<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.security.full-disclosure">
    <title>gmane.comp.security.full-disclosure</title>
    <link>http://blog.gmane.org/gmane.comp.security.full-disclosure</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/85862"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/85859"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/85858"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/85857"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/85856"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/85854"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/85853"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/85851"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/85849"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/85848"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/85840"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/85838"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/85837"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/85835"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/85834"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/85832"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/85831"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/85830"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/85827"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.full-disclosure/85823"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/85862">
    <title>New tool: Hyperion - A runtime encrypter for 32-bit PE files</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/85862</link>
    <description>&lt;pre&gt;Hi there,

We just published Hyperion-1.0.zip source code at nullsecurity. The
presentation / slides are also available.


[ FILE ]

Hyperion-1.0.zip


[ DESCR ]

Hyperion is a runtime encrypter for 32-bit portable executables. It is
a reference implementation and is based on the paper "Hyperion:
Implementation of a PE-Crypter".


[ SITE ]

Tool &amp;lt; at &amp;gt; http://www.nullsecurity.net/binary.html
Slides &amp;lt; at &amp;gt; http://nullsecurity.net/papers.html


cheers,
noptrix
&lt;/pre&gt;</description>
    <dc:creator>Levent Kayan</dc:creator>
    <dc:date>2012-05-26T12:48:51</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/85859">
    <title>Info about attack trees</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/85859</link>
    <description>&lt;pre&gt;Hello everybody, I'm new to this mailing-list and to security in general.
I'm here to learn and I'm starting with a question :)

I'm looking for some information about attack trees usage in web application analysis.

For my master thesis I decided to study the usage of this formalism in order to represent attacks on web applications.
I need a lot of use cases from which to start learning common attacks which can help building a proper tree.


I've already read the OWASP top 10 vulnerabilities and I'm familiar with XSS, SQLi, etc.; however, I've no clue on how to combine them together in order to perform the steps needed to attack a system. I'm looking for some examples and maybe for some famous attacks from which I can understand which steps are performed and how common vulnerabilities can be combined together. Any help is really appreciated.


-------------------
Federico.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosur&lt;/pre&gt;</description>
    <dc:creator>Federico De Meo</dc:creator>
    <dc:date>2012-05-25T08:58:08</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/85858">
    <title>GreHack 2012 - Call For Papers (CFP)</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/85858</link>
    <description>&lt;pre&gt;*GreHack 2012* 2nd Call For Papers
http://ensiwiki.ensimag.fr/index.php/GreHack-2012-english
GreHack 2012 conference will be held in Grenoble (French Alps), France
and brings together students, academia, industry and gov in order to
exchange knowledge around emerging issues in the security + hacking
world.
During the night, a Capture The Flag will take place.


*Suggested Topics (not limited to)*
http://ensiwiki.ensimag.fr/index.php/GreHack_2012-Call_For_Presentation-english
- Track: ethical and legal
  -- greyhat hacking: a consumer advance, or a risk for worldwide security?
  -- current state of laws relative to cyber-security and hacking +
justified suggestions of modifications

- Track: technical
  -- Hadopi: why is it a technical and legal failure? how to exploit
in memory vulnerabilities of Hadopi approved software?

  -- In Memory Vulnerabilities
    --- Windows 8: heap analysis, kernel structures and new memory protections
    --- Exploit Corner: come present us your last sploit!

  -- Hardcore Pene&lt;/pre&gt;</description>
    <dc:creator>Fabien DUCHENE</dc:creator>
    <dc:date>2012-05-24T23:19:46</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/85857">
    <title>CFP: Hacktivity 2012, October 12-13, Budapest, Hungary</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/85857</link>
    <description>&lt;pre&gt;Hi,

Hacktivity is the largest IT Security Festival in the CEE region, which
will be held between October 12-13 2012 in Budapest, Hungary.

Hacktivity festival traditionally brings together the official and
alternative representatives of information security profession with
all those interested in the area, in an informal, yet educational, and
usually deep into the technical form.

We are seeking submissions for both two days conference track &amp;amp; 40
minutes "Hello workshops" in the
following areas:

mobile device vulnerabilities, hardware hacking,  attack vectors of
telecommunication networks, network security, security of operating
systems, browser based attacks, misuse of popular applications,
database security,  information gathering from business applications,
malicious and mobile codes, hacking tools, information warfare,
cyber-crime, hacker subculture, social engineering, digital forensics
etc.

We had the privilege to welcome as speakers in the past years: Bruce
Schneier, Peter Szor, Joe McCray, Alex Kornbrust&lt;/pre&gt;</description>
    <dc:creator>Attila Bartfai</dc:creator>
    <dc:date>2012-05-24T20:55:04</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/85856">
    <title>Malware.lu - analysis and pownage of hespesnet botnet</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/85856</link>
    <description>&lt;pre&gt;Hi,
  a message to announce the creation of http://www.malware.lu a few days ago. It is a repository of malware and technical analyses. The goal of the project is to provide samples and technical analyses to security researchers.

  To celebrate the creation, an article about the analysis of a botnet (called herpesnet) and the pownage of this botnet ;) : http://code.google.com/p/malware-lu/wiki/en_analyse_herpnet

RootBSD.

&lt;/pre&gt;</description>
    <dc:creator>rootbsd&lt; at &gt;r00ted.com</dc:creator>
    <dc:date>2012-05-25T07:17:11</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/85854">
    <title>ResEdit Buffer Overflow Vulnerabilities</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/85854</link>
    <description>&lt;pre&gt;Product Link: http://www.resedit.net/

Affected version: 1.5.11-win32

Type of vulnerabilities: Buffer Overflow.

For Further information:
http://waleedassar.blogspot.com/2012/05/resedit-named-entries-two-buffer.html

POCs:
http://code.google.com/p/ollytlscatch/downloads/detail?name=ResEdit_POC1.exe
http://code.google.com/p/ollytlscatch/downloads/detail?name=ResEdit_POC2.exe


N.B. Not much effort has been put into these POCs. They just crash the
application but code execution is possible.
&lt;/pre&gt;</description>
    <dc:creator>Walied Assar</dc:creator>
    <dc:date>2012-05-24T19:54:48</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/85853">
    <title>[SECURITY] [DSA 2480-1] request-tracker3.8 security update</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/85853</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2480-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 24, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : request-tracker3.8
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-2082 CVE-2011-2083 CVE-2011-2084 CVE-2011-2085 
                 CVE-2011-4458 CVE-2011-4459 CVE-2011-4460

Several vulnerabilities were discovered in Request Tracker, an issue
tracking system:

CVE-2011-2082

   The vulnerable-passwords scripts introduced for CVE-2011-0009
   failed to correct the password hashes of disabled users.

CVE-2011-2083

   Several cross-site scripting issues have been discovered.

CVE-2011-2084

   Password hashes could be disclosed by p&lt;/pre&gt;</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2012-05-24T17:37:03</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/85851">
    <title>VMDK Has Left the Building . Some Nasty Attacks Against VMware vSphere 5 Based Cloud Infrastructures</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/85851</link>
    <description>&lt;pre&gt;List,

some of you might find this interesting:

http://www.insinuator.net/2012/05/vmdk-has-left-the-building/


have a good one

Enno


&lt;/pre&gt;</description>
    <dc:creator>Enno Rey</dc:creator>
    <dc:date>2012-05-24T16:40:20</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/85849">
    <title>[ MDVSA-2012:081 ] firefox</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/85849</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2012:081
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : firefox
 Date    : May 24, 2012
 Affected: Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Security issues were identified and fixed in mozilla firefox:
 
 Mozilla developers identified and fixed several memory safety
 bugs in the browser engine used in Firefox and other Mozilla-based
 products. Some of these bugs showed evidence of memory corruption
 under certain circumstances, and we presume that with enough effort
 at least some of these could be exploited to run arbitrary code
 (CVE-2012-0468, CVE-2012-0467).
 
