[Full-disclosure] rPSA-2006-0174-1 gnome-ssh-askpass openssh openssh-client openssh-server
rPath Security Advisory: 2006-0174-1
Published: 2006-09-27
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification: Remote Deterministic Denial of Service
Updated Versions:
    gnome-ssh-askpass=/[EMAIL PROTECTED]:devel//1/4.2p1-2.2-1
    openssh=/[EMAIL PROTECTED]:devel//1/4.2p1-2.2-1
    openssh-client=/[EMAIL PROTECTED]:devel//1/4.2p1-2.2-1
    openssh-server=/[EMAIL PROTECTED]:devel//1/4.2p1-2.2-1
References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4925
    https://issues.rpath.com/browse/RPL-661

Description:
Previous versions of the openssh package are vulnerable to a remote denial of service attack that causes the server to consume CPU when presented with certain data. They also have a bug (not a vulnerability) that causes the client to crash harmlessly instead of exiting cleanly under some attacks; this is not a vulnerability but is also fixed in this update.

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Rothman: Belva's a Joker (was Could InfoSec be Worse than Death?)
Hi Ken,

Sorry to chime in at this late stage in the thread, but it's one I've been watching and trying to get my head around since you started it, and I'm running across similar problems to Paul. Because this all seems a little abstract (as such theoretical discussions are wont to be), I'm going to try and put into words (using the least detailed of all descriptions, an analogy) where I fail to see how Virtual Trust is anything other than at worst a misnomer and at best a slight marketing advantage:

Cyril lives in Hackton and owns a local newspaper, The Hackton Times. Every morning Cyril needs to distribute his product to the general populace (be they subscribers or resellers); to do this he uses paperboys. The paperboys all ride bicycles to get them around Hackton (it's a fairly large area, so delivering by hand is impractical). Occasionally these bikes break and need repairing.

In my mind, both the Loss Prevention and Virtual Trust paradigms focus on the delivery condition (the bikes being functional), the only difference being that the Virtual Trust paradigm would advocate the active servicing of bikes (the security of the delivery mechanism) on the basis that this would establish more Trust with customers (they're guaranteed to get their paper), as opposed to just actively servicing the bikes as part of a standard working practice.

What I can't see is what actual advantage the Virtual Trust model is bringing beyond the one that loss prevention brings: the same process is happening, the same costs are being incurred, and I can't see the slight establishment of trust (even when we get into areas where the reliability of the delivery mechanism is paramount) making much of a difference business-wise. The fact you service the bikes isn't going to let you do anything beyond keep the bikes going and say that you service them; there's no extra product or anything new that's created by servicing them.

It seems to me that the limited advantage gained by using the Virtual Trust paradigm is outweighed by the fact that a lot of people (myself included atm) are going to see it as a way of highlighting a fairly irrelevant point (Look! We're Secure!) to obfuscate the security process in order to encourage more expenditure. It seems like you're trying to sell Security as something other than a method for making something secure.

Sorry if my inane rambling got a little off the mark, I hope you can clear some of this up for me.

Tom Harrison

Paul,

I admit it takes a bit to change one's perspective from the loss prevention to the virtual trust perspective. The loss prevention paradigm is very embedded, so it is easier to think in those terms. But once you begin to think about virtual trust, it will come. You will begin to see how the security mechanisms allow us to do things rather than simply prevent loss. That's the point (which you actually agree with already). It just takes a bit to actually live it.

Ken
Re: [Full-disclosure] Windows VML security update MS06-055 released
Juha-Matti Laurio wrote:

> It appears that the timestamp of updated Vgx.dll library is 18th September, 2006.

so M$ knows timestomp! http://metasploit.com/projects/antiforensics/ :-P
Re: [Full-disclosure] Rothman: Belva's a Joker (was Could InfoSec be Worse than Death?)
Tom,

No I don't mind answering your objections. I find this debate very healthy and it helps me to further clarify these ideas. After all, I am the challenger to a very entrenched perspective (loss prevention). I'd better be able to discuss the differences to people's satisfaction.

Your example is excellent. I think it really gets to the heart of the matter. I'm going to paste something from an earlier thread and then extrapolate that in contrast to your objections.

> The information security mechanisms are a necessary but not sufficient condition to create these new assets. The loss prevention model shows how this necessary condition breaks down and what we can do to stop the breakdown. The virtual trust model says that once we have this necessary condition, here are the things we may do with it. The focus is different.

> In my mind, both the Loss Prevention and Virtual Trust paradigm focus on the delivery condition (the bikes being functional), the only difference being that the Virtual Trust paradigm would advocate the active servicing of bikes (the security of the delivery mechanism) on the basis that this would establish more Trust with customers (they're guaranteed to get their paper) as opposed to just actively servicing the bikes as part of a standard working practice.

While I think this is an excellent comparison, there are certain aspects of this comparison that I do not like, but I will go with it for now because I think it will help clarify things. (My main objection is that it is a physical and not an electronic example. This may cause confusion later.)

The loss prevention model focuses on the servicing model that you cite. For example, vulnerability assessments, change control, and following existing policy and procedures are examples of maintaining the bikes. Anti-virus, IPS/IDS, and firewalls are bikes but are only meant to prevent loss. I take it that this will not be objected to. So what's the difference between loss prevention and VT? It's this.

What security mechanisms would allow us to create bikes? And when we have our bikes, what can we do with them? Well, we need a bike with such and such tire size, a bike that has a soft seat for those long rides, etc. Once we have established the bike and its properties, we can expand our routes to cover different markets, we can deliver different print content than simply newspapers, we could sell/offer different services as well as newspaper delivery (bill payment), etc.

[If you are really going for the jugular you will note that I did not mention any security mechanisms. That's because this is where I think the example breaks down between physical and electronic means. Generally one should be able to take the underlying concepts and apply them, which I do in the next paragraph.]

So, we can use authentication to identify someone (a bike). It's a security mechanism. Once we have this ability, what can we do with it? Well, we can create credit card products (it's electronic), EasyPass, pay-per-click advertising, etc. We can create new revenue streams and cash flow using this methodology. (I should note that the pay-per-click example is Brian Eaton's. I was psyched when I saw it!)

We never mention loss in the authentication example. It's not about making sure that our authentication mechanism works properly (checking for SQL injection) or maintaining it. We could (and should) understand loss prevention in terms of VT. But that's not my focus right here and now.

In the first example, we understand the loss prevention and a necessary means for maintaining the trust: keeping the bikes maintained so we can keep our routes established. In the VT model, how do we establish the trust so we can do things with that trust? How do we establish the route itself and how do we create the bikes? Once these things are established, what can we do with our bikes and routes? Selecting the right security mechanism and its purpose(s) are our objective in the VT model.

As my co-author Sam mentioned to me the other day, not every security mechanism is in the VT enablement toolkit. So, a firewall will not be in the VT enablement toolkit. It helps to get to that baseline level of trust, but it does not function in a way that is useful to the creation of new assets.

I'd like to reiterate the quote at the beginning. Loss prevention is the maintenance of the necessary condition of trust. VT is establishing that trust and then doing something with it. There is often a mistake in asking security to be a sufficient condition to generate revenue. In other words, how can our IPS device all by itself bring us revenue? Well, it can't. And I'm not claiming that. I am claiming that security is one of the essential components (necessary) for the creation of electronic business. I think that authentication and DRM are two excellent examples of this. iTunes, EasyPass, etc. are great real world examples of VT.
Re: [Full-disclosure] VML Exploit vs. AV/IPS/IDS signatures
Hi,

> i.e. I can't afford to buy specialized security tools/devices for specialized attacks unless my company relies heavily on web/content services.

So, you will buy specialized security tools like firewall or Anti-Virus, but not web content filtering tool?

> In our company, we established an information-sharing network with other security companies. So the real-time exploit-facing signatures were then subjected to live traffic, honeypots and countless variants; they seemed to work out pretty well.

I would like to see how your real-time signatures get updated with the randomization implemented in the new VML metasploit module. Your countless exploit variants will become really innumerable.

The problem is that the signatures are written for the exploit, and not for the vulnerability.

-- Aviv.
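The exploit-signature versus vulnerability-signature point made in the reply above, as an added example that is not part of the thread and is not the metasploit module's code. It runs two detectors over a constructed corpus: a byte-exact pattern taken from one (constructed) public proof of concept, and a structural rule on the condition the exploit has to satisfy. The trigger condition used here (an overlong attribute value on a VML element) is a hypothetical stand-in, since the thread does not describe what vgx.dll actually mishandles; the randomizing variant generator only changes the things such a module can change without breaking the trigger: padding bytes, attribute order, tag case and whitespace.

```python
"""Exploit signature vs. vulnerability signature, illustrated.

Added example, not from the thread.  The trigger condition below
(an overlong attribute value on a VML element) is a hypothetical
stand-in for whatever the real vgx.dll bug requires; the "public
exploit" pattern and every sample document are constructed here.
"""
import random
import re

# Hypothetical exploit-derived signature: the literal prefix of one
# public proof of concept, as a vendor might ship it the same day.
EXPLOIT_SIGNATURE = '<v:fill method="' + 'A' * 64

# Hypothetical vulnerability-derived rule: any attribute on a VML
# (v:) element whose value exceeds this many bytes.
ATTR_LIMIT = 256

_TAG = re.compile(r'<v:[A-Za-z]+\b([^>]*)>', re.IGNORECASE | re.DOTALL)
_ATTR = re.compile(r'([A-Za-z:_-]+)\s*=\s*"([^"]*)"', re.DOTALL)


def exploit_signature_match(doc: str) -> bool:
    """Byte-exact match against the known exploit: cheap, brittle."""
    return EXPLOIT_SIGNATURE in doc


def vulnerability_rule_match(doc: str) -> bool:
    """Structural match on the (assumed) vulnerable condition: an
    attribute value on a v: element longer than ATTR_LIMIT bytes."""
    for tag in _TAG.finditer(doc):
        for _name, value in _ATTR.findall(tag.group(1)):
            if len(value.encode()) > ATTR_LIMIT:
                return True
    return False


def original_exploit() -> str:
    """Constructed stand-in for the first public exploit page."""
    return ('<html xmlns:v="urn:schemas-microsoft-com:vml"><body>'
            '<v:rect><v:fill method="' + 'A' * 600 + '"/></v:rect>'
            '</body></html>')


def randomized_variant(seed: int) -> str:
    """What a randomizing exploit module changes between requests:
    padding bytes, attribute order, tag case and whitespace.  The
    overlong attribute, the actual trigger, is always still there."""
    rng = random.Random(seed)
    alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    pad = ''.join(rng.choice(alphabet) for _ in range(rng.randint(600, 900)))
    attrs = [f'method="{pad}"', f'id="{rng.randrange(10**6)}"']
    rng.shuffle(attrs)
    ws = ' ' * rng.randint(1, 4)
    tag = rng.choice(['v:fill', 'V:FILL', 'v:Fill'])
    return ('<html xmlns:v="urn:schemas-microsoft-com:vml"><body>'
            f'<v:rect><{tag}{ws}' + ws.join(attrs) + '/></v:rect>'
            '</body></html>')


def benign_document() -> str:
    """Constructed ordinary VML: short attributes, nothing to flag."""
    return ('<html xmlns:v="urn:schemas-microsoft-com:vml"><body>'
            '<v:rect style="width:100pt;height:50pt">'
            '<v:fill color="#ff9900" method="linear sigma"/></v:rect>'
            '</body></html>')


def evaluate() -> dict:
    """Run both detectors over the constructed corpus.
    Returns {name: (exploit_signature_hit, vulnerability_rule_hit)}."""
    corpus = {
        'original': original_exploit(),
        'randomized': randomized_variant(seed=2006),
        'benign': benign_document(),
    }
    return {name: (exploit_signature_match(d), vulnerability_rule_match(d))
            for name, d in corpus.items()}


if __name__ == '__main__':
    for name, (sig, rule) in evaluate().items():
        print(f'{name:11s} exploit-signature={sig!s:5s} vulnerability-rule={rule!s}')
```

The exploit signature catches only the sample it was cut from; every reseeded variant slips past it while still satisfying the structural rule, which is the point being made about signatures written for the exploit rather than the vulnerability.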
[Full-disclosure] Major UK Bank Web Sites With Serious Security Flaws
Major UK Bank Web Sites With Serious Security Flaws

Tests conducted by heise Security show that the online banking web sites of eight major UK banks are vulnerable to long known security issues.

NatWest, Cahoot, Bank of Scotland, Bank of Ireland, First Direct and Link use frames on their web sites. This means that customers of those banks using Internet Explorer, in the default configuration, are vulnerable to frame spoofing attacks. This issue has been known since 1998. Incidentally, the same kind of attack works (mis)using the site of 'The Dedicated Cheque and Plastic Crime Unit', a bank-sponsored police force.

UBS and the Bank of England are vulnerable to very simple cross site scripting attacks.

All vulnerabilities could be used by attackers to mount advanced phishing attacks, using the context of the original banking site. The user still sees a valid certificate and the correct address in the address bar.

heise Security has informed all eight banks and has set up demos that illustrate these problems. Three banks have already reacted and changed their sites. NatWest removed the name of the frame, so that simple attacks no longer work. However, the frame can still be addressed and modified using JavaScript. Bank of England updated their vulnerable application to filter user input. UBS changed their online banking application twice, but is still not filtering user input sufficiently.

You can find more details and concrete, working demonstrations of the security problems in the article "You can't bank on security" at http://www.heise-security.co.uk/articles/76590

bye, ju

--
Juergen Schmidt
editor-in-chief heise Security
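The frame spoofing finding above, reduced to the check a site owner would run on their own pages: an added example that is not heise Security's demo code. It inventories the frames a page defines and states how a third-party page could address each one. The sample page is constructed here, and the addressing rules are the classic ones assumed for a frameset page in a browser that does not restrict cross-site frame targeting (Internet Explorer of the time, per the article): a frame with a name can be navigated by any page through window.open(url, name) or an anchor with target="name", and a frame without a name can still be navigated by script that holds a reference to the parent window, through frames[index].location. That second case is why removing the name, as NatWest did, stops the simple attack but not the JavaScript one.

```python
"""Added example, not from the heise article: inventory the frames in
a page and state how another site could address each one.

The sample page is constructed.  Addressing rules assumed: a named
frame is reachable by name from any page (window.open / target=);
an unnamed frame is reachable only by script holding a reference to
the parent window, via parent.frames[index].  A flat frameset is
assumed, so document order equals the index in window.frames.
"""
from html.parser import HTMLParser


class FrameCollector(HTMLParser):
    """Collect <frame> and <iframe> start tags in document order."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            a = dict(attrs)   # HTMLParser lowercases attribute names
            self.frames.append({"tag": tag, "name": a.get("name"), "src": a.get("src")})


def frame_report(html: str) -> list:
    """One entry per frame: index, name, src, and how a third-party
    page could navigate it under the assumptions in the docstring."""
    parser = FrameCollector()
    parser.feed(html)
    report = []
    for idx, frame in enumerate(parser.frames):
        if frame["name"]:
            how = f'<a target="{frame["name"]}"> or window.open(url, "{frame["name"]}")'
        else:
            how = f"parent.frames[{idx}].location, script holding a window reference only"
        report.append({"index": idx, **frame, "targetable_by": how})
    return report


def named_frames(html: str) -> list:
    """Frame names any page can target without a window reference."""
    return [f["name"] for f in frame_report(html) if f["name"]]


# Constructed sample: a banking-style frameset with an unnamed banner
# frame and a named content frame (the pattern the article describes).
SAMPLE_PAGE = """<html><head><title>Online Banking</title></head>
<frameset rows="80,*">
  <frame src="/banner.html">
  <frame name="content" src="/login.html">
</frameset></html>"""


if __name__ == "__main__":
    for entry in frame_report(SAMPLE_PAGE):
        print(f'{entry["index"]}: <{entry["tag"]}> name={entry["name"]!r} '
              f'src={entry["src"]!r} -> {entry["targetable_by"]}')
```

Run it against the sample and the named content frame is flagged as reachable by name from anywhere; strip the name attribute and that entry drops to the script-only case, which is exactly the residual exposure the article notes after NatWest's change.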
[Full-disclosure] [ GLSA 200609-17 ] OpenSSH: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200609-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: OpenSSH: Denial of Service
      Date: September 27, 2006
      Bugs: #148228
        ID: 200609-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A flaw in the OpenSSH daemon allows remote unauthenticated attackers to cause a Denial of Service.

Background
==========

OpenSSH is a free suite of applications for the SSH protocol, developed and maintained by the OpenBSD project.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  net-misc/openssh          < 4.3_p2-r5                >= 4.3_p2-r5

Description
===========

Tavis Ormandy of the Google Security Team discovered a Denial of Service vulnerability in the SSH protocol version 1 CRC compensation attack detector.

Impact
======

A remote unauthenticated attacker may be able to trigger excessive CPU usage by sending a pathological SSH message, denying service to other legitimate users or processes.

Workaround
==========

The system administrator may disable SSH protocol version 1 in /etc/ssh/sshd_config.

Resolution
==========

All OpenSSH users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose =net-misc/openssh-4.3_p2-r3

References
==========

  [ 1 ] CVE-2006-4924
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200609-17.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

pgp1nHuwlyRxe.pgp (PGP signature)
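The workaround in the GLSA above (and the same CVE-2006-4924 fix in the rPath advisory earlier on this page) is to turn off SSH protocol version 1, since the CRC compensation attack detector is only reached over protocol 1. Whether a given sshd_config actually does that is less obvious than it looks: an absent Protocol line does not mean "2 only", and a second Protocol line does not override the first. The following is an added example, not code from either advisory or from OpenSSH, that reports the effective setting. Two OpenSSH 4.x behaviours are assumed in it: the compiled-in default when no Protocol line is present is "2,1", and for each keyword the first uncommented occurrence is the one that takes effect. The sample configurations are constructed.

```python
"""Added example (not part of either advisory): does an sshd_config
still admit SSH protocol 1?  CVE-2006-4924 lives in the protocol 1
CRC compensation attack detector, so disabling protocol 1 is the
advisory's workaround.

Assumptions (OpenSSH 4.x semantics): an absent "Protocol" line means
the compiled-in default "2,1", i.e. protocol 1 enabled; the first
uncommented occurrence of a keyword is the one sshd uses.
"""
import re

DEFAULT_PROTOCOL = "2,1"   # assumed OpenSSH 4.x built-in default


def effective_protocol(config_text: str) -> str:
    """Return the Protocol value sshd would use for this config text."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        # keyword and value may be separated by whitespace or '='
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "protocol" and len(parts) == 2:
            return parts[1].strip()   # first occurrence wins
    return DEFAULT_PROTOCOL


def protocol1_enabled(config_text: str) -> bool:
    """True if version 1 is among the protocols sshd will offer."""
    versions = {v.strip() for v in effective_protocol(config_text).split(",")}
    return "1" in versions


# Constructed sample configurations, one per case worth checking.
SAMPLES = {
    # stock file: the Protocol line is commented out, so the default applies
    "default":    "# default sshd_config\n#Protocol 2,1\nPort 22\n",
    # the workaround applied
    "hardened":   "Protocol 2\nPermitRootLogin no\n",
    # a later line does not override the first one
    "first_wins": "Protocol 2,1\nProtocol 2\n",
    # '=' separator form, protocol 1 only
    "legacy":     "Protocol=1\n",
}


def audit() -> dict:
    """{sample name: protocol 1 enabled?} over the constructed samples."""
    return {name: protocol1_enabled(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, enabled in audit().items():
        state = "ENABLED (vulnerable detector reachable)" if enabled else "disabled"
        print(f"{name:11s} Protocol={effective_protocol(SAMPLES[name]):4s} protocol 1 {state}")
```

To run it against a real host, pass the contents of /etc/ssh/sshd_config to protocol1_enabled(); note that on the 4.x builds the advisory covers, a file that never mentions Protocol still reports protocol 1 as enabled, which is the case administrators most often get wrong.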
Re: [Full-disclosure] IM Sniffer release
Well I looked at the site but didn't see any files to download. Just curious, what is your utility written in?

On 9/23/06, crazy frog crazy frog [EMAIL PROTECTED] wrote:
> Hi,
> I'm releasing a small utility which can capture and decode Yahoo, AIM and Rediff text chat. Hopefully it might help you in some way.
> Please get it here:
> http://www.secgeeks.infys.net/node/209#attachments
> Thanks,
> _CF
> --
> ting ding ting ding ting ding ting ding ting ding ding i m crazy frog :) oh yeah oh yeah... another wannabe, in hackerland!!!
[Full-disclosure] ERRATA: [ GLSA 200609-17 ] OpenSSH: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory [ERRATA UPDATE]        GLSA 200609-17:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: OpenSSH: Denial of Service
      Date: September 27, 2006
   Updated: September 27, 2006
      Bugs: #148228
        ID: 200609-17:02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Errata
======

The Resolution proposed in the original version of this Security Advisory listed a wrong version number. The corrected section appears below.

Resolution
==========

All OpenSSH users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose =net-misc/openssh-4.3_p2-r5

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200609-17.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

pgpcCGfni2wBp.pgp (PGP signature)
[Full-disclosure] [ MDKSA-2006:170-1 ] - Updated webmin packages fix XSS vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

___
Mandriva Linux Security Advisory                         MDKSA-2006:170-1
http://www.mandriva.com/security/
___

Package : webmin
Date    : September 27, 2006
Affected: 2007.0
___

Problem Description:

Webmin before 1.296 and Usermin before 1.226 does not properly handle a URL with a null (%00) character, which allows remote attackers to conduct cross-site scripting (XSS), read CGI program source code, list directories, and possibly execute programs.

Updated packages have been patched to correct this issue.

Update:

Packages are now available for Mandriva Linux 2007.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4542
___

Updated Packages:

Mandriva Linux 2007.0:
e47e91c741de0fa6fabb1653784c0400  2007.0/i586/webmin-1.290-4.1mdv2007.0.noarch.rpm
5796c775e71e3aef04bd6fd356ea049e  2007.0/SRPMS/webmin-1.290-4.1mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
e6042ec6b4e74f560e9a05f8b05fafd5  2007.0/x86_64/webmin-1.290-4.1mdv2007.0.noarch.rpm
5796c775e71e3aef04bd6fd356ea049e  2007.0/SRPMS/webmin-1.290-4.1mdv2007.0.src.rpm
___

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com
___

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFGylqmqjQ0CJFipgRAsLLAJ4+nFfY5pSxr/Jw/ESomvcezWt2rQCfVlIm
QzxhpYv60dzAbTx2EQa5qm4=
=87GQ
-----END PGP SIGNATURE-----