andur matrix | 1 Jan 2007 09:47

Re: [OOT] Thesis for master degree

Hi,
 
First make sure which topic you are interested in: attacking or defending. They are of quite different philosophies. If you are into attacking by nature, you cannot do very well in defending. You will find it boring.
 
andur.

 
On 12/18/06, Valdis.Kletnieks <at> vt.edu <Valdis.Kletnieks <at> vt.edu> wrote:
On Sat, 16 Dec 2006 17:55:50 GMT, Aaron Gray said:
>
> >- Disassembling Vista Security
>
> This is illegal. So not a very good idea for the thesis.

This of course is *very* dependent on what country you are in.

In the US, the most important law involved would probably be the DMCA,
which *does* have an exception for reverse engineering for compatibility
research (17 USC 1201(f)), encryption research (17 USC 1201(g)), and
security testing (17 USC 1201(j)).

http://www.law.cornell.edu/uscode/html/uscode17/usc_sec_17_00001201----000-.html

Note that 17 USC 1201(j)(2) *specifically* hints that you *really* want
an in-writing "Get Out Of Jail Free" card for 18 USC 1030 and related.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Denzity | 1 Jan 2007 12:26

Gmail XSS?

There are reports of a gmail xss in the wild that will steal someone's contact list and email if the website is visited while being logged in to gmail.

http://cyber-knowledge.net/blog/2007/01/01/gmail-vulnerable-to-contact-list-hijacking/

I can't find this on Bugtraq or any release. Anyone have any more info or a PoC?

Thanks, Denzity.


Kerio Fake 'iphlpapi' DLL injection Vulnerability

Hello,

We would like to inform you about a vulnerability in Sunbelt Kerio Personal Firewall:

Description:

When Sunbelt Kerio Personal Firewall (SKPF) loads dependent modules, it relies on the operating system. The system library iphlpapi.dll is located in the system directory, but the main SKPF service, which requires and loads this DLL, is located in the installation directory of SKPF. This is why it tries to find iphlpapi.dll in its installation directory at first and then, if it is not found in this directory, it tries to find it in the system directory. Moreover, it is possible to create new files in the installation directory of SKPF. A malicious application can create a fake iphlpapi.dll in the installation directory of SKPF, which will be loaded by the operating system into the SKPF service during its initialization. This is how the malicious application is able to execute arbitrary code inside the SKPF service and bypass any of its security mechanisms.

Vulnerable software:

     * Sunbelt Kerio Personal Firewall 4.3.268
     * Sunbelt Kerio Personal Firewall 4.3.246
     * probably all versions of Sunbelt Kerio Personal Firewall 4
     * possibly older versions of Sunbelt Kerio Personal Firewall

More details and a proof of concept including its source code are available here:
http://www.matousec.com/info/advisories/Kerio-Fake-iphlpapi-DLL-injection.php

Regards,

-- 
Matousec - Transparent security Research
http://www.matousec.com/
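The search-order problem the advisory describes can be checked for on an installation directory. The following is an added example (not Matousec's proof of concept and not SKPF code): it simulates the loader consulting the application directory before the system directory and reports any required DLL that would be picked up from the application directory even though the genuine copy lives in the system directory. The directory layout and file contents are constructed in a temp directory.

```python
import os
import tempfile

# The loader consults the executable's own directory before the system
# directory, so a writable application directory lets a planted copy of a
# system DLL win the lookup. search_order models that precedence.
def resolve_dll(name, search_order):
    """Return the first path on search_order that holds `name`, or None."""
    for directory in search_order:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None

def audit_install_dir(app_dir, system_dir, required_dlls):
    """Report DLLs that resolve to app_dir although a genuine copy exists in
    system_dir, and whether app_dir is writable by the current user.
    (os.access is a coarse check; on Windows a real audit inspects the ACL.)"""
    shadowed = []
    for name in required_dlls:
        chosen = resolve_dll(name, [app_dir, system_dir])
        genuine = os.path.join(system_dir, name)
        if chosen and os.path.isfile(genuine) and chosen != genuine:
            shadowed.append(name)
    return {"writable": os.access(app_dir, os.W_OK), "shadowed": shadowed}

def demo():
    """Constructed layout: a system dir holding the real iphlpapi.dll and an
    install dir that is audited before and after a copy is planted there.
    Returns (audit_before, audit_after)."""
    with tempfile.TemporaryDirectory() as root:
        system_dir = os.path.join(root, "system32")   # stands in for %SystemRoot%\system32
        app_dir = os.path.join(root, "SKPF")           # stands in for the install dir
        os.makedirs(system_dir)
        os.makedirs(app_dir)
        required = ["iphlpapi.dll", "missing.dll"]     # second name is constructed
        with open(os.path.join(system_dir, "iphlpapi.dll"), "wb") as f:
            f.write(b"genuine placeholder")            # constructed contents
        before = audit_install_dir(app_dir, system_dir, required)
        with open(os.path.join(app_dir, "iphlpapi.dll"), "wb") as f:
            f.write(b"planted placeholder")            # constructed contents
        after = audit_install_dir(app_dir, system_dir, required)
        return before, after

if __name__ == "__main__":
    print(demo())
```

A finding of `shadowed` together with `writable` is the condition the advisory relies on; the fix on the application side is to load such libraries from the system directory by full path or to keep the installation directory non-writable for unprivileged users.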


Geo. | 1 Jan 2007 20:26

Vista Reduced Function mode triggered

The other day I used my router to limit my Vista laptop from talking to 
anything but one subnet on the internet. 3 days later suddenly some things 
would not work.

Solitaire failed to start, click on it and you get the magic donut showing 
it's starting up then nothing.

Right click on network and pick properties you get the magic donut showing 
it's starting up then nothing.

So I removed the routes so Vista could once again phone home and within a 
minute or two both solitaire and network properties worked just fine.

Now this Vista system is less than 30 days old and has already been 
activated. So the claims that Reduced Function mode only kicks in if you 
don't activate within 30 days is bunk if this is Reduced Function mode.

So I decided to trigger RF mode on purpose to see how it responds. I stopped 
the Software License service which claims that doing so will trigger RF 
mode. 24 hours later solitaire, network properties, and control panel all 
show the same behavior, the magic donut showing they are starting up then 
nothing. No events in event log, nothing.

I then started the Software License service and presto like magic these 
functions work again. So I'm convinced that the machine being routed so it 
can't talk to MS triggered RF mode within a few days. Now to me this seems 
pretty clear even though it wasn't a real scientific method of testing. And 
further, this looks to me like an accident waiting to happen. I mean imagine 
if MS fell off the planet we would have a pretty major problem as the bulk 
of the world's computers started shutting down, talk about a security issue?

So anyone here with a bit more technical expertise want to pick up this ball 
and run with it?

Geo. 


coderman | 1 Jan 2007 23:29

Re: Authenticated users can sniff WPA traffic?

On 12/31/06, /dev/null <exceed <at> email.si> wrote:
> ...
> recently I came across this link:
> http://seclists.org/pen-test/2005/Nov/0073.html
>
> Basically, it states that authenticated users, in combination with ARP
> poisoning, can sniff WPA traffic. Can anybody confirm this is possible? If
> that's true, is there any way to prevent this?

of course it's true.  don't let ARP poisoning occur on your network.
most good wifi security tools / systems will check for this among the
other usual masquerading (rogue AP's, injection with invalid
timestamps, etc).

note that a mandatory part of this attack is having auth credentials
for WPA-PSK or WPA-Enterprise (EAP/TLS,etc) so you can talk on the
network to mount this ARP poisoning attack.

> I would really appreciate any info/link/paper regarding topic.

any good IP routing text would be useful, particularly the interplay
between ethernet (and other L2 protocols) and IP via ARP/RARP.

as one last side note, if you've got the WPA-PSK secret via dictionary
attack you can combine this with disassociate injection to force all
clients to re-authenticate while you are listening so you can recover
the client keys (TKIP or CCMP) used for communication and get better
results since you no longer need the ARP hack which will be slower and
more brittle (you must remain in the loop) comparatively.
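The check that the reply above attributes to "good wifi security tools" is an ARP binding monitor. This added example (not from the thread or any named product) runs one over constructed tcpdump-style ARP reply lines and reports every reply that rebinds an IP already seen on the segment to a different MAC, which is the signature of a poisoned gateway entry.

```python
import re

# Constructed tcpdump-style ARP reply lines; all addresses are made up.
SAMPLE_ARP_LOG = """\
12:00:01.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:03.000 ARP, Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:ee, length 28
12:00:05.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:09.000 ARP, Reply 192.168.1.1 is-at 00:aa:bb:cc:dd:ee, length 28
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def detect_arp_conflicts(lines):
    """Track the IP->MAC binding observed on the segment and report each
    reply that rebinds a known IP to a different MAC.
    Returns a list of (timestamp, ip, previous_mac, new_mac)."""
    table = {}
    alerts = []
    for line in lines:
        m = ARP_REPLY.match(line)
        if not m:
            continue  # requests and non-ARP lines are ignored
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        known = table.get(ip)
        if known is not None and known != mac:
            alerts.append((ts, ip, known, mac))
        table[ip] = mac  # record the latest claim so a flip back also alerts
    return alerts

def macs_claiming_many_ips(lines):
    """Second indicator: one MAC answering for more than one IP (the
    poisoner answers for the gateway as well as for itself)."""
    claims = {}
    for line in lines:
        m = ARP_REPLY.match(line)
        if m:
            claims.setdefault(m["mac"].lower(), set()).add(m["ip"])
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}

def demo():
    lines = SAMPLE_ARP_LOG.splitlines()
    return detect_arp_conflicts(lines), macs_claiming_many_ips(lines)
```

On a real segment the same logic is fed from a capture and the gateway's known-good MAC is pinned as a static entry so a conflicting claim is always flagged.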


Javor Ninov | 1 Jan 2007 23:31

simplog 0.9.3.2 SQL injection

Affected Software:
simplog up to 0.9.3.2 (latest version - 12/05/2006)

Site:
http://www.simplog.org
Simplog provides an easy way for users to add blogging capabilities to
their existing websites. Simplog is written in PHP and compatible with
multiple databases. Simplog also features an RSS/Atom aggregator/reader.
Powerful, yet simple

Vulnerability:
SQL Injection in archive.php
other files probably also affected

Example:
http://example.com/simplog/archive.php?blogid=1&pid=1111%20union%20select%201,1,1,login,1,password,1,1%20from%20blog_users%20where%20admin=1

Vendor status:
NOT NOTIFIED

Javor Ninov aka DrFrancky
drfrancky shift+2 securax.org
http://securitydot.net/
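The example URL above works only because the `pid` value is pasted into the query text. The following is an added example (not simplog's own PHP, which is not on the page) that models archive.php in Python with an in-memory sqlite database: the concatenating version returns the `blog_users` row for the payload from the advisory, while the version that validates the identifiers as integers and binds them as parameters returns nothing. The eight-column `blog_posts` layout is constructed to match the column count in the payload; `blog_users`, `login`, `password` and `admin` come from the advisory.

```python
import sqlite3

def build_db():
    """Constructed schema and sample rows (credentials are placeholders)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE blog_users(uid INTEGER, login TEXT, password TEXT, admin INTEGER);
        CREATE TABLE blog_posts(pid INTEGER, blogid INTEGER, title TEXT, body TEXT,
                                author INTEGER, posted TEXT, category INTEGER, comments INTEGER);
        INSERT INTO blog_users VALUES (1, 'admin', 'hash-of-admin-pw', 1);
        INSERT INTO blog_users VALUES (2, 'reader', 'hash-of-reader-pw', 0);
        INSERT INTO blog_posts VALUES (1, 1, 'Hello', 'first post', 1, '2006-12-05', 1, 0);
    """)
    return db

COLUMNS = "pid, blogid, title, body, author, posted, category, comments"

def archive_vulnerable(db, blogid, pid):
    """Pattern the advisory describes: request values are spliced into the
    SQL text, so a UNION in pid becomes part of the statement."""
    sql = "SELECT %s FROM blog_posts WHERE blogid=%s AND pid=%s" % (COLUMNS, blogid, pid)
    return db.execute(sql).fetchall()

def archive_fixed(db, blogid, pid):
    """Hardened version: both identifiers must parse as integers and are
    passed as bound parameters, so they can never be parsed as SQL."""
    try:
        blogid, pid = int(blogid), int(pid)
    except (TypeError, ValueError):
        return []  # reject anything that is not a plain integer id
    sql = "SELECT %s FROM blog_posts WHERE blogid=? AND pid=?" % COLUMNS
    return db.execute(sql, (blogid, pid)).fetchall()

# The decoded pid value from the advisory's example URL.
PAYLOAD = "1111 union select 1,1,1,login,1,password,1,1 from blog_users where admin=1"

def demo():
    """Returns (rows from the vulnerable handler, rows from the fixed one)."""
    db = build_db()
    return archive_vulnerable(db, "1", PAYLOAD), archive_fixed(db, "1", PAYLOAD)

if __name__ == "__main__":
    print(demo())
```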

php0t | 1 Jan 2007 23:29

Re: Vista Reduced Function mode triggered


  Didn't have the chance / interest to meet Vista myself as of yet, but
if what you wrote isn't user error or something specific and limited to
only a few computers then excuse me a moment while i lmao. BTW, is there
anything in vista's agreement in legalish that could be translated into
'you agree that you feed your software internet' ? Maybe micro$ says
that this is needed to verify that you're running a legal OS every now
and then, so $uck it ? :-) Sorry for not having ideas just raising more
questions, hope somebody replies in a few pointing out the obvious.


Simon Smith | 2 Jan 2007 00:16

Jeff Bernstein

It has come to my attention that Jeff Bernstein has been falsely using the
names of SNOsoft Research Team members. Moreover, Jeff Bernstein has been
falsely associating himself with the SNOsoft/HP/DMCA vulnerability research
and development ordeal that happened earlier in 2001.

Jeff Bernstein has never been affiliated with the SNOsoft Research Team nor
will he ever be. Jeff Bernstein does not work with nor has he ever directly
worked with any of the SNOsoft Team Members.

If anyone has talked with, or speaks with Jeff Bernstein in the future and
if Mr. Bernstein mentions SNOsoft, please contact me immediately at
simon <at> snosoft.com.

Thank you.

Regards, 
    Simon Smith
    SNOsoft Research Team
    http://www.snosoft.com


Juha-Matti Laurio | 2 Jan 2007 00:20

Re: Gmail XSS?

According to this news it was fixed already:
http://blogs.zdnet.com/Google/?p=434

See the quote from the Google Security Team.

- Juha-Matti

Denzity <denzity <at> gmail.com> wrote: 
>
> There are reports of a gmail xss in the wild that will steal someone's contact
> list and email if the website is visited while being logged in to gmail.
> 
> http://cyber-knowledge.net/blog/2007/01/01/gmail-vulnerable-to-contact-list-hijacking/
> 
> I can't find this on Bugtraq or any release. Anyone have any more info or
> a PoC?
>
> Thanks, Denzity.


Geo. | 2 Jan 2007 00:35

Re: Vista Reduced Function mode triggered


> anything in vista's agreement in legalish that could be translated into
> 'you agree that you feed your software internet' ?

http://www.microsoft.com/windowsvista/getready/systemrequirements.mspx

Yep, specifies "internet" under requirements. Should specify unrestricted 
internet access if you ask me.

Geo. 
