From the lets-try-it-this-way Department
Qihoo360 | GDATA | Rising | Webroot | Dr Web Generic Archive Bypass
Release mode: Vendors do
From the low-hanging-fruit-department
F-SECURE Generic Malformed Container bypass (GZIP)
Ref : [TZO-16-2020] -
From the low-hanging-fruit-department
Bitdefender Generic Malformed Archive Bypass (GZIP)
Release mode: Silent Patch
From the low-hanging-fruit-department
Kaspersky Generic Malformed Archive Bypass (ZIP Filename Length)
Release mode:
From the low-hanging-fruit-department
F-SECURE Generic Malformed Container bypass (RAR)
Ref : [TZO-15-2020] -
From the low-hanging-fruit-department
AVIRA Generic Malformed Container bypass (ZIP GPFLAG)
Release mode: No Patch -
From the low-hanging-fruit-department
ESET Generic Malformed Archive Bypass (BZ2 Checksum)
Release mode: Coordinated
From the low-hanging-fruit-department
Bitdefender Generic Malformed Archive Bypass (RAR Uncompressed Size)
Release mode: Forced
From the low-hanging-fruit-department
Bitdefender Malformed Archive Bypass (RAR Compression Information)
Release mode: Forced
From the low-hanging-fruit-department
Bitdefender Generic Malformed Archive Bypass (ZIP GPFLAG)
Release mode: Forced
From the low-hanging-fruit-department
Kaspersky Generic Malformed Archive Bypass (ZIP Filename Length)
Release mode:
From the low-hanging-fruit-department
Kaspersky Generic Malformed Archive Bypass (ZIP Compressed Size)
Release mode:
From the low-hanging-fruit-department
Bitdefender Generic Malformed Archive Bypass (RAR HOST_OS)
Release mode: Forced
From the low-hanging-fruit-department
Bitdefender Generic Malformed Archive Bypass (BZ2)
Release mode : Forced Disclosure
From the low-hanging-fruit-department
AVIRA Generic Malformed Container bypass (ISO)
Release mode:
From the low-hanging-fruit-department
Kaspersky Generic Malformed Archive Bypass (ZIP GFlag)
Release mode: Coordinated
From the low-hanging-fruit-department
ESET Generic Malformed Archive Bypass (ZIP Compression Information)
Release mode:
what
platforms actually support TLS 1.1 (or 1.2).
The blog post and document is available here:
http://blog.g-sec.lu/2011/09/ssltls-hardening-and-compatibility.html
Should you be aware of any missing or wrong information, drop me a
mail.
Regards,
Thierry
--
http://blog.zoller.lu
Thierry
?eventSubmit_doGoviewsolutiondetails=solutionid=sk60510
The following product versions are not vulnerable:
* EPS R80
* EPS R73 HFA01
* EPC R73 HFA01
* EPS R75 VPN
* SNX R75
* SNX R71.30
All other versions of SNX, EPS and EPC are vulnerable.
Credits
Check Point thanks Thierry Zoller and Nagib Guettiche of Verizon
this to
be interesting. Thierry
Regards,
Thierry ZOLLER
--
http://blog.zoller.lu
Thierry Zoller
http://blog.metasploit.com/2010/02/exploiting-samba-symlink-traversal.html
--
http://blog.zoller.lu
Thierry Zoller
/practicaltls.pdf
Regards,
Thierry Zoller
-vulnerability.html
Direct Download
http://clicky.me/tlsvuln
Disclaimer
Information is believed to be accurate by the time of writing.
As this vulnerability has complex implications this document
is prone to revisions in the future.
