From dave at immunityinc.com  Wed Nov  1 10:34:19 2006
From: dave at immunityinc.com (Dave Aitel)
Date: Wed, 01 Nov 2006 05:34:19 -0500
Subject: [Dailydave] Forensics: USB fobs
Message-ID: <4548782B.3040102@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Someone yesterday at a conference talk I went to told the crowd that
you can overwrite a file (aka srm it) on a USB Key fob and it will
still be there
for Autopsy to see. That makes no sense to me. Can anyone verify this?

- -dave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFSHgpB8JNm+PA+iURAv4FAJwIoazjywY1peHQ4CkVTEYJgJw12wCg6sqX
OyA1m6tU5az94Wp03tVD3+Q=
=DY3U
-----END PGP SIGNATURE-----


From wawatson at ntlworld.com  Wed Nov  1 00:57:49 2006
From: wawatson at ntlworld.com (William Watson)
Date: Wed, 1 Nov 2006 00:57:49 -0000
Subject: [Dailydave] Forensics: USB fobs
References: <4548782B.3040102@immunityinc.com>
Message-ID: <001301c6fd50$c2024ee0$2001a8c0@Horse>

As far as the 'normal' filesystem goes, there should be no image left of the
old file contents ...

HOWEVER ...

It seems that each USB memory device contains spare memory areas (around 3%
on a 1Gbyte device) which are used to implement "wear-levelling" (I guess in
much the same way that magnetic discs have spare sectors). Maybe it is these
spare areas which Autopsy can recover.

It is also "well known" that there is no secure way to delete the contents
of a flash memory device. Part of this is due to the spare wear-levelling
sectors; the rest ... ????

Cheers,

William

----- Original Message ----- 
From: "Dave Aitel" <dave at immunityinc.com>
To: "dailydave" <dailydave at lists.immunitysec.com>
Sent: Wednesday, November 01, 2006 10:34 AM
Subject: [Dailydave] Forensics: USB fobs


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Someone yesterday at a conference talk I went to told the crowd that
> you can overwrite a file (aka srm it) on a USB Key fob and it will
> still be there
> for Autopsy to see. That makes no sense to me. Can anyone verify this?
>
> - -dave
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.4 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iD8DBQFFSHgpB8JNm+PA+iURAv4FAJwIoazjywY1peHQ4CkVTEYJgJw12wCg6sqX
> OyA1m6tU5az94Wp03tVD3+Q=
> =DY3U
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
>
> -- 
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.1.409 / Virus Database: 268.13.18/506 - Release Date:
30/10/2006
>
>


From dave.aitel at gmail.com  Wed Nov  1 13:42:16 2006
From: dave.aitel at gmail.com (Dave Aitel)
Date: Wed, 1 Nov 2006 08:42:16 -0500
Subject: [Dailydave] Solaris 11 is a bit Twilight Zone
Message-ID: <b581b3220611010542j5d0eaac7xf351f790e5d63402@mail.gmail.com>

So I saw this talk a couple days ago by Glenn Brunette from Sun. There are
some cool things in Solaris 11 (and OpenSolaris). I guess the coolest thing
is how open the whole process is of developing Solaris now. It's almost like
Linux! :>

My favorite things in his talk on Solaris security were the Elf object
signing and the default of not having every port open under the sun.

On the other hand, he also did this nutty demo where he had a:

int main()
{
char stackbuffer[5000];
strcpy(stackbuffer,shellcode);
(void())stackbuffer();
}

And he compiled it once normally and it worked ("Hey, /bin/sh!") and then he
compiled it with --non-exec-stack=True and it failed. "Hey segfault - we
must be secure!"

It was the most 1992AD thing I've seen this year! To top it off, Solaris has
developed the world's most complex security infrastructure the planet has
ever seen - it's slightly more complex than Windows Vista even. Zones,
Roles, Permissions, blah blah. No one in their right mind is going to use
this. The people who I talked to were all looking for a way to move to Linux
but needed realtime kernel support, which is coming soon, I think.

Horizon's paper on how to not be so 1992AD is here:
http://packetstormsecurity.org/9903-exploits/defeat.solaris.nonexec.stack.txt

-dave
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20061101/d0a4413d/attachment-0001.htm 

From mark at vulndev.org  Wed Nov  1 16:05:18 2006
From: mark at vulndev.org (mark at vulndev.org)
Date: Wed, 01 Nov 2006 16:05:18 +0000
Subject: [Dailydave] Solaris 11 is a bit Twilight Zone
Message-ID: <20061101160518.gn3cjojdsg0ko84c@secure.dylan.swctech.net>

-- So :-

[...]default of not having every port open under the sun.

-- Was that a SUN joke I see there Dave?

[...]

It was the most 1992AD thing I've seen this year!

-- They HAVE moved on then, does this also mean someone can just replay my
-- slides for CCC and save me the effort of looking at it?

-- Answers on a slate.




----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


From lmh at info-pull.com  Wed Nov  1 19:18:51 2006
From: lmh at info-pull.com (L.M.H)
Date: Wed, 1 Nov 2006 20:18:51 +0100
Subject: [Dailydave] fsfuzzer-bsd 0.1 (and first MoKB release)
Message-ID: <da7ca31e0611011118nc7587e3xb18937b744742b63@mail.gmail.com>

Hi,

Just a quick note. The BSD version of fsfuzzer is out. It's a
simplified version of fsfuzzer for Linux. Should work fine on FreeBSD
and others, and with some work, in Solaris as well (Mac OS X too, it's
pretty simple code now, mostly a matter of fixing path names, etc).

Supports ufs, ext2, ext3, etc. You'll need a few ports installed.
Depending on the system, some filesystem tools may not behave as
expected (some expect a real block device, others don't).

The first MoKB release is out, thanks to HD, who has contributed a
neat bug in the Apple Airport device drivers.

For fsfuzzer-bsd: http://projects.info-pull.com/mokb/fsfuzzer-bsd-0.1.tgz
MD5=7431927597a76237433b188eebcc77af
SHA1=6adf1437ec3f9271deb07ea17403573a832bc2c0

For the MoKB release and archive:
http://kernelfun.blogspot.com/2006/11/mokb-starts-mokb-01-11-2006-apple.html
http://projects.info-pull.com/mokb/

Hope you all had a nice Halloween night :-)

Cheers.

From wam at cisco.com  Wed Nov  1 19:20:44 2006
From: wam at cisco.com (William McVey)
Date: Wed, 01 Nov 2006 13:20:44 -0600
Subject: [Dailydave] Solaris 11 is a bit Twilight Zone
In-Reply-To: <b581b3220611010542j5d0eaac7xf351f790e5d63402@mail.gmail.com>
References: <b581b3220611010542j5d0eaac7xf351f790e5d63402@mail.gmail.com>
Message-ID: <1162408844.6987.35.camel@tardis.cisco.com>

On Wed, 2006-11-01 at 08:42 -0500, Dave Aitel wrote:
> Zones, Roles, Permissions, blah blah. No one in their right mind is
> going to use this. The people who I talked to were all looking for a
> way to move to Linux but needed realtime kernel support, which is
> coming soon, I think. 

I'm kind of surprised to see you mark these features marked off as both
too complicated for real world use. Zones, roles, and obviously
permissions aren't new and there are equivalent features (with
equivalent complexity) in most other modern operating systems, including
obviously Linux. Zones and Containers a have been around since at least
Solaris 10 going back as back 2004. I can tell you first hand, server
virtualization in the data center is a big technology push and Solaris
Containers are a really powerful player in this field. The motivation to
deploy a container might not originate from security motivations in all
cases, but I can clearly see it becoming a tool in a practitioner's
arsenal for segmenting and partitioning users.

Solaris's role base access control and permission infrastructure go back
even further to Solaris 8 and never struck me as any more complicated
than the other fine grain access control alternatives out there
(including both generic Linux Capabilities or SE-Linux style mandatory
access controls.)

Administrators can obviously go crazy in tweaking the deployments of
RPAC or Zones/Containers but from a technology standpoint, I don't see
the complexity of these solutions as being enough to deter them from
large scale deployments in the enterprise.

  -- William

From mark.dowd at gmail.com  Thu Nov  2 03:53:14 2006
From: mark.dowd at gmail.com (Mark Dowd)
Date: Thu, 2 Nov 2006 14:53:14 +1100
Subject: [Dailydave] The Art of Software Security Assessment
Message-ID: <816ef1ca0611011953v45a8655el5032ba3ecb9448d0@mail.gmail.com>

 Hi,

Justin Schuh, John McDonald and I recently finished a book on software
security assessment. The three of us have put quite a bit of time and effort
into this project; essentially, it's a 1200 page book about how to audit
code to find vulnerabilities, based on our own experience. We present
high-level strategies for performing design and implementation reviews, but
the bulk of the content is dedicated to the technical details of
vulnerabilities and how they appear in real-world applications.

We've attempted to structure this book so it will prove useful for a variety
of audiences: developers assessing their own work (or the work of their
peers), consultants performing professional application security reviews, or
researchers looking to find the showstoppers that will appear in next
month's Patch Tuesday, bringing them one step closer to achieving the
coveted ZDI silver status. ;)

Here are some links:
http://www.amazon.com/gp/product/0321444426/
http://www.awprofessional.com/bookstore/product.asp?isbn=0321444426&rl=1

There's a sample chapter on the AW site that will give you a feel for what
the rest of the book is like. It's our chapter on C language issues, and it
has lots of examples of integer overflows and type conversion flaws, as well
as some fun C puzzles. The book will be hitting stores on November 10th. Any
thoughts/comments would be appreciated, unless they're from Anthony Osborne.
No one likes a show-off, Anthony.

Enjoy!

Mark Dowd*


*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20061102/09516bc6/attachment.htm 

From weld at vulnwatch.org  Thu Nov  2 20:33:18 2006
From: weld at vulnwatch.org (Chris Wysopal)
Date: Thu, 2 Nov 2006 15:33:18 -0500 (EST)
Subject: [Dailydave] The Art of Software Security Assessment
In-Reply-To: <816ef1ca0611011953v45a8655el5032ba3ecb9448d0@mail.gmail.com>
References: <816ef1ca0611011953v45a8655el5032ba3ecb9448d0@mail.gmail.com>
Message-ID: <Pine.BSO.4.55.0611021531000.20052@vikki.vulnwatch.org>


I am looking forward to reading Mark Dowd et al's book. There is no doubt
that these guys are code auditing experts that we can all learn from.
There is another soon to be released book from Addison-Wesley Professional
that may interest readers here. It is "The Art of Software Security
Testing", authored by Lucas Nelson, Dino Dai Zovi, Elfriede Dustin and me.

The book was spawned out of our product security testing experience at
major software vendors (who don't want to be named). I was frustrated with
the fact that many quality assurance teams with expertise in unit testing,
test harnesses, and automation tools still were not doing basic security
testing like fuzzing.  They have so much knowledge and technology at their
disposal. By redirecting their tools and techniques towards an attacker's
perspective, thinking threats not functionality, and tying it together
with threat modeling they have a fighting chance of shipping a secure
product.

The main audience of the book is software developers and testers, but
security consultants, especially those that need to work with software
teams, will benefit from it. There are even some techniques vulnerability
researchers will appreciate.

Some links to the book description:
http://www.awprofessional.com/bookstore/product.asp?isbn=0321304861&rl=1
http://www.amazon.com/gp/product/0321304861/

We don't have a sample chapter up at this time but we are hoping to have
one up soon. The table of contents is available at the AW site.  The book
will be available Nov. 27th.

Cheers,

Chris


From dr at kyx.net  Fri Nov  3 00:23:34 2006
From: dr at kyx.net (Dragos Ruiu)
Date: Thu, 2 Nov 2006 16:23:34 -0800
Subject: [Dailydave] EUSecWest/London CFP extended to Nov. 7
Message-ID: <200611021623.34074.dr@kyx.net>

Hi folks, some brief news:

Some people have asked for late submissions to the EUSecWest
paper selections. In the interest of fairness, we are extending the 
deadline for all until next Tuesday (November 7), at which time
the submissions will be reviewed. Details of submissions can
be found on the http://eusecwest.com site under the speakers 
sections.

PacSec/Tokyo paper descriptions have been published, and 
CanSecWest/Vancouver early discount registration is now available.

thanks,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan    November 27-30 2006    http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp

From joanna at invisiblethings.org  Sun Nov  5 13:03:26 2006
From: joanna at invisiblethings.org (Joanna Rutkowska)
Date: Sun, 05 Nov 2006 14:03:26 +0100
Subject: [Dailydave] hardware based RAM acquisition for forensics?
Message-ID: <454DE11E.70301@invisiblethings.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Guys,

Can anybody point out some products which could be used for hardware
based RAM acquisitions for forensics on x86/x64 architecture?

I'm already aware of how to use firewire for this (as presented by
Maximillian Dornseif and Adam Boileau) and I know that there are some
prototype PCI cards for this, like e.g. Tribble:
http://www.digital-evidence.org/papers/tribble-preprint.pdf

What I'm looking for is are there any commercial products which could be
used in a *real life* forensic analysis out there? You known, something
which would be compatible e.g. with NIST's CFTT requirements, so that it
would be legal to use it against e.g.
Very-Important-Mission-Critical-Servers?

I'm not really interested in any software based solutions, like e.g. dd ;)

Thanks for any links!
joanna.


-----BEGIN PGP SIGNATURE-----

iD8DBQFFTeEdORdkotfEW84RAmtMAJ9IO7Sb3ZW0JVoCQAG4iyKUnipWygCgnznl
J86qcr9KYMmVQ9dywGHTAQM=
=9YbA
-----END PGP SIGNATURE-----

From lmh at info-pull.com  Mon Nov  6 15:16:57 2006
From: lmh at info-pull.com (L.M.H)
Date: Mon, 6 Nov 2006 16:16:57 +0100
Subject: [Dailydave] MoKB: Friday-Monday report (1)
Message-ID: <da7ca31e0611060716r6b2d6706q50cc46e4628757e1@mail.gmail.com>

Hi,

It's been a nice weekend, and a couple issues for MoKB have been
released. I prefer to keep people informed through weekly or 4-day
reports. That way the buzz on mailing lists becomes less annoying and
I can get a feedback 'digest'.

Friday 3:     FreeBSD 6.1 UFS filesystem ffs_mountfs() integer overflow
                 http://projects.info-pull.com/mokb/MOKB-03-11-2006.html

Saturday 4: Solaris 10 UFS filesystem alloccgblk denial of service
                 http://projects.info-pull.com/mokb/MOKB-04-11-2006.html

Sunday 5:   Linux 2.6.x ISO9660 __find_get_block_slow() denial of service
                 http://projects.info-pull.com/mokb/MOKB-05-11-2006.html

Monday 6:   Microsoft Windows kernel GDI local privilege escalation
                 http://projects.info-pull.com/mokb/MOKB-06-11-2006.html

Kernel Fun blog: http://kernelfun.blogspot.com/

Enjoy.

This week will be a nice one. For MOKB-03-11-200, the 'variant' of the
issue will be released probably this Wednesday, altogether with the
proof of concept image.

It could be nice to know what bugs people prefer to be released
earlier. Linux, FreeBSD, OS X, Solaris 10, MS Windows.

BTW, a specific fuzzer for Mac OS X is in the works, and it's not a
'wrapper over mangle'. It's a more targeted one, which I expect to
release in a week or so. I need to release some fsfuzzer modifications
as well (ex. Solaris compatibility changes).

