Full Disclosure mailing list archives
Re: Full-disclosure Digest, Vol 12, Issue 39
From: "DONNY MCCOY" <DMCCOY () bbl-inc com>
Date: Tue, 21 Feb 2006 14:18:15 -0500
I will be in Cary, NC through Thursday and will return to Syracuse on Friday. I will check voicemail and e-mail periodically as time allows. If your e-mail is urgent please contact the help desk in Syracuse at x19511. Thanks. Donny
full-disclosure 02/21/06 14:16 >>>
Send Full-Disclosure mailing list submissions to full-disclosure () lists grok org uk To subscribe or unsubscribe via the World Wide Web, visit https://lists.grok.org.uk/mailman/listinfo/full-disclosure or, via email, send a message with subject or body 'help' to full-disclosure-request () lists grok org uk You can reach the person managing the list at full-disclosure-owner () lists grok org uk When replying, please edit your Subject line so it is more specific than "Re: Contents of Full-Disclosure digest..." Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you. Today's Topics: 1. Re: Quarantine your infected users spreading malware (Simon Richter) 2. re: Insecurity in Finnish parlament (computers) (Juha-Matti Laurio) 3. Re: Quarantine your infected users spreading malware (Nigel Horne) 4. Re: Re: User Enumeration Flaw (Michael Holstein) 5. Re: Compromised hosts lists (James Lay) 6. Compromised host list - some clarification... (James Lay) 7. Re: ?if you are not doing anything wrong, why should you worry about it?? (Dave Korn) 8. Re: Forum / Site redone (Dave Korn) 9. Re: Re: Forum / Site redone (Nigel Horne) 10. re: Insecurity in Finnish parlament (computers) (Markus Jansson) 11. re: Insecurity in Finnish parlament (computers) (Juha-Matti Laurio) 12. [USN-256-1] bluez-hcidump vulnerability (Martin Pitt) 13. [USN-254-1] noweb vulnerability (Martin Pitt) 14. [USN-255-1] openssh vulnerability (Martin Pitt) 15. msgina.dll (khaalel) 16. Re: Compromised host list - some clarification... (Robert P. McKenzie) 17. Re: ?if you are not doing a =?WINDOWS-1252?Q?nything_wrong, _why_should_you_worry_about_it=3F=94?= (Steve Kudlak) 18. www.wpad.net (Prabhat Sharma) 19. SV: [Full-disclosure] msgina.dll (Jan Nielsen) 20. [ GLSA 200602-12 ] GPdf: Heap overflows in included Xpdf code (Thierry Carrez) 21. Re: www.wpad.net (TheGesus) 22. Re: Compromised host list - some clarification... (Dean Pierce) 23. Re: Compromised host list - some clarification... (James Lay) 24. Re: Compromised hosts lists (Valdis.Kletnieks () vt edu) 25. Re: Re: Forum / Site redone (Dave Korn) ---------------------------------------------------------------------- Message: 1 Date: Tue, 21 Feb 2006 13:05:42 +0100 From: Simon Richter <Simon.Richter () hogyros de> Subject: Re: [Full-disclosure] Quarantine your infected users spreading malware To: Gadi Evron <ge () linuxbox org> Cc: "full-disclosure () lists grok org uk" <full-disclosure () lists grok org uk>, bugtraq () securityfocus com Message-ID: <43FB0216.4090403 () hogyros de> Content-Type: text/plain; charset="iso-8859-1" Hi, Gadi Evron wrote:
As many of us know, handling such users on tech support is not very cost-effective to ISP's, as if a user makes a call the ISP already losses money on that user. Than again, paying abuse desk personnel just so that they can disconnect your users is losing money too.
Which one would you prefer?
Choice. The difference between a bug and a feature is that you can turn the feature off. If an ISP offers filters as a feature, I say more power to them. Simon -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 307 bytes Desc: OpenPGP digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/812a887e/signature-0001.bin ------------------------------ Message: 2 Date: Tue, 21 Feb 2006 14:07:50 +0200 (EET) From: Juha-Matti Laurio <juha-matti.laurio () netti fi> Subject: re: [Full-disclosure] Insecurity in Finnish parlament (computers) To: Markus Jansson <markus.jansson () hushmail com> Cc: full-disclosure () lists grok org uk Message-ID: <2419544.484291140523670940.JavaMail.juha-matti.laurio () netti fi> Content-Type: text/plain; Charset=iso-8859-1; Format=Flowed Markus Jansson wrote:
Good article, but it lacks one important aspect of the fiasco: TeliaSonera also disabled crypto (A5/1) on GSM:s for some time, which made it possible to eavesdrop on its/goverments GSM:s. This was a the "big" fuzz.
I'm aware about these claims, but Mr. Esa Korvenmaa, spokeperson of TeliaSonera Finland says this is not true.
BTW. How long would you think it would take them to spot false-base-station type of attacks near our parlament house? ;)
No facts about this and I don't want to comment. My article doesn't handle Finnish parliament in any way. - Juha-Matti ------------------------------ Message: 3 Date: Tue, 21 Feb 2006 12:16:13 -0000 (GMT) From: "Nigel Horne" <njh () bandsman co uk> Subject: Re: [Full-disclosure] Quarantine your infected users spreading malware To: full-disclosure () lists grok org uk Message-ID: <4212.213.206.150.242.1140524173.squirrel () mail bandsman co uk> Content-Type: text/plain;charset=iso-8859-15
Hi, Gadi Evron wrote:As many of us know, handling such users on tech support is not very cost-effective to ISP's, as if a user makes a call the ISP already losses money on that user.
Not necessarily true. Many ISPs charge little for set up and on going costs, but support is only available from them via a premium rate phone number.
Than again, paying abuse desk personnel justso that they can disconnect your users is losing money too.
Not so much if the desk is in India or China. -Nigel ------------------------------ Message: 4 Date: Tue, 21 Feb 2006 08:26:47 -0500 From: Michael Holstein <michael.holstein () csuohio edu> Subject: Re: [Full-disclosure] Re: User Enumeration Flaw To: full-disclosure () lists grok org uk Message-ID: <43FB1517.50703 () csuohio edu> Content-Type: text/plain; charset=us-ascii; format=flowed That's called directory harvesting and it's hardly new. Most MTAs implement tarpitting of some sort, to limit VRFY or RCPT commands from a perticular IP to a certian threshold, before they start slowing them down. There are also ways to silently drop (or accept with routing to /dev/null) a session for a recipient that isn't in an external database (eg: LDAP) -- and while this breaks the RFC, people do it anyway. Ever looked at a Hotmail spam message? There will be 50 recipients .. gbush@, hbush@, jbush@, kbush@, etc. the ones that bounce aren't real and get rejected. Those that don't come back get added as "valid" for the second round. ~Mike. Dave Korn wrote:
Mar.Shatz () education gov il wrote:whitehouse.gov MX 100 mailhub-wh2.whitehouse.gov noone@box:~$ noone@box:~$ telnet mailhub-wh2.whitehouse.gov 25 Trying 63.161.169.140... Connected to mailhub-wh2.whitehouse.gov. Escape character is '^]'. 220 whitehouse.gov ESMTP service at Sun, 12 Feb 2006 11:29:38 -0500 (EST) helo jojo 250 esgeop03.whitehouse.gov Hello [xxx.xxx.xxx.xxx], pleased to meet you mail from:bob () com com 250 2.1.0 bob () com com... Sender ok rcpt to:gbush () whitehouse gov 550 5.1.1 gbush () whitehouse gov... User unknown rcpt to:president () whitehouse gov 250 2.1.5 president () whitehouse gov... Recipient ok quit 221 2.0.0 esgeop03.whitehouse.gov closing connection Connection closed by foreign host. User enumeration at the whitehouseTell DHS at once! What would happen if Al-Qaeda could figure out that there was a president in the whitehouse? cheers, DaveK
------------------------------ Message: 5 Date: Tue, 21 Feb 2006 07:09:58 -0700 From: James Lay <jlay () slave-tothe-box net> Subject: Re: [Full-disclosure] Compromised hosts lists Cc: Full-disclosure <full-disclosure () lists grok org uk> Message-ID: <20060221070958.749da9c9 () homebox slave-tothe-box net> Content-Type: text/plain; charset=US-ASCII On Mon, 20 Feb 2006 22:40:00 -0500 Valdis.Kletnieks () vt edu wrote:
On Mon, 20 Feb 2006 16:55:06 MST, James Lay said:I had heard tale of a site that had a semi-updated list of compromised hosts. I was hoping that someone knows that link...would LOVE to be able to get my firewall to get this list and auto-create an iptables rule. Thanks all!That's ass backwards. The secure way to do this is to first deny *all* traffic, and then add specific rules for machines that you *do* want to talk to. Think for a bit - if some random cablemodem in another timezone is on the list, why should you stop packets from it? Why would you want to accept packets *before* it showed up on the list? Why do you still want to accept packets from *other* boxes in the same /24 or /16?
I completely agree for ports that I would have closed, but obviously I could not simply deny *all* traffic for port 25 and 80 let's say, as I want them open to the public. James ------------------------------ Message: 6 Date: Tue, 21 Feb 2006 07:16:35 -0700 From: James Lay <jlay () slave-tothe-box net> Subject: [Full-disclosure] Compromised host list - some clarification... To: Full-disclosure <full-disclosure () lists grok org uk> Message-ID: <20060221071635.7ae12788 () homebox slave-tothe-box net> Content-Type: text/plain; charset=US-ASCII So ok.....I'm completely positive I didn't make myself clear at all in my previous message...go me! Here's a web site that I did manage to find that has a current list of open proxies: http://www.samair.ru/proxy/index.htm My hope is that I could find a site that has a list of currently reported open proxies, scanners, and ssh brute force boxes. The RBL's pretty much have smtp covered. I would run a cron job at midnight, wget and grep the file, then create an iptables table to block those hosts. This is an attempt to be more proactive then reactive...if I knew those hosts that were actively doing naughty things, why not block them at the get go? Does this make sense? Am I barking up the wrong tree? Thanks all =) James ------------------------------ Message: 7 Date: Tue, 21 Feb 2006 14:54:52 -0000 From: "Dave Korn" <davek_throwaway () hotmail com> Subject: [Full-disclosure] Re: ?if you are not doing anything wrong, why should you worry about it?? To: full-disclosure () lists grok org uk Message-ID: <dtf9jt$bg3$1 () sea gmane org> Gadi Evron wrote:
"if you are not doing anything wrong, why should you worry about it?"
If I'm not doing anything wrong then it's nobody's god-damn business but mine what I'm doing at all. QED. cheers, DaveK -- Can't think of a witty .sigline today.... ------------------------------ Message: 8 Date: Tue, 21 Feb 2006 14:57:39 -0000 From: "Dave Korn" <davek_throwaway () hotmail com> Subject: [Full-disclosure] Re: Forum / Site redone To: full-disclosure () lists grok org uk Message-ID: <dtf9p4$c2k$1 () sea gmane org> Nigel Horne wrote:
Thanks for the comments. Site has been redone ( I re-didit ) Feel free to keep the comments coming. http://www.iatechconsulting.comWhy does it attempt to store 2 cookies on my machine when all I do visit your front page?
Because that's how PHP tracks your session ID.
