On 1/15/10 6:40 PM, Thor (Hammer of God) wrote:
> I could only imagine. The other problem is that many people seem to think I'm saying something against the Chinese *people* themselves, based on the "f* you round-eye" messages I've received (and they call ME racist). They don't seem to get the clear distinction (to me) between the Chinese people and China's network. It's the machines I'm concerned with, the attacks coming from those machines. Just because the machine is sourced in China doesn't mean the attacker is - so I have to do the best I can to defend against the machines. However, that unfortunately comes across to those who choose not to think it through as me saying something against the Chinese themselves.
>
> Then again, as you well know, people will take any opportunity they can just to be ugly and confrontational, and to have something to rail about. In the face of the reality of China's horribly infected network, when I suggest blocking that traffic (as many others have and do), they seize the opportunity to call me prejudiced and a racist.
The Chinese network is indeed very infected, which in turn causes the
rest of the world great computerized harm. Nobody disputes this.
The solution of blocking China, however, is one which harms both people
outside of China, as well as those inside of China. Therefore, it
You and I seem perfectly aligned on that, as I state in the article. I would hope that other people would read it first without jumping to the conclusion that I'm making sweeping blocking suggestions (not saying you are).
>
> Aside to that, I know some people in China who work very hard on
> security, and do a better job than we do at it. But that does not mean
> the situation as it stands now is acceptable.
Agreed, and noted above.
T
GS base not guaranteed to be kernel GS, because the interrupted
prologue code did not yet have a chance to execute the SWAPGS
instruction. In other words, the interrupt handler for the exception
could execute with user GS still active, and yet it will not use
SWAPGS to switch to kernel GS because the previous mode was kernel
mode, meaning the handler could then act upon user-controlled data as
though it were trusted kernel data.
The robustness of the SWAPGS model illustrated above is contingent
upon the kernel's ability to prevent exceptions from happening in
kernel-mode code where user GS may still be in effect. Although the
Bypass using CRLF+Encodings:
---------------------------------------------
Microsoft Windows Internet Explorer 8.0 Beta 2 was designed to stop "Type 1
XSS" attacks. CRLF Injection is also XSS type 1 and is not mitigated by the
filter, though the data in the query string will still be filtered.
This means that if an attacker tries to exploit a CRLF injection for XSS in the
casual manner used in this demo:
http://www.linkstofiles.com/crlf.py?url=cookie1%3dvalue1;%0D%0A%0D%0A<html><body><script>alert('get it?')</script></body></html>
his attack will fail, as "<script>" will be filtered to "<sc#ipt>".
With vanilla sources the function realpath() returns false and the code
jumps to no_realpath using a goto statement: PHP will use the real path
(just the path variable without any change) instead of the resolved path.
This means that "/etc/passwd////////////" will be used and the testcase
will fail with:
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
Warning: include(/etc/passwd////////////): failed to open stream: Not a
I asked a few fairly regular Joes (our sales staff) what 0Day means to
them.. just the words, they have no point of reference and they all pretty
much agreed that they thought it meant
"less than a day old" or "less than 24 hours ago, X happened"
That is what I remember it being in the old NNTP file xfer days as well.
These are non-tech savvy folks.
If the attacker fixes authentication cookies on the administrator's
browser (see [1] for various ways to do that), she effectively "hands
over" her identity to the administrator. The administrator, having such
cookies fixed, logs in to the Administration Console and doesn't get any
new cookies from the Console. This means that his successful
authentication results in overwriting the state of the session identified
by the cookies such that this session becomes associated with the
administrator (and no longer with the attacker's non-administrative user).
The final result is that the administrator who has just logged in to the
Administration Console is using the exact same cookies as the attacker,
So, apparently my "witty" tag via Google Translate means something I didn't quite mean. Surprise, surprise. Luckily it wasn't something vulgar (that's what I get for trusting Google Translate and trying to be funny), but what I meant it to say was "If you can read this, don't bother replying because my servers won't get it." However, it seems to mean something like "don't reply because you are not welcome here" or similar. That wasn't my intention, as it seems to infer I actually have something against the Chinese people and not their networks, which I take issue with.
Sorry for the poorly translated reference.
t
> -----Original Message-----
> From: Thor
> Sent: Wednesday, January 13, 2010 12:29 PM
> To: bugtraq@securityfocus.com
> valuable debate, assume your definition is correct. First, please
> prove this bug was never used in the wild. After that, please prove
> your credibility in the realm of defining words related to illegal
> computer hacking. Thanks.
Tell me something -- what do *you* think "zero day" means that
differentiates it from "not zero day"? I keep seeing people use the term
"zero day" (or "0day" or however you want to spell it) without any regard
for how this is meant to differentiate it from some alternative to "zero
day", and I have to wonder what these people think the term means. Do
you just regard it as a way to make discovery of a vulnerability as more
OS to guarantee certain behaviours. The problem here is that there is
a mechanism which causes a guarantee to be violated.
> > Also, other signals which could be triggered by the predecessor (e.g.
> > SIGALRM triggered due to alarm() followed by exec()) can normally be
> > prevented by specific means (e.g. resetting any outstanding timers).
> > This bug means that such steps are insufficient.
> >
> > A consequence of this bug is that no signal can be trusted.
>
> Sure.
the multiplication will result in zero if the timestamp and process
identifier together contain 26 zero low-order bits.
Because the process identifier cannot be influenced directly, the
timestamp is the easier part to influence. The timestamp has its
26 lower bits all zero once every 2.1 years. This means every 2.1
years there is a second in which the random number generator will
be seeded with a seed of zero. An attack happening during this
second on a freshly seeded random number generator (very easy to
trigger on CGI installations) will therefore allow all generated
random numbers to be predicted.
Disclaimer
==========
The content of this report is purely informational and meant only for the
purpose of education and protection. ACROS d.o.o. shall in no event be
liable for any damage whatsoever, direct or implied, arising from use or
spread of this information. All identifiers (hostnames, IP addresses,
company names, individual names etc.) used in examples and demonstrations
are used only for explanatory purposes and have no connection with any
> -POP3 server and port: could be simply "pop.gmail.com" and the 995 port.
>
> When asking for the new email account to be added some different
> scenarios can happen:
> 1. The application returns the message "The server has denied the
> POP3 access to this username and password". This possibility happens
> when the username does not exist or the password is incorrect.
>
> 2. The application returns the message "Now you can recover the
> messages of this account". This other possibility happens when the
> authentication has succeeded. So, the attacker informed correctly the
Hey Dan,
Freaking THANK YOU first and foremost. I've been waiting for someone to say that for days now, and was just about to myself.
Just because everyone and their brother wants to show off that they can compile & run some software (herp a derp, good job) DOESN'T mean they should immediately post it here. I tested it against an OLDER KERNEL on purpose because I actually read the headers and the exploit worked as expected. I knew that this was responsibly disclosed, so it was already patched on any system that I updated. If you don't have the proper symbols, then the exploit doesn't have the proper offsets, and the exploit will fail. Plain and simple. *THEN* there's people who don't even bother to read that "Red Hat does not support Econet by default". DOES NOT. As in the exploit WON'T WORK!
It's pathetic that the original exploit dev has to waste his time saying the same thing 5 times.
</rant>
While the Chuck Norris botnet is interesting in that it shows that the
problem is real, it shouldn't surprise anyone who has researched the
security of broadband embedded devices.
It's also not the first time an incident of this nature has happened.
I'm sure a lot of the list readers remember the mass-phishing attack
launched November 2007 [1] against several popular 2Wire broadband
routers in Mexico. The attack was accomplished by means of changing
the router's DNS settings via a CSRF hole on the web interface.