We would love to see the same breadth and depth of submissions as we
have in previous years, so if you have an idea you're on the fence
about - please send it in! For a complete list of past presentations,
visit www.layerone.info.
Please be sure to include the following information in your submission:
- Presentation name
- A one-sentence synopsis of your topic
- A longer one to three paragraph synopsis or short outline of what
you plan on covering
your customers to report it to the appropriate company leaders as
quickly as possible. Going on the assumption that you discovered the
vulnerability while performing your standard duties, you should follow
your company's formal incident response procedures. Each company should
have incident response procedures or a whole incident response team to
deal with these sorts of situations. If you are not sure whether your
company has incident response procedures or an incident response team,
check with the HR department (to avoid causing premature distress in the
IT department).
If your company does not have an incident response team or incident
Ingres r3 Vulnerability Updates Install Steps (August 1, 2008)
Unix/Linux:
1. Log on to your system using the installation owner account and
make sure the environment is set up correctly:
1. II_SYSTEM must be set to the Ingres system files
2. PATH must include $II_SYSTEM/bin and $II_SYSTEM/utility
directories.
2. Change directory to the root directory of the Ingres
installation or use a previously created directory.
$addr=explode(':',$proxy);
}
$this->proxy_ip=$addr[0];
$this->proxy_port=$addr[1];
}
//Parses the results from a PHP error to use as a path disclosure.
function getPath($url,$pops=1){
$html=$this->send($url);
//Regular error reporting:
$resp=explode("array given in <b>",$html);
if(isset($resp[1])){
On Tue, Apr 24, 2012 at 11:13 AM, Michal Zalewski <lcamtuf@coredump.cx> wrote:
>> IMHO, anyone who willingly, knowingly places customer data at risk by inviting attacks on their production systems is playing a very dangerous game. There is no guarantee that a vuln discovered by a truly honest researcher couldn't become a weapon for the dishonest "researcher" through secondary discovery.
>
> I'm not sure I follow. Are you saying that the dishonest researcher
> will not try to find vulnerabilities if there is no reward program for
> the honest ones?
>
> /mz
>
In IE7 on Windows XP, just visiting this URL should be sufficient:
http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/starthelp.html
Some minor modifications will be required to target other configurations, this
is simply an attempt to demonstrate the problem. I'm sure the smart guys at
metasploit will work on designing reliable attacks, as security professionals
require these to do their jobs.
Additionally, my demonstration is not intended to be stealthy; a real
attack would barely be noticeable to the victim. Perhaps the only unavoidable
> In IE7 on Windows XP, just visiting this URL should be sufficient:
>
> http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/starthelp.html
>
> Some minor modifications will be required to target other configurations, this
> is simply an attempt to demonstrate the problem. I'm sure the smart guys at
> metasploit will work on designing reliable attacks, as security professionals
> require these to do their jobs.
>
> Additionally, my demonstration is not intended to be stealthy; a real
> attack would barely be noticeable to the victim. Perhaps the only unavoidable
I'm not sure the facts in evidence support the conclusions reached here (sorry, not posting inline as I don't want to address each conclusion built upon some other shaky conclusion).
From http://support.microsoft.com/kb/890830
======
Reporting component
The Malicious Software Removal Tool sends information to Microsoft if it detects malicious software or finds an error. The specific information that is sent to Microsoft consists of the following items:
* The name of the malicious software that is detected
* The result of malicious software removal
* The operating system version
* The operating system locale
----- Original Message ----
From: Tavis Ormandy <taviso@cmpxchg8b.com>
To: full-disclosure@lists.grok.org.uk
Cc: bugtraq@securityfocus.com
Sent: Wed, June 9, 2010 4:46:21 PM
Subject: Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
--- subversion/libsvn_delta/text_delta.c (revision 38519)
+++ subversion/libsvn_delta/text_delta.c (working copy)
@@ -548,7 +548,7 @@ svn_txdelta_target_push(svn_txdelta_window_handler
/* Functions for applying deltas. */
/* Ensure that BUF has enough space for VIEW_LEN bytes. */
-static APR_INLINE void
+static APR_INLINE svn_error_t *
size_buffer(char **buf, apr_size_t *buf_size,
apr_size_t view_len, apr_pool_t *pool)
{
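Review bot: changing size_buffer's return type from void to svn_error_t * means every caller must now handle or propagate the returned error (for example by wrapping the call in SVN_ERR()) and the success path of the body must end with return SVN_NO_ERROR; the visible hunk stops at the opening brace and shows neither, so please confirm the rest of the patch updates all call sites, and extend the doc comment "Ensure that BUF has enough space for VIEW_LEN bytes." to state under which condition an error is now returned.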
If an admin who doesn't follow bugtraq doesn't know about the issue it's
not full disclosure to him. It's like when you hear about a "known
issue" from Microsoft. If I didn't know about it, how in the heck is
it a known issue? Just because someone in Redmond knows about it
doesn't mean the rest of us do.
I have captcha on a blog site I run. I get folks able to bypass the
filter and post spam comments that get filtered and then a week later or
so get deleted off, and the CPU use on the site sucks. But that could
also be the software I'm running.
hundred people you would see using 171.71.241.89;
/END SNIP
I implore you to read a NANOG thread http://readlist.com/lists/trapdoor.merit.edu/nanog/6/33246.html
Professionals know that IP is an inaccurate identifier, so why does it seem that Microsoft,
along with LEO, are relying on this? It makes a great baseline, sure, but it is certainly ripe
for abuse.
Again, please understand what I am stating: this is "not to say that it's a horrible idea", it's
a start, a baseline, but not a definitive measure of determining who is controlling a bot,
who created the botnet, etc.
>
>
>
> and run the filemon with the filter as smc.exe. Whenever it tries to
> access the smcgui.exe, there is a "Buffer Overflow" detected. As I have
> said at bugtraq as well, I am not sure if the buffer overflow has happened
> or was averted, but it's all very interesting.
>
>
>
>
for free.
We're serious about this. We want the community to get something from
your presentation, not just 50 minutes of hot air. So PLEASE, in your
CFP response, indicate what you are releasing that will be of
interest. If you can't release code or something similar, be sure your
techniques and methods are mind blowing. Presentations in Bring It On!
are more open-ended, but presenters are strongly encouraged to
structure their talk in a way that engages or enrages the audience. If
it does neither, you will be unceremoniously pelted by ShmooBalls (see
below). The audience is armed and ready to fire.
auth-sharing mechanism like SAML, or combining with something like
SXIP or OpenID. None of these latter give us the changeable
persistence bits we want and need though, when passing auth around
multi-domain/host properties.
Sure, it would work fine for isolated financial apps with no
off-domain links. But that's not the direction the web is moving in.
Auth != Security
Auth != Confidentiality
lead to practical DNS cache poisoning attacks. Among other things,
successful attacks can lead to misdirected web traffic and email
rerouting.
This update changes Debian's BIND 9 packages to implement the
recommended countermeasure: UDP query source port randomization. This
change increases the size of the space from which an attacker has to
guess values in a backwards-compatible fashion and makes successful
attacks significantly more difficult.
Note that this security update changes BIND network behavior in a
>>
>>
>>
>> and run the filemon with the filter as smc.exe. Whenever it tries to
>> access the smcgui.exe, there is a "Buffer Overflow" detected. As I have
>> said at bugtraq as well, I am not sure if the buffer overflow has
>> happened or was averted, but it's all very interesting.
>>
>>
>>
>>
and run the filemon with the filter as smc.exe. Whenever it tries to access
the smcgui.exe, there is a "Buffer Overflow" detected. As I have said at
bugtraq as well, I am not sure if the buffer overflow has happened or was
averted, but it's all very interesting.
or other write permissions.
3. Solution
===========
If your system is affected, upgrade Postfix, apply the patch in
Appendix C, or apply one of the countermeasures in section 4.
Updated versions will be made available via http://www.postfix.org/
for Postfix versions 2.3, 2.4, 2.5, and 2.6. Individual vendors
will provide updates depending on their support policy.
modified on Sunday, 24 Oct 2004 20:53:16 GMT) states that zlib1.dll 1.2.x
is linked against MSVCRT.DLL.
The vulnerable ZLIB32.DLL distributed with GSview 4.8 is not linked
against MSVCRT.DLL. Although its version/copyright strings equal the ones
of the "official" zlib1.dll from zlib.net, I'm not sure who built the
ZLIB32.DLL in question. It doesn't completely look like the "official"
zlib1.dll.
Unfortunately the maintainer of GSview chose not to reply to my bug
report, which included a question about the source of the ZLIB32.DLL.
There are many versions of Vista, so there can be such a situation with
different versions of Vista as with XP, where XP Home and XP Professional
have different situations with default admin accounts, which leads to a
vulnerability in XP Home. So I'm planning to investigate different versions
of Windows Vista to be sure.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----------------------------------------------------------------------
Workaround:
The vendor has been aware of the vuln for ages (probably since 2006), so they
recommend setting Register Globals = Off. Not sure why they haven't
patched the vuln already. If Register Globals is Off on your server, then
you are more or less secure. If it is On, ask your system administrator
to turn it Off. If for some reason you need Register Globals = On on your
site (using old software etc.), then contact the vendor and MAYBE they will
finally patch the bug :-)
> They told me that if I released the vulnerability prior to the official
> patch, I could not be officially credited for that. I thought it was not
> a critical vuln, and so I waited. Too much (?).
>
> I am a bit sorry for Microsoft, I think they lost another chance since
> now I feel a bit tricked. I am not sure if the next time I will wait so
> much and I am not sure if I will suggest to anyone to wait for the
> patch. I just hope Microsoft will credit me in the official patch. :(
>
> Below you can find the first mail I wrote to MS regarding the issue.
>
Hello r.st and other participants of the list!
> Not sure if this matters or not but it also worked on blackberry browser
> on blackberry 8800.
Thank you for the information. The more vulnerable browsers found, the better for
the Internet community (just browser vendors must not ignore DoS holes and must fix
them). You can inform RIM about this vulnerability in their browser.
> NOT working on IE 8.0.6001.18702
>>> to promises...
>>>
>>> So... with all this commentary, in the end, I still didn't read from
>>> the
>>> "big'uns" on whether or not a 3rd party open-source patch would be
>>> released... I sure miss the days that people back in the day who
>>> cared would
>>> :) In the end I realize, it sounds like a total over-haul of the TCP/IP
>>> stack is required; but does it really have to? Really?
>>>
>>> How effective is what Tom Grace suggests? Unless I'm
Vulnerability
Rsyncrypto itself is unaffected by the openssl vulnerability introduced
into Debian[3][4]. The common use scenario, however, will lead users
toward generating predictable keys. This advisory is in place to warn
users about possible exposure.
As with the original advisory, this problem will affect you even if you
are not currently running on a vulnerable machine, or even on a Debian
or derivative OS. If your keys were generated on a vulnerable machine,
then your data is at risk.
They told me that if I released the vulnerability prior to the official
patch, I could not be officially credited for that. I thought it was not
a critical vuln, and so I waited. Too much (?).
I am a bit sorry for Microsoft, I think they lost another chance since
now I feel a bit tricked. I am not sure if the next time I will wait so
much and I am not sure if I will suggest to anyone to wait for the
patch. I just hope Microsoft will credit me in the official patch. :(
Below you can find the first mail I wrote to MS regarding the issue.
By claiming all "new" vulnerabilities are 0day, the term becomes completely
meaningless; by your reasoning there is no such thing as a non-0day
vulnerability; well, the next day it's no longer a 0day vulnerability, but
the funny thing is that everybody keeps calling it that.
When a vulnerability is discovered you cannot be sure no one found it
before; the only thing you can ever be sure of is whether at that point
an exploit was detected in the wild.
>I don't like this chain of logic. Whether a new vulnerability is an 0day
(I have the Czech version of G1; you can't simply downgrade it to
rc8/rc29, as it is prevented by the CID check).
Yes, I want to get root on my shiny new t-mobile g1. I tried
exploiting dnotify hole that was fixed in 2.6.25.1... only to find out
that CONFIG_DNOTIFY is off in g1 kernel. So I made sure that
CONFIG_INOTIFY is on, and tried exploiting
6ee5a399d6a92a52646836a6e10faf255c16393e. It triggers very
reliably... with SLAB debugging on. With debugging off, it took 2+
hours to reproduce on PC. Given that I'd have to manually
insert/remove SD card for each try, that is not an option. I thought
>> They told me that if I released the vulnerability prior to the official
>> patch, I could not be officially credited for that. I thought it was not
>> a critical vuln, and so I waited. Too much (?).
>>
>> I am a bit sorry for Microsoft, I think they lost another chance since
>> now I feel a bit tricked. I am not sure if the next time I will wait so
>> much and I am not sure if I will suggest to anyone to wait for the
>> patch. I just hope Microsoft will credit me in the official patch. :(
>>
>> Below you can find the first mail I wrote to MS regarding the issue.
>>