Thierry ZOLLER - G-SEC
http://www.g-sec.lu
Principal Security Consultant
by : Thierry Zoller (G-SEC)
Affected products :
~~~
- Symantec Mail Security for Domino
- Symantec Mail Security for Microsoft Exchange
- Symantec Mail Security for SMTP
- Symantec Brightmail Gateway
- Symantec AntiVirus for Network Attached Storage
- Symantec AntiVirus for Caching
=contentid=SB10003
(We disagree with the CVSS rating )
Discovered by : Thierry Zoller (G-SEC)
Affected products :
~~~
All McAfee software that uses DATs including:
- McAfee GroupShield
- McAfee LinuxShield
- McAfee NetShield for NetWare
- McAfee PortalShield
- McAfee
by : Thierry Zoller (G-SEC)
Affected products :
~~~
- F-Secure Internet Security 2009 and earlier
- F-Secure Anti-Virus 2009 and earlier
- F-Secure Home Server Security 2009
- Solutions based on F-Secure Protection Service for Consumers version 8.00 and
earlier
- Solutions based
/portal/anonymous/phpsupcontent?contentID=218878
Discovered by : Thierry Zoller (G-SEC)
Vendor reaction rating : near perfect*
*
Continuous feedback on progress - CVE numbers - In depth investigation of the
issues at hand
Affected products :
~~~
CA Anti-Virus for the Enterprise
am CC:ing him.
GE My best to Adar,
GE Gadi Evron,
GE http://www.gadievron.com/
--
http://blog.zoller.lu
Thierry Zoller
to know whether and if HOW this bug was reintroduced.
[1] http://blog.g-sec.lu/2009/09/iis-5-iis-6-ftp-vulnerability.html
Regards,
Thierry ZOLLER
--
http://blog.zoller.lu
Confirmed.
Ask yourselves why your fuzzers haven't found that one - Combination of
MKDIR are required before reaching vuln code ?
--
http://blog.zoller.lu
Thierry Zoller
code execution
WWW : http://www.g-sec.lu/iphone-remote-code-exec.html
CVE : CVE-2009-1698
BID : 35318
Credit: http://support.apple.com/kb/HT3639
Discovered by : Thierry Zoller
Affected products :
- iPhone OS 1.x through 2.2.1
- iPhone OS for iPod touch 1.x through 2.2.1
I
trailed and struggled to capture status quo (or some compromise
MZ representation thereof) back then.
Thanks for your insight!
--
http://blog.zoller.lu
Thierry Zoller
that's just me.
--
http://blog.zoller.lu
Thierry Zoller
use that has (?) but one thing is sure, they failed
to add a limit, the W3C didn't, but that's because it was never meant
to be written to in the first place.
--
http://blog.zoller.lu
Thierry Zoller
?
There must have been a change then between HTML4 and HTML5
MZ It may or may not have any practical uses (dynamic resizing of SELECTs
MZ without having to delete individual options).
--
http://blog.zoller.lu
Thierry Zoller
One bug to rule them all
IE5,IE6,IE7,IE8,Netscape,Firefox,Safari,Opera,Konqueror,
Seamonkey,Wii,PS3,iPhone,iPod,Nokia,Siemens and more.
++) foo += foo;
MZ for (i=0;i1;i++) document.write(foo);
--
http://blog.zoller.lu
Thierry Zoller
Hi Steven,
SMC we will quickly run
SMC into lots of complexity that may well enter the realm of undecidable
SMC problems,
Yeah, security is too complex. Dude, the fix was to LIMIT the
number of elements. This is not rocket science.
--
http://blog.zoller.lu
Thierry Zoller
fees are spent on.
--
http://blog.zoller.lu
Thierry Zoller
RAM, Fedora 11 with all
RD current updates as of July/15/09.
--
http://blog.zoller.lu
Thierry Zoller
One bug to rule them all
IE5,IE6,IE7,IE8,Netscape,Firefox,Safari,Opera,Konqueror,
Seamonkey,Wii,PS3,iPhone,iPod,Nokia,Siemens and more.
Don't wet your pants - it's DoS
As I received a lot of feedback on this bug, I thought I'd update you. After
not replying
to my notifications and subsequent forced partial disclosure, IBM stated
officially on their website that they were not affected and to my surprise
IBM got in contact immediately after disclosure to
Dear List,
To all those sending in reports, thank you, *but* please read the patch
section. It is normal that it doesn't work in Safari, Chrome, FF,
Opera any longer, they have been patched. Try IE for an example.
To stop the flood of mails, explaining that the POC doesn't work
on
It affects 3.5, there was no effective patch included in that version.
NB Thierry says he thinks No, but you say /something/ nasty happened to
NB your FF 3.5, if I understand you correctly.
--
http://blog.zoller.lu
Thierry Zoller
Update:
---
Patch was ineffective, Length2 was fixed and both
SVGNumber and SVGNumber2, but no SVGLength.
