Full Disclosure mailing list archives
RE: Full-disclosure Digest, Vol 11, Issue 5
From: "Horatiu Bandoiu" <horatiu () provision ro>
Date: Thu, 5 Jan 2006 10:39:59 +0200
Dear Biljana,

Just a brief answer as I have a bad Internet connection till Monday.

You can count on the 2 CISSPs we have for the moment (this year I will have 3 or 4 CISSPs in my team): Stefan Catrinescu and Ionut Boldizsar. Stefan still has to finalize the documentation for getting the certification (endorsement, stuff like this) but he has passed the exam, and Ionut is OK with all. If needed, I can involve several more certified people (as we are organizing the exams, I have full access to the list).

I hope it helps.

Kind regards,
Horatiu

--|------|||||-------|||--|----|||||--||-------|||||--||---
We PROtect your business VISION!
-------------------------------------
Horatiu BANDOIU
Business Unit Manager
Provision - information Security Expert Center (iSEC)
Tel: 0040 21 321 37 49
Fax: 0040 21 323 65 70
e-mail: horatiu () provision ro
http://www.provision.ro

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of full-disclosure-request () lists grok org uk
Sent: Tuesday, January 03, 2006 2:00 PM
To: full-disclosure () lists grok org uk
Subject: Full-disclosure Digest, Vol 11, Issue 5

Send Full-Disclosure mailing list submissions to
    full-disclosure () lists grok org uk

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.grok.org.uk/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
    full-disclosure-request () lists grok org uk

You can reach the person managing the list at
    full-disclosure-owner () lists grok org uk

When replying, please edit your Subject line so it is more specific than "Re: Contents of Full-Disclosure digest..."

Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you.

Today's Topics:

   1. Re: Buffer Overflow vulnerability in Windows Display Manager [Suspected] (ad () heapoverflow com)
   2. Re: Win32 Heap Exploits (Nicolas RUFF)
   3. Re: Buffer Overflow vulnerability in Windows Display Manager [Suspected] (InfoSecBOFH)
   4. Re: Buffer Overflow vulnerability in Windows Display Manager [Suspected] (InfoSecBOFH)
   5. Re: WMF round-up, updates and de-mystification (InfoSecBOFH)
   6. Re: WMF round-up, updates and de-mystification (InfoSecBOFH)

----------------------------------------------------------------------

Message: 1
Date: Tue, 03 Jan 2006 11:12:08 +0100
From: "ad () heapoverflow com" <ad () heapoverflow com>
Subject: Re: [Full-disclosure] Buffer Overflow vulnerability in Windows Display Manager [Suspected]
To: Sumit Siddharth <sumit.siddharth () gmail com>, full-disclosure () lists grok org uk
Message-ID: <43BA4DF8.20907 () heapoverflow com>
Content-Type: text/plain; charset=ISO-8859-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I haven't got such a driver here; it should be a third-party driver security bug, probably within "Controller Hub for Intel Graphics Driver"
http://www.dynamiclink.nl/htmfiles/rframes/sys-i01.htm

