, 2008                          http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: libicu
Vulnerability  : various
Problem type   : local
Debian-specific: no
CVE Id(s)  : 2007-4770 2007-4771
Debian Bug : 463688

Several local vulnerabilities have been discovered in libicu,
International Components for Unicode. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2007-4770
  libicu in International Components for Unicode (ICU) 3.8.1 and earlier
  attempts to process backreferences to the nonexistent capture group
  zero (aka \0), which might allow context-dependent attackers to read
  from, or write to, out-of-bounds memory locations, related to
  corruption of REStackFrames.

CVE-2007-4771
  Heap-based buffer overflow in the doInterval function in regexcmp.cpp
  in libicu in International Components for Unicode (ICU) 3.8.1 and
  earlier allows context-dependent attackers to cause a denial of
  service (memory consumption) and possibly have unspecified other
  impact via a regular expression that writes a large amount of data to
  the backtracking stack.

For the stable distribution (etch), these problems have been fixed in
version 3.6-2etch1.

For the unstable distribution (sid), these problems have been fixed in
version 3.8-6.

We recommend that you upgrade your libicu package.


Upgrade instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------


[Full-disclosure] [ GLSA 200803-07 ] Paramiko: Information disclosure

2008-03-03 Thread Pierre-Yves Rofes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200803-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
 Title: Paramiko: Information disclosure
  Date: March 03, 2008
  Bugs: #205777
ID: 200803-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


Unsafe randomness usage in Paramiko may allow access to sensitive
information.

Background
==

Paramiko is a Secure Shell Server implementation written in Python.

Affected packages
=

    -------------------------------------------------------------------
     Package                      /  Vulnerable  /         Unaffected
    -------------------------------------------------------------------
  1  dev-python/paramiko                < 1.7.2                  >= 1.7.2

Description
===

Dwayne C. Litzenberger reported that the file common.py does not
properly use RandomPool when using threads or forked processes.

Impact
==

A remote attacker could predict the values generated by applications
using Paramiko for encryption purposes, potentially gaining access to
sensitive information.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Paramiko users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =dev-python/paramiko-1.7.2

References
==

  [ 1 ] CVE-2008-0299
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0299

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200803-07.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[Full-disclosure] [ MDVSA-2008:057 ] - Updated wireshark packages fix denial of service vulnerabilities

2008-03-03 Thread security


 ___
 
 Mandriva Linux Security Advisory MDVSA-2008:057
 http://www.mandriva.com/security/
 ___
 
 Package : wireshark
 Date: March 3, 2008
 Affected: 2007.0, 2007.1, 2008.0, Corporate 4.0
 ___
 
 Problem Description:
 
 A few vulnerabilities were found in Wireshark that could cause it
 to crash or consume excessive memory under certain conditions.
 
 This update provides Wireshark 0.99.8, which is not vulnerable to
 the issues.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1070
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1071
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1072
 http://www.wireshark.org/security/wnpa-sec-2008-01.html
 ___
 
 Updated Packages:
 

[Full-disclosure] VMSA-2008-0004 Low: Updated e2fsprogs service console package

2008-03-03 Thread VMware Security team

------------------------------------------------------------------------
                    VMware Security Advisory

Advisory ID:   VMSA-2008-0004
Synopsis:      Low: Updated e2fsprogs service console package
Issue date:    2008-03-03
Updated on:    2008-03-03 (initial release of advisory)
CVE numbers:   CVE-2007-5497
------------------------------------------------------------------------

1. Summary:

Updated service console package e2fsprogs.

2. Relevant releases:

ESX Server 2.5.5 Upgrade Patch 5
ESX Server 2.5.4 Upgrade Patch 16

NOTE: ESX 2.5.4 is in Extended Support and its end of support (Security
      and Bug fixes) is 10/08/2008.  Users should plan to upgrade to at
      least 2.5.5 and preferably the newest release available before
      the end of extended support.

      ESX Server versions prior to 2.5.4 are no longer in Extended Support.
      Users should upgrade to a supported version of the product.

      The VMware Infrastructure Support Life Cycle Policy can be found
      here: http://www.vmware.com/support/policies/eos_vi.html

3. Problem description:

The updated e2fsprogs package addresses multiple integer overflow flaws.

Thanks to Rafal Wojtczuk of McAfee Avert Research for identifying
and reporting this issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-5497 to this issue.

4. Solution:

Please review the Patch notes for your product and version and verify
the md5sum of your downloaded file.

ESX Server 2.x Patches:
http://www.vmware.com/download/esx/esx2_patches.html

ESX Server 2.5.5 Upgrade Patch 5
http://download3.vmware.com/software/esx/esx-2.5.5-73417-upgrade.tar.gz
md5sum: cf0addac42cb2057c47065971f56bee6
http://www.vmware.com/support/esx25/doc/esx-255-200802-patch.html

ESX Server 2.5.4 Upgrade Patch 16
http://download3.vmware.com/software/esx/esx-2.5.4-73416-upgrade.tar.gz
md5sum: b7b2cbfd45380124c128831dca8bc2b0
http://www.vmware.com/support/esx25/doc/esx-254-200802-patch.html

5. References:

    CVE numbers
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5497

------------------------------------------------------------------------
6. Contact:

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

   * [EMAIL PROTECTED]
   * [EMAIL PROTECTED]
   * full-disclosure@lists.grok.org.uk

E-mail:  [EMAIL PROTECTED]

Security web site
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2008 VMware Inc.  All rights reserved.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHzHdoS2KysvBH1xkRCCxrAJsHDTczV7agRyav5nMXgVmvMKTsSACfTmLl
Rv1wQy510KaPTQy9LiNMTNo=
=yM44
-END PGP SIGNATURE-



[Full-disclosure] Exploring the UNKNOWN: Scanning the Internet via SNMP!

