period of time
talk has been accepted.
As we have a single presentation track, please bear in mind that
speaking slots are limited to one hour. While presenters typically
divide the hour into separate presentation and Q&A sessions, you may
structure your time however you see fit. If you think your
presentation will run longer, or have any special requirements, please
include this information in your submission and we will do our best to
accommodate you.
Note: If the presentation is based upon code or a particular
different browsers. And you do not need to worry about that - in those advisories
I'll use a little different approach to informing browser vendors. You will
like it ;-).
> Let's take one for example. Did you email secure@microsoft.com? I have
> before and 100% of the time they respond.
Yes, I did. I emailed Microsoft, like the other browser vendors. I knew their
emails, because I wrote to all of these four vendors many times during
2007-2010, and all of them answered many times (some more, some less). But as
I already wrote, in 99% of cases they ignored fixing DoS holes (even if they
VMware          Product   Running   Replace with/
Product         Version   on        Apply Patch
=============   ========  ========  =================
vCenter         4.0       Windows   not affected
VirtualCenter   2.5       Windows   Virtual Center 2.5 Update 6
VirtualCenter   2.0.2     Windows   not being fixed at this time *
hosted **       any       any       not affected
ESXi            any       ESXi      not affected
Ircu is the open source IRC server used on Undernet and other IRC networks.
I (Wouter Coekaerts) discovered multiple vulnerabilities in various versions
some time ago, which have all been fixed for some time (since 2.10.12.06)
but not yet made public. Now that servers have had enough time to upgrade,
I feel it's time to do so.
None of these bugs can be abused for arbitrary code execution. Two are about
crashing a server, one about exposing IP addresses, and the effect of the
others stays within IRC: they allow clients to get more privileges on the IRC
network than they are supposed to have.
Let's take one for example. Did you email secure@microsoft.com? I have
before and 100% of the time they respond.
Patches take time. They do not occur overnight. Furthermore, it may
take a day for the vendor to respond to you.
This isn't about past issues, this is about this issue. A single day did
not pass between when you emailed these vendors and when you posted
here. Have you considered giving these vendors time to respond? I do
not find that 99% of them don't, rather I find that they do. Should you
is possible via DCE/RPC over SMB. Even if user U has no administrator
privileges attacker A can still access, for example, file shares
accessible by user U and read/modify information.
Tests performed showed that challenges and responses obtained from a
system S can be reused multiple times against that same system and other
remote systems. We observed that challenges obtained from a system S
were also returned by other remote systems. This means that attacker A
only needs, in the best-case scenario, to force user U to connect to his
own specially crafted SMB server once. Of course, user U must have
access (his credentials must be valid) to the other systems attacked.
// Session id is taken straight from the client-supplied cookie
$sessid = COM_applyFilter ($_COOKIE[$_CONF['cookie_session']]);
if ($_SESS_VERBOSE) {
    COM_errorLog("got $sessid as the session id from lib-sessions.php",1);
}
// Resolve the session id to a user id (timeout and client IP checks configurable)
$userid = SESS_getUserIdFromSession($sessid, $_CONF['session_cookie_timeout'], $_SERVER['REMOTE_ADDR'], $_CONF['cookie_ip']);
if ($_SESS_VERBOSE) {
    COM_errorLog("Got $userid as User ID from the session ID",1);
}
July 2008.
02 Features
-----------
A. The tool can attack both unpatched DNS systems as well as patched DNS
systems. Attacking a patched system requires a much longer time than an
unpatched system, though.
B. The tool can launch two modes of attack: one is against a DNS server
that supports recursion, and the second mode is against DNS
*/
require(XOOPS_ROOT_PATH."/class/snoopy.class.php");
..
function getData($forcecache=false)
{
    if(_PHPSYNDICATION_CONNECTED && $forcecache != true && (!file_exists($this->cacheDir.$this->cacheFile) || (filemtime($this->cacheDir.$this->cacheFile) + $this->cacheTimeout - time()) < 0))
    {
        $snoopy = new Snoopy;
        /* [BREAK 2] Here snoopy->fetch(sourceUrl from [BREAK 1]) member function calling */
        $snoopy->fetch($this->sourceUrl);
max_execution_time is *CPU EXECUTION* time and not
*WALL-CLOCK* time -- reread the definition from the PHP man pages.
