Was busy actually, spent some time with my kids b4 shooting off abroad. Anyway - http://www.skype.com/security/SKYPE-SB-2005-002.txt As it would turn out, Mark R's bug and my bug shared the same piece of code. So basically two different attack vectors were discovered, callto:// URI and using a VCARD. Cheers Mark ----- Original Message ----- From: "Mark Rowe" <mark.rowe@private> To: bugtraq@private Cc: <vulnwatch@private>; <sec-adv@private> Sent: Friday, July 14, 2006 3:51 PM Subject: Re: WebEx Downloader Plug-in Multiple Vulnerabilities + rant > Hi all, > > I've spoken with Mark Litchfield this week and I just want to clarify > that in no way did Skype divulge any information imparted to them to > Pentest Limited or to our knowledge any one else regarding Mark's > discoveries. It was purely coincidence that one of the vulnerabilities > we reported to Skype was the same as discovered by Mark. > > I did ask Mark to post to this list to clear this up but I guess he is > too busy. > > I like conspiracy theories as much as the next person but this > definitely isn't an X-file :) > > Cheers, > Mark. > > Mark Litchfield wrote: > >> All these vulnerabilities were reported to WebEx by NGS Software back on >> the 24th February 2005 along with some other issues. >> >> The current Director of the X-Force new about these issues as at the >> time of their discovery, he worked with NGS. >> >> Seeing as I'm the subject, here is another example whereby I found a bug >> (in Skype) except Pentest-Limited were credited with it's discovery - >> http://www.theregister.co.uk/2005/10/25/skype_vuln/ An extract from an >> email below from Kurt Sauer (Security Operations / Skype Technologies), >> shows that Mark Rowe of Pentest Ltd for some unknown reason had access >> to my email sent to Kurt. >> >> In reviewing our mail archives, I see that you *DID* report the vuln (the >> VCARD aspect) to us -- to ME, directly -- before Mark Rowe did. However, >> I >> (gulp) mishandled the e-mail. >> >> As you surmised, it appears that Mark Rowe read that mail and found >> another >> instantiation of the same bug, namely the handling of the command-line >> parameters. >> >> Completely my fault on that. It will take one "push" cycle (typically >> less >> than a day) to get a correction posted, but I will both correct our >> announcement and also redistribute it with corrected attribution. >> >> I should have asked you to CC security@private on the actual vuln >> report, >> because mail sent to that address is read by more than just me. >> >> Importantly, I am going to hire a dedicated incident manager (as fast as >> our hiring practices will allow) so that there is someone spending full >> workdays just handing inbound messages on this topic. >> >> >> Could never be bothered before to make an issue of it. But to sit on a >> large number of flaws in a vendors software product for 498 days and see >> other companies credited is a tad annoying :) >> >> All the best >> >> Mark Litchfield >> >> ----- Original Message ----- From: "David Litchfield" <> >> To: "Mark Litchfield" <mark@private> >> Sent: Friday, July 07, 2006 4:12 PM >> Subject: Fw: [SA20956] WebEx Downloader Plug-in Multiple Vulnerabilities >> >> >>> You're not credited - are any of these yours? >>> >>> ----- Original Message ----- From: "Secunia Security Advisories" >>> <sec-adv@private> >>> To: <> >>> Sent: Friday, July 07, 2006 12:32 PM >>> Subject: [SA20956] WebEx Downloader Plug-in Multiple Vulnerabilities >>> >>> >>>> >>>> ---------------------------------------------------------------------- >>>> >>>> Reverse Engineer Wanted >>>> >>>> Secunia offers a Security Specialist position with