Full Disclosure mailing list archives
unsubscribe
From: "Tucker Jeff" <Jeff.Tucker () HCAHealthcare com>
Date: Mon, 19 Mar 2007 07:27:36 -0500
unsubscribe -----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of full-disclosure-request () lists grok org uk Sent: Monday, March 19, 2007 7:00 AM To: full-disclosure () lists grok org uk Subject: Full-Disclosure Digest, Vol 25, Issue 27 Send Full-Disclosure mailing list submissions to full-disclosure () lists grok org uk To subscribe or unsubscribe via the World Wide Web, visit https://lists.grok.org.uk/mailman/listinfo/full-disclosure or, via email, send a message with subject or body 'help' to full-disclosure-request () lists grok org uk You can reach the person managing the list at full-disclosure-owner () lists grok org uk When replying, please edit your Subject line so it is more specific than "Re: Contents of Full-Disclosure digest..." Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you. Today's Topics: 1. Web Security and Bookmarklet Exploits (pdp (architect)) 2. [SECURITY] [DSA 1269-1] New lookup-el packages fix insecure temporary file (Martin Schulze) 3. nac-gaf spam attacks (Steve Cooperman) 4. [ GLSA 200703-17 ] ulogd: Remote execution of arbitrary code (Raphael Marichez) 5. [ GLSA 200703-18 ] Mozilla Thunderbird: Multiple vulnerabilities (Raphael Marichez) 6. [ GLSA 200703-19 ] LTSP: Authentication bypass in included LibVNCServer code (Raphael Marichez) 7. [ GLSA 200703-20 ] LSAT: Insecure temporary file creation (Raphael Marichez) 8. Re: [WEB SECURITY] GMail Contact Information Disclosure PoC (chris () thatsrightrecords com) ---------------------------------------------------------------------- Message: 1 Date: Sun, 18 Mar 2007 08:58:20 +0000 From: "pdp (architect)" <pdp.gnucitizen () googlemail com> Subject: [Full-disclosure] Web Security and Bookmarklet Exploits To: full-disclosure () lists grok org uk, "WASC Forum" <websecurity () webappsec org>, "webappsec @OWASP" <webappsec () lists owasp org> Message-ID: <6905b1570703180158q6f58e756s1b9b41027180150 () mail gmail com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed http://www.gnucitizen.org/blog/sex-candies-and-bookmarklet-exploits http://www.gnucitizen.org/projects/technika/ I have rolled out a new Technika browser extension. It is very small and extremely fast. Technika also integrates with Firebug, so you can easily test and compose Bookmarklets on the fly. The article that I pointed above discusses how Bookmarklets can be used to compose web app exploits. There is a framework similar to metasploit that will come out very soon. I thought that it might be a good idea to share these ideas now, so the community knows what to expect in the future. Thanks. -- pdp (architect) | petko d. petkov http://www.gnucitizen.org ------------------------------ Message: 2 Date: Sun, 18 Mar 2007 18:37:56 +0100 (CET) From: joey () infodrom org (Martin Schulze) Subject: [Full-disclosure] [SECURITY] [DSA 1269-1] New lookup-el packages fix insecure temporary file To: debian-security-announce () lists debian org (Debian Security Announcements) Message-ID: <20070318173756.A37E7100E1 () finlandia home infodrom org> Content-Type: text/plain; charset=iso-8859-1 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ -- Debian Security Advisory DSA 1269-1 security () debian org http://www.debian.org/security/ Martin Schulze March 18th, 2007 http://www.debian.org/security/faq - ------------------------------------------------------------------------ -- Package : lookup-el Vulnerability : insecure temporary file Problem type : local Debian-specific: no CVE ID : CVE-2007-0237 Tatsuya Kinoshita discovered that Lookup, a search interface to electronic dictionaries on emacsen, creates a temporary file in an insecure fashion when the ndeb-binary feature is used, which allows a local attacker to craft a symlink attack to overwrite arbitrary files. For the stable distribution (sarge) this problem has been fixed in version 1.4-3sarge1. For the testing distribution (etch) this problem has been fixed in version 1.4-5. For the unstable distribution (sid) this problem has been fixed in version 1.4-5. We recommend that you upgrade your lookup-el package. