[Full-disclosure] RE: Full-Disclosure Digest, Vol 9, Issue 3

From: Martinez, Tino (Tempe) (Tino.Martinez2_at_Honeywell.com)
Date: 11/02/05

    Date: Wed, 2 Nov 2005 07:20:08 -0700
    To: <full-disclosure@lists.grok.org.uk>
    
    

    Yes

    -----Original Message-----
    From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of full-disclosure-request@lists.grok.org.uk
    Sent: Tuesday, November 01, 2005 10:42 PM
    To: full-disclosure@lists.grok.org.uk
    Subject: Full-Disclosure Digest, Vol 9, Issue 3

    Today's Topics:

       1. Snort Back Orifice Preprocessor Exploit (Win32 targets) (Kira)
       2. Re: RFID docs & tools ? (Eric Auge)
       3. Re: readdir_r considered harmful (Ben Hutchings)
       4. RE: RE: Full-Disclosure Digest, Vol 8, Issue 48 (Martijn Lievaart)
       5. Re: Re: [Full-disclosure] new IE bug (confirmed on ALL
          windows) (unknown unknown)
       6. Re: Comparing Algorithms On The List OfHard-to-brut-force?
          (Andrew Farmer)
       7. Re: Comparing Algorithms On The List OfHard-to-brut-force?
          (James Longstreet)
       8. Gateway 7001 A/B/G AP: Selection of improper regulatory
          domains and channels (Andrew Lockhart)
       9. Re: new IE bug (confirmed on ALL windows) (Greg)
      10. Re: new IE bug (confirmed on ALL windows) (Greg)
      11. Re: readdir_r considered harmful (Ben Hutchings)
      12. Cisco Security Advisory: Cisco IPS MC Malformed Configuration
          Download Vulnerability
          (Cisco Systems Product Security Incident Response Team)
      13. RE: new IE bug (confirmed on ALL windows) (ad@class101.org)
      14. New Online RainbowCrack Engine (MR BABS)
      15. MDKSA-2005:202 - Updated squirrelmail packages fix
          vulnerability (Mandriva Security Team)
      16. MDKSA-2005:203 - Updated gda2.0 packages fix string format
          vulnerability (Mandriva Security Team)
      17. MDKSA-2005:204 - Updated wget packages fix vulnerability
          (Mandriva Security Team)
      18. Re: New Online RainbowCrack Engine (str0ke)
      19. On Interpretation Conflict Vulnerabilities (Steven M. Christey)
      20. Re: how to describe this tool ? (Native.Code)

    ----------------------------------------------------------------------

    Message: 1
    Date: Tue, 1 Nov 2005 17:32:04 +0700
    From: Kira <trir00t@gmail.com>
    Subject: [Full-disclosure] Snort Back Orifice Preprocessor Exploit
            (Win32 targets)
    To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
    Message-ID:
            <ca67aa9e0511010232p5af56ddbja8fe6c02817fe2d3@mail.gmail.com>
    Content-Type: text/plain; charset="iso-8859-1"

    Dear All

    I wrote Snort Back Orifice Preprocessor Exploit for Win32 targets. It's for
    educational purpose only.
    This exploit was tested on

    - Snort 2.4.2 Binary + Windows XP Professional SP1
    - Snort 2.4.2 Binary + Windows XP Professional SP2
    - Snort 2.4.2 Binary + Windows Server 2003 SP1
    - Snort 2.4.2 Binary + Windows Server 2000 SP0
    - Snort 2.4.2 Binary + Windows 2000 Professional SP0

    Note 01: This exploit was written in form of MetaSploit module, so you need
    metasploit to launch it.
    Note 02: The exploit's quite reliable, but if it doesn't work on your
    machine, try to find address of 'jmp esp' instruction and replace it to the
    old return address.

    Regards,

    Kira
    -------------- next part --------------
    A non-text attachment was scrubbed...
    Name: snort_bo_overflow_win32.pm
    Type: application/octet-stream
    Size: 3507 bytes
    Desc: not available
    Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051101/5314e92e/snort_bo_overflow_win32-0001.obj

    ------------------------------

    Message: 2
    Date: Tue, 01 Nov 2005 10:52:09 +0100
    From: Eric Auge <eau@phear.org>
    Subject: [Full-disclosure] Re: RFID docs & tools ?
    To: full-disclosure@lists.grok.org.uk
    Cc: wifisec@securityfocus.com, pen-test@securityfocus.com
    Message-ID: <43673AC9.3040302@phear.org>
    Content-Type: text/plain; charset=ISO-8859-1; format=flowed

    http://openmrtd.org/

    Eric.

    Mark Sec wrote:
    > Alo folks,
    >
    >
    > Well , does anyone know links to buy "lectors" RFID ?
    >
    > I would like to do a "PoCs" on Hacking RFID , also i need tools,
    > pappers, PoCs & links related with this.
    >
    > thanks :-)
    >
    >
    > - Mark
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    > Hosted and sponsored by Secunia - http://secunia.com/
    >

    ------------------------------

    Message: 3
    Date: Tue, 01 Nov 2005 13:02:45 +0000
    From: Ben Hutchings <ben@decadentplace.org.uk>
    Subject: Re: [Full-disclosure] readdir_r considered harmful
    To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
    Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
    Message-ID: <1130850165.1980.7.camel@localhost>
    Content-Type: text/plain; charset="us-ascii"

    3APA3A wrote:
    > Dear Ben Hutchings,
    >
    >
    > If someone uses pathconf to determine buffer size it's his own problem
    > and he creates vulnerability by himself. You can list such applications
    > as vulnerable to race conditions.
    <snip>
    > NAME_MAX is defined in limits.h and should be 255 according to latest
    > POSIX extension. I see no problem with POSIX standard in this case.
    >
    > See:
    > http://www.opengroup.org/onlinepubs/009695399/basedefs/limits.h.html
    <snip>

    If you had read the above page more carefully, you would have seen these
    paragraphs:

    "The values in the following list may be constants within an
    implementation or may vary from one pathname to another. For example,
    file systems or directories may have different characteristics.

    "A definition of one of the values shall be omitted from the <limits.h>
    header on specific implementations where the corresponding value is
    equal to or greater than the stated minimum, but where the value can
    vary depending on the file to which it is applied. The actual value
    supported for a specific pathname shall be provided by the pathconf()
    function."

    -- 
    Ben Hutchings
    When you say `I wrote a program that crashed Windows', people just stare ...
    and say `Hey, I got those with the system, *for free*'. - Linus Torvalds

    ------------------------------

    Message: 4
    Date: Tue, 1 Nov 2005 15:56:40 +0100 (CET)
    From: "Martijn Lievaart" <m@rtij.nl>
    Subject: RE: [Full-disclosure] RE: Full-Disclosure Digest, Vol 8,
            Issue 48
    To: full-disclosure@lists.grok.org.uk
    Message-ID: <40591.217.166.60.19.1130857000.squirrel@ma.rtij.nl>
    Content-Type: text/plain; charset=iso-8859-1

    Nick FitzGerald said:
    > Martijn Lievaart wrote:
    >
    >> Hihi, clamav cought that... :-]
    >
    > Your point?

    I thought this thread was about evading virusscanners. So modifying a
    batch virus and pasting it in the middle of an email does not fool at
    least one virusscanner, fwiw. One can argue it is a false positive though.

    > Once upon a time it "cought" the GPL as a virus too...

    That is one virus I *want* to propagate. :-)

    M4

    ------------------------------

    Message: 5
    Date: Tue, 1 Nov 2005 17:42:15 +0000
    From: unknown unknown <unknown.pentester@gmail.com>
    Subject: Re: Re: [Full-disclosure] new IE bug (confirmed on ALL
            windows)
    To: full-disclosure@lists.grok.org.uk
    Message-ID:
            <b7a807650511010942jb84e1a5k507ae1a5bb391a52@mail.gmail.com>
    Content-Type: text/plain; charset="iso-8859-1"

    Mini version of IECrash confirmed IE 6.0 Windows XP Pro SP2 (English
    version)

    ------------------------------

    Message: 6
    Date: Tue, 1 Nov 2005 10:55:31 -0800
    From: Andrew Farmer <andfarm@gmail.com>
    Subject: Re: [Full-disclosure] Comparing Algorithms On The List
            OfHard-to-brut-force?
    To: Brandon Enright <bmenrigh@ucsd.edu>
    Cc: full-disclosure@lists.grok.org.uk
    Message-ID: <D0941C4D-BE84-4156-8275-2C9C3FE090E0@gmail.com>
    Content-Type: text/plain; charset="us-ascii"

    On 01 Nov 05, at 10:11, Brandon Enright wrote:
    > Brute forcing an algorithm suggests that you are not attacking a weakness or
    > known flaw in the algorithm but rather just running through the keyspace
    > trying to recover the plaintext.  In that case, whichever allows you to use
    > the most bits is what you want.

    Note that the encryption speed of an algorithm is *not* a significant factor
    in the time taken to brute-force it, except for extremely small keyspaces!

    Remember that the time taken to brute-force an N-bit algorithm that takes K
    seconds per encryption is, on average

        K * 2^N

    which increases much more rapidly with N than it does with K. Adding even one
    more bit will double the average time taken to brute-force an algorithm, while
    using a slower algorithm will only increase the difficulty marginally.

    Also note that anything beyond 256 bits is silly. Brute-forcing a 256-bit
    algorithm can be shown to be PHYSICALLY impossible, so there's no reason to
    go anywhere beyond that.

    ------------------------------

    Message: 7
    Date: Tue, 1 Nov 2005 13:04:16 -0600
    From: James Longstreet <jlongs2@uic.edu>
    Subject: Re: [Full-disclosure] Comparing Algorithms On The List
            OfHard-to-brut-force?
    To: full-disclosure@lists.grok.org.uk
    Message-ID: <576B0A1B-3A88-4F1A-9705-A2D122F68FC0@uic.edu>
    Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

    On Nov 1, 2005, at 12:11 PM, Brandon Enright wrote:
    > IIRC, there aren't any good known attacks against Blowfish, AES, or Twofish
    > so the *RIGHT* algorithm is whatever works best for your application.

    Depending on the situation, there may be a feasible cache-timing
    attack on software implementations of AES:
    http://cr.yp.to/antiforgery/cachetiming-20050414.pdf

    ------------------------------

    Message: 8
    Date: Tue, 01 Nov 2005 12:15:19 -0700
    From: Andrew Lockhart <alockhart@networkchemistry.com>
    Subject: [Full-disclosure] Gateway 7001 A/B/G AP: Selection of
            improper regulatory domains and channels
    To: <bugtraq@securityfocus.com>, "full-disclosure@lists.grok.org.uk"
            <full-disclosure@lists.grok.org.uk>
    Message-ID: <BF8D0CD7.EB9%alockhart@networkchemistry.com>
    Content-Type: text/plain; charset="US-ASCII"

    Issue: Gateway 7001 AP allows selection of restricted 802.11a/b/g channels
    Author: Network Chemistry Labs <labs at networkchemistry dot com>
    Vendor: Gateway
    Products: Gateway 7001 802.11 A/B/G Dual Band Wireless Access Point
    Type: Input Validation
    Exploit: Not required

    I. Intro

    The IEEE 802.11 family of standards define the channels that a
    device is allowed to operate on for specific geographic regions in
    order to comply with different countries' radio frequency usage
    regulations.

    II. Vulnerability

    The web management interface for the Gateway 7001 A/B/G AP contains an
    input validation vulnerability that allows anyone authenticated
    with the device's built-in web server to configure the device to
    use channels not regulated for 802.11a/b/g use in their geographic
    region.  The potential impact is that a user could configure the
    device to operate outside the allocated bandwidth for 802.11
    within their country, thus causing interference to other radio
    systems.  In addition, the device will not be visible to other
    802.11 devices operating in the area.

    III. Details

    The IEEE 802.11 standards provide guidance on the channels that a
    device may operate on in order to comply with a country's radio
    frequency usage regulations.  As is common on many access points,
    the Gateway 7001 A/B/G AP provides a web based interface for configuring
    the device.  This can be used to set the channel that the AP
    operates on.

    The POST form in the web-management interface used to set the
    channel includes a form element called "RegulatoryDomain."
    Through experimentation it appears that this parameter affects
    input validation operations on the channel supplied in the
    request. For example, if the regulatory domain parameter is set to
    FCC, then the device's firmware will only change channels if the
    channel value in the request is from 1 to 11.  Anything outside
    this range, such as channel 13 (a European channel), will be
    rejected.

    However, if the regulatory domain parameter is changed, then the
    firmware will allow the device's channel to be changed to any
    channel allowed in the specified domain.  This can cause the
    device to create interference with non-802.11 devices in the
    vicinity as well as allow devices to be configured to elude 802.11
    security walk-throughs by operating on frequencies that the
    detection equipment is incapable of monitoring.

    IV. Demonstration

    In addition to POST requests, the web interface will accept the
    same parameters in the form of a GET request. The web-based
    management software for the Gateway 7001 A/B/G AP uses a request string
    of the following form to set configuration parameters:

    http://192.168.2.1/index.cgi?r1Mode=IEEE+802.11g&r1RegulatoryDomain=FCC&r1Channel=1&r2Mode=IEEE+802.11a&r2RegulatoryDomain=FCC&r2Channel=36&r1b1s1Ssid=NetChemLabs&r1b2s1Ssid=NetChemLabs-Guest&page=wireless.html&Update=Update

    To change the frequencies of operation available all that needs to
    be done is to simply change the RegulatoryDomain parameter.  For
    instance to operate on Japanese channels, the string "FCC" would
    be changed to "MKK."  This allows the channel parameters
    corresponding to the 802.11b/g and 802.11a radios to be changed to
    channels such as 14 and 34 respectively, which the management
    software will apply to the underlying hardware:

    http://192.168.2.1/index.cgi?r1Mode=IEEE+802.11g&r1RegulatoryDomain=MKK&r1Channel=14&r2Mode=IEEE+802.11a&r2RegulatoryDomain=MKK&r2Channel=34&r1b1s1Ssid=NetChemLabs+&r1b2s1Ssid=NetChemLabs-Guest&page=wireless.html&Update=Update

    It was also verified that European channels were settable when
    changing the RegulatoryDomain parameter to "ETSI."  To verify that
    the device is indeed operating on non-FCC channels, special 802.11
    sensor hardware was used to monitor the device on the specified
    channels.

    The Gateway 7001 A/B/G AP makes use of DeviceScape's Instant802 Wireless
    Infrastructure Platform for configuration and management.  It is
    unknown at this time whether this issue affects other devices
    utilizing this software, due to the fact that we have only tested
    the Gateway 7001 A/B/G AP at this point. Gateway also produces an
    802.11 b/g version of the Gateway 7001 AP.  It is also unknown whether
    this model is affected.

    It should be noted that Gateway does not provide a firmware upgrade
    for the affected AP.

    V. Timeline

    10/21 - Contacted Gateway: No response received
    10/21 - Contacted DeviceScape: No response received
    10/4 - Contacted Gateway: No response received
    9/28 - Contacted DeviceScape to confirm they had observed the issue: No
           response received
    9/26 - Contacted Gateway: No response received
    9/21 - Made contact with Gateway Support: told someone would follow-up
    9/20 - Received follow-up response from DeviceScape
    9/19 - Made contact with DeviceScape

    VI. References

    Gateway 7001 A/B/G AP product support page:
    http://support.gateway.com/s/Servers/COMPO/NETWORK/7005082/7005082nv.shtml

    Instant802 WIP product page:
    http://www.devicescape.com/products/wip_landing.php

    --
    Andrew Lockhart <alockhart@networkchemistry.com>
    Security Analyst, Network Chemistry
    PGP Key ID: 58369156
    Fingerprint: 0AE1 E826 1922 5453 2B34  E1AA F524 D20B 5836 9156
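
The validation gap described in the Gateway 7001 advisory above, as an added example that is not part of the original post or the vendor's firmware: it contrasts a check that trusts the RegulatoryDomain sent in the request with one pinned to a provisioned domain, and audits configuration requests against that pinned value. The function names and the simplified channel tables are assumptions made for this example; the two request strings are the ones quoted in the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Simplified channel plans (assumption for this example, not read from the
# device firmware). The 2.4 GHz ranges follow the advisory: FCC 1-11, ETSI
# includes 13, MKK includes 14; the MKK 5 GHz plan includes channel 34.
CHANNEL_PLAN = {
    "FCC":  {"IEEE 802.11g": set(range(1, 12)),
             "IEEE 802.11a": {36, 40, 44, 48, 52, 56, 60, 64}},
    "ETSI": {"IEEE 802.11g": set(range(1, 14)),
             "IEEE 802.11a": {36, 40, 44, 48, 52, 56, 60, 64}},
    "MKK":  {"IEEE 802.11g": set(range(1, 15)),
             "IEEE 802.11a": {34, 38, 42, 46}},
}

# Per-radio parameters as they appear in the advisory's request strings.
RADIO_PARAM = re.compile(r"(r\d+)(Mode|RegulatoryDomain|Channel)")

# Request strings quoted in the advisory (line wraps rejoined).
FCC_REQUEST = ("http://192.168.2.1/index.cgi?r1Mode=IEEE+802.11g"
               "&r1RegulatoryDomain=FCC&r1Channel=1&r2Mode=IEEE+802.11a"
               "&r2RegulatoryDomain=FCC&r2Channel=36&r1b1s1Ssid=NetChemLabs"
               "&r1b2s1Ssid=NetChemLabs-Guest&page=wireless.html&Update=Update")
MKK_REQUEST = ("http://192.168.2.1/index.cgi?r1Mode=IEEE+802.11g"
               "&r1RegulatoryDomain=MKK&r1Channel=14&r2Mode=IEEE+802.11a"
               "&r2RegulatoryDomain=MKK&r2Channel=34&r1b1s1Ssid=NetChemLabs+"
               "&r1b2s1Ssid=NetChemLabs-Guest&page=wireless.html&Update=Update")


def parse_radios(url):
    """Group the rN* parameters by radio, e.g. {'r1': {'Mode': ..., ...}}."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    radios = {}
    for key, values in params.items():
        match = RADIO_PARAM.fullmatch(key)
        if match:  # SSID and page parameters do not match and are skipped
            radios.setdefault(match.group(1), {})[match.group(2)] = values[-1]
    return radios


def channel_allowed(domain, mode, channel):
    """True only if the channel is in the plan for this domain and mode."""
    try:
        return int(channel) in CHANNEL_PLAN[domain][mode]
    except (KeyError, ValueError, TypeError):
        return False  # unknown domain or mode, missing or non-numeric channel


def firmware_style_accepts(url):
    """Behaviour the advisory describes: the channel is validated against
    whatever domain arrives in the same request."""
    return {name: channel_allowed(r.get("RegulatoryDomain"), r.get("Mode"),
                                  r.get("Channel"))
            for name, r in parse_radios(url).items()}


def audit_request(url, provisioned_domain):
    """Hardened check: the domain is fixed at provisioning time. Returns
    (radio, reason, requested_domain, requested_channel) for each violation."""
    findings = []
    for name, radio in sorted(parse_radios(url).items()):
        domain, channel = radio.get("RegulatoryDomain"), radio.get("Channel")
        if domain != provisioned_domain:
            findings.append((name, "domain-override", domain, channel))
        elif not channel_allowed(provisioned_domain, radio.get("Mode"), channel):
            findings.append((name, "channel-out-of-plan", domain, channel))
    return findings


if __name__ == "__main__":
    for label, url in (("FCC request", FCC_REQUEST), ("MKK request", MKK_REQUEST)):
        print(label, "| request-trusting check:", firmware_style_accepts(url),
              "| pinned to FCC:", audit_request(url, "FCC"))
```

The same `audit_request` function can be run over request lines from a management-interface access log to flag any configuration change that names a domain other than the one the unit was provisioned for.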

    ------------------------------

    Message: 9
    Date: Wed, 2 Nov 2005 07:31:57 +1100
    From: "Greg" <full-disclosure@pchandyman.com.au>
    Subject: Re: [Full-disclosure] new IE bug (confirmed on ALL windows)
    To: <full-disclosure@lists.grok.org.uk>
    Message-ID: <005601c5df23$4eaa9a20$5601010a@P4>
    Content-Type: text/plain; format=flowed; charset="iso-8859-1";
            reply-type=original

    ----- Original Message -----
    From: <ad@class101.org>
    To: <full-disclosure@lists.grok.org.uk>
    Sent: Wednesday, November 02, 2005 4:00 AM
    Subject: [Full-disclosure] new IE bug (confirmed on ALL windows)

    >I think I have found by chance this weekend a security bug,while browsing
    > the website news, within iexplorer on all windows versions.
    >

    Sorry to be the "Negative Nark" here but yes, the crash works on IESP2 with
    XPSP2 but NO it does NOT crash WIN98SE with IESP2. The 98SE box was
    networked through ICS (wired to this XP box then wi-fi to a router) and has
    no firewall of its own. This XP box through which the 98SE box gets its
    internet is in the router's DMZ and uses only Zone Alarm Pro, just for
    clarity.

    So, in essence the "confirmed on all windows" is wrong.

    Greg.

    ------------------------------

    Message: 10
    Date: Wed, 2 Nov 2005 07:42:02 +1100
    From: "Greg" <full-disclosure@pchandyman.com.au>
    Subject: Re: [Full-disclosure] new IE bug (confirmed on ALL windows)
    To: <full-disclosure@lists.grok.org.uk>
    Message-ID: <006301c5df24$b6eba380$5601010a@P4>
    Content-Type: text/plain; format=flowed; charset="iso-8859-1";
            reply-type=response

    ----- Original Message -----
    From: "Greg" <full-disclosure@pchandyman.com.au>
    To: <full-disclosure@lists.grok.org.uk>
    Sent: Wednesday, November 02, 2005 7:31 AM
    Subject: Re: [Full-disclosure] new IE bug (confirmed on ALL windows)

    > Sorry to be the "Negative Nark" here but yes, the crash works on IESP2
    > with XPSP2 but NO it does NOT crash WIN98SE with IESP2. The 98SE box was
    > networked through ICS (wired to this XP box then wi-fi to a router) and
    > has no firewall of its own. This XP box through which the 98SE box gets
    > its internet is in the router's DMZ and uses only Zone Alarm Pro, just
    > for clarity.
    >
    > So, in essence the "confirmed on all windows" is wrong.
    >

    Sorry about the typo. Of course I meant IE6SP2 above where I typed IESP2.
    Lesson learned - don't go typing things like that after about 6 hours sleep
    in the last 48! Never work for yourself. The boss is a &*^%!!

    Greg.

    ------------------------------

    Message: 11
    Date: Tue, 01 Nov 2005 20:16:42 +0000
    From: Ben Hutchings <ben@decadentplace.org.uk>
    Subject: [Full-disclosure] Re: readdir_r considered harmful
    To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
    Message-ID: <1130876202.1994.60.camel@localhost>
    Content-Type: text/plain; charset="us-ascii"

    I wrote:
    > readdir_r considered harmful
    > ============================

    A second revision of this advisory (and any future revisions) can be
    found at <http://womble.decadentplace.org.uk/readdir_r-advisory.html>.
    I have updated the recommendations to cover HP-UX and Tru64 properly.

    Ben.

    -- 
    Ben Hutchings
    When you say `I wrote a program that crashed Windows', people just stare ...
    and say `Hey, I got those with the system, *for free*'. - Linus Torvalds

    ------------------------------

    Message: 12
    Date: Tue, 01 Nov 2005 16:50:22 -0500
    From: Cisco Systems Product Security Incident Response Team
            <psirt@cisco.com>
    Subject: [Full-disclosure] Cisco Security Advisory: Cisco IPS MC
            Malformed Configuration Download Vulnerability
    To: full-disclosure@lists.grok.org.uk
    Cc: psirt@cisco.com
    Message-ID: <200511011650.ipsmc@psirt.cisco.com>

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Cisco Security Advisory:
    ========================
    Cisco IPS MC Malformed Configuration Download Vulnerability
    ===========================================================

    Document ID: 68065

    Revision 1.0

    Last Updated

    For Public Release 2005 November 1 2000 UTC (GMT)

    - -----------------------------------------------------------------------

    Contents
    ========

        Summary
        Affected Products
        Details
        Impact
        Software Versions and Fixes
        Obtaining Fixed Software
        Workarounds
        Exploitation and Public Announcements
        Status of This Notice: FINAL
        Distribution
        Revision History
        Cisco Security Procedures

    - -----------------------------------------------------------------------

    Summary
    =======

    The CiscoWorks VPN/Security Management Solution (VMS) is a network
    management application that includes Web-based tools for configuring,
    monitoring, and troubleshooting VPNs, firewalls, network intrusion
    detection systems (NIDSs), network intrusion prevention systems (NIPSs)
    and host intrusion prevention systems (HIPSs). CiscoWorks VMS also
    includes network device inventory, change audit, and software
    distribution features.

    An issue exists in one of the components of the Cisco Management Center
    for IPS Sensors (IPS MC) v2.1 during the generation of the Cisco IOS
    IPS (Intrusion Prevention System) configuration file that may result in
    some signatures belonging to certain classes being disabled during the
    configuration deployment process.

    Cisco has made a free software patch available to address this
    vulnerability for affected customers.

    This advisory is posted at
    http://www.cisco.com/warp/public/707/cisco-sa-20051101-ipsmc.shtml.

    Affected Products
    =================

    Vulnerable Products
    +------------------

      * Cisco IOS IPS devices that have been configured by IPS MC v2.1.

    Products Confirmed Not Vulnerable
    +--------------------------------

      * Cisco IOS IPS devices that have NOT been configured by IPS MC v2.1.
        This category includes Cisco IOS IPS devices that have been
        configured by using any of the following methods:
          + Cisco IDS MC (Management Center for IDS Sensors)
          + Cisco SDM (Security Device Manager)
          + Cisco IOS CLI (Command Line Interface)
      * Any other Cisco IDS/IPS solution, configured by either Cisco IPS MC
        v2.1, Cisco IDS MC (any version), Cisco SDM (any version) or by
        using the Cisco IOS CLI. These include:
          + Cisco IOS IDS
          + Cisco PIX/ASA IDS
          + Cisco IPS 4200 Series Sensors
          + Cisco Catalyst 6500/7600 Series Intrusion Detection System
            (IDSM-2) Module
          + Cisco IDS Network Module (NM-CIDS-K9)
          + Cisco ASA Advanced Inspection and Prevention (AIP) Security
            Services Module

    No other Cisco products are currently known to be affected by these
    vulnerabilities.

    Details
    =======

    Some Cisco routers running Cisco IOS include a feature called Cisco IOS
    IPS. The Cisco IOS IPS acts as an in-line intrusion protection sensor,
    watching packets and sessions as they flow through the router and
    scanning each packet to match any of the Cisco IOS IPS signatures that
    have been enabled on the device configuration. When it detects
    suspicious activity, it responds before network security can be
    compromised and logs the event through Cisco IOS syslog messages or
    Security Device Event Exchange (SDEE). The network administrator can
    configure Cisco IOS IPS to choose the appropriate response to various
    threats.

    Customers can use multiple methods, including Cisco IPS MC, Cisco IDS
    MC, Cisco SDM and the Cisco IOS CLI, to enable, disable and configure
    Cisco IOS IPS signatures. Some signatures dealing with TCP or UDP
    traffic analyze traffic destined to specific ports. Those ports are
    pre-configured with default values, and some signatures might allow
    changes to the list of ports to be monitored.

    If the Cisco IOS IPS devices have been configured by using the Cisco
    IPS MC v2.1, the Cisco IPS MC might download a configuration file to
    the device that does not contain a value for the port field in one or
    more signatures, resulting in the affected Cisco IOS IPS device
    disabling those signatures. Only signatures using either the STRING.TCP
    or STRING.UDP signature micro-engine (SME) are affected by this
    vulnerability. Additionally, this behavior only happens if those
    signatures were enabled and configured from the Cisco IPS MC GUI;
    signatures belonging to the STRING.TCP or STRING.UDP SMEs that were
    previously configured on the device and imported into the Cisco IPS MC
    will not experience this issue.

    The list of signatures currently loaded into a Cisco IOS IPS device and
    their status can be obtained by executing the "show ip ips signatures"
    command. The following abbreviated output shows signatures currently
    loaded into the device, both enabled and disabled:

     Router#show ip ips signatures
     Builtin signatures are configured
     Signatures were last loaded from flash:128MB.sdf
     Cisco SDF release version 128MB.sdf v4
     Trend SDF release version V0.0
     *=Marked for Deletion  Action=(A)larm,(D)rop,(R)eset   Trait=AlarmTraits
     MH=MinHits             AI=AlarmInterval                CT=ChokeThreshold
     TI=ThrottleInterval    AT=AlarmThrottle                FA=FlipAddr
     WF=WantFrag
     Signature Micro-Engine: OTHER (4 sigs)
      SigID:SubID On Action  Sev Trait     MH    AI    CT    TI AT FA WF Version
      ----------- -- ------ ---- -----  ----- ----- ----- ----- -- -- -- -------
       1201:0      Y   A    HIGH     0      0     0    30    15 FA  N  N 2.2.1.5
       1202:0      Y   A    HIGH     0      0     0   100    15 FA  N  N 2.2.1.5
       1203:0      Y   A    HIGH     0      0     0    30    15 FA  N  N 2.2.1.5
       3050:0      Y   A    HIGH     0      0     0     0    15 FA  N    1.0
     Signature Micro-Engine: STRING.ICMP (1 sigs)
      SigID:SubID On Action  Sev Trait     MH    AI    CT    TI AT FA WF Version
      ----------- -- ------ ---- -----  ----- ----- ----- ----- -- -- -- -------
       2156:0      Y   A     MED     0      0     0     0    15 FA  N    S54
     Signature Micro-Engine: STRING.UDP (16 sigs)
      SigID:SubID On Action  Sev Trait     MH    AI    CT    TI AT FA WF Version
      ----------- -- ------ ---- -----  ----- ----- ----- ----- -- -- -- -------
       4060:0      Y   A     MED     0      0     0     0    15 FA  N    S10
       4060:1      Y   A     MED     0      0     0     0    15 FA  N    S173
       4607:0      Y   A    HIGH     0      0     0     0    15 FA  N    S30
       4607:1      Y   A    HIGH     0      0     0     0    15 FA  N    S30
       4607:2      Y   A    HIGH     0      0     0     0    15 FA  N    S30
       4607:3      Y   A    HIGH     0      0     0     0    15 FA  N    S30
       4607:4      Y   A    HIGH     0      0     0     0    15 FA  N    S30
       4608:0      N   A    HIGH     0      1     0     0    15 FA  N    S30
       4608:1      Y   A    HIGH     0      1     0     0    15 FA  N    S30
       4608:2      Y   A    HIGH     0      1     0     0    15 FA  N    S30
      11000:0      N   A     LOW     0      0     0     0    15 FA  N    S37
      11000:1      Y   A     LOW     0      0     0     0    15 FA  N    S37
      11000:2      Y   A     LOW     0      0     0     0    15 FA  N    S136
      11207:0      Y   A    INFO     0      0     0     0    15 FA  N    S139
      11208:0      Y   A    INFO     0      0     0     0    15 FA  N    S139
      11209:0      Y   A    INFO     0      0     0     0    15 FA  N    S139
     Signature Micro-Engine: STRING.TCP (60 sigs)
      SigID:SubID On Action  Sev Trait     MH    AI    CT    TI AT FA WF Version
      ----------- -- ------ ---- -----  ----- ----- ----- ----- -- -- -- -------
       3116:0      Y   A    HIGH     0      1     0     0    15 FA  N    S12
       3117:0      N   A     LOW     0      1     0     0    15 FA  N    S13
       3117:1      Y   A     LOW     0      1     0     0    15 FA  N    S13
       3120:0      Y   A     LOW     0      1     0     0    15 FA  N    S13
       3120:1      Y   A     LOW     0      1     0     0    15 FA  N    S13
       3132:0      Y   A    HIGH     0      1     0     0    15 FA  N    S67
       3132:1      Y   A    HIGH     0      1     0     0    15 FA  N    S67
       3135:0      Y   A    HIGH     0      1     0     0    15 FA  N    S73
       3137:1      Y   A    HIGH     0      1     0     0    15 FA  N    S83
       3137:2      Y   A    HIGH     0      1     0     0    15 FA  N    S128
       3141:0      Y   A    HIGH     0      1     0     0    15 FA  N    S94
       3142:1      Y   A    HIGH     0      1     0     0    15 FA  N    S92
       3152:0      Y   A     MED     0      1     0     0    15 FA  N    2.1.1
       3450:0      Y   A     LOW     0      1     0     0    15 FA  N    1.0
       5570:0      Y   A R  HIGH     0      1     0     0    15 FA  N    S185
       5571:0      Y   A R  HIGH     0      1     0     0    15 FA  N    S185
       9479:0      Y   A    HIGH     0      1     0     0    15 FA  N    S104
       9480:0      Y   A    HIGH     0      1     0     0    15 FA  N    S104
       9481:0      Y   A    HIGH     0      1     0     0    15 FA  N    S104
       9482:0      Y   A    HIGH     0      1     0     0    15 FA  N    S104
       9483:0      Y   A    HIGH     0      1     0     0    15 FA  N    S104
      --More--
    Any signature with a capital N under the 'On' column is DISABLED, while
    any signature with a capital Y under the same column is ENABLED. In
    this example, signatures 4608:0 and 11000:0 (belonging to the
    STRING.UDP SME), and signature 3117:0 (belonging to the STRING.TCP SME)
    are listed as disabled. For each signature listed as disabled in the
    output of the "show ip ips signatures" command, a corresponding 
    "ip ips signature <SigID> <SubsigID> disable" command should be visible 
    in the running configuration. This is an example of the 
    "show running-configuration" command, using a filter to only display
    configuration lines belonging to signatures that have been disabled:
        Router#show running-config | include ip ips signature .* disable
        ip ips signature 11000 0 disable
        ip ips signature 4608 0 disable
        ip ips signature 3117 0 disable
        Router#
    This vulnerability is documented in the Cisco Bug Toolkit as Bug ID
    CSCsc33696. 
    Impact
    ======
    While this is not a vulnerability in the Cisco IOS IPS code itself, in
    the processing performed by Cisco IOS IPS on traffic traversing the
    device, or in the Cisco IPS MC v2.1, this vulnerability might result in
    an incomplete analysis of network traffic traversing the Cisco IOS IPS
    device, which could allow some attacks to go unnoticed.
    Software Versions and Fixes
    ===========================
    When considering software upgrades, please also consult 
    http://www.cisco.com/en/US/products/products_security_advisories_listing.html
    and any subsequent advisories to determine exposure and a complete
    upgrade solution.
    In all cases, customers should exercise caution to be certain the
    devices to be upgraded contain sufficient memory and that current
    hardware and software configurations will continue to be supported
    properly by the new release. If the information is not clear, contact
    the Cisco Technical Assistance Center ("TAC") for assistance.
    Cisco has developed a software fix for this vulnerability. Once the fix
    is applied to a VMS server running IPS MC v2.1, the IPS MC will
    correctly populate the port field attached to a signature using either
    the STRING.TCP or STRING.UDP SME. Additional steps will be required to
    be performed. Please read the README file published together with the
    software fix.
    In order to obtain this software fix, customers should access the VMS
    Software download page for IDS MC and IPS MC, available at 
    http://www.cisco.com/pcgi-bin/tablebuild.pl/mgmt-ctr-ids-app. 
    The fix consists of the following three files:
      * idsmdc2.1.0-win-CSCsc336961.tar - this file contains the fix itself
        for IPS MC v2.1 running on the Windows operating system.
      * CSCOids2.1.0-sol-CSCsc336961.tar - this file contains the fix
        itself for IPS MC v2.1 running on the Solaris operating system.
      * CSCsc33696-README.txt - this file contains instructions on how to
        apply the software fix to an affected IPS MC v2.1 installation
        (either Windows or Solaris) and any needed pre- and
        post-installation tasks to be carried out by the user.
    Obtaining Fixed Software
    ========================
    Customers with Service Contracts
    +-------------------------------
    Customers with contracts should obtain upgraded software through their
    regular update channels. For most customers, this means that upgrades
    should be obtained through the Software Center on Cisco's worldwide
    website at http://www.cisco.com.
    Customers using Third-party Support Organizations
    +------------------------------------------------
    Customers whose Cisco products are provided or maintained through prior
    or existing agreement with third-party support organizations such as
    Cisco Partners, authorized resellers, or service providers should
    contact that support organization for assistance with the upgrade,
    which should be free of charge.
    Customers without Service Contracts
    +----------------------------------
    Customers who purchase direct from Cisco but who do not hold a Cisco
    service contract and customers who purchase through third-party vendors
    but are unsuccessful at obtaining fixed software through their point of
    sale should get their upgrades by contacting the Cisco Technical
    Assistance Center (TAC). TAC contacts are as follows.
      * +1 800 553 2447 (toll free from within North America)
      * +1 408 526 7209 (toll call from anywhere in the world)
      * e-mail: tac@cisco.com
    Please have your product serial number available and give the URL of
    this notice as evidence of your entitlement to a free upgrade. Free
    upgrades for non-contract customers must be requested through the TAC.
    Please do not contact either "psirt@cisco.com" or
    "security-alert@cisco.com" for software upgrades.
    See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
    additional TAC contact information, including special localized
    telephone numbers and instructions and e-mail addresses for use in
    various languages.
    Customers may only install and expect support for the feature sets they
    have purchased. By installing, downloading, accessing or otherwise
    using such software upgrades, customers agree to be bound by the terms
    of Cisco's software license terms found at 
    http://www.cisco.com/public/sw-license-agreement.html, or as otherwise 
    set forth at Cisco.com Downloads at 
    http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
    Workarounds
    ===========
    There are no recommended workarounds for this vulnerability. Please see
    the Obtaining Fixed Software section for appropriate solutions to
    resolve this vulnerability.
    Exploitation and Public Announcements
    =====================================
    The Cisco PSIRT is not aware of any public announcements or malicious
    use of the vulnerability described in this advisory.
    This vulnerability was reported to Cisco by a customer.
    Status of This Notice: FINAL
    ============================
    THIS ADVISORY IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
    KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF
    MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE ADVISORY OR
    MATERIALS LINKED FROM THE ADVISORY IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS NOTICE AT ANY TIME.
    A stand-alone copy or paraphrase of the text of this security advisory
    that omits the distribution URL in the following section is an
    uncontrolled copy, and may lack important information or contain
    factual errors.
    Distribution
    ============
    This advisory is posted on Cisco's worldwide website at 
    http://www.cisco.com/warp/public/707/cisco-sa-20051101-ipsmc.shtml.
    In addition to worldwide web posting, a text version of this notice is
    clear-signed with the Cisco PSIRT PGP key and is posted to the
    following e-mail and Usenet news recipients.
      * cust-security-announce@cisco.com
      * first-teams@first.org (includes CERT/CC)
      * bugtraq@securityfocus.com
      * vulnwatch@vulnwatch.org
      * cisco@spot.colorado.edu
      * cisco-nsp@puck.nether.net
      * full-disclosure@lists.grok.org.uk
      * comp.dcom.sys.cisco@newsgate.cisco.com
    Future updates of this advisory, if any, will be placed on Cisco's
    worldwide website, but may or may not be actively announced on mailing
    lists or newsgroups. Users concerned about this problem are encouraged
    to check the above URL for any updates.
    Revision History
    ================
    +----------------------------------------------------------+
    |              |                 |                         |
    | Revision 1.0 | 2005-November-1 | Initial public release  |
    |              |                 |                         |
    +----------------------------------------------------------+
    Cisco Security Procedures
    =========================
    Complete information on reporting security vulnerabilities in Cisco
    products, obtaining assistance with security incidents, and registering
    to receive security information from Cisco, is available on Cisco's
    worldwide website at 
    http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
    This includes instructions for press inquiries regarding Cisco security 
    notices. All Cisco security advisories are available at 
    http://www.cisco.com/go/psirt.
    - -----------------------------------------------------------------------
    All contents are Copyright 1992-2005 Cisco Systems, Inc. All rights
    reserved. 
    - -----------------------------------------------------------------------
    Updated: Nov 01, 2005                                Document ID: 68065
    - -----------------------------------------------------------------------
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (GNU/Linux)
    iD8DBQFDZ+KGezGozzK2tZARAkDVAKDOXsdNfnhpR6CpADZVG/H/1yr6iQCguiYn
    CdFv8GhqlFcXy38ur6sSN7I=
    =Xc7B
    -----END PGP SIGNATURE-----
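The Cisco advisory above says every signature shown as disabled by "show ip ips signatures" should have a matching "ip ips signature <SigID> <SubsigID> disable" line in the running configuration. The following is an added example, not part of the advisory and not Cisco code: it parses both outputs and lists the mismatches. The sample text is constructed from the format shown in the advisory, and the function names are assumptions of this example.

```python
import re

# One data row of "show ip ips signatures": "SigID:SubID  On  Action ..."
SIG_ROW = re.compile(r"^\s*(\d+):(\d+)\s+([YN])\s")
# Section header naming the signature micro-engine (SME) for the rows below it
SME_HEADER = re.compile(r"^\s*Signature Micro-Engine:\s*(\S+)")
# Running-config line that disables one signature
DISABLE_CMD = re.compile(r"^\s*ip ips signature (\d+) (\d+) disable\s*$")

# Constructed sample modelled on the advisory's output format. Row 3120:0 is
# set to N on purpose so that the audit has a mismatch to report.
SAMPLE_SHOW = """\
Signature Micro-Engine: STRING.UDP
 SigID:SubID On Action  Sev Trait     MH    AI    CT    TI AT FA WF Version
 ----------- -- ------ ---- -----  ----- ----- ----- ----- -- -- -- -------
  4608:0      N   A    HIGH     0      0     0     0    15 FA  N    S30
 11000:0      N   A     LOW     0      0     0     0    15 FA  N    S136
 11000:2      Y   A     LOW     0      0     0     0    15 FA  N    S136
Signature Micro-Engine: STRING.TCP (60 sigs)
 SigID:SubID On Action  Sev Trait     MH    AI    CT    TI AT FA WF Version
 ----------- -- ------ ---- -----  ----- ----- ----- ----- -- -- -- -------
  3116:0      Y   A    HIGH     0      1     0     0    15 FA  N    S12
  3117:0      N   A     LOW     0      1     0     0    15 FA  N    S13
  3120:0      N   A     LOW     0      1     0     0    15 FA  N    S13
  5570:0      Y   A R  HIGH     0      1     0     0    15 FA  N    S185
 --More--
"""

# The filtered running-config output as printed in the advisory.
SAMPLE_CONFIG = """\
Router#show running-config | include ip ips signature .* disable
ip ips signature 11000 0 disable
ip ips signature 4608 0 disable
ip ips signature 3117 0 disable
Router#
"""


def parse_show_signatures(text):
    """Return {(sig_id, subsig_id): (engine, enabled)} from the show output."""
    signatures = {}
    engine = None
    for line in text.splitlines():
        header = SME_HEADER.match(line)
        if header:
            engine = header.group(1)
            continue
        row = SIG_ROW.match(line)  # column headers, rulers and --More-- do not match
        if row:
            key = (int(row.group(1)), int(row.group(2)))
            signatures[key] = (engine, row.group(3) == "Y")
    return signatures


def parse_disable_commands(text):
    """Return the set of (sig_id, subsig_id) disabled in the running config."""
    disabled = set()
    for line in text.splitlines():
        match = DISABLE_CMD.match(line)
        if match:
            disabled.add((int(match.group(1)), int(match.group(2))))
    return disabled


def audit(show_text, config_text):
    """Compare operational state with configured intent."""
    signatures = parse_show_signatures(show_text)
    configured = parse_disable_commands(config_text)
    return {
        # Disabled on the device although nobody configured it that way
        "disabled_without_command": sorted(
            (sig, sub, engine)
            for (sig, sub), (engine, enabled) in signatures.items()
            if not enabled and (sig, sub) not in configured
        ),
        # Configured as disabled but still reported as enabled
        "command_but_enabled": sorted(
            key for key in configured if key in signatures and signatures[key][1]
        ),
        # Disable command for a signature the parsed output does not list
        "command_for_unlisted_signature": sorted(configured - signatures.keys()),
    }


if __name__ == "__main__":
    for finding, entries in audit(SAMPLE_SHOW, SAMPLE_CONFIG).items():
        print(finding, entries)
```

Feed it the complete "show ip ips signatures" output (all pages, without stopping at --More--); otherwise disable commands for signatures on later pages show up under command_for_unlisted_signature.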
    ------------------------------
    Message: 13
    Date: Wed, 2 Nov 2005 00:06:18 +0100
    From: <ad@class101.org>
    Subject: RE: [Full-disclosure] new IE bug (confirmed on ALL windows)
    To: "'Greg'" <full-disclosure@pchandyman.com.au>
    Cc: full-disclosure@lists.grok.org.uk
    Message-ID: <000301c5df38$df7ad960$0400a8c0@winxp64>
    Content-Type: text/plain;	charset="iso-8859-1"
    Rofl... there is always someone to play with words...
    -----Original Message-----
    From: full-disclosure-bounces@lists.grok.org.uk
    [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Greg
    Sent: Tuesday, 1 November 2005 21:32
    To: full-disclosure@lists.grok.org.uk
    Subject: Re: [Full-disclosure] new IE bug (confirmed on ALL windows)
    ----- Original Message ----- 
    From: <ad@class101.org>
    To: <full-disclosure@lists.grok.org.uk>
    Sent: Wednesday, November 02, 2005 4:00 AM
    Subject: [Full-disclosure] new IE bug (confirmed on ALL windows)
    >I think I have found by chance this weekend a security bug, while browsing
    > the website news, within iexplorer on all windows versions.
    >
    Sorry to be the "Negative Nark" here but yes, the crash works on IESP2 with 
    XPSP2 but NO it does NOT crash WIN98SE with IESP2. The 98SE box was 
    networked through ICS (wired to this XP box then wi-fi to a router) and has 
    no firewall of its own. This XP box through which the 98SE box gets its 
    internet is in the router's DMZ and uses only Zone Alarm Pro, just for 
    clarity.
    So, in essence the "confirmed on all windows" is wrong.
    Greg. 
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
    ------------------------------
    Message: 14
    Date: Tue, 1 Nov 2005 18:16:09 -0500
    From: MR BABS <mrbabs@gmail.com>
    Subject: [Full-disclosure] New Online RainbowCrack Engine
    To: full-disclosure@lists.grok.org.uk
    Message-ID:
    	<7351b7a60511011516h45f53400xde9d126e7ecdbcc5@mail.gmail.com>
    Content-Type: text/plain; charset="iso-8859-1"
    Hey guys,
      Just finished everything up on RainbowCrack-Online, wasn't sure if anyone
    would be interested, there's a membership fee, as servers, generation and
    cracking machines are expensive, you guys know the score.
     Really nice collection of tables, you can take a look-see at
    www.rainbowcrack-online.com <http://www.rainbowcrack-online.com/>.
    Current sets include:
    LanManager-All (all printable chars) 1-14 (the tables are 1-7, but view the
    specs on LM hashing for more info)
    NTLM MixAlpha Numeric 1-7
    NTLM LowerAlpha Numeric 1-8
    MD5 Alpha Numeric Symbol32 Space 1-7
    MD5 LowerAlpha Numeric Symbol32 Space 1-7
    MD5 LowerAlpha Numeric 1-8
    MD5 MixAlpha Numeric 1-7
    SHA1 MixAlpha Numeric 1-7
    MySQL 323 MixAlpha Numeric 1-7
    CiscoPIX MixAlpha Numeric 1-7
    We're almost done with generation of MD4 and MySQL SHA1 tables.
    Should have some articles in Information soon, basically information on what
    to do to leverage knowing hashes. (And how to get the hashes in the first
    place.)
     For you pen tester fellows, we will be offering the tables for sale to you
    guys, as well as registered businesses, prices should be up later.
     -Regards,
     Travis
    </spam>
    ------------------------------
    Message: 15
    Date: Tue, 01 Nov 2005 16:20:24 -0700
    From: Mandriva Security Team <security@mandriva.com>
    Subject: [Full-disclosure] MDKSA-2005:202 - Updated squirrelmail
    	packages	fix vulnerability
    To: full-disclosure@lists.grok.org.uk
    Message-ID: <E1EX5QW-00032F-MT@mercury.mandriva.com>
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
     _______________________________________________________________________
     
     Mandriva Linux Security Advisory                         MDKSA-2005:202
     http://www.mandriva.com/security/
     _______________________________________________________________________
     
     Package : squirrelmail
     Date    : November 1, 2005
     Affected: Corporate 3.0
     _______________________________________________________________________
     
     Problem Description:
     
     A vulnerability in the way that SquirrelMail handled the $_POST
     variables was discovered.  If a user was tricked into visiting a
     malicious URL, the user's SquirrelMail preferences could be read or
     modified.
     
     This vulnerability is corrected in SquirrelMail 1.4.5 and the updated
     packages provide the latest stable version.
     _______________________________________________________________________
     References:
     
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2095
     _______________________________________________________________________
     
     Updated Packages:
     
     Corporate 3.0:
     81cf3711a3faf9a95c69a8ece4962801  corporate/3.0/RPMS/squirrelmail-1.4.5-1.1.C30mdk.noarch.rpm
     20eb541402352ed58b6d9e0ffd051168  corporate/3.0/RPMS/squirrelmail-poutils-1.4.5-1.1.C30mdk.noarch.rpm
     c03a4c37539bd9e5aee916946c196366  corporate/3.0/SRPMS/squirrelmail-1.4.5-1.1.C30mdk.src.rpm
     Corporate 3.0/X86_64:
     81cf3711a3faf9a95c69a8ece4962801  x86_64/corporate/3.0/RPMS/squirrelmail-1.4.5-1.1.C30mdk.noarch.rpm
     20eb541402352ed58b6d9e0ffd051168  x86_64/corporate/3.0/RPMS/squirrelmail-poutils-1.4.5-1.1.C30mdk.noarch.rpm
     c03a4c37539bd9e5aee916946c196366  x86_64/corporate/3.0/SRPMS/squirrelmail-1.4.5-1.1.C30mdk.src.rpm
     _______________________________________________________________________
     To upgrade automatically use MandrivaUpdate or urpmi.  The verification
     of md5 checksums and GPG signatures is performed automatically for you.
     All packages are signed by Mandriva for security.  You can obtain the
     GPG public key of the Mandriva Security Team by executing:
      gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
     You can view other update advisories for Mandriva Linux at:
      http://www.mandriva.com/security/advisories
     If you want to report vulnerabilities, please contact
      security_(at)_mandriva.com
     _______________________________________________________________________
     Type Bits/KeyID     Date       User ID
     pub  1024D/22458A98 2000-07-10 Mandriva Security Team
      <security*mandriva.com>
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (GNU/Linux)
    iD8DBQFDZ/g4mqjQ0CJFipgRAng8AJ9Td4JffO2QkmAn6ezcgnc9WiVZ4wCg3j+x
    hCmXWaPsbKoPp8dPD45Aujw=
    =ST/9
    -----END PGP SIGNATURE-----
    ------------------------------
    Message: 16
    Date: Tue, 01 Nov 2005 16:21:48 -0700
    From: Mandriva Security Team <security@mandriva.com>
    Subject: [Full-disclosure] MDKSA-2005:203 - Updated gda2.0 packages
    	fix	string format vulnerability
    To: full-disclosure@lists.grok.org.uk
    Message-ID: <E1EX5Rs-00036z-Hk@mercury.mandriva.com>
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
     _______________________________________________________________________
     
     Mandriva Linux Security Advisory                         MDKSA-2005:203
     http://www.mandriva.com/security/
     _______________________________________________________________________
     
     Package : gda2.0
     Date    : November 1, 2005
     Affected: 10.2, 2006.0, Corporate 3.0
     _______________________________________________________________________
     
     Problem Description:
     
     Steve Kemp discovered two format string vulnerabilities in libgda2, 
     the GNOME Data Access library for GNOME2, which may lead to the 
     execution of arbitrary code in programs that use this library.
     
     The updated packages have been patched to correct this issue.
     _______________________________________________________________________
     References:
     
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2958
     _______________________________________________________________________
     
     Updated Packages:
     
     Corporate 3.0:
     c2bee0812a3911016f32406c7e6b98c6  corporate/3.0/RPMS/gda2.0-1.0.3-3.2.C30mdk.i586.rpm
     1c60c3861756e5f2ebec25810d698319  corporate/3.0/RPMS/gda2.0-ldap-1.0.3-3.2.C30mdk.i586.rpm
     76329346f822881c283f1d80eccf0321  corporate/3.0/RPMS/gda2.0-mysql-1.0.3-3.2.C30mdk.i586.rpm
     9366a1dfd24862ba1c2e785c880f42b1  corporate/3.0/RPMS/gda2.0-odbc-1.0.3-3.2.C30mdk.i586.rpm
     d2eaf777cbc85fa050ea15d9483e8530  corporate/3.0/RPMS/gda2.0-postgres-1.0.3-3.2.C30mdk.i586.rpm
     efb6dcf8757552aca5a2afad5e214afa  corporate/3.0/RPMS/gda2.0-sqlite-1.0.3-3.2.C30mdk.i586.rpm
     d19b0dc56ecc6645735e5ba4df226ea5  corporate/3.0/RPMS/libgda2.0_1-1.0.3-3.2.C30mdk.i586.rpm
     04904635f832181f5f4bc13defbd2404  corporate/3.0/RPMS/libgda2.0_1-devel-1.0.3-3.2.C30mdk.i586.rpm
     4ded9fd88d06c155f3fadd5438855b49  corporate/3.0/SRPMS/gda2.0-1.0.3-3.2.C30mdk.src.rpm
     Corporate 3.0/X86_64:
     6db35535deba7751a627682f1ba77ace  x86_64/corporate/3.0/RPMS/gda2.0-1.0.3-3.2.C30mdk.x86_64.rpm
     f3cc7763718da0f76c3c1e9131e1b9f5  x86_64/corporate/3.0/RPMS/gda2.0-ldap-1.0.3-3.2.C30mdk.x86_64.rpm
     7f01b17e60477e916f6a390b4e4b7222  x86_64/corporate/3.0/RPMS/gda2.0-mysql-1.0.3-3.2.C30mdk.x86_64.rpm
     3c93f0b8fe2f90ad54c505a813a3ea4f  x86_64/corporate/3.0/RPMS/gda2.0-odbc-1.0.3-3.2.C30mdk.x86_64.rpm
     527ff7ccbd2af3ea24ac3f572b050de3  x86_64/corporate/3.0/RPMS/gda2.0-postgres-1.0.3-3.2.C30mdk.x86_64.rpm
     cc2aead64a14a2fa99c34a572024adbe  x86_64/corporate/3.0/RPMS/gda2.0-sqlite-1.0.3-3.2.C30mdk.x86_64.rpm
     0eb6f8c613088bbcbb0205eec0e7374d  x86_64/corporate/3.0/RPMS/lib64gda2.0_1-1.0.3-3.2.C30mdk.x86_64.rpm
     c4c5b62e45e95c0142fc823e2db49b4c  x86_64/corporate/3.0/RPMS/lib64gda2.0_1-devel-1.0.3-3.2.C30mdk.x86_64.rpm
     4ded9fd88d06c155f3fadd5438855b49  x86_64/corporate/3.0/SRPMS/gda2.0-1.0.3-3.2.C30mdk.src.rpm
     Mandriva Linux 10.2:
     8581951dac7e2e51d0e583355f0c4fdf  10.2/RPMS/gda2.0-1.2.1-1.2.102mdk.i586.rpm
     6df29b76c68f2dac41511f0047844a6c  10.2/RPMS/gda2.0-bdb-1.2.1-1.2.102mdk.i586.rpm
     ab2a54b37f5d3a5903c13b5caf0884f1  10.2/RPMS/gda2.0-ldap-1.2.1-1.2.102mdk.i586.rpm
     a46e61c38f33d3590255b349371e5dd2  10.2/RPMS/gda2.0-mysql-1.2.1-1.2.102mdk.i586.rpm
     5f82b737ad1df0f5e367554a6af57d25  10.2/RPMS/gda2.0-odbc-1.2.1-1.2.102mdk.i586.rpm
     9c15f2853a50a9b8ce21c99b7c357d69  10.2/RPMS/gda2.0-postgres-1.2.1-1.2.102mdk.i586.rpm
     2a99984e0d3f0ed0bb77e1df0781a745  10.2/RPMS/gda2.0-sqlite-1.2.1-1.2.102mdk.i586.rpm
     ac79f03faefae3d12b25a692d84aa09c  10.2/RPMS/gda2.0-xbase-1.2.1-1.2.102mdk.i586.rpm
     c246c62a8b6a44bdf517fc13ab5a9629  10.2/RPMS/libgda2.0_3-1.2.1-1.2.102mdk.i586.rpm
     33244d3790d14e77cf83e297d105a0e5  10.2/RPMS/libgda2.0_3-devel-1.2.1-1.2.102mdk.i586.rpm
     2ae1d69e77d265b6a45701dede9187b6  10.2/SRPMS/gda2.0-1.2.1-1.2.102mdk.src.rpm
     Mandriva Linux 10.2/X86_64:
     a22c56a701d4b323cd58199bd330d358  x86_64/10.2/RPMS/gda2.0-1.2.1-1.2.102mdk.x86_64.rpm
     ab86e362890a87d588c6180df048d380  x86_64/10.2/RPMS/gda2.0-bdb-1.2.1-1.2.102mdk.x86_64.rpm
     e68a0231c0ed2d16c71330ab2ec0bc02  x86_64/10.2/RPMS/gda2.0-ldap-1.2.1-1.2.102mdk.x86_64.rpm
     561b6118c3f60507bd1d39a61ae1d1ef  x86_64/10.2/RPMS/gda2.0-mysql-1.2.1-1.2.102mdk.x86_64.rpm
     9c09bdaed784668cf9326aaa25fe045e  x86_64/10.2/RPMS/gda2.0-odbc-1.2.1-1.2.102mdk.x86_64.rpm
     9c05d405913600ab83af41a5c43012f1  x86_64/10.2/RPMS/gda2.0-postgres-1.2.1-1.2.102mdk.x86_64.rpm
     678405e55c25c6be5fd1bc7282918dab  x86_64/10.2/RPMS/gda2.0-sqlite-1.2.1-1.2.102mdk.x86_64.rpm
     dd2b4c22b66bfdd9e7d079fceb8052bc  x86_64/10.2/RPMS/gda2.0-xbase-1.2.1-1.2.102mdk.x86_64.rpm
     3ad48b3adeb00a9f9a3ea7a1c987b735  x86_64/10.2/RPMS/lib64gda2.0_3-1.2.1-1.2.102mdk.x86_64.rpm
     e4d9fb39922d57f56902b721b80d7c9f  x86_64/10.2/RPMS/lib64gda2.0_3-devel-1.2.1-1.2.102mdk.x86_64.rpm
     2ae1d69e77d265b6a45701dede9187b6  x86_64/10.2/SRPMS/gda2.0-1.2.1-1.2.102mdk.src.rpm
     Mandriva Linux 2006.0:
     291823a3cf2fbd1321fafd6d465b9fbc  2006.0/RPMS/gda2.0-1.2.2-2.2.20060mdk.i586.rpm
     f8c350c51a5847e02e391507f1052867  2006.0/RPMS/gda2.0-bdb-1.2.2-2.2.20060mdk.i586.rpm
     dd0126df1e10c2f127ebecc5e0a1c26c  2006.0/RPMS/gda2.0-ldap-1.2.2-2.2.20060mdk.i586.rpm
     47e6a607eaa3738b4d07adb619232eb1  2006.0/RPMS/gda2.0-mysql-1.2.2-2.2.20060mdk.i586.rpm
     4d1f9d08c55ed0a195ca001996f239e3  2006.0/RPMS/gda2.0-odbc-1.2.2-2.2.20060mdk.i586.rpm
     e9dc80d837f6932969c3601f03707c59  2006.0/RPMS/gda2.0-postgres-1.2.2-2.2.20060mdk.i586.rpm
     0ec62e103852325ee70769fe2eadb6c4  2006.0/RPMS/gda2.0-sqlite-1.2.2-2.2.20060mdk.i586.rpm
     a5d3d090e83d080ebf6a1c210aa113f1  2006.0/RPMS/gda2.0-xbase-1.2.2-2.2.20060mdk.i586.rpm
     a4a8ae72f7cd866183c2e8a4a2e16bd3  2006.0/RPMS/libgda2.0_3-1.2.2-2.2.20060mdk.i586.rpm
     2b4c20ea0a38bf22c5aa31da3cd8884f  2006.0/RPMS/libgda2.0_3-devel-1.2.2-2.2.20060mdk.i586.rpm
     16c1de82d2b1996adeb4577b1ff9cdcd  2006.0/SRPMS/gda2.0-1.2.2-2.2.20060mdk.src.rpm
     Mandriva Linux 2006.0/X86_64:
     36a04443e670524ae0c4d93bf0752e9f  x86_64/2006.0/RPMS/gda2.0-1.2.2-2.2.20060mdk.x86_64.rpm
     d2fecb3c702f5c764c6a67c85e36e448  x86_64/2006.0/RPMS/gda2.0-bdb-1.2.2-2.2.20060mdk.x86_64.rpm
     44171de894c358c5bd3d4301b488170e  x86_64/2006.0/RPMS/gda2.0-ldap-1.2.2-2.2.20060mdk.x86_64.rpm
     863aacd7318479757dc2d2e1ed238418  x86_64/2006.0/RPMS/gda2.0-mysql-1.2.2-2.2.20060mdk.x86_64.rpm
     a82c2fceef36372b1fc17086b6237293  x86_64/2006.0/RPMS/gda2.0-odbc-1.2.2-2.2.20060mdk.x86_64.rpm
     067f1f9a633b3e2dbe8ca08591d48642  x86_64/2006.0/RPMS/gda2.0-postgres-1.2.2-2.2.20060mdk.x86_64.rpm
     4b257c7716b6eefcfb0fec95732975a0  x86_64/2006.0/RPMS/gda2.0-sqlite-1.2.2-2.2.20060mdk.x86_64.rpm
     9fef9fad9b8d98708c30c87b4bfdbece  x86_64/2006.0/RPMS/gda2.0-xbase-1.2.2-2.2.20060mdk.x86_64.rpm
     84787803035a7d1ee2bb7b12775ea9f0  x86_64/2006.0/RPMS/lib64gda2.0_3-1.2.2-2.2.20060mdk.x86_64.rpm
     3037e49d4a6f17e6b752fcff37f05986  x86_64/2006.0/RPMS/lib64gda2.0_3-devel-1.2.2-2.2.20060mdk.x86_64.rpm
     16c1de82d2b1996adeb4577b1ff9cdcd  x86_64/2006.0/SRPMS/gda2.0-1.2.2-2.2.20060mdk.src.rpm
     _______________________________________________________________________
     To upgrade automatically use MandrivaUpdate or urpmi.  The verification
     of md5 checksums and GPG signatures is performed automatically for you.
     All packages are signed by Mandriva for security.  You can obtain the
     GPG public key of the Mandriva Security Team by executing:
      gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
     You can view other update advisories for Mandriva Linux at:
      http://www.mandriva.com/security/advisories
     If you want to report vulnerabilities, please contact
      security_(at)_mandriva.com
     _______________________________________________________________________
     Type Bits/KeyID     Date       User ID
     pub  1024D/22458A98 2000-07-10 Mandriva Security Team
      <security*mandriva.com>
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (GNU/Linux)
    iD8DBQFDZ/iMmqjQ0CJFipgRAsECAJ9a/c0Go4Yy9/+4hY/DWo72IrpRSgCgnX3g
    zDqRFrxHNRzw/J1onPK4fc0=
    =NhHM
    -----END PGP SIGNATURE-----
    ------------------------------
    Message: 17
    Date: Tue, 01 Nov 2005 16:23:10 -0700
    From: Mandriva Security Team <security@mandriva.com>
    Subject: [Full-disclosure] MDKSA-2005:204 - Updated wget packages fix
    	vulnerability
    To: full-disclosure@lists.grok.org.uk
    Message-ID: <E1EX5TC-0003Bg-GO@mercury.mandriva.com>
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
     _______________________________________________________________________
     
     Mandriva Linux Security Advisory                         MDKSA-2005:204
     http://www.mandriva.com/security/
     _______________________________________________________________________
     
     Package : wget
     Date    : November 1, 2005
     Affected: 10.1, 10.2, Corporate 3.0, Multi Network Firewall 2.0
     _______________________________________________________________________
     
     Problem Description:
     
     Hugo Vazquez Carames discovered a race condition when writing output
     files in wget.  After wget determined the output file name, but before
     the file was actually opened, a local attacker with write permissions
     to the download directory could create a symbolic link with the name
     of the output file.  This could be exploited to overwrite arbitrary
     files with the permissions of the user invoking wget.  The time window
     of opportunity for the attacker is determined solely by the delay of
     the first received data packet.
     
     The updated packages have been patched to correct this issue.
     _______________________________________________________________________
     References:
     
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2014
     _______________________________________________________________________
     
     Updated Packages:
     
     Mandriva Linux 10.1:
     28b67f788c7ed5f28ca7e752b15a9eb8  10.1/RPMS/wget-1.9.1-4.3.101mdk.i586.rpm
     b0b856e5eeb63f608476877942f6a216  10.1/SRPMS/wget-1.9.1-4.3.101mdk.src.rpm
     Mandriva Linux 10.1/X86_64:
     d2fc09595e4bf4267c7cc7d9d5def8ee  x86_64/10.1/RPMS/wget-1.9.1-4.3.101mdk.x86_64.rpm
     b0b856e5eeb63f608476877942f6a216  x86_64/10.1/SRPMS/wget-1.9.1-4.3.101mdk.src.rpm
     Corporate 3.0:
     91f8d363d41afb43943f3f5569e2e83c  corporate/3.0/RPMS/wget-1.9.1-4.3.C30mdk.i586.rpm
     8ce78a19c89331fdb7527e6a4674376c  corporate/3.0/SRPMS/wget-1.9.1-4.3.C30mdk.src.rpm
     Corporate 3.0/X86_64:
     e3796c54a067d9ef54d08f779fe3ec9d  x86_64/corporate/3.0/RPMS/wget-1.9.1-4.3.C30mdk.x86_64.rpm
     8ce78a19c89331fdb7527e6a4674376c  x86_64/corporate/3.0/SRPMS/wget-1.9.1-4.3.C30mdk.src.rpm
     Multi Network Firewall 2.0:
     f834aa6b814014c20b6d97fd7a893ea6  mnf/2.0/RPMS/wget-1.9.1-4.3.M20mdk.i586.rpm
     00f1b8920df39e3f4fc35eea07879168  mnf/2.0/SRPMS/wget-1.9.1-4.3.M20mdk.src.rpm
     Mandriva Linux 10.2:
     36dfb01a50fcdec20d379001f2054ba4  10.2/RPMS/wget-1.9.1-5.2.102mdk.i586.rpm
     82584cb410bcb5104f44d3429675e7e5  10.2/SRPMS/wget-1.9.1-5.2.102mdk.src.rpm
     Mandriva Linux 10.2/X86_64:
     36dfb01a50fcdec20d379001f2054ba4  x86_64/10.2/RPMS/wget-1.9.1-5.2.102mdk.i586.rpm
     82584cb410bcb5104f44d3429675e7e5  x86_64/10.2/SRPMS/wget-1.9.1-5.2.102mdk.src.rpm
     _______________________________________________________________________
     To upgrade automatically use MandrivaUpdate or urpmi.  The verification
     of md5 checksums and GPG signatures is performed automatically for you.
     All packages are signed by Mandriva for security.  You can obtain the
     GPG public key of the Mandriva Security Team by executing:
      gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
     You can view other update advisories for Mandriva Linux at:
      http://www.mandriva.com/security/advisories
     If you want to report vulnerabilities, please contact
      security_(at)_mandriva.com
     _______________________________________________________________________
     Type Bits/KeyID     Date       User ID
     pub  1024D/22458A98 2000-07-10 Mandriva Security Team
      <security*mandriva.com>
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (GNU/Linux)
    iD8DBQFDZ/jemqjQ0CJFipgRAjGJAKDtkgHO1ZWuWus4X5CPffEGbA0FxgCcDaXT
    yJo8rb9mFDl/0yBiIKUdigo=
    =y4/v
    -----END PGP SIGNATURE-----
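The wget advisory above describes a check-then-open race: the output name is chosen first and the file is opened later, so a symbolic link created in between gets followed. The following is an added example, not wget's code and not Mandriva's patch: it puts the racy pattern beside an atomic create with O_CREAT|O_EXCL and replays the window inside a temporary directory. All function names and the `window` hook are assumptions of this example; it assumes a POSIX system where symlinks can be created.

```python
import os
import tempfile


def choose_name(directory, base):
    """Pick the first unused name: base, base.1, base.2, ..."""
    candidate, n = os.path.join(directory, base), 0
    while os.path.lexists(candidate):  # lexists also sees dangling symlinks
        n += 1
        candidate = os.path.join(directory, f"{base}.{n}")
    return candidate


def save_racy(directory, base, data, window=lambda path: None):
    """Racy pattern: decide the name now, open it later without O_EXCL."""
    path = choose_name(directory, base)
    window(path)  # stands for the delay before the first data packet arrives
    with open(path, "wb") as handle:  # follows whatever now sits at that name
        handle.write(data)
    return path


def save_exclusive(directory, base, data, window=lambda path: None, attempts=100):
    """Hardened pattern: name check and creation happen in one atomic open().

    With O_CREAT|O_EXCL the call fails if the name exists in any form,
    including a symbolic link, so an existing file is never reused.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    for _ in range(attempts):
        path = choose_name(directory, base)
        window(path)
        try:
            fd = os.open(path, flags, 0o600)
        except FileExistsError:
            continue  # the name was taken during the window: pick a new one
        with os.fdopen(fd, "wb") as handle:
            handle.write(data)
        return path
    raise RuntimeError("could not create a fresh output file")


def one_shot_link(target):
    """Test hook: the first time it is called, link the chosen name to target."""
    fired = []

    def window(path):
        if not fired:
            os.symlink(target, path)
            fired.append(path)

    return window


def demo():
    """Replay the race against both patterns; return what happened to the target."""
    results = {}
    for label, save in (("racy", save_racy), ("exclusive", save_exclusive)):
        with tempfile.TemporaryDirectory() as tmp:
            downloads = os.path.join(tmp, "downloads")
            os.mkdir(downloads)
            protected = os.path.join(tmp, "protected.conf")
            with open(protected, "wb") as handle:
                handle.write(b"original")
            written = save(downloads, "index.html", b"downloaded",
                           window=one_shot_link(protected))
            with open(protected, "rb") as handle:
                results[label + "_protected"] = handle.read()
            results[label + "_name"] = os.path.basename(written)
    return results


if __name__ == "__main__":
    print(demo())
```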
    ------------------------------
    Message: 18
    Date: Tue, 1 Nov 2005 18:05:07 -0600
    From: str0ke <str0ke@milw0rm.com>
    Subject: Re: [Full-disclosure] New Online RainbowCrack Engine
    To: MR BABS <mrbabs@gmail.com>
    Cc: full-disclosure@lists.grok.org.uk
    Message-ID:
    	<814b9d50511011605u41cda7e3i46e0c47290eacffe@mail.gmail.com>
    Content-Type: text/plain; charset=ISO-8859-1
    Is your webserver a 9-5 service or is it just down for other reasons?
    /str0ke
    On 11/1/05, MR BABS <mrbabs@gmail.com> wrote:
    > Hey guys,
    >
    >     Just finished everything up on RainbowCrack-Online, wasn't sure if
    > anyone would be interested, there's a membership fee, as servers, generation
    > and cracking machines are expensive, you guys know the score.
    >
    > Really nice collection of tables, you can take a look-see at
    > www.rainbowcrack-online.com.
    > Current sets include:
    > LanManager-All (all printable chars) 1-14 (the tables are 1-7, but view the
    > specs on LM hashing for more info)
    >
    > NTLM MixAlpha Numeric 1-7
    > NTLM LowerAlpha Numeric 1-8
    >
    > MD5 Alpha Numeric Symbol32 Space 1-7
    > MD5 LowerAlpha Numeric Symbol32 Space 1-7
    > MD5 LowerAlpha Numeric 1-8
    > MD5 MixAlpha Numeric 1-7
    >
    > SHA1 MixAlpha Numeric 1-7
    >
    > MySQL 323 MixAlpha Numeric 1-7
    >
    > CiscoPIX MixAlpha Numeric 1-7
    >
    > We're almost done with generation of MD4 and MySQL SHA1 tables.
    >
    >
    > Should have some articles in Information soon, basically information on what
    > to do to leverage knowing hashes. (And how to get the hashes in the first
    > place.)
    >
    >
    > For you pen tester fellows, we will be offering the tables for sale to you
    > guys, as well as registered businesses, prices should be up later.
    >
    > -Regards,
    >
    > Travis
    > </spam>
    ------------------------------
    Message: 19
    Date: Wed, 2 Nov 2005 00:29:26 -0500 (EST)
    From: "Steven M. Christey" <coley@mitre.org>
    Subject: [Full-disclosure] On Interpretation Conflict Vulnerabilities
    To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
    Message-ID: <200511020529.jA25TQJd018891@linus.mitre.org>

    In a post "SEC-CONSULT-SA-20051021-0: Yahoo/MSIE XSS", Bernhard
    Mueller said:

    >SEC-Consult believes that input-validation thru blacklists can just be
    >a temporary solution to problems like this. From our point of view
    >there are many other applications vulnerable to this special type of
    >problem where vulnerabilities of clients and servers can be combined.
    >
    >...
    >
    >  Excerpt from HTML-mails:
    >
    >  ========================================================================
    >  SCRIPT-TAG:
    >  --cut here---
    >  <h1>hello</h1><s[META-Char]cript>alert("i have you
    >  now")</s[META-Char]cript></br>rrrrrrxxxxx<br>
    >  ---cut here---
    >
    >...
    >
    >Recommended hotfixes for webmail-users
    >---------------
    >
    >Do not use MS Internet-Explorer.

    This falls under a class of vulnerabilities that I refer to as either
    "interpretation conflicts" or "multiple interpretation errors"
    depending on what time it is, though I'm leaning toward interpretation
    conflicts.

    These types of problems frequently occur with products that serve as
    intermediaries, proxies, or monitors between other entities - such as
    antivirus products, web proxies, sniffers, IDSes, etc.

    They are a special type of interaction error in which one product (in
    this case, Yahoo email) performs reasonable actions but does not
    properly model all behaviors of another product that it's interacting
    with (in this case, Internet Explorer ignoring unusual characters
    right in the middle of HTML tags).  The intermediary/proxy/monitor
    then becomes a conduit for exploitation due to the end product's
    unexpected behavior.

    Some examples:

      - Ptacek/Newsham's famous IDS evasion paper used interpretation
        conflicts to prevent IDSes from properly reconstructing network
        traffic as it would be processed by end systems.

      - Many of the Anti-Virus evasion techniques you see these days
        involve interpretation conflicts - e.g. the magic byte problem,
        multiple content-type headers, and so on

      - The recent problem with phpBB and others, because they did not
        account for how Internet Explorer renders HTML in corrupted .GIF
        images, is another example of an interpretation conflict.

      - Many unusual XSS manipulations are due to interpretation conflicts
        in which one web browser supports a non-standard feature that
        others do not.  Netscape had an unusual construct - something like
        "&{abc}" - that even a whitelist might not catch.

    In my opinion, the "responsibility" for avoiding interpretation
    conflicts falls with:

      - the intermediaries/proxies/monitors if the problem involves an
        incomplete model of *normal*, reasonable, and/or standards
        compliant behavior

      - the end products, if the end product behavior does not conform
        with established standards

      - the standards or protocols, if they are defined in ways that are
        too vague or flexible

    However, if the end products already exhibit unexpected behaviors, the
    reality is that intermediaries are forced into anticipating all
    possible interpretation conflicts, and blamed if they do not.

    Mueller also said:

    >  Do not use blacklists on tags and attributes. Whitelist
    >  special/meta-characters.

    Whitelists, while better than blacklists, can still be too permissive.
    This is especially the case with interpretation conflicts.

    As I've suggested previously, Jon Postel's wisdom "Be liberal in what
    you accept, and conservative in what you send" has been a boon to the
    growth of networking, but blind adherence to this wisdom is a
    dangerous enabler of subtle vulnerabilities that will prevent us from
    ever having full control over the data that crosses our networks.

    - Steve
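
The interpretation conflict described in the message above, as an added example that is not part of the original post or of any product it names: a toy blacklist filter and a toy renderer disagree about the same input, and a conservative filter refuses what it cannot model. The function names are hypothetical, and the NUL character standing in for "[META-Char]" is an assumption, since the post does not say which characters are ignored.

```python
import re

# Constructed stand-in for the "[META-Char]" placeholder in the quoted excerpt.
# The post does not say which characters the renderer ignores; NUL is assumed.
IGNORED_BY_RENDERER = frozenset("\x00")

# The intermediary's blacklist: any opening or closing script tag.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def blacklist_accepts(markup: str) -> bool:
    """Intermediary's model: accept unless a literal script tag is present."""
    return SCRIPT_TAG.search(markup) is None


def renderer_view(markup: str) -> str:
    """Toy end product: silently drops the characters it ignores, then parses."""
    return "".join(ch for ch in markup if ch not in IGNORED_BY_RENDERER)


def is_interpretation_conflict(markup: str) -> bool:
    """True when the filter accepts input that the renderer reads as blocked markup."""
    return blacklist_accepts(markup) and not blacklist_accepts(renderer_view(markup))


def conservative_accepts(markup: str) -> bool:
    """Refuse anything outside the filter's own model before applying the blacklist.

    Only printable characters plus tab, CR and LF are modelled; input containing
    anything else is rejected instead of being passed through unexamined.
    """
    modelled = all(ch.isprintable() or ch in "\t\r\n" for ch in markup)
    return modelled and blacklist_accepts(markup)


# Constructed sample based on the excerpt quoted in the post.
SAMPLE = '<h1>hello</h1><s\x00cript>alert("i have you now")</s\x00cript>'

if __name__ == "__main__":
    for label, text in [("sample", SAMPLE), ("plain", "<h1>hello</h1>")]:
        print(label, blacklist_accepts(text), is_interpretation_conflict(text),
              conservative_accepts(text))
```

Running `is_interpretation_conflict` over stored or logged input is a cheap way to find messages that a filter passed but a more lenient consumer would have read differently.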
    ------------------------------
    Message: 20
    Date: Wed, 2 Nov 2005 13:40:59 +0800
    From: "Native.Code" <native.code@gmail.com>
    Subject: Re: [Full-disclosure] how to describe this tool ?
    To: news-letters <news-letters@bluewin.ch>
    Cc: full-disclosure@lists.grok.org.uk
    Message-ID:
    	<8dc64e550511012140j1ca7caf3q30906c526e0e48c3@mail.gmail.com>
    Content-Type: text/plain; charset="iso-8859-1"
    Depends on the use you put it to. I will call it an auditing tool.
     On 11/2/05, news-letters <news-letters@bluewin.ch> wrote:
    >
    > Hi list,
    >
    > I have a perl script I'd like to release(GPL), but I don't really know
    > how to describe it.
    >
    > To make it short here's a session on one (remote)machine.(but it's
    > intended to be run on ip ranges with mostly windows hosts).
    >
    > <sample>
    > Starting script.pl ...
    >
    > searching hosts in 192.168.0.100 ...
    >
    > found 192.168.0.100 : BRAIN
    >
    >
    > starting information gathering on BRAIN
    >
    > getting OS version ...
    > TCP port scanning ...
    > UDP port scanning ...
    > Getting process list ...
    > Getting services list ...
    > Getting drive list ...
    > Getting share list ...
    > Getting installed applications list ...
    >
    > Creating naudit_report_192.168.0.100.html ... (printable)
    > Creating report for 192.168.0.100 ... (browsable)
    >
    > done. Completed in 8.004 seconds
    > </sample>
    >
    > and attached is a sample (printable)report.
    >
    > Is this an :
    >
    > enumeration tool ?
    > auditing tool ?
    >
    > Any idea ?
    >
    > Have a nice day.
    >
    > Simon
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    > Hosted and sponsored by Secunia - http://secunia.com/
    >
    ------------------------------
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
    End of Full-Disclosure Digest, Vol 9, Issue 3
    *********************************************