A user of ours has reported that the D-Link DI-614+
Thomas forgot to include the Firmware that machine is
running.
I am a user of the above mentioned device, new firmware for
EUROPEAN (important as the european distributors are lagging
a few versions behind) and US versions can be found here
___
F-Prot/Frisk Anti Virus bypass - ZIP Version Header
___
Ref : TZO-012005-Fprot
Author : Thierry Zoller / Security Engineer
WWW : http://secdev.zoller.lu
Thierry Zoller
... it is a bad idea.
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
Dear List,
Small blurb I came across; when Wehntrust creates the autostart key
it forgets to correctly quote the string in the key and thus may
trigger an autostart of c:\program.bat|exe|com upon reboot... [2]
Quoting [1] :
Dear List,
Title : CheckPoint - CheckQuotes!
Ref: TZO-012006-Checkpoint
Author : Thierry Zoller
TXT: http://secdev.zoller.lu/research/checkpoint.txt
URL: http://secdev.zoller.lu/research/checkpoint.htm
Introduction :
~~
As employees become more mobile, sophisticated VPN
___
Safe'nSec - Insecure File execution and Auto-startup
___
Ref : TZO-062006-SafenSec
Author : Thierry Zoller
WWW : http://secdev.zoller.lu
Internet
Update Manager
14/01/2009 : Release of this advisory
Thierry Zoller
http://blog.zoller.lu
/2009 : Release of this advisory
Thierry Zoller
http://blog.zoller.lu
esp=00032fa0 ebp=0003304c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=00010206
Crash seems not to be recorded by the FF crash handled.
Regards,
Thierry
--
http://secdev.zoller.lu
Thierry Zoller
Dear XFOCUS Team,
Is this the same vuln as discovered by class101 ?
http://www.zerodayinitiative.com/advisories/ZDI-06-004.html
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
Dear Bernhard Mueller,
Opera is pretty bad at CSS, try the new fuzzer from HDM :
http://metasploit.com/users/hdm/tools/see-ess-ess-die/cssdie.html
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
-out.
What specific SSH issue are you referring to here ?
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
it to be installed on millions of workstations (IMO).
- If you compromise (or alter) a DNS server this gives immediate access to
internal client machines.
The impact as citing Kevin F. is : Dns server pwnage and then mass client
ownage
--
http://secdev.zoller.lu
Thierry Zoller
___
XAMPP - Multiple Privilege Escalation and Rogue Autostart
___
Ref : TZO-072006-Xampp
Author : Thierry Zoller
WWW : http:
* PLEASE implement the GUI to use the possibility for bluetooth to use
characters (UTF8) NOT ONLY DIGITS.
* Please be more transparent towards your device driver version numbers and
propose an easy way to update.
Credits :
Thierry Zoller - http://www.nruns.com - http://secdev.zoller.lu
Kevin
Dear List,
Did anybody mention this does not work in Adobe Acrobat Reader 8 ?
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
should contact
in case you have
spotted irregularities - CSSF - http://www.cssf.lu
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
are there
more of them ? I think the guys behind Solaris should investigate and
post the result of their enquiry publicly (to the vuln. post would be a
good idea) if they still want people to trust.
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6
back door access ?
CDSC masqueraded as buffer overflows you might not chance upon.
Nobody does that anymore, everybody does code audits now and catches
buffer overflows, right? I think other overflows are more interesting
to hide access.
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84
login: whenever
$ whoami
bin
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
platform offers an equivalent
level of usability with automatic configuration and focus on penetration
testing.
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 4813 c403 58f1 1200 7189 a000 7cf1 1200 9f89 a000
time feel free to dig deeper.
I especially liked this :
inject
url=citibank.com
TRTD colspan=3 class=smallArial noWrapSPAN STYLE='color:red'To prevent
fraud enter your credit card information please:/SPAN/TD/TR
Puke..
