Date: Thu Jan  5 12:03:06 2006
From: horatiu at provision.ro (Horatiu Bandoiu)
Subject: RE: Full-Disclosure Digest, Vol 11, Issue 5

Dear Biljana,

Just a brief answer as I have a bad Internet connection till Monday.
You can count on the 2 CISSPs we have for the moment (this year I will have 3
or 4 CISSPs in my team): Stefan Catrinescu and Ionut Boldizsar. Stefan
still has to finalize the documentation for getting the certification
(endorsement, stuff like this), but he has passed the exam, and Ionut is
OK with all. If needed, I can involve several more certified people (as
we are organizing the exams, I have full access to the list). I hope it
helps.

Kind regards,

Horatiu

--|------|||||-------|||--|----|||||--||-------|||||--||---
We PROtect your business VISION!
-------------------------------------
Horatiu BANDOIU
Business Unit Manager
Provision - information Security Expert Center (iSEC)
Tel: 0040 21 321 37 49
Fax: 0040 21 323 65 70
e-mail: horatiu@...vision.ro
http://www.provision.ro

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of
full-disclosure-request@...ts.grok.org.uk
Sent: Tuesday, January 03, 2006 2:00 PM
To: full-disclosure@...ts.grok.org.uk
Subject: Full-Disclosure Digest, Vol 11, Issue 5



Today's Topics:

   1. Re: Buffer Overflow vulnerability in Windows Display Manager
      [Suspected] (ad@...poverflow.com)
   2. Re: Win32 Heap Exploits (Nicolas RUFF)
   3. Re: Buffer Overflow vulnerability in Windows Display Manager
      [Suspected] (InfoSecBOFH)
   4. Re: Buffer Overflow vulnerability in Windows Display Manager
      [Suspected] (InfoSecBOFH)
   5. Re: WMF round-up, updates and de-mystification (InfoSecBOFH)
   6. Re: WMF round-up, updates and de-mystification (InfoSecBOFH)


----------------------------------------------------------------------

Message: 1
Date: Tue, 03 Jan 2006 11:12:08 +0100
From: "ad@...poverflow.com" <ad@...poverflow.com>
Subject: Re: [Full-disclosure] Buffer Overflow vulnerability in
	Windows Display Manager [Suspected]
To: Sumit Siddharth <sumit.siddharth@...il.com>,
	full-disclosure@...ts.grok.org.uk
Message-ID: <43BA4DF8.20907@...poverflow.com>
Content-Type: text/plain; charset=ISO-8859-1

 
I don't have such a driver here; it should be a third-party driver security
bug, probably within "Controller Hub for Intel Graphics Driver".

http://www.dynamiclink.nl/htmfiles/rframes/sys-i01.htm



Sumit Siddharth wrote:
> I think the problem is with the Intel driver and particularly with the
> file ialmnt5.sys.
> Hope it helps,
> Sumit
>
> On 1/3/06, *Sumit Siddharth* <sumit.siddharth@...il.com
> <mailto:sumit.siddharth@...il.com>> wrote:
>
>     Dear All,
>     Sorry for the delayed response.
>     I had success in exploiting it remotely by a simple JavaScript
>     <script>window.open("http://aa...");</script>. But I think it
>     doesn't work with some drivers. I am using XP Professional SP2
>     and Firefox 1.0.6. I am using a string of about 53,000 chars to
>     overflow the buffer.
>     Thanks,
>     Sumit

------------------------------

Message: 2
Date: Tue, 03 Jan 2006 11:42:21 +0100
From: Nicolas RUFF <nicolas.ruff@...il.com>
Subject: Re: [Full-disclosure] Win32 Heap Exploits
To: Stefan Lochbihler <steve01@...llo.at>
Cc: full-disclosure@...ts.grok.org.uk
Message-ID: <43BA550D.2090509@...il.com>
Content-Type: text/plain; charset=ISO-8859-1

> But if I execute the server without OllyDbg, nothing happens.
> Does anybody have an idea what I am doing wrong? Tested on a WinXP SP1 system.

As pointed out multiple times, Windows heap is not the same whether the
program is flagged as "being debugged" or not.

You should always *attach* the debugger to the process and not run the
process from within the debugger.

Regards,
- Nicolas RUFF


------------------------------

Message: 3
Date: Tue, 3 Jan 2006 03:32:29 -0800
From: InfoSecBOFH <infosecbofh@...il.com>
Subject: Re: [Full-disclosure] Buffer Overflow vulnerability in
	Windows Display Manager [Suspected]
To: Sumit Siddharth <sumit.siddharth@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Message-ID:
	<2be58a30601030332t59b2ae5fj5ff97afc45580a9b@...l.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

I have only replicated this with the Intel driver. I have tried others
and no dice.

On 1/3/06, Sumit Siddharth <sumit.siddharth@...il.com> wrote:
> I think the problem is with the Intel driver and particularly with the
> file ialmnt5.sys.
> Hope it helps,
> Sumit
>
> On 1/3/06, Sumit Siddharth <sumit.siddharth@...il.com > wrote:
> > Dear All,
> > Sorry for the delayed response.
> > I had success in exploiting it remotely by a simple JavaScript
> > <script>window.open("http://aa...");</script>. But I think it doesn't
> > work with some drivers. I am using XP Professional SP2 and Firefox
> > 1.0.6. I am using a string of about 53,000 chars to overflow the
> > buffer.
> > Thanks,
> > Sumit


------------------------------

Message: 4
Date: Tue, 3 Jan 2006 03:33:21 -0800
From: InfoSecBOFH <infosecbofh@...il.com>
Subject: Re: [Full-disclosure] Buffer Overflow vulnerability in
	Windows Display Manager [Suspected]
To: Full-Disclosure <full-disclosure@...ts.grok.org.uk>
Message-ID:
	<2be58a30601030333x3d7c4fc7v24fa1632f7be1626@...l.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

oh.. and by the way... only works with the Intel driver (and only a
couple different versions) and is not exploitable... this is a DoS and
nothing more.

