Thierry Zoller
static and dynamic analysis. These folks live in a fantasy world where
function calls do not fail and bad guys do not exist.
Jeff
On Fri, Sep 11, 2009 at 1:06 PM, Thierry Zoller <Thierry@zoller.lu> wrote:
> Hi ,
>
> With all due respect - this is known to be a vulnerability class since
> over a century. Just because it doesn't have an acronym à la XSS
> doesn't mean it's not known to be a vulnerability. Can we please stop
CA Advisory Date: 2009-01-26
Reported By:
Thierry Zoller and Sergio Alvarez of n.runs AG
Impact: A remote attacker can evade detection.
words, I agree with Geo that each of the applications should inspect the URI
before processing it. The OS components that are involved should too, but
the 3rd party apps should never assume that IE or whatever has done so.
--------------------------------------------------
From: "Thierry Zoller" <Thierry@Zoller.lu>
Sent: Saturday, October 06, 2007 1:06 PM
To: <bugtraq@securityfocus.com>; <full-disclosure@lists.grok.org.uk>
Subject: Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
these work inside OE, default with html turned off
they do not work when clicked from a normal
local html.
----- Original Message -----
From: "Thierry Zoller" <Thierry@Zoller.lu>
To: <bugtraq@securityfocus.com>; <full-disclosure@lists.grok.org.uk>
Sent: Saturday, October 06, 2007 8:06 AM
Subject: Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
JP> Using FF2.0.0.20 and the file does not result in loss of use. All
JP> tabs are functional. All JAVA links continue to function. Same
JP> result for naming the POC file to .HTML, .HTM.
>>>> Thierry Zoller <Thierry@Zoller.lu> 05/26/2009 13:13 >>>
JP> For those that failed to reproduce, try naming the POC file with an XHTML
JP> extension.
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
From: "Thierry Zoller"
To: "MustLive"
Cc: <bugtraq@securityfocus.com>
Sent: Wednesday, November 26, 2008 9:35 PM
Subject: Re: XSS in Internet Explorer 6 and 7
> these work inside OE, default with html turned off
> they do not work when clicked from a normal
> local html.
>
> ----- Original Message -----
> From: "Thierry Zoller" <Thierry@Zoller.lu>
> To: <bugtraq@securityfocus.com>; <full-disclosure@lists.grok.org.uk>
> Sent: Saturday, October 06, 2007 8:06 AM
> Subject: Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
>
Partial disclosure rocks...
-KF
On Sep 21, 2007, at 3:53 PM, Thierry Zoller wrote:
> Dear All,
>
> pa> http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
> Is this the way responsible disclosure works these days ?
CA Advisory Date: 2009-01-26
CA Advisory Updated: May 12, 2009
Reported By:
Thierry Zoller and Sergio Alvarez of n.runs AG
Impact: A remote attacker can evade detection.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=218878
Acknowledgement
CVE-2009-3587 - Thierry Zoller - G-SEC - www.g-sec.lu
CVE-2009-3588 - Thierry Zoller - G-SEC - www.g-sec.lu
Change History
101555
*****************************************************************
-----Original Message-----
From: Thierry Zoller [mailto:Thierry@Zoller.lu]
Sent: Saturday, October 06, 2007 12:13 PM
To: Juergen Schmidt; bugtraq@securityfocus.com;
full-disclosure@lists.grok.org.uk
Subject: Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader,
Netscape, Miranda, Skype
Local Exploitable: No
CVE-ID: CVE-2009-3031
Patch Status: Vendor released a patch
Discovered by: Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller: For the permission to use his
Policy
Background:
Thanks for your insight!
--
http://blog.zoller.lu
Thierry Zoller
Personal Email Manager v7.1 Hotfix 4
Remote Exploitable: Yes
Local Exploitable: Yes
Patch Status: Patched with Hotfix 4
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller: for the permission to use his
Policy
Background:
All other versions of SNX, EPS and EPC are vulnerable.
Credits
--------
Check Point thanks Thierry Zoller and Nagib Guettiche of Verizon Business (www.verizonbusiness.com) for bringing this issue to our attention in a forthright and professional manner.
Remote Exploitable: No
Local Exploitable: Yes
Patch Status: Vendor released a patch (See Solution)
Discovered by: Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller: For the permission to use his
Policy
Background:
________________________________________________________________________________
Credit
^^^^^^
Vulnerability discovered by Frank Dick and Thierry Zoller of n.runs AG.
About n.runs
^^^^^^^^^^^^
n.runs AG is a vendor-independent consulting company specialising in the
areas of: IT Infrastructure, IT Security and IT Business Consulting. In
--
http://blog.zoller.lu
Thierry Zoller
Thierry Zoller <Thierry@Zoller.lu> writes:
>PG> No, this is an entirely new level of attack,
>"New level of attack", what makes you believe that?
Because previously you had to spam users and convince them to go to some
random web site and download who knows what (or follow a link in the spam, or
whatever). The Vista sidebar changes this to clicking on a "Get more gadgets
online" link on the desktop to go to a microsoft.com site (which then goes to
a live.com site, but it's still Microsoft). The sole requirements for
----- Original Message -----
From: "Thierry Zoller" <Thierry@Zoller.lu>
> What you call for is in essence - mitigation, yes it's fine to mitigate
> a "vulnerability". But shouldn't we be concentrating on finding and
> fixing the root cause instead of trying to mitigate the problem in
> (hundreds) of third-party applications ?
If the application is what exposes the URI handling routine to untrusted
code from the internet, then it's the application's job to make sure that
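Both of the threads above (the reply agreeing with Geo that "each of the applications should inspect the URI before processing it", and the reply here that it is the application's job when it exposes the URI handler to untrusted input) argue for the same check. The following is an added example, not code from either thread or from any of the products named: an application-side gate that inspects a URI received from untrusted content before handing it to the OS or a registered protocol handler, rejecting rather than sanitising. The scheme allowlist, the length limit and the rule about which percent-escapes are refused are this example's own assumptions.

```python
"""Validate an untrusted URI before passing it to an external protocol handler.

Added example; not from the thread above. Policy choices (allowed schemes,
length cap, refused escapes) are assumptions made for illustration.
"""
import re
from typing import Tuple

# Schemes this hypothetical application is willing to hand to a handler.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# RFC 3986 allows unreserved and reserved characters plus pct-encoded octets.
# Anything else (spaces, double quotes, control characters, non-ASCII, a bare
# '%' not followed by two hex digits) is rejected before any parsing happens.
_URI_CHARS = re.compile(
    r"^(?:[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=]|%[0-9A-Fa-f]{2})*$"
)
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")
_MAX_LEN = 2048  # assumption: generous cap, still stops pathological input


def check_uri(uri: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Accept only what the allowlist covers."""
    if len(uri) > _MAX_LEN:
        return False, "too long"
    if not _URI_CHARS.fullmatch(uri):
        return False, "character outside the RFC 3986 set or malformed %-escape"

    # Scheme is everything before the first ':'; RFC 3986 requires it to start
    # with a letter. Compare case-insensitively.
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.\-]*):", uri)
    if not m:
        return False, "no scheme"
    scheme = m.group(1).lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: " + scheme
    rest = uri[m.end():]

    # Percent-escapes that decode to a quote, a backslash or a control
    # character could change how a downstream handler tokenises the string
    # (assumption: the handler may build a command line from it), so refuse
    # them even though the literal check above already passed.
    for esc in _PCT.finditer(rest):
        ch = chr(int(esc.group(1), 16))
        if ch in '"\\' or ord(ch) < 0x20 or ord(ch) == 0x7F:
            return False, "percent-encoded %r not allowed" % ch

    if scheme == "mailto" and rest.startswith("//"):
        return False, "mailto must not carry an authority part"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs for a quick look; not from the thread.
    for sample in (
        "https://example.com/path?q=1",
        "mailto:alice@example.com?subject=Hello%20there",
        'mailto:alice"@example.com',
        "mailto:%22alice@example.com",
        "file:///etc/passwd",
        "mailto:a%0Ab@example.com",
    ):
        print(check_uri(sample), sample)
```

The literal character check runs before anything is decoded, so an input that fails it is refused without the parser ever seeing it; the decoded-escape pass then catches the cases that are syntactically valid URIs but carry characters the literal check would have refused. A handler that is given the string verbatim (the situation the thread complains about) never sees either class.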
Remote Exploitable: Yes
Local Exploitable: No
Patch Status: unknown (No response from vendor)
Discovered by: Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller: For the permission to use his
Policy
Background:
An article with a little more info is available on Zdnet.
http://blogs.zdnet.com/security/?p=530
Thierry Zoller wrote:
> Dear All,
>
> pa> http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
> Is this the way responsible disclosure works these days ?
> "Adobe's representatives can contact me from the usual place."
>
RS> 5900/tcp open vnc?
RS> Service Info: Devices: terminal server, remote management
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
On Tue, 21 Jul 2009, Thierry Zoller wrote:
> Yeah, security is too complex. Dude, the fix was to LIMIT the
> number of elements. This is not rocket science.
I believe Michal and I are having the conversation in a larger context.
What you found is valid on its own merit and got addressed, which is
great. But now think of the whole ECMAScript API and there are probably
dozens or hundreds of such functions that would expose similar issues.
- Added a simple s_client testcase
- Analysis of FTPS (vendors are encouraged to assess)
- HTTPS : Injecting arbitrary _responses_ into the stream
- HTTPS : Downgrading HTTPS to HTTP and performing an active mitm
(Discovered by Frank Heidt but details withheld,
rediscovered by Thierry Zoller for this paper)
With this new information G-SEC encourages Vendors and customers
to reevaluate the impact of this vulnerability on their products.
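The change list above mentions a simple s_client testcase; the first thing a practitioner wants from such a test is a reliable verdict on whether a given server has the renegotiation fix. The following is an added example, not code from the paper: it classifies an `openssl s_client` transcript by the "Secure Renegotiation IS supported" / "Secure Renegotiation IS NOT supported" line that OpenSSL 0.9.8m and later print after the handshake. An older s_client prints neither line, so its absence must be reported as unknown rather than taken as good news. The sample transcripts are constructed and trimmed to the lines that matter.

```python
"""Classify an `openssl s_client` transcript by its Secure Renegotiation line.

Added example; not from the G-SEC paper. Intended use:
    openssl s_client -connect host:443 </dev/null 2>/dev/null | python3 this.py
"""
import sys

SECURE = "secure"
INSECURE = "insecure"
UNKNOWN = "unknown"  # transcript came from an s_client too old to say


def renego_status(transcript: str) -> str:
    """Return SECURE, INSECURE or UNKNOWN for one s_client transcript."""
    # The negative line is checked first so that a future edit to the
    # positive pattern cannot accidentally match the negative line.
    if "Secure Renegotiation IS NOT supported" in transcript:
        return INSECURE
    if "Secure Renegotiation IS supported" in transcript:
        return SECURE
    return UNKNOWN


# Constructed sample transcripts (certificate chain and cipher details omitted).
SAMPLE_PATCHED = """CONNECTED(00000003)
---
SSL handshake has read 1234 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
---
"""
SAMPLE_UNPATCHED = """CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
---
"""
SAMPLE_OLD_CLIENT = """CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
---
"""


def classify_many(transcripts):
    """Map a {name: transcript} dict to {name: verdict}; handy for a host list."""
    return {name: renego_status(text) for name, text in transcripts.items()}


if __name__ == "__main__":
    if sys.stdin.isatty():
        for name, verdict in classify_many({
            "patched": SAMPLE_PATCHED,
            "unpatched": SAMPLE_UNPATCHED,
            "old-client": SAMPLE_OLD_CLIENT,
        }).items():
            print(name, verdict)
    else:
        print(renego_status(sys.stdin.read()))
```

Run it against a live host only with an s_client new enough to print the status line; if every host in a sweep comes back as unknown, the client, not the servers, is the thing to upgrade.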
Brief explanations :
Release mode: Coordinated but limited disclosure.
Ref : [TZO-28-2009] - Avira Antivir generic RAR,CAB,ZIP
WWW : t.b.a
Vendor : http://www.avira.com
Status : Patched (Engine-Version: AV7 7.9.0.180 / AV8/9 8.2.0.180)
(Re)Discovered : 2005 by froggz, 2007 by Thierry Zoller, 2009 by Roger Mickael
(please give appropriate credit - only when notified and pressured
under disclosure terms vendors fix these, even if they are known
since years. PS this is not exclusive to AVIRA)
CVE : none provided
Credit : t.b.a
http://blog.metasploit.com/2010/02/exploiting-samba-symlink-traversal.html
--
http://blog.zoller.lu
Thierry Zoller