Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Full-disclosure Digest, Vol 12, Issue 39
From: "DONNY MCCOY" <DMCCOY () bbl-inc com>
Date: Tue, 21 Feb 2006 14:18:15 -0500

I will be in Cary, NC through Thursday and will return to Syracuse on Friday.  I will check voicemail and e-mail 
periodically as time allows.

If your e-mail is urgent please contact the help desk in Syracuse at x19511.

Thanks.

Donny

full-disclosure 02/21/06 14:16 >>>

Send Full-Disclosure mailing list submissions to
        full-disclosure () lists grok org uk

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.grok.org.uk/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
        full-disclosure-request () lists grok org uk

You can reach the person managing the list at
        full-disclosure-owner () lists grok org uk

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."


Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you.


Today's Topics:

   1. Re: Quarantine your infected users spreading malware
      (Simon Richter)
   2. re: Insecurity in Finnish parlament (computers)
      (Juha-Matti Laurio)
   3. Re: Quarantine your infected users spreading      malware
      (Nigel Horne)
   4. Re: Re: User Enumeration Flaw (Michael Holstein)
   5. Re: Compromised hosts lists (James Lay)
   6. Compromised host list - some clarification... (James Lay)
   7. Re: ?if you are not doing anything wrong, why should you
      worry about it?? (Dave Korn)
   8. Re: Forum / Site redone (Dave Korn)
   9. Re: Re: Forum / Site redone (Nigel Horne)
  10. re: Insecurity in Finnish parlament (computers) (Markus Jansson)
  11. re: Insecurity in Finnish parlament (computers)
      (Juha-Matti Laurio)
  12. [USN-256-1] bluez-hcidump vulnerability (Martin Pitt)
  13. [USN-254-1] noweb vulnerability (Martin Pitt)
  14. [USN-255-1] openssh vulnerability (Martin Pitt)
  15. msgina.dll (khaalel)
  16. Re: Compromised host list - some clarification...
      (Robert P. McKenzie)
  17. Re: ?if you are not doing a =?WINDOWS-1252?Q?nything_wrong,
      _why_should_you_worry_about_it=3F=94?= (Steve Kudlak)
  18. www.wpad.net (Prabhat Sharma)
  19. SV: [Full-disclosure] msgina.dll (Jan Nielsen)
  20. [ GLSA 200602-12 ] GPdf: Heap overflows in        included Xpdf code
      (Thierry Carrez)
  21. Re: www.wpad.net (TheGesus)
  22. Re: Compromised host list - some clarification... (Dean Pierce)
  23. Re: Compromised host list - some clarification... (James Lay)
  24. Re: Compromised hosts lists  (Valdis.Kletnieks () vt edu)
  25. Re: Re: Forum / Site redone (Dave Korn)


----------------------------------------------------------------------

Message: 1
Date: Tue, 21 Feb 2006 13:05:42 +0100
From: Simon Richter <Simon.Richter () hogyros de>
Subject: Re: [Full-disclosure] Quarantine your infected users
        spreading malware
To: Gadi Evron <ge () linuxbox org>
Cc: "full-disclosure () lists grok org uk"
        <full-disclosure () lists grok org uk>, bugtraq () securityfocus com
Message-ID: <43FB0216.4090403 () hogyros de>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

Gadi Evron wrote:

As many of us know, handling such users on tech support is not very 
cost-effective to ISP's, as if a user makes a call the ISP already 
losses money on that user. Than again, paying abuse desk personnel just 
so that they can disconnect your users is losing money too.

Which one would you prefer?

Choice. The difference between a bug and a feature is that you can turn 
the feature off. If an ISP offers filters as a feature, I say more power 
to them.

    Simon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 307 bytes
Desc: OpenPGP digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/812a887e/signature-0001.bin

------------------------------

Message: 2
Date: Tue, 21 Feb 2006 14:07:50 +0200 (EET)
From: Juha-Matti Laurio <juha-matti.laurio () netti fi>
Subject: re: [Full-disclosure] Insecurity in Finnish parlament
        (computers)
To: Markus Jansson <markus.jansson () hushmail com>
Cc: full-disclosure () lists grok org uk
Message-ID:
        <2419544.484291140523670940.JavaMail.juha-matti.laurio () netti fi>
Content-Type: text/plain; Charset=iso-8859-1; Format=Flowed

Markus Jansson wrote:
Good article, but it lacks one important aspect of the fiasco:
TeliaSonera also disabled crypto (A5/1) on GSM:s for some time, which 
made it possible to eavesdrop on its/goverments GSM:s. This was a the 
"big" fuzz.

I'm aware about these claims, but Mr. Esa Korvenmaa, spokeperson of 
TeliaSonera Finland says this is not true.

BTW. How long would you think it would take them to spot 
false-base-station type of attacks near our parlament house? ;)

No facts about this and I don't want to comment.
My article doesn't handle Finnish parliament in any way.

- Juha-Matti



------------------------------

Message: 3
Date: Tue, 21 Feb 2006 12:16:13 -0000 (GMT)
From: "Nigel Horne" <njh () bandsman co uk>
Subject: Re: [Full-disclosure] Quarantine your infected users
        spreading       malware
To: full-disclosure () lists grok org uk
Message-ID:
        <4212.213.206.150.242.1140524173.squirrel () mail bandsman co uk>
Content-Type: text/plain;charset=iso-8859-15

Hi,

Gadi Evron wrote:

As many of us know, handling such users on tech support is not very
cost-effective to ISP's, as if a user makes a call the ISP already
losses money on that user.

Not necessarily true. Many ISPs charge little for set up and on going
costs, but support is only available from them via a premium rate phone
number.

Than again, paying abuse desk personnel just
so that they can disconnect your users is losing money too.

Not so much if the desk is in India or China.