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/l/lookup-el/lookup-el_1.4-3 sarge1.dsc Size/MD5 checksum: 585 2daf45b112f1b688658faf610308962e http://security.debian.org/pool/updates/main/l/lookup-el/lookup-el_1.4-3 sarge1.diff.gz Size/MD5 checksum: 7115 f27e58e4ea0df6b08e808624a8fcb4e2 http://security.debian.org/pool/updates/main/l/lookup-el/lookup-el_1.4.o rig.tar.gz Size/MD5 checksum: 349751 05d12aa8921969b449a6f2a47bb00247 Architecture independent components: http://security.debian.org/pool/updates/main/l/lookup-el/lookup-el_1.4-3 sarge1_all.deb Size/MD5 checksum: 228002 30c9393256c1029e3742892e3bc16a6f These files will probably be moved into the stable distribution on its next update. - ------------------------------------------------------------------------ --------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce () lists debian org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFF/Xj0W5ql+IAeqTIRAofWAJ4m3KwS80yMHa+SdKSWRF9bK3A/IwCeKebE 0IJmw3+CLfosO3982ZdVry4= =czbW -----END PGP SIGNATURE----- ------------------------------ Message: 3 Date: Sun, 18 Mar 2007 16:56:44 -0400 From: "Steve Cooperman" <worried () gmail com> Subject: [Full-disclosure] nac-gaf spam attacks To: full-disclosure () lists grok org uk Message-ID: <a50eeaa10703181356q53f983dbh65edc5266d04af0b () mail gmail com> Content-Type: text/plain; charset="iso-8859-1" Good Afternoon, I'm seeing wide-spread spam attacks across several different shared hosting servers, operated by multiple companies. The attacks forge emails on the fly, and follow a pattern. The spam first takes the client's domain name, for example, plastic.com. Then adds the word "nac" to the beginning, and "gaf" to the end, making the from email address nacplasticgaf () plastic com . If the domain were rockin.com, the email would be nacrockingaf () rockin com . Byob.com, nacbyobgaf () byob com, etc. Has anyone else noticed this trend this afternoon? It seems they just started a couple of hours ago. It doesn't seem like a security risk, just standard forging of email headers. The main company I work for makes use of SPF, however not every mail server on the internet makes use of it. I'm only submitting this because it seems like a wide-spread issue this afternoon. All the best, Mike Bailey -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070318/ bad87890/attachment-0001.html ------------------------------ Message: 4 Date: Sun, 18 Mar 2007 22:41:25 +0100 From: Raphael Marichez <falco () gentoo org> Subject: [Full-disclosure] [ GLSA 200703-17 ] ulogd: Remote execution of arbitrary code To: gentoo-announce () gentoo org Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com, security-alerts () linuxsecurity com Message-ID: <20070318214125.GE12255 () falco falcal net> Content-Type: text/plain; charset="us-ascii" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200703-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: ulogd: Remote execution of arbitrary code Date: March 18, 2007 Bugs: #161882 ID: 200703-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== ulogd contains a possible buffer overflow potentially allowing for the remote execution of arbitrary code. Background ========== ulogd is a userspace daemon for netfilter related logging. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-admin/ulogd < 1.23-r1 >= 1.23-r1 Description =========== SUSE reported unspecified buffer overflows in ulogd involving the calculation of string lengths. Impact ====== A remote attacker could trigger a possible buffer overflow through unspecified vectors, potentially leading to the remote execution of arbitrary code with the rights of the user running the ulogd daemon, or more probably leading to the crash of the daemon. Workaround ========== There is no known workaround at this time. Resolution ========== All ulogd users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-admin/ulogd-1.23-r1" References ========== [ 1 ] CVE-2007-0460 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0460 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200703-17.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security () gentoo org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 481 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070318/ adca95af/attachment-0001.bin ------------------------------ Message: 5 Date: Sun, 18 Mar 2007 22:44:48 +0100 From: Raphael Marichez <falco () gentoo org> Subject: [Full-disclosure] [ GLSA 200703-18 ] Mozilla Thunderbird: Multiple vulnerabilities To: gentoo-announce () gentoo org Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com, security-alerts () linuxsecurity com Message-ID: <20070318214448.GG12255 () falco falcal net> Content-Type: text/plain; charset="us-ascii" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200703-18 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Mozilla Thunderbird: Multiple vulnerabilities Date: March 18, 2007 Bugs: #165555 ID: 200703-18 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been reported in Mozilla Thunderbird, some of which may allow user-assisted arbitrary remote code execution. Background ========== Mozilla Thunderbird is a popular open-source email client from the Mozilla Project. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 mozilla-thunderbird < 1.5.0.10 >= 1.5.0.10 2 mozilla-thunderbird-bin < 1.5.0.10 >= 1.5.0.10 ------------------------------------------------------------------- 2 affected packages on all of their supported architectures. ------------------------------------------------------------------- Description =========== Georgi Guninski reported a possible integer overflow in the code handling text/enhanced or text/richtext MIME emails. Additionally, various researchers reported errors in the JavaScript engine potentially leading to memory corruption. Additionally, the binary version of Mozilla Thunderbird includes a vulnerable NSS library which contains two possible buffer overflows involving the SSLv2 protocol. Impact ====== An attacker could entice a user to read a specially crafted email that could trigger one of the vulnerabilities, some of them being related to Mozilla Thunderbird's handling of JavaScript, possibly leading to the execution of arbitrary code. Workaround ========== There is no known workaround at this time for all of these issues, but some of them can be avoided by disabling JavaScript. Note that the execution of JavaScript is disabled by default and enabling it is strongly discouraged. Resolution ========== All Mozilla Thunderbird users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-1.5.0.10" All Mozilla Thunderbird binary users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-1.5.0.10" References ========== [ 1 ] CVE-2007-0008 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0008 [ 2 ] CVE-2007-0009 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0009 [ 3 ] CVE-2007-0775 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0775 [ 4 ] CVE-2007-0776 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0776 [ 5 ] CVE-2007-0777 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0777 [ 6 ] CVE-2007-1282 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1282 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200703-18.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security () gentoo org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 481 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070318/ 51afe7c1/attachment-0001.bin ------------------------------ Message: 6 Date: Sun, 18 Mar 2007 22:49:41 +0100 From: Raphael Marichez <falco () gentoo org> Subject: [Full-disclosure] [ GLSA 200703-19 ] LTSP: Authentication bypass in included LibVNCServer code To: gentoo-announce () gentoo org Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com, security-alerts () linuxsecurity com Message-ID: <20070318214941.GI12255 () falco falcal net> Content-Type: text/plain; charset="us-ascii" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200703-19 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: LTSP: Authentication bypass in included LibVNCServer code Date: March 18, 2007 Bugs: #142661 ID: 200703-19 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== LTSP includes a version of libVNCServer that is vulnerable to an authentication bypass. Background ========== The Linux Terminal Server Project adds thin-client support to Linux servers. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/ltsp < 4.2-r1 >= 4.2-r1 Description =========== The LTSP server includes vulnerable LibVNCServer code, which fails to properly validate protocol types effectively letting users decide what protocol to use, such as "Type 1 - None" (GLSA-200608-05). The LTSP VNC server will accept this security type, even if it is not offered by the server. Impact ====== An attacker could exploit this vulnerability to gain unauthorized access with the privileges of the user running the VNC server. Workaround ========== There is no known workaround at this time. Resolution ========== All LTSP users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/ltsp-4.2-r1" References ========== [ 1 ] CVE-2006-2450 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2450 [ 2 ] GLSA 200608-05 http://www.gentoo.org/security/en/glsa/glsa-200608-05.xml Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200703-19.