Re: [Full-disclosure] Remote log injection on DenyHosts, Fail2ban and BlockHosts

2007-06-07 Thread Tavis Ormandy
On Wed, Jun 06, 2007 at 05:13:54PM -0300, Daniel Cid wrote: DenyHosts, Fail2ban and BlockHosts are vulnerable to remote log injection that can lead to arbitrarily injection of IP addresses in /etc/hosts.deny. To make it more interesting, not only IP addresses can be added, but also the wild

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Tavis Ormandy
On Mon, Nov 27, 2006 at 02:22:10PM -0500, J. Oquendo wrote: For those interested, I wrote a program called Sharpener which is an SSH brute force blocking tool that also reports back the offenders' addresses. I have begun posting the information on the attackers as well as sending out

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Tavis Ormandy
On Mon, Nov 27, 2006 at 03:51:39PM -0500, J. Oquendo wrote: Tavis Ormandy wrote: Nice work, really subtle rootkit. I like the email phone-home. Here's an exploit. #!/bin/sh ssh 'foo bar `/sbin/halt`'@victim Since you seem to be clueless I'll answer step by step. Here goes idiot

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Tavis Ormandy
On Mon, Nov 27, 2006 at 04:12:11PM -0500, J. Oquendo wrote: So again dumbass... Look at the script. Although YOU'RE opening /var/log/authlog what is the script opening. I'm opening authlog as I don't use secure, the same thing applies. Please tell me you're really not that stupid. And if

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Tavis Ormandy
On Mon, Nov 27, 2006 at 04:21:19PM -0500, gabriel rosenkoetter wrote: Mea culpa. Tavis's exploit doesn't do scary things, although he's right you should really be doing a bit more sanitization of (evil) user-supplied input, given that you're (insisting that you) run as root. Gabriel, I was

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Tavis Ormandy
On Mon, Nov 27, 2006 at 04:27:24PM -0500, J. Oquendo wrote: Tavis Ormandy wrote: I'm not sure what you mean by modification, I simply substituted the name for the logfile I use. Thanks, Tavis. So for the third time now. Explain to me how I am backdooring someone's system. J

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread Tavis Ormandy
On Mon, Nov 27, 2006 at 04:55:46PM -0500, J. Oquendo wrote: No it can't. Even if it was rm -rf someone placed in, did you not notice my grep statement? Only print items with a decimal. At no given point anywhere on the 13th column whether it's Solaris, NetBSD, FreeBSD, would there be an

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread Tavis Ormandy
On Tue, Nov 28, 2006 at 09:33:03AM -0500, J. Oquendo wrote: Thierry Zoller wrote: Dear All, You are arguing over hypotheses where facts could rule. PLEASE someone just setup the script on a test environment and present us your results. Heck, it's not that we are discussing Metaproblems

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread Tavis Ormandy
On Tue, Nov 28, 2006 at 10:56:33AM -0500, J. Oquendo wrote: Incorrect did you look at the fix? It isn't unsanitized as you state: J, you have made an attempt to fix it, but it is not sufficient. An attacker can still add arbitrary hosts to the deny list. Thanks, Tavis. --

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread Tavis Ormandy
On Tue, Nov 28, 2006 at 04:02:36PM +, Tavis Ormandy wrote: On Tue, Nov 28, 2006 at 10:56:33AM -0500, J. Oquendo wrote: Incorrect did you look at the fix? It isn't unsanitized as you state: J, you have made an attempt to fix it, but it is not sufficient. An attacker can still add

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread Tavis Ormandy
On Tue, Nov 28, 2006 at 05:14:28PM +0100, Thierry Zoller wrote: Dear Tavis, TO J, you have made an attempt to fix it, but it is not sufficient. TO An attacker can still add arbitrary hosts to the deny list. Can you propose a fix? Apart from the aggressiveness of this thread I find it

Re: [Full-disclosure] SSH brute force blocking tool

2006-11-28 Thread Tavis Ormandy
On Tue, Nov 28, 2006 at 11:59:43AM -0500, J. Oquendo wrote: Tavis Ormandy wrote: On Tue, Nov 28, 2006 at 04:02:36PM +, Tavis Ormandy wrote: I notice you also haven't solved the local privilege escalation, this can be abused by local users to gain root by attempting to login