If someone has some money to waste, I would love to have a _cheap_ Mac Mini ;-)
It will be used for testing purposes only (hence why 'money to waste',
I need it for "breaking" it).
I can stick to an Intel-based Macbook for testing but it becomes
rather messy when FileVault and couple other things get in the picture
(and changing accounts, etc; is certainly a tedious, sub-optimal
task).

Cheers.

From thomasptacek at gmail.com  Mon Nov  6 19:14:34 2006
From: thomasptacek at gmail.com (Thomas Ptacek)
Date: Mon, 6 Nov 2006 13:14:34 -0600
Subject: [Dailydave] MoKB: Friday-Monday report (1)
In-Reply-To: <da7ca31e0611060716r6b2d6706q50cc46e4628757e1@mail.gmail.com>
References: <da7ca31e0611060716r6b2d6706q50cc46e4628757e1@mail.gmail.com>
Message-ID: <1df0a410611061114w3f2c3575seec053f23787b834@mail.gmail.com>

Don't be mad at me, LMH. I was just writing about being impressed
about your lines-of-C-code-to-findings ratio, which is fast
approaching 1/1.

On 11/6/06, L. M. H <lmh at info-pull.com> wrote:
> Hi,
>
> It's been a nice weekend, and a couple issues for MoKB have been
> released. I prefer to keep people informed through weekly or 4-day
> reports. That way the buzz on mailing lists becomes less annoying and
> I can get a feedback 'digest'.
>
> Friday 3:     FreeBSD 6.1 UFS filesystem ffs_mountfs() integer overflow
>                  http://projects.info-pull.com/mokb/MOKB-03-11-2006.html
>
> Saturday 4: Solaris 10 UFS filesystem alloccgblk denial of service
>                  http://projects.info-pull.com/mokb/MOKB-04-11-2006.html
>
> Sunday 5:   Linux 2.6.x ISO9660 __find_get_block_slow() denial of service
>                  http://projects.info-pull.com/mokb/MOKB-05-11-2006.html
>
> Monday 6:   Microsoft Windows kernel GDI local privilege escalation
>                  http://projects.info-pull.com/mokb/MOKB-06-11-2006.html
>
> Kernel Fun blog: http://kernelfun.blogspot.com/
>
> Enjoy.
>
> This week will be a nice one. For MOKB-03-11-200, the 'variant' of the
> issue will be released probably this Wednesday, altogether with the
> proof of concept image.
>
> It could be nice to know what bugs people prefer to be released
> earlier. Linux, FreeBSD, OS X, Solaris 10, MS Windows.
>
> BTW, a specific fuzzer for Mac OS X is in the works, and it's not a
> 'wrapper over mangle'. It's a more targeted one, which I expect to
> release in a week or so. I need to release some fsfuzzer modifications
> as well (ex. Solaris compatibility changes).
>
> If someone has some money to waste, I would love to have a _cheap_ Mac Mini ;-)
> It will be used for testing purposes only (hence why 'money to waste',
> I need it for "breaking" it).
> I can stick to an Intel-based Macbook for testing but it becomes
> rather messy when FileVault and couple other things get in the picture
> (and changing accounts, etc; is certainly a tedious, sub-optimal
> task).
>
> Cheers.
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

From lmh at info-pull.com  Mon Nov  6 19:19:32 2006
From: lmh at info-pull.com (L.M.H)
Date: Mon, 6 Nov 2006 20:19:32 +0100
Subject: [Dailydave] MoKB: Friday-Monday report (1)
In-Reply-To: <1df0a410611061114w3f2c3575seec053f23787b834@mail.gmail.com>
References: <da7ca31e0611060716r6b2d6706q50cc46e4628757e1@mail.gmail.com>
	<1df0a410611061114w3f2c3575seec053f23787b834@mail.gmail.com>
Message-ID: <da7ca31e0611061119r4e5d5866i6c1198b042478f19@mail.gmail.com>

On 11/6/06, Thomas Ptacek <thomasptacek at gmail.com> wrote:
> Don't be mad at me, LMH. I was just writing about being impressed
> about your lines-of-C-code-to-findings ratio, which is fast
> approaching 1/1.

You've read it too deeply :-)
Actually, I didn't think about your blog when I wrote that. It's just
that I wanted to note it wasn't yet another bash script using mangle
as back-end. This time it will be pure Ruby code.

Coding a fuzzer in C is nice, but a waste of time if you can get the
same functionality with a couple lines of Ruby, and making it easy to
integrate and extend.

Cheers.

From solareclipse at phreedom.org  Tue Nov  7 10:59:10 2006
From: solareclipse at phreedom.org (Solar Eclipse)
Date: Tue, 7 Nov 2006 02:59:10 -0800
Subject: [Dailydave] UNC imports in PE files
Message-ID: <20061107105910.GA19579@dsl093-068-003.sfo1.dsl.speakeasy.net>

Hello list,

Most of you probably know that the WebDAV redirector in Windows XP tries to
resolve UNC paths from all applications with WebDAV requests on port 80. This
means that instead of calling URLDownloadToFile("http://192.168.0.1/foo.exe")
and then WinExec, you can do just WinExec("\\192.168.0.1\foo.exe")

What you probably don't know is that you can use a full UNC path instead of a
DLL name in the import section of a PE file. When the file is executed, the
loader will try to access the imported DLL using the UNC path and the WebDAV
redirector will download the DLL from the Internet.

It is getting increasingly harder to draw (and defend) the boundaries between
the local machine, the local network and the the Internet.

Check out http://www.phreedom.org/solar/code/tinype/ for the source code of a
137 byte PE file that downloads a DLL over WebDAV and executes the payload in
its DllMain function. The PE file doesn't even have to contain any code,
because DllMain is executed before the entry point of the executable.

The page also has detailed information about hacking the PE header and building
the smallest possible PE file that can be executed on Windows. Its size is only
97 bytes.

If anybody is really bored, feel free to check how many anti-virus products
have PE parsers that don't handle the header of the 97 byte PE file properly
and fail to unpack and scan the code in the file.


Good night and good luck,
Solar Eclipse
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20061107/f3e7c53e/attachment.pgp 

From perfect.material at gmail.com  Tue Nov  7 17:11:26 2006
From: perfect.material at gmail.com (PERFECT.MATERIAL)
Date: Tue, 7 Nov 2006 12:11:26 -0500
Subject: [Dailydave]  The Art of Software Security Assessment
Message-ID: <631ac1d90611070911y2c4801a2l2832b73b668eb592@mail.gmail.com>

Dear List,

Chris Wysopal shouldn't write books on security. He drinks too much
wh1skeyp*. Thanks.

PERFECT.MATERIAL
"The Infosec Grand Wizard"

From dave at immunityinc.com  Tue Nov  7 19:42:52 2006
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 07 Nov 2006 14:42:52 -0500
Subject: [Dailydave] Managing labs
Message-ID: <4550E1BC.2070804@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www.vmware.com/products/labmanager/

Look at Oded go! Being able to attract people like Oded is why VMWare
is going to beat Microsoft to the Virtual Machine punch every time.

Today I was thinking: Ya know what we need? A Pantera VM. Because
installing MySQL is a huge pain in the rear....and all the cool apps
these days depend on it. :<

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFFUOG5B8JNm+PA+iURAh0jAJ9n1Gy1OgQ+V4L1D4hAyr5PKl4jFACg6VxV
9Yv614dWsZ7Sc/Z+T0yK9NE=
=jQxr
-----END PGP SIGNATURE-----


From list at roseslabs.com  Tue Nov  7 20:59:03 2006
From: list at roseslabs.com (list at roseslabs.com)
Date: Tue, 7 Nov 2006 21:59:03 +0100 (CET)
Subject: [Dailydave] Managing labs
In-Reply-To: <4550E1BC.2070804@immunityinc.com>
References: <4550E1BC.2070804@immunityinc.com>
Message-ID: <10613.88.0.178.144.1162933143.squirrel@llca835-a.servidoresdns.net>

Dave,

Pantera will be included in BackTrack 2.0 (schedule end of the month),
OWASP Live CD (schedule soon) and ubuntu also plans to create a package.

And yesterday I did install Pantera requirements (mysql) using ubuntu 6.10
in no time!! Synaptic Package Manager is your friend :)

Simon Roses Femerling

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> http://www.vmware.com/products/labmanager/
>
> Look at Oded go! Being able to attract people like Oded is why VMWare
> is going to beat Microsoft to the Virtual Machine punch every time.
>
> Today I was thinking: Ya know what we need? A Pantera VM. Because
> installing MySQL is a huge pain in the rear....and all the cool apps
> these days depend on it. :<
>
> - -dave
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
>
> iD8DBQFFUOG5B8JNm+PA+iURAh0jAJ9n1Gy1OgQ+V4L1D4hAyr5PKl4jFACg6VxV
> 9Yv614dWsZ7Sc/Z+T0yK9NE=
> =jQxr
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>



From arunkoshy at gmail.com  Tue Nov  7 22:36:54 2006
From: arunkoshy at gmail.com (Arun Koshy)
Date: Wed, 8 Nov 2006 09:36:54 +1100
Subject: [Dailydave] UNC imports in PE files
In-Reply-To: <20061107105910.GA19579@dsl093-068-003.sfo1.dsl.speakeasy.net>
References: <20061107105910.GA19579@dsl093-068-003.sfo1.dsl.speakeasy.net>
Message-ID: <1d0ba3070611071436h7c278a27w27b28e85b91451f2@mail.gmail.com>

Hello Solar,

It is impossible to see a thing of beauty on list these days, you've
just thrown an exception to that rule.

Thank you for sharing !

Cheers,
Arun.

From barrie at reboot-robot.net  Wed Nov  8 13:57:16 2006
From: barrie at reboot-robot.net (Barrie Dempster)
Date: Wed, 8 Nov 2006 13:57:16 +0000
Subject: [Dailydave] UNC imports in PE files
In-Reply-To: <20061107105910.GA19579@dsl093-068-003.sfo1.dsl.speakeasy.net>
References: <20061107105910.GA19579@dsl093-068-003.sfo1.dsl.speakeasy.net>
Message-ID: <200611081357.35854.barrie@reboot-robot.net>

On Tuesday 07 November 2006 10:59, Solar Eclipse wrote:
<snip>
> What you probably don't know is that you can use a full UNC path instead of
> a DLL name in the import section of a PE file. When the file is executed,
> the loader will try to access the imported DLL using the UNC path and the
> WebDAV redirector will download the DLL from the Internet.


Whilst using this technique to decrease PE size is quite interesting, I'd be 
willing to bet most here would already be aware of the redirector 
functionality when loading DLLs, as it was pointed out by Dave Litchfield 
over a year ago.

www.ngssoftware.com/papers/xpms.pdf

-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

              - http://reboot-robot.net -

"He who hingeth aboot, geteth hee-haw" Victor - Still Game
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 1902 bytes
Desc: not available
Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20061108/5ce7d4a5/attachment.bin 

From dave.korn at artimi.com  Wed Nov  8 14:16:40 2006
From: dave.korn at artimi.com (Dave Korn)
Date: Wed, 8 Nov 2006 14:16:40 -0000
Subject: [Dailydave] The Assimilation of Sysinternals
Message-ID: <00fc01c70340$82c5f470$a501a8c0@CAM.ARTIMI.COM>



  Guess what.  


---------------------------------<snip!>---------------------------------
dk at rainbow /tmp> wget -S http://www.sysinternals.com/
--13:42:46--  http://www.sysinternals.com/
           => `index.html'
Resolving www.sysinternals.com... 66.193.254.46
Connecting to www.sysinternals.com[66.193.254.46]:80... connected.
HTTP request sent, awaiting response...
 1 HTTP/1.1 301 Moved Permanently
 2 Content-Length: 181
 3 Content-Type: text/html
 4 Location: http://www.microsoft.com/technet/sysinternals/default.mspx
---------------------------------<snip!>---------------------------------


  Oh look, they've moved it over to microsoft.  Let's take a look


http://www.microsoft.com/technet/sysinternals/default.mspx
---------------------------------<snip!>---------------------------------
Featured Resources
	File and Disk Utilities	Networking	Processes & Threads
	Security Utilities	System Information	Miscellaneous
---------------------------------<snip!>---------------------------------


  Hmmm, looks like pretty much the same old stuff... <browse><browse>... hang
on a minute!  Where's the sources?


http://blogs.technet.com/sysinternals/
---------------------------------<snip!>---------------------------------
Hi, my name is Otto Helweg and I'm very excited to help lead the Sysinternals
community migration as well as help define a plan for Sysinternals growth
going forward. I'm a Program Manager in the Windows Server and Tools division
but my background is heavy IT-Pro (not too much dev) and I look forward to
interfacing[*] with the Sysinternals users.
                                [ . . . ]
Our goal is to smoothly migrate the major Sysinternals site components to
Microsoft services and keep the same level of service the community received
pre-acquisition. Here's how the components are going to match up:
 

Original Sysinternals Site		Microsoft Service

Mark's Blog				TechNet Blog - Mark
Yahoo Groups Newsletter		TechNet Blog - Sysinternals
Web Site				TechNet TechCenter
Downloads				Microsoft.Com Downloads
Forum					TechNet Forum
Source Code				Not being migrated.
---------------------------------<snip!>---------------------------------


  Woah!  "Not being migrated"?!  Thanks a BUNCH, "Otto".  WTF not?


---------------------------------<snip!>---------------------------------
Source Code: The number of source code downloads didn't justify the migration,
support, and possible integration problems it might cause with other Windows
components down the road.
---------------------------------<snip!>---------------------------------


  Now, how is that for a completely bogus weasel bunch of crap.  Source code
might cause "integration problems [...] with other Windows components"?  Total
bullshit.  Microsoft is simply irrationally allergic to ever letting anyone
see sources for anything and this is like the kind of pathetic blatantly false
rationalisations that neurotics come up with to justify their irrational and
compulsive behaviours.

  Microsoft needs to get into therapy[**].


  In other news:

http://www.microsoft.com/technet/sysinternals/information/licensing.mspx
---------------------------------<snip!>---------------------------------
Installation and User Rights

You may install and use any number of copies of the software on your devices. 
                                [ . . . ]
Scope of License

 You may not
                                [ . . . ]
make more copies of the software than specified in this agreement 
---------------------------------<snip!>---------------------------------


  I must not make more than "any number" of copies of the software?  I'm not
sure if this means I can only make zero copies or if I can make infinite
copies...



    cheers,
      DaveK

[*]  - sic.  I /think/ it's a typo for 'interfering'.  ;-)
[**] - I know, I know... this is hardly news to anyone!
-- 
Can't think of a witty .sigline today....


From dan at geer.org  Wed Nov  8 17:29:54 2006
From: dan at geer.org (dan at geer.org)
Date: Wed, 08 Nov 2006 12:29:54 -0500
Subject: [Dailydave] The Assimilation of Sysinternals
In-Reply-To: Your message of "Wed, 08 Nov 2006 14:16:40 GMT."
	<00fc01c70340$82c5f470$a501a8c0@CAM.ARTIMI.COM> 
Message-ID: <20061108172954.AE2CF1BF94E@absinthe.tinho.net>


Is this

http://web.archive.org/web/*/http://sysinternals.com

the best we can do for now?