Since you are doing sleep() in the script, which is suspending the
process (script), no CPU time is accruing for that process (script),
therefore you do not hit the max_execution_time. This is completely
working as intended and is consistent with a Unix/Posix model. Now,
if you want a wall-clock alarm/termination, that is a completely
different issue and should be handled via a different mechanism, don't
confuse the two.
Cisco Security Advisory: Cisco IOS Software Network Time Protocol
Packet Vulnerability
Advisory ID: cisco-sa-20090923-ntp
Revision 1.0
consumption, which is working in many browsers, including their latest
versions. So browser developers, with their neglect of this problem, make
possible attacks on users' whole systems. It was one of the leitmotifs of my
advisory.
> can I respectfully ask that you give vendors time to respond before
> posting?
This informing of vendors was an exception. During 2007-2009 I informed many
browser developers about many vulnerabilities (DoS as well as others) and gave
them a lot of time for fixing in many of those cases. But they almost always
. process the received file, and store it in the server;
. create the script named 'stealcookies.vbs' considering the cookies
filenames gathered from the stolen file;
. redirect the victim's browser back to the 'framset.htm' page.
This time, when the victim's history 'index.dat' file is rendered again,
the script 'stealcookies.vbs' will be loaded. This script will read
every single cookie file the user has stored in the aforementioned
Internet Explorer cookies folder and will send the contents back to the
server using the same HTML '<form>' used before. On the server side the
one in charge of processing this data will be the Perl script named
[--Vulnerability Summary--]
Title: Windows NTP Time Server Syslog Monitor 1.0.000 Denial of Service Vulnerability
Product: Windows NTP Time Server Syslog Monitor 1.0.000
Discovered: November 29, 2008
Discovered by: Rob Kraus, princeofnigeria (PoN)
Vendor: TimeTools
Vendor URL: http://www.timetools.co.uk
Disclaimer:
This is not the first time this issue has been discussed. Andreas
Steinmetz posted about the problem for an Apache httpd release in 2003.
http://www.securityfocus.com/archive/1/339138
http://www.securityfocus.com/bid/8707
Philipp Krammer reported that he notified the vendor over five years
ago, in January 2003. http://www.securityfocus.com/archive/1/339163
What's new is
Once the device is reloaded the original configuration is inserted
without the access lists or mib views assigned to the community
names. Consult the workarounds section of this advisory.
This vulnerability was introduced as part of a new feature integrated
into the affected releases called PROFINET. At the time of the
publication of this advisory, PROFINET was only supported on Cisco
Industrial Ethernet 3000 Series switches.
This vulnerability is documented in the Cisco Bug ID CSCtf25589.
This vulnerability has been assigned Common Vulnerabilities and
17.03.2010 - found vulnerabilities.
30.03.2010 - disclosed at my site.
31.03.2010 - informed developers.
My specific question is did you contact the admin of this particular
site ahead of time with this information. Based on your timeline you
say you found it, you disclosed this issue on your site, then informed
developers. Then posting here 7 days afterwards seems a bit of a short
window to give an admin time to do anything.
I'm pretty sure I have the same issue on my site but given that we're
Yes; there are plenty of good folks, computers and networks in China and other countries, but the sad fact is these countries also represent the network-sources (even if, as has been stated; not the "true" source) of the majority of attacks. My own firewall logs validate this.
How you use the lists Tim provides is a matter of personal choice according to your capabilities and priorities. If your firewall is smart enough to ignore anyone trying to bash your network or play silly buggers in the upper layers, then you may feel that an IP-based block set is overkill. If, like so many your firewall operates primarily at L4 and below, this data may prove very valuable.
Frankly, I like that someone has taken the time to do the numbers and produce the data; even if I can't use it the way I'd prefer.
Jim
-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@hammerofgod.com]
The currently installed version of Tomcat depends on
your patch deployment history.
c. Third party library update for ntp.
The Network Time Protocol (NTP) is used to synchronize a computer's
time with a referenced time source.
ESXi 3.5 and ESXi 4.0 have an ntp client that is affected by the
following security issue. Note that the same security issue is
present in the ESX Service Console as described in section d. of
to upgrade to ESX 3.0.3 and preferably to the newest release
available.
