Full Disclosure mailing list archives

[Full-Disclosure] Re: Full-disclosure digest, Vol 1 #1950 - 4 msgs
From: <chris_tang () so-net com hk>
Date: Wed, 06 Oct 2004 02:16:28 +0800 (HKT)


Please be advised that my email has been changed to: 

chriskftang () yahoo com 

Please send all "full-disclosure" newsletters or related messages to 
the above email address. 


Best Rgds, 
Chris Tang 

On Tue, 05 Oct 2004 12:00, full-disclosure-request () lists netsys com sent:

Send Full-Disclosure mailing list submissions to
      full-disclosure () lists netsys com

To subscribe or unsubscribe via the World Wide Web, visit
or, via email, send a message with subject or body 'help' to
      full-disclosure-request () lists netsys com

You can reach the person managing the list at
      full-disclosure-admin () lists netsys com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."

Today's Topics:

  1. [TURBOLINUX SECURITY INFO] 05/Oct/2004 (Turbolinux)
  2. RE: Spyware installs with no interaction in IE on fully patched XP SP2 box (Castigliola, Angelo)
  3. SUSE Security Announcement: samba (SUSE-SA:2004:035) (Thomas Biege)
  4. Paranoid ramblings - what's the deal? Bounded variables aren't? (Clairmont, Jan M)


Message: 1
Date: Tue, 5 Oct 2004 22:30:17 +0900
From: Turbolinux <security-announce () turbolinux co jp>
Reply-To: server-users-e () turbolinux co jp
To: security-announce () turbolinux co jp
Subject: [Full-disclosure] [TURBOLINUX SECURITY INFO] 05/Oct/2004


This is an announcement-only email list for the x86 architecture.
Turbolinux Security Announcement 05/Oct/2004

The following page contains the security information of Turbolinux Inc.

- Turbolinux Security Center

(1) squid -> DoS vulnerability in squid
(2) ImageMagick -> Multiple buffer overflow vulnerabilities in ImageMagick

* squid -> DoS vulnerability in squid

More information :
   Squid is a high-performance proxy caching server for web clients, supporting
   FTP, gopher, and HTTP data objects. Unlike traditional caching software,
   Squid handles all requests in a single, non-blocking, I/O-driven process.

   A vulnerability in the NTLM helpers in squid.

Impact :
   The vulnerability allows remote attackers to cause a denial of service of squid server services.

Affected Products :
   - Turbolinux Appliance Server 1.0 Hosting Edition
   - Turbolinux Appliance Server 1.0 Workgroup Edition
   - Turbolinux 8 Server
   - Turbolinux 8 Workstation
   - Turbolinux 7 Server
   - Turbolinux 7 Workstation

Solution :
   Please use the turbopkg (zabom) tool to apply the update. 
[Turbolinux 10 Desktop, Turbolinux 10 F...]
# zabom -u squid

# turbopkg
# zabom update squid

  Source Packages
  Size : MD5

     1538211 ff3e34c4b8c71d250f2781179ceec73a

  Binary Packages
  Size : MD5

      825195 85c3b583674e0ac0695c4cbf0404e586

  Source Packages
  Size : MD5

     1538211 6b6d400ee15ee97ac6f7e98fbea26e50

  Binary Packages
  Size : MD5

      825663 bed921f91e657975cc6c72d2ea8f29d4

  Source Packages
  Size : MD5

     1538211 b28eeeb88347c668fdb9938c4c1cd438

  Binary Packages
  Size : MD5

      825370 335f0fe78cfb204c86ff5b05d12bfd34

  Source Packages
  Size : MD5

     1538211 181d72c2668f72b6e50190f784421bed

  Binary Packages
  Size : MD5

      825810 5e52e49f4be6e555f57b38ffb241c455

  Source Packages
  Size : MD5

     1538211 45fd66fc13713b40beb996f664460f0e

  Binary Packages
  Size : MD5

      829880 e2a6cf6b67a7c74249b23bce5a4adedf

  Source Packages
  Size : MD5

     1538211 191eab57b2adcecf91ceb4b34c94de09

  Binary Packages
  Size : MD5

      830034 d6142042afcd410376e5a875c5436bc9

Notice :
   After performing the update, it is necessary to restart the squid daemon.
   To do this, run the following command as user root.
# /etc/init.d/squid restart
# /etc/rc.d/init.d/squid restart



* ImageMagick -> Multiple buffer overflow vulnerabilities in ImageMagick

More information :
   ImageMagick(TM) is an image display and manipulation tool for the X
   Window System.  ImageMagick can read and write JPEG, TIFF, PNM, GIF and
   Photo CD image file formats.

   Multiple buffer overflow vulnerabilities in ImageMagick allowing remote
   attackers to execute arbitrary code via a malformed image or video file.

Impact :
   These vulnerabilities may allow remote attackers to execute arbitrary
   code via a malformed image or video file in AVI or BMP formats.

Affected Products :
   - Turbolinux 10 F...
   - Turbolinux 10 Desktop
   - Turbolinux 8 Server
   - Turbolinux 8 Workstation
   - Turbolinux 7 Server
   - Turbolinux 7 Workstation

Solution :
   Please use the turbopkg (zabom) tool to apply the update. 
[Turbolinux 10 Desktop, Turbolinux 10 F...]
# zabom -u ImageMagick ImageMagick-devel

# turbopkg
# zabom update ImageMagick ImageMagick-devel

  Source Packages
  Size : MD5

     5274681 6a9d3c1b208049830e7086b9aae75fe7

  Binary Packages
  Size : MD5

     2397224 dea16cf3ee2ce38381e3d2679ad8fa3c
      555804 840cc5d2ec79afd5cfdbf4223f625195

  Source Packages
  Size : MD5

     3614849 bb43185f084dd6e32f10694f35fb513d

  Binary Packages
  Size : MD5

     3207676 6839799de74d7439334a875a097b6049
     1392173 d0af80e68a129fd41d301b7ec3469ff5
      855821 be80bb2b23c8b87ab831bb99201b85c8
       60163 1281a234915115227a2bb2fa5071d6c7

  Source Packages
  Size : MD5

     3665019 ae1a64cf87ea0e6598ca147abd3349e4

  Binary Packages
  Size : MD5

     3668565 d065de9b0d5a58b6393cc4805e0eb405
      971835 df0dda9a20ad43b2a8b3ee7a5313f6a8

  Source Packages
  Size : MD5

     3656626 6197f1b2ff6d1a831d532a3fce210f94

  Binary Packages
  Size : MD5

     3038600 0276001bdf52d75ab65dcac7ff4ebb49
     1267440 9e21404db4bf10a005a89f974fd8558e

  Source Packages
  Size : MD5

     3656626 084f8247af6313928f5dcdae20ed9713

  Binary Packages
  Size : MD5

     3039080 e3ca8b73f9a5f6cbaf8a136d121fdebf
     1267050 a3e0ef2ac5bd589f453f5ab529981fab



* You may need to update the turbopkg tool before applying the update.
Please refer to the following URL for detailed information.


Package Update Path

* To obtain the public key

Here is the public key


* To unsubscribe from the list

If you ever want to remove yourself from this mailing list,
 you can send a message to <server-users-e-ctl () turbolinux co jp> with
the word `unsubscribe' in the body (don't include the quotes).


* To change your email address

If you ever want to change your email address in this mailing list,
 you can send a message to <server-users-e-ctl () turbolinux co jp> with
the following command in the message body:

 chaddr 'old address' 'new address'

If you have any questions or problems, please contact
<supp_info () turbolinux co jp>

Thank you!

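The Size : MD5 pairs listed above are meant to be checked against the downloaded package before it is installed; the SUSE appendix further down in this digest spells out why that works (the list is trustworthy only because the announcement carrying it is signed). What follows is an added example, not Turbolinux's or SUSE's own tooling: it parses a table in the advisory's layout and compares both the size and the MD5 of a package image against it. The two table rows are copied from the squid section above; the file names, which the archive has lost, are not needed for the match. The hypothetical file name in the usage comment is an assumption.

```python
"""Check a downloaded package against the Size : MD5 pairs a vendor
publishes in a signed advisory.  Added example, not Turbolinux's or
SUSE's tooling; the table text is the advisory's layout, the checking
functions are ours."""
import hashlib
import sys

# The advisory's "Size : MD5" block, reproduced in its original layout
# (file names were lost from the archived copy, so size plus digest is
# all there is to match on).
ADVISORY_TABLE = """\
  Source Packages
  Size : MD5

     1538211 ff3e34c4b8c71d250f2781179ceec73a

  Binary Packages
  Size : MD5

      825195 85c3b583674e0ac0695c4cbf0404e586
"""


def parse_size_md5_table(text):
    """Collect every '<decimal size> <32 hex chars>' line into a set of
    (size, md5) tuples; headings and blank lines are skipped."""
    pairs = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 2 or not fields[0].isdigit():
            continue
        size, digest = int(fields[0]), fields[1].lower()
        if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest):
            pairs.add((size, digest))
    return pairs


def size_and_md5(data):
    """Size in bytes and hex MD5 of an in-memory package image."""
    return len(data), hashlib.md5(data).hexdigest()


def size_and_md5_of_file(path, chunk=1 << 16):
    """Same as size_and_md5 but streamed from disk, for real packages."""
    h = hashlib.md5()
    size = 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
            size += len(block)
    return size, h.hexdigest()


def matches_advisory(data, table_text=ADVISORY_TABLE):
    """True only if both the size and the digest match one published pair.
    Checking the size too costs nothing and rules out a truncated download
    before the digest is even compared."""
    return size_and_md5(data) in parse_size_md5_table(table_text)


if __name__ == "__main__":
    # Usage (hypothetical file name): python verify.py squid-update.rpm
    for path in sys.argv[1:]:
        ok = size_and_md5_of_file(path) in parse_size_md5_table(ADVISORY_TABLE)
        print(f"{path}: {'OK' if ok else 'MISMATCH'}")
```

Two caveats a practitioner would add: a matching digest proves nothing if the checksum list was fetched from the same mirror as the package instead of from the signed announcement, and MD5 is no longer collision resistant (collisions were published in 2004), so where the package carries its own signature, as with the rpm --checksig method described in the SUSE appendix below, that check is the stronger one.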



Message: 2
Subject: RE: [Full-disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box
Date: Tue, 5 Oct 2004 10:50:02 -0400
From: "Castigliola, Angelo" <ACastigliola () unumprovident com>
To: "Alla Bezroutchko" <alla () scanit be>, <full-disclosure () lists netsys com>

I am sure there is a configuration setting or software (perhaps the
software made the configuration change) that is preventing this from
installing on your computer. 

I tested with a default XP SP1 install with all the Microsoft Updates
that have been applied to stop this type of IE hack. The spyware still
installs itself on the machine.

XP SP1 with the following patches:

These are _ALL_ the Microsoft Updates that specifically patch up IE

My question to the forum is: If this is not a 0-day IE exploit that
allows software to install on a computer with no user interaction then
what Microsoft Update applies to this exploit?

Again I fear there is no Microsoft Update available that will fix this

Can someone confirm that a Default install of XP SP2 with all patches
will not stop spyware from themexp.org from installing?

Angelo Castigliola III
Operations Technical Analyst I
UnumProvident IT Services

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[full-disclosure-admin () lists netsys com] On Behalf Of Alla
Sent: Tuesday, October 05, 2004 7:01 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Spyware installs with no interaction in
IE on fully patched XP SP2 box

Carr, Robert wrote:

I just went there, and he's right. Atpartners.cab installed without 
permission. My McAfee picked it right up as Atpartners.dll, downloaded

to Temp Internet files. Spyware detected as NetPals. On the other 
hand, I'm admin of my machine, I wonder if a "user" would get an error

message about not having the correct rights...

I have tested it on Windows XP SP2 and on fully patched Windows 2000. In

both cases _nothing_ gets run or installed. Both systems are more or 
less standard installations without any special IE hardening (except 

When I surf to the site with Windows XP "Installing components... 
ATpartners.cab" briefly appears in the status bar and then the site gets

displayed. Under the normal browser bars there is a message saying "The 
site might require the following ActiveX control: FREE on-line games and

special offers from... Click here to install...". I don't click on it. 
Searching the disk for atpartners.cab or atpartners.dll finds nothing. 
The CLSID of the ActiveX control only appears in the registry in 

With Windows 2000 I also get "Installing components... ATpartners.cab" 
in the status bar and then the dialog box asking if I want to install 
"Free online games from ATgames.com". This is a usual dialog box you get

when a page attempts to install an ActiveX control. If I click "No", 
nothing gets installed, no atpartners files on the file system, no 
traces of the CLSID in the registry.

I suppose the cab file gets downloaded so that Windows can read and 
display the signature of the file. It does not get run or installed 
unless explicitly  permitted by user.

So, as far as I can see this is no 0-day.


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Message: 3
Date: Tue, 05 Oct 2004 16:57:52 +0200
From: Thomas Biege <thomas () suse de>
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] SUSE Security Announcement: samba (SUSE-SA:2004:035)



                       SUSE Security Announcement

       Package:                samba
       Announcement-ID:        SUSE-SA:2004:035
       Date:                   Tuesday, Oct  5th 2004 16:53:01 MEST
       Affected products:      8.1, 8.2, 9.0
                               SUSE Linux Enterprise Server 8
                               SUSE Linux Desktop 1.0
       Vulnerability Type:     remote file disclosure
       Severity (1-10):        6
       SUSE default package:   Yes
       Cross References:       CAN-2004-0815

   Content of this advisory:
       1) security vulnerability resolved:
            - Samba file access problem
          problem description
       2) solution/workaround
       3) special instructions and notes
       4) package location and checksums
       5) pending vulnerabilities, solutions, workarounds:
           - opera
           - kernel
           - mozilla
       6) standard appendix (further information)


1) problem description, brief discussion

   The Samba server, which allows files and resources to be shared via
   the SMB/CIFS protocol, contains a bug in the sanitization code of path
   names which allows remote attackers to access files outside of the
   defined share. In order to access these files, they must be readable
   by the account used for the SMB session.
   CAN-2004-0815 has been assigned to this issue.

2) solution/workaround

   As a temporary workaround you can set the
    wide links = no
   option in smb.conf and restart the samba server. However an update
   is recommended nevertheless.

3) special instructions and notes

   After successfully updating the samba package, you need to issue the
   following command as root:

     rcsmb restart

4) package location and checksums

   Please download the update package for your distribution and verify its
   integrity by the methods listed in section 3) of this announcement.
   Then, install the package using the command "rpm -Fhv file.rpm" to apply
   the update.
   Our maintenance customers are being notified individually. The packages
   are being offered to install from the maintenance web.

   SUSE Linux 9.0:
   patch rpm(s):
   source rpm(s):

   SUSE Linux 8.2:
   patch rpm(s):
   source rpm(s):

   SUSE Linux 8.1:
   patch rpm(s):
   source rpm(s):

   x86-64 Platform:
   SUSE Linux 9.0:
   patch rpm(s):
   source rpm(s):


5)  Pending vulnerabilities in SUSE Distributions and Workarounds:

    - opera
    New opera packages are available on our ftp servers, fixing
    CAN-2004-0691, CAN-2004-0597, CAN-2004-0598, CAN-2004-0599 and

    - kernel
    Update kernels for the kNFSd problem for SLES 8 and SL 8.1 have been

    - mozilla
    We are in the process of releasing updates for mozilla (and related
    browsers), fixing various issues: CAN-2004-0597, CAN-2004-0718,
    CAN-2004-0722, CAN-2004-0757, CAN-2004-0758, CAN-2004-0759,
    CAN-2004-0760, CAN-2004-0761, CAN-2004-0762, CAN-2004-0763,
    CAN-2004-0764 and CAN-2004-0765.
    We will give you concrete details in a separate mozilla advisory when
    the updates are available.


6)  standard appendix: authenticity verification, additional information

 - Package authenticity verification:

   SUSE update packages are available on many mirror ftp servers all over
   the world. While this service is being considered valuable and important
   to the free and open source software community, many users wish to be
   sure about the origin of the package and its content before installing
   the package. There are two verification methods that can be used
   independently from each other to prove the authenticity of a downloaded
   file or rpm package:
   1) md5sums as provided in the (cryptographically signed) announcement.
   2) using the internal gpg signatures of the rpm package.

   1) execute the command
      after you downloaded the file from a SUSE ftp server or its mirrors.
      Then, compare the resulting md5sum with the one that is listed in the
      announcement. Since the announcement containing the checksums is
      cryptographically signed (usually using the key security () suse de),
      the checksums show proof of the authenticity of the package.
      We recommend against subscribing to security lists which cause the
      email message containing the announcement to be modified so that
      the signature does not match after transport through the mailing
      list software.
      Downsides: You must be able to verify the authenticity of the
      announcement in the first place. If RPM packages are being rebuilt
      and a new version of a package is published on the ftp server, all
      md5 sums for the files are useless.

   2) rpm package signatures provide an easy way to verify the authenticity
      of an rpm package. Use the command
       rpm -v --checksig <file>
      to verify the signature of the package, where <file> is the
      filename of the rpm package that you have downloaded. Of course,
      package authenticity verification can only target an un-installed rpm
      package file.
       a) gpg is installed
       b) The package is signed using a certain key. The public part of this
          key must be installed by the gpg program in the directory
          ~/.gnupg/ under the user's home directory who performs the
          signature verification (usually root). You can import the key
          that is used by SUSE in rpm packages for SUSE Linux by saving
          this announcement to a file ("announcement.txt") and
          running the command (do "su -" to be root):
           gpg --batch; gpg 
          SUSE Linux distributions version 7.1 and thereafter install the
          key "build () suse de" upon installation or upgrade, provided that
          the package gpg is installed. The file containing the public key
          is placed at the top-level directory of the first CD (pubring.gpg)
          and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .

 - SUSE runs two security mailing lists to which any interested party may

   suse-security () suse com
       -   general/linux/SUSE security discussion.
           All SUSE security announcements are sent to this list.
           To subscribe, send an email to
               <suse-security-subscribe () suse com>.

   suse-security-announce () suse com
       -   SUSE's announce-only mailing list.
           Only SUSE's security announcements are sent to this list.
           To subscribe, send an email to
               <suse-security-announce-subscribe () suse com>.

   For general information or the frequently asked questions (faq) 
   send mail to:
       <suse-security-info () suse com> or
       <suse-security-faq () suse com> respectively.

   SUSE's security contact is <security () suse com> or <security () suse de>.
   The <security () suse de> public key is listed below.

   The information in this advisory may be distributed or reproduced,
   provided that the advisory is not modified in any way. In particular,
   it is desired that the clear-text signature shows proof of the
   authenticity of the text.
   SUSE Linux AG makes no warranties of any kind whatsoever with respect
   to the information contained in this security advisory.

Type Bits/KeyID    Date       User ID
pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team <security () suse de>
pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build () suse de>

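Section 1 of the advisory above describes the bug only in general terms (path sanitization that lets a client reach files outside the share), and section 2 gives "wide links = no" as a workaround. What follows is an added example, not Samba's code, showing the two checks a share server needs against the class of bug described: lexical confinement of the client's path under the share root, and, when wide links are off, a second check that the symlink-resolved target also stays inside the share. The share root, the deliberately weak sanitizer and the fake symlink table are constructed for illustration and say nothing about what Samba's own code did.

```python
"""Path confinement for a file share, the class of check the samba
advisory above concerns.  Added example, not Samba's code: the share
root and the weak sanitizer are constructed for illustration."""
import os
import posixpath

SHARE_ROOT = "/srv/samba/public"   # constructed example share


def smb_to_posix(client_path):
    """SMB clients send backslash-separated paths; normalise the separators."""
    return client_path.replace("\\", "/")


def naive_sanitise(share_root, client_path):
    """The kind of textual cleanup that does NOT confine a path: it strips
    one layer of '../' and trusts whatever is left.  Constructed bad example;
    '....//etc/passwd' becomes '..//etc/passwd' and escapes the share."""
    cleaned = smb_to_posix(client_path).replace("../", "")
    return posixpath.normpath(posixpath.join(share_root, cleaned.lstrip("/")))


def confine(share_root, client_path):
    """Resolve the client's path lexically and refuse anything that does not
    stay under share_root.  A leading separator means the share root, not
    the server's root.  Returns the confined absolute path or None."""
    root = posixpath.normpath(share_root)
    rel = smb_to_posix(client_path).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, rel))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def resolve(share_root, client_path, wide_links=False, realpath=os.path.realpath):
    """Lexical confinement first; then, unless wide links are allowed (the
    'wide links = no' workaround turns them off), also reject paths whose
    symlink-resolved target leaves the share.  `realpath` is injectable so
    the symlink policy can be exercised without touching the filesystem."""
    lexical = confine(share_root, client_path)
    if lexical is None or wide_links:
        return lexical
    real_root = realpath(posixpath.normpath(share_root))
    real = realpath(lexical)
    if real == real_root or real.startswith(real_root + "/"):
        return lexical
    return None


if __name__ == "__main__":
    for req in ("docs\\..\\readme.txt", "..\\..\\etc\\passwd", "....//etc/passwd"):
        print(f"{req!r:28} naive -> {naive_sanitise(SHARE_ROOT, req)}")
        print(f"{'':28} confined -> {confine(SHARE_ROOT, req)}")
```

The point of the lexical check is that it reasons about the normalized result rather than about the input text: a client string such as ....//etc/passwd contains no component that is literally .., so it is a harmless name under the share, whereas ..\..\etc\passwd normalizes to a path outside the root and is refused. Textual stripping of "../" blocks the obvious form but lets the disguised one through. The symlink check is the separate concern the workaround addresses: a lexically valid name inside the share may still point at /etc/shadow.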



Message: 4
Date: Tue, 5 Oct 2004 11:48:59 -0400
From: "Clairmont, Jan M" <jan.m.clairmont () citigroup com>
To: <full-disclosure () lists netsys com>
Subject: [Full-disclosure] Paranoid ramblings - what's the deal? Bounded variables aren't?

Every time I send out a memo to full-disclosure I get this mail bounce message and
it gets posted on full-disclosure.  Anybody have an idea what's happening?

Message Follows:

From: Mailer-Daemon () ic-s nl

Subject: NDN: [Full-disclosure] Shows when no limits are set or restricted shell or bat ac

Sorry. Your message could not be delivered to:

tycho,IC&S (The name was not found at the remote site. Check that the name
has been entered correctly.)

Are these guys phishing, swishing or whatever Netherlands uber alles?
Or is this just their mail-server barfing?  Should probably point dig at it
and debug it but I have gotten in trouble for that type of "help" before?

Keep on computing, even though your bytes are fried.

Jan Clairmont, Paladin of the Dept. of Insecurity Department, where no redundancy is allowed or is it redundancy is 
required, have to look that up in the book of insecurity security chapter 4 verse 3(The bible of the Mad Arab Adulah 
Medula, taken from
the NecronoMicron or the latest M$ directorate).

Unix Security Support/Consultant I think?


Full-Disclosure mailing list
Full-Disclosure () lists netsys com

End of Full-Disclosure Digest

