From abner at securitystory.com Mon Oct 1 09:16:34 2007
From: abner at securitystory.com (Abner Germanow)
Date: Mon, 1 Oct 2007 06:16:34 -0700 (PDT)
Subject: [Dailydave] Wireless spaces
Message-ID: <20486.69409.qm@web30415.mail.mud.yahoo.com>

I believe you are looking for something like Newbury Networks' RF Firewall
http://www.newburynetworks.com/products-rf-firewall.htm

Cheers,
Abner

----- Original Message ----
From: Dave Aitel
To: dailydave
Sent: Thursday, September 20, 2007 1:12:46 PM
Subject: [Dailydave] Wireless spaces

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Are any of the major vendors doing this?

1. Take any three wireless access points and have them each track client wireless signal strength. (This will map to physical space, almost.)
2. At the same time, have them track the traffic type this client is doing and use this to generate a number of some sort.
3. Map these four things into a space and all your clients will be divided into "rooms" that you can draw bounding boxes around (much like Reliance HIDS did).
4. Do simple anomaly detection and you'll see a SILICA user in the parking lot stand out like a Suicide Girl in Utah.

I think if you can tie the traffic clients generate with "where" the clients are, you'll get an interesting picture of things in general. You don't care in real world terms where they are, just where they are in the mathematical space.
- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG8qoNB8JNm+PA+iURAu1kAKDR4BJfFya+CqUFqgbNV5QCuhwH3QCglbNq
X/jcsr5cCfbZ5+1sae7g47o=
=mrwt
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave

From dave at immunityinc.com Mon Oct 1 11:38:52 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Mon, 01 Oct 2007 11:38:52 -0400
Subject: [Dailydave] Usenix w00t (ddz)
Message-ID: <4701148C.3090700@immunityinc.com>

I was checking out Dino's Usenix paper a couple days ago, and a few questions stuck in my head.
http://www.usenix.org/events/woot07/tech/full_papers/daizovi/daizovi_html/

1. It'd be good to see the code for this and get some description of how they were compiled. Would it have been smaller to use built-in cryptographic libraries from the host OS? Be good to compare.

\begin{figure}\begin{tabular}{\vert l\vert r\vert} \hline
Function & x86 machine...
...
s\_fp\_sub & 336 \\ \hline
Total & 1283 \\ \hline
\end{tabular} \end{figure}

Maybe Dino will BSD-license it and we can throw it into CANVAS to see. :>

2. "For example, the exploit may have corrupted the heap metadata and subsequent heap operations may cause the process to crash. In these cases, the Stage 2 payload have to repair the heap before attempting to execute more complex operations that require explicit or implicit heap allocation. Under Windows XP and later Windows operating systems, the default heap can be quickly switched to the low-fragmentation heap using HeapSetInformation(), thus abandoning the use of a potentially corrupted standard default heap."

I'd have to defer to Nico/Sinan/Kostya on this one, but I'm not sure that technique would avoid the problem of a block of memory being freed from the corrupted heap. In addition, I think stage 1 would most likely have already crashed during the Connect() and Send() operations.
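The four-step "Wireless spaces" sketch in the thread above (three APs reporting per-client signal strength, one traffic-type number per client, clients grouped into "rooms" with bounding boxes, simple anomaly detection on the result), worked through as an added example. This is not code from the post, from Immunity or from any vendor product, and every number in it is constructed: the RSSI readings, the destination-port lists, the 0.3 grouping radius and the "room of one is an anomaly" rule are all assumptions made to show the pipeline end to end.

```python
"""Toy version of the four-step 'wireless space' idea from the Wireless
spaces post. Added example: not code from the post, from Immunity or from
any vendor product. Every value is constructed: three access points report
the RSSI (dBm) they see for each client, and each client's traffic is
reduced to one number, the count of distinct destination ports it touched in
the window. The four values are min-max scaled to a common range, clients
are grouped into "rooms" by single-linkage distance, a bounding box is drawn
around each room, and any client left in a room smaller than min_room_size
is flagged for a human to look at."""
from __future__ import annotations

import math
from typing import Dict, List, Sequence, Tuple

RawVec = Tuple[float, float, float, float]  # (rssi_ap1, rssi_ap2, rssi_ap3, distinct_dst_ports)

# Constructed sample window: nine clients spread over three offices, each
# close to one AP, plus one client seen weakly by all three APs.
SAMPLE_RSSI: Dict[str, Tuple[int, int, int]] = {
    "a1": (-41, -70, -81), "a2": (-39, -72, -79), "a3": (-43, -69, -82),
    "b1": (-74, -41, -69), "b2": (-76, -44, -67), "b3": (-73, -42, -70),
    "c1": (-81, -73, -37), "c2": (-79, -71, -40), "c3": (-82, -74, -39),
    "x1": (-86, -84, -83),
}
SAMPLE_DST_PORTS: Dict[str, Sequence[int]] = {
    "a1": [443, 443, 53, 80], "a2": [443, 80, 53, 993], "a3": [443, 80, 53, 25, 143],
    "b1": [443, 53, 80], "b2": [443, 443, 53, 445, 80], "b3": [443, 53, 3389, 80],
    "c1": [443, 53], "c2": [443, 53, 80, 22], "c3": [443, 53, 80],
    "x1": list(range(1, 41)),  # constructed: one client touching 40 different ports
}


def traffic_feature(dst_ports: Sequence[int]) -> int:
    """Step 2's 'number of some sort': distinct destination ports in the window."""
    return len(set(dst_ports))


def raw_features(rssi: Dict[str, Tuple[int, int, int]],
                 ports: Dict[str, Sequence[int]]) -> Dict[str, RawVec]:
    """Steps 1 and 2 combined: one 4-vector per client."""
    return {mac: (*rssi[mac], traffic_feature(ports[mac])) for mac in rssi}


def scale(features: Dict[str, RawVec]) -> Dict[str, RawVec]:
    """Min-max scale every dimension to [0, 1] so dBm and port counts weigh equally."""
    dims = len(next(iter(features.values())))
    lo = [min(v[i] for v in features.values()) for i in range(dims)]
    hi = [max(v[i] for v in features.values()) for i in range(dims)]
    return {
        mac: tuple((v[i] - lo[i]) / (hi[i] - lo[i]) if hi[i] > lo[i] else 0.0
                   for i in range(dims))
        for mac, v in features.items()
    }


def distance(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def build_rooms(scaled: Dict[str, RawVec], radius: float = 0.3) -> List[List[str]]:
    """Step 3: single-linkage grouping. Two clients share a room when a chain of
    neighbours, each within `radius` in scaled space, connects them."""
    unvisited = set(scaled)
    rooms: List[List[str]] = []
    while unvisited:
        seed = unvisited.pop()
        room, frontier = [seed], [seed]
        while frontier:
            cur = frontier.pop()
            for other in list(unvisited):
                if distance(scaled[cur], scaled[other]) <= radius:
                    unvisited.remove(other)
                    room.append(other)
                    frontier.append(other)
        rooms.append(sorted(room))
    return sorted(rooms)


def bounding_box(room: Sequence[str], raw: Dict[str, RawVec]) -> List[Tuple[float, float]]:
    """Per-dimension (min, max) of a room in raw units: the box you would draw."""
    return [(min(raw[m][i] for m in room), max(raw[m][i] for m in room)) for i in range(4)]


def flag_anomalies(rooms: Sequence[Sequence[str]], min_room_size: int = 2) -> List[str]:
    """Step 4, the simplest possible rule: anyone who does not share a room."""
    return sorted(m for room in rooms if len(room) < min_room_size for m in room)


def analyse(rssi, ports, radius: float = 0.3, min_room_size: int = 2):
    raw = raw_features(rssi, ports)
    rooms = build_rooms(scale(raw), radius)
    boxes = {tuple(room): bounding_box(room, raw) for room in rooms}
    return rooms, boxes, flag_anomalies(rooms, min_room_size)


if __name__ == "__main__":
    rooms, boxes, anomalies = analyse(SAMPLE_RSSI, SAMPLE_DST_PORTS)
    for room in rooms:
        print(room, boxes[tuple(room)])
    print("flag for review:", anomalies)
```

On the constructed data the three offices fall out as three rooms of three clients each and the weakly-heard, port-sweeping client lands in a room of its own, which is what gets flagged. The scaling step matters: without it the dBm dimensions (a 40-unit spread) would swamp the port-count dimension, and the traffic feature the post asks for in step 2 would have no say in the grouping.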
From alex at sotirov.net Mon Oct 1 13:49:02 2007
From: alex at sotirov.net (Alexander Sotirov)
Date: Mon, 1 Oct 2007 10:49:02 -0700
Subject: [Dailydave] Usenix w00t (ddz)
In-Reply-To: <4701148C.3090700@immunityinc.com>
References: <4701148C.3090700@immunityinc.com>
Message-ID: <20071001174902.GA19315@dsl093-068-003.sfo1.dsl.speakeasy.net>

On Mon, Oct 01, 2007 at 11:38:52AM -0400, Dave Aitel wrote:
> 2. "For example, the exploit may have corrupted the heap metadata and
> subsequent heap operations may cause the process to crash. In these
> cases, the Stage 2 payload have to repair the heap before attempting to
> execute more complex operations that require explicit or implicit heap
> allocation. Under Windows XP and later Windows operating systems, the
> default heap can be quickly switched to the low-fragmentation heap using
> HeapSetInformation(), thus abandoning the use of a potentially corrupted
> standard default heap."

The low fragmentation heap is a layer that sits on top of the standard heap. Small chunks are allocated from larger LFH buckets, bypassing the standard allocator, but the buckets themselves are allocated from the old heap. If it is corrupted, switching to the LFH is not going to help.

If you let the program continue (or the program has multiple threads), you also have to consider the case where the code has a pointer to a previously allocated chunk and tries to free it. The LFH allocator will see that this chunk was not allocated from an LFH bucket and it will pass it to the standard allocator.
Alex

From nicolas.waisman at immunitysec.com Mon Oct 1 15:06:29 2007
From: nicolas.waisman at immunitysec.com (Nicolas Waisman)
Date: Mon, 1 Oct 2007 14:06:29 -0500
Subject: [Dailydave] Immunity Debugger v1.2 Release
Message-ID: <20071001190629.GC26639@mail.immunityinc.com>

This release we include a flurry of new exciting features!

We are proud to announce the first beta version of our free Vista Heap Library, which supports the new 'Freelist' and Low Fragmentation Chunk. Check out the new usage of the !heap command for more details.

Also included in this release is the new recognition library using heuristic patterns, with a huge database of known Windows static functions. Immunity Debugger includes this library both as a PyCommand (use !recognize) and as a function for scripting (use searchFunctionByHeuristic).

As an example usage, imagine you want to release your own script and set a breakpoint on an unnamed function which might move or change slightly across different versions of the program. Using Immunity Debugger's API you can get the heuristic out of the function and do:

    address = imm.searchFunctionByHeuristic( heuristic )
    imm.setBreakpoint( address )

Finally, we include our own small version of PEiD called !findpacker, using Ero Carrera's pefile and Bob's UserDB with around 1300 signatures for packers, cryptors and other loaders.

Immunity is also moving the deadline for the PyCommands contest to the 10th of December to give you more time to use the new features.

Thanks for using Immunity Debugger! We hope you enjoy this month's release.
You can upgrade your current Immunity Debugger by going to Help/Update or by directly downloading the new installer from
http://debugger.immunityinc.com/register.html

Don't forget to check out the Immunity Forum (http://forum.immunityinc.com) for more examples, feedback, cool screenshots, etc.

Thanks
Immunity Debugger Team

1.20 Build 0
October 1, 2007

New Features:

- Immunity Debugger API
  o immlib.getThreadId() method added: return the current debuggee thread id
  o immlib.getCallTree() method added: return the call tree for given address
  o immlib.setFocus() method added: focus ID window
  o immlib.isValidHandle() method added: check if a HWND is still valid
  o immlib.getInfoPanel() method added: get information from panel window and optionally receives a type flag to force the kind of comment fetched.
  o imm.findPacker() method added: find packers/cryptors on a file or a loaded module
  o imm.getMemoryPagebyOwner(): find all the memory pages belonging to a module.
  o immlib.ps() returns two extra objects: the tcp list and the udp list
  o immlib.getComment() now will try to fetch all types of comments
  o Added new HOOKTYPE: PRE_BP_HOOK, hooks exactly before the breakpoint is hit (Decoding events timeline)
  o New Vista support for libheap
  o Custom Tables has "Clear Window" menu now
  o Added several methods from librecognize
- PyCommands
  o findpacker added. (Use of findPacker to get Packers from a module)
  o recognize added. (Function Recognizing using heuristic patterns)
  o Hippie now can filter by heap
  o heap updated to work with new Vista Heap
  o Optimized code for stackvars (Memory usage reduction during runtime)
- Core
  o Pyshell can be focused once created with alt-F11
  o Shortcut for attach process added: Ctrl+F1
  o Added librecognition.py (Library for function recognizing)
- Graph
  o immvcglib.generateGraphFromBuf() method added: play with your own vcg files!
  o Redesign of VCG parser: easier to read, easier to use.
Bug Fixes:

  o Return value (HWND) of createTable
  o Fixed Attach Search Filtering: http://forum.immunityinc.com/index.php?topic=49.0
  o Grapher: Vertex lastline jumps correctly displayed now
  o Fixed crash when searching on modules: http://forum.immunityinc.com/index.php?topic=63.0
  o Fixed search issue on protected binary: http://forum.immunityinc.com/index.php?topic=34
  o Fixed breakpoint/logpoint hooks issue (logic/stepping inside a hook)
  o Fixed PyString_AsString() misbehaviour
  o Fixed PyCommand Gui Arguments box to receive \x00 as argument
  o Fixed imm.getModulebyAddress() to receive any module address and not only module entry point http://forum.immunityinc.com/index.php?topic=74.0

From nathan.landon at digitaloperatives.com Mon Oct 1 16:10:35 2007
From: nathan.landon at digitaloperatives.com (Nathan Landon)
Date: Mon, 1 Oct 2007 16:10:35 -0400
Subject: [Dailydave] Let's ban all devices with RF.
Message-ID: <37837550710011310p44c3ccbbtb0de94d645762eb7@mail.gmail.com>

Am I missing something, or are radio controlled toys way more capable of setting off a bomb than cellular telephones or other wireless devices remotely?
http://www.cnn.com/2007/TRAVEL/10/01/tsa.toys/index.html

So Dave, the next time you travel, your kids better not have anything electronic! I mean come on!

--
Nathan Landon
Digital Operatives
From felixdzerzhinsky2 at hotmail.com Mon Oct 1 22:50:36 2007
From: felixdzerzhinsky2 at hotmail.com (Felix Dzerzhinsky)
Date: Tue, 2 Oct 2007 04:50:36 +0200
Subject: [Dailydave] SIGINT and Telecommunications Intercept Capability of Cambodia
Message-ID:

Can anybody point me to a reliable source of information regarding the capability of the security forces in Cambodia to intercept GSM phones?

I am talking about military SIGINT or police wiretapping here.

Legally the police have the right to do so but do they have the technical capability?

From lmh at info-pull.com Tue Oct 2 11:32:17 2007
From: lmh at info-pull.com (Lance M. Havok)
Date: Tue, 2 Oct 2007 17:32:17 +0200
Subject: [Dailydave] SIGINT and Telecommunications Intercept Capability of Cambodia
In-Reply-To:
References:
Message-ID:

Common sense applies here: normally someone who really fears being wiretapped or put under some serious surveillance does not go under a Hotmail account asking a random list about the infrastructure of his home country. Generally speaking, someone who does this is unlikely to be the person that law enforcement gives a ***** about. In any case, the point is not if they have it (I mean, Cambodia still uses hi-tech Elephant powered transportation). I would be worried about smoke signal interception (you know, goggle and optical technology).
Now, if Cambodia enjoys the privilege of having a decent GSM network, considering that interception equipment is fairly cheap (for the State, obviously), there's a certain possibility they indeed have the infrastructure required to tap people. One solution is requesting the State budget documents (if they are made public there; maybe the local version of Kim Jong-il sleeps with them under his bed, who knows), and some barebones, simplified description should be present there. Divide the figure by some known average price of specific supplies.... you get the idea.

The question for poor or still-developing (aka poor) countries is: they may have the infrastructure, but will they actually invest its use on you? The more limited the resources, the greater the discrimination process to ensure they are used productively.

Spy books should be banned from geeks. Taps should worry you only if you deal dope. Note that deal here means more than just passing some weed to a random hippie in a park. Say, some obese LEGO bricks and stuff.

For now, the only taps worrying me are ass taps. He he he.

On 10/2/07, Felix Dzerzhinsky wrote:
>
> Can anybody point me to a reliable source of information regarding the
> capability of the security forces in Cambodia to intercept GSM phones?
>
> I am talking about military SIGINT or police wiretapping here.
>
> Legally the police have the right to do so but do they have the technical
> capability?

From paul at xelerance.com Tue Oct 2 11:53:28 2007
From: paul at xelerance.com (Paul Wouters)
Date: Tue, 2 Oct 2007 11:53:28 -0400 (EDT)
Subject: [Dailydave] SIGINT and Telecommunications Intercept Capability of Cambodia
In-Reply-To:
References:
Message-ID:

On Tue, 2 Oct 2007, Lance M. Havok wrote:

> Now, if Cambodia enjoys the privilege of having a decent GSM network,
> considering that interception equipment is fairly cheap (for the

All GSM equipment comes with built-in tapping facilities that can be used by the operators. If you are the government, you just request it (using a warrant or a gun).

> Spy books should be banned from geeks. Taps should worry you only if
> you deal dope.

Though I agree with your "most people are not interesting enough to tap" argument, saying that you shouldn't be worried, in the light of the US government doing massive warrantless tapping, and Russia poisoning its enemies, I have to disagree. There are just as many stupid people in governments ordering taps because they are overly paranoid as there are overly paranoid people thinking the government might have a tap on them.

So yes, the individual tap is not really something you should be too worried about (esp. if you can still post in public mailing lists), but massive data collection through taps is definitely a legitimate concern.

Paul

From adrien at kunysz.be Tue Oct 2 12:08:13 2007
From: adrien at kunysz.be (Adrien Krunch Kunysz)
Date: Tue, 2 Oct 2007 18:08:13 +0200
Subject: [Dailydave] SIGINT and Telecommunications Intercept Capability of Cambodia
In-Reply-To:
References:
Message-ID: <20071002160813.GA3493@krunch-laptop>

On Tue, Oct 02, 2007 at 04:50:36AM +0200, Felix Dzerzhinsky wrote:
> Legally the police have the right to do so but do they have
> the technical capability?

They don't really need any fancy technology to intercept GSM communications. We are speaking about the state here. They just have to ask the phone provider(s) to record whatever they want. You know, like in the USA.
From lmh at info-pull.com Tue Oct 2 12:15:50 2007
From: lmh at info-pull.com (Lance M. Havok)
Date: Tue, 2 Oct 2007 18:15:50 +0200
Subject: [Dailydave] John McClane is on mission at North Korea
Message-ID:

I managed to find Det. John McClane. He's at North Korea:
http://www.korea-dpr.com/users/thai/slides/DSC1F03264.htm

Bonus points:
- Spot Bruce Willis in the photo (hint: look at the back).
- Spot the fed(s) (hint: they wear undercover uniforms).
- Spot Jet Li (hint: wearing sunglasses too).

Enjoy.

PS: You can also appreciate the perspective of the Jurassic Park annoying guy to the right.

From daniel at ugc-labs.co.uk Tue Oct 2 12:24:15 2007
From: daniel at ugc-labs.co.uk (Daniel)
Date: Tue, 2 Oct 2007 17:24:15 +0100
Subject: [Dailydave] SIGINT and Telecommunications Intercept Capability of Cambodia
In-Reply-To:
References:
Message-ID: <057174AA-BA46-4CBD-A24B-8657CBE85C96@ugc-labs.co.uk>

Having spent 16 months in the region, I would doubt anyone within the Khmer government had the equipment or the know-how to pull this off. Now Burma is different, they have the ability to do so, but Cambodia is a different story. Remember this is the same country where you can easily buy heroin for $2 and human life is dirt cheap; the prospect of bugging GSM phones, let alone actually having them work outside of Phnom Penh or Siem Reap, is a technical challenge.

On 2 Oct 2007, at 03:50, Felix Dzerzhinsky wrote:

> Can anybody point me to a reliable source of information regarding
> the capability of the security forces in Cambodia to intercept GSM
> phones?
>
> I am talking about military SIGINT or police wiretapping here.
>
> Legally the police have the right to do so but do they have the
> technical capability?
From rodrigo at kernelhacking.com Tue Oct 2 10:25:49 2007
From: rodrigo at kernelhacking.com (Rodrigo Rubira Branco (BSDaemon))
Date: Tue, 2 Oct 2007 14:25:49 -0000
Subject: [Dailydave] SIGINT and Telecommunications Intercept Capability of Cambodia
Message-ID: <20071002172549.ED2758BCEE@mail.fjaunet.com.br>

After a long trip around Asia, and for sure Cambodia is included, I really don't think so ;)

Why are you asking? Let us know more details about your feelings, hehehe

cya,

Rodrigo (BSDaemon).

--
http://www.kernelhacking.com/rodrigo
Kernel Hacking: If i really know, i can hack
GPG KeyID: 1FCEDEA1

--------- Original Message --------
From: Felix Dzerzhinsky
To: dailydave at lists.immunitysec.com
Subject: [Dailydave] SIGINT and Telecommunications Intercept Capability of Cambodia
Date: 02/10/07 12:55

> Can anybody point me to a reliable source of information regarding the capability of the security forces in Cambodia to intercept GSM phones?
>
> I am talking about military SIGINT or police wiretapping here.
>
> Legally the police have the right to do so but do they have the technical capability?
________________________________________________
Message sent using UebiMiau 2.7.2

From dave at immunityinc.com Tue Oct 2 14:33:49 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 02 Oct 2007 14:33:49 -0400
Subject: [Dailydave] Network attack with CANVAS en Español
Message-ID: <47028F0D.8060204@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've always been obsessed with getting CANVAS able to display different languages correctly - it's quite hard to do with GTK, especially when you don't necessarily know the unicode encoding you're dealing with. The market for security tools is not mono-lingual. But for now, CANVAS is only available in English and although it can target different language packs of Windows, it displays a lot of strings in raw format, which is not optimal.

However, internally Immunity has translation support for almost everything our customers speak, from Turkish to rare dialects of Dutch, and of course, Spanish. Nicolas Waisman is going to be giving a "Network Attack with Immunity CANVAS" class this Thursday and Friday in Buenos Aires. If you're interested in going you can email admin at immunityinc.com to set up a reservation. There will be regular classes taught in Spanish, so if you can't come on this short notice, Shari can set you up with the schedule.

And for those of you who can't make it at all, the new CANVAS GUI has a nice picture here:
http://www.immunityinc.com/downloads/NodeView.png

That's how I always saw it in my head, but now everyone can see it that way!
- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHAo8LtehAhL0gheoRAgZIAJ47hMvAQiEBCFawAwEKV/1Ey8rdXACdHpPr
ITvLw1be92rhkWucYYOSP7k=
=4wK7
-----END PGP SIGNATURE-----

From mwollenweber at gmail.com Wed Oct 3 00:52:57 2007
From: mwollenweber at gmail.com (matthew wollenweber)
Date: Wed, 3 Oct 2007 00:52:57 -0400
Subject: [Dailydave] SIGINT and Telecommunications Intercept Capability of Cambodia
In-Reply-To:
References:
Message-ID: <42210a440710022152k5912a70es8ab7e3efe332e25a@mail.gmail.com>

It really depends on what you mean. It's not too hard to get a receiver that can pick up GSM signals. Converting it to digital is a bit harder. Frequency hopping.... getting expensive. Encryption -- depends on the version of GSM, I think. But you're talking about a nation state and as people said, almost any nation state could replace your phone with custom hardware. Similarly they can just query the telephone company.

I think the more fundamental question is: can they possibly process a reasonable amount of voice traffic for a large number of users? Data mining itself is a monumental challenge. Converting (cellular) audio to something that can be stored and analyzed in a reasonable manner is a huge endeavour.

My final thought is that if you pissed someone off and they're targeting you, then you're screwed. If you think the government is processing everyone's cell calls -- I doubt they're doing it effectively.

On 10/1/07, Felix Dzerzhinsky wrote:
>
> Can anybody point me to a reliable source of information regarding the
> capability of the security forces in Cambodia to intercept GSM phones?
>
> I am talking about military SIGINT or police wiretapping here.
>
> Legally the police have the right to do so but do they have the technical
> capability?
--
Matthew Wollenweber
mwollenweber at gmail.com | mjw at cyberwart.com
www.cyberwart.com

From sf003 at gmx.net Wed Oct 3 08:54:47 2007
From: sf003 at gmx.net (John Dohrr)
Date: Wed, 03 Oct 2007 14:54:47 +0200
Subject: [Dailydave] Usenix w00t (ddz)
Message-ID: <20071003125447.306890@gmx.net>

> I was checking out Dino's Usenix paper a couple days ago, and a few questions stuck in my head.
> http://www.usenix.org/events/woot07/tech/full_papers/daizovi/daizovi_html/

Um, nothing new here. I recall seeing this kind of thing (ElGamal + DES + ptrace(2) games to prevent tracing) back in the days of SunOS 4.1.3. Unfortunately, on a SPARC 2, _any_ kind of encryption introduces a CPU hit, so it was relatively easy to tell that something was up. A sploit was used to transfer the encryption 'client' across (primary payload), which was then used to conceal whatever (secondary) rootkit was installed[1].

From my experience with openssl, things change regularly enough to ensure that using the OS' crypto libraries is more pain than it's worth. You might get away with just using the bigint routines, and rolling the rest yourself....

J.

[1] Interestingly enough, I know of at least one rootkit in the wild that uses a bastardised EKE/SPEKE protocol to authenticate connections to the backdoor and prevent MITM attacks.
From dave at immunityinc.com Wed Oct 3 09:31:48 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Wed, 03 Oct 2007 09:31:48 -0400
Subject: [Dailydave] XFS Byte Swapping Fun
Message-ID: <470399C4.7040409@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=602

So we got x86 Solaris support into MOSDEF just in time - this morning I noticed that iDefense's Sean Larsson has released an advisory on XFS. We've put a working remote exploit for Solaris into CANVAS Early Updates[1]. Good default anonymous remotes don't come out every day. Solaris is still all over the place so this sort of thing is quite interesting.

With a fairly different bug like this one, it's always fun to see how everyone else exploits the byte-swapping primitive. Sinan Eren's way of doing it is cool, but I certainly never would have thought of it.

- -dave

[1] http://www.immunityinc.com/products-early_updates.shtml - 9K per quarter - that's about one dollar a Solaris box if you do enough pen-tests! :>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHA5nDtehAhL0gheoRAjiJAJ9i59lkvJbjIKUKhZN7Qae0iFbLCgCfWIhb
sjCEtziVBmH+LGL/niUJ6xw=
=faNC
-----END PGP SIGNATURE-----

From dan57170 at yahoo.com Wed Oct 3 12:58:02 2007
From: dan57170 at yahoo.com (H. Daniel Regalado Arias)
Date: Wed, 3 Oct 2007 09:58:02 -0700 (PDT)
Subject: [Dailydave] Debugging the false alarm problem.
Message-ID: <315181.71517.qm@web30206.mail.mud.yahoo.com>

Hi Dave and Friends!!!

Is there a way to bypass magic_quotes_gpc on a PHP app, in order to execute SQL injection on a Microsoft SQL Server? I can't use ' (single quotes) 'cause they are converted to \', I also tried %27, ', but nothing happens.

Thanks!!!

H.
Daniel Regalado Arias, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com

----- Original Message ----
From: Dave Aitel
To: dailydave at lists.immunitysec.com
Sent: Thursday, September 27, 2007 12:03:23
Subject: [Dailydave] Debugging the false alarm problem.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A couple days ago the fire alarm in my building went off at midnight. It was about four hundred decibels since they install a loudspeaker in each apartment. So I trundled over to the other bedroom, got the screaming one year old, and moved him into a room where the sound was quietest, and then closed the door and played with him for the half hour it took them to turn the noise off. Later on I called my friend who's on the board of the building, and he was like "Why didn't you come downstairs? It was everyone in their nightgowns in the lobby."

The answer is that every previous fire alarm (and there have been many) has been a false positive. And I didn't realize it would be a hilarious nighttime parade, of course. This one was a false alarm as well, just a longer false alarm than usual.

Anyways, the same thing happens pretty much every time I see anyone run any VA tool, be it web, traditional network VA, or source code analysis, or whatever. They all have false positive results through the roof (which is on fire, naturally).

For web VA I'm trying to switch completely to using Immunity Debugger, and having it XML-RPC SPIKE Proxy any time certain API filters are hit, for example, CreateFile(). This lets you watch in real time if your file include attacks are working, or path traversal, or whatever. With this kind of real feedback from the remote app you can make much more educated guesses about the filters' effects on the strings you are passing in. The whole "pass a ton of stuff into a query until you think you have blind-sql-injection" game is very hit-or-miss in my experience.
It's much easier to hook the database APIs and look to see if you can evade the filters directly.

Essentially I want to take all the other tools we have in our bucket, and attach a debugger to them and make them 100 times better. I want to have CANVAS building and deploying custom trojans based on static analysis of executables on the target's hard drive, for example.

A while back Mark Curphey asked on his weblog what it was that made good hackers so much better than average hackers. I would posit that no good hacker works alone. The question should be "What makes good teams better than average teams?". And part of the answer is going to be Immunity Debugger.

- -dave

[1] http://securitybuddha.com/2007/08/29/the-security-genome-understanding-how-people-find-security-bugs/
"""
Really good people (and you know who you are) can find a far greater proportion of bugs in a far shorter time than you may extrapolate from a linear intellect curve. Do they think harder or have a natural gift for making security decisions? I think the latter, also a topic of a good dinner conversation.
"""

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG++JZtehAhL0gheoRAm7VAJsHiUH33sEO4Vjd/jbazev+zWYLAQCfcBPs
Uhgf4p8o5qo0FDjBaVa0408=
=eWYO
-----END PGP SIGNATURE-----

From kristian.hermansen at gmail.com Wed Oct 3 21:04:51 2007
From: kristian.hermansen at gmail.com (Kristian Erik Hermansen)
Date: Wed, 3 Oct 2007 18:04:51 -0700
Subject: [Dailydave] argeniss and vulndisco thoughts?
Message-ID:

Hi all,

I have been a user of CANVAS since 2005 with vulndisco, however, I will be doing some pen tests using argeniss 0day pack soon.
I just wanted to get any thoughts on which package anyone has found more useful and why. Any input is appreciated, and I am also glad to share with you my experience using canvas/vulndisco as well...
--
Kristian Erik Hermansen

From secadmin at netsecdesign.com Wed Oct 3 22:28:37 2007
From: secadmin at netsecdesign.com (Security Admin (NetSec))
Date: Wed, 3 Oct 2007 19:28:37 -0700
Subject: [Dailydave] Checkpoint FW-1 buffer overflows
Message-ID: <8D870AB38C30EC4C848A11A3F83D20D80646BAA3A2@exchange2007.mmicmanhomenet.local>

Reference link http://www.pentest.es/checkpoint_hack.pdf

Did not read the entire 219 page report, but from the initial perusing it looks like good work. Begs the question if this is an inherent issue with architecture (Checkpoint installed on top of another OS) or if other popular security products like Juniper Netscreen or Cisco PIX/ASA have similar issues.

Edward W. Ray

From admin at gleg.net Thu Oct 4 01:30:38 2007
From: admin at gleg.net (admin at gleg.net)
Date: Wed, 03 Oct 2007 23:30:38 -0600
Subject: [Dailydave] argeniss and vulndisco thoughts?
In-Reply-To:
References:
Message-ID: <20071003233038.6pa05slnsos4s0kw@gleg.net>

Hi,

> Hi all,
>
> I have been a user of CANVAS since 2005 with vulndisco, however, I
> will be doing some pen tests using argeniss 0day pack soon. I just
> wanted to get any thoughts on which package anyone has found more
> useful and why. Any input is appreciated, and I am also glad to share
> with you my experience using canvas/vulndisco as well...
> --

Cesar Cerrudo with his team did the amazing work. When developing exploits for Argeniss 0day Pack, we are trying to keep the focus on database exploits and well-known software vendors such as Novell, IBM, Oracle. Some of the exploits which we added to Argeniss 0day Pack during the last several months: Novell eDirectory DoS, IBM Tivoli Directory DoS, RealNetworks Helix Server heap overflow.
--
Best regards,
Evgeny Legerov
PGP key: http://gleg.net/key.asc

From rodrigo at kernelhacking.com Thu Oct 4 07:29:32 2007
From: rodrigo at kernelhacking.com (Rodrigo Rubira Branco (BSDaemon))
Date: Thu, 4 Oct 2007 11:29:32 -0000
Subject: [Dailydave] Checkpoint FW-1 buffer overflows
Message-ID: <20071004142932.6CA038BD8D@mail.fjaunet.com.br>

Well, it's interesting, but does not show the truth ;)

First of all, the binaries shown are not suid, and for sure, cpshell is a root process that interfaces with the binaries, but they haven't shown:
- If it drops the privileges
- If it does not handle parameters ;)

Also, when you see the TOE, he showed the phrase where it says: "trusted admins", which means the system has no local protection against intruders. Also in the TOE it is clear that the OS itself is not the target for the tests.

Blergh, enough. exec-shield can randomize the binary if it's PIE, that's not the case of this 'customized' redhat... interesting to say, it's a really modified redhat, mainly to load the checkpoint kernel module (he said in the article it's a default redhat)...

Anyway, it's a good article for people who want to understand how to exploit exec-shielded systems ;)

cya,

Rodrigo (BSDaemon).

--
http://www.kernelhacking.com/rodrigo
Kernel Hacking: If i really know, i can hack
GPG KeyID: 1FCEDEA1

--------- Original Message --------
From: Security Admin NetSec
To: dailydave at lists.immunitysec.com
Subject: [Dailydave] Checkpoint FW-1 buffer overflows
Date: 04/10/07 10:09

>
> Reference link http://www.pentest.es/checkpoint_hack.pdf
>
> Did not read the entire 219 page report, but from the initial perusing looks like good work. Begs the question if this is an inherent issue with architecture (Checkpoint installed on top of another OS) or if other popular security products like Juniper Netscreen or Cisco PIX/ASA have similar issues.
>
> Edward W. Ray

From Brian at cms.ca Thu Oct 4 10:02:52 2007
From: Brian at cms.ca (Brian Bourne)
Date: Thu, 4 Oct 2007 10:02:52 -0400
Subject: [Dailydave] Canada's Response to Black Hat - SecTor 2007
Message-ID: <380B85787FC2034A95BD1D826F0A152936E6B8@MAIL01.corp.cms.ca>

www.SecTor.ca - Join world IT Security experts at Security Education Conference Toronto, running two full days, November 20-21. Collaborate with your peers and learn from the likes of Ira Winkler, Steve Riley, Johnny Long, Mark Fabro, Dan Kaminsky, Kevin Mandia, Renderman and Joanna Rutkowska. This is hardcore security education, not a vendor fair. SecTor is bringing the world's brightest (and darkest) minds together to identify, discuss, dissect and debate the latest digital threats facing corporations today. Visit the site for more details.

From alex at sotirov.net Thu Oct 4 14:18:37 2007
From: alex at sotirov.net (Alexander Sotirov)
Date: Thu, 4 Oct 2007 11:18:37 -0700
Subject: [Dailydave] Canada's Response to Black Hat - SecTor 2007
In-Reply-To: <380B85787FC2034A95BD1D826F0A152936E6B8@MAIL01.corp.cms.ca>
References: <380B85787FC2034A95BD1D826F0A152936E6B8@MAIL01.corp.cms.ca>
Message-ID: <20071004181837.GA21739@dsl093-068-003.sfo1.dsl.speakeasy.net>

Isn't Canada's response to BlackHat called CanSecWest?

Alex

From lists at bughunter.ca Thu Oct 4 23:44:15 2007
From: lists at bughunter.ca (J.M. Seitz)
Date: Thu, 4 Oct 2007 20:44:15 -0700
Subject: [Dailydave] Canada's Response to Black Hat - SecTor 2007
In-Reply-To: <20071004181837.GA21739@dsl093-068-003.sfo1.dsl.speakeasy.net>
Message-ID: <022701c80702$00b7be70$6207a8c0@jseitz>

Damnit, I was just about to say CanSecWest is here in BC every year and it's the business! SecTor is relatively new but I wouldn't say it stacks up with BH/CSW.

> Isn't Canada's response to BlackHat called CanSecWest?
>
> Alex
>

From dave at immunityinc.com Fri Oct 5 16:37:52 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Fri, 05 Oct 2007 16:37:52 -0400
Subject: [Dailydave] Fuzzing Book Review
Message-ID: <4706A0A0.1050308@immunityinc.com>

Here's my Amazon.com review:
http://www.amazon.com/Fuzzing-Brute-Force-Vulnerability-Discovery

"""
In this book the authors do a number of things that are worth reading:
o Document how and why SPIKE works (and implement their own block-based fuzzer sulley)
o Go through the process of writing a .flv fuzzer
o Go through the process of writing a Python ActiveX fuzzer, which was probably my favorite part.
o Talk about the downsides of various kinds of fuzzing. For example, when is fuzzing with a genetic algorithm not the right thing to do?

That alone made this a great book.
"""

I was chatting here with Adam about it and there's some good stuff in it completely unrelated to fuzzing that is quite useful. For example, the part on how to really use VMWare to do the exact sorts of things everyone wants to do.

Anyways, so that's my book review for Friday. Next week is another book by an academic on information warfare. I'd like to play this drinking game where you drink fine Appleton rum when the author quotes either Sun Tzu or OODA loops, or both. Pretty much when you're quoting OODA loops you know you're going the wrong direction. A flowchart does not a valuable epiphany make.
-dave

From tedi.heriyanto at gmail.com Sat Oct 6 05:12:03 2007
From: tedi.heriyanto at gmail.com (Tedi Heriyanto)
Date: Sat, 6 Oct 2007 16:12:03 +0700
Subject: [Dailydave] Fuzzing Book Review
In-Reply-To: <4706A0A0.1050308@immunityinc.com>
References: <4706A0A0.1050308@immunityinc.com>

Dave, I got the following error page when trying to access the URL you gave:

===
Looking for something?
We're sorry. The Web address you entered is not a functioning page on our site

On 10/6/07, Dave Aitel wrote:
> Here's my Amazon.com review:
> http://www.amazon.com/Fuzzing-Brute-Force-Vulnerability-Discovery

--
cheers,
tedi

Blog : http://theriyanto.wordpress.com
Website : http://tedi.heriyanto.net
You Need More Than Awareness : Stay Alert!

From peterw at firstbase.co.uk Sun Oct 7 03:03:35 2007
From: peterw at firstbase.co.uk (Peter Wood)
Date: Sun, 07 Oct 2007 08:03:35 +0100
Subject: [Dailydave] Fuzzing Book Review
References: <4706A0A0.1050308@immunityinc.com>
Message-ID: <20071007065342.364F0239F29@lists.immunitysec.com>

Try this:
http://www.amazon.com/Fuzzing-Brute-Force-Vulnerability-Discovery/dp/0321446119/

regards
Pete

At 16:12 06/10/2007 +0700, Tedi Heriyanto wrote:
>Dave, I got the following error page when trying to access the URL you gave:
>
>===
>Looking for something?
>We're sorry.
>The Web address you entered is not a functioning page on our site
>
>
>On 10/6/07, Dave Aitel wrote:
>> Here's my Amazon.com review:
>> http://www.amazon.com/Fuzzing-Brute-Force-Vulnerability-Discovery

----------------------------------------------------------------------------------
Peter Wood FBCS CITP FIMIS MIEEE CISSP A.Inst.ISP
Chief of Operations
First Base Technologies
tel: +44 1273 454525
mob: +44 7774 239915
www.fbtechies.co.uk
www.white-hats.co.uk
www.peterwood.com

From nicolas.beauchesne at polymtl.ca Sun Oct 7 13:34:08 2007
From: nicolas.beauchesne at polymtl.ca (Nicolas Beauchesne)
Date: Sun, 07 Oct 2007 10:34:08 -0700
Subject: [Dailydave] Canada's Response to Black Hat - SecTor 2007
In-Reply-To: <022701c80702$00b7be70$6207a8c0@jseitz>
References: <022701c80702$00b7be70$6207a8c0@jseitz>
Message-ID: <048139AC-153A-4F7C-94F6-7146099AC27A@polymtl.ca>

There is also Recon on the Canadian east coast. However, it's smaller than CansecWest and mostly oriented toward Reverse engineering.

http://recon.cx/

-nic

On Oct 4, 2007, at 8:44 PM, J.M. Seitz wrote:
> Damnit, I was just about to say CanSecWest is here in BC every year
> and it's
> the business! SecTor is relatively new but I wouldn't say it stacks
> up with
> BH/CSW.
>
>> Isn't Canada's response to BlackHat called CanSecWest?
>>
>> Alex
>>
>

From joanna at invisiblethings.org Sun Oct 7 13:55:48 2007
From: joanna at invisiblethings.org (Joanna Rutkowska)
Date: Sun, 07 Oct 2007 19:55:48 +0200
Subject: [Dailydave] What Car Does Dave Drive?
Message-ID: <47091DA4.2080300@invisiblethings.org>

If you want to know the answer:

http://www.darkreading.com/document.asp?doc_id=135564&WT.svl=news1_2

One thing I don't quite get though:

"We'll analyze a random printer DLL you have installed, write an exploit, and use that on your network," he says, to help companies better secure their environments.

While I greatly respect skills needed to write sophisticated exploits, I still don't see how exploit writing could be used to secure anything...?

You can, of course, use exploits to test some security products (e.g. an IPS), but here we're talking about exploits for bugs in some custom code. Many of us will agree that IPS are useless in this case, almost by definition, and I think that Dave is one that will agree most eagerly (search for IDS-related threads on this list). So, testing an IPS against custom exploits for bugs in the custom code seems pretty much useless, no?

The question is then: how do you convince a client to pay you not only for code audit (no doubt it's useful) but also to write an exploit for each bug you find? I *really* would love to know the answer :)

Having said that all, I need to stress that I can't overestimate the (educational) value of exploit writing for the whole IT security field -- one might not be following the latest trends in heap exploits for RPC thingis, but if one never wrote and understood an exploit there's quite a big chance that they simply "don't get it all". It's just I don't see how individual companies would be interested in paying somebody for preparing "educational material" for other researchers?

joanna.
From lists at bughunter.ca Sun Oct 7 14:33:35 2007
From: lists at bughunter.ca (J.M. Seitz)
Date: Sun, 7 Oct 2007 11:33:35 -0700
Subject: [Dailydave] Canada's Response to Black Hat - SecTor 2007
In-Reply-To: <048139AC-153A-4F7C-94F6-7146099AC27A@polymtl.ca>
Message-ID: <02a701c80910$943ea7c0$6207a8c0@jseitz>

I spoke with Nish (co-worker of Hugo's) and it didn't sound like ReCon was going to happen this year... has anyone heard of anything coming up for '08?

JS

> -----Original Message-----
> From: Nicolas Beauchesne [mailto:nicolas.beauchesne at polymtl.ca]
> Sent: Sunday, October 07, 2007 10:34 AM
> To: J.M. Seitz
> Cc: 'Alexander Sotirov'; dailydave at lists.immunitysec.com
> Subject: Re: [Dailydave] Canada's Response to Black Hat - SecTor 2007
>
> There is also Recon on the Canadian east coast.
> However, it's smaller than CansecWest and mostly oriented
> toward Reverse engineering.
>
> http://recon.cx/
>
> -nic
>
> On Oct 4, 2007, at 8:44 PM, J.M. Seitz wrote:
>
> > Damnit, I was just about to say CanSecWest is here in BC every year
> > and it's the business! SecTor is relatively new but I
> > wouldn't say it
> > stacks up with BH/CSW.
> >
> >> Isn't Canada's response to BlackHat called CanSecWest?
> >>
> >> Alex
> >>
> >

From shadown at gmail.com Mon Oct 8 05:09:36 2007
From: shadown at gmail.com (shadown)
Date: Mon, 08 Oct 2007 11:09:36 +0200
Subject: [Dailydave] What Car Does Dave Drive?
In-Reply-To: <47091DA4.2080300@invisiblethings.org>
References: <47091DA4.2080300@invisiblethings.org>
Message-ID: <4709F3D0.10003@gmail.com>

Hi Joanna,

This is an interesting topic. (not the car thing of course :P)

Some customers (if not most of them) know that security is something critical for them, but in the end most of them just don't really get it. I mean, they don't realize how bad things could go, and they tend to under-rate security problems because there's no public exploit, or just because they think that exploiting the issue is either impossible or so difficult that they underestimate and lower the bar to the point that they don't even fix the problem.

I do believe that developing custom exploits makes people understand that they have to fix the problems with no excuses.

Actually this is very valid when it comes to demo 'pown'ability and pivoting of/from:
- Network Printers
- Appliances
- DSL routers
- Voip devices
- a large etc

As many of them are developed on different CPUs and modified OSs (some of them proprietary), showing what could be done is very eye-opening for the customers.

My 2 cents.
Cheers,
Sergio

Joanna Rutkowska wrote:
> If you want to know the answer:
>
> http://www.darkreading.com/document.asp?doc_id=135564&WT.svl=news1_2
>
> One thing I don't quite get though:
>
>
> "We'll analyze a random printer DLL you have installed, write an
> exploit, and use that on your network," he says, to help companies
> better secure their environments.
>
>
> While I greatly respect skills needed to write sophisticated exploits, I
> still don't see how exploit writing could be used to secure anything...?
>
> You can, of course, use exploits to test some security products (e.g. an
> IPS), but here we're talking about exploits for bugs in some custom
> code. Many of us will agree that IPS are useless in this case, almost by
> definition, and I think that Dave is one that will agree most eagerly
> (search for IDS-related threads on this list). So, testing an IPS
> against custom exploits for bugs in the custom code seems pretty much
> useless, no?
>
> The question is then: how do you convince a client to pay you not only for
> code audit (no doubt it's useful) but also to write an exploit for each
> bug you find? I *really* would love to know the answer :)
>
> Having said that all, I need to stress that I can't overestimate the
> (educational) value of exploit writing for the whole IT security field
> -- one might not be following the latest trends in heap exploits for
> RPC thingis, but if one never wrote and understood an exploit there's
> quite a big chance that they simply "don't get it all". It's just I
> don't see how individual companies would be interested in paying
> somebody for preparing "educational material" for other researchers?
>
> joanna.
--
Sergio Alvarez
Security, Research & Development
IT Security Consultant
email: shadown at gmail.com

From Brian at cms.ca Mon Oct 8 19:49:14 2007
From: Brian at cms.ca (Brian Bourne)
Date: Mon, 8 Oct 2007 19:49:14 -0400
Subject: [Dailydave] Canada's Response to Black Hat - SecTor 2007
Message-ID: <380B85787FC2034A95BD1D826F0A152936E726@MAIL01.corp.cms.ca>

Here's the list of Canadian Security events:

- CanSecWest - (I've never managed to make it) But as far as I know, it's well established and respected, but a bit more hacker-ish and a bit less corporate-friendly than BlackHat. Correct me if I'm wrong, but I suspect it runs the line between a BlackHat and a ShmooCon with a leaning to ShmooCon. It's also on the west coast in April, so I think it fills out the year and country nicely if both CanSecWest and SecTor do well! Actually, if the organizers wanna contact me, we can do some cross-promotion.
- InfoSecurity Canada - A tradeshow with some conference sessions filled with vendor speakers.
- ReCon - Reverse Engineering focus
- West Coast Security Forum - they keep trying hard, but somehow manage to consistently upset sponsors and attendees equally.

With SecTor we're really trying to model more after BH. A depth look at threats, but in a corporately friendly sort of way. We're pulling together both the best speakers from abroad and from Canada. Actually, I was pleasantly surprised how many good security researchers live in Canada! I've also been very pleased with the support of all the speakers. Take a look at 'em at http://www.sector.ca/speakers.htm

Complete tangent, but if anyone is coming up for SecTor, come for the Monday night IT Security Week party at Steam Whistle - free to attendees, and it's gonna be a blast!
(www.itsecurityweek.ca)

/bb

From grutz at jingojango.net Mon Oct 8 20:00:53 2007
From: grutz at jingojango.net (Kurt Grutzmacher)
Date: Mon, 8 Oct 2007 17:00:53 -0700
Subject: [Dailydave] What Car Does Dave Drive?
In-Reply-To: <4709F3D0.10003@gmail.com>
References: <47091DA4.2080300@invisiblethings.org> <4709F3D0.10003@gmail.com>
Message-ID: <34677d400710081700i45f5a8e8r77222aa29425ed32@mail.gmail.com>

This is where "Threat Management" comes into play I believe, and is something InfoSec groups outside of critical infrastructure have not done well. Hell, even critical infrastructures don't execute it in a super fantastic way either!

There's a lot of dynamic data to consider when assessing the threat risk. Being able to show that a vulnerability report for some external product which is "vague" or an internally developed app can have an exploit developed helps the threat process. It takes the whole "public exploit available" argument to a different level so you can focus on the suspected DIFFICULTY of exploiting a system and what it would take to develop said exploit. If you believe it takes the financial strength of a nation state to develop an exploit against a MILSPEC system then you are a little closer to understanding the threat to said system.

There are many more categories to answer but difficulty of exploit development shouldn't be a difficult answer, especially if you have staff who understand what it takes to develop AND the complexity of your environment.

There are no absolutes in this industry other than you're absolutely going to be targeted at some point. Being accurate in your assumptions helps and having the basic knowledge of exploit development, including how your protections may attempt to guard against the execution, is something all InfoSec groups should do. After all, know your enemy. :)

On 10/8/07, shadown wrote:
> Hi Joanna,
>
> This is an interesting topic.
> (not the car thing of course :P)
> Some customers (if not most of them) know that security is something
> critical for them, but in the end most of them just don't really get it.
> I mean, they don't realize how bad things could go, and they tend to
> under-rate security problems because there's no public exploit, or just
> because they think that exploiting the issue is either impossible or so
> difficult that they underestimate and lower the bar to the point that they
> don't even fix the problem.
> I do believe that developing custom exploits makes people understand
> that they have to fix the problems with no excuses.
> Actually this is very valid when it comes to demo 'pown'ability and
> pivoting of/from:
> - Network Printers
> - Appliances
> - DSL routers
> - Voip devices
> - a large etc
>
> As many of them are developed on different CPUs and modified OSs (some
> of them proprietary), showing what could be done is very eye-opening
> for the customers.
>
> My 2 cents.
> Cheers,
> Sergio
>
>
> Joanna Rutkowska wrote:
> > If you want to know the answer:
> >
> > http://www.darkreading.com/document.asp?doc_id=135564&WT.svl=news1_2
> >
> > One thing I don't quite get though:
> >
> >
> > "We'll analyze a random printer DLL you have installed, write an
> > exploit, and use that on your network," he says, to help companies
> > better secure their environments.
> >
> >
> > While I greatly respect skills needed to write sophisticated exploits, I
> > still don't see how exploit writing could be used to secure anything...?
> >
> > You can, of course, use exploits to test some security products (e.g. an
> > IPS), but here we're talking about exploits for bugs in some custom
> > code. Many of us will agree that IPS are useless in this case, almost by
> > definition, and I think that Dave is one that will agree most eagerly
> > (search for IDS-related threads on this list).
> > So, testing an IPS
> > against custom exploits for bugs in the custom code seems pretty much
> > useless, no?
> >
> > The question is then: how do you convince a client to pay you not only for
> > code audit (no doubt it's useful) but also to write an exploit for each
> > bug you find? I *really* would love to know the answer :)
> >
> > Having said that all, I need to stress that I can't overestimate the
> > (educational) value of exploit writing for the whole IT security field
> > -- one might not be following the latest trends in heap exploits for
> > RPC thingis, but if one never wrote and understood an exploit there's
> > quite a big chance that they simply "don't get it all". It's just I
> > don't see how individual companies would be interested in paying
> > somebody for preparing "educational material" for other researchers?
> >
> > joanna.
>
> --
> Sergio Alvarez
> Security, Research & Development
> IT Security Consultant
> email: shadown at gmail.com
>

From paul at xelerance.com Tue Oct 9 00:10:17 2007
From: paul at xelerance.com (Paul Wouters)
Date: Tue, 9 Oct 2007 00:10:17 -0400 (EDT)
Subject: [Dailydave] What Car Does Dave Drive?
In-Reply-To: <47091DA4.2080300@invisiblethings.org>
References: <47091DA4.2080300@invisiblethings.org>

On Sun, 7 Oct 2007, Joanna Rutkowska wrote:

>
> "We'll analyze a random printer DLL you have installed, write an
> exploit, and use that on your network," he says, to help companies
> better secure their environments.
>
>
> While I greatly respect skills needed to write sophisticated exploits, I
> still don't see how exploit writing could be used to secure anything...?
The car is a red herring! Dave is actually a tree hugging hippie, convincing all the large corporations that have printers to go to a "paperless office".

Paul

From dave at immunityinc.com Tue Oct 9 10:25:54 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 09 Oct 2007 10:25:54 -0400
Subject: [Dailydave] From blackbox to grey-box during Web App tests
Message-ID: <470B8F72.4000108@immunityinc.com>

So Fortify has this out - it's interesting, but I think it's not what I want. Has anyone used it?

http://www.fortifysoftware.com/products/tracer/

I dunno why everyone gets so hung up on metrics when they should be going for the jugular.

What I want is to use SPIKE Proxy and while I'm testing the web app have every CreateProcess and SQL Statement fed to me and then have a filter so I can look only at what I care about (and avoid spamming their network too much - especially on busy sites).

Theoretically you could then write something that autodetected and bypassed filters and automated getting you your SQL injection in the first place. And you would have at least one eye in the land of the blind SQL Injection.

It's probably more work to write this email than write up the code using Immunity Debugger and SPIKE Proxy, so maybe I'll just go off and do that.

-dave

From dtangent at defcon.org Mon Oct 8 21:59:47 2007
From: dtangent at defcon.org (The Dark Tangent)
Date: Mon, 08 Oct 2007 18:59:47 -0700
Subject: [Dailydave] Black Hat Tokyo + DC and Europe CfPs now open.
Message-ID: <200710092310.l99NA5ew009062@colossus.datamerica.com>

Hey Guys, here is the latest generic announcement. Note the focus of D.C. this year will be on attacks and wireless in all its many splendored glory.
---

We've finalized the speaker lineup for Black Hat Japan 2007, and we're looking forward to a great show. Attendees will be treated to a roster with more variety and depth than ever. The schedule and speaker bios are available on-line at:

http://www.blackhat.com/html/bh-japan-07/bh-jp-07-en-schedule.html
http://www.blackhat.com/html/bh-japan-07/bh-jp-07-en-speakers.html

As always, we've worked hard to create a show with timely, technical content and a broad range of topics. Some highlights of this year's program include:

* A talk from Pedram Amini and Aaron Portnoy from Tipping Point about the Sulley fuzzing framework - a game changing, free, highly automated fuzzing suite.
* A talk from Halvar Flake, world-class reverse engineer and one of Black Hat's most sought-after speakers entitled "Automated Unpacking and Malware Classification."
* Brandon Baker of Microsoft will be speaking on the very timely topic of the security model of Windows Server Virtualization in Windows Server 2008.

Please bear in mind that on-line registration closes October 15, and it is a good idea to sign up now to avoid waiting in the long on site registration lines.

The Briefings will once again be held in the Keio Plaza Hotel in Tokyo, on Thursday, October 25 and Friday, October 26. On site registration begins at 09:00 both days.

In other news:

Presentations and white papers from Black Hat USA 2007 are on line, with audio and video coming soon. To know as soon as new content comes on-line, subscribe to our RSS feed at http://www.blackhat.com/BlackHatRSS.xml

The Black Hat D.C. and Black Hat Amsterdam Call for Papers is now open. The focus this year for Black Hat D.C. will be both on Offensive tools, techniques, and related technology as well as wireless and near field security. A more detailed CfP will be released next week.

https://cfp.blackhat.com/

See you in Tokyo!
Jeff Moss

From andreg at gmail.com Tue Oct 9 19:13:44 2007
From: andreg at gmail.com (Andre Gironda)
Date: Tue, 9 Oct 2007 19:13:44 -0400
Subject: [Dailydave] From blackbox to grey-box during Web App tests
In-Reply-To: <470B8F72.4000108@immunityinc.com>
References: <470B8F72.4000108@immunityinc.com>
Message-ID: <2fd9390e0710091613t60f06306l65b6b8b4e474f942@mail.gmail.com>

On 10/9/07, Dave Aitel wrote:
> So Fortify has this out - it's interesting, but I think it's not what
> I want. Has anyone used it?
> http://www.fortifysoftware.com/products/tracer/

I know one person outside of Fortify who gave me feedback on Tracer. Did you see the Iron Chef at BH-US-07? Ouncelabs has a bounty out to OWASP on a similar tool they call Blacktop.

> I dunno why everyone gets so hung up on metrics when they should be
> going for the jugular.

You are right. The problem Tracer is trying to solve is simply knowledge of code coverage on inputs. The real problem we ideally want to see solved is the ability to use this coverage to create a fuzzer tracker - which would use the coverage results to improve time between findings by predicting which inputs/outputs can be exploited.

> What I want is to use SPIKE Proxy and while I'm testing the web app
> have every CreateProcess and SQL Statement fed to me and then have a
> filter so I can look only at what I care about (and avoid spamming
> their network too much - especially on busy sites).

It sounds like you want a web file and SQL aware proxy fuzzer. The one that comes with taof is suitable, as is the internal DVLabs proxy fuzzer.

> Theoretically you could then write something that autodetected and
> bypassed filters and automated getting you your SQL injection in the
> first place. And you would have at least one eye in the land of the
> blind SQL Injection.

There are a few open-source tools such as JDBC Spy or possibly FileMon which contain code or examples useful in this effort.
> It's probably more work to write this email than write up the code
> using Immunity Debugger and SPIKE Proxy, so maybe I'll just go off and
> do that.

beSTORM is also working on something similar that could be complete at this point. They wanted it to be a DirBuster type proxy tool in addition to SQL.

Cheers,
Andre

From tqbf at matasano.com Wed Oct 10 12:28:16 2007
From: tqbf at matasano.com (Thomas Ptacek)
Date: Wed, 10 Oct 2007 11:28:16 -0500
Subject: [Dailydave] From blackbox to grey-box during Web App tests
In-Reply-To: <470B8F72.4000108@immunityinc.com>
References: <470B8F72.4000108@immunityinc.com>
Message-ID: <1df0a410710100928w532724c8k666de0805da50a7f@mail.gmail.com>

It's nice that they're doing this for JVM, but isn't this exactly what PaiMei and BinNavi (and, if you want to get snarky, gcov) do for native binaries?

Can someone help me understand what web app magic this tool adds?

On 10/9/07, Dave Aitel wrote:
> So Fortify has this out - it's interesting, but I think it's not what
> I want. Has anyone used it?
>
> http://www.fortifysoftware.com/products/tracer/
>
> I dunno why everyone gets so hung up on metrics when they should be
> going for the jugular.
>
> What I want is to use SPIKE Proxy and while I'm testing the web app
> have every CreateProcess and SQL Statement fed to me and then have a
> filter so I can look only at what I care about (and avoid spamming
> their network too much - especially on busy sites).
>
> Theoretically you could then write something that autodetected and
> bypassed filters and automated getting you your SQL injection in the
> first place. And you would have at least one eye in the land of the
> blind SQL Injection.
>
> It's probably more work to write this email than write up the code
> using Immunity Debugger and SPIKE Proxy, so maybe I'll just go off and
> do that.
>
> -dave
>

--
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log

From andre at operations.net Thu Oct 11 13:48:22 2007
From: andre at operations.net (Andre Gironda)
Date: Thu, 11 Oct 2007 12:48:22 -0500
Subject: [Dailydave] From blackbox to grey-box during Web App tests
In-Reply-To: <1df0a410710100928w532724c8k666de0805da50a7f@mail.gmail.com>
References: <470B8F72.4000108@immunityinc.com> <1df0a410710100928w532724c8k666de0805da50a7f@mail.gmail.com>
Message-ID: <2fd9390e0710111048v394fdb5au2d21ac47cf68fe9d@mail.gmail.com>

On 10/10/07, Thomas Ptacek wrote:
> It's nice that they're doing this for JVM, but isn't this exactly what
> PaiMei and BinNavi (and, if you want to get snarky, gcov) do for
> native binaries?

PaiMei and BinNavi are fuzzer trackers, as I explained. gcov is more of a basic line coverage tool, isn't it? See: http://bullseye.com/coverage.html

> Can someone help me understand what web app magic this tool adds?

Here is the presentation where I first learned about what Tracer actually does, inferring why it was created and what its uses are - http://www.blackhat.com/presentations/bh-europe-07/Kureha/Presentation/bh-eu-07-chess-kureha-ppt-apr19.pdf

Cheers,
Andre

From lists at bughunter.ca Fri Oct 12 10:54:34 2007
From: lists at bughunter.ca (J.M. Seitz)
Date: Fri, 12 Oct 2007 07:54:34 -0700
Subject: [Dailydave] From blackbox to grey-box during Web App tests
In-Reply-To: <2fd9390e0710111048v394fdb5au2d21ac47cf68fe9d@mail.gmail.com>
Message-ID: <00a501c80cdf$ce34db70$6207a8c0@jseitz>

> PaiMei and BinNavi are fuzzer trackers, as I explained.
> gcov is more of a basic line coverage tool, isn't it? See:
> http://bullseye.com/coverage.html

I can't speak for BinNavi, but PaiMei isn't just a fuzzer tracker; code coverage is useful from an RE perspective as well if you are trying to hone in on particular pieces of logic within a binary. DeMott's EFS relies heavily on PaiMei's code coverage abilities to determine fitness for its fuzzing runs, that's just an example. Gcov is a whitebox code coverage tool, and there are some interesting tools from Compuware that integrate directly into your VS 2005 environment to give you code coverage metrics.

I guess I am not too sure how useful that Tracer is. The more I have thought about it, the more I like Dave's idea of having a filter on the running server (database) that captures all SQL queries that made it into the server, and reporting the results back that match an injection. To take this a step further you could also hook into the application server itself and hook file creation, process creation, etc.

JS

From: adriel at netragard.com (Adriel Desautels)
Date: Fri, 12 Oct 2007 15:25:00 -0400
Subject: [Dailydave] From blackbox to grey-box during Web App tests
In-Reply-To: <470B8F72.4000108@immunityinc.com>
References: <470B8F72.4000108@immunityinc.com>
Message-ID: <470FCA0C.4090307@netragard.com>

Regarding SQL Injection: Why don't more people just use Parameterized Stored Procedures? Is it because there are implementation issues or because people don't know about them? What's your opinion?

Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45
---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security
From: dave.aitel at gmail.com (Dave Aitel)
Date: Sat, 13 Oct 2007 19:30:04 -0400
Subject: [Dailydave] No more Novell AppArmor?

http://www.news.com/8301-13580_3-9796140-39.html

"Two years after acquiring the company that developed the AppArmor security software for Linux, Novell has laid off team members behind the project, CNET News.com has learned."

Personally, I never got it to work. But I understand SOME people really like AppArmor...right? Does anyone really use it?

-dave

From: rodrigo at kernelhacking.com (Rodrigo Rubira Branco (BSDaemon))
Date: Sat, 13 Oct 2007 23:50:10 -0000
Subject: [Dailydave] No more Novell AppArmor?
Message-ID: <20071014025010.788EF8BD09@mail.fjaunet.com.br>

Hey Dave,

I believe after many fights, the AppArmor team cannot be kept by Novell... It is not good for Novell to keep a team who is always fighting against the Linux kernel guys, who are trying to go in the other way, imposing a project that cannot give EAL 4+ LSPP protection to the system and then give more market share to Novell.

Anyway, the best foundation that exists in AppArmor is the auto-learning system (since it's a really easy-to-use shit) because the sysadmins can use AppArmor (SELinux is always disabled at installation point ;) ).

cya,

Rodrigo (BSDaemon).

--
http://www.kernelhacking.com/rodrigo
Kernel Hacking: If i really know, i can hack
GPG KeyID: 1FCEDEA1

--------- Original Message --------
From: Dave Aitel
To: dailydave
Subject: [Dailydave] No more Novell AppArmor?
Date: 13/10/07 21:54
> Personally, I never got it to work. But I understand SOME people really like
> AppArmor...right? Does anyone really use it?

From: andre at operations.net (Andre Gironda)
Date: Sat, 13 Oct 2007 22:36:48 -0500
Subject: [Dailydave] No more Novell AppArmor?
Message-ID: <2fd9390e0710132036l4973c9c4oba346277a2648e77@mail.gmail.com>

On 10/13/07, Dave Aitel wrote:
> Personally, I never got it to work. But I understand SOME people really like
> AppArmor...right? Does anyone really use it?

It appears that Crispin Cowan will be at Toorcon talking about AppArmor: http://toorcon.org/2007/event.php?id=30

Appears to be going "community" model for "profile sharing"

dre

From: tqbf at matasano.com (Thomas Ptacek)
Date: Sun, 14 Oct 2007 08:56:18 -0500
Subject: [Dailydave] From blackbox to grey-box during Web App tests
In-Reply-To: <470FCA0C.4090307@netragard.com>
References: <470B8F72.4000108@immunityinc.com> <470FCA0C.4090307@netragard.com>
Message-ID: <1df0a410710140656j1bf2636aqc9bff0fc1009e91a@mail.gmail.com>

> Why don't more people just use Parameterized Stored Procedures? Is it
> because there are implementation issues or because people don't know
> about them? What's your opinion?

I wonder that too. Also, why don't people just not write integer overflows?
With the snark bit cleared, I'll point out: lots of projects use stored procedures, but have some patches of functionality (like query builders) that are easiest to write with raw SQL.

--
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log

From: kyle.c.quest at gmail.com (C Q)
Date: Sun, 14 Oct 2007 13:06:15 -0400
Subject: [Dailydave] From blackbox to grey-box during Web App tests
In-Reply-To: <1df0a410710140656j1bf2636aqc9bff0fc1009e91a@mail.gmail.com>
References: <470B8F72.4000108@immunityinc.com> <470FCA0C.4090307@netragard.com> <1df0a410710140656j1bf2636aqc9bff0fc1009e91a@mail.gmail.com>

Also, just because it's a parameterized stored procedure it doesn't automatically mean that it's immune to SQL injections (especially if you use dynamic SQL inside of those procedures). On top of that there are also dev-related reasons why some choose not to use stored procedures in general. Here are a few reasons:

1. They slow down the development process, making it harder to do the testing (overall application testing and the stored procedure testing).
2. Because of their procedural nature they are prone to code duplication (which some developers try to avoid).
3. Integration / configuration management overhead managing separate stored procedures and the main application code.
From: kyle.c.quest at gmail.com (C Q)
Date: Sun, 14 Oct 2007 14:00:36 -0400
Subject: [Dailydave] From blackbox to grey-box during Web App tests
In-Reply-To: <1df0a410710140656j1bf2636aqc9bff0fc1009e91a@mail.gmail.com>
References: <470B8F72.4000108@immunityinc.com> <470FCA0C.4090307@netragard.com> <1df0a410710140656j1bf2636aqc9bff0fc1009e91a@mail.gmail.com>

Other reasons why they are not used:

4. A huge pain to debug.
5. Not portable (this might be a big deal if you need to support multiple databases, in which case it'll mean having multiple versions of the same procedures for every database that needs to be supported).
6. Some developers simply don't want to add another layer and another language into the mix (because their projects are complex enough without the extra stored procedure headaches).

From: lists at bughunter.ca (J.M. Seitz)
Date: Sun, 14 Oct 2007 21:07:34 -0700
Subject: [Dailydave] From blackbox to grey-box during Web App tests
Message-ID: <002901c80ee0$eb01b540$6207a8c0@jseitz>

Ok well this is all interesting, but the real reason I believe is this: in a classic development environment, most developers don't have any raw database experience. Most DBAs are hired to ensure that there is a fully normalized (ahem), clustered, failed over, etc. database system. Most developers hate the DBAs and likewise :)

In order to really write an application that relies heavily on stored procs, you are really needing the experience of a DBA with a developer who understands the system; this is rare in the real world. Many times in my travels I have seen horrendous SQL code buried in the main application to achieve the same functionality as an update trigger; the only thing you can do is educate the dev and move on, there are bigger battles to fight in a QA/sec position.

Now much like the pull between deployment and development in any team, the pull between app-dev and DBA is going to be the same (in fact most DBAs are part of the deployment team). I don't think that stored procs aren't portable; each database system generally supports a middle-language to support cross-database development. The key is to find the right expertise to have baked cross-platform in to begin with, while they are at it [restore snarky bit] maybe they should start creating architecturally secure applications before the end of their scoping meetings as well :)

JS [clear snarky bit]

From: lists at bughunter.ca (J.M. Seitz)
Date: Sun, 14 Oct 2007 21:19:22 -0700
Subject: [Dailydave] No more Novell AppArmor?
Message-ID: <002e01c80ee2$90d958a0$6207a8c0@jseitz>

Oh lord, don't even get me started with the AppArmor/SELinux craziness. I can't remember if it was InfoSec magazine, but Crispin and some other dude went head to head on SELinux vs. AppArmor. By the end of the article it was clear that neither is really useful; they are impossible to configure correctly (something like 700+ policy lines for SELinux and httpd) and in most cases are shut off. I know it's policy where I come from to do a "setenforce 0" the minute we bring up a new machine :)

JS

From: dave at immunityinc.com (Dave Aitel)
Date: Mon, 15 Oct 2007 13:04:10 -0400
Subject: [Dailydave] Coverage and a recent paper by L. Suto
Message-ID: <47139D8A.5040001@immunityinc.com>

http://ha.ckers.org/files/CoverageOfWebAppScanners.pdf

He compared NTOSpider/Appscan/Webinspect - and NTOSpider "won".

Without the full vulnerability reports and the VMs of the vulnerable apps, I'm not going to dwell on the comparison of tools, except to say it's interesting, but I will say that all this focus on "code coverage" is a bit strange. Vulnerabilities, like fish, tend to cluster in particular places. Having 10% code coverage is perfectly ok if it's the code that has the bugs. And you can't see race conditions with code coverage tools.

Also, most of the value of instrumentation is that when built into your attack tool you get a real-time human-usable view into the guts of the application. This is why I don't think byte-code instrumentation has huge advantages over just hooking Win32 APIs. But I don't have a byte-code parser yet either.
:>

Speaking of race conditions, I'm happy to announce that Immunity has += Paul Starzetz (http://marc.info/?a=107032640300001&r=1&w=2).

-dave

From: knoble at terremark.com (Kevin Noble)
Date: Mon, 15 Oct 2007 13:07:35 -0400
Subject: [Dailydave] Use of AppArmor
Message-ID: <5BA9127B88DFD347AE9A8F1C05A6E08B06B6A9@exchange04.terremark.org>

AppArmor seems to work best with anything routine like protecting SFTP, SSH and other services. I admit that it is ideal for lazy admins, but once I understood how to use the tool, it became an early warning system and can tell you quite a bit about what an app needs to function, mostly through the update profile wizard. Once you have applications profiled into production, it can tell you about anything strange. On the frontier side you will observe AppArmor events for anything unhandled. It will tell you about any new and strange permissions you need for Firefox, for example, when visiting questionable sites. You can use it as a very terrible tool for profiling malware, strictly looking at permissions and limiting those permissions during execution. A talk at Blackhat confirmed that there is far more granular control, more than I care about at the moment.

-KNoble
Terremark
--------------------------
Sent via BlackBerry ;-)

From: kristian.hermansen at gmail.com (Kristian Erik Hermansen)
Date: Mon, 15 Oct 2007 10:15:31 -0700
Subject: [Dailydave] No more Novell AppArmor?
On 10/13/07, "Dave Aitel" wrote:
> Personally, I never got it to work. But I understand SOME people really like
> AppArmor...right? Does anyone really use it?

Luckily AppArmor is open and free to be developed by anyone who wants to pick up the project. Btw, AppArmor is installed and on by default in the latest release of Ubuntu Gutsy 7.10, appearing officially this Thursday...

https://help.ubuntu.com/community/AppArmor

--
Kristian Erik Hermansen

From: kees at ubuntu.com (Kees Cook)
Date: Mon, 15 Oct 2007 12:14:51 -0700
Subject: [Dailydave] No more Novell AppArmor?
Message-ID: <20071015191451.GC32574@outflux.net>

Hi,

On Sat, Oct 13, 2007 at 07:30:04PM -0400, Dave Aitel wrote:
> Personally, I never got it to work. But I understand SOME people really like
> AppArmor...right? Does anyone really use it?

Enough people wanted to use it that it was enabled in Ubuntu Feisty, and got more complete attention for Ubuntu Gutsy (as already mentioned). AFAIU, Novell still has people working on AppArmor, and it will remain their supported MAC for SLES 11. I use it for confining things like Gaim, Firefox, and network games. Super easy to build up the rules, and there are some nice docs about using it[1] (which are only mildly specific to Ubuntu).
-Kees

[1] https://help.ubuntu.com/community/AppArmor

--
Kees Cook

From: mwollenweber at gmail.com (matthew wollenweber)
Date: Mon, 15 Oct 2007 16:24:54 -0400
Subject: [Dailydave] Coverage and a recent paper by L. Suto
In-Reply-To: <47139D8A.5040001@immunityinc.com>
References: <47139D8A.5040001@immunityinc.com>
Message-ID: <42210a440710151324q6fd19facvac353f7a31ad29b1@mail.gmail.com>

Personally, I don't understand the current trend in fuzzer research to go obtain full code coverage. Sure, it's nice to check everything and have a fuzzer traverse all the functions in the code, but maybe that's at the cost of doing it all poorly. If you have a fixed amount of time to do the assessment, I'd rather spend the time where it's needed. As you said, it's better to thoroughly test the code in spots where the bugs are.

I do like instrumenting fuzzing and measuring where the fuzzer is being effective and/or spending its time. It's useful both to see where the problems cluster and/or to give the thing a kick if it gets stuck.

While it's not for web apps, I find the work Greg Hoglund and his guys at HBGary have done to be a step in the right direction. His tool isn't really meant for fuzzing (at least from my limited knowledge of it), but it takes an RE approach to find what's important and focus there. To achieve this, it measures function traversal, but rather than focusing everywhere, it filters out irrelevant functions (background noise). For example, if you want to debug a complex crypto routine that's attached to a graphical display, you don't want to waste your time in the graphics.

Most of Hoglund's recent talks have featured at least snippets of HBGary Inspector for anyone interested. Unfortunately, the software itself has too many zeros in the price tag for most people to buy.
--
Matthew Wollenweber
mwollenweber at gmail.com | mjw at cyberwart.com
www.cyberwart.com

From: smooge at gmail.com (Stephen John Smoogen)
Date: Mon, 15 Oct 2007 16:47:34 -0600
Subject: [Dailydave] Coverage and a recent paper by L. Suto
In-Reply-To: <42210a440710151324q6fd19facvac353f7a31ad29b1@mail.gmail.com>
References: <47139D8A.5040001@immunityinc.com> <42210a440710151324q6fd19facvac353f7a31ad29b1@mail.gmail.com>
Message-ID: <80d7e4090710151547k721cc77bwf20f398012ef5485@mail.gmail.com>

On 10/15/07, matthew wollenweber wrote:
> Personally, I don't understand the current trend in fuzzer research to go
> obtain full code coverage. Sure, it's nice to check everything and have a
> fuzzer traverse all the functions in the code, but maybe that's at the cost
> of doing it all poorly. If you have a fixed amount of time to do the
> assessment, I'd rather spend the time where it's needed. As you said, it's
> better to thoroughly test the code in spots where the bugs are.

However, when you are hacking someone's brain (e.g. the core of marketing/sales) to get someone to buy your product and keep buying your product... you want to use the magic words. Most big purchases are going to be done by some mid-level manager who has been asked to prepare a report on how their code looks towards hacking for some obscure SOX report... even if he was a hacker 2 months ago, he has been to so many finance meetings that all those cells went to Bermuda and didn't leave a forwarding address.

In the time-pressed manager's brain 100% always sells better than, say, 10%. Even if you find 100% of the bugs in 10% of the code, and they find 10% of the bugs in 100% of the code, saying words like "Complete code coverage" sits well in management's risk-averse mind.

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"

From: cmiller at securityevaluators.com (Charles Miller)
Date: Mon, 15 Oct 2007 20:36:41 -0500
Subject: [Dailydave] Coverage and a recent paper by L. Suto
In-Reply-To: <42210a440710151324q6fd19facvac353f7a31ad29b1@mail.gmail.com>
References: <47139D8A.5040001@immunityinc.com> <42210a440710151324q6fd19facvac353f7a31ad29b1@mail.gmail.com>

I'm giving talks (a shorter and a more detailed one) on exactly the topic of code coverage and fuzzing this weekend at Toorcon:

http://toorcon.org/2007/event.php?id=34
http://toorcon.org/2007/event.php?id=60

First, you're all quite right that code coverage isn't a magic bullet that's going to find bugs for you. You're also correct that code coverage doesn't necessarily imply the code has been adequately tested. (The obvious example is the strcpy that could be covered, but only with small amounts of data used as the source.)

That said, let me explain why I think code coverage can be an important tool for fuzzing. Consider the following two very common scenarios:

1. You run a finite, deterministic fuzzer like SPIKE and don't find any bugs (or at least any good ones).
2. You run a random fuzzer like GPF for some amount of time and don't find any bugs.

What do you do in these situations? How do you change the SPIKE configuration file to attempt to improve your chances of finding bugs? How long do you run GPF before you give up? For a random fuzzer like GPF, should you choose a different initial test case (i.e. PCAP file or whatever)? Where do you start with your static analysis? Would a different fuzzer have been a better choice?

I think in these situations it makes sense to look at the application and consider what code has been executed and what hasn't. After all, if you haven't even executed a particular line of code, you'll definitely not find a bug in that line with fuzzing.

Come to Toorcon and we can argue over a beer :)

Charlie

On Oct 15, 2007, at 3:24 PM, matthew wollenweber wrote:
> Personally, I don't understand the current trend in fuzzer research
> to go obtain full code coverage.
> Sure, it's nice to check everything and have a fuzzer traverse all the
> functions in the code, but maybe that's at the cost of doing it all
> poorly. If you have a fixed amount of time to do the assessment, I'd
> rather spend the time where it's needed. As you said, it's better to
> thoroughly test the code in spots where the bugs are.

From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 16 Oct 2007 13:36:58 -0400
Subject: [Dailydave] The Last Dancer released
Message-ID: <4714F6BA.9040308@immunityinc.com>

http://www.immunityinc.com/resources-dkm.shtml

This is the sequel to The Long Run and is of course required reading for people with eyes or half-decent knowledge of Braille.
:>

-dave

From: mwollenweber at gmail.com (matthew wollenweber)
Date: Wed, 17 Oct 2007 00:28:44 -0400
Subject: [Dailydave] [fuzzing] Coverage and a recent paper by L. Suto
In-Reply-To: <1192519077.5287.30.camel@localhost.localdomain>
References: <47139D8A.5040001@immunityinc.com> <42210a440710151324q6fd19facvac353f7a31ad29b1@mail.gmail.com> <47144035.4060208@bughunter.ca> <1192519077.5287.30.camel@localhost.localdomain>
Message-ID: <42210a440710162128m2e793f92n1ec104766c0b0f36@mail.gmail.com>

> The main downside is that I don't know why it is that finding bugs
> should depend linearly on anything. is it really true that if run A
> explores 10 more blocks than run B then run A has a .10 better chance of
> finding a bug in the program?

I think the above is the crux of the problem. Despite lots of intuition on where the bugs are or how to find them, there hasn't been much analysis (to my knowledge) of modeling bug prediction. Clearly a lot of bugs occur where unchecked data is transferred into fixed-sized buffers, but from a system perspective I've not seen anything quantifiable that suggests where bugs will be. For your weights a, b, c (or even the linear equation) you're right that we don't have metrics on what the best fit looks like.

I think it would be interesting for an academic or two to put a lot of "small enough" programs through a lot of fuzzers. Fuzz almost all/most of the possible paths and then analyze the common traits to answer basic questions as to how diversity, coverage, and interesting functions relate to finding bugs. (To any professors out there: I haven't finished my masters yet and would love to find an interesting program.)
The cool research out there (Molnar, Aitel, DeMott, etc.) seems to focus a lot on the feedback systems to find more bugs, but as of yet, I've seen no reason as to why any fitness function is well suited to the problem.

On 10/16/07, David Molnar wrote:
> On Mon, 2007-10-15 at 21:38 -0700, J.M. Seitz wrote:
>
> > So, let's try this:
> >
> > spankage = code coverage + (path diversity weight * 2) + (num
> > interesting funcs hit * 5)
> >
> > This stems from many talks with Jared, Pedram, and Charlie. I also
> > proposed that a proximity value to dangerous functions be thrown in, but
> > let's not get too far ahead of ourselves.
>
> Cool, this is interesting. I wonder if you could also flip it around and
> try to estimate the values of those coefficients instead of picking "2"
> and "5". I don't think those are bad values, just it'd be interesting if
> there is a way to derive them somehow from data about which fuzzing runs
> have been successful so far.
>
> One way this could work is as follows: suppose we have a set of fuzzing
> runs R_1, R_2, ..., R_n, and suppose for each run we know whether the run
> found a bug or not. Let's define Y_i to be 1 if the run R_i found at
> least one bug and Y_i to be 0 otherwise. Then we could set up a linear
> model:
>
> Y_i = a + b*coverage_i + c*path diversity_i + d*num int.funcs_i + error_i
>
> This just says we think whether a bug is found on run i depends linearly
> on coverage, path diversity, and number of interesting functions, plus
> an "intercept term" a and an error term. In your equation above for
> "spankage", we have a = 0, b = 1, c = 2, d = 5.
>
> The error represents among other things the effect of all the other
> variables we did not measure.
> Like, there's no variable in this equation
> for "did the developers do a lot of threat modeling," so if that has a
> lot of impact on whether a specific run finds a bug, then we will see
> that as "error" in estimating how important coverage, path diversity,
> and #interesting functions is to finding a bug. The error can also
> account for things like randomization in the fuzzer, difficulty in
> measuring path diversity, and so on.
>
> The main point is that if we assume this model holds we can then
> estimate values for a, b, c, and d from the data using any of several
> methods. For example, if we believe the errors are independent of the
> other variables, and if we believe the errors have a mean value of 0,
> then we can use ordinary least squares regression. We can then look at
> the resulting estimates for a, b, c, and d to give us some idea of whether
> coverage, path diversity, and number of interesting functions in fact
> have an impact on finding bugs. Finally, we could feed the resulting
> estimates back into your Fuzzing Proxy Coverage Spanker-abob.
>
> The main downside is that I don't know why it is that finding bugs
> should depend linearly on anything. Is it really true that if run A
> explores 10 more blocks than run B then run A has a .10 better chance of
> finding a bug in the program? Mainly this came to mind because I'm just
> learning about linear regressions now and have to read dozens of papers
> where people run, like, regressions of computer use vs. wages and
> compare them to regressions of pencil use vs. wages to see whether
> computers or pencils better predict high wages. Still, it seems like we
> should be able to leverage the data generated on which fuzzer runs
> produce bugs and which do not.
>
> -David Molnar

--
Matthew Wollenweber
mwollenweber at gmail.com | mjw at cyberwart.com
www.cyberwart.com
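Molnar's least-squares model quoted above, and Seitz's "spankage" score as its hand-picked special case, carried through on a constructed set of fuzzing runs. This is an added example, not code from the thread; the run figures (coverage, path diversity, interesting functions hit, bug found) are made up, and the ordinary least squares fit solves the normal equations with a small hand-written solver so it runs without numpy.

```python
"""Ordinary least squares fit of Molnar's linear model for fuzzing-run
success, Y_i = a + b*coverage_i + c*diversity_i + d*int_funcs_i + error_i.
Added example with constructed run data; hypothetical code, not from the thread."""

from typing import List, Sequence, Tuple

# Constructed runs (hypothetical, not measurements): per fuzzing run the
# basic-block coverage in percent, a path-diversity count, the number of
# "interesting" functions hit, and Y_i = 1 if the run found a bug, else 0.
RUNS: List[Tuple[float, float, float, float]] = [
    (12.0, 3, 0, 0),
    (18.0, 4, 1, 0),
    (25.0, 6, 2, 1),
    (31.0, 5, 1, 0),
    (40.0, 9, 3, 1),
    (44.0, 7, 2, 1),
    (52.0, 12, 4, 1),
    (60.0, 10, 2, 0),
]


def spankage(coverage: float, diversity: float, int_funcs: float) -> float:
    """Seitz's hand-picked score, i.e. a=0, b=1, c=2, d=5 in Molnar's notation."""
    return coverage + 2 * diversity + 5 * int_funcs


def solve(matrix: List[List[float]], rhs: List[float]) -> List[float]:
    """Solve matrix * x = rhs by Gauss-Jordan elimination with partial pivoting."""
    n = len(rhs)
    m = [row[:] + [rhs[i]] for i, row in enumerate(matrix)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            # Happens when the predictors are collinear (too few or too similar runs).
            raise ValueError("normal equations are singular; need more varied runs")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                factor = m[r][col] / m[col][col]
                for k in range(col, n + 1):
                    m[r][k] -= factor * m[col][k]
    return [m[i][n] / m[i][i] for i in range(n)]


def fit_ols(runs: Sequence[Tuple[float, float, float, float]]) -> List[float]:
    """Return [a, b, c, d] minimising the squared error over the runs.
    Solves the normal equations (X^T X) beta = X^T y, which is the OLS
    estimate under Molnar's assumption of independent, zero-mean errors."""
    xs = [[1.0, cov, div, funcs] for cov, div, funcs, _ in runs]
    ys = [float(row[3]) for row in runs]
    p = 4
    xtx = [[sum(x[i] * x[j] for x in xs) for j in range(p)] for i in range(p)]
    xty = [sum(x[i] * y for x, y in zip(xs, ys)) for i in range(p)]
    return solve(xtx, xty)


def predict(coefs: Sequence[float], cov: float, div: float, funcs: float) -> float:
    """Model value a + b*cov + c*div + d*funcs for one run."""
    a, b, c, d = coefs
    return a + b * cov + c * div + d * funcs


def rss(runs: Sequence[Tuple[float, float, float, float]], coefs: Sequence[float]) -> float:
    """Residual sum of squares; lower means the model explains more of the outcomes."""
    return sum((y - predict(coefs, cov, div, funcs)) ** 2 for cov, div, funcs, y in runs)


if __name__ == "__main__":
    est = fit_ols(RUNS)
    print("estimated a, b, c, d:", [round(v, 4) for v in est])
    print("rss(estimated) =", round(rss(RUNS, est), 4),
          "rss(intercept only) =", round(rss(RUNS, [0.5, 0, 0, 0]), 4))
    for cov, div, funcs, y in RUNS:
        print(f"cov={cov:5.1f} div={div:2} funcs={funcs} "
              f"spankage={spankage(cov, div, funcs):5.1f} "
              f"predicted={predict(est, cov, div, funcs):.2f} found_bug={y}")
```

With only eight made-up runs the estimated coefficients say nothing about real fuzzers; the point is the mechanics, and that the fitted model always has a residual sum of squares no larger than the intercept-only model, which is exactly why a fit on real run data is the way to test Molnar's linearity doubt.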
URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20071017/40a4645a/attachment.htm From jv274 at cl.cam.ac.uk Thu Oct 18 10:07:42 2007 From: jv274 at cl.cam.ac.uk (JFV) Date: Thu, 18 Oct 2007 16:07:42 +0200 Subject: [Dailydave] [fuzzing] Coverage and a recent paper by L. Suto In-Reply-To: <42210a440710162128m2e793f92n1ec104766c0b0f36@mail.gmail.com> References: <47139D8A.5040001@immunityinc.com> <42210a440710151324q6fd19facvac353f7a31ad29b1@mail.gmail.com> <47144035.4060208@bughunter.ca> <1192519077.5287.30.camel@localhost.localdomain> <42210a440710162128m2e793f92n1ec104766c0b0f36@mail.gmail.com> Message-ID: <471768AE.9000706@cl.cam.ac.uk> matthew wollenweber wrote: > > The main downside is that I don't know why it is that finding bugs > should depend linearly on anything. is it really true that if run A > explores 10 more blocks than run B then run A has a .10 better > chance of > finding a bug in the program? > What about a fuzzer that covers all the program's paths without covering all the program's cycles? You could cover 100% of the non-cycling paths but find 0 bugs because all bugs occur when cycling more than what the fuzzer has imposed. Also, not only control flow coverage has to be realized, but also coverage of the variables' values. You might wish to cover it completely; in that case fuzzing is a very bad choice: ready to execute the program at worst 2**64 times for fuzzing a double? A better choice is certainly static analysis by abstract interpretation: approximating the verification using conservative analysis (analyzing a superset of program behaviors represented by a smaller "abstract" domain). This approach is fast, sound (will never miss any bug) but might lead to false positives (a consequence of the incompleteness theorem), which can usually be eliminated using refinement or partitioning.
A very good project based on abstract interpretation is ASTREE: www.astree.ens.fr (by P.Cousot & al) Unfortunately, it's not in the public domain and it works only with a subset of the C language (afaik: without recursive functions or dynamic memory allocation). Other very interesting projects for checking real life code are: SLAM: http://research.microsoft.com/slam/ BLAST: http://mtc.epfl.ch/software-tools/blast/ IMHO, these projects provide a much better base than any other analyzers for finding serious bugs. Fuzzers might run forever without finding anything but yeah, it's easier to code. Do any of you have experience with binary-level static analyzers or model checkers? -JFV From dave at immunityinc.com Thu Oct 18 13:40:06 2007 From: dave at immunityinc.com (Dave Aitel) Date: Thu, 18 Oct 2007 13:40:06 -0400 Subject: [Dailydave] SQL Hooker Release Message-ID: <47179A76.2020805@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://forum.immunityinc.com/index.php?topic=92.0 JMS and I decided to put our code where our mouth was. It looks a lot like this: PyCommands $ python sql_listener.py 80812.4 Set up XMLRPC Socket on 0.0.0.0 port 8081 select count(*) from users where userName='cow' and userPass='boy' 10.10.10.243 - - [18/Oct/2007 13:03:17] "POST / HTTP/1.0" 200 - Next up - file operation hooking perhaps? :> - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHF5p0B8JNm+PA+iURAtFlAKDhW3CVqVd6S621t4kdsQ1Y0sb2cgCg7JY5 QaZkG+j3E5b6NO0SJrR3yM8= =bvnS -----END PGP SIGNATURE----- From lists at bughunter.ca Thu Oct 18 15:46:52 2007 From: lists at bughunter.ca (J.M. Seitz) Date: Thu, 18 Oct 2007 12:46:52 -0700 Subject: [Dailydave] SQL Hooker Release In-Reply-To: <47179A76.2020805@immunityinc.com> Message-ID: <00dc01c811bf$a33cb6b0$6207a8c0@jseitz> > JMS and I decided to put our code where our mouth was. In my case, I had a lot of code to jam into a big mouth.
And as Dave said in the forum post, take it for a test drive, and if there are any bugs, feature requests, etc. just drop us an email. There are a bazillion things you can do with even the PoC. JS From dan57170 at yahoo.com Thu Oct 18 16:00:10 2007 From: dan57170 at yahoo.com (H. Daniel Regalado Arias) Date: Thu, 18 Oct 2007 13:00:10 -0700 (PDT) Subject: [Dailydave] SQL Injection - Strange Result Message-ID: <721150.27470.qm@web30202.mail.mud.yahoo.com> Hi Dave and Friends, I have a problem while doing a PHP/MSSQL 2000 web app assessment. After many days, and due to my lack of experience, I am able to bypass single quotes using char() or "[]" when trying to execute a stored procedure, so by now I am able to inject code directly into the database without being filtered, but after sending the next test: http://www.client.com/mod.php?id=1;begin%20declare%20@q%20varchar(8000)select%20@q%20=%200x73656c65637420404076657273696f6e%20exec(@q)%20end;-- or another stored procedure like: http://www.client.com/mod.php?id=1;exec%20sp_makewebtask%20%5Bc:\inetpub\wwwroot\sssssssss\index_olld.html%5D,%20%5Bselect%20*%20from%20TABLE%5D;-- the application responds with something like: SQL error: [Microsoft][ODBC SQL Server Driver]Connection is busy with results for another hstmt, SQL state S1000 in SQLExecDirect in C:\D\Inetpub\wwwroot\sssssssssss I think it's because of the first query (the one belonging to the id=1 parameter, even though 1 results in 0 rows). I have read a lot on SQL injection (Advanced, More, and so on), but all of them always execute a stored procedure after a semicolon and none of them say anything about this error. I thought of putting a delay before my stored procedure, or a command to free the database connection handle. What do you think? By the way, I am not able to run xp_cmdshell because of the database user permissions; maybe I could try to elevate privileges, but the error described above always appears. Thanks in advance. H.
Daniel Regalado Arias, CISSP Chief Information Security Officer Macula Security Consulting Group www.macula-group.com From lists at bughunter.ca Thu Oct 18 17:28:27 2007 From: lists at bughunter.ca (J.M. Seitz) Date: Thu, 18 Oct 2007 14:28:27 -0700 Subject: [Dailydave] SQL Injection - Strange Result In-Reply-To: <721150.27470.qm@web30202.mail.mud.yahoo.com> Message-ID: <00fb01c811cd$d2ca4ba0$6207a8c0@jseitz> I am more familiar with MySQL, but could there be a case that the database/application is locking the table during the first stored procedure run?
If it doesn't properly unlock the table after it's finished (assuming your injection would have to make sure that happens), then it can essentially block the server from allowing access to that table again. I would check the source to see what they are doing for locking. I might totally be out to lunch, but I have seen lots of PHP apps improperly lock and unlock, causing all sorts of bizarre problems. JS From elite_netbios at yahoo.com Thu Oct 18 17:33:32 2007 From: elite_netbios at yahoo.com (Hamid . K) Date: Thu, 18 Oct 2007 14:33:32 -0700 (PDT) Subject: [Dailydave] SQL Hooker Release Message-ID: <411581.93070.qm@web90506.mail.mud.yahoo.com> Hi. Nice piece of script, integrated into ID.
Using this script to deeply monitor and audit web-application flaws is indeed interesting, but I'm thinking about some more interesting results an enhanced version of this toy may produce: how about automating the process of auditing Oracle internals for hunting even more PL/SQL injections? :> I'm not sure how much extra work may be required, but I don't think it would be very complex. Rather than hooking SQL OLEDB, it can be fine-tuned for attaching to the related Oracle process, waiting for the other side (second script*) to trigger an injection in a list of targeted packages/stored procedures. The output would be a list of packages/SPs in Oracle harmed by the second script* and detected by the hooker script. The second script* would be a parser engine, reading a list of stored procedures along with their parameters, for example, and sending them to Oracle from any query interface while manipulating some of the parameters ... example, Regards Hamid.K __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo!
Mail has the best spam protection around http://mail.yahoo.com From adriel at netragard.com Thu Oct 18 17:58:39 2007 From: adriel at netragard.com (Adriel Desautels) Date: Thu, 18 Oct 2007 17:58:39 -0400 Subject: [Dailydave] SQL Injection - Strange Result In-Reply-To: <721150.27470.qm@web30202.mail.mud.yahoo.com> References: <721150.27470.qm@web30202.mail.mud.yahoo.com> Message-ID: <4717D70F.1060004@netragard.com> Daniel, Google is a good friend. Discussion: This problem occurs when working with the same MS SQL Server connection as source and target of a module. This error appears in the Exceptions tab of the Execution Viewer. The complete error message is: S1000 [Microsoft][ODBC SQL Server Driver]Connection is busy with results for another hstmt This error is returned by the ODBC driver and not by SQL Server itself, so @DbError = 0. Resolution: This is due to the behaviour of the MS SQL Server connection. When a transaction is opened and a table is currently being read in single mode, no other task can be performed within this transaction. To fix this, in the module change the select mode of the table (or the dataset) to Packet(x). Another way to avoid this error is to duplicate the connection and link the source table (or the tables of the dataset) to that new connection. This way, two different transactions are opened: one for reading, and one for writing. If you want to read the same table you write, you have to use the first solution. Regards, Adriel T. Desautels Chief Technology Officer Netragard, LLC. Office : 617-934-0269 Mobile : 617-633-3821 http://www.linkedin.com/pub/1/118/a45 --------------------------------------------------------------- Netragard, LLC - http://www.netragard.com - "We make IT Safe" Penetration Testing, Vulnerability Assessments, Website Security From lists at bughunter.ca Thu Oct 18 23:18:27 2007 From: lists at bughunter.ca (J.M.
Seitz) Date: Thu, 18 Oct 2007 20:18:27 -0700 Subject: [Dailydave] SQL Hooker Release In-Reply-To: <411581.93070.qm@web90506.mail.mud.yahoo.com> Message-ID: <013a01c811fe$b7e54340$6207a8c0@jseitz> > How about automating the process of auditing Oracle internals > for hunting even more pl/sql injections ? This is interesting, and yes it would be possible. It might also be interesting to examine the size of the variables at the point when the Oracle internals fire. You may be able to determine if an internal function inside the database is vulnerable to a stack/heap based overflow. However, that might be a bit beyond the scope of what we wrote the tool for, of course always accepting patches :) > Rather than hooking SQL OLEDB , it can be fine-tuned for > attaching to related oracle process , waiting for the other > side (second script*) to trigger an injection in list of > targeted packages/stored procedures . output would be a list > of packages/SPs in oracle , harmed by second-script* and > detected by hooker script. Yes, essentially this is what it's designed for, it's just a matter of Dave/me/someone else, doing a bit of RE work and finding the magic hook points. Go hard Dave! > Second-script* , would be a parser engine , reading list of > stored procedures among their parameters for example, and > sending them to oracle from any query interface, while > manipulating some of parameters ... > example, Yeah, really you can use anything to generate the input, that's the beauty of it. Dave is looking to do some SPIKEProxy integration, but you could be using ParosProxy or really anything to generate it, just use the hooker to filter out what is useful for you. Not to mention it's a great way for an internal development team to exercise any global filtering implementations, anything that gets sent back to the RPC server made it past the filters. 
JS From no-reply at ekoparty.com.ar Fri Oct 19 18:53:24 2007 From: no-reply at ekoparty.com.ar (ekoparty) Date: Fri, 19 Oct 2007 19:53:24 -0300 Subject: [Dailydave] Ekoparty 3rd Edition 2007 CFP closed - Buenos Aires - Argentina. Message-ID: <001001c812a2$db269580$9b00010a@BYFXA011461> ekoparty 2007 Information Security Conference. Nov 30th (Friday)/Dec 1st (Saturday), 2007 Buenos Aires, Argentina - Bauen Hotel, Callao 360 We are happy to announce the results of the CFP and the pre-selection of the speakers. By the way, we are really grateful to all those who sent their work and let us know about suggestions and comments. We have updated the web page and among the news you may find: - Confirmed speakers list with a description of the lecture and a brief bio. * Julio Auto - Next-Generation Debuggers For Reverse Engineering * Francisco Amato - evilgrade, "You have pending upgrades..." * Rodrigo Branco - KIDS - Kernel Intrusion Detection System * Cesar Cerrudo - SQL Server Anti-Forensics * João Batista Correa - Hacking the Big Brother * Mariano Nuñez Di Croce - Attacking the Giants: Exploiting SAP Internals (Atacando a los Gigantes: Explotando los Internals de SAP) * Esteban Martínez Fayó - Oracle Security * Damian Gomez - VulnDev as Intelligent debugging * Domingo Montanaro - The Computer Forensics Challenge and Anti-Forensics Techniques * Alfredo Ortega - OpenBSD remote exploit * Leonardo Pigñer - Antiforensics 101 * Andres Riancho - w3af a framework to own the Web - Included activities list: * City Wardriving. * War games. * Lock picking. * Aftercon party. * Trivias. Pre-registration is now open. For more information, please visit the event web site: http://www.ekoparty.com.ar From andreg at gmail.com Fri Oct 19 19:44:13 2007 From: andreg at gmail.com (Andre Gironda) Date: Fri, 19 Oct 2007 18:44:13 -0500 Subject: [Dailydave] No more Novell AppArmor?
In-Reply-To: <20071014025010.788EF8BD09@mail.fjaunet.com.br> References: <20071014025010.788EF8BD09@mail.fjaunet.com.br> Message-ID: <2fd9390e0710191644i60bf36fx9ef1808643b10499@mail.gmail.com> On 10/13/07, Rodrigo Rubira Branco (BSDaemon) wrote: > I believe after many fights, the apparmor team cannot be kept by Novell... Some of the AppArmor team is now at - http://mercenarylinux.com ...straight from Toorcon dre From dan57170 at yahoo.com Fri Oct 19 21:16:04 2007 From: dan57170 at yahoo.com (H. Daniel Regalado Arias) Date: Fri, 19 Oct 2007 18:16:04 -0700 (PDT) Subject: [Dailydave] Debugging the false alarm problem. Message-ID: <626438.71727.qm@web30212.mail.mud.yahoo.com> Hi str0ke and friends!!!! Only a question... Do you have a manual in order to learn how to inject PHP code through GET or POST into an application? I mean, in order to execute or upload PHP files. I have seen something from you like: # Tested on vBulletin Version 3.0.1 /str0ke # http://www.xxx.net/misc.php?do=page&template={${system(id)}} But it does not work while testing on my app. Thanks in advance. H. Daniel Regalado Arias, CISSP Chief Information Security Officer Macula Security Consulting Group www.macula-group.com ----- Original Message ---- From: str0ke To: H. Daniel Regalado Arias Sent: Wednesday, 3 October 2007 13:27:11 Subject: Re: [Dailydave] Debugging the false alarm problem. Daniel, The only way that I know of bypassing magic quotes is if the site is using urldecode: %2527 would translate to %27. Regards, /str0ke H. Daniel Regalado Arias wrote: > Hi Dave and Friends!!! > > Is there a way to bypass magic_quotes_gpc on a PHP app, in order to execute SQL injection on a Microsoft SQL Server? > I can't use ' (single quotes) because they are converted to \', I also tried %27, ', but nothing happens. > > Thanks!!! > > H.
Daniel Regalado Arias, CISSP > Chief Information Security Officer > Macula Security Consulting Group > www.macula-group.com > > ----- Original Message ---- > From: Dave Aitel > To: dailydave at lists.immunitysec.com > Sent: Thursday, 27 September 2007 12:03:23 > Subject: [Dailydave] Debugging the false alarm problem. > > A couple days ago the fire alarm in my building went off at midnight. > It was about four hundred decibels since they install a loudspeaker in > each apartment. So I trundled over to the other bedroom, got the > screaming one year old, and moved him into a room where the sound was > quietest, and then closed the door and played with him for the half > hour it took them to turn the noise off. Later on I called my friend > who's on the board of the building, and he was like "Why didn't you > come downstairs? It was everyone in their nightgowns in the lobby." > > The answer is that every previous fire alarm (and there have been > many) has been a false positive. And I didn't realize it would be a > hilarious nighttime parade, of course. This one was a false alarm as > well, just a longer false alarm than usual. > > Anyways, the same thing happens pretty much every time I see anyone > run any VA tool, be it web, traditional network VA, or source code > analysis, or whatever. They all have false positive results through > the roof (which is on fire, naturally). > > For web VA I'm trying to switch completely to using Immunity Debugger, > and having it XML-RPC SPIKE Proxy any time certain API filters are > hit, for example, CreateFile(). This lets you watch real-time if your > file include attacks are working, or path traversal, or whatever. With > this kind of real feedback from the remote app you can make much more > educated guesses