Needless to say I said "no".
http://zapatopi.net/afdb cheers, DaveK -- Can't think of a witty .sigline today.... ------------------------------ Message: 9 Date: Tue, 21 Feb 2006 15:05:54 -0000 (GMT) From: "Nigel Horne" <njh () bandsman co uk> Subject: Re: [Full-disclosure] Re: Forum / Site redone To: full-disclosure () lists grok org uk Message-ID: <5495.213.206.150.242.1140534354.squirrel () mail bandsman co uk> Content-Type: text/plain;charset=iso-8859-15
Nigel Horne wrote:Thanks for the comments. Site has been redone ( I re-didit ) Feel free to keep the comments coming. http://www.iatechconsulting.comWhy does it attempt to store 2 cookies on my machine when all I do visit your front page?Because that's how PHP tracks your session ID.Needless to say I said "no".
Public access websites should not have session IDs just to visit their frontpage.
cheers, DaveK
------------------------------ Message: 10 Date: Tue, 21 Feb 2006 16:52:24 +0200 From: "Markus Jansson" <markus.jansson () hushmail com> Subject: re: [Full-disclosure] Insecurity in Finnish parlament (computers) To: <full-disclosure () lists grok org uk> Message-ID: <200602211452.k1LEqSuK085801 () mailserver2 hushmail com> On Tue, 21 Feb 2006 14:07:50 +0200 Juha-Matti Laurio <juha- matti.laurio () netti fi> wrote:
TeliaSonera also disabled crypto (A5/1) on GSM:s for some time, which made it possible to eavesdrop on its/goverments GSM:s.
This was
a the "big" fuzz.I'm aware about these claims, but Mr. Esa Korvenmaa, spokeperson of TeliaSonera Finland says this is not true.
Well, several people in different discussion forums in Finland found it out by GSM analysing tools and posted it up. Those tools shown that peoples phones (in TeliaSonera network) used A5/0 cipher, meaning that no encryption was used. I doubt that all of them are simultaneously lying and TeliaSonera is telling the truth. :D -- My computer security & privacy related homepage http://www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. ------------------------------ Message: 11 Date: Tue, 21 Feb 2006 17:10:11 +0200 (EET) From: Juha-Matti Laurio <juha-matti.laurio () netti fi> Subject: re: [Full-disclosure] Insecurity in Finnish parlament (computers) To: Markus Jansson <markus.jansson () hushmail com> Cc: full-disclosure () lists grok org uk Message-ID: <21845207.514571140534611207.JavaMail.juha-matti.laurio () netti fi> Content-Type: text/plain; Charset=iso-8859-1; Format=Flowed Markus Jansson wrote:
Well, several people in different discussion forums in Finland found it out by GSM analysing tools and posted it up. Those tools shown that peoples phones (in TeliaSonera network) used A5/0 cipher, meaning that no encryption was used. I doubt that all of them are simultaneously lying and TeliaSonera is telling the truth. :D
Yes, I have all of these related forum posts handling the use of Nokia Network Monitor as printed versions. - Juha-Matti ------------------------------ Message: 12 Date: Tue, 21 Feb 2006 16:30:40 +0100 From: Martin Pitt <martin.pitt () canonical com> Subject: [Full-disclosure] [USN-256-1] bluez-hcidump vulnerability To: ubuntu-security-announce () lists ubuntu com Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com Message-ID: <20060221153040.GB5903 () piware de> Content-Type: text/plain; charset="us-ascii" =========================================================== Ubuntu Security Notice USN-256-1 February 21, 2006 bluez-hcidump vulnerability CVE-2006-0670 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) Ubuntu 5.10 (Breezy Badger) The following packages are affected: bluez-hcidump The problem can be corrected by upgrading the affected package to version 1.5-2ubuntu0.1 (for Ubuntu 4.10), 1.12-1ubuntu0.1 (for Ubuntu 5.04), or 1.23-0ubuntu1.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Pierre Betouin discovered a Denial of Service vulnerability in the handling of the L2CAP (Logical Link Control and Adaptation Layer Protocol) layer. By sending a specially crafted L2CAP packet through a wireless Bluetooth connection, a remote attacker could crash hcidump. Since hcidump is mainly a debugging tool, the impact of this flaw is very low. Updated packages for Ubuntu 4.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.5-2ubuntu0.1.diff.gz Size/MD5: 117334 2be393fb2b17f097d84c4bf1e41759b8 http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.5-2ubuntu0.1.dsc Size/MD5: 649 2cbb2217b51ce137d84487cc8c7e67fc http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.5.orig.tar.gz Size/MD5: 166968 346f86c8e1824a505e976d0a2c8a0578 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.5-2ubuntu0.1_amd64.deb Size/MD5: 25198 7d0d59b7597b7d64345e9255f29ea684 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.5-2ubuntu0.1_i386.deb Size/MD5: 23146 93c04094444cc482058d67cb78ca7244 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.5-2ubuntu0.1_powerpc.deb Size/MD5: 25446 ccfa304db68953e1d2989df0fed8259c Updated packages for Ubuntu 5.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.12-1ubuntu0.1.diff.gz Size/MD5: 2277 09602446f4bdae6c8126e33db11f3249 http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.12-1ubuntu0.1.dsc Size/MD5: 663 8efc5c10713d06de9d55613055208bca http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.12.orig.tar.gz Size/MD5: 102003 c64f44a05e3c3f036134850c8fb24a00 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.12-1ubuntu0.1_amd64.deb Size/MD5: 39052 4f466a14a74802cb0ea83d9859d108a9 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.12-1ubuntu0.1_i386.deb Size/MD5: 35048 9b767b24c3ce114a9b44cc9901335826 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.12-1ubuntu0.1_powerpc.deb Size/MD5: 37636 9934f9d3c03affe2a3c7d84b00cacbed Updated packages for Ubuntu 5.