Sumit Siddharth wrote:
> I think the problem is with the intel driver and particularly with file ialmnt5.sys
> Hope it helps
> Sumit
>
> On 1/3/06, Sumit Siddharth <sumit.siddharth () gmail com> wrote:
>> Dear All,
>> Sorry for the delayed response. I had success in exploiting it remotely by a simple javascript <script>window.open("http://aa...");</script>. But I think it doesn't work with some drivers. I am using XP Professional SP2 and Firefox 1.0.6. I am using a string of about 53,000 chars to overflow the buffer.
>> Thanks
>> Sumit
>> --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iQIVAwUBQ7pN+K+LRXunxpxfAQKBqA//YxoeFIr1rkaCixpPr34+KpDiUAKN7xss
M6ZH3ZmpqZ03yLajS8XBWIyv5uTXDuLhUQrrObvak4n6mQ+7g6YffEYQBNyIcsEm
Gxyd8uDmkwX9MeAslByvrqobj/6i4oC4sj5Lq9Ui/JCqsw5KNaBP8ZAym48HiMFM
bI3kqvSGVm++bavWrK8+FunnVHCSDezFL64Jxh6MAVU2MNR+Z2qufC+aQtIpGw7s
nyWisynx6csTp9US5qmeuVdrcwk9DeACzX+z5eAEaevLRcl7ElcpcMht21U5scMd
FTLTtN9Ao4hewQrOe05BAo3AwNmzpt3Kgay3DLtN/n7a9LqPifw9FKp5EtdYLKyM
R16AwG5PaYQXrnsY0Udwz4yAYucEYjEOSyslVf4VILyzFWdKfAgXApbbr4W2nKXx
VQ0BBWbOYnAuAPJYk85WpAZfbFX98tglGTGT/0XRO3Buyk5T50AC4VqxlF17w7+8
T6bO74xpZNi5t5fzFTqt5kZZZ6IXfSonu/SVA/tfiOJwIExo7zEUwu4vsYoMtxaR
HqFlMQyuJhp0aTjaggrFaYQ8XR7tnZherteAYdaw0k3mUPCWfXR3xz26daOpUDKu
ewsDbuq+cglVD5qym246WVYSyiPLKKBXvWPLbuoG5ngqmyQiKydIQ9UMMdJvHh5c
7DtDjiHOH8s=
=VEy3
-----END PGP SIGNATURE-----

------------------------------

Message: 2
Date: Tue, 03 Jan 2006 11:42:21 +0100
From: Nicolas RUFF <nicolas.ruff () gmail com>
Subject: Re: [Full-disclosure] Win32 Heap Exploits
To: Stefan Lochbihler <steve01 () chello at>
Cc: full-disclosure () lists grok org uk
Message-ID: <43BA550D.2090509 () gmail com>
Content-Type: text/plain; charset=ISO-8859-1
> But if I execute the server without ollydbg, nothing happens. Does anybody have an idea what I am doing wrong? Tested on a WinXP SP1 system.

As pointed out multiple times, the Windows heap is not the same whether the program is flagged as "being debugged" or not. You should always *attach* the debugger to the process and not run the process from within the debugger.

Regards,
- Nicolas RUFF

------------------------------

Message: 3
Date: Tue, 3 Jan 2006 03:32:29 -0800
From: InfoSecBOFH <infosecbofh () gmail com>
Subject: Re: [Full-disclosure] Buffer Overflow vulnerability in Windows Display Manager [Suspected]
To: Sumit Siddharth <sumit.siddharth () gmail com>
Cc: full-disclosure () lists grok org uk
Message-ID: <2be58a30601030332t59b2ae5fj5ff97afc45580a9b () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

I have only replicated this with the intel driver. Have tried others and no dice.

On 1/3/06, Sumit Siddharth <sumit.siddharth () gmail com> wrote:
> I think the problem is with the intel driver and particularly with file ialmnt5.sys
> Hope it helps
> Sumit
>
> On 1/3/06, Sumit Siddharth <sumit.siddharth () gmail com> wrote:
>> Dear All,
>> Sorry for the delayed response. I had success in exploiting it remotely by a simple javascript <script>window.open("http://aa...");</script>. But I think it doesn't work with some drivers. I am using XP Professional SP2 and Firefox 1.0.6. I am using a string of about 53,000 chars to overflow the buffer.
>> Thanks
>> Sumit
>> --
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
------------------------------

Message: 4
Date: Tue, 3 Jan 2006 03:33:21 -0800
From: InfoSecBOFH <infosecbofh () gmail com>
Subject: Re: [Full-disclosure] Buffer Overflow vulnerability in Windows Display Manager [Suspected]
To: Full-Disclosure <full-disclosure () lists grok org uk>
Message-ID: <2be58a30601030333x3d7c4fc7v24fa1632f7be1626 () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

Oh.. and by the way... only works with the intel driver (and only a couple different versions) and is not exploitable... this is a DoS and nothing more.

