lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <71FB705FD99C7F4FB6BA716C66FFEC92023652BD@AZ18EV802.global.ds.honeywell.com>
Date: Wed Nov  2 14:39:24 2005
From: Tino.Martinez2 at Honeywell.com (Martinez, Tino (Tempe))
Subject: RE: Full-Disclosure Digest, Vol 9, Issue 3

Yes 

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of full-disclosure-request@...ts.grok.org.uk
Sent: Tuesday, November 01, 2005 10:42 PM
To: full-disclosure@...ts.grok.org.uk
Subject: Full-Disclosure Digest, Vol 9, Issue 3

Send Full-Disclosure mailing list submissions to
	full-disclosure@...ts.grok.org.uk

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.grok.org.uk/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
	full-disclosure-request@...ts.grok.org.uk

You can reach the person managing the list at
	full-disclosure-owner@...ts.grok.org.uk

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."


Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you.


Today's Topics:

   1. Snort Back Orifice Preprocessor Exploit (Win32	targets) (Kira)
   2. Re: RFID docs & tools ? (Eric Auge)
   3. Re: readdir_r considered harmful (Ben Hutchings)
   4. RE: RE: Full-Disclosure Digest, Vol 8, Issue 48 (Martijn Lievaart)
   5. Re: Re: [Full-disclosure] new IE bug (confirmed on ALL
      windows) (unknown unknown)
   6. Re: Comparing Algorithms On The List	OfHard-to-brut-force?
      (Andrew Farmer)
   7. Re: Comparing Algorithms On The List	OfHard-to-brut-force?
      (James Longstreet)
   8. Gateway 7001 A/B/G AP: Selection of improper regulatory
      domains and channels (Andrew Lockhart)
   9. Re: new IE bug (confirmed on ALL windows) (Greg)
  10. Re: new IE bug (confirmed on ALL windows) (Greg)
  11. Re: readdir_r considered harmful (Ben Hutchings)
  12. Cisco Security Advisory: Cisco IPS MC Malformed	Configuration
      Download Vulnerability
      (Cisco Systems Product Security Incident Response Team)
  13. RE: new IE bug (confirmed on ALL windows) (ad@...ss101.org)
  14. New Online RainbowCrack Engine (MR BABS)
  15. MDKSA-2005:202 - Updated squirrelmail packages	fix
      vulnerability (Mandriva Security Team)
  16. MDKSA-2005:203 - Updated gda2.0 packages fix	string format
      vulnerability (Mandriva Security Team)
  17. MDKSA-2005:204 - Updated wget packages fix	vulnerability
      (Mandriva Security Team)
  18. Re: New Online RainbowCrack Engine (str0ke)
  19. On Interpretation Conflict Vulnerabilities (Steven M. Christey)
  20. Re: how to describe this tool ? (Native.Code)


----------------------------------------------------------------------

Message: 1
Date: Tue, 1 Nov 2005 17:32:04 +0700
From: Kira <trir00t@...il.com>
Subject: [Full-disclosure] Snort Back Orifice Preprocessor Exploit
	(Win32	targets)
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Message-ID:
	<ca67aa9e0511010232p5af56ddbja8fe6c02817fe2d3@...l.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Dear All

I wrote Snort Back Orifice Preprocessor Exploit for Win32 targets. It's for
educational purpose only.
This exploit was tested on

- Snort 2.4.2 Binary + Windows XP Professional SP1
- Snort 2.4.2 Binary + Windows XP Professional SP2
- Snort 2.4.2 Binary + Windows Server 2003 SP1
- Snort 2.4.2 Binary + Windows Server 2000 SP0
- Snort 2.4.2 Bianry + Windows 2000 Professional SP0

Note 01: This exploit was written in form of MetaSploit module, so you need
metasploit to launch it.
Note 02: The exploit's quite reliable, but if it doesn't work on your
machine, try to find address of 'jmp esp' instruction and replace it to the
old return address.

Regards,

Kira
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051101/5314e92e/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort_bo_overflow_win32.pm
Type: application/octet-stream
Size: 3507 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051101/5314e92e/snort_bo_overflow_win32-0001.obj

------------------------------

Message: 2
Date: Tue, 01 Nov 2005 10:52:09 +0100
From: Eric Auge <eau@...ar.org>
Subject: [Full-disclosure] Re: RFID docs & tools ?
To: full-disclosure@...ts.grok.org.uk
Cc: wifisec@...urityfocus.com, pen-test@...urityfocus.com
Message-ID: <43673AC9.3040302@...ar.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

http://openmrtd.org/

Eric.

Mark Sec wrote:
> Alo folks,
> 
> 
> Well , does anyone know links to buy "lectors" RFID ?
> 
> I would like to do a "PoCs" on Hacking RFID , also i need tools,
> pappers, PoCs & links related with this.
> 
> thanks :-)
> 
> 
> - Mark
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 



------------------------------

Message: 3
Date: Tue, 01 Nov 2005 13:02:45 +0000
From: Ben Hutchings <ben@...adentplace.org.uk>
Subject: Re: [Full-disclosure] readdir_r considered harmful
To: 3APA3A <3APA3A@...URITY.NNOV.RU>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Message-ID: <1130850165.1980.7.camel@...alhost>
Content-Type: text/plain; charset="us-ascii"

3APA3A wrote:
> Dear Ben Hutchings,
> 
> 
> If  someone  uses pathconf to determine buffer size it's his own problem
> and  he creates vulnerability by himself. You can list such applications
> as vulnerable to race conditions.
<snip>
> NAME_MAX  is  defined  in limits.h and should be 255 according to latest
> POSIX extension. I see no problem with POSIX standard in this case.
> 
> See:
> http://www.opengroup.org/onlinepubs/009695399/basedefs/limits.h.html
<snip>

If you had read the above page more carefully, you would have seen these
paragraphs:

"The values in the following list may be constants within an
implementation or may vary from one pathname to another. For example,
file systems or directories may have different characteristics.

"A definition of one of the values shall be omitted from the <limits.h>
header on specific implementations where the corresponding value is
equal to or greater than the stated minimum, but where the value can
vary depending on the file to which it is applied. The actual value
supported for a specific pathname shall be provided by the pathconf()
function."

-- 
Ben Hutchings
When you say `I wrote a program that crashed Windows', people just stare ...
and say `Hey, I got those with the system, *for free*'. - Linus Torvalds
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051101/cc6a76f7/attachment-0001.bin

------------------------------

Message: 4
Date: Tue, 1 Nov 2005 15:56:40 +0100 (CET)
From: "Martijn Lievaart" <m@...j.nl>
Subject: RE: [Full-disclosure] RE: Full-Disclosure Digest, Vol 8,
	Issue 48
To: full-disclosure@...ts.grok.org.uk
Message-ID: <40591.217.166.60.19.1130857000.squirrel@...rtij.nl>
Content-Type: text/plain; charset=iso-8859-1

Nick FitzGerald zei:
> Martijn Lievaart wrote:
>
>> Hihi, clamav cought that... :-]
>
> Your point?

I thought this thread was about evading virusscanners. So modifying a
batch virus and pasting it in the middle of an email does not fool at
least one virusscanner, fwiw. One can argue it is a false positive though.

> Once upon a time it "cought" the GPL as a virus too...

That is one virus I *want* to propagate. :-)

M4





------------------------------

Message: 5
Date: Tue, 1 Nov 2005 17:42:15 +0000
From: unknown unknown <unknown.pentester@...il.com>
Subject: Re: Re: [Full-disclosure] new IE bug (confirmed on ALL
	windows)
To: full-disclosure@...ts.grok.org.uk
Message-ID:
	<b7a807650511010942jb84e1a5k507ae1a5bb391a52@...l.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Mini version of IECrash confirmed IE 6.0 Windows XP Pro SP2 (English
version)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051101/3c380980/attachment-0001.html

------------------------------

Message: 6
Date: Tue, 1 Nov 2005 10:55:31 -0800
From: Andrew Farmer <andfarm@...il.com>
Subject: Re: [Full-disclosure] Comparing Algorithms On The List
	OfHard-to-brut-force?
To: Brandon Enright <bmenrigh@...d.edu>
Cc: full-disclosure@...ts.grok.org.uk
Message-ID: <D0941C4D-BE84-4156-8275-2C9C3FE090E0@...il.com>
Content-Type: text/plain; charset="us-ascii"

On 01 Nov 05, at 10:11, Brandon Enright wrote:
> Brute forcing an algorithm suggests that you are not attacking a  
> weakness or
> known flaw in the algorithm but rather just running through the  
> keyspace
> trying to recover the plaintext.  In that case, whichever allows  
> you to use
> the most bits is what you want.

Note that the encryption speed of an algorithm is *not* a significant  
factor
in the time taken to brute-force it, except for extremely small  
keyspaces!
Remember that the time taken to brute-force an N-bit algorithm that  
takes K
seconds per encryption is, on average

         N
    K * 2

which increases much more rapidly with N than it does with K. Adding  
even one
more bit will double the average time taken to brute-force an  
algorithm, while
using a slower algorithm will only increase the difficulty marginally.

Also note that anything beyond 256 bits is silly. Brute-forcing a 256- 
bit
algorithm can be shown to be PHYSICALLY impossible, so there's no  
reason to
go anywhere beyond that.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051101/d90d6a8d/PGP-0001.bin

------------------------------

Message: 7
Date: Tue, 1 Nov 2005 13:04:16 -0600
From: James Longstreet <jlongs2@....edu>
Subject: Re: [Full-disclosure] Comparing Algorithms On The List
	OfHard-to-brut-force?
To: full-disclosure@...ts.grok.org.uk
Message-ID: <576B0A1B-3A88-4F1A-9705-A2D122F68FC0@....edu>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed


On Nov 1, 2005, at 12:11 PM, Brandon Enright wrote:

> IIRC, there aren't any good known attacks against Blowfish, AES, or  
> Twofish
> so the *RIGHT* algorithm is whatever works best for your application.

Depending on the situation, there may be a feasible cache-timing  
attack on software implementations of AES: http://cr.yp.to/ 
antiforgery/cachetiming-20050414.pdf



------------------------------

Message: 8
Date: Tue, 01 Nov 2005 12:15:19 -0700
From: Andrew Lockhart <alockhart@...workchemistry.com>
Subject: [Full-disclosure] Gateway 7001 A/B/G AP: Selection of
	improper regulatory domains and channels
To: <bugtraq@...urityfocus.com>,	"full-disclosure@...ts.grok.org.uk"
	<full-disclosure@...ts.grok.org.uk>
Message-ID: <BF8D0CD7.EB9%alockhart@...workchemistry.com>
Content-Type: text/plain;	charset="US-ASCII"

Issue: Gateway 7001 AP allows selection of restricted 802.11a/b/g channels
Author: Network Chemistry Labs <labs at networkchemistry dot com>
Vendor: Gateway 
Products: Gateway 7001 802.11 A/B/G Dual Band Wireless Access Point
Type: Input Validation
Exploit: Not required


I. Intro
The IEEE 802.11 family of standards define the channels that a
device is allowed to operate on for specific geographic regions in
order to comply with different country's radio frequency usage
regulations.


II. Vulnerability

The web management interface for the Gateway 7001 A/B/G AP contains an
input validation vulnerability that allows anyone authenticated
with the device's built-in web server to configure the device to
use channels not regulated for 802.11a/b/g use in their geographic
region.  The potential impact is that a user could configure the
device to operate outside the allocated bandwidth for 802.11
within their country, thus causing interference to other radio
systems.  In addition, the device will not be visible to other
802.11 devices operating in the area.


III. Details

The IEEE 802.11 standards provide guidance on the channels that a
device may operate on in order to comply with a country's radio
frequency usage regulations.  As is common on many access points,
the Gateway 7001 A/B/G AP provides a web based interface for configuring
the device.  This can be used to set the channel that the AP
operates on.

The POST form in the web-management interface used to set the
channel includes a form element called "RegulatoryDomain."
Through experimentation it appears that this parameter affects
input validation operations on the channel supplied in the
request. For example, if the regulatory domain parameter is set to
FCC, then the device's firmware will only change channels if the
channel value in the request is from 1 to 11.  Anything outside
this range, such as channel 13 (a European channel), will be
rejected.

However, if the regulatory domain parameter is changed, then the
firmware will allow the device's channel to be changed to any
channel allowed in the specified domain.  This can cause the
device to create interference with non-802.11 devices in the
vicinity as well as allow devices to be configured to elude 802.11
security walk-throughs by operating on frequencies that the
detection equipment is incapable of monitoring.


IV. Demonstration

In addition to POST requests, the web interface will accept the
same parameters in the form of a GET requeset. The web-based
management software for the Gateway 7001 A/B/G AP uses a request string
of the following form to set configuration parameters:

http://192.168.2.1/index.cgi?r1Mode=IEEE+802.11g&r1RegulatoryDomain=FCC&r1Ch
annel=1&r2Mode=IEEE+802.11a&r2RegulatoryDomain=FCC&r2Channel=36&r1b1s1Ssid=N
etChemLabs&r1b2s1Ssid=NetChemLabs-Guest&page=wireless.html&Update=Update

To change the frequencies of operation available all that needs to
be done is to simply change the RegulatoryDomain parameter.  For
instance to operate on Japanese channels, the string "FCC" would
be changed to "MKK."  This allows the channel parameters
corresponding to the 802.11b/g and 802.11a radios to be changed to
channels such as 14 and 34 respectively, which the management
software will apply to the underlying hardware:

http://192.168.2.1/index.cgi?r1Mode=IEEE+802.11g&r1RegulatoryDomain=MKK&r1Ch
annel=14&r2Mode=IEEE+802.11a&r2RegulatoryDomain=MKK&r2Channel=34&r1b1s1Ssid=
NetChemLabs+&r1b2s1Ssid=NetChemLabs-Guest&page=wireless.html&Update=Update

It was also verified that European channels were settable when
changing the RegulatoryDomain parameter to "ETSI."  To verify that
the device is indeed operating on non-FCC channels, special 802.11
sensor hardware was used to monitor the device on the specified
channels.

The Gateway 7001 A/B/G AP makes use of DeviceScape's Instant802 Wireless
Infrastructure Platform for configuration and management.  It is
unknown at this time whether this issue affects other devices
utilizing this software, due to the fact that we have only tested
the Gateway 7001 A/B/G AP at this point. Gateway also produces an
802.11 b/g version of the Gateway 7001 AP.  It is also unknown whether
this model is affected.

It should be noted that Gateway does not provide a firmware upgrade
for the affected AP.


