Asserts considered harmful (or GMP spills its sensitive information)

2018-12-31 Thread Jeffrey Walton
The GMP library uses asserts to crash a program at runtime when presented with data it did not anticipate. The library also ignores user requests to remove asserts using POSIX's -DNDEBUG. Asserts are a debugging aid intended for development, and using them in production software ranges from

Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM

2018-02-14 Thread Jeffrey Walton
On Fri, Feb 9, 2018 at 1:01 PM, Stefan Kanthak wrote: > Hi @ll, > > since about two or three years now, Microsoft offers Skype as > optional update on Windows/Microsoft Update. > > JFTR: for Microsoft's euphemistic use of "update" see >

CVE for Apple's ECDHE-ECDSA SecureTransport bug?

2015-05-21 Thread Jeffrey Walton
Does anyone know if Apple's ECDHE-ECDSA SecureTransport bug was assigned a CVE? It affected OS X and iOS. Effectively, the bug was an implementation error that caused interoperability failures. To mostly counter it, the cipher suites had to be disabled, which resulted in a loss of security. If the

Hidden backdoor API to root privileges in Apple OS X

2015-04-13 Thread Jeffrey Walton
https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/ The Admin framework in Apple OS X contains a hidden backdoor API to root privileges. It’s been there for several years (at least since 2011), I found it in October 2014 and it can be exploited to

Re: [FD] [oss-security] Bug in bash = 4.3 [security feature bypassed]

2014-06-06 Thread Jeffrey Walton
2014-06-03 16:16 GMT+02:00 Hector Marco hecma...@upv.es: Hi everyone, Recently we discovered a bug in bash. After some time after reporting it to bash developers, it has not been fixed. We think that this is a security issue because in some circumstances the bash security feature could be

iOS: List of available trusted root certificates

2013-09-30 Thread Jeffrey Walton
From iOS: List of available trusted root certificates, http://support.apple.com/kb/HT5012. There's no reason to allow some of this to occur in 2013. As a proxy-relying-party, Apple is responsible for this stuff because users are not allowed to make the decisions or modify the Trust Store. For

Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 8): execute everywhere!

2013-08-26 Thread Jeffrey Walton
Hi Stefan, ... administrative rights for every user account Hmmm... XP/x64 appears to have a bug such that the second user also needs to be admin (perhaps XP/x86, too). XP does not recognize the first account as admin, so the second account cannot be limited (at least on my test box). Vista and

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

2013-08-12 Thread Jeffrey Walton
On Mon, Aug 12, 2013 at 1:28 PM, Coderaptor coderap...@gmail.com wrote: I have been a silent spectator to this drama, and could not resist adding a few thoughts of my own: 1. All software, especially webservers, should ship with secure defaults. Period. It is a fundamental mistake to assume

Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

2013-08-10 Thread Jeffrey Walton
On Sat, Aug 10, 2013 at 6:10 AM, Gichuki John Chuksjonia chuksjo...@gmail.com wrote: One thing u gotta remember most of the Admins who handle webservers in a network are also developers since most of the organizations will always need to cut on expenses, and as we know, most of the developers

Re: [Full-disclosure] [SE-2012-01] New Reflection API affected by a known 10+ years old attack

2013-07-22 Thread Jeffrey Walton
On Thu, Jul 18, 2013 at 12:50 AM, Security Explorations cont...@security-explorations.com wrote: Hello All, We discovered yet another indication that the new Reflection API introduced into Java SE 7 was not subject to a thorough security review (if any). I'm kind of surprised some of these bugs

Re: MiniUPnPd Information Disclosure (CVE-2013-2600)

2013-07-12 Thread Jeffrey Walton
On Fri, Jul 12, 2013 at 2:16 PM, cyo...@tripwire.com wrote: ... This issue was addressed on April 26, 2013 as noted in the changelog: http://miniupnp.free.fr/files/changelog.php?file=miniupnpd-1.8.20130607.tar.gz 2013/04/26: Correctly handle truncated snprintf() in SSDP code The

