Re: Buffer overflow prevention

2003-08-14 Thread Michal Zalewski
On Wed, 13 Aug 2003, Eygene A. Ryabinkin wrote: [ BUGTRAQ is probably not the best place for such a discussion, but I'm not sure SECPROG is still alive and kicking, so... ] I have an idea on buffer overflow prevention. Well, no, strictly speaking, you don't =) You have an idea for preventing

ZH2003-24SA (security advisory): ChitChat.NET XSS Vulnerability

2003-08-14 Thread G00db0y
ZH2003-24SA (security advisory): ChitChat.NET XSS Vulnerability Published: 13 august 2003 Released: 13 august 2003 Name: ChitChat.NET Affected Systems: 2.0 Issue: Remote attackers can inject XSS script Author: [EMAIL PROTECTED] Vendor: http://clickcess.com/ Description ***

rpc sdbot

2003-08-14 Thread Daniel Otis-Vigil
This sdbot variant has been spreading around Undernet and is a combination of the msblast worm, sdbot and spybot. It installs as a service and triggers WFP which I think was a mistake. Termination of the process causes an immediate reboot. Samples are available here:

Apology re: Buffer Overflow Prevention

2003-08-14 Thread Nicholas Weaver
On Wed, Aug 13, 2003 at 02:28:33PM +0400, Eygene A. Ryabinkin composed: I have an idea on buffer overflow prevention. I doubt that it's new, but I haven't seen an implementation of it in any freely distributable Un*x system. So, I hardly need your comments on it. Please accept my apology

Denial of Service Vulnerability in NFS on IRIX

2003-08-14 Thread SGI Security Coordinator
-BEGIN PGP SIGNED MESSAGE- __ SGI Security Advisory Title: Denial of Service Vulnerability in NFS XDR decoding Number : 20030801-01-P Date : August 13, 2003 Reference:

[OpenPKG-SA-2003.036] OpenPKG Security Advisory (perl-www)

2003-08-14 Thread OpenPKG
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenPKG Security Advisory The OpenPKG Project http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED]

Cisco Security Advisory: CiscoWorks Application Vulnerabilities

2003-08-14 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Cisco Security Advisory: CiscoWorks Application Vulnerabilities Revision Numeral 1.0: INTERIM = For Public Release 2003 August 13 UTC 1500 -

Halflife exploit that provides a shell in fbsd

2003-08-14 Thread Spoilt JeSuS
hk-vig of UHAGr and wsxz of Priv8security published a high risk remote root exploit (if running by root) against Halflife = 1.1.1.0 (including all mods like CS, DoD) and dedicated server 3.1.1.1c1/4.1.1.1a. Exploitation successfully tested on FreeBSD. This code is based upon the recent

Re: man-db[v2.4.1-]: open_cat_stream() privileged call exploit.

2003-08-14 Thread Colin Watson
In article [EMAIL PROTECTED], Vade 79 wrote: # man-db[v2.4.1-]: local uid=man exploit. Correction: 2.3.12 (a beta release) and 2.3.18 to 2.4.1. echo [*] making runme, and mansh source files... cat EOFrunme.c #include stdio.h #include stdlib.h #include unistd.h #include sys/types.h #include

BBCode XSS in XOOPS CMS

2003-08-14 Thread Frog Man
Information: Language: PHP Bugged Versions: 1.3.x and less (+ 2.0.x and less ? not checked) Safe Version: 2.0.3 Website: http://www.xoops.org Problem: BBcode XSS PHP Code/Location: This hole can be used in modules: - Private Messages - News - NewBB

Re: Buffer overflow prevention

2003-08-14 Thread Jingmin (Jimmy) Zhou
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 This is not a complete solution. It's just like non-executable stack that prevents a certain number of buffer overflows in the stack. Heap overflows, or some advanced buffer overflow attacks can easily bypass this approach. Furthermore, let's suppose

man-db[v2.4.1-]: open_cat_stream() privileged call exploit.

2003-08-14 Thread Vade 79
#!/bin/bash # xmandb.sh: shell command file. # # man-db[v2.4.1-]: local uid=man exploit. # by: vade79/v9 [EMAIL PROTECTED] (fakehalo) # # open_cat_stream() privileged call exploit. # # i've been conversing with the new man-db maintainer, and after the # initial post sent to bugtraq(which i

netris[v0.5]: client/server remote buffer overflow exploit.