V. Timeline

10/21 - Contacted Gateway: No response received
10/21 - Contacted DeviceScape: No response received
10/4 - Contacted Gateway: No response received
9/28 - Contacted DeviceScape to confirm they had observed the issue: No
reponse received
9/26 - Contacted Gateway: No response received
9/21 - Made contact with Gateway Support: told someone would follow-up
9/20 - Received follow-up response from DeviceScape
9/19 - Made contact with DeviceScape


VI. References

Gateway 7001 A/B/G AP product support page:
http://support.gateway.com/s/Servers/COMPO/NETWORK/7005082/7005082nv.shtml

Instant802 WIP product page:
http://www.devicescape.com/products/wip_landing.php


--
Andrew Lockhart <alockhart@...workchemistry.com>
Security Analyst, Network Chemistry
PGP Key ID: 58369156
Fingerprint: 0AE1 E826 1922 5453 2B34  E1AA F524 D20B 5836 9156



------------------------------

Message: 9
Date: Wed, 2 Nov 2005 07:31:57 +1100
From: "Greg" <full-disclosure@...andyman.com.au>
Subject: Re: [Full-disclosure] new IE bug (confirmed on ALL windows)
To: <full-disclosure@...ts.grok.org.uk>
Message-ID: <005601c5df23$4eaa9a20$5601010a@P4>
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
	reply-type=original


----- Original Message ----- 
From: <ad@...ss101.org>
To: <full-disclosure@...ts.grok.org.uk>
Sent: Wednesday, November 02, 2005 4:00 AM
Subject: [Full-disclosure] new IE bug (confirmed on ALL windows)


>I think I have found by chance this weekend a security bug,while browsing
> the website news, within iexplorer on all windows versions.
>

Sorry to be the "Negative Nark" here but yes, the crash works on IESP2 with 
XPSP2 but NO it does NOT crash WIN98SE with IESP2. The 98SE box was 
networked through ICS (wired to this XP box then wi-fi to a router) and has 
no firewall of it's own. This XP box through which the 98SE box gets it's 
internet is in the router's DMZ and uses only Zone Alarm Pro, just for 
clarity.

So, in essence the "confirmed on all windows" is wrong.

Greg. 



------------------------------

Message: 10
Date: Wed, 2 Nov 2005 07:42:02 +1100
From: "Greg" <full-disclosure@...andyman.com.au>
Subject: Re: [Full-disclosure] new IE bug (confirmed on ALL windows)
To: <full-disclosure@...ts.grok.org.uk>
Message-ID: <006301c5df24$b6eba380$5601010a@P4>
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
	reply-type=response


----- Original Message ----- 
From: "Greg" <full-disclosure@...andyman.com.au>
To: <full-disclosure@...ts.grok.org.uk>
Sent: Wednesday, November 02, 2005 7:31 AM
Subject: Re: [Full-disclosure] new IE bug (confirmed on ALL windows)


> Sorry to be the "Negative Nark" here but yes, the crash works on IESP2 
> with XPSP2 but NO it does NOT crash WIN98SE with IESP2. The 98SE box was 
> networked through ICS (wired to this XP box then wi-fi to a router) and 
> has no firewall of it's own. This XP box through which the 98SE box gets 
> it's internet is in the router's DMZ and uses only Zone Alarm Pro, just 
> for clarity.
>
> So, in essence the "confirmed on all windows" is wrong.
>

Sorry about the typo. Of course I meant IE6SP2 above where I typed IESP2. 
Lesson learned - don't go typing things like that after about 6 hours sleep 
in the last 48! Never work for yourself. The boss is a &*^%!!

Greg. 



------------------------------

Message: 11
Date: Tue, 01 Nov 2005 20:16:42 +0000
From: Ben Hutchings <ben@...adentplace.org.uk>
Subject: [Full-disclosure] Re: readdir_r considered harmful
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Message-ID: <1130876202.1994.60.camel@...alhost>
Content-Type: text/plain; charset="us-ascii"

I wrote:
> readdir_r considered harmful
> ============================

A second revision of this advisory (and any future revisions) can be
found at <http://womble.decadentplace.org.uk/readdir_r-advisory.html>.
I have updated the recommendations to cover HP-UX and Tru64 properly.

Ben.

-- 
Ben Hutchings
When you say `I wrote a program that crashed Windows', people just stare ...
and say `Hey, I got those with the system, *for free*'. - Linus Torvalds
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051101/cb7f26cf/attachment-0001.bin

------------------------------

Message: 12
Date: Tue, 01 Nov 2005 16:50:22 -0500
From: Cisco Systems Product Security Incident Response Team
	<psirt@...co.com>
Subject: [Full-disclosure] Cisco Security Advisory: Cisco IPS MC
	Malformed	Configuration Download Vulnerability
To: full-disclosure@...ts.grok.org.uk
Cc: psirt@...co.com
Message-ID: <200511011650.ipsmc@...rt.cisco.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Cisco Security Advisory: 
========================
Cisco IPS MC Malformed Configuration Download Vulnerability
===========================================================

Document ID: 68065

Revision 1.0

Last Updated

For Public Release 2005 November 1 2000 UTC (GMT)

- -----------------------------------------------------------------------

Contents
========

    Summary
    Affected Products
    Details
    Impact
    Software Versions and Fixes
    Obtaining Fixed Software
    Workarounds
    Exploitation and Public Announcements
    Status of This Notice: FINAL
    Distribution
    Revision History
    Cisco Security Procedures

- -----------------------------------------------------------------------

Summary
=======

The CiscoWorks VPN/Security Management Solution (VMS) is a network
management application that includes Web-based tools for configuring,
monitoring, and troubleshooting VPNs, firewalls, network intrusion
detection systems (NIDSs), network intrusion prevention systems (NIPSs)
and host intrusion prevention systems (HIPSs). CiscoWorks VMS also
includes network device inventory, change audit, and software
distribution features.

An issue exists in one of the components of the Cisco Management Center
for IPS Sensors (IPS MC) v2.1 during the generation of the Cisco IOS
IPS (Intrusion Prevention System) configuration file that may result in
some signatures belonging to certain classes being disabled during the
configuration deployment process.

Cisco has made a free software patch available to address this
vulnerability for affected customers.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20051101-ipsmc.shtml.

Affected Products
=================

Vulnerable Products
+------------------

  * Cisco IOS IPS devices that have been configured by IPS MC v2.1.

Products Confirmed Not Vulnerable
+--------------------------------

  * Cisco IOS IPS devices that have NOT been configured by IPS MC v2.1.
    This category includes Cisco IOS IPS devices that have been
    configured by using any of the following methods:
      + Cisco IDS MC (Management Center for IDS Sensors)
      + Cisco SDM (Security Device Manager)
      + Cisco IOS CLI (Command Line Interface)
  * Any other Cisco IDS/IPS solution, configured by either Cisco IPS MC
    v2.1, Cisco IDS MC (any version), Cisco SDM (any version) or by
    using the Cisco IOS CLI. These include:
      + Cisco IOS IDS
      + Cisco PIX/ASA IDS
      + Cisco IPS 4200 Series Sensors
      + Cisco Catalyst 6500/7600 Series Intrusion Detection System
        (IDSM-2) Module
      + Cisco IDS Network Module (NM-CIDS-K9)
      + Cisco ASA Advanced Inspection and Prevention (AIP) Security
        Services Module

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
=======

Some Cisco routers running Cisco IOS include a feature called Cisco IOS
IPS. The Cisco IOS IPS acts as an in-line intrusion protection sensor,
watching packets and sessions as they flow through the router and
scanning each packet to match any of the Cisco IOS IPS signatures that
have been enabled on the device configuration. When it detects
suspicious activity, it responds before network security can be
compromised and logs the event through Cisco IOS syslog messages or
Security Device Event Exchange (SDEE). The network administrator can
configure Cisco IOS IPS to choose the appropriate response to various
threats.

Customers can use multiple methods, including Cisco IPS MC, Cisco IDS
MC, Cisco SDM and the Cisco IOS CLI, to enable, disable and configure
Cisco IOS IPS signatures. Some signatures dealing with TCP or UDP
traffic analyze traffic destined to specific ports. Those ports are
pre-configured with default values, and some signatures might allow
changes to the list of ports to be monitored.

