Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[Full-Disclosure] R: Full-disclosure Digest, Vol 3, Issue 42
From: "Tiziano Radice" <t.radice () wssitalia it>
Date: Tue, 22 Feb 2005 10:32:30 +0100

Help: please remove me from your mail list

-----Messaggio originale-----
Da: full-disclosure-bounces () lists netsys com
[mailto:full-disclosure-bounces () lists netsys com] Per conto di
full-disclosure-request () lists netsys com
Inviato: martedì 22 febbraio 2005 8.17
A: full-disclosure () lists netsys com
Oggetto: Full-Disclosure Digest, Vol 3, Issue 42

Send Full-Disclosure mailing list submissions to
        full-disclosure () lists netsys com

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.netsys.com/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
        full-disclosure-request () lists netsys com

You can reach the person managing the list at
        full-disclosure-owner () lists netsys com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."


Today's Topics:

   1. Shadow Crew back in business (n3td3v)
   2. iDEFENSE Security Advisory 02.21.05: Multiple     PuTTY SFTP
      Client Packet Parsing Integer Overflow Vulnerabilities
      (idlabs-advisories () idefense com)
   3. SD Server 4.0.70 Directory Traversal Bug (CorryL)
   4. iDEFENSE Security Advisory 02.21.05: Multiple     Unix/Linux
      Vendor    cURL/libcURL NTLM Authentication Buffer Overflow
      Vulnerability (idlabs-advisories () idefense com)
   5. iDEFENSE Security Advisory 02.21.05: Multiple     Unix/Linux
      Vendor    cURL/libcURL Kerberos Authentication Buffer Overflow
      Vulnerability (idlabs-advisories () idefense com)
   6. [ GLSA 200502-28 ] PuTTY: Remote code execution (Luke Macken)
   7. [gentoo-announce] [ GLSA 200502-28 ] PuTTY:       Remote code
      execution (Luke Macken)
   8. Awake a modem with AT commands (action09)
   9. Sourceforge security contact to the white courtesy phone
      please. (J.A. Terranson)
  10. Delivery by mail (Rizwanalikhan)
  11. Re: Arkeia Network Backup Client Remote Access (H D Moore)
  12. phpBB Fixed full path disclosure in username      handling -
      2.0.11 (Aaron Horst)
  13. Registration is accepted (Rizwanalikhan)


----------------------------------------------------------------------

Message: 1
Date: Mon, 21 Feb 2005 17:47:40 +0000
From: n3td3v <xploitable () gmail com>
Subject: [Full-disclosure] Shadow Crew back in business
To: full-disclosure () lists netsys com
Message-ID: <4b6ee93105022109476c88ac53 () mail gmail com>
Content-Type: text/plain; charset=US-ASCII

The Shadow Crew who are under investigation and the American Secret
Service replaced the homepage of, with a federal notice, is back in
business on a new domain.

Seen today on the popular chat service Yahoo! Chat, spamming its
advert as the alias "fire_p0w3r"

An example of the spam is below:

fire_p0w3r: Want CC ? Credit Cards and Carding Related Subjects ,
Cyberspace , Novelty Identification, Documents and other Related
Subjects , Tutorials and How-To's , Non-business related talks  ,
Scumbags & Rippers , Hardware and Other Related Subjects , Vendor's
products & services , Request Review , Auction Forum , Feedbacks ,
STRICTLY BUSINESS , Then Come And Register At www.Shadow-Crew.net NOW
!

Hopefully the American Secret Service will shut this site down like
they did with the other.

I advise Yahoo! to suspend the account fire_p0w3r, while keeping the
connection information for when the American Secret Service come to
get it from you.

Thanks, n3td3v

My list is located at http://groups-beta.google.com/group/n3td3v if
you want off-list contact.

Hi to Yahoo! Security Team and the American Secret Service, n3td3v is
always happy to provide intelligence to take away silly groups like
Shadow Crew.


