Open Source and information security mailing list archives
 
Date: Sun Mar 12 22:39:59 2006
From: stan.bubrouski at gmail.com (Stan Bubrouski)
Subject: Advisory 2006-03-12 Gay Slut Overflow CRITICAL
	dismallest in Immunitysec Dave Aitel

Too bad they didn't resolve the problem more than a week ago when the
first spoofed messages were sent out (only 1 made it to FD I think).

Thanks for the update ad,

-sb

On 3/12/06, ad@...poverflow.com <ad@...poverflow.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> yep I have some little infos on this, the admin at c0replay showed me
> an .sql
>
> with a malicious script
>
> ********************************************************************************
> - -- Dumping data for table `advisorytype`
> - --
>
> INSERT INTO `advisorytype` VALUES (1, 'Directory Transversal', 'Remote
> exploitation of a directory traversal vulnerability in [product] could
> allow attackers to overwrite or view arbitrary files with
> user-supplied contents.');
> INSERT INTO `advisorytype` VALUES (2, 'DoS Vulnerability', 'Sending a
> specially crafted  malformed  packet to the services communication
> socket can create a loss of service.');
> INSERT INTO `advisorytype` VALUES (3, 'Integer Overflow', '[product]
> incorrectly parses integer data, and this can be used to execute
> arbitrary code.');
> INSERT INTO `advisorytype` VALUES (4, 'Heap Overflow', 'It is possible
> to make [product] crash or run arbitrary code by the use of malformed
> input.');
> INSERT INTO `advisorytype` VALUES (5, 'Buffer Overflow', 'It is
> possible to make [product] crash or run arbitrary code by the use of
> malformed input.');
> INSERT INTO `advisorytype` VALUES (6, 'Off-by-one', 'It is possible to
> make [product] crash by the use of malformed input.');
> INSERT INTO `advisorytype` VALUES (7, 'Local Privilege Escalation
> Vulnerability', '[product] incorrectly validates user input, making
> privilege escalation possible.');
>
> - -- --------------------------------------------------------
>
> - --
> - -- Table structure for table `fdmail`
> - --
>
> CREATE TABLE `fdmail` (
>  `id` int(10) NOT NULL auto_increment,
>  `Name` varchar(100) NOT NULL default '',
>  `Email` varchar(100) NOT NULL default '',
>  PRIMARY KEY  (`id`)
> ) TYPE=MyISAM AUTO_INCREMENT=2958 ;
>
> - --
> - -- Dumping data for table `fdmail`
> - --
>
> INSERT INTO `fdmail` VALUES (2078, 'Josh perrymon',
> 'perrymonj@...workarmor.com');
> INSERT INTO `fdmail` VALUES (2077, 'Valdis.Kletnieks@...edu',
> 'Valdis.Kletnieks@...edu');
> INSERT INTO `fdmail` VALUES (2075, 'Dave Korn',
> 'davek_throwaway@...mail.com');
> INSERT INTO `fdmail` VALUES (2076, 'str0ke', 'str0ke@...w0rm.com');
> INSERT INTO `fdmail` VALUES (2073, 'Morning Wood',
> 'se_cur_ity@...mail.com');
> INSERT INTO `fdmail` VALUES (2074, 'Bipin Gautam',
> 'gautam.bipin@...il.com');
>
> etc etc etc
> ***********************************************************************************
>
> I'm not sure but it looks like they have been hacked through the board
> with an sql injection, possible private bug I dunno but I know the
> maintainer of this website and they aren't responsible for this.
>
>
> Stan Bubrouski wrote:
> > Not to mention all the messages come through www.c0replay.net
> > assuming that part of the headers are accurate.  If you'll recall
> > the same domain was used to spoof a message from Steven Rakick on
> > March 4th. Seems some little kiddie in the UK (assumption warning!)
> > is going to be paying some fines.  I wouldn't exactly call it smart
> > to slander dozens of people... and moderation has never seemed more
> > necessary.
> >
> > -sb
> >
> > On 3/12/06, Nicob <nicob@...ob.net> wrote:
> >> On Sunday 12 March 2006 at 01:08 -0800, dismallest dismallest
> >> wrote:
> >>> APPENDIX B. - References
> >>> http://bantown.com/banforge/release.rar
> >> http://bantown.com/ : "Our website was recently hacked [...]"
> >>
> >> and
> >>
> >> http://64.233.179.104/search?q=cache:1F21krhKFHEJ:bantown.com/banforge/
> >>
> >>
> >> Index of /banforge
> >>
> >> Parent Directory          23-Feb-2006 22:51      -
> >> BPL.txt                   20-Aug-2005 15:08     4k
> >> LJiggaboo1.0.1rc2.tgz     21-Jan-2006 13:10   142k
> >> Ljflooder2.pl             07-Aug-2005 05:07     5k
> >> PhpBBreg-FIXEDLOL.py      08-Aug-2005 23:11     1k
> >> banbot.pl                 16-Aug-2005 11:36    15k
> >> fla.sh                    16-Aug-2005 11:22     2k
> >> flu.shot                  19-Aug-2005 11:04     3k
> >> gaffler3.tar.gz           09-Aug-2005 02:30   123k
> >> phpBBroke-0.1.tar.gz      09-Oct-2005 13:35   383k
> >> phpBBroke/                27-Sep-2005 16:47      -
> >> phpbb_captcha.c           24-Jan-2006 03:16    21k
> >> pw-lolercaust-0.2.tar.gz  10-Oct-2005 03:38     2k
> >> rsshithead.tgz
> >>
> >>
> >> Nicob
> >>
> >> _______________________________________________ Full-Disclosure -
> >> We believe in it. Charter:
> >> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
> >> sponsored by Secunia - http://secunia.com/
> >>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.1 (MingW32)
>
> iD8DBQFEFJxBFJS99fNfR+YRAj5EAJ9CSGssylC2ErrXD+VmVKxmLOOzMQCcDJwQ
> ESS9D2SCfNJ+phvLzenoCqQ=
> =eQ8x
> -----END PGP SIGNATURE-----
>
>
