| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 27 Aug 2010 09:07:34 -0700 From: <dink@...inkydink.com> To: full-disclosure@...ts.grok.org.uk Subject: PoTTy (Obfuscated PuTTy) vulnerable to storm's DLL Hijacking Exploit NAME: PoTTy v0.60 ================= VENDOR: Mr. Hinky Dink ====================== PoTTy, an Open Source, modified version of Simon Tatham's PuTTy (Windows version, v0.60) for Bruce Leidl's Obfuscated-OpenSSH v5.2 server, has been demonstrated vulnerable to the recent Windows DLL hijacking exploit(s). PROOF OF CONCEPT ================ See storm's (storm@...ullyourself.org) exploit code at http://www.exploit-db.com/exploits/14796/ VENDOR RESPONSE =============== WTF? How do I fix this? REMEDIATION =========== Stop running Windows. HISTORY ======= 08/27/2010 - Vendor notified 08/27/2010 - Vendor craps pance 08/27/2010 - Vendor decides any publicity is good publicity 08/27/2010 - Vendor publishes details LINKS: ====== This Notice: http://mrhinkydink.blogspot.com/2010/08/potty-dll-injection-vulnerability.html Vendor Response: http://proxyobsession.net/?p=1097 PoTTy Download Page: http://www.mrhinkydink.com/potty.htm Obfuscated-OpenSSH: http://github.com/brl/obfuscated-openssh c. MMX Mr. Hinky Dink _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists