Security News

Vuln: Mozilla Firefox and Thunderbird CVE-2013-1675 Information Disclosure Vulnerability

Security Focus Vulnerabilities - 19 May, 2013 - 23:00
Mozilla Firefox and Thunderbird CVE-2013-1675 Information Disclosure Vulnerability

Vuln: RETIRED:Microsoft Internet Explorer CVE-2013-2551 Use-After-Free Remote Code Execution Vulnerability

Security Focus Vulnerabilities - 19 May, 2013 - 23:00
RETIRED:Microsoft Internet Explorer CVE-2013-2551 Use-After-Free Remote Code Execution Vulnerability

Vuln: phpMyAdmin CVE-2013-3238 Multiple Arbitrary PHP Code Execution Vulnerabilities

Security Focus Vulnerabilities - 19 May, 2013 - 23:00
phpMyAdmin CVE-2013-3238 Multiple Arbitrary PHP Code Execution Vulnerabilities

Interesting referrer URLs when accessing vulnerability disclosure information

Full Disclosure - 19 May, 2013 - 16:54

Posted by halfdog on May 19

Hello list,

In the aftermath of most of my full-disclosure posts I've observed
quite interesting referrer URLs when someone tries to read information
provided explaining the issue. In quite some cases, those requests can
be attributed to national CERTs, software distributors' security
teams, universities with IT-security research units, ... accessing
that information.

Information leaked via the referrer URLs indicates that a...

Revision of "IPv6 Stable Privacy Addresses" (Fwd: I-D Action: draft-ietf-6man-stable-privacy-addresses-07.txt)

Full Disclosure - 19 May, 2013 - 13:11

Posted by Fernando Gont on May 19

Folks,

We have published a revision of our IETF I-D "A method for Generating
Stable Privacy-Enhanced Addresses with IPv6 Stateless Address
Autoconfiguration (SLAAC)".

This revision is available at:
<http://tools.ietf.org/html/draft-ietf-6man-stable-privacy-addresses-07>.

This proposal is key for the mitigation of address-scanning attacks,
while at the same time preventing host-tracking.

Stay tuned for more IPv6 security news...

AFU vulnerabilities in MCImageManager for TinyMCE

Full Disclosure - 19 May, 2013 - 13:06

Posted by MustLive on May 19

Hello list!

I want to warn you about vulnerabilities in Moxiecode Image Manager
(MCImageManager). This is a commercial plugin for TinyMCE. It concerns
MCImageManager as well as all web applications which have MCImageManager
in their bundle.

These are Arbitrary File Uploading vulnerabilities, which lead to Code
Execution on IIS and Apache web servers.

-------------------------
Affected products:
-------------------------

Vulnerable are Moxiecode...

AFU vulnerabilities in MCFileManager for TinyMCE

Full Disclosure - 18 May, 2013 - 15:52

Posted by MustLive on May 18

Hello list!

I want to warn you about vulnerabilities in Moxiecode File Manager
(MCFileManager). This is a commercial plugin for TinyMCE. It concerns
MCFileManager as well as all web applications which have MCFileManager
in their bundle.

These are Arbitrary File Uploading vulnerabilities, which lead to Code
Execution on IIS and Apache web servers.

-------------------------
Affected products:
-------------------------

Vulnerable are Moxiecode...

Re: My ISP is routing traffic to private addresses...

Full Disclosure - 18 May, 2013 - 08:01

Posted by Justin Elze on May 18

The idea behind private IP space is it doesn't leave the ISP's AS via BGP to
the rest of the internet.

Re: My ISP is routing traffic to private addresses...

Full Disclosure - 18 May, 2013 - 07:45

Posted by Dan Dart on May 18

Virgin at least use the 172.16.x.x internally to their infrastructure
- and they suggest you use 192.168.x.x for your personal use.
Traceroutes to any "external" address outside of their network go
through a 172.16.x.x

Re: My ISP is routing traffic to private addresses...

Full Disclosure - 18 May, 2013 - 06:46

Posted by Kirils Solovjovs on May 18

It should. Private address ranges are not marked "magic cows" inside a
classical router's firmware.

Still the problem OP is experiencing is strange, since if there is a
local subnet, it should have a priority local route. Why isn't it there?

Btw, I'd be cautious to state that ISP filter incoming packets with
dst=private. The limitation here would be that private ranges will
usually be router upstream, so you...

