Bad internet connection and no clue when hitting reply. Good job. I know I am
impressed with all the certifications.. are you impressed Biljana? You should
be.. I mean come on... the CISSP is SOOO HARD to get....

ROFL...

On 1/5/06, Horatiu Bandoiu <[EMAIL PROTECTED]> wrote:
> Dear Biljana,
>
> Just a brief answer as I have a bad Internet connection till Monday.
> You can count on 2 CISSP we have for the moment (this year I will have 3
> or 4 CISSP in my team): Stefan Catrinescu and Ionut Boldizsar. Stefan
> still has to finalize the documentation for getting the certification
> (endorsement, stuff like this) but he has passed the exam and Ionut is
> OK with all. If needed, I can involve several more certified people (as
> we are organizing the exams, I have full access to the list). I hope it
> helps.
>
> Kind regards,
>
> Horatiu
>
> --|------|||||-------|||--|----|||||--||-------|||||--||---
> We PROtect your business VISION!
> -------------------------------------
> Horatiu BANDOIU
> Business Unit Manager
> Provision - information Security Expert Center (iSEC)
> Tel: 0040 21 321 37 49
> Fax: 0040 21 323 65 70
> e-mail: [EMAIL PROTECTED]
> http://www.provision.ro
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Tuesday, January 03, 2006 2:00 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: Full-Disclosure Digest, Vol 11, Issue 5
>
> Send Full-Disclosure mailing list submissions to
>         full-disclosure@lists.grok.org.uk
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.grok.org.uk/mailman/listinfo/full-disclosure
> or, via email, send a message with subject or body 'help' to
>         [EMAIL PROTECTED]
>
> You can reach the person managing the list at
>         [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Full-Disclosure digest..."
>
> Note to digest recipients - when replying to digest posts, please trim
> your post appropriately. Thank you.
>
> Today's Topics:
>
>    1. Re: Buffer Overflow vulnerability in Windows Display Manager [Suspected] ([EMAIL PROTECTED])
>    2. Re: Win32 Heap Exploits (Nicolas RUFF)
>    3. Re: Buffer Overflow vulnerability in Windows Display Manager [Suspected] (InfoSecBOFH)
>    4. Re: Buffer Overflow vulnerability in Windows Display Manager [Suspected] (InfoSecBOFH)
>    5. Re: WMF round-up, updates and de-mystification (InfoSecBOFH)
>    6. Re: WMF round-up, updates and de-mystification (InfoSecBOFH)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 03 Jan 2006 11:12:08 +0100
> From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Subject: Re: [Full-disclosure] Buffer Overflow vulnerability in Windows Display Manager [Suspected]
> To: Sumit Siddharth <[EMAIL PROTECTED]>, full-disclosure@lists.grok.org.uk
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I haven't got such a driver here; it should be a third-party driver security
> bug, probably within "Controller Hub for Intel Graphics Driver":
>
> http://www.dynamiclink.nl/htmfiles/rframes/sys-i01.htm
>
> Sumit Siddharth wrote:
> > I think the problem is with the intel driver and particularly with file
> > ialmnt5.sys
> > Hope it helps
> > Sumit
> >
> > On 1/3/06, Sumit Siddharth <[EMAIL PROTECTED]> wrote:
> >
> >     Dear All,
> >     Sorry for the delayed response.
> >     I had success in exploiting it remotely by a simple javascript
> >     <script>window.open("http://aa...");</script>. But I think it
> >     doesn't work with some drivers. I am using XP Professional SP2
> >     and Firefox 1.0.6. I am using a string of about 53,000 chars to
> >     overflow the buffer.
> >     Thanks
> >     Sumit
> >
> > --
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (MingW32)
>
> iQIVAwUBQ7pN+K+LRXunxpxfAQKBqA//YxoeFIr1rkaCixpPr34+KpDiUAKN7xss
> M6ZH3ZmpqZ03yLajS8XBWIyv5uTXDuLhUQrrObvak4n6mQ+7g6YffEYQBNyIcsEm
> Gxyd8uDmkwX9MeAslByvrqobj/6i4oC4sj5Lq9Ui/JCqsw5KNaBP8ZAym48HiMFM
> bI3kqvSGVm++bavWrK8+FunnVHCSDezFL64Jxh6MAVU2MNR+Z2qufC+aQtIpGw7s
> nyWisynx6csTp9US5qmeuVdrcwk9DeACzX+z5eAEaevLRcl7ElcpcMht21U5scMd
> FTLTtN9Ao4hewQrOe05BAo3AwNmzpt3Kgay3DLtN/n7a9LqPifw9FKp5EtdYLKyM
> R16AwG5PaYQXrnsY0Udwz4yAYucEYjEOSyslVf4VILyzFWdKfAgXApbbr4W2nKXx
> VQ0BBWbOYnAuAPJYk85WpAZfbFX98tglGTGT/0XRO3Buyk5T50AC4VqxlF17w7+8
> T6bO74xpZNi5t5fzFTqt5kZZZ6IXfSonu/SVA/tfiOJwIExo7zEUwu4vsYoMtxaR
> HqFlMQyuJhp0aTjaggrFaYQ8XR7tnZherteAYdaw0k3mUPCWfXR3xz26daOpUDKu
> ewsDbuq+cglVD5qym246WVYSyiPLKKBXvWPLbuoG5ngqmyQiKydIQ9UMMdJvHh5c
> 7DtDjiHOH8s=
> =VEy3
> -----END PGP SIGNATURE-----
>
> ------------------------------
>
> Message: 2
> Date: Tue, 03 Jan 2006 11:42:21 +0100
> From: Nicolas RUFF <[EMAIL PROTECTED]>
> Subject: Re: [Full-disclosure] Win32 Heap Exploits
> To: Stefan Lochbihler <[EMAIL PROTECTED]>
> Cc: full-disclosure@lists.grok.org.uk
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> > But if I execute the server without OllyDbg nothing happens.
> > Does anybody have an idea what I am doing wrong? Tested on a WinXP SP1 system.
>
> As pointed out multiple times, the Windows heap is not the same whether the
> program is flagged as "being debugged" or not.
>
> You should always *attach* the debugger to the process and not run the
> process from within the debugger.
>
> Regards,
> - Nicolas RUFF
>
> ------------------------------
>
> Message: 3
> Date: Tue, 3 Jan 2006 03:32:29 -0800
> From: InfoSecBOFH <[EMAIL PROTECTED]>
> Subject: Re: [Full-disclosure] Buffer Overflow vulnerability in Windows Display Manager [Suspected]
> To: Sumit Siddharth <[EMAIL PROTECTED]>
> Cc: full-disclosure@lists.grok.org.uk
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I have only replicated this with the Intel driver. Have tried others
> and no dice.
>
> On 1/3/06, Sumit Siddharth <[EMAIL PROTECTED]> wrote:
> > I think the problem is with the intel driver and particularly with file
> > ialmnt5.sys
> > Hope it helps
> > Sumit
> >
> > On 1/3/06, Sumit Siddharth <[EMAIL PROTECTED]> wrote:
> > > Dear All,
> > > Sorry for the delayed response.
> > > I had success in exploiting it remotely by a simple javascript
> > > <script>window.open("http://aa...");</script>. But I think it doesn't work
> > > with some drivers. I am using XP Professional SP2 and Firefox 1.0.6. I am
> > > using a string of about 53,000 chars to overflow the buffer.
> > > Thanks
> > > Sumit
> > >
> > > --
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> ------------------------------
>
> Message: 4
> Date: Tue, 3 Jan 2006 03:33:21 -0800
> From: InfoSecBOFH <[EMAIL PROTECTED]>
> Subject: Re: [Full-disclosure] Buffer Overflow vulnerability in Windows Display Manager [Suspected]
> To: Full-Disclosure <full-disclosure@lists.grok.org.uk>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Oh.. and by the way... only works with the Intel driver (and only a
> couple of different versions) and is not exploitable... this is a DoS and
> nothing more.
>
> On 1/3/06, InfoSecBOFH <[EMAIL PROTECTED]> wrote:
> > I have only replicated this with the Intel driver. Have tried others
> > and no dice.
> >
> > On 1/3/06, Sumit Siddharth <[EMAIL PROTECTED]> wrote:
> > > I think the problem is with the intel driver and particularly with file
> > > ialmnt5.sys
> > > Hope it helps
> > > Sumit
> > >
> > > On 1/3/06, Sumit Siddharth <[EMAIL PROTECTED]> wrote:
> > > > Dear All,
> > > > Sorry for the delayed response.
> > > > I had success in exploiting it remotely by a simple javascript
> > > > <script>window.open("http://aa...");</script>. But I think it doesn't work
> > > > with some drivers. I am using XP Professional SP2 and Firefox 1.0.6. I am
> > > > using a string of about 53,000 chars to overflow the buffer.
> > > > Thanks
> > > > Sumit
> > > >
> > > > --
>
> ------------------------------
>
> Message: 5
> Date: Tue, 3 Jan 2006 03:34:46 -0800
> From: InfoSecBOFH <[EMAIL PROTECTED]>
> Subject: Re: [Full-disclosure] WMF round-up, updates and de-mystification
> To: Gadi Evron <[EMAIL PROTECTED]>
> Cc: "FunSec \[List\]" <[EMAIL PROTECTED]>,
>     "full-disclosure@lists.grok.org.uk" <full-disclosure@lists.grok.org.uk>,
>     bugtraq@securityfocus.com
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> So this patch is trusted because you said so?
>
> I have tested and confirmed that this patch only works in specific
> scenarios and does not mitigate the entire issue. Variations still
> work.
>
> On 1/3/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
> > Quite a bit of confusion and a vast amount of information coming from
> > all directions about the WMF 0day. Here are some URLs and generic facts
> > to set us straight.
> >
> > The "patch" by Ilfak Guilfanov works, but by disabling a DLL in Windows.
> > So far no problems have been observed by anyone using this patch. You
> > should naturally check it out for yourselves but I and many others
> > recommend it until Microsoft bothers to show up with their own patch.
> >
> > Ilfak is trusted and is in no way a Bad Guy.
> >
> > You can find more information about it at his blog:
> > http://www.hexblog.com/2005/12/wmf_vuln.html
> >
> > If you are still not sure about the patch by Ilfak, check out the
> > discussion of it going on in the funsec list about the patch, with Ilfak
> > participating:
> > https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> > Occasional information on new WMF problems keeps coming in over there.
> >
> > In this URL you can find the best summary I have seen of the WMF issue:
> > http://isc.sans.org/diary.php?storyid=994
> > by the "SANS ISC diary" team.
> >
> > In this URL you can find the best write-up I have seen on the WMF issue:
> > http://blogs.securiteam.com/index.php/archives/167
> > By Matthew Murphy at the "Securiteam Blogs".
> >
> > Also, it should be noted at this time that since the first public
> > discovery of this "problem", a new one has been coming in - every day.
> > All the ones seen so far are variants of the original and in all ways
> > the SAME problem. So, it would be best to acknowledge them as the
> > same... or we will keep having a NEW 0day which really isn't for about 2
> > months when all these few dozen variations are exhausted.
> >
> > A small BUT IMPORTANT correction for future generations:
> > The 0day was originally found and reported by Hubbard Dan from Websense
> > on a closed vetted security mailing list, and later on at the Websense
> > public page. All those who took credit for it took it wrongly.
> >
> > Thanks, and a better new year to us all,
> >
> > Gadi.
>
> ------------------------------
>
> Message: 6
> Date: Tue, 3 Jan 2006 03:37:09 -0800
> From: InfoSecBOFH <[EMAIL PROTECTED]>
> Subject: Re: [Full-disclosure] WMF round-up, updates and de-mystification
> To: Gadi Evron <[EMAIL PROTECTED]>
> Cc: "FunSec \[List\]" <[EMAIL PROTECTED]>,
>     "full-disclosure@lists.grok.org.uk" <full-disclosure@lists.grok.org.uk>,
>     bugtraq@securityfocus.com
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 1/3/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
> > A small BUT IMPORTANT correction for future generations:
> > The 0day was originally found and reported by Hubbard Dan from Websense
> > on a closed vetted security mailing list, and later on at the Websense
> > public page. All those who took credit for it took it wrongly.
>
> Yes, important if you are a marketing guy or if your mouth is planted
> firmly on the websense dick.
>
> I am sure most of us are part of other and even private mailing lists.
> So the credit for discovery should go to whomever first PUBLICLY
> disclosed the vuln. I have no idea who that was but thanks to a
> certain few I saw this vuln in early December.
>
> ------------------------------
>
> End of Full-Disclosure Digest, Vol 11, Issue 5
> **********************************************
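The one technical point buried in the quoted digest is Nicolas RUFF's reply in Message 2: a process *created* by a debugger gets a different heap from one the debugger is attached to later, so a heap exploit tuned inside OllyDbg may do nothing on a plain run. The program below is an added example, not code from the thread or from any of its authors. It reads the two PEB fields that decide this, BeingDebugged and NtGlobalFlag, and reports which heap the current process is really using. The PEB offsets and FLG_* values are the standard x86/x64 ones; the `_NO_DEBUG_HEAP` variable is the documented way to launch from a debugger without the debug heap; the three sample values used on non-Windows hosts are constructed, not read from a live PEB.

```c
/* Added example (not from the thread): which heap is this process on?
 * The Windows-only part reads the PEB; the classifier is portable so it
 * can be exercised on any host with constructed values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(_WIN32) && defined(_MSC_VER)
#include <intrin.h>
#endif

/* NtGlobalFlag bits the kernel sets in a process that a debugger creates
 * (unless _NO_DEBUG_HEAP=1 is in the environment). ntdll consults them
 * when it creates the process heap and switches to its checked heap:
 * 0xAB tail bytes after every block, 0xFEEEFEEE fill on free, parameter
 * validation, and different free-list handling. That is why an exploit
 * that works under OllyDbg can simply do nothing outside it. */
#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40u
#define FLG_DEBUG_HEAP_MASK (FLG_HEAP_ENABLE_TAIL_CHECK | \
                             FLG_HEAP_ENABLE_FREE_CHECK | \
                             FLG_HEAP_VALIDATE_PARAMETERS)

enum heap_mode {
    HEAP_NORMAL_NO_DEBUGGER, /* what the target sees in production        */
    HEAP_NORMAL_ATTACHED,    /* debugger attached later: heap unchanged   */
    HEAP_DEBUG_LAUNCHED      /* started under a debugger: checked heap    */
};

/* Pure classifier over the two PEB fields. Attaching sets BeingDebugged
 * but leaves NtGlobalFlag, and the already-created heaps, untouched. */
enum heap_mode classify_heap(uint32_t nt_global_flag, uint8_t being_debugged)
{
    if (nt_global_flag & FLG_DEBUG_HEAP_MASK)
        return HEAP_DEBUG_LAUNCHED;
    return being_debugged ? HEAP_NORMAL_ATTACHED : HEAP_NORMAL_NO_DEBUGGER;
}

const char *heap_mode_name(enum heap_mode m)
{
    switch (m) {
    case HEAP_NORMAL_NO_DEBUGGER: return "normal heap, no debugger";
    case HEAP_NORMAL_ATTACHED:    return "normal heap, debugger attached";
    case HEAP_DEBUG_LAUNCHED:     return "DEBUG heap: process was launched by a debugger";
    }
    return "unknown";
}

#ifdef _WIN32
/* PEB pointer lives at fs:[0x30] on x86 and gs:[0x60] on x64.
 * BeingDebugged is at PEB+0x02 on both; NtGlobalFlag is at PEB+0x68 (x86)
 * or PEB+0xBC (x64). */
static const unsigned char *current_peb(void)
{
#if defined(_MSC_VER)
#  if defined(_M_X64)
    return (const unsigned char *)__readgsqword(0x60);
#  else
    return (const unsigned char *)__readfsdword(0x30);
#  endif
#else
    const unsigned char *peb;
#  if defined(__x86_64__)
    __asm__ volatile ("movq %%gs:0x60, %0" : "=r"(peb));
#  else
    __asm__ volatile ("movl %%fs:0x30, %0" : "=r"(peb));
#  endif
    return peb;
#endif
}

static enum heap_mode classify_this_process(void)
{
    const unsigned char *peb = current_peb();
    uint8_t being_debugged = peb[0x02];
    uint32_t nt_global_flag;
#if defined(_M_X64) || defined(__x86_64__)
    memcpy(&nt_global_flag, peb + 0xBC, sizeof nt_global_flag);
#else
    memcpy(&nt_global_flag, peb + 0x68, sizeof nt_global_flag);
#endif
    return classify_heap(nt_global_flag, being_debugged);
}
#endif /* _WIN32 */

int main(void)
{
#ifdef _WIN32
    printf("%s\n", heap_mode_name(classify_this_process()));
#else
    /* Not on Windows: constructed PEB values for the three situations. */
    printf("launched under debugger: %s\n", heap_mode_name(classify_heap(0x70u, 1)));
    printf("attached later:          %s\n", heap_mode_name(classify_heap(0x00u, 1)));
    printf("no debugger:             %s\n", heap_mode_name(classify_heap(0x00u, 0)));
#endif
    return 0;
}
```

Run it three ways on a Windows box to see the difference Nicolas describes: from a plain command prompt, after attaching a debugger to the running process, and by launching it from inside the debugger. Only the third reports the debug heap. If launching from the debugger is unavoidable (breakpoints before main, for instance), set `_NO_DEBUG_HEAP=1` in the environment before starting it and the heap comes up in its normal mode.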