Domain: derkeiler.com
Stories and comments across the archive that link to derkeiler.com.
Comments · 83
-
Re:FYI SLASH-TARDS -- What Flash can do:
Flash can access a user's webcam [...]
Flash can do what??? Thanks for the warning, I will instantly remove flash from my notebook. And don't bother me with security settings in flash -- when it is there, it will be exploited, sooner or later. Even Java applets had security issues.
-
Re:Is this the beginning or end of windows?
I think we all remember the last time Windows source got out, and how someone found an image exploit within a couple weeks. Should be fun.
-
Re:Dead On
You need to read non-Apple security material more. When MacOS X came out a whole list of setuid apps used by the "pretty shell" to tell the OS to do simple things like load a CD or eject it had security holes all over the place. http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2001-10/0117.html is a prime example. I admit Apple learned from its mistakes pretty fast, but the initial release of MacOS X was one big local security hole. You are correct - networkwise it was more or less OK, but once someone managed to connect it was ripe for picking.
-
Re:Looks nice -- but there's a whole Opteron Line
Yup, although we got the wrong cable with the original shipment as well as the first replacement, so we've not had a chance to try it until today.
Port 2 is the Broadcom, which sadly doesn't work well with FreeBSD since the bge driver doesn't let the SP see the network, but there's a patch I'm going to try shortly which should do the trick. It doesn't seem possible to talk to the SP via serial console, but with ipmitool/FreeIPMI it's quite usable.
The FreeBSD nve driver does kinda support it; it detects the port and you can actually make it behave vaguely like a network interface up to the point at which it dies horribly in a variety of interesting ways, seemingly due to problems with the binary blob nVidia provide; work is ongoing to try to fix this as well as another project to port the reverse-engineered forcedeth Linux driver, so it's not without hope.
-
Re:Not really surprising
Who builds a PC himself with an Intel CPU anyway?
;-) Those of us that are forced to because all current video editing apps (prosumer, not the cheeze crap that comes with cameras and firewire cards) require Intel P4.
As well as those of us who don't want to deal with poorly-documented motherboard chipsets and consequent FOSS driver flakiness (sometimes combined with unavoidable bugs). Now that AMD is following Intel in building their own chipsets, this should become less of an issue.
-
Re:Questions
If anything, it's the issues where the worst they can do is crash the browser are the ones that should be downgraded.
How do you want to crash IE today?
<IMG SRC="sweetydead.jpg" width="9999999" height="9999999">
See Full-Disclosure
-
Re:Does ActiveX support limited capabilities?
I didn't see anything in those two exploits about "guessing a Content-type based on the last few characters of the URL".
Here's Microsoft Q258452. Here's another document about IE ignoring text/plain and assuming text/html.
Am I missing something?
Could be. In MS01-020 you have to use a JavaScript capable browser and click "Technical details" under "General information". You'd get this:
However, a flaw exists in the type of processing that is specified for certain unusual MIME types. If an attacker created an HTML e-mail containing an executable attachment, then modified the MIME header information to specify that the attachment was one of the unusual MIME types that IE handles incorrectly, IE would launch the attachment automatically when it rendered the e-mail.
This seems to refer to ignoring the "unusual" MIME type and assuming that the content is something to be executed.
-
This Program is a Hoax!
This "foxie" installs iun6002.exe (desktop surveillance personal spyware) on your computer. I just ran Ad-Aware SE with the latest definitions. Before I had installed this program I didn't have this nasty spyware installed. I could be wrong but I don't think I am. Following links:
http://www.lavasoftnews.com/ms/display_main.php?tac=Favoriteman
http://www.auditmypc.com/process/iun6002.asp
http://www.derkeiler.com/Newsgroups/microsoft.public.inetserver.iis.security/2004-06/0260.html
-
Full-disclosure link
Go here and download here.
-
Re:Who the hell is Jamie Zawinski
I call BS.