3. Problem Description
a. VMware Descheduled Time Accounting driver vulnerability may cause a
denial of service in Windows based virtual machines.
The VMware Descheduled Time Accounting Service is an optional,
experimental service that provides improved guest operating system
accounting.
security awareness for the more often seen "IT guy complaining about
security and stupid users to anyone who will listen" are also part of
this threat. The security awareness threat will cause a loss of
productivity and cost of materials to businesses worldwide that will
most likely exceed the loss due to un-security-aware employee security
blunders. They'd be better off spending that time and money on user
controls, making security policies simpler so that they can be read by
normal people as a job contingent, enforcing accountability, and
formally certifying (pass a practical) employees who need to do secure
gate-keeping.
> Quick calculator session :
> 2^(-18) = 0.000003814697265625
> 2^(-14) = 0.00006103515625
>
> So there is a vanishingly small probability that a Bad Guy may
> discover less than 2 characters from my command-line, every time they
> try this attack. And each time they fail, my connection gets rudely
> chopped. Two characters won't help them much. They'd need to succeed
> about ten times per typed command-line to snoop on most of my
> sessions. This weakness is surely of no conceivable use to a Bad Guy
This vulnerability is not per se a vulnerability but an annoyance that
has been dealt with in many ways.
It is quite common to not let any process on a web server run longer
than a specified time. This is usually made possible by some trivial
shell scripting that checks the running time of certain processes.
This annoyance is also not limited to PHP. Any scripting language that
has the ability to execute something by means of system() can
create and call a script that uses memory and waits indefinitely.
implementation, or operation and management that could be exploited to
violate the system's security policy. ..."
[http://www.terena.org/activities/tf-csirt/iodef/docs/i-taxonomy_terms.html]
In this case a security policy has been designated with the
"max_execution_time" directive and that policy is being violated by
the blocking code. As you say, there are ways around this (kill
script, resource limiting, etc.), however there can be similar
mitigating circumstances in any situation where you have a
vulnerability (firewall, executable stack protection, etc.).
TOORCON 12 CALL FOR PAPERS
It's that time of year again! ToorCon 12 is coming so get your code finished and submit a talk this time around. We're letting you decide if you want to be a part of our 50-minute talks on Saturday, 20-minute talks on Sunday, and 75-minute talks for our Deep Knowledge Seminars on Friday depending on how much time you need to present your new ideas and techniques. We evaluate our submissions in the order that they're received so submit your talk before time runs out! Track and time preference is always given to those who submit talks that fit the theme of the conference. If you haven't already figured out what the theme for ToorCon is this year, read this paragraph another time.
CFP SUBMISSION INFORMATION
Please send data to cfp@toorcon.org :
00. Name
which belong to the group of DoS via protocol handlers), then there must be no
questions about the next advisories. Otherwise it'll be double standards (not
moaning about the 1st advisory and moaning about the 2nd and 3rd ones) and as I already
wrote to the lists, double standards are bad and it is better not to use them.
Second, I repeat one more time :-), that an attack can also be made
without using JS (as I mentioned in all my advisories). And yesterday I
posted my new advisory, where I published a pure-iframe (without JS) version
of the exploit for the firefoxurl protocol, and also added a link to the exploit in my
previous advisory (where I wrote about the attack via the firefoxurl URL).
Player      2.5.x   any            2.5.4 build 246459 or later
Ace         2.6     Windows        2.6.1 build 227600 or later
Ace         2.5.x   Windows        2.5.4 build 246459 or later
Server      2.x     any            not being fixed at this time
Fusion      any     any Mac OS/X   not affected
ESXi        any     ESXi           not applicable
Routines in these files generate user session cookies in roughly the following
way:
    SECRET = SERVER_ADDRESS + STATIC_VALUE
    HASH   = md5(USERNAME + SECRET + CLIENT_ADDRESS + CURRENT_TIME)
    COOKIE = USERNAME + ACCESS_RIGHTS + CLIENT_ADDRESS + CURRENT_TIME + HASH
In the above pseudocode, the SERVER_ADDRESS represents the VCS system's IP
address, STATIC_VALUE represents a fixed string which is hard-coded into the
application source, USERNAME is the authenticated user name, CLIENT_ADDRESS is