If the Cisco IOS IPS devices have been configured by using the Cisco
IPS MC v2.1, the Cisco IPS MC might download a configuration file to
the device that does not contain a value for the port field in one or
more signatures, resulting in the affected Cisco IOS IPS device
disabling those signatures. Only signatures using either the STRING.TCP
or STRING.UDP signature micro-engine (SME) are affected by this
vulnerability. Additionally, this behavior only happens if those
signatures were enabled and configured from the Cisco IPS MC GUI ;
signatures belonging to the STRING.TCP or STRING.UDP SMEs that were
previously configured on the device and imported into the Cisco IPS MC
will not experience this issue.

The list of signatures currently loaded into a Cisco IOS IPS device and
their status can be obtained by executing the "show ip ips signatures"
command. The following abbreviated output shows signatures currently
loaded into the device, both enabled and disabled:

 Router#show ip ips signatures
 Builtin signatures are configured
 Signatures were last loaded from flash:128MB.sdf

 Cisco SDF release version 128MB.sdf v4

 Trend SDF release version V0.0

 *=Marked for Deletion  Action=(A)larm,(D)rop,(R)eset   Trait=AlarmTraits
 MH=MinHits             AI=AlarmInterval                CT=ChokeThreshold
 TI=ThrottleInterval    AT=AlarmThrottle                FA=FlipAddr
 WF=WantFrag

 Signature Micro-Engine: OTHER (4 sigs)
  SigID:SubID On Action  Sev Trait     MH    AI    CT    TI AT FA WF Version
  ----------- -- ------ ---- -----  ----- ----- ----- ----- -- -- -- -------
   1201:0      Y   A    HIGH     0      0     0    30    15 FA  N  N 2.2.1.5
   1202:0      Y   A    HIGH     0      0     0   100    15 FA  N  N 2.2.1.5
   1203:0      Y   A    HIGH     0      0     0    30    15 FA  N  N 2.2.1.5
   3050:0      Y   A    HIGH     0      0     0     0    15 FA  N    1.0

 Signature Micro-Engine: STRING.ICMP (1 sigs)
  SigID:SubID On Action  Sev Trait     MH    AI    CT    TI AT FA WF Version
  ----------- -- ------ ---- -----  ----- ----- ----- ----- -- -- -- -------
   2156:0      Y   A     MED     0      0     0     0    15 FA  N    S54

 Signature Micro-Engine: STRING.UDP (16 sigs)
  SigID:SubID On Action  Sev Trait     MH    AI    CT    TI AT FA WF Version
  ----------- -- ------ ---- -----  ----- ----- ----- ----- -- -- -- -------
   4060:0      Y   A     MED     0      0     0     0    15 FA  N    S10
   4060:1      Y   A     MED     0      0     0     0    15 FA  N    S173
   4607:0      Y   A    HIGH     0      0     0     0    15 FA  N    S30
   4607:1      Y   A    HIGH     0      0     0     0    15 FA  N    S30
   4607:2      Y   A    HIGH     0      0     0     0    15 FA  N    S30
   4607:3      Y   A    HIGH     0      0     0     0    15 FA  N    S30
   4607:4      Y   A    HIGH     0      0     0     0    15 FA  N    S30
   4608:0      N   A    HIGH     0      1     0     0    15 FA  N    S30
   4608:1      Y   A    HIGH     0      1     0     0    15 FA  N    S30
   4608:2      Y   A    HIGH     0      1     0     0    15 FA  N    S30
  11000:0      N   A     LOW     0      0     0     0    15 FA  N    S37
  11000:1      Y   A     LOW     0      0     0     0    15 FA  N    S37
  11000:2      Y   A     LOW     0      0     0     0    15 FA  N    S136
  11207:0      Y   A    INFO     0      0     0     0    15 FA  N    S139
  11208:0      Y   A    INFO     0      0     0     0    15 FA  N    S139
  11209:0      Y   A    INFO     0      0     0     0    15 FA  N    S139

 Signature Micro-Engine: STRING.TCP (60 sigs)
  SigID:SubID On Action  Sev Trait     MH    AI    CT    TI AT FA WF Version
  ----------- -- ------ ---- -----  ----- ----- ----- ----- -- -- -- -------
   3116:0      Y   A    HIGH     0      1     0     0    15 FA  N    S12
   3117:0      N   A     LOW     0      1     0     0    15 FA  N    S13
   3117:1      Y   A     LOW     0      1     0     0    15 FA  N    S13
   3120:0      Y   A     LOW     0      1     0     0    15 FA  N    S13
   3120:1      Y   A     LOW     0      1     0     0    15 FA  N    S13
   3132:0      Y   A    HIGH     0      1     0     0    15 FA  N    S67
   3132:1      Y   A    HIGH     0      1     0     0    15 FA  N    S67
   3135:0      Y   A    HIGH     0      1     0     0    15 FA  N    S73
   3137:1      Y   A    HIGH     0      1     0     0    15 FA  N    S83
   3137:2      Y   A    HIGH     0      1     0     0    15 FA  N    S128
   3141:0      Y   A    HIGH     0      1     0     0    15 FA  N    S94
   3142:1      Y   A    HIGH     0      1     0     0    15 FA  N    S92
   3152:0      Y   A     MED     0      1     0     0    15 FA  N    2.1.1
   3450:0      Y   A     LOW     0      1     0     0    15 FA  N    1.0
   5570:0      Y   A R  HIGH     0      1     0     0    15 FA  N    S185
   5571:0      Y   A R  HIGH     0      1     0     0    15 FA  N    S185
   9479:0      Y   A    HIGH     0      1     0     0    15 FA  N    S104
   9480:0      Y   A    HIGH     0      1     0     0    15 FA  N    S104
   9481:0      Y   A    HIGH     0      1     0     0    15 FA  N    S104
   9482:0      Y   A    HIGH     0      1     0     0    15 FA  N    S104
   9483:0      Y   A    HIGH     0      1     0     0    15 FA  N    S104
  --More--



Any signature with a capital N under the 'On' column is DISABLED, while
any signature with a capital Y under the same column is ENABLED. In
this example, signatures 4608:0 and 11000:0 (belonging to the
STRING.UDP SME), and signature 3117:0 (belonging to the STRING.TCP SME)
are listed as disabled. For each signature listed as disabled in the
output of the "show ip ips signatures" command, a corresponding 
"ip ips signature <SigID> <SubsigID> disable" command should be visible 
on the running configuration. This is an example of the 
"show running-configuration" command, using a filter to only display
configuration lines belonging to signatures that have been disabled:

    Router#show running-config | include ip ips signature .* disable
    ip ips signature 11000 0 disable
    ip ips signature 4608 0 disable
    ip ips signature 3117 0 disable
    Router#


This vulnerability is documented in the Cisco Bug Toolkit as Bug ID
CSCsc33696. 

Impact
======

While this is not a vulnerability in the Cisco IOS IPS code itself, in
the processing performed by Cisco IOS IPS on traffic traversing the
device, or in the Cisco IPS MC v2.1, this vulnerability might result in
an incomplete analysis of network traffic traversing the Cisco IOS IPS
device, which could allow some attacks to go unnoticed.

Software Versions and Fixes
===========================

When considering software upgrades, please also consult 
http://www.cisco.com/en/US/products/products_security_advisories_listing.html
and any subsequent advisories to determine exposure and a complete
upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") for assistance.

Cisco has developed a software fix for this vulnerability. Once the fix
is applied to a VMS server running IPS MC v2.1, the IPS MC will
correctly populate the port field attached to a signature using either
the STRING.TCP or STRING.UDP SME. Additional steps will be required to
be performed. Please read the README file published together with the
software fix.

