Message-ID: <BAY107-F309A26A8C5692C73C6B421AF920@phx.gbl>
Date: Mon Sep 19 21:01:44 2005
From: herbert_d_hay at msn.com (herbert hay)
Subject: RE: Full-Disclosure Digest unsubscribed
unsubscribed
Herbert Darrell Hay
>From: full-disclosure-request@...ts.grok.org.uk
>Reply-To: full-disclosure@...ts.grok.org.uk
>To: full-disclosure@...ts.grok.org.uk
>Subject: Full-Disclosure Digest, Vol 7, Issue 37
>Date: Sat, 17 Sep 2005 12:00:11 +0100 (BST)
>
>Send Full-Disclosure mailing list submissions to
> full-disclosure@...ts.grok.org.uk
>
>To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.grok.org.uk/mailman/listinfo/full-disclosure
>or, via email, send a message with subject or body 'help' to
> full-disclosure-request@...ts.grok.org.uk
>
>You can reach the person managing the list at
> full-disclosure-owner@...ts.grok.org.uk
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of Full-Disclosure digest..."
>
>
>Note to digest recipients - when replying to digest posts, please trim your
>post appropriately. Thank you.
>
>
>Today's Topics:
>
> 1. Re: Forensic help? (Paul Robertson)
> 2. Re: FileZilla (client) public credentials vulnerability
> (Tobias Ulmer)
> 3. [CIRT.DK - Advisory 37] TAC Vista Webstation 3.0 Directory
> Traversal bug in webinterface (CIRT.DK Advisory)
> 4. Re: FireFox Host: Buffer Overflow is not just exploitable on
> FireFox (Juha-Matti Laurio)
> 5. Search Results w/Trojan? ('FoR ReaLz' E. Balansay)
> 6. Re: Search Results w/Trojan? (Fergie (Paul Ferguson))
> 7. Greyhats Security back online (Paul)
> 8. RE: PGPNet Upgrade path ? (Gary E. Miller)
> 9. RE: Search Results w/Trojan? (Madison, Marc)
> 10. RE: Search Results w/Trojan? ('FoR ReaLz' E. Balansay)
> 11. Greyhats Security fixed (Paul)
> 12. Re: Search Results w/ Trojan? (Dyke, Tim)
> 13. Re: Re: Search Results w/ Trojan? ('FoR ReaLz' E. Balansay)
> 14. Re: Search Results w/ Trojan? (craig@...virushelp.com)
> 15. RE: Search Results w/Trojan? (fd@...nsci.us)
> 16. Ethics and ramblins on Full DissClosure (J. Oquendo)
> 17. Web Application Security Analyzer for PHP-Nuke/phpBB CMS
> (Paul Laudanski)
> 18. SA Security Bulletin: Unique attack vector uncovered during
> packet analysis (sasb@...e-mail.net)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Fri, 16 Sep 2005 14:05:25 -0400
>From: Paul Robertson <compuwar@...il.com>
>Subject: Re: [Full-disclosure] Forensic help?
>To: nick@...us-l.demon.co.uk
>Cc: full-disclosure@...ts.grok.org.uk
>Message-ID: <63cec55305091611057c1b8367@...l.gmail.com>
>Content-Type: text/plain; charset=ISO-8859-1
>
>On 9/12/05, Nick FitzGerald <nick@...us-l.demon.co.uk> wrote:
> > Anyway, much as I am an _only very occasional_ user of Ghost, I don't
> > think I've ever used it NOT to make a sector-level, or raw disk image,
> > style drive copy. However, as I last used it so long ago, I decided to
> > check I was not mis-remembering -- two seconds at Google turned up this
> > URL discussing "...the Ghost switches to use for forensic imaging or
> > for creating raw images (sector copies)..." (URL may wrap):
> >
> > http://service1.symantec.com/SUPPORT/ghost.nsf/docid/2001111413481325?Op
> > en&src=&docid=19
>
>G'day Nick,
>
>While you *can* use Ghost to get a complete image, the switches change
>from version to version and it's really a PITA to test what does what
>when. Most folks I know in the field have decided there's too much
>room for error with Ghost. Also, it means more to document, which is
>bad for the lazy ;).
>
>Paul
>--
>www.compuwar.net
>
>
>------------------------------
>
>Message: 2
>Date: Fri, 16 Sep 2005 20:13:53 +0200
>From: Tobias Ulmer <tobiasu@...x.org>
>Subject: Re: [Full-disclosure] FileZilla (client) public credentials
> vulnerability
>To: full-disclosure@...ts.grok.org.uk
>Message-ID: <432B0B61.9@...x.org>
>Content-Type: text/plain; charset="iso-8859-1"
>
>PASTOR ADRIAN wrote:
> > Title: FileZilla (client) public credentials vulnerability
> > Risk: Medium
> > Versions affected: <=2.2.15
> > Credits: pagvac (Adrian Pastor)
> > Date found: 10th September, 2005
> > Homepage: www.ikwt.com www.adrianpv.com
> > E-mail: m123303 [ - a t - ] richmond.ac.uk
> >
>
>[...]
>
> > Regards,
> > pagvac (Adrian Pastor)
> > Earth, SOLAR SYSTEM
> >
>
>I don't know why I even reply... But anyway, I attached a screen shot
>especially for you. Please read it.
>
>a) FileZilla users most probably are the only user of the computer. This
>is why the default makes sense (they "work" as administrator anyways).
>
>b) There is a "secure mode" which prevents you from saving any password
>at all, which is the best solution if you want to be on the safe side.
>
>c) There is an option to save the settings in the registry and ignore
>the xml file. Settings are stored in HKEY_CURRENT_USER which is in fact
>under X:\%homepath%\username\NTUSER.DAT and is protected by the
>filesystem ACL.
>
>Tobias
>
>
>
>
>-------------- next part --------------
>A non-text attachment was scrubbed...
>Name: filezilla_setup.png
>Type: image/png
>Size: 12444 bytes
>Desc: not available
>Url :
>http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050916/125fae2c/filezilla_setup-0001.png
>
>------------------------------
>
>Message: 3
>Date: Fri, 16 Sep 2005 21:04:33 +0200
>From: "CIRT.DK Advisory" <advisory@...t.dk>
>Subject: [Full-disclosure] [CIRT.DK - Advisory 37] TAC Vista
> Webstation 3.0 Directory Traversal bug in webinterface
>To: "Full-Disclosure@...ts. Netsys. Com"
> <full-disclosure@...ts.grok.org.uk>, "News@...uriteam. Com"
> <news@...uriteam.com>, "Submissions@...ketstormsecurity. Org"
> <submissions@...ketstormsecurity.org>, "Vuln@...unia. Com"
> <vuln@...unia.com>, "Bugs@...uritytracker. Com"
> <bugs@...uritytracker.com>
>Message-ID: <000001c5baf1$7a2e8180$0201a8c0@...ion>
>Content-Type: text/plain; charset="us-ascii"
>
>
>TAC Vista is based on open technologies, TAC VistaR is one of the most
>advanced software solutions for building automation.
>TAC Vista efficiently and economically controls, checks and analyzes all
>building operations, allowing system operators to control and monitor
>entire systems on site or from remote locations.
>
>The Web application is running on a Microsoft IIS 5.0 Server in this case.
>
>The problem is occurring in the input field where the Template is called,
>resulting in the possibility to traverse into other parts of the system.
>
>Read the full Advisory at http://www.cirt.dk
>
>
>
>------------------------------
>
>Message: 4
>Date: Fri, 16 Sep 2005 22:28:59 +0300 (EEST)
>From: Juha-Matti Laurio <juha-matti.laurio@...ti.fi>
>Subject: Re: [Full-disclosure] FireFox Host: Buffer Overflow is not
> just exploitable on FireFox
>To: milw0rm@...il.com
>Cc: full-disclosure@...ts.grok.org.uk, berendjanwever@...il.com,
> bugtraq@...urityfocus.com, security@...illa.org
>Message-ID:
> <10097833.1126898939988.JavaMail.juha-matti.laurio@...ti.fi>
>Content-Type: text/plain; Charset=iso-8859-1; Format=Flowed
>
> > This problem also affects Thunderbird (tested) and I'm guessing
> > Netscape's Mail client (untested), which it really can't do much except
> > cause Thunderbird/Netscape to crash without javascript.
> >
> > Include the linked source in an email for your testing.
> >
> > http://www.milw0rm.com/down.php?id=1204
> >
> > /str0ke
>
>Only the newest 7.x version 7.2 has an internal Mail client. Version
>8.0.3.3 is a browser-only version. Version 7.2 has unpatched, confirmed
>vulnerabilities due to its older codebase, as we know. Version 8 was
>released to fix them.
>Your report will never reach Netscape due to non-working security [at]
>netscape.org (please read instructions to contact the vendor below).
>
> > On 9/13/05, Juha-Matti Laurio <juha-matti.laurio@...ti.fi> wrote:
> > > >Hi all,
> > > >Research and development has led to a ~90% reliable working exploit for the
> > > >IDN Heap Buffer overrun in FireFox on WinXP and Win2k3 as long as DEP is
> > > >turned off and JavaScript is enabled. Some tweaking might yield an even
> > > >higher success ratio. It has also revealed that not only FireFox is
> > > >vulnerable to this vulnerability, but the exact same exploit works on the
> > > >latest releases of all these products based on the Mozilla engine:
> > > >- Mozilla FireFox 1.0.6 and 1.5beta,
> > > >- Mozilla Browser 1.7.11,
> > > >- Netscape 8.0.3.3.
> > > >Recommendations for this vulnerability:
> > > >- FireFox and Mozilla: Install the workaround for (
> > > https://addons.mozilla.org/messages/307259.html).
> > > >- Netscape: hope they'll respond to this email and release a workaround.
> > > >- Wait for a patch and install it asap.
> > > >Recommendations to make it harder to exploit any FireFox vulnerability:
> > > >- Turn on DEP (Data Execution Prevention),
> > > >- Turn off JavaScript,
> > > >- Switch to another browser,
> > > >- Do not browse untrusted sites,
> > > >- Do not browse the web at all,
> > > >- Unplug your machine from the web,
> > > >- Wear a tinfoil hat.
> > > >Cheers,
> > > >SkyLined
> > >
> > > BTW: From where is that security [at] netscape.org address?
> > > 1)
> > > An official security URL to Netscape is "Netscape Browser Bug Submission
> > > Form" at
> > > http://browser.netscape.com/ns8/support/bugreport.jsp
> > > (www.netscape.org redirects to home.netscape.com/ , of course they have
> > > netscape.org, netscape.net etc.)
> > >
> > > For version 7.2 (and 7.x?) it is the following:
> > > http://wp.netscape.com/browsers/7/feedback/problem.html
> > > Two separate addresses due to different developer teams, according to
> > > my knowledge. Is there any new information?
>
>---clip---
>
>Please report your Netscape Mail client test results to Netscape with
>submission forms mentioned above.
>
>- Juha-Matti
>
>
>
>------------------------------
>
>Message: 5
>Date: Fri, 16 Sep 2005 12:40:12 -0700 (PDT)
>From: "'FoR ReaLz' E. Balansay" <edgardo@...ashington.edu>
>Subject: [Full-disclosure] Search Results w/Trojan?
>To: full-disclosure@...ts.grok.org.uk
>Message-ID:
> <Pine.A41.4.63a.0509161121530.33508@...aard01.u.washington.edu>
>Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
>Hello all!
>
>My system's relevant info:
>Windows XP SP2 fully patched
>McAfee VirusScan 7.1 Engine 4.4 Definition 4581
>
>
>Using XP SP2's Internet Explorer, in Google, I used the following search
>query:
>
>mcafee "driver packet received from the i/o subsystem" "patch 11"
>
>When the results return from Google, a trojan comes along as well, as
>detected by McAfee AV.
>
>I'm aware that browsing to malicious sites can pass malware to users who
>visit those sites, but this is new to me: trojans being passed through
>Google results.
>
>Is passing malicious programs through search engine results common?
>
>Goodbye!
>Edgardo
>(not the same newbie "Edgardo" from a couple threads ago =) )
>
>
>------------------------------
>
>Message: 6
>Date: Fri, 16 Sep 2005 19:43:21 GMT
>From: "Fergie (Paul Ferguson)" <fergdawg@...zero.net>
>Subject: Re: [Full-disclosure] Search Results w/Trojan?
>To: edgardo@...ashington.edu
>Cc: full-disclosure@...ts.grok.org.uk
>Message-ID: <20050916.124404.14562.458455@...mail24.lax.untd.com>
>Content-Type: text/plain
>
>Get in line:
>
> http://www.eeye.com/html/research/upcoming/20050915.html
>
>More:
>
> http://www.eeye.com/html/research/upcoming/index.html
>
>- ferg
>
>
>--
>"Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg@...zero.net or fergdawg@...global.net
> ferg's tech blog: http://fergdawg.blogspot.com/
>
>
>
>------------------------------
>
>Message: 7
>Date: Fri, 16 Sep 2005 16:06:13 -0400
>From: "Paul" <pvnick@...il.com>
>Subject: [Full-disclosure] Greyhats Security back online
>To: "Full Disclosure" <full-disclosure@...ts.grok.org.uk>,
> <bugtraq@...urityfocus.com>
>Message-ID: <002001c5bafa$a3728970$6401a8c0@...ls1337laptop>
>Content-Type: text/plain; charset="iso-8859-1"
>
>It's been a while, but I have decided that because a lot of valuable
>information is hosted on greyhatsecurity.org, that it is within everyone's
>best interest to share the material.
>
>Some things that have changed:
>- The layout. The navigation system looks a lot cooler now (IMHO) and is
>easier to follow/more categorical.
>- Bias is gone. No more criticism of either Microsoft or Mozilla will be
>found on my website unless I deem it necessary for the progress of computer
>security.
>
>You can find Greyhats Security at its old address,
>http://greyhatsecurity.org.
>
>Kind regards,
>Paul
>Greyhats Security
>http://greyhatsecurity.org
>-------------- next part --------------
>An HTML attachment was scrubbed...
>URL:
>http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050916/74e260a5/attachment-0001.html
>
>------------------------------
>
>Message: 8
>Date: Fri, 16 Sep 2005 13:24:00 -0700 (PDT)
>From: "Gary E. Miller" <gem@...lim.com>
>Subject: RE: [Full-disclosure] PGPNet Upgrade path ?
>To: adityad2005@...rs.sourceforge.net
>Cc: full-disclosure@...ts.grok.org.uk
>Message-ID: <Pine.LNX.4.63.0509161318570.31963@...bert.rellim.com>
>Content-Type: TEXT/PLAIN; charset=US-ASCII
>
>
>Yo Aditya!
>
>On Fri, 16 Sep 2005, Aditya Deshmukh wrote:
>
> > > > What alternatives are there to pgpnet ?
> > >
> > > Have a look at OpenVPN.
> >
> > Thanks Martijn, but isn't that a SSL vpn ? And from what I
> > have read about PGPnet I need a IPSEC VPN that uses
> > PGP keys to do the auth.
>
>IPSEC has nothing to do with PGP. Also there is really no such thing
>as a PGP key. PGP uses whatever key scheme you ask it to use. IPSEC
>is the same way. Both use keys, but are not themselves key standards.
>
>OpenVPN similarly can use whatever key scheme you wish. Since it is
>based on the OpenSSL crypto libs it is very flexible that way. For
>simple setups you can use pre-shared keys. For more complex setups
>you can use public/private key pairs of any type that OpenSSL understands.
>
>On top of that you can layer on other auth schemes like username/passwords
>and such.
>
>IMHO, if OpenVPN does not do what you want then you misunderstand the
>problem.
>
>
>RGDS
>GARY
>-
>---------------------------------------------------------------------------
>Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
> gem@...lim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676
>
>
>
>
>------------------------------
>
>Message: 9
>Date: Fri, 16 Sep 2005 15:40:28 -0500
>From: "Madison, Marc" <mmadison@...i.com>
>Subject: RE: [Full-disclosure] Search Results w/Trojan?
>To: "'FoR ReaLz' E. Balansay" <edgardo@...ashington.edu>,
> full-disclosure@...ts.grok.org.uk
>Message-ID:
> <DEDFD939A181F94AAF3D965C58B7AADC01FCE4DE@...fntcex01.fnb.fnni.com>
>Content-Type: text/plain; charset=us-ascii
>
>What Trojan does McAfee report?
>
>
>
>
>------------------------------
>
>Message: 10
>Date: Fri, 16 Sep 2005 13:55:48 -0700 (PDT)
>From: "'FoR ReaLz' E. Balansay" <edgardo@...ashington.edu>
>Subject: RE: [Full-disclosure] Search Results w/Trojan?
>To: "Madison, Marc" <mmadison@...i.com>
>Cc: full-disclosure@...ts.grok.org.uk
>Message-ID:
> <Pine.A41.4.63a.0509161351450.33508@...aard01.u.washington.edu>
>Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
>On Fri, 16 Sep 2005, Madison, Marc wrote:
>
> > What Trojan does McAfee report?
>
>Exploit-URLSpoof.gen
>
>McAfee link:
>http://vil.nai.com/vil/content/v_100927.htm
>
>Goodbye!
>Edgardo
>
>
>------------------------------
>
>Message: 11
>Date: Fri, 16 Sep 2005 17:22:55 -0400
>From: "Paul" <pvnick@...il.com>
>Subject: [Full-disclosure] Greyhats Security fixed
>To: "Full Disclosure" <full-disclosure@...ts.grok.org.uk>
>Message-ID: <006601c5bb04$d2c275f0$6401a8c0@...ls1337laptop>
>Content-Type: text/plain; charset="iso-8859-1"
>
>Firefox navigation bug fixed (sorry about that)
>
>Paul
>Greyhats Security
>http://greyhatsecurity.org
>-------------- next part --------------
>An HTML attachment was scrubbed...
>URL:
>http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050916/8db1ea76/attachment-0001.html
>
>------------------------------
>
>Message: 12
>Date: Fri, 16 Sep 2005 14:36:56 -0700
>From: "Dyke, Tim" <Tim.Dyke@...ksafebc.com>
>Subject: [Full-disclosure] Re: Search Results w/ Trojan?
>To: <full-disclosure@...ts.grok.org.uk>
>Message-ID:
> <260C8053DAB7FC44BB58A4D6F16CB2C506B621@...P02.wcbbc.wcbmain.com>
>Content-Type: text/plain; charset="us-ascii"
>
>I noticed the following on the McAfee site
>
>-- Update July 16, 2004 --
>An Incorrect Identification of Exploit-URLSpoof.gen has been found when
>scanning files associated with the eBay Toolbar. The file being detected
>as Exploit-URLSpoof.gen is wsasc.xml. If you are seeing this specific
>detection, please download the extra.dat files below which will correct
>the Incorrect Identification.
>
>Could this be a similar issue with your Google search?
>
>Thanks
>
>-------------- next part --------------
>An HTML attachment was scrubbed...
>URL:
>http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050916/29d31294/attachment-0001.html
>
>------------------------------
>
>Message: 13
>Date: Fri, 16 Sep 2005 17:08:56 -0700 (PDT)
>From: "'FoR ReaLz' E. Balansay" <edgardo@...ashington.edu>
>Subject: Re: [Full-disclosure] Re: Search Results w/ Trojan?
>To: "Dyke, Tim" <Tim.Dyke@...ksafebc.com>
>Cc: full-disclosure@...ts.grok.org.uk
>Message-ID:
> <Pine.A41.4.63a.0509161703260.33508@...aard01.u.washington.edu>
>Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
>Hello!
>
>I noticed the same message as well =), we're not using the eBay toolbar.
>
>I have just verified these results from a Win2k3 fully patched machine
>with no additional applications installed, except for McAfee 7.1.
>
>Would someone else like to search Google for those terms and verify as
>well? Search terms:
>
>mcafee "driver packet received from the i/o subsystem" "patch 11"
>
>Goodbye!
>Edgardo
>
>
>------------------------------
>
>Message: 14
>Date: Fri, 16 Sep 2005 20:32:13 -0400
>From: craig@...virushelp.com
>Subject: [Full-disclosure] Re: Search Results w/ Trojan?
>To: full-disclosure@...ts.grok.org.uk
>Message-ID:
> <S389476AbVIQAcN/20050917003213Z+48879@...006.ftl.affinity.com>
>Content-Type: text/plain; format=flowed; charset="iso-8859-1"
>
>This is an accurate detection. Google returns results that contain a
>hyperlink that contains the exploit.
>
>I've verified both the detection and exploit.
>
>Craig
>
>
>
>
>
>------------------------------
>
>Message: 15
>Date: Fri, 16 Sep 2005 17:30:46 -0700 (PDT)
>From: fd@...nsci.us
>Subject: RE: [Full-disclosure] Search Results w/Trojan?
>To: "'FoR ReaLz' E. Balansay" <edgardo@...ashington.edu>
>Cc: full-disclosure@...ts.grok.org.uk
>Message-ID:
> <Pine.LNX.4.50.0509161729460.7883-100000@...ger.national-security.net>
>Content-Type: TEXT/PLAIN; charset=US-ASCII
>
>On Fri, 16 Sep 2005, 'FoR ReaLz' E. Balansay wrote:
>
> > On Fri, 16 Sep 2005, Madison, Marc wrote:
> >
> > > What Trojan does McAfee report?
> >
> > Exploit-URLSpoof.gen
>
>See the %00? That is probably what McAfee calls an Exploit-URLSpoof.gen. I
>would hardly call it a trojan ... still, it is interesting to see this
>show up in a googling.
>
>www.spotlight.de%00@....google.de/zforen/sec/m/sec-1123333130-8756.html
>
>-Eric
>
>
>--
>Eric Wheeler
>Vice President
>National Security Concepts, Inc.
>PO Box 3567
>Tualatin, OR 97062
>
>http://www.nsci.us/
>Voice: (503) 293-7656
>Fax: (503) 885-0770
>
>
>
>------------------------------
>
>Message: 16
>Date: Fri, 16 Sep 2005 21:01:26 -0400 (EDT)
>From: "J. Oquendo" <sil@...iltrated.net>
>Subject: [Full-disclosure] Ethics and ramblins on Full DissClosure
>To: full-disclosure@...ts.grok.org.uk
>Message-ID: <Pine.GSO.4.58.0509162059080.28233@...gfunix.net>
>Content-Type: TEXT/PLAIN; charset=US-ASCII
>
>
>You know I was thinking about how ironic it is that one should mention
>"Full Disclosure" and "responsibility" in the same paragraph. How many
>more redundant threads will one have to parse through regarding the
>irresponsibilities of vendors who won't release a fix in a timely manner?
>Then read more threads on how irresponsible people are for disclosing
>vulnerabilities without contacting a vendor, or not waiting long enough
>before releasing their disclosure.
>
>Look it does not take a rocket scientist to figure out that vendors need
>at least one or two years to fix their problems. Far too many times
>though, people in the computer security industry wrongfully think that
>corporations like Microsloth, Scam-mantec, Crisco, Oralckle, Crapafee and
>others are solely after something as trivial as money or investments via
>stock markets.
>
>Let's be honest and forthright about the whole security industry nowadays.
>It has not become a multibillion dollar industry filled with companies
>gobbling up other companies, injecting FUD into the market to sell an
>insecure product and make millions. Nope. The real answer is that
>companies are creating wonderful products that are "powered by the
>systems that take you where you want to go today". Those products often
>don't have real issues, it's those god awful hackers, crackers, slackers and
>open source people who are the real problem in this industry.
>
>Someone should create a consortium to eradicate those who tinker and break
>these wonderful products. Perhaps a "clean up squad" to ensure that no one
>maliciously posts information that could break the Interweb and leak out
>the kind of information that could lead to my identity being stolen.
>I mean, it's not like I have to worry about anyone outside of those
>companies in the technology field to do something stupid like leak my
>information [1][2][3][4].
>
>The perfect consortium would consist of trustworthy companies like
>Microsloth, Oralckle, Crisco, Scam-mantec, Crapafee. Their task would be
>to ensure enough money and resources are available to bury someone in the
>legal system with lawsuits, threats, even military-like "wet ops" to
>ensure nothing is ever broken in the technology field again.
>
>[1] http://www.msnbc.msn.com/id/8119720/
>[2]
>http://news.com.com/Bank+of+America+loses+a+million+customer+records/2100-1029_3-5590989.html
>[3] http://www.vnunet.com/vnunet/news/2138274/credit-card-hack-sets-record
>[4]
>http://www.infoworld.com/articles/hn/xml/01/03/06/010306hnbiblio.html?0306alert
>[5]
>http://www.cbc.ca/story/business/national/2005/06/17/equifax-050617.html
>
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>J. Oquendo
>GPG Key ID 0x97B43D89
>http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89
>
>"Just one more time for the sake of sanity tell me why
> explain the gravity that drove you to this..." Assemblage
>
>
>------------------------------
>
>Message: 17
>Date: Fri, 16 Sep 2005 21:05:12 -0400 (EDT)
>From: Paul Laudanski <zx@...tlecops.com>
>Subject: [Full-disclosure] Web Application Security Analyzer for
> PHP-Nuke/phpBB CMS
>To: bugs@...uritytracker.com, <bugtraq@...urityfocus.com>,
> <full-disclosure@...ts.grok.org.uk>, <moderators@...db.org>,
> <news@...uriteam.com>, <vuln@...unia.com>, <vulnwatch@...nwatch.org>,
> <webappsec@...urityfocus.com>
>Message-ID:
> <Pine.LNX.4.44.0509162058190.22130-100000@...sbunny.castlecops.com>
>Content-Type: TEXT/PLAIN; charset=US-ASCII
>
>With all the discussions surrounding the PHP-Nuke CMS wrapping phpBB2 as
>its forums, I've released an application called Analyzer (version 2.0)
>available from Download.com.
>
>It checks the following versions and reports if newer versions exist:
>
>mysql
>php
>apache
>phpnuke
>phpbb
>
>It also checks certain settings in the php.ini file such as
>register_globals and provides the full path.
>
>Also assists in debugging the installation of the application.
>
>Available here:
>http://www.download.com/Analyzer/3000-2648_4-10397073.html
>
>The script itself is written in PHP.
>
>ref: http://en.wikipedia.org/wiki/Php-nuke
>
>--
>Paul Laudanski, Microsoft MVP Windows-Security
>CastleCops(SM), http://castlecops.com
>
>
>
>
>
>------------------------------
>
>Message: 18
>Date: Sat, 17 Sep 2005 03:20:36 -0400
>From: sasb@...e-mail.net
>Subject: [Full-disclosure] SA Security Bulletin: Unique attack vector
> uncovered during packet analysis
>To: full-disclosure@...ts.grok.org.uk
>Message-ID: <N1-a4DUvVDA17@...e-mail.net>
>Content-Type: text/plain; charset=UTF-8
>
>__________________________________________________________________
>
> Sexy Action Security Bulletin
>
> SASB-2005-09-17-GR8-2B-EL8
>
> Packet Analysis Uncovers Unique Attack Vector
>
> __________________________________________________________________
>
>
>
>Executive Summary:
>
>As an enterprise security professional, I insist on maintaining the highest
>degree of personal hygiene. At 10:38AM AEST, packet capture (sniffing)
>tests revealed that my Gandalf Lord of the Rings t-shirt had been
>compromised...
>
>Problem Statement:
>
>For some months now I have deployed Nivea deodorant, version 'Aqua Cool',
>as a personal firewall. Its vendor promises 'revitalising freshness and
>mild care', while ensuring 24hr performance, reliable protection, and a
>'stimulating masculine scent'.
>
>While vendors are as trustworthy as a German sewerage plant operator, and
>the only thing released more often on the internet than German scheisse
>porn are exploits for personal firewalls, careful searching turned up no
>current issues with Nivea 'Aqua Cool'.
>
>This morning, as a preventative measure, I enabled promiscuous mode on my
>left nostril. This is something I rarely do - whenever I allow my
>nostril to become promiscuous it inevitably accosts American soldiers,
>demanding two dollars for "sucky, sucky". However, as a professional and a
>champion Tony Hawk 2 player, I must accede to these demands in the name of
>Security.
>
>I picked up my Lord of the Rings t-shirt, sniffed, and captured a packet
>exuding from the right armpit production server. Not any boring old IP
>packet, no - this was a DECNET phase IV packet, transported via x.25. You
>could have tickled me pink and called me Jesus; I'd assumed DECnet
>had gone the way of the triceratops, stegosaurus, and hats.
>
>"Why", I asked myself, "is my right armpit running DECnet? It's certainly
>not a normal state of affairs. Hackers must be involved. They always are.
>DECnet smells like stale sweat and hackers must have bypassed the Nivea
>firewall to install it on my t-shirt. It's the only way this could have
>happened."
>
>Because of hackers I had to wear my Gollum Lord of the Rings t-shirt to
>work today. This is unacceptable - Gollum is not suitable for an enterprise
>security environment. Gollum is for informal occasions. Gandalf, the white
>wizard, commands respect and awe; without Gandalf, I fear that
>co-workers do not respect my authority.
>
>Fix:
>
>Users may apply more firewall; however, this is only a preventative measure.
>As yet I am unsure exactly how to patch a smelly t-shirt.
>
>
>------------------------------
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
>
>End of Full-Disclosure Digest, Vol 7, Issue 37
>**********************************************
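Eric's remark in message 15 about the `%00@` in the result link is the defender's cue: everything before the `@` is only the userinfo part of the URL, and an encoded NUL there made unpatched Internet Explorer builds of that era show the decoy name while the browser actually connected to the host after the `@`. The checker below is an added example, not code from the digest; it flags such links in a saved results page or proxy log, and every host and log line in it is constructed.

```python
"""Flag URLs that use the userinfo '@' trick (optionally with an encoded NUL,
as in the %00@ link quoted in message 15) so that one hostname is displayed
while the client really connects to another. Added example; all hosts and
log lines below are constructed."""
import re
from urllib.parse import urlsplit, unquote

# Loose hostname shape used to decide whether the userinfo part "looks like"
# a site name (a decoy) rather than a real username.
HOSTNAME_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def analyze_url(url):
    """Split a URL into the host the client really connects to and the decoy
    prefix before '@', and list the spoofing indicators found."""
    parts = urlsplit(url)
    userinfo, at, hostport = parts.netloc.rpartition("@")
    # Everything after the last '@' is the real authority (host[:port]).
    real_host = (hostport if at else parts.netloc).split(":")[0].lower()
    decoded = unquote(userinfo)
    # An address bar that stops rendering at the first NUL shows only this.
    prefix = decoded.split("\x00")[0].split(":")[0].lower()
    findings = []
    if at:
        if "\x00" in decoded:
            findings.append("nul-in-userinfo")
        if HOSTNAME_RE.match(prefix) and prefix != real_host:
            findings.append("hostname-in-userinfo")
    if "\x00" in unquote(parts.path) or "\x00" in unquote(parts.query):
        findings.append("nul-in-path")
    return {"url": url, "real_host": real_host, "prefix": prefix,
            "findings": findings}


def is_suspicious(url):
    """True when analyze_url found at least one spoofing indicator."""
    return bool(analyze_url(url)["findings"])


def scan_lines(lines):
    """Run analyze_url over every URL found in free text (proxy log lines or a
    saved results page); return (line_number, result) for suspicious ones."""
    hits = []
    for number, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            result = analyze_url(url)
            if result["findings"]:
                hits.append((number, result))
    return hits


# Constructed sample proxy log: line 2 mimics the %00@ pattern from the digest
# with made-up hosts, line 3 is an ordinary URL carrying real credentials,
# line 4 uses the '@' decoy without a NUL.
SAMPLE_LOG = [
    "2005-09-16 12:40:01 GET http://www.example.com/search?q=mcafee+%22patch+11%22 200",
    "2005-09-16 12:40:03 GET http://www.example.com%00@evil.example.net/zforen/sec/m/x.html 200",
    "2005-09-16 12:40:05 GET http://user:secret@ftp.example.org/pub/readme.txt 200",
    "2005-09-16 12:40:07 GET http://www.example.com@evil.example.net/landing.html 200",
]

if __name__ == "__main__":
    for number, result in scan_lines(SAMPLE_LOG):
        print("line %d: shows %r but connects to %r (%s)" % (
            number, result["prefix"], result["real_host"],
            ", ".join(result["findings"])))
```

A plain `user:password@host` URL is left alone by design, so the check reports the decoy pattern rather than every use of userinfo.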