Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Full-disclosure Digest, Vol 11, Issue 5
From: "Horatiu Bandoiu" <horatiu () provision ro>
Date: Thu, 5 Jan 2006 10:39:59 +0200

Dear Biljana,

Just a brief answer as I have a bad Internet connection till Monday.
You can count on 2 CISSP we have for the moment (this year I will have 3
or 4 CISSP in my team): Stefan Catrinescu and Ionut Boldizsar. Stefan
still has to finalize the documentation for getting the certification
(endorsement, stuff like this) but he has passed the exam and Ionut is
OK with all. If needed, I can involve several more certified people (as
we are organizing the exams, I have full access to the list). I hope it
helps. 

Kind regards,

Horatiu

--|------|||||-------|||--|----|||||--||-------|||||--||---
We PROtect your business VISION!
-------------------------------------
Horatiu BANDOIU
Business Unit Manager
Provision - information Security Expert Center (iSEC)
Tel: 0040 21 321 37 49
Fax: 0040 21 323 65 70
e-mail: horatiu () provision ro
http://www.provision.ro

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of
full-disclosure-request () lists grok org uk
Sent: Tuesday, January 03, 2006 2:00 PM
To: full-disclosure () lists grok org uk
Subject: Full-disclosure Digest, Vol 11, Issue 5

Send Full-Disclosure mailing list submissions to
        full-disclosure () lists grok org uk

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.grok.org.uk/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
        full-disclosure-request () lists grok org uk

You can reach the person managing the list at
        full-disclosure-owner () lists grok org uk

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."


Note to digest recipients - when replying to digest posts, please trim
your post appropriately. Thank you.


Today's Topics:

   1. Re: Buffer Overflow vulnerability in Windows Display      Manager
      [Suspected] (ad () heapoverflow com)
   2. Re: Win32 Heap Exploits (Nicolas RUFF)
   3. Re: Buffer Overflow vulnerability in Windows      Display Manager
      [Suspected] (InfoSecBOFH)
   4. Re: Buffer Overflow vulnerability in Windows      Display Manager
      [Suspected] (InfoSecBOFH)
   5. Re: WMF round-up, updates and de-mystification (InfoSecBOFH)
   6. Re: WMF round-up, updates and de-mystification (InfoSecBOFH)


----------------------------------------------------------------------

Message: 1
Date: Tue, 03 Jan 2006 11:12:08 +0100
From: "ad () heapoverflow com" <ad () heapoverflow com>
Subject: Re: [Full-disclosure] Buffer Overflow vulnerability in
        Windows Display Manager [Suspected]
To: Sumit Siddharth <sumit.siddharth () gmail com>,
        full-disclosure () lists grok org uk
Message-ID: <43BA4DF8.20907 () heapoverflow com>
Content-Type: text/plain; charset=ISO-8859-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
haven't such driver here , it should be a third party driver security
bug probably within "*Controller Hub for Intel Graphics Driver"*

http://www.dynamiclink.nl/htmfiles/rframes/sys-i01.htm



Sumit Siddharth wrote:
I think the problem is with the intel driver and particularly with
file
ialmnt5.sys
Hope it helps
Sumit



On 1/3/06, *Sumit Siddharth* <sumit.siddharth () gmail com
<mailto:sumit.siddharth () gmail com>> wrote:

    Dear All,
    Sorry for the delayed response.
    I  had success in exploiting it remotely by a simple javascript
    <script>window.open("http://aa...";);</script>. But i think it
    doesnt work with some drivers.I am using XP ,professional, SP2.
    and firefox 1.0.6. I am using a string of about 53,000 char to
    overflow the buffer.
    Thanks
    Sumit




