| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1308801760.5391.1.camel@kafir>
Date: Thu, 23 Jun 2011 00:02:40 -0400
From: Leon Kaiser <literalka@...il.com>
To: Laurelai Storm <laurelai@...echan.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Goatse Security EMERGENCY RELEASE - RAMPANT
VULNERABILITY SPREADING LIKE WILDFIRE
No shit.
========================================================
Leon Kaiser - Head of GNAA Public Relations -
literalka@...a.eu || literalka@...tse.fr
http://gnaa.eu || http://security.goatse.fr
7BEECD8D FCBED526 F7960173 459111CE F01F9923
"The mask of anonymity is not intensely constructive."
-- Andrew "weev" Auernheimer
========================================================
On Tue, 2011-06-21 at 21:31 -0500, Laurelai Storm wrote:
> this vulnerability is very old
>
>
> On Tue, Jun 21, 2011 at 4:12 PM, DiKKy Heartiez
> <dikkyheartiez@...mail.com> wrote:
>
> We've just stumbled upon a few dangerous exploits which can be
> used in conjunction to wreak havoc in online chatrooms, which
> could potentially be very dangerous.
>
>
> Home routers running VXWorks, such as the Netgear 614, 624,
> and Linksys WRT54G v5 routers, allow remote attackers to cause
> a denial of service by sending a malformed DCC SEND string to
> an IRC channel, which causes an IRC connection reset, possibly
> related to the masquerading code for NAT environments, and as
> demonstrated via (1) a DCC SEND with a single long argument,
> or (2) a DCC SEND with IP, port, and filesize arguments with a
> 0 value.
>
>
> Using such a string as
>
>
> \001DCC SEND "hello.jpg" 0 0 0
>
>
> would exploit this flaw.
>
>
> This exploit is exacerbated by a buffer overflow vulnerability
> in mIRC version 6.12 whereby using filename longer than
> fourteen characters will cause the client to crash. By
> combining these two flaws, we get
>
>
> \001DCC SEND "loljewsdidwtc.jpg" 0 0 0
>
>
> which will cause a Denial of Service condition in a minimum of
> four products.
>
>
> This would be bad enough, however users of Norton's Personal
> Firewall product are faced with even more risk. Symantec
> generally makes the BEST security products on the market and
> we are very surprised that this slipped through. Norton's
> Personal Firewall will drop a connection if it detects the
> string "startkeylogger" or "stopkeylogger" in incoming data.
> This is to prevent the spread of the new Spybot worm but also
> has unintended consequences. By using the string
>
>
> \001DCC SEND "startkeylogger" 0 0 0
>
>
> a Denial of Service condition is created on multiple hardware
> routers and multiple software products. Such exploits have
> been seen running rampant in channels such as #lulzsec,
> #anonops, #ix, #nanog, #2600, and #phonelosers. Please be
> wary of any chats from unknown parties, and keep your software
> up to date. We will update you more as this situation
> unfolds.
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists