But what if www.evil.com has run an injection attack of some kind (SQL,
XSS in blog comments, etc, etc) against www.stupid.com?
Visitors to stupid.com then suffer a DoS...
In such a case, the attacker may just as well clobber body.innerHTML,
run a while (1) loop, or otherwise logically deny
I said nothing about how big or bad of a vulnerability it is, just that
it is one.
Which, in a wonderfully circular manner, brings us to the very
beginning of this branch of the thread, where opposing views on the
subject were discussed before Thierry brought this specific example in
;-)
Are
Could anyone put in any thoughts on this...
That's a weird question for full-disclosure@ - but yeah, your
observations are correct - see the intro text and first bullet here:
http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies
In general, cookie support is a mess to
On Thu, 3 Jan 2008, avivra wrote:
http://aviv.raffon.net/2008/01/02/YetAnotherDialogSpoofingFirefoxBasicAuthentication.aspx
Although it's amusing Firefox filters '' in this prompt to begin with,
rather than designing it more wisely not to render attacker-controlled
text inline (use a table
Somewhat on the silly side of life, but some subscribers might find it
amusing... and a subset of that subset may even find it relevant to their
jobs (hopefully in risk management, but possibly in safe cracking):
http://lcamtuf.coredump.cx/tsafe/
Cheers,
/mz
(pluggity plug)
(Why, yes, I came up with the name, and had to find some bugs to be able
to post this.)
Summary
---
There are three fairly interesting flaws in how HTTP cookies were
designed and later implemented in various browsers; these shortcomings
make it possible (and alarmingly easy) for
On Sun, 29 Jan 2006, Amit Klein (AKsecurity) wrote:
I tried setting a cookie for .com.pl, and I failed (that is, the browser
did not respect it). If you set a cookie for .kom.pl, it will be OK (if
you're in .kom.pl domain, that is).
Amit,
Mozilla/Firefox/Netscape are vulnerable to this flaw
Bugzilla entry: https://bugzilla.mozilla.org/show_bug.cgi?id=465615
Isn't that a duplicate of Guninski's bug from 2007?
https://bugzilla.mozilla.org/show_bug.cgi?id=393832
/mz
___
Full-Disclosure - We believe in it.
Charter:
Hi all,
I am way behind on this, so I wanted to drop a quick note regarding
some of my vulnerabilities recently addressed by browser vendors - and
provide some possibly interesting PoCs / fuzzers to go with them:
Summary : MSIE same-origin bypass race condition (CVE-2007-3091)
Impact :
+ The bug was present in a 9-year-old version of Netscape - draw your own
conclusions.
There are literally thousands of HTML- and JavaScript-related denial
of service vectors in modern browsers. If you want a silly, ad hoc
example I just made up on the spot (and so could any reader of the
Yes, we all know that. The flaw here was not looping on itself a
thousand times, wow. It was a DOM implementation flaw.
The code created an oversized list, which does not seem to be that far
from creating an overly nested DOM tree, or drawing an oversized
CANVAS shape, or any
http://www.w3.org/TR/REC-DOM-Level-1/level-one-html.html
--
readonly attribute long length;
--
That was DOM Level 1 (1999). Even level 2 (2000) has this as read-write:
The W3C DOM specifies the select.length attribute to be *read only*.
Does not seem to be the case in HTML5 at least?
http://dev.w3.org/html5/spec/Overview.html#the-select-element
In fact, it has the behavior for writes defined:
On setting, it must act like the attribute of the same name on
Back in 2006, there was interesting research done by James Holderness[1] and
James M. Snell[2] which uncovered a variety of XSS issues in various online
feed aggregator services (e.g. Feed Demon). The vulnerability arises from
the fact that it is not expected of RSS readers to render scripted
Along with other security features
(http://blogs.msdn.com/architecture/archive/2009/08/13/internet-explorer-8-rated-tops-against-malware-and-phishing-attacks.aspx)
this basically means that IE8 is the most secure web browser nowadays?
If memory serves me right, it's been a while since we've
http://www.theregister.co.uk/2009/12/05/windows_bitlocker_attacks/
Research grant ideas for 2010:
1) Replacing not only the computer, but victim's entire apartment,
with cardboard cutouts to intercept passwords,
2) Substituting victim's spouse with a conspicuously German lookalike,
3)
Dear MustLive,
Earlier I wrote already about XSS vulnerabilities at 404 pages
(http://lists.grok.org.uk/pipermail/full-disclosure/2009-November/071664.html).
And already in 2008 I planned to tell about one interesting and widespread
vector of XSS attacks - it's the attacks via errors at
Testing takes time. That's why both Microsoft and Mozilla test.
Testing almost never legitimately takes months or years, unless the
process is severely broken; contrary to the popular claims,
personally, I have serious doubts that QA is a major bottleneck when
it comes to security response -
http://www.securityfocus.com/news/11582
While the news portal section of SecurityFocus will no longer be
offered, we think our readers will be better served by this change as
we combine our efforts with Symantec Connect and continue to provide a
valuable service to the community.
[ I promise to post something more interesting shortly - but in the
meantime, I wanted to drop a quick note about something kinda amusing.
]
There was a considerable amount of buzz around clickjacking [1] in the
past year or so. It is commonly believed that this simple attack can
only be
People can post code and messages on blogs and post the link to
Twitter, that's how the threat landscape of the future will look, we
don't really need mailing lists now for straight forward vulnerability
disclosure.
Totally!
Now, it's sort of hard to follow every existing and upcoming
are there any reliable caches for this url?
Attrition has an annotated, but otherwise verbatim copy:
http://attrition.org/errata/sec-co/eeye-01.html
/mz
Belated, but here are some recent bugs that you guys might find interesting:
1) DOM reference fuzzer, originally developed in 2008, crashed every
browser on the market back then:
http://lcamtuf.blogspot.com/2010/06/announcing-reffuzz-2yo-fuzzer.html
Several of the bugs triggered by the fuzzer
On unsecured networks, attackers could stealthily
create malicious Application Caches in the browser of victims for even HTTPS
sites. It has always been possible to poison the browser cache and
compromise the victim's account for HTTP based sites.
With HTML5 Application Cache, it is possible
...so FYI:
http://googleonlinesecurity.blogspot.com/2010/07/rebooting-responsible-disclosure-focus.html
/me grabs popcorn.
/mz
It seems that corporate America's purchasing of politicians (err, PAC
contributions) has been well worth the investment. Legislation is such
that victims and shareholders both suffer after a breach.
* Heartland Databreach Lawsuit Dismissed
A COI knows no national boundaries.
Oh sure - but Jeffrey seems to be particularly critical of US
policies; I suspect this is unfair ;-)
/mz
Hi,
This may be of some interest to people on the list:
http://lcamtuf.blogspot.com/2010/08/on-designing-uis-for-non-robots.html
In general, there is a class of UI design problems that trace back to
the failure to account for the inherent limitations of human
cognition; the specific example
Err, the subject should read hijacking, not spoofing. Sorry, not
very awake today.
/mz
Please, try to figure out the difference b/w exploitability and vulnerability.
Here's my definition
Exploitable vulnerability = vulnerability
Non-exploitable vulnerability = mental masturbation
HTH,
/mz
Security-Assessment.com follows responsible disclosure
and promptly contacted Oracle after discovering
the issue. Oracle was contacted on August 1,
2010.
My understanding is that Stefano Di Paola of Minded Security reported
this back in April; and further, the feature was a part of reasonably
Eh, you can see where it came from though. Design bugs like this are
absolutely miserable to fix (see how we'll never get rebinding out of the
browser) and letting identical IPs script against each other lets an awful
lot of legitimate traffic through while blocking almost all attacks.
For once and for all: There is no such thing as a zero-day
vulnerability (quoted), only a 0-day exploit...
Cool story, bro.
Any thoughts on the use of the term hacker?
/mz
This reminded me of a bunch of problems I spotted in Juniper SSL VPN a
while ago; they are apparently fixed, but I don't recall seeing any
public vendor advisory / credit for reporting them - so here you go,
even if just for the record...
These were fixed by Juniper in IVE 6.3R1, 6.2R3, 6.1R5,
And the political spin: companies get away with shipping broken
software and residing in (1) and (2) above because there are no
software liability laws, even though software enjoys intellectual
property protection. Reason: In America, corporate America bribes the
legislature (err, makes 'PAC
grep -r ACIDBITCHES *
This code has two very obvious detection bypass vulnerabilities:
1) It fails to scan dotfiles in the starting directory,
2) It can be tricked into not producing any output by creating a file
named -q in the starting dir.
Let me fire up my vulnerability research
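The two bypasses called out above, reproduced against a constructed directory tree next to a corrected invocation. This is an added example, not code from the original post: the temporary tree, the file names and the innocuous file are constructed for illustration; only the marker string and the `grep -r ACIDBITCHES *` command come from the thread.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce both detection
# bypasses in `grep -r ACIDBITCHES *` on a constructed tree, then show the
# corrected invocation. Needs only POSIX sh, mktemp and GNU grep.

# Build a constructed sample tree with the marker string in the two places
# the naive command misses, plus one innocuous file. Prints the directory.
setup_tree() {
  dir=$(mktemp -d) || return 1
  # 1) A dotfile in the starting directory: the shell glob '*' never expands to it.
  printf 'ACIDBITCHES\n' > "$dir/.hidden"
  # 2) A file literally named "-q": after glob expansion grep parses it as its
  #    --quiet option and suppresses all output for the whole run.
  printf 'ACIDBITCHES\n' > "$dir/-q"
  printf 'nothing to see here\n' > "$dir/normal.txt"
  echo "$dir"
}

# The command as posted. Prints the number of matching lines grep emits.
# The glob becomes "-q normal.txt", so grep goes quiet and skips .hidden.
naive_scan() {
  (cd "$1" && grep -r ACIDBITCHES * 2>/dev/null) | wc -l | tr -d ' '
}

# Hardened form: '--' ends option parsing so "-q" is just a filename, and
# scanning '.' instead of '*' covers dotfiles in the starting directory.
hardened_scan() {
  (cd "$1" && grep -r -- ACIDBITCHES . 2>/dev/null) | wc -l | tr -d ' '
}

# Demo on the constructed tree: prints "naive: 0" and "hardened: 2".
demo_dir=$(setup_tree)
printf 'naive: %s\nhardened: %s\n' "$(naive_scan "$demo_dir")" "$(hardened_scan "$demo_dir")"
rm -rf "$demo_dir"
```

The same two habits (terminate options with `--`, pass an explicit directory rather than a glob) apply to any scanner built on find, grep or xargs that an attacker can feed file names to.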
Hi folks,
Firefox 3.6.13 fixes an interesting bug in their same-origin policy
logic for pseudo-URLs that do not have any inherent origin associated
with them. These documents are normally expected to inherit the
context from their parent, or be assigned a unique one. This didn't
work as expected
Hi folks,
Two minor things that do not deserve a lengthy discussion, but are
probably mildly interesting and worth mentioning for the record:
1) Chrome browser is an interesting example of the perils of using
minimalistic window chrome, allowing multiple windows to be spliced
seamlessly to
1) Yup, pretty unconvincing. Though one could separate window shadows,
I'm guessing you have your window manager configured to render window
shadows. In this case, this is less plausible, yup, unless you do the
inverted gradient trick.
2) Where is here? :)
I tried to dig something up, but
So for 10 years IPSEC has had a backdoor in it and not one person examining
the code has noticed it? Or even questioned it? That's a bit hard to
believe.
Yeah, this totally never happens in the FOSS world.
http://www.theregister.co.uk/2009/08/14/critical_linux_bug/
/mz
sci.crypt would probably be the best place to ask. I imagine there's a
discussion already, but have not visited lately.
Have you been to the Usenet recently? ;-)
/mz
These manufacturers use the same key on each of their models? That seems
ridiculous to me...
As a person who had a Siemens AP / router with a hardcoded, hidden
management account on it, I find your surprise entertaining ;-)
Craig, cool project.
/mz
Hi list,
== SUMMARY ==
I am happy to announce the availability of cross_fuzz - an amazingly
effective but notoriously annoying cross-document DOM binding fuzzer that
helped identify about one hundred bugs in all browsers on the market - many
of said bugs exploitable - and is still finding more.
I wouldn't like to discourage ppl submitting vulns to vendors but this is the
response you'll most likely get from those kinds of vendors no matter what
you found in their system. I had more than a dozen similar experiences like
yours. Now it's public + fixed and you gotta get nothing beside
1. www.google.com app doesn't filter the CRLF
This is not strictly required; there are other scenarios where this
vulnerability is exploitable.
2. IE supports the mhtml protocol handler to render the mhtml file format,
and this is why mhtml: is designed
The real problem is that when mhtml: is
FYI, here's a provisional advisory from Microsoft acknowledging this issue:
http://www.microsoft.com/technet/security/advisory/2501696.mspx
/mz
I mean, if these are the security industry's geniuses, why, what would the
writers of Stuxnet be?
...seriously?
Disclosing how their epic story simply involved SQLi, well, what about the
guys discovering 0days in native code?
Totally. I have long postulated that perl -e '{print Ax1000}' is
Also, I would say that even though randomly prodding exec arguments
with As isn't so elite, the space of the non-web is much more deep
and much more complex than the space of the web..
I think that sentiment made sense 8-10 years ago, but today, it's
increasingly difficult to defend. I mean,
If it did for Google, you're either mistaken, [...]
Huh, what? Where did that come from?
I would generally appreciate if we refrain from dragging employers,
business contacts, etc, into what amounts to an exchange of personal
opinions.
However, calling it an all out myth is misleading, and
You and Ormandy have a lot to learn, still.
Oh, hai.
/mz
You can't be high profile Google employees one minute and switch off as
personal entities the next, its pretty basic.
Thank you for pointing this out to me. Your concern has been noted.
/mz
all apologies, that was not my intent in the least-- referencing the public
portion of the aurora stuff, which is part of the myth I thought you were
referencing.
Sure. The moment the discussion strays toward these topics, I am
obviously not at liberty to discuss them freely.
In general, I
this is only true for remote attackers hitting network service auth.
Mhmm, and runas, su et al couldn't benefit from this?
Not a whole lot. You can likely tell a successful login from a failed
one within several milliseconds by watching /proc or so.
/mz
I believe that the III World War conflict might start in 10 months or
more from now.
It's hard to disagree.
/mz
This one is from command line, maybe the next will be in
the server mode or whatever.
Man, I hope you never find out what Perl is written in...
/mz
I would like to suggest that advertising for products and tools (free or
otherwise) be limited to just an initial announcement to tell people about
the tool.
Meh. Most authors keep the volume of their announcements low, and only
highlight genuinely interesting updates. I think it's beneficial
It's whatever, un-moderated means exactly that. No-one can tell anyone else
what to release/write. Period.
Of course you can. That's what the charter is for. Unmoderated means
simply that the charter is usually not proactively enforced (but even
that is hardly an absolute guarantee).
/mz
Cool. I got an iPhone 3GS. Consider me ex-user. GG Apple. Let me guess,
co-operation deal with NSA and the U.S. government paid them some billion
dollars for that.
Totally. A vast conspiracy is the only possible explanation.
/mz
Paradoxes are a way of life... Hence, the goal here is to question all
knowledge with reasoning and trying not to build a static opinion on
anything.
But have you tried contacting the vendor first?
/mz
[ But for what it's worth, I am willing to bet that the script was
added without analyzing these subtle considerations, and that makes it
somewhat scary on its own accord. ]
/mz
Ubuntu's reseed(8) can be used to seed the PRNG state of a host. The
script is run when the package is installed, and anytime su executes the
script.
reseed(8) performs an unsecured HTTP request to random.org for its
bits, despite random.org offering HTTPS services.
This resulted in a couple of
Just ignore Mustlive. The rest of the list does.
Well, sadly, it leads to things like this:
http://www.securityfocus.com/bid/40487
/mz
http://www.gossamer-threads.com/lists/apache/dev/401638
FWIW, I pointed out the DoS-iness of their Range handling a while ago:
http://seclists.org/bugtraq/2007/Jan/83
/mz
Good catch, but you didn't provide for a working exploit at the time.
Now I only see your name on the press. Why?
I don't know why this is in the news at all, let alone with any
specific attribution. Perhaps you wanted to ask the journalists? ;-)
/mz
just for the record I have the impression that this is not the same vulnerability
you outlined in your advisory a while back. It is more that the idea
for this vulnerability originated from your advisory, not the same bug.
I don't think this even matters, and I really don't disagree...
In 2007,
I believe that this is the best place to post the following hash values:
MD5Sum:a762a3b9cbfb3d63034646087680b254
SHA1sum:6f25d72bd693b52de25c36d04f9e17f945420580
SHA256sum:d5886dd14f3eac029d771da6bcc6d49bc2e50c79159e5390c9c0776c725243a5
No, for these specific hash values, I believe the
In any case, the *right* answer isn't to play whack-a-mole fixing /tmp races,
what you should be doing is using pam_namespace or similar so each user gets
their own /tmp namespace.
That would result in counterintuitive behavior, I suppose... /tmp is a
fairly stupid and largely unnecessary
Actually, no; per user /tmp could only be accomplished, without a major
redesign and without breaking almost every application
[citation needed] ;-)
Only a fraction of apps uses /tmp... vendors can fix their own
distros: grepping for /tmp isn't complicated, and almost every
package usually
You can make it bypass ASLR?
No, you are absolutely correct, this vulnerability can't be used to
bypass ASLR. Score one for address space randomization.
/mz
I think someone fed bugtraq archives into scigen.
I thought we're doing Twilight fanfic instead?
/mz
next time, I won't say shit, and, believe it.
Well it's just that the attack you are describing will be thwarted by
setting a sticky bit on /tmp, and you have not demonstrated otherwise.
/mz
If you want to respect the license of this code you cannot include the
exploit in your software.
And don't get me started about my patent on NOP sleds!
/mz
Evening,
This party trick is not particularly exciting, but hopefully
highlights a vaguely interesting point:
http://lcamtuf.coredump.cx/cachetime/
In essence, in the past few years, browser vendors have severely
crippled CSS :visited selectors in order to prevent CSS-based history
snooping
http://lcamtuf.coredump.cx/cachetime/
OK, just for the record: I improved the original PoC quite a bit, and
added experimental variants for other browsers. I will shut up now.
/mz
_Open_ URL redirectors are trivially prevented by any vaguely sentient
web developer as URL redirectors have NO legitimate use from outside
one's own site so should ALWAYS be implemented with Referer checking
There are decent solutions to lock down some classes of open
redirectors (and replace
As for minimal risk I personally don't agree. I have leveraged Unvalidated
URL Redirections in the past to attack clients of sites all the time. It's
highly trivial to point to a site with a metasploit browser bug patiently
waiting and amass quite a large number of sessions in a short period
For example: did you know that if you click on a link from coredump.cx
to microsoft.com and it opens in a new window, then a second or two
later, that coredump.cx in the background can change the URL of the
microsoft.com window, and point it to evil.com? Heck, coredump.cx can
even wait until
I run with no script. So the links showed on the initial pages and when
clicked.
Yes, well, congrats ;-)
/mz
Granted, but I know that vulnerability research can take a huge chunk
of time out of a person's life, and without getting in to monetary
philosophy,
I feel that in our current system, a person should be compensated for their
time if they've done something useful for society.
Is this an
They may be in the minority, but there *are* users out there who know how to
look at the address bar. The security researcher knows this because he is
one of them. I call this group the competent and contentious users.
Sure. And that group is sort of safe when faced with open redirectors,
At the risk of annoying everyone...
I think we greatly underappreciate the extent to which JavaScript
allows you to exploit the limits of human perception. On modern
high-performance systems, windows can be opened, positioned, and
closed; and documents loaded and then navigated away from; so
Interesting stuff indeed. However, I don't see you talk about a solution.
Why is that?
Because it's bugtraq / full-disclosure, where people generally talk
about vulnerabilities...
I'm not sure I follow your drift about Firefox, I don't believe it's
mentioned anywhere.
Anyhow, correct me if
With the growing enthusiasm about CSP and other script containment
frameworks, I tried to put down some rough notes about the fundamental
exploitation vectors that would be available in absence of the ability
to execute scripts - and tried to see how these attacks correspond to
what XSS attacks
https://media.blackhat.com/bh-us-10/presentations/Waisman/BlackHat-USA-2010-Waisman-APT-slides.pdf
From while (1); to APT in 10 posts. Good job :-)
/mz
Do you think that the Firefox warning: unresponsive script is meant
as a security feature or a usability feature?
More seriously, though, it's a bit of an oddly-phrased question. Only
the author of the code knows the true intent; you can look up the
mention of this text in the code, and see
Hi folks,
I wanted to share the news of p0f v3, a complete rewrite and redesign
of my passive fingerprinting tool.
== Synopsis ==
P0f is a tool that utilizes an array of sophisticated, purely passive
traffic fingerprinting mechanisms to identify the players behind any
incidental TCP/IP
So just for the record, version 3.00 is now officially out:
http://lcamtuf.coredump.cx/p03/. Many thanks to countless people who
submitted signatures and bug fixes, including:
Phil Ames
Jason DePriest
Dalibor Dukic
Mark Martinec
Damien Miller
Nibbler
Bernhard Rabe
Chris John Riley
Does 'Access-Control-Allow-Origin' header provide any benefits in
defending against cross site scripting attacks?
No. It's a mechanism to control cross-origin XMLHttpRequests (and some
other peripheral things), and adding it does not reduce the likelihood
or exploitability of XSS bugs.
If you
Without meaning to advertise, that is one of the reasons upSploit was
created - so that you could submit a vulnerability and then upSploit
automatically sends to the vendor. This way you and your friend don't have
to do any of the work on the disclosure.
I clicked around and don't see any
The only other people that see the vulnerability are the select few in
upSploit.
OK. You should probably document that, and make it clear that this
policy will not change without the reporter's explicit consent.
It's an interesting project - but you guys are working for security
software
I find it very unfortunate that 300 supposed security professionals clicked
on a hidden link like that without first checking what it was, or if not
simply ignoring it like I did!!!
So how do you meaningfully check what it is without actually
requesting the document?
And what's the difference
Hey,
Hopefully this won't offend the moderators:
http://googleonlinesecurity.blogspot.com/2012/04/spurring-more-vulnerability-research.html
I suspect I know how the debate will be shaped - and I think I can
offer a personal insight. I helped shape our vulnerability reward
program from the start
IMHO, anyone who willingly, knowingly places customer data at risk by
inviting attacks on their production systems is playing a very dangerous
game. There is no guarantee that a vuln discovered by a truly honest
researcher couldn't become a weapon for the dishonest researcher through
A you-only-get-it-when-successful 20,000$ budget from Google is
insulting, considering the perhaps massive time investment from
the researcher. [...] and yet they only pay a nice researcher 20
grand? You can't even live on that. Researchers aren't just kids
with no responsibilities, they have
Our interest is exploits which run over Windows 7, Snow Leopard with
applications such as MS Office, Adobe, browsers, Media Player, Notepad etc
Well, good thing I have a stash of Notepad 0-days.
Most of them involve you saving a snippet of text as evil.bat and
clicking on it, though.
/mz
Another moderately interesting tidbit, I guess...
It is an important and little-known property of web browsers that one
document can always navigate other, non-same-origin windows to
arbitrary URLs. Perhaps more interestingly, you can also navigate
third-party documents to resources served with
Wikipedia says 5 months: http://en.wikipedia.org/wiki/Responsible_disclosure
Well, the encyclopedia has spoken. So it's settled then.
/mz
Using su to execute commands as an untrusted user from an interactive
shell may allow the untrusted user to escalate privileges to the user
running the shell.
If you have the ability to execute code on that terminal before the
user executes su, it is also possible to simply never allow the
I think you've taken that far too literally. My understanding of it is to
protect against a) brute force retardation b) dumb attackers.
The advice weakens the security of your system, because it means I
just need to compromise your unprivileged account (in which you run
your browser, mail
The only thing I am saying is that when you have a choice between
direct root logins and using sudo / su, telling people to use the
latter option for security reasons actually makes them worse off.
Poor corporate security practices, schizophrenic account lockout
policies, or dealing with hundreds