------------------------------

Message: 2
Date: Mon, 21 Feb 2005 13:02:24 -0500
From: idlabs-advisories () idefense com
Subject: [Full-disclosure] iDEFENSE Security Advisory 02.21.05:
        Multiple        PuTTY SFTP Client Packet Parsing Integer Overflow
        Vulnerabilities
To: <idlabs-advisories () idefense com>
Message-ID:
        <FB24803D1DF2A34FA59FC157B77C970503E24608 () idserv04 idef com>
Content-Type: text/plain;       charset="iso-8859-1"

Multiple PuTTY SFTP Client Packet Parsing Integer Overflow
Vulnerabilities 

        
www.idefense.com/application/poi/display?id=201&type=vulnerabilities
February 21, 2005

I. BACKGROUND

PuTTY is a free implementation of Telnet and SSH for Win32 and Unix
platforms, along with an xterm terminal emulator.

More information is available on the vendor's website:
http://www.chiark.greenend.org.uk/~sgtatham/putty/

II. DESCRIPTION

Remote exploitation of multiple integer overflow vulnerabilities in 
Simon Tatham's PuTTY can allow attackers to execute arbitrary code.

The first vulnerability specifically exists due to insufficient 
validation of user-supplied data passed to a memcpy function. The PuTTY 
sftp implementation allows attackers to supply arbitrary values for the 
stored length of the string in the packet. This may be observed in the 
sftp_pkt_getstring() function from sftp.c in PuTTY source code:

static void sftp_pkt_getstring(struct sftp_packet *pkt,
                               char **p, int *length)
{                              
    *p = NULL;
    if (pkt->length - pkt->savedpos < 4)
        return;        
    /* length value is taken from user-supplied data */
    *length = GET_32BIT(pkt->data + pkt->savedpos);
    pkt->savedpos += 4;
    /* this check will be passed if length < 0 */
    if (pkt->length - pkt->savedpos < *length)  
        return;                                  
    *p = pkt->data + pkt->savedpos;
    pkt->savedpos += *length;
}

This function is called from fxp_open_recv() and passes the returned 
string pointer and string length to the mkstr() function:


struct fxp_handle *fxp_open_recv(struct sftp_packet *pktin,
                 struct sftp_request *req)
{
    ...
    /* sftp_pkt_getstring call with controlled len value */
    sftp_pkt_getstring(pktin, &hstring, &len);  
    ...
    handle = snew(struct fxp_handle);
    /* heap corruption will occur if len == -1 */
    handle->hstring = mkstr(hstring, len);      
    handle->hlen = len;
    sftp_pkt_free(pktin);
    return handle;
    ...
}

If length is passed as -1, a malloc(0) will occur when the snewn() macro 
is called:

static char *mkstr(char *s, int len)
{
    /* malloc(0) if len == -1 */
    char *p = snewn(len + 1, char);  
    /* user controlled heap corruption */
    memcpy(p, s, len);
    p[len] = '\0';
    return p;
}

Finally, when the memcpy function is called heap corruption will occur
leading to potential code execution.

The second vulnerability specifically exists due to insufficient
validation of user-supplied data passed to a malloc function. This may 
be observed in the fxp_readdir_recv() function from PuTTY source code:

struct fxp_names *fxp_readdir_recv(struct sftp_packet *pktin,
                                   struct sftp_request *req) {
        /* 32 bit value from packet */
        ret->nnames = sftp_pkt_getuint32(pktin);
        /*
         * The integer overflow occurs when ret->nnames is referenced
         * the snewn macro calls malloc() wrapper
         * #define snewn(n, type) ((type *)smalloc((n)*sizeof(type)))
         */
        ret->names = snewn(ret->nnames, struct fxp_name);
        for (i = 0; i < ret->nnames; i++) {
            char *str;
            int len;
            sftp_pkt_getstring(pktin, &str, &len);
            /* pointer to arbitrary data from packet */
            ret->names[i].filename = mkstr(str, len);
            sftp_pkt_getstring(pktin, &str, &len);
            /* pointer to arbitrary data from packet */
            ret->names[i].longname = mkstr(str, len);
            /* pointer to arbitrary data from packet */
            ret->names[i].attrs = sftp_pkt_getattrs(pktin);
    }

This function is called from scp_get_sink_action() in scp.c and 
sftp_cmd_ls() in sftp.c and can lead to remote code execution via heap 
corruption. Sample debugger output of heap corruption is shown below:

psftp> ls
Listing directory /home/test

Program received signal SIGSEGV, Segmentation fault.
0x4009173c in memcpy () from /lib/libc.so.6
(gdb) bt
#0  0x4009173c in memcpy () from /lib/libc.so.6
#1  0x0805675f in mkstr (s=0x4e20 <Address 0x4e20 out of bounds>, len=0)
#2  0x0805748e in fxp_readdir_recv (pktin=0x809bc10, req=0x4e20)
#3  0x0804f7b8 in sftp_cmd_ls (cmd=0x4e20) at ../psftp.c:251
#4  0x08051955 in do_sftp (mode=0, modeflags=0, batchfile=0x0)
#5  0x080525f8 in psftp_main (argc=4, argv=0xbffff494)
#6  0x08080500 in main (argc=20000, argv=0x4e20)
(gdb) up 2
#2  0x0805748e in fxp_readdir_recv (pktin=0x809bc10, req=0x4e20)
952                 ret->names[i].filename = mkstr(str, len);
(gdb) x/8x *(int)pktin
0x80acc58:  0x01000068  0x66666600  0x00000067  0x42424208
0x80acc68:  0x42424242  0x00000042  0x44444408  0x44444444
(gdb) print (struct sftp_packet)pktin
$2 = {data = 0x809bc10 "XL\n\bYF", length = 134885120,
maxlen = -1073744968, savedpos = 134551097, type = 134885088} 


III. ANALYSIS

Successful exploitation allows remote attackers to execute arbitrary 
code under the privileges of the user running PuTTY. The client must be 
directed to connect to a malicious server in order to trigger the 
vulnerability. It should be noted that this vulnerability may affect 
applications which use PuTTY source code or binaries as a SSH protocol 
backend. An example of one such product would be WinSCP3, a popular 
graphical sftp/scp application for Windows.

IV. DETECTION

iDEFENSE has confirmed that PuTTY 0.56 is vulnerable. It is suspected 
that earlier versions are also vulnerable. 

The following vendors distribute susceptible PuTTY packages within 
their respective operating system distributions: 

* FreeBSD Project: 
        FreeBSD 4.9, 4.10, 5.0, 5.1 and 5.2.1 

* Gentoo Foundation Inc.: 
        Gentoo Linux 1.1a, 1.2, 1.4, 2004.0, 2004.1 and 2004.2
        
V. WORKAROUND

Use an alternate SSH client to connect to untrusted hosts until the 
vendor releases a patch.

VI. VENDOR RESPONSE

Vendor advisories for these issues are available at:

http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-string.
html

http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-readdir
.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2005-0467 to these issues. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

02/18/2005  Initial vendor notification
02/19/2005  Initial vendor response
02/21/2005  Public disclosure

IX. CREDIT

Gakl Delalleau credited with this discovery. 

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright ) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice () idefense com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.




------------------------------

Message: 3
Date: Mon, 21 Feb 2005 20:41:49 +0100
From: "CorryL" <corryl () sitoverde com>
Subject: [Full-disclosure] SD Server 4.0.70 Directory Traversal Bug
To: <full-disclosure () lists netsys com>
Cc: bugtraq () securityfocus com
Message-ID: <00d001c5184d$63772bf0$0100a8c0 () server>
Content-Type: text/plain;       charset="iso-8859-1"

..:x0n3-h4ck Italian Security Team:..

/*Advisories*\

*/

Application: SD Server

Url Vendor: http://www.gdsoftware.dk/

Version: <= 4.0.70

Platforms: Windows

Bug: Directory Traversal

Exploitation: Remote

Author: CorryL

Email Author: corryl80 () gmail com

Url Author: www.x0n3-h4ck.org

*\

{Description}

The SD Server is a easy http server, A remote user can obtain files on the
system that are located outside of
the web document directory.


{Bug}

http://victimhost/../../../windows/repair/sam

A remote user succeeds to read the file sam of the system where to be in
execution SD Server.

{Vendor Status}

20/02/2005 Vendor notification

20/02/2005 Vendor response

21/02/2005 Vendor Fix the Bug

{Fix}

In version 4.0.0.72

http://www.gdsoftware.dk/dl_file.asp?link=SDServer 4.0.0.72.zip

CorryL
corryl80 () gmail com
www.x0n3-h4ck.org
Italian Security Team

_________________________________
www.seekstat.it is your web stat


------------------------------

Message: 4
Date: Mon, 21 Feb 2005 15:28:41 -0500
From: idlabs-advisories () idefense com
Subject: [Full-disclosure] iDEFENSE Security Advisory 02.21.05:
        Multiple        Unix/Linux Vendor       cURL/libcURL NTLM
Authentication Buffer
        Overflow Vulnerability
To: <idlabs-advisories () idefense com>
Message-ID:
        <FB24803D1DF2A34FA59FC157B77C970503E24617 () idserv04 idef com>
Content-Type: text/plain;       charset="us-ascii"