2003-08-14 Thread Vade 79
/*[ netris[v0.5]: client/server remote buffer overflow exploit. ]* * * * by: vade79/v9 [EMAIL PROTECTED] (fakehalo/realhalo) * * * * netris homepage/URL:

RE: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow

2003-08-14 Thread Jason Coombs
What about pointing the OBJECT tag codebase to a known, or probable, location on the victim's own hard drive? ActiveX never implemented any type of same origin policy the way JavaScript does, so a local codebase reference should work as a technique to silently activate any Microsoft-signed

[SECURITY] [DSA-367-1] New xtokkaetama packages fix buffer overflow

2003-08-14 Thread Matt Zimmerman
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 367-1 [EMAIL PROTECTED] http://www.debian.org/security/ Matt Zimmerman August 8th, 2003

ZH2003-17SA (security advisory): geeeekShop Shopping Cart Path Disclosure

2003-08-14 Thread G00db0y
ZH2003-17SA (security advisory): gkShop Shopping Cart Path Disclosure Published: 9 august 2003 Released: 9 august 2003 Name: gkShop Shopping Cart System Affected Systems: 1.4.0 Issue: Remote attackers can know the path of the site Author: [EMAIL PROTECTED] Vendor:

Virginity Security Advisory 2003-001 : Hola CMS - Admin Password Disclosure by Include vulnerability

2003-08-14 Thread Virginity Security
- - - Virginity Security Advisory 2003-001 - - - DATE : 2003-08-13 03:11 GMT TYPE : remote VERSIONS AFFECTED : == hola-cms-1.2.9-10

ZH2003-18SA (security advisory): News Wizard Path Disclosure

2003-08-14 Thread G00db0y
ZH2003-18SA (security advisory): News Wizard Path Disclosure Published: 10 august 2003 Released: 10 august 2003 Name: News Wizard Affected Systems: 2.0 Issue: Remote attackers can know the path of the site Author: [EMAIL PROTECTED] Vendor:

RE: Notepad popups in Internet Explorer and Outlook

2003-08-14 Thread Thor Larholm
The problem at hand is not one of Notepad or the view-source protocol, but of the behavior inherent to Internet Explorer on how to handle certain mimetypes and protocols. Your advisory (good as it is) highlights an example of the problem, but disregards the larger picture. Whether or not a

[SECURITY] [DSA-365-1] New phpgroupware package fix several vulnerabilities

2003-08-14 Thread Matt Zimmerman
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 365-1 [EMAIL PROTECTED] http://www.debian.org/security/ Matt Zimmerman August 5th, 2003

Immunix Secured OS 7+ wu-ftpd update

2003-08-14 Thread Immunix Security Team
[Please do not set your mail system to send out-of-office autoreplies on public mail lists. It is inconsiderate. Whichever mail list you received this mail from should include headers that you can use to select whether vacation(1) or procmail(1) should respond. procmail users, please see

New Windows DCOM Worm - msblast.exe (fwd)

2003-08-14 Thread Dave Ahmad
David Mirza Ahmad Symantec PGP: 0x26005712 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12 -- The battle for the past is for the future. We must be the winners of the memory war. -- Forwarded message -- Return-Path: [EMAIL PROTECTED] Delivered-To: [EMAIL PROTECTED]

[OpenPKG-SA-2003.035] OpenPKG Security Advisory (openssh)

2003-08-14 Thread OpenPKG
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenPKG Security Advisory The OpenPKG Project http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED]

[SECURITY] [DSA-371-1] New perl packages fix cross-site scripting

2003-08-14 Thread Matt Zimmerman
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 371-1 [EMAIL PROTECTED] http://www.debian.org/security/ Matt Zimmerman August 11th, 2003

Re: Buffer overflow prevention

2003-08-14 Thread weigelt
On Wed, Aug 13, 2003 at 12:13:27PM -0700, Nicholas Weaver wrote: snip This only stops attacks which overwrite the return address pointers on the stack, it doesn't stop heap overflows or other control-flow attacks. ACK. Often there are function pointers stored on the heap - so this does not

RE: Microsoft RPC DCOM exploit descriptions

2003-08-14 Thread Troy Murray
Internet Security Systems (http://www.iss.net) has released a scan tool to check for the MS03-026 patch on Windows servers. I've downloaded and run this tool, command-line only, on my servers and it reports correctly that they are patched. Running a scan on the 35-10.40.x range though yields 5

