Full Disclosure mailing list archives
Re: NuralStorm Webmail Multiple Vulnerabilities
From: musnt live <musntlive () gmail com>
Date: Thu, 15 Jul 2010 08:55:32 -0400
On Thu, Jul 15, 2010 at 8:22 AM, Justin Klein Keane <justin () madirish net> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, as much as I hate to feed the trolls perhaps I should provide some more context for my evaluation of NuralStorm webmail. The project is indeed quite aged, so much so that you are required to monkey with the default PHP register globals settings to get it to run (which should tip anyone interested in the project off that it might not be safe).
Maybe for to this how disclosure is done in Philadelphia but which I may ask where is this brotherly love of yours.
Unfortunately I actually came across the project because I found it as a service offering from a legitimate company. I was careful to mention the age explicitly in my advisory because I am aware that it isn't a recent project and thus is pretty easy pickings for any dedicated security researcher. Amazingly though, in the eight years since the project has been released there have only been a couple security vulnerabilities disclosed (notably CVE-2006-5386), which might lead a casual observer to conclude that the project was safe for use. I think NuralStorm serves as a great example of the types of false metrics that can sometimes be used to justify security. Nevertheless, it wasn't something I just picked out of the trash bin or dug up on random free software download archives - NuralStorm is actively deployed, unpatched, on the internet, and thus my disclosure was meant to warn folks who might have the project in use, as it is immensely exploitable and no longer under any sort of active development. Unfortunately I won't be able to work with the developers to try and update and secure this project, which should ultimately be the goal of open source security research.
There is be plenty of historic and legacy software installed in many company throughout Internet web history and our first tactical goal is plausible deniability. There is be nothing wrong with security troll researchers downloading all programs, run grep buff *.extension then post advisory. I give is you all credits for respectable research for low hanging fruit. Nothing wrong with digging out random garbage no one care about then writing an exploit that no one too also care about. It is all about security research recognition. When I is come to think of respectable research, I not think of Bellovin, Sotirov, I think of MustLive and his future advisory - he is mindreader like Miss. Cleo, I think of you - you like Marty McFly - go back to the future! SMART! However I must warn full disclosure about is your statement: "NuralStorm is actively deployed, unpatched, on the internet" IIS 5.0 is actively deployed, unpatched, on the Internet: Results 1 - 10 of about 394540 for IIS 5.0 http://www.shodanhq.com/?q=IIS+5.0 Now is you ask yourself a) Should I be so mad? - For any mad Irish is danger to society! Nasty leprechauns bring bad luck! b) Should I write next another advisory against IIS 5.0 because for to it yes be: "is actively deployed, unpatched, on the internet" c) Whore my infinite vulnerability skill and write advisory for you is to share? No, because I musntlive, I give you partial freebie. As always musntlive is at forefront of edgebleed 0day: ProductName: Crystal Reports InternalName: NOFREEBUGS OriginalFilename: NOFREEBUGS ProductVersion: X.X.X.X FileVersion: X.X.X.X Comments: Crystal Reports 0:000> .exr 0xffffffffffffffff ExceptionAddress: xxxxYYYY (nobugsRfree!DllUnregisterServer+0xyyyZZZ188e) ExceptionCode: c0000005 (Access violation) ExceptionFlags: yyyyXXXX NumberParameters: 2 Parameter[0]: yyyyXXXX Parameter[1]: 0badc0de Attempt to read from address 0badc0de 0:000> g (3610.c4e8): Access violation - code c0000005 (!!! second chance !!!) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=0badc0de ebx=yyyyXXXX ecx=yyyyXXXX edx=xyzxy002 esi=zzzzYYYY edi=ababfa60 eip=0badc0de esp=xyxyeb28 ebp=yxyxeb38 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=zxqz0202 nobugsRfree!DllUnregisterServer+0xxxx88e: xxxxYYYY xxxx3800 cmp word ptr [eax],0 ds:0023:0badc0de=???? 0:000> !exploitable -v HostMachine\HostUser Executing Processor Architecture is x64 Debuggee is in User Mode Debuggee is a live user mode debugging session on the local machine Event Type: Exception Exception Faulting Address: 0xffffffff0badc0de First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005) Exception Sub-Type: Read Access Violation Faulting Instruction:xxxxYYYY cmp word ptr [eax],0 Up for sale is +60 0day on SAP. Remote and is local and is client side. For to starting price 1,526,246.00 RUB's serious government agencies is need only apply _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- NuralStorm Webmail Multiple Vulnerabilities Justin C. Klein Keane (Jul 12)
- Re: NuralStorm Webmail Multiple Vulnerabilities musnt live (Jul 12)
- Re: NuralStorm Webmail Multiple Vulnerabilities Pavel Kankovsky (Jul 15)
- Re: NuralStorm Webmail Multiple Vulnerabilities musnt live (Jul 15)
- Re: NuralStorm Webmail Multiple Vulnerabilities Christoph Gruber (Jul 15)
- Re: NuralStorm Webmail Multiple Vulnerabilities Justin Klein Keane (Jul 15)
- Re: NuralStorm Webmail Multiple Vulnerabilities musnt live (Jul 15)
- Re: NuralStorm Webmail Multiple Vulnerabilities Pavel Kankovsky (Jul 15)
- Re: NuralStorm Webmail Multiple Vulnerabilities Valdis . Kletnieks (Jul 15)
- In-band signalling (was: Re: NuralStorm Webmail Multiple Vulnerabilities) Pavel Kankovsky (Jul 17)
- Re: In-band signalling (was: Re: NuralStorm Webmail Multiple Vulnerabilities) Dan Kaminsky (Jul 17)
- Re: In-band signalling (was: Re: NuralStorm Webmail Multiple Vulnerabilities) coderman (Jul 17)
- Re: In-band signalling (was: Re: NuralStorm Webmail Multiple Vulnerabilities) Pavel Kankovsky (Jul 24)
- Re: NuralStorm Webmail Multiple Vulnerabilities musnt live (Jul 12)