2008-03-03 Thread Adrian P
* Exploring the UNKNOWN: Scanning the Internet via SNMP! *
http://www.gnucitizen.org/blog/exploring-the-unknown-scanning-the-internet-via-snmp/

Hacking is not only about coming up with interesting solutions to
problems, but also about exploring the unknown. It was this drive for
knowledge philosophy that led to surveying a significant sample of
the Internet which allowed us to make some VERY interesting
observations and get an idea of the current state of _remote SNMP
hacking_.

* Why SNMP? *

2.5 million random IP addresses were surveyed via SNMP. Why SNMP you
might be asking? Well, there are several reasons. First of all SNMP is
a UDP-based protocol which allows us to perform scanning in a much
shorter time than via TCP-based protocols. Another advantage of
UDP-based protocols is that the source IP address can be spoofed
easily. In the case of SNMP, it means that an attacker could change
configuration settings from a spoofed IP address provided that a valid
write community string is identified or cracked. Needless to say,
changing config settings via SNMP can lead to a full compromise.
Finally, we have been very involved [1] researching embedded devices
lately, and since a significant amount of Internet devices are
hackable via SNMP, such a protocol was an obvious candidate.

* When SNMP read access is all we need for successful pwnage *

Gaining SNMP write access is of course usually considered to be a more
serious issue than gaining SNMP read access only. However, even if a
cracker only gained read access to a device/server via an SNMP
community string, it would sometimes be possible to extract sensitive
information such as usernames and passwords which would eventually
lead to a compromise of the targeted systems. In order to accomplish
this, all that is needed by the attacker is knowledge of an
interesting OID to query. My point is that SNMP read access could be
enough to fully own a device!

* Examples of juicy leaks via SNMP read access *

For instance, Windows servers return the full list of usernames [2] by
snmpwalking the OID 1.3.6.1.4.1.77.1.2.25. Or how about the BT Voyager
2000 router leaking the ISP credentials [3] including the password?
Oh, wait, I almost forgot to mention HP JetDirect printers leaking [4]
the admin password [5] via SNMP read access (using OIDs
.iso.3.6.1.4.1.11.2.3.9.4.2.1.3.9.1.1.0 and
.1.3.6.1.4.1.11.2.3.9.1.1.13.0). And of course the recently disclosed
[6] Dynamic DNS credentials disclosure on ZyXEL Prestige routers via
the OID 1.3.6.1.4.1.890.1.2.1.2.6.0 (see section 2.2 in the paper for
more details). You get the point: lots of devices leak _way too much
information_ via SNMP read access.

* The juicy survey stats! *

From a total number of 2.5 million random IP addresses, 5320 IP
addresses responded to the submitted SNMP requests. Although this is
only 0.2128% of all the IP addresses, we need to keep in mind that
most Internet systems with SNMP support correspond to embedded
devices, which make up only a small portion of the Internet. One query
was sent to each random IP using the community string public, which
is often used as the default read community string. The OID queried on
each request is 1.3.6.1.2.1.1.1.0 which is the system description
(usually returns brand and model). The destination port used was
161/UDP. Although some systems used different default port numbers for
SNMP daemons, 161 is definitely the most common one.

In order to protect the innocent, we hid the first two octets of the
IP addresses included in our results CSV file:

# Prefix each record with "*.*." and keep only the third and fourth
# octets onwards (the redirection operators were lost in the archive)
cat ./2dot5million-random-ips.csv | while read line
do
echo -en '*.*.' >> ./2dot5million-random-ips.hidden.csv;
echo "$line" | cut -d . -f 3- >> ./2dot5million-random-ips.hidden.csv
done

The most common systems found were the following:

* ARRIS Touchstone Telephony Modems [7] - these VoIP modems alone
made more than 35% of all found devices discovered!
* Cisco routers
* Apple AirPort [8] and Base Station
* ZyXEL Prestige routers
* Netopia routers
* Windows 2000 servers

Obviously, what kind of SNMP-enabled devices are the most popular on
the Internet is very interesting information from a research point of
view. For instance, if researching remote SNMP vulnerabilities, it
would make sense to focus on a type of device that is widespread
through the Internet. I'll leave you guys to make your own
observations by reading the results CSV file.

The survey results file can be found on:
http://www.gnucitizen.org/blog/exploring-the-unknown-scanning-the-internet-via-snmp/

* References *

[1] 
http://www.google.com/search?num=100hl=enq=site%3Agnucitizen.org+%28embedded+devices%29+OR+upnpbtnG=Search

[2] http://insecure.org/sploits/NT.smnp.domain_users.record_deletion.html

[3] http://www.securityfocus.com/archive/1/366780

[4] http://www.phenoelit-us.org/stuff/HP_snmp.txt

[5] http://www.securityfocus.com/bid/7001/exploit

[6] http://www.procheckup.com/Hacking_ZyXEL_Gateways.pdf

[7]