--dan


From ian.melven at gmail.com  Wed Nov  8 18:46:55 2006
From: ian.melven at gmail.com (Ian Melven)
Date: Wed, 8 Nov 2006 10:46:55 -0800
Subject: [Dailydave] The Assimilation of Sysinternals
In-Reply-To: <00fc01c70340$82c5f470$a501a8c0@CAM.ARTIMI.COM>
References: <00fc01c70340$82c5f470$a501a8c0@CAM.ARTIMI.COM>
Message-ID: <595932140611081046q48a028e7id4735cd1dfa07c43@mail.gmail.com>

So what's the legal angle on any of the thousands of people who
mirrored the entire Sysinternals site when the MS acquisition was
announced putting up the sources somewhere ?

This reminds me of when Securityfocus took down all their exploits and
everyone had a giant .tar.gz on their machine.

Ian


On 11/8/06, Dave Korn <dave.korn at artimi.com> wrote:
>
>
>   Guess what.
>
>
> ---------------------------------<snip!>---------------------------------
> dk at rainbow /tmp> wget -S http://www.sysinternals.com/
> --13:42:46--  http://www.sysinternals.com/
>            => `index.html'
> Resolving www.sysinternals.com... 66.193.254.46
> Connecting to www.sysinternals.com[66.193.254.46]:80... connected.
> HTTP request sent, awaiting response...
>  1 HTTP/1.1 301 Moved Permanently
>  2 Content-Length: 181
>  3 Content-Type: text/html
>  4 Location: http://www.microsoft.com/technet/sysinternals/default.mspx
> ---------------------------------<snip!>---------------------------------
>
>
>   Oh look, they've moved it over to microsoft.  Let's take a look
>
>
> http://www.microsoft.com/technet/sysinternals/default.mspx
> ---------------------------------<snip!>---------------------------------
> Featured Resources
>         File and Disk Utilities Networking      Processes & Threads
>         Security Utilities      System Information      Miscellaneous
> ---------------------------------<snip!>---------------------------------
>
>
>   Hmmm, looks like pretty much the same old stuff... <browse><browse>... hang
> on a minute!  Where's the sources?
>
>
> http://blogs.technet.com/sysinternals/
> ---------------------------------<snip!>---------------------------------
> Hi, my name is Otto Helweg and I'm very excited to help lead the Sysinternals
> community migration as well as help define a plan for Sysinternals growth
> going forward. I'm a Program Manager in the Windows Server and Tools division
> but my background is heavy IT-Pro (not too much dev) and I look forward to
> interfacing[*] with the Sysinternals users.
>                                 [ . . . ]
> Our goal is to smoothly migrate the major Sysinternals site components to
> Microsoft services and keep the same level of service the community received
> pre-acquisition. Here's how the components are going to match up:
>
>
> Original Sysinternals Site              Microsoft Service
>
> Mark's Blog                             TechNet Blog - Mark
> Yahoo Groups Newsletter         TechNet Blog - Sysinternals
> Web Site                                TechNet TechCenter
> Downloads                               Microsoft.Com Downloads
> Forum                                   TechNet Forum
> Source Code                             Not being migrated.
> ---------------------------------<snip!>---------------------------------
>
>
>   Woah!  "Not being migrated"?!  Thanks a BUNCH, "Otto".  WTF not?
>
>
> ---------------------------------<snip!>---------------------------------
> Source Code: The number of source code downloads didn't justify the migration,
> support, and possible integration problems it might cause with other Windows
> components down the road.
> ---------------------------------<snip!>---------------------------------
>
>
>   Now, how is that for a completely bogus weasel bunch of crap.  Source code
> might cause "integration problems [...] with other Windows components"?  Total
> bullshit.  Microsoft is simply irrationally allergic to ever letting anyone
> see sources for anything and this is like the kind of pathetic blatantly false
> rationalisations that neurotics come up with to justify their irrational and
> compulsive behaviours.
>
>   Microsoft needs to get into therapy[**].
>
>
>   In other news:
>
> http://www.microsoft.com/technet/sysinternals/information/licensing.mspx
> ---------------------------------<snip!>---------------------------------
> Installation and User Rights
>
> You may install and use any number of copies of the software on your devices.
>                                 [ . . . ]
> Scope of License
>
>  You may not
>                                 [ . . . ]
> make more copies of the software than specified in this agreement
> ---------------------------------<snip!>---------------------------------
>
>
>   I must not make more than "any number" of copies of the software?  I'm not
> sure if this means I can only make zero copies or if I can make infinite
> copies...
>
>
>
>     cheers,
>       DaveK
>
> [*]  - sic.  I /think/ it's a typo for 'interfering'.  ;-)
> [**] - I know, I know... this is hardly news to anyone!
> --
> Can't think of a witty .sigline today....
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

From lmh at info-pull.com  Wed Nov  8 20:20:27 2006
From: lmh at info-pull.com (L.M.H)
Date: Wed, 8 Nov 2006 21:20:27 +0100
Subject: [Dailydave] Some more kernel fun: zlib and the missing FreeBSD UFS
	issue (related to MOKB-03-11-2006).
Message-ID: <da7ca31e0611081220p1b6add83u8ed7f8eedf77d288@mail.gmail.com>

Hi,

Two issues (I just want to make sure at least the first one gets out
before FUD/silent patches start going through the cli... err, git):

MOKB-07-11-2006: Linux 2.6.x zlib_inflate memory corruption:
http://projects.info-pull.com/mokb/MOKB-07-11-2006.html

MOKB-08-11-2006: FreeBSD 6.1 UFS filesystem ffs_rdextattr() integer overflow
http://projects.info-pull.com/mokb/MOKB-08-11-2006.html
(this one was weird to check)

On MOKB-07-11-2006, check the comment at Kernel Fun:
http://kernelfun.blogspot.com/2006/11/mokb-07-11-2006-linux-26x-zlibinflate.html

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=211668
-- quote
So, is anyone going to send the patch to lkml? The fix should be public before
the month of kernel bugs starts (nov 1).
-- end quote

No comments.

And: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=211237
-- quote
(...)
btw, infamy! http://projects.info-pull.com/mokb/MOKB-02-11-2006.html
(...)
A listing on MOKB, and the second bug too...  Sadly not my idea of a good
advertisement.
-- end quote

Since when does security have to do with advertisement? Ah, since
Apple started those scary commercials. Nevermind :>

Note: Nothing against Red Hat, there are nice guys working there as
well. Thanks to Eric for letting me know about the patches, he's doing
a good job fixing the issues.

If you try to hide shit under the carpet, it will stink anyway...
Food for thought, as usual.

Cheers.

From nruff at security-labs.org  Wed Nov  8 20:56:08 2006
From: nruff at security-labs.org (Nicolas RUFF)
Date: Wed, 08 Nov 2006 21:56:08 +0100
Subject: [Dailydave] The Assimilation of Sysinternals
In-Reply-To: <00fc01c70340$82c5f470$a501a8c0@CAM.ARTIMI.COM>
References: <00fc01c70340$82c5f470$a501a8c0@CAM.ARTIMI.COM>
Message-ID: <45524468.60205@security-labs.org>

	Hello,

I think you missed part of the point :
http://www.microsoft.com/technet/sysinternals/information/licensingfaq.mspx

---
Q: How many copies of Sysinternals utilities may I freely load or use on
computers owned by my company?
A: There is no limit to the number of times you may install and use the
software on your devices.
---
Q: May I freely load or use Sysinternals utilities on computers that I
support but do not own?
A: No. You will need to contact Microsoft Sysinternals Licensing
(syslic at microsoft.com) and inquire about fee based licensing options.
---

I cannot find the prices on the website, but you got the idea ... BTW,
have a look at those :

---
Q: Can I license or re-use any Sysinternals source code?
A: No. We will no longer offer the Sysinternals source code for download
or license.
---
Q: Will Microsoft migrate and host all the Sysinternals tools?
A: No. A small number of tools were identified for removal before the
acquisition. We worked very closely with Mark Russinovich to determine
which tools to migrate. That said, a majority of the tools will be
migrated which include the latest and most popular tools. In addition,
we will be open to resurrecting old tools based on community requests.
---
Q: Will Microsoft change the licensing agreement for the Sysinternals
tools and their use?
A: Yes, but we've made the license terms more liberal. Companies can now
install and use the software throughout their organization, as opposed
to a single user limitation.
---

PS. http://www.microsoft.com/technet/sysinternals/information.mspx

"- BOOT.INI Options
The most complete BOOT.INI option reference available outside of Microsoft."

Or is it ? ;)

Regards,
- Nicolas RUFF

From ge at linuxbox.org  Thu Nov  9 00:31:52 2006
From: ge at linuxbox.org (Gadi Evron)
Date: Wed, 8 Nov 2006 18:31:52 -0600 (CST)
Subject: [Dailydave] The Assimilation of Sysinternals
In-Reply-To: <00fc01c70340$82c5f470$a501a8c0@CAM.ARTIMI.COM>
Message-ID: <Pine.LNX.4.21.0611081830181.12877-100000@linuxbox.org>

On Wed, 8 Nov 2006, Dave Korn wrote:
> Source Code				Not being migrated.

With the help of Dave Korn (with thanks to Brian Dessert), we uploaded an
archive of the sources:

http://blogs.securiteam.com/index.php/archives/723

	Gadi.


From olef.anderson at gmail.com  Thu Nov  9 05:44:38 2006
From: olef.anderson at gmail.com (Olef Anderson)
Date: Wed, 8 Nov 2006 21:44:38 -0800
Subject: [Dailydave] San Francisco hacker gathering!
Message-ID: <9b4f936f0611082144l3de4df75w44d8ea9ca9e4d595@mail.gmail.com>

http://aigasf.org/events/event_toys.html


i will be there at least.

cheers,
Olef.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20061108/1e565e5f/attachment.htm 

From dave.korn at artimi.com  Thu Nov  9 14:18:15 2006
From: dave.korn at artimi.com (Dave Korn)
Date: Thu, 9 Nov 2006 14:18:15 -0000
Subject: [Dailydave] The Assimilation of Sysinternals
In-Reply-To: <595932140611081046q48a028e7id4735cd1dfa07c43@mail.gmail.com>
Message-ID: <020f01c70409$e548f8d0$a501a8c0@CAM.ARTIMI.COM>

On 08 November 2006 18:47, Ian Melven wrote:

> So what's the legal angle on any of the thousands of people who
> mirrored the entire Sysinternals site when the MS acquisition was
> announced putting up the sources somewhere ?

  Well, you are governed by the licence conditions under which you obtained
the software.  If you got it under the original licensing terms, those still
apply, since they contain no provisions for assigns or successors nor for
modification of terms at a later date.

http://web.archive.org/web/20050323060844/http://www.sysinternals.com/licensin
g.shtml


  However neither the old nor the new licences permit redistribution without
purchasing a commercial license, so Gadi was right to hold off on mirroring
it; it really doesn't look like we can do that.

  It's just plain wasteful when someone has something that they don't even
want any more but they won't let anyone else have it just out of sheer
meanness.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....


From matt at use.net  Thu Nov  9 16:28:06 2006
From: matt at use.net (Matt Hargett)
Date: Thu, 9 Nov 2006 08:28:06 -0800
Subject: [Dailydave] The Assimilation of Sysinternals
In-Reply-To: <Pine.LNX.4.21.0611081830181.12877-100000@linuxbox.org>
References: <Pine.LNX.4.21.0611081830181.12877-100000@linuxbox.org>
Message-ID: <200611090828.07208.matt@use.net>

On Wednesday 08 November 06 16:31, Gadi Evron wrote:
> On Wed, 8 Nov 2006, Dave Korn wrote:
> > Source Code				Not being migrated.
>
> With the help of Dave Korn (with thanks to Brian Dessert), we uploaded an
> archive of the sources:
>
> http://blogs.securiteam.com/index.php/archives/723

Didn't see any archive there, but I'm curious if it will include the source 
code for the Linux-based FileMon and some of the other utilities that were 
removed outright without mention months before the acquisition?

From dave at immunityinc.com  Fri Nov 10 12:35:58 2006
From: dave at immunityinc.com (Dave Aitel)
Date: Fri, 10 Nov 2006 07:35:58 -0500
Subject: [Dailydave] Mono, suse vs ubuntu
Message-ID: <4554722E.90009@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So it's definitely after installing pyMySQL and pyGTK and pyOpenSSL
that you realize the whole point of Mono and Microsoft's CLR is to
avoid having to write wrappers at all. There are whole huge projects
writing wrappers for every C library in the world. pyGTK is a great
example of a team doing such a thing. But the Common Language Runtime
eliminates all that, with the penalty of everyone writing to the same
generic VM.

Of course, with the original CLR, you couldn't do Python and Ruby. But
soon those will be first class members of the CLR family under
Windows, and I assume Mono will follow fairly quickly. At that point,
writing code in cPython or cRuby will become a rather silly idea,
since something wrapped in Mono will will be available to both the
Ruby and Python people equally well (or equally poorly.)

But then, deploying software under this model is hugely painful. Want
to make sure they have the right version of the Virtual Machine? Get
ready to deploy your app with 2 gigs of random Mono directories. It's
almost easier to deploy every app as a virtual appliance based on ubuntu.

Anyways, this is my thought of the morning, because SuSE is the best
operating system I've ever used, except for their software
installation system, which is crap. Also, you need some sort of
magical skill to understand what Novell AppArmor is all about, because
the usability there is hard for even software security specialists.
Security needs to be "Baked In" as they say, and not something the
user has to click on. If I can't tell if AppArmor is doing anything
useful, then for sure it's wasted space in the configuration menu.

Things that rock about SuSE 10.0:
  o Default install looks and feels awesome. Wireless worked after
some ndisdriver magic. Verizon EVDO card works better than it did
under Windows and was a snap to set up. Suspend works (after adding
vga=0 to kernel conf via pretty gui after console message told me
too). Sound works. Ethernet magically works. Gnome's new sexy pop up
messages make the whole system feel more responsive.
  o XGL make Windows people sad. It even makes Mac people sad.
"Virtual Desktops? What's that?" It's better than Vista, and it's on
your laptop right now with about 10 seconds of effort.
  o Nautilus has finally stopped crashing.
  o All of the custom Immunity software "just worked". SPIKE, CANVAS,
etc. SPIKE is still quite useful. I know the press is just finding out
that making small strings big can find security flaws, but it's fun to
test software stacks with the old C SPIKE just because it's so much
faster than they expect anything to happen to them. This week I
crashed one of the bigger application server systems by using cSPIKE
to just log in five hundred thousand times a second. Fun for the whole
family!
  o No broken selinux that you have to disable to get anything done
like fedora

Things that suck about SuSE 10.0:
  o Installer retarded. In fact, entire software management system
worst ever. Even Fedora is better. Example: Under fedora, if you want
to go wild and crazy and get your VLC player for divx's, you browse to
"Set up fedora to play divx" somewhere on the web, and there is a YUM
repository (livna or something) and you just clickscript your way to
divx, or whatever support you need. It always works. Under SuSE they
have the "packman" repository, which will almost work, but then it
will assume "perl" is a broken dependency that needs to be removed. I
don't think so.
  o Mega-Old versions of Firefox and Thunderbird installed by default.
Does anyone use Evolution? Why is this the default on anything?

