coderman | 1 May 2008 01:00

Re: Microsoft device helps police pluck evidence from cyberscene of crime

On Wed, Apr 30, 2008 at 2:17 PM, Rob Thompson
<my.security.lists <at> gmail.com> wrote:
> ...
>  > Meaning if you disable autorun on all USB/Firewire/"hot-plug" devices
>  > does it potentially eliminate this threat?
>
>  I doubt it.  They probably have something coded into the device that
>  works with something "special" within Windows.  But again, just an
>  assumption.  I haven't gotten my paws on one of these yet.  Though I'm
>  sure that if you look hard enough, it can be found.

you'd have to epoxy over those ports.  putty epoxy in the USB,
firewire, PCCard, and related slots.  it's been done, for regulatory
compliance.  works great.  gets your hands messy.

but seriously, who will take such measures on their home PC?

last but not least, the cold boot disk encryption attacks showed how
even the plugged ports could be worked around with a quick reboot and
a can of keyboard cleaner...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

magickal1 | 1 May 2008 02:33

Did n3td3v influence Google Security Team

I don't often write to the list nor contribute much at all at this point,
mostly due to work commitments, but I felt a need to this time.

Why on earth was this posted to the list?  It provided no useful information.
It had nothing to do with full disclosure of anything.  All it did was waste
my time and others'.  At this point the author of the post has made it to the
filter to hit the trash bin straight off, marked as read.

Do us all a favor...stop posting this crap.  It's pointless, provides no
information and can be used for nothing.  In a word, this post ranked no
higher than SPAM!

My 2 cents' worth.

Flame away; chances are I'm not going to respond anyway.

if [ "$author" = n3td3v ]; then   # $author, $post: sender and message file (assumed variables)
    mv "$post" spam
fi

On Tuesday 29 April 2008 20:50:18 full-disclosure-request <at> lists.grok.org.uk 
wrote:
> Did n3td3v influence Google Security Team


Ivan . | 1 May 2008 02:47

Re: Microsoft device helps police pluck evidence from cyberscene of crime

more info

http://www.news.com/8301-10789_3-9932600-57.html?tag=blog.promos

On Thu, May 1, 2008 at 9:00 AM, coderman <coderman <at> gmail.com> wrote:

Pat | 1 May 2008 03:31

Re: Did n3td3v influence Google Security Team

I concur :-)

2008/5/1 magickal1 <magickal1 <at> gmail.com>:

Maxime Ducharme | 1 May 2008 14:43

Re: Did n3td3v influence Google Security Team


I also agree

Thanks for saying what many others think

Have a nice day everyone

Maxime Ducharme

-----Original Message-----
From: full-disclosure-bounces <at> lists.grok.org.uk
[mailto:full-disclosure-bounces <at> lists.grok.org.uk] On behalf of magickal1
Sent: 30 April 2008 20:34
To: full-disclosure <at> lists.grok.org.uk
Subject: [Full-disclosure] Did n3td3v influence Google Security Team


iDefense Labs | 1 May 2008 17:25

iDefense Security Advisory 04.30.08: Akamai Download Manager Arbitrary Program Execution Vulnerability

iDefense Security Advisory 04.30.08
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 30, 2008

I. BACKGROUND

Akamai Download Manager is an integral component of Akamai's global
distribution service. It is used to deliver big files quickly and
reliably to users around the world. It has been used by vendors such as
Symantec and Microsoft to provide downloads to the public.

Akamai provides both an ActiveX and a Java based Download Manager. If a
user uses the ActiveX control once, it will remain installed on the
user's computer until manually removed. For more information, please
visit the following web sites.

http://www.akamai.com/html/technology/products/http_downloads.html

http://www.akamai.com/html/solutions/electronic_software_delivery.html

II. DESCRIPTION

Remote exploitation of a design error in Akamai Technologies, Inc's
Download Manager allows attackers to execute arbitrary code in the
context of the current user.

The ActiveX control version has the following identifiers:

  Class: DownloadManager Control
  CLSID: 2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B
  CLSID: FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1
  ProgId: MANAGER.DLMCtrl.1.
  File: C:\Windows\Downloaded Program Files\DownloadManagerV2.ocx

The Java version has the following identifiers:

  Class: com.akamai.dm.ui.applet.DMApplet.class
  JAR: dlm-java-2.2.2.0.jar

This problem specifically exists due to two undocumented object
parameters. By using these parameters, it is possible to cause Download
Manager to automatically download and execute arbitrary binaries from
attacker controlled locations.

III. ANALYSIS

Exploitation allows an attacker to execute arbitrary code in the context
of the user viewing a maliciously crafted web page.

In order to exploit this vulnerability, an attacker would need to
persuade, or otherwise force, a user to view a malicious web page. This
is usually accomplished by getting the targeted user to click a link in
a form of electronic communication such as e-mail or instant messaging.

While the attack is happening, the Download Manager user interface is
displayed. However, in a normal attack scenario there is insufficient
time to cancel the download before exploitation occurs.

IV. DETECTION

iDefense confirmed the existence of this vulnerability using version
2.2.2.1 of Akamai Technologies Inc's DownloadManagerV2.ocx.
Additionally, iDefense confirmed the problem exists in version 2.2.2.0
of the Download Manager Java Applet. All versions prior to the fixed
version are suspected to be vulnerable.

V. WORKAROUND

Setting kill-bits for the associated CLSIDs will prevent the ActiveX
control from being loaded within Internet Explorer, thereby preventing
exploitation.

Disabling Java will prevent exploitation using the Java Applet version.

VI. VENDOR RESPONSE

Akamai has addressed this vulnerability with the release of version
2.2.3.5 of their Download Manager product. For more information, refer
to their advisory. To download the updated version, visit the following
URL.

http://dlm.tools.akamai.com/tools/upgrade.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-6339 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

12/06/2007  Initial vendor notification
12/06/2007  Initial vendor response
04/30/2008  Public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Peter Vreugdenhil.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice <at> idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.


Team SHATTER | 1 May 2008 16:18

Team SHATTER Security Advisory: Oracle Database SQL Injection in SYS.DBMS_CDC_UTILITY.LOCK_CHANGE_SET (DB02)


Team SHATTER Security Advisory

Oracle Database SQL Injection in SYS.DBMS_CDC_UTILITY.LOCK_CHANGE_SET (DB02)

April 28, 2008

Risk Level:
Medium

Affected versions:
Oracle Database Server versions 10gR1, 10gR2 and 11gR1

Remote exploitable:
Yes (Authentication to Database Server is needed)

Credits:
This vulnerability was discovered and researched by Esteban Martínez
Fayó of Application Security Inc.

Details:
The PL/SQL package DBMS_CDC_UTILITY owned by SYS has an instance of SQL
Injection. A malicious user can call a vulnerable procedure of this
package with specially crafted parameters and execute SQL statements
with the elevated privileges of the SYS user.

Impact:
Any Oracle database user with EXECUTE privilege on the package
SYS.DBMS_CDC_UTILITY can exploit this vulnerability. By default, users
granted SELECT_CATALOG_ROLE have the required privilege. Exploitation of
this vulnerability allows an attacker to execute SQL commands with SYS
privileges.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
Restrict access to the SYS.DBMS_CDC_UTILITY package.

Fix:
Apply Oracle Critical Patch Update April 2008 available at Oracle Metalink.

Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html
http://www.appsecinc.com/resources/alerts/oracle/2008-01.shtml

Timeline:
Vendor Notification - 9/24/2007
Vendor Response - 9/28/2007
Fix - 4/15/2008
Public Disclosure - 4/28/2008

Application Security, Inc's database security solutions have helped over
1000 organizations secure their databases from all internal and external
threats while also ensuring that those organizations meet or exceed
regulatory compliance and audit requirements.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

Team SHATTER | 1 May 2008 16:16

Team SHATTER Security Advisory: Oracle Database Buffer Overflow in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11)


Team SHATTER Security Advisory

Oracle Database Buffer Overflow in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11)

April 28, 2008

Risk Level:
Medium

Affected versions:
Oracle Database Server versions 9iR2, 10gR1, 10gR2 and 11gR1

Remote exploitable:
Yes (Authentication to Database Server is needed)

Credits:
This vulnerability was discovered and researched by Esteban Martínez
Fayó of Application Security Inc.

Details:
Oracle Database Server provides the SYS.KUPF$FILE_INT package. This
package contains the procedure GET_FULL_FILENAME which is vulnerable to
buffer overflow attacks.

Impact:
Any Oracle database user with EXECUTE privilege on the package
SYS.KUPF$FILE_INT can exploit this vulnerability. By default, users
granted EXECUTE_CATALOG_ROLE have the required privilege. Exploitation
of this vulnerability allows an attacker to execute arbitrary code. It
can also be exploited to cause a denial of service (DoS) by killing the
Oracle server process.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
Restrict access to the SYS.KUPF$FILE_INT package.

Fix:
Apply Oracle Critical Patch Update April 2008 available at Oracle Metalink.

Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html
http://www.appsecinc.com/resources/alerts/oracle/2008-02.shtml

Timeline:
Vendor Notification - 8/24/2007
Vendor Response - 8/29/2007
Fix - 4/15/2008
Public Disclosure - 4/28/2008


Team SHATTER | 1 May 2008 16:17

Team SHATTER Security Advisory: Oracle Database Buffer Overflow in SYS.DBMS_AQJMS_INTERNAL (DB15)


Team SHATTER Security Advisory

Oracle Database Buffer Overflow in SYS.DBMS_AQJMS_INTERNAL (DB15)

April 28, 2008

Risk Level:
Medium

Affected versions:
Oracle Database Server versions 9iR1, 9iR2 (9.2.0.7 and previous
patchsets) and 10gR1

Remote exploitable:
Yes (Authentication to Database Server is needed)

Credits:
This vulnerability was discovered and researched by Esteban Martínez
Fayó of Application Security Inc.

Details:
Oracle Database Server provides the SYS.DBMS_AQJMS_INTERNAL package.
This package contains the procedures AQ$_REGISTER and AQ$_UNREGISTER
which are vulnerable to buffer overflow attacks.

Impact:
Any Oracle database user with EXECUTE privilege on the package
SYS.DBMS_AQJMS_INTERNAL can exploit this vulnerability. By default,
users granted EXECUTE_CATALOG_ROLE, AQ_ADMINISTRATOR_ROLE or
AQ_USER_ROLE have the required privilege. Exploitation of this
vulnerability allows an attacker to execute arbitrary code. It can also
be exploited to cause a denial of service (DoS) by killing the Oracle
server process.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
Restrict access to the SYS.DBMS_AQJMS_INTERNAL package.

Fix:
Apply Oracle Critical Patch Update April 2008 available at Oracle Metalink.

Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html
http://www.appsecinc.com/resources/alerts/oracle/2008-03.shtml

Timeline:
Vendor Notification - 2/22/2005
Fix - 04/15/2008
Public Disclosure - 04/28/2008

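All three Team SHATTER advisories above (DB02, DB11, DB15) give the same workaround: restrict access to the affected SYS package until the April 2008 CPU is applied. As an added example, not taken from the advisories or from Application Security Inc., the following Oracle SQL audits who holds EXECUTE on those three packages, lists who is directly granted the default roles the advisories name, and shows the revoke a DBA would apply to one grantee (<GRANTEE> is a placeholder; the dictionary views used are DBA_TAB_PRIVS, DBA_ROLES and DBA_ROLE_PRIVS).

```sql
-- Added example: audit EXECUTE grants on the three SYS packages named in
-- Team SHATTER DB02 / DB11 / DB15. Run as a DBA (needs SELECT on DBA_* views).
SELECT p.grantee,
       p.table_name AS package_name,
       p.privilege,
       CASE WHEN r.role IS NOT NULL THEN 'ROLE' ELSE 'USER/PUBLIC' END AS grantee_type
  FROM dba_tab_privs p
  LEFT JOIN dba_roles r ON r.role = p.grantee
 WHERE p.owner = 'SYS'
   AND p.privilege = 'EXECUTE'
   AND p.table_name IN ('DBMS_CDC_UTILITY', 'KUPF$FILE_INT', 'DBMS_AQJMS_INTERNAL')
 ORDER BY p.table_name, p.grantee;

-- Who is directly granted the default roles the advisories say carry the
-- privilege (SELECT_CATALOG_ROLE for DB02, EXECUTE_CATALOG_ROLE for DB11,
-- EXECUTE_CATALOG_ROLE / AQ_ADMINISTRATOR_ROLE / AQ_USER_ROLE for DB15).
-- DBA_ROLE_PRIVS shows direct grants only; nested role grants need a recursive walk.
SELECT DISTINCT grantee, granted_role
  FROM dba_role_privs
 WHERE granted_role IN ('SELECT_CATALOG_ROLE', 'EXECUTE_CATALOG_ROLE',
                        'AQ_ADMINISTRATOR_ROLE', 'AQ_USER_ROLE')
 ORDER BY granted_role, grantee;

-- Interim workaround: remove EXECUTE from a grantee surfaced by the first query.
-- <GRANTEE> is a placeholder. Revoking from Oracle-supplied roles can break
-- features that depend on them (Change Data Capture, Data Pump, Advanced
-- Queuing), so test in a non-production instance first; the real fix is the CPU.
REVOKE EXECUTE ON SYS.DBMS_CDC_UTILITY FROM <GRANTEE>;
REVOKE EXECUTE ON SYS.KUPF$FILE_INT FROM <GRANTEE>;
REVOKE EXECUTE ON SYS.DBMS_AQJMS_INTERNAL FROM <GRANTEE>;
```

Re-run the first query after the revoke to confirm the grant is gone, and again after applying the CPU, since patching does not change existing grants.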

Thijs Kinkhorst | 1 May 2008 19:00

[SECURITY] [DSA 1564-1] New wordpress packages fix several vulnerabilities


------------------------------------------------------------------------
Debian Security Advisory DSA-1564-1                  security <at> debian.org
http://www.debian.org/security/                          Thijs Kinkhorst
May 01, 2008                          http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : wordpress
Vulnerability  : multiple
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2007-3639 CVE-2007-4153 CVE-2007-4154 CVE-2007-0540

Several remote vulnerabilities have been discovered in wordpress,
a weblog manager. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2007-3639

    Insufficient input sanitising allowed for remote attackers to
    redirect visitors to external websites.

CVE-2007-4153

    Multiple cross-site scripting vulnerabilities allowed remote
    authenticated administrators to inject arbitrary web script or HTML.

CVE-2007-4154

    SQL injection vulnerability allowed remote authenticated
    administrators to execute arbitrary SQL commands.

CVE-2007-0540

    WordPress allows remote attackers to cause a denial of service
    (bandwidth or thread consumption) via pingback service calls with
    a source URI that corresponds to a file with a binary content type,
    which is downloaded even though it cannot contain usable pingback data.

[no CVE name yet]

    Insufficient input sanitising caused an attacker with a normal user
    account to access the administrative interface.

For the stable distribution (etch), these problems have been fixed in
version 2.0.10-1etch2.

For the unstable distribution (sid), these problems have been fixed in
version 2.2.3-1.

We recommend that you upgrade your wordpress package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
-------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10.orig.tar.gz
    Size/MD5 checksum:   520314 e9d5373b3c6413791f864d56b473dd54
  http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch2.diff.gz
    Size/MD5 checksum:    29327 663e0b7c1693ff63715e0253ad5cc036
  http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch2.dsc
    Size/MD5 checksum:      891 2e297f530d472f47b40ba50ea04b1476

Architecture independent packages:

  http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch2_all.deb
    Size/MD5 checksum:   521244 4851fe016749b1b9c819fd8d5785198e

  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce <at> lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
