You got to be kidding me...
FORTICLIENT VPN CLIENT CREDENTIAL INTERCEPTION VULNERABILITY
When the FortiClient VPN client is tricked into connecting to a proxy
server rather than to the original firewall (e.g. through ARP or DNS
spoofing), it detects the wrong SSL certificate but it only
After reading through such an extensive credit list in the form of
Reported by, Fixed by, Coordinated by, one wonders when we'll see
the Introduced by in the Drupal patch announcements?
http://blog.zoller.lu
REPORTED BY
--
FIXED BY
imply GMA to have been vulnerable to MITM prior to version 2.0.2
Disclosure Timeline :
=
- GOOD disclosed over iTunes on the 02.08.2012
--
http://blog.zoller.lu
Thierry Zoller
___
Full-Disclosure - We believe in it.
Charter: http
10 year old bug classes are indeed fun to read, though the fun might
be directed at some one as opposed to something.
Even giving it a cool name doesn't make that one a new weakness.
--
http://blog.zoller.lu
Thierry Zoller
Hi FD,
I'd need help confirming a specific vulnerability, if you happen to
have ISS Proventia Desktop installed, please get in touch with me. You
don't need to expose anything - I will provide more information.
Regards,
Thierry
Those bugs might not be security-relevant, but they can be very annoying
nevertheless.
Three letters, C I A - guess what property can be remotely triggered.
There is no discussion whether this is security-relevant
Slippery Slopes everywhere :
DR Again, causing the RP CPU to go to 100% due to punted
DR management-plane traffic isn't a new phenomenon
1. Nobody claimed it to be a new phenomenon
2. He is not saturating anything.
DR Of course PSIRT will ask for details, as they should; my point is
DR that
Hi Roland,
Was not aware of the acronym - BCP is generally used for Business
Continuity Plan in the industry.
DR On Jul 2, 2010, at 5:59 PM, Thierry Zoller wrote:
There it is again, BCP. Is this the new IDS ?
DR BCP = Best Current Practice = iACLs, CoPP, et al.
DR
--
http://blog.zoller.lu
Thierry Zoller
crashes when being scanned - it's a vulnerability.
Bye
--
http://blog.zoller.lu
Thierry Zoller
Dear List,
Anybody aware of the security contact for Bluecoat.
secure@ bounces
--
http://blog.zoller.lu
Thierry Zoller
this to
be interesting. Thierry
Regards,
Thierry ZOLLER
TOOL: Harden SSL/TLS beta
OS: Windows (2000,XP,Seven,2003,2008,2008R2)
Requirement : .NET Framework 2.0
Author : Thierry Zoller for G-SEC Ltd.
Developed as part of G-SEC's investigation into the
Secure SSL
· RSA BSAFE
Blog Post :
http://blog.g-sec.lu/2010/02/ssltls-audit-alpha-tool-release.html
Documentation:
http://www.g-sec.lu/sslaudit/documentation.pdf
Regards,
Thierry Zoller
http://blog.metasploit.com/2010/02/exploiting-samba-symlink-traversal.html
--
http://blog.zoller.lu
Thierry Zoller
--
http://blog.zoller.lu
Thierry Zoller
for that communication.
--
http://blog.zoller.lu
Thierry Zoller
/practicaltls.pdf
Regards,
Thierry Zoller
withheld,
rediscovered by Thierry Zoller for this paper)
With this new information G-SEC encourages Vendors and customers
to reevaluate the impact of this vulnerability on their products.
Brief explanations :
HTTPS : Injecting arbitrary _responses_ into the stream
compromise online banking security.
RPG The full paper is available in German and English at
RPG http://www.redteam-pentesting.de/publications/MitM-chipTAN-comfort
--
http://blog.zoller.lu
Thierry Zoller
-vulnerability.html
Direct Download
http://clicky.me/tlsvuln
Disclaimer
Information is believed to be accurate by the time of writing.
As this vulnerability has complex implications this document
is prone to revisions in the future.