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.23-0ubuntu1.1.diff.gz Size/MD5: 2454 9ff0a74db5cd83914ed466a8acdf0beb http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.23-0ubuntu1.1.dsc Size/MD5: 662 5191c2d9cabb93969ce0604548ddc696 http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.23.orig.tar.gz Size/MD5: 124717 24a72cfc605278f2846c786ae54230c2 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.23-0ubuntu1.1_amd64.deb Size/MD5: 68856 9ed3cd8a70fdf2f494002894208029a2 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.23-0ubuntu1.1_i386.deb Size/MD5: 62994 c6fab1702f2dab19af5bd2ff86af07a5 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.23-0ubuntu1.1_powerpc.deb Size/MD5: 69474 b75ce72ab552b0b32c301c854ea7e549 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 191 bytes Desc: Digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/75d9d187/attachment-0001.bin ------------------------------ Message: 13 Date: Tue, 21 Feb 2006 16:30:44 +0100 From: Martin Pitt <martin.pitt () canonical com> Subject: [Full-disclosure] [USN-254-1] noweb vulnerability To: ubuntu-security-announce () lists ubuntu com Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com Message-ID: <20060221153044.GC5903 () piware de> Content-Type: text/plain; charset="iso-8859-1" =========================================================== Ubuntu Security Notice USN-254-1 February 21, 2006 noweb vulnerability CVE-2005-3342 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) Ubuntu 5.10 (Breezy Badger) The following packages are affected: nowebm The problem can be corrected by upgrading the affected package to version 2.10c-3ubuntu1.1 (for Ubuntu 4.10), 2.10c-3.1ubuntu5.04.1 (for Ubuntu 5.04), or 2.10c-3.1ubuntu5.10.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Javier Fern*ndez-Sanguino Pe*a discovered that noweb scripts created temporary files in an insecure way. This could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user running noweb. Updated packages for Ubuntu 4.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c-3ubuntu1.1.diff.gz Size/MD5: 11262 c97d1934407598134e7da5d53b4c625a http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c-3ubuntu1.1.dsc Size/MD5: 629 a21c779c23311c40353fee565971f7dd http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c.orig.tar.gz Size/MD5: 712332 30bbacf1fb2a402410e5ad2fb600d9fc amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3ubuntu1.1_amd64.deb Size/MD5: 535460 2d35850c7436ec5e1c452098ab8f2f26 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3ubuntu1.1_i386.deb Size/MD5: 518536 7b89ab418e72de19d81aed9d1dc8aefa powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3ubuntu1.1_powerpc.deb Size/MD5: 522740 f5b23a14a7600e91788a6803e1453861 Updated packages for Ubuntu 5.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c-3.1ubuntu5.04.1.diff.gz Size/MD5: 11276 d692bce20df8c6e0fb64013daf7bc9e5 http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c-3.1ubuntu5.04.1.dsc Size/MD5: 639 6b6781615241f3d07db34b4ed951eab4 http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c.orig.tar.gz Size/MD5: 712332 30bbacf1fb2a402410e5ad2fb600d9fc amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3.1ubuntu5.04.1_amd64.deb Size/MD5: 535570 7ed60a1bfce4de9db2b6f6ca24f7544d i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3.1ubuntu5.04.1_i386.deb Size/MD5: 518652 973b9b6459bc21f645725f4c5013500f powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3.1ubuntu5.04.1_powerpc.deb Size/MD5: 522804 70fd183b24ea9c8d77ca8eb65172924f Updated packages for Ubuntu 5.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c-3.1ubuntu5.10.1.diff.gz Size/MD5: 11275 8b1c3749cd3fc5f0f5bb0909d1db527c http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c-3.1ubuntu5.10.1.dsc Size/MD5: 639 3f37d4a988691727bdc9452e459ccc46 http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c.orig.tar.gz Size/MD5: 712332 30bbacf1fb2a402410e5ad2fb600d9fc amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3.1ubuntu5.10.1_amd64.deb Size/MD5: 535562 8ce18eceec28b3bb1165156e17d06f10 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3.1ubuntu5.10.1_i386.deb Size/MD5: 519066 5d22ae6879e674ba5dba97a10957e6c7 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3.1ubuntu5.10.1_powerpc.deb Size/MD5: 522756 2ea6685d6400fc111cf093f01b7a4b39 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 191 bytes Desc: Digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/c972fe8a/attachment-0001.bin ------------------------------ Message: 14 Date: Tue, 21 Feb 2006 16:30:54 +0100 From: Martin Pitt <martin.pitt () canonical com> Subject: [Full-disclosure] [USN-255-1] openssh vulnerability To: ubuntu-security-announce () lists ubuntu com Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com Message-ID: <20060221153054.GD5903 () piware de> Content-Type: text/plain; charset="us-ascii" =========================================================== Ubuntu Security Notice USN-255-1 February 21, 2006 openssh vulnerability CVE-2006-0225 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) Ubuntu 5.10 (Breezy Badger) The following packages are affected: openssh-client The problem can be corrected by upgrading the affected package to version 1:3.8.1p1-11ubuntu3.3 (for Ubuntu 4.10), 1:3.9p1-1ubuntu2.2 (for Ubuntu 5.04), or 1:4.1p1-7ubuntu4.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Tomas Mraz discovered a shell code injection flaw in scp. When doing local-to-local or remote-to-remote copying, scp expanded shell escape characters. By tricking an user into using scp on a specially crafted file name (which could also be caught by using an innocuous wild card like '*'), an attacker could exploit this to execute arbitrary shell commands with the privilege of that user. Please be aware that scp is not designed to operate securely on untrusted file names, since it needs to stay compatible with rcp. Please use sftp for automated systems and potentially untrusted file names. Updated packages for Ubuntu 4.