--
http://secdev.zoller.lu
Thierry Zoller
Dear All,
That said the original work on this from metlstorm is in the news [1]
and can be found here : http://storm.net.nz/projects/16
[1] http://it.slashdot.org/article.pl?sid=08/03/04/1258210from=rss
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3
10.000.000 keys/sec
E14 30.000.000 keys/sec
Thanks and Credits :
David Hulton
Eric Sesterhen
Myself (Thierry Zoller)
Download is available here :
http://www.nruns.com/_en/security_tools.php
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 4813 c403 58f1
. Renderman will demonstrate the findings at this year's
DEFCON during the Church of WiFi, be there (I will)
Information and Files from :
http://secdev.zoller.lu
Thierry Zoller - Security Engineer
Controller http interface 2.0
RS 5900/tcp open vnc?
RS Service Info: Devices: terminal server, remote management
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
Updated Advisory :
http://www.nruns.com/security_advisory_sophos_upx_code_execution.php
The complete list :
http://www.nruns.com/parsing-engines-advisories.php
--
Thierry Zoller - Security Engineer
Fingerprint 9180 F9C9 A0EF BDA3 C46A BFEB B149
%28computer_security%29
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
to rediscover this one. Which
makes this even worse.
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
a decade ago when they put
the insecure LANMAN hash next to the brand new NTLM one. The table sys.user$
still holds the case insensitive DES encrypted password version next to the new
one.
by THS
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6
Dear pdp (architect),
pa xecuted of the border router domain
I'd like to see a border router serving images on port 80 ???
Doesn't make sense, really ;) No pun intended.
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
related to the nature of the networks though.
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
Dear List,
Thanks Kevin for all your time and commitment :)
Slides of the talk (Hack.lu) : http://secdev.zoller.lu/research/hack_lu_2006.pdf
Bluetooth_Cracker : http://secdev.zoller.lu/research/bluetoothcracker.htm
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951
the motivation behind this move and more insight
is available through Dark Reading :
http://www.darkreading.com/document.asp?doc_id=134646WT.svl=news1_2
[1] http://www.nruns.com/_en/security_tools.php
Regards,
Thierry Zoller - Security Engineer
Fingerprint 9180 F9C9 A0EF BDA3 C46A BFEB B149 0FE4
hundreds of third party
applications.
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
the handler itself is broken.
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
.
PS [1] :
http:%xx../../../../../../../../../windows/system32/calc.exe.cmd
[1]
http://www.heise.de/security/news/meldung/96921/URI-Problem-zieht-weitere-Kreise-Acrobat-Reader-und-Netscape-anfaellig-2-Update
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57
Invitation to Hack.lu [1] - A small but nice Conference in the
Heart of Europe.
As you may or may not know, we always prepare something special
for Hack.lu, last year BTcrack, this year we'd like to announce
our (n.runs AG) Presentation @ this year's Hack.lu, entitled:
this particular case_ has to be done
by the function. Sorry my opinion.
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
explain the difference in detail, my co-workers Dave and Chen have
helped
me put together some information...
http://blogs.technet.com/msrc/archive/2007/10/10/msrc-blog-additional-details-and-background-on-security-advisory-943521.aspx
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84
and there is actual substance to start
a discussion. I would have loved to receive a question before you
shoot.
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
__
From the low-hanging-fruit-department - Generic ClamAV evasion
__
Release mode: Coordinated but limited disclosure.
Ref : TZO-062009- ClamAV
Thierry Zoller
__
From the low-hanging-fruit-department - F-PROT ZIP method evasion
__
Release mode: Coordinated.
Ref : TZO-07-2009 Fprot ZIP Method Evasion
WWW
__
From the low-hanging-fruit-department - Bitdefender bypass/evasion
__
Release mode: Coordinated but limited disclosure.
Ref : TZO-082009 -
__
From the low-hanging-fruit-department - AVAST bypass/evasion
__
Release mode: Forced release, vendor has not replied.
Ref : TZO-092009 - AVAST
__
From the low-hanging-fruit-department - Nod32 bypass/evasion
__
Release mode: Coordinated but limited disclosure.
Ref : TZO-092009 - Nod32
__
From the low-hanging-fruit-department - Fortinet bypass/evasion
__
Release mode: Forced release, vendor has not replied.
