Full Disclosure mailing list archives
Re: Full-Disclosure Digest, Vol 23, Issue 56
From: <auto458033 () hushmail com>
Date: Tue, 30 Jan 2007 12:32:54 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ANOTHER VICTIM FALLS DEAD FROM FULL DISCLOSURE

On Tue, 30 Jan 2007 08:18:25 -0500 douglas.graham () ntlworld com wrote:

Hello. I am Douglas Graham's father (Roy Graham). It is with great regret that I have to inform you that Douglas passed away on the 22nd November 2006, after a very short illness. I apologise for the delay in letting you know, but I have only recently been able to access his email account. My wife Jacqui and I would like to thank you for assisting Douglas in the past, and please would you remove his details from your database. We hope that this email does not cause you any distress. Should you need to contact me, my email address is: Braingoing () aol com. Please enter DIGA as the subject, so that I know that it is not spam.

Regards,
Roy Graham

From: full-disclosure-request () lists grok org uk
Date: 2007/01/30 Tue PM 12:00:01 GMT
To: full-disclosure () lists grok org uk
Subject: Full-Disclosure Digest, Vol 23, Issue 56

Send Full-Disclosure mailing list submissions to
    full-disclosure () lists grok org uk

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.grok.org.uk/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
    full-disclosure-request () lists grok org uk

You can reach the person managing the list at
    full-disclosure-owner () lists grok org uk

When replying, please edit your Subject line so it is more specific than "Re: Contents of Full-Disclosure digest..."

Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you.

Today's Topics:

   1. CVSTrac 2.0.0 Denial of Service (DoS) vulnerability (Ralf S. Engelschall)
   2. [OpenPKG-SA-2007.008] OpenPKG Security Advisory (cvstrac) (OpenPKG GmbH)
   3. Oracle - Indirect Privilege Escalation and Defeating Virtual Private Databases (David Litchfield)
   4. Phishing Evolution Report Released (Sünnet Beskerming)
   5. Universal printer provider exploit for Windows (Andres Tarasco)
   6. [DRUPAL-SA-2007-005] Drupal 4.7.6 / 5.1 fixes arbitrary code execution issue (Uwe Hermann)
   7. PC/Laptop microphones (Jim Popovitch)
   8. Re: S21sec-034-en: Cisco VTP DoS vulnerability (Clay Seaman-Kossmeyer)
   9. Re: PC/Laptop microphones (Tyop?)
  10. Re: PC/Laptop microphones (Simon Smith)
  11. Re: PC/Laptop microphones (Clement Dupuis)
  12. Re: PC/Laptop microphones (Jim Popovitch)
  13. Re: PC/Laptop microphones (Simon Smith)
  14. Re: S21sec-034-en: Cisco VTP DoS vulnerability (Clay Seaman-Kossmeyer)
  15. COSEINC Alert: Microsoft Agent Heap Overflow Vulnerability Technical Details (Patched) (COSEINC)

----------------------------------------------------------------------

Message: 1
Date: Mon, 29 Jan 2007 13:27:38 +0100
From: "Ralf S. Engelschall" <rse () engelschall com>
Subject: [Full-disclosure] CVSTrac 2.0.0 Denial of Service (DoS) vulnerability
To: full-disclosure () lists grok org uk
Message-ID: <20070129122738.GA45233 () engelschall com>
Content-Type: text/plain; charset=us-ascii

SECURITY ADVISORY
=================

Application:    CVSTrac
Version:        2.0.0
Vulnerability:  Denial of Service (DoS)
Identification: CVE-2007-0347
Date:           2007-01-29 12:00 UTC

DESCRIPTION
-----------

A Denial of Service (DoS) vulnerability exists in CVSTrac (http://www.cvstrac.org/) version 2.0.0, a web-based bug and patch-set tracking system for the version control systems CVS, Subversion and Git.

The vulnerability is in the Wiki-style text output formatter and is triggered by special text constructs in commit messages, tickets and Wiki pages. Only users with check-in permissions and Wiki or ticket edit permissions can perform an attack. But as the anonymous user usually is granted Wiki edit and ticket creation permissions, an attacker remotely and anonymously can cause a partial DoS (depending on the pages requested) on a CVSTrac installation by opening a new ticket or editing a Wiki page with an arbitrary text containing for instance the string "/foo/bar'quux".

The result of an attack is an error of the underlying SQLite RDBMS:

| Database Error
| db_exists: Database exists query failed
| SELECT filename FROM filechng WHERE filename='foo/bar'quux'
| Reason: near "quux": syntax error

ANALYSIS
--------

The DoS vulnerability exists because the is_eow() function in "format.c" does NOT just check the first(!) character of the supplied string for an End-Of-Word terminating character, but instead iterates over the string and this way can skip a single embedded quotation mark. The is_repository_file() function then in turn assumes that the filename string can never contain a single quotation mark and traps into an SQL escaping problem.

An SQL injection via this technique is somewhat limited as is_eow() bails on whitespace.
So while one _can_ do an SQL injection, one is limited to SQL queries containing only characters which get past the function isspace(3). This effectively limits attacks to SQL commands like "VACUUM".

WORKAROUND
----------

Administrators can quickly workaround by revoking permissions on the users. Restoring those permissions, obviously, would require keeping vulnerable permissions on at least one infrequently used account like "setup" or using the CLI sqlite3(1) to manually add them back later.

One can resurrect an attacked CVSTrac 2.0.0 by fixing the texts in the underlying SQLite database with the following small Perl script.

  ##
  ##  cvstrack-resurrect.pl -- CVSTrac Post-Attack Database Resurrection
  ##  Copyright (c) 2007 Ralf S. Engelschall <rse () engelschall com>
  ##

  use strict;
  use warnings;
  use DBI;           # requires OpenPKG perl-dbi
  use DBD::SQLite;   # requires OpenPKG perl-dbi, perl-dbi::with_dbd_sqlite=yes
  use DBIx::Simple;  # requires OpenPKG perl-dbix
  use Date::Format;  # requires OpenPKG perl-time

  # path to the CVSTrac SQLite database file, given on the command line
  my $db_file = $ARGV[0] or die "usage: $0 <cvstrac-db-file>\n";
  my $db = DBIx::Simple->connect(
      "dbi:SQLite:dbname=$db_file", "", "",
      { RaiseError => 0, AutoCommit => 0 }
  );

  # the End-Of-Word characters recognized by is_eow() (see ANALYSIS above)
  my $eow = q{\x00\s.,:;?!)"'};

  # Insert a space in front of a quotation mark embedded in a
  # "/foo/bar'quux"-style word, so the formatter no longer treats the
  # quote as part of a repository filename. Returns 1 if the text changed.
  sub fixup {
      my ($data) = @_;
      if ($$data =~ m:/[^$eow]*/[^$eow]*'[^$eow]+:s) {
          $$data =~ s:(/[^$eow]*/[^$eow]*)('[^$eow]+):$1 $2:sg;
          return 1;
      }
      return 0;
  }

  # Wiki pages (invtime is stored inverted, hence the negation for display)
  foreach my $rec ($db->query("SELECT name, invtime, text FROM wiki")->hashes()) {
      if (&fixup(\$rec->{"text"})) {
          printf("++ adjusting Wiki page \"%s\" as of %s\n",
                 $rec->{"name"}, time2str("%Y-%m-%d %H:%M:%S", -$rec->{"invtime"}));
          $db->query("UPDATE wiki SET text = ? WHERE name = ? AND invtime = ?",
                     $rec->{"text"}, $rec->{"name"}, $rec->{"invtime"});
      }
  }

  # tickets (both fields are always checked, so a fix in the description
  # does not skip the remarks)
  foreach my $rec ($db->query("SELECT tn, description, remarks FROM ticket")->hashes()) {
      my $changed = &fixup(\$rec->{"description"});
      $changed = &fixup(\$rec->{"remarks"}) || $changed;
      if ($changed) {
          printf("++ adjusting ticket #%d\n", $rec->{"tn"});
          $db->query("UPDATE ticket SET description = ?, remarks = ? WHERE tn = ?",
                     $rec->{"description"}, $rec->{"remarks"}, $rec->{"tn"});
      }
  }

  # ticket change history
  foreach my $rec ($db->query("SELECT tn, chngtime, oldval, newval FROM tktchng")->hashes()) {
      my $changed = &fixup(\$rec->{"oldval"});
      $changed = &fixup(\$rec->{"newval"}) || $changed;
      if ($changed) {
          printf("++ adjusting ticket [%d] change as of %s\n",
                 $rec->{"tn"}, time2str("%Y-%m-%d %H:%M:%S", $rec->{"chngtime"}));
          $db->query("UPDATE tktchng SET oldval = ?, newval = ? WHERE tn = ? AND chngtime = ?",
                     $rec->{"oldval"}, $rec->{"newval"}, $rec->{"tn"}, $rec->{"chngtime"});
      }
  }

  # commit messages
  foreach my $rec ($db->query("SELECT cn, message FROM chng")->hashes()) {
      if (&fixup(\$rec->{"message"})) {
          printf("++ adjusting change [%d]\n", $rec->{"cn"});
          $db->query("UPDATE chng SET message = ? WHERE cn = ?",
                     $rec->{"message"}, $rec->{"cn"});
      }
  }

  $db->commit();
  $db->disconnect();

RESOLUTION
----------

Upgrade to the now available CVSTrac 2.0.1:
http://www.cvstrac.org/cvstrac-2.0.1.tar.gz

Or apply the following upstream vendor patch against CVSTrac 2.0.0:
http://www.cvstrac.org/cvstrac/chngview?cn=852

Index: cvstrac/format.c --- format.c 2006/07/05 01:06:50 1.87 +++ format.c 2006/08/16 23:02:14 1.88 @@ -77,6 +77,8 @@ ** Return TRUE if *z points to the terminator for a word.Words** are terminated by whitespace or end of input or any of the ** characters in zEnd. +** Note that is_eow() ignores zEnd characters _inside_ a word.They+** only count if they're followed by other EOW characters. */ int is_eow(const char *z, const char *zEnd){ if( zEnd==0 ) zEnd = ".,:;?!)\"'"; @@ -123,6 +125,7 @@ ** somewhere inside. Spaces in filenames aren't supported. */ int is_repository_file(const char *z){ + char *s; int i; int gotslash=0; if( z[0]!='/' ) return 0;
@@ -132,13 +135,12 @@ if(!gotslash) return 0; /* see if it's in the repository. Note that we strip theleading '/' from the- * query. Note that the is_eow() check means there's no 'character.+ * query. */ - if( !db_exists("SELECT filename FROM filechng WHEREfilename='%.*s'",- i-1, &z[1]) ){ - return 0; - } - return i; + s = mprintf("%.*s", i-1, &z[1]); + gotslash = db_exists("SELECT filename FROM filechng WHEREfilename='%q'", s );+ free(s); + return gotslash ? i : 0; } /*

HISTORY
-------

2007-01-17 10:00 UTC: problem detected
2007-01-17 11:30 UTC: vulnerability detected in format.c:is_eow()
2007-01-17 12:15 UTC: vulnerability analyzed and first workaround patch created
2007-01-17 12:45 UTC: database resurrection script written
2007-01-17 13:00 UTC: upstream vendor notified
2007-01-17 22:24 UTC: vendor confirmed vulnerability and provided official fix
2007-01-18 09:22 UTC: vendor informed and CVE number requested from MITRE
2007-01-18 20:08 UTC: received CVE number CVE-2007-0347 from MITRE
2007-01-22 08:30 UTC: settled with vendor on an embargo date of 2007-01-29 12:00 UTC
2007-01-22 09:00 UTC: pre-informed "vendor-sec"
2007-01-29 12:00 UTC: sent out RSE security advisory

Ralf S. Engelschall
rse () engelschall com
www.engelschall.com

------------------------------

Message: 2
Date: Mon, 29 Jan 2007 14:03:14 +0100
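Review bot: the first hunk of the upstream patch (@@ -77,6 +77,8 @@) only adds a comment to is_eow() and leaves its scan unchanged, so zEnd characters such as a single quote can still sit inside a word; the correction rests entirely on callers escaping whatever is_eow() hands them. The new comment would serve better if it said that explicitly, for instance "callers must treat the word as untrusted text and escape it before use in SQL", because the old is_repository_file() comment ("the is_eow() check means there's no ' character") is exactly the assumption that went wrong.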
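Review bot: in the is_repository_file() hunk (@@ -132,13 +135,12 @@) the return value of db_exists() is stored in gotslash, which up to that line meant "a second slash was seen"; reusing it for an unrelated boolean makes `return gotslash ? i : 0;` misleading, and a separate `int found = db_exists(...)` would read better. The mprintf() result is also passed on without a NULL check; if mprintf() can return NULL on allocation failure, db_exists() would be handed a NULL argument for `%q`. The switch from `'%.*s'` to `'%q'` on an explicitly built copy is the right primitive, since `%q` doubles embedded single quotes.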
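The is_eow() and is_repository_file() interaction that the CVSTrac advisory above (message 1) describes, and why the %q escaping in the vendor patch closes it, shown as an added Python example. This is not code from the advisory, from CVSTrac or from OpenPKG: is_eow() and the repository-file scan are reimplemented from the advisory's description (assumed, not CVSTrac's source); the filechng table contents are constructed; render_word, lookup_unescaped, lookup_escaped, lookup_bound and sql_quote are names invented for the example. The unescaped query reproduces the SQLite syntax error the advisory quotes; the %q-style quote doubling and parameter binding both turn the same input into a harmless non-match.

```python
import sqlite3

# Default end-of-word characters used by CVSTrac's is_eow() (from the advisory).
EOW_CHARS = ".,:;?!)\"'"


def is_eow(text, i, zend=EOW_CHARS):
    """Assumed reimplementation of the is_eow() behaviour the advisory describes
    (not CVSTrac's own code): walk forward until whitespace or end of input and
    report a terminator only if every character on the way is an end-of-word
    character. A quote followed by more word characters is therefore *not* a
    terminator, so it stays inside the word."""
    while i < len(text) and not text[i].isspace():
        if text[i] not in zend:
            return False
        i += 1
    return True


def repository_file_word(text):
    """Mimic the scan in is_repository_file(): a word starting with '/' that has
    another '/' somewhere inside it. Returns the name without the leading '/',
    or None. Hypothetical helper written for this example."""
    if not text.startswith("/"):
        return None
    i, gotslash = 1, False
    while i < len(text) and not is_eow(text, i):
        if text[i] == "/":
            gotslash = True
        i += 1
    return text[1:i] if gotslash else None


def lookup_unescaped(conn, name):
    """The CVSTrac 2.0.0 pattern: the name is spliced into the SQL text the way
    '%.*s' did, without escaping. An embedded quote breaks the statement."""
    sql = "SELECT filename FROM filechng WHERE filename='%s'" % name
    return conn.execute(sql).fetchone() is not None


def sql_quote(s):
    """What SQLite's %q format (used by the 2.0.1 fix) does to a string: double
    every single quote so it cannot close the literal."""
    return s.replace("'", "''")


def lookup_escaped(conn, name):
    """The 2.0.1 approach: same query, but the value is %q-escaped first."""
    sql = "SELECT filename FROM filechng WHERE filename='%s'" % sql_quote(name)
    return conn.execute(sql).fetchone() is not None


def lookup_bound(conn, name):
    """Parameter binding: the value never reaches the SQL parser at all."""
    row = conn.execute("SELECT filename FROM filechng WHERE filename=?",
                       (name,)).fetchone()
    return row is not None


def render_word(conn, text, lookup):
    """What the formatter decides for a word: 'link' if it names a repository
    file, 'plain' if not, 'error' if the query itself failed (the DoS case)."""
    name = repository_file_word(text)
    if name is None:
        return "plain"
    try:
        return "link" if lookup(conn, name) else "plain"
    except sqlite3.OperationalError:
        return "error"


def make_db():
    """Constructed in-memory stand-in for CVSTrac's filechng table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE filechng(filename TEXT)")
    conn.execute("INSERT INTO filechng VALUES ('foo/bar')")
    return conn


if __name__ == "__main__":
    db = make_db()
    for text in ("/foo/bar is a real file.", "/foo/bar'quux", "/foo/bar' was quoted"):
        print(repr(text), repository_file_word(text),
              render_word(db, text, lookup_unescaped),
              render_word(db, text, lookup_escaped),
              render_word(db, text, lookup_bound))
```

Running it shows the three cases side by side: a quote that is followed by an end-of-word character or whitespace terminates the word and everything works, while "/foo/bar'quux" keeps the quote inside the word; only the unescaped lookup then turns that into a database error, which is what the advisory's "Database Error" page is. Parameter binding is the form to prefer in new code, since it removes the need to remember escaping at every call site.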
From: OpenPKG GmbH <openpkg-noreply () openpkg com>
Subject: [Full-disclosure] [OpenPKG-SA-2007.008] OpenPKG Security Advisory (cvstrac)
To: full-disclosure () lists grok org uk
Message-ID: <OpenPKG-SA-2007.008 () openpkg com>
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

____________________________________________________________________________

Publisher Name:          OpenPKG GmbH
Publisher Home:          http://openpkg.com/

Advisory Id (public):    OpenPKG-SA-2007.008
Advisory Type:           OpenPKG Security Advisory (SA)
Advisory Directory:      http://openpkg.com/go/OpenPKG-SA
Advisory Document:       http://openpkg.com/go/OpenPKG-SA-2007.008
Advisory Published:      2007-01-29 14:02 UTC

Issue Id (internal):     OpenPKG-SI-20070117.01
Issue First Created:     2007-01-17
Issue Last Modified:     2007-01-29
Issue Revision:          08
____________________________________________________________________________

Subject Name:            cvstrac
Subject Summary:         VCS web frontend
Subject Home:            http://www.cvstrac.org/
Subject Versions:        * = 2.0.0

Vulnerability Id:        CVE-2007-0347
Vulnerability Scope:     global (not OpenPKG specific)

Attack Feasibility:      run-time
Attack Vector:           remote network
Attack Impact:           denial of service

Description:
  Ralf S. Engelschall from OpenPKG GmbH discovered a Denial of Service (DoS) vulnerability in the CVS/Subversion/Git Version Control System (VCS) frontend CVSTrac [0], version 2.0.0.

  The vulnerability is in the Wiki-style text output formatter and is triggered by special text constructs in commit messages, tickets and Wiki pages. Only users with check-in permissions and Wiki or ticket edit permissions can perform an attack. But as the anonymous user usually is granted Wiki edit and ticket creation permissions, an attacker remotely and anonymously can cause a partial DoS (depending on the pages requested) on a CVSTrac installation by opening a new ticket or editing a Wiki page with an arbitrary text containing for instance the string "/foo/bar'quux".

  The DoS vulnerability exists because the is_eow() function in "format.c" does NOT just check the FIRST character of the supplied string for an End-Of-Word terminating character, but instead iterates over the string and this way can skip a single embedded quotation mark. The is_repository_file() function then in turn assumes that the filename string can never contain a single quotation mark and traps into an SQL escaping problem.

  An SQL injection via this technique is somewhat limited as is_eow() bails on whitespace. So while one _can_ do an SQL injection, one is limited to SQL queries containing only characters which get past the function isspace(3). This effectively limits attacks to SQL commands like "VACUUM".

  Administrators can quickly workaround by revoking permissions on the users. Restoring those permissions, obviously, would require keeping vulnerable permissions on at least one infrequently used account like "setup" or using the CLI sqlite3(1) to manually add them back later.

References:
  [0] http://www.cvstrac.org/
____________________________________________________________________________

Primary Package Name:    cvstrac
Primary Package Home:    http://openpkg.org/go/package/cvstrac

Corrected Distribution:  Corrected Branch:  Corrected Package:
OpenPKG Enterprise       E1.0-SOLID         cvstrac-2.0.0-E1.0.2
____________________________________________________________________________

For security reasons, this document was digitally signed with the OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34) which you can download from http://openpkg.com/openpkg.com.pgp or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/. Follow the instructions at http://openpkg.com/security/signatures/ for more details on how to verify the integrity of this document.
____________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG GmbH <http://openpkg.com/>

iD8DBQFFvfCEZwQuyWG3rjQRApMLAJ0Q/mkpIIar3VjFoMVay7b70i5DIwCfX8lJ
6ITu0bSW6c3RR9sQ6q6cIpQ=
=kxz6
-----END PGP SIGNATURE-----

------------------------------

Message: 3
Date: Mon, 29 Jan 2007 17:00:00 -0000
From: "David Litchfield" <davidl () ngssoftware com>
Subject: [Full-disclosure] Oracle - Indirect Privilege Escalation and Defeating Virtual Private Databases
To: <bugtraq () securityfocus com>
Cc: full-disclosure () lists grok org uk, dbsec () freelists org
Message-ID: <001901c743c6$ecf65260$4601a8c0 () ngssoftware com>
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original

Hey all,
For anyone that's interested I've just put out two papers (chapters really); one on Indirect Privilege Escalation in Oracle and the other on Defeating Virtual Private Databases in Oracle. You can grab them here.

http://www.databasesecurity.com/dbsec/ohh-indirect-privilege-escalation.pdf
http://www.databasesecurity.com/dbsec/ohh-defeating-vpd.pdf

Cheers,
David

--
E-MAIL DISCLAIMER

The information contained in this email and any subsequent correspondence is private, is solely for the intended recipient(s) and may contain confidential or privileged information. For those other than the intended recipient(s), any disclosure, copying, distribution, or any other action taken, or omitted to be taken, in reliance on such information is prohibited and may be unlawful. If you are not the intended recipient and have received this message in error, please inform the sender and delete this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy. NGS accepts no liability or responsibility for any onward transmission or use of emails and attachments having left the NGS domain.

NGS and NGSSoftware are trading names of Next Generation Security Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1 4BF with Company Number 04225835 and VAT Number 783096402

------------------------------

Message: 4
Date: Tue, 30 Jan 2007 08:25:27 +1030
From: Sünnet Beskerming <info () beskerming com>
Subject: [Full-disclosure] Phishing Evolution Report Released
To: full-disclosure () lists grok org uk
Message-ID: <2DD1B718-CA53-4A3D-87C7-4B6A2BF5487B () beskerming com>
Content-Type: text/plain; charset=ISO-8859-1; delsp=yes; format=flowed

Hello List(s),

For those interested in the original FD email about a new phishing technique being employed on a professional networking site (late last week), the investigation and subsequent report have been published. Readers of 'The Register' will note a write up already in place with some feedback from the site involved. Although the claim of 10 or so reports per month of similar scams being made are probable, I doubt that many (if any) have taken as much detailed involvement from the scammer before the phish is set.

http://www.theregister.co.uk/2007/01/29/ecademy_419_scam/

You can find the report at the following address:
http://www.beskerming.com/marketing/reports/index.html

Or, for the direct link:
http://www.beskerming.com/marketing/reports/Beskerming_Phishing_Report_Jan_07.pdf

A higher detailed version is available upon request, which includes sufficient detail in the account screenshots for the profile text to be legible.

An Executive Summary for those who don't want to read the report:
- Yes, it was a scam. The scammer started out with a stolen identity, maintaining it all the way through the scam (even when confronted)
- Ultimately it was a 419-style phish / scam that was traced back to Nigeria
- The first recorded use of the particular stolen identity was November 06, with a very similar scam (though a more traditional mass spam email).
- The scammer invested at least 2-3 days of communication and trust-building before beginning to seed the phish / scam
- The initial round of the phish bait was mild enough to almost be missed.
- The Networking site was VERY prompt in addressing the situation once notified (less than 5 minutes to remove the account when it reappeared and they were notified again). Props to Ecademy in this case.
- Sometimes you just need to be paranoid.

Any questions or queries, just ask them.

Carl
Sünnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com

------------------------------

Message: 5
Date: Mon, 29 Jan 2007 11:42:35 +0100
From: "Andres Tarasco" <atarasco () gmail com>
Subject: [Full-disclosure] Universal printer provider exploit for Windows
To: full-disclosure () lists grok org uk
Message-ID: <80321d330701290242h56879d87jc346fc5fd3a9386c () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

We have developed a new exploit that should allow code execution as SYSTEM with the following software:

- DiskAccess NFS Client (dapcnfsd.dll v0.6.4.0) - REPORTED & NOT FIXED - 0day!!!
- Citrix Metaframe - cpprov.dll - FIXED
- Novell (nwspool.dll - CVE-2006-5854 - untested. pls give feedback)

More information at: http://www.514.es/2007/01/universal_exploit_for_vulnerab.html (spanish)
exploit code: http://www.514.es/2007/01/29/Universal_printer_provider_exploit.zip

/*
  Title: Universal exploit for vulnerable printer providers (spooler service).
  Vulnerability: Insecure EnumPrintersW() calls
  Author: Andres Tarasco Acuña - atarasco () 514 es
  Website: http://www.514.es

  This code should allow to gain SYSTEM privileges with the following software:
  blink !blink! blink!
  - DiskAccess NFS Client (dapcnfsd.dll v0.6.4.0) - REPORTED & NOT FIXED - 0day!!!
  - Citrix Metaframe - cpprov.dll - FIXED
  - Novell (nwspool.dll - CVE-2006-5854 - untested)
  - More undisclosed stuff =)

  If this code crashes your spooler service (spoolsv.exe) check your "vulnerable" printer providers at:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers

  Workaround: Trust only default printer providers "Internet Print Provider" and "LanMan Print Services" and delete the other ones.

  And remember, if it doesn't work for you, tweak it yourself. Do not ask

D:\Programación\EnumPrinters\Exploits>testlpc.exe
[+] Citrix Presentation Server - EnumPrinterW() Universal exploit
[+] Exploit coded by Andres Tarasco - atarasco () 514 es
[+] Connecting to spooler LCP port \RPC Control\spoolss
[+] Trying to locate valid address (1 tries)
[+] Mapped memory. Client address: 0x003d0000
[+] Mapped memory. Server address: 0x00a70000
[+] Targeting return address to : 0x00A700A7
[+] Writting to shared memory...
[+] Written 0x1000 bytes
[+] Exploiting vulnerability....
[+] Exploit complete. Now Connect to 127.0.0.1:51477

D:\Programación\EnumPrinters>nc localhost 51477
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

regards,
Andres Tarasco
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070129/4cb1999a/attachment-0001.html

------------------------------

Message: 6
Date: Tue, 30 Jan 2007 02:14:53 +0100
From: Uwe Hermann <uwe () hermann-uwe de>
Subject: [Full-disclosure] [DRUPAL-SA-2007-005] Drupal 4.7.6 / 5.1 fixes arbitrary code execution issue
To: bugtraq () securityfocus com, full-disclosure () lists grok org uk, phpsec () phparch com
Message-ID: <20070130011452.GA31240@greenwood>
Content-Type: text/plain; charset="us-ascii"

----------------------------------------------------------------------------
Drupal security advisory                                   DRUPAL-SA-2007-005
----------------------------------------------------------------------------
Project:          Drupal core
Version:          4.7.x, 5.x
Date:             2007-Jan-29
Security risk:    Highly critical
Exploitable from: Remote
Vulnerability:    Arbitrary code execution
----------------------------------------------------------------------------

Description
-----------
Previews on comments were not passed through normal form validation routines, enabling users with the 'post comments' permission and access to more than one input filter to execute arbitrary code. By default, anonymous and authenticated users have access to only one input format.

Immediate workarounds include: disabling the comment module, revoking the 'post comments' permission for all users or limiting access to one input format.

Versions affected
-----------------
- Drupal 4.7.x versions before Drupal 4.7.6
- Drupal 5.x versions before Drupal 5.1

Solution
--------
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.6.
  http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.6.tar.gz
- If you are running Drupal 5.x then upgrade to Drupal 5.1.
  http://ftp.osuosl.org/pub/drupal/files/projects/drupal-5.1.tar.gz
- To patch Drupal 4.7.5 use http://drupal.org/files/sa-2007-005/SA-2007-005-4.7.5.patch.
- To patch Drupal 5.0 use http://drupal.org/files/sa-2007-005/SA-2007-005-5.0.patch.

Please note that the patches only contain changes related to this advisory, and do not fix bugs that were solved in 4.7.6 or 5.1.

Reported by
-----------
The Drupal security team.

Contact
-------
The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact.

// Uwe Hermann, on behalf of the Drupal Security Team.

--
http://www.hermann-uwe.de  | http://www.holsham-traders.de
http://www.crazy-hacks.org | http://www.unmaintained-free-software.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070130/eb3c84da/attachment-0001.bin

------------------------------

Message: 7
Date: Mon, 29 Jan 2007 21:26:37 -0500
From: Jim Popovitch <jimpop () yahoo com>
Subject: [Full-disclosure] PC/Laptop microphones
To: full-disclosure () lists grok org uk
Message-ID: <1170123997.26901.7.camel@localhost>
Content-Type: text/plain; charset="us-ascii"

I started this discussion elsewhere, but I feel that there is more experience and concern here. When I look at BIOS settings I see config options to disable sound cards, USB, CDROM, INTs, etc., but what about the PC or laptop microphone? Does disabling the sound card remove the availability of a built-in microphone? What if I want to play mp3s but never have the need to use a microphone? Given recent info about the US FBI's capabilities to remotely enable mobile phone microphones (presumably via corporate cellular service providers), what prevents my OS provider (or distribution) and ISP from working on a way to listen in on my office or home conversations via the microphone or the built-in speakers?

Thoughts?

-Jim P.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070129/f4dd0b81/attachment-0001.bin

------------------------------

Message: 8
Date: Mon, 29 Jan 2007 21:31:00 -0500
From: Clay Seaman-Kossmeyer <ckossmey () cisco com>
Subject: Re: [Full-disclosure] S21sec-034-en: Cisco VTP DoS vulnerability
To: S21sec Labs <labs () s21sec com>
Cc: ckossmey () cisco com, full-disclosure () lists grok org uk, bugtraq () securityfocus com
Message-ID: <20070130023100.GH648 () cisco com>
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello -

Cisco has posted a Security Response in reference to this issue at the following URL:

http://www.cisco.com/warp/public/707/cisco-sr-20070129-vtp.shtml

Cisco Response
==============

An issue has been reported to the Cisco PSIRT involving malformed VLAN Trunking Protocol (VTP) packets. This attack may cause the target device to reload, causing a Denial of Service (DoS).

Such an attack must be executed on a local ethernet segment, and the VTP domain name must be known to the attacker. Additionally, these attacks must be executed against a switch port that is configured for trunking. Non-trunk access ports are not affected.

This issue is tracked as Cisco Bug ID CSCsa67294.

Details
=======

The VLAN Trunking Protocol (VTP) is a Layer 2 protocol that manages the addition, deletion, and renaming of VLANs on a network-wide basis in order to maintain VLAN configuration consistency.

VTP packets are exchanged by VLAN-aware switches. For more information on VTP, consult the following link: http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a00800e47e3.html.

Upon receiving a malformed VTP packet, certain devices may reload. The attack could be executed repeatedly causing an extended Denial of Service.

In order to successfully exploit this vulnerability, the attacker must know the VTP domain name, as well as send the malformed VTP packet to a port on the switch configured for trunking. This does not affect switch ports that are configured for voice vlans. A complete Inter-Switch Link (ISL) or 802.1q trunk port is required for the device to be vulnerable.

These platforms are affected:

  * Cisco 2900XL Series Switches
  * Cisco 2950 Series Switches
  * Cisco 2955 Series Switches
  * Cisco 3500XL Series Switches
  * Cisco 3550 Series Switches
  * Cisco 3570 Series Switches

No other Cisco products are known to be vulnerable to this issue.

This issue was made public on 26-Jan-2007 on the Full-Disclosure and Bugtraq mailing lists. The Cisco bug ID CSCsa67294 was made available to registered customers in May of 2005.

We would like to thank David Barroso Berrueta and Alfredo Andres Omella for reporting this vulnerability to us. You can find their release here: http://www.s21sec.com/es/avisos/s21sec-034-en.txt.

We greatly appreciate the opportunity to work with researchers on security vulnerabilities and welcome the opportunity to review and assist in security vulnerability reports against Cisco products.

Workarounds
===========

In order to mitigate your exposure, ensure that only known, trusted devices are connected to ports configured for ISL or 802.1q trunking. More information on securing L2 networks can be found in the Cisco SAFE Layer 2 Security document at this location: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml

Additional Information
======================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Revision History
================

+--------------+------------------+------------------------+
| Revision 1.0 | 2007-January-29  | Initial public release |
+--------------+------------------+------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

On Fri, Jan 26, 2007 at 02:46:43PM -0500, S21sec Labs wrote:
> ###############################################################
> ID:        S21SEC-034-en
> Title:     Cisco VTP Denial Of Service
> Date:      26/01/2007
> Status:    Vendor contacted, bug fixed
> Severity:  Medium - DoS - remote from the local subnet
> Scope:     Cisco Catalyst Switch denial of service
> Platforms: IOS
> Author:    Alfredo Andres Omella, David Barroso Berrueta
> Location:  http://www.s21sec.com/es/avisos/s21sec-034-en.txt
> Release:   Public
> ###############################################################
>
> S 2 1 S E C   http://www.s21sec.com
>
> Cisco VTP Denial Of Service
>
> About VTP
> ---------
> VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol used for VLAN centralized management. For instance, when you configure a VLAN in a switch, the VLAN information (the VLAN name and its identifier) will be configured automatically in all the switches that belong to the same VTP domain.
>
> Description of vulnerability
> ----------------------------
> VTP uses Subset-Advert messages to advertise the existing VLANs within a VTP domain. Sending a malformed crafted packet, it is possible to force a switch "crash & reload". In order to trigger the vulnerability, you need to previously set up the trunking (manually or using Yersinia DTP attack).
>
> Affected Versions and platforms
> -------------------------------
> This vulnerability has been tested against Cisco Catalyst 2950T switches with IOS 12.1(22)EA3. Other versions are probably vulnerable.
>
> Solution
> --------
> According to Cisco PSIRT, it is already fixed. We don't know all the details because Cisco tagged (back in 2005) the issue as an "internal bug", not as a security vulnerability. Upgrade your IOS to the latest release.
>
> Additional information
> ----------------------
> This vulnerability has been found and researched by:
> David Barroso Berrueta   dbarroso () s21sec com
> Alfredo Andres Omella    aandres () s21sec com
>
> It was found in January 2005 and shown in a real demo at BlackHat Europe Briefings 2005 (March 2005) (Yersinia, a framework for layer 2 attacks). Some months later, FX from Phenoelit found other VTP vulnerabilities: http://www.securityfocus.com/archive/1/445896/30/0/threaded
> Cisco then released an answer to FX (http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml) but as there is no comment about this specific vulnerability we suppose that it is not related to this one.
>
> This vulnerability has been implemented in the current Yersinia version, under the VTP attacks (see the src/vtp.c file).
>
> Yersinia homepage: http://www.yersinia.net
>
> You can find this advisory at: http://www.s21sec.com/en/avisos/s21sec-034-en.txt
> Other S21SEC advisories available at http://www.s21sec.com/en/avisos/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFFvq3REHa/Ybuq8nARAlZ9AJ4zzh8a7qwluYP94oAf/WFMfmzrZwCgpiDl
JxK2NENYveWy7rIf/SL/dBo=
=IaMi
-----END PGP SIGNATURE-----

------------------------------

Message: 9
Date: Tue, 30 Jan 2007 03:52:51 +0100
From: "Tyop?" <tyoptyop () gmail com> Subject: Re: [Full-disclosure] PC/Laptop microphones To: "Jim Popovitch" <jimpop () yahoo com>, full-disclosure () lists grok org uk Message-ID: <985b1a3d0701291852o369898e6nf2fa1c34b4af86fb () mail gmail com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed On 1/30/07, Jim Popovitch <jimpop () yahoo com> wrote:Given recent info about the US FBIs capabilities to remotely enable mobile phone microphones (presumably via corporate cellular service providers),Do you have some links on that? Paranoia inside :p -- Tyop? Etudiant. http://altmylife.blogspot.com ------------------------------ Message: 10 Date: Mon, 29 Jan 2007 22:02:14 -0500 
From: Simon Smith <simon () snosoft com>
Subject: Re: [Full-disclosure] PC/Laptop microphones
To: Jim Popovitch <jimpop () yahoo com>, Untitled <full-disclosure () lists grok org uk>
Message-ID: <C1E41F66.17BF5%simon () snosoft com>
Content-Type: text/plain; charset="US-ASCII"

Jim,
In all reality you don't have to be an agent to do this. You could just write an exploit that, when successfully executed, would compromise the target and then fetch an application from a remote site. I'm sure that things like this have been done in the past. Hell, imagine what you could do with a webcam! ;] New telephones are no different, I'm sure.

On 1/29/07 9:26 PM, "Jim Popovitch" <jimpop () yahoo com> wrote:
> I started this discussion elsewhere, but I feel that there is more
> experience and concern here. When I look at BIOS settings I see config
> options to disable sound cards, USB, CDROM, INTs, etc., but what about
> the PC or laptop microphone? Does disabling the sound card remove the
> availability of a built-in microphone? What if I want to play mp3s but
> never have the need to use a microphone? Given recent info about the US
> FBIs capabilities to remotely enable mobile phone microphones
> (presumably via corporate cellular service providers), what prevents my
> OS provider (or distribution) and ISP from working on a way to listen in
> on my office or home conversations via the microphone or the built-in
> speakers?
>
> Thoughts?
>
> -Jim P.

------------------------------

Message: 11
Date: Mon, 29 Jan 2007 22:34:18 -0500
From: "Clement Dupuis" <cdupuis () cccure org>
Subject: Re: [Full-disclosure] PC/Laptop microphones
To: "'Simon Smith'" <simon () snosoft com>, "'Jim Popovitch'" <jimpop () yahoo com>, "'Untitled'" <full-disclosure () lists grok org uk>
Message-ID: <00d301c7441f$894d2dc0$c1b211ac@papslaptop>
Content-Type: text/plain; charset="us-ascii"

This was discussed in the past. It is one of the features within Core Impact from Core Security.

Here is an old post on the subject:

  CORE IMPACT has a Python module (uses win32api) to do just that; it is
  called "Record audio file" (there is also a "play audio file" and a
  "grab 1 frame from Webcam").

  Basically, it uses the Windows MCI interface:
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/multimed/htm/_win32_about_mci.asp
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/multimed/htm/_win32_mci_reference.asp

  There is also a generic "Execute MCI string" that we commonly use to
  amuse ourselves by opening/closing the CD door remotely once we've
  gained access to a target system running Windows.

  It should not be difficult to write your own quickly with Python and
  the above reference from the MSDN.

-----Original Message-----
From: Simon Smith [mailto:simon () snosoft com]
Sent: Monday, January 29, 2007 10:02 PM
To: Jim Popovitch; Untitled
Subject: Re: [Full-disclosure] PC/Laptop microphones

Jim,
In all reality you don't have to be an agent to do this. You could just write an exploit that, when successfully executed, would compromise the target and then fetch an application from a remote site. I'm sure that things like this have been done in the past. Hell, imagine what you could do with a webcam! ;] New telephones are no different, I'm sure.

On 1/29/07 9:26 PM, "Jim Popovitch" <jimpop () yahoo com> wrote:
> I started this discussion elsewhere, but I feel that there is more
> experience and concern here. When I look at BIOS settings I see config
> options to disable sound cards, USB, CDROM, INTs, etc., but what about
> the PC or laptop microphone? Does disabling the sound card remove the
> availability of a built-in microphone? What if I want to play mp3s but
> never have the need to use a microphone? Given recent info about the US
> FBIs capabilities to remotely enable mobile phone microphones
> (presumably via corporate cellular service providers), what prevents my
> OS provider (or distribution) and ISP from working on a way to listen in
> on my office or home conversations via the microphone or the built-in
> speakers?
>
> Thoughts?
>
> -Jim P.

------------------------------

Message: 12
Date: Mon, 29 Jan 2007 23:13:01 -0500
From: Jim Popovitch <jimpop () yahoo com>
Subject: Re: [Full-disclosure] PC/Laptop microphones
To: full-disclosure <full-disclosure () lists grok org uk>
Message-ID: <1170130381.3177.1.camel@localhost>
Content-Type: text/plain; charset="us-ascii"

On Tue, 2007-01-30 at 03:52 +0100, Tyop? wrote:
> On 1/30/07, Jim Popovitch <jimpop () yahoo com> wrote:
> > Given recent info about the US FBIs capabilities to remotely enable
> > mobile phone microphones (presumably via corporate cellular service
> > providers),
>
> Do you have some links on that?
> Paranoia inside :p

;-) Paranoia is a good characteristic to have. Here's a few references:

http://www.google.com/search?hl=en&q=FBI+Mob+microphone

-Jim P.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070129/3ecbecb4/attachment-0001.bin

------------------------------

Message: 13
Date: Mon, 29 Jan 2007 23:29:26 -0500
From: Simon Smith <simon () snosoft com>
Subject: Re: [Full-disclosure] PC/Laptop microphones
To: Jim Popovitch <jimpop () yahoo com>, Untitled <full-disclosure () lists grok org uk>
Message-ID: <C1E433D6.17BFA%simon () snosoft com>
Content-Type: text/plain; charset="US-ASCII"

Who's paranoid? I'm not paranoid, stop talking about me!

On 1/29/07 11:13 PM, "Jim Popovitch" <jimpop () yahoo com> wrote:
> On Tue, 2007-01-30 at 03:52 +0100, Tyop? wrote:
> > On 1/30/07, Jim Popovitch <jimpop () yahoo com> wrote:
> > > Given recent info about the US FBIs capabilities to remotely enable
> > > mobile phone microphones (presumably via corporate cellular service
> > > providers),
> >
> > Do you have some links on that?
> > Paranoia inside :p
>
> ;-) Paranoia is a good characteristic to have. Here's a few references:
>
> http://www.google.com/search?hl=en&q=FBI+Mob+microphone
>
> -Jim P.

------------------------------

Message: 14
Date: Tue, 30 Jan 2007 01:03:48 -0500
From: Clay Seaman-Kossmeyer <ckossmey () cisco com>
Subject: Re: [Full-disclosure] S21sec-034-en: Cisco VTP DoS vulnerability
To: S21sec Labs <labs () s21sec com>
Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com, psirt () cisco com
Message-ID: <20070130060348.GC823 () cisco com>
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello -

Cisco's response follows for this issue:

Cisco Response
==============

An issue has been reported to the Cisco PSIRT involving malformed VLAN Trunking Protocol (VTP) packets. This attack may cause the target device to reload, causing a Denial of Service (DoS).

Such an attack must be executed on a local ethernet segment, and the VTP domain name must be known to the attacker. Additionally, these attacks must be executed against a switch port that is configured for trunking. Non-trunk access ports are not affected.

This issue is tracked as Cisco Bug ID CSCsa67294.

Details
=======

The VLAN Trunking Protocol (VTP) is a Layer 2 protocol that manages the addition, deletion, and renaming of VLANs on a network-wide basis in order to maintain VLAN configuration consistency. VTP packets are exchanged by VLAN-aware switches. For more information on VTP, consult the following link:

http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a00800e47e3.html

Upon receiving a malformed VTP packet, certain devices may reload. The attack could be executed repeatedly, causing an extended Denial of Service.

In order to successfully exploit this vulnerability, the attacker must know the VTP domain name, as well as send the malformed VTP packet to a port on the switch configured for trunking. This does not affect switch ports that are configured for voice VLANs. A complete Inter-Switch Link (ISL) or 802.1q trunk port is required for the device to be vulnerable.
These platforms are affected:

  * Cisco 2900XL Series Switches
  * Cisco 2950 Series Switches
  * Cisco 2955 Series Switches
  * Cisco 3500XL Series Switches
  * Cisco 3550 Series Switches
  * Cisco 3570 Series Switches

No other Cisco products are known to be vulnerable to this issue.

This issue was made public on 26-Jan-2007 on the Full-Disclosure and Bugtraq mailing lists. The Cisco bug ID CSCsa67294 was made available to registered customers in May of 2005.

We would like to thank David Barroso Berrueta and Alfredo Andres Omella for reporting this vulnerability to us. You can find their release here: http://www.s21sec.com/es/avisos/s21sec-034-en.txt.

We greatly appreciate the opportunity to work with researchers on security vulnerabilities and welcome the opportunity to review and assist in security vulnerability reports against Cisco products.

Workarounds
===========

In order to mitigate your exposure, ensure that only known, trusted devices are connected to ports configured for ISL or 802.1q trunking. More information on securing L2 networks can be found in the Cisco SAFE Layer 2 Security document at this location:

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a008014870f.shtml

Additional Information
======================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
Revision History
================

+--------------+-----------------+------------------------+
| Revision 1.0 | 2007-January-29 | Initial public release |
+--------------+-----------------+------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

On Fri, Jan 26, 2007 at 02:46:43PM -0500, S21sec Labs wrote:
> ###############################################################
> ID:        S21SEC-034-en
> Title:     Cisco VTP Denial Of Service
> Date:      26/01/2007
> Status:    Vendor contacted, bug fixed
> Severity:  Medium - DoS - remote from the local subnet
> Scope:     Cisco Catalyst Switch denial of service
> Platforms: IOS
> Author:    Alfredo Andres Omella, David Barroso Berrueta
> Location:  http://www.s21sec.com/es/avisos/s21sec-034-en.txt
> Release:   Public
> ###############################################################
>
> S 2 1 S E C
> http://www.s21sec.com
>
> Cisco VTP Denial Of Service
>
> About VTP
> ---------
>
> VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol used for VLAN centralized management. For instance, when you configure a VLAN in a switch, the VLAN information (the VLAN name and its identifier) will be configured automatically in all the switches that belong to the same VTP domain.
>
> Description of vulnerability
> ----------------------------
>
> VTP uses Subset-Advert messages to advertise the existing VLANs within a VTP domain. By sending a malformed crafted packet it is possible to force a switch "crash & reload". In order to trigger the vulnerability, you need to previously set up the trunking (manually or using the Yersinia DTP attack).
> Affected Versions and platforms
> -------------------------------
>
> This vulnerability has been tested against Cisco Catalyst 2950T switches with IOS 12.1(22)EA3. Other versions are probably vulnerable.
>
> Solution
> --------
>
> According to Cisco PSIRT, it is already fixed. We don't know all the details because Cisco tagged (back in 2005) the issue as an "internal bug", not as a security vulnerability. Upgrade your IOS to the latest release.
>
> Additional information
> ----------------------
>
> This vulnerability has been found and researched by:
>
> David Barroso Berrueta   dbarroso () s21sec com
> Alfredo Andres Omella    aandres () s21sec com
>
> It was found in January 2005 and shown in a real demo at BlackHat Europe Briefings 2005 (March 2005) (Yersinia, a framework for layer 2 attacks).
>
> Some months later, FX from Phenoelit found other VTP vulnerabilities:
> http://www.securityfocus.com/archive/1/445896/30/0/threaded
>
> Cisco then released an answer to FX (http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml), but as there is no comment about this specific vulnerability, we suppose that it is not related to this one.
>
> This vulnerability has been implemented in the current Yersinia version, under the VTP attacks (see the src/vtp.c file).
>
> Yersinia homepage: http://www.yersinia.net
>
> You can find this advisory at: http://www.s21sec.com/en/avisos/s21sec-034-en.txt
>
> Other S21SEC advisories available at http://www.s21sec.com/en/avisos/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFFvt+IEHa/Ybuq8nARAmapAKCDVkXuNcSL/E5wSf2FBh298vmcOgCfTbKm
oaFNJ9jqXSbTzrp5foSQLa8=
=q2ut
-----END PGP SIGNATURE-----

------------------------------

Message: 15
Date: Tue, 30 Jan 2007 15:56:59 +0800
From: "COSEINC" <alu () coseinc com>
Subject: [Full-disclosure] COSEINC Alert: Microsoft Agent Heap Overflow Vulnerability Technical Details (Patched)
To: <full-disclosure () lists grok org uk>
Message-ID: <044f01c74444$388c9270$d201000a@HP77591890519>
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original

Microsoft Agent Heap Overflow Vulnerability
COSEINC Alert
http://www.coseinc.com/alert.html

Vendor: Microsoft

Systems Affected:
  Windows 2000 All Service Packs
  Windows XP All Service Packs

Overview:

Microsoft Agent is a software technology that enables an enriched form of user interaction that makes learning to use a computer easier. With the software service, developers can enhance the user interface of their applications and Web pages with interactive personalities in the form of animated characters.

This feature is preinstalled on Win2k/XP and allows loading of remote character data via HTTP through Internet Explorer. Microsoft actually utilizes a custom compression algorithm to compress the character data file (.acf), which we presume is to speed up the distribution over the network.

A security researcher of COSEINC Vulnerability Research Lab has discovered that Microsoft Agent has a heap overflow vulnerability. This vulnerability is triggered when Microsoft Agent parses the malformed character file in its uncompressed state in memory, by having an overly large value in a length field. This will lead to an integer overflow during the allocation of the buffer. Subsequently, when data is copied to the buffer, the heap overflow will occur. The result is possible remote code execution.

Technical Details:

The vulnerability exists in the ReadWideString function in agentdpv.dll:

  711a2cc4 mov  eax,[ebp+0xc]
  711a2cc7 cmp  eax,ebx
  711a2cc9 jz   agentdpv!ReadWideStringW+0x6b (711a2d0e)
  711a2ccb lea  eax,[eax+eax+0x2]
  711a2ccf push eax
  711a2cd0 call agentdpv!operator new (711aaa6c)

The .acf format, when uncompressed in memory, stores strings with their lengths prepended to them.
To trigger the vulnerability, a large value 7FFFFFFF can be set in the length field of a string before compression takes place to create a malformed .acf file (this can be done using the Microsoft-supplied Agent Character Editor and editing the memory contents when creating the .acf file). When Microsoft Agent parses the .acf file, this length is read after uncompressing the file in memory:

  711a2cc4 mov  eax,[ebp+0xc]          ; length of string

An integer overflow occurs, presumably during the calculation of the size of the memory to allocate for a wide string using the supplied length, resulting in an allocation of 0 bytes:

  711a2ccb lea  eax,[eax+eax+0x2]
  711a2ccf push eax
  711a2cd0 call agentdpv!operator new (711aaa6c)

Some time after, the string will be read from memory allocated earlier and copied to the buffer, leading to the overflow and corrupting the heap:

  711a2ce8 push ebx
  711a2ce9 add  edx,edx
  711a2ceb push edx
  711a2cec push eax
  711a2ced push edi
  711a2cee call dword ptr [ecx+0xc]    {ole32!CMemStm::Read (771e7a1f)}

Notes:

The string has been earlier written (together with other data) to a temporary buffer as a result of the uncompressing procedure. The 2nd DWORD in the .acf file specifies the total size of the file in its uncompressed state and is used internally to allocate the required memory for the temporary buffer.

The number of bytes to copy from this temporary buffer is apparently determined by subtracting from the total size the size of previous data chunks, and does not utilize the supplied string length.

Hence, the amount of overflow can be controlled by simply using a string of the desired length. This is why the large length of 7FFFFFFF does not result in continuous copying leading to an access violation (usually the case in an integer overflow). Consequently, an arbitrary 4-byte overwrite will occur, resulting in possible code execution.

Vendor Status:

Microsoft has released a patch for this vulnerability.
The patch is available at: http://www.microsoft.com/technet/security/bulletin/ms06-068.mspx

Credit:

This vulnerability was discovered by Willow, a Windows security researcher of the COSEINC Vulnerability Research Lab (VRL).

Disclaimer:

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author or the company be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

------------------------------

End of Full-Disclosure Digest, Vol 23, Issue 56
***********************************************

-----------------------------------------
Email sent from www.ntlworld.com
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkW/gUYACgkQgSMOKd40iZg6UAP/WLx0GdnlvJQVbVzxFZ5k2pW6Dzsa
AGIDNEzqkrVXEff2rO7QyPRTNchJ6iTAYoF52L42/PiYbJ4iwF9alMnyU2XEIhH1hnRj
aaQislNzxVnCYdWzor8FRNU3wHK4Ojo1K5vi7Rl+90Ai3VXchEhfC5AKU5Zjx24jLIbN
ogW0M6o=
=Xx0l
-----END PGP SIGNATURE-----
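The allocation-size overflow that the COSEINC alert above describes in agentdpv!ReadWideString (lea eax,[eax+eax+0x2] on a 0x7FFFFFFF length field, so operator new is asked for 0 bytes, followed by a copy whose length comes from the file's declared total size rather than from the string length), as an added C example that is not part of the alert and is not Microsoft Agent's code. The chunk layout, the chunk builder, the checked variant and all function names are assumptions made for illustration; only the len*2+2 arithmetic and the 0x7FFFFFFF value come from the alert. Rather than performing the out-of-bounds write, the reader reports whether one would occur, and the checked variant shows the bound that rejects the malformed length.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of reading one length-prefixed wide string from an uncompressed chunk. */
enum parse_result { PARSE_OK = 0, PARSE_REJECTED = 1, PARSE_HEAP_OVERFLOW = 2 };

/* Allocation size exactly as the alert's disassembly derives it from the
 * length field:  lea eax,[eax+eax+0x2]  ->  len*2 + 2 in 32-bit arithmetic.
 * For len == 0x7FFFFFFF this wraps to 0, so operator new(0) is called. */
uint32_t agent_alloc_size(uint32_t len)
{
    return len * 2u + 2u;
}

/* Checked replacement (an assumption for illustration, not Microsoft's fix):
 * refuse any length whose byte count would not fit the 32-bit allocator size. */
int checked_alloc_size(uint32_t len, uint32_t *out)
{
    if (len > (UINT32_MAX - 2u) / 2u)
        return 0;
    *out = len * 2u + 2u;
    return 1;
}

/* Read [uint32 len][UTF-16 payload] from the start of `chunk` (assumed layout).
 * `copy_len` is the number of bytes the reader copies; per the alert it comes
 * from the file's declared total size minus earlier chunks, not from `len`.
 * Instead of an out-of-bounds memcpy, report whether one would happen.
 * With `hardened` set, the checked bound is applied before allocating. */
enum parse_result read_wide_string(const uint8_t *chunk, size_t chunk_len,
                                   uint32_t copy_len, int hardened,
                                   uint32_t *alloc_out)
{
    uint32_t len, alloc;

    if (chunk_len < 4 || copy_len > chunk_len - 4)
        return PARSE_REJECTED;              /* truncated sample, not the bug */
    memcpy(&len, chunk, 4);                 /* little-endian host, as on Win32 */

    if (hardened) {
        if (!checked_alloc_size(len, &alloc) || copy_len > alloc)
            return PARSE_REJECTED;
    } else {
        alloc = agent_alloc_size(len);      /* silently wraps to 0 */
    }
    if (alloc_out)
        *alloc_out = alloc;

    uint8_t *buf = malloc(alloc ? alloc : 1);   /* new(0) still hands back a block */
    if (!buf)
        return PARSE_REJECTED;

    enum parse_result r = PARSE_OK;
    if (copy_len > alloc)
        r = PARSE_HEAP_OVERFLOW;  /* the CMemStm::Read copy would run past buf */
    else
        memcpy(buf, chunk + 4, copy_len);
    free(buf);
    return r;
}

/* Constructed sample (not a real .acf): the length field 0x7FFFFFFF followed by
 * the UTF-16LE string "AAAA" (8 bytes).  Returns the chunk length written. */
size_t build_malformed_chunk(uint8_t *out, size_t cap)
{
    static const uint8_t payload[] = { 'A', 0, 'A', 0, 'A', 0, 'A', 0 };
    uint32_t len = 0x7FFFFFFFu;

    if (cap < 4 + sizeof payload)
        return 0;
    memcpy(out, &len, 4);
    memcpy(out + 4, payload, sizeof payload);
    return 4 + sizeof payload;
}

int main(void)
{
    uint8_t chunk[32];
    size_t n = build_malformed_chunk(chunk, sizeof chunk);
    uint32_t alloc = 0;
    enum parse_result r;

    r = read_wide_string(chunk, n, 8, 0, &alloc);
    printf("unchecked: alloc=%u bytes, copy=8 bytes -> %s\n", alloc,
           r == PARSE_HEAP_OVERFLOW ? "heap overflow" : "ok");
    r = read_wide_string(chunk, n, 8, 1, &alloc);
    printf("checked:   length 0x7FFFFFFF -> %s\n",
           r == PARSE_REJECTED ? "rejected" : "accepted");
    return 0;
}
```

The unchecked path reproduces the alert's observation that the copy length is independent of the length field: the allocation collapses to 0 bytes while the 8-byte copy still goes ahead, so the attacker chooses the overflow size by choosing the string length. The checked path rejects the length before any allocation and also bounds the copy against the allocation, which is the invariant the original code lacked.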
Current thread:
- Re: Full-Disclosure Digest, Vol 23, Issue 56 douglas.graham (Jan 30)
- <Possible follow-ups>
- Re: Full-Disclosure Digest, Vol 23, Issue 56 auto458033 (Jan 30)
- Re: Full-Disclosure Digest, Vol 23, Issue 56 Paul M. Moriarty (Jan 30)