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1-11ubuntu3.3.diff.gz Size/MD5: 147804 bcb9840f943cb185fa14cdb6639dc2de http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1-11ubuntu3.3.dsc Size/MD5: 880 64349db6679401abfe0f28f08a46559f http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1.orig.tar.gz Size/MD5: 795948 9ce6f2fa5b2931ce2c4c25f3af9ad50d Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh_3.8.1p1-11ubuntu3.3_all.deb Size/MD5: 30202 dc2297b42ce6e0009b30f76df0778e9c amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.8.1p1-11ubuntu3.3_amd64.udeb Size/MD5: 160136 968b48b5666e275656b20249cb61faa7 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.8.1p1-11ubuntu3.3_amd64.deb Size/MD5: 526002 306594f4386fa65366fe67e1ac9c45cc http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.8.1p1-11ubuntu3.3_amd64.udeb Size/MD5: 176398 480d6b645167bc2e9b533dd76016c429 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.8.1p1-11ubuntu3.3_amd64.deb Size/MD5: 264122 df6c92305d240b32b63a9add7bfc5825 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-11ubuntu3.3_amd64.deb Size/MD5: 53394 b4f5da405cb155f72d9d064a4d50567e i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.8.1p1-11ubuntu3.3_i386.udeb Size/MD5: 134290 7aaca0eb6b603910f3c3bda8d30e3999 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.8.1p1-11ubuntu3.3_i386.deb Size/MD5: 474992 94005876a8f9c45fa315d84264f422ce http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.8.1p1-11ubuntu3.3_i386.udeb Size/MD5: 146996 fbf6d83c68f6999aacbafc98f68eb295 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.8.1p1-11ubuntu3.3_i386.deb Size/MD5: 241898 55dc4bad99928d552819478c0f4d032e http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-11ubuntu3.3_i386.deb Size/MD5: 53072 667eab23d4b9af759774640f38ec22cd powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.8.1p1-11ubuntu3.3_powerpc.udeb Size/MD5: 153126 e59d9aa701310152aa4585b6b3c83df5 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.8.1p1-11ubuntu3.3_powerpc.deb Size/MD5: 523108 59739bfa95120ae0ee193743694a74cb http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.8.1p1-11ubuntu3.3_powerpc.udeb Size/MD5: 160376 7cbb092c954cccb014d1e564b133c1e2 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.8.1p1-11ubuntu3.3_powerpc.deb Size/MD5: 258268 2e38eadac1a298db3c027ee661d8a5e5 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-11ubuntu3.3_powerpc.deb Size/MD5: 54556 131cee0bac5d5cd080675461db8bc0c6 Updated packages for Ubuntu 5.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.9p1-1ubuntu2.2.diff.gz Size/MD5: 140942 2193e3793b51e7024784ec047cf3277c http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.9p1-1ubuntu2.2.dsc Size/MD5: 866 8ec4e326208aae4b8fe90f9cac0a2ca6 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.9p1.orig.tar.gz Size/MD5: 832804 530b1dcbfe7a4a4ce4959c0775b85a5a Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh_3.9p1-1ubuntu2.2_all.deb Size/MD5: 30912 0997c23a603de9b1534ee687851fd38b amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.9p1-1ubuntu2.2_amd64.udeb Size/MD5: 166708 bc3698453fa091e69bc7f1c67b9316ef http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.9p1-1ubuntu2.2_amd64.deb Size/MD5: 543786 d330f2132fb0bf0295b915e7e0a453ba http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.9p1-1ubuntu2.2_amd64.udeb Size/MD5: 179156 7048312720471a8f0c50562c4301a21d http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.9p1-1ubuntu2.2_amd64.deb Size/MD5: 279064 5402baeb9df169b4ce6a6eddfb3a6262 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.9p1-1ubuntu2.2_amd64.deb Size/MD5: 62514 064f02869e9c61a56b8a4e1558d18e2c i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.9p1-1ubuntu2.2_i386.udeb Size/MD5: 139346 9b79999219a1cabd60930e682d671e17 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.9p1-1ubuntu2.2_i386.deb Size/MD5: 492224 757e828a5ccf114fe9c4be9b046850c2 http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.9p1-1ubuntu2.2_i386.udeb Size/MD5: 149016 86ffa618024f36ac0097686b43b1d179 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.9p1-1ubuntu2.2_i386.deb Size/MD5: 255760 11f910249c6b098fce8f8020ce6d3b27 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.9p1-1ubuntu2.2_i386.deb Size/MD5: 62114 d5a4d9ec3011c099d2db314cf615f646 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.9p1-1ubuntu2.2_powerpc.udeb Size/MD5: 159854 f1a90f3cb4151736bed6f263901a4d35 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.9p1-1ubuntu2.2_powerpc.deb Size/MD5: 540312 287aa744564de63043d5bb134d0745d4 http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.9p1-1ubuntu2.2_powerpc.udeb Size/MD5: 163302 1b019329cd84ff0a1f3960565a621fed http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.9p1-1ubuntu2.2_powerpc.deb Size/MD5: 273126 7ec4c43399986224b54d0f41fe8e3416 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.9p1-1ubuntu2.2_powerpc.deb Size/MD5: 63634 b370bc059a12a2ddc3b3afe1f772049d Updated packages for Ubuntu 5.