
RE: [Full-disclosure] Firewire Attack on Windows Vista

>>...Windows would not do this. It would only open up access to devices
that it thought needed DMA. This is why Metlstorm had to make his Linux
machine behave like an iPod to fool Windows into spreading its legs.

So the iPod software opens up the whole address space? I don't get it.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/

Re: [Full-disclosure] Firewire Attack on Windows Vista

> >>...Windows would not do this. It would only open up access to devices
> that it thought needed DMA. This is why Metlstorm had to make his Linux
> machine behave like an iPod to fool Windows into spreading its legs.
> 
> So the iPod software opens up the whole address space? I don't get it.

No, the iPod device signature makes Windows drivers think it should
allow DMA access for that device because it detects it as a disk device.
Other disk device signatures would likely work the same way, that's just
the one he happened to emulate.

B-Sides Vienna | NinjaCon 11 Call For Participation

things! Not only will you again have the chance to participate in
workshops and the mainly security and network-focused talks, but also
get your hands on some hardware hacking, and join in to various activities.


NinjaCon 11 goes B-Sides Vienna? I don't get it. What's the big deal?
_____________________________________________________________________

As part of the organizing team is leaving Vienna for good this summer,
NinjaCon will no longer be taking place in Austria, but instead
Germany's capital after this year. However, to ensure the Viennese

Re: Sun M-class hardware denial of service

> features of Solaris.  Too bad if OpenBSD cannot do the same - I am not
> really sure about the benefits of OpenBSD on that scale of hardware
> anyway considering the lack of kernel threading and the parlous state
> of userland threading.

        I don't think you get it. OpenBSD doesn't care a whit about
this. They stumbled upon it as the result of bringing up OpenBSD on
such a machine. No - currently I wouldn't run OpenBSD on an M-class
box either, other than for development purposes. But that's not really
the point, is it? Nobody except you is saying this problem has anything
to do with running OpenBSD on a machine.

RE: All China, All The Time

> >> didn't quite mean.  Surprise, surprise.  Luckily it wasn't something
> >> vulgar, (that's what I get for trusting Google Translate and trying to
> >> be funny) but what I meant it to say was "If you can read this, don't
> >> bother replying because my servers won't get it."  However, it seems to
> >> mean something like "don't reply because you are not welcome here" or
> >> similar.  That wasn't my intention, as it seems to infer I actually
> >> have something against the Chinese people and not their networks,

HTC / Android OBEX FTP Service Directory Traversal Vulnerability

There exists a Directory Traversal vulnerability in the OBEX FTP Service in the Bluetooth Stack implemented in HTC devices running Android 2.1 and Android 2.2. The OBEX FTP Server is a 3rd party driver developed by HTC and installed on HTC devices running the Android operating system, so the vulnerability affects this vendor specifically.

A remote attacker (who has previously obtained authentication and authorization rights) can use tools like ObexFTP or gnomevfs-ls on Linux to traverse to parent directories out of the default Bluetooth shared folder by using ../ or ..\\ sequences.

The only requirement is that the attacker must have authentication and authorization privileges over Bluetooth. Pairing up with the remote device should be enough to get it. However, more sophisticated attacks, such as sniffing the Bluetooth pairing, link key cracking and MAC address spoofing, can be used in order to avoid this. Once the attacker has obtained the proper privileges, further actions will be transparent to the user.

Scope of the attack:
The Directory Traversal vulnerability allows a remote attacker to browse folders located anywhere in the file system and download any file contained in any folder.

1) List arbitrary directories

HTC / Windows Mobile OBEX FTP Service Directory Traversal

Description:
There exists a Directory Traversal vulnerability in the OBEX FTP Service in the Bluetooth Stack implemented in HTC devices running Windows Mobile 6 and Windows Mobile 6.1. The OBEX FTP server is located in \Windows\obexfile.dll. Microsoft states this is a 3rd party driver developed by HTC and installed on HTC devices running Windows Mobile, so the vulnerability affects only this vendor.

A remote attacker (who has previously obtained authentication and authorization rights) can use tools like ObexFTP or gnomevfs-ls from a Linux box to traverse to parent directories out of the default Bluetooth shared folder by using ../ or ..\\ sequences.

The only requirement is that the attacker must have authentication and authorization privileges over Bluetooth. Pairing up with the remote device should be enough to get it; however, more sophisticated attacks, such as sniffing the Bluetooth pairing, link key cracking and BD_ADDR address spoofing, can be used in order to avoid this. Devices must have Bluetooth enabled and the File Sharing over Bluetooth service active when the attack is performed. Once the attacker has obtained the proper privileges, further actions will be transparent to the user.

The Directory Traversal vulnerability allows the attacker to traverse to parent directories out of the default Bluetooth shared folder by using ../ or ..\\ sequences. This security flaw lets the attacker browse folders located anywhere in the file system, download files contained in any folder, and upload files to any folder.