1. If it is true that you have never ever had a single problem with an MS product, why you'd be hating it?
2. Nobody has ever had to recompile the kernel in order to change the screen resolution in X.
3. Wanna see XP BSOD? Try putting the following code on a web page:
<HTML>
<BODY>
<IMG SRC="./sweetydead.jpg" width="9999999" height="9999999">
</BODY>
</HTML>
and take a look at it with IE. Of course, the picture has to be there. It can take up to 2-3 minutes until BSOD and reboot. Successfully tested on three different "XP Professional" computers with 512M RAM. Check this link for details.
While I don't think that the parent's experience is a typical one for the Windows world, your claims are even less convincing.
-
Here is the patch
The patch is available here:
http://ftp.stardiv.de/pub/OpenOffice.org/contrib/rc/1.1.4secpatch/
Here is the issue:
http://www.openoffice.org/issues/show_bug.cgi?id=46388
And the BugTraq report:
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2005-04/0150.html
-
The origin was actually different
Someone pointed out that I was wrong about the origin of that post - the original was actually written 2 years ago (Feb 2003) by Shaun Jurrens, a FreeBSD user (here's what he says about the troll I previously linked).
I apologize, but I googled before talking, and the oldest result I found was the troll I linked in parent (Jan 2004).
Still, I don't think that the text of a 2-year-old rant, copied and pasted by a troll, is objectively worth any modding up. And FWIW, what I think of the ones who do it doesn't change very much.
-
Re:Wow...
Strong passwords won't help against the disgruntled-employee-h4x0r who knows one of the strong passwords, nor against the insecure getpwpit() function.
-
bugtraq links for the vulnerabilities / demo
Demonstration of exploits:
http://www.xfocus.net/flashsky/icoExp/index.html
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-12/0387.html
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-12/0360.html
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-12/0359.html
(Source: http://www.heise.de/newsticker/meldung/54610 [German])
-
Re:Look at http://www.mikrotik.com
Assuming MikroTik violates the GPL, what you are saying isn't true. Depending on the circumstances, they don't have to give you the source, they have to give the source up to people who they gave the binaries to. If they ship the binaries and the source to people at the same time, they don't have to give you the source (This is covered in Section 3 of the GPL).
Now, assuming that they are in fact violating the GPL, anyone who has copyrighted material in the work can in fact force their hand. So any kernel developer can deal with this.
Looking on their site, they have in fact given lip service to sending you a CD (they claim it won't contain their proprietary software, but if they are following the letter of the law, they should have to give you the kernel source w/ any modifications they made). The offer is down near the bottom of this page:
http://demo.mt.lv/help/license.html
This appears to be in compliance with 3b of the GPL.
If you report this on the LKML list I'm fairly sure several people would help you pursue it if you can show they are in fact violating the GPL (if they didn't modify the kernel, they aren't). If they are violating the GPL, they sure are being quiet about it. Google turns up very little about it. I've seen several threads on the LKML where people outside of Linus Torvalds pursue GPL violations. Alan Cox being one of them. Any number of people pursued Linksys.
http://lkml.org/lkml/2003/6/7/164
and
http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-09/7435.html
are examples
Kirby
-
Re:Tom Rhodes
Haha, little troll, I checked out your link, and it doesn't prove your point if you follow the whole thread. Points are made pro and con, and actually it is Matt who is a little bit more arrogant than, let's say, PHK.
:))) Are you the frustrated HawkinsOS guy btw? Some things point to it
... if it is true, then I understand your frustration. You are on a crusade against FreeBSD developers, because they pointed out that 'your' os violates a number of licences that are part of the BSD system. Let me just say for all who would buy into your bs: you were given good advice in a polite manner, and you reacted to it as if someone close to you was murdered by the FreeBSD devs. Of course, it is possible that you have nothing to do with HawkinsOS. If that is the case, well, nevermind.