SuSE Security Announcement: kernel (SuSE-SA:2003:034)

2003-08-14 Thread Sebastian Krahmer
-BEGIN PGP SIGNED MESSAGE- __ SuSE Security Announcement Package: kernel Announcement-ID: SuSE-SA:2003:034 Date: Tue Aug 12

PostNuke Downloads Web_Links ttitle variable XSS

2003-08-14 Thread Lorenzo Hernandez Garcia-Hierro
PostNuke Downloads Web_Links ttitle variable XSS -- Product: PostNuke Vendor: PostNuke WWW.POSTNUKE.COM http://www.POSTNUKE.COM Versions Vulnerable: PostNuke Phoenix 0.7.x.x Phoenix 0.7.2.3 with patches ( in all versions ) Phoenix 0.7.2.3 without patches (in all versions ) 0.7.2.1 (All prior

FreeBSD Security Advisory FreeBSD-SA-03:10.ibcs2

2003-08-14 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 = FreeBSD-SA-03:10.ibcs2 Security Advisory The FreeBSD Project Topic:

[SECURITY] [DSA-361-2] New kdelibs-crypto packages fix multiple vulnerabilities

2003-08-14 Thread Matt Zimmerman
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 361-2 [EMAIL PROTECTED] http://www.debian.org/security/ Matt Zimmerman August 9th, 2003

Subnet Bandwidth Management (SBM) Protocol subject to attack via the Resource Reservation Protocol (RSVP)

2003-08-14 Thread root
Network Penetration www.networkpenetration.com Copyright (c) 2003 Ste Jones [EMAIL PROTECTED] Subnet Bandwidth Management (SBM) Protocol subject to attack via the Resource Reservation Protocol (RSVP) Introduction The resource reservation protocol (RSVP) is used within the

Buffer overflow prevention

2003-08-14 Thread Eygene A. Ryabinkin
Hi! I have an idea on buffer overflow prevention. I doubt that it's new, but I haven't seen an implementation of it in any freely distributable Un*x system. So, I hardly need your comments on it. Preliminary: I'm talking about Intel x86 architecture, but maybe it will be applicable to others

Re: Buffer overflow prevention

2003-08-14 Thread Craig Pratt
On Wednesday, Aug 13, 2003, at 03:28 US/Pacific, Eygene A. Ryabinkin wrote: Hi! I have an idea on buffer overflow prevention. I doubt that it's new, but I haven't seen an implementation of it in any freely distributable Un*x system. So, I hardly need your comments on it. Preliminary: I'm

Re: 3 Comprehensive links in combat with MSBlaster Worm

2003-08-14 Thread Jean-Luc Cavey
In-Reply-To: [EMAIL PROTECTED] And remember... PATCH and block the ports 135 - 139 - 445 - 593 In addition you should block ports 69 and Jean-Luc Cavey

ZH2003-15SA (security advisory): IdealBB XSS Vulnerability

2003-08-14 Thread G00db0y
ZH2003-15SA (security advisory): IdealBB XSS Vulnerability Published: 7 august 2003 Released: 7 august 2003 Name: IdealBB Affected Systems: 1.4.9 beta Issue: Remote attackers can inject XSS script Author: [EMAIL PROTECTED] Vendor: http://www.idealbb.com Description *** Zone-h

3 Comprehensive links in combat with MSBlaster Worm

2003-08-14 Thread Geoff Shively
More DCOM Fun, The boards and lists are flooded with data on this little bugger. Almost too much data, and vital stuff gets lost in the myriad email chains and re: threads. I summed up these 3 links for easy access. Hope it helps. DCOM ISS Scanner:

TSLSA-2003-0030 - stunnel

2003-08-14 Thread Trustix Secure Linux Advisor
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Trustix Secure Linux Security Advisory #2003-0030 Package name: stunnel Summary: Denial of service Date: 2003-08-07 Affected versions: TSL 1.2,

Re: bug in Invision Power Board

2003-08-14 Thread Boy Bear
In-Reply-To: [EMAIL PROTECTED] To repair Bug to edit the file admin.php and to add after the line: $IN['AD_SESS'] = $HTTP_POST_VARS['adsess'] ? $HTTP_POST_VARS['adsess'] : $HTTP_GET_VARS['adsess']; To add this : if (isset($IN['AD_SESS'])) { $IN['AD_SESS'] =

