lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 29 Dec 2009 19:03:59 -0200
From: "Nelson Brito" <>
To: "'Crash - DcLabs'" <>,
Subject: RE: Tests about semicolon zero-day (BID 37460)

Okay, here is a good question after read the updated version of HD Moore Blog
post [1]:
(btw, that is the same question we are talking in twitter)
- Based on the blog post "Results of Investigation into Holyday ISS Claim"
(MSRC) [2], there is no vulnerability related to this case, right? BUT... If a
user has a weak password, a guessable password, you can GUESS the user's
password and get the user's access... Getting all the privileges he/she has.

Okay, I know that there are a lot of best practices floating around, describing
many, many ways to enforce the users to create a strong password instead... But
according to my experience in pen-tests, the easiest way to get a system access
is guessing users' passwords. RIGHT?

In a dynamic WWW, things change and "'write' and 'execute' privileges on the
same directory" (QUOTED) [2] is not a "IMPOSSIBLE AND UNBELIEVABLE" thing.

"If the weather is good, the waves are good... Let's surfing!"

So I think they should change the term "not a vulnerability" to "vulnerabilistic
feature"... I know that this word does not exist, anyway. =)

PS: Don't send me any flame if you didn't check the "vulnerability" [3]


 * $Id: .siganture,v 1.3 2009-12-11 09:22:54-02 nbrito Exp $
 * Author: Nelson Brito <nbrito [at] sekure [dot] org> 
   Copyright(c) 2004-2009 Nelson Brito. All rights reserved worldwide. */

> -----Original Message-----
> From: Crash - DcLabs []
> Sent: Monday, December 28, 2009 8:28 PM
> To:
> Subject: Tests about semicolon zero-day (BID 37460)
> Tests about semicolon zero-day (BID 37460)
> Tests in Windows XP SP3 and IIS 5.1
> The results are:
> 18:21:18 GET /t.asp;.jpg 200
> The file founded,  but not interpreted! IIS print the asp souce code at
> screen.
> Testing in 2003 Server IIS 6.0 SP 2 works perfect!  the .jpg is
> interpreted as .asp
> 2009-12-28 18:56:37 W3SVC1 GET /t.asp;.jpg - 80 -
> Mozilla/4.0+(compatible;+MSIE+
> 8.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.N
> ET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.0.4506.2152;+.NET+C
> LR+3.5.30729)
> 200 0 0
> Testing in 2008 Server  IIS 7.0 SP1
> Return same Windows XP, source code printed at screen.
> -------------------
> Crash
> DcLabs

Powered by blists - more mailing lists