;)
-
Re:Tom Rhodes
Read this very carefully and draw your own conclusions. That's the kind of attitude that has driven tens of developers away from FreeBSD. The core team should have expelled controversial people like des@ and phk@ a long time ago.
What you posted is very interesting, except what Robert Watson is saying is not true. Nice try, though.
-
Details from the Internet Storm Center
Microsoft announced a possible vulnerability in ASP.NET (www.microsoft.com/security/incident/aspnet.mspx).
There are not many details so far, but it refers to the "canonicalization" functionality and suggests implementing the hardening measures outlined in KB887459 (support.microsoft.com/?kbid=887459). It appears that a particularly crafted request may confuse ASP.Net and allow access to otherwise protected directories.
If a web server receives a request for a particular URL (e.g. http://server/somedirectory/filename), the 'somedirectory/filename' part has to be mapped to a particular file located on the server. This translation has been the source of many "directory traversal" bugs. The IIS unicode exploit is probably the most famous one.
After our original posting of this diary, a few users pointed to the following articles which provide more details than provided by Microsoft's advisory:
(Thanks to Chaouki & Daniel)
www.heise.de/security/news/meldung/51730 (German)
http://www.derkeiler.com/Mailing-Lists/NT-Bugtraq/2004-09/0068.html
blogs.devleap.com/rob/archive/2004/10/02/1803.aspx (Italian)
www.k-otik.com/news/10052004.ASPNETFlaw.php (French)
It appears that by switching a '/' character in the URL with '\' or '%5C', the canonicalization routine will be confused. So if the URL http://www.example.com/secure/file.apx is password protected, using either of the following URLs will bypass the restriction:
http://www.example.com/secure\file.apx
http://www.example.com/secure%5Cfile.apx
In addition to the slash/back-slash confusion, one reader reports that inserting a space will bypass the URL restriction as well: http://www.example.com/%20/secure/file.apx (had no chance to validate this method so far)
URL Obfuscation
Handler and star SANS instructor Ed Skoudis compiled a comprehensive list of various URL obfuscation methods used in phishing schemes and spam. Some of these methods do not work with all browsers (e.g. the %01 issue in older Internet Explorer versions). In order to preserve the tricky details of some of these methods, we set up a page which includes just the URL methods without our usual header and footer: isc.sans.org/presentations/urlobfuscation.php (to view as source: isc.sans.org/presentations/urlobfuscation.txt). Jan Reilink wrote to point us to this page with more details about URL obfuscation and decoding: www.pc-help.org/obscure.htm
-
Re:HP woes...
HP seems to be trying hard to kill everything of substance that they ever had in Carly's attempt to be a low-cost-Dell-clone company.
No more PA-Risc.
No more Alpha.
No more Itanium Workstations
No more open source (except for lip service)
No more Bluestone software (based on open source).
No more HPUX.
No altavista when they bought CPQ.
No more Vision
No more Hewlett Packard name
No more Walter Hewlett or Packard involved.
Seems to me that last one triggered when it all started falling apart.
Hewlett and Packard built one of the greatest companies in the history of Silicon Valley; and Carly managed to tank the thing in a couple years trying to pretend she can be a Michael Dell commodity-vendor.
I wish they'd just change the name to Carly&Co to stop trashing the initials of two of the greatest heroes of silicon valley.
If you want to save the thing, people should really bring back Walter Hewlett to the board and make him Chairman. At least he understood what his father's company stood for.
-
Very easy
Dude, we used to do this all the time when I programmed for call centers. The ANI (telecom term for caller ID) was programmed at the Layer 2 level, and like a MAC address was easy to change. We usually used ANI via a software bridge to simultaneously launch a trouble ticket indexed via phone number, but there were always issues with Pay Phones, Hotels, or companies that hid the originating ANI behind a PBX (i.e., for security).