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.1p1-7ubuntu4.1.diff.gz Size/MD5: 156844 b4cdb063563a640093c305e46f1fc87d http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.1p1-7ubuntu4.1.dsc Size/MD5: 971 c80c70c3c63781792a7f39d6ae01940d http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.1p1.orig.tar.gz Size/MD5: 909689 3709109adf0b82176668b3d3478dd033 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh_4.1p1-7ubuntu4.1_all.deb Size/MD5: 1048 859ffbe5d4bd5202a2eebec6e8e9ac81 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.1p1-7ubuntu4.1_amd64.udeb Size/MD5: 162510 1697e11d3a83142a879d04ab7b5e0ac7 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.1p1-7ubuntu4.1_amd64.deb Size/MD5: 584118 3947d62111b5dca4e76344dc8cca254f http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_4.1p1-7ubuntu4.1_amd64.udeb Size/MD5: 179332 51b096a5921f12614a4be6ac578c6685 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.1p1-7ubuntu4.1_amd64.deb Size/MD5: 223756 e73afff943deeda07de98bd52cefb9df http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.1p1-7ubuntu4.1_amd64.deb Size/MD5: 77824 9ce67812f993f2e4e896a46757ccd58d i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.1p1-7ubuntu4.1_i386.udeb Size/MD5: 138126 eff182e04cf9c7990fa49ceeb1d8a227 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.1p1-7ubuntu4.1_i386.deb Size/MD5: 514306 2aa78f38fad06006ac0530af8a45b821 http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_4.1p1-7ubuntu4.1_i386.udeb Size/MD5: 149732 1974bc3bb64c6bd32583b78420a12047 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.1p1-7ubuntu4.1_i386.deb Size/MD5: 195172 df8d26ec28a6487513e2a8a8117fe090 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.1p1-7ubuntu4.1_i386.deb Size/MD5: 77540 9241a0dbcde2f43ca408868be70b0523 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.1p1-7ubuntu4.1_powerpc.udeb Size/MD5: 155720 86eec2f79139f085454334607c10825a http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.1p1-7ubuntu4.1_powerpc.deb Size/MD5: 568402 b295641a03748fa6d8477c6a3ef7b9ec http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_4.1p1-7ubuntu4.1_powerpc.udeb Size/MD5: 163224 497641805869834b9959f0a8ecaf9b46 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.1p1-7ubuntu4.1_powerpc.deb Size/MD5: 215272 85c392d0999eaf9ebe91230392aba50a http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.1p1-7ubuntu4.1_powerpc.deb Size/MD5: 79104 3b6db051e9e4eb17e0024c926aa4d2ac -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 191 bytes Desc: Digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/c3724d87/attachment-0001.bin ------------------------------ Message: 15 Date: Tue, 21 Feb 2006 17:03:08 +0100 From: khaalel <khaalel () gmail com> Subject: [Full-disclosure] msgina.dll To: full-disclosure () lists grok org uk Message-ID: <2d7da9270602210803v2d5f8ff0jc93e4023ba2a663b () mail gmail com> Content-Type: text/plain; charset="iso-8859-1" Hi everyboy, I have to modify the winlogon process for a school project (in order to use a smartcard : I bought some goldcards and javacards). After some time with Google, I find msgina.dll ( http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/msgina.mspx) but I don't know how to modify it (I'm a linux and bsd hacker, windows working is a world I visit rarely...). Did someone already work with this dll?? I'm looking for some code examples, some tutorials, some help to know how to use a smartcard and not login/password at startup... Thanks... -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/8a6fb90c/attachment-0001.html ------------------------------ Message: 16 Date: Tue, 21 Feb 2006 16:03:56 +0000 From: "Robert P. McKenzie" <rmckenzi () rpmdp com> Subject: Re: [Full-disclosure] Compromised host list - some clarification... To: James Lay <jlay () slave-tothe-box net> Cc: Full-disclosure <full-disclosure () lists grok org uk> Message-ID: <43FB39EC.6000303 () rpmdp com> Content-Type: text/plain; charset=ISO-8859-1 James Lay wrote:
So ok.....I'm completely positive I didn't make myself clear at all in my previous message...go me! Here's a web site that I did manage to find that has a current list of open proxies: http://www.samair.ru/proxy/index.htm My hope is that I could find a site that has a list of currently reported open proxies, scanners, and ssh brute force boxes. The RBL's pretty much have smtp covered. I would run a cron job at midnight, wget and grep the file, then create an iptables table to block those hosts. This is an attempt to be more proactive then reactive...if I knew those hosts that were actively doing naughty things, why not block them at the get go? Does this make sense? Am I barking up the wrong tree? Thanks all =)
It's clear, however, as others have pointed out it's far easier to block everything and then selectivily allow what you want to talk to you. How do you think iptables will react if you have say 20,000 entries in it? My guess is it will slow your machines down. Go the sensible route and block everything and permit the much smaller list of hosts to connect to you. ------------------------------ Message: 17 Date: Tue, 21 Feb 2006 08:58:17 -0800 From: Steve Kudlak <chromazine () sbcglobal net> Subject: Re: [Full-disclosure] ?if you are not doing a =?WINDOWS-1252?Q?nything_wrong, _why_should_you_worry_about_it=3F=94?= To: Valdis.Kletnieks () vt edu Cc: "full-disclosure () lists grok org uk" <full-disclosure () lists grok org uk>, Gadi Evron <ge () linuxbox org> Message-ID: <43FB46A9.9000403 () sbcglobal net> Content-Type: text/plain; charset="windows-1252" Valdis.Kletnieks () vt edu wrote:
On Mon, 20 Feb 2006 15:42:35 PST, coderman said:On 2/20/06, Gadi Evron <ge () linuxbox org> wrote:... What's to stop them from putting cameras in our showers, next?ugly fat people nekkid?Guaranteed that there's a market for that, and websites already in existence. ------------------------------------------------------------------------ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