Affected products :
- All firefox versions below 3.5
Update
--
Unfortunately the Denial of Service condition has not been fixed
with the new versions/builds and according to tickets filed
under the bugzilla ID the impact of this bug has changed since
version 3.5. [1]
Hence the list of affected products now is :
- All versions below Firefox
From the low-hanging-fruit-department
F-prot generic bypass (RAR,ARJ,LHA)
Shameless plug :
From the low-hanging-fruit-department
Clamav generic evasion (CAB)
Shameless plug :
ERRATA :
The product Norman Virus Control for Novell Netware (FireBreak) is
not affected. Please remove it from the list of affected items.
From the low-hanging-fruit-department
F-prot generic TAR bypass / evasion
Shameless plug :
From the low-hanging-fruit-department
Clamav generic evasion (RAR,CAB,ZIP)
Shameless plug :
From the low-hanging-fruit-department
Ikarus multiple generic evasions (CAB,RAR,ZIP)
CHEAP Plug :
You are
From the low-hanging-fruit-department
Norman generic evasion (RAR)
CHEAP Plug :
You are invited to
From the low-hanging-fruit-department
F-prot generic evasion (TAR)
CHEAP Plug :
You are invited to
Apple Safari Quicktime Denial of Service
Shameless plug :
You
From the facepalm department
Kaspersky and the silent fix that wasn't
PDF Evasion
Apple Safari Remote code execution (CSS:Attr)
Shameless plug :
Antivir generic RAR,CAB,ZIP
WWW : t.b.a
Vendor : http://www.avira.com
Status : Patched (Engine-Version: AV7 7.9.0.180 / AV8/9 8.2.0.180)
(Re)Discovered : 2005 by froggz, 2007 by Thierry Zoller, 2009 by Roger Mickael
(please give appropriate credit - only when
From the very-low-hanging-fruit-department
Firefox Denial of Service (KEYGEN)
Release mode: Forced release.
Ref
them instead of having them sit there a few months.
period, nothing more nothing less.
--
http://blog.zoller.lu
Thierry Zoller
For those that failed to reproduce, try naming the POC file with an XHTML
extension.
JP result for naming the POC file to .HTML, .HTM.
Thierry Zoller thie...@zoller.lu 05/26/2009 13:13
JP For those that failed to reproduce, try naming the POC file with an XHTML
JP extension.
Hi Michal,
Yep, positive, welcome to the world of rediscovery, sad that the bug seems
to have been known since 2007. Speak about Mozilla being the fastest to
patch. Ticket has now been marked as duplicate of that one.
--
http://blog.zoller.lu
Thierry Zoller
From the low-hanging-fruit-department
Firefox et al. Denial of Service - All versions supporting SVG
CHEAP Plug :
From the low-hanging-fruit-department
Panda generic evasion (CAB)
Why are there two panda advisories instead of one
From the low-hanging-fruit-department
Panda generic evasion (TAR)
Why are there two panda advisories instead of one ?
From the low-hanging-fruit-department
Avira Antivir generic PDF evasion of heuristics
CHEAP Plug :
From the low-hanging-fruit-department
Bitdefender generic evasion of heuristics (for PDF)
CHEAP Plug :
Posted to FD - should be of interest to bugtraq readers :
http://view.samurajdata.se/psview.php?id=023287d6page=1
--
http://blog.zoller.lu
Thierry Zoller
From the low-hanging-fruit-department - AVG generic ZIP bypass / evasion
CHEAP Plug :
You are invited to participate in HACK.LU 2009, a small but
that reacted and complained. Without publication there is no
change, without those reacting to advisories there is neither.
Proves #2 and #5 at
http://blog.zoller.lu/2009/04/dear-thierry-why-are-you-such-arrogant.html
to be valid.
Regards,
Thierry Zoller
From the low-hanging-fruit-department
F-prot generic CAB bypass / evasion
CHEAP Plug :
You are invited to
Update:
Aladdin responded and posted a blog post, please read the timeline and
then the blog post.
http://www.aladdin.com/AircBlog/post/2009/05/Archive-Bypass-Issue-and-eSafe.aspx
It is said that :
-
This means that in case a customer receives such a specially crafted
archive
From the low-hanging-fruit-department - Mcafee multiple generic evasions
Release mode: Coordinated but limited disclosure.