In order to obtain this software fix, customers should access the VMS
Software download page for IDS MC and IPS MC, available at 
http://www.cisco.com/pcgi-bin/tablebuild.pl/mgmt-ctr-ids-app. 
The fix consists of the following three files:

  * idsmdc2.1.0-win-CSCsc336961.tar - this file contains the fix itself
    for IPS MC v2.1 running on the Windows operating system.
  * CSCOids2.1.0-sol-CSCsc336961.tar - this file contains the fix
    itself for IPS MC v2.1 running on the Solaris operating system.
  * CSCsc33696-README.txt - this file contains instructions on how to
    apply the software fix to an affected IPS MC v2.1 installation
    (either Windows or Solaris) and any needed pre and post
    installation tasks to be carried out by the user.

Obtaining Fixed Software
========================

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.

Customers using Third-party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior
or existing agreement with third-party support organizations such as
Cisco Partners, authorized resellers, or service providers should
contact that support organization for assistance with the upgrade,
which should be free of charge.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@...co.com

Please have your product serial number available and give the URL of
this notice as evidence of your entitlement to a free upgrade. Free
upgrades for non-contract customers must be requested through the TAC.

Please do not contact either "psirt@...co.com" or
"security-alert@...co.com" for software upgrades.

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.

Customers may only install and expect support for the feature sets they
have purchased. By installing, downloading, accessing or otherwise
using such software upgrades, customers agree to be bound by the terms
of Cisco's software license terms found at 
http://www.cisco.com/public/sw-license-agreement.html, or as otherwise 
set forth at Cisco.com Downloads at 
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Workarounds
===========

There are no recommended workarounds for this vulnerability. Please see
the Obtaining Fixed Software section for appropriate solutions to
resolve this vulnerability.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.

This vulnerability was reported to Cisco by a customer.

Status of This Notice: FINAL
============================

THIS ADVISORY IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF
MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE ADVISORY OR
MATERIALS LINKED FROM THE ADVISORY IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS NOTICE AT ANY TIME.

A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at 
http://www.cisco.com/warp/public/707/cisco-sa-20051101-ipsmc.shtml.

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce@...co.com
  * first-teams@...st.org (includes CERT/CC)
  * bugtraq@...urityfocus.com
  * vulnwatch@...nwatch.org
  * cisco@...t.colorado.edu
  * cisco-nsp@...k.nether.net
  * full-disclosure@...ts.grok.org.uk
  * comp.dcom.sys.cisco@...sgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History
================

+----------------------------------------------------------+
|              |                 |                         |
| Revision 1.0 | 2005-November-1 | Initial public release  |
|              |                 |                         |
+----------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at 
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security 
notices. All Cisco security advisories are available at 
http://www.cisco.com/go/psirt.

- -----------------------------------------------------------------------

All contents are Copyright 1992-2005 Cisco Systems, Inc. All rights
reserved. 
- -----------------------------------------------------------------------

Updated: Nov 01, 2005                                Document ID: 68065

- -----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDZ+KGezGozzK2tZARAkDVAKDOXsdNfnhpR6CpADZVG/H/1yr6iQCguiYn
CdFv8GhqlFcXy38ur6sSN7I=
=Xc7B
-----END PGP SIGNATURE-----


------------------------------

Message: 13
Date: Wed, 2 Nov 2005 00:06:18 +0100
From: <ad@...ss101.org>
Subject: RE: [Full-disclosure] new IE bug (confirmed on ALL windows)
To: "'Greg'" <full-disclosure@...andyman.com.au>
Cc: full-disclosure@...ts.grok.org.uk
Message-ID: <000301c5df38$df7ad960$0400a8c0@...xp64>
Content-Type: text/plain;	charset="iso-8859-1"

Rofl... there is always someone to play with words...

-----Message d'origine-----
De?: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] De la part de Greg
Envoy??: mardi 1 novembre 2005 21:32
??: full-disclosure@...ts.grok.org.uk
Objet?: Re: [Full-disclosure] new IE bug (confirmed on ALL windows)


----- Original Message ----- 
From: <ad@...ss101.org>
To: <full-disclosure@...ts.grok.org.uk>
Sent: Wednesday, November 02, 2005 4:00 AM
Subject: [Full-disclosure] new IE bug (confirmed on ALL windows)


>I think I have found by chance this weekend a security bug,while browsing
> the website news, within iexplorer on all windows versions.
>

Sorry to be the "Negative Nark" here but yes, the crash works on IESP2 with 
XPSP2 but NO it does NOT crash WIN98SE with IESP2. The 98SE box was 
networked through ICS (wired to this XP box then wi-fi to a router) and has 
no firewall of it's own. This XP box through which the 98SE box gets it's 
internet is in the router's DMZ and uses only Zone Alarm Pro, just for 
clarity.

So, in essence the "confirmed on all windows" is wrong.

Greg. 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



------------------------------

Message: 14
Date: Tue, 1 Nov 2005 18:16:09 -0500
From: MR BABS <mrbabs@...il.com>
Subject: [Full-disclosure] New Online RainbowCrack Engine
To: full-disclosure@...ts.grok.org.uk
Message-ID:
	<7351b7a60511011516h45f53400xde9d126e7ecdbcc5@...l.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hey guys,
  Just finished everything up on RainbowCrack-Online, wasn't sure if anyone
would be interested, there's a membership fee, as servers, generation and
cracking machines are expensive, you guys know the score.
 Really nice collection of tables, you can take a look-see at
www.rainbowcrack-online.com <http://www.rainbowcrack-online.com/>.
Current sets include:
LanManager-All (all printable chars) 1-14 (the tables are 1-7, but view the
specs on LM hashing for more info)

NTLM MixAlpha Numeric 1-7
NTLM LowerAlpha Numeric 1-8

MD5 Alpha Numeric Symbol32 Space 1-7
MD5 LowerAlpha Numeric Symbol32 Space 1-7
MD5 LowerAlpha Numeric 1-8
MD5 MixAlpha Numeric 1-7

SHA1 MixAlpha Numeric 1-7

MySQL 323 MixAlpha Numeric 1-7

CiscoPIX MixAlpha Numeric 1-7

We're almost done generation of MD4, and MySQL SHA1 tables.

Should have some articles in Information soon, basically information on what
to do to leverage knowing hashes. (And how to get the hashes in the first
place.)
 For you pen tester fellows, we will be offering the tables for sale to you
guys, as well as registered businesses, prices should be up later.
 -Regards,
 Travis
</spam>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051101/a4bc4ba0/attachment-0001.html

------------------------------

Message: 15
Date: Tue, 01 Nov 2005 16:20:24 -0700
From: Mandriva Security Team <security@...driva.com>
Subject: [Full-disclosure] MDKSA-2005:202 - Updated squirrelmail
	packages	fix vulnerability
To: full-disclosure@...ts.grok.org.uk
Message-ID: <E1EX5QW-00032F-MT@...cury.mandriva.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2005:202
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : squirrelmail
 Date    : November 1, 2005
 Affected: Corporate 3.0
 _______________________________________________________________________
 
 Problem Description:
 
 A vulnerability in the way that SquirrelMail handled the $_POST
 variables was discovered.  If a user was tricked into visiting a
 malicious URL, the user's SquirrelMail preferences could be read or
 modified.
 