-Nigel


------------------------------

Message: 4
Date: Tue, 21 Feb 2006 08:26:47 -0500
From: Michael Holstein <michael.holstein () csuohio edu>
Subject: Re: [Full-disclosure] Re: User Enumeration Flaw
To: full-disclosure () lists grok org uk
Message-ID: <43FB1517.50703 () csuohio edu>
Content-Type: text/plain; charset=us-ascii; format=flowed

That's called directory harvesting and it's hardly new. Most MTAs 
implement tarpitting of some sort, to limit VRFY or RCPT commands from a 
perticular IP to a certian threshold, before they start slowing them down.

There are also ways to silently drop (or accept with routing to 
/dev/null) a session for a recipient that isn't in an external database 
(eg: LDAP) -- and while this breaks the RFC, people do it anyway.

Ever looked at a Hotmail spam message? There will be 50 recipients ..

gbush@, hbush@, jbush@, kbush@, etc. the ones that bounce aren't real 
and get rejected. Those that don't come back get added as "valid" for 
the second round.

~Mike.

Dave Korn wrote:
Mar.Shatz () education gov il wrote:

whitehouse.gov          MX      100 mailhub-wh2.whitehouse.gov
noone () box:~$
noone () box:~$ telnet mailhub-wh2.whitehouse.gov 25
Trying 63.161.169.140...
Connected to mailhub-wh2.whitehouse.gov.
Escape character is '^]'.
220 whitehouse.gov ESMTP service at Sun, 12 Feb 2006 11:29:38 -0500
(EST) helo jojo
250 esgeop03.whitehouse.gov Hello [xxx.xxx.xxx.xxx], pleased to meet
you mail from:bob () com com
250 2.1.0 bob () com com    Sender ok
rcpt to:gbush () whitehouse gov
550 5.1.1 gbush () whitehouse gov    User unknown
rcpt to:president () whitehouse gov
250 2.1.5 president () whitehouse gov    Recipient ok
quit
221 2.0.0 esgeop03.whitehouse.gov closing connection
Connection closed by foreign host.

User enumeration at the whitehouse



  Tell DHS at once!  What would happen if Al-Qaeda could figure out that 
there was a president in the whitehouse?


    cheers,
      DaveK


------------------------------

Message: 5
Date: Tue, 21 Feb 2006 07:09:58 -0700
From: James Lay <jlay () slave-tothe-box net>
Subject: Re: [Full-disclosure] Compromised hosts lists
Cc: Full-disclosure <full-disclosure () lists grok org uk>
Message-ID: <20060221070958.749da9c9 () homebox slave-tothe-box net>
Content-Type: text/plain; charset=US-ASCII

On Mon, 20 Feb 2006 22:40:00 -0500
Valdis.Kletnieks () vt edu wrote:

On Mon, 20 Feb 2006 16:55:06 MST, James Lay said:
I had heard tale of a site that had a semi-updated list of
compromised hosts.  I was hoping that someone knows that
link...would LOVE to be able to get my firewall to get this list
and auto-create an iptables rule.  Thanks all!

That's ass backwards.

The secure way to do this is to first deny *all* traffic, and then add
specific rules for machines that you *do* want to talk to.

Think for a bit - if some random cablemodem in another timezone is on
the list, why should you stop packets from it?  Why would you want to
accept packets *before* it showed up on the list?  Why do you still
want to accept packets from *other* boxes in the same /24 or /16?

I completely agree for ports that I would have closed, but obviously I
could not simply deny *all* traffic for port 25 and 80 let's say, as I
want them open to the public.

James


------------------------------

Message: 6
Date: Tue, 21 Feb 2006 07:16:35 -0700
From: James Lay <jlay () slave-tothe-box net>
Subject: [Full-disclosure] Compromised host list - some
        clarification...
To: Full-disclosure <full-disclosure () lists grok org uk>
Message-ID: <20060221071635.7ae12788 () homebox slave-tothe-box net>
Content-Type: text/plain; charset=US-ASCII

So ok.....I'm completely positive I didn't make myself clear at all in
my previous message...go me!  Here's a web site that I did manage to
find that has a current list of open proxies:

http://www.samair.ru/proxy/index.htm

My hope is that I could find a site that has a list of currently
reported open proxies, scanners, and ssh brute force boxes.  The RBL's
pretty much have smtp covered.  I would run a cron job at midnight, wget
and grep the file, then create an iptables table to block those hosts.
This is an attempt to be more proactive then reactive...if I knew those
hosts that were actively doing naughty things, why not block them at
the get go?

Does this make sense?  Am I barking up the wrong tree?  Thanks all =)

James


------------------------------

Message: 7
Date: Tue, 21 Feb 2006 14:54:52 -0000
From: "Dave Korn" <davek_throwaway () hotmail com>
Subject: [Full-disclosure] Re: ?if you are not doing anything wrong,
        why should you worry about it??
To: full-disclosure () lists grok org uk
Message-ID: <dtf9jt$bg3$1 () sea gmane org>

Gadi Evron wrote:

"if you are not doing anything wrong, why should you worry about it?"

  If I'm not doing anything wrong then it's nobody's god-damn business but 
mine what I'm doing at all.  QED.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 





------------------------------

Message: 8
Date: Tue, 21 Feb 2006 14:57:39 -0000
From: "Dave Korn" <davek_throwaway () hotmail com>
Subject: [Full-disclosure] Re: Forum / Site redone
To: full-disclosure () lists grok org uk
Message-ID: <dtf9p4$c2k$1 () sea gmane org>

Nigel Horne wrote:
Thanks for the comments.  Site has been redone ( I re-didit )  Feel
free to keep the comments coming.

http://www.iatechconsulting.com

Why does it attempt to store 2 cookies on my machine when all I do
visit your front page?

  Because that's how PHP tracks your session ID.