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security () gentoo org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 481 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070318/ e1bf41b3/attachment-0001.bin ------------------------------ Message: 7 Date: Sun, 18 Mar 2007 22:52:37 +0100 From: Raphael Marichez <falco () gentoo org> Subject: [Full-disclosure] [ GLSA 200703-20 ] LSAT: Insecure temporary file creation To: gentoo-announce () gentoo org Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com, security-alerts () linuxsecurity com Message-ID: <20070318215237.GK12255 () falco falcal net> Content-Type: text/plain; charset="us-ascii" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200703-20 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Low Title: LSAT: Insecure temporary file creation Date: March 18, 2007 Bugs: #159542 ID: 200703-20 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== LSAT insecurely creates temporary files which can lead to symlink attacks allowing a local user to overwrite arbitrary files. Background ========== The Linux Security Auditing Tool (LSAT) is a post install security auditor which checks many system configurations and local network settings on the system for common security or configuration errors and for packages that are not needed. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-admin/lsat <= 0.9.2 Vulnerable! ------------------------------------------------------------------- NOTE: Certain packages are still vulnerable. Users should migrate to another package if one is available or wait for the existing packages to be marked stable by their architecture maintainers. Description =========== LSAT insecurely writes in /tmp with a predictable filename. Impact ====== A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When the LSAT script is executed, this would result in the file being overwritten with the rights of the user running the software, which could be the root user. Workaround ========== There is no known workaround at this time. Resolution ========== Since LSAT is not actively maintained anymore, this package has been masked. All LSAT users are advised to unmerge it. # emerge --ask --unmerge "app-admin/lsat" Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200703-20.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security () gentoo org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 481 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070318/ 839bedab/attachment-0001.bin ------------------------------ Message: 8 Date: Sun, 18 Mar 2007 21:10:01 -0700 From: <chris () thatsrightrecords com> Subject: Re: [Full-disclosure] [WEB SECURITY] GMail Contact Information Disclosure PoC To: "'beNi'" <backebackekuchen () gmail com>, <websecurity () webappsec org>, "'RSnake'" <h () ckers org>, <full-disclosure () lists grok org uk> Message-ID: <00f001c769dc$793422d0$030ba8c0 () redmond corp microsoft com> Content-Type: text/plain; charset="us-ascii" Nice find. There's a common problem when an organization gets so large that the right hand doesn't talk to the left. I'm not sure what the AuthToken would be useful for, I don't see it anywhere in my authenticated request (e.g. not in the cookie or any other data). The XSS is more nasty than the XML data though, because from what I can tell a login to gmail sets a cookie for .google.com, allowing you to use your same XSS to get the contact list from a one-click (or XSRF) attack to the gmail call which returns the same contact list. Both are nasty because they're serving up that data over non-SSL channels. -----Original Message----- From: beNi [mailto:backebackekuchen () gmail com] Sent: Wednesday, March 14, 2007 11:57 AM To: websecurity () webappsec org; RSnake; full-disclosure () lists grok org uk Subject: [WEB SECURITY] GMail Contact Information Disclosure PoC This is my GMail Contact information Disclosure Proof Of Concept Exploit, allowing you to read the Email addresses of all contacts of the currently logged in Google user. http://mybeni.rootzilla.de/mybeNi/2007/gmail_information_disclosure/ (It also Allows you to check if someone is currently logged into Google Services + Serves you the Authentication Token) have fun and cheers, benjamin -- benjamin "beNi" flesch mybeNi.tk websecurity - http://mybeNi.rootzilla.de/mybeNi/ (coolest guy in da hood) ------------------------------------------------------------------------ ---- Join us on IRC: irc.freenode.net #webappsec Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/ Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed] ------------------------------ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ End of Full-Disclosure Digest, Vol 25, Issue 27 *********************************************** _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- unsubscribe Tucker Jeff (Mar 19)