Discussion:
BakBone NetVault last warning
class
2005-05-11 12:44:33 UTC
As a reminder, two months ago the Hat-Squad published 2
high security risks, still UNPATCHED, for BakBone NetVault 6.x/7.x, all
versions. In an Open Letter:

http://phx.corporate-ir.net/phoenix.zhtml?c=67723&p=irol-newsArticle&t=Regular&id=704547&

BakBone announces a new NetVault Q4 2005, and a new MACOSX version. My
suggestion to BakBone is to review their whole code, because I'm aware
that another Heap overflow has been found by a friend without being
published.

We won't republish this warning as soon as BakBone chooses to wake up,
but we recommend assessing BakBone products if you are seeking
security bugs; this is a nice piece of cheese.

BakBone NetVault 6.x/7.x Remote Heap Buffer Overflow advisory

class101.org/netv-remhbof.pdf

BakBone NetVault 6.x/7.x Remote Heap Buffer Overflow exploit

class101.org/36/55/op.php

BakBone NetVault 6.x/7.x Local Stack Buffer Overflow advisory

class101.org/netv-locsbof.pdf

BakBone NetVault 6.x/7.x Local Stack Buffer Overflow exploit

class101.org/36/55/op.php




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
class
2005-05-11 12:55:38 UTC
btw: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1009
KF (lists)
2005-05-11 14:12:19 UTC
"when a man such as you reports a security hole we can not put all works
on the ground and say yes: we are fixing it"

What kind of bullshit is that! I am glad I am not a customer of theirs.

What kind of man must you be to make them say "yes: we are fixing it".
Perhaps you have to be a sexy woman instead. =]

-KF
class
2005-05-11 14:19:26 UTC
I have also been surprised not to see the word "security" in their open
letter

http://phx.corporate-ir.net/phoenix.zhtml?c=67723&p=irol-newsArticle&t=Regular&id=704547&

:>
KF (lists)
2005-05-11 14:35:08 UTC
They do mention "Progress continues toward making the required
assessment under Section 404 of the Sarbanes-Oxley Act of 2002 and the
related rules" but of course this has nothing to do with the security
of their products. =]
-KF