Needless to say I said "no".

  http://zapatopi.net/afdb

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 





------------------------------

Message: 9
Date: Tue, 21 Feb 2006 15:05:54 -0000 (GMT)
From: "Nigel Horne" <njh () bandsman co uk>
Subject: Re: [Full-disclosure] Re: Forum / Site redone
To: full-disclosure () lists grok org uk
Message-ID:
        <5495.213.206.150.242.1140534354.squirrel () mail bandsman co uk>
Content-Type: text/plain;charset=iso-8859-15

Nigel Horne wrote:
Thanks for the comments.  Site has been redone ( I re-didit )  Feel
free to keep the comments coming.

http://www.iatechconsulting.com

Why does it attempt to store 2 cookies on my machine when all I do
visit your front page?

  Because that's how PHP tracks your session ID.

Needless to say I said "no".

Public access websites should not have session IDs just to visit their
frontpage.

    cheers,
      DaveK



------------------------------

Message: 10
Date: Tue, 21 Feb 2006 16:52:24 +0200
From: "Markus Jansson" <markus.jansson () hushmail com>
Subject: re: [Full-disclosure] Insecurity in Finnish parlament
        (computers)
To: <full-disclosure () lists grok org uk>
Message-ID: <200602211452.k1LEqSuK085801 () mailserver2 hushmail com>

On Tue, 21 Feb 2006 14:07:50 +0200 Juha-Matti Laurio <juha-
matti.laurio () netti fi> wrote:
TeliaSonera also disabled crypto (A5/1) on GSM:s for some time, 
which made it possible to eavesdrop on its/goverments GSM:s. 
This was
a the "big" fuzz.

I'm aware about these claims, but Mr. Esa Korvenmaa, spokeperson 
of TeliaSonera Finland says this is not true.

Well, several people in different discussion forums in Finland 
found it out by GSM analysing tools and posted it up. Those tools 
shown that peoples phones (in TeliaSonera network) used A5/0 
cipher, meaning that no encryption was used. I doubt that all of 
them are simultaneously lying and TeliaSonera is telling the truth. 
:D



-- 
My computer security & privacy related homepage 
http://www.markusjansson.net 
Use HushTools or GnuPG/PGP to encrypt any email 
before sending it to me to protect our privacy.



------------------------------

Message: 11
Date: Tue, 21 Feb 2006 17:10:11 +0200 (EET)
From: Juha-Matti Laurio <juha-matti.laurio () netti fi>
Subject: re: [Full-disclosure] Insecurity in Finnish parlament
        (computers)
To: Markus Jansson <markus.jansson () hushmail com>
Cc: full-disclosure () lists grok org uk
Message-ID:
        <21845207.514571140534611207.JavaMail.juha-matti.laurio () netti fi>
Content-Type: text/plain; Charset=iso-8859-1; Format=Flowed

Markus Jansson wrote:

Well, several people in different discussion forums in Finland 
found it out by GSM analysing tools and posted it up. Those tools 
shown that peoples phones (in TeliaSonera network) used A5/0 
cipher, meaning that no encryption was used. I doubt that all of 
them are simultaneously lying and TeliaSonera is telling the truth. 
:D

Yes, I have all of these related forum posts handling the use of Nokia 
Network Monitor as
printed versions.

- Juha-Matti



------------------------------

Message: 12
Date: Tue, 21 Feb 2006 16:30:40 +0100
From: Martin Pitt <martin.pitt () canonical com>
Subject: [Full-disclosure] [USN-256-1] bluez-hcidump vulnerability
To: ubuntu-security-announce () lists ubuntu com
Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com
Message-ID: <20060221153040.GB5903 () piware de>
Content-Type: text/plain; charset="us-ascii"

===========================================================
Ubuntu Security Notice USN-256-1          February 21, 2006
bluez-hcidump vulnerability
CVE-2006-0670
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

bluez-hcidump

The problem can be corrected by upgrading the affected package to
version 1.5-2ubuntu0.1 (for Ubuntu 4.10), 1.12-1ubuntu0.1 (for Ubuntu
5.04), or 1.23-0ubuntu1.1 (for Ubuntu 5.10).  In general, a standard
system upgrade is sufficient to effect the necessary changes.

Details follow:

Pierre Betouin discovered a Denial of Service vulnerability in the
handling of the L2CAP (Logical Link Control and Adaptation Layer
Protocol) layer. By sending a specially crafted L2CAP packet through a
wireless Bluetooth connection, a remote attacker could crash hcidump.

Since hcidump is mainly a debugging tool, the impact of this flaw is
very low.


Updated packages for Ubuntu 4.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.5-2ubuntu0.1.diff.gz
      Size/MD5:   117334 2be393fb2b17f097d84c4bf1e41759b8
    http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.5-2ubuntu0.1.dsc
      Size/MD5:      649 2cbb2217b51ce137d84487cc8c7e67fc
    http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.5.orig.tar.gz
      Size/MD5:   166968 346f86c8e1824a505e976d0a2c8a0578

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.5-2ubuntu0.1_amd64.deb
      Size/MD5:    25198 7d0d59b7597b7d64345e9255f29ea684

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.5-2ubuntu0.1_i386.deb
      Size/MD5:    23146 93c04094444cc482058d67cb78ca7244

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.5-2ubuntu0.1_powerpc.deb
      Size/MD5:    25446 ccfa304db68953e1d2989df0fed8259c

Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.12-1ubuntu0.1.diff.gz
      Size/MD5:     2277 09602446f4bdae6c8126e33db11f3249
    http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.12-1ubuntu0.1.dsc
      Size/MD5:      663 8efc5c10713d06de9d55613055208bca
    http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.12.orig.tar.gz
      Size/MD5:   102003 c64f44a05e3c3f036134850c8fb24a00

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.12-1ubuntu0.1_amd64.deb
      Size/MD5:    39052 4f466a14a74802cb0ea83d9859d108a9

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.12-1ubuntu0.1_i386.deb
      Size/MD5:    35048 9b767b24c3ce114a9b44cc9901335826

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.12-1ubuntu0.1_powerpc.deb
      Size/MD5:    37636 9934f9d3c03affe2a3c7d84b00cacbed

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.23-0ubuntu1.1.diff.gz
      Size/MD5:     2454 9ff0a74db5cd83914ed466a8acdf0beb
    http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.23-0ubuntu1.1.dsc
      Size/MD5:      662 5191c2d9cabb93969ce0604548ddc696
    http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.23.orig.tar.gz
      Size/MD5:   124717 24a72cfc605278f2846c786ae54230c2

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.23-0ubuntu1.1_amd64.deb
      Size/MD5:    68856 9ed3cd8a70fdf2f494002894208029a2

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.23-0ubuntu1.1_i386.deb
      Size/MD5:    62994 c6fab1702f2dab19af5bd2ff86af07a5

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/b/bluez-hcidump/bluez-hcidump_1.23-0ubuntu1.1_powerpc.deb
      Size/MD5:    69474 b75ce72ab552b0b32c301c854ea7e549
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/75d9d187/attachment-0001.bin

------------------------------

Message: 13
Date: Tue, 21 Feb 2006 16:30:44 +0100
From: Martin Pitt <martin.pitt () canonical com>
Subject: [Full-disclosure] [USN-254-1] noweb vulnerability
To: ubuntu-security-announce () lists ubuntu com
Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com
Message-ID: <20060221153044.GC5903 () piware de>
Content-Type: text/plain; charset="iso-8859-1"

===========================================================
Ubuntu Security Notice USN-254-1          February 21, 2006
noweb vulnerability
CVE-2005-3342
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

nowebm

The problem can be corrected by upgrading the affected package to
version 2.10c-3ubuntu1.1 (for Ubuntu 4.10), 2.10c-3.1ubuntu5.04.1 (for
Ubuntu 5.04), or 2.10c-3.1ubuntu5.10.1 (for Ubuntu 5.10).  In general,
a standard system upgrade is sufficient to effect the necessary
changes.

Details follow:

Javier Fern*ndez-Sanguino Pe*a discovered that noweb scripts created
temporary files in an insecure way. This could allow a symlink attack
to create or overwrite arbitrary files with the privileges of the user
running noweb.


Updated packages for Ubuntu 4.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c-3ubuntu1.1.diff.gz
      Size/MD5:    11262 c97d1934407598134e7da5d53b4c625a
    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c-3ubuntu1.1.dsc
      Size/MD5:      629 a21c779c23311c40353fee565971f7dd
    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c.orig.tar.gz
      Size/MD5:   712332 30bbacf1fb2a402410e5ad2fb600d9fc

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3ubuntu1.1_amd64.deb
      Size/MD5:   535460 2d35850c7436ec5e1c452098ab8f2f26

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3ubuntu1.1_i386.deb
      Size/MD5:   518536 7b89ab418e72de19d81aed9d1dc8aefa

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3ubuntu1.1_powerpc.deb
      Size/MD5:   522740 f5b23a14a7600e91788a6803e1453861

Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c-3.1ubuntu5.04.1.diff.gz
      Size/MD5:    11276 d692bce20df8c6e0fb64013daf7bc9e5
    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c-3.1ubuntu5.04.1.dsc
      Size/MD5:      639 6b6781615241f3d07db34b4ed951eab4
    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c.orig.tar.gz
      Size/MD5:   712332 30bbacf1fb2a402410e5ad2fb600d9fc

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3.1ubuntu5.04.1_amd64.deb
      Size/MD5:   535570 7ed60a1bfce4de9db2b6f6ca24f7544d

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3.1ubuntu5.04.1_i386.deb
      Size/MD5:   518652 973b9b6459bc21f645725f4c5013500f

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3.1ubuntu5.04.1_powerpc.deb
      Size/MD5:   522804 70fd183b24ea9c8d77ca8eb65172924f

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c-3.1ubuntu5.10.1.diff.gz
      Size/MD5:    11275 8b1c3749cd3fc5f0f5bb0909d1db527c
    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c-3.1ubuntu5.10.1.dsc
      Size/MD5:      639 3f37d4a988691727bdc9452e459ccc46
    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/noweb_2.10c.orig.tar.gz
      Size/MD5:   712332 30bbacf1fb2a402410e5ad2fb600d9fc

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3.1ubuntu5.10.1_amd64.deb
      Size/MD5:   535562 8ce18eceec28b3bb1165156e17d06f10

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3.1ubuntu5.10.1_i386.deb
      Size/MD5:   519066 5d22ae6879e674ba5dba97a10957e6c7

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/n/noweb/nowebm_2.10c-3.1ubuntu5.10.1_powerpc.deb
      Size/MD5:   522756 2ea6685d6400fc111cf093f01b7a4b39
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/c972fe8a/attachment-0001.bin

------------------------------

Message: 14
Date: Tue, 21 Feb 2006 16:30:54 +0100
From: Martin Pitt <martin.pitt () canonical com>
Subject: [Full-disclosure] [USN-255-1] openssh vulnerability
To: ubuntu-security-announce () lists ubuntu com
Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com
Message-ID: <20060221153054.GD5903 () piware de>
Content-Type: text/plain; charset="us-ascii"

===========================================================
Ubuntu Security Notice USN-255-1          February 21, 2006
openssh vulnerability
CVE-2006-0225
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

openssh-client

The problem can be corrected by upgrading the affected package to
version 1:3.8.1p1-11ubuntu3.3 (for Ubuntu 4.10), 1:3.9p1-1ubuntu2.2
(for Ubuntu 5.04), or 1:4.1p1-7ubuntu4.1 (for Ubuntu 5.10).  In
general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Tomas Mraz discovered a shell code injection flaw in scp. When doing
local-to-local or remote-to-remote copying, scp expanded shell escape
characters. By tricking an user into using scp on a specially crafted
file name (which could also be caught by using an innocuous wild card
like '*'), an attacker could exploit this to execute arbitrary shell
commands with the privilege of that user.

Please be aware that scp is not designed to operate securely on
untrusted file names, since it needs to stay compatible with rcp.
Please use sftp for automated systems and potentially untrusted file
names.