Re: [Full-disclosure] [ GLSA 200612-15 ] McAfee VirusScan: Insecure DT_RPATH

2006-12-14 Thread Tavis Ormandy
On Thu, Dec 14, 2006 at 06:39:55PM -0600, [EMAIL PROTECTED] wrote: Gentoo Security Team, This statement seems to contrast greatly your practice of not following a professional responsible disclosure process; particularly, posting a security issue only 8.5 hours after your initial report was

Re: [Full-disclosure] [Bkis-07-2009] 010 Editor Multiple Buffer Overflow Vulnerabilities

2009-04-22 Thread Tavis Ormandy
Bkis s...@bkav.com.vn wrote: Bkis has just found many vulnerabilities in the software, related to the processing of 010 Editor Binary Template files (“.bt”) and 010 Editor Script Files (“.1sc”). These vulnerabilities are very dangerous due to the fact that they allow hackers to execute

Re: [Full-disclosure] [TZO-27-2009] Firefox Denial of Service (Keygen)

2009-05-28 Thread Tavis Ormandy
Thierry Zoller thie...@zoller.lu wrote: According to a Bugzilla entry memory is also leaked during the process. So let's recap, we have a function that generates key material and looping causes memory to leak. One might think this should be important enough to investigate, especially if you

Re: [Full-disclosure] [TZO-27-2009] Firefox Denial of Service (Keygen)

2009-05-28 Thread Tavis Ormandy
Thierry Zoller thie...@zoller.lu wrote: Hi Tavis, The bug title says Denial of service, not information leak, or crypto leak or whatever. I'm confused what it is you're replying to, I was clearly pointing out your misunderstanding of the term memory leak in the impact section of your post

Re: [Full-disclosure] [TZO-27-2009] Firefox Denial of Service (Keygen)

2009-05-28 Thread Tavis Ormandy
Thierry Zoller thie...@zoller.lu wrote: A memory leak in an interactive program that requires you to view a hostile page for 9 hours is clearly of negligible security impact. Ok I will take the strawman: Your random application of meaning to terminology is at least entertaining. Only a few

[Full-disclosure] Linux NULL pointer dereference due to incorrect proto_ops initializations

2009-08-13 Thread Tavis Ormandy
August 2009. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98 --- Credit --- This bug was discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team

Re: [Full-disclosure] nullpointer fix question

2009-08-14 Thread Tavis Ormandy
maxigas maxi...@anargeek.net wrote: hi! Should this fix work against the nullpointer linux kernel vulnerability? It looks incomplete, I don't see PF_ISDN or PF_IUCV, for example. But this general approach looks fine, and is actually what Red Hat have recommended to their customers.

[Full-disclosure] Invalid #PF Exception Code in VMware can result in Guest Privilege Escalation

2009-10-27 Thread Tavis Ormandy
://www.vmware.com/security/advisories/VMSA-2009-0015.html --- Credit --- This bug was discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team. --- Greetz --- Greetz to Lcamtuf, LiquidK, redpig, Neel, pipacs, spoonm

[Full-disclosure] Locked fasync file descriptors can be referenced after free in = 2.6.28

2010-01-14 Thread Tavis Ormandy
) http://lxr.linux.no/#linux+v2.6.32/fs/fcntl.c#L550 Linus has committed the following patch to address this issue http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=53281b6d3 This bug was discovered by Tavis Ormandy. Thanks to legendary kernel hackers Linus, Matt

[Full-disclosure] Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack

2010-01-19 Thread Tavis Ormandy
an official patch. It should be noted that very few users rely on NT security, the primary audience of this advisory is expected to be domain administrators and security professionals. --- Credit --- This bug was discovered by Tavis Ormandy

[Full-disclosure] Java Deployment Toolkit Performs Insufficient Validation of Parameters

2010-04-09 Thread Tavis Ormandy
was discovered by Tavis Ormandy. This work is my own, and all of the opinions expressed are mine, not my employer's or anybody else's (I added this for you, Dan. Thanks ;-)). --- Greetz --- Greetz to Julien, Neel, Redpig, Lcamtuf, Spoonm, Skylined, asiraP, LiquidK

[Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-09 Thread Tavis Ormandy
representatives that you would like to see Microsoft invest in developing processes for faster responses to external security reports. --- Credit --- This bug was discovered by Tavis Ormandy. --- Greetz --- Greetz to Neel, Mark

Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread Tavis Ormandy
of communication between you and MSRC that after 4 days you posted this? Tavis Ormandy wrote: Susan, I wish I had the time to hold your hand through getting up to speed on the disclosure debate. Instead, I would suggest starting with the links in my advisory which were intended to give you enough

Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread Tavis Ormandy
On Thu, Jun 10, 2010 at 07:02:03PM +0200, Thomas Kristensen wrote: Tavis, Nice find, but during our analysis we discovered that your hotfix unfortunately is inadequate. For more information see: http://secunia.com/blog/103/ Patches are, of course, welcome. Thanks, Tavis. --

Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread Tavis Ormandy
On Thu, Jun 10, 2010 at 07:21:48PM +0200, Tavis Ormandy wrote: On Thu, Jun 10, 2010 at 07:02:03PM +0200, Thomas Kristensen wrote: Tavis, Nice find, but during our analysis we discovered that your hotfix unfortunately is inadequate. For more information see: http://secunia.com/blog

[Full-disclosure] The GNU C library dynamic linker expands $ORIGIN in setuid library search path

2010-10-18 Thread Tavis Ormandy
was discovered by Tavis Ormandy. --- Greetz --- Greetz to Hawkes, Julien, LiquidK, Lcamtuf, Neel, Spoonm, Felix, Robert, Asirap, Spender, Pipacs, Gynvael, Scarybeasts, Redpig, Kees, Eugene, Bruce D., and all my other elite friends and colleagues. Additional greetz

Re: [Full-disclosure] The GNU C library dynamic linker expands $ORIGIN in setuid library search path

2010-10-19 Thread Tavis Ormandy
Hanno Böck ha...@hboeck.de wrote: On Monday 18 October 2010 Tavis Ormandy wrote: # Open a file descriptor to the target binary (note: some users are surprised # to learn exec can be used to manipulate the redirections of the current # shell if a command is not specified. This is what

Re: [Full-disclosure] The GNU C library dynamic linker expands $ORIGIN in setuid library search path

2010-10-20 Thread Tavis Ormandy
Louis Granboulan louis.granboulan.secur...@gmail.com wrote: However, it is quite clear to me that the current behaviour is inconsistent and is the reason of this security flaw. We see $ ls -l /proc/self/fd/3 pretend that it is a symbolic link to a file that does not exist, and $ ls -lL

[Full-disclosure] The GNU C library dynamic linker will dlopen arbitrary DSOs during setuid loads.

2010-10-22 Thread Tavis Ormandy
--- This bug was discovered by Tavis Ormandy. Thanks to Ben Hawkes and Julien Tinnes for additional insight, and their expertise tracking down convincing attack vectors. --- Greetz --- Greetz to Hawkes, Julien, LiquidK, Lcamtuf, Neel, Spoonm

[Full-disclosure] Developers should not rely on the stickiness of /tmp on Red Hat Linux

2011-02-22 Thread Tavis Ormandy
/etc/passwd /tmp/seunshare/krb5cc_0.1 # make ksu authentication fail. $ fg seunshare -v -t /tmp/seunshare/ -h /tmp/seunshare/ -- `which ksu` root And /etc/passwd was damaged, thus breaking the system. --- Credit --- This bug was discovered by Tavis Ormandy

[Full-disclosure] BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload

2011-04-01 Thread Tavis Ormandy
Kernel Stack Overflow Testcase // -- Tavis Ormandy tav...@cmpxchg8b.com, March 2011 // #define MAX_PACKET_SIZE (1024 * 1024 * 32) #define MAX_ENCAP_DEPTH 1024 enum { IPCOMP_OUI = 1, IPCOMP_DEFLATE = 2, IPCOMP_LZS = 3, IPCOMP_MAX, }; struct ipcomp

Re: [Full-disclosure] BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload

2011-04-01 Thread Tavis Ormandy
On Fri, Apr 01, 2011 at 05:34:18AM -0400, Jeffrey Walton wrote: On Fri, Apr 1, 2011 at 4:00 AM, Tavis Ormandy tav...@cmpxchg8b.com wrote: BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload

[Full-disclosure] Sophos Antivirus Review

2011-08-04 Thread Tavis Ormandy
List, I've prepared a paper to accompany a presentation at Black Hat Las Vegas discussing Sophos Antivirus design. It might be of interest to those evaluating or deploying Sophos Antivirus. http://lock.cmpxchg8b.com/Sophail.pdf I've also created some tools to help understand and dump Sophos

Re: [Full-disclosure] [MOHSEP] Month Of Humorous Stefan Esser Photoshops - 0x06

2011-08-07 Thread Tavis Ormandy
Herr E Balls mohsep.submissi...@googlemail.com wrote: Hi Guys! Edition six of MOHSEP is here with no technical issues (we hired a Mexican guy called Manuel to run servers in Latvia for us!). Link is here: http://mohsepblog.blogspot.com/2011/08/saturday-august-6th-2011.html I pity the

Re: [Full-disclosure] NGS00099 Patch Notification: Vulnerable SUID script in (nomachine) NX Server for Linux

2011-09-21 Thread Tavis Ormandy
Research@NGSSecure resea...@ngssecure.com wrote: Vulnerable SUID script in (nomachine) NX Server for Linux 3.5.0-4 (Advanced and Enterprise across redhat and debian hosts) 21 September 2011 NGS Secure has discovered a High risk vulnerability in (nomachine) NX Server for Linux 3.5.0-4

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-22 Thread Tavis Ormandy
b...@fbi.dhs.org wrote: bashbug: /usr/bin/bashbug:TEMPDIR=$TMPDIR/bbug.$$ Maybe I should use bashbug to report a bug in bashbug? I took a quick look, it's actually using mkdir to create a temporary directory in /tmp, which it uses for collecting support files. This is actually a safe

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-25 Thread Tavis Ormandy
xD 0x41 sec...@gmail.com wrote: Hello, Your 'race condition possibly leading to root' is a myth... Yes that's maybe because race condition or not, it is ASLR which will prevent from ANY rootshell, and Yes, it has been tried... You can do better, go right ahead ;-) I am betting you that's why

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-25 Thread Tavis Ormandy
On Tue, Oct 25, 2011 at 08:56:10AM -0400, b...@fbi.dhs.org wrote: I think it was ln -T ? Oops, thanks, a typo. Tavis. -- - tav...@cmpxchg8b.com | pgp encrypted mail preferred ---

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-25 Thread Tavis Ormandy
valdis.kletni...@vt.edu wrote: On Wed, 26 Oct 2011 09:56:24 +1100, xD 0x41 said: You can make it bypass Aslr? Nope. It can't, because ASLR doesn't enter into the picture. But then, *who cares*? Are you going to make it through a passport check too? Because that's as relevant

Re: [Full-disclosure] Google open redirect

2011-12-08 Thread Tavis Ormandy
Nick FitzGerald n...@virus-l.demon.co.uk wrote: _Open_ URL redirectors are trivially prevented by any vaguely sentient web developer as URL redirectors have NO legitimate use from outside one's own site so should ALWAYS be implemented with Referer checking, ensuring they are not _open_

Re: [Full-disclosure] Google open redirect

2011-12-10 Thread Tavis Ormandy
Marsh Ray ma...@extendedsubset.com wrote: On 12/08/2011 12:37 AM, Michal Zalewski wrote: For time being, if you make security decisions based on onmouseover tooltips, link text, or anything along these lines, and do not examine the address bar of the site you are ultimately interacting

Re: [Full-disclosure] Two other Google open redirects

2011-12-13 Thread Tavis Ormandy
Nick FitzGerald n...@virus-l.demon.co.uk wrote: Michal, Tavis -- regression management problems in the Googleplex? Surely not... Nothing to do with me, but I think your redirection fetish is bizarre ;-) Tavis. -- - tav...@cmpxchg8b.com | pgp encrypted

Re: [Full-disclosure] Google open redirect

2011-12-13 Thread Tavis Ormandy
Marsh Ray ma...@extendedsubset.com wrote: But now if we successfully convince every developer on the planet to stop using HTTP redirection, that doesn't change that the user doesn't know how to determine if the URL is trusted or not, so we just use one of dozens of other simple tricks.