emphasis on >>>> reverse engineering of software and exploit code, auditing of >>>> source code, and analysis of vulnerability reports. >>>> >>>> http://secunia.com/secunia_security_specialist/ >>>> >>>> ---------------------------------------------------------------------- >>>> >>>> TITLE: >>>> WebEx Downloader Plug-in Multiple Vulnerabilities >>>> >>>> SECUNIA ADVISORY ID: >>>> SA20956 >>>> >>>> VERIFY ADVISORY: >>>> http://secunia.com/advisories/20956/ >>>> >>>> CRITICAL: >>>> Highly critical >>>> >>>> IMPACT: >>>> System access >>>> >>>> WHERE: >>>> From remote >>>> >>>> SOFTWARE: >>>> WebEx Downloader plug-in 2.x >>>> http://secunia.com/product/10916/ >>>> >>>> DESCRIPTION: >>>> Some vulnerabilities have been reported in WebEx Downloader plug-in, >>>> which can be exploited by malicious people to compromise a user's >>>> system. >>>> >>>> 1) An error exists in the ActiveX and Java versions of the WebEx >>>> Downloader plug-in where the source of downloaded components is not >>>> properly verified. This can be exploited to install malicious >>>> components on a user's system. >>>> >>>> Successful exploitation allows execution of arbitrary code, but >>>> requires that the user e.g. is tricked into visiting a malicious web >>>> site. >>>> >>>> The vulnerability has been reported in version 2.0.0.7. Other >>>> versions may also be affected. >>>> >>>> 2) Some unspecified boundary errors in an included ActiveX control >>>> can be exploited to cause a buffer overflow. >>>> >>>> Successful exploitation may allow execution of arbitrary code. >>>> >>>> SOLUTION: >>>> Apply update. >>>> http://www.webex.com/go/downloadSP30 >>>> >>>> PROVIDED AND/OR DISCOVERED BY: >>>> 1) Discovered by an anonymous person and reported via ZDI. >>>> 1-2) David Dewey and Mark Dowd, ISS X-Force. >>>> >>>> ORIGINAL ADVISORY: >>>> WebEx Communications: >>>> http://www.webex.com/lp/security/ActiveAdv.html?TrackID=123456 >>>> >>>> Zero Day Initiative: >>>> http://www.zerodayinitiative.com/advisories/ZDI-06-021.html >>>> >>>> ISS X-Force: >>>> http://xforce.iss.net/xforce/alerts/id/226 >>>> >>>> ---------------------------------------------------------------------- >>>> >>>> About: >>>> This Advisory was delivered by Secunia as a free service to help >>>> everybody keeping their systems up to date against the latest >>>> vulnerabilities. >>>> >>>> Subscribe: >>>> http://secunia.com/secunia_security_advisories/ >>>> >>>> Definitions: (Criticality, Where etc.) >>>> http://secunia.com/about_secunia_advisories/ >>>> >>>> >>>> Please Note: >>>> Secunia recommends that you verify all advisories you receive by >>>> clicking the link. >>>> Secunia NEVER sends attached files with advisories. >>>> Secunia does not advise people to install third party patches, only >>>> use those supplied by the vendor. >>>> >>>> ---------------------------------------------------------------------- >>>> >>>> Unsubscribe: Secunia Security Advisories >>>> http://secunia.com/sec_adv_unsubscribe/?email=davidl%40ngssoftware.com >>>> >>>> ---------------------------------------------------------------------- >>>> >>> >>> >> >> > > -- > Mark Rowe > IT Security Consultant > Pentest Limited > > Office: +44 (0) 161 233 0100 > Fax: +44 (0) 161 233 0990 > Mobile: +44 (0) 7813 803 929 > > http://www.pentest.co.uk/legal.shtml#emailpolicy > > - .... . .-. . / .. ... / -. --- / ... . -.-. ..- .-. .. - -.-- / --- -. > / - .... .. ... / . .- .-. - .... / ..--.. / / --- -. .-.. -.-- / --- > .--. .--. --- .-. - ..- -. .. - -.-- / ..--.. / / / -.. --- ..- --. .-.. > .- ... / -- .- -.-. .- .-. - .... ..- .-. / > >
This archive was generated by hypermail 2.1.3 : Wed Jul 19 2006 - 18:13:13 PDT