Updated packages for Ubuntu 4.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1-11ubuntu3.3.diff.gz
      Size/MD5:   147804 bcb9840f943cb185fa14cdb6639dc2de
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1-11ubuntu3.3.dsc
      Size/MD5:      880 64349db6679401abfe0f28f08a46559f
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1.orig.tar.gz
      Size/MD5:   795948 9ce6f2fa5b2931ce2c4c25f3af9ad50d

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh_3.8.1p1-11ubuntu3.3_all.deb
      Size/MD5:    30202 dc2297b42ce6e0009b30f76df0778e9c

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.8.1p1-11ubuntu3.3_amd64.udeb
      Size/MD5:   160136 968b48b5666e275656b20249cb61faa7
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.8.1p1-11ubuntu3.3_amd64.deb
      Size/MD5:   526002 306594f4386fa65366fe67e1ac9c45cc
    http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.8.1p1-11ubuntu3.3_amd64.udeb
      Size/MD5:   176398 480d6b645167bc2e9b533dd76016c429
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.8.1p1-11ubuntu3.3_amd64.deb
      Size/MD5:   264122 df6c92305d240b32b63a9add7bfc5825
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-11ubuntu3.3_amd64.deb
      Size/MD5:    53394 b4f5da405cb155f72d9d064a4d50567e

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.8.1p1-11ubuntu3.3_i386.udeb
      Size/MD5:   134290 7aaca0eb6b603910f3c3bda8d30e3999
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.8.1p1-11ubuntu3.3_i386.deb
      Size/MD5:   474992 94005876a8f9c45fa315d84264f422ce
    http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.8.1p1-11ubuntu3.3_i386.udeb
      Size/MD5:   146996 fbf6d83c68f6999aacbafc98f68eb295
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.8.1p1-11ubuntu3.3_i386.deb
      Size/MD5:   241898 55dc4bad99928d552819478c0f4d032e
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-11ubuntu3.3_i386.deb
      Size/MD5:    53072 667eab23d4b9af759774640f38ec22cd

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.8.1p1-11ubuntu3.3_powerpc.udeb
      Size/MD5:   153126 e59d9aa701310152aa4585b6b3c83df5
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.8.1p1-11ubuntu3.3_powerpc.deb
      Size/MD5:   523108 59739bfa95120ae0ee193743694a74cb
    http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.8.1p1-11ubuntu3.3_powerpc.udeb
      Size/MD5:   160376 7cbb092c954cccb014d1e564b133c1e2
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.8.1p1-11ubuntu3.3_powerpc.deb
      Size/MD5:   258268 2e38eadac1a298db3c027ee661d8a5e5
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-11ubuntu3.3_powerpc.deb
      Size/MD5:    54556 131cee0bac5d5cd080675461db8bc0c6

Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.9p1-1ubuntu2.2.diff.gz
      Size/MD5:   140942 2193e3793b51e7024784ec047cf3277c
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.9p1-1ubuntu2.2.dsc
      Size/MD5:      866 8ec4e326208aae4b8fe90f9cac0a2ca6
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.9p1.orig.tar.gz
      Size/MD5:   832804 530b1dcbfe7a4a4ce4959c0775b85a5a

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh_3.9p1-1ubuntu2.2_all.deb
      Size/MD5:    30912 0997c23a603de9b1534ee687851fd38b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.9p1-1ubuntu2.2_amd64.udeb
      Size/MD5:   166708 bc3698453fa091e69bc7f1c67b9316ef
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.9p1-1ubuntu2.2_amd64.deb
      Size/MD5:   543786 d330f2132fb0bf0295b915e7e0a453ba
    http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.9p1-1ubuntu2.2_amd64.udeb
      Size/MD5:   179156 7048312720471a8f0c50562c4301a21d
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.9p1-1ubuntu2.2_amd64.deb
      Size/MD5:   279064 5402baeb9df169b4ce6a6eddfb3a6262
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.9p1-1ubuntu2.2_amd64.deb
      Size/MD5:    62514 064f02869e9c61a56b8a4e1558d18e2c

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.9p1-1ubuntu2.2_i386.udeb
      Size/MD5:   139346 9b79999219a1cabd60930e682d671e17
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.9p1-1ubuntu2.2_i386.deb
      Size/MD5:   492224 757e828a5ccf114fe9c4be9b046850c2
    http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.9p1-1ubuntu2.2_i386.udeb
      Size/MD5:   149016 86ffa618024f36ac0097686b43b1d179
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.9p1-1ubuntu2.2_i386.deb
      Size/MD5:   255760 11f910249c6b098fce8f8020ce6d3b27
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.9p1-1ubuntu2.2_i386.deb
      Size/MD5:    62114 d5a4d9ec3011c099d2db314cf615f646

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.9p1-1ubuntu2.2_powerpc.udeb
      Size/MD5:   159854 f1a90f3cb4151736bed6f263901a4d35
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.9p1-1ubuntu2.2_powerpc.deb
      Size/MD5:   540312 287aa744564de63043d5bb134d0745d4
    http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.9p1-1ubuntu2.2_powerpc.udeb
      Size/MD5:   163302 1b019329cd84ff0a1f3960565a621fed
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.9p1-1ubuntu2.2_powerpc.deb
      Size/MD5:   273126 7ec4c43399986224b54d0f41fe8e3416
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.9p1-1ubuntu2.2_powerpc.deb
      Size/MD5:    63634 b370bc059a12a2ddc3b3afe1f772049d

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.1p1-7ubuntu4.1.diff.gz
      Size/MD5:   156844 b4cdb063563a640093c305e46f1fc87d
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.1p1-7ubuntu4.1.dsc
      Size/MD5:      971 c80c70c3c63781792a7f39d6ae01940d
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.1p1.orig.tar.gz
      Size/MD5:   909689 3709109adf0b82176668b3d3478dd033

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh_4.1p1-7ubuntu4.1_all.deb
      Size/MD5:     1048 859ffbe5d4bd5202a2eebec6e8e9ac81

