Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Linux NULL pointer dereference

From: Ben Greenfield <bcg () struxural com>
Date: Mon, 17 Aug 2009 15:06:25 -0400
Now, back to some real pen-test stuff.... Anyone had a chance to leverage
the recent Linux NULL pointer dereference bug in proto_ops in an engagement?


I have not yet had the chance to use this in an engagement, but I feel
like this is one that's going to be around for a _long time_ because
of how many different versions are affected.

Also, I've done some testing with this vulnerability, and haven't been
able to get it working against Ubuntu Jaunty 9.04 on an AMD64.  My
understanding is that all architectures are vulnerable... has anyone
had any success against AMD64 with this?

On all the x86 platforms I've tested it against (Ubuntu 8.04 LTS x86,
Debian 5 x86, Xen virtualized 2.6 linux x86) it worked as expected and
resulted in local privilege escalation to root.

2009/8/17 Erin Carroll <amoeba () amoebazone com>:

Hénarès,

No offense was taken. Your point was a valid one and deserved a response and
explanation as to why Al's email was forwarded to the list. Not everyone
knows (or cares) about the behind the scenes stuff that makes the pen-test
list work but I believe Al's contribution and now departure to be a
significant milestone that deserved acknowledgement.



--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
"I cannot brain today, I have the dumb"



-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of Hénarès Sébastien
Sent: Monday, August 17, 2009 10:17 AM
To: noloader () gmail com
Cc: Erin Carroll; alfredhuger () winterhope com; pen-
test () securityfocus com; focus-ids () securityfocus com
Subject: Re: So long and thanks a bunch!

Hi again, as said by erin and the others yeah, its nice for the list
and
the accomplishments.
while at that, i have enough signal coming in to _just_ ask the
question.

sorry if you tought that was a flamebait, appologies to everyone
i still rest my case and acknowledge your point (everyone). :)

kind regards and have a nice day.

--
HSN

Jeffrey Walton a écrit :

LOL... http://www.collegehumor.com/video:1907543

On 8/17/09, Hénarès Sébastien <henares.sebastien () gmail com> wrote:


Hi, while it's nice to see that some geeks got a social life, can

you keep

those mails private ?
that's some mails that are unwanted, at least not what i suscribed

for.


thanks.

--
HSN

Erin Carroll a écrit :


Al,

Good luck to you in your new endeavor! When you graciously let me

take



over


the reins for pen-test 4 years ago I had no real idea of what I was

in for

but somehow managed to not suck at it too badly (or so I tell

myself).



Thank


you for your trust and support. I'll try to keep taking good care

of your

baby.

If you do sneak in some list reading I promise not to tell. In my

mind

pen-test still belongs to you, I'm just doing extended guest

moderator

duties. :)

--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
"I cannot brain today, I have the dumb"







-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of
alfredhuger () winterhope com
Sent: Saturday, August 15, 2009 2:28 PM
To: pen-test () securityfocus com; focus-ids () securityfocus com
Subject: So long and thanks a bunch!

Pen-Test and Focus-IDS readers,

I wanted to send a quick note to those of you on these two lists

who

have been long time subscribers and supporters of them. I long ago
gave up the moderation of the lists (to far more capable hands

than

mine) but I have followed them faithfully for nearly a decade. In

fact

 Pen-Test was the first list I created after I founded

SecurityFocus

in 1999.

Of all the Secfocus lists these two always been my favorites.

Frankly

I always thought Bugtraq, everyone else's favorite,  was/is pure
misery. Full disclosure (the ethic not the mailing list of the

same

name) is a circus and that's a pity.

I have now decided to move on from Symantec (who bought

Securityfocus

in 2002) to head back to start-up land and so I will no longer

have

the time to follow the many lists I've grown accustomed to reading
here.  Thanks to all of you who contributed, I owe you all a small
debt.

My new contact into is:

alfred.huger at gmail com

I also use Linkedin, please feel free to connect:
 http://www.linkedin.com/in/alhuger

Cheers and thanks again,
Al Huger




-----------------------------------------------------------------


Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and

their

application. By making use of an SSL certificate on your web

server,

you can securely collect sensitive information online, and

increase

business by giving your customers confidence that their

transactions

are safe.





http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1



a17f194








--------------------------------------------------------------------

----



This list is sponsored by: Information Assurance Certification

Review



Board


Prove to peers and potential employers without a doubt that you can


actually do a proper penetration test. IACRB CPT and CEPT certs

require a

full practical examination in order to become certified.


http://www.iacertification.org



--------------------------------------------------------------------

----






--------------------------------------------------------------------

----

This list is sponsored by: Information Assurance Certification

Review Board


Prove to peers and potential employers without a doubt that you can

actually

do a proper penetration test. IACRB CPT and CEPT certs require a

full

practical examination in order to become certified.
http://www.iacertification.org
--------------------------------------------------------------------

----






-----------------------------------------------------------------------
-
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.

http://www.iacertification.org
-----------------------------------------------------------------------
-



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------




------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: