Message-Id: <20090324195054.B23661A003A@smtp.hushmail.com>
Date: Tue, 24 Mar 2009 15:50:54 -0400
From: mac.user@....hush.com
To: full-disclosure@...ts.grok.org.uk, rjcamarero@...il.com
Subject: Re: nVidia.com [Url Redirection flaw]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

dude... off list...  "fuera de la lista" ?  Can anyone help us
overcome this language barrier?

On Tue, 24 Mar 2009 15:46:02 -0400 Rubén Camarero
<rjcamarero@...il.com> wrote:
>Perhaps.
>
>On Tue, Mar 24, 2009 at 3:39 PM, <mac.user@....hush.com> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Are you even aware that you've been arguing with me?  Perhaps we should
>> move this discussion off-list, so we don't annoy the rest of the
>> bugtrackers...
>>
>> On Tue, 24 Mar 2009 15:34:32 -0400 Rubén Camarero
>> <rjcamarero@...il.com> wrote:
>> >I am only stating that the bug posted here isn't serious. I agree with
>> >you on the other issues, more or less anyways.
>> >
>> >On Tue, Mar 24, 2009 at 3:30 PM, <mac.user@....hush.com> wrote:
>> >
>> >> -----BEGIN PGP SIGNED MESSAGE-----
>> >> Hash: SHA1
>> >>
>> >> nvidia has a poor track record with security.  I'm citing two
>> >> examples.  One is on their website, and one is in their drivers.
>> >> Can you cite anything they have done right?  Your effective arguing
>> >> strategies make you a top nominee for Gadi Evron's no-swearing
>> >> event at defcon.
>> >>
>> >> On Tue, 24 Mar 2009 15:27:09 -0400 Rubén Camarero
>> >> <rjcamarero@...il.com> wrote:
>> >> >That example has nothing to do with this particular bug. Using
>> >> >multiple exclamation or question marks does not help your ineffective
>> >> >argument, either.
>> >> >
>> >> >On Tue, Mar 24, 2009 at 3:15 PM, <mac.user@....hush.com> wrote:
>> >> >
>> >> >> -----BEGIN PGP SIGNED MESSAGE-----
>> >> >> Hash: SHA1
>> >> >>
>> >> >> With all due respect, my corned beef and sauerkraut smelling
>> >> >> friend, I am simply pointing out that when it comes to security
>> >> >> nvidia is clueless.  Do you not remember the great debacle of 2006
>> >> >> when Rapid7 showed off remote kernel exploitation of the nvidia
>> >> >> driver by webbrowser?  http://kerneltrap.org/node/7228 should
>> >> >> refresh your memory.  40 million lost credit cards but at least
>> >> >> they put nvidia in their rightful place and have their priorities
>> >> >> in order.  And speaking of security concerns and nvidia, why do you
>> >> >> think Microsoft didn't use nvidia in their trusted gaming platform
>> >> >> xbox360????  Everyone in our industry knows that nvidia is shit for
>> >> >> security, even their javascript sucks!!!
>> >> >>
>> >> >>
>> >> >> On Tue, 24 Mar 2009 14:45:46 -0400 Rubén Camarero
>> >> >> <rjcamarero@...il.com> wrote:
>> >> >> >If ATI and nVidia were web content developers, this may be a valid
>> >> >> >argument, but they are not. They are graphics vendors, hardware and
>> >> >> >software. Not to mention the fact that this isn't a "serious" issue.
>> >> >> >RFI is a serious issue, IMHO.
>> >> >> >
>> >> >> >On Tue, Mar 24, 2009 at 1:37 PM, <mac.user@....hush.com> wrote:
>> >> >> >
>> >> >> >> -----BEGIN PGP SIGNED MESSAGE-----
>> >> >> >> Hash: SHA1
>> >> >> >>
>> >> >> >> I have been saying for years that ATI is better than nvidia and
>> >> >> >> here is just one more reason!  You don't see serious issues like
>> >> >> >> this with ATI's website.
>> >> >> >>
>> >> >> >> On Tue, 24 Mar 2009 10:13:21 -0400 Lorenzo Vogelsang
>> >> >> >> <vogelsang.lorenzo@...il.com> wrote:
>> >> >> >> >Hi all, I'm new to the list. I'm an Italian student who likes
>> >> >> >> >security topics in the I.C.T world..
>> >> >> >> >
>> >> >> >> >Browsing the nVidia web sites, I have found a very basic Url
>> >> >> >> >redirection flaw. In fact when downloading a driver I get Urls like
>> >> >> >> >this:
>> >> >> >> >
>> >> >> >> >http://www.nvidia.com/content/DriverDownload/download_confirmation.asp?kw=&url=http://us.download.nvidia.com/Windows/179.48/179.48_notebook_winxp_64bit_beta.exe
>> >> >> >> >
>> >> >> >> >and connecting to this another Url
>> >> >> >> >
>> >> >> >> >http://www.nvidia.com/content/DriverDownload/download_confirmation.asp?kw=&url=http://www.google.it
>> >> >> >> >
>> >> >> >> >will redirect successfully to www.google.it! (or other web site of
>> >> >> >> >your choice, or downloadable content..)
>> >> >> >> >
>> >> >> >> >Enjoy!
>> >> >> >> >
>> >> >> >> >Lorenzo Vogelsang.
>> >> >> >> -----BEGIN PGP SIGNATURE-----
>> >> >> >> Charset: UTF8
>> >> >> >> Version: Hush 3.0
>> >> >> >> Note: This signature can be verified at https://www.hushtools.com/verify
>> >> >> >>
>> >> >> >> wpwEAQMCAAYFAknJGmEACgkQfuF4tUz/X+KtEQP/fg36QI6yY9Hw6Q5eOsLUBGtPjg9/
>> >> >> >> kxEmlsVdQl23h92FU75bHiOHhDMo7nLMCbHH7HHZDMvEw05OCDBaOqTx54xyTHBayH4s
>> >> >> >> xf4joU8LSrTOFrklgT7tGXr+AMIfi4ypgIXzRv6Gx0vD3EAKIR3KWL4qFtg/OahHkl7q
>> >> >> >> jOiz888=
>> >> >> >> =2MOh
>> >> >> >> -----END PGP SIGNATURE-----
>> >> >> >>
>> >> >> >> _______________________________________________
>> >> >> >> Full-Disclosure - We believe in it.
>> >> >> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >> >> >> Hosted and sponsored by Secunia - http://secunia.com/
>> >> >> >>
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >--
>> >> >> >Rubén Camarero
>> >> >> >CCNA, CISSP
>> >> >> -----BEGIN PGP SIGNATURE-----
>> >> >> Charset: UTF8
>> >> >> Version: Hush 3.0
>> >> >> Note: This signature can be verified at https://www.hushtools.com/verify
>> >> >>
>> >> >> wpwEAQMCAAYFAknJMWoACgkQfuF4tUz/X+LbggP9GPddhDh3krXB3ieyORr5Yd2RdE6l
>> >> >> foRgQOUAaXbnpxc+d2XFByNe8wAYHF+dheNou5cb0XBF99NmW4wt2uoR57/7PmSp6zdM
>> >> >> 1bsBzocX6Kkpbl38bMf4ZG/OlEz7cqfNOGExPE5cicr2Y462fk/BAWfUWV6B82ieWz4Z
>> >> >> BbBeab8=
>> >> >> =ZiqN
>> >> >> -----END PGP SIGNATURE-----
>> >> >>
>> >> >
>> >> >
>> >> >--
>> >> >Rubén Camarero
>> >> >CCNA, CISSP
>> >> -----BEGIN PGP SIGNATURE-----
>> >> Charset: UTF8
>> >> Note: This signature can be verified at https://www.hushtools.com/verify
>> >> Version: Hush 3.0
>> >>
>> >> wpwEAQMCAAYFAknJNO4ACgkQfuF4tUz/X+JobQP/fKdv2DPbFGfAh8+N6GsdKO7ct1BP
>> >> 2h0sXd57nD6bKwOi8CiOZR3/fMjyl72R0xuS0Gtq8PhkX/mMo8GGaHw0h8DdHJ0DIAbj
>> >> kAY4Pc/oNXtRaO0UoCT0CJA04M9wIgdR0batMc9N0PHhI7Z041w7ycSohm9Q5u6UR9iB
>> >> R3X0sRc=
>> >> =ucxK
>> >> -----END PGP SIGNATURE-----
>> >>
>> >
>> >
>> >--
>> >Rubén Camarero
>> >CCNA, CISSP
>> -----BEGIN PGP SIGNATURE-----
>> Charset: UTF8
>> Version: Hush 3.0
>> Note: This signature can be verified at https://www.hushtools.com/verify
>>
>> wpwEAQMCAAYFAknJNwcACgkQfuF4tUz/X+IVsQP9HDa6vSSub9nXDYpiBgz1grUqoYbD
>> nVd0ee3CSbBzArov2PK6abL0aNgR4SfDj//dlq+AzUZJz02yCR61+ysv8U7uSUrRmdjD
>> rXjQl21C5vWMAe9FErKxEJFqit5bNhT6NBC0aHftxDnhOiK5VxmrvwiJd9s2VMXp0ob4
>> xSpn07c=
>> =4By0
>> -----END PGP SIGNATURE-----
>>
>
>
>--
>Rubén Camarero
>CCNA, CISSP
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQMCAAYFAknJOZ4ACgkQfuF4tUz/X+J8uQP/dRdtZikUJJS3hakKd+ADx8isnUxc
kJIC3uzG5yp8XFJFWkCR2DaM5tBrLhXhEiIzEzoXJ95M9Gok8+GVH2nvYex6j7bde/tx
zvzLqYbum0z96D+c0Ifv2Rk2VCTSGJ+XTlOkCSyO8aASec/XLCWxm9tkLa9wSYtj7VCf
KoShv74=
=0Wmx
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
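A defender-side illustration of the flaw reported in the thread, added here and not part of any message above nor of nVidia's own code. As described, download_confirmation.asp takes whatever the `url=` query parameter names and redirects the browser there, so the fix is to validate the target before answering with a redirect. The allow-list ALLOWED_HOSTS and the two function names are assumptions made for this example; the query strings used below are taken from the two URLs in the report.

```python
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed allow-list for this example: the hosts a download-confirmation
# page should legitimately hand the browser to. The real list is the site
# operator's decision; these placeholders are the hosts named in the report.
ALLOWED_HOSTS = frozenset({"www.nvidia.com", "us.download.nvidia.com"})


def redirect_target(query_string: str) -> Optional[str]:
    """The behaviour the report describes: take the `url=` parameter as-is.

    Returns the raw parameter value, or None if it is absent or empty.
    Whatever a visitor (or a link they were sent) puts in `url=` becomes
    the redirect, which is exactly the open-redirect problem.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("url")
    return values[0] if values and values[0] else None


def safe_redirect_target(query_string: str,
                         allowed_hosts=ALLOWED_HOSTS) -> Optional[str]:
    """Hardened form: return the target only if it is an absolute http(s)
    URL whose host is on the allow-list; otherwise None, in which case the
    caller should send the visitor to a fixed landing page instead.
    """
    target = redirect_target(query_string)
    if target is None:
        return None
    parsed = urlparse(target)
    # Absolute http(s) only. This also rejects protocol-relative "//host/..."
    # targets, for which urlparse reports an empty scheme.
    if parsed.scheme not in ("http", "https"):
        return None
    # "http://allowed.host@other.host/" puts the allowed name in the userinfo
    # part; hostname would already be other.host, but reject userinfo outright.
    if parsed.username is not None or parsed.password is not None:
        return None
    host = (parsed.hostname or "").rstrip(".").lower()
    if host not in allowed_hosts:
        return None
    return target


if __name__ == "__main__":
    # Query strings from the two URLs quoted in the report.
    legit = ("kw=&url=http://us.download.nvidia.com/Windows/179.48/"
             "179.48_notebook_winxp_64bit_beta.exe")
    offsite = "kw=&url=http://www.google.it"
    for qs in (legit, offsite):
        print("unchecked:", redirect_target(qs))
        print("validated:", safe_redirect_target(qs))
```

With the report's first URL the validated result is the nvidia download link unchanged; with the second it is None, so the page would fall back to its own landing page rather than forwarding to www.google.it. Matching on the parsed hostname against an allow-list, rather than on a string prefix of the raw parameter, is what keeps the check from being bypassed by userinfo, scheme or path tricks.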