Multiple Unix/Linux Vendor cURL/libcURL NTLM Authentication Buffer
Overflow Vulnerability

iDEFENSE Security Advisory 02.21.05:
www.idefense.com/application/poi/display?id=202&type=vulnerabilities
February 21, 2005

I. BACKGROUND

cURL is a command line tool for transferring files with URL syntax,
supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP.
More information about cURL and libcURL is available from:

    http://curl.haxx.se/

II. DESCRIPTION

Remote exploitation of a stack-based buffer overflow in various Unix /
Linux vendors implementations of cURL could allow for arbitrary code
execution on the targeted host.

An exploitable stack-based buffer overflow condition exists when using
NT Lan Manager (NTLM) authentication. The problem specifically exists
within Curl_input_ntlm() defined in lib/http_ntlm.c. Within this
function an unsigned stack-based character array of size 256, buffer[],
is passed to the Curl_base64_decode() routine defined in lib/base64.c as
can be seen here:

    size_t size = Curl_base64_decode(header, (char *)buffer);

The Curl_base64_decode() routine relies on the calling function to
validate the decoded length. This function base64 decodes and copies
data directly from the HTTP reply of a server to the destination buffer,
in this case buffer[]. An attacker can construct a long base64 encoded
malicious payload that upon decoding will overflow the 256 byte static
buffer and overwrite the saved EIP. This in turn can lead to arbitrary
code execution.

III. ANALYSIS

Successful exploitation allows remote attackers to execute arbitrary
code
under the privileges of the target user. Exploitation requires that an
attacker either coerce or force a target to connect to a malicious
server using NTLM authentication.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in cURL
version 7.12.1. It is suspected that prior versions are affected as
well.
Any application built using a vulnerable version libcURL will also be
affected.

V. WORKAROUND

Replace the static buffer allocation on line 106 in lib/http_ntlm.c:

    unsigned char buffer[256];

With a dynamic buffer allocation:

    unsigned char *buffer = (unsigned char *)malloc(strlen(header));

and recompile cURL.

VI. VENDOR RESPONSE

No vendor response received.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

12/21/2004  Initial vendor notification - No response
02/10/2005  Secondary vendor notification - No response
02/21/2005  Public disclosure

IX. CREDIT

infamous41md[at]hotpop.com is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice () idefense com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.




------------------------------

Message: 5
Date: Mon, 21 Feb 2005 15:28:42 -0500
From: idlabs-advisories () idefense com
Subject: [Full-disclosure] iDEFENSE Security Advisory 02.21.05:
        Multiple        Unix/Linux Vendor       cURL/libcURL Kerberos
Authentication Buffer
        Overflow Vulnerability
To: <idlabs-advisories () idefense com>
Message-ID:
        <FB24803D1DF2A34FA59FC157B77C970503E24618 () idserv04 idef com>
Content-Type: text/plain;       charset="us-ascii"

Multiple Unix/Linux Vendor cURL/libcURL Kerberos Authentication Buffer
Overflow Vulnerability

iDEFENSE Security Advisory 02.21.05:
www.idefense.com/application/poi/display?id=203&type=vulnerabilities
February 21, 2005

I. BACKGROUND

cURL is a command line tool for transferring files with URL syntax,
supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP.
More information about cURL and libcURL is available from:

    http://curl.haxx.se/

II. DESCRIPTION

Remote exploitation of a stack-based buffer overflow in various Unix /
Linux vendors' implementation of cURL could allow for arbitrary code
execution on the targeted host.

An exploitable stack-based buffer overflow condition exists when using
Kerberos authentication. The problem specifically exists within the
functions Curl_krb_kauth() and krb4_auth() defined in lib/krb4.c.
Within these functions a statically allocated stack-based buffer of size
1250, from struct KTEXT_ST.dat, is passed to the Curl_base64_decode()
routine defined in lib/base64.c as can be seen here:

    len = Curl_base64_decode(p, (char *)adat.dat);
    tmp = Curl_base64_decode(p, (char *)tkt.dat);

The Curl_base64_decode() routine relies on the calling function to
validate the decoded length. This function base64 decodes and copies
data directly from the HTTP reply of a server to the destination buffer,
in this case buffer[]. An attacker can construct a long base64 encoded
malicious payload that upon decoding will overflow the static buffer and
overwrite the saved EIP. This in turn can lead to arbitrary code
execution.

