From steve at vitriol.net  Sun Oct 11 15:46:32 2009
From: steve at vitriol.net (Steve Tornio)
Date: Sun, 11 Oct 2009 10:46:32 -0500
Subject: [VIM] Is milw0rm not coming back?
Message-ID: <c300d1370910110846s5e64fa84v10366b9d5bbd70fd@mail.gmail.com>

I having been able to reach it for a few days, and I don't think I've
seen any email/tweet/pigeons commenting on it.

From redhowlingwolves at nc.rr.com  Mon Oct 12 07:26:44 2009
From: redhowlingwolves at nc.rr.com (meandmine)
Date: Mon, 12 Oct 2009 03:26:44 -0400
Subject: [VIM] Is milw0rm not coming back?
In-Reply-To: <c300d1370910110846s5e64fa84v10366b9d5bbd70fd@mail.gmail.com>
References: <c300d1370910110846s5e64fa84v10366b9d5bbd70fd@mail.gmail.com>
Message-ID: <4AD2DA34.50205@nc.rr.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steve Tornio wrote:
> I having been able to reach it for a few days, and I don't think I've
> seen any email/tweet/pigeons commenting on it.
> 
The last I heard was that str0ke sold it to someone else because he just
didn't have the desire or time to maintain it anymore. It was supposed
to stay online. Maybe he sold to the wrong person, which is doubtful. Or
the sale fell through.

My guess is as good as your's for when, or if it comes back.
I'd like for it to but, only time will tell.

Scott
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEVAwUBStLaM6SvjvL7s/z0AQIGqAgAp1NgwamCRry4+jGYSvgELCEBHpTIepGD
I43EabHp8S66XNtSU1/9dx9X+QANPqmw5cabALkvlCkiCivMiGuMGYfm3igGGZ98
CpgKwToBJ6naM0FP8XCnDuzoez7M8gQT7xdaQdTmdFmHHwLNHVtcR1jtC9MYwwOu
xNKqt2nn8cKcuzmaKFQQC2zP3sOEJKSr2TwBKw4q1UUxiyNShOK/3fkqGcQsqHrm
c3DJYSNbNOFehyQgvxIH+e52SOSqSViH2QbMI1qe50MrAD9mBQ4jC0RVRKkcntPX
BTa7TfNrvMxCpg0c4zki4vD551yk9N7dhTFoosnPJVf5Zp0wberGCQ==
=CWj5
-----END PGP SIGNATURE-----

From jericho at attrition.org  Tue Oct 13 02:00:09 2009
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 13 Oct 2009 02:00:09 +0000 (UTC)
Subject: [VIM] milw0rm mirror
Message-ID: <Pine.LNX.4.64.0910130159110.13780@forced.attrition.org>



---------- Forwarded message ----------
From: Rob Fuller <jd.mubix at gmail.com>
To: PaulDotCom Security Weekly Mailing List <pauldotcom at mail.pauldotcom.com>
Date: Mon, 12 Oct 2009 21:31:19 -0400
Subject: Re: [Pauldotcom] Milworm down again

Been that way for a week or so, Offensive Security keeps a sync of the
latest milw0rm tar, at:

http://www.offsec.com/milw0rm.tar.bz2

--
Rob Fuller | Mubix
Room362.com | Hak5.org | TheAcademyPro.com

From jericho at attrition.org  Wed Oct 28 01:52:26 2009
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 28 Oct 2009 01:52:26 +0000 (UTC)
Subject: [VIM] various Apache products - not enough details
Message-ID: <Pine.LNX.4.64.0910280135590.3025@forced.attrition.org>


I went trolling through the Apache Jira system, fun times!

Ended up finding a world of vulnerabilities that were not disclosed 
through regular channels. Ended up making about 80 new entries in OSVDB 
for them. There will be a blog post listing them all at some point.

