From arunkoshy at gmail.com Wed May 2 23:53:06 2007
From: arunkoshy at gmail.com (Arun Koshy)
Date: Thu, 3 May 2007 13:53:06 +1000
Subject: [Dailydave] tool alpha : MutantMon ?
Message-ID: <1d0ba3070705022053g678998ffu708092307aa7a9c3@mail.gmail.com>

Hello,

Since about Jan this year, a friend and I have been coding a small tool for some unknown purpose. It's a mutation / extension of a variety of file access monitoring tools produced by Sysinternals (diskmon / filemon?) and the similar samples in the WDK (erstwhile DDK). The mutation does a few interesting things like watching for patterns / regexps etc.

I am looking for people with backgrounds in testing / coding filter drivers who are generally comfortable with analyzing malcode / breaking things / applied math. Cross-lurkers/contributors to osronline / rootkit.com etc. are welcome.

A short "About You" along with a private response to this post would be appreciated, based on which you will be added to the list of cool folks who will get the tool by the end of May. Of course, if you are so elite that you don't need an "About You", that's okay too. The proviso is that eliteness would be decided by us.

Haven't thought of a name, so names can be suggested too. For the meanwhile we can call it, say, MutantMon? ;-)

Thanks.

From dave at immunityinc.com Thu May 3 11:05:33 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Thu, 03 May 2007 11:05:33 -0400
Subject: [Dailydave] Punching above your weight class
Message-ID: <4639FA3D.4050507@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The best hacker teams in the world right now may belong to organized crime groups. In my spare time in between packing lunch boxes and cleaning the floor under the high chair, I've been thinking about ways in which these organizations differ from most commercial companies who do penetration testing. A company has a rather large budget, dedicated infrastructure, and an experienced and skilled staff.

So why do so many of them fight like flabby novices? The fact is, giving someone a LOT of money, and a big mission to solve, often gives them a good excuse to get fat and useless. I don't know how to solve your problem if you're a hundred million dollar attack team yet. But if you're at ten million or less, these are the rules I've come up with.

Six Rules for Punching Above Your Weight Class:

o Never use an exploit in the wild you don't completely understand. If you can't debug it on the fly, you can't use it.
o Don't split up research from attack. Your research team needs to be focused on the mission.
o Develop a fast-reaction team that can hit easy or very time critical vulnerabilities within 8 hours or less.
o Be target focused.
o Develop technical partnerships with other people who can write exploits. There just aren't that many of them.
o One team, one mission. People naturally want to work on only Windows or only Unix, but that's not the way to success. Find people who can work on the whole picture.

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGOfo7B8JNm+PA+iURAmnWAJ9fMkFiaNwsiOsiKUqgq2p3bJsv9QCg6u+7
Yc5yKpsBP3b857WvhQRtXkc=
=rzBU
-----END PGP SIGNATURE-----

From bjack at juniper.net Fri May 4 19:04:09 2007
From: bjack at juniper.net (Barnaby Jack)
Date: Fri, 4 May 2007 19:04:09 -0400
Subject: [Dailydave] New embedded attack class
Message-ID: <9BD5D7887235424FA97DFC223CAE3C280623B0E5@proton.jnpr.net>

Hey all,

I've released a short paper on the new attack class mentioned in my CSW presentation.

Respect to all those who didn't buy into quack speculation before the talk was given :)

Vector Rewrite Attack: Exploitable NULL pointer vulnerabilities on ARM and XScale architectures
http://www.juniper.net/solutions/literature/white_papers/Vector-Rewrite-Attack.pdf

-Barnes

From bjack at juniper.net Fri May 4 19:22:02 2007
From: bjack at juniper.net (Barnaby Jack)
Date: Fri, 4 May 2007 19:22:02 -0400
Subject: [Dailydave] New embedded attack class
Message-ID: <9BD5D7887235424FA97DFC223CAE3C280623B0E7@proton.jnpr.net>

Hey all,

I've released a short paper on the new attack class mentioned in my CSW presentation.

Respect to all those who didn't buy into quack speculation before the talk was given :)

Vector Rewrite Attack: Exploitable NULL pointer vulnerabilities on ARM and XScale architectures
http://www.juniper.net/solutions/literature/white_papers/Vector-Rewrite-Attack.pdf

-Barnes

From assault at hush.com Sat May 5 05:53:05 2007
From: assault at hush.com (assault at hush.com)
Date: Sat, 05 May 2007 12:53:05 +0300
Subject: [Dailydave] New embedded attack class
Message-ID: <20070505095310.60A8CC383F@mailserver10.hushmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

i can't seem 2 find a references section in your paper that links to previous work in the subject. is this an intended rip-off or are you simply another amateur? otoh:

http://lists.immunitysec.com/pipermail/dailydave/2007-March/004136.html
http://ilja.netric.org/files/Unusual%20bugs%2023c3.pdf

i'm also not buying into this whole "new attack class" thing. can you really call exploiting null derefs (something that we knew possible for quite a while) a "new attack class" because you "found" a platform-specific way to attack them? i'd say it's a new attack vector, if anything.

and please, can the security industry pull itself together and stop publishing half-baked material? i know the job market is tough and you need to justify your salary, but this is getting ridiculous...

assault

On Sat, 05 May 2007 02:22:02 +0300 Barnaby Jack wrote:
>Hey all,
>
>I've released a short paper on the new attack class mentioned in
>my CSW presentation.
>
>Respect to all those who didn't buy into quack speculation before
>the talk was given :)
>
>Vector Rewrite Attack: Exploitable NULL pointer vulnerabilities on
>ARM and XScale architectures
>http://www.juniper.net/solutions/literature/white_papers/Vector-Rewrite-Attack.pdf
>
>-Barnes
>_______________________________________________
>Dailydave mailing list
>Dailydave at lists.immunitysec.com
>http://lists.immunitysec.com/mailman/listinfo/dailydave

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkY8U08ACgkQwRKs9FnnsLTe2AP+LSfdCX6dnwWROzxXuJYq8zo96Fpx
3i78PuGAR1wEO1+kUtjwSzyYFLBTywp0N77/unYk4zDZs6+re0agFflXt8ZAfXNqagda
AlJ5AGoVsiyNaLLMRMPq9CaGslaIUGLtg0NkVSbjZhDGyN0Sh44gj19uVSgL4SXjp6v6
3B0C7zA=
=ACzq
-----END PGP SIGNATURE-----

From bjack at juniper.net Sat May 5 15:53:29 2007
From: bjack at juniper.net (Barnaby Jack)
Date: Sat, 5 May 2007 15:53:29 -0400
Subject: [Dailydave] New embedded attack class
References: <9BD5D7887235424FA97DFC223CAE3C280623B0E7@proton.jnpr.net>
Message-ID: <9BD5D7887235424FA97DFC223CAE3C280623B0F1@proton.jnpr.net>

I've had a few discussions with some people on whether this should be billed as an attack class. I tend to agree this should be re-worded.

Let's go with "New exploitation method"

Cheers!
-Barnes

________________________________

From: dailydave-bounces at lists.immunitysec.com on behalf of Barnaby Jack
Sent: Fri 5/4/2007 7:22 PM
To: dailydave at lists.immunitysec.com
Subject: [Dailydave] New embedded attack class

Hey all,

I've released a short paper on the new attack class mentioned in my CSW presentation.

Respect to all those who didn't buy into quack speculation before the talk was given :)

Vector Rewrite Attack: Exploitable NULL pointer vulnerabilities on ARM and XScale architectures
http://www.juniper.net/solutions/literature/white_papers/Vector-Rewrite-Attack.pdf

-Barnes
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave

From dr at kyx.net Sat May 5 20:12:52 2007
From: dr at kyx.net (Dragos Ruiu)
Date: Sat, 5 May 2007 17:12:52 -0700
Subject: [Dailydave] New embedded attack class
In-Reply-To: <20070505095310.60A8CC383F@mailserver10.hushmail.com>
References: <20070505095310.60A8CC383F@mailserver10.hushmail.com>
Message-ID: <200705051712.53401.dr@kyx.net>

On Saturday 05 May 2007 02:53, assault at hush.com wrote:
> i cant seem 2 find a references section in your paper that links to
> previous work in the subject. is this an intended rip-off or are
> you simply another amateur? otoh:
>
> http://lists.immunitysec.com/pipermail/dailydave/2007-March/004136.html
> http://ilja.netric.org/files/Unusual%20bugs%2023c3.pdf

You can find some of the references in Barnaby's previous presentation, archived on the CanSecWest site.

> i'm also not buying into this whole "new attack class" thing. can
> you really call exploiting null derefs (something that we knew
> possible for quite a while) a "new attack class" because you
> "found" a platform-specific way to attack them? i'd say it's a new
> attack vector, if anything.

Vector would imply a simple, single instance, which would be inappropriate... as Barnaby's class embodies many individual attack vectors across many pieces of ARM/PXA code. "Class" is the appropriate term to use.

And though people may have known about exploiting null derefs through the interrupt vector table, credit goes to Barnaby for documenting and explaining the methodology publicly - which, if anyone else knew about it, they didn't do.

cheers,
--dr

From pageexec at freemail.hu Sun May 6 05:32:19 2007
From: pageexec at freemail.hu (pageexec at freemail.hu)
Date: Sun, 06 May 2007 11:32:19 +0200
Subject: [Dailydave] New embedded attack class
In-Reply-To: <9BD5D7887235424FA97DFC223CAE3C280623B0F1@proton.jnpr.net>
References: <9BD5D7887235424FA97DFC223CAE3C280623B0E7@proton.jnpr.net>, <9BD5D7887235424FA97DFC223CAE3C280623B0F1@proton.jnpr.net>
Message-ID: <463DBCC3.16662.14330197@pageexec.freemail.hu>

On 5 May 2007 at 15:53, Barnaby Jack wrote:
> I've had a few discussions with some people on whether this should be
> billed as an attack class. I tend to agree this should be re-worded.
>
> Let's go with "New exploitation method"

maybe not that new either... google for "AbsExecBase null", without the quotes. the AmigaOS is 20 years old or so ;-)

From shadown at gmail.com Sun May 6 11:45:45 2007
From: shadown at gmail.com (shadown)
Date: Sun, 6 May 2007 17:45:45 +0200
Subject: [Dailydave] Vulnerabilities Hashes DB needed
Message-ID:

[Moderator: I ask you to accept this mail, so that the community may come up with a solution. Thanks in advance.]

Hi,

In the recent past I have had to confront some issues when reporting vulnerabilities to vendors. I'm not going to disclose the vendors' names because that is not the goal of this mail; the goal is to come up with a solution. I'm asking the researcher community and whoever can help us to come up with the best solution. In this mail I'll explain my reasons and what I think is the best solution (actually I've borrowed the idea from others) and ask the community if someone thinks there is a better one.

Reasons:
--------

1- I contacted a vendor and, after getting the right security contact to send the vulnerabilities to, I sent the PGPed PoC files. Then the vendor didn't get back to me any more. After a month I contacted the vendor again, and the vendor said: 'oh, I didn't receive the mail'. I resent the mail and the vendor replied: 'I've tried the PoC files and none of them worked, probably our internal testing team found them'. After receiving that answer from the vendor I downloaded the software again and the vulnerabilities were fixed. I did a binary diff to analyze OLD vs. NEW version and, extraordinarily, the bug I had reported + two other bugs were fixed, which was a bit suspicious. I asked the vendor about this and the vendor replied the following:

"""
It's hard to imagine that the respective fix would be directly related to your files because we haven't had them. Don't get me wrong, we have no problem crediting anyone who reports bugs to us, helping us to improve our software (just as we did e.g. in the case of version XXXXX where we credited XXX YYYY - see http://www.linktothecredit ) but I don't think this applies here, really...

Sorry - maybe you can find some other overruns in the current build? (or, even better, in the build that's coming out in about a week - because that one has some new fixes in it, too [so it's theoretically possible you'd hit something that has already been fixed, too]).
"""

This was the case with one vendor, and a pretty similar situation with others. (Of course there was excellent communication with some other vendors, but that is out of the scope of the solution that I want to come up with.)

2- There are some vendors that are really difficult to deal with. It took me about 4 months to get the right contact to report the bugs to, and this would be another thing to think about: a public 'Vendor's Vulnerability Reporting Contact DB/List'.

As I do believe in responsible disclosure, I don't agree with 'giving up and launching 0days' so that vendors eat their s**t; the following is what I think is the best solution for it.

Solution:
---------

First of all: I've taken this idea from Matasano and Halvar, who were the ones I've seen do this in the past.

The main mailing list should create a 'Vulnerabilities Hashes mailing list' where the researcher community can send the hashes of the PoC files just before they contact the vendors. That way, if the vendors do not give the proper credit to the researchers, at least the researchers will have another proof to show that they were the ones that reported the vulnerabilities, and not just the mails they've exchanged with the vendors.

Final Comments:
---------------

I'm pretty sure that a lot of researchers have had this kind of problem in the past and this is really frustrating.

*** I don't want this mail to end up being a: "Oh, yes, I have this problem with xxx", and so on. Please don't do that because it is NOT the goal of this mail. Just bring your ideas to improve this and to make this 'Vulnerability Hashes mailing list' happen. ***

The following are the MD5, SHA-1 and SHA-256 hashes of the vulnerabilities that I'll be reporting to the vendors after sending and seeing this post in the mailing list. These are vendor-based hashes, because probably in some cases the PoC files behind these hashes may affect other vendors, but as I didn't try with other vendors I don't deserve the credit for the vendors where I didn't spot vulnerabilities; if another researcher finds the same bugs in other vendors, they are the ones that deserve the credit for that.
AhnLab V3:
----------

65d9c1f2a9f3e7cf90e814ad27c7868b
bf6460b08b07b9fdfc90e243e8c72b326b4070f4
e766ac5bedb1144a8bb0426382aec5b58d9fcbf2ac560c321e474f57124c322b

Avira Antivir:
--------------

6be69d215a9abee4c5966243fbd074a2
34ad8cd7fd38a8c6af9d6e13bd2bbe72806ceee4
1094efa900cd1b0bcacbd38fa6ebee65bace529227512d25cdeede4dadbaef7b

770206b8b023069913315bc0ad15fa7f
a1c5a301e1898e5749eb8bdb477f7ff786142a6d
ecc1a63d3c7e1c21a6d92d8b5d7889038861bf09f43c5ab81d84ff6f3a9c166c

cd180ca57fccb2611eded02789830803
25d610387e7a7c2a372e8cc612b495c3145e9768
6d4ddde75ecaddd0780420485d4a973cb1d9ba0df2c1fef15ca8a1a29d67f640

c40a37cd215c7cca64310984b6b7a848
4c09a09683328f4a0a56f4ca523b5d25e4a9f618
dbb89a4f297a050df445cb8a0e81b5753f32a4fe0d8b40f648572152215977da

76105c8caf97785c9fa330481b13713d
0ee01fa4ab0f9a3504201ce02a4c53547a8efbb4
eae7a347cbd805bce87ca8303d4de98729034228a1a94b999c01bb132f4738f2

AntivirusKit:
-------------

f308330ddc4fe26c0458a148f9594759
36a5feb922e8163be67a85018294d9e179cbcec7
6da70b2be86525ae5fc654cc293a44437ee6ca912668eff7501ef529a5be4196

f9a42de55118798f2920a2b1072c8444
f62f63ac4aee1295cbf7a636e13e5cba7f6474a5
8d8be8e6bd765c8822696d2af58f53f386987129c7ceca43f051f026d4073a7a

56865f1768d2a646ce0e9e8d436ec67b
0dfcb3a5c004665821f58afe3ddc7aca52411919
fd66434954edd4e07265660a37be5737e08414b033901905e5e535a4431aee7b

6511e2fdc0f721a47c4e8a1d626108f2
9fc5010703bcccdab67f4c61b2144f06c1ed6679
0c42ceba2e181cc943a330ea7d9e9ed7b05cb2602b50c10693ab3515d0d3776c

e2927d23417de42c00f6570179fa0ab4
5a654b60b4e5d7b971393993bf74bff6b7babf4c
a0b47cb536e58f060fd193e44cad1c282964bf02d743eeb375496d96e9852492

e29cf7b7613bfdbb9a0c1b4114527251
712e1835f88a75b50b902b5aeb8c63199d634da8
0b8b843e0e123464275b75fd1d21a808233389204df10accca0d9b29884d8c27

99558b6186c3af5415dac0488b0f4a0d
fb6504beb4934e9c4656121d0efd224b3e12da04
b339d6e1ea6d76a297b691b989a650c47392d063a7ee8394ac3a104e831cd97b

136eeda72cff4ce605424dd4566b5c5b
d79e8ece11468fffadd9ce0f24d6904544882979
2fb06f226571cb9f097d2ebcdef89898d70033bdd092233fea048fb345d318ad

a8f265a5d767f40a942a93be4ace83f4
1aee982c67d3557dcb77989c36ff4c35115eb8c7
957da7450f57781ac32f3a7ff7dcb5c975f5039f7684482706f1cd2dc61bc732

Avast Antivirus:
----------------

24b53bacfa2f6aeba6226466d6a96758
7bccb6233ae8356928f49ece594af2ec05654ec7
e07652d14834e267a661892a240be7185035942224c9386e68cbdeb1e636369a

df88c0d9489a877eca251f6977f07d0b
dca5faa757d3a7d72bf37873db8dae7e0f002cd1
65271e3d3a5e4f70f337b19b661f8ed5521777715c3c7223c5bde05f5ab826b9

649666668e1f0a219c0bd9619aff5d91
839c714d4b28bf903c6ccd0b1b7a6fdf5c46c01a
41c263ea1ce75411792f5853c8c02bf1ccf06708f09cd874490ef11623b85d55

0f16d47de15ebbcd30ecad2b3ba9aea2
51f859523e3d1d7eb8549ac27bc0ce292dfb940d
54806f6d3c6d193ea874057bc1d04e403c99c51fcf46dacbf3fdffc8a7033244

f1f4ac1d188c020f8e9a651555279227
dd2cd2fafe3d98b099a7504bd94089c1deec680a
cb5e46bb6abe10a8bc35dbb24991770f6433d7b5981998604164bb43ec2676bc

4696e1bb5e73620c6e715d9c727ac7f6
a240b8bdd748a15ef6e451e4a327258367e7c07c
2181db5345a3d04c83cbf5ca8442fecfeb1f3825ec0a7516f07eaebd03ee234a

40a82d15fcb2cd982fde52b5d90e7d49
b5248dd45ff405a0c75e7771c25ce1d8cdc2dfd2
cdedcb945de7855b9ff791ce1d0dff0bacccd715eaf61942676b4153f9783cda

df519bca64476f0f7e0a973c31e0828a
b46ac3f62a1dd0b9f1dc99d822913cd588f6ee68
003f657a4451b1e34de81862af10eac5cb25950406925e1f837ffc5f2ff2d4a3

193a39e6e57c5fe1e673cd60fc9f838d
d2bdb2e33a3c0922918d0badbec70d830228586c
dcbeefec4bb40fc39523284073ef5d1f6773786e286949d588e182de490ed74f

835899502d90cf4a435aa4392b2b03f4
ec81ee8d7239a89346e1e17ad4f018da180d5310
b019d4dcfd6db786ee13ed80f6e90b0faeb23f90b8dcb1061a718f9446e39e22

2ec5e7d881bd4792fe63992a052aa054
3bc58e9f7f1d9efc2d2a599b430ca745b810fbcc
bd5d5e96fc091a21ac3c1e1e24276fb22cd42dc7b56569de23811ab7196df5e1

df519bca64476f0f7e0a973c31e0828a
b46ac3f62a1dd0b9f1dc99d822913cd588f6ee68
003f657a4451b1e34de81862af10eac5cb25950406925e1f837ffc5f2ff2d4a3

193a39e6e57c5fe1e673cd60fc9f838d
d2bdb2e33a3c0922918d0badbec70d830228586c
dcbeefec4bb40fc39523284073ef5d1f6773786e286949d588e182de490ed74f

835899502d90cf4a435aa4392b2b03f4
ec81ee8d7239a89346e1e17ad4f018da180d5310
b019d4dcfd6db786ee13ed80f6e90b0faeb23f90b8dcb1061a718f9446e39e22

2ec5e7d881bd4792fe63992a052aa054
3bc58e9f7f1d9efc2d2a599b430ca745b810fbcc
bd5d5e96fc091a21ac3c1e1e24276fb22cd42dc7b56569de23811ab7196df5e1

7f1dfbef6cbb128480a89c518ef5e7b6
86dfabefece6ced61521cca7a8d573214bacc61d
abf0a439abadd50cf7871e14f7b0fecf6d24b0257679e186b4a8cfa5c95db26f

2c799b6dd1a95ac3f7ae9cb6550145ef
e509214a69108485821a370d48a22ae519feda42
fc204ac5f18b04a36570273035300004d16ab38b990e7c699743f4bbe1c8cd73

8505d6f3bb638c47a51c1e954945219d
0923321102a3a6ef606a54ea6375118e5003e7d2
f5103f808ba9e227ebf8f16f361a1710f6f083757d56d40a2c6dcd64f4578499

Grisoft AVG:
------------

7ed40b565903c3788157f1b7facd3e8c
d95141a18c0d49e3ef4da4ae4164460c04df571a
018f888c8f9a280c2a546d70646cfdfb002127f786777036190227f82438e99f

4cf5ea82eeb3526584bbc0e648859f28
4872d5a93ce3caafd2398b948a17c535fe1c178d
fc528e338ff779041cd7d43d5175461cbec51476bc83bab993930c894b4ab27f

3f30645d19a29120e3ed6667023f9b26
d8e468bb9b6d224e322a08e6b813d9a891a7a37c
e88ad4becf6ba0917e9187b7dcc907e2f0d1789e71dd8328f455662405afcacc

9723df4678b88056e18727fadfc523f5
21823e87f72ae6268f67f27dda6e1fd97162baa0
22c7987f4c9f0ae996e322547afd8f70dd0c1e579bebd9505d1d8106c6a8c47f

CA eTrust:
----------

b1ad7836c4c5f13acd39a7554cb4a74c
b21fdf4ac22cb040ceb060a5ce9369344a012ea5
3c39bf686d8cfa8d5901c10b6faff8e15f53eb5a7b09226893c5ec0add63e819

bb41ecd6340ddadf1b342569f545e0b3
38405393b9145bf92c3ce2b9f887bbb200578c15
cc933471d8a8c1ff2216209b5063b5ebc77e86846d0b5d4809763af1277fcf93

830b9443c1d9a2c3a3c22a61e141ff67
a5eb5a4bfab519db6db1270dda12a3eed36e99e6
ef3a5733a48728564781c3d5d7bf364f7c6b8c2dc9f62fbf7abd07c361e1078b

e29cf7b7613bfdbb9a0c1b4114527251
712e1835f88a75b50b902b5aeb8c63199d634da8
0b8b843e0e123464275b75fd1d21a808233389204df10accca0d9b29884d8c27

F-Secure Antivirus:
-------------------

8029afc917c99b76211376677bec7025
0e8b7674771c1cbd8860f73b1ce53aa88720c7d3
107b3efdeab6e622cc164c4cdde5366ca1d4aac7e263217e0b41c7dcbff3b025

2c4c3f6b89c7c395842b41a697cad411
b7d769358b594770d392bd57cbc9e56ece99b422
548b4b246be5ed4cf962d556c20c96c35994269f06b5ddedd7aa7e7248e9e250

657d39f36ac3f09f46ec30ed25a66a48
3ca8a75f157cecb89ab8a9cf29b5589536428d50
1fd43a88cf07ef8f5f1f35f656fbb08b2d16ad273363e88fa2efe4a056937f4a

d27a2fb4a40b785e25a450bb3acfd793
6b1d6d0754711ff5bafd84b1ed5a9ceeb88f3a53
e50e14059f17895efcfb7f60ff0be061cf49fa4a288c63ec494991555667da32

McAfee VirusScan:
-----------------

a8f265a5d767f40a942a93be4ace83f4
1aee982c67d3557dcb77989c36ff4c35115eb8c7
957da7450f57781ac32f3a7ff7dcb5c975f5039f7684482706f1cd2dc61bc732

ee44ef6cf5cb0a8debae2adf18a33579
a4a386f2b911b7bb9fc3572935032bb56c9a5d85
c8d017c4f095b2f45623117d80433339b16b48de9fc8a7362eb13116bdd29c5b

ee44ef6cf5cb0a8debae2adf18a33579
a4a386f2b911b7bb9fc3572935032bb56c9a5d85
c8d017c4f095b2f45623117d80433339b16b48de9fc8a7362eb13116bdd29c5b

3fb13db5928235fce3f6e65aa7ea4e86
83f6ef1b222ad55fd87967e3089f554a33ae5a06
be927665d2d44f0958b7c8070ea4cc77444cdfe3ada3d8398dd1cb8f6b9f6192

a8f265a5d767f40a942a93be4ace83f4
1aee982c67d3557dcb77989c36ff4c35115eb8c7
957da7450f57781ac32f3a7ff7dcb5c975f5039f7684482706f1cd2dc61bc732

ESET NOD32:
-----------

cfd37b81fd0dbc62653032a4166173ff
3c69c0e8979237bf4af66f4b93a7ada0d0d81211
e8853ba6967db030d54805899525ba20fb03c4b4786e1c1b97f1666e316052e3

440c492b01a8fb46a28d210345c180ed
d0db253944fdc24f81df3cd0c1fb63c1a700e240
8a3a6be38a55a341b2bba13bb4af453ca408edc29f1ee1f3f091e921250d28f1

02dc846a5388b9c3b6021208761e6f5a
600420f8f3c7d438533817d64e0bef92462a614e
5ad94d4d445d48f1ef5d87d492e0213c7af20bebb053621418375c09412d8e4a

b6f1955690dcfc804fae032216507430
65cf6c31c4c103c296c937520964d6dd7442d86f
f2401d9d3a5c3be0b9eec88eacf493ad6d83942ce0f566129cba929e398efc59

c52853d1d0ada84dd432aff2eacea04e
1f11427a3c5620dff36ef4056901bd3e1a209eeb
d51bbacd4b2b540266b793ee2735d729844c0476a648d3dd7fc683d6eef13db4

0107600c8612ff2ad4f22865768d407c
845391b0311305dadbed0aa41c2028e65516bfc1
40eb114d0b472d35850fcdde4bba6bdf36f067ba55a7c2df67d65dcaa4592dec

Norman Antivirus:
-----------------

fc7743cda0033f81d5c7d969542ea33b
0e4ffac982168a0aa73f529d830dc656a747a6dc
ca371fd64625efb50a0f3bb403bd922fc7081fc8966df7b0fd40b40586624188

a9bd4536a1966c0dde8ba718c658e854
f4adb4bfac96954a93c8e9d001630540af4a3fea
32caf66cd837949bfff32d4c2365cb3519d908e56dd3684e8ddc107ba25cc873

d5d020485df8ead5192042da9f32bb0d
95ead5b4fe26e5dff98a7fa95168f41713878f4c
e6a19e24893ad87a7c0c299f35fc2010af5a7a4a926e0fa5113946cb80dc1ea5

b9a8a5063abf31f53f6f7d2e35a8f7ee
3640d55abbd155ea22a2a68f9d15f27e5307a048
7cc06d3d8ceb341d6735c57c42288b067605a1fdeb8753729e4dddd0b435ad64

5397061f4268bdcc106ada8724d2cc21
3ddd04f4d4c2a1b2e91630ea909b74e9f8607554
9a9eec3f5fa24f1ccf7cf47effc0a5d1f5dad12e22b61c8e4a6552dc4345a4c1

13fc7553b8e2979942a95f6ff6f16f20
d74a4f36bead45008d826b3e2b5d9959a2394226
769ca66067e3fedff804f454a0b5a9d54dbf85f140de43b8c115f3f0bcdaf74a

40aefe65ef2371df256a5a17be5c08a2
dfc4110d62cb9a36f27b2269f3adfa1cee0ee190
17ff4d9f7dd44101544023dcd6554c2280f0cf2c779cb7a1f26717467eea25c7

7d9f52171e286d022e8c2605cab69db7
a2f3ef73dd41348131a4fc83bb269552c50e8a24
91c53eed8ab2e06e46d7e2d2f5fecfa65d29ec4cf9832b3b1690b724a25b10bf

Symantec Norton Antivirus:
--------------------------

05ee29971ad88e895fe3fbb2a931cb64
344724a09b87ebb0901b4a110855840440b5dd35
40494ee480bd1eb946a82d87cdbbad2a55471942b513c7986f1ef07a6a860de8

5aa3942cfb2854ace70434ffbbaf83ad
3b07b9cdbce21fa7c018ffe49ec3e4fb26898e7a
d9b0d079ee5d79d4791aed1465cf2b5cb69e953bfee6b39a51727bab6bfe0562

Panda Antivirus:
----------------

c1ef9b02aa230410db5384b60c43737f
6cdbec98c6b2dae754c835cddfd7510a27d6971d
c7d9e6b1b1a6a99d15bdbc199584a82629b8c2696e052835832c9cdba6575827

a086d36416b40da2556f708ec7839091
4dd0d6efea6335af8b49e76a8629cd575f56917a
9051df4e9eca261e051097a877aa68c3de568e85e24eb70c4424693018f9cbdb

fb2b41a7c8a25c835052ec788250c285
2583a038e47e85a9669f8bb944ccffcf11c21518
eeb614054a4cc99bb4aa3ac4b5f09f74c630a56ca7931a10b54a8f678eb59e67

Sophos Antivirus:
-----------------

ac07ed7520c4ff1ae93be01c2dc0a91b
69f941d81f8ed9d2a21ff7421d8f658b8bdef67a
60471004837929f83c0cd5fa58c51505d0182891b656216b67d2ffa3792371ac

e51333b8106e0cdc7c28e1d360470933
d3ea44047fde6792e0d451404133dfe37c2701ae
8363eb9f3db54839e10edbb5b0f0214425f42a5a67fa7a7f572d161dc6fe4ecb

1e33c49f7c86d23217f46927d17fcf84
75491f057ef1f7b69ef5431bf1a61ad0ff5765e8
68d66831aab022bac9e96e23ba8e1a55b49c392ed54fab9efe0f95d64ddb747c

Cheers,
Sergio

--
Sergio Alvarez
Security, Research & Development
IT Security Consultant
email: shadown at gmail.com

This message is confidential. It may also contain information that is privileged or otherwise legally exempt from disclosure. If you have received it by mistake please let us know by e-mail immediately and delete it from your system; you should also not copy the message nor disclose its contents to anyone. Many thanks.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20070506/f909eec6/attachment-0001.htm

From dave.aitel at gmail.com Sun May 6 20:27:24 2007
From: dave.aitel at gmail.com (Dave Aitel)
Date: Sun, 6 May 2007 20:27:24 -0400
Subject: [Dailydave] Vulnerabilities Hashes DB needed
In-Reply-To:
References:
Message-ID:

There's only one company in the whole world that says "buffer overrun" and that's Microsoft. Everyone else says "buffer overflow" which is more correct. I blame the Kiwi on Microsoft's insistence on using the wrong word here. But regardless, unmask.py has a field day on that sort of thing. :>

Anyways, if vendor monopoly disclosure annoys you, stop doing it. Why aggravate yourself by doing work for other people for free? Life is short. If all you really want is fame, then sell the bugs to whoever can get you the most fame fastest. Or just post them to the list.
And I don't think we need a separate hashes list, since dailydave or full disclosure works fine for that and, importantly, is mirrored all over the place. Alternatively, if you cc me the free 0day I'll tell everyone the date you sent it to me in a GPG signed email upon request.

When I was a kid, I played this card game named "Mao" obsessively for a few weeks in the summer, and then completely forgot about it until today. Mao is an Uno variant, played silently, and the point of the game is to deduce the rules of the game - rules which are essentially made up by the dealer or local culture. It's a fun game. You never see anyone playing it at hacker conventions, which surprises me. One of the standard rules, which I'll give away here, is that if you talk, you are penalized by having to draw a card. Of course, until you can deduce the rules, you end up drawing a lot of cards.

I guess my point is this: if you deal the cards, you can make the rules. Otherwise, silence is usually the best option.

-dave

http://en.wikipedia.org/wiki/Mao_(game)
(people who have not played Mao and plan to, should not read the rules, as it ruins the fun)

On 5/6/07, shadown wrote:
>
> [Moderator: I ask you to accept this mail, so that the comunity may come
> with a solution. Thanks in advance.]
>
> Hi,
>
> During the near past I have to confront some issues when reporting
> vulnerabilities to the vendors, I'm not going to disclose the vendor's names
> because is not the goal of this mail, but to become with a solution. I'm
> asking the researches comunity and whoever can help us to come with the best
> solution. In this mail I'll explain my reasons and what I think is the best
> solution (actually I've borow the idea from others) and ask the comunity if
> someone thinks that is a better one.
>
> Reasons:
> --------------
>
> 1- I've contacted with some vendor and after getting the right security
> contact to send the vulnerabilities I've sent the pgped PoC files. Then the
> vendor didn't come any more to me. After a month I've contacted the vendor
> again, the vendor said: 'oh, I didn't receive the mail'. I've resent the
> mail and the vendor replayed: 'I've tryed the PoC files and none of them
> worked, probably our internal testing team found them'. After receiving that
> answer from the vendor I've downloaded the software again and the
> vulnerabilities were fixed. I did a binary diffing to analyze OLD vs. NEW
> version and extraordinary...the bug I've reported + two other bugs where
> fixed, what was a bit suspicious. I've ask about this to the vendor and the
> vendor replayed the following:
>
> """
> It's hard to imagine that the respective fix would be directly related to
> your files because we haven't had them. Don't get me wrong, we have no
> problem crediting anyone who reports bugs to us, helping us to improve our
> software (just as we did e.g. in the case of version XXXXX where we
> credited XXX YYYY - see
> http://www. linktothecredit ) but I
> don't think this applies here, really...
>
> Sorry - maybe you can find some other overruns in the current build? (or,
> even better, in the build that's coming out in about a week - because that
> one has some new fixes in it, too [so it's theoretically possible you'd
> hit something that has already been fixed, too]).
> """
>
> This was the case with one vendor, and pretty similar situation with
> others. (ofcourse there were excelent comunication with some other vendors,
> but is out of the scope of the solution that I want to come with.)
>
> 2- There are some vendors that are really dificult to deal with. It took
> me about 4 months to get the right contact to report the bugs, and this
> would be another think to think about, A public 'Vendor's Vulnerability
> Reporting Contact DB/List'.
>
> As I do believe in responsible disclosure, I don't agree with 'giving up
> and launchin 0days' so that vendors eat their s**t, the following is what I
> think is the best solution for it.
>
> Solution:
> -------------
>
> First of all: I've taken this idea from matasano and Halvar, that were the
> ones I've seen that did this in the past.
> The main mailling list should create a 'Vulnerabilities Hashes mailing
> list' where the researches comunity can send the hashes of the PoC files
> just before they conctact the vendors. That way if the vendors do not give
> the proper credits to the researchers, at least the researches will have
> another proof to show that they were the ones that reported the
> vulnerabilities, and not just the mails they've crossed with the vendors.
>
> Final Comments:
> -------------------------
>
> I'm pretty sure that a lot of researches has this kind of problems in the
> past and this is really frustrating.
>
> *** I don't want this mail to end up being a: "Oh, yes, I have this
> problem with xxx", and so. Please don't do that because is NOT the goal of
> this mail. Just bring your ideas to improve this and to make this
> 'Vulnerability Hashes mailling list' to happen. ***
>
> The following is are the MD5, SHA-1 and SHA-256 hashes of the
> vulnerabilities that I'll be reporting to the vendors after sending and
> seeing the post in the mailling list. This is a verdors based hashes,
> because probably in some cases the PoC files behind this hashes may affect
> other vendors, but as I didn't try with other vendors I don't deserve the
> credits for the vendors that I didn't spot vulnerabilities, if other
> researcher finds the same bugs in other vendors, they are the ones that
> deserve the credits for that.
>
>
> AnhLab V3:
> ----------
>
> 65d9c1f2a9f3e7cf90e814ad27c7868b
> bf6460b08b07b9fdfc90e243e8c72b326b4070f4
> e766ac5bedb1144a8bb0426382aec5b58d9fcbf2ac560c321e474f57124c322b
>
> Avira Antivir:
> --------------
>
> 6be69d215a9abee4c5966243fbd074a2
> 34ad8cd7fd38a8c6af9d6e13bd2bbe72806ceee4
> 1094efa900cd1b0bcacbd38fa6ebee65bace529227512d25cdeede4dadbaef7b
>
> 770206b8b023069913315bc0ad15fa7f
> a1c5a301e1898e5749eb8bdb477f7ff786142a6d
> ecc1a63d3c7e1c21a6d92d8b5d7889038861bf09f43c5ab81d84ff6f3a9c166c
>
> cd180ca57fccb2611eded02789830803
> 25d610387e7a7c2a372e8cc612b495c3145e9768
> 6d4ddde75ecaddd0780420485d4a973cb1d9ba0df2c1fef15ca8a1a29d67f640
>
> c40a37cd215c7cca64310984b6b7a848
> 4c09a09683328f4a0a56f4ca523b5d25e4a9f618
> dbb89a4f297a050df445cb8a0e81b5753f32a4fe0d8b40f648572152215977da
>
> 76105c8caf97785c9fa330481b13713d
> 0ee01fa4ab0f9a3504201ce02a4c53547a8efbb4
> eae7a347cbd805bce87ca8303d4de98729034228a1a94b999c01bb132f4738f2
>
> AntivirusKit:
> -------------
>
> f308330ddc4fe26c0458a148f9594759
> 36a5feb922e8163be67a85018294d9e179cbcec7
> 6da70b2be86525ae5fc654cc293a44437ee6ca912668eff7501ef529a5be4196
>
> f9a42de55118798f2920a2b1072c8444
> f62f63ac4aee1295cbf7a636e13e5cba7f6474a5
> 8d8be8e6bd765c8822696d2af58f53f386987129c7ceca43f051f026d4073a7a
>
> 56865f1768d2a646ce0e9e8d436ec67b
> 0dfcb3a5c004665821f58afe3ddc7aca52411919
> fd66434954edd4e07265660a37be5737e08414b033901905e5e535a4431aee7b
>
> 6511e2fdc0f721a47c4e8a1d626108f2
> 9fc5010703bcccdab67f4c61b2144f06c1ed6679
> 0c42ceba2e181cc943a330ea7d9e9ed7b05cb2602b50c10693ab3515d0d3776c
>
> e2927d23417de42c00f6570179fa0ab4
> 5a654b60b4e5d7b971393993bf74bff6b7babf4c
> a0b47cb536e58f060fd193e44cad1c282964bf02d743eeb375496d96e9852492
>
> e29cf7b7613bfdbb9a0c1b4114527251
> 712e1835f88a75b50b902b5aeb8c63199d634da8
> 0b8b843e0e123464275b75fd1d21a808233389204df10accca0d9b29884d8c27
>
> 99558b6186c3af5415dac0488b0f4a0d
> fb6504beb4934e9c4656121d0efd224b3e12da04
> b339d6e1ea6d76a297b691b989a650c47392d063a7ee8394ac3a104e831cd97b
>
> 136eeda72cff4ce605424dd4566b5c5b
> d79e8ece11468fffadd9ce0f24d6904544882979
> 2fb06f226571cb9f097d2ebcdef89898d70033bdd092233fea048fb345d318ad
>
> a8f265a5d767f40a942a93be4ace83f4
> 1aee982c67d3557dcb77989c36ff4c35115eb8c7
> 957da7450f57781ac32f3a7ff7dcb5c975f5039f7684482706f1cd2dc61bc732
>
> Avast Antivirus:
> ----------------
>
> 24b53bacfa2f6aeba6226466d6a96758
> 7bccb6233ae8356928f49ece594af2ec05654ec7
> e07652d14834e267a661892a240be7185035942224c9386e68cbdeb1e636369a
>
> df88c0d9489a877eca251f6977f07d0b
> dca5faa757d3a7d72bf37873db8dae7e0f002cd1
> 65271e3d3a5e4f70f337b19b661f8ed5521777715c3c7223c5bde05f5ab826b9
>
> 649666668e1f0a219c0bd9619aff5d91
> 839c714d4b28bf903c6ccd0b1b7a6fdf5c46c01a
> 41c263ea1ce75411792f5853c8c02bf1ccf06708f09cd874490ef11623b85d55
>
> 0f16d47de15ebbcd30ecad2b3ba9aea2
> 51f859523e3d1d7eb8549ac27bc0ce292dfb940d
> 54806f6d3c6d193ea874057bc1d04e403c99c51fcf46dacbf3fdffc8a7033244
>
> f1f4ac1d188c020f8e9a651555279227
> dd2cd2fafe3d98b099a7504bd94089c1deec680a
> cb5e46bb6abe10a8bc35dbb24991770f6433d7b5981998604164bb43ec2676bc
>
> 4696e1bb5e73620c6e715d9c727ac7f6
> a240b8bdd748a15ef6e451e4a327258367e7c07c
> 2181db5345a3d04c83cbf5ca8442fecfeb1f3825ec0a7516f07eaebd03ee234a
>
> 40a82d15fcb2cd982fde52b5d90e7d49
> b5248dd45ff405a0c75e7771c25ce1d8cdc2dfd2
> cdedcb945de7855b9ff791ce1d0dff0bacccd715eaf61942676b4153f9783cda
>
> df519bca64476f0f7e0a973c31e0828a
> b46ac3f62a1dd0b9f1dc99d822913cd588f6ee68
> 003f657a4451b1e34de81862af10eac5cb25950406925e1f837ffc5f2ff2d4a3
>
> 193a39e6e57c5fe1e673cd60fc9f838d
> d2bdb2e33a3c0922918d0badbec70d830228586c
> dcbeefec4bb40fc39523284073ef5d1f6773786e286949d588e182de490ed74f
>
> 835899502d90cf4a435aa4392b2b03f4
> ec81ee8d7239a89346e1e17ad4f018da180d5310
> b019d4dcfd6db786ee13ed80f6e90b0faeb23f90b8dcb1061a718f9446e39e22
>
> 2ec5e7d881bd4792fe63992a052aa054
> 3bc58e9f7f1d9efc2d2a599b430ca745b810fbcc
>
bd5d5e96fc091a21ac3c1e1e24276fb22cd42dc7b56569de23811ab7196df5e1 > > df519bca64476f0f7e0a973c31e0828a > b46ac3f62a1dd0b9f1dc99d822913cd588f6ee68 > 003f657a4451b1e34de81862af10eac5cb25950406925e1f837ffc5f2ff2d4a3 > > 193a39e6e57c5fe1e673cd60fc9f838d > d2bdb2e33a3c0922918d0badbec70d830228586c > dcbeefec4bb40fc39523284073ef5d1f6773786e286949d588e182de490ed74f > > 835899502d90cf4a435aa4392b2b03f4 > ec81ee8d7239a89346e1e17ad4f018da180d5310 > b019d4dcfd6db786ee13ed80f6e90b0faeb23f90b8dcb1061a718f9446e39e22 > > 2ec5e7d881bd4792fe63992a052aa054 > 3bc58e9f7f1d9efc2d2a599b430ca745b810fbcc > bd5d5e96fc091a21ac3c1e1e24276fb22cd42dc7b56569de23811ab7196df5e1 > > 7f1dfbef6cbb128480a89c518ef5e7b6 > 86dfabefece6ced61521cca7a8d573214bacc61d > abf0a439abadd50cf7871e14f7b0fecf6d24b0257679e186b4a8cfa5c95db26f > > 2c799b6dd1a95ac3f7ae9cb6550145ef > e509214a69108485821a370d48a22ae519feda42 > fc204ac5f18b04a36570273035300004d16ab38b990e7c699743f4bbe1c8cd73 > > 8505d6f3bb638c47a51c1e954945219d > 0923321102a3a6ef606a54ea6375118e5003e7d2 > f5103f808ba9e227ebf8f16f361a1710f6f083757d56d40a2c6dcd64f4578499 > > Grisoft AVG: > ------------ > > 7ed40b565903c3788157f1b7facd3e8c > d95141a18c0d49e3ef4da4ae4164460c04df571a > 018f888c8f9a280c2a546d70646cfdfb002127f786777036190227f82438e99f > > 4cf5ea82eeb3526584bbc0e648859f28 > 4872d5a93ce3caafd2398b948a17c535fe1c178d > fc528e338ff779041cd7d43d5175461cbec51476bc83bab993930c894b4ab27f > > 3f30645d19a29120e3ed6667023f9b26 > d8e468bb9b6d224e322a08e6b813d9a891a7a37c > e88ad4becf6ba0917e9187b7dcc907e2f0d1789e71dd8328f455662405afcacc > > 9723df4678b88056e18727fadfc523f5 > 21823e87f72ae6268f67f27dda6e1fd97162baa0 > 22c7987f4c9f0ae996e322547afd8f70dd0c1e579bebd9505d1d8106c6a8c47f > > CA eTrust: > ---------- > > b1ad7836c4c5f13acd39a7554cb4a74c > b21fdf4ac22cb040ceb060a5ce9369344a012ea5 > 3c39bf686d8cfa8d5901c10b6faff8e15f53eb5a7b09226893c5ec0add63e819 > > bb41ecd6340ddadf1b342569f545e0b3 > 38405393b9145bf92c3ce2b9f887bbb200578c15 > 
cc933471d8a8c1ff2216209b5063b5ebc77e86846d0b5d4809763af1277fcf93 > > 830b9443c1d9a2c3a3c22a61e141ff67 > a5eb5a4bfab519db6db1270dda12a3eed36e99e6 > ef3a5733a48728564781c3d5d7bf364f7c6b8c2dc9f62fbf7abd07c361e1078b > > e29cf7b7613bfdbb9a0c1b4114527251 > 712e1835f88a75b50b902b5aeb8c63199d634da8 > 0b8b843e0e123464275b75fd1d21a808233389204df10accca0d9b29884d8c27 > > F-Secure Antivirus: > ------------------- > > 8029afc917c99b76211376677bec7025 > 0e8b7674771c1cbd8860f73b1ce53aa88720c7d3 > 107b3efdeab6e622cc164c4cdde5366ca1d4aac7e263217e0b41c7dcbff3b025 > > 2c4c3f6b89c7c395842b41a697cad411 > b7d769358b594770d392bd57cbc9e56ece99b422 > 548b4b246be5ed4cf962d556c20c96c35994269f06b5ddedd7aa7e7248e9e250 > > 657d39f36ac3f09f46ec30ed25a66a48 > 3ca8a75f157cecb89ab8a9cf29b5589536428d50 > 1fd43a88cf07ef8f5f1f35f656fbb08b2d16ad273363e88fa2efe4a056937f4a > > d27a2fb4a40b785e25a450bb3acfd793 > 6b1d6d0754711ff5bafd84b1ed5a9ceeb88f3a53 > e50e14059f17895efcfb7f60ff0be061cf49fa4a288c63ec494991555667da32 > > McAfee VirusScan: > ----------------- > > a8f265a5d767f40a942a93be4ace83f4 > 1aee982c67d3557dcb77989c36ff4c35115eb8c7 > 957da7450f57781ac32f3a7ff7dcb5c975f5039f7684482706f1cd2dc61bc732 > > ee44ef6cf5cb0a8debae2adf18a33579 > a4a386f2b911b7bb9fc3572935032bb56c9a5d85 > c8d017c4f095b2f45623117d80433339b16b48de9fc8a7362eb13116bdd29c5b > > ee44ef6cf5cb0a8debae2adf18a33579 > a4a386f2b911b7bb9fc3572935032bb56c9a5d85 > c8d017c4f095b2f45623117d80433339b16b48de9fc8a7362eb13116bdd29c5b > > 3fb13db5928235fce3f6e65aa7ea4e86 > 83f6ef1b222ad55fd87967e3089f554a33ae5a06 > be927665d2d44f0958b7c8070ea4cc77444cdfe3ada3d8398dd1cb8f6b9f6192 > > a8f265a5d767f40a942a93be4ace83f4 > 1aee982c67d3557dcb77989c36ff4c35115eb8c7 > 957da7450f57781ac32f3a7ff7dcb5c975f5039f7684482706f1cd2dc61bc732 > > ESET NOD32: > ----------- > > cfd37b81fd0dbc62653032a4166173ff > 3c69c0e8979237bf4af66f4b93a7ada0d0d81211 > e8853ba6967db030d54805899525ba20fb03c4b4786e1c1b97f1666e316052e3 > > 440c492b01a8fb46a28d210345c180ed > 
d0db253944fdc24f81df3cd0c1fb63c1a700e240 > 8a3a6be38a55a341b2bba13bb4af453ca408edc29f1ee1f3f091e921250d28f1 > > 02dc846a5388b9c3b6021208761e6f5a > 600420f8f3c7d438533817d64e0bef92462a614e > 5ad94d4d445d48f1ef5d87d492e0213c7af20bebb053621418375c09412d8e4a > > b6f1955690dcfc804fae032216507430 > 65cf6c31c4c103c296c937520964d6dd7442d86f > f2401d9d3a5c3be0b9eec88eacf493ad6d83942ce0f566129cba929e398efc59 > > c52853d1d0ada84dd432aff2eacea04e > 1f11427a3c5620dff36ef4056901bd3e1a209eeb > d51bbacd4b2b540266b793ee2735d729844c0476a648d3dd7fc683d6eef13db4 > > 0107600c8612ff2ad4f22865768d407c > 845391b0311305dadbed0aa41c2028e65516bfc1 > 40eb114d0b472d35850fcdde4bba6bdf36f067ba55a7c2df67d65dcaa4592dec > > Norman Antivirus: > ----------------- > > fc7743cda0033f81d5c7d969542ea33b > 0e4ffac982168a0aa73f529d830dc656a747a6dc > ca371fd64625efb50a0f3bb403bd922fc7081fc8966df7b0fd40b40586624188 > > a9bd4536a1966c0dde8ba718c658e854 > f4adb4bfac96954a93c8e9d001630540af4a3fea > 32caf66cd837949bfff32d4c2365cb3519d908e56dd3684e8ddc107ba25cc873 > > d5d020485df8ead5192042da9f32bb0d > 95ead5b4fe26e5dff98a7fa95168f41713878f4c > e6a19e24893ad87a7c0c299f35fc2010af5a7a4a926e0fa5113946cb80dc1ea5 > > b9a8a5063abf31f53f6f7d2e35a8f7ee > 3640d55abbd155ea22a2a68f9d15f27e5307a048 > 7cc06d3d8ceb341d6735c57c42288b067605a1fdeb8753729e4dddd0b435ad64 > > 5397061f4268bdcc106ada8724d2cc21 > 3ddd04f4d4c2a1b2e91630ea909b74e9f8607554 > 9a9eec3f5fa24f1ccf7cf47effc0a5d1f5dad12e22b61c8e4a6552dc4345a4c1 > > 13fc7553b8e2979942a95f6ff6f16f20 > d74a4f36bead45008d826b3e2b5d9959a2394226 > 769ca66067e3fedff804f454a0b5a9d54dbf85f140de43b8c115f3f0bcdaf74a > > 40aefe65ef2371df256a5a17be5c08a2 > dfc4110d62cb9a36f27b2269f3adfa1cee0ee190 > 17ff4d9f7dd44101544023dcd6554c2280f0cf2c779cb7a1f26717467eea25c7 > > 7d9f52171e286d022e8c2605cab69db7 > a2f3ef73dd41348131a4fc83bb269552c50e8a24 > 91c53eed8ab2e06e46d7e2d2f5fecfa65d29ec4cf9832b3b1690b724a25b10bf > > Symantec Norton Antivirus: > -------------------------- > > 
05ee29971ad88e895fe3fbb2a931cb64 > 344724a09b87ebb0901b4a110855840440b5dd35 > 40494ee480bd1eb946a82d87cdbbad2a55471942b513c7986f1ef07a6a860de8 > > 5aa3942cfb2854ace70434ffbbaf83ad > 3b07b9cdbce21fa7c018ffe49ec3e4fb26898e7a > d9b0d079ee5d79d4791aed1465cf2b5cb69e953bfee6b39a51727bab6bfe0562 > > Panda Antivirus: > ---------------- > > c1ef9b02aa230410db5384b60c43737f > 6cdbec98c6b2dae754c835cddfd7510a27d6971d > c7d9e6b1b1a6a99d15bdbc199584a82629b8c2696e052835832c9cdba6575827 > > a086d36416b40da2556f708ec7839091 > 4dd0d6efea6335af8b49e76a8629cd575f56917a > 9051df4e9eca261e051097a877aa68c3de568e85e24eb70c4424693018f9cbdb > > fb2b41a7c8a25c835052ec788250c285 > 2583a038e47e85a9669f8bb944ccffcf11c21518 > eeb614054a4cc99bb4aa3ac4b5f09f74c630a56ca7931a10b54a8f678eb59e67 > > Sophos Antivirus: > ----------------- > > ac07ed7520c4ff1ae93be01c2dc0a91b > 69f941d81f8ed9d2a21ff7421d8f658b8bdef67a > 60471004837929f83c0cd5fa58c51505d0182891b656216b67d2ffa3792371ac > > e51333b8106e0cdc7c28e1d360470933 > d3ea44047fde6792e0d451404133dfe37c2701ae > 8363eb9f3db54839e10edbb5b0f0214425f42a5a67fa7a7f572d161dc6fe4ecb > > 1e33c49f7c86d23217f46927d17fcf84 > 75491f057ef1f7b69ef5431bf1a61ad0ff5765e8 > 68d66831aab022bac9e96e23ba8e1a55b49c392ed54fab9efe0f95d64ddb747c > Cheers, > Sergio > > -- > Sergio Alvarez > Security, Research & Development > IT Security Consultant > email: shadown at gmail.com > > This message is confidential. It may also contain information that is > privileged or otherwise legally exempt from disclosure. If you have received > it by mistake please let us know by e-mail immediately and delete it from > your system; should also not copy the message nor disclose its contents to > anyone. Many thanks. > > > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave > > -------------- next part -------------- An HTML attachment was scrubbed... 
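Editor's note on the proposal quoted above: publishing the MD5/SHA-1/SHA-256 of each PoC file before contacting the vendor, then revealing the file only when credit is disputed, is a hash commitment, and the list archive's own timestamp is what anchors it in time (Dave's GPG-signed-date alternative serves the same purpose). The following is an added example, not code from the post or from anyone on the list, that builds a manifest in the post's layout, parses one back (mail quote markers included), verifies a revealed file against its published triple, and flags triples listed under more than one vendor, which the post's own list contains (the same file reported to several vendors). The vendor names and file contents are constructed for the example.

```python
# Added example: a hash-commitment helper for proof-of-concept files.
# Not part of the original post or of any list member's tooling; the file
# contents, vendor names and manifest text below are constructed here.
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Commitment:
    """MD5, SHA-1 and SHA-256 hex digests of one file, in the post's order."""
    md5: str
    sha1: str
    sha256: str


def commit(data: bytes) -> Commitment:
    """Compute the three digests the post publishes for each PoC file."""
    return Commitment(
        hashlib.md5(data).hexdigest(),
        hashlib.sha1(data).hexdigest(),
        hashlib.sha256(data).hexdigest(),
    )


def verify(data: bytes, c: Commitment) -> bool:
    """True only if the revealed file matches every published digest."""
    actual = commit(data)
    # The digests are public, so timing is not a concern here; compare_digest
    # is simply the habit to keep whenever digests are compared.
    return (hmac.compare_digest(actual.md5, c.md5)
            and hmac.compare_digest(actual.sha1, c.sha1)
            and hmac.compare_digest(actual.sha256, c.sha256))


def format_manifest(sections: dict[str, list[bytes]]) -> str:
    """Render commitments in the post's layout: vendor header, dashed
    underline, then one blank-line-separated digest triple per file."""
    out = []
    for vendor, files in sections.items():
        out.append(f"{vendor}:")
        out.append("-" * (len(vendor) + 1))
        for data in files:
            c = commit(data)
            out += ["", c.md5, c.sha1, c.sha256]
        out.append("")
    return "\n".join(out)


_DIGEST_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = set("0123456789abcdef")


def parse_manifest(text: str) -> dict[str, list[Commitment]]:
    """Parse a manifest in the post's layout back into commitments.

    Every non-empty, non-dashed line is a vendor header ("Name:") or a hex
    digest; digests must arrive in MD5, SHA-1, SHA-256 order. Leading mail
    quote markers ("> ", ">> ") are stripped so a quoted copy parses too.
    """
    sections: dict[str, list[Commitment]] = {}
    vendor = None
    pending: list[str] = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line or set(line) == {"-"}:
            continue
        if line.endswith(":"):
            if pending:
                raise ValueError(f"incomplete digest triple before {line!r}")
            vendor = line[:-1]
            sections.setdefault(vendor, [])
            continue
        if vendor is None:
            raise ValueError("digest before any vendor header")
        expected = ("md5", "sha1", "sha256")[len(pending)]
        line = line.lower()
        if _DIGEST_BY_LEN.get(len(line)) != expected or not set(line) <= _HEX:
            raise ValueError(f"expected {expected} digest, got {line!r}")
        pending.append(line)
        if len(pending) == 3:
            sections[vendor].append(Commitment(*pending))
            pending = []
    if pending:
        raise ValueError("manifest ends with an incomplete digest triple")
    return sections


def shared_across_vendors(sections: dict[str, list[Commitment]]) -> dict[Commitment, list[str]]:
    """Commitments that appear under more than one vendor header."""
    seen: dict[Commitment, list[str]] = {}
    for vendor, commitments in sections.items():
        for c in commitments:
            vendors = seen.setdefault(c, [])
            if vendor not in vendors:
                vendors.append(vendor)
    return {c: v for c, v in seen.items() if len(v) > 1}


# Constructed sample inputs: stand-ins for PoC files, not real test cases.
SAMPLE_FILES = {
    "Vendor A": [b"constructed PoC 1: malformed header\x00\xff", b"constructed PoC 2"],
    "Vendor B": [b"constructed PoC 1: malformed header\x00\xff"],  # same file, second vendor
}

if __name__ == "__main__":
    manifest = format_manifest(SAMPLE_FILES)
    print(manifest)
    for c, vendors in shared_across_vendors(parse_manifest(manifest)).items():
        print("shared:", c.sha256[:16], "->", ", ".join(vendors))
```

Two caveats a practitioner would attach to the scheme: a published triple proves possession only as of the date a third party (the list archive) recorded it, so the value lies in the archive being public and mirrored, not in the hashes themselves; and since MD5 and SHA-1 are no longer collision-resistant, the SHA-256 entry is the one that actually carries the proof. A file whose content is short or guessable can also be recovered from its digest by brute force, so a random nonce stored alongside the file and hashed with it keeps the commitment from leaking anything before the reveal.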
URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20070506/9f755816/attachment-0001.htm From shadown at gmail.com Mon May 7 02:05:44 2007 From: shadown at gmail.com (shadown) Date: Mon, 07 May 2007 08:05:44 +0200 Subject: [Dailydave] Vulnerabilities Hashes DB needed In-Reply-To: References: Message-ID: <463EC1B8.2000602@gmail.com> Hi Dave, It wasn't Microsoft this time, it seems they are not the only ones that call a 'buffer overflow' a 'buffer overrun' :) About the 0days thing, I think that from time to time people have to report some stuff and you well know that there are so many 0days out there, more 0days than reported vulnerabilities. This game Mao sounds like fun, so I won't read the rules. :), the problem is that somebody will have to, otherwise there won't be a game to play :( Cheers, Sergio Dave Aitel wrote: > There's only one company in the whole world that says "buffer overrun" and > that's Microsoft. Everyone else says "buffer overflow" which is more > correct. I blame the Kiwi on Microsoft's insistence on using the wrong word > here. But regardless, unmask.py has a field day on that sort of thing. :> > > Anyways, if vendor monopoly disclosure annoys you, stop doing it. Why > aggravate yourself by doing work for other people for free? Life is short. > If all you really want is fame, then sell the bugs to whoever can get you > the most fame fastest. Or just post them to the list. And I don't think we > need a separate hashes list, since dailydave or full disclosure works fine > for that and, importantly, is mirrored all over the place. > Alternatively, if > you cc me the free 0day I'll tell everyone the date you sent it to me in a > GPG signed email upon request. > > When I was a kid, I played this card game named "Mao" obsessively for a few > weeks in the summer, and then completely forgot about it until today. 
> Mao is > an Uno variant, played silently, and the point of the game is to deduce the > rules of the game - rules which are essentially made up by the dealer or > local culture. It's a fun game. You never see anyone playing it at hacker > conventions, which surprises me. One of the standard rules, which I'll give > away here, is that if you talk, you are penalized by having to draw a card. > Of course, until you can deduce the rules, you end up drawing a lot of > cards. > > I guess my point is this: if you deal the cards, you can make the rules. > Otherwise, silence is usually the best option. > > -dave > http://en.wikipedia.org/wiki/Mao_(game) (people who have not played Mao and > plan to, should not read the rules, as it ruins the fun) > > > On 5/6/07, shadown wrote: >> >> [Moderator: I ask you to accept this mail, so that the community may come >> up with a solution. Thanks in advance.] >> >> Hi, >> >> During the near past I have had to confront some issues when reporting >> vulnerabilities to the vendors, I'm not going to disclose the vendors' >> names >> because that is not the goal of this mail, but to come up with a solution. I'm >> asking the researchers community and whoever can help us to come up with >> the best >> solution. In this mail I'll explain my reasons and what I think is the >> best >> solution (actually I've borrowed the idea from others) and ask the >> community if >> someone thinks that there is a better one. >> >> Reasons: >> -------------- >> >> 1- I've contacted some vendors and after getting the right security >> contact to send the vulnerabilities I've sent the pgped PoC files. >> Then the >> vendor didn't come any more to me. After a month I've contacted the >> vendor >> again, the vendor said: 'oh, I didn't receive the mail'. I've resent the >> mail and the vendor replied: 'I've tried the PoC files and none of them >> worked, probably our internal testing team found them'. 
After >> receiving that >> answer from the vendor I've downloaded the software again and the >> vulnerabilities were fixed. I did a binary diffing to analyze OLD vs. NEW >> version and extraordinary...the bug I've reported + two other bugs were >> fixed, which was a bit suspicious. I've asked about this to the vendor >> and the >> vendor replied the following: >> >> """ >> It's hard to imagine that the respective fix would be directly >> related to >> your files because we haven't had them. Don't get me wrong, we have no >> problem crediting anyone who reports bugs to us, helping us to improve >> our >> >> software (just as we did e.g. in the case of version XXXXX where we >> credited XXX YYYY - see >> http://www. linktothecredit ) but I >> don't think this applies here, really... >> >> Sorry - maybe you can find some other overruns in the current build? (or, >> even better, in the build that's coming out in about a week - because >> that >> >> one has some new fixes in it, too [so it's theoretically possible you'd >> hit >> something that has already been fixed, too]). >> """ >> >> This was the case with one vendor, and a pretty similar situation with >> others. (Of course there was excellent communication with some other >> vendors, >> but that is out of the scope of the solution that I want to come up with.) >> 2- There are some vendors that are really difficult to deal with. It took >> me about 4 months to get the right contact to report the bugs, and this >> would be another thing to think about: a public 'Vendor's Vulnerability >> Reporting Contact DB/List'. >> >> As I do believe in responsible disclosure, I don't agree with 'giving up >> and launching 0days' so that vendors eat their s**t, the following is >> what I >> think is the best solution for it. >> >> Solution: >> ------------- >> >> First of all: I've taken this idea from matasano and Halvar, that were >> the >> ones I've seen that did this in the past. 
>> The main mailing list should create a 'Vulnerabilities Hashes mailing >> list' where the researchers community can send the hashes of the PoC files >> just before they contact the vendors. That way if the vendors do not >> give >> the proper credits to the researchers, at least the researchers will have >> another proof to show that they were the ones that reported the >> vulnerabilities, and not just the mails they've crossed with the vendors. >> >> Final Comments: >> ------------------------- >> >> I'm pretty sure that a lot of researchers have had this kind of problems in the >> past and this is really frustrating. >> >> *** I don't want this mail to end up being a: "Oh, yes, I have this >> problem with xxx", and so on. Please don't do that because it is NOT the >> goal of >> this mail. Just bring your ideas to improve this and to make this >> 'Vulnerability Hashes mailing list' happen. *** >> >> The following are the MD5, SHA-1 and SHA-256 hashes of the >> vulnerabilities that I'll be reporting to the vendors after sending and >> seeing the post in the mailing list. These are vendor-based hashes, >> because probably in some cases the PoC files behind these hashes may >> affect >> other vendors, but as I didn't try with other vendors I don't deserve the >> credits for the vendors where I didn't spot vulnerabilities; if other >> researchers find the same bugs in other vendors, they are the ones that >> deserve the credits for that. 
>> >> >> AnhLab V3: >> ---------- >> >> 65d9c1f2a9f3e7cf90e814ad27c7868b >> bf6460b08b07b9fdfc90e243e8c72b326b4070f4 >> e766ac5bedb1144a8bb0426382aec5b58d9fcbf2ac560c321e474f57124c322b >> >> Avira Antivir: >> -------------- >> >> 6be69d215a9abee4c5966243fbd074a2 >> 34ad8cd7fd38a8c6af9d6e13bd2bbe72806ceee4 >> 1094efa900cd1b0bcacbd38fa6ebee65bace529227512d25cdeede4dadbaef7b >> >> 770206b8b023069913315bc0ad15fa7f >> a1c5a301e1898e5749eb8bdb477f7ff786142a6d >> ecc1a63d3c7e1c21a6d92d8b5d7889038861bf09f43c5ab81d84ff6f3a9c166c >> >> cd180ca57fccb2611eded02789830803 >> 25d610387e7a7c2a372e8cc612b495c3145e9768 >> 6d4ddde75ecaddd0780420485d4a973cb1d9ba0df2c1fef15ca8a1a29d67f640 >> >> c40a37cd215c7cca64310984b6b7a848 >> 4c09a09683328f4a0a56f4ca523b5d25e4a9f618 >> dbb89a4f297a050df445cb8a0e81b5753f32a4fe0d8b40f648572152215977da >> >> 76105c8caf97785c9fa330481b13713d >> 0ee01fa4ab0f9a3504201ce02a4c53547a8efbb4 >> eae7a347cbd805bce87ca8303d4de98729034228a1a94b999c01bb132f4738f2 >> >> AntivirusKit: >> ------------- >> >> f308330ddc4fe26c0458a148f9594759 >> 36a5feb922e8163be67a85018294d9e179cbcec7 >> 6da70b2be86525ae5fc654cc293a44437ee6ca912668eff7501ef529a5be4196 >> >> f9a42de55118798f2920a2b1072c8444 >> f62f63ac4aee1295cbf7a636e13e5cba7f6474a5 >> 8d8be8e6bd765c8822696d2af58f53f386987129c7ceca43f051f026d4073a7a >> >> 56865f1768d2a646ce0e9e8d436ec67b >> 0dfcb3a5c004665821f58afe3ddc7aca52411919 >> fd66434954edd4e07265660a37be5737e08414b033901905e5e535a4431aee7b >> >> 6511e2fdc0f721a47c4e8a1d626108f2 >> 9fc5010703bcccdab67f4c61b2144f06c1ed6679 >> 0c42ceba2e181cc943a330ea7d9e9ed7b05cb2602b50c10693ab3515d0d3776c >> >> e2927d23417de42c00f6570179fa0ab4 >> 5a654b60b4e5d7b971393993bf74bff6b7babf4c >> a0b47cb536e58f060fd193e44cad1c282964bf02d743eeb375496d96e9852492 >> >> e29cf7b7613bfdbb9a0c1b4114527251 >> 712e1835f88a75b50b902b5aeb8c63199d634da8 >> 0b8b843e0e123464275b75fd1d21a808233389204df10accca0d9b29884d8c27 >> >> 99558b6186c3af5415dac0488b0f4a0d >> 
fb6504beb4934e9c4656121d0efd224b3e12da04 >> b339d6e1ea6d76a297b691b989a650c47392d063a7ee8394ac3a104e831cd97b >> >> 136eeda72cff4ce605424dd4566b5c5b >> d79e8ece11468fffadd9ce0f24d6904544882979 >> 2fb06f226571cb9f097d2ebcdef89898d70033bdd092233fea048fb345d318ad >> >> a8f265a5d767f40a942a93be4ace83f4 >> 1aee982c67d3557dcb77989c36ff4c35115eb8c7 >> 957da7450f57781ac32f3a7ff7dcb5c975f5039f7684482706f1cd2dc61bc732 >> >> Avast Antivirus: >> ---------------- >> >> 24b53bacfa2f6aeba6226466d6a96758 >> 7bccb6233ae8356928f49ece594af2ec05654ec7 >> e07652d14834e267a661892a240be7185035942224c9386e68cbdeb1e636369a >> >> df88c0d9489a877eca251f6977f07d0b >> dca5faa757d3a7d72bf37873db8dae7e0f002cd1 >> 65271e3d3a5e4f70f337b19b661f8ed5521777715c3c7223c5bde05f5ab826b9 >> >> 649666668e1f0a219c0bd9619aff5d91 >> 839c714d4b28bf903c6ccd0b1b7a6fdf5c46c01a >> 41c263ea1ce75411792f5853c8c02bf1ccf06708f09cd874490ef11623b85d55 >> >> 0f16d47de15ebbcd30ecad2b3ba9aea2 >> 51f859523e3d1d7eb8549ac27bc0ce292dfb940d >> 54806f6d3c6d193ea874057bc1d04e403c99c51fcf46dacbf3fdffc8a7033244 >> >> f1f4ac1d188c020f8e9a651555279227 >> dd2cd2fafe3d98b099a7504bd94089c1deec680a >> cb5e46bb6abe10a8bc35dbb24991770f6433d7b5981998604164bb43ec2676bc >> >> 4696e1bb5e73620c6e715d9c727ac7f6 >> a240b8bdd748a15ef6e451e4a327258367e7c07c >> 2181db5345a3d04c83cbf5ca8442fecfeb1f3825ec0a7516f07eaebd03ee234a >> >> 40a82d15fcb2cd982fde52b5d90e7d49 >> b5248dd45ff405a0c75e7771c25ce1d8cdc2dfd2 >> cdedcb945de7855b9ff791ce1d0dff0bacccd715eaf61942676b4153f9783cda >> >> df519bca64476f0f7e0a973c31e0828a >> b46ac3f62a1dd0b9f1dc99d822913cd588f6ee68 >> 003f657a4451b1e34de81862af10eac5cb25950406925e1f837ffc5f2ff2d4a3 >> >> 193a39e6e57c5fe1e673cd60fc9f838d >> d2bdb2e33a3c0922918d0badbec70d830228586c >> dcbeefec4bb40fc39523284073ef5d1f6773786e286949d588e182de490ed74f >> >> 835899502d90cf4a435aa4392b2b03f4 >> ec81ee8d7239a89346e1e17ad4f018da180d5310 >> b019d4dcfd6db786ee13ed80f6e90b0faeb23f90b8dcb1061a718f9446e39e22 >> >> 
2ec5e7d881bd4792fe63992a052aa054 >> 3bc58e9f7f1d9efc2d2a599b430ca745b810fbcc >> bd5d5e96fc091a21ac3c1e1e24276fb22cd42dc7b56569de23811ab7196df5e1 >> >> df519bca64476f0f7e0a973c31e0828a >> b46ac3f62a1dd0b9f1dc99d822913cd588f6ee68 >> 003f657a4451b1e34de81862af10eac5cb25950406925e1f837ffc5f2ff2d4a3 >> >> 193a39e6e57c5fe1e673cd60fc9f838d >> d2bdb2e33a3c0922918d0badbec70d830228586c >> dcbeefec4bb40fc39523284073ef5d1f6773786e286949d588e182de490ed74f >> >> 835899502d90cf4a435aa4392b2b03f4 >> ec81ee8d7239a89346e1e17ad4f018da180d5310 >> b019d4dcfd6db786ee13ed80f6e90b0faeb23f90b8dcb1061a718f9446e39e22 >> >> 2ec5e7d881bd4792fe63992a052aa054 >> 3bc58e9f7f1d9efc2d2a599b430ca745b810fbcc >> bd5d5e96fc091a21ac3c1e1e24276fb22cd42dc7b56569de23811ab7196df5e1 >> >> 7f1dfbef6cbb128480a89c518ef5e7b6 >> 86dfabefece6ced61521cca7a8d573214bacc61d >> abf0a439abadd50cf7871e14f7b0fecf6d24b0257679e186b4a8cfa5c95db26f >> >> 2c799b6dd1a95ac3f7ae9cb6550145ef >> e509214a69108485821a370d48a22ae519feda42 >> fc204ac5f18b04a36570273035300004d16ab38b990e7c699743f4bbe1c8cd73 >> >> 8505d6f3bb638c47a51c1e954945219d >> 0923321102a3a6ef606a54ea6375118e5003e7d2 >> f5103f808ba9e227ebf8f16f361a1710f6f083757d56d40a2c6dcd64f4578499 >> >> Grisoft AVG: >> ------------ >> >> 7ed40b565903c3788157f1b7facd3e8c >> d95141a18c0d49e3ef4da4ae4164460c04df571a >> 018f888c8f9a280c2a546d70646cfdfb002127f786777036190227f82438e99f >> >> 4cf5ea82eeb3526584bbc0e648859f28 >> 4872d5a93ce3caafd2398b948a17c535fe1c178d >> fc528e338ff779041cd7d43d5175461cbec51476bc83bab993930c894b4ab27f >> >> 3f30645d19a29120e3ed6667023f9b26 >> d8e468bb9b6d224e322a08e6b813d9a891a7a37c >> e88ad4becf6ba0917e9187b7dcc907e2f0d1789e71dd8328f455662405afcacc >> >> 9723df4678b88056e18727fadfc523f5 >> 21823e87f72ae6268f67f27dda6e1fd97162baa0 >> 22c7987f4c9f0ae996e322547afd8f70dd0c1e579bebd9505d1d8106c6a8c47f >> >> CA eTrust: >> ---------- >> >> b1ad7836c4c5f13acd39a7554cb4a74c >> b21fdf4ac22cb040ceb060a5ce9369344a012ea5 >> 
3c39bf686d8cfa8d5901c10b6faff8e15f53eb5a7b09226893c5ec0add63e819 >> >> bb41ecd6340ddadf1b342569f545e0b3 >> 38405393b9145bf92c3ce2b9f887bbb200578c15 >> cc933471d8a8c1ff2216209b5063b5ebc77e86846d0b5d4809763af1277fcf93 >> >> 830b9443c1d9a2c3a3c22a61e141ff67 >> a5eb5a4bfab519db6db1270dda12a3eed36e99e6 >> ef3a5733a48728564781c3d5d7bf364f7c6b8c2dc9f62fbf7abd07c361e1078b >> >> e29cf7b7613bfdbb9a0c1b4114527251 >> 712e1835f88a75b50b902b5aeb8c63199d634da8 >> 0b8b843e0e123464275b75fd1d21a808233389204df10accca0d9b29884d8c27 >> >> F-Secure Antivirus: >> ------------------- >> >> 8029afc917c99b76211376677bec7025 >> 0e8b7674771c1cbd8860f73b1ce53aa88720c7d3 >> 107b3efdeab6e622cc164c4cdde5366ca1d4aac7e263217e0b41c7dcbff3b025 >> >> 2c4c3f6b89c7c395842b41a697cad411 >> b7d769358b594770d392bd57cbc9e56ece99b422 >> 548b4b246be5ed4cf962d556c20c96c35994269f06b5ddedd7aa7e7248e9e250 >> >> 657d39f36ac3f09f46ec30ed25a66a48 >> 3ca8a75f157cecb89ab8a9cf29b5589536428d50 >> 1fd43a88cf07ef8f5f1f35f656fbb08b2d16ad273363e88fa2efe4a056937f4a >> >> d27a2fb4a40b785e25a450bb3acfd793 >> 6b1d6d0754711ff5bafd84b1ed5a9ceeb88f3a53 >> e50e14059f17895efcfb7f60ff0be061cf49fa4a288c63ec494991555667da32 >> >> McAfee VirusScan: >> ----------------- >> >> a8f265a5d767f40a942a93be4ace83f4 >> 1aee982c67d3557dcb77989c36ff4c35115eb8c7 >> 957da7450f57781ac32f3a7ff7dcb5c975f5039f7684482706f1cd2dc61bc732 >> >> ee44ef6cf5cb0a8debae2adf18a33579 >> a4a386f2b911b7bb9fc3572935032bb56c9a5d85 >> c8d017c4f095b2f45623117d80433339b16b48de9fc8a7362eb13116bdd29c5b >> >> ee44ef6cf5cb0a8debae2adf18a33579 >> a4a386f2b911b7bb9fc3572935032bb56c9a5d85 >> c8d017c4f095b2f45623117d80433339b16b48de9fc8a7362eb13116bdd29c5b >> >> 3fb13db5928235fce3f6e65aa7ea4e86 >> 83f6ef1b222ad55fd87967e3089f554a33ae5a06 >> be927665d2d44f0958b7c8070ea4cc77444cdfe3ada3d8398dd1cb8f6b9f6192 >> >> a8f265a5d767f40a942a93be4ace83f4 >> 1aee982c67d3557dcb77989c36ff4c35115eb8c7 >> 957da7450f57781ac32f3a7ff7dcb5c975f5039f7684482706f1cd2dc61bc732 >> >> ESET NOD32: >> 
----------- >> >> cfd37b81fd0dbc62653032a4166173ff >> 3c69c0e8979237bf4af66f4b93a7ada0d0d81211 >> e8853ba6967db030d54805899525ba20fb03c4b4786e1c1b97f1666e316052e3 >> >> 440c492b01a8fb46a28d210345c180ed >> d0db253944fdc24f81df3cd0c1fb63c1a700e240 >> 8a3a6be38a55a341b2bba13bb4af453ca408edc29f1ee1f3f091e921250d28f1 >> >> 02dc846a5388b9c3b6021208761e6f5a >> 600420f8f3c7d438533817d64e0bef92462a614e >> 5ad94d4d445d48f1ef5d87d492e0213c7af20bebb053621418375c09412d8e4a >> >> b6f1955690dcfc804fae032216507430 >> 65cf6c31c4c103c296c937520964d6dd7442d86f >> f2401d9d3a5c3be0b9eec88eacf493ad6d83942ce0f566129cba929e398efc59 >> >> c52853d1d0ada84dd432aff2eacea04e >> 1f11427a3c5620dff36ef4056901bd3e1a209eeb >> d51bbacd4b2b540266b793ee2735d729844c0476a648d3dd7fc683d6eef13db4 >> >> 0107600c8612ff2ad4f22865768d407c >> 845391b0311305dadbed0aa41c2028e65516bfc1 >> 40eb114d0b472d35850fcdde4bba6bdf36f067ba55a7c2df67d65dcaa4592dec >> >> Norman Antivirus: >> ----------------- >> >> fc7743cda0033f81d5c7d969542ea33b >> 0e4ffac982168a0aa73f529d830dc656a747a6dc >> ca371fd64625efb50a0f3bb403bd922fc7081fc8966df7b0fd40b40586624188 >> >> a9bd4536a1966c0dde8ba718c658e854 >> f4adb4bfac96954a93c8e9d001630540af4a3fea >> 32caf66cd837949bfff32d4c2365cb3519d908e56dd3684e8ddc107ba25cc873 >> >> d5d020485df8ead5192042da9f32bb0d >> 95ead5b4fe26e5dff98a7fa95168f41713878f4c >> e6a19e24893ad87a7c0c299f35fc2010af5a7a4a926e0fa5113946cb80dc1ea5 >> >> b9a8a5063abf31f53f6f7d2e35a8f7ee >> 3640d55abbd155ea22a2a68f9d15f27e5307a048 >> 7cc06d3d8ceb341d6735c57c42288b067605a1fdeb8753729e4dddd0b435ad64 >> >> 5397061f4268bdcc106ada8724d2cc21 >> 3ddd04f4d4c2a1b2e91630ea909b74e9f8607554 >> 9a9eec3f5fa24f1ccf7cf47effc0a5d1f5dad12e22b61c8e4a6552dc4345a4c1 >> >> 13fc7553b8e2979942a95f6ff6f16f20 >> d74a4f36bead45008d826b3e2b5d9959a2394226 >> 769ca66067e3fedff804f454a0b5a9d54dbf85f140de43b8c115f3f0bcdaf74a >> >> 40aefe65ef2371df256a5a17be5c08a2 >> dfc4110d62cb9a36f27b2269f3adfa1cee0ee190 >> 
17ff4d9f7dd44101544023dcd6554c2280f0cf2c779cb7a1f26717467eea25c7 >> >> 7d9f52171e286d022e8c2605cab69db7 >> a2f3ef73dd41348131a4fc83bb269552c50e8a24 >> 91c53eed8ab2e06e46d7e2d2f5fecfa65d29ec4cf9832b3b1690b724a25b10bf >> >> Symantec Norton Antivirus: >> -------------------------- >> >> 05ee29971ad88e895fe3fbb2a931cb64 >> 344724a09b87ebb0901b4a110855840440b5dd35 >> 40494ee480bd1eb946a82d87cdbbad2a55471942b513c7986f1ef07a6a860de8 >> >> 5aa3942cfb2854ace70434ffbbaf83ad >> 3b07b9cdbce21fa7c018ffe49ec3e4fb26898e7a >> d9b0d079ee5d79d4791aed1465cf2b5cb69e953bfee6b39a51727bab6bfe0562 >> >> Panda Antivirus: >> ---------------- >> >> c1ef9b02aa230410db5384b60c43737f >> 6cdbec98c6b2dae754c835cddfd7510a27d6971d >> c7d9e6b1b1a6a99d15bdbc199584a82629b8c2696e052835832c9cdba6575827 >> >> a086d36416b40da2556f708ec7839091 >> 4dd0d6efea6335af8b49e76a8629cd575f56917a >> 9051df4e9eca261e051097a877aa68c3de568e85e24eb70c4424693018f9cbdb >> >> fb2b41a7c8a25c835052ec788250c285 >> 2583a038e47e85a9669f8bb944ccffcf11c21518 >> eeb614054a4cc99bb4aa3ac4b5f09f74c630a56ca7931a10b54a8f678eb59e67 >> >> Sophos Antivirus: >> ----------------- >> >> ac07ed7520c4ff1ae93be01c2dc0a91b >> 69f941d81f8ed9d2a21ff7421d8f658b8bdef67a >> 60471004837929f83c0cd5fa58c51505d0182891b656216b67d2ffa3792371ac >> >> e51333b8106e0cdc7c28e1d360470933 >> d3ea44047fde6792e0d451404133dfe37c2701ae >> 8363eb9f3db54839e10edbb5b0f0214425f42a5a67fa7a7f572d161dc6fe4ecb >> >> 1e33c49f7c86d23217f46927d17fcf84 >> 75491f057ef1f7b69ef5431bf1a61ad0ff5765e8 >> 68d66831aab022bac9e96e23ba8e1a55b49c392ed54fab9efe0f95d64ddb747c >> Cheers, >> Sergio >> >> -- >> Sergio Alvarez >> Security, Research & Development >> IT Security Consultant >> email: shadown at gmail.com >> >> This message is confidential. It may also contain information that is >> privileged or otherwise legally exempt from disclosure. 
If you have >> received >> it by mistake please let us know by e-mail immediately and delete it from >> your system; should also not copy the message nor disclose its >> contents to >> anyone. Many thanks. >> >> >> _______________________________________________ >> Dailydave mailing list >> Dailydave at lists.immunitysec.com >> http://lists.immunitysec.com/mailman/listinfo/dailydave >> >> > -- Sergio Alvarez Security, Research & Development IT Security Consultant email: shadown at gmail.com This message is confidential. It may also contain information that is privileged or otherwise legally exempt from disclosure. If you have received it by mistake please let us know by e-mail immediately and delete it from your system; should also not copy the message nor disclose its contents to anyone. Many thanks. From demottja at msu.edu Mon May 7 11:51:17 2007 From: demottja at msu.edu (Jared DeMott) Date: Mon, 07 May 2007 11:51:17 -0400 Subject: [Dailydave] New Evolutionary Fuzzing System (EFS) Message-ID: <463F4AF5.40103@msu.edu> Greetings, We've decided to release EFS before the Vegas conferences this year so people have time to try out EFS and provide feedback before that time. Before you delete this message: EFS is not another Perl framework. It's a totally new breed of fuzzer and the first (to be publicly released) of its kind. Looking forward to feedback. The goods are at http://www.appliedsec.com/ You'll need to download: 1.) The latest version of GPF (gpf.tar.gz) -E mode has the evolutionary guts 2.) EFS GUI (efs-paimei.tar.gz) Highly modified version of Pedram's pstalker does the code coverage and more EFS install instructions are in EFS_Setup_README.rtf 3.) EFS_Research_Poster.ppt An overview of the EFS system. Won best research at MSU this spring. Blessings, Jared From adriel at netragard.com Mon May 7 16:39:39 2007 From: adriel at netragard.com (Adriel T. 
Desautels) Date: Mon, 07 May 2007 16:39:39 -0400 Subject: [Dailydave] Punching above your weight class In-Reply-To: <4639FA3D.4050507@immunityinc.com> Message-ID: Dave, I couldn't agree with you more. When my partner and I founded Netragard we did it with the intention of addressing the issue that you talk about below. Specifically, there is a significant gap in the level and the quality of security services being offered to businesses internationally, and the actual threat level created by malicious hackers... To make matters worse, that gap is growing rapidly. *** A quick story... About three weeks ago I spoke on a panel during a CIO conference with Steve Wozniak. Before my panel went up I was listening to the first panel present their ideas about corporate security. One of the panelists began talking about defining "Acceptable Risk Levels" within organizations. (These were CIO's, CTO's, CSO's etc for multi billion/million dollar companies.) When I heard these people speaking I realized that they never got into anything specific. Instead it was as if they were just talking about ideas that they briefly read about in magazines or online articles. So I decided to ask them something specific. My first question to them was "In order to properly understand your acceptable risk level you must first understand the threats faced by your business, correct?" They all nodded in agreement. My second question to them was "Where do you get your threat intelligence?" None of them could answer the question, instead they tried to "market" their way around it, or provided answers that were not at all related to the question. Later I was accused of asking a "trick question", when there was nothing trick about it. *** End of my quick story... That's when it hit me. I've always known that a very significant gap existed between the capabilities of malicious hackers and the IT defense capabilities of businesses and government agencies. 
What I never realized was how little "good" threat intelligence was available to the people trying to defend themselves against malicious hackers.

I've made it a point to always have good threat intelligence by maintaining a team of people to harvest the intelligence for my business. So I suppose that I just take the intelligence capability for granted, but what has the rest of the world been doing? Who are they trying to protect themselves against if they don't have that capability?

I'm sure that many of the people on this list also have ways of collecting threat intelligence, but then again the people on this list are most probably an exception. Am I wrong?

I'm very curious...

--
Regards,
Adriel T. Desautels
Chief Technology Officer - Netragard, LLC
Office: 617-934-0269 || Mobile : 857-636-8882
http://www.linkedin.com/pub/1/118/a45
http://www.netragard.com
-------------------------
"We make IT secure."

From secadmin at netsecdesign.com Mon May 7 19:48:13 2007
From: secadmin at netsecdesign.com (Security Admin (NetSec))
Date: Mon, 7 May 2007 16:48:13 -0700
Subject: [Dailydave] Punching above your weight class
In-Reply-To:
References: <4639FA3D.4050507@immunityinc.com>
Message-ID: <8D870AB38C30EC4C848A11A3F83D20D805D625FEE2@exchange2007.mmicmanhomenet.local>

"... very significant gap existed between the capabilities of malicious hackers and the IT defense capabilities of businesses and government agencies."

Sadly this is true in most cases. Then others, like TJX, do not even follow the advice of their security staff when told of a problem.

Edward Ray

From mike at phed.org Tue May 8 00:10:05 2007
From: mike at phed.org (Michael Eddington)
Date: Mon, 7 May 2007 21:10:05 -0700
Subject: [Dailydave] Announce: Peach Fuzzing Framework v0.9
Message-ID: <2db0cefa0705072110k3a555aqe69e24537ffbe77@mail.gmail.com>

Peach Fuzzing Framework v0.9
http://peachfuzz.sf.net

Peach is a cross-platform fuzzing framework written in Python. Peach's main goals include: short development time, code reuse, ease of use, and flexibility. Peach can fuzz just about anything from .NET, COM/ActiveX, SQL, shared libraries/DLLs, network applications, web, you name it. Peach also includes a set of bindings to various other languages like C/C++, .NET, Java, JavaScript, COM, and XPCOM.

Thanks to all the people who have reported bugs, requested features, etc. Currently 3 years old and counting.

Partial Changelist:
* More data generators
* GeneratorList Master/Slave
* C Structure -> Python converter (see tools)
* Agent code for win32
* Updated documentation with examples
* Peach.NET is now a single assembly
* Peach.NET works better as a COM object
* Peach.NET HTML API documentation!
* Peach.C can be easily compiled with __stdcall support
* JavaScript DOM fuzzing engine (callback based)
* Loads of bug fixes and tweaks
* Some initial ASN.1 transformers and generators

mike

From xuminator at gmail.com Tue May 8 09:04:16 2007
From: xuminator at gmail.com (Xu He)
Date: Tue, 8 May 2007 09:04:16 -0400
Subject: [Dailydave] Fwd: Punching above your weight class
In-Reply-To:
References: <4639FA3D.4050507@immunityinc.com>
Message-ID:

---------- Forwarded message ----------
From: Xu He
Date: May 8, 2007 9:03 AM
Subject: Re: [Dailydave] Punching above your weight class
To: "Adriel T. Desautels"

Threat Intelligence is expensive to obtain in-house, requires dedicated people who don't mind the tedious work of trolling on boards and forums, and who also actually understand threats and their implication to their business. To the C-level execs, most threats are just bullet points on a powerpoint to sell a product or project. This is the reason there are plenty of companies that offer intelligence, like Cyota, Cyveillance, iDefense, etc. However, they are commercial entities and their goal is to generate profit, so they eventually adopt the mass market model like the AV companies. It's about covering the top 50% of "Threats", which at this time is mostly viruses and trojans, and marketing the hell out of it for a quick buck.

To truly understand threats to a business, you need passionate people who care and have the drive to not only collect the data, but also understand the data and how it applies to a particular business. CTOs, CIOs, CISOs want actionable data, information they can either use to get headcount, help elevate a project, or stop fraud, most of which these intelligence companies can't provide, because they don't understand and don't have the resources to understand the risk tolerance of each business.

There is a place for the intelligence companies for data collection. However, if the companies don't have internal staff that can interpret the data properly and act on the data in a timely manner, then the intelligence is just a bombardment of useless information, just like all of those signs that pointed to the hijackers in 9/11.

Accurate, Appropriate, Actionable (AAA) should be the three essential qualities of good intelligence.

X
From dave at immunityinc.com Tue May 8 13:52:58 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 08 May 2007 13:52:58 -0400
Subject: [Dailydave] Wrox: Professional Rootkits
Message-ID: <4640B8FA.9080500@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www.wrox.com/WileyCDA/WroxTitle/productCd-0470101547,descCd-download_code.html

I picked up a copy of Professional Rootkits by Ric Vieler. So far it's great! You get the feeling Ric is an exile from some random intel organization that he left after about ten years of writing rootkits. This book doesn't try to be super cutting edge - it is instead filled with practical advice for the professional rootkit writer. It's a small, understandable book.
One criticism: There's a weird mini-disassembler on pages 74-96, which he uses to analyze a target binary to add hooks into it. This is the sort of thing that is a great idea, but wastes a lot of pages in the book. This should be downloadable, but perhaps not printed out line for line. If you really want a disassembler, you'll also probably want an analyzer, and you'll want to do something cool with your analyzer in order to make your hooks "future-proof". This is probably something I'll have someone do with Immunity Debugger someday. A PGP trojan that works no matter what version of PGP they have, because it has a full binary analysis engine built in. Sound fun? Send me an estimate. :>

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGQLj4B8JNm+PA+iURAvGnAKC9h+mzLQcbBmtMvVhvmHrGI5wpzQCfTvbF
L60KkL45TLi+aRanlJWRM0s=
=hevx
-----END PGP SIGNATURE-----

From butlerjr at acm.org Tue May 8 16:10:36 2007
From: butlerjr at acm.org (James Butler)
Date: Tue, 8 May 2007 16:10:36 -0400
Subject: [Dailydave] Wrox: Professional Rootkits
In-Reply-To: <4640B8FA.9080500@immunityinc.com>
Message-ID: <20070508201056.F0BAE239ECE@lists.immunitysec.com>

Dave,

I am surprised that you liked this book. Well, with code and concepts "borrowed" from many of the contributors at rootkit.com and Russinovich, I guess it couldn't be bad. Yes, Ric is an exile, but from HBGary. He worked there as a tester for some things we were developing.

My problem with his book is that it makes no attempt to cite previous bodies of work. As one example, he talks of DKOM tricks of how to hide processes without mentioning FU. He even renames structures I have used in talks and papers, which are Microsoft structure names. If the reader is not familiar with the space, you would think he invented every rootkit technique currently being used, when in actuality, his book doesn't bring anything new to the table.

For the rest of you who haven't bought it yet, please consider carefully before you support someone blatantly making a profit from other people's work.

Jamie

It is because of Ric and companies with this attitude that the free disclosure of ideas has been driven underground on rootkit.com.

Yes, I have a dog in this fight.

From mwollenweber at gmail.com Tue May 8 16:29:22 2007
From: mwollenweber at gmail.com (matthew wollenweber)
Date: Tue, 8 May 2007 16:29:22 -0400
Subject: [Dailydave] Wrox: Professional Rootkits
In-Reply-To: <20070508201056.F0BAE239ECE@lists.immunitysec.com>
References: <4640B8FA.9080500@immunityinc.com> <20070508201056.F0BAE239ECE@lists.immunitysec.com>
Message-ID: <42210a440705081329x5f9955e1q8f00659396e76b02@mail.gmail.com>

I'm not a rootkit expert, but I had a similar impression as Jamie of the Wrox book. To me it seemed like a watered down version of the content from Jamie's book and rootkits.com. It's possibly a bit more user friendly but just a compilation of resources done by others.

--
Matthew Wollenweber
mwollenweber at gmail.com

From assault at hush.com Tue May 8 16:59:21 2007
From: assault at hush.com (assault at hush.com)
Date: Tue, 08 May 2007 23:59:21 +0300
Subject: [Dailydave] Wrox: Professional Rootkits
Message-ID: <20070508205926.B8520C3853@mailserver10.hushmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 08 May 2007 23:10:36 +0300 James Butler wrote:
....
> My problem with his book is that it makes no attempt to cite previous bodies of work.

as do so many others. even u.

> As one example, he talks of DKOM tricks of how to hide processes without mentioning FU.

are you suggesting that fu was the first to introduce /dev/mem walki^W^Wdkom?

> He even renames structures I have used in talks and papers, which are Microsoft structure names. If the reader is not familiar with the space, you would think he invented every rootkit technique currently being used, when in actuality, his book doesn't bring anything new to the table.

just like yours, i assume? or are u completely ignoring yearz of dos/linux malware research? do you mind telling what parts of the rootkits book are the result of your own research?

> For the rest of you who haven't bought it yet, please consider carefully before you support someone blatantly making a profit from other people's work.

assault

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkZA4+wACgkQwRKs9FnnsLTk0AP9GpjoKe+8Sd0+nuSHpTEsd0wXuMPg
17kC4qB3OQ2Gan1bYYXg/g2AXoecH9ssdLhudmvg1RD6x39SebiEJaaPAJZL6zE8HUxs
3bWN1lJhkWscCF2d8dcrIfLkzSlXsizi8qAQqkIpV1S72STi1oazbEtH2yEmYRZHsc1P
VvgnlK0=
=mwWQ
-----END PGP SIGNATURE-----

From jason.syversen at gmail.com Tue May 8 17:33:04 2007
From: jason.syversen at gmail.com (Jason Syversen)
Date: Tue, 8 May 2007 17:33:04 -0400
Subject: [Dailydave] Wrox: Professional Rootkits
In-Reply-To: <20070508201056.F0BAE239ECE@lists.immunitysec.com>
References: <4640B8FA.9080500@immunityinc.com> <20070508201056.F0BAE239ECE@lists.immunitysec.com>
Message-ID: <26ce52c30705081433v29687773yb01e4a17af3ff3f2@mail.gmail.com>

You raise an interesting point Jamie... at what point do things like Rootkits move out of the research domain and into production? We don't reference who built the hammer, the designer of the nail, or the sawhorse when writing a book about carpentry. At some point it's just part of the body of knowledge, and if you are writing a practitioner's book there is a good chance prior art is not properly referenced. I dug up some of my C/C++ books to see if people like Bjarne Stroustrup, Dennis Ritchie, etc.
were referenced, and in my sample of 6 books half the time the author/inventor of the language (or pretty much anyone else) was not referenced. IMO, it seemed to correlate with the quality of the book... those who were experts in their field and attempting to contribute to the body of available knowledge referenced prior art, while those were very newbie-oriented, implementation focused or just trying to get a book out there were more likely to neglect references. I would not attribute Mr. Vieler's actions to malice, however it is probably "bad form" and indicative of the level/quality of the book one would be acquiring. Books with no references (that I could find): 1) http://www.amazon.com/gp/reader/1572318570/ref=sib_dp_srch_pop/103-2831680-9988614?v=search-inside&keywords=Stroustrup&go.x=16&go.y=9&go=Go%21 2) Advanced C++, Namir Clement Shammas, Sams Publishing, 1992. 3) http://www.amazon.com/gp/reader/0672305100/ref=sib_dp_srch_bod/103-2831680-9988614?v=search-inside&keywords=ritchie&go.x=0&go.y=0&go=Go%21# Standard references: 1) http://www.amazon.com/gp/reader/076005018X/ref=sib_dp_pt/103-2831680-9988614# 2) http://www.amazon.com/gp/reader/0764546546/ref=sib_dp_pt/103-2831680-9988614#reader-link Example with good references in each chapter: 1) Classic Data Structures in C++, Timothy A. Budd, Addison Wesley Publishing Company, 1994 - Jason On 5/8/07, James Butler wrote: > > Dave, > > I am surprised that you liked this book. Well, with code and concepts > "borrowed" from many of the contributors at rootkit.com and Russinovich, I > guess it couldn't be bad. Yes, Ric is an exile, but from HBGary. He > worked > there as a tester for some things we were developing. > > My problem with his book is that it makes no attempt to cite previous > bodies > of work. As one example, he talks of DKOM tricks of how to hide processes > without mentioning FU. He even renames structures I have used in talks and > papers, which are Microsoft structure names. 
If the reader is not familiar > with the space, you would think he invented every rootkit technique > currently being used, when in actuality, his book doesn't bring anything > new > to the table. > > For the rest of you who haven't bought it yet, please consider carefully > before you support someone blatantly making a profit from other people's > work. > > Jamie > > It is because of Ric and companies with this attitude that has driven the > free disclosure of ideas underground on rootkit.com. > > Yes, I have a dog in this fight. > > > -----Original Message----- > From: dailydave-bounces at lists.immunitysec.com > [mailto:dailydave-bounces at lists.immunitysec.com ] On Behalf Of Dave Aitel > Sent: Tuesday, May 08, 2007 1:53 PM > To: dailydave > Subject: [Dailydave] Wrox: Professional Rootkits > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > http://www.wrox.com/WileyCDA/WroxTitle/productCd-0470101547,descCd-download_ > code.html > > I picked up a copy of Professional Rootkits by Ric Vieler. So far it's > great! You get the feeling Ric is an exile from some random intel > organization that he left after about ten years of writing rootkits. > This book doesn't try to be super cutting edge - it is instead filled with > practical advice for the professional rootkit writer. It's a small, > understandable book. > > One criticism: There's a weird mini-disassembler on pages 74-96, which he > uses to analyze a target binary to add hooks into it. This is the sort of > thing that is a great idea, but wastes a lot of pages in the book. This > should be downloadable, but perhaps not printed out line for line. If you > really want a disassembler, you'll also probably want an analyzer, and > you'll want do to something cool with your analyzer in order to make your > hooks "future-proof". This is probably something I'll have someone do > with > Immunity Debugger someday. 
> A PGP trojan that works no matter what version of
> PGP they have, because it has a full binary analysis engine built in. Sound
> fun? Send me an estimate. :>
>
> - -dave
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFGQLj4B8JNm+PA+iURAvGnAKC9h+mzLQcbBmtMvVhvmHrGI5wpzQCfTvbF
> L60KkL45TLi+aRanlJWRM0s=
> =hevx
> -----END PGP SIGNATURE-----

From dan at geer.org Tue May 8 20:09:09 2007
From: dan at geer.org (dan at geer.org)
Date: Tue, 08 May 2007 20:09:09 -0400
Subject: [Dailydave] Wrox: Professional Rootkits
In-Reply-To: Your message of "Tue, 08 May 2007 17:33:04 EDT." <26ce52c30705081433v29687773yb01e4a17af3ff3f2@mail.gmail.com>
Message-ID: <20070509000909.B52681BF98B@absinthe.tinho.net>

Speaking out of turn, but you can tell when a subject becomes academic when the arguments are about who published first.

--dan

From tqbf at matasano.com Tue May 8 20:31:00 2007
From: tqbf at matasano.com (Thomas Ptacek)
Date: Tue, 8 May 2007 19:31:00 -0500
Subject: [Dailydave] Wrox: Professional Rootkits
In-Reply-To: <20070508201056.F0BAE239ECE@lists.immunitysec.com>
References: <4640B8FA.9080500@immunityinc.com> <20070508201056.F0BAE239ECE@lists.immunitysec.com>
Message-ID: <1df0a410705081731p5a6e75e6j9b7bd1e5f958ac90@mail.gmail.com>

Do you cite amodload? Google doesn't think so. Daymont used a very similar trick to Joanna to load his code into SunOS 4.1.3, back in 1995 (!).
I talk to him all the time and never once heard him complain that he wasn't getting cited enough. So I think we're all off the hook on "DKOM" citation. I feel silly every time I say "DKOM", too.

On 5/8/07, James Butler wrote:
> Dave,
>
> I am surprised that you liked this book. Well, with code and concepts
> "borrowed" from many of the contributors at rootkit.com and Russinovich, I
> guess it couldn't be bad. Yes, Ric is an exile, but from HBGary. He worked
> there as a tester for some things we were developing.
>
> My problem with his book is that it makes no attempt to cite previous bodies
> of work. As one example, he talks of DKOM tricks of how to hide processes
> without mentioning FU. He even renames structures I have used in talks and
> papers, which are Microsoft structure names. If the reader is not familiar
> with the space, you would think he invented every rootkit technique
> currently being used, when in actuality, his book doesn't bring anything new
> to the table.
>
> For the rest of you who haven't bought it yet, please consider carefully
> before you support someone blatantly making a profit from other people's
> work.
>
> Jamie
>
> It is because of Ric and companies with this attitude that the free
> disclosure of ideas has been driven underground on rootkit.com.
>
> Yes, I have a dog in this fight.
>
>
> -----Original Message-----
> From: dailydave-bounces at lists.immunitysec.com
> [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of Dave Aitel
> Sent: Tuesday, May 08, 2007 1:53 PM
> To: dailydave
> Subject: [Dailydave] Wrox: Professional Rootkits
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> http://www.wrox.com/WileyCDA/WroxTitle/productCd-0470101547,descCd-download_code.html
>
> I picked up a copy of Professional Rootkits by Ric Vieler. So far it's
> great! You get the feeling Ric is an exile from some random intel
> organization that he left after about ten years of writing rootkits.
> This book doesn't try to be super cutting edge - it is instead filled with
> practical advice for the professional rootkit writer. It's a small,
> understandable book.
>
> One criticism: There's a weird mini-disassembler on pages 74-96, which he
> uses to analyze a target binary to add hooks into it. This is the sort of
> thing that is a great idea, but wastes a lot of pages in the book. This
> should be downloadable, but perhaps not printed out line for line. If you
> really want a disassembler, you'll also probably want an analyzer, and
> you'll want to do something cool with your analyzer in order to make your
> hooks "future-proof". This is probably something I'll have someone do with
> Immunity Debugger someday. A PGP trojan that works no matter what version of
> PGP they have, because it has a full binary analysis engine built in. Sound
> fun? Send me an estimate. :>
>
> - -dave
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFGQLj4B8JNm+PA+iURAvGnAKC9h+mzLQcbBmtMvVhvmHrGI5wpzQCfTvbF
> L60KkL45TLi+aRanlJWRM0s=
> =hevx
> -----END PGP SIGNATURE-----

--
--- Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log

From mconover at gmail.com Wed May 9 01:39:39 2007
From: mconover at gmail.com (Matt Conover)
Date: Tue, 8 May 2007 22:39:39 -0700
Subject: [Dailydave] Wrox: Professional Rootkits
In-Reply-To: <4640B8FA.9080500@immunityinc.com>
References: <4640B8FA.9080500@immunityinc.com>
Message-ID: <3e08eefa0705082239s1de70418g740b9329137a2ca2@mail.gmail.com>

> This should be downloadable, but perhaps not printed out line
> for line.
> If you really want a disassembler, you'll also probably want
> an analyzer,

How about this one?
http://www.cybertech.net/~sh0ksh0k/projects_small/tDisasm.zip

The instruction analysis and code tracing is pretty extensive (especially in this newer version) as demonstrated by (and the hooking code below):
http://www.cybertech.net/~sh0ksh0k/projects_small/tCodeTrace.zip

> and you'll want to do something cool with your analyzer
> in order to make your hooks "future-proof".

How about this one?
http://www.cybertech.net/~sh0ksh0k/projects_small/Hooking.zip

Give 'em a try.. these days I haven't had much time to extensively regression test, so treat these as "snapshots"... but I believe these versions to be pretty stable. Sending me an email is always the quickest way to get an updated/stable version. Reporting any bugs is always appreciated.

From manish.khanijo at gmail.com Wed May 9 04:18:59 2007
From: manish.khanijo at gmail.com (Manish Khanijo)
Date: Wed, 9 May 2007 13:48:59 +0530
Subject: [Dailydave] Exploit needed
Message-ID:

Dear All,

I need an exploit for ms05-027. The critical servers in my network have this vulnerability. I have already checked the support of this exploit in CANVAS and the metasploit framework. Even if somebody has source code, it is welcome.

--
Thanks and Regards,
Manish Khanijo.

From dave at immunityinc.com Wed May 9 12:54:01 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Wed, 09 May 2007 12:54:01 -0400
Subject: [Dailydave] Syscan 07 classes!
Message-ID: <4641FCA9.5000203@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm looking through the papers for Syscan 07 now, and there's some really good ones, but Thomas Lim asked me to post this as well so that everyone knew what classes were being offered:

Thanks,
Dave Aitel
VP Marketing and Public Relations
Immunity, Inc.
____________________________________________________________________________

dear all

besides having free alcohol for all conference attendees at SyScan'07 this year, there will be seven (7) training classes at SyScan'07 this year. these classes are:

1. "securing your oracle database from hackers" by alexander kornbrust
2. "web application (in)security" by ngs software
3. "designing a secured voip network" by hendrik scholz
4. "practical wifi (in)security" by cedric blancher
5. "penetration testing voip network" by the grugq
6. "network storage security training" by isec partners
7. "building secured asp.net applications" by cosaire

training classes will be held on july 3rd - 4th, 2007 and the main conference will be held on july 5th - 6th, 2007. those who sign up for these training classes by may 20th, 2007 will get to attend the conference for free. those who sign up for these classes after may 20th, 2007 need to pay only S$300 (about US$200) for the conference.

please visit www.syscan.org for more details.

- --
Thank you
Thomas Lim
Organiser
SyScan'07
www.syscan.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGQfymB8JNm+PA+iURAieqAKCfznJQhiBp2ADJ2E3qd8YRL3UYqgCfS17U
WItjZ6h6tUTaNYBOPETnrPQ=
=UkRf
-----END PGP SIGNATURE-----

From lmh at info-pull.com Wed May 9 09:21:07 2007
From: lmh at info-pull.com (LMH)
Date: Wed, 9 May 2007 15:21:07 +0200
Subject: [Dailydave] Vulnerabilities Hashes DB needed
In-Reply-To:
References:
Message-ID:

On 5/7/07, Dave Aitel wrote:
> There's only one company in the whole world that says "buffer overrun" and
> that's Microsoft.

Don't forget about Apple there.
Oh wait, they just don't say! ;PPPpppppPPp (tm)

> Anyways, if vendor monopoly disclosure annoys you, stop doing it. Why
> aggravate yourself by doing work for other people for free? Life is short.
> If all you really want is fame, then sell the bugs to whoever can get you
> the most fame fastest. Or just post them to the list. And I don't think we
> need a separate hashes list, since dailydave or full disclosure works fine
> for that and, importantly, is mirrored all over the place.

Apparently nowadays the security industry thinks that the really sexy stuff is actually disclosing issues to vendors. The more, the better. They release one single issue in an utterly crappy piece of software with more flaws than the US education budget, and make a world out of it. Some random junkhead releases one daily and they call him a publicity stunt then ;-) Heck, that's a pretty well balanced situation, isn't it?

I'm back playing with my mighty turkey. Hehe. Looks like exploitation techniques, and all that stuff is not hot anymore. And everyone who likes that can't apply for CISSP examination.

> I guess my point is this: if you deal the cards, you can make the rules.
> Otherwise, silence is usually the best option.

It's kind of a dream, but hopefully someday a so-called security company will start making some profit out of the real work and concentrate a bit less on publicity. PR and ladies are good and all that, but I know how it feels to deal with reporters and they aren't the brightest guys on Earth. There are exceptions (really), but just look over some and their relationships towards certain security vendors in time.

BTW, how's the average salary for professional trolling these days? I wanna send an application. Is Larry Seltzer still managing that kind of stuff? Or Lynn Fox (the girl who kidnaps Fox Mulder's sister in the X Files).

Keep it real.
[1]

[1]: http://www.youtube.com/watch?v=FjKMhtyI3L8
[2]: http://en.wikipedia.org/wiki/Law_%28Da_Ali_G_Show%29 (Brüno interview)
[3]: http://en.wikipedia.org/wiki/War_%28Da_Ali_G_Show%29

From arr at watson.org Wed May 9 11:54:37 2007
From: arr at watson.org (Andrew R. Reiter)
Date: Wed, 9 May 2007 11:54:37 -0400 (EDT)
Subject: [Dailydave] Citing
In-Reply-To: <006c01c787f2$eca80c20$b7b2a8c0@D1NQ6Z1J>
References: <006c01c787f2$eca80c20$b7b2a8c0@D1NQ6Z1J>
Message-ID: <20070509115333.C19505@fledge.watson.org>

I wonder if many (security conferences outside of academia) just don't want to put the effort into that seeing as how they are usually for-profit events?

On Thu, 26 Apr 2007, Halvar Flake wrote:

:Hey all,
:
:
:I do think that we as a community should do a better job at citing. In the academic circles
:you usually have a program committee that enforces proper citing, and you have the culture
:that people dig up obscure old publications to find out who really wrote something first.
:
:In most security conferences, the review process of submissions is minimal, and citations
:are not enforced -- perhaps it's time this changes.
:
:Cheers,
:Halvar

--
arr at watson.org

From adriel at netragard.com Wed May 9 12:12:53 2007
From: adriel at netragard.com (Adriel T. Desautels)
Date: Wed, 09 May 2007 12:12:53 -0400
Subject: [Dailydave] Exploit needed
In-Reply-To:
Message-ID:

Found this on google, haven't tested it.

http://www.securiteam.com/exploits/5LP0L1PG0I.html

On 5/9/07 4:18 AM, "Manish Khanijo" wrote:

> ms05-027

--
Regards,
Adriel T. Desautels
Chief Technology Officer - Netragard, LLC
Office: 617-934-0269 || Mobile : 857-636-8882
http://www.linkedin.com/pub/1/118/a45
http://www.netragard.com
-------------------------
"We make IT secure."
From listuser at nvlabs.in Fri May 11 06:56:32 2007
From: listuser at nvlabs.in (Vipin Kumar)
Date: Fri, 11 May 2007 16:26:32 +0530
Subject: [Dailydave] TPMkit: Breaking the Legend of Trusted Computing(TC [TPM]) and Vista (BitLocker) - Nitin Kumar & Vipin Kumar
Message-ID: <46444BE0.8020802@nvlabs.in>

Dear all,

We are working on TPMkit: Breaking the Legend of Trusted Computing (TC [TPM]). We are almost in the final stages of breaking TPM. We have success on Windows Vista BitLocker, though the method is OS independent. We are planning for demonstrations at the Blackhat USA and HITB cons (if they accept us).

Abstract and general info about presentation
---------------------------------------------------------------------------

TPMkit: Breaking the Legend of Trusted Computing (TC [TPM]) and Vista (BitLocker)
*********************************************************************************

"Trusted computing" means that the computer will consistently behave in specific ways, and those behaviors will be enforced by hardware and software. Trusted Computing is often seen as a possible enabler for future versions of document protection (mandatory access control) and copy protection (Digital Rights Management) - which are of value to corporate and other users in many markets and which, to critics, raise concerns about undue censorship. It's also being used by software vendors.
(Source http://en.wikipedia.org/wiki/Trusted_Computing)

Trusted Computing includes the use of the Trusted Platform Module (a security processor, i.e. a hardware chip) which can be used to enforce protections (such as BitLocker in Microsoft's Windows Vista). TCG has proposed a specification for Remote Attestation that allows a host to remotely prove its hardware and software while protecting its privacy. Trusted reporting is the key component for attestation of a host's configuration and is accomplished by exposing trusted measurements. Remote Attestation is also used by Trusted Network Connect. The TNC architecture enables network operators to enforce policies regarding endpoint integrity at or after network connection.

TCPA/TPM DRM is a technical term for a Trustworthy Computing solution that limits what fair use consumers can use with the media they own. More info on http://www.chillingeffects.org/weather.cgi?WeatherID=534

Nearly 150 Million TPM devices have already been shipped and this number is increasing day-by-day. (Source: https://www.trustedcomputinggroup.org/news/Industry_Data/Implementing_Trusted_Computing_RK.pdf)

The TPM becomes the first step in the boot sequence, serving as a secure foundation for the BIOS, the boot loader, the kernel, and the rest of the operating system. Since the TPM performs this check every time the PC boots, it provides a regular check for rootkit infections. This means it will be easily apparent when a PC has been tampered with. (Source: https://www.trustedcomputinggroup.org/news/Industry_Data/Whitepaper_Rootkit_Strom_v3.pdf)

The attack procedure (TPMkit) involves an attack on the TPM. TPMkit lets you overcome technologies such as Vista's BitLocker. TPMkit also bypasses remote attestation and thus will allow connecting over Trusted Network Connect (TNC) (although the system might not be in a Trusted state).
TPMkit bypasses the security checks mentioned (in the above paragraphs) and thus, you will never know that you are using a compromised or changed system.

The demonstration will include a few live demonstrations. For example, one demonstration will show how to login and access data on a Windows Vista System (which has TPM + BitLocker enabled).
---------------------------------------------------------------------------

bye,
nitin, vipin

From dan at geer.org Thu May 10 23:19:04 2007
From: dan at geer.org (dan at geer.org)
Date: Thu, 10 May 2007 23:19:04 -0400
Subject: [Dailydave] deadline near for Metricon 2.0
Message-ID: <20070511031904.537E01BF91A@absinthe.tinho.net>

While it is likely that many know about this, we are holding a second security metrics workshop, Metricon, this summer and the deadline for requests to participate is upon us. Note that this is a *workshop* and reasons for wanting to attend are what is needed, not necessarily any full-tilt academic papers (though those are welcome).

http://www.securitymetrics.org/content/Wiki.jsp?page=Welcome_blogentry_090407_1

And if this is altogether a surprise, note that we have a very active discussion group on all matters related to security metrics, run as a members-only (spam-free) mailing list.

--dan

From dave at immunityinc.com Sun May 13 18:23:28 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Sun, 13 May 2007 18:23:28 -0400
Subject: [Dailydave] hotel room things
Message-ID: <46478FE0.40806@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So I have a few things, other than AllergyWeb, that I want to write.

Top on my list is a "SQL Injection Explorer" which allows you to use the error messages to download bits of a database as if it was a directory tree.
This is useful when you end up doing SQL Injection against a DB server that has the following characteristics:

o it's far away from any ability to access the internet or call back to you
o it's not running as an admin user, and it doesn't have a weak admin password for you to brute force
o you don't have an easy way to get results other than the error messages from your sql injection
o you don't want to use 0day to root the DB server

One option is to have a script that automatically downloads the whole database, but this has two problems:

o Terabytes of data coming back over the error messages sucks especially since 99% of it is stuff you don't care about
o Databases change a lot over time, which is one of the things you want to explore with a nice graphical tool.

Second on my list is an export from CANVAS -> Visio-like network diagrams. People can use CANVAS to quite easily find out networking information, like traceroutes, firewall rulesets, open ports, etc. and I'd like to have this sort of information in my reports. Ideally you could export directly into OpenOffice, but if not, a nice orthogonal graph would be pretty.

Anyways, these are the things you think about while in hotel rooms in random cities.

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGR4/etehAhL0gheoRAi5gAJ9LhFFtOEjZdaDiEi0HPJUxvfVTMQCbBetm
QOn5DG+jbuiPfGQTtaOfI10=
=A5A1
-----END PGP SIGNATURE-----

From dailydave at digitaloffense.net Mon May 14 00:32:41 2007
From: dailydave at digitaloffense.net (dailydave at digitaloffense.net)
Date: Sun, 13 May 2007 23:32:41 -0500
Subject: [Dailydave] Uninformed Journal Release Announcement: Volume 7
Message-ID: <200705132332.41740.dailydave@digitaloffense.net>

Uninformed is pleased to announce the release of its seventh volume.
This volume includes 3 articles relating to exploitation technology and general research:

- Exploitation Technology: Reducing the Effective Entropy of GS Cookies
  Author: skape

- General Research: Memalyze: Dynamic Analysis of Memory Access Behavior in Software
  Author: skape

- General Research: Mnemonic Password Formulas
  Authors: I)ruid

This volume of the journal can be found at:

http://www.uninformed.org/?v=7

About Uninformed:
Uninformed is a non-commercial technical outlet for research in areas pertaining to security technologies, reverse engineering, and low-level programming. The goal, as the name implies, is to act as a medium for informing the uninformed. The research presented in each edition is simply an example of the evolutionary thought that affects all academic and professional disciplines.

- The Uninformed Staff
staff [at] uninformed.org

From rd at segfault.net Mon May 14 02:58:29 2007
From: rd at segfault.net (rd)
Date: Mon, 14 May 2007 09:58:29 +0300
Subject: [Dailydave] hotel room things
In-Reply-To: <46478FE0.40806@immunityinc.com>
References: <46478FE0.40806@immunityinc.com>
Message-ID: <46480895.2000302@segfault.net>

Dave Aitel wrote:
> So I have a few things, other than AllergyWeb, that I want to write.
> Top on my list is a "SQL Injection Explorer" which allows you to use
> the error messages to download bits of a database as if it was a
> directory tree. This is useful when you end up doing SQL Injection
> against a DB server that has the following characteristics:

dave,

You may want to check this out http://www.0x90.org/releases/absinthe.
It works with both error based and blind injection (check the document section for screenshots).

cheers,
--rd

--
PGP Key ID: 71BB82EF - http://www.thc.org/keys/rd.pub
Fingerprint - E18F 6CE8 E12B 3306 80D9 6B5A 364B 1D77 71BB 82EF

From spender at grsecurity.net Mon May 14 10:13:19 2007
From: spender at grsecurity.net (Brad Spengler)
Date: Mon, 14 May 2007 10:13:19 -0400
Subject: [Dailydave] What RedHat doesn't want you to know about ExecShield (without NX)
Message-ID: <20070514141319.GA32356@grsecurity.net>

Few of you may have seen my comments on the following article in RedHat magazine:

http://www.redhatmagazine.com/2007/05/04/whats-new-in-selinux-for-red-hat-enterprise-linux-5/

I think the issue deserves more widespread attention among the security community, however, since RedHat seems to be involved in a concerted effort of disinformation for both SELinux and ExecShield. Take note of their misleading (another word for completely inaccurate) diagrams, inability to understand what exactly the new additions to SELinux have to do with "buffer overflows," and then note my several comments below, where I also comment upon some ExecShield behavior under a non-NX system.

I present you with links to several previous articles on RedHat security and the official ExecShield paper, all written by developers at RedHat, who make several inaccurate/misleading statements regarding the effectiveness under ExecShield in a non-NX environment (which RedHat would have you believe does not exist anymore). I encourage you to read all the comments, however the basic idea is that ExecShield has had problems ever since it was introduced into Fedora and then into RHEL (sometimes due to improper marking with the flawed PT_GNU_STACK which under ExecShield with no NX makes the entire address space executable, other times with bugs in the ExecShield implementation that ended up leaving over half of the services on a Fedora Core 3 system being protected improperly).
Then there's the design issue RedHat doesn't want you to know about: under ExecShield with no NX, every writable mapping lower than the highest executable mapping in the address space is executable. For PIE binaries, due to their weaker form of PaX's ASLR, this becomes even more interesting since it produces what I call "nondeterministic security." Since PIE binaries are treated just like libraries, they may or may not be loaded as the highest-mapped library in the system. Since there is only one PIE binary loaded and many more libraries being loaded, this means that there's a large chance that the bss/data on the main executable will be unprotected -- writable and executable.

Ingo knows about this (I mailed him privately about the problems I saw with Fedora Core 3, which resulted in an updated kernel -- though I don't believe users were really notified of the fact they were being fooled into thinking certain protection was being applied to their binaries that in fact was not), but it seems he's not talking to anyone else at RedHat if you look at the articles that keep coming out about their "security enhancements."

In my last comment I list articles I found about ExecShield with the inaccurate statements (I couldn't find any with an accurate discussion of them). Among them:

http://www.noncombatant.org/trove/drepper-redhat-security-enhancements.pdf
http://www.redhat.com/magazine/009jul05/features/execshield/
http://www.redhat.com/f/pdf/rhel/WHP0006US_Execshield.pdf

I really hope I don't see another article from RedHat about SELinux containing diagrams like:

http://farm1.static.flickr.com/223/481929076_959cdef97d_o.jpg

or an article about ExecShield saying that its protection on a processor without NX is comparable to one with NX.
On another note, the following bug fixed in v2.6.21 of the Linux kernel:

commit fdc30b3d448bf86dd45f9df3e8ac0d36a3bdd9b2
Author: Taku Izumi
Date: Mon Apr 23 14:41:00 2007 -0700

    Fix possible NULL pointer access in 8250 serial driver

is 100% exploitable as a root user (thanks to solar designer, /proc/tty/driver has had its permissions restricted that would have prevented this from being exploitable by a non-root user). Of course, this is just one more example of a bug not being recognized by kernel developers as being exploitable. It's also one more vector to completely compromise a box running SELinux (using the handy disable_selinux() code released in my previous exploit).

It's easy to misinform your users when no one questions your information. It's harder when the entire security community knows about it. I had hoped my previous exploit would have kept RedHat from getting away with publishing an article containing the diagram it has, but it appears to have not been effective. It's in everyone's best interests for RedHat to be more honest in their discussion of their security technologies, and I hope they will make a concerted effort towards that.

-Brad

From rhyskidd at gmail.com Mon May 14 11:23:27 2007
From: rhyskidd at gmail.com (Rhys Kidd)
Date: Mon, 14 May 2007 23:23:27 +0800
Subject: [Dailydave] hotel room things
In-Reply-To: <46480895.2000302@segfault.net>
References: <46478FE0.40806@immunityinc.com> <46480895.2000302@segfault.net>
Message-ID: <68dd869f0705140823u65978047gc14cb009415bf60b@mail.gmail.com>

Dave,

I'm personally a big fan of sqlmap, http://sqlmap.sourceforge.net/, for blind SQL injection and enumeration.
Some nice features include:

- Using both page hashes and string matches to pick responses apart.
- Extensive fingerprinting
- Limited IDS evasion.
- Support for a variety of RDBMS'

Being able to do the below in Python is hot; in a very PCI-is-a-buzz-word kind of way.

$ python sqlmap.py -u "http://localhost/index.php?id=1&cat=2" --tables -D mysql

Database: mysql
[21 tables]
+---------------------------+
| columns_priv              |
| db                        |
| event                     |
| func                      |
| general_log               |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| plugin                    |
| proc                      |
| procs_priv                |
| slow_log                  |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| user                      |
+---------------------------+

From sgrubb at redhat.com Mon May 14 12:39:40 2007
From: sgrubb at redhat.com (Steve Grubb)
Date: Mon, 14 May 2007 12:39:40 -0400
Subject: [Dailydave] On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns
In-Reply-To: <20070303161612.GA10837@grsecurity.net>
References: <20070303161612.GA10837@grsecurity.net>
Message-ID: <200705141239.40178.sgrubb@redhat.com>

Hi Brad,

I was very busy at the time and had no chance to reply until now.

On Saturday 03 March 2007 11:16, Brad Spengler wrote:
> I submit for your record-keeping what I believe to be the first public
> exploit for a null ptr dereference bug in the Linux kernel.

Brad, thanks for pointing this out. I had heard rumors of an exploit that could turn selinux off last year. I theorized what could be attacked and saw that your exploit attacks exactly what I thought...a variable used for yes/no decisions. So, I was happy that this was all you had found.
But I looked at the grSec kernel and found this in grsecurity/grsec_init.c:

    int grsec_enable_shm;
    int grsec_enable_link;
    int grsec_enable_dmesg;
    int grsec_enable_fifo;
    int grsec_enable_execve;
    int grsec_enable_execlog;
    int grsec_enable_signal;
    int grsec_enable_forkfail;
    int grsec_enable_time;
    int grsec_enable_audit_textrel;
    int grsec_enable_group;
    int grsec_audit_gid;
    int grsec_enable_chdir;
    int grsec_enable_audit_ipc;
    int grsec_enable_mount;

It looks to me like you have the same exact attack point that selinux does. Its just that one needs to loop through them to shut them down. Wouldn't you agree on that point?

> 3) Re: "I can only guess that you mean systems that learn normal
> behavior so that abnormalities can be spotted? The problem is how do you
> _know_ you are observing correct behavior. You could have a trojaned app
> that you are now learning its behavior."
> (sgrubb at redhat.com)
>
> If I'm downloading signed updates from RedHat that are trojaned, I think
> I have more of a problem than learning on my hands.

Who says that all apps people run come from Red Hat?

> I think you severely overestimate the intelligence of most administrators in
> their ability to determine at such a low level what kind of access a program
> needs to the system. Is each administrator then required to completely
> audit the source of all apps for which no policy exists?

No, you can easily confine an app in a few minutes. What they need to do is to review what the application is asking permission for. If its trying to get write access to shadow, they might want to seriously consider whether the app really needs that.

I was going to point out to Rodrigo that learning systems can encapsulate bad program behavior. There have been many ti