 This vulnerability is corrected in SquirrelMail 1.4.5 and the updated
 packages provide the latest stable version.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2095
 _______________________________________________________________________
 
 Updated Packages:
 
 Corporate 3.0:
 81cf3711a3faf9a95c69a8ece4962801  corporate/3.0/RPMS/squirrelmail-1.4.5-1.1.C30mdk.noarch.rpm
 20eb541402352ed58b6d9e0ffd051168  corporate/3.0/RPMS/squirrelmail-poutils-1.4.5-1.1.C30mdk.noarch.rpm
 c03a4c37539bd9e5aee916946c196366  corporate/3.0/SRPMS/squirrelmail-1.4.5-1.1.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 81cf3711a3faf9a95c69a8ece4962801  x86_64/corporate/3.0/RPMS/squirrelmail-1.4.5-1.1.C30mdk.noarch.rpm
 20eb541402352ed58b6d9e0ffd051168  x86_64/corporate/3.0/RPMS/squirrelmail-poutils-1.4.5-1.1.C30mdk.noarch.rpm
 c03a4c37539bd9e5aee916946c196366  x86_64/corporate/3.0/SRPMS/squirrelmail-1.4.5-1.1.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDZ/g4mqjQ0CJFipgRAng8AJ9Td4JffO2QkmAn6ezcgnc9WiVZ4wCg3j+x
hCmXWaPsbKoPp8dPD45Aujw=
=ST/9
-----END PGP SIGNATURE-----


------------------------------

Message: 16
Date: Tue, 01 Nov 2005 16:21:48 -0700
From: Mandriva Security Team <security@...driva.com>
Subject: [Full-disclosure] MDKSA-2005:203 - Updated gda2.0 packages
	fix	string format vulnerability
To: full-disclosure@...ts.grok.org.uk
Message-ID: <E1EX5Rs-00036z-Hk@...cury.mandriva.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2005:203
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : gda2.0
 Date    : November 1, 2005
 Affected: 10.2, 2006.0, Corporate 3.0
 _______________________________________________________________________
 
 Problem Description:
 
 Steve Kemp discovered two format string vulnerabilities in libgda2, 
 the GNOME Data Access library for GNOME2, which may lead to the 
 execution of arbitrary code in programs that use this library.
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2958
 _______________________________________________________________________
 
 Updated Packages:
 
 Corporate 3.0:
 c2bee0812a3911016f32406c7e6b98c6  corporate/3.0/RPMS/gda2.0-1.0.3-3.2.C30mdk.i586.rpm
 1c60c3861756e5f2ebec25810d698319  corporate/3.0/RPMS/gda2.0-ldap-1.0.3-3.2.C30mdk.i586.rpm
 76329346f822881c283f1d80eccf0321  corporate/3.0/RPMS/gda2.0-mysql-1.0.3-3.2.C30mdk.i586.rpm
 9366a1dfd24862ba1c2e785c880f42b1  corporate/3.0/RPMS/gda2.0-odbc-1.0.3-3.2.C30mdk.i586.rpm
 d2eaf777cbc85fa050ea15d9483e8530  corporate/3.0/RPMS/gda2.0-postgres-1.0.3-3.2.C30mdk.i586.rpm
 efb6dcf8757552aca5a2afad5e214afa  corporate/3.0/RPMS/gda2.0-sqlite-1.0.3-3.2.C30mdk.i586.rpm
 d19b0dc56ecc6645735e5ba4df226ea5  corporate/3.0/RPMS/libgda2.0_1-1.0.3-3.2.C30mdk.i586.rpm
 04904635f832181f5f4bc13defbd2404  corporate/3.0/RPMS/libgda2.0_1-devel-1.0.3-3.2.C30mdk.i586.rpm
 4ded9fd88d06c155f3fadd5438855b49  corporate/3.0/SRPMS/gda2.0-1.0.3-3.2.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 6db35535deba7751a627682f1ba77ace  x86_64/corporate/3.0/RPMS/gda2.0-1.0.3-3.2.C30mdk.x86_64.rpm
 f3cc7763718da0f76c3c1e9131e1b9f5  x86_64/corporate/3.0/RPMS/gda2.0-ldap-1.0.3-3.2.C30mdk.x86_64.rpm
 7f01b17e60477e916f6a390b4e4b7222  x86_64/corporate/3.0/RPMS/gda2.0-mysql-1.0.3-3.2.C30mdk.x86_64.rpm
 3c93f0b8fe2f90ad54c505a813a3ea4f  x86_64/corporate/3.0/RPMS/gda2.0-odbc-1.0.3-3.2.C30mdk.x86_64.rpm
 527ff7ccbd2af3ea24ac3f572b050de3  x86_64/corporate/3.0/RPMS/gda2.0-postgres-1.0.3-3.2.C30mdk.x86_64.rpm
 cc2aead64a14a2fa99c34a572024adbe  x86_64/corporate/3.0/RPMS/gda2.0-sqlite-1.0.3-3.2.C30mdk.x86_64.rpm
 0eb6f8c613088bbcbb0205eec0e7374d  x86_64/corporate/3.0/RPMS/lib64gda2.0_1-1.0.3-3.2.C30mdk.x86_64.rpm
 c4c5b62e45e95c0142fc823e2db49b4c  x86_64/corporate/3.0/RPMS/lib64gda2.0_1-devel-1.0.3-3.2.C30mdk.x86_64.rpm
 4ded9fd88d06c155f3fadd5438855b49  x86_64/corporate/3.0/SRPMS/gda2.0-1.0.3-3.2.C30mdk.src.rpm

 Mandriva Linux 10.2:
 8581951dac7e2e51d0e583355f0c4fdf  10.2/RPMS/gda2.0-1.2.1-1.2.102mdk.i586.rpm
 6df29b76c68f2dac41511f0047844a6c  10.2/RPMS/gda2.0-bdb-1.2.1-1.2.102mdk.i586.rpm
 ab2a54b37f5d3a5903c13b5caf0884f1  10.2/RPMS/gda2.0-ldap-1.2.1-1.2.102mdk.i586.rpm
 a46e61c38f33d3590255b349371e5dd2  10.2/RPMS/gda2.0-mysql-1.2.1-1.2.102mdk.i586.rpm
 5f82b737ad1df0f5e367554a6af57d25  10.2/RPMS/gda2.0-odbc-1.2.1-1.2.102mdk.i586.rpm
 9c15f2853a50a9b8ce21c99b7c357d69  10.2/RPMS/gda2.0-postgres-1.2.1-1.2.102mdk.i586.rpm
 2a99984e0d3f0ed0bb77e1df0781a745  10.2/RPMS/gda2.0-sqlite-1.2.1-1.2.102mdk.i586.rpm
 ac79f03faefae3d12b25a692d84aa09c  10.2/RPMS/gda2.0-xbase-1.2.1-1.2.102mdk.i586.rpm
 c246c62a8b6a44bdf517fc13ab5a9629  10.2/RPMS/libgda2.0_3-1.2.1-1.2.102mdk.i586.rpm
 33244d3790d14e77cf83e297d105a0e5  10.2/RPMS/libgda2.0_3-devel-1.2.1-1.2.102mdk.i586.rpm
 2ae1d69e77d265b6a45701dede9187b6  10.2/SRPMS/gda2.0-1.2.1-1.2.102mdk.src.rpm

 Mandriva Linux 10.2/X86_64:
 a22c56a701d4b323cd58199bd330d358  x86_64/10.2/RPMS/gda2.0-1.2.1-1.2.102mdk.x86_64.rpm
 ab86e362890a87d588c6180df048d380  x86_64/10.2/RPMS/gda2.0-bdb-1.2.1-1.2.102mdk.x86_64.rpm
 e68a0231c0ed2d16c71330ab2ec0bc02  x86_64/10.2/RPMS/gda2.0-ldap-1.2.1-1.2.102mdk.x86_64.rpm
 561b6118c3f60507bd1d39a61ae1d1ef  x86_64/10.2/RPMS/gda2.0-mysql-1.2.1-1.2.102mdk.x86_64.rpm
 9c09bdaed784668cf9326aaa25fe045e  x86_64/10.2/RPMS/gda2.0-odbc-1.2.1-1.2.102mdk.x86_64.rpm
 9c05d405913600ab83af41a5c43012f1  x86_64/10.2/RPMS/gda2.0-postgres-1.2.1-1.2.102mdk.x86_64.rpm
 678405e55c25c6be5fd1bc7282918dab  x86_64/10.2/RPMS/gda2.0-sqlite-1.2.1-1.2.102mdk.x86_64.rpm
 dd2b4c22b66bfdd9e7d079fceb8052bc  x86_64/10.2/RPMS/gda2.0-xbase-1.2.1-1.2.102mdk.x86_64.rpm
 3ad48b3adeb00a9f9a3ea7a1c987b735  x86_64/10.2/RPMS/lib64gda2.0_3-1.2.1-1.2.102mdk.x86_64.rpm
 e4d9fb39922d57f56902b721b80d7c9f  x86_64/10.2/RPMS/lib64gda2.0_3-devel-1.2.1-1.2.102mdk.x86_64.rpm
 2ae1d69e77d265b6a45701dede9187b6  x86_64/10.2/SRPMS/gda2.0-1.2.1-1.2.102mdk.src.rpm

