php -r 'include("/etc/passwd/.");'
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
This doesn't happen under normal circumstances.
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ cat /etc/passwd/.
cat: /etc/passwd/.: Not a directory
If an admin who doesn't follow bugtraq doesn't know about the issue it's
not full disclosure to him. It's like when you hear about a "known
issue" from Microsoft. If I didn't know about it, how in the heck is
it a known issue? Just because someone in Redmond knows about it
doesn't mean the rest of us do.
I have a captcha on a blog site I run. I get folks who are able to bypass the
filter and post spam comments; they get filtered and then, a week or so
later, get deleted, and the CPU use on the site sucks. But that could
also be the software I'm running.
> reasonable security practices were employed. I have been saying that for
> years.
Amen.
> Because it does not apply to your particular environment doesn't invalidate
> the issue. There are many, many situations where someone would want to
> access a vmware guest via the console and not allow any network access at
> all. One that comes to mind is an offline root CA that you only fire up
> when you need it--a virtual offline machine. Another situation for
> myself is I keep all my hacking/pen-testing tools on a vm that I can use
Hi Mustlive,
I'm not sure if there's a need to discuss or clarify this any further.
Please refer to my earlier posts, and for the sake of saving some of our
time & efforts, avoid drawing tangents about scripts and noscripts (I've
clarified both earlier) & weasel words (security vulnerability and nntp
exploit - irrelevant in this case).
JS or no-JS, this issue is nothing new, this behavior is well-defined and a
necessity and definitely not a URI (of any kind) exploit or a security
vulnerability.
Hello Susan and other readers who replied to my previous advisory.
Earlier I already answered Vladimir; now I'll answer Susan, and soon I'll
answer John. But first, one important note for every reader of the list,
including John Smith, which I already wrote about 1.5 weeks ago (after
posting the first advisory about DoS in browsers) to one reader of
Full-disclosure who read that advisory inattentively (he missed the note
about attacking without JS) and also to Mozilla (who began discussing this
issue and only drew attention to the attack vector with JS). As I wrote
in both advisories, this attack via iframes can also be conducted without
We have talked about this one quite a few times (including
<http://blog.si6networks.com/2011/09/router-advertisement-guard-ra-guard.html>).
-- still, most implementations remain broken.
If you care to get this fixed, please provide feedback about this I-D on
the IETF *v6ops* mailing-list <v6ops@ietf.org>, and CC me if possible.
Thanks!
Best regards,
> >> People always try and send me Hebrew using Google Translate... it's
> >> usually word for word which means it breaks sentence structure. Then
> it
> >> misses context, translating words with different meanings. Then it
> >> completely mistranslates by using the root of the word, or similar,
> >> anything it doesn't know.
> >>
> >> All in all, while it can't be confused with real Hebrew, it is quite
> >> clear.
> >>
> >> Chinese seems a bit (understatement) more complicated, though.
On 1/15/10 6:40 PM, Thor (Hammer of God) wrote:
> I could only imagine. The other problem is that many people seem to think I'm saying something against the Chinese *people* themselves, based on the "f* you round-eye* messages I've received (and they call ME racist). They don't seem to get the clear distinction (to me) between the Chinese people and China's network. It's the machines I'm concerned with the attacks coming from those machine. Just because the machine is sourced in China doesn't mean the attacker is - so I have to do the best I can to defend against the machines. However, that unfortunately comes across to those who choose not to think it through as me saying something against the Chinese themselves.
>
> Then again, as you well know, people will take any opportunity they can just to be ugly and confrontational, and to have something to rail about. In the face of the reality of China's horribly infected network, when I suggest blocking that traffic (as many others have and do), they seize the opportunity to call me prejudiced and a racist.
The Chinese network is indeed very infected, which in turn causes the
rest of the world great computerized harm. Nobody disputes this.
The solution of blocking China, however, is one which harms both people
outside of China, as well as those inside of China. Therefore, it
Dan,
> 1) Are you sure a stock build of Windows doesn't pop a security
> warning when right clicking the file:// IFRAME? You might have munged
> your test OS.
IE allows you to right-click on a folder (but not on a file or on the
"background") inside a file:// iframe without popping up a security
warning. No idea why but it does.
Vulnerability Explanation
=======================================
Let's wait for the Cisco response, so, we'll have a better understanding on this
issue. Meanwhile...
I think this is a design error because ACE XML doesn't take into account that the
client could be on the same internal network segment, so it receives
the request, which cannot be processed, and throws an error message disclosing
an internal IP address.
According to the ACE XML Gateway User Guide, Log Messages chapter, the listed
There's a nearly identical case that works in all Unixen, AFAIK: You
have /a/b/file1, which is writable to user1. The user has permission
to descend /a and /a/b. At some point user1 does a cd to /a/b. Then
at some later point, while the user still has that shell open, the
sysadmin closes off permission to /a, and user1 no longer can descend
it. But it doesn't matter... user1 has already got a shell open in
/a/b, and therefore full access to all the files there which are not
otherwise protected against that user's access. user1 can copy them,
mail them to friends, make hard links to them, etc.... Anything
desired, until that shell is closed. This case won't work if you
close off /a/b, because you need to be able to modify the directory in
> more vigorously.... all while remaining entirely 'white area' in
> terms of functionality.
If I read the law correctly, it requires retention of "what IP
connected to another IP" and "which phone number called where." It
doesn't bother retaining the URL called (my German is rusty, so I may
be a little off in my interpretation). Connecting to a random IP on a
random open port (80 and 443, for example) would be a good start to
accomplish the goal of creating chatter. The issue is that the search
terms to find those ports could lead to connecting to a site that
increases your profile against general background chatter, even as it
#Error
if(($i>127) || ($j>32)){
if(!$pass){
print "\t-----------------------------------------------------------------\n";
print("\tEXPLOIT FAILED!\n");
print("\tFatal error: Datas doesn't find!\n");
print "\t-----------------------------------------------------------------\n";
exit(1);
}
}
return $pass;
#
#If you find a valid username, you can use --> "ON DUPLICATE KEY UPDATE column=value",
#
#this clause updates the previous row if a unique index is affected (username) and
#
#doesn't insert a new row. So (username=admin --> valid user):
#
#Username --> admin','any','any') ON DUPLICATE KEY UPDATE password=MD5(12345)%23
#
#Other parameters --> something
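The trick in the comment above, replayed as an added example that is not part of the exploit: a string-built INSERT lets the username field smuggle in an upsert clause, so a collision on the unique username index rewrites the admin row instead of adding a new one. To run in-process the demo uses SQLite, whose spelling of MySQL's ON DUPLICATE KEY UPDATE is ON CONFLICT(...) DO UPDATE (an assumed substitution); the users table, the MD5 values and the parameterised fix are constructed here.

```python
import hashlib
import sqlite3

# Constructed sample data: MD5 because the original payload used MD5(12345).
ADMIN_ORIGINAL_HASH = hashlib.md5(b"correct horse").hexdigest()
INJECTED_HASH = hashlib.md5(b"12345").hexdigest()

# SQLite spelling of MySQL's "ON DUPLICATE KEY UPDATE"; the trailing '--'
# comments out the rest of the application's own VALUES list.
PAYLOAD = ("admin','any','any') ON CONFLICT(username) DO UPDATE SET "
           f"password='{INJECTED_HASH}'--")


def fresh_db():
    """Users table with the unique index the attack relies on, plus one admin row."""
    if sqlite3.sqlite_version_info < (3, 24, 0):
        raise RuntimeError("SQLite >= 3.24 is needed for UPSERT syntax")
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT UNIQUE, password TEXT, email TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("admin", ADMIN_ORIGINAL_HASH, "admin@example.test"))
    return conn


def register_vulnerable(conn, username, password, email):
    """The bug: user input pasted straight into the statement text."""
    sql = ("INSERT INTO users (username, password, email) "
           f"VALUES ('{username}','{password}','{email}')")
    conn.execute(sql)


def register_safe(conn, username, password, email):
    """The fix: bound parameters, so the payload is stored as an odd username."""
    conn.execute("INSERT INTO users (username, password, email) VALUES (?, ?, ?)",
                 (username, password, email))


def admin_hash(conn):
    return conn.execute("SELECT password FROM users WHERE username = 'admin'").fetchone()[0]


def run_vulnerable():
    """Admin's hash after the payload is 'registered': it has been replaced."""
    conn = fresh_db()
    register_vulnerable(conn, PAYLOAD, "something", "something")
    return admin_hash(conn)


def run_safe():
    """(admin's hash, row count) with bound parameters: admin untouched, one new row."""
    conn = fresh_db()
    register_safe(conn, PAYLOAD, "something", "something")
    return admin_hash(conn), conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    print("vulnerable path replaced admin hash:", run_vulnerable() == INJECTED_HASH)
    print("safe path left admin alone:", run_safe() == (ADMIN_ORIGINAL_HASH, 2))
```

The point the comment makes is that the injection needs no second statement and no UNION: a single INSERT with an upsert clause is enough, which is why a blacklist that only looks for stacked queries misses it.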
#
Moin moin Bugtraq readers,
Bill Paul and I have discovered that LoginWindow.app doesn't clear
credentials after a user is authenticated. We discovered this while
testing our EFI-based memory recovery utilities discussed recently[0].
We've found that depending on the state of capture, the passwords for
currently active accounts are stored in memory in plain text form, at
least once if not more times.
What happens if/when, for some reason or another, the government decides that you
should not read a news site? Will Microsoft willingly oblige and rewrite the news in
accordance with what the government deems readable?
How about the potential to give Microsoft a warrantless order to discover who doesn't
like a President's "health care plan", or who is irate at whatever policy; will Microsoft
sift through a machine to retrieve relevant data to disclose to authorities?
That doesn't include the potential for, say, technological espionage and gouging of sorts.
What's to stop Microsoft from say, mapping a network and reporting all "non-Microsoft"
:exe[cute] {expr1} .. Executes the string that results from the evaluation
of {expr1} as an Ex command.
-- Vim Reference Manual (eval.txt)
``execute'' is similar e.g. to the ``eval'' command of the POSIX shell. As Vim
Script doesn't allow variables as arguments to commands, only literals,
``execute'' is very popular:
let a = "vim"
execute "setfiletype" a " Alternative is cumbersome
let b = "/path/to/foo"
Hey Dan,
Freaking THANK YOU first and foremost. I've been waiting for someone to say that for days now, and was just about to myself.
Just because everyone and their brother wants to show off that they can compile & run some software (herp a derp, good job) DOESN'T mean they should immediately post it here. I tested it against an OLDER KERNEL on purpose because I actually read the headers and the exploit worked as expected. I knew that this was responsibly disclosed, so it was already patched on any system that I updated. If you don't have the proper symbols, then the exploit doesn't have the proper offsets, and the exploit will fail. Plain and simple. *THEN* there's people who don't even bother to read that "Red Hat does not support Econet by default". DOES NOT. As in the exploit WON'T WORK!
It's pathetic that the original exploit dev has to waste his time saying the same thing 5 times.
</rant>
> when I reported to PSIRT they were not aware of the issue - so who
> called them first is unsettled :-) - however I published first ;-)
Again, please ask PSIRT. :-)
In any case, the world doesn't (or "shouldn't", at least) care about the
"who", but rather should care about the "what".
>> Anyway... I'd bet that every implementation that "followed" the spec is
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
templateName=sh.php%00&templateContent=<?php evil_code(); ?>
Successful exploitation of this vulnerability doesn't require authentication.
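How a NUL in templateName ends up as sh.php on disk, shown as an added example that is neither the advisory's nor the product's code. It assumes the application appends its own .tpl extension to the supplied name before writing (an assumption; the request above does not show the server side), hands the resulting path to libc's fopen() through ctypes so the C string is genuinely cut at the NUL (the behaviour PHP's filesystem functions had before 5.3.4), and contrasts it with a validator that refuses the request outright. The request body is the one quoted above; the upload directory and the form decoder are constructed for the demo.

```python
import ctypes
import os
import re
import tempfile
from urllib.parse import unquote_plus

# C stdio, so the path really is a NUL-terminated C string.
libc = ctypes.CDLL(None)
libc.fopen.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
libc.fopen.restype = ctypes.c_void_p
libc.fputs.argtypes = [ctypes.c_char_p, ctypes.c_void_p]
libc.fclose.argtypes = [ctypes.c_void_p]

TEMPLATE_EXT = ".tpl"        # assumed extension the application tacks on
REQUEST_BODY = "templateName=sh.php%00&templateContent=<?php evil_code(); ?>"


def parse_form(body):
    """Minimal application/x-www-form-urlencoded decoder; %00 becomes a real NUL."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def save_template_vulnerable(upload_dir, name, content):
    """Builds name + .tpl and writes via C stdio: the name is truncated at the NUL."""
    target = os.path.join(upload_dir, name + TEMPLATE_EXT)
    fp = libc.fopen(target.encode(), b"w")      # C sees only ".../sh.php"
    if not fp:
        raise OSError("fopen failed")
    libc.fputs(content.encode(), fp)
    libc.fclose(fp)


def validate_template_name(name):
    """Hardened check: no NUL, no path characters, fixed charset, one known extension."""
    if "\x00" in name:
        raise ValueError("NUL byte in template name")
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", name):
        raise ValueError("template name must be a plain identifier")
    return name + TEMPLATE_EXT


def run_demo():
    """Return what the vulnerable path wrote and whether the validator rejected it."""
    fields = parse_form(REQUEST_BODY)
    upload_dir = tempfile.mkdtemp(prefix="tpl-demo-")
    try:
        save_template_vulnerable(upload_dir, fields["templateName"], fields["templateContent"])
        written = sorted(os.listdir(upload_dir))
        try:
            validate_template_name(fields["templateName"])
            rejected = False
        except ValueError:
            rejected = True
    finally:
        for entry in os.listdir(upload_dir):
            os.remove(os.path.join(upload_dir, entry))
        os.rmdir(upload_dir)
    return {"written": written, "rejected": rejected}


if __name__ == "__main__":
    print(run_demo())
```

Python's own os.open() refuses embedded NULs with a ValueError, which is why the demo goes through ctypes: the point is that any layer between the decoded form field and a C filesystem call that does not reject the NUL lets the attacker pick the extension.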
+--------------------------+
| Unrestricted File Upload |
+--------------------------+
Nice 101 lesson on hooking on IOS.
The (oversimplified) modus operandi is pretty straightforward: take an image,
decompress it, have his tool locate the function and later patch it, add his
code by overwriting large strings, (re)compress the image and (re)calculate/fix
the checksums. Pretty neat. The fact that he doesn't do basic binary patching
makes the approach portable and not architecture, version or feature set
specific.
This image then needs to be uploaded to the router and the device needs to be
reloaded. This backdoor is persistent (vs the old backdoor trick using the TCL
Two things:
1) Are you sure a stock build of Windows doesn't pop a security
warning when right clicking the file:// IFRAME? You might have munged
your test OS.
2) You're getting closer with this "Send To" stuff, but you're still
socially engineering. Definitely better than classic "please download
and execute this file" though.
You really should stop talking about exploits against Powerpoint etc.
is allowing the data to "break the forth wall".
I discovered this issue in November of 2011 while talking about uses for
the lsof command on the @climagic Twitter account. I immediately found
which software was the culprit and submitted a bug report to Gnome's
Bugzilla. The response so far has been that the developer doesn't
consider this a bug. I also wrote to Behdad Esfahbod about the issue
but have not heard back from him. I was giving these people a bit of
time to respond or resolve the issue, but apparently that isn't going to
happen without making a bigger deal of it. Other knowledgeable security
people have considered this a major security issue.
Folks,
We've just published a new IETF I-D entitled "A method for Generating
Stable Privacy-Enhanced Addresses with IPv6 Stateless Address
Autoconfiguration (SLAAC)".
The abstract of the I-D is:
---- cut here ----
This document specifies a method for generating IPv6 Interface
Identifiers to be used with IPv6 Stateless Address Autoconfiguration
--On Saturday, April 24, 2010 19:15:56 -0600 wborskey@gmail.com wrote:
> After putting the port my WAP is plugged into in a bridge group--cisco
> 2600--and rejecting traffic at layer two from an XP machine, I noticed some
> odd and insecure behavior. At this point I can only assume what is causing
> it.
>
> After adding the MAC of a machine with active tcp/ip sockets to public ip
> addresses an odd thing happened. Instead of sending out DNS requests to
> resolve the hosts, the XP machine started sending ARP requests but ARP
"Marcello Barnaba (void)" <vjt@openssl.it> wrote:
> Tried on QuickTime 7.3.10 running on OSX 10.5.1, and the player doesn't
> try to connect to port 80 if 554 is closed.
> ...
> Yeah, I second that. I tested on Vista and it doesn't attempt to redirect
> to the port 80 there must be another condition that u have specified
> that allows for redirection
Uhmmm I imagine you are the same Marcello of yesterday, right?
Who else could be?
TZ> this is a low priority for us because this engine runs in a desktop
TZ> environment where malicious code in these archives will be detected upon
TZ> extraction or execution. If and when an update addressing this issue is
TZ> delivered for our engine, we will credit you."
TZ> Ignoring that the end-point argument doesn't hold true for the network
TZ> device, isn't this incredible?
TZ> 22.05.2009 - I respond that
TZ> "[..] The files
TZ> bypass your protection - to argue with client-side protection (if any)