[CLA-2003:720] Conectiva Security Announcement - lynx

2003-08-14 Thread Conectiva Updates
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -- PACKAGE : lynx SUMMARY : CRLF injection local

Directory Traversal in Sun iPlanet Administration Server 5.1

2003-08-14 Thread Brewis, Mark
Text of original posting to Sun: Originator: EDS Information Assurance Group - Jim Hardisty, Mark Brewis Date of Contact: 22nd April 2003 Issue: During a recent Penetration Test, a member of the team, Jim Hardisty, identified an issue with an installation of iPlanet Administration Express. It

ZH2003-19SA (security advisory): BBPro Store Builder Path Disclosure

2003-08-14 Thread G00db0y
ZH2003-19SA (security advisory): BBPro Store Builder Path Disclosure Published: 10 august 2003 Released: 10 august 2003 Name: BBPro Store Builder Affected Systems: current version Issue: Remote attackers can know the path of the site Author: [EMAIL PROTECTED] Vendor:

FreeBSD Security Advisory FreeBSD-SA-03:09.signal

2003-08-14 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 = FreeBSD-SA-03:09.signal Security Advisory The FreeBSD Project Topic:

Cisco IOS HTTP remote exploit

2003-08-14 Thread FX
Hi there, finally released, the exploit for the Cisco IOS HTTP 2GB overflow http://www.cisco.com/warp/public/707/cisco-sn-20030730-ios-2gb-get.shtml and the IOS 11.x remote sniffer using the bug described here: http://www.cisco.com/warp/public/707/cisco-sn-20030731-ios-udp-echo.shtml Exploit:

mod_dosevasive v1.6: Apache DoS Evasive Maneuvers Module

2003-08-14 Thread Jonathan A. Zdziarski
Date: 8/6/2003 @ 17:30 Version: 1.6 Website URL: http://www.networkdweebs.com/stuff/security.html Download URL: http://www.networkdweebs.com/stuff/mod_dosevasive.tar.gz Description: mod_dosevasive is a module for Apache 1.3 giving Apache the ability to detect and fend off request-based DoS/DDoS

Re: Microsoft MCWNDX.OCX ActiveX buffer overflow

2003-08-14 Thread xenophi1e
In-Reply-To: [EMAIL PROTECTED] Does anyone know what the guid for this control is? I don't have it on XP with Visual Studio 6 installed. Could this be the same as the Microsoft Multimedia Control, aka MCI32.OCX? Cheers, ~ol Microsoft MCWNDX.OCX ActiveX buffer overflow

Remote denial of service vulnerability in Meteor FTP Version 1.5

2003-08-14 Thread Zee
www.evicted.org [EMAIL PROTECTED] August 8, 2003 Meteor FTP Version 1.5 Remote Denial of Service Vulnerability 1. Introduction Meteor FTP is a personal ftp server that runs on Windows98/ME/2K/XP. 2. Vulnerability - A vulnerability exists in Meteor FTP Version

re: rpc sdbot

2003-08-14 Thread Daniel Otis-Vigil
I am sorry I typo'd that url: it's http://www.moosoft.com/thecleaner/rpcsdbot.zip Cursed dsylexia! Daniel

ZH2003-20SA (security advisory): Stellar Docs Path Disclosure and Security Leak

2003-08-14 Thread G00db0y
ZH2003-20SA (security advisory): Stellar Docs Path Disclosure and Security Leak Published: 10 august 2003 Released: 10 august 2003 Name: Stellar Docs Affected Systems: v1.2 Issue: Remote attackers can know the path of the site and access the administrative section Author: [EMAIL

PCL-0001: Remote Vulnerability in HORDE MTA 2.2.4

2003-08-14 Thread Vincenzo 'puccio' Ciaglia
--- PUCCIOLAB.ORG - ADVISORIES http://www.pucciolab.org --- PCL-0001: Remote Vulnerability in HORDE MTA 2.2.4 --- PuCCiOLAB.ORG Security Advisories

Phrack #61 is OUT!