 Using the Address Sanitizer tool, security researcher Aki Helin from
 OUSPG found that IDBKeyRange of indexedDB re&lt;/pre&gt;</description>
    <dc:creator>security&lt; at &gt;mandriva.com</dc:creator>
    <dc:date>2012-05-24T14:48:00</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/85848">
    <title>Kingcopes AthCon 2012 Slides &amp; Notes</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/85848</link>
    <description>&lt;pre&gt;Hello lists,

you can view my slides &amp;amp; notes for my talk entitled "Uncovering
Zero-Days and advanced fuzzing" held at AthCon 2012 at the following
places:

http://www.isowarez.de/

http://kingcope.wordpress.com/

Cheerio,

/Kingcope

&lt;/pre&gt;</description>
    <dc:creator>HI-TECH .</dc:creator>
    <dc:date>2012-05-24T11:21:51</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/85840">
    <title>[Security-news] SA-CONTRIB-2012-085 - BrowserID - Multiple Vulnerabilities</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/85840</link>
    <description>&lt;pre&gt;View online: http://drupal.org/node/1597414

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-085
  * Project: BrowserID (Mozilla Persona) [1] (third-party module)
  * Version: 7.x
  * Date: 2012-May-23
  * Security risk: Critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Request Forgery (results in Privilege
    Escalation)

-------- DESCRIPTION  
---------------------------------------------------------

CVE: Requested
The BrowserID module provides integration with BrowserID (also known as
Mozilla Persona) -- a Mozilla project that lets users of your site quickly
and easily log in without needing to remember a password specific to your
site.

The module did not sufficiently validate requests for authentication to log
in, potentially allowing a Cross Site Request Forgery (CSRF) attack and
introducing the possibility that logging in to a malicious site with
BrowserID could give that site the ability to log in to other websites using
your BrowserID identity.

-------- VERSIONS AFFECTED  
---------&lt;/pre&gt;</description>
    <dc:creator>security-news&lt; at &gt;drupal.org</dc:creator>
    <dc:date>2012-05-23T20:23:54</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/85838">
    <title>[Security-news] SA-CONTRIB-2012-084 - Search API - Cross Site Scripting (XSS)</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/85838</link>
    <description>&lt;pre&gt;View online: http://drupal.org/node/1597364

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-084
  * Project: Search API [1] (third-party module)
  * Version: 7.x
  * Date: 2012-May-23
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION  
---------------------------------------------------------

CVE: Requested
This module enables you to build searches using a wide range of features,
data sources and backends.

The module doesn't sufficiently sanitize user input in some cases when
throwing exceptions or logging errors. This enables attackers to insert
arbitrary data into a page by manipulating its URL. Users would have to open
such a manipulated URL to see the changed content.

This is only possible in some setups of Search API, specifically when users
can manually enter field identifiers in some way – e.g., through an exposed
Views sort or with the old Facets module.

-------- VERSIONS AFFECTED  
------------------------------------&lt;/pre&gt;</description>
    <dc:creator>security-news&lt; at &gt;drupal.org</dc:creator>
    <dc:date>2012-05-23T20:24:33</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/85837">
    <title>[Security-news] SA-CONTRIB-2012-083 - Taxonomy List - Cross Site Scripting (XSS)</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/85837</link>
    <description>&lt;pre&gt;View online: http://drupal.org/node/1597262

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-083
  * Project: Taxonomy List [1] (third-party module)
  * Version: 6.x
  * Date: 2012-May-23
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

-------- DESCRIPTION  
---------------------------------------------------------

CVE: Requested
This module enables you to display the terms (and optionally nodes) under
categories.

The module doesn't sufficiently sanitize user supplied text in the taxonomy
information.

This vulnerability is mitigated by the fact that an attacker must have a role
with permissions to create or edit taxonomy terms.

-------- VERSIONS AFFECTED  
---------------------------------------------------

  * Taxonomy List 6.x-1.x versions prior to 6.x-1.4.

The 6.x-2.x branch is not affected.

Drupal core is not affected. If you do not use the contributed Taxonomy List
[3] module, there is nothing you need to do.

-------- SOLUTION  
----------&lt;/pre&gt;</description>
    <dc:creator>security-news&lt; at &gt;drupal.org</dc:creator>
    <dc:date>2012-05-23T20:21:46</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/85835">
    <title>[SECURITY] [DSA 2479-1] libxml2 security update</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/85835</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2479-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxml2
Vulnerability  : off-by-one
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-3102

Jueri Aedla discovered an off-by-one in libxml2, which could result in
the execution of arbitrary code.

For the stable distribution (squeeze), this problem has been fixed in
version 2.7.8.dfsg-2+squeeze4.

For the unstable distribution (sid), this problem has been fixed in
version 2.7.8.dfsg-9.1.

We recommend that you upgrade your libxml2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked q&lt;/pre&gt;</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2012-05-23T19:39:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/85834">
    <title>[SECURITY] [DSA 2478-1] sudo security update</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/85834</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2478-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 23, 2012                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : sudo
Vulnerability  : parsing error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2337

It was discovered that sudo misparsed network masks used in Host and
Host_List stanzas. This allowed the execution of commands on hosts,
where the user would not be allowed to run the specified command.

For the stable distribution (squeeze), this problem has been fixed in
version 1.7.4p4-2.squeeze.3.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your sudo packages.

Further information about Debian Security Advi&lt;/pre&gt;</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2012-05-23T19:30:06</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/85832">
    <title>[ MDVSA-2012:080 ] wireshark</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/85832</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2012:080
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : wireshark
 Date    : May 23, 2012
 Affected: 2011.
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities were found and corrected in Wireshark:
 
 It may be possible to make Wireshark hang for long or indefinite
 periods by injecting a malformed packet onto the wire or by convincing
 someone to read a malformed packet trace file.
 
 It may be possible to make Wireshark crash by injecting a malformed
 packet onto the wire or by convincing someone to read a malformed
 packet trace file.
 
 This advisory provides the latest version of Wireshark (1.6.8) which
 is not vulnerable to these issues.
 __________________________________________&lt;/pre&gt;</description>
    <dc:creator>security&lt; at &gt;mandriva.com</dc:creator>
    <dc:date>2012-05-23T14:54:00</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/85831">
    <title>session stealing in mod_auth_openid - CVE-2012-2760</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/85831</link>
    <description>&lt;pre&gt;https://github.com/paranoid/mod_auth_openid/blob/master/CVE-2012-2760.markdown


# Security Advisory 1201
    Summary           : Session stealing
    Date              : May 2012
    Affected versions : all versions prior to mod_auth_openid-0.7
    ID                : mod_auth_openid-1201
    CVE reference     : CVE-2012-2760

# Details
Session ids are stored insecurely in /tmp/mod_auth_openid.db (default
filename). The db is world readable and the session ids are stored
unencrypted.

# Impact
If a user has access to the filesystem on the mod_auth_openid server,
they can steal all of the current openid authenticated sessions

# Workarounds
A quick improvement of the situation is to chmod 0400 the DB file.
Default location is /tmp/mod_auth_openid.db unless another location
has been configured in AuthOpenIDDBLocation.