--


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
 
iQIVAwUBQ7pN+K+LRXunxpxfAQKBqA//YxoeFIr1rkaCixpPr34+KpDiUAKN7xss
M6ZH3ZmpqZ03yLajS8XBWIyv5uTXDuLhUQrrObvak4n6mQ+7g6YffEYQBNyIcsEm
Gxyd8uDmkwX9MeAslByvrqobj/6i4oC4sj5Lq9Ui/JCqsw5KNaBP8ZAym48HiMFM
bI3kqvSGVm++bavWrK8+FunnVHCSDezFL64Jxh6MAVU2MNR+Z2qufC+aQtIpGw7s
nyWisynx6csTp9US5qmeuVdrcwk9DeACzX+z5eAEaevLRcl7ElcpcMht21U5scMd
FTLTtN9Ao4hewQrOe05BAo3AwNmzpt3Kgay3DLtN/n7a9LqPifw9FKp5EtdYLKyM
R16AwG5PaYQXrnsY0Udwz4yAYucEYjEOSyslVf4VILyzFWdKfAgXApbbr4W2nKXx
VQ0BBWbOYnAuAPJYk85WpAZfbFX98tglGTGT/0XRO3Buyk5T50AC4VqxlF17w7+8
T6bO74xpZNi5t5fzFTqt5kZZZ6IXfSonu/SVA/tfiOJwIExo7zEUwu4vsYoMtxaR
HqFlMQyuJhp0aTjaggrFaYQ8XR7tnZherteAYdaw0k3mUPCWfXR3xz26daOpUDKu
ewsDbuq+cglVD5qym246WVYSyiPLKKBXvWPLbuoG5ngqmyQiKydIQ9UMMdJvHh5c
7DtDjiHOH8s=
=VEy3
-----END PGP SIGNATURE-----




------------------------------

Message: 2
Date: Tue, 03 Jan 2006 11:42:21 +0100
From: Nicolas RUFF <nicolas.ruff () gmail com>
Subject: Re: [Full-disclosure] Win32 Heap Exploits
To: Stefan Lochbihler <steve01 () chello at>
Cc: full-disclosure () lists grok org uk
Message-ID: <43BA550D.2090509 () gmail com>
Content-Type: text/plain; charset=ISO-8859-1

But if i execute the server without ollydbg there happen nothing.
Have anybody an idea what i make wrong. Test on a winxp sp1 system.

As pointed out multiple times, Windows heap is not the same whether the
program is flagged as "being debugged" or not.

You should always *attach* the debugger to the process and not run the
process from within the debugger.

Regards,
- Nicolas RUFF


------------------------------

Message: 3
Date: Tue, 3 Jan 2006 03:32:29 -0800
From: InfoSecBOFH <infosecbofh () gmail com>
Subject: Re: [Full-disclosure] Buffer Overflow vulnerability in
        Windows Display Manager [Suspected]
To: Sumit Siddharth <sumit.siddharth () gmail com>
Cc: full-disclosure () lists grok org uk
Message-ID:
        <2be58a30601030332t59b2ae5fj5ff97afc45580a9b () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

I have only replicated this with the intel driver.  have tried others
and no dice.

On 1/3/06, Sumit Siddharth <sumit.siddharth () gmail com> wrote:
I think the problem is with the intel driver and particularly with
file
ialmnt5.sys
Hope it helps
Sumit




On 1/3/06, Sumit Siddharth <sumit.siddharth () gmail com > wrote:
Dear All,
Sorry for the delayed response.
I  had success in exploiting it remotely by a simple javascript
<script>window.open("http://aa...";);</script>. But i think it doesnt
work
with some drivers.I am using XP ,professional, SP2. and firefox 1.0.6.
I am
using a string of about 53,000 char to overflow the buffer.
Thanks
Sumit





--


_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




------------------------------

Message: 4
Date: Tue, 3 Jan 2006 03:33:21 -0800
From: InfoSecBOFH <infosecbofh () gmail com>
Subject: Re: [Full-disclosure] Buffer Overflow vulnerability in
        Windows Display Manager [Suspected]
To: Full-Disclosure <full-disclosure () lists grok org uk>
Message-ID:
        <2be58a30601030333x3d7c4fc7v24fa1632f7be1626 () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

oh.. and by the way... only works with the intel driver (and only a
couple differnt versions) and is not exploitable... this is a DoS and
nothing more.

On 1/3/06, InfoSecBOFH <infosecbofh () gmail com> wrote:
I have only replicated this with the intel driver.  have tried others
and no dice.