Ubuntu has the world's best software installer. What I really want
here is a way to commercialize it. I want to have the user able to
enter a username and password for canvas_ubuntu.immunityinc.com and
then have their canvas get updated along with everything else on their
system, passing that authentication down the line to our repository.
Maybe someday. VMware would be nice to install this way too.

They do appear to have completely ignored security in their
development process, which is annoying. By installing GRSecurity in
the default kernel, and going through some basic work to blacklist a
few things that don't work with it (VMware, for instance), ubuntu
could be a ton better.


- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFFVHIqB8JNm+PA+iURAjd6AJ0WLZtABpuFdBNfvXnL0my8qRlJDACbBLF9
0EwPXGKTGeKNw4ln3HmVVEQ=
=E2Lx
-----END PGP SIGNATURE-----


From lmh at info-pull.com  Sat Nov 11 21:46:11 2006
From: lmh at info-pull.com (L.M.H)
Date: Sat, 11 Nov 2006 22:46:11 +0100
Subject: [Dailydave] Kernel 'developer' makes fuzzy FUD (RH Episodes: Volume
	1)
Message-ID: <da7ca31e0611111346j2c652f09j6cce66bba82dbbde@mail.gmail.com>

Hi,

I've been noticed about about a post by 'Dave Jones' on his 'Kernel
slacker' blog:
http://kernelslacker.livejournal.com/62905.html

-- quote
For example, nine days into the "month of kernel bugs", we've yet to
see a Linux kernel bug that allows the user to do anything other than
crash/oops the kernel. Code execution hasn't been proven at all. (And
conveniently, lets ignore that you need either a) root privileges to
mount an image over loopback or b) physical access to insert a corrupt
CD/USB key).
-- end quote

OK, enough FUD already.

Fortunately, this time I won't have to explain the security
implications of the zlib bug. I want to thank Red Hat fellows for
explaining it already, in a private bugzilla entry of course.

Copy of printer-friendly version at:
http://projects.info-pull.com/mokb/redhash/show_bug-211668.ps

There's something that strikes me, why a bug 'with no security
implications' is marked as private to Red Hat employees? I was about
to look for the 'EYES ONLY' mark but didn't find it, yet.

Well, back to the bug itself. Dave, I'll quote this one:

-- quote
Whilst LMH's fuzzer is pretty neat, the Gartner write-up gives the
impression that kernel developers spend all day complacently idling in
the belief that everything is perfect.
-- end quote

Well, you wasted your time writing a completely non-sense post to your
blog, instead of going back to your company's bugzilla and reading the
whole thread about the bug. Please make sure you've read Phillip
Lougher's comments that nicely explain the issue:

-- quote
The line "Error -3 while decompressing!" is printed after zlib_inflate has
returned.  What then happens is cramfs_uncompress_block returns 0 bytes which
means cramfs_readpage returns a completely zero-filled block.  This means the
"Unable to handle kernel paging request at 000000002252d15d RIP:" can't be
generated by cramfs_readpage returning failure, because it never does.  This
means it is probably caused by stack corruption or other memory corruption.

The error line "ffffffff8852d146(-1711276009)->ffff810033dad000(4096)" is
generated by cramfs_uncompress_block which I think indicates the error.  The
size of the source block is given as -1711276009, which both zlib_inflate() and
cramfs_read() handle as an unsigned int, or a large number.  Cramfs_read()
doesn't fall over reading this because it never reads more than BUFFER_SIZE
bytes (16K, 4*PAGE_CACHE_SIZE), but it is likely zlib_inflate() is corrupting
memory given such a large block to evaluate/checksum.

Ultimately, the bug is caused by the corrupted block length field read by
cramfs_readpage().  The fix is to add a sanity check in cramfs_readpage() when
the block length is read.
-- end quote

Luckily enough I'm feeling good today, if not, I would rather tell you
to STFU and do your homework. You're probably a nice guy, so I just
recommend to not continue walking through this suicidal route.

That's the not-so-good advertisement you should care about, rather
than trying to obscure what is an obvious issue. If you're having some
sort of pressure from somewhere else, then I'm sorry for you.

I'm not an expert, I probably have much less kernel development
experience than you do, but I know my stuff. I'm not a 'self
proclaimed security researcher' (please point me at a single line
where I've actually said that, and I'll rip off my testicles and sell
them on eBay) as I've read in some places (recall a "Mac zealot" blog
so far).

BTW, next time you want to discuss something like this, send me an
e-mail. I won't bite you, I promise. I find it extremely off to find
how 'blogs' are being used out there (lemme use the term 'blog
whoring').

Cheers.
PS: I'm CC'ing HD, he may be able to comment on when 'non exploitable
bugs' become 'exploitable', without some obscure 'black hat Russian
voodoo magic' involved.

From perfect.material at gmail.com  Sun Nov 12 00:39:05 2006
From: perfect.material at gmail.com (PERFECT.MATERIAL)
Date: Sat, 11 Nov 2006 19:39:05 -0500
Subject: [Dailydave] Kernel 'developer' makes fuzzy FUD (RH Episodes:
	Volume 1)
In-Reply-To: <da7ca31e0611111346j2c652f09j6cce66bba82dbbde@mail.gmail.com>
References: <da7ca31e0611111346j2c652f09j6cce66bba82dbbde@mail.gmail.com>
Message-ID: <631ac1d90611111639o50b77c7vf7499b66fdae7912@mail.gmail.com>

Dear HD Moore Wannabe, Yet Still Much Dumber Than HD Moore,

>
> There's something that strikes me, why a bug 'with no security
> implications' is marked as private to Red Hat employees? I was about
> to look for the 'EYES ONLY' mark but didn't find it, yet.
>

Is this your in depth technical analysis into the exploitability of
the bug in question? Pointing out that "the vendor is taking it
seriously as opposed to as a joke" does not validate this bug at all.
Just wanted to make sure you didn't take the time to look into this
bug yourself. I am hopeful that by raising this question, you will be
forced to realize that you should stop blabbing and cross posting
harassing e-mails to bloggers.

I don't have a blog so I would like to just ask you here. Why is it
that you consider this bug to be serious? Why do you consider that
blogger guy downplaying the severity of the bugs to be FUD? Let me
quote your quote, including your fancy '-- quote' marker technology.

-- quote
> -- quote
> For example, nine days into the "month of kernel bugs", we've yet to
> see a Linux kernel bug that allows the user to do anything other than
> crash/oops the kernel. Code execution hasn't been proven at all. (And
> conveniently, lets ignore that you need either a) root privileges to
> mount an image over loopback or b) physical access to insert a corrupt
> CD/USB key).
> -- end quote
-- end quote

Ok, so let us do what the silly blogger said and ignore the
exploitability issue since you clearly aren't qualified to comment on
it (but do anyway). How do you explain the root privilege or physical
access requirement? I have several 0day hacker bugs that allow you to
hack OR crack a machine given physical or root access. I even know of
some publicly available methods...

I think you should give it up. There is only room for one annoying
fuzzer blog on this megaweb and Thor Doomen has made sure that that
spot is filled. I hereby call for you to halt the month of worthless
bugs project and delete the content of the blog immediately. Thanks.

PERFECT.MATERIAL
"I love all of you -- and especially your wives," - James Strom Thurmond

On 11/11/06, L.  M. H <lmh at info-pull.com> wrote:
> Hi,
>
> I've been noticed about about a post by 'Dave Jones' on his 'Kernel
> slacker' blog:
> http://kernelslacker.livejournal.com/62905.html
>
> -- quote
> For example, nine days into the "month of kernel bugs", we've yet to
> see a Linux kernel bug that allows the user to do anything other than
> crash/oops the kernel. Code execution hasn't been proven at all. (And
> conveniently, lets ignore that you need either a) root privileges to
> mount an image over loopback or b) physical access to insert a corrupt
> CD/USB key).
> -- end quote
>
> OK, enough FUD already.
>
> Fortunately, this time I won't have to explain the security
> implications of the zlib bug. I want to thank Red Hat fellows for
> explaining it already, in a private bugzilla entry of course.
>
> Copy of printer-friendly version at:
> http://projects.info-pull.com/mokb/redhash/show_bug-211668.ps

> Well, back to the bug itself. Dave, I'll quote this one:
>
> -- quote
> Whilst LMH's fuzzer is pretty neat, the Gartner write-up gives the
> impression that kernel developers spend all day complacently idling in
> the belief that everything is perfect.
> -- end quote
>
> Well, you wasted your time writing a completely non-sense post to your
> blog, instead of going back to your company's bugzilla and reading the
> whole thread about the bug. Please make sure you've read Phillip
> Lougher's comments that nicely explain the issue:
>
> -- quote
> The line "Error -3 while decompressing!" is printed after zlib_inflate has
> returned.  What then happens is cramfs_uncompress_block returns 0 bytes
> which
> means cramfs_readpage returns a completely zero-filled block.  This means
> the
> "Unable to handle kernel paging request at 000000002252d15d RIP:" can't be
> generated by cramfs_readpage returning failure, because it never does.  This
> means it is probably caused by stack corruption or other memory corruption.
>
> The error line "ffffffff8852d146(-1711276009)->ffff810033dad000(4096)" is
> generated by cramfs_uncompress_block which I think indicates the error.  The
> size of the source block is given as -1711276009, which both zlib_inflate()
> and
> cramfs_read() handle as an unsigned int, or a large number.  Cramfs_read()
> doesn't fall over reading this because it never reads more than BUFFER_SIZE
> bytes (16K, 4*PAGE_CACHE_SIZE), but it is likely zlib_inflate() is
> corrupting
> memory given such a large block to evaluate/checksum.
>
> Ultimately, the bug is caused by the corrupted block length field read by
> cramfs_readpage().  The fix is to add a sanity check in cramfs_readpage()
> when
> the block length is read.
> -- end quote
>
> Luckily enough I'm feeling good today, if not, I would rather tell you
> to STFU and do your homework. You're probably a nice guy, so I just
> recommend to not continue walking through this suicidal route.
>
> That's the not-so-good advertisement you should care about, rather
> than trying to obscure what is an obvious issue. If you're having some
> sort of pressure from somewhere else, then I'm sorry for you.
>
> I'm not an expert, I probably have much less kernel development
> experience than you do, but I know my stuff. I'm not a 'self
> proclaimed security researcher' (please point me at a single line
> where I've actually said that, and I'll rip off my testicles and sell
> them on eBay) as I've read in some places (recall a "Mac zealot" blog
> so far).
>
> BTW, next time you want to discuss something like this, send me an
> e-mail. I won't bite you, I promise. I find it extremely off to find
> how 'blogs' are being used out there (lemme use the term 'blog
> whoring').
>
> Cheers.
> PS: I'm CC'ing HD, he may be able to comment on when 'non exploitable
> bugs' become 'exploitable', without some obscure 'black hat Russian
> voodoo magic' involved.
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

From lmh at info-pull.com  Sun Nov 12 01:22:30 2006
From: lmh at info-pull.com (L.M.H)
Date: Sun, 12 Nov 2006 02:22:30 +0100
Subject: [Dailydave] Kernel 'developer' makes fuzzy FUD (RH Episodes:
	Volume 1)
In-Reply-To: <631ac1d90611111639o50b77c7vf7499b66fdae7912@mail.gmail.com>
References: <da7ca31e0611111346j2c652f09j6cce66bba82dbbde@mail.gmail.com>
	<631ac1d90611111639o50b77c7vf7499b66fdae7912@mail.gmail.com>
Message-ID: <da7ca31e0611111722q5a3f10bmcb193a5abdf9c4a7@mail.gmail.com>

On 11/12/06, PERFECT. MATERIAL <perfect.material at gmail.com> wrote:
> Is this your in depth technical analysis into the exploitability of
> the bug in question? Pointing out that "the vendor is taking it
> seriously as opposed to as a joke" does not validate this bug at all.
> Just wanted to make sure you didn't take the time to look into this
> bug yourself. I am hopeful that by raising this question, you will be
> forced to realize that you should stop blabbing and cross posting
> harassing e-mails to bloggers.

Please go back and read my follow-up email as well as the PS file from
the bugzilla entry.
And if possible, re-phrase that. I don't pay attention to trolls,
usually. But this time I'm not sure if it's just that you didn't read,
understand or even bothered to see the details at all.

> it (but do anyway). How do you explain the root privilege or physical
> access requirement?

I'll ignore the other non-sense stuff, and answer to this one. Fedora
Core and most distributions out there currently allow unprivileged
users to mount filesystems. Check out automount and the other tools
that come with Gnome, KDE, etc. In win32 you have third-party tools
that allow all sorts of filesystem images to be mounted (ex. Daemon
Tools), also.

Anyway, it strikes me that your e-mail even managed to get through the
moderation filter. Dave, accidental mistake? :-)

I thought we didn't have trolls over here.

Cheers.

From sgrubb at redhat.com  Sun Nov 12 15:30:34 2006
From: sgrubb at redhat.com (Steve Grubb)
Date: Sun, 12 Nov 2006 10:30:34 -0500
Subject: [Dailydave] Kernel 'developer' makes fuzzy FUD (RH Episodes:
	Volume 1)
In-Reply-To: <da7ca31e0611111346j2c652f09j6cce66bba82dbbde@mail.gmail.com>
References: <da7ca31e0611111346j2c652f09j6cce66bba82dbbde@mail.gmail.com>
Message-ID: <200611121030.35137.sgrubb@redhat.com>

On Saturday 11 November 2006 16:46, L.M.H wrote:
> OK, enough FUD already.

First let's say that FUD is the wrong word to use here. You are the one 
spreading FUD. Dave is not causing panic or a sense of "oh shit". He is 
merely point out the obvious...you have to either have privileges to perform 
mount or physical access to the machine. If all these are is DoS and you have 
physical access, why not just yank the power cord? Until an exploit is 
written, these are just DoS crashes.

> There's something that strikes me, why a bug 'with no security
> implications' is marked as private to Red Hat employees?

Because that is the responsible thing to do. If a bug is not assessed that 
could be a security issue, it should be private until a determination has 
been made one way or another. This also brings up the point that you are 
posting bugs I found to the MoKB as if you found them and not giving me 
credit. This also goes for the squash double free (which the kernel catches) 
and the ext3 softlock up - both of which were in bugzilla a while back. There 
are also bugs filed for hfs and gfs2 - which simply crash the system.

These bugs do need to be fixed based on robustness criteria not necessarily 
security criteria. It is normal for people to have a disk crash and want to 
mount the corrupted disk in effort to salvage what they can. This is the main 
reason these bugs need to be fixed. If you have root to do mounting, there 
are so many ways to crash your own machine. The need to make file systems 
more robust is the reason that I worked on fsfuzzer with you.

If you have physical access to a machine, you can put your favorite distro in 
the CD-Rom tray and install anything you want on the system. So, no I do not 
believe this falls into security fixes because there are easier ways to 
compromise a box if you are root or have physical access.

-Steve

PS the above is not FUD since I'm not spreading fear.

From dave.aitel at gmail.com  Sun Nov 12 15:52:09 2006
From: dave.aitel at gmail.com (Dave Aitel)
Date: Sun, 12 Nov 2006 10:52:09 -0500
Subject: [Dailydave] "The organization I belong to doesn't have initals"
	(that evil dude in Heroes)
Message-ID: <b581b3220611120752w29e7b32at7343d2f25c6cc94b@mail.gmail.com>

So one thing that struck me this week was how most good hackers cannot tell
you how they find vulnerabilities. I've asked both Kostya and Sinan how they
find bugs, and there really isn't a process behind it, other than
persistance, experience, and gut feel. I've been consulting for a bit to get
my feet wet again. Consulting is an ego game. Do you think you can break
this in one week? The answer is maybe, but your internal voice better be
saying "hell yes" or you won't succeed.