 Mandriva Linux 2006.0:
 291823a3cf2fbd1321fafd6d465b9fbc  2006.0/RPMS/gda2.0-1.2.2-2.2.20060mdk.i586.rpm
 f8c350c51a5847e02e391507f1052867  2006.0/RPMS/gda2.0-bdb-1.2.2-2.2.20060mdk.i586.rpm
 dd0126df1e10c2f127ebecc5e0a1c26c  2006.0/RPMS/gda2.0-ldap-1.2.2-2.2.20060mdk.i586.rpm
 47e6a607eaa3738b4d07adb619232eb1  2006.0/RPMS/gda2.0-mysql-1.2.2-2.2.20060mdk.i586.rpm
 4d1f9d08c55ed0a195ca001996f239e3  2006.0/RPMS/gda2.0-odbc-1.2.2-2.2.20060mdk.i586.rpm
 e9dc80d837f6932969c3601f03707c59  2006.0/RPMS/gda2.0-postgres-1.2.2-2.2.20060mdk.i586.rpm
 0ec62e103852325ee70769fe2eadb6c4  2006.0/RPMS/gda2.0-sqlite-1.2.2-2.2.20060mdk.i586.rpm
 a5d3d090e83d080ebf6a1c210aa113f1  2006.0/RPMS/gda2.0-xbase-1.2.2-2.2.20060mdk.i586.rpm
 a4a8ae72f7cd866183c2e8a4a2e16bd3  2006.0/RPMS/libgda2.0_3-1.2.2-2.2.20060mdk.i586.rpm
 2b4c20ea0a38bf22c5aa31da3cd8884f  2006.0/RPMS/libgda2.0_3-devel-1.2.2-2.2.20060mdk.i586.rpm
 16c1de82d2b1996adeb4577b1ff9cdcd  2006.0/SRPMS/gda2.0-1.2.2-2.2.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 36a04443e670524ae0c4d93bf0752e9f  x86_64/2006.0/RPMS/gda2.0-1.2.2-2.2.20060mdk.x86_64.rpm
 d2fecb3c702f5c764c6a67c85e36e448  x86_64/2006.0/RPMS/gda2.0-bdb-1.2.2-2.2.20060mdk.x86_64.rpm
 44171de894c358c5bd3d4301b488170e  x86_64/2006.0/RPMS/gda2.0-ldap-1.2.2-2.2.20060mdk.x86_64.rpm
 863aacd7318479757dc2d2e1ed238418  x86_64/2006.0/RPMS/gda2.0-mysql-1.2.2-2.2.20060mdk.x86_64.rpm
 a82c2fceef36372b1fc17086b6237293  x86_64/2006.0/RPMS/gda2.0-odbc-1.2.2-2.2.20060mdk.x86_64.rpm
 067f1f9a633b3e2dbe8ca08591d48642  x86_64/2006.0/RPMS/gda2.0-postgres-1.2.2-2.2.20060mdk.x86_64.rpm
 4b257c7716b6eefcfb0fec95732975a0  x86_64/2006.0/RPMS/gda2.0-sqlite-1.2.2-2.2.20060mdk.x86_64.rpm
 9fef9fad9b8d98708c30c87b4bfdbece  x86_64/2006.0/RPMS/gda2.0-xbase-1.2.2-2.2.20060mdk.x86_64.rpm
 84787803035a7d1ee2bb7b12775ea9f0  x86_64/2006.0/RPMS/lib64gda2.0_3-1.2.2-2.2.20060mdk.x86_64.rpm
 3037e49d4a6f17e6b752fcff37f05986  x86_64/2006.0/RPMS/lib64gda2.0_3-devel-1.2.2-2.2.20060mdk.x86_64.rpm
 16c1de82d2b1996adeb4577b1ff9cdcd  x86_64/2006.0/SRPMS/gda2.0-1.2.2-2.2.20060mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDZ/iMmqjQ0CJFipgRAsECAJ9a/c0Go4Yy9/+4hY/DWo72IrpRSgCgnX3g
zDqRFrxHNRzw/J1onPK4fc0=
=NhHM
-----END PGP SIGNATURE-----


------------------------------

Message: 17
Date: Tue, 01 Nov 2005 16:23:10 -0700
From: Mandriva Security Team <security@...driva.com>
Subject: [Full-disclosure] MDKSA-2005:204 - Updated wget packages fix
	vulnerability
To: full-disclosure@...ts.grok.org.uk
Message-ID: <E1EX5TC-0003Bg-GO@...cury.mandriva.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2005:204
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : wget
 Date    : November 1, 2005
 Affected: 10.1, 10.2, Corporate 3.0, Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 Hugo Vazquez Carames discovered a race condition when writing output
 files in wget.  After wget determined the output file name, but before
 the file was actually opened, a local attacker with write permissions
 to the download directory could create a symbolic link with the name
 of the output file.  This could be exploited to overwrite arbitrary
 files with the permissions of the user invoking wget.  The time window
 of opportunity for the attacker is determined solely by the delay of
 the first received data packet.
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2014
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 10.1:
 28b67f788c7ed5f28ca7e752b15a9eb8  10.1/RPMS/wget-1.9.1-4.3.101mdk.i586.rpm
 b0b856e5eeb63f608476877942f6a216  10.1/SRPMS/wget-1.9.1-4.3.101mdk.src.rpm

 Mandriva Linux 10.1/X86_64:
 d2fc09595e4bf4267c7cc7d9d5def8ee  x86_64/10.1/RPMS/wget-1.9.1-4.3.101mdk.x86_64.rpm
 b0b856e5eeb63f608476877942f6a216  x86_64/10.1/SRPMS/wget-1.9.1-4.3.101mdk.src.rpm

 Corporate 3.0:
 91f8d363d41afb43943f3f5569e2e83c  corporate/3.0/RPMS/wget-1.9.1-4.3.C30mdk.i586.rpm
 8ce78a19c89331fdb7527e6a4674376c  corporate/3.0/SRPMS/wget-1.9.1-4.3.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 e3796c54a067d9ef54d08f779fe3ec9d  x86_64/corporate/3.0/RPMS/wget-1.9.1-4.3.C30mdk.x86_64.rpm
 8ce78a19c89331fdb7527e6a4674376c  x86_64/corporate/3.0/SRPMS/wget-1.9.1-4.3.C30mdk.src.rpm

 Multi Network Firewall 2.0:
 f834aa6b814014c20b6d97fd7a893ea6  mnf/2.0/RPMS/wget-1.9.1-4.3.M20mdk.i586.rpm
 00f1b8920df39e3f4fc35eea07879168  mnf/2.0/SRPMS/wget-1.9.1-4.3.M20mdk.src.rpm

 Mandriva Linux 10.2:
 36dfb01a50fcdec20d379001f2054ba4  10.2/RPMS/wget-1.9.1-5.2.102mdk.i586.rpm
 82584cb410bcb5104f44d3429675e7e5  10.2/SRPMS/wget-1.9.1-5.2.102mdk.src.rpm

 Mandriva Linux 10.2/X86_64:
 36dfb01a50fcdec20d379001f2054ba4  x86_64/10.2/RPMS/wget-1.9.1-5.2.102mdk.i586.rpm
 82584cb410bcb5104f44d3429675e7e5  x86_64/10.2/SRPMS/wget-1.9.1-5.2.102mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDZ/jemqjQ0CJFipgRAjGJAKDtkgHO1ZWuWus4X5CPffEGbA0FxgCcDaXT
yJo8rb9mFDl/0yBiIKUdigo=
=y4/v
-----END PGP SIGNATURE-----


------------------------------

Message: 18
Date: Tue, 1 Nov 2005 18:05:07 -0600
From: str0ke <str0ke@...w0rm.com>
Subject: Re: [Full-disclosure] New Online RainbowCrack Engine
To: MR BABS <mrbabs@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Message-ID:
	<814b9d50511011605u41cda7e3i46e0c47290eacffe@...l.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Is your webserver a 9-5 service or is it just down for other reasons?