So, sometimes, we changed the number en route so that it would launch a new ticket window instead of a ticket with 20,000 IDs all indexed to the same phone number. We just marked it with a random number that let the techs know this was not their real home phone, and thus, had to ask for a callback number if needed.
We also had hackers that did this as well, like one guy in Vancouver who hacked the ANI so he could make illegal and harassing long distance calls in the US using a US 800 number that would, in theory, make the call unbillable.
Then there's the mysterious 604 number that people get from time to time...
-
Re:Beware!
Looks cool. Someone should write a Wikipedia page about Schroedinger bugs.
-
Re:a simple solution- use a salt
I think openbsd already does that, when you look at the shadow file there you see something like $1$salt$md5sum
...
Looking at my fresh copy of "Practical Unix & Internet Security" (O'Reilly), page 88:
That's a modular crypt format (MCF) for the password, with the sections delineated by '$':
First section: 1 = MD5, 2 = Blowfish
Second: Salt (limited to 16 characters)
Third: Encrypted password (sans salt)
For MD5, the salt is treated as a literal string, possibly base64 encoded. For Blowfish, it's a number indicating how many iterations. Some confusion about whether blowfish is indicated by "$2" or "$2a" or "$5" (may be implementation dependent).
-
Re:Where's PuTTY?
-
Re:There's a big difference...
Well, it crashes mine, and the bug is well documented on the net, for example here. According to Securityfocus the bug doesn't work if you've disabled the function to automatically reboot in the case of critical failure (in the system control panel).
-
poor fellas
-
BIOS
I've heard a (rumor?) posted over at Full-disclosure that mydoom actually writes to the BIOS and several other things that no one else has discovered. Is this verified by anyone else?
You can read the message here.
-
Original post by http-equiv to NT-BugTraq
The original post by http-equiv is found on NT-BugTraq.
Helevius
-
Yup... more info here
I've been asking around about this, and it's amazing how many people are just brushing it off as nothing. It is a serious issue for IP addresses that are being hit.
Here are some more posts on the topic, elsewhere. Note how some people just say "Oh, you are getting hits! Hits are good, no?".
http://www.webmasterworld.com/forum39/1435.htm
http://lists.jammed.com/incidents/2003/08/0369.html
http://www.derkeiler.com/Mailing-Lists/linuxsecurity/2003-08/0002.html
The blocking rules people suggest (see page five of the first link) don't work at my site, for some reason. Maybe it's because I only have access to .htaccess, not my own httpd.conf.
-
worm/vulnerability detection on school portal
The EXACT same thing happened here at our school. As an added problem, our dorm access control system (on the doors) was on the same network and therefore flooded with the arp requests from Nachi/Welchia worms (tens of thousands of arp broadcasts per second). Practically everyone at school uses our school portal my.snu.edu (there is a demo if anyone is interested), so we made the login page redirect to a php script on a linux box which would detect both the vulnerability and the infection. The infection can be detected by looking for a responsive tftp port. Here is the script: http://web.snu.edu/~jbrindle/scan.phps. The source code for the rpc-dcom checker is at http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-08/0038.html. Hope this helps!
-
Google
The best way to know the answer (as always) is RTFMing.
You can read the Compact Flash FAQ
A quick google search returned these links, that may be interesting to you
Read all this thread if you will be storing sensitive information
How Compact Flash can keep your data safe?
This guy has an opinion different from mine. He says that, all of a sudden, he lost hundreds of pictures. Well, I've been working with Compact Flash for more than one year now, and the ONLY time I got corrupted data was when I took the card off the camera while it was writing. Then the camera could not read any picture. They seemed to be lost. But later I put that CF in my CF reader, and ran a chkdsk. It found lost chains, that I saved as files. And recovered ALL pictures except for the bottom half of the one it was writing at the very moment when I removed the CF. It probably corrupted the FAT (same way as hard disks, when the computer is not properly shut down).
And I do think CF is more reliable than Microdrive.
-
Re:Exim is hefty hefty hefty
Like this one from December?