Date: Sat, 28 Oct 2006 08:34:57 +0200
From: FistFuXXer <FistFuXXer@....de>
To: "[Full-Disclosure]" <full-disclosure@...ts.grok.org.uk>
Subject: Re: ZDI-06-035: Novell eDirectory NDS Server Host Header Buffer Overflow Vulnerability

Hello Matt Richard,

the vulnerability details were submitted by me on June 1, 2006
CST/CDT (June 2, 2006 GMT+1). So I found the vulnerability before
Michael Ligh and Ryan Smith did. But it seems that one of the
employees of ZDI made a mistake during the processing of my submission.

Anyway, it doesn't matter whether the IDS signature was released on,
before or after the patch day, because a professional IPS system like
TippingPoint IPS should detect or filter shellcode and return addresses
within the Host header without any special IDS signature. For example,
you can filter all illegal characters from the Host header and convert
everything to lowercase characters. Or better: convert the domain name
in the Host header to a random mixture of lowercase and uppercase
characters and redirect this to the destination server; this should f***
up every kind of ASCII shellcode and ASCII return address. ;-)

Maybe you should take a few minutes and think about the fact that we
humans aren't perfect and make mistakes, instead of wasting your time
trying to destroy the image of a company. The employees of such
companies have a lot of work to do with all the submissions they
receive, and I also know other security companies that sometimes broke
down because of this and made multiple mistakes during payment and
processing.

Sincerely yours,

Manuel Santamarina Suarez



Matt Richard wrote:
> On 10/27/06, zdi-disclosures@...m.com <zdi-disclosures@...m.com> wrote:
>> -- TippingPoint(TM) IPS Customer Protection:
>> TippingPoint IPS customers have been protected against this
>> vulnerability since October 26, 2006 by Digital Vaccine protection
>> filter ID 4519. For further product information on the TippingPoint IPS:
> <snip>
>> The specific flaw exists within the httpstk.dll library within the
>> dhost.exe web interface of the eDirectory Host Environment. The web
>> interface does not validate the length of the HTTP Host header prior to
>> using the value of that header in an HTTP redirect. This results in an
>> exploitable stack-based buffer overflow.
>
> This 0day was reported on 10/20/06 here
> http://www.mnin.org/advisories/2006_novell_httpstk.pdf.
>
> Seems that your initiative has fallen a bit behind.  Your customers
> had to wait for you to realize this had already been released and a
> signature was added to Bleeding Snort on 10/23.
>
> It's also a bit odd that Novell released the updates on 10/20/06, the
> same day as the MNIN advisory.
>
> Based on the time line it looks like the whole thing might have been
> ripped off.....
>
> Cheers,
>
> Matt
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>

Download attachment "timeline.jpg" of type "image/jpeg" (136368 bytes)

View attachment "exploit.pl" of type "text/plain" (4392 bytes)

Download attachment "advisory.pdf" of type "application/pdf" (19272 bytes)
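The Host header normalization Manuel proposes above (strip illegal characters, lowercase, bound the length, or randomize letter case before forwarding) as an added Python example that a proxy or IPS in front of the vulnerable service could apply; this is not code from the original message or from TippingPoint, and the hostname grammar, the 253-character DNS limit, the function names and the rejection of IPv6 bracket literals are my assumptions.

```python
import random
import re
from typing import Optional

# RFC 1123 hostname label: letters, digits and hyphens, no leading or
# trailing hyphen, at most 63 characters (a simplification: IPv6 bracket
# literals like [::1] are rejected on purpose).
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(
    r"^(?P<name>" + _LABEL + r"(?:\." + _LABEL + r")*\.?)"
    r"(?::(?P<port>[0-9]{1,5}))?$"
)

# DNS caps a full name at 253 characters; the advisory's bug is exactly a
# missing length check on this header, so the proxy enforces one itself.
MAX_HOSTNAME_LEN = 253


def normalize_host(value: str) -> Optional[str]:
    """Return a canonical lowercase host[:port], or None when the header is
    not a syntactically valid hostname (anything else never reaches the
    back end, so shellcode or return-address bytes cannot ride along)."""
    candidate = value.strip().lower()
    m = _HOST_RE.match(candidate)
    if m is None:
        return None
    name = m.group("name").rstrip(".")
    if len(name) > MAX_HOSTNAME_LEN:
        return None
    port = m.group("port")
    if port is not None and not 0 < int(port) <= 65535:
        return None
    return name if port is None else "%s:%d" % (name, int(port))


def scramble_case(host: str, seed: int) -> str:
    """DNS names are case-insensitive (RFC 4343), so flipping letter case
    at random changes nothing for a legitimate redirect but destroys any
    payload that depended on exact ASCII byte values. Seeded so the output
    is reproducible here; a real proxy would use os.urandom."""
    rng = random.Random(seed)
    return "".join(c.upper() if rng.random() < 0.5 else c for c in host)


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    for hdr in ("WWW.Example.COM:8028", "a." * 130 + "com", "x.com/%90%90"):
        print(repr(hdr[:40]), "->", normalize_host(hdr))
    print(scramble_case("example.com", 7))
```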
