[Full-disclosure] ZDI-09-067: Novell NetWare NFS Portmapper and RPC Module Stack Overflow Vulnerability

2009-10-01 Thread Kate Fly
ZDI-09-067: Novell NetWare NFS Portmapper and RPC Module Stack Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-067
September 30, 2009

-- Affected Vendors:
Novell

-- Affected Products:
Novell NetWare

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8280.
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the Novell NetWare NFS Portmapper daemon.
Authentication is not required to exploit this vulnerability.

The specific flaw exists within the processing of CALLIT RPC calls. The
vulnerable daemon explicitly trusts a length field when receiving data
which is later copied into a stack buffer, potentially resulting in a
stack overflow. Successful exploitation of this vulnerability can lead
to remote code execution under the context of the daemon.

-- Vendor Response:
Novell has issued an update to correct this vulnerability. More
details can be found at:

http://download.novell.com/Download?buildid=DNxmXuyVPuY~

-- Disclosure Timeline:
2009-06-23 - Vulnerability reported to vendor
2009-09-30 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Nick DeBaggis

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
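The bug class the advisory describes, shown as an added C illustration that is not Novell's code and not ZDI's proof of concept: a PMAPPROC_CALLIT body carries prog, vers and proc followed by an XDR opaque (four-byte big-endian length, then the bytes padded to a multiple of four). The unchecked parser hands that length straight to memcpy; the checked one bounds it by the destination buffer and by the bytes actually received. ARG_BUF_SIZE, the field layout of struct callit_args, the demo program number and the constructed requests are all assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARG_BUF_SIZE 64   /* assumed size of the daemon's stack buffer */

/* Parsed PMAPPROC_CALLIT arguments: prog, vers, proc, then an XDR opaque. */
struct callit_args {
    uint32_t prog, vers, proc;
    uint32_t arg_len;
    uint8_t  args[ARG_BUF_SIZE];
};

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Vulnerable shape: the opaque length comes straight off the wire into
 * memcpy.  A value above ARG_BUF_SIZE overruns args[] and whatever the
 * compiler placed after it.  Kept only to show the bug; never call it on
 * untrusted input. */
int parse_callit_unchecked(const uint8_t *msg, size_t len, struct callit_args *out)
{
    if (len < 16) return -1;
    out->prog = rd32(msg);
    out->vers = rd32(msg + 4);
    out->proc = rd32(msg + 8);
    out->arg_len = rd32(msg + 12);
    memcpy(out->args, msg + 16, out->arg_len);   /* BUG: arg_len never checked */
    return 0;
}

/* Hardened shape: bound the length by the destination and by the bytes
 * actually received (XDR pads opaques to a multiple of four). */
int parse_callit_checked(const uint8_t *msg, size_t len, struct callit_args *out)
{
    if (len < 16) return -1;                            /* header truncated */
    uint32_t arg_len = rd32(msg + 12);
    if (arg_len > ARG_BUF_SIZE) return -2;              /* would overflow args[] */
    size_t padded = ((size_t)arg_len + 3) & ~(size_t)3; /* cannot wrap: arg_len <= 64 */
    if (padded > len - 16) return -3;                   /* claims more than was sent */
    out->prog = rd32(msg);
    out->vers = rd32(msg + 4);
    out->proc = rd32(msg + 8);
    out->arg_len = arg_len;
    memcpy(out->args, msg + 16, arg_len);
    return 0;
}

/* Constructed request: carries data_len real bytes but advertises
 * claimed_len, so the two can be made to disagree on purpose. */
size_t build_callit(uint8_t *buf, size_t cap, uint32_t claimed_len,
                    const uint8_t *data, size_t data_len)
{
    size_t padded = (data_len + 3) & ~(size_t)3;
    if (cap < 16 + padded) return 0;
    wr32(buf, 100003);           /* prog: NFS (arbitrary choice for the demo) */
    wr32(buf + 4, 3);            /* vers */
    wr32(buf + 8, 0);            /* proc: NULL */
    wr32(buf + 12, claimed_len);
    memset(buf + 16, 0, padded);
    memcpy(buf + 16, data, data_len);
    return 16 + padded;
}

/* Verdict of the checked parser on such a request:
 * 0 accepted, -2 length exceeds buffer, -3 length exceeds datagram. */
int demo_verdict(uint32_t claimed_len, size_t data_len)
{
    uint8_t payload[ARG_BUF_SIZE];
    uint8_t msg[16 + ARG_BUF_SIZE];
    struct callit_args parsed;
    if (data_len > sizeof payload) return -99;
    memset(payload, 'A', sizeof payload);
    size_t n = build_callit(msg, sizeof msg, claimed_len, payload, data_len);
    if (n == 0) return -98;
    return parse_callit_checked(msg, n, &parsed);
}

int main(void)
{
    printf("honest 8-byte opaque          -> %d\n", demo_verdict(8, 8));
    printf("exactly fills the buffer      -> %d\n", demo_verdict(64, 64));
    printf("claims 4096, buffer holds 64  -> %d\n", demo_verdict(4096, 8));
    printf("claims 32, only 8 on the wire -> %d\n", demo_verdict(32, 8));
    return 0;
}
```

The two checks are deliberately separate: a length that fits the buffer can still exceed the datagram (a read past the packet rather than a stack write), and a length that fits the datagram can still exceed the buffer. Either check alone leaves one of the two bugs in place.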

[Full-disclosure] Microsuck delaying patch for SMB2 on purpose?

2009-10-01 Thread Nick
A new exploit for the _Smb2ValidateProviderCallback() function has been
released by the same person who created the Denial of Service exploit,
except this one is able to execute code remotely. It seems that MS is sort
of delaying the quick fix for this exploit. What's even sadder is that they
knew about it when they developed Windows 7 but didn't care to patch Windows
Vista. If they don't release a patch soon, viruses will be all over the
internet...

Exploit code:
http://packetstormsecurity.org/filedesc/smb2_negotiate_func_index.rb.txt.html

[Full-disclosure] mudos from pcapr.net

2009-10-01 Thread Nakidi Sujaykumar-B22389
Hi All,
 
Has anyone used mudos, provided by pcapr.net?

Is it possible to generate our own exploit pattern using that tool? If
so, please provide me the steps to generate the traffic.

Thanks & Regards
SujayKumar
 

Re: [Full-disclosure] Microsuck delaying patch for SMB2 on purpose?

2009-10-01 Thread Rohit Patnaik
I'm pretty sure that Microsoft has already released a fix for this.  I know
they've patched Vista and Windows 7, and they've decided publicly not to
backport the fix to Windows XP.
--Rohit Patnaik

On Wed, Sep 30, 2009 at 8:34 PM, Nick nic...@gmail.com wrote:

 A new exploit for the _Smb2ValidateProviderCallback() function has been
 released by the same person who created the Denial of Service exploit,
 except this one is able to execute code remotely. It seems that MS is sort
 of delaying the quick fix for this exploit. What's even sadder is that they
 knew about it when they developed Windows 7 but didn't care to patch Windows
 Vista. If they don't release a patch soon, viruses will be all over the
 internet...

 Exploit code:
 http://packetstormsecurity.org/filedesc/smb2_negotiate_func_index.rb.txt.html




Re: [Full-disclosure] Microsuck delaying patch for SMB2 on purpose?

2009-10-01 Thread Chris
 it seems...and I'm pretty sure

Is this FD or some fantasyland where everybody can just make up shit?

If you don't KNOW and can't CONFIRM (with links or FACTS) then stfu.

  - Original Message -
  From: Rohit Patnaik
  To: Nick
  Cc: full-disclosure@lists.grok.org.uk
  Subject: Re: [Full-disclosure] Microsuck delaying patch for SMB2 on
  purpose?
  Date: Thu, 1 Oct 2009 08:09:22 -0500

  I'm pretty sure that Microsoft has already released a fix for this.
   I know they've patched Vista and Windows 7, and they've decided
  publicly not to backport the fix to Windows XP.
  --Rohit Patnaik

  On Wed, Sep 30, 2009 at 8:34 PM, Nick nic...@gmail.com wrote:

A new exploit for the _Smb2ValidateProviderCallback() function
has been released by the same person who created the Denial of
Service exploit, except this one is able to execute code
remotely. It seems that MS is sort of delaying the quick fix for
this exploit. What's even sadder is that they knew about it when
they developed Windows 7 but didn't care to patch Windows Vista.
If they don't release a patch soon, viruses will be all over the
internet...

Exploit code:

http://packetstormsecurity.org/filedesc/smb2_negotiate_func_index.rb.txt.html










Re: [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers

2009-10-01 Thread Chris
Same here. RHEL doesn't even have /var/log/auth. We call it /var/log/secure,
which is 0600:

-rw------- 1 root root 509 Oct  1 09:37 secure

 - Original Message -
 From: bo...@civ.zcu.cz bo...@civ.zcu.cz
 To: full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] Modifying SSH to Capture Login Credentials 
 from Attackers
 Date: Wed, 30 Sep 2009 00:03:51 +0200
 
 
  All standard users have read access to /var/log/auth, so if root
 
 they shouldn't; at least on my default Debian they don't ...
 
 b
 
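An added check, not from the thread: a small C audit of the auth-log paths the thread mentions (plus Debian's /var/log/auth.log, an assumption) that flags files readable or writable by anyone but their owner, or not owned by root. audit_scratch_file() is a self-test helper that creates a temporary file with a given mode and audits it; the path list and the flag names are this example's own.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum {
    LOG_MISSING            = 1 << 0,
    LOG_NOT_ROOT_OWNED     = 1 << 1,
    LOG_GROUP_READABLE     = 1 << 2,
    LOG_WORLD_READABLE     = 1 << 3,
    LOG_WRITABLE_BY_OTHERS = 1 << 4,
};

/* Bitmask of problems with the log at 'path'; 0 means root-owned and
 * unreadable/unwritable by group and others (0600 or tighter).
 * stat() needs only search permission on the directory, so an
 * unprivileged user still sees mode and owner of a file it cannot read. */
int log_perm_issues(const char *path)
{
    struct stat st;
    int issues = 0;
    if (stat(path, &st) != 0) return LOG_MISSING;
    if (st.st_uid != 0) issues |= LOG_NOT_ROOT_OWNED;
    if (st.st_mode & S_IRGRP) issues |= LOG_GROUP_READABLE;
    if (st.st_mode & S_IROTH) issues |= LOG_WORLD_READABLE;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) issues |= LOG_WRITABLE_BY_OTHERS;
    return issues;
}

/* Self-test helper: create a scratch file with 'mode', audit it, delete it.
 * The file is owned by whoever runs this, so callers that are not root
 * should mask LOG_NOT_ROOT_OWNED out of the result.  Returns -1 on error. */
int audit_scratch_file(mode_t mode)
{
    char tmpl[] = "/tmp/authlog-check-XXXXXX";   /* constructed scratch path */
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (fchmod(fd, mode) != 0) { close(fd); unlink(tmpl); return -1; }
    int issues = log_perm_issues(tmpl);
    close(fd);
    unlink(tmpl);
    return issues;
}

int main(void)
{
    /* Assumed candidate paths: RHEL's, Debian's, and the one the thread named. */
    static const char *paths[] = { "/var/log/secure", "/var/log/auth.log", "/var/log/auth" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        int issues = log_perm_issues(paths[i]);
        if (issues == LOG_MISSING) { printf("%-20s absent\n", paths[i]); continue; }
        printf("%-20s %s%s%s%s\n", paths[i], issues ? "" : "ok",
               (issues & LOG_NOT_ROOT_OWNED) ? " not-root-owned" : "",
               (issues & (LOG_GROUP_READABLE | LOG_WORLD_READABLE)) ? " readable-by-others" : "",
               (issues & LOG_WRITABLE_BY_OTHERS) ? " writable-by-others" : "");
    }
    return 0;
}
```

A file that is 0640 root:adm (the Debian convention for auth.log) is reported as group-readable, which is the real answer to the question in the thread: whether "standard users" can read it depends on who is in that group, not on the file being world-readable.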


Re: [Full-disclosure] Microsuck delaying patch for SMB2 on purpose?

2009-10-01 Thread G. D. Fuego
It sounds like you're talking about the TCP/IP stack flaws rather than
the SMB2 issue.




On Oct 1, 2009, at 9:09 AM, Rohit Patnaik quanti...@gmail.com wrote:

I'm pretty sure that Microsoft has already released a fix for this.   
I know they've patched Vista and Windows 7, and they've decided  
publicly not to backport the fix to Windows XP.


--Rohit Patnaik

On Wed, Sep 30, 2009 at 8:34 PM, Nick nic...@gmail.com wrote:
A new exploit for the _Smb2ValidateProviderCallback() function has
been released by the same person who created the Denial of Service
exploit, except this one is able to execute code remotely. It seems
that MS is sort of delaying the quick fix for this exploit. What's
even sadder is that they knew about it when they developed Windows 7
but didn't care to patch Windows Vista. If they don't release a
patch soon, viruses will be all over the internet...


Exploit code: 
http://packetstormsecurity.org/filedesc/smb2_negotiate_func_index.rb.txt.html




[Full-disclosure] Exploiting memory corruption vulnerabilities on Internet Explorer 8

2009-10-01 Thread Freddie Vicious
Microsoft released Internet Explorer 8 on March 19, 2009, and up to now
there's no reliable method to exploit memory corruption vulnerabilities on
it?

I mean, on IE6 and IE7 we had SkyLined's heap spray technique, first seen in
the IFRAME overflow exploit [1], which has been used by almost every IE
memory corruption exploit so far. Internet Explorer 8 was enhanced with DEP
and ASLR protections, making heap spray useless. Then Mark Dowd and
Alexander Sotirov published their great paper, Bypassing Browser Memory
Protections [2], providing some excellent techniques, mainly the .NET binary
technique, which bypasses DEP and ASLR and was used by Nils at the latest
Pwn2Own to own Internet Explorer 8 RC (Release Candidate) [3] and was used
to mass-exploit other vulnerabilities [4]. One day after Nils owned IE8 RC,
Microsoft released Internet Explorer 8 RTM and blocked the option to load
.NET DLLs from the Internet zone and Restricted sites zone. Due to the fact
that most IE exploitation doesn't occur in the Intranet/Trusted sites/Local
machine zone, this makes the .NET DLL technique irrelevant most of the
time.
So my question is: is there no reliable method to exploit memory corruption
vulnerabilities in Internet Explorer 8?


[1] http://milw0rm.com/exploits/612
[2] http://taossa.com/archive/bh08sotirovdowd.pdf
[3]
http://dvlabs.tippingpoint.com/blog/2009/03/18/pwn2own-2009-day-1---safari-internet-explorer-and-firefox-taken-down-by-four-zero-day-exploits
[4] http://milw0rm.com/exploits/8969

-- 
Best wishes,
Freddie Vicious

Re: [Full-disclosure] Microsuck delaying patch for SMB2 on purpose?

2009-10-01 Thread Freddie Vicious
This vulnerability is still unpatched and the exploit was written by Stephen
Fewer and H D Moore, not by Laurent Gaffie, the original bug finder.

On Wed, Sep 30, 2009 at 6:34 PM, Nick nic...@gmail.com wrote:

 A new exploit for the _Smb2ValidateProviderCallback() function has been
 released by the same person who created the Denial of Service exploit,
 except this one is able to execute code remotely. It seems that MS is sort
 of delaying the quick fix for this exploit. What's even sadder is that they
 knew about it when they developed Windows 7 but didn't care to patch Windows
 Vista. If they don't release a patch soon, viruses will be all over the
 internet...

 Exploit code:
 http://packetstormsecurity.org/filedesc/smb2_negotiate_func_index.rb.txt.html







-- 
Best wishes,
Freddie Vicious

Re: [Full-disclosure] Exploiting memory corruption vulnerabilities on Internet Explorer 8

2009-10-01 Thread Jared DeMott
Freddie Vicious wrote:
 Microsoft released Internet Explorer 8 on March 19, 2009, and up to
 now there's no reliable method to exploit memory corruption
 vulnerabilities on it?

 I mean, on IE6 and IE7 we had SkyLined's heap spray technique, first
 seen in the IFRAME overflow exploit [1], which has been used by almost
 every IE memory corruption exploit so far. Internet Explorer 8 was
 enhanced with DEP and ASLR protections, making heap spray useless.
 Then Mark Dowd and Alexander Sotirov published their great paper,
 Bypassing Browser Memory Protections [2], providing some excellent
 techniques, mainly the .NET binary technique, which bypasses DEP and
 ASLR and was used by Nils at the latest Pwn2Own to own Internet
 Explorer 8 RC (Release Candidate) [3] and was used to mass-exploit
 other vulnerabilities [4]. One day after Nils owned IE8 RC, Microsoft
 released Internet Explorer 8 RTM and blocked the option to load .NET
 DLLs from the Internet zone and Restricted sites zone. Due to the fact
 that most IE exploitation doesn't occur in the Intranet/Trusted
 sites/Local machine zone, this makes the .NET DLL technique irrelevant
 most of the time.
 So my question is: is there no reliable method to exploit memory
 corruption vulnerabilities in Internet Explorer 8?
I'm not aware of any catch-all technique just for IE8, though there are
a few common ones like return oriented programming.  Application
specific techniques are also common when third party extensions are
involved.


 [1] http://milw0rm.com/exploits/612
 [2] http://taossa.com/archive/bh08sotirovdowd.pdf
 [3]
 http://dvlabs.tippingpoint.com/blog/2009/03/18/pwn2own-2009-day-1---safari-internet-explorer-and-firefox-taken-down-by-four-zero-day-exploits
 [4] http://milw0rm.com/exploits/8969

 -- 
 Best wishes,
 Freddie Vicious



-- 
__
Jared D. DeMott
Principal Security Researcher



Re: [Full-disclosure] Exploiting memory corruption vulnerabilities on Internet Explorer 8

2009-10-01 Thread Freddie Vicious
Yes, I am aware of the JVM and the Flash AVM heap spray techniques, no
DEP/ASLR there... But as you said, so far there's no known catch-all
technique against IE8.
Along with other security features (
http://blogs.msdn.com/architecture/archive/2009/08/13/internet-explorer-8-rated-tops-against-malware-and-phishing-attacks.aspx)
this basically means that IE8 is the most secure web browser nowadays?

On Thu, Oct 1, 2009 at 8:27 AM, Jared DeMott jared.dem...@harris.com wrote:

 I'm not aware of any catch-all technique just for IE8, though there are
 a few common ones like return oriented programming.  Application
 specific techniques are also common when third party extensions are
 involved.

 --
 __
 Jared D. DeMott
 Principal Security Researcher




-- 
Best wishes,
Freddie Vicious
http://twitter.com/viciousf

[Full-disclosure] [ MDVSA-2009:253 ] backuppc

2009-10-01 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2009:253
 http://www.mandriva.com/security/
 ___

 Package : backuppc
 Date: October 1, 2009
 Affected: Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability was discovered and corrected in backuppc:
 
 CgiUserConfigEdit in BackupPC 3.1.0, when SSH keys and Rsync are in
 use in a multi-user environment, does not restrict users from the
 ClientNameAlias function, which allows remote authenticated users to
 read and write sensitive files by modifying ClientNameAlias to match
 another system, then initiating a backup or restore (CVE-2009-3369).
 
 This update provides a fix for this vulnerability.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3369
 ___

 Updated Packages:

 Mandriva Enterprise Server 5:
 25edbc4c4a61aa034e090e6cb706f322  
mes5/i586/backuppc-3.1.0-7.1mdvmes5.noarch.rpm 
 99e10439faaf116a1195c2fa1e926109  mes5/SRPMS/backuppc-3.1.0-7.1mdvmes5.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 38bfc11aa57f6dc67715d58eeddad8ad  
mes5/x86_64/backuppc-3.1.0-7.1mdvmes5.noarch.rpm 
 99e10439faaf116a1195c2fa1e926109  mes5/SRPMS/backuppc-3.1.0-7.1mdvmes5.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKxLe8mqjQ0CJFipgRApSDAKCQi8TGLj/885wLVIbr9fHETCAcZQCcCHIO
48I9cs/Rs+rmrU+75sVgy2Q=
=NhNC
-END PGP SIGNATURE-



[Full-disclosure] So weev...

2009-10-01 Thread Wintermute
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

How does it feel to be a hypocrite? And we quote:

22:02 weev im all for white people cleaning up the nigger problem
22:03 weev i hate niggers
22:03 weev i hate niggers.

Now besides the fact that weev is an annoying little bitch who
cannot seem to find better things to do with his time than augment
his racist troll persona, there is a larger irony here: he has two
younger siblings who are black. Not that we the undersigned have a
problem with this, but our spidey sense tells us that weev does not
want you to know. Thus, let us present...

Chelsea and Anthony Auernheimer! Chelsea started as a college
freshman this year. She is smart and she loves animals. More about
Chelsea:

http://www.zinch.com/z/Nouchii
http://timesdispatch.mycapture.com/mycapture/enlarge.asp?image=23447
816event=745571CategoryID=20789 (pic)

Anthony is a 9th grader. You can follow him on Twitter here:
http://twitter.com/Antsauercool. As a picture is also in order for
him:
http://timesdispatch.mycapture.com/mycapture/enlarge.asp?image=23447
820event=745571CategoryID=20789

Now, we would love to know what these two think of their racist
asshole brother, but have had the common courtesy not to bother
them with our query. We did, however, more than momentarily
entertain the idea of getting in touch with weev's parents to
attempt to discover what has made him the way he is. Weev's mother
(http://imgur.com/AQpSd.jpg) is a board member of the Richmond PTA
and made contributions to the Democratic Party last year. She seems
like a nice person. His father (http://imgur.com/CEaNX.jpg), on the
other hand, is in his mid 40's, has been CEO of Sealpac USA for the
last two years, and is by all accounts a great guy. Either parent
is available for comment at (804) 355-2889. If you would prefer
postal correspondence, letters can be mailed to:

2038 W Grace St
Richmond, VA 23220

Now, being the troll that he is, weev has no problem with living a
lie. His recent claim,

 As I said, I haven't ever committed a crime. I am a truly sinless
man.

...is humorous when compared with this admission, delivered while
smoking moonrocks:

15:05 weev does anybody know these russians
15:06 weev that they are buying up hacked macs for 43 cents an
install
15:26 weev i have access to like
15:26 weev 8k rooted macs
15:26 weev right now
15:26 weev and i would like to make a quick $3500

But we cannot really blame the guy. Our hearts go out to him when
we see admissions such as this:

09:50 weev i gotta get some money
09:50 weev my cashflow sucks
09:51 weev whores
09:51 weev lavish cars
09:51 weev gigantic places to live

Actually, scratch that. We just kind of LOL at the iProphet and
imagine him LOLing back.

And that is all well and good. Standard operating procedure in the
life of a troll, along with playing some Sims, getting high with
whatever psychoactives he can get his grubby paws on, making stupid
videos, and generally proving that he does not know what the fuck
he is doing with his life. Is weev's current life better than his
past attempt at freelance web and graphic design? Maybe. He kinda
sucked at that too. But come on, man, at least aspire to
*something*.

Weev, the joke is old. Your number is up. Shut up or shape up. Your
docs have been pulled. We are ready to drop them at a moment's
notice, but we momentarily stop to wonder if it would even be worth
it. The devil is in the details, and yours have cocked the gun that
has been aimed at your foot for a while. Karma has more butthurt
waiting for you (in the form of us) than you know what to do
with. Oh, and a representative in Anaheim has been alerted and will
be handling this case personally.

We are, as always, the collective. An agent is standing by to
assist you with any contentions, queries, or comments resulting
from this transmission.

WINTERMUTE
-BEGIN PGP SIGNATURE-
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkrE44kACgkQAN7xmh8YPB2wrQP/QNzi1E+IfPvbVJr6wsxs9+wjknqe
Qc3UAC6hSW3xPB7kwDR9g9i0WUhCjlMO9f78YXDkW0xqJ33FWhpj0zQHwmtOp7rMSXie
MeeHIihWf/T5tcPBgNPOqFIqjIWm/GiGcQXrn7Ifmd2+lDZ3vf9nK2/lsgSUyPqPVtge
20blkg8=
=JvuW
-END PGP SIGNATURE-



Re: [Full-disclosure] So weev...

2009-10-01 Thread Freddie Vicious
And we should give a damn because?

On Thu, Oct 1, 2009 at 10:14 AM, Wintermute winterm...@hush.com wrote:




-- 
Best wishes,
Freddie Vicious
http://twitter.com/viciousf

[Full-disclosure] [ MDVSA-2009:254 ] graphviz

2009-10-01 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2009:254
 http://www.mandriva.com/security/
 ___

 Package : graphviz
 Date: October 1, 2009
 Affected: 2008.1, 2009.0, Corporate 4.0, Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability was discovered and corrected in graphviz:
 
 Stack-based buffer overflow in the push_subg function in parser.y
 (lib/graph/parser.c) in Graphviz 2.20.2, and possibly earlier versions,
 allows user-assisted remote attackers to cause a denial of service
 (memory corruption) or execute arbitrary code via a DOT file with a
 large number of Agraph_t elements (CVE-2008-4555).
 
 This update provides a fix for this vulnerability.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4555
 ___

 Updated Packages:

 Mandriva Linux 2008.1:
 438c0a99edd76117c5f8f414483ba2cf  
2008.1/i586/graphviz-2.16.1-3.2mdv2008.1.i586.rpm
 dfb121bb5029b7e9d7a4695bf76a1413  
2008.1/i586/graphviz-doc-2.16.1-3.2mdv2008.1.i586.rpm
 549ac8639eb441968824a737825bbbfd  
2008.1/i586/libgraphviz4-2.16.1-3.2mdv2008.1.i586.rpm
 055b0a9ea5a6d9c2bb52cdd24736466c  
2008.1/i586/libgraphviz-devel-2.16.1-3.2mdv2008.1.i586.rpm
 0a4d296f3280eed23ee466df6e491068  
2008.1/i586/libgraphvizlua0-2.16.1-3.2mdv2008.1.i586.rpm
 969e8bcb8e2fd7dbd0dc18e1bba81a12  
2008.1/i586/libgraphvizocaml0-2.16.1-3.2mdv2008.1.i586.rpm
 1502294cefc214c5303d62f08f3dd79e  
2008.1/i586/libgraphvizperl0-2.16.1-3.2mdv2008.1.i586.rpm
 3512049a131159102e2bc613496c189f  
2008.1/i586/libgraphvizphp0-2.16.1-3.2mdv2008.1.i586.rpm
 f1dd75279c2deddec3bac08f787148a6  
2008.1/i586/libgraphvizpython0-2.16.1-3.2mdv2008.1.i586.rpm
 e4cc9bfd988204f3cda765d9b2b5f6b4  
2008.1/i586/libgraphvizr0-2.16.1-3.2mdv2008.1.i586.rpm
 07b0369439dfbfdf13e1f81333053330  
2008.1/i586/libgraphvizruby0-2.16.1-3.2mdv2008.1.i586.rpm
 b2da0ab31141bac72991913b2ba5af11  
2008.1/i586/libgraphviz-static-devel-2.16.1-3.2mdv2008.1.i586.rpm
 17c5d030e390edeaa499afb227c2a918  
2008.1/i586/libgraphviztcl0-2.16.1-3.2mdv2008.1.i586.rpm 
 e1ec78ea74f83f3a76bf3a2840634612  
2008.1/SRPMS/graphviz-2.16.1-3.2mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 1d03179cba939f845767e5c53f55a3ac  
2008.1/x86_64/graphviz-2.16.1-3.2mdv2008.1.x86_64.rpm
 7f909c2527993dfc6fb52a99ba7d40bf  
2008.1/x86_64/graphviz-doc-2.16.1-3.2mdv2008.1.x86_64.rpm
 3a7a535f08e5d452c00615970ef681f4  
2008.1/x86_64/lib64graphviz4-2.16.1-3.2mdv2008.1.x86_64.rpm
 1031c334336b37483bd78743ac996d31  
2008.1/x86_64/lib64graphviz-devel-2.16.1-3.2mdv2008.1.x86_64.rpm
 aeb9e97aef30819f6900ad0ac36ff7ba  
2008.1/x86_64/lib64graphvizlua0-2.16.1-3.2mdv2008.1.x86_64.rpm
 52a9857f11e80c8003e41c6e5a38327e  
2008.1/x86_64/lib64graphvizocaml0-2.16.1-3.2mdv2008.1.x86_64.rpm
 a9c4f5f562e98bd643650a3c47405c5a  
2008.1/x86_64/lib64graphvizperl0-2.16.1-3.2mdv2008.1.x86_64.rpm
 0085b4658e8a92da42d40fcd06bce41f  
2008.1/x86_64/lib64graphvizphp0-2.16.1-3.2mdv2008.1.x86_64.rpm
 cb6596d38d763038ba3b6fd1b8f988d5  
2008.1/x86_64/lib64graphvizpython0-2.16.1-3.2mdv2008.1.x86_64.rpm
 c50a7ea57991f13a11fb193d90bd1dad  
2008.1/x86_64/lib64graphvizr0-2.16.1-3.2mdv2008.1.x86_64.rpm
 448f2265d11265818ad703724c0b5c77  
2008.1/x86_64/lib64graphvizruby0-2.16.1-3.2mdv2008.1.x86_64.rpm
 b03474eba03405827cca9ab99a77f517  
2008.1/x86_64/lib64graphviz-static-devel-2.16.1-3.2mdv2008.1.x86_64.rpm
 ac8c9dacf5f7d8262de0e7d9a803a38a  
2008.1/x86_64/lib64graphviztcl0-2.16.1-3.2mdv2008.1.x86_64.rpm 
 e1ec78ea74f83f3a76bf3a2840634612  
2008.1/SRPMS/graphviz-2.16.1-3.2mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 cd40ad7b987be4017fc17321ef2d9db3  
2009.0/i586/graphviz-2.20.2-3.1mdv2009.0.i586.rpm
 16f9bf10cf8fc2703fa9c545501a60f3  
2009.0/i586/graphviz-doc-2.20.2-3.1mdv2009.0.i586.rpm
 bbd99a51776c7635cc2fb1e6504ab660  
2009.0/i586/libgraphviz4-2.20.2-3.1mdv2009.0.i586.rpm
 4c51fd7007ad75990da2326a9be1f79b  
2009.0/i586/libgraphviz-devel-2.20.2-3.1mdv2009.0.i586.rpm
 1ced8591094aa6383aace1dc597c1b31  
2009.0/i586/libgraphvizlua0-2.20.2-3.1mdv2009.0.i586.rpm
 58c7888f5b8f6753fe8b9ecd2e96263c  
2009.0/i586/libgraphvizocaml0-2.20.2-3.1mdv2009.0.i586.rpm
 04e0d0f072c05a00c88d58ad773ae71f  
2009.0/i586/libgraphvizperl0-2.20.2-3.1mdv2009.0.i586.rpm
 fd140078c0bd81fb7a91840626e6d73b  
2009.0/i586/libgraphvizphp0-2.20.2-3.1mdv2009.0.i586.rpm
 846a760fa83a380d433efec24e5029a3  
2009.0/i586/libgraphvizpython0-2.20.2-3.1mdv2009.0.i586.rpm
 0f700d07ec8319159a1547817774bce8  
2009.0/i586/libgraphvizr0-2.20.2-3.1mdv2009.0.i586.rpm
 a00118be4bd5394a3bcf31a50032d7a3  
2009.0/i586/libgraphvizruby0-2.20.2-3.1mdv2009.0.i586.rpm
 

[Full-disclosure] Rooted CON 2010 - CFP

2009-10-01 Thread Roman Medina-Heigl Hernandez


===
  - Rooted CON 2010 -
 C A L L   F O R   P A P E R S
===


.: [ ABOUT ]

  Rooted CON is a Security Congress to be held in Madrid (Spain) in
March 2010. Our goal is to promote security by offering highly technical
talks with a practical approach (an interesting mix of theory / demos) and
neutrality (although we want businesses/enterprises to participate in the
congress, they should prioritize the technical and objective approach).

  We also want people to participate and enjoy... And even come back home
with a prize! Therefore, we will hold various events (apart from talks),
one of the most important of them being the CTF (Capture the flag)
contest, with substantial cash prizes and designed by none other
than one of the Sexy Pandas (finalist team in the traditional Defcon
CTF).

  And of course if you are brave enough you will also have fun by living
the beautiful nights of Madrid...


.: [ FORMAT ]

  We would like to receive two kinds of proposals:
- fast talks. Duration: 20'.
- normal talks. Duration: 50'.

  If you have a crazy/interesting and fresh idea that could be summarized
in less time, please don't hesitate and submit a fast talk. If your idea
is even crazier and needs more time to be explained in depth, use the
second one: normal talk.

  We are only accepting submissions in Spanish and English. We
will do our best to have simultaneous translation in the conference room
but we cannot promise it since it will depend on budget and sponsors.


.: [ TOPICS ]

  Every hot topic in the security market is welcome. These are only some
examples:

- innovative defensive and offensive techniques.
- everything related to fraud, phishing, trojan horses in financial
entities, protection mechanisms and technologies...
- reversing, low-level techniques, kernel, ...
- vulnerability discovery, fuzzing and related topics.
- virtual contexts attacks, clusters, cloud computing and new in the
cloud products.
- cryptography and cryptanalysis.
- mobile security.
- hacking tools: custom developments.
- document security.
- VoIP, phreaking, ...
- forensics / antiforensics.
- wireless security.
- steganography and covert channels.
- web application security
- ...


.: [ SUBMISSION PROCEDURE ]

  Would you like to speak at Rooted CON? Please, don't forget to make
talks illustrative and include demos! :)

  Please, send your application via e-mail to:
cfp -AT- rootedcon.es

  For the talk to be accepted in the initial selection process it should
comply with the previously described format and *must* include *all* the
following info:

- title
- author (full name and optionally nick/handle)
- bio (some lines defining who you are)
- duration (normal or fast talk?)
- abstract (should be extensive enough to be evaluated properly)
- location/nationality
- facilities needed
- do you plan to present same or similar talk in another conference?
Which one?


.: [ SCHEDULE ]

October 1, 2009 - CFP opens.
December 20, 2009 - CFP closes.
December 31, 2009 - Speakers selected.
January 10, 2010 - Final paper and presentation material submitted.


.: [ SPEAKER PRIVILEGES ]

  Speakers will be given the following benefits:
- Free accommodation.
- Free access to the conference.
- Travel expenses (if possible).
- Free party tickets/drinks.


.: [ SPONSORS ]

  There are still opportunities to help us in organizing the best security
congress in Spain while obtaining an interesting marketing ROI. If you are
interested in being one of our sponsors, please, contact us at:

sponsors -AT- rootedcon.es


.: [ LINKS ]

- Web site
http://www.rootedcon.es/
- Facebook group
http://www.facebook.com/group.php?gid=96410924798
- LinkedIn group
http://www.linkedin.com/groups?gid=1969438
- Announce mailing-list
https://listas.rootedcon.es/mailman/listinfo/rooted-announce

   -=EOF=-

--
Rooted CON staff

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [USN-839-1] Samba vulnerabilities

2009-10-01 Thread Marc Deslauriers
===
Ubuntu Security Notice USN-839-1   October 01, 2009
samba vulnerabilities
CVE-2009-1886, CVE-2009-1888, CVE-2009-2813, CVE-2009-2906,
CVE-2009-2948
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  samba   3.0.22-1ubuntu3.9
  smbfs   3.0.22-1ubuntu3.9

Ubuntu 8.04 LTS:
  samba   3.0.28a-1ubuntu4.9
  smbfs   3.0.28a-1ubuntu4.9

Ubuntu 8.10:
  samba   2:3.2.3-1ubuntu3.6
  smbclient   2:3.2.3-1ubuntu3.6
  smbfs   2:3.2.3-1ubuntu3.6

Ubuntu 9.04:
  samba   2:3.3.2-1ubuntu3.2
  smbfs   2:3.3.2-1ubuntu3.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

J. David Hester discovered that Samba incorrectly handled users that lack
home directories when the automated [homes] share is enabled. An
authenticated user could connect to that share name and gain access to the
whole filesystem. (CVE-2009-2813)

Tim Prouty discovered that the smbd daemon in Samba incorrectly handled
certain unexpected network replies. A remote attacker could send malicious
replies to the server and cause smbd to use all available CPU, leading to a
denial of service. (CVE-2009-2906)

Ronald Volgers discovered that the mount.cifs utility, when installed as a
setuid program, would not verify user permissions before opening a
credentials file. A local user could exploit this to use or read the
contents of unauthorized credential files. (CVE-2009-2948)

Reinhard Nißl discovered that the smbclient utility contained format string
vulnerabilities in its file name handling. Because of security features in
Ubuntu, exploitation of this vulnerability is limited. If a user or
automated system were tricked into processing a specially crafted file
name, smbclient could be made to crash, possibly leading to a denial of
service. This only affected Ubuntu 8.10. (CVE-2009-1886)

Jeremy Allison discovered that the smbd daemon in Samba incorrectly handled
permissions to modify access control lists when dos filemode is enabled. A
remote attacker could exploit this to modify access control lists. This
only affected Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-1886)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/s/samba/samba_3.0.22-1ubuntu3.9.diff.gz
  Size/MD5:   161616 0ad9aaba168245042d1489fdcdd5dc42

http://security.ubuntu.com/ubuntu/pool/main/s/samba/samba_3.0.22-1ubuntu3.9.dsc
  Size/MD5: 1203 e54ed933c8b093c77b7aecaccc1650ab
http://security.ubuntu.com/ubuntu/pool/main/s/samba/samba_3.0.22.orig.tar.gz
  Size/MD5: 17542657 5c39505af17cf5caf3d6ed8bab135036

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/s/samba/samba-doc-pdf_3.0.22-1ubuntu3.9_all.deb
  Size/MD5:  6594720 714f26b307bf9c1d81392ef89dd57420

http://security.ubuntu.com/ubuntu/pool/main/s/samba/samba-doc_3.0.22-1ubuntu3.9_all.deb
  Size/MD5:  6902292 116d5fcbf539e39460c4de1a03a2e5f1

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/s/samba/libpam-smbpass_3.0.22-1ubuntu3.9_amd64.deb
  Size/MD5:   427020 eac8d7f26dbbe0a51eb6dd2089d5318f

http://security.ubuntu.com/ubuntu/pool/main/s/samba/libsmbclient-dev_3.0.22-1ubuntu3.9_amd64.deb
  Size/MD5:   112902 78153d8ae792d0dad9913142ac80f304

http://security.ubuntu.com/ubuntu/pool/main/s/samba/libsmbclient_3.0.22-1ubuntu3.9_amd64.deb
  Size/MD5:   798804 51db5cb3445e03ce20bc01df763626f0

http://security.ubuntu.com/ubuntu/pool/main/s/samba/python2.4-samba_3.0.22-1ubuntu3.9_amd64.deb
  Size/MD5:  5974858 2984a44edeff38950c8b117ee5dfc50d

http://security.ubuntu.com/ubuntu/pool/main/s/samba/samba-common_3.0.22-1ubuntu3.9_amd64.deb
  Size/MD5:  2415334 5a7e0073ee7714fa816d528ec7015e98

http://security.ubuntu.com/ubuntu/pool/main/s/samba/samba-dbg_3.0.22-1ubuntu3.9_amd64.deb
  Size/MD5: 11893670 e9a72bdd6da691c06755694781c28cf0

http://security.ubuntu.com/ubuntu/pool/main/s/samba/samba_3.0.22-1ubuntu3.9_amd64.deb
  Size/MD5:  3405114 c3db6785e7e379912107194b85a6c4c0

http://security.ubuntu.com/ubuntu/pool/main/s/samba/smbclient_3.0.22-1ubuntu3.9_amd64.deb
  Size/MD5:  4042974 5b6d291f233ea349113f188c8b602922

http://security.ubuntu.com/ubuntu/pool/main/s/samba/smbfs_3.0.22-1ubuntu3.9_amd64.deb
  Size/MD5:   450162 973bba455c72ac8f68c5266f4f6962c5


Re: [Full-disclosure] Exploiting memory corruption vulnerabilities on Internet Explorer 8

2009-10-01 Thread Berend-Jan Wever
FYI: ASLR & DEP can be bypassed on x86, there's just nothing public at the
moment.

Cheers,

SkyLined

Berend-Jan Wever berendjanwe...@gmail.com
http://skypher.com/SkyLined




On Thu, Oct 1, 2009 at 6:44 PM, Freddie Vicious fred.vici...@gmail.com wrote:

 Yes, I am aware of the JVM and the Flash AVM heap spray techniques, no
 DEP/ASLR there... But as you said, so far there's no known catch-all
 technique against IE8.
 Along with other security features (
 http://blogs.msdn.com/architecture/archive/2009/08/13/internet-explorer-8-rated-tops-against-malware-and-phishing-attacks.aspx)
 this basically means that IE8 is the most secure web browser nowadays?

 On Thu, Oct 1, 2009 at 8:27 AM, Jared DeMott jared.dem...@harris.com wrote:

 I'm not aware of any catch-all technique just for IE8, though there are
 a few common ones like return oriented programming.  Application
 specific techniques are also common when third party extensions are
 involved.

 --
 __
 Jared D. DeMott
 Principal Security Researcher




 --
 Best wishes,
 Freddie Vicious
 http://twitter.com/viciousf

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Exploiting memory corruption vulnerabilities on Internet Explorer 8

2009-10-01 Thread Valdis . Kletnieks
On Thu, 01 Oct 2009 21:55:37 +0200, Berend-Jan Wever said:

 FYI: ASLR & DEP can be bypassed on x86, there's just nothing public at the
 moment.

Is that "I believe it can, but there's no proof yet", or "based on non-public
sources, I know for a fact it can"?


pgpGarY5dXHrE.pgp
Description: PGP signature
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Exploiting memory corruption vulnerabilities on Internet Explorer 8

2009-10-01 Thread Michal Zalewski
 Along with other security features
 (http://blogs.msdn.com/architecture/archive/2009/08/13/internet-explorer-8-rated-tops-against-malware-and-phishing-attacks.aspx)
 this basically means that IE8 is the most secure web browser nowadays?

If memory serves me right, it's been a while since we've witnessed
successful, large-scale exploitation of memory corruption flaws in any
browser, and it's probably not the most common exploitable security
lapse these days.

This is partly because many of the modern defenses - such as DEP/NX,
ASLR, canaries, lower privileges / sandboxing - are becoming more
prevalent across all browsers and operating systems; partly because
browsers seem to be doing a lot of in-house fuzzing (for MSIE, Firefox,
and Chrome, this is probably pretty evident); and last but not least,
in part because of the changing landscape for security disclosure:
researchers are heavily incentivized to sell vulnerabilities instead
(keeping the public as such generally safe, but probably greatly
increasing exposure windows for targeted attacks).

In the browser world, many other problems can have profound security
consequences, however; browser chrome privilege escalations, zone
fenceposts, even universal XSSes (made more serious by the fact more
and more of our sensitive data is handled by web applications), and
other design errors that allow much simpler paths of privilege
escalation (sometimes including system compromise) are taking the
center stage, particularly for malware distribution and other
large-scale attacks. In this department, most vendors have several
skeletons in the closet (Microsoft with content sniffing and zone
model complexity, Firefox and some other browsers with privileged
JavaScript used to implement extensions and UIs, etc).

Anyhow - in the end, I would be tempted to say that the differences
between browsers are much less pronounced than the media feels
compelled to say; but this new fierce competition between vendors is
exceptional, highly notable, and very beneficial for the industry in
the long run. For example, were it not for Firefox claims of superior
security and the ensuing market adoption, we would probably not see a
sudden push for security features in MSIE8; and were it not for
Microsoft's response, Mozilla folks would likely not feel compelled to
keep up their in-house fuzzing efforts and security improvements in
FF3 and 3.5. Then add Chrome to the mix, and it gets even more
interesting...

/mz

PS. As for malware filtering - also, not a feature unique to any
particular browser these days - I do not quite see the relevance to
this discussion. Anti-malware checks improve the safety of casual
browsing for the general public - and hence have a positive effect for the
health of the Internet as a whole - but they do not render any
particular browser less likely to have exploitable vulnerabilities.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Modifying SSH to Capture Login Credentials from Attackers

2009-10-01 Thread my.hndl
Follow up posted, which includes:
- analysis of some tools most likely used against me
- information on an operator of a botnet very similar to the one that was
attacking me
- code samples, screenshots, etc.

http://paulmakowski.wordpress.com/2009/09/30/from-pass_file-to-script-kiddies/




On Tue, Sep 29, 2009 at 12:25 PM, my.hndl my.h...@gmail.com wrote:

 If you've ever had your SSH server dictionary attacked and wondered what
 usernames / passwords the attackers were trying...

 I've posted detailed instructions on modifying openssh on Ubuntu 9.04 in
 order to log username / password attempts made by bots.  This information
 can then be used to track down the tools / dictionaries being used against
 you, and may even lead to discovery of IRC command & control channels used
 by the botnet herders/masters (the topic of my next post).

 Full username / password logs included for your enjoyment:
 http://paulmakowski.wordpress.com/2009/09/28/hacking-sshd-for-a-pass_file/

 Intended for novices interested in honeypots.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] So weev...

2009-10-01 Thread GOBBLES
Greetings.

I'd like to chime in here and mirror this.

Crime is bad. So is the subversive rhetoric that is drains the resources of law 
enforcement, and in actuality, because of it's abusive nature increases the 
likely we'll lose our liberties if you do something stupid.

You have any idea the harassment I've faced because of you, idiot?

You are doing bad things, Andrew.

http://seclists.org/fulldisclosure/2009/Oct/0013.html 
Mirror #1 (http://www.webcitation.org/5kD6O0OEd)

Chelsea Auernheimer
=
http://www.zinch.com/z/Nouchii 
Mirror #1 (http://www.webcitation.org/5kD6PnDyk)

http://timesdispatch.mycapture.com/mycapture/enlarge.asp?image=23447816event=745571CategoryID=20789
 
Mirror #1 (http://img44.imageshack.us/img44/1253/23447816e.jpg) 
Mirror #2 
(http://img.waffleimages.com/4e970a16670a3fa57db1b88fee2adebef617e98a/23447816e.jpg)

Anthony Auernheimer
==
http://twitter.com/Antsauercool
Mirror #1 (http://www.webcitation.org/5kD6SestP)

http://timesdispatch.mycapture.com/mycapture/enlarge.asp?image=23447820event=745571CategoryID=20789
Mirror #1 (http://img19.imageshack.us/img19/4606/23447820e.jpg)
Mirror #2 
(http://img.waffleimages.com/ef136fdba21217188b1dd4d374148d48d1afa145/23447820e.jpg)

Mommy Auernheimer
==
http://imgur.com/AQpSd.jpg
Mirror #1 (http://img19.imageshack.us/img19/1967/aqpsd.jpg)
Mirror #2 
(http://img.waffleimages.com/41c1f9036d350871dbedf177ffd1109cf3bc6ab8/aqpsd.jpg)

Daddy Auernhiemer (SealPac CEO)
==
http://imgur.com/CEaNX.jpg
Mirror #1 (http://img19.imageshack.us/img19/4673/ceanx.jpg) 
Mirror #2 
(http://img.waffleimages.com/35414c5ec9e246bd42f2e4372abe51f836ed6867/ceanx.jpg)

I hate to bring family into this, but weev, you've shown no more regard for the 
families of others. You have been senseless toward others.

And also remember to submit any pertinent evidence or testimony to your local 
FBI office or http://tips.fbi.gov

Sincerely,
Paul

P.S. Yes I'm Jewish. No, I didn't buy my way into Christianity. Liar.

 Original Message 
From: Wintermute winterm...@hush.com
Apparently from: full-disclosure-boun...@lists.grok.org.uk
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] So weev...
Date: Thu, 01 Oct 2009 12:14:49 -0500

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 How does it feel to be a hypocrite? And we quote:
 
 22:02 weev im all for white people cleaning up the nigger problem
 22:03 weev i hate niggers
 22:03 weev i hate niggers.
 
 Now besides the fact that weev is an annoying little bitch who
 cannot seem to find better things to do with his time than augment
 his racist troll persona, there is a larger irony here: he has two
 younger siblings who are black. Not that we the undersigned have a
 problem with this, but our spidey sense tells us that weev does not
 want you to know. Thus, let us present...
 
 Chelsea and Anthony Auernheimer! Chelsea started as a college
 freshman this year. She is smart and she loves animals. More about
 Chelsea:
 
 http://www.zinch.com/z/Nouchii
 http://timesdispatch.mycapture.com/mycapture/enlarge.asp?image=23447
 816event=745571CategoryID=20789 (pic)
 
 Anthony is a 9th grader. You can follow him on Twitter here:
 http://twitter.com/Antsauercool. As a picture is also in order for
 him:
 http://timesdispatch.mycapture.com/mycapture/enlarge.asp?image=23447
 820event=745571CategoryID=20789
 
 Now, we would love to know what these two think of their racist
 asshole brother, but have had the common courtesy not to bother
 them with our query. We did, however, more than momentarily
 entertain the idea of getting in touch with weev's parents to
 attempt to discover what has made him the way he is. Weev's mother
 (http://imgur.com/AQpSd.jpg) is a board member of the Richmond PTA
 and made contributions to the Democratic Party last year. She seems
 like a nice person. His father (http://imgur.com/CEaNX.jpg), on the
 other hand, is in his mid 40's, has been CEO of Sealpac USA for the
 last two years, and is by all accounts a great guy. Either parent
 is available for comment at (804) 355-2889. If you would prefer
 postal correspondence, letters can be mailed to:
 
 2038 W Grace St
 Richmond, VA 23220
 
 Now, being the troll that he is, weev has no problem with living a
 lie. His recent claim,
 
  As I said, I haven't ever committed a crime. I am a truly sinless
 man.
 
 ...is humorous when compared with this admission, delivered while
 smoking moonrocks:
 
 15:05 weev does anybody know these russians
 15:06 weev that they are buying up hacked macs for 43 cents an
 install
 15:26 weev i have access to like
 15:26 weev 8k rooted macs
 15:26 weev right now
 15:26 weev and i would like to make a quick $3500
 
 But we cannot really blame the guy. Our hearts goes out to him when
 we see admissions such as this:
 
 09:50 weev i gotta get some money
 09:50 weev my cashflow sucks
 09:51 weev whores
 09:51 weev lavish cars
 09:51 weev gigantic places to live
 
 

Re: [Full-disclosure] So weev...

2009-10-01 Thread GOBBLES
She's gorgeous and looks like a great mother.

I'm totally surprised, he sounds like he has the nicest family in the world.

Mom
http://imgur.com/AQpSd.jpg / (http://img19.imageshack.us/img19/1967/aqpsd.jpg) 
/  
(http://img.waffleimages.com/41c1f9036d350871dbedf177ffd1109cf3bc6ab8/aqpsd.jpg)
 / (http://hosting11.imagecross.com/image-hosting-th-16/953aqpsd.jpg) / 
(http://www.freeimagehosting.net/uploads/af64fe986f.jpg) / 
(http://www.uploadgeek.com/thumb-CA81_4AC55843.jpg) / 
(http://www.imagehuge.com/out.php/t16155_aqpsd.jpg) / 
(http://images.imagenonline.com/img_a190867.jpg) / 
(http://www.desiupload.com/out.php/t325733_aqpsd.jpg)


Dad
http://imgur.com/CEaNX.jpg / (http://img19.imageshack.us/img19/4673/ceanx.jpg) 
/  
(http://img.waffleimages.com/35414c5ec9e246bd42f2e4372abe51f836ed6867/ceanx.jpg)
 / (http://www.uploadgeek.com/thumb-A304_4AC5594B.jpg) / 
(http://www.freeimagehosting.net/uploads/6db22e9e83.jpg) / 
(http://hosting11.imagecross.com/image-hosting-th-16/6430dad.jpg) / 
(http://www.desiupload.com/out.php/t325734_dad.jpg) / 
(http://www.imagehuge.com/out.php/i16156_dad.jpg) / 
(http://images.imagenonline.com/img_a190870.jpg)

Look how Andrew Auernheimer has his dad's lip and mom's eyes and cheeks:
Mirror #1: 
http://img.waffleimages.com/239fb622e4e5188627f39af8045575a70182f8c7/569px-Internet_business.jpg
Mirror #2: http://img8.imageshack.us/img8/7586/569pxinternetbusiness.jpg
Mirror #3: http://imgur.com/V5hkG.jpg

That's a popular image of weev.

The only psychological explanation I have for it is weev felt jealous of the 
connection between his dad on his mom because dad loved mom so much... And 
Andrew perceived himself as being neglected. Hell, can you blame him? His mom 
is so beautiful.

 Original Message 
From: BMF badmotherfs...@gmail.com
To: GOBBLES gobbles1...@safe-mail.net
Subject: Re: [Full-disclosure] So weev...
Date: Thu, 1 Oct 2009 18:46:25 -0700

 On Thu, Oct 1, 2009 at 4:54 PM, GOBBLES gobbles1...@safe-mail.net wrote:
  Mommy Auernheimer
  ==
  http://imgur.com/AQpSd.jpg
 
 Dude...I would totally hit dat...Anyone know when Daddy Auernheimer
 works? Cuz I wanna call up mommy  Auernheimer at (804) 355-2889 and
 make an appointment.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Drupal CCK 5.x-1.10 XSS Vulnerability

2009-10-01 Thread Justin Klein Keane
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Description of Vulnerability:
- -
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules.  The CCK module (http://drupal.org/project/cck)
allows you to add custom fields to nodes using a web browser.

The CCK module version 5.x-1.10 contains a cross site scripting
vulnerability because it does not properly sanitize output of group
labels before display.

Systems affected:
- - - - -
Drupal 5.19 with CCK 5.x-1.10 was tested and shown to be vulnerable.

Impact:
- - - - ---
XSS vulnerabilities may expose site administrative accounts to
compromise which could lead to web server process compromise.

Mitigating factors:
- - - - ---
The CCK module must be installed.  To carry out a CCK based XSS exploit
the attacker must have 'administer content types' permission.

Proof of Concept:
- - - -
1.  Install Drupal 5
2.  Install CCK 5.x-1.10
3.  Enable the CCK module from Administer -> Site building -> Modules
and enable all CCK modules
4.  From Administer -> Content management -> Content types, click the
'edit' link next to the 'Page' content type
5.  Click the 'Add group' tab at the top
6.  Enter <script>alert('xss');</script> as the label and save the
group by clicking the 'Add' button at the bottom of the form
7.  On form submission you will be redirected to
/?q=admin/content/types/page/fields and the JavaScript will be rendered
and execute three times.

Technical details:
- - - 
The CCK module fails to sanitize the output of the CCK group label
before display on lines 248 and 285 of content_admin.inc.  Applying the
following patch fixes this vulnerability.

Patch
- - - ---
Applying the following patch mitigates these threats.

$ diff -up cck/content_admin.inc cck_fixed/content_admin.inc
- - --- cck/content_admin.inc   2008-09-03 09:45:05.0 -0400
+++ cck_fixed/content_admin.inc 2009-10-01 15:35:04.364195774 -0400
@@ -245,7 +245,7 @@ function theme_content_admin_field_overv
   $row[] = drupal_render($form['field-groups'][$fname]);
   break;
 default:
- - -  $row[] = array('data' = $cell, 'class' = $class);
+  $row[] = array('data' = filter_xss($cell), 'class' =
$class);
 }
   }
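Review bot: filter_xss($cell) in the default branch still lets a whitelist of tags through (Drupal's filter_xss() defaults to allowing a, em, strong, cite, code, ul, ol, li, dl, dt and dd), so a group label can still carry markup into the overview table; if labels are meant to be plain text, check_plain($cell) is the tighter choice and does not depend on the filter's tag list. Also worth stating in the patch description is that only the default branch is touched: the rows produced by drupal_render() in the cases above this one are assumed to be already-rendered form output and are not filtered here.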

@@ -282,7 +282,7 @@ function theme_content_admin_field_overv

 // add the group row in its own table above the group
fields table, then reset $row().
 $fieldset = array(
- - -  '#title' = t('!label (!name)', array('!label' =
$form['#group_labels'][$fname], '!name' = $fname)),
+  '#title' = t('!label (!name)', array('!label' =
filter_xss($form['#group_labels'][$fname]), '!name' = $fname)),
   '#collapsible' = TRUE,
   '#collapsed' = FALSE,
   '#value' = theme('table', array(), array(array('data' =
$row, 'class' = 'content-field-overview-group'))) . theme('table',
$header, $grows),
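Review bot: wrapping the label in filter_xss() before passing it as a `!label` placeholder works, but Drupal's t() already offers the escaping for free: `!` placeholders are inserted verbatim, whereas `@` placeholders are passed through check_plain(). Changing the format string to `t('@label (!name)', array('@label' => $form['#group_labels'][$fname], ...))` escapes the label at the one place it is interpolated and renders it literally, with no wrapper call to forget on the next edit. Note that `!name` is still inserted unescaped in both the old and new versions; if $fname is not guaranteed to be a validated machine name, it deserves the same `@name` treatment.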

Vendor Response
- ---
Vendor replies that because the vulnerability requires administer
content types privilege to exploit, they will not release a security
announcement.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org

iPwEAQECAAYFAkrFbIUACgkQkSlsbLsN1gD9uAcAkpzYFoh1Z+cE6VQlAuuHRYtT
yF/PlmeWdrosXEVGe7ELJw5tv1EbbopeUlIU3D9tH0tftU4Jt1ptTR8j7WMBPQ9E
DeY3wDawxlrkeKmtLtyP9Wq3nZmJARb4518Cx0hMoyt4SIVWpJvgk6AenumpEKO2
DHyTCVyQ7EEWmui1L4eDIIJz4JG4JMJxRK/VZkZhg0ikVIfpE8YP1OvhJjpYo1v5
dH/RP/5sks3Lj9I4zHE1XImeLQRsgBvSPC8PmrPJ+D4g8T1Uw8zkGfYCUhrCFeFC
1OttfJI6m/J4tWxwTPE=
=aG9O
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] So weev...

2009-10-01 Thread TheLearner
I posted on here earlier as netdev.doctor questioning weev on how 
he feels psychologically.

*spins weev around*
*grins*

You came from the net, You planted your seeds of hatred and now 
with nature you fall here.

I feel such invigorating justice seeing your real identity 
mirrored. Redundancy. Freedom of information.

I hypothesize weev may possibly kill himself, unfortunately. I'm 
unsure how to approach it because I hear he may have left the 
United States. If not, he'll cling on like a Michael Crook kinda 
guy (which he is closely emulating nowadays).

These kids are like mean infants.

If I were in your shoes, I would intellectually be considering 
ending my life. However that's just me.

I don't think you should. However, if it were me, it would stop the 
pain, and my life path that I really couldn't ever fix now.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] So weev...

2009-10-01 Thread GOBBLES
I posted on here earlier as netdev.doctor questioning weev on how
he feels psychologically.

*spins weev around*
*grins*

I feel such invigorating justice seeing your real identity
mirrored. Redundancy. Freedom of information.

I hypothesize weev may possibly kill himself, unfortunately. I'm
unsure how to approach it because I hear he may have left the
United States. If not, he'll cling on like a Michael Crook kinda
guy (which he is closely emulating nowadays).

These kids are like mean infants.

If I were in your shoes, I would intellectually be considering
ending my life. However that's just me.

I don't think you should. However, if it were me, it would stop the
pain, and my life path that I really couldn't ever fix now.

This is purity. This is what happens when you become arrogant,
come down here with orders from God. You get crucified bitch.
Just like Jesus. Your hung on a cross the same place you ruined
people's lives.

plz advz
hep

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] VMSA-2009-0013 VMware Fusion resolves two security issues

2009-10-01 Thread VMware Security team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
   VMware Security Advisory

Advisory ID:   VMSA-2009-0013
Synopsis:  VMware Fusion resolves two security issues
Issue date:2009-10-01
Updated on:2009-10-01 (initial release of advisory)
CVE numbers:   CVE-2009-3281 CVE-2009-3282
- 

1. Summary

   VMware Fusion 2.0.6 addresses a denial of service and code execution
   vulnerability

2. Relevant releases

   VMware Fusion 2.0.5 and earlier.

3. Problem Description

   VMware Fusion is a product that allows you to seamlessly run your
   favorite Windows applications on any Intel-based Mac.

 a. Kernel code execution vulnerability

A file permission problem in the vmx86 kernel extension allows for
executing arbitrary code in the host system kernel context by an
unprivileged user on the host system.

VMware would like to thank Neil Kettle of Convergent Network
Solutions for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2009-3281 to this issue.

 b. Kernel denial of service vulnerability

An integer overflow vulnerability in the vmx86 kernel extension
allows for a denial of service of the host by an unprivileged user
on the host system.

VMware would like to thank Neil Kettle of Convergent Network
Solutions for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2009-3282 to this issue.

To remediate the above issues update your product using the table
below.

VMware Product   Running  Replace with/
ProductVersion   on   Apply Patch
=    ===  =
VirtualCenter  any   Windows  not affected

Workstation6.5.x Windows  not affected
Workstation6.5.x Linuxnot affected

Player 2.5.x Windows  not affected
Player 2.5.x Linuxnot affected

ACE2.5.x any  not affected

Server any   any  not affected

Fusion any   Mac OS/X Fusion 2.0.6 build 196839

ESXi   any   ESXi not affected

ESXany   ESX  not affected


4. Solution

   Please review the patch/release notes for your product and version
   and verify the md5sum and/or the sha1sum of your downloaded file.

   VMware Fusion 2.0.6 (for Intel-based Macs): Download including
   VMware Fusion and a 12 month complimentary subscription to McAfee
   VirusScan Plus 2009

   md5sum: d35490aa8caa92e21339c95c77314b2f
   sha1sum: 9c41985d754ac718032a47af8a3f98ea28fddb26

   VMware Fusion 2.0.6 (for Intel-based Macs): Download including only
   VMware Fusion software

   md5sum: 2e8d39defdffed224c4bab4218cc6659
   sha1sum: 453d54a2f37b257a0aad17c95843305250c7b6ef

5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3281
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3282

- 
6. Change log

2009-10-01  VMSA-2009-0013
Initial security advisory after release of Fusion 2.0.6 on 2009-10-01

- ---
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  * security-announce at lists.vmware.com
  * bugtraq at securityfocus.com
  * full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2009 VMware Inc.  All rights reserved.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFKxYtnS2KysvBH1xkRAgZjAJ9xF6r9OKjHc4iayvPz0VEiLf2T6QCfdglG
7vvN45BLtMo4BuHfCGRGHo4=
=y8E6
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
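Both the Ubuntu notice above (its "Size/MD5:" line under every package URL) and the VMware advisory (its "md5sum:" / "sha1sum:" lines, with the instruction to verify them after download) expect the reader to check the downloaded file against the published values. The following is an added example of that check, not code from Ubuntu, VMware or any other vendor: it parses both layouts and reports which of size, MD5 and SHA-1 disagree with the file. The advisory fragments, the URL and the file contents are constructed for the demo, and the hashes inside the fragments are computed from the constructed file so that the example runs offline.

```python
"""Verify a downloaded update against the checksums an advisory publishes.

Added example, not code from Ubuntu, VMware or any other vendor. The
advisory snippets and the file contents below are constructed; the hashes
in the snippets are computed from the constructed file so the demo runs
offline.
"""
import hashlib
import re

# Constructed stand-in for a downloaded package or installer image.
SAMPLE_FILE = b"constructed sample package contents\n" * 8
SAMPLE_URL = "http://security.example.invalid/pool/main/s/samba/samba_3.0.22-1ubuntu3.9.dsc"

# Constructed advisory fragment in the USN layout: a URL line followed by
# a "Size/MD5: <size> <md5>" line.
USN_TEXT = f"""
{SAMPLE_URL}
  Size/MD5: {len(SAMPLE_FILE)} {hashlib.md5(SAMPLE_FILE).hexdigest()}
"""

# Constructed advisory fragment in the VMSA layout: md5sum/sha1sum lines.
VMSA_TEXT = f"""
   VMware Fusion 2.0.6 (for Intel-based Macs): Download including only
   VMware Fusion software

   md5sum: {hashlib.md5(SAMPLE_FILE).hexdigest()}
   sha1sum: {hashlib.sha1(SAMPLE_FILE).hexdigest()}
"""

USN_RE = re.compile(
    r"^[ \t]*(https?://\S+)[ \t]*\n[ \t]*Size/MD5:[ \t]*(\d+)[ \t]+([0-9a-fA-F]{32})",
    re.MULTILINE,
)
SUM_RE = re.compile(r"^[ \t]*(md5|sha1)sum:[ \t]*([0-9a-fA-F]+)[ \t]*$", re.MULTILINE)


def parse_usn_entries(text):
    """Map each listed URL to its (size, md5) pair."""
    return {url: (int(size), md5.lower()) for url, size, md5 in USN_RE.findall(text)}


def parse_vmsa_sums(text):
    """Collect the md5sum:/sha1sum: values from a VMSA-style section."""
    return {alg: digest.lower() for alg, digest in SUM_RE.findall(text)}


def verify_bytes(data, size=None, md5=None, sha1=None):
    """Return the names of the checks that failed; an empty list means the
    file matches every value the advisory supplied."""
    failures = []
    if size is not None and len(data) != size:
        failures.append("size")
    if md5 is not None and hashlib.md5(data).hexdigest() != md5:
        failures.append("md5")
    if sha1 is not None and hashlib.sha1(data).hexdigest() != sha1:
        failures.append("sha1")
    return failures


def verify_usn_download(url, data, advisory_text):
    """Check a file fetched from `url` against the USN entry for that URL."""
    entries = parse_usn_entries(advisory_text)
    if url not in entries:
        return ["not-listed"]  # the advisory never vouched for this file
    size, md5 = entries[url]
    return verify_bytes(data, size=size, md5=md5)


def verify_vmsa_download(data, advisory_text):
    """Check a file against the md5sum/sha1sum lines of a VMSA section."""
    sums = parse_vmsa_sums(advisory_text)
    return verify_bytes(data, md5=sums.get("md5"), sha1=sums.get("sha1"))


if __name__ == "__main__":
    print("intact USN file:", verify_usn_download(SAMPLE_URL, SAMPLE_FILE, USN_TEXT))
    # Flip one bit: the size still matches, only the digest catches it.
    flipped = bytes([SAMPLE_FILE[0] ^ 0x01]) + SAMPLE_FILE[1:]
    print("bit-flipped file:", verify_usn_download(SAMPLE_URL, flipped, USN_TEXT))
    print("intact VMSA file:", verify_vmsa_download(SAMPLE_FILE, VMSA_TEXT))
```

The size check alone is not enough: a single flipped bit leaves the size intact and is caught only by the digest. Conversely, a matching MD5 proves only that the download is the file the vendor published; MD5 collisions were already practical in 2009, so the trust comes from the PGP signature on the advisory itself (both notices above are signed) and from the distribution's package signing, and the hash comparison serves to detect a corrupted or substituted mirror copy.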