This week I was literally one hour out of a meeting telling my sponsor the
app I was auditing was secure when I got remote code execution. But
Immunity's consulting is somewhat different from most I've been involved
with. We spend a lot less time telling people about their ICMP timestamps
and a lot more time finding 0day. At the DoD Information Assurance
conference 95% of the things discussed were compliance management. "We can't
get our people to intall patches properly" was a popular refrain. But at
Xcon it was 0day, 0day and 0day. It tells you a lot about the whether the
DoD will be successful at information assurance in the face of assymetrical
attacks (Answer: no).

The solution, of course, is to focus only on the high end risk, rather than
assuming you have to climb up the risk chain from the bottom. IMHO, of
course. I don't work for the USG and haven't for a long time. But if you're
focusing on patch and configuration compliance and your most likely
opponents don't care then you gotta assume something's broken. Invest the
majority of your cash in vulnerability research and hacking and leave the
compliance management for later. Sometimes the best defense is a good
offense, and with hacking that's nearly always true.

But, of course, even the cost of experience is expensive in this game,
because full time vulnerability research isn't profitable in a reliable way.
You could spend a year auditing one large application and find only DoS's,
epecially in this world of /GS, SafeSEH and W^X.  Persistance, experience -
these are monumentally expensive with no sure pay off. If even the
researcher can't tell they're on the way to finding a bug until the second
they find it, then how can you plan and budget for it?

-dave
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20061112/a5ccea17/attachment.htm 

From ge at linuxbox.org  Sun Nov 12 16:20:13 2006
From: ge at linuxbox.org (Gadi Evron)
Date: Sun, 12 Nov 2006 10:20:13 -0600 (CST)
Subject: [Dailydave] Kernel 'developer' makes fuzzy FUD (RH Episodes:
 Volume 1)
In-Reply-To: <200611121030.35137.sgrubb@redhat.com>
Message-ID: <Pine.LNX.4.21.0611121013480.8042-100000@linuxbox.org>

On Sun, 12 Nov 2006, Steve Grubb wrote:
> On Saturday 11 November 2006 16:46, L.M.H wrote:
> > OK, enough FUD already.
> 
> First let's say that FUD is the wrong word to use here. You are the one 
> spreading FUD. Dave is not causing panic or a sense of "oh shit". He is 

That is true, I read Dave's post and he was not attacking LMH. LMH got
pissed over Dave's original belitting of these bugs as having no security
impact. I think it's mainly a mis-understanding. LMH is a cool guy and
Dave reads to be a cool guy.

> merely point out the obvious...you have to either have privileges to perform 
> mount or physical access to the machine. If all these are is DoS and you have 
> physical access, why not just yank the power cord? Until an exploit is 
> written, these are just DoS crashes.

DoS only? No public exploit? We heard that before. Sorry for being rude on
this point, but we did.

> > There's something that strikes me, why a bug 'with no security
> > implications' is marked as private to Red Hat employees?
> 
> Because that is the responsible thing to do. If a bug is not assessed that 
> could be a security issue, it should be private until a determination has 

So, it's private, and yet...

> been made one way or another. This also brings up the point that you are 
> posting bugs I found to the MoKB as if you found them and not giving me 
> credit. This also goes for the squash double free (which the kernel catches) 

Were you the one to find the bugs working with LMH, or did you find them
on your own and kept them private to redhat only? Please clarify..

<snip>

> If you have physical access to a machine, you can put your favorite distro in 
> the CD-Rom tray and install anything you want on the system. So, no I do not 
> believe this falls into security fixes because there are easier ways to 
> compromise a box if you are root or have physical access.

USB drives and corporate employees disagree.

It's a vulnerability, far from us to also prove how it works or what it
will be useful for, it needs fixing. That said, you ARE right these seem
LESS critical.
In my humble opinion, as an open-source related company, you may do well
to try and see if you can work with the researchers rather than attack
them. Learn from Microsoft's mistake.

That is not to say you mean to attack researchers, it comes as an honest
observation on how this misunderstanding can be avoided and not further
esclated.

> -Steve

	Gadi.


From sgrubb at redhat.com  Sun Nov 12 17:51:48 2006
From: sgrubb at redhat.com (Steve Grubb)
Date: Sun, 12 Nov 2006 12:51:48 -0500
Subject: [Dailydave] Kernel 'developer' makes fuzzy FUD (RH Episodes:
	Volume 1)
In-Reply-To: <Pine.LNX.4.21.0611121013480.8042-100000@linuxbox.org>
References: <Pine.LNX.4.21.0611121013480.8042-100000@linuxbox.org>
Message-ID: <200611121251.48993.sgrubb@redhat.com>

On Sunday 12 November 2006 11:20, Gadi Evron wrote:
> > merely point out the obvious...you have to either have privileges to
> > perform mount or physical access to the machine. If all these are is DoS
> > and you have physical access, why not just yank the power cord? Until an
> > exploit is written, these are just DoS crashes.
>
> DoS only? No public exploit? We heard that before. Sorry for being rude on
> this point, but we did.

I'm just wanting to see how you take advantage of this without root privileges 
or physical access to the machine. Yes, I have read the saying that a 
vulnerability is not an exploitable until one is written.

> Were you the one to find the bugs working with LMH,

I worked with LMH on fsfuzzer from March 5-8. The program was a great idea and 
started off as a 50 line shell script. My goal at the time was to get it to 
the point that it could create its own images so that it could be tested to 
see if there were any problems in the kernel. LMH had been playing with it 
before we met and had found an ISO9660 problem (and maybe some others). 
Anyways, during those 3 days the program was able to create its own 
filesystem images and became much more useful. At the time, only ext2/3, 
iso9660, and the msdos file systems worked. I tested those and found nothing 
interesting. (This was also back in 2.6.14 kernel days.)

This fall, I was curious how things were looking in the new 2.6.18 kernel and 
learned how to setup some more file systems and wanted to see if populating 
the image better and adding extended attribute operations would show new 
bugs. So, I added those to fsfuzzer. Sure enough there were new bugs I hadn't 
seen before. So, the next issue is how to give a corrupted image for someone 
to study and fix the problem. I added the code to let you replay the tests 
and got some more kernel developers involved since the kernel was not robust 
in the face of corrupt images.

> or did you find them on your own and kept them private to redhat only?

I found these bugs and filed bugzilla #'s 209907, 211237, 211668 before the 
month of kernel bugs was ever announced. I did mention to LMH that I was 
releasing a new version of fsfuzzer that did find and reproduce all these 
bugs and a few more that are not public.

> In my humble opinion, as an open-source related company, you may do well
> to try and see if you can work with the researchers rather than attack
> them. 

Sigh, these are bugs *I found* and we are getting people to fix these 
robustness issues. As for my response, how would you feel given the above? 

-Steve

From lmh at info-pull.com  Sun Nov 12 18:14:41 2006
From: lmh at info-pull.com (L.M.H)
Date: Sun, 12 Nov 2006 19:14:41 +0100
Subject: [Dailydave] Kernel 'developer' makes fuzzy FUD (RH Episodes:
	Volume 1)
In-Reply-To: <200611121030.35137.sgrubb@redhat.com>
References: <da7ca31e0611111346j2c652f09j6cce66bba82dbbde@mail.gmail.com>
	<200611121030.35137.sgrubb@redhat.com>
Message-ID: <da7ca31e0611121014n652bbb70ke868c2c368c5aad6@mail.gmail.com>

On 11/12/06, Steve Grubb <sgrubb at redhat.com> wrote:
> First let's say that FUD is the wrong word to use here. You are the one
> spreading FUD. Dave is not causing panic or a sense of "oh shit". He is
> merely point out the obvious...you have to either have privileges to perform
> mount or physical access to the machine. If all these are is DoS and you have
> physical access, why not just yank the power cord?

AFAIK Fedora Core and many other 'distributions' out there let
unprivileged users mount filesystems, you don't need to be root to do
it. Actually, you've worked around SELinux. We were sitting right next
to each other during a developer meeting, right? Well, you can let
policy decide in a fine-grained manner who is capable of mounting
filesystems.

> Until an exploit is written, these are just DoS crashes.

Steve, that doesn't make sense. Like arguing that an over-heating
problem is just a cooling problem until something burns out. Check
what Ilja wrote in a comment to Dave's blog.

Anyway, don't take me wrong, but I'm not here to educate yourself on
security matters.


> Because that is the responsible thing to do. If a bug is not assessed that
> could be a security issue, it should be private until a determination has
> been made one way or another. This also brings up the point that you are
> posting bugs I found to the MoKB as if you found them and not giving me
> credit. This also goes for the squash double free (which the kernel catches)
> and the ext3 softlock up - both of which were in bugzilla a while back. There
> are also bugs filed for hfs and gfs2 - which simply crash the system.

Right, HFS has null ptr dereference problems and a memory leak issue,
probaly more issues (...). GFS2 is as well broken.

On the crediting part... hmm, mind if I ask you who approached you
with filesystem issues back in March?  The assumption that I didn't
know about the other issues before even commenting to you about them
is totally flawed as well.

BTW, how's that in every mention from Red Hat (as in employees,
including yourself) about fsfuzzer, it appears as you're the only one,
first and original, developer of fsfuzzer? Not that I care, but I find
it amusing. I get all sorts of apologies over private e-mail but the
public side is there to check.

And I would like to know about your comment on that bugzilla entry
begging for the bug to be fixed 'before the month of kernel bugs
starts (nov. 1)'. The timing is what strikes me.

> reason these bugs need to be fixed. If you have root to do mounting, there
> are so many ways to crash your own machine.

*Mounts a USB stick in FC5 as nobody*
*Inserts CD, mounted*

What about network-based filesystems? Too may hints already...

> The need to make file systems
> more robust is the reason that I worked on fsfuzzer with you.

What about the Python bytecode bug? Probably not a big deal, but it's
still unpatched. For over a year, I remember I sent it to you and some
other people there.

> If you have physical access to a machine, you can put your favorite distro in
> the CD-Rom tray and install anything you want on the system. So, no I do not
> believe this falls into security fixes because there are easier ways to
> compromise a box if you are root or have physical access.

You're arguing the same over and over. Worst of all, you know that
you're talking BS on this, as Fedora Core (no RHEL handy to test here)
let's non-privileged users mount filesystems. Automount magic. Anyway,
I'll repeat myself: I'm not here to educate yourself on security
matters.

> PS the above is not FUD since I'm not spreading fear.

No, you're just spreading uncertainty and doubt.

Cheers.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: poc.pyc
Type: application/octet-stream
Size: 87 bytes
Desc: not available
Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20061112/811be542/attachment-0001.obj 

From sgrubb at redhat.com  Sun Nov 12 20:12:51 2006
From: sgrubb at redhat.com (Steve Grubb)
Date: Sun, 12 Nov 2006 15:12:51 -0500
Subject: [Dailydave] Kernel 'developer' makes fuzzy FUD (RH Episodes:
	Volume 1)
In-Reply-To: <da7ca31e0611121014n652bbb70ke868c2c368c5aad6@mail.gmail.com>
References: <da7ca31e0611111346j2c652f09j6cce66bba82dbbde@mail.gmail.com>
	<200611121030.35137.sgrubb@redhat.com>
	<da7ca31e0611121014n652bbb70ke868c2c368c5aad6@mail.gmail.com>
Message-ID: <200611121512.51465.sgrubb@redhat.com>

On Sunday 12 November 2006 13:14, L.M.H wrote:
> On the crediting part... hmm, mind if I ask you who approached you
> with filesystem issues back in March? 

OK, let's clear the air on this. You did. The whole story is in the README 
file of http://people.redhat.com/sgrubb/files/fsfuzzer-0.6.tar.gz.

> BTW, how's that in every mention from Red Hat (as in employees,
> including yourself) about fsfuzzer, it appears as you're the only one,
> first and original, developer of fsfuzzer?

Simple mistake and that's all. In the reply to Gadi, I mentioned that I 
updated the program and tested against a current kernel and found real 
problems. I wrote the code so that other people could troubleshoot/fix the 
problem and gave it to them. When they posted the patch to lkml, They were 
excited about this new tool and assumed I wrote the whole thing.

I had figured that we would have done a proper study of file system problems, 
fix them, & release a paper. The accidental disclosure of the program without 
a proper release kinda messed it all up. In pure lines of code currently 
being distributed, I wrote most of it. In terms of the uniqueness of the 
idea, the basic technique it uses, and taking it to other OSes, its all your 
work. Bravo...seriously.

> And I would like to know about your comment on that bugzilla entry
> begging for the bug to be fixed 'before the month of kernel bugs
> starts (nov. 1)'.

Real simple. We had a verified fix and it needed to get out to all Linux 
distributions. The responsible thing to do is to fix the problem, get the 
patch to people, and then talk about it. I felt like you wanted to skip to 
the part where its discussed without people having a fix as payback for 
accident disclosure of the program.

-Steve

From tvillalobos at wowway.com  Mon Nov 13 09:47:40 2006
From: tvillalobos at wowway.com (Tito Villalobos)
Date: Mon, 13 Nov 2006 04:47:40 -0500
Subject: [Dailydave] "The organization I belong to doesn't have initals"
 (that evil dude in Heroes)
In-Reply-To: <b581b3220611120752w29e7b32at7343d2f25c6cc94b@mail.gmail.com>
References: <b581b3220611120752w29e7b32at7343d2f25c6cc94b@mail.gmail.com>
Message-ID: <45583F3C.8000606@wowway.com>

Dave Aitel wrote:
> The solution, of course, is to focus only on the high end risk, rather
> than assuming you have to climb up the risk chain from the bottom.
> IMHO, of course. I don't work for the USG and haven't for a long time.
> But if you're focusing on patch and configuration compliance and your
> most likely opponents don't care then you gotta assume something's
> broken. Invest the majority of your cash in vulnerability research and
> hacking and leave the compliance management for later. Sometimes the
> best defense is a good offense, and with hacking that's nearly always
> true.
Dave, I can't agree with this at all.  Not handling the low end (patch
management to fix known bugs) is essential.  Otherwise, all of that 0day
research isn't even necessary to crack the boxes.  If an organization
followed this advice (even one with enough resources to spare on "pure
research" style 0day research) but didn't have solid patch management,
it would be wide open to any "leet haxor" who could one finger
"metasploit.com".

"The best defense is a good offense" doesn't apply here.  One side is
completely on the offensive, and one is completely on the defensive. 
Large organizations can't "attack back", at least under the current laws
(AFAIK, INAL), and even if they could, crashing some zombie out there is
hardly going to be good protection.  The "most likely opponents" aren't
focused on patch management, because they don't have to be on the
defense at all.

Even if a typical organization finds something through vuln research,
how do they protect against it?  Either they create a patch themselves
or notify the vendor, who creates a patch.  Both still require patch
management to ensure the fix is applied throughout the org.  The only
other alternative is to try to create some IDS/IPS sigs based on it, and
those have been quite thoroughly trashed on an earlier thread.

I'm not saying that patch management is enough.  It's just one of the
basic defenses.  However, without the basic defenses, anything more
advanced is like reinforcing the windows while leaving the doors unlocked.