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.1p1-7ubuntu4.1_amd64.udeb
      Size/MD5:   162510 1697e11d3a83142a879d04ab7b5e0ac7
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.1p1-7ubuntu4.1_amd64.deb
      Size/MD5:   584118 3947d62111b5dca4e76344dc8cca254f
    http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_4.1p1-7ubuntu4.1_amd64.udeb
      Size/MD5:   179332 51b096a5921f12614a4be6ac578c6685
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.1p1-7ubuntu4.1_amd64.deb
      Size/MD5:   223756 e73afff943deeda07de98bd52cefb9df
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.1p1-7ubuntu4.1_amd64.deb
      Size/MD5:    77824 9ce67812f993f2e4e896a46757ccd58d

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.1p1-7ubuntu4.1_i386.udeb
      Size/MD5:   138126 eff182e04cf9c7990fa49ceeb1d8a227
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.1p1-7ubuntu4.1_i386.deb
      Size/MD5:   514306 2aa78f38fad06006ac0530af8a45b821
    http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_4.1p1-7ubuntu4.1_i386.udeb
      Size/MD5:   149732 1974bc3bb64c6bd32583b78420a12047
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.1p1-7ubuntu4.1_i386.deb
      Size/MD5:   195172 df8d26ec28a6487513e2a8a8117fe090
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.1p1-7ubuntu4.1_i386.deb
      Size/MD5:    77540 9241a0dbcde2f43ca408868be70b0523

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.1p1-7ubuntu4.1_powerpc.udeb
      Size/MD5:   155720 86eec2f79139f085454334607c10825a
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.1p1-7ubuntu4.1_powerpc.deb
      Size/MD5:   568402 b295641a03748fa6d8477c6a3ef7b9ec
    http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_4.1p1-7ubuntu4.1_powerpc.udeb
      Size/MD5:   163224 497641805869834b9959f0a8ecaf9b46
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.1p1-7ubuntu4.1_powerpc.deb
      Size/MD5:   215272 85c392d0999eaf9ebe91230392aba50a
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.1p1-7ubuntu4.1_powerpc.deb
      Size/MD5:    79104 3b6db051e9e4eb17e0024c926aa4d2ac
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/c3724d87/attachment-0001.bin

------------------------------

Message: 15
Date: Tue, 21 Feb 2006 17:03:08 +0100
From: khaalel <khaalel () gmail com>
Subject: [Full-disclosure] msgina.dll
To: full-disclosure () lists grok org uk
Message-ID:
        <2d7da9270602210803v2d5f8ff0jc93e4023ba2a663b () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Hi everyboy,

I have to modify the winlogon process for a school project (in order to use
a smartcard : I bought some goldcards and javacards). After some time with
Google, I find msgina.dll  (
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/msgina.mspx)
but I don't know how to modify it (I'm a linux and bsd hacker, windows
working is a world I visit rarely...).

Did someone already work with this dll?? I'm looking for some code examples,
some tutorials, some help to know how to use a smartcard and not
login/password at startup...

Thanks...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/8a6fb90c/attachment-0001.html

------------------------------

Message: 16
Date: Tue, 21 Feb 2006 16:03:56 +0000
From: "Robert P. McKenzie" <rmckenzi () rpmdp com>
Subject: Re: [Full-disclosure] Compromised host list - some
        clarification...
To: James Lay <jlay () slave-tothe-box net>
Cc: Full-disclosure <full-disclosure () lists grok org uk>
Message-ID: <43FB39EC.6000303 () rpmdp com>
Content-Type: text/plain; charset=ISO-8859-1

James Lay wrote:
So ok.....I'm completely positive I didn't make myself clear at all in
my previous message...go me!  Here's a web site that I did manage to
find that has a current list of open proxies:

http://www.samair.ru/proxy/index.htm

My hope is that I could find a site that has a list of currently
reported open proxies, scanners, and ssh brute force boxes.  The RBL's
pretty much have smtp covered.  I would run a cron job at midnight, wget
and grep the file, then create an iptables table to block those hosts.
This is an attempt to be more proactive then reactive...if I knew those
hosts that were actively doing naughty things, why not block them at
the get go?

Does this make sense?  Am I barking up the wrong tree?  Thanks all =)

It's clear, however, as others have pointed out it's far easier to block everything and
then selectivily allow what you want to talk to you.  How do you think iptables will react
if you have say 20,000 entries in it?  My guess is it will slow your machines down.

Go the sensible route and block everything and permit the much smaller list of hosts to
connect to you.



------------------------------

Message: 17
Date: Tue, 21 Feb 2006 08:58:17 -0800
From: Steve Kudlak <chromazine () sbcglobal net>
Subject: Re: [Full-disclosure] ?if you are not doing a
        =?WINDOWS-1252?Q?nything_wrong, _why_should_you_worry_about_it=3F=94?=
To: Valdis.Kletnieks () vt edu
Cc: "full-disclosure () lists grok org uk"
        <full-disclosure () lists grok org uk>, Gadi Evron <ge () linuxbox org>
Message-ID: <43FB46A9.9000403 () sbcglobal net>
Content-Type: text/plain; charset="windows-1252"

Valdis.Kletnieks () vt edu wrote:

On Mon, 20 Feb 2006 15:42:35 PST, coderman said:
 

On 2/20/06, Gadi Evron <ge () linuxbox org> wrote:
   

...
What's to stop them from putting cameras
in our showers, next?
     

ugly fat people nekkid?
   


Guaranteed that there's a market for that, and websites already in existence.
 

------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

And this is a discussion sure to get us techies marked as crude and 
mean,  luckily we are too bright to be called stupid;)
If it is young and attractive and female (most techies are alas still 
male) it should
have on as little clothes as possible and be seen as much as possible. 
If it is
not it should go hide away and we shouldn't see it. Oh well we will get 
so marked.