During that crawl, found about 30 or so that I just don't have enough 
details for. Based on the wording of the bug report, it suggests security 
implications. I don't have the time, patience or expertise to try to 
reproduce these to figure them out. Hoping that someone on the list can 
give insight over the coming week as I post a few a day probably. =)

--

https://issues.apache.org/jira/browse/JS2-714

i read this as a 'delegated security portlet' has the right to manage an 
admin user, and it should not. question is, does this give the delegated 
security portlet privileges it shouldn't have, that it can use in a bad 
way?

https://issues.apache.org/jira/browse/DERBY-3462

versions 10.4.1.3, 10.5.1.1 fix, no clue if this has security 
implications for 'information disclosure'

https://issues.apache.org/jira/browse/GERONIMO-4587

version 2.2 fixes. i read this as 'getX Method Access Restriction Bypass' 
based on the info available.

https://issues.apache.org/jira/browse/AXIS2-4241

i read this as 'Service Fault Security Policy Application Weakness', where 
a policy may not be properly enforced.

https://issues.apache.org/jira/browse/NET-74

this involves application of RFC855, specifically telnet subnegotiation. 
if it doesn't handle 0xFF correctly, is this a DoS condition? from the 
RFC:

[snip]
Designers of options requiring "subnegotiation" must take great care to 
avoid unending loops in the subnegotiation process. For example, if each 
party can accept any value of a parameter, and both parties suggest 
parameters with different values, then one is likely to have an infinite 
oscillation of "acknowledgments" (where each receiver believes it is only 
acknowledging the new proposals of the other). Finally, if parameters in 
an option "subnegotiation" include a byte with a value of 255, it is 
necessary to double this byte in accordance the general TELNET rules.
[eosnip]




From jericho at attrition.org  Wed Oct 28 19:18:13 2009
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 28 Oct 2009 19:18:13 +0000 (UTC)
Subject: [VIM] CVE-2000-0105 / BID 962 and CVE-2000-0653 / BID 1502 - dupes
	i think
Message-ID: <Pine.LNX.4.64.0910281912380.2265@forced.attrition.org>



I believe the entries in the subject line are dupes. There is no obvious 
direct cross-reference between them to easily establish this, however the 
nature of the bug and timeline suggests they are.

CVE-2000-0105 / BID 962 = Bugtraq post and BID ref. Advisory from Guninski 
detailing using active scripting to "allow reading subsequently opened 
email messages after a hostile message is opened" on 2000-02-01

CVE-2000-0653 / BID 1502 = MS bulletin and BID ref. MS advisory on 
2000-07-20 detailing using script to create a persistent link to "retrieve 
the text of mails subsequently displayed in the preview pane, and relay it 
to the malicious user."

MS will not credit a researcher who doesn't play nice as you know, so 
their advisory would not reference Guninski. Further, they do not give 
credit to another researcher and the time after original disclosure is in 
keeping with a MS investigation and patch release.

Based on the wording of each advisory, I believe these are dupes. If they 
aren't, I would imagine the latter is a variation of the first attack.

From coley at linus.mitre.org  Wed Oct 28 20:52:42 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 28 Oct 2009 16:52:42 -0400 (EDT)
Subject: [VIM] vendor clarification for CVE-2006-6404 (Innovation DoS)
Message-ID: <Pine.GSO.4.51.0910281648330.18475@faron.mitre.org>


The CVE team has been contacted by the INNOVATION security team, who has
provided specific version and product information for CVE-2006-6404 (OSVDB
30782).  They have stated the following:

   "The DoS Vulnerability problem posting of 19 Oct 2009 incorrectly
   identifies the wrong INNOVATION Data Processing product FDR, a z/OS
   mainframe data protection solution, and is actually describing a
   vulnerability discovered in an obsolete version of FDR/UPSTREAM our
   Enterprise Data Protection Solution. The FDR/UPSTREAM vulnerability in
   question exists in Rel 3.3.0 (GA Oct 2003), corrected in October 2003
   with a temporary fix subsequently made generally available in a
   following release (Rel 3.3.0.A) during the first quarter of 2004.
   Testing for susceptibility to this DoS vulnerability is in place since
   then and this DoS vulnerability does not exist in any current release
   of FDR/UPSTREAM."

(while this has a 2006 CVE, it was only made public within the past few
weeks, I believe.)

- Steve