duplicate instances
of HTTP/SMTP message/NNTP headers that are, in common perception,
supposed to occur only once.
--
- bash$ :(){ :|:};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
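The remark above concerns duplicate instances of headers that are supposed to occur only once. The following is an added example, not code from the original post: a small parser for an RFC 822-style header block (HTTP, SMTP mail and NNTP all share the "Name: value" layout) that reports such duplicates instead of silently picking the first or last value. The set of singleton header names and the sample request are assumptions constructed for illustration; a real implementation would take the list from the RFC of the protocol being parsed.

```javascript
// Added example (not from the original post): parse an RFC 822-style header
// block and flag duplicate instances of headers that should occur only once.
// The singleton list below is an assumption for illustration; real parsers
// should take it from the relevant RFC for the protocol being parsed.
const SINGLETON_HEADERS = new Set([
  'host', 'content-length', 'content-type', 'transfer-encoding', // HTTP
  'from', 'date', 'message-id', 'subject',                         // mail/NNTP
]);

// Split a raw header block into [name, value] pairs. Folded continuation
// lines (leading SP/HTAB) are joined to the previous header, as RFC 822 allows.
function parseHeaderBlock(raw) {
  const lines = raw.replace(/\r\n/g, '\n').split('\n');
  const headers = [];
  for (const line of lines) {
    if (line === '') break;                    // blank line ends the block
    if (/^[ \t]/.test(line) && headers.length) {
      headers[headers.length - 1][1] += ' ' + line.trim();
      continue;
    }
    const idx = line.indexOf(':');
    if (idx <= 0) throw new Error('malformed header line: ' + JSON.stringify(line));
    headers.push([line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()]);
  }
  return headers;
}

// Return the singleton headers that occur more than once, with all values seen.
// Two Content-Length lines with different values is the classic ambiguity that
// two parsers (proxy and origin, MUA and filter) may resolve differently.
function findDuplicateSingletons(raw) {
  const seen = new Map();
  for (const [name, value] of parseHeaderBlock(raw)) {
    if (!SINGLETON_HEADERS.has(name)) continue;
    if (!seen.has(name)) seen.set(name, []);
    seen.get(name).push(value);
  }
  return [...seen.entries()]
    .filter(([, values]) => values.length > 1)
    .map(([name, values]) => ({ name, values }));
}

// Constructed sample input (not a captured message): an HTTP request carrying
// two Content-Length headers and one folded header.
const SAMPLE_REQUEST =
  'POST /upload HTTP/1.1\r\n' +
  'Host: example.test\r\n' +
  'Content-Length: 5\r\n' +
  'Content-Length: 50\r\n' +
  'X-Trace: a,\r\n b\r\n' +
  '\r\n' +
  'hello';

// The request line is not a header; strip it before parsing the block.
function checkRequest(rawRequest) {
  const headerBlock = rawRequest.slice(rawRequest.indexOf('\r\n') + 2);
  return findDuplicateSingletons(headerBlock);
}

console.log(JSON.stringify(checkRequest(SAMPLE_REQUEST)));
// → [{"name":"content-length","values":["5","50"]}]
```

A receiver that rejects the whole message when this list is non-empty removes the ambiguity; one that keeps only the first or only the last occurrence merely chooses a side, and the other parser in the path may choose differently.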
--- 2005-07
On Sat, 16 Jul 2005, [EMAIL PROTECTED] wrote:
I do not mean to flame you, but you are an irresponsible disgrace to the
hacking community.
You do mean to flame me, apparently, and constructing sentences this way
makes them unintentionally funny. Pretty much like saying Sir, with all
due
Good morning,
This might not come as a surprise, but there appears to be a *very*
interesting and apparently very much exploitable overflow in Microsoft
Internet Explorer (mshtml.dll).
This vulnerability can be triggered by specifying more than a couple
thousand script action handlers (such as
On Thu, 16 Mar 2006, Daniel Bonekeeper wrote:
BTW, tested the POC on MSIE (File Version = 6.00.2900.2180
(xpsp_sp2_rtm.040803-2158)) with mshtml.dll (6.00.2900.2802
(xpsp_sp2_gdr.051123-1230)) and it didn't work.
Daniel followed up with me in private and confirmed that the PoC *did*
work
On Fri, 17 Mar 2006 [EMAIL PROTECTED] wrote:
If you publish something without a license, it is OPEN DOMAIN
That means people can use it, modify it, sell it...
That's nonsense. If I publish a book or a photo or a newspaper article
without a lengthy license attached, you can copy it at will, too?
On Fri, 17 Mar 2006, Hariharan wrote:
This does not repro on IE7 though
It generally does, according to tests by a couple of folks.
/mz
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and
On Thu, 16 Mar 2006, Michal Zalewski wrote:
This might not come as a surprise, but there appears to be a *very*
interesting and apparently very much exploitable overflow in Microsoft
Internet Explorer (mshtml.dll).
I'd like to make a self-serving statement in response to dozens of people
who
On Fri, 31 Mar 2006 [EMAIL PROTECTED] wrote:
If the website then presents you with the Logon failed page, you are
possibly on a legitimate website, so you may proceed with logging in
using your correct credentials. If it gets you right through - it is
definitely a phishing attempt.
Note to
On Fri, 31 Mar 2006, Marcos Agüero wrote:
Note to self: design my next phishing website to always display logon
failed.
Just as most of the phishing sites already do.
Forgive me my ignorance; to my defense, I usually don't enter valid
credentials on phishing sites.
/mz
On Fri, 31 Mar 2006, Jasper Bryant-Greene wrote:
Just as most of the phishing sites already do.
Really? I thought they somehow magically knew enough about you to sign
you in properly and display all the correct details ;)
No, but the reasonable practice would be not to alert the customer (and
On Sun, 23 Apr 2006, Paul Nickerson wrote:
I don't approve of your disclosure practices, Mr. Zalewski
Then follow your own, Paul.
/mz
On Wed, 26 Apr 2006, Tim Bilbro wrote:
You do a disservice to all IT shops by announcing these vulnerabilities
before contacting the vendor.
How were you impacted? What were your damages? The only loss that could
possibly occur to you or your company was the time you wasted to write
this rant,
On Wed, 26 Apr 2006, Larry Seltzer wrote:
It wasn't my analogy. I was criticizing it.
Larry,
Sorry if I criticized you undeservedly, then. That exchange of mails was
unclear at best, however. In this particular branch of this (silly)
thread:
1) Tim Bilbro blasted me for disclosing a problem
On Thu, 27 Apr 2006, Larry Seltzer wrote:
More on this in my column later this morning at
http://security.eweek.com/
Just who does he think he is? [...] Zalewski may think he's some sort
of hero disclosing this information, but his is the act of a vandal. If
it turns out that the bug is
On Thu, 27 Apr 2006, Tim Bilbro wrote:
There is no question that vendors, particularly Microsoft, have a history
of neglect in this area, and folks have a right to be angry with them.
I'm not angry with Microsoft. It's just a company, and not a particularly
evil one. I simply believe that there
On Thu, 27 Apr 2006, Brian Eaton wrote:
Please note that I ask this out of curiosity, and not in an attempt to
be critical. Why not give MSRC a head start of one week?
Because, among other things I've already mentioned, it will in no way
affect when they're going to release a patch. Their
On Sun, 21 May 2006, Ginsu Rabbit wrote:
You claim that this is a practical checklist for five very common problems
with SSL deployments... but to me, they seem to be arbitrarily chosen,
partly inaccurate (see #3), and otherwise very much random.
SSL Mistake #1 - Trusting too many Certificate
On Thu, 25 May 2006, [EMAIL PROTECTED] wrote:
Security speakers are often very good book writers.
Another little known fact is that many excellent books were written by
people who own a dog and do not regularly consume excessive amounts of
lettuce.
/mz
Web VPN or SSL VPN is a term used to denote methods for accessing
company's internal applications with a bare WWW browser, with the use of
browser-based SSO authentication and SSL tunneling. As opposed to IPSec,
no additional software or configuration is required, and hence, corporate
users can
On Fri, 9 Jun 2006, E Mintz wrote:
How about some real-world, application specific exploits?
There's an example of a XSS that can be used to compromise Cisco Web VPN
session in the text.
So, please show me an example of an actual compromise and I'll listen.
Otherwise, put up, or shut up!
Hi all,
I am happy to announce that we've just open sourced ratproxy - a free,
passive web security assessment tool. This utility is designed to
transparently analyze legitimate, browser-driven interactions with tested
web applications - and automatically pinpoint, annotate, and prioritize
On Sat, 6 Aug 2005, Debasis Mohanty wrote:
Read the description section again, perhaps you have missed out the
following -
. The Virtual Keyboard is dynamic
. The sequence in which the numbers appears will change every time,
the page is refreshed
Hence, designing something the way
This experiment resulted in identifying a potential remote code
execution path in Microsoft Internet Explorer, plus some other bugs, and
should be a good starting point for further testing of other browsers or
similar programs.
Just for the reference, this is confirmed to be fixed by the
Hi all,
I am happy to announce the availability of our Browser Security Handbook
- a comprehensive, 60-page document meant to provide web application
developers and information security researchers with a one-stop reference
to several hundred key security properties and sometimes
On Wed, 4 Apr 2007 [EMAIL PROTECTED] wrote:
* Chinese value punctuality and uniformity. A DoS should be
similar to Western Europe, but should not vary in attack methods.
Great idea -- but you're four days late to the party!
/mz
On Tue, 10 Apr 2007, James Lay wrote:
Soo...I see these in my logs from time to time:
Apr 10 14:46:37 mail named[739]: unexpected RCODE (REFUSED) resolving
'pam_mysql.so/NS/IN': 209.68.0.85#53
Can anyone shed any light on this? Thanks all! Below is a complete
list of .so's attempted:
On Sun, 15 Apr 2007, Michal Majchrowicz wrote:
I wanted to show that it is possible to perform some kind of Cross
Domain Requests.
As much as I loathe the origin-based security model of modern web
browsers, there are semi-valid reasons why XMLHttpRequest is restricted
the way it is.
A remote
Hello,
Will keep it brief. A couple of browser bugs, fresh from the oven, hand
crafted with love:
1) Title: MSIE page update race condition (CRITICAL)
Impact : cookie stealing / setting, page hijacking, memory corruption
Demo : http://lcamtuf.coredump.cx/ierace/
...aka the
On Mon, 4 Jun 2007, Michal Zalewski wrote:
1) Title: MSIE page update race condition
Impact : cookie stealing / setting, page hijacking, memory corruption
Demo : http://lcamtuf.coredump.cx/ierace/
Just FYI - my logs indicate that there is a fairly high percentage of
patterns
On Wed, 6 Jun 2007, blah wrote:
It seems there's a presumption that an employee, when he leaves, still owns
that email address that the former employer provided.
Yeah. And if the e-mail in question is [EMAIL PROTECTED], a generic
business contact point, he is perfectly OK to hand it over to a
On Wed, 13 Jun 2007, Robert Swiecki wrote:
The flaw exists in the javascript's window.setTimeout() implementation.
Forgive me the rant, but... all other recently reported problems aside,
seeing this, I can only ask - which rock did Safari developers hide under
for the past 8 years or so?
I
On Tue, 12 Jun 2007 [EMAIL PROTECTED] wrote:
Dear all, this is not a 0day
The author never claimed so; in fact, the subject line clearly states it's
a O-day, not a 0-day.
This presumably denotes Saint Onuphrius, commemorated on the day this
advisory got published.
You can now admit to a
On Tue, 12 Jun 2007 [EMAIL PROTECTED] wrote:
In an admittedly brief review of this page, I saw nothing useful or
informative to my career in information assurance.
Aditya has a history of using security mailing lists to advertise
his various security consulting projects (metaeye.org, etc)
On Mon, 25 Jun 2007, Larry Seltzer wrote:
It looks different on my system: http://www.larryseltzer.com/safe2.png
Safari 3.0.2 on XPSP2
Looks simply like a difference in system fonts used on your machines. The
attack relies on padding the hostname with Unicode characters that, for
the typeface
On Sat, 30 Jun 2007, carl hardwick wrote:
The vulnerability allows the attacker to silently redirect focus of
selected key press events to an otherwise protected file upload form
field. This is possible because of how onKeyDown event is handled,
allowing the focus to be moved between the two.
On Sat, 30 Jun 2007, Joseph Hick wrote:
This doesn't seem like a security flaw to me.
This is somewhat similar to my focus stealing bugs described here:
http://lcamtuf.coredump.cx/focusbug/
...though it seems to work on patched Firefox because of a clever use of
label-based aliasing.
Now, the
On Mon, 2 Jul 2007, Joseph Hick wrote:
I succeeded in writing the same PoC without label with minor
modifications.
Would that allow you to selectively redirect keystrokes (that is, check
event's keycode)? More importantly, does Carl's original example allow
that?:-)
An example of event check
On Fri, 6 Jul 2007, Kevin Finisterre (lists) wrote:
Do you agree that you are often spoon fed free information by
individuals that are not paid for providing you a service? Is it so bad
that some of these nice people would ask for a little compensation here
and there?
Errr, there is a subtle
On Sun, 8 Jul 2007, wac wrote:
It is more noble to reward hard work that also requires a lot of
knowledge, for which sometimes people don't even take the time to say
thank you.
Vulnerability research is good. Getting paid for research is good. Holding
vendors accountable is good.
Yet,
There is an interesting vulnerability in how Mozilla Firefox handles
internal wyciwyg:// pseudo-URIs. These cache-related resource identifiers
are meant to be inaccessible by the user - but there are at least three
routes to bypass these restrictions, one of which - HTTP 302 redirect -
also
Hello again,
Microsoft Internet Explorer seems to have a soft spot for browser
entrapment vulnerabilities. Just to recap, in these attacks, the user is
made to believe he has left a webpage (and the URL bar or SSL state data
reinforce him in this belief) - but in reality, is prevented from doing
so,
I'd like to announce the availability of a tool called fl0p, which I hope
might be of some interest to various network security dudes and dudettes
on the list (and will hopefully serve as a convenient framework for cool
research).
The tool is a simple flow-analyzing passive L7 fingerprinter. It
A while ago, apparently angry with Larry Seltzer, I penned a quick
write-up on the possible issues with race conditions triggered by
asynchronous browser events (such as JavaScript timers) colliding with
synchronous content rendering:
http://seclists.org/vulnwatch/2006/q3/0023.html
This is in
On Thu, 4 Jan 2007, Larry Seltzer wrote:
I hope you're still not angry!
It took months of therapy, but I recovered ;)
I just tried your demo on IE7. It took a while longer but does seem to
have locked up. Were you looking at IE6 or IE7, and is the behavior any
different?
I tested several
I'd like to announce the availability of a free security reconnaissance /
firewall bypassing tool called 0trace. This tool enables the user to
perform hop enumeration (traceroute) within an established TCP
connection, such as a HTTP or SMTP session. This is opposed to sending
stray packets, as
On Sun, 7 Jan 2007, Michal Zalewski wrote:
[ Of course, I might be wrong, but Google seems to agree with my
assessment. A related use of this idea is 'firewalk' by Schiffman and
Goldsmith, a tool to probe firewall ACLs; another utility called
'tcptraceroute' by Michael C. Toren
On Tue, 9 Jan 2007, Alessandro Dellavedova wrote:
am I wrong or the mechanism that you implement is similar to the one
implemented in lft (Layer Four Traceroute http://pwhois.org/lft/ ) ?
No, what you describe is similar to tcptraceroute, from what I understand
(they use stray SYNs or RSTs or
Hi all,
I'd like to announce the availability of 'stompy', a free tool to perform
a fairly detailed black-box assessment of WWW session identifier
generation algorithms. Session IDs are commonly used to track
authenticated users, and as such, whenever they're predictable or simply
vulnerable to
On Sun, 28 Jan 2007, Rogan Dawes wrote:
Just wanted to point out that Dave has had nothing to do with WebScarab
(and that I recognise that WebScarab's analysis is pretty trivial).
Geee, sorry, I suck for misspelling your name (but feel retroactively
avenged: this happens to me quite often ;-).
On Sat, 27 Jan 2007, Michal Zalewski wrote:
I'd like to announce the availability of 'stompy', a free tool to perform
a fairly detailed black-box assessment of WWW session identifier
generation algorithms.
I'm genuinely surprised by the amount of (mostly positive ;-) feedback I
got! Just
On Sun, 4 Feb 2007, Tyop? wrote:
This is getting depressing. May 2006.
but not really surprising, yes?
No, though this bug is truly remarkable in that a quick fix, I'm quite
certain, amounts to changing != ' ' to ' ' in the code.
That's two characters, and no chance for a negative impact on
There is an interesting vulnerability in the default behavior of Firefox
builtin popup blocker. This vulnerability, coupled with an additional
trick, allows the attacker to read arbitrary user-accessible files on the
system, and thus steal some fairly sensitive information.
This was tested on
On Mon, 5 Feb 2007, pdp (architect) wrote:
You may as well use a QuickTime .mov/.qtl or a PDF document to open a
file:// link . I think it is easier.
Sure. You can probably have a file:// link in Open Office / MS Office
documents as well; but these all rely on external components, and as such,
On Tue, 6 Feb 2007 [EMAIL PROTECTED] wrote:
What is going on ? Is that true ? Any one knows ?
That dude is clearly quite determined to debate this like a matter of
(inter?)national security, on Wikipedia and elsewhere, but it is getting
oddly inappropriate.
Get a life and let go.
/mz
There is an interesting logic flaw in Mozilla Firefox web browser.
The vulnerability allows the attacker to silently redirect focus of
selected key press events to an otherwise protected file upload form
field. This is possible because of how onKeyDown / onKeyPress events are
handled, allowing
On Sun, 11 Feb 2007, pdp (architect) wrote:
IE is vulnerable too, since I used to play around with this bug long
time ago.
Possibly MS00-093, but that's long fixed. But yes, MSIE variant is
possible, though more contrived.
/mz
On Sun, 11 Feb 2007, pdp (architect) wrote:
here is an idea... we can combine both techniques into a single
attack... the hardest part of your hack is to force the user to type
:// plus several other /
Actually, MSIE doesn't require drive specification in the filename, and
will probably
On Sun, 11 Feb 2007, Michal Zalewski wrote:
http://lcamtuf.coredump.cx/focusbug/index.html (FF)
http://lcamtuf.coredump.cx/focusbug/ieversion.html (MSIE)
Paul Szabo pointed out that this is related to exploits posted by Charles
McAuley and Bart van Arnhem in June 2006 (CVE-2006-2894
On Sun, 11 Feb 2007, Michal Zalewski wrote:
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046610.html
Oh, and Secunia doesn't credit the Firefox variant to Charles, either:
NOTE: A variant of this vulnerability was reported in a Mozilla Bugzilla
bug entry back in year 2000
On Sun, 11 Feb 2007, pdp (architect) wrote:
this is a design problem that is not easy to fix.
That argument would work for a patch deferred by a month or two - not for
seven years.
And it's not really that much of an issue: disallow script-assisted
focusing on file input fields, or a) prevent
On Mon, 12 Feb 2007, Paul Szabo wrote:
https://bugzilla.mozilla.org/show_bug.cgi?id=304480
https://bugzilla.mozilla.org/show_bug.cgi?id=56236
https://bugzilla.mozilla.org/show_bug.cgi?id=258875
This probably explains why the core of the problem wasn't fixed for
Firefox: reports were
After some research, I can offer this clarification:
1) The MSIE 7 attack vector I described is a distinctive, new
vulnerability that differs from the attack reported by Charles
McAuley and Bart van Arnhem. Attacks described by them were
fixed in MSIE7 (although MSIE6 is still
On Mon, 12 Feb 2007, Claus Färber wrote:
A proper solution would be to keep a list of files explicitly selected
by the user and only allow uploads of files in this list. Then even if a
script can manipulate the field, the browser won't upload files that
have not been selected by
On Tue, 13 Feb 2007, Gadi Evron wrote:
I have to agree with a previous poster and suspect (only suspect) it
could somehow be a backdoor rather than a bug.
You're attributing malice to what could be equally well (or better!)
explained by incompetence or gross negligence. The latter two haunt
There is a serious vulnerability in Mozilla Firefox, tested with 2.0.0.1,
but quite certainly affecting all recent versions.
The problem lies in how Firefox handles writes to the 'location.hostname'
DOM property. It is possible for a script to set it to values that would
not otherwise be accepted
On Thu, 15 Feb 2007, 3APA3A wrote:
Mitigating factor: it doesn't work through proxy, because for proxy URI
is sent instead of URL and request will be incomplete.
Yup. Depends on the proxy, actually ('GET http://evil.com' might get
parsed as HTTP/0.9) - but Squid, both in direct and in reverse
On Thu, 15 Feb 2007, pdp (architect) wrote:
I wonder whether we can execute code on about:config or about:cache.
Actually, there are several odd problems related to location updates and
location.hostname specifically, including one scenario that apparently
makes the script run with
On 2/15/07, Michal Zalewski [EMAIL PROTECTED] wrote:
[...on other potential Firefox flaws...]
I did not research them any further, so I can't say if they're
exploitable - but you can see a demo here, feel free to poke around:
http://lcamtuf.coredump.cx/fftests.html
On Thu, 15 Feb 2007
On Mon, 19 Feb 2007, Timo Schoeler wrote:
[EMAIL PROTECTED]
[...]
is this a new worm spreading or something already known?
More like a spambot probe of some sorts.
http://groups.google.com/groups?hl=en&q=catchthismail
On Tue, 20 Feb 2007, Rajesh Sethumadhavan wrote:
Microsoft Internet Explorer is a default browser bundled with all
versions of Microsoft Windows operating system.
Any luck with sending the data back to the attacker? SCRIPT and STYLE ones
can be used to steal data from very specifically
On Mon, 19 Feb 2007, Peter Dawson wrote:
just asking... Is this std practice by vendor to state ??? [..] we
ask you respect responsible disclosure guidelines and not report this
publicly
It's a common and pretty shameless practice for Microsoft. They also
openly criticize such
There is an interesting vulnerability in how Firefox handles bookmarks.
The flaw allows the attacker to steal credentials from commonly used
browser start sites (for Firefox, Google is the seldom changed default;
that means exposure of GMail authentication cookies, etc).
The problem: it is
On Thu, 22 Feb 2007, pdp (architect) wrote:
michal, is that a feature or a bug? maybe it is not obvious to me what
you are doing, but I feel that it is almost like asking the user to
bookmark a bookmarklet.
Bookmarklets should be bookmarkable only manually, with user knowledge and
consent
There seems to be some confusion regarding the exact impact of the
location.hostname vulnerability, and the ways to protect against it. I
wanted to offer a quick clarification.
1) Cookie setting (session fixation) attacks can be executed universally
and with no restrictions. This is
On Thu, 22 Feb 2007, Steve Ragan wrote:
Yea he uses it later in the video, you see him pull it up in the attack, and
read it. One would assume it is fake.
[lights dim, sinister accords play]
...OR IS IT?
/mz
On Thu, 22 Feb 2007, pdp (architect) wrote:
This vulnerability is cute but not very useful mainly because a lot of
social engineering is required.
Well, very little trickery is required - having a person bookmark an
interesting page and then reopen it later on, while the browser is still
on
On Thu, 22 Feb 2007, Florian Weimer wrote:
This is the first time I read about the forced window title change. I
hadn't noticed it earlier. Do you think this is a good enough security
indicator (or indicator of origin, to be more precise)?
This is quite inadequate as far as protecting
There is a cool combination-type vulnerability in MSIE7 that allows the
attacker to:
a) Trap the visitor in a Matrix-esque tarpit webpage that cannot be left
by normal means (this is a known brain-damaged design of onUnload
Javascript handlers),
b) Spoof transitions between pages
While researching my previous report on MSIE7 browser entrapment, I
noticed that Firefox is susceptible to a pretty nasty, and apparently
easily exploitable memory corruption vulnerability. When a location
transition occurs and the structure of a document is modified from within
onUnload event
On Fri, 23 Feb 2007, Michal Zalewski wrote:
http://lcamtuf.coredump.cx/ietrap/
I accidentally left a portion of code used to test for the Firefox memory
corruption / MSIE7 NULL ptr condition inside 'attack.js' for this page.
This crashed the testcase for some users, instead of demonstrating
On Fri, 23 Feb 2007, Michal Zalewski wrote:
Firefox isn't outright vulnerable to this problem, but judging from its
behavior, it is likely to be susceptible to a variant of this bug
And indeed, susceptible it is. On the surface, the problem is even more
serious: the unloaded page can run
On Fri, 23 Feb 2007, Stefan Esser wrote:
Proof of Concept:
The Hardened-PHP Project is not going to release a proof of concept
exploit for this vulnerability.
...because pretty much no exploit is needed. Scary. Good catch.
/mz
On Sun, 25 Feb 2007, Stan Bubrouski wrote:
http://lcamtuf.coredump.cx/ietrap/testme.html
This bug was fixed in 2.0.0.2, released Friday Feb 23.
No it most certainly wasn't, do your homework next time.
Actually, the story is kinda funny, but yeah, it seems that it's fixed
now.
The story: I
On Fri, 23 Feb 2007, Jeffrey Katz wrote:
Just checked on IE 7.0.5730.11 -- doesn't exhibit problem.
Most certainly does; you might have scripting disabled, or be
experiencing some other anomaly, but for much of the population, the
attack works as advertised on that version.
/mz
On Tue, 27 Feb 2007, Richard Moore wrote:
<html>
<body onunload="location = self.location">
<a href="http://slashdot.org/">http://slashdot.org/</a>
</body>
</html>
Yeah, and the other way round: http://lcamtuf.coredump.cx/ietrap/, when
used with FF 2.0.0.2, puts you on a page that:
1) Has URL bar data
Significance: Very Critical
I'm very pro-disclosure. I do see a point in disclosing flaws in software
or hardware we might use. I do see a point in reporting flaws in websites
we rely on (banks, online shops). Hey, there might even be a weak case for
shaming security vendors, IT companies, or
Firefox suffers from a design flaw that can be used to confuse casual
users and evoke a false sense of authority when visiting a fraudulent
website. The flaw can be also used to bypass a fix for an old UI spoofing
bug that was thought to be addressed. This is a relatively minor issue,
but I
As a bad photographer with several forays into the forensic world, I have
a couple of comments on a recent (and pretty interesting!) Black Hat
presentation by Neal Krawetz (www.hackerfactor.com) on image forensics:
http://blog.wired.com/27bstroke6/files/bh-usa-07-krawetz.pdf
To make things
On Sun, 12 Aug 2007, carl hardwick wrote:
Firefox Remote Variable Leakage
I'm afraid I don't entirely follow this attack - though I might be wrong...
The PoC, in essence, enumerates all Javascript variables and functions
that are publicly declared by the browser in the context of the current
On Fri, 28 Sep 2007, carl hardwick wrote:
javascript:5.2-0.1
Firefox 2.0.0.7 result: 5.1005 (WRONG!)
This is a proper behavior of IEEE 754 64-bit double float, which, IIRC, is
precisely what ECMA standard mandates.
You will get the same from any C-style 'double' arithmetic.
On Sat, 29 Sep 2007, Jimby Sharp wrote:
I don't get the same from C-style double arithmetic. Could you provide
a sample code that you believe should show the same behavior?
If you don't, it's presumably because the subtraction is optimized out by
the compiler, or because you printf() with an
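The exchange above is about IEEE 754 binary64 rounding, which is the number type ECMAScript mandates. The following is an added example, not code from the original thread, written to show the same behaviour in JavaScript: the stored values of 5.2 and 0.1, the rounded difference, why output formatting with few significant digits (the effect C's default printf("%g") has, six digits) hides the error without fixing it, and two ways to compare or compute such values safely. The tolerance factor and the integer-tenths scheme are assumptions chosen for this illustration.

```javascript
// Added example (not from the original thread): why 5.2 - 0.1 does not print
// as 5.1 under IEEE 754 binary64, and how to compare and display it safely.

// Straight binary64 subtraction, exactly what the Number type does.
function naiveDifference(a, b) {
  return a - b;
}

// Decimal fractions like 5.2 and 0.1 are not representable in binary64; the
// nearest doubles are stored instead, and the subtraction rounds once more.
// toPrecision(17) shows enough digits to reveal the stored values.
function storedValue(x) {
  return x.toPrecision(17);
}

// Compare with a tolerance scaled to the operands instead of testing equality.
// The factor 4 * Number.EPSILON is an assumption suitable for a few operations.
function approximatelyEqual(a, b, relTol = 4 * Number.EPSILON) {
  const scale = Math.max(Math.abs(a), Math.abs(b), 1);
  return Math.abs(a - b) <= relTol * scale;
}

// Rounding on output (six significant digits, like C's default printf("%g"))
// hides the error; the stored value is still 5.1000000000000005.
function formatted(x, digits = 6) {
  return x.toPrecision(digits);
}

// For money-style values, compute in integer units of the smallest
// denomination (here: tenths) so the arithmetic itself is exact.
function exactDifferenceInTenths(a, b) {
  return Math.round(a * 10) - Math.round(b * 10);   // integers, no rounding error
}

const diff = naiveDifference(5.2, 0.1);
console.log(String(diff));                                  // 5.1000000000000005
console.log(storedValue(5.2), storedValue(0.1));            // 5.2000000000000002 0.10000000000000001
console.log(diff === 5.1, approximatelyEqual(diff, 5.1));   // false true
console.log(formatted(diff));                               // 5.10000
console.log(exactDifferenceInTenths(5.2, 0.1));             // 51
```

The same program in C with `double` operands gives the same bits; it only looks different if the compiler folds the constant expression or if the value is printed with fewer digits than needed to distinguish adjacent doubles (17 significant digits for binary64).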
On Thu, 13 Jul 2006, Matthew Murphy wrote:
setting 750 on /etc/cron.* would stop this exploit
Incorrect. Did you even try this on ONE vulnerable box? The
vulnerability exists BECAUSE the kernel doesn't enforce directory
permissions when writing a core dump.
You cannot chdir to (or access a
On Tue, 25 Jul 2006, [EMAIL PROTECTED] wrote:
http://www.pcworld.com/news/article/0,aid,126438,tk,nl_wbxnws,00.asp
Is that the best they can muster ?
No, they have many other equally fine articles ;-)
/mz
Good morning,
Fame-hungry sociopath torches cars, finds browser flaws
WARSAW, Poland (AP) -- police are on the lookout for a local adolescent
vandal who continues to terrorize local IT workers in what appears to be
a bizarre bid for fame. Larry Seltzer reports from the scene.
Well, I
On Sat, 12 Aug 2006, Thierry Zoller wrote:
I found out about Satori while reading the paper [2] Chatter on the Wire
Hey, that name rings a bell... ;-)
/mz
http://lcamtuf.coredump.cx
Here's another separate issue that typically causes fault on memory access
to website-influenced memory access:
http://lcamtuf.coredump.cx/ffoxdie3.html
This is separate from the previously presented example (which, remarkably,
also had a tendency to trigger an unrelated call stack overflow due
On Thu, 17 Aug 2006, Steven M. Christey wrote:
In other words - concurrency is a rich area for future research
Or past research, for that matter ;-)
http://en.wikipedia.org/wiki/Therac-25
The lesson learned is... uh...
/mz
The fun times of security semantics!
Old debates never die...
Vulnerabilities are a subset of software engineering bugs. As the name
implies, they are defined strictly by the impact they have; if a bug
does not render the victim appreciably susceptible to anything that
would be of value to
[Thierry Zoller]
In my book, maybe only in mine, a software bug is security relevant
(sorry for the lack of clarity - it's late over here) as soon as
Integrity / Availability / Confidentiality are under arbitrary direct
or indirect control of another entity (i.e. attacker). Period,
This is
By the way, I'm now selling a Risk Management and Scoring
tool for $19.99 that will allow you to enter a program and
define what you think the risk is. The program will allow
you to pick your target: CIO, CEO, CSO. It will then go
out and create a custom chart to maximize your budgetary