And this is a discussion sure to get us techies marked as crude and mean, luckily we are too bright to be called stupid;) If it is young and attractive and female (most techies are alas still male) it should have on as little clothes as possible and be seen as much as possible. If it is not it should go hide away and we shouldn't see it. Oh well we will get so marked. Have Fun, Sends Steve -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/e0f37938/attachment-0001.html ------------------------------ Message: 18 Date: Tue, 21 Feb 2006 22:33:27 +0530 From: "Prabhat Sharma" <hi.prabhat () gmail com> Subject: [Full-disclosure] www.wpad.net To: full-disclosure () lists grok org uk Message-ID: <78a2a5c0602210903v27a20ee5p4dba08330bd905b () mail gmail com> Content-Type: text/plain; charset="iso-8859-1" Hi, Does anybody's machine also tries to access www.wpad.net. I use dial up to connect to internet and the moment I connect to internet my firewall shows that svchost is trying to access www.wpad.net. I tried visiting www.wpad.netwebsite and the owner of the site says that it is due to some microsoft bug related to Web Proxy Discovery Protocol (WPAD). There is also a link (which I also found in other places after some googling) of a wpad (Web Proxy Auto Discovery Protocol) draft which is drafted by microsoft (That is what the website says). Has anyone else faced this issue or my machine has some unwanted material. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/a267e036/attachment-0001.html ------------------------------ Message: 19 Date: Tue, 21 Feb 2006 18:08:51 +0100 From: "Jan Nielsen" <jan () boyakasha dk> Subject: SV: [Full-disclosure] msgina.dll To: <full-disclosure () lists grok org uk> Message-ID: <20060221170506.7023A262826 () pfepc post tele dk> Content-Type: text/plain; charset="iso-8859-1" I haven't messed with GINA programming myself, but this will probably help you get some basic understanding of it : http://www.codeproject.com/useritems/GINA_SPY.asp Jan _____ Fra: boyakash () cp dnsserverhosting com [mailto:boyakash () cp dnsserverhosting com] P* vegne af khaalel Sendt: 21. februar 2006 17:03 Til: full-disclosure () lists grok org uk Emne: [Full-disclosure] msgina.dll Hi everyboy, I have to modify the winlogon process for a school project (in order to use a smartcard : I bought some goldcards and javacards). After some time with Google, I find msgina.dll ( <http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/secur ity/msgina.mspx> http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/securi ty/msgina.mspx) but I don't know how to modify it (I'm a linux and bsd hacker, windows working is a world I visit rarely...). Did someone already work with this dll?? I'm looking for some code examples, some tutorials, some help to know how to use a smartcard and not login/password at startup... Thanks... -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/af464d12/attachment-0001.html ------------------------------ Message: 20 Date: Tue, 21 Feb 2006 18:33:06 +0100 From: Thierry Carrez <koon () gentoo org> Subject: [Full-disclosure] [ GLSA 200602-12 ] GPdf: Heap overflows in included Xpdf code To: gentoo-announce () lists gentoo org Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com, security-alerts () linuxsecurity com Message-ID: <43FB4ED2.7080601 () gentoo org> Content-Type: text/plain; charset="iso-8859-1" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200602-12 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: GPdf: Heap overflows in included Xpdf code Date: February 21, 2006 Bugs: #121511 ID: 200602-12 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== GPdf includes vulnerable Xpdf code to handle PDF files, making it vulnerable to the execution of arbitrary code. Background ========== GPdf is a Gnome PDF viewer. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-text/gpdf < 2.10.0-r4 >= 2.10.0-r4 Description =========== Dirk Mueller found a heap overflow vulnerability in the XPdf codebase when handling splash images that exceed size of the associated bitmap. Impact ====== An attacker could entice a user to open a specially crafted PDF file with GPdf, potentially resulting in the execution of arbitrary code with the rights of the user running the affected application. Workaround ========== There is no known workaround at this time. Resolution ========== All GPdf users should upgrade to the latest version. # emerge --sync # emerge --ask --oneshot --verbose ">=app-text/gpdf-2.10.0-r4" References ========== [ 1 ] CVE-2006-0301 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0301 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200602-12.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security () gentoo org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.0 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 256 bytes Desc: OpenPGP digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/c158415e/signature-0001.bin ------------------------------ Message: 21 Date: Tue, 21 Feb 2006 12:43:10 -0500 From: TheGesus <thegesus () gmail com> Subject: Re: [Full-disclosure] www.wpad.net To: "Prabhat Sharma" <hi.prabhat () gmail com> Cc: full-disclosure () lists grok org uk Message-ID: <5e70f6530602210943s4b438576v555e099f12db7d0d () mail gmail com> Content-Type: text/plain; charset=ISO-8859-1 On 2/21/06, Prabhat Sharma <hi.prabhat () gmail com> wrote:
Hi, Does anybody's machine also tries to access www.wpad.net. I use dial up to connect to internet and the moment I connect to internet my firewall shows that svchost is trying to access www.wpad.net. I tried visiting www.wpad.net website and the owner of the site says that it is due to some microsoft bug related to Web Proxy Discovery Protocol (WPAD). There is also a link (which I also found in other places after some googling) of a wpad (Web Proxy Auto Discovery Protocol) draft which is drafted by microsoft (That is what the website says). Has anyone else faced this issue or my machine has some unwanted material.