Have Fun,
Sends Steve
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/e0f37938/attachment-0001.html

------------------------------

Message: 18
Date: Tue, 21 Feb 2006 22:33:27 +0530
From: "Prabhat Sharma" <hi.prabhat () gmail com>
Subject: [Full-disclosure] www.wpad.net
To: full-disclosure () lists grok org uk
Message-ID:
        <78a2a5c0602210903v27a20ee5p4dba08330bd905b () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

Does anybody's machine also tries to access www.wpad.net. I use dial up to
connect to internet and the moment I connect to internet my firewall shows
that svchost is trying to access www.wpad.net. I tried visiting
www.wpad.netwebsite and the owner of the site says that it is due to
some microsoft bug
related to Web Proxy Discovery Protocol (WPAD).

There is also a link (which I also found in other places after some
googling) of a wpad (Web Proxy Auto Discovery Protocol) draft which is
drafted by microsoft (That is what the website says).

Has anyone else faced this issue or my machine has some unwanted material.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/a267e036/attachment-0001.html

------------------------------

Message: 19
Date: Tue, 21 Feb 2006 18:08:51 +0100
From: "Jan Nielsen" <jan () boyakasha dk>
Subject: SV: [Full-disclosure] msgina.dll
To: <full-disclosure () lists grok org uk>
Message-ID: <20060221170506.7023A262826 () pfepc post tele dk>
Content-Type: text/plain; charset="iso-8859-1"

I haven't messed with GINA programming myself, but this will probably help
you get some basic understanding of it :
http://www.codeproject.com/useritems/GINA_SPY.asp
 
Jan

  _____  

Fra: boyakash () cp dnsserverhosting com
[mailto:boyakash () cp dnsserverhosting com] P* vegne af khaalel
Sendt: 21. februar 2006 17:03
Til: full-disclosure () lists grok org uk
Emne: [Full-disclosure] msgina.dll


Hi everyboy,

I have to modify the winlogon process for a school project (in order to use
a smartcard : I bought some goldcards and javacards). After some time with
Google, I find msgina.dll  (
<http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/secur
ity/msgina.mspx>
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/securi
ty/msgina.mspx) but I don't know how to modify it (I'm a linux and bsd
hacker, windows working is a world I visit rarely...). 

Did someone already work with this dll?? I'm looking for some code examples,
some tutorials, some help to know how to use a smartcard and not
login/password at startup... 

Thanks...

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/af464d12/attachment-0001.html

------------------------------

Message: 20
Date: Tue, 21 Feb 2006 18:33:06 +0100
From: Thierry Carrez <koon () gentoo org>
Subject: [Full-disclosure] [ GLSA 200602-12 ] GPdf: Heap overflows in
        included Xpdf code
To: gentoo-announce () lists gentoo org
Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com,
        security-alerts () linuxsecurity com
Message-ID: <43FB4ED2.7080601 () gentoo org>
Content-Type: text/plain; charset="iso-8859-1"

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200602-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: GPdf: Heap overflows in included Xpdf code
      Date: February 21, 2006
      Bugs: #121511
        ID: 200602-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

GPdf includes vulnerable Xpdf code to handle PDF files, making it
vulnerable to the execution of arbitrary code.

Background
==========

GPdf is a Gnome PDF viewer.

Affected packages
=================

    -------------------------------------------------------------------
     Package        /   Vulnerable   /                      Unaffected
    -------------------------------------------------------------------
  1  app-text/gpdf      < 2.10.0-r4                       >= 2.10.0-r4

Description
===========

Dirk Mueller found a heap overflow vulnerability in the XPdf codebase
when handling splash images that exceed size of the associated bitmap.

Impact
======

An attacker could entice a user to open a specially crafted PDF file
with GPdf, potentially resulting in the execution of arbitrary code
with the rights of the user running the affected application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GPdf users should upgrade to the latest version.

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/gpdf-2.10.0-r4"

References
==========

  [ 1 ] CVE-2006-0301
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0301

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200602-12.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/c158415e/signature-0001.bin

------------------------------

Message: 21
Date: Tue, 21 Feb 2006 12:43:10 -0500
From: TheGesus <thegesus () gmail com>
Subject: Re: [Full-disclosure] www.wpad.net
To: "Prabhat Sharma" <hi.prabhat () gmail com>
Cc: full-disclosure () lists grok org uk
Message-ID:
        <5e70f6530602210943s4b438576v555e099f12db7d0d () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

On 2/21/06, Prabhat Sharma <hi.prabhat () gmail com> wrote:
Hi,

Does anybody's machine also tries to access www.wpad.net. I use dial up to
connect to internet and the moment I connect to internet my firewall shows
that svchost is trying to access www.wpad.net. I tried visiting www.wpad.net
website and the owner of the site says that it is due to some microsoft bug
related to Web Proxy Discovery Protocol (WPAD).

There is also a link (which I also found in other places after some
googling) of a wpad (Web Proxy Auto Discovery Protocol) draft which is
drafted by microsoft (That is what the website says).

Has anyone else faced this issue or my machine has some unwanted material.


Actually, wpad was invented by Netscape, but screwed up by MS.

"wpad." without an extension is something like the 6th or 7th most
common illegal DNS lookup.

If you deselect "Automatic Discovery" in IE that should put an end to it.

That fellow who owns the domain names could do some pretty nasty stuff
if he ever decided to turn evil.


------------------------------

Message: 22
Date: Tue, 21 Feb 2006 10:06:50 -0800
From: Dean Pierce <piercede () pdx edu>
Subject: Re: [Full-disclosure] Compromised host list - some
        clarification...
To: James Lay <jlay () slave-tothe-box net>,
        full-disclosure () lists grok org uk
Message-ID: <43FB56BA.8090306 () pdx edu>
Content-Type: text/plain; charset="iso-8859-1"

If you need to protect your ssh from scanners, wouldn't it prolly just
be best to block people that are actually scanning you?  I use the
denyhosts script (watches logs for failed login attempts, and blocks ips
based on that), and there are a couple other good ones.  The two main
problems with your solution is..

1. how can you trust some magical offsite list so much that you are
willing to block traffic based on what it says?