Re: My ISP is routing traffic to private addresses...

Full Disclosure - 18 May, 2013 - 02:40

Posted by Alexander Georgiev on May 18

It is sad that many people don't understand network basics. BTW, your
internet router should not forward rfc1918 addresses to the outside,
shouldn't he?

On 18 May 2013 04:09:48, Gary Baribault <gary () baribault net> wrote:

Re: My ISP is routing traffic to private addresses...

Full Disclosure - 17 May, 2013 - 21:15

Posted by Gary Baribault on May 18

There is no reason for that, you can use the same address inside as
outside so long as you don't try and reach a 10.0.0.0/8 in their
network, and that should never happen. I have seen some networks where
the inside address range is 192.168.0.0/16 or /8 and the outside is as
well, so long as you're trying to reach public ranges beyond the next
outside network it works just fine.

Gary Baribault
Email: gary () baribault net
GPG Key:...

Re: My ISP is routing traffic to private addresses...

Full Disclosure - 17 May, 2013 - 21:13

Posted by Gary Baribault on May 18

If they use the 10.0.0.0/8 there's no harm, if they use a DOD range or
another 'public' routable range, there is definitely a risk.

Gary B

Gary Baribault
Email: gary () baribault net
GPG Key: 0x685430d1
Fingerprint: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

Re: exploitation ideas under memory pressure

Full Disclosure - 17 May, 2013 - 19:50

Posted by Tavis Ormandy on May 18

Ahh, I just realised a really cute trick, we can make PATHREC->next
point to the same userspace PATHREC, and EPATHOBJ::bFlatten will spin
forever traversing an infinite linked list.

i.e.

PathRecord->next = PathRecord;

While it's spinning, another thread can clean up the pool, then patch
the listnode (because it's in userspace), to break into pprFlattenRec!
Turning this into a clean write-what-where should be trivial.

Anyone...

Re: My ISP is routing traffic to private addresses...

Full Disclosure - 17 May, 2013 - 18:50

Posted by Carl "Thomas" Guething on May 17

AT&T won't let you use 10.0.0.0/8 inside your home network on their devices
for the same reason. You will get an error if you try to configure their
device with it.

Re: My ISP is routing traffic to private addresses...

Full Disclosure - 17 May, 2013 - 18:49

Posted by Julius Kivimäki on May 17

Many ISPs do this, usually they hijack DoD ranges. It shouldn't cause any
issues.

2013/5/17 kyle kemmerer <krkemmerer () gmail com>

Re: My ISP is routing traffic to private addresses...

Full Disclosure - 17 May, 2013 - 18:47

Posted by mezgani ali on May 17

There are many ISPs that route IP traffic through networks with private
addresses, my ISP too does the same thing and has 10.0.0.0 class A addresses
routable.
Maybe it is a miss of IP addresses or maybe a NAT that was published due
to some network need.

regards,

exploitation ideas under memory pressure

Full Disclosure - 17 May, 2013 - 16:32

Posted by Tavis Ormandy on May 17

List, there's a pretty obvious bug in win32k!EPATHOBJ::pprFlattenRec where the
PATHREC object returned by win32k!EPATHOBJ::newpathrec doesn't initialise the
next list pointer. The bug is really nice, but exploitation when
allocations start failing is tricky.

As vuln-dev is dead, I thought I'd post here, I don't have much free
time to work on silly Microsoft code, so I'm looking for ideas on how to
fix the final obstacle...

Re: My ISP is routing traffic to private addresses...

Full Disclosure - 17 May, 2013 - 15:56

Posted by Gary Baribault on May 17

public or private IPs the problem is the same, but this was a routing
question .. and I see no problem with their using 'private' IPs on their
'inside' routing gear so long as they give me a routable public IP on my
gateway device.

Gary Baribault
Email: gary () baribault net
GPG Key: 0x685430d1
Fingerprint: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

Re: My ISP is routing traffic to private addresses...

Full Disclosure - 17 May, 2013 - 15:43

Posted by sec on May 17

The only problem is that anyone on a cable modem could access their
10.x.x.x/8 address space and frankly who cares.

Me, if they're still not signing (much less encrypting) packets on the
local loop, and continuing to wish real hard that no one builds serial
or other debug ports—or board headers for same—into "certified" cable
modems.

I have a Verizon Wireless femtocell with what looks like an HDMI port
on the bottom, but...