Open Source and information security mailing list archives
 
Date: Wed Nov  2 14:39:24 2005
From: Tino.Martinez2 at Honeywell.com (Martinez, Tino (Tempe))
Subject: RE: Full-Disclosure Digest, Vol 9, Issue 3

Yes 

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of full-disclosure-request@...ts.grok.org.uk
Sent: Tuesday, November 01, 2005 10:42 PM
To: full-disclosure@...ts.grok.org.uk
Subject: Full-Disclosure Digest, Vol 9, Issue 3

Send Full-Disclosure mailing list submissions to
	full-disclosure@...ts.grok.org.uk

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.grok.org.uk/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
	full-disclosure-request@...ts.grok.org.uk

You can reach the person managing the list at
	full-disclosure-owner@...ts.grok.org.uk

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."


Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you.


Today's Topics:

   1. Snort Back Orifice Preprocessor Exploit (Win32 targets) (Kira)
   2. Re: RFID docs & tools ? (Eric Auge)
   3. Re: readdir_r considered harmful (Ben Hutchings)
   4. RE: RE: Full-Disclosure Digest, Vol 8, Issue 48 (Martijn Lievaart)
   5. Re: Re: [Full-disclosure] new IE bug (confirmed on ALL
      windows) (unknown unknown)
   6. Re: Comparing Algorithms On The List OfHard-to-brut-force?
      (Andrew Farmer)
   7. Re: Comparing Algorithms On The List OfHard-to-brut-force?
      (James Longstreet)
   8. Gateway 7001 A/B/G AP: Selection of improper regulatory
      domains and channels (Andrew Lockhart)
   9. Re: new IE bug (confirmed on ALL windows) (Greg)
  10. Re: new IE bug (confirmed on ALL windows) (Greg)
  11. Re: readdir_r considered harmful (Ben Hutchings)
  12. Cisco Security Advisory: Cisco IPS MC Malformed Configuration
      Download Vulnerability
      (Cisco Systems Product Security Incident Response Team)
  13. RE: new IE bug (confirmed on ALL windows) (ad@...ss101.org)
  14. New Online RainbowCrack Engine (MR BABS)
  15. MDKSA-2005:202 - Updated squirrelmail packages fix
      vulnerability (Mandriva Security Team)
  16. MDKSA-2005:203 - Updated gda2.0 packages fix string format
      vulnerability (Mandriva Security Team)
  17. MDKSA-2005:204 - Updated wget packages fix vulnerability
      (Mandriva Security Team)
  18. Re: New Online RainbowCrack Engine (str0ke)
  19. On Interpretation Conflict Vulnerabilities (Steven M. Christey)
  20. Re: how to describe this tool ? (Native.Code)


----------------------------------------------------------------------

Message: 1
Date: Tue, 1 Nov 2005 17:32:04 +0700
From: Kira <trir00t@...il.com>
Subject: [Full-disclosure] Snort Back Orifice Preprocessor Exploit
	(Win32 targets)
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Message-ID:
	<ca67aa9e0511010232p5af56ddbja8fe6c02817fe2d3@...l.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Dear All

I wrote a Snort Back Orifice Preprocessor exploit for Win32 targets. It's for
educational purposes only.
This exploit was tested on

- Snort 2.4.2 Binary + Windows XP Professional SP1
- Snort 2.4.2 Binary + Windows XP Professional SP2
- Snort 2.4.2 Binary + Windows Server 2003 SP1
- Snort 2.4.2 Binary + Windows Server 2000 SP0
- Snort 2.4.2 Binary + Windows 2000 Professional SP0

Note 01: This exploit was written in the form of a Metasploit module, so you
need Metasploit to launch it.
Note 02: The exploit's quite reliable, but if it doesn't work on your
machine, try to find the address of a 'jmp esp' instruction and use it to
replace the old return address.

Regards,

Kira
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051101/5314e92e/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort_bo_overflow_win32.pm
Type: application/octet-stream
Size: 3507 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051101/5314e92e/snort_bo_overflow_win32-0001.obj
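Kira's Note 02 says that when the hard-coded return address does not match your target, you should locate a 'jmp esp' and substitute it. The script below is an added example of that step; it is not Kira's module and not Metasploit code. It is a minimal PE32/PE32+ section-table parser that scans every section's raw data for the byte patterns of jmp esp (FF E4), call esp (FF D4) and push esp; ret (54 C3) and converts each hit's file offset into the virtual address you would paste into the module. The PE image it scans is constructed inside the script (a fake one-section binary with known gadget offsets) so it runs offline; on a real target you would feed it a DLL that snort.exe loads at a fixed base, and check that the chosen module sits at the same base on every target build you care about.

```python
import struct

# Gadget byte patterns -> mnemonic.  All three transfer control to the stack pointer.
GADGETS = {
    b"\xff\xe4": "jmp esp",
    b"\xff\xd4": "call esp",
    b"\x54\xc3": "push esp; ret",
}


def parse_pe_sections(data):
    """Return (image_base, [(name, virtual_addr, raw_ptr, raw_size), ...]) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    nsections, = struct.unpack_from("<H", data, e_lfanew + 6)    # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)    # COFF SizeOfOptionalHeader
    opt = e_lfanew + 24                                          # optional header start
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                           # PE32: ImageBase at +28 (4 bytes)
        image_base, = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                         # PE32+: ImageBase at +24 (8 bytes)
        image_base, = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40                            # 40-byte IMAGE_SECTION_HEADER
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, va, raw_ptr, raw_size))
    return image_base, sections


def find_gadgets(data):
    """Scan each section's raw bytes; return sorted (virtual_address, mnemonic, section) hits."""
    image_base, sections = parse_pe_sections(data)
    hits = []
    for name, va, raw_ptr, raw_size in sections:
        body = data[raw_ptr:raw_ptr + raw_size]
        for pattern, mnemonic in GADGETS.items():
            idx = body.find(pattern)
            while idx != -1:
                hits.append((image_base + va + idx, mnemonic, name))
                idx = body.find(pattern, idx + 1)
    return sorted(hits)


def build_sample_pe():
    """Constructed, minimal PE32 image (assumption: not a real Windows or Snort binary).
    One .text section at RVA 0x1000 holding a jmp esp at +16 and push esp; ret at +32."""
    image_base = 0x10000000
    text_va, text_raw, text_size = 0x1000, 0x200, 0x40
    body = (b"\x90" * 16 + b"\xff\xe4" + b"\x90" * 14 + b"\x54\xc3").ljust(text_size, b"\xcc")
    img = bytearray(text_raw + text_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                      # e_lfanew -> PE header at 0x40
    img[0x40:0x44] = b"PE\0\0"
    # COFF header: i386, 1 section, no symbols, 0xE0-byte optional header, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", img, opt + 28, image_base)
    sec = opt + 0xE0
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, text_size, text_va, text_size, text_raw)
    img[text_raw:text_raw + text_size] = body
    return bytes(img)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for addr, mnemonic, section in find_gadgets(data):
        print("0x%08x  %-14s %s" % (addr, mnemonic, section))
```

Run it with the path of a DLL as the only argument to list candidate addresses; with no argument it scans the constructed sample and reports the jmp esp at 0x10001010 and the push esp; ret at 0x10001020.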

------------------------------

Message: 2
Date: Tue, 01 Nov 2005 10:52:09 +0100
From: Eric Auge <eau@...ar.org>
Subject: [Full-disclosure] Re: RFID docs & tools ?
To: full-disclosure@...ts.grok.org.uk
Cc: wifisec@...urityfocus.com, pen-test@...urityfocus.com
Message-ID: <43673AC9.3040302@...ar.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

http://openmrtd.org/

Eric.

Mark Sec wrote:
> Alo folks,
> 
> 
> Well , does anyone know links to buy "lectors" RFID ?
> 
> I would like to do a "PoCs" on Hacking RFID , also i need tools,
> pappers, PoCs & links related with this.
> 
> thanks :-)
> 
> 
> - Mark
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 



------------------------------

Message: 3
Date: Tue, 01 Nov 2005 13:02:45 +0000
From: Ben Hutchings <ben@...adentplace.org.uk>
Subject: Re: [Full-disclosure] readdir_r considered harmful
To: 3APA3A <3APA3A@...URITY.NNOV.RU>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Message-ID: <1130850165.1980.7.camel@...alhost>
Content-Type: text/plain; charset="us-ascii"

3APA3A wrote:
> Dear Ben Hutchings,
> 
> 
> If  someone  uses pathconf to determine buffer size it's his own problem
> and  he creates vulnerability by himself. You can list such applications
> as vulnerable to race conditions.
<snip>
> NAME_MAX  is  defined  in limits.h and should be 255 according to latest
> POSIX extension. I see no problem with POSIX standard in this case.
> 
> See:
> http://www.opengroup.org/onlinepubs/009695399/basedefs/limits.h.html
<snip>

If you had read the above page more carefully, you would have seen these
paragraphs:

"The values in the following list may be constants within an
implementation or may vary from one pathname to another. For example,
file systems or directories may have different characteristics.

"A definition of one of the values shall be omitted from the <limits.h>
header on specific implementations where the corresponding value is
equal to or greater than the stated minimum, but where the value can
vary depending on the file to which it is applied. The actual value
supported for a specific pathname shall be provided by the pathconf()
function."

-- 
Ben Hutchings
When you say `I wrote a program that crashed Windows', people just stare ...
and say `Hey, I got those with the system, *for free*'. - Linus Torvalds
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051101/cc6a76f7/attachment-0001.bin

------------------------------

Message: 4
Date: Tue, 1 Nov 2005 15:56:40 +0100 (CET)
From: "Martijn Lievaart" <m@...j.nl>
Subject: RE: [Full-disclosure] RE: Full-Disclosure Digest, Vol 8,
	Issue 48
To: full-disclosure@...ts.grok.org.uk
Message-ID: <40591.217.166.60.19.1130857000.squirrel@...rtij.nl>
Content-Type: text/plain; charset=iso-8859-1

Nick FitzGerald wrote:
> Martijn Lievaart wrote:
>
>> Hihi, clamav caught that... :-]
>
> Your point?

I thought this thread was about evading virusscanners. So modifying a
batch virus and pasting it in the middle of an email does not fool at
least one virusscanner, fwiw. One can argue it is a false positive though.

> Once upon a time it "caught" the GPL as a virus too...

That is one virus I *want* to propagate. :-)

M4





------------------------------

Message: 5
Date: Tue, 1 Nov 2005 17:42:15 +0000
From: unknown unknown <unknown.pentester@...il.com>
Subject: Re: Re: [Full-disclosure] new IE bug (confirmed on ALL
	windows)
To: full-disclosure@...ts.grok.org.uk
Message-ID:
	<b7a807650511010942jb84e1a5k507ae1a5bb391a52@...l.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Mini version of IECrash confirmed IE 6.0 Windows XP Pro SP2 (English
version)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051101/3c380980/attachment-0001.html

------------------------------

Message: 6
Date: Tue, 1 Nov 2005 10:55:31 -0800
From: Andrew Farmer <andfarm@...il.com>
Subject: Re: [Full-disclosure] Comparing Algorithms On The List
	OfHard-to-brut-force?
To: Brandon Enright <bmenrigh@...d.edu>
Cc: full-disclosure@...ts.grok.org.uk
Message-ID: <D0941C4D-BE84-4156-8275-2C9C3FE090E0@...il.com>
Content-Type: text/plain; charset="us-ascii"

On 01 Nov 05, at 10:11, Brandon Enright wrote:
> Brute forcing an algorithm suggests that you are not attacking a
> weakness or known flaw in the algorithm but rather just running
> through the keyspace trying to recover the plaintext.  In that case,
> whichever allows you to use the most bits is what you want.

Note that the encryption speed of an algorithm is *not* a significant
factor in the time taken to brute-force it, except for extremely small
keyspaces! Remember that the time taken to brute-force an N-bit
algorithm that takes K seconds per encryption is, on average

    K * 2^N

which increases much more rapidly with N than it does with K. Adding
even one more bit will double the average time taken to brute-force an
algorithm, while using a slower algorithm will only increase the
difficulty marginally.

Also note that anything beyond 256 bits is silly. Brute-forcing a
256-bit algorithm can be shown to be PHYSICALLY impossible, so there's
no reason to go anywhere beyond that.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051101/d90d6a8d/PGP-0001.bin
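The arithmetic behind Andrew Farmer's K * 2^N argument, worked through as an added example (this is not his code or anyone else's on the list). It computes brute-force time for a given key length and per-trial cost, expresses a cipher slowdown factor as the number of key bits it is worth (log2 of the factor, so a cipher eight times slower buys only three bits), and puts a number on "physically impossible" for 256 bits using the Landauer limit: kT ln 2 joules per irreversible bit operation, evaluated at 2.7 K, which is an assumption chosen here as the coldest heat sink available anywhere. Constants are from physics, not from the thread.

```python
import math

BOLTZMANN_J_PER_K = 1.380649e-23
COLD_SINK_KELVIN = 2.7          # assumption: cosmic microwave background temperature
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_seconds(n_bits, k_seconds_per_trial, average=True):
    """Time to search an n-bit keyspace at k seconds per trial.
    With average=True the key is expected halfway through, i.e. 2**(n-1) trials."""
    trials = 2 ** n_bits
    if average:
        trials //= 2
    return trials * k_seconds_per_trial


def bits_equivalent_of_slowdown(factor):
    """Key bits gained by making each trial `factor` times slower: log2(factor)."""
    if factor <= 0:
        raise ValueError("slowdown factor must be positive")
    return math.log2(factor)


def years(seconds):
    return seconds / SECONDS_PER_YEAR


def landauer_joules(n_bits, temp_kelvin=COLD_SINK_KELVIN):
    """Thermodynamic lower bound on the energy needed just to step a counter
    through all 2**n_bits values: kT ln 2 per bit flip, one flip per step.
    This ignores the cost of the trial encryption itself, so it is a floor."""
    return 2 ** n_bits * BOLTZMANN_J_PER_K * temp_kelvin * math.log(2)


if __name__ == "__main__":
    # 56-bit DES at 1 microsecond per trial versus 57 bits at the same speed
    print("56-bit @1us/trial : %.2e s (%.1f years)" % (
        brute_force_seconds(56, 1e-6), years(brute_force_seconds(56, 1e-6))))
    print("57-bit @1us/trial : %.2e s" % brute_force_seconds(57, 1e-6))
    print("56-bit @2us/trial : %.2e s  (same as one extra bit)" % brute_force_seconds(56, 2e-6))
    print("8x slower cipher is worth %.1f bits" % bits_equivalent_of_slowdown(8))
    print("128-bit @1ns/trial: %.2e years" % years(brute_force_seconds(128, 1e-9)))
    print("256-bit counter, Landauer floor: %.2e J" % landauer_joules(256))
```

The 256-bit figure comes out near 3e54 joules, many orders of magnitude beyond the Sun's total lifetime output (roughly 1e44 J), which is the usual way the "physically impossible" claim is justified.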

------------------------------

Message: 7
Date: Tue, 1 Nov 2005 13:04:16 -0600
From: James Longstreet <jlongs2@....edu>
Subject: Re: [Full-disclosure] Comparing Algorithms On The List
	OfHard-to-brut-force?
To: full-disclosure@...ts.grok.org.uk
Message-ID: <576B0A1B-3A88-4F1A-9705-A2D122F68FC0@....edu>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed


On Nov 1, 2005, at 12:11 PM, Brandon Enright wrote:

> IIRC, there aren't any good known attacks against Blowfish, AES, or
> Twofish so the *RIGHT* algorithm is whatever works best for your
> application.

Depending on the situation, there may be a feasible cache-timing
attack on software implementations of AES:
http://cr.yp.to/antiforgery/cachetiming-20050414.pdf



------------------------------

Message: 8
Date: Tue, 01 Nov 2005 12:15:19 -0700
From: Andrew Lockhart <alockhart@...workchemistry.com>
Subject: [Full-disclosure] Gateway 7001 A/B/G AP: Selection of
	improper regulatory domains and channels
To: <bugtraq@...urityfocus.com>,	"full-disclosure@...ts.grok.org.uk"
	<full-disclosure@...ts.grok.org.uk>
Message-ID: <BF8D0CD7.EB9%alockhart@...workchemistry.com>
Content-Type: text/plain;	charset="US-ASCII"

Issue: Gateway 7001 AP allows selection of restricted 802.11a/b/g channels
Author: Network Chemistry Labs <labs at networkchemistry dot com>
Vendor: Gateway 
Products: Gateway 7001 802.11 A/B/G Dual Band Wireless Access Point
Type: Input Validation
Exploit: Not required


I. Intro
The IEEE 802.11 family of standards defines the channels that a
device is allowed to operate on in specific geographic regions in
order to comply with each country's radio frequency usage
regulations.


II. Vulnerability

The web management interface for the Gateway 7001 A/B/G AP contains an
input validation vulnerability that allows anyone authenticated
to the device's built-in web server to configure the device to
use channels not permitted for 802.11a/b/g use in their geographic
region.  The potential impact is that a user could configure the
device to operate outside the bandwidth allocated to 802.11
within their country, thus causing interference with other radio
systems.  In addition, the device will not be visible to other
802.11 devices operating in the area.


III. Details

The IEEE 802.11 standards provide guidance on the channels that a
device may operate on in order to comply with a country's radio
frequency usage regulations.  As is common on many access points,
the Gateway 7001 A/B/G AP provides a web based interface for configuring
the device.  This can be used to set the channel that the AP
operates on.

The POST form in the web-management interface used to set the
channel includes a form element called "RegulatoryDomain."
Through experimentation it appears that this parameter affects
input validation operations on the channel supplied in the
request. For example, if the regulatory domain parameter is set to
FCC, then the device's firmware will only change channels if the
channel value in the request is from 1 to 11.  Anything outside
this range, such as channel 13 (a European channel), will be
rejected.

However, if the regulatory domain parameter is changed, then the
firmware will allow the device's channel to be changed to any
channel allowed in the specified domain.  This can cause the
device to create interference with non-802.11 devices in the
vicinity as well as allow devices to be configured to elude 802.11
security walk-throughs by operating on frequencies that the
detection equipment is incapable of monitoring.


IV. Demonstration

In addition to POST requests, the web interface will accept the
same parameters in the form of a GET request. The web-based
management software for the Gateway 7001 A/B/G AP uses a request string
of the following form to set configuration parameters:

http://192.168.2.1/index.cgi?r1Mode=IEEE+802.11g&r1RegulatoryDomain=FCC&r1Channel=1&r2Mode=IEEE+802.11a&r2RegulatoryDomain=FCC&r2Channel=36&r1b1s1Ssid=NetChemLabs&r1b2s1Ssid=NetChemLabs-Guest&page=wireless.html&Update=Update

To change the frequencies of operation available all that needs to
be done is to simply change the RegulatoryDomain parameter.  For
instance to operate on Japanese channels, the string "FCC" would
be changed to "MKK."  This allows the channel parameters
corresponding to the 802.11b/g and 802.11a radios to be changed to
channels such as 14 and 34 respectively, which the management
software will apply to the underlying hardware:

http://192.168.2.1/index.cgi?r1Mode=IEEE+802.11g&r1RegulatoryDomain=MKK&r1Channel=14&r2Mode=IEEE+802.11a&r2RegulatoryDomain=MKK&r2Channel=34&r1b1s1Ssid=NetChemLabs+&r1b2s1Ssid=NetChemLabs-Guest&page=wireless.html&Update=Update

It was also verified that European channels were settable when
changing the RegulatoryDomain parameter to "ETSI."  To verify that
the device is indeed operating on non-FCC channels, special 802.11
sensor hardware was used to monitor the device on the specified
channels.

The Gateway 7001 A/B/G AP makes use of DeviceScape's Instant802 Wireless
Infrastructure Platform for configuration and management.  It is
unknown at this time whether this issue affects other devices
utilizing this software, due to the fact that we have only tested
the Gateway 7001 A/B/G AP at this point. Gateway also produces an
802.11 b/g version of the Gateway 7001 AP.  It is also unknown whether
this model is affected.

It should be noted that Gateway does not provide a firmware upgrade
for the affected AP.


V. Timeline

10/21 - Contacted Gateway: No response received
10/21 - Contacted DeviceScape: No response received
10/4 - Contacted Gateway: No response received
9/28 - Contacted DeviceScape to confirm they had observed the issue: No
response received
9/26 - Contacted Gateway: No response received
9/21 - Made contact with Gateway Support: told someone would follow-up
9/20 - Received follow-up response from DeviceScape
9/19 - Made contact with DeviceScape


VI. References

Gateway 7001 A/B/G AP product support page:
http://support.gateway.com/s/Servers/COMPO/NETWORK/7005082/7005082nv.shtml

Instant802 WIP product page:
http://www.devicescape.com/products/wip_landing.php


--
Andrew Lockhart <alockhart@...workchemistry.com>
Security Analyst, Network Chemistry
PGP Key ID: 58369156
Fingerprint: 0AE1 E826 1922 5453 2B34  E1AA F524 D20B 5836 9156
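The root cause in the advisory is that the channel check is keyed off a value the client chooses (RegulatoryDomain) rather than the device's own fixed domain. The script below is an added example, not Network Chemistry's tooling or the DeviceScape firmware: it parses the two update URLs quoted above, applies the channel validation the way the advisory says the firmware does (trusting the request's domain), and beside it the hardened form, where the regulatory domain is device state provisioned at manufacture and the form field is ignored. The per-domain channel tables are a simplified assumption chosen to be consistent with the advisory's observations (FCC 1-11, ETSI adds 12-13, MKK adds 14; 802.11a FCC starts at 36, MKK at 34) and are not the device's real tables.

```python
from urllib.parse import parse_qs, urlsplit

# The two update requests quoted in the advisory: FCC baseline, then the MKK bypass.
FCC_URL = ("http://192.168.2.1/index.cgi?r1Mode=IEEE+802.11g&r1RegulatoryDomain=FCC"
           "&r1Channel=1&r2Mode=IEEE+802.11a&r2RegulatoryDomain=FCC&r2Channel=36"
           "&r1b1s1Ssid=NetChemLabs&r1b2s1Ssid=NetChemLabs-Guest&page=wireless.html&Update=Update")
MKK_URL = ("http://192.168.2.1/index.cgi?r1Mode=IEEE+802.11g&r1RegulatoryDomain=MKK"
           "&r1Channel=14&r2Mode=IEEE+802.11a&r2RegulatoryDomain=MKK&r2Channel=34"
           "&r1b1s1Ssid=NetChemLabs+&r1b2s1Ssid=NetChemLabs-Guest&page=wireless.html&Update=Update")

# Illustrative channel tables per regulatory domain (assumption, simplified).
ALLOWED = {
    "FCC": {
        "IEEE 802.11g": set(range(1, 12)),
        "IEEE 802.11a": {36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161},
    },
    "ETSI": {
        "IEEE 802.11g": set(range(1, 14)),
        "IEEE 802.11a": {36, 40, 44, 48, 52, 56, 60, 64,
                         100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140},
    },
    "MKK": {
        "IEEE 802.11g": set(range(1, 15)),
        "IEEE 802.11a": {34, 38, 42, 46},
    },
}


def parse_update(url):
    """Pull mode, requested domain and channel for radios r1 (b/g) and r2 (a) from the query string."""
    q = parse_qs(urlsplit(url).query)
    radios = {}
    for r in ("r1", "r2"):
        radios[r] = {
            "mode": q[r + "Mode"][0],                 # '+' decodes to a space: 'IEEE 802.11g'
            "domain": q[r + "RegulatoryDomain"][0],
            "channel": int(q[r + "Channel"][0]),
        }
    return radios


def vulnerable_apply(url):
    """Mirrors the observed firmware behaviour: the domain used to validate the channel
    is whatever the request says, so the client picks its own allow-list.
    Returns {radio: applied channel or None if rejected}."""
    applied = {}
    for r, cfg in parse_update(url).items():
        table = ALLOWED.get(cfg["domain"], {}).get(cfg["mode"], set())
        applied[r] = cfg["channel"] if cfg["channel"] in table else None
    return applied


def hardened_apply(url, provisioned_domain):
    """Fix: the regulatory domain is read-only device state; the form field is ignored
    and the channel is checked only against the provisioned domain's table."""
    applied = {}
    for r, cfg in parse_update(url).items():
        table = ALLOWED[provisioned_domain][cfg["mode"]]
        applied[r] = cfg["channel"] if cfg["channel"] in table else None
    return applied


if __name__ == "__main__":
    print("vulnerable, MKK request on an FCC unit:", vulnerable_apply(MKK_URL))
    print("hardened,   MKK request on an FCC unit:", hardened_apply(MKK_URL, "FCC"))
```

With the vulnerable logic the MKK request lands channels 14 and 34 on a unit sold for the FCC domain; the hardened version rejects both because the request's domain is never consulted.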



------------------------------

Message: 9
Date: Wed, 2 Nov 2005 07:31:57 +1100
From: "Greg" <full-disclosure@...andyman.com.au>
Subject: Re: [Full-disclosure] new IE bug (confirmed on ALL windows)
To: <full-disclosure@...ts.grok.org.uk>
Message-ID: <005601c5df23$4eaa9a20$5601010a@P4>
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
	reply-type=original


----- Original Message ----- 
From: <ad@...ss101.org>
To: <full-disclosure@...ts.grok.org.uk>
Sent: Wednesday, November 02, 2005 4:00 AM
Subject: [Full-disclosure] new IE bug (confirmed on ALL windows)


>I think I have found by chance this weekend a security bug,while browsing
> the website news, within iexplorer on all windows versions.
>

Sorry to be the "Negative Nark" here but yes, the crash works on IESP2 with 
XPSP2 but NO it does NOT crash WIN98SE with IESP2. The 98SE box was 
networked through ICS (wired to this XP box then wi-fi to a router) and has 
no firewall of its own. This XP box through which the 98SE box gets its 
internet is in the router's DMZ and uses only Zone Alarm Pro, just for 
clarity.

So, in essence the "confirmed on all windows" is wrong.

Greg. 



------------------------------

Message: 10
Date: Wed, 2 Nov 2005 07:42:02 +1100
From: "Greg" <full-disclosure@...andyman.com.au>
Subject: Re: [Full-disclosure] new IE bug (confirmed on ALL windows)
To: <full-disclosure@...ts.grok.org.uk>
Message-ID: <006301c5df24$b6eba380$5601010a@P4>
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
	reply-type=response


----- Original Message ----- 
From: "Greg" <full-disclosure@...andyman.com.au>
To: <full-disclosure@...ts.grok.org.uk>
Sent: Wednesday, November 02, 2005 7:31 AM
Subject: Re: [Full-disclosure] new IE bug (confirmed on ALL windows)


> Sorry to be the "Negative Nark" here but yes, the crash works on IESP2 
> with XPSP2 but NO it does NOT crash WIN98SE with IESP2. The 98SE box was 
> networked through ICS (wired to this XP box then wi-fi to a router) and 
> has no firewall of its own. This XP box through which the 98SE box gets 
> its internet is in the router's DMZ and uses only Zone Alarm Pro, just 
> for clarity.
>
> So, in essence the "confirmed on all windows" is wrong.
>

Sorry about the typo. Of course I meant IE6SP2 above where I typed IESP2. 
Lesson learned - don't go typing things like that after about 6 hours sleep 
in the last 48! Never work for yourself. The boss is a &*^%!!

Greg. 



------------------------------

Message: 11
Date: Tue, 01 Nov 2005 20:16:42 +0000
From: Ben Hutchings <ben@...adentplace.org.uk>
Subject: [Full-disclosure] Re: readdir_r considered harmful
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Message-ID: <1130876202.1994.60.camel@...alhost>
Content-Type: text/plain; charset="us-ascii"

I wrote:
> readdir_r considered harmful
> ============================

A second revision of this advisory (and any future revisions) can be
found at <http://womble.decadentplace.org.uk/readdir_r-advisory.html>.
I have updated the recommendations to cover HP-UX and Tru64 properly.

Ben.

-- 
Ben Hutchings
When you say `I wrote a program that crashed Windows', people just stare ...
and say `Hey, I got those with the system, *for free*'. - Linus Torvalds
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051101/cb7f26cf/attachment-0001.bin

------------------------------

Message: 12
Date: Tue, 01 Nov 2005 16:50:22 -0500
From: Cisco Systems Product Security Incident Response Team
	<psirt@...co.com>
Subject: [Full-disclosure] Cisco Security Advisory: Cisco IPS MC
	Malformed Configuration Download Vulnerability
To: full-disclosure@...ts.grok.org.uk
Cc: psirt@...co.com
Message-ID: <200511011650.ipsmc@...rt.cisco.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cisco Security Advisory: 
========================
Cisco IPS MC Malformed Configuration Download Vulnerability
===========================================================

Document ID: 68065

Revision 1.0

Last Updated

For Public Release 2005 November 1 2000 UTC (GMT)

- -----------------------------------------------------------------------

Contents
========

    Summary
    Affected Products
    Details
    Impact
    Software Versions and Fixes
    Obtaining Fixed Software
    Workarounds
    Exploitation and Public Announcements
    Status of This Notice: FINAL
    Distribution
    Revision History
    Cisco Security Procedures

- -----------------------------------------------------------------------

Summary
=======

The CiscoWorks VPN/Security Management Solution (VMS) is a network
management application that includes Web-based tools for configuring,
monitoring, and troubleshooting VPNs, firewalls, network intrusion
detection systems (NIDSs), network intrusion prevention systems (NIPSs)
and host intrusion prevention systems (HIPSs). CiscoWorks VMS also
includes network device inventory, change audit, and software
distribution features.

An issue exists in one of the components of the Cisco Management Center
for IPS Sensors (IPS MC) v2.1 during the generation of the Cisco IOS
IPS (Intrusion Prevention System) configuration file that may result in
some signatures belonging to certain classes being disabled during the
configuration deployment process.

Cisco has made a free software patch available to address this
vulnerability for affected customers.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20051101-ipsmc.shtml.

Affected Products
=================

Vulnerable Products
+------------------

  * Cisco IOS IPS devices that have been configured by IPS MC v2.1.

Products Confirmed Not Vulnerable
+--------------------------------

  * Cisco IOS IPS devices that have NOT been configured by IPS MC v2.1.
    This category includes Cisco IOS IPS devices that have been
    configured by using any of the following methods:
      + Cisco IDS MC (Management Center for IDS Sensors)
      + Cisco SDM (Security Device Manager)
      + Cisco IOS CLI (Command Line Interface)
  * Any other Cisco IDS/IPS solution, configured by either Cisco IPS MC
    v2.1, Cisco IDS MC (any version), Cisco SDM (any version) or by
    using the Cisco IOS CLI. These include:
      + Cisco IOS IDS
      + Cisco PIX/ASA IDS
      + Cisco IPS 4200 Series Sensors
      + Cisco Catalyst 6500/7600 Series Intrusion Detection System
        (IDSM-2) Module
      + Cisco IDS Network Module (NM-CIDS-K9)
      + Cisco ASA Advanced Inspection and Prevention (AIP) Security
        Services Module

No other Cisco products are currently known to be affected by this
vulnerability.

Details
=======

Some Cisco routers running Cisco IOS include a feature called Cisco IOS
IPS. The Cisco IOS IPS acts as an in-line intrusion protection sensor,
watching packets and sessions as they flow through the router and
scanning each packet to match any of the Cisco IOS IPS signatures that
have been enabled on the device configuration. When it detects
suspicious activity, it responds before network security can be
compromised and logs the event through Cisco IOS syslog messages or
Security Device Event Exchange (SDEE). The network administrator can
configure Cisco IOS IPS to choose the appropriate response to various
threats.

Customers can use multiple methods, including Cisco IPS MC, Cisco IDS
MC, Cisco SDM and the Cisco IOS CLI, to enable, disable and configure
Cisco IOS IPS signatures. Some signatures dealing with TCP or UDP
traffic analyze traffic destined to specific ports. Those ports are
pre-configured with default values, and some signatures might allow
changes to the list of ports to be monitored.

If the Cisco IOS IPS devices have been configured by using the Cisco
IPS MC v2.1, the Cisco IPS MC might download a configuration file to
the device that does not contain a value for the port field in one or
more signatures, resulting in the affected Cisco IOS IPS device
disabling those signatures. Only signatures using either the STRING.TCP
or STRING.UDP signature micro-engine (SME) are affected by this
vulnerability. Additionally, this behavior only happens if those
signatures were enabled and configured from the Cisco IPS MC GUI;
signatures belonging to the STRING.TCP or STRING.UDP SMEs that were
previously configured on the device and imported into the Cisco IPS MC
will not experience this issue.

The list of signatures currently loaded into a Cisco IOS IPS device and
their status can be obtained by executing the "show ip ips signatures"
command. The following abbreviated output shows signatures currently
loaded into the device, both enabled and disabled:

 Router#show ip ips signatures
 Builtin signatures are configured
 Signatures were last loaded from flash:128MB.sdf

 Cisco SDF release version 128MB.sdf v4

 Trend SDF release version V0.0

 *=Marked for Deletion  Action=(A)larm,(D)rop,(R)eset   Trait=AlarmTraits
 MH=MinHits             AI=AlarmInterval                CT=ChokeThreshold
 TI=ThrottleInterval    AT=AlarmThrottle                FA=FlipAddr
 WF=WantFrag

 Signature Micro-Engine: OTHER (4 sigs)
  SigID:SubID On Action  Sev Trait     MH    AI    CT    TI AT FA WF Version
  ----------- -- ------ ---- -----  ----- ----- ----- ----- -- -- -- -------
   1201:0      Y   A    HIGH     0      0     0    30    15 FA  N  N 2.2.1.5
   1202:0      Y   A    HIGH     0      0     0   100    15 FA  N  N 2.2.1.5
   1203:0      Y   A    HIGH     0      0     0    30    15 FA  N  N 2.2.1.5
   3050:0      Y   A    HIGH     0      0     0     0    15 FA  N    1.0

 Signature Micro-Engine: STRING.ICMP (1 sigs)
  SigID:SubID On Action  Sev Trait     MH    AI    CT    TI AT FA WF Version
  ----------- -- ------ ---- -----  ----- ----- ----- ----- -- -- -- -------
   2156:0      Y   A     MED     0      0     0     0    15 FA  N    S54

 Signature Micro-Engine: STRING.UDP (16 sigs)
  SigID:SubID On Action  Sev Trait     MH    AI    CT    TI AT FA WF Version
  ----------- -- ------ ---- -----  ----- ----- ----- ----- -- -- -- -------
   4060:0      Y   A     MED     0      0     0     0    15 FA  N    S10
   4060:1      Y   A     MED     0      0     0     0    15 FA  N    S173
   4607:0      Y   A    HIGH     0      0     0     0    15 FA  N    S30
   4607:1      Y   A    HIGH     0      0     0     0    15 FA  N    S30
   4607:2      Y   A    HIGH     0      0     0     0    15 FA  N    S30
   4607:3      Y   A    HIGH     0      0     0     0    15 FA  N    S30
   4607:4      Y   A    HIGH     0      0     0     0    15 FA  N    S30
   4608:0      N   A    HIGH     0      1     0     0    15 FA  N    S30
   4608:1      Y   A    HIGH     0      1     0     0    15 FA  N    S30
   4608:2      Y   A    HIGH     0      1     0     0    15 FA  N    S30
  11000:0      N   A     LOW     0      0     0     0    15 FA  N    S37
  11000:1      Y   A     LOW     0      0     0     0    15 FA  N    S37
  11000:2      Y   A     LOW     0      0     0     0    15 FA  N    S136
  11207:0      Y   A    INFO     0      0     0     0    15 FA  N    S139
  11208:0      Y   A    INFO     0      0     0     0    15 FA  N    S139
  11209:0      Y   A    INFO     0      0     0     0    15 FA  N    S139

 Signature Micro-Engine: STRING.TCP (60 sigs)
  SigID:SubID On Action  Sev Trait     MH    AI    CT    TI AT FA WF Version
  ----------- -- ------ ---- -----  ----- ----- ----- ----- -- -- -- -------
   3116:0      Y   A    HIGH     0      1     0     0    15 FA  N    S12
   3117:0      N   A     LOW     0      1     0     0    15 FA  N    S13
   3117:1      Y   A     LOW     0      1     0     0    15 FA  N    S13
   3120:0      Y   A     LOW     0      1     0     0    15 FA  N    S13
   3120:1      Y   A     LOW     0      1     0     0    15 FA  N    S13
   3132:0      Y   A    HIGH     0      1     0     0    15 FA  N    S67
   3132:1      Y   A    HIGH     0      1     0     0    15 FA  N    S67
   3135:0      Y   A    HIGH     0      1     0     0    15 FA  N    S73
   3137:1      Y   A    HIGH     0      1     0     0    15 FA  N    S83
   3137:2      Y   A    HIGH     0      1     0     0    15 FA  N    S128
   3141:0      Y   A    HIGH     0      1     0     0    15 FA  N    S94
   3142:1      Y   A    HIGH     0      1     0     0    15 FA  N    S92
   3152:0      Y   A     MED     0      1     0     0    15 FA  N    2.1.1
   3450:0      Y   A     LOW     0      1     0     0    15 FA  N    1.0
   5570:0      Y   A R  HIGH     0      1     0     0    15 FA  N    S185
   5571:0      Y   A R  HIGH     0      1     0     0    15 FA  N    S185
   9479:0      Y   A    HIGH     0      1     0     0    15 FA  N    S104
   9480:0      Y   A    HIGH     0      1     0     0    15 FA  N    S104
   9481:0      Y   A    HIGH     0      1     0     0    15 FA  N    S104
   9482:0      Y   A    HIGH     0      1     0     0    15 FA  N    S104
   9483:0      Y   A    HIGH     0      1     0     0    15 FA  N    S104
  --More--



Any signature with a capital N under the 'On' column is DISABLED, while
any signature with a capital Y under the same column is ENABLED. In
this example, signatures 4608:0 and 11000:0 (belonging to the
STRING.UDP SME), and signature 3117:0 (belonging to the STRING.TCP SME)
are listed as disabled. For each signature listed as disabled in the
output of the "show ip ips signatures" command, a corresponding 
"ip ips signature <SigID> <SubsigID> disable" command should be visible 
on the running configuration. This is an example of the 
"show running-configuration" command, using a filter to only display
configuration lines belonging to signatures that have been disabled:

    Router#show running-config | include ip ips signature .* disable
    ip ips signature 11000 0 disable
    ip ips signature 4608 0 disable
    ip ips signature 3117 0 disable
    Router#


This vulnerability is documented in the Cisco Bug Toolkit as Bug ID
CSCsc33696. 
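A practitioner auditing a fleet of IOS IPS routers for this condition will not want to read the "show ip ips signatures" table by eye. The script below is an added example and is not part of Cisco's advisory or tooling: it parses the show output into per-micro-engine lists of signatures whose 'On' column is N, keeps only the STRING.TCP and STRING.UDP engines the advisory names as affected, and cross-checks each one against the "ip ips signature <SigID> <SubsigID> disable" lines of the running configuration, flagging any disabled signature that has no matching config line. The sample show output and running-config text are constructed here, abridged from the advisory's own example, so the script runs offline; the parsing assumes the column layout shown above.

```python
import re

ENGINE_RE = re.compile(r"^\s*Signature Micro-Engine:\s*(\S+)")
ROW_RE = re.compile(r"^\s*(\d+):(\d+)\s+([YN])\s")
DISABLE_RE = re.compile(r"^\s*ip ips signature (\d+) (\d+) disable\s*$")
AFFECTED_ENGINES = {"STRING.TCP", "STRING.UDP"}   # per the advisory

# Constructed sample, abridged from the advisory's "show ip ips signatures" output.
SAMPLE_SHOW = """\
Router#show ip ips signatures
Builtin signatures are configured
Signatures were last loaded from flash:128MB.sdf

 Signature Micro-Engine: OTHER (4 sigs)
  SigID:SubID On Action  Sev Trait     MH    AI    CT    TI AT FA WF Version
  ----------- -- ------ ---- -----  ----- ----- ----- ----- -- -- -- -------
   1201:0      Y   A    HIGH     0      0     0    30    15 FA  N  N 2.2.1.5

 Signature Micro-Engine: STRING.UDP (16 sigs)
  SigID:SubID On Action  Sev Trait     MH    AI    CT    TI AT FA WF Version
  ----------- -- ------ ---- -----  ----- ----- ----- ----- -- -- -- -------
   4607:0      Y   A    HIGH     0      0     0     0    15 FA  N    S30
   4608:0      N   A    HIGH     0      1     0     0    15 FA  N    S30
   4608:1      Y   A    HIGH     0      1     0     0    15 FA  N    S30
  11000:0      N   A     LOW     0      0     0     0    15 FA  N    S37
  11000:1      Y   A     LOW     0      0     0     0    15 FA  N    S37

 Signature Micro-Engine: STRING.TCP (60 sigs)
  SigID:SubID On Action  Sev Trait     MH    AI    CT    TI AT FA WF Version
  ----------- -- ------ ---- -----  ----- ----- ----- ----- -- -- -- -------
   3116:0      Y   A    HIGH     0      1     0     0    15 FA  N    S12
   3117:0      N   A     LOW     0      1     0     0    15 FA  N    S13
   3117:1      Y   A     LOW     0      1     0     0    15 FA  N    S13
  --More--
"""

# Constructed sample of the filtered running-config from the advisory.
SAMPLE_CONFIG = """\
Router#show running-config | include ip ips signature .* disable
ip ips signature 11000 0 disable
ip ips signature 4608 0 disable
ip ips signature 3117 0 disable
Router#
"""


def disabled_signatures(show_output):
    """Map micro-engine name -> sorted [(SigID, SubID)] whose 'On' column reads N."""
    engine, found = None, {}
    for line in show_output.splitlines():
        m = ENGINE_RE.match(line)
        if m:
            engine = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m and engine and m.group(3) == "N":
            found.setdefault(engine, []).append((int(m.group(1)), int(m.group(2))))
    return {e: sorted(v) for e, v in found.items()}


def explicit_disables(running_config):
    """Set of (SigID, SubID) carrying an 'ip ips signature X Y disable' line."""
    return {(int(m.group(1)), int(m.group(2)))
            for m in map(DISABLE_RE.match, running_config.splitlines()) if m}


def audit(show_output, running_config):
    """Disabled STRING.TCP/STRING.UDP signatures as (engine, SigID, SubID, has_config_line),
    sorted.  has_config_line False means the signature is off on the device without a
    matching disable command, which deserves a look."""
    cfg = explicit_disables(running_config)
    findings = []
    for engine, sigs in disabled_signatures(show_output).items():
        if engine in AFFECTED_ENGINES:
            findings.extend((engine, sig, sub, (sig, sub) in cfg) for sig, sub in sigs)
    return sorted(findings)


if __name__ == "__main__":
    for engine, sig, sub, ok in audit(SAMPLE_SHOW, SAMPLE_CONFIG):
        print("%-10s %6d:%-3d %s" % (engine, sig, sub, "config line present" if ok else "NO disable line"))
```

Feed it the two captured outputs from each router and pay attention to any row reported without a disable line; the advisory's own example reconciles cleanly, so the script reports all three as present.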

Impact
======

While this is not a vulnerability in the Cisco IOS IPS code itself, in
the processing performed by Cisco IOS IPS on traffic traversing the
device, or in the Cisco IPS MC v2.1, this vulnerability might result in
an incomplete analysis of network traffic traversing the Cisco IOS IPS
device, which could allow some attacks to go unnoticed.

Software Versions and Fixes
===========================

When considering software upgrades, please also consult 
http://www.cisco.com/en/US/products/products_security_advisories_listing.html
and any subsequent advisories to determine exposure and a complete
upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") for assistance.

Cisco has developed a software fix for this vulnerability. Once the fix
is applied to a VMS server running IPS MC v2.1, the IPS MC will
correctly populate the port field attached to a signature using either
the STRING.TCP or STRING.UDP SME. Additional steps will be required to
be performed. Please read the README file published together with the
software fix.

In order to obtain this software fix, customers should access the VMS
Software download page for IDS MC and IPS MC, available at 
http://www.cisco.com/pcgi-bin/tablebuild.pl/mgmt-ctr-ids-app. 
The fix consists of the following three files:

  * idsmdc2.1.0-win-CSCsc336961.tar - this file contains the fix itself
    for IPS MC v2.1 running on the Windows operating system.
  * CSCOids2.1.0-sol-CSCsc336961.tar - this file contains the fix
    itself for IPS MC v2.1 running on the Solaris operating system.
  * CSCsc33696-README.txt - this file contains instructions on how to
    apply the software fix to an affected IPS MC v2.1 installation
    (either Windows or Solaris) and any needed pre and post
    installation tasks to be carried out by the user.

Obtaining Fixed Software
========================

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.

Customers using Third-party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior
or existing agreement with third-party support organizations such as
Cisco Partners, authorized resellers, or service providers should
contact that support organization for assistance with the upgrade,
which should be free of charge.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@...co.com

Please have your product serial number available and give the URL of
this notice as evidence of your entitlement to a free upgrade. Free
upgrades for non-contract customers must be requested through the TAC.

Please do not contact either "psirt@...co.com" or
"security-alert@...co.com" for software upgrades.

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.

Customers may only install and expect support for the feature sets they
have purchased. By installing, downloading, accessing or otherwise
using such software upgrades, customers agree to be bound by the terms
of Cisco's software license terms found at 
http://www.cisco.com/public/sw-license-agreement.html, or as otherwise 
set forth at Cisco.com Downloads at 
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Workarounds
===========

There are no recommended workarounds for this vulnerability. Please see
the Obtaining Fixed Software section for appropriate solutions to
resolve this vulnerability.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.

This vulnerability was reported to Cisco by a customer.

Status of This Notice: FINAL
============================

THIS ADVISORY IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF
MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE ADVISORY OR
MATERIALS LINKED FROM THE ADVISORY IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS NOTICE AT ANY TIME.

A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at 
http://www.cisco.com/warp/public/707/cisco-sa-20051101-ipsmc.shtml.

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce@...co.com
  * first-teams@...st.org (includes CERT/CC)
  * bugtraq@...urityfocus.com
  * vulnwatch@...nwatch.org
  * cisco@...t.colorado.edu
  * cisco-nsp@...k.nether.net
  * full-disclosure@...ts.grok.org.uk
  * comp.dcom.sys.cisco@...sgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History
================

+----------------------------------------------------------+
|              |                 |                         |
| Revision 1.0 | 2005-November-1 | Initial public release  |
|              |                 |                         |
+----------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at 
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security 
notices. All Cisco security advisories are available at 
http://www.cisco.com/go/psirt.

- -----------------------------------------------------------------------

All contents are Copyright 1992-2005 Cisco Systems, Inc. All rights
reserved. 
- -----------------------------------------------------------------------

Updated: Nov 01, 2005                                Document ID: 68065

- -----------------------------------------------------------------------
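A small cross-check, added here as an example and not part of Cisco's advisory, that applies the rule given in the advisory mechanically: it parses constructed samples of the two command outputs and lists any signature shown as disabled (N in the 'On' column) that has no matching "ip ips signature <SigID> <SubsigID> disable" line in the running configuration. The header line and the sample rows are constructed to match the layout shown above; the signature IDs are the ones the advisory mentions.

```python
"""Cross-check Cisco IOS IPS signature state against the running configuration.

Added example, not Cisco's code. Parses constructed samples of
"show ip ips signatures" and "show running-config | include ip ips signature .* disable"
and reports signatures whose disabled state is not explained by an explicit
"ip ips signature <SigID> <SubsigID> disable" line, which is the condition the
advisory tells operators to look for.
"""
import re

# Constructed sample of "show ip ips signatures" output, modelled on the column
# layout shown in the advisory (the header line is an approximation).
SHOW_SIGNATURES = """\
Builtin signatures:
Signature ID:SubID On Action Sev  Trait   MH    AI    CT    TI AT  WF   Version
  3117:0      N   A    HIGH     0      1     0     0    15 FA  N    S104
  4608:0      N   A    HIGH     0      1     0     0    15 FA  N    S104
  9482:0      Y   A    HIGH     0      1     0     0    15 FA  N    S104
  9483:0      Y   A    HIGH     0      1     0     0    15 FA  N    S104
 11000:0      N   A    HIGH     0      1     0     0    15 FA  N    S104
--More--
"""

# Constructed sample of the filtered running configuration. The line for
# signature 3117 0 is deliberately absent so the check has something to report.
RUNNING_CONFIG = """\
Router#show running-config | include ip ips signature .* disable
ip ips signature 11000 0 disable
ip ips signature 4608 0 disable
Router#
"""

# A signature row starts with "<SigID>:<SubsigID>" followed by the On column.
SIG_ROW = re.compile(r"^\s*(\d+):(\d+)\s+([YN])\b")
# An explicit operator disable line in the running configuration.
DISABLE_LINE = re.compile(r"^\s*ip ips signature (\d+) (\d+) disable\s*$")


def parse_signature_state(text):
    """Return {(sigid, subsigid): enabled} from 'show ip ips signatures' output."""
    state = {}
    for line in text.splitlines():
        m = SIG_ROW.match(line)
        if m:
            state[(int(m.group(1)), int(m.group(2)))] = m.group(3) == "Y"
    return state


def parse_disabled_in_config(text):
    """Return the set of (sigid, subsigid) explicitly disabled in the running config."""
    disabled = set()
    for line in text.splitlines():
        m = DISABLE_LINE.match(line)
        if m:
            disabled.add((int(m.group(1)), int(m.group(2))))
    return disabled


def unexplained_disabled(show_output, config_output):
    """Signatures shown as disabled with no matching 'disable' config line.

    Any hit is a signature whose disabled state did not come from an explicit
    operator command, which is the symptom the advisory describes.
    """
    state = parse_signature_state(show_output)
    configured = parse_disabled_in_config(config_output)
    return sorted(sig for sig, enabled in state.items()
                  if not enabled and sig not in configured)


def stale_disable_lines(show_output, config_output):
    """Config 'disable' lines for signatures the device still reports as enabled."""
    state = parse_signature_state(show_output)
    configured = parse_disabled_in_config(config_output)
    return sorted(sig for sig in configured if state.get(sig, False))


if __name__ == "__main__":
    for sigid, subsig in unexplained_disabled(SHOW_SIGNATURES, RUNNING_CONFIG):
        print(f"signature {sigid}:{subsig} is disabled without a matching "
              f"'ip ips signature {sigid} {subsig} disable' line")
```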


------------------------------

Message: 13
Date: Wed, 2 Nov 2005 00:06:18 +0100
From: <ad@...ss101.org>
Subject: RE: [Full-disclosure] new IE bug (confirmed on ALL windows)
To: "'Greg'" <full-disclosure@...andyman.com.au>
Cc: full-disclosure@...ts.grok.org.uk
Message-ID: <000301c5df38$df7ad960$0400a8c0@...xp64>
Content-Type: text/plain;	charset="iso-8859-1"

Rofl... there is always someone to play with words...

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Greg
Sent: Tuesday, 1 November 2005 21:32
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] new IE bug (confirmed on ALL windows)


----- Original Message ----- 
From: <ad@...ss101.org>
To: <full-disclosure@...ts.grok.org.uk>
Sent: Wednesday, November 02, 2005 4:00 AM
Subject: [Full-disclosure] new IE bug (confirmed on ALL windows)


>I think I have found by chance this weekend a security bug,while browsing
> the website news, within iexplorer on all windows versions.
>

Sorry to be the "Negative Nark" here but yes, the crash works on IESP2 with
XPSP2 but NO it does NOT crash WIN98SE with IESP2. The 98SE box was
networked through ICS (wired to this XP box then wi-fi to a router) and has
no firewall of its own. This XP box through which the 98SE box gets its
internet is in the router's DMZ and uses only Zone Alarm Pro, just for
clarity.

So, in essence the "confirmed on all windows" is wrong.

Greg. 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



------------------------------

Message: 14
Date: Tue, 1 Nov 2005 18:16:09 -0500
From: MR BABS <mrbabs@...il.com>
Subject: [Full-disclosure] New Online RainbowCrack Engine
To: full-disclosure@...ts.grok.org.uk
Message-ID:
	<7351b7a60511011516h45f53400xde9d126e7ecdbcc5@...l.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hey guys,
Just finished everything up on RainbowCrack-Online, wasn't sure if anyone
would be interested, there's a membership fee, as servers, generation and
cracking machines are expensive, you guys know the score.
Really nice collection of tables, you can take a look-see at
http://www.rainbowcrack-online.com/.
Current sets include:
LanManager-All (all printable chars) 1-14 (the tables are 1-7, but view the
specs on LM hashing for more info)

NTLM MixAlpha Numeric 1-7
NTLM LowerAlpha Numeric 1-8

MD5 Alpha Numeric Symbol32 Space 1-7
MD5 LowerAlpha Numeric Symbol32 Space 1-7
MD5 LowerAlpha Numeric 1-8
MD5 MixAlpha Numeric 1-7

SHA1 MixAlpha Numeric 1-7

MySQL 323 MixAlpha Numeric 1-7

CiscoPIX MixAlpha Numeric 1-7

We're almost done generation of MD4, and MySQL SHA1 tables.

Should have some articles in Information soon, basically information on what
to do to leverage knowing hashes. (And how to get the hashes in the first
place.)
 For you pen tester fellows, we will be offering the tables for sale to you
guys, as well as registered businesses, prices should be up later.
 -Regards,
 Travis
</spam>

------------------------------

Message: 15
Date: Tue, 01 Nov 2005 16:20:24 -0700
From: Mandriva Security Team <security@...driva.com>
Subject: [Full-disclosure] MDKSA-2005:202 - Updated squirrelmail
	packages	fix vulnerability
To: full-disclosure@...ts.grok.org.uk
Message-ID: <E1EX5QW-00032F-MT@...cury.mandriva.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2005:202
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : squirrelmail
 Date    : November 1, 2005
 Affected: Corporate 3.0
 _______________________________________________________________________
 
 Problem Description:
 
 A vulnerability in the way that SquirrelMail handled the $_POST
 variables was discovered.  If a user was tricked into visiting a
 malicious URL, the user's SquirrelMail preferences could be read or
 modified.
 
 This vulnerability is corrected in SquirrelMail 1.4.5 and the updated
 packages provide the latest stable version.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2095
 _______________________________________________________________________
 
 Updated Packages:
 
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>


------------------------------

Message: 16
Date: Tue, 01 Nov 2005 16:21:48 -0700
From: Mandriva Security Team <security@...driva.com>
Subject: [Full-disclosure] MDKSA-2005:203 - Updated gda2.0 packages
	fix	string format vulnerability
To: full-disclosure@...ts.grok.org.uk
Message-ID: <E1EX5Rs-00036z-Hk@...cury.mandriva.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2005:203
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : gda2.0
 Date    : November 1, 2005
 Affected: 10.2, 2006.0, Corporate 3.0
 _______________________________________________________________________
 
 Problem Description:
 
 Steve Kemp discovered two format string vulnerabilities in libgda2, 
 the GNOME Data Access library for GNOME2, which may lead to the 
 execution of arbitrary code in programs that use this library.
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2958
 _______________________________________________________________________
 
 Updated Packages:
 
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>


------------------------------

Message: 17
Date: Tue, 01 Nov 2005 16:23:10 -0700
From: Mandriva Security Team <security@...driva.com>
Subject: [Full-disclosure] MDKSA-2005:204 - Updated wget packages fix
	vulnerability
To: full-disclosure@...ts.grok.org.uk
Message-ID: <E1EX5TC-0003Bg-GO@...cury.mandriva.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2005:204
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : wget
 Date    : November 1, 2005
 Affected: 10.1, 10.2, Corporate 3.0, Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 Hugo Vazquez Carames discovered a race condition when writing output
 files in wget.  After wget determined the output file name, but before
 the file was actually opened, a local attacker with write permissions
 to the download directory could create a symbolic link with the name
 of the output file.  This could be exploited to overwrite arbitrary
 files with the permissions of the user invoking wget.  The time window
 of opportunity for the attacker is determined solely by the delay of
 the first received data packet.
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2014
 _______________________________________________________________________
 
 Updated Packages:
 
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
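An added illustration of the race the advisory describes, in Python rather than wget's own code: the plain open() that follows a symlink planted under the chosen output name, beside an open with O_CREAT|O_EXCL (plus O_NOFOLLOW where the platform has it) that refuses it. The scratch directory, file names and contents are constructed for the demonstration, which needs a POSIX system.

```python
"""Output-file creation and the symlink race described in MDKSA-2005:204.

Added example, not wget's code. A downloader that chooses an output name and
only later opens it leaves a window in which a local user with write access to
the directory can plant a symlink under that name. A plain open() then writes
through the link. Asking the kernel for exclusive creation closes the window:
O_EXCL fails if anything, a symlink included, already exists at the path.
"""
import os
import tempfile


def write_following_symlinks(path, data):
    """The hazardous pattern: open() follows whatever is currently at `path`."""
    with open(path, "wb") as fh:
        fh.write(data)


def write_refusing_existing(path, data):
    """Hardened pattern: create-exclusive open that never writes through a
    pre-existing link. Raises FileExistsError if the name is already taken."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    flags |= getattr(os, "O_NOFOLLOW", 0)  # extra guard where available
    fd = os.open(path, flags, 0o644)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def demo():
    """Play out the race in a scratch directory.

    Returns (naive_write_clobbered_victim, hardened_write_refused_and_victim_intact).
    'victim.txt' stands in for an arbitrary file the planted link points at;
    'index.html' is the output name the downloader picked before opening.
    """
    original = b"original contents\n"
    payload = b"downloaded page\n"
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        with open(victim, "wb") as fh:
            fh.write(original)
        # Between name selection and open, a link appears under the chosen name.
        output = os.path.join(d, "index.html")
        os.symlink(victim, output)

        # Naive open: the write lands in victim.txt instead of a new file.
        write_following_symlinks(output, payload)
        with open(victim, "rb") as fh:
            clobbered = fh.read() == payload

        # Restore the victim and repeat with the hardened open.
        with open(victim, "wb") as fh:
            fh.write(original)
        try:
            write_refusing_existing(output, payload)
            refused = False
        except FileExistsError:
            refused = True
        with open(victim, "rb") as fh:
            intact = fh.read() == original
        return clobbered, refused and intact


if __name__ == "__main__":
    naive, hardened = demo()
    print("naive open overwrote the link target:", naive)
    print("exclusive open refused the planted link:", hardened)
```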


------------------------------

Message: 18
Date: Tue, 1 Nov 2005 18:05:07 -0600
From: str0ke <str0ke@...w0rm.com>
Subject: Re: [Full-disclosure] New Online RainbowCrack Engine
To: MR BABS <mrbabs@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Message-ID:
	<814b9d50511011605u41cda7e3i46e0c47290eacffe@...l.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Is your webserver a 9-5 service or is it just down for other reasons?

/str0ke

On 11/1/05, MR BABS <mrbabs@...il.com> wrote:
> Hey guys,
>
>     Just finished everything up on RainbowCrack-Online, wasn't sure if
> anyone would be interested, there's a membership fee, as servers, generation
> and cracking machines are expensive, you guys know the score.
>
> Really nice collection of tables, you can take a look-see at
> www.rainbowcrack-online.com.
> Current sets include:
> LanManager-All (all printable chars) 1-14 (the tables are 1-7, but view the
> specs on LM hashing for more info)
>
> NTLM MixAlpha Numeric 1-7
> NTLM LowerAlpha Numeric 1-8
>
> MD5 Alpha Numeric Symbol32 Space 1-7
> MD5 LowerAlpha Numeric Symbol32 Space 1-7
> MD5 LowerAlpha Numeric 1-8
> MD5 MixAlpha Numeric 1-7
>
> SHA1 MixAlpha Numeric 1-7
>
> MySQL 323 MixAlpha Numeric 1-7
>
> CiscoPIX MixAlpha Numeric 1-7
>
> We're almost done generation of MD4, and MySQL SHA1 tables.
>
>
> Should have some articles in Information soon, basically information on what
> to do to leverage knowing hashes. (And how to get the hashes in the first
> place.)
>
>
> For you pen tester fellows, we will be offering the tables for sale to you
> guys, as well as registered businesses, prices should be up later.
>
> -Regards,
>
> Travis
> </spam>


------------------------------

Message: 19
Date: Wed, 2 Nov 2005 00:29:26 -0500 (EST)
From: "Steven M. Christey" <coley@...re.org>
Subject: [Full-disclosure] On Interpretation Conflict Vulnerabilities
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Message-ID: <200511020529.jA25TQJd018891@...us.mitre.org>


In a post "SEC-CONSULT-SA-20051021-0: Yahoo/MSIE XSS", Bernhard
Mueller said:

>SEC-Consult believes that input-validation thru blacklists can just be
>a temporary solution to problems like this. From our point of view
>there are many other applications vulnerable to this special type of
>problem where vulnerabilities of clients and servers can be combined.
>
>...
>
>  Excerpt from HTML-mails:
>
>  ========================================================================
>  SCRIPT-TAG:
>  --cut here---
>  <h1>hello</h1><s[META-Char]cript>alert("i have you
>  now")</s[META-Char]cript></br>rrrrrrxxxxx<br>
>  ---cut here---
>
>...
>
>Recommended hotfixes for webmail-users
>---------------
>
>Do not use MS Internet-Explorer.


This falls under a class of vulnerabilities that I refer to as either
"interpretation conflicts" or "multiple interpretation errors"
depending on what time it is, though I'm leaning toward interpretation
conflicts.

These types of problems frequently occur with products that serve as
intermediaries, proxies, or monitors between other entities - such as
antivirus products, web proxies, sniffers, IDSes, etc.

They are a special type of interaction error in which one product (in
this case, Yahoo email) performs reasonable actions but does not
properly model all behaviors of another product that it's interacting
with (in this case, Internet Explorer ignoring unusual characters
right in the middle of HTML tags).  The intermediary/proxy/monitor
then becomes a conduit for exploitation due to the end product's
unexpected behavior.

Some examples:

  - Ptacek/Newsham's famous IDS evasion paper used interpretation
    conflicts to prevent IDSes from properly reconstructing network
    traffic as it would be processed by end systems.

  - Many of the Anti-Virus evasion techniques you see these days
    involve interpretation conflicts - e.g. the magic byte problem,
    multiple content-type headers, and so on

  - The recent problem with phpBB and others, because they did not
    account for how Internet Explorer renders HTML in corrupted .GIF
    images, is another example of an interpretation conflict.

  - Many unusual XSS manipulations are due to interpretation conflicts
    in which one web browser supports a non-standard feature that
    others do not.  Netscape had an unusual construct - something like
    "&{abc}" - that even a whitelist might not catch.

In my opinion, the "responsibility" for avoiding interpretation
conflicts falls with:

  - the intermediaries/proxies/monitors if the problem involves an
    incomplete model of *normal*, reasonable, and/or standards
    compliant behavior

  - the end products, if the end product behavior does not conform
    with established standards

  - the standards or protocols, if they are defined in ways that are
    too vague or flexible

However, if the end products already exhibit unexpected behaviors, the
reality is that intermediaries are forced into anticipating all
possible interpretation conflicts, and blamed if they do not.


Mueller also said:

>  Do not use blacklists on tags and attributes. Whitelist
>  special/meta-characters.

Whitelists, while better than blacklists, can still be too permissive.
This is especially the case with interpretation conflicts.


As I've suggested previously, Jon Postel's wisdom "Be liberal in what
you accept, and conservative in what you send" has been a boon to the
growth of networking, but blind adherence to this wisdom is a
dangerous enabler of subtle vulnerabilities that will prevent us from
ever having full control over the data that crosses our networks.

- Steve
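An added example, not from the post, that models the conflict in Mueller's excerpt: a blacklist that inspects the raw input passes "<s[META-Char]cript>", while the same blacklist applied to the consumer's canonical view of the data catches it. The NUL byte standing in for [META-Char], and the set of characters the consumer is taken to discard, are assumptions made for this illustration only.

```python
"""Interpretation conflict: the intermediary's view versus the consumer's view.

Added example, not from the post. The intermediary (a webmail filter) blacklists
"<script" on the bytes it receives. The consumer (the browser) is modelled as
discarding certain characters it meets inside markup, so "<s?cript>" reaches
it as "<script>". The discarded-character set and the NUL byte used in place
of "[META-Char]" are constructed assumptions, not a statement about any browser.
"""
import re

# Assumption for the illustration: characters the consumer silently drops.
CONSUMER_IGNORED = frozenset({"\x00"})

# Constructed payload in the shape of the excerpt quoted in the post,
# with NUL where the excerpt writes [META-Char].
SAMPLE = ('<h1>hello</h1><s\x00cript>alert("i have you now")'
          '</s\x00cript></br>rrrrrrxxxxx<br>')

_BLACKLIST = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def consumer_view(html):
    """Model of the end product: the markup the browser actually parses after
    dropping the characters it ignores. This is the 'behavior of another
    product' the intermediary has to reproduce faithfully."""
    return "".join(ch for ch in html if ch not in CONSUMER_IGNORED)


def blacklist_raw(html):
    """Naive intermediary: blacklist applied to the raw input. True = blocked."""
    return _BLACKLIST.search(html) is not None


def blacklist_canonical(html):
    """Intermediary that canonicalizes to the consumer's view first, so the
    decision is taken on the same bytes the consumer will act on."""
    return _BLACKLIST.search(consumer_view(html)) is not None


def has_conflict(html, decide):
    """True when `decide` passes the input but would have blocked the
    consumer's view of it: the two products disagree about what was sent."""
    return (not decide(html)) and decide(consumer_view(html))


if __name__ == "__main__":
    for name, decide in (("raw", blacklist_raw), ("canonical", blacklist_canonical)):
        verdict = "blocked" if decide(SAMPLE) else "passed"
        agreement = "conflict" if has_conflict(SAMPLE, decide) else "consistent"
        print(f"{name:9s} {verdict:7s} {agreement}")
```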


------------------------------

Message: 20
Date: Wed, 2 Nov 2005 13:40:59 +0800
From: "Native.Code" <native.code@...il.com>
Subject: Re: [Full-disclosure] how to describe this tool ?
To: news-letters <news-letters@...ewin.ch>
Cc: full-disclosure@...ts.grok.org.uk
Message-ID:
	<8dc64e550511012140j1ca7caf3q30906c526e0e48c3@...l.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Depends on the use you put it to. I will call it an auditing tool.


 On 11/2/05, news-letters <news-letters@...ewin.ch> wrote:
>
> Hi list,
>
> I have a perl script I'd like to release (GPL), but I don't really know
> how to describe it.
>
> To make it short, here's a session on one (remote) machine (but it's
> intended to be run on IP ranges with mostly Windows hosts).
>
> <sample>
> Starting script.pl ...
>
> searching hosts in 192.168.0.100 ...
>
> found 192.168.0.100 : BRAIN
>
>
> starting information gathering on BRAIN
>
> getting OS version ...
> TCP port scanning ...
> UDP port scanning ...
> Getting process list ...
> Getting services list ...
> Getting drive list ...
> Getting share list ...
> Getting installed applications list ...
>
> Creating naudit_report_192.168.0.100.html ... (printable)
> Creating report for 192.168.0.100 ... (browsable)
>
> done. Completed in 8.004 seconds
> </sample>
>
> and attached is a sample (printable) report.
>
> Is this an:
>
> enumeration tool?
> auditing tool?
>
> Any idea ?
>
> Have a nice day.
>
> Simon
>

------------------------------


End of Full-Disclosure Digest, Vol 9, Issue 3
*********************************************