III. ANALYSIS

Successful exploitation allows remote attackers to execute arbitrary
code
under the privileges of the target user. Exploitation requires that an
attacker either coerce or force a target to connect to a malicious
server using Kerberos authentication.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in cURL
version 7.12.1. It is suspected that prior versions are affected as
well.
Any application built using a vulnerable version libcURL will also be
affected.

V. WORKAROUND

Recompile cURL without Kerberos support if it is not needed.

VI. VENDOR RESPONSE

No vendor response received.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

12/23/2004  Initial vendor notification - No response
02/10/2005  Secondary vendor notification - No response
02/21/2005  Public disclosure

IX. CREDIT

infamous41md[at]hotpop.com is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice () idefense com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.




------------------------------

Message: 6
Date: Mon, 21 Feb 2005 16:01:26 -0500
From: Luke Macken <lewk () gentoo org>
Subject: [Full-disclosure] [ GLSA 200502-28 ] PuTTY: Remote code
        execution
To: gentoo-announce () gentoo org
Cc: security-alerts () linuxsecurity com, bugtraq () securityfocus com,
        full-disclosure () lists netsys com
Message-ID: <20050221210126.GA18728 () tomservo hsd1 ma comcast net>
Content-Type: text/plain; charset="us-ascii"

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200502-28
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: PuTTY: Remote code execution
      Date: February 21, 2005
      Bugs: #82753
        ID: 200502-28

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

PuTTY was found to contain vulnerabilities that can allow a malicious
SFTP server to execute arbitrary code on unsuspecting PSCP and PSFTP
clients.

Background
==========

PuTTY is a popular SSH client, PSCP is a secure copy implementation,
and PSFTP is a SSH File Transfer Protocol client.

Affected packages
=================

    -------------------------------------------------------------------
     Package         /  Vulnerable  /                       Unaffected
    -------------------------------------------------------------------
  1  net-misc/putty       < 0.57                               >= 0.57

Description
===========

Two vulnerabilities have been discovered in the PSCP and PSFTP clients,
which can be triggered by the SFTP server itself. These issues are
caused by the improper handling of the FXP_READDIR response, along with
other string fields.

Impact
======

An attacker can setup a malicious SFTP server that would send these
malformed responses to a client, potentially allowing the execution of
arbitrary code on their system.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PuTTY users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/putty-0.57"

References
==========

  [ 1 ] PuTTY vulnerability vuln-sftp-readdir
 
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-readdir
.html
  [ 2 ] PuTTY vulnerability vuln-sftp-string
 
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-string.
html
  [ 3 ] CAN-2005-0467
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0467
  [ 4 ] iDEFENSE Advisory
 
http://www.idefense.com/application/poi/display?id=201&type=vulnerabilities

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200502-28.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :
http://lists.netsys.com/pipermail/full-disclosure/attachments/20050221/0cd06
bdd/attachment-0001.bin

------------------------------

Message: 7
Date: Mon, 21 Feb 2005 16:01:26 -0500
From: Luke Macken <lewk () gentoo org>
Subject: [Full-disclosure] [gentoo-announce] [ GLSA 200502-28 ] PuTTY:
        Remote code execution
To: the_eye () drei at
Cc: security-alerts () linuxsecurity com, bugtraq () securityfocus com,
        full-disclosure () lists netsys com
Message-ID: <20050221210126.GA18728 () tomservo hsd1 ma comcast net>
Content-Type: text/plain; charset="us-ascii"

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200502-28
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: PuTTY: Remote code execution
      Date: February 21, 2005
      Bugs: #82753
        ID: 200502-28

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

PuTTY was found to contain vulnerabilities that can allow a malicious
SFTP server to execute arbitrary code on unsuspecting PSCP and PSFTP
clients.

Background
==========

PuTTY is a popular SSH client, PSCP is a secure copy implementation,
and PSFTP is a SSH File Transfer Protocol client.