# Solution
Upgrade to mod_auth_openid-0.7 or later:
http://findingscience.com/mod_auth_openid/releases

# Credits
This vulnerability was reported by Peter Ellehauge, ptr at groupon dot
com. Fix&lt;/pre&gt;</description>
    <dc:creator>ptr</dc:creator>
    <dc:date>2012-05-23T03:14:38</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/85830">
    <title>IPv6 security: New IETF I-Ds, slideware and videos for recent presentations, trainings, etc...</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/85830</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Folks,

* We've published a new IETF I-D entitled "DHCPv6-Shield: Protecting
Against Rogue DHCPv6 Servers", which is meant to provide RA-Guard-like
protection against rogue DHCPv6 servers. The I-D is available at:
&amp;lt;http://tools.ietf.org/id/draft-gont-opsec-dhcpv6-shield-00.txt&amp;gt;
Other I-Ds (such as, draft-ietf-v6ops-ra-guard-implementation) about
IPv6 security have been revised. Please check them out at:
&amp;lt;http://www.si6networks.com/publications/ietf.html&amp;gt;

* The slideware (and some videos!) of some of our recent presentations
about IPv6 security are now available online. You can find them at:
&amp;lt;http://www.si6networks.com/presentations/index.html&amp;gt;

* We have also scheduled IPv6 hacking trainings in Paris (France) and
Ghent (Belgium). You can find more details at:
&amp;lt;http://www.si6networks.com/index.html#conferences&amp;gt;


Interested in IPv6 security? -- Follow us on Twitter: &amp;lt; at &amp;gt;SI6Networks

Thanks,
- -- 
Fernando Gont
SI6 Networks
e-mail: fgont&amp;lt; at &amp;gt;si6networks.com
PGP Fingerpri&lt;/pre&gt;</description>
    <dc:creator>Fernando Gont</dc:creator>
    <dc:date>2012-05-23T06:53:02</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/85827">
    <title>Failure to restrict access</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/85827</link>
    <description>&lt;pre&gt;Hi everybody!

I won't take much of your time: as part of a project in our University we
have developed a tool to deal with the vulnerability known as "Failure to
restrict access".

If you want to check it and see what we have to say about it, go to our site
and leave any comments you may have:

http://failuretorestrictaccess.wordpress.com/

It is free and open source.

Thanks a lot!

Fernando.
&lt;/pre&gt;</description>
    <dc:creator>Fernando Andina</dc:creator>
    <dc:date>2012-05-22T03:35:22</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/85823">
    <title>[ MDVSA-2012:079 ] sudo</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/85823</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2012:079
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : sudo
 Date    : May 21, 2012
 Affected: 2010.1, 2011., Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in sudo:
 
 A flaw exists in the IP network matching code in sudo versions 1.6.9p3
 through 1.8.4p4 that may result in the local host being matched
 even though it is not actually part of the network described by the
 IP address and associated netmask listed in the sudoers file or in
 LDAP. As a result, users authorized to run commands on certain IP
 networks may be able to run commands on hosts that belong to other
 networks not explicitly listed in sudoers (CVE-2012-2337).
 
 The upda&lt;/pre&gt;</description>
    <dc:creator>security&lt; at &gt;mandriva.com</dc:creator>
    <dc:date>2012-05-21T16:05:00</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.full-disclosure/85821">
    <title>DC4420 - London DEFCON - May meet - Tuesday May 22nd 2012</title>
    <link>http://comments.gmane.org/gmane.comp.security.full-disclosure/85821</link>
    <description>&lt;pre&gt;Back at the Phoenix!!!! Sorry for the late notice, but you know the 
score by now.... :)

Speakers:

'Why Industrial System air-gaps suck.'

Eireann Leverett of IOActive

A talk on why industrial systems can increasingly be found on the 
internet, and how to work with CERTs to change it.

We've also got room for a 30min fun talk, so ping me when you get there 
if you have one...

Venue is here:

    The Phoenix
    37 Cavendish Square
    London
    W1G 0PP

    http://www.phoenixcavendishsquare.co.uk/

2 minutes walk from Oxford Circus tube.

Date:

    Tuesday 22nd May 2012

Time:

    17:30 till kicking out, talks start at 19:30

See you tomorrow!

cheers,
MM
&lt;/pre&gt;</description>
    <dc:creator>Major Malfunction</dc:creator>
    <dc:date>2012-05-21T15:48:08</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.full-disclosure">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.full-disclosure</link>
  </textinput>
</rdf:RDF>