Thierry ZOLLER - G-SEC
http://www.g-sec.lu
Principal Security Consultant
by : Thierry Zoller (G-SEC)
Affected products :
~~~
- Symantec Mail Security for Domino
- Symantec Mail Security for Microsoft Exchange
- Symantec Mail Security for SMTP
- Symantec Brightmail Gateway
- Symantec AntiVirus for Network Attached Storage
- Symantec AntiVirus for Caching
by : Thierry Zoller (G-SEC)
Affected products :
~~~
- F-Secure Internet Security 2009 and earlier
- F-Secure Anti-Virus 2009 and earlier
- F-Secure Home Server Security 2009
- Solutions based on F-Secure Protection Service for Consumers version 8.00 and earlier
- Solutions based
=contentid=SB10003
(We disagree with the CVSS rating )
Discovered by : Thierry Zoller (G-SEC)
Affected products :
~~~
All McAfee software that uses DATs including:
- McAfee GroupShield
- McAfee LinuxShield
- McAfee NetShield for NetWare
- McAfee PortalShield
- McAfee
/portal/anonymous/phpsupcontent?contentID=218878
Discovered by : Thierry Zoller (G-SEC)
Vendor reaction rating : near perfect*
* Continuous feedback on progress - CVE numbers - in-depth investigation of the
issues at hand
Affected products :
~~~
CA Anti-Virus for the Enterprise
--
http://blog.zoller.lu
Thierry Zoller
can't follow you here. I
frankly don't know any Access control logic where running a format leads
to the escalation of a privilege, per se.
--
http://blog.zoller.lu
Thierry Zoller
)
JL STSM, Informix Database Engineering, IBM Information Management
JL 4400 N First St, San Jose, CA 95134-1257
JL Tel: +1 408-956-2436 Tieline: 475-2436
JL I don't suffer from insanity; I enjoy every minute of it!
--
http://blog.zoller.lu
Thierry Zoller
--
http://blog.zoller.lu
Thierry Zoller
Hi K,
http://www.heise.de/ct/projekte/FAQ-406390.html#sticks
--
http://blog.zoller.lu
Thierry Zoller
to know whether and if HOW this bug was reintroduced.
[1] http://blog.g-sec.lu/2009/09/iis-5-iis-6-ftp-vulnerability.html
Regards,
Thierry ZOLLER
--
http://blog.zoller.lu
Confirmed.
Ask yourselves why your fuzzers haven't found that one - a combination of
MKDIR is required before reaching the vulnerable code?
--
http://blog.zoller.lu
Thierry Zoller
not writing comments for you to send to /dev/null, I
consider my time more useful.
--
http://blog.zoller.lu
Thierry Zoller
Hi Aaron,
The 'shades of grey' only exist to security people.
Define security people
mshtml!ptls5::fsupdatebottomlesspel+0x47c (40af6cf7)
Tainted Input Operands: ZeroFlag
--
http://blog.zoller.lu
Thierry Zoller
code execution
WWW : http://www.g-sec.lu/iphone-remote-code-exec.html
CVE : CVE-2009-1698
BID : 35318
Credit: http://support.apple.com/kb/HT3639
Discovered by : Thierry Zoller
Affected products :
- iPhone OS 1.x through 2.2.1
- iPhone OS for iPod touch 1.x through 2.2.1
I
that's just me.
--
http://blog.zoller.lu
Thierry Zoller
One bug to rule them all
IE5,IE6,IE7,IE8,Netscape,Firefox,Safari,Opera,Konqueror,
Seamonkey,Wii,PS3,iPhone,iPod,Nokia,Siemens and more.
++) foo += foo;
MZ for (i=0;i1;i++) document.write(foo);
--
http://blog.zoller.lu
Thierry Zoller
Hi Steven,
SMC we will quickly run
SMC into lots of complexity that may well enter the realm of undecidable
SMC problems,
Yeah, security is too complex. Dude, the fix was to LIMIT the
number of elements. This is not rocket science.
--
http://blog.zoller.lu
Thierry Zoller
use that has (?) but one thing is sure, they failed
to add a limit, the W3C didn't, but that's because it was never meant
to be written to in the first place.
--
http://blog.zoller.lu
Thierry Zoller
?
There must have been a change then between HTML4 and HTML5
MZ It may or may not have any practical uses (dynamic resizing of SELECTs
MZ without having to delete individual options).
--
http://blog.zoller.lu
Thierry Zoller
trailed and struggled to capture status quo (or some compromise
MZ representation thereof) back then.
Thanks for your insight!
--
http://blog.zoller.lu
Thierry Zoller
fees are spent on.
--
http://blog.zoller.lu
Thierry Zoller
One bug to rule them all
IE5,IE6,IE7,IE8,Netscape,Firefox,Safari,Opera,Konqueror,
Seamonkey,Wii,PS3,iPhone,iPod,Nokia,Siemens and more.
Don't wet your pants - it's DoS
As I received a lot of feedback on this bug, I thought I'd update you. After
not replying to my notifications and subsequent forced partial disclosure,
IBM stated officially on their website that they were not affected and, to my
surprise, IBM got in contact immediately after disclosure to
Dear List,
To all those sending in reports, thank you, *but* please read the patch
section. It is normal that it doesn't work in Safari, Chrome, FF,
Opera any longer, they have been patched. Try IE for an example.
To stop the flood of mails, explaining that the POC doesn't work
on
Update
--
Unfortunately the Denial of Service condition has not been fixed
with the new versions/builds and, according to tickets filed
under the bugzilla ID, the impact of this bug has changed since
version 3.5. [1]
Hence the list of affected products now is :
- All versions below Firefox
From the low-hanging-fruit-department
F-prot generic bypass (RAR,ARJ,LHA)
Shameless plug :
From the low-hanging-fruit-department
Clamav generic evasion (CAB)
Shameless plug :
From the low-hanging-fruit-department
F-prot generic TAR bypass / evasion
Shameless plug :
From the low-hanging-fruit-department
Clamav generic evasion (RAR,CAB,ZIP)
Shameless plug :
From the low-hanging-fruit-department
Norman generic evasion (RAR)
CHEAP Plug :
You are invited to
From the low-hanging-fruit-department
F-prot generic evasion (TAR)
CHEAP Plug :
You are invited to
Apple Safari Quicktime Denial of Service
Shameless plug :
You
Apple Safari Remote code execution (CSS:Attr)
Shameless plug :
From the facepalm department
Kaspersky and the silent fix that wasn't
PDF Evasion
From the low-hanging-fruit-department
Ikarus multiple generic evasions (CAB,RAR,ZIP)
CHEAP Plug :
You are
Hi,
AJE We have seen 44 sites in the last year at WhiteHat Security that were
AJE vulnerable to Fullwidth unicode-encoded attacks. This one tends to be
AJE more ubiquitous than others when you find it. In the applications weak
AJE to this -- we found roughly 200 locations vulnerable to attack in
itms_base_url A*268 # Fill up the real buffer
itms_base_url # $ebx, $esi, $edi, $ebp
itms_base_url target['Addr'] # hullo there, jmp *%ecx!
--
http://blog.zoller.lu
Thierry Zoller
Thierry Zoller
like you hit a little boy and everybody steps in for
his defence.
Anyways, too much noise for such a stupid, near irrelevant bug.
--
http://blog.zoller.lu
Thierry Zoller
JP result for naming the POC file to .HTML, .HTM.
Thierry Zoller thie...@zoller.lu 05/26/2009 13:13
JP For those that failed to reproduce, try naming the POC file with an XHTML
JP extension.
Hi Michal,
Yep, positive, welcome to the world of rediscovery, sad that the bug seems
to have been known since 2007. Speak about Mozilla being the fastest to
patch. Ticket has now been marked as duplicate of that one.
--
http://blog.zoller.lu
Thierry Zoller
From the very-low-hanging-fruit-department
Firefox Denial of Service (KEYGEN)
Release mode: Forced release.
Ref
From the low-hanging-fruit-department
Firefox et al. Denial of Service - All versions supporting SVG
CHEAP Plug :
Hi Sub,
S does not work on firefox 3.0.10, tested
Reproduced the bug on 3.0.10 prior to posting.
--
http://blog.zoller.lu
Thierry Zoller
For those that failed to reproduce, try naming the POC file with an XHTML
extension.
astonishingly well.
Here are two generic unpackers I think deserve some exposure too :
- RL!unpack
http://ap0x.jezgra.net/unpackers.html
(tested against 101+ packers/mods)
- Quickunpack
http://rapidshare.com/files/104264619/qunpack21.zip
--
http://blog.zoller.lu
Thierry Zoller
Hi,
- RL!unpack
http://ap0x.jezgra.net/unpackers.html
Second download entry on that page : RL!Unpack
--
http://blog.zoller.lu
Thierry Zoller
From the low-hanging-fruit-department
Panda generic evasion (CAB)
Why are there two panda advisories instead of one
From the low-hanging-fruit-department
Panda generic evasion (TAR)
Why are there two panda advisories instead of one ?
From the low-hanging-fruit-department
Avira Antivir generic PDF evasion of heuristics
CHEAP Plug :
From the low-hanging-fruit-department
Bitdefender generic evasion of heuristics (for PDF)
CHEAP Plug :
Hi,
PDF as image:
http://view.samurajdata.se/psview.php?id=023287d6page=1
--
http://blog.zoller.lu
Thierry Zoller
FYI: IIS7 + Webdav seems not to be affected
I can't stress enough that this is not a simple auth bypass only -
you can _upload_ arbitrary data to the server.
http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html
--
http://blog.zoller.lu
Thierry Zoller
Hi,
If you are running Microsoft Forefront (especially server side)
and are willing to help out, please get in touch with me.
