Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Jann Horn
On Sat, Feb 08, 2014 at 04:21:52AM -0500, Jeffrey Walton wrote:
> RFC 2142 offers a number of well known mailboxes that should be
> monitored. Try secure@, security@, and support@.

Doesn't look as if any of those addresses would work:

RCPT TO:
550 Mailbox unavailable or access denied - 
RCPT TO:
550 Mailbox unavailable or access denied - 
RCPT TO:
550 Mailbox unavailable or access denied - 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Clickjacking (?) on Facebook.com (Question)

2013-12-12 Thread Jann Horn
On Thu, Dec 12, 2013 at 05:25:09PM -0800, Michal Zalewski wrote:
> > Doesn't Google always send JSON with Content-Disposition: attachment or so
> > because of that?
> 
> One of the reasons (there's also content sniffing, etc). But then,
> consider view-source:, too - you can use it in Firefox to render the
> source of a HTML page in a frame (Chrome no longer lets you use
> view-source within frames).

Augh! https://bugzilla.mozilla.org/show_bug.cgi?id=624883 – bug from 2011
about this, status NEW. That's horrible.



Re: [Full-disclosure] Clickjacking (?) on Facebook.com (Question)

2013-12-12 Thread Jann Horn
On Thu, Dec 12, 2013 at 05:11:59PM -0800, Michal Zalewski wrote:
> >> But I wouldn't consider it a failing on part of the targeted website -
> >> you'd need to put essentially everything behind XFO to fix this
> >> problem on application level, which is not feasible for a good number
> >> of websites (including FB, because they have a variety of gadgets that
> >> are meant to be framed).
> >
> > Or use JS to make it impossible to select text or so.
> 
> Doesn't work for non-HTML content, such as JSON responses, images, etc :-)

Doesn't Google always send JSON with Content-Disposition: attachment or so
because of that?
Of course, good point about images.



Re: [Full-disclosure] Clickjacking (?) on Facebook.com (Question)

2013-12-12 Thread Jann Horn
On Thu, Dec 12, 2013 at 01:25:31PM -0800, Michal Zalewski wrote:
> > That page allows drag-and-drop of the user's name. If you can convince the user
> > to select his name with a triple-click and then do a drag-and-drop of that name to
> > some place outside the iframe, you can find out his name, so I'd say it's a privacy
> > leak.
> 
> I had something to do with Chrome, Safari, and Firefox disallowing
> cross-domain drag-and-drop:
> 
> http://lcamtuf.coredump.cx/dnd/
> 
> We have pinged Microsoft long time ago about this, too - and hopefully
> this will be resolved on their end

Oh, cool.


> But I wouldn't consider it a failing on part of the targeted website -
> you'd need to put essentially everything behind XFO to fix this
> problem on application level, which is not feasible for a good number
> of websites (including FB, because they have a variety of gadgets that
> are meant to be framed).

Or use JS to make it impossible to select text or so.


> > Yeah, Chromium has protections against that, but they're not exactly
> > bulletproof – they become useless as soon as there's a single page on the
> > victim domain that is framable and somehow lets the user publish data.
> 
> Well, honestly, that becomes a bit of a stretch - if there's a good
> PoC you can put together for Facebook specifically, I suspect it may
> convince them to fix this, though.

I don't think I can do that.



Re: [Full-disclosure] Clickjacking (?) on Facebook.com (Question)

2013-12-12 Thread Jann Horn
On Thu, Dec 12, 2013 at 12:43:00PM -0800, Michal Zalewski wrote:
> What is your exact concern?

That page allows drag-and-drop of the user's name. If you can convince the user
to select his name with a triple-click and then do a drag-and-drop of that name to
some place outside the iframe, you can find out his name, so I'd say it's a privacy
leak.

Yeah, Chromium has protections against that, but they're not exactly
bulletproof – they become useless as soon as there's a single page on the
victim domain that is framable and somehow lets the user publish data. This is
because Chromium allows drag-and-drop between two frames from the same domain
even if those two frames are inside another page and the drag-and-drop goes
"through" a page with different origin. Also, as far as I know, not all
webbrowsers have such protections.



Re: [Full-disclosure] Clickjacking (?) on Facebook.com (Question)

2013-12-12 Thread Jann Horn
On Wed, Dec 11, 2013 at 10:18:09PM +0100, Stefan Schurtz wrote:
> it is possible to load
> "https://www.facebook.com/login/reauth.php?next=https://www.facebook.com/confirmphone.php&display=popup";
> in another page.
[...]
> My question: is this really not a security problem on Facebook?

I'd say it is a problem, especially given that drag/drop isn't blocked on that
page. Did you report this to Facebook yet?



Re: [Full-disclosure] [CVE-2013-6356] Avira Secure Backup v1.0.0.1 Multiple Registry Key Value Parsing Local Buffer Overflow Vulnerability

2013-11-17 Thread Jann Horn
On Sat, Nov 16, 2013 at 03:23:07PM +0100, Julien Ahrens wrote:
> A buffer overflow vulnerability has been identified in Avira Secure
> Backup v1.0.0.1 Build 3616.

> An attacker needs to force the victim to import an arbitrary .reg file
> in order to exploit the vulnerability.

Could you please elaborate on why this is a "vulnerability"? If I can convince
someone to import random registry files, can't I just add some autorun entry
or whatever?



Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on polipo(8123)

2013-08-18 Thread Jann Horn
On Sat, Aug 17, 2013 at 07:50:34PM -0400, valdis.kletni...@vt.edu wrote:
> On Sat, 17 Aug 2013 13:39:16 +0200, Jann Horn said:
> 
> > And yes, you're right, a DoS attack can be unsuccessful. My point was that
> > this small amount of traffic shouldn't be called a DDoS because there's no
> > way that the intention behind this amount of traffic was to take down that
> > service with pure bandwidth.
> 
> How quickly they forget
> 
> Not all DDoS are pure bandwidth based.  Consider SYN flooding, where the
> packets sent are relatively small and often not even all that frequent, but can
> tie up large amounts of resources on the target machine. This sort of attack
> works particularly well against sites that have a big blind spot because they
> think that all DDoS attacks are massive bandwidth hosedowns.

So, why would an attacker use a distributed attack for that? Wouldn't
one machine with good connectivity be sufficient (assuming that you spoof the
source address differently each time)?


> How many connections/sec does it take to forkbomb your Apache server into
> uselessness?  And if you rate limit your Apache so your system doesn't
> forkbomb, how many does it take to prevent legitimate traffice from being
> serviced?

Right, that would be much harder to block if it was distributed.



Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on polipo(8123)

2013-08-17 Thread Jann Horn
On Fri, Aug 16, 2013 at 02:58:41PM -0300, Luther Blissett wrote:
> On Fri, 2013-08-16 at 19:31 +0200, Jann Horn wrote:
> 
> > Let me google that for you. Hmm. Assigned to "Polipo Web proxy". So maybe
> > someone tried to connect to them through your exit node and they do proxyscans
> > on people who connect to them?
> > 
> > 
> 
> Sorry but I did not understand this. I had already said it was attempt
> on polipo. What exactly was so dumb in my phrasing that required you to
> rephrase it?

Nothing, I didn't see that you had already looked up what port that is. Sorry
about that.


> > > Before the packet storm,
> > 
> > Oooh, a storm!
> > 
> > 
> Ok, maybe it was just a light wind and my system is the most laughable
> one.

Or maybe it was a light but dangerous wind. :P


Anyway, sorry for the tone in my mail – as others pointed out, it was
inappropriate. :/

Well, I hope you can figure out what caused every pair of bytes to be swapped
in that logfile line (the one where you posted the hexdump).



Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on polipo(8123)

2013-08-17 Thread Jann Horn
On Fri, Aug 16, 2013 at 04:49:24PM -0500, adam wrote:
> Jann, you know what's even worse than someone being a dick for no
> reason? Someone being a _stupid_ dick for no reason.

Maybe I'm being a dick, and maybe I'm being a dick for no reason, but I
don't think I'm being a _stupid_ dick.


> In case you're
> unaware, the word "massive" was completely absent from this thread
> until YOU attempted to put it in someone elses' mouth. Beyond that,
> since you want to rip apart an innocent guy's post, let's see what
> happens when someone does it to yours.
> 
> "DDoS? So you mean your systems were impacted by that?"
> 
> Impacted is not the word you were looking for, since the answer to
> that would technically be a yes - not the no you were expecting. That
> aside, a denial of service attack is still a denial of service attack
> regardless of whether it succeeds or not. In fact, if you look up the
> definition - you'll see that it's _an attempt_ to make X unavailable.
> Not necessarily a successful one.

He was talking about a DDoS. Right, a DoS is just an attempt to make some kind
of service unavailable, but a DDoS is an attempt to make a system unavailable
by flooding it with an overwhelming amount of traffic from multiple sources.
IMO mentioning a DDoS implies "massive".

And yes, you're right, a DoS attack can be unsuccessful. My point was that
this small amount of traffic shouldn't be called a DDoS because there's no
way that the intention behind this amount of traffic was to take down that
service with pure bandwidth.


> "Let me google that for you. Hmm. Assigned to "Polipo Web proxy"."
> 
> Psst.. you may want to read the entire thread title.

Heh, you have a point.


> "Oooh, a storm!"
> 
> storm
> Verb
> Move angrily or forcefully in a specified direction: "she stormed off".
> 
> Whether you like it or not, it meets the definition.

Uh, he didn't use it as a verb. He used the noun "storm", and two times, he
said "packet storm". I read "packet storm" as "a storm of packets", so my
interpretation is that he was talking about a storm on the packet level.

If you have a look at the Jargon File, you'll see that in the context of
IT, a "storm" usually means something that is characterized by massive
amounts of network activity. A packet storm then would be something that looks
like a really big amount of activity on the network level, right?


> "Your systems were impacted by a DoS attack with 30 packets per
> second? You might
> want to upgrade to hardware that is a few decades newer."
> 
> How much of the original post did you actually read? Nowhere in it did
> the OP say that this attack succeeded. Again, just like above - YOU
> are the one who first used the word impact[ed]. It's funny how you put
> words in peoples' mouths, and then reply to them as though they
> actually said it.

Why would you call 30 packets per second an attack unless that actually impacts
your system? It was an ironic statement intended to hint at the possibility
that the OP was mistaken about what exactly impacted his system.


> More than that, the only thing the OP mentioned was
> that one of his log files were corrupted in the process of the attack.
> I didn't read that the attack succeeded, shut down the service, his
> machine, his network or anything else - and neither did you.

Right.


> "You were attacked by "O=TCP SPT=2216"? Cool story."
> 
> Oh my God, there was a line in there that didn't have an IP address?
> What a RETARD the OP must be. How can anyone be so stupid? I bet the
> earth stopped spinning when that happened. Think so?

Tough question. No, seriously, to me this means that he piped his firewall logs
or so into some command-line commands without making really sure that the
commands extract exactly the data he wants. Therefore, this line means for me
that there's a high possibility of totally unrelated IPs being in that list
that just happened to communicate with his system at the wrong time. For me,
this line makes the validity of that whole list very questionable.


> "He said above 30 packets per second, right? I'll just assume it's around 30.
> And the sample packet from that "packet storm" contained this part: "LEN=52".
> So that's around 1500 bytes per second, or 12 kilobits per second. And those
> packets are downstream for him."
> 
> You're randomly assuming that all of the packets were the exact same
> length, which makes anything derived from that assumption
> automatically flawed.

That's right. I assumed that the traffic was highly uniform because:
 - as far as I know, traffic usually is relatively uniform in attacks
 - he picked this one line and apparently thought that it was sufficient
   to give us an idea of what the attack traffic looked like (otherwise,
   he would have shown us a bunch of lines and not just one because his
   intent here obviously was to illustrate the nature of the attack,
   right?)
Well, maybe I jumped to conclusions here, but I don't think so.


> "A good modem connecti

Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on polipo(8123)

2013-08-16 Thread Jann Horn
On Fri, Aug 16, 2013 at 01:37:54PM -0400, Jeffrey Walton wrote:
> On Fri, Aug 16, 2013 at 1:31 PM, Jann Horn  wrote:
> > On Thu, Aug 15, 2013 at 05:29:52PM -0300, Luther Blissett wrote:
> >> Hello dear companions,
> >>
> >> Two days ago one of my tor exit nodes experienced something I'm now
> >> calling "limestonenetworks DDoS on polipo" ( $WAN_IP:8123 ), since all
> >
> > DDoS? So you mean your systems were impacted by that?
> He may be running an exit node for the benefit of others on a low
> bandwidth connection.
> 
> Forgive me if you were joking with an old friend, or I missed something.

Let's check how massive that "attack" is.

He said above 30 packets per second, right? I'll just assume it's around 30.
And the sample packet from that "packet storm" contained this part: "LEN=52".
So that's around 1500 bytes per second, or 12 kilobits per second. And those
packets are downstream for him.

Now take a look at <http://en.wikipedia.org/wiki/Modem#List_of_dialup_speeds>.
A good modem connection can give you up to 56kbit/s per direction as far as I
understand. So unless I made some weird calculation errors, someone on a good
modem connection should be able to take that "attack" without any problems.

An "attack" from one (!) bot on a normal DSL line should already be much bigger.

Calling this a DoS attack would be ridiculous, calling it a DDoS even more so.

(Of course, it might still be that he really was hacked and his systems were
attacked in a smarter way, but it's very clear that nobody tried to take him
out with pure bandwidth.)



Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on polipo(8123)

2013-08-16 Thread Jann Horn
On Thu, Aug 15, 2013 at 05:29:52PM -0300, Luther Blissett wrote:
> Hello dear companions,
> 
> Two days ago one of my tor exit nodes experienced something I'm now
> calling "limestonenetworks DDoS on polipo" ( $WAN_IP:8123 ), since all

DDoS? So you mean your systems were impacted by that?


> packets in the storm were flowing from a range of 514 different IP
> addresses, all of them inside limestonenetworks IP range and targeting
> port 8123 on my tor exit node WAN IP.

Let me google that for you. Hmm. Assigned to "Polipo Web proxy". So maybe
someone tried to connect to them through your exit node and they do proxyscans
on people who connect to them?


> Before the packet storm,

Oooh, a storm!


> The attack persisted for at least three hours and left this binary (hex
> represented):
> 
> 000        
> *
> b90       2067 3331
> ba0 3220 3a30 3135 303a 2034 6174 6567 7573
> bb0 7568 7520 6573 2e72 6177 6e72 6b20 7265
> bc0 656e 3a6c 5b20 6168 6d6d 7265 205d 203a
> bd0 4e49 763d 616c 326e 4f20 5455 203d 414d
> be0 3d43 3030 323a 3a31 3732 663a 3a61 6464
> bf0 343a 3a34 3030 313a 3a35 3966 323a 3a61
> c00 6639 643a 3a39 3830 303a 3a30 3534 303a
> c10 3a30 3030 333a 2034 5253 3d43 3132 2e36
> c20 3432 2e35 3232 2e31 3031 2037 5344 3d54
> c30 3831 2e39 3833 322e 3533 322e 3035 4c20
> c40 4e45 353d 2032 4f54 3d53 7830 3030 5020
> c50 4552 3d43 7830 3030 5420 4c54 343d 2038
> c60 4449 313d 3335 3431 4420 2046 5250 544f
> c70 3d4f 4354 2050 5053 3d54 3932 3635 4420
> c80 5450 383d 3231 2033 4957 444e 574f 363d
> c90 3535 3533 5220 5345 303d 3078 2030 5953
> ca0 204e 5255 5047 303d 000a   
> ca9

Maybe your disk is just broken?


> Attached is the list of participating IP addresses, line by line, with
> the count of packets received. The attacker started sending something
> like 4 packets per second and increased to over than 9000!!! - just
> kidding, over 30 per second.


Your systems were impacted by a DoS attack with 30 packets per second? You might
want to upgrade to hardware that is a few decades newer.

> 74.63.255.118: 248 
> 216.245.193.201: 235 
> 208.115.232.205: 231 
> 74.63.255.119: 225 
> 216.245.193.200: 219
[...]
> O=TCP SPT=2216 : 1 

You were attacked by "O=TCP SPT=2216"? Cool story.


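The hexdump quoted above is what `od -x` prints on a little-endian host, and that is the "every pair of bytes swapped" effect mentioned in the 2013-08-17 reply: od -x groups the file into 2-byte units and prints each unit as a host-order number, so the byte that comes first in the file is shown on the right. The decoder below is an added example written for this page, not code from the thread. SAMPLE_DUMP is copied from the posted dump (the lines at offsets c60 to ca0); the function names, buffer sizes and the handling of od's "*" repeat marker are my own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Five od -x lines copied from the dump quoted in the post (offsets c60..ca0,
 * plus the closing offset-only line).  The all-zero line and the "*" marker
 * from the post are not in this sample, but the decoder handles both. */
const char *const SAMPLE_DUMP =
    "c60 4449 313d 3533 3431 4420 2046 5250 544f\n"
    "c70 3d4f 4354 2050 5053 3d54 3932 3635 4420\n"
    "c80 5450 383d 3231 2033 4957 444e 574f 363d\n"
    "c90 3535 3533 5220 5345 303d 3078 2030 5953\n"
    "ca0 204e 5255 5047 303d 000a\n"
    "ca9\n";

/* Undo "od -x" as run on a little-endian machine.  od -x groups the input
 * into 2-byte units and prints each unit as a host-order number, so the byte
 * that comes first in the file is the low byte and is printed on the right.
 * That is why every pair of bytes looks swapped: the file is fine, the
 * display is not.  Each line is an (octal) offset followed by up to eight
 * words; a line that is just "*" is od's "same as the previous line" marker
 * and is skipped here, as is the final offset-only line.
 * Returns the number of bytes written to out. */
size_t od_x_decode(const char *dump, unsigned char *out, size_t out_cap) {
    size_t n = 0;
    const char *p = dump;
    char line[256];
    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t full = eol != NULL ? (size_t)(eol - p) : strlen(p);
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += full + (eol != NULL ? 1 : 0);

        char *tok = strtok(line, " \t");              /* offset column, or "*" */
        if (tok == NULL || strcmp(tok, "*") == 0) continue;
        while ((tok = strtok(NULL, " \t")) != NULL) { /* the 16-bit words */
            char *end;
            unsigned long word = strtoul(tok, &end, 16);
            if (*end != '\0' || word > 0xffff || n + 2 > out_cap) return n;
            out[n++] = (unsigned char)(word & 0xff);  /* first byte in the file */
            out[n++] = (unsigned char)(word >> 8);    /* second byte in the file */
        }
    }
    return n;
}

/* Decode a dump to printable text; bytes outside printable ASCII (other than
 * newline) are shown as '.'.  Uses a static buffer, so copy the result if
 * you need to keep it across calls. */
const char *decode_text(const char *dump) {
    static char text[1024];
    unsigned char raw[1024];
    size_t n = od_x_decode(dump, raw, sizeof raw);
    size_t i;
    for (i = 0; i < n && i < sizeof text - 1; i++) {
        unsigned char c = raw[i];
        text[i] = (c == '\n' || (c >= 0x20 && c < 0x7f)) ? (char)c : '.';
    }
    text[i] = '\0';
    return text;
}

/* Stand-alone use: pipe od -x output in and get the original bytes out, e.g.
 *   od -x corrupted.log | ./odx > recovered.bin
 * With empty input (./odx < /dev/null) the constructed sample is decoded. */
int main(void) {
    static char in[1 << 16];
    static unsigned char out[1 << 16];
    size_t got = fread(in, 1, sizeof in - 1, stdin);
    in[got] = '\0';
    if (got == 0) {
        fputs(decode_text(SAMPLE_DUMP), stdout);
        return 0;
    }
    size_t n = od_x_decode(in, out, sizeof out);
    fwrite(out, 1, n, stdout);
    return 0;
}
```

Decoding those five lines gives `ID=13514 DF PROTO=TCP SPT=2956 DPT=8123 WINDOW=65535 RES=0x00 SYN URGP=0`, which is an ordinary netfilter log line, so the "corruption" in that part of the file is only in how it was displayed. When you want to look at bytes in file order, use `od -tx1` (or `od -c`) instead of `od -x`.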

Re: [Full-disclosure] Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack

2013-07-26 Thread Jann Horn
On Fri, Jul 26, 2013 at 03:47:41PM -0400, Jeffrey Walton wrote:
> Dr. Bernstein puts a lot of effort into defending against timing
> attacks and other side channels in his NaCl library. I'm not aware of
> any other libraries which go to the same depths. On the downside, NaCl
> is not easy to work with (for example, change compilers or
> cross-compile for iOS or Android); its not really portable (lots of C
> language violations); nor is it easy to get analysis tools on it.

Also, there's no support for AES or RSA as far as I can see. Does anyone know a
library for RSA and/or AES with similar security against side-channel attacks?



[Full-disclosure] Linux reveals IO timing data

2013-07-23 Thread Jann Horn
There are multiple ways in which linux reveals IO timing data. Probably the
most interesting one is the field "voluntary_ctxt_switches" in
/proc/<pid>/status: It reveals how often the process has voluntarily caused
a context switch so far, and usually, a process does that when it's waiting
for something to happen (IO, a timer, ...). Many programs that interact with
the user at least sometimes just wait for the user to do something, they don't
do anything else. So, by polling this entry in procfs, we can find out when
exactly the user does IO – and to be able to do this, it's sufficient to have
an unprivileged account on the system, you don't need to own the process you're
monitoring or to be root.

Even more interesting is that often, input is handed down through a chain of
processes where different kinds of input cause different processes to become
active. For example, an xterm will show activity whenever a modifier key is
pressed or released. For normal keys, it will show activity twice when the key
is pressed down and another time when the key is released (I'm not entirely
sure about the reason for that). This means that when an unprivileged user e.g.
knows that you're typing a text, he can tell when you're typing an uppercase
letter. That might be even more interesting when you're typing in a password.
Also, he can tell how much you're typing, so he can e.g. find out the length
of a password (especially if he also watches for process spawns).

Also, there has been research about how input timing depends on which keys
you're pressing :
> reveal a surprising amount of information on passwords and other text typed
> over SSH sessions (about 1 bit of information per character pair in the case
> of randomly chosen passwords)

So, a local, unprivileged attacker on a normal linux box could learn quite a
bit about what you're typing. For this, he only needs an intentionally-exposed
interface, and it'd be hard to lock this down reliably without impacting the
usability of tools that use it for whatever reason. In other words, removing
this would break backwards compatibility.

You might want to lock down your procfs, I guess...


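The polling described in the post above, as an added example that is not code from the post: it reads /proc/<pid>/status of a process owned by someone else, and prints a timestamp and the delta each time voluntary_ctxt_switches moves. It assumes a Linux box with /proc mounted without hidepid; the 5 ms polling interval and the function names are my choices, and SAMPLE_STATUS is a constructed excerpt of a status file used for offline testing of the parser.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed /proc/<pid>/status excerpt for offline testing; the real file
 * has more fields but uses exactly this "Key:\tvalue" layout. */
const char *const SAMPLE_STATUS =
    "Name:\txterm\n"
    "State:\tS (sleeping)\n"
    "Pid:\t4242\n"
    "PPid:\t1\n"
    "Threads:\t1\n"
    "voluntary_ctxt_switches:\t1337\n"
    "nonvoluntary_ctxt_switches:\t12\n";

/* Return the numeric value of the status line that starts with "key:", or -1
 * if there is no such line.  Matching only at the start of a line keeps
 * "voluntary_ctxt_switches" from matching inside "nonvoluntary_ctxt_switches"
 * and "Pid" from matching "PPid". */
long status_field(const char *status, const char *key) {
    size_t klen = strlen(key);
    const char *line = status;
    while (line != NULL && *line != '\0') {
        if (strncmp(line, key, klen) == 0 && line[klen] == ':')
            return strtol(line + klen + 1, NULL, 10); /* strtol skips the tab */
        line = strchr(line, '\n');
        if (line != NULL) line++;
    }
    return -1;
}

/* Read /proc/<pid>/status into buf (NUL-terminated); 0 on success, -1 on error. */
int read_status(pid_t pid, char *buf, size_t cap) {
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 0;
}

/* Poll a process we do not own and print a timestamp each time its voluntary
 * context-switch counter moves, i.e. each time it blocked and got woken up.
 * For an interactive program that is, in practice, "the user did something". */
int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <pid>\n", argv[0]);
        return 1;
    }
    pid_t pid = (pid_t)atol(argv[1]);
    char buf[8192];
    long last = -1;
    struct timespec tick = { 0, 5 * 1000 * 1000 }; /* 5 ms polling interval */
    for (;;) {
        if (read_status(pid, buf, sizeof buf) != 0) {
            perror("reading /proc/<pid>/status");
            return 1;
        }
        long cur = status_field(buf, "voluntary_ctxt_switches");
        if (last != -1 && cur != last) {
            struct timespec now;
            clock_gettime(CLOCK_REALTIME, &now);
            printf("%ld.%03ld +%ld\n", (long)now.tv_sec,
                   now.tv_nsec / 1000000L, cur - last);
            fflush(stdout);
        }
        last = cur;
        nanosleep(&tick, NULL);
    }
}
```

Build with `cc -O2 -o ctxtwatch ctxtwatch.c` and run `./ctxtwatch $(pidof xterm)` from a second, unprivileged account while typing into the xterm in the first; each keystroke shows up as one or more lines. The lockdown the post alludes to is the procfs hidepid mount option (`mount -o remount,hidepid=2 /proc`, available since Linux 3.3), which hides other users' /proc/<pid> directories and so makes read_status fail for processes you don't own.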

Re: [Full-disclosure] OpenSSH User Enumeration Time-Based Attack

2013-07-11 Thread Jann Horn
On Wed, Jul 10, 2013 at 03:38:59PM +0200, Curesec Research Team wrote:
> By testing several OpenSSH installations we figured there is a delay of
> time when it comes to cracking users (not) existing on a system. A
> normal Brute-force-Attack tests for the correct user and password
> combination, usually without knowledge if the user on the system exists.

FYI, the openssh guys have known this for quite a while and they don't
treat it as an issue worth fixing. They don't want to introduce extra
anti-timing code just to prevent user enumeration from working.

You can also see a measurable difference when you try logging in with
random public RSA keys – around 100% difference over localhost, over the
internet it's much lower, but with a few attempts, you can still get good
data. Well, for systems that have password auth enabled, your approach seems
a lot more reliable.

By the way: If you can hog the CPU for seconds by sending a few kilobytes
of data, isn't that a DoS issue?



Re: [Full-disclosure] Denial of Service in WordPress

2013-06-27 Thread Jann Horn
On Thu, Jun 27, 2013 at 11:50:47PM +0300, MustLive wrote:
> > This just affects the client though right? 
> 
> This DoS only happens on the client side, unlike other types of DoS (see my
> classification), but the issue of the web application is in allowing a Looped DoS
> state. You see the error message very quickly because you are living in 2013
> (where already many browsers protect against the simple form of Looped DoS) and
> using a secure browser - use a browser without this protection (like IE) and
> have fun.

Sooo... a bunch of browsers doing one request at a time (instead of doing a 
real attack) and which slow down if your server becomes unresponsive is a 
threat? Seriously, that might become a few hundred requests per second or so if 
a largeish amount of clients participates, but that shouldn't be able to bring 
down your server.

> > From my understanding you'd have to get the user to click on the tinyurl
> 
> How the attack must go to benefit the attacker. One way is to give people 
> (with vulnerable browsers) to click the link and see endless loop - it'll not 
> give enough overload on target server, since people will quickly close the 
> browser's tab/window. Another one is to give that link to crazy bots (like 
> from search engines), who has no limits on redirects - it'll endlessly 
> connect to target site/sites and overload them.

You said it – you'd need "crazy bots" for that. crazy bots with an absurd 
amount of bandwidth (since they're probably not just indexing your site). I 
think you'll have a hard time finding those – as far as I know, it's standard 
practice to put at least one second of delay between two requests, and that 
rate shouldn't be harmful at all.

> Even better way is to put iframe which leads to such redirector at some sites 
> (the more the better) - it can be ad network with such "fun banner" or hacked 
> web sites with added iframe or via persistent XSS hole. While people will be 
> at such sites the browser in background will be infinitely sending requests 
> to target site/sites (in case of WP redirectors it will be two sites for the 
> first attack with using of tinyurl.com and one site in case of the second 
> attack, which works in all WordPress, including WP 3.5.2). The more time 
> people spend on particular page with injected iframe with endless redirect 
> and the more people are visiting such sites, the more effect will be. No need 
> to ask people to "participate in DoS attack", their browser will be 
> automatically "participating" via Looped DoS attack (just by entering in any 
> way this endless loop).

Yeah, that could happen... but why only do one request at a time? Just use a 
javascript that reloads 100 images with src= at a time, and you 
have your attack completely without using any vulns (and some scriptkiddies 
actually did that, see ). Tip: If you can do something 
without using a vuln or so, having a vuln for it is worthless.



[Full-disclosure] little proof-of-concept for remote traffic statistics using the IP ID field

2013-05-23 Thread Jann Horn
Hello,
I built a small C helper for remotely generating traffic statistics using the
IP ID field. Well, hping3 does all the interesting stuff. This program will
just, every five minutes, send 20 SYN packets in intervals of 100ms to port 80
of the target machine, then sum up the ID differences and output a line with
the current unix time and the number of packets the remote machine seems to
have sent during the two seconds of measuring.

Basically, this program samples a remote machine's packet sending rate using
short bursts of SYNs. Only if the other machine uses one global incrementing
IP ID counter, of course.

This is meant to be an educational tool, which is also why it just uses SYN
packets, making this seem to the other side as if someone's stealth-scanning
their port 80 over and over again. Not exactly the stealthiest way to do this,
but sufficient for demonstration purposes.

Usage:
 - install hping3 (or install hping2 and change hping3 in the source to hping2)
 - compile
 - run for some period of time (maybe 24h?) like this:
   ./rg <target> > traffic_stats
 - plot output using gnuplot or so (start gnuplot, then do
   plot "traffic_stats" using 1:2)

Well, not exactly rocket science and I'm pretty sure most people here already know
the principle and could write something like this in a few minutes, but I thought
I'd share it anyway. Probably useful for demonstrating why IP ID flags are
something you might not want to be globally sequential unless you don't care about
giving your traffic stats to the whole world. Because graphs are good at
demonstrating stuff. :)

The code is attached and also at 
<http://git.thejh.net/?p=roguegraph.git;a=tree>.
I'm not responsible for whatever you do with this or whatever effects it has.
// Copyright (C) Jann Horn (2013)
// You can redistribute this code under the terms of the GPLv2 or GPLv3.
// THIS PROGRAM IS FOR EDUCATIONAL PURPOSES ONLY!
// I AM NOT RESPONSIBLE FOR WHAT YOU DO WITH THIS PROGRAM OR THE IMPACT THIS
// PROGRAM MIGHT HAVE ON YOUR SYSTEMS! YOU HAVE BEEN WARNED!

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <time.h>
#include <sys/types.h>
#include <sys/wait.h>

char *target;

// One measurement: run hping3, collect its output, sum the IP ID deltas between
// consecutive replies and print "<unix time> <packets the target sent meanwhile>".
void run(void) {
  int pipefds[2];
  if (pipe(pipefds)) perror("can't create pipe"), exit(1);
  int parent_fd = pipefds[0];
  int child_fd = pipefds[1];

  pid_t pid = fork();
  if (pid < 0) perror("can't fork"), exit(1);

  if (pid == 0) {
    // child: stdin and stderr go to /dev/null, stdout goes into the pipe
    int nullfd = open("/dev/null", O_RDWR);
    dup2(nullfd, 0);
    dup2(nullfd, 2);
    close(nullfd);
    close(parent_fd);
    dup2(child_fd, 1);
    close(child_fd);
    // 20 SYNs to port 80, 100ms apart (hping3's "-i uN" is N microseconds), so
    // the ID deltas cover a window of roughly two seconds
    execlp("hping3", "hping3", "-c", "20", "-p", "80", "-i", "u100000", "--syn", target, NULL);
    perror("can't exec"), exit(1);
  }
  close(child_fd);

  // parent: slurp hping3's stdout until it exits
  char indata[4096];
  int indata_written = 0;
  int rres;
  while ((rres=read(parent_fd, indata+indata_written, 4095-indata_written)) > 0) {
    indata_written += rres;
    if (indata_written >= 4095) fputs("too much information", stderr), exit(1);
  }
  if (rres < 0) perror("failure reading from child"), exit(1);
  indata[indata_written] = '\0';
  close(parent_fd);
  waitpid(pid, NULL, 0); // reap the child so it doesn't linger as a zombie

  // hping3 prints one line per reply containing " id=<IP ID>"; sum up the
  // differences between consecutive IDs, handling the 16-bit wraparound
  char *s = indata;
  int last_id = -1;
  int sum = 0;
  while ((s=strstr(s, " id=")) != NULL) {
    s += 4;
    int id = atoi(s);
    if (last_id != -1) {
      int diff = id - last_id;
      if (diff < 0) diff += (256*256);
      sum += diff;
    }
    last_id = id;
  }

  printf("%i %i\n", (int)time(NULL), sum);
}

int main(int argc, char **argv) {
  if (argc != 2) fputs("bad invocation\n", stderr), exit(1);
  target = argv[1];

  setbuf(stdout, NULL); // write each sample immediately, even when redirected to a file

  while (1) {
    run();
    sleep(300); // one sample every five minutes
  }
}



[Full-disclosure] Trying to send mail to Broadcom

2013-05-03 Thread Jann Horn
So, I found a vuln for overwriting kernel memory in kernel code by Broadcom for the
Raspberry Pi (afaik not in the official kernel sources, just in the patched
kernel sources for the raspberry pi). It requires you to be in the "video" group,
so it's not very interesting, I think, but I thought, hey, before you share your
PoC for causing a kerneloops with FD, maybe you should contact Broadcom and tell
them so they have a chance to write a fix!

Well, first step: Check their website.
Result: No security contact mail. No contact mail address at all, actually.

Step two: Connect via SMTP, try RFC-specified mailboxes and other common 
mailboxes
with "RCPT TO", check which are accepted.
Result: Well,  isn't accepted, but a lot of other stuff works! Yay!

Step three: Send mail to the addresses that were accepted by "RCPT TO".
Result: Bounces. Turns out the mailserver just accepts everything, then sends
bounces.

Step four: Do a whois, send mail to the DNS admin. Not exactly first choice,
but oh well...
Result: Bounces, too, because their second SMTP server sees that the mail comes
from their first SMTP server, looks at my SPF record and figures that Broadcom
isn't allowed to send mails in my name. Hooray.

Step five: Spam somewhat-related IRC channels to figure out a working contact
mail.
Result: Doesn't bounce – waiting for a reply.


tl;dr: Broadcom, fix your stupid mailservers!


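The probing in steps two and three above, as an added example that is not code from the post: it sends RCPT TO for a handful of RFC 2142 mailbox names and, before trusting any of the answers, probes one random mailbox that cannot exist. If the server accepts that one too, it is an accept-everything server of the kind described in step three, and the per-mailbox results mean nothing. The fake SMTP server in the block is constructed so the whole thing runs offline; the mailbox list, the domain and the hostnames are assumptions.

```python
"""RCPT TO probing for RFC 2142 mailboxes, with catch-all detection.
Added example, not code from the post. The fake SMTP server below is
constructed for offline use; mailbox names and domain are assumptions."""
import secrets
import smtplib
import socketserver
import threading

# Subset of the well-known mailbox names from RFC 2142.
RFC2142_MAILBOXES = ["security", "abuse", "postmaster", "support", "webmaster"]


def probe_rcpt(host, port, domain, mailboxes=RFC2142_MAILBOXES):
    """Return ({mailbox: reply_code}, catch_all).

    A random, certainly nonexistent mailbox is probed last: if the server
    accepts that one too, it accepts every RCPT TO (and will bounce later,
    as in the post), so the per-mailbox codes carry no information.
    """
    codes = {}
    with smtplib.SMTP(host, port, local_hostname="probe.invalid", timeout=10) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.mail("probe@probe.invalid")
        if code != 250:
            raise RuntimeError("MAIL FROM rejected: %d" % code)
        for mailbox in mailboxes:
            codes[mailbox], _ = smtp.rcpt("%s@%s" % (mailbox, domain))
        canary_code, _ = smtp.rcpt("nx-%s@%s" % (secrets.token_hex(6), domain))
        smtp.rset()  # never send DATA; QUIT is sent on leaving the block
    return codes, 200 <= canary_code < 300


def accepted_mailboxes(codes, catch_all):
    """Mailboxes worth writing to; none if the server accepts everything."""
    if catch_all:
        return []
    return sorted(m for m, c in codes.items() if 200 <= c < 300)


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Just enough SMTP for the probe; RCPT policy lives on the server object."""

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        self.reply("220 fake.invalid ESMTP (constructed test server)")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                self.wfile.write(b"250-fake.invalid\r\n250 OK\r\n")
            elif verb in ("HELO", "MAIL", "RSET", "NOOP"):
                self.reply("250 OK")
            elif verb == "RCPT":
                local = arg.split(":", 1)[1].strip("<> ").split("@")[0].lower()
                if self.server.catch_all or local in self.server.known:
                    self.reply("250 OK")
                else:
                    self.reply("550 Mailbox unavailable or access denied")
            elif verb == "QUIT":
                self.reply("221 Bye")
                return
            else:
                self.reply("502 Command not implemented")


def start_fake_server(known, catch_all):
    """Serve on an ephemeral loopback port; `known` are the real mailboxes."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSMTPHandler)
    srv.daemon_threads = True
    srv.known, srv.catch_all = set(known), catch_all
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo(known, catch_all, domain="example.invalid"):
    """Probe a fake server; returns (codes, catch_all_detected, usable_mailboxes)."""
    srv = start_fake_server(known, catch_all)
    try:
        codes, detected = probe_rcpt("127.0.0.1", srv.server_address[1], domain)
    finally:
        srv.shutdown()
        srv.server_close()
    return codes, detected, accepted_mailboxes(codes, detected)


if __name__ == "__main__":
    print(run_demo(known={"postmaster", "abuse"}, catch_all=False))
    print(run_demo(known=set(), catch_all=True))  # looks great, means nothing
```

Against a real MX you would call `probe_rcpt` with the host from the domain's MX record; the canary check is the part that would have saved the time spent in step three, and it costs one extra RCPT TO. Some servers rate-limit or greylist after a few RCPT failures, so keep the list short.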

Re: [Full-disclosure] How do I contact Vodafone Security?

2013-04-23 Thread Jann Horn
On Mon, Apr 22, 2013 at 03:10:19PM +0200, Jann Horn wrote:
> Hello,
> does anyone know how I can contact Vodafone Security (preferably a
> Germany-specific group because I have no idea whether the issue
> affects people in other countries, too)?

Thanks for all the replies. I sent a mail with details to a german
Vodafone employee who said he'll take care of it.

Jann



[Full-disclosure] How do I contact Vodafone Security?

2013-04-22 Thread Jann Horn
Hello,
does anyone know how I can contact Vodafone Security (preferably a
Germany-specific group because I have no idea whether the issue
affects people in other countries, too)?

I sent a mail to secur...@vodafone.de and it didn't bounce (in case
someone from Vodafone is reading this: it was sent from my old
address jannh...@googlemail.com). In the mail, I told them to reply
within two weeks, and that was 2013-03-28. Well, I got no reply – either
they think it's not an issue and silently dropped the mail, they're
really slow or nobody reads that mailbox. (Or I made some mistake
sending the mail.)

Well, I tried phoning them first (01721212), but the helpdesk person told
me she'd need my password for that (of which I currently don't know
where exactly it is).

So, in case anyone knows how to contact their security guys properly,
please reply. Meh, why can't everyone just respect RFC 2142?

Jann



Re: [Full-disclosure] Exploiting sibling domains cookie isolation policy to DoS CDN users

2013-04-11 Thread Jann Horn
On Thu, Apr 11, 2013 at 05:01:57PM +0200, Jan Wrobel wrote:
> Hello,
> 
> In short:
> 
> Browsers can be easily cut from any resources hosted on Content
> Delivery Networks that use a domain shared between users, by a visit
> to a malicious site that sets large number of cookies on the common
> prefix of the CDN domain.
> 
> For example, an HTML document on 'foo.rackcdn.com' (visited directly
> or iframed) can set large number of large cookies with a domain
> attribute set to 'rackcdn.com'. This prevents the browser from
> accessing any content on '*.rackcdn.com'. A single site can target
> multiple CDNs at once.
> 
> More detailed writeup:
> http://mixedbit.org/blog/2013/04/11/dos_attack_on_cdn_users.html

Wow, interesting!

CDNs could mitigate this by, instead of resetting connections with lots of
headers, just reading all the cookies and throwing them into the bit bucket
instead of keeping them in RAM, right? That way, there would still be the
wasted bandwidth, but combined with the Google approach, it should work fine,
right? If the client sends too many headers, just ignore everything until you
reach \n\n, then send back the error script?


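The mitigation sketched in the reply, as an added example that is not code from either post or from any CDN: a request-head reader that drains an oversized header block in small pieces instead of buffering or resetting it, never keeps a Cookie value, remembers only a capped list of cookie names, and then answers with a reply that expires those cookies on the shared parent domain. It assumes a CDN host serving static assets (which has no use for cookie values at all); the budget sizes, the domain `rackcdn.com` from the quoted post, the hypothetical asset path and the 431 reply standing in for the "error script" mentioned above are all assumptions. The cookie-bomb request is constructed to look like what a browser would send after the attack.

```python
"""Bounded header reader for the cookie-bomb DoS discussed in the thread.
Added example (not from the posts or any CDN); budget values are assumptions."""
import io
import itertools

CHUNK = 4096           # bytes held in flight while draining one line
HEADER_BUDGET = 8192   # bytes of non-cookie headers we are willing to keep
MAX_NAMES = 64         # cookie names remembered for the clearing response


def _line_chunks(stream, stats):
    """Yield one header line in pieces of at most CHUNK bytes, counting them."""
    while True:
        part = stream.readline(CHUNK)
        if not part:
            raise ValueError("truncated header block")
        stats["total"] += len(part)
        yield part
        if part.endswith(b"\n"):
            return


def _note_name(pair, names):
    name = pair.split(b"=", 1)[0].strip()
    if name and name not in names and len(names) < MAX_NAMES:
        names.append(name)


def _scan_cookie_names(pieces, names):
    """Collect cookie names from a Cookie value arriving in pieces; values are
    never kept, and the pending pair is cut to CHUNK bytes (enough for a name)."""
    buf = b""
    for piece in pieces:
        buf += piece
        while b";" in buf:
            pair, _, buf = buf.partition(b";")
            _note_name(pair, names)
        buf = buf[:CHUNK]
    _note_name(buf, names)


def read_request_head(stream):
    """Return (request_line, headers, cookie_names, bytes_drained).
    Non-cookie headers are kept up to HEADER_BUDGET; everything past that and
    every Cookie value goes to the bit bucket, but the stream is still drained
    to the blank line so the client gets a reply instead of a reset."""
    if isinstance(stream, bytes):
        stream = io.BytesIO(stream)
    stats = {"total": 0}
    request_line = stream.readline(CHUNK).rstrip(b"\r\n")
    stats["total"] += len(request_line)
    headers, names, kept = {}, [], 0
    while True:
        chunks = _line_chunks(stream, stats)
        first = next(chunks)
        if first in (b"\r\n", b"\n"):
            return request_line, headers, names, stats["total"]
        key, sep, rest = first.partition(b":")
        key = key.strip().lower()
        if sep and key == b"cookie":
            _scan_cookie_names(itertools.chain([rest], chunks), names)
            continue
        value, complete = rest, True
        for part in chunks:
            if complete and kept + len(value) + len(part) <= HEADER_BUDGET:
                value += part
            else:
                complete = False       # over budget: keep draining, stop storing
        if complete and kept + len(value) <= HEADER_BUDGET:
            headers[key] = value.strip()
            kept += len(value)


def clearing_response(names, domain):
    """431 with one expiring Set-Cookie per name, scoped to the shared parent
    domain the attacker used (assumed known to the operator)."""
    head = [b"HTTP/1.1 431 Request Header Fields Too Large",
            b"Content-Type: text/plain", b"Connection: close"]
    for name in names:
        head.append(b"Set-Cookie: " + name + b"=; Domain=" + domain +
                    b"; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT")
    body = b"too many cookies; they have been expired, please retry\n"
    head.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(head) + b"\r\n\r\n" + body


def handle_request(raw, domain=b"rackcdn.com"):
    """Serve one raw request: (status, response, cookie_names, bytes_drained)."""
    request_line, headers, names, total = read_request_head(raw)
    if names and total > HEADER_BUDGET:
        return 431, clearing_response(names, domain), names, total
    body = b"/* static asset */\n"
    ok = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body)
    return 200, ok, names, total


def cookie_bomb_request(n_cookies=20, size=4000, host=b"foo.rackcdn.com"):
    """Constructed request as a browser would send it after the attack."""
    cookies = b"; ".join(b"c%d=%s" % (i, b"A" * size) for i in range(n_cookies))
    return b"GET /app.js HTTP/1.1\r\nHost: " + host + b"\r\nCookie: " + cookies + b"\r\n\r\n"


if __name__ == "__main__":
    status, resp, names, drained = handle_request(cookie_bomb_request())
    print(status, len(names), "cookie names,", drained, "bytes drained")
```

Two caveats a practitioner should keep in mind: a Set-Cookie only removes the planted cookie if its Domain and Path match what the attacker set, so a cookie planted with a narrower Path survives this reply, and since only MAX_NAMES names are remembered, an attacker who plants more than that forces the client through several round trips before the request fits. The bandwidth cost stays, as the reply above notes; what changes is that the server's memory per connection is bounded by CHUNK plus HEADER_BUDGET rather than by whatever the client sends.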

Re: [Full-disclosure] GitHub Login Cookie Failure

2013-04-08 Thread Jann Horn
On Mon, Apr 08, 2013 at 10:37:09PM +0200, Jann Horn wrote:
> On Mon, Apr 08, 2013 at 11:19:37AM -0500, Chris Roussel wrote:
> > Dear Hackers,
> > 
> > I've discovered what I think is a failure in GitHub.com login cookies:
> > 
> > I installed the "Import Cookies" & "Export Cookies" plugins in my
> > firefox 20, then I signed in at github and exported my cookies, then I
> > signed out, I cleaned all the cookies in my browser and I started it
> > again, then I imported the cookies and I am login in without typing my
> > passwords, I've tried this with my google account, but there is clear
> > that when I signed out the info in the cookies was annulled, then it
> > appears like I am signed while I am searching, but if I want to check my
> > mail/drive I have to type my password.
> > 
> > If you can reproduce this, tell to githubbers, if you can not let us know!
> 
> [+CC github support]
> So why exactly did you post here before contacting them?

Reproduced. Froze all cookies using "Edit this Cookie", logged out, loaded
github.com, was back in.



Re: [Full-disclosure] GitHub Login Cookie Failure

2013-04-08 Thread Jann Horn
On Mon, Apr 08, 2013 at 11:19:37AM -0500, Chris Roussel wrote:
> Dear Hackers,
> 
> I've discovered what I think is a failure in GitHub.com login cookies:
> 
> I installed the "Import Cookies" & "Export Cookies" plugins in my
> firefox 20, then I signed in at github and exported my cookies, then I
> signed out, I cleaned all the cookies in my browser and I started it
> again, then I imported the cookies and I am login in without typing my
> passwords, I've tried this with my google account, but there is clear
> that when I signed out the info in the cookies was annulled, then it
> appears like I am signed while I am searching, but if I want to check my
> mail/drive I have to type my password.
> 
> If you can reproduce this, tell to githubbers, if you can not let us know!

[+CC github support]
So why exactly did you post here before contacting them?



Re: [Full-disclosure] DoS vulnerability in Adobe Flash Player (BSOD)

2013-04-03 Thread Jann Horn
On Thu, Apr 04, 2013 at 01:24:29AM +0300, MustLive wrote:
> Hello list!
> 
> I want to warn you about a Denial of Service vulnerability (BSOD) in Adobe
> Flash Player. I found this vulnerability on 27.01.2013.
> 
> -
> Affected products:
> -
> 
> The vulnerable version is Adobe Flash 11.5.502.146. The attack works only on
> AMD/ATI video cards.
> 
> Adobe fixed it on 12.02.2013 in their patch APSB13-05
> (https://www.adobe.com/support/security/bulletins/apsb13-05.html), which
> fixed multiple vulnerabilities in Flash Player. Adobe did it quietly, without
> mentioning this vulnerability and without crediting me. After I informed them
> at the end of January, they were "checking it" for 1.5 months and said that
> they couldn't reproduce this vulnerability (although I had reproduced it on
> multiple computers with ATI video cards), that they don't know anything (the
> hole was accidentally fixed in APSB13-05) and that this DoS isn't related to
> them.

Sorry, but how can this be a vuln in *Flash*, a *user-space* component, if it
can be used to cause a BSOD, which, as far as I know, means that something bad
happened *in the Kernel*? Sounds to me as if Flash is not the (or at least not
the only) culprit...



Re: [Full-disclosure] "Data-Clone" -- a new way to attack android apps

2013-03-17 Thread Jann Horn
On Sun, Mar 17, 2013 at 06:09:09PM +0800, IEhrepus wrote:
> "Data-Clone" -- a new way to attack android apps
> 
> Author: super...@www.knownsec.com [Email:5up3rh3i#gmail.com]
> Release Date: 2013/03/16
> References: http://www.80vul.com/android/data-clone.txt
> Chinese Version:
> http://blog.knownsec.com/2013/03/attack-your-android-apps-by-webview/
> 
> --[ I - Introduction
> 
> This is a new way to attack android apps, and I call it the "Data-Clone
> Attack". It can bypass password authentication when the user logs in to the
> app and sets "remember password" (some apps provide this).
[...]
> --[ III - How to exploit
> 
> "How to get the contents of data" is the key to completing the attack.
> Something like this:
> 
> 1. Already have super privileges
> 
> Under a root shell, as in the demo, you can bypass password authentication
> using the "Data-Clone Attack".
> 
> 2. apps install on SDcard
> 
> other apps have read permission to obtain the app's data.

I'm pretty sure that this is wrong. Apps on the SD card are encrypted. The
crypto is flawed, but not so flawed that this kind of attack would
be possible. Also, apps on the device even need an exploit just to be
able to read the encrypted data.


> 3. Cross-site scripting on android
> 
> app + webview + xss(or webkit xcs vul) = "Data-Clone"
> 
> On older versions of android, an android app's xss or webkit xcs vuln can
> read local files' contents:
> http://www.80vul.com/android/android-0days.txt
> 
> So the app's webview has file read permissions to the app's data.
> When an app user visits a URL link, the data will be cloned.
> 
> --[ IV - Disclosure Timeline
> 
> 2012/03/   - Found this
> 2012/12/10 - Report it to secur...@android.com
> 
> ..For a long time has passed..
> 
> 2013/03/16 - secur...@android.com has not given any response
> (maybe because Google is not android's biological mother)
> 2013/03/16 - Public Disclosure

Or maybe because it's not exactly interesting that you can read an app's
data if you can execute code in its context?



[Full-disclosure] A few android security issues

2013-03-14 Thread Jann Horn
 to notice that weird stuff is happening. Android issue tracker ID
   #1086986860.
   Well, now you might want even more to use a different browser for
   important stuff.
   This bug was fixed shortly after I reported it.
8. When you install an application from an apk file on the device, you might
   be approving the installation of a different apk than the one that will
   really be installed. For example, this means that you might be granting
   all permissions that an app could get from you without wanting to do so.
   Well, be careful with apps that tell you to update them by downloading an
   apk and installing it, and if you choose to do so anyway, maybe check for
   apps with suspicious permissions afterwards. Android issue tracker ID
   #1069937150.
9. If you uninstall an application and then install another one, the
   uninstalled application could still be running and gain all rights that the
   one you just installed has. As a mitigation, you might want to reboot after
   having uninstalled stuff. Android issue tracker ID #1093611178.
   The Android Security Team states that
   "A fix for this issue is under development.".
a. Applications with the MOUNT_FORMAT_FILESYSTEMS permission can find out
   whether files or directories are currently in use. For example, they can
   find out what music you're currently listening to if the music files are
   on your SD card. Android issue tracker ID #1055272284.
b. Applications can in certain situations replace other apps' native code (if
   the other app contains native code). This is probably one
   of the most severe issues: It allows an
   attacker to e.g. execute arbitrary code in the context of the Skype app
   (last time I checked, it included native code) or so without having any
   special privileges. The easiest thing an app developer could do against this
   is to check the integrity of all *.so files owned by the application before
   loading them – this would still leave a small race condition, but would
   already improve the situation a lot. It should be possible to totally
   mitigate the issue by, after installation, placing all .so files in a
   randomly-named directory inside a mode-0700-directory and checking their
   integrity and, when loading the libraries, always using load() instead of
   loadLibrary() to specify the correct path. Android issue tracker ID
   #1055942661.
   The Android Security Team says that this vuln has been fixed (the fix looks
   a bit racy, but I think that it probably isn't exploitable).

Jann Horn



Re: [Full-disclosure] How to prevent HTTPS MitM

2013-01-18 Thread Jann Horn
On Thu, Jan 17, 2013 at 09:56:53PM +0100, Luigi Rosa wrote:
> If this message is offtopic, please excuse me.
> 
> I was reading about Nokia HTTPS MitM. Many corporate firewall can MitM HTTPS
> for content inspection and many governments do this for their reasons.
> 
> I was thinking: could it be possible to create a fake HTTPS stream to DoS the
> MitM attempt?

You could probably just capture the first packet of the SSL stream that your
browser sends for a valid request and then replay it... that's probably the
easiest way.



Re: [Full-disclosure] Is it OK to hold credit card numbers in cookies? Santander?

2012-11-01 Thread Jann Horn
On Mon, Oct 15, 2012 at 09:53:49PM +0200, Alexander Georgiev wrote:
> Now, PLEASE, when you go to their online banking site and run your
> one_script_to_block_them_all.py or whatever, PLEASE, skip my bank
> account, ok?
> 
> Alex

What did you say, which account number should be skipped?



[Full-disclosure] middle-clicking on links

2012-08-16 Thread Jann Horn
Have a look at this PoC: http://jsfiddle.net/wbfpM/1/

At least in Chromium and Firefox on Linux, middle-clicking the "Google" link
opens an alert window with the current clipboard contents. Well, I guess
there's not much that can be done about that, but I think it's interesting to
know.

Jann



Re: [Full-disclosure] The Android Superuser App

2012-08-13 Thread Jann Horn
On Sun, Aug 12, 2012 at 09:47:57PM +0200, Jann Horn wrote:
> And finally, I've found another vuln that essentially lets apps gain root
> rights without asking the user, and I will release all details about it in
> two weeks.

Found another independent vuln that also gives all apps root access, details
will go public in two weeks, too.



[Full-disclosure] The Android Superuser App

2012-08-13 Thread Jann Horn
Hello,
on Android, everyone who wants to give apps root access to his phone uses the
Superuser application by ChainsDD. However, from a security perspective, that
might be a somewhat bad idea.

First, it's not really Open Source anymore, so you can't easily check whether
everything works the way it should. Well, there are two github repos, one for
the "su" binary and one for the Superuser app, but the one for the app is
outdated. In fact, if you choose to build the Superuser app from source, you
will get a vulnerable system because it still contains a vuln that is fixed
in the more recent binary releases.

Also, there are open, known vulns that the author doesn't seem to care about.
You might want to have a look at
https://github.com/ChainsDD/Superuser/issues/52 - whenever you choose to
update the "su" binary using the Superuser app, unsigned code will be
downloaded over HTTP and installed as a setuid root program on your device.
This bug report is a month old, no comment from the developer, not fixed yet.

And finally, I've found another vuln that essentially lets apps gain root
rights without asking the user, and I will release all details about it in
two weeks.

Seems like someone should make a better superuser app...

Jann



Re: [Full-disclosure] [Anonymous/iWot] Somaleaks !!!

2012-07-20 Thread Jann Horn
On Wed, Jul 18, 2012 at 09:16:29AM -0400, Abdikarim Roble wrote:
> Contacts: no need to answer to this email address, as it's not ours.
> If you want to meet us, as always we'll be at Defcon soon, and we hope
> that there will be a special prize for Dahabshiil, though it's a bit
> late to propose them to the Powney Awards. We do believe that being an
> international bank, with really lame security, fake official answers,
> and real links with terrorists to kill people in Africa, Europe or
> America (Al-Qaeda), should bring them to a special prize. They deserve
> it. *We do not forget.*
> 
> Future: if you want to participate, just share your thoughts or ideas
> of targets on Internet with the official related proofs showing links
> with terrorists. Like any skilled hackers, we can have remote access
> anywhere on earth (gov, telco, comp, etc) as the current IT Security
> community is just selling dreams and fake products. If you like our
> values, thanks to support Anonymous iWot (internet War on terror) and
> put tags like #anoniwot2012 so that we can find your list of targets,
> your messages, your help, your ideas, etc. You cannot contact us
> directly, so, please shout enough so that we can hear you. You can
> just share message to our teams on public spaces, and we'll read them.
> Before that, if you enjoyed our specific actions against terrorists in
> Somalia, thanks to really show your support about this Somaleaks
> operation, with the tag #somaleaks and just wait, as many other places
> might burn sooner or later. *Expect us.*

Wait, what? You're telling people to publically post that kind of stuff
and then assume that they will be contacted by one of you (and not the
police or so)? Does not sound very smart to me.



Re: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability

2012-07-13 Thread Jann Horn
On Wed, Jul 11, 2012 at 11:34:11AM +0300, Gokhan Muharremoglu wrote:
> Vulnerability Name: Predefined Post Authentication Session ID Vulnerability 
> Type: Improper Session Handling
> Impact: Session Hijacking
> Level: Medium
> Date: 10.07.2012
> Vendor: Vendor-neutral
> Issuer: Gokhan Muharremoglu
> E-mail: gokhan.muharremo...@iosec.org
> 
> 
> VULNERABILITY
> If a web application starts a session and defines a session id before a user
> authenticated, this session id must be changed after a successful
> authentication. If web application uses the same session id before and after
> authentication, any legitimate user who has gained the "before
> authentication" session id can hijack future "after authentication" sessions
> too.

Uh, so, erm, you assume that someone can steal my cookie/set it/whatever
although the Same Origin Policy should clearly not allow that, and then, after
I have logged in, he can't just steal my cookie? Unless you allow setting the
session-ID via an URL or so (which would IMO be pretty stupid), I can't see
how this is a realistic, vendor-neutral attack. Could you explain this a bit
better? I don't get it.


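The GitHub cookie replay earlier on this page and the pre-authentication session ID issue quoted here both come down to how the server treats session identifiers, so one added example covers both; it is not code from either post. A toy in-memory store stands in for a web framework, with two switches for the two defences: rotating the ID on successful login, and deleting the server-side record on logout rather than only telling the browser to drop its cookie. The fixation scenario assumes exactly the precondition Jann asks about, some way for the attacker to plant a session ID in the victim's browser before login; the user table and credentials are constructed.

```python
"""Session-ID handling: fixation (rotate on login) and logout replay
(invalidate server-side). Added example, not code from either post;
the user table and the planted-ID precondition are assumptions."""
import hmac
import secrets

USERS = {"alice": "correct horse battery staple"}   # constructed credentials


class SessionStore:
    """Toy in-memory session store standing in for a web framework."""

    def __init__(self, rotate_on_login, invalidate_on_logout):
        self.rotate_on_login = rotate_on_login
        self.invalidate_on_logout = invalidate_on_logout
        self._sessions = {}  # sid -> {"user": name or None}

    def start(self):
        """Create an anonymous (pre-authentication) session and return its ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user, password):
        """Check credentials; return the ID the client must use from now on,
        or None on failure. The hardened variant throws the pre-auth ID away,
        so an ID an attacker knew before login is worthless afterwards."""
        expected = USERS.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        if sid not in self._sessions:
            sid = self.start()
        if self.rotate_on_login:
            del self._sessions[sid]
            sid = self.start()
        self._sessions[sid]["user"] = user
        return sid

    def logout(self, sid):
        """The weak variant only tells the client to drop its cookie; the
        server-side record survives and a saved copy of the cookie still works."""
        if self.invalidate_on_logout:
            self._sessions.pop(sid, None)

    def whoami(self, sid):
        record = self._sessions.get(sid)
        return record["user"] if record else None


def fixation_attack(store):
    """Attacker obtains a pre-auth ID, plants it in the victim's browser (the
    assumed precondition), victim logs in. Returns who the attacker's copy of
    the ID is now logged in as; None means the attack failed."""
    planted = store.start()
    store.login(planted, "alice", USERS["alice"])
    return store.whoami(planted)


def replay_after_logout(store):
    """A cookie exported before logout (as with the browser plugins in the
    GitHub thread) is replayed afterwards."""
    sid = store.login(store.start(), "alice", USERS["alice"])
    exported = sid
    store.logout(sid)
    return store.whoami(exported)


if __name__ == "__main__":
    weak = SessionStore(rotate_on_login=False, invalidate_on_logout=False)
    strong = SessionStore(rotate_on_login=True, invalidate_on_logout=True)
    print("fixation:", fixation_attack(weak), fixation_attack(strong))
    print("replay:  ", replay_after_logout(weak), replay_after_logout(strong))
```

Rotation on login is cheap and closes the fixation case regardless of how the ID was planted (URL parameter, a cookie from a sibling subdomain, or anything else), which is why it is the usual recommendation even where, as Jann notes, the planting step itself is the hard part. Logout invalidation is the separate fix for the GitHub case: without it the server cannot tell a cookie the user deleted from one the user exported.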

[Full-disclosure] How much time is appropriate for fixing a bug?

2012-07-05 Thread Jann Horn
After having reported a security-relevant bug about a smartphone, how long would
you wait for the vendor to fix it? What are typical times?

I remember telling someone about a security-relevant bug in his library some
time ago - he fixed it and published the fixed version within ten minutes. On
the other hand, I often see mails on bugtraq or so in which the given dates
show that the vendor took maybe a year or so to fix the issue...



Re: [Full-disclosure] NSA Cyber security program [ maybe off-topic ]

2012-05-31 Thread Jann Horn
On Mon, May 28, 2012 at 08:06:42PM -0300, Pablo wrote:
> Interesting…
> 
>  
> 
> http://www.nsa.gov/academia/nat_cae_cyber_ops/index.shtml
> 
> http://www.esecurityplanet.com/network-security/nsa-announces-cyber-security-program-for-college-students.html
> 
>  
> 
> This tells us that there is a lack of qualified people for this area.

What I understand there is that they have a lack of qualified people in this
area *who want to work for them*.



Re: [Full-disclosure] Google Accounts Security Vulnerability

2012-05-21 Thread Jann Horn
On Sat, May 19, 2012 at 12:04:43PM -0700, Michael J. Gray wrote:
> On why I don't want to provide my email address to Google:
> 
> It's a different email address which I don't want associated with this email
> address for various reasons. That is why I am not going to provide it.
> 
> Your assumption that it's a simple piece of information and requires no
> effort to give out is correct, but the impact of the association is
> unwanted.

Sounds reasonable.


> The fact that Google can create a test account and reproduce the issue (as I
> have now done several times) tells me that they want the account information
> for some other purpose or that they're just being lazy.

So, you now have a test account that doesn't reveal any secrets about you and
which is affected... so you could surely give Google the name of that one?



Re: [Full-disclosure] pidgin OTR information leakage

2012-02-27 Thread Jann Horn
2012/2/25 Dimitris Glynos :
> Pidgin transmits OTR (off-the-record) conversations over DBUS in
> plaintext. This makes it possible for attackers that have gained
> user-level access on a host, to listen in on private conversations
> associated with the victim account.

Basically, you're saying that if I have the rights of a user on a
machine, I can access the private conversations of that user? Ooooh
no. Well, I can also copy his keyfiles, no? And I can alter his
settings. And spawn fake "Update didn't work, please enter root
password to proceed" windows. I could alter his ~/.bashrc so that
whenever he launches "sudo" or "su", a script is launched instead that
grabs his password. So, please, what's the point?



Re: [Full-disclosure] Windows Vista/7 lpksetup dll hijack

2010-10-27 Thread Jann Horn
On Monday, 25.10.2010, 22:56, Thor (Hammer of God) wrote:
> The main point is that you've got to get people to not only connect up
> to your remote share, but you've got to get them to execute the file,
> etc.  So I'm just wondering what makes this anything more than any
> other "put a malicious link here to make the user execute it" or email
> attachment business, particularly when you say "Remote Code
> Execution."

Err... as far as I know, the interesting part is having the current path
be set to something you can control (to make windows load evil dlls),
and if you just link to the file, that's not the case.

Jann