-Tito

From lists at isecom.org  Mon Nov 13 14:52:55 2006
From: lists at isecom.org (Pete Herzog)
Date: Mon, 13 Nov 2006 15:52:55 +0100
Subject: [Dailydave] "The organization I belong to doesn't have initals"
 (that evil dude in Heroes)
In-Reply-To: <45583F3C.8000606@wowway.com>
References: <b581b3220611120752w29e7b32at7343d2f25c6cc94b@mail.gmail.com>
	<45583F3C.8000606@wowway.com>
Message-ID: <455886C7.4020302@isecom.org>

> Dave, I can't agree with this at all.  Not handling the low end (patch
> management to fix known bugs) is essential.  

Patch management is a fancy word for "add-on support for a problem product"
which is the electronic version of a recall.  Basic defenses are removal
from or elimination of a threat (separation).  Next step up could be
controlling the classes of threats through things like authentication,
confidentiality, etc.  Management processes, like patch management, is
still another step up where after you've already defined your defenses, you
still have some services which you could neither remove nor control from a
class of threats. Those exposed services you need to make sure are running
the best they can.  Here, patch management is the least (read lazy) you can
do. It means you do it because you can wash your hands of it and say, hey,
I patched.  But it's not essential unless it's only covering your ass
that's essential.  If you need security and not just compliance, then those
exposed services better be inspected and tested by the Vuln Research team
to find the stuff the developer didn't.  Because after all, it's your stuff
out there and just waiting for them to find bugs and patch them is really
not gonna do it for those who need it.

-pete.

From lmh at info-pull.com  Mon Nov 13 15:30:07 2006
From: lmh at info-pull.com (L.M.H)
Date: Mon, 13 Nov 2006 16:30:07 +0100
Subject: [Dailydave] Kernel 'developer' makes fuzzy FUD (RH Episodes:
	Volume 1)
In-Reply-To: <200611121251.48993.sgrubb@redhat.com>
References: <Pine.LNX.4.21.0611121013480.8042-100000@linuxbox.org>
	<200611121251.48993.sgrubb@redhat.com>
Message-ID: <da7ca31e0611130730j15f576d7ra8cedaf4e7a4c90f@mail.gmail.com>

> I'm just wanting to see how you take advantage of this without root privileges
> or physical access to the machine.

Using Fedora Core, RHEL, and friends. That's how you take advantage :-)
Ah, and Open Solaris development branch already does auto mounting, AFAIK.

> I worked with LMH on fsfuzzer from March 5-8. The program was a great idea and
> started off as a 50 line shell script. My goal at the time was to get it to
> the point that it could create its own image

Usability work.

> so that it could be tested to
> see if there were any problems in the kernel.

Already did before you had a single copy. Usability work didn't do
anything to that part, except some automation. Period.

> LMH had been playing with it

(...)

> before we met and had found an ISO9660 problem (and maybe some others).

Only ISO9660? You miss JFS, etc. on purpose? or accidentally? Anyway.

> Anyways, during those 3 days the program was able to create its own
> filesystem images and became much more useful. At the time, only ext2/3,

Define useful, please. It already did the job since the start.
You made it monkey-compatible. Like putting a photo of a banana in a
big button that turns on the propulsion of a rocket, without rocket
science being involved.

> iso9660, and the msdos file systems worked. I tested those and found nothing
> interesting. (This was also back in 2.6.14 kernel days.)

Well, interesting? from the perspective of a QA lead? While this is
not being a personal attack at all, I would like to know what
arguments you had by that time, to decide when an issue was
'interesting' or not. Lemme say, that when we met, you barely had an
idea on the concept of fuzzing applied to kernel testing and other
software. Being a QA lead, that's certainly a good question begging to
be answered. And please don't argue that you knew it by the name of
'fault injection' or some other fancy marketing buzz-wording. Unless
you're just a manager, that is. (No offense to managers out there,
I've already met quite a few ones who rock, hint at some German
mates).

> This fall, I was curious how things were looking in the new 2.6.18 kernel and
> learned how to setup some more file systems and wanted to see if populating
> the image better and adding extended attribute operations would show new
> bugs. So, I added those to fsfuzzer. Sure enough there were new bugs I hadn't
> seen before. So, the next issue is how to give a corrupted image for someone
> to study and fix the problem. I added the code to let you replay the tests
> and got some more kernel developers involved since the kernel was not robust
> in the face of corrupt images.

OK, step-by-step. More usability work (which I appreciated). On the
new bugs, thanks for clarifying. BTW, the replay code is still broken
on real kernel panics, you need to transmit the image over network to
a machine unless you want sync to mess up the streams.

> > or did you find them on your own and kept them private to redhat only?
>
> I found these bugs and filed bugzilla #'s 209907, 211237, 211668 before the
> month of kernel bugs was ever announced. I did mention to LMH that I was
> releasing a new version of fsfuzzer that did find and reproduce all these
> bugs and a few more that are not public.

Finally, you're getting to the hot spot. Nice. OK, please clarify why
you mentioned *LITERALLY* the 'month of kernel bugs (nov. 1)' in that
bug report. Maybe because of that conversation we had where you denied
interest and effort to track the issues found? Maybe because you were
playing a double-side game? Maybe because you didn't have any facts to
support your argument ('"I found these bugs")? Gotta love plausible
deniability, right?

You knew about the MoKB, because I had the decency to tell you in
advance. My fault. I should have probably developed a plot to abduct
and feed you to crocodiles instead. That way I wouldn't have to waste
my time replying to BS.

> Sigh, these are bugs *I found* and we are getting people to fix these
> robustness issues. As for my response, how would you feel given the above?

Demonstrate you found them. And please don't try to play with the
credibility hype (heard enough already). I've given enough evidence to
support what I say.

I won't bother replying anymore, as it seems rather useless. If you
have any technical matters to discuss, I'll be more than happy to
check. Just keep out of trying to cheat at me next time. It's not wise
to give BS in turn of help from someone that doesn't need anything
from you (aka uninterested help).

Have a nice day.

From smanzuik at juniper.net  Mon Nov 13 17:15:57 2006
From: smanzuik at juniper.net (Steve Manzuik)
Date: Mon, 13 Nov 2006 12:15:57 -0500
Subject: [Dailydave] "The organization I belong to doesn't have initals"
	(that evil dude in Heroes)
In-Reply-To: <45583F3C.8000606@wowway.com>
Message-ID: <A6398B0DB62A474C82F61554EE93728701A6BD9B@proton.jnpr.net>

I agree with both of you guys to a point.

When I was a consultant my shtick was that a "pen-test" is a complete
waste of time if you don't have your other ducks in line.  This was
based on the un-scientific research conducted by myself that basically
concluded that 99/100 pen-tests are almost always successful.  So, I
could tell the client, without even looking at their network that there
was a 99% chance that they could be compromised by either a pen-test
team or malicious individual.  So why spend your already small budget on
something that has results that can be assumed.

Don't get me wrong, there is a huge value in pen-tests especially when
you have someone with real skills (not someone who simply tells you
about your ICMP timestamps as Dave said) doing a pen-test for you but
why not have this sort of work done after you have done the compliance
and patch management dance.  Only then will it bring out the real value
which, as Dave said, is popping zero days in your infrastructure instead
of simply telling you that you need to patch more.  The other caveat
here of course is that there is no use in popping zero day on someone if
you are unable to help them actually remediate the risk and protect from
it.  

Just my $.02 (Canadian so more like $.0175782)

-Steve

PS: Don't even get me started on my rant on the "ICMP timestamp" guys.
Dave and the rest of you in the pen-test game should be eating those
guy's lunch among other things.  Especially in this day and age.

From pmelson at gmail.com  Mon Nov 13 18:45:52 2006
From: pmelson at gmail.com (Paul Melson)
Date: Mon, 13 Nov 2006 13:45:52 -0500
Subject: [Dailydave] "The organization I belong to doesn't have
	initals"(that evil dude in Heroes)
In-Reply-To: <b581b3220611120752w29e7b32at7343d2f25c6cc94b@mail.gmail.com>
Message-ID: <004c01c70753$f27ee170$3400300a@ad.priorityhealth.com>

>  The solution, of course, is to focus only on the high end risk, rather
than assuming you have to climb 
> up the risk chain from the bottom. IMHO, of course. I don't work for the
USG and haven't for a long 
> time. But if you're focusing on patch and configuration compliance and
your most likely opponents don't 
> care then you gotta assume something's broken. Invest the majority of your
cash in vulnerability 
> research and hacking and leave the compliance management for later.
Sometimes the best defense is a good 
> offense, and with hacking that's nearly always true. 

Dave, I think you're mistaking "high end" risk for high risk.  It's a silly
suggestion that companies shouldn't acquire patch management capabilities,
but instead focus on finding vulnerabilities in the products they rely on so
they can... what?  Know just how screwed they are?

Historically speaking, the "killer" bugs of the late 90s and early 2K's were
patched by vendors before the worms hit.  This may never happen again since
Microsoft has made patch management easier for their customers, but the only
reason it wouldn't happen again is because Microsoft made patch management
easier for their customers.

I hope you're not actually telling clients (especially ones that spend US
tax dollars) that they should walk away from WSUS to spend time fuzzing
every COTS app they've got looking for 0days.

PaulM


From pmelson at gmail.com  Mon Nov 13 21:57:43 2006
From: pmelson at gmail.com (Paul Melson)
Date: Mon, 13 Nov 2006 16:57:43 -0500
Subject: [Dailydave] "The organization I belong to doesn't have
	initals"(that evil dude in Heroes)
In-Reply-To: <A6398B0DB62A474C82F61554EE93728701A6BD9B@proton.jnpr.net>
Message-ID: <000301c7076e$c0fd6f20$0202fea9@ad.priorityhealth.com>

-----Original Message-----
Subject: Re: [Dailydave] "The organization I belong to doesn't have
initals"(that evil dude in Heroes)

> When I was a consultant my shtick was that a "pen-test" is a complete
waste of time if you don't have 
> your other ducks in line.  This was based on the un-scientific research
conducted by myself that 
> basically concluded that 99/100 pen-tests are almost always successful.
So, I could tell the client, 
> without even looking at their network that there was a 99% chance that
they could be compromised by 
> either a pen-test team or malicious individual.  So why spend your already
small budget on something 
> that has results that can be assumed.

That's a misleading way to frame the conversation, don't you think?  A
pen-test isn't supposed to answer the yes/no question, "Can you be hacked?"
It's supposed to ask the open-ended questions, "How can you be hacked?" and
"How can you fix it?"   


> Don't get me wrong, there is a huge value in pen-tests especially when you
have someone with real skills 
> (not someone who simply tells you about your ICMP timestamps as Dave said)
doing a pen-test for you but 
> why not have this sort of work done after you have done the compliance and
patch management dance.  Only 
> then will it bring out the real value which, as Dave said, is popping zero
days in your infrastructure 
> instead of simply telling you that you need to patch more.  The other
caveat here of course is that 
> there is no use in popping zero day on someone if you are unable to help
them actually remediate the 
> risk and protect from it.  

Yes!  Why spend energy finding new bugs when you're in no position to fix
the ones you already know about?  It's very much putting the cart before the
horse.


> PS: Don't even get me started on my rant on the "ICMP timestamp" guys.
> Dave and the rest of you in the pen-test game should be eating those guy's
lunch among other things.  
> Especially in this day and age.

Except that companies do 3rd-party pen-tests for reasons other than
security, like compliance.  Also, differentiating between the work done by
Immunity and, say, Qualys* is a customer education issue.  Oh, and don't
forget the almighty dollar - because that's an easy way to tell Immunity and
Qualys apart that doesn't hurt Qualys' business one bit.

PaulM

* Totally not picking on Qualys, but I figure I'm less likely to offend
their software than if I named a firm that sells consulting engagements. :)



From smanzuik at juniper.net  Mon Nov 13 22:25:56 2006
From: smanzuik at juniper.net (Steve Manzuik)
Date: Mon, 13 Nov 2006 17:25:56 -0500
Subject: [Dailydave] "The organization I belong to doesn't have
	initals"(that evil dude in Heroes)
In-Reply-To: <000301c7076e$c0fd6f20$0202fea9@ad.priorityhealth.com>
Message-ID: <A6398B0DB62A474C82F61554EE93728701A6BED4@proton.jnpr.net>

> That's a misleading way to frame the conversation, don't you 
> think?  A pen-test isn't supposed to answer the yes/no 
> question, "Can you be hacked?"
> It's supposed to ask the open-ended questions, "How can you 
> be hacked?" and
> "How can you fix it?"   

Absolutely, but that was my entire point.  If you don't have the
infrastructure in place the answer to "how can I be hacked?" is a rather
long one that makes the "how can I fix it?" answer quite long as well.
Long answers to anything when executives are involved are counter
productive.

Also, when you have a network that is so poorly built/secured it is easy
for even a good pen-test team to get distracted with some of the low
hanging fruit issues and miss some of the more important but "harder"
ones.

> Yes!  Why spend energy finding new bugs when you're in no 
> position to fix the ones you already know about?  It's very 
> much putting the cart before the horse.

Yup, and that is what I was trying to get at with my original, but badly
made point. ;-)
 
> Except that companies do 3rd-party pen-tests for reasons 
> other than security, like compliance.  Also, differentiating 
> between the work done by Immunity and, say, Qualys* is a 
> customer education issue.  Oh, and don't forget the almighty 
> dollar - because that's an easy way to tell Immunity and 
> Qualys apart that doesn't hurt Qualys' business one bit.

But that isn't a pen-test.  That is a vulnerability assessment.  These
are two very different things.

Vulnerability Assessment = Using a tool to scan for known
vulnerabilities and weakness.

Pen-test = Using tools and skill to pop holes in boxes using known and
unknown vulnerabilities and weakness.

Don't take that the wrong way, I am in no way beating up on Vuln
Assessments.  They have their worth as well but they are geared more
towards the compliance issues than a real pen-test is.  In fact if you
are doing a pen-test to get past a compliance issue you are probably
opening a can of worms that you really don't want to.

From dave at immunityinc.com  Mon Nov 13 23:09:07 2006
From: dave at immunityinc.com (Dave Aitel)
Date: Mon, 13 Nov 2006 18:09:07 -0500
Subject: [Dailydave] Java
Message-ID: <4558FB13.2090307@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here I am, spending all day writing code in a language that is
statically typed. It's like eating all your food with a good helping
of sand. How does one convert a byte[] buf; into a String so you can
send it down the wire using a DataOutputStream class? Oooh, let's
chain a bunch of converters together. Blimey!

It's cool that Sun GPL'd Java though. Probably one of the smartest
things they've ever done. There's really only a few real software
licenses. If you use anything other than a mainstream license, you
condemn your code to languish unused. There's L/GPL, BSD, and OTHER.
That's basically it. If someone has to send your license to a lawyer
they won't bother even downloading it.

Which reminds me, the Navy wrote the world's best wardriving tool with
a Java GUI that's so beautiful it has to be seen to believed. I was
like "That can't be Java". So I know it's possible to be productive in
Java, I just don't see how.

