From lists at bughunter.ca Fri Nov 2 14:01:18 2007
From: lists at bughunter.ca (J.M. Seitz)
Date: Fri, 2 Nov 2007 10:01:18 -0800
Subject: [Dailydave] Do Pictures Help?
Message-ID: <006201c81d7a$5f606e70$6207a8c0@jseitz>

I threw a post up on OpenRCE regarding the usage of a "visual" to determine how to best approach fuzzing a file format.

http://www.openrce.org/blog/view/922/Visual_Patterns_for_File_Format_Fuzzing

JS
From: matt at use.net (Matt Hargett)
Date: Fri, 2 Nov 2007 12:08:10 -0700
Subject: [Dailydave] From blackbox to grey-box during Web App tests
In-Reply-To: <00a501c80cdf$ce34db70$6207a8c0@jseitz>
References: <00a501c80cdf$ce34db70$6207a8c0@jseitz>
Message-ID: <200711021208.11069.matt@use.net>

On Friday 12 October 07 07:54:34 J.M. Seitz wrote:
> > PaiMei and BinNavi are fuzzer trackers, as I explained. gcov
> > is more of a basic line coverage tool, isn't it? See:
> > http://bullseye.com/coverage.html

The problem I always have with gcov is that its output is too low-level and there aren't any good visualization tools for the data. ggcov doesn't count because it basically won't compile on any Linux Luis and I tried unless you sacrifice both a chicken *and* a goat. Even when we got ggcov compiled, it didn't work properly.

(WAS RE: MY KINGDOM FOR A HORSE) valgrind has all the capabilities to put this kind of information together, someone just needs to do it. I'll pay $250 for someone to develop an open-source GPLv2 line-based coverage "skin" for valgrind that outputs in NCover's XML format.

The other problem with gcov is that you have to recompile the source with -fprofile-arcs, etc. The fact it doesn't measure unique path coverage isn't a big surprise, because most of these tools don't do that.

When working on Hailstorm 3.0 (in late 2001, I think? My co-workers at that time might remember.), I ran gcov on TinyHttpd to make sure the HTTP content in that product was covering the protocol parsing code correctly. The content was originally developed against the RFC, but the coverage wasn't very complete. We developed more content as a result. The key here was I was only caring about the coverage on the protocol parsing code itself, and I had to look at it deeply to weed out things that didn't matter. Code coverage as a raw metric is basically useless, but understanding what *isn't* covered is a good place to start looking for bugs.
The best exploitable application-logic bugs I've found in the last 5 years have had to do with poor exception handling in C++, Java, C#, and even a couple of custom-longjmp exception implementations and signal handling in plain-old C.

> Gcov is a whitebox code coverage tool, and there are some interesting tools
> from Compuware that integrate directly into your VS 2005 environment to
> give you code coverage metrics.

I've always preferred Parasoft's tools (Insure++, etc) for these kinds of things as their support has always been quite responsive with fixes for issues, regardless of the size of the company I was at. I recommend Gimpel's PC-Lint for the same reason. I'm not affiliated with either of those companies, I've just been using their products off and on for almost 10 years. (I did use PureCoverage, but like its Purify cousin, the product has largely atrophied.)

> I guess I am not too sure how useful that Tracer is, the more I have
> thought about it, the more I like Dave's idea of having a filter on the
> running server (database), that captures all SQL queries that made it into
> the server, and reporting the results back that match an injection. To take
> this a step further you could also hook into the application server itself
> and hook file creation, process creation, etc.

I would recommend just doing destructive injection. If people don't have a staging system you can skullfuck with all your might, your ability to make the app fall over in a way that will get them to actually fix it is severely impaired.

Specifically with regard to Tracer, I wasn't very impressed when an acquaintance of mine who works for Fortify showed it to me. He was equally underwhelmed, but the strategy of diversifying their business is a good one. One wonders how things would have played out differently for Sanctum (or Cenzic) if they had diversified their product line sooner.
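A worked example of the point Matt makes about looking at what is *not* covered, added here and not taken from the thread or from any of the tools it names. It parses gcov's plain-text output (the `.gcov` files written after building with `-fprofile-arcs -ftest-coverage` and running the binary) and lists, per function, the executable lines that no run reached, ranked so the parser's blind spots come first. The sample `.gcov` text, the function names `parse_header` and `parse_chunk`, and the function-detection heuristic are all constructed for the example; gcov's `-f` and `-b` options would give exact per-function data on a real build.

```python
"""Turn gcov text output into a ranked list of what the corpus never reached.

Added example, not from the thread or any tool it names. Input is the
plain-text .gcov format: "count:lineno:source" per line, where "-" marks a
non-executable line and "#####" (or "=====") an executable line that never
ran. The sample below is constructed; parse.c does not exist.
"""
import re

LINE_RE = re.compile(r'^\s*([^:]+?):\s*(\d+):(.*)$')
# Heuristic for a C function definition line ("type name(args)" with no
# trailing ';', so prototypes and calls are skipped). An assumption made
# for this example, not something gcov itself emits.
FUNC_RE = re.compile(
    r'^\s*[A-Za-z_][\w\s\*]*?\b([A-Za-z_]\w*)\s*\([^;{}]*\)\s*\{?\s*$')
CONTROL = {'if', 'while', 'for', 'switch', 'return', 'else', 'sizeof'}

# Constructed sample .gcov output for a two-function parser.
SAMPLE_GCOV = """\
        -:    0:Source:parse.c
        -:    1:#include <string.h>
        -:    2:
        -:    3:int parse_header(const char *buf, int len)
       12:    4:{
       12:    5:    if (len < 4)
    #####:    6:        return -1;
       12:    7:    if (memcmp(buf, "RIFF", 4) == 0)
       12:    8:        return 1;
    #####:    9:    if (memcmp(buf, "RIFX", 4) == 0)
    #####:   10:        return 2;
    #####:   11:    return 0;
        -:   12:}
        -:   13:
        -:   14:int parse_chunk(const char *buf, int len)
        7:   15:{
        7:   16:    if (len > 65535)
    #####:   17:        return -1;
        7:   18:    return len;
        -:   19:}
"""


def parse_gcov(text):
    """Yield (count, lineno, source). count is None for non-executable
    lines, 0 for never-executed lines, else the execution count."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        count_s, lineno, src = m.group(1).strip(), int(m.group(2)), m.group(3)
        if lineno == 0:                       # Source:, Runs:, ... metadata
            continue
        if count_s == '-':
            count = None
        elif count_s in ('#####', '====='):
            count = 0
        else:
            count = int(count_s.rstrip('*'))  # "12*": some blocks unexecuted
        yield count, lineno, src


def coverage_report(text):
    """Map function name -> {'executable', 'covered', 'uncovered': [lines]}."""
    report = {}
    current = '<file scope>'
    for count, lineno, src in parse_gcov(text):
        fm = FUNC_RE.match(src)
        if fm and fm.group(1) not in CONTROL:
            current = fm.group(1)
        entry = report.setdefault(
            current, {'executable': 0, 'covered': 0, 'uncovered': []})
        if count is None:
            continue
        entry['executable'] += 1
        if count > 0:
            entry['covered'] += 1
        else:
            entry['uncovered'].append(lineno)
    return {name: e for name, e in report.items() if e['executable']}


def rank_gaps(report):
    """Functions ordered by how many executable lines the corpus missed;
    the top entries are where to aim the next round of inputs."""
    return sorted(report.items(),
                  key=lambda kv: (-len(kv[1]['uncovered']), kv[0]))


if __name__ == '__main__':
    for name, e in rank_gaps(coverage_report(SAMPLE_GCOV)):
        print(f"{name}: {e['covered']}/{e['executable']} lines run, "
              f"never reached: {e['uncovered']}")
```

On the constructed sample the report says what the raw percentage (7 of 12 lines) hides: every input so far has been a RIFF file of at least four bytes, so the short-input path, the RIFX branch and the unknown-magic fallthrough in `parse_header` have never executed, which is exactly where the next batch of fuzz cases should go.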
From: lmh at info-pull.com (Lance M. Havok)
Date: Wed, 7 Nov 2007 01:45:14 +0100
Subject: [Dailydave] The Wonderful Octopus Firewall Troll

Here it comes. Dun dun. It's the firewall troll.

With all CISSP experts around the industry, fighting over the dissertation of monsieur Rich Mongol, everyone has forgotten that this very (in Ptacek's own words!) "socket-based firewall" is an innovative piece of flawed copy-pasta.

It's common knowledge that generally, all grsecurity copycats, with no exception, suck at stealing spender's touch. Please refer to the grsecurity patch, if you can read C (I know these days it's getting tricky). Hints:

+int grsec_socket_all_gid;
+int grsec_enable_socket_client;
+int grsec_socket_client_gid;
+int grsec_enable_socket_server;
+int grsec_socket_server_gid;
(...)
+int
+gr_handle_sock_all(const int family, const int type, const int protocol)
+{
+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
+	if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
+	    (family != AF_UNIX) && (family != AF_LOCAL)) {
+		gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
+		return -EACCES;
+	}
+#endif
+	return 0;
+}
(...)
+int
+gr_handle_sock_server(const struct sockaddr *sck)
+{
+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
+	if (grsec_enable_socket_server &&
+	    in_group_p(grsec_socket_server_gid) &&
+	    sck && (sck->sa_family != AF_UNIX) &&
+	    (sck->sa_family != AF_LOCAL)) {
+		gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
+		return -EACCES;
+	}
+#endif
+	return 0;
+}
(...)
+int
+gr_handle_sock_server_other(const struct sock *sck)
+{
+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
+	if (grsec_enable_socket_server &&
+	    in_group_p(grsec_socket_server_gid) &&
+	    sck && (sck->sk_family != AF_UNIX) &&
+	    (sck->sk_family != AF_LOCAL)) {
+		gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
+		return -EACCES;
+	}
+#endif
+	return 0;
+}
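Review bot: in gr_handle_sock_all, gr_handle_sock_server and gr_handle_sock_server_other the paired test `(family != AF_UNIX) && (family != AF_LOCAL)` (and the same pair on sa_family and sk_family) is one comparison written twice: on Linux AF_LOCAL is defined as AF_UNIX, so the second operand can never change the outcome. Collapse each to a single `!= AF_UNIX` check. The three hooks also apply the same policy (enabled flag, group membership, non-local family) to a family value fetched from three different places; a shared helper taking the family would keep that policy in one spot and make the next copy of this code harder to get subtly wrong.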
@@ -1174,6 +1190,16 @@
 	int retval;
 	struct socket *sock;
 
+	if(!gr_search_socket(family, type, protocol)) {
+		retval = -EACCES;
+		goto out;
+	}
+
+	if (gr_handle_sock_all(family, type, protocol)) {
+		retval = -EACCES;
+		goto out;
+	}
+
 	retval = sock_create(family, type, protocol, &sock);
 	if (retval < 0)

and so on.

The power of grsecurity as a backdoor, doesn't rely on grsecurity being the backdoor itself, but because of its code obfuscation, turns every code theft into failure and remote rooting. That's the secret. You can copy it, but you can't copy it right (TM). (See, like Coke, Cuban coke is not Colombian coke and vice versa; one drills a hole in your nose, the other one makes you trip on communism).

Therefore, new Apple's operating system, should be named Bang Octopus (like Bang Bus, but with more and bigger tentacles).

For more information, please refer to The Oxymoron Encyclopedia: The More you Contradict Yourself:

http://www.matasano.com/log/988/excellent-explanation-of-leopards-firewall-behavior/#comments

We say 'Aloha' to Bob, Mr. R and friends. God bless those who sleep at night, even when Wordpress powers their wildest hallucinations.
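Review bot: in the sys_socket hunk the return value of gr_handle_sock_all() is thrown away and -EACCES re-derived by the caller, and the two checks use opposite conventions two lines apart: gr_search_socket() is tested with `!` (non-zero means allow) while gr_handle_sock_all() is tested bare (non-zero means deny). That is exactly the shape that gets inverted in a later copy. Suggest `retval = gr_handle_sock_all(family, type, protocol); if (retval) goto out;` so the error code has one source, and a space after `if` in `if(!gr_search_socket(...))` for kernel style.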
From: tqbf at matasano.com (Thomas Ptacek)
Date: Wed, 7 Nov 2007 19:30:49 -0600
Subject: [Dailydave] Do Pictures Help?
In-Reply-To: <006201c81d7a$5f606e70$6207a8c0@jseitz>
References: <006201c81d7a$5f606e70$6207a8c0@jseitz>
Message-ID: <1df0a410711071730w6f5f7ab3t5142faa6ad7467fd@mail.gmail.com>

A good example of the same idea:

http://cr.yp.to/snuffle/diffusion.html

On 11/2/07, J.M. Seitz wrote:
>
> I threw a post up on OpenRCE regarding the usage of a "visual" to
> determine how to best approach fuzzing a file format.
>
> http://www.openrce.org/blog/view/922/Visual_Patterns_for_File_Format_Fuzzing
>
> JS
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave

--
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log
From: c.holloway at gmail.com (Chris Holloway)
Date: Thu, 8 Nov 2007 17:44:10 +0000
Subject: [Dailydave] Do Pictures Help?
In-Reply-To: <1df0a410711071730w6f5f7ab3t5142faa6ad7467fd@mail.gmail.com>
References: <006201c81d7a$5f606e70$6207a8c0@jseitz> <1df0a410711071730w6f5f7ab3t5142faa6ad7467fd@mail.gmail.com>
Message-ID: <40ea4a030711080944h46cf0204s623e5851635e5360@mail.gmail.com>

Dan Kaminsky's dot plots are worth mentioning:

http://www.doxpara.com/slides/dmk_blackops2006.ppt (from slide 43)
http://www.doxpara.com/slides/dmk_shmoo2007.ppt (from slide 41)

On 08/11/2007, Thomas Ptacek wrote:
> A good example of the same idea:
>
> http://cr.yp.to/snuffle/diffusion.html
>
> On 11/2/07, J.M. Seitz wrote:
> >
> > I threw a post up on OpenRCE regarding the usage of a "visual" to
> > determine how to best approach fuzzing a file format.
> >
> > http://www.openrce.org/blog/view/922/Visual_Patterns_for_File_Format_Fuzzing
> >
> > JS
>
> --
> ---
> Thomas H. Ptacek // matasano security
> read us on the web: http://www.matasano.com/log
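An added example of the dot-plot idea this thread points at (mark every pair of offsets (i, j) whose byte windows are identical, so repeated records show up as diagonals and padding as solid blocks), plus a per-block entropy profile, run over a small constructed file. This is not code from the OpenRCE post, the Bernstein page or the Kaminsky slides linked above; the container format it builds (a FUZZ magic, then tag + 16-bit length + payload chunks), the chunk tags and the window and block sizes are all assumptions made for the example. The output is the kind of picture the thread is about: which regions repeat (and so share a parser path), and which are high-entropy payload where bit flips rarely get past a decoder.

```python
"""Dot plot and entropy profile of a binary blob, to see its structure
before fuzzing it. Added example; not code from the OpenRCE post or the
slides linked in this thread. The container format below (magic, then
tag + 16-bit length + payload chunks) is made up for the example.
"""
import math
import random
from collections import Counter


def build_sample():
    """Constructed input: a small chunked file with a repeated header
    chunk, zero padding, a text string and a random (high-entropy) payload."""
    rng = random.Random(1234)                 # fixed seed: deterministic
    noise = bytes(rng.getrandbits(8) for _ in range(32))

    def chunk(tag, payload):
        return tag + len(payload).to_bytes(2, 'big') + payload

    return (b'FUZZ' + b'\x01\x02'
            + chunk(b'HDR ', b'\x00' * 16)
            + chunk(b'DATA', noise)
            + chunk(b'STR ', b'hello world\x00')
            + chunk(b'HDR ', b'\x00' * 16))


def dotplot(data, window=4):
    """Set of (i, j), i < j, where data[i:i+window] == data[j:j+window].
    Identical structures appear as diagonals off the main diagonal;
    runs of padding appear as solid blocks."""
    by_window = {}
    for i in range(len(data) - window + 1):
        by_window.setdefault(data[i:i + window], []).append(i)
    hits = set()
    for positions in by_window.values():
        for a, i in enumerate(positions):
            for j in positions[a + 1:]:
                hits.add((i, j))
    return hits


def longest_repeats(data, window=4, top=3):
    """Collapse diagonal runs of hits into (i, j, length) triples; the
    longest ones are repeated records worth fuzzing as a unit."""
    hits = dotplot(data, window)
    runs = []
    for i, j in hits:
        if (i - 1, j - 1) in hits:            # not the start of a run
            continue
        n = 0
        while (i + n, j + n) in hits:
            n += 1
        runs.append((i, j, n + window - 1))
    runs.sort(key=lambda r: (-r[2], r[0], r[1]))
    return runs[:top]


def entropy_profile(data, block=16):
    """Shannon entropy (bits per byte) of each block: near 0 is padding
    or repeated headers, near 8 is compressed or encrypted payload."""
    out = []
    for off in range(0, len(data), block):
        chunk = data[off:off + block]
        n = len(chunk)
        h = -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())
        out.append(round(h, 2))
    return out


def render(data, window=4, cell=8):
    """ASCII dot plot, one character per `cell` bytes on each axis."""
    size = (len(data) + cell - 1) // cell
    grid = [['.'] * size for _ in range(size)]
    for i, j in dotplot(data, window):
        grid[i // cell][j // cell] = '#'
        grid[j // cell][i // cell] = '#'
    return '\n'.join(''.join(row) for row in grid)


if __name__ == '__main__':
    sample = build_sample()
    print(render(sample))
    print('longest repeats (offset, offset, length):', longest_repeats(sample))
    print('entropy per 16-byte block:', entropy_profile(sample))
```

On the constructed file the longest diagonal is the 22-byte run starting at offsets 6 and 84, i.e. the two identical HDR chunks including their tag and length field, which is the record type a mutator should learn once and replay everywhere; the zero blocks read as 0.0 bits per byte and the DATA payload as close to 4 (the most 16 bytes can show), the region where structure-aware mutation beats random bit flipping.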
From: lmh at info-pull.com (Lance M. Havok)
Date: Fri, 9 Nov 2007 01:59:24 +0100
Subject: [Dailydave] Dangers of the daily life and Michael's trip to the DPRK

Today's story is certainly amusing. Who could imagine that boiling chicken can get your ass burnt out! Thankfully, thanks to the physical laws applying to gas propagation, I haven't been the victim of an explosion, but my eyebrows almost got busted. For a particularly hairy person like myself (I was called Bigfoot as a child, when I grew up I became known as the Chief Security Officer), a simple flame burst in a kitchen full of gas could have fatal consequences.

Boiling chicken (and turkey!) in fresh water could be a high risk task. Especially when you're lucky enough to have the flame exhausted by some water pouring out of the thing, and having the gas at maximum for about 45 minutes. You come back from praying the mandatory Quran pages of the day, and Allah turns over you! What a rude prick. The kitchen got new, old saloon style decoration. Like, demolished.

In other news, Michael (Myers, our very own tehshape) is on his way to the Democratic People's Republic of Korea, an awesome country, probably one of the most secure and non-bloated places on Earth. You don't have to worry about McDonalds, Burger King, and all those corrupt capitalistic mammoths that grow a shaky belly above your pants. Instead, all you have to do is have some rice plantations in the backyard, a couple pictures of the great Kim and a desire for righteous work and dedication to the Party and People.

For his visit, he has prepared a set of beautiful wallpapers to put on his laptop (he is Chinese in case someone wants to know, although we usually call him 'our friendly chink master of Windows arts').
These are available at:

http://info-pull.com/code/cissp_and_the_people.png
http://info-pull.com/code/cissp_and_the_people.jpg

The reason for designing these epic wallpapers is pretty obvious: he wants to gratefully surprise any Party officer that gently requests him to turn his laptop on and show that:

1) He doesn't run Microsoft software (communists use Linux and fascists have Apple Mac OS X).
2) He doesn't use Core Security Tech. software (communists don't like the South American communist posers, like Chavez).
3) He doesn't have pornography (generally, communists only like pornography if it's about Lenin).
4) He doesn't have a political agenda with either the United States government OR alleged exploit dealers that suck (communists don't like middle men offering bull crap).
5) He hasn't leaked any of their remote RPC 0day wuan-rez.
6) He uses AES (for great justice).

If any of you has visited the DPRK, please follow up. If not, then you should really consider not wasting money at Las Vegas and grab yourself a ticket! Do it quickly, you never know when some random country is gonna be freed from its oppressors! (as in wiped off the map and replaced with a Hooters franchise).

Have a good one!
From: dr at kyx.net (Dragos Ruiu)
Date: Thu, 8 Nov 2007 21:19:06 -0700
Subject: [Dailydave] CanSecWest 2008 CFP (deadline Nov 30, conf Mar 26-28) and PacSec Dojo's
Message-ID: <200711082019.06558.dr@kyx.net>

I'd like to congratulate Adam Laurie for winning the second Powerbook from the Pwn_to_Own contest as the prize for the best speaker rated by the audience for his presentation on RFID at CanSecWest 2007. We will have a similar prize for the best speaker at CanSecWest 2008, prize TBD (but we promise it will be cool - depending on what we find trawling through the electronics shops in Akihabara this year :).

**

The Security Masters Dojo courses available at PacSec in Tokyo on November 27/28 2007 have been updated. The final list is:

Ultimate Web Hacking - Yeng-Min Chen (Japanese)
Reverse Engineering - Yuji Ukai (Japanese)
The Exploit Laboratory - Saumil Shah (English)
Advanced Honeypot Tactics - Thorsten Holz (English)
Advanced Linux Hardening - Andrea Barisani (English)
Bugfinding with the Immunity Debugger - Nicolas Waisman & Kostya Kortchinski (English)
Practical 802.11 Wi-Fi (In)Security - Cedric Blancher (English)

**

CanSecWest 2008 CALL FOR PAPERS

VANCOUVER, Canada -- The ninth annual CanSecWest applied technical security conference - where the eminent figures in the international security industry will get together to share best practices and technology - will be held in downtown Vancouver at the Marriott Renaissance Harbourside on March 26-28, 2008. The most significant new discoveries about computer network hack attacks and defenses, commercial security solutions, and pragmatic real world security experience will be presented in a series of informative tutorials.
The CanSecWest meeting provides international researchers a relaxed, comfortable environment to learn from informative tutorials on key developments in security technology, and collaborate and socialize with their peers in one of the world's most scenic cities - a short drive away from one of North America's top skiing areas.

The CanSecWest conference will also feature the availability of the Security Masters Dojo expert network security sensei instructors, and their advanced, and intermediate, hands-on training courses - featuring small class sizes and practical application exercises to maximize information transfer.

We would like to announce the opportunity to submit papers, and/or lightning talk proposals for selection by the CanSecWest technical review committee. This year we will be doing one hour talks, and some shorter 20/30 minute talk sessions.

Please make your paper proposal submissions before November 30th, 2007. Some invited papers have been confirmed, but a limited number of speaking slots are still available. The conference is responsible for travel and accommodations for the speakers. If you have a proposal for a tutorial session then please email a synopsis of the material and your biography, papers and, speaking background to _secwest08_ at cansecwest.com (please remove _'s). Only slides will be needed for the March paper deadline, full text does not have to be submitted - but will be accepted if available.

The CanSecWest 2008 conference consists of tutorials on technical details about current issues, innovative techniques and best practices in the information security realm. The audiences are a multi-national mix of professionals involved on a daily basis with security work: security product vendors, programmers, security officers, and network administrators. We give preference to technical details and new education for a technical audience. The conference itself is a single track series of presentations in a lecture theater environment.
The presentations offer speakers the opportunity to showcase on-going research and collaborate with peers while educating and highlighting advancements in security products and techniques. The focus is on innovation, tutorials, and education instead of product pitches. Some commercial content is tolerated, but it needs to be backed up by a technical presenter - either giving a valuable tutorial and best practices instruction or detailing significant new technology in the products.

Paper proposals should consist of the following information:

1. Presenter, and geographical location (country of origin/passport) and contact info (e-mail, postal address, phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational experience/background.
5. Topic synopsis, Proposed paper title, and a one paragraph description.
6. Reason why this material is innovative or significant or an important tutorial.
7. Optionally, any samples of prepared material or outlines ready.
8. Will you have full text available or only slides?
9. Please list any other publications or conferences where this material has been or will be published/submitted.

Please include the plain text version of this information in your email as well as any file, pdf, odt, docx, ppt, odp, or html attachments.

Please forward the above information to _secwest08_ at cansecwest.com (remove _'s) to be considered for placement on the speaker roster, or have your lightning talk scheduled.

You can find more information at: http://pacsec.jp and http://cansecwest.com

The Vancouver Dojos will be held on March 24/25 and will be announced shortly.

cheers.
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan November 29/30 - 2007 http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp
From: dave at immunityinc.com (Dave aitel)
Date: Mon, 12 Nov 2007 06:03:21 -0500
Subject: [Dailydave] The long tail of vulnerable operating systems
Message-ID: <473832F9.8000909@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So every CTF I've played recently (like the one at CSI last week) has a target set of Windows 2000 and extremely old Linux (say, RedHat 8). I'm pretty sure that on any modern network you don't find a whole lot of either of these. There's always the people who still run NT4 and SCO OpenServer, but you have to look pretty far for them. But yet, no real remote exploits exist for Fedora Core 1, much less 7. Solaris has XFS and a few other remotes, but no one runs Solaris any more except the US Government, that I can tell. Even assuming you see some Solaris or AIX or whatever, you end up being so deep in the network already to find it that you've already got all the passwords and don't need exploits.

But old operating systems will continue to live forever in CTF, I assume.

Sort of as a sign of the times, while I was playing CTF on the Windows machine provided, I browsed the web briefly and my machine was immediately taken over by some really annoying spyware. So for the rest of the game I got to spend a lot of time clicking "close" on IE windows that kept popping up.

Anyways, if you want to chat about it or grieve the pain of lost 0day, and you live in London then you should come to Immunity Pub Night In London Saturday Nov 24 at 6pm at the Price Arthur 80-82 Eversholt Street. I'll put 200 quid on the bar to help you drown your sorrows. RSVP to admin at immunityinc.com!

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHODL5tehAhL0gheoRAr/lAJ0R5KiL+pV4rRfa40rG5jXFhV/cXQCfXXYe
P1VlnlQE5Uf6rDxcS2Pn0Zc=
=aU96
-----END PGP SIGNATURE-----
From: propolice at gmail.com (Eduardo Tongson)
Date: Mon, 12 Nov 2007 23:01:36 +0800
Subject: [Dailydave] The long tail of vulnerable operating systems
In-Reply-To: <473832F9.8000909@immunityinc.com>
References: <473832F9.8000909@immunityinc.com>

With protections like SSP, NX and ASLR on recent operating systems it's getting harder to compromise one via overflows. The favorite pwning vectors today are vulnerabilities in web applications and social engineering.

I hope the old RedHat with Wu-ftpd holes stays a favorite in CTF competitions. I got my first root with that classic combination.

Ed

On Nov 12, 2007 7:03 PM, Dave aitel wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> So every CTF I've played recently (like the one at CSI last week) has a target set of Windows 2000 and extremely old Linux (say, RedHat 8). I'm pretty sure that on any modern network you don't find a whole lot of either of these. There's always the people who still run NT4 and SCO OpenServer, but you have to look pretty far for them. But yet, no real remote exploits exist for Fedora Core 1, much less 7. Solaris has XFS and a few other remotes, but no one runs Solaris any more except the US Government, that I can tell. Even assuming you see some Solaris or AIX or whatever, you end up being so deep in the network already to find it that you've already got all the passwords and don't need exploits.
>
> But old operating systems will continue to live forever in CTF, I assume.
>
> Sort of as a sign of the times, while I was playing CTF on the Windows machine provided, I browsed the web briefly and my machine was immediately taken over by some really annoying spyware. So for the rest of the game I got to spend a lot of time clicking "close" on IE windows that kept popping up.
>
> Anyways, if you want to chat about it or grieve the pain of lost 0day, and you live in London then you should come to Immunity Pub Night In London Saturday Nov 24 at 6pm at the Price Arthur 80-82 Eversholt Street. I'll put 200 quid on the bar to help you drown your sorrows. RSVP to admin at immunityinc.com!
>
> - -dave

From: dudevanwinkle at gmail.com (Dude VanWinkle)
Date: Mon, 12 Nov 2007 11:18:03 -0400
Subject: [Dailydave] The long tail of vulnerable operating systems
In-Reply-To: <473832F9.8000909@immunityinc.com>
References: <473832F9.8000909@immunityinc.com>

On 11/12/07, Dave aitel wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> But old operating systems will continue to live forever in CTF, I assume.

I can just see it now:

Capture The Flag: Windows 98 edition: The real test is to defeat the opposing team before getting infected by an outside force..

-JP
From: tqbf at matasano.com (Thomas Ptacek)
Date: Mon, 12 Nov 2007 09:34:30 -0600
Subject: [Dailydave] The long tail of vulnerable operating systems
In-Reply-To: <473832F9.8000909@immunityinc.com>
References: <473832F9.8000909@immunityinc.com>
Message-ID: <1df0a410711120734i368d5b24n721b7e6b5043dfff@mail.gmail.com>

Data points, of which I'm guessing you'll soon be deluged in more:

We see extensive Solaris deployments. More Solaris than Fedora by far.

We see regular scattered Win2K deployments.

On Nov 12, 2007 5:03 AM, Dave aitel wrote:
> either of these. There's always the people who still run NT4 and SCO
> OpenServer, but you have to look pretty far for them. But yet, no real
> remote exploits exist for Fedora Core 1, much less 7. Solaris has XFS
> and a few other remotes, but no one runs Solaris any more except the US
> Government, that I can tell. Even assuming you see some Solaris or AIX

--
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log
From: lmh at info-pull.com (Lance M. Havok)
Date: Mon, 12 Nov 2007 17:08:58 +0100
Subject: [Dailydave] The long tail of vulnerable operating systems
References: <473832F9.8000909@immunityinc.com>

On 11/12/07, Eduardo Tongson wrote:
> With protections like SSP, NX and ASLR on recent operating systems its
> getting harder to compromise one via overflows. The favorite pwning
> vectors today are vulnerabilities in web applications and social
> engineering.

My favorite vector is 'positive discrimination'. I call their IT support department, saying that this bullshit NX does not let my game server software work properly, that ASLR is slowing down the stats calculation and causing problems with some weird pre-compiled binaries from ID3, and finally I claim that their Apache server is refusing to work because after an update it claims the '__guard' symbol ain't coming up. This all in a seriously desperate and exasperating manner, you guess.

Then they, as the neat guys they are, promptly proceed to deactivate this whole defense-in-depth crap in every single server of their customers' network, using a backdoor SSH service preinstalled on every dedicated server they rent. With a preinstalled key that is shared by all IT support members, who browse gay porno, brazilian zoo and other musings of the sick minds.

Somehow, at some point, the whole network is just fucking raped and they wonder how something like that could happen.

It's a universal truth that CTF games are for bragging about Packetstorm archives search skills. And some knowledge of compilation and GNU/Unbungu installation, too. Some elites use Gentoo with setuid fluxbox, but those are rare.

> I hope the old RedHat with Wu-ftpd holes stays a favorite in CTF
> competitions. I got my first root with that classic combination.

I got mine with OpenSSH key sharing, Itz liek teh mag1c!

XOXOXO

FREE LANCE - Save Lance from hanging!
"Save a true hacker's life today"
And be remembered as one of the few who stood against many!

From: steve.shockley at shockley.net (Steve Shockley)
Date: Mon, 12 Nov 2007 12:34:57 -0500
Subject: [Dailydave] The long tail of vulnerable operating systems
In-Reply-To: <473832F9.8000909@immunityinc.com>
References: <473832F9.8000909@immunityinc.com>
Message-ID: <47388EC1.4030508@shockley.net>

Dave aitel wrote:
> Sort of as a sign of the times, while I was playing CTF on the Windows
> machine provided, I browsed the web briefly and my machine was
> immediately taken over by some really annoying spyware. So for the rest
> of the game I got to spend a lot of time clicking "close" on IE windows
> that kept popping up.

So, not only was it a Win2k box, but it was an _unpatched_ Win2k box?
From: k8ek8e at gmail.com (Katie M)
Date: Mon, 12 Nov 2007 09:57:31 -0800
Subject: [Dailydave] The long tail of vulnerable operating systems
In-Reply-To: <473832F9.8000909@immunityinc.com>
References: <473832F9.8000909@immunityinc.com>

Hey Dave,

Lots of places have older OSes deployed, perhaps only internally as you mentioned, but companies are rife with them, and sometimes closer to the perimeter than you'd expect. On a consulting engagement, I met a Fortune 50 company that had a massive internal deployment of Windows 98 (yeah, I know, weird but here's why) because they had some biz critical crapplication that nearly everyone needed to use that would only run on Win98. I told them to hire some developers or interns or somebody, anybody, to rewrite the thing from scratch. :-)

Of course they and all those other places that run old OSes *should* welcome themselves into this millennium's operating systems -- we all agree there. No need to start arguing the obvious. But the point is that more than enough orgs (won't or) don't have the resources to upgrade (or to update) due to app compatibility. That's the reality and the reason why attacking older OSes at a CTF-like event is still pertinent and practical.

My 0.01 pence.

-Katie

On Nov 12, 2007 3:03 AM, Dave aitel wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> So every CTF I've played recently (like the one at CSI last week) has a target set of Windows 2000 and extremely old Linux (say, RedHat 8). I'm pretty sure that on any modern network you don't find a whole lot of either of these. There's always the people who still run NT4 and SCO OpenServer, but you have to look pretty far for them. But yet, no real remote exploits exist for Fedora Core 1, much less 7. Solaris has XFS and a few other remotes, but no one runs Solaris any more except the US Government, that I can tell.
> Even assuming you see some Solaris or AIX or whatever, you end up being so deep in the network already to find it that you've already got all the passwords and don't need exploits.
>
> But old operating systems will continue to live forever in CTF, I assume.
>
> Sort of as a sign of the times, while I was playing CTF on the Windows machine provided, I browsed the web briefly and my machine was immediately taken over by some really annoying spyware. So for the rest of the game I got to spend a lot of time clicking "close" on IE windows that kept popping up.
>
> Anyways, if you want to chat about it or grieve the pain of lost 0day, and you live in London then you should come to Immunity Pub Night In London Saturday Nov 24 at 6pm at the Price Arthur 80-82 Eversholt Street. I'll put 200 quid on the bar to help you drown your sorrows. RSVP to admin at immunityinc.com!
>
> - -dave
From: cseagle at redshift.com (Chris Eagle)
Date: Mon, 12 Nov 2007 11:26:19 -0800
Subject: [Dailydave] The long tail of vulnerable operating systems
In-Reply-To: <473832F9.8000909@immunityinc.com>
References: <473832F9.8000909@immunityinc.com>
Message-ID: <4738A8DB.3060604@redshift.com>

Dave aitel wrote:
>
> But old operating systems will continue to live forever in CTF, I assume.
>

Defcon CTF has used FreeBSD 5.4 in 2005, Solaris 10 in 2006, and FreeBSD 6.2 this year as the basis for the game. In each year, it has been all about the applications and not the O/S. Since it is spread over three days, they can do primarily binary apps.

The 6-8 hour university CTFs that go on these days tend to be primarily web apps with an occasional binary thrown in. These have used Debian, Gentoo, and Ubuntu though they either forget or choose not to disable things like ASLR.

The two day long Defcon qualifier that is run like a Jeopardy board is one of the more interesting challenges out there these days. They used OSX for one of their remotes this year.

Chris
From: grutz at jingojango.net (Kurt Grutzmacher)
Date: Tue, 13 Nov 2007 10:46:46 -0800
Subject: [Dailydave] The long tail of vulnerable operating systems
In-Reply-To:
References: <473832F9.8000909@immunityinc.com>
Message-ID: <34677d400711131046h754cda72rc53fec953335dfe2@mail.gmail.com>

You guys are absolutely right. In the past few years I've seen very few remote exploits that matter, but that doesn't mean the old Solaris, AIX and Win2K servers don't exist anymore. So many old PBX systems run UnixWare and are being connected to networks so the phone techs don't have to walk over to the phone room terminal to do adds/deletes. These are vendor-supported systems and usually don't get the same treatment that IT puts into the Active Directory, web servers, etc.

How many times have we heard from our friendly vendors "We don't support that. If you upgrade the software you'll be in violation and we won't support it." So you firewall it off and poke little holes for the tape admins to monitor the silo from the vendor's Solaris platform that really needs to run sadmind.

Web apps are the newest frontier for testing but they're just another layer that is usually finely tuned into the business process. How do you tell the customer their process is flawed or needs improvement because you were able to send an exe-disguised Word doc that was executed by 5% of the company?

Hmmm..

On Nov 12, 2007 7:01 AM, Eduardo Tongson wrote:
> With protections like SSP, NX and ASLR on recent operating systems it's
> getting harder to compromise one via overflows. The favorite pwning
> vectors today are vulnerabilities in web applications and social
> engineering.
>
> I hope the old RedHat with Wu-ftpd holes stays a favorite in CTF
> competitions. I got my first root with that classic combination.
>
> Ed

From dave at immunityinc.com Wed Nov 14 04:45:25 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Wed, 14 Nov 2007 04:45:25 -0500
Subject: [Dailydave] Korea!
Message-ID: <473AC3B5.8060903@immunityinc.com>

So I'm in Korea for the www.powerofcommunity.net conference. I like how all the computers in Korea use IE 6.0 and appear to come with Starcraft installed by default. Perhaps some future CTF can use a room full of people and you'll have to craft an email that convinces them to click on your link so you can client-side them.

One thing that was great about the CSI Capture the Flag was that they had a "viewing room" where someone gave a blow-by-blow presentation of what was happening during the attacks, based on a packet capture. This could be made even better by installing VNC on the target systems and having each of them viewable by the bystanders.

And before I forget - as a followup to the Larry Suto web scanner report, HP/SPI has released their own.

Full Report: http://portal.spidynamics.com/blogs/spilabs/attachment/71302.ashx
Intro: http://portal.spidynamics.com/blogs/spilabs/archive/2007/11/12/Analysis-of-Larry-Suto_2700_s-comparative-case-study.aspx

-dave

From darryl at snakegully.nu Wed Nov 14 05:25:16 2007
From: darryl at snakegully.nu (Darryl Luff)
Date: Wed, 14 Nov 2007 21:25:16 +1100
Subject: [Dailydave] The long tail of vulnerable operating systems
In-Reply-To:
References: <473832F9.8000909@immunityinc.com>
Message-ID: <473ACD0C.7050204@snakegully.nu>

>> So every CTF I've played recently (like the one at CSI last week) has a
>> target set of Windows 2000 and extremely old Linux (say, RedHat 8). I'm
>> pretty sure that on any modern network you don't find a whole lot of
>> either of these. There's always the people who still run NT4 and SCO
>> OpenServer, but you have to look pretty far for them. But yet, no real
>> remote exploits exist for Fedora Core 1, much less 7. Solaris has XFS
>> and a few other remotes, but no one runs Solaris any more except the US
>> Government, that I can tell. Even assuming you see some Solaris or AIX
>> or whatever, you end up being so deep in the network already to find it
>> that you've already got all the passwords and don't need exploits.
>>
>> But old operating systems will continue to live forever in CTF, I assume.
>>

I know at least three machines that were until the last year or so running Win95 or 98. And they seemed to be spotless. No sign of browser redirectors or other annoyances, and they'd been used on the Internet for years, though admittedly only on dialup. One was replaced a year or so ago with an XP machine that was within a couple of weeks infested with malware. The other two were eventually shut down still 'clean' as far as I know.

On the Linux side I know of a RedHat 6.3 machine which until about 6 months ago was a primary DNS server, running the standard RedHat-distributed bind and permanently online. It was shut down 'clean' too as far as I could tell.

The moral I guess is if you're going to use old OSes, use REALLY old ones. If someone really wants to get you they will, but the mass market infectors will probably pass you by.

Where did I put that stack of OS/2 floppies?

From krahmer at suse.de Wed Nov 14 04:45:56 2007
From: krahmer at suse.de (Sebastian Krahmer)
Date: Wed, 14 Nov 2007 10:45:56 +0100 (CET)
Subject: [Dailydave] The long tail of vulnerable operating systems
In-Reply-To: <34677d400711131046h754cda72rc53fec953335dfe2@mail.gmail.com>
References: <473832F9.8000909@immunityinc.com> <34677d400711131046h754cda72rc53fec953335dfe2@mail.gmail.com>
Message-ID:

On Tue, 13 Nov 2007, Kurt Grutzmacher wrote:

Hola,

There's one big mistake in thinking. Just because exploits do not show up on packetstorm or bugtraq anymore does not mean that they do not exist. You all should know that the fun of the 90's became professional somewhere in 2000.

And if one really thinks that nobody is using Solaris (except gov) anymore, one just doesn't know business and should retire :-) All big telcos and ISPs use Solaris for sure, and all the safety-critical systems use Unix in some way, let it be AIX, Solaris or of course Linux ;-)

If you are a bad guy and want to pwn one of the fortune50(0)'s you better have some Solaris, AIX and IRIX exploits in your bag ;-)

l8er,
S.

> You guys are absolutely right. In the past few years I've seen very few
> remote exploits that matter, but that doesn't mean the old Solaris, AIX and
> Win2K servers don't exist anymore. So many old PBX systems run UnixWare and
> are being connected to networks so the phone techs don't have to walk over
> to the phone room terminal to do adds/deletes. These are vendor-supported
> systems and usually don't get the same treatment that IT puts into the
> Active Directory, web servers, etc.
>
> How many times have we heard from our friendly vendors "We don't support
> that. If you upgrade the software you'll be in violation and we won't
> support it." So you firewall it off and poke little holes for the tape
> admins to monitor the silo from the vendor's Solaris platform that really
> needs to run sadmind.
>
> Web apps are the newest frontier for testing but they're just another layer
> that is usually finely tuned into the business process. How do you tell the
> customer their process is flawed or needs improvement because you were able
> to send an exe-disguised Word doc that was executed by 5% of the company?
>
> Hmmm..

--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer at suse.de - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

From adriel at netragard.com Wed Nov 14 13:54:02 2007
From: adriel at netragard.com (Adriel Desautels)
Date: Wed, 14 Nov 2007 13:54:02 -0500
Subject: [Dailydave] The long tail of vulnerable operating systems
In-Reply-To:
References: <473832F9.8000909@immunityinc.com>
Message-ID: <473B444A.7060905@netragard.com>

Katie,
The company with all of the old systems wouldn't be CFI by chance, would it?

Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Katie M wrote:
> Hey Dave,
> Lots of places have older OSes deployed, perhaps only internally as
> you mentioned, but companies are rife with them, and sometimes closer to
> the perimeter than you'd expect. On a consulting engagement, I met a
> Fortune 50 company that had a massive internal deployment of Windows 98
> (yeah, I know, weird but here's why) because they had some biz critical
> crapplication that nearly everyone needed to use that would only run on
> Win98. I told them to hire some developers or interns or somebody,
> anybody, to rewrite the thing from scratch. :-)
>
> Of course they and all those other places that run old OSes *should*
> welcome themselves into this millennium's operating systems -- we all
> agree there. No need to start arguing the obvious. But the point is
> that more than enough orgs (won't or) don't have the resources to
> upgrade (or to update) due to app compatibility. That's the reality and
> the reason why attacking older OSes at a CTF-like event is still
> pertinent and practical.
>
> My 0.01 pence.
>
> -Katie

From lmh at info-pull.com Wed Nov 14 10:22:25 2007
From: lmh at info-pull.com (Lance M. Havok)
Date: Wed, 14 Nov 2007 16:22:25 +0100
Subject: [Dailydave] The long tail of vulnerable operating systems
In-Reply-To:
References: <473832F9.8000909@immunityinc.com> <34677d400711131046h754cda72rc53fec953335dfe2@mail.gmail.com>
Message-ID:

Heil Krahmer! It's always good to hear back from mr. stealth :>

> There's one big mistake in thinking. Just because exploits do not show
> up on packetstorm or bugtraq anymore does not mean that they do not exist.
> You all should know that the fun of the 90's became professional
> somewhere in 2000.

We definitely agree on that one. Just because CVS exploits don't get stolen does not mean they were not stolen already. As my grandma used to say (may she rest in piss, or peace): take it easy, and let the good times roll.

> And if one really thinks that nobody is using Solaris (except gov)
> anymore, one just doesn't know business and should retire :-)
> All big telcos and ISPs use Solaris for sure, and all the safety-critical
> systems use Unix in some way, let it be AIX, Solaris or of course Linux
> ;-)

You must count everyone who uses Solaris for breaking it too; for example, we have iDefense as a great example of someone taking a profit from AIX exploits, apart from the East European juice mafia for banging ATMs.

> If you are a bad guy and want to pwn one of the fortune50(0)'s you
> better have some Solaris, AIX and IRIX exploits in your bag ;-)

Not really, if you want to pwn one of the Fortune 500 companies, you only need to be a Google shareholder. And again, let the Gmail times roll! (please note: back in the day, even Google's kitchen guy had shares at the company, the good old stock options and what not). Now they support IMAP.

BTW, don't good guys do Fortune penetrations? Because that's what a penetrator's job is all about. Hence why people buy CANVAS. The point is, why does having exploits make you a bad guy? Am I being naive about your message? We should all be tolerant towards others. Ambiguous morality is really weak and damn Cold War-style.

Let a hundred flowers bloom, let the hundred schools of thought contend; we are not enemies, but friends. And at the right time, I'll be there to support those who mow down the rising flowers, to set the hill back in order and peace for the people.

Lance, dreaming about spring.

From matt at use.net Wed Nov 14 12:25:42 2007
From: matt at use.net (Matt Hargett)
Date: Wed, 14 Nov 2007 09:25:42 -0800
Subject: [Dailydave] The long tail of vulnerable operating systems
In-Reply-To: <1df0a410711120734i368d5b24n721b7e6b5043dfff@mail.gmail.com>
References: <473832F9.8000909@immunityinc.com> <1df0a410711120734i368d5b24n721b7e6b5043dfff@mail.gmail.com>
Message-ID: <200711140925.42718.matt@use.net>

On Monday 12 November 07 07:34:30 Thomas Ptacek wrote:
> We see extensive Solaris deployments. More Solaris than Fedora by far.
>
> We see regular scattered Win2K deployments.

I know of at least 3 different companies here in the Silicon Valley that have NT 4.0 deployed and actively used. Unfortunately, Microsoft hasn't silently patched NT 4.0 SP6 for bugs like they have with Win2k SP4. (Well, the *English* version of Win2k SP4, anyways.)

I've seen some Win98 in state agencies, and my advice to them is always to see if it works with CrossOver or to pay the $2500 or whatever to get it working. None of the legacy apps, even under NT 4.0, do anything totally crazy that would prevent them from working in wine or a newer OS. In most cases the customer was told the app would only work on a certain OS, and either they never tried the app on a newer OS, or they tried it on a newer OS, had some issues, and didn't try to debug what went wrong. (In one case, they tested under WinXP and it didn't work because they only copied the EXE and not the supporting DLLs.)

Most of these places still using NT 4.0 or Win2k are just migrating to Linux because they are tired of MS abandoning them every time they have a new OS to sell. The exception, of course, was XP SP2, which did a wonderful job of incorporating a lot of fixes and new technologies to help stem exploitation. Here's hoping they recompile the whole OS again using the latest and greatest compiler tech from Vista for XP/Win2003 SP3.

From k8ek8e at gmail.com Wed Nov 14 14:48:45 2007
From: k8ek8e at gmail.com (Katie M)
Date: Wed, 14 Nov 2007 11:48:45 -0800
Subject: [Dailydave] The long tail of vulnerable operating systems
In-Reply-To: <473B444A.7060905@netragard.com>
References: <473832F9.8000909@immunityinc.com> <473B444A.7060905@netragard.com>
Message-ID:

What is this, full disclosure? I thought we were on DailyDave! ;-)
No, it wasn't them and I won't tell who since they were my client and I am under NDA.

The point of my post wasn't to expose any particular company, but to comment that older OSes, less-than-fully-patched current OSes, and other older software are still very relevant in terms of security today. We not only need to remember the exploits, but also look for practical ways to protect what is really out there.

-Katie.

On 11/14/07, Adriel Desautels wrote:
> Katie,
> The company with all of the old systems wouldn't be CFI by chance, would it?
>
> Regards,
> Adriel T. Desautels
> Chief Technology Officer
> Netragard, LLC.
> Office : 617-934-0269
> Mobile : 617-633-3821
> http://www.linkedin.com/pub/1/118/a45
>
> ---------------------------------------------------------------
> Netragard, LLC - http://www.netragard.com - "We make IT Safe"
> Penetration Testing, Vulnerability Assessments, Website Security

From adriel at netragard.com Wed Nov 14 15:33:23 2007
From: adriel at netragard.com (Adriel Desautels)
Date: Wed, 14 Nov 2007 15:33:23 -0500
Subject: [Dailydave] The long tail of vulnerable operating systems
In-Reply-To:
References: <473832F9.8000909@immunityinc.com> <473B444A.7060905@netragard.com>
Message-ID: <473B5B93.5060609@netragard.com>

Katie,
I wasn't attempting to act like n3td3v, I apologize.

With regards to protecting what is out there, from my perspective there is only one way to do it. Understand the threat by collecting real threat intelligence and perform security assessments using the same caliber of attacks/tests as the threat. Use the product of those tests to create a solution to any issues discovered and retest to validate the solution. Also, use security companies that produce deliverables that are the product of human talent as opposed to automated tools and scanners. Automated scanners are very useful for time savings, etc... but not good enough to produce truly complete and accurate results.

While you're at it, check out OSSEC... I've been playing with it and it's pretty neat, especially if you configure it as an IPS and let it read your snort logs, etc.

Was that more in line or am I still way off topic? ;]

Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Katie M wrote:
> What is this, full disclosure? I thought we were on DailyDave! ;-)
> No, it wasn't them and I won't tell who since they were my client and
> I am under NDA.
>
> The point of my post wasn't to expose any particular company, but to
> comment that older OSes, less-than-fully-patched current OSes, and
> other older software are still very relevant in terms of security
> today. We not only need to remember the exploits, but also look for
> practical ways to protect what is really out there.
>
> -Katie.
Name: adriel.vcf Type: text/x-vcard Size: 298 bytes Desc: not available Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20071114/816d0e9d/attachment.vcf -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 186 bytes Desc: OpenPGP digital signature Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20071114/816d0e9d/attachment.pgp From DAVID.G.WESTON at saic.com Wed Nov 14 16:57:35 2007 From: DAVID.G.WESTON at saic.com (Weston, David G.) Date: Wed, 14 Nov 2007 13:57:35 -0800 Subject: [Dailydave] The long tail of vulnerable operating systems References: <473832F9.8000909@immunityinc.com> Message-ID: I agree with Dave that a CTF event with 2k, rh7, etc... is rather silly. That type of deployment is just fine when your training newb pen testers or demonstrating concepts. But, isn't the point of having a CTF at a conference to make it a competition/showcase? I know I personally consider qualifying for a Kenshoto run CTF like Defcon a huge statement about the skill of the participants and creates a reputation for the competition itself. I always thought a nice challenge would be to deploy known exploitable services on boxes with ASLR, N^X, heap and stack canaries, etc... It takes a fair bit of skill implement new protection bypass techniques to old exploits in a CTF environment/timeframe. We can all enjoy a game of basketball in the park but we *pay* to watch the knicks (well we used to anyway!) Thanks, David Weston Security Engineer SAIC -----Original Message----- 
From: dailydave-bounces at lists.immunitysec.com on behalf of Katie M
Sent: Mon 11/12/2007 9:57 AM
To: Dave aitel
Cc: Dailydave at lists.immunitysec.com
Subject: Re: [Dailydave] The long tail of vulnerable operating systems

Hey Dave,

Lots of places have older OSes deployed, perhaps only internally as you mentioned, but companies are rife with them, and sometimes closer to the perimeter than you'd expect. On a consulting engagement, I met a Fortune 50 company that had a massive internal deployment of Windows 98 (yeah, I know, weird but here's why) because they had some biz critical crapplication that nearly everyone needed to use that would only run on Win98. I told them to hire some developers or interns or somebody, anybody, to rewrite the thing from scratch. :-)

Of course they and all those other places that run old OSes *should* welcome themselves into this millennium's operating systems -- we all agree there. No need to start arguing the obvious. But the point is that more than enough orgs (won't or) don't have the resources to upgrade (or to update) due to app compatibility. That's the reality and the reason why attacking older OSes at a CTF-like event is still pertinent and practical.

My 0.01 pence.
-Katie

On Nov 12, 2007 3:03 AM, Dave aitel wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> So every CTF I've played recently (like the one at CSI last week) has a
> target set of Windows 2000 and extremely old Linux (say, RedHat 8). I'm
> pretty sure that on any modern network you don't find a whole lot of
> either of these. There's always the people who still run NT4 and SCO
> OpenServer, but you have to look pretty far for them. But yet, no real
> remote exploits exist for Fedora Core 1, much less 7. Solaris has XFS
> and a few other remotes, but no one runs Solaris any more except the US
> Government, that I can tell. Even assuming you see some Solaris or AIX
> or whatever, you end up being so deep in the network already to find it
> that you've already got all the passwords and don't need exploits.
>
> But old operating systems will continue to live forever in CTF, I assume.
>
> Sort of as a sign of the times, while I was playing CTF on the Windows
> machine provided, I browsed the web briefly and my machine was
> immediately taken over by some really annoying spyware. So for the rest
> of the game I got to spend a lot of time clicking "close" on IE windows
> that kept popping up.
>
> Anyways, if you want to chat about it or grieve the pain of lost 0day,
> and you live in London then you should come to Immunity Pub Night In
> London Saturday Nov 24 at 6pm at the Price Arthur 80-82 Eversholt
> Street. I'll put 200 quid on the bar to help you drown your sorrows.
> RSVP to admin at immunityinc.com!
>
> - -dave
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFHODL5tehAhL0gheoRAr/lAJ0R5KiL+pV4rRfa40rG5jXFhV/cXQCfXXYe
> P1VlnlQE5Uf6rDxcS2Pn0Zc=
> =aU96
> -----END PGP SIGNATURE-----
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

From dan at geer.org Wed Nov 14 17:02:12 2007
From: dan at geer.org (dan at geer.org) Date: Wed, 14 Nov 2007 17:02:12 -0500 Subject: [Dailydave] The long tail of vulnerable operating systems In-Reply-To: Your message of "Wed, 14 Nov 2007 21:25:16 +1100." <473ACD0C.7050204@snakegully.nu> Message-ID: <20071114220212.E3D9533C51@absinthe.tinho.net> | | One was replaced a year or so ago with an XP machine that was within a | couple of weeks infested with malware. The other two were eventually | shut down still 'clean' as far as I know. | As I understand the numbers, attacks peak at one rev level off current. Ipso facto, either keep up or fall way behind. Sort of like nature -- stay in the body of the herd or hide in the bush but don't be the tail end of the great mass of animals; that's where the predators hunt. --dan From dave at immunityinc.com Thu Nov 15 18:13:59 2007 
From: dave at immunityinc.com (Dave Aitel) Date: Thu, 15 Nov 2007 18:13:59 -0500 Subject: [Dailydave] Poc 2007 notes Message-ID: <473CD2B7.4090505@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 So yesterday there were quite a few talks - POC starts early and goes fairly late. I feel bad for the translators because the English speaking presenters tend to get nervous (myself included) and burn through their first 15 slides at a crazy clip before settling down into a staccato approach more suitable for simul-translation. If I understood correctly, one of the things we saw yesterday is that you can put a server: header into a HTTP response to Nessus 3.0 and get CSS, much like someone did to SILICA. According to the presentation the filtering is a bit broken, so this is still possible - and by using Java you get command execution out of it, so it's reasonably useful in some rare situations. Today there's a VMWare talk I'm looking forward to, but there won't be any 0day technical details, just a demo. - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHPNK3tehAhL0gheoRAn6wAJ9kZYNsVN8qWfQKSkWSriU0bdIyCQCfUkGx Ciy+Y+/qiG6TAoXG0oZUXRk= =1RwT -----END PGP SIGNATURE----- From dave at immunityinc.com Fri Nov 16 04:55:23 2007 
From: dave at immunityinc.com (Dave Aitel)
Date: Fri, 16 Nov 2007 04:55:23 -0500
Subject: [Dailydave] POC 2007 notes v 2
Message-ID: <473D690B.4090401@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There were a lot of good talks today - in particular GilGil's talk on a new tool, in the same vein as Cain and Abel, called SnoopSpy2 (which he just open-sourced)[1].

Likewise the talk on Bios and VMWare vulnerabilities was interesting. Sun Bing had one demo where he got local Administrator on an XP SP2 guest by using a VMWare vulnerability (unreleased). He also had several guest->host escape techniques (VMWare dying due to memory access failures and such) - no working PoC here, just crashes. He said (via translator, so it's possible there was confusion) that his bugs only affected VMWare Workstation and not VMWare ESX. The Bios tricks were interesting as well - essentially they were documentation on how to install useful Bios rootkits or perform a really annoying DoS by flipping one of the hardware bits (would require complete power drain to reset).

- -dave

[1] http://gilgil.springnote.com/pages/567395

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHPWkLtehAhL0gheoRAtVZAJ41xve/lXF/Z9CjLpoAFPZuJRrtWQCfXZ2T
YytiSSkIQG8UzIRFoRhzOZs=
=5Nbx
-----END PGP SIGNATURE-----

From joanna at invisiblethings.org Fri Nov 16 06:06:15 2007
From: joanna at invisiblethings.org (Joanna Rutkowska)
Date: Fri, 16 Nov 2007 12:06:15 +0100
Subject: [Dailydave] POC 2007 notes v 2
In-Reply-To: <473D690B.4090401@immunityinc.com>
References: <473D690B.4090401@immunityinc.com>
Message-ID: <473D79A7.7070901@invisiblethings.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dave Aitel wrote:
> Likewise the talk on Bios and VMWare vulnerabilities was interesting.
> Sun Bing had one demo where he got local Administrator on an XP SP2
> guest by using a VMWare vulnerability (unreleased).

On a *guest*? Are you saying it was a host->guest "attack"? If so, there are like millions of ways to do that, and neither of them requires any vulnerability in a VMM... It's just, that in case of any type II VMM, if you're on the host, you can do anything you want with the guest, no big deal. Or am I missing something?

> He also had several guest->host escape techniques (VMWare dieing due
> to memory access failures and such) - no working PoC here, just
> crashes.

We saw many bugs in various VMMs -- just a couple of references:

* A paper from Tavis Ormandy (Google) on how most VMMs couldn't (over the time when the paper was written) properly handle many non-standard I/Os and also properly parse some instructions (April 2007),
* Two interesting bugs by Rafal Wojtczuk affecting VMWare and Virtual MS Server products that could potentially allow for guest escape (September 2007),
* A bug by Joris van Rantwijk affecting Xen 3, that allows for code execution in dom0 from any other domain (September 2007).

This is all very good and interesting -- it's a very valuable argument in convincing people that hypervisors (VMMs) should be extremely thin. And thin means just a few thousand LOC, not 3MB of code (Hi 3i!). After all the industry didn't want to adopt the micro-kernel approach and we all pay the price today (all those rootkits, etc), so at least let's try not to make the same mistake again with VMMs...
However, I can't really understand why people go to a conference and show a bunch of non-exploitable (by them) bugs without even giving any details of the bug itself... Is it like: "Hey, I can use I/O fuzzer!"? Or maybe I'm too conservative? (getting old and stuff)? :) > The Bios tricks were interesting as well - essentially > they were documentation on how to install useful Bios rootkits or > perform a really annoying DoS by flipping one of the hardware bits > (would require complete power drain to reset). Can you elaborate more on this and how that relates to what John Heasman showed at BH Federal in 2006? joanna. -----BEGIN PGP SIGNATURE----- iQEVAwUBRz15pcwG7MOLAMOlAQJWCwf/dMJfCR9OWzZctlPLOgEN1rJGsaE+2SIQ 09xDiWXMBeJYJGLFsc2OmGDO+PRK8VgdY/sr2zlzIByBHL5z41ilUJO8BjN9+vvB lD8KcP1U9uCvnp08suSE0JrsQ2CD81OAHOL/4I5bQOlS1rT65SEK9Aft8rKNriKN BrG3Ck5oF6YXJyTkX0veR7V2tmtxxJqvHX/U67PAT+QY5rAMypQTEQzvhrWIHCb3 DkQbYPvoWZqLMP+Anah/igxWxkV55KJQ2WWIIJVhgx0m5kEJ9Djl+o7L+x9wfrMx E8cUGWg+ht4fPDyO9geqwzLsQKt+1FXF2WvlS3TcnNRwtqFgucaLqQ== =D8lR -----END PGP SIGNATURE----- From dave at immunityinc.com Fri Nov 16 15:12:18 2007 
From: dave at immunityinc.com (Dave Aitel)
Date: Fri, 16 Nov 2007 15:12:18 -0500
Subject: [Dailydave] POC 2007 notes v 2
In-Reply-To: <473D79A7.7070901@invisiblethings.org>
References: <473D690B.4090401@immunityinc.com> <473D79A7.7070901@invisiblethings.org>
Message-ID: <473DF9A2.3080506@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joanna Rutkowska wrote:
> Dave Aitel wrote:
>> Likewise the talk on Bios and VMWare vulnerabilities was interesting.
>> Sun Bing had one demo where he got local Administrator on an XP SP2
>> guest by using a VMWare vulnerability (unreleased).
>
> On a *guest*? Are you saying it was a host->guest "attack"? If so, there
> are like millions of ways to do that, and niether of them requires any
> vulnerability in a VMM... It's just, that in case of any type II VMM, if
> you're on the host, you can do anything you want with the guest, no big
> deal. Or am I missing something?
>

I think an unprivileged guest user attack against VMs running under the root user would be somewhat interesting, but that's not what he was doing here. He ran XP SP2 as a VMWare Guest. Then inside that VM, he had a user "unpriv" which was not in the administrators group. Then he ran "VMexp.exe" as unpriv and all of a sudden unpriv was in the administrators group. According to the slides this bug is exploitable remotely via SMB as well. So there must be some sort of RPC or mailbox or file endpoint you get to touch.

>
>> The Bios tricks were interesting as well - essentially
>> they were documentation on how to install useful Bios rootkits or
>> perform a really annoying DoS by flipping one of the hardware bits
>> (would require complete power drain to reset).
>
> Can you elaborate more on this and how that relates to what John Heasman
> showed at BH Federal in 2006?

According to his talk you flip the TOP_SWAP bit (using his SetTopSwap.exe as Admin).
This causes the Intel south bridge to do memory mapping on the Bios memory area differently, and (among other things) means that if you reboot, the Bios will be "invalid" until the CMOS battery powers all the way down, which will reset the bit. Or something. Next time you need to come to Power Of Community so you won't have to see the talks through my befuddled jet lagged mind. - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHPfmitehAhL0gheoRApohAJ4wW4UwkUN00H2RrhjPjCrVXhL1PgCdGFPH n+44trBQZhMCfrZc0sbgggY= =W2VV -----END PGP SIGNATURE----- From joe at learnsecurityonline.com Fri Nov 16 20:43:28 2007 
From: joe at learnsecurityonline.com (Joseph McCray)
Date: Fri, 16 Nov 2007 20:43:28 -0500
Subject: [Dailydave] The long tail of vulnerable operating systems
In-Reply-To:
References:
Message-ID: <1195263808.10368.72.camel@LinuxLaptop>

Being someone that actually hosts CTFs as well as having come up in the good old days of RootHack.org, PullThePlug.org, and competed in the CTFs at Def Con - I would say that you probably see a lot of CTFs with old OSs because:

1. Oftentimes competitors have a difficult enough time just compromising that stuff.

2. Katie's point about old OSs, and crapplications still deployed in a lot of companies is true and will never change. If it ever does then we won't have jobs anymore.

3. Hacking is changing. Web app/client-side/reverse engineering is really what's going on now and it's hard to put together a CTF with that type of stuff. A really high skill level is required to set up and score the game, and a high skill level is required of the participants just to play.

4. The bottom line is -- it's an awful lot of work to put together a complex network of modern OSs, and apps that are still vulnerable to something, set up a scoring system that actually works in that complex of an environment to see that you only have a few participants that lack the skill to exploit even the simple stuff you put out there.

In my experience the people that have skill, and do this everyday for a job really don't play very often. People get up for the big CTFs like the one at Def Con because it's once a year and basically because there really isn't that level of competition anywhere else in the world.

If you are really looking for some CTFs that are hard core - meaning no Nessus, no Metasploit, real hacking (web app/custom binary exploitation/reverse engineering type stuff) you are probably going to be left with Def Con's CTF, and probably HITB Con's CTF.

If you are looking for CTFs that aren't quite to the Def Con/HITB Con kind of level, but are just running newer OSs and apps I can't really think of anything free and open to the public to be honest. You'll probably end up setting up something yourself if that's the kind of CTF you want.

Hope this helps....

--
Joe McCray
Toll Free: 1-866-892-2132
Email: joe at learnsecurityonline.com
Web: https://www.learnsecurityonline.com

Learn Security Online, Inc.
* Security Games * Simulators * Challenge Servers * Courses * Hacking Competitions * Hacklab Access

"The only thing worse than training good employees and losing them is NOT training your employees and keeping them." - Zig Ziglar

From rodrigo at kernelhacking.com Sat Nov 17 09:46:34 2007
From: rodrigo at kernelhacking.com (Rodrigo Rubira Branco (BSDaemon))
Date: Sat, 17 Nov 2007 14:46:34 -0000
Subject: [Dailydave] POC 2007 notes v 2
Message-ID: <20071117164634.C86E18BD96@mail.fjaunet.com.br>

I had the opportunity to meet Sun Bing at Xcon and VnSec this year and saw his talk about BIOS rootkits. The hardware bits you said are the TOP_SWAP register, used in BIOS updates to guard against a power failure during the update.

cya,

Rodrigo (BSDaemon).

--
http://www.kernelhacking.com/rodrigo
Kernel Hacking: If i really know, i can hack
GPG KeyID: 1FCEDEA1

--------- Original Message --------
From: Dave Aitel
To: dailydave at lists.immunityinc.com
Subject: [Dailydave] POC 2007 notes v 2
Date: 16/11/07 07:20

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> There were a lot of good talks today - in particular GilGil's talk on a
> new tool, in the same vein as Cain and Abel, called SnoopSpy2 (which he
> just open-sourced)[1].
>
> Likewise the talk on Bios and VMWare vulnerabilities was interesting.
> Sun Bing had one demo where he got local Administrator on an XP SP2
> guest by using a VMWare vulnerability (unreleased). He also had several
> guest->host escape techniques (VMWare dying due to memory access
> failures and such) - no working PoC here, just crashes. He said (via
> translator, so it's possible there was confusion) that his bugs only
> affected VMWare Workstation and not VMWare ESX. The Bios tricks were
> interesting as well - essentially they were documentation on how to
> install useful Bios rootkits or perform a really annoying DoS by
> flipping one of the hardware bits (would require complete power drain to
> reset).
>
> - -dave
>
> [1] http://gilgil.springnote.com/pages/567395
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFHPWkLtehAhL0gheoRAtVZAJ41xve/lXF/Z9CjLpoAFPZuJRrtWQCfXZ2T
> YytiSSkIQG8UzIRFoRhzOZs=
> =5Nbx
> -----END PGP SIGNATURE-----
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

From version5 at gmail.com Sat Nov 17 12:46:00 2007
From: version5 at gmail.com (nnp)
Date: Sat, 17 Nov 2007 09:46:00 -0800
Subject: [Dailydave] Exploiting single NUL byte writes in XP SP2 - Is it possible?
Message-ID: <28749c0e0711170946m5ae7f8a6q518ad3b30d574f0b@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well this seemed like as good a place as any to ask this, so here goes. Is it possible to exploit a single NUL byte write in XP SP2? I can write the NUL byte anywhere but for the life of me I can't think of any way to get code execution from this. As far as I can tell to exploit this I would need to be able to get data I control within 255 bytes of an address that's called and then zero out the LSB and that just doesn't seem possible in Windows.

Anyone have a better (and by better I mean even remotely possible ;) ) way to exploit this?

Cheers,
nnp

- --
http://www.smashthestack.org
http://www.unprotectedhex.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: http://firegpg.tuxfamily.org

iD8DBQFHP5gbbP10WPHfgnQRApGAAKC5RxEb1ee6QZajG+bcAueQswRThQCeMw2M
eNI99JiK94RxBry5fgFnugU=
=Zkjg
-----END PGP SIGNATURE-----

From shadown at gmail.com Sat Nov 17 20:13:40 2007
From: shadown at gmail.com (shadown)
Date: Sun, 18 Nov 2007 02:13:40 +0100
Subject: [Dailydave] Exploiting single NUL byte writes in XP SP2 - Is it possible?
In-Reply-To: <28749c0e0711170946m5ae7f8a6q518ad3b30d574f0b@mail.gmail.com>
References: <28749c0e0711170946m5ae7f8a6q518ad3b30d574f0b@mail.gmail.com>
Message-ID: <473F91C4.5050909@gmail.com>

Hi nnp,

I don't know what exactly the situation is that you have there, but you could influence: sfp (saved frame pointer, EBP of the caller), some function pointer, some handle, some SEH, the heap header of some chunk whose location you know and whose content you control (if previous heap massaging is possible), some reference counter that could trigger something you can further exploit, some dynamic DACL; you just have to be a bit creative depending on what you have in front of you.

When you say a single NULL byte write anywhere, it's not just an offset within 255 bytes of an address; it depends on the BYTE you modify of a given address 0xAABBCCDD (if you overwrite an address, of course). If you modify the least significant byte, then yes, it is within the 255, otherwise it is not, and the resulting address MAY fall within a range of memory whose contents you can control.

Depending on what you can influence it may be possible to exploit remotely; if you have a memory leak, if you can do heap massaging, if the exception after writing is handled, it helps a lot, etc.

My 2 cents.

Cheers,
Sergio

nnp wrote:
> Well this seemed like as good a place as any to ask this, so here
> goes. Is it possible to exploit a single NUL byte write in XP SP2? I
> can write the NUL byte anywhere but for the life of me I can't think
> of any way to get code execution from this. As far as I can tell to
> exploit this I would need to be able to get data I control within 255
> bytes of an address that's called and then zero out the LSB and that
> just doesn't seem possible in Windows.
> > Anyone have a better (and by better I mean even remotely possible ;) ) > way to exploit this? > > Cheers, > nnp > _______________________________________________ Dailydave mailing list Dailydave at lists.immunitysec.com http://lists.immunitysec.com/mailman/listinfo/dailydave From smaillist at gmail.com Sun Nov 18 01:18:48 2007 From: smaillist at gmail.com (Sowhat) Date: Sun, 18 Nov 2007 14:18:48 +0800 Subject: [Dailydave] Vulnerability Hash Database - Maillist Message-ID: Hi All I have created a Google Groups named "Vulnerability Hash Database", for fun ;) I think I do not need to explain more about what it is used for. Welcome to post your hashes of vulnerability/POC to this list. You can visit this maillist @ http://groups.google.com/group/vulnhashdb To subscribe to this maillist, please send email to vulnhashdb-subscribe at googlegroups.com or go to the following webpage: http://groups.google.com/group/vulnhashdb/subscribe?hl=en Comments and suggestions are welcome! -- Sowhat http://secway.org "Life is like a bug, Do you know how to exploit it ?" From dave at immunityinc.com Sun Nov 18 17:53:02 2007 
From: dave at immunityinc.com (Dave Aitel) Date: Sun, 18 Nov 2007 17:53:02 -0500 Subject: [Dailydave] "Chinese is like Unix" Message-ID: <4740C24E.9020006@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yesterday I hung out with a Chinese hacker and learned some Chinese. You can pipe words together. Hacker, for example, is "Dark guest" which is exactly what hacking is, weirdly enough. Rocket[1] is Fire Arrow, train is Fire Car, etc. Maybe next I'll learn to write my Windows shellcode in C like the Chinese do. :> I really planned to eat a scorpion while I was here, but it's probably not a GOOD idea. We'll see if I have the cojones today :> - -dave [1] For the tykes! http://www.nigelsecostore.com/acatalog/Rocket.html#aPPTR -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHQMJOtehAhL0gheoRAjVpAJ9xaFUbFrpZc0psiUudmCcMwnlmzQCeKdIJ 2B3lLqav5CXRIKgFlsAa0fc= =FslY -----END PGP SIGNATURE----- From cseagle at redshift.com Sun Nov 18 21:28:00 2007 From: cseagle at redshift.com (Chris Eagle) Date: Sun, 18 Nov 2007 18:28:00 -0800 Subject: [Dailydave] "Chinese is like Unix" In-Reply-To: <4740C24E.9020006@immunityinc.com> References: <4740C24E.9020006@immunityinc.com> Message-ID: <4740F4B0.6030400@redshift.com> Dave Aitel wrote: > Maybe next I'll learn to write my Windows shellcode in C like the > Chinese do. :> Please do, then you can stop giving me shit for being a C throw back :) Chris From lmiras at gmail.com Mon Nov 19 01:00:30 2007 
From: lmiras at gmail.com (Luis Miras) Date: Sun, 18 Nov 2007 22:00:30 -0800 Subject: [Dailydave] "Chinese is like Unix" In-Reply-To: <4740C24E.9020006@immunityinc.com> References: <4740C24E.9020006@immunityinc.com> Message-ID: During Xcon, I ate silk worm. They weren't necessarily good or bad. Then again, when else am I going to eat silk worm? When else are you going to eat scorpion? Besides, what can possibly go wrong :) On Nov 18, 2007 2:53 PM, Dave Aitel wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Yesterday I hung out with a Chinese hacker and learned some Chinese. You > can pipe words together. Hacker, for example, is "Dark guest" which is > exactly what hacking is, weirdly enough. Rocket[1] is Fire Arrow, train > is Fire Car, etc. > > Maybe next I'll learn to write my Windows shellcode in C like the > Chinese do. :> > > I really planned to eat a scorpion while I was here, but it's probably > not a GOOD idea. We'll see if I have the cojones today :> > > - -dave > [1] For the tykes! http://www.nigelsecostore.com/acatalog/Rocket.html#aPPTR > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.6 (GNU/Linux) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQFHQMJOtehAhL0gheoRAjVpAJ9xaFUbFrpZc0psiUudmCcMwnlmzQCeKdIJ > 2B3lLqav5CXRIKgFlsAa0fc= > =FslY > -----END PGP SIGNATURE----- > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave > From rodrigo at kernelhacking.com Mon Nov 19 16:15:07 2007 
From: rodrigo at kernelhacking.com (Rodrigo Rubira Branco (BSDaemon))
Date: Mon, 19 Nov 2007 21:15:07 -0000
Subject: [Dailydave] H2HC Materials
Message-ID: <20071119231507.97B178BFBA@mail.fjaunet.com.br>

For those who are interested in knowing more about the H2HC conference, the presentation materials are now online at http://www.h2hc.org.br/repositorio.php

cya,

Rodrigo (BSDaemon).

--
http://www.kernelhacking.com/rodrigo
Kernel Hacking: If i really know, i can hack
GPG KeyID: 1FCEDEA1

From dave at immunityinc.com Mon Nov 19 18:56:41 2007
From: dave at immunityinc.com (Dave Aitel) Date: Mon, 19 Nov 2007 18:56:41 -0500 Subject: [Dailydave] Incredible optimism and bee pupae Message-ID: <474222B9.2070307@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Packing up and heading out to Vienna for Deepsec. Same slides as Poc2007, but a very different talk I think. The audience[1] really does change what you say. I have another slidepack (BeyondFastFlux.odp) in beta form we might just post on our website that details our client-side framework. The goals of a good client-side framework are very different from a hacking framework. I ran it by some of the people here in .cn and they liked it, so after deepsec I'll polish it up and we'll post it and see what the world thinks. Essentially we believe it is entirely possible to manage a million owned hosts in a covert and un-disruptable manner. Of course, the fact that we're working on this shows our incredible optimism that the stream of IE bugs will continue. :> - -dave [1] http://picasaweb.google.com/dave.aitel/Beijing2007/photo#5134689611907704098 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHQiK5tehAhL0gheoRAoG5AJ9uNH5tDaNJ5g9YWSPArrD8h++xGACdG3wB kqCMSy5OiG8vyPNgly/kvi4= =I5K5 -----END PGP SIGNATURE----- From benny.tsai at gmail.com Tue Nov 20 19:47:53 2007 
From: benny.tsai at gmail.com (Benny Tsai) Date: Tue, 20 Nov 2007 19:47:53 -0500 Subject: [Dailydave] "Chinese is like Unix" In-Reply-To: <4740C24E.9020006@immunityinc.com> References: <4740C24E.9020006@immunityinc.com> Message-ID: If the Chinese phrase for "hacker" is what I think it is (did it sound like "Hei ke"?), not only did they find words that match "hacker" in meaning, but they also sound quite close to the English word. Usually you have to pick between getting close in meaning or sound, so it's cool to get both in this instance. Another nice one is the Chinese word for Coca Cola, which sounds close to the English term and has a meaning roughly equal to "delicious happiness" :) On Nov 18, 2007 5:53 PM, Dave Aitel wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Yesterday I hung out with a Chinese hacker and learned some Chinese. You > can pipe words together. Hacker, for example, is "Dark guest" which is > exactly what hacking is, weirdly enough. Rocket[1] is Fire Arrow, train > is Fire Car, etc. > > Maybe next I'll learn to write my Windows shellcode in C like the > Chinese do. :> > > I really planned to eat a scorpion while I was here, but it's probably > not a GOOD idea. We'll see if I have the cojones today :> > > - -dave > [1] For the tykes! http://www.nigelsecostore.com/acatalog/Rocket.html#aPPTR > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.6 (GNU/Linux) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQFHQMJOtehAhL0gheoRAjVpAJ9xaFUbFrpZc0psiUudmCcMwnlmzQCeKdIJ > 2B3lLqav5CXRIKgFlsAa0fc= > =FslY > -----END PGP SIGNATURE----- > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave > From dave at immunityinc.com Wed Nov 21 13:57:36 2007 
From: dave at immunityinc.com (Dave Aitel) Date: Wed, 21 Nov 2007 13:57:36 -0500 Subject: [Dailydave] London Immunity Shindig Saturday November 24 Message-ID: <47447FA0.3080109@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 We changed the venue! So write this one down instead. What: 200 Quid on Bar tab - no attempt by American to outdrink brits, however. :> Who: You (rsvp to admin at immunityinc.com) When: Saturday November 24 starting at 6pm Where: Woburn Place Bar & Lounge (inside of the Hilton London Euston Hotel) 17-18 Upper Woburn Place Bloomsbury, London WC1H 0HT (p) 44 (0) 20 7943 4500 http://www.hilton.co.uk/euston Parking info: The secure, underground NCP car park 5 minutes away at Euston Station has 217 spaces. Parking costs GBP22 a day. Additional parking spaces are available at the NCP car park on Upper Woburn Place, 500 yards away. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHRH+ftehAhL0gheoRAqq6AJ9dA8cHFiq6yEUvJs9KfWpmprnICQCeK9Gm udvhdmnwh0aKMJw52y3tl5U= =2x/H -----END PGP SIGNATURE----- From sqlsec at yahoo.com Thu Nov 22 06:49:12 2007 
From: sqlsec at yahoo.com (Cesar)
Date: Thu, 22 Nov 2007 03:49:12 -0800 (PST)
Subject: [Dailydave] [Argeniss] Data0: Next generation malware for stealing databases (Paper)
Message-ID: <122546.54929.qm@web33015.mail.mud.yahoo.com>

Hey,

I'm releasing this new paper, not a big deal but interesting.

http://www.argeniss.com/research/Data0.pdf

Abstract:

This paper is about Data0, a fictitious (or not) simple PoC of new malware that, after it's deployed on a computer in an internal network, will automatically hack database servers and steal their data. Several techniques used by Data0 will be detailed. Data0 will be targeting Microsoft SQL Server and Oracle Database Server, two of the most used database servers. While Data0 could be used by the bad guys for evil purposes, it could also be used by security professionals and organizations to determine how strong networks, workstations, database servers, etc. are against this kind of attack. This paper is not intended to be a cook book for cyber criminals; it's intended to show people that by implementing simple techniques malware can become "smarter" and cause a lot more damage in a very near future.

Cesar.

From elite_netbios at yahoo.com Thu Nov 22 17:19:21 2007
From: elite_netbios at yahoo.com (Hamid . K)
Date: Thu, 22 Nov 2007 14:19:21 -0800 (PST)
Subject: [Dailydave] Embedded fun : Hacking mp3-players
Message-ID: <192372.60943.qm@web90504.mail.mud.yahoo.com>

Hello,

Recently I've begun research on portable media/devices and using them as an attack vector (nothing new here), but I've tried to extend some old known tricks and add new techniques to this field. Since I can't join cons for now, I've summed up some of the results in a blog post. Below is the link to the post in case you're interested.

http://hkashfi.blogspot.com/2007/11/embedded-fun-hacking-mp3-players-muvo.html

Comments are really appreciated.

Hamid.K

From dave at immunityinc.com Fri Nov 23 02:26:42 2007
From: dave at immunityinc.com (Dave Aitel) Date: Fri, 23 Nov 2007 02:26:42 -0500 Subject: [Dailydave] An Extinction Event Message-ID: <474680B2.2030809@immunityinc.com>

Sometimes it takes an almost-Extinction event to make a species evolve enough to survive long-term. In any case, I think in Europe and Asia you can see a bit of a revival in the hacker community. The keynote at Deepsec was 'Paul Simmonds: Global Information Security Director, ICI, Jericho Forum'. His talk essentially was on how the perimeter security model is weakening. It was very very similar to any number of talks I heard Dan Geer give back in 2002. So this is a concept that continues to ferment. Eventually Paul and Jericho will start writing papers on how to protect a user's information even though the endpoint itself is compromised, and then everyone will look for Palladium even though two years ago they screamed and squealed when Microsoft wanted to do it. Instead everyone wants to develop a virtual machine, or in the edge case, just boot off of a Linux USB instead for all your banking. During the Q&A section Paul ended up saying "We don't have to worry about endpoint security that much because we have MessageLabs protecting our email and it's 100% effective. We've never had malicious code go through." Which is total crap, clearly. The sort of thing Mark Curphey made fun of later that night. :> He did have some good points about separating QoS from security. He's like "Why are all your security dollars focused on DoS? All you do is buy more bandwidth and filtering to solve that problem." So then I saw a Flash security talk. Flash is pretty interesting, and as a demo, he did a cross site scripting on CNN.com. Later I talked to Nitesh Dhanjani about how you could do that to Google and most other interesting places too.
Aaron and Cody from Tippingpoint did a great presentation - essentially a working MIDL parser in Python and a working NDR marshaller. This, plus a working .dll->.idl converter, gets you a great fuzzer for MSRPC stuff. They say they just sent two bugs to MS and demoed a crash on CA. NDR is mind-blowing, so great work there. Anyways, productive day in terms of new bugs. :>

My presentation is here: http://www.immunityinc.com/downloads/Debugging_With_ID.odp Just for context, an old presentation on MSRPC fuzzing: http://www.immunityinc.com/downloads/msrpc_fuzzing.odp

-dave

************************************* Want to learn more? We can teach you! www.immunityinc.com/edu.shtml Upcoming Class: December 3-7 -Unethical Hacking

From mhtajik at gmail.com Fri Nov 23 03:56:40 2007
From: mhtajik at gmail.com (Mohammad Hosein) Date: Fri, 23 Nov 2007 12:26:40 +0330 Subject: [Dailydave] Embedded fun : Hacking mp3-players In-Reply-To: <192372.60943.qm@web90504.mail.mud.yahoo.com> References: <192372.60943.qm@web90504.mail.mud.yahoo.com> Message-ID: <26f61db50711230056s133645a3g1b4e3eea4b5e3f23@mail.gmail.com>

So I recommend those of you who are interested in the same stuff to have a look at this great book I've been reading the past weeks, "BIOS Disassembly Ninjutsu Uncovered". The real problem with embedded reversing and modifications is the wide range of chip and microcode developers and the lack of "Processor Modules". Although IDA is supporting a lot of DSPs, first, their source code is not available and you cannot continue on some specific proc module to make it work on other variations; second, it's not that easy to develop your own proc module from scratch for every chip you get; and third, it does not support any FPGA for now. I faced a lot of difficulties when I was trying to understand, and maybe do some modifications on, some GPS microcode a while back. I knew the code was compressed but couldn't manage to find out how, knew it was using some kind of CRC and hash, but again it was not easy to figure out. And the problem with hobbies is that they are not a full time job ;)

Regards -mh

On Nov 23, 2007 1:49 AM, Hamid . K wrote: > Hello, > > Recently I've begun research on portable media/devices > and using them as an attack vector (nothing new here), but > I've tried to extend some old known tricks and add new > techniques to this field. Since I can't join cons for now, > I've summed up some of the results in a blog post. > Below is a link to the post in case you're interested. > > > http://hkashfi.blogspot.com/2007/11/embedded-fun-hacking-mp3-players-muvo.html > > Comments are really appreciated. > > > Hamid.K
-- Adapt or Die

From BlueBoar at thievco.com Fri Nov 23 03:18:16 2007
From: BlueBoar at thievco.com (Blue Boar) Date: Fri, 23 Nov 2007 00:18:16 -0800 Subject: [Dailydave] An Extinction Event In-Reply-To: <474680B2.2030809@immunityinc.com> References: <474680B2.2030809@immunityinc.com> Message-ID: <47468CC8.7010705@thievco.com>

Dave Aitel wrote: > that continues to ferment. Eventually Paul and Jericho will start > writing papers on how to protect a user's information even though the > endpoint itself is compromised, and then everyone will look for > Palladium even though two years ago they screamed and squealed when > Microsoft wanted to do it.

We DO want Palladium. We just don't want Microsoft in control of it.

BB

From blancher at cartel-securite.fr Fri Nov 23 08:08:59 2007
From: blancher at cartel-securite.fr (Cedric Blancher) Date: Fri, 23 Nov 2007 14:08:59 +0100 Subject: [Dailydave] An Extinction Event In-Reply-To: <47468CC8.7010705@thievco.com> References: <474680B2.2030809@immunityinc.com> <47468CC8.7010705@thievco.com> Message-ID: <1195823339.9227.110.camel@anduril.intranet.cartel-securite.net>

On Friday 23 November 2007 at 00:18 -0800, Blue Boar wrote: > We DO want Palladium. We just don't want Microsoft in control of it.

Then use the TPM chip if your box is equipped with one.

-- http://sid.rstack.org/ PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

From BlueBoar at thievco.com Fri Nov 23 13:16:49 2007
From: BlueBoar at thievco.com (Blue Boar) Date: Fri, 23 Nov 2007 10:16:49 -0800 Subject: [Dailydave] An Extinction Event In-Reply-To: <1195823339.9227.110.camel@anduril.intranet.cartel-securite.net> References: <474680B2.2030809@immunityinc.com> <47468CC8.7010705@thievco.com> <1195823339.9227.110.camel@anduril.intranet.cartel-securite.net> Message-ID: <47471911.7030509@thievco.com>

Cedric Blancher wrote: > On Friday 23 November 2007 at 00:18 -0800, Blue Boar wrote: >> We DO want Palladium. We just don't want Microsoft in control of it. > > Then use the TPM chip if your box is equipped with one.

Indeed. My secure parallel kernel writing skills are pretty nonexistent. Anyone know of such a project? Actually, I kind of expect an open-source kernel, in addition to commercial security products. Microsoft won't let you in the 64-bit Windows kernel? Run your own kernel next to it.

BB

From andreg at gmail.com Fri Nov 23 23:55:10 2007
From: andreg at gmail.com (Andre Gironda) Date: Fri, 23 Nov 2007 21:55:10 -0700 Subject: [Dailydave] An Extinction Event In-Reply-To: <47471911.7030509@thievco.com> References: <474680B2.2030809@immunityinc.com> <47468CC8.7010705@thievco.com> <1195823339.9227.110.camel@anduril.intranet.cartel-securite.net> <47471911.7030509@thievco.com> Message-ID: <2fd9390e0711232055v13ec9dfcp19a27cf099239fb7@mail.gmail.com>

On Nov 23, 2007 11:16 AM, Blue Boar wrote: > > Then use the TPM chip if your box is equipped with one. > > Indeed. My secure parallel kernel writing skills are pretty nonexistent. > Anyone know of such a project?

http://enforcer.sourceforge.net http://trousers.sourceforge.net

dre

From meissner at suse.de Sat Nov 24 03:08:48 2007
From: meissner at suse.de (Marcus Meissner) Date: Sat, 24 Nov 2007 09:08:48 +0100 Subject: [Dailydave] An Extinction Event In-Reply-To: <47471911.7030509@thievco.com> References: <474680B2.2030809@immunityinc.com> <47468CC8.7010705@thievco.com> <1195823339.9227.110.camel@anduril.intranet.cartel-securite.net> <47471911.7030509@thievco.com> Message-ID: <20071124080848.GA3944@suse.de>

On Fri, Nov 23, 2007 at 10:16:49AM -0800, Blue Boar wrote: > Cedric Blancher wrote: > > On Friday 23 November 2007 at 00:18 -0800, Blue Boar wrote: > >> We DO want Palladium. We just don't want Microsoft in control of it. > > > > Then use the TPM chip if your box is equipped with one. > > Indeed. My secure parallel kernel writing skills are pretty nonexistent. > Anyone know of such a project? > > Actually, I kind of expect an open-source kernel, in addition to > commercial security products. Microsoft won't let you in the 64-bit > Windows kernel? Run your own kernel next to it.

Trusted computing without Microsoft: http://www.opentc.net An EU-funded trusted computing project based on open source.

Ciao, Marcus

From lists at isecom.org Sat Nov 24 04:07:34 2007
From: lists at isecom.org (Pete Herzog) Date: Sat, 24 Nov 2007 10:07:34 +0100 Subject: [Dailydave] An Extinction Event In-Reply-To: <2fd9390e0711232055v13ec9dfcp19a27cf099239fb7@mail.gmail.com> References: <474680B2.2030809@immunityinc.com> <47468CC8.7010705@thievco.com> <1195823339.9227.110.camel@anduril.intranet.cartel-securite.net> <47471911.7030509@thievco.com> <2fd9390e0711232055v13ec9dfcp19a27cf099239fb7@mail.gmail.com> Message-ID: <4747E9D6.4040406@isecom.org>

> http://enforcer.sourceforge.net > http://trousers.sourceforge.net

OpenTC - www.opentc.net is an EU-sponsored project that brings this all together to use Linux as a basis for trusted computing. For Windows users, there is TPM software, usually made by the TPM manufacturer, but even Lenovo provides its own for use with Thinkpad TPMs. You can use your TPM MS-free (probably not conspiracy-theory free though).

From dave at immunityinc.com Sat Nov 24 05:37:28 2007
From: dave at immunityinc.com (Dave Aitel) Date: Sat, 24 Nov 2007 05:37:28 -0500 Subject: [Dailydave] Strategy Message-ID: <4747FEE8.3080407@immunityinc.com>

If you're reading an information warfare book or paper you'll invariably see a lot of: 1. Inane references to Sun Tzu (or, in some even more horrible cases, any two of Sun Tzu, Clausewitz, and John Boyd) 2. Declarations that information warfare is an "asymmetric attack"

It's not asymmetric in the slightest. If you take any significant period of time then the organization with more money has a huge advantage in this game. That doesn't mean that good strategy doesn't hurt, and I wanted to showcase some examples: Halvar gave a talk on his malware classification algorithms and at the beginning of the talk he said "This prevents the malware authors from using off-the-shelf compilers. Current AV technologies don't do this since bypassing them requires this five line Python script which I believe the malware authors have automated." Forcing your opponent to use expensive tools is good strategy. Likewise, choosing to invest in an expensive infrastructure can be good strategy. I believe BinNavi and Immunity Debugger fit this category. In terms of infrastructure, the US .com and .mil communities decided to save money and purchase a mono-culture of Microsoft technologies. Bad strategies like this result in flailing and moaning as you get defeated over and over by someone with better strategy, not because the battlefield is inherently asymmetric.

-dave

From dnm at pobox.com Sun Nov 25 16:09:23 2007
From: dnm at pobox.com (Dan Moniz) Date: Sun, 25 Nov 2007 16:09:23 -0500 Subject: [Dailydave] Strategy In-Reply-To: <4747FEE8.3080407@immunityinc.com> References: <4747FEE8.3080407@immunityinc.com> Message-ID: <86fc46910711251309w6bba4b9ckabc9b75c0ba9109b@mail.gmail.com>

On Nov 24, 2007 5:37 AM, Dave Aitel wrote: > If you're reading an information warfare book or paper you'll invariably > see a lot of: > 1. Inane references to Sun Tzu (or, in some even more horrible cases, > any two of Sun Tzu, Clausewitz, and John Boyd) > 2. Declarations that information warfare is an "asymmetric attack" > > It's not asymmetric in the slightest. If you take any significant period > of time then the organization with more money has a huge advantage in > this game. That doesn't mean that good strategy doesn't hurt, and I > wanted to showcase some examples: > > Halvar gave a talk on his malware classification algorithms and at the > beginning of the talk he said "This prevents the malware authors from > using off-the-shelf compilers. Current AV technologies don't do this > since bypassing them requires this five line Python script which I > believe the malware authors have automated." > > Forcing your opponent to use expensive tools is good strategy. Likewise, > choosing to invest in an expensive infrastructure can be good strategy. > I believe BinNavi and Immunity Debugger fit this category. > > In terms of infrastructure, the US .com and .mil communities decided to > save money and purchase a mono-culture of Microsoft technologies. Bad > strategies like this result in flailing and moaning as you get defeated > over and over by someone with better strategy, not because the > battlefield is inherently asymmetric. > > - -dave

Almost two years ago, I did an invited talk at a D.C. area conference that I hadn't heard of before and that was primarily catering to intelligence community and homeland security types.
I got the feeling that the conference was probably more of a smorgasbord of homeland security/defense commentators, actual IC operators, military, politicos, and associated gadflies than say your average seriously technical or seriously military/Pentagon conference, but it was interesting nonetheless.

Since I had an abiding personal interest in the Revolution in Military Affairs (RMA) debate (sometimes called "Transformation" by certain adherents; there are opposing views of what RMA is or means and the Transformation types tend to argue for advanced battlefield technology above all else) and since this was a mixed audience I hadn't spoken to before, I decided to throw together a short high-level presentation on how I thought RMA applied to computer security. I'll have to dig up the actual presentation off of one of my other machines; in a quick search of email and this machine, I don't seem to have it locally.

The basic thrust (as applies to the asymmetry question, anyway) was this: computer security is highly asymmetric in a classic defense sense because the well-funded defender has to maintain complex systems in order to get work done and has a suitably high investment and operational cost in protecting all that complexity, where the attacker can pick and choose any fragile point of the complex system to violate at his or her leisure. Monoculture exacerbates the problem, but I don't think you could arrive at a "heterogeneous enough" system (whose complexity would almost certainly be *greater* than a less heterogeneous system, thus threatening security) where the security benefits of that mixed system significantly outweigh the investment and operational costs and still enable equivalent or greater ability to do work.

In a classic symmetric scenario, my tanks and your tanks are about equal. Whoever can field more, better tanks can probably win the battle.
In an asymmetric scenario, your tanks provide overwhelming firepower against some things, like buildings or other tanks, but my IEDs can kill your tank crew in their Humvee as they ride to the base. The issue is that attackers in an infosec sense have IEDs (exploits), but defenders don't even have tanks, let alone IED response teams and snipers, just walls (firewalls, etc.). This is not necessarily an argument that we should have those things, though obviously in some corners there are operational teams we'd consider as "our offense" who do use exploits, etc., just against an enemy set of defenders. But again, that's still asymmetric.

I'm not a military scholar, though a ton of stuff included in that field interests me, so I'm interested in further debate and discussion along these lines.

-- Dan Moniz [http://pobox.com/~dnm/]

From blancher at cartel-securite.fr Mon Nov 26 05:01:39 2007
From: blancher at cartel-securite.fr (Cedric Blancher) Date: Mon, 26 Nov 2007 10:01:39 +0000 Subject: [Dailydave] An Extinction Event In-Reply-To: <47471911.7030509@thievco.com> References: <474680B2.2030809@immunityinc.com> <47468CC8.7010705@thievco.com> <1195823339.9227.110.camel@anduril.intranet.cartel-securite.net> <47471911.7030509@thievco.com> Message-ID: <1196071299.4855.50.camel@anduril.intranet.cartel-securite.net>

On Friday 23 November 2007 at 10:16 -0800, Blue Boar wrote: > Actually, I kind of expect an open-source kernel, in addition to > commercial security products. Microsoft won't let you in the 64-bit > Windows kernel? Run your own kernel next to it.

A TPM chip is basically a cryptoprocessor providing crypto functions and key storage, among a few other things, that can help applications perform crypto operations in a more secure way. You can write a driver for it, and actually, there are drivers for Windows platforms, and Vista provides TPM v1.2 support. But I was not referring to the overall idea of Trusted Computing as you seem to, as the protection offered mostly relies on the quality of software. Having trusted OS/applications is great, as long as they're not vulnerable. In that latter situation, you'll just get trustfully flawed software...

-- http://sid.rstack.org/ PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

From krahmer at suse.de Mon Nov 26 06:59:18 2007
From: krahmer at suse.de (Sebastian Krahmer) Date: Mon, 26 Nov 2007 12:59:18 +0100 (CET) Subject: [Dailydave] Bootup graphs Message-ID:

Hi, You might be surprised what init is executing during boot :) http://c-skills.blogspot.com/2007/11/boot-graphs.html The same can be applied to any startup sequences like startx, startkde etc. The Linux 2.6 kernel comes with a nice interface which makes this possible. Also the new inotify(2) API is worth studying, especially if you are stuck in a race-exploit :-)) Years ago I wrote a generic /proc based exec-scanner which also worked on *BSD, but this one is much more reliable because it's un-racy.

enjoy, Sebastian

-- ~ ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer at suse.de - SuSE Security Team ~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
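A small event-driven watcher in the spirit of the boot graphs above, added here as an example (it is not Sebastian's tool and makes no claim about which kernel interface his post used): it subscribes with inotify(7) to opens under a directory, which the kernel reports for the open that execve(2) performs on a binary as well as for ordinary reads, so there is no /proc polling race to lose. The function names (watch_dir, collect_opens, self_check) and the /tmp scratch path are my own choices.

```c
/* Added example (not the blog post's tool); watch_dir, collect_opens and
 * self_check are hypothetical names. Linux only. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/select.h>
#include <unistd.h>

/* Start watching `dir` for opens; returns the inotify fd, or -1 on error. */
int watch_dir(const char *dir)
{
    int fd = inotify_init1(IN_CLOEXEC);
    if (fd < 0)
        return -1;
    /* IN_OPEN fires for every open(2) of a file in the directory, and the
     * kernel also reports the open execve(2) performs on a binary, so
     * executed programs show up alongside files that were merely read. */
    if (inotify_add_watch(fd, dir, IN_OPEN) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Wait up to timeout_ms for events, then append the name of every opened
 * regular file to `out` (newline separated). Returns the number of file
 * opens consumed, 0 on timeout or error. */
int collect_opens(int fd, int timeout_ms, char *out, size_t outlen)
{
    fd_set rfds;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    /* Events carry a variable-length name; the buffer must hold one maximal
     * event and be aligned like struct inotify_event. */
    char buf[4096] __attribute__((aligned(8)));
    int count = 0;

    if (outlen)
        out[0] = '\0';
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    if (select(fd + 1, &rfds, NULL, NULL, &tv) <= 0)
        return 0;
    ssize_t n = read(fd, buf, sizeof buf);
    for (char *p = buf; n > 0 && p < buf + n;) {
        const struct inotify_event *ev = (const struct inotify_event *)p;
        if ((ev->mask & IN_OPEN) && !(ev->mask & IN_ISDIR) && ev->len > 0) {
            size_t used = strlen(out);
            if (used < outlen)
                snprintf(out + used, outlen - used, "%s\n", ev->name);
            count++;
        }
        p += sizeof *ev + ev->len;
    }
    return count;
}

/* Self-check needing no root: watch a scratch directory (constructed path),
 * open one file in it and confirm exactly that open is reported. 1 = ok. */
int self_check(void)
{
    char dir[] = "/tmp/opentrace.XXXXXX";
    char path[64], names[256];
    int ok = 0;

    if (!mkdtemp(dir))
        return 0;
    int fd = watch_dir(dir);
    if (fd >= 0) {
        snprintf(path, sizeof path, "%s/probe.bin", dir);
        int pfd = open(path, O_WRONLY | O_CREAT, 0600);
        if (pfd >= 0)
            close(pfd);
        if (collect_opens(fd, 1000, names, sizeof names) == 1 &&
            strcmp(names, "probe.bin\n") == 0)
            ok = 1;
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return ok;
}

/* Stand-alone use: watch one directory (default /sbin) and print opens. */
int main(int argc, char **argv)
{
    char names[4096];
    int fd = watch_dir(argc > 1 ? argv[1] : "/sbin");
    if (fd < 0) { perror("inotify"); return 1; }
    for (;;)   /* print opens as they happen; Ctrl-C to stop */
        if (collect_opens(fd, 1000, names, sizeof names) > 0)
            fputs(names, stdout);
}
```

Started from an early init script against /sbin, /bin or /lib it yields the kind of "what ran during boot" list the post describes; one inotify instance can hold a watch per directory if you need more than one.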
From rthieme at thiemeworks.com Mon Nov 26 11:05:53 2007
From: rthieme at thiemeworks.com (Richard Thieme) Date: Mon, 26 Nov 2007 10:05:53 -0600 Subject: [Dailydave] Strategy In-Reply-To: <86fc46910711251309w6bba4b9ckabc9b75c0ba9109b@mail.gmail.com> References: <4747FEE8.3080407@immunityinc.com> <86fc46910711251309w6bba4b9ckabc9b75c0ba9109b@mail.gmail.com> Message-ID: <474AEEE1.4090004@thiemeworks.com>

I am writing a piece today called Content and Context which simply hammers at the point that the first piece of work in all this is knowing the real nature of the nested levels of organizational structure at each level. "What is it, in itself?" asked Marcus Aurelius, cutting to the chase. This means that counterintelligence is not an add-on but the first, not the second, order of business. Is the structure or organizational identity what it seems to be? Who does it serve, that is, who profits from the continuing existence of this entity? Who is running it? What is embedded in it? So even if it had integrity as constructed (i.e. a jihadist web site is really a jihadist web site), has it been compromised, and if so, how? What persons or hardware or software have been "turned," degraded, or made into dual-use or two-way Janus-faced portals? Are in fact entire structures or people sacrificed to the deception, as they occasionally must be, because the greater value of the deception outweighs even a significant number of insignificant human lives (e.g. in 1942 the KGB let the Germans know about a forthcoming attack by Marshal Zhukov's forces aimed to divert German forces from Stalingrad; the information, sent through a complex structure of deception, enhanced the value of that and subsequent information and the credibility of the bogus source. But Zhukov did not know that the disinformation was provided at the expense of thousands of his troops who were killed to sustain the ruse ...)
The more granular one gets, the more uncertain the visible evidence, the way a coastline that looks long and smooth becomes a lot of branching twists and turns at a granular level, any one of which can look like a wall but be in fact a door ... yet this work, however imperfect, must be done, for the subsequent security concerns to have meaning.

RT

Dan Moniz wrote: > On Nov 24, 2007 5:37 AM, Dave Aitel wrote: > > >> If you're reading an information warfare book or paper you'll invariably >> see a lot of: >> 1. Inane references to Sun Tzu (or, in some even more horrible cases, >> any two of Sun Tzu, Clausewitz, and John Boyd) >> 2. Declarations that information warfare is an "asymmetric attack" >> >> It's not asymmetric in the slightest. If you take any significant period >> of time then the organization with more money has a huge advantage in >> this game. That doesn't mean that good strategy doesn't hurt, and I >> wanted to showcase some examples: >> >> Halvar gave a talk on his malware classification algorithms and at the >> beginning of the talk he said "This prevents the malware authors from >> using off-the-shelf compilers. Current AV technologies don't do this >> since bypassing them requires this five line Python script which I >> believe the malware authors have automated." >> >> Forcing your opponent to use expensive tools is good strategy. Likewise, >> choosing to invest in an expensive infrastructure can be good strategy. >> I believe BinNavi and Immunity Debugger fit this category. >> >> In terms of infrastructure, the US .com and .mil communities decided to >> save money and purchase a mono-culture of Microsoft technologies. Bad >> strategies like this result in flailing and moaning as you get defeated >> over and over by someone with better strategy, not because the >> battlefield is inherently asymmetric. >> >> - -dave >> > > Almost two years ago, I did an invited talk at a D.C.
From jf at danglingpointers.net Mon Nov 26 20:33:21 2007
From: jf at danglingpointers.net (jf) Date: Tue, 27 Nov 2007 01:33:21 +0000 (UTC) Subject: [Dailydave] Strategy In-Reply-To: <86fc46910711251309w6bba4b9ckabc9b75c0ba9109b@mail.gmail.com> References: <4747FEE8.3080407@immunityinc.com> <86fc46910711251309w6bba4b9ckabc9b75c0ba9109b@mail.gmail.com> Message-ID:

Firstly, you mean tactics, not strategy. Strategy is the overall goal: you want to win any potential battle based in the realm of computing; the tactic is how you accomplish it, and I believe the argument was that because by and large the government and (many/most) US corporations have bought into standardized platforms sold by the likes of most US-based AV companies, et al., and Microsoft, that, assuming this is a medium for warfare, it [the tactic] is not asymmetric. Largely I will agree; for instance, in the government too much emphasis is put on clearability and whether a person has a previous or current clearance, which is important, I understand, but a better system for cleaning and farming out to unclean/uncleared people needs to occur; you simply cannot pass up on the opportunity to employ the highly talented. Furthermore, in my experiences in various positions around US organizations, public and private, there has been a large amount of standardization that causes weaknesses. For instance, choice of office productivity suite, or rather vast standardization in a manner that exists in most organization