On 1/3/06, InfoSecBOFH <infosecbofh () gmail com> wrote:
> I have only replicated this with the intel driver. Have tried others and no dice.
>
> On 1/3/06, Sumit Siddharth <sumit.siddharth () gmail com> wrote:
>> I think the problem is with the intel driver and particularly with file ialmnt5.sys
>> Hope it helps
>> Sumit
>>
>> On 1/3/06, Sumit Siddharth <sumit.siddharth () gmail com> wrote:
>>> Dear All,
>>> Sorry for the delayed response. I had success in exploiting it remotely by a simple javascript <script>window.open("http://aa...");</script>. But I think it doesn't work with some drivers. I am using XP Professional SP2 and Firefox 1.0.6. I am using a string of about 53,000 chars to overflow the buffer.
>>> Thanks
>>> Sumit
>>> --
------------------------------

Message: 5
Date: Tue, 3 Jan 2006 03:34:46 -0800
From: InfoSecBOFH <infosecbofh () gmail com>
Subject: Re: [Full-disclosure] WMF round-up, updates and de-mystification
To: Gadi Evron <ge () linuxbox org>
Cc: "FunSec [List]" <funsec () linuxbox org>, "full-disclosure () lists grok org uk" <full-disclosure () lists grok org uk>, bugtraq () securityfocus com
Message-ID: <2be58a30601030334r37d3dam19df4ee9fbaf9f07 () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

So this patch is trusted because you said so? I have tested and confirmed that this patch only works in specific scenarios and does not mitigate the entire issue. Variations still work.

On 1/3/06, Gadi Evron <ge () linuxbox org> wrote:
> Quite a bit of confusion and a vast amount of information coming from all directions about the WMF 0day. Here are some URLs and generic facts to set us straight.
>
> The "patch" by Ilfak Guilfanov works, but by disabling a DLL in Windows.
>
> So far no problems have been observed by anyone using this patch. You should naturally check it out for yourselves, but I and many others recommend it until Microsoft bothers to show up with their own patch.
>
> Ilfak is trusted and is in no way a Bad Guy. You can find more information about it at his blog:
> http://www.hexblog.com/2005/12/wmf_vuln.html
>
> If you are still not sure about the patch by Ilfak, check out the discussion of it going on in the funsec list about the patch, with Ilfak participating:
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
>
> Occasional information of new WMF problems keeps coming in over there.
>
> In this URL you can find the best summary I have seen of the WMF issue:
> http://isc.sans.org/diary.php?storyid=994
> by the "SANS ISC diary" team.
>
> In this URL you can find the best write-up I have seen on the WMF issue:
> http://blogs.securiteam.com/index.php/archives/167
> By Matthew Murphy at the "Securiteam Blogs".
>
> Also, it should be noted at this time that since the first public discovery of this "problem", a new one has been coming in - every day. All the ones seen so far are variants of the original and in all ways the SAME problem. So, it would be best to acknowledge them as the same... or we will keep having a NEW 0day which really isn't for about 2 months when all these few dozen variations are exhausted.
>
> A small BUT IMPORTANT correction for future generations:
> The 0day was originally found and reported by Hubbard Dan from Websense on a closed vetted security mailing list, and later on at the Websense public page.
>
> All those who took credit for it took it wrongly.
>
> Thanks, and a better new year to us all,
>
> Gadi.
------------------------------

Message: 6
Date: Tue, 3 Jan 2006 03:37:09 -0800
From: InfoSecBOFH <infosecbofh () gmail com>
Subject: Re: [Full-disclosure] WMF round-up, updates and de-mystification
To: Gadi Evron <ge () linuxbox org>
Cc: "FunSec [List]" <funsec () linuxbox org>, "full-disclosure () lists grok org uk" <full-disclosure () lists grok org uk>, bugtraq () securityfocus com
Message-ID: <2be58a30601030337i2cba5f87i6b56e4799d897d5f () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

On 1/3/06, Gadi Evron <ge () linuxbox org> wrote:
> A small BUT IMPORTANT correction for future generations:
> The 0day was originally found and reported by Hubbard Dan from Websense on a closed vetted security mailing list, and later on at the Websense public page.
>
> All those who took credit for it took it wrongly.
Yes, important if you are a marketing guy or if your mouth is planted firmly on the websense dick. I am sure most of us are part of other and even private mailing lists. So the credit for discovery should go to whomever first PUBLICLY disclosed the vuln. I have no idea who that was, but thanks to a certain few I saw this vuln in early December.

------------------------------

End of Full-Disclosure Digest, Vol 11, Issue 5
**********************************************