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFFWPsQB8JNm+PA+iURAjwaAJ0WAI9+RJuR6oo1TqH3NOgo9R6DtACgpD1x
/G4JjMnIPTRWm+NhbLJR06M=
=8cPb
-----END PGP SIGNATURE-----


From cseagle at redshift.com  Tue Nov 14 00:29:47 2006
From: cseagle at redshift.com (Chris Eagle)
Date: Mon, 13 Nov 2006 16:29:47 -0800
Subject: [Dailydave] Java
In-Reply-To: <4558FB13.2090307@immunityinc.com>
References: <4558FB13.2090307@immunityinc.com>
Message-ID: <45590DFB.3090600@redshift.com>

Dave Aitel wrote:
> Here I am, spending all day writing code in a language that is
> statically typed. It's like eating all your food with a good helping
> of sand. How does one convert a byte[] buf; into a String so you can
> send it down the wire using a DataOutputStream class? Oooh, let's
> chain a bunch of converters together. Blimey!
> 

What is your goal on the remote side?  Does it need to unmarshall as a
Java String? Or are you just trying to get the bytes on the wire?

former: dos.writeUTF(new String(buf));
later:  dos.write(buf);

How many/what type of converters do you feel compelled to use?

Chris

From olef.anderson at gmail.com  Tue Nov 14 00:45:48 2006
From: olef.anderson at gmail.com (Olef Anderson)
Date: Mon, 13 Nov 2006 16:45:48 -0800
Subject: [Dailydave] "The organization I belong to doesn't have
	initals"(that evil dude in Heroes)
In-Reply-To: <000301c7076e$c0fd6f20$0202fea9@ad.priorityhealth.com>
References: <A6398B0DB62A474C82F61554EE93728701A6BD9B@proton.jnpr.net>
	<000301c7076e$c0fd6f20$0202fea9@ad.priorityhealth.com>
Message-ID: <9b4f936f0611131645l58594648jf3f061b6feb3f05@mail.gmail.com>

On 11/13/06, Paul Melson <pmelson at gmail.com> wrote:
>
> -----Original Message-----
> Subject: Re: [Dailydave] "The organization I belong to doesn't have
> initals"(that evil dude in Heroes)
>
> That's a misleading way to frame the conversation, don't you think?  A
> pen-test isn't supposed to answer the yes/no question, "Can you be
> hacked?"
> It's supposed to ask the open-ended questions, "How can you be hacked?"
> and
> "How can you fix it?"


The answer to "How can you fix it?" relies on partially what Dave is saying.
You basically need a 2 tiered game plan. One; have a separate network for
Internet, email, browsing and such similar junk (segmentation). Two; build
and manage a skilled in house penetration/research team or have a permanent
consultancy gig with a company like Immunity (continuous assessment). All
the other options are futile and a total waste of money. Other options you
ask ? First there was the IDS which nobody serious enough does offer as a
security solution anymore, wisely enough. Than there was the HIPS; eeye,
determina, entercept etc. which was also proven to be just another security
hoax in every sense to it. And finally something more meaningful arose from
the industry; Virtualization. VMs per nodes (internet, corporate etc.) yet
another segmentation idea which in my personal belief will eventually be
broken as well in the next 2 to 3 years time frame and would be the next
most joyful hacking/REing gig for any serious researcher. So back to the
real hardware segmentation business along side with a dedicated team of
researchers for auditing everything on the public segment is the only viable
and real solution.

A lot you might feel like i piss in your cup of tea or something. Please
leave the corporate puppeteering behind and think twice. If you are in the
IDS business you expired well over 10 year by now, if you are in the IPS
business well lets say you made sense in the early 2000s but not anymore.
Virtualization, yeah quite a fresh start but wonder how long will it survive
till the first batch of attacks reveal themselves (not necessarily publicly
though)  ...

If you did not like what I just said and work or own a security company
making one of mentioned type of product, I urge you to put your product to
the test! Any decent prize money would do but remember real 0day that a
hacker would be OK to reveal, given the right terms, does not go with the
ZDI/idefense standards, they are much precious than that and requires a much
bigger pay. my prediction is any NIDS can be broken for a prize money of
$30K (if asic, fpga based solution multiply by 2), any HIPS $200K - $250K,
Virtualization $300K - $350K should do. I am looking forward to hear some
hard cash challenges rather than the usual rants from corporate emails ...

cheers,
olef
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20061113/8fb59905/attachment.htm 

From nruff at security-labs.org  Tue Nov 14 08:18:14 2006
From: nruff at security-labs.org (Nicolas RUFF)
Date: Tue, 14 Nov 2006 09:18:14 +0100
Subject: [Dailydave] "The organization I belong to doesn't have
 initals"(that evil dude in Heroes)
In-Reply-To: <000301c7076e$c0fd6f20$0202fea9@ad.priorityhealth.com>
References: <000301c7076e$c0fd6f20$0202fea9@ad.priorityhealth.com>
Message-ID: <45597BC6.7030203@security-labs.org>

>> When I was a consultant my shtick was that a "pen-test" is a complete
>> waste of time if you don't have 
>> your other ducks in line.  This was based on the un-scientific research
>> conducted by myself that 
>> basically concluded that 99/100 pen-tests are almost always successful.
[...]
> That's a misleading way to frame the conversation, don't you think?  A
> pen-test isn't supposed to answer the yes/no question, "Can you be hacked?"
> It's supposed to ask the open-ended questions, "How can you be hacked?" and
> "How can you fix it?"   

In my experience, "99/100 internal pen-tests are successful during the
first 10 minutes, without using any 0day attack".

(I don't even own a CANVAS licence :)

This means:
- Domain admin account created with a trivial password, for someone who
never logged in.
- "Password.xls" file found on a public share.
- Variations: the share is hidden ('$' sign), the Excel file is
password-protected.
- Local admin password is the same on every workstation - once you get
yours, you can connect to any admin workstation.
- Service accounts can be used to log in anywhere, and passwords are
stored on every workstation (=> LSADUMP).
- VNC/PCAnywhere/... using the same password on all mission-critical
legacy NT4 servers.
- Blank "SA" password, especially in case of 3rd party applications that
silently installed a MSDE database.
- ...

How can you fix it ? Certainly not by fuzzing and flaw-finding :)

Regards,
- Nicolas RUFF

From dmaynor at gmail.com  Tue Nov 14 12:55:03 2006
From: dmaynor at gmail.com (David Maynor)
Date: Tue, 14 Nov 2006 07:55:03 -0500
Subject: [Dailydave] "The organization I belong to doesn't have
	initals"(that evil dude in Heroes)
In-Reply-To: <45597BC6.7030203@security-labs.org>
References: <000301c7076e$c0fd6f20$0202fea9@ad.priorityhealth.com>
	<45597BC6.7030203@security-labs.org>
Message-ID: <34cf86a10611140455o34a24e4bs6969d77ab517e4ef@mail.gmail.com>

Using 0day in pentests I still very valid, IMHO. The goal of designing
a secure environment is that it could survive and repel an assault
from a determined attacker. Since the debate about whether 0day is
used in real world attacks seems to finally be over thanks to thing
like IE and office bugs, a person has to take the 0day angle into
account while designing an infrastructure. Of course people that leave
password lists on open shares will care about this less than people
who have been through a pentest process and implemented the
suggestions.

On 11/14/06, Nicolas RUFF <nruff at security-labs.org> wrote:
> >> When I was a consultant my shtick was that a "pen-test" is a complete
> >> waste of time if you don't have
> >> your other ducks in line.  This was based on the un-scientific research
> >> conducted by myself that
> >> basically concluded that 99/100 pen-tests are almost always successful.
> [...]
> > That's a misleading way to frame the conversation, don't you think?  A
> > pen-test isn't supposed to answer the yes/no question, "Can you be hacked?"
> > It's supposed to ask the open-ended questions, "How can you be hacked?" and
> > "How can you fix it?"
>
> In my experience, "99/100 internal pen-tests are successful during the
> first 10 minutes, without using any 0day attack".
>
> (I don't even own a CANVAS licence :)
>
> This means:
> - Domain admin account created with a trivial password, for someone who
> never logged in.
> - "Password.xls" file found on a public share.
> - Variations: the share is hidden ('$' sign), the Excel file is
> password-protected.
> - Local admin password is the same on every workstation - once you get
> yours, you can connect to any admin workstation.
> - Service accounts can be used to log in anywhere, and passwords are
> stored on every workstation (=> LSADUMP).
> - VNC/PCAnywhere/... using the same password on all mission-critical
> legacy NT4 servers.
> - Blank "SA" password, especially in case of 3rd party applications that
> silently installed a MSDE database.
> - ...
>
> How can you fix it ? Certainly not by fuzzing and flaw-finding :)
>
> Regards,
> - Nicolas RUFF
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

From dave at immunityinc.com  Tue Nov 14 13:18:37 2006
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 14 Nov 2006 08:18:37 -0500
Subject: [Dailydave] Java
In-Reply-To: <45590DFB.3090600@redshift.com>
References: <4558FB13.2090307@immunityinc.com> <45590DFB.3090600@redshift.com>
Message-ID: <4559C22D.9090000@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris Eagle wrote:
> Dave Aitel wrote:
>> Here I am, spending all day writing code in a language that is
>> statically typed. It's like eating all your food with a good
>> helping of sand. How does one convert a byte[] buf; into a String
>> so you can send it down the wire using a DataOutputStream class?
>> Oooh, let's chain a bunch of converters together. Blimey!
>>
>
> What is your goal on the remote side?  Does it need to unmarshall
> as a Java String? Or are you just trying to get the bytes on the
> wire?
>
> former: dos.writeUTF(new String(buf)); later:  dos.write(buf);
>
> How many/what type of converters do you feel compelled to use?
>
> Chris

Essentially, for all the web languages, I need a simple platform
independent callback backdoor. We have a reasonably good one for PHP,
which is great for PHP injection attacks, but we don't have one for
Java. It's an annoying problem, because you have to write your source
code to be Java 1.0-5.0 compliant, and, of course, size has to be
minimal. gcj is helping though, since it's nicely installed by default
these days.

Of course, the backdoor has to play nicely with the CANVAS framework,
which means I can't do things like "writeUTF" and "readUTF" - not only
would that be slow since the network ends have to while
(data[:-2]!="\x00\x00"): recv(1); but the client side is Python.

Then again, in Python, with a Unicode string, does len() return the
number of characters or the byte size? (answer: characters, just like
Java) Unicode is a huge problem for us these days. If you hack a
Japanese Windows box, we want to be able to display all the kanji for
you.But this requires extensive fun with fonts.

- -dave


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFFWcIqB8JNm+PA+iURAoUCAJ9TCc8k6t8tVGXkMROygEbvLyCTywCcCCjT
1eKzcL83kM/OLuwFyDXYudQ=
=DW4e
-----END PGP SIGNATURE-----


From daniel at ugc-labs.co.uk  Tue Nov 14 14:10:24 2006
From: daniel at ugc-labs.co.uk (Daniel)
Date: Tue, 14 Nov 2006 21:10:24 +0700
Subject: [Dailydave] "The organization I belong to doesn't have
	initals"(that evil dude in Heroes)
In-Reply-To: <34cf86a10611140455o34a24e4bs6969d77ab517e4ef@mail.gmail.com>
References: <000301c7076e$c0fd6f20$0202fea9@ad.priorityhealth.com>
	<45597BC6.7030203@security-labs.org>
	<34cf86a10611140455o34a24e4bs6969d77ab517e4ef@mail.gmail.com>
Message-ID: <F55CB5B6-83EA-4C2E-BEA3-02A0198D1D44@ugc-labs.co.uk>

David,

Say your on a test for a large financial bank and you use a 0hday to  
take down their core IIS web farm. How do you explain to the CSO how  
to remedy the problem. Do you explain the risk value you have  
assigned for a vulnerability which has no solution/patch?.

A prime example of this would be a 0hday in IIS6.0

David: your IIS 6.0 is vulnerable to a unpublished, unknown  
vulnerability
CSO: So what do we do David??
David: secure your network
CSO: How?
David: ????
CSO: Microsoft has no patch for this, they cannot help. I've paid you  
to do an assessment, what is the risk of the vulnerability versus the  
loss of business if I have to shut down our front-end trading system

See what I mean?


On 14 Nov 2006, at 19:55, David Maynor wrote:

> Using 0day in pentests I still very valid, IMHO. The goal of designing
> a secure environment is that it could survive and repel an assault
> from a determined attacker. Since the debate about whether 0day is
> used in real world attacks seems to finally be over thanks to thing
> like IE and office bugs, a person has to take the 0day angle into
> account while designing an infrastructure. Of course people that leave
> password lists on open shares will care about this less than people
> who have been through a pentest process and implemented the
> suggestions.
>
> On 11/14/06, Nicolas RUFF <nruff at security-labs.org> wrote:
>>>> When I was a consultant my shtick was that a "pen-test" is a  
>>>> complete
>>>> waste of time if you don't have
>>>> your other ducks in line.  This was based on the un-scientific  
>>>> research
>>>> conducted by myself that
>>>> basically concluded that 99/100 pen-tests are almost always  
>>>> successful.
>> [...]
>>> That's a misleading way to frame the conversation, don't you  
>>> think?  A
>>> pen-test isn't supposed to answer the yes/no question, "Can you  
>>> be hacked?"
>>> It's supposed to ask the open-ended questions, "How can you be  
>>> hacked?" and
>>> "How can you fix it?"
>>
>> In my experience, "99/100 internal pen-tests are successful during  
>> the
>> first 10 minutes, without using any 0day attack".
>>
>> (I don't even own a CANVAS licence :)
>>
>> This means:
>> - Domain admin account created with a trivial password, for  
>> someone who
>> never logged in.
>> - "Password.xls" file found on a public share.
>> - Variations: the share is hidden ('$' sign), the Excel file is
>> password-protected.
>> - Local admin password is the same on every workstation - once you  
>> get
>> yours, you can connect to any admin workstation.
>> - Service accounts can be used to log in anywhere, and passwords are
>> stored on every workstation (=> LSADUMP).
>> - VNC/PCAnywhere/... using the same password on all mission-critical
>> legacy NT4 servers.
>> - Blank "SA" password, especially in case of 3rd party  
>> applications that
>> silently installed a MSDE database.
>> - ...
>>
>> How can you fix it ? Certainly not by fuzzing and flaw-finding :)
>>
>> Regards,
>> - Nicolas RUFF
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave at lists.immunitysec.com
>> http://lists.immunitysec.com/mailman/listinfo/dailydave
>>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave


From windo at p6drad-teel.net  Tue Nov 14 16:33:00 2006
From: windo at p6drad-teel.net (=?ISO-8859-1?Q?Siim_P=F5der?=)
Date: Tue, 14 Nov 2006 18:33:00 +0200
Subject: [Dailydave] "The organization I belong to doesn't
 have	initals"(that evil dude in Heroes)
In-Reply-To: <F55CB5B6-83EA-4C2E-BEA3-02A0198D1D44@ugc-labs.co.uk>
References: <000301c7076e$c0fd6f20$0202fea9@ad.priorityhealth.com>	<45597BC6.7030203@security-labs.org>	<34cf86a10611140455o34a24e4bs6969d77ab517e4ef@mail.gmail.com>
	<F55CB5B6-83EA-4C2E-BEA3-02A0198D1D44@ugc-labs.co.uk>
Message-ID: <4559EFBC.6040804@p6drad-teel.net>

Yo!

Daniel wrote:
> David: your IIS 6.0 is vulnerable to a unpublished, unknown  
> vulnerability
> CSO: So what do we do David??
> David: secure your network
> CSO: How?
> David: ????
> CSO: Microsoft has no patch for this, they cannot help. I've paid you  
> to do an assessment, what is the risk of the vulnerability versus the  
> loss of business if I have to shut down our front-end trading system

That's the whole point of this discussion - imho - and it seems to me
you're not getting it (or it might be that I'm not getting it).

There is stuff you can (and should) do beyond patching known holes. You
never know wether there are unknown vulnerabilities in some part of your
system - so you could run your httpd in chroot, stripping it's
privileges to the minimum and monitoring what it does. Then you could
isolate it on the network and firewall connections to and from it.

There's propably bunch of other stuff any web server administrator would
do if he needed to reduce the risks of being exploited.


In the end the damage of the 0day is minimized - it might be full pwnage
of the whole network on one location, but a stripped down local shell
that gets the attacker blacklisted if abused on another location (and
that's the answer you should give to the CSO).

How far to go with it should be a business decision - if anyone could
effectively calculate the likelyhood of all that shit actually hitting
any fans and the amount of shit sprayed around by it (if that was the
question you were raising, then accept this "oops" from me).

Siim P?der

From bania.piotr at gmail.com  Tue Nov 14 20:09:48 2006
From: bania.piotr at gmail.com (Piotr Bania)
Date: Tue, 14 Nov 2006 21:09:48 +0100
Subject: [Dailydave] Some Propaganda.
Message-ID: <455A228C.7010708@gmail.com>


CODENAME 4514N - PRE-ANNOUNCE PROPAGANDA
----------------------------------------

Just some info for those who are interrested. I'm currently working on 
my masterpiece project (school project), a first gui oriented and the 
most advanced integrating-metamorphic engine so far. Integration engine 
allows user to integrate any code to any PE binary file (x86 rocessors), 
including device drivers etc. etc. 4514N engine can rebuild all the PE 
structure, internal offsets (jumps,refferences), any type of PE sections 
relocs,imports,exports,resources...), moreover it even can keep the 
align of variables. Integration means that firstly target file is 
disassembled to pieces (it creates a chain which connects the body of 
target file), then we move that chain, we do everything we want (i call 
this step InverseKinematics, just because i'm an 3d graphics hobbyst)
and then we compile the chain again. Such horrible modified application 
runs perfectly, moreover it is almost impossible to disinfect the 
modified target.  So tell me, do you want to compile a rootkit inside of 
yours ndis.sys? :)

I'm attaching a link to flash demo, where i'm integrating NOPS to 
freecell game application.


I don't want to speak much about the metamorphic engine since it is not 
100% ready yet. But the main thing you should know it is mostly based on 
the emulation process (and as far as i know it is the first metamorphic 
engine which does so), and many of the muation states are based on the 
Automaton Theory (which inspired me a lot). Lets consider the rest of 
the features as an future surprise :)


So far project includes:
+ own x86 disassembler
+ own x86 assembler
+ own x86 emulator
+ convertor from IDA disassembly to internal 4514N databases.
+ some cool gui, written by hand :)



Release time: Unknown ?? - Were you good? Will the Santa visit you this 
year? :)


Some links:
* Integration demo: 	http://piotrbania.com/all/4514N/demo.swf

* Some screenshots: 	http://www.piotrbania.com/all/4514N/a1.jpg	
			http://www.piotrbania.com/all/4514N/a2.jpg
			http://www.piotrbania.com/all/4514N/a3.jpg



Any comments, advices?


cheers,
Piotr Bania


-- 
--------------------------------------------------------------------
Piotr Bania - <bania.piotr at gmail.com> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A  BFA4 1FF6 689F BE43 AC33
http://www.piotrbania.com  - Key ID: 0xBE43AC33
--------------------------------------------------------------------

               - "The more I learn about men, the more I love dogs."

From arunkoshy at gmail.com  Wed Nov 15 01:29:32 2006
From: arunkoshy at gmail.com (Arun Koshy)
Date: Wed, 15 Nov 2006 12:29:32 +1100
Subject: [Dailydave] Some Propaganda.
In-Reply-To: <455A228C.7010708@gmail.com>
References: <455A228C.7010708@gmail.com>
Message-ID: <1d0ba3070611141729g43b43fe6k66cd68eff6fde54b@mail.gmail.com>

note : for the list : part joke / part reality

Quantum meta-engine detector algorithm ( we assume we have an insanely
fast distributed / super / quantum computer ) :

- take apart engine ( if source is available and if not, be good for
Christmas and wait for Piotr Claus to ride his sleigh )

- identify f(x) used to create application class set ( for e.g.
notepad.exe can only exist for a particular processor type in N states
)

- SHA-256 suitable N states for good notepad.exe

- restoration can be any N states

For vile code ( so if someone is trying to create a nice replacement
for ndis.sys ) :

- identify deviant behavior using apppropriate distance function from
the database you built via the above technique

interesting caveat : it is possible to achieve the class set
independent of the meta engine itself.

From dave at immunityinc.com  Wed Nov 15 03:50:55 2006
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 14 Nov 2006 22:50:55 -0500
Subject: [Dailydave] The moon is not just a big rock
Message-ID: <455A8E9F.5030504@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I spent today using an unknown bug to own a webserver with the aid of
a custom Java trojan ("Look ma, my trojan is provably correct!"). The
server had DEP on, so I installed Hydrogen, then added a user and
term-served in to turn DEP off for testvuln1.exe so I could load
MOSDEF and portscan the app tier.

I was going to come back to the hotel and finish the Workstation
overflow of the month. But it looks like Kostya has that handled already.

On a completely unrelated note, with all my media whoring I'm still
not the top media whore of the family. Just goes to show, kumara soup
beats 0day, hand's down:

http://www.economist.com/business/displaystory.cfm?story_id=E1_RTQNRNJ
"""


  Marketing New Zealand

Nov 9th 2006
- From /The Economist/ print edition

*AT THE Lodge at Paratiho Farms in Nelson, lambs and chickens frolic
outside while the head chef, Angela Bone, prepares for the morning
cooking class. Today's spring menu: Portobello mushroom and Kumara
soup, salmon cakes with asparagus and lemon compote. Ms Bone has never
been busier.?*

"""

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFFWo6cB8JNm+PA+iURAgT4AJ4qf3icflrjc9yjBdg4sY2oN6KMEwCeLWry
li457EITjN8JB84VVg+nVd4=
=fp0+
-----END PGP SIGNATURE-----


From joanna at invisiblethings.org  Wed Nov 15 07:53:49 2006
From: joanna at invisiblethings.org (Joanna Rutkowska)
Date: Wed, 15 Nov 2006 08:53:49 +0100
Subject: [Dailydave] Some Propaganda.
In-Reply-To: <455A228C.7010708@gmail.com>
References: <455A228C.7010708@gmail.com>
Message-ID: <455AC78D.50806@invisiblethings.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Piotr Bania wrote:
> CODENAME 4514N - PRE-ANNOUNCE PROPAGANDA
> ----------------------------------------
> 
> Just some info for those who are interrested. I'm currently working on 
> my masterpiece project (school project), a first gui oriented and the 
> most advanced integrating-metamorphic engine so far. Integration engine 
> allows user to integrate any code to any PE binary file (x86 rocessors), 
> including device drivers etc. etc. 4514N engine can rebuild all the PE 
> structure, internal offsets (jumps,refferences), any type of PE sections 
> relocs,imports,exports,resources...), moreover it even can keep the 
> align of variables. Integration means that firstly target file is 
> disassembled to pieces (it creates a chain which connects the body of 
> target file), then we move that chain, we do everything we want (i call 
> this step InverseKinematics, just because i'm an 3d graphics hobbyst)
> and then we compile the chain again. Such horrible modified application 
> runs perfectly, moreover it is almost impossible to disinfect the 
> modified target.  So tell me, do you want to compile a rootkit inside of 
> yours ndis.sys? :)
> 

That would actually be trivially detectable if you decided to infect any
of the Windows system files (like e.g. quoted above NDIS.SYS), as all
those files (starting from Windows 2000) are digitally signed...

Still, the project looks cool - I could imagine using such an engine to
e.g. infect any of the non-signed PF files on disk, just to allow our
rootkit to be loaded into memory at system startup - but once loaded
rootkit should not change *any* code sections (Type I rootkits ale
really passe IMHO)...

Existence of such tools, as Piotr is working on, should really convince
and encourage *all* developers to digitally sign their executables.

cheers,
joanna.
-----BEGIN PGP SIGNATURE-----

iD8DBQFFWseMORdkotfEW84RAvg7AJ4mARCFjcDNfhYVy2B5SMi/lgZ+fwCcC2m+
0GtRUkGLSCZ2/km4Vhx8VqU=
=F3mR
-----END PGP SIGNATURE-----

From kbcboy at gmail.com  Wed Nov 15 03:54:26 2006
From: kbcboy at gmail.com (joe haldon)
Date: Tue, 14 Nov 2006 22:54:26 -0500
Subject: [Dailydave] Navy's wardriving tool (was JAVA ...)
Message-ID: <c439be510611141954q532436cckdc88268d41e543ee@mail.gmail.com>

> Which reminds me, the Navy wrote the world's best wardriving tool with
> a Java GUI that's so beautiful it has to be seen to believed. I was
Why is it "the world's best wardriving tool"
Honestly just curious.  What are the features in FS that others lack?
Any negatives?

From halvar at gmx.de  Wed Nov 15 13:03:09 2006
From: halvar at gmx.de (Halvar Flake)
Date: Wed, 15 Nov 2006 14:03:09 +0100
Subject: [Dailydave] Some Propaganda.
References: <455A228C.7010708@gmail.com> <455AC78D.50806@invisiblethings.org>
Message-ID: <013c01c708b6$673fc110$5e02a8c0@D1NQ6Z1J>

Silly question: How different do the morphed executables
look from compiler-generated ones statistically ?

Cheers,
Halvar
----- Original Message ----- 
From: "Joanna Rutkowska" <joanna at invisiblethings.org>
To: "Piotr Bania" <bania.piotr at gmail.com>
Cc: <dailydave at lists.immunitysec.com>
Sent: Wednesday, November 15, 2006 8:53 AM
Subject: Re: [Dailydave] Some Propaganda.


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Piotr Bania wrote:
>> CODENAME 4514N - PRE-ANNOUNCE PROPAGANDA
>> ----------------------------------------
>>
>> Just some info for those who are interrested. I'm currently working on
>> my masterpiece project (school project), a first gui oriented and the
>> most advanced integrating-metamorphic engine so far. Integration engine
>> allows user to integrate any code to any PE binary file (x86 rocessors),
>> including device drivers etc. etc. 4514N engine can rebuild all the PE
>> structure, internal offsets (jumps,refferences), any type of PE sections
>> relocs,imports,exports,resources...), moreover it even can keep the
>> align of variables. Integration means that firstly target file is
>> disassembled to pieces (it creates a chain which connects the body of
>> target file), then we move that chain, we do everything we want (i call
>> this step InverseKinematics, just because i'm an 3d graphics hobbyst)
>> and then we compile the chain again. Such horrible modified application
>> runs perfectly, moreover it is almost impossible to disinfect the
>> modified target.  So tell me, do you want to compile a rootkit inside of
>> yours ndis.sys? :)
>>
>
> That would actually be trivially detectable if you decided to infect any
> of the Windows system files (like e.g. quoted above NDIS.SYS), as all
> those files (starting from Windows 2000) are digitally signed...
>
> Still, the project looks cool - I could imagine using such an engine to
> e.g. infect any of the non-signed PF files on disk, just to allow our
> rootkit to be loaded into memory at system startup - but once loaded
> rootkit should not change *any* code sections (Type I rootkits ale
> really passe IMHO)...
>
> Existence of such tools, as Piotr is working on, should really convince
> and encourage *all* developers to digitally sign their executables.
>
> cheers,
> joanna.
> -----BEGIN PGP SIGNATURE-----
>
> iD8DBQFFWseMORdkotfEW84RAvg7AJ4mARCFjcDNfhYVy2B5SMi/lgZ+fwCcC2m+
> 0GtRUkGLSCZ2/km4Vhx8VqU=
> =F3mR
> -----END PGP SIGNATURE-----
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
> 


From bania.piotr at gmail.com  Wed Nov 15 15:25:31 2006
From: bania.piotr at gmail.com (Piotr Bania)
Date: Wed, 15 Nov 2006 16:25:31 +0100
Subject: [Dailydave] Some Propaganda.
Message-ID: <455B316B.2070102@gmail.com>


 >Silly question: How different do the morphed executables
 >look from compiler-generated ones statistically ?

If you mean, the set of instructions used in the morphed file - the 
answer is: user can define what set of instructions are allowed to be 
included, for example if you can see this window:

http://www.piotrbania.com/all/4514N/a1.jpg

User can specify to use only these set of instructions (which are used 
in the orginal file). Different mutation-probability values and other 
sweet options are also configurable.


best regards,
pb

-- 
--------------------------------------------------------------------
Piotr Bania - <bania.piotr at gmail.com> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A  BFA4 1FF6 689F BE43 AC33
http://www.piotrbania.com  - Key ID: 0xBE43AC33
--------------------------------------------------------------------

               - "The more I learn about men, the more I love dogs."

From bania.piotr at gmail.com  Wed Nov 15 16:53:20 2006
From: bania.piotr at gmail.com (Piotr Bania)
Date: Wed, 15 Nov 2006 17:53:20 +0100
Subject: [Dailydave] Some Propaganda.
Message-ID: <455B4600.6040303@gmail.com>


 >All in all, it looks pretty impressive :-)

It requested a lot of time, it should look so :)

 >A few things I am wondering about: If one regards instruction n-grams, 
 >e.g. sequences of n instructions, do they still statistically match 
 >what a regular compiler would generate ?

The metamorphic engine is not 100% finished yet , so i will try to 
answer  this question when the release time will come (i hope i will not 
forget though, if so pls just remind me).

 >Secondly, if one was capable of "measuring" the effectivity of the
 >optimizer, would one not see a difference at the point were code is 
 >inserted ?

If we speak about the integration engine, well first of all if you dont 
have the prototype file - i doubt you can find the injection (without 
spending some cool time with your ida and debugger). Secondly, the user 
decides where the injection should be done (for example he can use one 
of the HotRegions listed in the window i showed you before, HotRegions 
shows the locations that are most probable to get executed, but from the 
other hand he can use his imagination and use some other place). Also, 
currently the integration engine is 100% ready so it is a fact, that it 
is able to make some cool things to keep the injection undetected. For 
example if user produces a malware code which relies on the orginal 
program API functions, the engine can write the correct offsets and 
update his code, moreover it can also add his "instructions" to the 
reloc sections - so the thing works even if the code is relocated ie. 
drivers. All depends on the plugins, you can do everything, you have 
your PE file in pieces you just move the chains and it walks.

But when the user is dumb (i belive such guys will not get my software) 
and he makes the injection at the entrypoint - its stupid, but what can 
i say even for experienced reverse-engineer it is very hard to find the 
injected code (of course if the injected code is nicely written) inside 
a big applicaton. Who can expect that attacker is going to rebuild all 
the orginal file? Yes, times with adding trojans to the last sections 
ended for good, at least in 4514N.


Btw. Here's the link for the EEYE's BINDIFFER report, runned against the 
original freecell application and the modified freecell application (2 
nops injected after every instruction).

BDS Level 1/BDS Level 2:
http://piotrbania.com/all/4514N/diff_report.tx