Affected packages
=================

    -------------------------------------------------------------------
     Package         /  Vulnerable  /                       Unaffected
    -------------------------------------------------------------------
  1  net-misc/putty       < 0.57                               >= 0.57

Description
===========

Two vulnerabilities have been discovered in the PSCP and PSFTP clients,
which can be triggered by the SFTP server itself. These issues are
caused by the improper handling of the FXP_READDIR response, along with
other string fields.

Impact
======

An attacker can setup a malicious SFTP server that would send these
malformed responses to a client, potentially allowing the execution of
arbitrary code on their system.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PuTTY users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/putty-0.57"

References
==========

  [ 1 ] PuTTY vulnerability vuln-sftp-readdir
 
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-readdir
.html
  [ 2 ] PuTTY vulnerability vuln-sftp-string
 
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-string.
html
  [ 3 ] CAN-2005-0467
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0467
  [ 4 ] iDEFENSE Advisory
 
http://www.idefense.com/application/poi/display?id=201&type=vulnerabilities

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200502-28.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :
http://lists.netsys.com/pipermail/full-disclosure/attachments/20050221/0cd06
bdd/attachment-0002.bin

------------------------------

Message: 8
Date: Tue, 22 Feb 2005 00:17:08 +0100
From: action09 <action09 () aimao org>
Subject: [Full-disclosure] Awake a modem with AT commands
To: full-disclosure () lists netsys com
Message-ID: <1109027828.5917.18.camel () workstation>
Content-Type: text/plain

Hi! 
I'm looking for specially crafted Hayes AT commands to awake a computer
( behind a firewall, connected to an internal LAN , but --also--
connected to an external phone line ) .

The machine is a Windows 2K Pro, someone can help please ?

Is there a way to awake a dialup modem, have a shell on it after ? how ?

Thx a by advance dor any clue.

sorry for my bad english.

A-Xess





------------------------------

Message: 9
Date: Mon, 21 Feb 2005 17:44:24 -0600 (CST)
From: "J.A. Terranson" <measl () mfn org>
Subject: [Full-disclosure] Sourceforge security contact to the white
        courtesy phone please.
To: full-disclosure () lists netsys com
Message-ID: <20050221173916.H61960 () ubzr zsa bet>
Content-Type: TEXT/PLAIN; charset=US-ASCII


Good (morning||afternoon||evening||grief),

        I have been trying to reach the Security contact, in fact ANY
security contact at Sourceforge for several days now, to no avail.

        I *urgently* need to speak to someone over there.  And, while
we're at it, I note publicly that (a) Your switchboard has no option for
Security, (b) your operator never answers, (c) the name I was trying for a
while is accepted by the automated attendant yet refused when transferred
("That number cannot be reached from here"), and (d) Sending to your role
accounts does not get the desired response.

        Email to measl () mfn org or a phone call to the mfn.org role account
should both work.  I would STRONGLY recommend that someone over there call
me whenever they see this, regardless of time of day or night.

-- 
Yours,

J.A. Terranson
sysadmin () mfn org
0xBD4A95BF

"Quadriplegics think before they write stupid pointless
shit...because they have to type everything with their noses."

        http://www.tshirthell.com/



------------------------------

Message: 10
Date: Mon, 21 Feb 2005 20:19:41 +0800
From: "Rizwanalikhan" <rizwanalikhan74 () yahoo com>
Subject: [Full-disclosure] Delivery by mail
To: "Full-disclosure" <full-disclosure () lists netsys com>
Message-ID: <vyaunvbhudswagtoqer () lists netsys com>
Content-Type: text/plain; charset="us-ascii"

An HTML attachment was scrubbed...
URL:
http://lists.netsys.com/pipermail/full-disclosure/attachments/20050221/f862d
0d3/attachment-0001.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: siupd02.cpl
Type: application/octet-stream
Size: 32148 bytes
Desc: not available
Url :
http://lists.netsys.com/pipermail/full-disclosure/attachments/20050221/f862d
0d3/siupd02-0001.obj

------------------------------

Message: 11
Date: Mon, 21 Feb 2005 21:01:29 -0600
From: H D Moore <fdlist () digitaloffense net>
Subject: Re: [Full-disclosure] Arkeia Network Backup Client Remote
        Access
To: full-disclosure () lists netsys com
Message-ID: <200502212101.29457.fdlist () digitaloffense net>
Content-Type: text/plain;  charset="iso-8859-1"

Just to clarify, the user manual *does* mention client security and gives 
instructions for locking down the Arkeia agent. Unfortunately this is not 
enabled by default and only restricts access on a per-host basis.

