Message-ID: <s3fb2143.092@mail.bbl-inc.com>
Date: Tue Feb 21 19:18:55 2006
From: DMCCOY at bbl-inc.com (DONNY MCCOY)
Subject: Re: Full-Disclosure Digest, Vol 12, Issue 39
I will be in Cary, NC through Thursday and will return to Syracuse on Friday. I will check voicemail and e-mail periodically as time allows.
If your e-mail is urgent please contact the help desk in Syracuse at x19511.
Thanks.
Donny
>>> full-disclosure 02/21/06 14:16 >>>
Send Full-Disclosure mailing list submissions to
full-disclosure@...ts.grok.org.uk
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.grok.org.uk/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
full-disclosure-request@...ts.grok.org.uk
You can reach the person managing the list at
full-disclosure-owner@...ts.grok.org.uk
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."
Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you.
Today's Topics:
1. Re: Quarantine your infected users spreading malware
(Simon Richter)
2. re: Insecurity in Finnish parlament (computers)
(Juha-Matti Laurio)
3. Re: Quarantine your infected users spreading malware
(Nigel Horne)
4. Re: Re: User Enumeration Flaw (Michael Holstein)
5. Re: Compromised hosts lists (James Lay)
6. Compromised host list - some clarification... (James Lay)
7. Re: "if you are not doing anything wrong, why should you worry about it?" (Dave Korn)
8. Re: Forum / Site redone (Dave Korn)
9. Re: Re: Forum / Site redone (Nigel Horne)
10. re: Insecurity in Finnish parlament (computers) (Markus Jansson)
11. re: Insecurity in Finnish parlament (computers)
(Juha-Matti Laurio)
12. [USN-256-1] bluez-hcidump vulnerability (Martin Pitt)
13. [USN-254-1] noweb vulnerability (Martin Pitt)
14. [USN-255-1] openssh vulnerability (Martin Pitt)
15. msgina.dll (khaalel)
16. Re: Compromised host list - some clarification...
(Robert P. McKenzie)
17. Re: "if you are not doing anything wrong, why should you worry about it?" (Steve Kudlak)
18. www.wpad.net (Prabhat Sharma)
19. SV: [Full-disclosure] msgina.dll (Jan Nielsen)
20. [ GLSA 200602-12 ] GPdf: Heap overflows in included Xpdf code
(Thierry Carrez)
21. Re: www.wpad.net (TheGesus)
22. Re: Compromised host list - some clarification... (Dean Pierce)
23. Re: Compromised host list - some clarification... (James Lay)
24. Re: Compromised hosts lists (Valdis.Kletnieks@...edu)
25. Re: Re: Forum / Site redone (Dave Korn)
----------------------------------------------------------------------
Message: 1
Date: Tue, 21 Feb 2006 13:05:42 +0100
From: Simon Richter <Simon.Richter@...yros.de>
Subject: Re: [Full-disclosure] Quarantine your infected users
spreading malware
To: Gadi Evron <ge@...uxbox.org>
Cc: "full-disclosure@...ts.grok.org.uk"
<full-disclosure@...ts.grok.org.uk>, bugtraq@...urityfocus.com
Message-ID: <43FB0216.4090403@...yros.de>
Content-Type: text/plain; charset="iso-8859-1"
Hi,
Gadi Evron wrote:
> As many of us know, handling such users on tech support is not very
> cost-effective to ISPs, as if a user makes a call the ISP already
> loses money on that user. Then again, paying abuse desk personnel just
> so that they can disconnect your users is losing money too.
> Which one would you prefer?
Choice. The difference between a bug and a feature is that you can turn
the feature off. If an ISP offers filters as a feature, I say more power
to them.
Simon
------------------------------
Message: 2
Date: Tue, 21 Feb 2006 14:07:50 +0200 (EET)
From: Juha-Matti Laurio <juha-matti.laurio@...ti.fi>
Subject: re: [Full-Disclosure] Insecurity in Finnish parlament
(computers)
To: Markus Jansson <markus.jansson@...hmail.com>
Cc: full-disclosure@...ts.grok.org.uk
Message-ID:
<2419544.484291140523670940.JavaMail.juha-matti.laurio@...ti.fi>
Content-Type: text/plain; Charset=iso-8859-1; Format=Flowed
Markus Jansson wrote:
> Good article, but it lacks one important aspect of the fiasco:
> TeliaSonera also disabled crypto (A5/1) on GSM:s for some time, which
> made it possible to eavesdrop on its/government's GSM:s. This was the
> "big" fuss.
I'm aware of these claims, but Mr. Esa Korvenmaa, spokesperson of
TeliaSonera Finland, says this is not true.
> BTW. How long would you think it would take them to spot
> false-base-station type of attacks near our parliament house? ;)
No facts about this and I don't want to comment.
My article doesn't handle Finnish parliament in any way.
- Juha-Matti
------------------------------
Message: 3
Date: Tue, 21 Feb 2006 12:16:13 -0000 (GMT)
From: "Nigel Horne" <njh@...dsman.co.uk>
Subject: Re: [Full-disclosure] Quarantine your infected users
spreading malware
To: full-disclosure@...ts.grok.org.uk
Message-ID:
<4212.213.206.150.242.1140524173.squirrel@...l.bandsman.co.uk>
Content-Type: text/plain;charset=iso-8859-15
> Hi,
>
> Gadi Evron wrote:
>
>> As many of us know, handling such users on tech support is not very
>> cost-effective to ISPs, as if a user makes a call the ISP already
>> loses money on that user.
Not necessarily true. Many ISPs charge little for set-up and ongoing
costs, but support is only available from them via a premium rate phone
number.
>> Then again, paying abuse desk personnel just
>> so that they can disconnect your users is losing money too.
Not so much if the desk is in India or China.
-Nigel
------------------------------
Message: 4
Date: Tue, 21 Feb 2006 08:26:47 -0500
From: Michael Holstein <michael.holstein@...ohio.edu>
Subject: Re: [Full-disclosure] Re: User Enumeration Flaw
To: full-disclosure@...ts.grok.org.uk
Message-ID: <43FB1517.50703@...ohio.edu>
Content-Type: text/plain; charset=us-ascii; format=flowed
That's called directory harvesting and it's hardly new. Most MTAs
implement tarpitting of some sort, to limit VRFY or RCPT commands from a
particular IP to a certain threshold, before they start slowing them down.
There are also ways to silently drop (or accept with routing to
/dev/null) a session for a recipient that isn't in an external database
(eg: LDAP) -- and while this breaks the RFC, people do it anyway.
Ever looked at a Hotmail spam message? There will be 50 recipients ..
gbush@, hbush@, jbush@, kbush@, etc. the ones that bounce aren't real
and get rejected. Those that don't come back get added as "valid" for
the second round.
~Mike.
Dave Korn wrote:
> Mar.Shatz@...cation.gov.il wrote:
>
>>whitehouse.gov MX 100 mailhub-wh2.whitehouse.gov
>>noone@box:~$
>>noone@box:~$ telnet mailhub-wh2.whitehouse.gov 25
>>Trying 63.161.169.140...
>>Connected to mailhub-wh2.whitehouse.gov.
>>Escape character is '^]'.
>>220 whitehouse.gov ESMTP service at Sun, 12 Feb 2006 11:29:38 -0500
>>(EST) helo jojo
>>250 esgeop03.whitehouse.gov Hello [xxx.xxx.xxx.xxx], pleased to meet
>>you mail from:bob@....com
>>250 2.1.0 bob@....com... Sender ok
>>rcpt to:gbush@...tehouse.gov
>>550 5.1.1 gbush@...tehouse.gov... User unknown
>>rcpt to:president@...tehouse.gov
>>250 2.1.5 president@...tehouse.gov... Recipient ok
>>quit
>>221 2.0.0 esgeop03.whitehouse.gov closing connection
>>Connection closed by foreign host.
>>
>>User enumeration at the whitehouse
>
>
>
> Tell DHS at once! What would happen if Al-Qaeda could figure out that
> there was a president in the whitehouse?
>
>
> cheers,
> DaveK
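The tarpitting Mike describes, as an added example that is not part of his post: a detector that aggregates RCPT TO outcomes per client IP and computes the back-off delay a tarpit would apply once a client crosses the unknown-recipient threshold. The log format is a constructed, simplified one (not any real MTA's), and the threshold, ratio and exponential back-off are this example's assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: a simplified gateway log with one RCPT TO outcome per
# line (timestamp, client IP, recipient, SMTP reply code). This is not a real
# MTA's format and not real traffic; addresses use documentation ranges.
SAMPLE_LOG = """\
2006-02-21T11:29:38 198.51.100.7 RCPT gbush@example.gov 550
2006-02-21T11:29:38 198.51.100.7 RCPT hbush@example.gov 550
2006-02-21T11:29:39 198.51.100.7 RCPT jbush@example.gov 550
2006-02-21T11:29:39 198.51.100.7 RCPT kbush@example.gov 550
2006-02-21T11:29:40 198.51.100.7 RCPT president@example.gov 250
2006-02-21T11:29:40 198.51.100.7 RCPT lbush@example.gov 550
2006-02-21T11:30:01 203.0.113.9 RCPT alice@example.gov 250
2006-02-21T11:30:02 203.0.113.9 RCPT alcie@example.gov 550
2006-02-21T11:30:05 203.0.113.9 RCPT alice@example.gov 250
garbage line that the parser must ignore
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) RCPT (?P<rcpt>\S+) (?P<code>\d{3})$"
)


@dataclass
class ClientStats:
    total: int = 0                 # RCPT TO commands seen from this client
    unknown: int = 0               # of which answered 550 (no such user)
    unknown_rcpts: list = field(default_factory=list)

    @property
    def unknown_ratio(self) -> float:
        return self.unknown / self.total if self.total else 0.0


def parse_log(text: str) -> dict:
    """Aggregate RCPT TO outcomes per client IP; lines that do not match the
    expected format are skipped rather than allowed to abort the run."""
    stats = defaultdict(ClientStats)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        st = stats[m["ip"]]
        st.total += 1
        if m["code"] == "550":
            st.unknown += 1
            st.unknown_rcpts.append(m["rcpt"])
    return dict(stats)


def tarpit_delay(unknown: int, threshold: int, base: float = 1.0, cap: float = 60.0) -> float:
    """Seconds an MTA would sleep before answering the next RCPT TO: nothing
    until the client reaches the threshold, then doubling per further unknown
    recipient, bounded so a legitimate but unlucky sender is never stalled
    forever. (The exponential back-off is this example's choice.)"""
    excess = unknown - threshold
    if excess < 0:
        return 0.0
    return min(cap, base * 2 ** excess)


def find_harvesters(text: str, threshold: int = 3, min_ratio: float = 0.5) -> dict:
    """Clients whose unknown-recipient count AND unknown ratio both exceed the
    limits. Requiring the ratio too keeps a busy legitimate relay with a few
    typo'd addresses from being throttled; a harvester's ratio is near 1."""
    flagged = {}
    for ip, st in parse_log(text).items():
        if st.unknown >= threshold and st.unknown_ratio >= min_ratio:
            flagged[ip] = {
                "unknown": st.unknown,
                "total": st.total,
                "ratio": round(st.unknown_ratio, 2),
                "tarpit_seconds": tarpit_delay(st.unknown, threshold),
                "probed": st.unknown_rcpts,
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_harvesters(SAMPLE_LOG).items():
        print(ip, info)
```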
------------------------------
Message: 5
Date: Tue, 21 Feb 2006 07:09:58 -0700
From: James Lay <jlay@...ve-tothe-box.net>
Subject: Re: [Full-disclosure] Compromised hosts lists
Cc: Full-disclosure <full-disclosure@...ts.grok.org.uk>
Message-ID: <20060221070958.749da9c9@...ebox.slave-tothe-box.net>
Content-Type: text/plain; charset=US-ASCII
On Mon, 20 Feb 2006 22:40:00 -0500
Valdis.Kletnieks@...edu wrote:
> On Mon, 20 Feb 2006 16:55:06 MST, James Lay said:
> > I had heard tale of a site that had a semi-updated list of
> > compromised hosts. I was hoping that someone knows that
> > link...would LOVE to be able to get my firewall to get this list
> > and auto-create an iptables rule. Thanks all!
>
> That's ass backwards.
>
> The secure way to do this is to first deny *all* traffic, and then add
> specific rules for machines that you *do* want to talk to.
>
> Think for a bit - if some random cablemodem in another timezone is on
> the list, why should you stop packets from it? Why would you want to
> accept packets *before* it showed up on the list? Why do you still
> want to accept packets from *other* boxes in the same /24 or /16?
I completely agree for ports that I would have closed, but obviously I
could not simply deny *all* traffic for port 25 and 80 let's say, as I
want them open to the public.
James
------------------------------
Message: 6
Date: Tue, 21 Feb 2006 07:16:35 -0700
From: James Lay <jlay@...ve-tothe-box.net>
Subject: [Full-disclosure] Compromised host list - some
clarification...
To: Full-disclosure <full-disclosure@...ts.grok.org.uk>
Message-ID: <20060221071635.7ae12788@...ebox.slave-tothe-box.net>
Content-Type: text/plain; charset=US-ASCII
So ok.....I'm completely positive I didn't make myself clear at all in
my previous message...go me! Here's a web site that I did manage to
find that has a current list of open proxies:
http://www.samair.ru/proxy/index.htm
My hope is that I could find a site that has a list of currently
reported open proxies, scanners, and ssh brute force boxes. The RBL's
pretty much have smtp covered. I would run a cron job at midnight, wget
and grep the file, then create an iptables table to block those hosts.
This is an attempt to be more proactive than reactive...if I knew those
hosts that were actively doing naughty things, why not block them at
the get go?
Does this make sense? Am I barking up the wrong tree? Thanks all =)
James
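The nightly fetch-and-block job James sketches, as an added example that is not his code: it turns the text of a fetched list into iptables commands for a dedicated chain, with the checks that keep a poisoned or sloppy list from locking out the LAN, the host itself or the whole Internet, and it takes Valdis's point by consulting the chain only on the ports that must stay public. The list content is constructed (documentation addresses), the commands are generated rather than executed, and `iptables -C` is assumed to be available.

```python
import ipaddress

# Constructed stand-in for a downloaded "open proxies" page: one entry per
# line with the noise such lists carry (ports, comments, a poisoned /0 entry,
# garbage). Addresses are documentation ranges, not real hosts.
SAMPLE_LIST = """\
# open proxies, updated nightly
198.51.100.23:8080
198.51.100.24:3128
203.0.113.0/24
203.0.113.77
10.0.0.5
127.0.0.1
0.0.0.0/0
not-an-address
192.0.2.1:80 anonymous
"""

# Ranges an external list must never be allowed to put into the firewall:
# "this network", RFC 1918, loopback, link-local, multicast, reserved.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def parse_blocklist(text, own_nets=(), min_prefix=24):
    """Return the usable IPv4 networks from a fetched list, collapsed.

    Ports and trailing commentary are stripped, comments and garbage skipped.
    Entries overlapping NEVER_BLOCK or the caller's own networks are dropped,
    as are prefixes broader than /min_prefix, so a poisoned or sloppy list
    cannot turn into "block the LAN" or "block the whole Internet".
    """
    protected = list(NEVER_BLOCK) + [ipaddress.ip_network(n) for n in own_nets]
    nets = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        token = fields[0]
        if ":" in token and "/" not in token:   # "1.2.3.4:8080" -> "1.2.3.4"
            token = token.split(":", 1)[0]
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue                              # not an address at all
        if net.version != 4 or net.prefixlen < min_prefix:
            continue                              # IPv4 only; no broad prefixes
        if any(net.overlaps(p) for p in protected):
            continue
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets))


def iptables_commands(nets, chain="BADHOSTS", ports=(25, 80)):
    """Shell commands that load the list into a dedicated chain.

    The chain is flushed and refilled on every run, and the jump from INPUT
    is only inserted if `iptables -C` reports it missing, so a nightly cron
    run is idempotent. Only the public service ports consult the chain; the
    default-deny stance for everything else is left alone.
    """
    cmds = [f"iptables -N {chain} 2>/dev/null || true", f"iptables -F {chain}"]
    for port in ports:
        rule = f"INPUT -p tcp --dport {port} -j {chain}"
        cmds.append(f"iptables -C {rule} 2>/dev/null || iptables -I {rule}")
    cmds.extend(f"iptables -A {chain} -s {net} -j DROP" for net in nets)
    return cmds


if __name__ == "__main__":
    for cmd in iptables_commands(parse_blocklist(SAMPLE_LIST)):
        print(cmd)
```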
------------------------------
Message: 7
Date: Tue, 21 Feb 2006 14:54:52 -0000
From: "Dave Korn" <davek_throwaway@...mail.com>
Subject: [Full-disclosure] Re: "if you are not doing anything wrong, why should you worry about it?"
To: full-disclosure@...ts.grok.org.uk
Message-ID: <dtf9jt$bg3$1@....gmane.org>
Gadi Evron wrote:
>
> "if you are not doing anything wrong, why should you worry about it?"
If I'm not doing anything wrong then it's nobody's god-damn business but
mine what I'm doing at all. QED.
cheers,
DaveK
--
Can't think of a witty .sigline today....
------------------------------
Message: 8
Date: Tue, 21 Feb 2006 14:57:39 -0000
From: "Dave Korn" <davek_throwaway@...mail.com>
Subject: [Full-disclosure] Re: Forum / Site redone
To: full-disclosure@...ts.grok.org.uk
Message-ID: <dtf9p4$c2k$1@....gmane.org>
Nigel Horne wrote:
>> Thanks for the comments. Site has been redone ( I re-did it ) Feel
>> free to keep the comments coming.
>>
>> http://www.iatechconsulting.com
>
> Why does it attempt to store 2 cookies on my machine when all I do is
> visit your front page?
Because that's how PHP tracks your session ID.
>Needless to say I said "no".
http://zapatopi.net/afdb
cheers,
DaveK
--
Can't think of a witty .sigline today....
------------------------------
Message: 9
Date: Tue, 21 Feb 2006 15:05:54 -0000 (GMT)
From: "Nigel Horne" <njh@...dsman.co.uk>
Subject: Re: [Full-disclosure] Re: Forum / Site redone
To: full-disclosure@...ts.grok.org.uk
Message-ID:
<5495.213.206.150.242.1140534354.squirrel@...l.bandsman.co.uk>
Content-Type: text/plain;charset=iso-8859-15
> Nigel Horne wrote:
>>> Thanks for the comments. Site has been redone ( I re-did it ) Feel
>>> free to keep the comments coming.
>>>
>>> http://www.iatechconsulting.com
>>
>> Why does it attempt to store 2 cookies on my machine when all I do is
>> visit your front page?
>
> Because that's how PHP tracks your session ID.
>
>>Needless to say I said "no".
Public access websites should not have session IDs just to visit their
frontpage.
> cheers,
> DaveK
------------------------------
Message: 10
Date: Tue, 21 Feb 2006 16:52:24 +0200
From: "Markus Jansson" <markus.jansson@...hmail.com>
Subject: re: [Full-Disclosure] Insecurity in Finnish parlament
(computers)
To: <full-disclosure@...ts.grok.org.uk>
Message-ID: <200602211452.k1LEqSuK085801@...lserver2.hushmail.com>
On Tue, 21 Feb 2006 14:07:50 +0200 Juha-Matti Laurio <juha-matti.laurio@...ti.fi> wrote:
>> TeliaSonera also disabled crypto (A5/1) on GSM:s for some time,
>> which made it possible to eavesdrop on its/government's GSM:s.
>> This was the "big" fuss.
>
>I'm aware of these claims, but Mr. Esa Korvenmaa, spokesperson
>of TeliaSonera Finland, says this is not true.
Well, several people in different discussion forums in Finland
found it out with GSM analysing tools and posted it up. Those tools
showed that people's phones (in the TeliaSonera network) used the A5/0
cipher, meaning that no encryption was used. I doubt that all of
them are simultaneously lying and TeliaSonera is telling the truth.
:D
--
My computer security & privacy related homepage
http://www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email
before sending it to me to protect our privacy.
------------------------------
Message: 11
Date: Tue, 21 Feb 2006 17:10:11 +0200 (EET)
From: Juha-Matti Laurio <juha-matti.laurio@...ti.fi>
Subject: re: [Full-Disclosure] Insecurity in Finnish parlament
(computers)
To: Markus Jansson <markus.jansson@...hmail.com>
Cc: full-disclosure@...ts.grok.org.uk
Message-ID:
<21845207.514571140534611207.JavaMail.juha-matti.laurio@...ti.fi>
Content-Type: text/plain; Charset=iso-8859-1; Format=Flowed
Markus Jansson wrote:
> Well, several people in different discussion forums in Finland
> found it out with GSM analysing tools and posted it up. Those tools
> showed that people's phones (in the TeliaSonera network) used the A5/0
> cipher, meaning that no encryption was used. I doubt that all of
> them are simultaneously lying and TeliaSonera is telling the truth.
> :D
Yes, I have all of these related forum posts handling the use of Nokia
Network Monitor as printed versions.
- Juha-Matti
------------------------------
Message: 12
Date: Tue, 21 Feb 2006 16:30:40 +0100
From: Martin Pitt <martin.pitt@...onical.com>
Subject: [Full-disclosure] [USN-256-1] bluez-hcidump vulnerability
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Message-ID: <20060221153040.GB5903@...are.de>
Content-Type: text/plain; charset="us-ascii"
===========================================================
Ubuntu Security Notice USN-256-1 February 21, 2006
bluez-hcidump vulnerability
CVE-2006-0670
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)
The following packages are affected:
bluez-hcidump
The problem can be corrected by upgrading the affected package to
version 1.5-2ubuntu0.1 (for Ubuntu 4.10), 1.12-1ubuntu0.1 (for Ubuntu
5.04), or 1.23-0ubuntu1.1 (for Ubuntu 5.10). In general, a standard
system upgrade is sufficient to effect the necessary changes.
Details follow:
Pierre Betouin discovered a Denial of Service vulnerability in the
handling of the L2CAP (Logical Link Control and Adaptation Layer
Protocol) layer. By sending a specially crafted L2CAP packet through a
wireless Bluetooth connection, a remote attacker could crash hcidump.
Since hcidump is mainly a debugging tool, the impact of this flaw is
very low.
Updated packages for Ubuntu 4.10:
Updated packages for Ubuntu 5.04:
Updated packages for Ubuntu 5.10:
------------------------------
Message: 13
Date: Tue, 21 Feb 2006 16:30:44 +0100
From: Martin Pitt <martin.pitt@...onical.com>
Subject: [Full-disclosure] [USN-254-1] noweb vulnerability
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Message-ID: <20060221153044.GC5903@...are.de>
Content-Type: text/plain; charset="iso-8859-1"
===========================================================
Ubuntu Security Notice USN-254-1 February 21, 2006
noweb vulnerability
CVE-2005-3342
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)
The following packages are affected:
nowebm
The problem can be corrected by upgrading the affected package to
version 2.10c-3ubuntu1.1 (for Ubuntu 4.10), 2.10c-3.1ubuntu5.04.1 (for
Ubuntu 5.04), or 2.10c-3.1ubuntu5.10.1 (for Ubuntu 5.10). In general,
a standard system upgrade is sufficient to effect the necessary
changes.
Details follow:
Javier Fernández-Sanguino Peña discovered that noweb scripts created
temporary files in an insecure way. This could allow a symlink attack
to create or overwrite arbitrary files with the privileges of the user
running noweb.
Updated packages for Ubuntu 4.10:
Updated packages for Ubuntu 5.04:
Updated packages for Ubuntu 5.10:
------------------------------
Message: 14
Date: Tue, 21 Feb 2006 16:30:54 +0100
From: Martin Pitt <martin.pitt@...onical.com>
Subject: [Full-disclosure] [USN-255-1] openssh vulnerability
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Message-ID: <20060221153054.GD5903@...are.de>
Content-Type: text/plain; charset="us-ascii"
===========================================================
Ubuntu Security Notice USN-255-1 February 21, 2006
openssh vulnerability
CVE-2006-0225
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)
The following packages are affected:
openssh-client
The problem can be corrected by upgrading the affected package to
version 1:3.8.1p1-11ubuntu3.3 (for Ubuntu 4.10), 1:3.9p1-1ubuntu2.2
(for Ubuntu 5.04), or 1:4.1p1-7ubuntu4.1 (for Ubuntu 5.10). In
general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Tomas Mraz discovered a shell code injection flaw in scp. When doing
local-to-local or remote-to-remote copying, scp expanded shell escape
characters. By tricking a user into using scp on a specially crafted
file name (which could also be caught by using an innocuous wild card
like '*'), an attacker could exploit this to execute arbitrary shell
commands with the privilege of that user.
Please be aware that scp is not designed to operate securely on
untrusted file names, since it needs to stay compatible with rcp.
Please use sftp for automated systems and potentially untrusted file
names.
Updated packages for Ubuntu 4.10:
Updated packages for Ubuntu 5.04:
Updated packages for Ubuntu 5.10:
------------------------------
Message: 15
Date: Tue, 21 Feb 2006 17:03:08 +0100
From: khaalel <khaalel@...il.com>
Subject: [Full-disclosure] msgina.dll
To: full-disclosure@...ts.grok.org.uk
Message-ID:
<2d7da9270602210803v2d5f8ff0jc93e4023ba2a663b@...l.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Hi everybody,
I have to modify the winlogon process for a school project (in order to use
a smartcard: I bought some goldcards and javacards). After some time with
Google, I found msgina.dll
(http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/msgina.mspx)
but I don't know how to modify it (I'm a Linux and BSD hacker; Windows
work is a world I visit rarely...).
Has anyone already worked with this DLL? I'm looking for some code examples,
some tutorials, some help to know how to use a smartcard and not
login/password at startup...
Thanks...
------------------------------
Message: 16
Date: Tue, 21 Feb 2006 16:03:56 +0000
From: "Robert P. McKenzie" <rmckenzi@...dp.com>
Subject: Re: [Full-disclosure] Compromised host list - some
clarification...
To: James Lay <jlay@...ve-tothe-box.net>
Cc: Full-disclosure <full-disclosure@...ts.grok.org.uk>
Message-ID: <43FB39EC.6000303@...dp.com>
Content-Type: text/plain; charset=ISO-8859-1
James Lay wrote:
> So ok.....I'm completely positive I didn't make myself clear at all in
> my previous message...go me! Here's a web site that I did manage to
> find that has a current list of open proxies:
>
> http://www.samair.ru/proxy/index.htm
>
> My hope is that I could find a site that has a list of currently
> reported open proxies, scanners, and ssh brute force boxes. The RBL's
> pretty much have smtp covered. I would run a cron job at midnight, wget
> and grep the file, then create an iptables table to block those hosts.
> This is an attempt to be more proactive than reactive...if I knew those
> hosts that were actively doing naughty things, why not block them at
> the get go?
>
> Does this make sense? Am I barking up the wrong tree? Thanks all =)
It's clear; however, as others have pointed out, it's far easier to block everything and
then selectively allow what you want to talk to you. How do you think iptables will react
if you have, say, 20,000 entries in it? My guess is it will slow your machines down.
Go the sensible route: block everything and permit the much smaller list of hosts to
connect to you.
------------------------------
Message: 17
Date: Tue, 21 Feb 2006 08:58:17 -0800
From: Steve Kudlak <chromazine@...global.net>
Subject: Re: [Full-disclosure] "if you are not doing anything wrong, why should you worry about it?"
To: Valdis.Kletnieks@...edu
Cc: "full-disclosure@...ts.grok.org.uk"
<full-disclosure@...ts.grok.org.uk>, Gadi Evron <ge@...uxbox.org>
Message-ID: <43FB46A9.9000403@...global.net>
Content-Type: text/plain; charset="windows-1252"
Valdis.Kletnieks@...edu wrote:
>On Mon, 20 Feb 2006 15:42:35 PST, coderman said:
>
>>On 2/20/06, Gadi Evron <ge@...uxbox.org> wrote:
>>
>>>...
>>>What's to stop them from putting cameras
>>>in our showers, next?
>>
>>ugly fat people nekkid?
>
>Guaranteed that there's a market for that, and websites already in existence.
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
And this is a discussion sure to get us techies marked as crude and
mean; luckily we are too bright to be called stupid ;)
If it is young and attractive and female (most techies are alas still
male) it should have on as little clothes as possible and be seen as much
as possible. If it is not, it should go hide away and we shouldn't see it.
Oh well, we will get so marked.
Have Fun,
Sends Steve
------------------------------
Message: 18
Date: Tue, 21 Feb 2006 22:33:27 +0530
From: "Prabhat Sharma" <hi.prabhat@...il.com>
Subject: [Full-disclosure] www.wpad.net
To: full-disclosure@...ts.grok.org.uk
Message-ID:
<78a2a5c0602210903v27a20ee5p4dba08330bd905b@...l.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Hi,
Does anybody else's machine also try to access www.wpad.net? I use dial-up to
connect to the internet, and the moment I connect my firewall shows
that svchost is trying to access www.wpad.net. I tried visiting the
www.wpad.net website, and the owner of the site says that it is due to
some Microsoft bug related to the Web Proxy Discovery Protocol (WPAD).
There is also a link (which I also found in other places after some
googling) to a WPAD (Web Proxy Auto Discovery Protocol) draft which was
drafted by Microsoft (that is what the website says).
Has anyone else faced this issue, or does my machine have some unwanted material?
------------------------------
Message: 19
Date: Tue, 21 Feb 2006 18:08:51 +0100
From: "Jan Nielsen" <jan@...akasha.dk>
Subject: SV: [Full-disclosure] msgina.dll
To: <full-disclosure@...ts.grok.org.uk>
Message-ID: <20060221170506.7023A262826@...pc.post.tele.dk>
Content-Type: text/plain; charset="iso-8859-1"
I haven't messed with GINA programming myself, but this will probably help
you get some basic understanding of it :
http://www.codeproject.com/useritems/GINA_SPY.asp
Jan
_____
From: boyakash@...dnsserverhosting.com
[mailto:boyakash@...dnsserverhosting.com] On behalf of khaalel
Sent: 21 February 2006 17:03
To: full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] msgina.dll
Hi everybody,
I have to modify the winlogon process for a school project (in order to use
a smartcard: I bought some goldcards and javacards). After some time with
Google, I found msgina.dll
(http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/msgina.mspx)
but I don't know how to modify it (I'm a Linux and BSD hacker; Windows
work is a world I visit rarely...).
Has anyone already worked with this DLL? I'm looking for some code examples,
some tutorials, some help to know how to use a smartcard and not
login/password at startup...
Thanks...
------------------------------
Message: 20
Date: Tue, 21 Feb 2006 18:33:06 +0100
From: Thierry Carrez <koon@...too.org>
Subject: [Full-disclosure] [ GLSA 200602-12 ] GPdf: Heap overflows in
included Xpdf code
To: gentoo-announce@...ts.gentoo.org
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
security-alerts@...uxsecurity.com
Message-ID: <43FB4ED2.7080601@...too.org>
Content-Type: text/plain; charset="iso-8859-1"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200602-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: GPdf: Heap overflows in included Xpdf code
Date: February 21, 2006
Bugs: #121511
ID: 200602-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
GPdf includes vulnerable Xpdf code to handle PDF files, making it
vulnerable to the execution of arbitrary code.
Background
==========
GPdf is a Gnome PDF viewer.
Affected packages
=================
-------------------------------------------------------------------
     Package          /  Vulnerable  /             Unaffected
-------------------------------------------------------------------
  1  app-text/gpdf       < 2.10.0-r4               >= 2.10.0-r4
Description
===========
Dirk Mueller found a heap overflow vulnerability in the XPdf codebase
when handling splash images that exceed the size of the associated bitmap.
Impact
======
An attacker could entice a user to open a specially crafted PDF file
with GPdf, potentially resulting in the execution of arbitrary code
with the rights of the user running the affected application.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All GPdf users should upgrade to the latest version.
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/gpdf-2.10.0-r4"
References
==========
[ 1 ] CVE-2006-0301
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0301
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200602-12.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@...too.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
------------------------------
Message: 21
Date: Tue, 21 Feb 2006 12:43:10 -0500
From: TheGesus <thegesus@...il.com>
Subject: Re: [Full-disclosure] www.wpad.net
To: "Prabhat Sharma" <hi.prabhat@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Message-ID:
<5e70f6530602210943s4b438576v555e099f12db7d0d@...l.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
On 2/21/06, Prabhat Sharma <hi.prabhat@...il.com> wrote:
> Hi,
>
> Does anybody else's machine also try to access www.wpad.net? I use dial-up to
> connect to the internet, and the moment I connect my firewall shows
> that svchost is trying to access www.wpad.net. I tried visiting the www.wpad.net
> website, and the owner of the site says that it is due to some Microsoft bug
> related to the Web Proxy Discovery Protocol (WPAD).
>
> There is also a link (which I also found in other places after some
> googling) to a WPAD (Web Proxy Auto Discovery Protocol) draft which was
> drafted by Microsoft (that is what the website says).
>
> Has anyone else faced this issue, or does my machine have some unwanted material?
>
Actually, wpad was invented by Netscape, but screwed up by MS.
"wpad." without an extension is something like the 6th or 7th most
common illegal DNS lookup.
If you deselect "Automatic Discovery" in IE that should put an end to it.
That fellow who owns the domain names could do some pretty nasty stuff
if he ever decided to turn evil.
------------------------------
Message: 22
Date: Tue, 21 Feb 2006 10:06:50 -0800
From: Dean Pierce <piercede@....edu>
Subject: Re: [Full-disclosure] Compromised host list - some
clarification...
To: James Lay <jlay@...ve-tothe-box.net>,
full-disclosure@...ts.grok.org.uk
Message-ID: <43FB56BA.8090306@....edu>
Content-Type: text/plain; charset="iso-8859-1"
If you need to protect your ssh from scanners, wouldn't it prolly just
be best to block people that are actually scanning you? I use the
denyhosts script (watches logs for failed login attempts, and blocks IPs
based on that), and there are a couple of other good ones. The two main
problems with your solution are:
1. How can you trust some magical offsite list so much that you are
willing to block traffic based on what it says?
2. How can you believe that such a list would ever be complete, or even
thorough? New machines get taken over all the time, and my guess is that
the average lifespan of such machines is about a week or so before an
admin sees what's going on.
- DEAN
James Lay wrote:
> So ok.....I'm completely positive I didn't make myself clear at all in
> my previous message...go me! Here's a web site that I did manage to
> find that has a current list of open proxies:
>
> http://www.samair.ru/proxy/index.htm
>
> My hope is that I could find a site that has a list of currently
> reported open proxies, scanners, and ssh brute force boxes. The RBL's
> pretty much have smtp covered. I would run a cron job at midnight, wget
> and grep the file, then create an iptables table to block those hosts.
> This is an attempt to be more proactive than reactive...if I knew those
> hosts that were actively doing naughty things, why not block them at
> the get go?
>
> Does this make sense? Am I barking up the wrong tree? Thanks all =)
>
> James
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
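Dean's log-watching approach, as an added example that is neither denyhosts' own code nor from the thread: parse constructed sshd log lines, count failures per source inside a sliding window, skip an allowlisted admin network, and print the resulting iptables rules instead of running them. The sample lines, the year, the threshold, the window and the allowlisted network are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sshd/syslog lines for the demo (not taken from the thread).
# 198.51.100.7 hammers the box, 192.0.2.10 is the admin mistyping from a
# trusted net, 203.0.113.5 is a slow scanner spacing attempts over hours.
SAMPLE_LOG = """\
Feb 21 08:01:02 box sshd[2011]: Failed password for invalid user admin from 198.51.100.7 port 51122 ssh2
Feb 21 08:01:05 box sshd[2012]: Failed password for root from 198.51.100.7 port 51130 ssh2
Feb 21 08:01:09 box sshd[2013]: Failed password for invalid user test from 198.51.100.7 port 51141 ssh2
Feb 21 08:01:12 box sshd[2014]: Failed password for invalid user oracle from 198.51.100.7 port 51150 ssh2
Feb 21 08:01:40 box sshd[2015]: Failed password for invalid user guest from 198.51.100.7 port 51163 ssh2
Feb 21 08:02:00 box sshd[2016]: Failed password for james from 192.0.2.10 port 40001 ssh2
Feb 21 08:02:03 box sshd[2016]: Failed password for james from 192.0.2.10 port 40001 ssh2
Feb 21 08:02:05 box sshd[2016]: Failed password for james from 192.0.2.10 port 40001 ssh2
Feb 21 08:02:07 box sshd[2016]: Failed password for james from 192.0.2.10 port 40001 ssh2
Feb 21 08:02:09 box sshd[2016]: Failed password for james from 192.0.2.10 port 40001 ssh2
Feb 21 08:02:30 box sshd[2017]: Accepted publickey for james from 192.0.2.10 port 40002 ssh2
Feb 21 08:05:00 box sshd[2018]: Failed password for root from 203.0.113.5 port 33000 ssh2
Feb 21 09:30:00 box sshd[2019]: Failed password for root from 203.0.113.5 port 33001 ssh2
Feb 21 10:55:00 box sshd[2020]: Failed password for root from 203.0.113.5 port 33002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2006):
    """Return {ip: [datetime, ...]} of failed password attempts.
    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures[m["ip"]].append(ts)
    return failures

def offenders(failures, threshold=5, window=timedelta(minutes=10), allow=()):
    """IPs with >= threshold failures inside one sliding window. Addresses in
    the allowlisted networks are never returned, so an admin mistyping a
    password from a trusted net cannot lock himself out."""
    nets = [ip_network(n) for n in allow]
    hits = {}
    for ip, times in failures.items():
        if any(ip_address(ip) in n for n in nets):
            continue
        times = sorted(times)
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(times)          # total failures seen, for the report
                break
    return hits

def block_commands(hits, port=22):
    """iptables rules for the offenders as strings; printing rather than
    executing keeps the decision reviewable, and the table stays short
    because it only names hosts that actually hit this box."""
    return [f"iptables -I INPUT -p tcp --dport {port} -s {ip} -j DROP"
            for ip in sorted(hits)]

if __name__ == "__main__":
    hits = offenders(parse_failures(SAMPLE_LOG), allow=["192.0.2.0/24"])
    for cmd in block_commands(hits):
        print(cmd)
```

The slow scanner in the sample never trips the window, which is the limit of any threshold-based watcher and the reason the outward-facing services still have to hold up on their own.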
------------------------------
Message: 23
Date: Tue, 21 Feb 2006 11:32:56 -0700
From: James Lay <jlay@...ve-tothe-box.net>
Subject: Re: [Full-disclosure] Compromised host list - some
clarification...
To: "Robert P. McKenzie" <rmckenzi@...dp.com>
Cc: Full-disclosure <full-disclosure@...ts.grok.org.uk>
Message-ID: <20060221113256.4f342f01@...ebox.slave-tothe-box.net>
Content-Type: text/plain; charset=US-ASCII
On Tue, 21 Feb 2006 16:03:56 +0000
"Robert P. McKenzie" <rmckenzi@...dp.com> wrote:
> James Lay wrote:
> > So ok.....I'm completely positive I didn't make myself clear at all
> > in my previous message...go me! Here's a web site that I did
> > manage to find that has a current list of open proxies:
> >
> > http://www.samair.ru/proxy/index.htm
> >
> > My hope is that I could find a site that has a list of currently
> > reported open proxies, scanners, and ssh brute force boxes. The
> > RBL's pretty much have smtp covered. I would run a cron job at
> > midnight, wget and grep the file, then create an iptables table to
> > block those hosts. This is an attempt to be more proactive than
> > reactive...if I knew those hosts that were actively doing naughty
> > things, why not block them at the get go?
> >
> > Does this make sense? Am I barking up the wrong tree? Thanks all
> > =)
>
> It's clear, however, as others have pointed out it's far easier to
> block everything and then selectively allow what you want to talk to
> you. How do you think iptables will react if you have say 20,000
> entries in it? My guess is it will slow your machines down.
>
> Go the sensible route and block everything and permit the much
> smaller list of hosts to connect to you.
>
Robert,
I do understand this; however, this would not fit well for services that
are for public use, i.e. web or email, where I could not simply deny
everyone. But for ports that I do NOT want the public to see, you
bet...block all is the way to go. Thank you!
James
------------------------------
Message: 24
Date: Tue, 21 Feb 2006 13:43:37 -0500
From: Valdis.Kletnieks@...edu
Subject: Re: [Full-disclosure] Compromised hosts lists
To: James Lay <jlay@...ve-tothe-box.net>
Cc: Full-disclosure <full-disclosure@...ts.grok.org.uk>
Message-ID: <200602211843.k1LIhbM7014041@...ing-police.cc.vt.edu>
Content-Type: text/plain; charset="us-ascii"
On Tue, 21 Feb 2006 07:09:58 MST, James Lay said:
> I completely agree for ports that I would have closed, but obviously I
> could not simply deny *all* traffic for port 25 and 80 let's say, as I
> want them open to the public.
At which point a list of the 100 million or so compromised machines believed
to be out there doesn't do you much good. (Yes, the number is likely to be
that high - at one point we were seeing several hundred thousand new zombies
*per day*.)
If you implement the block list, your machine runs like a pig (how much kernel
memory do 100M iptables rules nail down?? ;)
And you *still* have to worry about evil packets arriving on ports 25 and/or 80
from machines that haven't been *flagged* as evil yet. (Note that with 100M
rules, trying to do even daily syncs is non-trivial - and you're going to want
to do this on an hourly basis or so if you want it to be at all useful. When
the update takes over an hour, you're in trouble.....)
Your only real choice here is to make sure that 25 and 80 (and other outward-facing
services) are as bulletproof as possible, against all packets from whatever source,
and remain vigilant.
------------------------------
Message: 25
Date: Tue, 21 Feb 2006 19:14:52 -0000
From: "Dave Korn" <davek_throwaway@...mail.com>
Subject: [Full-disclosure] Re: Re: Forum / Site redone
To: full-disclosure@...ts.grok.org.uk
Message-ID: <dtfore$7n5$1@....gmane.org>
Nigel Horne wrote:
>> Nigel Horne wrote:
>>>> Thanks for the comments. Site has been redone (I re-did it). Feel
>>>> free to keep the comments coming.
>>>>
>>>> http://www.iatechconsulting.com
>>>
>>> Why does it attempt to store 2 cookies on my machine when all I do is
>>> visit your front page?
>>
>> Because that's how PHP tracks your session ID.
>>
>>> Needless to say I said "no".
>
> Public access websites should not have session IDs just to visit their
> frontpage.
Like it matters the tiniest little bit at all.
You can refuse the cookie if you want.
You can accept it if you want the personalisation you'll get.
You can set your browser to flush cookies at the end of the session if you
don't want the same server to identify you next time.
You can hang on to it indefinitely if you do.
It takes next to no space on your hard drive, is entirely under your
control, and it's not some kind of magical demon sent by the NSA to spy on
you, so who cares?
You're presenting this claim that "Public access websites" (you mean
'publicly accessible' websites, I take it) "should not have" session IDs.
Well, /WHY/ should they not? This claim needs justifying. Ethical reasons?
Financial reasons? Health and safety reasons? Aesthetic reasons? Or just
because Nigel Horne says so, and whatever he says is so obviously patently
right and true that all right-thinking people will just accept your word for
it unquestioningly?
cheers,
DaveK
--
Can't think of a witty .sigline today....
------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
End of Full-Disclosure Digest, Vol 12, Issue 39
***********************************************