Open Source and information security mailing list archives
Date: Thu Jan  5 12:21:12 2006
From: infosecbofh at gmail.com (InfoSecBOFH)
Subject: RE: Full-Disclosure Digest, Vol 11, Issue 5

Bad internet connection and no clue when hitting reply.  Good job.  I
know I am impressed with all the certifications.. are you impressed
Biljana?  You should be.. I mean come on... the CISSP is SOOO HARD to
get....

ROFL...



On 1/5/06, Horatiu Bandoiu <horatiu@...vision.ro> wrote:
> Dear Biljana,
>
> Just a brief answer as I have a bad Internet connection till Monday.
> You can count on the 2 CISSPs we have for the moment (this year I will have 3
> or 4 CISSPs in my team): Stefan Catrinescu and Ionut Boldizsar. Stefan
> still has to finalize the documentation for getting the certification
> (endorsement, stuff like this) but he has passed the exam and Ionut is
> OK with all. If needed, I can involve several more certified people (as
> we are organizing the exams, I have full access to the list). I hope it
> helps.
>
> Kind regards,
>
> Horatiu
>
> --|------|||||-------|||--|----|||||--||-------|||||--||---
> We PROtect your business VISION!
> -------------------------------------
> Horatiu BANDOIU
> Business Unit Manager
> Provision - information Security Expert Center (iSEC)
> Tel: 0040 21 321 37 49
> Fax: 0040 21 323 65 70
> e-mail: horatiu@...vision.ro
> http://www.provision.ro
>
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of
> full-disclosure-request@...ts.grok.org.uk
> Sent: Tuesday, January 03, 2006 2:00 PM
> To: full-disclosure@...ts.grok.org.uk
> Subject: Full-Disclosure Digest, Vol 11, Issue 5
>
> Send Full-Disclosure mailing list submissions to
>        full-disclosure@...ts.grok.org.uk
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://lists.grok.org.uk/mailman/listinfo/full-disclosure
> or, via email, send a message with subject or body 'help' to
>        full-disclosure-request@...ts.grok.org.uk
>
> You can reach the person managing the list at
>        full-disclosure-owner@...ts.grok.org.uk
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Full-Disclosure digest..."
>
>
> Note to digest recipients - when replying to digest posts, please trim
> your post appropriately. Thank you.
>
>
> Today's Topics:
>
>   1. Re: Buffer Overflow vulnerability in Windows Display Manager
>      [Suspected] (ad@...poverflow.com)
>   2. Re: Win32 Heap Exploits (Nicolas RUFF)
>   3. Re: Buffer Overflow vulnerability in Windows Display Manager
>      [Suspected] (InfoSecBOFH)
>   4. Re: Buffer Overflow vulnerability in Windows Display Manager
>      [Suspected] (InfoSecBOFH)
>   5. Re: WMF round-up, updates and de-mystification (InfoSecBOFH)
>   6. Re: WMF round-up, updates and de-mystification (InfoSecBOFH)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 03 Jan 2006 11:12:08 +0100
> From: "ad@...poverflow.com" <ad@...poverflow.com>
> Subject: Re: [Full-disclosure] Buffer Overflow vulnerability in
>        Windows Display Manager [Suspected]
> To: Sumit Siddharth <sumit.siddharth@...il.com>,
>        full-disclosure@...ts.grok.org.uk
> Message-ID: <43BA4DF8.20907@...poverflow.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I haven't got such a driver here; it should be a third-party driver security
> bug, probably within "Controller Hub for Intel Graphics Driver".
>
> http://www.dynamiclink.nl/htmfiles/rframes/sys-i01.htm
>
>
>
> Sumit Siddharth wrote:
> > I think the problem is with the Intel driver and particularly with the
> > file ialmnt5.sys.
> > Hope it helps
> > Sumit
> >
> >
> >
> > On 1/3/06, *Sumit Siddharth* <sumit.siddharth@...il.com
> > <mailto:sumit.siddharth@...il.com>> wrote:
> >
> >     Dear All,
> >     Sorry for the delayed response.
> >     I had success in exploiting it remotely by a simple javascript
> >     <script>window.open("http://aa...");</script>. But I think it
> >     doesn't work with some drivers. I am using XP Professional SP2
> >     and Firefox 1.0.6. I am using a string of about 53,000 chars to
> >     overflow the buffer.
> >     Thanks
> >     Sumit
> >
> >
> >
> >
> > --
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (MingW32)
>
> iQIVAwUBQ7pN+K+LRXunxpxfAQKBqA//YxoeFIr1rkaCixpPr34+KpDiUAKN7xss
> M6ZH3ZmpqZ03yLajS8XBWIyv5uTXDuLhUQrrObvak4n6mQ+7g6YffEYQBNyIcsEm
> Gxyd8uDmkwX9MeAslByvrqobj/6i4oC4sj5Lq9Ui/JCqsw5KNaBP8ZAym48HiMFM
> bI3kqvSGVm++bavWrK8+FunnVHCSDezFL64Jxh6MAVU2MNR+Z2qufC+aQtIpGw7s
> nyWisynx6csTp9US5qmeuVdrcwk9DeACzX+z5eAEaevLRcl7ElcpcMht21U5scMd
> FTLTtN9Ao4hewQrOe05BAo3AwNmzpt3Kgay3DLtN/n7a9LqPifw9FKp5EtdYLKyM
> R16AwG5PaYQXrnsY0Udwz4yAYucEYjEOSyslVf4VILyzFWdKfAgXApbbr4W2nKXx
> VQ0BBWbOYnAuAPJYk85WpAZfbFX98tglGTGT/0XRO3Buyk5T50AC4VqxlF17w7+8
> T6bO74xpZNi5t5fzFTqt5kZZZ6IXfSonu/SVA/tfiOJwIExo7zEUwu4vsYoMtxaR
> HqFlMQyuJhp0aTjaggrFaYQ8XR7tnZherteAYdaw0k3mUPCWfXR3xz26daOpUDKu
> ewsDbuq+cglVD5qym246WVYSyiPLKKBXvWPLbuoG5ngqmyQiKydIQ9UMMdJvHh5c
> 7DtDjiHOH8s=
> =VEy3
> -----END PGP SIGNATURE-----
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 03 Jan 2006 11:42:21 +0100
> From: Nicolas RUFF <nicolas.ruff@...il.com>
> Subject: Re: [Full-disclosure] Win32 Heap Exploits
> To: Stefan Lochbihler <steve01@...llo.at>
> Cc: full-disclosure@...ts.grok.org.uk
> Message-ID: <43BA550D.2090509@...il.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> > But if I execute the server without OllyDbg, nothing happens.
> > Does anybody have an idea what I am doing wrong? Tested on a WinXP SP1 system.
>
> As pointed out multiple times, Windows heap is not the same whether the
> program is flagged as "being debugged" or not.
>
> You should always *attach* the debugger to the process and not run the
> process from within the debugger.
>
> Regards,
> - Nicolas RUFF
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 3 Jan 2006 03:32:29 -0800
> From: InfoSecBOFH <infosecbofh@...il.com>
> Subject: Re: [Full-disclosure] Buffer Overflow vulnerability in
>        Windows Display Manager [Suspected]
> To: Sumit Siddharth <sumit.siddharth@...il.com>
> Cc: full-disclosure@...ts.grok.org.uk
> Message-ID:
>        <2be58a30601030332t59b2ae5fj5ff97afc45580a9b@...l.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I have only replicated this with the Intel driver.  I have tried others
> and no dice.
>
> On 1/3/06, Sumit Siddharth <sumit.siddharth@...il.com> wrote:
> > I think the problem is with the Intel driver and particularly with the
> > file ialmnt5.sys.
> > Hope it helps
> > Sumit
> >
> >
> >
> >
> > On 1/3/06, Sumit Siddharth <sumit.siddharth@...il.com > wrote:
> > > Dear All,
> > > Sorry for the delayed response.
> > > I had success in exploiting it remotely by a simple javascript
> > > <script>window.open("http://aa...");</script>. But I think it doesn't
> > > work with some drivers. I am using XP Professional SP2 and Firefox 1.0.6.
> > > I am using a string of about 53,000 chars to overflow the buffer.
> > > Thanks
> > > Sumit
> > >
> > >
> >
> >
> >
> > --
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter:
> > http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 3 Jan 2006 03:33:21 -0800
> From: InfoSecBOFH <infosecbofh@...il.com>
> Subject: Re: [Full-disclosure] Buffer Overflow vulnerability in
>        Windows Display Manager [Suspected]
> To: Full-Disclosure <full-disclosure@...ts.grok.org.uk>
> Message-ID:
>        <2be58a30601030333x3d7c4fc7v24fa1632f7be1626@...l.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> oh.. and by the way... only works with the Intel driver (and only a
> couple of different versions) and is not exploitable... this is a DoS and
> nothing more.
>
> On 1/3/06, InfoSecBOFH <infosecbofh@...il.com> wrote:
> > I have only replicated this with the Intel driver.  I have tried others
> > and no dice.
> >
> > On 1/3/06, Sumit Siddharth <sumit.siddharth@...il.com> wrote:
> > > I think the problem is with the Intel driver and particularly with the
> > > file ialmnt5.sys.
> > > Hope it helps
> > > Sumit
> > >
> > >
> > >
> > >
> > > On 1/3/06, Sumit Siddharth <sumit.siddharth@...il.com > wrote:
> > > > Dear All,
> > > > Sorry for the delayed response.
> > > > I had success in exploiting it remotely by a simple javascript
> > > > <script>window.open("http://aa...");</script>. But I think it
> > > > doesn't work with some drivers. I am using XP Professional SP2 and
> > > > Firefox 1.0.6. I am using a string of about 53,000 chars to overflow
> > > > the buffer.
> > > > Thanks
> > > > Sumit
> > > >
> > > >
> > >
> > >
> > >
> > > --
> > >
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter:
> > > http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> > >
> >
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 3 Jan 2006 03:34:46 -0800
> From: InfoSecBOFH <infosecbofh@...il.com>
> Subject: Re: [Full-disclosure] WMF round-up, updates and
>        de-mystification
> To: Gadi Evron <ge@...uxbox.org>
> Cc: "FunSec \[List\]" <funsec@...uxbox.org>,
>        "full-disclosure@...ts.grok.org.uk"
>        <full-disclosure@...ts.grok.org.uk>,
> bugtraq@...urityfocus.com
> Message-ID: <2be58a30601030334r37d3dam19df4ee9fbaf9f07@...l.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> So this patch is trusted because you said so?
>
> I have tested and confirmed that this patch only works in specific
> scenarios and does not mitigate the entire issue.  Variations still
> work.
>
> On 1/3/06, Gadi Evron <ge@...uxbox.org> wrote:
> > Quite a bit of confusion and a vast amount of information coming from
> > all directions about the WMF 0day. Here are some URLs and generic facts
> > to set us straight.
> >
> > The "patch" by Ilfak Guilfanov works, but by disabling a DLL in Windows.
> > So far no problems have been observed by anyone using this patch. You
> > should naturally check it out for yourselves but I and many others
> > recommend it until Microsoft bothers to show up with their own patch.
> >
> > Ilfak is trusted and is in no way a Bad Guy.
> >
> > You can find more information about it at his blog:
> > http://www.hexblog.com/2005/12/wmf_vuln.html
> >
> > If you are still not sure about the patch by Ilfak, check out the
> > discussion of it going on in the funsec list about the patch, with Ilfak
> > participating:
> > https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> > Occasional information on new WMF problems keeps coming in over there.
> >
> > In this URL you can find the best summary I have seen of the WMF issue:
> > http://isc.sans.org/diary.php?storyid=994
> > by the "SANS ISC diary" team.
> >
> > In this URL you can find the best write-up I have seen on the WMF issue:
> > http://blogs.securiteam.com/index.php/archives/167
> > By Matthew Murphy at the "Securiteam Blogs".
> >
> > Also, it should be noted at this time that since the first public
> > discovery of this "problem", a new one has been coming in - every day.
> > All the ones seen so far are variants of the original and in all ways
> > the SAME problem. So, it would be best to acknowledge them as the
> > same... or we will keep having a NEW 0day which really isn't for about 2
> > months when all these few dozen variations are exhausted.
> >
> > A small BUT IMPORTANT correction for future generations:
> > The 0day was originally found and reported by Hubbard Dan from Websense
> > on a closed vetted security mailing list, and later on at the Websense
> > public page. All those who took credit for it took it wrongly.
> >
> > Thanks, and a better new year to us all,
> >
> >        Gadi.
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 3 Jan 2006 03:37:09 -0800
> From: InfoSecBOFH <infosecbofh@...il.com>
> Subject: Re: [Full-disclosure] WMF round-up, updates and
>        de-mystification
> To: Gadi Evron <ge@...uxbox.org>
> Cc: "FunSec \[List\]" <funsec@...uxbox.org>,
>        "full-disclosure@...ts.grok.org.uk"
>        <full-disclosure@...ts.grok.org.uk>,
> bugtraq@...urityfocus.com
> Message-ID:
>        <2be58a30601030337i2cba5f87i6b56e4799d897d5f@...l.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 1/3/06, Gadi Evron <ge@...uxbox.org> wrote:
>
> > A small BUT IMPORTANT correction for future generations:
> > The 0day was originally found and reported by Hubbard Dan from Websense
> > on a closed vetted security mailing list, and later on at the Websense
> > public page. All those who took credit for it took it wrongly.
>
> Yes, important if you are a marketing guy or if your mouth is planted
> firmly on the websense dick.
>
> I am sure most of us are part of other and even private mailing lists.
> So the credit for discovery should go to whomever first PUBLICLY
> disclosed the vuln.  I have no idea who that was but thanks to a
> certain few I saw this vuln in early December.
>
>
> ------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> End of Full-Disclosure Digest, Vol 11, Issue 5
> **********************************************
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
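Added example, not code posted by anyone in this thread: the point Nicolas RUFF makes in message 2 of the quoted digest (the Windows heap is a different heap when the process is created under a debugger, so attach to the running process instead of launching it from OllyDbg) can be verified from inside the target. ntdll enables the NT debug heap when a debugger creates the process: NtGlobalFlag gets the heap tail-check, free-check and validate-parameters bits, and the process heap header shows the matching bits in its Flags/ForceFlags. The decision functions below are plain C and build anywhere; only the Windows-guarded reader touches the TEB/PEB. The offsets used there are the 32-bit ones for XP (TEB+0x30 PEB, PEB+0x18 ProcessHeap, PEB+0x68 NtGlobalFlag, _HEAP.Flags/ForceFlags at 0x0C/0x10) and are an assumption about the target, as are the sample values used when the code runs off Windows.

```c
/*
 * Added example (not code from the thread): detect the NT debug heap from
 * inside a Win32 process. A heap exploit tuned while the server was started
 * from OllyDbg sees a different chunk layout, fill patterns and validation
 * than the same server started normally; this check tells you which heap
 * you are looking at.
 *
 * Decision logic is portable C. read_live_values() is 32-bit Windows only;
 * its offsets are the XP x86 ones and are an assumption for your target
 * (Vista and later keep _HEAP.Flags/ForceFlags at 0x40/0x44 instead).
 */
#include <stdio.h>
#include <stdint.h>

#if defined(_WIN32) && !defined(_WIN64)
#include <windows.h>
#endif

/* NtGlobalFlag bits that enable the debug heap (the FLG_* values gflags uses). */
#define GFLAG_HEAP_TAIL_CHECK       0x00000010u
#define GFLAG_HEAP_FREE_CHECK       0x00000020u
#define GFLAG_HEAP_VALIDATE_PARAMS  0x00000040u
#define GFLAG_DEBUG_HEAP_MASK \
    (GFLAG_HEAP_TAIL_CHECK | GFLAG_HEAP_FREE_CHECK | GFLAG_HEAP_VALIDATE_PARAMS)

/* The matching bits as they appear in _HEAP.Flags / _HEAP.ForceFlags. */
#define NTHEAP_TAIL_CHECKING        0x00000020u
#define NTHEAP_FREE_CHECKING        0x00000040u
#define NTHEAP_VALIDATE_PARAMETERS  0x40000000u
#define NTHEAP_DEBUG_MASK \
    (NTHEAP_TAIL_CHECKING | NTHEAP_FREE_CHECKING | NTHEAP_VALIDATE_PARAMETERS)

/* 1 if NtGlobalFlag carries any debug-heap bit (0x70 is the usual value for
 * a process started from a debugger, 0 for one started normally). */
int ntglobalflag_debug_heap(uint32_t nt_global_flag)
{
    return (nt_global_flag & GFLAG_DEBUG_HEAP_MASK) != 0;
}

/* 1 if the process heap header is a debug heap. A normally started x86
 * process shows Flags == 0x02 (HEAP_GROWABLE) and ForceFlags == 0; one
 * created under a debugger typically shows 0x50000062 / 0x40000060. */
int heap_header_debug_heap(uint32_t flags, uint32_t force_flags)
{
    return ((flags | force_flags) & NTHEAP_DEBUG_MASK) != 0;
}

/* Either indicator means the heap layout is not what the victim will have. */
int debug_heap_active(uint32_t nt_global_flag, uint32_t flags, uint32_t force_flags)
{
    return ntglobalflag_debug_heap(nt_global_flag) ||
           heap_header_debug_heap(flags, force_flags);
}

#if defined(_WIN32) && !defined(_WIN64)
/* Read the live values on 32-bit Windows through the TEB and PEB. */
static void read_live_values(uint32_t *gflag, uint32_t *flags, uint32_t *force)
{
    uint8_t *teb  = (uint8_t *)NtCurrentTeb();
    uint8_t *peb  = *(uint8_t **)(teb + 0x30);   /* TEB.ProcessEnvironmentBlock */
    uint8_t *heap = *(uint8_t **)(peb + 0x18);   /* PEB.ProcessHeap */
    *gflag = *(uint32_t *)(peb + 0x68);          /* PEB.NtGlobalFlag */
    *flags = *(uint32_t *)(heap + 0x0C);         /* _HEAP.Flags (XP; 0x40 on Vista+) */
    *force = *(uint32_t *)(heap + 0x10);         /* _HEAP.ForceFlags (XP; 0x44 on Vista+) */
}
#endif

int main(void)
{
    uint32_t gflag, flags, force;
#if defined(_WIN32) && !defined(_WIN64)
    read_live_values(&gflag, &flags, &force);
#else
    /* Constructed sample values: what a 32-bit process launched from inside
     * OllyDbg typically shows, so the example also runs off Windows. */
    gflag = 0x70u; flags = 0x50000062u; force = 0x40000060u;
#endif
    printf("NtGlobalFlag=0x%08lx Heap.Flags=0x%08lx Heap.ForceFlags=0x%08lx -> %s\n",
           (unsigned long)gflag, (unsigned long)flags, (unsigned long)force,
           debug_heap_active(gflag, flags, force)
               ? "debug heap: attach to the running process instead of launching it"
               : "normal heap");
    return 0;
}
```

Drop a call to debug_heap_active() into the test harness of the service being exploited, or into the first lines of a proof-of-concept, and have it refuse to run when the result is nonzero; that catches the "works in the debugger, does nothing outside it" situation described above before time is spent on it. Attaching, as Ruff recommends, leaves the process on the normal heap on every Windows version; on later versions the loader also honours the `_NO_DEBUG_HEAP=1` environment variable (and WinDbg's `-hd` switch) so that a process launched from the debugger does not get the debug heap either.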