Appendix B: System Security (not sure how I missed this before)
ftp://ftp.arkeia.com/pub/manual/arkeia5/anb/Arkeia_User_Manual.pdf

-HD

On Sunday 20 February 2005 14:41, I wrote:
Anyone able to connect to TCP port 617 can gain read/write access to
the filesystem of any host running the Arkeia agent software.


------------------------------

Message: 12
Date: Tue, 22 Feb 2005 00:12:07 -0500
From: Aaron Horst <anthrax101 () gmail com>
Subject: [Full-disclosure] phpBB Fixed full path disclosure in
        username        handling - 2.0.11
To: full-disclosure () lists netsys com
Message-ID: <ab13993b05022121122c3c2437 () mail gmail com>
Content-Type: text/plain; charset=US-ASCII

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I. BACKGROUND

phpBB is a high powered, fully scalable, and highly customizable Open
Source bulletin board package. phpBB has a user-friendly interface,
simple and straightforward administration panel, and helpful FAQ.
Based on the powerful PHP server language and your choice of MySQL,
MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the
ideal free community solution for all web sites.

II. DESCRIPTION

The phpbb_clean_username function has an improper order of execution
allowing path and SQL table disclosure. The substr function should be
called before extra backslash (\) characters are stripped from the
string to force valid SQL requests. If it is not stripped after the
substr command, it is possible to remove the second backslash
character in a previously addslashes string (\). The following code
around line 80 in includes\functions.php is the problem:

$username = htmlspecialchars(rtrim(trim($username), "\\"));
$username = substr(str_replace("\\'", "'", $username), 0, 25);
$username = str_replace("'", "\\'", $username);

This is a trivial error, not very worrying. In some configurations
this could possibly be used for either cross site scripting or SQL
injection, however it does not appear that phpBB v2.0.11 is
vulnerable to these attacks.

The following actions are susceptible to this attack:

Login
Password reminder
Add a member to a group
Post by a user who is not logged in
Search by username
Search for username
Send private message
View users profile

To attack any of these actions, attempt to submit the username
"ABCDEFGHIJKLMNOPQRSTUVWX\YZ" (Note \ character, there must be
trailing characters after that character)

III. FIX

To alleviate this issue, the code around line 80 of
includes\functions.php should be changed as follows:

$username = substr(htmlspecialchars(str_replace("\\'", "'",
trim($username))), 0, 25);
$username = rtrim($username, "\\");
$username = str_replace("'", "\\'", $username);

An upgrade to phpBB v2.0.12 includes this fix.

III. ANALYSIS

This report was created based on phpBB v2.0.11. It was discovered on
12/30/04. It was also independently discovered by kaosone+[ONE]+ on
2/19/04, and posted to the bugtraq mailing list.



AnthraX101

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com

iQA/AwUBQhq/Aw4h295M1tC9EQJW2wCgh8jhb97Vc4ZlUkzm/i5VtEiBQ1QAoKuH
UMHOhx0R9jRTU58YO5Oq91C5
=192I
-----END PGP SIGNATURE-----


------------------------------

Message: 13
Date: Tue, 22 Feb 2005 02:18:41 +0800
From: "Rizwanalikhan" <rizwanalikhan74 () yahoo com>
Subject: [Full-disclosure] Registration is accepted
To: "Full-disclosure" <full-disclosure () lists netsys com>
Message-ID: <ozpjbjlsflodsusbwea () lists netsys com>
Content-Type: text/plain; charset="us-ascii"

An HTML attachment was scrubbed...
URL:
http://lists.netsys.com/pipermail/full-disclosure/attachments/20050222/29bab
00a/attachment.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: zupd02.scr
Type: application/octet-stream
Size: 29227 bytes
Desc: not available
Url :
http://lists.netsys.com/pipermail/full-disclosure/attachments/20050222/29bab
00a/zupd02.obj

------------------------------

_______________________________________________
Full-Disclosure mailing list
Full-Disclosure () lists netsys com
https://lists.netsys.com/mailman/listinfo/full-disclosure


End of Full-Disclosure Digest, Vol 3, Issue 42
**********************************************



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • [Full-Disclosure] R: Full-disclosure Digest, Vol 3, Issue 42 Tiziano Radice (Feb 22)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault