Message-Id: <20090324193951.BAF541A003A@smtp.hushmail.com>
Date: Tue, 24 Mar 2009 15:39:51 -0400
From: mac.user@....hush.com
To: full-disclosure@...ts.grok.org.uk, rjcamarero@...il.com
Subject: Re: nVidia.com [Url Redirection flaw]

Are you even aware that you've been arguing with me?  Perhaps we
should move this discussion off-list, so we don't annoy the rest of
the bugtrackers...

On Tue, 24 Mar 2009 15:34:32 -0400 Rubén Camarero
<rjcamarero@...il.com> wrote:
>I am only stating that the bug posted here isn't serious. I agree
>with you
>on the other issues, more or less anyways.
>
>On Tue, Mar 24, 2009 at 3:30 PM, <mac.user@....hush.com> wrote:
>
>> nvidia has a poor track record with security.  I'm citing two
>> examples.  One is on their website, and one is in their drivers.
>> Can you cite anything they have done right?  Your effective
>> arguing strategies make you a top nominee for Gadi Evron's
>> no-swearing event at defcon.
>>
>> On Tue, 24 Mar 2009 15:27:09 -0400 Rubén Camarero
>> <rjcamarero@...il.com> wrote:
>> >That example has nothing to do with this particular bug. Using
>> >multiple exclamation or question marks does not help your
>> >ineffective argument, either.
>> >
>> >On Tue, Mar 24, 2009 at 3:15 PM, <mac.user@....hush.com> wrote:
>> >
>> >> With all due respect, my corned beef and sauerkraut smelling
>> >> friend, I am simply pointing out that when it comes to security
>> >> nvidia is clueless.  Do you not remember the great debacle of
>> >> 2006 when Rapid7 showed off remote kernel exploitation of the
>> >> nvidia driver by web browser?  http://kerneltrap.org/node/7228
>> >> should refresh your memory.  40 million lost credit cards but at
>> >> least they put nvidia in their rightful place and have their
>> >> priorities in order.  And speaking of security concerns and
>> >> nvidia, why do you think Microsoft didn't use nvidia in their
>> >> trusted gaming platform xbox360????  Everyone in our industry
>> >> knows that nvidia is shit for security, even their javascript
>> >> sucks!!!
>> >>
>> >>
>> >> On Tue, 24 Mar 2009 14:45:46 -0400 Rubén Camarero
>> >> <rjcamarero@...il.com> wrote:
>> >> >If ATI and nVidia were web content developers, this may be a
>> >> >valid argument, but they are not. They are graphics vendors,
>> >> >hardware and software. Not to mention the fact that this isn't
>> >> >a "serious" issue. RFI is a serious issue, IMHO.
>> >> >
>> >> >On Tue, Mar 24, 2009 at 1:37 PM, <mac.user@....hush.com> wrote:
>> >> >
>> >> >> I have been saying for years that ATI is better than nvidia
>> >> >> and here is just one more reason!  You don't see serious
>> >> >> issues like this with ATI's website.
>> >> >>
>> >> >> On Tue, 24 Mar 2009 10:13:21 -0400 Lorenzo Vogelsang
>> >> >> <vogelsang.lorenzo@...il.com> wrote:
>> >> >> >Hi all, I'm new to the list. I'm an Italian student who likes
>> >> >> >security topics in the I.C.T world..
>> >> >> >
>> >> >> >Browsing the nVidia web sites, I have found a very basic Url
>> >> >> >redirection flaw. In fact when downloading a driver I get Urls
>> >> >> >like this:
>> >> >> >
>> >> >> >http://www.nvidia.com/content/DriverDownload/download_confirmation.asp?kw=&url=http://us.download.nvidia.com/Windows/179.48/179.48_notebook_winxp_64bit_beta.exe
>> >> >> >
>> >> >> >and connecting to this another Url
>> >> >> >
>> >> >> >http://www.nvidia.com/content/DriverDownload/download_confirmation.asp?kw=&url=http://www.google.it
>> >> >> >
>> >> >> >will redirect successfully to www.google.it! (or other web site
>> >> >> >of your choice, or downloadable content..)
>> >> >> >
>> >> >> >
>> >> >> >Enjoy!
>> >> >> >
>> >> >> >Lorenzo Vogelsang.
>> >> >
>> >> >--
>> >> >Rubén Camarero
>> >> >CCNA, CISSP
>> >
>> >--
>> >Rubén Camarero
>> >CCNA, CISSP
>
>--
>Rubén Camarero
>CCNA, CISSP

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
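The flaw reported in the quoted thread is that download_confirmation.asp redirects to whatever its `url` parameter names. Below is an added example (not nVidia's code) of the allowlist check such a redirector needs, exercised on the two confirmation URLs from the report; the allowed host names are an assumption for illustration.

```python
"""Allowlist check for a download-confirmation redirector.

Added example, not code from nVidia's site: the confirmation page in the
report hands the browser off to the `url` query parameter unchecked.  The
functions below accept only absolute http(s) targets whose host is on an
explicit allowlist; ALLOWED_HOSTS is assumed for illustration.
"""
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist: the hosts the confirmation page is meant to hand off to.
ALLOWED_HOSTS = {"us.download.nvidia.com", "download.nvidia.com"}


def is_allowed_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for absolute http(s) URLs whose host is allowlisted.

    Exact host match, not a substring or suffix match, so a lookalike host
    does not pass.  Also rejects protocol-relative targets (//host/...),
    userinfo in front of the real host (http://allowed@other/), backslash
    confusion, and non-http schemes.
    """
    if "\\" in target:
        return False
    try:
        parts = urlsplit(target.strip())
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def redirect_target(confirmation_url: str):
    """Extract the `url` parameter from a confirmation link and vet it.

    Returns the target when it passes the allowlist, otherwise None; the
    caller should then show a fixed landing page instead of redirecting.
    parse_qs already percent-decodes the value, so it is not decoded again
    (double decoding is a classic way such filters get bypassed).
    """
    query = urlsplit(confirmation_url).query
    values = parse_qs(query, keep_blank_values=True).get("url", [])
    if len(values) != 1:          # missing or repeated parameter: refuse
        return None
    return values[0] if is_allowed_redirect(values[0]) else None
```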