2003-08-14 Thread Phrack Staff
Hi, The Phrack Staff is proud to release the _original_ PHRACK #61 to the public. *** NOW AVAILABLE AT HTTP://WWW.PHRACK.ORG *** NOW AVAILABLE AT HTTP://WWW.PHRACK.ORG *** NOW AVAILABLE AT HTTP://WWW.PHRACK.ORG PHRACK MAGAZINE is one of the longest

Microsoft MCWNDX.OCX ActiveX buffer overflow

2003-08-14 Thread Tri Huynh
Microsoft MCWNDX.OCX ActiveX buffer overflow = PROGRAM: MICROSOFT MCIWNDX.OCX ACTIVEX BUFFER OVERFLOW HOMEPAGE: www.microsoft.com VULNERABLE VERSIONS: MCWNDX is an ActiveX shipped with Visual Studio 6 to support multimedia programming.

Xprobe2 0.2rc1 release, white paper release, and Blackhat presentation availability

2003-08-14 Thread Ofir Arkin
We are pleased to announce the immediate availability of Xprobe2 v0.2 rc1, which has been officially released at the Blackhat briefings USA 2003. Xprobe2 is a remote active operating system fingerprinting tool with a different approach to operating system fingerprinting. Information on

Re: Buffer overflow prevention

2003-08-14 Thread Michal Zalewski
On Wed, 13 Aug 2003 [EMAIL PROTECTED] wrote: Some languages offer runtime range checking, which should bring much security, but often is really slow :( In the times of Java and XML used for almost everything, it's not like we strive for every single CPU cycle nowadays in common applications

RE: Microsoft MCWNDX.OCX ActiveX buffer overflow

2003-08-14 Thread Oliver Lavery
Hi Drew, Long time no speak. Blink coming along? MCI32.ocx is marked safe for initialization, so an attack is still possible. Doesn't seem like the filename argument suffers from an overflow tho'. Perhaps you could try this on 2k and see if this really is just a red

Portcullis Security Advisory: CiscoWorks 2000 Privilege Escalation Vulnerabilities

2003-08-14 Thread Omicron
Portcullis Security Advisory CiscoWorks 2000 Privilege Escalation Vulnerability Vulnerability discovery and development: [EMAIL PROTECTED] Affected systems: Ciscoworks 2000 Details: Portcullis have discovered that using the default Guest account, which has no password set, it is

Re: Buffer overflow prevention

2003-08-14 Thread Nicholas Weaver
On Wed, Aug 13, 2003 at 02:28:33PM +0400, Eygene A. Ryabinkin composed: I have an idea on buffer overflow prevention. I doubt that it's new, but I haven't seen an implementation of it in any freely distributable Un*x system. So, I hardly need your comments on it. Then why post this to a

Re: Buffer overflow prevention

2003-08-14 Thread Crispin Cowan
Eygene A. Ryabinkin wrote: I have an idea on buffer overflow prevention. I doubt that it's new, but I haven't seen an implementation of it in any freely distributable Un*x system. So, I hardly need your comments on it. ... The idea itself: all (correct me if I'm wrong) buffer overflows are based

ZH2003-23SA (security advisory): HostAdmin Path Disclosure

2003-08-14 Thread G00db0y
ZH2003-23SA (security advisory): HostAdmin Path Disclosure Published: 12 august 2003 Released: 12 august 2003 Name: HostAdmin Affected Systems: current version Issue: Remote attackers can know the path of the site Author: [EMAIL PROTECTED] Vendor: http://dreamcost.com/?page=hostadmin

Netris client Buffer Overflow Vulnerability.

2003-08-14 Thread Shaun Colley
-[INTRODUCTION]- Netris is a Linux clone of the classic infamous game Tetr*s, giving users three main game modes: play an individual game, server mode: bind to a port and wait for an incoming connection from an opponent's Netris client, and connect mode: connect to an opponent's Netris client

DCOM worm analysis report: W32.Blaster.Worm

2003-08-14 Thread Dave Ahmad
A Bugtraq user has already pointed out that a worm has been discovered in the wild that exploits the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (Bugtraq ID 8205) to infect host systems. Symantec has been tracking its activity and is currently conducting analysis/full

Chatserver - XSS ( push )

2003-08-14 Thread morning_wood
-- - EXPL-A-2003-019 exploitlabs.com Advisory 019 -- -= CHAT SERVER =- exploitlabs Aug 08, 2003 Product: Chat

Lotus Sametime 3.0 == vulnerable. Lotus lied.

2003-08-14 Thread Mycelium
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 The following is my response to IBM / Lotus concerning their denial reaction to the vulnerabilities disclosed in Sametime. This is not a flame / troll, and there is some new information here, including a packet level analysis of a CURRENT Sametime