/str0ke

On 11/1/05, MR BABS <mrbabs@...il.com> wrote:
> Hey guys,
>
>     Just finished everything up on RainbowCrack-Online, wasn't sure if
> anyone would be interested, there's a membership fee, as servers, generation
> and cracking machines are expensive, you guys know the score.
>
> Really nice collection of tables, you can take a look-see at
> www.rainbowcrack-online.com.
> Current sets include:
> LanManager-All (all printable chars) 1-14 (the tables are 1-7, but view the
> specs on LM hashing for more info)
>
> NTLM MixAlpha Numeric 1-7
> NTLM LowerAlpha Numeric 1-8
>
> MD5 Alpha Numeric Symbol32 Space 1-7
> MD5 LowerAlpha Numeric Symbol32 Space 1-7
> MD5 LowerAlpha Numeric 1-8
> MD5 MixAlpha Numeric 1-7
>
> SHA1 MixAlpha Numeric 1-7
>
> MySQL 323 MixAlpha Numeric 1-7
>
> CiscoPIX MixAlpha Numeric 1-7
>
> We're almost done generation of MD4, and MySQL SHA1 tables.
>
>
> Should have some articles in Information soon, basically information on what
> to do to leverage knowing hashes. (And how to get the hashes in the first
> place.)
>
>
> For you pen tester fellows, we will be offering the tables for sale to you
> guys, as well as registered businesses, prices should be up later.
>
> -Regards,
>
> Travis
> </spam>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>


------------------------------

Message: 19
Date: Wed, 2 Nov 2005 00:29:26 -0500 (EST)
From: "Steven M. Christey" <coley@...re.org>
Subject: [Full-disclosure] On Interpretation Conflict Vulnerabilities
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Message-ID: <200511020529.jA25TQJd018891@...us.mitre.org>


In a post "SEC-CONSULT-SA-20051021-0: Yahoo/MSIE XSS", Bernhard
Mueller said:

>SEC-Consult believes that input-validation thru blacklists can just be
>a temporary solution to problems like this. From our point of view
>there are many other applications vulnerable to this special type of
>problem where vulnerabilities of clients and servers can be combined.
>
>...
>
>  Excerpt from HTML-mails:
>
>  ========================================================================
>  SCRIPT-TAG:
>  --cut here---
>  <h1>hello</h1><s[META-Char]cript>alert("i have you
>  now")</s[META-Char]cript></br>rrrrrrxxxxx<br>
>  ---cut here---
>
>...
>
>Recommended hotfixes for webmail-users
>---------------
>
>Do not use MS Internet-Explorer.


This falls under a class of vulnerabilities that I refer to as either
"interpretation conflicts" or "multiple interpretation errors"
depending on what time it is, though I'm leaning toward interpretation
conflicts.

These types of problems frequently occur with products that serve as
intermediaries, proxies, or monitors between other entities - such as
antivirus products, web proxies, sniffers, IDSes, etc.

They are a special type of interaction error in which one product (in
this case, Yahoo email) performs reasonable actions but does not
properly model all behaviors of another product that it's interacting
with (in this case, Internet Explorer ignoring unusual characters
right in the middle of HTML tags).  The intermediary/proxy/monitor
then becomes a conduit for exploitation due to the end product's
unexpected behavior.

Some examples:

  - Ptacek/Newsham's famous IDS evasion paper used interpretation
    conflicts to prevent IDSes from properly reconstructing network
    traffic as it would be processed by end systems.

  - Many of the Anti-Virus evasion techniques you see these days
    involve interpretation conflicts - e.g. the magic byte problem,
    multiple conent-type headers, and so on

  - The recent problem with phpBB and others, because they did not
    account for how Internet Explorer renders HTML in corrupted .GIF
    images, is another example of an interpretation conflict.

  - Many unusual XSS manipulations are due to interpretation conflicts
    in which one web browser supports a non-standard feature that
    others do not.  Netscape had an unusual construct - something like
    "&{abc}" - that even a whitelist might not catch.

In my opinion, the "responsibility" for avoiding interpretation
conflicts falls with:

  - the intermediaries/proxies/monitors if the problem involves an
    incomplete model of *normal*, reasonable, and/or standards
    compliant behavior

  - the end products, if the end product behavior does not conform
    with established standards

  - the standards or protocols, if they are defined in ways that are
    too vague or flexible

However, if the end products already exhibit unexpected behaviors, the
reality is that intermediaries are forced into anticipating all
possible interpretation conflicts, and blamed if they do not.


Mueller also said:

>  Do not use blacklists on tags and attributes. Whitelist
>  special/meta-characters.

Whitelists, while better than blacklists, can still be too permissive.
This is especially the case with interpretation conflicts.


As I've suggested previously, Jon Postel's wisdom "Be liberal in what
you accept, and conservative in what you send" has been a boon to the
growth of networking, but blind adherence to this wisdom is a
dangerous enabler of subtle vulnerabilities that will prevent us from
ever having full control over the data that crosses our networks.

- Steve


------------------------------

Message: 20
Date: Wed, 2 Nov 2005 13:40:59 +0800
From: "Native.Code" <native.code@...il.com>
Subject: Re: [Full-disclosure] how to describe this tool ?
To: news-letters <news-letters@...ewin.ch>
Cc: full-disclosure@...ts.grok.org.uk
Message-ID:
	<8dc64e550511012140j1ca7caf3q30906c526e0e48c3@...l.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Depends the use you put it on. I will call it auditing tool.


 On 11/2/05, news-letters <news-letters@...ewin.ch> wrote:
>
> Hi list,
>
> I have a perl script I'd like to release(GPL), but I don't really know
> how to describe it.
>
> To make it short here's a session on one (remote)machine.(but it's
> intended to be run on ip ranges with mostly windows hosts).
>
> <sample>
> Starting script.pl ...
>
> searching hosts in 192.168.0.100 <http://192.168.0.100> ...
>
> found 192.168.0.100 <http://192.168.0.100> : BRAIN
>
>
> starting information gathering on BRAIN
>
> getting OS version ...
> TCP port scanning ...
> UDP port scanning ...
> Getting process list ...
> Getting services list ...
> Getting drive list ...
> Getting share list ...
> Getting installed applications list ...
>
> Creating naudit_report_192.168.0.100.html ... (printable)
> Creating report for 192.168.0.100 <http://192.168.0.100> ... (browsable)
>
> done. Completed in 8.004 seconds
> </sample>
>
> and attached is a sample (printable)report.
>
> Is this an :
>
> enumeration tool ?
> auditting tool ?
>
> Any idea ?
>
> Have a nice day.
>
> Simon
>
>
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051102/9a4fc467/attachment.html

------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

End of Full-Disclosure Digest, Vol 9, Issue 3
*********************************************

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