[Full-disclosure] [SECURITY] [DSA 1872-1] New Linux 2.6.18 packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1872-1                  secur...@debian.org
http://www.debian.org/security/                             dann frazier
August 24, 2009                       http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : linux-2.6
Vulnerability  : denial of service/privilege escalation/information leak
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2009-2698 CVE-2009-2846 CVE-2009-2847 CVE-2009-2848
                 CVE-2009-2849

Several vulnerabilities have been discovered in the Linux kernel that may
lead to denial of service, privilege escalation or a leak of sensitive
memory. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2009-2698

    Herbert Xu discovered an issue in the way UDP tracks corking status
    that could allow local users to cause a denial of service (system
    crash). Tavis Ormandy and Julien Tinnes discovered that this issue
    could also be used by local users to gain elevated privileges.

CVE-2009-2846

    Michael Buesch noticed a typing issue in the eisa-eeprom driver for
    the hppa architecture. Local users could exploit this issue to gain
    access to restricted memory.

CVE-2009-2847

    Ulrich Drepper noticed an issue in the do_sigaltstack routine on
    64-bit systems. This issue allows local users to gain access to
    potentially sensitive memory on the kernel stack.

CVE-2009-2848

    Eric Dumazet discovered an issue in the execve path, where the
    clear_child_tid variable was not being properly cleared. Local users
    could exploit this issue to cause a denial of service (memory
    corruption).

CVE-2009-2849

    Neil Brown discovered an issue in the sysfs interface to md devices.
    When md arrays are not active, local users can exploit this
    vulnerability to cause a denial of service (oops).

For the oldstable distribution (etch), this problem has been fixed in
version 2.6.18.dfsg.1-24etch4.

We recommend that you upgrade your linux-2.6, fai-kernels, and
user-mode-linux packages.

Note: Debian carefully tracks all known security issues across every
linux kernel package in all releases under active security support.
However, given the high frequency at which low-severity security issues
are discovered in the kernel and the resource requirements of doing an
update, updates for lower priority issues will normally not be released
for all kernels at the same time. Rather, they will be released in a
staggered or "leap-frog" fashion.

The following matrix lists additional source packages that were rebuilt
for compatibility with or to take advantage of this update:

                                 Debian 4.0 (etch)
     fai-kernels                 1.17+etch.24etch4
     user-mode-linux             2.6.18-1um-2etch.24etch4

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/l/linux-2.6/linux-2.6_2.6.18.dfsg.1-24etch4.diff.gz
    Size/MD5 checksum:  5562205 77430d6cfab939a4d1c82fab6ab70af3
  http://security.debian.org/pool/updates/main/l/linux-2.6/linux-2.6_2.6.18.dfsg.1-24etch4.dsc
    Size/MD5 checksum:     5672 733c4de16e92e78c23341c948c2b3e37
  http://security.debian.org/pool/updates/main/l/linux-2.6/linux-2.6_2.6.18.dfsg.1.orig.tar.gz
    Size/MD5 checksum: 52225460 6a1ab0948d6b5b453ea0fce0fcc29060
  http://security.debian.org/pool/updates/main/f/fai-kernels/fai-kernels_1.17+etch.24etch4.tar.gz
    Size/MD5 checksum:    59372 8f60164e762c338a2d2079eda83c9b68
  http://security.debian.org/pool/updates/main/f/fai-kernels/fai-kernels_1.17+etch.24etch4.dsc
    Size/MD5 checksum:      740 710f999fbfec7dbbee77d348a1dd244e
  http://security.debian.org/pool/updates/main/u/user-mode-linux/user-mode-linux_2.6.18-1um-2etch.24etch4.diff.gz
    Size/MD5 checksum:    21030 6d4d20763b630aa689b0b138ded756b2
  http://security.debian.org/pool/updates/main/u/user-mode-linux/user-mode-linux_2.6.18-1um.orig.tar.gz
    Size/MD5 checksum:    14435 4d10c30313e11a24621f7218c31f3582
  http://security.debian.org/pool/updates/main/u/user-mode-linux/user-mode-linux_2.6.18-1um-2etch.24etch4.dsc
    Size/MD5 checksum:      892 e4bec3b34d424dea506a3a6ed4f815e4

Architecture independent packages:
[Full-disclosure] rPSA-2009-0122-1 idle python
rPath Security Advisory: 2009-0122-1
Published: 2009-08-24
Products:
    rPath Appliance Platform Linux Service 1
    rPath Appliance Platform Linux Service 2
    rPath Linux 1
    rPath Linux 2

Rating: Major
Exposure Level Classification:
    Deterministic Weakness
Updated Versions:
    idle=conary.rpath@rpl:1/2.4.1-20.18-1
    idle=conary.rpath@rpl:2/2.4.4-41.3-1
    python=conary.rpath@rpl:1/2.4.1-20.18-1
    python=conary.rpath@rpl:2/2.4.4-41.3-1

rPath Issue Tracking System:
    https://issues.rpath.com/browse/RPL-3111

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1887

Description:
    A weakness in Python's PyString_FromStringAndSize function in
    previous versions of the python package makes some python programs
    vulnerable to various attacks, including unauthorized code execution.

http://wiki.rpath.com/Advisories:rPSA-2009-0122

Copyright 2009 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] rPSA-2009-0123-1 apr-util
rPath Security Advisory: 2009-0123-1
Published: 2009-08-24
Products:
    rPath Appliance Platform Linux Service 1
    rPath Appliance Platform Linux Service 2
    rPath Linux 1
    rPath Linux 2

Rating: Major
Exposure Level Classification:
    Remote Deterministic Denial of Service
Updated Versions:
    apr-util=conary.rpath@rpl:1/0.9.7-1.3-1
    apr-util=conary.rpath@rpl:2/1.2.12-2.3-1

rPath Issue Tracking System:
    https://issues.rpath.com/browse/RPL-3108

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955

Description:
    Previous versions of the apr-util package have a weakness that makes
    the mod_dav and mod_dav_svn modules susceptible to a remote denial of
    service by memory consumption attack by presenting a crafted XML
    document, known as the "billion laughs" denial of service attack.

http://wiki.rpath.com/Advisories:rPSA-2009-0123

Copyright 2009 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
[Full-disclosure] rPSA-2009-0124-1 curl
rPath Security Advisory: 2009-0124-1
Published: 2009-08-24
Products:
    rPath Appliance Platform Linux Service 1
    rPath Appliance Platform Linux Service 2
    rPath Linux 1
    rPath Linux 2

Rating: Major
Exposure Level Classification:
    Indirect Deterministic Weakness
Updated Versions:
    curl=conary.rpath@rpl:1/7.15.3-1.4-1
    curl=conary.rpath@rpl:2/7.17.0-2.2-1

rPath Issue Tracking System:
    https://issues.rpath.com/browse/RPL-3112

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2417

Description:
    Previous versions of the curl package do not properly validate X.509
    certificates with NULL bytes in the domain name portion of the Common
    Name field, which can allow man-in-the-middle attacks which spoof
    arbitrary SSL servers by presenting crafted certificates signed by
    legitimate certification authorities.

http://wiki.rpath.com/Advisories:rPSA-2009-0124

Copyright 2009 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
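The NULL-byte Common Name problem the curl advisory above describes is a class, not a curl-specific bug: the certificate parser hands back a length-delimited ASN.1 string, and any hostname check that treats it as a C string stops at the first 0x00. The following is an added example written for this digest, not curl's code and not curl's actual fix; the struct name `asn1_string`, the functions `vuln_host_match`/`safe_host_match` and the two CN byte strings are constructed for the demonstration. Wildcard matching and subjectAltName handling are deliberately left out.

```c
/* null_cn.c -- constructed example: how a NUL byte inside a certificate
 * Common Name defeats C-string hostname matching (the CVE-2009-2417 class).
 * Not curl's code; the CN byte strings below are constructed for the demo. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A CN as it comes out of an X.509 parser: explicit length, not required to
 * be NUL-terminated, and free to contain 0x00 bytes. */
struct asn1_string {
    const unsigned char *data;
    size_t len;
};

/* Constructed crafted CN: "www.example.com", a NUL, then the domain the
 * attacker actually controls. A CA that checked only the part after the NUL
 * would still issue this certificate. */
static const unsigned char crafted_bytes[] = "www.example.com\0.attacker.test";
static const struct asn1_string CRAFTED_CN = { crafted_bytes, sizeof(crafted_bytes) - 1 };

/* Constructed honest CN for comparison. */
static const unsigned char honest_bytes[] = "www.example.com";
static const struct asn1_string HONEST_CN = { honest_bytes, sizeof(honest_bytes) - 1 };

/* ASCII case-insensitive equality over exactly n bytes (DNS names are ASCII). */
static bool ascii_ieq(const unsigned char *a, const unsigned char *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        unsigned char x = a[i], y = b[i];
        if (x >= 'A' && x <= 'Z') x = (unsigned char)(x + ('a' - 'A'));
        if (y >= 'A' && y <= 'Z') y = (unsigned char)(y + ('a' - 'A'));
        if (x != y) return false;
    }
    return true;
}

/* Vulnerable pattern: the CN is measured with strlen(), which stops at the
 * embedded NUL, so the comparison sees only "www.example.com" and accepts. */
bool vuln_host_match(const struct asn1_string *cn, const char *host) {
    size_t seen = strlen((const char *)cn->data);   /* stops at the embedded NUL */
    return seen == strlen(host) &&
           ascii_ieq(cn->data, (const unsigned char *)host, seen);
}

/* Hardened pattern: trust the ASN.1 length, reject any embedded NUL outright
 * (never legitimate in a DNS name), and require full lengths to agree. */
bool safe_host_match(const struct asn1_string *cn, const char *host) {
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return false;
    size_t hlen = strlen(host);
    if (hlen != cn->len)
        return false;
    return ascii_ieq(cn->data, (const unsigned char *)host, hlen);
}

int main(void) {
    printf("crafted CN, strlen-based match : %s\n",
           vuln_host_match(&CRAFTED_CN, "www.example.com") ? "ACCEPTED" : "rejected");
    printf("crafted CN, length-aware match : %s\n",
           safe_host_match(&CRAFTED_CN, "www.example.com") ? "ACCEPTED" : "rejected");
    printf("honest CN,  length-aware match : %s\n",
           safe_host_match(&HONEST_CN, "www.example.com") ? "ACCEPTED" : "rejected");
    return 0;
}
```

The check worth copying is the `memchr` rejection: once a NUL is present the name is hostile regardless of what follows, so there is no reason to continue comparing.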
[Full-disclosure] Sexless schadenfreude: the potential extremist Michael Crook.
Some kid died. I want someone caring liberal to hug me, but no!

You may remember me from such films as the EFF DMCA apology. I'm afraid he may take the next step and become a risk to himself or others. He spends his spare time proselytizing extremist and radical viewpoints on my blog in order to gain attention for himself. He celebrates the death of others in schadenfreude ways. Because of his acting like he has nothing to lose, I believe he's a lone wolf and a definite potential terrorist.

Psychologically, I think he fantasizes for a woman to reach out to him, to be the mother he never had. I think he wants a liberal, surrogate mother. But in reality, he would merely exhaust the caring of her. He's not fixable.

I want someone to mother me. But it can't help. I am cursed with this hate. This is my nature now. My scars.

I wanted to give a heads up to the federal authorities. This guy looks like a nutter. He should be placed under surveillance 24-7 to make sure he doesn't do anything funny. I'm guessing in his loneliness he gets pretty dejected and depressed at times. Why don't people know me for who I *really* am. But all they see is his attention-gaining shocks. He's a sure thing.

http://tips.fbi.gov - Send in everything you know, paste them this tip. Federal authorities (SS, FBI, HLS)

You can visit his blog at www.michaelcrook.org, or by googling Michael Crook. Study him good.

~ John Doe / n3td3v (http://www.twitter.com/n3td3v)

P.S. This is anonymous, however, he's genuinely a threat. You can clearly see by googling his name he means business and fits the profile of a lone wolf.
Re: [Full-disclosure] Sexless schadenfreude: the potential extremist Michael Crook.
He's a friendless loser with no skills nor intelligence. There are probably twenty million of them on the internet; the only difference between this one and the others is that Michael hasn't discovered /b/ yet.

2009/8/25 Michael Crook <michael.cr...@hushmail.com>:
> Some kid died. I want someone caring liberal to hug me, but no!
>
> You may remember me from such films as the EFF DMCA apology. I'm afraid he
> may take the next step and become a risk to himself or others. He spends his
> spare time proselytizing extremist and radical viewpoints on my blog in order
> to gain attention for himself. He celebrates the death of others in
> schadenfreude ways. Because of his acting like he has nothing to lose, I
> believe he's a lone wolf and a definite potential terrorist.
>
> Psychologically, I think he fantasizes for a woman to reach out to him, to be
> the mother he never had. I think he wants a liberal, surrogate mother. But in
> reality, he would merely exhaust the caring of her. He's not fixable.
>
> I want someone to mother me. But it can't help. I am cursed with this hate.
> This is my nature now. My scars.
>
> I wanted to give a heads up to the federal authorities. This guy looks like a
> nutter. He should be placed under surveillance 24-7 to make sure he doesn't
> do anything funny. I'm guessing in his loneliness he gets pretty dejected and
> depressed at times. Why don't people know me for who I *really* am. But all
> they see is his attention-gaining shocks. He's a sure thing.
>
> http://tips.fbi.gov - Send in everything you know, paste them this tip.
> Federal authorities (SS, FBI, HLS)
>
> You can visit his blog at www.michaelcrook.org, or by googling Michael Crook.
> Study him good.
>
> ~ John Doe / n3td3v (http://www.twitter.com/n3td3v)
>
> P.S. This is anonymous, however, he's genuinely a threat. You can clearly see
> by googling his name he means business and fits the profile of a lone wolf.
Re: [Full-disclosure] Sexless schadenfreude: the potential extremist Michael Crook.
On Tue, 25 Aug 2009 10:07:07 -, Michael Crook said:

> ~ John Doe / n3td3v (http://www.twitter.com/n3td3v)
> P.S. This is an anonymous,

Hint: Look up big words like "anonymous" in the dictionary, make sure you're using them correctly. It adds that extra luster of competence to your postings.
Re: [Full-disclosure] Sexless schadenfreude: the potential extremist Michael Crook.
I'm sure the man already has his big eye on Michael, especially since his last name is Crook; these are facts they wouldn't miss.

On Tue, Aug 25, 2009 at 10:49 AM, valdis.kletni...@vt.edu wrote:
> On Tue, 25 Aug 2009 10:07:07 -, Michael Crook said:
>
> > ~ John Doe / n3td3v (http://www.twitter.com/n3td3v)
> > P.S. This is an anonymous,
>
> Hint: Look up big words like "anonymous" in the dictionary, make sure
> you're using them correctly. It adds that extra luster of competence to
> your postings.

--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da
[Full-disclosure] [SECURITY] [DSA 1833-2] New dhcp3 packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1833-2                  secur...@debian.org
http://www.debian.org/security/                           Florian Weimer
August 25, 2009                       http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : dhcp3
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2009-0692 CVE-2009-1892
CERT advisory  : VU#410676

The previous dhcp3 update (DSA-1833-1) did not properly apply the
required changes to the stable (lenny) version. The old stable (etch)
version is not affected by this problem. The original advisory
description follows.

Several remote vulnerabilities have been discovered in ISC's DHCP
implementation:

It was discovered that dhclient does not properly handle overlong subnet
mask options, leading to a stack-based buffer overflow and possible
arbitrary code execution. (CVE-2009-0692)

Christoph Biedl discovered that the DHCP server may terminate when
receiving certain well-formed DHCP requests, provided that the server
configuration mixes host definitions using "dhcp-client-identifier" and
"hardware ethernet". This vulnerability only affects the lenny versions
of dhcp3-server and dhcp3-server-ldap. (CVE-2009-1892)

For the stable distribution (lenny), this problem has been fixed in
version 3.1.1-6+lenny3.

We recommend that you upgrade your dhcp3 packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.1.1.orig.tar.gz
    Size/MD5 checksum:   798228 fcc19330a9c3a0efb5620409214652a9
  http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.1.1-6+lenny3.dsc
    Size/MD5 checksum:     1488 b884753ce46061cc6e0e6a783d7c24a3
  http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3_3.1.1-6+lenny3.diff.gz
    Size/MD5 checksum:   128921 178f7799fbe3e8fb5a0472a8060bebf7

Architecture independent packages:

  http://security.debian.org/pool/updates/main/d/dhcp3/dhcp-client_3.1.1-6+lenny3_all.deb
    Size/MD5 checksum:    23010 e772483a84fdca84407e39556188a13e

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny3_alpha.deb
    Size/MD5 checksum:   148302 296381030181bf29e5185823472c34c7
  http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny3_alpha.deb
    Size/MD5 checksum:   348542 910f44119d0cbcefdfdb0496b72f75c0
  http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny3_alpha.deb
    Size/MD5 checksum:   272004 63e37fc50ae798ad86713ff354f5b996
  http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny3_alpha.deb
    Size/MD5 checksum:   394460 a77802ce027f350aed83be710c92fa9f
  http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny3_alpha.udeb
    Size/MD5 checksum:   215132 ea9207b439e373b7cda0633600fc2a66
  http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny3_alpha.deb
    Size/MD5 checksum:   127514 f1287179244c1684b1a892c187624425
  http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny3_alpha.deb
    Size/MD5 checksum:   333782 713d3ad0235144a0537d747a66766b6a

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-common_3.1.1-6+lenny3_amd64.deb
    Size/MD5 checksum:   310356 6fb09a20cce949a6edd1a9a628863a2d
  http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-relay_3.1.1-6+lenny3_amd64.deb
    Size/MD5 checksum:   114266 bb511a3be6b474ba6233a00bd70d52b3
  http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client-udeb_3.1.1-6+lenny3_amd64.udeb
    Size/MD5 checksum:   188422 f2aaca0e2a93c0b3647d6cebc2dc515e
  http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server_3.1.1-6+lenny3_amd64.deb
    Size/MD5 checksum:   358418 15b92a206a5f782b91ef21a1cb89d8c1
  http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-client_3.1.1-6+lenny3_amd64.deb
    Size/MD5 checksum:   245246 22f8d4e550561f67ac9145e114281d30
  http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-server-ldap_3.1.1-6+lenny3_amd64.deb
    Size/MD5 checksum:   313224 2033f60c749a3e71631a5b153a77ae27
  http://security.debian.org/pool/updates/main/d/dhcp3/dhcp3-dev_3.1.1-6+lenny3_amd64.deb
    Size/MD5
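The CVE-2009-0692 description above ("overlong subnet mask options, leading to a stack-based buffer overflow") names a pattern every DHCP option consumer has to get right: an option carries its own length byte, and a fixed-size destination must not trust it. The example below is added for this digest and is not dhclient's code; `find_option`, `lease_params` and the three option byte arrays are constructed for the demonstration, and the 16-byte `buf` stands in for a 4-byte mask field plus whatever sits next to it on a real stack. Only the RFC 2132 code/length/value layout is taken from the real protocol.

```c
/* dhcp_mask.c -- constructed example of the overlong-option class described
 * for CVE-2009-0692 above. Not ISC dhclient code: the walker, the struct and
 * the option arrays are written for this demo; the code/length/value option
 * layout is RFC 2132's. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DHO_PAD          0
#define DHO_SUBNET_MASK  1
#define DHO_END          255

/* Stand-in for a fixed 4-byte mask field and the 12 bytes that follow it in
 * memory (on a real stack: other locals, saved registers, return address). */
struct lease_params {
    uint8_t buf[16];   /* buf[0..3] = subnet mask, buf[4..15] = neighbours */
};

/* Constructed option areas. */
static const uint8_t crafted_options[] = {      /* 12-byte "subnet mask" */
    DHO_SUBNET_MASK, 12,
    0xff, 0xff, 0xff, 0x00, 0x41, 0x41, 0x41, 0x41, 0x42, 0x42, 0x42, 0x42,
    DHO_END
};
static const uint8_t honest_options[] = {       /* well-formed 255.255.255.0 */
    DHO_SUBNET_MASK, 4, 0xff, 0xff, 0xff, 0x00,
    DHO_END
};
static const uint8_t truncated_options[] = {    /* length says 4, only 2 present */
    DHO_SUBNET_MASK, 4, 0xff, 0xff
};

/* Bounds-checked TLV walk shared by both parsers: finds `code`, returns a
 * pointer to its value and sets *len, or NULL. Never reads past n bytes. */
static const uint8_t *find_option(const uint8_t *opts, size_t n, uint8_t code, size_t *len) {
    size_t i = 0;
    while (i < n) {
        uint8_t c = opts[i++];
        if (c == DHO_END) break;
        if (c == DHO_PAD) continue;
        if (i >= n) break;                  /* length byte missing */
        size_t l = opts[i++];
        if (l > n - i) break;               /* value would run past the buffer */
        if (c == code) { *len = l; return opts + i; }
        i += l;
    }
    return NULL;
}

/* Vulnerable pattern: copies as many bytes as the option claims into the
 * 4-byte field. Returns bytes written. The clamp to sizeof buf is demo-only,
 * so the write stays inside our own object; the real bug had no such clamp. */
size_t vuln_set_mask(const uint8_t *opts, size_t n, struct lease_params *p) {
    size_t len;
    const uint8_t *v = find_option(opts, n, DHO_SUBNET_MASK, &len);
    if (!v) return 0;
    if (len > sizeof p->buf) len = sizeof p->buf;   /* demo-only guard */
    memcpy(p->buf, v, len);                         /* len 12 overwrites buf[4..11] */
    return len;
}

/* Hardened pattern: a subnet mask is exactly 4 bytes; anything else is
 * rejected before any copy happens. Returns 0 on success, -1 on rejection. */
int safe_set_mask(const uint8_t *opts, size_t n, struct lease_params *p) {
    size_t len;
    const uint8_t *v = find_option(opts, n, DHO_SUBNET_MASK, &len);
    if (!v || len != 4) return -1;
    memcpy(p->buf, v, 4);
    return 0;
}

/* Demo helpers: run each parser against a zeroed struct and report what
 * landed in buf[4], the first byte past the mask field. */
uint8_t vuln_neighbour_byte(const uint8_t *opts, size_t n) {
    struct lease_params p; memset(&p, 0, sizeof p);
    vuln_set_mask(opts, n, &p);
    return p.buf[4];
}
int safe_result(const uint8_t *opts, size_t n) {
    struct lease_params p; memset(&p, 0, sizeof p);
    return safe_set_mask(opts, n, &p);
}

int main(void) {
    printf("crafted  : vulnerable parser left 0x%02x past the mask; safe parser -> %d\n",
           vuln_neighbour_byte(crafted_options, sizeof crafted_options),
           safe_result(crafted_options, sizeof crafted_options));
    printf("honest   : vulnerable parser left 0x%02x past the mask; safe parser -> %d\n",
           vuln_neighbour_byte(honest_options, sizeof honest_options),
           safe_result(honest_options, sizeof honest_options));
    printf("truncated: safe parser -> %d\n",
           safe_result(truncated_options, sizeof truncated_options));
    return 0;
}
```

Two independent checks matter here: the walker refuses a length that overruns the packet, and the consumer refuses a length that does not match the fixed-size field. The advisory's bug is the second one; dropping either reintroduces a class of overflow.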
[Full-disclosure] iDefense Security Advisory 08.25.09: Autonomy KeyView Excel File SST Parsing Integer Overflow Vulnerability
iDefense Security Advisory 08.25.09
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 25, 2009

I. BACKGROUND

Autonomy KeyView SDK is a commercial SDK that provides many file format
parsing libraries. It supports a large number of different document
formats, one of which is the Microsoft Excel 97 (XLS) format. It is used
by several popular vendors for processing documents. For more
information, visit the URL referenced below.

http://www.autonomy.com/

KeyView is used by many commercial products to handle various types of
file formats. Lotus Notes and Symantec Mail Security are two examples of
such products.

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in Autonomy's
KeyView SDK allows attackers to execute arbitrary code with the
privileges of the targeted application.

The vulnerability occurs when parsing a Shared String Table (SST) record
inside of an Excel file. This record is used to hold a table of strings
that are used inside of the document. One of the fields in this record
is a 32-bit integer that represents the number of strings in the table.
This value is used in a calculation that controls the number of bytes to
allocate for a dynamic heap buffer. The value is not properly sanitized,
which leads to an integer overflow in the calculation. This results in a
heap based buffer overflow vulnerability.

III. ANALYSIS

Exploitation allows attackers to execute arbitrary code with the
privileges of the targeted application.

In order to exploit this vulnerability, an attacker must cause a
specially crafted Microsoft Excel Spreadsheet to be processed by an
application using the Autonomy KeyView SDK. When targeting applications
like Lotus Notes, this requires that an attacker convince a user to view
an e-mail attachment; however, in other cases, processing may take place
automatically as a document is examined. The specific circumstances will
depend on the application being targeted.

The privileges that an attacker gains may be different for each
application that uses the KeyView SDK. For example, exploiting this
issue via Lotus Notes yields the current user's privileges while
exploiting the vulnerability via Symantec Mail Security yields SYSTEM
privileges.

IV. DETECTION

iDefense confirmed the existence of this vulnerability using the
following versions of the affected software:

  xlssr.dll version 8.0.0.7214, distributed with IBM Lotus Notes 8.0
  xlssr.dll version 8.5.0.8339, distributed with IBM Lotus Notes 8.5
  xlssr.dll version 10.5.0.0, distributed with Symantec Mail Security
    for Microsoft Exchange

All versions of the KeyView SDK that include the xlssr.dll filter module
are suspected to be vulnerable.

V. WORKAROUND

For all products using the KeyView SDK, you can disable the xlssr.dll
filter by doing one of the following:

  Removing the xlssr.dll filter module from the affected system(s).

  Delete or comment out the line referencing xlssr.dll from the
  KeyView.ini file distributed with the affected application.

Additionally, for Symantec Mail Security, disabling content filtering
will prevent exploitation.

VI. VENDOR RESPONSE

IBM has released a patch which addresses this issue in Lotus Notes. For
more information, consult their advisory at the following URL:

http://www-01.ibm.com/support/docview.wss?rs=463&uid=swg21396492

Symantec has released a patch which addresses this issue in several
Symantec products. For more information, consult their advisory at the
following URL:

http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090825_00

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

05/05/2009  Initial Contact
05/05/2009  Autonomy first response
05/05/2009  Symantec first response
05/05/2009  IBM first response
05/05/2009  Autonomy POC request
05/05/2009  IBM POC request
05/06/2009  Autonomy clarification request
05/06/2009  Symantec clarification request
05/06/2009  Request public key from Autonomy
05/06/2009  Sent POC to IBM, Symantec
05/06/2009  Symantec requests resend
05/06/2009  Resent POC to Symantec
05/06/2009  Autonomy sends public key
05/06/2009  Sent POC to Autonomy
05/07/2009  Symantec holding on Autonomy fix
05/07/2009  Autonomy requested clarification
05/07/2009  Sent clarification
08/11/2009  Disclosure coordination
08/17/2009  Disclosure re-coordination
08/25/2009  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was discovered by Joshua J. Drake of iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
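Section II above describes the bug class precisely enough to reproduce in miniature: a 32-bit count read from the file feeds `count * sizeof(entry)`, the product wraps, a small buffer is allocated, and the parser then writes `count` entries into it. The example below is an added illustration for this digest, not KeyView code: the SST record is reduced to its two header counts, the per-string `sst_entry` type and the functions `vuln_alloc_size`/`safe_alloc_size`/`parse_sst_header` are constructed for the demo, and the arithmetic is done in `uint32_t` deliberately, matching the 32-bit builds the advisory tests against. The only facts taken from the real format are the 32-bit string count and the 3-byte minimum cost of one BIFF8 SST string (2-byte character count plus 1 flag byte), which gives the plausibility bound.

```c
/* sst_count.c -- constructed example of the allocation-size integer overflow
 * class described in the advisory above. Not KeyView code: the record is
 * reduced to its two 32-bit counts; sst_entry and the functions are written
 * for this demo. Arithmetic is kept in uint32_t on purpose (32-bit target). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-string bookkeeping a parser might allocate per SST string. */
struct sst_entry {
    uint32_t offset;   /* offset of the string within the record */
    uint32_t cch;      /* character count */
};

/* Vulnerable pattern: count * sizeof(entry) in 32-bit arithmetic.
 * 0x20000004 * 8 = 0x100000020, which wraps to 0x20: the parser allocates
 * 32 bytes and then tries to fill 0x20000004 entries -> heap overflow. */
uint32_t vuln_alloc_size(uint32_t count) {
    return count * (uint32_t)sizeof(struct sst_entry);
}

/* Hardened pattern. Returns the byte size to allocate, or 0 when the count is
 * rejected (count 0 also yields 0: nothing to allocate, nothing to parse).
 *  1. the product must not wrap in the arithmetic width actually used;
 *  2. the count must be plausible for the bytes left in the record: every
 *     BIFF8 SST string costs at least 3 bytes, so count > avail/3 is a lie. */
uint32_t safe_alloc_size(uint32_t count, uint32_t avail) {
    if (count > UINT32_MAX / sizeof(struct sst_entry))
        return 0;                          /* product would wrap */
    if (count > avail / 3)
        return 0;                          /* more strings than bytes can encode */
    return count * (uint32_t)sizeof(struct sst_entry);
}

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Constructed 8-byte SST headers: cstTotal then cstUnique, little-endian.
 * Only these 8 bytes are ever read; record_len is the caller's claim of how
 * many bytes the whole record has. */
static const uint8_t crafted_sst_hdr[8] = { 1, 0, 0, 0,  0x04, 0x00, 0x00, 0x20 }; /* 0x20000004 */
static const uint8_t honest_sst_hdr[8]  = { 3, 0, 0, 0,  0x03, 0x00, 0x00, 0x00 }; /* 3 strings */

/* Reads the header, sizes the table with the hardened check, and returns the
 * number of entries it would go on to parse, or -1 if the record is rejected. */
int parse_sst_header(const uint8_t *rec, uint32_t record_len) {
    if (record_len < 8) return -1;
    uint32_t unique = rd_le32(rec + 4);
    uint32_t bytes  = safe_alloc_size(unique, record_len - 8);
    if (unique != 0 && bytes == 0) return -1;
    struct sst_entry *tbl = bytes ? malloc(bytes) : NULL;
    if (bytes && !tbl) return -1;
    /* A real parser would now fill tbl from the strings that follow; the
     * allocation is provably large enough for `unique` entries. */
    free(tbl);
    return (int)unique;                    /* <= avail/3, so it fits in int */
}

int main(void) {
    printf("vulnerable size for 0x20000004 strings: %u bytes\n", vuln_alloc_size(0x20000004u));
    printf("hardened   size for 0x20000004 strings: %u (0 = rejected)\n",
           safe_alloc_size(0x20000004u, 4096u));
    printf("crafted header, 30 bytes of strings -> %d\n", parse_sst_header(crafted_sst_hdr, 8 + 30));
    printf("honest header,  9 bytes of strings  -> %d\n", parse_sst_header(honest_sst_hdr, 8 + 9));
    return 0;
}
```

Note that on a 64-bit build the same `count * sizeof` in `size_t` would not wrap for any 32-bit count, which is why the check is written against the width the multiplication is actually performed in rather than against `SIZE_MAX` blindly; the plausibility bound catches absurd counts either way.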
[Full-disclosure] Oracle PL/SQL Injection Flaw in REPCAT_RPC.VALIDATE_REMOTE_RC
Hey all,

The Oracle REPCAT_RPC.VALIDATE_REMOTE_RC function executes blocks of anonymous PL/SQL that can be influenced by an attacker to execute arbitrary PL/SQL. As this package is only accessible directly by SYS, this flaw would not normally present a risk. However, the REPCAT_RPC.VALIDATE_REMOTE_RC function can be used as an auxiliary inject function to escalate privileges. This is described in a paper I wrote in February 2007 after reporting the issue but am only releasing now, as the flaw has been fixed by Oracle in their July 2009 Critical Patch Update. This flaw documents the currently unspecified flaw at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1021

The paper is available from http://www.databasesecurity.com/oracle/plsql-injection-create-session.pdf

Please note that many of the techniques discussed in this paper have been superseded by cursor injection (http://www.databasesecurity.com/dbsec/cursor-injection.pdf), which was written 3 days after.

Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/

--
E-MAIL DISCLAIMER

The information contained in this email and any subsequent correspondence is private, is solely for the intended recipient(s) and may contain confidential or privileged information. For those other than the intended recipient(s), any disclosure, copying, distribution, or any other action taken, or omitted to be taken, in reliance on such information is prohibited and may be unlawful. If you are not the intended recipient and have received this message in error, please inform the sender and delete this mail and any attachments. The views expressed in this email do not necessarily reflect NGS policy. NGS accepts no liability or responsibility for any onward transmission or use of emails and attachments having left the NGS domain. NGS and NGSSoftware are trading names of Next Generation Security Software Ltd. Registered office address: Manchester Technology Centre, Oxford Road, Manchester, M1 7EF with Company Number 04225835 and VAT Number 783096402
[Full-disclosure] Oracle 11g (11.1.0.6) Password Policy and Compliance
Many security standards require the tracking of users' password history to prevent password re-use. In Oracle 11g (11.1.0.6), if a security administrator has enabled 11g passwords exclusively, then tracking password history is broken. This can affect compliance. This was addressed by Oracle in their April 2009 Critical Patch Update and maps to the currently unspecified vulnerability at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0988

Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/
[Full-disclosure] Bypassing DBMS_ASSERT in certain situations
DBMS_ASSERT can be used to prevent PL/SQL injection. In certain cases it can be bypassed. This is documented in a paper I wrote in July 2008 but am only publishing now: http://www.databasesecurity.com/oracle/Bypassing-DBMS_ASSERT.pdf

Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/
[Full-disclosure] H4RDW4RE presentations updated
Greetings:

The following presentations are now available online.

Dr. Karsten Nohl, H4RDW4RE Chief Scientist, Hacking at Random 2009 (three sessions):

  1) Cracking A5 GSM Encryption
  2) Breaking Hitag2
  3) Deep Silicon Analysis

All links available at http://www.h4rdw4re.com/news/news.htm

Chris Paget and Timothy Mullen interview on Beat The Chip regarding RFID security. Link available at http://www.h4rdw4re.com/news/news.htm or directly at http://wakinguporwell.podomatic.com/player/web/2009-08-18T18_35_25-07_00

Thanks.

t

Timothy (Thor) Mullen, Ph.D.
CEO, H4RDW4RE, LLC
t...@h4rdw4re.com
www.h4rdw4re.com
831.706.7712 (Cell)
831.708.THOR (gVoice)
[Full-disclosure] Flex website scanners
Any good Flex website application scanners? Most of the free automated web application scanners like Paros, Nikto, etc. do not look at Flex/Flash web pages. We are looking at a website and need some basic automated scanning tool to cover the Flex/Flash part.

Thanks
Re: [Full-disclosure] Flex website scanners
Check out SWFScan. It does what a scanner is supposed to do, which is find low-hanging vulnerabilities. The tool does a pretty good job at decompiling for the most part, but you still really need to do manual analysis on the code!! You should never rely on ANY scanner to do 100% of your analysis.

Link: https://h30406.www3.hp.com/campaigns/2009/wwcampaign/1-5TUVE/index.php?key=swf

-Jack Mannino
[Full-disclosure] WPA attack improved to 1min, MITM
The Beck/Tews WiFi WPA attack presented at PacSec has been improved (down to 1 min, MITM) by 2 .jp researchers (Ohigashi, Morii):

http://bit.ly/clCpm

Remember: avoid WPA/TKIP and force AES-only encryption in WPA2. Don't let your access point automatically fall back to the insecure TKIP/WPA mode, to be safe. (At least until any WPA2 attacks are published ;-P)

cheers,
--dr

P.S. CanSecWest registration is now up, and a new Japanese PacSec registration is live. June has been picked as the time for EUSecWest in Amsterdam.

(hat tip: T Harada)

url: http://jwis2009.nsysu.edu.tw/index.php/jwis/jwis2009/paper/view/80

  A Practical Message Falsification Attack on WPA
  Toshihiro Ohigashi, Masakatu Morii
  Last modified: 2009-07-20

  Abstract

  In 2008, Beck and Tews have proposed a practical attack on WPA. Their
  attack (called the Beck-Tews attack) can recover plaintext from an
  encrypted short packet, and can falsify it. The execution time of the
  Beck-Tews attack is about 12-15 minutes. However, the attack has the
  limitation, namely, the targets are only WPA implementations those
  support IEEE802.11e QoS features. In this paper, we propose a practical
  message falsification attack on any WPA implementation. In order to ease
  targets of limitation of wireless LAN products, we apply the Beck-Tews
  attack to the man-in-the-middle attack. In the man-in-the-middle attack,
  the user's communication is intercepted by an attacker until the attack
  ends. It means that the users may detect our attack when the execution
  time of the attack is large. Therefore, we give methods for reducing the
  execution time of the attack. As a result, the execution time of our
  attack becomes about one minute in the best case.

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan           November 4/5 2009  http://pacsec.jp
Vancouver, Canada      March 22-26        http://cansecwest.com
Amsterdam, Netherlands June               http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp
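The advice in the post above ("force AES only encryption in WPA2", no TKIP fallback) maps to two hostapd settings. The fragment below is an added configuration example, not part of Dragos's post; the option names (`wpa`, `wpa_pairwise`, `rsn_pairwise`, `wpa_key_mgmt`) are hostapd's own, and the weak block shows the mixed-mode setting that lets a client negotiate TKIP.

```ini
# --- weak: mixed mode, WPA(v1) clients allowed, TKIP negotiable ---
wpa=3                      # bit 1 = WPA, bit 2 = WPA2/RSN; 3 accepts both
wpa_pairwise=TKIP CCMP     # ciphers offered to WPA(v1) clients
rsn_pairwise=TKIP CCMP     # ciphers offered to WPA2 clients; TKIP still on the table

# --- hardened: WPA2 only, CCMP (AES) only, nothing to fall back to ---
wpa=2
rsn_pairwise=CCMP
wpa_key_mgmt=WPA-PSK
```

On the client side the equivalent wpa_supplicant network block is `proto=RSN`, `pairwise=CCMP`, `group=CCMP`, which refuses to join an AP that only offers TKIP rather than silently accepting it. A quick field check is to look at the RSN information element in the AP's beacon: if TKIP (cipher suite 00-0F-AC:2) is listed as a pairwise cipher, the fallback the post warns about is still available.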
[Full-disclosure] RE: WPA attack improved to 1min, MITM
----- Original message -----
From: Dragos Ruiu <d...@kyx.net>
Sent: 26 August 2009 6:13
To: Full-Disclosure mailing list <full-disclosure@lists.grok.org.uk>
Subject: [Full-disclosure] WPA attack improved to 1min, MITM

> The Beck/Tews WiFi WPA attack presented at PacSec has been improved (down
> to 1 min, MITM) by 2 .jp researchers (Ohigashi, Morii):
>
> http://bit.ly/clCpm
>
> Remember: avoid WPA/TKIP and force AES-only encryption in WPA2. Don't let
> your access point automatically fall back to the insecure TKIP/WPA mode,
> to be safe. (At least until any WPA2 attacks are published ;-P)
>
> cheers,
> --dr
>
> P.S. CanSecWest registration is now up, and a new Japanese PacSec
> registration is live. June has been picked as the time for EUSecWest in
> Amsterdam.
>
> (hat tip: T Harada)

[Not all of the original message text is included]