Re: Solaris 2.6, 7, 8

2002-10-03 Thread Marco Ivaldi
On Wed, 2 Oct 2002, buzheng wrote: I do not think this is a new bug. I completely agree. But, the remote setting of TTYPROMPT does matter. You cannot succeed in login without remotely changing the TTYPROMPT. This is also the bug mentioned in Jonathan's original letter (bid:5531). That's

Linux zero IP ID vulnerability?

2006-03-14 Thread Marco Ivaldi
and incremental) for UDP and ICMP packets. The interesting thing with TCP, though, is that it can be exploited to perform an idle scan, while i don't see security implications with UDP and ICMP, despite the obvious information leak. Cheers, -- Marco Ivaldi Antifork Research, Inc. http

Re: Linux zero IP ID vulnerability?

2006-03-15 Thread Marco Ivaldi
packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max = 53.7/56.4/59.1 ms Cheers, -- Marco Ivaldi Antifork Research, Inc. http://0xdeadbeef.info/ 3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707

Re: Linux zero IP ID vulnerability?

2006-03-17 Thread Marco Ivaldi
may also be affected) i've the feeling they're not going to fix this any time soon: in the next days i'll see if i can find some spare time to dig a bit into kernel code to identify the cause and maybe even provide a patch. Cheers, -- Marco Ivaldi Antifork Research, Inc. http://0xdeadbeef.info/ 3B05

Re: recursive DNS servers DDoS as a growing DDoS problem

2006-04-04 Thread Marco Ivaldi
all the major ISPs to break regular DNS functionality and override these censored records: http://www.aams.it/site.php?page=20060213093814964op=download Italy is the first democratic country to do something like that, AFAIK. Just my 2 euro-cents, -- Marco Ivaldi Antifork Research, Inc. http

Re: Oracle = 9i / 10g File System Access via utl_file Exploit

2006-12-21 Thread Marco Ivaldi
not terribly uncommon to find such setups, which allow escalating privileges from DBMS user to OS user... Therefore, i thought it would have been nice to share this proof-of-concept code with the security community;) Ciao, -- Marco Ivaldi Antifork Research, Inc. http://0xdeadbeef.info/ 3B05

Re: Solaris telnet vulnerability - how many on your network?

2007-02-20 Thread Marco Ivaldi
/2002/10/msg00020.html [2] http://www.0xdeadbeef.info/exploits/raptor_rlogin.c Cheers, -- Marco Ivaldi Antifork Research, Inc. http://0xdeadbeef.info/ 3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707

Re: Denial of Service Vulnerabilities in TrueCrypt 4.3 Linux (re. bid 23180)

2007-04-04 Thread Marco Ivaldi
user. This may have some small security implications: i suppose an additional check on the ownership of the libraries wouldn't hurt here. Cheers, -- Marco Ivaldi Antifork Research, Inc. http://0xdeadbeef.info/ 3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707

Re: AS/400 Vulnerabilities

2008-06-16 Thread Marco Ivaldi
://www.security-database.com/toolswatch/AS-400-Auditing-Framework-Beta.html Cheers, -- Marco Ivaldi, OPST Red Team Coordinator Data Security Division @ Mediaservice.net Srl http://mediaservice.net/

yet another OpenSSH timing leak?

2006-10-09 Thread Marco Ivaldi
of tests performed on other distros and configurations. Thanks to Solar Designer and Andrea Barisani for the interesting discussion on this topic. Cheers, -- Marco Ivaldi Antifork Research, Inc. http://0xdeadbeef.info/ 3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707[EMAIL PROTECTED]:~$ # [EMAIL

Re: yet another OpenSSH timing leak?

2006-10-10 Thread Marco Ivaldi
and auditors to spot some other timing leaks. Cheers, -- Marco Ivaldi Antifork Research, Inc. http://0xdeadbeef.info/ 3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707

Re: iDefense Security Advisory 10.11.06: Sun Microsystems Solaris NSPR Library Arbitrary File Creation Vulnerability

2006-10-14 Thread Marco Ivaldi
-end has landed! -- Marco Ivaldi Antifork Research, Inc. http://0xdeadbeef.info/ 3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707

Re: yet another OpenSSH timing leak?

2006-10-15 Thread Marco Ivaldi
$10$KZFZX7yYEpbfDvwP6Z5N5ut4Gc/rdIF64/TmpWssIPQvROTiK/TiG:13433:0:9:7::: [password has been manually changed to test321] [EMAIL PROTECTED]: ./sshtime localhost dict sshtime v0.1 - Simple OpenSSH remote timing attack tool Copyright (c) 2006 Marco Ivaldi [EMAIL PROTECTED] [EMAIL PROTECTED

Re: Windows 7/8 admin account installation password stored in the clear in LSA Secrets

2013-07-12 Thread Marco Ivaldi
. Exploiting this requires the same permission levels that would be required to change or access the password anyway. Where's the realistic security threat? Rob -- -- Marco Ivaldi OPSA, OPST, OWSE, QSA, ASV Senior

local privilege escalation via CDE dtprintinfo

2019-05-19 Thread Marco Ivaldi
.com/0xdea/raptor_infiltrate19 Regards, -- Marco Ivaldi, SAT Manager CISSP, OSCP, QSA, ASV, OPSA, OPST, OWSE, LA27001, PRINCE2F @Mediaservice.net S.r.l. con Socio Unico https://www.mediaservice.net/ @Mediaservice.net (Cybaze Group) Security Advisory #2019-01 (updated on 2019-05-08) Ti

CVE-2019-3010 - Local privilege escalation on Solaris 11.x via xscreensaver

2019-10-16 Thread Marco Ivaldi
et/2019/10/local-privilege-escalation-on-solaris-11-x-via-xscreensaver/ https://github.com/0xdea/exploits/blob/master/solaris/raptor_xscreensaver Regards, -- Marco Ivaldi, SAT Manager CISSP, OSCP, QSA, ASV, OPSA, OPST, OWSE, LA27001, PRINCE2F @Mediaservice.net S.r.l. con Socio U

CVE-2020-2656 - Low impact information disclosure via Solaris xlock

2020-01-17 Thread Marco Ivaldi
rtial contents of sensitive files. Due to the fact that target files must be in a very specific format, exploitation of this flaw to escalate privileges in a realistic scenario is unlikely." Regards, -- Marco Ivaldi, Offensive Security Manager CISSP, OSCP, QSA, ASV, OPSA, OPST, OWSE, LA27001

CVE-2020-2696 - Local privilege escalation via CDE dtsession

2020-01-17 Thread Marco Ivaldi
ion/ https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtsession_ipa.c Regards, -- Marco Ivaldi, Offensive Security Manager CISSP, OSCP, QSA, ASV, OPSA, OPST, OWSE, LA27001, PRINCE2F @Mediaservice.net S.r.l. con Socio Unico https://www.mediaservice.net/ Tel: +39 011 19016595 | Fa