Nick FitzGerald | 1 Nov 01:00 2005

Re: Re: Microsoft AntiSpyware falling further behind

Valdis Kletnieks to me:

> > This is a Johnny come lately perversion of the real meaning of Trojan 
> > Horse in reference to software.  Trojan Horse, or simply Trojan, 
> > software has always meant, and still does to anyone with a vague hint 
> > of historical awareness, software that gets installed under the 
> > pretense of being something desirable or beneficial but that actually 
> > has deliberately (on the part of its designer/developer) undesirable 
> > effects that are (at least initially) hidden or not obvious to the 
> > intended user(s) of the software.
> 
> Which is particularly amusing, given that the Trojan Horse written about by Homer
> was quite specifically a 'remote access Trojan' - a very small number of soldiers
> were hidden inside to open the gates for the main forces.  If anything, the
> use of the term to mean "remote access Trojan" is getting back in line with the
> *actual* historical meaning - uses of "Trojan" for non-remote-access back doors
> were in fact not strictly historically correct...

Two observations here...

First, I note that "bkfsec" has already pointed out that in the 
Homerian tale, "Trojan Horse" refers to the horse itself, whose job was 
to misdirect the Trojans -- they were supposed to see it as a gift, 
rather than as a poison pill.  The important notion here is the 
obfuscation of the real intention of the device, as "Trojan Horse 
software" came to mean "something apparently desirable that is not".

Second, I _suspect_ (but was not active in that community, so...) that 
the original _common_ use of Trojan Horse in relation to software was 
in the relation to the various warez designed to backdoor BBS systems 

Mandriva Security Team | 1 Nov 05:08 2005

MDKSA-2005:193-2 - Updated ethereal packages fix multiple vulnerabilities


 _______________________________________________________________________

 Mandriva Linux Security Advisory                       MDKSA-2005:193-2
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : ethereal
 Date    : October 31, 2005
 Affected: 10.2, 2006.0
 _______________________________________________________________________

 Problem Description:

 Ethereal 0.10.13 is now available fixing a number of security
 vulnerabilities in various dissectors:

 - the ISAKMP dissector could exhaust system memory
 - the FC-FCS dissector could exhaust system memory
 - the RSVP dissector could exhaust system memory
 - the ISIS LSP dissector could exhaust system memory
 - the IrDA dissector could crash
 - the SLIMP3 dissector could overflow a buffer
 - the BER dissector was susceptible to an infinite loop
 - the SCSI dissector could dereference a null pointer and crash
 - the sFlow dissector could dereference a null pointer and crash
 - the RTnet dissector could dereference a null pointer and crash
 - the SigComp UDVM could go into an infinite loop or crash
 - the X11 dissector could attempt to divide by zero
 - if SMB transaction payload reassembly is enabled the SMB dissector

Josh Perrymon | 1 Nov 07:11 2005

ICMP injection

Anyone familiar with injecting ICMP or DNS packets with NC?

I heard HPING or Juggernaut may be the way to go?

JP 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Cedric Blancher | 1 Nov 10:07 2005

Re: ICMP injection

On Tuesday 01 November 2005 at 00:11 -0600, Josh Perrymon wrote:
> Anyone familiar with injecting ICMP or DNS packets with NC?

You won't be able to inject ICMP with netcat (nc). Injecting DNS is
possible, but you have to craft your UDP payload yourself.

You should try Scapy:

	http://www.secdev.org/projects/scapy/

It's a sort of Python shell to craft and inject packets and grab answers,
with lots of useful classes. You'll find examples, and in particular all
the ICMP and DNS stuff you may need.

As an example, you can find a DNS-request-based traceroute one-liner with
Scapy on page 3 of this article:

	http://sid.rstack.org/articles/0309_MISC_Traceroute_en.pdf

--

-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

Ben Hutchings | 1 Nov 04:57 2005

readdir_r considered harmful

readdir_r considered harmful
============================

Issued by Ben Hutchings <ben <at> decadentplace.org.uk>, 2005-11-01.

Background
----------

The POSIX readdir_r function is a thread-safe version of the readdir
function used to read directory entries.  Whereas readdir returns a
pointer to a system-allocated buffer and may use global state without
mutual exclusion, readdir_r uses a user-supplied buffer and is
guaranteed to be reentrant.  Its use is therefore preferable or even
essential in portable multithreaded programs.

Problem Description
-------------------

The length of the user-supplied buffer passed to readdir_r is
implicit; it is assumed to be long enough to hold any directory entry
read from the given directory stream.  The length of a directory entry
obviously depends on the length of the name, and the maximum name
length may vary between filesystems.  The standard means to determine
the maximum name length within a directory is to call
pathconf(dir_name, _PC_NAME_MAX).  This method unfortunately results
in a race condition between the opendir and pathconf calls, which
could in some cases be exploited to cause a buffer overflow.  For
example, suppose a setuid program "rd" includes code like this:

    #include <dirent.h>

h4cky0u | 1 Nov 10:46 2005

HYSA-2005-009 Elite Forum 1.0.0.0 XSS Vulnerability

------------------------------------------------------
      HYSA-2005-009 h4cky0u.org Advisory 009
------------------------------------------------------
Date - Tue Nov 1 2005


TITLE:
======

Elite Forum 1.0.0.0 XSS Vulnerability


SEVERITY:
=========

Medium


SOFTWARE:
=========

Elite Forum 1.0.0.0


INFO:
=====

Elite Forum is a fierce competitor entering the world of forum systems. Unlike many other choices, Elite Forum does not require the hassle of a MySQL database. Elite Forum is one of the best and is packed full of features, including the following: No MySQL database required, Very easy installation, Support for both user registration and guests, Private Messaging System, Forum can be locked so registration is required, User, forum and topic statistics, Fast and easy to use search system, Ability to view who is currently browsing the forum, Sticky Topics (Announcements), Full member list, Unlimited users, topics and posts, Member Profiles/Stats, Multiple page support (both topics and posts user definable), Selectable time offset, Ability to auto check for updates/patches, Clean and streamlined design, Smiley Support, BB Code and auto url support, Topic status icons, Member and Guest user levels, Members can edit or delete their posts, Secure accounts, Add or remove admins via administrator panel, Admins can edit/delete any post or topic.

Support Website: www.all-interviews.com/firestorm/?act=eliteforum (Down at the time of Bug Discovery)


BUG DESCRIPTION:
================

The system is vulnerable to Cross Site Scripting attacks. This issue is due to a failure of the application to properly sanitize user-supplied input.


POC:
====

First find a forum running the Elite Forum package. Then click on a topic and then Post Reply. In the message box add any of the following codes. Here are some examples:

<img src="javascript:void(window.location=('imagelink'))"> - Replace the imagelink with the link to the image you want to redirect the users viewing the topic containing this code.

<img src="javascript:a=100;while(a>=0){alert(a);a--}">

<img src="javascript:a=1;while(a>0){alert("sup?")">


VENDOR STATUS:
==============

The support site is down and no vendor contact could be found.


FIX:
====

No fix available as of this date.


GOOGLEDORK:
===========

"Powered by Elite Forum"


CREDITS:
========

This vulnerability was discovered and researched by Gladiator.KHF (handle/username - gladiator) of h4cky0u Security Forums.


mail : gleden123 at Yahoo dot Com

web : http://www.h4cky0u.org


ORIGINAL ADVISORY:
==================

http://www.h4cky0u.org/advisories/HYSA-2005-009-elite-forum.txt

--
http://www.h4cky0u.org
(In)Security at its best...

ad | 1 Nov 11:05 2005

RE: for IE researchers, found a link crashing IE

So in case the website goes down or the webpage is removed, attached is the
saved page, which also crashes IE when loaded offline. Cheers

Nb: can't attach, size restriction, here is a direct link
http://class101.org/poc.rar

-----Original Message-----
From: ad <at> class101.org [mailto:ad <at> class101.org]
Sent: Sunday 30 October 2005 23:50
To: 'Greg'; 'full-disclosure <at> lists.grok.org.uk'
Subject: RE: [Full-disclosure] for IE researchers, found a link crashing IE

.....................

Look at my thread here:

http://class101.org/viewtopic.php?p=1272#1272

I recall my tests..

Windows XP Professional SP1 ENGLISH 64-bit (IE32-6.0.3790.1830) -crash- 
Windows XP Professional SP1 ENGLISH 64-bit (IE64-6.0.3790.1830) -crash- 
Windows XP Professional SP2 ENGLISH 32-bit (IE32-6.0.2900.2180) -nocrash- 
Windows XP Professional SP1 ENGLISH 32-bit (IE32-6.0.2900.1106) -crash- 
Windows 2k Workstation SP4 ENGLISH 32-bit (IE32-6.0.2800.1106) -crash- 
Windows 2k Server SP4 ENGLISH 32-bit (IE32-6.0.2800.1106) -crash- 
Windows NT4 Workstation SP6a ENGLISH 32-bit (IE32-6.0.2800.1106) -nocrash- 
Windows NT4 Server SP6a ENGLISH 32-bit (IE32-6.0.2800.1106) -nocrash- 
Windows 2k3 Server Std SP1 ENGLISH 32-bit (IE32-6.0.3790.1830) -crash- => (silently exiting, no crash box...)

And I don't think these are fake screenshots

http://class101.org/bug2ksp4.bmp 
http://class101.org/bugxpsp1.bmp

-----Original Message-----
From: full-disclosure-bounces <at> lists.grok.org.uk
[mailto:full-disclosure-bounces <at> lists.grok.org.uk] On behalf of Greg
Sent: Sunday 30 October 2005 21:43
To: full-disclosure <at> lists.grok.org.uk
Subject: Re: [Full-disclosure] for IE researchers, found a link crashing IE

----- Original Message ----- 
From: <ad <at> class101.org>
To: <full-disclosure <at> lists.grok.org.uk>
Sent: Sunday, October 30, 2005 11:55 PM
Subject: [Full-disclosure] for IE researchers, found a link crashing IE

> This link crashes my fully patched IE on
>

Unsure if this was a real bug-crash report or not but for the heck of it, 
tested it from 2 Windows boxes.

1) Win XPSP2 with IE6SP2 all fully patched and running, because I was too 
lazy to stop it running, Zone Alarm Pro (yes, I know but I like to do this 
for other reasons). No crash.

2) Networked (runs wired through the XP box as above and out of that, 
wireless to a router) 98SE machine with IE6SP2 fully patched on it. No 
crash.

Was this one an honest report or just someone having a laugh?


Kira | 1 Nov 11:55 2005

Snort Back Orifice Preprocessor Exploit (Win32 targets)

Dear All

I wrote a Snort Back Orifice Preprocessor Exploit for Win32 targets. It's for educational purposes only.
This exploit was tested on:

- Snort 2.4.2 Binary + Windows XP Professional SP1
- Snort 2.4.2 Binary + Windows XP Professional SP2
- Snort 2.4.2 Binary + Windows Server 2003 SP1
- Snort 2.4.2 Binary + Windows Server 2000 SP0
- Snort 2.4.2 Binary + Windows 2000 Professional SP0

Note 01: This exploit was written in the form of a Metasploit module, so you need Metasploit to launch it.
Note 02: The exploit is quite reliable, but if it doesn't work on your machine, try to find the address of a 'jmp esp' instruction and replace the old return address with it.

Regards,

Kira

Attachment (snort_bo_overflow_win32.pm): application/octet-stream, 3507 bytes
3APA3A | 1 Nov 12:12 2005

Re: readdir_r considered harmful

Dear Ben Hutchings,

If someone uses pathconf to determine the buffer size, it's his own problem
and he creates the vulnerability himself. You can list such applications
as vulnerable to race conditions.

The recommended (according to POSIX) way is to use NAME_MAX:

    buf = (struct dirent *)malloc(offsetof(struct dirent, d_name) + NAME_MAX + 1);

See: The GNU C Library Reference Manual, Chapter 14

and also the POSIX standard itself says:

     The storage pointed to by entry shall be large enough for a dirent
     with an array of char d_name members containing at least
     {NAME_MAX}+1 elements.

See:
http://www.opengroup.org/onlinepubs/009695399/functions/readdir.html

NAME_MAX is defined in limits.h and should be 255 according to the latest
POSIX extension. I see no problem with the POSIX standard in this case.

See:
http://www.opengroup.org/onlinepubs/009695399/basedefs/limits.h.html

--Tuesday, November 1, 2005, 6:57:03 AM, you wrote to bugtraq <at> securityfocus.com:

BH> readdir_r considered harmful
BH> ============================

BH>         if ((dir = opendir(argv[1]))
BH>             && (name_max = pathconf(argv[1], _PC_NAME_MAX)) > 0
BH>             && (buf = (struct dirent *)malloc(
BH>                     offsetof(struct dirent, d_name) + name_max + 1))

--

-- 
~/ZARAZA
http://www.security.nnov.ru/

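Added example, not code from either the advisory or the reply: it sizes the readdir_r buffer from the directory that is already open, via fpathconf(dirfd(dirp), _PC_NAME_MAX), so there is no second path lookup for the opendir/pathconf race to exploit, and it never sizes below the NAME_MAX floor the reply quotes from POSIX. The function names and the sample-directory helper are mine, and the sample entries are constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* dirfd(), fpathconf(), mkdtemp() */
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#pragma GCC diagnostic ignored "-Wdeprecated-declarations" /* glibc 2.24+ deprecates readdir_r */

/* Buffer size for one entry of the directory already open as dirp. Asking the
 * open descriptor leaves no second path lookup to race against, and a -1
 * answer ("no limit"/unknown) falls back to the NAME_MAX floor the reply cites. */
size_t dirent_buf_size(DIR *dirp)
{
    long name_max = fpathconf(dirfd(dirp), _PC_NAME_MAX);
    if (name_max < NAME_MAX)
        name_max = NAME_MAX;
    return offsetof(struct dirent, d_name) + (size_t)name_max + 1;
}
/* Count entries of path whose name is longer than min_len; -1 on error. */
long count_long_names(const char *path, size_t min_len)
{
    DIR *dirp = opendir(path);
    if (!dirp) return -1;
    struct dirent *ent, *buf = malloc(dirent_buf_size(dirp)); /* sized after opendir */
    long n = 0;
    if (!buf) { closedir(dirp); return -1; }
    while (readdir_r(dirp, buf, &ent) == 0 && ent != NULL)
        if (strlen(ent->d_name) > min_len)
            n++;
    free(buf);
    closedir(dirp);
    return n;
}
/* Constructed sample directory (hypothetical helper): tmpl is a mkdtemp() template like "/tmp/rdXXXXXX", overwritten with the created path. */
int make_sample_dir(char *tmpl)
{
    static const char *names[] = { "a", "long_name_one", "long_name_two" };
    if (!mkdtemp(tmpl)) return -1;
    for (int i = 0; i < 3; i++) {
        char p[PATH_MAX];
        snprintf(p, sizeof p, "%s/%s", tmpl, names[i]);
        int fd = open(p, O_WRONLY | O_CREAT, 0600);
        if (fd < 0) return -1; close(fd);
    }
    return 0;
}
```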