2. how can you believe that such a list would ever be complete, or even
through?  New machines get taken over all the time, and my guess is that
the average lifespan of such machines is about a week or so before an
admin sees what's going on.

   - DEAN

James Lay wrote:
So ok.....I'm completely positive I didn't make myself clear at all in
my previous message...go me!  Here's a web site that I did manage to
find that has a current list of open proxies:

http://www.samair.ru/proxy/index.htm

My hope is that I could find a site that has a list of currently
reported open proxies, scanners, and ssh brute force boxes.  The RBL's
pretty much have smtp covered.  I would run a cron job at midnight, wget
and grep the file, then create an iptables table to block those hosts.
This is an attempt to be more proactive then reactive...if I knew those
hosts that were actively doing naughty things, why not block them at
the get go?

Does this make sense?  Am I barking up the wrong tree?  Thanks all =)

James
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 890 bytes
Desc: OpenPGP digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/118a43a2/signature-0001.bin

------------------------------

Message: 23
Date: Tue, 21 Feb 2006 11:32:56 -0700
From: James Lay <jlay () slave-tothe-box net>
Subject: Re: [Full-disclosure] Compromised host list - some
        clarification...
To: "Robert P. McKenzie" <rmckenzi () rpmdp com>
Cc: Full-disclosure <full-disclosure () lists grok org uk>
Message-ID: <20060221113256.4f342f01 () homebox slave-tothe-box net>
Content-Type: text/plain; charset=US-ASCII

On Tue, 21 Feb 2006 16:03:56 +0000
"Robert P. McKenzie" <rmckenzi () rpmdp com> wrote:

James Lay wrote:
So ok.....I'm completely positive I didn't make myself clear at all
in my previous message...go me!  Here's a web site that I did
manage to find that has a current list of open proxies:

http://www.samair.ru/proxy/index.htm

My hope is that I could find a site that has a list of currently
reported open proxies, scanners, and ssh brute force boxes.  The
RBL's pretty much have smtp covered.  I would run a cron job at
midnight, wget and grep the file, then create an iptables table to
block those hosts. This is an attempt to be more proactive then
reactive...if I knew those hosts that were actively doing naughty
things, why not block them at the get go?

Does this make sense?  Am I barking up the wrong tree?  Thanks all
=)

It's clear, however, as others have pointed out it's far easier to
block everything and then selectivily allow what you want to talk to
you.  How do you think iptables will react if you have say 20,000
entries in it?  My guess is it will slow your machines down.

Go the sensible route and block everything and permit the much
smaller list of hosts to connect to you.


Robert,

I do understand this, however this would not fit well for services that
are for public use..IE web or email I could not simply just deny
everyone.  But for ports that I do NOT want the public to see you
bet...block all is the way to go.  Thank you!

James


------------------------------

Message: 24
Date: Tue, 21 Feb 2006 13:43:37 -0500
From: Valdis.Kletnieks () vt edu
Subject: Re: [Full-disclosure] Compromised hosts lists 
To: James Lay <jlay () slave-tothe-box net>
Cc: Full-disclosure <full-disclosure () lists grok org uk>
Message-ID: <200602211843.k1LIhbM7014041 () turing-police cc vt edu>
Content-Type: text/plain; charset="us-ascii"

On Tue, 21 Feb 2006 07:09:58 MST, James Lay said:

I completely agree for ports that I would have closed, but obviously I
could not simply deny *all* traffic for port 25 and 80 let's say, as I
want them open to the public.

At which point a list of the 100 million or so compromised machines believed
to be out there doesn't do you much good.  (Yes, the number is likely to be
that high - at one point we were seeing several hundred thousand new zombies
*per day*.)

If you implement the block list, your machine runs like a pig (how much kernel
memory do 100M iptables rules nail down?? ;)

And you *still* have to worry about evil packets arriving on ports 25 and/or 80
from machines that haven't been *flagged* as evil yet. (Note that with 100M
rules, trying to do even daily syncs is non-trivial - and you're going to want
to do this on an hourly basis or so if you want it to be at all useful.  When
the update takes over an hour, you're in trouble.....)

Your only real choice here is to make sure that 25 and 80 (and other outward-facing
services) are as bulletproof as possible, against all packets from whatever source,
and remain vigilant.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060221/65416621/attachment-0001.bin

------------------------------

Message: 25
Date: Tue, 21 Feb 2006 19:14:52 -0000
From: "Dave Korn" <davek_throwaway () hotmail com>
Subject: [Full-disclosure] Re: Re: Forum / Site redone
To: full-disclosure () lists grok org uk
Message-ID: <dtfore$7n5$1 () sea gmane org>

Nigel Horne wrote:
Nigel Horne wrote:
Thanks for the comments.  Site has been redone ( I re-didit )  Feel
free to keep the comments coming.

http://www.iatechconsulting.com

Why does it attempt to store 2 cookies on my machine when all I do
visit your front page?

  Because that's how PHP tracks your session ID.

Needless to say I said "no".

Public access websites should not have session IDs just to visit their
frontpage.

  Like it matters the tiniest little bit at all.

  You can refuse the cookie if you want.

  You can accept it if you want the personalisation you'll get.

  You can set your browser to flush cookies at the end of the session if you 
don't want the same server to identify you next time.

  You can hang on to it indefinitely if you do.

  It takes next to no space on your hard drive, is entirely under your 
control, and it's not some kind of magical demon sent by the NSA to spy on 
you, so who cares?

  You're presenting this claim that "Public access websites" (you mean 
'publicly accessible' websites, I take it) "should not have" session IDs. 
Well, /WHY/ should they not?  This claim needs justifying.  Ethical reasons? 
Financial reasons?  Health and safety reasons?  Aesthetic reasons?  Or just 
because Nigel Horne says so, and whatever he says is so obviously patently 
right and true that all right-thinking people will just accept your word for 
it unquestioningly?


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 





------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

End of Full-Disclosure Digest, Vol 12, Issue 39
***********************************************


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]