From dave at erratasec.com Mon Jan 1 14:06:57 2007
From: dave at erratasec.com (David Maynor)
Date: Mon, 1 Jan 2007 14:06:57 -0500
Subject: [Dailydave] Month of apple bugs

http://applefun.blogspot.com/2007/01/moab-01-01-2007-apple-quicktime-rtsp.html

Starts with a bang! I wonder how many security vendors will have coverage for this today. I'll go ahead and wager a guess that it's not many...

--
David Maynor
CTO, Errata Security
http://erratasec.blogspot.com

From dave at immunityinc.com Mon Jan 1 14:16:03 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 02 Jan 2007 08:16:03 +1300
Subject: [Dailydave] 1.5 hrs
Message-ID: <45995DF3.8010103@immunityinc.com>

So apparently I'm wrong and par for the MS06-074 SNMP reversing challenge is 1.5 days. If you did it in less than that then you are really cool and super smart! If you did it in more than that then it's time to buy BinNavi and/or smoke less pot. For the extra point of writing the exploit we'll give you another 5 days. Let me know if you're ahead of that!

Another question: Do the signatures published by the defensive vendors (the ones without Partner's access, obviously) actually work on the CANVAS exploit? This would require a large pile of cash to answer. I'm about to hop onto a 17 hour plane trip with a screaming baby so you won't get it from me.
:>

-dave

From dave at immunityinc.com Mon Jan 1 20:37:32 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 02 Jan 2007 14:37:32 +1300
Subject: [Dailydave] Fun games that do not involve rm -rf
Message-ID: <4599B75C.9080402@immunityinc.com>

http://taossa.com/index.php/2006/12/19/fun-with-impersonation/

This is a fun game, although I'm sure I got it wrong. I just like to share my humiliation. :>

-dave

From dtangent at defcon.org Tue Jan 2 18:36:21 2007
From: dtangent at defcon.org (The Dark Tangent)
Date: Tue, 02 Jan 2007 15:36:21 -0800
Subject: [Dailydave] Black Hat New Years Updates (Free Stuff, too!)
Message-ID: <200701022338.l02NcRgc013927@colossus.datamerica.com>

Hello Daily Dave readers,

Here are some announcements from Black Hat to keep you busy in the new year!

- The Call for Papers and conference registration is now open for the Black Hat DC Training and Briefings.
- The Call for Papers and conference registration for Black Hat Europe is open.
- Registration for the summer Black Hat USA conference is now open!
- Presentations from Black Hat Japan are now on-line.
- Presentations including audio and video from Black Hat USA are now on-line.

UPCOMING CONFERENCES:

Black Hat DC 2007 Briefings & Training will be February 26 to March 1, held at the Sheraton Crystal City hotel in Arlington, Virginia. Register early to take advantage of our early bird rate and save when you register for the Briefings before January 1st. Papers and requests to speak will be received and reviewed from October 1, 2006 until January 5, 2007.
We strongly suggest that you submit earlier rather than later, since we will close the CFP early if we receive enough quality submissions to fill the slots. Please submit using the new on-line system at: https://cfp.blackhat.com/

If you want to submit to the Call for Papers please note Black Hat does not accept product or vendor related pitches, or voodoo. If your talk is a veiled advertisement for a new product or service your company is offering, please do not submit. If your talk relies on voodoo techniques or tools you are not willing to share, then you should rethink the benefit the audience will get from sitting through your presentation.

Black Hat is launching its new electronic CFP submissions server with this announcement. You will be able to upload your submissions, make changes, select your co-presenters, etc. This system will allow you to submit multiple presentations as well as change your info should you need to. This new submission and review process will enable the future possibility of peer review and on-line information exchange. For now we are looking forward to seeing your submissions and would like to hear any feedback you have on this new submission process.

Topic Focus for Black Hat DC 2007: We would like presenters to think about offensive and defensive computer security operations and the application of your expertise and research. Think about its application in an operational process that can be defensive or offensive, large enterprise or distributed organized criminal group, military or civilian. This is not a requirement to submit, but we want some differentiation for the DC conference. Thinking in terms of operational applicability will steer content in a direction we hope the DC audience will appreciate.

Dates to Remember for Black Hat DC:
Call for Papers closes: January 5, 2007. <-- Extended to the 5th.
Early Bird registration rate ends December 31.
Regular registration rate ends February 18th.
More information regarding speaker requirements and our guidelines for this year's submissions is available at http://www.blackhat.com/

Black Hat Europe 2007 Briefings & Training will be March 27 to March 30, held at the Hotel Movenpick in Amsterdam.

Dates to Remember for Black Hat Europe:
Call for Papers will open November 1, 2006 and close February 1st, 2007.
Registration will open November 1, 2006 and the Early Bird rate ends January 12, 2007.
On-line registration closes March 18, 2007.

Black Hat USA 2007 Briefings & Training will be July 28 to August 2, held at Caesars Palace in Las Vegas, Nevada, USA.
On-line Registration for Briefings now open.
Training registration will open February 15.
Call for Papers will open February 15.
Hotel Reservations now open.

Black Hat Japan 2007 Briefings & Training will be October 23-26, Tokyo, Japan.
On-line Registration will open July 1.
Call for Papers will open May 1.

FREE STUFF:

Black Hat Japan 2006 Presentations are now available on-line!
http://www.blackhat.com/html/bh-media-archives/bh-archives-2006.html#AS_2006

Presentation topics available include: Anti-Forensic Root kits, The Art and Science of Writing Secure Code, Hacking Intranet web sites from the Outside, Breaking AJAX Web Applications, Subverting Vista Kernel and more! Audio of the sessions will be encoded and added on-line in the next month as well.
http://www.blackhat.com/html/bh-japan-06/bh-jp-06-en-speakers.html

We also have the presentation material from the USA 2006 show on-line, and we anticipate we will have audio and video of the presentations available for download within the next month.
To view the entire media archives: http://www.blackhat.com/html/bh-multimedia-archives-index.html

Black Hat USA Briefings audio and video are now available to download in an iPod friendly format:
http://www.blackhat.com/podcast/bh-usa-06-audio.rss
http://www.blackhat.com/podcast/bh-usa-06-video.rss

The General Black Hat RSS feed: http://www.blackhat.com/BlackHatRSS.xml

Thank you,
Jeff Moss

From joanna at invisiblethings.org Thu Jan 4 19:33:00 2007
From: joanna at invisiblethings.org (Joanna Rutkowska)
Date: Fri, 05 Jan 2007 01:33:00 +0100
Subject: [Dailydave] GPG-compatible smart cards?
Message-ID: <459D9CBC.3070203@invisiblethings.org>

Hello,

does anybody know any GnuPG-compatible smart cards, which would implement 2048 RSA?

I know only about the following two (which I guess are actually the same one card):

http://www.g10code.com/p-card.html
http://fsfe.org/en/about

but they only support 1024 RSA :(

Happy New Year, BTW.
joanna.

From alaricd at pengdows.com Thu Jan 4 23:57:31 2007
From: alaricd at pengdows.com (Alaric Dailey)
Date: Thu, 04 Jan 2007 22:57:31 -0600
Subject: [Dailydave] GPG-compatible smart cards?
In-Reply-To: <459D9CBC.3070203@invisiblethings.org>
References: <459D9CBC.3070203@invisiblethings.org>
Message-ID: <459DDABB.9010109@pengdows.com>

AND those cards can't be used with Windows (no CSP) nor PGP or any other PKCS #11 tool as there is no PKCS #11 driver. Werner Koch, over at GPG, doesn't believe it's worth his time to support PKCS#11 but there is a movement by someone else (Alon Bar-Lev), the sourceforge project is here (http://sourceforge.net/projects/gnupg-pkcs11) and it SHOULD enable you to use ANY PKCS#11 compliant smartcard with GPG.
Joanna Rutkowska wrote:
> does anybody know any GnuPG-compatible smart cards, which would
> implement 2048 RSA?
>
> http://www.g10code.com/p-card.html
> http://fsfe.org/en/about
>
> but they only support 1024 RSA :(

--
*Pengdows, Inc.*
Everyone deserves privacy.
Alaric Dailey - President
* StartCom 'Web of Trust' Member
* Thawte 'Web of Trust' Notary
* Notary Public and NNA member
* CAcert 'Web of Trust' Assurer
National Notary Association Member
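Added example, not code from any poster in this thread: the question above is whether a card holds 2048-bit RSA, and the only way to be sure what a key actually is, rather than trusting a product page, is to read the modulus size out of the binary OpenPGP public-key packet that `gpg --export KEYID` writes. The parser below handles RFC 4880 v4 RSA key packets with old-format headers (the form GnuPG emits for key packets); the moduli it builds for demonstration are constructed placeholders, not real keys.

```python
"""Read the RSA modulus size out of a binary OpenPGP v4 public-key packet.

Added example (not from the thread). It parses the packet format of RFC 4880
instead of trusting a label: only old-format packet headers and RSA keys are
handled, anything else raises ValueError rather than guessing.
"""
import struct

PUBKEY_TAG = 6       # primary public key
PUBSUBKEY_TAG = 14   # public subkey
ALGO_RSA = (1, 2, 3)  # RSA encrypt-or-sign, RSA encrypt-only, RSA sign-only


def _read_mpi(buf: bytes, pos: int):
    """Parse one multi-precision integer: 2-byte bit count, then ceil(bits/8) bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated MPI header")
    bits = struct.unpack(">H", buf[pos:pos + 2])[0]
    end = pos + 2 + (bits + 7) // 8
    if end > len(buf):
        raise ValueError("truncated MPI body")
    value = int.from_bytes(buf[pos + 2:end], "big")
    # The declared bit count must match the value; a lie here is a malformed packet.
    if value.bit_length() != bits:
        raise ValueError("MPI bit count %d does not match value" % bits)
    return value, bits, end


def rsa_key_bits(packet: bytes) -> int:
    """Return the modulus size in bits of the RSA public (sub)key packet at the start of `packet`.

    Trailing bytes (further packets of a `gpg --export` stream) are ignored, so the
    whole export can be passed in: its first packet is the primary key.
    """
    if not packet or not packet[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if packet[0] & 0x40:
        raise ValueError("new-format packet headers are not handled here")
    tag = (packet[0] >> 2) & 0x0F
    length_type = packet[0] & 0x03
    if tag not in (PUBKEY_TAG, PUBSUBKEY_TAG):
        raise ValueError("packet tag %d is not a public (sub)key" % tag)
    if length_type == 3:
        raise ValueError("indeterminate-length packet")
    length_len = (1, 2, 4)[length_type]
    body_len = int.from_bytes(packet[1:1 + length_len], "big")
    body = packet[1 + length_len:1 + length_len + body_len]
    if len(body) != body_len:
        raise ValueError("packet body truncated")
    if body[0] != 4:
        raise ValueError("only v4 keys are handled")
    algo = body[5]                      # version(1) + creation time(4) precede it
    if algo not in ALGO_RSA:
        raise ValueError("public-key algorithm %d is not RSA" % algo)
    _n, n_bits, pos = _read_mpi(body, 6)
    _e, _e_bits, pos = _read_mpi(body, pos)
    if pos != len(body):
        raise ValueError("trailing bytes after RSA MPIs")
    return n_bits


def meets_minimum(packet: bytes, minimum_bits: int = 2048) -> bool:
    """True if the key is RSA with a modulus of at least `minimum_bits`."""
    return rsa_key_bits(packet) >= minimum_bits


def build_rsa_pubkey_packet(n: int, e: int, created: int = 0) -> bytes:
    """Build a v4 RSA public-key packet from constructed sample values (demonstration only)."""
    def mpi(v: int) -> bytes:
        return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)
    # Old-format header byte 1 0 tttt ll: tag 6, ll = 1 means a two-byte length (0x99).
    header = bytes([0x80 | (PUBKEY_TAG << 2) | 1]) + struct.pack(">H", len(body))
    return header + body


if __name__ == "__main__":
    # Constructed sample moduli with the top bit set; not real RSA keys.
    for bits in (1024, 2048):
        pkt = build_rsa_pubkey_packet((1 << (bits - 1)) | 1, 65537)
        print("%d-bit RSA, meets 2048 minimum: %s" % (rsa_key_bits(pkt), meets_minimum(pkt)))
```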
From gunnar at arctecgroup.net Fri Jan 5 10:55:49 2007
From: gunnar at arctecgroup.net (Gunnar Peterson)
Date: Fri, 05 Jan 2007 09:55:49 -0600
Subject: [Dailydave] GPG-compatible smart cards?
In-Reply-To: <459D9CBC.3070203@invisiblethings.org>

Hi Joanna,

I believe Gemalto supports 2048 RSA on its .Net cards:
http://www.gemalto.com/pages/index.php?idLng=2&idCat=1187000070

Also, not exactly what you were asking but pretty cool all the same:
http://www.dotnetcard.com/blogs/ksachdeva/PermaLink,guid,bf3ad3ca-c83e-4701-800c-8afe2d9825d6.aspx
http://www.dotnetcard.com/blogs/ksachdeva/PermaLink,guid,06209ed1-ebeb-48da-ab9f-ca0833c4942a.aspx

-gp

On 1/4/07 6:33 PM, "Joanna Rutkowska" wrote:
> does anybody know any GnuPG-compatible smart cards, which would
> implement 2048 RSA?
>
> but they only support 1024 RSA :(

From dfc at anize.org Fri Jan 5 13:14:53 2007
From: dfc at anize.org (Douglas F. Calvert)
Date: Fri, 05 Jan 2007 13:14:53 -0500
Subject: [Dailydave] GPG-compatible smart cards?
In-Reply-To: <459D9CBC.3070203@invisiblethings.org>
References: <459D9CBC.3070203@invisiblethings.org>
Message-ID: <459E959D.8050301@anize.org>

Joanna Rutkowska wrote:
> does anybody know any GnuPG-compatible smart cards, which would
> implement 2048 RSA?
>
> but they only support 1024 RSA :(

I would check with Werner Koch about that. The smartcard howto at gnupg.org says:

"2048 bit RSA is possible but at the moment far too expensive. The specification allows for 2048 Bit RSA cards. Feel free to build one."[1]

It was last updated in June 2006 so things might have changed but I doubt it...

[1] http://www.gnupg.org/howtos/card-howto/en/smartcard-howto-single.html#id2505071

--
Douglas F. Calvert -/- dfc at anize.org
0xC9541FB2 / 0817 30D4 82B6 BB8D 5E66 06F6 B796 073D C954 1FB2
Do not email => badidea at anize.org <= It would be a bad idea(tm).

From dave at immunityinc.com Fri Jan 5 18:42:37 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Fri, 05 Jan 2007 18:42:37 -0500
Subject: [Dailydave] Useless fact of the day!
Message-ID: <459EE26D.6090902@immunityinc.com>

An HTML attachment was scrubbed...
URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20070105/91ae8435/attachment.htm

From rhyskidd at gmail.com Sat Jan 6 08:39:50 2007
From: rhyskidd at gmail.com (Rhys Kidd)
Date: Sat, 6 Jan 2007 21:39:50 +0800
Subject: [Dailydave] Useless fact of the day!
In-Reply-To: <459EE26D.6090902@immunityinc.com>
References: <459EE26D.6090902@immunityinc.com>
Message-ID: <68dd869f0701060539j3cfe3b39refe9e72f18a2c6ab@mail.gmail.com>

RPC memory exhaustion bugs are all the rage atm it would seem, hopefully this will provide the traction for MSRC to give it priority....
It's also interesting that ISC believe for servers that the current UPnP and SPOOLSS bugs are 'Important', whereas the more recent NetrWkstaUserEnum() bug is only 'Less Urgent'.

They are pretty much the same, due to unvalidated client input, and in fact the NetrWkstaUserEnum() opnum (through the wkssvc named pipe) is usually bindable over an anonymous NULL session.

- Rhys

From dave.aitel at gmail.com Sat Jan 6 12:48:38 2007
From: dave.aitel at gmail.com (Dave Aitel)
Date: Sat, 6 Jan 2007 12:48:38 -0500
Subject: [Dailydave] Useless fact of the day!
In-Reply-To: <68dd869f0701060539j3cfe3b39refe9e72f18a2c6ab@mail.gmail.com>
References: <459EE26D.6090902@immunityinc.com> <68dd869f0701060539j3cfe3b39refe9e72f18a2c6ab@mail.gmail.com>

I think it's hard to find an MSRPC interface that doesn't have a memory exhaustion bug. Maybe I'll make ImmDBG automatically point them out next week. I guess theoretically we can have ImmDBG shuttle that information off to VisualSploit to automatically write a CANVAS exploit too. Or even better, a SILICA module for it such that you walk into a room and everyone's Windows machines stop working. Good for when you want all the bandwidth at a security convention. :> We don't have the NetrWkstaUserEnum DoS in CANVAS right now - we do use the function though to remotely get logged on users against XP SP2.

It's not an easy bug for Microsoft to fix, but the hilarious thing is that they didn't even bother. I wonder if Vista is vulnerable too - I'm betting yes. :>

The other thing I want to try some day is using the LSA Open Handle stuff remotely to just open an infinite number of handles. Everyone's so picky in MSDN about always closing the handles to avoid handle leaks, but I'm betting Win32 will be ok even if you don't. And if it's not, hey, no more handles for anyone, anonymously and remotely, which is also fun. :> Maybe someone's already done this and can save us all the trouble?

I dunno.
These are all half-day projects, and there are always more interesting bugs to play with in your half-day allotment. Yesterday I spent the half-day of technical work I get a week inside a debugger looking at a strncpy() stack overflow. They still exist! It's like finding a cod off the Massachusetts coast.

-dave

P.S. Why are all of these different CVE numbers? Is CVE about the vulnerability, or the endpoint you can touch it through? There's some sort of rainbow going from a particular class of vulnerabilities through a particular vulnerability through an exploit through a single instance of someone exploiting a machine with an exploit and I sense everyone's naming schemes are just like someone pointing to a color frequency and calling it blue.

From measl at mfn.org Sat Jan 6 14:34:03 2007
From: measl at mfn.org (J.A. Terranson)
Date: Sat, 6 Jan 2007 13:34:03 -0600 (CST)
Subject: [Dailydave] Useless fact of the day!
References: <459EE26D.6090902@immunityinc.com> <68dd869f0701060539j3cfe3b39refe9e72f18a2c6ab@mail.gmail.com>
Message-ID: <20070106133103.C5625@ubzr.zsa.bet>

On Sat, 6 Jan 2007, Dave Aitel wrote:

> The other thing I want to try some day is using the LSA Open Handle stuff
> remotely to just open an infinite number of handles. Everyone's so picky in
> MSDN about always closing the handles to avoid handle leaks, but I'm betting
> Win32 will be ok even if you don't. And if it's not, hey, no more handles
> for anyone, anonymously and remotely, which is also fun. :> Maybe someone's
> already done this and can save us all the trouble?

Just this very week against a W2003 Server, by accident. How timely a postulation...

Complete and utter cessation of any new activity, even desktop and attempts to bring up Task Manager. Everything which already had an open and working handle was fine and continued to operate almost normally (just a slight degradation in throughput). Our assumption was this was our fault due to the box being older and not up to patch, but who knows?

--
Yours,
J.A. Terranson
sysadmin at mfn.org
0xBD4A95BF

"In the age-old contest between popularity and principle, only those willing to lose for their convictions are deserving of posterity's approval."
Gerald Ford

From pusscat at gmail.com Sat Jan 6 21:04:01 2007
From: pusscat at gmail.com (Pusscat)
Date: Sat, 06 Jan 2007 21:04:01 -0500
Subject: [Dailydave] Useless fact of the day!

We've had a patch for UNMIDL that marked them in the output since the very first one was patched - it might actually be attached to our paper ;)

On 1/6/07 12:48 PM, "Dave Aitel" wrote:

> I think it's hard to find an MSRPC interface that doesn't have a memory
> exhaustion bug. Maybe I'll make ImmDBG automatically point them out next week.
> I guess theoretically we can have ImmDBG shuttle that information off to
> VisualSploit to automatically write a CANVAS exploit too.
~ Puss

From lmh at info-pull.com Sat Jan 6 23:44:47 2007
From: lmh at info-pull.com (LMH)
Date: Sun, 7 Jan 2007 05:44:47 +0100
Subject: [Dailydave] Following the specification, too strictly?

Hi,

After working around the PDF format specification for some time, finding some interesting stuff around the way it declares objects and handles embedded binary streams, this issue came up quickly:

http://projects.info-pull.com/moab/MOAB-06-01-2007.html

I'm curious regarding previous research around PDF and PostScript (if possible, not involving Javascript :o) ). The nice fellows of the Information Assurance group at NSA in charge of SELinux development, and Red Hat, seemed to have an interest in printing labeling, etc. PS/PDF turn out to be really complex and error-prone... I wouldn't be surprised if someone can dig up a decent amount of issues in parsers and related applications.

I've been poking around some tools for the framework I was working on (thankfully using Metasploit's Rex library, although the module loading engine is much simpler as there's no need for the whole module inheritance/mixins/dependencies stuff).
Probably will release some code after the month ends, hoping someone will do something else far more useful with it than breaking OS X :>

Cheers.

From fosforo at gmail.com Mon Jan 8 00:51:48 2007
From: fosforo at gmail.com (Fósforo)
Date: Mon, 8 Jan 2007 03:51:48 -0200
Subject: [Dailydave] Tiny covert channel server needing fake nameserver hoster
Message-ID: <6e285e810701072151n5f4907a0wd453c7151a64d013@mail.gmail.com>

Hi all,

I am going to set up a tiny covert channel server, but I am missing a free DNS forwarding service like "dnstunnel.de" (seems they are not creating accounts anymore); do you know about others available, that accept a dyndns/no-ip account as nameserver?

Thnx
Fósforo

From coley at mitre.org Mon Jan 8 18:14:55 2007
From: coley at mitre.org (Steven M. Christey)
Date: Mon, 8 Jan 2007 18:14:55 -0500 (EST)
Subject: [Dailydave] Useless fact of the day!
Message-ID: <200701082314.l08NEtG4013363@faron.mitre.org>

> P.S. Why are all of these different CVE numbers? Is CVE about the
> vulnerability, or the endpoint you can touch it through?

By virtue of being a common identifier, CVE has a unique problem. Multiple organizations have their own pool of CVE identifiers to use, not just MITRE. These are called Candidate Numbering Authorities. CNAs are useful for a number of reasons, including efficiency and limiting distribution of sensitive information pre-disclosure. However, the cost is that if there's not enough coordination across these organizations, duplicate CVEs can be produced. 0-days and other highly publicized non-coordinated disclosures are making this more difficult, and collectively I don't think we've caught up yet. This might be the case with CVE-2006-3644 and CVE-2006-6296.

Even if that's not what happened here... Roughly speaking, the CVE rules are:

1) SPLIT (create different identifiers) bug1 and bug2 if the set of affected versions is different (different patch levels can also count)

2) SPLIT based on bug type.
3) SPLIT if the exact same attack/bug appears, but the codebases are entirely different (e.g. if FTP server 1 and server 2 both have buffer overflows with a long USER argument).

These rules have evolved over the years, but basically - they are usually pretty consistent across the space of *all* disclosures. More specific documentation is at:

http://cve.mitre.org/cve/cd_rationale_application.html

Now, to the real world:

1) People count vulnerabilities differently. Usually this varies based on perspective, although most perspectives have their own apparent inconsistencies. CVE has been semi-academic in terms of trying to manage vulns in terms of the root cause; in this fashion, things like stack vs. heap-based overflows frequently have the same root cause, so are not distinguished in CVE land.

2) When there's no close coordination (and sometimes, even if there is), all you might have is the associated attack vector. As we all know, the same core issue can have multiple attack vectors. Multiple researchers piling bug disclosures on top of each other can make it difficult to sift through things, both for CVE and for the general public. The SPLIT approach will sometimes introduce duplicates, but other times, it will provide the sorely necessary distinction between a fixed bug and an unfixed one.

3) Just like Dave only has some time to dedicate to pure research, we only have so much time to dedicate to researching a specific issue; this is the case for everyone in the vulnerability database world. So, without sufficient proof that vectors 1 and 2 are really touching the same issue, we tend to split. This becomes magnified when there are distinct disclosures from different researchers.

4) Determining different "bug types" is not scientific. In overflow land, a few years ago, all we had were classic unbounded strcpy-style buffer overflows.
With things like signedness errors, integer overflows, array index errors, etc., the notion of "different bug types" is changing, at least with respect to my own understanding. Also - due to lack of coordination and/or vendor details, for example - if all you have is an attack vector, you can only guess at the bug types.

> There's some sort of rainbow going from a particular class of
> vulnerabilities through a particular vulnerability through an exploit
> through a single instance of someone exploiting a machine with an
> exploit and I sense everyone's naming schemes are just like someone
> pointing to a color frequency and calling it blue.

I'm not 100% sure what you mean here, but this does highlight how you can wind up with different numbers. We don't usually document entire vuln classes as their own CVE; we'll do it on a per-implementation basis (for CVE-like identifiers of generic vuln classes e.g. "buffer overflow" and "XSS", see CWE. Yep, it's new.) Otherwise, every single web server would be listed under the same "long-URL overflow" bug, and that's not particularly useful, especially in these patch-and-pray times.

Most major databases have their own split/merge rules; for example, Secunia's approach of combining multiple issues in the same product is more generally useful for most sysadmins - not admins of the caliber that might read DailyDave. Contrast this with OSVDB's "per-executable" splits, which might go one step too far if, say, the real issue happens to be in some library used by multiple executables. How religiously these split/merge rules are followed, and how they are handled in light of incomplete information (and their own analytical resources and skill base), will vary. See my Bugtraq/FD post on vulnerability statistics for more detailed information on these kinds of differences.

Regarding the color frequency analogy - I think this is definitely happening. We use the same terminology in different parts of the vulnerability concept.
For example, "buffer overflow" could mean "providing long input" on the attack side (think of the beginning researchers who mis-diagnose null derefs this way); on the vulnerability side, it could be "product does not handle when long input is provided" (and the root causes could vary widely depending on what the code is doing); on the "consequence/impact" side, you have "data is written outside buffer boundaries."

- Steve

From fosforo at gmail.com Mon Jan 8 22:19:30 2007
From: fosforo at gmail.com (Fósforo)
Date: Tue, 9 Jan 2007 01:19:30 -0200
Subject: [Dailydave] Tiny covert channel server needing fake nameserver hoster
In-Reply-To: <447e5bc70701080737v1605181fsac98d6826ed5c694@mail.gmail.com>
References: <6e285e810701072151n5f4907a0wd453c7151a64d013@mail.gmail.com> <447e5bc70701080737v1605181fsac98d6826ed5c694@mail.gmail.com>
Message-ID: <6e285e810701081919o6648b4bar153fb31b80d34ded@mail.gmail.com>

Hmmm, seems this service didn't work for me. Despite them allowing me to set up a dyndns/no-ip account as secondary DNS, transfers are made from time to time by ns2.afraid.org, and not directly, not serving my purposes.. anyway thanks.

If someone knows about another service like "dnstunnel.de" functioning, plz let me know.

[]s

On 1/8/07, Syn Ack wrote:
> You can take a look at freedns.afraid.org
>
> Dominique

--
Fósforo
Blog: http://insanenetworks.blogspot.com
Bcz sex is like hacking.. you get in, you get out, and you hope you didn't leave something behind that can be traced back to you..
From dave at immunityinc.com Tue Jan 9 12:09:13 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 09 Jan 2007 12:09:13 -0500
Subject: [Dailydave] Oracle Rootkits
Message-ID: <45A3CC39.6090205@immunityinc.com>

One of the things we've tried to do, and I think been fairly successful at, is build an ecosystem around CANVAS where we can get independent vendors to develop their own technology on top of the CANVAS base project. For the vendor there are a number of benefits.

1. We accept credit cards and are a US company (soon to be 8(a) I hope!). We have a customer list we can market their things to easily.

2. MOSDEF means vendors don't have to spend their whole lives writing shellcode. Built in Oracle/MSSQL/mySQL/SSL/etc libraries don't hurt. Having remote OS and language pack detection done for you is nice.

3. CANVAS's automation means that if a vendor has a module to fix some new vulnerability, it can be used against a class B as part of massattack or VulnAssess without any additional configuration by the customer.

A few years back everyone was like "I want to write exploits for a living". And now you can.

Anyways, I bring this up because I notice Argeniss is now selling a really cool Oracle Rootkit as part of their toolkit. How awesome is that?

-dave

From docbook.xml at gmail.com Tue Jan 9 12:56:00 2007
From: docbook.xml at gmail.com (Saqib Ali)
Date: Tue, 9 Jan 2007 09:56:00 -0800
Subject: [Dailydave] Fwd: How important is FIPS 140-2 Level 1 cert?
In-Reply-To: <20061229222951.21553.qmail@securityfocus.com>
References: <20061229222951.21553.qmail@securityfocus.com>
Message-ID:

The following excellent post by Karl Levinson appeared on the Security-Basics mailing list:

---------- Forwarded message ----------

FIPS certification is only one of many factors that might indicate how secure a system will be in actual use, and unless you're in the US Federal government, it is arguably not one of the most useful things you should be looking at.

All four FIPS 140-2 levels can mean much the same thing, depending on what the product and situation are. All levels appear to have the same requirements for the strength of the crypto module implementation, key exchange, etc. Higher levels reference some things that you may not care about, such as hardware intrusion detection / prevention such as seals on the hardware if there is any hardware, or whether it runs under a NIAP Common Criteria-rated Operating System. (NIAP CC being another rating that does not always translate into a product being "more secure.") You start seeing what the various levels test for on page 12 of the following link: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

Like NIAP Common Criteria, FIPS certification is probably expensive and time consuming for the vendor, so that the products that get it would tend to be older products from larger, more monolithic companies, which may not necessarily guarantee you're getting superlative security.

The FIPS rating does not rate all of the configurations of the device, but one possible non-default configuration that CAN optionally be enabled. So you might end up not using the system in a FIPS-compliant configuration. FIPS says nothing about how secure the product is in the default or most common configuration, or whether the product performs at an acceptable speed when FIPS-compliant options are used.
As FIPS rates the crypto implementation, it says little to guarantee that there won't be a significant non-crypto vulnerability in the OS or the way you implement it that could compromise security. With MS Windows, for example, you probably don't want to enable "FIPS-compliant encryption mode," because an older, weaker encryption algorithm will be used for EFS disk encryption, rather than newer, stronger but uncertified protocols. Windows is FIPS rated, but that FIPS rating goes out the window if the OS is compromised because it's missing a security patch.

Note that people use non-FIPS compliant encryption every day for all kinds of Internet financial transactions when they use SSL for web browsing. If you were able to use a FIPS-certified implementation of TLS encryption instead, you're still theoretically vulnerable to man-in-the-middle attacks (a big weakness here being that many encryption implementations go out the window if a user clicks OK on the pop-up saying that there may be a problem with the SSL, SMIME, PGP or SSH certificate). I'm not sure there's even a web browser that is FIPS 140-2 certified yet, but that doesn't say much about whether your browser of choice is or isn't safe.

Bottom line, make sure you know what FIPS certification does and doesn't guarantee. I'm not sure I would pay double for a product that might be less secure than the cheaper solution, depending on how exactly it's implemented. But then that also depends on your security needs and your tolerance for various kinds of risk, so there's no one universal answer that is true for all.

kind regards,
Karl Levinson
http://securityadmin.info

saqib
http://www.full-disk-encryption.net

From dave at immunityinc.com Tue Jan 9 15:03:19 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 09 Jan 2007 15:03:19 -0500
Subject: [Dailydave] Today's patches.
Message-ID: <45A3F507.5080809@immunityinc.com>

Another catch from the honeymonkeys?
Interesting that 3 out of 4 had public exploits available. Also interesting that Outlook is the new punching bag. Since everyone uses Outlook, and Outlook parses HTML... it's really every part of Office that people have to move off of to avoid the Office Security Nightmare.

I like how MS italicized "originally" in the text below. Does someone own the MSRC? (Someone clumsy, I mean. Obviously lots of people own the MSRC but they shouldn't be getting caught.)

Are honeymonkeys more cost-effective as a protection than code auditing?

-dave

http://www.microsoft.com/technet/security/Bulletin/MS07-004.mspx
"""
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft /originally/ received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
Yes. When the security bulletin was released, Microsoft had received information that this vulnerability was being exploited.

Does applying this security update help protect customers from the code that has been published publicly that attempts to exploit this vulnerability?
Yes. This security update addresses the vulnerability that is currently being exploited. The vulnerability that has been addressed has been assigned the Common Vulnerability and Exposure number CVE-2007-0024.
"""

From felix-dailydave at fefe.de Tue Jan 9 15:01:37 2007
From: felix-dailydave at fefe.de (felix-dailydave at fefe.de)
Date: Tue, 9 Jan 2007 21:01:37 +0100
Subject: [Dailydave] Fwd: How important is FIPS 140-2 Level 1 cert?
In-Reply-To:
References: <20061229222951.21553.qmail@securityfocus.com>
Message-ID: <20070109200137.GA16988@codeblau.de>

Thus spake Saqib Ali (docbook.xml at gmail.com):
> The following excellent post by Karl Levinson appeared on
> Security-Basics mailing list:
> ---------- Forwarded message ----------
> FIPS certification is only one of many factors that might indicate how
> secure a system will be in actual use, and unless you're in the US
> Federal government, it is arguably not one of the most useful things
> you should be looking at.

FIPS indicates no such thing. FIPS indicates that your device has passed some rudimentary functionality tests. It does NOT mean that some agency looked at your product and found no backdoors. Nobody even tried. FIPS basically says that someone took a few test vectors, ran the product algorithms on them, and the right results came out. Frankly, that does not mean anything. It's a rubber stamp. Companies do that to sway gullible customers.

> Like NIAP Common Criteria, FIPS certification is probably expensive
> and time consuming for the vendor, so that the products that get it
> would tend to be older products from larger, more monolithic
> companies, which may not necessarily guarantee you're getting
> superlative security.

Haha, well said. In my experience there is no quality difference between large and small companies. What differs is that often smaller companies react quicker to security issues, because for them more is at stake.

> Bottom line, make sure you know what FIPS certification does and
> doesn't guarantee. I'm not sure I would pay double for a product that
> might be less secure than the cheaper solution, depending on how
> exactly it's implemented. But then that also depends on your security
> needs and your tolerance for various kinds of risk, so there's no one
> universal answer that is true for all.

Since FIPS does not guarantee anything tangible, I would generally stay clear of FIPS certified products.
It means the vendor rather spent money on a dubious certification than on making the product better.

Now, story time. :-)

I once had this revealing discussion with the head of the German agency that does this kind of certification. I asked him what kind of bugs they would have to find so that a product does not get certified. And he said: all products get certified. They don't look for bugs. Even if they wanted to, they don't have the manpower.

So I asked, if a really obvious back door happened to fall in their lap, what would they do. And he said they had that case once. They complained and got shot down for it politically. Turns out it was some kind of NATO thing. *cough*

I wanted to know if the level of certification makes a difference. No, it doesn't. If they think a product sucks, they can only signal that by the recommendation they give to state agencies up to what secrecy level that device can be used. The same way they recommend how big the stripes of the paper shredder need to be, they have levels for confidentiality in internal usage for other areas, too, like crypto software. And that's where they can say whether they think the product is any good.

So, in conclusion: FIPS may not be outright fraud, but advertising it as a certificate for security achievements is pretty borderline.

Felix

PS: if anyone asks me about the above story, I'll deny everything. This email will self destruct in 5 seconds.

From bmc at snort.org Tue Jan 9 17:10:31 2007
From: bmc at snort.org (Brian Caswell)
Date: Tue, 9 Jan 2007 17:10:31 -0500
Subject: [Dailydave] stop the presses, security is solved!
Message-ID: <22AFD336-82BD-434E-972E-A22D8B53DBC9@snort.org>

All of you are out of a job. Green Castle has the perfect solution for all detection 0day, viruses, worms, rootkits, and spyware, even before the attack starts up! Oh, and no ongoing updates & maintenance, all while enhancing your technology without compromising it!

And they didn't even say Nii!
http://www.greencastletech.com/

Best Product at RSA++

-b

From Thierry at Zoller.lu Tue Jan 9 18:02:25 2007
From: Thierry at Zoller.lu (Thierry Zoller)
Date: Wed, 10 Jan 2007 00:02:25 +0100
Subject: [Dailydave] Fwd: How important is FIPS 140-2 Level 1 cert?
In-Reply-To: <20070109200137.GA16988@codeblau.de>
References: <20061229222951.21553.qmail@securityfocus.com> <20070109200137.GA16988@codeblau.de>
Message-ID: <1201487858.20070110000225@Zoller.lu>

Dear All,

I use the FIPS battery of tests (which you can find in the very nice CrypTool) to test the randomness of _session cookies_, and that's basically all it's good for.

--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7

From halvar at gmx.de Tue Jan 9 18:30:53 2007
From: halvar at gmx.de (Halvar Flake)
Date: Wed, 10 Jan 2007 00:30:53 +0100
Subject: [Dailydave] iPhone CPU
Message-ID: <0a2101c73446$34a76850$c7b2a8c0@D1NQ6Z1J>

Hey all,

with all this hoopla around the iPhone, is this beast running an ARM? I have doubts about a mobile device being based on x86, so does anyone have details about what sort of shellcode needs to be written?

Cheers,
Halvar

From olef.anderson at gmail.com Tue Jan 9 18:31:13 2007
From: olef.anderson at gmail.com (Olef Anderson)
Date: Tue, 9 Jan 2007 15:31:13 -0800
Subject: [Dailydave] stop the presses, security is solved!
In-Reply-To: <22AFD336-82BD-434E-972E-A22D8B53DBC9@snort.org>
References: <22AFD336-82BD-434E-972E-A22D8B53DBC9@snort.org>
Message-ID: <9b4f936f0701091531u6329e30di2ed3e8b7daf59651@mail.gmail.com>

Well, I thought the innovative use of pcap and regex libraries by the great Marty Roesch cost us our jobs by putting an end to computer intrusions long ago. Am I missing something?

olef

On 1/9/07, Brian Caswell wrote:
>
> All of you are out of a job.
> Green Castle has the perfect solution
> for all detection 0day, viruses, worms, rootkits, and spyware, even
> before the attack starts up! Oh, and no ongoing updates &
> maintenance, all while enhancing your technology without compromising
> it!
>
> And they didn't even say Nii!
>
> http://www.greencastletech.com/
>
> Best Product at RSA++
>
> -b
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

From dave at erratasec.com Tue Jan 9 18:38:19 2007
From: dave at erratasec.com (David Maynor)
Date: Tue, 9 Jan 2007 18:38:19 -0500
Subject: [Dailydave] stop the presses, security is solved!
In-Reply-To: <22AFD336-82BD-434E-972E-A22D8B53DBC9@snort.org>
Message-ID:

I'll give the first person $1 that gets me a copy of that software. I can't sleep without knowing how its "Innervue" technology works and has the ability to identify new software "well before it even starts to run and then is watched closely after it begins executing". Sounds like whatever it is, there is a huge performance hit.

Let's not forget how it's better than current security solutions: "Unlike current monitoring and security solutions, the Innervue goes to the deepest level of the computer, down to the hardware level."

Whelp, that answers all my questions and I feel totally protected. I mean... you can't really get better than HARDWARE protection. I mean come on, it's HARDWARE. Sure software has flaws, it's written by man. But HARDWARE, it's ordained to us by the gods.

This reply has been written with tongue firmly in cheek.
-----Original Message-----
From: dailydave-bounces at lists.immunitysec.com [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of Brian Caswell
Sent: Tuesday, January 09, 2007 5:11 PM
To: dailydave
Subject: [Dailydave] stop the presses, security is solved!

All of you are out of a job. Green Castle has the perfect solution for all detection 0day, viruses, worms, rootkits, and spyware, even before the attack starts up! Oh, and no ongoing updates & maintenance, all while enhancing your technology without compromising it!

And they didn't even say Nii!

http://www.greencastletech.com/

Best Product at RSA++

-b

From lmh at info-pull.com Tue Jan 9 19:45:59 2007
From: lmh at info-pull.com (LMH)
Date: Wed, 10 Jan 2007 01:45:59 +0100
Subject: [Dailydave] iPhone CPU
In-Reply-To: <0a2101c73446$34a76850$c7b2a8c0@D1NQ6Z1J>
References: <0a2101c73446$34a76850$c7b2a8c0@D1NQ6Z1J>
Message-ID:

It will be enough if it supports AppleScript :-)

They haven't disclosed any details about the underlying tech. specifications, AFAIK. We'll have to wait. If they had to add support for a new architecture then I bet they had a tough time with optimization and other issues. Some of the current design aspects of OS X might help with that, though (like fat binaries / universal binaries, for storing multiple Mach-O objects for different architectures).

Cheers.

On 1/10/07, Halvar Flake wrote:
>
>
> Hey all,
>
> with all this hoopla around the iPhone, is this beast running
> an ARM ? I have doubts about a mobile device being based
> on x86, so does anyone have details about what sort of
> shellcode needs to be written ?
>
> Cheers,
> Halvar

From dave at erratasec.com Tue Jan 9 19:50:02 2007
From: dave at erratasec.com (David Maynor)
Date: Tue, 9 Jan 2007 19:50:02 -0500
Subject: [Dailydave] iPhone CPU
Message-ID:

I would suspect some type of ARM. The video showing the graphics gives me the feeling it has some sort of 3D chip as well. Anybody know if you can cross-compile xnu for ARM?

David Maynor
CTO, Errata Security
http://erratasec.blogspot.com

-----Original Message-----
From: Halvar Flake [mailto:halvar at gmx.de]
Sent: Tuesday, January 09, 2007 07:25 PM Eastern Standard Time
To: dailydave
Subject: [Dailydave] iPhone CPU

Hey all,

with all this hoopla around the iPhone, is this beast running an ARM? I have doubts about a mobile device being based on x86, so does anyone have details about what sort of shellcode needs to be written?

Cheers,
Halvar

From discojonny at gmail.com Tue Jan 9 20:34:17 2007
From: discojonny at gmail.com (Disco Jonny)
Date: Wed, 10 Jan 2007 01:34:17 +0000
Subject: [Dailydave] Today's patches.
In-Reply-To: <45A3F507.5080809@immunityinc.com>
References: <45A3F507.5080809@immunityinc.com>
Message-ID: <2b87e78b0701091734l4a079be3kf4657bbdd5df0fca@mail.gmail.com>

Hi.

On 09/01/07, Dave Aitel wrote:
> it's really every part of Office that people have to move off
> of to avoid the Office Security Nightmare.

If anyone gives a shit about the Excel viewer bugs, I have 2 of the 5 Excel bugs (I think 3 do the Word viewer in - could be wrong, it might only be two, see below). (I only know this because they now pass the regression tests.)
If anyone wants some stuff to play with, send me a blank 2k3 xls sheet, I'll mod up the files and give the traces, files and info back. [Remove your metadata yourselves - although all emails will be private.]

I have another xls bug that I have lost all info for, but was also fixed. I can pass that info across too if you like (might be the same as one of the previous, though)?

All the bugs I pass across will need work in generating an exploit. (I can't do everything for you!)

If my penis wasn't so small I wouldn't need to try to prove it was so big all the time.

Cheers then.

disco.

From af.dingo at gmail.com Tue Jan 9 22:03:31 2007
From: af.dingo at gmail.com (Jeff Quast)
Date: Tue, 9 Jan 2007 22:03:31 -0500
Subject: [Dailydave] iPhone CPU
In-Reply-To: <0a2101c73446$34a76850$c7b2a8c0@D1NQ6Z1J>
References: <0a2101c73446$34a76850$c7b2a8c0@D1NQ6Z1J>
Message-ID:

On 1/9/07, Halvar Flake wrote:
>
>
> Hey all,
>
> with all this hoopla around the iPhone, is this beast running
> an ARM ? I have doubts about a mobile device being based
> on x86, so does anyone have details about what sort of
> shellcode needs to be written ?
>
> Cheers,
> Halvar

I'd put 2 and 2 together and guess it'd be running one of the new XScale-based processors by Marvell.

http://www.palminfocenter.com/news/8690/marvell-purchasing-intels-xscale-business/
http://www.infoworld.com/article/06/11/15/HNmarvellsmartphonesxscale_1.html

Pretty sure it's the same old, just smaller and higher clockspeed. Start practicing on a Thecus N2100 or Zaurus SL3x00 :)

Great arch imo

From tqbf at matasano.com Tue Jan 9 22:20:45 2007
From: tqbf at matasano.com (Thomas Ptacek)
Date: Tue, 9 Jan 2007 21:20:45 -0600
Subject: [Dailydave] iPhone CPU
In-Reply-To: <0a2101c73446$34a76850$c7b2a8c0@D1NQ6Z1J>
References: <0a2101c73446$34a76850$c7b2a8c0@D1NQ6Z1J>
Message-ID: <1df0a410701091920h4b0fa792jc37337a022055a66@mail.gmail.com>

Embedded PPC seems most likely.
The work they did on XNU to keep it xp PPC/x86 is nontrivial; if it really is "OS X", you'd be surprised to see them add "/xnu/osfmk/arm". There are plenty of low-power PPC parts they could have sourced.

On 1/9/07, Halvar Flake wrote:
>
>
> Hey all,
>
> with all this hoopla around the iPhone, is this beast running
> an ARM ? I have doubts about a mobile device being based
> on x86, so does anyone have details about what sort of
> shellcode needs to be written ?
>
> Cheers,
> Halvar

From roesch at sourcefire.com Tue Jan 9 22:50:41 2007
From: roesch at sourcefire.com (Martin Roesch)
Date: Tue, 9 Jan 2007 22:50:41 -0500
Subject: [Dailydave] stop the presses, security is solved!
In-Reply-To: <9b4f936f0701091531u6329e30di2ed3e8b7daf59651@mail.gmail.com>
References: <22AFD336-82BD-434E-972E-A22D8B53DBC9@snort.org> <9b4f936f0701091531u6329e30di2ed3e8b7daf59651@mail.gmail.com>
Message-ID: <329BE271-AD49-47D7-8BCE-18667A5E3F09@sourcefire.com>

I don't think I ever claimed to put an end to anything...

Oh, and Caswell added the regex support.

-Marty

On Jan 9, 2007, at 6:31 PM, Olef Anderson wrote:
>
> Well, I thought the innovative use of pcap and regex libraries by
> the great Marty Roesch cost us our jobs by putting an end to
> computer intrusions long ago. Am I missing something?
>
> olef
>
> On 1/9/07, Brian Caswell wrote:
> All of you are out of a job. Green Castle has the perfect solution
> for all detection 0day, viruses, worms, rootkits, and spyware, even
> before the attack starts up! Oh, and no ongoing updates &
> maintenance, all while enhancing your technology without compromising
> it!
>
> And they didn't even say Nii!
>
> http://www.greencastletech.com/
>
> Best Product at RSA++
>
> -b

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org

From docbook.xml at gmail.com Tue Jan 9 23:42:03 2007
From: docbook.xml at gmail.com (Saqib Ali)
Date: Tue, 9 Jan 2007 20:42:03 -0800
Subject: [Dailydave] Fwd: [FDE] Inside interview with Seagate on it's new FDE Drive
In-Reply-To:
References:
Message-ID:

---------- Forwarded message ----------
From: Scott S
Date: Jan 9, 2007 11:17 AM
Subject: [FDE] Inside interview with Seagate on it's new FDE Drive
To: fde at www.xml-dev.com

Here is an exclusive interview we conducted with Dan Good, Vice President of marketing at Seagate, on the release of its new FDE drives. Some of the topics covered in the interview are the catalyst that led to the development of the FDE solution, the FDE drive value proposition, and the FDE drive positioning against its competitors and alongside its collaborators.
http://www.full-disk-encryption.net/seagate_interview.html

From bania.piotr at gmail.com Wed Jan 10 00:05:53 2007
From: bania.piotr at gmail.com (Piotr Bania)
Date: Wed, 10 Jan 2007 06:05:53 +0100
Subject: [Dailydave] Adobe Reader Remote Heap Memory Corruption - Subroutine Pointer Overwrite
Message-ID: <45A47431.4030504@gmail.com>

Adobe Reader Remote Heap Memory Corruption - Subroutine Pointer Overwrite
by Piotr Bania
http://www.piotrbania.com

Original url: http://www.piotrbania.com/all/adv/adobe-acrobat-adv.txt

Severity: Critical - Possible remote code execution.

CVE ID: CVE-2006-5857

Time line:
03/09/2006 - Advisory sent to ADOBE PSIRT
03/09/2006 - Initial Vendor Response
11/09/2006 - Vendor confirms the vulnerability.
09/01/2007 - Security Bulletin ready, advisory released.

Software affected:
Adobe Reader 7.0.8 and earlier - all platforms.

Tested on:
* Adobe Reader 7.0.8 and 7.0.3 (Windows)
* Adobe Reader 7.0.8 (Linux)

I. BACKGROUND

Adobe Reader is the most popular program for viewing documents in Adobe Portable Document Format (PDF). More information at: http://www.adobe.com/products/acrobat/.

II. DESCRIPTION

The problem exists when the Adobe product is trying to render a specially crafted PDF file. Take a look at this code snippet:

----// SNIP SNIP //-------------------------------------------------
0:000> u 08009d3f
CoolType+0x9d3f:
08009d3f 83e904           sub     ecx,0x4
08009d42 890da07a1d08     mov     [CoolType!CTCleanup+0xb393b (081d7aa0)],ecx
08009d48 ffb49070feffff   push    dword ptr [eax+edx*4-0x190]
08009d4f 8b09             mov     ecx,[ecx]
08009d51 51               push    ecx
08009d52 ff506c           call    dword ptr [eax+0x6c]   ; (*)
08009d55 59               pop     ecx
08009d56 59               pop     ecx
----// SNIP SNIP //-------------------------------------------------

The instruction at 0x08009d52 calls the location whose address is stored at [eax+0x6c]. The value of eax points somewhere inside the allocated heap memory block, as shown here:

----// SNIP SNIP //-------------------------------------------------
...
K: 199 -> [*] HeapAlloc(0x3E0000,0x0,0x4(4))=0x16F6FF8        end at: 0x16F6FFC
K: 200 -> [*] HeapAlloc(0x3E0000,0x0,0x4F4(1268))=0x16F6958   end at: 0x16F6E4C
K: 201 -> [*] HeapAlloc(0x3E0000,0x0,0xFE30(65072))=0x16F6E58 end at: 0x1706C88
K: 202 -> [*] HeapAlloc(0x3E0000,0x0,0x304(772))=0x1706C90    end at: 0x1706F94
K: 203 -> [*] HeapAlloc(0x3E0000,0x0,0xFE24(65060))=0x1706FA0 end at: 0x1716DC4  <- THIS ONE
----// SNIP SNIP //-------------------------------------------------

[EAX+0x6c] points to offset 0x222C from the beginning of the last heap memory block. When a specially badly created PDF file is being rendered, there exists a possibility to cause a memory corruption, which leads to the overwrite of the subroutine address stored at [eax+0x6c]. Here's the debugger snippet, after calling the overwritten [eax+0x6c] (note the heap base block is different than previously mentioned, it's just another independent session):

----// SNIP SNIP //-------------------------------------------------
(25a0.2170): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=016f4320 ebx=00000000 ecx=baadf00d edx=00000069 esi=016f4ab9 edi=016f14b4
eip=baadf00d esp=0012deec ebp=0012df80 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Acrobat 7.0\Reader\CoolType.dll -
baadf00d ?? ???
----// SNIP SNIP //-------------------------------------------------

The attacker can control the EIP register; this may lead to potential code execution in the context of the current user.

III. IMPACT

Successful exploitation may allow the attacker to run arbitrary code in the context of the user running Adobe Reader.

IV. VENDOR RESPONSE

All patches are available, via auto-update or http://www.adobe.com/go/getreader/

V. POC CODE

Due to the severity of this vulnerability I will not disclose any POC codes.
best regards,
pb

--
--------------------------------------------------------------------
Piotr Bania - - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://www.piotrbania.com - Key ID: 0xBE43AC33
--------------------------------------------------------------------
- "The more I learn about men, the more I love dogs."

From anton at chuvakin.org Wed Jan 10 00:14:21 2007
From: anton at chuvakin.org (Anton Chuvakin)
Date: Tue, 9 Jan 2007 21:14:21 -0800
Subject: [Dailydave] stop the presses, security is solved!
In-Reply-To: <329BE271-AD49-47D7-8BCE-18667A5E3F09@sourcefire.com>
References: <22AFD336-82BD-434E-972E-A22D8B53DBC9@snort.org> <9b4f936f0701091531u6329e30di2ed3e8b7daf59651@mail.gmail.com> <329BE271-AD49-47D7-8BCE-18667A5E3F09@sourcefire.com>
Message-ID:

I _especially_ like the typos in their "technical" white (toilet?) paper http://www.greencastletech.com/whpaper.html

Somebody should create a doghouse for security vendors, kinda like what Bruce Schneier has for crypto..

--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://chuvakin.blogspot.com
http://www.info-secure.org

From arunkoshy at gmail.com Wed Jan 10 01:04:48 2007
From: arunkoshy at gmail.com (Arun Koshy)
Date: Wed, 10 Jan 2007 17:04:48 +1100
Subject: [Dailydave] stop the presses, security is solved!
In-Reply-To: <329BE271-AD49-47D7-8BCE-18667A5E3F09@sourcefire.com>
References: <22AFD336-82BD-434E-972E-A22D8B53DBC9@snort.org> <9b4f936f0701091531u6329e30di2ed3e8b7daf59651@mail.gmail.com> <329BE271-AD49-47D7-8BCE-18667A5E3F09@sourcefire.com>
Message-ID: <1d0ba3070701092204o2fd6d006h179cec982dc21244@mail.gmail.com>

I'm seeing this post with fascination. Are we really this starved for contrived humor or personal potshots that lead nowhere?

Very very few things in this world are original and elegant. Most of the elegant things in security, or for that matter any kind of software, is the math behind it. Otherwise most of it is grep through a datastream.
Innovation is possible with both techniques.. I remember Frans Veldman who did an astounding job with TBAV [1].. if you break what he did down, it could be considered a more sophisticated grep.. but in function, he achieved a brilliant generic detector (and in a limited scope, cleaner) for that time and age. I was probably 13 back then and did not get over the sheer elegance of his "grep" for a while. He pulled it off just when it seemed like the curve for innovation was tapering for the AVers. Most people knew all that he did but didn't see what he saw.

While I don't know anything about the company that is the target of this post, it may be wiser to reserve comments till their release. They seem to have a fairly educated team.

[1] - http://utopia.knoware.nl/users/veldman/frans/dutch/tbav.htm#history

P.S. Vanity.. vanity.. all is vanity ;-).

From simon.cooper at gmail.com Wed Jan 10 01:45:07 2007
From: simon.cooper at gmail.com (Simon Cooper)
Date: Tue, 9 Jan 2007 22:45:07 -0800
Subject: [Dailydave] iPhone CPU
In-Reply-To: <0a2101c73446$34a76850$c7b2a8c0@D1NQ6Z1J>
References: <0a2101c73446$34a76850$c7b2a8c0@D1NQ6Z1J>
Message-ID:

On 1/9/07, Halvar Flake wrote:
>
> Hey all,
>
> with all this hoopla around the iPhone, is this beast running
> an ARM ? I have doubts about a mobile device being based
> on x86, so does anyone have details about what sort of
> shellcode needs to be written ?
>
> Cheers,
> Halvar

Do you really want to know the answer to this question? Do you want to demonstrate your skill in developing a platform that is resistant to malware?

If so, then you should apply, get offered and accept the software security position I currently have open at Apple. This is work in Core OS for Mac OS X.

I am not a recruiter - I am the hiring manager. Email me if you are interested.
--
Simon Cooper

From dunceor at gmail.com Wed Jan 10 02:20:19 2007
From: dunceor at gmail.com (Dunceor)
Date: Wed, 10 Jan 2007 08:20:19 +0100
Subject: [Dailydave] iPhone CPU
In-Reply-To: <1df0a410701091920h4b0fa792jc37337a022055a66@mail.gmail.com>
References: <0a2101c73446$34a76850$c7b2a8c0@D1NQ6Z1J> <1df0a410701091920h4b0fa792jc37337a022055a66@mail.gmail.com>
Message-ID: <5d84cb30701092320i25559a4el9379bf7a477c63c0@mail.gmail.com>

Yeah, I agree on that, embedded PPC is most likely so they can reuse as much of the old Mac OS X code as possible. Even though they claim they have been working on it for over 2? years, so a port to a new arch maybe ain't that crazy.

On 1/10/07, Thomas Ptacek wrote:
>
> Embedded PPC seems most likely. The work they did on XNU to keep it xp
> PPC/x86 is nontrivial; if it really is "OS X", you'd be surprised to
> see them add "/xnu/osfmk/arm". There are plenty of low-power PPC
> parts they could have sourced.
>
> On 1/9/07, Halvar Flake wrote:
> >
> >
> > Hey all,
> >
> > with all this hoopla around the iPhone, is this beast running
> > an ARM ? I have doubts about a mobile device being based
> > on x86, so does anyone have details about what sort of
> > shellcode needs to be written ?
> >
> > Cheers,
> > Halvar
From Charles.Haines at itt.com Wed Jan 10 07:15:59 2007
From: Charles.Haines at itt.com (Haines, Charles - AES)
Date: Wed, 10 Jan 2007 07:15:59 -0500
Subject: [Dailydave] iPhone CPU
References: <0a2101c73446$34a76850$c7b2a8c0@D1NQ6Z1J> <1df0a410701091920h4b0fa792jc37337a022055a66@mail.gmail.com>
Message-ID: <7DB20341F654384C8541A8E2FF63CCD727AF95@01HRNMX09-1.aes.de.ittind.com>

If you look at the keynote, it says it's running an Intel processor I do believe. I'll have to double check on that one.

--chuck

"The only thing more frightening than a programmer with a screwdriver or a hardware engineer with a program is a user with a pair of wire cutters and the root password." -Elizabeth Zwicky

________________________________
From: dailydave-bounces at lists.immunitysec.com on behalf of Thomas Ptacek
Sent: Tue 1/9/2007 10:20 PM
To: Halvar Flake
Cc: dailydave
Subject: Re: [Dailydave] iPhone CPU

Embedded PPC seems most likely. The work they did on XNU to keep it xp PPC/x86 is nontrivial; if it really is "OS X", you'd be surprised to see them add "/xnu/osfmk/arm". There are plenty of low-power PPC parts they could have sourced.

On 1/9/07, Halvar Flake wrote:
>
>
> Hey all,
>
> with all this hoopla around the iPhone, is this beast running
> an ARM ? I have doubts about a mobile device being based
> on x86, so does anyone have details about what sort of
> shellcode needs to be written ?
>
> Cheers,
> Halvar

************************************
This e-mail and any files transmitted with it are proprietary and intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of ITT, Inc. The recipient should check this e-mail and any attachments for the presence of viruses. ITT accepts no liability for any damage caused by any virus transmitted by this e-mail.
************************************

From pusscat at gmail.com Wed Jan 10 09:57:40 2007
From: pusscat at gmail.com (Pusscat)
Date: Wed, 10 Jan 2007 09:57:40 -0500
Subject: [Dailydave] iPhone CPU
In-Reply-To:
Message-ID:

I think Halvar is all set :)

Also, while we have you here, how come you guys always tell me, "can't reproduce" then fix things silently later?

On 1/10/07 1:45 AM, "Simon Cooper" wrote:

> On 1/9/07, Halvar Flake wrote:
>>
>> Hey all,
>>
>> with all this hoopla around the iPhone, is this beast running
>> an ARM ? I have doubts about a mobile device being based
>> on x86, so does anyone have details about what sort of
>> shellcode needs to be written ?
>>
>> Cheers,
>> Halvar
>
> Do you really want to know the answer to this question? Do you want
> to demonstrate your skill in developing a platform that is resistant
> to malware?
>
> If so, then you should apply, get offered and accept the software
> security position I currently have open at Apple. This is work in
> Core OS for Mac OS X.
>
> I am not a recruiter - I am the hiring manager. Email me if you are
> interested.

~ Puss

From irby at sliphead.com Wed Jan 10 10:17:48 2007
From: irby at sliphead.com (Irby Thompson)
Date: Wed, 10 Jan 2007 09:17:48 -0600
Subject: [Dailydave] iPhone CPU
In-Reply-To:
References: <0a2101c73446$34a76850$c7b2a8c0@D1NQ6Z1J>
Message-ID: <45A5039C.6080902@sliphead.com>

Ha,

And all the hackers go silent....turns out defense is both a lot harder and not as much fun as offense.

-irby

Simon Cooper wrote:
> Do you really want to know the answer to this question? Do you want
> to demonstrate your skill in developing a platform that is resistant
> to malware?
>
> If so, then you should apply, get offered and accept the software
> security position I currently have open at Apple. This is work in
> Core OS for Mac OS X.
>
> I am not a recruiter - I am the hiring manager. Email me if you are interested.
>
>

From adrian.sanabria at gmail.com Wed Jan 10 10:46:47 2007
From: adrian.sanabria at gmail.com (adrian.sanabria at gmail.com)
Date: Wed, 10 Jan 2007 15:46:47 +0000
Subject: [Dailydave] stop the presses, security is solved!
In-Reply-To:
References: <22AFD336-82BD-434E-972E-A22D8B53DBC9@snort.org> <9b4f936f0701091531u6329e30di2ed3e8b7daf59651@mail.gmail.com> <329BE271-AD49-47D7-8BCE-18667A5E3F09@sourcefire.com>
Message-ID: <829936463-1168444009-cardhu_blackberry.rim.net-853886497-@bxe041-cell01.bisx.prod.on.blackberry>

Someone has! Check out the Charlatan page on Attrition.

http://attrition.org/errata/charlatan.html

CCing Lyger to see if he thinks it worthy of adding.

-Adrian
Sent via BlackBerry from Cingular Wireless

-----Original Message-----
From: "Anton Chuvakin"
Date: Tue, 9 Jan 2007 21:14:21
To: dailydave
Subject: Re: [Dailydave] stop the presses, security is solved!

I _especially_ like the typos in their "technical" white (toilet?)
paper http://www.greencastletech.com/whpaper.html

Somebody should create a doghouse for security vendors, kinda like what Bruce Schneier has for crypto..

--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://chuvakin.blogspot.com
http://www.info-secure.org

From halvar at gmx.de Wed Jan 10 11:38:38 2007
From: halvar at gmx.de (Halvar Flake)
Date: Wed, 10 Jan 2007 17:38:38 +0100
Subject: [Dailydave] iPhone CPU
References: <0a2101c73446$34a76850$c7b2a8c0@D1NQ6Z1J> <45A5039C.6080902@sliphead.com>
Message-ID: <0bf101c734d5$c8eb7120$c7b2a8c0@D1NQ6Z1J>

Hey all,

> And all the hackers go silent....turns out defense is both a lot harder
> and not as much fun as offense.

It's mainly less fun and (as I perceive it) less creative. IMHO only of course.

Cheers,
Halvar

From dave.korn at artimi.com Wed Jan 10 12:14:03 2007
From: dave.korn at artimi.com (Dave Korn)
Date: Wed, 10 Jan 2007 17:14:03 -0000
Subject: [Dailydave] Adobe Reader Remote Heap Memory Corruption - SubroutinePointer Overwrite
In-Reply-To: <45A47431.4030504@gmail.com>
Message-ID: <006f01c734da$ba73bad0$a501a8c0@CAM.ARTIMI.COM>

On 10 January 2007 05:06, Piotr Bania wrote:

> Original url: http://www.piotrbania.com/all/adv/adobe-acrobat-adv.txt

I do like the custom 403's your site serves up when I try ascending that one directory component at a time! :-D

cheers,
DaveK
--
Can't think of a witty .sigline today....

From dave.korn at artimi.com Wed Jan 10 12:33:25 2007
From: dave.korn at artimi.com (Dave Korn)
Date: Wed, 10 Jan 2007 17:33:25 -0000
Subject: [Dailydave] stop the presses, security is solved!
In-Reply-To: <1d0ba3070701092204o2fd6d006h179cec982dc21244@mail.gmail.com>
Message-ID: <000401c734dd$6ef4c420$a501a8c0@CAM.ARTIMI.COM>

On 10 January 2007 06:05, Arun Koshy wrote:

> I'm seeing this post with fascination.
> Are we really this starved for
> contrived humor or personal potshots that lead nowhere ?
>
> Very very few things in this world are original and elegant.

Which is why when somebody makes extraordinary claims to have achieved fundamental breakthroughs, it is legitimate to point out that they are full of humbug. It's not just that their claims are smothered in marketing hype, it's that once you've removed the hype they are either false or meaningless. Or both.

Take these claims:

" Not an ineffective behavior-based approach "

"Innervue is based on such internal activity as disk writes, page faults, network access, internal exceptions and much more."

That /is/ behaviour.

"this is all done without file scanning or overhead"

Of course it involves overhead. To claim that it doesn't is as garbage as claiming to have invented a perpetual motion machine.

When you read in depth,

"The answer is to take a positive approach. At any one time the software on a computer is fixed and is from well-known suppliers. Further, newly installed software comes at predictable times and is under the user's control. It is a much smaller and easier task to approve current and new valid software than to identify all attacker software now and in the future. Greencastle takes this positive approach."

you see that all they have done is reinvented some combination of whitelisting and tripwire.

" New software is identified well before it even starts to run and then is watched closely after it begins executing. "

If they aren't using syscall hooking to do this, they aren't doing it effectively, and if they are, their claims of stability and low overhead are bogus.

"Greencastle is the first technology that goes to the level beneath which attacks simply cannot go "

If that's not syscall hooking, it's not the "level beneath which attacks simply cannot go". Actually, if that's not a hypervisor, it's not "the level beneath which attacks simply cannot go".
And since attacks (currently only POCs, AFAIK, but that's not the point) already have been demonstrated at the syscall, hypervisor, ACPI and BIOS levels, there really is no such level. So either attacks can go beneath it, or it's not the first at whatever level it's actually at.

I'm also curious how all this "we prevent new executables from even being launched" would help prevent a buffer overflow or other redirection of control of an already-running thread in a white-listed application.

At least if you read their own descriptions, there is nothing new or original about any of it. I'm sure it could stop idiots double-clicking executables they've been emailed, and prevent malicious websites from forcing an executable download via the browser, but that's nothing new.

I remain to be proven wrong, but extraordinary claims require extraordinary proof, and all we've seen here is very ordinary marketing.

cheers,
DaveK
--
Can't think of a witty .sigline today....

From dave at immunityinc.com Wed Jan 10 12:37:11 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Wed, 10 Jan 2007 12:37:11 -0500
Subject: [Dailydave] Algorithmic Bugs
Message-ID: <45A52447.3020204@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Best paper at a conference I went to recently here in Miami Beach.

http://www.cs.wisc.edu/~smithr/pubs/acsac2006.pdf

Summary:
You can send a remarkably small stream of data at a NIDS and cause it to go to 100% CPU and stop doing analysis if you send the RIGHT stream of data. This is basically undetectable (i.e. does not crash snort). Was fixed in Snort 2.6.1 (I believe). Some snort rules have a 1 million to 1 expansion if you do it right (from what I read - I haven't tested this out yet - but it would make a great CANVAS module!)

The presentation is clearer than the paper. I hope they put it online.

Similar bugs exist in major commercial Python exploitation frameworks (i.e. you can tartrap CANVAS if you do it right).
The more high level the language, the easier it is to get caught by something like this.

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFpSRFB8JNm+PA+iURAg/UAKDa+8OfY4AKO5lZnpvmoO9QqnQ5BQCghwWK
VCbaxHVE4JImfXyaKqyVsN4=
=6bSm
-----END PGP SIGNATURE-----

From dave.korn at artimi.com Wed Jan 10 12:36:25 2007
From: dave.korn at artimi.com (Dave Korn)
Date: Wed, 10 Jan 2007 17:36:25 -0000
Subject: [Dailydave] Fwd: [FDE] Inside interview with Seagate on it's newFDE Drive
In-Reply-To:
Message-ID: <000501c734dd$d9ead0d0$a501a8c0@CAM.ARTIMI.COM>

On 10 January 2007 04:42, Saqib Ali wrote:

> ---------- Forwarded message ----------
> From: Scott S
>
> Here is an exclusive interview we conducted with Dan Good, Vice President
> of marketing at Seagate, on the release of its new FDE drives. Some of the
> topics covered in the interview are the catalyst that led to the
> development of the FDE solution, the FDE drive value proposition, and the
> FDE drive positioning against its competitions and along its
> collaborators.
>
> http://www.full-disk-encryption.net/seagate_interview.html

Anyone else spot this daft piece of promoting-security-by-obscurity-as-a-virtue?

" We have hidden operation in the drive as well as hidden storage place that normally can't be accessed via ATA commands. So in a way we have a bit of a black box, in terms of a security device, that no one knows what is going on in there, and it is a perfect place to hide stuff. "

I give it ten minutes after the drives hit the streets before it gets cracked.

cheers,
DaveK
--
Can't think of a witty .sigline today....
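The algorithmic-complexity bug Dave Aitel summarizes in the "Algorithmic Bugs" post above (a small, well-chosen input that drives a NIDS's pattern matcher into excessive backtracking until it burns 100% CPU and stops analysing traffic) is easy to see on a toy matcher. The following is an added example, not code from the ACSAC paper, from Snort or from anyone on this list. It builds a minimal backtracking matcher over a constructed pattern AST (equivalent to the regex `(a|aa)+b`), counts the steps spent rejecting an all-`a` input, and shows that the count grows like a Fibonacci sequence in the input length. It then shows two defences: a work budget that fails closed, so the matcher reports that it gave up instead of silently stalling (which is what makes the condition detectable), and a memoised matcher for the same pattern language whose work is bounded by pattern size times input length. The AST format, the `Budget` class, `memo_search` and the step limits are all assumptions of this example.

```python
"""Backtracking pattern matching as an algorithmic-complexity target.

Added example (not from the ACSAC paper, Snort or CANVAS). Patterns are a
tiny constructed AST rather than real regex syntax:

    ('lit', c)        literal character
    ('cat', [n, ...]) concatenation
    ('alt', [n, ...]) alternation
    ('plus', n)       one or more repetitions
"""


class BudgetExceeded(Exception):
    """Raised when a match attempt spends more steps than allowed."""


class Budget:
    """Counts matcher steps so runaway backtracking is observable, not silent."""

    def __init__(self, limit):
        self.limit = limit
        self.steps = 0

    def tick(self):
        self.steps += 1
        if self.steps > self.limit:
            raise BudgetExceeded(self.steps)


def _bt(node, text, pos, budget):
    """Naive backtracking matcher: yield every end offset at which `node`
    can match text[pos:]. Every visit costs one step; the same (node, pos)
    pair is revisited as often as the search reaches it, which is the flaw."""
    budget.tick()
    kind = node[0]
    if kind == 'lit':
        if pos < len(text) and text[pos] == node[1]:
            yield pos + 1
    elif kind == 'cat':
        yield from _bt_cat(node[1], text, pos, budget)
    elif kind == 'alt':
        for branch in node[1]:
            yield from _bt(branch, text, pos, budget)
    elif kind == 'plus':
        for p in _bt(node[1], text, pos, budget):
            yield p
            if p > pos:  # only repeat after consuming input, so we terminate
                yield from _bt(node, text, p, budget)


def _bt_cat(nodes, text, pos, budget):
    if not nodes:
        yield pos
        return
    for p in _bt(nodes[0], text, pos, budget):
        yield from _bt_cat(nodes[1:], text, p, budget)


def backtracking_search(node, text, limit=10**6):
    """Anchored full match with a work budget.

    Returns (True, steps) or (False, steps) when the matcher finishes, and
    (None, steps) when it gives up: a fail-closed result the caller can log
    or alert on instead of letting one packet monopolise the CPU."""
    budget = Budget(limit)
    try:
        for end in _bt(node, text, 0, budget):
            if end == len(text):
                return True, budget.steps
        return False, budget.steps
    except BudgetExceeded:
        return None, budget.steps


def memo_search(node, text):
    """Same pattern language, bounded work: memoise (node, pos) -> set of end
    offsets so each pair is evaluated once. At most |pattern| * (|text| + 1)
    evaluations, each touching at most |text| + 1 offsets."""
    memo = {}
    steps = 0

    def ends(n, pos):
        nonlocal steps
        key = (id(n), pos)
        if key in memo:
            return memo[key]
        steps += 1
        kind = n[0]
        if kind == 'lit':
            res = {pos + 1} if pos < len(text) and text[pos] == n[1] else set()
        elif kind == 'cat':
            res = {pos}
            for child in n[1]:
                res = set().union(*(ends(child, p) for p in res))
        elif kind == 'alt':
            res = set().union(*(ends(branch, pos) for branch in n[1]))
        elif kind == 'plus':
            res = set()
            for p in ends(n[1], pos):
                res.add(p)
                if p > pos:
                    res |= ends(n, p)
        memo[key] = res
        return res

    return len(text) in ends(node, 0), steps


# Constructed pathological pattern, equivalent to the regex (a|aa)+b:
# an all-'a' input can be split into 1s and 2s in Fibonacci-many ways, and
# the backtracker tries every split before concluding there is no 'b'.
A = ('lit', 'a')
EVIL = ('cat', [('plus', ('alt', [A, ('cat', [A, A])])), ('lit', 'b')])


def compare(n, limit=100_000):
    """Steps spent by both matchers rejecting 'a' * n (no trailing 'b')."""
    text = 'a' * n
    return {'backtracking': backtracking_search(EVIL, text, limit),
            'memoised': memo_search(EVIL, text)}


if __name__ == '__main__':
    for n in (8, 16, 24, 32):
        print(n, compare(n))
```

Rejecting eight `a`s costs the backtracker 582 steps and sixteen cost 27663; by nineteen characters it trips a 100 000-step budget and returns `None`, while the memoised matcher rejects thirty-two characters in under 200 evaluations. The budget is the cheap fix and turns "undetectable" into a counter you can alert on; the bounded matcher (or a state-set NFA simulation of the kind used in DFA-based engines) is the real one.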
From demottja at msu.edu Wed Jan 10 13:09:32 2007
From: demottja at msu.edu (Jared DeMott)
Date: Wed, 10 Jan 2007 13:09:32 -0500
Subject: [Dailydave] iPhone CPU
In-Reply-To: <0bf101c734d5$c8eb7120$c7b2a8c0@D1NQ6Z1J>
References: <0a2101c73446$34a76850$c7b2a8c0@D1NQ6Z1J> <45A5039C.6080902@sliphead.com> <0bf101c734d5$c8eb7120$c7b2a8c0@D1NQ6Z1J>
Message-ID: <45A52BDC.8060209@msu.edu>

Halvar Flake wrote:
> Hey all,
>
>> And all the hackers go silent....turns out defense is both a lot harder
>> and not as much fun as offense.
>>
>
> It's mainly less fun and (as I perceive it) less creative. IMHO only of
> course.
>
> Cheers,
> Halvar
>

You'll get no argument from me, I'm all for O. But I'll admit that the metrics of success on D are much more difficult to understand -- there's probably a good amount of creative work to be done there.

From nruff at security-labs.org Wed Jan 10 14:48:25 2007
From: nruff at security-labs.org (Nicolas RUFF)
Date: Wed, 10 Jan 2007 20:48:25 +0100
Subject: [Dailydave] Fwd: [FDE] Inside interview with Seagate on it's newFDE Drive
In-Reply-To: <000501c734dd$d9ead0d0$a501a8c0@CAM.ARTIMI.COM>
References: <000501c734dd$d9ead0d0$a501a8c0@CAM.ARTIMI.COM>
Message-ID: <45A54309.7090107@security-labs.org>

> " We have hidden operation in the drive as well as hidden storage place that
> normally can't be accessed via ATA commands. So in a way we have a bit of a
> black box, in terms of a security device, that no one knows what is going on
> in there, and it is a perfect place to hide stuff. "
>
> I give it ten minutes after the drives hit the streets before it gets
> cracked.
You can count on those guys:
http://www.acelab.ru/index.eng.html

They already have all the stuff required to remove ATA passwords on most drives today. It's just a matter of hidden commands, like accessing negative sectors.

Regards,
- Nicolas RUFF

From thor at polypath.com Wed Jan 10 15:11:40 2007
From: thor at polypath.com (Thor Larholm)
Date: Wed, 10 Jan 2007 21:11:40 +0100
Subject: [Dailydave] iPhone CPU
In-Reply-To: <7DB20341F654384C8541A8E2FF63CCD727AF95@01HRNMX09-1.aes.de.ittind.com>
References: <0a2101c73446$34a76850$c7b2a8c0@D1NQ6Z1J> <1df0a410701091920h4b0fa792jc37337a022055a66@mail.gmail.com> <7DB20341F654384C8541A8E2FF63CCD727AF95@01HRNMX09-1.aes.de.ittind.com>
Message-ID: <45A5487C.6080603@polypath.com>

> Haines, Charles - AES wrote:
>
> If you look at the keynote, it says it's running an Intel processor I do believe. I'll have to double check on that one.
>

It's an Intel processor, probably from the XScale PXA27x family ( http://www.intel.com/design/intelxscale/ ).

9:29am - "Let me tell you more about what this box does. 720p high def video. It's got a 40GB hard drive, which comes in handy for something I'm about to show you... and 802.11b/g/n, and an Intel processor. It's a really cool box. It works with video, music, and photos. You can auto-sync content from your PC, and you can stream content from up to 5 computers."
Quoted from: "Live from Macworld 2007: Steve Jobs keynote"
http://www.engadget.com/2007/01/09/live-from-macworld-2007-steve-jobs-keynote/

Regards
Thor Larholm

From adrian.sanabria at gmail.com Wed Jan 10 15:14:49 2007
From: adrian.sanabria at gmail.com (adrian.sanabria at gmail.com)
Date: Wed, 10 Jan 2007 20:14:49 +0000
Subject: [Dailydave] Fwd: [FDE] Inside interview with Seagate on it'snewFDE Drive
In-Reply-To: <000501c734dd$d9ead0d0$a501a8c0@CAM.ARTIMI.COM>
References: <000501c734dd$d9ead0d0$a501a8c0@CAM.ARTIMI.COM>
Message-ID: <1871418824-1168460094-cardhu_blackberry.rim.net-2017596838-@bxe041-cell01.bisx.prod.on.blackberry>

Furthermore, you're asking to be a target when you brag about doing security the wrong way.

Sent via BlackBerry from Cingular Wireless

-----Original Message-----
From: "Dave Korn"
Date: Wed, 10 Jan 2007 17:36:25
To: "'Saqib Ali'" ,
Subject: Re: [Dailydave] Fwd: [FDE] Inside interview with Seagate on it's newFDE Drive

On 10 January 2007 04:42, Saqib Ali wrote:

> ---------- Forwarded message ----------
> From: Scott S
>
> Here is an exclusive interview we conducted with Dan Good, Vice President
> of marketing at Seagate, on the release of its new FDE drives. Some of the
> topics covered in the interview are the catalyst that lead to the
> development of the FDE solution, the FDE drive value proposition, and the
> FDE drive positioning against its competitions and along its
> collaborators.
>
> http://www.full-disk-encryption.net/seagate_interview.html

Anyone else spot this daft piece of promoting-security-by-obscurity-as-a-virtue?

" We have hidden operation in the drive as well as hidden storage place that normally can't be accessed via ATA commands. So in a way we have a bit of a black box, in terms of a security device, that no one knows what is going on in there, and it is a perfect place to hide stuff. "

I give it ten minutes after the drives hit the streets before it gets cracked.

cheers,
DaveK
--
Can't think of a witty .sigline today....
From smithr at cs.wisc.edu Wed Jan 10 15:18:31 2007
From: smithr at cs.wisc.edu (Randy Smith)
Date: Wed, 10 Jan 2007 14:18:31 -0600
Subject: [Dailydave] Algorithmic Bugs
In-Reply-To: <45A52447.3020204@immunityinc.com>
References: <45A52447.3020204@immunityinc.com>
Message-ID: <45A54A17.9030800@cs.wisc.edu>

For an (un)limited-time only, the presentation slides are now available online. Get them at http://www.cs.wisc.edu/~smithr/pubs/randy_smith_acsac2006.zip.

Cheers,
Randy Smith

Dave Aitel wrote:
>
> Best paper at a conference I went to recently here in Miami Beach.
>
>
> http://www.cs.wisc.edu/~smithr/pubs/acsac2006.pdf
>
> Summary:
> You can send a remarkably small stream of data at a NIDS and cause it
> to go to 100% CPU and stop doing analysis if you send the RIGHT stream
> of data. This is basically undetectable (i.e. does not crash snort).
> Was fixed in Snort 2.6.1 (I believe). Some snort rules have a 1
> million to 1 expansion if you do it right (from what I read - I
> haven't tested this out yet - but it would make a great CANVAS module!)
>
> The presentation is clearer than the paper. I hope they put it online.
>
> Similar bugs exist in major commercial Python exploitation frameworks
> (i.e. you can tartrap CANVAS if you do it right). The more high level
> the language, the easier it is to get caught by something like this.
>
> - -dave

From tqbf at matasano.com Wed Jan 10 15:46:08 2007
From: tqbf at matasano.com (Thomas Ptacek)
Date: Wed, 10 Jan 2007 14:46:08 -0600
Subject: [Dailydave] Algorithmic Bugs
In-Reply-To: <45A52447.3020204@immunityinc.com>
References: <45A52447.3020204@immunityinc.com>
Message-ID: <1df0a410701101246w54405fbcw2b8fab99917cc0d5@mail.gmail.com>

Tim Newsham worked on this in 1997-1998 (and in that respect the paper gets its cites a bit wrong; I'm pretty sure there are published hash table results prior to 2003). My sense is that the "classic" attack here is "turn chaining hash tables into linked lists with a collision extension function".

On 1/10/07, Dave Aitel wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Best paper at a conference I went to recently here in Miami Beach.
>
>
> http://www.cs.wisc.edu/~smithr/pubs/acsac2006.pdf
>
> Summary:
> You can send a remarkably small stream of data at a NIDS and cause it
> to go to 100% CPU and stop doing analysis if you send the RIGHT stream
> of data. This is basically undetectable (i.e. does not crash snort).
> Was fixed in Snort 2.6.1 (I believe). Some snort rules have a 1
> million to 1 expansion if you do it right (from what I read - I
> haven't tested this out yet - but it would make a great CANVAS module!)
>
> The presentation is clearer than the paper. I hope they put it online.
>
> Similar bugs exist in major commercial Python exploitation frameworks
> (i.e. you can tartrap CANVAS if you do it right). The more high level
> the language, the easier it is to get caught by something like this.
>
> - -dave
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFFpSRFB8JNm+PA+iURAg/UAKDa+8OfY4AKO5lZnpvmoO9QqnQ5BQCghwWK
> VCbaxHVE4JImfXyaKqyVsN4=
> =6bSm
> -----END PGP SIGNATURE-----
>

From tqbf at matasano.com Wed Jan 10 15:47:28 2007
From: tqbf at matasano.com (Thomas Ptacek)
Date: Wed, 10 Jan 2007 14:47:28 -0600
Subject: [Dailydave] iPhone CPU
In-Reply-To: <45A5487C.6080603@polypath.com>
References: <0a2101c73446$34a76850$c7b2a8c0@D1NQ6Z1J> <1df0a410701091920h4b0fa792jc37337a022055a66@mail.gmail.com> <7DB20341F654384C8541A8E2FF63CCD727AF95@01HRNMX09-1.aes.de.ittind.com> <45A5487C.6080603@polypath.com>
Message-ID: <1df0a410701101247v63d6f8d9rb188baab8d19443c@mail.gmail.com>

Ok, I'm going to extend my run of bad predictions and say that there's an x86 part in here, not an ARM.

On 1/10/07, Thor Larholm wrote:
> > Haines, Charles - AES wrote:
> >
> > If you look at the keynote, it says it's running an Intel processor I
> do believe. I'll have to double check on that one.
> >
>
> It's an Intel processor, probably from the XScale PXA27x family (
> http://www.intel.com/design/intelxscale/ ).
>
> 9:29am - "Let me tell you more about what this box does. 720p high def
> video. It's got a 40GB hard drive, which comes in handy for something
> I'm about to show you... and 802.11b/g/n, and an Intel processor. It's a
> really cool box. It works with video, music, and photos. You can
> auto-sync content from your PC, and you can stream content from up to 5
> computers."
>
> Quoted from: "Live from Macworld 2007: Steve Jobs keynote"
> http://www.engadget.com/2007/01/09/live-from-macworld-2007-steve-jobs-keynote/
>
>
> Regards
> Thor Larholm

From mattb at cs.ucla.edu Wed Jan 10 15:51:48 2007
From: mattb at cs.ucla.edu (Matt Beaumont)
Date: Wed, 10 Jan 2007 12:51:48 -0800
Subject: [Dailydave] Algorithmic Bugs
In-Reply-To: <45A52447.3020204@immunityinc.com>
References: <45A52447.3020204@immunityinc.com>
Message-ID: <20070110205148.GF5592@cs.ucla.edu>

On Wed, Jan 10, 2007 at 12:37:11 -0500, Dave Aitel wrote:
> You can send a remarkably small stream of data at a NIDS and cause it
> to go to 100% CPU and stop doing analysis if you send the RIGHT stream
> of data.

The canonical paper is Rice and Wallach's "Denial of Service via Algorithmic Complexity Attacks" [1], from USENIX Security '03. They also have a page [2] with some followup work identifying specific vulnerabilities.

Cheers,
Matt

[1] http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf
[2] http://www.cs.rice.edu/~scrosby/hash/

From asotirov at determina.com Wed Jan 10 15:52:40 2007
From: asotirov at determina.com (Alexander Sotirov)
Date: Wed, 10 Jan 2007 12:52:40 -0800
Subject: [Dailydave] iPhone CPU
In-Reply-To: <45A5487C.6080603@polypath.com>
References: <0a2101c73446$34a76850$c7b2a8c0@D1NQ6Z1J> <1df0a410701091920h4b0fa792jc37337a022055a66@mail.gmail.com> <7DB20341F654384C8541A8E2FF63CCD727AF95@01HRNMX09-1.aes.de.ittind.com> <45A5487C.6080603@polypath.com>
Message-ID: <45A55218.6040400@determina.com>

Thor Larholm wrote:
> It's an Intel processor, probably from the XScale PXA27x family (
> http://www.intel.com/design/intelxscale/ ).
>
> 9:29am - "Let me tell you more about what this box does. 720p high def
> video.
> It's got a 40GB hard drive, which comes in handy for something
> I'm about to show you... and 802.11b/g/n, and an Intel processor. It's a
> really cool box. It works with video, music, and photos. You can
> auto-sync content from your PC, and you can stream content from up to 5
> computers."

Jobs is describing the Apple TV box above. We're talking about the iPhone.

Alex

From thor at polypath.com Wed Jan 10 16:50:18 2007
From: thor at polypath.com (Thor Larholm)
Date: Wed, 10 Jan 2007 22:50:18 +0100
Subject: [Dailydave] iPhone CPU
In-Reply-To: <614ca1240701101257i364c9c1cu6e8266eeb3b2fb5e@mail.gmail.com>
References: <0a2101c73446$34a76850$c7b2a8c0@D1NQ6Z1J> <1df0a410701091920h4b0fa792jc37337a022055a66@mail.gmail.com> <7DB20341F654384C8541A8E2FF63CCD727AF95@01HRNMX09-1.aes.de.ittind.com> <45A5487C.6080603@polypath.com> <614ca1240701101257i364c9c1cu6e8266eeb3b2fb5e@mail.gmail.com>
Message-ID: <45A55F9A.9070109@polypath.com>

> Neil Jones wrote:
> Those specs are for the (Apple)TV, not the iPhone.

You are all correct, those specs are for the @TV, not the iPhone. I was going to add a part about "if @TV why not iPhone?", but I was tired (it's getting late in Denmark :). It's sometimes easy to get confused when all their other product launches were based on Intel and when Apple Germany themselves confirmed to Reuters that it was an Intel chip. Intel's shares also rose on that confirmation and have not rebounded completely yet!

Both Apple Inc. and Intel have now disputed what Apple Germany said, confirming that Intel "does not provide the silicon" for the iPhone:
http://www.washingtonpost.com/wp-dyn/content/article/2007/01/10/AR2007011001309.html

They could all be technically correct, despite contradicting each other, since Marvell Technology Group now owns Intel's old mobile division and they're one of the potential suppliers.
Which would mean an Intel chip not supplied by Intel:
http://chip.seekingalpha.com/article/23847
http://news.moneycentral.msn.com/provider/providerarticle.aspx?feed=AP&Date=20070110&ID=6332578

Beh, time will tell. Screw you guys, I'ma going home.

Regards
Thor Larholm

From simon.cooper at gmail.com Wed Jan 10 15:49:11 2007
From: simon.cooper at gmail.com (Simon Cooper)
Date: Wed, 10 Jan 2007 12:49:11 -0800
Subject: [Dailydave] iPhone CPU
In-Reply-To:
References:
Message-ID:

On 1/10/07, Pusscat wrote:
> I think Halvar is all set :)
>
> Also, while we have you here, how come you guys always tell me, "can't
> reproduce" then fix things silently later?

First - I am going to answer your question literally.

Disclaimer - I am not directly responsible for the people and processes that occur when security problem reports come into Apple. However, what you describe isn't how other security problems are handled at Apple.

When did you report this? Was it within the last 3 years?

Because of the words you have used, it sounds like you might have filed a problem directly into Apple's bug tracking system. When you filed it did you give it a security "Classification"? Or, did you send your problem report to ? Either way you will have received a tracking number. What is / was it?

Did your report/email include the information that could have been used to reproduce it? Were you asked for more information? Did you give it? Was there a crash dump?

My second answer, just to cover all the bases is.... African or European swallow?

> On 1/10/07 1:45 AM, "Simon Cooper" wrote:
>
> > On 1/9/07, Halvar Flake wrote:
> >>
> >> Hey all,
> >>
> >> with all this hoopla around the iPhone, is this beast running
> >> an ARM ? I have doubts about a mobile device being based
> >> on x86, so does anyone have details about what sort of
> >> shellcode needs to be written ?
> >>
> >> Cheers,
> >> Halvar
> >
> > Do you really want to know the answer to this question?
> > Do you want
> > to demonstrate your skill in developing a platform that is resistant
> > to malware?
> >
> > If so, then you should apply, get offered and accept the software
> > security position I currently have open at Apple. This is work in
> > Core OS for Mac OS X.
> >
> > I am not a recruiter - I am the hiring manager. Email me if you are
> > interested.
>
> ~ Puss

--
Simon Cooper

From lists at kriptik.org Wed Jan 10 16:02:26 2007
From: lists at kriptik.org (lists)
Date: Wed, 10 Jan 2007 16:02:26 -0500
Subject: [Dailydave] Fwd: How important is FIPS 140-2 Level 1 cert?
In-Reply-To: <20070109200137.GA16988@codeblau.de>
References: <20061229222951.21553.qmail@securityfocus.com> <20070109200137.GA16988@codeblau.de>
Message-ID: <45A55462.5030303@kriptik.org>

On 9 Jan 2007 21:01:37 +0100, felix-dailydave at fefe.de wrote:
> Thus spake Saqib Ali (docbook.xml at gmail.com):
>> The following excellent post by Karl Levinson appeared on
>> Security-Basics mailing list:
> FIPS basically says that someone took a few test vectors, ran the
> product algorithms on them, and the right results came out.

The full set of FIPS 140-2 testing requirements can be found in [1]. They include things like authentication and authorization, and key management, as well as looking at the particular cryptographic algorithms being used and self-testing. Labs require access to the full code (software, firmware, hardware) of the module as well as the module itself, and they do look at and play with these things. But, of course, their examination is limited to the scope of the requirements [1].

>> Like NIAP Common Criteria, FIPS certification is probably expensive
>> and time consuming for the vendor, so that the products that get it
>> would tend to be older products from larger, more monolithic
>> companies, which may not necessarily guarantee you're getting
>> superlative security.
>
> Haha, well said.

Actually plenty of smaller companies have gone through FIPS 140 validations.
While a few big boys might pump out many FIPS 140 validations (often for very related products), the overall vendor list [2] is not made up of just these players. (I guess the key word in the original paragraph is "probably." In other words, a guess.)

>> Bottom line, make sure you know what FIPS certification does and
>> doesn't guarantee. I'm not sure I would pay double for a product that
>> might be less secure than the cheaper solution, depending on how
>> exactly it's implemented. But then that also depends on your security
>> needs and your tolerance for various kinds of risk, so there's no one
>> universal answer that is true for all.
>
> Since FIPS does not guarantee anything tangible, I would generally stay
> clear of FIPS certified products. It means the vendor rather spent
> money on a dubious certification than on making the product better.

Nothing tangible, except that a product meets a well-defined set of requirements [1]. If those requirements meet your needs, great. If not, look elsewhere. (I guess the key words in the original paragraph are "depends on your security needs and your tolerance for various kinds of risk.")

> Now, story time. :-)
>
> I once had this revealing discussion with the head of the German agency
> that does this kind of certification. I asked him what kind of bugs
> they would have to find so a product does not get certified. And he
> said: all products get certified. They don't look for bugs. Even if
> they wanted to, they don't have the manpower. So I asked, if a really
> obvious back door happened to fall in their lap, what would they do.
> And he said they had that case once. They complained and got shot down
> for it politically. Turns out it was some kind of NATO thing. *cough*

FIPS 140 has nothing to do with German agencies. The validation program is run by the USA and Canada, which jointly issue validation certificates after a module has passed lab testing and NIST/CSE QA.
(If it ever happened that a module was found to have a backdoor after validation, I imagine the validation would be revoked. I could see US agencies and their contractors being required to immediately cease use of the module and assess the impacts of the backdoor, and other private entities using the module being recommended to do the same.) I have heard of FIPS 140-2 validations digging up all sorts of problems, from improperly implemented cryptographic algorithms to poor seeding of PRNGs to data being passed around the clear that was supposed to be encrypted to authenticated operators not quite being authenticated. Sure, these are obvious when someone takes a look, but someone needs to take a look. And, no, FIPS 140-2 is not searching through every spec of code for general software bugs and backdoors. Even if it did, there is no process in place to ensure that the vendor is actually providing the same exact version of the module that was audited. If this is what you are looking for, you will need to look elsewhere. -Andrew [1] http://csrc.nist.gov/cryptval/140-1/fips1402DTR.pdf [2] http://csrc.nist.gov/cryptval/140-1/1401vend.htm From smithr at cs.wisc.edu Wed Jan 10 17:58:07 2007 From: smithr at cs.wisc.edu (Randy Smith) Date: Wed, 10 Jan 2007 16:58:07 -0600 Subject: [Dailydave] Algorithmic Bugs In-Reply-To: <1df0a410701101246w54405fbcw2b8fab99917cc0d5@mail.gmail.com> References: <45A52447.3020204@immunityinc.com> <1df0a410701101246w54405fbcw2b8fab99917cc0d5@mail.gmail.com> Message-ID: <45A56F7F.5000008@cs.wisc.edu> Linearizing hash tables is a trick that has been known about for a while. I do believe it could be considered the "classic attack", as you suggest. Of course, in our paper we showed the same kinds of effects (denial of service) using entirely different techniques (excessive backtracking). We also proposed and implemented a solution that fairly effectively neutralizes the attack. 
--Randy

Thomas Ptacek wrote:
> Tim Newsham worked on this in 1997-1998 (and in that respect the paper
> gets its cites a bit wrong; I'm pretty sure there are published hash
> table results prior to 2003). My sense is that the "classic" attack
> here is "turn chaining hash tables into linked lists with a collision
> extension function".
>
> On 1/10/07, Dave Aitel wrote:
>> Best paper at a conference I went to recently here in Miami Beach.
>>
>> http://www.cs.wisc.edu/~smithr/pubs/acsac2006.pdf
>>
>> Summary:
>> You can send a remarkably small stream of data at a NIDS and cause it
>> to go to 100% CPU and stop doing analysis if you send the RIGHT stream
>> of data. This is basically undetectable (i.e. does not crash snort).
>> Was fixed in Snort 2.6.1 (I believe). Some snort rules have a 1
>> million to 1 expansion if you do it right (from what I read - I
>> haven't tested this out yet - but it would make a great CANVAS module!)
>>
>> The presentation is clearer than the paper. I hope they put it online.
>>
>> Similar bugs exist in major commercial Python exploitation frameworks
>> (i.e. you can tartrap CANVAS if you do it right). The more high level
>> the language, the easier it is to get caught by something like this.
>>
>> -dave
>>
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave at lists.immunitysec.com
>> http://lists.immunitysec.com/mailman/listinfo/dailydave

From coley at mitre.org Wed Jan 10 18:32:21 2007
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 10 Jan 2007 18:32:21 -0500 (EST)
Subject: [Dailydave] Algorithmic Bugs
Message-ID: <200701102332.l0ANWLIA002265@faron.mitre.org>

We have some coverage of these kinds of issues in the Common Weakness Enumeration entry on Algorithmic Complexity at:

http://cwe.mitre.org/data/definitions/407.html

This includes 6 specific CVE examples, some of which don't involve hash collisions, and we do reference the Crosby/Wallach paper. Wandering through the node relationships will find semi-related issues, especially under its parent, Asymmetric resource consumption (amplification), CWE-405.

Some DailyDave readers will likely quibble with some of the classification or wording, but we'd be glad for any feedback.

- Steve

From matt at use.net Wed Jan 10 21:11:10 2007
From: matt at use.net (Matt)
Date: Wed, 10 Jan 2007 18:11:10 -0800 (PST)
Subject: [Dailydave] Algorithmic Bugs
In-Reply-To: <45A56F7F.5000008@cs.wisc.edu>
References: <45A52447.3020204@immunityinc.com> <1df0a410701101246w54405fbcw2b8fab99917cc0d5@mail.gmail.com> <45A56F7F.5000008@cs.wisc.edu>
Message-ID:

On Wed, 10 Jan 2007, Randy Smith wrote:
> Linearizing hash tables is a trick that has been known about for a
> while. I do believe it could be considered the "classic attack", as you
> suggest.
>
> Of course, in our paper we showed the same kinds of effects (denial of
> service) using entirely different techniques (excessive backtracking).
> We also proposed and implemented a solution that fairly effectively
> neutralizes the attack.

When developing the buffer iteration bug detection in BugScan, we hit excessive backtracking issues in our testing that we had to creatively work around. Through a combination of really shitty code (wu-imapd from redhat 5.2, some components of adobe acrobat, all of oracle, etc) and possibly poor but definitely strange optimization, the iteration analysis would take many, many orders of magnitude longer than it should have -- even for small (depth of 50) bounded graphs.
I suspect that this kind of attack could be used to make vulnerability analysis on binary code (or source code, actually) more difficult. By more difficult, I mean that analysis developers will have to think of creative ways to color the graph like we did. By the end we were analyzing iterations with a block depth in the hundreds very quickly and with no known false positives. It took a while to get there, though, due to running the analysis on thousands of binaries in system tests, and developing the unit testing framework to make it easy to test. The upside was once we moved forward, we never moved back. Much appreciated by customers :)

-- 
tangled strands of DNA explain the way that I behave.
http://www.clock.org/~matt

From rasco.angel at gmail.com Thu Jan 11 07:34:35 2007
From: rasco.angel at gmail.com (rasco angel)
Date: Thu, 11 Jan 2007 15:34:35 +0300
Subject: [Dailydave] Heap Overflow
Message-ID:

Hi,

Who can help? I have written an exploit for MDaemon under Windows 2003 SP1; it works under a debugger, but without a debugger it does not work. What is the trouble? The environment variable _NO_DEBUG_HEAP=1 (windbg) is set.

Kind regards

From tqbf at matasano.com Thu Jan 11 07:58:25 2007
From: tqbf at matasano.com (Thomas Ptacek)
Date: Thu, 11 Jan 2007 06:58:25 -0600
Subject: [Dailydave] iPhone CPU
In-Reply-To: <17b0fcab0701110025q31bec4d0n2d7752b747103595@mail.gmail.com>
References: <0a2101c73446$34a76850$c7b2a8c0@D1NQ6Z1J> <1df0a410701091920h4b0fa792jc37337a022055a66@mail.gmail.com> <7DB20341F654384C8541A8E2FF63CCD727AF95@01HRNMX09-1.aes.de.ittind.com> <45A5487C.6080603@polypath.com> <1df0a410701101247v63d6f8d9rb188baab8d19443c@mail.gmail.com> <17b0fcab0701110025q31bec4d0n2d7752b747103595@mail.gmail.com>
Message-ID: <1df0a410701110458u2d5d102ay4445dae3518424ae@mail.gmail.com>

No question ARM is capable of running the iPhone, but OSX already supports x86 and PPC, both of which (particularly PPC) are viable in a phone setting.

I've written ARM assembly too and have to ask, why do people like it so much?

On 1/11/07, Jamie Riden wrote:
> On 11/01/07, Thomas Ptacek wrote:
> > Ok, I'm going to extend my run of bad predictions and say that there's
> > an x86 part in here, not an ARM.
>
> Quite possible it's ARM - I think ARM will handle the load quite
> happily and as far as I'm informed, it's a lot nicer than x86 for
> embedded stuff. (I used to write assembly code for ARM2 and 3 and
> it's a gorgeous instruction set to play with.)
>
> cheers,
> Jamie
> --
> Jamie Riden, CISSP / jamesr at europe.com / jamie.riden at gmail.com
> NZ Honeynet project - http://www.nz-honeynet.org/

From tqbf at matasano.com Thu Jan 11 10:33:51 2007
From: tqbf at matasano.com (Thomas Ptacek)
Date: Thu, 11 Jan 2007 09:33:51 -0600
Subject: [Dailydave] iPhone CPU
In-Reply-To: <1df0a410701110458u2d5d102ay4445dae3518424ae@mail.gmail.com>
References: <0a2101c73446$34a76850$c7b2a8c0@D1NQ6Z1J> <1df0a410701091920h4b0fa792jc37337a022055a66@mail.gmail.com> <7DB20341F654384C8541A8E2FF63CCD727AF95@01HRNMX09-1.aes.de.ittind.com> <45A5487C.6080603@polypath.com> <1df0a410701101247v63d6f8d9rb188baab8d19443c@mail.gmail.com> <17b0fcab0701110025q31bec4d0n2d7752b747103595@mail.gmail.com> <1df0a410701110458u2d5d102ay4445dae3518424ae@mail.gmail.com>
Message-ID: <1df0a410701110733l57430801y6dfe7cf718aac41e@mail.gmail.com>

Our favorite Mac pundit John Gruber has the scoop:

http://daringfireball.net/2007/01/iphone_arm

The job posting seems like a smoking gun; it's ARM. So, I'm wrong 3 consecutive times!

From pol.dls at gmail.com Thu Jan 11 11:12:31 2007
From: pol.dls at gmail.com (Paul Sabanal)
Date: Fri, 12 Jan 2007 00:12:31 +0800
Subject: [Dailydave] iPhone CPU
In-Reply-To: <0a2101c73446$34a76850$c7b2a8c0@D1NQ6Z1J>
References: <0a2101c73446$34a76850$c7b2a8c0@D1NQ6Z1J>
Message-ID: <9d0eab3b0701110812k3321060co8fb87c6d9e6c48ba@mail.gmail.com>

Maybe this would give us a clue :)

http://jobs.apple.com/index.ajs?BID=1&method=mExternal.showJob&RID=4063&CurrentPage=1

"The iPhone team is seeking a highly motivated Embedded SW Engineer to develop middleware and low-level drivers for Bluetooth and WiFi enabled products... Additional Success Factors: - Solid understanding of embedded hardware platforms (ARM processors, SDIO, UARTs, etc)"

Paul

On 1/10/07, Halvar Flake wrote:
>
> Hey all,
>
> with all this hoopla around the iPhone, is this beast running
> an ARM ? I have doubts about a mobile device being based
> on x86, so does anyone have details about what sort of
> shellcode needs to be written ?
>
> Cheers,
> Halvar

From joanna at invisiblethings.org Sun Jan 14 13:24:28 2007
From: joanna at invisiblethings.org (Joanna Rutkowska)
Date: Sun, 14 Jan 2007 19:24:28 +0100
Subject: [Dailydave] wanted: run_as_low_integrity command on Vista?
Message-ID: <45AA755C.7040208@invisiblethings.org>

Does anybody know of any *off-the-shelf* tool/command that could be used to launch a process in low integrity mode on Vista? Something like:

runaslow

joanna.

BTW, I read this:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ietechcol/dnwebgen/protectedmode.asp

and I think I know how to do that in C - it's just that I can't believe that MS (or at least Mark Russinovich) hasn't shipped such a tool...

From dailydave at digitaloffense.net Mon Jan 15 11:19:47 2007
From: dailydave at digitaloffense.net (dailydave at digitaloffense.net)
Date: Mon, 15 Jan 2007 10:19:47 -0600
Subject: [Dailydave] Uninformed Journal Release Announcement: Volume 6
Message-ID: <200701151019.47634.dailydave@digitaloffense.net>

Uninformed is pleased to announce the release of its sixth volume. This volume includes 3 articles on reverse engineering and exploitation technology.
These articles include:

- Engineering in Reverse: Subverting PatchGuard Version 2
  Author: Skywing

- Engineering in Reverse: Locreate: An Anagram for Relocate
  Author: skape

- Exploitation Technology: Exploiting 802.11 Wireless Driver Vulnerabilities on Windows
  Authors: Johnny Cache, H D Moore, skape

This volume of the journal can be found at:

http://www.uninformed.org/?v=6

About Uninformed:

Uninformed is a non-commercial technical outlet for research in areas pertaining to security technologies, reverse engineering, and low-level programming. The goal, as the name implies, is to act as a medium for informing the uninformed. The research presented in each edition is simply an example of the evolutionary thought that affects all academic and professional disciplines.

- The Uninformed Staff
staff [at] uninformed.org

From joanna at invisiblethings.org Tue Jan 16 09:29:23 2007
From: joanna at invisiblethings.org (Joanna Rutkowska)
Date: Tue, 16 Jan 2007 15:29:23 +0100
Subject: [Dailydave] wanted: run_as_low_integrity command on Vista?
In-Reply-To:
References: <45AA755C.7040208@invisiblethings.org>
Message-ID: <45ACE143.3000009@invisiblethings.org>

Hi Andrew,

Indeed, it seems like you can use not only chml, but also Vista's new icacls command to do that - i.e. to set the integrity level of an executable to low and then, when started (from within a process running at medium IL), the new process will run with low IL. But that seems to work only if you are starting the process in the context of the current user...

However, if one uses the runas command (or Mark's psexec) to start a process as a different user, then the new process gets medium IL, despite the fact that its executable is marked with a "Low Mandatory Level" ACE. Any idea why that happens?

Also, in [1] a method for starting a medium IL process from within IE running in Protected Mode (i.e. at low IL) is described - it requires setting appropriate entries in the registry under the HKLM\Software\Microsoft\IE key. The question is: is there any way to do that for other low integrity processes, besides IE? E.g. I would like to allow my Thunderbird.exe (running as low IL) to start gpg.exe at medium IL, without popping the consent dialog box (as my Thunderbird typically starts gpg.exe a few dozen times every day)?

joanna.

[1] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ietechcol/dnwebgen/protectedmode.asp

Andrew Cushman wrote:
> Here's what Mark Russinovich said...
>
>
> -----Original Message-----
> From: Mark Russinovich
> Sent: Monday, January 15, 2007 9:27 AM
> To: Andrew Cushman
> Subject: RE: [Dailydave] wanted: run_as_low_integrity command on Vista?
>
>
> I'm going to add support for this to Process Explorer in the near
> future. In the meantime she can make a copy of cmd.exe and set its
> integrity level to low using Mark Minasi's Chml tool:
> http://www.minasi.com/vista/chml.htm

From dave at immunityinc.com Wed Jan 17 13:29:45 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Wed, 17 Jan 2007 13:29:45 -0500
Subject: [Dailydave] SILICA demos at RSA
Message-ID: <45AE6B19.4000203@immunityinc.com>

Alex (the lead SILICA developer) is going to be at RSA on the 7th and 8th of February (Thursday and Friday). He'll have SILICA and a demo setup for people who want to see it. Feel free to email him at alex at immunityinc.com. He'll also have a phone during the conference you can use to coordinate meet-ups and that sort of thing.

We've put some new pictures of the device itself, the GUI, and some sample runs here:

http://www.immunityinc.com/products-silica.shtml

I think one of the factors we've managed to keep throughout development is an element of "fun". I dunno why I think it's so fun to know that the person sitting next to me in Starbucks is running XP SP1 with their whole hard drive shared out and a username of "fashiongirl", but it is. :>

One of the themes running through my head is "Broadness" lately. I've noticed there are some people who specialize, like insects, in just Windows overflows, and then there are the people who can do both overflows and web attacks and if they can do overflows can do them against MIPS/SPARC/PPC/etc. Or, you get the opposite: people who can just do web attacks. There's enough web assessment work to go around, but the last few web assessments I've seen had overflows in the reports on random third party DLLs. I dunno. Just a theme running through my head.
We can probably add "lock-picking" to the list since things like SILICA or a PCI-board trojan require physical skills that are even more rare. For the record, I'm the worst lock-picker ever. Even on the baby-locks at defcon's lockpick booths I fail miserably.

-dave

From dr at kyx.net Thu Jan 18 18:56:58 2007
From: dr at kyx.net (Dragos Ruiu)
Date: Thu, 18 Jan 2007 15:56:58 -0800
Subject: [Dailydave] EUSecWest 2007 Papers
Message-ID: <200701181556.58254.dr@kyx.net>

Hi,

For those who asked, we are still processing the submissions for CanSecWest and the call has closed, please stand by.

The paper selections are back from the reviewers for EUSecWest, in London on March 1-2. In absolutely random order:

Threats against and protection of Microsoft's internal network - Greg Galford, Microsoft
Linux Kernel == Security Nightmare - Marcel Holtmann, Red Hat
/GS and ASLR in Windows Vista - Ollie Whitehouse, Symantec
Fuzzing: history, perspectives and limits - Christian Wieser, Oulu university
The new OWASP Web Application Penetration Testing Methodology - Matteo Meucci & Alberto Revelli, OWASP-Italy
Reverse Engineering Malicious Javascript - Jose Nazario, Ph.D., Arbor
Bypassing NAC Systems - Ofir Arkin, Insightix
RFID - Adam Laurie, trifinite
Protecting Next-Gen Networks @ Nx10G link sizes - Jim Deleskie, Teleglobe
Video Conferencing Security - Navid Jam, Sandia National Laboratories
Software Virtualization Based Rootkits - Sun Bing
VoIP Attacks! - Dustin D. Trammell, TippingPoint
Windows Vista Exploitation Countermeasures - Richard Johnston, Microsoft
OSX Security - Daniel Cuthbert, Corsaire
Distributed drone-based malware propagation and deployment automation - Emmanuel H

We have added a new RFID dojo in London with Adam, and Nico has a new VoIP Security dojo amongst the new dojos to be announced for CanSecWest along with the paper selections. Dojos for London have final schedules now.

cheers,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K. Mar 1-2 - 2007 http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp

From dave at immunityinc.com Sun Jan 21 06:02:25 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Sun, 21 Jan 2007 06:02:25 -0500
Subject: [Dailydave] The Jungle, globalized.
Message-ID: <45B34841.6010108@immunityinc.com>

I'm in Singapore, the urbanized rain forest - a concrete jungle, if you will. Faintly through the hotel window I can hear an endless commercial playing on a 52 inch TV next to the place I had dinner. The advertisement is of international superstar Tiger Woods, who I'm sure, at some point, has taken the 18 hour flight to come here to play golf.

I will say this: I've been a few places in the past years. Singapore is the most welcoming. The service on Singapore airlines is better than all the airlines everyone swears are really good. I never fly business class unless they give me a free upgrade, but Singapore Air economy is better than the business class on domestic flights in the states. Of course, it would have to be, on an 18 hour flight, the longest commercial flight available.

Remember back when you would come into the United States, show your passport, and the desk officer would stamp it and say "Welcome Home"? That's the feeling Singapore gives to travelers - on purpose, of course. It's shrewd business policy.
When you enter the United States now the desk officer interrogates you a bit, and then growls at you to go, as if disappointed you aren't a threat. This is as bad for business as Argentina's PSP-stealing customs policy. (Immunity bought Dami a PSP for Christmas, and then the customs officer stole it. Getting computers to your employees in Argentina can take months, and sometimes their pay goes into strange black holes. It's the dark side of offshoring that no one ever talks about. The global economy is fickle. Countries either fix these sorts of issues or become the next . . . )

As the flip side of the coin, Singapore is globalization personified. There's a Starbucks within spitting distance of my room, and no less than five 7-11's. I grew up in 7-11s, and it's weird to see them here selling rice balls and steamed dumplings. Where's the little machine that rotates the hot dogs?

Anyways, I need caffeine within reach since tomorrow I start a full week of Unethical Hacking training. The very first one with ImmDBG. As always, I teach my classes with the CVS version of CANVAS and VisualSploit. Keeps me on my toes.

-dave

From elite_netbios at yahoo.com Sat Jan 20 07:54:50 2007
From: elite_netbios at yahoo.com (Hamid . K)
Date: Sat, 20 Jan 2007 04:54:50 -0800 (PST)
Subject: [Dailydave] Any news about old NISCC Vulnerability Advisory IPSEC - 004033 ?
Message-ID: <20070120125450.69638.qmail@web90515.mail.mud.yahoo.com>

Hi,

While reviewing old titles and advisories related to the IPSec protocol, my old notes about "NISCC Vulnerability Advisory IPSEC - 004033" caught my eye again. At the time I documented that for my own personal reference, there were no technical details available about the topic, and after a while I completely forgot the case.

After that advisory, was anything (code, technical documents, a more in-depth advisory) published by NISCC or other vendors? Focusing on Microsoft and Cisco, I don't remember any patch/hotfix released covering this issue (or was I blind?).

I guess I'll try to implement the mentioned attack vectors soon, so if anybody on the list has already tried it I would be thankful to read from him/her here :>

regards
Hamid.K

From unknown.pentester at gmail.com Sun Jan 21 09:58:35 2007
From: unknown.pentester at gmail.com (pagvac)
Date: Sun, 21 Jan 2007 14:58:35 +0000
Subject: [Dailydave] Any news about old NISCC Vulnerability Advisory IPSEC - 004033 ?
In-Reply-To: <20070120125450.69638.qmail@web90515.mail.mud.yahoo.com>
References: <20070120125450.69638.qmail@web90515.mail.mud.yahoo.com>
Message-ID:

I believe this vulnerability was found by the security research group of Royal Holloway university and the following is - I believe - the paper detailing the findings:

http://eprint.iacr.org/2005/416.pdf

-- 
pagvac [http://ikwt.com/]

From dave at immunityinc.com Mon Jan 22 18:46:19 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Mon, 22 Jan 2007 18:46:19 -0500
Subject: [Dailydave] Singapore Sling and SafeSEH
Message-ID: <45B54CCB.7010806@immunityinc.com>

One thing that happens when you have someone visit you from another country is that you have to go do all the touristy things. For example, everyone makes Thomas Lim have a Singapore Sling at Raffles when they visit Singapore. (http://picasaweb.google.com/dave.aitel/Singapore ). According to rumor, Mark Maiffret, Chief Hacking Officer of eEye, was a bit too manly to have such a girly drink, but sometimes, you have to bend to tradition.

One thing Thomas asked me yesterday was "Why would you write your own debugger?" Which is a darn good question. A debugger is not a simple thing. It's a big investment in time and life force. But yesterday while we were tal