On 1/3/06, Sumit Siddharth <sumit.siddharth () gmail com> wrote:
I think the problem is with the intel driver and particularly with
file
ialmnt5.sys
Hope it helps
Sumit




On 1/3/06, Sumit Siddharth <sumit.siddharth () gmail com > wrote:
Dear All,
Sorry for the delayed response.
I  had success in exploiting it remotely by a simple javascript
<script>window.open("http://aa...";);</script>. But i think it
doesnt work
with some drivers.I am using XP ,professional, SP2. and firefox
1.0.6. I am
using a string of about 53,000 char to overflow the buffer.
Thanks
Sumit





--


_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





------------------------------

Message: 5
Date: Tue, 3 Jan 2006 03:34:46 -0800
From: InfoSecBOFH <infosecbofh () gmail com>
Subject: Re: [Full-disclosure] WMF round-up, updates and
        de-mystification
To: Gadi Evron <ge () linuxbox org>
Cc: "FunSec \[List\]" <funsec () linuxbox org>,
        "full-disclosure () lists grok org uk"
        <full-disclosure () lists grok org uk>,
bugtraq () securityfocus com
Message-ID: <2be58a30601030334r37d3dam19df4ee9fbaf9f07 () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

So this patch is trusted because you said so?

I have tested and confirmed that this patch only works in specific
scnenarios and does not mitigate the entire issue.  Variations still
work.

On 1/3/06, Gadi Evron <ge () linuxbox org> wrote:
Quite a bit of confusing and a vast amount of information coming from
all directions about the WMF 0day. Here are some URL's and generic
facts
to set us straight.

The "patch" by Ilfak Guilfanov works, but by disabling a DLL in
Windows.
So far no problems have been observed by anyone using this patch. You
should naturally check it out for yourselves but I and many others
recommend it until Microsoft bothers to show up with their own patch.

Ilfak is trusted and is in no way a Bad Guy.

You can find more information about it at his blog:
http://www.hexblog.com/2005/12/wmf_vuln.html

If you are still not sure about the patch by Ilfak, check out the
discussion of it going on in the funsec list about the patch, with
Ilfak
participating:
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Occasional information of new WMF problems keep coming in over there.

In this URL you can find the best summary I have seen of the WMF
issue:
http://isc.sans.org/diary.php?storyid=994
by the "SANS ISC diary" team.

In this URL you can find the best write-up I have seen on the WMF
issue:
http://blogs.securiteam.com/index.php/archives/167
By Matthew Murphy at the "Securiteam Blogs".

Also, it should be noted at this time that since the first public
discovery of this "problem", a new one has been coming in - every day.
All the ones seen so far are variants of the original and in all ways
the SAME problem. So, it would be best to acknowledge them as the
same... or we will keep having a NEW 0day which really isn't for about
2
months when all these few dozen variations are exhausted.

A small BUT IMPORTANT correction for future generations:
The 0day was originally found and reported by Hubbard Dan from
Websense
on a closed vetted security mailing list, and later on at the Websense
public page. All those who took credit for it took it wrongly.

Thanks, and a better new year to us all,

       Gadi.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



------------------------------

Message: 6
Date: Tue, 3 Jan 2006 03:37:09 -0800
From: InfoSecBOFH <infosecbofh () gmail com>
Subject: Re: [Full-disclosure] WMF round-up, updates and
        de-mystification
To: Gadi Evron <ge () linuxbox org>
Cc: "FunSec \[List\]" <funsec () linuxbox org>,
        "full-disclosure () lists grok org uk"
        <full-disclosure () lists grok org uk>,
bugtraq () securityfocus com
Message-ID:
        <2be58a30601030337i2cba5f87i6b56e4799d897d5f () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

On 1/3/06, Gadi Evron <ge () linuxbox org> wrote:

A small BUT IMPORTANT correction for future generations:
The 0day was originally found and reported by Hubbard Dan from
Websense
on a closed vetted security mailing list, and later on at the Websense
public page. All those who took credit for it took it wrongly.

Yes, important if you are a marketing guy or if your mouth is planted
firmly on the websense dick.

I am sure most of us are part of other and even private mailing lists.
 So the credit for discovery should go to whomever first PULICALLY
disclosed the vuln.  I have no idea who that was but thanks to a
certain few I saw this vuln in early December.


------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

End of Full-Disclosure Digest, Vol 11, Issue 5
**********************************************
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]