Ref : TZO-112009 -
URL:
http://blog.zoller.lu/2009/04/release-mode-forced-release-vendor-has.html
Update : After the reaction from avast, it is now clear that all versions
and products are affected, however there is no plan to patch, the
patch will come or will not come - sometime in the future.
You are
Dear Jplopezy,
You should try creating the directory entries in a zip file,
the vector spontaneously becomes remote then. Want to try?
--
http://blog.zoller.lu
Thierry Zoller
__
SUN/ORACLE JAVA VM Remote code execution
__
Release mode: Coordinated.
Ref : TZO-122009- SUN Java remote code execution
WWW :
__
From the low-hanging-fruit-department - Avira antivir bypass/evasion
__
Release mode: Coordinated but limited disclosure.
Ref : TZO-132009 - Avira
__
From the low-hanging-fruit-department - Aladdin eSafe bypass/evasion
__
Release mode: Forced release, vendor has not replied.
Ref : TZO-152009 -
__
From the low-hanging-fruit-department - Comodo antivir bypass/evasion
__
Release mode: Coordinated but limited disclosure.
Ref : TZO-142009 -
Errata:
BID/CVE : The issue was in ZIP and not CAB archive handling.
Thank you for your understanding.
Regards,
Thierry
[Snip]
I. Background
~
ESET develops software solutions that deliver instant, comprehensive protection
against evolving computer security threats. ESET NOD32® Antivirus, is the
flagship
product, consistently achieves the highest accolades in all types of
comparative testing and is
__
From the low-hanging-fruit-department - Nod32 CAB bypass/evasion
__
Release mode: Coordinated but limited disclosure.
Ref : TZO-162009 - Nod32
__
Trendmicro RAR,CAB,ZIP bypass/evasions
__
Release mode: Coordinated but limited disclosure.
Ref : TZO-172009 - Trendmicro RAR,CAB,ZIP
From the low-hanging-fruit-department - Mcafee multiple generic evasions
Release mode: Coordinated but limited disclosure.
Ref : TZO-182009 -
Update:
Aladdin responded and posted a blog post, please read the timeline and
then the blog post.
http://www.aladdin.com/AircBlog/post/2009/05/Archive-Bypass-Issue-and-eSafe.aspx
It is said that :
-
This means that in case a customer receives such a specially crafted
archive
From the low-hanging-fruit-department - AVG generic ZIP bypass / evasion
CHEAP Plug :
You are invited to participate in HACK.LU 2009, a small but
that reacted and complained. Without publication there is no
change, without those reacting to advisories there is neither.
Proves #2 and #5 at
http://blog.zoller.lu/2009/04/dear-thierry-why-are-you-such-arrogant.html
to be valid.
Regards,
Thierry Zoller
From the low-hanging-fruit-department
F-prot generic CAB bypass / evasion
CHEAP Plug :
You are invited to
From the low-hanging-fruit-department
Avira Antivir generic PDF evasion of heuristics
CHEAP Plug :
From the low-hanging-fruit-department
Bitdefender generic evasion of heuristics (for PDF)
CHEAP Plug :
Posted to FD - should be of interest to bugtraq readers :
http://view.samurajdata.se/psview.php?id=023287d6page=1
--
http://blog.zoller.lu
Thierry Zoller
From the low-hanging-fruit-department
Panda generic evasion (CAB)
Why are there two panda advisories instead of one
From the low-hanging-fruit-department
Panda generic evasion (TAR)
Why are there two panda advisories instead of one ?
From the low-hanging-fruit-department
Firefox et al. Denial of Service - All versions supporting SVG
CHEAP Plug :
For those that failed to reproduce, try naming the POC file with an XHTML
extension.
JP result for naming the POC file to .HTML, .HTM.
Thierry Zoller thie...@zoller.lu 05/26/2009 13:13
JP For those that failed to reproduce, try naming the POC file with an XHTML
JP extension.
Hi Michal,
Yep, positive, welcome to the world of rediscovery, sad that the bug seems
to have been known since 2007. Speak about Mozilla being the fastest to
patch. Ticket has now been marked as duplicate of that one.
--
http://blog.zoller.lu
Thierry Zoller
From the very-low-hanging-fruit-department
Firefox Denial of Service (KEYGEN)
Release mode: Forced release.