Apple and Wifi Hotspot Credentials Management Vulnerability

2013-06-18 Thread Jeffrey Walton
This vulnerability was published to the OWASP Mobile Security list as a research paper by Andreas Kurtz, Daniel Metz and Felix Freiling. See Cracking iOS personal hotspots using a Scrabble crossword game word list,

Re: Apple and Wifi Hotspot Credentials Management Vulnerability

2013-06-18 Thread Jeffrey Walton
On Mon, Jun 17, 2013 at 3:35 PM, Jeffrey Walton noloa...@gmail.com wrote: ... It appears Apple Wifi hotspot passwords are generated using a wordlist consisting of 1842 words. The authors built a custom cracker to aid in recovery of the Wifi hotspot passwords. My bad. The application

Re: Report OWASP WAF Naxsi bypass Vulnerability

2013-03-27 Thread Jeffrey Walton
Tracked through issue 65 (http://code.google.com/p/naxsi/issues/detail?id=65), fixed at check-in R545 (http://code.google.com/p/naxsi/source/detail?spec=svn545r=545). On Mon, Mar 25, 2013 at 10:00 PM, saf...@gmail.com wrote: OWASP WAF Naxsi bypass Vulnerability Certain unspecified input is

Re: [Full-disclosure] MySQL (Linux) Heap Based Overrun PoC Zeroday

2012-12-03 Thread Jeffrey Walton
Hi Kingcope, # As seen below $edx and $edi are fully controlled, # the current instruction is # = 0x83a6b24 free_root+180: mov(%edx),%edi # this means we landed in a place where 4 bytes can be controlled by 4 bytes # with this function pointers and GOT entries can be rewritten to execute

Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday

2012-12-03 Thread Jeffrey Walton
Hi Kingcope, MySQL Server exploitable stack based overrun Ver 5.5.19-log for Linux and below (tested with Ver 5.1.53-log for suse-linux-gnu too) unprivileged user (any account (anonymous account?), post auth) as illustrated below the instruction pointer is overwritten with

Re: [Full-disclosure] [SE-2012-01] information regarding recently discovered Java 7 attack

2012-08-29 Thread Jeffrey Walton
Hi, found as part of our SE-2012-01 Java SE security research project [3]. Well, it seems Oracle did not feel the issues Security Explorations shared were a priority. Blogging about these things has not produced optimal results either. Have you reported the issues to US Cert? Will you be

Fwd: [cryptography] Apple Legacy filevault barn door...

2012-05-08 Thread Jeffrey Walton
Interesting reading from the cryptography mailing list -- Forwarded message -- From: David I. Emery d...@dieconsulting.com Date: Fri, May 4, 2012 at 8:40 PM Subject: [cryptography] Apple Legacy filevault barn door... To: cryptogra...@randombit.net        As someone said here

Ubuntu, Linux Mint, and the Guest Account

2012-05-08 Thread Jeffrey Walton
I know there's not much new here, but I am amazed that Ubuntu, Linux Mint and friends ship with a Guest account present and enabled. The Guest account is surreptitiously added through a lightdm configuration file, and is not part of the standard user database. Because it's not part of the standard

Re: [Full-disclosure] pidgin OTR information leakage

2012-02-28 Thread Jeffrey Walton
On Mon, Feb 27, 2012 at 3:21 PM, Rich Pieri rati...@mit.edu wrote: On Feb 27, 2012, at 2:37 PM, Michele Orru wrote: I think you didn't understand the content of the advisory. If there are 10 non-root users on an Ubuntu machine for example, if user 1 is using pidgin with OTR compiled with DBUS,

Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission

2011-09-16 Thread Jeffrey Walton
On Thu, Sep 15, 2011 at 7:11 PM, Michael Schmidt mschm...@drugstore.com wrote: Someone’s just not reading the bulletins – Note the term “Remote” – including webdav, so a share that could be fully controlled by the exploiter. At least that is what I am understanding. Updates released on

Re: Vulnerabilities in trading and SCADA softwares

2011-09-15 Thread Jeffrey Walton
On Wed, Sep 14, 2011 at 5:13 AM, fergal.cass...@measuresoft.com wrote: Please take this constructively... The so called vulnerability in ScadaPro does not apply when the Windows firewall is enabled and under normal circumstances the TCP-IP port is not used to communicate with the ScadaPro