On 1/3/06, InfoSecBOFH <infosecbofh@...il.com> wrote:
> I have only replicated this with the Intel driver. I have tried others
> and no dice.
>
> On 1/3/06, Sumit Siddharth <sumit.siddharth@...il.com> wrote:
> > I think the problem is with the Intel driver and particularly with the
> > file ialmnt5.sys.
> > Hope it helps,
> > Sumit
> >
> > On 1/3/06, Sumit Siddharth <sumit.siddharth@...il.com > wrote:
> > > Dear All,
> > > Sorry for the delayed response.
> > > I had success in exploiting it remotely by a simple JavaScript
> > > <script>window.open("http://aa...");</script>. But I think it
> > > doesn't work with some drivers. I am using XP Professional SP2 and
> > > Firefox 1.0.6. I am using a string of about 53,000 chars to
> > > overflow the buffer.
> > > Thanks,
> > > Sumit


------------------------------

Message: 5
Date: Tue, 3 Jan 2006 03:34:46 -0800
From: InfoSecBOFH <infosecbofh@...il.com>
Subject: Re: [Full-disclosure] WMF round-up, updates and
	de-mystification
To: Gadi Evron <ge@...uxbox.org>
Cc: "FunSec \[List\]" <funsec@...uxbox.org>,
	"full-disclosure@...ts.grok.org.uk"
	<full-disclosure@...ts.grok.org.uk>,
bugtraq@...urityfocus.com
Message-ID: <2be58a30601030334r37d3dam19df4ee9fbaf9f07@...l.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

So this patch is trusted because you said so?

I have tested and confirmed that this patch only works in specific
scenarios and does not mitigate the entire issue.  Variations still
work.

On 1/3/06, Gadi Evron <ge@...uxbox.org> wrote:
> Quite a bit of confusion and a vast amount of information coming from
> all directions about the WMF 0day. Here are some URLs and generic facts
> to set us straight.
>
> The "patch" by Ilfak Guilfanov works, but by disabling a DLL in Windows.
> So far no problems have been observed by anyone using this patch. You
> should naturally check it out for yourselves, but I and many others
> recommend it until Microsoft bothers to show up with their own patch.
>
> Ilfak is trusted and is in no way a Bad Guy.
>
> You can find more information about it at his blog:
> http://www.hexblog.com/2005/12/wmf_vuln.html
>
> If you are still not sure about the patch by Ilfak, check out the
> discussion of it going on in the funsec list about the patch, with Ilfak
> participating:
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Occasional information on new WMF problems keeps coming in over there.
>
> In this URL you can find the best summary I have seen of the WMF issue:
> http://isc.sans.org/diary.php?storyid=994
> by the "SANS ISC diary" team.
>
> In this URL you can find the best write-up I have seen on the WMF issue:
> http://blogs.securiteam.com/index.php/archives/167
> By Matthew Murphy at the "Securiteam Blogs".
>
> Also, it should be noted at this time that since the first public
> discovery of this "problem", a new one has been coming in every day.
> All the ones seen so far are variants of the original and in all ways
> the SAME problem. So, it would be best to acknowledge them as the
> same... or we will keep having a NEW 0day which really isn't, for about 2
> months, when all these few dozen variations are exhausted.
>
> A small BUT IMPORTANT correction for future generations:
> The 0day was originally found and reported by Hubbard Dan from Websense
> on a closed vetted security mailing list, and later on at the Websense
> public page. All those who took credit for it took it wrongly.
>
> Thanks, and a better new year to us all,
>
>        Gadi.


------------------------------

Message: 6
Date: Tue, 3 Jan 2006 03:37:09 -0800
From: InfoSecBOFH <infosecbofh@...il.com>
Subject: Re: [Full-disclosure] WMF round-up, updates and
	de-mystification
To: Gadi Evron <ge@...uxbox.org>
Cc: "FunSec \[List\]" <funsec@...uxbox.org>,
	"full-disclosure@...ts.grok.org.uk"
	<full-disclosure@...ts.grok.org.uk>,
bugtraq@...urityfocus.com
Message-ID:
	<2be58a30601030337i2cba5f87i6b56e4799d897d5f@...l.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On 1/3/06, Gadi Evron <ge@...uxbox.org> wrote:

> A small BUT IMPORTANT correction for future generations:
> The 0day was originally found and reported by Hubbard Dan from Websense
> on a closed vetted security mailing list, and later on at the Websense
> public page. All those who took credit for it took it wrongly.

Yes, important if you are a marketing guy or if your mouth is planted
firmly on the websense dick.

I am sure most of us are part of other and even private mailing lists.
So the credit for discovery should go to whoever first PUBLICLY
disclosed the vuln.  I have no idea who that was, but thanks to a
certain few I saw this vuln in early December.


------------------------------

End of Full-Disclosure Digest, Vol 11, Issue 5
**********************************************