From secadmin at netsecdesign.com Thu Mar 1 02:36:34 2007
From: secadmin at netsecdesign.com (Security Admin (NetSec))
Date: Wed, 28 Feb 2007 23:36:34 -0800
Subject: [Dailydave] Is Windows Integrity Control in Vista really worth the performance hit? And does it really work?
Message-ID: <8D870AB38C30EC4C848A11A3F83D20D8146FA3DC@exchange2007.mmicmanhomenet.local>

I have been playing around with Vista for about a year; to date I cannot find a reason why one would take the productivity hit to upgrade. For those who do not know what WIC is, there is a good intro write-up at http://www.securityfocus.com/infocus/1887. While Windows Integrity Control (WIC) is somewhat secure, I was able to elevate privileges on programs using a tool from a friend of mine. Presumably one could use this tool or one like it to elevate their privileges as well. Has anyone tried to elevate all the way to SYSTEM? I know it is possible to elevate from Low to Medium to High.

It seems to me that the Linux and BSD folks have figured out how to implement access controls without a heavy load on the system; Vista really chokes.

Edward Ray

--
This mail was scanned by BitDefender
For more information please visit http://www.bitdefender.com

From joanna at invisiblethings.org Thu Mar 1 08:44:05 2007
From: joanna at invisiblethings.org (Joanna Rutkowska)
Date: Thu, 01 Mar 2007 08:44:05 -0500
Subject: [Dailydave] Is Windows Integrity Control in Vista really worth the performance hit? And does it really work?
In-Reply-To: <8D870AB38C30EC4C848A11A3F83D20D8146FA3DC@exchange2007.mmicmanhomenet.local>
References: <8D870AB38C30EC4C848A11A3F83D20D8146FA3DC@exchange2007.mmicmanhomenet.local>
Message-ID: <45E6D8A5.3050803@invisiblethings.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Security Admin (NetSec) wrote:
> I have been playing around with Vista for about a year; to date I
> cannot find a reason why one would take the productivity hit to
> upgrade. For those who do not know what WIC is, there is a good intro
> write-up at http://www.securityfocus.com/infocus/1887. While Windows
> Integrity Control (WIC) is somewhat secure, I was able to elevate
> privileges on programs using a tool from a friend of mine.

Lucky you! (to have such helpful friends ;)

> Presumably one could use this tool or one like it to elevate their
> privileges as well. Has anyone tried to elevate all the way to
> SYSTEM? I know it is possible to elevate from Low to Medium to High.
>

I'm sure everybody on this list would love to hear the details :)

> It seems to me that the Linux and BSD folks have figured out how to
> implement access controls without a heavy load on the system; Vista
> really chokes.
>

"Heavy load on the system"? That's interesting... How about we don't mix our subjective opinions about performance, UI functionality, etc, with technical discussions about security mechanisms?

joanna.

-----BEGIN PGP SIGNATURE-----

iD8DBQFF5tijORdkotfEW84RAh3JAKDEpuMgBxh5vqAEj+EgImVppxBsMACfXn96
GOv0S1r3CDC3ML9EoUBmMmM=
=tbXW
-----END PGP SIGNATURE-----

From rodrigo at kernelhacking.com Thu Mar 1 07:40:53 2007
From: rodrigo at kernelhacking.com (Rodrigo Rubira Branco (BSDaemon))
Date: Thu, 1 Mar 2007 12:40:53 -0000
Subject: [Dailydave] Is Windows Integrity Control in Vista really worth the performance hit? And does it really work?
Message-ID: <20070301154053.41B9D8BD0B@mail.fjaunet.com.br>

This kind of protection is needed to obtain an EAL certification level 4+ (or more)... Capabilities like SELinux have existed in Linux for a long time and offer a little impact on the overall system performance (but that impact exists)... We need to first think: in Windows we have more things to care about, so it's more difficult to implement this type of protection (and for sure, more performance impact is hit). Linux solutions can be bypassed as well. The main difference here is how the solutions are implemented...
To obtain an EAL xyz certification, Linux introduces SELinux in the kernel, using the LSM framework... it's more bugged than great (who doesn't agree with me??). But other ACL mechanisms exist for Linux (for sure, without the complexity and resources offered by SELinux), like grsecurity (I like it).

Cya,

Rodrigo (BSDaemon).

--
http://www.kernelhacking.com/rodrigo
Kernel Hacking: If i really know, i can hack
GPG KeyID: 5E90CA19

________________________________________________
Message sent using UebiMiau 2.7.2

From sgrubb at redhat.com Thu Mar 1 16:02:30 2007
From: sgrubb at redhat.com (Steve Grubb)
Date: Thu, 1 Mar 2007 16:02:30 -0500
Subject: [Dailydave] Is Windows Integrity Control in Vista really worth the performance hit? And does it really work?
In-Reply-To: <20070301154053.41B9D8BD0B@mail.fjaunet.com.br>
References: <20070301154053.41B9D8BD0B@mail.fjaunet.com.br>
Message-ID: <200703011602.30824.sgrubb@redhat.com>

On Thursday 01 March 2007 07:40, Rodrigo Rubira Branco (BSDaemon) wrote:
> Capabilities like selinux exist in linux a long time and offer a little
> impact in the overall system performance (but that impact exists)...

True, there is a little impact and it varies based on actual workload.

> Linux solutions can be bypassed as well.

Any kernel exploit that allows writing to arbitrary kernel memory can potentially defeat any kernel protection mechanism.

> To obtain an EAL xyz certification, linux introduces the SELinux in the
> kernel,

We got eal4+ without SE Linux as part of the eval.

> using the LSM framework... its more bugged than great (who don't agree with
> me??).

I don't agree with you. I don't have any bug report in our bugzilla that is traced to the kernel implementation.

-Steve

From rodrigo at kernelhacking.com Thu Mar 1 14:12:41 2007
From: rodrigo at kernelhacking.com (Rodrigo Rubira Branco (BSDaemon))
Date: Thu, 1 Mar 2007 19:12:41 -0000
Subject: [Dailydave] Is Windows Integrity Control in Vista really worth the performance hit? And does it really work?
Message-ID: <20070301221241.4285C8BD16@mail.fjaunet.com.br>

Hello Steve, thanks for your reply!
> Any kernel exploit that allows writing to arbitrary kernel memory can potentially defeat any kernel protection mechanism.

Sure, but I don't like "any" in the keyword... when you have PaX + StMichael you don't just need arbitrary kernel writing but also multiple writes and lots of things to discover...

> We got eal4+ without SE Linux as part of the eval.

Yeah, it depends on the TE of the certification; the new level and TE are really dependent on SELinux... in any way I have said eal4+ just because I saw it in this link http://www.internetnews.com/security/article.php/3551616

> > using the LSM framework... its more bugged than great (who don't agree with me??).
>
> I don't agree with you. I don't have any bug report in our bugzilla that is traced to the kernel implementation.

It's a design error, not necessarily an implementation one... because of that we see lots of discussion regarding how to remove it ;) I don't like so many exported hooks in my kernel... in any way I wanna know your opinion about another point that is learning-mode systems... I had a discussion about that with Joshua in the past, but no conclusions...

cya,

Rodrigo (BSDaemon).

--
http://www.kernelhacking.com/rodrigo
Kernel Hacking: If i really know, i can hack
GPG KeyID: 5E90CA19

From lists at bughunter.ca Thu Mar 1 16:22:15 2007
From: lists at bughunter.ca (J.M. Seitz)
Date: Thu, 1 Mar 2007 13:22:15 -0800
Subject: [Dailydave] Is Windows Integrity Control in Vista really worth the performance hit? And does it really work?
In-Reply-To: <45E6D8A5.3050803@invisiblethings.org>
Message-ID: <005c01c75c47$afa8fef0$4d07a8c0@jseitz>

Ouch! Joanna must have drunk ample amounts of Hatorade today!
As well I doubt this poster has used SELinux (not lightweight), tried AppArmor (slightly more friendly) or even attempted to use PaX and the rest of the grsec patches, who openly admit you are going to see an 8% performance hit or more depending on what you are running on the machine and your own particular setup. Let's not kid ourselves, doing this type of application level security comes at a cost no matter what operating system is implementing it.

Now the only tie to performance and security I can justify is that at times you are going to have to trade in a little of one for a little of the other, and I'll leave it at that before Miss Rutkowska kicks MY ass.

JS

-----Original Message-----
From: dailydave-bounces at lists.immunitysec.com [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of Joanna Rutkowska
Sent: Thursday, March 01, 2007 5:44 AM
To: Security Admin (NetSec)
Cc: dailydave
Subject: Re: [Dailydave] Is Windows Integrity Control in Vista really worth the performance hit? And does it really work?

_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave

From chris.rohlf at gmail.com Thu Mar 1 21:51:54 2007
From: chris.rohlf at gmail.com (Chris Rohlf)
Date: Thu, 1 Mar 2007 21:51:54 -0500
Subject: [Dailydave] Is Windows Integrity Control in Vista really worth the performance hit? And does it really work?
In-Reply-To: <200703011602.30824.sgrubb@redhat.com>
References: <20070301154053.41B9D8BD0B@mail.fjaunet.com.br> <200703011602.30824.sgrubb@redhat.com>
Message-ID: <1681f2df0703011851s55d73c1bi16dca276957d400@mail.gmail.com>

On 3/1/07, Steve Grubb wrote:
> On Thursday 01 March 2007 07:40, Rodrigo Rubira Branco (BSDaemon) wrote:
> > Capabilities like selinux exist in linux a long time and offer a little
> > impact in the overall system performance (but that impact exists)...
>
> True, there is a little impact and it varies based on actual workload.

The biggest impact IMHO is the administrative overhead most of these implementations create. It's almost not worth it in the end. And this experience comes from my own systems, not real production stuff. Then again the last time I tried SELinux was on Debian about 2 years ago so things could have improved.

> > Linux solutions can be bypassed as well.
>
> Any kernel exploit that allows writing to arbitrary kernel memory can
> potentially defeat any kernel protection mechanism.
>

This sort of goes without saying. But what other known 'bypasses' are there for grsec or SELinux that don't require a kernel vulnerability?
I'm asking honestly, it's been a while since I've looked into this stuff.

Chris

--
http://em386.blogspot.com

From sgrubb at redhat.com Fri Mar 2 08:27:27 2007
From: sgrubb at redhat.com (Steve Grubb)
Date: Fri, 2 Mar 2007 08:27:27 -0500
Subject: [Dailydave] Is Windows Integrity Control in Vista really worth the performance hit? And does it really work?
In-Reply-To: <20070301221241.4285C8BD16@mail.fjaunet.com.br>
References: <20070301221241.4285C8BD16@mail.fjaunet.com.br>
Message-ID: <200703020827.27377.sgrubb@redhat.com>

On Thursday 01 March 2007 14:12:41 Rodrigo Rubira Branco (BSDaemon) wrote:
> > We got eal4+ without SE Linux as part of the eval.
>
> Yeah, it depends of the TE of the certification, the new level and TE is
> really dependent of selinux... in any way i have said about eal4+ just
> because i seen in this link
> http://www.internetnews.com/security/article.php/3551616

When you talk about a certification, there are 2 parts to it. That article talks about our current effort which is LSPP/EAL4+. LSPP is the feature selection, which selinux is needed for the MAC portions of the security target. EAL4+ simply refers to the level of effort that went into design, documentation, and testing. SE Linux by itself does not meet LSPP, there was a whole lot of other work needed, too.

> > > using the LSM framework... its more bugged than great (who don't
> > > agree with me??).
> > I don't agree with you. I don't have any bug report in our bugzilla that
> > is traced to the kernel implementation.
>
> Its a design error, not necessarily implementation one... because that we
> see lots of discussion regarding how to remove it ;)

I haven't been involved in any discussions where people are asking to remove it. I have been involved in discussions where people believe they have sufficient protection in place where they want to disable it for performance.

> in any way I wanna know your opinion about another point that is
> learning-mode systems...
> i have a discussion about that with Joshua in the
> past, but no conclusions...

I can only guess that you mean systems that learn normal behavior so that abnormalities can be spotted? The problem is how do you _know_ you are observing correct behavior. You could have a trojaned app that you are now learning its behavior.

You can imagine SE Linux policy as a learning mode system where _people_ learn the app's behavior. They exercise the app, determine its normal behavior, put that into policy, and people everywhere install it.

Then one day we get a new version of something and push it into rawhide. Suddenly we have AVCs (syscall denials based on policy). The behavior has changed. Is it a trojaned app or correct but new behavior? Does anyone have a program that can make that determination?

It would take a human in the loop, either by asking the user if this is expected behavior - which they probably can't determine the implications of allowing the action (there are knowledgeable people out there, but we can't assume everyone is a programmer/admin). Or it takes skilled policy writers to make the decision and add it to policy - learning the new behavior. So, you always have this problem of version upgrades and learning new behavior. That can become the attack point.

-Steve

From endrazine at gmail.com Fri Mar 2 11:53:33 2007
From: endrazine at gmail.com (endrazine)
Date: Fri, 02 Mar 2007 17:53:33 +0100
Subject: [Dailydave] Is Windows Integrity Control in Vista really worth the performance hit? And does it really work?
In-Reply-To: <1681f2df0703011851s55d73c1bi16dca276957d400@mail.gmail.com>
References: <20070301154053.41B9D8BD0B@mail.fjaunet.com.br> <200703011602.30824.sgrubb@redhat.com> <1681f2df0703011851s55d73c1bi16dca276957d400@mail.gmail.com>
Message-ID: <45E8568D.6000505@gmail.com>

Chris Rohlf wrote:
> This sort of goes without saying. But what other known 'bypasses' are
> there for grsec or SElinux that don't require a kernel vulnerability?
> I'm asking honestly, it's been a while since I've looked into this stuff.
>

Afaik, PaX, grsec etc do _never_ randomize Xorg.

endrazine-

From kyle.c.quest at gmail.com Fri Mar 2 14:10:45 2007
From: kyle.c.quest at gmail.com (C Q)
Date: Fri, 2 Mar 2007 14:10:45 -0500
Subject: [Dailydave] Intel vPro
Message-ID:

I've been looking at the Intel vPro's Active Management Technology and it looks pretty scary. This looks like a backdoor that's there no matter what's going on. You can even connect to the system when it's turned off :-) Their conceptual diagram shows that they have a dedicated TCP/IP stack, TLS stack, and a web server among other things... HP, Gateway, and Lenovo are already selling machines with this in them... I'm curious to know if anybody has already looked for vulnerabilities in them?

From rodrigo at kernelhacking.com Fri Mar 2 17:01:17 2007
From: rodrigo at kernelhacking.com (Rodrigo Rubira Branco (BSDaemon))
Date: Fri, 2 Mar 2007 22:01:17 -0000
Subject: [Dailydave] Is Windows Integrity Control in Vista really worth the performance hit? And does it really work?
Message-ID: <20070303010117.1955B8BCEC@mail.fjaunet.com.br>

Steve,

When you have "security professionals" writing the default behavior you don't have the specific needs and the custom applications involved, and then the problem of turning everything OK begins... In practice, many people (mostly?) just disable SELinux in the installation process...

Like you have said, both have bad points (attack vectors...) but I think complexity != security, so, I'm in favour of the auto-learning systems..

cya,

Rodrigo (BSDaemon).
--
http://www.kernelhacking.com/rodrigo
Kernel Hacking: If i really know, i can hack
GPG KeyID: 5E90CA19

From chris.rohlf at gmail.com Sat Mar 3 09:44:12 2007
From: chris.rohlf at gmail.com (Chris Rohlf)
Date: Sat, 3 Mar 2007 09:44:12 -0500
Subject: [Dailydave] Is Windows Integrity Control in Vista really worth the performance hit? And does it really work?
In-Reply-To: <45E8568D.6000505@gmail.com>
References: <20070301154053.41B9D8BD0B@mail.fjaunet.com.br> <200703011602.30824.sgrubb@redhat.com> <1681f2df0703011851s55d73c1bi16dca276957d400@mail.gmail.com> <45E8568D.6000505@gmail.com>
Message-ID: <1681f2df0703030644j7360d644mf05272abd4307eb1@mail.gmail.com>

Yes you would take certain PaX permissions off applications that require an executable stack (x.org, jvm come to mind). But proper SELinux controls can still be applied to them. I was more specifically looking for how to bypass those MAC and RBAC features of SELinux and grsecurity without a kernel vulnerability.

Chris

On 3/2/07, endrazine wrote:
> Chris Rohlf wrote:
> > This sort of goes without saying. But what other known 'bypasses' are
> > there for grsec or SElinux that don't require a kernel vulnerability?
> > I'm asking honestly, it's been a while since I've looked into this stuff.
> >
> Afaik, PaX, grsec etc do _never_ randomize Xorg.
>
>
> endrazine-

--
http://em386.blogspot.com

From spender at grsecurity.net Sat Mar 3 11:16:12 2007
From: spender at grsecurity.net (Brad Spengler)
Date: Sat, 3 Mar 2007 11:16:12 -0500
Subject: [Dailydave] On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns
Message-ID: <20070303161612.GA10837@grsecurity.net>

Re:[Dailydave] Is Windows Integrity Control in Vista really worth the performance hit? And does it really work?

I'd like to comment on a couple things. Also, if there are any security historians on the list, I submit for your record-keeping what I believe to be the first public exploit for a null ptr dereference bug in the Linux kernel. It was developed in a matter of hours on August 10th, 2006.
The bug has been fixed and the bug class has been leaked by ilja (though PaX already had added complete protection from the bug class months before ilja's leak ;)), so the only purpose of releasing this is to insert that seed of doubt into SELinux users who buy into the "information flow graph" and "proven security model" propaganda.

The URL for the exploit:
http://grsecurity.net/~spender/exploit.tgz

Full details about the exploit are in the README file in the tarball. For the curious, the vulnerable versions of Linux were 2.6.17->2.6.17.6

Now on to the comments:

1) Re: "Any kernel exploit that allows writing to arbitrary kernel memory can potentially defeat any kernel protection mechanism." (sgrubb at redhat.com)

Now that anyone can plug my SELinux-disabling function into their kernel exploit, I'd like all RedHat employees to stop using "potentially" in any similar sentence from now on. The heuristics are generic enough to have allowed the exploit to work on a custom-compiled kernel as well as the default kernel in Fedora Core 6 Test 1. Did I also mention it disables all other LSM modules as well, atomically?

2) If anyone wants to waste some time finding out the answer to this question, I'd be interested in knowing what other distribution kernels were/are still vulnerable to that bug. The reason I ask this is because the bug was fixed silently with only a "splice: fix problems with sys_tee()" changelog, even though the submitter of the patch knew it to be a local DoS (but still oblivious to the exploitability of this class of bugs, particularly in this case). For kicks, you can read the LKML thread here:
http://lkml.org/lkml/2006/7/7/34

3) Re: "I can only guess that you mean systems that learn normal behavior so that abnormalities can be spotted? The problem is how do you _know_ you are observing correct behavior. You could have a trojaned app that you are now learning its behavior." (sgrubb at redhat.com)

If I'm downloading signed updates from RedHat that are trojaned, I think I have more of a problem than learning on my hands. So that can't be the problem. What about third-party apps then for which there exists no SELinux policy? I think you severely overestimate the intelligence of most administrators in their ability to determine at such a low level what kind of access a program needs to the system. Is each administrator then required to completely audit the source of all apps for which no policy exists? What if no source is available? Is every administrator supposed to be an expert in IDA Pro and unpacking? People don't learn the app's behavior, administrators don't have time when customers are complaining: they disable SELinux.

There's a reason why SELinux is still around. The users clearly haven't asked for something of this complexity and unusability. When you have an unworkable "solution" to a problem, there's lots of money to be made in making it workable. (The fact that there even exists a company like Tresys is proof of this.)

Unrelated, but while I'm here:

4) Some of you may have seen a "toto toto" individual posting on FD recently about selling grsecurity exploits. I contacted the person and was able to obtain his "vulnerability." It involved the RBAC policy loading code, only accessible to fully-privileged root users, and was not even a bug. The amateur auditor didn't know the semantics of strnlen_user (it returns the length of the string, including the null character) and assumed there was a non-null termination bug (which was then "somehow" exploitable ;))

In summary: SELinux's guarantees aren't worth as much as they claim to be, Linux has lots of null pointer dereference bugs and some of them are exploitable, intentionally silently fixing a security bug has been demonstrated in the Linux kernel, and grsecurity/PaX is the only thing in any OS that will protect you against invalid userland dereference bugs (of which null ptr dereference bugs are a subset), unless you're using some arch like sparc64. PaX is also still the only project that focuses at all on preventing kernel exploits as well with its KERNEXEC (and soon, KERNSEAL) feature. Expect OpenBSD to independently invent a protection against null ptr deref bugs sometime in 2009.

I'll reply to any legitimate mails off-list (I don't receive mails from the list).

Enjoy your weekend!

-Brad
From ol at uncon.org Sat Mar 3 10:25:11 2007
From: ol at uncon.org (ol)
Date: Sat, 3 Mar 2007 15:25:11 -0000
Subject: [Dailydave] The sky's downward trajectory
In-Reply-To: <004001c754ef$cc46d6e0$0300a8c0@rain>
References: <000e01c75354$7c82be90$75883bb0$@net> <001501c75398$6985f6b0$3c91e410$@net> <68dd869f0702182028m619121dr62f785989b765d5c@mail.gmail.com> <68dd869f0702182028t4f499e89y485ce471ecff239c@mail.gmail.com> <45D9EC15.5070709@gmail.com> <767ba1040702191657p6d578c7ej90805a9208a4ec3f@mail.gmail.com> <597760c90702192315w3abd9c23ua90e5b90119bd5ae@mail.gmail.com> <004001c754ef$cc46d6e0$0300a8c0@rain>
Message-ID: <094D84358D2A494295EB6C21F61ECC39@storm>

The paper can be found here:
http://www.symantec.com/avcenter/reference/Address_Space_Layout_Randomization.pdf

Cheers

Ollie

----- Original Message -----
From:
    To: Sent: Tuesday, February 20, 2007 1:05 PM Subject: Re: [Dailydave] The sky's downward trajectory Thanks for pimpage, the final figures are: Stack - 14 bits Heap - 5+ bits Image (code) - 8 bits PEB - 4 bits Yes image randomization out of the box only occurs upon a reboot. However their is a dirty method I came up with to force a reseed for binaries, but this massivley skews the results. All is contained in the paper which we will be releasing next week and presenting at Blackhat DC (Thursday) and EuSecWest (Friday). Cheers Ollie ----- Original Message ----- From: "Dominique Brezinski" To: Sent: Tuesday, February 20, 2007 7:15 AM Subject: Re: [Dailydave] The sky's downward trajectory Vista's stack gets 14 bits, heap and image 8 bits and PEB 4 bits. Ollie Whitehouse did a complete analysis of Vista's ALSR implementation in the final release that he will be presenting at Black Hat DC in a week. For those of you that can't make it, we should have his presentation up online shortly after the conference. I believe Symantec will also be publishing the white paper then. His analysis looks at the statistical distributions within the various process-space segments that are randomized with some interesting results. I think the material will be good reading for this list. Cheers, Dominique On 2/19/07, Jonathan Wilkins wrote: > Ok, I dug a little more and here's what I found: > http://blogs.msdn.com/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx > "This helps defeat a well-understood attack called "return-to-libc", > where exploit code attempts to call a system function [...] In the > case of Windows Vista Beta 2, a DLL or EXE could be loaded into any of > 256 locations, which means an attacker has a 1/256 chance of getting > the address right. 
> > Confirmed by skape here: > http://blog.metasploit.com/2006/06/few-quick-updates.html > "Microsoft's implementation is limited to 8 bits of entropy in the 3rd octet" > > Those posts are both pre-final Vista, as was ToorCon, so I'm not > certain how things might > have changed. > > On 2/19/07, jf wrote: > > As I understood it, they are only randomized once at boot time with 4 bits > > of entropy, and it's currently opt-in for most applications (including > > IE), but opt-out for system DLLs. I tend to agree that only randomizing > > once may be an issue, but no one seems to agree with me. > > > > On Mon, 19 Feb 2007, endrazine wrote: > > > > > Date: Mon, 19 Feb 2007 19:27:33 +0100 > > > From: endrazine > > > To: Rhys Kidd > > > Cc: dailydave at lists.immunitysec.com > > > Subject: Re: [Dailydave] The sky's downward trajectory > > > > > > Hi dear readers, > > > > > > Rhys Kidd a ?crit : > > > > > > > > So what does Microsoft provide to make this more secure? > > > > > > > > Firstly the push by Michael Howard et al to get ASLR implemented in > > > > Vista beta 2 and above means the addresses within ntdll.dll are going > > > > to be somewhat random, thereby making reliable use of this technique > > > > difficult. NX bit based defenses really should be implemented > > > > hand-in-hand with some form of memory randomisation, as was documented > > > > by the PaX project. > > > > > > > Put me in my place if I'm wrong, but adresses are only randomized once > > > at boot up, making the Vista randomization far less effective than a run > > > time randomization a la PaX. Well, at least, thats what I understood > > > from the Microsoft TechDays in Paris 2 weeks ago. > > > > Secondly, as Dave mentioned setting "AlwaysOn" in boot.ini should > > > > prevent DEP from being disabled on a per-process basis. > > > > > > > > HTH. 
> > > > Rhys
> > > >
> > >
> > > Regards,
> > >
> > > endrazine-
> > > _______________________________________________
> > > Dailydave mailing list
> > > Dailydave at lists.immunitysec.com
> > > http://lists.immunitysec.com/mailman/listinfo/dailydave
> > >
> >

From lcamtuf at dione.ids.pl Sat Mar 3 12:32:35 2007
From: lcamtuf at dione.ids.pl (Michal Zalewski)
Date: Sat, 3 Mar 2007 18:32:35 +0100 (CET)
Subject: [Dailydave] On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns
In-Reply-To: <20070303161612.GA10837@grsecurity.net>
References: <20070303161612.GA10837@grsecurity.net>
Message-ID:

On Sat, 3 Mar 2007, Brad Spengler wrote:

> Also, if there are any security historians on the list, I submit for your record-keeping what I believe to be the first public exploit for a null ptr dereference bug in the Linux kernel.

Historians, wait! Here, I have the same code dated 2001! Which is notable, because it actually predates the 2.6 kernel altogether!

On a more serious note... null pointer _dereference_ ("following of") is almost never exploitable on modern platforms (unless you count 0x0+large_offset table element access), and this exploit is consistent with that assessment.
What you have here is not a dereference of a null pointer (the kernel never tries to read/write *0x0), but rather, an opportunity to access a fun page of memory because of a missing 0x0 value check.

Naming your post / exploit in such an alarmist way will only have folks report NULL ptrs in /bin/date as "EXTREMELY CRITICAL" as opposed to the usual "VERY CRITICAL" we're all accustomed to. Please don't ;-)

/mz

From julien.tinnes at francetelecom.com Mon Mar 5 08:16:16 2007
From: julien.tinnes at francetelecom.com (TINNES Julien RD-MAPS-ISS)
Date: Mon, 05 Mar 2007 14:16:16 +0100
Subject: [Dailydave] On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns
In-Reply-To:
References: <20070303161612.GA10837@grsecurity.net>
Message-ID: <45EC1820.9000606@francetelecom.com>

Michal Zalewski wrote:
> On Sat, 3 Mar 2007, Brad Spengler wrote:
>
>> Also, if there are any security historians on the list, I submit for your record-keeping what I believe to be the first public exploit for a null ptr dereference bug in the Linux kernel.
>
> Historians, wait! Here, I have the same code dated 2001! Which is notable, because it actually predates the 2.6 kernel altogether!
>
> On a more serious note... null pointer _dereference_ ("following of") is almost never exploitable on modern platforms (unless you count 0x0+large_offset table element access), and this exploit is consistent with that assessment.

Local Kernel mode exploits rely on the following paradigm: you _already_ have arbitrary code execution and you want to run code with kernel privileges (or just with more privilege) or to write to memory you're not allowed to write to.

So, to exploit the "to-userland pointer dereference" class of kernel flaws, you just have to mmap() the page at the correct address (and mmap at 0 is perfectly allowed).
The problem in Linux is that since kernel 2.4 the segment selector registers are loaded (in *both* kernel and user mode) with references to segments with a base address of 0 (in kernel 2.0 and 2.2, the base for most selectors was different in kernel mode). This is not the case in PaX. This means that dereferencing a NULL pointer will indeed point you to address 0 in linear memory, which is also address 0 in userland in current Linux kernels.

> What you have here is not a dereference of a null pointer (the kernel never tries to read/write *0x0), but rather, an opportunity to access a fun page of memory because of a missing 0x0 value check.

I don't understand you here. The bug Spender has mentioned is, AFAIR, exactly a null pointer dereference.

> Naming your post / exploit in such an alarmist way will only have folks report NULL ptrs in /bin/date as "EXTREMELY CRITICAL" as opposed to the usual "VERY CRITICAL" we're all accustomed to. Please don't ;-)

Also, while it is not really relevant to the current subject (in-kernel null pointer dereference), here is a link to a paper by Gael Delalleau treating the subject of exploiting user-land null pointer dereferences.
http://cansecwest.com/core05/memory_vulns_delalleau.pdf

-- 
Julien TINNES - & france telecom - R&D Division/MAPS/NSS
Research Engineer - Internet/Intranet Security
GPG: C050 EF1A 2919 FD87 57C4 DEDD E778 A9F0 14B9 C7D6

From lcamtuf at dione.ids.pl Mon Mar 5 08:42:08 2007
From: lcamtuf at dione.ids.pl (Michal Zalewski)
Date: Mon, 5 Mar 2007 14:42:08 +0100 (CET)
Subject: [Dailydave] On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns
In-Reply-To: <45EC1820.9000606@francetelecom.com>
References: <20070303161612.GA10837@grsecurity.net> <45EC1820.9000606@francetelecom.com>
Message-ID:

On Mon, 5 Mar 2007, TINNES Julien RD-MAPS-ISS wrote:

> So, to exploit the "to-userland pointer dereference" class of kernel flaws, you just have to mmap() the page at the correct address (and mmap at 0 is perfectly allowed).
> [...]
> I don't understand you here. The bug Spender has mentioned is, AFAIR, exactly a null pointer dereference.

You're not exploiting any userland application (the code being run is your own program, you already have full control of it), correct? You're attacking the kernel. The flaw in the kernel is not caused by a null pointer dereference (the kernel is not vulnerable because of trying to read or write *0x0 - that's what a dereference is).

The flaw is caused by a missing check that allows you to gain access to the first physical page of memory, which you can then read or write. So a proper title would be "on exploiting missing checks" or "on gaining access to *0x0". Note that Brad's exploit doesn't even get to access 0x0 in the process's address space - he just gets an instance of physical page 0 mapped to some sane address.

Yeah, it's just semantics, but the issue is important in that we do not want crashes caused by userland NULL pointer dereferences to be considered exploitable by those who misinterpret the nature of this flaw.

> http://cansecwest.com/core05/memory_vulns_delalleau.pdf

Yeah, seen that presentation in person.
That's a wholly different class of problems, and I did mention it in my initial response (some architectures, and some large-offset operations on NULL ptr tables or structures, are vulnerable; NULL ptr derefs as such usually aren't).

/mz

From julien.tinnes at francetelecom.com Mon Mar 5 09:23:17 2007
From: julien.tinnes at francetelecom.com (TINNES Julien RD-MAPS-ISS)
Date: Mon, 05 Mar 2007 15:23:17 +0100
Subject: [Dailydave] On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns
In-Reply-To:
References: <20070303161612.GA10837@grsecurity.net> <45EC1820.9000606@francetelecom.com>
Message-ID: <45EC27D5.40705@francetelecom.com>

> You're not exploiting any userland application (the code being run is your own program, you already have full control of it), correct? You're attacking the kernel. The flaw in the kernel is not caused by a null pointer dereference (the kernel is not vulnerable because of trying to read or write *0x0 - that's what a dereference is).

That's exactly my point, you're not exploiting a userland application, so the paradigm is different, and _YOU_ can map page 0 because you've already got arbitrary code execution.

    ptr = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE,
               MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);

That's what this line of code does.

> The flaw is caused by a missing check that allows you to gain access to the first physical page of memory, which you can then read or write. So a proper title would be "on exploiting missing checks" or "on gaining access to *0x0". Note that Brad's exploit doesn't even get to access 0x0 in the process's address space - he just gets an instance of physical page 0 mapped to some sane address.

It has nothing to do with the 'first physical page', it's a logical address (0) translated into a linear address which happens to also be 0 because the base address in most segment descriptors is 0 since Linux 2.4.
To sum it up, you control what is at any address in user-land (you've already got arbitrary code execution and can use mmap/munmap) and, because of a flaw (a to-user-land pointer dereference), the kernel will 'think' its data is in some area you control (here the first page of the process).

-- 
Julien TINNES - & france telecom - R&D Division/MAPS/NSS
Research Engineer - Internet/Intranet Security
GPG: C050 EF1A 2919 FD87 57C4 DEDD E778 A9F0 14B9 C7D6

From lcamtuf at dione.ids.pl Mon Mar 5 09:48:16 2007
From: lcamtuf at dione.ids.pl (Michal Zalewski)
Date: Mon, 5 Mar 2007 15:48:16 +0100 (CET)
Subject: [Dailydave] On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns
In-Reply-To: <45EC27D5.40705@francetelecom.com>
References: <20070303161612.GA10837@grsecurity.net> <45EC1820.9000606@francetelecom.com> <45EC27D5.40705@francetelecom.com>
Message-ID:

On Mon, 5 Mar 2007, TINNES Julien RD-MAPS-ISS wrote:

> That's exactly my point, you're not exploiting a userland application, so the paradigm is different, and _YOU_ can map page 0 because you've already got arbitrary code execution.

Julien,

I think we're splitting hairs over semantics here, and this list is probably not the place to do this. If you wish, we might continue off-list. It's my fault, of course, for starting this, but I hoped my post would be taken more as a weak joke than the beginning of a flame war.

I do believe that the problem here arises from a missing check in the kernel, and not from the fact that a straight dereference of null pointers in kernel- or user-space is otherwise exploitable under normal conditions. But that's just my opinion, and not even a particularly strong one.

I do find Brad's exploit interesting, the attack vector novel, and I do think it's wrong for kernel developers to fix it the way they did.
/mz

From lcamtuf at dione.ids.pl Mon Mar 5 09:50:49 2007
From: lcamtuf at dione.ids.pl (Michal Zalewski)
Date: Mon, 5 Mar 2007 15:50:49 +0100 (CET)
Subject: [Dailydave] On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns
In-Reply-To:
References: <20070303161612.GA10837@grsecurity.net> <45EC1820.9000606@francetelecom.com>
Message-ID:

On Mon, 5 Mar 2007, Michal Zalewski wrote:

> The flaw is caused by a missing check that allows you to gain access to the first physical page of memory, which you can then read or write.

And yeah, that's incorrect. I misread the exploit; it indeed relies on planting a readable 0x0000000 in process memory for the kernel to tap into. That doesn't change the fact that I (somewhat) disagree with the naming of this flaw, but yeah, I suck, among other things, for typing faster than I read.

Regards,
/mz

From julien.tinnes at francetelecom.com Mon Mar 5 10:05:36 2007
From: julien.tinnes at francetelecom.com (TINNES Julien RD-MAPS-ISS)
Date: Mon, 05 Mar 2007 16:05:36 +0100
Subject: [Dailydave] On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns
In-Reply-To:
References: <20070303161612.GA10837@grsecurity.net> <45EC1820.9000606@francetelecom.com> <45EC27D5.40705@francetelecom.com>
Message-ID: <45EC31C0.40301@francetelecom.com>

Michal Zalewski wrote:
> On Mon, 5 Mar 2007, TINNES Julien RD-MAPS-ISS wrote:
>
>> That's exactly my point, you're not exploiting a userland application, so the paradigm is different, and _YOU_ can map page 0 because you've already got arbitrary code execution.
>
> Julien,
>
> I think we're splitting hairs over semantics here, and this list is probably not the place to do this. If you wish, we might continue off-list. It's my fault, of course, for starting this, but I hoped my post would be taken more as a weak joke than the beginning of a flame war.
>
> I do believe that the problem here arises from a missing check in the kernel, and not from the fact that a straight dereference of null pointers in kernel- or user-space is otherwise exploitable under normal conditions. But that's just my opinion, and not even a particularly strong one.

I don't want to go into a flame war either, and I apologize if I sound like I want to. However, I don't think this is off-topic, because the point is precisely that, while they're most of the time not exploitable when lying in user-space applications, null pointer dereferences are often exploitable when they are in the kernel (at least when in process context and you can control that process).

This is a subject Brad, pipacs and I discussed a few years ago, and it is a fact that NULL ptr dereferences in the kernel are not taken for what they are: a potentially exploitable flaw, not only an 'OOPS'.

> I do find Brad's exploit interesting, the attack vector novel, and I do think it's wrong for kernel developers to fix it the way they did.

-- 
Julien TINNES - & france telecom - R&D Division/MAPS/NSS
Research Engineer - Internet/Intranet Security
GPG: C050 EF1A 2919 FD87 57C4 DEDD E778 A9F0 14B9 C7D6

From prabu at hackinthebox.org Mon Mar 5 06:46:30 2007
From: prabu at hackinthebox.org (Praburaajan)
Date: Mon, 05 Mar 2007 19:46:30 +0800
Subject: [Dailydave] HITBSecConf2007 - Malaysia: Call for Papers now Open
Message-ID: <45EC0316.4020809@hackinthebox.org>

The CFP for HITBSecConf2007 - Malaysia is now open.

HITBSecConf - Malaysia is the premier network security event for the region and the largest gathering of hackers in Asia. Our 2007 event is expected to attract over 700 attendees from around the world and will see 4 keynote speakers in addition to 40 deep-knowledge technical researchers presenting over two days.
Being a deep-knowledge technical conference, talks that are more technical or that discuss new and never before seen attack methods are of more interest than a subject that has been covered several times before.

Summaries not exceeding 250 words should be submitted (in plain text format) to cfp at hackinthebox.org for review and possible inclusion in the programme. Submissions are due no later than 1st May 2007.

Topics of interest include, but are not limited to the following:

# 3G/4G Cellular Networks
# SS7/Backbone telephony networks
# Analysis of network and security vulnerabilities
# Firewall technologies
# Intrusion detection
# Data Recovery and Incident Response
# GPRS and CDMA Security
# Identification and Entity Authentication
# Network Protocol and Analysis
# Smart Card Security
# Virus and Worms
# WLAN and Bluetooth Security
# Analysis of malicious code
# Applications of cryptographic techniques
# Analysis of attacks against networks and machines
# File system security
# Security in heterogeneous and large-scale environments

PLEASE NOTE: We do not accept product or vendor related pitches. If your talk involves an advertisement for a new product or service your company is offering, please do not submit.

Your submission should include:

# Name, title, address, email and phone/contact number
# Draft of the proposed presentation (in PDF or PowerPoint format), proof of concept for tools and exploits, etc.
# Short biography, qualification, occupation, achievement and affiliations (limit 150 words).
# Summary or abstract for your presentation (limit 250 words)
# Time (45-60 minutes including time for discussion and questions)
# Technical requirements (video, internet, wireless, audio, etc.)

Each non-resident speaker will receive accommodation for 3 nights. For each non-resident speaker, HITB will cover travel expenses (through our airline partners, Malaysia Airlines) up to USD 1,000.00.

HITBSecConf2007 - Malaysia: The Largest Network Security Event in Asia!
http://conference.hitb.org/hitbsecconf2007kl/

From ronaldo at cais.rnp.br Mon Mar 5 07:09:55 2007
From: ronaldo at cais.rnp.br (Ronaldo Vasconcellos)
Date: Mon, 5 Mar 2007 09:09:55 -0300 (BRT)
Subject: [Dailydave] Ferret
Message-ID:

Very interesting tool, folks.

When I sent a message to wifisec at securityfocus on Friday it was just an announcement made at Black Hat DC, but Maynor released the tool the same day.

Regards,

Ronaldo Castro de Vasconcellos, GAWN
CAIS/RNP - Brazilian Academic and Research Network CSIRT
http://www.rnp.br/cais

---

Apple info...and thats all folks...
http://erratasec.blogspot.com/2007/03/apple-infoand-thats-all-folks.html

Your Wi-Fi can tell people a lot about you
http://news.com.com/Your+Wi-Fi+can+tell+people+a+lot+about+you/2100-7355_3-6163666.html

Device Drivers 2.0
http://www.blackhat.com/html/bh-dc-07/bh-dc-07-speakers.html#Maynor

Errata Security: Ferret
http://www.erratasec.com/ferret.html

From don.bailey at gmail.com Mon Mar 5 16:10:24 2007
From: don.bailey at gmail.com (don bailey)
Date: Mon, 05 Mar 2007 14:10:24 -0700
Subject: [Dailydave] On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns
In-Reply-To:
References: <20070303161612.GA10837@grsecurity.net> <45EC1820.9000606@francetelecom.com> <45EC27D5.40705@francetelecom.com>
Message-ID: <45EC8740.2010100@gmail.com>

> I think we're splitting hairs over semantics here, and this list is probably not the place to do this.

Keep it on list. I haven't had a chance to look at the exploit yet, so I appreciate the technical debate.
Don

From tqbf at matasano.com Mon Mar 5 15:53:10 2007
From: tqbf at matasano.com (Thomas Ptacek)
Date: Mon, 5 Mar 2007 14:53:10 -0600
Subject: [Dailydave] On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns
In-Reply-To: <45EC27D5.40705@francetelecom.com>
References: <20070303161612.GA10837@grsecurity.net> <45EC1820.9000606@francetelecom.com> <45EC27D5.40705@francetelecom.com>
Message-ID:

It really sounds like you two are saying the same thing. The flaw isn't a NULL pointer dereference, it's a u/k address folding that happens to involve an offset from NULL. It really doesn't sound like either of you disagree that "NULL pointer reads are exploitable in the common case"; I thought that was Zalewski's point.

On Mar 5, 2007, at 8:23 AM, TINNES Julien RD-MAPS-ISS wrote:

> To sum it up, you control what is at any address in user-land (you've already got arbitrary code execution and can use mmap/munmap) and, because of a flaw (a to-user-land pointer dereference), the kernel will 'think' its data is in some area you control (here the first page of the process).

From bania.piotr at gmail.com Mon Mar 5 23:08:30 2007
From: bania.piotr at gmail.com (Piotr Bania)
Date: Tue, 06 Mar 2007 05:08:30 +0100
Subject: [Dailydave] Apple QuickTime Player Remote Heap Overflow
Message-ID: <45ECE93E.50303@gmail.com>

Apple QuickTime Player Remote Heap Overflow
by Piotr Bania
http://www.piotrbania.com
All rights reserved.

Severity: Critical - potential remote code execution.

Software affected: Tested on QuickTime 7.1 (Windows version), with all newest add-ons.

Timeline:
03/09/2006 Vulnerability sent to the vendor.
03/09/2006 Initial vendor response.
06/03/2007 Security bulletin released.
Full advisory at: http://www.piotrbania.com/all/adv/quicktime-heap-adv-7.1.txt

best regards,
pb

-- 
--------------------------------------------------------------------
Piotr Bania - - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://www.piotrbania.com - Key ID: 0xBE43AC33
--------------------------------------------------------------------
- "The more I learn about men, the more I love dogs."

From krahmer at suse.de Tue Mar 6 04:28:41 2007
From: krahmer at suse.de (Sebastian Krahmer)
Date: Tue, 6 Mar 2007 10:28:41 +0100 (CET)
Subject: [Dailydave] On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns
In-Reply-To:
References: <20070303161612.GA10837@grsecurity.net> <45EC1820.9000606@francetelecom.com>
Message-ID:

On Mon, 5 Mar 2007, Michal Zalewski wrote:

Although it's not a classic NULL ptr dereference (it's a function-ptr thingie), you can exploit NULL ptr dereferences:

    **ptr = value;

That can happen in more places than you first think of. And if ptr is NULL, you have your real NULL ptr exploit.

Sebastian

> On Mon, 5 Mar 2007, TINNES Julien RD-MAPS-ISS wrote:
>
> > So, to exploit the "to-userland pointer dereference" class of kernel flaws, you just have to mmap() the page at the correct address (and mmap at 0 is perfectly allowed).
> > [...]
> > I don't understand you here. The bug Spender has mentioned is, AFAIR, exactly a null pointer dereference.
>
> You're not exploiting any userland application (the code being run is your own program, you already have full control of it), correct? You're attacking the kernel. The flaw in the kernel is not caused by a null pointer dereference (the kernel is not vulnerable because of trying to read or write *0x0 - that's what a dereference is).
>
> The flaw is caused by a missing check that allows you to gain access to the first physical page of memory, which you can then read or write.
> So a proper title would be "on exploiting missing checks" or "on gaining access to *0x0". Note that Brad's exploit doesn't even get to access 0x0 in the process's address space - he just gets an instance of physical page 0 mapped to some sane address.
>
> Yeah, it's just semantics, but the issue is important in that we do not want crashes caused by userland NULL pointer dereferences to be considered exploitable by those who misinterpret the nature of this flaw.
>
> > http://cansecwest.com/core05/memory_vulns_delalleau.pdf
>
> Yeah, seen that presentation in person. That's a wholly different class of problems, and I did mention it in my initial response (some architectures, and some large-offset operations on NULL ptr tables or structures, are vulnerable; NULL ptr derefs as such usually aren't).
>
> /mz

-- 
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer at suse.de - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

From phracksenate at gmail.com Tue Mar 6 06:27:57 2007
From: phracksenate at gmail.com (Phrack Senate Omniscient)
Date: Tue, 6 Mar 2007 22:27:57 +1100
Subject: [Dailydave] Ferret
In-Reply-To:
References:
Message-ID:

On 3/5/07, Ronaldo Vasconcellos wrote:
>
> Very interesting tool, folks.
>
> When I sent a message to wifisec at securityfocus on Friday it was just an announcement made at Black Hat DC, but Maynor released the tool the same day.

seepage

> Errata Security: Ferret
> http://www.erratasec.com/ferret.html

"probably has a remote vulnerability" aka "we dun know how to code proper. lulz!!! :("

Ferret-1/Ferret/http.c:

    void process_simple_http(struct Seaper *seap, struct NetFrame *frame,
                             const unsigned char *px, unsigned length)
    {
        char method[16];
        ...
        x=0;
        while (i

Dear Phrack Magazine,

>> Ferret-1/Ferret/http.c:
>> void process_simple_http(struct Seaper *seap, struct NetFrame *frame,
>>                          const unsigned char *px, unsigned length) {
>>     char method[16];
>>     ...
>>     x=0;
>>     while (i
>>         if (x < sizeof(method) -1) {
>>             method[x++] = (char)toupper(px[i++]);
>>             method[x] = '\0';
>>         }
>>     }

Cool dude! Mine is better. It makes it so that you can buffer overflow a buffer! Check out this one.

Summary:

Ferret-1/Ferret/wifi80211.c:

    void process_wifi_fields(struct Seaper *seap, struct NetFrame *frame,
                             const unsigned char *px, unsigned length,
                             unsigned offset, struct WIFI_MGMT *wifimgmt)
    {
        .....
        case 7: /* COUNTRY INFORMATION */
            ...
            char country[16];
            ...
            char power[32];

            if (country_len > sizeof(country-1))
                country_len = sizeof(country-1);
            memcpy(country, px+offset, country_len);
            country[country_len] = '\0';
        .....
    }

OMFG DUDE the negative one should go OUTSIDE the paren! WTF! Someone should have hired a security startup to audit this code; one that actually knows what it is doing LoL!

Due to the behavior of the sizeof operator when passed a pointer (accidentally or intentionally! OMFG WHAT A POWERFUL LANGUAGE) it is trivial to exploit this vulnerability using a specially crafted wifi packet on processors which have pointers larger than 16 bytes. This means that this bug affects ferret on x86_192 and x86_256 processors. Exploitation of this vulnerability will in most (all?) cases lead to excessive seepage and theft of pornography.
Affected products: Everything except QNX RTOS and grSecurity

Solution: Hire competent code auditors before running third party code

Truly Yours,
Gerbil Seepage
High Board Of Consular Directors and Heads of State

From dave.korn at artimi.com Tue Mar 6 09:34:39 2007
From: dave.korn at artimi.com (Dave Korn)
Date: Tue, 6 Mar 2007 14:34:39 -0000
Subject: [Dailydave] On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns
In-Reply-To:
References: <20070303161612.GA10837@grsecurity.net> <45EC1820.9000606@francetelecom.com>
Message-ID: <004601c75ffc$9253c7f0$2e08a8c0@CAM.ARTIMI.COM>

On 05 March 2007 14:51, Michal Zalewski wrote:
> On Mon, 5 Mar 2007, Michal Zalewski wrote:
>
>> The flaw is caused by a missing check that allows you to gain access to the first physical page of memory, which you can then read or write.
>
> And yeah, that's incorrect. I misread the exploit; it indeed relies on planting a readable 0x0000000 in process memory for the kernel to tap into.

So why doesn't linux do like 'doze does, and permanently map a guard page at 0x0 in all user-spaces?

cheers,
DaveK

-- 
Can't think of a witty .sigline today....

From wesley at mcgrewsecurity.com Tue Mar 6 10:26:26 2007
From: wesley at mcgrewsecurity.com (Robert Wesley McGrew)
Date: Tue, 6 Mar 2007 09:26:26 -0600
Subject: [Dailydave] Ferret
In-Reply-To:
References:
Message-ID:

On 3/6/07, Phrack Senate Omniscient wrote:
> Ferret-1/Ferret/http.c:
> void process_simple_http(struct Seaper *seap, struct NetFrame *frame,
>                          const unsigned char *px, unsigned length) {
>     char method[16];
>     ...
>     x=0;
>     while (i
>         if (x < sizeof(method) -1) {
>             method[x++] = (char)toupper(px[i++]);
>             method[x] = '\0';
>         }
>     }
>
> ur code getting owned in less than 60 seconds: priceless

Not that this isn't bad (it is), but to get here, it has to pass this check in tcp.c:

    171     if (smellslike_httprequest(px, length))
    172         process_simple_http(seap, frame, px, length);

It turns out the bounds-checking for this is actually done up in smellslike_httprequest:

    43      for (i=0; i
            10)
    49          return 0;

I would agree that process_simple_http should carry its own bounds-checking with it, though. It would turn out badly if someone tinkering decided to use that function without the corresponding smellslike.

> knowing that ur code prolly has a dozen other elementary errors resulting in memory corruption: just fucking embarrassing

This is probably still true.

> Some at Black Hat called it "serious fucking business".

Maybe I should actually build this thing and play with it :P

-- 
Robert Wesley McGrew
http://mcgrewsecurity.com

From pusscat at metasploit.com Tue Mar 6 10:44:43 2007
From: pusscat at metasploit.com (Pusscat)
Date: Tue, 6 Mar 2007 10:44:43 -0500
Subject: [Dailydave] Ferret
In-Reply-To:
References:
Message-ID: <003501c76006$5d069050$1713b0f0$@com>

I'm not seein' it... Not an overflow on method, since the < means the null is written at offset 15. Not even an infinite loop, since length is capped at 10 before this.

~ Puss

Message-ID: <007c01c76007$5116e140$4d07a8c0@jseitz>

Ummmm....generally IMHO if someone says "hey this is proof-of-concept and probably has bugs and we acknowledge that", why would you send a posting that mirrors the same comment? I can honestly say that I have written PoC myself that was exploitable, but that's not the point of doing a PoC; it's to get it out there and to put your money where your mouth is. Especially if you are going to put a pseudo-disclaimer saying that it will most likely have problems, do you need anything else? Would you like a pat on the back for finding that? Why not rewrite the tool in Java for us all so we can feel warm and fuzzy inside when we go beddy-bye tonight.

JS

Chaos Communication Camp 2007
The International Hacker Open Air Gathering
"In Fairy Dust We Trust!"
August, 8th to 12th, 2007
Airport Museum Finowfurt (Finow Airport) near Berlin, Germany
http://events.ccc.de/camp/2007/

=== Overview ===

We ask you to participate in the third Chaos Communication Camp on August, 8th to 12th, 2007 near Berlin, Germany. The Chaos Communication Camp is organized by the Chaos Computer Club (CCC). It is an international, five-day open-air event for hackers and associated life-forms.

The Camp features two conference tracks with interesting lectures. Workshops will take place in a central workshop area and in thematic "villages", organized by various groups. You can participate! Bring your tent and join the villages. The Camp has everything you need: power, internet, food, music, sun and fun. The large area features enough space to camp.

The Camp is intended to promote the exchange of technical, social and political ideas and concepts to find ways to make this world a little bit more friendly for intelligent beings, be they carbon-based or otherwise.

The conference languages are English and German.

=== Topics ===

In general, lectures and workshops dealing with technology, ethics, science, security, art, philosophy, politics, culture and cooking are welcome. The main theme of this year's camp is the world we want to live in tomorrow. We try, however, to create a certain focus on a number of topics that we regard as important for the near future.
We want:

* flying and non-flying autonomous robots
* security, encryption and anonymity
* software projects
* technologies for the day after the climate change
* rapid prototyping and fabbing
* software and hardware for disaster-resistant infrastructure
* bringing broadband to the countryside
* politics and propaganda
* anti-crowd-control tactics and technologies
* lock picking
* alternative energy systems
* citizen surveillance, data mining technologies, and social networks
* data forensic methods
* all things radio (preferably digital)
* self-sustaining and -reproducing hardware
* pollution free transport systems
* hacker anthropology and sociology of the scene
* flying cars, saucers and carpets
* 42
* tesla generators
* telecommunication technologies
* FPGA based analysis
* military technologies
* all kinds of voting computers
* ebooks
* satellites and rockets

(and countermeasures against all of the above).

=== Lecture Requirements ===

Lectures are expected to be highly relevant in practice or better be darn funny. Sales droids and PR-people have been known to disappear without traces on past events. Interactive workshops are welcome. Hands-on anything is even more welcome.

Final presentations for talks should be up to 60 minutes, for workshops up to 60 or 120 minutes long. Additionally, a question-and-answer period will be provided. Follow-up discussions and hands-on workshops are strongly encouraged; there will be space for such activities available outside the main lecture shelters (if you don't prefer a nice sit-in on the grass in the sun).

Audio and video recordings of the lectures will be published online in various formats. All material will be available under a Creative Commons licence allowing free non-commercial redistribution of the material as long as the original credit to authors and publishers is retained.
=== Submissions ===

All proposals MUST be submitted online using our lecture submission system at https://pentabarf.cccv.de/submission/Camp+2007 . Please follow the instructions given there. You can provide papers and slides for the digital conference pack upon submission. Please make sure your submission contains all information we need to review your talk and send us everything in one go. If you have any questions regarding your submission, feel free to contact us at camp-content at cccv.de but do NOT submit your lecture via e-mail.

Accepted speakers are asked to hand in slides used in their talks. Please use a well-known format for your slides.

=== Dates and deadlines ===

The deadline for submission is May, 15th, 2007. This deadline is final. If there are remaining slots, we offer a second deadline on June, 5th. Accepted submissions between May, 15th, and June, 5th, will then be allocated to the remaining slots. Notification of acceptance will be sent out by June, 27th, or earlier. Early submissions will be treated with higher priority.

--
"I am chaos. I am the substance from which your artists and scientists build rhythms. I am the spirit with which your children and clowns laugh in happy anarchy. I am chaos. I am alive, and I tell you that you are free."
Eris, Goddess Of Chaos, Discord & Confusion

From spender at grsecurity.net Wed Mar 7 10:19:46 2007
From: spender at grsecurity.net (Brad Spengler)
Date: Wed, 7 Mar 2007 10:19:46 -0500
Subject: [Dailydave] (windows is vulnerable too) & final comments on naming
In-Reply-To: <004601c75ffc$9253c7f0$2e08a8c0@CAM.ARTIMI.COM>
References: <004601c75ffc$9253c7f0$2e08a8c0@CAM.ARTIMI.COM>
Message-ID: <20070307151946.GA32451@grsecurity.net>

> So why doesn't linux do like 'doze does, and permanently map a guard page at
> 0x0 in all user-spaces?

What version of Windows are you using?
Maybe you're getting confused with the behavior that giving a NULL address as a hint to any allocation/mapping function is a special case within the OS to select its own address. Luckily though, the address passed in is rounded down internally, so giving an address of 1 will let you allocate at the 0 address.

Here's some code to execute as an unprivileged user:

    #include <windows.h>
    #include <stdio.h>
    #include <tchar.h>

    /* NtAllocateVirtualMemory has no public header prototype, so it is
       resolved from ntdll at runtime through this typedef. */
    typedef unsigned int (*_NtAllocateVirtualMemory)(IN HANDLE ProcessHandle,
                                                     IN OUT PVOID *BaseAddress,
                                                     IN ULONG ZeroBits,
                                                     IN OUT PULONG RegionSize,
                                                     IN ULONG AllocationType,
                                                     IN ULONG Protect);

    int _tmain(int argc, _TCHAR* argv[])
    {
        HMODULE ntdll;
        MEMORY_BASIC_INFORMATION buff;
        unsigned int status;
        ULONG size = 0xffff;
        PCHAR buf2 = (PCHAR)1;   /* hint of 1, not 0: the kernel rounds it down to page 0 */
        _NtAllocateVirtualMemory fptr;

        ntdll = GetModuleHandleA("NTDLL.DLL");
        fptr = (_NtAllocateVirtualMemory)GetProcAddress(ntdll, "NtAllocateVirtualMemory");
        /* (HANDLE)0xffffffff is the current-process pseudo-handle */
        status = fptr((HANDLE)0xffffffff, (PVOID *)&buf2, 0, &size,
                      MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        printf("status = %08lx buf = %08lx\n", (unsigned long)status,
               (unsigned long)(ULONG_PTR)buf2);
        /* query page 0: Protect comes back as PAGE_EXECUTE_READWRITE (0x40) */
        VirtualQuery(NULL, &buff, sizeof(buff));
        printf("prot: %08lx\n", (unsigned long)buff.Protect);
        buf2[0] = 0x10;
        printf("no crash %08lx, %02x\n", (unsigned long)(ULONG_PTR)&buf2[0], buf2[0]);
        return 0;
    }

it'll verify a RWX allocation (0x40) and that the byte at 0x00000000 contains 0x10. If there were a permanently mapped guard page (and I don't think a real PAGE_GUARD page is what you really want) at 0, stuff like ntvdm wouldn't work. These bugs are exploitable in Windows.

A final comment on the naming of the bug: I think it's a mistake to lump in null ptr + controlled offset with the null ptr + small fixed offset. The former case would likely be some overflow, integer or otherwise, in the same category as + controlled offset. Calling it a "null ptr deref bug" is also somewhat out of consistency, since if you've seen an OOPS where the faulting address is within the first page of virtual memory, it's called the same.
From the bugreport for the vulnerability:

Jul 7 13:04:52 doriath kernel: [ 105.041722] BUG: unable to handle kernel NULL pointer dereference at virtual address 00000018

Anyways, as I mentioned before, this is all really under the larger class of invalid userland pointer dereferences, which just mapping (or preventing a mapping) at 0 will not protect against.

-Brad

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20070307/62e8e201/attachment.pgp

From je at bitnux.com Wed Mar 7 10:30:00 2007
From: je at bitnux.com (Joel Eriksson)
Date: Wed, 7 Mar 2007 16:30:00 +0100
Subject: [Dailydave] On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns
In-Reply-To: <004601c75ffc$9253c7f0$2e08a8c0@CAM.ARTIMI.COM>
References: <004601c75ffc$9253c7f0$2e08a8c0@CAM.ARTIMI.COM>
Message-ID: <20070307153000.GA25475@eip.bitnux.com>

Hi Dave,

Huh? Assuming by 'doze you mean Windows, you're wrong (at least for Windows <= XP, haven't checked W2K3/Vista). There is no guard-page mapped at 0x0 and it's fully possible to map your own memory page on that virtual address.

You might be referring to using a guard page to prevent the stack from expanding down to the heap, but that's quite a different story and has nothing to do with preventing exploitation of NULL pointer dereferences in the kernel.

Btw, there are applications (like Wine IIRC) that need to be able to map 0x0, so the "problem" cannot be fixed without breaking some existing applications.

+ The real fix is writing secure kernel code to begin with.
:)

Although extra prevention measures don't hurt (unless they introduce new vulns ;)

--
Best Regards,
Joel Eriksson
CTO Bitsec AB

On Tue, Mar 06, 2007 at 02:34:39PM -0000, Dave Korn wrote:
> On 05 March 2007 14:51, Michal Zalewski wrote:
>
> > On Mon, 5 Mar 2007, Michal Zalewski wrote:
> >
> >> The flaw is caused by a missing check that allows you to gain access to
> >> the first physical page of memory, which you can then read or write.
> >
> > And yeah, that's incorrect. I misread the exploit; it indeed relies on
> > planting readable 0x0000000 in process memory for the kernel to tap into.
>
> So why doesn't linux do like 'doze does, and permanently map a guard page at
> 0x0 in all user-spaces?
>
> cheers,
> DaveK

From endrazine at gmail.com Wed Mar 7 12:31:03 2007
From: endrazine at gmail.com (endrazine)
Date: Wed, 07 Mar 2007 18:31:03 +0100
Subject: [Dailydave] Is Windows Integrity Control in Vista really worth the performance hit? And does it really work?
In-Reply-To: <45E8568D.6000505@gmail.com>
References: <20070301154053.41B9D8BD0B@mail.fjaunet.com.br> <200703011602.30824.sgrubb@redhat.com> <1681f2df0703011851s55d73c1bi16dca276957d400@mail.gmail.com> <45E8568D.6000505@gmail.com>
Message-ID: <45EEF6D7.5020901@gmail.com>

Hello list readers,

>Afaik, Pax, grsec etc do _never_ randomize Xorg.

Ok, I was wrong, grsec _is_ randomizing xorg's stack, heap and libs, even if the stack is apparently still executable. It seems that xorg needs an executable stack for compatibility with some drivers.

Thanks to the grsec ppl for putting me in my place and actually teaching me the right thing :)

Regards,

endrazine-

endrazine wrote:
> Chris Rohlf wrote:
>
>> This sort of goes without saying. But what other known 'bypasses' are
>> there for grsec or SElinux that don't require a kernel vulnerability?
>> I'm asking honestly, it's been awhile since I've looked into this stuff.
>>
>>
> Afaik, Pax, grsec etc do _never_ randomize Xorg.
>
>
> endrazine-
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
>

From intropy at gmail.com Wed Mar 7 12:44:16 2007
From: intropy at gmail.com (intropy)
Date: Wed, 7 Mar 2007 11:44:16 -0600
Subject: [Dailydave] (windows is vulnerable too) & final comments on naming
In-Reply-To: <20070307151946.GA32451@grsecurity.net>
References: <004601c75ffc$9253c7f0$2e08a8c0@CAM.ARTIMI.COM> <20070307151946.GA32451@grsecurity.net>
Message-ID: <3060a9260703070944s205e61e6i48480263d2eb9751@mail.gmail.com>

On 3/7/07, Brad Spengler wrote:
>
> What version of Windows are you using? Maybe you're getting confused
> with the behavior that giving a NULL address as a hint to any
> allocation/mapping function is a special case within the OS to select
> its own address. Luckily though, the address passed in is rounded down
> internally, so giving an address of 1 will let you allocate at the 0
> address.

Microsoft's own driver verifier does this to trap NULL derefs when exercising code. In the dc2 application specifying /n will map the 0x0 page.

"/n Map zero page so that NULL pointer de-references don't raise"

And it's done just like you.
    45C    push    4
    460    push    3000h
    464    lea     ecx, [ebp+var_1C]
    464    push    ecx
    468    push    1
    46C    lea     edx, [ebp+var_14]
    46C    push    edx
    470    push    0FFFFFFFFh
    474    call    ds:NtAllocateVirtualMemory

From dave at immunityinc.com Wed Mar 7 15:13:02 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Wed, 07 Mar 2007 15:13:02 -0500
Subject: [Dailydave] (windows is vulnerable too) & final comments on naming
In-Reply-To: <3060a9260703070944s205e61e6i48480263d2eb9751@mail.gmail.com>
References: <004601c75ffc$9253c7f0$2e08a8c0@CAM.ARTIMI.COM> <20070307151946.GA32451@grsecurity.net> <3060a9260703070944s205e61e6i48480263d2eb9751@mail.gmail.com>
Message-ID: <45EF1CCE.3040605@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You can find some funny bugs in your debuggers when you're mapping 0. Most of them (Olly/ImmDBG at least) will refuse to view the memory section, but if you force them to view address 1, they'll see the data there.

I happen to be porting a kernel exploit from C to Python/MOSDEF right now which uses this trick. :>

- -dave

(I'm sure ImmDBG will be fixed shortly. )

intropy wrote:
> On 3/7/07, Brad Spengler wrote:
>> What version of Windows are you using? Maybe you're getting
>> confused with the behavior that giving a NULL address as a hint
>> to any allocation/mapping function is a special case within the
>> OS to select its own address. Luckily though, the address passed
>> in is rounded down internally, so giving an address of 1 will let
>> you allocate at the 0 address.
>
> Microsoft's own driver verifier does this to trap NULL derefs when
> exercising code. In the dc2 application specifying /n will map the
> 0x0 page.
>
> "/n Map zero page so that NULL pointer de-references don't
> raise"
>
> And it's done just like you.
>
>     45C    push    4
>     460    push    3000h
>     464    lea     ecx, [ebp+var_1C]
>     464    push    ecx
>     468    push    1
>     46C    lea     edx, [ebp+var_14]
>     46C    push    edx
>     470    push    0FFFFFFFFh
>     474    call    ds:NtAllocateVirtualMemory

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF7xzMB8JNm+PA+iURArOVAJ0ZVTXe2+b2lf2euwEGaHLb+DIR6gCfca1Y
eziDI9714wjFfhK94lSqD7I=
=ODKb
-----END PGP SIGNATURE-----

From dtangent at defcon.org Wed Mar 7 22:23:04 2007
From: dtangent at defcon.org (The Dark Tangent)
Date: Wed, 07 Mar 2007 19:23:04 -0800
Subject: [Dailydave] Black Hat USA CFP Now Open!
Message-ID: <200703080326.l283Qo32011047@colossus.datamerica.com>

Daily Dave Dudes,

I wanted to make some quick Black Hat related announcements.

The Call For Papers for Black Hat USA is now open. This is the main event, and this year we have even more space, we have expanded from 9 tracks to 11, and we will be introducing Break Out sessions and the Deep Knowledge track will now span both days. We are working to expand the depth and breadth of content, so if you have something up your sleeve you want to present, check out the CFP:

http://www.blackhat.com/html/bh-usa-07/bh-usa-07-cfp.html

Black Hat USA 2007 Training Classes now open. Please see the following link for a complete list of classes being offered this year.

http://www.blackhat.com/html/bh-usa-07/train-bh-usa-07-index.html

Highlights include over 35 training classes including two new four day sessions. Below is a sample of what to expect:

- The nuts and bolts of the Metasploit Framework: Metasploit 3.0 Internals by Matt Miller, aka skape.
- Web Application (In)security by NGS Software. If you are concerned with the security of web applications and the insecurity they introduce to your back end information systems this is the workshop for you.
- TCP/IP Weapons School: Black Hat Edition by Richard Bejtlich, TaoSecurity. Learn how networks can be abused and subverted, while analyzing the attacks, methods, and traffic that make it happen.
- Ultimate Hacking: Wireless Edition by Foundstone. Knowledge is power and you do not want the hackers to know more about your wireless networks than you do.
- Hands-On Hardware Hacking and Reverse Engineering Techniques: Black Hat Edition by Joe Grand. This course is the first of its kind and focuses entirely on hardware hacking.
- ROOTKIT: Advanced 2nd Generation Digital Weaponry by Greg Hoglund and Jamie Butler. Advanced class developed and taught by the creators of rootkit.com
- Advanced Malware Deobfuscation by Jason Geffner & Scott Lambert. No Source? No Symbols? No Problem.
- Hacking by Numbers: Combat Grading by SensePost. Advanced level. The world's first objective technical grading system for hackers and penetration testers.

Black Hat Briefings and Trainings USA 2007:
http://www.blackhat.com/html/bh-usa-07/bh-usa-07-index.html

Registration on-line at:
http://www.blackhat.com/html/bh-registration/bh-registration.html#USA

Hotel Reservations now open.
http://www.blackhat.com/html/bh-usa-07/bh-usa-07-venue.html

RSS: http://www.blackhat.com/BlackHatRSS.xml

Black Hat Europe:

Black Hat Europe 2007 Hotel rate extended. We have extended the Group Rate at the Movenpick in Amsterdam until the end of this week (March 9). If you plan to stay at the hotel, now is the last minute for you to reserve at the Black Hat conference rate, currently EUR 145,00 per night plus taxes.
http://www.blackhat.com/html/bh-europe-07/bh-eu-07-venue.html

Thank you,

Jeff Moss

From sqlsec at yahoo.com Fri Mar 9 20:09:47 2007
From: sqlsec at yahoo.com (Cesar)
Date: Fri, 9 Mar 2007 17:09:47 -0800 (PST)
Subject: [Dailydave] [Argeniss] Practical 10 minutes security audit: Oracle Case (Paper)
Message-ID: <747718.17631.qm@web33011.mail.mud.yahoo.com>

Hi.
Abstract:

This paper will show an extremely simple technique to quickly audit a software product in order to infer how trustable and secure it is. I will show you step by step how to identify half a dozen local 0day vulnerabilities in a few minutes just by making a couple of clicks on very easy-to-use free tools; then, for the technical guys' enjoyment, the vulnerabilities will be easily pointed out on disassembled code and detailed; finally a 0day exploit for one of the vulnerabilities will be demonstrated. While this technique can be applied to any software, in this case I will take a look at the latest version of Oracle Database Server: 10gR2 for Windows, which is an extremely secure product, so it will be a very difficult challenge to find vulnerabilities since Oracle is using advanced next generation tools to identify and fix vulnerabilities.

http://www.argeniss.com/research/10MinSecAudit.zip (PoC exploit included)

Thanks.

Cesar.

____________________________________________________________________________________
No need to miss a message. Get email on-the-go with Yahoo! Mail for Mobile. Get started.
http://mobile.yahoo.com/mail

From dave at immunityinc.com Mon Mar 12 11:28:54 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Mon, 12 Mar 2007 11:28:54 -0400
Subject: [Dailydave] non-SYSTEM to SYSTEM in one click or less
Message-ID: <45F571B6.3070401@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Next week is Shmoocon - and I'll be there with whatever the latest build of SILICA is in my pocket. Feel free to pull me aside for a quick demo.

Also, don't forget to submit your talks to Syscan!

I'm going to miss Blackhat Europe, but Kostya won't. . .

http://blackhat.com/html/bh-europe-07/bh-eu-07-speakers.html has some good talks - I'm sure it has many good talks, but these are the ones I already know a bit about.

Software Virtualization Based Rootkits
Sun Bing, Research Scientist

I saw him talk at Xcon, and it was one of my favorites.
He really sums up how virtual machines work in a way that's very understandable.

Macro-Reliability
Kostya Kortchinsky, Immunity, Inc.

There's a lot of very important things that go into making exploits work against both Traditional Chinese Windows and English Windows. First you have to remotely detect what your target is running. . . Anyways, it's a good talk. Be there or be square. :>

Kernel Wars
Joel Eriksson, CTO of Bitsec
Karl Janmar, Security Researcher, Bitsec
Christer Öberg, Security Researcher, Bitsec

I just finished converting Joel Eriksson's exploit into CANVAS/MOSDEF and I have to admit, it was a fun one. You can grab it now from Immunity Partners. I can confirm, via my testing, that it is extremely reliable. Assuming it gets cleaned up enough to go into CANVAS by the 1st, that means every CANVAS customer will have the ability to go from non-SYSTEM to SYSTEM on Windows 2000 and XP via a nice unpatched bug. Gotta love that. :>

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF9XGtB8JNm+PA+iURAsMvAJ9fDfPb8WzPzJD7tP/e7mqcl5eMqwCffwDS
oHNXwBDf4tXdoYlkFNeRuN8=
=/xuT
-----END PGP SIGNATURE-----

From enki at kybernet.org Mon Mar 12 12:43:01 2007
From: enki at kybernet.org (Paul Böhm)
Date: Mon, 12 Mar 2007 17:43:01 +0100
Subject: [Dailydave] Call for Papers: DeepSec IDSC 2007 Europe/Vienna: 20-23 Nov 2007
Message-ID: <2009ea030703120943r1e180967rec7c54871390feaa@mail.gmail.com>

DeepSec In-Depth Security Conference 2007 Europe - Nov 20-23 2007 - Vienna, Austria
http://deepsec.net/

Call for Papers

In light of Austria's active security scene we are pleased to announce the first annual European DeepSec In-Depth Security Conference[1], to be held from November 20th to 23rd 2007 in Vienna. We have found a really nice venue, a hotel in the old imperial riding school in the heart of the City, and will provide a comprehensive social program around the event.
We're inviting you to submit papers and proposals for trainings for the conference. All proposals received before June 10th 2007, 23:59 CET will be considered by the Program Committee.

Also we would like to announce and invite you to the first informal monthly Security by Candlelight[2] Security-Enthusiast Meeting to be held in the Viennese non-profit Hackspace/Innovation Center Metalab[3] on Monday, the 19th of March 2007, 19:30.

[1] http://deepsec.net/
[2] http://metalab.at/wiki/Security_bei_Kerzenschein
[3] http://metalab.at/wiki/English

== About DeepSec ==

DeepSec IDSC is an annual European two-day in-depth Conference on Computer-, Network-, and Application-Security. The first DeepSec Conference will be held from November 22nd to 23rd 2007 in Vienna, and aims to bring together the leading security experts from all over the world in Europe.

In addition to the conference with thirty-two sessions, four two-day intense security training courses will be held before the main conference. The conference program will be augmented with a live hacking competition and a team capture the flag contest.

DeepSec is a non-product, non-vendor-biased conference. Our aim is to present the best research and experience from the fields' leading experts.

Target Audience: Security Officers, Security Professionals and Product Vendors, IT Decision Makers, Policy Makers, Security-, Network-, and Firewall-Admins, and Software Developers.

== Speakers/Trainers ==

Until June 10th, 23:59 CET, we'll be accepting papers and lightning talk submissions. Please note we are a non-product, non-vendor biased security conference, and do not accept vendor pitches.

Speaker privileges include

* One economy class return-ticket to Vienna.
* 3 nights of accommodation in the Conference Hotel.
* Breakfast, Lunch, and two coffee breaks
* Speaker activities during, before, and after the conference.
* Speaker After-Party in the Metalab Hackerspace on November, 24th.
Trainer privileges include

* 50% of the net profit of the class.
* 2 nights of accommodation in the Conference Hotel during the trainings.
* Breakfast, Lunch, and two coffee breaks.
* Free Speaker Ticket for the Conference.
* Speaker activities during, before, and after the conference.
* Speaker After-Party in the Metalab Hackerspace on the 24th November

== Topics ==

We are interested in bleeding edge security research, directly from leading researchers, professionals in academics, industry, and government, and the underground security community.

Topics of special interest include

* Vista, Linux, OSX Security
* E/I-Voting Case-Studies, Attacks, Weaknesses
* Mobile Security
* Network Protocol Analysis
* AJAX/Web2.0/Javascript Security
* Secure Software Development
* VoIP
* Perimeter Defense / Firewall Technology
* Digital Forensics
* WLAN/WiFi, GPRS, IPv6 and 3G Security
* IPv6
* Smart Card Security
* Cryptography
* Intrusion Detection
* Incident Response
* Rootkit Detection, Techniques, and Defense
* Security Properties of Web-Frameworks
* Malicious Code Analysis
* Secure Framework Design
* .Net and Java Security

== Submission ==

Proposals for presentations and trainings at the first annual DeepSec In-Depth Security Conference will be accepted until June 10th 2007, 23:59 CET. All proposals should be submitted over the web at http://www.deepsec.net/cfp/. If you have questions, want to send us additional material, or have problems with the webform, feel free to contact us at cfp at deepsec.net.
Regards
paul

From je-dailydave at bitnux.com Mon Mar 12 20:13:51 2007
From: je-dailydave at bitnux.com (Joel Eriksson)
Date: Tue, 13 Mar 2007 01:13:51 +0100
Subject: [Dailydave] non-SYSTEM to SYSTEM in one click or less
In-Reply-To: <45F571B6.3070401@immunityinc.com>
References: <45F571B6.3070401@immunityinc.com>
Message-ID: <20070313001351.GA1516@eip.bitnux.com>

Hi Dave & the rest of the list,

On Mon, Mar 12, 2007 at 11:28:54AM -0400, Dave Aitel wrote:
>
> I just finished converting Joel Eriksson's exploit into CANVAS/MOSDEF
> and I have to admit, it was a fun one. You can grab it now from
> Immunity Partners. I can confirm, via my testing, that it is
> extremely reliable. Assuming it gets cleaned up enough to go into
> CANVAS by the 1st, that means every CANVAS customer will have the
> ability to go from non-SYSTEM to SYSTEM on Windows 2000 and XP via a
> nice unpatched bug. Gotta love that. :>

Enjoy. :>

Congrats again on finishing the port to CANVAS/MOSDEF, although it's a shame you didn't make it to the March release. :)

For those interested, there's a screenshot of my original exploit in action at:

http://kernelwars.blogspot.com/

This exploit + probably a Metasploit meterpreter-addon for it will be released at the end of April (Immunity bought the rights to it for 60 days, starting from 22nd February or so).

During our Blackhat-talk I'll discuss the bug in general and the process of making a reliable exploit for it, except for the minor but crucial part that achieves the actual write-4-primitive. That will be kept to CANVAS-customers for a while yet. ;)

For the other two kernel bugs we'll discuss during the talk full exploits will be released directly afterwards, including Karl's neat remote wireless and pure in-memory kernel backdoor for FreeBSD which he made for his 802.11 exploit.
:>

Regarding the 0-day NetBSD bug that Christer will be talking about, he will mention some new techniques that might come in handy for exploiting other kernel bugs on BSD-derived systems too, when certain types of structs / pointers are overflowed. :> The bug itself is in certain "ancient" BSD-code that may very well still be used in some of the commercial Unix-systems too.

URL to our talk:

http://www.blackhat.com/html/bh-europe-07/bh-eu-07-speakers.html#Eriksson

For those of you coming to BH Europe, see you there! :)

> - -dave

--
Best Regards,
Joel Eriksson
CTO Bitsec

From krahmer at suse.de Wed Mar 14 10:31:16 2007
From: krahmer at suse.de (Sebastian Krahmer)
Date: Wed, 14 Mar 2007 15:31:16 +0100 (CET)
Subject: [Dailydave] OpenBSD icmp6 overflow
Message-ID:

Hi,

you probably know about
http://www.coresecurity.com/?action=item&id=1703

the description of how to exploit it sounds straightforward, so I wonder how this could be missed at the first look ;-)

regards,
Sebastian

--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer at suse.de - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

From dave.korn at artimi.com Wed Mar 14 10:48:23 2007
From: dave.korn at artimi.com (Dave Korn)
Date: Wed, 14 Mar 2007 14:48:23 -0000
Subject: [Dailydave] On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns
In-Reply-To: <20070306193431.GA15264@grsecurity.net>
References: <004601c75ffc$9253c7f0$2e08a8c0@CAM.ARTIMI.COM> <20070306193431.GA15264@grsecurity.net>
Message-ID: <005d01c76647$d23442e0$2e08a8c0@CAM.ARTIMI.COM>

[ forgot to send this reply last week, just wanted to wrap up the thread]

On 06 March 2007 19:35, Brad Spengler wrote:

>> So why doesn't linux do like 'doze does, and permanently map a guard
>> page at 0x0 in all user-spaces?
>
> What version of Windows are you using?

Anything except the '9x series.
> Maybe you're getting confused
> with the behavior that giving a NULL address as a hint to any
> allocation/mapping function is a special case within the OS to select
> its own address.

Nope, I'm getting confused with the behaviour that 'doze doesn't map a guard page, it just leaves the address *un*mapped (in both cases, to protect against NULL pointer derefs in user mode). Shoulda checked before I posted!

> Luckily though, the address passed in is rounded down
> internally, so giving an address of 1 will let you allocate at the 0
> address.
>
> Here's some code to execute as an unprivileged user:

Couldn't get that to compile immediately, but I'll take your word for it.

> it'll verify a RWX allocation (0x40) and that the byte at 0x00000000
> contains 0x10. If there were a permanently mapped guard page at 0,
> stuff like ntvdm wouldn't work. These bugs are exploitable in Windows.

Clearly so.

cheers,
DaveK

--
Can't think of a witty .sigline today....

From je-dailydave at bitnux.com Wed Mar 14 19:59:28 2007
From: je-dailydave at bitnux.com (Joel Eriksson)
Date: Thu, 15 Mar 2007 00:59:28 +0100
Subject: [Dailydave] OpenBSD icmp6 overflow
In-Reply-To:
References:
Message-ID: <20070314235928.GA26152@eip.bitnux.com>

On Wed, Mar 14, 2007 at 03:31:16PM +0100, Sebastian Krahmer wrote:
>
> you probably know about
> http://www.coresecurity.com/?action=item&id=1703
>
> the description of how to exploit it sounds
> straight forward, so I wonder how this could
> be missed at the first look ;-)

My thoughts exactly. ;)

Exploiting mbuf overflows is not exactly rocket science (and no, this is not the first of its kind), especially not for someone familiar with the code base, as I assume the OpenBSD developers to be.

The possible mirrored overwrite should be obvious to anyone realizing that mbufs are stored in a doubly linked list and the very convenient ext_free function pointer to anyone bothering to read the source. ;)

Although the use of macros makes it a bit tedious..
(m_free -> MFREE -> _MEXTREMOVE)

> regards,
> Sebastian

--
Best Regards,
Joel Eriksson
CTO Bitsec

From dave at immunityinc.com Thu Mar 15 10:35:17 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Thu, 15 Mar 2007 10:35:17 -0400
Subject: [Dailydave] my idea of the day
Message-ID: <45F959A5.60006@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So here's my idea of the day: I want relational triangulation in SILICA. I want to be able to click "Find this AP" and then have SILICA say "stay still . . . . signal is 99. Now take 5 steps to the left.... signal is 91. Now take five steps forward....signal is 102" and then interpolate in "steps" the distance and direction of the access point.

It'd make you look a little silly, but I think it'd be quite useful. It's weird the things you find that are useful. For example, it's nice to just know what OS every little tiny router is running. Sometimes a router will try to "be every IP address", which is very annoying.

- -dave


- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF+VmhB8JNm+PA+iURAuq9AJ9ZK/xNdPj6ZECd0kGRDtvllYhtfwCgt4+M
CbxI1q/Pv7d2LlaqvKshrTo=
=SXLj
-----END PGP SIGNATURE-----

From midnitrcr at gmail.com Thu Mar 15 14:57:11 2007
From: midnitrcr at gmail.com (Trey Keifer)
Date: Thu, 15 Mar 2007 13:57:11 -0500
Subject: [Dailydave] Fwd: my idea of the day
In-Reply-To:
References: <45F959A5.60006@immunityinc.com>
Message-ID:

Forgot to CC: the list... my apologies...

---------- Forwarded message ----------
From: Trey Keifer
Date: Mar 15, 2007 1:52 PM
Subject: Re: [Dailydave] my idea of the day
To: Dave Aitel

This is the closest (and most technical attempt) that I've seen so far...

http://www.storm.net.nz/projects/5

On 3/15/07, Dave Aitel wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> So here's my idea of the day: I want relational triangulation in
> SILICA. I want to be able to click "Find this AP" and then have SILICA
> say "stay still . . . . signal is 99.
> Now take 5 steps to the left....
> signal is 91. Now take five steps forward....signal is 102" and then
> interpolate in "steps" the distance and direction of the access point.
>
> It'd make you look a little silly, but I think it'd be quite useful.
> It's weird the things you find that are useful. For example, it's nice
> to just know what OS every little tiny router is running. Sometimes a
> router will try to "be every IP address", which is very annoying.
>
> - -dave
>
>
> - -dave
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFF+VmhB8JNm+PA+iURAuq9AJ9ZK/xNdPj6ZECd0kGRDtvllYhtfwCgt4+M
> CbxI1q/Pv7d2LlaqvKshrTo=
> =SXLj
> -----END PGP SIGNATURE-----
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20070315/6e8f6cc3/attachment.htm

From jwilkins at gmail.com Thu Mar 15 17:47:18 2007
From: jwilkins at gmail.com (Jonathan Wilkins)
Date: Thu, 15 Mar 2007 14:47:18 -0700
Subject: [Dailydave] my idea of the day
In-Reply-To: <45F959A5.60006@immunityinc.com>
References: <45F959A5.60006@immunityinc.com>
Message-ID: <767ba1040703151447oebbf47eo66c78e2c9704c46c@mail.gmail.com>

Dragos had a little device that did this at CanSec a couple of years ago. I'm not sure of the brand, but I seem to recall it was bright yellow and had a couple of directional antennas for triangulation. I also think it was WinCE based.

It could track clients as well as APs.

Google's not turning up much after a quick search. I'm sure someone on the list can provide a pointer.

On 3/15/07, Dave Aitel wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> So here's my idea of the day: I want relational triangulation in
> SILICA.
> I want to be able to click "Find this AP" and then have SILICA
> say "stay still . . . . signal is 99. Now take 5 steps to the left....
> signal is 91. Now take five steps forward....signal is 102" and then
> interpolate in "steps" the distance and direction of the access point.
>
> It'd make you look a little silly, but I think it'd be quite useful.
> It's weird the things you find that are useful. For example, it's nice
> to just know what OS every little tiny router is running. Sometimes a
> router will try to "be every IP address", which is very annoying.
>
> -dave
>
> -dave

From jwilkins at gmail.com Thu Mar 15 18:02:40 2007
From: jwilkins at gmail.com (Jonathan Wilkins)
Date: Thu, 15 Mar 2007 15:02:40 -0700
Subject: [Dailydave] my idea of the day
In-Reply-To: <767ba1040703151447oebbf47eo66c78e2c9704c46c@mail.gmail.com>
References: <45F959A5.60006@immunityinc.com> <767ba1040703151447oebbf47eo66c78e2c9704c46c@mail.gmail.com>
Message-ID: <767ba1040703151502k7639e12v31390a0c37e82695@mail.gmail.com>

WiFiFoFum has a radar mode
http://www.aspecto-software.com/rw/applications/wififofum/screenshots/index.html

No idea how useful that really is.

On 3/15/07, Jonathan Wilkins wrote:
>
> Dragos had a little device that did this at CanSec a couple of
> years ago. I'm not sure of the brand, but I seem to recall it was
> bright yellow and had a couple of directional antennas for
> triangulation.
> I also think it was WinCE based.
>
> It could track clients as well as APs.
>
> Google's not turning up much after a quick search. I'm sure
> someone on the list can provide a pointer.
>
> On 3/15/07, Dave Aitel wrote:
> >
> > So here's my idea of the day: I want relational triangulation in
> > SILICA. I want to be able to click "Find this AP" and then have SILICA
> > say "stay still . . . . signal is 99. Now take 5 steps to the left....
> > signal is 91. Now take five steps forward....signal is 102" and then
> > interpolate in "steps" the distance and direction of the access point.
> >
> > It'd make you look a little silly, but I think it'd be quite useful.
> > It's weird the things you find that are useful. For example, it's nice
> > to just know what OS every little tiny router is running. Sometimes a
> > router will try to "be every IP address", which is very annoying.
> >
> > -dave
> >
> > -dave
> >

From lcamtuf at dione.ids.pl Thu Mar 15 18:02:41 2007
From: lcamtuf at dione.ids.pl (Michal Zalewski)
Date: Thu, 15 Mar 2007 23:02:41 +0100 (CET)
Subject: [Dailydave] my idea of the day
Message-ID:

On Thu, 15 Mar 2007, Dave Aitel wrote:

[ Repost; Dave, if you get a chance, reject my original post and approve this one instead, I hit Ctrl-X too early; or if it's too late, reject this repost. Thanks.
]

> So here's my idea of the day: I want relational triangulation in
> SILICA. I want to be able to click "Find this AP" and then have SILICA
> say "stay still . . . . signal is 99. Now take 5 steps to the left....
> signal is 91. Now take five steps forward....signal is 102" and then
> interpolate in "steps" the distance and direction of the access point.

Moving several feet to the left or right when not standing next to the device is almost guaranteed not to measure any appreciable signal differences that would not be overpowered by random reflections, RF interference, attenuation caused by walls, chairs, etc, or residual directional characteristics of an antenna (you need to get one that is almost perfectly omnidirectional, or else maintain a precise angle while moving around).

Consider this: when standing 20 meters from the transmitter, facing it in an open, unobstructed, reflection- and interference-free field, moving 2 meters to the left with a perfectly omnidirectional antenna would change the actual distance the signal has to travel by about 0.1%. A precise RF interferometer could work, but signal strength measurements alone are not a useful indication of your location in this axis.

Doing it from 5 meters away will of course work better, but then you're close enough to spot the transmitter by simply observing signal strength while walking around. Circling the area of a suspected transmitter site would yield great results, too, but without a GPS or a set of precise accelerometers, registering or approximating your movements in an indoor environment is unlikely to be easy.
If you're left with only one axis to take meaningful measurements, you wouldn't be able to interpolate the actual distance, because you don't know how powerful the signal would be were you standing next to the transmitter - depends on chips, antenna, settings, terror alert level, and how strong the initial attenuation is (be it caused by ceiling panels, doors, rack mount or a printer it is sitting behind).

As such, standing up, making 5 steps to the right, 5 to the front, 5 to the left, 5 to the back is almost guaranteed to give you no benefit over simply walking around with a traditional meter.

We happen to hunt "pirate" APs in our office buildings from time to time, and even with specialized, directional receivers and quality software, it's still a mess.

That said, there are several tools that allow AP location triangulation in corporate environments, but they usually rely on several fixed measurement points that are 10-50 meters apart, and mounted in a controlled, carefully measured way, and again, *around* the rogue access point, so that absolute measurements can be made. AirMagnet sells something like this.

/mz

From arunkoshy at gmail.com Thu Mar 15 18:24:27 2007
From: arunkoshy at gmail.com (Arun Koshy)
Date: Fri, 16 Mar 2007 09:24:27 +1100
Subject: [Dailydave] interesting paper
Message-ID: <1d0ba3070703151524m73315ab3p81511c91d0b5d05b@mail.gmail.com>

check : http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html

From chris.kuethe at gmail.com Thu Mar 15 19:43:29 2007
From: chris.kuethe at gmail.com (Chris Kuethe)
Date: Thu, 15 Mar 2007 17:43:29 -0600
Subject: [Dailydave] my idea of the day
In-Reply-To: <767ba1040703151447oebbf47eo66c78e2c9704c46c@mail.gmail.com>
References: <45F959A5.60006@immunityinc.com> <767ba1040703151447oebbf47eo66c78e2c9704c46c@mail.gmail.com>
Message-ID: <91981b3e0703151643k7b231cf1k82f9b3aa2cef46a0@mail.gmail.com>

It was a Yellowjacket.
http://www.bvsystems.com/Products/WLAN/Yellowjacket/yellowjacket.htm

CK

On 3/15/07, Jonathan Wilkins wrote:
> Dragos had a little device that did this at CanSec a couple of
> years ago. I'm not sure of the brand, but I seem to recall it was
> bright yellow and had a couple of directional antennas for
> triangulation. I also think it was WinCE based.
>
> It could track clients as well as APs.
>
> Google's not turning up much after a quick search. I'm sure
> someone on the list can provide a pointer.
>
> On 3/15/07, Dave Aitel wrote:
> > So here's my idea of the day: I want relational triangulation in
> > SILICA. I want to be able to click "Find this AP" and then have SILICA
> > say "stay still . . . . signal is 99. Now take 5 steps to the left....
> > signal is 91. Now take five steps forward....signal is 102" and then
> > interpolate in "steps" the distance and direction of the access point.
> >
> > It'd make you look a little silly, but I think it'd be quite useful.
> > It's weird the things you find that are useful. For example, it's nice
> > to just know what OS every little tiny router is running. Sometimes a
> > router will try to "be every IP address", which is very annoying.
> >
> > -dave
> >
> > -dave

--
GDB has a 'break' feature; why doesn't it have 'fix' too?
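The two claims in Michal Zalewski's post above (that a sideways step at 20 m changes RSSI by a vanishing amount, and that fixed sensors placed *around* the AP can locate it) can be put into numbers. The block below is an added worked example; it is not code from this thread, from SILICA, or from any product named in it. It uses a log-distance path-loss model whose parameters (transmit power, 1 m reference loss, path-loss exponent), the sensor layout and the AP position are all assumptions constructed for illustration, not measurements.

```python
"""RSSI geometry for AP hunting: an added worked example.

Not code from the Dailydave thread, SILICA, or any product named in it.
Uses a log-distance path-loss model; every parameter below is an
assumption chosen for illustration, not a measured value.
"""
import math

# Assumed model parameters (illustrative only).
TX_POWER_DBM = 15.0    # AP transmit power plus antenna gain
PL_D0_DB = 40.0        # path loss at the 1 m reference distance (~2.4 GHz)
PATH_LOSS_EXP = 3.0    # indoor exponent; free space would be 2.0


def rssi_dbm(distance_m, n=PATH_LOSS_EXP):
    """Received power predicted by the log-distance model at distance_m."""
    return TX_POWER_DBM - (PL_D0_DB + 10.0 * n * math.log10(distance_m))


def distance_from_rssi(rssi, n=PATH_LOSS_EXP):
    """Invert rssi_dbm: the range a receiver would infer from one reading."""
    return 10.0 ** ((TX_POWER_DBM - PL_D0_DB - rssi) / (10.0 * n))


def lateral_step_delta_db(range_m, step_m, n=PATH_LOSS_EXP):
    """RSSI change (dB) from a sideways step of step_m while range_m from the
    AP, with an ideal omnidirectional antenna and no fading at all."""
    return rssi_dbm(math.hypot(range_m, step_m), n) - rssi_dbm(range_m, n)


def trilaterate(sensors, distances):
    """2-D position from three fixed sensors at known positions and the
    distance each one infers. Subtracting the circle equation of sensor 0
    from the other two gives a linear 2x2 system, solved by Cramer's rule."""
    (x0, y0), (x1, y1), (x2, y2) = sensors
    d0, d1, d2 = distances
    a1, b1 = 2.0 * (x1 - x0), 2.0 * (y1 - y0)
    c1 = d0 ** 2 - d1 ** 2 + x1 ** 2 - x0 ** 2 + y1 ** 2 - y0 ** 2
    a2, b2 = 2.0 * (x2 - x0), 2.0 * (y2 - y0)
    c2 = d0 ** 2 - d2 ** 2 + x2 ** 2 - x0 ** 2 + y2 ** 2 - y0 ** 2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear; no unique solution")
    return (c1 * b2 - b1 * c2) / det, (a1 * c2 - a2 * c1) / det


def locate_ap(sensors, readings_dbm):
    """Fixed-sensor locator: convert each RSSI to a range, then trilaterate."""
    return trilaterate(sensors, [distance_from_rssi(r) for r in readings_dbm])


def demo():
    """Return (clean estimate, estimate with one sensor reading 3 dB low)
    for an AP at a constructed position inside a 30 m sensor triangle."""
    sensors = [(0.0, 0.0), (30.0, 0.0), (0.0, 30.0)]   # constructed layout
    true_ap = (10.0, 12.0)                              # constructed truth
    readings = [rssi_dbm(math.dist(s, true_ap)) for s in sensors]
    clean = locate_ap(sensors, readings)
    # One unmodelled obstruction (a rack door, a wall) costing 3 dB at sensor 0.
    biased = locate_ap(sensors, [readings[0] - 3.0, readings[1], readings[2]])
    return clean, biased


if __name__ == "__main__":
    for rng in (20.0, 5.0):
        print(f"{rng:4.0f} m out, 2 m sideways: "
              f"{lateral_step_delta_db(rng, 2.0):+.3f} dB")
    clean, biased = demo()
    print("fixed sensors, clean readings: (%.2f, %.2f)" % clean)
    print("fixed sensors, one 3 dB error: (%.2f, %.2f)" % biased)
```

Under these assumptions the 2 m sideways step at 20 m moves RSSI by a few hundredths of a dB, well under the 1 dB granularity most drivers report and far below the several dB of indoor fading, which is the geometric core of the objection; at 5 m it is about 1 dB, consistent with the observation that close in you can already spot the AP by walking around. The fixed-sensor layout recovers the constructed position exactly from clean readings, and a single 3 dB error at one sensor (with exponent 3, a 26% range error) drags the fix several metres, which is why such systems need calibrated, surveyed mounting points rather than a handheld.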
From cvoid at morphine.com Thu Mar 15 20:05:27 2007
From: cvoid at morphine.com (christian void)
Date: Thu, 15 Mar 2007 16:05:27 -0800 (PST)
Subject: [Dailydave] my idea of the day
In-Reply-To: <767ba1040703151502k7639e12v31390a0c37e82695@mail.gmail.com>
References: <45F959A5.60006@immunityinc.com> <767ba1040703151447oebbf47eo66c78e2c9704c46c@mail.gmail.com> <767ba1040703151502k7639e12v31390a0c37e82695@mail.gmail.com>
Message-ID: <20070315160159.G91981@spam.musubi.org>

On Thu, 15 Mar 2007, Jonathan Wilkins wrote:

> WiFiFoFum has a radar mode
> http://www.aspecto-software.com/rw/applications/wififofum/screenshots/index.html
>
> No idea how useful that really is.

after thinking about it for a sec, you could probably just use null-detection with a directional antenna and take a couple of power readings to find the null at several locations. it's pretty old school rdf but i don't see why you couldn't code it up by reading s-levels of the incoming signal, etc.

something using doppler shift with an array of antennas (it's 2.4GHz so the antennas are small, this could be handheld) would just give you a bearing. lots of gear out there to do this, some of the better stuff is even "open source" if you will. a wifi doppler shift rdf box that could be velcroed to a laptop would be sweet.

--
christian void
cvoid at morphine.com
http://www.morphine.com/void/

From bigschu at moments-in-time.net Thu Mar 15 20:32:40 2007
From: bigschu at moments-in-time.net (bigschu at moments-in-time.net)
Date: Thu, 15 Mar 2007 17:32:40 -0700
Subject: [Dailydave] my idea of the day
Message-ID: <20070315173240.548e9e1c886ac0a4cb1ee46e2ba6239a.7aa01d32de.wbe@email.secureserver.net>

I'm guessing the product referred to below is one from Berkeley Varitronics (www.bvsystems.com). They have a number of spectrum analysis and wi-fi specific products as well as their Hive mapping software.
The webpage for the YellowjacketPLUS 802.11b (http://www.bvsystems.com/Products/WLAN/Yellowjacket+/yellowjacket+.htm) gives a quick run-down of some product capabilities.

Mike

> -------- Original Message --------
> Subject: Re: [Dailydave] my idea of the day
> From: "Jonathan Wilkins"
> Date: Thu, March 15, 2007 2:47 pm
> To: "Dave Aitel"
> Cc: dailydave
>
> Dragos had a little device that did this at CanSec a couple of
> years ago. I'm not sure of the brand, but I seem to recall it was
> bright yellow and had a couple of directional antennas for
> triangulation. I also think it was WinCE based.
>
> It could track clients as well as APs.
>
> Google's not turning up much after a quick search. I'm sure
> someone on the list can provide a pointer.
>

From cowboym at shmoo.com Thu Mar 15 20:56:55 2007
From: cowboym at shmoo.com (Cowboym)
Date: Thu, 15 Mar 2007 16:56:55 -0800 (AKDT)
Subject: [Dailydave] my idea of the day
In-Reply-To: <767ba1040703151447oebbf47eo66c78e2c9704c46c@mail.gmail.com>
Message-ID:

The YellowJacket from BV Systems sounds quite similar to what you're describing:
http://www.bvsystems.com/Products/WLAN/Yellowjacket/yellowjacket.htm

-cowboym

On Thu, 15 Mar 2007, Jonathan Wilkins wrote:

From midnitrcr at gmail.com Fri Mar 16 10:32:52 2007
From: midnitrcr at gmail.com (Trey Keifer)
Date: Fri, 16 Mar 2007 09:32:52 -0500
Subject: [Dailydave] my idea of the day
In-Reply-To:
References:
Message-ID:

In regards to your comment about accelerometers... The MEMS based market has had significant improvements thanks to companies like Analog Devices**, I have a couple of their dual-axis devices sitting on my desk right now for another project. That piece of the problem could be easily solved depending on your definition of "precise." The effect of small distance variations on signal strength unfortunately I've never read up on. I'll leave that one up to the RF experts...

**disclaimer...
I have no affiliation or interest in AD, I just think their products are cool. :)

On 3/15/07, Michal Zalewski wrote:
>
> On Thu, 15 Mar 2007, Dave Aitel wrote:
>
> [ Repost; Dave, if you get a chance, reject my original post and
> approve this one instead, I hit Ctrl-X too early; or if it's too late,
> reject this repost. Thanks. ]
>
> > So here's my idea of the day: I want relational triangulation in
> > SILICA. I want to be able to click "Find this AP" and then have SILICA
> > say "stay still . . . . signal is 99. Now take 5 steps to the left....
> > signal is 91. Now take five steps forward....signal is 102" and then
> > interpolate in "steps" the distance and direction of the access point.
>
> Moving several feet to the left or right when not standing next to the
> device is almost guaranteed not to measure any appreciable signal
> differences that would not be overpowered by random reflections, RF
> interference, attenuation caused by walls, chairs, etc, or residual
> directional characteristics of an antenna (you need to get one that is
> almost perfectly omnidirectional, or else maintain a precise angle while
> moving around).
>
> Consider this: when standing 20 meters from the transmitter, facing it in
> an open, unobstructed, reflection- and interference-free field, moving 2
> meters to the left with a perfectly omnidirectional antenna would change
> the actual distance the signal has to travel by about 0.1%. A precise RF
> interferometer could work, but signal strength measurements alone are not a
> useful indication of your location in this axis.
>
> Doing it from 5 meters away will of course work better, but then you're
> close enough to spot the transmitter by simply observing signal strength
> while walking around. Circling the area of a suspected transmitter site
> would yield great results, too, but without a GPS or a set of precise
> accelerometers, registering or approximating your movements in an indoor
> environment is unlikely to be easy.
>
> If you're left with only one axis to take meaningful measurements, you
> wouldn't be able to interpolate the actual distance, because you don't
> know how powerful the signal would be were you standing next to the
> transmitter - depends on chips, antenna, settings, terror alert level, and
> how strong the initial attenuation is (be it caused by ceiling panels,
> doors, rack mount or a printer it is sitting behind).
>
> As such, standing up, making 5 steps to the right, 5 to the front, 5 to
> the left, 5 to the back is almost guaranteed to give you no benefit over
> simply walking around with a traditional meter.
>
> We happen to hunt "pirate" APs in our office buildings from time to time,
> and even with specialized, directional receivers and quality software,
> it's still a mess.
>
> That said, there are several tools that allow AP location triangulation in
> corporate environments, but they usually rely on several fixed measurement
> points that are 10-50 meters apart, and mounted in a controlled, carefully
> measured way, and again, *around* the rogue access point, so that absolute
> measurements can be made. AirMagnet sells something like this.
>
> /mz

From robert_david_graham at yahoo.com Fri Mar 16 17:18:23 2007
From: robert_david_graham at yahoo.com (Robert Graham)
Date: Fri, 16 Mar 2007 14:18:23 -0700 (PDT)
Subject: [Dailydave] Fwd: my idea of the day
In-Reply-To:
Message-ID: <60112.71210.qm@web51008.mail.re2.yahoo.com>

I would guess that handhelds are not omnidirectional, but directional.
Therefore, I'd mount the device on a gimbal, measure the signal coming out of it from every possible direction and find out which way to point it.

Your body interacts with the signal. I'd guess that you can exploit this, such as blocking part of the signal with your body.

--- Trey Keifer wrote:

> Forgot to CC: the list... my apologies...
>
> ---------- Forwarded message ----------
> From: Trey Keifer
> Date: Mar 15, 2007 1:52 PM
> Subject: Re: [Dailydave] my idea of the day
> To: Dave Aitel
>
> This is the closest (and most technical attempt) that I've seen so far...
>
> http://www.storm.net.nz/projects/5
>
> On 3/15/07, Dave Aitel wrote:
> >
> > So here's my idea of the day: I want relational triangulation in
> > SILICA. I want to be able to click "Find this AP" and then have SILICA
> > say "stay still . . . . signal is 99. Now take 5 steps to the left....
> > signal is 91. Now take five steps forward....signal is 102" and then
> > interpolate in "steps" the distance and direction of the access point.
> >
> > It'd make you look a little silly, but I think it'd be quite useful.
> > It's weird the things you find that are useful. For example, it's nice
> > to just know what OS every little tiny router is running. Sometimes a
> > router will try to "be every IP address", which is very annoying.
> >
> > -dave

From dfc at anize.org Thu Mar 15 20:02:05 2007
From: dfc at anize.org (Douglas F.
Calvert)
Date: Thu, 15 Mar 2007 20:02:05 -0400
Subject: [Dailydave] my idea of the day
In-Reply-To: <767ba1040703151447oebbf47eo66c78e2c9704c46c@mail.gmail.com>
References: <45F959A5.60006@immunityinc.com> <767ba1040703151447oebbf47eo66c78e2c9704c46c@mail.gmail.com>
Message-ID: <45F9DE7D.70006@anize.org>

Jonathan Wilkins wrote:
> Dragos had a little device that did this at CanSec a couple of
> years ago. I'm not sure of the brand, but I seem to recall it was
> bright yellow and had a couple of directional antennas for
> triangulation. I also think it was WinCE based.
>
> It could track clients as well as APs.
>
> Google's not turning up much after a quick search. I'm sure
> someone on the list can provide a pointer.
>

The bumblebee from bvs fits this description:
http://www.bvsystems.com/Products/WLAN/BumbleBee/bumblebee.htm

The newer models are not nearly as cool looking...
http://www.bvsystems.com/Products/WLAN/YJPLUS802.11a/YJPLUS802.11a.htm

--
Douglas F. Calvert -/- dfc at anize.org
0xC9541FB2 / 0817 30D4 82B6 BB8D 5E66 06F6 B796 073D C954 1FB2

From cvoid at morphine.com Thu Mar 15 19:55:12 2007
From: cvoid at morphine.com (christian void)
Date: Thu, 15 Mar 2007 15:55:12 -0800 (PST)
Subject: [Dailydave] my idea of the day
In-Reply-To: <767ba1040703151447oebbf47eo66c78e2c9704c46c@mail.gmail.com>
References: <45F959A5.60006@immunityinc.com> <767ba1040703151447oebbf47eo66c78e2c9704c46c@mail.gmail.com>
Message-ID: <20070315155319.F91981@spam.musubi.org>

On Thu, 15 Mar 2007, Jonathan Wilkins wrote:

> Dragos had a little device that did this at CanSec a couple of
> years ago.
> I'm not sure of the brand, but I seem to recall it was
> bright yellow and had a couple of directional antennas for
> triangulation. I also think it was WinCE based.
>
> It could track clients as well as APs.
>
> Google's not turning up much after a quick search. I'm sure
> someone on the list can provide a pointer.

sounds like a berkeley varitronics grasshopper. used one a while back to find rogue access points. incredibly useful piece of gear. being a radio freak, i drool over their stuff a lot...

http://www.bvsystems.com/

--
christian void
cvoid at morphine.com
http://www.morphine.com/void/

From dr at kyx.net Sat Mar 17 05:46:40 2007
From: dr at kyx.net (Dragos Ruiu)
Date: Sat, 17 Mar 2007 02:46:40 -0700
Subject: [Dailydave] my idea of the day
In-Reply-To: <200703170233.19699.dr@kyx.net>
References: <45F959A5.60006@immunityinc.com> <91981b3e0703151643k7b231cf1k82f9b3aa2cef46a0@mail.gmail.com> <200703170233.19699.dr@kyx.net>
Message-ID: <200703170246.40762.dr@kyx.net>

On March 17, 2007 02:33:18 am Dragos Ruiu wrote:
> On March 15, 2007 04:43:29 pm Chris Kuethe wrote:
> > It was a Yellowjacket.
> >
> > http://www.bvsystems.com/Products/WLAN/Yellowjacket/yellowjacket.htm
> >
> > CK
> >
> > On 3/15/07, Jonathan Wilkins wrote:
> > > Dragos had a little device that did this at CanSec a couple of
> > > years ago. I'm not sure of the brand, but I seem to recall it was
> > > bright yellow and had a couple of directional antennas for
> > > triangulation. I also think it was WinCE based.
> > >
> > > It could track clients as well as APs.
> > >
> > > Google's not turning up much after a quick search. I'm sure
> > > someone on the list can provide a pointer.
> > >
> > > On 3/15/07, Dave Aitel wrote:
> > > > So here's my idea of the day: I want relational triangulation in
> > > > SILICA. I want to be able to click "Find this AP" and then have
> > > > SILICA say "stay still . . . . signal is 99.
> > > > Now take 5 steps to the
> > > > left.... signal is 91. Now take five steps forward....signal is 102"
> > > > and then interpolate in "steps" the distance and direction of the
> > > > access point.
> > > >
> > > > It'd make you look a little silly, but I think it'd be quite useful.
> > > > It's weird the things you find that are useful.