Ref
them instead of having them sit there a few months.
period, nothing more nothing less.
--
http://blog.zoller.lu
Thierry Zoller
Antivir generic RAR,CAB,ZIP
WWW : t.b.a
Vendor : http://www.avira.com
Status : Patched (Engine-Version: AV7 7.9.0.180 / AV8/9 8.2.0.180)
(Re)Discovered : 2005 by froggz, 2007 by Thierry Zoller, 2009 by Roger Mickael
(please give appropriate credit - only when
From the low-hanging-fruit-department
Ikarus multiple generic evasions (CAB,RAR,ZIP)
CHEAP Plug :
You are
From the low-hanging-fruit-department
Norman generic evasion (RAR)
CHEAP Plug :
You are invited to
From the low-hanging-fruit-department
F-prot generic evasion (TAR)
CHEAP Plug :
You are invited to
Apple Safari Quicktime Denial of Service
Shameless plug :
You
From the facepalm department
Kaspersky and the silent fix that wasn't
PDF Evasion
Apple Safari Remote code execution (CSS:Attr)
Shameless plug :
From the low-hanging-fruit-department
F-prot generic TAR bypass / evasion
Shameless plug :
From the low-hanging-fruit-department
Clamav generic evasion (RAR,CAB,ZIP)
Shameless plug :
From the low-hanging-fruit-department
F-prot generic bypass (RAR,ARJ,LHA)
Shameless plug :
From the low-hanging-fruit-department
Clamav generic evasion (CAB)
Shameless plug :
ERRATA :
The product Norman Virus Control for Novell Netware (FireBreak) is
not affected. Please remove it from the list of affected items.
Update
--
Unfortunately the Denial of Service condition has not been fixed
with the new versions/builds and according to tickets filed
under the bugzilla ID the impact of this bug has changed since
version 3.5. [1]
Hence the list of affected products now is :
- All versions below Firefox
Update:
---
Patch was ineffective, Length2 was fixed and both
SVGNumber and SVGNumber2, but no SVGLength.
Affected products :
- All firefox versions below 3.5
It affects 3.5, there was no effective patch included in that version.
NB Thierry says he thinks No, but you say /something/ nasty happened to
NB your FF 3.5, if I understand you correctly.
--
http://blog.zoller.lu
Thierry Zoller
One bug to rule them all
IE5,IE6,IE7,IE8,Netscape,Firefox,Safari,Opera,Konqueror,
Seamonkey,Wii,PS3,iPhone,iPod,Nokia,Siemens and more.
Don't wet your pants - it's DoS
As I received a lot of feedback on this bug, I thought I'd update you. After
not replying
to my notifications and subsequent forced partial disclosure, IBM stated
officially on their website that they were not affected and to my surprise
IBM got in contact immediately after disclosure to
Dear List,
To all those sending in reports, thank you, *but* please read the patch
section. It is normal that it doesn't work in Safari, Chrome, FF,
Opera any longer, they have been patched. Try IE for an example.
To stop the flood of mails, explaining that the POC doesn't work
on
fees are spent on.
--
http://blog.zoller.lu
Thierry Zoller
RAM, Fedora 11 with all
RD current updates as of July/15/09.
--
http://blog.zoller.lu
Thierry Zoller
One bug to rule them all
IE5,IE6,IE7,IE8,Netscape,Firefox,Safari,Opera,Konqueror,
Seamonkey,Wii,PS3,iPhone,iPod,Nokia,Siemens and more.
++) foo += foo;
MZ for (i=0;i1;i++) document.write(foo);
--
http://blog.zoller.lu
Thierry Zoller
Hi Steven,
SMC we will quickly run
SMC into lots of complexity that may well enter the realm of undecidable
SMC problems,
Yeah, security is too complex. Dude, the fix was to LIMIT
the number of elements. This is not rocket science.
--
http://blog.zoller.lu
Thierry Zoller
trailed and struggled to capture status quo (or some compromise
MZ representation thereof) back then.
Thanks for your insight!
--
http://blog.zoller.lu
Thierry Zoller