A remote attacker who has previously obtained authentication and authorization rights over Bluetooth can perform three risky actions on the device:


Re: All China, All The Time

>> On 1/14/10 8:09 AM, Thor (Hammer of God) wrote:
>>> So, apparently my "witty" tag via Google Translate means something I
>> didn't quite mean.  Surprise, surprise.  Luckily it wasn't something
>> vulgar, (that's what I get for trusting Google Translate and trying to
>> be funny) but what I meant it to say was "If you can read this, don't
>> bother replying because my servers won't get it."  However, it seems to
>> mean something like "don't reply because you are not welcome here" or
>> similar.  That wasn't my intention, as it seems to infer I actually
>> have something against the Chinese people and not their networks, which
>> I take issue with.
>>>

RE: All China, All The Time

So, apparently my "witty" tag via Google Translate means something I didn't quite mean.  Surprise, surprise.  Luckily it wasn't something vulgar, (that's what I get for trusting Google Translate and trying to be funny) but what I meant it to say was "If you can read this, don't bother replying because my servers won't get it."  However, it seems to mean something like "don't reply because you are not welcome here" or similar.  That wasn't my intention, as it seems to infer I actually have something against the Chinese people and not their networks, which I take issue with.

Sorry for the poorly translated reference.

t

> -----Original Message-----
> From: Thor
> Sent: Wednesday, January 13, 2010 12:29 PM
> To: bugtraq@securityfocus.com

Adobe Acrobat Professional Javascript For PDF Security Feature Bypass and Memory Corruption Vulnerabilities

                // Open a new report will corrupt the memory
                var rep = new Report();

                app.alert("If the application has not been crashed, try to close the application and then you will get it.");
        }

        app.checkForUpdate
        ({
                cType:"AAAA",

Re: Sun M-class hardware denial of service

> Yes, we all agree that is bad but this is an OpenBSD specific problem
> and, whilst interesting, the reality is that there are not going to be
> many people that are lunatic enough to run an untrusted third party
> operating system on a machine of this class.

Oh I get it.  You can use a "trust relationship with your
administrators" to get around the fact that Sun sold a piece of
hardware which does not provide the isolation they promised in their
white papers and documentation.

I guess it is some modern creed.  Ask for little, and accept it when

Checkpoint SecuRemote/Secure Client NGX Auto Local Logon Vulnerability

Credit:
MN Vasquez

Greetings:
<3 4 God, nothing else matters.   Props to #13 Kurt Warner, Ron
Wolfley & Johnny Long, who "get it".  Miss u dad.
BOC 4 lyfe!, 'sup to Debuc, Mekt, and jhs87. Thanks to the fam, & mom
for everything.
Danielle - I love you!
Ang - I am so proud of you!


Re: All China, All The Time

>>>> So, apparently my "witty" tag via Google Translate means something I
>>>
>>> didn't quite mean.  Surprise, surprise.  Luckily it wasn't something
>>> vulgar, (that's what I get for trusting Google Translate and trying to
>>> be funny) but what I meant it to say was "If you can read this, don't
>>> bother replying because my servers won't get it."  However, it seems to
>>> mean something like "don't reply because you are not welcome here" or
>>> similar.  That wasn't my intention, as it seems to infer I actually
>>> have something against the Chinese people and not their networks, which
>>> I take issue with.
>>>>

Microsoft Bluetooth Stack OBEX Directory Traversal

The OBEX FTP Bluetooth service can be used to share files through Bluetooth, not only by sending files but also by allowing remote devices to browse local shared folders and download files. Usually, the service is configured so that a specific directory is shared and the user can place there all the files he would like to share with other people. The default directory is My Device\My Documents\Bluetooth Share. The user may select a different directory; however, the Bluetooth wizard usually doesn't allow specifying any directory outside the My Device\My Documents\ or Memory Card\My Documents\ paths. This is for safety reasons, so the user can't expose sensitive files or information through Bluetooth.

There exists a Directory Traversal vulnerability in the OBEX FTP Service in the Microsoft Bluetooth Stack implemented in Windows Mobile 5.0 & 6 devices. A remote attacker (who has previously obtained authentication and authorization rights) can use tools like ObexFTP to traverse to parent directories out of the default Bluetooth shared folder. This means the attacker can browse folders located on a lower level, download files contained in those folders as well as upload files to those folders.

The only requirement is that the attacker must have authentication and authorization privileges over the OBEX FTP service. Pairing up with the remote Windows Mobile device should be enough to get it. In case the attacker succeeded in getting the proper privileges, further actions will be transparent to the user.

As described above, the attacker can take three risky actions:

- Browse directories located out of the limits of the default shared folder and discover sensitive information about the structure of the filesystem.




Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
