Date: Tue, 24 Mar 2009 15:34:32 -0400
From: Rubén Camarero <rjcamarero@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: nVidia.com [Url Redirection flaw]

I am only stating that the bug posted here isn't serious. I agree with you
on the other issues, more or less anyways.

On Tue, Mar 24, 2009 at 3:30 PM, <mac.user@....hush.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> nvidia has a poor track record with security.  I'm citing two
> examples.  One is on their website, and one is in their drivers.
> Can you cite anything they have done right?  Your effective arguing
> strategies make you a top nominee for Gadi Evron's no-swearing
> event at defcon.
>
> On Tue, 24 Mar 2009 15:27:09 -0400 Rubén Camarero
> <rjcamarero@...il.com> wrote:
> >That example has nothing to do with this particular bug. Using
> >multiple exclamation or question marks does not help your ineffective
> >argument, either.
> >
> >On Tue, Mar 24, 2009 at 3:15 PM, <mac.user@....hush.com> wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> With all due respect, my corned beef and sauerkraut smelling
> >> friend, I am simply pointing out that when it comes to security
> >> nvidia is clueless.  Do you not remember the great debacle of 2006
> >> when Rapid7 showed off remote kernel exploitation of the nvidia
> >> driver by web browser?  http://kerneltrap.org/node/7228 should
> >> refresh your memory.  40 million lost credit cards but at least
> >> they put nvidia in their rightful place and have their priorities
> >> in order.  And speaking of security concerns and nvidia, why do you
> >> think Microsoft didn't use nvidia in their trusted gaming platform
> >> xbox360????  Everyone in our industry knows that nvidia is shit for
> >> security, even their javascript sucks!!!
> >>
> >>
> >> On Tue, 24 Mar 2009 14:45:46 -0400 Rubén Camarero
> >> <rjcamarero@...il.com> wrote:
> >> >If ATI and nVidia were web content developers, this may be a valid
> >> >argument, but they are not. They are graphics vendors, hardware and
> >> >software. Not to mention the fact that this isn't a "serious" issue.
> >> >RFI is a serious issue, IMHO.
> >> >
> >> >On Tue, Mar 24, 2009 at 1:37 PM, <mac.user@....hush.com> wrote:
> >> >
> >> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> >> Hash: SHA1
> >> >>
> >> >> I have been saying for years that ATI is better than nvidia and
> >> >> here is just one more reason!  You don't see serious issues like
> >> >> this with ATI's website.
> >> >>
> >> >> On Tue, 24 Mar 2009 10:13:21 -0400 Lorenzo Vogelsang
> >> >> <vogelsang.lorenzo@...il.com> wrote:
> >> >> >Hi all, I'm new to the list. I'm an Italian student who likes
> >> >> >security topics in the I.C.T. world.
> >> >> >
> >> >> >Browsing the nVidia web sites, I have found a very basic Url
> >> >> >redirection flaw. In fact when downloading a driver I get Urls like this:
> >> >> >
> >> >> >http://www.nvidia.com/content/DriverDownload/download_confirmation.asp?kw=&url=http://us.download.nvidia.com/Windows/179.48/179.48_notebook_winxp_64bit_beta.exe
> >> >> >
> >> >> >and connecting to this other Url
> >> >> >
> >> >> >http://www.nvidia.com/content/DriverDownload/download_confirmation.asp?kw=&url=http://www.google.it
> >> >> >
> >> >> >will redirect successfully to www.google.it! (or other web site of
> >> >> >your choice, or downloadable content..)
> >> >> >
> >> >> >Enjoy!
> >> >> >
> >> >> >Lorenzo Vogelsang.
> >> >> -----BEGIN PGP SIGNATURE-----
> >> >> Charset: UTF8
> >> >> Version: Hush 3.0
> >> >> Note: This signature can be verified at https://www.hushtools.com/verify
> >> >>
> >> >> wpwEAQMCAAYFAknJGmEACgkQfuF4tUz/X+KtEQP/fg36QI6yY9Hw6Q5eOsLUBGtPjg9/
> >> >> kxEmlsVdQl23h92FU75bHiOHhDMo7nLMCbHH7HHZDMvEw05OCDBaOqTx54xyTHBayH4s
> >> >> xf4joU8LSrTOFrklgT7tGXr+AMIfi4ypgIXzRv6Gx0vD3EAKIR3KWL4qFtg/OahHkl7q
> >> >> jOiz888=
> >> >> =2MOh
> >> >> -----END PGP SIGNATURE-----
> >> >>
> >> >> --
> >> >> Can't pay your bills?  Click here to learn about filing for bankruptcy.
> >> >>
> >> >> http://tagline.hushmail.com/fc/BLSrjkqhNChbdTZRNxLsL4IFkcZYo7APte6MFdjI1xth2KPqL4lm3VupTlG/
> >> >>
> >> >> _______________________________________________
> >> >> Full-Disclosure - We believe in it.
> >> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> >> Hosted and sponsored by Secunia - http://secunia.com/
> >> >>
> >> >
> >> >
> >> >
> >> >--
> >> >Rubén Camarero
> >> >CCNA, CISSP
> >> -----BEGIN PGP SIGNATURE-----
> >> Charset: UTF8
> >> Version: Hush 3.0
> >> Note: This signature can be verified at https://www.hushtools.com/verify
> >>
> >> wpwEAQMCAAYFAknJMWoACgkQfuF4tUz/X+LbggP9GPddhDh3krXB3ieyORr5Yd2RdE6l
> >> foRgQOUAaXbnpxc+d2XFByNe8wAYHF+dheNou5cb0XBF99NmW4wt2uoR57/7PmSp6zdM
> >> 1bsBzocX6Kkpbl38bMf4ZG/OlEz7cqfNOGExPE5cicr2Y462fk/BAWfUWV6B82ieWz4Z
> >> BbBeab8=
> >> =ZiqN
> >> -----END PGP SIGNATURE-----
> >>
> >> --
> >> Click to compare and save on auto insurance.
> >>
> >> http://tagline.hushmail.com/fc/BLSrjkqePmfJGmpcWA2Xcaz2NXhk84bAM4HxiigERihBJ2ZwE0pe0OeJOxS/
> >>
> >>
> >
> >
> >--
> >Rubén Camarero
> >CCNA, CISSP
> -----BEGIN PGP SIGNATURE-----
> Charset: UTF8
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 3.0
>
> wpwEAQMCAAYFAknJNO4ACgkQfuF4tUz/X+JobQP/fKdv2DPbFGfAh8+N6GsdKO7ct1BP
> 2h0sXd57nD6bKwOi8CiOZR3/fMjyl72R0xuS0Gtq8PhkX/mMo8GGaHw0h8DdHJ0DIAbj
> kAY4Pc/oNXtRaO0UoCT0CJA04M9wIgdR0batMc9N0PHhI7Z041w7ycSohm9Q5u6UR9iB
> R3X0sRc=
> =ucxK
> -----END PGP SIGNATURE-----
>
> --
> Click here for free information on how to reduce your debt by filing for
> bankruptcy.
>
> http://tagline.hushmail.com/fc/BLSrjkqhNCha09Yyoll97un6Gs8mL19gd7D3JKfsHHWsIQfxfuSbfcMocNq/
>
>


-- 
Rubén Camarero
CCNA, CISSP


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
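The bug Lorenzo reports is an open redirect: the download_confirmation page sends the browser to whatever the `url` query parameter names, so a link on nvidia.com can land a visitor anywhere. The fix on the server side is a strict allowlist of the hosts the page is actually meant to forward to. The following is an added example, not nVidia's code and not posted by anyone in this thread; it is Python with a constructed allowlist, and the hosts, the fallback path and the sample query strings are assumptions modelled on the URLs quoted above. It goes slightly beyond the thread's single case by also refusing the usual ways a naive host check gets sidestepped (scheme-relative targets, userinfo before the host, look-alike suffix domains, backslashes and line breaks).

```python
"""Allowlist check for a redirect-after-download parameter.

Added example, not nVidia's code: the thread shows a confirmation page that
forwards the browser to whatever its `url` parameter says. The endpoint
should only ever forward to the hosts it really serves downloads from.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist for this example; a real deployment decides its own.
ALLOWED_HOSTS = frozenset({"us.download.nvidia.com", "download.nvidia.com"})
ALLOWED_SCHEMES = frozenset({"http", "https"})
# Where to send the visitor instead of an untrusted target (assumed path).
FALLBACK = "/content/DriverDownload/"


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only for an absolute http(s) URL whose host is exactly allowlisted.

    Anything ambiguous is rejected outright rather than "cleaned up".
    """
    if not target or any(ch in target for ch in "\r\n\x00"):
        return False                      # header-injection / truncation bait
    if "\\" in target:
        return False                      # some browsers read '\' as '/'
    parts = urlsplit(target)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False                      # covers "//host", "mailto:", ""
    if "@" in parts.netloc:
        return False                      # "allowed.host@other.host" trick
    host = parts.hostname                 # lowercased, port already stripped
    if not host:
        return False
    return host in allowed_hosts          # exact match, never suffix matching


def redirect_target_for(query_string, fallback=FALLBACK):
    """Resolve the `url` parameter of a confirmation-page query string.

    Returns the requested target when it passes the allowlist, otherwise the
    fallback, so a crafted link can never send the visitor off-site.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    requested = params.get("url", [""])[0]
    return requested if is_safe_redirect(requested) else fallback


if __name__ == "__main__":
    # Constructed query strings modelled on the ones quoted in the thread.
    for qs in (
        "kw=&url=http://us.download.nvidia.com/Windows/179.48/179.48_notebook_winxp_64bit_beta.exe",
        "kw=&url=http://www.google.it",
        "kw=&url=//www.google.it",
        "kw=&url=http://us.download.nvidia.com@www.google.it/",
        "kw=&url=http://us.download.nvidia.com.example.net/",
    ):
        print(f"{qs[:60]:60} -> {redirect_target_for(qs)}")
```

Running the file prints, for each constructed query string, where the endpoint would send the visitor: the genuine driver URL passes through unchanged and every other variant collapses to the fallback path. The host comparison is an exact set lookup on purpose; matching on "ends with nvidia.com" would let a registered look-alike domain through, which is the same class of mistake as trusting the parameter in the first place.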