Ubuntu: reseed(8), random.org, and HTTP request

2011-07-06 Thread Jeffrey Walton
Ubuntu's reseed(8) can be used to seed the PRNG state of a host. The script is run when the package is installed, and any time su executes the script. reseed(8) performs an unsecured HTTP request to random.org for its bits, despite random.org offering HTTPS services. The Ubuntu Security Team took no

Re: Perfect PDF products distributed with vulnerable MSVC++ libraries

2011-06-29 Thread Jeffrey Walton
On Tue, Jun 21, 2011 at 7:22 AM, Brad Hards br...@frogmouth.net wrote: On Sunday 19 June 2011 11:37:33 Stefan Kanthak wrote: soft Xpansion www.soft-xpansion.com distributes their (freeware) products Perfect PDF 7 Master and Perfect PDF 7 Reader (the current files are dated 2011-05-10) with

Re: OpenBSD CARP Hash Vulnerability

2010-12-21 Thread Jeffrey Walton
On Fri, Dec 17, 2010 at 10:08 PM, Sam Banks wol...@ontogeny.ac.nz wrote: Hello Bugtraq, I disclosed this bug to the BSDs and no one is interested in fixing it so here you go. The two files attached are as follows: [SNIP] The OpenBSD CARP implementation (and all derivatives, such as FreeBSD

iwconfig and recent patches?

2010-12-13 Thread Jeffrey Walton
Hi All, I was reading http://security.ece.cmu.edu/aeg/aeg-current.pdf. Is anyone aware of recent patches to iwconfig for a buffer overrun? I did not find any recent CVEs covering iwconfig. Jeff

Re: 3rd party patch for XP for MS09-048?

2009-09-16 Thread Jeffrey Walton
! * http://support.microsoft.com/gp/lifepolicy * http://support.microsoft.com/gp/lifeselect Jeff On Tue, Sep 15, 2009 at 5:24 PM, Susan Bradley sbrad...@pacbell.net wrote: Read the bulletin.  There's no patch.  It is deemed by Microsoft to be of low impact and thus no patch has been built. Jeffrey

Re: 3rd party patch for XP for MS09-048?

2009-09-15 Thread Jeffrey Walton
Hi Aras, Given that M$ has officially shot-down all current Windows XP users by not issuing a patch for a DoS level issue, Can you cite a reference? Unless Microsoft has changed their end of life policy [1], XP should be patched for security vulnerabilities until about 2014. Both XP Home and

Re: Re[2]: Regular Expression Denial of Service

2009-09-14 Thread Jeffrey Walton
Hi Thierry, With all due respect - this is known to be a vulnerability class since over a century. The referenced web page is titled, ReDoS (Regular Expression Denial of Service) Revisited. The authors cite work as early as 2003 in their paper. Can we please stop the attitude of inventing

Re: Norman Internet Update Deamon sends cleartext license key on update

2009-09-01 Thread Jeffrey Walton
Hi Stefan, linux norman internet update deamon (niu) sends our corporate license key in cleartext over http when the first update is triggered. Similar problems (use of insecure channels) were reported on June 9, 2009 with their Windows software. Jeff On Tue, Sep 1, 2009 at 3:00 AM, Stefan

Fwd: Follow-up: Heartland CEO on Data Breach: QSAs Let Us Down

2009-08-13 Thread Jeffrey Walton
From the folks at Attrition and the DatalossDB. -- Forwarded message -- From: security curmudgeon jeri...@attrition.org Date: Aug 12, 2009 4:22 PM Subject: Follow-up: Heartland CEO on Data Breach: QSAs Let Us Down To: dataloss-disc...@datalossdb.org, datal...@datalossdb.org

Re: Re: Back door trojan in acajoom-3.2.6 for joomla

2009-07-23 Thread Jeffrey Walton
... or the developers were stupid enough to develop with old code. Stupid may be a bit harsh. I find 'Software Security' is also a frame of mind that *must* be backed by education. Perhaps the developers lack the knowledge they need to model the threats and incorporate a secure architecture.