[Full-disclosure] incorrect integer conversions in OpenSSL can result in memory corruption.

2012-04-19 Thread Tavis Ormandy
--- Credit --- This bug was discovered by Tavis Ormandy, Google Security Team. Additional thanks to Adam Langley also of Google for analysis and designing a fix. -- - tav...@cmpxchg8b.com | pgp encrypted mail preferred

Re: [Full-disclosure] The story of the Linux kernel 3.x...

2012-05-16 Thread Tavis Ormandy
Adam Zabrocki p...@pi3.com.pl wrote: Btw. I wonder why no-one pointed this out before... Btw2. Go and write a reliable exploit for kernel 3.x ;p You must be using CONFIG_COMPAT_VDSO, it's rarely used unless you need compatibility with an ancient libc that was released during the narrow window

Re: [Full-disclosure] The story of the Linux kernel 3.x...

2012-05-16 Thread Tavis Ormandy
Adam Zabrocki p...@pi3.com.pl wrote: Hi Tavis, I've checked with the same result: *) Fedora 16 *) latest Ubuntu *) latest Suse Best regards, Adam Zabrocki You must be doing something unusual, are these stock kernels? Those distributions all have good security teams who certainly

Re: [Full-disclosure] The story of the Linux kernel 3.x...

2012-05-16 Thread Tavis Ormandy
Adam Zabrocki p...@pi3.com.pl wrote: Hi Tavis, Don't know why you don't believe me :) Anyway: I don't believe any distribution stock kernel enabled it, because this is just too simple to get wrong. But if they have, we need to find out who enabled it so you can file bugs in the appropriate

Re: [Full-disclosure] The story of the Linux kernel 3.x...

2012-05-16 Thread Tavis Ormandy
Tavis Ormandy tav...@cmpxchg8b.com wrote: Adam Zabrocki p...@pi3.com.pl wrote: Hi Tavis, Don't know why you don't believe me :) Anyway: I don't believe any distribution stock kernel enabled it, because this is just too simple to get wrong. But if they have, we need to find out who

Re: [Full-disclosure] The story of the Linux kernel 3.x...

2012-05-16 Thread Tavis Ormandy
On Wed, May 16, 2012 at 11:49:40PM +0200, Adam Zabrocki wrote: Hi Tavis, Yes these are stock kernels and yes you must believe it is such a simple mistake ;) All systems were installed as VMs in default installation using official ISOs. And of course this is a configuration mistake not kernel

Re: [Full-disclosure] The story of the Linux kernel 3.x...

2012-05-16 Thread Tavis Ormandy
On Wed, May 16, 2012 at 02:39:44PM -0700, Dan Kaminsky wrote: But we're making progress, we now know that opensuse on x86 is broken. Is VSYSCALL at a fixed address a similar problem? My Ubuntu boxes indeed have this mapped at the fixed location mentioned. --Dan Not unless you can

Re: [Full-disclosure] Transmission BitTorrent XSS Vulnerability

2012-07-28 Thread Tavis Ormandy
Justin Klein Keane jus...@madirish.net wrote: Impact -- Clients loading a maliciously crafted .torrent file into Transmission and viewing the web client could be subject to arbitrary script injection, allowing an attacker to run arbitrary code in the context of the victim's web browser.

Re: [Full-disclosure] Transmission BitTorrent XSS Vulnerability

2012-07-28 Thread Tavis Ormandy
Tavis Ormandy tav...@cmpxchg8b.com wrote: Justin Klein Keane jus...@madirish.net wrote: Impact -- Clients loading a maliciously crafted .torrent file into Transmission and viewing the web client could be subject to arbitrary script injection, allowing an attacker to run arbitrary

Re: [Full-disclosure] AxMan ActiveX fuzzing == Memory Corruption PoC

2012-07-29 Thread Tavis Ormandy
kaveh ghaemmaghami kavehghaemmagh...@googlemail.com wrote: Exploit Title: AxMan ActiveX fuzzing == Memory Corruption PoC Crash : snip nonsense Your silly post reminded me of something, while on vacation recently I bought a video game called Assassin's Creed Revelations. I didn't have much of a