--
http://blog.zoller.lu
Thierry Zoller
that reacted and complained. Without publication there is no
change, without those reacting to advisories there is neither.
Proves #2 and #5 at
http://blog.zoller.lu/2009/04/dear-thierry-why-are-you-such-arrogant.html
to be valid.
Regards,
Thierry Zoller
From the low-hanging-fruit-department - AVG generic ZIP bypass / evasion
CHEAP Plug :
You are invited to participate in HACK.LU 2009, a small but
From the low-hanging-fruit-department
F-prot generic CAB bypass / evasion
CHEAP Plug :
You are invited to
Update:
Aladdin responded and posted a blog post, please read the timeline and
then the blog post.
http://www.aladdin.com/AircBlog/post/2009/05/Archive-Bypass-Issue-and-eSafe.aspx
It is said that :
-
This means that in case a customer receives such a specially crafted
archive
__
From the low-hanging-fruit-department - Nod32 CAB bypass/evasion
__
Release mode: Coordinated but limited disclosure.
Ref : TZO-162009 - Nod32
__
Trendmicro RAR,CAB,ZIP bypass/evasions
__
Release mode: Coordinated but limited disclosure.
Ref : TZO-172009 - Trendmicro RAR,CAB,ZIP
[Snip]
I. Background
~
ESET develops software solutions that deliver instant, comprehensive protection
against evolving computer security threats. ESET NOD32® Antivirus, the flagship
product, consistently achieves the highest accolades in all types of
comparative testing and is
From the low-hanging-fruit-department - Mcafee multiple generic evasions
Release mode: Coordinated but limited disclosure.
Ref : TZO-182009 -
Errata:
BID/CVE : The issue was in ZIP and not CAB archive handling.
Thank you for your understanding.
Regards,
Thierry
__
From the low-hanging-fruit-department - Avira antivir bypass/evasion
__
Release mode: Coordinated but limited disclosure.
Ref : TZO-132009 - Avira
__
From the low-hanging-fruit-department - Comodo antivir bypass/evasion
__
Release mode: Coordinated but limited disclosure.
Ref : TZO-142009 -
__
From the low-hanging-fruit-department - Aladdin eSafe bypass/evasion
__
Release mode: Forced release, vendor has not replied.
Ref : TZO-152009 -
__
SUN/ORACLE JAVA VM Remote code execution
__
Release mode: Coordinated.
Ref : TZO-122009- SUN Java remote code execution
WWW :
URL:
http://blog.zoller.lu/2009/04/release-mode-forced-release-vendor-has.html
Update : After the reaction from avast, it is now clear that all versions
and products are affected, however there is no plan to patch, the
patch will come or will not come - sometime in the future.
You are
__
From the low-hanging-fruit-department - AVAST bypass/evasion
__
Release mode: Forced release, vendor has not replied.
Ref : TZO-092009 - AVAST
__
From the low-hanging-fruit-department - Bitdefender bypass/evasion
__
Release mode: Coordinated but limited disclosure.
Ref : TZO-082009 -
__
From the low-hanging-fruit-department - Nod32 bypass/evasion
__
Release mode: Coordinated but limited disclosure.
Ref : TZO-092009 - Nod32
__
From the low-hanging-fruit-department - Fortinet bypass/evasion
__
Release mode: Forced release, vendor has not replied.
Ref : TZO-112009 -
and hundreds of others.
--
http://blog.zoller.lu
Thierry Zoller
bugs fraction, helps those that ignore WHY a particular bug has
security implications and helps the overall perception of OSS software
in terms of security.
--
http://blog.zoller.lu
Thierry Zoller
considers security
bugs as nothing else than normal bugs. The door closes slowly
for Linux in enterprises.
--
http://blog.zoller.lu
Thierry Zoller
200 servers nor has *any* real enterprise experience in terms of
security.
http://kerneltrap.org/mailarchive/linux-kernel/2008/7/15/2497674
--
http://secdev.zoller.lu
Thierry Zoller
JGB hmm, I'm jealous: where can we get this time-travel machine?
It's open source, grab it at your local OSS repository. apt-get install
timetravel
JGB 2009/4/2 Thierry Zoller thie...@zoller.lu:
13/03/2009 : Clamav responds that the bug is reproducible and will be
fixed in 0.95
__
From the low-hanging-fruit-department - Generic ClamAV evasion
__
Release mode: Coordinated but limited disclosure.
Ref : TZO-062009- ClamAV