Actually, wpad was invented by Netscape, but screwed up by MS. "wpad." without an extension is something like the 6th or 7th most common illegal DNS lookup. If you deselect "Automatic Discovery" in IE that should put an end to it. That fellow who owns the domain names could do some pretty nasty stuff if he ever decided to turn evil. ------------------------------ Message: 22 Date: Tue, 21 Feb 2006 10:06:50 -0800 From: Dean Pierce <piercede () pdx edu> Subject: Re: [Full-disclosure] Compromised host list - some clarification... To: James Lay <jlay () slave-tothe-box net>, full-disclosure () lists grok org uk Message-ID: <43FB56BA.8090306 () pdx edu> Content-Type: text/plain; charset="iso-8859-1" If you need to protect your ssh from scanners, wouldn't it prolly just be best to block people that are actually scanning you? I use the denyhosts script (watches logs for failed login attempts, and blocks ips based on that), and there are a couple other good ones. The two main problems with your solution is.. 1. how can you trust some magical offsite list so much that you are willing to block traffic based on what it says? 2. how can you believe that such a list would ever be complete, or even through? New machines get taken over all the time, and my guess is that the average lifespan of such machines is about a week or so before an admin sees what's going on. - DEAN James Lay wrote:
So ok.....I'm completely positive I didn't make myself clear at all in my previous message...go me! Here's a web site that I did manage to find that has a current list of open proxies: http://www.samair.ru/proxy/index.htm My hope is that I could find a site that has a list of currently reported open proxies, scanners, and ssh brute force boxes. The RBL's pretty much have smtp covered. I would run a cron job at midnight, wget and grep the file, then create an iptables table to block those hosts. This is an attempt to be more proactive then reactive...if I knew those hosts that were actively doing naughty things, why not block them at the get go? Does this make sense? Am I barking up the wrong tree? Thanks all =) James _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 890 bytes Desc: OpenPGP digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/118a43a2/signature-0001.bin ------------------------------ Message: 23 Date: Tue, 21 Feb 2006 11:32:56 -0700 From: James Lay <jlay () slave-tothe-box net> Subject: Re: [Full-disclosure] Compromised host list - some clarification... To: "Robert P. McKenzie" <rmckenzi () rpmdp com> Cc: Full-disclosure <full-disclosure () lists grok org uk> Message-ID: <20060221113256.4f342f01 () homebox slave-tothe-box net> Content-Type: text/plain; charset=US-ASCII On Tue, 21 Feb 2006 16:03:56 +0000 "Robert P. McKenzie" <rmckenzi () rpmdp com> wrote:
James Lay wrote:So ok.....I'm completely positive I didn't make myself clear at all in my previous message...go me! Here's a web site that I did manage to find that has a current list of open proxies: http://www.samair.ru/proxy/index.htm My hope is that I could find a site that has a list of currently reported open proxies, scanners, and ssh brute force boxes. The RBL's pretty much have smtp covered. I would run a cron job at midnight, wget and grep the file, then create an iptables table to block those hosts. This is an attempt to be more proactive then reactive...if I knew those hosts that were actively doing naughty things, why not block them at the get go? Does this make sense? Am I barking up the wrong tree? Thanks all =)It's clear, however, as others have pointed out it's far easier to block everything and then selectivily allow what you want to talk to you. How do you think iptables will react if you have say 20,000 entries in it? My guess is it will slow your machines down. Go the sensible route and block everything and permit the much smaller list of hosts to connect to you.
Robert, I do understand this, however this would not fit well for services that are for public use..IE web or email I could not simply just deny everyone. But for ports that I do NOT want the public to see you bet...block all is the way to go. Thank you! James ------------------------------ Message: 24 Date: Tue, 21 Feb 2006 13:43:37 -0500 From: Valdis.Kletnieks () vt edu Subject: Re: [Full-disclosure] Compromised hosts lists To: James Lay <jlay () slave-tothe-box net> Cc: Full-disclosure <full-disclosure () lists grok org uk> Message-ID: <200602211843.k1LIhbM7014041 () turing-police cc vt edu> Content-Type: text/plain; charset="us-ascii" On Tue, 21 Feb 2006 07:09:58 MST, James Lay said:
I completely agree for ports that I would have closed, but obviously I could not simply deny *all* traffic for port 25 and 80 let's say, as I want them open to the public.
At which point a list of the 100 million or so compromised machines believed to be out there doesn't do you much good. (Yes, the number is likely to be that high - at one point we were seeing several hundred thousand new zombies *per day*.) If you implement the block list, your machine runs like a pig (how much kernel memory do 100M iptables rules nail down?? ;) And you *still* have to worry about evil packets arriving on ports 25 and/or 80 from machines that haven't been *flagged* as evil yet. (Note that with 100M rules, trying to do even daily syncs is non-trivial - and you're going to want to do this on an hourly basis or so if you want it to be at all useful. When the update takes over an hour, you're in trouble.....) Your only real choice here is to make sure that 25 and 80 (and other outward-facing services) are as bulletproof as possible, against all packets from whatever source, and remain vigilant. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 228 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/65416621/attachment-0001.bin ------------------------------ Message: 25 Date: Tue, 21 Feb 2006 19:14:52 -0000 From: "Dave Korn" <davek_throwaway () hotmail com> Subject: [Full-disclosure] Re: Re: Forum / Site redone To: full-disclosure () lists grok org uk Message-ID: <dtfore$7n5$1 () sea gmane org> Nigel Horne wrote:
Nigel Horne wrote:Thanks for the comments. Site has been redone ( I re-didit ) Feel free to keep the comments coming. http://www.iatechconsulting.comWhy does it attempt to store 2 cookies on my machine when all I do visit your front page?Because that's how PHP tracks your session ID.Needless to say I said "no".Public access websites should not have session IDs just to visit their frontpage.
Like it matters the tiniest little bit at all. You can refuse the cookie if you want. You can accept it if you want the personalisation you'll get. You can set your browser to flush cookies at the end of the session if you don't want the same server to identify you next time. You can hang on to it indefinitely if you do. It takes next to no space on your hard drive, is entirely under your control, and it's not some kind of magical demon sent by the NSA to spy on you, so who cares? You're presenting this claim that "Public access websites" (you mean 'publicly accessible' websites, I take it) "should not have" session IDs. Well, /WHY/ should they not? This claim needs justifying. Ethical reasons? Financial reasons? Health and safety reasons? Aesthetic reasons? Or just because Nigel Horne says so, and whatever he says is so obviously patently right and true that all right-thinking people will just accept your word for it unquestioningly? cheers, DaveK -- Can't think of a witty .sigline today.... ------------------------------ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ End of Full-Disclosure Digest, Vol 12, Issue 39 *********************************************** _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Full-disclosure Digest, Vol 12, Issue 39 DONNY MCCOY (Feb 21)
- Re: Re: Full-disclosure Digest, Vol 12, Issue 39 Valdis . Kletnieks (Feb 21)
- Re: Re: Full-disclosure Digest, Vol 12, Issue 39 Michael Holstein (Feb 21)
- Re: Re: Full-disclosure Digest, Vol 12, Issue 39 Valdis . Kletnieks (Feb 21)