Re: [Full-disclosure] AxMan ActiveX fuzzing == Memory Corruption PoC

2012-07-29 Thread Tavis Ormandy
kaveh ghaemmaghami kavehghaemmagh...@googlemail.com wrote: Exploit Title: AxMan ActiveX fuzzing == Memory Corruption PoC Crash : If someone wants to investigate further, please feel free to do so. I Got it working, I submitted it to ubisoft via the online form, it says reference

[Full-disclosure] multiple critical vulnerabilities in sophos products

2012-11-05 Thread Tavis Ormandy
List, I've completed the second paper in my series analyzing Sophos Antivirus internals, titled Practical Attacks against Sophos Antivirus. As the name suggests, this paper describes realistic attacks against networks using Sophos products. The paper includes a working pre-authentication remote

Re: [Full-disclosure] 0day Vulnerability in VLC (this is my first release of the vuln anywhere)

2013-04-23 Thread Tavis Ormandy
Henri Salo he...@nerv.fi wrote: On Tue, Apr 23, 2013 at 02:58:43PM +0300, Georgi Guninski wrote: please don't spam your opinion on every message you dislike. Point of contacting vendor is to get the issues fixed without creating unnecessary security risks to users of the program. Perhaps

Re: [Full-disclosure] 0day Vulnerability in VLC (this is my first release of the vuln anywhere)

2013-04-23 Thread Tavis Ormandy
valdis.kletni...@vt.edu wrote: On Tue, 23 Apr 2013 17:51:55 +0300, Georgi Guninski said: Completely disagree. IMHO nobody should bother negotiating with terrorist vendors. Q: What responsibility vendors have? A: Zero. Check their disclaimers. And disclaimer or no disclaimer, there's

Re: [Full-disclosure] 0day Vulnerability in VLC (this is my first release of the vuln anywhere)

2013-04-23 Thread Tavis Ormandy
valdis.kletni...@vt.edu wrote: On Tue, 23 Apr 2013 09:22:36 -0700, Tavis Ormandy said: Easy and nonsense, I really hope you don't think this is about credit. I mention the credit issue only because some people *have* gotten peeved when they contact a vendor and the vendor issues

[Full-disclosure] exploitation ideas under memory pressure

2013-05-17 Thread Tavis Ormandy
#endif #include <ntstatus.h> #pragma comment(lib, "gdi32") #pragma comment(lib, "kernel32") #pragma comment(lib, "user32") #define MAX_POLYPOINTS (8192 * 3) #define MAX_REGIONS 8192 // // win32k!EPATHOBJ::pprFlattenRec uninitialized Next pointer testcase. // // Tavis Ormandy tav...@cmpxchg8b.com, March

Re: [Full-disclosure] exploitation ideas under memory pressure

2013-05-17 Thread Tavis Ormandy
On Fri, May 17, 2013 at 02:26:10PM -0700, Tavis Ormandy wrote: The question is how to get PATHALLOC() to succeed under memory pressure so we can make this exploitable, my first thought was have another thread manipulating the free pool, but I can't figure out how to synchronize that. Getting

Re: [Full-disclosure] exploitation ideas under memory pressure

2013-05-20 Thread Tavis Ormandy
On Fri, May 17, 2013 at 05:44:58PM -0700, Tavis Ormandy wrote: On Fri, May 17, 2013 at 02:26:10PM -0700, Tavis Ormandy wrote: The question is how to get PATHALLOC() to succeed under memory pressure so we can make this exploitable, my first thought was have another thread manipulating

Re: [Full-disclosure] exploitation ideas under memory pressure

2013-06-02 Thread Tavis Ormandy
On Mon, May 20, 2013 at 02:35:54PM -0700, Tavis Ormandy wrote: I'm quite proud of this list cycle trick, here's how to turn it into an arbitrary write. There's a public solution now, here's my version. Thanks to progrmboy for an exploitation idea he came up with that hadn't occurred to me

Re: [Full-disclosure] WordPress User Account Information Leak / Secunia Advisory SA23621

2013-07-06 Thread Tavis Ormandy
xxx ryandewhu...@gmail.com wrote: (self promotion not intended, highlighting other issues in WordPress) Check out WPScan for other such issues with WordPress that have existed for a long time but were never patched. WordPress are aware of these issues but for whatever reason decided not to patch