Re: [Full-disclosure] [ GLSA 200611-03 ] NVIDIA binary graphics driver: Privilege escalation vulnerability
On 11/7/06, Raphael Marichez [EMAIL PROTECTED] wrote:

> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Gentoo Linux Security Advisory GLSA 200611-03
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> http://security.gentoo.org/
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> Severity: High
> Title: NVIDIA binary graphics driver: Privilege escalation vulnerability
> Date: November 07, 2006
> Bugs: #151635
> ID: 200611-03
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> Synopsis
>
> The NVIDIA binary graphics driver is vulnerable to a local privilege escalation

[snip]

> An X client could trigger the buffer overflow with a maliciously crafted series of glyphs. A remote attacker could also entice a user to open a specially crafted web page, document or X client that will trigger the buffer overflow.

um ... doesn't that make it a *remote* privilege escalation ?

Cheers,
Nick Boyce
--
The reason why worry kills more people than work is that more people worry than work

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] PDF mailto exploit in the wild
On 10/23/07, Paul Szabo [EMAIL PROTECTED] wrote:

> In case you are interested... messages like the following were spammed to my users tonight.

Thanks for the heads-up. I figured I'd check out Adobe's workaround :
http://www.adobe.com/support/security/bulletins/apsb07-18.html
... and there, in the section on registry editing to disable Acrobat's mailto feature, we find the following :

    # Navigate to the appropriate registry key:
    [...]
    Reader: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\8.0\FeatureLockDown\cDefaultLaunchURLPerms
    [...]
    # To Disable mailto (recommended)
    Modify tSchemePerms by setting the mailto: value to 3:
    version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:3|file:2

And now I'm having heart palpitations ... can anyone explain the function of the telnet and ssh parts of that little registry entry ?

Cheers,
Nick Boyce
--
The system is repaired when ordinary greed takes over from extraordinary fear - and that's what we're working towards.
Prof Larry Summers, US Treasury Secretary 1999-2001, commenting on the Northern Rock banking crisis on BBC Newsnight, 14th.Sept.2007
My, what a high civilisation we've built.
Re: [Full-disclosure] PDF mailto exploit in the wild
On 10/23/07, Gregory Boyce [EMAIL PROTECTED] wrote:

> On Tue, 23 Oct 2007, Nick Boyce wrote:
>
>> # To Disable mailto (recommended)
>> Modify tSchemePerms by setting the mailto: value to 3:
>> version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:3|file:2
>>
>> And now I'm having heart palpitations ... can anyone explain the function of the telnet and ssh parts of that little registry entry ?
>
> So that you can have ssh:// or telnet:// links within a document.

I guess you're probably right ... call me old-fashioned, but WhyTF would anyone want their PDF document to be able to do that ? I can't over-emphasize what a Bad Idea that seems to be. Adobe must be insane. Let's get all our users accustomed to the sight of Acrobat Reader providing links in PDF documents which can be clicked to cause network connections to be made to remote destinations ... that'll help.

I suppose a personal firewall would show the initiating software to be the associated client, rather than Acrobat - not sure that's any comfort tho.

As somebody pointed out to me off-list, the setting for these URI features is 3, which appears to mean "disabled" ... but I'd still like to see the code ripped out and obliterated.

Cheers
Nick Boyce
--
The system is repaired when ordinary greed takes over from extraordinary fear - and that's what we're working towards.
Prof Larry Summers, US Treasury Secretary 1999-2001, commenting on the Northern Rock banking crisis on BBC Newsnight, 14th.Sept.2007
My, what a high civilisation we've built.
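The two posts above quote Adobe's tSchemePerms string and ask which URL schemes it still allows. The following is an added example (not code from the thread, Adobe, or any of the posters) that parses that pipe-delimited value, reports which of the schemes a defender cares about are not set to 3, and produces a corrected string. The value and the reading "3 = blocked" come from the thread itself; the meanings assumed for 1 (prompt) and 2 (allow) are taken from Adobe's preference reference and are not stated on this page. SAMPLE_UNPATCHED is a constructed input representing a machine where the mailto workaround was never applied.

```python
"""Audit and correct an Acrobat/Reader FeatureLockDown tSchemePerms value.

Added example; the parsing and checks here are the editor's, not Adobe's
tooling. "3 = blocked" is stated in the thread; 1 = prompt and 2 = allow are
assumptions taken from Adobe's preference reference.
"""
from typing import Dict, Iterable, List

# Recommended value quoted in the thread from Adobe's APSB07-18 workaround.
RECOMMENDED = (
    "version:1|shell:3|hcp:3|ms-help:3|ms-its:3|"
    "ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|"
    "telnet:3|ssh:3|acrobat:2|mailto:3|file:2"
)

# Constructed sample of a machine where the mailto workaround was never applied.
SAMPLE_UNPATCHED = RECOMMENDED.replace("mailto:3", "mailto:1")

PROMPT, ALLOW, BLOCK = 1, 2, 3   # 3 = blocked per the thread; 1 and 2 assumed
PERM_NAMES = {PROMPT: "prompt", ALLOW: "allow", BLOCK: "block"}

# Schemes the thread worries about: remote-connection launchers and mailto.
DEFAULT_MUST_BLOCK = ("mailto", "telnet", "ssh")


def parse_scheme_perms(value: str) -> Dict[str, int]:
    """Parse 'version:1|scheme:perm|...' into {scheme: perm}.

    Whitespace around entries is tolerated because the bulletin text wraps
    the value across lines. The leading version entry must be 1 and is
    removed from the result.
    """
    perms: Dict[str, int] = {}
    for entry in value.split("|"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, sep, perm = entry.rpartition(":")
        if not sep or not perm.isdigit():
            raise ValueError(f"malformed tSchemePerms entry: {entry!r}")
        perms[scheme.lower()] = int(perm)
    if perms.pop("version", None) != 1:
        raise ValueError("tSchemePerms must start with version:1")
    return perms


def unblocked_schemes(value: str,
                      must_block: Iterable[str] = DEFAULT_MUST_BLOCK) -> List[str]:
    """Return the schemes from must_block that are not set to 3 (block).

    A scheme missing from the value is reported too, since the policy then
    says nothing about it.
    """
    perms = parse_scheme_perms(value)
    return sorted(s for s in must_block if perms.get(s) != BLOCK)


def describe(value: str) -> Dict[str, str]:
    """Map each scheme to a readable permission name, e.g. {'ssh': 'block'}."""
    return {s: PERM_NAMES.get(p, f"unknown({p})")
            for s, p in parse_scheme_perms(value).items()}


def set_scheme(value: str, scheme: str, perm: int) -> str:
    """Return a new value with `scheme` set to `perm`, keeping the original order.

    Unknown schemes are appended, so a policy can block a scheme the default
    string does not list.
    """
    if perm not in PERM_NAMES:
        raise ValueError(f"permission must be one of {sorted(PERM_NAMES)}")
    out: List[str] = []
    found = False
    for entry in (e.strip() for e in value.split("|") if e.strip()):
        name, _, _ = entry.rpartition(":")
        if name.lower() == scheme.lower():
            out.append(f"{name}:{perm}")
            found = True
        else:
            out.append(entry)
    if not found:
        out.append(f"{scheme}:{perm}")
    return "|".join(out)


if __name__ == "__main__":
    for label, val in (("recommended", RECOMMENDED), ("unpatched", SAMPLE_UNPATCHED)):
        print(f"{label}: not blocked = {unblocked_schemes(val) or 'none'}")
    print(set_scheme(SAMPLE_UNPATCHED, "mailto", BLOCK) == RECOMMENDED)
```

On a Windows box the string to feed in is the tSchemePerms value under the cDefaultLaunchURLPerms key quoted above; the functions only see the string, so the same check runs offline against values collected from many machines.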
[Full-disclosure] Re: Microsoft confirmed Word 0-day vulnerability
On 9/7/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

> Better workaround is to upgrade.

[chokes on his coffee]

What ... you mean upgrade to a later version of Word ? I don't think I'll ever be doing that, unless you can show me some really horrible thing in Word 2000 that outweighs all the excess bloat in Office XP/2003 - new-fangled Clippy-nonsense, and additional code (providing new attack surface) implementing new features that I just don't want.

You'll probably recall that IT variation on an old cliche : "80% of people only use 20% of Word's features". Word 2000 does it for me - and for everybody else I've ever talked to about this topic. The only people with Office XP/2003 that I know are people who got it bundled with a new PC. Everybody else upgrades to, and then sticks with, Word 2000 - glad to have gotten off the horrible treadmill of Office upgrades required *just* to exchange documents with other people on newer versions. MS, bless them, seem to have preserved .doc-file forwards compatibility across versions 2000 and later. Of course, now I've said that in public ... ;)

So, no - I don't think a Word upgrade is an answer for most folks.

Cheers,
Nick Boyce
--
The person who says it cannot be done should not interrupt the person who is doing it. -- Chinese Proverb
Re: [Full-disclosure] Linux Kernel CIFS Vulnerability
On Thu, Apr 9, 2009 at 5:01 PM, Raj Mathur r...@linux-delhi.org wrote:

> On Thursday 09 Apr 2009, Andreas Bogk wrote:
>
>> Neither the Linux kernel team, the CIFS maintainers nor any of the commercial Linux distributors bothered to send out an advisory.
>
> The advisory will be out in all the major distributions' kernel upgrade notice to this and other security lists. E.g. (to randomly pick an advisory):
> http://archives.neohapsis.com/archives/fulldisclosure/2009-04/0060.html

Um .. I don't see the word "CIFS" anywhere in that bulletin.

Nick Boyce
--
Leave the Olympics in Greece, where they belong.
Re: [Full-disclosure] How to disable Java Deployment Toolkit
On Wed, Apr 14, 2010 at 11:15 AM, Kristof Zelechovski giecr...@stegny.2a.pl wrote:

> Regarding the Java Deployment Toolkit vulnerability:
> On Windows XP and later: open the Local Security Settings console and create a prohibition rule for the path
> %HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Web Start\1.6.0_19\HOME%/JAVAWS.EXE

Hmm ... presumably that would need repeating for every later (and older) Java release until the functionality is believed safe ?

Cheers
Nick
--
Leave the Olympics in Greece, where they belong.
Re: [Full-disclosure] looking for Network Trafic Monitoring software
On Sat, Feb 26, 2011 at 7:17 AM, Gopi Nath gopinath...@gmail.com wrote:

> I want to check the traffic. Because recently many times some systems were throwing more traffic. It was difficult for me to check each and every system manually. Is there any tool which I can use to monitor the traffic of each and every workstation.

Your question really amounts to a dumb question on this list - monitoring the traffic is at the heart of all network-defense, so that's a sort of "security-101" question. Have you done _any_ research into this yourself so far ? It doesn't sound like you know very much yet - there are hundreds of software tools for monitoring traffic, with varying functionalities.

A good first step for you would perhaps be to read all about these two software packages (both available for Windows) and try them out so you can discover whether or not they do what you need :

Wireshark: http://www.wireshark.org/
Snort: http://www.sourcefire.com/security-technologies/snort

You don't say what it is about your organisation's traffic that you want to monitor ... do you want to check for *malicious* traffic, or is it just traffic *overload* you're concerned about ?

For simple traffic load monitoring on a single broadcast-domain network segment, in the Elder Days I liked a rather wonderful but very simple package for [gulp] DOS, called ETHLOAD. We installed it on a PC and left it running all day in the corner of the office. Any time traffic increased beyond safe utilisation levels for that segment we could see across the room to the ETHLOAD screen where the problem was made very visually obvious, and could quickly get ETHLOAD to tell us which workstation or server was responsible for the largest traffic flows. I don't know what tool is best for _that_ purpose now, but neither do I know what it is you really want to do ... enlighten us.

Nick
--
Leave the Olympics in Greece, where they belong
Re: [Full-disclosure] Cisco Linksys WRT54G XSS Vulnerability
On Thu, Apr 28, 2011 at 5:12 PM, Justin Klein Keane jus...@madirish.net wrote:

> Systems affected:
> - Cisco Linksys Wireless G Broadband Router WRT54G with firmware version 4.21.1 was tested and found to be vulnerable.

FWIW, exact same weakness confirmed in Linksys AG241v1 with firmware 1.00.23 (the AG241 is the same animal as the WRT54G but without the WiFi).

I don't suppose Cisco will ever release updates to address vulnerabilities in these products, simple (and cost-effective for customer goodwill) though it would be.

Cheers
Nick
--
Handy Fact: Miles per Gallon and Furlongs per Pint are equivalent.
Re: [Full-disclosure] Lastpass Security Issue
On Thu, May 5, 2011 at 9:09 PM, Benji m...@b3nji.com wrote:

> They've said nothing about what they're going to do to the server with said anomaly. Wouldn't be happy until a full reinstall.

From http://blog.lastpass.com/2011/05/lastpass-security-notification.html :

    We're rebuilding the boxes in question and have shut down and moved services from them in the meantime. The source code running the website and plugins has been verified against our source code repositories, and we have further determined from offline snapshots and cryptographic hashes in the repository that there was no tampering with the repository itself

Is that what you meant ?

Nick
--
Current Earth status: NOT DESTROYED
Re: [Full-disclosure] WTF
On Fri, May 6, 2011 at 6:49 PM, Gustavo gustavorober...@gmail.com wrote:

> WTF ?
>
> notebook:~$ ping www.compusa.com
> PING bh.georedirector.akadns.net (127.0.0.1) 56(84) bytes of data.
> 64 bytes from localhost.localdomain (127.0.0.1): icmp_req=1 ttl=64 time=0.019 ms

Same here ... this time on Windows :

F:\>ping www.compusa.com

Pinging bh.georedirector.akadns.net [127.0.0.1] with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

F:\>nslookup www.compusa.com
Server:
Address:  9

Non-authoritative answer:
Name:    bh.georedirector.akadns.net
Address:  127.0.0.1
Aliases:  www.compusa.com, compusa.syx.com.akadns.net

Normally I'd say that's a DNS config screwup, which would make them unreachable (since their website is not on my system). However, Google seems to be able to reach them if you use the "site preview" option in the search results :
http://www.google.com/search?q=www.compusa.com

Curious.

Relevant: http://forums.opendns.com/comments.php?DiscussionID=9721

Nick
--
Leave the Olympics in Greece, where they belong.
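The ping and nslookup output above shows a public hostname resolving to 127.0.0.1, which is the kind of answer a monitoring check should flag whether it comes from a misconfiguration, a sinkhole, or a poisoned resolver. The following is an added example (not from the thread or any of the posters): it parses Windows-style nslookup output, classifies each answer address with Python's ipaddress module, and returns a verdict. SAMPLE_NSLOOKUP is a constructed input modelled on the quoted output (the resolver address is a documentation-range placeholder); SAMPLE_HEALTHY is a constructed comparison case with public addresses.

```python
"""Flag DNS answers that point a public hostname at a loopback or private address.

Added example, not from the thread; it models the Windows nslookup output
quoted above and runs offline on constructed input.
"""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample modelled on the nslookup output quoted in the thread;
# the resolver address is a documentation-range (192.0.2.0/24) placeholder.
SAMPLE_NSLOOKUP = """\
Server:  resolver.example
Address:  192.0.2.53

Non-authoritative answer:
Name:    bh.georedirector.akadns.net
Address:  127.0.0.1
Aliases:  www.compusa.com, compusa.syx.com.akadns.net
"""

# Constructed healthy answer for comparison (8.8.8.8 / 8.8.4.4 are public).
SAMPLE_HEALTHY = """\
Server:  resolver.example
Address:  192.0.2.53

Non-authoritative answer:
Name:    example.test
Addresses:  8.8.8.8
          8.8.4.4
"""


def parse_nslookup(text: str) -> dict:
    """Extract name, answer addresses and aliases from nslookup output.

    The leading 'Server:'/'Address:' pair describes the resolver, not the
    answer, so only lines after the first 'Name:' are considered. Indented
    continuation lines extend the preceding address or alias list.
    """
    result = {"name": "", "addresses": [], "aliases": []}
    in_answer = False
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Name:"):
            in_answer = True
            result["name"] = line.split(":", 1)[1].strip()
            current = None
            continue
        if not in_answer:
            continue
        if line.startswith(("Address:", "Addresses:")):
            current = "addresses"
            value = line.split(":", 1)[1]
        elif line.startswith("Aliases:"):
            current = "aliases"
            value = line.split(":", 1)[1]
        elif current and not line.endswith(":"):
            value = line  # continuation of a multi-address or multi-alias list
        else:
            current = None
            continue
        result[current].extend(v for v in re.split(r"[,\s]+", value.strip()) if v)
    return result


def classify(address: str) -> str:
    """Return 'ok', or the reason an address should not answer for a public name."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:  # RFC 1918, documentation ranges and other reserved space
        return "private/reserved"
    return "ok"


def flag_answer(parsed: dict) -> List[Tuple[str, str]]:
    """List (address, reason) for every answer address that is not public."""
    return [(a, classify(a)) for a in parsed["addresses"] if classify(a) != "ok"]


def verdict(text: str) -> str:
    """One-line summary suitable for a monitoring check."""
    parsed = parse_nslookup(text)
    flagged = flag_answer(parsed)
    names = ", ".join(parsed["aliases"] + [parsed["name"]]) if parsed["name"] else "?"
    if not flagged:
        return f"OK: {names} -> {', '.join(parsed['addresses'])}"
    return "SUSPECT: " + names + " -> " + ", ".join(f"{a} ({r})" for a, r in flagged)


if __name__ == "__main__":
    print(verdict(SAMPLE_NSLOOKUP))
    print(verdict(SAMPLE_HEALTHY))
```

The classification is deliberately stricter than "is it 127.0.0.1": a public name answering with RFC 1918 space, link-local or 0.0.0.0 is just as worth an alert, and the same functions accept IPv6 answers such as ::1.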
Re: [Full-disclosure] Is FD no longer unmoderated?
On Thu, Dec 1, 2011 at 3:06 AM, valdis.kletni...@vt.edu wrote:

> On Thu, 01 Dec 2011 07:49:28 +0530, David Blanc said:
>
>> A colleague of mine subscribed to FD recently and tried posting to it but every time he gets this message:
>
> The *list* isn't moderated. However, several *people* are, and they for the most part know who they are and why they're moderated.

Erm, in March 2010 John Cartwright (list owner) had to introduce a sort of "moderation-lite" procedure to deal with the way (it seemed that) n3td3v avoided his ban by just signing up new user IDs with which to spew his nonsense once his primary ID was banned. *New* users are now moderated "for a while" after their initial signup (not sure whether "a while" means time, or post-count), until they have shown they're not an idiot.

See http://seclists.org/fulldisclosure/2010/Mar/459

[Very good idea, IMHO, given the idiot factor that seems to show up here from time to time]

Cheers
Nick Boyce
--
Leave the Olympics in Greece, where they belong.
Re: [Full-disclosure] Bug 718066 - [meta] Add feature to submit anonymous product metrics to Mozilla
On Wed, Feb 8, 2012 at 9:12 PM, . . kerdezd...@gmail.com wrote:

> https://bugzilla.mozilla.org/show_bug.cgi?id=718066
>
> what the hell is this?!

I'll bite ... (I know your question was rhetorical)

It's a very bad idea IMO. From TFA (https://wiki.mozilla.org/MetricsDataPing):

    Mozilla has a critical need to be able to understand the factors that cause installations of Firefox to no longer be used. The system must have some way to detect an abandoned installation.

Their proposed solution seems to be (from the bug and wiki) to include code in Firefox to submit a lot of information to mozilla.org, on a regular basis, about the individual FF installation ... date installed, list of add-ons installed, with date each add-on installed, date FF last used, OS type, FF version, whether up to date when last used, etc.

Far too much information for comfort - sufficient to _enable_ fingerprinting and tracking of individual FF installation use (e.g. "is this browser installation using Tor the same as that other browser not using Tor ?"), even if that is not the _intention_. Contravention of EU data protection laws seems probable, or at least German laws.

OT: They should just make FF quality high and the design impeccable - that's all they need do to win our hearts and minds (many other FLOSS projects exist to attest to that). The engineers know what's needed, and the users have spoken out endlessly on the forums - metrics are for managers. Sigh.

Nick
--
public void Ballmer(Developers developers) throws Chair
Re: [Full-disclosure] Trustwave and Mozilla
On Sun, Feb 12, 2012 at 10:54 AM, Jeffrey Walton noloa...@gmail.com wrote:

> https://www.infoworld.com/d/security/trustwave-admits-issuing-man-in-the-middle-digital-certificate-185972
>
> In case folks are interested in the following Mozilla's response to active MitM attacks that were facilitated by Trustwave, the bug report is here: http://bugzilla.mozilla.org/show_bug.cgi?id=724929.

Can anyone confirm that Trustwave CA certificates in the local Mozilla certificate store are the ones with names containing the word "SecureTrust" ? I want to disable Trustwave CAs on all my local systems, but am not certain which are the relevant ones. For some benighted reason, the word "Trustwave" is not present in any of the certificate names in the FF certificate store on WinXP or Debian (Iceweasel). Ironically of course, the word "trust" appears everywhere :)

I found a page at mozilla.org which appears to show all CAs included with FF, and that Trustwave certificates are labelled "SecureTrust" :
http://www.mozilla.org/projects/security/certs/included/
but I would like confirmation from Someone Who Knows Better.

Be advised: the above page appears to be some kind of .. [recoils in horror] .. XML which doesn't render properly on WinXP, but renders fine on Debian Linux. Maybe there's some XSL needed somewhere.

Cheers
Nick
--
XML is like violence. If it doesn't solve the problem, use more.
Re: [Full-disclosure] Trustwave and Mozilla
On Mon, Feb 13, 2012 at 4:18 PM, Nick Boyce nick.bo...@gmail.com wrote:

> http://www.mozilla.org/projects/security/certs/included/
>
> Be advised: the above page appears to be some kind of .. [recoils in horror] .. XML which doesn't render properly on WinXP, but renders fine on Debian Linux. Maybe there's some XSL needed somewhere.

OT: that problem was actually caused by having XSLT disabled in NoScript options on the WinXP box - sorry for the misdirection.

Nick
--
Leave the Olympics in Greece, where they belong.
Re: [Full-disclosure] Adobe Flash UpdateInstalls Other Warez without Consent
On Mon, Sep 17, 2012 at 6:39 PM, Christian Sciberras uuf6...@gmail.com wrote:

> On Thu, Sep 6, 2012 at 2:09 PM, Jeffrey Walton noloa...@gmail.com wrote:
> [snip]
>> Adobe now includes additional warez in their updates without consent. The warez includes a browser and tools bar. The attached image is what I got when I agreed to update Adobe Flash because of recent security vulnerability fixes.
>
> To the more reasonable readers, I guess Adobe could have had a genuine mistake / bug in their code ... nothing new.

This has happened elsewhere recently - specifically with the once rather fine Foxit PDF Reader - see this forum post :
http://forums.foxitsoftware.com/showthread.php?18193-Auto-updade-silently-installs-extra-software-overrides-user-choices (12th.June.2012)

Foxit Corporation apologised within a week for the snafu, confessing a misconfiguration of their upgrade servers.

> Don't know why it's such a big deal.

I tend to agree, given Adobe's stunning competence record with this particular product :)

Nick
--
Any sufficiently advanced malice is indistinguishable from incompetence.
Re: [Full-disclosure] Foxit Reader suffers from Division By Zero
On Sat, Sep 29, 2012 at 8:01 AM, kaveh ghaemmaghami kavehghaemmagh...@googlemail.com wrote:

> Title: Foxit Reader suffers from Division By Zero
> Version : 5.4.3.0920
> [...]
> division by zero vulnerability during the handling of the pdf files. that will trigger a denial of service condition
> [...]
> Proof of concept .pdf included.

Confirmed with V5 Foxit Reader 5.4.3.0920 on WinXP Pro SP3 (though with a slightly different offset - 0015eb8c ... ASLR ?).

Interestingly, NOT confirmed for Foxit Reader 4.3.1.0323 (the last version of the V4 Foxit Reader, which is the last version many people are comfortable with); with this version I get a dialog box stating "format error: not a PDF or corrupted", and no crash. This is also on XP Pro SP3.

Another reason to be disappointed with Foxit Reader V5 :)

Cheers
Nick Boyce
--
You are in a maze of twisty little relative jumps, all alike.
Re: [Full-disclosure] Your account could be at risk of state-sponsored attacks
On Fri, Oct 5, 2012 at 8:04 AM, Aftermath aftermath.thegr...@gmail.com wrote:

> In the last two weeks some of my cyber friends have been getting this message in their gmail.
> http://support.google.com/mail/bin/answer.py?hl=en&ctx=mail&answer=2591015
> [...]
> Has anyone else gotten this message from Google in the last 3 days? Mine was Tue, 2 Oct 2012 22:34:31 -0700

Nope - no such messages received at this Gmail address - I also looked in the Spam folder back as far as 25th.Sept .. none there either. Nor have I received any emails with suspicious attachments at this address, though I'm bombarded by them at various other non-Google addresses. Googlemail seems to have pretty good filtering of mainstream malware and spam, so I find your story a little puzzling.

NB: the Googlemail support page the link points to says you should have been directed there by a message above your inbox, *not* in the body of an actual email. As the support page says, they also use other indicators to decide you may be being targeted, such as suspicious login attempts.

Maybe your cyber-friend-group is resident in a particularly targeted geographical region and Google knows it ... or maybe Google *has* successfully detected _some_ malware on its way to you, and noticed that the malware is sufficiently mutable in character (polymorphic) that other variants may have made it through undetected.

Nick
--
Q: How many Bavarian Illuminati does it take to screw in a lightbulb?
A: Three: one to screw it in, and one to confuse the issue.
Re: [Full-disclosure] OT Google raises sploit bounties
On Sat, Nov 24, 2012 at 3:28 PM, Georgi Guninski gunin...@guninski.com wrote:

> http://www.theregister.co.uk/2012/11/23/mystery_chrome_0_day/
>
>> ... but that was before Google began offering up to $60,000 in bug bounties
> [...]
> Did I miss a major malware related to their warez? Or are they just paranoid?

Of course they're paranoid - it's the only sensible policy. "These days a paranoid may be defined as someone who has some idea of what's really going on" ~ William Burroughs.

> MZ/RS: As far as I know, all reward increases for Google VRPs were driven by a combination of factors 1 through 3.
>
> Please stop ridiculing conspiracy theories with reasonable arguments :). No fun.

+1 :)

Nick
--
When there's a shark in the water, you don't have to swim faster than the shark ... just faster than everybody else. ~~ alleged Australian business maxim.
Re: [Full-disclosure] How to lock up a VirtualBox host machine with a guest using tracepath over virtio-net network interface
On 6/21/13, Thomas Dreibholz dre...@simula.no wrote:

> I have discovered a problem with the VirtualBox virtio-net network driver that leads to a lockup of the host machine's kernel and the need for a hard reset to make it working again. The bug had been reported to the VirtualBox bug tracker 8 days ago (https://www.virtualbox.org/ticket/11863), with the usual reaction from Oracle support (i.e. none).

FWIW: *not* confirmed for :

64-bit Linux host = Debian Squeeze 6.0.7 amd64
32-bit Linux guest = Debian Squeeze 6.0.7 i386
VirtualBox = 4.1.26 (guest network adapter set to virtio for the test)

'$ tracepath 8.8.8.8' run in the guest works fine, and no unpleasant effects are noticed on either host or guest.

I note that VirtualBox 4.1.26 (latest update to 4.1 series) was released on the same day as 4.2.14 (latest update to 4.2 series) - specifically 21st.June.2013 - which happens to be the same day you reported the problem here after getting apparently zero response from Oracle Support for 8 days. Maybe they just silently fixed the bug during those 8 days - in which case they should have had the manners to let you know.

Cheers
Nick Boyce
--
I can't watch TV longer than five minutes without praying for nuclear holocaust ~~ Bill Hicks