Ref : TZO-182009 -
[Snip]
I. Background
~
ESET develops software solutions that deliver instant, comprehensive protection
against evolving computer security threats. ESET NOD32® Antivirus, is the
flagship
product, consistently achieves the highest accolades in all types of
comparative testing and is
__
From the low-hanging-fruit-department - Nod32 CAB bypass/evasion
__
Release mode: Coordinated but limited disclosure.
Ref : TZO-162009 - Nod32
__
Trendmicro RAR,CAB,ZIP bypass/evasions
__
Release mode: Coordinated but limited disclosure.
Ref : TZO-172009 - Trendmicro RAR,CAB,ZIP
Errata:
BID/CVE : The issue was in ZIP and not CAB archive handling.
Thank you for your understanding.
Regards,
Thierry
__
From the low-hanging-fruit-department - Avira antivir bypass/evasion
__
Release mode: Coordinated but limited disclosure.
Ref : TZO-132009 - Avira
__
From the low-hanging-fruit-department - Aladdin eSafe bypass/evasion
__
Release mode: Forced release, vendor has not replied.
Ref : TZO-152009 -
__
From the low-hanging-fruit-department - Comodo antivir bypass/evasion
__
Release mode: Coordinated but limited disclosure.
Ref : TZO-142009 -
__
SUN/ORACLE JAVA VM Remote code execution
__
Release mode: Coordinated.
Ref : TZO-122009- SUN Java remote code execution
WWW :
Dear Jplopezy,
You should try creating the directory entries in a zip file,
the vector spontaneously becomes remote then. Want to try?
--
http://blog.zoller.lu
Thierry Zoller
URL:
http://blog.zoller.lu/2009/04/release-mode-forced-release-vendor-has.html
Update : After the reaction from avast, it is now clear that all versions
and products are affected, however there is no plan to patch, the
patch will come or will not come - sometime in the future.
You are
__
From the low-hanging-fruit-department - Bitdefender bypass/evasion
__
Release mode: Coordinated but limited disclosure.
Ref : TZO-082009 -
__
From the low-hanging-fruit-department - AVAST bypass/evasion
__
Release mode: Forced release, vendor has not replied.
Ref : TZO-092009 - AVAST
__
From the low-hanging-fruit-department - Nod32 bypass/evasion
__
Release mode: Coordinated but limited disclosure.
Ref : TZO-092009 - Nod32
__
From the low-hanging-fruit-department - Fortinet bypass/evasion
__
Release mode: Forced release, vendor has not replied.
Ref : TZO-112009 -
__
From the low-hanging-fruit-department - Generic ClamAV evasion
__
Release mode: Coordinated but limited disclosure.
Ref : TZO-062009- ClamAV
Thierry Zoller
__
From the low-hanging-fruit-department - F-PROT ZIP method evasion
__
Release mode: Coordinated.
Ref : TZO-07-2009 Fprot ZIP Method Evasion
WWW
esp=00032fa0 ebp=0003304c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=00010206
Crash seems not to be recorded by the FF crash handled.
Regards,
Thierry
--
http://secdev.zoller.lu
Thierry Zoller
/2009 : Release of this advisory
Thierry Zoller
http://blog.zoller.lu
Internet
Update Manager
14/01/2009 : Release of this advisory
Thierry Zoller
http://blog.zoller.lu
Dear All,
That said the original work on this from metlstorm is in the news [1]
and can be found here : http://storm.net.nz/projects/16
[1] http://it.slashdot.org/article.pl?sid=08/03/04/1258210from=rss
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3
and there is actual substance to start
a discussion. I would have loved to receive a question before you
shoot.
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
this particular case_ has to be done
by the function. Sorry my opinion.
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
explain the difference in detail, my co-workers Dave and Chen have
helped
me put together some information...
http://blogs.technet.com/msrc/archive/2007/10/10/msrc-blog-additional-details-and-background-on-security-advisory-943521.aspx
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84
.
PS [1] :
http:%xx../../../../../../../../../windows/system32/calc.exe.cmd
[1]
http://www.heise.de/security/news/meldung/96921/URI-Problem-zieht-weitere-Kreise-Acrobat-Reader-und-Netscape-anfaellig-2-Update
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57