lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4542FA11.4080709@gmx.de>
Date: Sat, 28 Oct 2006 08:34:57 +0200
From: FistFuXXer <FistFuXXer@....de>
To: "[Full-Disclosure]" <full-disclosure@...ts.grok.org.uk>
Subject: Re: ZDI-06-035: Novell eDirectory NDS Server Host
 Header Buffer Overflow Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Matt Richard,

the vulnerability details have been submitted by me on June 1, 2006
CST/CDT (June 2, 2006 GMT+1). So I've found the vulnerability before
Michael Ligh and Ryan Smith did it. But it seems that one of the
employees of ZDI did a mistake during the processing of my submission.

Anyway, it doesn't matter if the IDS signature got released on, before
or after the patch day, because a professional IPS system like
TippingPoint IPS should detect or filter shellcodes and return addresses
within the host header without any special IDS signature. For example,
you can filter all illegal characters from the host header and convert
everything to lowercase characters. Or better: convert the domain name
in the host header to a random mixture of lowercase and uppercase
characters and redirect this to the destination server, this should f***
up every kind of ASCII shellcode and ASCII return address. ;-)

Maybe should you better take some minutes time and think about the fact
that we humans aren't perfect and make mistakes, instead of wasting your
time with trying to destroy the image of a company. The employees of
such companies have to do a lot of work with all the submissions that
they receive and I also know other security companies that sometimes
broke down because of this and did multiple mistakes during payment and
processing.

Sincerely yours,

Manuel Santamarina Suarez



Matt Richard wrote:
> On 10/27/06, zdi-disclosures@...m.com <zdi-disclosures@...m.com> wrote:
>> -- TippingPoint(TM) IPS Customer Protection:
>> TippingPoint IPS customers have been protected against this
>> vulnerability since October 26, 2006 by Digital Vaccine protection
>> filter ID 4519. For further product information on the TippingPoint IPS:
> <snip>
>> The specific flaw exists within the httpstk.dll library within the
>> dhost.exe web interface of the eDirectory Host Environment. The web
>> interface does not validate the length of the HTTP Host header prior to
>> using the value of that header in an HTTP redirect. This results in an
>> exploitable stack-based buffer overflow.
>
> This 0day was reported on 10/20/06 here
> http://www.mnin.org/advisories/2006_novell_httpstk.pdf.
>
> Seems that your initiative has fallen a bit behind.  Your customers
> had to wait for you to realize this had already been released and a
> signature was added to Bleeding Snort on 10/23.
>
> It's also a bit odd that Novell released the updates on 10/20/06, the
> same day as the MNIN advisory.
>
> Based on the time line it looks like the whole thing might have been
> ripped off.....
>
> Cheers,
>
> Matt
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFFQvoRPF/cBnCBnL0RAljbAJ9dCjDyu/4Xi19XwovfDaKDe3Q/WgCglmTk
XH+dkrb672FvgZKua6aHxnI=
=+tQa
-----END PGP SIGNATURE-----

Download attachment "timeline.jpg" of type "image/jpeg" (136368 bytes)

View attachment "exploit.pl" of type "text/plain" (4392 bytes)

Download attachment "advisory.pdf" of type "application/pdf" (19272 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